
CCIE R/S Lab Bootcamp Workbook

Version 4.0
Authored By:

Khawar Butt
CCIE # 12353
(R/S, Security, SP, Voice)

Netmetric Solutions FZC


Copyrights Netmetric Solutions FZC 2006-2010
Website: http://www.netmetricsolutionsfzc.com; Email: khawarb@khawarb.com


Module 1 Frame Relay


Lab 1 Configuring a Router as a Frame-Relay Switch

[Diagram: R1, R2 and R3 each connect through S 0/0 to the Frame-Relay cloud]
Task 1
Configure the Frame-relay switch to connect R1, R2 & R3. R1 should act
as the hub for R2 and R3. Use the following DLCI assignments:

R1 > R2   102
R1 > R3   103
R2 > R1   201
R3 > R1   302


Frame-Relay Switch
Frame-relay switching
!
Interface S0/1
Description Connection to R1
Encap frame-relay
Frame-relay intf-type dce
Clock rate 64000
Frame-relay route 102 interface S0/2 201
Frame-relay route 103 interface S0/3 301
No shut
!
Interface S0/2
Description Connection to R2
Encap frame-relay
Frame-relay intf-type dce
Clock rate 64000
Frame-relay route 201 interface S0/1 102
No shut
!
Interface S0/3
Description Connection to R3
Encap frame-relay
Frame-relay intf-type dce
Clock rate 64000
Frame-relay route 301 interface S0/1 103
No shut


Task 2
Configure R1, R2 and R3 to communicate with each other. Use the
following IP addressing scheme. Make sure that Inverse-ARP is not used
to set up the Frame-relay mappings. Make sure routing protocols can run
between the hub and spokes. All devices should be able to ping each
other and their local interfaces:

R1 192.1.123.1/24
R2 192.1.123.2/24
R3 192.1.123.3/24

R1
Interface Serial0/0
Ip address 192.1.123.1 255.255.255.0
Encapsulation frame
No frame-relay inverse-arp
Frame-relay map ip 192.1.123.2 102 Broadcast
Frame-relay map ip 192.1.123.3 103 Broadcast
Frame-relay map ip 192.1.123.1 102
No shut
R2
Interface Serial0/0
Ip address 192.1.123.2 255.255.255.0
Encapsulation frame
No frame-relay inverse-arp
Frame-relay map ip 192.1.123.1 201 Broadcast
Frame-relay map ip 192.1.123.3 201
Frame-relay map ip 192.1.123.2 201
No shut
R3
Interface Serial0/0
Ip address 192.1.123.3 255.255.255.0
Encapsulation frame
No frame-relay inverse-arp
Frame-relay map ip 192.1.123.1 301 Broadcast
Frame-relay map ip 192.1.123.2 301
Frame-relay map ip 192.1.123.3 301
No shut


Lab 2 Running RIPv2 on Frame-Relay


(Builds on Lab 1)
Task 1
Configure the following Loopbacks on R1, R2 and R3:

R1 Interface Loopback 0 1.1.1.1/8
R2 Interface Loopback 0 2.2.2.2/8
R3 Interface Loopback 0 3.3.3.3/8

R1
Interface Loopback0
Ip address 1.1.1.1 255.0.0.0
R2
Interface Loopback0
Ip address 2.2.2.2 255.0.0.0
R3
Interface Loopback0
Ip address 3.3.3.3 255.0.0.0
Task 2
Configure RIPv2 on R1, R2 & R3. Make sure all routes are getting
propagated.
R1
Router RIP
Version 2
No auto-summary
Network 1.0.0.0
Network 192.1.123.0
R2
Router RIP
Version 2
No auto-summary
Network 2.0.0.0
Network 192.1.123.0
R3
Router RIP
Version 2
No auto-summary
Network 3.0.0.0
Network 192.1.123.0
Note:
Although split-horizon would normally stop R1 from propagating R2's
routes towards R3 and vice versa, it does not do so here. The reason is
that when you enable Frame-relay on a physical interface, split-horizon
is automatically disabled on that interface for Distance Vector routing
protocols. This behaviour applies only to physical interfaces and not to
multipoint sub-interfaces.

Lab 3 Running EIGRP on Frame-Relay


(Builds on Lab 2)
Task 1
Disable RIP on all 3 routers.
R1
No Router RIP
R2
No Router RIP
R3
No Router RIP
Task 2
Configure EIGRP on R1, R2 & R3 in AS 123. Make sure all routes are
getting propagated.
R1
Router EIGRP 123
No auto-summary
Network 1.0.0.0
Network 192.1.123.0
R2
Router EIGRP 123
No auto-summary
Network 2.0.0.0
Network 192.1.123.0
R3
Router EIGRP 123
No auto-summary
Network 3.0.0.0
Network 192.1.123.0
Note:
Although Split-horizon is disabled on the interface for Distance Vector
Routing protocols by enabling Frame-relay, this behaviour is not
applicable to EIGRP (Advanced Distance Vector Routing Protocol). You
need to disable split-horizon for the specific EIGRP AS.
Task 3
Disable split-horizon on R1 to allow routes from R2 to be propagated
towards R3 and vice versa.
R1
Interface S 0/0
No ip split-horizon eigrp 123

Lab 4 Configuring Point-to-Point and Multipoint Sub-interfaces

[Diagram: R1, R2, R3 and R4 connect through S 0/0 to the Frame-Relay cloud; sub-interfaces S 0/0.123 and S 0/0.14 are marked]

Task 1
Configure the routers connected to the frame-relay cloud as follows:
o R1 (the hub) must be configured with two sub-interfaces. One of the
  two sub-interfaces must connect R1 to R4; configure it in a
  point-to-point manner using the following IP addressing:
   - R1 = 192.1.14.1 /24
   - R4 = 192.1.14.4 /24
o The second sub-interface on R1 must be configured in a multipoint
  manner and must connect R1 to routers R2 and R3 using the following
  IP addressing:
   - R1 = 192.1.123.1 /24
   - R2 = 192.1.123.2 /24
   - R3 = 192.1.123.3 /24
o R2 is not a Cisco router. Set the encapsulation accordingly.
o Routers R2 and R3 should not be configured with a sub-interface, and
  these routers should NOT rely on Inverse-ARP.
o R4 should be configured with a sub-interface in a point-to-point
  manner.
o The routers connecting to the frame-relay cloud should be configured
  as a hub and spoke, with R1 being the hub and R2, R3 and R4 the
  spokes.
o Ensure that the routers on the 192.1.123.0/24 network can ping every
  IP address, including their own, within their IP address space.
R1
Interface Serial0/0
Encapsulation frame-relay
No frame-relay inverse
No shut
!
Int S0/0.14 point-to-point
Ip address 192.1.14.1 255.255.255.0
Frame-relay interface-dlci 104
!
Int S0/0.123 multipoint
Ip address 192.1.123.1 255.255.255.0
Frame-relay map ip 192.1.123.2 102 ietf broadcast
Frame-relay map ip 192.1.123.3 103 broadcast
Frame-relay map ip 192.1.123.1 103
R2
Int S0/0
Ip address 192.1.123.2 255.255.255.0
Encapsulation frame ietf
No frame-relay inverse
Frame-relay map ip 192.1.123.1 201 broadcast
Frame-relay map ip 192.1.123.3 201
Frame-relay map ip 192.1.123.2 201
No shut


R3
Int S0/0
Encapsulation frame
Ip address 192.1.123.3 255.255.255.0
Frame-relay map ip 192.1.123.1 301 broadcast
Frame-relay map ip 192.1.123.2 301 ietf
Frame-relay map ip 192.1.123.3 301
No frame-relay inverse
No shut
R4
Int S0/0
Encap frame
No frame-relay inverse
No shut
!
Inter S0/0.14 point-to-point
Ip address 192.1.14.4 255.255.255.0
Frame-relay interface-dlci 401
Task 2
Ensure that R1 and R4 use CHAP authentication using Cisco as the
password. These routers must authenticate each other before they can
communicate.
R1
Username R4 password Cisco
Interface S0/0.14
No ip address
Inter virtual-template 1
Ip address 192.1.14.1 255.255.255.0
Ppp authentication chap
Int S0/0.14
Frame-relay interface-dlci 104 ppp virtual-template 1
R4
Username R1 password Cisco
Inter S0/0.14
No ip address
Inter virtual-template 1
Ip address 192.1.14.4 255.255.255.0
Ppp authentication chap
Int S0/0.14
Frame-relay interface-dlci 401 ppp virtual-template 1
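
The CHAP exchange that the Task 2 configuration sets up between R1 and R4, as an added Python example that is not part of the workbook. It follows the RFC 1994 response calculation, MD5(Identifier || secret || Challenge); the Router class and the dictionary message layout are assumptions made for illustration, not IOS internals.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Router:
    """Hypothetical model of one PPP peer (illustration only)."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        # Local database built from "username <peer> password <secret>" lines.
        self.usernames = usernames

    def challenge(self, identifier):
        # The challenger names itself so the peer can select the right secret.
        return {"id": identifier, "value": os.urandom(16), "name": self.hostname}

    def respond(self, chal):
        secret = self.usernames.get(chal["name"])
        if secret is None:
            return None  # no "username" entry for the challenger
        digest = chap_response(chal["id"], secret, chal["value"])
        return {"id": chal["id"], "value": digest, "name": self.hostname}

    def verify(self, chal, resp):
        if resp is None or resp["id"] != chal["id"]:
            return False
        secret = self.usernames.get(resp["name"])
        if secret is None:
            return False
        expected = chap_response(chal["id"], secret, chal["value"])
        # The secret itself never crosses the link, only the digest does.
        return hmac.compare_digest(expected, resp["value"])


def one_way(authenticator, peer, identifier=1):
    """The authenticator challenges the peer and checks its response."""
    chal = authenticator.challenge(identifier)
    return authenticator.verify(chal, peer.respond(chal))


def mutual(a, b):
    """Both ends run 'ppp authentication chap': each must verify the other."""
    return one_way(a, b, 1) and one_way(b, a, 2)


if __name__ == "__main__":
    r1 = Router("R1", {"R4": "Cisco"})   # R1: username R4 password Cisco
    r4 = Router("R4", {"R1": "Cisco"})   # R4: username R1 password Cisco
    print("matching secrets:", mutual(r1, r4))
    # Passwords are case-sensitive: "cisco" on one side breaks authentication.
    print("case mismatch:", mutual(r1, Router("R4", {"R1": "cisco"})))
```

The username on each router must equal the hostname the peer sends, and the two passwords must be identical byte for byte, or the link stays down.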


Module 2 Basic Switching


Lab 1 Configuring VLANs and VTP

[Network diagram]
VLAN 10, 192.1.15.0/24: R5 F 0/0 (.5), R1 F 0/0.1 (.1)
VLAN 20, 192.1.13.0/24: R1 F 0/0.2 (.1), R3 F 0/0.1 (.3)
VLAN 30, 192.1.34.0/24: R3 F 0/0.2 (.3), R4 F 0/0 (.4), SW1 VLAN 30 (.15)
VLAN 40, 192.1.2.0/24: R2 F 0/0 (.2), SW1 VLAN 40 (.15)

Task 1
Configure Switch1 as the VTP Server and the other Switch(s) as VTP
Clients. Use CCIE as the Domain name. Authenticate the relationship
using CCIERS as the password.
SW1
VTP domain CCIE
VTP mode server
VTP password CCIERS
SW2
VTP domain CCIE
VTP mode client
VTP password CCIERS
SW3
VTP domain CCIE
VTP mode client
VTP password CCIERS
SW4
VTP domain CCIE
VTP mode client
VTP password CCIERS

Task 2
Ensure that you can enhance network bandwidth use through the trunk
ports by reducing the unnecessary traffic flooding of VLANs throughout
the switches in your network.
All Switches
Vtp pruning
Task 3
Ensure that the Trunk ports of your Rack are statically configured to
trunk using an industry standard protocol. Configure these ports such
that they will trunk even if the negotiation fails. Also make sure to
disable DTP on the trunk interfaces.
All Switches
Interface range F0/XX XX
Switchport trunk encapsulation dot1q
Switchport mode trunk
Switchport nonegotiate
Task 4
Assign Ports to the appropriate VLANs based on the Network Diagram.
Use the physical topology diagram for your rack to accomplish this. Make
sure the ports are either set to Trunk or Access statically.
SW1
VLAN 10
VLAN 20
VLAN 30
VLAN 40
SWx
interface F0/XX
Switchport mode access
Switchport access vlan XX
!
interface F0/XX
Switchport trunk encapsulation dot1q
Switchport mode trunk
Task 5
Test by pinging directly connected interfaces on each router and on the
Switch1.


Module 3 RIP V2


Lab 1 Basic RIPv2 Configuration


Note: It builds on the topology created in the previous lab.
Task 1
Configure Loopback 0 on all routers and SW1. Use the format of
X.X.X.X/8 for the IP address of the loopback. Use 15 for Switch1.
Task 2
Configure RIP V2 on all Devices to advertise all directly connected
networks. Disable Auto-summary.
R1
Router Rip
Version 2
No auto-summary
Network 1.0.0.0
Network 192.1.13.0
Network 192.1.15.0
R2
Router Rip
Version 2
No auto-summary
Network 2.0.0.0
Network 192.1.2.0
R3
Router Rip
Version 2
No auto-summary
Network 3.0.0.0
Network 192.1.34.0
Network 192.1.13.0
R4
Router Rip
Version 2
No auto-summary
Network 4.0.0.0
Network 192.1.34.0
R5
Router Rip
Version 2
No auto-summary
Network 5.0.0.0
Network 192.1.15.0
Switch1
IP Routing
!
Router RIP
Version 2
No auto-summary
Network 15.0.0.0
Network 192.1.2.0
Network 192.1.34.0

Lab 2 Configuring RIPv2 Authentication

(Builds on Lab 1)
Task 1
Configure Clear Text authentication between R1 and R5. Use ccie as the
key-string with a key-id of 1.
R1
Key chain AUTH
Key 1
Key-string ccie
!
Interface F 0/0.1
Ip rip authentication key-chain AUTH
R5
Key chain AUTH
Key 1
Key-string ccie
!
Interface F 0/0
Ip rip authentication key-chain AUTH

Task 2
Configure MD5 authentication for all links except the previously
configured link between R1 and R5. Use the same key and key-string.
R1
Interface F 0/0.2
Ip rip authentication key-chain AUTH
Ip rip authentication mode MD5
R2
Key chain AUTH
Key 1
Key-string ccie
!
Interface F 0/0
Ip rip authentication key-chain AUTH
Ip rip authentication mode MD5
R3
Key chain AUTH
Key 1
Key-string ccie
!
Interface F 0/0.1
Ip rip authentication key-chain AUTH
Ip rip authentication mode MD5
!
Interface F 0/0.2
Ip rip authentication key-chain AUTH
Ip rip authentication mode MD5
R4
Key chain AUTH
Key 1
Key-string ccie
!
Interface F 0/0
Ip rip authentication key-chain AUTH
Ip rip authentication mode MD5
SW1
Key chain AUTH
Key 1
Key-string ccie
!
Interface VLAN 30
Ip rip authentication key-chain AUTH
Ip rip authentication mode MD5
!
Interface VLAN 40
Ip rip authentication key-chain AUTH
Ip rip authentication mode MD5
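
The only difference between Task 1 and Task 2 is the `ip rip authentication mode md5` line: with a key chain alone, IOS uses text mode and the key-string travels in clear text inside every RIP update. The following Python audit is an added example, not part of the workbook; it classifies each interface in an indented, `show running-config` style configuration, and the sample configuration is constructed from this lab's R1 solution.

```python
import re

# Constructed sample: R1 after Task 1 (F0/0.1, clear text towards R5)
# and Task 2 (F0/0.2, MD5 towards R3), in "show running-config" layout.
SAMPLE_CONFIG = """\
key chain AUTH
 key 1
  key-string ccie
!
interface FastEthernet0/0.1
 ip rip authentication key-chain AUTH
!
interface FastEthernet0/0.2
 ip rip authentication key-chain AUTH
 ip rip authentication mode md5
!
interface Loopback0
 ip address 1.1.1.1 255.0.0.0
"""


def parse_sections(config):
    """Split an indented IOS config into [top-level line, [child lines]]."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append([raw.strip(), []])
    return sections


def audit_rip_auth(config):
    """Return {interface: status} where status is one of
    'md5', 'clear-text', 'missing-key-chain' or 'none'."""
    sections = parse_sections(config)

    # Key chain names are case-sensitive, so compare them exactly.
    key_chains = set()
    for head, _ in sections:
        m = re.match(r"key chain (\S+)$", head, re.IGNORECASE)
        if m:
            key_chains.add(m.group(1))

    findings = {}
    for head, children in sections:
        m = re.match(r"interface\s+(\S+)", head, re.IGNORECASE)
        if not m:
            continue
        chain, md5 = None, False
        for cmd in children:
            c = re.match(r"ip rip authentication key-chain (\S+)$", cmd,
                         re.IGNORECASE)
            if c:
                chain = c.group(1)
            if re.match(r"ip rip authentication mode md5$", cmd, re.IGNORECASE):
                md5 = True
        if chain is None:
            status = "none"                # no RIP authentication configured
        elif chain not in key_chains:
            status = "missing-key-chain"   # references an undefined key chain
        elif md5:
            status = "md5"
        else:
            status = "clear-text"          # key chain without "mode md5"
        findings[m.group(1)] = status
    return findings


if __name__ == "__main__":
    for interface, status in audit_rip_auth(SAMPLE_CONFIG).items():
        print(f"{interface:22} {status}")
```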


Lab 3 Route Filtering using Access Control Lists

(Builds on Lab 2)
Task 1
Configure the following Loopback Interfaces on R3:
Loopback 21: 201.1.1.1/24
Loopback 22: 201.1.2.1/24
Loopback 23: 201.1.3.1/24
Loopback 24: 201.1.4.1/24
Loopback 25: 201.1.5.1/24
Loopback 26: 201.1.6.1/24

R3
Interface loopback 21
Ip address 201.1.1.1 255.255.255.0
Interface loopback 22
Ip address 201.1.2.1 255.255.255.0
Interface loopback 23
Ip address 201.1.3.1 255.255.255.0
Interface loopback 24
Ip address 201.1.4.1 255.255.255.0
Interface loopback 25
Ip address 201.1.5.1 255.255.255.0
Interface loopback 26
Ip address 201.1.6.1 255.255.255.0
Task 2
R1 should only receive routes from the 201.1.X.0 range that have an
even number in the 3rd Octet. Use the minimum number of lines possible
to accomplish this task. No configuration should be done on R1. Make
sure R4 and Switch1 receive all 201.1.X.0 routes.
R3
Access-list 2 deny 201.1.1.0 0.0.254.255
Access-list 2 permit any
!
Router RIP
Network 201.1.1.0
Network 201.1.2.0
Network 201.1.3.0

Network 201.1.4.0
Network 201.1.5.0
Network 201.1.6.0
Distribute-list 2 out F0/0.1


Lab 4 Route Filtering using Prefix-lists

(Builds on Lab 3)
Task 1
Configure the following Loopback Interfaces on R5 and advertise them
under RIP:
Loopback 21: 150.50.1.1/24
Loopback 22: 150.50.2.1/24
Loopback 23: 150.50.3.1/24
Loopback 24: 205.1.1.33/27
Loopback 25: 206.1.1.17/28
Loopback 26: 107.1.1.1/16

R5
Interface loopback 21
Ip address 150.50.1.1 255.255.255.0
Interface loopback 22
Ip address 150.50.2.1 255.255.255.0
Interface loopback 23
Ip address 150.50.3.1 255.255.255.0
Interface loopback 24
Ip address 205.1.1.33 255.255.255.224
Interface loopback 25
Ip address 206.1.1.17 255.255.255.240
Interface loopback 26
Ip address 107.1.1.1 255.255.0.0
!
Router Rip
Network 150.50.0.0
Network 205.1.1.0
Network 206.1.1.0
Network 107.0.0.0
Task 2
R1 should only receive prefixes with a prefix-length of 8 to 24 from R5.
Configure the Filtering on R1.
R1
ip prefix-list PLIST permit 0.0.0.0/0 ge 8 le 24
!

Router RIP
distribute-list prefix PLIST in F0/0.1


Lab 5 Route Summarization with RIP


(Builds on Lab 4)
Task 1
Configure the following Loopback Interfaces on Switch1 and advertise
them under RIP:
Loopback 41: 154.1.8.1/24
Loopback 42: 154.1.9.1/24
Loopback 43: 154.1.10.1/24
Loopback 44: 154.1.11.1/24
Loopback 45: 154.1.12.1/24
Loopback 46: 154.1.13.1/24
Loopback 47: 154.1.14.1/24
Loopback 48: 154.1.15.1/24

SW1
Interface loopback 41
Ip address 154.1.8.1 255.255.255.0
Interface loopback 42
Ip address 154.1.9.1 255.255.255.0
Interface loopback 43
Ip address 154.1.10.1 255.255.255.0
Interface loopback 44
Ip address 154.1.11.1 255.255.255.0
Interface loopback 45
Ip address 154.1.12.1 255.255.255.0
Interface loopback 46
Ip address 154.1.13.1 255.255.255.0
Interface loopback 47
Ip address 154.1.14.1 255.255.255.0
Interface loopback 48
Ip address 154.1.15.1 255.255.255.0
!
Router Rip
Network 154.1.0.0
Task 2
Ensure that all routers except R2 only get a summary route from
Switch1 for the new Loopback interfaces that were created in Task 1. R2
should get all the specific routes. Do not enable auto summary on SW1.
SW1

int VLAN 30
ip summary-address rip 154.1.8.0 255.255.248.0


Module 4 EIGRP


Lab 1 Basic EIGRP Configuration

[Diagram: R1 and R2 connected over F 0/0, R2 and R3 over S 0/0, R3 and R4 over F 0/0; each router has a Loopback 0]

Interface IP Address Configuration

R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
F 0/0         192.1.12.1     255.255.255.0

R2
Interface     IP Address     Subnet Mask
Loopback 0    2.2.2.2        255.0.0.0
F 0/0         192.1.12.2     255.255.255.0
S 0/0         192.1.23.2     255.255.255.0

R3
Interface     IP Address     Subnet Mask
Loopback 0    3.3.3.3        255.0.0.0
S 0/0         192.1.23.3     255.255.255.0
F 0/0         192.1.34.3     255.255.255.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.0.0.0
F 0/0         192.1.34.4     255.255.255.0

Task 1
Configure the interfaces with the appropriate addresses. Configure the
Serial interfaces between R2 and R3 using Frame Relay. Configure the
interface as a Regular Frame Relay interface. Configure the Frame Relay
mapping manually.
R1
Interface Loopback 0
Ip address 1.1.1.1 255.0.0.0
!
Interface F 0/0
Ip address 192.1.12.1 255.255.255.0
No shut
R2
Interface Loopback 0
Ip address 2.2.2.2 255.0.0.0
!
Interface F 0/0
Ip address 192.1.12.2 255.255.255.0
No shut
!
Interface S 0/0
Ip address 192.1.23.2 255.255.255.0
Encap frame-relay
No frame-relay inverse-arp
Frame-relay map ip 192.1.23.3 203 broad
No shut
R3
Interface Loopback 0
Ip address 3.3.3.3 255.0.0.0
!
Interface F 0/0
Ip address 192.1.34.3 255.255.255.0
No shut
!
Interface S 0/0
Ip address 192.1.23.3 255.255.255.0
Encap frame-relay
No frame-relay inverse-arp
Frame-relay map ip 192.1.23.2 302 broad
No shut
R4
Interface Loopback 0
Ip address 4.4.4.4 255.0.0.0
!
Interface F 0/0
Ip address 192.1.34.4 255.255.255.0
No shut

Task 2
Configure EIGRP on all 4 routers in AS 12353. Disable Auto-summary.
R1
Router EIGRP 12353
No auto-summary
Network 1.0.0.0
Network 192.1.12.0
R2
Router EIGRP 12353
No auto-summary
Network 2.0.0.0
Network 192.1.12.0
Network 192.1.23.0
R3
Router EIGRP 12353
No auto-summary
Network 3.0.0.0
Network 192.1.34.0
Network 192.1.23.0
R4
Router EIGRP 12353
No auto-summary
Network 4.0.0.0
Network 192.1.34.0

Lab 2 EIGRP Authentication


(Builds on Lab1)
Task 1
Configure MD5 authentication for all links. Use ccie as the key-string
with a key-id of 1.
R1
Key chain AUTH
Key 1
Key-string ccie
!
Interface F 0/0
Ip authentication key-chain eigrp 12353 AUTH
Ip authentication mode eigrp 12353 MD5
R2
Key chain AUTH
Key 1
Key-string ccie
!
Interface S 0/0
Ip authentication key-chain eigrp 12353 AUTH
Ip authentication mode eigrp 12353 MD5
!
Interface F 0/0
Ip authentication key-chain eigrp 12353 AUTH
Ip authentication mode eigrp 12353 MD5
R3
Key chain AUTH
Key 1
Key-string ccie
!
Interface S 0/0
Ip authentication key-chain eigrp 12353 AUTH
Ip authentication mode eigrp 12353 MD5
!
Interface F 0/0
Ip authentication key-chain eigrp 12353 AUTH
Ip authentication mode eigrp 12353 MD5
R4
Key chain AUTH
Key 1
Key-string ccie
!
Interface F 0/0
Ip authentication key-chain eigrp 12353 AUTH
Ip authentication mode eigrp 12353 MD5

Lab 3 Advanced EIGRP Configurations


(Builds on Lab 2)
Lab Objective:
Task 1
Configure all routers such that they advertise EIGRP routes with greater
than 110 hops as unreachable.
R1
router eigrp 12353
metric maximum-hops 110
R2
router eigrp 12353
metric maximum-hops 110
R3
router eigrp 12353
metric maximum-hops 110
R4
router eigrp 12353
metric maximum-hops 110

Task 2
Change the administrative distance of all internal and external EIGRP
networks to be 95.
R1
router eigrp 12353
distance eigrp 95 95
R2
router eigrp 12353
distance eigrp 95 95
R3
router eigrp 12353
distance eigrp 95 95
R4
router eigrp 12353
distance eigrp 95 95

Task 3
Ensure that R2 never uses more than 45% of the bandwidth for EIGRP
updates; you should use an EIGRP specific command to accomplish this
task.
R2
Interface S 0/0
ip bandwidth-percent eigrp 12353 45
Interface F 0/0
ip bandwidth-percent eigrp 12353 45


Lab 4 Route Filtering Using ACLs


(Builds on Lab 3)
Task 1
Configure the following Loopback Interfaces on R2:
Loopback 21: 201.1.1.1/24
Loopback 22: 201.1.2.1/24
Loopback 23: 201.1.3.1/24
Loopback 24: 201.1.4.1/24
Loopback 25: 201.1.5.1/24
Loopback 26: 201.1.6.1/24

R2
Interface loopback 21
Ip address 201.1.1.1 255.255.255.0
Interface loopback 22
Ip address 201.1.2.1 255.255.255.0
Interface loopback 23
Ip address 201.1.3.1 255.255.255.0
Interface loopback 24
Ip address 201.1.4.1 255.255.255.0
Interface loopback 25
Ip address 201.1.5.1 255.255.255.0
Interface loopback 26
Ip address 201.1.6.1 255.255.255.0
Task 2
R1 should only receive routes from the 201.1.X.0 range that have an
even number in the 3rd Octet. Use the minimum number of lines possible
to accomplish this task. No configuration should be done on R1. Make
sure R3 and R4 receive all 201.1.X.0 routes.
R2
Access-list 2 deny 201.1.1.0 0.0.254.255
Access-list 2 permit any
!
Router EIGRP 12353
Network 201.1.1.0
Network 201.1.2.0
Network 201.1.3.0
Network 201.1.4.0

Network 201.1.5.0
Network 201.1.6.0
Distribute-list 2 out F 0/0
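
Why the single line `access-list 2 deny 201.1.1.0 0.0.254.255` removes every odd third octet, in this lab and in the RIP version of the same task (Module 3, Lab 3): an added Python example, not part of the workbook, that evaluates the wildcard mask bit by bit. The function names are chosen for illustration, and it generalizes to any base address and wildcard.

```python
import ipaddress


def wildcard_match(address, base, wildcard):
    """True when `address` matches `base` under an IOS wildcard mask.

    A 0 bit in the wildcard means the bit must match the base;
    a 1 bit means the bit is ignored.
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# access-list 2 from the lab, as (action, base, wildcard).
ACL_2 = [
    ("deny", "201.1.1.0", "0.0.254.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # "permit any"
]

# The six loopback networks configured in Task 1.
ROUTES = ["201.1.%d.0" % n for n in range(1, 7)]


def evaluate(acl, network):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action
    return "deny"


def advertised(acl, routes):
    """Routes that survive a 'distribute-list <acl> out' filter."""
    return [r for r in routes if evaluate(acl, r) == "permit"]


def denied_third_octets(acl):
    """Every third-octet value of 201.1.X.0 that the ACL filters out."""
    return [x for x in range(256) if evaluate(acl, "201.1.%d.0" % x) == "deny"]


if __name__ == "__main__":
    # Wildcard 254 in the third octet is 11111110: only the lowest bit is
    # compared, and the base value 1 has that bit set, so odd values match.
    for route in ROUTES:
        print(route, evaluate(ACL_2, route))
    print("odd octets denied:", len(denied_third_octets(ACL_2)))
```

The first two octets have a wildcard of 0, so a route such as 201.2.1.0 is not caught by the deny line and falls through to `permit any`.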


Lab 5 Route Filtering Using Prefix-List


(Builds on Lab 4)
Task 1
Configure the following Loopback Interfaces on R3 and advertise them
under RIP:
Loopback 21: 150.50.1.1/24
Loopback 22: 150.50.2.1/24
Loopback 23: 150.50.3.1/24
Loopback 24: 205.1.1.33/27
Loopback 25: 206.1.1.17/28
Loopback 26: 107.1.1.1/16

R3
Interface loopback 21
Ip address 150.50.1.1 255.255.255.0
Interface loopback 22
Ip address 150.50.2.1 255.255.255.0
Interface loopback 23
Ip address 150.50.3.1 255.255.255.0
Interface loopback 24
Ip address 205.1.1.33 255.255.255.224
Interface loopback 25
Ip address 206.1.1.17 255.255.255.240
Interface loopback 26
Ip address 107.1.1.1 255.255.0.0
!
Router EIGRP 12353
Network 150.50.0.0
Network 205.1.1.0
Network 206.1.1.0
Network 107.0.0.0
Task 2
R4 should only receive prefixes with a prefix-length of 8 to 24 from R3.
R4
ip prefix-list ABC permit 0.0.0.0/0 ge 8 le 24
!
Router EIGRP 12353
distribute-list prefix ABC in F0/0
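
How `permit 0.0.0.0/0 ge 8 le 24` sorts the six loopback networks, both here and in the RIP version of the task (Module 3, Lab 4, prefix-list PLIST): an added Python example, not part of the workbook, that applies the prefix-list matching rules (leading bits of the entry must match, prefix length must fall in the ge/le range, first match wins, implicit deny at the end). Function names are chosen for illustration.

```python
import ipaddress


def entry_matches(route, prefix, ge=None, le=None):
    """Does `route` match one prefix-list entry `prefix [ge N] [le M]`?"""
    route = ipaddress.ip_network(route)
    entry = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        low = high = entry.prefixlen          # exact length only
    else:
        low = ge if ge is not None else entry.prefixlen
        high = le if le is not None else 32
    if not low <= route.prefixlen <= high:
        return False
    # The first entry.prefixlen bits of the route must equal the entry's.
    return route.subnet_of(entry)


def evaluate(prefix_list, route):
    """First matching entry wins; a prefix-list ends with an implicit deny."""
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"


# ip prefix-list ABC permit 0.0.0.0/0 ge 8 le 24
PLIST = [("permit", "0.0.0.0/0", 8, 24)]

# Loopback addresses from Task 1.
LOOPBACKS = [
    "150.50.1.1/24", "150.50.2.1/24", "150.50.3.1/24",
    "205.1.1.33/27", "206.1.1.17/28", "107.1.1.1/16",
]


def connected_networks(addresses):
    """Network each interface address belongs to, as advertised."""
    return [str(ipaddress.ip_interface(a).network) for a in addresses]


def accepted(prefix_list, routes):
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]


if __name__ == "__main__":
    for net in connected_networks(LOOPBACKS):
        print(f"{net:18} {evaluate(PLIST, net)}")
    # 0.0.0.0/0 matches every address, so only the length range filters:
    # the /27 and /28 are longer than 24, and a default route (/0) is
    # shorter than 8, so all three are dropped by the implicit deny.
    print("0.0.0.0/0", evaluate(PLIST, "0.0.0.0/0"))
```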

Lab 6 Route Summarization with EIGRP

(Builds on Lab 5)
Task 1
Configure the following Loopback Interfaces on R3 and advertise them
under RIP:
Loopback 41: 194.1.8.1/24
Loopback 42: 194.1.9.1/24
Loopback 43: 194.1.10.1/24
Loopback 44: 194.1.11.1/24
Loopback 45: 194.1.12.1/24
Loopback 46: 194.1.13.1/24
Loopback 47: 194.1.14.1/24
Loopback 48: 194.1.15.1/24

R3
Interface loopback 41
Ip address 194.1.8.1 255.255.255.0
Interface loopback 42
Ip address 194.1.9.1 255.255.255.0
Interface loopback 43
Ip address 194.1.10.1 255.255.255.0
Interface loopback 44
Ip address 194.1.11.1 255.255.255.0
Interface loopback 45
Ip address 194.1.12.1 255.255.255.0
Interface loopback 46
Ip address 194.1.13.1 255.255.255.0
Interface loopback 47
Ip address 194.1.14.1 255.255.255.0
Interface loopback 48
Ip address 194.1.15.1 255.255.255.0
!
Router EIGRP 12353
Network 194.1.8.0
Network 194.1.9.0
Network 194.1.10.0
Network 194.1.11.0
Network 194.1.12.0
Network 194.1.13.0
Network 194.1.14.0
Network 194.1.15.0
Task 2
Ensure that all routers only get a summary route from R3 for the new
Loopback interfaces that were created in Task 1. R3 should NOT enable
auto summary.
R3
int F 0/0
ip summary-address eigrp 12353 194.1.8.0 255.255.248.0
!
int S 0/0
ip summary-address eigrp 12353 194.1.8.0 255.255.248.0


Lab 7 Configuring EIGRP Stub


(Builds on Lab 6)
Task 1
Configure Loopback100 on R1. Assign it an address of 200.11.11.11/24.
The rest of the network needs reachability for the new loopback of R1. Do
not use the "network" statement to advertise the loopback address on R1.
R1
Interface loopback100
IP address 200.11.11.11 255.255.255.0
!
Route-map REDCON permit 10
Match interface Loopback100
Router EIGRP 12353
Redistribute connected route-map REDCON
Task 2
R1 is a low-end spoke router that has a low-bandwidth connection to the
hub. Ensure that EIGRP queries are not sent to the spoke.
R1
Router EIGRP 12353
Eigrp stub


Module 5 OSPF


Lab 1 Configure OSPF on Ethernet


[Diagram: R1 (L0 1.1.1.1/8, F 0/0 .1), R2 (L0 2.2.2.2/8, F 0/0 .2), R3 (L0 3.3.3.3/8, F 0/0 .3) and R4 (L0 4.4.4.4/8, F 0/0 .4) share the 192.1.100.0/24 Ethernet segment]

Interface IP Address Configuration

R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
F 0/0         192.1.100.1    255.255.255.0

R2
Interface     IP Address     Subnet Mask
Loopback 0    2.2.2.2        255.0.0.0
F 0/0         192.1.100.2    255.255.255.0

R3
Interface     IP Address     Subnet Mask
Loopback 0    3.3.3.3        255.0.0.0
F 0/0         192.1.100.3    255.255.255.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.0.0.0
F 0/0         192.1.100.4    255.255.255.0

Configure the Interface IP addresses based on the above table


Task 1
Configure OSPF on a Broadcast Multi-Access(BMA) Ethernet network in
Area 0. Advertise all networks on all routers. Hard Code the Router-id
based on the following:
R1 11.11.11.11
R2 22.22.22.22
R3 33.33.33.33
R4 44.44.44.44
R1
Router OSPF 1
Router-id 11.11.11.11
Network 1.1.1.1 0.0.0.0 area 0
Network 192.1.100.1 0.0.0.0 area 0
R2
Router OSPF 1
Router-id 22.22.22.22
Network 2.2.2.2 0.0.0.0 area 0
Network 192.1.100.2 0.0.0.0 area 0
R3
Router OSPF 1
Router-id 33.33.33.33
Network 3.3.3.3 0.0.0.0 area 0
Network 192.1.100.3 0.0.0.0 area 0
R4
Router OSPF 1
Router-id 44.44.44.44
Network 4.4.4.4 0.0.0.0 area 0
Network 192.1.100.4 0.0.0.0 area 0

Task 2
Configure the routers such that R1 becomes the DR and R2 as the BDR
on the 100 Network.
R1
Interface F 0/0
Ip ospf priority 100
R2
Interface F 0/0
Ip ospf priority 50

Note: Issue the Clear ip ospf process command to reset the OSPF
process for the change to take effect.


Lab 2 Configure OSPF over Frame-Relay

[Diagram: R1, R2, R3 and R4 connected to the Frame-Relay cloud]

Task 1
Configure the following loopback on all the routers:
R1 Loopback 0 1.1.1.1/8
R2 Loopback 0 2.2.2.2/8
R3 Loopback 0 3.3.3.3/8
R4 Loopback 0 4.4.4.4/8
R1
Interface Loopback 0
Ip address 1.1.1.1 255.0.0.0
R2
Interface Loopback 0
Ip address 2.2.2.2 255.0.0.0
R3
Interface Loopback 0
Ip address 3.3.3.3 255.0.0.0
R4
Interface Loopback 0
Ip address 4.4.4.4 255.0.0.0

Task 2
Configure the link between R1 and R4 using Frame Relay. Keep in mind
that R1 will also be connected to R2 and R3 over a Multipoint interface.
Do not create any sub-interfaces on R4. Do not rely on Inverse ARP for
Frame Relay mappings. Do not use the Frame-relay map command on
R1 for this task. Use 192.1.14.0/24 as the network for this link.
R1
Interface S 0/0
Encap frame-relay
No frame-relay inverse-ARP
No shut
Interface S0/0.14 point-to-point
Ip address 192.1.14.1 255.255.255.0
Frame-relay interface-dlci 104
R4
Interface S0/0
Ip address 192.1.14.4 255.255.255.0
Encap frame-relay
No frame-relay inverse-arp
Frame-relay map ip 192.1.14.1 401 broad
No shut

Task 3
Configure the link between R1, R2 and R3 using Frame Relay. This link
should be a multipoint link. Do not create any sub-interfaces on R2 and
R3. Do not rely on Inverse ARP for Frame Relay mappings. Use
192.1.123.0/24 as the network for this link. All routers should be able to
ping each other and their own local frame-relay interfaces.
R1
Interface S0/0.23 multipoint
Ip address 192.1.123.1 255.255.255.0
Frame-relay map ip 192.1.123.1 102 broad
Frame-relay map ip 192.1.123.2 102 broad
Frame-relay map ip 192.1.123.3 103
R2
Interface S0/0
Ip address 192.1.123.2 255.255.255.0
Encap frame-relay
No frame-relay inverse-arp
Frame-relay map ip 192.1.123.1 201 broad
Frame-relay map ip 192.1.123.2 201
Frame-relay map ip 192.1.123.3 201
No shut
R3
Interface S0/0
Ip address 192.1.123.3 255.255.255.0

Encap frame-relay
No frame-relay inverse-arp
Frame-relay map ip 192.1.123.1 301 broad
Frame-relay map ip 192.1.123.2 301
Frame-relay map ip 192.1.123.3 301
No shut
Task 4
Configure OSPF in Area 0 as the routing protocol between R1, R2, R3
and R4. All loopback networks should be visible in all routing tables.
They should be using a /8 mask. Hard-code the router ID based on the
Loopback 0 addresses. Do not use the OSPF network type broadcast on
any of the Frame Relay links.
R1
Interface S0/0.23
Ip ospf network point-to-multipoint
!
Interface Loopback 0
Ip ospf network point-to-point
!
Router OSPF 1
Router-id 1.1.1.1
Network 1.0.0.0 0.255.255.255 area 0
Network 192.1.123.0 0.0.0.255 area 0
Network 192.1.14.0 0.0.0.255 area 0
R2
Interface S0/0
Ip ospf network point-to-multipoint
!
Interface Loopback 0
Ip ospf network point-to-point
!
Router OSPF 1
Router-id 2.2.2.2
Network 2.0.0.0 0.255.255.255 area 0
Network 192.1.123.0 0.0.0.255 area 0
R3
Interface S0/0
Ip ospf network point-to-multipoint
!
Interface Loopback 0
Ip ospf network point-to-point
!
Router OSPF 1
Router-id 3.3.3.3
Network 3.0.0.0 0.255.255.255 area 0
Network 192.1.123.0 0.0.0.255 area 0
R4
Interface S0/0
Ip ospf network point-to-point
!
Interface Loopback 0
Ip ospf network point-to-point
!
Router OSPF 1
Router-id 4.4.4.4
Network 4.0.0.0 0.255.255.255 area 0
Network 192.1.14.0 0.0.0.255 area 0


Lab 3 Configuring Virtual Link

[Figure: network diagram with R1, R2, R3, R4, R5 and Switch 1; labelled networks 192.1.12.0/24, 192.1.234.0/24, 192.1.3.0/24 (VLAN 3) and 192.1.5.0/24 (VLAN 5)]

R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
F 0/0         192.1.12.1     255.255.255.0

R2
Interface     IP Address     Subnet Mask
F 0/0         192.1.12.2     255.255.255.0
S 0/0         192.1.234.2    255.255.255.0
Loopback 0    2.2.2.2        255.0.0.0

R3
Interface     IP Address     Subnet Mask
S 0/0         192.1.234.3    255.255.255.0
F 0/0         192.1.3.3      255.255.255.0
Loopback 0    3.3.3.3        255.0.0.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.0.0.0
S 0/0         192.1.234.4    255.255.255.0

R5
Interface     IP Address     Subnet Mask
Loopback 0    5.5.5.5        255.0.0.0
F 0/0         192.1.5.5      255.255.255.0

SW1
Interface     IP Address     Subnet Mask
Loopback 0    55.55.55.55    255.0.0.0
VLAN 3        192.1.3.33     255.255.255.0
VLAN 5        192.1.5.55     255.255.255.0

Interface Configuration
R1
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface F 0/0
ip address 192.1.12.1 255.255.255.0
no shutdown
R2
interface Loopback0
ip address 2.2.2.2 255.0.0.0
!
Interface F0/0
ip address 192.1.12.2 255.255.255.0
no shutdown
!
interface Serial0/0
ip address 192.1.234.2 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.1.234.3 203 broadcast
frame-relay map ip 192.1.234.4 204 broadcast
no frame-relay inverse-arp
no shutdown
R3
interface Loopback0
ip address 3.3.3.3 255.0.0.0
!
interface F 0/0
ip address 192.1.3.3 255.255.255.0
no shutdown
!
interface Serial0/0
ip address 192.1.234.3 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.1.234.2 302 broadcast
frame-relay map ip 192.1.234.4 302
no frame-relay inverse-arp
no shutdown
R4
interface Loopback0
ip address 4.4.4.4 255.0.0.0
!
interface Serial0/0
ip address 192.1.234.4 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.1.234.2 402 broadcast
frame-relay map ip 192.1.234.3 402
no frame-relay inverse-arp
no shutdown
R5
interface Loopback0
ip address 5.5.5.5 255.0.0.0
!
interface F 0/0
ip address 192.1.5.5 255.255.255.0
no shutdown
Switch
interface Loopback0
ip address 55.55.55.55 255.0.0.0
!
interface Vlan3
ip address 192.1.3.33 255.255.255.0
no shutdown
!
interface Vlan5
ip address 192.1.5.55 255.255.255.0
no shutdown

Task 1
Run OSPF as your Routing Protocol on all Routers and the Switch.
Advertise the networks in the following areas:
Area 0: R1 Loopback 0, R1 F 0/0, R2 F 0/0, R2 Loopback 0
Area 10: R2 S 0/0, R3 S 0/0, R3 Loop 0, R4 S 0/0, R4 Loop 0
Area 100: R3 F 0/0, SW VLAN 3, SW VLAN 5, SW Loopback 0, R5 F 0/0, R5 Loop 0
Configure a Virtual Link between the appropriate devices.
R1
router ospf 1
network 1.0.0.0 0.255.255.255 area 0
network 192.1.12.0 0.0.0.255 area 0
R2
router ospf 1
router-id 2.2.2.2
area 10 virtual-link 3.3.3.3
network 2.0.0.0 0.255.255.255 area 0
network 192.1.12.0 0.0.0.255 area 0
network 192.1.234.0 0.0.0.255 area 10
!
interface S 0/0
ip ospf network point-to-multipoint
R3
router ospf 1
router-id 3.3.3.3
area 10 virtual-link 2.2.2.2
network 3.0.0.0 0.255.255.255 area 10
network 192.1.3.0 0.0.0.255 area 100
network 192.1.234.0 0.0.0.255 area 10
!
interface S 0/0
ip ospf network point-to-multipoint
R4
router ospf 1
network 4.0.0.0 0.255.255.255 area 10
network 192.1.234.0 0.0.0.255 area 10
!
interface S 0/0
ip ospf network point-to-multipoint
R5
router ospf 1
network 5.0.0.0 0.255.255.255 area 100
network 192.1.5.0 0.0.0.255 area 100
SW1
router ospf 1
network 55.0.0.0 0.255.255.255 area 100
network 192.1.3.0 0.0.0.255 area 100
network 192.1.5.0 0.0.0.255 area 100
Lab 4 Configuring OSPF Authentication


(Builds on Lab 3)
Task 1
All routers and the switch should Authenticate Routing updates using
the most secure authentication method. The Virtual Link should also be
authenticated. Use Key 1 with a key-string of ccie. Do not use wide
authentication.
R1
interface F 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ccie
R2
interface F 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ccie
!
interface Serial0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ccie
!
router ospf 1
area 10 virtual-link 3.3.3.3 authentication message-digest
area 10 virtual-link 3.3.3.3 message-digest-key 1 md5 ccie
R3
interface F 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ccie
!
interface Serial0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ccie
!
router ospf 1
area 10 virtual-link 2.2.2.2 authentication message-digest
area 10 virtual-link 2.2.2.2 message-digest-key 1 md5 ccie
R4
interface Serial0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ccie
SW1
interface Vlan3
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ccie
!
interface Vlan5
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ccie
R5
interface F 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 ccie
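
What the message-digest-key lines above protect on the wire, as an added example that is not part of the workbook: with cryptographic authentication (RFC 2328 Appendix D) each OSPF packet carries a key ID and sequence number in its header and is followed by MD5(packet + key padded to 16 bytes). The Hello field values and the function names below are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 header as laid out for cryptographic authentication (AuType 2):
# version, type, length, router ID, area ID, checksum (0), AuType,
# reserved (0), key ID, digest length, cryptographic sequence number.
HEADER = struct.Struct("!BBH4s4sHHHBBI")
MD5_LEN = 16


def pad_key(key):
    """Keys are at most 16 bytes and are zero-padded to exactly 16."""
    raw = key.encode("ascii")
    if len(raw) > MD5_LEN:
        raise ValueError("OSPF MD5 keys are limited to 16 bytes")
    return raw.ljust(MD5_LEN, b"\x00")


def digest(packet, key):
    """MD5 over the OSPF packet followed by the padded key."""
    return hashlib.md5(packet + pad_key(key)).digest()


def build_hello(router_id, area_id, key_id, seq, key):
    """Build a constructed Hello and append its digest as a trailer."""
    ip = socket.inet_aton
    # mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", ip("255.255.255.0"), 10, 0x02, 1, 40,
                       ip("0.0.0.0"), ip("0.0.0.0"))
    length = HEADER.size + len(body)  # the digest is not counted in length
    header = HEADER.pack(2, 1, length, ip(router_id), ip(area_id),
                         0, 2, 0, key_id, MD5_LEN, seq)
    packet = header + body
    return packet + digest(packet, key)


def verify(wire, keys, last_seq=0):
    """Receiver-side checks; keys maps key ID -> key string."""
    if len(wire) < HEADER.size:
        return "truncated"
    (_ver, _type, length, _rid, _area, _cksum, autype,
     _zero, key_id, auth_len, seq) = HEADER.unpack_from(wire)
    if autype != 2:
        return "not cryptographic authentication"
    if key_id not in keys:
        return "unknown key id"
    if auth_len != MD5_LEN or length < HEADER.size or len(wire) < length + MD5_LEN:
        return "bad digest length"
    if seq < last_seq:
        return "replayed sequence number"
    expected = digest(wire[:length], keys[key_id])
    if not hmac.compare_digest(expected, wire[length:length + MD5_LEN]):
        return "digest mismatch"
    return "ok"


def tamper(wire, offset):
    """Return a copy of the packet with one byte flipped."""
    changed = bytearray(wire)
    changed[offset] ^= 0xFF
    return bytes(changed)


if __name__ == "__main__":
    hello = build_hello("2.2.2.2", "0.0.0.0", 1, 100, "ccie")
    print(verify(hello, {1: "ccie"}))
    print(verify(hello, {1: "cisco"}))
    print(verify(tamper(hello, 30), {1: "ccie"}))
```

The key itself never appears in the packet, and because the digest covers the header, the key ID and sequence number cannot be changed without failing verification.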


Lab 5 Multi-Area Configurations with Filtering

[Figure: network diagram with R1, R2, R3, R4, R5 and Switch 1; labelled networks 192.1.12.0/24, 192.1.234.0/24, 192.1.3.0/24 (VLAN 3) and 192.1.5.0/24 (VLAN 5)]

R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
F 0/0         192.1.12.1     255.255.255.0

R2
Interface     IP Address     Subnet Mask
F 0/0         192.1.12.2     255.255.255.0
S 0/0         192.1.234.2    255.255.255.0
Loopback 0    2.2.2.2        255.0.0.0

R3
Interface     IP Address     Subnet Mask
S 0/0         192.1.234.3    255.255.255.0
F 0/0         192.1.3.3      255.255.255.0
Loopback 0    3.3.3.3        255.0.0.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.0.0.0
S 0/0         192.1.234.4    255.255.255.0

R5
Interface     IP Address     Subnet Mask
Loopback 0    5.5.5.5        255.0.0.0
F 0/0         192.1.5.5      255.255.255.0

SW1
Interface     IP Address     Subnet Mask
Loopback 0    55.55.55.55    255.0.0.0
VLAN 3        192.1.3.33     255.255.255.0
VLAN 5        192.1.5.55     255.255.255.0

Interface Configuration
R1
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface F 0/0
ip address 192.1.12.1 255.255.255.0
no shutdown
R2
interface Loopback0
ip address 2.2.2.2 255.0.0.0
!
Interface F0/0
ip address 192.1.12.2 255.255.255.0
no shutdown
!
interface Serial0/0
ip address 192.1.234.2 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.1.234.3 203 broadcast
frame-relay map ip 192.1.234.4 204 broadcast
no frame-relay inverse-arp
no shutdown
R3
interface Loopback0
ip address 3.3.3.3 255.0.0.0
!
interface F 0/0
ip address 192.1.3.3 255.255.255.0
no shutdown
!
interface Serial0/0
ip address 192.1.234.3 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.1.234.2 302 broadcast
frame-relay map ip 192.1.234.4 302
no frame-relay inverse-arp
no shutdown
R4
interface Loopback0
ip address 4.4.4.4 255.0.0.0
!
interface Serial0/0
ip address 192.1.234.4 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.1.234.2 402 broadcast
frame-relay map ip 192.1.234.3 402
no frame-relay inverse-arp
no shutdown
R5
interface Loopback0
ip address 5.5.5.5 255.0.0.0
!
interface F 0/0
ip address 192.1.5.5 255.255.255.0
no shutdown
Switch
interface Loopback0
ip address 55.55.55.55 255.0.0.0
!
interface Vlan3
ip address 192.1.3.33 255.255.255.0
no shutdown
!
interface Vlan5
ip address 192.1.5.55 255.255.255.0
no shutdown


Task 1
Run OSPF as your Routing Protocol on all Routers and the Switch.
Configure the Frame Relay links as Point-to-multipoint network types.
Advertise the networks in the following areas:
Area 0 R2 S 0/0, R3 S 0/0, R3 Loop 0, R4 S 0/0, R4 Loop 0
Area 10 R1 Loopback 0, R1 F 0/0, R2 F 0/0, R2 Loop 0
Area 100 R3 F 0/0, SW VLAN 3, SW Loop 0
R1
router ospf 1
network 1.0.0.0 0.255.255.255 area 10
network 192.1.12.0 0.0.0.255 area 10
R2
router ospf 1
router-id 2.2.2.2
network 2.0.0.0 0.255.255.255 area 10
network 192.1.12.0 0.0.0.255 area 10
network 192.1.234.0 0.0.0.255 area 0
!
interface S 0/0
ip ospf network point-to-multipoint
R3
router ospf 1
router-id 3.3.3.3
network 3.0.0.0 0.255.255.255 area 0
network 192.1.3.0 0.0.0.255 area 100
network 192.1.234.0 0.0.0.255 area 0
!
interface S 0/0
ip ospf network point-to-multipoint
R4
router ospf 1
network 4.0.0.0 0.255.255.255 area 0
network 192.1.234.0 0.0.0.255 area 0
!
interface S 0/0
ip ospf network point-to-multipoint
SW1
router ospf 1
network 55.0.0.0 0.255.255.255 area 100
network 192.1.3.0 0.0.0.255 area 100
Task 2
Run RIP as a Routing Protocol between R5 and the Switch. Advertise the
Loopback on R5 in RIP. Mutually Redistribute RIP and OSPF on the
Switch.
R5
router rip
version 2
no auto-summary
network 5.0.0.0
network 192.1.5.0
Switch
router rip
version 2
no auto-summary
network 192.1.5.0
redistribute ospf 1 metric 1
!
router ospf 1
redistribute rip subnets

Task 3
Create the following Loopbacks on R2:
Loopback 21 12.1.1.1/24
Loopback 22 12.1.2.1/24
Advertise these newly created loopbacks in OSPF using the network
command. Make sure they appear in the routing table using a /24 mask.
Filter these routes going into Area 10. The configuration needs to be done
on R2.
R2
interface Loopback21
ip address 12.1.1.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback22
ip address 12.1.2.1 255.255.255.0
ip ospf network point-to-point
!
Ip prefix-list A10-IN deny 12.1.1.0/24
Ip prefix-list A10-IN deny 12.1.2.0/24
Ip prefix-list A10-IN permit 0.0.0.0/0 le 32
!
Router OSPF 1
Network 12.1.1.0 0.0.0.255 area 0
Network 12.1.2.0 0.0.0.255 area 0
Area 10 filter-list prefix A10-IN in
Task 4
Create the following Loopbacks on R4:
Loopback 41    44.1.1.1/24
Loopback 42    44.1.2.1/24
Loopback 43    44.1.3.1/24
Loopback 44    44.1.4.1/24

Advertise these newly created loopbacks in OSPF without using the
network command.
R4
interface Loopback41
ip address 44.1.1.1 255.255.255.0
!
interface Loopback42
ip address 44.1.2.1 255.255.255.0
!
interface Loopback43
ip address 44.1.3.1 255.255.255.0
!
interface Loopback44
ip address 44.1.4.1 255.255.255.0
!
access-list 1 permit 44.1.1.0 0.0.0.255
access-list 1 permit 44.1.2.0 0.0.0.255
access-list 1 permit 44.1.3.0 0.0.0.255
access-list 1 permit 44.1.4.0 0.0.0.255
!
route-map redcon permit 10
match ip address 1
!
router ospf 1
redistribute connected subnets route-map redcon
Task 5
Area 10 should not receive any Inter Area or External Routes. The
devices in Area 10 should have full connectivity to the rest of the
network. Do not use any filtering mechanism.
R1
router ospf 1
area 10 stub
R2
router ospf 1
area 10 stub no-summary

Task 6
Area 100 should not receive any Inter Area or External Routes from the
Backbone. It should have full connectivity to all routes. It should
maintain connectivity to routes learned via RIP and propagate these
routes to other Areas.
SW1
router ospf 1
area 100 nssa
R3
router ospf 1
area 100 nssa no-summary


Lab 6 Inter-Area Summarization


(Builds on Lab 5)
Task 1
Create the following Loopbacks on R1:
Loopback 201    201.1.4.1/24
Loopback 202    201.1.5.1/24
Loopback 203    201.1.6.1/24
Loopback 204    201.1.7.1/24

Advertise these newly created loopbacks in OSPF using the network
command. Make sure they appear in the routing table using a /24 mask.
These routes should be seen as a single summarized route outside of
area 10.
R1
interface Loopback 201
ip address 201.1.4.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback 202
ip address 201.1.5.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback 203
ip address 201.1.6.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback 204
ip address 201.1.7.1 255.255.255.0
ip ospf network point-to-point
!
Router OSPF 1
Network 201.1.4.0 0.0.0.255 area 10
Network 201.1.5.0 0.0.0.255 area 10
Network 201.1.6.0 0.0.0.255 area 10
Network 201.1.7.0 0.0.0.255 area 10
R2
Router OSPF 1
Area 10 range 201.1.4.0 255.255.252.0
Task 2
Create the following Loopbacks on R4:
Loopback 205    202.1.4.1/24
Loopback 206    202.1.5.1/24
Loopback 207    202.1.6.1/24
Loopback 208    202.1.7.1/24

Advertise these newly created loopbacks in OSPF without using the
network command. These routes should be seen as summarized.
R4
interface Loopback 205
ip address 202.1.4.1 255.255.255.0
!
interface Loopback 206
ip address 202.1.5.1 255.255.255.0
!
interface Loopback 207
ip address 202.1.6.1 255.255.255.0
!
interface Loopback 208
ip address 202.1.7.1 255.255.255.0
!
access-list 5 permit 202.1.4.0 0.0.0.255
access-list 5 permit 202.1.5.0 0.0.0.255
access-list 5 permit 202.1.6.0 0.0.0.255
access-list 5 permit 202.1.7.0 0.0.0.255
!
route-map redcon permit 10
match ip address 5
!
Router OSPF 1
Redistribute connected route-map redcon
Summary-address 202.1.4.0 255.255.252.0


Lab 7 Route Redistribution

[Figure: network diagram with R1, R2, R3, R4, R5 and Switch 1; labelled networks 192.1.12.0/24, 192.1.234.0/24, 192.1.3.0/24 (VLAN 3) and 192.1.5.0/24 (VLAN 5)]

R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
F 0/0         192.1.12.1     255.255.255.0

R2
Interface     IP Address     Subnet Mask
F 0/0         192.1.12.2     255.255.255.0
S 0/0         192.1.234.2    255.255.255.0
Loopback 0    2.2.2.2        255.0.0.0

R3
Interface     IP Address     Subnet Mask
S 0/0         192.1.234.3    255.255.255.0
F 0/0         192.1.3.3      255.255.255.0
Loopback 0    3.3.3.3        255.0.0.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.0.0.0
S 0/0         192.1.234.4    255.255.255.0

R5
Interface     IP Address     Subnet Mask
Loopback 0    5.5.5.5        255.0.0.0
F 0/0         192.1.5.5      255.255.255.0

SW1
Interface     IP Address     Subnet Mask
Loopback 0    55.55.55.55    255.0.0.0
VLAN 3        192.1.3.33     255.255.255.0
VLAN 5        192.1.5.55     255.255.255.0

Interface Configuration
R1
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface F 0/0
ip address 192.1.12.1 255.255.255.0
no shutdown
R2
interface Loopback0
ip address 2.2.2.2 255.0.0.0
!
Interface F0/0
ip address 192.1.12.2 255.255.255.0
no shutdown
!
interface Serial0/0
ip address 192.1.234.2 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.1.234.3 203 broadcast
frame-relay map ip 192.1.234.4 204 broadcast
no frame-relay inverse-arp
no shutdown
R3
interface Loopback0
ip address 3.3.3.3 255.0.0.0
!
interface F 0/0
ip address 192.1.3.3 255.255.255.0
no shutdown
!
interface Serial0/0
ip address 192.1.234.3 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.1.234.2 302 broadcast
frame-relay map ip 192.1.234.4 304
no frame-relay inverse-arp
no shutdown
R4
interface Loopback0
ip address 4.4.4.4 255.0.0.0
!
interface Serial0/0
ip address 192.1.234.4 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.1.234.2 402 broadcast
frame-relay map ip 192.1.234.3 403
no frame-relay inverse-arp
no shutdown
R5
interface Loopback0
ip address 5.5.5.5 255.0.0.0
!
interface F 0/0
ip address 192.1.5.5 255.255.255.0
no shutdown
Switch
interface Loopback0
ip address 55.55.55.55 255.0.0.0
!
interface Vlan3
ip address 192.1.3.33 255.255.255.0
no shutdown
!
interface Vlan5
ip address 192.1.5.55 255.255.255.0
no shutdown


Task 1
Create the following Loopbacks on R1. Run RIP V2 as the Routing
Protocol between R1 and R2. Advertise all directly connected networks
including the newly created loopbacks in RIP. Advertise the Loopback
and the F 0/0 Interface on R2 in RIP.
Loopback 1    192.2.1.1/24
Loopback 2    192.2.2.1/24
Loopback 3    192.2.3.1/24
Loopback 4    192.2.4.1/24
Loopback 5    192.2.5.1/24
Loopback 6    192.2.6.1/24
Loopback 7    192.2.7.1/24
Loopback 8    192.2.8.1/24

R1
interface Loopback1
ip address 192.2.1.1 255.255.255.0
!
interface Loopback2
ip address 192.2.2.1 255.255.255.0
!
interface Loopback3
ip address 192.2.3.1 255.255.255.0
!
interface Loopback4
ip address 192.2.4.1 255.255.255.0
!
interface Loopback5
ip address 192.2.5.1 255.255.255.0
!
interface Loopback6
ip address 192.2.6.1 255.255.255.0
!
interface Loopback7
ip address 192.2.7.1 255.255.255.0
!
interface Loopback8
ip address 192.2.8.1 255.255.255.0
!
router rip
version 2
network 1.0.0.0
network 192.1.12.0
network 192.2.1.0
network 192.2.2.0
network 192.2.3.0
network 192.2.4.0
network 192.2.5.0
network 192.2.6.0
network 192.2.7.0
network 192.2.8.0
no auto-summary
R2
router rip
version 2
network 2.0.0.0
network 192.1.12.0
no auto-summary
Task 2
Run EIGRP in AS 234 as the Routing Protocol between R2, R3 and R4.
Advertise all directly connected networks on R4 in EIGRP. Advertise the
S 0/0 interfaces on R2 and R3 in EIGRP. Also advertise the Loopback 0
network of R3 in EIGRP.
R2
router eigrp 234
network 192.1.234.0
no auto-summary
!
Interface S 0/0
No ip split-horizon eigrp 234
R3
router eigrp 234
network 3.0.0.0
network 192.1.234.0
no auto-summary
R4
router eigrp 234
network 4.0.0.0
network 192.1.234.0
no auto-summary
Task 3
Run OSPF in Area 0 as the Routing Protocol between R3, the Switch and
R5. Advertise all directly connected networks on R5 in OSPF. Advertise
the 2 VLAN interfaces and the Loopback on the Switch in OSPF.
Advertise the E 0/0 network in OSPF on R3.
R3
router ospf 1
network 192.1.3.0 0.0.0.255 area 0
R5
router ospf 1
network 5.0.0.0 0.255.255.255 area 0
network 192.1.5.0 0.0.0.255 area 0
Switch
router ospf 1
network 55.0.0.0 0.255.255.255 area 0
network 192.1.3.0 0.0.0.255 area 0
network 192.1.5.0 0.0.0.255 area 0
Task 4
Configure Mutual redistribution between RIP and EIGRP at the
appropriate router. Configure Mutual redistribution between EIGRP and
OSPF at the appropriate router. Make sure OSPF adds the cost of the
links in the OSPF metric for the External Routes.
R2
router eigrp 234
redistribute rip metric 1 1 1 1 1
!
router rip
redistribute eigrp 234 metric 5
R3
router eigrp 234
redistribute ospf 1 metric 1 1 1 1 1
!
router ospf 1
redistribute eigrp 234 metric 150 metric-type 1 subnets
Task 5
The RIP routes should not be leaked to OSPF and OSPF routes should
not be leaked to RIP. Do not use the Distribute-list or Prefix-list
command to accomplish this task. You might have to re-configure the
redistribution from the previous task to accomplish this.
R2
Route-map R-2-E per 10
Set tag 120
!
Route-map E-2-R deny 10
Match tag 110
Route-map E-2-R permit 20
!
router eigrp 234
redistribute rip metric 1 1 1 1 1 route-map R-2-E
!
router rip
redistribute eigrp 234 metric 5 route-map E-2-R
R3
Route-map O-2-E per 10
Set tag 110
!
Route-map E-2-O deny 10
Match tag 120
Route-map E-2-O permit 20
!
router eigrp 234
redistribute ospf 1 metric 1 1 1 1 1 route-map O-2-E
!
router ospf 1
redistribute eigrp 234 metric 150 metric-type 1 route-map E-2-O subnets


Module 6 BGP


Lab 1 Configuring eBGP


Physical Layout

[Figure: physical layout of R1, R2, R3 and R4; each router has Loopback 0 and Loopback 1; interfaces shown are F 0/0 and S 0/0]

BGP Logical Layout

[Figure: BGP logical layout; R1 in AS 1, R2 in AS 2, R3 in AS 3, R4 in AS 4]


Interface IP Address Configuration


R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
Loopback 1    11.1.0.1       255.255.0.0
F 0/0         192.1.12.1     255.255.255.0

R2
Interface     IP Address     Subnet Mask
Loopback 0    2.2.2.2        255.0.0.0
Loopback 1    12.1.0.1       255.255.0.0
E 0/0         192.1.12.2     255.255.255.0
S 0/0         192.1.23.2     255.255.255.0

R3
Interface     IP Address     Subnet Mask
Loopback 0    3.3.3.3        255.0.0.0
Loopback 1    13.1.0.1       255.255.0.0
S 0/0         192.1.23.3     255.255.255.0
E 0/0         192.1.34.3     255.255.255.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.0.0.0
Loopback 1    14.1.0.1       255.255.0.0
E 0/0         192.1.34.4     255.255.255.0

Task 1
Configure a BGP neighbor relationship between R1 and R2. R1 should be
in AS 1 and R2 should be in AS 2. Advertise the loopback networks in
BGP. Hard-code the Router ID for the BGP routers as 11.11.11.11 for R1
and 22.22.22.22 for R2.
R1
Router BGP 1
bgp router-id 11.11.11.11
Network 1.0.0.0
Network 11.1.0.0 mask 255.255.0.0
Neighbor 192.1.12.2 remote-as 2
R2
Router BGP 2
bgp router-id 22.22.22.22
Network 2.0.0.0
Network 12.1.0.0 mask 255.255.0.0
Neighbor 192.1.12.1 remote-as 1

Task 2
Configure a BGP neighbor relationship between R2 and R3. R2 should
already be configured in AS 2 and R3 should be in AS 3. Advertise the
loopback network of R3 in BGP. Hard-code the Router ID for R3 as
33.33.33.33.
R2
Router BGP 2
Neighbor 192.1.23.3 remote-as 3
R3
Router BGP 3
bgp router-id 33.33.33.33
Network 3.0.0.0
Network 13.1.0.0 mask 255.255.0.0
Neighbor 192.1.23.2 remote-as 2

Task 3
Configure a BGP neighbor relationship between R3 and R4. R3 should
already be configured in AS 3 and R4 should be in AS 4. Advertise the
loopback network of R4 in BGP. Hard-code the Router ID for R4 as
44.44.44.44. Establish the neighbor relationship based on Loopback 0
addresses. You are allowed to create a static route on each router to
accomplish this task.
R3
Ip route 4.0.0.0 255.0.0.0 192.1.34.4
!
Router BGP 3
Neighbor 4.4.4.4 remote-as 4
Neighbor 4.4.4.4 update-source Loopback 0
Neighbor 4.4.4.4 ebgp-multihop
R4
Ip route 3.0.0.0 255.0.0.0 192.1.34.3
!
Router BGP 4
bgp router-id 44.44.44.44
Network 4.0.0.0
Network 14.1.0.0 mask 255.255.0.0
Neighbor 3.3.3.3 remote-as 3
Neighbor 3.3.3.3 update-source Loopback 0
Neighbor 3.3.3.3 ebgp-multihop


Lab 2 Configuring BGP Authentication


(Builds on Lab 1)
Task 1
Configure MD5 Authentication between R1 and R2 using a password of
cciers.
R1
Router BGP 1
Neighbor 192.1.12.2 password cciers
R2
Router BGP 2
Neighbor 192.1.12.1 password cciers

Task 2
Configure MD5 Authentication between R2 and R3 using a password of
cciesec.
R2
Router BGP 2
Neighbor 192.1.23.3 password cciesec
R3
Router BGP 3
Neighbor 192.1.23.2 password cciesec

Task 3
Configure MD5 Authentication between R3 and R4 using a password of
cciers.
R3
Router BGP 3
Neighbor 4.4.4.4 password cciers
R4
Router BGP 4
Neighbor 3.3.3.3 password cciers


Lab 3 Configuring iBGP


Physical Layout

[Figure: physical layout of R1 (L0 1.1.1.1/8), R2 (L0 2.2.2.2/8, L1 12.1.0.1/16), R3 (L0 3.3.3.3/8, L1 13.1.0.1/16), R4 (L0 4.4.4.4/8) and R5; labelled networks 192.1.12.0/24, 192.1.23.0/24, 192.1.34.0/24 and 192.1.45.0/24]

BGP Logical Layout

[Figure: BGP logical layout; R1 in AS 1; R2, R3 and R4 in AS 234; R5 in AS 5]


Interface IP Address Configuration


R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
S 0/0         192.1.12.1     255.255.255.0

R2
Interface     IP Address     Subnet Mask
Loopback 0    2.2.2.2        255.0.0.0
Loopback 1    12.1.0.1       255.255.0.0
S 0/0         192.1.12.2     255.255.255.0
F 0/0         192.1.23.2     255.255.255.0

R3
Interface     IP Address     Subnet Mask
Loopback 0    3.3.3.3        255.0.0.0
Loopback 1    13.1.0.1       255.255.0.0
F 0/0         192.1.23.3     255.255.255.0
S 0/0         192.1.34.3     255.255.255.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.0.0.0
S 0/0         192.1.34.4     255.255.255.0
F 0/0         192.1.45.4     255.255.255.0

R5
Interface     IP Address     Subnet Mask
Loopback 0    5.5.5.5        255.0.0.0
F 0/0         192.1.45.5     255.255.255.0

Task 1
Configure a neighbor relationship between R1 and R2 based on the
Logical diagram. Advertise the Loopback networks on both Routers.
Hard-code the Router ID for the BGP routers as 11.11.11.11 for R1 and
22.22.22.22 for R2.
R1
Router BGP 1
bgp router-id 11.11.11.11
Network 1.0.0.0
Neighbor 192.1.12.2 remote-as 234
R2
Router BGP 234
bgp router-id 22.22.22.22
Network 2.0.0.0
Network 12.1.0.0 mask 255.255.0.0
Neighbor 192.1.12.1 remote-as 1

Task 2
Configure EIGRP in AS 234 as the routing protocol within AS 234. Only
advertise the internal physical link in EIGRP on R2, R3 and R4. Do not
advertise the 192.1.12.0 and the 192.1.45.0 networks in EIGRP.
R2
Router EIGRP 234
no auto-summary
Network 192.1.23.0
R3
Router EIGRP 234
no auto-summary
Network 192.1.23.0
Network 192.1.34.0
R4
Router EIGRP 234
no auto-summary
Network 192.1.34.0
Task 3
Configure neighbor relationships between R2 and R3 and another one
between R3 and R4. Do not configure a neighbor relationship between R2
and R4. Advertise the Loopback networks under BGP. Make sure routes
from R1 can get propagated to R3 and R4. Do not use a Confederation to
accomplish this.
R2
Router BGP 234
Network 2.0.0.0
Network 12.1.0.0 mask 255.255.0.0
Neighbor 192.1.23.3 remote-as 234
Neighbor 192.1.23.3 next-hop-self
R3
Router BGP 234
Network 3.0.0.0
Network 13.1.0.0 mask 255.255.0.0
Neighbor 192.1.23.2 remote-as 234
Neighbor 192.1.23.2 route-reflector-client
Neighbor 192.1.34.4 remote-as 234
Neighbor 192.1.34.4 route-reflector-client
R4
Router BGP 234
Network 4.0.0.0
Neighbor 192.1.34.3 remote-as 234
Task 4
Configure a neighbor relationship between R4 and R5 based on the
Logical diagram. Advertise the Loopback network on R5 in BGP. Hard-code
the Router ID for R5 as 55.55.55.55.
R4
Router BGP 234
Neighbor 192.1.45.5 remote-as 5
Neighbor 192.1.34.3 next-hop-self
R5
Router BGP 5
bgp router-id 55.55.55.55
Network 5.0.0.0
Neighbor 192.1.45.4 remote-as 234


Lab 4 Route Filtering using ACLs


(Builds on R3)
Task 1
Create the following Loopbacks on R2
Loopback 1    192.2.1.1/24
Loopback 2    192.2.2.1/24
Loopback 3    192.2.3.1/24
Loopback 4    192.2.4.1/24
Loopback 5    192.2.5.1/24
Loopback 6    192.2.6.1/24
Loopback 7    192.2.7.1/24
Loopback 8    192.2.8.1/24

R2
interface Loopback1
ip address 192.2.1.1 255.255.255.0
!
interface Loopback2
ip address 192.2.2.1 255.255.255.0
!
interface Loopback3
ip address 192.2.3.1 255.255.255.0
!
interface Loopback4
ip address 192.2.4.1 255.255.255.0
!
interface Loopback5
ip address 192.2.5.1 255.255.255.0
!
interface Loopback6
ip address 192.2.6.1 255.255.255.0
!
interface Loopback7
ip address 192.2.7.1 255.255.255.0
!
interface Loopback8
ip address 192.2.8.1 255.255.255.0


Task 2
Advertise the newly created routes in BGP. Do not use the network
command to accomplish this. These routes should have an origin code of
igp.
R2
Access-list 1 permit 192.2.1.1 0.0.0.255
Access-list 1 permit 192.2.2.1 0.0.0.255
Access-list 1 permit 192.2.3.1 0.0.0.255
Access-list 1 permit 192.2.4.1 0.0.0.255
Access-list 1 permit 192.2.5.1 0.0.0.255
Access-list 1 permit 192.2.6.1 0.0.0.255
Access-list 1 permit 192.2.7.1 0.0.0.255
Access-list 1 permit 192.2.8.1 0.0.0.255
!
Route-map redcon permit 10
Match ip address 1
Set origin igp
!
Router bgp 234
Redistribute connected route-map redcon
Task 3
Configure R2 such that it blocks all the 192.2.X.0 routes that have an
odd number in the third octet from propagating outside the local AS. Use
the distribute-list command to accomplish this task.
R2
Access-list 2 deny 192.2.1.0 0.0.254.255
Access-list 2 permit any
!
Router bgp 234
Neighbor 192.1.12.1 distribute-list 2 out
Task 4
Configure R4 such that it blocks all the 192.2.X.0 routes that have an
even number in the third octet from coming in. Make sure that even if a
neighbor relationship is established between R2 and R4 in the future,
these routes don't come into R4. Use the distribute-list command to
accomplish this task.

R4
Access-list 3 deny 192.2.0.0 0.0.254.255
Access-list 3 permit any
!
Router bgp 234
distribute-list 3 in
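
Why the wildcard 0.0.254.255 in access-lists 2 and 3 selects odd or even third octets, as an added example that is not part of the workbook: the evaluator below applies standard-ACL matching (wildcard bit 1 = ignore, first match wins, implicit deny) to the eight 192.2.X.0 routes. The function names and the extra test routes are constructed for illustration.

```python
import ipaddress

# The two ACLs from Task 3 (R2, outbound to R1) and Task 4 (R4, inbound).
ACL_2 = ["deny 192.2.1.0 0.0.254.255", "permit any"]
ACL_3 = ["deny 192.2.0.0 0.0.254.255", "permit any"]

# Network addresses of the loopbacks created on R2 in Task 1.
LOOPBACKS = ["192.2.%d.0" % octet for octet in range(1, 9)]


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(lines):
    """Turn 'deny A.B.C.D W.X.Y.Z' / 'permit any' into (action, base, wildcard)."""
    entries = []
    for line in lines:
        fields = line.split()
        if fields[1] == "any":
            base, wildcard = 0, 0xFFFFFFFF
        else:
            base = to_int(fields[1])
            wildcard = to_int(fields[2]) if len(fields) > 2 else 0
        entries.append((fields[0], base, wildcard))
    return entries


def evaluate(acl_lines, network):
    """Return 'permit' or 'deny' for a route's network address."""
    addr = to_int(network)
    for action, base, wildcard in parse_acl(acl_lines):
        care = ~wildcard & 0xFFFFFFFF      # bits that must equal the base
        if (addr ^ base) & care == 0:
            return action
    return "deny"                          # implicit deny at the end


def surviving(acl_lines, networks):
    return [n for n in networks if evaluate(acl_lines, n) == "permit"]


if __name__ == "__main__":
    # 254 = 11111110b: only the lowest bit of the third octet is compared,
    # so a base of .1. matches odd values and a base of .0. matches even ones.
    print("ACL 2 lets through:", surviving(ACL_2, LOOPBACKS))
    print("ACL 3 lets through:", surviving(ACL_3, LOOPBACKS))
    # A standard ACL sees only the network address, never the mask length.
    print("192.2.1.128 under ACL 2:", evaluate(ACL_2, "192.2.1.128"))
```

A standard ACL used this way cannot tell a /24 from a longer subnet with the same leading bits; matching on mask length needs a prefix-list.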


Lab 5 Route Filtering using Prefix-Lists


(Builds on R4)
Task 1
Create the following Loopbacks on R3
Loopback 1   150.3.16.1/20
Loopback 2   150.3.36.1/22
Loopback 3   150.3.40.1/22
Loopback 4   150.3.50.1/23
Loopback 5   150.3.65.1/24
Loopback 6   150.13.0.1/16
Loopback 7   150.14.64.1/18

R3
interface Loopback1
ip address 150.3.16.1 255.255.240.0
!
interface Loopback2
ip address 150.3.36.1 255.255.252.0
!
interface Loopback3
ip address 150.3.40.1 255.255.252.0
!
interface Loopback4
ip address 150.3.50.1 255.255.254.0
!
interface Loopback5
ip address 150.3.65.1 255.255.255.0
!
interface Loopback6
ip address 150.13.0.1 255.255.0.0
!
interface Loopback7
ip address 150.14.64.1 255.255.192.0
Task 2
Advertise the newly created routes in BGP using the Network command.
R3
Router bgp 234
Network 150.3.16.0 mask 255.255.240.0
Network 150.3.36.0 mask 255.255.252.0
Network 150.3.40.0 mask 255.255.252.0
Network 150.3.50.0 mask 255.255.254.0
Network 150.3.65.0 mask 255.255.255.0
Network 150.13.0.0
Network 150.14.64.0 mask 255.255.192.0

Task 3
Configure R2 such that it blocks all the 150.X.X.0 routes that have a
subnet mask between 17 and 23 bits.
R2
IP Prefix-list PLIST deny 150.0.0.0/8 ge 17 le 23
IP Prefix-list PLIST permit 0.0.0.0/0 le 32
!
Router bgp 234
Neighbor 192.1.23.3 prefix-list PLIST in

Lab 6 Route Filtering using AS Path Filter


Physical Layout
[Diagram: R1 S 0/0 (.1) to R2 S 0/0 (.2) over 192.1.12.0/24; R2 F 0/0 (.2) to R3 F 0/0 (.3) over 192.1.23.0/24; R3 S 0/0 (.3) to R4 S 0/0 (.4) over 192.1.34.0/24; R4 F 0/0 (.4) to R5 F 0/0 (.5) over 192.1.45.0/24. Loopbacks shown: R1 L0 1.1.1.1/8; R2 L0 2.2.2.2/8 and L1 12.1.0.1/16; R3 L0 3.3.3.3/8 and L1 13.1.0.1/16; R4 L0 4.4.4.4/8.]

BGP Logical Layout
[Diagram: R1 in AS 1; R2, R3 and R4 in AS 234; R5 in AS 5.]

R1
Interface    IP Address    Subnet Mask
Loopback 0   1.1.1.1       255.0.0.0
S 0/0        192.1.12.1    255.255.255.0

R2
Interface    IP Address    Subnet Mask
Loopback 0   2.2.2.2       255.0.0.0
Loopback 1   12.1.0.1      255.255.0.0
S 0/0        192.1.12.2    255.255.255.0
F 0/0        192.1.23.2    255.255.255.0

R3
Interface    IP Address    Subnet Mask
Loopback 0   3.3.3.3       255.0.0.0
Loopback 1   13.1.0.1      255.255.0.0
F 0/0        192.1.23.3    255.255.255.0
S 0/0        192.1.34.3    255.255.255.0

R4
Interface    IP Address    Subnet Mask
Loopback 0   4.4.4.4       255.0.0.0
S 0/0        192.1.34.4    255.255.255.0
F 0/0        192.1.45.4    255.255.255.0

R5
Interface    IP Address    Subnet Mask
Loopback 0   5.5.5.5       255.0.0.0
F 0/0        192.1.45.5    255.255.255.0

Task 1
Configure a neighbor relationship between R1 and R2 based on the
Logical diagram. Advertise the Loopback networks on both Routers.
Hard-code the Router ID for the BGP routers as 11.11.11.11 for R1 and
22.22.22.22 for R2.
R1
Router BGP 1
bgp router-id 11.11.11.11
Network 1.0.0.0
Neighbor 192.1.12.2 remote-as 234
R2
Router BGP 234
bgp router-id 22.22.22.22
Network 2.0.0.0
Network 12.1.0.0 mask 255.255.0.0
Neighbor 192.1.12.1 remote-as 1

Task 2
Configure EIGRP in AS 234 as the routing protocol within AS 234. Only
advertise the internal physical link in EIGRP on R2, R3 and R4. Do not
advertise the 192.1.12.0 and the 192.1.45.0 networks in EIGRP.
R2
Router EIGRP 234
no auto-summary
Network 192.1.23.0
R3
Router EIGRP 234
no auto-summary
Network 192.1.23.0
Network 192.1.34.0
R4
Router EIGRP 234
no auto-summary
Network 192.1.34.0
Task 3
Configure neighbor relationships between R2 and R3 and another one
between R3 and R4. Do not configure a neighbor relationship between R2
and R4. Advertise the Loopback networks under BGP. Make sure routes
from R1 can get propagated to R3 and R4. Do not use a Confederation to
accomplish this.
R2
Router BGP 234
Network 2.0.0.0
Network 12.1.0.0 mask 255.255.0.0
Neighbor 192.1.23.3 remote-as 234
Neighbor 192.1.23.3 next-hop-self
R3
Router BGP 234
Network 3.0.0.0
Network 13.1.0.0 mask 255.255.0.0
Neighbor 192.1.23.2 remote-as 234
Neighbor 192.1.23.2 route-reflector-client
Neighbor 192.1.34.4 remote-as 234
Neighbor 192.1.34.4 route-reflector-client
R4
Router BGP 234
Network 4.0.0.0
Network 14.1.0.0 mask 255.255.0.0
Neighbor 192.1.34.3 remote-as 234
Task 4
Configure a neighbor relationship between R4 and R5 based on the
Logical diagram. Advertise the Loopback network on R5 in BGP. Hard-code
the Router ID for R5 as 55.55.55.55.
R4
Router BGP 234
Neighbor 192.1.45.5 remote-as 5
Neighbor 192.1.34.3 next-hop-self
R5
Router BGP 5
bgp router-id 55.55.55.55
Network 5.0.0.0
Neighbor 192.1.45.4 remote-as 234

Task 5
Configure BGP such that AS 5 does not use AS 234 as a transit AS.
Configuration should be done in AS 5.
R5
Ip as-path access-list 1 permit ^234$
!
Router BGP 5
Neighbor 192.1.45.4 filter-list 1 in
Task 6
Configure BGP such that AS 1 does not use AS 234 to get AS 5 routes.
Configuration should be done in AS 234. You are only allowed a single
line in the AS-path filter.
R2
Ip as-path access-list 1 permit ^$
!
Router BGP 234
Neighbor 192.1.12.1 filter-list 1 out
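The effect of the two AS-path filters in Task 5 and Task 6 can be traced with a short script. This is an added example, not part of the workbook; the route tables are constructed from the lab topology and the function names are hypothetical.

```python
import re


def as_path_acl(entries, as_path):
    """Evaluate an 'ip as-path access-list': first match wins, implicit deny last.

    as_path lists the AS numbers on the route, nearest AS first. The regular
    expression is matched against the space-separated text form of the path.
    """
    text = " ".join(str(asn) for asn in as_path)
    for action, pattern in entries:
        if re.search(pattern, text):
            return action
    return "deny"


# Task 5: inbound on R5 from R4. Only paths that are exactly "234" pass.
R5_IN = [("permit", r"^234$")]
# Task 6: outbound on R2 towards R1. Only an empty path passes, that is,
# routes originated inside AS 234 (the filter runs before R2 prepends 234).
R2_OUT = [("permit", r"^$")]

# Constructed sample: what R4 offers R5 over eBGP (AS 234 already prepended).
R4_TO_R5 = {
    "1.0.0.0/8": [234, 1],
    "2.0.0.0/8": [234],
    "12.1.0.0/16": [234],
    "3.0.0.0/8": [234],
    "13.1.0.0/16": [234],
    "4.0.0.0/8": [234],
}

# Constructed sample: R2's BGP table as the outbound filter towards R1 sees it.
R2_TABLE = {
    "2.0.0.0/8": [],
    "12.1.0.0/16": [],
    "3.0.0.0/8": [],
    "13.1.0.0/16": [],
    "4.0.0.0/8": [],
    "5.0.0.0/8": [5],
}


def accepted(entries, routes):
    """Prefixes whose AS path is permitted, in table order."""
    return [p for p, path in routes.items() if as_path_acl(entries, path) == "permit"]


if __name__ == "__main__":
    print("R5 installs from R4:", accepted(R5_IN, R4_TO_R5))
    print("R2 advertises to R1:", accepted(R2_OUT, R2_TABLE))
    # A path that AS 234 prepended twice is no longer exactly "234".
    print("path 234 234 on R5 :", as_path_acl(R5_IN, [234, 234]))
```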

Lab 7 Configuring Route Aggregation


(Builds on Lab 6)
Task 1
Create the following Loopbacks on R3 and advertise them under BGP:
Loopback 1   203.1.4.1/24
Loopback 2   203.1.5.1/24
Loopback 3   203.1.6.1/24
Loopback 4   203.1.7.1/24

R3
interface Loopback1
ip address 203.1.4.1 255.255.255.0
!
interface Loopback2
ip address 203.1.5.1 255.255.255.0
!
interface Loopback3
ip address 203.1.6.1 255.255.255.0
!
interface Loopback4
ip address 203.1.7.1 255.255.255.0
!
Router BGP 234
Network 203.1.4.0
Network 203.1.5.0
Network 203.1.6.0
Network 203.1.7.0

Task 2
Configure Route Aggregation on R3 such that these routes are
summarized as a single route. Only the Summary route should be sent
to R3's neighbors.
R3
Router bgp 234
Aggregate-address 203.1.4.0 255.255.252.0 summary-only
Task 3
Create the following Loopbacks on R4 and advertise them under BGP:
Loopback 1   204.1.4.1/24
Loopback 2   204.1.5.1/24
Loopback 3   204.1.6.1/24
Loopback 4   204.1.7.1/24

R4
interface Loopback1
ip address 204.1.4.1 255.255.255.0
!
interface Loopback2
ip address 204.1.5.1 255.255.255.0
!
interface Loopback3
ip address 204.1.6.1 255.255.255.0
!
interface Loopback4
ip address 204.1.7.1 255.255.255.0
!
Router BGP 234
Network 204.1.4.0
Network 204.1.5.0
Network 204.1.6.0
Network 204.1.7.0

Task 4
Configure Route Aggregation on R4 such that these routes are
summarized as a single route. Only the Summary route should be sent
to R4's neighbor. The routes should not be seen as suppressed on R4.
Use the minimum number of lines in your filtering mechanism.
R4
IP Prefix-list PLIST deny 204.1.4.0/22 ge 24
IP Prefix-list PLIST permit 0.0.0.0/0 le 32
!
Router bgp 234
Aggregate-address 204.1.4.0 255.255.252.0
Neighbor 192.1.34.3 prefix-list PLIST out
Neighbor 192.1.45.5 prefix-list PLIST out
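The ge/le matching used by the prefix-list in Lab 5 Task 3 and by the one in Task 4 above can be verified offline. This is an added example, not part of the workbook: it applies both PLIST definitions to the routes advertised in each lab; the function names are hypothetical.

```python
import ipaddress


def entry_matches(route, prefix, ge=None, le=None):
    """One prefix-list entry: the route must lie inside 'prefix' and its mask
    length must fall in the range implied by ge/le.

    no ge/le -> length equals the entry's own length
    ge only  -> ge <= length <= 32
    le only  -> entry length <= length <= le
    both     -> ge <= length <= le
    """
    net = ipaddress.ip_network(route)
    base = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        low = high = base.prefixlen
    else:
        low = base.prefixlen if ge is None else ge
        high = 32 if le is None else le
    return low <= net.prefixlen <= high and net.subnet_of(base)


def evaluate(prefix_list, route):
    """First matching entry wins; a prefix-list ends in an implicit deny."""
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"


# Lab 5 Task 3 (R2, inbound from R3).
LAB5_PLIST = [("deny", "150.0.0.0/8", 17, 23), ("permit", "0.0.0.0/0", None, 32)]
# Lab 7 Task 4 (R4, outbound to R3 and R5).
LAB7_PLIST = [("deny", "204.1.4.0/22", 24, None), ("permit", "0.0.0.0/0", None, 32)]

# Routes R3 advertises in Lab 5 Task 2.
R3_ROUTES = ["150.3.16.0/20", "150.3.36.0/22", "150.3.40.0/22", "150.3.50.0/23",
             "150.3.65.0/24", "150.13.0.0/16", "150.14.64.0/18"]
# Routes R4 holds in Lab 7: four /24s, the /22 aggregate and its Loopback 0.
R4_ROUTES = ["204.1.4.0/24", "204.1.5.0/24", "204.1.6.0/24", "204.1.7.0/24",
             "204.1.4.0/22", "4.0.0.0/8"]


def permitted(prefix_list, routes):
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]


if __name__ == "__main__":
    print("Lab 5, R2 accepts from R3:", permitted(LAB5_PLIST, R3_ROUTES))
    print("Lab 7, R4 advertises     :", permitted(LAB7_PLIST, R4_ROUTES))
    # Edge cases: lengths just outside the denied ranges are permitted.
    print("150.3.65.128/25 in Lab 5 :", evaluate(LAB5_PLIST, "150.3.65.128/25"))
    print("204.1.4.0/23 in Lab 7    :", evaluate(LAB7_PLIST, "204.1.4.0/23"))
```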

Task 5
Create the following Loopbacks on R2 and advertise them under BGP:
Loopback 1   202.1.4.1/24
Loopback 2   202.1.5.1/24
Loopback 3   202.1.6.1/24
Loopback 4   202.1.7.1/24

R2
interface Loopback1
ip address 202.1.4.1 255.255.255.0
!
interface Loopback2
ip address 202.1.5.1 255.255.255.0
!
interface Loopback3
ip address 202.1.6.1 255.255.255.0
!
interface Loopback4
ip address 202.1.7.1 255.255.255.0
!
Router BGP 234
Network 202.1.4.0
Network 202.1.5.0
Network 202.1.6.0
Network 202.1.7.0

Task 6
Configure Route Aggregation on R2 such that these routes are
summarized as a single route. Only the Summary route and the
202.1.5.0 route should be sent to R2's neighbor.
R2
Access-list 5 permit 202.1.5.0 0.0.0.255
!
Route-map SUPMAP deny 10
Match address 5
Route-map SUPMAP permit 20
!
Router bgp 234
Aggregate-address 202.1.4.0 255.255.252.0 suppress-map SUPMAP

Lab 8 Configuring Confederations


Physical Layout
[Diagram: R1 F 0/0 to R2 F 0/0; R2 S 0/0 to R3 S 0/0; R3 F 0/0 to R4 F 0/0. Each router is drawn with Loopback 0 and Loopback 1.]

BGP Logical Layout
[Diagram: R1 in AS 65001, R2 in AS 65002 and R3 in AS 65003, all inside AS 123; R4 in AS 4.]

Interface IP Address Configuration


R1
Interface    IP Address    Subnet Mask
Loopback 0   1.1.1.1       255.0.0.0
F 0/0        192.1.12.1    255.255.255.0

R2
Interface    IP Address    Subnet Mask
Loopback 0   2.2.2.2       255.0.0.0
F 0/0        192.1.12.2    255.255.255.0
S 0/0        192.1.23.2    255.255.255.0

R3
Interface    IP Address    Subnet Mask
Loopback 0   3.3.3.3       255.0.0.0
S 0/0        192.1.23.3    255.255.255.0
F 0/0        192.1.34.3    255.255.255.0

R4
Interface    IP Address    Subnet Mask
Loopback 0   4.4.4.4       255.0.0.0
F 0/0        192.1.34.4    255.255.255.0

Task 1
Configure RIP V2 as the routing protocol between R1, R2 and R3. Only
advertise the R1-R2 and R2-R3 links in RIP on the appropriate routers.
R1
Router RIP
No auto-summary
Version 2
Network 192.1.12.0
R2
Router RIP
No auto-summary
Version 2
Network 192.1.12.0
Network 192.1.23.0
R3
Router RIP
No auto-summary
Version 2
Network 192.1.23.0
Task 2
Configure AS 65001, AS 65002 and AS 65003 as Sub Autonomous
Systems of a larger AS 123 using Confederations. Advertise the
Loopback 0 networks under BGP in AS 65001, AS 65002 and AS 65003.
Configure a Neighbor relationship between AS 65001 and AS 65002 and
another Neighbor relationship between AS 65002 and AS 65003.
R1
Router BGP 65001
Network 1.0.0.0
Neighbor 192.1.12.2 remote-as 65002
bgp confederation identifier 123
bgp confederation peers 65002
R2
Router BGP 65002
Network 2.0.0.0
Neighbor 192.1.12.1 remote-as 65001
Neighbor 192.1.23.3 remote-as 65003
bgp confederation identifier 123
bgp confederation peers 65001 65003
R3
Router BGP 65003
Network 3.0.0.0
Neighbor 192.1.23.2 remote-as 65002
bgp confederation identifier 123
bgp confederation peers 65002
Task 3
Configure a neighbor relationship between R3 and R4. R4 is in AS 4. It
peers with R3 in the confederation AS 123. Advertise the loopback 0
interface under BGP in AS 4.
R3
Router BGP 65003
Neighbor 192.1.34.4 remote-as 4
R4
Router BGP 4
Network 4.0.0.0
Neighbor 192.1.34.3 remote-as 123

Lab 9 Configuring Route Manipulation using MED

Physical Layout
[Diagram: R1 F 0/0 to R2 F 0/0; R2 S 0/0 to R3 S 0/0; R3 F 0/0 to R4 F 0/0; R4 S 0/0 to R1 S 0/0. Each router is drawn with Loopback 0 and Loopback 1.]

BGP Logical Layout
[Diagram: R1 in AS 1; R2, R3 and R4 in AS 234.]

Interface IP Address Configuration


R1
Interface    IP Address    Subnet Mask
Loopback 0   1.1.1.1       255.0.0.0
F 0/0        192.1.12.1    255.255.255.0
S 0/0        192.1.14.1    255.255.255.0

R2
Interface    IP Address    Subnet Mask
Loopback 0   2.2.2.2       255.0.0.0
F 0/0        192.1.12.2    255.255.255.0
S 0/0        192.1.23.2    255.255.255.0

R3
Interface    IP Address    Subnet Mask
Loopback 0   3.3.3.3       255.0.0.0
S 0/0        192.1.23.3    255.255.255.0
F 0/0        192.1.34.3    255.255.255.0

R4
Interface    IP Address    Subnet Mask
Loopback 0   4.4.4.4       255.0.0.0
F 0/0        192.1.34.4    255.255.255.0
S 0/0        192.1.14.4    255.255.255.0

Task 1
Run RIP V2 as the IGP in AS 234. Advertise the directly connected links
under RIP. Do not advertise the external links (192.1.12.0, 192.1.14.0) or
the Loopbacks in RIP.
R2
Router RIP
Version 2
No auto-summary
Network 192.1.23.0
R3
Router RIP
Version 2
No auto-summary
Network 192.1.23.0
Network 192.1.34.0
R4
Router RIP
Version 2
No auto-summary
Network 192.1.34.0
Task 2
Configure the routers under BGP based on the Logical diagram.
Configure the Neighbor relationships also based on the Logical diagram.
Advertise Loopback 0 Networks on all routers under BGP. Make sure the
1.0.0.0 gets put into the routing table of R3. Also make sure that Routes
from R2 are getting propagated to R4 and vice versa.
R1
Router BGP 1
No auto-summary
No sync
Network 1.0.0.0
Neighbor 192.1.12.2 remote-as 234
Neighbor 192.1.14.4 remote-as 234
R2
Router BGP 234
No auto-summary
No sync
Network 2.0.0.0
Neighbor 192.1.12.1 remote-as 1
Neighbor 192.1.23.3 remote-as 234
Neighbor 192.1.23.3 next-hop-self
R3
Router BGP 234
No auto-summary
No sync
Network 3.0.0.0
Neighbor 192.1.23.2 remote-as 234
Neighbor 192.1.23.2 route-reflector-client
Neighbor 192.1.34.4 remote-as 234
Neighbor 192.1.34.4 route-reflector-client
R4
Router BGP 234
No auto-summary
No sync
Network 4.0.0.0
Neighbor 192.1.34.3 remote-as 234
Neighbor 192.1.34.3 next-hop-self
Neighbor 192.1.14.1 remote-as 1

Task 3
All ingress (incoming) traffic to AS 234 should use the path thru R4
using the MED attribute. Configure the MED on R2 to 100. R4's MED is
0 by default. Lower MED will be preferred.
R2
Route-map SETMED permit 10
Set metric 100
!
Router BGP 234
Neighbor 192.1.12.1 route-map SETMED out

Lab 10 Configuring Route Manipulation using Local Preference
(Builds on Lab 9)
Task 1
Configure AS 234 such that all traffic destined for AS 1 should go
through R2 in the outbound direction. Use Local-Preference Attribute to
accomplish this.
R2
Route-map SETLP permit 10
Set Local-preference 200
!
Router BGP 234
Neighbor 192.1.12.1 route-map SETLP in

Lab 11 Configuring Route Manipulation using Cisco Weight Attribute
(Builds on Lab 10)
Task 1
Configure AS 234 such that all traffic originating from R4 and destined
for AS1 should go directly from R4 to R1 instead of using R2. Make sure
this configuration does not affect the traffic flow for the rest of the AS.
R4
Route-map SETWT permit 10
Set weight 5000
!
Router BGP 234
Neighbor 192.1.14.1 route-map SETWT in
Task 2
Configure AS 1 such that all traffic destined for network 3.0.0.0 should
go thru R2. It is taking the R1-R4 route because of the MED attribute set
in Lab 9. Use the Weight attribute to accomplish this task.
R1
Access-list 3 permit 3.0.0.0 0.255.255.255
!
Route-map SETWT permit 10
Match address 3
Set weight 5000
Route-map SETWT permit 20
!
Router BGP 1
Neighbor 192.1.12.2 route-map SETWT in

Module 7 Advanced Switching

Lab 1- VTP, Trunking, VLANs and InterVLAN Routing

[Diagram: R5 F 0/0 (.5) and R1 F 0/0.1 (.1) on 192.1.15.0/24 VLAN 10; R1 F 0/0.2 (.1) and R3 F0/0.1 (.3) on 192.1.13.0/24 VLAN 20; R3 F0/0.2 (.3), R4 F 0/0 (.4) and SW1 VLAN 30 (.15) on 192.1.34.0/24 VLAN 30; SW1 VLAN 40 (.15) and R2 F 0/0 (.2) on 192.1.2.0/24 VLAN 40.]

Task 1
Configure the Switches with Hostnames of SW1 and SW2 respectively.
SW1
Hostname SW1
SW2
Hostname SW2

Task 2
Configure both switches to be in a VTP Domain CISCO. SW1 should be
configured as a Server and SW2 as a Client.
SW1
VTP domain CISCO
VTP mode Server
SW2
VTP domain CISCO
VTP mode client

Task 3
The CISCO VTP Domain should be password protected using NETMET as
the Password.
SW1
VTP password NETMET
SW2
VTP password NETMET

Task 4
Configure Trunking between SW1 and SW2 on all ports that connect the
switches to each other. Use an Industry standard encapsulation
mechanism.
SW1
Interface Range F0/XX - Fast0/YY
Switchport Trunk Encap dot1q
Switchport mode trunk
SW2
Interface Range F0/XX - Fast0/YY
Switchport Trunk Encap dot1q
Switchport mode trunk

Task 5
Create VLANs based on the Diagram. Assign the appropriate ports to the
appropriate VLANs based on the Logical Diagram. Use an industry
standard encapsulation wherever required.
SW1
VLAN 10
VLAN 20
VLAN 30
VLAN 40
!
interface range F0/1 , F0/3
Switchport Trunk Encap dot1q
Switchport mode trunk
!
interface F0/2
Switchport access vlan 40
Switchport mode access
!
Interface F0/4
Switchport access vlan 30
Switchport mode access
!
Interface F0/5
Switchport access vlan 10
Switchport mode access
Task 6
Configure the Routers and SW1 with the Appropriate IP addresses based
on the Logical Diagram.
R1
Interface F 0/0
No shut
!
Interface F 0/0.1
Encapsulation dot1q 10
IP Address 192.1.15.1 255.255.255.0
!
Interface F0/0.2
Encapsulation dot1q 20
IP Address 192.1.13.1 255.255.255.0
R2
Interface F 0/0
IP Address 192.1.2.2 255.255.255.0
No shut
R3
Interface F 0/0
No shut
!
Interface F 0/0.1
Encapsulation dot1q 20
IP Address 192.1.13.3 255.255.255.0
!
Interface F0/0.2
Encapsulation dot1q 30
IP Address 192.1.34.3 255.255.255.0
R4
Interface F 0/0
IP Address 192.1.34.4 255.255.255.0
No shut
R5
Interface F 0/0
IP Address 192.1.15.5 255.255.255.0
No shut
SW1
IP Routing
!
Interface VLAN 30
IP Address 192.1.34.15 255.255.255.0
!
Interface VLAN 40
IP Address 192.1.2.15 255.255.255.0

Task 7
Configure a Loopback 0 interface on each Router with an IP Address of
X.X.X.X/8 (where X is the Router # - R1=1, R2=2 ...). Loopback 0 on
SW1 as 15.15.15.15/8. Run RIP v2 on all the routers and SW1 such that
all networks are reachable from all devices.
R1
Interface Loopback 0
IP Address 1.1.1.1 255.0.0.0
!
Router RIP
Version 2
No auto-summary
Network 192.1.15.0
Network 192.1.13.0
Network 1.0.0.0
R2
Interface Loopback 0
IP Address 2.2.2.2 255.0.0.0
!
Router RIP
Version 2
No auto-summary
Network 192.1.2.0
Network 2.0.0.0
R3
Interface Loopback 0
IP Address 3.3.3.3 255.0.0.0
!
Router RIP
Version 2
No auto-summary
Network 192.1.13.0
Network 192.1.34.0
Network 3.0.0.0
R4
Interface Loopback 0
IP Address 4.4.4.4 255.0.0.0
!
Router RIP
Version 2
No auto-summary
Network 192.1.34.0
Network 4.0.0.0
R5
Interface Loopback 0
IP Address 5.5.5.5 255.0.0.0
!
Router RIP
Version 2
No auto-summary
Network 192.1.15.0
Network 5.0.0.0
SW1
Interface Loopback 0
IP Address 15.15.15.15 255.0.0.0
!
Router RIP
Version 2
No auto-summary
Network 192.1.34.0
Network 192.1.2.0
Network 15.0.0.0

Lab 2 Configuring Etherchannels


Task 1
Configure the Trunk Ports connecting SW1 and SW2 to be part of an
Etherchannel. The Etherchannel should use an Industry standard
protocol.
SW1
Interface range F0/XX , F0/YY
Channel-group 1 mode active
SW2
Interface range F0/XX , F0/YY
Channel-group 1 mode active

Task 2
Configure the load-balancing method to be based on a
combination of the Source and Destination IP.
SW1
Port-channel load-balance src-dst-ip
SW2
Port-channel load-balance src-dst-ip
Task 3
Verify the Etherchannel status.
SW1
Show etherchannel 1 port-channel
Port-channels in the group:
--------------------------
Port-channel: Po1 (Primary Aggregator)
-----------
Age of the Port-channel = 00d:00h:01m:09s
Logical slot/port = 1/0 Number of ports = 0
HotStandBy port = null
Port state = Port-channel Ag-Not-Inuse
Protocol = LACP

Explanation:
An EtherChannel consists of individual Fast Ethernet or Gigabit
Ethernet links bundled into a single logical link.
If a link within an EtherChannel fails, traffic previously carried over that
failed link changes to the remaining links within the EtherChannel. A
trap is sent for a failure, identifying the switch, the EtherChannel, and
the failed link.
Inbound broadcast and multicast packets on one link in an
EtherChannel are blocked from returning on any other link of the
EtherChannel.
NOTE: All interfaces in each EtherChannel must have the same speed and
duplex, and the same trunking encapsulation or the same access VLAN ID.
The STP cost for each port must also be the same, and none of the
EtherChannel ports can be involved in a SPAN, RSPAN or 802.1X
configuration.
Understanding Port-Channel Interfaces
You create an EtherChannel for Layer 2 interfaces differently from Layer
3 interfaces. Both configurations involve logical interfaces.
With Layer 3 interfaces, you manually create the logical interface by
using the interface port-channel global configuration command.
With Layer 2 interfaces, the logical interface is dynamically created.
With both Layer 3 and Layer 2 interfaces, you manually assign an interface
to the EtherChannel by using the channel-group interface configuration
command. This command binds the physical and logical ports together.
An EtherChannel cannot be configured in both the PAgP and LACP
modes.

Lab 3 Configuring MSTP


Task 1
Disable the Etherchannel configured in the previous lab on SW1 and
SW2 to test MSTP.
SW1
Interface range F0/XX , F0/YY
No Channel-group 1 mode active
SW2
Interface range F0/XX , F0/YY
No Channel-group 1 mode active

Task 2
Configure Multi-instance of Spanning Tree on the switches as follows:
- There should be two instances of STP, instance 1 and 2
- Instance 1 should handle VLANs 10 and 20
- Instance 2 should handle VLAN 30 and 40
- SW1 should be the root bridge for the first instance
- SW2 should be the root bridge for the second instance
- MST configuration should use the following:
  o Name : CISCO
  o Revision : 1
- Instance 1 should use the lower Trunk Interface as the Primary
  forwarding port
- Instance 2 should use the higher Trunk Interface as the Primary
  forwarding port
SW1
Spanning-tree mode mst
!
Spanning-tree mst configuration
Revision 1
Name CISCO
Instance 1 vlan 10,20
Instance 2 vlan 30,40
!
Spanning-tree mst 1 priority 0
Spanning-tree mst 2 priority 4096
!
Int F0/XX
Spanning-tree mst 1 port-priority 0
SW2
Spanning-tree mode mst
!
Spanning-tree mst configuration
Revision 1
Name CISCO
Instance 1 vlan 10,20
Instance 2 vlan 30,40
!
Spanning-tree mst 1 priority 4096
Spanning-tree mst 2 priority 0
!
Int F0/YY
Spanning-tree mst 2 port-priority 0

Lab 4 Configuring SPAN/RSPAN


Task 1
There is a protocol analyzer connected to SW2 port F0/18. You received
a request to monitor and analyze all packets for port F0/16 on SW1.
Configure the switches to accommodate this request.
SW1
Vlan 90
Remote-span
!
Monitor session 1 source interface F0/16
Monitor session 1 destination remote vlan 90
SW2
Monitor session 1 source vlan 90
Monitor session 1 destination interface F 0/18

Lab 5 Configuring VLAN ACLs (VACL)


Task 1
You have been requested to implement the following policy on SW1:
- Deny IGMP in VLAN 10
- Deny TFTP in VLAN 20
- Deny ICMP and TFTP in VLAN 30
- There is a MAC address 0001.0012.2222 trying to attack VLAN 40.
  Block this MAC address from accessing any device in VLAN 40.
SW1
Access-list 101 permit igmp any any
!
Access-list 102 permit udp any any eq 69
!
Access-list 103 permit icmp any any
Access-list 103 permit udp any any eq 69
!
Mac access-list extended MAC-ACL
Permit host 0001.0012.2222 any
!
Vlan access-map VLAN10 10
Match ip addr 101
Action drop
Vlan access-map VLAN10 100
!
Vlan access-map VLAN20 10
Match ip addr 102
Action drop
Vlan access-map VLAN20 100
!
Vlan access-map VLAN30 10
Match ip addr 103
Action drop
Vlan access-map VLAN30 100
!
Vlan access-map VLAN40 10
Match mac address MAC-ACL
Action drop
Vlan access-map VLAN40 100
!
Vlan filter VLAN10 vlan-list 10
Vlan filter VLAN20 vlan-list 20
Vlan filter VLAN30 vlan-list 30
Vlan filter VLAN40 vlan-list 40

Lab 6 Configuring Storm Control


Task 1
Configure SW2 port F0/14 such that broadcast and multicast traffic do
not use more than 50% of the Interface bandwidth.
SW2
Interface F0/14
Storm-control broadcast level 50.00
Storm-control multicast level 50.00

Lab 7 Configuring QinQ Tunneling

[Diagram: switches SW1, SW2, SW3 and SW4, with VLAN 80 and VLAN 90.]

Interface IP Address Configuration

SW1 (Customer Switch)
Interface     IP Address    Subnet Mask
Int VLAN 80   150.1.80.1    255.255.255.0
Int VLAN 90   150.1.90.1    255.255.255.0

SW4 (Customer Switch)
Interface     IP Address    Subnet Mask
Int VLAN 80   150.1.80.4    255.255.255.0
Int VLAN 90   150.1.90.4    255.255.255.0

Task 1
Only Keep 1 Trunk link up between the switches. Also, make sure only
the following links are up:
SW1 - SW3
SW1 - SW2
SW2 - SW4
SW1
!
Interface range F0/X - Y
Shutdown
Description All trunk ports on SW1
!
Interface range F 0/A , F 0/B
No shutdown
Description One Trunk link towards SW1
SW2
!
Interface range F0/X - Y
Shutdown
Description All trunk ports on SW2
!
Interface range F 0/A , F 0/B
No shutdown
Description One Trunk each towards SW1 and SW3
SW3
!
Interface range F0/X - Y
Shutdown
Description All trunk ports on SW3
!
Interface F 0/A
No shutdown
Description One Trunk each towards SW2 and SW4
SW4
!
Interface range F0/X - Y
Shutdown
Description All trunk ports on SW4
!
Interface F 0/A
No shutdown
Description One Trunk link towards SW3
Task 2
Configure Q-in-Q tunneling on SW2 and SW3 in such a way that allows
customer VLANs to cross the trunk links without alteration in the
Customer switches. Also, allow VLAN overlapping between other Service
Provider Customers. Change the MTU size to accommodate Q-in-Q
tunneling. Assign the Customer to a VLAN 120.

SW2
System mtu 1504
!*** requires a reload***
VLAN 120
!
Interface F0/A
Description Trunk ports connecting towards SW1-Customer Switch
Switchport access vlan 120
Switchport mode dot1q-tunnel
!
Interface F0/B
Description Trunk port towards the other Service Provider Switch(s)
Switchport trunk encap dot1q
Switchport mode trunk
SW3
System mtu 1504
! *** requires a reload***
VLAN 120
!
Interface F0/A
Description Trunk ports connecting towards SW4-Customer Switch
Switchport access vlan 120
Switchport mode dot1q-tunnel
!
Interface F0/B
Description Trunk port towards the other Service Provider Switch(s)
Switchport trunk encap dot1q
Switchport mode trunk
Task 3
Configure the Customer Side Switches with Dot1Q trunking
encapsulation.
SW1
Interface F0/B
Description Trunk port towards the Service Provider Cloud
Switchport trunk encap dot1q
Switchport mode trunk
SW4
Interface F0/B
Description Trunk port towards the Service Provider Cloud
Switchport trunk encap dot1q
Switchport mode trunk
Task 4
Configure QinQ and Layer Protocol Forwarding (metro) in such a way
that allows switches to forward CDP and VTP customer's frames
transparently. Configure switches SW2 and SW3 ports facing SW1 and
SW4 respectively.
SW2
Interface F0/A
Description Trunk ports connecting towards SW1-Customer Switch
L2protocol-tunnel cdp
L2protocol-tunnel vtp
SW3
Interface F0/A
Description Trunk ports connecting towards SW4-Customer Switch
L2protocol-tunnel cdp
L2protocol-tunnel vtp

Lab 8 Configuring Private VLANs

[Diagram: R1 to R5 attached by F 0/0 (.1 to .5) to 192.1.100.0/24. R1 is in VLAN 10 (Primary), R2 and R3 in VLAN 20 (Community), R4 and R5 in VLAN 30 (Isolated).]

Interface IP Address Configuration

R1
Interface    IP Address     Subnet Mask
F 0/0        192.1.100.1    255.255.255.0

R2
Interface    IP Address     Subnet Mask
F 0/0        192.1.100.2    255.255.255.0

R3
Interface    IP Address     Subnet Mask
F 0/0        192.1.100.3    255.255.255.0

R4
Interface    IP Address     Subnet Mask
F 0/0        192.1.100.4    255.255.255.0

R5
Interface    IP Address     Subnet Mask
F 0/0        192.1.100.5    255.255.255.0

Task 1
Configure VTP Transparent mode in SW1 and create the following
configuration:
Vlan 10 as Private-Vlan Primary
Vlan 20 as Private-Vlan Community
Vlan 30 as Private-Vlan Isolated
SW1
Vtp mode transparent
!
Vlan 10
Private-vlan primary
!
Vlan 20
Private-vlan community
!
Vlan 30
Private-vlan isolated
!
Vlan 10
Private-vlan association add 20, 30
Task 2
Configure SW1 such that the following is accomplished keeping the VLAN
designations from Task 1:
- R1 should be able to communicate to all other devices.
- R2 and R3 should be able to communicate to each other and R1
  but should not have access to R4 or R5.
- R4 and R5 should only be able to communicate to R1. They should
  not be able to communicate to each other or R2 or R3.

SW1
Interface F0/1
Switchport mode private-vlan promiscuous
Switchport private-vlan mapping 10 add 20 , 30
!
Interface range F0/2 - 3
Switchport mode private-vlan host
Switchport private-vlan host-assoc 10 20
!
Interface range F0/4 - 5
Switchport mode private-vlan host
Switchport private-vlan host-assoc 10 30
Explanation:
Private VLANs provide Layer 2 isolation between ports within the same
private VLAN. There are three types of private VLAN ports:
Promiscuous: A promiscuous port can communicate with all
interfaces, including the community and isolated ports within a private
VLAN.
Isolated: An isolated port has complete Layer 2 separation from other
ports within the same private VLAN except for the promiscuous port.
Private VLANs block all traffic to isolated ports except traffic from
promiscuous ports. Traffic received from an isolated port is forwarded
only to promiscuous ports.
Community: Community ports communicate among themselves and
with their promiscuous ports. These interfaces are isolated at Layer 2
from all other interfaces in other communities or isolated ports within
their private VLAN.
NOTE: Because trunks can support the VLANs carrying traffic between
isolated, community, and promiscuous ports, isolated and community
port traffic might enter or leave the switch through a trunk interface.
Private VLAN ports are associated with a set of supporting VLANs that
are used to create the private VLAN structure. A private VLAN uses
VLANs three ways:
Primary VLAN: Carries traffic from promiscuous ports to isolated,
community, and other promiscuous ports.
Isolated VLAN: Carries traffic from isolated ports to promiscuous
ports.
Community VLAN: Carries traffic between community ports and to
promiscuous ports. You can configure multiple community VLANs in a
private VLAN.
NOTE: Isolated and community VLANs are both called secondary
VLANs.
A promiscuous port can serve only one primary VLAN and can serve as
many isolated or community VLANs as desired.
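The forwarding rules above can be checked against the Task 2 solution with a small model that parses the private-VLAN commands and computes who can reach whom. This is an added example, not part of the workbook; it assumes router Rn is cabled to SW1 port F0/n and only understands the FastEthernet port names and private-VLAN commands used in this lab.

```python
import re

# Constructed input: the lab's SW1 solution, written with full IOS keywords.
LAB_CONFIG = """
vlan 10
 private-vlan primary
vlan 20
 private-vlan community
vlan 30
 private-vlan isolated
vlan 10
 private-vlan association add 20,30
interface F0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 add 20,30
interface range F0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 10 20
interface range F0/4 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 10 30
"""

# Assumption: router Rn is cabled to SW1 port F0/n, as the lab solution implies.
ATTACHED = {f"R{n}": f"F0/{n}" for n in range(1, 6)}


def parse_pvlan(config):
    """Return (vlan_types, ports) parsed from IOS-style private-VLAN config text.

    The "private-vlan association" line is accepted but not evaluated here.
    """
    vlan_types, ports = {}, {}
    cur_vlan, cur_ports = None, []
    for raw in config.splitlines():
        line = " ".join(raw.lower().split())
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur_vlan, cur_ports = int(m[1]), []
        elif m := re.fullmatch(r"interface (?:range )?f0/(\d+)(?: - (\d+))?", line):
            first, last = int(m[1]), int(m[2] or m[1])
            cur_vlan = None
            cur_ports = [f"F0/{n}" for n in range(first, last + 1)]
            for name in cur_ports:
                ports[name] = {"mode": None, "primary": None, "secondary": set()}
        elif (m := re.fullmatch(r"private-vlan (primary|community|isolated)", line)) and cur_vlan:
            vlan_types[cur_vlan] = m[1]
        elif m := re.fullmatch(r"switchport mode private-vlan (promiscuous|host)", line):
            for name in cur_ports:
                ports[name]["mode"] = m[1]
        elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) add ([\d, ]+)", line):
            for name in cur_ports:
                ports[name]["primary"] = int(m[1])
                ports[name]["secondary"] |= {int(v) for v in m[2].replace(",", " ").split()}
        elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
            for name in cur_ports:
                ports[name]["primary"] = int(m[1])
                ports[name]["secondary"] = {int(m[2])}
    return vlan_types, ports


def can_reach(a, b, vlan_types, ports):
    """True if ports a and b can exchange frames at Layer 2 under PVLAN rules."""
    pa, pb = ports[a], ports[b]
    if a == b or None in (pa["primary"], pb["primary"]) or pa["primary"] != pb["primary"]:
        return False
    modes = (pa["mode"], pb["mode"])
    if modes == ("promiscuous", "promiscuous"):
        return True
    if "promiscuous" in modes:
        prom, host = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        # The promiscuous port must have the host's secondary VLAN mapped.
        return bool(host["secondary"]) and host["secondary"] <= prom["secondary"]
    # Two host ports talk only inside the same community VLAN; isolated never.
    return (bool(pa["secondary"]) and pa["secondary"] == pb["secondary"]
            and all(vlan_types.get(v) == "community" for v in pa["secondary"]))


def reachability(config, attached):
    """Map each device name to the sorted list of devices it can reach."""
    vlan_types, ports = parse_pvlan(config)
    return {dev: sorted(peer for peer, peer_port in attached.items()
                        if can_reach(port, peer_port, vlan_types, ports))
            for dev, port in attached.items()}


if __name__ == "__main__":
    for dev, peers in reachability(LAB_CONFIG, ATTACHED).items():
        print(f"{dev}: {', '.join(peers) or '(none)'}")
```

Changing VLAN 30 from isolated to community, or dropping VLAN 30 from the promiscuous mapping, changes the matrix, which makes the model usable as a check that a configuration change still meets the isolation requirements.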


Lab 9 Tuning STP Startup Times


Task 1
Create a VLAN 50 on SW1. Assign ports F 0/6 - F 0/8 to VLAN 50.
SW1
VLAN 50
!
Interface range F 0/6 - 8
Switchport access vlan 50
Switchport mode access
Task 2
Users in Vlan 50 are complaining about the time it usually takes for an
interface to come up after they have plugged in the network cable.
Configure the TOTAL link startup delay until the port becomes
forwarding to 16 seconds. Configure SW1 to accomplish this without
jumping any state.
SW1
Spanning-tree vlan 50 forward-time 8
Output of command:
SW1
show spanning-tree vlan 50 brief
VLAN50
Spanning tree enabled protocol ieee
Root ID Priority 8192
Address cc08.01f8.000c
Cost 32
Port 50 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 8 sec
Bridge ID Priority 32768
Address cc06.0a4c.000c
Hello Time 2 sec Max Age 20 sec Forward Delay 8 sec
Aging Time 0
Interface Designated


Explanation:
Forwarding delay is the time spent by a port in each of the learning and
listening states.
By default it has a value of 15 seconds, so a normal port without PortFast
enabled on it usually takes 50 seconds to start forwarding packets,
because it goes through learning (15 seconds) plus listening (15 seconds)
plus the maximum age time (which is 20 seconds by default). After changing
the forwarding delay to 8, the first time a desktop is plugged into a
switch port it would take 8 + 8 + 20 (if it is using the default maximum
age value), so it would take 36 seconds instead of 50 seconds in that
case.


Lab 10 Configuring Port-Fast


Task 1
Configure the port range F0/1 - 6 on SW1 so that the link comes up as
soon as someone plugs a network cable into any of these ports,
bypassing the STP learning/listening states.
SW1
Interface range F0/1 - 6
Spanning-tree portfast
Output of command:
SW1
show spanning-tree interface F0/1 portfast
VLAN10 enabled
Explanation:
After a port on the switch has linked and joined the bridge group, STP
runs on that port. A port that runs STP can be in one of five states:

blocking
listening
learning
forwarding
disabled

STP dictates that the port starts out blocking, and then immediately
moves through the listening and learning phases.
By default, the port spends approximately 15 seconds listening and 15
seconds learning.
During the listening state, the switch tries to determine where the port
fits in the spanning tree topology. The switch especially wants to know
whether this port is part of a physical loop. If the port is part of a
loop, the port can be chosen to go into blocking mode.
The blocking state means that the port does not send or receive user
data in order to eliminate loops.

If the port is not part of a loop, the port proceeds to the learning state, in
which the port learns which MAC addresses live off this port. This entire
STP initialization process takes about 30 seconds.
If you connect a workstation or a server with a single NIC card or an IP
phone to a switch port, the connection cannot create a physical loop.
These connections are considered leaf nodes. There is no reason to make
the workstation wait 30 seconds while the switch checks for loops if the
workstation cannot cause a loop.
Cisco added the PortFast or fast-start feature. With this feature,
the STP for this port assumes that the port is not part of a loop and
immediately moves to the forwarding state and does not go through the
blocking, listening, or learning states. This command does not turn STP
off. This command makes STP skip a few initial steps (unnecessary
steps, in this circumstance) on the selected port.
NOTE: Never use the PortFast feature on switch ports that connect to
other switches, hubs, or routers. These connections can cause physical
loops, and spanning tree must go through the full initialization
procedure in these situations. A spanning tree loop can bring your
network down. If you turn on PortFast for a port that is part of a
physical loop, there can be a window of time when packets are
continuously forwarded (and can even multiply) in such a way that the
network cannot recover.
At the global level, you enable BPDU guard on Port Fast-enabled NNIs by
using the spanning-tree portfast bpduguard default global
configuration command. Spanning tree shuts down NNIs that are in a
Port Fast-operational state if any BPDU is received on those NNIs.
In a valid configuration, Port Fast-enabled NNIs do not receive BPDUs.
Receiving a BPDU on a Port Fast-enabled NNI signals an invalid
configuration, such as the connection of an unauthorized device, and the
BPDU guard feature puts the interface in the error-disabled state.
At the interface level, you enable BPDU guard on any NNI by using the
spanning-tree bpduguard enable interface configuration command
without also enabling the Port Fast feature. When the NNI receives a
BPDU, it is put in the error-disabled state.


Lab 11 - Configuring BPDU Guard


Task 1
The IT department just found out that someone in the lobby area has
plugged a switch into port F0/6 on SW1. Configure a command
globally on SW1 so that if someone connects a hub or a switch to any of
the access ports, the port will be disabled. Also make sure that after 4
minutes the disabled port comes up automatically.
SW1
Spanning-tree portfast bpduguard
!
Errdisable recovery cause bpduguard
Errdisable recovery interval 240
Output of command:
SW1
show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    -------------
udld                 Disabled
bpduguard            Enabled
rootguard            Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
Timer interval: 240 seconds
Interfaces that will be enabled at the next timeout:
show spanning-tree summary
Root bridge for: VLAN1, VLAN10, VLAN13, VLAN16, VLAN19, VLAN20,
VLAN30
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled


Explanation:
Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a
Port Fast-enabled port signals an invalid configuration, such as the
connection of an unauthorized device, and the BPDU guard feature puts
the port in the error-disabled state.
The BPDU guard feature provides a secure response to invalid
configurations because you must manually put the port back in service.
Use the BPDU guard feature in a service-provider network to prevent an
access port from participating in the spanning tree.
Use the spanning-tree portfast default global configuration command
to globally enable the Port Fast feature on all nontrunking ports.
Configure Port Fast only on ports that connect to end stations; otherwise,
an accidental topology loop could cause a data packet loop and disrupt
switch and network operation. A Port Fast-enabled port moves directly to
the spanning-tree forwarding state when linkup occurs without waiting
for the standard forward-delay time.
You can also configure bpduguard under an interface using the
command spanning-tree bpduguard enable.


Lab 12 Configuring BPDU Filter


Task 1
Configure SW2 port F0/15 such that this port won't send or receive any
BPDU packets.
SW2
Interface F0/15
Spanning-tree bpdufilter enable
Explanation:
BPDU Filtering
The BPDU filtering feature can be globally enabled on the switch or can
be enabled per interface, but the feature operates with some differences.
At the global level, you can enable BPDU filtering on Port Fast-enabled
interfaces by using the spanning-tree portfast bpdufilter default global
configuration command. This command prevents interfaces that are in a
Port Fast-operational state from sending or receiving BPDUs.
The interfaces still send a few BPDUs at link-up before the switch begins
to filter outbound BPDUs. You should globally enable BPDU filtering on a
switch so that hosts connected to these interfaces do not receive BPDUs.
If a BPDU is received on a Port Fast-enabled interface, the interface loses
its Port Fast-operational status, and BPDU filtering is disabled.
At the interface level, you can enable BPDU filtering on any interface by
using the spanning-tree bpdufilter enable interface configuration
command without also enabling the Port Fast feature. This command
prevents the interface from sending or receiving BPDUs.
Task 2
Configure SW1 such that any port configured with portfast is
prevented from sending or receiving BPDUs. Don't use any interface level
command to accomplish this.
SW1
Spanning-tree portfast bpdufilter default

Output of command:
SW
show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
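A configuration audit for the edge-port settings of Labs 10 to 12: it flags PortFast ports that no BPDU guard command covers, flags ports with interface-level BPDU filtering, and reports the BPDU guard recovery timer. This is an added example, not part of the workbook; the sample configurations are constructed, trunk detection is simplified to an explicit "switchport mode trunk" line, and the 300-second fallback is the IOS default recovery interval.

```python
import re

# Constructed sample: PortFast on F0/1 - 6 as in Lab 10, before any BPDU guard
# command, plus Lab 12's interface-level BPDU filter, combined on one switch.
SAMPLE_BEFORE = """
interface range F0/1 - 6
 switchport mode access
 spanning-tree portfast
!
interface F0/15
 spanning-tree bpdufilter enable
!
interface F0/20
 switchport mode trunk
"""

# The same switch after Lab 11's global commands are added (constructed).
SAMPLE_AFTER = ("spanning-tree portfast bpduguard default\n"
                "errdisable recovery cause bpduguard\n"
                "errdisable recovery interval 240\n" + SAMPLE_BEFORE)


def parse(config):
    """Split config text into (global lines, {interface header: stanza lines})."""
    glob, stanzas, current = set(), {}, None
    for raw in config.splitlines():
        line = " ".join(raw.lower().split())
        if not line:
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            stanzas[current] = set()
        elif current is not None and raw[0].isspace():
            stanzas[current].add(line)      # indented line inside the stanza
        else:
            current = None                  # "!" or a global command ends it
            if line != "!":
                glob.add(line)
    return glob, stanzas


def audit(config):
    """Return sorted (interface, finding) pairs for edge-port STP gaps."""
    glob, stanzas = parse(config)
    # The Lab 11 solution writes the global guard command without the
    # trailing "default"; accept both spellings.
    guard_default = bool(glob & {"spanning-tree portfast bpduguard default",
                                 "spanning-tree portfast bpduguard"})
    portfast_default = "spanning-tree portfast default" in glob
    findings = []
    for name, lines in stanzas.items():
        if "spanning-tree portfast disable" in lines:
            portfast = False
        else:
            portfast = ("spanning-tree portfast" in lines
                        or (portfast_default and "switchport mode trunk" not in lines))
        guarded = ("spanning-tree bpduguard enable" in lines
                   or (guard_default and portfast))
        if "spanning-tree bpdufilter enable" in lines:
            # The port neither sends nor receives BPDUs (Lab 12), so spanning
            # tree cannot react to a switch plugged in there.
            findings.append((name, "BPDUFILTER_ON_PORT"))
        elif portfast and not guarded:
            findings.append((name, "PORTFAST_NO_BPDUGUARD"))
    return sorted(findings)


def bpduguard_recovery_seconds(config):
    """Seconds before an err-disabled BPDU guard port returns, None if manual."""
    glob, _ = parse(config)
    if "errdisable recovery cause bpduguard" not in glob:
        return None
    for line in glob:
        if m := re.fullmatch(r"errdisable recovery interval (\d+)", line):
            return int(m[1])
    return 300  # IOS default interval when none is configured


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(cfg), bpduguard_recovery_seconds(cfg))
```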


Lab 13 Configuring UplinkFast


Task 1
On SW1 configure a feature to improve the uplinks and make sure that if
a root port has failed, the switch will choose a new root port and put it
directly to FORWARDING state.
SW1
Spanning-tree uplinkfast
Output of command:
SW1
show spanning-tree uplinkfast
UplinkFast is enabled
Station update rate set to 150 packets/sec.
UplinkFast statistics
----------------------
Number of transitions via uplinkFast (all VLANs) : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0
Name Interface List
..
Explanation:
UplinkFast provides fast convergence after a spanning-tree topology
change and achieves load balancing between redundant links using
uplink groups. An uplink group is a set of ports (per VLAN), only one of
which is forwarding at any given time. Specifically, an uplink group
consists of the root port (which is forwarding) and a set of blocked ports,
except for self-looping ports. The uplink group provides an alternate path
in case the currently forwarding link fails.
UplinkFast is most useful in wiring-closet switches. This feature may
not be useful for other types of applications.
NOTE: In other words UplinkFast is used to designate a Backup Root
Port in case of direct failure of a link.


Lab 14 Configuring Backbone Fast


Task 1
Configure SW1 so that if an inferior BPDU is received on a
root port or blocked port, the inferior BPDU is ignored on those ports.
SW1
Spanning-tree backbonefast
Output of command:
SW1
show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default is disabled
UplinkFast is enabled
BackboneFast is enabled
Configured Pathcost method used is short

----------------------
Number of transitions via uplinkFast (all VLANs) : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0
BackboneFast statistics
----------------------
Number of transition via backboneFast (all VLANs) : 0
Number of inferior BPDUs received (all VLANs) : 0
Number of RLQ request PDUs received (all VLANs) : 0
Number of RLQ response PDUs received (all VLANs) : 0
Number of RLQ request PDUs sent (all VLANs) : 0
Number of RLQ response PDUs sent (all VLANs) : 0


Explanation:
BackboneFast is initiated when a root port or blocked port on a switch
receives inferior BPDUs from its designated bridge.
An inferior BPDU identifies one switch as both the root bridge and the
designated bridge. When a switch receives an inferior BPDU, it indicates
that a link to which the switch is not directly connected (an indirect link)
has failed (that is, the designated bridge has lost its connection to the
root bridge). Under normal spanning-tree rules, the switch ignores
inferior BPDUs for the configured maximum aging time, as specified by
the agingtime variable.
The switch tries to determine if it has an alternate path to the root
bridge. If the inferior BPDU arrives on a blocked port, the root port and
other blocked ports on the switch become alternate paths to the root
bridge. (Self-looped ports are not considered alternate paths to the root
bridge.) If the inferior BPDU arrives on the root port, all blocked ports
become alternate paths to the root bridge.
If the inferior BPDU arrives on the root port and there are no blocked
ports, the switch assumes that it has lost connectivity to the root bridge,
causes the maximum aging time on the root to expire, and becomes the
root switch according to normal spanning-tree rules.
If the switch has alternate paths to the root bridge, it uses these
alternate paths to transmit a new kind of PDU called the Root Link
Query PDU. The switch sends the Root Link Query PDU out all
alternate paths to the root bridge.
If the switch determines that it still has an alternate path to the root, it
causes the maximum aging time on the ports on which it received the
inferior BPDU to expire. If all the alternate paths to the root bridge
indicate that the switch has lost connectivity to the root bridge, the
switch causes the maximum aging times on the ports on which it
received an inferior BPDU to expire.
If one or more alternate paths can still connect to the root bridge, the
switch makes all ports on which it received an inferior BPDU its
designated ports and moves them out of the blocking state (if they were
in blocking state), through the listening and learning states, and into the
forwarding state.


Lab 15 Configuring Root Guard


Task 1
Configure the ports that connect SW1 to SW2 in such a way that if for
some reason spanning tree causes one of those ports to be selected
as root port, the port transitions to a root-inconsistent (blocked) state.
SW1
Interface range F0/X - Y
Description Connection towards SW2
Spanning-tree guard root
Explanation:
The Layer 2 network of a service provider (SP) can include many
connections to switches that are not owned by the SP. In such a
topology, the spanning tree can reconfigure itself and select a customer
switch as the root switch.
You can avoid this situation by enabling root guard on SP switch
interfaces that connect to switches in your customer's network. If
spanning-tree calculations cause an interface in the customer network to
be selected as the root port, root guard then places the interface in the
root-inconsistent (blocked) state to prevent the customer's switch from
becoming the root switch or being in the path to the root.
If a switch outside the SP network becomes the root switch, the interface
is blocked (root-inconsistent state), and spanning tree selects a new root
switch. The customer's switch does not become the root switch and is
not in the path to the root.
If the switch is operating in multiple spanning-tree (MST) mode, root
guard forces the interface to be a designated port. If a boundary port is
blocked in an internal spanning-tree (IST) instance because of root
guard, the interface also is blocked in all MST instances. A boundary
port is an interface that connects to a LAN, the designated switch of
which is either an 802.1D switch or a switch with a different MST region
configuration.
Root guard enabled on an interface applies to all the VLANs to which the
interface belongs. VLANs can be grouped and mapped to an MST
instance. You can enable this feature by using the spanning-tree guard
root interface configuration command.

Module 8 IPv6


Lab 1 Configuring IPv6 with RIPng

[Topology diagram: R1 F 0/0 and R2 F 0/0 share 2001:1:1:12::/64; R2 S 0/0 and R3 S 0/0 share 2001:1:1:23::/64; R3 F 0/0 and R4 F 0/0 share 2001:1:1:34::/64; each router has a Lo 0 interface.]

Task 1
Enable IPv6 routing on R1, R2, R3 and R4. Assign IPv6 addresses to the
F 0/0 interface of the routers as follows:
R1 2001:1:1:12::1 /64
R2 2001:1:1:12::2 /64
R3 2001:1:1:34::3 /64
R4 2001:1:1:34::4 /64
R1
ipv6 unicast-routing
Interface F 0/0
ipv6 address 2001:1:1:12::1/64
no shut
R2
Ipv6 unicast-routing
Interface F 0/0
Ipv6 address 2001:1:1:12::2/64
No shut
R3
ipv6 unicast-routing
Interface F 0/0
ipv6 address 2001:1:1:34::3/64
no shut
R4
Ipv6 unicast-routing
Interface F 0/0
Ipv6 address 2001:1:1:34::4/64
No shut

Task 2
Configure the Loopback0 interface on all routers as follows:
R1 Loopback0 2000:1:1:1::/64
R2 Loopback0 2000:2:2:2::/64
R3 Loopback0 2000:3:3:3::/64
R4 Loopback0 2000:4:4:4::/64

R1
Interface Loopback 0
Ipv6 address 2000:1:1:1::/64 eui-64
R2
Interface Loopback 0
ipv6 address 2000:2:2:2::/64 eui-64
R3
Interface Loopback 0
Ipv6 address 2000:3:3:3::/64 eui-64
R4
Interface Loopback 0
ipv6 address 2000:4:4:4::/64 eui-64
Task 3
Configure Frame-relay between R2 and R3 using the following IPv6
addresses:
R2 2000:1:1:23::2/64
R3 2000:1:1:23::3/64
Ensure that the routers can ping each other's serial interface. Also allow
R2 and R3 to ping their own IP addresses. Use a sub-interface on R2 and
R3 for the Frame relay configuration.
R2
Interface S0/0
Encap frame-relay
No shut
!
Interface S 0/0.3 point-to-point
ipv6 address 2001:1:1:23::2/64
frame-relay interface-dlci 203
R3
Interface S0/0
Encap frame-relay
no shut
!
Interface S 0/0.2 point-to-point
ipv6 address 2001:1:1:23::3/64
frame-relay interface-dlci 302
Task 4
Configure RIPng on all routers to route all loopbacks. Enable RIPng
under the following interfaces:





R1 F 0/0, Loopback 0
R2 F 0/0, Loopback 0, S 0/0.3
R3 F 0/0, Loopback 0, S 0/0.2
R4 F 0/0, Loopback 0
R1
Interface Loopback 0
ipv6 rip 100 enable
!
Interface F 0/0
ipv6 rip 100 enable
R2
Interface Loopback 0
ipv6 rip 100 enable
!
Interface S 0/0.3
ipv6 rip 100 enable
!
Interface F 0/0
ipv6 rip 100 enable
R3
Interface Loopback 0
ipv6 rip 100 enable
!
Interface F 0/0
ipv6 rip 100 enable
!
Interface S0/0.2
ipv6 rip 100 enable
R4
Interface Loopback 0
ipv6 rip 100 enable
!
Interface F 0/0
ipv6 rip 100 enable


Lab 2 Configuring IPv6 with OSPFv3


(Builds on Lab 1)
Task 1
Disable RIPng on all routers on all interfaces by disabling IPv6 Unicast
Routing and re-enabling it.
R1
No ipv6 unicast-routing
!
ipv6 unicast-routing
R2
No ipv6 unicast-routing
!
ipv6 unicast-routing
R3
No ipv6 unicast-routing
!
ipv6 unicast-routing
R4
No ipv6 unicast-routing
!
ipv6 unicast-routing

Task 2
Configure the routers in OSPFv3 area 0 and advertise their directly
connected interfaces in this area.
R1
ipv6 router ospf 1
router-id 1.1.1.1
!
Interface Loopback0
ipv6 ospf 1 area 0
!
Interface F 0/0
ipv6 ospf 1 area 0
R2
ipv6 router ospf 1
router-id 2.2.2.2
!
Interface Loopback0
ipv6 ospf 1 area 0
!
Interface F 0/0
ipv6 ospf 1 area 0
!
Interface S 0/0.3
ipv6 ospf 1 area 0


R3
ipv6 router ospf 1
router-id 3.3.3.3
!
Interface Loopback0
ipv6 ospf 1 area 0
!
Interface F 0/0
ipv6 ospf 1 area 0
!
Interface S 0/0.2
ipv6 ospf 1 area 0
R4
ipv6 router ospf 1
router-id 4.4.4.4
!
Interface Loopback0
ipv6 ospf 1 area 0
!
Interface F 0/0
ipv6 ospf 1 area 0

Task 3
Ensure that the loopback interfaces are advertised with their correct
mask.
R1
Interface Loopback0
ipv6 ospf network point-to-point
R2
Interface Loopback0
ipv6 ospf network point-to-point
R3
Interface Loopback0
ipv6 ospf network point-to-point
R4
Interface Loopback0
ipv6 ospf network point-to-point


Lab 3 Configuring IPv6 Thru IPv4 Link using a Tunnel

[Topology diagram: R1 F 0/0 and R2 F 0/0 share 2001:1:1:12::/64; R2 S 0/0 and R3 S 0/0 share the IPv4 network 192.1.23.0/24; R3 F 0/0 and R4 F 0/0 share 2001:1:1:34::/64; each router has a Lo 0 interface.]

Task 1
Enable IPv6 routing on R1, R2, R3 and R4. Assign IPv6 addresses to the
F 0/0 interface of the routers as follows:
R1 2001:1:1:12::1 /64
R2 2001:1:1:12::2 /64
R3 2001:1:1:34::3 /64
R4 2001:1:1:34::4 /64
R1
ipv6 unicast-routing
Interface F 0/0
ipv6 address 2001:1:1:12::1/64
no shut
R2
Ipv6 unicast-routing
Interface F 0/0
Ipv6 address 2001:1:1:12::2/64
No shut
R3
ipv6 unicast-routing
Interface F 0/0
ipv6 address 2001:1:1:34::3/64
no shut
R4
Ipv6 unicast-routing
Interface F 0/0
Ipv6 address 2001:1:1:34::4/64
No shut

Task 2
Configure the Loopback0 interface on all routers as follows:







R1 Loopback0 2000:1:1:1::/64
R2 Loopback0 2000:2:2:2::/64
R3 Loopback0 2000:3:3:3::/64
R4 Loopback0 2000:4:4:4::/64
R1
Interface Loopback 0
Ipv6 address 2000:1:1:1::/64 eui-64
R2
Interface Loopback 0
ipv6 address 2000:2:2:2::/64 eui-64
R3
Interface Loopback 0
Ipv6 address 2000:3:3:3::/64 eui-64
R4
Interface Loopback 0
ipv6 address 2000:4:4:4::/64 eui-64

Task 3
Configure RIPng between R1 and R2. Enable RIPng under the following
interfaces:
R1 F 0/0, Loopback 0
R2 F 0/0, Loopback 0
R1
Interface Loopback 0
ipv6 rip 100 enable
!
Interface F 0/0
ipv6 rip 100 enable
R2
Interface Loopback 0
ipv6 rip 100 enable
!
Interface F 0/0
ipv6 rip 100 enable

Task 4
Configure RIPng between R3 and R4. Enable RIPng under the following
interfaces:
R3 F 0/0, Loopback 0
R4 F 0/0, Loopback 0
R3
Interface Loopback 0
ipv6 rip 100 enable
!
Interface F 0/0
ipv6 rip 100 enable
R4
Interface Loopback 0
ipv6 rip 100 enable
!
Interface F 0/0
ipv6 rip 100 enable


Task 5
Configure the Frame Relay link between R2 and R3 as an IPv4 Link on
the 192.1.23.0/24 network.
R2
Interface S0/0
Ip address 192.1.23.2 255.255.255.0
Encap frame-relay
No frame-relay inverse-arp
Frame-relay map ip 192.1.23.3 203 broadcast
No shut
R3
Interface S0/0
Ip address 192.1.23.3 255.255.255.0
Encap frame-relay
No frame-relay inverse-arp
Frame-relay map ip 192.1.23.2 302 broadcast
No shut
Task 6
Create a Tunnel between R2 and R3. Assign it an IPv6 address of
2001:23:23:23::/64. Set the Tunnel Mode to IPv6. Enable RIPng on the
Tunnel Interface.
R2
Interface Tunnel 23
Tunnel source S 0/0
Tunnel destination 192.1.23.3
Ipv6 address 2001:23:23:23::2/64
Ipv6 enable
Ipv6 rip CCIERS enable
Tunnel mode IPV6IP
No shut
R3
Interface Tunnel 23
Tunnel source S 0/0
Tunnel destination 192.1.23.2
Ipv6 address 2001:23:23:23::3/64
Ipv6 enable
Ipv6 rip CCIERS enable
Tunnel mode IPV6IP
No shut


Lab 4 Configuring IPv6 over FrameRelay


[Topology diagram: R1 (sub-interfaces S 0/0.123 and S 0/0.14), R2, R3 and R4 connect through a Frame-Relay cloud on their S 0/0 interfaces.]

Interface IPv6 Address Configuration


R1
Interface     IPv6 Address       Subnet Mask
Loopback 0    2001:1:1:1::1      /64
S 0/0.123     2001:1:1:123::1    /64
S 0/0.14      2001:1:1:14::1     /64

R2
Interface     IPv6 Address       Subnet Mask
Loopback 0    2001:2:2:2::2      /64
S 0/0         2001:1:1:123::2    /64


R3
Interface     IPv6 Address       Subnet Mask
Loopback 0    2001:3:3:3::3      /64
S 0/0         2001:1:1:123::3    /64

R4
Interface     IPv6 Address       Subnet Mask
Loopback 0    2001:4:4:4::4      /64
S 0/0         2001:1:1:14::4     /64

Task 1
Configure the routers connected to the frame-relay cloud as follows:
o R1 (the hub) must be configured with two sub-interfaces. The
first of the two sub-interfaces must be configured to connect R1
to R4. Configure the interface based on the IPv6 addressing table.
o The second sub-interface on R1 must be configured in a
multipoint manner. This sub-interface must be configured to
connect R1 to routers R2 and R3 using the IPv6 addressing
table.
o Routers R2 and R3 should not be configured with a sub-interface,
and these routers should NOT rely on Inverse-ARP.


R1
Ipv6 unicast-routing
Int S0/0
Encapsulation frame-relay
No frame-relay inverse
No shut
!
Int S0/0.14 point-to-point
Ipv6 enable
Ipv6 address 2001:1:1:14::1/64
Frame-relay interface-dlci 104
!
Int S0/0.123 multipoint
Ipv6 enable
Ipv6 address 2001:1:1:123::1/64
Frame-relay map ipv6 2001:1:1:123::2 102 broadcast
Frame-relay map ipv6 2001:1:1:123::3 103 broadcast
R2
Ipv6 unicast-routing
Int S0/0
Ipv6 enable
Ipv6 address 2001:1:1:123::2/64
Encapsulation frame
No frame-relay inverse
Frame-relay map ipv6 2001:1:1:123::1 201 broadcast
Frame-relay map ipv6 2001:1:1:123::3 201
No shut
Exit


R3
Ipv6 unicast-routing
Int S0/0
Encapsulation frame
Ipv6 enable
Ipv6 address 2001:1:1:123::3/64
Frame-relay map ipv6 2001:1:1:123::1 301 broadcast
Frame-relay map ipv6 2001:1:1:123::2 301 broadcast
No frame-relay inverse
No shut
R4
Ipv6 unicast-routing
Int S0/0
Encapsulation frame
Ipv6 enable
Ipv6 address 2001:1:1:14::4/64
Frame-relay map ipv6 2001:1:1:14::1 401 broadcast
No frame-relay inverse
No shut
Task 2
Configure the routers in OSPFv3 area 0 and advertise their directly
connected interfaces in this area. Also configure Loopbacks on all 4
routers using the 2001:X:X:X::X/64 format.


R1
IPv6 router ospf 1
router-id 1.1.1.1
!
Interface Loopback 0
ipv6 address 2001:1:1:1::1/64
ipv6 ospf 1 area 0
!
Interface S 0/0.14
ipv6 ospf 1 area 0
!
Interface S 0/0.123
ipv6 ospf 1 area 0
Frame-relay map ipv6 Link-Local 102
Frame-relay map ipv6 Link-Local 103
ipv6 ospf network point-to-multipoint
Note: Find the Link-Local Address for R2 and R3 by using Show IPv6 int
brief on R2 and R3 respectively. This is required for OSPFv3 Neighbor
relationship to be established
R2
IPv6 router ospf 1
router-id 2.2.2.2
!
Interface Loopback 0
ipv6 address 2001:2:2:2::2/64
ipv6 ospf 1 area 0
!
Interface S 0/0
ipv6 ospf 1 area 0
Frame-relay map ipv6 Link-Local 201
ipv6 ospf network point-to-multipoint
Note: Find the Link-Local Address for R1 by using Show IPv6 int brief
on R1. This is required for OSPFv3 Neighbor relationship to be
established.


R3
IPv6 router ospf 1
router-id 3.3.3.3
!
Interface Loopback 0
ipv6 address 2001:3:3:3::3/64
ipv6 ospf 1 area 0
!
Interface S 0/0
ipv6 ospf 1 area 0
Frame-relay map ipv6 Link-Local 301
ipv6 ospf network point-to-multipoint
Note: Find the Link-Local Address for R1 by using Show IPv6 int brief
on R1. This is required for OSPFv3 Neighbor relationship to be
established.
R4
IPv6 router ospf 1
router-id 4.4.4.4
!
Interface Loopback 0
ipv6 address 2001:4:4:4::4/64
ipv6 ospf 1 area 0
!
Interface S 0/0
ipv6 ospf 1 area 0
Frame-relay map ipv6 Link-Local 401
ipv6 ospf network point-to-point
Note: Find the Link-Local Address for R1 by using Show IPv6 int brief
on R1. This is required for OSPFv3 Neighbor relationship to be
established.
Task 3
Ensure that the loopback interfaces are advertised with their correct
mask.
R1
Interface Loopback 0
Ipv6 ospf network point-to-point
R2
Interface Loopback 0
Ipv6 ospf network point-to-point
R3
Interface Loopback 0
Ipv6 ospf network point-to-point
R4
Interface Loopback 0
Ipv6 ospf network point-to-point


Module 9 IOS Services


Lab 1 Configuring M-HSRP

[Topology diagram: R1 F 0/0 (.1), R3 F 0/0 (.3) and R4 F 0/0 (.4) on 192.1.11.0/24 VLAN 11; R3 F 0/1 (.3), R4 F 0/1 (.4) and R2 F 0/0 (.2) on 192.1.22.0/24 VLAN 22; R2 F 0/1 (.2) and R5 F 0/0 (.5) on 192.1.33.0/24 VLAN 33.]

Interface IP Address Configuration


R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
F 0/0         192.1.11.1     255.255.255.0

R2
Interface     IP Address     Subnet Mask
Loopback 0    2.2.2.2        255.0.0.0
F 0/0         192.1.22.2     255.255.255.0
F 0/1         192.1.33.2     255.255.255.0

R3
Interface     IP Address     Subnet Mask
Loopback 0    3.3.3.3        255.0.0.0
F 0/0         192.1.11.3     255.255.255.0
F 0/1         192.1.22.3     255.255.255.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.0.0.0
F 0/0         192.1.11.4     255.255.255.0
F 0/1         192.1.22.4     255.255.255.0

R5
Interface     IP Address     Subnet Mask
Loopback 0    5.5.5.5        255.0.0.0
F 0/0         192.1.33.5     255.255.255.0

Task 1
R1 is the ISP Router. It is simulating the Internet. R3 & R4 should point
to R1 as the default gateway. R1, R3 and R4 should also run EIGRP in
AS 11. R1 should advertise its loopback in EIGRP 11.
R1
Router eigrp 11
No auto-summary
Network 192.1.11.0
Network 1.0.0.0
R3
ip route 0.0.0.0 0.0.0.0 192.1.11.1
!
Router eigrp 11
No auto-summary
Network 192.1.11.0
R4
ip route 0.0.0.0 0.0.0.0 192.1.11.1
!
Router eigrp 11
No auto-summary
Network 192.1.11.0

Task 2
Configure Multigroup HSRP between R3 and R4 on the 192.1.22.0
segment. R3 should be the Active router and R4 should be the Standby
router for Standby Group 1. Group 1 should use 192.1.22.11 as the
Standby address. Set the Priority for R3 as 105 for this group. Make sure
R3 is the Active router whenever it is up. Configure an authenticated
HSRP connection between the routers. Use ccie as the password. If the
active HSRP router for this group loses the 1.0.0.0 route from the routing
table, it should decrement the priority by 20 and the other router should
become the Active HSRP router.
R3
track 1 ip route 1.0.0.0/8 reachability
!
Interface F 0/1
Standby 1 ip 192.1.22.11
Standby 1 priority 105
Standby 1 preempt
Standby 1 authentication ccie
Standby 1 track 1 decrement 20
R4
track 1 ip route 1.0.0.0/8 reachability
!
Interface F 0/1
Standby 1 ip 192.1.22.11
Standby 1 preempt
Standby 1 authentication ccie
Standby 1 track 1 decrement 20
Task 3
Configure Multigroup HSRP between R3 and R4 on the 192.1.22.0
segment. R4 should be the Active router and R3 should be the Standby
router for Standby Group 2. Group 2 should use 192.1.22.12 as the
Standby address. Set the Priority for R4 as 105 for this group. Make sure
R4 is the Active router whenever it is up. Configure an authenticated
HSRP connection between the routers. Use ccie as the password. If the
F0/0 interface goes down on the active HSRP router for this group, it
should decrement the priority by 20 and the other router should become
the Active HSRP router.
R3
Interface F 0/1
Standby 2 ip 192.1.22.12
Standby 2 preempt
Standby 2 authentication ccie
Standby 2 track Fast 0/0 20
R4
Interface F 0/1
Standby 2 ip 192.1.22.12
Standby 2 preempt
Standby 2 priority 105
Standby 2 authentication ccie
Standby 2 track Fast 0/0 20

Lab 2 Configuring a Router as a DHCP Server
(Builds on Lab 1)
Task 1
Configure R3 as a DHCP Server with the following parameters:

IP ADDRESS : 192.1.22.0
WINS ADDRESS : 192.1.22.5
DNS ADDRESS : 192.1.22.6, 192.1.22.7
DEFAULT GATEWAY : 192.1.22.11
LEASE TIME : 3 Days 12 hours
Excluded addresses : 192.1.22.2 - 4 & 192.1.22.34

R3
ip dhcp excluded-address 192.1.22.2 192.1.22.4
ip dhcp excluded-address 192.1.22.11
!
ip dhcp pool VLAN22
network 192.1.22.0 255.255.255.0
netbios-name-server 192.1.22.5
dns-server 192.1.22.6 192.1.22.7
default-router 192.1.22.11
lease 3 12
Task 2
Disable the DHCP server service on R4
R4
No service dhcp

Lab 3 Configuring a Router to generate a Core Dump using FTP
(Builds on Lab 2)
Task 1
Configure R3 to send a Core Dump to a FTP Server located at
192.1.22.100. Set the Dump size to 32768.
R3
exception dump 192.1.22.100
exception region-size 32768
exception protocol ftp
Task 2
The router logs into the FTP Server using a username of ccie and a
password of ccie.
R3
ip ftp username ccie
ip ftp password ccie

Lab 4 Configuring a Router to act as a TFTP Server to share the IOS Image
(Builds on Lab 3)
Task 1
Configure R5 as a TFTP Server. It should allow access to its IOS Image
file.
Task 2
Only allow R2 to access this file.
R5
Access-list 1 permit host 192.1.33.2
!
Tftp-server flash: IOS-Filename 1
Note: Find the IOS-Filename by using the Show Flash command

Lab 5 Using PBR for Traffic Engineering
(Builds on Lab 4)
Task 1
Run EIGRP in AS 25 between R2 and R5. Advertise all the interfaces on
R5 in EIGRP. Advertise the 192.1.33.0 network in EIGRP. R2 should
inject a default gateway into R5. Do not use the default-information
originate command to accomplish this.
R2
Ip route 0.0.0.0 0.0.0.0 192.1.22.11
!
Router EIGRP 25
No auto-summary
Network 192.1.33.0
Redistribute static
R5
Router EIGRP 25
No auto-summary
Network 192.1.33.0
Network 5.0.0.0
Task 2
Configure R2 such that all traffic from the 5.0.0.0 network uses R4 as its
next hop. The rest of the traffic should use the routing table for the
routing decision.
R2
Access-list 101 permit ip 5.0.0.0 0.255.255.255 any
!
Route-map PBR permit 10
match ip address 101
set ip next-hop 192.1.22.4
!
Interface F 0/1
ip policy route-map PBR
Note: You can create static routes to test the connectivity.

Lab 6 Configuring NTP
(Builds on Lab 5)
Task 1
Configure R3 as a NTP Master with a stratum of 2. It should authenticate
the clients using a key id of 234. The Key string should be ccie12353.
Set it with a Time Zone of GMT +4.
R3
Clock timezone DST 4
!
Set the clock to the current date and time using the clock set
command
!
Ntp authenticate
Ntp authentication-key 234 md5 ccie12353
Ntp trusted-key 234
Ntp master 2
Task 2
Configure R2 to receive its clock from R3. Set it with a Time Zone of GMT
+5.5. Configure R2 such that it automatically adjusts the clock based on
the time zone
R2
Clock timezone DST 5 30
!
Ntp authenticate
Ntp authentication-key 234 md5 ccie12353
Ntp trusted-key 234
Ntp server 192.1.22.3 key 234
Task 3
Configure R5 to receive its clock from R2. Set it with a Time Zone of GMT
+8. Do not use the NTP Server command to receive the clock. Do not
configure any commands under the interface to accomplish this task.
R5
Clock timezone DST 8
!
Ntp authenticate
Ntp authentication-key 234 md5 ccie12353
Ntp trusted-key 234
Ntp peer 192.1.33.2 key 234
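
What key 234 does on the wire, as an added example that is not part of the workbook: NTP symmetric-key authentication appends a 32-bit key ID and an MD5 digest computed over the key followed by the 48-byte packet header, and the receiver recomputes it with its own trusted key. The header contents are constructed, and using the key string byte-for-byte as the MD5 key is an assumption.

```python
import hashlib
import hmac
import struct

# Values from the lab: "ntp authentication-key 234 md5 ccie12353" and "ntp trusted-key 234".
KEY_ID = 234
KEY = b"ccie12353"   # assumption: the key string is used byte-for-byte as the MD5 key
TRUSTED_KEYS = {KEY_ID: KEY}

HEADER_LEN = 48      # fixed NTP header
MAC_LEN = 4 + 16     # 32-bit key ID followed by a 128-bit MD5 digest


def build_header(stratum, mode, transmit_ts):
    """Constructed NTP header (LI=0, VN=3); only the layout matters here."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode
    return struct.pack(
        "!BBbbII4sQQQQ",
        li_vn_mode, stratum, 6, -20,   # flags, stratum, poll, precision
        0, 0, b"\x7f\x7f\x01\x01",     # root delay, root dispersion, reference ID
        0, 0, 0, transmit_ts,          # reference, origin, receive, transmit timestamps
    )


def add_mac(header, key_id, key):
    """Sender side: append key ID and MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def check_mac(packet, trusted_keys):
    """Receiver side: accept only a packet whose MAC verifies under a trusted key."""
    if len(packet) == HEADER_LEN:
        return "rejected: no MAC"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "rejected: bad length"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return "rejected: key %d not trusted" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return "rejected: digest mismatch"
    return "accepted"


def demo():
    """Run the receiver check over a good packet and four bad ones."""
    header = build_header(stratum=2, mode=4, transmit_ts=0x0123456789ABCDEF)
    good = add_mac(header, KEY_ID, KEY)
    tampered = bytearray(good)
    tampered[1] = 1                    # stratum changed after the MAC was computed
    return {
        "good": check_mac(good, TRUSTED_KEYS),
        "unauthenticated": check_mac(header, TRUSTED_KEYS),
        "wrong key string": check_mac(add_mac(header, KEY_ID, b"ccie"), TRUSTED_KEYS),
        "untrusted key id": check_mac(add_mac(header, 235, KEY), TRUSTED_KEYS),
        "tampered header": check_mac(bytes(tampered), TRUSTED_KEYS),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-18s %s" % (name, verdict))
```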

Lab 7 Configuring a Router as a DHCP Relay Agent
(Builds on Lab 6)
Task 1
Configure R3 with another pool for VLAN 33. Use the following
parameters:







IP ADDRESS : 192.1.33.0
WINS ADDRESS : 192.1.22.5
DNS ADDRESS : 192.1.22.6, 192.1.22.7
DEFAULT GATEWAY : 192.1.33.2
LEASE TIME : 3 Days 12 hours
Excluded addresses : 192.1.33.2 & 192.1.33.5

R3
ip dhcp excluded-address 192.1.33.2
ip dhcp excluded-address 192.1.33.5
!
ip dhcp pool VLAN33
network 192.1.33.0 255.255.255.0
netbios-name-server 192.1.22.5
dns-server 192.1.22.6 192.1.22.7
default-router 192.1.33.2
lease 3 12
Task 2
Configure R2 to forward incoming DHCP Address request broadcasts to
R3, which is the DHCP Server.
R2
Interface F 0/1
Ip helper-address 192.1.22.3

Lab 8 Configuring GLBP
(Builds on Lab 7)
Task 1
Remove the HSRP configuration on R3 and R4. We will be configuring
GLBP on VLAN 22 instead.
R3
Default interface F 0/1
!
Int f 0/1
Ip add 192.1.22.3 255.255.255.0
No shut
R4
Default interface F 0/1
!
Int f 0/1
Ip add 192.1.22.4 255.255.255.0
No shut

Task 2
Configure R3 and R4 as GLBP AVGs for VLAN 22. Use 22 as the GLBP
Group number and .34 as the Virtual IP Address. R4 should be the
preferred AVG.
R3
Interface F 0/1
GLBP 22 ip 192.1.22.34

R4
Interface F 0/1
GLBP 22 ip 192.1.22.34
GLBP 22 priority 102
GLBP 22 preempt

Module 10 Security

Lab 1 Configuring Telnet Management using Local Management

[Topology diagram: R1 F 0/0 (.1), R3 F 0/0 (.3) and R4 F 0/0 (.4) on 192.1.11.0/24 VLAN 11; R3 F 0/1 (.3), R4 F 0/1 (.4), R2 F 0/0 (.2) and SW1 VLAN 22 (.15) on 192.1.22.0/24 VLAN 22; R2 F 0/1 (.2) and R5 F 0/0 (.5) on 192.1.33.0/24 VLAN 33.]

Interface IP Address Configuration

R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
F 0/0         192.1.11.1     255.255.255.0

R2
Interface     IP Address     Subnet Mask
Loopback 0    2.2.2.2        255.0.0.0
F 0/0         192.1.22.2     255.255.255.0
F 0/1         192.1.33.2     255.255.255.0

R3
Interface     IP Address     Subnet Mask
Loopback 0    3.3.3.3        255.255.255.0
F 0/0         192.1.11.3     255.255.255.0
F 0/1         192.1.22.3     255.255.255.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.255.255.0
F 0/0         192.1.11.4     255.255.255.0
F 0/1         192.1.22.4     255.255.255.0

R5
Interface     IP Address     Subnet Mask
Loopback 0    5.5.5.5        255.0.0.0
F 0/0         192.1.33.5     255.255.255.0

SW1
Interface     IP Address     Subnet Mask
Loopback 0    15.15.15.15    255.0.0.0
VLAN 22       192.1.22.15    255.255.255.0

Task 1
Configure EIGRP in AS 100 on all routers and SW1 to route all networks.
R1
Router EIGRP 100
No auto-summary
Network 192.1.11.0
Network 1.0.0.0
R2
Router EIGRP 100
No auto-summary
Network 192.1.22.0
Network 192.1.33.0
Network 2.0.0.0
R3
Router EIGRP 100
No auto-summary
Network 192.1.11.0
Network 192.1.22.0
Network 3.0.0.0
R4
Router EIGRP 100
No auto-summary
Network 192.1.11.0
Network 192.1.22.0
Network 4.0.0.0
R5
Router EIGRP 100
No auto-summary
Network 192.1.33.0
Network 5.0.0.0
SW1
Router EIGRP 100
No auto-summary
Network 192.1.22.0
Network 15.0.0.0

Task 2
Configure Telnet on SW1 based on the following requirements:

SW1 should only allow networks 192.1.11.0, 192.1.22.0 and 1.0.0.0 to Telnet in for Management access to it.
Disable Telnet Client on SW1 for Console and Telnet lines.
Use AAA to point the Telnet authentication to the local Username Database.
Configure a local username admin with a password of admin.
Make sure the Console port does not get authentication.

SW1
Aaa new-model
!
Username admin password admin
!
Aaa authentication login L-AUTHEN local
Aaa authentication login NO-AUTHEN none
!
access-list 5 permit 1.0.0.0 0.255.255.255
access-list 5 permit 192.1.11.0 0.0.0.255
access-list 5 permit 192.1.22.0 0.0.0.255
!
line vty 0 4
access-class 5 in
login authentication L-AUTHEN
transport output none
!
line console 0
login authentication NO-AUTHEN
transport output none
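
Which lab addresses access-class 5 actually admits to the vty lines, as an added example that is not part of the workbook: it evaluates a standard ACL the way a first-match list with wildcard masks and an implicit deny works. It goes slightly beyond the three entries above by also accepting the `host` and `any` forms; the function names are this example's own.

```python
import ipaddress

# ACL 5 exactly as configured on SW1 in Task 2.
ACL_TEXT = """\
access-list 5 permit 1.0.0.0 0.255.255.255
access-list 5 permit 192.1.11.0 0.0.0.255
access-list 5 permit 192.1.22.0 0.0.0.255
"""

FULL = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _is_ip(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_standard_acl(text, number):
    """Return [(action, address, wildcard)] for the given standard ACL number."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0].lower() != "access-list" or tok[1] != str(number):
            continue
        action, spec = tok[2].lower(), tok[3:]
        if action not in ("permit", "deny"):
            continue
        try:
            if spec[0].lower() == "any":
                addr, wildcard = 0, FULL
            elif spec[0].lower() == "host":
                addr, wildcard = _ip(spec[1]), 0
            else:
                addr = _ip(spec[0])
                # A missing wildcard means an exact host match.
                wildcard = _ip(spec[1]) if len(spec) > 1 and _is_ip(spec[1]) else 0
        except (IndexError, ValueError):
            continue  # malformed entry, skipped
        entries.append((action, addr, wildcard))
    return entries


def evaluate(entries, source):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = _ip(source)
    for index, (action, addr, wildcard) in enumerate(entries, 1):
        care = ~wildcard & FULL          # wildcard bits set to 1 are ignored
        if (src & care) == (addr & care):
            return action, index
    return "deny", None


def check_lab_sources():
    """Evaluate the source addresses from the lab's address table against ACL 5."""
    entries = parse_standard_acl(ACL_TEXT, 5)
    sources = ["1.1.1.1", "192.1.11.1", "192.1.22.4", "2.2.2.2", "192.1.33.5", "5.5.5.5"]
    return {src: evaluate(entries, src) for src in sources}


if __name__ == "__main__":
    for src, (action, index) in check_lab_sources().items():
        where = "entry %d" % index if index else "implicit deny"
        print("%-12s %-6s (%s)" % (src, action, where))
```

R2 is admitted from its 192.1.22.2 interface but not when it sources the session from Loopback 0 (2.2.2.2), which falls to the implicit deny.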

Lab 2 Configuring SSH Management using Local Management
(Builds on Lab 1)
Task 1
Enable SSH on R1. Use abc.com as the domain name. Use a 512 bit key.
Authentication should be done based on the Local Database. Create a
user sshuser with a password of ccie. Configure R1 with local
authentication on the vty lines. No authentication should be done on the
aux and console lines. Make sure of it. Only allow SSH Management
connections to the VTY lines.
R1
ip domain name abc.com
!
crypto key generate rsa usage-keys
!
aaa new-model
!
username sshuser password ccie
!
aaa authentication login L-AUHTEN local
aaa authentication login NO-AUTHEN none
!
line con 0
login authentication NO-AUTHEN
!
line vty 0 15
login authentication L-AUHTEN
transport input ssh
Note: Use ssh -l sshuser -c des 192.1.23.2 to test the configuration
from R3.

Lab 3 Configuring HTTP Management using Local Management
(Builds on Lab 2)
Task 1
Configure R3 to communicate with an ACS server using TACACS+ as the
authentication protocol. Use CC1E as the key. The TACACS+ server is
located at 192.1.11.100.
R3
aaa new-model
!
Tacacs-server host 192.1.11.100 key CC1E
Task 2
Configure R3 to allow HTTP Management using HTTP. It should only
allow HTTP Management from VLAN 11.
R3
Access-list 11 permit 192.1.11.0 0.0.0.255
!
IP HTTP server
Ip http access-class 11
Task 3
Authenticate the users connecting into R3 for HTTP using the ACS
server. If the ACS Server is down, authenticate against the local
Database. Create a local user Admin with a password of admin.
R3
Username Admin password admin
!
Aaa authentication login L-AUTHEN tacacs+ local
!
Ip http authentication aaa login-authentication L-AUTHEN

Lab 4 Configuring Control Plane Management
(Builds on Lab 3)
Task 1
R3 has been configured to allow telnet access for management purposes.
Using Control Plane Policing, control the rate of Telnet traffic to 64000
bps.
R3
access-list 101 permit tcp any any eq 23
!
class-map TELNET
match access-group 101
!
policy-map CP-Police
class TELNET
police 64000
!
control-plane
service-policy input CP-Police
Task 3
Configure a queue-threshold on R3 such that it sets the queue limit for
HTTP to 100, the queue limit for Telnet traffic to 75 and all other
protocols to 200.
R3
class-map type queue-threshold QT-HTTP
match protocol http
class-map type queue-threshold QT-TELNET
match protocol telnet
class-map type queue-threshold QT-ALL-OTHER
match host-protocols
!
policy-map type queue-threshold QT-POLICY
class QT-HTTP
queue-limit 100
class QT-TELNET
queue-limit 75
class QT-ALL-OTHER
queue-limit 200
control-plane host
service-policy type queue-threshold input QT-POLICY

Lab 5 Configuring NBAR to Block HTTP Attacks
(Builds on Lab 4)
Task 1
R4 is under the Code Red attack from R1. The footprint has the following
URLs:
cmd.exe
root.exe
default.ida
Using NBAR, classify the inbound traffic on F 0/0 and drop the classified
traffic.
R4
class-map match-any ABC
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
match protocol http url "*default.ida*"
!
policy-map Attacks
class ABC
drop
!
interface F 0/0
service-policy input Attacks
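
The same three URL patterns applied to a web server's access log, as an added example that is not part of the workbook, to see which requests and sources class-map ABC would have classified. The log lines are constructed, and treating the whole request target (query string included) case-insensitively is an assumption of this model, not a statement about NBAR's matcher.

```python
import fnmatch
import re
from collections import defaultdict

# URL patterns from class-map ABC on R4.
PATTERNS = ["*cmd.exe*", "*root.exe*", "*default.ida*"]

# Constructed access-log lines (Common Log Format). 192.1.11.1 is R1's F 0/0 address.
SAMPLE_LOG = """\
192.1.11.1 - - [10/Oct/2010:13:55:36 +0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 0
192.1.11.1 - - [10/Oct/2010:13:55:37 +0400] "GET /scripts/root.exe HTTP/1.0" 404 0
192.1.11.1 - - [10/Oct/2010:13:55:38 +0400] "GET /scripts/CMD.EXE HTTP/1.0" 404 0
192.1.11.3 - - [10/Oct/2010:13:56:01 +0400] "GET /index.html HTTP/1.1" 200 512
192.1.11.3 - - [10/Oct/2010:13:56:02 +0400] "GET /downloads/setup.exe HTTP/1.1" 200 2048
192.1.11.3 - - [10/Oct/2010:13:56:03 +0400] "GET /kb/search?q=cmd.exe HTTP/1.1" 200 733
this line is not in log format and is skipped
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) [^"]*" (\d{3})')


def classify(url, patterns=PATTERNS):
    """Return the first pattern the request target matches, or None."""
    lowered = url.lower()            # assumption: case-insensitive comparison
    for pattern in patterns:
        if fnmatch.fnmatchcase(lowered, pattern):
            return pattern
    return None


def scan(log_text):
    """Group matching requests by source address: {src: [(pattern, url), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _method, url, _status = m.groups()
        pattern = classify(url)
        if pattern:
            hits[src].append((pattern, url))
    return dict(hits)


if __name__ == "__main__":
    for src, matches in scan(SAMPLE_LOG).items():
        print(src)
        for pattern, url in matches:
            print("   %-16s %s" % (pattern, url))
```

Because each pattern has a wildcard on both sides, the knowledge-base search from 192.1.11.3 is flagged as well, so a hit identifies a request to review rather than proving an infected source.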

Lab 6 Configuring IP TCP Intercept
(Optional)
(Builds on Lab 5)
Task 1
The Web Server at 192.1.33.55 is getting overwhelmed by syn-attacks.
R2 should watch the traffic and if it does not complete the TCP
handshake in 10 seconds, it should drop the packets.
R2
Access-list 161 permit tcp any host 192.1.33.55 eq www
!
Ip tcp intercept mode watch
Ip tcp intercept watch-timeout 10
Ip tcp intercept list 161
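
A small model of the watch logic configured above, as an added example that is not part of the workbook: it follows connections that match access-list 161 and reports which ones completed the three-way handshake and which were still half-open after the 10-second watch-timeout. The segment list and client addresses are constructed.

```python
WATCH_TIMEOUT = 10                 # "ip tcp intercept watch-timeout 10"
PROTECTED = ("192.1.33.55", 80)    # access-list 161: tcp any host 192.1.33.55 eq www

# Constructed segments as seen by R2: (time_s, src, sport, dst, dport, flag).
EVENTS = [
    (0.0, "192.1.11.3", 40001, "192.1.33.55", 80, "SYN"),
    (0.1, "192.1.33.55", 80, "192.1.11.3", 40001, "SYN-ACK"),
    (0.2, "192.1.11.3", 40001, "192.1.33.55", 80, "ACK"),      # handshake completes
    (1.0, "192.1.11.9", 50001, "192.1.33.55", 80, "SYN"),      # never answered
    (1.1, "192.1.33.55", 80, "192.1.11.9", 50001, "SYN-ACK"),
    (2.0, "192.1.11.9", 50002, "192.1.33.55", 80, "SYN"),      # never answered
    (3.0, "192.1.11.4", 40100, "192.1.33.55", 80, "SYN"),
    (4.0, "192.1.11.3", 40002, "192.1.33.25", 80, "SYN"),      # not matched by ACL 161
    (12.0, "192.1.11.3", 40003, "192.1.33.55", 80, "SYN"),     # still inside its window
    (14.5, "192.1.11.4", 40100, "192.1.33.55", 80, "ACK"),     # 11.5 s after SYN: too late
]


def watch(events, now, timeout=WATCH_TIMEOUT, protected=PROTECTED):
    """Classify watched connections as established, expired or still pending at `now`."""
    pending = {}                    # (src, sport) -> time of the first SYN
    established, expired = [], []

    def expire(at):
        for conn, started in list(pending.items()):
            if at - started > timeout:
                expired.append(conn)
                del pending[conn]

    for t, src, sport, dst, dport, flag in sorted(events):
        if t > now:
            break
        expire(t)                   # age out half-open entries before this segment
        if (dst, dport) != protected:
            continue                # server replies and other destinations are not tracked
        conn = (src, sport)
        if flag == "SYN":
            pending.setdefault(conn, t)
        elif flag == "ACK" and conn in pending:
            established.append(conn)
            del pending[conn]
    expire(now)
    return {"established": established, "expired": expired, "pending": sorted(pending)}


if __name__ == "__main__":
    for state, conns in watch(EVENTS, now=15.0).items():
        print(state, conns)
```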

Lab 7 Configuring IP Source Track
(Optional)
(Builds on Lab 6)
Task 1
Host 192.1.33.25 is under a DoS service attack. You need to find out the
IP address of the attacker so you can instruct the ISP to block this
address. Configure R2 to keep track of incoming packets with their
source addresses, track the amount of traffic generated from the source
and report it to a syslog server every 6 hours. The syslog server is located
at 192.1.12.100.
R2
Ip source-track 192.1.33.25
Ip source-track syslog-interval 360
Logging on
Logging 192.1.33.100

Module 11 MPLS

Lab 1 Configuring MPLS Unicast Routing

[Topology diagram. SP Core (AS 12353, OSPF Area 0): R1 F 0/0.12 (.1) and R2 F 0/0.12 (.2) on 192.1.12.0/24 VLAN 12; R2 F 0/0.23 (.2) and R3 F 0/0.23 (.3) on 192.1.23.0/24 VLAN 23; R3 F 0/0.34 (.3) and R4 F 0/0.34 (.4) on 192.1.34.0/24 VLAN 34. Customer links: R1 F 0/0.15 (.1) and R5 F 0/0 (.5) on 192.1.15.0/24 VLAN 15; R1 F 0/0.16 (.1) and R6 F 0/0.16 (.6) on 192.1.16.0/24 VLAN 16; R4 F 0/0.47 (.4) and R7 F 0/0.47 (.7) on 192.1.47.0/24 VLAN 47; R4 F 0/0.48 (.4) and R8 F 0/0 (.8) on 192.1.48.0/24 VLAN 48. Customer sites are labelled C1-Site1, C1-Site2, C2-Site1 and C2-Site2.]

Interface IP Address Configuration

R1
Interface     IP Address     Subnet Mask
Loopback 0    1.1.1.1        255.0.0.0
Loopback 1    11.11.11.11    255.255.0.0
F 0/0.12      192.1.12.1     255.255.255.0
F 0/0.15      192.1.15.1     255.255.255.0
F 0/0.16      192.1.16.1     255.255.255.0

R2
Interface     IP Address     Subnet Mask
Loopback 0    2.2.2.2        255.0.0.0
F 0/0.12      192.1.12.2     255.255.255.0
F 0/0.23      192.1.23.2     255.255.255.0

R3
Interface     IP Address     Subnet Mask
Loopback 0    3.3.3.3        255.0.0.0
F 0/0.23      192.1.23.3     255.255.255.0
F 0/0.34      192.1.34.3     255.255.255.0

R4
Interface     IP Address     Subnet Mask
Loopback 0    4.4.4.4        255.0.0.0
Loopback 1    44.44.44.44    255.255.0.0
F 0/0.34      192.1.34.4     255.255.255.0
F 0/0.47      192.1.47.4     255.255.255.0
F 0/0.48      192.1.48.4     255.255.255.0

R5
Interface     IP Address     Subnet Mask
Loopback 0    10.5.5.5       255.255.255.0
F 0/0         192.1.15.5     255.255.255.0

R6
Interface     IP Address     Subnet Mask
Loopback 0    10.6.6.6       255.255.255.0
F 0/0.16      192.1.16.6     255.255.255.0

R7
Interface     IP Address     Subnet Mask
Loopback 0    10.7.7.7       255.255.255.0
F 0/0.47      192.1.47.7     255.255.255.0

R8
Interface     IP Address     Subnet Mask
Loopback 0    10.8.8.8       255.255.255.0
F 0/0         192.1.48.8     255.255.255.0

Task 1
Configure OSPF between all the SP routers (R1, R2, R3, R4). OSPF
process should use Loopback0 on each router as the router-id. Advertise
all links in OSPF except Loopback 1s on R1 and R4. Loopback 0s should
appear with a /8 mask in the routing table.
R1
Interface Loopback 0
Ip ospf network point-to-point
!
Router ospf 1
Router-id 1.1.1.1
Network 1.1.1.1 0.0.0.0 area 0
Network 192.1.12.1 0.0.0.0 area 0
R2
Interface Loopback 0
Ip ospf network point-to-point
!
Router ospf 1
Router-id 2.2.2.2
Network 2.2.2.2 0.0.0.0 area 0
Network 192.1.12.2 0.0.0.0 area 0
Network 192.1.23.2 0.0.0.0 area 0
R3
Interface Loopback 0
Ip ospf network point-to-point
!
Router ospf 1
Router-id 3.3.3.3
Network 3.3.3.3 0.0.0.0 area 0
Network 192.1.23.3 0.0.0.0 area 0
Network 192.1.34.3 0.0.0.0 area 0
R4
Interface Loopback 0
Ip ospf network point-to-point
!
Router ospf 1
Router-id 4.4.4.4
Network 4.4.4.4 0.0.0.0 area 0
Network 192.1.34.4 0.0.0.0 area 0

Task 2
Configure BGP between R1 and R4 in AS 12353. Use the most reliable
interface to form the neighbour relationship between them. Advertise
Loopback 1 on both the routers in BGP.
R1
Router BGP 12353
Network 11.11.0.0 mask 255.255.0.0
Neighbor 4.4.4.4 remote-as 12353
Neighbor 4.4.4.4 update-source Loo0
R4
Router BGP 12353
Network 44.44.0.0 mask 255.255.0.0
Neighbor 1.1.1.1 remote-as 12353
Neighbor 1.1.1.1 update-source Loo0

Task 3
Configure MPLS on all the physical links in the SP Network. Use LDP to
distribute labels. The LDP neighbour relationships should be formed
based on the most reliable interface. The Labels should be assigned from
the range X00 - X99, where X is the router number.
R1
Mpls ldp router-id Loopback0
Mpls label protocol LDP
Mpls label range 100 199
!
Interface F 0/0.12
Mpls ip
R2
Mpls ldp router-id Loopback0
Mpls label protocol LDP
Mpls label range 200 299
!
Interface F 0/0.12
Mpls ip
!
Interface F 0/0.23
Mpls ip
R3
Mpls ldp router-id Loopback0
Mpls label protocol LDP
Mpls label range 300 399
!
Interface F 0/0.23
Mpls ip
!
Interface F 0/0.34
Mpls ip
R4
Mpls ldp router-id Loopback0
Mpls label protocol LDP
Mpls label range 400 499
!
Interface F 0/0.34
Mpls ip

Lab 2 Conditional Label Advertising
(Builds on Lab 1)
Task 1
Make sure that labels are only exchanged for Loopback 0 networks
throughout the MPLS network.
R1
Access-list 1 permit 1.0.0.0
Access-list 1 permit 2.0.0.0
Access-list 1 permit 3.0.0.0
Access-list 1 permit 4.0.0.0
!
no mpls ldp advertise-labels
mpls ldp advertise-labels for 1
R2
Access-list 1 permit 1.0.0.0
Access-list 1 permit 2.0.0.0
Access-list 1 permit 3.0.0.0
Access-list 1 permit 4.0.0.0
!
no mpls ldp advertise-labels
mpls ldp advertise-labels for 1
R3
Access-list 1 permit 1.0.0.0
Access-list 1 permit 2.0.0.0
Access-list 1 permit 3.0.0.0
Access-list 1 permit 4.0.0.0
!
no mpls ldp advertise-labels
mpls ldp advertise-labels for 1
R4
Access-list 1 permit 1.0.0.0
Access-list 1 permit 2.0.0.0
Access-list 1 permit 3.0.0.0
Access-list 1 permit 4.0.0.0
!
no mpls ldp advertise-labels
mpls ldp advertise-labels for 1

Lab 3 Configuring MPLS VPN with Static Routes between PE-CE
(Builds on Lab 2)
Note:
Save the Configs on all the routers. Don't save the configs during the
labs. At the completion of this lab, reload the routers without saving.
This will allow you to do the next lab based on the same topology.
Task 1
Configure a VPNv4 neighbor relationship between R1 and R4. Set the
next-hop-self attribute on the IPv4 neighbor relationship.
R1
Router BGP 12353
Neighbor 4.4.4.4 next-hop-self
!
Address-family vpnv4
Neighbor 4.4.4.4 activate
Neighbor 4.4.4.4 send-community both
R4
Router BGP 12353
Neighbor 1.1.1.1 next-hop-self
!
Address-family vpnv4
Neighbor 1.1.1.1 activate
Neighbor 1.1.1.1 send-community both

Task 2
Configure a VRF CUST-A with a RD value of 1:100 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C1 sites on R1 and R4.
R1
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.15
Ip vrf forwarding CUST-A
Ip address 192.1.15.1 255.255.255.0
R4
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.48
Ip vrf forwarding CUST-A
Ip address 192.1.48.4 255.255.255.0

Task 3
Configure a static route on R1 in the CUST-A vrf to reach the 10.5.5.0 on
R5. Inject this route into BGP such that it should be reachable from
CUST-A VRF on R4. Configure a default Route on R5 towards R1.
R1
ip route vrf CUST-A 10.5.5.0 255.255.255.0 192.1.15.5
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Redistribute static
R5
ip route 0.0.0.0 0.0.0.0 192.1.15.1
Task 4
Configure a static route on R4 in the CUST-A vrf to reach the 10.8.8.0 on
R8. Inject this route into BGP such that it should be reachable from
CUST-A VRF on R1. Configure a default Route on R8 towards R4.
R4
ip route vrf CUST-A 10.8.8.0 255.255.255.0 192.1.48.8
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Redistribute static
R8
ip route 0.0.0.0 0.0.0.0 192.1.48.4
Task 5
Configure a VRF CUST-B with a RD value of 1:200 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C2 sites on R1 and R4.
R1
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.16
Ip vrf forwarding CUST-B
Ip address 192.1.16.1 255.255.255.0
R4
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.47
Ip vrf forwarding CUST-B
Ip address 192.1.47.4 255.255.255.0

Task 6
Configure a static route on R1 in the CUST-B vrf to reach the 10.6.6.0 on
R6. Inject this route into BGP such that it should be reachable from
CUST-B VRF on R4. Configure a default Route on R6 towards R1.
R1
ip route vrf CUST-B 10.6.6.0 255.255.255.0 192.1.16.6
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Redistribute static
R6
ip route 0.0.0.0 0.0.0.0 192.1.16.1
Task 7
Configure a static route on R4 in the CUST-B vrf to reach the 10.7.7.0 on
R7. Inject this route into BGP such that it should be reachable from
CUST-B VRF on R1. Configure a default Route on R7 towards R4.
R4
ip route vrf CUST-B 10.7.7.0 255.255.255.0 192.1.47.7
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Redistribute static
R7
ip route 0.0.0.0 0.0.0.0 192.1.47.4
NOTE:
Reload the Routers without saving the configs. This will setup the
topology for the next lab.

Lab 4 Configuring MPLS VPN with RIPv2 as PE-CE Routing Protocol
(Builds on Lab 3)
Note:
Save the Configs on all the routers. Don't save the configs during the
labs. At the completion of this lab, reload the routers without saving.
This will allow you to do the next lab based on the same topology.
Task 1
Configure a VPNv4 neighbor relationship between R1 and R4. Set the
next-hop-self attribute on the IPv4 neighbor relationship.
R1
Router BGP 12353
Neighbor 4.4.4.4 next-hop-self
!
Address-family vpnv4
Neighbor 4.4.4.4 activate
Neighbor 4.4.4.4 send-community both
R4
Router BGP 12353
Neighbor 1.1.1.1 next-hop-self
!
Address-family vpnv4
Neighbor 1.1.1.1 activate
Neighbor 1.1.1.1 send-community both

Task 2
Configure a VRF CUST-A with a RD value of 1:100 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C1 sites on R1 and R4.
R1
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.15
Ip vrf forwarding CUST-A
Ip address 192.1.15.1 255.255.255.0
R4
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.48
Ip vrf forwarding CUST-A
Ip address 192.1.48.4 255.255.255.0

Task 3
Configure RIPv2 as the Routing Protocol between R5 and R1-vrf CUST-A.
Advertise all the routes on R5 in RIP. Advertise the VRF link in RIP on R1
under the appropriate address family. Make sure the VRF CUST-A on R4
has reachability to routes learned from R5.
R1
Router RIP
!
Address-family ipv4 vrf CUST-A
Version 2
No auto-summary
Network 192.1.15.0
Redistribute BGP 12353 metric 1
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Redistribute rip
R5
Router RIP
Version 2
No auto-summary
Network 192.1.15.0
Network 10.0.0.0
Task 4
Configure RIPv2 as the Routing Protocol between R4 and R8-vrf CUST-A.
Advertise all the routes on R8 in RIP. Advertise the VRF link in RIP on R4
under the appropriate address family. Make sure the VRF CUST-A on R1
has reachability to routes learned from R8.
R4
Router RIP
!
Address-family ipv4 vrf CUST-A
Version 2
No auto-summary
Network 192.1.48.0
Redistribute BGP 12353 metric 1
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Redistribute rip
R8
Router RIP
Version 2
No auto-summary
Network 192.1.48.0
Network 10.0.0.0
Task 5
Configure a VRF CUST-B with a RD value of 1:200 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C2 sites on R1 and R4.
R1
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.16
Ip vrf forwarding CUST-B
Ip address 192.1.16.1 255.255.255.0
R4
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.47
Ip vrf forwarding CUST-B
Ip address 192.1.47.4 255.255.255.0

Task 6
Configure RIPv2 as the Routing Protocol between R6 and R1-vrf CUST-B.
Advertise all the routes on R6 in RIP. Advertise the VRF link in RIP on R1
under the appropriate address family. Make sure the VRF CUST-B on R4
has reachability to routes learned from R6.
R1
Router RIP
!
Address-family ipv4 vrf CUST-B
Version 2
No auto-summary
Network 192.1.16.0
Redistribute BGP 12353 metric 1
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Redistribute rip
R6
Router RIP
Version 2
No auto-summary
Network 192.1.16.0
Network 10.0.0.0
Task 7
Configure RIPv2 as the Routing Protocol between R7 and R4-vrf CUST-B.
Advertise all the routes on R7 in RIP. Advertise the VRF link in RIP on R4
under the appropriate address family. Make sure the VRF CUST-B on R1
has reachability to routes learned from R7.
R4
Router RIP
!
Address-family ipv4 vrf CUST-B
Version 2
No auto-summary
Network 192.1.47.0
Redistribute BGP 12353 metric 1
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Redistribute rip
R7
Router RIP
Version 2
No auto-summary
Network 192.1.47.0
Network 10.0.0.0
NOTE:
Reload the Routers without saving the configs. This will setup the
topology for the next lab.

Lab 5 Configuring MPLS VPN with EIGRP as PE-CE Routing Protocol
(Builds on Lab 4)
Note:
Save the Configs on all the routers. Don't save the configs during the
labs. At the completion of this lab, reload the routers without saving.
This will allow you to do the next lab based on the same topology.
Task 1
Configure a VPNv4 neighbor relationship between R1 and R4. Set the
next-hop-self attribute on the IPv4 neighbor relationship.
R1
Router BGP 12353
Neighbor 4.4.4.4 next-hop-self
!
Address-family vpnv4
Neighbor 4.4.4.4 activate
Neighbor 4.4.4.4 send-community both
R4
Router BGP 12353
Neighbor 1.1.1.1 next-hop-self
!
Address-family vpnv4
Neighbor 1.1.1.1 activate
Neighbor 1.1.1.1 send-community both

Task 2
Configure a VRF CUST-A with a RD value of 1:100 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C1 sites on R1 and R4.
R1
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.15
Ip vrf forwarding CUST-A
Ip address 192.1.15.1 255.255.255.0
R4
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.48
Ip vrf forwarding CUST-A
Ip address 192.1.48.4 255.255.255.0

Task 3
Configure EIGRP 100 as the Routing Protocol between R5 and R1-vrf
CUST-A. Advertise all the routes on R5 in EIGRP. Advertise the VRF link
in RIP on R1 under the appropriate address family. Make sure the VRF
CUST-A on R4 has reachability to routes learned from R5.
R1
Router EIGRP 12353
!
Address-family ipv4 vrf CUST-A
Autonomous-system 100
No auto-summary
Network 192.1.15.0
Redistribute BGP 12353 metric 1 1 1 1 1
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Redistribute eigrp 100
R5
Router EIGRP 100
No auto-summary
Network 192.1.15.0
Network 10.0.0.0
Task 4
Configure EIGRP 100 as the Routing Protocol between R4 and R8-vrf
CUST-A. Advertise all the routes on R8 in EIGRP. Advertise the VRF link
in RIP on R4 under the appropriate address family. Make sure the VRF
CUST-A on R1 has reachability to routes learned from R8.
R4
Router EIGRP 12353
!
Address-family ipv4 vrf CUST-A
Autonomous-system 100
No auto-summary
Network 192.1.48.0
Redistribute BGP 12353 metric 1 1 1 1 1
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Redistribute eigrp 100
R8
Router EIGRP 100
No auto-summary
Network 192.1.48.0
Network 10.0.0.0
Task 5
Configure a VRF CUST-B with a RD value of 1:200 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C2 sites on R1 and R4.
R1
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.16
Ip vrf forwarding CUST-B
Ip address 192.1.16.1 255.255.255.0

R4
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.47
Ip vrf forwarding CUST-B
Ip address 192.1.47.4 255.255.255.0
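
CUST-A and CUST-B stay separated on the PE routers only because their route-target import and export sets (1:100 and 1:200) do not intersect. The Python sketch below is an added example, not part of the workbook: it parses `ip vrf` stanzas written as in this lab and flags for review any VRF that imports a route-target another VRF exports, any RD used twice, and any VRF bound to an interface without an RD. The function names and the extra `CUST-C` stanza are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the CUST-A and CUST-B stanzas from this lab as they
# would sit on R1, plus a hypothetical CUST-C that also imports 1:100.
SAMPLE_CONFIG = """\
ip vrf CUST-A
 rd 1:100
 route-target both 1:100
!
ip vrf CUST-B
 rd 1:200
 route-target both 1:200
!
ip vrf CUST-C
 rd 1:300
 route-target both 1:300
 route-target import 1:100
!
interface FastEthernet0/0.15
 ip vrf forwarding CUST-A
 ip address 192.1.15.1 255.255.255.0
!
interface FastEthernet0/0.16
 ip vrf forwarding CUST-B
 ip address 192.1.16.1 255.255.255.0
"""


def parse_vrfs(config):
    """Parse `ip vrf` stanzas and interface bindings from IOS-style text.

    Returns {name: {"rd", "import", "export", "interfaces"}}.
    """
    vrfs = defaultdict(
        lambda: {"rd": None, "import": set(), "export": set(), "interfaces": []}
    )
    vrf = iface = None  # stanza currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            vrf = iface = None
            continue
        m = re.match(r"ip vrf forwarding (\S+)$", line, re.I)
        if m:
            if iface:
                vrfs[m.group(1)]["interfaces"].append(iface)
            continue
        m = re.match(r"ip vrf (\S+)$", line, re.I)
        if m:
            vrf, iface = m.group(1), None
            vrfs[vrf]  # create the entry even if the stanza is empty
            continue
        m = re.match(r"interface\s+(.+)$", line, re.I)
        if m:
            vrf, iface = None, m.group(1)
            continue
        if vrf is None:
            continue
        m = re.match(r"rd (\S+)$", line, re.I)
        if m:
            vrfs[vrf]["rd"] = m.group(1)
            continue
        m = re.match(r"route-target (both|import|export) (\S+)$", line, re.I)
        if m:
            direction, rt = m.group(1).lower(), m.group(2)
            if direction in ("both", "import"):
                vrfs[vrf]["import"].add(rt)
            if direction in ("both", "export"):
                vrfs[vrf]["export"].add(rt)
    return dict(vrfs)


def audit_isolation(vrfs):
    """Return sorted findings as (kind, vrf, other_vrf, value) tuples."""
    findings = []
    by_rd = defaultdict(list)
    for name, v in vrfs.items():
        if v["rd"] is None:
            # Bound to an interface but never defined with an RD.
            findings.append(("no-rd", name, "", ""))
        else:
            by_rd[v["rd"]].append(name)
    for rd, names in by_rd.items():
        for a in names:
            for b in names:
                if a < b:
                    findings.append(("duplicate-rd", a, b, rd))
    for importer, v in vrfs.items():
        for exporter, w in vrfs.items():
            if importer == exporter:
                continue
            for rt in v["import"] & w["export"]:
                # The importer's routing table receives the exporter's prefixes.
                findings.append(("route-leak", importer, exporter, rt))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_isolation(parse_vrfs(SAMPLE_CONFIG)):
        print(finding)
```

A shared route-target is sometimes intentional (an extranet), so a `route-leak` finding is a prompt to confirm the design, not proof of a fault.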

Task 6
Configure EIGRP 200 as the Routing Protocol between R6 and R1-vrf
CUST-B. Advertise all the routes on R6 in EIGRP 200. Advertise the VRF
link in RIP on R1 under the appropriate address family. Make sure the
VRF CUST-B on R4 has reachability to routes learned from R6.
R1
Router EIGRP 12353
!
Address-family ipv4 vrf CUST-B
Autonomous-system 200
No auto-summary
Network 192.1.16.0
Redistribute BGP 12353 metric 1 1 1 1 1
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Redistribute eigrp 200
R6
Router EIGRP 200
No auto-summary
Network 192.1.16.0
Network 10.0.0.0
Task 7
Configure RIPv2 as the Routing Protocol between R7 and R4-vrf CUST-B.
Advertise all the routes on R7 in RIP. Advertise the VRF link in RIP on R4
under the appropriate address family. Make sure the VRF CUST-B on R1
has reachability to routes learned from R7.
R4
Router EIGRP 12353
!
Address-family ipv4 vrf CUST-B
Autonomous-system 200
No auto-summary
Network 192.1.47.0
Redistribute BGP 12353 metric 1 1 1 1 1
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Redistribute eigrp 200
R7
Router EIGRP 200
No auto-summary
Network 192.1.47.0
Network 10.0.0.0
NOTE:
Reload the Routers without saving the configs. This will set up the
topology for the next lab.

Lab 6 Configuring MPLS VPN with BGP as PE-CE Routing Protocol
(Builds on Lab 5)
Note:
Save the Configs on all the routers. Don't save the configs during the
labs. At the completion of this lab, reload the routers without saving.
This will allow you to do the next lab based on the same topology.
Task 1
Configure a VPNv4 neighbor relationship between R1 and R4. Set the
next-hop-self attribute on the IPv4 neighbor relationship.
R1
Router BGP 12353
Neighbor 4.4.4.4 next-hop-self
!
Address-family vpnv4
Neighbor 4.4.4.4 activate
Neighbor 4.4.4.4 send-community both

R4
Router BGP 12353
Neighbor 1.1.1.1 next-hop-self
!
Address-family vpnv4
Neighbor 1.1.1.1 activate
Neighbor 1.1.1.1 send-community both

Task 2
Configure a VRF CUST-A with a RD value of 1:100 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C1 sites on R1 and R4.
R1
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.15
Ip vrf forwarding CUST-A
Ip address 192.1.15.1 255.255.255.0

R4
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.48
Ip vrf forwarding CUST-A
Ip address 192.1.48.4 255.255.255.0

Task 3
Cust-A is running BGP in AS 100. Advertise all the routes on R5 in BGP.
Configure R1-R5 neighbor relationship in the appropriate address family.
Make sure the VRF CUST-A on R4 has reachability to routes learned
from R5.
R1
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Neighbor 192.1.15.5 remote-as 100
Neighbor 192.1.15.5 activate
Neighbor 192.1.15.5 as-override
Redistribute connected
R5
Router BGP 100
Neighbor 192.1.15.1 remote-as 12353
Network 10.5.5.0 mask 255.255.255.0
Task 4
Cust-A is running BGP in AS 100. Advertise all the routes on R8 in BGP.
Configure R4-R8 neighbor relationship in the appropriate address family.
Make sure the VRF CUST-A on R1 has reachability to routes learned
from R8.
R4
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Neighbor 192.1.48.8 remote-as 100
Neighbor 192.1.48.8 activate
Neighbor 192.1.48.8 as-override
Redistribute connected
R8
Router BGP 100
Neighbor 192.1.48.4 remote-as 12353
Network 10.8.8.0 mask 255.255.255.0
Task 5
Configure a VRF CUST-B with a RD value of 1:200 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C2 sites on R1 and R4.
R1
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.16
Ip vrf forwarding CUST-B
Ip address 192.1.16.1 255.255.255.0

R4
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.47
Ip vrf forwarding CUST-B
Ip address 192.1.47.4 255.255.255.0

Task 6
Cust-B is running BGP in AS 200. Advertise all the routes on R6 in BGP.
Configure R1-R6 neighbor relationship in the appropriate address family.
Make sure the VRF CUST-A on R4 has reachability to routes learned
from R6.
R1
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Neighbor 192.1.16.6 remote-as 200
Neighbor 192.1.16.6 activate
Neighbor 192.1.16.6 as-override
Redistribute connected
R6
Router BGP 200
Neighbor 192.1.16.1 remote-as 12353
Network 10.6.6.0 mask 255.255.255.0
Task 7
Cust-B is running BGP in AS 200. Advertise all the routes on R7 in BGP.
Configure R4-R7 neighbor relationship in the appropriate address family.
Make sure the VRF CUST-A on R4 has reachability to routes learned
from R7.

R4
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Neighbor 192.1.47.7 remote-as 200
Neighbor 192.1.47.7 activate
Neighbor 192.1.47.7 as-override
Redistribute connected
R7
Router BGP 200
Neighbor 192.1.47.4 remote-as 12353
Network 10.7.7.0 mask 255.255.255.0
NOTE:
Reload the Routers without saving the configs. This will set up the
topology for the next lab.

Lab 7 Configuring MPLS VPN with OSPF as PE-CE Routing Protocol
(Builds on Lab 6)
Task 1
Configure a VPNv4 neighbor relationship between R1 and R4. Set the
next-hop-self attribute on the IPv4 neighbor relationship.
R1
Router BGP 12353
Neighbor 4.4.4.4 next-hop-self
!
Address-family vpnv4
Neighbor 4.4.4.4 activate
Neighbor 4.4.4.4 send-community both

R4
Router BGP 12353
Neighbor 1.1.1.1 next-hop-self
!
Address-family vpnv4
Neighbor 1.1.1.1 activate
Neighbor 1.1.1.1 send-community both

Task 2
Configure a VRF CUST-A with a RD value of 1:100 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C1 sites on R1 and R4.
R1
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.15
Ip vrf forwarding CUST-A
Ip address 192.1.15.1 255.255.255.0

R4
ip vrf CUST-A
rd 1:100
route-target both 1:100
!
Interface F 0/0.48
Ip vrf forwarding CUST-A
Ip address 192.1.48.4 255.255.255.0

Task 3
Configure OSPF using process ID of 2 as the Routing Protocol between
R5 and R1-vrf CUST-A. Advertise all the routes on R5 in OSPF. Advertise
the VRF link in OSPF on R1 under the appropriate address family. Make
sure the VRF CUST-A on R4 has reachability to routes learned from R5.
R1
Router ospf 2 vrf CUST-A
redistribute bgp 12353 subnets
network 192.1.15.0 0.0.0.255 area 0
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Redistribute ospf 2
R5
Router ospf 2
Network 192.1.15.0 0.0.0.255 area 0
Network 10.0.0.0 0.255.255.255 area 0
Task 4
Configure OSPF using process ID of 2 as the Routing Protocol between
R8 and R4-vrf CUST-A. Advertise all the routes on R8 in OSPF. Advertise
the VRF link in OSPF on R4 under the appropriate address family. Make
sure the VRF CUST-A on R1 has reachability to routes learned from R8.
R4
Router ospf 2 vrf CUST-A
Network 192.1.48.0 0.0.0.255 area 0
Redistribute BGP 12353 subnets
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-A
Redistribute ospf 2
R8
Router ospf 2
Network 192.1.48.0 0.0.0.255 area 0
Network 10.0.0.0 0.255.255.255 area 0
Task 5
Configure a VRF CUST-B with a RD value of 1:200 on R1 and R4. Use
the same extended community for your Route-target import and export.
Assign this VRF to the links that connect to C2 sites on R1 and R4.
R1
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.16
Ip vrf forwarding CUST-B
Ip address 192.1.16.1 255.255.255.0

R4
ip vrf CUST-B
rd 1:200
route-target both 1:200
!
Interface F 0/0.47
Ip vrf forwarding CUST-B
Ip address 192.1.47.4 255.255.255.0

Task 6
Configure OSPF using process ID of 3 as the Routing Protocol between
R6 and R1-vrf CUST-B. Advertise all the routes on R6 in OSPF. Advertise
the VRF link in OSPF on R1 under the appropriate address family. Make
sure the VRF CUST-B on R4 has reachability to routes learned from R6.
R1
Router ospf 3 vrf CUST-B
Network 192.1.16.0 0.0.0.255 area 0
Redistribute BGP 12353 subnets
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Redistribute ospf 3
R6
Router ospf 3
Network 192.1.16.0 0.0.0.255 area 0
Network 10.0.0.0 0.255.255.255 area 0
Task 7
Configure OSPF using process ID of 3 as the Routing Protocol between
R7 and R4-vrf CUST-B. Advertise all the routes on R7 in OSPF. Advertise
the VRF link in OSPF on R4 under the appropriate address family. Make
sure the VRF CUST-B on R1 has reachability to routes learned from R7.
R4
Router ospf 3 vrf CUST-B
Network 192.1.47.0 0.0.0.255 area 0
Redistribute BGP 12353 subnets
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Redistribute ospf 3
R7
Router ospf 3
Network 192.1.47.0 0.0.0.255 area 0
Network 10.0.0.0 0.255.255.255 area 0

Lab 8 Configuring OSPF Sham Link


(Builds on Lab 7)
Task 1
Configure a Link between R6 and R7 as 192.1.67.0/24. Advertise this
link in OSPF. Use F 0/0.67 as the sub-interface ID in VLAN 67.
R6
Interface F 0/0.67
Encapsulation dot1q 67
Ip address 192.1.67.6 255.255.255.0
!
Router OSPF 3
Network 192.1.67.0 0.0.0.255 area 0

R7
Interface F 0/0.67
Encapsulation dot1q 67
Ip address 192.1.67.7 255.255.255.0
!
Router OSPF 3
Network 192.1.67.0 0.0.0.255 area 0

Task 2
Configure a new loopback each on R1 and R4. This newly created
loopback should be part of vrf CUST-B. Advertise this loopback under
BGP for the CUST-B vrf. The Loopback information is as follows:

R1 Loopback 67 10.67.67.1/32
R4 Loopback 67 10.67.67.4/32

R1
Interface Loopback 67
Ip vrf forwarding CUST-B
Ip address 10.67.67.1 255.255.255.255
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Network 10.67.67.1 mask 255.255.255.255
R4
Interface Loopback 67
Ip vrf forwarding CUST-B
Ip address 10.67.67.4 255.255.255.255
!
Router BGP 12353
!
Address-family ipv4 vrf CUST-B
Network 10.67.67.4 mask 255.255.255.255


Task 3
Traffic between C2-Site1 and C2-Site2 should be using the new link
(Back door). You would like the traffic to go thru the MPLS link instead.
Configure a Sham-Link between R1 and R4 based on the new Loopbacks
created in the previous step.
R1
Router ospf 3 vrf CUST-B
area 0 sham-link 10.67.67.1 10.67.67.4

R4
Router ospf 3 vrf CUST-B
area 0 sham-link 10.67.67.4 10.67.67.1

R6
Interface F 0/0.67
Ip ospf cost 200

R7
Interface F 0/0.67
Ip ospf cost 200

Module 12 Quality of Service (QoS)

Lab 1 Frame Relay QoS

Topology: R1 (F 0/0) connects to R2 (F 0/0) on 192.1.12.0/24; R2 (S 0/0) connects to R3 (S 0/0) over Frame Relay on 192.1.23.0/24; R3 (F 0/0) connects to R4 (F 0/0) on 192.1.34.0/24. Each router has a Loopback 0 interface.

R1
Interface     IP Address    Subnet Mask
Loopback 0    1.1.1.1       255.0.0.0
F 0/0         192.1.12.1    255.255.255.0

R2
Interface     IP Address    Subnet Mask
F 0/0         192.1.12.2    255.255.255.0
S 0/0         192.1.23.2    255.255.255.0
Loopback 0    2.2.2.2       255.0.0.0

R3
Interface     IP Address    Subnet Mask
S 0/0         192.1.23.3    255.255.255.0
F 0/0         192.1.34.3    255.255.255.0
Loopback 0    3.3.3.3       255.0.0.0

R4
Interface     IP Address    Subnet Mask
Loopback 0    4.4.4.4       255.0.0.0
F 0/0         192.1.34.4    255.255.255.0

Task 1
Run OSPF as the Routing protocol on all routers
R1
router ospf 1
network 0.0.0.0 255.255.255.255 area 0

R2
router ospf 1
network 0.0.0.0 255.255.255.255 area 0

R3
router ospf 1
network 0.0.0.0 255.255.255.255 area 0

R4
router ospf 1
network 0.0.0.0 255.255.255.255 area 0

Task 2
Make sure that OSPF packets between R2 and R3 are not Discard
Eligible.
R2
Access-list 101 deny ospf any any
Access-list 101 permit ip any any
!
Frame-relay de-list 1 protocol ip list 101
!
Interface S 0/0
Frame-relay de-group 1 203

R3
Access-list 101 deny ospf any any
Access-list 101 permit ip any any
!
Frame-relay de-list 1 protocol ip list 101
!
Interface S 0/0
Frame-relay de-group 1 302

Task 3
Configure the R2 Frame Relay interface for rate limiting by configuring
the parameters CIR, Bc, Be and MINCIR, considering the following:
Your interface speed is 768000 bps. The router should send at a rate of
384000 bps. During congestion, your provider will mark any traffic in
excess of 48kbps as discard eligible, make sure your throughput changes
accordingly based upon BECNs received only and throttle down to
192000 bps upon the receipt of BECNs. Allow the Router to double the
speed if it has tokens available. Your token bucket interval is 125 ms.
Use a "map-class" to apply this feature to all PVCs.
R2
Map-class frame-relay FRTS
Frame-relay cir 384000
Frame-relay bc 48000
Frame-relay be 96000
Frame-relay mincir 192000
Frame-relay adaptive-shaping becn
!
Interface S 0/0
Frame-relay traffic-shaping
Frame-relay class FRTS

Lab 2 MQC Policing


(Builds on Lab1)
Task 1
Configure R1 for Rate Limiting (Policing) for traffic originating from the
1.0.0.0 network going towards the Ethernet segment using the following
parameters:
HTTP traffic should be limited to 750 kbps
FTP traffic should be limited to 400 kbps
R1
Access-list 101 permit tcp 1.0.0.0 0.255.255.255 any eq 80
!
Access-list 102 permit tcp 1.0.0.0 0.255.255.255 any eq 21
Access-list 102 permit tcp 1.0.0.0 0.255.255.255 any eq 20
!
Class-map match-all HTTP
Match access-group 101
Class-map match-all FTP
Match access-group 102
!
Policy-map CB-CAR
Class HTTP
Police 750000
Class FTP
Police 400000
!
Interface F 0/0
Service-policy output CB-CAR

Lab 3 MQC Congestion Management


(Builds on Lab 2)
Task 1
Configure R4 Ethernet interface for CB-WFQ using the following:
HTTP and HTTPS traffic = Reserve 30% of the Bandwidth
Telnet Traffic = Reserve 10% of the Bandwidth
R4
Access-list 104 permit tcp any any eq 80
Access-list 104 permit tcp any any eq 443
!
Access-list 105 permit tcp any any eq 23
!
class-map Telnet
match access-group 105
!
class-map WEB
match access-group 104
!
policy-map QoS
class Telnet
bandwidth percent 10
class WEB
bandwidth percent 30
!
Interface F 0/0
Service-policy output QoS
Task 2
Configure R4 Ethernet interface for LLQ using the following:

SSH Traffic = 15% of the bandwidth. SSH traffic should use LLQ.

R4
Access-list 106 permit tcp any any eq 22
!
class-map SSH
match access-group 106
!
policy-map QoS
class SSH
priority percent 15

Lab 4 MQC Using NBAR to Classify


(Builds on Lab 3)
Task 1
Configure R1 Ethernet interface for QoS using the following criteria:
Configure Policing such that HTTP downloading is policed at 100
kbps for *.gif or *.jpg files.
R1
class-map match-any FILES
match protocol http url *.gif*
match protocol http url *.jpg*
!
policy-map FT-PMAP
class FILES
police 100000
!
Interface F 0/0
Service-policy input FT-PMAP

Lab 5 MQC Shaping


(Builds on Lab 4)
Task 1
R2-R3 has a CIR of 512 and Peak CIR of 1544. Configure R3 such that
all HTTP and HTTPS traffic going towards 1.0.0.0 network should have a
minimum reserved bandwidth of 256 kbps and should be shaped to the
average rate. FTP traffic towards the 1.0.0.0 network should have a
minimum of 56Kbps reserved and should be shaped to CIR.
R3
Access-list 110 permit tcp any 1.0.0.0 0.255.255.255 eq 80
Access-list 110 permit tcp any 1.0.0.0 0.255.255.255 eq 443
!
Access-list 111 permit tcp any 1.0.0.0 0.255.255.255 eq 20
Access-list 111 permit tcp any 1.0.0.0 0.255.255.255 eq 21
!
Class-map match-all WEB
Match access-group 110
!
Class-map match-all FTP
Match access-group 111
!
Policy-map SHAPE
Class WEB
Bandwidth 256
Shape average 512000
Class FTP
Bandwidth 56
Shape average 512000
!
Interface S 0/0
Service-policy output SHAPE

Lab 6 MQC Nesting Classes


(Builds on Lab 5)
Task 1
Classify traffic that has a precedence of 3 or is destined to any TFTP
server on R2.
R2
Access-list 169 permit udp any any eq tftp
!
Class-map match-any PREC-3-TFTP
Match access-group 169
Match ip precedence 3
Task 2
Any traffic from the previously classified traffic destined to a Server
192.1.34.100 should be policed to a rate of 128 kbps. This policy should
be applied on the inbound direction of R2 F 0/0 interface.
R2
Access-list 170 permit ip any host 192.1.34.100
!
Class-map Nested-Class
Match access-group 170
Match class-map PREC-3-TFTP
!
Policy-map Nested-Policy
Class Nested-Class
Police 128000
!
Interface F 0/0
Service-policy input Nested-Policy
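
How the two class-maps in this lab combine, as an added example that is not part of the workbook: `PREC-3-TFTP` is match-any, so either condition is enough, while `Nested-Class` carries no keyword and so uses the IOS default of match-all, meaning a packet must hit ACL 170 and the nested class. The packet dictionaries and the predicate models of ACLs 169 and 170 are constructed for illustration.

```python
import re

# Class-maps from Lab 6, Tasks 1 and 2 (keywords as IOS expects them).
CLASS_MAPS = """\
Class-map match-any PREC-3-TFTP
Match access-group 169
Match ip precedence 3
!
Class-map Nested-Class
Match access-group 170
Match class-map PREC-3-TFTP
"""

# The lab's two ACLs modelled as predicates over a packet dict. Only the
# fields those ACLs test are modelled; this packet model is an assumption.
ACLS = {
    "169": lambda p: p["proto"] == "udp" and p["dport"] == 69,  # udp any any eq tftp
    "170": lambda p: p["dst"] == "192.1.34.100",                # ip any host 192.1.34.100
}

# Constructed packets covering each combination of the two conditions.
PACKETS = {
    "tftp_to_server": {"proto": "udp", "dport": 69, "dst": "192.1.34.100", "precedence": 0},
    "prec3_http_to_server": {"proto": "tcp", "dport": 80, "dst": "192.1.34.100", "precedence": 3},
    "tftp_to_other_host": {"proto": "udp", "dport": 69, "dst": "192.1.34.4", "precedence": 0},
    "prec0_http_to_server": {"proto": "tcp", "dport": 80, "dst": "192.1.34.100", "precedence": 0},
}


def parse_class_maps(text):
    """Return {name: (mode, [(kind, value), ...])}. No keyword means match-all."""
    maps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"class-map(?:\s+(match-any|match-all))?\s+(\S+)$", line, re.I)
        if m:
            current = m.group(2)
            maps[current] = ((m.group(1) or "match-all").lower(), [])
            continue
        m = re.match(r"match\s+(access-group|ip precedence|class-map)\s+(\S+)$", line, re.I)
        if m and current:
            maps[current][1].append((m.group(1).lower(), m.group(2)))
    return maps


def class_matches(name, packet, maps, _stack=()):
    """Evaluate one class-map against a packet, following nested class-maps."""
    if name in _stack:
        raise ValueError("class-map references itself: " + name)
    mode, conditions = maps[name]
    results = []
    for kind, value in conditions:
        if kind == "access-group":
            results.append(ACLS[value](packet))
        elif kind == "ip precedence":
            results.append(packet["precedence"] == int(value))
        else:  # nested class-map
            results.append(class_matches(value, packet, maps, _stack + (name,)))
    if not results:
        return False  # a class with no match lines is treated here as matching nothing
    return any(results) if mode == "match-any" else all(results)


def classify(packet, maps):
    """Return the action Nested-Policy applies to the packet."""
    if class_matches("Nested-Class", packet, maps):
        return "police 128000"
    return "class-default"


if __name__ == "__main__":
    parsed = parse_class_maps(CLASS_MAPS)
    for label, pkt in PACKETS.items():
        print(label, "->", classify(pkt, parsed))
```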

Module 13 Multicasting

Lab 1 Configuring Multicasting Routing using PIM Dense Mode

Topology: R1 (S 0/0) connects to R2 (S 0/0) over Frame Relay on 192.1.12.0/24. Each router also has an F 0/0 interface.

R1
Interface     IP Address    Subnet Mask
F 0/0         10.1.1.1      255.255.255.0
S 0/0         192.1.12.1    255.255.255.0
Loopback0     1.1.1.1       255.0.0.0

R2
Interface     IP Address    Subnet Mask
S 0/0         192.1.12.2    255.255.255.0
F 0/0         10.2.2.2      255.255.255.0
Loopback0     2.2.2.2       255.0.0.0

Task 1
Configure PIM dense mode on the routers.
R1
Ip multicast-routing
!
Int F 0/0
Ip pim dense-mode
!
Int S 0/0
Ip pim dense-mode

R2
Ip multicast-routing
!
Int F 0/0
Ip pim dense-mode
!
Int S 0/0
Ip pim dense-mode

Task 2
Configure R1 to join the multicast group 224.11.11.11 and R2 to join the
multicast group 224.22.22.22 on the Ethernet interfaces.
R1
Int F 0/0
Ip igmp join-group 224.11.11.11

R2
Int F 0/0
Ip igmp join-group 224.22.22.22

Lab 2 Configuring Multicasting Routing using PIM Sparse Mode using Static RP

Topology: R1 (S 0/0) connects to R2 (S 0/0) over Frame Relay on 192.1.12.0/24. Each router also has an F 0/0 interface.

R1
Interface     IP Address    Subnet Mask
F 0/0         10.1.1.1      255.255.255.0
S 0/0         192.1.12.1    255.255.255.0
Loopback0     1.1.1.1       255.0.0.0

R2
Interface     IP Address    Subnet Mask
S 0/0         192.1.12.2    255.255.255.0
F 0/0         10.2.2.2      255.255.255.0
Loopback0     2.2.2.2       255.0.0.0

Task 1
Configure RIPv2 on both routers and advertise your directly connected
interfaces.
R1
Router RIP
Version 2
No auto-summary
Network 192.1.12.0
Network 1.0.0.0
Network 10.0.0.0

R2
Router RIP
Version 2
No auto-summary
Network 192.1.12.0
Network 2.0.0.0
Network 10.0.0.0

Task 2
Configure R1 to be the RP for all groups. Use the most reliable interface.
R1
Interface loopback0
Ip pim sparse-mode
!
Ip multicast-routing
Ip pim rp-address 1.1.1.1
!
Int F 0/0
Ip pim sparse-mode
!
Int S 0/0
Ip pim sparse-mode

R2
Ip multicast-routing
Ip pim rp-address 1.1.1.1
!
Int F 0/0
Ip pim sparse-mode
!
Int S 0/0
Ip pim sparse-mode
Task 3
Have R2 F 0/0 to join the multicast group 224.12.3.53
R2
Int F 0/0
Ip igmp join-group 224.12.3.53

Lab 3 Configuring Multicasting Routing using PIM Sparse Mode Multiple RPs

Topology: R1 (F 0/0) connects to R2 (F 0/0) on 192.1.12.0/24; R2 (S 0/0) connects to R3 (S 0/0) over Frame Relay on 192.1.23.0/24; R3 (F 0/0) connects to R4 (F 0/0) on 192.1.34.0/24. Each router has a Loopback 0 interface.

R1
Interface     IP Address    Subnet Mask
Loopback 0    1.1.1.1       255.0.0.0
F 0/0         192.1.12.1    255.255.255.0

R2
Interface     IP Address    Subnet Mask
F 0/0         192.1.12.2    255.255.255.0
S 0/0         192.1.23.2    255.255.255.0
Loopback 0    2.2.2.2       255.0.0.0

R3
Interface     IP Address    Subnet Mask
S 0/0         192.1.23.3    255.255.255.0
F 0/0         192.1.34.3    255.255.255.0
Loopback 0    3.3.3.3       255.0.0.0

R4
Interface     IP Address    Subnet Mask
Loopback 0    4.4.4.4       255.0.0.0
F 0/0         192.1.34.4    255.255.255.0

Task 1
Configure RIP V2 on all routers and advertise all the directly connected
networks.
R1
Router RIP
Version 2
No auto-summary
Network 1.0.0.0
Network 192.1.12.0

R2
Router RIP
Version 2
No auto-summary
Network 2.0.0.0
Network 192.1.12.0
Network 192.1.23.0

R3
Router RIP
Version 2
No auto-summary
Network 192.1.23.0
Network 192.1.34.0
Network 3.0.0.0

R4
Router RIP
Version 2
No auto-summary
Network 192.1.34.0
Network 4.0.0.0

Task 2
Configure R1 to be the RP for Multicast groups 224.1.1.1 - 2, and R4 to
be the RP for the groups 224.4.4.1 - 2. These two RPs should use their
Loopback 0 interface for this purpose.
R1
Ip multicast-routing
!
Ip pim rp-address 1.1.1.1 10
Ip pim rp-address 4.4.4.4 20
!
Access-list 10 permit 224.1.1.1
Access-list 10 permit 224.1.1.2
!
Access-list 20 permit 224.4.4.1
Access-list 20 permit 224.4.4.2

R2
Ip multicast-routing
!
Ip pim rp-address 1.1.1.1 10
Ip pim rp-address 4.4.4.4 20
!
Access-list 10 permit 224.1.1.1
Access-list 10 permit 224.1.1.2
!
Access-list 20 permit 224.4.4.1
Access-list 20 permit 224.4.4.2

R3
Ip multicast-routing
!
Ip pim rp-address 1.1.1.1 10
Ip pim rp-address 4.4.4.4 20
!
Access-list 10 permit 224.1.1.1
Access-list 10 permit 224.1.1.2
!
Access-list 20 permit 224.4.4.1
Access-list 20 permit 224.4.4.2

R4
Ip multicast-routing
!
Ip pim rp-address 1.1.1.1 10
Ip pim rp-address 4.4.4.4 20
!
Access-list 10 permit 224.1.1.1
Access-list 10 permit 224.1.1.2
!
Access-list 20 permit 224.4.4.1
Access-list 20 permit 224.4.4.2

Task 3
Configure R1 Loopback 0 and R4 Loopback 0 to join the following
Multicast groups:
R1 224.1.1.1, 224.1.1.2, 224.1.1.3
R4 224.4.4.1, 224.4.4.2, 224.4.4.3
R1
Interface Loopback0
Ip igmp join-group 224.1.1.1
Ip igmp join-group 224.1.1.2
Ip igmp join-group 224.1.1.3

R4
Interface Loopback0
Ip igmp join-group 224.4.4.1
Ip igmp join-group 224.4.4.2
Ip igmp join-group 224.4.4.3

Task 4
Configure PIM on the physical and loopback interfaces in such a way
that all routers have access to all the multicast groups, including the
ones that are not configured for RPs.
R1
Interface F 0/0
Ip pim sparse-dense-mode
!
Interface Loopback0
Ip pim sparse-dense-mode

R2
Interface F 0/0
Ip pim sparse-dense-mode
!
Interface S 0/0
Ip pim sparse-dense-mode

R3
Interface F 0/0
Ip pim sparse-dense-mode
!
Interface S 0/0
Ip pim sparse-dense-mode

R4
Interface F 0/0
Ip pim sparse-dense-mode
!
Interface Loopback0
Ip pim sparse-dense-mode

Lab 4 Configuring Multicasting Routing using PIM Sparse Mode Auto RP

Topology: R1 (F 0/0) connects to R2 (F 0/0) on 192.1.12.0/24; R2 (S 0/0) connects to R3 (S 0/0) over Frame Relay on 192.1.23.0/24; R3 (F 0/0) connects to R4 (F 0/0) on 192.1.34.0/24. Each router has a Loopback 0 interface.

R1
Interface     IP Address    Subnet Mask
Loopback 0    1.1.1.1       255.0.0.0
F 0/0         192.1.12.1    255.255.255.0

R2
Interface     IP Address    Subnet Mask
F 0/0         192.1.12.2    255.255.255.0
S 0/0         192.1.23.2    255.255.255.0
Loopback 0    2.2.2.2       255.0.0.0

R3
Interface     IP Address    Subnet Mask
S 0/0         192.1.23.3    255.255.255.0
F 0/0         192.1.34.3    255.255.255.0
Loopback 0    3.3.3.3       255.0.0.0

R4
Interface     IP Address    Subnet Mask
Loopback 0    4.4.4.4       255.0.0.0
F 0/0         192.1.34.4    255.255.255.0

Task 1
Configure RIP V2 on all routers and advertise all the directly connected
networks.
R1
Router RIP
Version 2
No auto-summary
Network 1.0.0.0
Network 192.1.12.0

R2
Router RIP
Version 2
No auto-summary
Network 2.0.0.0
Network 192.1.12.0
Network 192.1.23.0

R3
Router RIP
Version 2
No auto-summary
Network 192.1.23.0
Network 192.1.34.0
Network 3.0.0.0

R4
Router RIP
Version 2
No auto-summary
Network 192.1.34.0
Network 4.0.0.0

Task 2
Configure IP Multicast Sparse Mode on R1 (Loopback0, F 0/0), R2 (F
0/0, S 0/0) and R3 (S 0/0, Loopback0). Configure R2 Loopback0 to be
the RP for multicast groups 224.3.3.1 and 224.3.3.2 only. Ensure that it
sends its RP-announcements every 10 seconds with a TTL of 5. Do not
configure any Static RP on any router. R1 should join the multicast
groups 224.3.3.1 and 224.3.3.2 on the F 0/0 interface. All multicast
routers should be able to ping all R3 multicast routes.
R2
Interface loopback 0
Ip pim sparse-mode
!
Ip multicast-routing
Ip pim autorp listener
!
access-list 1 permit 224.3.3.1
access-list 1 permit 224.3.3.2
!
Ip pim send-rp-announce loopback0 scope 5 group-list 1 interval 10
Ip pim send-rp-discovery scope 5
!
Interface S0/0
Ip pim sparse-mode
!
Interface F 0/0
Ip pim sparse-mode

R1
Ip multicast-routing
Ip pim autorp listener
!
Interface loopback 0
Ip pim sparse-mode
!
Interface F 0/0
Ip pim sparse-mode
Ip igmp join-group 224.3.3.1
Ip igmp join-group 224.3.3.2

R3
Ip multicast-routing
Ip pim autorp listener
!
Interface S0/0
Ip pim sparse-mode
!
Interface Loopback0
Ip pim sparse-mode

Lab 5 Controlling Multicast Traffic on Routers and Switches
(Builds on Lab 4)
Task 1
On R1, limit the bandwidth of the multicast traffic sent to group
224.3.3.1 on F 0/0 to 40 Mbps and traffic sent to group 224.3.3.2 to 10
Mbps
R1
Access-list 5 permit 224.3.3.1
Access-list 6 permit 224.3.3.2
!
interface F 0/0
ip multicast rate-limit out group-list 5 40000
ip multicast rate-limit out group-list 6 10000
Task 2
Only allow the 224.3.3.1 and 224.3.3.2 group to do a IGMP join on the F
0/0 interface of R1.
R1
access-list 20 permit 224.3.3.1
access-list 20 permit 224.3.3.2
!
Interface F 0/0
ip igmp access-group 20
Task 3
Block all Multicast traffic coming into interface F 0/18
SW1
interface F 0/18
switchport block multicast

Super Lab

Super Lab I
Layer 3 Diagram

[Diagram not reproduced. Segments shown: 192.1.100.0/24 VLAN 100 (BB1, R5); 192.1.56.0/24 VLAN 56 (R5, R6); 192.1.46.0/24 VLAN 46 (R6, R4); 192.1.24.0/24 Frame Relay (R4, R2); 192.1.134.0/24 Frame Relay (R1, R3, R4); 192.1.10.0/24 VLAN 10 (R1, SW1); 192.1.20.0/24 VLAN 20 (R2, SW2); 192.1.30.0/24 VLAN 30 (R3, SW3); 192.1.40.0/24 VLAN 40 (R3, SW4); 192.1.200.0/24 VLAN 200 (SW4, BB2).]

IP Addressing
Device    Port          IP Address
R1        F 0/0         192.1.10.1/24
R1        S 0/0         192.1.134.1/24
R1        Loopback 0    1.1.1.1/8
R2        F 0/0         192.1.20.2/24
R2        S 0/0         192.1.24.2/24
R2        Loopback 0    2.2.2.2/8
R3        S 0/0         192.1.134.3/24
R3        F 0/0.30      192.1.30.3/24
R3        F 0/0.40      192.1.40.3/24
R3        Loopback 0    3.3.3.3/8
R4        F 0/0         192.1.46.4/24
R4        S 0/0.134     192.1.134.4/24
R4        S 0/0.24      192.1.24.4/24
R4        Loopback 0    4.4.4.4/8
R5        F 0/0.56      192.1.56.5/24
R5        F 0/0.100     192.1.100.5/24
R5        Loopback 0    5.5.5.5/8
R6        F 0/0.46      192.1.46.6/24
R6        F 0/0.56      192.1.56.6/24
R6        Loopback 0    6.6.6.6/8
SW1       VLAN 10       192.1.10.21/24
SW2       VLAN 20       192.1.20.22/24
SW3       VLAN 30       192.1.30.23/24
SW4       VLAN 40       192.1.40.24/24
SW4       VLAN 200      192.1.200.24/24

RIP V2 Configuration
[Diagram not reproduced. Devices shown: BB1, R5.]

OSPF Configuration
[Diagram not reproduced. Labels shown: Area 0, Area 10, Area 100; devices R1, R2, R3, R4, R5, R6, SW4.]

EIGRP Configuration
[Diagram not reproduced. Labels shown: AS 200, AS 300; devices SW3, SW4, BB2, R3.]

BGP Configuration
[Diagram not reproduced. Labels shown: AS 100, AS 150, AS 200; devices R1, R2, R3, R4, SW4, BB2.]

MPLS VPN Diagram
[Diagram not reproduced. Labels shown: AS 100, Cust A Site 1, Cust A Site 2; devices R1, R2, R3, R4, SW1, SW2.]

Section 1 Layer 2 (20 points)

1.1 Trunking (3 Points)
• Configure all the ports that connect switches together as Trunk ports.
• Set the encapsulation as Dot1q.
• Configure Switch 1 as the VTP Server in a VTP Domain of CCIE.
• Secure VTP with a password of CCIERS.
• Configure the rest of the Switch(es) as VTP Client(s) in the CCIE VTP Domain.
• Only allow the VLANs on the Topology to cross the trunks.

1.2 VLAN Creation and Assignment (2 Points)
• Create the following VLANs with the appropriate names:
  o VLAN 10 Name : VLAN_10
  o VLAN 20 Name : VLAN_20
  o VLAN 30 Name : VLAN_30
  o VLAN 40 Name : VLAN_40
  o VLAN 46 Name : VLAN_46
  o VLAN 56 Name : VLAN_56
  o VLAN 100 Name : VLAN_100
  o VLAN 200 Name : VLAN_200
• Assign the appropriate ports to the appropriate VLANs based on the Diagram.

1.3 Flood Reduction (2 Points)
• Configure the switches such that they avoid unnecessary forwarding of broadcast/flooded traffic.

1.4 SPAN (3 Points)
• There is a Traffic Analyzer connected to port 10 on Switch 3.
• Send a copy of all traffic received on VLANs 30 and 40 to the Traffic Analyzer.

1.5 Spanning Tree Optimization (3 Points)
• Configure SW1 as the Root Bridge for VLANs 10, 20, 30 and 40. SW3 should be the Secondary Root Bridge for these VLANs.
• Configure SW2 as the Root Bridge for all other VLANs in your Topology. SW4 should be the Secondary Root Bridge for these VLANs.
• Configure the Switches such that the link startup time for ports should be a total of 20 seconds for VLANs 10 and 100.

1.6 Controlling Multicast and Broadcast Traffic (2 Points)
• Configure F0/1 on SW1 such that the maximum amount of bandwidth utilization for broadcast traffic is 40% and 50% for Multicast traffic.

1.7 Frame Relay Multipoint (3 Points)
• Configure frame relay to connect R1, R3 and R4 based on the Diagram.
• You can create 2 sub-interfaces on R4. You cannot create sub-interfaces on R1 and R3.
• R1, R3 and R4 should be configured in a hub-n-spoke configuration. R4 being the hub and R2 and R3 being spokes.
• R1 should be able to ping R3 and vice versa.
• All routers should be able to ping their local frame relay interface.
• Do not rely on inverse ARP for frame relay mappings.
• Use an industry standard encapsulation for these routers.

1.8 Frame-Relay between R2 and R4 (2 Points)
• Configure frame relay to connect R2 and R4 based on the Diagram.
• Configure R4's connection towards R2 as a point-to-point link. R2's link should be a multipoint link.
• Ensure that R2 and R4 use CHAP authentication using Cisco as the password. These routers must authenticate each other before they can communicate.

Section 2 IGP (30 points)

2.1 Configure RIP Version 2 (3 Points)
• Configure RIP V2 on R5 to communicate to BB1 which is already configured with RIP V2. Advertise the Loopback network on R5 in RIP.
• Also, advertise the 192.1.56.0/25 in RIP. Make sure that no RIP advertisements are sent on VLAN 56.

2.2 RIP Authentication (2 Points)
• Configure R5 to authenticate with BB1. BB1 has been configured with a Key # of 1 and key-string of cisco.
• Use the most secure authentication mechanism.

2.3 Route Filtering using RIP (2 Points)
• Deny all networks that have an even number in the 195.1.X.0 network range.
• Do the filtering on R5. Use minimum number of lines possible to accomplish this task.
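
The even-network filter in 2.3 (and the even 200.1.X.0 selection in 2.9) rests on a wildcard mask that ignores every bit of the third octet except the lowest. The Python below is an added illustration, not part of the workbook; the entry 195.1.0.0 0.0.254.0, the helper names and the sample routes are assumptions constructed for it.

```python
import ipaddress

def acl_matches(address, base, wildcard):
    """Standard-ACL comparison: bits set to 1 in the wildcard are ignored,
    every other bit of the address must equal the same bit of the base."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parity_entry(range_base, even=True):
    """(base, wildcard) selecting even or odd third octets under range_base.
    254 = 11111110b ignores every third-octet bit except the lowest, so the
    lowest bit of the base (0 or 1) decides even versus odd."""
    o1, o2 = range_base.split(".")[:2]
    return f"{o1}.{o2}.{0 if even else 1}.0", "0.0.254.0"

def matched_third_octets(range_base, base, wildcard):
    """Third-octet values X for which <o1>.<o2>.X.0 matches the entry."""
    o1, o2 = range_base.split(".")[:2]
    return [x for x in range(256)
            if acl_matches(f"{o1}.{o2}.{x}.0", base, wildcard)]

def surviving_routes(routes, deny_base, deny_wildcard):
    """Routes left after 'deny <base> <wildcard>' followed by 'permit any'."""
    return [r for r in routes if not acl_matches(r, deny_base, deny_wildcard)]

# Constructed sample of received networks (not taken from the workbook).
SAMPLE_ROUTES = ["195.1.4.0", "195.1.5.0", "195.1.254.0",
                 "195.1.255.0", "195.2.4.0", "195.1.4.128"]

if __name__ == "__main__":
    base, wc = parity_entry("195.1.0.0", even=True)
    print("deny", base, wc)
    print(surviving_routes(SAMPLE_ROUTES, base, wc))
```

The last two sample routes survive because the entry pins the first, second and fourth octets exactly, so it matches only network addresses of the form 195.1.<even>.0.
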
2.4 Configuring EIGRP (2 Points)
• Configure the following Loopbacks:
  o SW3 Loopback 23: 23.23.23.23/24
  o SW4 Loopback 24: 24.24.24.24/24
• Configure EIGRP on R3 and SW3 in AS 300 to communicate with each other.
• Advertise the Loopback network on SW3 in EIGRP. Don't advertise the Loopback on R3 under EIGRP.
• Configure EIGRP on SW4 in AS 200 to communicate with BB2.
• Advertise the Loopback network on SW4 in EIGRP.

2.5 EIGRP Authentication and Optimization (3 Points)
• Authenticate the EIGRP connection with BB2. BB2 has been configured with a key # 1 with a key-string of cisco.
• Use the most secure authentication mechanism.
• Make sure R3 does not send query packets towards SW3.

2.6 Configuring OSPF (4 Points)
• Configure OSPF between R5 and R6 in Area 0. Advertise the Loopback interface on R6 in Area 0. Make sure the route appears in OSPF with the proper mask and not a host mask.
• Configure OSPF between R1, R2, R3, R4 and R6 in Area 10. Advertise the Loopback addresses on R1, R2, R3 and R4 in Area 10. They should appear with the proper mask and not a host mask.
• Don't use the OSPF network type Broadcast on the Serial Interfaces. Don't use the Neighbor command to establish the neighbor relationships.
• Configure OSPF between R3 and SW4 in Area 100. Advertise the Loopback interface on SW4 in Area 100. Make sure the route appears in OSPF with the proper mask and not a host mask.
• Hard code the router-id on all OSPF devices. Use the following as the router-ids:
  o R1: 11.11.11.11
  o R2: 22.22.22.22
  o R3: 33.33.33.33
  o R4: 44.44.44.44
  o R5: 55.55.55.55
  o R6: 66.66.66.66
  o SW4: 24.24.24.24

2.7 Configuring OSPF Virtual Links (3 Points)
• Configure Virtual Links on the appropriate routers to connect Area 100 to Area 0.

2.8 OSPF Authentication (4 Points)
• Configure authentication for OSPF routers in Area 0. Use Message Digest as the authentication Mechanism. Use ccie as the key with a key id of 1.
• Configure Authentication for OSPF routers in Area 100. Use Message Digest as the authentication Mechanism. Use cisco as the key with a key id of 1.
• Configure Authentication for OSPF routers in Area 10. Use Message Digest as the authentication Mechanism. Use ccie as the key with a key id of 1.
• Configure Authentication on the virtual link as well.

2.9 Redistribution and Filtering (4 Points)
• Mutually redistribute RIP and OSPF at the appropriate router. Routes should be redistributed in such a way that OSPF adds the link cost at each router.
• When redistributing the 200.1.X.0 routes learned from BB1, only the even networks should be redistributed at the appropriate router.
• Mutually redistribute OSPF and EIGRP on the appropriate devices. Routes should be redistributed in such a way that OSPF adds the link cost at each router.
• Area 100 should not receive RIP routes or Inter-Area routes. It should maintain connectivity to them. Do not use an ACL or Prefix-list to accomplish this step. All EIGRP routes from EIGRP 200 should be visible in OSPF.

2.10 Summarization (3 Points)
• Configure the following loopbacks on SW4:
  o Loopback 201: 201.1.12.1/24
  o Loopback 202: 201.1.13.1/24
  o Loopback 203: 201.1.14.1/24
  o Loopback 204: 201.1.15.1/24
• Advertise the newly created loopbacks under EIGRP on SW4.
• These routes should be summarized towards BB2.
• Inject these routes into OSPF as well. Don't use the network command to accomplish this task. Only send a summarized route into OSPF.
• Configure the following loopbacks on R5:
  o Loopback 201: 205.1.20.1/24
  o Loopback 202: 205.1.21.1/24
  o Loopback 203: 205.1.22.1/24
  o Loopback 204: 205.1.23.1/24
• Advertise the newly created loopbacks under OSPF on R5.
• These routes should be summarized on R6.

Section 3 BGP (6 points)

3.1 IBGP (2 Points)
• Configure the following Loopbacks:
  o R1 Loopback 125: 125.1.1.1/24
  o R2 Loopback 125: 125.2.2.2/24
  o R3 Loopback 125: 125.3.3.3/24
  o R4 Loopback 125: 125.4.4.4/24
  o R6 Loopback 125: 125.6.6.6/24
  o SW4 Loopback 125: 125.24.24.24/24
• Configure R1, R2, R3 and R4 in AS 100.
• R4 should have a neighbor relationship with R1, R2 and R3. Do not configure any relationship between R1, R2 and R3.
• Advertise the Loopback 125 networks on the appropriate routers.
• Configure the neighbor relationship with redundancy in mind.
• All IBGP routers should use the most secure authentication method. Use CC1E as the password.

3.2 EBGP (2 Points)
• Configure an EBGP relationship between AS 100 and AS 150. Use R3 in AS 100 to set this relationship up.
• Advertise the Loopback 125 network in BGP on SW4. Don't use the network command to accomplish this task. The origin should be internal.
• Configure an EBGP relationship between AS 150 and AS 200. Authenticate this relationship using a password of cisco.

3.3 Route Aggregation (2 Points)
• Create the following loopbacks on R1:
  o Loopback 191: 199.1.4.1/24
  o Loopback 192: 199.1.5.1/24
  o Loopback 193: 199.1.6.1/24
  o Loopback 194: 199.1.7.1/24
• Advertise these networks under BGP.
• Summarize these networks on R1.
• Suppress the specific routes from getting propagated to BGP neighbors except for 199.1.5.0/24. This route should get propagated in addition to the summary route.
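
The summarization tasks in 2.10 and the aggregation task in 3.3 each depend on the four /24s sharing one covering prefix that announces nothing extra. The Python below is an added check, not part of the workbook; it takes the loopback addresses from those tasks, and the function names and the misaligned comparison set are constructed for illustration (all component routes are assumed to be /24s).

```python
import ipaddress

def to_networks(interfaces):
    """Turn interface addresses such as 199.1.4.1/24 into their networks."""
    return [ipaddress.ip_interface(i).network for i in interfaces]

def covering_prefix(interfaces):
    """Smallest single prefix that contains every listed network."""
    nets = to_networks(interfaces)
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()   # widen by one bit and retry
    return summary

def summarize(interfaces):
    """(summary, exact): exact is False when the summary also covers
    address space that none of the component routes announce."""
    nets = to_networks(interfaces)
    summary = covering_prefix(interfaces)
    exact = list(ipaddress.collapse_addresses(nets)) == [summary]
    return summary, exact

def uncovered_24s(interfaces):
    """/24s inside the summary that no component route backs."""
    nets = set(to_networks(interfaces))
    summary = covering_prefix(interfaces)
    return [s for s in summary.subnets(new_prefix=24) if s not in nets]

def advertised(interfaces, leak=()):
    """Routes a neighbor sees when specifics are suppressed except 'leak'."""
    leaked = {ipaddress.ip_network(n) for n in leak}
    summary, _ = summarize(interfaces)
    return [summary] + [n for n in to_networks(interfaces) if n in leaked]

# Loopback addresses as listed in tasks 2.10 and 3.3.
SW4_LOOPS = ["201.1.12.1/24", "201.1.13.1/24", "201.1.14.1/24", "201.1.15.1/24"]
R5_LOOPS = ["205.1.20.1/24", "205.1.21.1/24", "205.1.22.1/24", "205.1.23.1/24"]
R1_LOOPS = ["199.1.4.1/24", "199.1.5.1/24", "199.1.6.1/24", "199.1.7.1/24"]
# Constructed contrast: the same count of /24s, but not aligned on a /22 boundary.
MISALIGNED = ["199.1.5.1/24", "199.1.6.1/24", "199.1.7.1/24", "199.1.8.1/24"]

if __name__ == "__main__":
    for name, loops in [("SW4", SW4_LOOPS), ("R5", R5_LOOPS),
                        ("R1", R1_LOOPS), ("misaligned", MISALIGNED)]:
        summary, exact = summarize(loops)
        print(name, summary, "exact" if exact else
              f"over-summarized by {len(uncovered_24s(loops))} /24s")
    print(advertised(R1_LOOPS, leak=["199.1.5.0/24"]))
```

An inexact summary draws traffic for prefixes the router cannot reach, which is why the misaligned set is worth comparing against the aligned ones.
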

Section 4 MPLS (8 points)

4.1 Configuring MP-BGP (4 Points)
• Configure MPLS Unicast routing on R1, R2, R3 and R4 on the Serial interfaces.
• Make sure the LDP neighbor relationships are established based on a reliable interface.
• Enable R1 and R2 to exchange VPNv4 routes with each other.

4.2 Configuring PE-CE Routing using VRFs (4 Points)
• Configure a VRF named CUST-A on R1 and R2. Use a RD value of 1:10. Use 1:11 as the Import and Export RT.
• Configure RIP v2 as the PE-CE routing protocol between R1 and SW1.
• Create the following loopbacks on SW1:
  o Loopback 11: 10.1.4.1/24
  o Loopback 12: 10.1.5.1/24
  o Loopback 13: 10.1.6.1/24
  o Loopback 14: 10.1.7.1/24
• Advertise them in RIP on SW1.
• Configure EIGRP as the PE-CE routing protocol between R2 and SW2 in AS 120.
• Create the following loopbacks on SW2:
  o Loopback 11: 10.1.8.1/24
  o Loopback 12: 10.1.9.1/24
  o Loopback 13: 10.1.10.1/24
  o Loopback 14: 10.1.11.1/24
• Advertise them in EIGRP 120 on SW1.
• Configure an MPLS VPN to connect Cust-A Site 1 and Site 2 to each other. Make sure all Site 1 routes are seen on SW2 and all Site 2 routes are seen on SW1.

Section 5 Security (6 points)

5.1 HTTP Management with AAA Authentication (3 Points)
• Configure R3 to communicate with an ACS server using TACACS+ as the authentication protocol. Use CC1E as the key. The TACACS+ server is located at 192.1.30.100.
• Configure R3 to allow HTTP Management using Secure HTTP. It should only allow HTTP Management from VLAN 30.
• Authenticate the users connecting into R3 for HTTP using the ACS server. If the ACS Server is down, authenticate against the local Database. Create a local user Admin with a password of admin.

5.2 Control Plane Management (3 Points)
• Configure a queue-threshold on R3 such that it sets the incoming queue limit using the following:
  o HTTP: 100
  o Telnet: 75
  o SNMP: 50
  o All other protocols: 200

Section 6 IOS Services (12 points)

6.1 IOS DHCP Server (3 Points)
• Enable R5 as a DHCP Server with the following information:
  o IP ADDRESS : 192.1.100.0/24
  o WINS ADDRESS : 192.1.100.5
  o DNS ADDRESS : 192.1.100.6
  o DEFAULT GATEWAY : 192.1.100.1
  o LEASE TIME : 6 Days
  o Exclude-addresses : 192.1.100.1-192.1.100.10 and 192.1.100.100

6.2 TFTP (3 Points)
• Configure R6 as a TFTP Server. It should allow access to its IOS Image file.
• Only allow R5 to access this file.

6.3 NTP (3 Points)
• Configure R2 as an NTP Master with a stratum of 2. It should authenticate the clients using a key id of 234. The Key string should be ccie12353. Set it with a Time Zone of GMT +4.
• Configure R4 to receive its clock from R4. Set it with a Time Zone of GMT +5.5. Configure R4 such that it automatically adjusts the clock based on the time zone.
• Configure R3 to receive its clock from R4. Set it with a Time Zone of GMT +5.5. Do not use the NTP Server command to receive the clock. Do not configure any commands under the interface to accomplish this task.

6.4 GLBP (3 Points)
• Configure R4 as GLBP AVG for VLAN 46. Use 46 as the GLBP Group number and .100 as the Virtual IP Address.
• R4 should be the preferred AVG.

Section 7 Multicasting (6 points)

7.1 Configuring PIM Sparse Mode (3 Points)
• Configure VLAN 56 to receive and send multicast Traffic from and to VLAN 46.
• Perform configurations on R5 and R6 using PIM-Sparse-Mode. R5 should be the RP for 224.5.5.5 and R6 should be the RP for 224.6.6.6.

7.2 Configuring IGMP (3 Points)
• Configure R5 to statically join multicast group 224.5.5.5 and R6 to statically join the multicast group 224.6.6.6.
• R5 and R6 should be able to ping both Multicast groups.

Section 8 QoS (6 points)

8.1 Configuring QoS using NBAR (3 Points)
• Configure R3 such that traffic going towards the Frame Cloud uses the following QoS parameters:
  o All HTTP traffic towards a Web Server http://www.netmetricsolutions.com should be assigned a minimum bandwidth of 35%.
  o Telnet Traffic should be assigned a minimum bandwidth of 10%. Configure it for LLQ.
  o FTP traffic should be limited to 256 kbps.

8.2 Traffic Shaping with MQC and Map-class (3 Points)
• Classify traffic that has a precedence of 3 or is destined to any TFTP server on R2.
• Any traffic from the previously classified traffic destined to a Server 192.1.34.100 should be policed to a rate of 128 kbps. This policy should be applied on the inbound direction of R2 F 0/0 interface.

Section 9 IPv6 (6 points)

9.1 Configuring IPv6 (3 Points)
• Configure R2, R4, R5 and R6 with the following IPv6 Addresses:

Router   Interface      IPv6 Address
R2       Loopback 100   2000:2222:2222:2222::/64
         S 0/0          2000:192:1:24::2/64
R4       Loopback 100   2000:4444:4444:4444::/64
         S 0/0.24       2222:192:1:24::4/64
R5       Loopback 100   2000:5555:5555:5555::/64
         F 0/0.56       2000:192:1:56::5/64
R4       Loopback 100   2000:6666:6666:6666::/64
         F 0/0.56       2000:192:1:56::6/64

• Enable IPv6 Unicast Routing on R2, R4, R5 and R6.
• Run OSPFv3 between R2 and R4 and advertise the Loopback networks.
• Run OSPFv3 between R5 and R6 and advertise the Loopback networks.

9.2 Configuring Tunneling to connect the IPv6 networks over an IPv4 network (3 Points)
• Configure a tunnel to connect R6 to R4. It should carry the IPv6 packet within an IPv4 packet.
• Run OSPFv3 on the tunnel interface to connect VLAN 56 IPv6 network with R2 and R4 IPv6 network.
