Wednesday, July 25, 2012

CCIE Routing & Switching LAB Soution(K1)


1.1 Errors in Initial Configuration

    VTP domain name mismatch.
    VTP password mismatch.
    Backup interface configured in SW1 fa 0/10 (or maybe in some other switches or interface)
    VTP version mismatch.
    'no peer neighbor-route' to be given if missing somewhere where required.

1.2 Switching

Configure all of the appropriate non trunking access switch ports on sw1, sw2, sw3, according to the following requirements.

    Configure the VLANs for the access switch ports as shown in the table.
    Include the ports to BB1, BB2 and BB3.
    Configure trunks between sw2 fa0/2 and R2 G0/1
    Ensure that SW1 is the spanning-tree Root Switch for all vlans and has the best chance of staying as such, even for any new vlan that might added in the future
    Make sure that the spanning tree enters the forwarding state immediately only for these access switch ports, by passing the listening and learning states.
    Avoid transmitting bridge protocol data units (BPDUs) on these access switch ports, if a BPDU is received on any of these ports, the ports should transition back to the listening, learning and forward states.
    Add any special layer 2 commands that are required on the routers including trunk configuration.

SW1

spanning-tree vlan 1-1005 priority 0
spanning-tree portfast bpdufilter default

interface FastEthernet0/3
switchport access vlan 3
switchport mode access
spanning-tree portfast

interface FastEthernet0/4
switchport access vlan 44
switchport mode access
spanning-tree portfast

interface FastEthernet0/5
switchport access vlan 15
switchport mode access
spanning-tree portfast

interface FastEthernet0/10
switchport access vlan 15
switchport mode access
spanning-tree portfast

SW2

spanning-tree portfast bpdufilter default
interface FastEthernet0/1
switchport access vlan 11
switchport mode access
spanning-tree portfast

interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 22,24
switchport mode trunk

interface FastEthernet0/3
switchport access vlan 13
switchport mode access
spanning-tree portfast

interface FastEthernet0/4
switchport access vlan 24
switchport mode access
spanning-tree portfast

interface FastEthernet0/5
switchport access vlan 45
switchport mode access
spanning-tree portfast

interface FastEthernet0/10
switchport access vlan 2
switchport mode access
spanning-tree portfast

SW3

spanning-tree portfast bpdufilter default
interface FastEthernet0/10
switchport access vlan 3
switchport mode access
spanning-tree portfast

SW4

spanning-tree portfast bpdufilter default

1.3 Implement Frame-Relay

Use the following requirements to configure R1 and R2 for Frame-relay and R4 the frame-relay  switch.

    Use ANSI LMI on the frame-relay switch and auto-sensing on R1 and R2
    Don't use any static frame-relay maps or inverse address resolution protocol.
    Use RFC 1490/RFC2427(IETF) encapsulation.
    Use sub-interfaces between R1 and R2
    Use largest mask for frame relay link
    Do not change anything in the frame-relay switch R4
    Use the data-link connection identifier DLCI assignments from the table below

Router  DLCI assignments
R1  100
R2  200

R1

interface Serial0/1/1
no ip address
encapsulation frame-relay ietf
no frame-relay inverse-arp
clock rate 64000

interface Serial0/1/1.100 point-to-point
ip address YY.YY.15.242 255.255.255.252
frame-relay interface-dlci 100 ietf

R2
interface Serial0/1/1
no ip address
encapsulation frame-relay ietf
no frame-relay inverse-arp
clock rate 64000

interface Serial0/1/1.200 point-to-point
ip address YY.YY.15.241 255.255.255.252
frame-relay interface-dlci 200 ietf

Frame relay switch should be already configured

R4
frame-relay switching

interface Serial0/1/0
no ip address
encapsulation frame-relay IETF
clock rate 64000
frame-relay lmi-type ansi
frame-relay intf-type dce
frame-relay route 100 interface Serial0/1/1 200

interface Serial0/1/1
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
frame-relay intf-type dce
frame-relay route 200 interface Serial0/1/0 100
no shut

1.4 Traffic Control protection from backbone

Configure traffic control on the three backbone links, protecting your network from a broadcast storm. This protection should begin once broadcast traffic is half (50%) available bandwidth. The port should remain functional during this time.

SW1, SW2, SW3

interface FastEthernet0/10
storm-control broadcast level 50.00

1.5 Trunking Manipulations

Configure the dual trunk ports between Sw1, sw2, sw3 and sw4 according to the following  requirements

    Disable DTP on six distribution ports for each switch. Use dot1q encapsulation.
    Set the list of allowed VLANs that can receive and send traffic on these interfaces in tagged format. In particular only allow the VLANs need to go through the trunk links. VLAN 1 not inclusive.
    Ensure the link to the backbone are able to read to unidirectional link failure
    Ensure the interfaces that are connected to backbone not become root switch

SW1,SW2,SW3,SW4

vlan dot1q tag native    /* if native vlan should be tagged */

interface range fa0/19 – 24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 3,11,13,,44,45
switchport nonegotiate

SW1,SW2,SW3,SW4
interface fa0/10
udld port aggressive
spanning-tree guard root

Section II layer 3 Technologies

    After finishing each of the following questions, make sure that all configured  interfaces and subnets are consistently visible on all pertinent routers and  switches.
    Do not redistribute between any interior gateway protocol (IGP) and Border  Gateway Protocol (BGP).
    You need to ping a BGP route only if stated in a question, otherwise the route should be only in the BGP table.
    At the end of section 2, all subnets in your topology, including the loop back  interfaces (except for SW3), must be reachable via ping.
    Therefore redistribute as you wish unless directly stated in the question.
    The backbone interface must be reachable only if they are part of the solution to a question.
    The loop back interfaces can be seen as either /24 or /32 in the routing tables  unless stated otherwise in a question.
    The loop back interfaces can be added into your IGP either via redistribution or  added to a routing process of your choice.

2.1 Implement IPV4 OSPF

Configure Open Shortest Path First (OSPF)

    Updates should be advertised only out of the interfaces that are indicated in the IGP topology diagram.
    The Process ID can be any number
    Don't manually change the router ID.
    Don't create additional OSPF areas
    Configure OSPF area 2 such that there are no TYPE 5 Advertisements (LSA) in the area, R1 should generate a default route.
    Configure OSPF over frame relay between R1 and R2 choosing a network type that requires designate router (DR) and backup designate router (BDR) negotiations and has the fastest recovery times.

R1

interface Serial0/1/1.100 point-to-point
ip ospf network broadcast
ip ospf dead-interval minimal hello-multiplier 20

router ospf 1
area 2 nssa default-information-originate
network YY.YY.15.161 0.0.0.0 area 0
network YY.YY.1.1 0.0.0.0 area 0
network YY.YY.15.242 0.0.0.0 area 2

R2

interface Serial0/1/1.200 point-to-point
ip ospf network broadcast
ip ospf dead-interval minimal hello-multiplier 20

router ospf 1
area 2 nssa
network YY.YY.2.2 0.0.0.0 area 2
network YY.YY.15.130 0.0.0.0 area 2
network YY.YY.15.241 0.0.0.0 area 2

R3

router ospf 1
network YY.YY.15.193 0.0.0.0 area 0

SW1

ip routing

interface Vlan11
ip address YY.YY.15.162 255.255.255.224

interface Vlan13
ip address YY.YY.15.194 255.255.255.224

router ospf 1
network YY.YY.7.7 0.0.0.0 area 0
network YY.YY.15.162 0.0.0.0 area 0
network YY.YY.15.194 0.0.0.0 area 0

SW2

interface Vlan2
ip address 150.2.1.1 255.255.255.0

interface Vlan22
ip address YY.YY.15.129 255.255.255.224

router ospf 1
area 2 nssa
network YY.YY.8.8 0.0.0.0 area 2
network YY.YY.15.129 0.0.0.0 area 2

2.2 Implement IPV4 EIGRP

Configure EIGRP 100 and EIGRP YY per the IGP topology diagram.

    EIGRP updates should be advertised only out to the interface per the IGP topology diagram.
    On R1, redistribute between OSPF and EIGRP YY. However all of the routes that are indicated below from backbone 3 (EIGRP 100) should not be redistributed between both protocols,
    Use route maps to accomplish this requirement. All route-maps should utilize the same access-list.
    Cannot disable auto-summary

    On OSPF area 0, EIGRP 100 routers should be choose the connection through R3 and should be seen as one path
    On R3 redistribute from EIGRP 100 into OSPF with metric-type 2
    On R3 redistribute from EIGRP 100 into EIGRP YY. However 3 networks 198.2.1.0 198.2.3.0 and 198.2.5.0 should be aggregated into a single address with the most specific mask possible

R1

router eigrp 1
redistribute ospf 1 metric 1544 2000 255 1 1500 route-map BLOCK
network YY.YY.1.1 0.0.0.0
network YY.YY.15.249 0.0.0.0
auto-summary

router ospf 1
redistribute eigrp 1 subnets route-map BLOCK

route-map BLOCK deny 10
match ip address 10
route-map BLOCK permit 20

access-list 10 permit 4.YY.YY.0 0.0.0.255
access-list 10 permit 128.28.2.0 0.0.0.255
access-list 10 permit 198.YY.YY.4 0.0.0.3
access-list 10 permit 198.2.1.0 0.0.0.255
access-list 10 permit 182.2.4.0 0.0.0.255
access-list 10 permit 182.2.2.0 0.0.0.255
access-list 10 permit 198.2.5.0 0.0.0.255
access-list 10 permit 150.3.YY.0 0.0.0.255

R3
router eigrp 100
no auto-summary
network 150.3.1.1 0.0.0.0

interface Serial0/1/0
ip summary-address eigrp 1 198.2.0.0 255.255.248.0

router eigrp 1
redistribute eigrp 100
network YY.YY.3.3 0.0.0.0
network YY.YY.15.245 0.0.0.0
auto-summary

router ospf 1
redistribute eigrp 100 subnets metric-type 2

R5

router eigrp 1
auto-summary
network YY.YY.5.5 0.0.0.0
network YY.YY.15.97 0.0.0.0
network YY.YY.15.246 0.0.0.0
network YY.YY.15.250 0.0.0.0

SW4

interface Vlan44
ip address YY.YY.15.66 255.255.255.224

interface Vlan45
ip address YY.YY.15.98 255.255.255.224

router eigrp 1
auto-summary
network YY.YY.10.10 0.0.0.0
network YY.YY.15.98 0.0.0.0

2.3 Implement RIP version 2

Configure RIP version 2 (RIP V2) per the IGP topology diagram.

    RIP update must be advertised only out to the interface per the IGP topology diagram
    Use the auto-summary
    All rip updates should be unicast.
    Mutually redistribute between RIP and EIGRP on SW4 and mutually redistribute between RIP and ospf of R2. EIGRP learned routes should be preferred over OSPF routes.
    RIP and EIGRP cannot turn off auto-summary, this cannot affect ospf routing.

R2

router rip
auto-summary
version 2
passive-interface default
neighbor YY.YY.15.33
network YY.YY.0.0
redistribute ospf YY metric 1
offset-list 0 out 4 fastethernet0/1.24

router ospf YY
redistribute rip subnets route-map EIGRP100

// EIGRP 100 learned routes from RIP
ip prefix-list EIGRP100PL permit 4.0.0.0/8
ip prefix-list EIGRP100PL permit 128.28.0.0/16
ip prefix-list EIGRP100PL permit 128.128.0.0/16
ip prefix-list EIGRP100PL permit 150.3.0.0/16
ip prefix-list EIGRP100PL permit 198.198.5.0/24

route-map EIGRP100 deny 10
match ip address prefix-list EIGRP100PL

route-map EIGRP100 permit 20

R4

router rip
version 2
auto-summary
passive-interface default
neighbor YY.YY.15.34
neighbor YY.YY.15.66
network YY.YY.0.0

SW4

router rip
version 2
auto-summary
passive-interface default
neighbor YY.YY.15.65
network YY.YY.0.0
redistribute eigrp YY metric 2
distance 171 YY.YY.15.65 0.0.0.0 10

access-list 10 deny YY.YY.4.4
access-list 10 deny YY.YY.15.32 0.0.0.31
access-list 10 permit any

route-map NET_RIP permit 10
match ip address prefix-list net_rip

ip prefix-list net_rip permit YY.YY.4.4/32
ip prefix-list net_rip permit YY.YY.15.32/27
ip prefix-list net_rip permit YY.YY.15.64/27

router eigrp YY
redistribute rip metric 1544 2000 255 1 1500 route-map NET_RIP

2.4 Implement IPV6

Refer to the IPV6 topology diagram to configure IPV6 unique local unicast addresses using the eui-64 interface identifier.

    Configure OSPFv3 as per the IPV6 topology.
    Ensure that R4 can ping SW1 using IPV6.

R4 G0/1 and R2 G0/1.z (Vlan 24)  FC01:DB8:74:9::/64 EUI-64
R2  S0/1/0.z and R1 -S0/1/0.z FC01:DB8:74:A::/64 EUI-64
R1  G0/1 and SW1 - Svi 11 FC01:DB8:74:B::/64 EUI-64

R1

ipv6 unicast-routing
ipv6 cef

interface FastEthernet0/1
ipv6 address FC01:DB8:74:B::/64 eui-64
ipv6 ospf mtu-ignore
ipv6 ospf 1 area 1

ipv6 router ospf 1
router-id YY.YY.1.1

interface Serial0/1/1.100 point-to-point
ipv6 address FC01:DB8:74:A::/64 eui-64
ipv6 ospf 1 area 1

R2

ipv6 unicast-routing
ipv6 cef

ipv6 router ospf 1
router-id YY.YY.2.2

interface Serial0/1/1.200 point-to-point
ipv6 address FC01:DB8:74:A::/64 eui-64
ipv6 ospf 1 area 1

interface FastEthernet0/1.24
ipv6 address FC01:DB8:74:9::/64 eui-64
ipv6 ospf 1 area 0

R4

ipv6 unicast-routing
ipv6 cef

ipv6 router ospf 1
router-id YY.YY.4.4

interface FastEthernet0/1
ipv6 address FC01:DB8:74:9::/64 eui-64
ipv6 ospf 1 area 0

SW1

sdm prefer dual-ipv4-and-ipv6-default  /* reload the router */

ipv6 unicast-routing
ipv6 router ospf 1
router-id YY.YY.7.7
interface Vlan11
ipv6 address FC01:DB8:74:B::/64 eui-64
ipv6 ospf 1 area 1

2.5 – Implement IPv4 BGP

Referring to the bgp routing diagram, configure BGP with these parameters:

    Configure two bgp confederations R1, R3, R5 and SW4 (ASYY1) and R2 and SW2 (ASYY2).
    The confederation peers should neighbor between R1 and R2 and between SW4 and R2.
    EBGP: SW2 ebgp peers with the router 150.2.YY.254 on BB2 in AS254. This router advertises five routes with format 197.68.z.0/24 and the AS path 254.
    EBGP: R5 ebgp peers with the router 150.1.YY.254 on BB1 in AS254. This router advertises five routes with the format 197.68.z.0/24 and the AS path 254,253.
    The bgp devices should all prefer the path through R5 (150.1.YY.254) for network 197.68.21.0/24 and 197.68.22.0/24. The ibgp devices should all prefer the path through SW2 (150.2.YY.254) for network 197.68.1.0/24, 197.68.4.0/24 and 197.68.5.0/24. This manipulation should be accomplished by configuring only on one router using route maps that refer to a single access list.
    Configure only the loopback 0 ip address to propagate BGP route information.
    You cannot use route reflector or change next-hop self.
    BGP routes should be advertised to AS254.

R1

router bgp YY1
no synchronization
no auto-summary
bgp log-neighbor-changes
bgp confederation identifier YY
bgp confederation peers YY2
neighbor YY.YY.2.2 remote-as YY2
neighbor YY.YY.2.2 ebgp-multihop 255
neighbor YY.YY.2.2 update-source Loopback0
neighbor YY.YY.3.3 remote-as YY1
neighbor YY.YY.3.3 update-source Loopback0
neighbor YY.YY.5.5 remote-as YY1
neighbor YY.YY.5.5 update-source Loopback0
neighbor YY.YY.10.10 remote-as YY1
neighbor YY.YY.10.10 update-source Loopback0

R3

router bgp YY1
no synchronization
bgp log-neighbor-changes
bgp confederation identifier YY
neighbor YY.YY.5.5 remote-as YY1
neighbor YY.YY.5.5 update-source Loopback0
neighbor YY.YY.1.1 remote-as YY1
neighbor YY.YY.1.1 update-source Loopback0
neighbor YY.YY.10.10 remote-as YY1
neighbor YY.YY.10.10 update-source Loopback0
no auto-summary

R5

router bgp YY1
no synchronization
bgp log-neighbor-changes
bgp confederation identifier YY
neighbor YY.YY.3.3 remote-as YY1
neighbor YY.YY.3.3 update-source Loopback0
neighbor YY.YY.1.1 remote-as YY1
neighbor YY.YY.1.1 update-source Loopback0
neighbor YY.YY.10.10 remote-as YY1
neighbor YY.YY.10.10 update-source Loopback0
neighbor 150.1.YY.254 remote-as 254
neighbor 150.1.YY.254 route-map TAG in
no auto-summary

access-list 5 permit 197.68.20.0 0.0.3.255

route-map TAG permit 10
match ip address 5
set local-preference 250
route-map TAG permit 20

router eigrp YY
redistribute connected metrix 1544 200 255 1 1500 route-map BB1

route-map BB1 permit 10
match interface fa0/0

SW4

router bgp YY1
no synchronization
bgp log-neighbor-changes
bgp confederation identifier YY
bgp confederation peers YY2
neighbor YY.YY.1.1 remote-as YY1
neighbor YY.YY.1.1 update-source Loopback0
neighbor YY.YY.2.2 remote-as YY2
neighbor YY.YY.2.2 ebgp-multihop 255
neighbor YY.YY.2.2 update-source Loopback0
neighbor YY.YY.3.3 remote-as YY1
neighbor YY.YY.3.3 update-source Loopback0
neighbor YY.YY.5.5 remote-as YY1
neighbor YY.YY.5.5 update-source Loopback0
no auto-summary

R2

router bgp YY2
no synchronization
bgp log-neighbor-changes
bgp confederation identifier YY
bgp confederation peers YY1
neighbor YY.YY.1.1 remote-as YY1
neighbor YY.YY.1.1 ebgp-multihop 255
neighbor YY.YY.1.1 update-source Loopback0
neighbor YY.YY.8.8 remote-as YY2
neighbor YY.YY.8.8 update-source Loopback0
neighbor YY.YY.10.10 remote-as YY1
neighbor YY.YY.10.10 ebgp-multihop 255
neighbor YY.YY.10.10 update-source Loopback0
no auto-summary

SW2

router bgp YY2
no synchronization
bgp log-neighbor-changes
bgp confederation identifier YY
neighbor YY.YY.2.2 remote-as YY2
neighbor YY.YY.2.2 update-source Loopback0
neighbor 150.2.1.254 remote-as 254
no auto-summary

router ospf YY
redistribute connected metric 100 subnets route-map BB2

route-map BB2 permit 10
match interface vlan 2

Section III IP Multicast

3.1 Implement PIM sparse mode for IPV6 multicast.

    Enable pim sparse mode (pim-sm) on the lan between R4 and R2, and on the WAN link between R2 and R1,
    Using these criteria. Configure R4 Fa0/1 to be the redezvous point (RP) for the FF08::4000:4000 multicast group, no other groups should be  permitted.

R4

ipv6 cef
ipv6 multicast-routing

ipv6 pim rp-address X:X:X:X

R2

ipv6 cef
ipv6 multicast-routing

ipv6 pim rp-address X:X:X:X

R1

ipv6 cef
ipv6 multicast-routing

ipv6 pim rp-address X:X:X:X

3.2 Multicast Joins

Configure R2 s0/0/0.z as an IPV6 receiver for the multicast group FF08::4000:4000.
R2 should be able to ping the multicast group FF08::4000:4000.

R2

interface Serial0/1/1.100 point-to-point
ipv6 mld join-group FF08::4000:4000 X:X:X:X

Section IV Advanced Services

4.1 Secure HTTP Access

Enable secure HTTP access for R5.

    Enable authentication using the list "HTTP" which utilizes local user authentication.
    Configure two different users for access to R5; the user cisco (password "cisco"), who only have privilege 1 access to R5; and the user ADMIN (password “CISCO") who has privilege 15 access to R5.
    Do no modify console and vty lines login and password configuration

R5

aaa new-model
aaa authenctication login default line    /* none required at the end if no line passwords are configured */
aaa authentication login HTTP local-case

username cisco privilege 1 password 0 cisco
username ADMIN privilege 15 password 0 CISCO

no ip http server
ip http secure-server

ip http authentication aaa login-authentication HTTP

4.2 Secure the WAN PPP Links

Configure challenge handshake authentication protocol (CHAP) on R5 for the link to R1 and R3, according to the following requirements.

    An authentication, authorization, and accounting (AAA) list names R1 and R3 for R1 and R3 respectively.
    Authentication for R1 should first try the radius server 198.2.3.128 using a key of cisco and fall back to local login in the event of a failure to connect to the radius server.
    R1 should present itself to R5 as RACKYYR1 with a shared password cisco.
    Authentication for R3 should first try the TACAS server 198.2.3.129 using a key of cisco and fall back to local login in the event of a failure to connect to the TACAS server.
    R3 should present itself to R5 as BACKUP with a shared password of CISCO.

R5

aaa new-model

aaa authentication ppp R1 group radius local-case
aaa authentication ppp R3 group tacacs+ local-case

username RACK1R1 password 0 cisco
username BACKUP password 0 CISCO

tacacs-server host 198.2.3.129 key cisco
radius-server host 198.2.3.128 key cisco

interface Serial0/1/0
ppp authentication chap R1

interface Serial0/1/1
ppp authentication chap R3

R1

interface Serial0/1/0
ppp chap hostname RACK1R1
ppp chap password cisco

R3

interface Serial0/1/0
ppp chap hostname BACKUP
ppp chap password CISCO

4.3 MQC Based frame-relay traffic shaping

Configure R1 for Modular QoS CLI (MQC) based frame relay traffic shaping (FRTS) according to the following requirements:

    Using a hierarchical policy map, specify the parent class-default committed information rate (CIR) as 64KB (when no backward explicit congestion notification (BECNs) are present and 32KB (when BECNs are present).
    The traffic already marked with class 1 or 2 (AF11 or AF21) must be classified as Data traffic.
    Data Traffic should receive a guaranteed bandwidth of 35%.
    Voice packets are marked as Expedited Forwarding (EF)
    Voice traffic should receive a guaranteed bandwidth of 40%

R2

class-map match-any DATA
match ip dscp af11
match ip dscp af21

class-map match-all VOICE
match ip dscp ef

policy-map CHILD
class VOICE
priority percent 40
class DATA
bandwidth percent 35
class class-default
fait-queue

policy-map PARENT
class class-default
shape average 64000
shape adaptive 32000
service-policy CHILD

map-class frame-relay FRTS
service-policy output PARENT

interface Serial0/1/1.100 point-to-point
frame-relay class FRTS

4.4 AutoQOS over PPP

To 4.3 continue to address VOIP quality of service (QOS) by configuring Cisco autoqos over PPP link between R1 and R5.
AutoQos should not use NBAR to classify the voice traffic.

R1

interface s0/1/0
auto discovery qos trust
auto qos voip trust

Interface multilink XXXXX
no peer neighbor-route


R5

interface s0/0
auto discovery qos trust
auto qos voip trust

Interface multilink XXXXX
no peer neighbor-route

Note
Bandwidth needs to be set to 128 which is the default.
Also, no peer neighbor-route needs to be configured on the dynamic multilink interfaces on R1 and R5.

4.5 First Hop Redundancy

To facilitate load balancing and back for hosts off VLAN_H, configure GLBP on VLAN_H, use any group number.

    R4 should have the higher priority with the ability for R2 to assume control if the priority of R4 decreases. Use MD5 authentication to protect the GLBP group. Use the key-string "cisco".
    Configure the IP YY.YY.15.35 as your GLBP virtual address.
    R2 should assume control if R4 loses reachability to the default route
    On R4 should track availability of default route

R4

track 11 ip route 0.0.0.0 0.0.0.0 reachability

interface FastEthernet0/1

glbp 1 ip YY.YY.15.35
glbp 1 priority 105
glbp 1 preempt
glbp 1 authentication md5 key-string cisco

glbp 1 weighting 110 lower 95 upper 105
glbp 1 weighting track 11 decrement 20

R2

interface FastEthernet0/1.24

glbp 1 ip YY.YY.15.35
glbp 1 priority 100
glbp 1 preempt
glbp 1 authentication md5 key-string cisco

Section V. Optimize the Network

5.1 Netflow IPv4 Multicast Accounting

Configure netflow multicast accounting on R4 according to the following requirement

    Sources should be VLAN_H
    Export all data to 198.2.5.10
    Use UDP port 9991 for exporting
    Use net flow version 9 only
    Collect all of the output and failure statistics, both in and out of R4 in VLAN_H.

R4

ip multicast netflow rpf-failure
ip multicast netflow output-counters

ip flow-export version 9
ip flow-export destination 198.2.5.10 9991

interface f0/1
ip flow ingress
ip flow egress

5.2 TFTP Server

Configure R3 as TFTP server with the following requirements

    R4 should be able to copy the file TEST from the flash memory of R3.
    No other files should be available from R3
    No other devices should be able to copy the file TEST from R3

Note: You do not need to create the TEST file on R3 or attempt to make a actual copy.

R3

access-list 53 permit YY.YY.4.4
access-list 53 permit YY.YY.15.33
access-list 53 permit YY.YY.15.65

tftp-server flash:TEST 53

5.2 Embedded Event Manager Monitor of CPU

Using IOS CLI an event manager applet on R3 according to the following requirements:

    If the 5min CPU value (cpmCPUTotal5minRev "1.3.6.1.4.1.9.9.109.YY.YY.YY.YY.8" ) goes  above 60 percent, the first 10 lines of the show process cpu sorted 5min  command output should be emailed to engineer@cisco.com from eem@cisco.com with a  subject of "CPUAlert5min" using the mail server 198.2.5.10. Polling should be every 60  seconds.

R3

event manager applet cpmCPUTotal5minRev
event snmp oid 1.3.6.1.4.1.9.9.109.YY.YY.1.8 get-type exact entry-op ge entry-val 60 poll-interval 60
action 1.0 cli command "terminal length 13"
action 2.0 cli command "show processes cpu sort 5min"
action 3.0 cli command “q”
action 4.0 mail server "198.2.5.10" to "engineer@cisco.com" from "EEM@cisco.com" subject  "CPUAlert5min" body "$_cli_result" 

Wednesday, November 18, 2009

Spanning Tree Protocol

The Spanning Tree Protocol was created by DEC (Digital Equipment Corporation) now Compaq. This is not compatible with the IEEE 802.1d version which Cisco use.

The Spanning Tree Protocol:

Prevents loops, loops cause broadcast storms
Allows redundant links
Resilient to topology changes
STA (Spanning Tree Algorithm) - Used to calculate loop-free path
BPDUs (Bridge Protocol Data Units) are sent and received by switches in the network every 2 seconds (default) to determine spanning tree topology.
Bridge Priority - Numerical value held by switches. All Catalyst switches are 32768
Bridge ID = MAC Address



Spanning Tree States
Blocking No frames forwarded, BPDUs heard
Listening No frames forwarded, listening for frames
Learning No frames forwarded, learning addresses
Forwarding Frames forwarded, learning addresses
Disabled No frames forwarded, no BPDUs heard



STA - Spanning Tree Algorithm
Spanning Tree Algorithm is used to calculate a loop-free path.

All switch ports are in blocking mode to begin with. It takes approx 30 seconds until packets can be forwarded.

Step 1 : Elect Root Bridge - Lowest bridge priority, if there is a tie then switch with lowest bridge ID
Step 2 : Elect Root Ports - Locate redundant paths to root bridge; block all but on root. Root Path Cost is cumulative cost of path to root bridge. Ports directly connected to Root Bridge will be root ports, otherwise lowest root path cost used.
Step 3 : Elect Designated Ports - Single port that sends and receives traffic from a switch to and from Root Bridge - Lowest cost path to Root Bridge.






Spanning Tree Overview
 There can only be one Root Bridge.
 Root-Bridge ports are called 'Designated' and are set to send and receive traffic (forwarding state). All other redundant links to the root bridge are shutdown.
 Blocked ports still receive BPDUs.
 Convergence occurs when switches have transitioned to either forwarding or blocking states. No other data is forwarded during this time.
 Forward delay - Time taken for a switch to go from Listening to Learning (50 seconds default).
 IEEE default priority = 32,768, this is true for all devices running STP IEEE version.
 Port Fast Mode - Immediately brings a port from blocking to forwarding state by eliminating forward delays.
 Bridges can only have one spanning tree instance compared to switches which can have many.
 Bridge Protocol Data Units send confirmation messages using multicast frames.

Thursday, November 12, 2009

Switching – EtherChannels (02)

Configuring EtherChannels:-

Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels

When configuring Layer 2 EtherChannels, you cannot put Layer 2 LAN ports into manually created port channel logical interfaces. When configuring Layer 3 EtherChannels, you must manually create the port channel logical interface as described in this section, and then put the Layer 3 LAN ports into the channel group. To create a port channel interface for a Layer 3 EtherChannel, perform this task:


Creates the port channel interface.
Router(config)# interface port-channel group_number
Assigns an IP address and subnet mask to the EtherChannel.
Router(config-if)# ip address ip_address mask
Router(config-if)# end



Configuring Channel Groups
When configuring Layer 3 EtherChannels, you must manually create the port channel logical interface first and then put the Layer 3 LAN ports into the channel group. When configuring Layer 2 EtherChannels, configure the LAN ports with the channel-group command, which automatically creates the port channel logical interface. To configure channel groups, perform this task for each LAN port:


Selects a LAN port to configure


Router(config)# interface interface-id

(Optional) On the selected LAN port, restricts the channel-group command to the EtherChannel protocol configured with the channel-protocol command.
Router(config-if)# channel-protocol (lacp | pagp}
! Configures the LAN port in a port channel and specifies the mode
Router(config-if)# channel-group group_number mode {active | auto | desirable | on | passive}
! (Optional for LACP) Valid values are 1 through 65535. Higher numbers have lower priority. The default is 32768.
Router(config-if)# lacp port-priority priority_value
Router(config-if)# end
! Verifies the configuration.
Router# show interfaces interface-id etherchannel




Configuring the LACP System Priority and System ID
To configure the LACP system priority and system ID, perform this task:
! (Optional for LACP) Valid values are 1 through 65535. Higher numbers have lower priority. The default is 32768.
Router(config)# lacp system-priority priority_value
! Verify
Router# show lacp sys-id



Configuring EtherChannel Load Balancing
To configure EtherChannel load balancing, perform this task:
! Configures the EtherChannel load-balancing method. The method is globally applied to all port channels.
Router(config)# port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-port | dst-port | src-dst-port} [module slot]
Router(config)# end
! Verifies the configuration.
Router# show etherchannel load-balance




Configuring the EtherChannel Min-Links Feature
To configure the EtherChannel min-links feature, perform this task:
! Selects an LACP port channel interface.
Router(config)# interface port-channel group_number
! Configures the minimum number of member ports that must be in the link-up state and bundled in the EtherChannel for the port
! channel interface to transition to the link-up state.
Router(config-if)# port-channel min-links number
Router(config-if)# end
! Verifies the configuration.
Router# show interfaces interface-id etherchannel




Configuring LACP 1:1 Redundancy
To configure the LACP 1:1 redundancy feature, perform this task:
! Selects an LACP port channel interface.
Router(config)# interface port-channel group_number
! Enables the fast switchover feature for this EtherChannel.
Router(config-if)# lacp fast-switchover
! Sets the maximum number of active member ports to be one.
Router(config-if)# lacp max-bundle 1
Router(config-if)# end

Monday, November 9, 2009

VLAN Access Control Lists (VACLs)

Vlan Access Control List are often also referred to as VLAN Access Maps or just VLAN Maps

When you want to filter traffic that is moving from one VLAN to another, things are real CCNA-like and friendly :-) We use an Access Control List. In fact, we should elaborate on that term a bit now in light of this discussion. We actually use a Router-based Access Control List or RACL.

But what if we want to filter traffic that is flowing within a VLAN? On no, a Router-based Access Control List cannot help us! This is when we turn to the VLAN Access Control List. To help us understand this feature, let us create a topology and a sample scenario. Here is the simple topology:




Notice the Fast Ethernet interfaces of R1 and R2 are within the same VLAN (VLAN 10). So, based on the theory we have discussed, we will need a VACL if we want to filter the ability of R1 to communicate with R2. For this experiment, let us use Telnet. Before we begin, let me try Telnetting from R1 to R2. We want to ensure that works before we try and prevent that capability with a VACL.



R1#telnet 10.10.10.2
Trying 10.10.10.2 ... Open

User Access Verification

Password:

R2>quit

[Connection to 10.10.10.2 closed by foreign host]
R1#




Excellent, there is everything we need in place to test a VACL now. Let us be very specific and create a VACL that denies the ability of R1 to Telnet to R2. Notice, we want to be very specific. Can R1 ping R2 when we are done? Sure! That is, if we configure all of this correctly.

I begin the scenario configuration with an Access Control List that will define the exact traffic we are interested in preventing. Notice I am using a permit Access Control List Entry (ACE) to specify the traffic, but I will end up denying it later on in the VACL structure.

SW2(config)#ip access-list extended ACL_TELNETR1_R2
SW2(config-ext-nacl)#permit tcp host 10.10.10.1 host 10.10.10.2 eq 23


Now that we have configured the identifying access list, it is time to configure the VACL. The first step is to create the VLAN Access Map, and then the second step is to apply it to the appropriate VLAN(s). Notice how these structures are eerily similar to Route Maps. Here is step one:


SW2(config-ext-nacl)#vlan access-map VACL_STOPTELNET
SW2(config-access-map)#action drop
SW2(config-access-map)#match ip address ACL_TELNETR1_R2
SW2(config-access-map)#vlan access-map VACL_STOPTELNET
SW2(config-access-map)#action forward
SW2(config-access-map)#exit



Notice that the ACL that matches on the Telnet has an action of DROP, then we match on all other traffic (implicitly), and we forward all of that. Forward is the default action, so I actually did not need the action forward commands, but I added them above to make it more clear for us to learn.

Now for the really easy part of this configuration. In step two, all I need to do is apply this “map” to the appropriate VLAN. That is our VLAN 10:


SW2(config)#vlan filter VACL_STOPTELNET vlan-list10


Now it is time for verification. In our case it should be very simple to test. R1 should be able to ping R1, but Telnet should fail. First the ping:


R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!



That worked as expected. Now, drumroll please, it is time for the Telnet attempt. This is a time in the lab exam where you really hope for a failure:

R1#telnet 10.10.10.2
Trying 10.10.10.2 ...
% Connection timed out; remote host not responding

Monday, September 7, 2009

ARP-Address Resolution Protocol

ARP is a protocol broadcasting locally, meaning works only on local LAN or local subnet.
PC1 send ping to PC2.

1. PC1 looks in its ARP cache for default gateway IP address. If does not have it, it sends ARP request (hey, you with IP 1.1.1.1, what is your MAC?)
2. Switch1 gets it, frame is ARP broadcast, so Switch1 processes the frame. Adds MAC source address and interface # it came in.
3. ARP request's target IP address does not match the receiving port's IP address on Switch1 's VLAN 1, so Switch 1 sends out the frame to all ports in the same VLAN except the receiving port. (Frame is not move to upper layers in OSI, instead Data link takes care of it)
4. Broadcast ARP reaches your Router.Router accepts frame since target IP address matches the receiving port's IP address.
5. Router updates its ARP table with received information and replies to the request with the receiving port's MAC address. (I am 1.1.1.1, my MAC is 00-11-22-33-44-55)
6. Frame ARP replay now is going back to PC1.
7. Switch1 has MAC of PC1, but adds MAC of Router and sends frame ONLY to PC1.
8. PC1 receives APR replay and puts info into his ARP cache. (5 minutes on Windows)
9. Now, whatever you were trying do in the first place, PC1 takes MAC of d.g stored in cache and builds packet with upper layer (ICMP, HTTP, FTP) protocols.
10. PC1 sends packet to PC2. Source IP is PC1, Dest IP is PC2, source MAC is PC1, Dest. MAC is Router's D.G.
11. Switch receives packet and forwards out of port connected to Router. It does not do anything special now.
12. Router looks at MAC Dest. It is for him, process the frame to look at IP Dest. IP dest. is directly connected, so it will process the packet (knows about network that PC2 is connected).
13. If router does not have MAC address of PC2 in his cache, it will send ARP broadcast on the interface connected to PC2. Router waits for ARP replay from PC2, not from switch 2, although ARP frame will pass through the Switch2 on the way to PC2 and back.
14. With PC2's MAC in cache, Router will process packet by adding PC2's MAC address as dest. and his outgoing interface MAC as a source. The IPs in the packet are the same.
15. Switch 2 receives frame, adds MAC address (if not already in the table).
16. Switch 2 (and switch 1 for that matter) will process frames if ports are access ports and are on the same VLAN. Two conditions are often omitted in our discussions.
17. Assuming router and PC2 are on the same VLAN, Switch 2 will forward frame to PC2.
18. PC2 receives frame, reads dest. MAC, strips Ethernet header and trailer, and looks at dest. IP. OK, it is for me and processes.
19. If, for example, packet is an ICMP packet. The ICMP process processes it by sending Echo Replay message.
20. IP addresses are reversed. Source IP (PC1) becomes destination; destination IP (PC2) becomes source. Data link layer takes packet and encapsulates it with PC2's MAC as source and MAC of default gateway on Router (destination IP is on different network).

Monday, June 29, 2009

BGP Audio Trainings

01. Introduction to BGP
02. iBGP Peerings
03. Route Reflection
04. eBGP Peerings
05. Confederation
06. Update Source
07. Next Hop Processing
08. Advertising BGP Prefix Information
09. Summarization
10. BGP Default Routing
11. Best Path Selection
12. Best Path Selection Order
13. Manipulating Best Path Selection
14. Communities
15. Regular Expressions
16. Route Dampening

FREE DOWNLOAD NOW

Friday, June 26, 2009

CCNA INTERVIEW Q&A

Q. What is a router?
A. A router is a device that connects more than one physical network, or segments of a network, using IP routing software. As packets reach the router, the router reads them and forwards them to their destination.

Q. Discuss wireless networking.
A. This is a network configured to use communication techniques such as infrared, cellular, or microwave, so that cable connections are not required.

Q. Discuss WAN (wide area network).
A. A WAN is extended over longer distances that a LAN (local area network). It can range from a few miles to across the world. TCP/IP is the primary WAN protocol and was developed to provide reliable, secure data transmissions over long distances.

Q. What is OSPF?
A. Open Shortest Path First is a routing protocol that supports the concept of a core area to which everything attaches.

Q. What is BGP?

A. Border Gateway Protocol is used for routing between networks on the Internet core, and it supports many advanced routing features.

Q. What is an autonomous system?
A. An autonomous system is a community of interest. Used in conjunction with routing protocols, it breaks up parts of the network into manageable chunks.

Q. What is dial on demand?
A. Dial on demand is a technology that only activates network connection when “interesting” packets are to be sent across the infrastructure.

Q. What mask would you use to supernet two class C addresses?
A. The subnet would be 255.255.254.0.

Q. What is VLANing?
A. Virtual LAN is used on large LANs to break up the network into smaller broadcast domains. This creates communities of interest. These communities can be based around organizational structures.

Q. What is CIDR?
A. Classless Internet domain routing is used in conjunction with classless routing protocols to summarize the Internet into smaller routing tables.

Q. What is VLSM?
A. Variable Length Subnet Mask is used to allocate the amount of address space required by the end network.

Q. What is a class D IP address?

A. Class D addresses are multicast addresses.

Q. What addresses do multicasts start with?
A. Multicasts start with the address 224.0.0.0.

Q. Which name resolution system is implemented with TCP/IP by default?
A. Although WINS is a name resolution that is implemented by TCP/IP by default, it only works on Windows-based networks. The only true name resolution system that almost every TCP/IP networks uses is DNS.

Q. You are the administrator of a 100-station Ethernet network. Your users are complaining of slow network speeds. What could you replace your hub with to increase your network throughput?
A. A switch would increase performance by making virtual, direct connections between sender and receiver. A bridge and router would actually decrease performance because these devices introduce latency into the communication.

Q. Which TCP/IP utility is most often used to test whether an IP host is up and functional?

A. The Ping utility is the most often used TCP/IP utility because it allows you to test individual hosts.

Q. Which utility can you use to find the MAC and TCP/IP address of your Windows NT or 2000 workstation?
A. The ipconfig utility is available for both these operating systems. It displays information like the MAC and TCP/IP address of your workstation as well as other TCP/IP configuration information.

Q. Which utility can you use to verify a packet’s path?
A. The tracert utility traces the route from the source IP host to the destination host.

Q. Which WAN technology uses digital signaling from sender to receiver?

A. The T-series of WAN connection (such as T1, T3, and so on) uses digital signaling from sending hardware to receiving hardware.

Q. You are setting up a workstation for remote access to the office. The office has a modem pool configured, and it is working correctly. The required results are that the workstation and modem bank must establish a connection and that the server at the office must authenticate the workstation. Optionally, the workstation and office must be able to communicate by using a single protocol, and the workstation must be able to access all network devices at the office. The proposed solution is to install a POTS telephone line, modem cable, and modem connected to the workstation. How would you configure the protocols to achieve the desired results?
A. This question tests your ability to configure protocols and select the best one to meet the connectivity requirements. The recommended protocol here would be TCP/IP since it can be used across the different access methods.

Q. Which remote access protocol can run over both serial and parallel connections?
A. Because PPP doesn’t contain a physical layer specification as part of the protocol, it can run over any kind of medium.

Q. What Microsoft TCP/IP protocol can be used over the Internet to create a secure, virtual network?

A. The Point-to-Point Tunneling Protocol (PPTP) allows you to create a secure, virtual connection between two points by tunneling one protocol inside another. Usually, a PPP connection is opened over a TCP/IP link.

Q. Which type of firewall checks for a current communication and the next packet needed?
A. A proxy provides firewall services by keeping track of all communications sessions and “prefetching” the next packets.

Q. Which type of security uses a file that identifies predefined IP addresses that are allowed to send data through a router?
A. Access Control List security uses a file (the ACL) that identifies which addresses can send data through a particular firewall or router.

LABELS

Audios (1) BCMSN (1) BGP (1) CCIE (4) CCNA (9) CCNA LABS (2) CCNP (11) CCNP LABS (1) CCVP (1) DHCP (1) DYNAGEN (2) E-BOOKS (5) ETHERCHANNELS (1) IOS (1) IP ACCESS-LIST (1) ISCW (2) MPLS (1) ONLINE-LABS (1) SWITCHING (4) VLAN ACCESS-LIST (1) VPN (1)