
CIERSASSESS-5-AK

Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1


The Cisco 360 CCIE Routing and Switching (R&S) Advanced Workshop 2 is a five-day course for CCIE candidates who are ready to attempt the Cisco CCIE lab. Advanced Workshop 2 is not an entry-level course. You should take this course only if you are close to passing the actual CCIE lab. Advanced Workshop 2 further develops such high-level candidates by presenting learners with five multitopic labs that simulate the actual Cisco CCIE lab experience. Four of the labs are eight hours long; one is four hours long. One lab is administered on each day of the course. On the first four days, you will perform an eight-hour lab. On the fifth day of the course, you will perform the four-hour lab. During each lab, you will be tested on your knowledge of complex internetworking subjects, your problem-solving skills, and your test-taking strategies. After each of the labs, you will receive a detailed assessment score report combined with an answer key and Mentor Guide support. To supplement this feedback, Cisco CCIE instructors will provide review sessions after each lab and directed instruction during each lab, if necessary. These resources provide feedback that maximizes the learning experience of each lab.

Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1 Answer Key

COPYRIGHT 2009, CISCO SYSTEMS, INC. ALL RIGHTS RESERVED. ALL CONTENT AND MATERIALS, INCLUDING WITHOUT LIMITATION, RECORDINGS, COURSE MATERIALS, HANDOUTS AND PRESENTATIONS AVAILABLE ON THIS PAGE, ARE PROTECTED BY COPYRIGHT LAWS. THESE MATERIALS ARE LICENSED EXCLUSIVELY TO REGISTERED STUDENTS FOR THEIR INDIVIDUAL PARTICIPATION IN THE SUBJECT COURSE. DOWNLOADING THESE MATERIALS SIGNIFIES YOUR AGREEMENT TO THE FOLLOWING: (1) YOU ARE PERMITTED TO PRINT THESE MATERIALS ONLY ONCE, AND OTHERWISE MAY NOT REPRODUCE THESE MATERIALS IN ANY FORM, OR BY ANY MEANS, WITHOUT PRIOR WRITTEN PERMISSION FROM CISCO; AND (2) YOU ARE NOT PERMITTED TO SAVE ON ANY SYSTEM, MODIFY, DISTRIBUTE, REBROADCAST, PUBLISH, TRANSMIT, SHARE OR CREATE DERIVATIVE WORKS ANY OF THESE MATERIALS. IF YOU ARE NOT A REGISTERED STUDENT THAT HAS ACCEPTED THESE AND OTHER TERMS OUTLINED IN THE STUDENT AGREEMENT OR OTHERWISE AUTHORIZED BY CISCO, YOU ARE NOT AUTHORIZED TO ACCESS THESE MATERIALS.

Cisco 360 CCIE R&S Workshop 2 Assessment Lab 1 Answer Key

2009 Cisco Systems, Inc.

Table of Contents
Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1 ............................ 1
Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1 Answer Key ............. 2
Table of Contents ........................................................................ 3
Answer Key Structure ..................................................................... 4
  Section One ............................................................................ 4
  Section Two ............................................................................ 4
Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1 Answer Key ............. 5
Grading and Duration ..................................................................... 5
Restrictions and Goals ................................................................... 5
Explanation of Each of the Restrictions and Goals ........................................ 7
1. Frame Relay and Serial Communications Section ......................................... 9
2. Cisco Catalyst Switch Configuration Section .......................................... 11
3. IPv4 OSPF Section .................................................................... 22
4. IPv4 EIGRP Section ................................................................... 24
5. IPv4 RIP Section ..................................................................... 27
6. Cisco OER and NAT Section ............................................................ 28
7. Border Gateway Protocol Section ...................................................... 37
8. IPv6 Routing Section ................................................................. 41
9. Security Section ..................................................................... 46
10. QoS Section ......................................................................... 49
11. Address Administration Section ...................................................... 50
12. HSRP Gateway Redundancy Section ..................................................... 51
13. NTP Configuration Section ........................................................... 52
14. Multicast Configuration Section ..................................................... 54
15. SNMP Section ........................................................................ 57


Answer Key Structure


Section One
The answer key PDF document is downloadable from the web portal.

Section Two
To obtain a comprehensive view of the configuration, access the Mentor Guide engine in the web portal.


Cisco 360 CCIE R&S Advanced Workshop 2 Assessment Lab 1 Answer Key
Regardless of any configuration that you perform in this lab, you must conform to the general guidelines that are provided. If you do not conform to the guidelines, you can expect a significant deduction of points in your final exam score.

Grading and Duration

Lab duration: 8 hours
Maximum score: 100 points
Minimum passing score: 80 points

Restrictions and Goals


Note Read this section carefully.

- To receive any credit for a subsection, you must complete the subsection. You will not get partial credit for partially completed subsections.
- IP subnets on the Lab IPv4 IGP diagram belong to network 172.16.0.0/16.
- Use a minimum number of statements in all filters unless otherwise directed.
- Use only the IP version 4 (IPv4) and IP version 6 (IPv6) addresses that are displayed on the IPv4 and IPv6 interior gateway protocol (IGP) diagrams. Do not introduce new addresses.
- The Frame Relay switching router is configured for a full mesh of permanent virtual circuits (PVCs). Do not change the PVC configuration on the Frame Relay switching router.
- Do not rely on Frame Relay Inverse Address Resolution Protocol (Inverse ARP).
- Do not create any static routes on any routers and switches except for R6 and SW2.
- Do not use policy-based routing (PBR).
- Advertise all loopback interfaces with their original masks, unless noted otherwise.
- All IPv4 IP addresses involved in this scenario must be reachable, except for the prefixes from the 1.0.0.0/8 network that are involved in Cisco Optimized Edge Routing (OER), prefixes that are advertised from the backbone, and interfaces that are connected to the shared equipment.


- N represents the group number; X represents the pod number. Check your online instructions for your number NX. Failure to assign the correct IP address could result in losing points in multiple sections.
- Do not modify the hostname, console, or vty configuration unless you are specifically asked to do so.
- Do not modify the initial interface or IP address numbering.


Explanation of Each of the Restrictions and Goals


IP subnets in the scenario diagrams belong to network 172.16.0.0/16. The third and fourth octets of the IP addresses that are displayed on the diagrams belong to 172.16.0.0/16.

Use a minimum number of statements whenever possible. If a task requires an access list, prefix list, or autonomous system (AS) path filter list, use as few statements as possible.

Use only the IPv4 and IPv6 addresses that are displayed on the IPv4 and IPv6 IGP diagrams. Do not introduce new ones. Do not create any new IP addresses. Use the existing addresses to accomplish all tasks.

The Frame Relay switch router is configured for a full mesh of PVCs. Do not change the PVC configuration. Find alternate methods of controlling the full mesh of PVCs.

Do not rely on dynamic Frame Relay Inverse ARP. This requirement forces you to fulfill your Frame Relay Inverse ARP requirements with Frame Relay map statements. Think of a Frame Relay map statement as the equivalent of a static Inverse ARP entry.

Do not create any static routes manually. Static routes can solve a range of reachability problems. However, you cannot use them. You must rely on skillful configuration of all your unicast routing protocols. The scenario is not concerned about static routes created by any Cisco IOS Software protocol or feature.

You can create only one tunnel link in this scenario. Only one tunnel interface is allowed between R1 and R6 to encapsulate and exchange the Cisco Discovery Protocol packets.

Advertise all IPv4 and IPv6 loopback interfaces with their original mask, unless noted otherwise. This requirement is primarily for the Open Shortest Path First (OSPF) advertised loopbacks. Use the ip ospf network point-to-point command under the loopback interface. Otherwise, the loopback will be advertised as a /32 host entry by default.

Do not change the configuration on the lines CON and AUX. These lines are used for grading.

All IP interfaces in the diagram must be reachable within this internetwork. This is a key goal and requires that all IGPs and routing policy tasks be configured properly. The key elements of your routing policy include route redistribution and the controlling of routing updates using distribute lists, route maps, and the distance command. Although the term redistribution might never be explicitly used in this exam, you must perform redistribution to ensure that all IP addresses are reachable without the use of static routes.

IP addresses from the networks that are connected to the backbone are excluded from the previous requirement. You are not required to make backbone prefixes reachable from all routers in your pod.


N represents the group number; X represents the pod number. Check your online instructions for your group and pod numbers, which give your number NX.

Do not modify the hostname, console configuration, vty configuration, initial interface, or IP address numbering. Follow the numbering conventions carefully.


1. Frame Relay and Serial Communications Section


Issue: Configure the Frame Relay interface, and control the full mesh with static maps. Verify Layer 3 connectivity.

Solution: The Frame Relay switch is preconfigured for a full mesh of PVCs. You are instructed to use a minimum amount of data-link connection identifiers (DLCIs) to provide Layer 3 connectivity. When examining the Lab IPv4 IGP diagram, you see that the Layer 3 connections over the nonbroadcast multiaccess (NBMA) network reflect a hub-and-spoke topology. To fulfill this requirement, perform the following tasks:

- Disable Inverse ARP.
- Provide static Frame Relay mappings on each of the Frame Relay attached routers.
- Make sure that one spoke of the Frame Relay topology can ping the other spoke. To fulfill this requirement, make sure that routers R2 and R3 not only possess a Frame Relay map statement to R1 but also possess map statements to one another.

Issue: All Frame Relay interfaces must be capable of receiving pings, including local interfaces.

Solution: A local Frame Relay interface will not respond to a ping from a router unless you provide Layer 3-to-Layer 2 mapping for the destination address. To make the local address capable of receiving pings, there must be a mapping for the local address as well. Use the PVC associated with the interface where the local IP address is configured for the Frame Relay map. For example, use the frame-relay map ip 172.16.123.2 201 command on R2.

Issue: R1 must be sending Internet Control Message Protocol (ICMP) packets to R2 when you ping 172.16.123.1 from R1.

Solution: This requirement suggests using DLCI 102 in the map statement for the local Frame Relay mapping to the R1 IP address 172.16.123.1. Even if the router pings its own local interface, the ICMP packet will be encapsulated into a Frame Relay frame with the respective DLCI and will be transmitted to the other end of the PVC associated with the DLCI. The remote end will send it back, assuming that the other router possesses the necessary Layer 3-to-Layer 2 mapping information.

Configuration and verification: R1 and R2 are used as an example of the hub-and-spoke configuration. R3 is configured similarly to R2.
R1#show run interface Serial0/0/0.123 | inc map ip
 frame-relay map ip 172.16.123.1 102
 frame-relay map ip 172.16.123.2 102 broadcast
 frame-relay map ip 172.16.123.3 103 broadcast
R1#
R2#show run int Serial0/0/0 | inc map ip
 frame-relay map ip 172.16.123.1 201
 frame-relay map ip 172.16.123.2 201 broadcast
 frame-relay map ip 172.16.123.3 201
R2#

Note Only one map statement for a protocol and a DLCI is configured with the broadcast keyword. It will satisfy the requirement to encapsulate the broadcast and multicast packets on this DLCI if necessary (IGP routing and multicast routing).

R1#ping 172.16.123.255 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.16.123.255, timeout is 2 seconds:
Reply to request 0 from 172.16.123.2, 8 ms
Reply to request 0 from 172.16.123.3, 20 ms
R1#

R2:
interface Serial0/0/0.62 point-to-point
 ip address 172.16.62.2 255.255.255.0
 frame-relay interface-dlci 206
R6:
interface Serial0/0/0.62 point-to-point
 ip address 172.16.62.6 255.255.255.0
 frame-relay interface-dlci 602

Verify connectivity on the Frame Relay subnet:


R2#ping 172.16.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
R2#ping 172.16.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/27/88 ms
R2#ping 172.16.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms
R2#
R6#ping 172.16.62.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.62.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/104/120 ms

Verify that when R1 pings its own IP address 172.16.123.1, the ICMP packets travel to R2. On R2, create an access list for debugging purposes, for example, access list 199:
R2(config)#access-list 199 permit icmp any any

Disable fast switching on the serial interface so that the debugging process can pick up the ICMP packets, which are not destined to R2 but are rerouted to R1:
R2(config)#int Serial0/0/0
R2(config-if)#no ip route-cache

Run the debug ip packet detail 199 and debug ip icmp commands on R2:
R2#deb ip pack det 199
IP packet debugging is on (detailed) for access list 199
R2#debug ip icmp
ICMP packet debugging is on
R2#

Go to R1 and ping 172.16.123.1:


R1#ping 172.16.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/100 ms
R1#

On R2, you should see similar debugging traces:


R2#
*May 29 18:33:36.169: IP: tableid=0, s=172.16.123.1 (Serial0/0/0), d=172.16.123.1 (Serial0/0/0), routed via FIB
*May 29 18:33:36.169: IP: s=172.16.123.1 (Serial0/0/0), d=172.16.123.1 (Serial0/0/0), len 100, redirected
    ICMP type=8, code=0
*May 29 18:33:36.169: ICMP: redirect sent to 172.16.123.1 for dest 172.16.123.1, use gw 172.16.123.1

R2 receives the Frame Relay packets on DLCI 102 and redirects the IPv4 packets back to R1 according to the destination IPv4 address 172.16.123.1 and Frame Relay map statement for 172.16.123.1 and DLCI 201. Do not forget to remove the access list, apply fast switching, and use the undebug all command.
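The map statements above can be checked offline for the properties this section asks for (a map for every subnet address including the local one, at most one broadcast map per DLCI, and spoke-to-spoke maps that ride the hub PVC). The script below is an added example and is not part of the answer key; the R1 and R2 lines are copied from the show run output, the R3 lines and its DLCI 301 are assumed by analogy with R2.

```python
"""Static Frame Relay map audit for the hub-and-spoke subnet 172.16.123.0/24.

Added example, not from the Cisco answer key. R1 and R2 maps are the ones shown
in the section; R3 maps and DLCI 301 are constructed by analogy with R2.
"""
import re
from collections import Counter

MAP_RE = re.compile(r"^\s*frame-relay map ip (\S+) (\d+)( broadcast)?\s*$")

# Constructed input: router -> map statements as they appear in the config.
CONFIGS = {
    "R1": [
        "frame-relay map ip 172.16.123.1 102",
        "frame-relay map ip 172.16.123.2 102 broadcast",
        "frame-relay map ip 172.16.123.3 103 broadcast",
    ],
    "R2": [
        "frame-relay map ip 172.16.123.1 201",
        "frame-relay map ip 172.16.123.2 201 broadcast",
        "frame-relay map ip 172.16.123.3 201",
    ],
    "R3": [  # assumed: R3 is configured like R2, DLCI 301 toward the hub
        "frame-relay map ip 172.16.123.1 301",
        "frame-relay map ip 172.16.123.2 301",
        "frame-relay map ip 172.16.123.3 301 broadcast",
    ],
}
# Address ownership on the NBMA subnet, from the IGP diagram.
OWNER = {"172.16.123.1": "R1", "172.16.123.2": "R2", "172.16.123.3": "R3"}
HUB = "R1"


def parse_maps(lines):
    """Return {address: (dlci, has_broadcast)} for one router's map lines."""
    maps = {}
    for line in lines:
        m = MAP_RE.match(line)
        if not m:
            raise ValueError(f"not a frame-relay map statement: {line!r}")
        maps[m.group(1)] = (int(m.group(2)), m.group(3) is not None)
    return maps


def audit(configs, owner, hub):
    """Return a list of findings; an empty list means the maps meet the task."""
    findings = []
    addrs = set(owner)
    for router, lines in configs.items():
        maps = parse_maps(lines)
        me = next(a for a, o in owner.items() if o == router)
        # 1. every address on the subnet, the local one included, needs a map
        for missing in sorted(addrs - set(maps)):
            findings.append(f"{router}: no map for {missing}")
        # 2. the local map must use a DLCI that also leads to a neighbour, so a
        #    self-ping actually traverses a PVC and is echoed by the far end
        neighbour_dlcis = {d for a, (d, _) in maps.items() if a != me}
        if me in maps and maps[me][0] not in neighbour_dlcis:
            findings.append(f"{router}: local map for {me} uses a DLCI that leads nowhere")
        # 3. only one map per DLCI may carry the broadcast keyword
        for dlci, n in Counter(d for d, b in maps.values() if b).items():
            if n > 1:
                findings.append(f"{router}: {n} broadcast maps on DLCI {dlci}")
        # 4. spokes reach the other spoke through the hub DLCI, not a direct PVC
        if router != hub:
            hub_addr = next(a for a, o in owner.items() if o == hub)
            hub_dlci = maps.get(hub_addr, (None, None))[0]
            for a, (d, _) in maps.items():
                if owner[a] not in (router, hub) and d != hub_dlci:
                    findings.append(f"{router}: map for {a} uses DLCI {d}, not hub DLCI {hub_dlci}")
    return findings


if __name__ == "__main__":
    for f in audit(CONFIGS, OWNER, HUB) or ["maps satisfy the task"]:
        print(f)
```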
Note To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

2. Cisco Catalyst Switch Configuration Section


Configure the VLANs and the VLAN names according to the scenario specifications, and assign the ports of the switches to these VLANs. Spell the VLAN names correctly, and match the letter case. To ensure a thorough understanding of the Layer 2 topology, create a VLAN propagation diagram like the one that follows. Construct it by studying the VLAN table, Switch-to-Router Connections table, Switch-to-Switch Connections table, the IGP diagrams, and the other section requirements, and then carefully document each connection on a copy of the physical layer diagram. You will find that, with practice, you can create such a diagram quickly and find it to be a valuable tool.


VLAN Propagation


Issue: Do not use any dynamic VLAN advertisement techniques.

Solution: The Cisco Catalyst switch can be configured in one of three modes: server mode, client mode, or transparent mode. The client and server communicate VLANs dynamically to each other using the VLAN Trunking Protocol (VTP). This scenario requires no dynamic VLAN advertisements; therefore, configure VTP transparent mode. VTP transparent mode does not advertise any VLANs that are locally created.

Issue: Allow only necessary VLANs on the trunk between switches SW1 and SW2.

Solution: The preceding VLAN Propagation diagram will help you determine which VLANs stay within one switch and which VLANs span across the links between SW1, SW2, SW3, and SW4. The diagram also shows which VLANs must be allowed on the trunks. Only VLANs 12, 16, 88, and 150 will be allowed between SW1 and SW2 on the port channel.

Verification:
SW1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/5       on           802.1q         trunking      1
Fa0/19      desirable    isl            trunking      1
Po1         desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/5       25,150
Fa0/19      12,16
Po1         12,16,88,150

Port        Vlans allowed and active in management domain
Fa0/5       25,150
Fa0/19      12,16
Po1         12,16,88,150

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/5       25,150
Fa0/19      12
Po1         12,16,88,150
SW1#

SW2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/19      on           isl            trunking      1
Po1         on           isl            trunking      1

Port        Vlans allowed on trunk
Fa0/1       16-17,88,100
Fa0/19      12,17,34,100,150
Po1         12,16,88,150

Port        Vlans allowed and active in management domain
Fa0/1       16-17,88,100
Fa0/19      12,17,34,100,150
Po1         12,16,88,150

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       16-17,88,100
Fa0/19      12,17,34,100,150
Po1         12,16,88,150
SW2#
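Checking the "Vlans allowed on trunk" table against the expected list is the quickest way to catch a VLAN that leaks across a switch-to-switch link. The script below is an added example, not part of the answer key; it embeds the SW1 and SW2 output above as constructed strings, expands ranges such as 16-17, and reports extra or missing VLANs per trunk.

```python
"""Audit the VLANs allowed on each trunk from IOS 'show interfaces trunk' output.

Added example, not from the answer key. The two outputs below are constructed
copies of the SW1 and SW2 verification shown in this section.
"""
import re

SW1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/5       on           802.1q         trunking      1
Fa0/19      desirable    isl            trunking      1
Po1         desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/5       25,150
Fa0/19      12,16
Po1         12,16,88,150

Port        Vlans allowed and active in management domain
Fa0/5       25,150
Fa0/19      12,16
Po1         12,16,88,150
"""

SW2_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/19      on           isl            trunking      1
Po1         on           isl            trunking      1

Port        Vlans allowed on trunk
Fa0/1       16-17,88,100
Fa0/19      12,17,34,100,150
Po1         12,16,88,150

Port        Vlans allowed and active in management domain
Fa0/1       16-17,88,100
Fa0/19      12,17,34,100,150
Po1         12,16,88,150
"""


def expand_vlans(spec):
    """'16-17,88,100' -> {16, 17, 88, 100}; 'none' -> empty set."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_allowed(output):
    """Return {port: set_of_vlans} from the 'Vlans allowed on trunk' table only."""
    allowed = {}
    in_block = False
    for line in output.splitlines():
        # the header of the block we want; 'Vlans allowed and active' does not match
        if re.match(r"Port\s+Vlans allowed on trunk", line):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break  # blank line ends the table
            port, spec = line.split(None, 1)
            allowed[port] = expand_vlans(spec)
    return allowed


def audit_trunks(output, expected):
    """Return {port: (extra_vlans, missing_vlans)} for trunks that deviate."""
    allowed = parse_allowed(output)
    findings = {}
    for port, want in expected.items():
        have = allowed.get(port, set())
        extra, missing = have - want, want - have
        if extra or missing:
            findings[port] = (extra, missing)
    return findings


if __name__ == "__main__":
    # the task allows only 12, 16, 88 and 150 on the SW1-SW2 port channel
    print(audit_trunks(SW1_TRUNK, {"Po1": {12, 16, 88, 150}}))
    print(audit_trunks(SW2_TRUNK, {"Po1": {12, 16, 88, 150}}))
```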


Issue: Configure the following switch-to-router connections. Use the IEEE tagging method on these trunk links where necessary.

Solution: Inter-Switch Link (ISL) is a proprietary Cisco protocol; the alternative trunking protocol, 802.1Q, is an IEEE standard.

Issue: Automatically aggregate ports 0/23 and 0/24 between SW1 and SW2 using the protocol that is nonproprietary to Cisco.

Solution: The ports 0/23 and 0/24 can be automatically aggregated using Link Aggregation Control Protocol (LACP). This protocol is defined in IEEE 802.3ad.

Issue: Initiate this process from the SW1 switch only.

Solution: The interface starts actively sending LACP negotiation protocol packets if it is configured with the keyword active. If the interface is configured as passive, it listens to the LACP packets and responds to them, but it does not initiate the packets itself. The solution is to configure the SW1 ports as active (SA below) and the SW2 ports as passive (SP below).

Verification:
SW1#show lacp internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode        P - Device is in Passive mode
Channel group 1
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Fa0/23    SA      bndl      32768         0x1       0x1     0x13        0x3D
Fa0/24    SA      bndl      32768         0x1       0x1     0x14        0x3D
SW1#

SW1#show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode        P - Device is in Passive mode
Channel group 1 neighbors
Partner's information:
                  LACP port                        Oper    Port    Port
Port      Flags   Priority  Dev ID          Age    Key     Number  State
Fa0/23    SP      32768     000a.8afb.2680   4s    0x1     0x13    0x3C
Fa0/24    SP      32768     000a.8afb.2680   4s    0x1     0x14    0x3C
SW1#

Issue: Use a Cisco proprietary trunk protocol on the link between SW1 and SW2. Specify the trunk encapsulation on SW2 only. The SW2 end of the trunk should be set to permanent trunking.

Solution: The Cisco proprietary protocol is ISL. The SW2 end will be set with the encapsulation ISL and mode trunk. SW1 will retain the default mode, dynamic desirable. A summary of the configuration is shown here. Note that the channel-protocol lacp command is optional here; it simply precludes the configuration of modes other than LACP.

SW1:
interface Port-channel1
 switchport mode dynamic desirable
!
interface FastEthernet0/23
 switchport mode dynamic desirable
 channel-group 1 mode active
 channel-protocol lacp
!
interface FastEthernet0/24
 switchport mode dynamic desirable
 channel-group 1 mode active
 channel-protocol lacp

SW2:
interface Port-channel1
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface FastEthernet0/23
 switchport trunk encapsulation isl
 switchport mode trunk
 channel-group 1 mode passive
 channel-protocol lacp
!
interface FastEthernet0/24
 switchport trunk encapsulation isl
 switchport mode trunk
 channel-group 1 mode passive
 channel-protocol lacp

Verification:
SW1#sh interfaces trunk | inc isl
Fa0/19      desirable    isl            trunking      1
Po1         desirable    n-isl          trunking      1
SW1#
SW2#sh interfaces trunk | inc isl
Fa0/19      on           isl            trunking      1
Po1         on           isl            trunking      1
SW2#

Issue: Make SW4 the root bridge for VLAN 12 with priority 24576. Leave all path cost values on the links of VLAN 12 to the default values set by the Cisco IOS Software. If the link between SW1 and SW2 goes down, make sure that forwarding on the link between SW1 and SW3 resumes within 5 seconds maximum.

Solution: Look at the following diagram. By default, you should find the interface 0/19 on SW1 blocking for VLAN 12:


If the link between SW1 and SW2 goes down, the Spanning Tree Protocol (STP) will recalculate a new forwarding path from SW1 to the root, and interface 0/23 will go through different states, namely listening and learning. This can take up to 50 seconds. The scenario specifies a maximum of only 5 seconds. The optional spanning-tree feature UplinkFast can help you to solve this task: UplinkFast provides fast convergence after a direct link failure and achieves load balancing between redundant Layer 2 links using uplink groups. An uplink group is a set of Layer 2 interfaces (per VLAN), only one of which is forwarding at any given time. Specifically, an uplink group consists of the root port, which is forwarding, and a set of blocked ports, except for self-looping ports. The uplink group provides an alternate path in case the currently forwarding link fails.


As the preceding diagram shows, if SW1 detects a direct link failure on its root port (the port channel link), UplinkFast unblocks the blocked interface on SW1 and transitions it to the forwarding state without going through the listening and learning states. This change takes approximately 1 to 5 seconds. The following diagram illustrates this process:

Configuration and verification: Configure the root bridge on SW4:


spanning-tree vlan 12 priority 24576

On SW1, verify the blocking interface:


SW1#sh spanning-tree vlan 12

VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588
             Address     0017.0e3f.4080
             Cost        3031
             Port        65 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49164  (priority 49152 sys-id-ext 12)
             Address     000a.b7f7.7900
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15
  Uplinkfast enabled

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/6            Desg FWD 3019      128.8    P2p
Fa0/19           Altn BLK 19        128.19   P2p
Po1              Root FWD 12        128.65   P2p
SW1#

As you can see, the blocking interface is on the link just as on the diagram. Normally, a blocking port transitions from blocking to a forwarding state through listening and learning states. For example:


SW1#debug spanning-tree events Spanning Tree event debugging is on


SW1#conf t Enter configuration commands, one per line. End with CNTL/Z.

SW1(config)#int po1
SW1(config-if)#shut
SW1(config-if)#
20:51:37: STP: VLAN0012 new root port Fa0/19, cost 38
20:51:37: STP: VLAN0012 Fa0/19 -> listening
20:51:37: STP: VLAN0016 we are the spanning tree root
20:51:37: STP: VLAN0088 we are the spanning tree root
20:51:38: STP: VLAN0016 heard root 24592-000a.8afb.2680 on Fa0/19
20:51:38:     supersedes 32784-000a.b7f7.7900
20:51:38: STP: VLAN0016 new root is 24592, 000a.8afb.2680 on port Fa0/19, cost 38
20:51:38: STP: VLAN0016 sent Topology C
SW1(config-if)#hange Notice on Fa0/19
20:51:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
20:51:39: %LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down
20:51:39: %LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
20:51:39: STP: VLAN0012 sent Topology Change Notice on Fa0/19
SW1(config-if)#
20:51:39: %LINK-5-CHANGED: Interface Port-channel1, changed state to administratively down
20:51:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to down
20:51:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
SW1(config-if)#
20:51:52: STP: VLAN0012 Fa0/19 -> learning
SW1(config-if)#
20:52:07: STP: VLAN0012 sent Topology Change Notice on Fa0/19
20:52:07: STP: VLAN0012 Fa0/19 -> forwarding
SW1(config-if)#

It took about 30 seconds in this example to get from blocking to forwarding. Bring the interface port channel back up, and configure UplinkFast. When you enable UplinkFast, it affects all VLANs on the switch. You cannot configure UplinkFast on an individual VLAN. When UplinkFast is enabled, the switch priority of all VLANs is set to 49152. If you change the path cost to a value less than 3000 and enable UplinkFast, or UplinkFast is already enabled, the path cost of all interfaces and VLAN trunks is increased by 3000. (If you change the path cost to 3000 or above, the path cost is not altered.) The changes to the switch priority reduce the chance that a switch will become the root switch.
SW1(config)#spanning-tree uplinkfast
SW1#show spanning-tree vlan 12

VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588
             Address     0017.0e3f.4080
             Cost        3031
             Port        65 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49164  (priority 49152 sys-id-ext 12)
             Address     000a.b7f7.7900
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300
  Uplinkfast enabled

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/6            Desg FWD 3019      128.8    P2p
Fa0/19           Altn BLK 3019      128.23   P2p
Po1              Root FWD 3012      128.65   P2p
SW1#

Note Path cost and bridge priority are changed.

Shut down the port channel interface, and observe the spanning-tree events:
SW1(config)#int po 1
SW1(config-if)#shut
SW1(config-if)#
21:02:09: STP: VLAN0012 new root port Fa0/19, cost 3038
21:02:09: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0012 FastEthernet0/19 moved to Forwarding (UplinkFast).
21:02:09: STP: VLAN0016 new root port Fa0/19, cost 3038
21:02:09: STP: VLAN0088 we are the spanning tree root
21:02:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
SW1(config-if)#
21:02:11: %LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down
21:02:11: %LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
21:02:11: STP: VLAN0012 sent Topology Change Notice on Fa0/19
21:02:11: STP: VLAN0016 sent Topology Change Notice on Fa0/19
SW1(config-if)#
21:02:11: %LINK-5-CHANGED: Interface Port-channel1, changed state to administratively down
21:02:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to down
21:02:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
SW1(config-if)#

Note Port 0/19 immediately moved to the forwarding state.

Issue: Place the access interfaces 0/21 of SW2 and SW3 on the STP. Make SW2 the root bridge for VLAN 16 with priority 24576. Leave all path cost values on the links of VLAN 16 to the default set by Cisco IOS Software. If the link between SW2 and SW3 goes down, make sure that forwarding on the link between SW1 and SW3 resumes without waiting for maximum aging time expiration.

Solution: Look at the following diagram. By default, you should find that the blocking interface is 0/19 on SW1 for VLAN 16:


If the link between SW2 and SW3 fails, as shown in the following diagram, SW1 cannot detect this failure, because it is not connected directly to the failed link. However, because SW3 is directly connected to the root switch over this link, it detects the failure, elects itself the root, and begins sending bridge protocol data units (BPDUs) to SW1, identifying itself as the root. When SW1 receives the inferior BPDUs from SW3, SW1 assumes that an indirect failure has occurred. At that point, BackboneFast allows the blocked interface on SW1 to move immediately to the listening state without waiting for the maximum aging time for the interface to expire. BackboneFast then transitions the Layer 2 interface on SW1 to the forwarding state, providing a path from SW3 to SW2. The root-switch election takes approximately 30 seconds, twice the forward delay time if the default forward delay time of 15 seconds is set. The following diagram shows how BackboneFast reconfigures the topology to account for the failure between SW2 and SW3. If you use BackboneFast, you must enable it on all switches in the network.

Configuration and verification: Configure the root bridge on SW2:


spanning-tree vlan 16 priority 24576

On SW2 and SW1, verify the blocking interface:


SW2#show spanning-tree vlan 16

VLAN0016
  Spanning tree enabled protocol ieee
  Root ID    Priority    24592
             Address     000a.8afb.2680
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24592  (priority 24576 sys-id-ext 16)
             Address     000a.8afb.2680
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/6            Desg FWD 19        128.8    P2p
Fa0/21           Desg FWD 19        128.21   P2p
Po1              Desg FWD 12        128.65   P2p
SW2#

SW1#show spanning-tree vlan 16

VLAN0016
  Spanning tree enabled protocol ieee
  Root ID    Priority    24592
             Address     000a.8afb.2680
             Cost        3012
             Port        65 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49168  (priority 49152 sys-id-ext 16)
             Address     000a.b7f7.7900
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15
  Uplinkfast enabled

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 3019      128.8    P2p
Fa0/19           Altn BLK 3019      128.23   P2p
Po1              Root FWD 3012      128.65   P2p
SW1#

The blocking interface is Fa0/19 on SW1, on the link to SW3, just as on the diagram. The path costs and the bridge priority on SW1 are changed by the previous UplinkFast configuration. Shut down interface 0/21 of SW2, and observe the spanning-tree events on SW1:
SW1#debug spanning-tree events
Spanning Tree event debugging is on
SW1#
21:25:19: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:21: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:23: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:25: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:27: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:29: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:31: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:33: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:35: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:37: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:25:37: STP: VLAN0016 Fa0/19 -> listening
21:25:38: STP: VLAN0016 Topology Change rcvd on Fa0/19
21:25:38: STP: VLAN0016 sent Topology Change Notice on Po1
21:25:52: STP: VLAN0016 Fa0/19 -> learning
21:26:07: STP: VLAN0016 sent Topology Change Notice on Po1
21:26:07: STP: VLAN0016 Fa0/19 -> forwarding

In this example, it took about 18 seconds to get to a listening state. Bring the interface 0/21 of SW2 back up, and configure BackboneFast on all switches configured for VLAN 16:
SW1#show run | inc backbone
spanning-tree backbonefast
SW1#
SW2#show run | inc backbone
spanning-tree backbonefast
SW2#
SW3#show run | inc backbone
spanning-tree backbonefast
SW3#


Shut down interface 0/21 of SW2, and observe the spanning-tree events:
21:40:47: STP: VLAN0016 heard root 32784-0019.55af.7800 on Fa0/19
21:40:47: STP: VLAN0016 Fa0/19 -> listening
21:40:48: STP: VLAN0016 Topology Change rcvd on Fa0/19
21:40:48: STP: VLAN0016 sent Topology Change Notice on Po1
21:41:02: STP: VLAN0016 Fa0/19 -> learning
21:41:17: STP: VLAN0016 sent Topology Change Notice on Po1
21:41:17: STP: VLAN0016 Fa0/19 -> forwarding

Port Fa0/19 moved to listening state right after it received the inferior BPDU from SW3.
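The root, root-port and blocked-port computation behind the output above, as an added example that is not part of the Cisco answer key. It models the three VLAN 16 switches with the bridge priorities and port costs shown in the show output, including the 3000 that UplinkFast adds to every port cost on SW1, and recomputes the topology with the SW2-SW3 link down (the BackboneFast case) and with Po1 down (the UplinkFast case at the start of this section). SW3's port names are assumptions, and the model has no timers: it shows where forwarding ends up, not how long convergence takes.

```python
import heapq
from collections import namedtuple

# Bridge ID = (priority + sys-id-ext, MAC address); the lower tuple wins.
# SW1 and SW2 values come from the show output; SW3's come from the debug line
# "heard root 32784-0019.55af.7800" (32784 = 32768 + 16).
VLAN = 16
BRIDGES = {
    "SW1": (49152 + VLAN, "000a.b7f7.7900"),
    "SW2": (24576 + VLAN, "000a.8afb.2680"),
    "SW3": (32768 + VLAN, "0019.55af.7800"),
}

# Each link with the STP cost of the port on either end.  SW1 runs UplinkFast,
# which adds 3000 to its port costs; SW3's port names are assumptions.
Link = namedtuple("Link", "a a_port a_cost b b_port b_cost")
LINKS = [
    Link("SW1", "Po1", 3012, "SW2", "Po1", 12),
    Link("SW1", "Fa0/19", 3019, "SW3", "Fa0/19", 19),
    Link("SW2", "Fa0/21", 19, "SW3", "Fa0/21", 19),
]


def adjacencies(links, sw):
    """For every link on sw, yield (neighbour, neighbour's port, neighbour's port cost)."""
    for l in links:
        if l.a == sw:
            yield l.b, l.b_port, l.b_cost
        if l.b == sw:
            yield l.a, l.a_port, l.a_cost


def compute_stp(bridges, links):
    """Return (root bridge, root path cost per bridge, role per (bridge, port)).

    A bridge's root path cost is its neighbour's root path cost plus the cost of
    its own receiving port; ties are broken by the advertising bridge ID.
    """
    root = min(bridges, key=bridges.get)
    best = {root: (0, bridges[root], None)}   # bridge -> (cost, via BID, root port)
    frontier = [(0, bridges[root], root)]
    while frontier:
        cost, via, sw = heapq.heappop(frontier)
        if (cost, via) > best[sw][:2]:
            continue                           # stale heap entry
        for nb, nb_port, nb_cost in adjacencies(links, sw):
            cand = (cost + nb_cost, bridges[sw], nb_port)
            if nb != root and (nb not in best or cand[:2] < best[nb][:2]):
                best[nb] = cand
                heapq.heappush(frontier, (cand[0], cand[1], nb))
    roles = {}
    for l in links:
        ends = ((l.a, l.a_port), (l.b, l.b_port))
        for (x, xp), (y, _) in (ends, ends[::-1]):
            if xp == best[x][2]:
                roles[(x, xp)] = "Root"        # the port facing the root
            elif (best[x][0], bridges[x]) < (best[y][0], bridges[y]):
                roles[(x, xp)] = "Desg"        # this end is designated for the segment
            else:
                roles[(x, xp)] = "Altn"        # blocked, kept as an alternate path
    return root, {sw: v[0] for sw, v in best.items()}, roles


def scenario(failed_between=None):
    """STP result for VLAN 16, optionally with the link between two switches down."""
    links = [l for l in LINKS
             if failed_between is None or {l.a, l.b} != set(failed_between)]
    return compute_stp(BRIDGES, links)


if __name__ == "__main__":
    cases = (("all links up", None), ("SW2-SW3 down", ("SW2", "SW3")),
             ("SW1-SW2 Po1 down", ("SW1", "SW2")))
    for label, failed in cases:
        root, costs, roles = scenario(failed)
        print(f"{label}: root={root} costs={costs}")
        for (sw, port), role in sorted(roles.items()):
            print(f"  {sw} {port:<7} {role}")
```

The model reproduces the page's numbers: SW1 reaches the root at cost 3012 via Po1 with Fa0/19 as the alternate (blocked) port, at cost 3038 via Fa0/19 once Po1 is shut, and Fa0/19 becomes the designated port toward SW3 once the SW2-SW3 link fails, which is exactly the transition BackboneFast lets SW1 start without waiting for max age.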
Note To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

3. IPv4 OSPF Section


Note Configure all OSPF routers with only one OSPF process ID (PID). Use your IGP diagram to help guide configuration.

Issue: Allow backbone OSPF speakers to automatically discover each other, and elect a designated router (DR).
Solution: The OSPF network type broadcast is the correct answer here. OSPF speakers will automatically discover each other through the multicast address 224.0.0.5 during the initial hello exchange. The OSPF speakers will also elect at least a DR and possibly a backup designated router (BDR), fulfilling both tasks. In a Frame Relay hub-and-spoke topology, the DR must be on the hub router. To ensure that the hub router is elected as the DR and that a spoke router is not elected as a BDR, use the ip ospf priority command on the spoke routers to set the priority to 0, which makes the spokes ineligible for DR or BDR election. No BDR should be elected in this topology, because all DROTHERs (routers that are neither DRs nor BDRs) must form an adjacency with both the DR and the BDR, and a spoke router cannot form an OSPF adjacency with another spoke router. Therefore, a BDR cannot be designated in a hub-and-spoke topology.
Issue: Add loopback 2 on R2 into OSPF as an external route. Configure OSPF Area 126 on the R2 Frame Relay interface configured with the IPv4 address 172.16.62.2.
Solution: Add loopback 2 into OSPF using the redistribute connected command. Make sure that you filter the redistribution process so that only loopback 2 and no other connected network is injected into OSPF. Fulfill this filtering requirement by applying either a route map or a distribution list to the redistribution of the connected networks. Configure OSPF Area 126 on the Frame Relay interface on R2. You can use the OSPF router network command or the ip ospf PID area 126 interface command to accomplish this task. The network command was used in this answer key.


router ospf 100
 redistribute connected subnets route-map CONNECTED
 network 172.16.62.0 0.0.0.255 area 126
!
access-list 1 permit 172.16.2.0 0.0.0.255
!
route-map CONNECTED permit 10
 match ip address 1

R2#show ip ospf int brie
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Se0/0/0      100   0               172.16.123.2/24    64    DROTH 1/1
VL0          100   0               172.16.25.2/24     1     P2P   1/1
Lo20         100   20              172.16.20.5/30     1     P2P   0/0
Fa0/0        100   25              172.16.25.2/24     1     BDR   1/1
Se0/0/0.62   100   126             172.16.62.2/24     64    P2P   0/0
R2#
R2#show ip ospf database external 172.16.2.0

            OSPF Router with ID (172.16.20.5) (Process ID 100)

                Type-5 AS External Link States

  LS age: 267
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 172.16.2.0 (External Network Number )
  Advertising Router: 172.16.20.5
  LS Seq Number: 8000027C
  Checksum: 0x127C
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

R2#
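How the route-map match on access-list 1 selects loopback 2 and nothing else, as an added example that is not part of the answer key. It implements the IOS wildcard-mask comparison and the rule that a standard ACL referenced by a route map or a distribute-list tests only the network address of each prefix, then runs R2's connected networks through access-list 1. For contrast it also implements ip prefix-list matching, which does check the prefix length; R3's access-list 10 from the EIGRP section and the prefix-list entry from the Cisco OER section of this lab are included so the same code covers those filters too. The list of R2 connected prefixes is constructed from the show ip ospf int brie output above.

```python
import ipaddress


def wildcard_match(address, entry, wildcard="0.0.0.0"):
    """IOS wildcard-mask comparison: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(address))
    e = int(ipaddress.IPv4Address(entry))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (e & ~w)


def standard_acl(entries):
    """Build a classifier from (action, network, wildcard) entries.

    When a standard ACL is referenced by 'match ip address' in a route map or by
    a distribute-list, only the prefix's network address is tested; the prefix
    length is ignored.  Every IOS ACL ends with an implicit deny.
    """
    def permits(prefix):
        net = ipaddress.ip_network(prefix, strict=False).network_address
        for action, entry, wildcard in entries:
            if wildcard_match(str(net), entry, wildcard):
                return action == "permit"
        return False
    return permits


def prefix_list_entry(entry, ge=None, le=None):
    """Build a matcher with 'ip prefix-list' semantics: the first N bits of the
    candidate must equal the entry, and the candidate's length must be exactly
    N unless ge/le widen the accepted range."""
    net = ipaddress.ip_network(entry)
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)

    def permits(prefix):
        p = ipaddress.ip_network(prefix, strict=False)
        return p.network_address in net and low <= p.prefixlen <= high
    return permits


def redistribute(prefixes, filter_):
    """Prefixes that survive a redistribution filtered by a route map or distribute-list."""
    return [p for p in prefixes if filter_(p)]


# Constructed from this section: R2's connected networks (show ip ospf int brie
# plus loopback 2, whose LSA has Link State ID 172.16.2.0 and mask /24).
R2_CONNECTED = ["172.16.123.0/24", "172.16.25.0/24", "172.16.20.4/30",
                "172.16.62.0/24", "172.16.2.0/24"]

# access-list 1 permit 172.16.2.0 0.0.0.255  (route-map CONNECTED on R2)
ACL_1 = standard_acl([("permit", "172.16.2.0", "0.0.0.255")])
# access-list 10 permit 0.0.0.0  (R3's distribute-list toward SW4, later in this
# section); an omitted wildcard is 0.0.0.0, i.e. only the network address 0.0.0.0
ACL_10 = standard_acl([("permit", "0.0.0.0", "0.0.0.0")])
# ip prefix-list prfx seq 5 permit 3.3.3.3/32  (Cisco OER section of this lab)
PL_PRFX = prefix_list_entry("3.3.3.3/32")


if __name__ == "__main__":
    print("R2 redistributes:", redistribute(R2_CONNECTED, ACL_1))
    print("ACL 1 also matches 172.16.2.128/25:", ACL_1("172.16.2.128/25"))
    print("prefix-list 172.16.2.0/24 matches /25:",
          prefix_list_entry("172.16.2.0/24")("172.16.2.128/25"))
```

The caveat worth remembering: access-list 1 permit 172.16.2.0 0.0.0.255 also permits 172.16.2.128/25 or any other prefix whose network address falls in 172.16.2.x, so a route map keyed on a standard ACL filters by address range, not by exact prefix. Where a task calls for exactly one prefix, a prefix-list gives the tighter match.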

Issue: Place loopback 30 and loopback 3 in OSPF Area 30 on R3.
Solution: Configure OSPF Area 30 on R3 as requested in the scenario:
R3#show run | section router ospf
router ospf 100
 log-adjacency-changes
 redistribute eigrp 1 subnets
 redistribute eigrp 2 subnets
 network 3.3.3.0 0.0.0.255 area 30
 network 172.16.30.0 0.0.0.255 area 30
 network 172.16.123.0 0.0.0.255 area 0
R3#
R3#show ip ospf int brie
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Se0/0/0      100   0               172.16.123.3/24    64    DROTH 1/1
Lo30         100   30              172.16.30.3/22     1     P2P   0/0
Lo3          100   30              3.3.3.3/24         1     P2P   0/0
R3#


Issue: Make sure that the network 2.0.0.0 and its subnets do not appear in the routing tables of any router except R2.
Solution: The challenge in this task is to make the 2.2.2.0/24 network reachable throughout the pod without announcing it to any other router. The solution is provided by configuring default-information originate always on R2. Whenever you must make an unadvertised network reachable, consider advertising a summary that includes the network. The 0.0.0.0/0 prefix is just an extreme summary:
R2#show ip ospf database external 0.0.0.0

            OSPF Router with ID (172.16.20.5) (Process ID 100)

                Type-5 AS External Link States

  LS age: 480
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 172.16.20.5
  LS Seq Number: 8000027C
  Checksum: 0xFDFD
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 100

R2#

Issue: Configure Area 25 between R2 and R5. Add loopback 50 on R5 into OSPF as Area 50.
Solution: R5 possesses a connection to R2 through Area 25. R5 has no direct connection to Area 0. However, R5 also has a loopback interface assigned to Area 50. Because R5 maintains a connection to an area that has no direct connection to Area 0, it requires a virtual link for Area 50.
Note To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

4. IPv4 EIGRP Section


Issue: Solving reachability issues on R4
Solution: The only IGP configured on R4 is Enhanced Interior Gateway Routing Protocol (EIGRP). R4 will not be able to reach all addresses in the test pod unless a gateway of last resort is set to R3. An EIGRP speaker sets the gateway of last resort based on a 0.0.0.0/0 network or a prefix marked as a candidate default. The scenario allows only the 3.0.0.0/8 prefix to be advertised from R3 to R4. The scenario does not specify how the 3.0.0.0/8 prefix should be advertised from R3 to R4; the EIGRP network statement is chosen in this answer key. So the solution to this issue is to configure ip default-network 3.0.0.0 on R4. This will provide a default route configuration for R4 referencing the next-hop router as R3. You cannot use the ip default-network command on R3, because it already has a necessary 0.0.0.0/0 route learned from R2 through OSPF. The ip default-network command will take precedence over 0.0.0.0/0, making network 2.2.2.0 unreachable. To best understand this statement, consider the following progression of events:
1. R3 learns the 0.0.0.0/0 prefix from R2.
2. The 0.0.0.0/0 on R3 allows R3 to reach the 2.2.2.0/24 prefix on R2.
3. If R3 is configured to advertise a default route to the stub EIGRP R4, it must use the ip default-network command referencing a non-0.0.0.0/0 prefix; due to the constraints of this exam, EIGRP is not allowed to advertise the 0.0.0.0/0 prefix.
4. If R3 references the 3.0.0.0/8 prefix using the ip default-network command, this command will deactivate the use of the 0.0.0.0/0 prefix on R3, because any non-0.0.0.0/0 prefix that is specified by ip default-network takes precedence over the 0.0.0.0/0 route.
Add network 3.3.3.0 in EIGRP AS1 on R3:
router eigrp 1
 network 3.3.3.0 0.0.0.255
 network 172.16.34.0 0.0.0.127
 no auto-summary
 no eigrp log-neighbor-changes
!
R4#show ip route summary
IP routing table name is Default-IP-Routing-Table(0)
IP routing table maximum-paths is 16
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       0           2           144         272
static          0           0           0           0
eigrp 1         1           0           72          136
bgp 64600       3           0           216         408
  External: 0 Internal: 3 Local: 0
internal        1                                   1156
Total           5           2           432         1972
Removing Queue Size 0
R4#

Note that R4 receives only an EIGRP prefix. Configure the ip default-network command on R4:
R4#sh run | inc ip default-network
ip default-network 3.0.0.0
R4#
R4#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.34.3 to network 3.0.0.0

B    192.168.104.0/24 [200/0] via 172.16.123.1, 1d01h
D*   3.0.0.0/8 [90/156160] via 172.16.34.3, 2w0d, FastEthernet0/1
B    192.168.105.0/24 [200/0] via 172.16.123.1, 1d01h
     172.16.0.0/25 is subnetted, 2 subnets
C       172.16.40.0 is directly connected, Loopback40
C       172.16.34.0 is directly connected, FastEthernet0/1
B    192.168.100.0/22 [200/0] via 172.16.123.1, 1d01h
R4#

Note that the prefix 3.0.0.0/8 is a candidate default prefix, and the gateway of last resort is set to R3.
Issue: Add loopback 40 on R4 into EIGRP as an EX prefix.
Solution: Redistribute the loopback 40 network as a connected network into EIGRP AS1 on R4:
router eigrp 1
 redistribute connected metric 1000 100 255 3 1500 route-map CONNECTED
 network 172.16.34.0 0.0.0.127
!
access-list 1 permit 172.16.40.0 0.0.0.127
!
route-map CONNECTED permit 10
 match ip address 1
!
R4#show ip eigrp 1 topology 172.16.40.0/25
IP-EIGRP (AS 1): Topology entry for 172.16.40.0/25
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2585600
  Routing Descriptor Blocks:
  0.0.0.0, from Rconnected, Send flag is 0x0
      Composite metric is (2585600/0), Route is External
      Vector metric:
        Minimum bandwidth is 1000 Kbit
        Total delay is 1000 microseconds
        Reliability is 255/255
        Load is 3/255
        Minimum MTU is 1500
        Hop count is 0
      External data:
        Originating router is 172.16.40.1 (this system)
        AS number of route is 0
        External protocol is Connected, external metric is 0
        Administrator tag is 0 (0x00000000)
R4#
R3#show ip route eigrp
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       3.0.0.0/8 is a summary, 2w0d, Null0
     172.16.0.0/16 is variably subnetted, 16 subnets, 3 masks
D       172.16.140.0/24 [90/156160] via 172.16.34.40, 2w0d, FastEthernet0/1
D EX    172.16.40.0/25 [170/2588160] via 172.16.34.4, 2w0d, FastEthernet0/1
R3#
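The composite metrics in the output above can be recomputed by hand. The following is an added example, not part of the answer key, that implements the classic EIGRP metric with the default K values and checks it against the three values on this page: R4's FD of 2585600 for 172.16.40.0/25, R3's 2588160 for the same prefix received over FastEthernet, and SW4's 2585856 for the default route it receives on its Vlan34 SVI in the next task. The per-interface bandwidth and delay constants are the IOS defaults for those interface types and are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vector:
    """EIGRP vector metric as carried in an update."""
    min_bw_kbps: int
    total_delay_us: int
    reliability: int = 255
    load: int = 1
    mtu: int = 1500
    hops: int = 0


def seed(bw_kbps, delay_tens_us, reliability, load, mtu):
    """Vector a router attaches when it redistributes with 'metric' or
    'default-metric'; the delay argument is in tens of microseconds, as on
    the IOS command line (100 -> 1000 microseconds)."""
    return Vector(bw_kbps, delay_tens_us * 10, reliability, load, mtu)


def receive(v, in_bw_kbps, in_delay_us):
    """Vector as seen by the neighbour that receives the update on an interface
    with the given bandwidth and delay: bandwidth is a path minimum, delay a sum."""
    return Vector(min(v.min_bw_kbps, in_bw_kbps), v.total_delay_us + in_delay_us,
                  v.reliability, v.load, v.mtu, v.hops + 1)


def composite(v, k1=1, k2=0, k3=1, k4=0, k5=0):
    """Classic (32-bit) EIGRP composite metric; defaults are K1=K3=1, others 0."""
    bw = 10**7 // v.min_bw_kbps               # inverse of the slowest link
    delay = v.total_delay_us // 10            # delay is summed in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - v.load) + k3 * delay
    if k5:
        metric = metric * k5 // (v.reliability + k4)
    return metric * 256


# IOS default bandwidth/delay for the interface types on the page's links
# (assumed here, not printed on the page).
FASTETHERNET = (100_000, 100)     # 100 Mbit/s, 100 microseconds
CATALYST_SVI = (1_000_000, 10)    # Vlan interface: 1 Gbit/s, 10 microseconds


def r4_loopback40():
    """R4: redistribute connected metric 1000 100 255 3 1500 (FD 2585600)."""
    return seed(1000, 100, 255, 3, 1500)


def r3_view_of_loopback40():
    """R3 receives R4's external route over FastEthernet0/1 ([170/2588160])."""
    return receive(r4_loopback40(), *FASTETHERNET)


def sw4_default_route():
    """R3 AS 2: default-metric 1000 100 3 255 1500, received by SW4 on Vlan34 ([170/2585856])."""
    return receive(seed(1000, 100, 3, 255, 1500), *CATALYST_SVI)


if __name__ == "__main__":
    for name, v in (("R4  172.16.40.0/25", r4_loopback40()),
                    ("R3  172.16.40.0/25", r3_view_of_loopback40()),
                    ("SW4 0.0.0.0/0", sw4_default_route())):
        print(f"{name:<20} bw={v.min_bw_kbps} kbit delay={v.total_delay_us} us "
              f"metric={composite(v)}")
```

Because K2, K4 and K5 are zero by default, reliability and load never enter the metric; only the minimum bandwidth and the summed delay do, which is why R3's default-metric 1000 100 3 255 1500 (reliability 3, load 255) produces a metric no different from R4's 1000 100 255 3 1500 ordering. The 10 microsecond SVI delay against the 100 microsecond FastEthernet delay is the whole difference between 2585856 and 2588160.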

Issue: Allow only one prefix, the one that represents the entire IPv4 address space, to be advertised from R3 to SW4; filter all other prefixes.
Solution: Prefix 0.0.0.0/0 represents the entire IPv4 address space. It is a default route. R3 learns 0.0.0.0/0 through OSPF. On R3, redistribute OSPF into EIGRP AS2, and allow only 0.0.0.0/0 to be advertised from R3 to SW4, as shown:
router eigrp 2
 redistribute ospf 100
 network 172.16.34.0 0.0.0.127
 default-metric 1000 100 3 255 1500
 distribute-list 10 out FastEthernet0/0
 auto-summary
!
access-list 10 permit 0.0.0.0

Verify the results of the configuration on SW4:


SW4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.34.3 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.140.0 is directly connected, Loopback140
C       172.16.34.0 is directly connected, Vlan34
D*EX 0.0.0.0/0 [170/2585856] via 172.16.34.3, 18:05:17, Vlan34
SW4#

On SW4, advertise loopback 140 with the EIGRP network statement:


router eigrp 2
 network 172.16.34.0 0.0.0.255
 network 172.16.140.0 0.0.0.255
 auto-summary

Verify the results on R3. Make sure that EIGRP AS2 is redistributed into OSPF to propagate loopback 140 to other routers.
R3#show ip route eigrp
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       3.0.0.0/8 is a summary, 1d19h, Null0
     172.16.0.0/16 is variably subnetted, 18 subnets, 5 masks
D       172.16.140.0/24 [90/156160] via 172.16.34.40, 18:08:12, FastEthernet0/0
D EX    172.16.40.0/25 [170/2588160] via 172.16.34.4, 1d19h, FastEthernet0/0
R3#
R3#sh run | beg router ospf
router ospf 100
 log-adjacency-changes
 redistribute eigrp 1 subnets
 redistribute eigrp 2 subnets
R3#

Note To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

5. IPv4 RIP Section


Issue: Configure SW1 to send only a summary 172.16.80.0/25 on VLAN 88.
Solution: Configure this summary on SW1 with the command ip summary-address rip 172.16.80.0 255.255.255.128 under interface VLAN 88.
Issue: Restrict the advertisement of Routing Information Protocol (RIP) updates to the VLAN 17 and VLAN 88 interfaces only.
Solution: Configure R1, SW3, and SW1 with passive-interface default. Then, disable passive interface on the VLAN 17 and VLAN 88 interfaces with the no passive-interface command.
Issue: Solving reachability issues in the RIP domain
Solution: You can redistribute OSPF into RIP on R1. You do not have to redistribute RIP into OSPF to provide reachability to RIP-originated networks. The 0.0.0.0/0 route will provide the reachability to these networks. The RIP domain will receive the 0.0.0.0/0 default generated on R2. This will provide full reachability from the RIP domain to the rest of the pod addresses, including 2.2.2.0/24 on R2. There are no fixed-length subnet mask (FLSM) or variable-length subnet mask (VLSM) issues, because RIP version 2 (RIPv2) is classless. One could filter the more specific prefixes using a distribution list or route map, but this is not required.
Note To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

6. Cisco OER and NAT Section


Issue: Statically configure two default routes to 172.16.16.1 and 172.16.62.2 on R6. Statically configure a default route to 1.1.1.6 on SW2.
Solution: The lab general restrictions prohibit the use of static routes except for R6. Configure two default routes on R6:
ip route 0.0.0.0 0.0.0.0 172.16.16.1
ip route 0.0.0.0 0.0.0.0 172.16.62.2

Verify static routing entries in the show ip route table on R6:


R6#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
    172.16.62.2
      Route metric is 0, traffic share count is 1
  * 172.16.16.1
      Route metric is 0, traffic share count is 1
R6#

Configure a default route on SW2:


ip route 0.0.0.0 0.0.0.0 1.1.1.6

Issue: R6 should be configured as a master controller and a border Cisco OER router. R6 should measure a network delay to network 3.3.3.3/32 and, based on the lower delay, select R1 as a gateway for the network 3.3.3.3/32.


Solution: Cisco OER provides automatic route optimization and load distribution for multiple connections between networks. Cisco OER is an integrated Cisco IOS Software solution that allows you to monitor IP traffic flows and then define policies and rules based on network delay, traffic class performance, link-load distribution, link bandwidth monetary cost, and traffic type. Cisco OER deployment has two primary components: a master controller and one or more border routers. The master controller is a decision maker. Communication between the master controller and border router is protected by Message Digest 5 (MD5) authentication. A Cisco OER-managed network must have at least two egress interfaces that can carry outbound traffic and can be configured as external interfaces. The router must also have one interface, reachable by the internal network, that can be configured as an internal interface. There are three interface configurations required to deploy Cisco OER:

External interfaces are configured as Cisco OER-managed exit links to forward traffic. Each border router must have at least one external interface, and a minimum of two external interfaces are required in a Cisco OER-managed network.
Internal interfaces are used only for passive performance monitoring with NetFlow. The internal interface is configured as a Cisco OER internal interface on the master controller. At least one internal interface must be configured on each border router.
Local interfaces are used only for master controller and border router MD5-protected communication.

The following diagram illustrates R6 configured as a single router that runs both a master controller process and a border router process:

Note that a Cisco router that is configured to run both a master controller and border router process will use more memory than a router that is configured to run only a border router process. This memory impact should be considered when selecting a router for dual operation. Configure the Cisco OER master controller and the border router on R6. MD5 authentication is required. You can use any string in this lab, because the lab does not explicitly specify it. The string OER is used in this answer key:
key chain OER
 key 1
  key-string OER
!
oer master
 policy-rules prfx
 logging
 !
 border 1.1.1.6 key-chain OER
  interface FastEthernet0/0 internal
  interface FastEthernet0/1 external
  interface Serial0/0/0.62 external
 !
 learn
  delay
  periodic-interval 3
  monitor-period 1
 mode route control
 mode monitor active
 !
 active-probe echo 3.3.3.3
!
oer border
 logging
 local Loopback80
 master 1.1.1.6 key-chain OER
!

Internal communication between the master controller and the border router is illustrated in the following diagram:

Verification:
R6#show oer master
OER state: ENABLED and ACTIVE
  Conn Status: SUCCESS, PORT: 3949
  Number of Border routers: 1
  Number of Exits: 2
  Number of monitored prefixes: 1 (max 5000)
  Max prefixes: total 5000 learn 2500
  Prefix count: total 1, learn 0, cfg 1

Border           Status   UP/DOWN             AuthFail
1.1.1.6          ACTIVE   UP       2d22h          0
<skipped>


R6#show oer border
OER BR 1.1.1.6 ACTIVE, MC 1.1.1.6 UP/DOWN: UP 2d22h,
  Auth Failures: 0
  Conn Status: SUCCESS, PORT: 3949
Exits
  Fa0/0           INTERNAL
  Fa0/1           EXTERNAL
  Se0/0/0.62      EXTERNAL
R6#

Issue: R6 should actively monitor a network delay to the network 3.3.3.3/32 by sending ICMP probes and, based on the lower delay, select R1 as a gateway for 3.3.3.3/32. If the ICMP probe fails between the R6 interface on VLAN 16 and the network 3.3.3.3/32, R6 should forward packets to R2.
Solution: Cisco OER uses three methods of traffic class performance measurement:

Passive monitoring measures the performance metrics of traffic class entries while the traffic is flowing through the device, using NetFlow functionality.
Active monitoring creates a stream of traffic that replicates a traffic class as closely as possible and measures the performance metrics of the traffic. Active monitoring uses integrated Cisco IOS IP Service Level Agreements (IP SLAs) functionality.
Both active and passive monitoring are used to generate a more complete picture of traffic flows within the network.

There is a requirement for active monitoring of ICMP traffic between R6 and 3.3.3.3/32 in this lab:
oer master
 policy-rules prfx
 logging
 !
 border 1.1.1.6 key-chain OER
  interface FastEthernet0/0 internal
  interface FastEthernet0/1 external
  interface Serial0/0/0.62 external
 !
 learn
  delay
  periodic-interval 3
  monitor-period 1
 mode route control
 mode monitor active
 !
 active-probe echo 3.3.3.3
!
oer border
 logging
 local Loopback80
 master 1.1.1.6 key-chain OER
!
ip prefix-list prfx seq 5 permit 3.3.3.3/32
!
oer-map prfx 10
 match ip address prefix-list prfx
!
R6#

Note that R6 is configured with the command active-probe echo 3.3.3.3. Periodically, R6 will be sending the ICMP probes. If you run the debug ip icmp command on R6, you can see the ICMP echo replies from R3 to the ICMP probes:

*May 22 17:16:35.359: ICMP: echo reply rcvd, src 3.3.3.3, dst 172.16.16.6
*May 22 17:16:35.443: ICMP: echo reply rcvd, src 3.3.3.3, dst 172.16.62.6

Verify the watched prefix 3.3.3.3/32:


R6#show oer master prefix
OER Prefix Statistics:
 Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
 Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
 E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
 U - unknown, * - uncontrolled, + - control more specific, @ - active probe all

Prefix             State     Time Curr BR        CurrI/F        Protocol
                   PasSDly  PasLDly  PasSUn  PasLUn PasSLos PasLLos
                   ActSDly  ActLDly  ActSUn  ActLUn     EBw    IBw
--------------------------------------------------------------------------------
3.3.3.3/32         DEFAULT*    36
                         U        U
R6#

Verify the master controller policy:


R6#show oer master policy
Default Policy Settings:
  backoff 300 3000 300
  delay relative 50
  holddown 300
  periodic 0
  mode route control
  mode monitor active
  mode select-exit good
  loss relative 10
  unreachable relative 50
  resolve delay priority 11 variance 20
  resolve utilization priority 12 variance 20

oer-map prfx 10
  match ip prefix-lists: prfx
  backoff 300 3000 300
  delay relative 50
  holddown 300
  periodic 0
  mode route control
  mode monitor active
  mode select-exit good
  loss relative 10
  unreachable relative 50
  resolve delay priority 11 variance 20
  resolve utilization priority 12 variance 20

* Overrides Default Policy Setting
R6#

The prefix will go through the different states (DEFAULT, HOLDDOWN, and INPOLICY) as R6 learns about the prefix.
R6#show oer master prefix
OER Prefix Statistics:
 Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
 Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
 E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
 U - unknown, * - uncontrolled, + - control more specific, @ - active probe all

Prefix             State     Time Curr BR        CurrI/F        Protocol
                   PasSDly  PasLDly  PasSUn  PasLUn PasSLos PasLLos
                   ActSDly  ActLDly  ActSUn  ActLUn     EBw    IBw
--------------------------------------------------------------------------------
3.3.3.3/32         HOLDDOWN   321 1.1.1.6        Fa0/1          STATIC
                         N        N       N       N       N       N
                         U        U       0       0       N       N
R6#


R6#show oer master prefix
OER Prefix Statistics:
 Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
 Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
 E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
 U - unknown, * - uncontrolled, + - control more specific, @ - active probe all

Prefix             State     Time Curr BR        CurrI/F        Protocol
                   PasSDly  PasLDly  PasSUn  PasLUn PasSLos PasLLos
                   ActSDly  ActLDly  ActSUn  ActLUn     EBw    IBw
--------------------------------------------------------------------------------
3.3.3.3/32         INPOLICY     0 1.1.1.6        Fa0/1          STATIC
                         N        N       N       N       N       N
                        31       35       0       0       N       N
R6#
*May 22 17:19:25.847: OER MC APC:
R6#show ip route stat
     3.0.0.0/32 is subnetted, 1 subnets
S       3.3.3.3 [1/0] via 172.16.16.1
S*   0.0.0.0/0 [1/0] via 172.16.62.2
               [1/0] via 172.16.16.1
R6#

Note that the static route to the watched prefix 3.3.3.3/32 is added when it is in policy.
Issue: IP packets that originated from SW2 should arrive on the network 3.3.3.0/24 with either source IP address 172.16.16.6 or 172.16.62.6.


Solution: Translate the source IP address 1.1.1.20 on R6; see the following diagram:

Network Address Translation (NAT) and Cisco OER configuration tasks are related.
Tip Always read a CCIE lab exam end-to-end, and carefully look for hidden issues that might involve multiple tasks.


The solution also involves a minimal configuration change with a new keyword, oer, that has been added to the ip nat inside source command. When the oer keyword is configured, new NATs are given the source IP address of the interface that Cisco OER has selected for the packet, and Cisco OER forces existing flows to be routed through the interface for which the NAT was created. Configure NAT on R6:
interface FastEthernet0/0
 ip address 1.1.1.6 255.255.255.0
 ip nat inside
!
interface Serial0/0/0.62 point-to-point
 ip address 172.16.62.6 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 172.16.16.6 255.255.255.0
 ip nat outside
!
ip nat inside source route-map TR1 interface FastEthernet0/1 overload oer
ip nat inside source route-map TR2 interface Serial0/0/0.62 overload oer
!
access-list 1 permit 1.0.0.0 0.255.255.255
!
route-map TR2 permit 10
 match ip address 1
!
route-map TR1 permit 10
 match ip address 1
!

Verification: You are not required to perform this step during the lab; it is provided in the answer key for educational purposes. Verify Cisco OER failover by removing VLAN 16 from the SW1 interface Fa0/1 that is connected to R1. Static routing on R6 cannot detect this kind of failure and would continue forwarding traffic to R1. Verify the OER prefix before VLAN 16 is pruned:
R6#show oer master prefix
OER Prefix Statistics:
 Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
 Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
 E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
 U - unknown, * - uncontrolled, + - control more specific, @ - active probe all

Prefix             State     Time Curr BR        CurrI/F        Protocol
                   PasSDly  PasLDly  PasSUn  PasLUn PasSLos PasLLos
                   ActSDly  ActLDly  ActSUn  ActLUn     EBw    IBw
--------------------------------------------------------------------------------
3.3.3.3/32         INPOLICY     0 1.1.1.6        Fa0/1          STATIC
                         N        N       N       N       N       N
                        31       34       0       0       N       N
R6#

Note that the prefix 3.3.3.3/32 is in policy, and Fa0/1 is used for forwarding as requested in the lab.

Run the following debug commands on R6:


R6#debug oer master prefix 3.3.3.3/32
OER Master Prefix debugging is on
R6#debug oer border active-probes
OER Border Router Active Probes debugging is on

Remove VLAN 16 on SW1 interface Fa0/1:


SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int fa 0/1
SW1(config-if)#no switchport access vlan 16
SW1(config-if)#end
SW1#

Note that the Cisco OER on R6 detected that the prefix 3.3.3.3/32 is unreachable:
R6#
*May 22 18:30:26.711: OER MC PFX 3.3.3.3/32: Check ACT REL unreachable: unreachable 166666, policy 50%, notify TRUE
*May 22 18:30:26.711: OER MC PFX 3.3.3.3/32: Check ACT REL delay: delay 31, policy 50%, notify TRUE
R6#

In a few minutes:
R6#
*May 22 18:33:17.747: OER MC PFX 3.3.3.3/32: Check ACT REL unreachable: unreachable 166666, policy 50%, notify FALSE
*May 22 18:33:17.747: OER MC PFX 3.3.3.3/32: Best exit is 1.1.1.6 Se0/0/0.62, based on unreachable
*May 22 18:33:17.747: OER MC PFX 3.3.3.3/32: Start FWD on new exit, br = 1.1.1.6, i/f = Se0/0/0.62, nexthop 0.0.0.0, seq 1812, proto 2, exact TRUE
*May 22 18:33:17.747: OER MC PFX 3.3.3.3/32: PDP start timer = 15 secs, prefix state = CHOOSE
*May 22 18:33:17.759: OER BR ACTIVE PROBE: Probe deletion completed.
    probeType = echo, probeTarget = 3.3.3.3, probeTargetPort = 0
    probeSource = Default, probeSourcePort = 0, probeNextHop = Default
    probeIfIndex = 2
*May 22 18:33:17.771: OER BR ACTIVE PROBE: Probe deletion completed.
    probeType = echo, probeTarget = 3.3.3.3, probeTargetPort = 0
    probeSource = Default, probeSourcePort = 0, probeNextHop = Default
    probeIfIndex = 11
R6#
*May 22 18:33:17.975: OER MC PFX 3.3.3.3/32: prefix_status 0 received, br = 1.1.1.6 i/f = Se0/0/0.62
*May 22 18:33:17.975: OER MC PFX 3.3.3.3/32: PDP start timer = 300 secs, prefix state = HOLDDOWN
*May 22 18:33:17.975: %OER_MC-5-NOTICE: Route changed 3.3.3.3/32, BR 1.1.1.6, i/f Se0/0/0.62, Reason Unreachable, OOP Reason Unreachable
*May 22 18:33:17.979: OER BR ACTIVE PROBE: Creation of SAA probe completed successfully.
    probeType = echo, probeTarget = 3.3.3.3, probeTargetPort = 0
    probeSource = 172.16.62.6, probeSourcePort = 0, probeNextHop = 172.16.62.2
    probeIfIndex = 11, SAA index = 35
R6#

Note that the Cisco OER detected an out of policy (OOP) condition based on the reason unreachable. The Cisco OER transitions through the states CHOOSE, to select the new interface S0/0/0.62, and HOLDDOWN, to hold it for a default 5 minutes. State HOLDDOWN is a route-flapping prevention measure.
R6#show oer master prefix
OER Prefix Statistics:
 Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
 Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
 E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
 U - unknown, * - uncontrolled, + - control more specific, @ - active probe all

Prefix              State     Time  Curr BR       CurrI/F      Protocol
                    PasSDly PasLDly PasSUn  PasLUn PasSLos PasLLos
                    ActSDly ActLDly ActSUn  ActLUn    EBw    IBw
--------------------------------------------------------------------------------
3.3.3.3/32          HOLDDOWN   318  1.1.1.6       Se0/0/0.62   STATIC
                          N       N       N       N       N       N
                          U       U       0       0       N       N
R6#

Also, at this step, Cisco OER creates a new static route for 3.3.3.3/32 through the S0/0/0.62 interface:

R6#show ip route static
     3.0.0.0/32 is subnetted, 1 subnets
S       3.3.3.3 [1/0] via 172.16.62.2
S*   0.0.0.0/0 [1/0] via 172.16.62.2
               [1/0] via 172.16.16.1
R6#

In about 5 minutes:
R6#
*May 22 18:38:40.863: OER MC PFX 3.3.3.3/32: PDP choose exit, prefix state = HOLDDOWN, 0
*May 22 18:38:40.863: OER MC PFX 3.3.3.3/32: Check ACT REL delay: delay 99, policy 50%, notify FALSE
*May 22 18:38:40.863: OER MC PFX 3.3.3.3/32: Check ACT REL unreachable: unreachable 0, policy 50%, notify FALSE
*May 22 18:38:40.863: OER MC PFX 3.3.3.3/32: PDP no start timer, prefix state = INPOLICY
R6#show oer master prefix
OER Prefix Statistics:
 Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
 Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
 E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
 U - unknown, * - uncontrolled, + - control more specific, @ - active probe all

Prefix              State     Time  Curr BR       CurrI/F      Protocol
                    PasSDly PasLDly PasSUn  PasLUn PasSLos PasLLos
                    ActSDly ActLDly ActSUn  ActLUn    EBw    IBw
--------------------------------------------------------------------------------
3.3.3.3/32          INPOLICY     0  1.1.1.6       Se0/0/0.62   STATIC
                          N       N       N       N       N       N
                         99      99       0       0       N       N
R6#

Note that the prefix 3.3.3.3/32 is in policy through the S0/0/0.62 interface:

SW2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 151/151/151 ms
SW2#

R6#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 172.16.62.6:25    1.1.1.20:25        3.3.3.3:25         3.3.3.3:25
R6#

Note that the packet is forwarded out the S0/0/0.62 interface of R6 and is translated according to the NAT rules, as specified in the lab. Do not forget to add the SW1 interface Fa0/1 to VLAN 16 after you complete testing:
SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int fa 0/1
SW1(config-if)#switchport access vlan 16
SW1(config-if)#

Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

7. Border Gateway Protocol Section


Issue: Originate the following prefixes from SW3 with the origin code incomplete.

Solution: Do not use the network command to originate these prefixes in Border Gateway Protocol (BGP). Instead, use redistribution. When prefixes are originated in BGP through redistribution, their origin code is set to incomplete.

Issue: Do not form a BGP peer relationship between R2 and R4. Use the AS numbers that are given in the exam.

Solution: R2, R3, and R4 are Internal BGP (IBGP) speakers within the same AS. By default, a full mesh of IBGP neighbor relationships must be formed between IBGP speakers. However, you cannot form a full mesh, because you are instructed not to form a BGP peer relationship between R2 and R4. The remedy for this non-full-mesh requirement is to configure a route reflector on R3. The following diagram will help you understand the configuration of the BGP section:

Issue: Make sure that all BGP speakers in AS64600 have the following prefixes in their BGP and IP routing tables: (1) 192.168.104.0/24, (2) 192.168.105.0/24, and (3) a summary for the remaining prefixes that are advertised by SW3 through BGP. Apply this configuration on R1. The summary must have the same AS path attribute as its constituents.

Solution: Configure the BGP aggregate command as follows:

aggregate-address 192.168.100.0 255.255.252.0 as-set summary-only

This aggregate covers the prefixes 192.168.100.0, 192.168.101.0, 192.168.102.0, and 192.168.103.0. The specified additional subnets, 192.168.104.0/24 and 192.168.105.0/24, will also be advertised. By default, the longer matching subnets of an aggregate are advertised with the aggregate. This behavior is suppressed with the summary-only keyword. Including the as-set option in the aggregate statement fulfills the second requirement, because the aggregate then carries the AS path information of its constituents.

Issue: Use the synchronization method on R2 and R3.

Solution: The rule of synchronization requires that all routes learned from an IBGP peer must have matching routes in the forwarding table from a source other than BGP. You can satisfy the synchronization requirement on R3 by redistributing BGP into OSPF on R2. You must disable synchronization on R4, because R4 must receive only the 3.0.0.0 prefix from R3 through EIGRP.

Issue: All BGP speakers should have only a classful prefix of the IP address assigned to the R3 loopback 3 interface in their BGP tables.

Solution: Originate the 3.0.0.0/8 network on R3 into BGP using a network statement without a mask. This will originate the classful prefix for the Class A address 3.0.0.0 into BGP. Using a 3.3.3.0/24 network statement and then aggregating it to 3.0.0.0/8 would not meet the requirement. To synchronize 3.0.0.0/8 on R2, R3 must advertise the classful prefix into OSPF. One way to do this would be to configure an interarea summary.

Issue: On SW3, this major network should be shown as originated from AS100.

Solution: Apply the remove-private-as command to the neighbor relationship between R1 and SW3.

Issue: Allow into BGP AS11111 only prefixes that have one of the following AS numbers in their AS path: 51, 524, 523, and 52323. Use the minimal number of statements and characters in the filtering solution.

Solution: AS path-based filtering can be used to accomplish this goal. Examine the following regular expression:

ip as-path access-list 1 permit _5(1|24|23(23)?)_

Reading the expression element by element:

_        matches other transit AS numbers or the beginning of line (BOL)
5        must match 5, for example 5
(        opens the group of alternatives
1        match 1, for example 51
|        or
24       24, for example 524
|        or
23       23, for example 523
(23)?    or optionally an additional 23, for example 52323
)        closes the group
_        matches other AS numbers or the end of line (EOL)

The regular expression that is displayed includes a few special characters that deserve a detailed description. The parentheses ( ) are reserved regular expression symbols that group all the characters enclosed within them as a single entity. Within the ( ) grouping are a series of vertical bars, |. These are reserved regular expression symbols that represent a logical OR operation. When combined, you can use these symbols in the following manner: _5(1|24)_. This regular expression will match an AS number that begins with 5 and is followed by one of two possible combinations, 1 OR 24. The result is that it will match 51 OR 524. The ? symbol is a reserved regular expression expansion character: whatever symbol is to the immediate left of the ? can be present in the desired matching string, or it can be absent. For example, the regular expression 52? will match one of two possible strings: 5 or 52. By grouping the string of digits 23 together in the regular expression of this task, (23)?, the effect is that an AS number that possesses an additional string of 23 will be matched, for example 52323, or the additional 23 will be ignored, for example 523. Finally, the underscore symbol will match the following: beginning of line, end of line, or a delimiter such as a blank space. Beginning and ending the regular expression with underscores ensures that the entire expression will match one and only one AS number. Other acceptable expressions would include _5(1|24|23|2323)_ and _5(1|24|(23)+)_. The latter expression is only 15 characters but assumes that the AS path field will never grow beyond 16 bits. The plus sign (+) indicates one or more of the previous element, which would match 23, 2323, 232323, and so on.

Issue: Summarize the received prefixes on R5 with an optimal mask. The summary must not be listed in the BGP tables of the other routers. The solution should work even if new BGP peer relationships are added in the future without any additional configuration.

Solution: This task can be accomplished by using prefix aggregation under the BGP routing process:
aggregate-address 172.17.0.0 255.255.224.0 summary-only attribute-map NOADV
!
route-map NOADV permit 10
 set community no-advertise

By changing the community attribute to the well-known community no-advertise, you stop R5 from advertising the aggregate to any peer.
R5#sho ip bgp 172.17.0.0/19
BGP routing table entry for 172.17.0.0/19, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to any peer)
  Not advertised to any peer
  Local, (aggregated by 11111 172.16.50.1)
    0.0.0.0 from 0.0.0.0 (172.16.50.1)
      Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best
      Community: no-advertise
R5#

Another solution would be to use the distribute-list out command under the BGP process.
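The AS-path filter from the AS11111 task above can be checked offline. The following is an added Python example, not part of the answer key: it translates the IOS underscore convention into a standard regular expression and runs the exam expression and the two alternatives against constructed AS paths, including the 5232323 case that separates the (23)+ form from the other two.

```python
import re

# In Cisco IOS AS-path regular expressions the underscore "_" is not a literal:
# it matches any AS-number delimiter, i.e. beginning of line, end of line, a
# space, a comma, or the braces/parentheses that bracket AS_SET and
# confederation segments. Python's re has no such token, so it is translated.
UNDERSCORE = r"(?:^|$|[ ,{}()])"

# The expression from the answer key plus the two alternatives it discusses.
EXAM_EXPRESSION = "_5(1|24|23(23)?)_"
ALTERNATIVES = ["_5(1|24|23|2323)_", "_5(1|24|(23)+)_"]

# Constructed AS paths, written as IOS prints them (leftmost = nearest neighbour).
SAMPLE_AS_PATHS = [
    "51",              # 51 as the only AS in the path
    "100 524",         # 524 as the originating AS
    "523 200 300",     # 523 as the neighbour AS
    "65000 52323 7",   # 52323 in the middle of the path
    "5124",            # not in the list, even though it starts with 51
    "5",               # a bare 5
    "5231",            # 523 followed by a digit, not by a delimiter
    "15 1524",         # 524 embedded inside another AS number
    "5232323",         # wider than 16 bits; only the (23)+ form accepts it
]


def cisco_to_python(cisco_re: str) -> str:
    """Translate the IOS '_' convention into a Python regular expression."""
    return cisco_re.replace("_", UNDERSCORE)


def as_path_matches(cisco_re: str, as_path: str) -> bool:
    """True when the IOS-style expression matches anywhere in the AS path."""
    return re.search(cisco_to_python(cisco_re), as_path) is not None


def permitted_paths(cisco_re: str, as_paths) -> list:
    """What 'ip as-path access-list N permit <cisco_re>' would let through."""
    return [p for p in as_paths if as_path_matches(cisco_re, p)]


if __name__ == "__main__":
    for expr in [EXAM_EXPRESSION] + ALTERNATIVES:
        print("%-20s (%2d chars): %s"
              % (expr, len(expr), permitted_paths(expr, SAMPLE_AS_PATHS)))
```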
Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

Connectivity verification: You can verify universal reachability with a simple Tool Command Language (Tcl) script, like the one shown below. You can create it once in Notepad and then paste it into each router. To test for stability, observe the output of the debug ip routing command. It shows you each time that a route goes into or out of the routing table. It is useful for detecting route feedback. Finally, test for optimal paths. The definition of optimal can be related to specific lab tasks, but there are certain general rules that you should enforce. Using the show ip route command with some of its extensions can help you focus on the needed information. For example, use show ip route rip; show ip route | include E; show ip route | include /22; show ip route | include Serial0/0/0.

Simple Tcl Script to Test for Universal Reachability

foreach address {
172.16.123.1
172.16.16.1
172.16.10.1
172.16.17.1
172.16.88.1
172.16.123.2
172.16.25.2
172.16.2.1
172.16.20.5
2.2.2.2
172.16.34.3
172.16.123.3
3.3.3.3
172.16.30.3
172.16.34.4
172.16.40.1
172.16.25.5
172.16.50.1
172.16.16.6
172.16.88.2
172.16.80.1
172.16.17.7
172.16.77.7
192.168.100.1
192.168.101.1
192.168.102.1
192.168.103.1
192.168.104.1
192.168.105.1
172.16.34.40
172.16.140.1
} { ping $address}

8. IPv6 Routing Section


Issue: Configure IPv6 addresses and the RIP next generation (RIPng) routing process frame. Change the port and multicast address for the process frame.

Solution: Before you start configuring the IPv6 routing protocols, enter ipv6 unicast-routing in global configuration mode on the IPv6 routers. Then, configure IPv6 addresses on the Frame Relay link between R1, R2, and R3. Map the remote IPv6 addresses to the local DLCIs. This configuration is similar to IPv4, except that you do not have to provide mapping for the local IPv6 addresses to be able to ping them.

R1:

interface Serial0/0/0.123 multipoint
 ipv6 address 1230::1/16
 ipv6 address FE80::123:1 link-local
 ipv6 rip frame enable
 frame-relay map ipv6 1230::2 102
 frame-relay map ipv6 1230::3 103
 frame-relay map ipv6 FE80::123:2 102 broadcast
 frame-relay map ipv6 FE80::123:3 103 broadcast

R2:
interface Serial0/0/0
 ipv6 address 1230::2/16
 ipv6 address FE80::123:2 link-local
 ipv6 rip frame enable
 frame-relay map ipv6 1230::1 201
 frame-relay map ipv6 1230::3 201
 frame-relay map ipv6 FE80::123:1 201 broadcast
 frame-relay map ipv6 FE80::123:3 201 broadcast

R3:
interface Serial0/0/0
 ipv6 address 1230::3/16
 ipv6 address FE80::123:3 link-local
 ipv6 rip frame enable
 frame-relay map ipv6 1230::1 301
 frame-relay map ipv6 1230::2 301
 frame-relay map ipv6 FE80::123:1 301 broadcast
 frame-relay map ipv6 FE80::123:2 301 broadcast

To verify connectivity within the Frame Relay subnet, ping each Frame Relay address from each connected router, as follows:
R2#ping 1230::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1230::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 1230::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1230::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R2#ping 1230::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1230::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/49/128 ms
R2#ping fe80::123:2
Output Interface: Serial0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::123:2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping fe80::123:1
Output Interface: Serial0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::123:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#ping fe80::123:3
Output Interface: Serial0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::123:3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/50/128 ms

Next, configure other IPv6 addresses in the RIP domain and RIPng routing processes according to the scenario specifications:

R1:

interface Serial0/0/0.123 multipoint
 ipv6 address 1230::1/16
 ipv6 address FE80::123:1 link-local
 ipv6 rip frame enable
 frame-relay map ipv6 1230::2 102
 frame-relay map ipv6 1230::3 103
 frame-relay map ipv6 FE80::123:2 102 broadcast
 frame-relay map ipv6 FE80::123:3 103 broadcast
!
ipv6 router rip frame
 redistribute ospf 1 metric 3
 no split-horizon
 port 65000 multicast-group FF02::9999

R2:
interface Serial0/0/0
 ipv6 address 1230::2/16
 ipv6 address FE80::123:2 link-local
 ipv6 rip frame enable
 frame-relay map ipv6 1230::1 201
 frame-relay map ipv6 1230::3 201
 frame-relay map ipv6 FE80::123:1 201 broadcast
 frame-relay map ipv6 FE80::123:3 201 broadcast
!
ipv6 router rip frame
 port 65000 multicast-group FF02::9999
!

R3:
interface Serial0/0/0
 ipv6 address 1230::3/16
 ipv6 address FE80::123:3 link-local
 ipv6 rip frame enable
!
ipv6 router rip frame
 port 65000 multicast-group FF02::9999

Note that the RIP port and the multicast address are changed under the RIP process. You also have to configure the port and the multicast address between R3 and SW4, because they are in the same RIP instance frame.
SW4#sh run | beg ipv6 router rip
ipv6 router rip frame
 port 65000 multicast-group FF02::9999
SW4#

To configure IPv4 and IPv6 protocols on Cisco Catalyst 3560 Series Switches, activate the dual-stack template. Look at the following configuration and the Cisco IOS Software output. The dual-ipv4-and-ipv6 default template is used in this answer key. The output was generated on SW4:

SW4(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SW4(config)#end

Save your running configuration, and reload the switches:


SW4#write memory
Building configuration...
1d01h: %SYS-5-CONFIG_I: Configured from console by console[OK]
SW4#reload
Proceed with reload? [confirm]

When the switch comes back up, verify the current template:
SW4#show sdm prefer
 The current template is "desktop IPv4 and IPv6 default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  2K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    3K
    number of directly-connected IPv4 hosts:        2K
    number of indirect IPv4 routes:                 1K
  number of IPv6 multicast groups:                  1152
  number of directly-connected IPv6 addresses:      2K
  number of indirect IPv6 unicast routes:           1K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      512
  number of IPv4/MAC security aces:                 1K
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          510
  number of IPv6 security aces:                     510
SW4#

To exchange RIP updates between the spokes R2 and R3, disable split horizon on the hub router R1.

Issue: Configure IPv6 addresses and IPv6 OSPF Area 0 on the VLAN 16 link between R1 and R6 and Area 80 on the loopback 80 interface of R6. Use the OSPF network type that does not elect a DR or BDR and that would permit additional OSPF routers on the link.

Solution: First, issue the ipv6 unicast-routing command on the IPv6 routers. Then, assign routable and link-local addresses on each required interface, and add them to the IPv6 OSPF process, as shown:

R1:

interface FastEthernet0/0
 encapsulation dot1Q 16
 ipv6 address 1600::1/16
 ipv6 address FE80::16:1 link-local
 ipv6 ospf network point-to-multipoint
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 log-adjacency-changes

R6:
interface Loopback80
 ipv6 address 8000::1/16
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 80
!
interface FastEthernet0/1
 ip address 172.16.16.6 255.255.255.0
 duplex auto
 speed auto
 ipv6 address 1600::6/16
 ipv6 address FE80::16:6 link-local
 ipv6 ospf network point-to-multipoint
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1

Notice that the IPv6 OSPF network type on the Fast Ethernet interfaces defaults to broadcast. The scenario requires that you choose the OSPF network type that does not elect a DR and BDR. The point-to-point network type would meet this requirement, but it would not permit more than two OSPF neighbors on the link. Therefore, change the network type on R1 and R6 to point-to-multipoint or point-to-multipoint nonbroadcast:

R1#show ipv6 ospf int fa 0/0
FastEthernet0/0 is up, line protocol is up
  Link Local Address FE80::16:1, Interface ID 13
  Area 0, Process ID 1, Instance ID 0, Router ID 172.16.10.1
  Network Type POINT_TO_MULTIPOINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:07
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 3, maximum is 6
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 172.16.80.97
    Adjacent with neighbor 172.16.16.30
  Suppress hello for 0 neighbor(s)
R1#show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.62.6       1   FULL/  -        00:01:45    4               FastEthernet0/0
R1#

R1#show ipv6 route ospf
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   1600::6/128 [110/1]
     via FE80::16:6, FastEthernet0/0
OI  8000::/16 [110/2]
     via FE80::16:6, FastEthernet0/0
R1#

Just as with IPv4, the point-to-multipoint OSPF network type generates host routes for devices on the subnet. In the case of IPv6, they are /128.

IPv6 Redistribution Strategy

On R1, mutually redistribute the RIPng frame process and IPv6 OSPF into each other. Configure the redistribute connected command into both RIP and OSPF, or use the include-connected keyword where available. This diagram illustrates the steps described:

[Diagram: R1 mutually redistributes between IPv6 OSPF and RIPng frame, and injects the IPv6 connected routes into both.]

Configuration and verification:

R1:

ipv6 router ospf 1
 log-adjacency-changes
 redistribute connected
 redistribute rip frame
!
ipv6 router rip frame
 redistribute connected metric 3
 redistribute ospf 1 metric 3
 no split-horizon
 port 65000 multicast-group FF02::9999

Here is a Tcl script that you can use to verify connectivity between the IPv6 addresses:

foreach address {
1230::1
1600::1
1230::2
1230::3
3400::3
1600::6
8000::1
3400::40
1400::1
} {ping $address}

Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

9. Security Section
Issue: The IPv4 options are not used very much in modern networks, and your supervisor decided to drop all IP traffic containing IP options on R5. Do not apply the solution to any interface. Solution: Here is the format of an IP datagram:

There may, or may not, be an option field. If there is one, it can vary in length. The following diagram expands the IP Options field:

The IP options values are documented at http://www.iana.org/assignments/ip-parameters.



The ACL IP Options Selective Drop feature, integrated into Cisco IOS Software Release 12.3(4)T, allows Cisco routers to filter packets containing IP options or to mitigate the effects of IP options on a router or downstream routers by dropping these packets or ignoring the processing of the IP options. The ignore option is not available in the Cisco IOS Software release used to generate this answer key. Configure ip options drop on R5.

Verification: Verify that R5 does not drop IP packets with no IP options:

R1#ping 172.16.50.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.50.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/40 ms

Verify that R5 does drop the IP packets with IP options. The timestamp IP option is used in this test:
R1#ping
Protocol [ip]:
Target IP address: 172.16.50.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Time
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.50.1, timeout is 2 seconds:
Packet has IP options:  Total option bytes= 40, padded length=40
 Timestamp: Type 0.  Overflows: 0 length 40, ptr 5
  >>Current pointer<<
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)
  Time= 00:00:00.000 UTC (00000000)

Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
Success rate is 0 percent (0/5)

You can see the statistics in the output of the following command:
R5#show ip traffic
IP statistics:
  Rcvd:  5551 total, 5527 local destination
         0 format errors, 0 checksum errors, 0 bad hop count
         10 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
  Bcast: 145 received, 0 sent
  Mcast: 3799 received, 3595 sent
  Sent:  5146 generated, 10 forwarded
  Drop:  1 encapsulation failed, 0 unresolved, 0 no adjacency
         0 no route, 0 unicast RPF, 0 forced drop
         5 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
R5#
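As an added example that is not part of the answer key, the following Python code builds an IPv4 header carrying the 40-byte timestamp option that the extended ping above sends, walks the option field the way a selective-drop decision has to (including malformed lengths), and models the forward-or-drop outcome of ip options drop together with counters in the spirit of the show ip traffic Opts line. The addresses, packet contents and option-name table are constructed for illustration.

```python
import socket
import struct

# IPv4 option type codes from the IANA ip-parameters registry the answer key
# points to. Only the types named by the "show ip traffic" Opts counters appear.
OPTION_NAMES = {
    0: "end", 1: "nop", 7: "record route", 68: "timestamp",
    130: "basic security", 131: "loose source route", 133: "extended security",
    136: "stream ID", 137: "strict source route", 148: "router alert",
}

# Constructed: the option the extended ping sends, i.e. a timestamp option
# (type 68) with room for 9 timestamps: 4 header bytes + 9 * 4 = 40 bytes.
# Layout: type, length, pointer (5 = first free slot), overflow/flag (0 = timestamps only).
TIMESTAMP_OPTION = bytes([68, 40, 5, 0]) + b"\x00" * 36

IPV4_FORMAT = "!BBHHHBBH4s4s"   # fixed 20-byte part of the header


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words (0 when verifying a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, options: bytes = b"", ttl: int = 64) -> bytes:
    """Constructed IPv4 header (protocol 1 = ICMP, no payload) carrying the option bytes."""
    options += b"\x00" * ((-len(options)) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4                          # header length in 32-bit words
    fields = [(4 << 4) | ihl, 0, ihl * 4, 0, 0, ttl, 1, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(IPV4_FORMAT, *fields) + options)
    return struct.pack(IPV4_FORMAT, *fields) + options


def parse_ip_options(packet: bytes) -> list:
    """Return (type, name, length) for every option in the header.

    A malformed option field raises ValueError; a filter must not forward such a packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad IHL")
    opts = packet[20:ihl * 4]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                               # End of Option List
            found.append((0, "end", 1))
            break
        if kind == 1:                               # No Operation, a single byte
            found.append((1, "nop", 1))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated after the type byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length %d overruns the header" % length)
        found.append((kind, OPTION_NAMES.get(kind, "other"), length))
        i += length
    return found


def selective_drop(packet: bytes) -> str:
    """Model of the 'ip options drop' decision: forward only a packet whose
    checksum verifies and whose header carries no options at all."""
    if ip_checksum(packet[:(packet[0] & 0x0F) * 4]) != 0:
        return "drop"
    try:
        return "drop" if parse_ip_options(packet) else "forward"
    except ValueError:
        return "drop"


def option_statistics(packets) -> dict:
    """Counters in the spirit of the 'show ip traffic' Opts line."""
    stats = {"with options": 0, "options denied": 0}
    for pkt in packets:
        if selective_drop(pkt) == "drop":
            stats["options denied"] += 1
        try:
            names = {name for _, name, _ in parse_ip_options(pkt)}
        except ValueError:
            names = {"other"}
        if names:
            stats["with options"] += 1
        for name in names:
            stats[name] = stats.get(name, 0) + 1
    return stats
```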

Issue: An imaginary intrusion prevention system (IPS) probe with the MAC address 0007.ebaa.0e00 is residing on VLAN 16. One in every five packets of the incoming traffic from the network 172.16.50.0/24 destined to the network 172.16.77.0/24 must be exported to the IPS probe.

Solution: The IP Traffic Export feature, introduced in Cisco IOS Software Release 12.3(4)T, allows users to configure their router to export IP packets that are received on multiple, simultaneous WAN or LAN interfaces. The unaltered IP packets are exported on a single LAN or VLAN interface, easing deployment of protocol analyzers and monitoring devices.

Configuration and verification: Configure the traffic export profile on R1:

ip traffic-export profile TRAFFIC-R5-SW3
 interface FastEthernet0/0
 incoming access-list 199
 mac-address 0007.ebaa.0e00
 incoming sample one-in-every 5

Specify the access list to match the required criteria for the incoming traffic on R1:
access-list 199 permit ip 172.16.50.0 0.0.0.255 172.16.77.0 0.0.0.255

Apply the traffic export profile on the interface:


interface Serial0/0/0.123 multipoint
 ip address 172.16.123.1 255.255.255.0
 ip traffic-export apply TRAFFIC-R5-SW3

Generate the traffic to be exported:


R5#ping 172.16.77.7 source 172.16.50.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.77.7, timeout is 2 seconds:
Packet sent with a source address of 172.16.50.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 40/43/240 ms
R5#

R1#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface        Serial0/0/0
  Export Interface         FastEthernet0/0
  Destination MAC address  0007.ebaa.0e00
  bi-directional traffic export is off
Input IP Traffic Export Information
  Packets/Bytes Exported   20/2000
  Packets Dropped          81
  Sampling Rate            one-in-every 5 packets
  Access List              199 [extended IP]
Profile TRAFFIC-R5-SW3 is Active
R1#

Note that the number of exported packets is 20 out of a total number of 100 generated packets, according to the sampling rate.


Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

10. QoS Section


Issue: Limit only incoming User Datagram Protocol (UDP) traffic destined to port 5120 to an 8000-b/s rate on the VLAN 100 interface of R1. Configure the minimal values for normal burst size and maximum burst size.

Solution: You have two traffic policing configuration options: committed access rate (CAR) rate limit and Modular QoS CLI (MQC) policing. The MQC configuration must not be used to accomplish this quality of service (QoS) task according to the scenario requirement. The only option left is CAR. Use an access list to specify only the required UDP stream for rate limiting. The minimal values depend on the Cisco IOS Software version. Determine these minimal values by using the ? key with the Cisco IOS Software help facility. When you use CAR, you will notice that the listed 1000-byte minimal value will not be accepted. The Cisco IOS Software will let you know that you have to use at least the maximum transmission unit (MTU) size for the burst size.

Issue: The committed information rate (CIR) of the PVC should be set to 96000 b/s. The committed rate measurement interval (Tc) value should be 10 ms. Make sure that you do not excessively burst the data traffic, and do not use the throttling mechanism.

Solution: To accomplish this task, you must configure Frame Relay traffic shaping (FRTS). Keep in mind the following recommended practices:

Do not exceed the CIR of the PVC. In other words, do not allow the router to burst to port speed.

Do not use Frame Relay adaptive shaping. Look at the first recommendation; if you do not allow the CIR to be exceeded, there is no reason to configure the throttling-down mechanism based on the backward explicit congestion notifications (BECNs).

Make the committed burst size (Bc) small so that Tc is small (Tc = Bc/CIR). The Tc value should be 10 ms. Making Bc equal to 1000 bits is usually a low enough value to force the router to use the minimum Tc of 10 ms.

Set the excess burst (Be) to zero.

The resulting map class is displayed:


map-class frame-relay SHAPE-R1-R3
 frame-relay cir 96000
 frame-relay mincir 96000
 frame-relay bc 1000
 frame-relay be 0

The fragment size was not explicitly specified anywhere in the scenario. The value 70 is used as a fragment size in this answer key. Verification:
R3#sh frame-relay pvc 301

PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)

DLCI = 301, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0

  input pkts 2875           output pkts 5420         in bytes 287787
  out bytes 465979          dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0           in DE pkts 0             out DE pkts 0
  out bcast pkts 4265       out bcast bytes 329530
  5 minute input rate 2000 bits/sec, 2 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
  pvc create time 01:49:49, last time pvc status changed 01:48:39
  cir 96000     bc 1000      be 0         byte limit 125    interval 10
  mincir 96000  byte increment 120  Adaptive Shaping none
  pkts 2090     bytes 217372  pkts delayed 306       bytes delayed 26050
  shaping inactive
  traffic shaping drops 0
  Queueing strategy: fifo
  Output queue 0/40, 0 drop, 306 dequeued
R3#

Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

11. Address Administration Section


Issue: IP address 172.16.34.40 is configured on the VLAN 34 interface of SW4, and the lowest 10 IP addresses will be used for routers, servers, and printers. Solution: Configure an ip dhcp excluded-address command for these addresses. Issue: Specific workstations with supplied MAC addresses should always receive the same IP address. Solution: Create separate DHCP pools, the manual bindings for each supplied MAC address, and configure the corresponding IP address to each separate pool. Issue: Supply the appropriate gateway IP address. Solution: This task is tied to the Hot Standby Router Protocol (HSRP) configuration in the next section. To fulfill this task, read ahead and determine the virtual IP address used by HSRP. Configuration and verification:
ip dhcp excluded-address 172.16.34.1 172.16.34.10
ip dhcp excluded-address 172.16.34.40
!
ip dhcp pool test
 network 172.16.34.0 255.255.255.128
 default-router 172.16.34.1
 dns-server 10.10.10.10
 domain-name test.net
!
ip dhcp pool 1
 host 172.16.34.61 255.255.255.128
 hardware-address 0050.04df.5f61
 default-router 172.16.34.1
 dns-server 10.10.10.10
 domain-name test.net
!
ip dhcp pool 2
 host 172.16.34.60 255.255.255.128
 hardware-address 0050.04df.5f60
 default-router 172.16.34.1
 dns-server 10.10.10.10
 domain-name test.net

R4#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.34.60        0050.04df.5f60          Infinite                Manual
172.16.34.61        0050.04df.5f61          Infinite                Manual
R4#

Tip

Always read a CCIE lab exam end-to-end, and carefully look for hidden issues that might involve multiple tasks.

Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

12. HSRP Gateway Redundancy Section


Issue: If the Frame Relay connection fails, prefer R4.
Solution: Configure the HSRP track command so that R3 monitors the status of its Frame Relay interface. If the R3 Frame Relay interface goes down, R3 lowers its HSRP priority so that R4 can take over the active role.

Issue: Prefer R3 when the Frame Relay connection becomes active.
Solution: Configure the HSRP preempt command to allow R3 to regain the active state when its Frame Relay link becomes active again. The virtual IP address will be used in the DHCP pools.

Issue: Why would preempt be required? Will R4 take over from R3 when the serial goes down without the preempt statement on R4?

Verification steps:

1. On R3, tracked interface S0/0/0 is shut down, and the priority is decremented to 99:
R3#show stand
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:01:58
  Virtual IP address is 172.16.34.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.120 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.34.4, priority 100 (expires in 8.272 sec)
  Priority 99 (configured 109)
    Track interface Serial0/0/0 state Down decrement 10
  IP redundancy name is "hsrp-Fa0/0-1" (default)
R3#

2. Check the HSRP status on R4:


R4#sh standby
FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 00:04:51
  Virtual IP address is 172.16.34.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.316 secs
  Preemption disabled
  Active router is 172.16.34.3, priority 99 (expires in 9.164 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0-1" (default)
R4#

Note that the local priority is 100, which is higher than the priority of 99 advertised by R3. Because preemption is disabled on R4, R4 remains in the standby state.

3. Enable preemption on R4:
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int fa 0/0
R4(config-if)#standby 1 preempt
R4(config-if)#
*Mar  1 00:09:19.617: %HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
R4(config-if)#

4. With preemption disabled, R4 would become the active router only if R3 goes down entirely and R4 stops receiving HSRP hellos from R3.

Issue: Assign the lowest IP address on VLAN 34 to the virtual gateway.
Solution: From the DHCP configuration in the previous section, select the lowest IP address from the DHCP excluded-address range.
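To make the interaction of tracking, priority and preemption explicit, here is an added Python model of the R3/R4 group (example code, not configuration from the answer key). It assumes the values in the verification output above (R3 priority 109, decrement 10, preempt enabled; R4 at the default priority 100) and that both routers start at the same time, so the first election goes to the higher priority; the class and function names are the example's own.

```python
"""HSRP election model: priority, interface tracking and preempt.

Added example (not configuration or code from the answer key). It replays the
R3/R4 verification steps above with the values shown there: R3 priority 109,
tracking Serial0/0/0 with decrement 10, preempt enabled; R4 at the default
priority 100 with preempt initially disabled. Election rules follow RFC 2281:
higher priority wins, ties go to the higher IP address, and a live active
router is only displaced by a router that has preempt enabled.
"""
from dataclasses import dataclass, field


def ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


@dataclass
class HsrpRouter:
    name: str
    ip: str
    configured_priority: int = 100
    preempt: bool = False
    tracked: dict = field(default_factory=dict)     # interface -> decrement
    interfaces: dict = field(default_factory=dict)  # interface -> link is up
    alive: bool = True                              # False: no hellos are sent

    @property
    def priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface
        that is down ("Priority 99 (configured 109)" on R3)."""
        p = self.configured_priority
        for ifname, decrement in self.tracked.items():
            if not self.interfaces.get(ifname, True):
                p -= decrement
        return max(p, 0)

    def beats(self, other: "HsrpRouter") -> bool:
        if self.priority != other.priority:
            return self.priority > other.priority
        return ip_key(self.ip) > ip_key(other.ip)


class HsrpGroup:
    def __init__(self, routers):
        self.routers = routers
        # All routers start together, so the best candidate wins the first election.
        self.active = max(routers, key=lambda r: (r.priority, ip_key(r.ip)))

    def hello_cycle(self):
        """One hello/hold interval: the active router keeps the role unless its
        hellos stopped (hold timer expiry) or a preempt-enabled router now has
        a higher priority."""
        alive = [r for r in self.routers if r.alive]
        if self.active is None or not self.active.alive:
            self.active = max(alive, key=lambda r: (r.priority, ip_key(r.ip))) if alive else None
            return self.active
        for r in alive:
            if r is not self.active and r.preempt and r.beats(self.active):
                self.active = r
        return self.active


def build_group():
    r3 = HsrpRouter("R3", "172.16.34.3", configured_priority=109, preempt=True,
                    tracked={"Serial0/0/0": 10}, interfaces={"Serial0/0/0": True})
    r4 = HsrpRouter("R4", "172.16.34.4")
    return r3, r4, HsrpGroup([r3, r4])


def preempt_scenario():
    """Verification steps 1 to 3: returns (step, active router, R3 priority)."""
    r3, r4, grp = build_group()
    log = [("initial", grp.hello_cycle().name, r3.priority)]
    r3.interfaces["Serial0/0/0"] = False           # step 1: tracked link down
    log.append(("S0/0/0 down, R4 no preempt", grp.hello_cycle().name, r3.priority))
    r4.preempt = True                               # step 3: standby 1 preempt on R4
    log.append(("R4 preempt enabled", grp.hello_cycle().name, r3.priority))
    r3.interfaces["Serial0/0/0"] = True             # link restored: R3 preempts back
    log.append(("S0/0/0 up again", grp.hello_cycle().name, r3.priority))
    return log


def failover_without_preempt():
    """Step 4: with preempt disabled on R4, only the loss of R3's hellos moves
    the active role, not the priority drop alone."""
    r3, r4, grp = build_group()
    r3.interfaces["Serial0/0/0"] = False
    after_link_down = grp.hello_cycle().name        # still R3
    r3.alive = False                                # R3 down entirely
    after_r3_dead = grp.hello_cycle().name          # R4 takes over
    return after_link_down, after_r3_dead


if __name__ == "__main__":
    for step, active, prio in preempt_scenario():
        print(f"{step:28} active={active} R3 priority={prio}")
    print(failover_without_preempt())
```

The model makes the answer to the question above concrete: after the tracked link fails, R3 still advertises itself as active at priority 99, and R4 only takes over once it is allowed to preempt; without that, the role moves only when R3's hellos stop.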
Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.

13. NTP Configuration Section


Issue: Make R1 the Network Time Protocol (NTP) master with stratum 5.
Solution: Configure the ntp master command on R1, setting the stratum level to 5.

Issue: Configure a server association between R3 and R1.
Solution: To fulfill this requirement, use the ntp server command on R3.

Issue: Configure a peer association between R3 and R4.
Solution: To fulfill this requirement, use the ntp peer command on R4, pointing to R3. Verify the correctness of your approach with show ntp association detail. You need not configure an ntp peer command on R3, because the default configuration of a Cisco router allows it to become an NTP peer.

Verification: On R1, verify show ntp status:
Clock is synchronized, stratum 5, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is C71E598D.D7302378 (23:43:09.840 UTC Thu Nov 10 2005)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

On R3, verify show ntp status:


Clock is synchronized, stratum 6, reference is 172.16.123.1
nominal freq is 250.0000 Hz, actual freq is 249.9930 Hz, precision is 2**18
reference time is C71E59C9.B49D5EB9 (23:44:09.705 UTC Thu Nov 10 2005)
clock offset is -0.0807 msec, root delay is 17.62 msec
root dispersion is 1.31 msec, peer dispersion is 1.19 msec

On R4, verify show ntp status:


Clock is synchronized, stratum 7, reference is 172.16.34.3
nominal freq is 250.0000 Hz, actual freq is 249.9976 Hz, precision is 2**18
reference time is C71E58CB.A34BDA8D (23:39:55.637 UTC Thu Nov 10 2005)
clock offset is -0.1109 msec, root delay is 20.55 msec
root dispersion is 0.47 msec, peer dispersion is 0.09 msec
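As an added example (not from the answer key), the following Python decodes the reference time that show ntp status prints and checks the stratum chain across the three outputs: each synchronised router must sit exactly one stratum below the router it references, and the master referencing its local clock (127.127.7.1) is the root. The three outputs above are embedded as sample text, the mapping of reference addresses to routers (172.16.123.1 on R1, 172.16.34.3 on R3) is taken from the page, and the function names are the example's own.

```python
"""NTP status parsing: timestamp decoding and stratum-chain check.

Added example, not part of the answer key. The three 'show ntp status'
outputs above are embedded here as sample text, and the mapping of reference
addresses to routers (172.16.123.1 is R1, 172.16.34.3 is R3) comes from the
page. The 64-bit NTP timestamp is decoded from the 1900 epoch as RFC 5905
defines it; 127.127.x.x is the local-clock pseudo address of a master, which
the check treats as the root of the hierarchy.
"""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
LOCAL_CLOCK_PREFIX = "127.127."

# Sample input: the R1, R3 and R4 'show ntp status' outputs from the page.
STATUS_OUTPUT = {
    "R1": """Clock is synchronized, stratum 5, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is C71E598D.D7302378 (23:43:09.840 UTC Thu Nov 10 2005)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec""",
    "R3": """Clock is synchronized, stratum 6, reference is 172.16.123.1
nominal freq is 250.0000 Hz, actual freq is 249.9930 Hz, precision is 2**18
reference time is C71E59C9.B49D5EB9 (23:44:09.705 UTC Thu Nov 10 2005)
clock offset is -0.0807 msec, root delay is 17.62 msec
root dispersion is 1.31 msec, peer dispersion is 1.19 msec""",
    "R4": """Clock is synchronized, stratum 7, reference is 172.16.34.3
nominal freq is 250.0000 Hz, actual freq is 249.9976 Hz, precision is 2**18
reference time is C71E58CB.A34BDA8D (23:39:55.637 UTC Thu Nov 10 2005)
clock offset is -0.1109 msec, root delay is 20.55 msec
root dispersion is 0.47 msec, peer dispersion is 0.09 msec""",
}

# Which router owns each reference address (from the lab topology on the page).
ADDRESS_TO_ROUTER = {"172.16.123.1": "R1", "172.16.34.3": "R3"}


def ntp_timestamp_to_datetime(ts: str) -> datetime:
    """Decode 'SSSSSSSS.FFFFFFFF' (hex seconds since 1900 plus a 32-bit
    binary fraction) into an aware UTC datetime."""
    secs_hex, frac_hex = ts.split(".")
    seconds = int(secs_hex, 16)
    fraction = int(frac_hex, 16) / 2 ** 32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=round(fraction * 1_000_000))


def parse_ntp_status(text: str) -> dict:
    m = re.search(r"Clock is (\w+), stratum (\d+), reference is (\S+)", text)
    t = re.search(r"reference time is ([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})", text)
    if not m or not t:
        raise ValueError("unrecognised show ntp status output")
    return {
        "state": m.group(1),
        "stratum": int(m.group(2)),
        "reference": m.group(3),
        "reference_time": ntp_timestamp_to_datetime(t.group(1)),
    }


def check_stratum_chain(outputs: dict, address_to_router: dict) -> dict:
    """For every router, True when it is synchronised and its stratum is one
    more than that of the router it references (or it is a master on its
    local clock)."""
    parsed = {name: parse_ntp_status(txt) for name, txt in outputs.items()}
    result = {}
    for name, st in parsed.items():
        if st["state"] != "synchronized":
            result[name] = False
            continue
        if st["reference"].startswith(LOCAL_CLOCK_PREFIX):
            result[name] = True
            continue
        upstream = address_to_router.get(st["reference"])
        result[name] = upstream in parsed and st["stratum"] == parsed[upstream]["stratum"] + 1
    return result


if __name__ == "__main__":
    for name, txt in STATUS_OUTPUT.items():
        st = parse_ntp_status(txt)
        print(name, st["stratum"], st["reference"],
              st["reference_time"].isoformat(timespec="milliseconds"))
    print(check_stratum_chain(STATUS_OUTPUT, ADDRESS_TO_ROUTER))
```

Decoding C71E598D.D7302378 gives 2005-11-10 23:43:09.840 UTC, the value IOS prints in parentheses, so the parser can be used on outputs that carry only the raw timestamp; the chain check returns True for all three routers (5, 6, 7).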

Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.


14. Multicast Configuration Section


Issue: Root the shared tree for the group 230.30.30.30 from the interface loopback 10 of R1.
Solution: The wording of this task clearly leads toward a Protocol Independent Multicast (PIM) sparse configuration. The rendezvous point (RP) IP address will be the IP address of the loopback 10 interface of R1. Loopback 10 must be reachable through unicast routing, which is also a part of the overall reachability requirement.

Issue: All the member multicast routers of this tree should be configured statically to form the shared tree.
Solution: Three methods exist for letting the multicast routers know where the RP is:
1. Static ip pim rp-address configuration on every member of the shared tree
2. Autodiscovery protocol
3. Bootstrap router (BSR) protocol
You will use the static configuration in this scenario.

Issue: R6 is excluded from the multicast tree and should not have any PIM configuration.
Solution: R6 is a source of the multicast stream and does not have to be a multicast router. The scenario prohibits the configuration of R6 as a multicast router.

Issue: No multicast routers should display (S,G) state in their respective multicast routing tables.
Solution: Normally, a sparse mode multicast distribution tree has (S,G) forwarding entries along the path from the RP to the first-hop router from the source of the multicast traffic. Bidirectional PIM uses (*,G) entries only for the forwarding of multicast traffic. Use the ip pim bidir-enable command to activate bidirectional functionality on the multicast router.


Issue: Use loopback interfaces to simulate the receivers of the traffic destined to the group 230.30.30.30.
Solution: You can use the loopback interfaces for active multicast receiver simulation. Follow these steps for each loopback interface that is required in this scenario:
1. Configure an IP address on the loopback interface.
2. Enable IP PIM on the interface.
3. Use the interface configuration command ip igmp join-group 230.30.30.30.

Issue: Build the shared tree only for 230.30.30.30. Use a standard access list with the name MCAST to accomplish this task.
Solution: Use the named access list MCAST to restrict the use of the RP to the specified group. R3 is used as an example:

R3:
ip pim rp-address 172.16.10.1 MCAST bidir
!
ip access-list standard MCAST
 permit 230.30.30.30


R3#sh ip pim rp map
PIM Group-to-RP Mappings

Acl: MCAST, Static, Bidir Mode
    RP: 172.16.10.1 (?)
R3#

Here is a configuration verification procedure:

1. Ping the multicast group 230.30.30.30 from R6:

R6#ping 230.30.30.30 source 172.16.16.6

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 230.30.30.30, timeout is 2 seconds:
Packet sent with a source address of 172.16.16.6

Reply to request 0 from 172.16.16.1, 4 ms
Reply to request 0 from 172.16.123.3, 76 ms
Reply to request 0 from 172.16.25.5, 64 ms
Reply to request 0 from 172.16.123.2, 52 ms
R6#

2. Check the multicast routing table on the RP, R1:


R1#show ip mroute bidirectional
(*, 230.30.30.30), 00:05:26/00:03:21, RP 172.16.10.1, flags: BCL
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  RP itself
  Outgoing interface list:
    Loopback10, Forward/Sparse, 00:05:26/00:02:43
    Serial0/0/0.123, 172.16.123.2, Forward/Sparse, 00:04:15/00:03:10
    Serial0/0/0.123, 172.16.123.3, Forward/Sparse, 00:04:07/00:03:21

R1#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, Y - Joined MDT-data group,
       y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 230.30.30.30), 00:05:38/00:03:09, RP 172.16.10.1, flags: BCL
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback10, Forward/Sparse, 00:05:38/00:02:31
    Serial0/0/0.123, 172.16.123.2, Forward/Sparse, 00:04:27/00:02:59
    Serial0/0/0.123, 172.16.123.3, Forward/Sparse, 00:04:19/00:03:09

(*, 224.0.1.40), 00:05:38/00:02:32, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback10, Forward/Sparse, 00:05:39/00:02:31
R1#

3. Check the multicast routing table on the router members of the shared tree, for example, R3:
R3#show ip mroute bidirectional
(*, 230.30.30.30), 00:09:30/00:02:46, RP 172.16.10.1, flags: BCL
  Bidir-Upstream: Serial0/0/0, RPF nbr 172.16.123.1
  Outgoing interface list:
    Serial0/0/0, Bidir-Upstream/Sparse, 00:08:12/00:00:00
    Loopback30, Forward/Sparse, 00:09:30/00:02:46
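Added example (not from the answer key): a small Python check of the "no (S,G) state" requirement that parses show ip mroute output and applies the MCAST-restricted static RP mapping from the configuration above. The R1 output is embedded as sample input; the second sample, which carries an (S,G) entry, is constructed to show what an ordinary sparse-mode tree would trigger in the check and is not something observed in the lab. Function and constant names are the example's own.

```python
"""Check that a bidirectional PIM shared tree carries only (*,G) state.

Added example, not from the answer key. The R1 'show ip mroute' output above
is embedded as sample text; a second, hypothetical sample adds an (S,G) entry
of the kind a plain sparse-mode tree would create once R6 starts sending, to
show what the check reports. The static RP mapping restricted by the MCAST
access list is modelled as configured on the page.
"""
import re

ENTRY_RE = re.compile(r"^\((\S+), (\S+)\), \S+(?:, RP (\S+))?, flags: (\S+)", re.M)

# Sample input: the R1 output from the verification above.
R1_MROUTE = """(*, 230.30.30.30), 00:05:38/00:03:09, RP 172.16.10.1, flags: BCL
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback10, Forward/Sparse, 00:05:38/00:02:31
    Serial0/0/0.123, 172.16.123.2, Forward/Sparse, 00:04:27/00:02:59
    Serial0/0/0.123, 172.16.123.3, Forward/Sparse, 00:04:19/00:03:09

(*, 224.0.1.40), 00:05:38/00:02:32, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback10, Forward/Sparse, 00:05:39/00:02:31
"""

# Hypothetical sample (constructed, not observed): the same table with the
# (S,G) entry that ordinary PIM sparse mode would build for the R6 source.
SPARSE_MROUTE = R1_MROUTE + """
(172.16.16.6, 230.30.30.30), 00:00:12/00:02:48, flags: T
  Incoming interface: FastEthernet0/1, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/0/0.123, 172.16.123.3, Forward/Sparse, 00:00:12/00:03:18
"""

# Static mapping from the page: 'ip pim rp-address 172.16.10.1 MCAST bidir'
# with 'ip access-list standard MCAST' / 'permit 230.30.30.30'.
ACL_MCAST = [("permit", "230.30.30.30", "0.0.0.0")]        # action, address, wildcard
RP_MAPPINGS = [{"rp": "172.16.10.1", "acl": ACL_MCAST, "bidir": True}]


def _ip_int(dotted):
    value = 0
    for octet in dotted.split("."):
        value = (value << 8) | int(octet)
    return value


def _wildcard_match(addr, pattern, wildcard):
    mask = 0xFFFFFFFF ^ _ip_int(wildcard)           # wildcard bit 1 = don't care
    return (_ip_int(addr) & mask) == (_ip_int(pattern) & mask)


def rp_for_group(group, mappings=RP_MAPPINGS):
    """First ACL line that matches decides; no match is an implicit deny, so
    the group gets no RP and therefore no shared tree."""
    for mapping in mappings:
        for action, address, wildcard in mapping["acl"]:
            if _wildcard_match(group, address, wildcard):
                return (mapping["rp"], mapping["bidir"]) if action == "permit" else None
    return None


def parse_mroute(text):
    return [{"source": s, "group": g, "rp": rp or None, "flags": f}
            for s, g, rp, f in ENTRY_RE.findall(text)]


def check_bidir_only(text, group):
    """(ok, problems): the group needs a (*,G) entry with the B flag and must
    have no (S,G) entries at all."""
    problems = []
    entries = [e for e in parse_mroute(text) if e["group"] == group]
    if not any(e["source"] == "*" and "B" in e["flags"] for e in entries):
        problems.append(f"no bidir (*, {group}) entry")
    for e in entries:
        if e["source"] != "*":
            problems.append(f"(S,G) state present: ({e['source']}, {group}) flags {e['flags']}")
    return not problems, problems


if __name__ == "__main__":
    print(rp_for_group("230.30.30.30"), rp_for_group("230.30.30.31"))
    print(check_bidir_only(R1_MROUTE, "230.30.30.30"))
    print(check_bidir_only(SPARSE_MROUTE, "230.30.30.30"))
```

Run against every member router's output, the check passes only when each one shows the bidir (*,G) entry and nothing source-specific; the (*, 224.0.1.40) Auto-RP entry is ignored because it belongs to a different group.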

Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.


15. SNMP Section


Issue: Use the Simple Network Management Protocol version 3 (SNMPv3) security model to enable user OPER in the OPERATORS group to have read access to the Cisco MIB, and create user ADMIN in the ADMINISTRATORS group to have write access to this view. Do not use authentication, but restrict access by source IP address.
Solution: The SNMPv3 security model is based on users and groups. In this exercise, you create two groups (OPERATORS and ADMINISTRATORS) and a user for each group (OPER and ADMIN). You create a view with the name CISCO that includes just the Cisco branch of the MIB tree. The OPERATORS group has only read access to this view. ADMINISTRATORS can read any MIB object and have write privileges to the CISCO view. In addition, group access is limited by source IP address. Here is the configuration:
snmp-server user OPER OPERATORS v3
snmp-server user ADMIN ADMINISTRATORS v3
snmp-server group OPERATORS v3 noauth read CISCO access 90
snmp-server group ADMINISTRATORS v3 noauth write CISCO access 91
snmp-server view CISCO cisco included

access-list 90 permit 10.1.1.90
access-list 91 permit 10.1.1.91

It is possible to apply the access list at the user or group level, but this task specifically required the group restriction. Verify your user and group configuration:
R1#show snmp user

User name: OPER
Engine ID: 80000009030000D0BA8B0021
storage-type: nonvolatile        active
Authentication Protocol: None
Privacy Protocol: None
Group-name: OPERATORS

User name: ADMIN
Engine ID: 80000009030000D0BA8B0021
storage-type: nonvolatile        active
Authentication Protocol: None
Privacy Protocol: None
Group-name: ADMINISTRATORS

The users have been created without authentication and have been assigned to the required groups. Here is output verifying the group configuration; it excludes the built-in groups:
R1#show snmp group
groupname: OPERATORS                        security model:v3 noauth
readview : CISCO                            writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active      access-list: 90

groupname: ADMINISTRATORS                   security model:v3 noauth
readview : v1default                        writeview: CISCO
notifyview: <no notifyview specified>
row status: active      access-list: 91

As required, members of the OPERATORS group have only read access to the CISCO view. They can neither read any other MIB objects nor make any changes. By contrast, members of the ADMINISTRATORS group have complete read access through the default view and have write privileges to objects in the CISCO view.

Here you see a portion of the MIB tree in graphical form.

The Cisco portion of the MIB tree is part of the org/dod/internet/private/enterprises branch, and all its object IDs (OIDs) begin with 1.3.6.1.4.1.9. To demonstrate and verify this configuration, use the Net-SNMP programs snmpget.exe and snmpset.exe from a workstation on VLAN 100. First, demonstrate that both users OPER and ADMIN can read the hostname string from the Cisco MIB:
C:\>snmpget -v 3 -u OPER 172.40.10.18 1.3.6.1.4.1.9.2.1.3.0
iso.3.6.1.4.1.9.2.1.3.0 = STRING: "R1"

C:\>snmpget -v 3 -u ADMIN 172.40.10.18 1.3.6.1.4.1.9.2.1.3.0
iso.3.6.1.4.1.9.2.1.3.0 = STRING: "R1"

Both users get a response of R1, because they both were given read access to the CISCO view. Next, try to read an object outside of the CISCO view: the sysUpTime object from the MIB-2 branch:
C:\>snmpget -v 3 -u OPER 172.40.10.18 1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = No Such Object available on this agent at this OID

Note that user OPER gets an error message. Here is the response when the same command is issued by ADMIN:
C:\>snmpget -v 3 -u ADMIN 172.40.10.18 1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (7905507) 21:57:35.07

User ADMIN has read access to the entire MIB tree, but user OPER cannot read objects outside the CISCO view, just as required. Verify that user ADMIN has write access to the CISCO view but user OPER does not. Issuing an SNMP set command to OID 1.3.6.1.4.1.9.2.1.75.0 of the Cisco MIB with integer value zero clears the ARP cache.
C:\>snmpset -v 3 -u ADMIN 172.40.10.18 1.3.6.1.4.1.9.2.1.75.0 i 0
iso.3.6.1.4.1.9.2.1.75.0 = INTEGER: 0

C:\>snmpset -v 3 -u OPER 172.40.10.18 1.3.6.1.4.1.9.2.1.75.0 i 0
Error in packet.
Reason: noAccess
Failed object: iso.3.6.1.4.1.9.2.1.75.0

For user ADMIN, the set variable is echoed back, and the ARP cache is cleared, but user OPER gets an error message indicating that write access was denied.
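Added example (not from the answer key): a Python model of how the agent evaluates the view and group configuration above, run over the same requests as the snmpget and snmpset demonstration plus two extra cases. The v1default view is approximated as the whole iso subtree minus the USM and VACM MIBs (the IOS built-in view excludes a few more subtrees), the function names are the example's own, and the source addresses are the ones permitted by access lists 90 and 91, because the agent discards requests from any other source before a view is consulted.

```python
"""SNMPv3 view and group access evaluation, in the style of RFC 3415 VACM.

Added example, not code from the answer key. It models the configuration
above: view CISCO is the cisco subtree 1.3.6.1.4.1.9; group OPERATORS reads
CISCO behind access-list 90; group ADMINISTRATORS reads v1default and writes
CISCO behind access-list 91; users OPER and ADMIN are noauth. v1default is
approximated as the whole iso subtree with the USM and VACM MIBs
(1.3.6.1.6.3.15 and 1.3.6.1.6.3.16) excluded; the IOS built-in view excludes a
few more subtrees. Outcomes use the wording of the Net-SNMP responses above.
"""
from ipaddress import ip_address, ip_network


def oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))


VIEWS = {
    "CISCO": [(oid("1.3.6.1.4.1.9"), "included")],
    "v1default": [(oid("1"), "included"),
                  (oid("1.3.6.1.6.3.15"), "excluded"),    # snmpUsmMIB (approximation)
                  (oid("1.3.6.1.6.3.16"), "excluded")],   # snmpVacmMIB (approximation)
}
GROUPS = {
    "OPERATORS": {"read": "CISCO", "write": None, "acl": 90},
    "ADMINISTRATORS": {"read": "v1default", "write": "CISCO", "acl": 91},
}
USERS = {"OPER": "OPERATORS", "ADMIN": "ADMINISTRATORS"}
ACLS = {90: [ip_network("10.1.1.90/32")], 91: [ip_network("10.1.1.91/32")]}


def oid_in_view(o, view_name):
    """The longest matching view subtree decides; an OID that matches no
    subtree is outside the view."""
    best = None
    for subtree, kind in VIEWS[view_name]:
        if o[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, kind)
    return best is not None and best[1] == "included"


def authorize(user, op, oid_text, source_ip):
    """Outcome of a get or set from source_ip by user: 'ok', 'noSuchObject',
    'noAccess', 'dropped' (access-list miss, discarded without a reply) or
    'unknownUserName'."""
    group = USERS.get(user)
    if group is None:
        return "unknownUserName"
    g = GROUPS[group]
    src = ip_address(source_ip)
    if not any(src in net for net in ACLS[g["acl"]]):
        return "dropped"
    view = g["read"] if op == "get" else g["write"]
    if view is None:
        return "noAccess"                   # the group has no view for this operation
    if not oid_in_view(oid(oid_text), view):
        return "noSuchObject" if op == "get" else "noAccess"
    return "ok"


# The four requests from the snmpget/snmpset demonstration above, plus two
# extra cases: an ADMIN set outside CISCO and an OPER request from the wrong source.
CASES = [
    ("OPER", "get", "1.3.6.1.4.1.9.2.1.3.0", "10.1.1.90"),     # hostname, in CISCO
    ("OPER", "get", "1.3.6.1.2.1.1.3.0", "10.1.1.90"),         # sysUpTime, outside CISCO
    ("ADMIN", "get", "1.3.6.1.2.1.1.3.0", "10.1.1.91"),
    ("ADMIN", "set", "1.3.6.1.4.1.9.2.1.75.0", "10.1.1.91"),   # clear ARP cache, in CISCO
    ("OPER", "set", "1.3.6.1.4.1.9.2.1.75.0", "10.1.1.90"),
    ("ADMIN", "set", "1.3.6.1.2.1.1.5.0", "10.1.1.91"),        # sysName, outside CISCO
    ("OPER", "get", "1.3.6.1.4.1.9.2.1.3.0", "10.1.1.91"),     # not permitted by ACL 90
]


def run_cases():
    return [authorize(*case) for case in CASES]


if __name__ == "__main__":
    for case, outcome in zip(CASES, run_cases()):
        print(*case, "->", outcome)
```

The model reproduces the four results seen above (ok, noSuchObject, ok for ADMIN, ok and noAccess for the set). The two extra cases show the limits that matter for a noauth design: because the user name is not authenticated, the access list on the source address is the only thing tying a request to its group, and the view is what bounds what a request that passes the access list can read or change.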
Note

To obtain a comprehensive view of the configuration tasks in this section, access the Mentor Guide engine. With the Mentor Guide engine, you can enter more than 1000 Cisco IOS Software commands as well as a collection of proprietary commands such as show all.
