Iewb Rsv2.Sample


  • 8/6/2019 Iewb Rsv2.Sample


    Internetwork Experts CCIE Routing and Switching

    Lab Workbook (IEWB-RS) Sample Lab

    Version 2.20

    By: Brian Dennis, CCIE #2210
    Brian McGahan, CCIE #8593


    Internetwork Experts CCIE R&S Lab Workbook Sample Lab

    Copyright Information

    Copyright 2005 Internetwork Expert, Inc. All rights reserved.

    The following publication, CCIE Routing and Switching Lab Workbook Sample Lab, was developed by Internetwork Expert, Inc. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of Internetwork Expert, Inc.

    Cisco, Cisco Systems, CCIE, and Cisco Certified Internetwork Expert are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain countries.

    All other products and company names are the trademarks, registered trademarks, and service marks of the respective owners. Throughout this manual, Internetwork Expert, Inc. has used its best efforts to distinguish proprietary trademarks from descriptive names by following the capitalization styles used by the manufacturer.


    Disclaimer

    The following publication, CCIE Routing and Switching Lab Workbook Sample Lab, is designed to assist candidates in the preparation for Cisco Systems' CCIE Routing & Switching Lab exam. While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an "as is" basis. Neither the authors nor Internetwork Expert, Inc. assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this workbook.

    This workbook was developed by Internetwork Expert, Inc. and is an original work of the aforementioned authors. Any similarities between material presented in this workbook and actual CCIE™ lab material is completely coincidental.


    Table of Contents

    About IEWB-RS
    IE's End-to-End CCIE Program
        Tier 1: Learning the Technologies
        Tier 2: Applying the Technologies
        Technology Domains
        Tier-1 Products
            CCIE R&S Advanced Technologies Class
            CCIE R&S Advanced Technologies Class-on-Demand
            CCIE R&S Advanced Technologies Audio Class
            CCIE R&S Advanced Technologies Labs
            CCIE R&S Lab Workbook
        Tier-2 Products
            CCIE R&S Lab Workbook
            CCIE R&S Mock Lab Workshop
            CCIE R&S Mock Lab Exams
    How to Use IEWB-RS
        Restrictions
        Difficulty Rating
        Point Values
        Grading
        Solutions Guide
        Initial Configurations
        Rack Rentals
        Support
        Feedback
    Hardware Specification
        IEWB-RS Physical Cabling Connections
        IEWB-RS Physical Interface Connections
    IEWB-RS Lab 1
    IEWB-RS Lab 1 Solutions
    IEWB-RS Lab 1 Addressing Diagram
    IEWB-RS Lab 1 Protocol Diagram


    About IEWB-RS

    Internetwork Expert's CCIE Routing & Switching Lab Workbook (IEWB-RS) is designed to be used as a supplement to other self-paced and instructor-led training materials in preparation for Cisco Systems' CCIE Routing & Switching Lab Exam, and is a highly integral part of Internetwork Expert's End-to-End CCIE Program.

    IEWB-RS consists of various lab scenarios designed from the ground up based on Cisco Systems' newest specification for the CCIE Routing & Switching Lab Exam. The labs contained in IEWB-RS are designed to simulate the actual CCIE Routing & Switching Lab Exam and at the same time illustrate the principles behind the technologies which it covers.


    Tier 2: Applying the Technologies

    The second tier of the program, Applying the Technologies, is where CCIE candidates are tested on the skills they have accumulated throughout their preparation. This level is for networking professionals that are almost ready for the actual CCIE Lab Exam, but are looking for final preparation before The Big Day. Topics at this tier are designed to push your problem-solving skills and technological know-how to its limits.

    Caution: Attempting to use Tier-2 products to learn the technologies covered in the CCIE R&S Lab Exam is not the proper way to prepare. Using this approach commonly results in candidates having critical gaps in their knowledge base that are detrimental to passing the CCIE R&S Lab Exam, as well as implementing the technologies in the real world.


    Technology Domains

    Topics within Internetwork Expert's End-to-End CCIE Program are divided into three technology domains. These domains are Layer 2 Technologies, Routing Protocols, and QoS/Security/Services.

    [Diagram: CCIE Program Technologies (IPv4 and IPv6). Domains shown: Layer 2 Technologies, Routing Protocols, QoS/Security/Services. Technologies shown: Ethernet Switching, Frame Relay, ATM, ISDN, PPP, RIP, EIGRP, OSPF, IS-IS, BGP, IP Multicast, QoS, DLSw+, Security, IOS Features, IOS Management, IP Services.]

    Each of the above technology domains includes both the IPv4 and IPv6 functionality. By clearly defining which topics fall into which category it makes it easier to survey what topics you have a sound understanding of, and which topics you need to focus on in your preparation. This approach leads to more focused preparation, which ultimately results in savings of time and money.


    Tier-1 Products

    The first tier of our End-to-End CCIE Program, Learning the Technologies, is the foundation of our entire program. At this level a true understanding of the nature of the technologies covered in the CCIE R&S Lab Exam is obtained. It is essential that the topics covered at this level are learned before progressing further, as the topics at this level are the building blocks of the CCIE lab. Do not mistake products at this level as "Introduction to Networking", as at least a CCNP-level of knowledge of the topics covered here is required before using products at this level.

    The below diagram illustrates the recommended progression through this tier. While this order is not written in stone we have found that candidates who use this structured approach have a higher rate of success not only in passing the CCIE lab exam but retaining their knowledge afterwards.

    [Diagram: Tier 1: Learning the Technologies. Boxes shown: Instructor-Led Advanced Technologies Class Week 1; Instructor-Led Advanced Technologies Class Week 2; Advanced Technologies Labs Level 1 Difficulty; Advanced Technologies Audio Class; Lab Workbook Volume I Level 5-6 Difficulty; Advanced Technologies Labs Level 2 Difficulty; On to Tier-2.]


    The products that make up this tier are as follows:

    CCIE R&S Advanced Technologies Class

    The CCIE Routing & Switching Advanced Technologies Class (IEATC-RS) is a two-week instructor-led class delivered through our state-of-the-art online classroom. This class uses a hands-on lecture approach that is designed to provide students with a CCIE-level understanding of the technologies covered in Cisco Systems' CCIE Routing and Switching Lab Exam.

    CCIE R&S Advanced Technologies Class-on-Demand

    The CCIE Routing & Switching Advanced Technologies Class-on-Demand series (IECOD-RS) is a self-paced version of the CCIE Routing & Switching Advanced Technologies Class series. This series uses the exact same hands-on lecture approach seen in the CCIE R&S Advanced Technologies Class series, but is available in streaming video format. Not only do you hear the instructor's explanation of the technologies in question, you see the configuration live on the IOS command line. This series allows candidates to attend the instructor-led class series at their own pace, and gives previous attendants of the live class a convenient way to go back and review the topics covered in the class at a later time.

    CCIE R&S Advanced Technologies Audio Class

    The CCIE Routing & Switching Advanced Technologies Audio Class series (IEAC-RS) is a CD audio series which takes an in-depth look at the technologies covered in the CCIE Routing & Switching Lab exam. This product is the ideal solution for networking professionals who are preparing for their CCIE Routing & Switching Lab Exam but don't have the luxury of regularly scheduled study times, and is an excellent companion to the CCIE Routing & Switching Advanced Technologies Class.


    Tier-2 Products

    The second tier of our End-to-End CCIE Program, Applying the Technologies, is the culmination of all technologies covered throughout the course of the program. At this level, topics are presented in full scale 8-hour lab format with intense difficulty. Candidates will rely on all of the knowledge they have acquired throughout the first tier of the program as they implement all the technologies in tandem in final preparation for the actual CCIE R&S Lab Exam.

    The below diagram illustrates the recommended progression through this tier. For self-paced programs the CCIE Routing & Switching Mock Labs should be substituted for the CCIE Routing & Switching Mock Lab Workshop.

    [Diagram: Tier 2: Applying the Technologies. Boxes shown: Lab Workbook Volume I Level 7-10 Difficulty; Instructor-Led Mock Lab Workshop; Lab Workbook Volume II; Take and Pass CCIE Lab Exam!]


    The products that make up this tier are as follows:

    CCIE R&S Lab Workbook

    At Tier-2 candidates are expected to master IEWB-RS Volume I labs with a difficulty rating of 7 or higher, and all labs in IEWB-RS Volume II.

    CCIE R&S Mock Lab Workshop

    The CCIE Routing and Switching Mock Lab Workshop (IEW-RS) is a five-day instructor-led hands-on lab class delivered through our state-of-the-art online classroom. This class is designed for students to solidify their existing knowledge, expose weaknesses, and fully prepare them as they lead up to their CCIE R&S Lab Exam date. IEW-RS is not intended for candidates without a complete knowledge of the topics covered in Tier-1, as the lab scenarios covered during IEW-RS are designed to be more technically challenging than the real CCIE Lab Exam.

    CCIE R&S Mock Lab Exams

    Internetwork Expert's CCIE Routing & Switching Mock Lab Exams (IEML-RS) are a self-paced version of the CCIE Routing & Switching Mock Lab Workshop. This product gives candidates the opportunity to take mock lab simulations at their own pace, but still allows them to get live feedback from our instructors through our online classroom. After the mock lab is graded by our instructors candidates meet the instructor online for a one hour one-on-one breakdown session to discuss their performance in real time. Taking the mock lab exams prior to the actual exam ensures that candidates do not have critical gaps in their knowledge base.

    For More Information

    For more information on Internetwork Expert's End-to-End CCIE Program visit us on the web at http://www.internetworkexpert.com or call toll free 877-224-8987, +1-775-826-4344 outside the US


    How to Use IEWB-RS

    Internetwork Expert's CCIE Routing & Switching Lab Workbook falls into both the Tier-1 and Tier-2 category of the End-to-End CCIE Program. Candidates using this product should already have a working knowledge of 90% of the topics covered.

    If at any time throughout the progression of these labs you find that you do not fully understand a presented technology, stop where you are and fall back to the Tier-1 approach to the topic. Using this method will ensure that you are not overlooking key fundamentals of the technology that may not be apparent in their application here.

    Each of these lab scenarios presented in IEWB-RS is divided into thirteen technology sections:

    1. Catalyst 3550
    2. Frame Relay
    3. ATM
    4. ISDN/PPP
    5. Interior Gateway Routing
    6. Exterior Gateway Routing
    7. IP Multicast
    8. IPv6
    9. QoS
    10. Security
    11. System Management
    12. IP Services
    13. DLSw+

    Each of the above sections is then further subdivided into particular tasks. For each lab scenario, you must configure the presented tasks while conforming to various predefined restrictions.


    Restrictions

    For each lab scenario, there are explicit general restrictions that you must conform to while configuring the lab. These restrictions are defined in the Lab Do's and Don'ts introductory section for each lab scenario. These restrictions may include not using static routes, not using default routes, not adding additional IP addressing, etc.

    Caution: Ensure that you always read the Lab Do's and Don'ts section carefully, as the restrictions may vary from lab to lab.

    There may also be certain restrictions for particular tasks within a lab scenario. These restrictions may include not issuing a particular configuration command, not creating a certain type of interface, not using the legacy configuration for a technology, etc.

    Note: You may do whatever is necessary to complete a task unless the general requirements for the lab scenario or the specific requirements for the task explicitly prohibit you from doing so. This may include using policy routing, redistributing IGPs or BGP, configuring GRE tunnels, etc.


    Difficulty Rating

    We have given each lab scenario a difficulty rating. Ratings are on a scale of 1 to 10, with 10 being the hardest. The labs within IEWB-RS are designed to be more technically challenging than the actual CCIE Routing & Switching Lab Exam. Do not get discouraged if you are scoring low or do not understand a particular set of technologies. If you are having trouble with a certain area, fall back to the Tier-1 approach to the topic. Using this method will ensure that you are not overlooking key fundamentals of the technology that may not be apparent in their application here.

    Point Values

    Like the actual CCIE lab exam, each task within a lab is assigned a specific point value. Points are only awarded if the presented solution meets all the given requirements, and does not violate any preset restrictions. No partial credit is awarded for any task. A minimum score of 80 points is required to pass a particular scenario.

    Some tasks may have multiple solutions. As long as the presented solution meets the given requirements, points will be awarded for that task. However, certain solutions may negatively impact previous or future tasks. Make sure that you carefully read all presented requirements, and try your best to come up with an appropriate solution.

    Caution: Points will never be awarded for a task for which you have violated the requirements. However, keep in mind the relative point value of the task in question as compared to other future tasks. If you cannot come up with an appropriate solution for a task, it is advisable to solve the task by whatever means necessary in order to complete future tasks which depend on it.


    Grading

    The authors of this workbook have noted throughout their many years of teaching CCIE preparation programs that many CCIE candidates fail the lab without understanding why. Although Cisco does provide a score report for unsuccessful lab attempts, this report does not give you an accurate picture of what was wrong with your configurations. In order to eliminate this guesswork, the authors of IEWB-RS have devised a detailed grading and feedback process for these lab scenarios to enable you to quickly determine the areas that you need to work on.

    Grading includes a detailed score report that illustrates which sections were configured correctly and which sections were configured incorrectly. Sections that were configured incorrectly include a detailed description of what was incorrect, why it was incorrect, and what the expected solution was to be. Correctly configured areas may also include hints and pointers to improve your configurations in the future. At the end of each score report, we provide a recommendation as to what areas need improvement, which may include links to recommended readings.

    By utilizing Internetwork Expert's grading services, you will know for certain what technologies you thoroughly understand, which technologies you need to work on, and whether or not you are ready to take and pass the CCIE Routing & Switching Lab Exam.


    Solutions Guide

    In addition to this workbook, a detailed solutions guide for Internetwork Expert's CCIE Routing & Switching Lab Workbook is included free of charge. The solutions guide includes the final configurations for each lab scenario along with a thorough explanation of each task. The final configurations for IEWB-RS are broken down on a task by task basis. Therefore, you will know exactly which command or commands correspond to which task. There is no need to sort through a long configuration file to guess which commands correspond to which question. The solutions guide for IEWB-RS is as much of an integral part of this product as the workbook itself.

    For the most recent copy of the IEWB-RS solutions guide see Internetwork Expert's members site at http://members.internetworkexpert.com.

    Initial Configurations

    Internetwork Expert's CCIE Routing & Switching Lab Workbook includes initial configuration scripts for all devices in each lab scenario. These configuration scripts should be loaded on your equipment before beginning the configuration of the scenario. In addition to these initial configuration scripts, it is necessary to load the provided configuration files for the backbone devices.

    For more detail on the hardware requirements for the internal and external devices in IEWB-RS see the accompanying Hardware Specification section of this document.

    For the most recent copy of these configuration scripts see Internetwork Expert's members site at http://members.internetworkexpert.com.

    Rack Rentals

    We have built Internetwork Expert's CCIE Routing & Switching Lab Workbook to the publicly stated hardware specification used in the actual CCIE lab exam. Internetwork Expert offers cost effective equipment rentals specifically designed to be used with our self-paced training product lines in order to eliminate the cost


    Support

    Interact with countless CCIEs, including the actual authors of the workbook, and engineers around the world preparing for the CCIE Lab Exam via our web forum and IRC server. To get the most out of this and other Internetwork Expert products join the IEWB-RS discussion on the Internetwork Expert Forum at http://forum.internetworkexpert.com and on our live IRC chat server at irc.internetworkexpert.com, or http://www.internetworkexpert.com/chat/ via the web.

    Feedback

    We want to hear from you! Internetwork Expert is committed to your satisfaction and to improving our product lines. If you have any questions, comments, or concerns about this or any other Internetwork Expert product submit feedback to us via email to [email protected].


    Hardware Specification

    Internetwork Expert's CCIE Routing & Switching Lab Workbook uses the same hardware specification that is used in the actual CCIE lab exam. This includes six routers with Ethernet, FastEthernet, Serial, and ISDN, one of which has ATM. All routers run 12.2T IOS. In addition to the six routers, two Catalyst 3550 series switches running the enhanced multilayer software image (EMI) are also included.

    As per the actual CCIE lab hardware specification, IEWB-RS also includes various external devices that are not within the control of the candidate. These devices include a Frame Relay switch, an ISDN switch, and an ATM switch. In addition to this, three backbone routers are included to inject routes and facilitate in the testing of ATM configurations.

    The physical topology of IEWB-RS remains the same throughout the entire workbook. Therefore once your lab has been physically cabled to meet the workbook's specification, there is no need to change the cabling in order to complete each lab.

    Note: The following hardware specification has been updated to reflect platform changes made for IEWB-RS Volume II. This change results in minor discrepancies in references to FastEthernet as opposed to Ethernet of R1 and R2 in lab documents, diagrams, and solutions. Please note that these discrepancies are cosmetic, and do not affect any protocol or feature functionality throughout IEWB-RS Volume I.


    The generic devices used in IEWB-RS include the following:

    Device  Software Version  Software Feature Set  Interfaces
    R1      12.2(15)T14       Enterprise Plus       1 - FastEthernet, 2 - Serial
    R2      12.2(15)T14       Enterprise Plus       1 - FastEthernet, 2 - Serial
    R3      12.2(15)T14       Enterprise Basic      2 - Ethernet, 4 - Serial
    R4      12.2(15)T14       Enterprise Basic      2 - Ethernet, 1 - Serial, 1 - ISDN
    R5      12.2(15)T14       Enterprise Plus       2 - Ethernet, 1 - Serial, 1 - ISDN
    R6      12.2(13)T14       Enterprise            1 - FastEthernet, 1 - ATM
    SW1     12.2(25)SEA       EMI                   24 - FastEthernet, 2 - GigEthernet
    SW2     12.2(25)SEA       EMI                   24 - FastEthernet, 2 - GigEthernet

    The specific devices used in design of IEWB-RS were the following:

    Device  Platform  DRAM  Flash  Installed WICs / Modules
    R1      2620      64    32     2 - WIC-1T
    R2      2620      64    32     2 - WIC-1T
    R3      2611      64    16     1 - NM-4A/S
    R4      2611      64    16     1 - WIC-1T, 1 - WIC-1B-U
    R5      3640      128   32     1 - NM-2E2W, 1 - WIC-1T, 1 - WIC-1B-U
    R6      7505      128   24     1 - RSP2, 2 - VIP2-40


    The external core devices used in IEWB-RS include the following:

    Device              Software Version  Software Feature Set  Interfaces
    BB1*                12.2(2)T4         Enterprise Plus       1 - ATM
    BB2                 12.2(15)T14       Enterprise Plus       1 - Ethernet
    BB3*                12.2(2)T4         Enterprise Plus       1 - Ethernet
    Frame Relay Switch  N/A               N/A                   6 - Serial
    ATM Switch          N/A               N/A                   2 - ATM OC3
    ISDN Switch         N/A               N/A                   2 - ISDN BRI U Interfaces

    * BB1 and BB3 will need to peer via iBGP with each other. This can be done over any interface, such as Ethernet, Serial, or even an AUX port to AUX port connection.


    IEWB-RS Physical Cabling Connections

    [Diagram: IEWB-RS physical cabling. Labels shown: R1, R2, R3, R4, R6, BB1, BB2, BB3, Frame-Relay, ATM, ISDN, Backbone 2 Ethernet, Backbone 3 Ethernet, Connection for BGP Peering.]


    IEWB-RS Physical Interface Connections

    ISDN

    Switch Type  basic-ni
    R4           BRI0/0  SPID1  52720X4
    R5           BRI0/0  SPID1  52720X5

    Frame Relay Switch Configuration

    Local Router  Local Interface  Local DLCI  Remote Router  Remote Interface  Remote DLCI
    R1            S0/0             102         R2             S0/0              201
    R1            S0/0             103         R3             S1/0              301
    R1            S0/0             113         R3             S1/1              311
    R1            S0/0             104         R4             S0/0              401
    R1            S0/0             105         R5             S0/0              501
    R2            S0/0             202         R1             S0/0              102
    R2            S0/0             203         R3             S1/0              302
    R2            S0/0             213         R3             S1/1              312
    R2            S0/0             204         R4             S0/0              402
    R2            S0/0             205         R5             S0/0              502
    R3            S1/0             301         R1             S0/0              103
    R3            S1/0             302         R2             S0/0              203
    R3            S1/0             304         R4             S0/0              403
    R3            S1/0             305         R5             S0/0              503
    R3            S1/1             311         R1             S0/0              113
    R3            S1/1             312         R2             S0/0              213
    R3            S1/1             314         R4             S0/0              413
    R3            S1/1             315         R5             S0/0              513
    R4            S0/0             401         R1             S0/0              104
    R4            S0/0             402         R2             S0/0              204
    R4            S0/0             403         R3             S1/0              304
    R4            S0/0             413         R3             S1/1              314
    R4            S0/0             405         R5             S0/0              504
    R5            S0/0             501         R1             S0/0              105
    R5            S0/0             502         R2             S0/0              205

    Ethernet Connections

    Local Router  Local Interface  Remote Router  Remote Interface
    R1            Fa0/0            SW1            Fa0/1
    R2            Fa0/0            SW1            Fa0/2
    R3            E0/0             SW1            Fa0/3
    R3            E0/1             SW2            Fa0/3
    R4            E0/0             SW1            Fa0/4
    R4            E0/1             SW2            Fa0/4
    R5            E0/0             SW1            Fa0/5
    R5            E0/1             SW2            Fa0/5
    R6            Fa1/0/0          SW1            Fa0/6
    SW1           Fa0/1            R1             Fa0/0
    SW1           Fa0/2            R2             Fa0/0
    SW1           Fa0/3            R3             E0/0
    SW1           Fa0/4            R4             E0/0
    SW1           Fa0/5            R5             E0/0
    SW1           Fa0/6            R6             Fa1/0/0
    SW1           Fa0/13           SW2            Fa0/13
    SW1           Fa0/14           SW2            Fa0/14
    SW1           Fa0/15           SW2            Fa0/15
    SW1           Fa0/24           BB3            N/A
    SW2           Fa0/3            R3             E0/1
    SW2           Fa0/4            R4             E0/1
    SW2           Fa0/5            R5             E0/1
    SW2           Fa0/13           SW1            Fa0/13
    SW2           Fa0/14           SW1            Fa0/14
    SW2           Fa0/15           SW1            Fa0/15


    IEWB-RS Lab 1

    Difficulty Rating (10 highest): 5

    Lab Overview:

    The following scenario is a practice lab exam designed to test your skills at configuring Cisco networking devices. Specifically, this scenario is designed to assist you in your preparation for Cisco Systems' CCIE Routing and Switching Lab exam. However, remember that in addition to being designed as a simulation of the actual CCIE lab exam, this practice lab should be used as a learning tool. Instead of rushing through the lab in order to complete all the configuration steps, take the time to research the networking technology in question and gain a deeper understanding of the principles behind its operation.

    Lab Instructions:

    Prior to starting, ensure that the initial configuration scripts for this lab have been applied. For a current copy of these scripts, see the Internetwork Expert homepage at http://www.internetworkexpert.com

    Refer to the attached diagrams for interface and protocol assignments. Any reference to X in an IP address refers to your rack number, while any reference to Y in an IP address refers to your router number.

    Upon completion, all devices should have full IP reachability to all networks in the routing domain, including any networks generated by the backbone routers unless explicitly specified.

    Lab Do's and Don'ts:

    Do not change or add any IP addresses from the initial configuration unless otherwise specified

    Do not change any interface encapsulations unless otherwise specified

    Do not change the console, AUX, and VTY passwords or access methods


    Grading:

    This practice lab consists of various sections totaling 100 points. A score of 80 points is required to achieve a passing score. A section must work 100% with the requirements given in order to be awarded the points for that section. No partial credit is awarded. If a section has multiple possible solutions, choose the solution that best meets the requirements.

    Grading for this practice lab is available when configured on Internetwork Expert's racks, or the racks of Internetwork Expert's preferred vendors. See Internetwork Expert's homepage at http://www.internetworkexpert.com for more information.

    Point Values:

    The point values for each section are as follows:

    Section                   Point Value
    Catalyst 3550             10
    Frame Relay               6
    ATM                       2
    ISDN/PPP                  7
    Interior Gateway Routing  17
    Exterior Gateway Routing  10
    IP Multicast              8
    IPv6                      5
    QoS                       7
    Security                  5
    System Management         11
    IP Services               9
    DLSw+                     3

    GOOD LUCK!


    1. Catalyst 3550

    1.1. Configure the VTP domain CISCO between SW1 and SW2.
    1.2. Authenticate the VTP domain with the password CISCO.
    1.3. Create and configure the VLAN assignments on SW1 and SW2 as follows:

    Catalyst  Port     Interface    VLAN
    SW1       Fa0/1    R1 - E0/0    Routed
    SW1       Fa0/2    R2 - E0/0    2
    SW1       Fa0/3    R3 - E0/0    33
    SW1       Fa0/4    R4 - E0/0    N/A
    SW1       Fa0/5    R5 - E0/0    58
    SW1       Fa0/6    R6 Fa1/0/0   46
    SW1       Fa0/10   N/A          2
    SW1       Fa0/11   N/A          2
    SW1       Fa0/13   SW2 Fa0/13   Trunk
    SW1       Fa0/14   SW2 Fa0/14   Routed
    SW1       Fa0/15   SW2 Fa0/15   58
    SW1       Fa0/24   BB3          33
    SW2       Fa0/3    R3 - E0/1    N/A
    SW2       Fa0/4    R4 - E0/1    46
    SW2       Fa0/5    R5 - E0/1    N/A
    SW2       Fa0/13   SW1 Fa0/13   Trunk
    SW2       Fa0/14   SW1 Fa0/14   Routed
    SW2       Fa0/15   SW1 Fa0/15   Routed
    SW2       Fa0/24   BB2          82
    SW2       VLAN 82               82

    3 Points


    1.4. Configure a trunk between SW1's interface Fa0/13 and SW2's interface Fa0/13.

    1.5. Traffic from VLAN 46 should not be tagged with a VLAN header when it is sent over this trunk link.

    1.6. This link should never become an access port under any circumstance.

    3 Points

    1.7. Ports in VLAN 2 connect to your corporate conference room. Recently your network administrator has been getting complaints that when users plug their laptops into the conference room it either takes a very long time to get an address from the DHCP server, or the DHCP request times out. After further investigation, you have discovered that spanning-tree convergence time is to blame. Configure SW1 so that users in VLAN 2 do not have to wait for spanning-tree's forwarding delay when they connect to the network.

    2 Points

    1.8. After implementing the change in spanning-tree configuration for VLAN 2, one of your users plugged a switch into the conference room and crashed your entire network. After further investigation, you have discovered that a spanning-tree loop was to blame. In order to prevent this problem in the future, ensure that any ports in VLAN 2 will be shut down if a device running spanning-tree protocol is detected.

    2 Points

    2. Frame Relay

    2.1. Using only physical interfaces, configure a Frame Relay hub-and-spoke network between R1, R2, and R3 with R2 as the hub.
    2.2. Traffic from R1 destined for R3 should transit R2, and vice versa.
    2.3. Use only the DLCIs specified in the diagram.
    2.4. Do not use any dynamic layer 3 to layer 2 mappings over these Frame Relay connections.


    2.6. Using only physical interfaces, configure a Frame Relay hub-and-spoke network between R3, R4, and R5 with R5 as the hub.
    2.7. Traffic from R3 destined for R4 should transit R5, and vice versa.
    2.8. Use only the DLCIs specified in the diagram.
    2.9. Do not use any dynamic layer 3 to layer 2 mappings over these Frame Relay connections.
    2.10. Do not send any redundant broadcast traffic from the spokes to the hub.

    3 Points

    3. ATM

    3.1. Using the physical ATM interface, configure a PVC 0/10X on R6.
    3.2. IP traffic destined for 54.X.1.254 should be sent over this VC.
    3.3. Do not rely on any dynamic layer 3 to layer 2 protocol mappings.
    3.4. Ensure that R6 can send broadcast and multicast traffic over the PVC as a replicated unicast.

    2 Points

    4. ISDN/PPP

    4.1. Configure legacy ISDN DDR between R4 and R5.
    4.2. Either device should be allowed to initiate an ISDN call if there is IP traffic destined for the other side of the link.
    4.3. An ISDN call should be disconnected if neither router has sent or received IP traffic for more than 3 minutes.

    3 Points

    4.4. Configure PPP encapsulation on the ISDN link between R4 and R5.
    4.5. R4 and R5 should authenticate each other across this ISDN link. Both R4 and R5 should send their hostname along with the clear text password CISCO across the ISDN link for authentication.


    4.6. In order to maximize throughput on the ISDN circuit, configure your network so that R4 and R5 fragment all traffic amongst both ISDN B channels.

    4.7. This fragmentation should occur regardless of the utilization of the first B channel.

    2 Points

    5. Interior Gateway Routing

    5.1. Configure OSPF area 0 on the Frame Relay connection between R3, R4, and R5.

    5.2. Ensure that R5 is always elected the designated router for this segment.

    5.3. Do not use the neighbor statement under the OSPF process to accomplish this.

    5.4. Advertise the Loopback 0 interfaces of R3, R4, & R5 into OSPF area 0.

    3 Points

    5.5. Configure OSPF area 46 on VLAN 46 between R4 and R6.
    5.6. Advertise R6's Loopback 0 interface into OSPF area 46.
    5.7. Configure OSPF area 45 on the ISDN link between R4 and R5.
    5.8. OSPF should be allowed to trigger an ISDN call if there is a change in the OSPF topology.
    5.9. OSPF should not keep the ISDN link up as long as the OSPF topology remains stable.

    3 Points

    5.10. Configure EIGRP AS 100 on R1, R2, R3, R5, SW1, and SW2.
    5.11. Configure EIGRP on the Ethernet segments between R1, SW1, SW2, & R5, and VLAN 2.
    5.12. Configure EIGRP on the Frame Relay segment between R1, R2, and R3.
    5.13. Advertise the Loopback 0 interfaces of R1, R2, SW1, and SW2 into the


    5.15. Advertise VLAN 33 into the EIGRP domain. This prefix should appear as follows throughout the EIGRP domain:

    D EX 204.12.X.0 [170/

    1 Point

    5.16. Configure EIGRP AS 10 on R6.
    5.17. Enable EIGRP on the ATM segment between R6 and BB1.
    5.18. Administrators of your network are concerned about false routing information being injected from the ATM cloud. In order to ensure that all routes learned over the ATM cloud are legitimate, use the most secure authentication with any neighbor relationships formed on this interface. Use key 1 with a password of CISCO for this authentication.

    5.19. R6 should be receiving prefixes via EIGRP from BB1.

    2 Points

    5.20. Configure RIP on SW2.
    5.21. Enable RIP on the Ethernet segment connecting to BB2.
    5.22. In order to protect against false route injection from RIP as well, configure SW2 to use the strongest authentication on any RIP updates received on this Ethernet segment using key 1 and the password CISCO.
    5.23. You should be receiving prefixes via RIP from BB2.

    2 Points

    5.24. Redistribute between RIP and EIGRP on SW2.
    5.25. Redistribute between OSPF and EIGRP on R5.
    5.26. Redistribute between OSPF and EIGRP on R6.
    5.27. Ensure that R4 and R6 maintain full IP reachability to the rest of the routing domain in the case that R4 loses its connection to the Frame Relay cloud.

    4 Points


    6. Exterior Gateway Routing

    6.1. Configure BGP on the following devices with the following AS numbers:

    Device  BGP AS
    R1      200
    R2      200
    R3      100
    R4      100
    R5      100
    R6      100
    SW1     200
    SW2     200
    BB1     54
    BB2     254
    BB3     54

    6.2. Configure the BGP peering sessions as follows:

    Device 1  Device 2
    R6        BB1
    R5        R3
    R5        R4
    R5        R6
    R5        SW2
    SW2       BB2
    SW2       SW1
    SW1       R1
    R1        R2
    R3        R2
    R3        BB3

    6.3. The BGP peering sessions between R4 & R5 and R5 & R6 should remain up if R4 loses its connection to the Frame Relay cloud.


    6.5. For the purposes of load-sharing and redundancy, AS 100 has multiple connections to AS 54. In order to maximize throughput, your corporate policy dictates that all traffic destined for prefixes originated in AS 54 should traverse the ATM link between R6 and BB1.

    6.6. In the case that the ATM link between R6 and BB1 goes down, AS 100 should still have reachability to AS 54 via the Ethernet segment between R3 and BB3.

    6.7. Do not use weight to accomplish this.

    3 Points

    6.8. Configure a new Loopback interface on R1 with the IP address 150.X.11.1/24 and advertise it into BGP.

    6.9. Configure AS 200 so that all traffic from AS 100 destined to this prefix traverses the Ethernet segment between SW2 and R5.

    6.10. In the case that the route is lost between SW2 and R5, traffic destined for the 150.X.11.0/24 prefix should traverse the Frame Relay link between R2 and R3.

    6.11. Do not use AS-Path prepending to accomplish this.

    3 Points

    7. IP Multicast

    7.1. Configure IP Multicast routing on R2, R3, and R5.
    7.2. The use of multicast static routes is permitted.
    7.3. Configure PIM on the following interfaces:

    Device  Interface
    R2      E0/0
    R2      S0/0
    R3      E0/0
    R3      S1/0
    R3      S1/1
    R5      E0/0
    R5      S0/0


    7.4. Configure R3 to announce its most reliable interface as the RP for all multicast groups.

    7.5. R2 should be responsible for group to RP mappings.

    2 Points

    7.6. There is a Windows Media Server located on VLAN 2 that is streaming a video feed into your network. Administrators of your network have been getting complaints from users on VLAN 58 that they are unable to receive this feed. In order to help track down the source of this problem, your administrators have requested for you to configure R5 to join the multicast group 226.26.26.26.

    7.7. Ensure that R5 responds to ICMP echo-requests sourced from R2's Ethernet interface which are sent to this multicast group address.

    3 Points

    7.8. Development engineers located on VLAN 58 are testing a new multicast application prior to its deployment in your network. This application is generating random multicast streams destined for addresses in the administratively scoped multicast range. In order to prevent this test traffic from being unnecessarily forwarded throughout the network, configure R3 so that hosts in VLAN 33 are not allowed to join any groups in this range.

    1 Point


    8. IPv6

    8.1. The network administrator has requested that VLAN 46 and VLAN 58 be configured to support a test deployment of IPv6. Address R4's interface E0/1 with the IPv6 network of 2001:CC1E:X:404::/64 and R5's interface E0/0 with the IPv6 network of 2001:CC1E:X:505::/64.

    1 Point

    8.2. In order to connect these two isolated networks, you have decided to tunnel IPv6 over your existing IPv4 infrastructure. In order to ensure that this connection survives a failure of the Frame Relay circuit between R4 and R5, use the Loopback0 interfaces of R4 and R5 to build the connection.

    8.3. The tunnel should use the addresses 2001:CC1E:X:4545::Y/64.
    8.4. This tunnel should use a mode that specifies IPv6 as the passenger protocol and IPv4 as the encapsulation and transport protocol.

    2 Points

    8.5. Enable RIPng on VLAN 46, VLAN 58 and on the tunnel interfaces.
    8.6. Use CISCO as the identifier string for the RIP process on both R4 and R5.
    8.7. Ensure that R4 and R5 can ping each other's IPv6 enabled Ethernet interfaces using their respective hostnames.

    2 Points


    9. QoS

    9.1. You have been noticing drops on R5's connection to the Frame Relay cloud. After further investigation, you have discovered that R5 has been overwhelming R3 and R4's connections to the Frame Relay cloud. Configure Frame Relay Traffic Shaping on R5 in order to resolve this issue.

    9.2. R5's connection to the Frame Relay cloud supports a transmission rate of 1536Kbps.

    9.3. R5's DLCI 513 to R3 is 128Kbps.
    9.4. R5's DLCI 504 to R4 is 512Kbps.
    9.5. In the case that the Frame Relay cloud notifies R5 of congestion, R5 should reduce its sending rate to no lower than 96Kbps for the DLCI to R3, and 384Kbps for the DLCI to R4.

    9.6. In the case that R5 has accumulated credit, it should be allowed to burst up to the maximum transmission rate supported on the circuit to R4. Bursting on the circuit to R3 should not be allowed.

    9.7. Assume an interval (Tc) of 50ms.

    4 Points

    9.8. One of your NOC engineers has noticed suspiciously high utilization on the Ethernet segment of R1. After further investigation you have found that a large number of ICMP packets have been traversing this link.

    9.9. In order to alleviate this congestion, a new policy has been implemented which states that R1 should not send more than 128Kbps of ICMP out this Ethernet interface.

    9.10. Configure your network so that ICMP traffic is limited to 128Kbps. Allow for a burst of 1/4th of this rate.

    3 Points


    10. Security

    10.1. Your network administrators have been getting complaints from users that the web server at IP address 183.X.2.100 is inaccessible. After further investigation, you have determined that this server is undergoing a TCP SYN flood denial of service attack.

    10.2. In order to assist in tracking down the source of this attack, configure R3 and SW2 to generate a log message when HTTP SYN packets are received on R3's interface Ethernet 0/0 or SW2's interface VLAN 82 and are destined for 183.X.2.100.

    10.3. These log messages should include the MAC address of the device which forwarded the packet onto the segment.

    3 Points

    10.4. After reviewing your log files, you have determined that the DoS attack on your web server came from hosts with spoofed source addresses. To help prevent this type of attack in the future, configure your network so that traffic will not be accepted from BB1, BB2, or BB3 if it is sourced from your address space 183.X.0.0/16.

    2 Points

    11. System Management

    11.1. In order to help detect possible flood attacks in the future, it has been suggested that R2 should generate an SNMP trap when the interface input unicast packets (ifEntry.11.1) value rises more than 15000 per minute, and when the value falls back below 5000 per minute.

    11.2. The sampling interval should be every sixty seconds.
    11.3. When the 15000 threshold is breached, an event should be generated that reads Above 15000 for ifInUcastPkts.
    11.4. When the value falls back to 5000, an event should be generated that reads Below 5000 for ifInUcastPkts.
    11.5. The server to send these SNMP traps to is 183.X.17.100. This server will be expecting the community string to be IETRAP.


    11.6. In order to keep track of important device notifications, your corporate policy requires that all devices send their log messages to a syslog server.

    11.7. Configure all devices in the network to send syslog messages to the network management station located at 183.17.X.100.

    11.8. R1 through R6 should send log messages using facility local5.
    11.9. SW1 and SW2 should send log messages using facility local6.
    11.10. In order to ease identifying where specific log messages originate from, ensure that all devices source their logging messages from their respective Loopback 0 interfaces.

    3 Points

    11.11. After implementing syslog logging, your NOC engineers have noticed inconsistent timestamps on your device logs. In order to resolve this problem, you have decided to maintain consistent time by implementing Network Time Protocol (NTP).

    11.12. Configure R3 and R6 to get network time from BB3 and BB1 respectively.
    11.13. R3 should fail over and get network time from R6 in the event that BB3 becomes unavailable, and vice versa.
    11.14. Configure R1, R2, and SW1 to get network time from R3.
    11.15. Configure R4, R5, and SW2 to get network time from R6.

    3 Points

    11.16. In order to assure that BB1 and BB3 are the correct time sources, R3 and R6 should authenticate them with the password CISCO.

    2 Points


    13. DLSw+

    13.1. Configure DLSw+ on R2 and R6.
    13.2. Use the Loopback 0 address for the local-peer IDs.

    1 Point

    13.3. Configure a DLSw+ peering between R2 and R6.
    13.4. This peering session should provide both reliable transport and local-acknowledgement for any traffic sent across the WAN.
    13.5. Configure your network so that non-routable traffic can be bridged between VLAN 2 and VLAN 46 over this DLSw+ session.

    2 Points

    IEWB-RS Solutions Guide Lab 1


    1. Catalyst 3550

    Task 1.1 - 1.3

    SW1:
    vtp domain CISCO
    vtp mode server
    ! Quick Note: the vtp mode command is optional, as the default VTP mode is server.
    vtp password CISCO
    vlan 2,33,46,58,82
    !
    interface FastEthernet0/1
     no switchport
     ip address 183.1.17.7 255.255.255.0
    !
    interface FastEthernet0/2
     switchport access vlan 2
    !
    interface FastEthernet0/3
     switchport access vlan 33
    !
    interface FastEthernet0/5
     switchport access vlan 58
    !
    interface FastEthernet0/6
     switchport access vlan 46
    !
    interface FastEthernet0/10
     switchport access vlan 2
    !
    interface FastEthernet0/11
     switchport access vlan 2
    !
    interface FastEthernet0/14
     no switchport
     ip address 183.1.78.7 255.255.255.0
    !
    interface FastEthernet0/15
     switchport access vlan 58
    !
    interface FastEthernet0/24
     switchport access vlan 33

    SW2:
    vtp domain CISCO
    vtp mode server
    ! Quick Note: the vtp mode command is optional, as the default VTP mode is server.
    vtp password CISCO
    !


    interface FastEthernet0/15
     no switchport
     ip address 183.1.58.8 255.255.255.0
    !
    interface FastEthernet0/24
     switchport access vlan 82
    !
    interface Vlan82
     ip address 192.10.1.8 255.255.255.0

    Task 1.1 - 1.3 Breakdown

    The first step in configuring VLAN Trunking Protocol (VTP) is to define the VTP domain name. This is accomplished by issuing the vtp domain [name] command in either the VLAN database or global configuration mode. By default, the VTP domain is NULL. Configuring the VTP domain name on either SW1 or SW2 will result in the opposite switch inheriting the VTP domain name. Therefore, it is only necessary to configure the VTP domain name on one switch. Also note that the VTP mode on both switches will default to server.

    The next step is to define the VTP password. This is accomplished by issuing the vtp password [password] command on both switches.

    Finally, the VLANs must be defined. Since both SW1 and SW2 are VTP servers, this step may be performed on either switch. To define a VLAN, issue the vlan [vlan] command in either the VLAN database or global configuration mode.

    In order to verify the above configuration, issue the show vtp status command. To check whether VTP is properly configured, ensure that the domain names are identical, the MD5 hash values of the VTP passwords are the same, and the configuration revision number matches.

    Further Reading: Understanding and Configuring VLAN Trunk Protocol (VTP)

    In addition to access ports and trunk ports, some interfaces in the VLAN assignment table are listed as routed and VLAN interfaces. The Catalyst 3550

    http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml

    Switchports include layer 2 access and trunk ports. The default mode for all interfaces on the 3550 is to be a switchport. Routed ports are native layer 3 interfaces, and can be directly configured with IP. To configure a routed interface, issue the no switchport command on the interface. Lastly, a switched virtual interface (SVI) is a logical layer 3 interface that represents a domain of switchports. SVIs are used to configure inter-VLAN routing. To configure an SVI, simply issue the interface vlan [vlan] command in global configuration mode.

    Further Reading: Configuring Inter-VLAN Routing on the Catalyst 3550 Series Switch

    http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml

    Since ports of the 3550 are dynamic ports, a failed negotiation in trunking will result in the port reverting to access mode. Access mode implies that the interface will be connected to an end node, and belongs to one VLAN. To ensure that the interface always maintains trunking status, remove the port from dynamic mode by issuing the switchport mode trunk interface command.

    Further Reading: Configuring VLANs: Configuring VLAN Trunks

    Note

    A switchport cannot run in static trunking mode while the trunking encapsulation is set to auto-negotiate. Therefore, be sure to issue the switchport trunk encapsulation command before issuing the switchport mode trunk command.

    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008014f375.html

    Task 1.7

    SW1:
    interface FastEthernet0/10
     spanning-tree portfast
    !
    interface FastEthernet0/11
     spanning-tree portfast

    Task 1.7 Breakdown

    Spanning-tree forwarding delay refers to the time it takes a port to transition through the listening and learning phases of spanning-tree protocol (STP). These phases are used to determine what type of traffic is being received on an interface, and to avoid a loop in the spanning-tree topology if one is detected. Since end stations by definition are stub connections to the switch block, a spanning-tree loop cannot occur on these ports under normal circumstances. In addition to being unnecessary, running spanning-tree on ports that connect to end stations may result in undesirable effects. These effects may include hosts not being able to negotiate addresses through DHCP, log on to a network domain, etc. In order to minimize these effects, spanning-tree portfast should be configured on interfaces which connect to end nodes.

    Portfast reduces the delay associated with STP by skipping the listening and learning phases, and transitioning a port directly to forwarding state. To configure portfast, issue the spanning-tree portfast command on the interface. Note that portfast should not be configured on interfaces that connect to routers, switches, or hubs, as this may result in a loop in the spanning-tree domain.

    Further Reading

    Using PortFast and Other Commands to Fix Workstation Startup Connectivity Delays

    http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml

    Task 1.8

    SW1:
    interface FastEthernet0/10
     spanning-tree bpduguard enable
    !
    interface FastEthernet0/11
     spanning-tree bpduguard enable

    Task 1.8 Breakdown

    As stated in the previous section, portfast should not be configured on interfaces that connect to routers, switches, or hubs, as this may result in a loop in the spanning-tree domain. When portfast is enabled, the listening and learning phases of STP are skipped. Since these are the phases used to determine if there is a loop in the topology, a loop cannot be immediately detected if portfast is enabled. In order to prevent this case, the 3550 supports a feature known as BPDU guard.

    A bridge protocol data unit (BPDU) is the packet used to advertise spanning-tree protocol information. If a BPDU is received on an interface, it implies that there is a device running STP connected to that interface. If a BPDU is received on an interface which is configured with BPDU guard, the interface will be put into err-disabled state. BPDU guard can therefore be used in combination with portfast to prevent a loop if a switch or bridge is connected to a port running portfast. To enable BPDU guard, use the interface command spanning-tree bpduguard enable.
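    The pairing of portfast with BPDU guard described above can be checked across a saved switch configuration. The following Python audit is an added example, not part of the workbook; it reports every switchport where portfast is active without BPDU guard. The sample configuration is constructed (Fa0/12 is hypothetical), and the script assumes the switch software also accepts the global commands spanning-tree portfast default and spanning-tree portfast bpduguard default.

```python
# Constructed sample: SW1's VLAN 2 ports as configured in Tasks 1.7 and 1.8,
# a hypothetical Fa0/12 left with portfast only, the Fa0/13 trunk and a routed port.
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/11
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/12
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/14
 no switchport
 ip address 183.1.78.7 255.255.255.0
"""


def parse_interfaces(config):
    """Split an IOS config into {interface: [sub-commands]} and global lines."""
    interfaces, global_lines, current = {}, [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":                      # indented line: sub-command
            if current is not None:
                interfaces[current].append(" ".join(raw.split()))
            continue
        current = None                           # any top-level line ends the block
        line = " ".join(raw.split())
        if line.startswith("interface "):
            current = line[len("interface "):].replace(" ", "")
            interfaces[current] = []
        elif line != "!":
            global_lines.append(line)
    return interfaces, global_lines


def audit_portfast(config):
    """Return [(interface, finding)] for ports running portfast without BPDU guard."""
    interfaces, global_lines = parse_interfaces(config)
    portfast_default = "spanning-tree portfast default" in global_lines
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, cmds in interfaces.items():
        if "no switchport" in cmds:              # routed port, STP does not run
            continue
        trunk = "switchport mode trunk" in cmds
        if "spanning-tree portfast disable" in cmds:
            portfast = False
        elif ("spanning-tree portfast" in cmds
              or "spanning-tree portfast trunk" in cmds):
            portfast = True                      # explicit setting, treated as active
        else:
            portfast = portfast_default and not trunk
        if not portfast:
            continue
        if "spanning-tree bpduguard disable" in cmds:
            guarded = False
        else:
            guarded = guard_default or "spanning-tree bpduguard enable" in cmds
        if not guarded:
            findings.append((name, "portfast without bpduguard"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_portfast(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```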

    Further Reading

    Spanning Tree Portfast BPDU Guard Enhancement

    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

    2. Frame-Relay

    Task 2.1 - 2.5

    R2 (Hub):
    interface Serial0/0
     ip address 183.1.123.2 255.255.255.0
     encapsulation frame-relay
     frame-relay map ip 183.1.123.1 201 broadcast
     frame-relay map ip 183.1.123.3 203 broadcast
     no frame-relay inverse-arp

    R1 (Spoke):
    interface Serial0/0
     ip address 183.1.123.1 255.255.255.0
     encapsulation frame-relay
     frame-relay map ip 183.1.123.2 102 broadcast
     ! Quick Note: broadcast keyword not included to meet the requirements of task 2.5.
     frame-relay map ip 183.1.123.3 102
     no frame-relay inverse-arp

    R3 (Spoke):
    interface Serial1/0
     ip address 183.1.123.3 255.255.255.0
     encapsulation frame-relay
     frame-relay map ip 183.1.123.1 302
     frame-relay map ip 183.1.123.2 302 broadcast
     no frame-relay inverse-arp


    Task 2.6 - 2.10

    R5 (Hub):
    interface Serial0/0
     ip address 183.1.0.5 255.255.255.0
     encapsulation frame-relay
     frame-relay map ip 183.1.0.3 513 broadcast
     frame-relay map ip 183.1.0.4 504 broadcast
     no frame-relay inverse-arp

    R3 (Spoke):
    interface Serial1/1
     ip address 183.1.0.3 255.255.255.0
     encapsulation frame-relay
     frame-relay map ip 183.1.0.4 315
     frame-relay map ip 183.1.0.5 315 broadcast
     no frame-relay inverse-arp

    R4 (Spoke):
    interface Serial0/0
     ip address 183.1.0.4 255.255.255.0
     encapsulation frame-relay
     frame-relay map ip 183.1.0.3 405
     frame-relay map ip 183.1.0.5 405 broadcast
     no frame-relay inverse-arp


    In the case of Frame-Relay, a static layer 3 to layer 2 protocol mapping is defined through the frame-relay map [protocol] [protocol_address] [dlci] [broadcast] interface command. Since layer 3 to layer 2 protocol resolution is not required on point-to-point interfaces, the above command only applies to multipoint interfaces. Also, since native broadcast and multicast transmission is not supported on an NBMA media, the broadcast keyword instructs the router to send both broadcast and multicast traffic out the DLCI as a replicated unicast.

    Note

    Frame-Relay Inverse-ARP automatically maps broadcast, however ATM InARP does not. Use the broadcast keyword under the ATM VC configured for InARP to include broadcast support on a dynamic ATM mapping.

    A replicated unicast means that unlike a true broadcast or multicast transmission where only one packet is encapsulated on the interface, the packet must be replicated for each layer 2 circuit which it is destined for.

    For partially-meshed NBMA configurations, one or more endpoints of the network do not have direct layer 2 connectivity to all other endpoints of the network. Partial-mesh is sometimes also referred to as hub-and-spoke, in which case a single endpoint (hub) of the network has a direct layer 2 connection to all other endpoints (spokes), while all other endpoints of the networks (spokes) only have direct layer 2 connectivity to the hub. When using multipoint NBMA interfaces in a partially-meshed configuration, it may be necessary to configure multiple layer 3 mappings that resolve to the same layer 2 address. This can be seen in the above configuration example where R1 has multiple frame-relay map statements that point to the same DLCI.

    In the above configuration, R1 only has the broadcast keyword applied to the mapping statement to R2. When a router is routing IP, an IP broadcast will never be forwarded from one interface to another by default. An IP broadcast can be forwarded between interfaces if the router is transparently bridging but will not be forwarded out the same interface it was received on. Therefore, assuming that the hub of the network is routing IP, spoke devices on the NBMA network can neither send nor receive broadcast or multicast packets between each other.
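    The replicated-unicast behavior and the single broadcast keyword per spoke DLCI can be verified mechanically. The following Python check is an added example, not part of the workbook; it counts how many copies of one broadcast packet each DLCI would carry and flags interfaces that still allow dynamic mappings. The R1 and R2 inputs are the Serial0/0 configurations from the Task 2.1 - 2.5 solution, while "R1-bad" is a constructed variant, and the one-copy-per-broadcast-mapping model is the assumption behind the count.

```python
import re
from collections import Counter

MAP_RE = re.compile(r"frame-relay map ip (\S+) (\d+)( broadcast)?$")

# R1 and R2: Serial0/0 configurations from the Task 2.1 - 2.5 solution.
# R1-bad: constructed variant with broadcast on both maps and InARP left on.
CONFIGS = {
    "R2": """\
interface Serial0/0
 ip address 183.1.123.2 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 183.1.123.1 201 broadcast
 frame-relay map ip 183.1.123.3 203 broadcast
 no frame-relay inverse-arp
""",
    "R1": """\
interface Serial0/0
 ip address 183.1.123.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 183.1.123.2 102 broadcast
 frame-relay map ip 183.1.123.3 102
 no frame-relay inverse-arp
""",
    "R1-bad": """\
interface Serial0/0
 ip address 183.1.123.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 183.1.123.2 102 broadcast
 frame-relay map ip 183.1.123.3 102 broadcast
""",
}


def parse_maps(config):
    """Return [(next_hop_ip, dlci, broadcast)] for every static IP mapping."""
    maps = []
    for raw in config.splitlines():
        match = MAP_RE.match(" ".join(raw.split()))
        if match:
            maps.append((match.group(1), int(match.group(2)),
                         bool(match.group(3))))
    return maps


def broadcast_copies(config):
    """Copies of one broadcast or multicast packet sent on each DLCI.

    Each mapping that carries the broadcast keyword produces one replicated
    unicast, so two such mappings on one DLCI duplicate the packet there.
    """
    counts = Counter(dlci for _, dlci, bcast in parse_maps(config) if bcast)
    return dict(counts)


def audit(config):
    """Return findings for redundant broadcasts and dynamic mappings."""
    lines = [" ".join(raw.split()) for raw in config.splitlines()]
    findings = []
    if "no frame-relay inverse-arp" not in lines:
        findings.append("inverse-arp enabled: dynamic mappings possible")
    for dlci, copies in sorted(broadcast_copies(config).items()):
        if copies > 1:
            findings.append(f"DLCI {dlci}: {copies} copies of each broadcast")
    return findings


if __name__ == "__main__":
    for device, config in CONFIGS.items():
        print(device, broadcast_copies(config), audit(config))
```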


    4. ISDN/PPP

    Task 4.1 - 4.3

    R4:
    dialer-list 1 protocol ip permit
    !
    interface BRI0/0
     ip address 183.1.45.4 255.255.255.248
     dialer idle-timeout 180 either
     dialer map ip 183.1.45.5 broadcast 5272015
     dialer-group 1
     isdn switch-type basic-ni
     isdn spid1 5272014

    R5:
    dialer-list 1 protocol ip permit
    !
    interface BRI0/0
     ip address 183.1.45.5 255.255.255.248
     dialer idle-timeout 180 either
     dialer map ip 183.1.45.4 broadcast 5272014
     dialer-group 1
     isdn switch-type basic-ni
     isdn spid1 5272015

    Task 4.1 - 4.3 Breakdown

    The term legacy ISDN refers to dial on demand configuration applied to the physical BRI interface. As previously mentioned, ISDN is an NBMA media much like Frame-Relay and ATM. The main BRI interface in ISDN is multipoint, while a dialer interface configured in a dialer profile is a point-to-point interface.

    Note

    A dialer interface may be a multipoint interface when it is configured in a dialer rotary group.

    The first step in configuring ISDN is to define the ISDN switch-type. In the above configuration example, the ISDN switch-type in question is Basic-NI. Note

    Since legacy DDR configuration implies using the physical multipoint interface, it also implies that layer 3 to layer 2 resolution must be configured. In the case of ISDN, this resolution comes in the form of the interface command dialer map.

    Pitfall

    Much like Frame-Relay Inverse-ARP and ATM InARP, ISDN doessupport the notion of a dynamic layer 3 to layer 2 mapping. However,this mapping will not be created until a call has connected in the firstplace. Therefore, in order to initiate an ISDN call, the router must beconfigured with a dialer map when using legacy DDR. The router thatis receiving the call does not necessarily need this mappingconfigured, as the dynamic mapping will occur once the call is up.

    To configure this static layer 3 to layer 2 mapping, use the interface command dialer map [protocol] [protocol_address] name [remote-name] [broadcast]. Like other NBMA media, native support for broadcast and multicast transmission does not exist on multipoint ISDN interfaces. Therefore, the broadcast keyword must be added to any static protocol mapping statements in order to send broadcast or multicast traffic out the circuit as a layer 2 replicated unicast.

    Dial configurations are referred to as dial-on-demand due to the fact that the circuit must be initiated by predefined traffic. This traffic is commonly referred to as interesting traffic, and is defined through the dialer-list global configuration command. To apply the interesting traffic to the interface, use the interface level command dialer-group [list_number].

    Note

    Once a DDR call is initiated, all protocol traffic will flow over the interface unless it is manually blocked, such as through the application of an access-list. However, only traffic that satisfies the dialer-list will keep the circuit up.

    The duration that the circuit remains up is determined by the dialer idle-timeout, and defaults to 120 seconds. Once a packet transits the circuit which satisfies the configured dialer-list, the idle timer will be reset.

    Note

    By default, the idle timer is only reset by outgoing traffic that matches the dialer-list. To match on inbound traffic, or both inbound and outbound traffic, add the outbound or either option on to the end of the dialer idle-timeout command.

    Task 4.4 - 4.5

    Quick Note

    name option added

    R4:
    username Rack1R5 password CISCO
    !
    interface BRI0/0
     encapsulation ppp
     ppp authentication pap
     dialer map ip 183.1.45.5 name Rack1R5 broadcast 5272015
     ppp pap sent-username Rack1R4 password CISCO

    Quick Note

    The name entered in the dialer map command should match the name the remote end is sending for authentication.

    R5:
    username Rack1R4 password CISCO
    !
    interface BRI0/0
     encapsulation ppp
     ppp authentication pap
     dialer map ip 183.1.45.4 name Rack1R4 broadcast 5272014
     ppp pap sent-username Rack1R5 password CISCO

    Task 4.5 - 4.6 Breakdown

    Point-to-Point Protocol (PPP) is a media independent encapsulation that is defined in RFC 1661. PPP offers enhanced features such as authentication, compression, and link quality monitoring that may not be natively supported on the underlying media. The first step in configuring PPP is to issue the encapsulation ppp interface level command. Once this step is completed, additional features such as authentication may be configured.

    To authenticate a remote device using PAP, issue the ppp authentication pap interface level command. To be authenticated by a remote device using PAP, it is necessary to configure the username and password that will be sent over the line. This is accomplished by issuing the ppp pap sent-username [username] password [password] command.

    Pitfall

    Unlike CHAP, PAP does not automatically send the router's hostname for authentication. The username and password value must be manually configured with the ppp pap sent-username command under the interface.

    To verify that authentication was successful, use the debug ppp authentication command.

    Task 4.6 - 4.7

    R4:
    interface BRI0/0
     ppp multilink
     ppp multilink links minimum 2

    R5:
    interface BRI0/0
     ppp multilink
     ppp multilink links minimum 2

    An additional useful feature of PPP is the ability to bind multiple interfaces together as one logical interface, and fragment traffic amongst the member interfaces. This feature is known as PPP multilink. To enable multilink, issue the interface command ppp multilink.

    In the case of ISDN BRI, enabling PPP multilink will allow both ISDN B channels to be bound together as one logical link. One option while implementing PPP multilink on ISDN is to bind both B channels together once the utilization of the first channel exceeds a certain threshold. This value is user definable through the interface level command dialer load-threshold. However, PPP multilink may also be initiated on ISDN regardless of the link utilization by

    5. Interior Gateway Routing

    Task 5.1 - 5.4

    R3:
    router ospf 1
     router-id 150.1.3.3
     network 150.1.3.3 0.0.0.0 area 0
     network 183.1.0.3 0.0.0.0 area 0
    !
    interface Serial1/1
     ip ospf network broadcast
     ip ospf priority 0

    R4:
    router ospf 1
     router-id 150.1.4.4
     network 150.1.4.4 0.0.0.0 area 0
     network 183.1.0.4 0.0.0.0 area 0
    !
    interface Serial0/0
     ip ospf network broadcast
     ip ospf priority 0

    R5:
    router ospf 1
     router-id 150.1.5.5
     network 150.1.5.5 0.0.0.0 area 0
     network 183.1.0.5 0.0.0.0 area 0
    !
    interface Serial0/0
     ip ospf network broadcast

    Task 5.1 - 5.4 Breakdown

    The first step in enabling OSPF is to define the OSPF process. This is accomplished with the global configuration command router ospf [process_id]. The OSPF process ID is a locally significant number. Next, specify the OSPF router-id by issuing the command router-id [router_id] under the OSPF process. Although this step is not necessary, it will prevent certain problems that will be evident later.

    Pitfall

    Router-IDs used for OSPF, BGP and even EIGRP should be unique. Router-IDs like 1.1.1.1, 2.2.2.2 and 3.3.3.3 may not be unique. In a home lab environment they may be unique but in an environment with shared backbone routers that connect to other candidates' racks, you could possibly end up using the same router-ID as another candidate. To help guard against this possibility, choose an existing loopback address to hard code as your router-ID. Using a router-ID selection method of X.X.Y.Y where X is your rack number and Y is the device number (1=R1, 2=R2, etc) will also suffice.

    The next step in configuring OSPF is to enable OSPF on an interface. This is accomplished by issuing the network [address] [wildcard] area [area_number] command under the OSPF process. The address field specifies the IP address of an interface or a range of IP addresses, while the wildcard field specifies which bits of the address field are checked.

    In the above case, OSPF is configured over Frame-Relay. By default, the OSPF process assumes that multipoint Frame-Relay interfaces do not support the transmission of multicast packets, and therefore do not support the transmission of OSPF hello packets. In order to compensate, OSPF defines various network types. These network types are:

    Broadcast
    Non-Broadcast
    Point-to-Point
    Point-to-Multipoint
    Point-to-Multipoint Non-Broadcast
    Loopback

    The default OSPF network type on multipoint Frame-Relay interfaces is non-broadcast. In order to establish adjacency on an OSPF non-broadcast network segment, OSPF hello packets must be sent as unicast packets. This is accomplished by issuing the neighbor statement under the OSPF process.

    Of the above network types, only the broadcast and non-broadcast network types support a designated router (DR) and a backup designated router (BDR)

    The OSPF DR for a segment is determined through an election process. This process first looks for the router with the highest OSPF priority. If there is a tie in the OSPF priority, the router with the highest router-ID wins. The OSPF priority value has a range of 0-255, where 255 is most likely to be elected and 0 indicates that the router will never be elected. Therefore, to ensure that R5 is always elected the DR for the aforementioned segment, R3 and R4 should be configured with an ip ospf priority of 0.

    Pitfall

    Although it is true that the device with the highest OSPF priority value will be elected as the DR, the OSPF election does not support preemption. This means that once a device is elected the DR, no other device may assume this status unless the DR goes down. Therefore, there may be devices in the network with a higher priority than the current DR or BDR. This also implies that the only way to ensure that a device is elected as the DR is to remove all other devices from the election process by setting their priority to 0.
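    The election rule and the non-preemption pitfall above, as an added Python model that is not part of the workbook. It is simplified (no Hello or Wait timers; routers passed to one bring_up call count as starting together), the Router, Segment and rtr names are hypothetical, and only the router-IDs and priorities come from the solution above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Router:
    name: str
    router_id: str
    priority: int = 1                      # IOS default for "ip ospf priority"

def rank(router):
    # Highest priority wins; the router-ID only breaks a priority tie.
    return (router.priority, int(IPv4Address(router.router_id)))

class Segment:
    """Simplified DR/BDR state for one broadcast or non-broadcast segment."""

    def __init__(self):
        self.up, self.dr, self.bdr = {}, None, None

    def _best(self, exclude):
        eligible = [x for x in self.up.values()
                    if x.priority > 0 and x.name not in exclude]
        return max(eligible, key=rank).name if eligible else None

    def _elect(self):
        # No preemption: a live DR or BDR keeps its role whatever joins later.
        if self.dr is None and self.bdr is not None:
            self.dr, self.bdr = self.bdr, None          # the BDR takes over
        if self.dr is None:
            self.dr = self._best(exclude=())
        if self.bdr is None:
            self.bdr = self._best(exclude=(self.dr,))

    def bring_up(self, *routers):
        """Routers passed in one call are treated as starting at the same time."""
        self.up.update({x.name: x for x in routers})
        self._elect()
        return self.dr, self.bdr

    def take_down(self, name):
        self.up.pop(name, None)
        if self.dr == name:
            self.dr = None
        if self.bdr == name:
            self.bdr = None
        self._elect()
        return self.dr, self.bdr

def rtr(name, last, priority=1):
    # Router-IDs follow the page's 150.1.Y.Y loopback addresses.
    return Router(name, f"150.1.{last}.{last}", priority)

def late_high_priority():
    """R3 and R4 are already up when R5 joins with priority 255."""
    seg = Segment()
    seg.bring_up(rtr("R3", 3), rtr("R4", 4))
    return seg.bring_up(rtr("R5", 5, priority=255))

def page_solution():
    """R3 and R4 at priority 0, as in the solution; join order no longer matters."""
    seg = Segment()
    seg.bring_up(rtr("R3", 3, priority=0), rtr("R4", 4, priority=0))
    return seg.bring_up(rtr("R5", 5))

if __name__ == "__main__":
    print("R5 joins late with priority 255:", late_high_priority())
    print("R3 and R4 set to priority 0    :", page_solution())
```

    Raising R5's priority alone leaves R4 as DR when R5 comes up last; only priority 0 on R3 and R4 makes the result independent of start order.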

    Task 5.5 - 5.9

    R4:
    router ospf 1
     network 183.1.45.4 0.0.0.0 area 45
     network 183.1.46.4 0.0.0.0 area 46

    R5:
    router ospf 1
     network 183.1.45.5 0.0.0.0 area 45

    Quick Note

    Only one router will need to be configured with the demand-circuit option.

    R4 or R5:
    interface BRI0/0
     ip ospf demand-circuit

    R6:
    router ospf 1
     router-id 150.1.6.6
     network 150.1.6.6 0.0.0.0 area 46
     network 183.1.46.6 0.0.0.0 area 46

    Task 5.5 - 5.9 Breakdown

    Since OSPF is a link state protocol, it must maintain active adjacencies with other neighboring OSPF enabled routers in order to retain an accurate view of the current network topology. In the above task, OSPF is configured on the ISDN circuit. Since OSPF is part of the IP stack, the previously defined dialer-list will consider OSPF as interesting traffic. This implies that the ISDN line will remain up indefinitely due to OSPF hello packets transiting the link. In order to reduce unnecessary usage of DDR links, OSPF supports a special feature known as demand circuit.

    The ip ospf demand-circuit feature prohibits routers on the segment from generating periodic heartbeat keepalives (hellos). Demand circuit also sets the do not age flag on all LSAs learned over the DDR interface, which will prevent the so called paranoid update which normally occurs every 30 minutes. OSPF traffic will only be allowed to transit the demand circuit if there is a change in the OSPF topology. Therefore, the dial circuit will only be initiated by OSPF if there is a state change somewhere in the network. This ensures that unnecessary usage of the DDR circuit is minimized, while an accurate view of the network topology is maintained.

    Standard

    RFC 1793 Extending OSPF to Support Demand Circuits
    http://www.internetworkexpert.com/rfc/rfc1793.txt

    Task 5.10 - 5.14

    R1:
    router eigrp 100
     eigrp router-id 150.1.1.1
     network 150.1.1.1 0.0.0.0
     network 183.1.17.1 0.0.0.0
     network 183.1.123.1 0.0.0.0
     ! Recommended Command
     no auto-summary

    R2:
    router eigrp 100
     eigrp router-id 150.1.2.2
     network 150.1.2.2 0.0.0.0
     network 183.1.2.2 0.0.0.0
     network 183.1.123.2 0.0.0.0
     no auto-summary
    !
    interface Serial0/0
     no ip split-horizon eigrp 100

    Quick Note

    Unlike RIP and IGRP split-horizon is never automatically disabled for EIGRP.

    R3:
    router eigrp 100
     eigrp router-id 150.1.3.3
     network 183.1.123.3 0.0.0.0
     no auto-summary

    R5:
    router eigrp 100
     eigrp router-id 150.1.5.5
     network 183.1.58.5 0.0.0.0
     no auto-summary

    SW1:
    ip routing
    !
    router eigrp 100
     eigrp router-id 150.1.7.7
     network 150.1.7.7 0.0.0.0
     network 183.1.17.7 0.0.0.0
     network 183.1.78.7 0.0.0.0
     no auto-summary

    SW2:
    ip routing
    !
    router eigrp 100
     eigrp router-id 150.1.8.8

    Task 5.10 - 5.14 Breakdown

    The first step in enabling EIGRP is to start the EIGRP process and define the EIGRP AS number. This is accomplished by issuing the router eigrp [as_number] global configuration command.

    Note

    IP routing is disabled by default on the Catalyst 3550 seriesswitches. To enable the IP routing process, issue the ip routing global configuration command.

    Once the EIGRP process has been defined, a good general practice is to disable auto summarization by issuing the no auto-summary command under the routing process. This will ensure that networks are not automatically summarized to the classful boundary when passing between major network boundaries. Specifically in the above case, auto-summary must be disabled since discontiguous networks exist throughout the routing domain.

    Next, to enable EIGRP on an interface, issue the network command under the EIGRP process. Like OSPF, the network command syntax includes both an address and a wildcard as of IOS 12.0(4)T. These two fields in combination specify which interfaces, based on their IP address, or range of interfaces, based on the range of their IP addresses, will run EIGRP. In the above example the wildcard mask is 0.0.0.0. This implies that only the interface with that specific IP address will be running EIGRP.

    Lastly, the no ip split-horizon eigrp [as_number] command is configured on R2. By default, split-horizon is enabled for EIGRP on all interfaces. Since from R2's perspective both R1 and R3 are reachable out the same interface, split-horizon must be disabled to ensure that R1 learns about R3's routes and vice versa.

    Task 5.15

    R3:
    router eigrp 100
     redistribute connected metric 10000 100 255 1 1500 route-map CONNECTED2EIGRP
    !
    route-map CONNECTED2EIGRP permit 10
     match interface Ethernet0/0

    Task 5.15 Breakdown

    As seen in the show ip route output, routes with the D EX prefix denote external EIGRP routes. External routes are those which have been injected from a different routing domain through redistribution. In the above case the network in question is a connected interface. Therefore, the interface is injected in as an external route by issuing the redistribute connected routing process sub-command. In addition to this, a route-map has been created which matches the interface in question. Therefore, other networks are not unnecessarily injected into the EIGRP domain as external routes.

    Task 5.16 - 5.19

    Quick Note

    Be careful to not put a space at the end of the password in the key-string.

    R6:
    key chain EIGRP
     key 1
      key-string CISCO
    !
    interface ATM0/0/0
     ip authentication mode eigrp 10 md5
     ip authentication key-chain eigrp 10 EIGRP
    !
    router eigrp 10
     eigrp router-id 150.1.6.6
     network 54.1.1.6 0.0.0.0
     no auto-summary

    Task 5.16 - 5.19 Breakdown

    For added network security, EIGRP supports MD5 authentication of adjacency relationships through the usage of a key chain. To enable EIGRP authentication, first define the key chain in global configuration. Next, specify the key number and the associated key-string (password). Finally, enable MD5 authentication on the interface with the ip authentication mode eigrp [as_number] md5 command, and apply the key chain with the ip authentication key-chain eigrp [as_number] [key-chain] command.

    Pitfall

    The key numbers within the key-chain must match between neighbors for authentication to be successful.
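    A check for the two pitfalls above (matching key numbers, and no trailing space in the key-string), as added Python that is not part of the workbook. R6 is the key chain and interface configuration from the solution; the neighbor returned by peer() is constructed, since the page does not show the far end, and all function names are hypothetical.

```python
import re

def parse_key_chains(config):
    """Return {chain: {key_id: key_string}}; trailing spaces are kept on purpose."""
    chains, chain, key_id = {}, None, None
    for raw in config.splitlines():
        line = raw.lstrip()
        if m := re.match(r"key chain (\S+)\s*$", line):
            chain, key_id = chains.setdefault(m.group(1), {}), None
        elif raw and not raw[0].isspace():
            chain = None                  # any other top-level line closes the chain
        elif chain is not None and (m := re.match(r"key (\d+)\s*$", line)):
            key_id = int(m.group(1))
        elif chain is not None and key_id is not None and line.startswith("key-string "):
            chain[key_id] = line[len("key-string "):]
    return chains

def eigrp_auth(config, asn):
    """Return (md5_enabled, chain_name) for one EIGRP AS (interface scope ignored)."""
    md5 = re.search(rf"^\s*ip authentication mode eigrp {asn} md5\s*$", config, re.M)
    chain = re.search(rf"^\s*ip authentication key-chain eigrp {asn} (\S+)\s*$", config, re.M)
    return bool(md5), chain.group(1) if chain else None

def audit(local, remote, asn):
    """Compare the EIGRP MD5 settings of two neighbors; return a list of findings."""
    findings, keys = [], {}
    for side, cfg in (("local", local), ("remote", remote)):
        md5, name = eigrp_auth(cfg, asn)
        if not md5:
            findings.append(f"{side}: MD5 mode not enabled for EIGRP {asn}")
        chain = parse_key_chains(cfg).get(name)
        if chain is None:
            findings.append(f"{side}: key chain {name!r} not applied or not defined")
            chain = {}
        for kid, secret in chain.items():
            if secret != secret.rstrip():
                findings.append(f"{side}: key {kid} key-string ends with whitespace")
        keys[side] = chain
    # The chain name is locally significant; key numbers and strings are not.
    for kid in sorted(set(keys["local"]) | set(keys["remote"])):
        ours, theirs = keys["local"].get(kid), keys["remote"].get(kid)
        if ours is None or theirs is None:
            findings.append(f"key {kid} is configured on one side only")
        elif ours != theirs:
            findings.append(f"key {kid} key-strings differ")
    return findings

# From the page (Task 5.16 - 5.19, R6).
R6 = (
    "key chain EIGRP\n"
    " key 1\n"
    "  key-string CISCO\n"
    "!\n"
    "interface ATM0/0/0\n"
    " ip authentication mode eigrp 10 md5\n"
    " ip authentication key-chain eigrp 10 EIGRP\n"
)

def peer(key_id, key_string):
    # Constructed neighbor configuration; names and interface are assumptions.
    return (
        "key chain BB\n"
        f" key {key_id}\n"
        f"  key-string {key_string}\n"
        "!\n"
        "interface ATM0/0\n"
        " ip authentication mode eigrp 10 md5\n"
        " ip authentication key-chain eigrp 10 BB\n"
    )

if __name__ == "__main__":
    for label, cfg in (("match", peer(1, "CISCO")),
                       ("trailing space", peer(1, "CISCO ")),
                       ("key 2", peer(2, "CISCO"))):
        print(label, "->", audit(R6, cfg, 10) or "OK")
```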

    Task 5.20 - 5.23

    SW2:
    key chain RIP
     key 1
      key-string CISCO
    !
    interface Vlan82
     ip rip authentication mode md5
     ip rip authentication key-chain RIP
    !
    router rip
     version 2
     network 192.10.1.0
     ! Recommended Command
     no auto-summary

    Task 5.20 - 5.23 Breakdown

    Like EIGRP, RIP uses a key-chain configuration for authentication. Unlike EIGRP however, RIP supports both clear-text and MD5 authentication. In either case, RIP authentication is only supported for RIPv2. Therefore, the above task implies that RIPv2 should be enabled.

    Task 5.24 - 5.27

    R4:
    router ospf 1
     area 45 virtual-link 150.1.5.5

    R5:
    router eigrp 100
     redistribute ospf 1 metric 10000 100 255 1 1500
    !
    router ospf 1
     area 45 virtual-link 150.1.4.4
     redistribute eigrp 100 subnets

    R6:
    router eigrp 10
     redistribute ospf 1 metric 10000 100 255 1 1500
    !
    router ospf 1
     redistribute eigrp 10 subnets

    SW2:
    router eigrp 100
     redistribute rip metric 10000 100 255 1 1500
    !
    router rip
     redistribute eigrp 100 metric 1

    Task 5.24 - 5.27 Breakdown

    In this scenario, there are only single points of mutual redistribution. This means that redistribution is not happening between the same protocols at multiple points in the network. Therefore, in this particular case there is little or no chance for routing loops due to redistribution, and the redistribute commands are configured in both directions without any filters applied. In this case the routing process itself will prevent any route feedback.

    When redistributing into OSPF, all routes are assigned a default metric of 20. However, RIP and EIGRP do not have default routing metrics for redistribution. Therefore, a metric value must be manually specified. Note that this metric value is arbitrary, and does not reflect any discernible value.

    Note

    When redistributing between EIGRP and IGRP a default metric is not needed.

    Lastly, the above task states to ensure IP reachability when R4 loses connectivity to the Frame-Relay cloud. When this is the case, R4's only exit point to the rest of the network is through the ISDN circuit. Since OSPF has been previously configured on the ISDN circuit, this is not a problem. However, once R4 loses connectivity to the Frame-Relay cloud, OSPF area 46 loses its connection to area 0. Since all areas in OSPF must be connected to area 0, a virtual-link has been created across the transit area, area 45, between the area border routers (ABRs) R4 and R5. When creating a virtual-link, the IP address referenced is the OSPF router-ID of the remote ABR. To ensure that this ID does not change, the router-id command was previously issued when the OSPF process was initialized.

    6. Exterior Gateway Routing

    Task 6.1 - 6.4

    R1:
    router bgp 200
     bgp router-id 150.1.1.1
     no synchronization
     neighbor 183.1.17.7 remote-as 200
     neighbor 183.1.17.7 route-reflector-client
     neighbor 183.1.123.2 remote-as 200

    R2:
    router bgp 200
     bgp router-id 150.1.2.2
     no synchronization
     neighbor 183.1.123.1 remote-as 200
     neighbor 183.1.123.3 remote-as 100

    R3:
    router bgp 100
     bgp router-id 150.1.3.3
     no synchronization
     neighbor 183.1.0.5 remote-as 100
     neighbor 183.1.123.2 remote-as 200
     neighbor 204.12.1.254 remote-as 54

    R4:
    router bgp 100
     bgp router-id 150.1.4.4
     no synchronization
     neighbor 150.1.5.5 remote-as 100
     neighbor 150.1.5.5 update-source Loopback0

    R5:
    router bgp 100
     bgp router-id 150.1.5.5
     no synchronization
     neighbor 150.1.4.4 remote-as 100
     neighbor 150.1.4.4 update-source Loopback0
     neighbor 150.1.4.4 route-reflector-client
     neighbor 150.1.6.6 remote-as 100
     neighbor 150.1.6.6 update-source Loopback0
     neighbor 150.1.6.6 route-reflector-client
     neighbor 183.1.0.3 remote-as 100
     neighbor 183.1.0.3 route-reflector-client
     neighbor 183.1.58.8 remote-as 200

    SW1:
    router bgp 200
     bgp router-id 150.1.7.7
     no synchronization
     neighbor 183.1.17.1 remote-as 200
     neighbor 183.1.17.1 route-reflector-client
     neighbor 183.1.78.8 remote-as 200

    SW2:
    router bgp 200
     bgp router-id 150.1.8.8
     no synchronization
     neighbor 183.1.58.5 remote-as 100
     neighbor 183.1.78.7 remote-as 200
     neighbor 192.10.1.254 remote-as 254
     neighbor 192.10.1.254 password CISCO

    Task 6.1 - 6.4 Breakdown

    Like other routing protocols, the first step in enabling BGP is to issue the router bgp [as_number] command in global configuration mode. Note that only one BGP process may run on the router at any given time. Unlike most IGPs, BGP does not supply its own transport protocol. Instead, BGP uses TCP to provide reliable transport. This implies that to establish a BGP peering relationship, end-to-end IP reachability must already be established. To form a BGP peering relationship, use the BGP subcommand neighbor [address] remote-as [remote_as_number]. One fundamental rule about BGP peering relationships is that all iBGP peering sessions must be fully meshed by default.

    Note

    Since all devices in the transit path throughout the network are running BGP, synchronization has been disabled. As of 12.2(8)T, BGP synchronization is disabled by default. Implications of BGP synchronization will be covered in depth in later scenarios.

    Since BGP does not use a discernible metric value as IGPs do, the main loop prevention mechanism built into iBGP is the fact that routes learned from an iBGP neighbor cannot be advertised on to another iBGP neighbor. Therefore, this stipulation implies that all iBGP speaking devices must establish direct peering relationships with all other iBGP devices within your autonomous system.

    Pitfall

    The term candidate to be advertised is used here because although the route is eligible to be advertised on to another peer, there are certain cases when the prefix will not be advertised. Some of these include because the route is not a best path, the route is part of a community that dictates it not to be advertised, distribute-list filtering is applied to a neighbor, etc. These cases will be covered in more detail later.

    Based upon the above described reflection behavior and the design of the BGP peering sessions in this particular task, the following can be inferred:

    1. R5 must be configured as a route-reflector for R3, R4, and R6.

    2a. SW1 should be configured as a route-reflector for SW2, while R1 is configured as a route-reflector for R2.

    OR

    2b. SW1 should be configured as a route-reflector for R1, while R1 is configured as a route-reflector for SW1.

    Both of the aforementioned cases for AS 200 will result in all routes being candidate for propagation through AS 200.

    Further Reading

    BGP Case Studies: Route Reflectors
    http://www.cisco.com/en/US/tech/tk365/tk80/technologies_tech_note09186a00800c95bb.shtml

    The next step in configuring BGP for this task states that the BGP peerings between R4 & R5 and R5 & R6 should remain active if R4's connection to the Frame-Relay cloud is lost. Since BGP relies on TCP transport, a BGP peering session may route asynchronously (different forward path than return path) and may be rerouted due to changes in the IGP topology.

    By default when a BGP peering relationship is established BGP packets

    Lastly, this above task states that the BGP peering session between SW2 and BB2 should be authenticated by using the password CISCO. BGP authentication uses an MD5 hash value derived from a configured password on the neighbor statement. This password is configured by simply adding the password [password] field onto the appropriate BGP neighbor statement.

    Standard

    RFC 2385: Protection of BGP Sessions via the TCP MD5 Signature Option

    Further Reading

    Thwarting TCP-Reset Attacks At Public Peering Points
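    How the signature behind the neighbor password command is computed and checked under RFC 2385, as an added Python example that is not part of the workbook. The peer address 192.10.1.254 and the password CISCO come from the task; SW2's address 192.10.1.8, the port and sequence numbers, and all function names are assumptions.

```python
import hashlib
import hmac
import socket
import struct

MD5_KIND, MD5_LEN = 19, 18        # TCP option kind 19, total length 18 (RFC 2385)

def digest(src_ip, dst_ip, segment, password):
    """MD5 over pseudo-header, option-less TCP header (checksum 0), data, password."""
    header_len = (segment[12] >> 4) * 4
    fixed = bytearray(segment[:20])               # TCP header without options
    fixed[16:18] = b"\x00\x00"                    # checksum is treated as zero
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return hashlib.md5(pseudo + bytes(fixed) + segment[header_len:] + password).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, flags, payload, password=None):
    """Build a TCP segment (checksum left at 0); sign it when a password is given."""
    options = bytes([1, 1, MD5_KIND, MD5_LEN]) + bytes(16) if password else b""
    offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         offset << 4, flags, 16384, 0, 0)
    segment = bytearray(header + options + payload)
    if password:
        # Options are not covered by the digest, so it can be filled in afterwards.
        segment[24:40] = digest(src_ip, dst_ip, bytes(segment), password)
    return bytes(segment)

def signature_of(segment):
    """Walk the TCP options and return the 16-byte MD5 signature, or None."""
    header_len, i = (segment[12] >> 4) * 4, 20
    while i < min(header_len, len(segment)):
        kind = segment[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP padding
            i += 1
            continue
        if i + 1 >= len(segment):
            break
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            break                                 # malformed option
        if kind == MD5_KIND and length == MD5_LEN:
            return segment[i + 2:i + length]
        i += length
    return None

def accept(src_ip, dst_ip, segment, password):
    """Receiver-side check for a session that has a password configured."""
    received = signature_of(segment)
    if received is None:
        return False                              # unsigned segment: dropped here
    return hmac.compare_digest(received, digest(src_ip, dst_ip, segment, password))

# Constructed test traffic (see the assumptions in the lead-in).
SW2, BB2, PASSWORD = "192.10.1.8", "192.10.1.254", b"CISCO"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"        # 19-byte BGP KEEPALIVE message

def demo():
    signed = build_segment(SW2, BB2, 11000, 179, 1000, 0x18, KEEPALIVE, PASSWORD)
    unsigned_rst = build_segment(SW2, BB2, 11000, 179, 1000, 0x04, b"")
    return {
        "signed keepalive": accept(SW2, BB2, signed, PASSWORD),
        "wrong password": accept(SW2, BB2, signed, b"cisco"),
        "unsigned reset": accept(SW2, BB2, unsigned_rst, PASSWORD),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17} accepted={ok}")
```

    The password is case-sensitive and both addresses feed the digest, so a mismatch on either side of the peering shows up as silently dropped segments rather than an error message from the peer.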

    Task 6.5 - 6.7

    R6:
    ip as-path access-list 1 permit 54$

    http://www.interne