HCIE-R&S Lab Mock Exam 2 With Solutions

The document discusses configuring various layer 2 technologies like VLANs, link aggregation, traffic mirroring, and network management on switches. It also covers setting up secure remote access and NTP synchronization.

VLANs 4, 5, 27, 42, 58 and 255 are configured on switches SW1-SW4. The associated interfaces for each VLAN on each switch are listed.

Link trunking using LACP is configured between SW1-SW2 with interfaces E0/0/11-12. Traffic mirroring is used to copy all traffic on interface G0/0/2 of SW4 to interface G0/0/1.

HCIE-R&S Mock Exam 2 INTERNAL

HCIE-R&S Lab Mock Exam 2

2017-5-23 Huawei Confidential Page 1, Total 38


Test Questions: (Y Represents the Rack Number, and X Represents the Equipment Number)
i. Section 1: Layer 2 Technologies

1.1.1.1 VLAN
Create VLANs 4, 5, 27, 42, 58 and 255 on switches SW1, SW2, SW3 and SW4.

SW1-SW4:
vlan batch 4 to 5 27 42 58 255

Add the following access interfaces to VLANs

VLAN  Switch  Interfaces
4     SW2     Eth0/0/4
5     SW1     Eth0/0/5
5     SW4     Gi0/0/1, Gi0/0/2
27    SW1     Eth0/0/2
27    SW3     Gi0/0/1
42    SW1     Eth0/0/4
42    SW2     Eth0/0/20
58    SW2     Eth0/0/5
255   SW1     Eth0/0/1, Eth0/0/3, Eth0/0/6, Gi0/0/1, Gi0/0/2
255   SW2     Eth0/0/22
255   SW3     Eth0/0/20

SW1:
interface Ethernet0/0/1
port link-type access
port default vlan 255
interface Ethernet0/0/2
port link-type access
port default vlan 27
interface Ethernet0/0/3
port link-type access
port default vlan 255

interface Ethernet0/0/4
port link-type access
port default vlan 42
interface Ethernet0/0/5
port link-type access
port default vlan 5
interface Ethernet0/0/6
port link-type access
port default vlan 255
interface GigabitEthernet0/0/1
port link-type access
port default vlan 255
interface GigabitEthernet0/0/2
port link-type access
port default vlan 255

SW2:
interface Ethernet0/0/4
port link-type access
port default vlan 4
interface Ethernet0/0/5
port link-type access
port default vlan 58
interface Ethernet0/0/20
port link-type access
port default vlan 42
interface Ethernet0/0/22
port link-type access
port default vlan 255

SW3:
interface Ethernet0/0/20
port link-type access
port default vlan 255
interface GigabitEthernet0/0/1
port link-type access
port default vlan 27

SW4:
interface GigabitEthernet0/0/1
port link-type access
port default vlan 5
interface GigabitEthernet0/0/2

port link-type access
port default vlan 5

1.1.1.2 Link Aggregation


The E0/0/11 and E0/0/12 interfaces linking SW1 and SW2 should be combined to
form a single logical link, using a dynamic mode and implementing load balancing.
SW1:
interface Eth-Trunk12
mode lacp-static
interface Ethernet0/0/11
eth-trunk 12
interface Ethernet0/0/12
eth-trunk 12

SW2:
interface Eth-Trunk12
mode lacp-static
interface Ethernet0/0/11
eth-trunk 12
interface Ethernet0/0/12
eth-trunk 12

Set the interface rate on these links to 10 Mbit/s.


SW1:
interface Ethernet0/0/11
undo negotiation auto
speed 10
interface Ethernet0/0/12
undo negotiation auto
speed 10

SW2:
interface Ethernet0/0/11
undo negotiation auto
speed 10
interface Ethernet0/0/12
undo negotiation auto
speed 10

Ensure the maximum bandwidth on the link between SW1 and SW2 is 20Mbps.
SW1:

interface Eth-Trunk12
max active-linknumber 2

SW2:
interface Eth-Trunk12
max active-linknumber 2

1.1.1.3 Mirroring
Incoming and outgoing traffic on G0/0/2 of SW4 should be copied to G0/0/1 for
analysis.
SW4:
observe-port 1 interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
port-mirroring to observe-port 1 both

1.1.1.4 Layer 2 Traffic Filtering


Configure G0/0/1 on SW3 to allow only packets with the SOURCE-MAC address
of 54-89-98-CF-2B-0B.
SW3:
acl number 4000
rule 5 permit source-mac 5489-98cf-2b0b
rule 10 deny
traffic classifier DENYMAC operator and
if-match acl 4000
traffic behavior DENYMAC
permit
traffic policy DENYMAC
classifier DENYMAC behavior DENYMAC
interface GigabitEthernet0/0/1
traffic-policy DENYMAC inbound
traffic-policy DENYMAC outbound

1.1.1.5 Trunk
All links between switches SW1, SW2, SW3 and SW4 should be configured as
trunk interfaces. Only VLANs 2 to 4094 should be allowed to pass across these
links.
SW1:
interface Eth-Trunk12
port link-type trunk

undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/13
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094

SW2:
interface Eth-Trunk12
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/13
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094

SW3:
interface Ethernet0/0/11
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/13
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094

SW4:
interface Ethernet0/0/11
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/13
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094

1.1.1.6 MSTP
Switches SW1, SW2, SW3 and SW4 run MSTP as follows.
VLANs 4, 5 and 27 are in instance 10, VLANs 42, 58 and 255 are in instance 20.
Set the MST region name to huawei and revision-level to 10.

SW1-SW4:
stp mode mstp
stp region-configuration
region-name huawei
revision-level 10
instance 10 vlan 4 5 27
instance 20 vlan 42 58 255
active region-configuration

Spanning tree path cost calculations should use Huawei proprietary values.

SW1-SW4:
stp pathcost-standard legacy

Configure SW1 to be root for instance 10 and SW2 to be root for instance 20.

SW1:
stp instance 10 priority 0

SW2:
stp instance 20 priority 0

Unauthorized switches that connect to G0/0/1 of SW3 must be prevented from
taking over as root bridges.
SW3:
interface GigabitEthernet0/0/1
stp root-protection

1.1.1.7 Hub-and-Spoke
R1, R5 and R3 use Frame Relay (FR) encapsulation and are connected in hub-and-spoke
mode with R3 as the hub. Connect R3 to R1 and R5 using P2P sub-interfaces.
Traffic between R1 and R5 must pass through R3.
Only the DLCIs and IP addresses shown in the topology may be used. Your
configuration should take into account that IS-IS will need to run over these links.
Automatic FR mapping between layer 2 and layer 3 must be disabled.
Spoke devices may not send any multicast traffic to the hub.

R1:
interface Serial1/0/1
link-protocol fr
undo fr inarp

interface Serial1/0/1.1 P2P
ip address 10.1.113.1 255.255.255.0
fr dlci 103

R3:
interface Serial1/0/1
link-protocol fr
undo fr inarp

interface Serial1/0/1.1 P2P
ip address 10.1.113.3 255.255.255.0
fr dlci 301
interface Serial1/0/1.5 P2P
ip address 10.1.135.3 255.255.255.0
fr dlci 305

R5:
interface Serial1/0/1
link-protocol fr
undo fr inarp
interface Serial1/0/1.1 P2P
ip address 10.1.135.5 255.255.255.0
fr dlci 503

1.1.1.8 Point-to-Point
The link between R3 and R4 should be configured as FR point to point.
Static layer 3 to layer 2 mapping may not be used on R3 or R4.
Automatic FR mapping between layer 2 and layer 3 must be disabled on R3 and
R4.
Only the interfaces, DLCIs and IP addresses shown in the topology can be used.

R3:
interface Serial1/0/0
link-protocol fr
undo fr inarp
interface Serial1/0/0.1 p2p
fr dlci 304
ip address 10.1.34.3 255.255.255.0

R4:

interface Serial1/0/0
link-protocol fr
undo fr inarp
interface Serial1/0/0.1 p2p
fr dlci 403
ip address 10.1.34.4 255.255.255.0

1.1.1.9 FR
Perform the necessary configuration on R6 to ensure the following output can be
displayed:
[R6]display fr map-info
Map Statistics for interface Serial1/0/1 (DTE)
DLCI = 116, IP 157.68.1.254, Serial1/0/1
create time = 2013/09/03 16:54:33, status = ACTIVE
encapsulation = ietf, vlink = 1, broadcast

R6:
interface Serial1/0/1
link-protocol fr
undo fr inarp
fr map ip 157.68.1.254 116 broadcast
ip address 157.68.1.6 255.255.255.0

1.1.1.10 PPP
R4 and R5 are connected through a pair of serial links, which should be combined
using a suitable mechanism to make best use of the bandwidth.
Only the specified IP network may be used for this link.

R4:
interface Mp-group0/0/0
ip address 10.1.45.4 255.255.255.0
interface Serial2/0/0
link-protocol ppp
ppp mp Mp-group 0/0/0
interface Serial2/0/1
link-protocol ppp
ppp mp Mp-group 0/0/0

R5:
interface Mp-group0/0/0
ip address 10.1.45.5 255.255.255.0
interface Serial2/0/0

link-protocol ppp
ppp mp Mp-group 0/0/0
interface Serial2/0/1
link-protocol ppp
ppp mp Mp-group 0/0/0

ii. Section 2: IGP

2.1.1.1 Basic Configurations


When implementing IP addressing, replace Y with your rack number and replace X
with the device number. For example the device numbers of R1, R2, SW1 and
SW2 are 1, 2, 11 and 22. The IP addresses on all physical interfaces use 24-bit
masks. All routers have Loopback0 interfaces with an IP address of 10.Y.X.X and a
32-bit mask.
Configure IP addresses on device interfaces as per the information in the IPv4
logical topology diagram.
SW1 VLAN interfaces 27 and 5 should be assigned IP addresses 10.1.22.11/24 and
10.1.21.11/24 respectively. SW2 VLAN interfaces 5, 58 and 255 should be
assigned IP addresses 10.1.21.22/24, 10.1.52.22/24 and 157.68.3.22/24
respectively. SW4 VLAN interface 4 should be assigned IP address 10.1.44.44/24.
The router ID of all routers should be set to the IP address of Loopback0.
R1:
router id 10.1.1.1
interface Serial2/0/0
ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/0
ip address 157.68.3.1 255.255.255.0
interface LoopBack0
ip address 10.1.1.1 255.255.255.255

R2:
router id 10.1.2.2
interface GigabitEthernet0/0/0
ip address 10.1.22.2 255.255.255.0
interface LoopBack0
ip address 10.1.2.2 255.255.255.255

R3:
router id 10.1.3.3
interface Serial2/0/0
ip address 10.1.13.3 255.255.255.0

interface GigabitEthernet0/0/0
ip address 157.68.3.3 255.255.255.0
interface LoopBack0
ip address 10.1.3.3 255.255.255.255

R4:
router id 10.1.4.4
interface GigabitEthernet0/0/0
ip address 157.68.2.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.44.4 255.255.255.0
interface LoopBack0
ip address 10.1.4.4 255.255.255.255

R5:
router id 10.1.5.5
interface GigabitEthernet0/0/0
ip address 10.1.50.5 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.52.5 255.255.255.0
interface LoopBack0
ip address 10.1.5.5 255.255.255.255

R6:
router id 10.1.6.6
interface GigabitEthernet0/0/0
ip address 157.68.3.6 255.255.255.0
interface LoopBack0
ip address 10.1.6.6 255.255.255.255

SW1:
interface Vlanif5
ip address 10.1.21.11 255.255.255.0
interface Vlanif27
ip address 10.1.22.11 255.255.255.0

SW2:
interface Vlanif5
ip address 10.1.21.22 255.255.255.0
interface Vlanif58
ip address 10.1.52.22 255.255.255.0
interface Vlanif255
ip address 157.68.3.22 255.255.255.0

SW4:
interface Vlanif4
ip address 10.1.44.44 255.255.255.0

2.1.1.2 RIP
R4 should run RIPv2 on G0/0/0; summarization should be disabled.
Enable MD5 authentication for RIP update packets and use a password of HW. The
IETF-defined format for authentication packets should be used.
R4:
rip 1
undo summary
version 2
network 157.68.0.0
interface GigabitEthernet0/0/0
rip authentication-mode md5 nonstandard plain HW 1

2.1.1.3 OSPF Basic Configurations


R5 G0/0/1, R2 G0/0/0, SW1 VLAN interfaces 5 and 27 and SW2 VLAN interfaces
5 and 58 are in OSPF area 1. Set the OSPF process ID to Y.
Loopback0 interfaces of R2 and R5 are in OSPF area 1. Ensure they are advertised
with the full 24-bit mask.
R2:
interface LoopBack0
ip address 10.1.2.2 255.255.255.255
ospf network-type broadcast
ospf 1
area 0.0.0.1
network 10.1.2.0 0.0.0.255
network 10.1.22.0 0.0.0.255

R5:
interface LoopBack0
ip address 10.1.5.5 255.255.255.255
ospf network-type broadcast
ospf 1
area 0.0.0.1
network 10.1.52.0 0.0.0.255
network 10.1.5.5 0.0.0.0

SW1:
ospf 1
area 0.0.0.1
network 10.1.21.0 0.0.0.255
network 10.1.22.0 0.0.0.255

SW2:
ospf 1
area 0.0.0.1
network 10.1.21.0 0.0.0.255
network 10.1.52.0 0.0.0.255

2.1.1.4 OSPF Optimization


Set the cost of all OSPF interfaces to 10.
Configure MD5 authentication in OSPF area 1, use a password of HW, and do not
use the ospf authentication-mode command.
R2:
interface GigabitEthernet0/0/0
ospf cost 10
ospf 1
area 0.0.0.1
authentication-mode md5 1 plain HW

R5:
interface GigabitEthernet0/0/1
ospf cost 10
ospf 1
area 0.0.0.1
authentication-mode md5 1 plain HW

SW1:
interface Vlanif5
ospf cost 10
interface Vlanif27
ospf cost 10
ospf 1
area 0.0.0.1
authentication-mode md5 1 plain HW

SW2:
interface Vlanif5

ospf cost 10
interface Vlanif58
ospf cost 10
ospf 1
area 0.0.0.1
authentication-mode md5 1 plain HW

2.1.1.5 OSPF BFD


Implement BFD in OSPF to detect peer failures in less than 1 second. You may not
use the ospf bfd enable command.
R2, R5, SW1, and SW2:
bfd
ospf 1
bfd all-interfaces enable
bfd all-interfaces min-tx-interval 300 min-rx-interval 300

2.1.1.6 IS-IS Basic Configurations


Configure IS-IS with a process ID of Y on routers R1, R3, R4, R5 and R6. All
devices belong to area 49.0001 and have a system ID of 0000.0000.000X.
IS-IS should be enabled on the FR link between R3 and R4.
IS-IS should be enabled on the FR links from R3 to R1 and R5.
IS-IS should be enabled on G0/0/0 of R1, R3 and R6.
IS-IS should be enabled on the PPP links from R1 to R3 and R4 to R5.
The Loopback0 networks of R1, R3, R4 and R6 should also be added to IS-IS.

R1:
isis 1
is-level level-2
cost-style wide
network-entity 49.0001.0000.0000.0001.00
interface Serial2/0/0
isis enable 1
interface Serial1/0/1
isis enable 1
interface LoopBack0
isis enable 1
interface GigabitEthernet0/0/0
isis enable 1

R3:

isis 1
is-level level-2
cost-style wide
network-entity 49.0001.0000.0000.0003.00
interface Serial2/0/0
isis enable 1
interface Serial1/0/1.1
isis enable 1
interface Serial1/0/1.5
isis enable 1
interface LoopBack0
isis enable 1
interface GigabitEthernet0/0/0
isis enable 1

R4:
isis 1
is-level level-2
cost-style wide
network-entity 49.0001.0000.0000.0004.00
interface Mp-group0/0/0
isis enable 1
interface Serial1/0/0.1 p2p
isis enable 1
interface LoopBack0
isis enable 1

R5:
isis 1
is-level level-2
cost-style wide
network-entity 49.0001.0000.0000.0005.00
interface Mp-group0/0/0
isis enable 1
interface Serial1/0/1
isis enable 1

R6:
isis 1
is-level level-2
cost-style wide
network-entity 49.0001.0000.0000.0006.00
interface GigabitEthernet0/0/0

isis enable 1
interface LoopBack0
isis enable 1

2.1.1.7 IS-IS Optimization


The FR link between R1 and R3 should be used as the primary path. Configure R1
to switch to the PPP link 3s after it detects that the FR link is down.
R1:
interface Serial1/0/1
standby interface Serial2/0/0
standby timer delay 3 3

2.1.1.8 IS-IS Authentication


Configure MD5 authentication for SNPs and LSPs in the IS-IS area and set the
password to HW.
R1, R3, R4, R5, and R6:
isis 1
domain-authentication-mode md5 plain HW

2.1.1.9 IGP Import


Configure full mutual route import between RIP and IS-IS. R4 should summarize
the 10.1.X.X addresses and set the tag to 100. The tag of RIP routes imported into
the IS-IS area should be set to 200.
R4:
rip 1
import-route isis 1 route-policy ISIStoRIP

route-policy ISIStoRIP permit node 10
apply tag 100

interface GigabitEthernet0/0/0
rip summary-address 10.1.0.0 255.255.0.0 avoid-feedback

isis 1
import-route rip 1 tag 200

R5 should generate default routes in both OSPF and IS-IS.

R5:
isis 1

default-route-advertise always
ospf 1
default-route-advertise always

To ensure that the entire network interworking

R4:
rip 1
default-route originate

iii. Section 3: EGP

3.1.1.1 BGP Neighbor


BGP AS numbers are shown in the IPv4 BGP topology diagram. Use physical
interface addresses to establish BGP peer relationships between SW1 and SW2,
between SW2 and R5, between R6 and BB1 (157.68.1.254), between R6 and BB3
(157.68.3.254), between R1 and BB3 (157.68.3.254) and between R3 and BB3
(157.68.3.254).
SW1:
bgp 65530
peer 10.1.21.22 as-number 65530
ipv4-family unicast
peer 10.1.21.22 enable

SW2:
bgp 65530
peer 10.1.21.11 as-number 65530
peer 10.1.52.5 as-number 100
ipv4-family unicast
peer 10.1.21.11 enable
peer 10.1.52.5 enable

R1:
bgp 100
peer 157.68.3.254 as-number 11
ipv4-family unicast
peer 157.68.3.254 enable

R3:
bgp 100
peer 157.68.3.254 as-number 11
ipv4-family unicast

peer 157.68.3.254 enable

R5:
bgp 100
peer 10.1.52.22 as-number 65530
ipv4-family unicast
peer 10.1.52.22 enable

R6:
bgp 100
peer 157.68.1.254 as-number 11
peer 157.68.3.254 as-number 11
ipv4-family unicast
peer 157.68.1.254 enable
peer 157.68.3.254 enable

3.1.1.2 BGP Peer Relationship Optimization


Establish an IBGP peer relationship, using the IP addresses of the directly
connected interfaces between R3 and R5.
R3 acts as an RR for the remaining routers in AS 100. To reduce resource usage,
R3 uses a peer group. The community attribute should be propagated between
group members.
The peer group configuration should include two new routers, which will be added,
with router IDs of 10.1.9.9 and 10.1.10.10. Your configuration should take into
account that these routers have not been deployed yet.
R6 should set the next hop address of learned routes to its own IP address.

R1:
bgp 100
peer 10.1.3.3 as-number 100
peer 10.1.3.3 connect-interface LoopBack0

R3:
bgp 100
peer 10.1.135.5 as-number 100
group AS100 internal
peer AS100 connect-interface LoopBack0
peer 10.1.1.1 as-number 100
peer 10.1.1.1 group AS100
peer 10.1.4.4 as-number 100
peer 10.1.4.4 group AS100
peer 10.1.6.6 as-number 100

peer 10.1.6.6 group AS100
peer 10.1.9.9 as-number 100
peer 10.1.9.9 group AS100
peer 10.1.9.9 ignore
peer 10.1.10.10 as-number 100
peer 10.1.10.10 group AS100
peer 10.1.10.10 ignore
ipv4-family unicast
peer 10.1.135.5 enable
peer 10.1.135.5 reflect-client
peer AS100 enable
peer AS100 reflect-client
peer AS100 advertise-community
peer 10.1.1.1 enable
peer 10.1.1.1 group AS100
peer 10.1.4.4 enable
peer 10.1.4.4 group AS100
peer 10.1.6.6 enable
peer 10.1.6.6 group AS100
peer 10.1.9.9 enable
peer 10.1.9.9 group AS100
peer 10.1.10.10 enable
peer 10.1.10.10 group AS100

R4:
bgp 100
peer 10.1.3.3 as-number 100
peer 10.1.3.3 connect-interface LoopBack0

R5:
bgp 100
peer 10.1.135.3 as-number 100
ipv4-family unicast
peer 10.1.135.3 enable

R6:
bgp 100
peer 10.1.3.3 as-number 100
peer 10.1.3.3 connect-interface LoopBack0
ipv4-family unicast
peer 10.1.3.3 next-hop-local

3.1.1.3 BGP Security


Establish an EBGP peer relationship between R4 and BB2 (157.68.2.254). BB2
must think that R4 is in AS number 200. Configure authentication and set the
password to HUAWEI.
R4:
bgp 100
peer 157.68.2.254 as-number 22
peer 157.68.2.254 fake-as 200
peer 157.68.2.254 password simple HUAWEI
ipv4-family unicast
peer 157.68.2.254 enable
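
The RIP, OSPF, IS-IS and BGP answers on this page all enter their key with the plain or simple keyword, which leaves the key readable in the configuration; VRP's cipher keyword stores it encrypted instead. The following added example (not part of the original answers) audits a configuration for cleartext key storage. The sample text is constructed from the page's commands, and the cipher line in it is hypothetical.

```python
import re

# Constructed sample: the authentication lines from the answers on this page,
# indented as they would sit under their views, plus one hypothetical
# `cipher` line to show a command that is not reported.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 rip authentication-mode md5 nonstandard plain HW 1
ospf 1
 area 0.0.0.1
  authentication-mode md5 1 plain HW
isis 1
 domain-authentication-mode md5 plain HW
bgp 100
 peer 157.68.2.254 password simple HUAWEI
 peer 10.1.3.3 password cipher EXAMPLE-CIPHERTEXT
"""

# An authentication or password command, the storage keyword, then the secret.
SECRET_RE = re.compile(
    r"\b(?:authentication-mode|password)\b.*?\b(plain|simple|cipher)\s+(\S+)"
)
CLEARTEXT_KEYWORDS = {"plain", "simple"}


def audit_secret_storage(config_text):
    """Return one finding per command that stores its key in cleartext.

    The secret itself is replaced with <redacted> so the report can be shared.
    """
    findings = []
    view = None  # most recent top-level command, e.g. "bgp 100"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if not raw.strip():
            continue
        if not raw[0].isspace():
            view = raw.strip()
        match = SECRET_RE.search(raw)
        if not match or match.group(1) not in CLEARTEXT_KEYWORDS:
            continue
        redacted = raw[:match.start(2)] + "<redacted>" + raw[match.end(2):]
        findings.append({
            "line_no": line_no,
            "view": view,
            "storage": match.group(1),
            "command": redacted.strip(),
        })
    return findings


if __name__ == "__main__":
    for f in audit_secret_storage(SAMPLE_CONFIG):
        print(f"line {f['line_no']:>2} [{f['view']}] {f['storage']}: {f['command']}")
```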

3.1.1.4 BGP Filtering


Assume BB2 is configured to deny prefixes from ASs except AS 200 and AS 100.
To ensure connectivity from BB2 to other ASs, change the AS Path in R4.
R4:
bgp 100
ipv4-family unicast
peer 157.68.2.254 route-policy FILTEROTHERAS export
route-policy FILTEROTHERAS permit node 10
apply as-path 100 overwrite

Note:
Apply a route-policy to R4 routes to be advertised to BB2 and change the AS-Path to 100.

3.1.1.5 BGP Optimization


R5 G0/0/0 and R4 G0/0/1 should be advertised by BGP.
Traffic towards R5 G0/0/0 and R4 G0/0/1 from AS 11 should be forwarded through
BB1 and R6 as the primary path. The MED attribute may not be used to achieve
this.
R1:
bgp 100
peer 157.68.3.254 route-policy ADDAS export
route-policy ADDAS permit node 10
if-match ip-prefix ADDAS
apply as-path 100 additive
route-policy ADDAS permit node 20
ip ip-prefix ADDAS index 10 permit 10.1.44.0 24
ip ip-prefix ADDAS index 20 permit 10.1.50.0 24

R3:
bgp 100
peer 157.68.3.254 route-policy ADDAS export
route-policy ADDAS permit node 10
if-match ip-prefix ADDAS
apply as-path 100 additive
route-policy ADDAS permit node 20
ip ip-prefix ADDAS index 10 permit 10.1.44.0 24
ip ip-prefix ADDAS index 20 permit 10.1.50.0 24

R4:
bgp 100
ipv4-family unicast
network 10.1.44.0 255.255.255.0

R5:
bgp 100
ipv4-family unicast
network 10.1.50.0 255.255.255.0

R6:
bgp 100
peer 157.68.3.254 route-policy ADDAS export
route-policy ADDAS permit node 10
if-match ip-prefix ADDAS
apply as-path 100 additive
route-policy ADDAS permit node 20
ip ip-prefix ADDAS index 10 permit 10.1.44.0 24
ip ip-prefix ADDAS index 20 permit 10.1.50.0 24

Note:
R1, R3, and R6 each advertise two prefixes to AS 11. To ensure that traffic is received
through BB1 and R6, increase the AS-Path length of the two prefixes. In this situation, the
AS-Path advertised by R6 to BB1 is the shortest. You should only ever add your own AS
number to the AS path.

3.1.1.6 BGP AS Control


AS 65530 managed by AS 100 is a private AS number. When BGP updates are sent
from AS 100, the AS Path cannot carry the private AS number. AS path filtering
may not be used to achieve this.

R1:
bgp 100
ipv4-family unicast
peer 157.68.3.254 public-as-only

R3:
bgp 100
ipv4-family unicast
peer 157.68.3.254 public-as-only

R4:
bgp 100
ipv4-family unicast
peer 157.68.2.254 public-as-only

R6:
bgp 100
ipv4-family unicast
peer 157.68.1.254 public-as-only
peer 157.68.3.254 public-as-only

3.1.1.7 BGP Aggregation


On R4, aggregate 24 bit prefixes starting with 222.22 and having a community of
22:22 to 222.22.0.0/16.
The aggregated route may only appear in AS 100 and the original community value
must be retained.
R4:
bgp 100
ipv4-family unicast
aggregate 222.22.0.0 255.255.0.0 origin-policy MATCHCOMM attribute-policy SETCOMM
peer 10.1.3.3 advertise-community
route-policy MATCHCOMM permit node 10
if-match community-filter 1
route-policy SETCOMM permit node 10
apply community no-export additive
ip community-filter 1 permit 22:22

R3:
bgp 100
peer 10.1.135.5 advertise-community

iv. Section 4: IP Multicast

4.1.1.1 PIM
Enable multicast routing on R1, R3, R4, and R5.
Enable PIM-SM on the Ethernet link between R1 and R3, the Frame Relay network
between R3 and R4, and interconnected interfaces between R4 and R5.
Enable PIM-SM on the loopback interfaces of R1, R3, R4, and R5.

R1:
multicast routing-enable
interface GigabitEthernet0/0/0
pim sm
interface LoopBack0
pim sm

R3:
multicast routing-enable
interface Serial1/0/0.1 p2p
pim sm
interface GigabitEthernet0/0/0
pim sm
interface LoopBack0
pim sm

R4:
multicast routing-enable
interface Serial1/0/0.1 p2p
pim sm
interface Mp-group0/0/0
pim sm
interface LoopBack0
pim sm

R5:
multicast routing-enable
interface Mp-group0/0/0
pim sm
interface LoopBack0
pim sm

4.1.1.2 RP Redundancy
Use the IP address of loopback 0 on R1 as a C-RP address to serve group addresses
232.0.0.0-235.255.255.255.
Use the IP address of loopback 0 on R3 as a C-BSR address.
Ensure that R5 can learn the RP address.

R1:
acl number 2100
rule 5 permit source 232.0.0.0 3.255.255.255
pim
c-rp LoopBack0 group-policy 2100

R3:
pim
c-bsr LoopBack0

R5:
ip rpf-route-static 10.1.3.3 255.255.255.255 10.1.45.4

Note:
Use an ACL to specify the range of group addresses that the C-RP serves.
Multicast routers learn RP addresses from BSR messages they receive. BSR messages are
transmitted hop-by-hop among routers in multicast mode. Each router performs an RPF
check on received BSR messages and accepts only those passing the check. BSR messages
that fail RPF checks are dropped. R5 can only receive BSR messages from R4 because PIM
is not enabled on the Frame Relay network between R5 and R3. As a result, the BSR
messages fail RPF checks on R5. To enable R5 to accept BSR messages sent from R4, modify
the RPF check setting on R5.
When performing an RPF check on a BSR message, a router obtains the C-BSR address from
the message and searches its routing table for the next-hop address based on the C-BSR
address. The router then compares the next-hop address with the source IP address in the IP
header of the BSR message. If the two addresses are the same, the BSR message passes the
RPF check. If not, the router drops the BSR message. Here, the C-BSR address is the IP
address of loopback 0 on R3, and the next-hop address in the matching route entry is the IP
address of S1/0/1 on R3. However, the source IP address of the BSR message received by R5
is the MP-group interface address on R4. Therefore, the RPF check fails under the default
RPF check configuration.
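
The RPF check described in this note can be traced with the lab's own addresses. The following is an added example, not part of the original answers: it models R5's decision on a BSR message before and after the static RPF route. The route table is constructed from the page's addressing (the entry for 10.1.1.1 is an assumption), and the code assumes that a matching static RPF route is preferred over the unicast route.

```python
import ipaddress

# Constructed from the addressing on this page. The entry for 10.1.3.3 follows
# the note above; the entry for 10.1.1.1 is an assumption.
R5_UNICAST_ROUTES = [
    ("10.1.3.3/32", "10.1.135.3"),   # C-BSR (R3 Loopback0) via R3 S1/0/1.5
    ("10.1.1.1/32", "10.1.135.3"),   # C-RP (R1 Loopback0) via R3 (assumed)
    ("10.1.4.4/32", "10.1.45.4"),    # R4 Loopback0 via the Mp-group link
]
# ip rpf-route-static 10.1.3.3 255.255.255.255 10.1.45.4
R5_STATIC_RPF_ROUTES = [("10.1.3.3/32", "10.1.45.4")]


def longest_match(table, dest):
    """Return the next hop of the most specific route covering dest, or None."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def rpf_neighbor(dest, unicast_routes, static_rpf_routes=()):
    """Pick the RPF neighbor towards dest.

    Assumption: a matching static RPF route wins over the unicast route,
    which is the effect the page's solution relies on.
    """
    static_hop = longest_match(static_rpf_routes, dest)
    if static_hop is not None:
        return static_hop, "static RPF route"
    unicast_hop = longest_match(unicast_routes, dest)
    return unicast_hop, ("unicast route" if unicast_hop else "no route")


def bsr_rpf_check(c_bsr, packet_source, unicast_routes, static_rpf_routes=()):
    """Accept a BSR message only if it came from the RPF neighbor of the C-BSR."""
    neighbor, origin = rpf_neighbor(c_bsr, unicast_routes, static_rpf_routes)
    accepted = (
        neighbor is not None
        and ipaddress.ip_address(neighbor) == ipaddress.ip_address(packet_source)
    )
    return {
        "accepted": accepted,
        "expected_neighbor": neighbor,
        "packet_source": packet_source,
        "route_used": origin,
    }


if __name__ == "__main__":
    cases = [
        ("default, BSR from R4", "10.1.45.4", ()),
        ("static RPF route, BSR from R4", "10.1.45.4", R5_STATIC_RPF_ROUTES),
        ("static RPF route, BSR from R3", "10.1.135.3", R5_STATIC_RPF_ROUTES),
    ]
    for label, source, static in cases:
        result = bsr_rpf_check("10.1.3.3", source, R5_UNICAST_ROUTES, static)
        verdict = "accepted" if result["accepted"] else "dropped"
        print(f"{label}: {verdict} "
              f"(RPF neighbor {result['expected_neighbor']}, {result['route_used']})")
```

With the static RPF route in place, a BSR message arriving from 10.1.135.3 is the one that gets dropped, so the override moves the trusted neighbor to R4 rather than adding a second one.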

4.1.1.3 IGMP
Enable IGMP on G0/0/0 of R5 and statically bind the interface to group
235.10.10.10.
Change the RPT-to-SPT switchover threshold to ensure that an RPT-to-SPT
switchover will occur when the traffic rate exceeds 64 kbps.
Ensure that R5 can receive multicast traffic from the RP.
Ensure that R1 will be elected as the PIM DR in VLAN 255.

R5:
interface GigabitEthernet0/0/0
igmp enable
igmp static-group 235.10.10.10
pim
spt-switch-threshold 64
ip rpf-route-static 10.1.1.1 32 10.1.45.4

R1:
interface GigabitEthernet0/0/0
pim hello-option dr-priority 3

Note:
An interface can be statically bound to a multicast group using the igmp static-group
command.
The source DR encapsulates multicast data packets in Register messages and sends unicast
Register messages to the RP, which then forwards the multicast data packets to receivers
along the RPT. By default, when the RP or receiver DR receives the first multicast data
packet, it initiates an SPT switchover to the multicast source. After the spt-switch-threshold
command is configured on the receiver DR, the receiver DR periodically checks the rate of
multicast data packets. When this rate exceeds the threshold, the receiver DR sends a Join
message to the source to trigger an SPT switchover.
A DR needs to be elected on a shared network segment of a PIM-SM network to manage
multicast source registration and receiver joining. DR election depends on the priorities and
IP addresses of multicast routers. Routers on a shared network segment exchange Hello
messages carrying their DR priorities, and the one with the highest priority becomes the DR.
If two or more routers share the highest priority, the one with the largest IP address becomes
the DR. Change the DR priority of an interface using the pim hello-option dr-priority
command.

v. Section 5: MPLS VPN


5.1.1.1 MPLS
Enable MPLS on R1, R3, and R4, and use the IP address of Loopback0 as the LSR
ID.
Enable label switching on the links between R1 and R3 and between R3 and R4.
Disable label switching on all other links.

R1:
mpls lsr-id 10.1.1.1
mpls
interface GigabitEthernet0/0/0
mpls
interface Serial1/0/1.1
mpls
interface Serial2/0/0
mpls

R3:
mpls lsr-id 10.1.3.3
mpls
interface GigabitEthernet0/0/0
mpls
interface Serial1/0/0.1
mpls
interface Serial1/0/1.1
mpls
interface Serial2/0/0
mpls

R4:
mpls lsr-id 10.1.4.4
mpls
interface Serial1/0/0.1
mpls

5.1.1.2 VPN-Instance
On R1: create a VPN instance TEST_R1, and set both RD and RT to 100:11.
Create Loopback1 and set its address to 192.168.100.11/32. Loopback1 belongs to
TEST_R1.
On R3: create a VPN instance TEST_HUB, and set both RD and export RT to
100:33. Create Loopback1 and set its address to 192.168.100.33/32. Loopback1
belongs to TEST_HUB.

On R4: create a VPN instance TEST_R4, and set both RD and export RT to
100:44. Create Loopback1 and set its address to 192.168.100.44/32. Loopback1
belongs to TEST_R4.

R1:
interface LoopBack1
ip binding vpn-instance TEST_R1
ip address 192.168.100.11 255.255.255.255
ip vpn-instance TEST_R1
ipv4-family
route-distinguisher 100:11
vpn-target 100:11 export-extcommunity

R3:
interface LoopBack1
ip binding vpn-instance TEST_HUB
ip address 192.168.100.33 255.255.255.255
ip vpn-instance TEST_HUB
ipv4-family
route-distinguisher 100:33
vpn-target 100:33 export-extcommunity

R4:
interface LoopBack1
ip binding vpn-instance TEST_R4
ip address 192.168.100.44 255.255.255.255
ip vpn-instance TEST_R4
ipv4-family
route-distinguisher 100:44
vpn-target 100:44 export-extcommunity

5.1.1.3 MP-BGP
Use the VPNv4 address family for BGP connections among R1, R3, and
R4.
Set the import RT for each VPN instance on R1, R3, and R4 to ensure that
TEST_HUB on R3 can communicate with TEST_R1 on R1 and TEST_R4
on R4 while TEST_R1 on R1 and TEST_R4 on R4 remain isolated from
each other.
The VPN connection between R1 and R3 is not interrupted so long as there
is a reachable route between them.

R1:
ip vpn-instance TEST_R1
ipv4-family
vpn-target 100:33 import-extcommunity
bgp 100
ipv4-family vpnv4
policy vpn-target
peer 10.1.3.3 enable
ipv4-family vpn-instance TEST_R1
network 192.168.100.11 255.255.255.255
static-lsp ingress 103 destination 10.1.3.3 32 nexthop 10.1.113.3 out-label 103
static-lsp egress 301 incoming-interface Serial1/0/1.1 in-label 301
static-lsp ingress 113 destination 10.1.3.3 32 nexthop 157.68.3.3 out-label 113
static-lsp egress 311 incoming-interface GigabitEthernet0/0/0 in-label 311
static-lsp ingress 123 destination 10.1.3.3 32 nexthop 10.1.13.3 out-label 123
static-lsp egress 321 incoming-interface Serial2/0/0 in-label 321

R3:
ip vpn-instance TEST_HUB
ipv4-family
vpn-target 100:11 100:44 import-extcommunity
bgp 100
ipv4-family vpnv4
policy vpn-target
peer 10.1.1.1 enable
peer 10.1.4.4 enable
ipv4-family vpn-instance TEST_HUB
network 192.168.100.33 255.255.255.255
static-lsp ingress 304 destination 10.1.4.4 32 nexthop 10.1.34.4 out-label 304
static-lsp egress 403 incoming-interface Serial1/0/0.1 in-label 403
static-lsp ingress 301 destination 10.1.1.1 32 nexthop 10.1.113.1 out-label 301
static-lsp egress 103 incoming-interface Serial1/0/1.1 in-label 103
static-lsp ingress 311 destination 10.1.1.1 32 nexthop 157.68.3.1 out-label 311
static-lsp egress 113 incoming-interface GigabitEthernet0/0/0 in-label 113
static-lsp ingress 321 destination 10.1.1.1 32 nexthop 10.1.13.1 out-label 321
static-lsp egress 123 incoming-interface Serial2/0/0 in-label 123

R4:
ip vpn-instance TEST_R4
ipv4-family
vpn-target 100:33 import-extcommunity
bgp 100
ipv4-family vpnv4
policy vpn-target
peer 10.1.3.3 enable
ipv4-family vpn-instance TEST_R4
network 192.168.100.44 255.255.255.255
static-lsp ingress 403 destination 10.1.3.3 32 nexthop Serial1/0/0.1 out-label 403
static-lsp egress 304 incoming-interface Serial1/0/0.1 in-label 304

Note:
Establish an LSP between BGP peers to ensure proper MPLS VPN function.
If LDP is used, LSPs are automatically established based on the unicast routing table. In this
exam, however, LDP cannot be enabled. Instead, manually configure static LSPs.
Three paths that serve as each other's backups exist between R1 and R3. For this exam,
configure static LSPs for all three paths.
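
The import RT design above can be checked mechanically. The following is an added example, not part of the exam key: it models VPN-target matching for the three VPN instances and reports anything that breaks the hub-and-spoke intent. The export RTs of TEST_R1 (100:11) and TEST_HUB (100:33) are assumptions inferred from the import statements, and the function names are hypothetical.

```python
# Added example, not from the exam key: models VPN-target matching for the
# three VPN instances configured above.
from itertools import permutations

# Import RTs are the ones configured on R1, R3 and R4. The export RTs of
# TEST_R1 (100:11) and TEST_HUB (100:33) are assumptions inferred from them.
VPN_INSTANCES = {
    "TEST_R1":  {"export": {"100:11"}, "import": {"100:33"}},
    "TEST_HUB": {"export": {"100:33"}, "import": {"100:11", "100:44"}},
    "TEST_R4":  {"export": {"100:44"}, "import": {"100:33"}},
}

def imports_from(instances, receiver, sender):
    """True when a route exported by `sender` carries at least one RT that
    `receiver` lists as an import RT, so the route enters receiver's VRF."""
    return bool(instances[sender]["export"] & instances[receiver]["import"])

def audit(instances, hub, spokes):
    """Return a list of findings that violate the hub-and-spoke intent:
    each spoke must exchange routes with the hub in both directions, and
    no spoke may import another spoke's routes."""
    findings = []
    for spoke in spokes:
        if not imports_from(instances, hub, spoke):
            findings.append(f"{hub} does not import routes from {spoke}")
        if not imports_from(instances, spoke, hub):
            findings.append(f"{spoke} does not import routes from {hub}")
    for receiver, sender in permutations(spokes, 2):
        if imports_from(instances, receiver, sender):
            findings.append(f"{receiver} imports routes from {sender}")
    return findings

def with_extra_import(instances, name, rt):
    """Copy of the design with one more import RT on `name` (what-if check)."""
    changed = {k: {d: set(v) for d, v in inst.items()} for k, inst in instances.items()}
    changed[name]["import"].add(rt)
    return changed

if __name__ == "__main__":
    spokes = ["TEST_R1", "TEST_R4"]
    print("as configured:", audit(VPN_INSTANCES, "TEST_HUB", spokes))
    leaky = with_extra_import(VPN_INSTANCES, "TEST_R4", "100:11")
    print("R4 also imports 100:11:", audit(leaky, "TEST_HUB", spokes))
```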

6. Section 6: QoS

6.1.1.1 Traffic Classification


Configure G0/0/0 of R4 to re-mark the priority values of 46 and above on received
data packets to 45. Other values must remain unchanged; a traffic policy may not
be used.
Configure SW3 E0/0/13 to mark received frames in VLAN 42 with an 802.1p
priority of 4.
Configure SW3 E0/0/11 to mark received frames in VLAN 58 with an 802.1p
priority of 2.
R4:
interface GigabitEthernet0/0/0
trust dscp override
qos map-table dscp-dscp
input 46 to 63 output 45

SW3:
traffic classifier c1 operator and
if-match vlan-id 42
traffic behavior b1
remark 8021p 4
traffic policy p1
classifier c1 behavior b1
interface Ethernet0/0/13
traffic-policy p1 inbound


traffic classifier c2 operator and
if-match vlan-id 58
traffic behavior b2
remark 8021p 2
traffic policy p2
classifier c2 behavior b2
interface Ethernet0/0/11
traffic-policy p2 inbound

6.1.1.2 Traffic Policing


Configure SW4 E0/0/11 to police inbound traffic in VLAN 255 to a rate of
200 kbps; packets exceeding this rate should be discarded. Forwarded packets
should be marked with an 802.1p priority of 3.
Enable traffic statistics collection.

SW4:
traffic classifier c1 operator and
if-match vlan-id 255
traffic behavior b1
car cir 2000 pir 2000 cbs 250000 pbs 250000 green pass yellow discard red discard
remark 8021p 3
statistic enable
traffic policy p1
classifier c1 behavior b1
interface Ethernet0/0/11
traffic-policy p1 inbound

6.1.1.3 Traffic Shaping


Three types of traffic are being received from R4: data traffic with an 802.1p value of
2, video traffic with an 802.1p value of 5, and voice traffic with an 802.1p value of 6.
The outbound link to R4 should be shaped to 8Mbps. Outbound traffic should be
placed in interface queues according to the 802.1p values received.
Set the scheduling mode for the link to R4 to WFQ for queues 0 to 5 and PQ for
queue 6 and queue 7. The queue serving data traffic should be shaped to 2Mbps,
the video queue shaped to 4Mbps and the voice queue shaped to 256 kbps.
R4:
qos queue-profile qp1
queue 2 gts cir 2000 cbs 50000
queue 5 gts cir 4000 cbs 100000
queue 6 gts cir 256 cbs 6400
schedule wfq 0 to 5 pq 6 to 7
interface Ethernet0/0/0
trust 8021p
interface GigabitEthernet0/0/1
qos queue-profile qp1
qos gts cir 8000 cbs 200000

7. Section 7: Security

7.1.1.1 Traffic Suppression


VLAN 255 on SW3 is receiving excessive broadcast traffic. Configure SW3 to
discard broadcast packets when their rate exceeds 500 kbit/s.
On SW4 E0/0/11, limit the rate of ICMP packets to 20 pps.

SW3:
vlan 255
broadcast-suppression 500

SW4:
icmp rate-limit interface Ethernet0/0/11 threshold 20

The network connected to E0/0/11 of SW4 is suffering serious transmission delays.
The administrator finds that E0/0/11 has received a large number of unknown
unicast and multicast packets. Take measures to reduce these delays. The interface
must be blocked when the packet rate exceeds 5000 pps and unblocked when the packet
rate is lower than 3000 pps. Enable the log function and set the detection interval to
90 seconds.

SW4
E0/0/11
storm-control multicast min-rate 1000 max-rate 2000
storm-control unicast min-rate 1000 max-rate 2000
storm-control action block
storm-control enable log
storm-control interval 90

Note:
1. Observe the differences between QoS lr, multicast suppression, and storm control.
2. Traffic shaping increases the delay because it uses the buffer mechanism. Multicast
suppression applies to only multicast packets and therefore is inapplicable to this section of
the exam.


7.1.1.2 DHCP
Configure SW1 to allocate IP addresses to clients connected to VLANIF 27. The
address of the network segment is 10.1.22.0/24; addresses 10.1.22.2 and 10.1.22.11
are reserved. The DNS server is 10.1.22.254 and the lease is 2 days.
The DHCP server should probe an IP address before allocating it to a client; the
maximum number of probe packets sent by the DHCP server should be 10 and the
waiting time 100 ms.
Enable DHCP snooping in VLAN 27 on SW3 to prevent unauthorized DHCP
servers from disrupting the network.
SW1:
dhcp enable
dhcp server ping packet 10
dhcp server ping timeout 100
interface vlanif27
dhcp select interface
dhcp server excluded-ip-address 10.1.22.2
dhcp server excluded-ip-address 10.1.22.254
dhcp server lease day 2 hour 0 minute 0
dhcp server dns-list 10.1.22.254

SW3:
dhcp enable
dhcp snooping enable
vlan 27
dhcp snooping enable
dhcp snooping trusted interface Ethernet0/0/13

7.1.1.3 ARP Security


Configure defense against man-in-the-middle attacks in VLAN 27 on SW3.

SW3:
vlan 27
arp anti-attack check user-bind enable

E0/0/0 of R6 has received a large number of IP packets with unresolvable
destination IP addresses. These packets are sent from 157.68.3.100. Each second,
R6 can only accept a maximum of 40 ARP Miss messages from this IP address and
20 ARP Miss messages from each of the other source IP addresses. In addition,
prevent fake ARP packets from incorrectly updating R6's ARP table.


R6:
arp-miss speed-limit source-ip maximum 20
arp-miss speed-limit source-ip 157.68.3.100 maximum 40
arp learning strict

Note:
Observe the difference between ARP rate limiting and ARP Miss rate limiting.

7.1.1.4 IPSG
Configure defense against source address spoofing attacks from VLAN 27 of SW3.
SW3 should discard IP packets with the same source and destination IP addresses.

SW3:
ip anti-attack source-ip equals destination-ip drop
vlan 27
ip source check user-bind enable
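
The DHCP snooping, ARP Security and IPSG answers above all depend on the same binding table. The following is an added example, not part of the exam key and not Huawei's implementation: a simplified model of how bindings learned from DHCP replies on the trusted port decide which ARP and IP packets from VLAN 27 are forwarded. The client MACs, client ports (Ethernet0/0/1, Ethernet0/0/2) and packets are constructed, and the class and method names are hypothetical.

```python
# Added example: a simplified model of DHCP snooping and the two user-bind
# checks. MAC addresses, client ports and packets are constructed samples.
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan interface")

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = set()

    def dhcp_ack(self, in_if, client_mac, client_ip, vlan, client_if):
        """Server replies are accepted only on trusted ports; an ACK adds a binding."""
        if in_if not in self.trusted:
            return "drop: DHCP reply on untrusted port"
        self.bindings.add(Binding(client_mac, client_ip, vlan, client_if))
        return "forward"

    def _bound(self, mac, ip, vlan, in_if):
        return Binding(mac, ip, vlan, in_if) in self.bindings

    def check_arp(self, in_if, vlan, sender_mac, sender_ip):
        """ARP check: the sender MAC/IP inside the packet must match a binding."""
        if self._bound(sender_mac, sender_ip, vlan, in_if):
            return "forward"
        return "drop: ARP sender not in binding table"

    def check_ip(self, in_if, vlan, src_mac, src_ip, dst_ip):
        """Source check against bindings, plus the source == destination drop."""
        if src_ip == dst_ip:
            return "drop: source IP equals destination IP"
        if self._bound(src_mac, src_ip, vlan, in_if):
            return "forward"
        return "drop: source not in binding table"

def demo():
    sw = SnoopingSwitch({"Ethernet0/0/13"})    # trusted port in the SW3 config
    a, b = "00e0-fc00-0001", "00e0-fc00-0002"  # constructed client MACs
    return [
        sw.dhcp_ack("Ethernet0/0/2", a, "10.1.22.3", 27, "Ethernet0/0/1"),
        sw.dhcp_ack("Ethernet0/0/13", a, "10.1.22.3", 27, "Ethernet0/0/1"),
        sw.check_arp("Ethernet0/0/1", 27, a, "10.1.22.3"),
        sw.check_arp("Ethernet0/0/2", 27, b, "10.1.22.3"),
        sw.check_ip("Ethernet0/0/2", 27, b, "10.1.22.3", "10.1.22.254"),
        sw.check_ip("Ethernet0/0/1", 27, a, "10.1.22.3", "10.1.22.3"),
    ]
if __name__ == "__main__":
    print(*demo(), sep="\n")
```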

7.5 Attack Protection


Interface G0/0/0 on R6 has received flooding packets. Take measures on R6 to
address this problem by limiting both the rate of received TCP SYN packets and
rate of ICMP flooding packets to 15000 bit/s each.

R6:
undo anti-attack tcp-syn enable
undo anti-attack icmp-flood enable
anti-attack tcp-syn car cir 15000
anti-attack icmp-flood car cir 15000

Note:
Before configuring, run the undo command to cancel the default configurations for defense
against TCP SYN and ICMP flooding attacks.

8. Section 8: IP Feature

8.1.1.1 Packet Analysis


The customer wants to obtain incoming and outgoing traffic on G0/0/0 of R2
within 100s and view traffic information on a terminal. Use the HyperTerminal to
record the output within 100 ms and display the information.


R2:
capture-packet interface G0/0/0 destination terminal time-out 100

8.1.1.2 VRRP
Add R1 and R3 to a VRRP group with IP address 157.68.3.102. Set R1 to master
and preemption delay to 10 seconds. To lessen fault impact on services, configure
ICMP on R1 to monitor packets on R5's S1/0/1 and set the detection interval to 20
seconds. When the packet rate reaches 80%, an active/standby switchover occurs in
the VRRP group.

R1
Interface GigabitEthernet0/0/0
vrrp vrid 1 virtual-ip 157.68.3.102
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 10

R3
Interface GigabitEthernet0/0/0
vrrp vrid 1 virtual-ip 157.68.3.102

R1
nqa test-instance user test
test-type icmp
destination-address ipv4 10.1.135.5
frequency 20
fail-percent 80
start now
Interface GigabitEthernet0/0/0
vrrp vrid 1 track nqa user test reduced 40

Note:
Understand the NQA functions, plan the detection and destination points in NQA
tests, and configure VRRP and NQA association.

8.1.1.3 Network Management


Configure the information center on R3. Output the error messages of the ping
module to the log buffer. Use the default channel.
The network management system uses SNMP to monitor BGP on R1. Configure
R1 to output the error messages of the BGP module to the server with name
SNMPHOST and IP address 157.68.3.101. Use the default channel. Set the user
group name to testgroup and user name to testuser. Use SHA authentication, set the
password to password, and set the name of trap source to SNMPV3. To avoid
impacting service traffic, allow the NMS server to monitor R1 only between
7:00-21:00 on weekends.

R3
info-center source ping channel 4 log level warning

R1
time-range acl_1 7:00 to 21:00 off-day
acl number 2001
rule 1 permit source 157.68.3.101 0.0.0.0 time-range acl_1
snmp-agent
snmp-agent sys-info version v3
snmp-agent usm-user v3 testuser testgroup authentication-mode sha password
snmp-agent group v3 testgroup privacy write-view SNMPV3 notify-view SNMPV3
snmp-agent target-host trap-paramsname SNMPV3 v3 securityname testuser privacy
snmp-agent target-host trap-hostname SNMPHOST address 157.68.3.101 trap-paramsname SNMPV3
snmp-agent trap enable feature-name bgp
info-center source BGP channel 5 trap level error

Note:
1. This section of the exam implies that information will be output through channel 4.
2. This section requires a time range-based ACL.

8.1.1.4 SSH
Set up secure login for users to VTY 0-4 of R6 through R3. The listening port of
R6 is port 1025. Ensure that SFTP and SCP are supported. Use password
authentication and set user name to R3, password to Hellow, and update interval to
24 hours. Give the R3 administrator all configuration rights on R6.

R6:
ssh user R3 authentication-type password
aaa
local-user R3 password cipher Hellow
local-user R3 service-type ssh
local-user R3 privilege level 3
stelnet server enable
ssh server port 1025
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh


R3
ssh client first-time enable

Note:
Use SSH and management level for this section.

8.1.1.5 NTP
R6 has synchronized with the standard clock. Configure the R3 clock to
synchronize with R6. Set the clock stratum to 5, encrypt NTP broadcast traffic on
the LAN with hmac-sha256, set key ID to 16, and set the password to Hello.

R6
ntp-service refclock-master 4
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 Hello
ntp-service reliable authentication-keyid 16
interface gigabitethernet 0/0/0
ntp-service broadcast-server authentication-keyid 16

R3
ntp-service authentication enable
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 Hello
ntp-service reliable authentication-keyid 16
interface gigabitethernet 0/0/0
ntp-service broadcast-client

Note:
Configure R6 as the NTP server.
