
TITANIC(K7)

Questionnaire

Section 1: Layer 2

1.1 Initial Faults

- Root guard on SW1 trunk ports
- DHCP snooping / ARP inspection on VLAN 17 on SW2
- PortFast trunk on SW4 trunk interfaces
- Root guard on interfaces connected to the backbone
- ip cef disabled on a few routers
- VTP version, domain name and password differences
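The commands below are an added example, not part of the original questionnaire: they are the show commands that expose each Layer 2 fault in the list, followed by the usual correction. The port numbers (Fa0/19-24 as the inter-switch trunks) are assumed.

```cisco
! Added example (not from the questionnaire); trunk port numbers are assumed.
show spanning-tree inconsistentports        ! ports held in ROOT_Inc by root guard
show ip dhcp snooping                       ! VLANs being snooped and which ports are trusted
show ip arp inspection interfaces           ! DAI trust state and rate limit per port
show ip arp inspection statistics vlan 17   ! ARP packets DAI has dropped on VLAN 17
show ip cef                                 ! reports whether CEF is running on a router
show vtp status                             ! version, domain name and mode (password: show vtp password)

! Trunks between switches must carry neither root guard nor PortFast:
! root guard there blocks the legitimate root, PortFast there skips listening/learning.
interface range FastEthernet0/19 - 24
 no spanning-tree guard root
 no spanning-tree portfast

! If DHCP snooping and DAI stay enabled on VLAN 17, every port that faces a router,
! a DHCP server or another switch must be trusted. DAI validates ARP against the
! snooping binding table, so statically addressed hosts behind untrusted ports are
! dropped silently; the statistics counter above is where that shows up.
interface range FastEthernet0/19 - 24
 ip dhcp snooping trust
 ip arp inspection trust

! Routers: CEF must be on, or MQC features that depend on it will not apply.
ip cef
```

Keep root guard only on ports that face devices which must never become root (access ports toward hosts), and check `show spanning-tree inconsistentports` after the change: a port that stays in ROOT_Inc is receiving superior BPDUs and the guard is doing its job.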

1.2 Implement Access Switch Ports of Switched Network

Configure all of the appropriate non-trunking switch ports on SW1-SW4 according to the following requirements:
- The VTP domain should be CCIE and the password cisco
- VTP mode on all switches should be configured as transparent mode
- Configure the VLAN ID and name according to the table below (case sensitive)
- Configure the access ports for each VLAN as per the diagram

VLAN      NAME
Vlan17    VLAN_17_R1-SW2
Vlan29    VLAN_29_R2-SW4
Vlan34    VLAN_34
Vlan38    VLAN_38_R3-SW3
Vlan45    VLAN_45
Vlan56    VLAN_56_R5-SW1
Vlan67    VLAN_67_SW1-SW2
Vlan89    VLAN_89_SW3-SW4
Vlan100   VLAN_BB1
Vlan200   VLAN_BB2
Vlan300   VLAN_BB3
Vlan333   VLAN_CUSTOMER
Vlan500   VLAN_USERS
Vlan666   VLAN_CARRIER
Vlan999   VLAN_NATIVE

Note: According to test-taker feedback, SW1 (or another switch) has probably been pre-configured with the needed VLANs.

1.3 Multiple Spanning Tree

Configure the switches according to the following requirements:
- Each of the following sets of VLANs must share a common spanning-tree topology:
  - Spanning-tree topology 1: all odd VLANs used throughout your exam
  - Spanning-tree topology 2: all even VLANs used throughout your exam
  - Spanning-tree topology 3: all other VLANs must be explicitly put into instance 3 (OR: spanning-tree topology 3: all other VLANs)
- Use the domain name cisco
- Ensure SW1 is the root switch for instance 1 and the CIST VLANs, and the backup root switch for instance 2
- Ensure SW2 is the root switch for instance 2, and the backup root switch for instance 1 and the CIST VLANs
- Configure the native VLAN as VLAN 999. Ensure this VLAN is tagged.
- All unused ports should be administratively shut down and defined as access ports on VLAN 999. Don't forget the GigabitEthernet ports (2 ports).

1.4 Switch Trunking and Etherchannel

Refer to the diagram. Configure the dual trunk ports between SW1, SW2, SW3 and SW4 according to the following requirements:
- Use encapsulation 802.1q
- Disable DTP on the six distribution ports of each switch
- Configure an 802.3ad 200 Mbps Etherchannel between SW1 and SW2; SW2 should not actively start it
- Etherchannel load balancing should be accomplished by source and destination MAC address
- In future, if more links (ports) are added to the bundle, make sure that interface fa0/24 is always chosen first for traffic flow along with the channel. **(Question now wants F0/24 on SW1 and SW2)**

OR (alternative wording):
- Configure the trunks using dot1q as per the diagram (ports 19-24) for SW1-SW4
- Allow the native VLAN 999 and make sure the native VLAN frames are tagged
- Configure an Etherchannel (LACP) between the 2 switches; SW2 shouldn't actively start it
- Load balance on a hash of source and destination MAC address

1.5 Implement 802.1Q Tunneling

Configure 802.1Q tunneling on all switches according to the following requirements:
- Users connected to VLAN 333 on SW3 must be able to communicate with users connected to VLAN 333 on SW4 via their interface Fa0/19 (respectively connected to SW1 and SW2)
- Configure the VLAN 333 interface on SW3 with the IP address YY.YY.33.8/24
- Configure the VLAN 333 interface on SW4 with the IP address YY.YY.33.9/24
- VLAN 333 must be allowed to flow only through SW3's and SW4's Fa0/19. No other trunks may carry this VLAN
- SW1 and SW2 must carry the VLAN 333 data across the network using VLAN 666
- VLAN 666 may exist only on SW1 and SW2
- SW1 and SW2 must not allow VLAN 333 on any trunks and must allow VLAN 666 only on the trunks between them. No other port in any switch may carry VLAN 333
- Do not modify any spanning-tree cost or port priority to achieve this task
- Referring to the exhibit below, SW3 must see SW4 as a CDP neighbor via interface Fa0/19 and must be able to ping SW4's VLAN 333

Note: RackYYSW3#ping 19.19.33.9 should be successful.
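The configuration below is an added example of the tunneling task, not the questionnaire's own solution. It assumes rack number YY = 11, that SW1 Fa0/19 faces SW3 and SW2 Fa0/19 faces SW4, and that Fa0/23-24 are the SW1-SW2 trunks.

```cisco
! Added example (not from the questionnaire). Assumes YY = 11, SW1/SW2 Fa0/19 face
! SW3/SW4, and Fa0/23-24 are the SW1-SW2 trunks.

! SW3 (SW4 is identical with 11.11.33.9)
vlan 333
 name VLAN_CUSTOMER
interface Vlan333
 ip address 11.11.33.8 255.255.255.0
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport trunk allowed vlan 333          ! the customer VLAN leaves the switch here only
interface range FastEthernet0/20 - 24       ! every other trunk: keep 333 off
 switchport trunk allowed vlan remove 333

! SW1 (SW2 is identical)
system mtu 1504                             ! room for the second 802.1Q tag; applies after reload
vlan 666
 name VLAN_CARRIER
interface FastEthernet0/19
 switchport access vlan 666                 ! outer (carrier) tag added to every customer frame
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp                      ! carry CDP so SW3 and SW4 see each other as neighbors
interface range FastEthernet0/23 - 24       ! trunks toward the other carrier switch
 switchport trunk allowed vlan remove 333
 switchport trunk allowed vlan add 666
! trunks toward SW3 and SW4 on other ports must carry neither 333 nor 666
```

The isolation property is the point: VLAN 333 is never a switched VLAN on SW1 or SW2, so no provider-side port can be placed into it, and VLAN 666 exists only on the two carrier switches. Verify with `show dot1q-tunnel`, `show l2protocol-tunnel` and `show cdp neighbors` on SW3, which should list SW4 on Fa0/19.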

1.6 PPP over Ethernet

Configure PPPoE between R3 and R4 according to the following requirements:
- Configure R3 as the PPPoE server and R4 as a PPPoE client
- Configure the group name as CISCO
- Ensure R4 always gets the same IP address; you are not allowed to use DHCP
- Ensure there is no interleaving on the PPPoE link
- R3 must require R4 to authenticate using CHAP, but R4 must NOT require R3 to authenticate
- Do NOT use the ppp chap hostname command on R4
- Use CISCO as the CHAP password for R4
- Make sure that all CHAP passwords are shown in clear text in the configuration

Note: please read the question patiently, as either R3 or R4 could be named as the PPPoE server.

1.7 Implement Frame Relay

Use the following requirements to configure R1 and R2 for Frame Relay:
- Use static Frame Relay maps with the broadcast capability
- Do not use dynamic ARP mapping
- Do not change anything in the Frame Relay switch (R4)
- Use RFC1490/RFC2427 encapsulation
- Use the DLCI assignments from the table below
- Use the IP addressing as documented in diagram #x and use the largest subnet mask
- Set the administrative bandwidth to 50000 Kb on the interfaces
- R1 and R2 must be able to ping their own interface

Router   DLCI
R1       100
R2       200

Section 2: Layer 3

2.1 Implement IPv4 OSPF

Configure OSPF areas 0, 1 and 2 as per the IGP topology diagram and the following requirements:
- The OSPF process ID can be any number
- The OSPF router-id must be stable and must be configured using the IP address of interface Loopback 0
- Loopback 0 interfaces should be advertised in the OSPF area shown in the IGP topology diagram and must appear as /32 host routes
- Updates should be advertised only out of the interfaces indicated in the IGP topology diagram
- Establish a neighborship between R1 and R2 without changing the OSPF network type
- Ensure that R4 can still reach all OSPF networks via R3 in case R1 or R5 goes down
- Do not create additional OSPF areas
- Do not use any IP address not listed in the diagram

Note: SW1, SW2, R1 and R5 Loopback 0 are in Area 0. R2 and R3 Loopback 0 are in Area 1; R4 Loopback 0 is in Area 2. The Backbone 1 and Backbone 2 facing interfaces of R1 and R2 should also be advertised in OSPF: the BB1 interface in Area 0 and the BB2 interface in Area 1 (do not redistribute connected).

2.2 Implement IPv4 EIGRP

Configure EIGRP 100 and EIGRP YY per the topology diagram:
- Backbone 3 has the IP address 150.3.YY.254 and uses AS number 100
- EIGRP updates should be advertised only out of the interfaces shown in the topology diagram
- On SW3, redistribute from EIGRP 100 into EIGRP YY
- Do not use auto-summarization for any EIGRP process

2.3 Implement IPv4 RIP

Configure RIPv2 per the IGP topology diagram:
- RIP updates must be advertised only out of the interfaces shown in the IGP topology diagram
- Disable auto-summarization in the RIP domain
- Redistribute OSPF into RIP on R5
- Ensure that R4 reaches SW1 Loopback 0 via R5, but that all other routes go through R3
- Advertise VLAN 45 into OSPF without using the network command

2.4 Redistribution between OSPF and EIGRP

Redistribute mutually between OSPF and EIGRP YY on R2 and R3 according to the following requirements:
- On R2 and R3, ensure that all prefixes learned from OSPF are seen as OSPF routes and that the prefixes learned from EIGRP 100 are seen as EIGRP external routes (D EX)
- The only external routes on R2 and R3 should be the EIGRP 100 routes
- No default route should be seen in this network
- No route tagging is permitted on SW3
- You are not allowed to use any access-lists, prefix-lists or AD values to accomplish this requirement

2.5 Implement IPv4 iBGP

Configure iBGP between R1, R2, R3, R4 and R5 according to the following requirements:
- Where possible, failure of a physical interface should not permanently affect BGP peer connections
- Use only the Loopback 0 IP addresses to propagate BGP route information within your BGP domain
- Configure R3 as the route reflector
- Minimize the number of BGP peering sessions; all BGP speakers are in AS YY
- You are not allowed to use BGP peer groups

2.6 Implement IPv4 eBGP

Configure eBGP on R1 and R2 according to the following requirements:
- R1 eBGP-peers with the router 150.1.YY.254 on Backbone 1, AS 254
- R2 eBGP-peers with the router 150.2.YY.254 on Backbone 2, AS 254
- R1 and R2 should have the capability to signal the End-of-RIB marker
- Do not change the BGP next-hop anywhere
- A maximum of 5 prefixes is allowed; otherwise a message should be generated

Note: R1 routes have AS path 253 254; R2 routes have AS path 254.

2.7 Advanced BGP

Configure BGP path selection according to the following requirements:
- Redistribute OSPF into BGP on R1 and R2
- R1 should prefer the path pointing to BB1 (AS 254); the BGP tie breaker for best-path selection has to be the internal vs. external criterion
- R3 should prefer the path through R1 to BB1 for reaching AS 254. This configuration should not affect any other routers in AS YY getting to BGP AS 254
- You are not allowed to change BGP attributes such as Weight, AS-Path or Local Preference on R4 and R5 to accomplish this task
- You are allowed to change the OSPF cost of only one interface
- R4 should prefer R1 as the exit point for reaching AS 254
- R4 should be able to ping a prefix in the 197.68.1.254 network learned from BGP AS 254, with the path via R1

2.8 Implement IPv6 addressing

The administrator has started to configure global unicast IPv6 addresses in your network according to Diagram 3 (IPv6 Routing):
- Configure global unicast IPs on every interface of R1, R5, SW1 and SW2
- Ensure that all routers and switches can ping each other using IPv6
- Configure the IPv6 addresses as follows (YY = rack number, HH = interface IPv4 3rd octet, ZZ = interface IPv4 4th octet):
  - Interfaces: 2001:YY:HH::ZZ/64
  - Loopbacks: 2001:YY:HH::ZZ/128

2.9 Implement IPv6 OSPFv3 Routing

Continue configuring IPv6 OSPFv3 according to the diagram and the following requirements:
- The process ID has to be 2001
- OSPFv3 router IDs must be stable and identical to the OSPFv2 router IDs
- Do not create any additional OSPFv3 areas
- Ensure that periodic Router Advertisements are disabled on the IPv6-enabled interfaces
- Ensure that all IPv6 networks on all routers and switches can ping each other using IPv6
- Make sure the routers use the Cisco proprietary forwarding mechanism

Section 3: IP Multicast

3.1 Implement IPv4 Multicast - I

Configure IPv4 multicast routing between R3 Serial 0/0/0 and R5 Serial 0/0/1 according to the following requirements:
- Do not use any RP
- Interface Loopback 0 of R3 is the video server; the client is simulated on R5
- Multicast is sourced from Loopback 0 of R3 and the receiver is R5 Fa0/0 (225.1.1.1)
- Ensure that unnecessary flooding/pruning does not occur

3.2 Implement IPv4 Multicast - II

- Ensure that only R3 Lo0 (YY.YY.3.3) is allowed to send to multicast group 225.1.1.1
- Other users on R5 are planning to join 225.1.1.2 and 225.1.1.3 in the near future. These users will use IGMPv2. Ensure that these users can only access the two multicast streams (only for a given source)
- Routers should not use DNS queries for mapping the source

Section 4: Advanced IP Services

4.1 Implement Time Based ACL

Configure SW1 and SW2 in order to restrict access for VLAN 500 users as per the following requirements:
- HTTP (from any user workstation to any remote server) is not allowed during office hours (from 09:00 to 16:59, Monday to Friday)
- FTP (from any user workstation to any remote server) is allowed only every night for backup, between 22:00 and 23:59, and is not allowed at any other time
- UDP traffic is allowed only outside of the office hours (every day from 17:00 to 8:59)
- Any required control traffic must be allowed at all times, and the ACL entries must be as specific as possible (i.e. specify Layer 4 with the connection port number on the destination)
- Sources in all ACL entries must be explicitly configured as YY.YY.100.0/24
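One way to build the time-based ACL, as an added example that is not the questionnaire's own answer. It assumes rack YY = 11 (so the user subnet is 11.11.100.0/24), that DNS on udp/53 is the "required control traffic", that 11.11.17.1 is an NTP source, and that the ACL is applied inbound on the VLAN 500 SVI of both switches.

```cisco
! Added example (not from the questionnaire). Assumes YY = 11, DNS as the control
! traffic, an NTP server at 11.11.17.1, and inbound application on interface Vlan500.
clock timezone PST -8                 ! a time-based ACL is only as good as the clock
ntp server 11.11.17.1

time-range OFFICE_HOURS
 periodic weekdays 9:00 to 16:59
time-range BACKUP_WINDOW
 periodic daily 22:00 to 23:59
time-range OUTSIDE_OFFICE              ! two entries because a period cannot cross midnight
 periodic daily 17:00 to 23:59
 periodic daily 0:00 to 8:59

ip access-list extended VLAN500_USERS
 ! control traffic, pinned to its destination port, permitted at all times
 permit udp 11.11.100.0 0.0.0.255 any eq domain
 ! HTTP is denied only while OFFICE_HOURS is active; the entry is inactive otherwise
 deny   tcp 11.11.100.0 0.0.0.255 any eq www time-range OFFICE_HOURS
 ! FTP control channel: permitted in the backup window, denied at every other time
 permit tcp 11.11.100.0 0.0.0.255 any eq ftp time-range BACKUP_WINDOW
 deny   tcp 11.11.100.0 0.0.0.255 any eq ftp
 ! remaining UDP only outside office hours
 permit udp 11.11.100.0 0.0.0.255 any time-range OUTSIDE_OFFICE
 deny   udp 11.11.100.0 0.0.0.255 any
 permit ip  11.11.100.0 0.0.0.255 any

interface Vlan500
 ip access-group VLAN500_USERS in
```

Order matters: the always-on control entry sits above the time-gated denies, and each time-gated permit is followed by an unconditional deny for the same traffic so the final `permit ip` cannot let it through when the window closes. `show access-lists` marks each gated entry `(active)` or `(inactive)` and `show time-range` shows the current state, which is the quickest way to confirm the clock and the ranges agree. The FTP entries govern only the control channel on tcp/21; a passive-mode data connection to an ephemeral port falls through to the final permit, so a policy that must also block the data channel needs a stateful inspection engine rather than a static ACL.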

4.2 Implement ZBF

Configure ZBF on R1 using the exact naming convention shown in the following output. Ping from R5 and SW2 to the backbone interface or network. Make sure that when you enter the show command, it shows the same output:

Rack11R5# ping 150.1.11.254
Rack11SW2# ping 150.1.11.254

Output: #show policy-map type inspect zone-pair
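A zone-based firewall that satisfies the pings above, as an added example rather than the exhibit's expected output: the zone, class-map and policy-map names are assumed because the exhibit with the exact naming convention is not reproduced on this page, and the interface roles (FastEthernet0/1 toward BB1, FastEthernet0/0 and Serial0/0/0 toward the inside) are assumed as well.

```cisco
! Added example (not the questionnaire's exhibit). All names and interface roles assumed.
zone security INSIDE
zone security OUTSIDE

class-map type inspect match-any CM_INSIDE_TO_OUTSIDE
 match protocol icmp
 match protocol tcp
 match protocol udp

policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_INSIDE_TO_OUTSIDE
  inspect                      ! stateful: the echo-replies from 150.1.11.254 are allowed back
 class class-default
  drop

zone-pair security ZP_INSIDE_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_INSIDE_TO_OUTSIDE

interface FastEthernet0/0       ! assumed: toward SW2 / VLAN 17
 zone-member security INSIDE
interface Serial0/0/0           ! assumed: toward R5
 zone-member security INSIDE
interface FastEthernet0/1       ! assumed: toward BB1
 zone-member security OUTSIDE
```

Two properties make this the defensive default: with no OUTSIDE-to-INSIDE zone pair, unsolicited traffic from BB1 is dropped, and traffic to or from the router itself belongs to the implicit self zone, so the OSPF and BGP sessions on those interfaces keep running without a policy. Every R1 interface must belong to some zone, because a zone member cannot exchange traffic with an interface that is in no zone. `show policy-map type inspect zone-pair` (the output the task asks for) shows the session and packet counters climbing as the pings pass.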

4.3 QoS

Part 1
Traffic from 197.68.1.0/24 from BB1 is attacking a host in OSPF Area 0; it should be limited to 128k on each interface of R1 where it goes toward the OSPF area. Use MQC and do not use policing. Use only a standard ACL to accomplish this task.

Part 2
Configure MQC on the R5 link to R3. Consider that users connected to VLAN 56 are sending traffic that is already marked as follows:
- control: IP precedence 6 or 7
- voice: IP precedence 5
- video: IP precedence 4
- business: IP precedence 3
- internet: IP precedence 0

Configure R5's interface s0/0/1 to share its available bandwidth as per the following requirements:
- Use the modular QoS CLI and use class names as per the above description (case sensitive)
- Use the match-all option for all class-maps
- Use only the criterion "match ip precedence" for all class-maps
- In case of congestion, the voice traffic must be sent with priority over all other traffic
- The low-latency queue may never use more than 20% of the available bandwidth
- In case of congestion, reserve 100 kbps of the available 2000 kbps for the control traffic
- Only in case of congestion, the video traffic may not exceed 30% of the available bandwidth
- Only in case of congestion, the business traffic may not exceed 30% of the available bandwidth
- Enable the congestion avoidance mechanism for the business traffic using a weight factor of 10 for the average queue size calculation
- The internet traffic should use the remaining bandwidth with no other guarantee
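The Part 1 rate limit, written out as an added example (not from the questionnaire). It assumes Serial0/0/0 and FastEthernet0/0 are R1's interfaces toward OSPF area 0; the class and policy names are assumed.

```cisco
! Added example for Part 1 (not from the questionnaire); interface roles and names assumed.
access-list 1 permit 197.68.1.0 0.0.0.255     ! standard ACL: matches on source only, as required

class-map match-all ATTACK_SOURCE
 match access-group 1

policy-map LIMIT_ATTACK
 class ATTACK_SOURCE
  shape average 128000                        ! 128 kbps CIR; shaping queues excess, policing would drop it

interface Serial0/0/0                         ! assumed: toward area 0
 service-policy output LIMIT_ATTACK
interface FastEthernet0/0                     ! assumed: toward area 0
 service-policy output LIMIT_ATTACK
```

Because the class matches on source address alone, anything claiming that source range is shaped, which is the intended effect here. The trade-off of "do not use policing" is worth knowing: a shaper delays the excess and only tail-drops once its queue is full, so under a sustained flood the interface still carries 128 kbps of attack traffic plus a full queue of latency, whereas a policer would discard on sight. `show policy-map interface Serial0/0/0` reports the shaper's offered rate and queue depth.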

4.4 Implement Routing Protocol Authentication I

Secure the RIP domain according to the following requirements:
- The key chain for RIP authentication is pre-configured on R4; do not reconfigure it on R4
- Complete RIP authentication between R4 and R5

Note: the pre-configured key chain can be found using show key-chain rip on R4.

4.5 Implement Routing Protocol Authentication II

Secure OSPFv3 between R1 and R5 according to the following requirements:
- Use the authentication type MD5 with the key-string 1234567890abcdef1234567890abcdef
- You are not allowed to use any commands under router configuration mode to accomplish this task
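The two authentication tasks (4.4 and 4.5) in one added example, not the questionnaire's own solution. The R5 key chain name is local and arbitrary; the key id and key-string are placeholders that must be copied from what R4 already has. FastEthernet0/0 (VLAN 45) is assumed to be the R4-R5 RIP link, Serial0/0/0 the R1-R5 OSPFv3 link, and the SPI value 500 is assumed.

```cisco
! Added example (not from the questionnaire). Interface names, SPI and the
! key placeholders are assumptions.

! R4: read the pre-configured chain, do not change it
show key chain

! R5: key id and key-string must equal R4's; the chain name may differ
key chain RIP_AUTH
 key 1
  key-string <same-key-string-as-R4>
interface FastEthernet0/0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_AUTH

! R4: interface-level binding to the existing chain (only if not already present)
interface FastEthernet0/0
 ip rip authentication mode md5
 ip rip authentication key-chain <R4-existing-chain-name>

! R1 and R5: OSPFv3 authentication is configured per interface, so nothing is
! needed under "ipv6 router ospf 2001". The 32 hex digits form the 128-bit MD5 key.
interface Serial0/0/0
 ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef

! verification
show ip protocols
show ip route rip
show ipv6 ospf interface Serial0/0/0
show ipv6 ospf neighbor
```

A mismatch in RIP MD5 (different key id or string, or MD5 on one side and clear text on the other) fails quietly: the routes simply age out of `show ip route rip`, and only `debug ip rip` names the authentication failure. For OSPFv3 the SPI must match at both ends and the adjacency on that interface will not form until it does; `show ipv6 ospf interface` reports the SPI and whether the secure socket is up.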

4.6 Implement Layer 2 Security - Private VLAN

Configure Private VLANs according to the following requirements:
- R4 and R5 should be able to communicate only with each other in VLAN 45. No other host is allowed to communicate with them in VLAN 45
- Hosts connected to port fa0/6 on SW1 and SW2 should be part of VLAN 45 and should only communicate with each other. They must not be able to communicate with any other host in VLAN 45
- Hosts connected to port fa0/7 on SW1 and SW2 should not be able to communicate with any host
- SW1 fa0/8 is a promiscuous port
- Use only odd VLANs in the range from 334 to some VLAN, if you need to create new VLANs
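A private VLAN layout meeting the requirements above, added here as an example and not the questionnaire's own answer. It assumes Fa0/4 and Fa0/5 are the ports facing R4 and R5, that Fa0/23-24 is the SW1-SW2 trunk, and it picks 335, 337 and 339 as the first odd VLANs above 334.

```cisco
! Added example (not from the questionnaire). Router-facing ports and the trunk are assumed.
! Both switches are already VTP transparent (task 1.2), which private VLANs require.

! SW1 and SW2
vlan 335
 private-vlan community          ! R4 and R5 talk to each other only
vlan 337
 private-vlan community          ! the fa0/6 hosts talk to each other only
vlan 339
 private-vlan isolated           ! fa0/7 hosts reach promiscuous ports only (none here for them to use)
vlan 45
 private-vlan primary
 private-vlan association 335,337,339

interface range FastEthernet0/4 - 5         ! assumed: R4 and R5
 switchport mode private-vlan host
 switchport private-vlan host-association 45 335
interface FastEthernet0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 45 337
interface FastEthernet0/7
 switchport mode private-vlan host
 switchport private-vlan host-association 45 339

! the secondary VLANs must cross the inter-switch trunk like any other VLAN
interface range FastEthernet0/23 - 24
 switchport trunk allowed vlan add 45,335,337,339

! SW1 only: promiscuous port sees every secondary VLAN it is mapped to
interface FastEthernet0/8
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 45 335,337,339
```

The promiscuous mapping is where the isolation can be undone by mistake: Fa0/8 can reach R4, R5, the community hosts and the isolated hosts, and they can all reach it, so whatever sits on Fa0/8 is in effect a shared gateway for all of them. Only one isolated VLAN may be associated with a primary. `show vlan private-vlan` lists the associations and `show interfaces FastEthernet0/6 switchport` confirms the host mode and mapping took effect.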

4.7 HSRP

Configure HSRP between SW1 and SW2 under VLAN 500:
- Define the user gateway for VLAN 500 as YY.YY.100.254; the IP YY.YY.100.1 should be assigned to the primary HSRP gateway and YY.YY.100.2 to the secondary HSRP gateway
- The active gateway assignment should comply with the active spanning-tree root of VLAN 500
- Active gateway priority 120; the standby is left at the default
- Define a track object for the group: the reachability of the network 150.1.YY.0/24
- The standby will take over the active role within a second if 5 hello packets are not received
- Authentication between both switches: MD5, password cisco
- The primary gateway should have the ability to resume the primary role once the tracked object is reachable
- Make sure the IGP is not running in this subnet
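The HSRP pair written out as an added example, not the questionnaire's solution. It assumes rack YY = 11 and, following the spanning-tree task (VLAN 500 is even, so it belongs to instance 2 with SW2 as root), places the active gateway on SW2; the group number and the decrement value are assumed.

```cisco
! Added example (not from the questionnaire). Assumes YY = 11, SW2 as the VLAN 500
! spanning-tree root, group 1, and a decrement large enough to fall below the default 100.

! SW2 (active)
track 1 ip route 150.1.11.0/24 reachability
interface Vlan500
 ip address 11.11.100.1 255.255.255.0
 standby 1 ip 11.11.100.254
 standby 1 priority 120
 standby 1 preempt                          ! resume the active role when the track recovers
 standby 1 timers msec 200 1                ! hello 200 ms, hold 1 s: five lost hellos = failover
 standby 1 authentication md5 key-string cisco
 standby 1 track 1 decrement 30             ! 120 - 30 = 90 < 100, so SW1 wins while the route is gone

! SW1 (standby, default priority 100)
track 1 ip route 150.1.11.0/24 reachability
interface Vlan500
 ip address 11.11.100.2 255.255.255.0
 standby 1 ip 11.11.100.254
 standby 1 preempt                          ! needed to take over when SW2 lowers its priority
 standby 1 timers msec 200 1
 standby 1 authentication md5 key-string cisco

! both switches: leave Vlan500 out of every routing process (no network statement,
! not even passive), so no IGP packets or adjacencies appear on the user subnet
```

The MD5 key protects against a rogue host on VLAN 500 claiming the virtual gateway, but it cuts both ways: if the two switches disagree on the key, each ignores the other's hellos and both go active on 11.11.100.254, which is the same symptom an attacker would cause. `show standby brief` on both switches should show exactly one Active and one Standby, and `show track 1` shows the reachability state driving the priority.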

Section 5: Network Optimization

5.1 Implement SNMP

Configure SNMP on R3 as per the following requirements:
- Use location "San Jose, US"
- Use contact ccie@cisco.com
- Use the R3 loopback0 interface as the source for SNMP traps
- The SNMPv3 group admin has a user with a view privilege adminview and must view only the ISO MIB
- The SNMPv3 group admin has a user with a view privilege adminwrite and must write only the system MIB
- Ensure that group admin is set with the strongest security mechanism
- A user ccie should belong to group admin and use the MD5 password cisco (case sensitive)
- Ensure that the admin group only allows user access from YY.YY.17.0/24
- Use an SNMP v2c instance for the NMS in YY.YY.67.0/24 to accomplish this task

Note: all view names, groups, usernames and communities are case-sensitive.
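The SNMP configuration as an added example, not the questionnaire's answer. It assumes rack YY = 11, the v2c community name NMS_RO, and, because a `priv` group needs a user with a privacy key and the task states only the MD5 password, an AES-128 privacy password of cisco as well.

```cisco
! Added example (not from the questionnaire). YY = 11, the community name and the
! privacy password are assumptions.
snmp-server location San Jose, US
snmp-server contact ccie@cisco.com
snmp-server trap-source Loopback0

access-list 10 permit 11.11.17.0 0.0.0.255      ! where admin-group managers may come from
access-list 20 permit 11.11.67.0 0.0.0.255      ! the v2c NMS

snmp-server view adminview iso included         ! read access to the whole ISO tree
snmp-server view adminwrite system included     ! write access limited to the system group
! priv = authentication plus encryption, the strongest v3 security level
snmp-server group admin v3 priv read adminview write adminwrite access 10
snmp-server user ccie admin v3 auth md5 cisco priv aes 128 cisco
snmp-server community NMS_RO ro 20

! verification
show snmp group
show snmp user
show snmp view
```

Two things to check after entering this: `snmp-server user` lines are kept in the SNMP engine store and do not appear in `show running-config`, so `show snmp user` is the only place to confirm the user exists with `priv` security; and a group at level `priv` silently rejects a user created with `auth` only, which is the usual cause of an SNMPv3 "works in the lab, fails in production" ticket. The v2c community, being sent in clear text, is the weak spot and is why it is confined to the NMS subnet with the ACL.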

5.2 Implement Netflow

Configure Netflow on R1 according to the following requirements:
- Enable Netflow on R1 to monitor the traffic entering and leaving Area 0 from BB1
- Export the flows to the server YY.YY.56.100, port 2222
- In case the export to the server fails, the accounting information should be exported to the backup server YY.YY.56.101 with the same port number
- Generate a Netflow sample of one out of every 1000 packets
- Use the R1 Loopback as the source address for the exports
- Use Netflow version 9 with reliable transfer
- Do not use a policy-map

OR (other Netflow question):
- Use Netflow version 9 with reliable transfer
- Enable Netflow on R1 to monitor the traffic entering and leaving Area 0 from BB1
- Export the flows to the server YY.YY.56.100, port 2222
- In case the export to the server fails, use the backup server YY.YY.56.101 with the same port number
- Generate a Netflow sample of one out of every 1000 packets

- By WaytoCcar
