
CCIE RNS v4.0 - Question - Configuration - Lab 2.2 - Final Release - 25-Jul-2017

The document provides guidelines and requirements for configuring access ports on switches in Jameson's datacenter network. Key points include:
- Configure unused ports in VLAN 999 and shut them down based on the port mapping table
- Enable features on access ports for immediate forwarding on link up without BPDUs, and shutdown on BPDU receipt with syslog/trap
- Ensure switches can ping each other's management VLAN IP addresses
- Limit SW5 and SW6 layer 3 interfaces to loopback and management VLAN due to low processing power
- Configure layer 3 interfaces on SW3 and SW4 for all local and access VLANs as specified

Uploaded by Saqib Mulla

www.passrnslabs.com FINAL RELEASE Lab 1:25-JUL-2017

QUESTION SET
V4.0
LAB 2


!!!!! Important: read the following guidelines before starting the section !!!!!
- This section comprises a set of configuration tasks to be completed within 5.30 hours.
- The final score of this section is combined with the troubleshooting section to determine your final pass or fail status on the CCIE lab exam.
- A candidate is required to pass both sections of the Cisco CCIE certification.

1. Read all questions in each section before proceeding with any configuration.
2. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you complete the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.
3. Knowledge of implementation and troubleshooting techniques is part of the skills tested in the configuration section of the lab exam.
4. If you suspect that there may be a hardware problem with your equipment, contact the lab proctor immediately.
5. Points are awarded for working configuration only. Test the functionality of all of the requirements before you complete your exam. As you configure one part of the exam you may break a previous requirement or configuration.
6. No partial points can be granted for any question. All requirements need to be fulfilled in order to receive the points for the question. Some requirements depend on other questions, either before or after the current question.
7. You will be presented with pre-configured routers and switches. Do not change the following configuration on the devices:
   - Hostname
   - Enable password “cisco”
   - Console line configuration
8. In any configuration where additional addressing may be necessary, use only the major network as displayed in diagram 1. Ensure that it does not conflict with a network that is already used in your network.
9. Unicast or multicast static and default routes are not permitted unless permission to use them is directly stated in a specific question. This restriction includes floating static routes and those routes that were generated by a routing protocol. Routes to Null 0 that are generated as a result of a dynamic routing protocol solution are permitted.
10. Save your configuration frequently.
11. Doc CD: you have access to http://www.cisco.com/ciscoweb/pass. All configuration guides and master indexes are there.
12. Tools: notepad and calculator are available.

This CCIE lab scenario is only for applicants; please do not publish it on the internet or anywhere else.

TOPOLOGY

Section 1 – Layer 2 Technologies

1.1 Jameson’s Datacenter : Access ports


Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Table 1: Jameson’s VLAN to Port Mapping”.

Jameson’s datacenter has been pre-configured. Some other configuration was already started, but it is your responsibility to verify and complete it.

Configure all four switches in Jameson’s datacenter network (AS 65002) as per the following requirements:
- All unused ports must be configured in VLAN 999 and administratively shut down. Refer to “Table 1: Jameson’s VLAN to Port Mapping” to figure out which ports are used and unused. Datacenter switches are in transparent mode and the VTP version should be 2.
- Access ports must immediately transition to the forwarding state upon link up, as long as they do not receive a BPDU. Use a unique command per switch to enable this feature.
- If an access port receives a BPDU, it must automatically shut down and generate a syslog message and an SNMP trap. Use a unique command per switch to enable this feature.
- Ports that were shut down must always rely on manual intervention to recover.
- VLAN 911 (10.2.100.x/24) will be used as the management VLAN in Jameson’s datacenter. Ensure that all datacenter switches are able to ping each other’s IP address in the management VLAN.
- SW5 and SW6 are low-end access switches and they do not have much processing power. Ensure that their only Layer 3 interfaces are Loopback0 and VLAN 911.
- SW3 and SW4 are robust and powerful distribution switches. Ensure that they maintain a Layer 3 interface for all local VLANs as well as all access VLANs, as specified in “Table 1: Jameson’s VLAN to Port Mapping”.

Table 1 : Jameson's VLAN to Port Mapping


Sr.no  VLAN  SWITCH              PORT                    SVI
1      100   SW1, SW2            E1/0-3                  SW1, SW2
2      100   SW3, SW4            -                       SW3, SW4
3      100   SW5, SW6            E0/2-3                  -
4      101   SW1                 E0/0-1                  SW1
       101   SW2                 E0/0-1                  SW2
       153   SW3                 E0/2                    SW3
5      156   SW3, SW4            E0/3                    -
6      164   SW4                 E0/2                    SW4
7      173   SW3                 -                       SW3
8      173   SW5                 E0/1                    -
9      184   SW4                 -                       SW4
10     184   SW6                 E1/0                    -
11     911   SW3, SW4, SW5, SW6  -                       SW3, SW4, SW5, SW6
12     999   SW1, SW2            E0/2-3, E2/0-3          -
13     999   SW3, SW4            E0/0-1, E2/0-3          -
14     999   SW5                 E0/0, E1/0-1, E2/0-3    -
15     999   SW6                 E0/0, E1/1, E2/0-3      -

Pre-Configurations :

1) SW1 and SW2 are configured with VLANs 100, 101, 999
   VLAN 100 - Metro (PC), VLAN 911 - Management VLAN, VLAN 999 - unused
2) SW3, SW4, SW5 & SW6 are configured with VLANs 34, 100, 153, 156, 164, 1732, 184, 911, 999
3) Trunks are pre-configured on all switches. (Always check)
4) There are SVI VLANs configured, but they may be in shutdown state.
5) In the real exam port numbers may be different, so please refer to the physical topology and use the “show cdp neighbor” command.

1.2 Jameson’s Datacenter: Trunk ports

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Table 1: Jameson’s VLAN to Port Mapping”.

Configure Jameson’s datacenter network (AS 65002) as per the following requirements:
- All inter-switch links must be configured to use 4 byte tag encapsulation.
- Ensure that no switch attempts to negotiate the trunk parameters.
- Ensure that all four switches send and receive untagged frames on VLAN 1.
- All four switches must maintain exactly three instances of spanning-tree.
- Instance 1 VLANs: 1, 34, 100, 101, 153, 156
- Instance 2 VLANs: 164, 173, 184, 911, 999
- Switch 3 must be root bridge for instance 2 and Switch 4 root bridge for instance 1, and they must have the best chance of maintaining their respective role even if any new normal-range VLAN were to be added in the future.
- Configure SW4 so that interface e1/1 of SW3 is forwarding traffic for VLAN 34 and interface e2/0 blocks traffic for VLAN 34.

1.2 Jameson’s Datacenter: Link bundling

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.


Configure Jameson’s datacenter network as per the following requirements:
- All four switches must bundle their trunk ports so that they maintain a single Layer 2 link between distribution and access switches.
- Ensure that all four switches use a Cisco proprietary protocol to negotiate which port should become active in the bundle.
- Access switches SW5 and SW6 must initiate the link bundling negotiation, and distribution switches SW3 and SW4 will only respond to the negotiation; they should not initiate it.
- The distribution switches SW3 and SW4 must balance traffic between all members of the bundle based on source and destination IP addresses.
- The access switches SW5 and SW6 must balance the incoming traffic (that is originated from servers) between all members of the link bundle based on the server’s MAC address.

1.3 Jameson’s Branch Offices

Configure interface Ethernet0/0 in Jameson’s branch routers R19, R20 and R21 as per the following requirements:
- The Ethernet WAN links must rely on a Layer 2 protocol that supports link negotiation and authentication.
- The service provider expects that the branch routers complete a three-way handshake by providing the expected response to a challenge that is sent by R49.
- R19 must use the username “Jamesons-R19” and password “CCIE” (without quotes).
- R20 must use the username “Jamesons-R20” and password “CCIE” (without quotes).
- R21 must use the username “Jamesons-R21” and password “CCIE” (without quotes).
- The interface Eth0/0 of all three routers must receive an IP address from R49.
- Ensure that all three routers can ping the IP address of each other’s interface Eth0/0.
- You are not allowed to configure any static route in each branch router to achieve the previous requirement.

Section 2 – Layer 3 Technologies

2.1 Jameson’s IGP - Part 1


Refer to “Diagram 2: Initial Topology”

The configuration was already started. It is your responsibility to complete and verify all requirements.
Configure Jameson’s network (AS 65001 and 65002) according to the following requirements:
- Ensure that all routers use their interface Lo0 as OSPF router-id.
- Ensure that OSPF is not running on any interface that is facing another BGP AS.
- SW5 and SW6 must not participate in OSPF at all.
- Do not use the “network” statement under the “router ospf” configuration anywhere in the datacenter network (AS 65002).
- Ensure that OSPF Type-2 LSAs do not appear anywhere in the datacenter network.
- Use OSPF process-id 1 in all of Jameson’s network.
- Do not change the default OSPF cost of any interface anywhere.
- SW3 and SW4 must not establish neighborship on VLAN 100, 911, 101 but they should advertise them.
- Ensure that R1, SW1 and SW2 are elected as the designated router on all their interfaces, and that they have the best chances of maintaining that role as long as their interfaces are up.
- Ensure that R2 is elected the Backup Designated router on all of its interfaces, and that it has the best chances of maintaining that role as long as its interfaces are up.

Note: R17 tunnel 0, loopback 0 and E0/1 are in vrf Corp

2.2 Jameson’s IGP - Part 2

Refer to “Diagram 2: Initial Topology”


Configure Jameson’s branch network according to the following requirements:
- R17 must propagate a default route in its OSPF domain, but only if it already has a default route in its routing table. You are allowed to add a single static route to achieve this requirement.
- Do not redistribute BGP into OSPF and vice versa on R17.
- Each branch router must establish an OSPF adjacency with R17 and must receive a default route via OSPF. They may receive LSA type 3 from the ABR.
- Each branch router must install the prefix 10.2.0.0/16 in their routing table as an OSPF LSA Type-3.
- Each branch router must advertise their interfaces Lo0 and Eth0/1 into OSPF.
- None of the branch routers may attempt to elect a Designated Router on their Tunnel0 interface.
- Do not use the network statement anywhere in area 51 under OSPF.

Note: In R17 e0/1, tunnel 0, loopback 0 are in vrf Corp. On R19, R20 and R21, loopback 0, e0/1 and tunnel 0 are in vrf Corp

2.3 Jacob’s IGP

Refer to “Diagram 2: Initial Topology”.


Jacob’s network is partly preconfigured. It is your responsibility to verify and complete it.

Configure EIGRP for IPv4 in Jacob’s core network (AS65006) according to the following requirements:
- All EIGRP routers must support 64-bit metric calculations and Routing Information Base (RIB) scaling in EIGRP topologies.
- The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers in their local domain.
- Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this requirement.
- Jacob’s core network must use the EIGRP autonomous system number 1.
- R52 must inject its interface Lo52 into EIGRP as an external prefix.
- Do not change the preconfigured bandwidth on interface loopback 52.
- Do not configure any metric with the redistribution command.

The following output must be seen on R50:

2.4 Jameson’s Pre-merge Part 1

Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Pre-merge Topology”.

Jameson’s decided to enable MPLS VPN in their network.

Configure Jameson’s network as per the following requirements:
- R11, R12, R13 and R14 must redistribute OSPF into BGP and they must advertise a default route into their respective OSPF domain. They may not redistribute BGP into OSPF.
- R15 and R16 must mutually redistribute OSPF and BGP.
- R11, R12, R13 and R14 must advertise only four prefixes via eBGP to Jameson’s core network as follows:
  - R11 and R12 must advertise 10.1.0.0/16, 10.255.1.11/32, 10.255.1.12/32 and 10.255.1.101/32;
  - R13 and R14 must advertise 10.3.0.0/16, 10.255.1.13/32, 10.255.1.14/32 and 10.255.1.102/32;
- R1 must reflect IPv4 BGP prefixes to all core routers except R2. All internal BGP peerings must be established using interface Lo0.
- Ensure that each Jameson’s site receives BGP prefixes from other sites.

An output very similar to the one shown below must be seen on R11, R12, R13 and R14 (only the next-hop, version and update-group may differ).

NOTE:
- R3 and R4 are configured with vrf DC, whereas R5, R6, R7 and R8 are configured with vrf Corp

2.5 Jameson’s Pre-merge Part 2

Configure Jameson’s network as per following requirements:


- Ensure that any prefix that originated in any of these main sites is not advertised back to the same site via the redundant gateway.
- The configuration must equally apply to any future prefixes that may be advertised by any site.
- R15 and R16 must advertise their OSPF default route to their PE.

2.6 Merge Phase 1: BGP

Refer to the “Overall Scenario” and “Diagram 5: Merge Phase 1”.


Jameson’s and Jacob’s started the first phase of their merge and added a new border router in their respective main site (R18 and R57).

Configure the network as per the following requirements:
- Interface Lo0 of both R18 and R57 must be added into their respective IGP domain.
- Interface Eth0/1 of both R18 and R57 must peer with its connected IGP neighbor.
- Both R18 and R57 must advertise a summary prefix via eBGP to each other as follows:
  - R18 advertises 10.0.0.0/8 summary-only
  - R57 advertises 172.0.0.0/8 summary-only
- Both R18 and R57 must propagate the received summary prefix into their respective IGP domain.
- Ensure that Jacob’s CE (R55 and R56) don’t propagate 172.0.0.0/8 prefix to Jacob’s Corp VPN.

2.7 Merge Phase 2 : IGP

Refer to “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”.


Jameson’s and Jacob’s are entering the second phase of the merge and have deployed two new border routers in their respective core network.

Configure the core networks as per the following requirements:
- R9 and R10 must run OSPF on their interfaces Eth0/0 and Lo0.
- R9 and R10 must run EIGRP on their interface Eth0/1.
- R53 and R54 must run EIGRP on all of their interfaces.
- Mutually redistribute EIGRP and OSPF on both R9 and R10.
- Avoid routing loops and ensure that all current and future prefixes are routed via their optimal path. Don’t use any access-map, prefix-list or route-map in order to achieve this requirement.

2.8 Merge Phase 2 : Routing Policies

Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”.

Configure the network as per the following requirements:
- Network managers have decided that the primary path for all traffic between Jameson’s 10.2.1.0/24 and Jacob’s 172.18.1.0/24 must be routed preferably via the BGP backdoor link between R18 and R57. If this link should fail then traffic should fall back over the MPLS core network.
- All other traffic must be routed preferably via the MPLS network.
- Do not configure any route-map nor access-list in order to achieve this requirement.

Ensure that the following test reveals the same path as shown below.

2.9 IPv6 Routing - Part 1

Refer to “Diagram 2: Initial Topology”


Jameson’s started deploying IPv6 in dual-stack mode in the datacenter.
Configure Jameson’s datacenter network as per the following requirements:
- Establish OSPFv3 adjacencies in Area 0 between SW3, SW4, R15 and R16.
- Do not use the command “ipv6 ospf” anywhere in order to accomplish the previous requirement.
- Interface VLAN 100 of SW3 must be configured with default router preference set to “medium”.
- Interface VLAN 100 of SW4 must be configured with default router preference set to “high”.
- The interval between Router Advertisement transmissions on VLAN 100 must be set to 10 seconds on both SW3 and SW4.

Note:
IPv6 addresses were configured on the above devices in the following way:
ipv6 address fe80:db80::N/64 link-local
ipv6 address 2001:db80::VLANID:N/64

2.10 IPv6 Routing - Part 2

Configure Jameson’s datacenter network as per the following requirements:
- SW3 and SW4 must provide first-hop redundancy for hosts in VLAN 100 by sharing the virtual link-local address FE80:100::1
- SW3 must be elected as the active router and SW4 must be elected as the standby router.
- In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it must automatically recover the role from SW4.
- Ensure that HSRP hello packets are exchanged every 5 seconds and that the standby takes over the active role if three consecutive Hello packets were missed from the active.

2.11 Multicast in Jameson's

Refer to “Diagram 2: Initial Topology”.


An application running on server R101 (which is located in Jameson’s datacenter) uses multicast to deliver specific traffic to users located in Jameson’s branch network.

Configure Jameson’s network as per the following requirements:
- Use PIM Sparse-mode
- The interface Lo0 of R17 must be elected as the Rendezvous point for the whole multicast domain
- R17 must announce its candidacy to advertise the group-to-RP mapping set to the router link local address.
- For interoperability reasons, the selection of R17 as the RP must adhere to Cisco proprietary protocol and must use the default priority value as per the standard.
- The streaming server is located at R19’s E0/1 and uses the group address 239.1.1.1 to send traffic to interested receivers
- Receivers are located in the branch network and they are connected to the datacenter via DMVPN.

Ensure that the following test is successful:

Section 3 – VPN Technologies

3.1 Jameson’s Branch Offices


Refer to “Diagram 2: Initial Topology”

Configure DMVPN Phase 3 in Jameson’s branch network as per the following requirements:
Use the preconfigured interface Tunnel0 on all four routers in order to accomplish this task.
- R17 must be configured as the hub router.
- R19, R20 and R21 must be the spoke routers and must participate in the NHRP information exchange.
- Ensure that spoke-to-spoke traffic does not transit via the hub.
- Protect the tunnelled traffic by attaching the preconfigured IPsec profile to the tunnel interface on all tunnel end-points.
- Ensure that all spokes establish an OSPF adjacency through the tunnel with the hub R17, without attempting to elect any Designated Router.

3.2 Jameson’s pre-merge VPN

Refer to the “Overall Scenario” and “Diagram 4: Pre-merge Topology”


Jameson’s decided to enable MPLS VPN in their network.

They started configuring it but it is your responsibility to complete it and verify that it is fully functional.
Configure Jameson’s network as per the following requirements:
- Enable LDP in the core network as indicated in “Diagram 4: Pre-merge Topology”.
- Ensure that all LDP routers use their interface Lo0 as their LDP router-id.
- R1 must reflect VPNv4 prefixes to all PE’s.
- The datacenter network must be connected to the VPN “DC” via eBGP.
- The headquarters and main office networks must be connected to the VPN “Corp” via eBGP.
- All six PE’s must use a consistent format “ASN:nn” for the VPN route-distinguisher, where:
  - ASN is the Autonomous System Number of the connected CE.
  - nn is any relevant number for the VPN site.

3.3 Merge Phase 2 : VPN

Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”.


Jameson’s and Jacob’s are entering in the second phase of the merge and have deployed two new border routers in their respective core network.

Configure the network as per the following requirements:
- The BGP AS number of Jacob’s original core network must be converted to use Jameson’s AS number 65001, as indicated in “Diagram 6: Merge Phase 2”.
- All BGP sessions between Jacob’s core and remote sites (including headquarters and office networks) must be recovered using the new AS number.
- Do not modify the BGP configuration of Jacob’s CEs (R55, R56, R58) in order to accomplish this requirement.
- Enable LDP in the merged core network as indicated in “Diagram 6: Merge Phase 2”, including the four new border routers (R9, R10, R53 and R54) and Jacob’s core network.
- Ensure that all LDP routers use their interface Lo0 as their LDP router-id.
- R1 must reflect VPNv4 prefixes to all PE’s, including to Jacob’s PEs.
- Jacob’s headquarters network must be added to the VPN DC
- Jacob’s office network must be added to the VPN JacobsCorp
- All nine PE’s must use a consistent format “ASN:nn” for the VPN route-distinguisher, where:
  - ASN is Autonomous System Number of the connected CE
  - nn is any relevant number

3.4 Inter-VPN Routing

Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”.


Configure the network as per the following requirements:
- Jameson’s headquarters, main office and Jacob’s office must receive datacenter prefixes
- Jameson’s main office and headquarters may not receive Jacob’s prefixes.
- In order to simplify future changes, your solution may not be limited to specific prefixes.

Section 4 – Infrastructure Security

4.1 Device Security


Refer to “Diagram 1: Initial Topology”.

Configure the network as per the following requirements:
- Protect R17’s control-plane from TTL expiry attacks so that illegitimate IP packets with a TTL of 0 or 1 are dropped before the CPU processes them.
- Legitimate packets include expected control protocols running on the link.

4.2 Network Security

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.


Configure the network as per the following requirements:
- SW5 and SW6 must filter DHCP messages received from untrusted hosts by comparing the source MAC address and the DHCP client hardware address. If the addresses match, the switches must forward the packet. If the addresses do not match, the switches must drop the packet.
- Ensure that these access switches do not filter DHCP packets on their uplinks.
- Ensure that the DHCP relay switches (refer to item 5.1) allow DHCP messages received on their interface Vlan 100 with the added Option 82 and an uninitialized GIADDR field to be accepted.
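
The checks named in this task, modelled in Python as an added example (not part of the original workbook and not switch configuration): it parses a raw Ethernet frame carrying DHCP, applies the source-MAC versus client-hardware-address comparison on untrusted ports only, and evaluates the Option 82 with zero GIADDR condition on the relay side. Function names, the sample MAC addresses and frames are constructed; dropping malformed DHCP on untrusted ports and rejecting Option 82 with a zero GIADDR unless the interface trusts it are modelling assumptions.

```python
"""DHCP snooping checks from section 4.2 (added example; names and frames are constructed)."""
import struct
from typing import NamedTuple, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
ZERO_IP = bytes(4)


class DhcpMsg(NamedTuple):
    src_mac: bytes   # Ethernet source address
    chaddr: bytes    # client hardware address from the BOOTP header
    giaddr: bytes    # relay agent (gateway) address
    options: dict    # option code -> raw value


def parse_dhcp(frame: bytes) -> Optional[DhcpMsg]:
    """Return the DHCP fields of an Ethernet II frame, or None if not DHCP.

    Raises ValueError when the frame is addressed as DHCP but is malformed.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:
        return None  # not UDP over IPv4
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if sport not in (67, 68) or dport not in (67, 68):
        return None  # not the BOOTP/DHCP ports
    bootp = ip[ihl + 8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        raise ValueError("truncated BOOTP header or missing magic cookie")
    hlen = bootp[2]
    if hlen > 16:
        raise ValueError("hlen larger than the chaddr field")
    opts, options, i = bootp[240:], {}, 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("option runs past the end of the packet")
        options[opts[i]] = opts[i + 2:i + 2 + opts[i + 1]]
        i += 2 + opts[i + 1]
    return DhcpMsg(frame[6:12], bootp[28:28 + hlen], bootp[24:28], options)


def access_port_verdict(frame: bytes, trusted: bool) -> str:
    """SW5/SW6: compare source MAC with chaddr on untrusted ports only."""
    if trusted:
        return "forward"  # uplinks are not filtered
    try:
        msg = parse_dhcp(frame)
    except ValueError:
        return "drop"  # malformed DHCP from an untrusted host (assumed policy)
    if msg is None:
        return "forward"  # not DHCP, outside this check
    return "forward" if msg.src_mac == msg.chaddr else "drop"


def relay_accepts(frame: bytes, relay_info_trusted: bool) -> bool:
    """SW3/SW4 on Vlan 100: Option 82 with giaddr 0.0.0.0 is accepted only
    when the receiving interface is set to trust relay information."""
    msg = parse_dhcp(frame)
    if msg is None:
        return False  # nothing for a DHCP relay to handle
    if OPT_RELAY_INFO in msg.options and msg.giaddr == ZERO_IP:
        return relay_info_trusted
    return True


def build_discover(src_mac: bytes, chaddr: bytes, option82: bytes = b"") -> bytes:
    """Construct a DHCPDISCOVER frame; checksums stay 0 (not verified here)."""
    opts = b"\x35\x01\x01"  # option 53 = DHCPDISCOVER
    if option82:
        opts += bytes([OPT_RELAY_INFO, len(option82)]) + option82
    opts += bytes([OPT_END])
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(chaddr), 0,
                        0x1234ABCD, 0, 0x8000, ZERO_IP, ZERO_IP, ZERO_IP,
                        ZERO_IP, chaddr, b"", b"") + DHCP_MAGIC + opts
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ZERO_IP, b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


HOST = bytes.fromhex("02005e000001")      # constructed MAC addresses
OTHER = bytes.fromhex("02005e0000ff")
CIRCUIT_ID = b"\x01\x04\x00\x64\x00\x02"  # constructed Option 82 sub-option 1

if __name__ == "__main__":
    for name, frame in [("matching", build_discover(HOST, HOST)),
                        ("mismatched", build_discover(HOST, OTHER))]:
        print(name, "untrusted:", access_port_verdict(frame, False),
              "trusted:", access_port_verdict(frame, True))
    tagged = build_discover(HOST, HOST, CIRCUIT_ID)
    print("Option 82 accepted when trusted:", relay_accepts(tagged, True))
```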

Section 5 – Infrastructure Services


5.1 Centralized DHCP

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.


Jameson’s R15 must centralize DHCP service for the datacenter’s hosts VLANs.

Configure the network as per the following requirements:
- Ensure that the distribution switches SW3 and SW4 forward DHCP discover broadcast messages received from VLAN 100’s hosts to interface Lo0 of R15 as unicast messages.
- R15 must assign hosts in VLAN 100 a valid IP address from the prefix 10.2.1.0/24
- Ensure that addresses that were statically configured will never be assigned to any hosts.
- The DHCP offer must include the IP address 10.2.1.1/24 as the default gateway for VLAN 100 users.
- Ensure that the server R101 effectively receives an IP address from the expected prefix 10.2.1.0/24 as well as its default gateway information.

5.2 Internet Gateway

Refer to “Diagram 1: Initial Topology”


Configure the network as per the following requirements:
- R17 is Jameson’s Internet gateway router.
- Ensure that R17 enables all internal hosts (that is: hosts with source IP address in the range of 10.0.0.0/8 or 172.0.0.0/8) to simultaneously connect to the Internet using the public IP address of interface Eth0/0.

The following tests must be successful:

CRL_LAB4_SW1#pi 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

CRL_LAB4_SW2#pi 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

CRL_LAB4_SW10#pi 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

CRL_LAB4_R19#pi 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms

5.3 First Hop Redundancy

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.


Jameson’s datacenter’s SW3 and SW4 must offer first hop redundancy to VLAN 100’s hosts using HSRP.

Configure the network as per the following requirements:
- SW3 and SW4 must use the multicast address 224.0.0.102 in order to negotiate the active and standby roles.
- SW3 must be elected as the standby router and SW4 must be elected as the active router.
- In case SW3 is down, SW4 must take over the active role. If SW3 comes back online, it must automatically recover the active role from SW4.
- Ensure that HSRP hello packets are exchanged every 10 seconds and that the standby takes over the active role if three consecutive Hello packets were missed from the active.
- Both routers must share the virtual IP address 10.2.1.1 that will be used as the default gateway for VLAN 100’s hosts.

5.4 Tracking Reachability

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial Topology”.


Configure the network as per the following requirements:
- SW3 and SW4 must monitor the reachability of their OSPF IPv4 default route and in case it is not available, the HSRP priority must be decreased by 10.
