Post on 13-Dec-2015
Suzhou Sannet IT Education
Suzhou Sannet IT Education - CCIE group, QQ group number: 235877260 http://www.sannet.net
K4 version
1.1 Troubleshoot Layer 2 Switching
1.2 VLAN and Access-ports
1.3 Spanning-Tree (STP)
1.4 Switch Trunking and EtherChannel
1.5 Layer2 Protocol tunneling
1.6 PPP over Ethernet
1.7 Frame-Relay
2.1 IPv4 OSPF
2.2 IPv4 EIGRP
2.3 IPv4 RIP
2.4 Redistribution: OSPF into RIP
2.5 Redistribution: EIGRP into OSPF
2.6 IPv4 eBGP
2.7 IPv4 iBGP
2.8 Advanced BGP
2.9 IPv6 Addressing
2.10 IPv6 Routing
3.1 Multicast
3.2 Advanced Multicast feature
4.1 IGP Authentication
4.2 Zone-Based Firewall
4.3 Layer 2 Security
4.4 Quality of Service
4.5 Quality of Services
4.6 First Hop redundancy
4.7 Time-based Access-list
5.1 Network Management
5.2 Network optimization
1.1 Troubleshoot Layer 2 Switching 4 Points
Two faults have been injected into the pre-configurations just described. These
issues may impede a working solution for certain portions of this lab exam, and
these issues can affect any lab exam section. You must verify that all of your
configurations work as expected. If something is not working as expected, then
you must fix the underlying problem.
DHCP snooping/ARP inspection on VLAN17 on SW2
SW2:
no ip arp inspection vlan 17
Trunks configured with portfast
SWx:
interface range f0/19 - 24
 no spanning-tree portfast
Guard root on SW4 and possibly incorrect vtp passwords ---> reconfigure VTP
SW4:
interface range f0/19 - 24
 no spanning-tree portfast
 no spanning-tree guard root
The address on R2's link to BB2 is misconfigured
None of the switches' SVI interfaces have addresses configured
1.2 VLAN and Access-ports 3 Points
Vlan17 – Between R1 & SW2
Vlan29 – Between R2 & SW4
Vlan34 – Between R3 & R4
Vlan38 – Between R3 & SW3
Vlan45 – Between R4 & R5
Vlan56 – Between R5 & SW1
Vlan67 – SVI Between SW1 & SW2
Vlan89 – SVI Between SW3 & SW4
Vlan100 – Between R1 & BB1
Vlan200 – Between R2 & BB2
Vlan300 – Between SW3 & BB3
Vlan333 – Customer Vlan
Vlan666 – Carrier Vlan
Vlan999 – Unused ports Vlan
1. Complete the VLANs configuration for the access ports as per the VLAN table
above (case sensitive).
2. Ensure that all unused physical ports on all switches are shutdown and
configured as access-ports in VLAN 999 (Do not forget Gigabit ports)
3. Configure VTP transparent mode on all switches.
SW1/SW2/SW3/SW4:
vtp domain CCIE
vtp mode transparent
vtp version 2
vtp password sannet
inter range f0/19 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 exit
!
vlan 17
vlan 29
vlan 34
vlan 38
vlan 45
vlan 56
vlan 67
vlan 89
vlan 100
vlan 200
vlan 300
vlan 333
vlan 666
vlan 999
SW1:
interface f0/1
 sw mode acc
 sw acc vlan 17
!
int f0/2
 sw mode acc
 sw acc vlan 200
!
int f0/3
 sw mode acc
 sw acc vlan 34
!
int f0/4
 sw mode acc
 sw acc vlan 45
!
interface f0/5
 sw mode access
 sw acc vlan 56
!
int f0/10
 sw mode acc
 sw acc vlan 100
!
int range f0/6 - 9 , f0/11 - 18 , g0/1 - 2
 sw mode acc
 sw acc vlan 999
 shutdown
SW2:
int f0/1
 sw mode acc
 sw acc vlan 100
!
int f0/2
 sw mode acc
 sw acc vlan 29
!
int f0/3
 sw mode acc
 sw acc vlan 38
!
int f0/4
 sw mode acc
 sw acc vlan 34
!
int f0/5
 sw mode acc
 sw acc vlan 45
!
int f0/10
 sw mode acc
 sw acc vlan 200
!
int range f0/6 - 9 , f0/11 - 18 , g0/1 - 2
 sw mode acc
 sw acc vlan 999
 shutdown
!
SW3:
int f0/10
 sw mode acc
 sw acc vlan 300
!
int range f0/1 - 9 , f0/11 - 18 , g0/1 - 2
 sw mode acc
 sw acc vlan 999
 shutdown
SW4:
int range f0/1 - 18 , g0/1 - 2
 sw mode acc
 sw acc vlan 999
 shutdown
1.3 Spanning-Tree (STP) 3 Points
1. Set the region name as Cisco
2. Assign all active odd VLANs to instance 1
3. Assign all active even VLANs to instance 2
4. Explicitly assign all unused VLANs to instance 3
5. Ensure that SW1 is the primary root bridge for odd VLANs and for CIST
6. Ensure that SW1 is the secondary root for even VLANs
7. Ensure that SW2 is the primary root bridge for even VLANs
8. Ensure that SW2 is the secondary root for odd VLANs and for CIST
Note: Odd numbers are 1, 3, 5, etc. and even numbers are 2, 4, 6, etc.
Don’t forget any other VLAN used throughout the exam!
SW1 - SW4:
spanning mode mst
spanning-tree extend system-id
spanning-tree mst configuration
 revision 1
 name cisco
 instance 3 vlan 1-4094
 instance 1 vlan 17,29,45,67,89,333,999
 instance 2 vlan 34,38,56,100,200,300,666
SW1:
spanning-tree mst 0 root primary
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary
SW2:
spanning-tree mst 0 root secondary
spanning-tree mst 1 root secondary
spanning-tree mst 2 root primary
check:
show spanning-tree mst config
show spanning-tree
1.4 Switch Trunking and EtherChannel 3 Points
1. Disable DTP
2. Use encapsulation 802.1Q
3. The native VLAN is VLAN 999
4. Ensure that native VLAN is tagged
5. Configure a 200 Mbps logical trunk between SW1 and SW2 as per the following
requirements:
- The EtherChannel must use IEEE 802.3ad
- SW2 can't initiate the negotiation
- The load distribution mechanism must use the source and destination host
MAC address
- If more channel members were added in the future, Fa0/24 must have the best
chance to be the first active port.
SW1 - SW4:
vlan dot1q tag native
interface range f0/19 - 24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
SW1:
interface range f0/23 - 24
 channel-group 12 mode active
!
interface f0/24
 lacp port-priority 0
!
port-channel load-balance src-dst-mac
SW2:
interface range f0/23 - 24
 channel-group 12 mode passive
!
interface f0/24
 lacp port-priority 0
!
port-channel load-balance src-dst-mac
1.5 Layer2 Protocol tunneling 4 Points
1. Users connected to VLAN 333 on SW3 must be able to communicate with the users
connected to VLAN 333 on SW4 via the respective interfaces connected to SW1
and SW2
2. Configure the VLAN 333 interface on SW3 with the IP address YY.YY.33.8/24
3. Configure the VLAN 333 interface on SW4 with the IP address YY.YY.33.9/24
4. VLAN 333 must be allowed to flow only through SW3 and SW4's Fa0/19, no
other trunks may carry this VLAN
5. SW1 and SW2 must carry the VLAN 333 data across the network using VLAN 666
6. VLAN 666 may exist only on SW1 and SW2
7. SW1 and SW2 must not allow VLAN 333 on any trunks and must allow VLAN 666
only on the trunks between them
8. No other port in any switch may carry VLAN 333
9. Do not modify any spanning-tree cost or port-priority to achieve this task
10. Referring to the exhibit below SW3 must see SW4 as a CDP neighbor via
interface Fa0/19 and must be able to ping SW4’s VLAN 333
SW1/SW2:
system mtu 1504
sdm prefer dual-ipv4-and-ipv6 default
exit
wr
reload
!
!! After the MTU value is changed, the configuration must be saved and the switch reloaded; this also enables OSPFv3 support on the C3560 switch.
SW1:
int f0/19
 sw mode dot1q-tunnel
 sw acc vlan 666
 l2protocol-tunnel cdp
!
int range f0/20 - 24 , port-channel 12
 switchport trunk allowed vlan remove 333
!
int range f0/20 - 22
 switchport trunk allowed vlan remove 666
SW2:
int f0/19
 sw mode dot1q-tunnel
 sw acc vlan 666
 l2protocol-tunnel cdp
!
int range f0/20 - 24 , port-channel 12
 switchport trunk allowed vlan remove 333
!
int range f0/20 - 22
 switchport trunk allowed vlan remove 666
SW3:
int range f0/19
 switchport trunk allowed vlan 333
!
int range f0/20 - 24
 switchport trunk allowed vlan remove 333,666
!
int vlan 333
 ip add YY.YY.33.8 255.255.255.0
 no shutdown
!
no vlan 666
SW4:
int range f0/19
 switchport trunk allowed vlan 333
!
int range f0/20 - 24
 switchport trunk allowed vlan remove 333,666
!
int vlan 333
 ip add YY.YY.33.9 255.255.255.0
 no shutdown
!
no vlan 666
1.6 PPP over Ethernet 3 Points
1. Configure R3 as a PPPoE server
2. Configure R4 as a PPPoE client
3. The link must be up even if there is no traffic at all
4. R4 must always receive the IP address YY.YY.34.4/32 from R3
5. Do not use DHCP to assign the IP address
6. Avoid unnecessary fragmentation on the PPPoE link
7. The client must use CHAP to authenticate with the server (Use device’s
hostname as CHAP username and any password)
R3 (Server):
username RackYYR4 password sannet
!
bba-group pppoe global
 virtual-template 1
!
vpdn enable
!
vpdn-group cisco
 accept-dialin
  protocol any
!
ip local pool cisco YY.YY.34.4
!
interface Virtual-Template1
 ip address YY.YY.34.3 255.255.255.0
 peer default ip address pool cisco
 ppp authentication chap
 ip tcp adjust-mss 1452
!
interface Gi0/0
 no shutdown
 pppoe enable group global
R4 (client):
host RackYYR4
interface FastEthernet0/1
 no shutdown
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 mtu 1492
 dialer idle-timeout 0
 dialer persistent
 ppp chap password sannet
The solution above earns full marks, and the OSPF neighbor between the PPPoE server and client forms normally, but it requires IOS 12.4T or later. The following configuration achieves the same result but has not been verified in the exam.
R3 (server):
username RackYYR4 password CCIE
bba-group pppoe CCIE
 virtual-template 1
!
interface Gi0/0
 ip address YY.YY.34.3 255.255.255.0
 pppoe enable group CCIE
 no shutdown
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered FastEthernet0/0
 peer default ip address pool ipcp
!
ip local pool ipcp YY.YY.34.4
R4 (Client):
host Rack08R4
interface FastEthernet0/1
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no shutdown
!
interface Dialer1
 mtu 1492
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp chap password 0 CCIE
!
dialer-list 1 protocol ip permit
1.7 Frame-Relay 2 Points
1. R1 uses DLCI 102
2. R2 uses DLCI 201
3. Use IETF encapsulation(rfc1490)
4. Ensure both DTE do not build dynamic address mapping
5. Ensure the broadcast packets are replicated on the frame-relay link
6. Ensure that both DTE are able to ping each other as well as their own
Frame-Relay interface
7. Configure on R1 and R2 the administrative bandwidth for both Frame-Relay
interface to 50000kbps
8. R4 is preconfigured as the Frame-Relay Switch. Do not modify any Frame-Relay
configuration on R4.
R4 pre-config:
frame-relay switching
!
interface Serial0/0
 encapsulation frame-relay ietf
 clock rate 64000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 102 interface Serial0/1 201
 no shut
interface Serial0/1
 encapsulation frame-relay ietf
 clock rate 64000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0/0 102
 no shut
R1:
interface s0/0/0
 bandwidth 50000
 encapsulation frame-relay ietf
 no frame-relay inverse-arp
 ip address YY.YY.12.1 255.255.255.0
 no shutdown
 frame-relay map ip YY.YY.12.1 102
 frame-relay map ip YY.YY.12.2 102 broadcast
R2:
interface s0/0/0
 bandwidth 50000
 encapsulation frame-relay ietf
 no frame-relay inverse-arp
 ip address YY.YY.12.2 255.255.255.0
 no shutdown
 frame-relay map ip YY.YY.12.2 201
 frame-relay map ip YY.YY.12.1 201 broadcast
2.1 IPv4 OSPF 3 Points
1. The OSPF process ID can be any number
2. The OSPF router-IDs must be stable and must be configured using the IP address
of interface loopback0
3. Loopback 0 interfaces must be advertised in the OSPF area shown in the
“diagram 1 IGP Routing”
4. Do not create additional OSPF areas
5. Do not use any IP address not listed in “Diagram 1 IGP Routing”
6. In case either R1 or R5 is down, R4 must still be able to reach all other OSPF
prefixes via R3
7. Do not change the OSPF network type on Frame-Relay interfaces
8. Do not propagate any default route in any Area
R1:
router ospf YY
 router-id YY.YY.1.1
 network YY.YY.1.1 0.0.0.0 area 0
 network YY.YY.17.1 0.0.0.0 area 0
 network YY.YY.15.1 0.0.0.0 area 0
 network YY.YY.12.1 0.0.0.0 area 1
 area 1 virtual-link YY.YY.3.3
 network 150.1.YY.1 0.0.0.0 area 0
 passive-interface g0/1
!
int g0/0
 ip ospf mtu-ignore
R2:
router ospf YY
 router-id YY.YY.2.2
 network YY.YY.12.2 0.0.0.0 area 1
 network YY.YY.23.2 0.0.0.0 area 1
 network YY.YY.2.2 0.0.0.0 area 1
 network 150.2.YY.1 0.0.0.0 area 1
 passive-interface g0/0
 neighbor YY.YY.12.1
R3:
router ospf YY
 router-id YY.YY.3.3
 network YY.YY.3.3 0.0.0.0 area 1
 network YY.YY.23.3 0.0.0.0 area 1
 network YY.YY.35.3 0.0.0.0 area 1
 network YY.YY.34.3 0.0.0.0 area 2
 area 1 virtual-link YY.YY.1.1
 area 1 virtual-link YY.YY.5.5
R4:
router ospf YY
 router-id YY.YY.4.4
 network YY.YY.4.4 0.0.0.0 area 2
 network YY.YY.34.4 0.0.0.0 area 2
!
R5:
router ospf YY
 router-id YY.YY.5.5
 network YY.YY.5.5 0.0.0.0 area 0
 network YY.YY.35.5 0.0.0.0 area 1
 network YY.YY.15.5 0.0.0.0 area 0
 network YY.YY.56.5 0.0.0.0 area 0
 area 1 virtual-link YY.YY.3.3
!
int f0/0
 ip ospf mtu-ignore
SW1:
ip routing
router ospf YY
 router-id YY.YY.6.6
 network YY.YY.6.6 0.0.0.0 area 0
 network YY.YY.56.6 0.0.0.0 area 0
 network YY.YY.67.6 0.0.0.0 area 0
SW2:
ip routing
router ospf YY
 router-id YY.YY.7.7
 network YY.YY.7.7 0.0.0.0 area 0
 network YY.YY.67.7 0.0.0.0 area 0
 network YY.YY.17.7 0.0.0.0 area 0
2.2 IPv4 EIGRP 2 Points
1. Configure EIGRP AS YY and EIGRP AS 100 as per the “Diagram 1 IGP Routing”
2. Redistribute EIGRP AS 100 into EIGRP AS YY
3. Disable automatic summarization for both autonomous Systems
SW3:
ip routing
router eigrp 100
 no auto-summary
 network 150.3.YY.1 0.0.0.0
!
router eigrp YY
 no auto-summary
 network YY.YY.89.8 0.0.0.0
 network YY.YY.38.8 0.0.0.0
 network YY.YY.8.8 0.0.0.0
 redistribute eigrp 100 metric 10000 100 255 1 1500
SW4:
ip routing
router eigrp YY
 no auto-summary
 network YY.YY.89.9 0.0.0.0
 network YY.YY.9.9 0.0.0.0
 network YY.YY.29.9 0.0.0.0
R2:
router eigrp YY
 no auto-summary
 network YY.YY.29.2 0.0.0.0
R3:
router eigrp YY
 no auto-summary
 network YY.YY.38.3 0.0.0.0
2.3 IPv4 RIP 1 Point
1. Disable automatic summarization
2. RIP must be enabled only for the required interfaces, no other interfaces may
send any RIP update
R4:
router rip
 version 2
 network YY.0.0.0
 no auto-summary
 passive-interface default
 no passive-interface f0/0
R5:
router rip
 version 2
 network YY.0.0.0
 no auto-summary
 passive-interface default
 no passive-interface f0/1
2.4 Redistribution: OSPF into RIP 2 Points
1. Redistribute OSPF into RIP on R5
2. R4 must route traffic destined to SW1 loopback 0 via R5
3. R4 must route all other OSPF prefixes via R3
R5:
router rip
 redistribute ospf YY metric 1
R4:
router ospf YY
 distance 125 YY.YY.3.3 0.0.0.0 1
access-list 1 permit YY.YY.6.6
If the exam question includes something like "Mutual redistribute between OSPF and RIP":
R4:
router ospf YY
 redistribute rip subnets route-map rip_prefix
!
route-map rip_prefix permit 10
 match ip address 10
!
access-list 10 permit YY.YY.45.0
2.5 Redistribution: EIGRP into OSPF 4 Points
1. Manually redistribute EIGRP and OSPF on both R2 and R3
2. The only EIGRP External routes that both R2 and R3 must see are the prefixes
originated in EIGRP 100 and the VLAN 300 prefix
3. All internal OSPF prefixes (i.e. all existing subnets of YY.YY.0.0/16 that are not
originated in EIGRP YY and EIGRP 100) must be seen as OSPF internal by both R2
and R3
4. Without any additional configuration, your solution must cover any future
prefixes that could eventually be advertised by BB3
5. You must use a route filtering mechanism but do not use any access-list or
prefix-list to achieve this task
6. Ensure optimal routing is performed on both R2 and R3
7. Do not change any default administrative distance to achieve this task
R2/R3:
router ospf YY
 redistribute eigrp YY subnets metric-type 1 tag 100
 distribute-list route-map filter in
!
route-map filter deny 10
 match tag 100
!
route-map filter permit 20
!
router eigrp YY
 redistribute ospf YY metric 10000 1000 255 1 1500
2.6 IPv4 eBGP 2 Points
1. Configure eBGP between AS YY and AS 254 as per the “Diagram 2 BGP
Routing”
2. R2 must generate a warning log message if it receives more than 5 prefixes from
BB2
3. Both R2 and R3 must exchange the BGP capability that indicates the end of RIB
marker after the initial routing update is complete
4. Redistribute OSPF into BGP on both R1 and R2
5. Ensure that you receive BGP Prefixes from both BB1 and BB2
6. Do not use next-hop-self on either R1 or R2
R1:
router bgp YY
 bgp router-id YY.YY.1.1
 neighbor 150.1.YY.254 remote-as 254
 redistribute ospf YY match internal external 1 external 2
R2:
router bgp YY
 bgp router-id YY.YY.2.2
 neighbor 150.2.YY.254 remote-as 254
 neighbor 150.2.YY.254 maximum-prefix 500 1 warning-only
 redistribute ospf YY match internal external 1 external 2
 bgp graceful-restart
R3:
router bgp YY
 bgp router-id YY.YY.3.3
 bgp graceful-restart
2.7 IPv4 iBGP 2 Points
1. Configure BGP AS YY between all five routers
2. Use loopback 0 interface for all internal BGP connections
3. R3 must be the Route Reflector for AS YY
4. Do not use peer-groups
R1:
router bgp YY
 neighbor YY.YY.3.3 remote-as YY
 neighbor YY.YY.3.3 update-source loopback 0
R2:
router bgp YY
 neighbor YY.YY.3.3 remote-as YY
 neighbor YY.YY.3.3 update-source loopback 0
R4:
router bgp YY
 bgp router-id YY.YY.4.4
 neighbor YY.YY.3.3 remote-as YY
 neighbor YY.YY.3.3 update-source loopback 0
R5:
router bgp YY
 bgp router-id YY.YY.5.5
 neighbor YY.YY.3.3 remote-as YY
 neighbor YY.YY.3.3 update-source loopback 0
R3:
router bgp YY
 neighbor YY.YY.1.1 remote-as YY
 neighbor YY.YY.1.1 update-source loopback 0
 neighbor YY.YY.1.1 route-reflector-client
 neighbor YY.YY.2.2 remote-as YY
 neighbor YY.YY.2.2 update-source loopback 0
 neighbor YY.YY.2.2 route-reflector-client
 neighbor YY.YY.4.4 remote-as YY
 neighbor YY.YY.4.4 update-source loopback 0
 neighbor YY.YY.4.4 route-reflector-client
 neighbor YY.YY.5.5 remote-as YY
 neighbor YY.YY.5.5 update-source loopback 0
 neighbor YY.YY.5.5 route-reflector-client
2.8 Advanced BGP 5 Points
1. R1 must prefer the external path to reach destinations in AS 254 and the tie
breaker in the BGP best path selection algorithm must be the “External VS
Internal” criteria
2. R3 must prefer the path via R1 and the change must not impact any other routers
3. R4 must be able to successfully ping host 197.68.1.254
4. Traffic sent from R4 to destinations in AS 254 must be routed through R1
5. BGP attributes of AS-Path, Local Preference and Weight can't be changed on
either R4 or R5
6. OSPF costs may be changed for only one interface
R1:
router bgp 8
 bgp bestpath as-path ignore
access-list 1 permit 197.68.0.0 0.0.31.0
route-map from_bb2 permit 10
 match ip address 1
 set as-path prepend 253
router bgp 8
 neighbor 150.2.YY.254 route-map from_bb2 in
R3:
router bgp 8
 bgp bestpath igp-metric ignore
 maximum-paths ibgp 2
 bgp additional-paths select backup
 bgp bestpath igp-metric ignore
 address-family ipv4
  neighbor 8.8.1.1 activate
  neighbor 8.8.2.2 activate
  neighbor 8.8.4.4 activate
  neighbor 8.8.5.5 activate
  neighbor 8.8.1.1 advertise diverse-path mpath
  neighbor 8.8.2.2 advertise diverse-path mpath
  neighbor 8.8.4.4 advertise diverse-path mpath
  neighbor 8.8.5.5 advertise diverse-path mpath
R4:
router bgp 8
 bgp bestpath igp-metric ignore
 bgp bestpath igp-metric ignore
R3:
router bgp YY
 neighbor YY.YY.1.1 weight 100
R5:
int serial 0/0/0
 ip ospf cost 1
2.9 IPv6 Addressing 2 Points
1. Refer to the “Diagram 3 IPv6 Routing” and configure IPv6 in your network
2. Configure all global unicast addresses to match 2001:YY:YY:SS::HH/MM, where
YY stands for your two-digit rack number, written in decimal format; SS is the third
octet of the IPv4 address of the same interface, written in decimal format; HH is the
fourth octet of the IPv4 address of the same interface, written in decimal format;
MM is the subnet mask and must be /128 for loopback interfaces and /64 for
other interfaces
3. Disable sending the periodic router advertisement messages on all IPv6
interfaces
4. IPv6 device must use Cisco's proprietary forwarding algorithm
2.10 IPv6 Routing 2 Points
1. Configure OSPFv3 according to the “Diagram 3 IPv6 Routing”
2. Use the number 2001 as the OSPFv3 process ID
3. Use the loopback 0 IP address as the OSPFv3 router-ID
4. Using a single command, the serial link between R1 and R5 must be
authenticated using MD5 key “1234567890ABCDEF1234567890ABCDEF”
5. All IPv6 interfaces must be reachable from any IPv6 router
R1:
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
 router-id YY.YY.1.1
!
int lo0
 ipv6 address 2001:YY:YY:1::1/128
 ipv6 ospf 2001 area 0
!
int s0/1
 ipv6 address 2001:YY:YY:15::1/64
 ipv6 ospf 2001 area 0
 ipv6 ospf authentication ipsec spi 256 md5 1234567890ABCDEF1234567890ABCDEF
!
int g0/0
 ipv6 address 2001:YY:YY:17::1/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
R5:
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
 router-id YY.YY.5.5
int lo0
 ipv6 address 2001:YY:YY:5::5/128
 ipv6 ospf 2001 area 0
int s0/0
 ipv6 address 2001:YY:YY:15::5/64
 ipv6 ospf 2001 area 0
 ipv6 ospf authentication ipsec spi 256 md5 1234567890ABCDEF1234567890ABCDEF
int f0/0
 ipv6 address 2001:YY:YY:56::5/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
SW1:
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
 router-id YY.YY.6.6
int lo0
 ipv6 address 2001:YY:YY:6::6/128
 ipv6 ospf 2001 area 0
!
int vlan 56
 ipv6 address 2001:YY:YY:56::6/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
!
int vlan 67
 ipv6 address 2001:YY:YY:67::6/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
SW2:
ipv6 unicast-routing
ipv6 cef
ipv6 router ospf 2001
 router-id YY.YY.7.7
int lo0
 ipv6 address 2001:YY:YY:7::7/128
 ipv6 ospf 2001 area 0
!
int vlan 17
 ipv6 address 2001:YY:YY:17::7/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
!
int vlan 67
 ipv6 address 2001:YY:YY:67::7/64
 ipv6 ospf 2001 area 0
 ipv6 nd ra suppress
check:
show ipv6 route
ping
show ipv6 interface
show ipv6 cef
3.1 Multicast 3 points
1. Configure IPv4 Multicast on R3 and R5
2. R3's loopback 0 is simulating a multicast video server and receivers are
connected to R5 Fa0/0
3. Multicast forwarding should not rely on any Rendezvous Point
4. The network should not have to flood and prune multicast traffic unnecessarily
R3:
ip multicast-routing
interface Loopback0
 ip pim sparse-mode
!
interface Serial0/0/0
 ip pim sparse-mode
R5:
ip multicast-routing
interface Serial0/0/0
 ip pim sparse-mode
!
interface FastEthernet0/0
 ip pim sparse-mode
3.2 Advanced Multicast feature 3 Points
1. Configure a static join on R5 FastEthernet0/0 for the group address 225.1.1.1 and
ensure that only the multicast video server simulated by YY.YY.3.3 is allowed to
send traffic for that group
2. Consider that there are hosts connected to R5 that only support IGMPv2 and
who are interested to join the group addresses 225.1.1.2 and 225.1.1.3
3. These hosts must be able to join these two groups for the source address
YY.YY.3.3
4. Routers should not query the Domain Name System (DNS) for any source
addresses
R3:
ip pim ssm range 1
!
access-list 1 permit 225.1.1.1
access-list 1 permit 225.1.1.3
access-list 1 permit 225.1.1.2
R5:
int f0/0
 ip igmp join-group 225.1.1.1 source YY.YY.3.3
 ip igmp v3lite
!
access-list 15 permit 225.1.1.1
access-list 15 permit 225.1.1.2
access-list 15 permit 225.1.1.3
!
ip pim ssm range 15
ip igmp ssm-map enable
no ip igmp ssm-map query dns
ip igmp ssm-map static 15 YY.YY.3.3
!
check:
R3/R5
show ip pim interface
show ip pim neighbor
show ip mroute
ping 225.1.1.1 source YY.YY.3.3
ping 225.1.1.1 source YY.YY.38.3
At this point the ping from R3 succeeds and the ping from R5 does not.
R5:
show ip igmp ssm-mapping 225.1.1.2
4.1 IGP Authentication 3 Points
1. Complete the configuration of MD5 authentication in the BGP domain
2. You are not allowed to change the pre-configured key in R4
3. R5 must save the key as plain text (not encrypted) in the configuration
R4:
int f0/0
 ip rip authentication mode md5
 ip rip authentication key-chain rip
!
key chain rip
 key 1
  key-string cisco
!! This password follows the pre-config; do not change it. Some updates say RIP authentication may have been removed, so be sure to read the question carefully.
R5:
int f0/1
 ip rip authentication mode md5
 ip rip authentication key-chain rip
!
key chain rip
 key 1
  key-string cisco
no service password-encryption
R1/R2/R3/R5:
router ospf YY
 area 1 authentication message-digest
R1/R2/R3/R5:
int s0/0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
int s0/0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
R4/R3:
router ospf YY
 area 2 authentication message-digest
R3:
int gi0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
R4:
int f0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
4.2 Zone-Based Firewall 3 Points
1. Two outputs are given. The first shows that the ping from SW2 to 150.1.YY.254
and the ping from R5 to 150.1.YY.254 both succeed. The second shows
the output of “show policy-map type inspect zone-pair”; note that the
action under the class-map hit is “pass”.
Class-map: A_B (match-all)
 Match: protocol icmp
 Pass
  10 packets, 800 bytes
Class-map: class-default (match-any)
 Match: any
 Pass
  0 packets, 0 bytes
2. You are required to build the ZBF based on the given zone-security names,
zone-members and zone-pairs (case sensitive).
R1:
class-map type inspect A_B
 match protocol icmp
!
policy-map type inspect A_B
 class type inspect A_B
  pass
 !
 class class-default
  pass
!
policy-map type inspect B_A
 class type inspect A_B
  pass
 !
 class class-default
  drop
!
zone security Zone_in
zone security Zone_out
!
zone-pair security A_B source Zone_in destination Zone_out
 service-policy type inspect A_B
!
zone-pair security B_A source Zone_out destination Zone_in
 service-policy type inspect B_A
!
interface g0/1
 zone-member security Zone_out
!
interface g0/0
 zone-member security Zone_in
!
interface s0/0/1
 zone-member security Zone_in
4.3 Layer 2 Security 3 Points
1. Configure SW1 and SW2 as per the following requirements
2. R4 and R5 may communicate only with each other in VLAN 45 and not with any
other host in that VLAN
3. Hosts connected to port Fa0/6 of both SW1 and SW2 must also be part of VLAN
45, and may communicate only with each other
4. Hosts connected to port Fa0/7 of both SW1 and SW2 are not allowed to
communicate with any host in VLAN 45
5. All of the above ports (Fa0/6 , Fa0/7 from SW1 and SW2) must be allowed to
communicate with a device connected to port Fa0/8 of SW1
6. Use only odd VLAN number(s) (between 334 and 998) if you need to create any
new VLAN(s)
7. Currently, there is no host attached to these ports but ensure that they are fully
configured and that no intervention is required when actually connecting
physical hosts to them
SW1/SW2:
spanning-tree mst configuration
 instance 1 vlan 335,337,401
vlan 45
 private-vlan primary
vlan 335
 private-vlan community
vlan 337
 private-vlan community
vlan 401
 private-vlan isolated
vlan 45
 private-vlan association 335,337,401
!
int fa0/6
 no shutdown
 switchport mode private-vlan host
 switchport private-vlan host-association 45 337
int f0/7
 no shutdown
 switchport mode private-vlan host
 switchport private-vlan host-association 45 401
SW1:
int f0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 45 335
int fa0/8
 no shutdown
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 45 335,337,401
SW2:
int f0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 45 335
SW3/SW4:
spanning-tree mst configuration
 instance 1 vlan 335,337,401
If the question also requires SW1's SVI to be made promiscuous:
SW1:
int vlan 45
 ip add YY.YY.45.6 255.255.255.0
 private-vlan mapping add 335,337,401
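An added example (not part of the original workbook): it parses the private-VLAN commands of the 4.3 solution and computes which port pairs can exchange frames, so the result can be compared with requirements 2 to 5. It assumes the SW1-SW2 trunk carries VLAN 45 and its secondary VLANs; interface names are normalized to fa0/N, and parse, can_talk and allowed_pairs are hypothetical helper names.

```python
import re
from itertools import combinations

# Shared SW1/SW2 part of the 4.3 solution (interface names normalized to fa0/N).
COMMON = """
vlan 45
 private-vlan primary
 private-vlan association 335,337,401
vlan 335
 private-vlan community
vlan 337
 private-vlan community
vlan 401
 private-vlan isolated
interface fa0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 45 337
interface fa0/7
 switchport mode private-vlan host
 switchport private-vlan host-association 45 401
"""
CONFIGS = {
    "SW1": COMMON + """interface fa0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 45 335
interface fa0/8
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 45 335,337,401
""",
    "SW2": COMMON + """interface fa0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 45 335
""",
}


def parse(configs):
    """Return (vlan_types, ports) from {switch: config text}."""
    vlan_types, ports = {}, {}
    for switch, text in configs.items():
        vlan = port = None  # block currently being read
        for line in map(str.strip, text.splitlines()):
            if m := re.fullmatch(r"vlan (\d+)", line):
                vlan, port = int(m.group(1)), None
            elif m := re.fullmatch(r"interface (\S+)", line):
                vlan = None
                port = ports.setdefault(
                    (switch, m.group(1)),
                    {"mode": None, "primary": None, "secondary": set()})
            elif vlan and (m := re.fullmatch(
                    r"private-vlan (primary|community|isolated)", line)):
                vlan_types[vlan] = m.group(1)
            elif port is not None and (m := re.fullmatch(
                    r"switchport mode private-vlan (host|promiscuous)", line)):
                port["mode"] = m.group(1)
            elif port is not None and (m := re.fullmatch(
                    r"switchport private-vlan (?:host-association|mapping)"
                    r" (\d+) ([\d,]+)", line)):
                port["primary"] = int(m.group(1))
                port["secondary"] = {int(v) for v in m.group(2).split(",")}
    return vlan_types, ports


def can_talk(a, b, vlan_types, ports):
    """Private-VLAN forwarding rule between two ports of one primary VLAN."""
    pa, pb = ports[a], ports[b]
    if None in (pa["mode"], pb["mode"]) or pa["primary"] != pb["primary"]:
        return False
    if pa["mode"] == pb["mode"] == "promiscuous":
        return True
    if "promiscuous" in (pa["mode"], pb["mode"]):
        prom, host = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        # The host's secondary VLAN must be in the promiscuous port's mapping.
        return bool(host["secondary"]) and host["secondary"] <= prom["secondary"]
    # Two host ports: only members of the same community VLAN can talk;
    # isolated ports never reach another host port.
    sec = pa["secondary"]
    return (bool(sec) and sec == pb["secondary"]
            and all(vlan_types.get(v) == "community" for v in sec))


def allowed_pairs(configs):
    """Set of frozenset({(switch, port), (switch, port)}) that can communicate."""
    vlan_types, ports = parse(configs)
    return {frozenset(pair) for pair in combinations(sorted(ports), 2)
            if can_talk(*pair, vlan_types, ports)}


if __name__ == "__main__":
    for pair in sorted(map(sorted, allowed_pairs(CONFIGS))):
        print(" <-> ".join(f"{sw} {port}" for sw, port in pair))
```

Because 335 is included in the Fa0/8 mapping, the result also lists R4 (SW1 fa0/4) and R5 (SW2 fa0/5) as able to reach the device on SW1 Fa0/8.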
4.4 Quality of Service 2 Points
1. It appears that some hosts attached to the subnet 197.68.22.0/24 behind BB1 are
sending suspicious traffic to multiple devices in OSPF Area 0
2. Configure R1 as per the following requirements
3. Use the Modular QoS CLI
4. Limit only this suspicious traffic to 128kbps per interface
5. Do not police this traffic
6. Use a standard access-list with a single entry, do not use a named access-list
R1:
access-list 1 permit 197.68.22.0 0.0.0.255
!
class-map bb1
 match access-group 1
!
policy-map limit_bb1
 class bb1
  shape average 128000
!
int g0/0
 service-policy output limit_bb1
!
int s0/0/1
 service-policy output limit_bb1
4.5 Quality of Services 3 Points
1. Consider that users connected to VLAN 56 are sending traffic that is already
marked as follows
2. Control IP precedence 6 or 7
3. Voice IP precedence 5
4. Video IP precedence 4
5. Business IP precedence 3
6. Internet IP precedence 0
7. Configure R5's interface S0/0/1 to share its available bandwidth as per the
following requirements
8. Use the Modular QoS CLI and use class names as per the above description (case
sensitive)
9. Use the match-all option for all Class-maps
10. Use only the criteria “match ip precedence” for all Class-maps
11. In case of congestion, the Voice traffic must be sent in priority over all other
traffic
12. The low latency queue may never use more than 20% of the available
bandwidth
13. In case of congestion, reserve 100Kbps of the available 2000Kbps for the control
traffic
14. Only in case of congestion the Video traffic may not exceed 30% of the available
bandwidth
15. Only in case of congestion the Business traffic may not exceed 30% of the
available bandwidth
16. Enable the congestion avoidance mechanism for the Business traffic using a
weight factor of 10 for the average queue size calculation
17. The Internet traffic should use the remaining bandwidth with no other
guarantee
Note:
1. Kbps=Kilo bits per second
2. Use the first word (case sensitive) of the above traffic description to name your
classes (i.e. class Control, class Voice, etc.)
R5:
class-map Control
 match ip precedence 6 7
!
class-map Voice
 match ip precedence 5
!
class-map Video
 match ip precedence 4
!
class-map Business
 match ip precedence 3
!
class-map Internet
 match ip precedence 0
!
policy-map mqc
 class Voice
  priority percent 20
  police cir percent 20
  ! (cir - USE FOR DATA PLANE, rate - USE FOR CONTROL PLANE)
 class Control
  bandwidth per 5
 class Video
  bandwidth per 30
 class Business
  bandwidth per 30
  random-detect
  random-detect exponential-weighting-constant 10
 class Internet
!
int s0/0/1
 bandwidth 2000
 max-reserved-bandwidth 100
 service-policy output mqc
4.6 First Hop redundancy 3 points
1. Consider that users are connected to VLAN 500 on both SW1 and SW2
2. Configure HSRP to provide redundancy for the user gateway YY.YY.100.254/24 as
per the following requirements
3. The HSRP topology must follow the STP topology (i.e. the default active gateway
must be the default root bridge)
4. The active gateway IP address is YY.YY.100.1/24 and the standby gateway IP
address is YY.YY.100.2/24
5. Use priority 120 on the active gateway and the default priority on the secondary
gateway
6. Both HSRP gateways must authenticate each other using the MD5 password CCIE
7. The standby gateway must take over the active role when the active gateway
loses reachability to the BB1 subnet (150.1.YY.0/24)
8. The primary gateway must recover its active role when reachability to the BB1
subnet is restored
9. When 5 Hello packets are missed, the secondary gateway must take over the
active role within 1 second
10. Make sure no IGP protocol is running on VLAN 500
SW1:
vlan 500
spanning-tree mst config
 instance 2 vlan 500
!
int vlan 500
 no shut
 ip address YY.YY.100.2 255.255.255.0
 standby 1 ip YY.YY.100.254
 standby 1 preempt
 standby 1 authentication md5 key-string CCIE
 standby 1 timers msec 200 1
SW2:
vlan 500
spanning-tree mst config
 instance 2 vlan 500
!
track 1 ip route 150.1.8.0/24 reachability
!
int vlan 500
 no shut
 ip address YY.YY.100.1 255.255.255.0
 standby 1 ip YY.YY.100.254
 standby 1 priority 120
 standby 1 preempt
 standby 1 timers msec 200 1
 standby 1 track 1 decrement 30
 standby 1 authentication md5 key-string CCIE
SW3/SW4:
spanning-tree mst config
 instance 2 vlan 500
check:
show track 1
show standby brief
4.7 Time-based Access-list 3 Points
1. Configure SW1 and SW2 in order to restrict access for VLAN 500 users as per the
following requirements
2. HTTP (from any user workstation to any remote server) is not allowed during
office hours (from 09:00 to 16:59, Monday to Friday)
3. FTP (from any user workstation to any remote server) is allowed only during
every night for backup between 22:00 to 23:59 and is not allowed at any other
time
4. UDP traffic is allowed only outside the office hours (every day from 17:00 to 8:59)
5. Any required control traffic must be allowed at any time and the ACL entry(-ies)
must be as specific as possible (i.e. specify the Layer 4 with the correct port
number on the destination)
6. Sources in all ACL entries must be explicitly configured to YY.YY.100.0/24
SW1/SW2:
time-range worktime
 periodic weekdays 09:00 to 16:59
time-range everyday-udp
 periodic daily 9:00 to 16:59
time-range ftp
 periodic daily 00:00 to 21:59
!
ip access-list extended t_acl
 permit udp y.y.100.0 0.0.0.255 host 224.0.0.2 eq 1985
 deny tcp y.y.100.0 0.0.0.255 any eq www time-range worktime
 deny tcp y.y.100.0 0.0.0.255 any eq ftp time-range ftp
 deny udp y.y.100.0 0.0.0.255 any time-range everyday-udp
 permit ip y.y.100.0 0.0.0.255 any
!
interface vlan 500
 ip access-group t_acl in
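Added example (not part of the original workbook): a small Python model of the t_acl solution above, used to check the first-match result at the boundary minutes of each time-range against the 4.7 requirements. It assumes IOS treats the end minute of a periodic range as inclusive; the destination address 198.51.100.10 used when calling it is a constructed sample, and source matching (always y.y.100.0/24) is not modelled.

```python
from datetime import datetime

WEEKDAYS, DAILY = set(range(5)), set(range(7))   # Monday = 0

def hm(s):
    """'HH:MM' -> minutes since midnight."""
    h, m = s.split(":")
    return int(h) * 60 + int(m)

# The three time-ranges from the solution: (days, first minute, last minute).
TIME_RANGES = {
    "worktime":     (WEEKDAYS, hm("09:00"), hm("16:59")),
    "everyday-udp": (DAILY,    hm("9:00"),  hm("16:59")),
    "ftp":          (DAILY,    hm("00:00"), hm("21:59")),
}

# t_acl entries in order: (action, protocol, dst host, dst port, time-range).
# None is a wildcard / "no time-range".
T_ACL = [
    ("permit", "udp", "224.0.0.2", 1985, None),        # HSRP hellos
    ("deny",   "tcp", None, 80,   "worktime"),         # eq www
    ("deny",   "tcp", None, 21,   "ftp"),              # eq ftp
    ("deny",   "udp", None, None, "everyday-udp"),
    ("permit", "ip",  None, None, None),
]

def active(name, when):
    """True if the named time-range is in effect (assumed inclusive end minute)."""
    if name is None:
        return True
    days, start, end = TIME_RANGES[name]
    minute = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minute <= end

def evaluate(proto, dst, dport, when):
    """First-match evaluation; an entry whose time-range is inactive is skipped."""
    for action, a_proto, a_dst, a_dport, tr in T_ACL:
        if a_proto not in ("ip", proto):
            continue
        if a_dst is not None and a_dst != dst:
            continue
        if a_dport is not None and a_dport != dport:
            continue
        if active(tr, when):
            return action
    return "deny"   # implicit deny that ends every ACL

def verdict(proto, dst, dport, stamp):
    """Convenience wrapper taking a 'YYYY-MM-DD HH:MM' timestamp."""
    return evaluate(proto, dst, dport, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))
```

For example, `verdict("tcp", "198.51.100.10", 21, "2015-12-14 22:00")` returns `permit`, while the same call one minute earlier returns `deny`.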
5.1 Network Management 3 Points
1. Configure SNMP version 3 for the group “admin” on R1 as per the following
requirements
2. Location is “San, Josie, US”, and the contact is ccie@cisco.com
3. The “admin” group’s read privilege must be called “adminview” and must
include the ISO MIB family
4. The “admin” group’s write privilege must be called “adminwrite” and must
include the system MIB family
5. The strongest security mechanism must be employed when handling SNMP
packets for any user belonging to the “admin” group
6. User “ccie” must be part of the “admin” group and can only connect with
SNMPv3 using the MD5 password “cisco”
7. Members of the “admin” group can connect only from VLAN 17’s subnet
YY.YY.17.0/24
8. Configure SNMPv2c for the “nms” servers connected from VLAN 67’s subnet
YY.YY.67.0/24
9. All traps must be sourced from the Loopback0 interface
10. If needed, use standard Access-lists only
Note: Location, Group, User, View and Community names are all case-sensitive (all
without quotation marks!)
R1:
access-list 10 permit YY.YY.17.0 0.0.0.255
access-list 11 per YY.YY.67.0 0.0.0.255
!
snmp-server group nms v2c access 11
snmp-server location San, Josie, US
snmp-server contact ccie@cisco.com
snmp-server group admin v3 auth
snmp-server group admin v3 priv match exact read adminview write adminwrite access 10
snmp-server view adminview iso included
snmp-server view adminwrite system included
snmp-server user ccie admin v3 auth md5 cisco priv aes 256 cisco
snmp-server trap-source loopback0
5.2 Network optimization 3 Points
1. Configure Netflow version 9 on R1 on the interface connected to BB1 as per the
following requirements
2. R1 must export a Netflow sample for every 1000 packets in both directions
3. Export the flow accounting information to server YY.YY.56.100 using the full
reliable export mode on port 2222
4. In case the server fails, R1 should export the same flow accounting information
to YY.YY.17.100 using the same protocol and port
5. Do not use any server-policy to configure these requirements
R1:
ip cef
ip flow-export version 9
ip flow-export destination YY.YY.56.100 2222 sctp
 reliability full
 backup destination YY.YY.17.100 2222
 backup mode fail-over
!
flow-sampler-map sample1k
 mode random one-out-of 1000
!
interface gi0/1
 no ip route-cache flow
 ip route-cache cef
 flow-sample sample1k
 flow-sample sample1k egress
check:
show flow-sample
show ip flow export sctp verbose
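You are welcome to join the discussion; if you find a better solution, please share it.
Thanks to ricky chan, joyce and Kai Fang for their help in many areas.
TS1++ and TS2++ will also be released soon; stay tuned.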