Workbook H2 CFG CCIE PDF


Ccie4career.com
Skype ID 1: ccie04final
Skype ID 2: nguyenbich279

CCIE4CAREER.COM - CCIE RS V5.0 H2 WORKBOOK


Ccie4career.com

Document Information
Author: Combat C4C, CC Dreamer C4C
Please Contact: Skype ID1: ccie04final (NOT live:ccie04final)
                Skype ID2: nguyenbich279 (NOT live:nguyenbich279)
Change Authority: Advanced Team Focus
Version: 1.7
Date: 2020
Comment History: Updated Solution

* Note: live:ccie04final and live:nguyenbich279 are falsified versions of our Skype IDs.
Please avoid entering incorrect IDs.

CCIE4Career.com
The best solution, very clear Workbook. The best way you can get CCIE Certificate.

CONTENTS
1. SECTION 1: Layer 2 technologies
1.1 Section 1.1: Jameson’s Datacenter: Access Ports
1.2 Section 1.2: Jameson’s Datacenter: Trunk Ports
1.3 Section 1.3 Jameson’s Datacenter: Link bundling
1.4 Section 1.4 Jameson’s Branch Offices
2. SECTION 2 Layer 3 Technologies
2.1 Section 2.1 Jameson’s IGP, Part 1
2.2 Section 2.2 Jameson’s IGP, Part 2
2.3 Section 2.3 Jacob’s IGP
2.4 Section 2.4 Jameson’s Pre-merge
2.5 Section 2.5 Jacob’s Pre-merge
2.6 Section 2.6 Merge phase 1: BGP
2.7 Section 2.7 Merge phase 2: IGP
2.8 Section 2.8 Merge phase 2: Routing Policies
2.9 Section 2.9 IPv6 Routing, Part 1
2.10 Section 2.10 IPv6 Routing, Part 2
2.11 Section 2.11 Multicast in Jameson’s
3. SECTION 3 VPN Technology
3.1 Section 3.1 Jameson’s Branch Offices
3.2 Section 3.2 Jameson’s Pre-merge VPN
3.3 Section 3.3 Merge Phase 2: VPN
3.4 Section 3.4 Inter-VPN Routing
4. SECTION 4 Infrastructure Security
4.1 Section 4.1 Device Security
4.2 Network Security
5. SECTION 5 Infrastructure Services
5.1 Section 5.1 Centralized DHCP
5.2 Section 5.2 Internet Gateway
5.3 Section 5.3 First hop redundancy
5.4 Section 5.4 Tracking reachability


Main Topology


BGP, VPN, Physical Topology


1. SECTION 1: Layer 2 technologies


1.1 Section 1.1: Jameson’s Datacenter: Access Ports
Question:

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Table 1: Jameson’s VLAN to
Port Mapping”.

VTP has been pre-configured in Jameson’s datacenter. SW3 is the server and the
other three switches are clients. Do not modify this configuration. Some other
configuration was already started, but it is your responsibility to verify and complete
it.

Configure all four switches in Jameson’s datacenter network (AS 65002) as per the
following requirements:

- All unused ports must be configured in VLAN 999 and administratively shut down.
- Access ports must immediately transition to the forwarding state upon link up,
  as long as they do not receive a BPDU. Use a unique command per switch to
  enable this feature.
- If an access port receives a BPDU, it must automatically shut down and generate
  a syslog message and an SNMP trap. Use a unique command per switch to enable this
  feature.
- Ports that were shut down must always rely on manual intervention to
  recover.
- VLAN 911 (10.2.1.X/24) will be used as the management VLAN in Jameson’s
  datacenter. Ensure that all datacenter switches are able to ping each other’s IP
  address in the management VLAN.
- SW5 and SW6 are low-end access switches and they do not have much
  processing power. Ensure that their only Layer 3 interfaces are Loopback0 and
  VLAN 911.
- SW3 and SW4 are robust and powerful distribution switches. Ensure that
  they maintain a Layer 3 interface for all local VLANs as well as all access VLANs,
  as specified in “Table 1: Jameson’s VLAN to Port Mapping”.
- On the exam, the unused interfaces were already associated with VLAN 999 and shut down.
- On the exam, SW3 and SW4 already had VTP and the VLANs configured.


Jameson’s VLAN to port Mapping

VLAN  SWITCH              PORT                              SVI
34    SW3-SW4             -                                 SW3-SW4
100   SW1,SW2,SW10,SW11   E1/0-3                            SW1,SW2,SW10,SW11
100   SW3,SW4,SW5         -                                 SW3,SW4
100   SW6                 E0/1-3                            -
101   SW1,SW2,SW10        E0/0-1                            SW1,SW2,SW10
101   SW11                E0/0                              SW11
101   SW5                 E0/1-3                            -
153   SW3                 E0/1                              SW3
156   SW3,SW4             E0/0                              -
164   SW4                 E0/1                              SW4
173   SW3                 -                                 SW3
173   SW5                 E0/0                              -
184   SW4                 -                                 SW4
184   SW6                 E0/0                              -
911   SW3,SW4,SW5,SW6     -                                 SW3,SW4,SW5,SW6
999   SW3,SW4             E0/2-3, E1/2-3, E2/2-3, E3/0-3    -
999   SW5,SW6             E1/2-3, E2/0-3, E3/0-3            -

Solution:

Note:

In the real exam, you will have many devices with pre-configuration:
- VLANs are pre-configured on some switches, but some VLANs may be missing, so
  you need to check carefully.
- Pay attention to the trunk links (they may be pre-configured as well).
- Check the physical interfaces and the VLAN interfaces; they can be in “shutdown” status.
- Make sure that you set aside 30 minutes to read everything through, and check the
  physical topology as well.

SW3:
vtp mode server
vtp domain jamesons
vtp password CISCO
vtp version 2

vlan 34,100,101,153,156,164,173,184,911,999

SW4/SW5/SW6
vtp mode client
vtp domain jamesons
vtp password CISCO
vtp version 2

SW3 (already configured on the exam)
interface e0/0
switchport access vlan 156
switchport mode access
!
interface e0/1
switchport access vlan 153
switchport mode access
no shutdown

SW4 (already configured on the exam)
interface e0/0
switchport access vlan 156
switchport mode access
!
int e0/1
switchport access vlan 164
sw mode acc
no shut

SW3/SW4 (already configured on the exam)
! unused ports per Table 1: E0/2-3, E1/2-3, E2/2-3, E3/0-3
int range e0/2-3,e1/2-3,e2/2-3,e3/0-3
sw acc vlan 999
sw mode acc
shutdown

SW5
int e0/0
sw acc vlan 173
sw mode acc
no shut
!
int range e0/1-3
sw acc vlan 101
sw mode acc
no shut

SW6
int e0/0
sw ac vlan 184
sw mode acc
no shut
!
int range e0/1-3
sw acc vlan 100
sw mode acc
no shut

SW5/SW6
int range e1/2-3,e2/0-3,e3/0-3
sw ac vlan 999
sw mod acc
shut

SW3/SW4/SW5/SW6
spanning-tree portfast default
spanning-tree portfast bpduguard default
snmp-server enable traps syslog
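
The access-port requirements of this section can be checked mechanically. The following is an added example, not part of the workbook: a small Python audit that replays an IOS-style configuration in order (including abbreviated commands and interface ranges) and reports unused ports that are not in VLAN 999 and shut down, missing global PortFast/BPDU guard commands, and errdisable auto-recovery. The function names and the sample configurations are constructed for illustration; the last two lines of SW3_BAD are a constructed later "no shut" range that overlaps unused port e2/2.

```python
import re

UNUSED_VLAN = 999


def _abbr(word, full, minlen):
    """True if `word` is an IOS-style abbreviation of `full` (e.g. 'sw' for 'switchport')."""
    return len(word) >= minlen and full.startswith(word.lower())


def expand_ports(spec):
    """'e0/2-3, e1/2' -> ['e0/2', 'e0/3', 'e1/2']; ValueError for SVIs, loopbacks, etc."""
    ports = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*([A-Za-z]+)\s*(\d+)/(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if not m:
            raise ValueError(f"not a slot/port interface: {part!r}")
        kind, slot, first, last = m.group(1)[0].lower(), m.group(2), int(m.group(3)), m.group(4)
        ports += [f"{kind}{slot}/{n}" for n in range(first, int(last or first) + 1)]
    return ports


def parse(config):
    """Replay the config top to bottom, as the switch would; return (ports, global commands)."""
    ports, global_cmds, current = {}, set(), []
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        line = " ".join(words).lower()
        if _abbr(words[0], "interface", 3):
            spec = " ".join(w for w in words[1:] if not _abbr(w, "range", 3))
            try:
                current = expand_ports(spec)
            except ValueError:
                current = []          # SVIs, loopbacks, port-channels are not audited
            for p in current:
                ports.setdefault(p, {"vlan": 1, "shutdown": False})
            continue
        # Assumption: the audited global commands are written out in full.
        if (line.startswith("spanning-tree portfast") and line.endswith(" default")) \
                or line.startswith("errdisable recovery cause"):
            global_cmds.add(line)
            current = []
            continue
        negated = words[0].lower() == "no"
        cmd = words[1:] if negated else words
        if not cmd:
            continue
        if _abbr(cmd[0], "shutdown", 4):                       # "shut" / "no shut"
            for p in current:
                ports[p]["shutdown"] = not negated
        elif (len(cmd) >= 4 and _abbr(cmd[0], "switchport", 2)
              and _abbr(cmd[1], "access", 2) and _abbr(cmd[2], "vlan", 1)):
            for p in current:
                ports[p]["vlan"] = int(cmd[3])
    return ports, global_cmds


def audit(config, unused_ports, unused_vlan=UNUSED_VLAN):
    """Return a list of findings; an empty list means the checked requirements hold."""
    ports, global_cmds = parse(config)
    findings = []
    for p in expand_ports(unused_ports):
        state = ports.get(p, {"vlan": 1, "shutdown": False})
        if state["vlan"] != unused_vlan:
            findings.append(f"{p}: in VLAN {state['vlan']}, expected {unused_vlan}")
        if not state["shutdown"]:
            findings.append(f"{p}: not administratively shut down")
    for needed in ("spanning-tree portfast default",
                   "spanning-tree portfast bpduguard default"):
        if needed not in global_cmds:
            findings.append(f"missing global: {needed}")
    if any(g.startswith("errdisable recovery cause") and g.split()[-1] in ("bpduguard", "all")
           for g in global_cmds):
        findings.append("errdisable auto-recovery covers bpduguard; "
                        "ports must stay down until manual recovery")
    return findings


# Constructed sample input, assembled from the commands shown in this section.
SW3_UNUSED = "e0/2-3, e1/2-3, e2/2-3, e3/0-3"
_BASE = """\
interface e0/0
switchport access vlan 156
switchport mode access
!
int range e0/2-3, e1/2-3, e2/2-3, e3/0-3
sw acc vlan 999
sw mode acc
shutdown
!
spanning-tree portfast default
spanning-tree portfast bpduguard default
"""
SW3_GOOD = _BASE + "int range e1/0-1, e2/0-1\nno shut\n"
SW3_BAD = _BASE + "int range e1/0-1, e2/0-2\nno shut\n"   # overlaps unused e2/2

if __name__ == "__main__":
    for label, cfg in (("good", SW3_GOOD), ("bad", SW3_BAD)):
        print(label, audit(cfg, SW3_UNUSED))
```

Because the parser replays commands in order, a port that was shut down early and re-enabled by a later range is reported with its final state, which is what the switch ends up running.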

Verification:
SW3#show vlan bri

VLAN Name Status Ports


---- -------------------------------- --------- ----------------------------
---
1 default active
34 VLAN0034 active
100 VLAN0100 active
101 VLAN0101 active
153 VLAN0153 active Et0/1
156 VLAN0156 active Et0/0
164 VLAN0164 active
173 VLAN0173 active
184 VLAN0184 active
900 VLAN0900 active
911 VLAN0911 active
999 VLAN0999 active Et0/2, Et0/3, Et1/2, Et1/3
Et2/2, Et2/3, Et3/0, Et3/1
Et3/2, Et3/3
1002 fddi-default act/unsup
1003 trcrf-default act/unsup

1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

SW3#show vtp status


VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : jamesons
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc00.6000
Configuration last modified by 10.2.0.13 at 6-14-17 18:46:55
Local updater ID is 10.2.0.13 on interface Vl34 (lowest numbered VLAN
interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
Configuration Revision : 1
MD5 digest : 0x9A 0xD9 0x43 0xA9 0x8B 0x3C 0xA8 0x31
0x1D 0x6F 0x53 0xAD 0x22 0xFA 0xF9 0xEC


1.2 Section 1.2: Jameson’s Datacenter: Trunk Ports


Question:

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Table 1: Jameson’s VLAN
to Port Mapping”.

Configure Jameson’s datacenter network (AS 65002) as per the following
requirements:

- All inter-switch links must be configured to use dot1q encapsulation.
- Ensure that all four switches send and receive untagged frames on VLAN 1.
- All four switches must maintain a separate Spanning-tree instance for each
  VLAN.
- Spanning-tree must immediately delete dynamically learned MAC address
  entries on a per-port basis upon receiving a topology change.
- SW3 must be the root switch for all VLANs. SW4 must be the backup root
  switch for all VLANs. Ensure that they both have the best chances of
  maintaining their respective role even if any new normal-range VLAN were to
  be added in the future.

Solution:

SW3/SW4
int range e2/0-1,e1/0-1
sw trunk en dot
sw mod trunk
sw trunk native vlan 1
no shut

SW5/SW6
int range e1/0-1
sw trunk en dot
sw mode trunk
sw trunk native vlan 1
no shut

SW3/SW4/SW5/SW6
spanning-tree mode rapid-pvst

SW3
span vlan 1-1005 pri 0

SW4
span vlan 1-1005 pri 4096

Note:

If the question asks you to do this:

Ensure that no switch attempts to negotiate the trunk parameters.

The solution, on the trunk link between two switches, is:

interface x/y
sw trunk en dot
sw mod trunk
switchport nonegotiate

Verification:
SW3#show int trunk

Port Mode Encapsulation Status Native vlan


Et2/0 on 802.1q trunking 1
Et2/1 on 802.1q trunking 1
Po35 on 802.1q trunking 1

Port Vlans allowed on trunk


Et2/0 none
Et2/1 none
Po35 1-4094

Port Vlans allowed and active in management domain


Et2/0 none
Et2/1 none
Po35 1,34,100-101,153,156,164,173,184,900,911,999

Port Vlans in spanning tree forwarding state and not pruned


Et2/0 none
Et2/1 none
Po35 1,34,100-101,153,156,164,173,184,900,911,999


1.3 Section 1.3 Jameson’s Datacenter: Link bundling


Question:

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial
Topology”.

Configure Jameson’s datacenter network as per the following requirements:

- All four switches must bundle trunk ports so that they maintain a single logical
  link to each other (except between SW5 and SW6), as shown in
  “Diagram 2: Initial Topology”.
- The distribution switches SW3 and SW4 must balance traffic between all
  members of the link bundle based on source and destination IP addresses.
- The access switches SW5 and SW6 must balance the incoming traffic (that
  originates from the servers) between all members of the link bundle based on the
  source MAC address.
- The exam requests LACP: SW3 and SW4 are configured as active, SW5 and SW6 as
  passive.

Solution:

SW3
int range e1/0-1,e2/0-1
shut
int range e2/0-1
channel-protocol lacp
channel-group 34 mode active
int range e1/0-1
channel-protocol lacp
channel-group 35 mode active

SW4
int range e1/0-1, e2/0-1
shut
int range e2/0-1
channel-protocol lacp
channel-group 34 mode active
int range e1/0-1
channel-pro lacp
channel-gro 46 mode active

SW5

int range e1/0-1
shut
channel-pro lacp
channel-gr 35 mode passive

SW6
int range e1/0-1
channel-protocol lacp
channel-group 46 mode pass

SW3/SW4
! re-enable only the bundle members; e2/2 is an unused port (VLAN 999) and stays shut down
int range e1/0-1,e2/0-1
no shut
port-channel load-balance src-dst-ip

SW5/SW6
int range e1/0-1
no shut
port-channel load-balance src-mac

R17/R18
int range e0/0-1
no shut

Note:

It depends on the question you get from Cisco, but you need to understand
the negotiation in link bundling shown in the picture below:


So if the question asks you:

No switch attempts to negotiate which ports should become active in the bundle.

You must configure both switches with mode on:

interface x/y
channel-group [number] mode on

Verification:
SW3#show int trunk

Port Mode Encapsulation Status Native vlan


Po35 on 802.1q trunking 1
Po34 on 802.1q trunking 1

Port Vlans allowed on trunk


Po35 1-4094
Po34 1-4094

Port Vlans allowed and active in management domain


Po35 1,34,100-101,153,156,164,173,184,911,999
Po34 1,34,100-101,153,156,164,173,184,911,999

Port Vlans in spanning tree forwarding state and not pruned


Po35 1,34,100-101,153,156,164,173,184,911,999
Po34 1,34,100-101,153,156,164,173,184,911,999

SW3#show int description


Interface Status Protocol Description
Et0/0 up up
Et0/1 up up
Et0/2 admin down down
Et0/3 admin down down
Et1/0 up up
Et1/1 up up

Et1/2 admin down down
Et1/3 admin down down
Et2/0 up up
Et2/1 up up
Et2/2 up up
Et2/3 admin down down
Et3/0 admin down down
Et3/1 admin down down
Et3/2 admin down down
Et3/3 admin down down
Po35 up up
Po34 up up
Lo0 up up
Vl1 admin down down
Vl34 up up
Vl100 up up
Vl101 up up
Vl153 up up
Vl173 up up
Vl911 up up

SW3#show vlan

VLAN Name Status Ports


---- -------------------------------- --------- -------------------------------
1 default active
34 VLAN0034 active
100 VLAN0100 active
101 VLAN0101 active
153 VLAN0153 active Et0/1
156 VLAN0156 active Et0/0
164 VLAN0164 active
173 VLAN0173 active
184 VLAN0184 active
911 VLAN0911 active
999 VLAN0999 active Et0/2, Et0/3, Et1/2, Et1/3
Et2/2, Et2/3, Et3/0, Et3/1
Et3/2, Et3/3
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
34 enet 100034 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
101 enet 100101 1500 - - - - - 0 0
153 enet 100153 1500 - - - - - 0 0
156 enet 100156 1500 - - - - - 0 0
164 enet 100164 1500 - - - - - 0 0
173 enet 100173 1500 - - - - - 0 0
184 enet 100184 1500 - - - - - 0 0
911 enet 100911 1500 - - - - - 0 0
999 enet 100999 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 trcrf 101003 4472 1005 3276 - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trbrf 101005 4472 - - 15 ibm - 0 0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7 7 off

Primary Secondary Type Ports


------- --------- ----------------- ------------------------------------------

SW3#show span

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 1
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 1 (priority 0 sys-id-ext 1)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr

VLAN0034
Spanning tree enabled protocol rstp
Root ID Priority 34
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 34 (priority 0 sys-id-ext 34)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 100
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 100 (priority 0 sys-id-ext 100)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Po34 Desg FWD 56 128.65 Shr Peer(STP)

Po35 Desg FWD 56 128.66 Shr

VLAN0101
Spanning tree enabled protocol rstp
Root ID Priority 101
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 101 (priority 0 sys-id-ext 101)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr

VLAN0153
Spanning tree enabled protocol rstp
Root ID Priority 153
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 153 (priority 0 sys-id-ext 153)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/1 Desg FWD 100 128.2 Shr Edge
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr

VLAN0156
Spanning tree enabled protocol rstp
Root ID Priority 156
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 156 (priority 0 sys-id-ext 156)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 Shr Edge
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr


VLAN0164
Spanning tree enabled protocol rstp
Root ID Priority 164
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 164 (priority 0 sys-id-ext 164)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr

VLAN0173
Spanning tree enabled protocol rstp
Root ID Priority 173
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 173 (priority 0 sys-id-ext 173)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr

VLAN0184
Spanning tree enabled protocol rstp
Root ID Priority 184
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 184 (priority 0 sys-id-ext 184)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr

VLAN0911
Spanning tree enabled protocol rstp
Root ID Priority 911
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec


Bridge ID Priority 911 (priority 0 sys-id-ext 911)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr

VLAN0999
Spanning tree enabled protocol rstp
Root ID Priority 999
Address aabb.cc00.6000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 999 (priority 0 sys-id-ext 999)


Address aabb.cc00.6000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et2/2 Desg FWD 100 128.11 Shr Edge
Po34 Desg FWD 56 128.65 Shr Peer(STP)
Po35 Desg FWD 56 128.66 Shr

SW4#ping 255.255.255.255 re 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:

Reply to request 0 from 10.2.0.9, 1 ms


Reply to request 0 from 10.2.1.103, 3 ms
Reply to request 0 from 10.2.101.253, 3 ms
Reply to request 0 from 10.2.100.253, 3 ms
Reply to request 0 from 10.2.0.13, 3 ms

Reply to request 1 from 10.2.0.13, 5 ms


Reply to request 1 from 10.2.1.103, 10 ms
Reply to request 1 from 10.2.1.105, 5 ms
Reply to request 1 from 10.2.0.9, 5 ms
Reply to request 1 from 10.2.1.106, 5 ms
Reply to request 1 from 10.2.101.253, 5 ms
Reply to request 1 from 10.2.100.253, 5 ms


1.4 Section 1.4 Jameson’s Branch Offices


Question:

Refer to “Diagram 1: Jameson’s Layer 2 Connections”.

Configure interface Ethernet0/0 in Jameson’s branch routers R19, R20 and R21 as
per the following requirements:

- The Ethernet WAN links must rely on a Layer 2 protocol that supports link
  negotiation and authentication.
- The service provider expects the branch routers to complete a three-way
  handshake by providing the expected response to a challenge that is sent by
  the ISP.
- R19 must use the username “Jamesons-R19” and password “CCIE” (without
  quotes).
- R20 must use the username “Jamesons-R20” and password “CCIE” (without
  quotes).
- R21 must use the username “Jamesons-R21” and password “CCIE” (without
  quotes).
- The interface Eth0/0 of all three routers must receive an IP address from the ISP.
- Ensure that all three routers can ping the IP address of each other’s interface
  Eth0/0.
- You are allowed to configure a single static route in each branch router to
  achieve the previous requirement.

Solution:

R19
interface dialer1
ip address negotiated
encap ppp
dialer pool 1
ppp chap hostname Jamesons-R19
ppp chap pass 0 CCIE
!
int e0/0
pppoe enable group global
pppoe-client dial-pool-number 1
no shut
!
ip route 192.0.2.0 255.255.255.0 dialer 1

R20

int dialer 1
ip add nego
encapsulation ppp
dialer pool 1
ppp chap hostname Jamesons-R20
ppp chap pass 0 CCIE
!
int e0/0
pppoe enable group global
pppoe-client dial-pool-number 1
no shut
!
ip route 192.0.2.0 255.255.255.0 dialer 1

R21
int dialer 1
ip add nego
encapsulation ppp
dialer pool 1
ppp chap hostname Jamesons-R21
ppp chap pass 0 CCIE
!
int e0/0
pppoe enable group global
pppoe-client dial-pool-number 1
no shut
!
ip route 192.0.2.0 255.255.255.0 dialer 1
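
The three-way handshake that the question describes is CHAP (RFC 1994), which the "ppp chap hostname" and "ppp chap password" commands above configure on the branch side. The following is an added example, not part of the workbook: a Python model of the exchange with both sides' messages, using the RFC 1994 packet layout and Response Value = MD5(Identifier || secret || Challenge). The authenticator name "ISP", the function names and the identifiers are assumptions made for illustration; the username and password are the ones given in the task.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP codes (RFC 1994)


def build(code, ident, value, name):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse(packet):
    """Return (code, identifier, value, name); reject inconsistent length fields."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length != len(packet) or 5 + size > length:
        raise ValueError("CHAP length fields do not match the packet")
    return code, ident, packet[5:5 + size], packet[5 + size:]


def chap_value(ident, secret, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def isp_challenge(ident, name=b"ISP"):
    """Step 1 (authenticator): send a fresh random challenge. 'ISP' is a hypothetical name."""
    return build(CHALLENGE, ident, os.urandom(16), name)


def branch_response(challenge_pkt, hostname, secret):
    """Step 2 (branch router): prove knowledge of the secret without sending it."""
    code, ident, challenge, _ = parse(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return build(RESPONSE, ident, chap_value(ident, secret, challenge), hostname)


def isp_verify(challenge_pkt, response_pkt, secrets):
    """Step 3 (authenticator): recompute the hash and answer Success or Failure."""
    _, ident, challenge, _ = parse(challenge_pkt)
    code, resp_id, value, name = parse(response_pkt)
    secret = secrets.get(name)
    ok = (code == RESPONSE and resp_id == ident and secret is not None
          and hmac.compare_digest(value, chap_value(ident, secret, challenge)))
    return SUCCESS if ok else FAILURE


if __name__ == "__main__":
    isp_db = {b"Jamesons-R19": b"CCIE"}            # credentials from the task text
    c1 = isp_challenge(ident=1)
    r1 = branch_response(c1, b"Jamesons-R19", b"CCIE")
    print("correct secret      :", isp_verify(c1, r1, isp_db))
    wrong = branch_response(c1, b"Jamesons-R19", b"cisco")
    print("wrong secret        :", isp_verify(c1, wrong, isp_db))
    c2 = isp_challenge(ident=1)                    # new session, new challenge
    print("replayed old answer :", isp_verify(c2, r1, isp_db))
```

The password never crosses the link and an old response fails against a new challenge, but both ends must hold the secret in recoverable form, and "ppp chap password 0" stores it unencrypted in the running configuration.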

Explanation:

Why do you need the command: ip route 192.0.2.0 255.255.255.0 dialer 1

By default, when you check the routing table on the router, you will see:
C 192.0.2.5/32 is directly connected, Dialer1
C 192.0.2.6/32 is directly connected, Dialer1
So when you try to ping the IP address of R21’s interface E0/0, it will not succeed,
because there is no route to it in the routing table. That is why you need to add a
static route.

Verification:
R19#show ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES TFTP up up
Ethernet0/1 10.16.1.1 YES TFTP up up
Ethernet0/2 unassigned YES TFTP administratively down down

Ethernet0/3 unassigned YES TFTP administratively down down
Ethernet1/0 unassigned YES TFTP administratively down down
Ethernet1/1 unassigned YES TFTP administratively down down
Ethernet1/2 unassigned YES TFTP administratively down down
Ethernet1/3 unassigned YES TFTP administratively down down
Dialer1 192.0.2.6 YES IPCP up up
Loopback0 10.255.1.19 YES TFTP up up
Tunnel0 10.100.0.19 YES TFTP up down
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up

R19#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks


C 10.16.1.0/24 is directly connected, Ethernet0/1
L 10.16.1.1/32 is directly connected, Ethernet0/1
C 10.255.1.19/32 is directly connected, Loopback0
192.0.2.0/24 is variably subnetted, 3 subnets, 2 masks
S 192.0.2.0/24 is directly connected, Dialer1
C 192.0.2.5/32 is directly connected, Dialer1
C 192.0.2.6/32 is directly connected, Dialer1

R19#ping 192.0.2.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

R19#ping 192.0.2.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

R19#ping 192.0.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


2. SECTION 2 Layer 3 Technologies


Rules and restrictions:

- After finishing each of the following questions, make sure that all configured
  interfaces and subnets are consistently visible on all pertinent routers and
  switches.
- Do not redistribute routes between any interior gateway protocol (IGP) and BGP
  if not explicitly required.
- If not explicitly stated otherwise, you need to ping a BGP route only if it is
  stated in a question; otherwise the route should be only in the BGP table.
- At the end of this section, all subnets in your topology, including the
  loopback interfaces, must be reachable via ping from anywhere in your topology.
  The backbone interfaces must be reachable only if they are part of the
  solution to a question.
- The loopback interfaces must be seen as host routes (/32) in the routing tables
  unless stated otherwise in a question.

2.1 Section 2.1 Jameson’s IGP, Part 1


Question:

Refer to “Diagram 2: Initial Topology”. The configuration was already started. It is
your responsibility to complete and verify all requirements.

Configure Jameson’s network (AS 65001 and AS 65002) according to the following
requirements:

- Ensure that all routers use their interface Loopback 0 as OSPF router-id.
- Ensure that OSPF is not running on any interface that is facing another BGP
  AS.
- SW5 and SW6 must not participate in OSPF at all.
- Do not use the “network” statement under the “router ospf” configuration
  anywhere in the core network (AS 65001).
- Do not change the default OSPF cost of any interface anywhere.
- Ensure that R1, SW1 and SW2 are elected the Designated router on all of their
  interfaces, and that they have the best chances of maintaining that role as
  long as their interfaces are up.
- Ensure that R2 is elected the Backup Designated router on all of its
  interfaces, and that it has the best chances of maintaining that role as long as
  its interfaces are up.
- The exam requests passive interfaces for VLAN 100, VLAN 101 and VLAN 911.
- The OSPF process is 1.


Solution:

SW3/SW4
router ospf 1
passive-int vlan 100
passive-int vlan 101
passive-int vlan 911

R17
router ospf 1
router-id 10.255.1.17
!
interface l0
ip ospf 1 are 0
int e0/1
ip ospf 1 area 0

R18
router ospf 1
router-id 10.255.1.18
int l0
ip ospf 1 area 0
int e0/1
ip ospf 1 area 0

SW1/SW2 (already configured on the exam)
vlan 100
vlan 101

SW1
router ospf 1
router-id 10.255.1.101
int l0
ip ospf 1 area 0
int vlan 100
ip ospf 1 are 0
!
int vlan 101
ip ospf 1 area 0
ip ospf pri 255


R11
router ospf 1
router-id 10.255.1.11
int l0
ip ospf 1 area 0
int e0/1
ip ospf 1 area 0

R12
router ospf 1
router-id 10.255.1.12
!
int l0
ip ospf 1 area 0
int e0/1
ip ospf 1 area 0

SW2
router ospf 1
router-id 10.255.1.102
int l0
ip ospf 1 area 0
int vlan 100
ip ospf 1 are 0
int vlan 101
ip ospf 1 area 0
ip ospf priority 255

R13
router ospf 1
router-id 10.255.1.13
int l0
ip ospf 1 area 0
int e0/1
ip ospf 1 are 0

R14
router ospf 1
router-id 10.255.1.14
int l0
ip ospf 1 are 0
int e0/1
ip ospf 1 are 0


R1
router ospf 1
router-id 10.255.1.1
int l0
ip ospf 1 are 0
int range e0/0-3,e1/0
ip ospf 1 are 0
ip ospf pri 255

R3
router ospf 1
router-id 10.255.1.3
int l0
ip ospf 1 area 0
int e0/0
ip ospf 1 area 0
int e0/2
ip ospf 1 area 0

R4
router ospf 1
router-id 10.255.1.4
int l0
ip ospf 1 are 0
int e0/0
ip ospf 1 are 0
int e0/2
ip ospf 1 area 0
ip ospf pri 255

R5
router ospf 1
router-id 10.255.1.5
!
int l0
ip ospf 1 are 0
int rang e0/0-1
ip ospf 1 are 0

R6
router ospf 1
router-id 10.255.1.6
int l0
ip ospf 1 area 0
int e0/0
ip ospf 1 are 0
int e0/1
ip ospf 1 are 0
ip ospf pri 255

R7
router ospf 1
router-id 10.255.1.7
int l0
ip ospf 1 are 0
int e0/3
ip ospf 1 area 0

R8
router ospf 1
router-id 10.255.1.8
int l0
ip ospf 1 area 0
int e0/3
ip ospf 1 are 0
ip ospf pri 255

R9/R10
int range e0/0-1
no shut

R9
router ospf 1
router-id 10.255.1.9
int l0
ip ospf 1 area 0
int e0/0
ip ospf 1 are 0

R10
router ospf 1
router-id 10.22.1.10
int l0
ip ospf 1 area 0
int e0/0
ip ospf 1 area 0
ip ospf pri 255

R2
router ospf 1
router-id 10.255.1.2
int l0
ip ospf 1 are 0
int range e0/0-3,e1/0
ip ospf 1 are 0
ip ospf pri 254

Verification:
R1#show ip os int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.1.1/32 1 LOOP 0/0
Et0/0 1 0 10.254.0.1/30 10 DR 1/1
Et0/1 1 0 10.254.0.5/30 10 DR 1/1
Et0/2 1 0 10.254.0.13/30 10 DR 1/1
Et0/3 1 0 10.254.0.9/30 10 DR 1/1
Et1/0 1 0 10.254.0.17/30 10 DR 1/1

R1#show ip os ne
Neighbor ID Pri State Dead Time Address Interface
10.255.1.2 254 FULL/BDR 00:00:37 10.254.0.2 Ethernet0/0
10.255.1.5 1 FULL/BDR 00:00:33 10.254.0.6 Ethernet0/1
10.255.1.3 1 FULL/BDR 00:00:34 10.254.0.14 Ethernet0/2
10.255.1.7 1 FULL/BDR 00:00:31 10.254.0.10 Ethernet0/3
10.255.1.9

R2#show ip os int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.1.2/32 1 LOOP 0/0
Et0/0 1 0 10.254.0.2/30 10 BDR 1/1
Et0/1 1 0 10.254.0.21/30 10 BDR 1/1
Et0/2 1 0 10.254.0.33/30 10 BDR 1/1
Et0/3 1 0 10.254.0.25/30 10 BDR 1/1
Et1/0 1 0 10.254.0.29/30 10 BDR 1/1

R2#show ip os ne
Neighbor ID Pri State Dead Time Address Interface
10.255.1.1 255 FULL/DR 00:00:37 10.254.0.1 Ethernet0/0
10.255.1.6 255 FULL/DR 00:00:39 10.254.0.22 Ethernet0/1
10.255.1.4 255 FULL/DR 00:00:35 10.254.0.34 Ethernet0/2
10.255.1.8 255 FULL/DR 00:00:37 10.254.0.26 Ethernet0/3
10.22.1.10 255 FULL/DR 00:00:33 10.254.0.30 Ethernet1/0

SW1#show ip os int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.1.101/32 1 LOOP 0/0
Vl101 1 0 10.1.254.254/24 1 DR 2/2
Vl100 1 0 10.1.1.254/24 1 DR 0/0

SW1#show ip os ne
Neighbor ID Pri State Dead Time Address Interface
10.255.1.11 1 FULL/DROTHER 00:00:39 10.1.254.1 Vlan101
10.255.1.12 1 FULL/BDR 00:00:31 10.1.254.2 Vlan101

SW2#show ip os int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.1.102/32 1 LOOP 0/0
Vl101 1 0 10.3.254.254/24 1 DR 2/2
Vl100 1 0 10.3.1.254/24 1 DR 0/0

SW2#show ip os ne
Neighbor ID Pri State Dead Time Address Interface
10.255.1.13 1 FULL/DROTHER 00:00:34 10.3.254.1 Vlan101
10.255.1.14 1 FULL/BDR 00:00:33 10.3.254.2 Vlan101

R4#show ip os int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.1.4/32 1 LOOP 0/0
Et0/2 1 0 10.254.0.34/30 10 DR 1/1
Et0/0 1 0 10.254.0.50/30 10 BDR 1/1

R4#show ip os ne
Neighbor ID Pri State Dead Time Address Interface
10.255.1.2 254 FULL/BDR 00:00:37 10.254.0.33 Ethernet0/2
10.255.1.3 1 FULL/DR 00:00:39 10.254.0.49 Ethernet0/0
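The DR/BDR requirements of this section can be checked mechanically from the verification outputs. The following is an added example, not part of the workbook: it parses the R1 and R2 outputs shown above (the `R2_INT_BAD` sample is constructed) and reports any interface in the wrong role; function names are illustrative.

```python
"""Check OSPF DR/BDR requirements against 'show ip ospf interface brief'
and 'show ip ospf neighbor' text. Added example, not workbook code."""
import re

# Outputs copied from the Verification section of this page.
R1_INT = """\
R1#show ip os int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.1.1/32 1 LOOP 0/0
Et0/0 1 0 10.254.0.1/30 10 DR 1/1
Et0/1 1 0 10.254.0.5/30 10 DR 1/1
Et0/2 1 0 10.254.0.13/30 10 DR 1/1
Et0/3 1 0 10.254.0.9/30 10 DR 1/1
Et1/0 1 0 10.254.0.17/30 10 DR 1/1
"""
R2_INT = """\
R2#show ip os int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.1.2/32 1 LOOP 0/0
Et0/0 1 0 10.254.0.2/30 10 BDR 1/1
Et0/1 1 0 10.254.0.21/30 10 BDR 1/1
Et0/2 1 0 10.254.0.33/30 10 BDR 1/1
Et0/3 1 0 10.254.0.25/30 10 BDR 1/1
Et1/0 1 0 10.254.0.29/30 10 BDR 1/1
"""
R1_NBR = """\
R1#show ip os ne
Neighbor ID Pri State Dead Time Address Interface
10.255.1.2 254 FULL/BDR 00:00:37 10.254.0.2 Ethernet0/0
10.255.1.5 1 FULL/BDR 00:00:33 10.254.0.6 Ethernet0/1
10.255.1.3 1 FULL/BDR 00:00:34 10.254.0.14 Ethernet0/2
10.255.1.7 1 FULL/BDR 00:00:31 10.254.0.10 Ethernet0/3
10.255.1.9
"""
# Constructed failure case: R2 is no longer BDR on Et0/1.
R2_INT_BAD = R2_INT.replace("10.254.0.21/30 10 BDR", "10.254.0.21/30 10 DROTH")

IF_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<area>\S+)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<cost>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<nbrs>\d+/\d+)$")
NBR_ROW = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<adj>[A-Z0-9]+)/\s*(?P<role>\S+)\s+(?P<dead>\d\d:\d\d:\d\d)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)$")
# Interface states in which no DR/BDR election takes place.
NO_ELECTION = {"LOOP", "P2P", "P2MP"}


def parse_interfaces(text):
    """Return one dict per interface row; prompt and header lines never match."""
    rows = []
    for line in text.splitlines():
        m = IF_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def role_violations(int_brief_text, expected_role):
    """Names of electing interfaces whose state is not expected_role."""
    return [r["name"] for r in parse_interfaces(int_brief_text)
            if r["state"] not in NO_ELECTION and r["state"] != expected_role]


def parse_neighbors(text):
    """Return (rows, unparsed). Truncated rows are reported, not guessed."""
    rows, unparsed = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("Neighbor ID") or "#" in line:
            continue
        m = NBR_ROW.match(line)
        if m:
            rows.append(m.groupdict())
        else:
            unparsed.append(line)
    return rows, unparsed


def neighbor_has(nbr_text, router_id, role, priority):
    """True if router_id is seen with exactly this role and priority."""
    rows, _ = parse_neighbors(nbr_text)
    return any(r["rid"] == router_id and r["role"] == role
               and int(r["pri"]) == priority for r in rows)


if __name__ == "__main__":
    print("R1 not DR on:", role_violations(R1_INT, "DR"))
    print("R2 not BDR on:", role_violations(R2_INT, "BDR"))
    print("R2 (constructed) not BDR on:", role_violations(R2_INT_BAD, "BDR"))
    print("unparsed neighbor rows on R1:", parse_neighbors(R1_NBR)[1])
```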


2.2 Section 2.2 Jameson’s IGP, Part 2


Question:

Refer to “Diagram 2: Initial Topology”. Configure Jameson’s branch network according to the following requirements:

• R17 must propagate a default route in its OSPF domain, but only if it already has a default route in its routing table.
• Do not redistribute BGP into OSPF and vice versa on R17.
• Each branch router must establish an OSPF adjacency with R17 and must receive a default route via OSPF. They may not receive any other LSA type 3 from the ABR.
• Each branch router must advertise their interface Lo0 and Ethernet0/1 into OSPF.
• None of the branch routers may attempt to elect a Designated Router on their Tunnel 0 interface.

Solution:

R17 (already configured in the exam)
router bgp 65002
bgp router-id 10.255.1.17
nei 192.0.2.1 remote-as 12345

Explain:

It helps the other networks reach the Internet. It needs to be configured for the DMVPN in Section 3.1.

R17
int tunnel 0
ip nhrp map multicast dynamic
ip nhrp network-id 12345
ip nhrp redirect
tunnel source e0/0
tunnel mode gre multipoint

R19/20/21
int t0
ip nhrp map multicast 192.0.2.2
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp network-id 12345
ip nhrp shortcut
ip nhrp nhs 10.100.0.1
tunnel source dialer 1
tunnel mode gre multipoint

R17
router ospf 1
area 51 stub no-sum
default-information originate
!
int t0
ip ospf 1 area 51
ip ospf network point-to-multipoint

R19
router ospf 1
router-id 10.255.1.19
are 51 stub
!
int t0
ip ospf 1 area 51
ip ospf net point-to-multipoint
!
int l0
ip ospf 1 area 51
int e0/1
ip ospf 1 area 51

R20
router ospf 1
router-id 10.255.1.20
area 51 stub
!
int l0
ip ospf 1 are 51
int e0/1
ip ospf 1 are 51
int t0
ip ospf 1 area 51
ip ospf network point-to-multipoint

R21
router ospf 1
router-id 10.255.1.21
area 51 stub
int l0
ip ospf 1 are 51
int e0/1
ip ospf 1 are 51
int t0
ip ospf 1 are 51
ip ospf network point-to-multipoint

R17/R19/R20/R21
int tu0
shutdown
end
!
conf t
int tu 0
no shutdown
end

Explain:

Sometimes the interface state stays down, so as a best practice you should shut down and re-enable (shutdown, then no shutdown) interface Tunnel 0. If the DMVPN is still not up even after that, reload routers R17, R18, R20 and R21.

Verification:
R17#show ip os ne
Neighbor ID Pri State Dead Time Address Interface
10.255.1.103 1 FULL/DR 00:00:39 10.2.0.37 Ethernet0/1
10.255.1.19 0 FULL/ - 00:01:57 10.100.0.19 Tunnel0
10.255.1.21 0 FULL/ - 00:01:36 10.100.0.21 Tunnel0
10.255.1.20 0 FULL/ - 00:01:57 10.100.0.20 Tunnel0

R17#show ip os int br
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 10.255.1.17/32 1 LOOP 0/0
Et0/1 1 0 10.2.0.38/30 10 BDR 1/1
Tu0 1 51 10.100.0.1/24 1000 P2MP 3/3

R19#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.100.0.1 to network 0.0.0.0

O*IA 0.0.0.0/0 [110/1001] via 10.100.0.1, 00:02:12, Tunnel0
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C 10.16.1.0/24 is directly connected, Ethernet0/1
L 10.16.1.1/32 is directly connected, Ethernet0/1
O 10.16.2.0/24 [110/2010] via 10.100.0.1, 00:02:12, Tunnel0
O 10.16.3.0/24 [110/2010] via 10.100.0.1, 00:01:33, Tunnel0
C 10.100.0.0/24 is directly connected, Tunnel0
O 10.100.0.1/32 [110/1000] via 10.100.0.1, 00:02:12, Tunnel0
L 10.100.0.19/32 is directly connected, Tunnel0
O 10.100.0.20/32 [110/2000] via 10.100.0.1, 00:02:12, Tunnel0
O 10.100.0.21/32 [110/2000] via 10.100.0.1, 00:01:33, Tunnel0
C 10.255.1.19/32 is directly connected, Loopback0
O 10.255.1.20/32 [110/2001] via 10.100.0.1, 00:02:12, Tunnel0
O 10.255.1.21/32 [110/2001] via 10.100.0.1, 00:01:33, Tunnel0
192.0.2.0/24 is variably subnetted, 3 subnets, 2 masks
S 192.0.2.0/24 is directly connected, Dialer1
C 192.0.2.5/32 is directly connected, Dialer1
C 192.0.2.6/32 is directly connected, Dialer1

R17#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.0.2.6 10.100.0.19 UP 00:10:38 D
1 192.0.2.10 10.100.0.20 UP 00:10:26 D
1 192.0.2.14 10.100.0.21 UP 00:10:11 D


2.3 Section 2.3 Jacob’s IGP


Question:

Refer to “Diagram 2: Initial Topology”. Jacob’s network is partly preconfigured. It is your responsibility to verify and complete them.

Configure EIGRP for IPv4 in Jacob’s core network (AS 65006) according to the
following requirements:

• All EIGRP routers must support 64-bit metric calculations and Routing Information Base (RIB) scaling in EIGRP topologies.
• The interface Lo0 of each router must be seen as an internal EIGRP prefix by all other routers in their local domain.
• Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this requirement.
• Jacob’s core network must use the EIGRP autonomous system number 1.
• R52 must inject its interface loopback 52 into EIGRP as an external prefix.
• All EIGRP core routers R50, R51 must add the administrator tag “172.172.172.172” to all prefixes that they inject into EIGRP. Ensure that operators can filter routes by using the route tag wildcard mask.
• The following output must be seen on R50:
R50#show ip ei topology 52.52.52.52 255.255.255.255
EIGRP-IPv4 VR(JACOBS) Topology Entry for AS(1)/ID(172.30.1.50) for
52.52.52.52/32
State is Passive, Query origin flag is 1, 1 Successor(s), FD is
131153920, RIB is 1024640
Descriptor Blocks:
172.30.100.3 (Ethernet0/0), from 172.30.100.3, Send flag is 0x0
Composite metric is (131153920/163840), route is External
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 1001250000 picoseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
Originating router is 172.30.1.52
External data:
AS number of route is 0
External protocol is Connected, external metric is 0
Administrator tag is 172.172.172.172

Solution:

R53/R54
int range e0/0-1
no shut

R50/R51/R52/R53/R54
no router eigrp 1

R50
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
network 172.30.1.50 0.0.0.0
network 172.30.100.1 0.0.0.0

R51
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
network 172.30.1.51 0.0.0.0
network 172.30.100.2 0.0.0.0

R52
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
net 172.30.1.52 0.0.0.0
net 172.30.100.3 0.0.0.0
topology base
redistribute connected route-map CONNECTED
route-map CONNECTED
match interface loopback 52

R53
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
network 172.30.1.53 0.0.0.0
net 172.30.100.4 0.0.0.0

R54
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
network 172.30.1.54 0.0.0.0
net 172.30.100.5 0.0.0.0


R50/51/52/53/54/R9/R10
route-tag notation dotted-decimal

Explain:

This is a really important command. It makes the tag appear in the output as Tag: 172.172.172.172

R50/51/52
route-map TAG permit 10
set tag 172.172.172.172
!
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
topology base
distribute-list route-map TAG out
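What the dotted-decimal notation and a wildcard mask give an operator, as an added example that is not part of the workbook: the tag is one 32-bit value, and a wildcard mask marks the bits to ignore when matching. ACL-style semantics (wildcard bits set to 1 are "don't care", first match wins, implicit deny) and the sample routes and tag list are assumptions constructed for illustration.

```python
"""Route-tag matching with a wildcard mask (illustrative model, not IOS code)."""
import ipaddress


def tag_to_int(tag):
    """Accept 2896997548, '2896997548' or '172.172.172.172'."""
    if isinstance(tag, int):
        value = tag
    elif "." in tag:
        value = int(ipaddress.IPv4Address(tag))
    else:
        value = int(tag)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"route tag out of 32-bit range: {tag!r}")
    return value


def tag_to_dotted(tag):
    """Render a tag the way 'route-tag notation dotted-decimal' displays it."""
    return str(ipaddress.IPv4Address(tag_to_int(tag)))


def entry_matches(tag, pattern, wildcard):
    """Compare only the bits that the wildcard mask does not mark as ignored."""
    care = ~tag_to_int(wildcard) & 0xFFFFFFFF
    return (tag_to_int(tag) & care) == (tag_to_int(pattern) & care)


def evaluate(tag_list, tag):
    """First matching entry decides; no match means deny (assumed implicit deny)."""
    for action, pattern, wildcard in tag_list:
        if entry_matches(tag, pattern, wildcard):
            return action == "permit"
    return False


def filter_routes(routes, tag_list):
    """Keep the prefixes whose tag is permitted by tag_list."""
    return [prefix for prefix, tag in routes if evaluate(tag_list, tag)]


# Hypothetical tag list: permit every tag of the form 172.172.x.x.
CORE_TAGS = [("permit", "172.172.0.0", "0.0.255.255")]

# Constructed sample routes; tags given in both notations.
ROUTES = [
    ("52.52.52.52/32", 2896997548),        # same tag in plain decimal
    ("172.30.1.51/32", "172.172.172.172"),
    ("198.51.100.0/24", "172.16.0.1"),     # different tag, filtered
    ("203.0.113.0/24", 0),                 # untagged, filtered
]

if __name__ == "__main__":
    print(tag_to_dotted(2896997548))
    print(filter_routes(ROUTES, CORE_TAGS))
```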

SW10/SW11 (already configured in the exam)
vlan 100
vlan 101

R57
router eigrp 10
network 172.18.2.1 0.0.0.0
network 172.30.1.57 0.0.0.0

Verification:
R50#show ip ei ne
EIGRP-IPv4 VR(JACOBS) Address-Family Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
3 172.30.100.5 Et0/0 11 00:04:58 2 100 0 12
2 172.30.100.4 Et0/0 11 00:05:09 5 100 0 14
1 172.30.100.3 Et0/0 11 00:05:19 2 100 0 19
0 172.30.100.2 Et0/0 11 00:05:27 1 100 0 17

R50#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override


Gateway of last resort is not set

52.0.0.0/32 is subnetted, 1 subnets
D EX 52.52.52.52 [170/1024640] via 172.30.100.3, 00:06:26, Ethernet0/0
172.18.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.18.253.0/30 is directly connected, Ethernet0/1
L 172.18.253.1/32 is directly connected, Ethernet0/1
172.30.0.0/16 is variably subnetted, 7 subnets, 2 masks
C 172.30.1.50/32 is directly connected, Loopback0
D 172.30.1.51/32 [90/1024640] via 172.30.100.2, 00:06:58, Ethernet0/0
D 172.30.1.52/32 [90/1024640] via 172.30.100.3, 00:06:26, Ethernet0/0
D 172.30.1.53/32 [90/1024640] via 172.30.100.4, 00:08:45, Ethernet0/0
D 172.30.1.54/32 [90/1024640] via 172.30.100.5, 00:08:34, Ethernet0/0
C 172.30.100.0/29 is directly connected, Ethernet0/0
L 172.30.100.1/32 is directly connected, Ethernet0/0

R50#show ip ei topology 52.52.52.52 255.255.255.255
EIGRP-IPv4 VR(JACOBS) Topology Entry for AS(1)/ID(172.30.1.50) for 52.52.52.52/32
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 131153920, RIB is 1024640
Descriptor Blocks:
172.30.100.3 (Ethernet0/0), from 172.30.100.3, Send flag is 0x0
Composite metric is (131153920/163840), route is External
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 1001250000 picoseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
Originating router is 172.30.1.52
External data:
AS number of route is 0
External protocol is Connected, external metric is 0
Administrator tag is 172.172.172.172
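The FD and RIB values in this entry follow directly from the 64-bit (wide) metric formula and RIB scaling that named-mode EIGRP enables. The following added example, not part of the workbook, recomputes them from the vector metric in the required output; it assumes the default K values (K1 = K3 = 1) and the default rib-scale of 128, with the formula taken from RFC 7868.

```python
"""Recompute EIGRP wide (64-bit) metrics from a topology entry. Added example."""
import re

EIGRP_BANDWIDTH = 10**7     # reference bandwidth, Kbit/s
EIGRP_WIDE_SCALE = 65536    # wide-metric scaling factor
EIGRP_DELAY_PICO = 10**6    # picoseconds per microsecond
RIB_SCALE = 128             # default rib-scale (assumed unchanged)

# Required output from the question in this section (line wraps kept).
ENTRY = """\
EIGRP-IPv4 VR(JACOBS) Topology Entry for AS(1)/ID(172.30.1.50) for
52.52.52.52/32
State is Passive, Query origin flag is 1, 1 Successor(s), FD is
131153920, RIB is 1024640
Descriptor Blocks:
172.30.100.3 (Ethernet0/0), from 172.30.100.3, Send flag is 0x0
Composite metric is (131153920/163840), route is External
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 1001250000 picoseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
"""


def wide_metric(min_bw_kbit, delay_ps, load=1, reliability=255,
                k=(1, 0, 1, 0, 0, 0), ext_attr=0):
    """Composite wide metric; k is (K1, K2, K3, K4, K5, K6)."""
    k1, k2, k3, k4, k5, k6 = k
    throughput = EIGRP_BANDWIDTH * EIGRP_WIDE_SCALE // min_bw_kbit
    latency = delay_ps * EIGRP_WIDE_SCALE // EIGRP_DELAY_PICO
    metric = (k1 * throughput + (k2 * throughput) // (256 - load)
              + k3 * latency + k6 * ext_attr)
    if k5:  # the reliability term applies only when K5 is non-zero
        metric = metric * k5 // (k4 + reliability)
    return metric


def rib_metric(metric, rib_scale=RIB_SCALE):
    """Scale the 64-bit metric down to the value installed in the RIB."""
    return metric // rib_scale


def parse_entry(text):
    """Extract the numeric fields of one topology entry; \\s+ tolerates wraps."""
    def num(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return int(m.group(1))

    comp = re.search(r"Composite metric is \((\d+)/(\d+)\)", text)
    if comp is None:
        raise ValueError("composite metric not found")
    return {
        "fd": num(r"FD is\s+(\d+)"),
        "rib": num(r"RIB is\s+(\d+)"),
        "composite": int(comp.group(1)),
        "reported": int(comp.group(2)),
        "bw": num(r"Minimum bandwidth is\s+(\d+) Kbit"),
        "delay": num(r"Total delay is\s+(\d+) picoseconds"),
        "rel": num(r"Reliability is\s+(\d+)/255"),
        "load": num(r"Load is\s+(\d+)/255"),
    }


def check_entry(text):
    """Compare recomputed values with the ones the router printed."""
    e = parse_entry(text)
    computed = wide_metric(e["bw"], e["delay"], e["load"], e["rel"])
    return {
        "computed": computed,
        "matches_fd": computed == e["fd"] == e["composite"],
        "rib": rib_metric(computed),
        "matches_rib": rib_metric(computed) == e["rib"],
        # Feasibility condition: reported distance below feasible distance.
        "feasible": e["reported"] < e["fd"],
    }


if __name__ == "__main__":
    print(check_entry(ENTRY))
```

The reported distance 163840 is reproduced by `wide_metric(8000000, 1250000)`, assuming a loopback bandwidth of 8000000 Kbit and taking 1250000 ps as the part of the total delay left after a 10 Mbit Ethernet hop; neither value is stated on the page.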


2.4 Section 2.4 Jameson’s Pre-merge


Question:

Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Pre-merge Topology”.

Jameson’s decided to enable MPLS VPN in their network. Configure Jameson’s network as per the following requirements:

• R11, R12, R13 and R14 must redistribute OSPF into BGP and they must advertise a default route into their respective OSPF domain. They may not redistribute BGP into OSPF. The always keyword must be added; it is requested in the exam.
• R15 and R16 must mutually redistribute OSPF and BGP.
• R11, R12, R13 and R14 must advertise only four prefixes via eBGP to Jameson’s core network as follows:
  o R11 and R12 must advertise 10.1.0.0/16, 10.255.1.11/32, 10.255.1.12/32 and 10.255.1.101/32;
  o R13 and R14 must advertise 10.3.0.0/16, 10.255.1.13/32, 10.255.1.14/32 and 10.255.1.102/32;
• R1 must reflect IPv4 BGP prefixes to all core routers except R2. All internal BGP peers must be established using interface Lo0.
• Ensure that each Jameson’s site receives BGP prefixes from other sites.
• An output very similar to the one shown below must be seen on R11, R12, R13 and R14 (only the next-hop, version and update-group may differ).
R11#show ip bgp 10.2.0.0/16
BGP routing table entry for 10.2.0.0/16, version 18
Paths: (2 available, best #2, table default)
Advertised to update-groups:
2
Refresh Epoch 1
65001 65001, (aggregated by 65002 10.255.1.16)
10.255.1.12 (metric 11) from 10.255.1.12 (10.255.1.12)
Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
65001 65001, (aggregated by 65002 10.255.1.15)
10.254.0.53 from 10.254.0.53 (10.255.1.7)
Origin IGP, localpref 100, valid, external, atomic-aggregate, best
rx pathid: 0, tx pathid: 0x0

Configure Jameson’s network as per the following requirements:

• Ensure that any prefix that originates in any of these main sites will not be advertised back to the same site via the redundant gateway.
• The configuration must equally apply to any future prefixes that may be advertised by any site.
• R15 and R16 must advertise their OSPF default route to their PE.


Solution:

R1
router bgp 65001
bgp router-id 10.255.1.1
nei IBGP peer-group
nei IBGP remote-as 65001
nei IBGP update-source loopback 0
nei IBGP route-reflector-client
nei 10.255.1.3 peer-group IBGP
nei 10.255.1.4 peer-group IBGP
nei 10.255.1.5 peer-group IBGP
nei 10.255.1.6 peer-group IBGP
nei 10.255.1.7 peer-group IBGP
nei 10.255.1.8 peer-group IBGP

R3
router bgp 65001
bgp router-id 10.255.1.3
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 update-source l0
nei 10.255.1.1 next-hop-self

R4
router bgp 65001
bgp router-id 10.255.1.4
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 update-source l0
nei 10.255.1.1 next-hop-self

R5
router bgp 65001
bgp router-id 10.255.1.5
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 update-source l0
nei 10.255.1.1 next-hop-self

R6
router bgp 65001
bgp router-id 10.255.1.6
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 update-source l0
nei 10.255.1.1 next-hop-self


R7
router bgp 65001
bgp router-id 10.255.1.7
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 update-source l0
nei 10.255.1.1 next-hop-self

R8
router bgp 65001
bgp router-id 10.255.1.8
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 update-source l0
nei 10.255.1.1 next-hop-self

Explain:

Why do you need the next-hop-self command under the BGP configuration? Because the interface facing the edge router is not advertised into the core network, so if the route from

R3 (role as PE)
ip vrf GREEN
rd 65002:15
!
int e0/1
ip vrf forwarding GREEN
ip add 10.254.0.73 255.255.255.252
!
router bgp 65001
no nei 10.254.0.74 remote-as 65002
address-family ipv4 vrf GREEN
nei 10.254.0.74 remote-as 65002
nei 10.254.0.74 as-override

R4 (PE role)
ip vrf GREEN
rd 65002:16
!
int e0/1
ip vrf forwarding GREEN
ip add 10.254.0.77 255.255.255.252
router bgp 65001
no nei 10.254.0.78 remote-as 65002
address-family ipv4 vrf GREEN
nei 10.254.0.78 remote-as 65002
nei 10.254.0.78 as-override

R5 (PE role)
ip vrf GREEN
rd 65002:13
int e0/2
ip vrf forwarding GREEN
ip add 10.254.0.41 255.255.255.252
!
router bgp 65001
no nei 10.254.0.42 remote-as 65002
address-family ipv4 vrf GREEN
nei 10.254.0.42 remote-as 65002
nei 10.254.0.42 as-override

R6 (PE role)
ip vrf GREEN
rd 65002:14
!
int e0/2
ip vrf forwarding GREEN
ip add 10.254.0.45 255.255.255.252
!
router bgp 65001
no nei 10.254.0.46 remote-as 65002
address-family ipv4 vrf GREEN
nei 10.254.0.46 remote-as 65002
nei 10.254.0.46 as-override

R7 (PE role)
ip vrf RED
rd 65002:11
!
int e0/0
ip vrf forwarding RED
ip add 10.254.0.53 255.255.255.252
!
router bgp 65001
no nei 10.254.0.54 remote-as 65002
address-family ipv4 vrf RED
nei 10.254.0.54 remote-as 65002
nei 10.254.0.54 as-override


R8 (PE role)
ip vrf RED
rd 65002:12
int e0/0
ip vrf forwarding RED
ip add 10.254.0.57 255.255.255.252
router bgp 65001
no nei 10.254.0.58 remote-as 65002
address-family ipv4 vrf RED
nei 10.254.0.58 remote-as 65002
nei 10.254.0.58 as-override

R11 (CE role)
router bgp 65002
bgp router-id 10.255.1.11
nei 10.254.0.53 remote-as 65001
nei 10.255.1.12 remote-as 65002
nei 10.255.1.12 update-source l0
nei 10.255.1.12 next-hop-self

R12 (CE role)
router bgp 65002
bgp router-id 10.255.1.12
nei 10.254.0.57 remote-as 65001
nei 10.255.1.11 remote-as 65002
nei 10.255.1.11 update-source l0
nei 10.255.1.11 next-hop-self

R13 (CE role)
router bgp 65002
bgp router-id 10.255.1.13
nei 10.254.0.41 remote-as 65001
nei 10.255.1.14 remote-as 65002
nei 10.255.1.14 update-source l0
nei 10.255.1.14 next-hop-self

R14 (CE role)
router bgp 65002
bgp router-id 10.255.1.14
nei 10.254.0.45 remote-as 65001
nei 10.255.1.13 remote-as 65002
nei 10.255.1.13 update-source l0
nei 10.255.1.13 next-hop-self


R15 (CE role)
router bgp 65002
bgp router-id 10.255.1.15
nei 10.254.0.73 remote-as 65001
nei 10.255.1.16 remote-as 65002
nei 10.255.1.16 update-source l0
nei 10.255.1.16 next-hop-self

R16 (CE role)
router bgp 65002
bgp router-id 10.255.1.16
nei 10.254.0.77 remote-as 65001
nei 10.255.1.15 remote-as 65002
nei 10.255.1.15 update-source l0
nei 10.255.1.15 next-hop-self

R11/R12
router bgp 65002
redistribute ospf 1
aggregate-address 10.1.0.0 255.255.0.0 summary-only
!
router ospf 1
default-information originate always

R13/R14
router bgp 65002
redistribute ospf 1
aggregate-address 10.3.0.0 255.255.0.0 summary-only
!
router ospf 1
default-information originate always

R15/R16
router bgp 65002
redistribute ospf 1 match internal external 2
aggregate-address 10.2.0.0 255.255.0.0 summary-only
!
router ospf 1
redistribute bgp 65002 subnets metric-type 1
!
router bgp 65002
default-information originate


Verification:
R1#show ip bgp summary
BGP router identifier 10.255.1.1, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.1.3 4 65001 16 52 1 0 0 00:01:44 0
10.255.1.4 4 65001 16 51 1 0 0 00:01:43 0
10.255.1.5 4 65001 9 53 1 0 0 00:01:46 0
10.255.1.6 4 65001 9 52 1 0 0 00:01:46 0
10.255.1.7 4 65001 9 51 1 0 0 00:01:43 0
10.255.1.8 4 65001 9 51 1 0 0 00:01:41 0

R15#show ip bgp
BGP table version is 342, local router ID is 10.255.1.15
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
* i 0.0.0.0 10.255.1.16 1 100 0 ?
*> 10.2.0.6 1 32768 ?
* i 10.0.0.0 10.255.1.16 1 100 0 ?
*> 10.2.0.6 1 32768 ?
* i 10.1.0.0/16 10.255.1.16 0 100 0 65001 65001 i
*> 10.254.0.73 0 65001 65001 i
s> 10.2.0.0/30 0.0.0.0 0 32768 ?
r i 10.2.0.0/16 10.255.1.16 0 100 0 i
r> 0.0.0.0 32768 i
s> 10.2.0.4/30 0.0.0.0 0 32768 ?
s> 10.2.0.8/30 10.2.0.6 12 32768 ?
s> 10.2.0.12/30 10.2.0.6 11 32768 ?
s> 10.2.0.36/30 10.2.0.6 11 32768 ?
s> 10.2.0.40/30 10.2.0.6 12 32768 ?
s> 10.2.1.0/24 10.2.0.6 11 32768 ?
s> 10.2.100.0/24 10.2.0.6 11 32768 ?
s> 10.2.101.0/24 10.2.0.6 11 32768 ?
* i 10.3.0.0/16 10.255.1.16 0 100 0 65001 65001 i
*> 10.254.0.73 0 65001 65001 i
* i 10.16.1.0/24 10.255.1.16 1031 100 0 ?
*> 10.2.0.6 1021 32768 ?
* i 10.16.2.0/24 10.255.1.16 1031 100 0 ?
*> 10.2.0.6 1021 32768 ?
* i 10.16.3.0/24 10.255.1.16 1031 100 0 ?
*> 10.2.0.6 1021 32768 ?
* i 10.100.0.1/32 10.255.1.16 21 100 0 ?
*> 10.2.0.6 11 32768 ?
* i 10.100.0.19/32 10.255.1.16 1021 100 0 ?
*> 10.2.0.6 1011 32768 ?
* i 10.100.0.20/32 10.255.1.16 1021 100 0 ?
*> 10.2.0.6 1011 32768 ?
* i 10.100.0.21/32 10.255.1.16 1021 100 0 ?
*> 10.2.0.6 1011 32768 ?
* i 10.255.1.11/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.12/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.13/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.14/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.15/32 10.255.1.16 11 100 0 ?
*> 0.0.0.0 0 32768 ?
* i 10.255.1.16/32 10.255.1.16 0 100 0 ?
*> 10.2.0.2 11 32768 ?
* i 10.255.1.17/32 10.255.1.16 22 100 0 ?
*> 10.2.0.6 12 32768 ?
* i 10.255.1.18/32 10.255.1.16 23 100 0 ?
*> 10.2.0.6 13 32768 ?
* i 10.255.1.19/32 10.255.1.16 1022 100 0 ?
*> 10.2.0.6 1012 32768 ?
* i 10.255.1.20/32 10.255.1.16 1022 100 0 ?
*> 10.2.0.6 1012 32768 ?
* i 10.255.1.21/32 10.255.1.16 1022 100 0 ?
*> 10.2.0.6 1012 32768 ?
* i 10.255.1.101/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.102/32 10.255.1.16 0 100 0 65001 65001 ?
*> 10.254.0.73 0 65001 65001 ?
* i 10.255.1.103/32 10.255.1.16 21 100 0 ?
*> 10.2.0.6 11 32768 ?
* i 10.255.1.104/32 10.255.1.16 22 100 0 ?
*> 10.2.0.6 12 32768 ?
* i 172.30.1.55/32 10.255.1.16 0 100 0 65001 65005 ?
*> 10.254.0.73 0 65001 65005 ?
* i 172.30.1.56/32 10.255.1.16 0 100 0 65001 65005 ?
*> 10.254.0.73 0 65001 65005 ?
* i 172.30.1.57/32 10.255.1.16 0 100 0 65001 65005 ?
*> 10.254.0.73 0 65001 65005 ?
* i 172.30.1.58/32 10.255.1.16 0 100 0 65001 65007 ?
*> 10.254.0.73 0 65001 65007 ?
* i 172.30.1.107/32 10.255.1.16 0 100 0 65001 65005 ?
*> 10.254.0.73 0 65001 65005 ?
* i 172.30.1.108/32 10.255.1.16 0 100 0 65001 65007 ?
*> 10.254.0.73 0 65001 65007 ?
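The “65001 65001” paths in this table are the visible effect of the as-override statements on the PEs: every Jameson site uses AS 65002, so without the rewrite each CE would drop the other sites' prefixes on the eBGP AS_PATH loop check. The following added example, not part of the workbook, models that check; site labels use the aggregates from this section and the function names are illustrative.

```python
"""eBGP AS_PATH loop check with and without as-override. Added example."""

PROVIDER_AS = 65001
# Jameson's sites, keyed by the aggregate each one originates (from this page).
SITES = {"10.1.0.0/16": 65002, "10.2.0.0/16": 65002, "10.3.0.0/16": 65002}


def pe_advertise(as_path, local_as, peer_as, as_override=False):
    """AS_PATH a PE sends to an eBGP CE neighbor in peer_as."""
    path = list(as_path)
    if as_override:
        # Replace every occurrence of the neighbor's AS with the PE's own AS.
        path = [local_as if asn == peer_as else asn for asn in path]
    # The PE always prepends its own AS on eBGP.
    return [local_as] + path


def ce_accepts(as_path, own_as):
    """Standard loop prevention: reject a path that contains our own AS."""
    return own_as not in as_path


def site_to_site(origin_as, provider_as, dest_as, as_override):
    """Follow one prefix CE -> PE -> (iBGP) -> PE -> CE.

    Returns (AS_PATH received by the destination CE, accepted?).
    """
    at_ingress_pe = [origin_as]  # the origin CE prepends its AS towards its PE
    # iBGP between the PEs (through the route reflector) leaves AS_PATH as is.
    at_dest_ce = pe_advertise(at_ingress_pe, provider_as, dest_as, as_override)
    return at_dest_ce, ce_accepts(at_dest_ce, dest_as)


def reachability(sites, provider_as, as_override):
    """Map (source prefix, destination site) -> accepted, for distinct sites."""
    result = {}
    for src, src_as in sites.items():
        for dst, dst_as in sites.items():
            if src != dst:
                _, ok = site_to_site(src_as, provider_as, dst_as, as_override)
                result[(src, dst)] = ok
    return result


if __name__ == "__main__":
    for override in (False, True):
        path, ok = site_to_site(65002, PROVIDER_AS, 65002, override)
        print(f"as-override={override}: path={path} accepted={ok}")
```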


2.5 Section 2.5 Jacob’s Pre-merge


Question:

Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 4: Pre-merge Topology”. Jacob’s decided to enable MPLS VPN in their network. Configure Jameson’s network as per the following requirements, based on the topology.

Solution:

R56
router bgp 65005
bgp router-id 172.30.1.56
nei 172.18.253.5 remote-as 65006
nei 172.30.1.55 remote-as 65005
nei 172.30.1.55 update-source l0
nei 172.30.1.55 next-hop-self
aggregate-address 172.18.0.0 255.255.0.0 summary-only

R55
router bgp 65005
bgp router-id 172.30.1.55
nei 172.18.253.1 remote-as 65006
nei 172.30.1.56 remote-as 65005
nei 172.30.1.56 update-source l0
nei 172.30.1.56 next-hop-self
aggregate-address 172.18.0.0 255.255.0.0 summary-only

R50 (PE role, VRF GREEN)
ip vrf GREEN
rd 65005:55
!
int e0/1
ip vrf forwarding GREEN
ip add 172.18.253.1 255.255.255.252
!
router bgp 65006
bgp router-id 172.30.1.50
address-family ipv4 vrf GREEN
nei 172.18.253.2 remote-as 65005


R51 (PE role, VRF GREEN, RT not yet defined)
ip vrf GREEN
rd 65005:56
!
interface Ethernet0/1
ip vrf forwarding GREEN
ip address 172.18.253.5 255.255.255.252
!
router bgp 65006
bgp router-id 172.30.1.51
address-family ipv4 vrf GREEN
nei 172.18.253.6 remote-as 65005

R52 (PE role, VRF BLUE)
ip vrf BLUE
rd 65007:58
!
int e0/1
ip vrf forwarding BLUE
ip add 172.17.253.22 255.255.255.252
!
router bgp 65006
bgp router-id 172.30.1.52
address-family ipv4 vrf BLUE
nei 172.17.253.21 remote-as 65007

R58 (in AS 65007, CE role)
router bgp 65007
bgp router-id 172.30.1.58
nei 172.17.253.22 remote-as 65006
aggregate-address 172.17.0.0 255.255.0.0 summary-only
!
router bgp 65007
redistribute eigrp 10
!

R55/R56 (already configured in the exam)
ip prefix-list EIGRP seq 5 permit 172.0.0.0/8 le 32
!
route-map JACOBHQ permit 10
match ip address prefix-list EIGRP
!
route-map JACOBHQ1 deny 10
match ip address prefix-list EIGRP
route-map JACOBHQ1 permit 20
!
router bgp 65005
redistribute eigrp 10 route-map JACOBHQ
!
router eigrp 10
redistribute bgp 65005 metric 1 1 1 1 1 route-map JACOBHQ1

Verification:
R50#show bgp vpnv4 uni all
BGP table version is 525, local router ID is 172.30.1.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65002:15
*>i 0.0.0.0 10.255.1.3 1 100 0 65002 ?
*>i 10.0.0.0 10.255.1.3 1 100 0 65002 ?
*>i 10.2.0.0/16 10.255.1.3 0 100 0 65002 i
*>i 10.16.1.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.16.2.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.16.3.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.100.0.1/32 10.255.1.3 11 100 0 65002 ?
*>i 10.100.0.19/32 10.255.1.3 1011 100 0 65002 ?
*>i 10.100.0.20/32 10.255.1.3 1011 100 0 65002 ?
*>i 10.100.0.21/32 10.255.1.3 1011 100 0 65002 ?
*>i 10.255.1.15/32 10.255.1.3 0 100 0 65002 ?
*>i 10.255.1.16/32 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.17/32 10.255.1.3 12 100 0 65002 ?
*>i 10.255.1.18/32 10.255.1.3 13 100 0 65002 ?
*>i 10.255.1.19/32 10.255.1.3 1012 100 0 65002 ?
*>i 10.255.1.20/32 10.255.1.3 1012 100 0 65002 ?
*>i 10.255.1.21/32 10.255.1.3 1012 100 0 65002 ?
*>i 10.255.1.103/32 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.104/32 10.255.1.3 12 100 0 65002 ?
*>i 172.18.1.0/24 10.255.1.3 1 100 0 65002 ?
Route Distinguisher: 65002:16
*>i 0.0.0.0 10.255.1.4 1 100 0 65002 ?
*>i 10.0.0.0 10.255.1.4 1 100 0 65002 ?
*>i 10.2.0.0/16 10.255.1.4 0 100 0 65002 i
*>i 10.16.1.0/24 10.255.1.4 1031 100 0 65002 ?
*>i 10.16.2.0/24 10.255.1.4 1031 100 0 65002 ?
*>i 10.16.3.0/24 10.255.1.4 1031 100 0 65002 ?
*>i 10.100.0.1/32 10.255.1.4 21 100 0 65002 ?
*>i 10.100.0.19/32 10.255.1.4 1021 100 0 65002 ?
*>i 10.100.0.20/32 10.255.1.4 1021 100 0 65002 ?
*>i 10.100.0.21/32 10.255.1.4 1021 100 0 65002 ?
*>i 10.255.1.15/32 10.255.1.4 11 100 0 65002 ?
*>i 10.255.1.16/32 10.255.1.4 0 100 0 65002 ?
*>i 10.255.1.17/32 10.255.1.4 22 100 0 65002 ?
*>i 10.255.1.18/32 10.255.1.4 23 100 0 65002 ?
*>i 10.255.1.19/32 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.20/32 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.21/32 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.103/32 10.255.1.4 21 100 0 65002 ?
*>i 10.255.1.104/32 10.255.1.4 22 100 0 65002 ?
*>i 172.18.1.0/24 10.255.1.4 1 100 0 65002 ?
Route Distinguisher: 65005:55 (default for vrf GREEN)
*>i 0.0.0.0 10.255.1.3 1 100 0 65002 ?
* i 10.255.1.4 1 100 0 65002 ?
*>i 10.0.0.0 10.255.1.3 1 100 0 65002 ?
* i 10.255.1.4 1 100 0 65002 ?
* i 10.2.0.0/16 10.255.1.4 0 100 0 65002 i
*>i 10.255.1.3 0 100 0 65002 i
*>i 10.16.1.0/24 10.255.1.3 1021 100 0 65002 ?
* i 10.255.1.4 1031 100 0 65002 ?
*>i 10.16.2.0/24 10.255.1.3 1021 100 0 65002 ?
* i 10.255.1.4 1031 100 0 65002 ?
*>i 10.16.3.0/24 10.255.1.3 1021 100 0 65002 ?
* i 10.255.1.4 1031 100 0 65002 ?
*>i 10.100.0.1/32 10.255.1.3 11 100 0 65002 ?
* i 10.255.1.4 21 100 0 65002 ?
*>i 10.100.0.19/32 10.255.1.3 1011 100 0 65002 ?
* i 10.255.1.4 1021 100 0 65002 ?
*>i 10.100.0.20/32 10.255.1.3 1011 100 0 65002 ?
* i 10.255.1.4 1021 100 0 65002 ?
*>i 10.100.0.21/32 10.255.1.3 1011 100 0 65002 ?
* i 10.255.1.4 1021 100 0 65002 ?
* i 10.255.1.15/32 10.255.1.4 11 100 0 65002 ?
*>i 10.255.1.3 0 100 0 65002 ?
* i 10.255.1.16/32 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.4 0 100 0 65002 ?
*>i 10.255.1.17/32 10.255.1.3 12 100 0 65002 ?
* i 10.255.1.4 22 100 0 65002 ?
*>i 10.255.1.18/32 10.255.1.3 13 100 0 65002 ?
* i 10.255.1.4 23 100 0 65002 ?
*>i 10.255.1.19/32 10.255.1.3 1012 100 0 65002 ?
* i 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.20/32 10.255.1.3 1012 100 0 65002 ?
* i 10.255.1.4 1022 100 0 65002 ?
*>i 10.255.1.21/32 10.255.1.3 1012 100 0 65002 ?
* i 10.255.1.4 1022 100 0 65002 ?
* i 10.255.1.103/32 10.255.1.4 21 100 0 65002 ?
*>i 10.255.1.3 11 100 0 65002 ?
*>i 10.255.1.104/32 10.255.1.3 12 100 0 65002 ?
* i 10.255.1.4 22 100 0 65002 ?
*> 172.0.0.0/8 172.18.253.2 332800 0 65005 ?
*> 172.18.0.0 172.18.253.2 0 0 65005 i
*>i 172.18.1.0/24 10.255.1.3 1 100 0 65002 ?
* i 10.255.1.4 1 100 0 65002 ?
*> 172.30.1.55/32 172.18.253.2 0 0 65005 ?
*> 172.30.1.56/32 172.18.253.2 409600 0 65005 ?
*> 172.30.1.57/32 172.18.253.2 435200 0 65005 ?
*> 172.30.1.107/32 172.18.253.2 409600 0 65005 ?


2.6 Section 2.6 Merge phase 1: BGP


Question:

Refer to the “Overall Scenario” and “Diagram 5: Merge Phase: 1”. Jameson’s and
Jacob’s started the first phase of their merge and added a new border router in their
respective main sites (R18 and R57).

Configure the network as per the following requirements:

• Interface Loopback 0 of both R18 and R57 must be added to their respective
IGP domain.
• Interface Eth0/1 of both R18 and R57 must peer with its connected IGP
neighbor.
• Both R18 and R57 must advertise a summary prefix via eBGP to each other as
follows:
R18 advertises 10.0.0.0/8
R57 advertises 172.0.0.0/8
• Both R18 and R57 must propagate the received summary prefix into their
respective IGP domain.

Solution:

R18
router bgp 65002
bgp router-id 10.255.1.18
nei 10.2.0.46 remote-as 65005
network 10.2.100.0 mask 255.255.255.0
aggregate-address 10.0.0.0 255.0.0.0
router ospf 1
redistribute bgp 65002 metric-type 1 subnets

R57
router bgp 65005
bgp router-id 172.30.1.57
neighbor 10.2.0.45 remote-as 65002
network 172.18.1.0 mask 255.255.255.0
aggregate-address 172.0.0.0 255.0.0.0
!
router eigrp 10
redistribute bgp 65005 metric 10000 100 255 1 1500


Verification:
R18#show bgp ipv4 uni summary
BGP router identifier 10.255.1.18, local AS number 65002
BGP table version is 5, main routing table version 5
4 network entries using 560 bytes of memory
4 path entries using 320 bytes of memory
4/4 BGP path/bestpath attribute entries using 576 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1480 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.2.0.46 4 65005 7 6 5 0 0 00:01:03 2

R18#show bgp ipv4 uni nei 10.2.0.46 advertised-routes
BGP table version is 5, local router ID is 10.255.1.18
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0 0.0.0.0 32768 i
*> 10.2.100.0/24 10.2.0.41 11 32768 i

Total number of prefixes 2


2.7 Section 2.7 Merge phase 2: IGP


Question:

Refer to “Diagram 2: Initial Topology” and “Diagram 6: Merge Phase 2”. Jameson’s
and Jacob’s are entering the second phase of the merge and have deployed two
new border routers in their respective core networks. Configure the core networks as
per the following requirements:

• R9 and R10 must run OSPF on their interfaces Eth0/0 and Loopback 0.
• R9 and R10 must run EIGRP on their interface Eth0/1.
• R53 and R54 must run EIGRP on all of their interfaces.
• Mutually redistribute EIGRP and OSPF on both R9 and R10.
• Avoid routing loops and ensure that all current and future prefixes are routed
via their optimal path. Do not use any access-list or prefix-list in order to
achieve this requirement.
• Do not change any administrative distance of any protocol in any router.

Solution:

R9
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
network 10.254.0.61 0.0.0.0

R10
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
network 10.254.0.65 0.0.0.0

R53
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
network 10.254.0.62 0.0.0.0

R54
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
network 10.254.0.66 0.0.0.0


R9/R10
router ospf 1
redistribute eigrp 1 subnets
route-map METRIC permit 10
match metric 10 +- 11
set metric 10000 100 255 1 1500
route-map METRIC permit 20
set metric 1000 100 255 1 1500
router eigrp JACOBS
address-family ipv4 unicast autonomous-system 1
topology base
redistribute ospf 1 route-map METRIC

R9/R10 Filtering
route-map TAG deny 10
match tag 172.172.172.172
route-map TAG permit 20
!
router ospf 1
distribute-list route-map TAG in

R53/R54
int e0/0
no shut
int e0/1
no shut

Verification:
R50#traceroute 10.255.1.8
Type escape sequence to abort.
Tracing the route to 10.255.1.8
VRF info: (vrf in name/id, vrf out name/id)
1 172.30.100.5 [MPLS: Label 22 Exp 0] 2 msec 1 msec 2 msec
2 10.254.0.65 [MPLS: Label 26 Exp 0] 2 msec 1 msec 2 msec
3 10.254.0.29 [MPLS: Label 28 Exp 0] 1 msec 1 msec 1 msec
4 10.254.0.26 2 msec * 5 msec


2.8 Section 2.8 Merge phase 2: Routing Policies


Question:

Refer to the “Overall Scenario”, “Diagram 2: Initial Topology” and “Diagram 6:
Merge Phase 2”. Configure the network as per the following requirements:

• Network managers have decided that the primary path for all traffic between
Jameson’s 10.2.100.0/24 and Jacob’s 172.18.1.0/24 must be routed
preferably via the BGP backdoor link between R18 and R57. If this link
should fail, then traffic should fall back over the MPLS core network.
• All other traffic must be routed preferably via the MPLS core network.
• Do not configure any route-map or access-list in order to achieve this
requirement.
• Ensure that the following test reveals the same path as shown below:
R101#traceroute 172.18.1.254 numeric
Type escape sequence to abort.
Tracing the route to 172.18.1.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.14 1 msec 2 msec 1 msec
3 10.2.0.42 2 msec 2 msec 1 msec
4 10.2.0.46 2 msec 2 msec 1 msec
5 172.18.2.254 2 msec * 3 msec

SW10#traceroute 10.2.100.253
Type escape sequence to abort.
Tracing the route to 10.2.100.253
VRF info: (vrf in name/id, vrf out name/id)
1 172.18.2.1 0 msec 1 msec 0 msec
2 10.2.0.45 2 msec 1 msec 1 msec
3 10.2.0.41 1 msec 1 msec 2 msec
4 10.2.100.253 3 msec * 2 msec

R101#traceroute 172.18.2.254
Type escape sequence to abort.
Tracing the route to 172.18.2.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 2 msec 1 msec
4 10.254.0.13 [MPLS: Labels 35/46 Exp 0] 2 msec 2 msec 2 msec
5 10.254.0.18 [MPLS: Labels 38/46 Exp 0] 3 msec 3 msec 2 msec
6 10.254.0.62 [MPLS: Labels 40/46 Exp 0] 2 msec 2 msec 3 msec
7 172.18.253.5 [MPLS: Label 46 Exp 0] 3 msec 3 msec 3 msec
8 172.18.253.6 2 msec 2 msec 3 msec
9 172.18.254.254 3 msec * 3 msec


Solution:

R51
router bgp 65006
bgp default local-preference 200

Explanation:

If you do not set local-preference 200 on R51, traffic from R101 cannot follow
the exact path shown in the output that the exam requires. R1 is the route reflector,
and it may choose R50 as the best path to Jacob’s headquarters network.

Verification:
R101#traceroute 172.18.1.254 numeric
Type escape sequence to abort.
Tracing the route to 172.18.1.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.14 1 msec 2 msec 1 msec
3 10.2.0.42 2 msec 2 msec 1 msec
4 10.2.0.46 2 msec 2 msec 1 msec
5 172.18.2.254 2 msec * 3 msec

SW10#traceroute 10.2.100.253
Type escape sequence to abort.
Tracing the route to 10.2.100.253
VRF info: (vrf in name/id, vrf out name/id)
1 172.18.2.1 0 msec 1 msec 0 msec
2 10.2.0.45 2 msec 1 msec 1 msec
3 10.2.0.41 1 msec 1 msec 2 msec
4 10.2.100.253 3 msec * 2 msec

R101#traceroute 172.18.2.254
Type escape sequence to abort.
Tracing the route to 172.18.2.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 2 msec 1 msec
4 10.254.0.13 [MPLS: Labels 35/46 Exp 0] 2 msec 2 msec 2 msec
5 10.254.0.18 [MPLS: Labels 38/46 Exp 0] 3 msec 3 msec 2 msec
6 10.254.0.62 [MPLS: Labels 40/46 Exp 0] 2 msec 2 msec 3 msec
7 172.18.253.5 [MPLS: Label 46 Exp 0] 3 msec 3 msec 3 msec
8 172.18.253.6 2 msec 2 msec 3 msec
9 172.18.254.254 3 msec * 3 msec


2.9 Section 2.9 IPv6 Routing, Part 1


Question:

Refer to “Diagram 2: Initial Topology”. Jameson’s started deploying IPv6 in dual-stack
mode in the datacenter. Configure Jameson’s datacenter network as per the
following requirements:

• Establish OSPFv3 adjacencies in Area 0 between SW3, SW4, R15 and R16.
• Do not use the command “ipv6 router ospf” anywhere in order to accomplish
the previous requirement.
• Interface VLAN 100 of SW3 must be configured with default route preference
set to “high”.
• Interface VLAN 100 of SW4 must be configured with default route preference
set to “medium”.
• The interval between Router Advertisement transmissions on VLAN 100 must
be set to 20 seconds on both SW3 and SW4.

Solution:

R15
router ospfv3 1
address-family ipv6 unicast
router-id 10.255.1.15
interface e0/0
ospfv3 1 ipv6 area 0
int e0/2
ospfv3 1 ipv6 area 0

R16
router ospfv3 1
address-family ipv6 unicast
router-id 10.255.1.16
int e0/0
ospfv3 1 ipv6 area 0
int e0/2
ospfv3 1 ipv6 area 0

SW3
router ospfv3 1
address-family ipv6 unicast
router-id 10.255.1.103
int loopback 0

ospfv3 1 ipv6 area 0
int vlan 153
ospfv3 1 ipv6 area 0
int vlan 100
ospfv3 1 ipv6 area 0
ipv6 nd ra interval 20
int vlan 34
ospfv3 1 ipv6 area 0
int vlan 100
ipv6 nd router-preference high

SW4
router ospfv3 1
address-family ipv6 unicast
router-id 10.255.1.104
int loopback 0
ospfv3 1 ipv6 area 0
int vlan 164
ospfv3 1 ipv6 area 0
int vlan 100
ospfv3 1 ipv6 area 0
ipv6 nd ra interval 20
int vlan 34
ospfv3 1 ipv6 area 0
int vlan 100
ipv6 nd router-preference medium

Verification:
R15#show ipv6 ospf ne

OSPFv3 Router with ID (10.255.1.15) (Process ID 1)

Neighbor ID Pri State Dead Time Interface ID Interface
10.255.1.103 1 FULL/DR 00:00:38 30 Ethernet0/2
10.255.1.16 1 FULL/DR 00:00:35 3 Ethernet0/0

SW3#show ipv6 os ne

OSPFv3 Router with ID (10.255.1.103) (Process ID 1)

Neighbor ID Pri State Dead Time Interface ID Interface
10.255.1.15 1 FULL/BDR 00:00:38 5 Vlan153
10.255.1.104 1 FULL/DR 00:00:39 22 Vlan100
10.255.1.104 1 FULL/DR 00:00:37 21 Vlan34

SW3#show ipv6 route
IPv6 Routing Table - default - 11 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
LC 2001:CC1E:BEEF:10:255:1:103:103/128 [0/0]
via Loopback0, receive
O 2001:CC1E:BEEF:10:255:1:104:104/128 [110/1]
via FE80::A8BB:CCFF:FE80:8000, Vlan100
via FE80::A8BB:CCFF:FE80:8000, Vlan34
C 2001:CC1E:BEEF:34::/64 [0/0]
via Vlan34, directly connected
L 2001:CC1E:BEEF:34:10:2:0:13/128 [0/0]
via Vlan34, receive
C 2001:CC1E:BEEF:100::/64 [0/0]
via Vlan100, directly connected
L 2001:CC1E:BEEF:100:10:2:1:253/128 [0/0]
via Vlan100, receive
C 2001:CC1E:BEEF:153::/64 [0/0]
via Vlan153, directly connected
L 2001:CC1E:BEEF:153:10:2:0:6/128 [0/0]
via Vlan153, receive
O 2001:CC1E:BEEF:156::/64 [110/11]
via FE80::A8BB:CCFF:FE00:D020, Vlan153
O 2001:CC1E:BEEF:164::/64 [110/2]
via FE80::A8BB:CCFF:FE80:8000, Vlan100
via FE80::A8BB:CCFF:FE80:8000, Vlan34
L FF00::/8 [0/0]
via Null0, receive

SW3#show ipv6 int vlan 100
Vlan100 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE80:6000 [UNA]
Virtual link-local address(es):
FE80:100::1 [OOD]
Global unicast address(es):
2001:CC1E:BEEF:100:10:2:1:253, subnet is 2001:CC1E:BEEF:100::/64
Joined group address(es):
FF02::1
FF02::2
FF02::5
FF02::6
FF02::66
FF02::1:FF00:1
FF02::1:FF01:253
FF02::1:FF80:6000
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 20 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is High
Hosts use stateless autoconfig for addresses.


2.10 Section 2.10 IPv6 Routing, Part 2


Question:

Configure Jameson’s datacenter network as per the following requirements:

• SW3 and SW4 must provide first-hop redundancy for hosts in VLAN 100 by
sharing the virtual link-local address FE80:100::1.
• SW3 must be elected as the active router and SW4 must be elected the
standby router.
• In case SW3 is down, SW4 must take over the active role. If SW3 comes
back online, it must automatically recover the active role from SW4.
• Ensure that HSRP Hello packets are exchanged every 10 seconds and that the
standby takes over the active role if three consecutive Hello packets were
missed from the active.

Solution:

SW3
int vlan 100
standby ver 2
standby 1 ipv6 fe80:100::1
standby 1 timers 10 30
standby 1 priority 105
standby 1 preempt

SW4
int vlan 100
standby version 2
standby 1 ipv6 fe80:100::1
standby 1 timers 10 30
standby 1 preempt

Verification:
SW3#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl100 1 105 P Active local FE80::A8BB:CCFF:FE80:8000
FE80:100::1
Vl100 2 95 P Active local 10.2.100.254 10.2.100.1

SW3#show standby
Vlan100 - Group 1 (version 2)
State is Active
2 state changes, last state change 00:01:41
Link-Local Virtual IPv6 address is FE80:100::1 (conf)
Active virtual MAC address is aabb.cc80.6000 (MAC In Use)
Local virtual MAC address is aabb.cc80.6000 (bia)
Hello time 10 sec, hold time 30 sec
Next hello sent in 5.824 secs
Preemption enabled
Active router is local
Standby router is FE80::A8BB:CCFF:FE80:8000, priority 100 (expires in
30.128 sec)
Priority 105 (configured 105)
Group name is "hsrp-Vl100-1" (default)
Vlan100 - Group 2 (version 2)
State is Active
2 state changes, last state change 00:01:39
Virtual IP address is 10.2.100.1
Active virtual MAC address is aabb.cc80.6000 (MAC In Use)
Local virtual MAC address is aabb.cc80.6000 (bia)
Hello time 10 sec, hold time 30 sec
Next hello sent in 2.624 secs
Preemption enabled
Active router is local
Standby router is 10.2.100.254, priority 90 (expires in 30.240 sec)
Priority 95 (configured 105)
Track object 1 state Down decrement 10
Group name is "hsrp-Vl100-2" (default)

2.11 Section 2.11 Multicast in Jameson’s


Question:

Refer to “Diagram 2: Initial Topology”.

An application running on SW3 (which is located in Jameson’s datacenter) uses
multicast to deliver specific traffic to users located in Jameson’s branch network.
Configure Jameson’s network as per the following requirements:

• Use PIM Sparse-mode.
• The interface Lo0 of R17 must be elected as the RP for the whole multicast
domain.
• R17 must announce its candidacy to advertise the group-to-RP mapping set
to the router link local address.
• For interoperability reasons, the selection of R17 as the RP must adhere to
open standard and must use the default priority value as per the standard.
• The source SW3 uses the group address 239.1.1.1 to send traffic to
interested receivers.
• Receivers are located in the branch network and they are connected to the
datacenter via DMVPN.
• Ensure that the following test is successful:

SW3#ping 239.1.1.1 source vlan 173
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.0.37

Reply to request 0 from 10.16.1.1, 29 ms
Reply to request 0 from 10.16.2.1, 33 ms
Reply to request 0 from 10.16.3.1, 30 ms

Solution:

R17
ip multicast-routing
int e0/1
ip pim sparse-mode
int l0
ip pim sparse-mode
int tunnel 0
ip pim sparse-mode
ip pim bsr-candidate loopback0
ip pim rp-candidate loopback 0

R19/20/21
ip multicast-routing
int tunnel 0
ip pim sparse-mode
int e0/1
ip pim sparse-mode
ip igmp join-group 239.1.1.1

Verification:
R17#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group,
G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
N - Received BGP Shared-Tree Prune, n - BGP C-Mroute suppressed,
Q - Received BGP S-A Route, q - Sent BGP S-A Route,
V - RD & Vector, v - Vector, p - PIM Joins on route
Outgoing interface flags: H - Hardware switched, A - Assert winner, p - PIM
Join
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.1.1.1), 00:00:50/stopped, RP 10.255.1.17, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel0, Forward/Sparse, 00:00:50/00:02:39

(10.2.0.37, 239.1.1.1), 00:00:40/00:02:19, flags: T
Incoming interface: Ethernet0/1, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel0, Forward/Sparse, 00:00:40/00:02:49

(*, 224.0.1.40), 00:01:45/00:02:09, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/1, Forward/Sparse, 00:01:45/00:02:09

SW3#ping 239.1.1.1 source vlan 173
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.0.37

Reply to request 0 from 10.16.1.1, 29 ms
Reply to request 0 from 10.16.2.1, 33 ms
Reply to request 0 from 10.16.3.1, 30 ms

3. SECTION 3 VPN Technology


3.1 Section 3.1 Jameson’s Branch Offices
Question:

Refer to “Diagram 2: Initial Topology”. Configure DMVPN Phase 3 in Jameson’s
branch network as per the following requirements:

Use the preconfigured interface Tunnel0 on all four routers in order to accomplish
this task.

• R17 must be configured as the hub router.
• R19, R20 and R21 must be the spoke routers and must participate in the
NHRP information exchange.
• Ensure that spoke-to-spoke traffic does not transit via the hub.
• Protect the tunneled traffic by attaching the preconfigured IPsec profile to the
tunnel interface on all tunnel end-points.
• Ensure that all spokes establish an OSPF adjacency through the tunnel with
the hub R17, without attempting to elect any Designated Router.
• Ensure that the following tests are successful:
R19#traceroute 10.16.2.1 source e0/1 numeric
Type escape sequence to abort.
Tracing the route to 10.16.2.1

VRF info: (vrf in name/id, vrf out name/id)
1 10.100.0.20 5 msec * 5 msec

R19#traceroute 10.16.3.1 source e0/1 numeric
Type escape sequence to abort.
Tracing the route to 10.16.3.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.100.0.21 5 msec * 6 msec

Solution:

R17
int tunnel 0
ip nhrp map multicast dynamic
ip nhrp network-id 12345
ip nhrp redirect
tunnel source e0/0
tunnel mode gre multipoint

R19/20/21
int tunnel 0
ip nhrp map multicast 192.0.2.2
ip nhrp map 10.100.0.1 192.0.2.2
ip nhrp nhs 10.100.0.1
ip nhrp network-id 12345
ip nhrp shortcut
tunnel source dialer1
tunnel mode gre multipoint

R17/19/20/21
int tunnel 0
tunnel protection ipsec profile DMVPNPROFILE

Verification:
R17#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.0.2.6 10.100.0.19 UP 02:17:23 D
1 192.0.2.10 10.100.0.20 UP 02:17:23 D
1 192.0.2.14 10.100.0.21 UP 02:17:23 D

R19#traceroute 10.16.2.1 source e0/1 numeric
Type escape sequence to abort.
Tracing the route to 10.16.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.100.0.20 5 msec * 5 msec

R19#traceroute 10.16.3.1 source e0/1 numeric
Type escape sequence to abort.
Tracing the route to 10.16.3.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.100.0.21 5 msec * 6 msec

3.2 Section 3.2 Jameson’s Pre-merge VPN


Question:

Refer to the “Overall Scenario” and “Diagram 4: Pre-merge Topology”. Jameson’s
decided to enable MPLS VPN in their network. They started configuring it but it is
your responsibility to complete it and verify that it is fully functional.

Configure Jameson’s network as per the following requirements:

• Enable LDP in the core network as indicated in “Diagram 4: Pre-merge
Topology”.
• Ensure that all LDP routers use their interface Loopback0 as their LDP router-id.
• R1 must reflect VPNv4 prefixes to all PE’s.
• The datacenter and main office network must be connected to the VPN
“GREEN” via eBGP.
• The headquarter network must be connected to the VPN “RED” via eBGP.
• All six PE’s must use a consistent format “ASN.nn” for the VPN route-distinguisher,
where:
o ASN is the Autonomous System Number of the connected CE
o nn is any relevant number for the VPN site.
• Ensure that R101 in the datacenter’s VLAN 100 can successfully ping SW2 in
the main office as shown below:
R101#traceroute 10.1.1.254
Type escape sequence to abort.
Tracing the route to 10.1.1.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 1 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 1 msec 1 msec
4 10.254.0.13 [MPLS: Labels 29/44 Exp 0] 2 msec 3 msec 2 msec
5 10.254.0.53 [MPLS: Label 44 Exp 0] 2 msec 1 msec 2 msec
6 10.254.0.54 2 msec 3 msec 2 msec
7 10.1.254.254 3 msec * 4 msec

R101#traceroute 10.3.1.254
Type escape sequence to abort.
Tracing the route to 10.3.1.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 1 msec 1 msec 0 msec
2 10.2.0.5 1 msec 1 msec 2 msec
3 10.254.0.73 1 msec 1 msec 2 msec
4 10.254.0.13 [MPLS: Labels 27/43 Exp 0] 2 msec 2 msec 2 msec
5 10.254.0.41 [MPLS: Label 43 Exp 0] 2 msec 2 msec 2 msec
6 10.254.0.42 2 msec 2 msec 1 msec
7 10.3.254.254 2 msec * 5 msec

Solution:

R1/R2
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
!
int range e0/0-3
mpls ip
int e1/0
mpls ip

R3/R4
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
int range e0/0, e0/2
mpls ip

R5/R6
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
int range e0/0-1

mpls ip

R7/R8
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
int e0/3
mpls ip

R9/R10 (as P router)
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
int range e0/0-1
mpls ip

R1
router bgp 65001
address-family vpnv4
nei IBGP route-reflector-client
nei 10.255.1.3 activate
nei 10.255.1.4 activate
nei 10.255.1.5 activate
nei 10.255.1.6 activate
nei 10.255.1.7 activate
nei 10.255.1.8 activate

R3, R4, R5, R6, R7, R8 //R2 is a P router, so do not configure VPNv4 on it
router bgp 65001
address-family vpnv4
nei 10.255.1.1 act

R3 //configure route-targets in the VRF to import and export routes
ip vrf GREEN
rd 65002:15
route-target export 65002:1516
route-target import 65002:1112
route-target import 65002:1314
route-target import 65005:5556
route-target import 65007:58


Explanation:

Check with “show ip bgp vpnv4 all”.

An interesting point: without a route-target, the router still sends all of its routes, but they are
not received into the VRF table on the other PEs. R3 sends the update to R1 and R1 advertises it to R5,
but R5 does not insert it into its VRF routing table. Check the “send-community both” setting again.
R1 receives and understands the RD even though no RD or RT is configured on it; verify with
“show ip bgp vpnv4 all”.

R4
ip vrf GREEN
rd 65002:16
route-target export 65002:1516
route-target import 65002:1112
route-target import 65002:1314
route-target import 65005:5556
route-target import 65007:58

R5
ip vrf GREEN
rd 65002:13
route-target export 65002:1314
route-target import 65002:1516

R6
ip vrf GREEN
rd 65002:14
route-target export 65002:1314
route-target import 65002:1516

R7
ip vrf RED
rd 65002:11
route-target export 65002:1112
route-target import 65002:1516

R8
ip vrf RED
rd 65002:12
route-target export 65002:1112
route-target import 65002:1516
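
The import/export relationships configured above can be checked mechanically before relying on them for isolation between VPNs. The following is an added example, not part of the workbook: it parses the “ip vrf” stanzas of R3 to R8 (re-typed below as a constructed sample) and reports which PE installs which PE's VPNv4 routes, which of those pairs cross VRF names, and which imported route-targets none of the listed PEs exports. The function names are illustrative, and the parser also accepts “route-target both”, which the workbook does not use.

```python
import re

# Constructed sample: the "ip vrf" stanzas from the section 3.2 solution,
# each preceded by the router name on its own line, as the workbook prints them.
SAMPLE = """\
R3
ip vrf GREEN
rd 65002:15
route-target export 65002:1516
route-target import 65002:1112
route-target import 65002:1314
route-target import 65005:5556
route-target import 65007:58
R4
ip vrf GREEN
rd 65002:16
route-target export 65002:1516
route-target import 65002:1112
route-target import 65002:1314
route-target import 65005:5556
route-target import 65007:58
R5
ip vrf GREEN
rd 65002:13
route-target export 65002:1314
route-target import 65002:1516
R6
ip vrf GREEN
rd 65002:14
route-target export 65002:1314
route-target import 65002:1516
R7
ip vrf RED
rd 65002:11
route-target export 65002:1112
route-target import 65002:1516
R8
ip vrf RED
rd 65002:12
route-target export 65002:1112
route-target import 65002:1516
"""


def parse_vrfs(text):
    """Return {(router, vrf): {"rd": str, "export": set, "import": set}}."""
    vrfs, router, cur = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"(R|SW)\d+", line):            # router header line
            router, cur = line, None
        elif m := re.fullmatch(r"ip vrf (\S+)", line):  # start of a VRF stanza
            cur = vrfs.setdefault((router, m.group(1)),
                                  {"rd": None, "export": set(), "import": set()})
        elif cur is None:
            continue                                    # outside any VRF stanza
        elif m := re.fullmatch(r"rd (\S+)", line):
            cur["rd"] = m.group(1)
        elif m := re.fullmatch(r"route-target (export|import|both) (\S+)", line):
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                cur[kind].add(m.group(2))
    return vrfs


def installs(vrfs):
    """(receiver, sender) pairs where the receiver imports an RT the sender exports."""
    return {(r, s) for r, rv in vrfs.items() for s, sv in vrfs.items()
            if r != s and rv["import"] & sv["export"]}


def cross_vrf(vrfs):
    """Subset of installs() where the two VRF names differ (routes cross VPNs)."""
    return {(r, s) for r, s in installs(vrfs) if r[1] != s[1]}


def dangling_imports(vrfs):
    """Imported RTs that no parsed VRF exports, keyed by (router, vrf)."""
    exported = set().union(*(v["export"] for v in vrfs.values()))
    return {k: v["import"] - exported
            for k, v in vrfs.items() if v["import"] - exported}


if __name__ == "__main__":
    parsed = parse_vrfs(SAMPLE)
    for r, s in sorted(installs(parsed)):
        note = "  <-- crosses VRF names" if r[1] != s[1] else ""
        print(f"{r[0]}/{r[1]} installs routes from {s[0]}/{s[1]}{note}")
    for (router, vrf), rts in sorted(dangling_imports(parsed).items()):
        print(f"{router}/{vrf} imports RTs that no listed PE exports: {sorted(rts)}")
```

On this input R5 never installs R7's routes, because R5 imports only 65002:1516, which is the behaviour the explanation above describes. The RTs 65005:5556 and 65007:58 are reported because none of the six PEs in this section exports them.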


Verification:
R101#traceroute 10.1.1.254
Type escape sequence to abort.
Tracing the route to 10.1.1.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 1 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 1 msec 1 msec
4 10.254.0.13 [MPLS: Labels 29/44 Exp 0] 2 msec 3 msec 2 msec
5 10.254.0.53 [MPLS: Label 44 Exp 0] 2 msec 1 msec 2 msec
6 10.254.0.54 2 msec 3 msec 2 msec
7 10.1.254.254 3 msec * 4 msec

R101#traceroute 10.3.1.254
Type escape sequence to abort.
Tracing the route to 10.3.1.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 1 msec 1 msec 0 msec
2 10.2.0.5 1 msec 1 msec 2 msec
3 10.254.0.73 1 msec 1 msec 2 msec
4 10.254.0.13 [MPLS: Labels 27/43 Exp 0] 2 msec 2 msec 2 msec
5 10.254.0.41 [MPLS: Label 43 Exp 0] 2 msec 2 msec 2 msec
6 10.254.0.42 2 msec 2 msec 1 msec
7 10.3.254.254 2 msec * 5 msec

3.3 Section 3.3 Merge Phase 2: VPN


Question:

Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”. Jameson’s and
Jacob’s are entering the second phase of the merge and have deployed two new
border routers in their respective core networks. Configure the network as per the
following requirements:

• The BGP AS number of Jacob’s original core network must be converted to
use Jameson’s AS number 65001, as indicated in “Diagram 6: Merge Phase
2”.
• All BGP sessions between Jacob’s core and remote sites (including
headquarters and office networks) must be recovered using the new AS
number.
• Do not modify the BGP configuration of Jacob’s CEs (R55, R56, R58) in order
to accomplish this requirement.
• Enable LDP in the merged core network as indicated in “Diagram 6: Merge
Phase 2”, including the four new border routers (R9, R10, R53, R54) and
Jacob’s core network.
• Ensure that all LDP routers use their interface Loopback0 as their LDP router-id.
• R1 must reflect VPNv4 prefixes to all PE’s, including to Jacob’s PE.
• Jacob’s headquarters network must be added to the VPN GREEN.
• Jacob’s office network must be added to the VPN BLUE.
• All nine PE’s must use a consistent format “ASN.nn” for the VPN route
distinguisher, where:
o ASN is the Autonomous System Number of the connected CE
o nn is any relevant number

Solution:

R50/51/52 //as PE role


ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id l0
int e0/0
mpls ip

R53/54 //as P role


ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
interface range e0/0-1
mpls ip

R50/51/52
router bgp 65006
no bgp default ipv4-unicast
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 local-as 65001
nei 10.255.1.1 update-source l0
address-family ipv4
nei 10.255.1.1 act
address-family vpnv4
nei 10.255.1.1 act

R1
router bgp 65001
no bgp default ipv4-unicast
nei 172.30.1.50 peer-group IBGP
nei 172.30.1.51 peer-group IBGP
nei 172.30.1.52 peer-group IBGP
address-family ipv4
nei 172.30.1.50 act
nei 172.30.1.51 act
nei 172.30.1.52 act
address-family vpnv4
nei 172.30.1.50 act
nei 172.30.1.51 act
nei 172.30.1.52 act

R50
ip vrf GREEN
rd 65005:55
route-target export 65005:5556
route-target import 65002:1516

R51
ip vrf GREEN
rd 65005:56
route-target export 65005:5556
route-target import 65002:1516

R52
ip vrf BLUE
rd 65007:58
route-target export 65007:58
route-target import 65002:1516

Version 1.6.1 (updated CCIE4career.com)

Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”. Jameson’s and
Jacob’s are entering in the second phase of the merge and have deployed two new
border routers in their respective core network. Configure the network as per the
following requirements:

• PE routers in the JACOBS location should not contain AS65001 in the BGP
NLRI
• Do not modify the BGP configuration of Jacob’s CEs (R55, R56, R58) in order
to accomplish this requirement.
• Enable LDP in the merged core network as indicated in “Diagram 6: Merge
Phase 2”, including the four new border routers (R9, R10, R53, R54) and
Jacob’s core network.
• Ensure that all LDP routers use their interface Loopback0 as their LDP
router-id.
• R1 must reflect VPNv4 prefixes to all PEs, including to Jacob’s PE.
• Jacob’s headquarters network must be added to the VPN GREEN.
• Jacob’s office network must be added to the VPN BLUE.
• All nine PEs must use a consistent format “ASN.nn” for the VPN route
distinguisher, where:
o ASN is the Autonomous System Number of the connected CE
o nn is any relevant number

Note:

The difference in this section between version 1.6.1 and version 1.6:

In Version 1.6.1:

• PE routers in the JACOBS location should not contain AS65001 in the BGP
NLRI

In Version 1.6:

• The BGP AS number of Jacob’s original core network must be converted to
use Jameson’s AS number 65001, as indicated in “Diagram 6: Merge Phase 2”.
• All BGP sessions between Jacob’s core and remote sites (including
headquarters and office networks) must be recovered using the new AS
number.

Solution:

Exactly the same:

R50/51/52 //as PE role


ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id l0
int e0/0
mpls ip

R53/54 //as P role


ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
interface range e0/0-1
mpls ip

R50/51/52
router bgp 65006
no bgp default ipv4-unicast
nei 10.255.1.1 remote-as 65001
nei 10.255.1.1 local-as 65001
nei 10.255.1.1 update-source l0
address-family ipv4
nei 10.255.1.1 act
address-family vpnv4
nei 10.255.1.1 act

R1
router bgp 65001
no bgp default ipv4-unicast
nei 172.30.1.50 peer-group IBGP
nei 172.30.1.51 peer-group IBGP
nei 172.30.1.52 peer-group IBGP
address-family ipv4
nei 172.30.1.50 act
nei 172.30.1.51 act
nei 172.30.1.52 act
address-family vpnv4
nei 172.30.1.50 act
nei 172.30.1.51 act
nei 172.30.1.52 act

R50
ip vrf GREEN
rd 65005:55
route-target export 65005:5556
route-target import 65002:1516

R51
ip vrf GREEN
rd 65005:56
route-target export 65005:5556
route-target import 65002:1516

R52
ip vrf BLUE
rd 65007:58
route-target export 65007:58
route-target import 65002:1516


Verification:
R50#show bgp vpnv4 uni all
BGP table version is 156, local router ID is 172.30.1.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


Route Distinguisher: 65002:15
*>i 0.0.0.0 10.255.1.3 0 100 0 65002 i
*>i 10.0.0.0 10.255.1.3 0 100 0 65002 i
Route Distinguisher: 65002:16
*>i 0.0.0.0 10.255.1.4 0 100 0 65002 i
*>i 10.0.0.0 10.255.1.4 0 100 0 65002 i
Route Distinguisher: 65005:55 (default for vrf JACOBSCORP)
* i 0.0.0.0 10.255.1.4 0 100 0 65002 i
*>i 10.255.1.3 0 100 0 65002 i
* i 10.0.0.0 10.255.1.4 0 100 0 65002 i
*>i 10.255.1.3 0 100 0 65002 i
*> 172.0.0.0/8 172.18.253.2 332800 0 65005 ?
*>i 172.17.1.0/24 172.30.1.52 281856 100 0 65007 ?
*>i 172.17.254.0/24 172.30.1.52 0 100 0 65007 ?
*> 172.18.2.0/24 172.18.253.2 307200 0 65005 ?
*> 172.18.254.0/24 172.18.253.2 0 0 65005 ?
*> 172.30.1.55/32 172.18.253.2 0 0 65005 ?
*> 172.30.1.56/32 172.18.253.2 409600 0 65005 ?
*> 172.30.1.57/32 172.18.253.2 435200 0 65005 ?
*>i 172.30.1.58/32 172.30.1.52 0 100 0 65007 ?
*> 172.30.1.107/32 172.18.253.2 409600 0 65005 ?
*>i 172.30.1.108/32 172.30.1.52 409600 100 0 65007 ?
Route Distinguisher: 65005:58
*>i 172.17.1.0/24 172.30.1.52 281856 100 0 65007 ?
*>i 172.17.254.0/24 172.30.1.52 0 100 0 65007 ?
*>i 172.30.1.58/32 172.30.1.52 0 100 0 65007 ?
*>i 172.30.1.108/32 172.30.1.52 409600 100 0 65007 ?

R1#show bgp vpnv4 uni all summary


BGP router identifier 10.255.1.1, local AS number 65001
BGP table version is 235, main routing table version 235
70 network entries using 10640 bytes of memory
70 path entries using 5600 bytes of memory
32/32 BGP path/bestpath attribute entries using 4864 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
5 BGP extended community entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 21296 total bytes of memory
BGP activity 83/13 prefixes, 83/13 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.1.3 4 65001 201 345 235 0 0 02:15:34 20
10.255.1.4 4 65001 201 344 235 0 0 02:15:30 20
10.255.1.5 4 65001 167 344 235 0 0 02:15:28 4
10.255.1.6 4 65001 167 342 235 0 0 02:15:24 4
10.255.1.7 4 65001 167 344 235 0 0 02:15:18 4
10.255.1.8 4 65001 166 345 235 0 0 02:15:16 4
172.30.1.50 4 65001 157 306 235 0 0 02:03:42 6
172.30.1.51 4 65001 163 497 235 0 0 02:03:40 6
172.30.1.52 4 65001 147 307 235 0 0 02:03:40 2

R1#show bgp vpnv4 uni all


BGP table version is 235, local router ID is 10.255.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


Route Distinguisher: 65002:11
*>i 10.1.0.0/16 10.255.1.7 0 100 0 65002 i
*>i 10.255.1.11/32 10.255.1.7 0 100 0 65002 ?
*>i 10.255.1.12/32 10.255.1.7 11 100 0 65002 ?
*>i 10.255.1.101/32 10.255.1.7 11 100 0 65002 ?
Route Distinguisher: 65002:12
*>i 10.1.0.0/16 10.255.1.8 0 100 0 65002 i
*>i 10.255.1.11/32 10.255.1.8 11 100 0 65002 ?
*>i 10.255.1.12/32 10.255.1.8 0 100 0 65002 ?
*>i 10.255.1.101/32 10.255.1.8 11 100 0 65002 ?
Route Distinguisher: 65002:13
*>i 10.3.0.0/16 10.255.1.5 0 100 0 65002 i
*>i 10.255.1.13/32 10.255.1.5 0 100 0 65002 ?
*>i 10.255.1.14/32 10.255.1.5 11 100 0 65002 ?
*>i 10.255.1.102/32 10.255.1.5 11 100 0 65002 ?
Route Distinguisher: 65002:14
*>i 10.3.0.0/16 10.255.1.6 0 100 0 65002 i
*>i 10.255.1.13/32 10.255.1.6 11 100 0 65002 ?
*>i 10.255.1.14/32 10.255.1.6 0 100 0 65002 ?
*>i 10.255.1.102/32 10.255.1.6 11 100 0 65002 ?
Route Distinguisher: 65002:15
*>i 0.0.0.0 10.255.1.3 1 100 0 65002 ?
*>i 10.0.0.0 10.255.1.3 1 100 0 65002 ?
*>i 10.2.0.0/16 10.255.1.3 0 100 0 65002 i
*>i 10.16.1.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.16.2.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.16.3.0/24 10.255.1.3 1021 100 0 65002 ?
*>i 10.100.0.1/32 10.255.1.3 11 100 0 65002 ?
*>i 10.100.0.19/32 10.255.1.3 1011 100 0 65002 ?

***Big note: if the RT is not defined, or the wrong RT is defined, the PE does
not receive the VPNv4 routes from the other PE.

3.4 Section 3.4 Inter-VPN Routing


Question:

Refer to the “Overall Scenario” and “Diagram 6: Merge Phase 2”. Configure the
network as per the following requirements:

• Jameson’s headquarters (VPN RED), main office (VPN GREEN) and Jacob’s
office (VPN BLUE) must receive datacenter prefixes (VPN GREEN).
• Jameson’s main office (VPN GREEN) may not receive prefixes from Jacob
(headquarters (VPN RED) prefixes and Office (VPN GREEN) prefixes).
• In order to simplify future changes, your solution may not be limited to
specific prefixes.

Solution:

R7/R8
ip vrf RED
route-target import 65002:1516

R50/51
ip vrf GREEN
route-target import 65002:1516

R52
ip vrf BLUE
route-target import 65002:1516
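
The route-target filtering behind the big note in section 3.3 and the imports in section 3.4, as an added example that is not part of the workbook: it models each VRF's export and import lists and audits the section 3.4 requirements. The label `DC` for the datacenter PE and its export RT 65002:1516 are assumptions (only the tail of that VRF's import list is visible in this part of the workbook), and the mistyped RT used to exercise it is constructed.

```python
"""Route-target filtering between the VRFs configured in sections 3.3 and 3.4."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vrf:
    pe: str                # router that holds the VRF
    name: str              # VRF name
    export: frozenset      # RTs attached to the routes this VRF exports
    imports: frozenset     # RTs this VRF accepts


def vrf(pe, name, export, imports):
    return Vrf(pe, name, frozenset(export), frozenset(imports))


# Route targets as configured in the workbook's solutions.
VRFS = [
    vrf("R5", "GREEN", ["65002:1314"], ["65002:1516"]),
    vrf("R6", "GREEN", ["65002:1314"], ["65002:1516"]),
    vrf("R7", "RED", ["65002:1112"], ["65002:1516"]),
    vrf("R8", "RED", ["65002:1112"], ["65002:1516"]),
    vrf("R50", "GREEN", ["65005:5556"], ["65002:1516"]),
    vrf("R51", "GREEN", ["65005:5556"], ["65002:1516"]),
    vrf("R52", "BLUE", ["65007:58"], ["65002:1516"]),
    # ASSUMPTION: "DC" is a placeholder for the datacenter PE. Its export RT is
    # inferred from every other VRF importing 65002:1516. Only the import lines
    # visible in this part of the workbook are listed, so its row may be incomplete.
    vrf("DC", "GREEN", ["65002:1516"],
        ["65002:1314", "65005:5556", "65007:58"]),
]

JACOBS_PES = ("R50", "R51", "R52")


def installs(importer, exporter):
    """A VPNv4 route enters a VRF only if it carries an RT the VRF imports."""
    return bool(importer.imports & exporter.export)


def import_matrix(vrfs):
    """Map each PE to the PEs whose exported routes it installs."""
    return {v.pe: sorted(o.pe for o in vrfs if o.pe != v.pe and installs(v, o))
            for v in vrfs}


def with_imports(vrfs, pe, imports):
    """Copy of the design with one PE's import list replaced (e.g. a typo)."""
    return [replace(v, imports=frozenset(imports)) if v.pe == pe else v
            for v in vrfs]


def audit(vrfs):
    """List violations of the section 3.4 requirements."""
    matrix = import_matrix(vrfs)
    problems = []
    # RED (R7/R8), Jameson's GREEN (R5/R6) and BLUE (R52) need datacenter routes.
    for pe in ("R5", "R6", "R7", "R8", "R52"):
        if "DC" not in matrix[pe]:
            problems.append(f"{pe}: no datacenter routes imported")
    # Jameson's main office must not learn Jacob's prefixes.
    for pe in ("R5", "R6"):
        leaked = [p for p in matrix[pe] if p in JACOBS_PES]
        if leaked:
            problems.append(f"{pe}: imports Jacob's routes from {', '.join(leaked)}")
    return problems


if __name__ == "__main__":
    for pe, sources in import_matrix(VRFS).items():
        print(f"{pe:>4} installs routes from: {', '.join(sources) or 'nobody'}")
    print("audit:", audit(VRFS) or "all section 3.4 requirements met")
    typo = with_imports(VRFS, "R52", ["65002:1561"])   # constructed wrong RT
    print("after typo on R52:", audit(typo))
```

Because the filter works on route targets rather than prefixes, a single mistyped import silently empties the VRF, which is the failure the big note describes.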

Verification:
R11#show bgp ipv4 uni
BGP table version is 56, local router ID is 10.255.1.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


* i 0.0.0.0 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.0.0.0 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
*> 10.1.0.0/16 0.0.0.0 32768 i
* i 10.255.1.12 0 100 0 i
s> 10.1.1.0/24 10.1.254.254 11 32768 ?
s> 10.1.254.0/24 0.0.0.0 0 32768 ?
* i 10.2.0.0/16 10.255.1.12 0 100 0 65001 65001 i
*> 10.254.0.53 0 65001 65001 i
* i 10.16.1.0/24 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.16.2.0/24 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
Network Next Hop Metric LocPrf Weight Path
* i 10.16.3.0/24 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.100.0.1/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.100.0.19/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.100.0.20/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.100.0.21/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
*> 10.255.1.11/32 0.0.0.0 0 32768 ?
* i 10.255.1.12 11 100 0 ?
*> 10.255.1.12/32 10.1.254.2 11 32768 ?
* i 10.255.1.12 0 100 0 ?
* i 10.255.1.15/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.16/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.17/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.18/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
Network Next Hop Metric LocPrf Weight Path
* i 10.255.1.19/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.20/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.21/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
*> 10.255.1.101/32 10.1.254.254 11 32768 ?
* i 10.255.1.12 11 100 0 ?
* i 10.255.1.103/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 10.255.1.104/32 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?
* i 172.18.1.0/24 10.255.1.12 0 100 0 65001 65001 ?
*> 10.254.0.53 0 65001 65001 ?

R11#show ip route bgp


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.254.0.53 to network 0.0.0.0

B* 0.0.0.0/0 [20/0] via 10.254.0.53, 02:10:08


10.0.0.0/8 is variably subnetted, 27 subnets, 5 masks
B 10.0.0.0/8 [20/0] via 10.254.0.53, 02:10:08
B 10.1.0.0/16 [200/0] via 0.0.0.0, 03:13:02, Null0
B 10.2.0.0/16 [20/0] via 10.254.0.53, 02:10:08
B 10.16.1.0/24 [20/0] via 10.254.0.53, 02:10:08
B 10.16.2.0/24 [20/0] via 10.254.0.53, 02:10:08
B 10.16.3.0/24 [20/0] via 10.254.0.53, 02:10:08
B 10.100.0.1/32 [20/0] via 10.254.0.53, 02:10:08
B 10.100.0.19/32 [20/0] via 10.254.0.53, 02:10:08
B 10.100.0.20/32 [20/0] via 10.254.0.53, 02:10:08
B 10.100.0.21/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.15/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.16/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.17/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.18/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.19/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.20/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.21/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.103/32 [20/0] via 10.254.0.53, 02:10:08
B 10.255.1.104/32 [20/0] via 10.254.0.53, 02:10:08
172.18.0.0/24 is subnetted, 1 subnets
B 172.18.1.0 [20/0] via 10.254.0.53, 01:24:39

R13#show bgp ipv4 uni


BGP table version is 57, local router ID is 10.255.1.13
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path


* i 0.0.0.0 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.0.0.0 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.2.0.0/16 10.255.1.14 0 100 0 65001 65001 i
*> 10.254.0.41 0 65001 65001 i
*> 10.3.0.0/16 0.0.0.0 32768 i
* i 10.255.1.14 0 100 0 i
s> 10.3.1.0/24 10.3.254.254 11 32768 ?
s> 10.3.254.0/24 0.0.0.0 0 32768 ?
* i 10.16.1.0/24 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.16.2.0/24 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.16.3.0/24 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.100.0.1/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.100.0.19/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.100.0.20/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.100.0.21/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.13/32 10.255.1.14 11 100 0 ?
*> 0.0.0.0 0 32768 ?
* i 10.255.1.14/32 10.255.1.14 0 100 0 ?
*> 10.3.254.2 11 32768 ?
* i 10.255.1.15/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.16/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.17/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.18/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.19/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.20/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.21/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.102/32 10.255.1.14 11 100 0 ?
*> 10.3.254.254 11 32768 ?
* i 10.255.1.103/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 10.255.1.104/32 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?
* i 172.18.1.0/24 10.255.1.14 0 100 0 65001 65001 ?
*> 10.254.0.41 0 65001 65001 ?

R13#show ip route bgp


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.254.0.41 to network 0.0.0.0

B* 0.0.0.0/0 [20/0] via 10.254.0.41, 02:11:32


10.0.0.0/8 is variably subnetted, 27 subnets, 5 masks
B 10.0.0.0/8 [20/0] via 10.254.0.41, 02:11:32
B 10.2.0.0/16 [20/0] via 10.254.0.41, 02:11:32
B 10.3.0.0/16 [200/0] via 0.0.0.0, 03:12:54, Null0
B 10.16.1.0/24 [20/0] via 10.254.0.41, 02:11:32
B 10.16.2.0/24 [20/0] via 10.254.0.41, 02:11:32
B 10.16.3.0/24 [20/0] via 10.254.0.41, 02:11:32
B 10.100.0.1/32 [20/0] via 10.254.0.41, 02:11:32
B 10.100.0.19/32 [20/0] via 10.254.0.41, 02:11:32
B 10.100.0.20/32 [20/0] via 10.254.0.41, 02:11:32
B 10.100.0.21/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.15/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.16/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.17/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.18/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.19/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.20/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.21/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.103/32 [20/0] via 10.254.0.41, 02:11:32
B 10.255.1.104/32 [20/0] via 10.254.0.41, 02:11:32
172.18.0.0/24 is subnetted, 1 subnets
B 172.18.1.0 [20/0] via 10.254.0.41, 01:25:34


4. SECTION 4 Infrastructure Security


4.1 Section 4.1 Device Security
Question:

Refer to “Diagram 1: Initial Topology”.

Configure the network as per the following requirements:

• Protect R17’s control-plane from TTL expiry attacks so that IP packets
with a TTL of 0 or 1 are dropped before the CPU processes them.
• Legitimate packets include expected control protocols running on the link.

Solution:

R17
ip access-list extended TTL
deny ospf any any
deny tcp any any eq bgp
deny tcp any eq bgp any
deny pim any any
deny esp any any
deny gre any any
deny udp any any eq 500
deny udp any any eq 4500
permit ip any any ttl eq 0
permit ip any any ttl eq 1
class-map match-all TTL
match access-group name TTL

policy-map TTL
class TTL
drop
!
Control-plane
service-policy input TTL

Verification:
R17#show ip access-lists TTL
Extended IP access list TTL
10 deny ospf any any (1762 matches)
20 deny tcp any any eq bgp (275 matches)
30 deny tcp any eq bgp any
40 deny pim any any (683 matches)
50 deny esp any any
60 deny gre any any (17 matches)
70 deny udp any any eq isakmp (15 matches)
80 deny udp any any eq non500-isakmp
90 permit ip any any ttl eq 0
100 permit ip any any ttl eq 1 (217 matches)

R17#show policy-map control-plane


Control Plane

Service-policy input: TTL

Class-map: TTL (match-all)


217 packets, 6920 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name TTL
drop

Class-map: class-default (match-any)


3773 packets, 365532 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
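
How the ACL `TTL` classifies packets under the control-plane policy, as an added example that is not part of the workbook: a `deny` entry keeps a packet out of class `TTL` (so it reaches class-default and the CPU), while a `permit` entry puts it in the class, where it is dropped. The `Packet` and `Ace` types and all sample packets are constructed for illustration.

```python
"""First-match evaluation of ACL TTL as used by class-map TTL in section 4.1."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str             # "ospf", "tcp", "udp", "icmp", "pim", "esp", "gre"
    ttl: int
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    sport: Optional[int] = None    # None means "any"
    dport: Optional[int] = None
    ttl: Optional[int] = None

    def matches(self, p):
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.ttl is None or self.ttl == p.ttl))


# The entries of "ip access-list extended TTL", in the order of the solution.
ACL_TTL = [
    Ace("deny", "ospf"),
    Ace("deny", "tcp", dport=179),     # eq bgp as destination port
    Ace("deny", "tcp", sport=179),     # eq bgp as source port
    Ace("deny", "pim"),
    Ace("deny", "esp"),
    Ace("deny", "gre"),
    Ace("deny", "udp", dport=500),     # isakmp
    Ace("deny", "udp", dport=4500),    # non500-isakmp
    Ace("permit", "ip", ttl=0),
    Ace("permit", "ip", ttl=1),
]


def copp_verdict(acl, packet):
    """Return (verdict, sequence number of the matching entry or None).

    The first matching entry decides. permit means the packet is in class TTL
    and the policy-map drops it; deny or no match leaves it to class-default.
    """
    for index, ace in enumerate(acl, start=1):
        if ace.matches(packet):
            verdict = "drop" if ace.action == "permit" else "class-default"
            return verdict, index * 10     # IOS numbers entries 10, 20, 30, ...
    return "class-default", None           # implicit deny at the end of the ACL


# Constructed sample packets arriving at the control plane.
SAMPLES = {
    "OSPF hello, TTL 1": Packet("ospf", 1),
    "BGP to port 179, TTL 1": Packet("tcp", 1, sport=40000, dport=179),
    "IKE, TTL 1": Packet("udp", 1, sport=500, dport=500),
    "UDP probe expiring here, TTL 1": Packet("udp", 1, sport=50000, dport=33434),
    "ICMP echo, TTL 0": Packet("icmp", 0),
    "ICMP echo, TTL 64": Packet("icmp", 64),
}

# Same entries with the two permit lines moved to the top: a broken ordering.
PERMIT_FIRST = ACL_TTL[8:] + ACL_TTL[:8]

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:32} {copp_verdict(ACL_TTL, pkt)}")
    print("OSPF hello with permits first:",
          copp_verdict(PERMIT_FIRST, SAMPLES["OSPF hello, TTL 1"]))
```

The last line shows why the exemptions must precede the `ttl eq` entries: with the permits first, an OSPF hello sent with TTL 1 would be dropped and the adjacency would fail.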

4.2 Network Security


Question:

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial
Topology”.

Configure the network as per the following requirements:

• SW5 and SW6 must filter DHCP messages received from untrusted hosts by
comparing the source MAC address and the DHCP client hardware address. If
the addresses match, the switches must forward the packet. If the addresses
do not match, the switches must drop the packet.
• Ensure that these access switches do not filter DHCP packets on their
uplinks.
• Ensure that the DHCP relay switches (refer to item 5.1) allow DHCP messages
received on their interface VLAN 100 with the added Option 82 and
uninitialized GIADDR field to be accepted.

Solution:

SW5
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option
interface port-channel 35
ip dhcp snooping trust

SW6
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option
interface port-channel 46
ip dhcp snooping trust

Verification:
SW6#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100
DHCP snooping is operational on following VLANs:
100
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled


circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.9000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)


----------------------- ------- ------------ ----------------
Ethernet1/0 yes yes unlimited
Custom circuit-ids:
Ethernet1/1 yes yes unlimited
Custom circuit-ids:
Ethernet1/2 yes yes unlimited
Custom circuit-ids:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
Port-channel46 yes yes unlimited
Custom circuit-ids:
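
The checks this section relies on, applied to raw frames, as an added example that is not part of the workbook: the hwaddr, giaddr and Option 82 tests a snooping switch runs on an untrusted port, and the relay-side test that `ip dhcp relay information trusted` relaxes. The frame builder, the function names, the spoofed MAC and the Option 82 payload are constructed for illustration.

```python
"""DHCP snooping and relay checks from section 4.2, applied to constructed frames."""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie after the 236-byte BOOTP header
ZERO_IP = bytes(4)


def build_discover(src_mac, chaddr, giaddr="0.0.0.0", option82=b""):
    """Build a constructed Ethernet/IPv4/UDP DHCPDISCOVER (checksums left at 0)."""
    opts = b"\x35\x01\x01"                       # option 53, length 1, DHCPDISCOVER
    if option82:
        opts += bytes([82, len(option82)]) + option82
    opts += b"\xff"                              # end option
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                        ZERO_IP, ZERO_IP, ZERO_IP, socket.inet_aton(giaddr),
                        chaddr, b"", b"") + MAGIC + opts
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, ZERO_IP, b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + bootp


def parse_dhcp(frame):
    """Return (source MAC, chaddr, giaddr, options) or raise ValueError."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame long enough to hold DHCP")
    ihl = (frame[14] & 0x0F) * 4
    bootp = 14 + ihl + 8
    if ihl < 20 or frame[23] != 17 or frame[bootp + 236:bootp + 240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(frame[bootp + 2], 16)
    chaddr = frame[bootp + 28:bootp + 28 + hlen]
    giaddr = frame[bootp + 24:bootp + 28]
    options, i = {}, bootp + 240
    while i < len(frame) and frame[i] != 255:
        if frame[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(frame) or i + 2 + frame[i + 1] > len(frame):
            raise ValueError("truncated DHCP option")
        options[frame[i]] = frame[i + 2:i + 2 + frame[i + 1]]
        i += 2 + frame[i + 1]
    return frame[6:12], chaddr, giaddr, options


def snoop(frame, trusted, allow_option82=False):
    """Verdict of a snooping switch (SW5/SW6) for a DHCP frame on one port."""
    if trusted:                                  # ip dhcp snooping trust: no filtering
        return "forward"
    src_mac, chaddr, giaddr, options = parse_dhcp(frame)
    if src_mac != chaddr:                        # "Verification of hwaddr field"
        return "drop: source MAC does not match chaddr"
    if giaddr != ZERO_IP:                        # "Verification of giaddr field"
        return "drop: giaddr set on untrusted port"
    if 82 in options and not allow_option82:     # "Option 82 ... is not allowed"
        return "drop: option 82 on untrusted port"
    return "forward"


def relay_accepts(frame, information_trusted):
    """Relay side (SW3/SW4, interface VLAN 100): a message that carries option 82
    while giaddr is still 0.0.0.0 is accepted only when the interface has
    ip dhcp relay information trusted."""
    _, _, giaddr, options = parse_dhcp(frame)
    if 82 in options and giaddr == ZERO_IP:
        return information_trusted
    return True


CLIENT = bytes.fromhex("aabbcc00a000")           # R101's MAC from section 5.1
OTHER = bytes.fromhex("020000000001")            # constructed spoofed chaddr
# Constructed option 82: circuit-id (VLAN 100, module 1, port 0) and a
# remote-id holding the switch MAC from the verification output.
OPT82 = bytes.fromhex("0106000400640100" "02080006aabbcc009000")

if __name__ == "__main__":
    frames = {
        "client DISCOVER": build_discover(CLIENT, CLIENT),
        "spoofed chaddr": build_discover(CLIENT, OTHER),
        "after option 82 insertion": build_discover(CLIENT, CLIENT, option82=OPT82),
    }
    for label, frame in frames.items():
        print(f"{label:26} untrusted port: {snoop(frame, False)}")
        print(f"{'':26} relay default/trusted: "
              f"{relay_accepts(frame, False)}/{relay_accepts(frame, True)}")
```

The third frame stands for a DISCOVER after SW5 or SW6 has inserted Option 82: it passes the trusted uplink, but the relay accepts it only with the trusted setting, which is why the third requirement exists.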


5. SECTION 5 Infrastructure Services


5.1 Section 5.1 Centralized DHCP
Question:

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial
Topology”. Jameson’s R15 must centralize DHCP service for the datacenter’s hosts
VLANs. Configure the network as per the following requirements:

• Ensure that the distribution switches SW3 and SW4 forward DHCP discover
broadcast messages received from VLAN 100’s hosts to interface Loopback0 of
R15 as unicast messages.
• R15 must assign hosts in VLAN 100 a valid IP address from the prefix
10.2.100.0/24.
• Ensure that addresses that were statically configured will never be assigned
to any host.
• The DHCP offer must include the IP address 10.2.100.1/24 as the default
gateway for VLAN 100 users.
• Ensure that the server R101 effectively receives an IP address from the
expected prefix 10.2.1.0/24 as well as its default gateway information.

Solution:

R15
ip dhcp pool R101
host 10.2.100.2 255.255.255.0
client-identifier 01aa.bbcc.00a0.00
default-router 10.2.100.1
!
ip dhcp pool VLAN 100
network 10.2.100.0 255.255.255.0
default-router 10.2.100.1
ip dhcp excluded-address 10.2.100.1
ip dhcp excluded-address 10.2.100.253
ip dhcp excluded-address 10.2.100.254

SW3/SW4
interface vlan 100
ip helper-address 10.255.1.15
ip dhcp relay information trusted


Explanation:
R101#show int e0/0
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is aabb.cc00.a000 (bia aabb.cc00.a000)
Internet address is 10.2.100.2/24
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set

Find the MAC address, aabb.cc00.a000, and add 01 in front of aabb. It becomes:
01aabb.cc00.a000.
Now regroup it into dotted hexadecimal: 01aa.bbcc.00a0.00

Verification:
R101#show ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.2.100.2 YES DHCP up up
Ethernet0/1 unassigned YES NVRAM administratively down down
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down

R15#show ip dhcp binding


Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.2.100.2 01aa.bbcc.00a0.00 Infinite Manual


5.2 Section 5.2 Internet Gateway


Question:

Refer to “Diagram 1: Initial Topology”. Configure the network as per the following
requirements:

• R17 is Jameson’s Internet gateway router.
• Ensure that R17 enables all internal hosts (that is: hosts with source IP
address in the range of 10.0.0.0/8 or 172.0.0.0/8) to simultaneously connect
to the Internet using the public IP address of interface Eth0/0.
• The following tests must be successful:
R101#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

SW1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms

SW2#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms

SW10#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms

SW11#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/3 ms

R19#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


Solution:

R17
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.0.0.0 0.255.255.255
!
ip nat inside source list 1 interface e0/0 overload
interface e0/0
ip nat outside
interface e0/1
ip nat inside
interface t0
ip nat inside

R58
router eigrp 10
summary-metric 0.0.0.0/0 distance 80

Verification:
R101#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

SW1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms

SW2#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms

SW10#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
SW11#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/3 ms

R19#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

5.3 Section 5.3 First hop redundancy


Question:

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial
Topology”. Jameson’s datacenter’s SW3 and SW4 must offer first hop redundancy
to VLAN 100’s hosts using HSRP. Configure the network as per the following
requirements:

• SW3 and SW4 must use the multicast address 224.0.0.102 in order to
negotiate the active and standby roles.
• SW3 must be elected as the active router and SW4 must be elected as the
standby router.
• In case SW3 is down, SW4 must take over the active role. If SW3 comes
back online, it must automatically recover the active role from SW4.
• Ensure that HSRP hello packets are exchanged every 10 seconds and that the
standby takes over the active role if three consecutive Hello packets were
missed from the active.
• Both routers must share the virtual IP address 10.2.100.1 that will be used
as default gateway for VLAN 100’s hosts.

Solution:

SW3
interface vlan 100
standby 2 ip 10.2.100.1
standby 2 timers 10 30
standby 2 priority 105
standby 2 preempt
standby version 2

SW4
interface vlan 100
standby 2 ip 10.2.100.1
standby 2 timers 10 30
standby 2 preempt
standby version 2

Note

Many people have given me feedback that they got a problem with HSRP in the
real lab, EVE-NG and IOU. After they configured VTP and standby version 2
(HSRP), it was okay. So please follow this workbook and configure VTP and
standby version 2.

Verification:
SW3#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl100 1 105 P Active local FE80::A8BB:CCFF:FE80:8000
FE80:100::1
Vl100 2 105 P Active local 10.2.100.254 10.2.100.1

SW3#show standby
Vlan100 - Group 1 (version 2)
State is Active
2 state changes, last state change 13:31:11
Link-Local Virtual IPv6 address is FE80:100::1 (conf)
Active virtual MAC address is aabb.cc80.6000 (MAC In Use)
Local virtual MAC address is aabb.cc80.6000 (bia)
Hello time 10 sec, hold time 30 sec
Next hello sent in 3.168 secs
Preemption enabled
Active router is local
Standby router is FE80::A8BB:CCFF:FE80:8000, priority 100 (expires in 28.896 sec)
Priority 105 (configured 105)
Group name is "hsrp-Vl100-1" (default)
Vlan100 - Group 2 (version 2)
State is Active
2 state changes, last state change 13:31:07
Virtual IP address is 10.2.100.1
Active virtual MAC address is aabb.cc80.6000 (MAC In Use)
Local virtual MAC address is aabb.cc80.6000 (bia)
Hello time 10 sec, hold time 30 sec
Next hello sent in 7.888 secs
Preemption enabled
Active router is local
Standby router is 10.2.100.254, priority 100 (expires in 28.368 sec)
Priority 105 (configured 105)
Track object 1 state Up decrement 10
Group name is "hsrp-Vl100-2" (default)


5.4 Section 5.4 Tracking reachability


Question:

Refer to “Diagram 1: Jameson’s Layer 2 Connections” and “Diagram 2: Initial
Topology”. Configure the network as per the following requirements:

• SW3 and SW4 must monitor the reachability of their OSPF IPv4 default route
and in case it is not available, the HSRP priority must be decreased by 10.

Solution:

SW3/SW4
track 1 ip route 0.0.0.0 0.0.0.0 reachability
interface vlan 100
standby 2 track 1 decrement 10

Verification:
SW3#show track
Track 1
IP route 0.0.0.0 0.0.0.0 reachability
Reachability is Up (OSPF)
2 changes, last change 01:24:55
First-hop interface is Vlan173
Tracked by:
HSRP Vlan100 2

SW4#show track
Track 1
IP route 0.0.0.0 0.0.0.0 reachability
Reachability is Up (OSPF)
2 changes, last change 01:24:59
First-hop interface is Vlan34
Tracked by:
HSRP Vlan100 2
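
Added example (not part of the workbook): a Python check that parses `show standby` output such as the SW3 verification in section 5.3, tests it against that section's requirements, and works out which switch is active once the section 5.4 tracked route is lost (105 - 10 = 95, below SW4's 100). The function names and the trimmed sample text are constructed for illustration.

```python
import re
# Constructed sample: Group 2 stanza from the SW3 `show standby` output above.
SAMPLE = """Vlan100 - Group 2 (version 2)
  State is Active
  Virtual IP address is 10.2.100.1
  Hello time 10 sec, hold time 30 sec
  Preemption enabled
  Standby router is 10.2.100.254, priority 100 (expires in 28.368 sec)
  Priority 105 (configured 105)
  Track object 1 state Up decrement 10
"""
FIELDS = {  # field -> regex; one capture group unless noted
    "vip": r"Virtual IP address is (\S+)",
    "timers": r"Hello time (\d+) sec, hold time (\d+) sec",  # two groups
    "preempt": r"Preemption (enabled)",
    "peer_priority": r"Standby router is [^,]+, priority (\d+)",
    "priority": r"^ *Priority (\d+)",
    "decrement": r"Track object \d+ state \w+ decrement (\d+)",
}
# A header without "(version 2)" is treated as HSRPv1 (assumption of this sketch).
HEADER = re.compile(r"^(\S+) - Group (\d+)(?: \(version (\d)\))?", re.M)

def parse_standby(text):
    """Split `show standby` output into {(interface, group): fields}."""
    groups, parts = {}, HEADER.split(text)[1:]  # iface, grp, ver, body, ...
    for iface, grp, ver, body in zip(*[iter(parts)] * 4):
        g = {"version": int(ver or 1)}
        for name, rx in FIELDS.items():
            m = re.search(rx, body, re.M)
            if m:
                g[name] = m.groups() if len(m.groups()) > 1 else m.group(1)
        groups[(iface, int(grp))] = g
    return groups

def audit(g, vip="10.2.100.1", hello=10, hold=30):
    """Return the section 5.3 requirements this group fails (empty = pass)."""
    checks = {
        "version 2 (224.0.0.102)": g["version"] == 2,
        "virtual IP": g.get("vip") == vip,
        "hello/hold timers": g.get("timers") == (str(hello), str(hold)),
        "preempt": "preempt" in g,
    }
    return [name for name, ok in checks.items() if not ok]

def active_if_track_down(g):
    """Section 5.4: active router once track 1 is Down. Assumes the peer
    preempts and wins only on strictly higher priority."""
    effective = int(g["priority"]) - int(g.get("decrement", 0))
    return "peer" if effective < int(g["peer_priority"]) else "local"
```

Feed `parse_standby` the full captured output to audit every group at once; the IPv6 Group 1 stanza will be reported as failing the IPv4 virtual IP check, which is expected.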


After you have finished the lab, the exam requests that you test as follows:
R11#show ip bgp 10.2.0.0/16
BGP routing table entry for 10.2.0.0/16, version 568
Paths: (2 available, best #2, table default)
Advertised to update-groups:
20
Refresh Epoch 1
65001 65001, (aggregated by 65002 10.255.1.16)
10.255.1.12 (metric 11) from 10.255.1.12 (10.255.1.12)
Origin IGP, metric 0, localpref 100, valid, internal, atomic-aggregate
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
65001 65001, (aggregated by 65002 10.255.1.15)
10.254.0.53 from 10.254.0.53 (10.255.1.7)
Origin IGP, localpref 100, valid, external, atomic-aggregate, best
rx pathid: 0, tx pathid: 0x0

R101#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

R19#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

SW3#ping 239.1.1.1 source vlan 173


Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.0.37
Reply to request 0 from 10.16.2.1, 23 ms
Reply to request 0 from 10.16.1.1, 37 ms
Reply to request 0 from 10.16.3.1, 31 ms

SW1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

SW2#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms

R101#ping 172.18.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

R101#traceroute 172.18.1.254
Type escape sequence to abort.
Tracing the route to 172.18.1.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 1 msec 1 msec 1 msec
2 10.2.0.14 1 msec 1 msec 0 msec
3 10.2.0.42 2 msec 2 msec 2 msec
4 10.2.0.46 2 msec 2 msec 2 msec
5 172.18.2.254 2 msec * 3 msec

R101#traceroute 172.18.2.254
Type escape sequence to abort.
Tracing the route to 172.18.2.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 2 msec 1 msec 1 msec
2 10.2.0.5 1 msec 1 msec 1 msec
3 10.254.0.73 2 msec 3 msec 2 msec
4 10.254.0.13 [MPLS: Labels 58/81 Exp 0] 3 msec 2 msec 3 msec
5 10.254.0.18 [MPLS: Labels 38/81 Exp 0] 2 msec 2 msec 3 msec
6 10.254.0.62 [MPLS: Labels 20/81 Exp 0] 4 msec 3 msec 4 msec
7 172.18.253.5 [MPLS: Label 81 Exp 0] 10 msec 3 msec 4 msec
8 172.18.253.6 3 msec 3 msec 3 msec
9 172.18.254.254 3 msec * 4 msec

R101#traceroute 172.18.254.254
Type escape sequence to abort.
Tracing the route to 172.18.254.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 2 msec 2 msec 1 msec
2 10.2.0.5 2 msec 1 msec 2 msec
3 10.254.0.73 1 msec 2 msec 2 msec
4 10.254.0.13 [MPLS: Labels 58/27 Exp 0] 3 msec 2 msec 3 msec
5 10.254.0.18 [MPLS: Labels 38/27 Exp 0] 2 msec 3 msec 3 msec
6 10.254.0.62 [MPLS: Labels 20/27 Exp 0] 2 msec 2 msec 2 msec
7 172.18.253.5 [MPLS: Label 27 Exp 0] 3 msec 3 msec 4 msec
8 172.18.253.6 3 msec 2 msec 2 msec
9 172.18.254.254 2 msec * 4 msec

Test backup path

R18
router bgp 65002
neighbor 10.2.0.46 shutdown

R101#ping 172.18.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms

R101#traceroute 172.18.1.254
Type escape sequence to abort.
Tracing the route to 172.18.1.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.2.100.253 1 msec 1 msec 1 msec
2 10.2.0.5 2 msec 1 msec 1 msec
3 10.254.0.73 2 msec 1 msec 1 msec
4 10.254.0.13 [MPLS: Labels 58/84 Exp 0] 4 msec 5 msec 3 msec
5 10.254.0.18 [MPLS: Labels 38/84 Exp 0] 4 msec 4 msec 3 msec
6 10.254.0.62 [MPLS: Labels 20/84 Exp 0] 4 msec 5 msec 4 msec
7 172.18.253.5 [MPLS: Label 84 Exp 0] 4 msec 3 msec 3 msec
8 172.18.253.6 3 msec 4 msec 4 msec
9 172.18.254.254 4 msec * 5 msec

Note: remember to issue no shutdown on the BGP peer after you test the backup path.
R18
router bgp 65002
no neighbor 10.2.0.46 shutdown

================= The End==================
