CCIE V5.0 LAB小凡实验室-H1
Contents
Section 1 – Layer 2 Technologies
1.1 Switch administration
1.2 Layer 2 Ports
1.3 Spanning-tree
1.4 WAN Switching
Section 2 – Layer 3 Technologies
2.1 OSPF in AS 12345
2.2 EIGRP in AS 34567
2.3 EIGRP in AS 45678
2.4 EIGRP in AS 65222
2.5 BGP in AS 12345
2.6 BGP in AS 34567
2.7 BGP in AS 45678 and AS 65222
2.8 BGP routing policies
2.9 OSPFv3
2.10 BGP for IPv6
2.11 Layer 3 Multicast
Section 3 – VPN Technology
3.1 MPLS VPN Part 1
3.2 MPLS VPN Part 2
3.3 DMVPN
3.4 Encryption
Section 4 – Infrastructure Security
4.1 Device Security
4.2 Network Security
Section 5 – Infrastructure Services
5.1 System Management
5.2 Network Services
5.3 Network Optimization
5.4 Network Services
1.1 Switch administration
Region: AS 34567
SW3/SW4
VLAN   Name
34     SW3-SW4
38     SW3-R8
49     SW4-R9
89     R8-R9
111    R10-R11
310    SW3-R10
411    SW4-R11
999    UNUSED
SW1 must be the VTP server and SW2 must be the VTP client.
Secure all VTP updates with an MD5 digest of the ASCII string "CCIErock$" (without quotes).
In order to avoid unknown unicast flooding in all VLANs as much as possible, the administrator requires that any dynamic entries learned by either SW1 or SW2 must be retained for 2 hours before being refreshed.
SW1:
vtp mode server
vtp domain CCIE
vtp version 2
vtp password CCIErock$
SW2:
vtp mode client
vtp domain CCIE
vtp version 2
vtp password CCIErock$
SW1&SW2
mac address-table aging-time 7200 // enter this only after all VLANs have synchronised via VTP; VLANs created afterwards will not pick up the setting
Configure the network of the New York office (AS 34567) as per the following requirements;
SW3 and SW4 must not advertise their VLAN configuration but must forward VTP
Secure all VTP updates with an MD5 digest of the ASCII string "CCIErock$" (without quotes);
SW3/SW4:
vtp domain CCIE
vtp version 2
vtp mode transparent
vtp password CCIErock$
Complete the configuration of all VLANs so that all routers that are located in ACME's Headquarters (AS 12345) and New York office (AS 34567) can ping their directly connected neighbors.
All four switches (SW1, SW2, SW3 and SW4) must have four dot1Q trunks that do not rely on
any negotiation.
Ensure that the following unused ports on all four switches are shut down and configured as
SW1/SW2/SW3/SW4
interface range e2/0 -3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate // IOU does not support this command; in the exam, check whether this requirement is present
1.3 Spanning-tree
SW1 must be the root switch for all odd VLANs and must be the backup root switch for all
even VLANs
SW2 must be the root switch for all even VLANs and must be the backup root switch for all
odd VLANs
SW3 must be the root switch for all odd VLANs and must be the backup root switch for all
even VLANs
SW4 must be the root switch for all even VLANs and must be the backup root switch for all
odd VLANs
Explicitly configure the root and backup roles, assuming that other switches with default
Use the STP mode that has only three possible port states
All access ports must immediately transition to the forwarding state upon linkup and they
must still participate in STP. Use a single command per switch to enable this feature.
Access ports must automatically shut down if they receive any BPDU and an administrator
must manually re-enable the port. Use a single command per switch to enable this feature.
(PortFast and BPDU guard are each enabled with a single global command: spanning-tree portfast default and spanning-tree portfast bpduguard default)
SW1/SW2/SW3/SW4
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
SW1:
spanning-tree vlan 1,15,23,35,57,67,999 root primary
spanning-tree vlan 14,24,46 root secondary
SW3:
spanning-tree vlan 1,49,89,111,411,999 root primary
spanning-tree vlan 34,38,310 root secondary
SW4:
spanning-tree vlan 1,49,89,111,411,999 root secondary
spanning-tree vlan 34,38,310 root primary
1.4 WAN Switching
The WAN links must rely on a Layer 2 protocol that supports link negotiation and authentication.
The service provider expects that both R18 and R19 complete a three-way handshake by
R18 must use the username "ACME-R18" and password "CCIE" (without quotes)
R19 must use the username "ACME-R19" and password "CCIE" (without quotes)
R18:
interface Serial1/0
encapsulation ppp
ppp chap hostname ACME-R18
ppp chap password CCIE
R19:
interface Serial1/0
encapsulation ppp
ppp chap hostname ACME-R19
ppp chap password CCIE
2.1 OSPF in AS 12345
Configure the OSPF process ID to 12345 and set the router-id to the interface Lo0 address on all seven routers.
The interface Lo0 of each router must be seen as an internal OSPF prefix by all other routers.
Ensure that OSPF is not running on any interface that is facing another AS. Use any method to
R2
router ospf 12345
router-id 123.2.2.2
network 123.2.2.2 0.0.0.0 area 0
network 123.10.1.9 0.0.0.0 area 0
network 123.10.1.17 0.0.0.0 area 0
R3
router ospf 12345
router-id 123.3.3.3
network 123.3.3.3 0.0.0.0 area 0
network 123.10.1.10 0.0.0.0 area 0
network 123.10.1.13 0.0.0.0 area 0
R4
router ospf 12345
router-id 123.4.4.4
network 123.4.4.4 0.0.0.0 area 0
network 123.10.1.1 0.0.0.0 area 0
network 123.10.1.18 0.0.0.0 area 0
network 123.10.1.21 0.0.0.0 area 0
R5
router ospf 12345
router-id 123.5.5.5
network 123.5.5.5 0.0.0.0 area 0
network 123.10.1.6 0.0.0.0 area 0
network 123.10.1.14 0.0.0.0 area 0
network 123.10.1.29 0.0.0.0 area 0
R6
router ospf 12345
router-id 123.6.6.6
network 123.6.6.6 0.0.0.0 area 0
network 123.10.1.22 0.0.0.0 area 0
network 123.10.1.25 0.0.0.0 area 0
2.2 EIGRP in AS 34567
The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers.
Ensure that EIGRP is not running on any interface that is facing another AS. Use any method
Using a single command in one switch only, ensure that R8 installs two equal-cost paths for
Using a single command in one switch only, ensure that R9 installs two equal-cost paths for
R8/R9/R10/R11/SW3/SW4:
router eigrp 34567
network 123.0.0.0
SW3/SW4
interface vlan 34
delay 100
Note: the exam IOS version is 15.3; in 15.0 and later, EIGRP auto-summary is disabled by default. The switches have ip routing enabled by default.
2.3 EIGRP in AS 45678
The interface Lo0 of each device must be seen as an internal EIGRP prefix by all other routers.
Ensure that EIGRP is not running on any interface that is facing another AS. Use any method
SW5 and SW6 are Layer 3 switches and must also run EIGRP.
On all three routers (R15, R16 and R17), ensure that EIGRP uses 64 bits for the metric
Do not change the default bandwidth or delay on any physical links in AS 45678.
R15
router eigrp CCIE
address-family ipv4 unicast autonomous-system 45678
network 123.0.0.0
R16
router eigrp CCIE
address-family ipv4 unicast autonomous-system 45678
network 123.0.0.0
R17
router eigrp CCIE
address-family ipv4 unicast autonomous-system 45678
network 123.0.0.0
network 10.18.19.17 0.0.0.0
SW5/SW6
router eigrp 45678
network 123.0.0.0
Note: the exam IOS version is 15.3; in 15.0 and later, EIGRP auto-summary is disabled by default. The switches have ip routing enabled by default.
2.4 EIGRP in AS 65222
The interface Lo0 of each router belonging to EIGRP AS 45678 must be seen as an internal
Ensure that EIGRP is not running on any physical interface that is facing another AS. Use any
The LAN segment connected to interface E0/0 on both R18 and R19 must be advertised into
R17 must establish an EIGRP peering with both R18 and R19 via the same interface Tunnel0.
R18
router eigrp CCIE
address-family ipv4 unicast autonomous-system 45678
network 10.1.18.1 0.0.0.0
network 10.18.19.18 0.0.0.0
network 123.18.18.18 0.0.0.0
eigrp stub
R19
router eigrp CCIE
address-family ipv4 unicast autonomous-system 45678
network 10.1.19.1 0.0.0.0
network 10.18.19.19 0.0.0.0
network 123.19.19.19 0.0.0.0
eigrp stub
Basic NHRP part (the parts in red belong to requirement 3.3, DMVPN)
R17
interface Tunnel0
ip address 10.18.19.17 255.255.255.248
ip nhrp map multicast dynamic
tunnel source e0/3
tunnel mode gre multipoint
// ip nhrp network-id is assumed to be part of the preconfigured Tunnel0 (see 3.3); NHRP does not run on the interface without it
R18
interface Tunnel0
ip address 10.18.19.18 255.255.255.248
ip nhrp map 10.18.19.17 203.3.17.2
ip nhrp map multicast 203.3.17.2
ip nhrp nhs 10.18.19.17
tunnel source Serial1/0
tunnel mode gre multipoint
R19
interface Tunnel0
ip address 10.18.19.19 255.255.255.248
ip nhrp map 10.18.19.17 203.3.17.2
ip nhrp map multicast 203.3.17.2
ip nhrp nhs 10.18.19.17
tunnel source Serial1/0
tunnel mode gre multipoint
R17
router eigrp CCIE
address-family ipv4 unicast autonomous-system 45678
af-interface Tunnel0
no next-hop-self
no split-horizon
2.5 BGP in AS 12345
All BGP routers must use their interface Lo0 as the BGP router ID.
Disable the default IPv4 unicast address family for peering session establishment in all BGP routers.
R1 must use the peer-group named 'iBGP' for all internal peerings.
R1
router bgp 12345
bgp router-id 123.1.1.1
no bgp default ipv4-unicast
neighbor iBGP peer-group
neighbor iBGP remote-as 12345
neighbor iBGP update-source loopback 0
neighbor 123.2.2.2 peer-group iBGP
neighbor 123.3.3.3 peer-group iBGP
neighbor 123.6.6.6 peer-group iBGP
neighbor 123.7.7.7 peer-group iBGP
address-family ipv4 unicast
neighbor 123.2.2.2 activate
neighbor 123.3.3.3 activate
neighbor 123.6.6.6 activate
neighbor 123.7.7.7 activate
neighbor iBGP route-reflector-client
R2/R3/R6/R7
router bgp 12345
bgp router-id 123.X.X.X // X = the router number, i.e. the Lo0 address
no bgp default ipv4-unicast
neighbor 123.1.1.1 remote-as 12345
neighbor 123.1.1.1 update-source Loopback0
address-family ipv4 unicast
neighbor 123.1.1.1 activate
Configure EBGP between ACME's San Francisco and San Jose sites according to the following
requirements:
R20 is a CE router and uses EBGP to connect to the managed services that are provided by
R20 must establish a separate EBGP peering with both R2 and R3 for every VRF
R20 must advertise the following prefixes to all of its BGP peers
123.0.0.0/8 , summary-only
10.0.0.0/8 , summary-only
R20 must advertise a default route to all of its BGP peers except to 10.120.99.1 and
10.120.99.5
R20
router bgp 65112
bgp router-id 123.20.20.20
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor RR peer-group
neighbor RR remote-as 12345
bgp listen range 10.120.12.0/22 peer-group RR
neighbor 10.120.99.1 remote-as 12345
neighbor 10.120.99.5 remote-as 12345
address-family ipv4 unicast
neighbor RR activate
neighbor RR default-originate
neighbor 10.120.99.1 activate
neighbor 10.120.99.5 activate
network 10.1.20.0 mask 255.255.255.128
network 10.1.20.128 mask 255.255.255.128
network 123.20.20.20 mask 255.255.255.255
aggregate-address 123.0.0.0 255.0.0.0 summary-only
aggregate-address 10.0.0.0 255.0.0.0 summary-only
R2
router bgp 12345
address-family ipv4 vrf GREEN
neighbor 10.120.12.2 remote-as 65112
neighbor 10.120.12.2 activate
address-family ipv4 vrf BLUE
R3
router bgp 12345
address-family ipv4 vrf GREEN
neighbor 10.120.12.6 remote-as 65112
neighbor 10.120.12.6 activate
address-family ipv4 vrf BLUE
neighbor 10.120.13.6 remote-as 65112
neighbor 10.120.13.6 activate
address-family ipv4 vrf RED
neighbor 10.120.14.6 remote-as 65112
neighbor 10.120.14.6 activate
address-family ipv4 vrf YELLOW
neighbor 10.120.15.6 remote-as 65112
neighbor 10.120.15.6 activate
address-family ipv4 vrf INET
neighbor 10.120.99.6 remote-as 65112
neighbor 10.120.99.6 activate
Requirements: see the MPLS VPN section.
R2
router bgp 12345
address-family ipv4 vrf BLUE
neighbor 101.1.123.1 remote-as 10001
address-family ipv4 vrf GREEN
neighbor 101.1.123.1 remote-as 10001
address-family ipv4 vrf INET
neighbor 101.1.123.1 remote-as 10001
address-family ipv4 vrf RED
neighbor 101.1.123.1 remote-as 10001
address-family ipv4 vrf YELLOW
neighbor 101.1.123.1 remote-as 10001
R6
router bgp 12345
address-family ipv4 vrf BLUE
neighbor 201.1.123.1 remote-as 20001
address-family ipv4 vrf GREEN
neighbor 201.1.123.1 remote-as 20001
address-family ipv4 vrf INET
neighbor 201.1.123.1 remote-as 20001
R7
router bgp 12345
address-family ipv4 vrf BLUE
neighbor 202.2.123.1 remote-as 20002
address-family ipv4 vrf INET
neighbor 202.2.123.1 remote-as 20002
address-family ipv4 vrf RED
neighbor 202.2.123.1 remote-as 20002
2.6 BGP in AS 34567
SW3 and SW4 must not establish any BGP session at any time.
All four BGP routers must always use their interface Lo0 as the BGP router ID.
Disable the default IPv4 unicast address family for peering session establishment in all BGP routers.
Configure full-mesh iBGP peerings between all four routers; use any configuration method.
R9 must be selected as the preferred exit point for traffic destined to remote ASes.
R11 must be selected as the next preferred exit point in case R9 fails.
No BGP speaker in AS 34567 may use the 'network' statement under the BGP router configuration.
Ensure that the BGP next-hop is never marked as unreachable as long as the interface Lo0 of
R9 and R11 must redistribute only the BGP default route into EIGRP.
Ensure that R9 is the only router that sees the default route as a BGP route and that all other
R8
router bgp 34567
bgp router-id 123.8.8.8
neighbor iBGP peer-group
neighbor iBGP remote-as 34567
neighbor iBGP update-source Loopback0
neighbor iBGP next-hop-self
neighbor 123.9.9.9 peer-group iBGP
neighbor 123.10.10.10 peer-group iBGP
neighbor 123.11.11.11 peer-group iBGP
neighbor 101.1.34.1 remote-as 10001 // should be preconfigured
no bgp default ipv4-unicast
R9
router bgp 34567
bgp router-id 123.9.9.9
neighbor iBGP peer-group
neighbor iBGP remote-as 34567
neighbor iBGP update-source Loopback0
neighbor iBGP next-hop-self
neighbor 123.8.8.8 peer-group iBGP
neighbor 123.10.10.10 peer-group iBGP
neighbor 123.11.11.11 peer-group iBGP
no bgp default ipv4-unicast
R10
router bgp 34567
bgp router-id 123.10.10.10
neighbor iBGP peer-group
neighbor iBGP remote-as 34567
neighbor iBGP update-source Loopback0
neighbor iBGP next-hop-self
neighbor 123.8.8.8 peer-group iBGP
neighbor 123.9.9.9 peer-group iBGP
neighbor 123.11.11.11 peer-group iBGP
neighbor 201.1.34.1 remote-as 20001 // preconfigured
no bgp default ipv4-unicast
R11
router bgp 34567
bgp router-id 123.11.11.11
neighbor iBGP peer-group
neighbor iBGP remote-as 34567
neighbor iBGP update-source Loopback0
neighbor iBGP next-hop-self
neighbor 123.8.8.8 peer-group iBGP
neighbor 123.9.9.9 peer-group iBGP
neighbor 123.10.10.10 peer-group iBGP
neighbor 202.2.34.1 remote-as 20002 // preconfigured
neighbor 33.34.3.1 remote-as 30000 // preconfigured
no bgp default ipv4-unicast
R8/R9/R10/R11:
router bgp 34567
address-family ipv4
neighbor iBGP activate // required because the default IPv4 address family is disabled
redistribute eigrp 34567
R9/R11
ip prefix-list DEFAULT permit 0.0.0.0/0
route-map DEFAULT permit 10
match ip address prefix-list DEFAULT
router eigrp 34567
redistribute bgp 34567 metric 10000 10 255 1 1500 route-map DEFAULT
R9
route-map LP permit 10
match ip address prefix-list DEFAULT
set local-preference 101
route-map LP permit 20
router bgp 34567
address-family ipv4
neighbor 33.34.4.1 route-map LP in
2.7 BGP in AS 45678 and AS 65222
SW5 and SW6 must not establish any BGP session at any time.
All BGP routers must always use their interface Lo0 as the BGP router ID.
R15 must establish an EBGP peering with AS 10003 and must receive a default route as well as other prefixes.
R15 must also advertise an aggregate prefix for 123.20.1.0/24 to AS 10003 and must suppress
R16, R17, R18 and R19 must establish an EBGP peering with AS 20003 and must receive a
R16, R17, R18 and R19 must not advertise any prefix to AS 20003.
As long as R15 is operational, R16, R17, R18 and R19 must prefer the EIGRP default route
Do not create any VRF anywhere in order to accomplish the above requirements.
Be aware that the completion of this task is contingent on the completion of some other tasks.
R15
router bgp 45678
bgp router-id 123.15.15.15
no bgp default ipv4-unicast
neighbor 103.2.45.1 remote-as 10003 // reportedly preconfigured
address-family ipv4 unicast
neighbor 103.2.45.1 activate
redistribute eigrp 45678
aggregate-address 123.20.1.0 255.255.255.0 summary-only
router eigrp CCIE
address-family ipv4 unicast autonomous-system 45678
topology base
redistribute bgp 45678 metric 1544 1000 255 1 1500
R16
router bgp 45678
bgp router-id 123.16.16.16
no bgp default ipv4-unicast
neighbor 203.3.16.1 remote-as 20003
address-family ipv4 unicast
neighbor 203.3.16.1 activate
network 0.0.0.0 backdoor
R17
router bgp 45678
bgp router-id 123.17.17.17
no bgp default ipv4-unicast
neighbor 203.3.17.1 remote-as 20003
address-family ipv4 unicast
neighbor 203.3.17.1 activate
network 0.0.0.0 backdoor
R18
router bgp 65222
bgp router-id 123.18.18.18
no bgp default ipv4-unicast
neighbor 203.3.18.1 remote-as 20003
address-family ipv4 unicast
neighbor 203.3.18.1 activate
network 0.0.0.0 backdoor
R19
router bgp 65222
bgp router-id 123.19.19.19
2.8 BGP routing policies
All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to their SP in VRF INET and must allow only prefixes that belong to the class A network 123.0.0.0/8. All other VRF
All ACME border routers in AS 34567 must filter the BGP prefixes that are advertised to their SP and must allow only prefixes that belong to the class A network 123.0.0.0/8.
R13 must route traffic preferably via AS 20002. Use any method to accomplish this requirement.
All three remote sites in AS 65111 must be able to ping 1.2.3.4 and traceroute must reveal
Recommendation: finish the MPLS and NAT sections first, then come back to this part!
R8/R9/R10/R11
ip prefix-list 123OUT permit 123.0.0.0/8 le 32
R8:
router bgp 34567
address-family ipv4
neighbor 101.1.34.1 prefix-list 123OUT out
R9:
router bgp 34567
address-family ipv4
neighbor 102.2.34.1 prefix-list 123OUT out
neighbor 33.34.4.2 prefix-list 123OUT out
R10:
router bgp 34567
address-family ipv4
neighbor 201.1.34.1 prefix-list 123OUT out
R11:
router bgp 34567
address-family ipv4
neighbor 202.2.34.1 prefix-list 123OUT out
neighbor 33.34.3.2 prefix-list 123OUT out
R2:
router bgp 12345
address-family ipv4 vrf INET
neighbor 101.1.123.1 prefix-list 123OUT out
R3:
router bgp 12345
address-family ipv4 vrf INET
neighbor 102.2.123.1 prefix-list 123OUT out
R6:
router bgp 12345
address-family ipv4 vrf INET
neighbor 201.1.123.1 prefix-list 123OUT out
R7:
router bgp 12345
address-family ipv4 vrf INET
neighbor 202.2.123.1 prefix-list 123OUT out
R20:
router bgp 65112
address-family ipv4
neighbor 10.120.99.5 weight 2
R12:
router bgp 65111
bgp router-id 123.12.12.12
neighbor 201.1.12.1 remote-as 20001 // may be preconfigured in the exam
address-family ipv4
network 123.12.12.12 mask 255.255.255.255
network 10.1.12.0 mask 255.255.255.0
no bgp default ipv4-unicast
R13:
router bgp 65111
bgp router-id 123.13.13.13
neighbor 202.2.13.1 remote-as 20002 // may be preconfigured in the exam
neighbor 202.1.13.1 remote-as 20001 // may be preconfigured in the exam
address-family ipv4
network 123.13.13.13 mask 255.255.255.255
R14:
router bgp 65111
neighbor 202.2.14.1 remote-as 20002 // may be preconfigured in the exam
bgp router-id 123.14.14.14 // may be preconfigured in the exam
address-family ipv4
network 123.14.14.14 mask 255.255.255.255
network 10.1.14.0 mask 255.255.255.0
no bgp default ipv4-unicast
2.9 OSPFv3
Configure the OSPF process ID to 1 and set the router-id to the interface Lo0 address on all seven routers.
Do not enable OSPFv3 on any interfaces other than the interfaces that are indicated on the
Place the interfaces in the OSPFv3 area as indicated on the diagram. Do not create any new area. No other interface may be included in OSPFv3. Do not forget the Lo0 interfaces.
SW4 must be elected as the designated router on VLAN 34 and must have the best chance of retaining this role even if a new OSPFv3 device is added to the VLAN in the future.
SW3 must be elected as the backup designated router on VLAN 34 and must take over the
SW3:
ipv6 unicast-routing
ipv6 router ospf 1
router-id 123.203.3.3
interface vlan 34
ipv6 ospf 1 area 0
SW4:
ipv6 unicast-routing
ipv6 router ospf 1
router-id 123.204.4.4
interface vlan 34
ipv6 ospf 1 area 0
ipv6 ospf priority 255
interface vlan 411
ipv6 ospf 1 area 11
interface loopback0
ipv6 ospf 1 area 0
R10:
ipv6 unicast-routing
ipv6 router ospf 1
router-id 123.10.10.10
interface ethernet0/2
ipv6 ospf 1 area 10
interface loopback0
ipv6 ospf 1 area 10
R11:
ipv6 unicast-routing
ipv6 router ospf 1
router-id 123.11.11.11
interface ethernet0/1
ipv6 ospf 1 area 11
interface loopback0
ipv6 ospf 1 area 11
2.10 BGP for IPv6
Do not use the network command under the BGP address-family IPv6 on either R10 or R11.
Advertise the IPv6 prefix of interface E0/0 into BGP on both R12 and R14.
R10:
router bgp 34567
neighbor 2001:CC1E:BEF:10:201:1:34:1 remote-as 20001
address-family ipv6
redistribute ospf 1 match internal external 1 external 2 include-connected
neighbor 2001:CC1E:BEF:10:201:1:34:1 activate
ipv6 router ospf 1
redistribute bgp 34567
R11:
router bgp 34567
neighbor 2001:CC1E:BEF:11:202:2:34:1 remote-as 20002
address-family ipv6
redistribute ospf 1 match internal external 1 external 2 include-connected
neighbor 2001:CC1E:BEF:11:202:2:34:1 activate
ipv6 router ospf 1
redistribute bgp 34567
R12:
router bgp 65111
neighbor 2001:CC1E:BEF:12:201:1:12:1 remote-as 20001
address-family ipv6
network 2001:CC1E:BEEF:0:123:12:12:12/128
network 2001:CC1E:BEEF:12::/64
neighbor 2001:CC1E:BEF:12:201:1:12:1 activate
R14:
router bgp 65111
neighbor 2001:CC1E:BEF:14:202:2:14:1 remote-as 20002
address-family ipv6
network 2001:CC1E:BEEF:14::/64
network 2001:CC1E:BEEF:0:123:14:14:14/128
neighbor 2001:CC1E:BEF:14:202:2:14:1 activate
// These IPv6 addresses are from the IOU environment; in the exam, replace them with the exam environment's IPv6 addresses.
2.11 Layer 3 Multicast
(a streaming server is connected to VLAN 5 on SW5 in the ACME Sydney office) and that
Only network segments with an active receiver that explicitly requested the data must receive multicast traffic.
For testing purposes, configure interface E0/0 of both R18 and R19 to join the group 232.1.1.1.
Put the unused ports on SW5 into VLAN 5 and confirm that multicast is working as required by using the following test: SW5 must receive from both R18 and R19.
R15:
ip multicast-routing
ip pim bsr-candidate Loopback0
ip pim rp-candidate Loopback0
interface Ethernet0/1
ip pim sparse-mode
interface Ethernet0/2
ip pim sparse-mode
interface Loopback0
ip pim sparse-mode
R16:
ip multicast-routing
R17:
ip multicast-routing
interface Ethernet0/1
ip pim sparse-mode
interface Ethernet0/2
ip pim sparse-mode
interface Tunnel0
ip pim nbma-mode
ip pim sparse-mode
R18:
ip multicast-routing
interface Ethernet0/0
ip pim sparse-mode
ip igmp join-group 232.1.1.1
interface Tunnel0
ip pim sparse-mode
R19:
ip multicast-routing
interface Ethernet0/0
ip pim sparse-mode
ip igmp join-group 232.1.1.1
interface Tunnel0
ip pim sparse-mode
SW5:
ip multicast-routing
interface Vlan5
ip pim sparse-mode
interface Vlan55
ip pim sparse-mode
interface range [unused interfaces] // the requirement is to put the unused ports into VLAN 5; check the configuration yourself to identify them
switchport mode access
switchport access vlan 5
3.1 MPLS VPN Part 1
The ACME Headquarters network (AS 12345) uses MPLS L3VPN in order to clearly separate
The ACME corporate security policies are centralized and enforced at the San Jose site (AS 65112) for all remote sites. The policies require that all traffic that is originated from any remote site (with the exception of AS 34567) to the Internet is routed via R20 in AS 65112.
Configure MPLS L3VPN in the ACME network according to the following requirements:
Ensure that no MPLS interface that belongs to any router in AS 12345 is visible on a
R1:
router bgp 12345
address-family vpnv4
neighbor iBGP send-community extended
neighbor iBGP route-reflector-client
neighbor iBGP activate
R2/R3/R6/R7
router bgp 12345
address-family vpnv4
neighbor 123.1.1.1 activate
neighbor 123.1.1.1 send-community extended // default under vpnv4; entering it is optional
SW1/SW2
no ip igmp snooping // if the MPLS LDP neighbors do not come up, try this command; in the exam this command
R1-R7:
mpls ldp router-id loopback 0
interface range ethernet 0/1 -2
mpls ip
R4&R5
interface Ethernet0/0
mpls ip
R2/R3/R6/R7
no mpls ip propagate-ttl
3.2 MPLS VPN Part 2
The global and regional service providers have agreed to transport the ACME network
Complete the configuration of MPLS L3VPN in the ACME network according to the following requirements:
R2 and R3 must establish an EBGP peering with both global service providers (AS 10001 and
R6 must establish an EBGP peering with the regional service provider (AS 20001) for the
R7 must establish an EBGP peering with the regional service provider (AS 20002) for the
All IP addresses used for EBGP peerings must pass BGP's directly connected check.
No BGP speaker in AS 12345 may use the network or the redistribute statements under any
At the end of the exam scenario, the interface e0/0 of the gateway router in any remote site must be able to connect to the interface e0/0 of any other remote gateway that belongs to AS 65111, AS 65112 or AS 65222.
R13:
router bgp 65111
address-family ipv4 unicast
network 10.1.13.0 mask 255.255.255.0
R14:
router bgp 65111
address-family ipv4 unicast
network 10.1.14.0 mask 255.255.255.0
3.3 DMVPN
Use the preconfigured interface Tunnel0 on all three routers in order to accomplish this task
R18 and R19 must be the spoke routers and must participate in the NHRP information
exchange
Ensure that spoke-to-spoke traffic does not transit via the hub.
3.4 Encryption
Use AES encryption with the pre-shared key "CCIE" (without quotes).
All IPsec tunnels must be authenticated using the same IKE Phase 1 pre-shared key.
Use 1024 bits for the key exchange using the Diffie-Hellman algorithm.
Configure a single policy with priority 10. Configure IKE Phase 2 according to the following requirements:
Use the IPsec security protocol ESP and the algorithm AES with 128 bits.
Ensure that the DMVPN cloud is secured using the above parameters.
R17/R18/R19
crypto isakmp policy 10
encr aes
authentication pre-share
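The ISAKMP policy above is only the start: the pre-shared key, the Phase 2 transform set, the IPsec profile and the tunnel protection are still missing, and without them nothing on Tunnel0 is encrypted. The block below is an added example, not the workbook's own configuration, that carries the requirements of 3.3 and 3.4 through to a working, protected DMVPN on R17 (hub) and R18/R19 (spokes). The names TS-AES128 and DMVPN-PROF are assumptions, ip nhrp network-id is assumed to be part of the preconfigured Tunnel0 (so it appears only as a comment), and esp-sha-hmac is an editor's addition: the task mandates only ESP with AES-128, but ESP without an integrity algorithm is malleable and no practitioner should ship it that way.

```cisco
! --- Identical on R17, R18 and R19 ---
! IKE Phase 1: one policy, priority 10, AES (128-bit default), PSK, DH group 2 = 1024-bit MODP
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! Same PSK for every endpoint. The wildcard address is needed because the hub does not
! know the spokes' WAN addresses in advance (they register dynamically via NHRP).
crypto isakmp key CCIE address 0.0.0.0 0.0.0.0
!
! IKE Phase 2: ESP with AES-128. esp-sha-hmac is the editor's integrity addition
! (task 3.4 only says ESP/AES-128; drop it if the grader insists on esp-aes alone).
crypto ipsec transform-set TS-AES128 esp-aes esp-sha-hmac
 mode transport
! Transport mode is the usual DMVPN choice: the mGRE header already carries the
! outer addresses, so tunnel mode would only add a second IP header per packet.
!
crypto ipsec profile DMVPN-PROF
 set transform-set TS-AES128
!
! --- Hub R17 (Tunnel0 is preconfigured per 3.3; only the relevant lines are shown) ---
interface Tunnel0
 ! ip nhrp network-id 1    <- assumed to be present already in the preconfiguration
 ip nhrp map multicast dynamic
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spokes R18 and R19 (same on both) ---
interface Tunnel0
 ! ip nhrp network-id 1    <- assumed preconfigured; must match the hub
 ip nhrp nhs 10.18.19.17
 ip nhrp map 10.18.19.17 203.3.17.2
 ip nhrp map multicast 203.3.17.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! Verification on the hub: each spoke shows an IKE SA in QM_IDLE and a DMVPN entry in
! state UP. A ping from R18 to R19's tunnel address should then create a direct
! spoke-to-spoke IPsec SA (no R17 in the traceroute), because the EIGRP af-interface
! in 2.4 keeps the spoke next-hop with "no next-hop-self".
! show crypto isakmp sa
! show dmvpn detail
! show crypto ipsec sa | include peer|pkts
```

If Phase 1 stays in MM_NO_STATE on a spoke, the two usual causes are a PSK mismatch (the key is case-sensitive) and a DH group mismatch with a preconfigured policy on the other side; `debug crypto isakmp` on the hub names which.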
4.1 Device Security
Think about smart configuration options that can greatly speed up the time spent typing on the
All users who connect to R20 via the console port or via any VTY line using SSH must be prompted with the below message before any other prompt is displayed.
Do not include any extra spaces or any other characters than the ones shown above.
See section 5.1 for the solution!
4.2 Network Security
Ensure that interfaces E0/0, E0/1, E0/2 and E0/3 of SW3 forward traffic that was sent from
SW3 must dynamically learn only one MAC address per port and must save the MAC address
SW3 must shut down the port if a security violation occurs on any of these four ports.
SW3:
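The workbook leaves the SW3 configuration for this task empty. The block below is an added example, not the workbook's own answer, of how to meet the three requirements as stated: port security on the four ports, at most one dynamically learned MAC address, that address saved into the configuration (sticky), and a shutdown on violation. It assumes the four ports are access ports (port security is refused on a port left in DTP dynamic mode) and that errdisable recovery stays off, so a violated port remains down until an administrator re-enables it, as the task requires.

```cisco
SW3
! Port security is rejected on a port in "dynamic" (DTP) mode, so force access mode first.
interface range Ethernet0/0 - 3
 switchport mode access
 switchport port-security
 ! Exactly one secure address per port (1 is also the default; shown for clarity)
 switchport port-security maximum 1
 ! "sticky" copies the first dynamically learned MAC into the running configuration as a
 ! static secure address; "write memory" afterwards keeps it across a reload.
 switchport port-security mac-address sticky
 ! shutdown (the default action) err-disables the port and logs
 ! %PORT_SECURITY-2-PSECURE_VIOLATION; a second MAC on the wire, or a cable moved to
 ! another host, takes the port down until an admin does shutdown / no shutdown on it.
 switchport port-security violation shutdown
!
! Deliberately NOT configured, because the task demands manual re-enabling:
! errdisable recovery cause psecure-violation
!
! Verification
! show port-security interface Ethernet0/0   <- Port Status: Secure-up, Violation Mode: Shutdown
! show port-security address                 <- the sticky-learned MAC bound to each port
! show interfaces status err-disabled        <- lists a port that has been violated
```

One caveat worth knowing before the grading script runs: if a router behind one of these ports is rebooted with a different MAC (for example after a hardware swap in the lab), the sticky entry is now stale and the port will be shut down on the first frame. Clear it with `clear port-security sticky interface Ethernet0/x` before bouncing the port.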
5.1 System Management
R20 must accept up to five remote authorized users to connect at the same time using SSH.
Create the user "test" with the password "test" in the local database of R20.
R20 must produce a syslog message for all SSH connection attempts, regardless of whether it is permitted or denied.
When authenticated, the user "test" must be granted privilege level 1.
Ensure that SSH is the only remote access method that is permitted on the VTY lines of R20.
Ensure that the console is not affected by your solution and that no "username" prompt
Test your solution from any device that is located in AS 34567 and ensure that the following
R20:
banner login &
WARNING! ACCESS RESTRICTED!
&
line vty 0 4
login local
access-class 1 in
transport input ssh
line con 0 // it will warn that no password is set; ignore the warning
login
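The VTY block above points `access-class` at access-list 1, which elsewhere on this page is also R20's NAT inside-source list (section 5.2: permit 10.1.0.0/16 and 10.2.0.0/16). Sharing one numbered ACL between the management plane and NAT is a classic self-inflicted outage: editing it for NAT silently changes who may SSH in, and the AS 34567 loopbacks the task tests from would not even match those NAT entries. The block below is an added example, not the workbook's configuration, that completes the task with a dedicated named ACL, the SSH prerequisites the page omits (domain name, RSA key, version 2), and the login logging that yields a syslog line for every attempt. The ACL name SSH-MGMT, the domain name acme.example, the 2048-bit key size and the permitted source range 123.0.0.0/8 are assumptions; replace the range with the address of the AS 34567 device used for the test.

```cisco
R20
! Prerequisites the workbook leaves out: a domain name and an RSA key pair for the SSH server.
! The domain name is assumed; it only seeds the key label.
ip domain-name acme.example
crypto key generate rsa modulus 2048
! Refuse SSHv1 clients, bound the authentication phase, and log each SSH session event
! (%SSH-5-SSH2_SESSION / %SSH-5-SSH2_USERAUTH).
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh logging events
!
! Local user at privilege level 1. "secret" stores a hash rather than a reversible type-7
! string; from the login's point of view it behaves exactly like "password test".
username test privilege 1 secret test
!
! One syslog line per authentication attempt, whether it succeeds or fails
! (%SEC_LOGIN-5-LOGIN_SUCCESS and %SEC_LOGIN-4-LOGIN_FAILED).
login on-success log
login on-failure log
!
! Dedicated management-plane ACL. Do NOT reuse access-list 1, which section 5.2 uses as
! the NAT inside list on this same router. The permitted range is an assumption.
! "log" on the deny makes every refused connection attempt visible in the syslog as well.
ip access-list standard SSH-MGMT
 permit 123.0.0.0 0.255.255.255 log
 deny   any log
!
! Five simultaneous sessions = VTY 0 through 4; SSH is the only accepted transport.
line vty 0 4
 access-class SSH-MGMT in
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verification from a router in AS 34567, sourcing from Lo0 so the session matches the ACL:
! ssh -l test 123.20.20.20
! On R20: "show users" lists the sessions, "show ip ssh" confirms version 2 and the
! timeout/retry values, "show logging | include SSH|LOGIN|IPACCESS" shows one line per attempt.
```

Note that `login on-failure log` and `login on-success log` do not need AAA; they belong to the IOS login enhancements and work with `login local`. The console (`line con 0`) is left exactly as the workbook has it, so the banner still appears there without a username prompt.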
5.2 Network Services
Refer to "Diagram 1: Main Topology". Configure the ACME network as per the following requirement.
R20 must enable all private corporate traffic that is originated from any host with source
All remote sites in AS 65111 and AS 65222 must be able to connect to these public destinations.
R20 must swap the source IP address in these packets with the IP address of its interface Lo0.
The following tests must succeed after the above requirements (in addition to the previous
R20
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 1 permit 10.1.0.0 0.0.255.255
ip nat inside source list 1 interface loopback 0 overload
interface Ethernet0/0
ip nat inside
interface Ethernet1/0
ip nat inside
interface Ethernet2/0.12
ip nat inside
interface Ethernet2/0.13
ip nat inside
interface Ethernet2/0.14
ip nat inside
interface Ethernet2/0.15
ip nat inside
// ip nat outside must also be applied on the SP-facing interface(s) of R20, which the workbook does not show
5.3 Network Optimization
The output that is shown below must be seen on R17 during 10 seconds after R15
R17
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 10000 // milliseconds, i.e. 10 seconds
// NetFlow must also be enabled on the ingress interface (ip flow ingress), otherwise the top-talkers cache stays empty
5.4 Network Services
R10 and R12 must synchronise their clock to SW3 using NTPv4 for IPv6.
SW3 must not capture or use any time information that is sent by R12 and R14.
All NTP traffic must be sourced from and destined to the interface Lo0 of the corresponding devices.
SW3
ntp master
ntp source Loopback0
interface loopback 0
ntp disable ip
R10/R12
ntp server 2001:CC1E:BEF:0:123:33:33:33 source loopback0
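Disabling IPv4 NTP on Lo0 (above) does stop R12 and R14 from feeding SW3 over IPv4, but it is a blunt instrument: it also drops any future legitimate IPv4 client, and it does nothing if either router ever sends NTP over IPv6. The block below is an added example, not the workbook's answer, that states the same intent as an explicit NTP policy on SW3: serve time to exactly the two IPv6 clients, accept time from nobody, and authenticate the associations so a rogue server on the segment cannot step R10's or R12's clock. The R10/R12 loopback IPv6 addresses (following the page's 2001:CC1E:BEF:0:123:n:n:n pattern), the ACL names and the key value are assumptions; the SW3 loopback address is the one used on the page.

```cisco
SW3
! SW3 is the authoritative source and must never adopt time from anyone. "peer" is the only
! access class that lets the sender synchronise SW3, so bind IPv4 to an ACL that matches
! nobody. Once any IPv4 group exists, every other IPv4 NTP access is denied too, which
! also covers R12/R14 client requests over IPv4.
ip access-list standard NTP-NOBODY-V4
 deny any
ntp access-group ipv4 peer NTP-NOBODY-V4
!
! Over IPv6, answer client (serve-only) requests from the two permitted loopbacks only.
! No IPv6 "peer" group is defined, so no IPv6 sender can synchronise SW3 either.
! Addresses are assumed; adjust them to the exam environment.
ipv6 access-list NTP-CLIENTS-V6
 permit ipv6 host 2001:CC1E:BEF:0:123:10:10:10 any
 permit ipv6 host 2001:CC1E:BEF:0:123:12:12:12 any
ntp access-group ipv6 serve-only NTP-CLIENTS-V6
!
! Key used to sign the replies (key ID and value are assumptions); the server side only
! needs the key itself, the clients decide whether to require it.
ntp authentication-key 1 md5 CCIEntp
ntp master
ntp source Loopback0
!
R10/R12
! Require authenticated replies: a packet signed with anything but trusted key 1 is discarded,
! so a spoofed server on the segment cannot move the clock.
ntp authenticate
ntp authentication-key 1 md5 CCIEntp
ntp trusted-key 1
ntp server 2001:CC1E:BEF:0:123:33:33:33 key 1 source Loopback0
!
! Verification
! R10# show ntp associations detail   <- "configured, authenticated, our_master, sane, valid"
! R10# show ntp status                <- "Clock is synchronized, stratum 9, reference is ..."
! SW3# show ntp status                <- stratum 8 (ntp master default), "reference is 127.127.1.1"
! R14# show ntp associations          <- its association to SW3 stays unsynchronised (no reply)
```

The order of evaluation for NTP access groups is peer, then serve, then serve-only, then query-only, and the first matching class wins; keep that in mind if a later task adds an IPv4 `serve` group, because it would then take precedence over the deny-all peer entry for the matching sources.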