IPexpert CCIE Data Center Volume 1 Workbook 1 12 PDF


IPexpert’s Lab Preparation Workbook

for the Cisco® CCIE™ Data Center v1.0 Lab Exam


Volume 1

Authored by: Rick Mur - CCIE3 #21946 (R&S / SP / Storage), JNCIE-SP #851
CCIE Data Center Lab Preparation Workbook
 

IPexpert’s Lab Preparation Workbook for Cisco’s CCIE Data Center Lab

Before We Begin

This product is part of the IPexpert suite of materials that provide CCIE candidates and network engineers with a comprehensive training program. For information about the full solution, contact an IPexpert Training Advisor today.

Telephone: +1.810.326.1444
Email: sales@ipexpert.com

Congratulations! You now possess one of the ULTIMATE CCIE™ Lab preparation and network operation resources available today! This resource was produced by senior engineers, technical instructors, and authors boasting decades of internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIE™ Data Center Lab exam, we feel VERY confident that your chances of passing the Lab will improve dramatically after completing this industry-recognized Workbook!

Technical Support from IPexpert, and your CCIE community!

Copyright © by IPexpert. All rights reserved. 1


 
 

IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our online communities have attracted a membership of over 20,000 of your peers from around the world! At blog.ipexpert.com, you can keep up to date with everything IPexpert does and read the latest in technical articles from world-renowned IPexpert instructors. At OnlineStudyList.com, you may subscribe to multiple “SPAM-free,” moderated CCIE-focused email lists.

Feedback

Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert, we look to you – our valued clients – for the real world, frontline evaluation that we believe is necessary so that we may always improve. Please send an email with your thoughts to feedback@ipexpert.com or call 1.866.225.8064 (international callers dial +1.810.326.1444).

In addition, for those using this book as CCIE™ preparation, when you pass the CCIE™ Lab exam, we want to hear about it! Email your CCIE™ number to success@ipexpert.com and let us know how IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.
 

Additional CCIE™ Preparation Material

IPexpert, Inc. is committed to developing the most effective Cisco CCIE™ R&S, Security, Voice, Wireless and Data Center Lab certification preparation tools available. Our team of certified networking professionals develops the most up-to-date and comprehensive materials for networking certification, including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance learning) instructor-led training, audio products, and video training materials. Unlike other certification-training providers, we employ the most experienced and accomplished teams of experts to create, maintain, and constantly update our products. At IPexpert, we are focused on making your CCIE™ Lab preparation more effective.

Issues with this Book

This book is carefully edited to ensure the accuracy of all content. Should you find any error whatsoever, please email a page reference and detailed comment to wberrors@ipexpert.com. Your email will be responded to promptly.

 

IPEXPERT END-USER LICENSE AGREEMENT

END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS.

This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions.

The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License.

Copyright and Proprietary Rights

The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT.

The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT.

You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.
 
 

 

Exclusions of Warranties

THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state.

Choice of Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect.

Limitation of Claims and Liability

ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR’S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.

 
 

 

Entire Agreement

This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights

The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIAL

 
 

 

Contents
IPexpert’s Lab Preparation Workbook for Cisco’s CCIE Data Center Lab
Before We Begin
Feedback
Additional CCIE™ Preparation Material
Issues with this Book
IPEXPERT END-USER LICENSE AGREEMENT
Copyright and Proprietary Rights
Exclusions of Warranties
Choice of Law and Jurisdiction
Limitation of Claims and Liability
Entire Agreement
U.S. Government - Restricted Rights
Default Lab Topology
Default passwords and IP addresses
Chapter 1: Introduction to CCIE Data Center
Who Should Read this Book?
How to Use this Book
An Introduction to CCIE Data Center
Availability
Written exam
The current published reading list:
Lab exam
Software Versions
CCIE Storage?
What about P and A tracks?
Troubleshooting
An Introduction to the Proctor Labs CCIE Data Center hardware rack
Software Versions
Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)
General Rules
Pre-setup
Topology
Configuration tasks
Task 1: General set-up
Task 2: Implement VLANs
Task 3: Implement Private-VLANs
Task 4: Implement Rapid Spanning-Tree protocol
Task 5: Implement Multiple Spanning-Tree protocol
Task 6: Spanning-Tree and UDLD features
Task 7: Fabric Extenders
Task 8: Misc features
Chapter 3: Data Center Networking Layer 3 Infrastructure (NX-OS)
General Rules
Pre-setup

 

Drawing 1: Physical Topology Routing
Drawing 2: Logical Routing Topology
Configuration tasks
Task 1: Layer 3 topology set-up
Task 2: Static routing
Task 3: EIGRP
Task 4: OSPF
Task 5: Redistribution, BFD and ECMP
Task 6: Layer 3 switching features
Drawing 3: FabricPath / OTV Topology
Task 7: FabricPath and OTV
Chapter 4: Data Center Networking High Availability (NX-OS)
General Rules
Pre-setup
Drawing 1: Physical Topology
Drawing 2: Logical Topology
Configuration tasks
Task 1: Topology set-up
Task 2: Port-Channels
Task 3: Virtual Port-channels (vPCs)
Task 4: Graceful Restart / Non-Stop Forwarding
Task 5: HSRP
Task 6: VRRP
Task 7: GLBP
Task 8: Virtual Port-Channels (vPCs) and FabricPath
Chapter 5: Data Center Storage Networking
General Rules
Pre-setup
Drawing 1: Physical Topology
Configuration tasks
Task 1: Initial set-up
Task 2: VSANs
Task 3: Zoning
Task 4: FC Domain
Task 5: Fibre Channel Security Features
Task 6: Advanced Features
Chapter 6: Data Center Storage Networking Extension
General Rules
Pre-setup
Drawing 1: Physical Topology
Drawing 2: Logical Topology
Configuration tasks
Task 1: Initial set-up
Task 2: FCIP

 

Task 3: FCIP Security
Task 4: SAN Extension Tuner
Task 5: iSCSI
Task 6: iSLB
Chapter 7: Data Center Unified Fabric
General Rules
Pre-setup
Drawing 1: Physical Topology
Drawing 2: Logical Topology VSAN 20
Configuration tasks
Task 1: Native Fibre Channel on Nexus
Task 2: Fibre Channel over Ethernet (FCoE)
Task 3: Multi hop FCoE
Task 4: FCoE Quality of Service (QoS)
Drawing 3: NPV topology
Task 5: N-Port Virtualization (NPV) and N-Port ID Virtualization (NPIV)
Task 6: FCoE NPV
Chapter 8: Security Features
General Rules
Pre-setup
Drawing 1: Physical Topology
Drawing 2: Logical Topology
Configuration tasks
Task 1: Port Security
Task 2: DHCP Snooping, DAI, IP Source Guard
Task 3: Access Control Lists
Task 4: AAA services
Task 5: 802.1X
Task 6: Cisco TrustSec
Chapter 9: Management Features
General Rules
Pre-setup
Drawing 1: Physical Topology
Drawing 2: Logical Topology
Configuration tasks
Task 1: Role Based Access Control (RBAC)
Task 2: Traffic monitoring
Task 3: NetFlow
Task 4: Management protocols
Task 5: Device management
Task 6: Smart Call Home and GOLD
Chapter 10: Data Center Unified Computing Networking
General Rules
Pre-setup
Drawing 1: Physical Topology
Configuration tasks

 

Task 1: Initial set-up
Task 2: VLANs
Task 3: vNIC templates
Task 4: Policies and pin groups
Task 5: Quality of Service
Task 6: Disjoint Layer 2
Task 7: Switch mode
Chapter 11: Data Center Unified Computing Storage
General Rules
Pre-setup
Drawing 1: Physical Topology
Configuration tasks
Task 1: Initial set-up
Task 2: VSANs
Task 3: Fibre Channel Trunks and Port Channels
Task 4: Pools
Task 5: vHBA templates
Task 6: SAN Pinning and Storage Policies
Task 7: Fibre Channel Boot policies
Task 8: iSCSI Boot policies
Task 9: Local Disk policies
Chapter 12: Data Center Unified Computing Servers and Blades
General Rules
Pre-setup
Drawing 1: Physical Topology
Configuration tasks
Task 1: Server pools
Task 2: UUID pools
Task 3: Management IP addresses
Task 4: Server policies
Task 5: Service Profile Templates
Task 6: Service Profiles

 

Default  Lab  Topology  

 
 

Default  passwords  and  IP  addresses  


• Default  management  username  /  password:  admin  /  IPexpert123  
• Other  passwords:  ipexpert  
• Management  IP  addressing:  172.16.100.0/24  
• Management  Default  Gateway:  172.16.100.254

 

 
Chapter 1: Introduction to CCIE Data Center
 

Chapter  1:  Introduction  to  CCIE  Data  Center  introduces  the  team  of  authors,  consultants,  and  editors  
that  completed  this  book  and  describes  the  book’s  purpose.  This  chapter  also  provides  suggestions  for  
the  usage  of  this  written  work.    

 

Who  Should  Read  this  Book?  


This workbook's primary audience is CCIE candidates who are searching for the most comprehensive and error-free materials available covering the CCIE Data Center practical lab exam. These students should possess a home rack of equipment for CCIE-level command-line practice, possess an equipment emulator (for certain parts of the topology), or rent equipment from a company like www.proctorlabs.com. The authors and technical editors exhaustively tested all of the demonstrations found throughout the technology tasks, troubleshooting exercises and full-scale lab exercises against all practice rack options described earlier. Where issues arise with popular equipment emulators, the text makes note. This book is the most remarkably thorough and technically accurate book written on the CCIE Data Center lab exam to date.

How  to  Use  this  Book  


This book breaks all specific CCIE Data Center technologies down on a chapter-by-chapter basis for a complete and thorough review of this broad set of topics. Each chapter is broken down into various tasks regarding the subject. Following this, the Detailed Solutions Guide provided with this workbook provides an intense examination of the operation of the tasks, including key aspects of troubleshooting for the specific technology. After this, the book presents some of the most common issues that can result with a particular technology set and, most importantly, details the simple troubleshooting tools and steps that succeed for remediation.

The final chapters conclude the book with sample lab scenarios that provide a full-scale lab exam as you will see it when you take the actual test. The Detailed Solutions Guide then provides a well-designed approach for troubleshooting each major task and offers detailed explanations. The text provides reference guides for the most popular and powerful show and debug commands for a specific technology.

Each chapter uses its own specific initial configurations. Readers may download initial configurations, or install them in a simple Graphical User Interface (GUI) on www.proctorlabs.com.

Students  are  encouraged  to  follow  along  on  a  rack  of  equipment  for  every  section  of  every  chapter.  This  
really  enhances  and  strengthens  the  learning  process.  

An  Introduction  to  CCIE  Data  Center  


Since the release of the Nexus platform there has been talk about when these platforms would be introduced in a CCIE track. With the introduction of UCS in 2009 the demand grew even stronger, especially since UCS really took off in sales.

 

The scope of the exam is pretty much based on the usual suspects, so in summary you should be aware of the following:

• UCS B-series blade systems
• UCS C-series rackmount systems connected to UCS Manager via FEX
• Virtual Interface Cards (virtualized NICs and HBAs) in all servers
• Nexus 7000 with all features like VDC, OTV, FabricPath, etc.
• Nexus 5500 with all features like FCoE, FEX
• Nexus 2000 connected to either the 5k or the 7k
• Nexus 1000V distributed virtual switch in ESX
o There is no mention of any VMware product in the blueprint, so expect ESX and vCenter to be pre-installed on the UCS blades and FC boot to pre-configured disks
• MDS 9222i for connecting FC storage to UCS
• ACE appliance
• DCNM management software
 

Availability  
The  live  exam  is  available  from  September  1st.  

Currently  there  are  no  dates  when  the  lab  is  available.  

Written  exam  
The  written  exam  has  an  extensive  blueprint  published  to  Cisco  Learning  Network  (CLN)  including  a  
reading  list.    

The  current  published  reading  list:  


Data Center Fundamentals (ISBN-10: 1-58705-023-4)  

NX-OS and Cisco Nexus Switching (ISBN-10: 1-58705-892-8)  

Cisco Unified Computing System (UCS) (ISBN-10: 1-58714-193-0)  

I/O Consolidation in the Data Center (ISBN-10: 1-58705-888-X)  

Storage Networking Fundamentals (ISBN-10: 1-58705-162-1)  

 

Please find the extensive blueprint published by Cisco on the bottom of this blog post.

Lab  exam  
There  is  not  much  information  available  regarding  the  lab  exam.  Availability  is  not  mentioned.  There  is  
however  information  regarding  the  hardware  list  and  this  is  an  immense  list  of  expensive  hardware  you  
require:  

Software  Versions  
 

• NXOS v6.0(2) on Nexus 7000 Switches
• NXOS v5.1(3) on Nexus 5000 Switches
• NXOS v4.2(1) on Nexus 1000V
• NXOS v5.2(2) on MDS 9222i Switches
• UCS Software release 2.0(1x) for UCS-6248 Fabric Interconnect and all UCS systems
• Software Release A5(1.0) on ACE4710
• Cisco Data Center Manager software v5.2(2)
 

CCIE  Storage?  
There are currently no plans to replace CCIE Storage with CCIE Data Center. Because of this, there will not be a large focus on MDS/FC configuration, as there is another track for that.

What  about  P  and  A  tracks?  


A  CCNA  Data  Center  and  CCNP  Data  Center  will  be  released  soon!  

Troubleshooting  
Troubleshooting will be a big part of the exam, which is also pretty clear in the blueprint. There is no confirmation yet of how this will be introduced, either using tickets as in the CCIE R&S or just by pre-configuration on the lab. I can imagine that they pre-configured a broken Nexus 1000V on an ESX installation on one of the JBODs. More information on how this troubleshooting is done will be available during other Q&A sessions. The implication is that it might be trouble tickets like the CCIE R&S.

 

An  Introduction  to  the  Proctor  Labs  CCIE  Data  Center  hardware  rack    
The IPexpert CCIE Data Center rack will support 100% of the features that are tested on the lab! We have based the topology as closely as possible on the CCIE Data Center rack layout, and have ensured that all features and functionality are there.

Our  CCIE  Data  Center  rack  layout  is  based  on  the  very  limited  information  that  has  been  made  available  
by  Cisco.  IPexpert  has  been  in  close  contact  with  the  people  involved  in  creating  this  lab  exam,  and  
therefore  the  layout  of  the  rack  is  based  on  some  early  examples  and  the  published  components  and  
software  version  blueprint.  

As you will see, the topology is very much based on a common datacenter design and has a more 'static' layout than other CCIE tracks.

The  blueprint  specified  the  following  components  to  be  in  the  lab:  

First  is  the  NX-­‐OS  Networking  equipment.  

• Nexus7009 (with licensing)
o (1) Sup
o (1) 32 Port 10Gb (F1 Module)
o (1) 32 Port 10Gb (M1 Module)
• Nexus5548
• Nexus2232
 

The Nexus 7000 will be configured with VDCs to simulate various different topologies and create multiple 'core switch' layers within the network.

Nexus 5548 will be used as a 'distribution' layer within the datacenter network. The Nexus 2k's can be configured as FEX for the Nexus 7000, the Nexus 5000 and the Fabric Interconnects of the UCS system to connect the UCS C-series rack mount servers. The VDCs are a major component in the network, as the number of devices is limited and the connectivity is very much based on a best practice design.

The  below  drawing  illustrates  an  example  topology  from  our  new  CCIE  Data  Center  lab  preparation  
workbook  which  is  currently  under  development.  

All  these  interconnections  and  switches  are  based  within  a  single  physical  chassis  with  complete  
separation  of  the  control  and  data  plane  protocols!  

 

Second  is  the  storage  networking  (SAN)  equipment:  

• Dual attached JBODs = Fibre Channel disks
• MDS 9222i (dual fabric)
 

The MDS switches used in the lab are capable of a ton of features. The blueprint, however, only describes certain Fibre Channel features which are considered 'basic' features, like zoning, VSANs, oversubscription and ISLs. The other major topic on the blueprint is Fibre Channel Expansion over FCIP and iSCSI. These features are the IP features supported by the MDS platform. The 1G Ethernet connections are connected to the Nexus switches for testing the expansion features. Through that connection it's possible to connect the MDS switches across a connection other than Fibre Channel. As the CCIE Storage track is not being replaced by the CCIE Data Center, the focus on Storage Networking (SAN) features is not that big. The major topics are more in the features that aren't tested in any other CCIE track.

The JBODs mentioned in this list represent just plain simple hard disks that are connected via Fibre Channel. They are used later as shared storage for the UCS system.

The  third  major  component  within  the  hardware  blueprint  is  the  Unified  Computing  System  (UCS).  

• UCS-6248 Fabric Interconnects
• UCS-5108 Blade Chassis
o B200 M2 Blade Servers
o Palo/VIC mezzanine card
o Menlo/Emulex mezzanine card
• UCS C200 Series Server = Connected to Fabric Interconnects
o VIC card for C-series

 

This is based on the C-series rackmount servers, connected to the Fabric Interconnects so the C-series can also be managed from the central UCS Manager, the same way the blade chassis is managed.

The blades are equipped with different NICs. This also means a slightly different configuration. The VIC cards are the most interesting ones, as they can virtualize NICs to present to the OS.

Once inside the blades, there is a pre-installed VMware ESX(i) environment with a Nexus 1000v distributed virtual switch. As this is a Cisco lab exam, you are not required to know anything about VMware. Of course you will need to be able to install this environment in your own lab, if you have one, but when you step into the lab you will face a pre-installed VMware and 1000V. Beyond that, the switch is not configured and you are required to configure it.

The final topic on the blueprint is called ANS (Application Networking Services). This means an ACE appliance is in your lab that you will need to configure. There is not much of interest going on there and you will not see a lot of points on that appliance. You will need to know the topics as described on the lab blueprint, and our workbook will focus a whole section on these specific topics.

The  last  components  are  used  for  management.  You  will  not  be  configuring  these  devices,  but  just  using  
them  from  your  student  workstation  to  access  the  network.  

• Cisco Catalyst Switch 3750 = management ethernet connections
• Cisco 2511 Terminal Server = console lines
 

What is not mentioned on the hardware blueprint list is that you will also need to be able to configure (or set up) the DCNM software that Cisco provides when you purchase enough Nexus equipment. Again, this is not extremely difficult, but you need to be aware of the basic configuration items related to this software.

Software  Versions  

• NXOS v6.0(2) on Nexus 7000 Switches
• NXOS v5.1(3) on Nexus 5000 Switches
• NXOS v4.2(1) on Nexus 1000v
• NXOS v5.2(2) on MDS 9222i Switches
• UCS Software release 2.0(1x) for UCS-6248 Fabric Interconnect and UCS system
• Software Release A5(1.0) for ACE 4710
• Cisco Data Center Manager software v5.2(2)
 

Above you'll find a reference overview of the software versions used. The exact versions are still unknown, and we might be using newer software versions because our IPexpert lab will be using quite new hardware for virtualization purposes. Within the Nexus 7000 we will be using the new Supervisor 2E, meaning that we are able to build 8 VDCs and 1 management VDC, which gives us enough flexibility for some challenging topologies!

The next chapter of this workbook, Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS), begins with the initial topic on the CCIE Data Center Blueprint regarding layer 2 switching, VLANs, Private-VLANs, Spanning-Tree and other layer 2 features on the NX-OS platform.

 

Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)
 

Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS) is intended to familiarize you with the NX-OS CLI on the Nexus switches and afterwards have you configure Layer 2 Ethernet features on the physical Nexus switches within the topology as shown at the beginning of this workbook. We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab. Our devices start with a blank configuration, which will not be the case when you are in the real lab. There, devices are staged with a configuration containing usernames/passwords, management IP addressing, core IP addressing and (possible) errors.

 

General  Rules  
• Try  to  diagram  out  the  task.  Draw  your  own  connections  the  way  you  like  it  

• Create  a  checklist  to  aid  as  you  work  thru  the  lab  

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  
particular  chapter  

Estimated  Time  to  Complete:        3  hours  

Pre-setup
• Connect  to  the  Nexus  7000  switch  and  Nexus  5000  switches  within  the  topology  

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctorlabs  
(www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  
detailed  below.  

Topology  

 

Configuration  tasks  

Task 1: General set-up


1. Erase  the  configuration  from  all  3  switches  and  reboot  and    

2. Configure the default parameters as mentioned in the Generic Lab Topology

3. Configure the Nexus 7000 switch with a hostname of “SW1-1” and the Nexus 5500 switches with hostnames of “SW2” and “SW3”

4. Ensure the switches will not perform any DNS lookups

5. Configure “ipexpert.com” as the DNS domain name

6. Ensure that both encrypted and unencrypted management connections are allowed

7. Save the configuration using the wr command

8. On SW1-1 configure a message, containing the hostname and warning unauthorized users, that is shown each time a user logs in

9. Use the serial number of “SW1-1” as the ID which is used to advertise the switch using CDP

10. Ensure only CDP version 2 packets are sent from “SW1-1”

11. Disable CDP on the management ethernet interface

12. Ensure a log message is generated when more than 999 packets per second are sent or received on the management ethernet interface

Task  2:  Implement  VLANs  


1. Configure all inter-switch links as described by the topology drawing at the beginning of this chapter to be in layer 2 trunk mode allowing VLANs 100 up to 499

2. After specifying the allowed range, remove VLAN 333 from this range with a single command, without specifying the previous range (or parts of it) again

3. Configure all switches to be in VTP domain “IPexpert”

4. Ensure VLANs are removed from switches that have no active hosts in that VLAN, except for VLAN 101. This VLAN 101 should always be active on the switch, not depending on this configuration task

5. Enable the latest version of VTP

6. Store the VTP database configuration with filename ‘ipexpert.dat’

7. Ensure SW2 and SW3 will have new VLANs being pushed by SW1-1 and are not able to create new VLANs by themselves

8. Secure the VTP protocol with a password of ‘ipexpert’

9. Create VLANs 101, 102, 103 and 104 and ensure they are visible on all switches

10. Assign names to all VLANs by format of “IPexpertVLAN#” where # is the VLAN number

11. Configure SW1-1 so the following output is matched (Ports section should show all active trunks):

SW1-1(config)# sh ip igmp snooping | in vlan
IGMP Snooping information for vlan 1
IGMP Snooping information for vlan 101
IGMP Snooping information for vlan 102
IGMP Snooping information for vlan 103
IGMP Snooping information for vlan 104
IGMP Snooping information for vlan 105
IGMP Snooping information for vlan 1002
IGMP Snooping information for vlan 1003
IGMP Snooping information for vlan 1004
IGMP Snooping information for vlan 1005
SW1-1(config)# sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
101  VLAN0101                         active
102  VLAN0102                         active
103  VLAN0103                         active
104  VLAN0104                         active
1002 fddi-default                     suspended
1003 token-ring-default               suspended
1004 fddinet-default                  suspended
1005 trnet-default                    suspended

SW1-1(config)#

Task 3: Implement Private-VLANs

Note: This lab will be using unused ports in the topology to simulate hosts being connected. For clarification of the tasks it’s advisable to read the entire task before starting your configuration.

1. A firewall is connected to Ethernet3/19 on SW1-1 which should receive all traffic from DMZ hosts. This port should be in VLAN 200. You are allowed to change configuration from the previous task to accomplish this.

2. Ensure that hosts in VLAN 201 are not able to communicate with each other, but only to the firewall connected to Ethernet3/19

3. Configure ports Ethernet3/20 and Ethernet3/21 in VLAN 201

4. Hosts in VLAN 202 and 203 are able to communicate to each other in the VLAN and to the firewall, but not to hosts in the other VLAN (202 can’t communicate with 203 and vice versa)

5. Configure ports Ethernet3/22 and Ethernet3/23 in VLAN 202. Configure ports Ethernet3/24 and Ethernet3/25 in VLAN 203

6. DMZ servers in VLAN 204 need to be secured. They are not allowed to communicate to each other, but they can communicate with the rest of the IP network by reaching a default gateway configured on SW1-1 with IP address 10.1.10.254/24

7. Hosts connected in VLAN 204 are connected on SW2. Configure the first trunk connection for this use. Configure Ethernet 1/21, 1/22 and 1/23 in VLAN 205 on SW2 and ensure they are able to reach the default gateway to the network. Hosts are not allowed to communicate to each other.

8. Other hosts of VLAN 201 and 202 are also connected to SW2. Use the second trunk connection between SW1 and SW2 for this use. The hosts of VLAN 201 are connected to ports Ethernet 1/24 and 1/25. The host of VLAN 202 is connected to Ethernet 1/26
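
An added example, not part of the workbook or its solutions guide: a small Python model of the reachability that Task 3 items 1-5 and 8 ask for, useful for sanity-checking a planned private-VLAN design before configuring it. It assumes VLAN 200 is the primary VLAN with Ethernet3/19 as its promiscuous port, VLAN 201 is an isolated VLAN, VLANs 202 and 203 are community VLANs, and the secondary VLANs are carried between SW1-1 and SW2; all function and variable names are hypothetical, and the VLAN 204 gateway of items 6-7 is left out.

```python
"""Reachability model for the Task 3 private-VLAN design (added example)."""
from itertools import combinations

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

# Firewall port from Task 3 item 1. Assumption: it is the promiscuous port
# of primary VLAN 200.
FIREWALL = ("SW1-1", "Ethernet3/19")

# Host port -> secondary VLAN, taken from Task 3 items 3, 5 and 8.
HOST_PORTS = {
    ("SW1-1", "Ethernet3/20"): 201,
    ("SW1-1", "Ethernet3/21"): 201,
    ("SW1-1", "Ethernet3/22"): 202,
    ("SW1-1", "Ethernet3/23"): 202,
    ("SW1-1", "Ethernet3/24"): 203,
    ("SW1-1", "Ethernet3/25"): 203,
    ("SW2", "Ethernet1/24"): 201,
    ("SW2", "Ethernet1/25"): 201,
    ("SW2", "Ethernet1/26"): 202,
}

# Assumption: the secondary VLAN types that satisfy items 2 and 4.
INTENDED_TYPES = {201: ISOLATED, 202: COMMUNITY, 203: COMMUNITY}


def role(port, types):
    """Private-VLAN role of a port under a given secondary-VLAN typing."""
    return PROMISCUOUS if port == FIREWALL else types[HOST_PORTS[port]]


def can_talk(a, b, types):
    """Layer 2 forwarding decision inside one private-VLAN domain.

    Promiscuous ports reach every port; community ports reach only their own
    community; isolated ports reach nothing but promiscuous ports. Because
    the secondary VLAN tag is assumed to be kept on the inter-switch trunk,
    the same rules hold between SW1-1 and SW2.
    """
    ra, rb = role(a, types), role(b, types)
    if PROMISCUOUS in (ra, rb):
        return True
    if ra == rb == COMMUNITY:
        return HOST_PORTS[a] == HOST_PORTS[b]
    return False


def required(a, b):
    """What Task 3 asks for, expressed by VLAN number only."""
    if FIREWALL in (a, b):
        return True  # every DMZ host must reach the firewall
    same_vlan = HOST_PORTS[a] == HOST_PORTS[b]
    return same_vlan and HOST_PORTS[a] in (202, 203)


def allowed_pairs(types):
    """All port pairs that can exchange frames under the given typing."""
    ports = [FIREWALL, *HOST_PORTS]
    return [(a, b) for a, b in combinations(ports, 2) if can_talk(a, b, types)]


def violations(types):
    """Port pairs whose modelled reachability differs from the task text."""
    ports = [FIREWALL, *HOST_PORTS]
    return [(a, b) for a, b in combinations(ports, 2)
            if can_talk(a, b, types) != required(a, b)]


if __name__ == "__main__":
    print("intended design violations:", violations(INTENDED_TYPES))
    # Failure mode: VLAN 201 mistakenly typed as community instead of isolated.
    wrong = {201: COMMUNITY, 202: COMMUNITY, 203: COMMUNITY}
    for a, b in violations(wrong):
        print("unexpected reachability:", a, "<->", b)
```

Running it prints an empty violation list for the intended typing and then every VLAN 201 host pair that becomes reachable when VLAN 201 is typed as a community VLAN.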

Task 4: Implement Rapid Spanning-Tree protocol

1. Ensure non-core-facing interfaces on SW2 and SW3 are not generating any spanning-tree topology changes

2. Configure SW2 to be the root bridge for VLAN 101 and SW3 to be the backup root bridge

3. Ensure all switches are using optimal spanning-tree timers for the size of the layer 2 network to optimize network convergence. Do not configure timer values to complete this task.

4. Configure SW1 to be the root bridge for VLAN 102

5. Ensure that new bridges with a default spanning-tree configuration will never be elected as a root bridge in VLAN 102 when SW1 fails

6. When traffic steering is necessary, you are required to use values higher than 100,000

7. Configure the network in such a way that SW1 is using SW3 as the best path towards the root bridge of the network in VLAN 101

8. Ensure that the last interface (fourth link) between all switches is used as primary

9. Configure spanning-tree of VLAN 103 to converge in the shortest time possible

10. Configure all inter-switch-links to utilize IEEE 802.1w ‘Rapid Connectivity’

11. Remove all spanning-tree related configuration from interfaces and global configuration on all switches before continuing with the next task

Task  5:  Implement  Multiple  Spanning-­‐Tree  protocol  


1. Configure  SW1,  SW2  and  SW3  to  run  the  IEEE  802.1s  protocol  

2. Configure  the  following  parameters  on  SW1    

3. MST  name  of  IPexpert    

4. MST  configuration  number  of  5

5. Map  VLAN  10  through  99  to  instance  1  

6. Map  VLAN  100  through  199  to  instance  2  

7. Map  VLAN  800  through  1299  to  instance  3  

8. Ensure  MST  is  functioning  properly  on  all  switches  

9. Assume  Private  VLANs  are  in  use.  Ensure  that  all  secondary  VLANs  are  in  the  same  MSTI  as  their  
associated  primary  VLAN  

10. Configure  SW2  to  be  the  root  bridge  for  instance  1  by  configuring  the  lowest  possible  value  

11. Try  making  SW3  the  primary  root  bridge  for  instance  1  using  the  dedicated  command  for  this.  
What  happens?  

12. Make  SW3  the  backup  root  bridge  for  instance  1.  You  are  allowed  to  configure  other  switches,  
but  not  SW3.  

13. Ensure  all  switches  are  using  optimal  spanning-­‐tree  timers  for  the  size  of  the  layer  2  network  to  
optimize  network  convergence.  

14. When  traffic  steering  is  necessary,  you  are  required  to  use  values  higher  than  100,000  

15. Configure  the  network  in  such  a  way  that  SW1  is  using  SW3  as  the  best  path  towards  the  root  
bridge  of  the  network  in  instance  2  

16. Ensure  that  all  instances  use  a  different  interface  between  the  switches  to  ensure  load  balancing  
between  instances.  Meaning  instance  0  uses  interface  1,  etc.    


17. Ensure  BPDUs  are  discarded  when  the  network  is  larger  than  10  hops  

18. Assume  a  switch  with  an  old  version  of  software  is  connected  to  Ethernet  1/16  on  SW2.  
Configure  this  interface  to  pro-­‐actively  send  pre-­‐standard  MST  messages    

Task  6:  Spanning-­‐Tree  and  UDLD  features  


1. Configure  SW3  so  that  all  ports,  when  not  configured  individually,  are  seen  as  network  edge  
ports  

2. Configure  Ethernet  1/10  on  SW3  so  the  port  is  put  in  error-­‐disabled  state  when  spanning-­‐tree  
packets  are  received  

3. Configure  Ethernet1/11  on  SW3  so  the  port  will  never  process  spanning-­‐tree  protocol  data  
units,  but  will  allow  other  layer  2  frames  

4. Ensure  that  Ethernet  1/10  on  SW2  will  also  never  process  spanning-­‐tree  protocol  packets,  but  
you  are  not  allowed  to  configure  the  command  required  for  this  directly  under  the  interface  

5. Ensure  Ethernet  1/11  on  SW2  will  never  become  a  root  port  on  the  switch  

6. Ethernet1/12  on  SW2  should  never  become  the  designated  port  of  the  LAN  segment  

7. Assume the network is running MST and Ethernet 1/13 on SW3 is connected to a Rapid-PVST+
network. Ensure that this port will fail to interoperate with this other kind of spanning-tree
protocol for security reasons.

8. Use  a  Cisco-­‐proprietary  protocol  which  allows  devices  that  are  connected  through  fiber  or  
copper  cables  to  monitor  the  physical  configuration  of  the  cables  and  detect  when  a  
unidirectional  link  exists  on  Ethernet  1/12  on  SW3  

9. Use  a  method  on  Ethernet  1/12  on  SW3  which  disables  one  of  the  ports  on  the  link,  which  
prevents  traffic  from  being  discarded.  

Task  7:  Fabric  Extenders  


1. Use  SW2  and  FEX1  for  these  tasks  

2. Name  the  fabric  extender  as  “IPexpert Fabric Extender 1”  

3. Ensure the LED on the FEX starts blinking to make it easier to locate the FEX in a rack

4. Ensure  the  output  of  the  following  show  command  is  matched  on  SW2:  


SW2# show interface port-channel 4 fex-intf


Fabric FEX
Interface Interfaces
---------------------------------------------------
Po4 Eth101/1/48 Eth101/1/47 Eth101/1/46 Eth101/1/45
Eth101/1/44 Eth101/1/43 Eth101/1/42 Eth101/1/41
Eth101/1/40 Eth101/1/39 Eth101/1/38 Eth101/1/37
Eth101/1/36 Eth101/1/35 Eth101/1/34 Eth101/1/33
Eth101/1/32 Eth101/1/31 Eth101/1/30 Eth101/1/29
Eth101/1/28 Eth101/1/27 Eth101/1/26 Eth101/1/25
Eth101/1/24 Eth101/1/23 Eth101/1/22 Eth101/1/21
Eth101/1/20 Eth101/1/19 Eth101/1/18 Eth101/1/17
Eth101/1/16 Eth101/1/15 Eth101/1/14 Eth101/1/13
Eth101/1/12 Eth101/1/11 Eth101/1/10 Eth101/1/9
Eth101/1/8 Eth101/1/7 Eth101/1/6 Eth101/1/5
Eth101/1/4 Eth101/1/3 Eth101/1/2 Eth101/1/1

Task  8:  Misc  features  


1. Read  this  whole  section  first,  before  starting  your  configuration!  

2. Configure  Ethernet  5/16,  5/17  and  5/18  on  SW1-­‐1  with  the  settings  from  the  following  bullets  (3  
through  6).    

3. Layer  2  trunk  port  with  VLAN  101  through  104  allowed  

4. Rx  flowcontrol  should  be  enabled  

5. Disable  the  automatic  cross/straight  cable  detection  

6. ‘show  interface’  should  show  usage  statistics  using  sampling  intervals  of  30,  60  and  120  seconds  

7. You  are  only  allowed  to  have  the  settings  for  these  interfaces  showing  up  once  in  the  
configuration  


 
Chapter 3: Data Center Networking Layer 3 Infrastructure (NX-OS)
 

Chapter 3: Data Center Networking Layer 3 Infrastructure is intended to familiarize you with the
NX-OS Layer 3 features on the Nexus platforms used to create a basic routed network. The second part of
this chapter consists of Data Center extension and Layer 2 routing features. We highly recommend
creating your own diagram at the beginning of each lab so you are able to draw on your own diagram,
making it much easier when you step into the real lab. The lab is divided into two parts. During the first
tasks you will configure a dynamically routed layer 3 network using the EIGRP and OSPF protocols. The
second part of this chapter is based on the Cisco proprietary technologies FabricPath and OTV. Multiple
topology drawings are available for this chapter.

 
 


General  Rules  
• Try  to  diagram  out  the  task.  Draw  your  own  connections  the  way  you  like  it  

• Create  a  checklist  to  aid  as  you  work  thru  the  lab  

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  
particular  chapter  

Estimated  Time  to  Complete:        3  hours  

Pre-­‐setup  
• Connect  to  the  Nexus  7000  switch  and  Nexus  5000  switches  within  the  topology  

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• Load  the  initial  configuration  of  Chapter  2  on  the  Nexus  7000  switch  to  stage  the  Virtual  Device  
Contexts  needed  for  this  lab  

• When  starting  the  second  part  of  this  lab  for  configuring  Fabric  Path  and  OTV  the  second  set  of  
initial  configuration  should  be  loaded  on  the  Nexus  7000  to  create  a  different  topology  with  
Virtual  Device  Contexts  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  Labs  
(www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  
detailed  below  


Drawing  1:  Physical  Topology  Routing  

 
Drawing  2:  Logical  Routing  Topology  


Configuration  tasks  

Task  1:  Layer  3  topology  set-­‐up  


• Configure the Nexus 5500 switches with hostnames of “SW2” and “SW3”. The Nexus 7000 VDCs
should already have hostnames through the loading of the initial configuration. Use switchto vdc
and switchback to move between different switches on the Nexus 7000.

• Configure  all  switches  so  they  can  all  carry  the  layer  2  VLANs  as  described  in  drawing 1  

• Configure  sufficient  inter-­‐switch-­‐links  to  carry  the  VLANs  between  the  switches  

• Configure  IP  addressing  on  SVI  and  physical  interfaces  according  to  drawing 1

• Configure  all  switches  to  have  a  Loopback0  interface  with  an  IP  address  of  198.18.0.Z/32  
where  Z  is  the  router  number  /  host  address  as  specified  in  drawing 1  

Task  2:  Static  routing  


• Ensure  SW1-­‐3  can  ping  the  loopback  address  of  SW1-­‐4  from  its  own  loopback  address  

• SW1-­‐1  should  be  able  to  ping  the  loopback  address  of  SW1-­‐2  and  vice  versa  without  using  the  
directly  connected  link  between  those  switches,  but  should  use  the  path  over  SW1-­‐3  and  SW1-­‐4  
for  this  

• Configure  SW1-­‐2  to  be  a  blackhole  for  the  192.0.1.0/24  prefix.  Give  this  entry  a  tag  of  666 and  
an  increased  preference  of +1

• Ensure  that  all  layer  3  interfaces  on  SW1-­‐2  do  not  send  out  any  unreachable  messages  

• Remove  all  static  routes  before  continuing  with  the  next  tasks  

Task  3:  EIGRP  


• Configure  a  secure  EIGRP  adjacency  between  SW1-­‐2  and  SW1-­‐4  

• Ensure  Loopbacks  are  reachable  and  dynamically  advertised.  Ensure  that  there  are  no  attempts  
to  make  adjacencies  on  the  Loopback  interfaces.  

• Use  64999  as  autonomous  system  number  and  IPEXPERT  as  the  EIGRP  process  name  


• Configure 4 static routes for 198.18.4.0/24 through 198.18.7.0/24 on SW1-4 and ensure they are
reachable through a single EIGRP routing entry on SW1-2. Besides the single entry, the
198.18.5.0/24 network should also be seen in the routing table of SW1-2.

• Use  wide  metrics  with  a  scaling  factor  of  64  

• Change the bandwidth that EIGRP may use on an interface to 10% lower than the default

• Update  the  link  between  SW1-­‐2  and  SW1-­‐4  so  the  EIGRP  neighbor  is  declared  down  after  4  hello  
packets.  You  are  only  allowed  to  change  configuration  on  SW1-­‐2  to  accomplish  this  

• Routes  which  are  declared  active  should  become  Stuck in Active  after  5  minutes  

• Routes  should  be  advertised  as  unreachable  when  there  are  more  than  50  hops  in  the  network  

• Update  the  K3  value  on  the  SW1-­‐2  to  SW1-­‐4  interfaces  to  500  

Task  4:  OSPF  


• Configure  the  OSPF  network  as  shown  in  drawing 2.  Use  the  dotted  decimal  notation  to  
configure  area 264  

• Ensure  that  all  OSPF  routers  can  reach  each  other’s  Loopback  addresses  

• Ignore  the  MTU  size  between  SW1-­‐1  and  SW1-­‐3  when  forming  an  adjacency  

• Ensure  that  SW2  will  never  become  a  designated  router  on  any  OSPF  interface  

• Ensure  that  SW3  will  never  become  a  designated  router  on  any  OSPF  interface  

• Ensure  all  adjacencies  in  area  0  are  secured  using  a  hashed  version  of  “IPexpertSecure”  

• Ensure  area  1  is  secure  using  a  simple-­‐text-­‐password  of  “IPexpert”

• Configure  4  additional  Loopback  interfaces  on  SW2  with  IP  addresses  of  198.18.128.1/24
through  198.18.131.1/24  and  ensure  they  are  seen  as  a  single  entry  in  the  backbone  area  
and  other  areas  without  overlapping  other  IP  space  

• Configure  a  Loopback1  interface  on  SW1-­‐3  with  an  IP  address  of  198.18.13.1/24  and  
ensure  this  whole  subnet  is  seen  throughout  the  layer  3  network  

• Type  3,  4  and  5  LSA’s  are  not  allowed  in  area  1  

• Ensure  that  routers  do  not  attract  traffic  for  2  minutes  after  booting  up  


Task  5:  Redistribution,  BFD  and  ECMP  


• Configure  redistribution  between  EIGRP  and  OSPF  on  SW1-­‐4  and  SW1-­‐2  

• Ensure  full  reachability  is  achieved  while  maintaining  all  requirements  from  previous  tasks  

• Ensure  all  links  towards  area  0  are  used  when  traffic  is  exiting  area  1  

• Ensure  that  all  Dynamic  Routing  adjacencies  on  SW1-­‐2  towards  adjacent  devices  are  terminated  
using  a  dedicated  detection  protocol  

• BFD  sessions  between  SW1-­‐2  and  SW3  should  be  secured  using  a  hashed  key  of  
“IPexpertSecure”  

• Ensure  neighbor  failures  on  SW1-­‐2  are  detected  within  300ms  

• Configure  OSPF  and  EIGRP  so  they  use  the  dedicated  fast-­‐hello  failure  detection  mechanism  

Task  6:  Layer  3  switching  features  


• Ensure  a  static  layer  2  to  layer  3  mapping  is  created  on  VLAN  112  on  SW1-­‐1  for  
198.18.112.24  to  mac  address  abcd.1234.5678  

• Configure SW2 so that it detects duplicate IP addresses and updates its cache on
Ethernet1/5

• Ensure that SW1-1 reserves space for 2750 outstanding ARP entries in the ASIC to prevent ARP
replies from being dropped when they are returned and an attempt is made to install them in the
ASIC hardware

• Configure  all  switches  so  they  use  RFC 1191  


Drawing  3:  FabricPath  /  OTV  Topology    

 
 

Task  7:  FabricPath  and  OTV  


• Load  the  initial  configuration  file  for  part 2 of chapter 2,  which  will  create  a  topology  
according  to  drawing 3  

• Create  VLAN  666  on  all  relevant  switches  in  the  topology  

• Ensure  hosts  on  VLAN  666  can  communicate  via  layer  2  on  all  4  edge  switches  using  the  
technologies  as  mentioned  in  drawing 3

• Use  the  198.18.10.0/24  subnet  when  a  layer  3  link  is  required  in  the  topology  

• Configure  VLAN  interfaces  (SVIs)  with  the  following  IP  addresses:  


SW2:  198.18.66.1/24  
SW3:  198.18.66.2/24  
SW1-­‐3:  198.18.66.3/24  
SW1-­‐4:  198.18.66.4/24

• Ensure  traffic  is  using  all  links  between  the  switches  to  reach  from  SW2  and  SW3  to  SW1-­‐3  and  
SW1-­‐4  


• Verify  this  task  is  completed  successfully  by  being  able  to  ping  all  198.18.66.x  interfaces  of  
all  edge  switches  


 
Chapter 4: Data Center Networking High Availability (NX-OS)
 
Chapter 4: Data Center Networking High Availability (NX-OS) is intended to familiarize you with the
NX-OS High Availability features on the Nexus platforms used to create a highly available network.
Various types of deployments of Port-channels and Virtual Port-channels are discussed in this chapter.
The second part of this chapter focuses on First Hop Redundancy Protocols (FHRPs) and the high
availability features of dynamic routing protocols. The third part focuses on a special implementation
of virtual port-channels in FabricPath networks.

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  
on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  

Multiple  topology  drawings  are  available  for  this  chapter.  


General  Rules  
• Try  to  diagram  out  the  task.  Draw  your  own  connections  the  way  you  like  it  

• Create  a  checklist  to  aid  as  you  work  thru  the  lab  

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  
particular  chapter  

Estimated  Time  to  Complete:        3  hours  

Pre-­‐setup  
• Connect  to  the  Nexus  7000  switch  and  Nexus  5000  switches  within  the  topology  

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• Load  the  initial  configuration  of  Chapter  4  on  the  Nexus  7000  switch  to  stage  the  Virtual  Device  
Contexts  needed  for  this  lab  

• When  starting  the  third  part  of  this  lab  regarding  virtual  Port-­‐Channels  within  FabricPath  
networks  the  second  set  of  initial  configuration  should  be  loaded  on  the  Nexus  7000  to  create  a  
different  topology  with  Virtual  Device  Contexts  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  Labs  
(www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  
detailed  below  


Drawing  1:  Physical  Topology  

 
 
 
 
 
 
 
 
 
 
 


Drawing  2:  Logical  Topology  


 


Configuration  tasks  

Task  1:  Topology  set-­‐up  


1. Configure the Nexus 5500 switches with hostnames of “SW2” and “SW3”. The Nexus 7000 VDCs
should already have hostnames through the loading of the initial configuration. Use switchto vdc
and switchback to move between different switches on the Nexus 7000.

2. Create the VLANs that are required on the switches as shown in drawing 2

3. Configure  IP  addressing  on  SVI  and  interfaces  according  to  drawing 2

4. Configure  all  switches  to  have  a  Loopback0  interface  with  an  IP  address  of  198.18.0.Z/32  
where  Z  is  the  router  number  /  host  address  as  specified  in  drawing 2

Task  2:  Port-­‐Channels  


1. Configure Ethernet3/1 and Ethernet3/2 on SW1-1 and Ethernet1/1 and Ethernet1/2 on SW2 to be a
single logical connection to carry the VLAN required as stated in drawing 2. Use number 1 for this
connection.

2. Configure Ethernet3/5 and Ethernet3/6 on SW1-2 and Ethernet1/1 and Ethernet1/2 on SW3 to be a
single logical connection to carry the VLAN required as stated in drawing 2. Use number 2 for this
connection.

3. Configure logical interface 1 to negotiate its bundling capabilities between the
switches

4. SW2 should never actively start negotiating link bundling

5. Logical interface 1 is used for bandwidth reasons and should therefore shut down
when there is less than 20Gbps capacity available in the bundle

6. Logical interface 1  should  mark  interfaces  as  hot-­‐standby  when  additional  interfaces  
are  added  to  the  bundle  

7. Configure  Ethernet1/5  and  Ethernet1/6  on  SW2  and  SW3  to  negotiate  a  link  bundle.  Use  
number 3  for  this  interface.  

8. Configure  logical interface 3  with  IP  addressing  in  the  198.18.23.0/24  subnet.  
Use  host  IP  addresses  as  previously  used  for  these  switches.  

9. Ensure that when no dynamic link bundling advertisements are received on an interface in
logical interface 3, the physical interface is brought up in an Individual state.


10. There  are  plans  to  increase  the  capacity  between  SW2  and  SW3  to  80Gbps  with  additional  
interfaces  for  resiliency  purposes.  Ensure  that  Ethernet1/5 is  always  chosen  to  participate  
in  the  bundle  and  Ethernet1/6  should  be  selected  as  a  hot-­‐standby  link  when  additional  
interfaces  are  added  to  the  bundle.  

11. Logical interface 3  should  use  a  very  fast  detection  mechanism  to  signal  the  removal  of  
an  interface  in  the  bundle  

12. Configure SW2 and SW3 to load-balance between the interfaces in link-bundles using as much
packet header information as possible.

13. Remove  any  configuration  related  to  interface  bundle 1  and  2  from  the  switches  before  
continuing  with  the  next  task  

Task  3:  Virtual  Port-­‐channels  (vPCs)  


1. Ensure  it’s  possible  to  create  Multi-­‐Chassis  Link  Aggregation  Groups  (link  bundles)  on  SW1-1
and  SW1-2.  Use  ID 100  for  this.  

2. SW1-2  should  be  the  primary  device  

3. Ensure  it’s  possible  to  create  Multi-­‐Chassis  Link  Aggregation  Groups  (link  bundles)  on  SW2  and  
SW3.  Use  ID 200  for  this.  

4. Send  keep  alive  messages  across  the  mgmt0  interfaces  of  domain 200  switches  

5. Use  a  dedicated  SVI  with  IP  addressing  in  the  subnet  of  198.18.5.0/24  to  send  keep  alive  
messages  between  switches  in  domain 100.  Ensure  that  the  keep  alive  messages  are  not  
using  the  global  IP  routing  table.  Use  Ethernet3/10  on  SW1-1  and  Ethernet 3/12  on  
SW1-2  for  this.  

6. Configure  Ethernet3/9    on  SW1-1  and  Ethernet3/11 on  SW1-2  as  peer-­‐link  

7. Bundle  Ethernet1/7  and  Ethernet1/8  on  SW2  and  SW3  and  configure  this  as  the  peer-­‐
link  

8. Ensure  domain 100  brings  up  its  vPCs  once  a  peer  fails  or  reboots.  Delay  this  process  for  5
minutes.  

9. SW2  and  SW3  should  be  seen  as  a  single  Spanning-­‐Tree  root  with  a  priority  of  8192  

10. Configure an MC-LAG connection between SW1-1, SW1-2 and SW2. Use Ethernet3/1 on
SW1-1, Ethernet3/3 on SW1-2, and Ethernet1/1 and Ethernet 1/2 on SW2. Use
number 101 for this connection


11. Configure  a  vPC  connection  between  SW2,  SW3  and  SW1-2.  Use  Ethernet3/5  and  
Ethernet3/7  on  SW1-2,  Ethernet1/3  on  SW2  and  Ethernet1/3 on  SW3.  Use  number  
102  for  this  connection.  

12. Use  the  remaining  connections  between  SW1-1, SW1-2, SW2 and  SW3  and  bundle  them  in  
a  single  logical  interface  with  number  103.    

13. Ensure  all  VLANs  required  for  Drawing 2  are  allowed  on  the  vPC  links  

14. Use  1234.5678.90ab  as  the  single  MAC  address  that  is  used  for  the  identification  of  domain  
100 LACP  packets    

Task  4:  Graceful  Restart  /  Non-­‐Stop  Forwarding  


1. Configure  dynamic  routing  protocols  according  to  drawing 2.  Ensure  Loopback  interfaces  of  
SW2  and  SW1-1  can  ping  each  other  and  SW1-2  and  SW3  can  ping  each  other  

2. Ensure  that  the  routers  running  OSPF  keep  their  routing  information  and  keep  forwarding  traffic  
to  neighbors  when  they  are  rebooting  

3. An  older  router  that  will  take  a  little  over  2 minutes  to  reboot  will  be  connected  to  SW2.  
Ensure  that  your  configuration  supports  this  

4. Ensure  that  SW3  supports  ISSU  

5. SW3  should  keep  routes  from  restarting  neighbors  for 5 minutes    

6. Signal  a  restart  as  fast  as  possible  on  SW3

Task  5:  HSRP  


1. Ensure  that  hosts  on  VLAN 111  are  always  able  to  reach  their  default  gateway,  when  one  of  
the  2  switches  fails  

2. Use  a  Cisco  proprietary  protocol  for  this  use,  which  uses  a  single  active  default  gateway  

3. Use  the  .1  host  IP  address  as  the  default  gateway  for  this  network  segment  

4. Make  the  switches  primary  and  backup  according  to  the  best  practice  

5. Use a hashed key of “IPexpertYEAR1” to secure this protocol from now until December 31st
the same year. On January 1st one year later the key should change to “IPexpertYEAR2”.
Ensure that switches keep accepting the old key for at least 2 more hours


6. When the backup switch is active and the primary switch comes back online after a reboot,
ensure that it will take back the active role after the switch is up for 3 minutes

7. Give this process a name of “IPexpertVLAN111”

8. A switch should declare its neighbor down within 1 second

9. When one of the Ethernet uplinks fails the priority should be lowered by 1/10th of the
configured priority value

10. When  a  second  Ethernet  uplink  fails  the  switch  should  stop  forwarding  Layer  3  traffic  and  send  
traffic  across  the  vPC  peer-­‐link  

11. The  default  gateway  MAC  address  should  be  the  MAC  address  of  one  of  the  physical  Ethernet  
interfaces  

Task  6:  VRRP  


1. Ensure  that  hosts  on  VLAN 121  are  always  able  to  reach  their  default  gateway,  when  one  of  
the  2  switches  fails  

2. Use  a  standards  based  protocol  for  this  use,  which  uses  a  single  active  default  gateway  

3. When  clients  on  VLAN 121  issue  an  ARP  request  for  the  Default  Gateway  it  should  respond  
with  MAC  address  0000.5E00.0174 without  configuring  this  MAC  address  in  the  
configuration  

4. Use  the  .254  host  IP  address  as  the  default  gateway  for  this  network  segment  

5. Configure  SW1-2  as  the  primary  switch  using  a  value  of  200  

6. Use  a  clear  text  password  of  “IPexpert”  to  secure  the  protocol  

7. Ensure  a  higher  priority  backup  router  does  not  take  over  the  role  of  a  lower  priority  active  
router.  Configure  this  only  on  the  current  primary  switch.  

8. Ensure  that  SW1-2  becomes  the  standby  router  after  30  seconds,  when  the  Loopback  address  
of  SW3  disappears  from  the  routing-­‐table  

9. Switches  should  declare  their  neighbors  down  in  10 seconds  


Task  7:  GLBP  


1. Ensure  that  hosts  on  VLAN 222  are  always  able  to  reach  their  default  gateway,  when  one  of  
the  2  switches  fails  

2. Use  a  load  balancing  Cisco  proprietary  protocol  

3. Use  the  .55  host  IP  address  as  the  default  gateway  for  this  network  segment  

4. Both  routers  should  be  capable  of  forwarding  traffic.    

5. SW1-1  should  be  answering  all  ARP  requests  

6. When  the  Loopback  address  of  one  of  the  upstream  switches  disappears  from  the  routing  table  
the  switches  should  no  longer  be  AVF  

7. Delay  the  take  over  of  the  AVF  role  for  a  standby  switch  for  3 minutes  if  any  current  AVF  
fails  

8. The  router  should  become  the  AVG  after  30 seconds  if  it  has  a  higher  priority  than  the  
current  AVG  

9. Ensure  the  routers  support  In-­‐Service-­‐Software-­‐Upgrades  


Task  8:  Virtual  Port-­‐Channels  (vPCs)  and  FabricPath  


1. Load  the  initial  configuration  of  Chapter 4 Task 8  on  the  Nexus  7000  switch  to  stage  the  
Virtual  Device  Contexts  needed  for  this  lab  

2. Configure  the  FabricPath  network  to  stretch  VLAN  666  between  all  Leaf  switches  

3. Ensure  the  PC  connected  to  SW2  and  SW3  is  able  to  connect  using  a  virtual  Port-­‐Channel  with  
number 100  on  all  places  where  necessary  to  configure  a  number  

 
 


 
Chapter 5: Data Center Storage Networking
 
Chapter 5: Data Center Storage Networking is intended to familiarize you with the Storage
Networking features on the Cisco MDS switches by configuring traditional Fibre Channel networks and
basic Fibre Channel features.

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  
on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  

Multiple  topology  drawings  are  available  for  this  chapter.  

 
 

 
 
 
 


General  Rules  
• Try  to  diagram  out  the  task.  Draw  your  own  connections  the  way  you  like  it  

• Create  a  checklist  to  aid  as  you  work  thru  the  lab  

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  
particular  chapter  

Estimated  Time  to  Complete:        5  hours  

Pre-­‐setup  
• Connect  to  the  MDS  switches  within  the  topology  

• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• The  switches  start  with  a  blank  configuration.  You  will  be  creating  parts  of  your  own  Initial  
Configuration  for  later  labs.  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  Labs  
(www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  as  
detailed  below  


Drawing  1:  Physical  Topology  


Configuration  tasks  

Task  1:  Initial  set-­‐up  


1. Give  the  MDS  switches  in  the  topology  the  following  hostnames:  MDS1,  MDS2.  Configure  the  
default  username  and  password  according  to  the  generic  lab  topology  

2. Ensure  that  they  can  be  reached  through  the  management  network  using  IP  addresses  in  the  
range  as  stated  in  the  initial  set-­‐up  information  at  the  beginning  of  the  workbook.  Use  Host  IP  
addresses  of  .10  and  .11

3. Use  the  default  gateway  of  the  management  subnet  as  Time  Synchronization  server  

4. Do  not  use  any  automatic  selection  of  interface  type  for  this  lab,  unless  specifically  stated  

5. Do not use automatic speed selection for interfaces

6. Use  200MBps  connections  towards  the  JBODs

7. JBODs  on  MDS2  should  automatically  detect  the  interface  speeds  

8. Ensure  Fabric Logins  are  done  by  the  connected  JBODs  

9. Enable  the  links  between  the  MDS  switches  as  standard  based  ISLs  

10. Configure a descriptive name on all interfaces consisting of the name and port of the device
which is connected. You are prohibited from using the ‘description’ command.

11. Ensure the connection towards JBOD1 is easily physically located on MDS1

12. The fiber connected to fc1/10 is of low quality causing errors on the interface. Ensure the
switch does not go into err-disable state for this reason.

13. Ensure  that  interfaces  on  the  MDS  switches  are  shutdown  when  no  configuration  is  applied  to  
them  

14. All  disks  inside  of  the  JBODs  should  be  identified  on  the  MDS  switches  with  a  simple  name  in  the  
form  of  JxDy  where  X  is  the  JBOD  number  and  Y  is  the  disk  number.    

15. The  simple  device  names  should  be  seen  on  both  MDS  switches,  by  only  configuring  one  of  the  
switches.  The  names  should  not  be  VSAN  dependent.  

16. Ensure  applications  that  use  the  simple  names  will  follow  changes  to  the  database  

17. Interface fc1/1 on MDS1 will be used for a long reach link. Enable as many credit
buffers as possible and enable recovery of credits


18. JBOD1  on  MDS1  is  only  allowed  to  send  packets  with  a  maximum  size  of  2000  bytes  

19. Enable  B2B  credit  state  change  numbers  on  all  JBOD  interfaces  

Task  2:  VSANs  


1. Create  VSAN  10,  20,  30  and  40  with  names  of  “IPX_VSAN_#”,  where  #  is  the  VSAN  number  

2. Configure fc1/5 on MDS1 and fc1/6 on MDS2 in VSAN 10

3. Configure  fc1/5  on  MDS2  and  fc1/6  on  MDS1  in  VSAN 20  

4. Ensure that WWPN 20:11:00:0a:31:00:aa:de is automatically placed in VSAN 30
when it comes online anywhere in the Fibre Channel fabric

5. Ensure  that  J1D1  is  automatically  placed  in  VSAN 40  when  it  comes  online  in  the  fabric  

6. MDS1  should  use  the  Source  and  Destination  FCID  for  load  balancing  across  equal  cost  paths  in  
VSAN 10  

7. MDS2 should use Exchange based load balancing across different interfaces in a port-channel in
VSAN 20

8. Ensure  that  all  ISLs  of  the  MDS  switches  are  capable  of  transferring  multiple  VSANs  across  the  
same  interface  

9. Configure  fc1/1  and  fc1/3  on  both  MDS  switches  as  a  single  logical  connection  using  number  
101

10. Interfaces  fc1/1  and  fc1/3  should  negotiate  their  bundling  capabilities  

11. Create  a  single  logical  connection  consisting  of  fc1/2  and  fc1/4  on  both  MDS1 and MDS2  
switches  with  number  127  

12. VSAN 30  should  only  use  the  logical  interface  127  

13. VSAN 40  should  only  use  logical  interface  101  

14. VSAN 10  and  VSAN 20  should  be  able  to  cross  both  ISL  bundles  between  the  MDS  switches  

15. VSAN 10 should always use bundle 101 as its primary connection to the other MDS

16. VSAN 20 should always use the bundle 127 as its primary connection to the other MDS

17. Packets traversing VSAN 30 should be guaranteed to reach their destination in the same order
in which they left the source.


18. Traffic  between  J1D1  and  J2D2  in  VSAN 10  should  always  use  the  bundle 127 as  long  as  
the  interface  is  up  

19. The  Lowest  domain ID  in  VSAN 20  should  be  the  Multicast  root  switch  

20. Use  incremental  Dijkstra  algorithm  calculations  in  VSAN 30  

21. Prevent  unused  ports  from  using  the  Default  VSAN

22. Configure  an  IP  connection  between  the  MDS  switches  across  the  ISL  links.  Use  VSAN 50 for  
this  use,  which  can  flow  across  all  ISLs.  Use  an  IP  subnet  of  198.18.50.x/24  with  .1  and  
.2  as  host  IP  addresses  

Task  3:  Zoning  


1. Configure  zoning  in  VSAN 10  so  the  following  disks  are  able  to  communicate,  ensure  that  the  
simple  names  are  kept  in  the  configuration:  

a. J1D2  

b. J1D3  

c. J1D4  

2. Configure  zoning  for  VSAN 10  so  the  following  disks  can  see  each  other,  use  the  WWPN  of  the  
disks:  

a. J1D5  

b. J1D6  

3. Ensure  all  disks  of  interface  fc1/6  on  MDS2  are  able  to  see  each  other  in  VSAN 10.  Perform  
the  configuration  on  MDS1.  

4. FC  frames  sent  to  a  destination  FCID  of  0xFFFFFF  should  only  arrive  at  disk  J1D5  and  J1D6  

5. Activate  the  zoning  in  VSAN 10

6. Copy  the  current  zoneset  of  VSAN 10.    

7. Remove  the  zone  created  in  question 3  from  the  just  copied  zoneset  and  add  another  
zone  that  adds  all  disks  of  JBOD2  using  their  FCIDs  

8. Ensure that this second zoneset is not activated, but is seen on both MDS switches. You are
not allowed to change any configuration on MDS1


9. Ensure  that  all  changes  to  all  zonesets  are  replicated  between  all  switches  in  VSAN 10  every  
time  a  zoneset  is  activated  

10. Use  zoning  compliant  with  FC-GS-4  and  FC-SW-3  in  VSAN 20  

11. Use  inline  zone  creation  for  VSAN 20  

12. Zoning  in  VSAN 20  should  ensure  that  the  following  disks  are  able  to  read  data  from  each  
other,  but  never  write:  

a. J2D1  

b. J2D2  

c. J2D3  

13. Create  a  zone  in  VSAN 20  that  ensures  the  following  disks  are  prioritized  over  other  disks  when  
ISLs  are  congested.  Use  the  FWWN  of  the  disks:  

a. J2D4  

b. J2D5  

14. When  devices  are  not  specified  in  zones  in  VSAN 20,  they  should  be  allowed  to  read  data  
from  each  other  

15. J2D5  LUN 19  and  J1D6  LUN 116  should  be  able  to  communicate  to  each  other  in  VSAN
20.  No  other  LUNs  on  those  disks  can  communicate  

16. Activate zoning in VSAN 20 and ensure it is seen on both MDS1 and MDS2

Task  4:  FC  Domain  


1. Configure  FC  Domain  IDs  in  VSAN 10.  MDS1  should  be  using  a  static  ID  of  34  and  MDS2  should  
prefer  to  use  an  ID  of  0x34,  but  can  use  a  different  one  when  this  is  already  taken  

2. Ensure  MDS1  is  the  principal  switch  in  VSAN 10

3. Domain  IDs  for  new  switches  should  be  handed  out  in  a  sequential  order  

4. Disruptive  restarts  from  other  switches  should  not  affect  MDS1

5. Ensure  the  J1D1  disk  in  VSAN 10  gets  assigned  an  FCID  in  the  range  of  0x222200  to  
0x2222FF

6. MDS2  should  be  assigning  Domain  IDs  to  other  switches  in  the  fabric  for  VSAN 20.  MDS2  
should  use  a  range  of  0xB0  to  0xCE.  


7. MDS1  should  prefer  a  Domain  ID  of  214  in  VSAN 20

8. Ensure  that  VSAN 30  is  prepared  for  fast-restart  
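Added example (not part of the workbook): Task 4 mixes decimal and hexadecimal domain IDs with an FCID range, so the Python sketch below decodes them and cross-checks the numbers against each other. Function names are hypothetical; it assumes the standard 24-bit FCID layout of domain, area and port bytes and the 1 to 239 domain ID range.

```python
# Added example: Fibre Channel address arithmetic for the values in Task 4.
# Function names are hypothetical; nothing here is switch configuration.

DOMAIN_MIN, DOMAIN_MAX = 1, 239  # valid FC domain IDs (0x01-0xEF)


def parse_domain_id(text):
    """Parse a domain ID written as decimal ('34') or hex ('0x34')."""
    value = int(text, 0)  # base 0 honours the 0x prefix
    if not DOMAIN_MIN <= value <= DOMAIN_MAX:
        raise ValueError(f"domain ID {text!r} is outside {DOMAIN_MIN}-{DOMAIN_MAX}")
    return value


def split_fcid(fcid):
    """Split a 24-bit FCID into its (domain, area, port) bytes."""
    if not 0 <= fcid <= 0xFFFFFF:
        raise ValueError(f"FCID {fcid:#x} does not fit in 24 bits")
    return (fcid >> 16) & 0xFF, (fcid >> 8) & 0xFF, fcid & 0xFF


def fcid_block(first, last):
    """Return (domain, area) when first..last is exactly one whole area."""
    d1, a1, p1 = split_fcid(first)
    d2, a2, p2 = split_fcid(last)
    if (d1, a1) != (d2, a2) or (p1, p2) != (0x00, 0xFF):
        raise ValueError("range is not a single area of 256 port values")
    return d1, a1


def domain_in_range(domain, low, high):
    """True when a domain ID lies inside an inclusive low..high range."""
    return low <= domain <= high


def check_task4():
    """Cross-check the Task 4 numbers as they are written in the workbook."""
    mds1_vsan10 = parse_domain_id("34")        # static ID, decimal
    mds2_vsan10 = parse_domain_id("0x34")      # preferred ID, hexadecimal
    j1d1_domain, j1d1_area = fcid_block(0x222200, 0x2222FF)
    low, high = parse_domain_id("0xB0"), parse_domain_id("0xCE")
    mds1_vsan20 = parse_domain_id("214")       # preferred ID, decimal
    return {
        "mds1_vsan10_domain": mds1_vsan10,
        "mds2_vsan10_preferred": mds2_vsan10,
        "j1d1_fcid_domain": j1d1_domain,
        "j1d1_fcid_area": j1d1_area,
        # The FCID range only makes sense on the switch that owns this domain.
        "j1d1_range_matches_mds1": j1d1_domain == mds1_vsan10,
        "vsan20_range": (low, high),
        "mds1_vsan20_preferred_in_range": domain_in_range(mds1_vsan20, low, high),
    }


if __name__ == "__main__":
    for key, value in check_task4().items():
        print(f"{key}: {value}")
```

The check shows that 34 and 0x34 are different domain IDs, and that the domain byte of the J1D1 FCID range is 0x22, which is 34 in decimal.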

Task  5:  Fibre  Channel  Security  Features  


1. Rogue  devices  cannot  be  connected  to  VSAN 10  other  than  the  current  JBODs  and  MDS  
switches.  Assume  you  are  not  aware  of  the  WWPNs  and  SWWNs  of  the  current  attached  devices  
and  switches.  

2. Prepare VSAN 10 so the following PWWNs that will be added in the future are able to access
the Fibre Channel network:

a. 20:00:00:A3:BF:33:11:33  on  MDS1  fc1/11  

b. 20:00:00:A3:DE:11:66:2B  on  MDS2  

c. 20:00:00:A3:FE:00:98:32  can  be  connected  to  either  MDS  

3. Configure  a  security  mechanism  in VSAN 20  to  ensure  all  devices  participating  are  manually  
configured  before  they  are  allowed  access.  You  are  only  allowed  to  change  configuration  on  
MDS1  for  this  task.  Be  as  specific  as  possible.  

4. No MDS switches other than MDS1 and MDS2 are allowed to participate in VSAN 30

5. Only  the  existing  Domain  IDs  are  allowed  to  be  used  in  VSAN 30  

6. Ensure the strongest Diffie-Hellman group is used between the MDS switches for link
authentication

7. Accept  a  password  of  ‘IPexpertMDS1’  on  MDS1  and  a  password  of  ‘IPexpertMDS2’  on  
MDS2.  Be  as  specific  as  possible.

8. MDS1  should  actively  initiate  authentication  requests  to  MDS2  on  fc1/1.  When  MDS2  fails  to  
respond  after  15  minutes  the  link  should  go  down.  MDS2  should  not  initiate  authentication  
requests  

9. Use an SHA1 hash on fc1/2 between the MDS switches. A fall-back to MD5 is supported. Both
MDS switches should actively start negotiating the authentication capabilities

10. Disable  authentication  on  the  second  member  of  port-channel 101  

11. The  link  fc1/4  is  authenticated,  but  it  is  not  a  strict  requirement  and  is  able  to  come  online  
without  any  authentication.  


Task  6:  Advanced  Features  


1. Assume that there is a topology with more than 2 MDS switches. Ensure that Cisco Call Home
configuration is distributed between all switches. MDS2 has its own call-home configuration and
should not be changed when other switches are changed. Other distributed configuration
should not be affected by this configuration

2. Your  manager  has  asked  you  to  come  up  with  a  list  of  all  SCSI  hosts  connected  to  VSAN 10.  
Save  this  list  to  a  file  called  ‘VSAN10hosts.txt’  on  the  flash  of  MDS1.  

3. The  list  of  SCSI  hosts  should  be  generated  every  24  hours  and  the  text  file  on  the  flash  should  be  
updated  with  the  updated  list.  

4. J1D1  and  J2D1  are  synchronized  with  each  other.  J1D1  is  the  primary  disk  and  J2D1  is  its  
backup.  Ensure  that  hosts  in  VSAN 10  can  automatically  keep  accessing  the  disk  when  the  
primary  fails.  When  the  failed  disk  is  replaced  and  working  again,  it  should  return  to  being  the  
primary  disk.  


 
Chapter 6: Data Center Storage Networking Extension
 
Chapter 6: Data Center Storage Networking Extension is intended to familiarize you with the
Storage Networking features on the Cisco MDS switches. This chapter covers configuring IP
features like iSCSI, iSLB and FCIP, including the relevant Security features for Fibre Channel extension
across IP connections. We highly recommend creating your own diagram at the beginning of each lab so
you are able to draw on your own diagram, making it much easier when you step into the real lab.
Multiple topology drawings are available for this chapter.


General  Rules  
• Try  to  diagram  out  the  task.  Draw  your  own  connections  the  way  you  like  it  

• Create a checklist to aid as you work through the lab

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  
particular  chapter  

Estimated  Time  to  Complete:        5  hours  


Pre-setup
 
• Connect  to  the  MDS  switches  within  the  topology  
• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• The   switches   start   with   a   blank   configuration.   You   will   be   creating   parts   of   your   own  
Initial  Configuration  for  later  labs.  
• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  
Labs  (www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  
tasks  as  detailed  below  
 

Drawing  1:  Physical  Topology  

 
 


Drawing  2:  Logical  Topology    


 


Configuration  tasks  

Task 1: Initial set-up


1. Leave the configurations of MDS1 and MDS2 intact from the previous exercises.

2. Configure  the  Nexus  5000  switches   SW2  and   SW3  with  the  VLANs  as  stated  in   Drawing
2.   MDS1   and   MDS2   should   be   able   to   communicate   over   these   VLANs   to   each   other  
across  SW2  and  SW3.  

3. Both   GigabitEthernet   interfaces   on   each   MDS   switch   should   have   access   to   all   VLANs  
required  in  this  lab  
4. When  required,  use  IP  addresses  in  the  range  of  198.18.X.Y/24  in  this  lab.  Where  X  
is  the  VLAN  number  and  Y  is  the  Host  address  as  stated  in  Drawing 2  
 

Task  2:  FCIP  

1. Configure an FCIP 1 connection between MDS1 and MDS2 using the
GigabitEthernet1/1 interface

2. You  are  only  allowed  to  use  1  TCP  connection  


3. VSAN 10  and  20  may  be  transported  across  this  connection  

4. Make  sure  MDS1  always  initiates  the  connection  


5. Use a non-default port for the FCIP 1 connection

6. When GigabitEthernet1/1 fails, the GigabitEthernet1/2 interface should
automatically take over the FCIP 1 connection. You are not allowed to change the
FCIP configuration to accomplish this. The use of port-channels for this question is
prohibited.

7. Create an FCIP 2 connection between MDS1 and MDS2 using the
GigabitEthernet1/2 interface

8. Ensure  this  connection  will  receive  a  higher  QoS  priority  than  FCIP 1  
9. VSAN 10, 20  and  50  may  be  transported  across  this  connection    

10. Ensure   VSAN 10   uses   FCIP 1   as   primary   link   and   VSAN 20   uses FCIP 2   as   the  
primary  link  on  MDS1,  where  MDS2  is  configured  vice  versa  

11. The   FCIP 2  tunnel  should  be  brought  down  when  no  TCP  packets  are  received  for  90  
seconds  


12. The  FCIP 2  connection  should  use  the  highest  possible  compression  

13. Ensure FCIP 1 supports a method that sends R_RDY messages locally, so that
write actions complete faster

14. The FCIP 2 connection should be highly available. A third FCIP connection is allowed
for this task. Keep high availability in mind when configuring the third FCIP
connection. When a failure occurs in the FCIP 2 connection, this should not be noticed
by the FSPF protocol. The use of Ethernet port-channels for this question is prohibited.

Task  3:  FCIP  Security  

1. Protect the failover mechanism of the FCIP 1 connection using an MD5 hash of
‘SecureIPexpert’

2. Traffic   crossing   the   FCIP 1   connection   should   be   transferred   encrypted   across   the   IP  
network.  
3. Use   an   MD5   hash,   AES 128-bits   encryption   and   use   a   pre-shared-key   of  
‘IPexpertEncrypt’  

Task  4:  SAN  Extension  Tuner  

1. Use  VSAN 50  and  the  FCIP 2  connection  for  this  task  


2. Simulate  a  continuous  SCSI  read  flow  across  VSAN 50  using  the  FCIP 2  connection  

3. Use  2  open  I/O  operations  


4. Use  512KB  data  packets  
5. Configure  the  traffic  simulation  in  2  directions  

Task  5:  iSCSI  

1. Do  not  use  any  dynamic  configuration  option  which  might  be  available  in  this  task  
2. Use  GigabitEthernet1/1  for  this  task  on  MDS1  

3. Create   an   iSCSI   portal   on   this   interface   using   the   iSCSI   VLAN   as   mentioned   in  
Drawing 2  

4. Use a non-default port for the iSCSI portal


5. iSCSI  traffic  leaving  this  interface  should  be  marked  with  DSCP 22  


6. Configure  an  initiator  with  IP  address  198.18.71.100  


7. Manually  assign  a  nWWN  and  a  pWWN  to  the  initiator  

8. This  initiator  wants  to  access  resources  in   VSAN 20,  do  not  configure  the  VSAN  under  
the  initiator  
9. Ensure  that  only  the  just  configured  iSCSI  initiator  can  access  the  virtual  J2D1  target  
10. Use  an  IQN  of  “iqn.iscsi-disk-JBOD2-Disk1”  for  this  target  
11. This  target  should  only  be  available  on  this  iSCSI  portal  

12. The   host   should   mutually   authenticate   the   iSCSI   session   with   a   username   of  
“iSCSI1”  and  a  password  of  “IP3xp3rtiSCSI”  

13. iSCSI   initiators  should  be  able  to  access   J1D3  on   LUN   0,  where  the   J1D3  FC  disk  
only  advertises  LUN  10  
14. When  the  disk  J1D3  fails,  J2D3  should  seamlessly  take  over.  When  the  disk  in  J1D3  has  
been  replaced  it  should  automatically  switch  back  to  this  primary  target  
15. Enable  trespass  support  
16. Improve  read  performance  on  MDS1  for  iSCSI  traffic  

17. Configure   an   iSCSI   portal   in   the   iSCSI   VLAN   as   mentioned   in   Drawing 2   on   MDS2  
GigabitEthernet1/1  

18. All   iSCSI   initiators   on   this   new   portal   should   appear   as   a   single   N-port   in   the  
Fibre  Channel  fabric  
19. Enable  data-digest  on  this  portal  

20. Configure 3 initiators on MDS2 named iqn.initiator-server-1,
iqn.initiator-server-2 and iqn.initiator-server-3.

21. Give   the   3   initiators   access   to   J1D1   in   VSAN 10   without   configuring   the   VSAN  
database  for  VSAN 10  
22. Use  a  single  zone  with  2  entries  to  accomplish  this  

Task  6:  iSLB  

1. Do  not  use  any  dynamic  configuration  option  which  might  be  available  in  this  task
2. Configure  an   iSLB  portal  on   GigabitEthernet1/2  on   MDS1  and   MDS2 on  the   iSLB  
VLAN  as  presented  in  Drawing 2  
3. Configuration  for  iSLB  targets  and  initiators  may  only  be  done  on  MDS2  


4. When  MDS2  fails,  MDS1  should  automatically  take  over  all  sessions  

5. Ensure  that  both  MDS  switches  are  using  weighted  load  balancing.  
6. Manual  zoning  changes  are  not  allowed  
7. Configure   5   initiators   with   names   of   iqn.islb-initiator-host-1   through  
host-5  

8. Ensure   the   initiators   are   assigned   with   a   nWWN   and   2   pWWNs   which   are   automatically  
assigned  by  the  MDS  switch  
9. Zones  should  have  ‘IPexpert’  in  their  name
10. Host 3 is  a  database  server,  which  will  have  more   iSCSI  connections  than  the  other  
hosts.  Ensure  load  balancing  takes  care  of  this.  
11. All   initiators   should   have   access   to   J2D2   LUN   0x0   and   0x1   in   VSAN 10   which  
should   be   presented   as   LUN   0xA   and   0xB.   Do   not   use   the   ‘virtual-target’  
command.  
12. Use  J1D2  as  a  backup  when  J2D2  fails.  The  target  should  not  switch  back  when  J2D2  
is  repaired  
13. The J1D1 disk in VSAN 20 should be made high-available on the 2 MDS switches.
Ensure iqn.islb-initiator-host-3 is the only host that can access it on both
MDS switches using the resilient iSLB portal. Do not use the ‘virtual-target’
command.
14. The use of auto-zoning is not allowed for the question above, nor is zoning based on
Symbolic Name or IP addressing

15. Ensure   all   initiators   are   authenticated   with   a   username   of   “host-1”   through  
“host-5”  with  a  password  of  “iSLBpassw0rd”  

16. Do  not  remove  any  configuration  from  the  MDS  switches  when  continuing  with  the  next  
chapter  
 
 
 
 
 
 
 


 
Chapter 7: Data Center Unified Fabric
 
Chapter 7: Data Center Unified Fabric is intended to familiarize you with the Storage Networking features
available on the Cisco Nexus switches and combined with the Cisco MDS switches.

This chapter covers implementing FCoE features inside of the Nexus switches and the backwards
compatibility with Native FC connections. Besides that, we will be looking at N-Port Virtualization
configurations.

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  
on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  Multiple  topology  
drawings  are  available  for  this  chapter.  


General  Rules  
• Try  to  diagram  out  the  task.  Draw  your  own  connections  the  way  you  like  it  

• Create a checklist to aid as you work through the lab

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  
particular  chapter  

Estimated  Time  to  Complete:        2  hours  


Pre-setup

• Connect  to  the  MDS  switches  within  the  topology  


• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• The  Nexus  switches  start  with  a  blank  configuration.  You  will  be  creating  parts  of  your  
own  Initial  Configuration  for  later  labs.  
• The  MDS  switches  are  using  the  configuration  from  the  previous  chapters  

• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  
Labs  (www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  
tasks  as  detailed  below  
       

Drawing  1:  Physical  Topology  


Drawing  2:  Logical  Topology  VSAN  20  


Configuration  tasks  

Task  1:  Native  Fibre  Channel  on  Nexus  

1. Leave the configurations of MDS1 and MDS2 intact from the previous exercises.

2. Set   the   GigabitEthernet   interfaces   on   MDS1   and   MDS2   to   shutdown,   so   all   iSCSI  
and  FCIP  connections  are  down  

3. SW2  and   SW3  should  participate  in   VSAN 10  and   VSAN 20  using  native  Fibre  Channel  
interface  fc1/31  and  fc1/32.  Use  fc1/13  and  fc1/14  on  the  MDS  switches.  
4. Ensure  the  interfaces  are  seen  as  a  single  connection  for  the  FSPF  protocol  

5. Request   the   lowest   Domain ID   possible,   but   accept   any   other   as   given   out   by   the  
principal  switch  
6. Ensure  all  devices  in  VSAN 10  and  VSAN 20  are  visible  on  SW2  and  SW3

7. Keep  in  mind  the  security  mechanism  active  in  VSAN 10  and  VSAN 20

Task  2:  Fibre  Channel  over  Ethernet  (FCoE)  

1. Create  a  vPC  consisting  of  Ethernet1/24  on  both  SW2  and  SW3  
2. Assume  a  host  is  connected  to  the  vPC  on  SW2  and  SW3.  

3. This  host  should  be  able  to  communicate  to  disks  in   VSAN 10  on  SW2  and  disks  in  VSAN
20  on  SW3.    

4. Use  VLAN 10  and  VLAN 20  for  this  task  

5. Ensure  both  SW2  and  SW3  discard  FCoE  frames  received  across  the  interlink  between  the  
switches  
6. SW2  should  be  used  as  the  primary  switch  to  connect  to  

7. Non-FCoE traffic is not allowed to cross the link. You are not allowed to use the
switchport trunk allowed vlan command.

 
 
 
 


Task  3:  Multi  hop  FCoE  

1. Shutdown  all  ISL  links  on  the  MDS  switches  


2. Ensure   that   the   Fibre   Channel   fabric   keeps   functioning   in   VSAN 20   without   enabling  
direct  interfaces  between  the  MDS  switches  
3. Configure  the  network  in  such  a  way  that  it  is  compliant  to  Drawing 2  
4. Turn  on  the  VFID  check  on  SW1-1 to  prevent  loopbacks

5. Ensure  all  FCoE  connections  are  authenticated  using  an  SHA-1  hash  
6. SW1-1  is  authenticating  using  a  password  of  ‘Nexus7000password’  

7. SW1-1 should  authenticate  SW2  with  a  password  of  ‘SecureNexus5000-1’  

8. SW3  is  using  a  password  of  ‘IPexpertIsAwesome’  

9. SW1-1  should  never  initiate  the  authentication  negotiation  

10. Configure a feature that allows only the switches currently participating in VSAN 20
in the VSAN 20 fabric.

Task  4:  FCoE  Quality  of  Service  (QoS)  

1. Ensure  FCoE  best  practices  are  followed  in  this  topology  


2. Configure   Quality of Service   so   all   Nexus   switches   support   the   configured  
topology  
3. Prevent one blocked receiver from affecting traffic that is sent to other non-congested
blocking receivers on SW2
4. The   link   between   SW2   and   SW3   is   2000 meters   long.   Ensure   the   topology   supports  
lossless  Ethernet  on  this  link.  
5. Fibre  Channel  frames  crossing  the  Nexus  switches  may  never  be  fragmented  
 
 
 
 
 
 


Drawing  3:  NPV  topology  

 
 

Task 5: N-Port Virtualization (NPV) and N-Port ID Virtualization (NPIV)
1. Enable  the  ISL  links  between  MDS1  and  MDS2  again  
2. Ensure  the  MDS  switches  are  not  limited  to  239  Domain IDs  per  VSAN  
3. MDS2  is  the  core  switch  and  MDS1  the  edge  switch  in  this  topology  

4. Devices  need  to  be  connected  in  VSAN 10  


5. JBOD1  interface  on  MDS1  should  be  using  the  first  uplink  to  the  core  switch  

6. JBOD2  interface  on  MDS1  should  be  using  the  third  uplink  to  the  core  switch  

7. Ensure  traffic  is  automatically  balanced  across  all  uplinks  


 
 
 
 


Task  6:  FCoE  NPV  


1. Configure SW2 to support N-Port Virtualization. A reboot of the switch is not allowed to
accomplish this task
2. Use  Ethernet1/8  on  SW3  as  the  link  where  the  logins  are  received  from  SW2

3. Use  VSAN 20  for  this  task  


 
 
 


 
 
Chapter 8: Security Features
 
Chapter 8: Security Features is intended to familiarize you with the Security features which are
available on the Nexus platform. You will be configuring both AAA services and other management
security as well as LAN security features like DHCP snooping and other protective features.

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  
on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  Multiple  topology  
drawings  are  available  for  this  chapter.  


General  Rules  
• Try  to  diagram  out  the  task.  Draw  your  own  connections  the  way  you  like  it  

• Create a checklist to aid as you work through the lab

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  
particular  chapter  

Estimated  Time  to  Complete:        4  hours  

Pre-setup
• Connect  to  the  Nexus  switches  within  the  topology  
• Use  the  central  topology  drawing  at  the  start  of  this  workbook  
• The  Nexus  switches  start  with  a  blank  configuration.    

• This lab is intended to be used with online rack access provided by our partner Proctor
Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration
tasks as detailed below

Drawing  1:  Physical  Topology  


 


Drawing  2:  Logical  Topology  


Configuration  tasks  

Task  1:  Port  Security  

1. Configure  a  basic  configuration  for  the  3  Nexus  switches   SW1,   SW2  and   SW3,  using  the  
defaults  as  stated  at  the  beginning  of  this  workbook.  
2. Create  VLANs  where  necessary  in  this  chapter.  
3. Configure   a   port-channel   of   the   first   2   interfaces   between   each   switch.   Use   a  
standards   based   protocol   to   negotiate   the   bundling   parameters.   The   result   should   be  
equal  to  Drawing 2  

4. Ensure  that  only   10  hosts  are  able  to  use   Ethernet1/11  on   SW2.  The  port  should  go  
into  ‘errdisable’  when  the  11th  host  is  connected  to  the  interface.  

5. Ensure that the learnt MAC addresses are cleared on the Ethernet1/11 interface on
SW2 after they have not sent any traffic for 6 minutes.

6. Only  the  following  MAC  addresses  are  able  to  access  Ethernet1/11  on  SW3  
a. 0010.4431.a1b3  
b. 10:22:a0:f5:b3:de  
c. 0011.99ff.22aa  
d. 55:81:a0:9a:b0:0c  
e. ba01.dad3.c0ff  
7. Ensure  packet  count  is  logged  for  all  violating  packets  on  Ethernet1/11  on  SW3  
8. Ensure   that   no   more   than   100   MAC   addresses   are   learnt   on   the   port-channel  
between   SW2   and   SW3.   The   interfaces   should   keep   working,   but   stop   learning   and   deny  
access  to  possible  new  MAC  addresses  after  the  number  has  been  reached.  

9. On  the   port-channel  between   SW2  and   SW3  the  amount  of   MAC  addresses  should  be  
divided   between   VLAN 10,   11,   12   and   13.   Ensure   VLAN 10   can   use   2/3 of   the  
maximum.  
10. Ensure  all  MAC  addresses  on  the  port-channel  between  SW2  and  SW3  are  saved  in  the  
database  
11. Create  a  routed  interface  of  Ethernet1/7  on  SW2  with  IP  address  198.18.100.1/24.  
Create  a  VLAN 100  interface  on  SW3  with  IP  address  198.18.100.2.  
12. Ensure that only the host with MAC address 1234.5678.abcd can access
Ethernet1/7 on SW3. You are not allowed to configure this MAC address on SW3.


13. Ensure  SW2  and  SW3  are  able  to  ping  each  other.  

Task  2:  DHCP  Snooping,  DAI,  IP  Source  Guard  

1. A   DHCP  server  is  connected  in   VLAN   50  on  interface   Ethernet3/10  on   SW1.  No  other  
interfaces  are  allowed  to  send  DHCP  OFFER  messages  to  clients.  

2. Ensure  the  DHCP  server  receives  the  DHCP  REQUEST  packets  with  information  about  the  
port  that  the  host  is  connected  to  in  the  DHCP  packet  

3. When  a   DHCP   REQUEST  message  is  received  on  an  interface,  the   Source   MAC  address  
and  the  DHCP  Client  Hardware  Address  should  be  verified  to  match  
4. Ensure VLAN 50 is protected against ARP Spoofing attacks on SW1
5. SW1  should  not  check  ARP  packets  received  on  the  port-channel  interfaces  

6. Ensure  that  ARP  requests  to  IP  addresses  that  fall  in  the  range  of  198.18.50.0/28  are  
always  allowed  
7. Ensure  that  SW1  keeps  a  log  of  the  last  50  deny  and  accept  messages  
8. Ensure  that  SW1  also  checks  for  invalid  or  unexpected  IP  addresses  in  ARP  packets  

9. Ensure   that   all   IP   traffic   is   checked   for   spoofing   attacks   on   interface   Ethernet3/11,
Ethernet3/13  and  Ethernet3/14  using  the  DHCP  Snooping  database.  

10. A   host   with   MAC   address   4019.a201.b04e   and   a   statically   configured   IP   address   of  
198.18.50.254   is   connected   to   Ethernet3/12   on   SW1.   Ensure   this   host   is   allowed  
access.  
11. Configure  a  SVI  with  IP  address  198.18.50.1/24  in  VLAN 50  on  SW1.    

12. Ensure   that   all   traffic   entering   the   VLAN   interface   is   checked   against   the   routing  
table  to  ensure  that  the  switch  knows  the  Destination  IP  address  of  the  packet  and  
it  has  a  routing  entry  towards  this  network.  A  default  route  would  also  qualify  for  this  
check.  
 

Task 3: Access Control Lists

1. Use a protection on VLAN 50 of SW1 to protect it against denied traffic according to the following rules.
2. Be as specific as possible.
3. The 198.18.255.100 host is allowed to access hosts in VLAN 50.


4. Secure Web traffic coming from servers in 198.18.128.0/18 to VLAN 50 is allowed. Clients in VLAN 50 are using non-reserved ports.
5. The Server farm is located in the 198.19.0.0/16 subnet and the 198.18.192.0/24 subnet. Hosts in VLAN 50 want to access Web servers, DNS servers and Mail (to receive mail through POP3 and send mail) servers. You are prohibited from configuring these applications in the ACL. Only two entries in the ACL are allowed for this question.
6. You are not allowed to apply the ACL to the VLAN interface
7. A host connected in VLAN 50 through interface Ethernet1/15 on SW2 is not allowed to access the IMAP server with IP address 198.19.0.25. Ensure this is enforced.
8. A rogue device is found that tries to log in to management interfaces. Deny telnet and SSH traffic to the management interface of the switches from the 192.0.2.0/24 subnet. Ensure all other IP addresses are still able to manage the switches through all management services. Only a single ACL entry is allowed for this task.
9. Ensure all TCP traffic entering on Ethernet3/22 on SW1 is copied to Ethernet3/23 on SW1
10. In addition to the IP security of VLAN 50 your manager also wants to only allow valid MAC addresses from the Server farm to access hosts in VLAN 50. The servers have MAC addresses in the range of 0bad.c0ff.ee00 up to 0bad.c0ff.eeff.
11. Statistics should be collected per entry in VLAN 50
12. Ensure the control plane of SW2 and SW3 is optimized for Layer 3 routing
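
Item 10 gives the permitted servers as a MAC range, while a MAC ACL entry takes an address and a mask. As an added example (not part of the workbook), this Python helper converts an inclusive MAC range into a minimal set of address/wildcard pairs and tests addresses against them; it assumes wildcard notation in which mask bits set to 1 are ignored, and the second, misaligned range is constructed to show the general case.

```python
"""Convert an inclusive MAC address range into address/wildcard pairs."""

MAC_BITS = 48


def mac_to_int(mac):
    """Parse xxxx.xxxx.xxxx, xx:xx:... or xx-xx-... into an integer."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value):
    """Format an integer in dotted notation (xxxx.xxxx.xxxx)."""
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def range_to_wildcards(first, last):
    """Cover [first, last] with aligned power-of-two blocks, largest first.

    Each block is returned as (address, wildcard). Wildcard bits set to 1
    are "don't care" bits (assumed notation).
    """
    lo, hi = mac_to_int(first), mac_to_int(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    entries = []
    while lo <= hi:
        # Largest block that is aligned at lo ...
        size = (lo & -lo) or (1 << MAC_BITS)
        # ... shrunk until it no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        entries.append((int_to_mac(lo), int_to_mac(size - 1)))
        lo += size
    return entries


def acl_permits(mac, entries):
    """First-match evaluation with an implicit deny at the end."""
    value = mac_to_int(mac)
    for address, wildcard in entries:
        care = ~mac_to_int(wildcard)
        if (value & care) == (mac_to_int(address) & care):
            return True
    return False


# The range from item 10 is aligned, so a single entry covers it exactly.
SERVER_FARM = range_to_wildcards("0bad.c0ff.ee00", "0bad.c0ff.eeff")
# Constructed misaligned range: needs two entries to avoid over-permitting.
MISALIGNED = range_to_wildcards("0bad.c0ff.ee80", "0bad.c0ff.ef7f")

if __name__ == "__main__":
    print(SERVER_FARM)
    print(MISALIGNED)
```

A range that is not aligned on a power-of-two boundary cannot be expressed as one entry without also permitting addresses outside it, which is why the helper splits it.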

Task 4: AAA services

• Always group configurations for AAA servers
• There is a RADIUS server in the management network with IP address 172.16.100.201
• The TACACS+ server in this network is 172.16.100.202
• Both AAA servers are using a key of “IPexpertAAA”
• Declare the RADIUS server dead after 22 minutes. Check if the RADIUS server is working every 2 minutes. Use a username of “ipexpert” and a password of “IPexpert123” for this task
• Requests to AAA servers should time out after 2 seconds
• On SW2 configure default authentication to be done by the RADIUS server


• SW2 should perform a fall-back to local user database in case the RADIUS server does not respond.
• For access to the console port only the local user database should be used
• On SW3 a Cisco proprietary protocol should be used for authenticating SSH users.
• When users do not have a role assigned, they should not be able to log in to the switch.
• Users that try to log in should be notified when AAA servers are unreachable
• Use the strongest encryption for the local username/password database available and ensure that existing passwords are converted
• Ensure accounting is enabled on SW2
• The TACACS+ users are configured with IOS-style privilege levels. Ensure SW3 honors these.
• SW2 should require local user entries to use strong passwords. SW3 does not enforce this.
• Create a user on SW3 with your first name as username which expires on December 31st of this year.
 

Task 5: 802.1X

1. Hosts that want to access SW1 are required to authenticate. Hosts are connected at interfaces Ethernet3/25 up to 3/31
2. Users should be authenticated by the RADIUS server
3. On Ethernet3/26 and Ethernet3/27 it should be possible to have multiple hosts connected
4. After an hour the authentication should be re-checked against the RADIUS server for all interfaces participating in the authentication. You are not allowed to use global configuration commands for this task.
5. Interface Ethernet3/31 has a printer connected that has no software to support this authentication. Ensure the interface is still authenticated against the RADIUS server.
6. The switch should allow up to 4 authentication attempts before denying access
7. Ensure all activity on the switch is logged with the RADIUS server

 
 


Task 6: Cisco TrustSec

1. Ensure all switches authenticate each other in the network
2. Ensure Cisco TrustSec is using RADIUS for authentication
3. Enable Cisco TrustSec on the 802.1X interfaces from Task 5
4. SW1 should authenticate itself with a password of “SW1p@ssw0rd”
5. SW2 should authenticate itself with a password of “SW2p@ssw0rd”
6. SW3 should authenticate itself with a password of “P@ssw0rdSW3”
7. Ensure switches authenticate each other without using the RADIUS server for exchanging SGTs.
8. You are allowed to use an SVI on each switch in VLAN 99 with the IP subnet of 198.18.99.0/24
9. Leave all configuration in place on the switches when continuing with the next chapter.
 


 
 

Chapter 9: Management Features

Chapter 9: Management Features is intended to familiarize you with the management features that are available on the Nexus platform. You will be configuring Role Based Access Control (RBAC), SNMP, Syslog, NetFlow, NTP and many more.

We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab. Multiple topology drawings are available for this chapter.


General Rules
• Try to diagram out the task. Draw your own connections the way you like it
• Create a checklist to aid as you work through the lab
• Take a very close read of the tasks to ensure you don’t miss any points during grading!
• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter

Estimated Time to Complete: 4 hours

Pre-setup
• Connect to the Nexus switches within the topology
• Use the central topology drawing at the start of this workbook
• The Nexus switches start with configuration from the previous chapter
• This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below

Drawing 1: Physical Topology


Drawing 2: Logical Topology


Configuration tasks

Task 1: Role Based Access Control (RBAC)

• Perform configuration on SW1
• Create a username “user1” with a password of “User1p@ssw0rd”
• User1 should only be allowed to configure the following:
  o VLANs
  o VLAN Interfaces
  o Spanning-Tree
  o First Hop Redundancy Protocols
• You are not allowed to configure these features directly under the role configuration for user1
• User1 is only allowed to configure interfaces Ethernet3/1 through Ethernet3/10
• Configure username “user2” with password “User2User2”
• User2 is not allowed to change configuration, but is allowed to verify everything related to
  o Access Lists
  o Routing protocols
  o Licensing
• You are not allowed to configure individual routing-protocols or configure a new feature-group for user2
• User2 can only configure Layer 3 protocols in VRF “VPN1”, “VPN2” and “VPN3”
• Configure username “maintenance” with password “MainTenanc3”
• User maintenance should only be allowed to configure management protocols and upgrade software
• Username “storage-admin” with password “st0rage-@Dmin” is allowed to configure Fibre Channel related configurations
• Username “nocuser” with password “NOCus3r” and a role-name of “NOC” is allowed to execute all show commands and is allowed to issue a Telnet or SSH from the CLI
• Ensure all switches share a common role configuration


Task 2: Traffic monitoring

• Regulations determine that all traffic entering SW1 through the port-channels connecting to SW2 and SW3 should be monitored, but only for VLAN 50 and 99.
• Traffic should be directed to a monitoring server connected to Ethernet3/19. VLAN tags should be retained.
• Ensure the MTU size for the monitoring is consistent at 1100 bytes, no matter what the MTU of the source packet is
• An interface on a third party switch is being monitored, but the monitoring server is connected to Ethernet3/20 on SW1. Use a Layer 2 transport to pick up this traffic. Use VLAN 601 for this task.
• Interface Ethernet1/17 on SW2 should be monitored, but the monitoring server is connected to Ethernet3/17 on SW3. Use a Layer 3 transport to accomplish this.
• Ensure this Layer 3 monitoring traffic receives a high priority treatment throughout the network
• Use the finest granularity possible for the Layer 3 monitoring session.

 
 

Task 3: NetFlow

• Use SW1 for this task. The port-channels to the other switches should be used for collecting information
• Create a flow record based on the IPv4 source and destination IP address
• Ensure the flow ID is captured and the pps (packets per second) 64-bit counter
• This information should be exported to the server with IP address of 172.16.100.109
• Ensure that 5 out of 150 packets that enter the port-channels of SW1 are sampled
• Ensure that it’s possible for Layer 2 fields to be exported to the flow server
 

Task 4: Management protocols

• Ensure the management server 172.16.100.110 receives version 2c traps from SW1


• This server should also be able to read information from SW1 while using a classical community string of ‘IPexpert’
• Configure your name and current location on SW1
• Ensure that SW1 does not accept SNMPv3 unencrypted requests
• User ‘version3’ with password ‘version3password’ should be able to access SW1 using SNMP version 3
• Ensure that the version3 user has the same rights as the storage-admin user
• The Telnet and SSH sessions should see Informational messages
• Debugging messages should be visible in a separate logfile
• Ensure logfiles are using the most precise timestamps
• Logging up to Notifications level should be sent to 172.16.100.110 with a facility of local3
• SW1 should be synching its time to SW2 and SW3
• SW1 is a stratum 1 clock
• Devices other than SW2 and SW3 should not be able to synchronize time with SW1
• Ensure all time synchronization is secured via a key of ‘TimeIPX’
• Set the timezone to your current location
• SW1 should identify itself to other Cisco devices with its serial number
• All switches should send advertisements about themselves every 10 seconds
• Interfaces Ethernet1/10-20 on SW2 and SW3 have devices connected that are outside of your management domain. They should not be able to see any information about the devices that they are connected to.
 
 

Task 5: Device management

• The current configuration of SW1 should be stored so it can be re-used
• You should be able to compare differences between a newer version of the configuration and the now saved one
• The configuration of SW1 should also be saved to a TFTP server at IP address 172.16.100.103 on a weekly basis.


• This saving should be done every Sunday night at 10PM (22:00).
• Ensure the hostname and the date and time are included in the filename that is saved
• Users logging in to the switches should see a message that they are logging in to the “IPexpert CCIE Data Center Lab”
• Save a “show tech-support” to the flash and compress the file by creating the zip file manually.
• Also save a “show interfaces” output to flash and let this be automatically compressed
• Both outputs should be saved in a compressed Tar file

Task 6: Smart Call Home and GOLD

• During boot-up all switches should run the maximum level of diagnostics
• SW1 should generate a message towards the on-call support engineer when a critical issue occurs.
• Do not use an existing profile
• This message should be sent to callhome@ciscocallhome.com via the mail server mail.ciscocallhome.com.
• You can use 172.16.100.111 as the server to resolve names.
• The sender of the message should be your name and e-mail
• All urgency levels and any size should be sent
• Send periodic inventory notifications every day to callhome@ciscocallhome.com
• SW1 is the core switch and an important switch. Ensure this is noticed in the messages.
• Cisco TAC should receive XML messages via e-mail (ciscotac@ciscocallhome.com) and directly via HTTP.
• You are allowed to create one additional destination profile for the previous question
 
 
 


 
Chapter 10: Data Center Unified Computing Networking

Chapter 10: Data Center Unified Computing Networking is intended to familiarize you with the networking features that are available on the Unified Computing platform. You will be configuring VLANs, Port-Channels, switch modes, PIN groups and Policies related to the Networking features of the UCS system.

We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.

Multiple topology drawings are available for this chapter.


General Rules
• Try to diagram out the task. Draw your own connections the way you like it
• Create a checklist to aid as you work through the lab
• Take a very close read of the tasks to ensure you don’t miss any points during grading!
• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter

Estimated Time to Complete: 4 hours


Pre-setup
• Connect to the Nexus switches within the topology
• Use the central topology drawing at the start of this workbook
• The UCS system and Fabric Interconnects start with a blank configuration
• This lab is intended to be used with online rack access provided by our partner Proctorlabs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below

Drawing 1: Physical Topology

 
 


Configuration tasks

Task 1: Initial set-up

• Ensure that the Fabric Interconnects are able to be managed with IP addresses 172.16.100.6, .7 and .8. The 172.16.100.8 address should be the Virtual IP address to manage the interconnect cluster.
• Ensure the UCS1 chassis is detected. Interface 1/1 through 1/4 are used for connecting the chassis
• The uplinks are connected to 1/9 and 1/10. Ensure these are bundled as a single logical connection
• Identify the port-channels by giving them easy-to-remember names
• Ensure the Fabric Interconnects are easily found for physical maintenance by engineers
• Ensure the chassis and servers are also given easily readable names that are shown in the Equipment tree

 
 

Task 2: VLANs

• Create VLAN 11, 12, 13 and 15 using only 2 create commands
• Create VLAN 1 through 10 except 8 on both Fabric Interconnects
• VLAN 16 is the primary Private VLAN
• VLAN 17 is an Isolated VLAN
• Configure a VLAN named “IPexpertVLAN”. This VLAN should have number 20 on Fabric Interconnect A and number 21 on Fabric Interconnect B.

 
 

Task 3: vNIC templates

• Ensure vNICs on fabric interconnect A get MAC addresses assigned in the range of 00:05:12:AA:00:00 to 00:05:12:AA:00:11


• Create a vNIC template for management traffic in VLAN 10. This traffic should be untagged and should automatically switch over between fabrics. Ensure that after using the template to create a vNIC it does not stay connected with it.
• Create vNIC templates with vNIC#-$-XYZ where # is the vNIC number, $ is the fabric interconnect on which it’s active and XYZ is a short description of what it’s used for
• The first vNIC pair should be active on fabric interconnect A and should carry all VLANs except the Private VLANs. This vNIC should be using the new settings once the template is changed after the creation of the vNIC.
• Create a redundant vNIC on Fabric Interconnect B with the same settings as the previous question.
• Ensure vNICs on fabric interconnect B get MAC addresses assigned in the range of 00:05:12:BB:00:00 to 00:05:12:BB:00:22
• The second vNIC template redundant pair should carry all the Private VLANs and should be offered with 2 paths to the host over different fabrics
• Create a third vNIC which is active on fabric B and has VLAN 11, 12 and 13 enabled. Frames without a tag should be assigned to VLAN 10.
• Ensure the third vNIC is able to support Jumbo frames

 
 

Task 4: Policies and pin groups

• Ensure the first redundant vNIC pair allows CDP traffic
• Ensure the second redundant vNIC pair will not go down in case of an uplink failure
• Create a pin group for each of the Fabric Interconnects
• Ensure that the management vNIC is connected to the uplink of FI1-B
 
 

Task 5: Quality of Service

• The Private VLAN traffic should get a higher priority treatment throughout the UCS system
• The system needs to differentiate between 3 QoS classes and a class for FCoE traffic. Divide traffic evenly across the 3 classes


• Traffic entering on the third vNIC marked with 802.1p bits should be trusted in the UCS system
• Ensure traffic on the management vNIC will never use more than 95Mbps of bandwidth
• All classes should support Jumbo frames


 
 

Task 6: Disjoint Layer 2

• Create additional uplinks for Fabric A and Fabric B using ports 1/11 and 1/12
• Create VLANs 100 to 110 on the UCS system
• All even VLANs of this range should use Uplink1/11 on Fabric A and Uplink1/12 on Fabric B
• All odd VLANs of this range should use Uplink1/12 on Fabric A and Uplink1/11 on Fabric B
• Ensure vNICs have access to these VLANs while maintaining the dispersion between uplinks without using pin groups
 
 

Task 7: Switch mode

• Convert the Fabric Interconnect cluster to switching mode
• Ensure all VLANs, templates, policies and settings are equal to the previous tasks
 
 
 
 
 
 
 
 


 
Chapter 11: Data Center Unified Computing Storage

Chapter 11: Data Center Unified Computing Storage is intended to familiarize you with the storage features that are available on the Unified Computing platform. You will be configuring VSANs, FCoE features, Quality of Service, SAN pinning and many more features.

We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.

Multiple topology drawings are available for this chapter.


General Rules
• Try to diagram out the task. Draw your own connections the way you like it
• Create a checklist to aid as you work through the lab
• Take a very close read of the tasks to ensure you don’t miss any points during grading!
• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter

Estimated Time to Complete: 4 hours


Pre-setup

• Connect to the Nexus switches within the topology
• Use the central topology drawing at the start of this workbook
• The UCS system and Fabric Interconnects use the configuration of the previous chapter, as do the MDS switches
• This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below

Drawing 1: Physical Topology


Configuration tasks

Task 1: Initial set-up

• Ensure you keep the configuration of the previous chapter for the UCS system and the Nexus switches.
• Give the MDS switches in the topology the following hostnames: MDS1, MDS2. Configure the default username and password according to the generic lab topology
• Ensure that they can be reached through the management network using IP addresses in the range as stated in the initial set-up information at the beginning of the workbook. Use Host IP addresses of 172.16.100.9 and 172.16.100.10
• Enable the ISL links between the MDS switches on fc1/1 through fc1/4 and trunk all VSANs.
• Configure the JBOD interfaces fc1/5 and fc1/6 so FLOGIs are seen from the JBOD into the FC Fabric
• The MDS switches should support Fabric Logins from the UCS Fabric Interconnects
• Configure the interfaces to the Fabric Interconnects to support the UCS system. The UCS Fabric Interconnects are connected to interfaces fc1/9 on the MDS switches

Task 2: VSANs

• Create a VSAN with an ID of 301. The VLAN connected to it should use an ID of 1000+VSANID.
• VSAN 301 should be available on both Fabrics.
• Hosts in VSAN 301 should be able to communicate with each other without any other zoning changes
• Create VSAN 302 on Fabric A and VSAN 303 on Fabric B with matching VLAN IDs.
• This VSAN should be named “SecondVSAN”.
• Create all these VSANs on both MDS switches


 
 
 


Task 3: Fibre Channel Trunks and Port Channels

• Ensure that all created VSANs are transported across the FC Uplinks
• Interface 32 on both Fabric Interconnects should become a native Fibre Channel interface
• Use fc1/32 as the connection to the MDS switches on both Fabric Interconnects
• In the near future the FC connection to the MDS switches will be expanded. Ensure that this can be done without any downtime by inserting a physical connection in a single logical connection.
• Ensure the MDS switch is aware of this change


 

Task 4: Pools

• Ensure vHBAs on fabric interconnect A get WWPNs assigned in the range of 20:11:00:05:12:AA:00:00 to 20:11:00:05:12:AA:00:11
• Ensure vHBAs on fabric interconnect B get WWPNs assigned in the range of 20:22:00:05:12:BB:00:00 to 20:22:00:05:12:BB:00:22
• WWNNs should be generated in the same range except with a prefix of 20:88:
• iSCSI Qualified Names should be generated with the following format: iqn.initiator.iscsi-boot-ipexpert:1 through :25
• iSCSI interfaces should get IP addresses assigned in the range of 198.18.200.10/24 through 198.18.200.35 with a default gateway of 198.18.200.254.
• The iSCSI name resolving should be done against 198.18.254.254 and 198.18.254.253

Task 5: vHBA templates

• Create vHBA templates connecting to VSAN 301 on both fabrics.
• The VSAN 301 vHBAs should be created using a method where the template is only used to create the vHBA and after that it’s disconnected from the template.
• Create vHBA templates connecting to VSAN “SecondVSAN” on Fabric A and B.
• The template should only be used for initially creating the vHBA. After the creation, changes to the template should not be propagated to the vHBA, but it should always be possible to re-connect it again to have changes assigned to the vHBA from the template.


• The “SecondVSAN” templates should always be assigned to the FC forwarding class. Bandwidth should be limited to 100MBps.
• Create another vHBA template for VSAN 304 on Fabric B. You are not allowed to leave the vHBA Template wizard for this task
• Ensure vHBAs are assigned with the correct WWNs according to the previous task
 
 

Task 6: SAN Pinning and Storage Policies

• Create a pin group for each of the Fabric Interconnects
• Ensure that the second vHBA is connected to the uplink of FI1-B
• Create a policy so the vHBAs are using best practices for VMware servers. This special policy should support up to 512 LUNs per FC target
• This policy should also allow for maximum FLOGI and PLOGI retries
• Ring Sizes should be 128 for Transmit, Receive and SCSI queues

Task 7: Fibre Channel Boot policies

• Create a policy so that a server is able to boot from vHBAs in VSAN 301.
• Before the server boots from SAN, it should try to boot from an ISO image mounted to the KVM session.
• Ensure that the server will still boot when one fabric is not available.
• When both Fabrics are operational, the server should select Fabric A. You can assume that the vHBA of Fabric A has a lower PCIe bus scan order.
• Use WWPN: 20:01:00:AA:BB:CC:DD:EE, LUN 20 as the target on Fabric A
• On Fabric B the WWPN for the boot disk is: 20:01:00:EE:DD:CC:BB:AA, LUN 21
• Create another policy for a server to boot from VSAN 304.
• VSAN 304 has 2 boot disks available for failover. Both are using the same WWPN as the previous policy, except they are using LUN 5 for both targets.
 
 


Task 8: iSCSI Boot policies

• When the Fibre Channel fabric is completely down the servers using VSAN 301 should still be able to access their boot disks through the use of the iSCSI protocol
• You do not need to configure the MDS switch for this task; assume this is pre-configured
• The names of the iSCSI vNICs that will be created in the service profile are “iSCSIvNIC1” and “iSCSIvNIC2”
• The iSCSI Targets should be authenticated with a username of “IPexpertISCSI” and a password of “iSCSIstorage”
• The iSCSI vNICs should have TCP Timestamps enabled and the connection should time out after 30 seconds

Task 9: Local Disk policies

• When blades are equipped with local disks they should get a protected configuration so at least 1 disk is able to fail in the configuration.
• Create one additional policy so that when the policy is applied to a blade where the local disks are already configured, this is overwritten with the new configuration
• Create a policy so that when a service profile is disassociated from a blade the disks are formatted and settings in the BIOS are set to default

 
 
 
 
 
 
 
 
 
 
 
 

 

 
Chapter 12: Data Center Unified Computing Servers and Blades
 
Chapter 12: Data Center Unified Computing Servers and Blades is intended to familiarize you with the primary features of the Unified Computing System. In this lab we will be configuring all settings related to compute blades and servers. This means we will be configuring service profiles, templates and policies related to the compute nodes.

We  highly  recommend  creating  your  own  diagram  at  the  beginning  of  each  lab  so  you  are  able  to  draw  
on  your  own  diagram,  making  it  much  easier  when  you  step  into  the  real  lab.  

Multiple  topology  drawings  are  available  for  this  chapter.  

 

General  Rules  
• Try  to  diagram  out  the  task.  Draw  your  own  connections  the  way  you  like  it  

• Create a checklist to aid you as you work through the lab

• Take  a  very  close  read  of  the  tasks  to  ensure  you  don’t  miss  any  points  during  grading!    

• Take  your  time.  This  is  not  a  Mock  Lab,  so  no  time  constraints  are  in  place  for  finishing  this  
particular  chapter  

Estimated  Time  to  Complete:        4  hours  

 

Pre-­‐setup  

• Connect  to  the  Nexus  switches  within  the  topology  


• Use  the  central  topology  drawing  at  the  start  of  this  workbook  

• The UCS system and Fabric Interconnects use the configuration of the previous chapter, as do the MDS switches and Nexus switches
• This  lab  is  intended  to  be  used  with  online  rack  access  provided  by  our  partner  Proctor  Labs  
(www.proctorlabs.com).  Connect  to  the  terminal  server  and  complete  the  configuration  tasks  
as  detailed  below  

Drawing  1:  Physical  Topology  

 

Configuration  tasks  

Task  1:  Server  pools  


• Ensure   you   keep   the   configuration   of   the   previous   chapter   for   the   UCS system,   the   Nexus  
switches  and  the  MDS  switches.  

• Combine  blades  on  the  left  side  of  the  chassis  in  a  pool  named  “LEFT”  

• Create  an  automatic  classification  of  compute  nodes  so  all  blades  with  48GB  of  RAM  are  set  
together  inside  a  pool  called  “48GB”  

• Create  a  classification  so  all  blades  with  a  Cisco  VIC  card  will  be  combined  in  a  pool  called  
“VIC”  

• Ensure  that  all  servers  are  placed  inside  a  pool  “IPexpertServers”  


 

Task  2:  UUID  pools  


• Servers  should  get  an  Identifier  assigned  through  the  use  of  a  pool.  The  prefix  should  be  
automatically  generated  by  the  UCS  Manager.    

• The pool should be called “IPexpertIDs” and contain 32 identifiers.

• The  suffix  should  start  with  “7442-C0FFEE”  

• Create a second identifier pool where the identifiers should start with “01010202-ABCD-DEF0-0ABB-AA”; a total of 16 identifiers should be generated.

Task  3:  Management  IP  addresses  


• Create  an  IP  address  pool  for  addresses 172.16.100.20  up  to  27  with  a  mask  of  /24  and  
a  gateway  of  .254

• Assign  IP  addresses  to  the  first  2  blades  in  the  chassis  by  using  the  pool  
• Assign   static   IP   addresses   to   the   other   2   blades.   Blade 3   should   have   an   IP   address   of  
172.16.100.28  and  blade 4  an  IP  address  of  172.16.100.29

• The  other  addresses  in  the  pool  are  used  during  the  creation  of  service  profiles  
 
 
 

 

Task  4:  Server  policies  


• Create  a  policy  so  the  settings  of  the  blade  are  set  to  the  following  parameters:  
o Quiet  boot  is  enabled  

o Server  is  reset  after  a  power  loss  

o The  front  panel  should  be  locked  out  


o Hyper  threading  is  enabled  

o Virtualization  support  is  enabled  

o CPU performance  is  set  to  enterprise  

o Server should be secured by a hardware feature to prevent viruses and malicious code from being executed
o Serial  port  is  disabled  

o RAID  controller  is  enabled  

o The  server  should  be  powered  off  when  the  OS  is  not  booted  after  20  minutes  

• Create   a   policy   so   that   changes   are   only   applied   to   the   servers   after   an   acknowledgement  
by  the  user  
• Create  a  policy  so  SoL  is  enabled  with  a  speed  of  19200
• Create  a  policy  for  SoL  users  with  a  username  of  IPexpert  and  a  password  of  IPexpert

Task  5:  Service  Profile  Templates  


• Create a template called “SP_template1” that gives a server its state information and stays connected to the profile when it’s deployed.

• Ensure  UUIDs  are  assigned  from  the  pool  “IPexpertIDs”  

• The World Wide Node Name should be assigned using the pre-configured pool

• The  disks  inside  the  blade  should  be  configured  with  a   RAID 1  configuration  which  is  not  
overwritten  if  a  current  configuration  is  in  place  

• Redundant vHBAs should be created to support boot from VSAN 301

• Ensure  correct  WWPNs  are  assigned  

• The  custom  created  VMware  adapter  policy  should  be  used  

 

• Pick  names  for  the  vHBA  so  the  created  boot  policy  will  work  without  changes  

• Create vNICs for management and 2 for data traffic. The Data vNICs should be redundant with 2 active paths across fabrics, while management should be protected.

• Ensure  the  vNICs  are  created  with  optimized  settings  for  VMware  

• All  vNICs  and  vHBAs  should  be  based  on  templates  

• Leave  placement  of  vNICs  and  vHBAs  to  the  system  

• Configure   the   system   to   boot   from   SAN   in   VSAN 301 based   on   a   previously   configured  
template.  

• The   user   should   confirm   changes   that   require   a   reboot.   Again   this   should   be   based   on   a  
previously  configured  policy  

• Servers  should  be  automatically  booted  up  when  this  template  is  deployed  to  a  server  

• No  servers  need  to  be  assigned  now  

• Servers need to be powered on after this template is applied as a service profile

• Ensure  BIOS  settings  are  applied  according  to  the  policy  created  in  Task 4  

• Enable   Serial over LAN   with   a   speed   of   19200bps   without   configuring   this   speed  
directly  in  the  service profile  

• Users accessing the Serial over LAN feature are required to use a username and password of “IPexpert”

• The Management IP address of this service profile should come from the previously configured IP address pool

• Hard Disks   should   not   be   erased   when   the   service profile   is   removed   from   the  
blade.  Create  a  new  policy  to  support  this  configuration  called  “NO_SCRUB”  

Task  6:  Service  Profiles  


• Assign   the   previously   created   template   to   all   servers   while   using   the   server   pool  
containing  all  the  blades  in  the  chassis  

• You  are  not  allowed  to  configure  the  pool  under  the  template  configuration  

• Use  a  prefix  of  “UCS1-SP”  for  naming  of  the  service  profiles  

 
 
