1. FRAME RELAY (2 points)
Requires R15 to telnet to R13 and R14 loopbacks
R13
interface Serial0/0
ip address 172.16.13.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip ospf network point-to-point
ip ospf priority 255
serial restart-delay 0
no snmp trap link-status
no fair-queue
frame-relay map ip 172.16.13.1 341
frame-relay map ip 172.16.13.3 345
ip pim sparse-dense-mode
R14
interface Serial0/0
ip address 172.16.13.3 255.255.255.252
ip ospf message-digest-key 1 md5 cisco
ip ospf network point-to-point
serial restart-delay 0
no fair-queue
frame-relay lmi-type ansi
R15
interface Serial1/0
ip address 172.16.13.1 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip ospf network point-to-point
serial restart-delay 0
no fair-queue
frame-relay lmi-type ansi
Prob.4 > Wrong sub-interface type--
Prob.9 > FR switch
Prob.12 > R15
2. HSRP (2 points)
Ensure the output of "show standby" on R22 and R23 is the same as shown below
R22 being the active unit with a priority configured of 100 (not by default), and also a track 1 configured and up, with a decrement value of 60.
R23 is the standby unit, using the default priority value (100), no authentication, with preempt, track 1 configured and up, with a decrement value of 60.
Initial Configs ()
R22
track 1 ip route 0.0.0.0 0.0.0.0 reachability <-- toward R13
track 1 ip route 1.1.70.0 255.255.255.0 reachability <-- toward R21
!
interface Ethernet0/0
ip address 172.16.10.10 255.255.255.248
half-duplex
standby 1 ip 172.16.10.14
standby 1 priority 150
standby 1 preempt
standby 1 track 1 shutdown
R23
!
interface Ethernet0/0
ip address 172.16.10.11 255.255.255.248
half-duplex
standby 1 ip 172.16.10.14
standby 1 priority 150
standby 1 track 1 shutdown
standby 1 preempt
standby 1 authentication md5 key-string cisco
R21 (if it was 1.1.70.0/24)
router eigrp 200
redistribute ospf 1 route-map PREFIX
distribute-list route-map PREFIX
network 172.16.10.22 0.0.0.0
network 172.16.10.26 0.0.0.0
no auto-summary
!
route-map PREFIX permit 10
match ip address 1
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.0.255.255
R13 (if it was the default route)
!
router ospf 1
log-adjacency-changes
area 1 nssa
network 10.1.1.13 0.0.0.0 area 0
network 172.16.13.2 0.0.0.0 area 1
network 172.16.14.42 0.0.0.0 area 0
Prob.5 > Distribute-list on R21
Prob.6 > R22, R23
Prob.7 > R22
3. NTP (2 points)
R13 NTP cannot synchronize with R5, Fix it
Initial Configs ()
R5
ntp authentication-key 1 md5 030758020337
ntp master 2
R13
ntp authentication-key 1 md5 cisco
ntp server 10.1.1.5 key 1
R9
interface Ethernet0/0
ip address 172.16.14.1 255.255.255.248
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip igmp access-group 10
ip access-group deny_udp in
half-duplex
!
ip access-list extended deny_udp
deny udp any any eq ntp
R11
interface Ethernet1/0
ip address 172.16.14.34 255.255.255.248
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip pim sparse-dense-mode
ip access-group deny_udp in
half-duplex
!
ip access-list extended deny_udp
deny udp any any eq ntp
Prob.1 > R5
Prob.2 > R9
Prob.3 > R9
Verification steps:
R5/R13#show ntp association detail <--should be synchronized and sane
4. PPP/RIP (2 points)
R24 cannot ping R29 192.168.20.1, Fix it
Initial Configs ()
R25
service password-encryption
!
interface Serial1/0 ---> connecting to R29
ip address 172.16.9.1 255.255.255.248
encapsulation ppp
serial restart-delay 0
no fair-queue
!
router eigrp 200
network 10.1.1.25 0.0.0.0
network 172.16.10.77 0.0.0.0
!
router rip
version 1
network 172.16.0.0
R29
no service password-encryption
!
interface Loopback1
ip address 192.168.20.1 255.255.255.255
!
interface Serial1/0
ip address 172.16.9.2 255.255.255.248
encapsulation ppp
serial restart-delay 0
no fair-queue
ppp chap hostname ccie
ppp chap password 0 cisco
!
router rip
network 172.16.0.0
Verification steps:
R25/R29#show ip interface brief <--serial1/0 should be up
R25#show ip route <--should see the network 192.168.20.0
R24#telnet 192.168.20.1
open...
5. OSPF (3 points)
PC 10.1.1.20 on R20 cannot ping PC 10.1.1.28 on R28, Fix it
Initial Configs ()
R18
router ospf 1
router-id 10.1.1.18
log-adjacency-changes
area 0 max lsa X
area 3 virtual-link 10.1.1.16 authentication message-digest
area 3 virtual-link 10.1.1.16 message-digest-key 1 md5 cisco
network 10.1.1.18 0.0.0.0 area 0
network 10.10.10.1 0.0.0.0 area 0
network 172.16.12.6 0.0.0.0 area 3
!
ip route X.X.X.X 0.0.0.X.172.16.12.5 --->pointing toward R17
R17
interface Ethernet0/0
ip address 172.16.12.5 255.255.255.252
ip access-group 111 in
half-duplex
!
router ospf 1
area 0 max lsa 5
!
interface Ethernet1/0
ip address 172.16.12.2 255.255.255.252
ip ospf network point-to-point
half-duplex
ip access-list extended 111
deny icmp any any
permit udp any any
permit ospf any any
permit tcp any any
!
ip route X.X.X.X 0.0.0.X 172.16.12.6 --->pointing toward R18
R16
interface Ethernet2/0 ---> facing R17
ip address 172.16.12.1 255.255.255.252
ip ospf network broadcast
half-duplex
!
router ospf 1
router-id 10.1.1.16
log-adjacency-changes
area 3 virtual-link 10.1.1.18 authentication message-digest
area 3 virtual-link 10.1.1.18 message-digest-key 1 md5 cisc0
network 10.1.1.16 0.0.0.0 area 3
network 172.16.12.1 0.0.0.0 area 3
network 172.32.10.2 0.0.0.0 area 1
distribute-list 12 in e1/0
R8
router eigrp 200
redistribute ospf 1 metric 100000 100 255 1 1500
network 10.1.1.8 0.0.0.0
network 172.16.16.21 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
redistribute eigrp 200 subnets
network 172.32.10.1 0.0.0.0 area 1
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 10.1.1.8 mask 255.255.255.255
neighbor 10.1.1.6 remote-as 200
neighbor 10.1.1.6 password cisco
neighbor 10.1.1.6 update-source Loopback0
neighbor 10.1.1.6 route-reflector-client
neighbor 10.1.1.6 next-hop-self
neighbor 197.68.3.2 remote-as 300
no auto-summary
R27
router ospf 1
log-adjacency-changes
network 10.1.1.27 0.0.0.0 area 0
network 172.16.17.9 0.0.0.0 area 0
!
router bgp 300
no synchronization
bgp log-neighbor-changes
bgp default local-preference 200
network 10.1.1.27 mask 255.255.255.255
neighbor 10.1.1.28 remote-as 300
neighbor 10.1.1.28 update-source Loopback0
neighbor 197.68.3.1 remote-as 200
no auto-summary
Prob.3 > R20 area 0
Prob.8 > R16 distribute-list
Prob.9 > R18 distribute list
6. ZBFW (2 points)
R30 cannot telnet R31, fix it
R30#telnet 10.1.1.31
Trying open 10.1.1.31
User verification
.....
--> Should match the given "show policy-map type inspect zone-pair sessions" output. R31 is in outside zone, R30 was in inside zone.
Initial Configs ()
R29
class-map type inspect match-all telneticmp
match protocol telnet
match protocol icmp
class-map type inspect match-all http
match protocol http
class-map type inspect match-all outbound
match access-group name from R30toR31
!
class type inspect outbound
inspect
class type inspect telneticmp
inspect
class type inspect http
inspect
!
zone security zonein
zone security zoneout
!
zone-pair security inbound source zoneout destination zonein
zone-pair security outbound source zonein destination zoneout
!
interface Ethernet2/0<-- to R30
ip address 172.16.39.29 255.255.255.248
no shutdown
zone-member security zoneout
half-duplex
!
interface Ethernet2/1 <-- to R31
ip address 172.16.129.29 255.255.255.248
no shutdown
zone-member security zonein
half-duplex
!
ip access-list extended R30toR31
permit ip host 172.16.39.30 host 10.1.1.31
permit ip host 10.1.1.30 host 10.1.1.31
permit ip host 10.1.1.30 host 172.16.129.31
permit ip host 172.16.39.30 host 172.16.129.31
!
router rip
version 2
network 172.16.0.0
network 192.168.20.0
no auto-summary
R30
interface Loopback0
ip address 10.1.1.30 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.39.30 255.255.255.248
half-duplex
no shutdown
!
R31
interface Loopback0
ip address 10.1.1.31 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.129.31 255.255.255.248
half-duplex
no shutdown
!
Prob.8 > R29
7. BGP (2 points)
R28 must see two next hop for the network 1.100.100.100 in show ip bgp table
R28 must see 2 paths in BGP table
R28 must select path through R26
Not allowed to touch AS100 & 300 configuration (variable depending on the Lab)
Initial Configs ()
R6
router bgp 200
bgp log-neighbor-changes
network 10.1.1.6 mask 255.255.255.255
neighbor 10.1.1.2 remote-as 200
neighbor 10.1.1.2 update-source Loopback0
neighbor 10.1.1.2 route-reflector-client
neighbor 10.1.1.7 remote-as 200
neighbor 10.1.1.7 update-source Loopback0
neighbor 10.1.1.7 route-reflector-client
neighbor 10.1.1.8 remote-as 200
neighbor 10.1.1.8 update-source Loopback0
no auto-summary
R7
router bgp 200
synchronization
bgp log-neighbor-changes
network 10.1.1.7 mask 255.255.255.255
bgp maxas-limit 1
neighbor 10.1.1.6 remote-as 200
neighbor 10.1.1.6 update-source Loopback0
neighbor 10.1.1.6 route-reflector-client
neighbor 197.68.2.2 remote-as 300
neighbor 197.68.2.2 route-map toas300 out
no auto-summary
!
route-map toas300 permit 10
match ip address toas300
set metric 99
!
ip access-list extended toas300
permit ip any any
R8
router bgp 200
bgp log-neighbor-changes
network 10.1.1.8 mask 255.255.255.255
neighbor 10.1.1.6 remote-as 200
neighbor 10.1.1.6 password cisc0
neighbor 10.1.1.6 update-source Loopback0
neighbor 10.1.1.6 next-hop-self
neighbor 197.68.3.2 remote-as 300
neighbor 197.68.3.2 route-map toas300 out
no auto-summary
!
route-map toas300 permit 10
match ip address toas300
!
ip access-list extended toas300
permit ip any any
R26
router bgp 300
no synchronization
bgp log-neighbor-changes
network 10.1.1.26 mask 255.255.255.255
neighbor 10.1.1.28 remote-as 300
neighbor 10.1.1.28 update-source Loopback0
neighbor 197.68.2.1 remote-as 200
no auto-summary
R27
router bgp 300
no synchronization
bgp log-neighbor-changes
network 10.1.1.27 mask 255.255.255.255
neighbor 10.1.1.28 remote-as 300
neighbor 10.1.1.28 update-source Loopback0
neighbor 197.68.3.1 remote-as 200
no auto-summary
Prob.2 > R7
Prob.3 > R7
Prob.6 > R7,
Prob.10 > R8
Verification steps:
R28# sh ip bgp 1.100.100.100 <-- should see two possible next hops R26 & R27 with R26 being the preferred next hop
8. IPv6 (2 points)
R1 can not telnet R4 IPv6 address 2011:ABC:34::4, fix the problem
Note: Not allowed to delete any configuration!
Initial Configs ()
R1
ipv6 unicast-routing
!
interface Loopback1
ip address 10.1.1.1 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet1/0
ip address 172.16.15.1 255.255.255.248
ip pim sparse-dense-mode
half-duplex
ipv6 address 2011:ABC:13::1/64
ipv6 ospf 1 area 0
!
ipv6 router ospf 1
log-adjacency-changes
router-id 10.1.1.4
R3
ipv6 unicast-routing
!
interface Ethernet0/0
ip address 172.16.15.9 255.255.255.248
ip pim sparse-dense-mode
half-duplex
ipv6 address 2011:ABC:34::3/64
ipv6 ospf 1 area 0
!
interface Ethernet1/0
ip address 172.16.15.2 255.255.255.248
ip pim sparse-dense-mode
half-duplex
ipv6 address 2011:ABC:13::3/64
ipv6 ospf 1 area 0
ipv6 traffic-filter filter in
!
ipv6 access-list filter
deny ipv6 any any routing
R4
ipv6 unicast-routing
interface Ethernet0/0
ip address 172.16.15.10 255.255.255.248
ip pim sparse-dense-mode
half-duplex
ipv6 address 2011:ABC:34::4/64
ipv6 ospf 1 area 0
!
ipv6 router ospf 1
log-adjacency-changes
Summary of issues
a. R3 ACL Blocking IPv6 traffic <-- should add explicit rules for link-local addresses
ipv6 access-list filter
permit 89 any host FF02::5 seq 1 <-- OSPFv3 Multicast dest IP
permit 89 any host FF02::6 seq 2
permit 89 host <R1 link local> host <R3 link local> seq 3
permit icmp any any seq 4
deny ipv6 any any (by default seq 10) <-- don't touch
b. R1/R4 Duplicate router-id <-- make sure R1 router-id is set to its Loopback1 IP
Verification steps:
R1# ping 2011:ABC:34::4
9. MST (2 points)
R10 must reach R9 in a single hop, SW1 (or SW2) is not allowed to be touched
SW1
hostname SW1
no aaa new-model
clock timezone CSRT 8
!
ip cef
!
no ipv6 cef
!
spanning-tree mode mst
spanning-tree extended system-id
!
spanning-tree mst configuration
name cisco
instance 1 vlan 102,119
instance 2 vlan 109,129
!
spanning-tree mst 2 priority 0
vlan internal allocation policy ascending
!
int e0/0
swi
swi acce vlan 102
swi mode acce
!
int e0/1
swi
shutdown
!
int e0/2
swi
swi acce vlan 129
swi mode acce
!
int e0/3
swi
swi acce vlan 109
swi mode acce
!
int e1/0
swi
swi acce vlan 102
swi mode acce
!
int e1/1
swi
shut
!
int e1/2
swi
swi acce vlan 110
swi mode acce
!
int e1/3
swi
shut
!
int e2/0
swi
swi trunk encapsulation dot1q
swi mode trunk
!
int e2/1
swi
swi trunk enc dot1q
swi mode trunk
shut
!
int e2/2
swi
shut
!
int e2/3
swi
shut
SW2
hostname SW2
no aaa new-model
clock timezone CSRT 8
!
ip cef
!
no ipv6 cef
!
spanning-tree mode mst
spanning-tree extended system-id
!
spanning-tree mst configuration
name cisco
instance 1 vlan 102,119
instance 2 vlan 109,129
!
spanning-tree mst 2 priority 24576
vlan internal allocation policy ascending
!
int e0/0
swi
swi acce vlan 110
swi mode acce
!
int e0/1
swi
swi acce vlan 109
swi mode acce
!
int e0/2
swi
shut
!
int e0/3
swi
swi acce vlan 119
swi mode acc
!
int e1/0
swi
shut
!
int e1/1
swi
swi acce vlan 129
swi mode acce
!
int e1/2
swi
shut
!
int e1/3
swi
swi acce vlan 119
swi mode access
!
int e2/0
swi
swi trunk encapsulation dot1q
swi mode trunk
!
int e2/1
swi
swi trunk enc dot1q
swi mode trunk
shut
!
int e2/2
swi
shut
!
int e2/3
swi
shut
R9
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
ip multicast-routing
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
!
vlan internal allocation policy ascending
!
interface Loopback0
ip address 10.1.1.9 255.255.255.255
ip pim sparse-dense-mode
!
interface FastEthernet0/0
ip address 172.16.14.1 255.255.255.248
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no switchport
ip address 172.16.14.33 255.255.255.248
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip igmp access-group 10
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
!
router ospf 1
log-adjacency-changes
network 10.1.1.9 0.0.0.0 area 0
network 172.16.14.1 0.0.0.0 area 0
network 172.16.14.33 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
ip pim rp-address 10.1.1.3
!
access-list 10 deny 10.1.1.3
!
control-plane
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
!
end
Note: This question has 2 completely different requirements depending on the Lab. In some labs you are required not to touch SW1, and in others you are required not to touch SW2.
a. The R9-R10 VLAN is blocked on trunk1 and allowed on trunk2, but trunk2 is in spanning-tree blocking state for MSTX (which contains the R9-R10 VLAN). This brings the link between R9 and R10 down <-- Just lower the port-priority on trunk2 so it can become the forwarding port, or raise the port-priority on trunk1 so trunk2 is preferred.
interface ex/y
spanning-tree mst x port-priority 0
Note: The switch denied to be touched is the root for the mst containing the vlan between R9-R10
b. R9 Existing route-map dropping some traffic <-- the route-map selects certain traffic and has an explicit deny. Put another route-map with the permit statement
10. MSDP (3 points)
R13 cannot ping R28 group 224.8.8.8 in AS 200, Fix it
(R8->R6->R2)->(R1->R3->R5)->R9->R11->R13
AS200 AS100
R8
ip multicast-routing
!
interface Loopback0
ip address 10.1.1.8 255.255.255.255
ip pim sparse-dense-mode
ip igmp join-group 224.8.8.8
!
interface Ethernet0/0
ip address 172.16.16.21 255.255.255.248
half-duplex
!
router eigrp 200
redistribute ospf 1 metric 100000 100 255 1 1500
redistribute bgp 200 metric 100000 100 255 1 1500
network 10.1.1.8 0.0.0.0
network 172.16.16.21 0.0.0.0
no auto-summary
!
ip pim rp-address 10.1.1.2
R6
ip multicast-routing
!
interface Loopback0
ip address 10.1.1.6 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet0/0
ip address 172.16.16.19 255.255.255.248
half-duplex
!
interface Ethernet1/0
ip address 172.16.16.2 255.255.255.248
ip pim sparse-dense-mode
half-duplex
!
router eigrp 200
network 10.1.1.6 0.0.0.0
network 172.16.16.2 0.0.0.0
network 172.16.16.19 0.0.0.0
no auto-summary
!
R2
interface Loopback0
ip address 10.1.1.2 255.255.255.255
ip pim sparse-dense-mode
!
interface Loopback1
ip address 200.0.0.1 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet0/0
ip address 197.68.1.2 255.255.255.252
ip pim sparse-dense-mode
half-duplex
ipv6 address 2011:ABC:12::2/64
ipv6 ospf 1 area 0
!
interface Ethernet1/0
ip address 172.16.16.1 255.255.255.248
ip pim sparse-dense-mode
half-duplex
!
router eigrp 200
network 10.1.1.2 0.0.0.0
network 172.16.16.1 0.0.0.0
no auto-summary
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 10.1.1.1 mask 255.255.255.255
neighbor 10.1.1.6 remote-as 200
neighbor 10.1.1.6 update-source Loopback0
neighbor 10.1.1.6 next-hop-self
neighbor 197.68.1.1 remote-as 100
no auto-summary
!
address-family ipv4 unicast
no synchronization
network 10.1.1.2 mask 255.255.255.255
redistribute eigrp 200
neighbor 10.1.1.6 activate
neighbor 10.1.1.6 next-hop-self
neighbor 197.68.1.1 activate
exit-address-family
!
address-family ipv4 multicast
network 200.0.0.1 mask 255.255.255.255
neighbor 197.68.1.1 activate
no auto-summary
exit-address-family
!
ip msdp peer 10.1.1.3 connect-source Loopback1 remote-as 100
!
ip pim rp-address 10.1.1.2
R1
ip multicast-routing
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet0/0
ip address 197.68.1.1 255.255.255.252
ip pim sparse-dense-mode
half-duplex
ipv6 address 2011:ABC:12::1/64
ipv6 ospf 1 area 0
!
interface Ethernet1/0
ip address 172.16.15.1 255.255.255.248
ip pim sparse-dense-mode
half-duplex
ipv6 address 2011:ABC:13::1/64
ipv6 ospf 1 area 0
!
router ospf 1
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 3
network 172.16.15.1 0.0.0.0 area 3
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 1.100.100.100 mask 255.255.255.255
network 10.1.1.1 mask 255.255.255.255
neighbor 10.1.1.3 remote-as 100
neighbor 10.1.1.3 update-source Loopback0
neighbor 10.1.1.3 next-hop-self
neighbor 197.68.1.2 remote-as 200
neighbor 197.68.1.2 route-map as100 out
no auto-summary
!
address-family ipv4 unicast
no synchronization
neighbor 10.1.1.3 activate
neighbor 10.1.1.3 next-hop-self
neighbor 197.68.1.2 activate
exit-address-family
!
address-family ipv4 multicast
neighbor 10.1.1.3 activate
no auto-summary
exit-address-family
ip pim rp-address 10.1.1.3
R3
ip multicast-routing
!
interface Loopback0
ip address 10.1.1.3 255.255.255.255
ip pim sparse-dense-mode
!
interface Loopback1
ip address 200.0.0.3 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet0/0
ip address 172.16.15.9 255.255.255.248
ip pim sparse-dense-mode
half-duplex
ipv6 address 2011:ABC:34::3/64
ipv6 ospf 1 area 0
!
interface Ethernet1/0
ip address 172.16.15.2 255.255.255.248
ip pim sparse-dense-mode
half-duplex
ipv6 address 2011:ABC:13::3/64
ipv6 ospf 1 area 0
ipv6 traffic-filter filter in
!
router ospf 1
log-adjacency-changes
network 10.1.1.3 0.0.0.0 area 3
network 172.16.15.2 0.0.0.0 area 3
network 172.16.15.9 0.0.0.0 area 3
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 10.1.1.3 mask 255.255.255.255
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.1.1 update-source Loopback0
neighbor 10.1.1.1 route-reflector-client
neighbor 10.1.1.4 remote-as 100
neighbor 10.1.1.4 update-source Loopback0
neighbor 10.1.1.4 route-reflector-client
neighbor 10.1.1.5 remote-as 100
neighbor 10.1.1.5 update-source Loopback0
neighbor 10.1.1.5 route-reflector-client
no auto-summary
!
address-family ipv4 unicast
no synchronization
network 10.1.1.3 mask 255.255.255.255
neighbor 10.1.1.1 activate
exit-address-family
!
address-family ipv4 multicast
network 200.0.0.3 mask 255.255.255.255
neighbor 10.1.1.1 activate
no auto-summary
exit-address-family
!
ip msdp peer 10.1.1.2 connect-source loopback 0 remote-as 200
!
ip pim rp-address 10.1.1.3
R9
interface Loopback0
ip address 10.1.1.9 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet0/0
ip address 172.16.14.1 255.255.255.248
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip igmp access-group 10
half-duplex
!
interface Ethernet1/0
ip address 172.16.14.33 255.255.255.248
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
half-duplex
!
access-list 10 deny 10.1.1.3
Summary of issues
a. Wrong MSDP source and peer IPs <---
R3:ip msdp peer 200.0.0.2 connect-source loopback 1 remote-as 200
R2:ip msdp peer 200.0.0.3 connect-source Loopback1 remote-as 100
b. R6/R9 Missing RP config <-- R6: ip pim rp-address 10.1.1.2, R9: ip pim rp-address 10.1.1.3
c. R8 Missing PIM command on R8 interface <-- enable ip pim sparse-dense-mode on the interface connecting R8->R6
d. R9 IGMP traffic being blocked <-- change the ACL 10 to permit any
e. R1 Missing OSPF/BGP address-family ipv4 multicast redistribution<-- under R1 address-family ipv4 multicast, add the command "redistribute ospf 1"
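The address mismatch in item a can be checked mechanically. The Python sketch below is an added example, not part of the original lab notes: it parses only the interface, router bgp and ip msdp peer lines quoted above for R2 and R3 and reports peerings where one side's connect-source address is not the address the other side has configured as its peer. The config strings are constructed from those lines, the function names are hypothetical, and the corrected R3 peer address assumes R2's Loopback1 is 200.0.0.1 as in the R2 snippet above.

```python
import ipaddress
import re

PEER_RE = re.compile(
    r"^ip msdp peer (\S+) connect-source (.+?)(?: remote-as (\d+))?$", re.I)


def norm_if(name):
    # "loopback 0" and "Loopback0" name the same interface.
    return re.sub(r"\s+", "", name).lower()


def parse(text):
    # Pull interface addresses, the BGP AS and MSDP peers out of IOS-style text.
    addrs, peers, asn, current = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("interface "):
            current = norm_if(line[len("interface "):])
        elif low.startswith("ip address ") and current:
            addrs[current] = ipaddress.IPv4Address(line.split()[2])
        elif low.startswith("router bgp "):
            asn, current = int(line.split()[2]), None
        else:
            m = PEER_RE.match(line)
            if m:
                current = None
                peers.append((ipaddress.IPv4Address(m.group(1)),
                              norm_if(m.group(2)),
                              int(m.group(3)) if m.group(3) else None))
    return {"addrs": addrs, "peers": peers, "asn": asn}


def audit(configs):
    # Return one finding per MSDP peer statement that cannot form a session.
    routers = {n: parse(t) for n, t in configs.items()}
    owner = {a: n for n, r in routers.items() for a in r["addrs"].values()}
    findings = []
    for name in sorted(routers):
        local = routers[name]
        for peer_ip, src_if, want_as in local["peers"]:
            src_ip = local["addrs"].get(src_if)
            remote = owner.get(peer_ip)
            if src_ip is None:
                findings.append(f"{name}: connect-source {src_if} has no address")
            elif remote is None:
                findings.append(f"{name}: peer {peer_ip} is not on any audited router")
            elif remote == name:
                findings.append(f"{name}: peer {peer_ip} is the router's own address")
            else:
                expected = {p[0] for p in routers[remote]["peers"]}
                if src_ip not in expected:
                    want = ", ".join(sorted(map(str, expected))) or "none"
                    findings.append(f"{name}: sources MSDP from {src_ip} "
                                    f"but {remote} is configured for peer {want}")
                remote_as = routers[remote]["asn"]
                if want_as and remote_as and want_as != remote_as:
                    findings.append(f"{name}: remote-as {want_as} "
                                    f"but {remote} runs AS {remote_as}")
    return findings


def router(asn, lo0, lo1, msdp):
    # Build a minimal config snippet (constructed sample, not a full device config).
    return (f"interface Loopback0\nip address {lo0} 255.255.255.255\n"
            f"interface Loopback1\nip address {lo1} 255.255.255.255\n"
            f"router bgp {asn}\n{msdp}\n")


# Initial (faulty) state, constructed from the R2 and R3 lines on this page.
INITIAL = {
    "R2": router(200, "10.1.1.2", "200.0.0.1",
                 "ip msdp peer 10.1.1.3 connect-source Loopback1 remote-as 100"),
    "R3": router(100, "10.1.1.3", "200.0.0.3",
                 "ip msdp peer 10.1.1.2 connect-source loopback 0 remote-as 200"),
}

# Corrected state: both sides peer Loopback1 to Loopback1 (assumed addresses).
FIXED = {
    "R2": router(200, "10.1.1.2", "200.0.0.1",
                 "ip msdp peer 200.0.0.3 connect-source Loopback1 remote-as 100"),
    "R3": router(100, "10.1.1.3", "200.0.0.3",
                 "ip msdp peer 200.0.0.1 connect-source loopback 1 remote-as 200"),
}

# Constructed edge case: R3 points the peer statement at its own Loopback1.
SELF_PEER = dict(FIXED, R3=router(
    100, "10.1.1.3", "200.0.0.3",
    "ip msdp peer 200.0.0.3 connect-source loopback 1 remote-as 200"))

if __name__ == "__main__":
    for label, cfg in (("initial", INITIAL), ("fixed", FIXED), ("self", SELF_PEER)):
        print(label, audit(cfg) or "consistent")
```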
###################################################
###################################################
###################################################
1. FRAME RELAY (2 points)
Requires R15 to telnet to R13 and R14 loopbacks
R13
interface Serial0/0
ip address 172.16.13.2 255.255.255.248
encapsulation frame-relay
ip ospf network broadcast or point-to-multipoint
frame-relay map ip 172.16.13.4 341 broadcast
frame-relay map ip 172.16.13.3 345 broadcast
frame-relay lmi-type cisco
no frame-relay inverse arp
R14
interface Serial0/0
ip address 172.16.13.4 255.255.255.248
encapsulation frame-relay
ip ospf network broadcast or point-to-multipoint
frame-relay map ip 172.16.13.2 314 broadcast
frame-relay map ip 172.16.13.3 315 broadcast
frame-relay lmi-type cisco
no frame-relay inverse arp
R15
interface Serial1/0
ip address 172.16.13.3 255.255.255.248
encapsulation frame-relay
ip ospf network broadcast or point-to-multipoint
frame-relay map ip 172.16.13.4 351 broadcast
frame-relay map ip 172.16.13.2 354 broadcast
frame-relay lmi-type cisco
no frame-relay inverse arp
Verification steps:
show frame-relay map <--DLCI should be active
sh run interface s0/0/0
R15# telnet 10.1.1.14
....open
R15# telnet 10.1.1.14
....open
Prob.4 > Wrong sub-interface type-- in case sub-interface is used, it should be always multipoint
Prob.9 > FR switch not configured with two dlci 345 334 (if It is allowed to touch)
Prob.12 > R15 password is “cIsco” change it to “cisco” --------- (26 Aug Update )
2. HSRP (2 points)
Ensure the output of "show standby" on R22 and R23 is the same as shown below
R22 being the active unit with a priority configured of 100 (not by default), and also a track 1 configured and up, with a decrement value of 60.
R23 is the standby unit, using the default priority value (100), no authentication, with preempt, track 1 configured and up, with a decrement value of 60.
R22
interface Ethernet0/0
standby 1 priority 100
standby 1 track 1 decrement 60
no standby 1 preempt
R23
interface Ethernet0/0
no standby 1 priority 150
no standby 1 authentication md5 key-string cisco
standby 1 track 1 decrement 60
R21 (if it was 1.1.70.0/24)
router eigrp 200
redistribute ospf 1 metric 10000 100 255 1 1500 route-map PREFIX
!
route-map PREFIX permit 10
match ip address 1
!
access-list 1 permit 1.1.70.0 0.0.0.255
R13 (if it was the default route)
!
router ospf 1
area 1 nssa default-information originate always
Verification steps:
R22/R23#show standby <--should match exactly the output given
Make sure to add the metric "values" and "access-list 1 permit 1.1.70.0 0.0.0.255"
Prob.5 > Distribute-list on R21 EIGRP ---- permit the network 1.1.70.0/24 in that prefix-list. Also on R21, when redistributing OSPF into EIGRP, a route-map is applied which uses an access-list in which network 1.1.70.0/24 is explicitly denied; permit that specific network -------- (26 Aug Update)
Prob.6 > R22, R23 HSRP standby output: R22 will be standby, preemption disabled, priority default 100. R23 will be active, preempt enabled. There was standby track 1 shutdown on R22. I removed it. It was such an easy question, as usual. ---- (update from a candidate who faced it on 16 Aug)
Prob.7 > R22 - Priority was 150, change to default, Standby ip was in Group 2, change to Group 0, Track route was there, but standby track 1 shutdown was there, I changed to standby track 1 reachability decrement 10
3. NTP (2 points)
R13 NTP cannot synchronize with R5, Fix it
R5
ntp authentication-key 1 md5 cisco
R13
ntp authentication-key 1 md5 cisco
ntp server 10.1.1.5 key 1
ntp authentication
ntp trusted-key
R9
ip access-list extended deny_udp
permit ip any any
R11
!
ip access-list extended deny_udp
permit ip any any
Prob.1 > R5 Missing trust-key command
Prob.2 > R9 Access list blocking UDP traffic ------- Change it to permit
Prob.3 > R9 configured class map to NTP...in that Remove Drop command in policy Map
Verification steps:
R5/R13#show ntp association detail <--should be synchronized and sane
4. PPP/RIP (2 points)
R24 cannot ping R29 192.168.20.1, Fix it
R25
username ccie password cisco
interface Serial1/0 ---> connecting to R29
ip address 172.16.9.1 255.255.255.248
clockrate 512000
ppp authentication chap
!
router eigrp 200
redistribute rip metric 100000 100 255 1 1500
no auto-summary
!
router rip
version 2
R29
interface Serial1/0
ip address 172.16.9.2 255.255.255.248
encapsulation ppp
ppp chap hostname ccie
ppp chap password 0 cisco
!
router rip
version 2
network 172.16.0.0
no auto-summary
Verification steps:
R25/R29#show ip interface brief <--serial1/0 should be up
R25#show ip route <--should see the network 192.168.20.0
R24#telnet 192.168.20.1
open...
5. OSPF (3 points)
R18
no ip route X.X.X.X 0.0.0.X.172.16.12.5 --->pointing toward R17
router ospf 1
no area 0 max lsa X
R17
interface Ethernet1/0
ip ospf network broadcast
!
ip access-list extended 111
permit icmp any any
!
router ospf 1
no area 0 max lsa 5
!
no ip route X.X.X.X 0.0.0.X 172.16.12.6--->pointing toward R18
R16
interface Ethernet2/0 ---> facing R17
ip ospf network broadcast
!
router ospf 1
area 3 virtual-link 10.1.1.18 message-digest-key 1 md5 cisco
distribute-list 12 in e1/0
!
access-list 12 permit any
R8
router ospf 1
redistribute bgp 200 subnets
!
router bgp 200
no synchronization
redistribute ospf 1
R27
router bgp 300
neighbor 10.1.1.28 next-hop-self
Summary of issues
Verification steps:
R20#ping 10.1.1.28 source loopback0
trying open 10.1.1.28
user verification
password:
Prob.3 > R20 area 0 authentication message-digest
Prob.8 > R16 distribute-list locking the n/w 10.1.1.28
Prob.9 > R18 distribute list in its E0/1 interface
6. ZBFW (2 points)
R29
class-map type inspect match-all telneticmp
no match protocol icmp
!
policy-map type inspect outbound
policy-map type inspect inbound
!
zone-pair security inbound source zoneout destination zonein
service-policy type inspect inbound
zone-pair security outbound source zonein destination zoneout
service-policy type inspect outbound
!
interface Ethernet2/0<-- to R30
zone-member security zonein
!
interface Ethernet2/1 <-- to R31
zone-member security zoneout
!
ip route 10.1.1.30 255.255.255.255 172.16.39.30
ip route 10.1.1.31 255.255.255.255 172.16.129.31
R30
ip route 0.0.0.0 0.0.0.0 172.16.39.29
R31
ip route 0.0.0.0 0.0.0.0 172.16.129.29
Prob.8 > R29 under policy-map change pass to inspect
Verification steps:
R30#telnet 10.1.1.31
Trying open 10.1.1.31
User verification
.....
then -->R29#show policy-map type inspect zone-pair sessions <-- should match exactly the given output
7. BGP (2 points)
R28 must see two next hop for the network 1.100.100.100 in show ip bgp table
R28 must see 2 paths in BGP table
R28 must select path through R26
Not allowed to touch AS100 & 300 configuration (variable depending on the Lab)
R6
router bgp 200
no synchronization
neighbor 10.1.1.8 route-reflector-client
neighbor 10.1.1.8 password cisco
no auto-summary
R7
router bgp 200
no synchronization
bgp default local-preference 200
no bgp maxas-limit 1
neighbor 10.1.1.6 next-hop-self
neighbor 197.68.2.2 next-hop-self
!
route-map toas300 permit 10
set metric 100
!
R8
router bgp 200
no synchronization
bgp default local-preference 200
neighbor 10.1.1.6 password cisco
neighbor 10.1.1.6 route-reflector-client
redistribute ospf 1
!
route-map toas300 permit 10
set metric 100
!
R26
router bgp 300
bgp default local-preference 200
R27
router bgp 300
bgp default local-preference 200
nei 10.1.1.28 next-hop-self
Prob.2 > R7 Metric is Higher Make it Lower Than R8 ie 99 ------ Adjust it according to the Question
Prob.3 > R7 remove community list or modify it according to the question (neighbor 172.16.11.11 route-map out) route-map community match community 666
Prob.6 > R7, change route-map MED to 99
Prob.10 > R8 has COPP policy on Control plane, remove it or correct with no drop.
Verification steps:
R28# sh ip bgp 1.100.100.100 <-- should see two possible next hops R26 & R27 with R26 being the preferred next hop
8. IPv6 (2 points)
R1 can not telnet R4 IPv6 address 2011:ABC:34::4, fix the problem
R1
ipv6 router ospf 1
router-id 10.1.1.1
R3
interface Ethernet1/0
ipv6 traffic-filter filter in
!
ipv6 access-list filter
permit 89 any host FF02::5 seq 1 <-- OSPFv3 Multicast dest IP
permit 89 any host FF02::6 seq 2
permit 89 host <R1 link local> host <R3 link local> seq 3
permit icmp any any seq 4
deny ipv6 any any
R4
ipv6 router ospf 1
router-id 10.1.1.4
Summary of issues
Verification steps:
R1# ping 2011:ABC:34::4
9. MST (2 points)
R10 must reach R9 in a single hop, SW1 (or SW2) is not allowed to be touched
SW2
int e0/1
spanning-tree mst 1 port-priority 0
!
R9
If a route-map is already configured here, create another new one.
b. R9 Existing route-map dropping some traffic <-- the route-map selects certain traffic and has an explicit deny. Put another route-map with the permit statement
route-map kakuninnhituyou
match ip add 1
Prob.1 > One trunk link has removed vlan 109. Make other trunk link priority lower so that it is preferred
Prob.2 > One trunk link has removed vlan 109, and same trunk link has mst priority 0. Change it to 240
Prob.3 > removed vlan 109/911
Prob.4 > Trunk is not defined
Prob.5 > Access port not defined --------------------------------------- ( Aug 26 update)
Prob.6 > SW1-SW2 has no mapping of vlan 109 --------- instance 1 vlan 109 On both Switches
Prob.7 > R9 Existing route-map dropping some traffic
Prob.8 > R10 was in wrong vlan - change to vlan 109 ------------- (31 Aug Update)
10. MSDP (3 points)
R13 cannot ping R28 group 224.8.8.8 in AS 200, Fix it
(R8->R6->R2)->(R1->R3->R5)->R9->R11->R13
AS200 AS100
R8
interface Ethernet0/0
ip pim sparse-dense-mode
R6
interface Ethernet0/0
ip pim sparse-dense-mode
!
ip pim rp-address 10.1.1.2
R2
ip msdp peer 200.0.0.3 connect-source Loopback1 remote-as 100
!
ip pim rp-address 10.1.1.2
R1
router bgp 100
address-family ipv4 multicast
redistribute ospf 1
exit-address-family
R3
ip msdp peer 200.0.0.3 connect-source loopback 1 remote-as 200
!
ip pim rp-address 10.1.1.3
R9
access-list 10 permit any
ip pim rp-address 10.1.1.3
Problems:-
Prob.1 > R3 change msdp loopback0 to lo1 200.0.0.1
Prob.2 > R2-R3 originator-id lo1
Prob.3 > R2 rp-address 200.0.0.1
Prob.4 > R2 MSDP peer lo1
Prob.5 > R1/R11 assign RP address 100.0.0.1
Prob.6 > R6 assign RP address 10.1.1.8
Prob.7 > R3 Access-list 111 change to permit (Alternate pre config) ip msdp redistribute list 111
Prob.8 > R2 Enable pim on Serial link
Prob.9 > R1 Redistribute Mutually Wrong
Prob.10 > For MSDP, they have static mroutes on R5 which point R13 to wrong destination.
I can't recall exactly what the mroute was.
Prob.11 > For MSDP, R8 was not joined to the IGMP group they want you to ping.
Prob.12 > For MSDP, connect source AS missing on the statements
Prob.13 > For MSDP, wrong source interface used on R3 side.
Prob.14 > R9 missing rp configuration
Prob.15 > R9 IGMP traffic being blocked -- change the ACL 10 to permit any
Prob.16 > R1 Missing OSPF/BGP address-family ipv4 multicast redistribution
Prob.17 > R3 ip msdp sa-filter in 10.1.1.2 ------------------------------------------- remove it
Prob.18 > R6 Multicast routing is disabled ---- Enable multicast routing and put the interface
into sparse-dense mode