CCIE V5.0 LAB小凡实验室-H1

小凡实验室
目录
Section 1 –Layer 2 Technologies ................................................................................................ 2
1.1 Switch administration ...................................................................................................... 4
1.2 Layer 2 Ports .................................................................................................................... 5
1.3 Spanning-tree................................................................................................................... 6
1.4 WAN Switching................................................................................................................. 7
Section 2 –Layer 3 Technologies ................................................................................................ 8
2.1 OSPF in AS 12345 ............................................................................................................. 8
2.2 EIGRP in AS 34567 .......................................................................................................... 10
2.3 EIGRP in AS 45678 .......................................................................................................... 11
2.4 EIGRP in AS 65222 .......................................................................................................... 12
2.5 BGP in AS 12345 ............................................................................................................. 14
2.6 BGP in AS 34567 ............................................................................................................. 17
2.7 BGP in AS 45678 and AS 65222 ...................................................................................... 20
2.8 BGP routing policies ....................................................................................................... 22
2.9 OSPFV3 ........................................................................................................................... 25
2.10 BGP for IPv6 ................................................................................................................. 26
2.11 Layer 3 Multicast .......................................................................................................... 28
Section 3 -VPN Technology ...................................................................................................... 30
3.1 MPLS VPN Part 1 ............................................................................................................ 30
3.2 MPLS VPN part 2 ............................................................................................................ 31
3.3 DMVPN ........................................................................................................................... 33
3.4 Encryption ...................................................................................................................... 34
Section 4 – Infrastructure Security .......................................................................................... 35
4.1 Device Security ............................................................................................................... 35
4.2 network Security ............................................................................................................ 35
Section 5 –Infrastructure Services ........................................................................................... 36
5.1 System Management ..................................................................................................... 36
5.2 network Services ............................................................................................................ 37
5.3 network Optimization .................................................................................................... 39
5.4 network Services ............................................................................................................ 40
www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787
PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

小凡实验室
区域：12345
SW1/SW2
Vlan name
14 R1-R4
15 R1-R5
23 R2-R3
24 R2-R4
35 R3-R5
46 R4-R6
57 R5-R7
67 R6-R7
999 UNUSED
区域：34567
SW3/SW4
Vlan name
34 SW3-SW4
38 SW3-R8
49 SW4-R9
89 R8-R9
111 R10-R11
310 SW3-R10
411 SW4-R11
999 UNUSED

小凡实验室

小凡实验室
Section 1 –Layer 2 Technologies
1.1 Switch administration
Refer to “Diagram 1: Layer 2 Connections”

Configure the ACME Headquarters network (AS 12345) as per the following requirements;
 The VTP domain must be set to “CCIE”(without quotes)
 Use VTP version 2
 SW1 must be the VTP server and SW2 must be the VTP client.
 Secure all VTP updates with an MD5 digest of the ASCII string “CCIErock$”(without
quotes)
 In order to avoid as much as possible unknown unicast flooding in all VLANs, the
administrator requires that any dynamic entries learned by either SW1 or SW2 must be retained
for 2 hours before being refreshed.
SW1:
vtp mode server
vtp domain CCIE
vtp version 2
vtp password CCIErock$
SW2:
vtp mode client
vtp domain CCIE
vtp version 2
SW1&SW2
mac address-table aging-time 7200 //保证所有VLAN 同步后再敲这条命令，因为新加的vlan
不会生效
Configure the network of the New York office (AS 34567) as per the following requirements;
 The VTP domain must be set to “CCIE”(without quotes)
 Use VTP version 2

小凡实验室
 SW3 and SW4 must not advertise their VLAN configuration but must forward VTP
advertisements that they receive out their trunk ports.
 Secure all VTP updates with an MD5 digest of the ASCII string “ CCIErock$ ” (without
quotes);
SW3/SW4:
vtp domain CCIE
vtp version 2
vtp mode transparent
1.2 Layer 2 Ports
Refer to “Diagram 1: Layer 2 Connections” and “Diagram 2: Main Topology”

Configure your network as per the following requirements;
 Complete the configuration of all VLANs so that all routers that are located in ACME`s
Headquarters (AS 12345) and New York office (AS 34567) can ping their directly connected
neighbors.
 All four switches (SW1, SW2, SW3 and SW4) must have four dot1Q trunks that do not rely on
any negotiation.
 Do not configure any Etherchannel.
 Ensure that the following unused ports on all four switches are shut down and configured as
access ports in VLAN 999.

E3/0,E3/1,E3/2,E3/3 are unused on SW1 and SW2
SW1/SW2/SW3/SW4
interface range e2/0 -3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate IOU不支持这条命令，考试的时候注意看下有没有这个需求
interface range (unusedinterface)

switchport mode access
switchport access vlan 999

小凡实验室
shutdown
1.3 Spanning-tree

Configure the ACME network as per the following requirements;
 SW1 must be the root switch for all odd VLANs and must be the backup root switch for all
even VLANs
 SW2 must be the root switch for all even VLANs and must be the backup root switch for all
odd VLANs
 SW3 must be the root switch for all odd VLANs and must be the backup root switch for all
even VLANs
 SW4 must be the root switch for all even VLANs and must be the backup root switch for all
odd VLANs
 Explicitly configure the root and backup roles, assuming that other switches with default
configuration may eventually be added in the network in the future
 All switches must maintain one STP instance per VLAN
 Use the STP mode that has only three possible port states
 All access ports must immediately transition to the forwarding state upon linkup and they
must still participate in STP. Use a single command per switch to enable this feature.
 Access ports must automatically shut down if they receive any BPDU and an administrator
must manually re-enable the port. Use a single command per switch to enable this feature.
ｓｐａｎｎｉｎｇ－ｔｒｅｅ　ｐｏｒｔｆａｓｔｄｅｆａｕｌｔ　
（配置portfast buduguard）ｓｐａｎｎｉｎｇ－ｔｒｅｅ　ｐｏｒｔｆａｓｔｂｐｄｕｇｕａｒｄ　ｄｅｆａｕｌｔ
SW1/SW2/SW3/SW4
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
SW1:
spanning-tree vlan 1,15,23,35,57,67,999 root primary
spanning-tree vlan 14,24,46 root secondary

小凡实验室
SW2:
spanning-tree vlan 1,15,23,35,57,67,999 root secondary
spanning-tree vlan 14,24,46 root primary
SW3:
spanning-tree vlan 1,49,89,111,411,999 root primary
spanning-tree vlan 34,38,310 root secondary
SW4:
spanning-tree vlan 1,49,89,111,411,999 root secondary
spanning-tree vlan 34,38,310 root primary
1.4 WAN Switching

Configure the ACME remote offices in Tokyo and Singapore as per the following requirements;
 The WAN links must rely on a Layer 2 protocol that supports link negotiation and
authentication.
 The service provider expects that both R18 and R19 complete a three-way handshake by
providing the expected response of a challenge that is sent by R63.
 R18 must use the username “ACME-R18” and password “CCIE”(without quotes)
 R19 must use the username “ACME-R19” and password “CCIE”(without quotes)
R18:
interface Serial1/0
encapsulation ppp
ppp chap hostname ACME-R18
ppp chap password CCIE
R19:
interface Serial1/0
encapsulation ppp
ppp chap hostname ACME-R19
ppp chap password CCIE

小凡实验室
Section 2 –Layer 3 Technologies
2.1 OSPF in AS 12345
Refer to “Diagram 2: Main Topology”

Configure OSPFV2 Area 0 in the ACME Headquarters (AS 12345) according to the following
requirements;
 Configure the OSPF process ID to 12345 and set the router-id interface Lo0 on all seven
routers.
 The interface Lo0 of each router must be seen as an internal OSPF prefix by all other routers.
 Ensure that OSPF is not running on any interface that is facing another AS. Use any method to
accomplish this requirement.
 SW1 and SW2 must not participate in routing at all.
 Do not change the default OSPF cost of any interface in AS 12345.
 R1 must see the following OSPF routes in its routing table.

小凡实验室
R1
router ospf 12345
router-id 123.1.1.1
network 123.1.1.1 0.0.0.0 area 0
network 123.10.1.2 0.0.0.0 area 0
network 123.10.1.5 0.0.0.0 area 0
R2
router ospf 12345
router-id 123.2.2.2
network 123.2.2.2 0.0.0.0 area 0
network 123.10.1.9 0.0.0.0 area 0
network 123.10.1.17 0.0.0.0 area 0
R3
router ospf 12345
router-id 123.3.3.3
network 123.3.3.3 0.0.0.0 area 0
network 123.10.1.10 0.0.0.0 area 0
network 123.10.1.13 0.0.0.0 area 0
R4
router ospf 12345
router-id 123.4.4.4
network 123.4.4.4 0.0.0.0 area 0
network 123.10.1.1 0.0.0.0 area 0
network 123.10.1.18 0.0.0.0 area 0
network 123.10.1.21 0.0.0.0 area 0
R5
router ospf 12345
router-id 123.5.5.5
network 123.5.5.5 0.0.0.0 area 0
network 123.10.1.6 0.0.0.0 area 0
network 123.10.1.14 0.0.0.0 area 0
network 123.10.1.29 0.0.0.0 area 0
R6
router ospf 12345
router-id 123.6.6.6
network 123.6.6.6 0.0.0.0 area 0
network 123.10.1.22 0.0.0.0 area 0
network 123.10.1.25 0.0.0.0 area 0

小凡实验室
R7
router ospf 12345
router-id 123.7.7.7
network 123.7.7.7 0.0.0.0 area 0
network 123.10.1.26 0.0.0.0 area 0
network 123.10.1.30 0.0.0.0 area 0
2.2 EIGRP in AS 34567
Refer to 'Diagram 2 main Topology'

Configure EIGRP for IPv4 in the new York office (AS34567) according to the following
requirements:
 The Eigrp autonomous system number is 34567
 Do not configure any EIGRP virtual instance name in EIGRP AS 34567
 The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers
 Ensure that EIGRP is not running on any interface that is facing another AS , Use any method
to accomplish this requirement .
 using a single command in one switch only ,ensure that R8 installs two equal-cost paths for
the following three prefixes:

VLAN 411
interface Lo0 of SW4
interface Lo0 of R11
 Using a single command in one switch only, ensure that R9 installs two equal-cost paths for
the following three prefixes:

VLAN 310
interface Lo0 of SW3
interface Lo0 of R10
R8/R9/R10/R11/SW3/SW4:
router eigrp 34567
network 123.0.0.0
SW3/SW4
interface vlan 34
Delay 100

小凡实验室
注：考场上IOS的版本是15.3，15.0以上的版本IEGRP下，默认是关闭自动汇总。交换
机默认开启ip routing
Refer to 'Diagram 2 Main topology'

Configure Eigrp for ipv4 in the Sydney office (BGP AS 45678) according to the following
requirements:
 The EIGRP autonomous system number is 45678
 The interface Lo0 of each device must be seen as an internal EIGRP prefix by all other routers
 Ensure that EIGRP is not running on any interface that is facing anot her AS, Use any method
to accomplish this requirement
 SW5 and SW6 are Layer3 switches and must also run EIGRP
 on all three routers (R15 ,R16 and R17),ensure that EIGRP uses 64 bits for the metric
calculation of any prefix
 Do not change the default bandwidth or delay on any physical links in AS 45678
R15
router eigrp CCIE
address-family ipv4 unicast autonomous-system 45678
network 123.0.0.0
R16
router eigrp CCIE
network 123.0.0.0
R17
router eigrp CCIE
network 123.0.0.0
network 10.18.19.17 0.0.0.0
SW5/SW6
router eigrp 45678

小凡实验室
network 123.0.0.0
注：考场上IOS的版本是15.3，15.0以上的版本IEGRP下，默认是关闭自动汇总。交换
机默认开启ip routing

Configure EIGRP for IPv4 in the Tokyo and Singapore offices (BGP AS 65222) according to the
following requirements:
 The EIGRP autonomous system number is 45678
 The interface Lo0 of each router belonging to EIGRP AS 45678 must be seen as an internal
EIGRP prefix by all routers in AS 65222
 Ensure that EIGRP is not running on any physical interface that is facing another AS. Use any
method to accomplish this requirement
 The LAN segment connected to interface E0/0 on both R18 and R19 must be advertised into
EIGRP as an internal prefix
 R17 must establish an EIGRP peering with both R18 and R19 via the same interface Tunnel0
 R17 will not send query to R18 and R19
R18
router eigrp CCIE
network 10.1.18.1 0.0.0.0
network 10.18.19.18 0.0.0.0
network 123.18.18.18 0.0.0.0
eigrp stub
R19
router eigrp CCIE
network 10.1.19.1 0.0.0.0
network 10.18.19.19 0.0.0.0
network 123.19.19.19 0.0.0.0
eigrp stub
基本的NHRP部分（红色部分见需求3.3 DMVPN部分）

小凡实验室
R17/R18/R19
interface Tunnel0
ip nhrp authentication 45678key
ip nhrp network-id 45678
bandwidth 1000
delay 1000
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp holdtime 300
R17
interface Tunnel0
ip address 10.18.19.17 255.255.255.248
ip nhrp map multicast dynamic
tunnel source e0/3
tunnel mode gre multipoint
R18
interface Tunnel0
ip address 10.18.19.18 255.255.255.248
ip nhrp map 10.18.19.17 203.3.17.2
ip nhrp map multicast 203.3.17.2
ip nhrp nhs 10.18.19.17
tunnel source Serial1/0
R19
interface Tunnel0
ip address 10.18.19.19 255.255.255.248
ip nhrp map 10.18.19.17 203.3.17.2
ip nhrp nhs 10.18.19.17
tunnel source Serial1/0
R17
router eigrp cisco
af-interface Tunnel0
no next-hop-self
no split-horizon

小凡实验室
2.5 BGP in AS 12345
Refer to 'Diagram 3: BGP Routing'

BGP is partially preconfigured in ACME Headquarters. Complete the configuration as required.
Configure IBGP in ACME's headquarters (AS 12345) according to the following requirements:
 R4 and R5 must not establish any BGP session at any time
 All BGP routers must use their interface lo0 as the BGP router ID
 Disable the default IPv4 unicast address family for peering session establishment in all BGP
routers
 R1 must be the IPv4 route reflector for BGP AS 12345
 R1 must use the peer-group named 'iBGP ' for all internal peerings.
R1
router bgp 12345
bgp router-id 123.1.1.1
no bgp default ipv4-unicast
neighbor iBGP peer-group
neighbor iBGP remote-as 12345
neighbor iBGP update-source loopback 0
neighbor 123.2.2.2 peer-group iBGP
address-family ipv4 unicast
neighbor 123.2.2.2 activate
neighbor iBGP route-reflector-client
R2/R3/R6/R7
router bgp 12345
bgp router-id 123.X.X.X
neighbor 123.1.1.1 remote-as 12345
neighbor 123.1.1.1 update-source Loopback0

小凡实验室
no bgp default ipv4-unicast //如果先敲了一定别忘了激活！
address-family ipv4
 Configure EBGP between ACME's San Francisco and San Jose sites according to the following
requirements:
 R20 is a CE router and uses EBGP to connect to the managed services that are provided by
the PE routers R2 and R3
 R20 must establish a separate EBGP peering with both R2 and R3 for every VRF
 R20 must advertise the following prefixes to all of its BGP peers
123.0.0.0/8 , summary-only
10.0.0.0/8 , summary-only
 R20 must advertise a default route to all of its BGP peers except to 10.120.99.1 and
10.120.99.5
R20
router bgp 65112
bgp log-neighbor-changes
bgp listen range 10.120.12.0/22 peer-group RR
network 10.1.20.0 mask 255.255.255.128
network 10.1.20.128 mask 255.255.255.128
network 123.20.20.20 mask 255.255.255.255
aggregate-address 123.0.0.0 255.0.0.0 summary-only
neighbor RR peer-group
neighbor RR remote-as 12345
neighbor RR default-originate
R2
router bgp 12345
address-family ipv4 vrf GREEN
address-family ipv4 vrf BLUE

小凡实验室
address-family ipv4 vrf RED
address-family ipv4 vrf YELLOW
address-family ipv4 vrf INET
R3
router bgp 12345
需求见MPLS VPN部分
R2
router bgp 12345

小凡实验室
R3
router bgp 12345
R6
router bgp 12345
R7
router bgp 12345
2.6 BGP in AS 34567

BGP is partly preconfigured in the ACME New York office (AS 34567 ). Complete the configuration
as required:
Configure IBGP in AS 34567 according to the following requirements:
 SW3 and SW4 must not establish any BGP session at any time
 All four BGP routers must always use their interface Lo0 as the BGP router ID

小凡实验室
 Disable the default IPv4 unicast address family for peering session establishment in all BGP
routers
 Configure full-mesh IBGP peerings between all four routers , use any configuration method.
 R9 must be selected as the prefeibgped exit point for traffic destined to remote AS's
 R11 must be selected as the next prefeibgped exit point in case R9 fails.
 No BGP speaker in AS 34567 may use the 'network' statement under the BGP router
configuration.
 Ensure that the BGP next-hop is never marked as unreachable as long as the interface Lo0 of
the remote peer is known via IGP
 All four bgp routers redistribute EIGRP into BGP
 R9 and R11 must redistribute only the BGP default route into EIGRP
 Ensure that R9 is the only router that sees the default route as a BGP route and that all other
routers (R8 , R10 , R11 ) see it as an EIGRP external route
R8
router bgp 34567
neighbor iBGP update-source Loopback0
neighbor iBGP next-hop-self
neighbor 101.1.34.1 remote-as 10001 // 应该是预配
R9
router bgp 34567

小凡实验室
nei 102.1.34.1 remote-as 10002 //预配
neighbor 33.34.4.1 remote-as 30000 //预配
R10
router bgp 34567
R11
router bgp 34567
nei 202.2.34.1 remote-as 20002 //预配
R8/R9/R10/R11：
Router bgp 34567
Address-family ipv4
redistribute eigrp 34567
R9/R11
ip prefix-list DEFAULT permit 0.0.0.0/0
route-map DEFAULT permit 10
match ip address prefix-list DEFAULT
router eigrp 34567
redistribute bgp 34567 metric 10000 10 255 1 1500 route-map DEFAULT

小凡实验室
R9
route-map LP permit 10
match ip address prefix-list DEFAULT
set local-preference 101
route-map LP permit 20
router bgp 34567
address-family ipv4
neighbor 33.34.4.1 route-map LP in
2.7 BGP in AS 45678 and AS 65222

Configure EBGP in the ACME APAC region (AS 45678 and AS 65222) according to the following
requirements:
 SW5 and SW6 must not establish any BGP session at any time
 All BGP routers must always use their interface Lo0 as the BGP router ID
 No IBGP peering sessions are allowed in AS 45678
 R15 must establish an EBGP peering with AS 10003 and must receive a default route as well
as other prefixes
 R15 must redistribute BGP into EIGRP and vice-versa.
 R15 must also advertise an aggregate prefix for 123.20.1.0/24 to AS 10003 and must suppress
all component prefixes
 R16, R17, R18 and R19 must establish an EBGP peering with AS 20003 and must receive a
default route as well as other prefixes
 R16 , R17, R18 and R19 must not advertise any prefix to AS 20003
 As long as R15 is operational, R16, R17, R18 and R19 must prefer the EIGRP default route
over the EBGP default route
 Do not create any VRF anywhere in order to accomplish the above requirements.
 Be aware that the completion of this task is contingent on the completion of some other
tasks.

小凡实验室
R15
router bgp 45678
redistribute eigrp 45678
neighbor 103.2.45.1 remote-as 10003 //据说是预配
router eigrp CCIE
topology base
redistribute bgp 45678 metric 1544 1000 255 1 1500
R16
router bgp 45678
network 0.0.0.0 backdoor
R17
router bgp 45678
R18
router bgp 65222
R19
router bgp 65222

小凡实验室
2.8 BGP routing policies

Configure the ACME network as per the following requirements:
 All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to their
SP in VRF INET and must allow only all prefixes that belong to the class A 123.0.0.0/8. All ther VRF
 All ACME border router in AS 34567 must filter the BGP prefixes that are advertised to their
SP and must allow only all prefixes that belong to the class A 123.0.0.0/8.
 Do not use any route-map or access-list to accomplish the above requirements
 R13 must route traffic preferably via AS 20002 . Use any method to accomplish this
requirement.
 All three remote sites in AS 65111 must be able to ping 1.2.3.4 and traceroute must reveal
the exact same path as shown in the following output

小凡实验室
建议先做好MPLS 和NAT部分然后再来做这部分！
R8/R9/R10/R11
ip prefix-list 123OUT permit 123.0.0.0/8 le 32
R8:
router bgp 34567
address-family ipv4
neighbor 101.1.34.1 prefix-list 123OUT out
R9:
router bgp 34567
address-family ipv4
neighbot 33.34.4.2 prefix-list 123OUT out
R10:
router bgp 34567
address-family ipv4
R11:
router bgp 34567
address-family ipv4

小凡实验室
R2/R3/R6/R7
ip prefix-list 123OUT permit 123.0.0.0/8 le 32
R2:
router bgp 12345
R3:
router bgp 12345
R6:
router bgp 12345
R7:
router bgp 12345
R20:
router bgp 65112
address-family ipv4
neighbor 10.120.99.5 weight 2
R12:
router bgp 65111
neighbor 201.1.12.1 remote-as 20001 //考场可能有预配
address-family ipv4
network 123.12.12.12 mask 255.255.255.255
network 10.1.12.0 mask 255.255.255.0
R13:
router bgp 65111
address-family ipv4
network 123.13.13.13 mask 255.255.255.255

小凡实验室
network 10.1.13.0 mask 255.255.255.0
neighbor 202.2.13.1 weight 1
R14:
router bgp 65111
bgp router-id 123.14.14.14 //考场可能有预配
address-family ipv4
network 123.14.14.14 mask 255.255.255.255
network 10.1.14.0 mask 255.255.255.0
2.9 OSPFV3
Refer to “Diagram 5: IPv6 Topology”

ACME Corp is considering deploying IPv6 and wants to start implementing OSPFv3 in three sites
only: New York, San Diego and Miami Both regional service providers offer IPv6 services via xx
Diego and Miami) by offering two subinterfaces, one for IPv4’s managed services and one for
IPv6.
Configure OSPFv3 in the ACME New York office as per the following requirements:
 Configure the OSPF process ID to 1 and set the router-id to interface Lo0 on all seven routers.
 Do not enable OSPFv3 on any interfaces other than the interfaces that are indicated on the
“Diagram 3:IPv6 Routing’
 Place the interfaces in the OSPFv3 area as indicated on the diagram. Do not create any new
area. No other interface may be included in OSPFv3. Do not forget the Lo0 interfaces.
 SW4 must be elected as the designated router on VLAN 34 and must have the best chance of
retaining this role even if a new OSPFv3 device added to the VLAN in the future.
 SW3 must be elected as the backup designated router on VLAN 34 and must take over the
Designated router role if SW4 is down.
SW3:
ipv6 unicast-routing
ipv6 router ospf 1
router-id 123.203.3.3
interface vlan 34
ipv6 ospf 1 area 0

小凡实验室
ipv6 ospf priority 254
Interface vlan 310
ipv6 ospf 1 area 10
interface loopback0
ipv6 ospf 1 area 0
SW4:
ipv6 router ospf 1
router-id 123.204.4.4
interface vlan 34
ipv6 ospf 1 area 0
ipv6 ospf priority 255
interface vlan 411
ipv6 ospf 1 area 11
interface loopback0
ipv6 ospf 1 area 0
R10：
ipv6 router ospf 1
router-id 123.10.10.10
interface ethernet0/2
ipv6 ospf 1 area 10
interface loopback0
ipv6 ospf 1 area 10
R11：
ipv6 router ospf 1
router-id 123.11.11.11
interface ethernet0/1
ipv6 ospf 1 area 11
interface loopback0
ipv6 ospf 1 area 11
2.10 BGP for IPv6
Refer to ‘Diagram 5:IPv6 Topology’

 Establish the four EBGP peerings as indicated on ‘Diagram 5: IPv6 Routing’.

小凡实验室
 Do not use the network command under the BGP address-family IPv6 on either R10 or R11.
 Both regional service providers will advertise the necessary prefixes.
 Advertise the IPv6 prefix of interface E0/0 into BGP on both R12 and R14.
 R12 and R14 can ping each othes’s E0/0
R10：
router bgp 34567
neighbor 2001:CC1E:BEF:10:201:1:34:1 remote-as 20001
address-family ipv6
redistribute ospf 1 match internal external 1 external 2 include-connected
neighbor 2001:CC1E:BEF:10:201:1:34:1 activate
ipv6 router ospf 1
redistribute bgp 34567
R11:
router bgp 34567
address-family ipv6
redistribute ospf 1 match internal external 1 external 2 include-connected
ipv6 router ospf 1
redistribute bgp 34567
R12:
router bgp 65111
address-family ipv6
network 2001:CC1E:BEEF:0:123:12:12:12/128
network 2001:CC1E:BEEF:12::/64
R14:
router bgp 65111
address-family ipv6
network 2001:CC1E:BEEF:14::/64
network 2001:CC1E:BEEF:0:123:14:14:14/128
//IPv6地址是IOU环境中的，考场需要换成考场环境IPv6地址。

小凡实验室
2.11 Layer 3 Multicast
 at a streaming server is connected to vlan5 on SW5 on the ACME Sydney office) and that
receivers at the DMVPN spokes , behind R18 and R19
 The ACME APAC region network as per the following requrements.
 Only network Segment with Active receiver that explicitly requested the data must receive
multicast traffic
 The loopback 0 of R15 must be configured as the Rendezvous Point.
 A standard method of dynamically distributing electing RP
 R16 and R17 must participate in the multicast routing
 Testing purpose ,configure interface E0/0 of both R18 and R19 join to the group 232.1.1.1
 Put unused port on sw5 into vlan 5 and confirm that multicast is working as required by using
the following test SW5 must receive from both R18 and R19
R15:
ip multicast-routing
ip pim bsr-candidate Loopback0
ip pim rp-candidate Loopback0
interface Ethernet0/1
ip pim sparse-mode
ip pim sparse-mode
interface Loopback0
ip pim sparse-mode
R16：

小凡实验室
ip pim sparse-mode
ip pim sparse-mode
R17:
ip pim sparse-mode
ip pim sparse-mode
interface Tunnel0
ip pim nbma-mode
ip pim sparse-mode
R18:
ip pim sparse-mode
ip igmp join-group 232.1.1.1
interface Tunnel0
ip pim sparse-mode
R19:
ip pim sparse-mode
ip igmp join-group 232.1.1.1
interface Tunnel0
ip pim sparse-mode
SW5:
interface Vlan5
ip pim sparse-mode
interface Vlan55
ip pim sparse-mode
interface range [unusedinterface] /要求没有使用的接入vlan5，自行查看配置
switchport mode access
switchport access vlan 5

小凡实验室
Section 3 -VPN Technology
3.1 MPLS VPN Part 1
Refer to “Diagram 3: BGP Topology” and “Diagram 4:VPN Topology”.
 The ACME Headquarters network (AS 12335) uses MPLS L3VPN in order to clearly separate
remote site networks.
 The ACME corporate security policies are centralized and enforced at the San Jose site (AS
65112) for all remote sites. The policies require that all traffic that is originated from any remote
site (with the exception of AS34567) to the Internet is routed via R20 in AS 65112
 Configure MPLS L3VPN in the ACME network according to the following requirements:
 Enable LDP only on required interfaces on all seven routers in AS 12345
 Use the interface Lo0 to establish LDP peering
 Ensure that no MPLS interface that belongs to any router in AS 12345 is visible on a
traceroute that originates outside of the AS.
 R2, R3, R6 and R7 must be configured as PE routers.
 R1, R4 and R5 must be configured as P routers.
R1：
router bgp 12345
address-family vpnv4
neighbor iBGP send-community extended
neighbor iBGP route-reflector-client
neighbor iBGP activate
R2/R3/R6/R7
router bgp 12345
address-family vpnv4
neighbor 123.1.1.1 send-community extended /默认配置，敲不敲都可以
SW1/SW2
No ip igmp snooping //如果MPLS LDP 邻居起不来试着敲上这条命令，这条命令考场

小凡实验室
上不用敲，这条命令是这IOS的bug。
R1-R7:
mpls ldp router-id loopback 0
interface range ethernet 0/1 -2
mpls ip
R4&R5
Interface Ethernet0/0
Mpls ip
R2/R3/R6/R7
no mpls ip propagate-ttl
3.2 MPLS VPN part 2
Refer to “Diagram 3: BGP Topology” and “Diagram 4:VPN Topology”.
 The global and regional service providers have agreed to transport the ACME network
according to following requirements.
 Complete the configuration of MPLS L3VPN in the ACME network according to the following
requirements:
 R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345.
 R2 and R3 must establish an EBGP peering with both global service providers (AS 10001 and
AS 10002) for the following VRFs:

VRF “GREEN”
VRF “BLUE”
VRF “RED”
VRF “YELLOW”
VRF “INET”
 R6 must establish an EBGP peering with the regional service provider (AS 20001) for the
following VRFs only:

VRF “GREEN”
VRF “BLUE”
VRF “INET”
 R7 must establish an EBGP peering with the regional service provider (AS 20002) for the

小凡实验室
following VRFs only:
VRF “BLUE”
VRF “RED”
VRF ‘INET”
 All IP addressed used for EBGP peerings must pass BGP’s directly connected check
 No BGP speaker in AS 12345 may use the network or the redistribute statements under any
address-family of the BGP router configuration.
 At the end of the exam scenario, the interface e0/0 of the gateway router in any remote site
must be able connect to the interface e0/0 of any other remote gateway that belong to AS65111
or AS65112 and 65222
 Use the following tests as examples of connectivity checks:

小凡实验室
R12:
router bgp 65111
network 10.1.12.0 mask 255.255.255.0
R13:
router bgp 65111
network 10.1.13.0 mask 255.255.255.0
R14:
router bgp 65111
network 10.1.14.0 mask 255.255.255.0
3.3 DMVPN
Refer to “Diagram 4:VPN Topology”.

Configure DMVPN Phase 3 in the ACME APAC region(AS 45678 and 65222) as per the following
requirements:
 Use the preconfigured interface Tunnel0 on all three routers in order to accomplish this task
 R17 must be configured as the hub router
 R18 and R19 must be the spoke routers and must participate in the NHRP information
exchange
 Disable sending ICMP redirect messages no all thress Tunnel0 interfaces
 Configure the following parameters on all three tunnel0 interfaces:
 Configure the bandwidth to 1000 kilobits per second
 Configure the delay to 10000 microseconds
 Adjust the IP MTU to 1400 bytes
 Adjust the TCP maximum segment size to 1360 bytes
 Authenticate NHRP using the string “45678key”(without quotes!).

小凡实验室
 Use the NHRP network-id 45678
 Configure the NHRP hold time to 5 minutes.
 Ensure that spoke-to-spoke traffic does not transit via the hub.
3.4 Encryption
Refer to “Diagram 4:VPN Topology”.

Secure the DMVPN tunnel with IPsec according to the following requirements: Configure IKE
Phase 1 according to the following requirements:
 Use AES encryption with the pre-shared key “CCIE” (without quotes).
 The key must appear in plain text in the configuration
 All IPsec tunnels must be authenticated using the same IKE Phase 1 pre-shared key
 Use 1024 bits for the key exchange using the Diffie-Hellman algorithm.
 Configure a single policy with priority 10.Configure IKE Phase 2 according to the following
requirements:
 Use CCIEXFORM as the transform-set name.
 Use DMVPNPROFILE as the IPsec profile name.
 Use IPsec in transport mode.
 Use the IPsec security protocol ESP and the algorithm AES with 128 bits.
 Ensure that the DMVPN cloud is secured using the above parameters
 Use tunnel protection in your configuration
R17/R18/R19
crypto isakmp policy 10
encr aes
authentication pre-share

小凡实验室
group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set CCIEXFORM esp-aes
mode transport
crypto ipsec profile DMVPNPROFILE
set transform-set CCIEXFORM
interface tunnel0
tunnel protection ipsec profile DMVPNPROFILE
Section 4 – Infrastructure Security
 Check what is already preconfigured before jumping to configuration!
 Think about smart configuration options that can greatly speed up the time spent at typing
on the
 key board (use copy/paste when possible)!
4.1 Device Security
Refer to “Diagram 1: Main Topology:.

Configure R20 in the ACME San Jose office as per the following requirements:
 All users who connect to R20 via the console port via any VTY line using SSH must be
prompted with the below message before any other prompt is displayed.
 Do not include any extra spaces or any other characters as the ones shown above.
解法见5.1 部分！
4.2 network Security
Refer to “Diagram 1: Main Topology”.

Configure the ACME New York office as per the following requirements:
 Ensure that interface E0/0, E0/1, E0/2 and E0/3 of SW3 forward traffic that was sent from
expected and legitimate hosts and servers.
 SW3 must dynamically learn only one MAC address per port and must save the MAC address

小凡实验室
in its startup configuration
 SW3 must shut down the port if a security violation occurs any of these four ports SW3:
Interface range Ethernet0/0 -3

switchport port-security
switchport port-security mac-address sticky
Section 5 –Infrastructure Services

Check what is already preconfigured before jumping to configuration!Think
about smart configuration options that can greatly speed up the time spent
at typing on the key board (use copy/paste when possible)!
5.1 System Management

Configure R20 in the ACME San Jose office as per the following requirements:
 Enable SSH access in R20 using the domain name “acme.org ”.
 R20 must accept up to five remote authorized users to connect at the same time using SSH.
 Create the user “test” with the password “test” in the local database of R20.
 R20 must produce a syslog message for all SSH connection attempts, regardless of whether it
is permitted or denied.
 When authenticated, the user “test” must be granted with the privilege level 1.
 Do not enable the aaa new-model Command in R20.
 Ensure that SSH is the only remote access method that is permitted on VTY lines of R20.
 Ensure that the console is not affected by your solution and that no “username” prompt
is presented on the console port.
 Test your solution from any device that is located in AS 34567 and ensure that the following
sequence of commands produces the same output.

小凡实验室
R20:
banner login &
WARNING! ACCESS RESTRICTED!
&
privilege exec level 1 show privilege //考场如果可以出效果这条可以不敲

ip domain name acme.org
username test password test
crypto key generate rsa
1024
ip ssh maxstartups 5
Access-list 1 permit 123.10.2.0 0.0.0.255 log
Access-list 1 deny any log
line vty 0 4
login local
access-class 1 in
transport input ssh
lin con 0 //会提示没有设置密码，不用理会
login
5.2 network Services
Refer to “Diagram 1: Main Topology Configure the ACME network as per the following
requirement.
 R20 must enable all private corporate traffic that is originated from any host with source

小凡实验室
 IP address in 10.1.0.0/16 or in 10.2.0.0/16 to connect to any public destination that is located
in AS 34567 or in any services.
 All remote sites in AS 65111 and AS 65222 must be able to connect to these public
destinations.
 R20 must swap the source IP address in these packets with the IP address of its interface Lo0.
 R20 must allow multiple concuibgpent connections.
 Use a standard access-list to accomplish the above requirements.
 The following tests must succeed after the above requirements （in addition to the previous
requirements） are achieved.
R20
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 1 permit 10.1.0.0 0.0.255.255
ip nat inside source list 1 interface loopback 0 overload
ip nat inside
ip nat inside
interface Ethernet2/0.12
ip nat inside
ip nat inside
ip nat inside

小凡实验室
ip nat inside
ip nat inside
ip nat inside
ip nat inside
ip nat inside
ip nat outside
ip nat outside
5.3 network Optimization
 Configure R17 as per the following requirement.
 The output that is shown below must be seen on R17 during 10 seconds after R15
successfully pinged interface Lo0 of R19.
R17
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 10000

小凡实验室
interface Tunnel0
ip flow egress
5.4 network Services
 SW3 must provide an authoritative time source to the ACME network.
 R10 and R12 must synchronise their clock to SW3 using NTPv4 for Ipv6.
 R10 and R12 must operate in client mode.
 SW3 must not capture or use any time information that is sent by R12 and R14.
 All NTP traffic must rely on IPv6 connectivity only
 All NTP traffic must be sourced and destined to the interface Lo0 of the coibgpesponding
devices.
SW3
ntp master
ntp source Loopback0
interface loopback 0
ntp disable ip
R10/R12
ntp server 2001:CC1E:BEF:0:123:33:33:33 source loopback0

CCIE V5.0 LAB小凡实验室-H1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCIE V5.0 LAB小凡实验室-H1

Uploaded by

Copyright:

Available Formats

小凡实验室

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

Section 1 –Layer 2 Technologies

1.1 Switch administration

Refer to “Diagram 1: Layer 2 Connections”

 The VTP domain must be set to “CCIE”(without quotes)

 Use VTP version 2

 The VTP domain must be set to “CCIE”(without quotes)

 Use VTP version 2

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

advertisements that they receive out their trunk ports.

1.2 Layer 2 Ports

Refer to “Diagram 1: Layer 2 Connections” and “Diagram 2: Main Topology”

 Do not configure any Etherchannel.

access ports in VLAN 999.

interface range (unusedinterface)

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

Refer to “Diagram 1: Layer 2 Connections”

configuration may eventually be added in the network in the future

 All switches must maintain one STP instance per VLAN

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

1.4 WAN Switching

Refer to “Diagram 1: Layer 2 Connections”

providing the expected response of a challenge that is sent by R63.

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

Section 2 –Layer 3 Technologies

2.1 OSPF in AS 12345

Refer to “Diagram 2: Main Topology”

accomplish this requirement.

 SW1 and SW2 must not participate in routing at all.

 Do not change the default OSPF cost of any interface in AS 12345.

 R1 must see the following OSPF routes in its routing table.

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

2.2 EIGRP in AS 34567

Refer to 'Diagram 2 main Topology'

 The Eigrp autonomous system number is 34567

 Do not configure any EIGRP virtual instance name in EIGRP AS 34567

to accomplish this requirement .

the following three prefixes:

the following three prefixes:

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

2.3 EIGRP in AS 45678

Refer to 'Diagram 2 Main topology'

 The EIGRP autonomous system number is 45678

to accomplish this requirement

calculation of any prefix

www.xiaofanlab.com 小凡实验室技术交流 QQ 群：113731787

PDF 檔案使用 "pdfFactory Pro" 試用版本建立 www.pdffactory.com

2.4 EIGRP in AS 65222

Refer to “Diagram 2: Main Topology”

 The EIGRP autonomous system number is 45678