www.cciereallab.net
Update 2015-01-09
Configure the network of the New York office (AS 34567) as per the following
requirements:
The VTP domain must be set to "CCIE" (without quotes)
1.3 spanning-tree
Configure EIGRP for IPv4 in the New York office (AS 34567) according to the
following requirements:
Use EIGRP autonomous system 34567
The interface Lo0 on each router must be seen as an internal EIGRP prefix by all other
routers
Ensure that EIGRP is not running on any interface that faces another AS; use any
method to accomplish this requirement
Using a single command on one switch only, ensure that R8 installs two equal-cost routes
for the following three paths:
vlan 411
Using a single command on one switch only, ensure that R9 installs two equal-cost routes
for the following three paths:
vlan 310
interface Lo0 at SW3
interface Lo0 at R10
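The following is an added example for the EIGRP requirements above; it is not part of the workbook. It shows the two points a grader checks most often: Lo0 advertised as an internal prefix (a network statement, not redistribution), and no EIGRP on the AS-facing link (passive-interface default, then re-enable only the inside links). The Lo0 address 10.34.1.1, the inside interface Ethernet0/0 and the AS-facing interface Ethernet0/1 are assumptions; the equal-cost item for R8/R9 depends on metrics only visible on the lab diagram and is not shown.

```cisco
! Added example, not the workbook's configuration. Addresses and interface
! roles (Lo0 = 10.34.1.1/32, e0/0 inside the office, e0/1 facing another AS)
! are hypothetical.
router eigrp 34567
 ! Lo0 is matched by a network statement, so every other router sees it as
 ! an internal prefix ("D"), not an external one ("D EX") as it would with
 ! redistribute connected.
 network 10.34.1.1 0.0.0.0
 network 10.34.0.0 0.0.255.255
 ! No hellos and no adjacencies anywhere by default; re-enable only the
 ! inside link. A passive interface's prefix is still advertised, which is
 ! what we want for Lo0, while e0/1 sends and receives no EIGRP at all.
 passive-interface default
 no passive-interface Ethernet0/0
 no auto-summary
!
! Verification (exec mode):
!   show ip eigrp interfaces   -> e0/1 must not be listed
!   show ip route eigrp        -> remote Lo0 prefixes appear as "D", not "D EX"
```

An interface that is merely passive still has its subnet advertised and still answers "show ip eigrp interfaces" as absent, so the passive approach satisfies "not running on any interface that faces another AS" without touching the network statements.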
Configure EBGP between ACME's San Francisco and San Jose sites according to the
following requirements:
R20 is the CE router and uses EBGP to connect to the managed services that are
provided by the PE routers R2 and R3
R20 must establish separate EBGP peerings with both R2 and R3 for every VRF
R20 must advertise the following prefixes to all of its BGP peers:
123.0.0.0/8 summary-only
10.0.0.0/8 summary-only
R20 must advertise a default route to all of its BGP peers except 10.120.99.1 and
10.120.99.5
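An added example (not from the workbook) of the R20 advertisement requirements. The two excluded neighbours are the ones the task names; R20's own AS number (65112, the San Jose AS mentioned elsewhere on the page), the PE AS (12345) and the two further peer addresses 10.120.99.9 and 10.120.99.13 are assumptions.

```cisco
! Added example, not the workbook's configuration. AS numbers and the
! non-excluded peer addresses are hypothetical.
router bgp 65112
 ! An aggregate is only generated while at least one more-specific
 ! contributing route (for example a 10.x.x.x/24) is present in the BGP
 ! table; "summary-only" suppresses those specifics so peers receive the /8 only.
 aggregate-address 123.0.0.0 255.0.0.0 summary-only
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 neighbor 10.120.99.1 remote-as 12345
 neighbor 10.120.99.5 remote-as 12345
 neighbor 10.120.99.9 remote-as 12345
 neighbor 10.120.99.13 remote-as 12345
 ! default-originate is a per-neighbor setting and does not need a default
 ! route in the RIB, so the two excluded peers are simply left without it.
 neighbor 10.120.99.9 default-originate
 neighbor 10.120.99.13 default-originate
!
! Verification (exec mode):
!   show ip bgp neighbors 10.120.99.9 advertised-routes   -> 0.0.0.0/0 present
!   show ip bgp neighbors 10.120.99.1 advertised-routes   -> no 0.0.0.0/0
!   show ip bgp 10.0.0.0/8                                -> aggregate, specifics "s"
```

Check the suppressed specifics in "show ip bgp": they are marked "s" locally, and if the /8 is missing altogether the cause is almost always that no contributing route exists yet.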
Configure OSPFv3 in the ACME New York office as per the following requirements:
Set the OSPF process ID to 1 and set the router-id to the interface Lo0 address on all
OSPFv3 devices.
Do not enable OSPFv3 on any interface other than the interfaces that are indicated
on Diagram 5.
Place the interfaces in the OSPFv3 areas as indicated on the diagram. Do not create
any new area. Do not forget the Lo0 interfaces.
SW4 must be selected as the designated router on VLAN 34 and must have the best
chance of winning the election
SW3 must be selected as the backup designated router on VLAN 34 and must take over
as the designated router if SW4 is down
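An added example (not from the workbook) for the OSPFv3 DR/BDR requirement on VLAN 34. The Lo0 addresses used as router-ids (10.34.0.4 for SW4, 10.34.0.3 for SW3) and the use of area 0 are assumptions; the real areas come from the lab diagram.

```cisco
! Added example, not the workbook's configuration. Router-ids and area
! numbers are hypothetical; IPv6 addressing on the interfaces is assumed
! to be preconfigured.
!
! --- SW4 ---
ipv6 unicast-routing
ipv6 router ospf 1
 router-id 10.34.0.4
!
interface Loopback0
 ipv6 ospf 1 area 0
!
interface Vlan34
 ! 255 is the highest possible priority, so SW4 wins any election it takes part in.
 ipv6 ospf priority 255
 ipv6 ospf 1 area 0
!
! --- SW3 ---
ipv6 unicast-routing
ipv6 router ospf 1
 router-id 10.34.0.3
!
interface Loopback0
 ipv6 ospf 1 area 0
!
interface Vlan34
 ! Second-highest priority makes SW3 the BDR. When the DR disappears the BDR
 ! is promoted immediately without a fresh election, which is exactly the
 ! "must take over" requirement.
 ipv6 ospf priority 254
 ipv6 ospf 1 area 0
!
! Verification (exec mode):
!   show ipv6 ospf interface vlan 34   -> State DR on SW4, BDR on SW3
!   show ipv6 ospf neighbor            -> FULL/DR and FULL/BDR as expected
```

DR and BDR roles are not pre-empted: if another switch was already elected before the priorities were set, bounce the VLAN 34 interfaces (or "clear ipv6 ospf process") so the election runs again with the new values.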
Assume that a streaming server is connected in VLAN 5 on SW5 and that receivers are
located at the DMVPN spokes behind R18 and R19
The ACME Headquarters network (AS 12345) uses MPLS L3VPN in order to
clearly separate the remote site networks.
The ACME corporate security policies are centralized and enforced at the San Jose
site (AS 65112) for all remote sites. The policies require that all traffic that is
originated from any remote site (with the exception of the New York office)
The global and regional service providers have agreed to transport the ACME VPNs
via PE-to-PE EBGP peerings that are already fully preconfigured
Complete the configuration of MPLS L3VPN in the ACME network according to the
following requirements:
R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345
R2 and R3 must establish an EBGP peering with both global service providers (AS
10001 and AS 10002) for the following VRFs:
GREEN
BLUE
RED
YELLOW
INET
site must be able to connect to the interface E0/0 of any other remote gateway that belongs
to AS 65111 or AS 65222
Use the following tests as examples of connectivity checks:
R12#ping 10.2.19.1 so e0/0
R12#traceroute 10.2.19.1 so e0/0 (10 hops)
3.3 DMVPN
Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and AS 65222) as
per the following requirements:
Use the preconfigured interface Tunnel0 on all three routers in order to accomplish this
task
R17 must be configured as the hub router
R18 and R19 must be the spoke routers and must participate in the NHRP information
exchange
Disable the sending of ICMP redirect messages on all three Tunnel0 interfaces
Configure the following parameters on all three Tunnel0 interfaces:
configure the bandwidth to 1000 kbps
configure the delay to 10000 usec
adjust the IP MTU to 1400 bytes
adjust the TCP MSS to 1360 bytes
Authenticate NHRP using the string 45678key
Use NHRP network-id 45678
Configure the NHRP hold time to 5 minutes
Ensure that spoke-to-spoke traffic does not transit via the hub
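An added example (not from the workbook) that applies the DMVPN phase 3 requirements above to the hub and one spoke. The tunnel subnet 172.16.0.0/24 (R17 = .17, R18 = .18, R19 = .19), the hub's NBMA address 123.17.17.17 and Ethernet0/0 as tunnel source are assumptions; on the real lab the preconfigured Tunnel0 already carries its addresses and source.

```cisco
! Added example, not the workbook's configuration. Tunnel addresses, the hub
! NBMA address and the tunnel source interface are hypothetical.
!
! --- R17 (hub) ---
interface Tunnel0
 ip address 172.16.0.17 255.255.255.0
 no ip redirects
 ! bandwidth is entered in kbps
 bandwidth 1000
 ! IOS "delay" is entered in TENS of microseconds: 1000 -> 10000 usec
 delay 1000
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication 45678key
 ip nhrp map multicast dynamic
 ip nhrp network-id 45678
 ! holdtime is in seconds: 5 minutes -> 300
 ip nhrp holdtime 300
 ! Phase 3: the hub answers spoke-to-spoke traffic with an NHRP redirect
 ! instead of silently relaying it forever.
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
! --- R18 (spoke; R19 is identical apart from its tunnel address) ---
interface Tunnel0
 ip address 172.16.0.18 255.255.255.0
 no ip redirects
 bandwidth 1000
 delay 1000
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication 45678key
 ! Static mapping of the hub's tunnel address to its NBMA address, plus
 ! multicast to the hub so routing protocol hellos reach it.
 ip nhrp map 172.16.0.17 123.17.17.17
 ip nhrp map multicast 123.17.17.17
 ip nhrp network-id 45678
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.17
 ! Phase 3: install the shortcut route the hub's redirect points at, so the
 ! next packet to the other spoke leaves directly, not via R17.
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
! Verification (exec mode):
!   show dmvpn          -> hub shows both spokes "UP", spokes show the hub as NHS
!   show ip nhrp        -> after a spoke-to-spoke ping, a second entry with the
!                          remote spoke's NBMA address and the "H" (shortcut) flag
!   traceroute <other spoke tunnel IP> from a spoke -> 172.16.0.17 must not appear
```

Two things are easy to miss in this task: the delay unit (a literal "delay 10000" would be 100 ms, ten times what was asked), and the fact that "ip nhrp redirect" on the hub and "ip nhrp shortcut" on the spokes are both needed; either one alone leaves spoke-to-spoke traffic transiting the hub.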
3.4 Encryption
Secure the DMVPN tunnel with IPsec according to the following requirements:
Configure IKE Phase 1 according to the following requirements:
Use AES encryption with the pre-shared key "CCIE" (without quotes)
The key must appear in plain text in the configuration
All IPsec tunnels must be authenticated using the same IKE Phase 1 pre-shared
key
Use 1024 bits for the key exchange using the Diffie-Hellman algorithm
Configure a single policy with priority 10
Configure IKE Phase 2 according to the following requirements:
Use CCIEXFORM as the transform-set name.
Use DMVPNPROFILE as the IPsec profile name.
Use IPsec in transport mode.
Use the IPsec security protocol ESP and the algorithm AES with 128 bits.
Ensure that the DMVPN cloud is secured using the above parameters.
Use tunnel protection in your configuration.
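An added example (not from the workbook) that implements the IKE phase 1 and phase 2 requirements above on the DMVPN routers; the same lines go on R17, R18 and R19. Nothing beyond the names and values in the task is assumed, except that the routers are not using type-6 key encryption.

```cisco
! Added example, not the workbook's configuration. Apply on all three
! DMVPN routers (R17, R18, R19).
!
! IKE phase 1: a single policy with priority 10. "encryption aes" is AES-128,
! "group 2" is the 1024-bit Diffie-Hellman group, and "authentication pre-share"
! has to be stated because the IOS default is RSA signatures.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! One wildcard key for every hub/spoke pairing. The leading "0" means the key
! is stored unencrypted, so it appears as plain text in the configuration as
! required. (If type-6 encryption were enabled with "password encryption aes"
! plus "key config-key password-encrypt", the key would no longer be readable.)
crypto isakmp key 0 CCIE address 0.0.0.0 0.0.0.0
!
! IKE phase 2: ESP with AES-128 in transport mode. GRE already provides an
! outer IP header, so tunnel mode would only add bytes to every packet.
crypto ipsec transform-set CCIEXFORM esp-aes
 mode transport
!
crypto ipsec profile DMVPNPROFILE
 set transform-set CCIEXFORM
!
interface Tunnel0
 tunnel protection ipsec profile DMVPNPROFILE
!
! Verification (exec mode):
!   show crypto isakmp sa    -> one QM_IDLE entry per peer
!   show crypto ipsec sa     -> "in use settings = {Transport, }", ESP-AES
!   show dmvpn               -> spokes register only after the SAs come up
```

Once "tunnel protection" is applied, NHRP registration from the spokes is held until IKE completes, so a spoke that never appears in "show dmvpn" on the hub is usually an IKE mismatch (check the policy, the key and that both sides have "authentication pre-share"), not an NHRP problem. The parameters here are what the lab asks for; outside a lab, a four-character shared key and the 1024-bit group 2 are far below current practice, and a production DMVPN would use a long random key with group 14 or stronger.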
Configure R20 in the ACME San Jose office as per the following requirements:
All users who connect to R20 via the console port or via any VTY line using SSH must
be prompted with the below message before any other prompt is displayed.
WARNING! ACCESS RESTRICTED
Do not include any extra spaces or any other characters as the ones shown above.
Configure the ACME New York office as per the following requirements:
Ensure that interfaces E0/0, E0/1, E0/2 and E0/3 of SW3 forward only traffic that is sent
from expected and legitimate hosts and servers.
SW3 must dynamically learn only one MAC address per port and must save the MAC
address in its startup configuration.
SW3 must shut down the port if a security violation occurs on any of these four ports.
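An added example (not from the workbook) of the port security configuration the three SW3 requirements describe. The only assumption is that the four ports are access ports; port security is refused on a port still in dynamic (DTP) mode, so the mode is set explicitly.

```cisco
! Added example, not the workbook's configuration. Access mode is an
! assumption; the task does not state the ports' VLAN membership.
interface range Ethernet0/0 - 3
 switchport mode access
 switchport port-security
 ! Exactly one address per port. "sticky" turns the first dynamically
 ! learned MAC into a static port-security entry in the running configuration,
 ! so it survives a link flap and can be saved.
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! On a second MAC address the port goes err-disabled (this is the default
 ! action; it is stated so the intent is visible in the configuration).
 switchport port-security violation shutdown
!
! Verification and the step that is part of the requirement (exec mode):
!   show port-security address          -> one "SecureSticky" entry per port,
!                                          present only after the host has sent a frame
!   show port-security interface e0/0   -> Port Security: Enabled, Max 1, Violation Shutdown
!   copy running-config startup-config  -> sticky entries exist only in the running
!                                          configuration until this is done
```

Save only after every port shows its sticky address; a port whose host has not yet transmitted has nothing to save. A port that does go err-disabled stays down until "shutdown" / "no shutdown" on the interface, or until "errdisable recovery cause psecure-violation" is configured globally.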
Configure R20 in the ACME San Jose office as per the following requirements:
Enable SSH access in R20 using the domain name "acme.org".
Create the user "test" with the password "test" in the local database of R20.
Ensure that R20 accepts SSH connections from clients with a source IP address in
123.10.2.0/24. All other source IP addresses must be denied. Use a standard access-list to
configure this requirement.
R20 must generate a syslog message for all SSH connection attempts regardless of
whether it is permitted or denied.
When authenticated, the user "test" must be granted privilege level 1
Do not enable the aaa new-model command in R20.
Ensure that SSH is the only remote access method that is permitted on VTY lines of
R20.
Ensure that the console is not affected by your solution and that no "username" prompt
is presented on the console port.
Test your solution from any device that is located in AS 34567 and ensure that the
following sequence of commands produces the same output:
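An added example (not from the workbook) that covers both R20 access tasks on this page: the login banner that must appear before any other prompt on the console and on SSH, and the SSH-only VTY access restricted by a standard ACL with a local user and no AAA. It assumes the hostname is already R20, that the router has the default five VTY lines (0 to 4), and a 2048-bit RSA key; none of these are given in the task.

```cisco
! Added example, not the workbook's configuration. Hostname, VTY count
! and RSA key size are assumptions.
hostname R20
ip domain-name acme.org
! The RSA keypair is what turns the SSH server on; it needs hostname and
! domain-name to exist first.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local user. Privilege 1 is the default, stated so the requirement is visible.
! "secret" stores a hash; "password test" would also satisfy the wording but
! keeps a reversible type-7 string in the configuration.
username test privilege 1 secret test
!
! Standard ACL for the VTY lines. The "log" keyword on BOTH entries produces a
! syslog message for every connection attempt, permitted or denied.
access-list 1 permit 123.10.2.0 0.0.0.255 log
access-list 1 deny   any log
!
! Login banner on one line. Typing the text between the delimiters on the same
! line avoids the leading and trailing newline that a multi-line banner adds,
! which is what "no extra characters" is checking for. "banner login" is shown
! on the console and, with SSHv2, sent to the SSH client before authentication.
banner login ^CWARNING! ACCESS RESTRICTED^C
!
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
!
! The console is deliberately left untouched: no "login local" there, so it
! shows the banner and goes straight to the exec prompt with no username prompt.
!
! Verification (exec mode):
!   show ip ssh                        -> SSH Enabled - version 2.0
!   show running-config | section vty  -> access-class 1 in, login local, transport input ssh
!   show logging                       -> %SEC-6-IPACCESSLOG... lines for both permitted and denied sources
```

Test from a host in 123.10.2.0/24 and from one outside it: the first sees the banner and then the password prompt, the second is refused, and both produce a syslog line because of the "log" keyword. If the router has more than five VTY lines, apply the same three commands to the remaining lines as well, otherwise a Telnet session could still land on an unrestricted line.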
Ping from R15 to 123.19.19.19 and, while the ping is running (10 seconds), display the top talkers on R17:

R15#ping 123.19.19.19
!!!!!

R17#sh ip flow top
SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr  SrcP  DstP  Bytes
e0/1   123.20.1.9    Tu0*   123.19.19.19  01  0000  0800  500
1 of 10 top talkers shown. 1 flows processed.