
Cisco CCIE Lab Exam Configuration Guide

This document outlines the configuration tasks for the first section of a CCNP lab exam. It includes 11 guidelines and details for 4 configuration questions involving switch administration, layer 2 ports, spanning tree, and WAN switching. Candidates have 5 hours and 30 minutes to complete this section, which will be combined with another section for the final exam score.

Uploaded by

Saqib Mulla

www.passrnslabs.com FINAL RELEASE Lab 1:25-JUL-2017

QUESTION SET
V4.0
LAB 1

!!!!! Important: read the following guidelines before starting the section !!!!
• This section comprises a set of configuration tasks to be completed within 5.30 hours.
• The final score of this section is combined with the troubleshooting section to comprise your final pass or fail status on the CCIE lab exam.
• A candidate is required to pass both sections of the Cisco CCIE certification.

1. Read all questions in each section before proceeding with any configuration.
2. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you complete the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.
3. Knowledge of implementation and troubleshooting techniques is part of the skills tested in the configuration section of the lab exam.
4. If you suspect that there may be a hardware problem with your equipment, contact the lab proctor immediately.
5. Points are awarded for working configuration only. Test the functionality of all of the requirements before you complete your exam. As you configure one part of the exam you may break a previous requirement or configuration.
6. No partial points can be granted for any question. All requirements need to be fulfilled in order to receive the points for the question. Some requirements depend on other questions, either before or after the current question.
7. You will be presented with preconfigured routers and switches. Do not change the following configuration on the devices:
    • Hostname
    • Enable password "cisco"
    • Console line configuration
8. In any configuration where additional addressing may be necessary, use only the major network as displayed in diagram 1. Ensure that it does not conflict with a network that is already used in your network.
9. Unicast or multicast static and default routes are not permitted unless permission to use them is directly stated in a specific question. This restriction includes floating static routes and those routes that were generated by a routing protocol. Routes to null 0 that are generated as a result of a dynamic routing protocol solution are permitted.
10. Save your configuration frequently.
11. Doc CD: you have access to http://www.cisco.com/ciscoweb/pass. All configuration guides and master indexes are there.
12. Tools: Notepad and calculator are available.

This CCIE lab scenario is only for applicants; please do not publish it on the internet or anywhere else.

TOPOLOGY

Section 1 – Layer 2 Technologies

1.1 Switch Administration 4 Points

Configure the ACME Headquarters network (AS 12345) as per the following requirements:
• The VTP domain must be set to CCIE
• Use VTP version 2
• SW1 must be the VTP server and SW2 must be the VTP client
• Secure all VTP updates with an MD5 digest of the ASCII string “CCIERocks?”
• In order to avoid unknown unicast flooding in all VLANs as much as possible, the administrator requires that any dynamic entries learned by SW1 and SW2 must be retained for 3 hours before being refreshed.

Configure the network of the New York office (AS 34567) as per the following requirements:
• The VTP domain must be set to CCIE
• Use VTP version 2
• SW3 and SW4 must not advertise their VLAN config but must forward VTP advertisements that they receive out their trunk ports
• Secure all VTP updates with an MD5 digest of the ASCII string “CCIERocks?”

1.2 Layer 2 Ports 2 Points

Configure your network as per the following requirements:
• Complete the configuration of all VLANs so that all routers that are located in ACME's headquarters (AS12345) and New York office (AS 34567) can ping their directly connected neighbors
• All four switches (SW1-SW4) must have dot1q trunks that do not rely on negotiation. Do not configure any EtherChannel
• Ensure that the following unused ports on all four switches are shut down and configured as access ports in VLAN 999:
    • E3/0 - E3/3 are unused on SW1 and SW2
    • E1/0 - E1/3 are unused on SW3 and SW4
    • E3/0 - E3/3 are unused on SW3 and SW4

1.3 Spanning Tree 4 Points

Configure the ACME network as per the following requirements:
• SW1 must be the root switch for all odd VLANs and must be the backup for all even VLANs
• SW2 must be the root switch for all even VLANs and must be the backup for all odd VLANs
• SW3 must be the root switch for all odd VLANs and must be the backup for all even VLANs
• SW4 must be the root switch for all even VLANs and must be the backup for all odd VLANs
• Explicitly configure the root and backup roles, assuming that other switches with default configuration may eventually be added to the network in the future
• All switches must maintain one STP instance per VLAN
• Use the STP mode that has only three possible states
• All access ports must immediately transition to the forwarding state upon link up and they must still participate in STP. Use a single command per switch to enable this.
• Access ports must automatically shut down if they receive any BPDU and an administrator must still manually re-enable the port. Use a single command per switch to enable this feature.

1.4 WAN Switching 2 Points

• The WAN links must rely on a layer 2 protocol that supports link negotiation and authentication.
• The service provider expects both R18 and R19 to complete a three-way handshake by providing the expected response to a challenge that is sent by the AS 20003 router
• R18 must use the username ACME-R18 and password CCIE
• R19 must use the username ACME-R19 and password CCIE

Section II Layer 3 Technologies

a) After finishing each of the following questions, make sure that all configured interfaces and subnets are consistently visible on all pertinent routers and switches.
b) Do not redistribute routes between any interior gateway protocol (IGP) and BGP if not explicitly required.
c) Unless explicitly stated otherwise, you need to ping a BGP route only if it is stated in a question; otherwise the route should be only in the BGP table.
d) At the end of this section, all subnets in your topology, including the loopback interfaces, must be reachable via ping from anywhere in your topology. The backbone interfaces must be reachable only if they are part of the solution to a question.
e) The loopback interfaces must be seen as a host route (/32) in the routing tables unless stated otherwise in a question.

2.1 OSPF in AS12345 4 Points

Configure OSPFv2 area 0 in ACME HQ (AS12345) according to the following requirements:
• Configure the OSPF process ID to 12345 and set the router ID to interface lo0 on all seven routers
• The interface lo0 at each router must be seen as an internal OSPF prefix by all other routers
• Ensure that OSPF is not running on any interface that is facing another AS. Use any method to accomplish this requirement
• SW1 and SW2 must not participate in routing at all
• Do not change the default OSPF cost of any interface in AS12345
• Configure R1 to use OSPF STUB advertisement features in AS12345
• R1 must see the following OSPF routes in the routing table. R1 should not be used as a transit path in AS12345. No ACL is allowed to complete this task.

R1#show ip route ospf

      123.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
O        123.2.2.2/32 [110/65546] via 123.10.1.2, 00:00:34, Ethernet0/1
O        123.3.3.3/32 [110/65546] via 123.10.1.6, 00:00:34, Ethernet0/2
O        123.4.4.4/32 [110/65536] via 123.10.1.2, 00:00:34, Ethernet0/1
O        123.5.5.5/32 [110/65536] via 123.10.1.6, 00:00:34, Ethernet0/2
O        123.6.6.6/32 [110/65546] via 123.10.1.2, 00:00:34, Ethernet0/1
O        123.7.7.7/32 [110/65546] via 123.10.1.6, 00:00:34, Ethernet0/2
O        123.10.1.8/30 [110/65555] via 123.10.1.6, 00:00:34, Ethernet0/2
                       [110/65555] via 123.10.1.2, 00:00:34, Ethernet0/1
O        123.10.1.12/30 [110/65545] via 123.10.1.6, 00:00:34, Ethernet0/2
O        123.10.1.16/30 [110/65545] via 123.10.1.2, 00:00:34, Ethernet0/1
O        123.10.1.20/30 [110/65545] via 123.10.1.2, 00:00:34, Ethernet0/1
O        123.10.1.24/30 [110/65555] via 123.10.1.6, 00:00:34, Ethernet0/2
                        [110/65555] via 123.10.1.2, 00:00:34, Ethernet0/1
O        123.10.1.28/30 [110/65545] via 123.10.1.6, 00:00:34, Ethernet0/2

2.2 EIGRP IN AS34567 2 Points

Configure EIGRP for IPv4 in the New York office (AS34567) according to the following requirements:
• The EIGRP AS is 34567
• The interface lo0 must be seen as an internal EIGRP prefix by all other routers
• Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this
• Using a single command on one switch only, ensure that R8 installs two equal-cost routes for the following three paths. You are not allowed to use any virtual name
    • vlan 411
    • int lo0 of SW4
    • int lo0 of R11
• Using a single command on one switch only, ensure that R9 installs two equal-cost routes for the following three paths
    • vlan 310
    • int lo0 of SW3
    • int lo0 of R10

2.3 EIGRP IN AS 45678 2 Points

Configure EIGRP in AS45678 according to the following requirements:
• The EIGRP AS is 45678
• The interface lo0 must be seen as an internal EIGRP prefix by all other routers
• Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this requirement
• EIGRP running in AS 45678 should use the strongest authentication method
• SW5 and SW6 are layer 3 switches and must configure EIGRP
• Do not change the interface bandwidth on any physical interface in AS 45678

2.4 EIGRP in AS 65222 4 Points

• The EIGRP AS is 45678.
• The interface lo0 at each router must be seen as an internal EIGRP prefix by all other routers.
• Ensure that EIGRP is not running on any interface that is facing another AS. Use any method to accomplish this requirement.
• R17 is the DMVPN hub and R18 and R19 are the spokes. Use the preconfigured tunnel 0.
• R17 must not send any queries to R18 & R19 for active EIGRP routes.
• R17 must not receive EIGRP summary routes from R18 and R19.

2.5 BGP in AS 12345 3 Points

BGP is partially configured in ACME headquarters. Complete the config as required.

Configure BGP in ACME’s HQ (AS 12345) according to the following requirements:
• R4 and R5 must not establish any BGP session at any time.
• All BGP routers must use their int lo0 as their router-id.
• Disable the default IPv4 unicast address family for peering session establishment in all BGP routers.
• R1 must be the IPv4 route reflector for BGP AS12345 and use a peer group.

Configure eBGP between ACME's San Francisco and San Jose sites according to the following requirements:
• R20 is the CE router and uses eBGP to connect to the managed services that are provided by the PE routers R2 and R3.
• R20 must establish separate eBGP peerings with both R2 and R3 for every VRF.
• R20 must advertise the following prefixes to all the BGP peers.
    • 123.0.0.0/8 summary-only
    • 10.0.0.0/8 summary-only
• R20 must advertise a default route to all of its BGP peers except to 10.120.99.1 and 10.120.99.5

2.6 BGP in AS 34567 3 Points

BGP is partially preconfigured in the ACME New York office. Complete the config as required.

Configure iBGP in AS 34567 according to the following requirements:
• SW3 and SW4 must not establish any BGP session at any time
• All BGP routers must use their int lo0 as their router-id
• Configure full mesh iBGP peering between all four routers. Use any configuration method
• R9 must be selected as the preferred exit point for traffic destined to remote ASes
• R11 must be selected as the next preferred exit in case R9 fails
• No BGP speaker may use the network statement under the BGP router config.
• Ensure that the BGP next hop is never marked as unreachable as long as int lo0 of the remote peer is known via IGP
• Disable the default IPv4 unicast address family for peering session establishment in all BGP routers

Configure eBGP in AS 34567 according to the following requirements:
• All four BGP routers must establish eBGP peerings with their neighboring AS as shown in diagram 3 (BGP topology)
• All four BGP routers must redistribute EIGRP into BGP
• R9 & R11 must redistribute only the BGP default route into EIGRP
• Ensure that R9 is the only router that sees the default as a BGP route and that all other routers (R8, R10, R11) see it as an EIGRP external

2.7 BGP in AS 45678 and 65222 2 Points

Refer to diagram 3 (BGP routing)

Configure eBGP in ACME's APAC region (AS45678 and AS 65222) according to the following requirements:
• SW5 and SW6 must not establish any BGP session at any time
• All BGP routers must use their int lo0 as their router-id
• No iBGP peering sessions are allowed in AS 45678
• R15 must establish an eBGP peering with AS 10003 and must receive a default route as well as other prefixes.
• R15 must redistribute BGP into EIGRP and vice versa
• R15 must also advertise an aggregate prefix 123.20.1.0/24 to AS 1003 and must suppress all component prefixes
• R16, R17, R18, R19 must establish an eBGP peering with AS 20003 and must receive a default route as well as other prefixes
• R16, R17, R18, R19 must not advertise any prefix to AS 20003
• As long as R15 is operational, R16, R17, R18, R19 must prefer the EIGRP default route over the eBGP default route
• Do not create any VRF anywhere in order to accomplish the above requirements

2.8 BGP routing policies 2 Points

Configure the ACME network as per the following requirements:
• All ACME border routers in AS 12345 must filter the BGP prefixes that are advertised to their SP in VRF INET and must allow all prefixes that belong to class A 123.0.0.0/8. All other VRFs must propagate all prefixes
• All ACME border routers in AS 34567 must filter the BGP prefixes that are advertised to their SP and must allow only all prefixes that belong to the class A 123.0.0.0/8
• Do not use any route-map or access-list to accomplish the above requirements
• R13 must route traffic preferably via AS 20002. Use any method to accomplish this requirement
• All three remote sites in AS 65111 must be able to ping 1.2.3.4 and traceroute must reveal the exact same path as shown in the following output

R12#ping 1.2.3.4 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
Packet sent with a source address of 123.12.12.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

R12#traceroute 1.2.3.4 source loopback 0
Type escape sequence to abort.
Tracing the route to 1.2.3.4
VRF info: (vrf in name/id, vrf out name/id)
  1 201.1.12.1 0 msec 0 msec 0 msec
  2 201.1.123.2 [AS 65112] 0 msec 0 msec 0 msec
  3 10.120.12.1 [AS 65112] [MPLS: Label 61 Exp 0] 1 msec 1 msec 1 msec
  4 10.120.12.2 [AS 65112] 1 msec 1 msec 1 msec
  5 10.120.99.5 [AS 65112] 1 msec 1 msec 0 msec
  6 102.2.123.1 [AS 65112] 1 msec 2 msec 0 msec
  7 33.10.2.2 [AS 65112] 1 msec 2 msec *

2.9 IPV6 OSPF 4 Points

Configure OSPFv3 in the ACME New York office as per the following requirements:
• Configure the OSPF process id 1 and set the router-id as interface lo0
• SW4 must be selected as the DR on vlan 34 and must have the best chance
• SW3 must be selected as the backup DR on vlan 34 and must take over DR if SW4 is down

Note: IPv6 Network in the diagram is 2001:CC1E:BEEF::/48 (General Prefix)

2.10 BGP for IPV6 4 Points

Configure the ACME network as per the following requirements:
• Establish the four eBGP peerings as indicated on "diagram IPV6 routing"
• Do not use the network command under the BGP address-family ipv6 on either R10 or R11
• Both regional SPs will advertise the necessary prefixes
• Advertise the IPv6 prefix on interface E0/0 into BGP on both R12 and R14
• Configure your network such that any ipv6 that any user can communicate with any ipv6 user that is located and vice versa
• Do not use any static route or default route anywhere
• Use the following ping to verify your config

R12#ping 2001:CC1E:BEF:14:202:2:14:2 source ethernet 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:CC1E:BEF:14:202:2:14:2, timeout is 2 seconds:
Packet sent with a source address of 2001:CC1E:BEF:12:201:1:12:2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

2.11 Layer 3 multicast 4 Points

A streaming server is connected in vlan 5 on SW5. Receivers are located at the DMVPN spokes R18 and R19.

Configure the ACME network as per the following requirements:
• Only network segments with active receivers that explicitly require the data must receive the multicast traffic.
• Interface lo0 of R15 must be configured as RP.
• Use a standard method of dynamically distributing the RP.
• Both R16 and R17 must participate in the multicast routing.
• To test, configure int E0/0 of both R18 and R19 to join group 232.1.1.1.
• Multicast traffic should prefer the path through R16. Don’t use delay or bandwidth to enforce it.

SW5#ping 232.1.1.1 source vlan 5
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 232.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 123.55.55.55

Reply to request 0 from 10.1.18.1, 19 ms
Reply to request 0 from 10.1.19.1, 27 ms

Section 3 VPN Technology

3.1 MPLS VPN Part 1 4 Points

Refer to "diagram 3 BGP topology" and "diagram 4 VPN technology"

• The ACME HQ network (AS12345) uses MPLS L3VPN in order to clearly separate remote site networks
• The ACME corporate security policies are centralized and enforced at the San Jose site (AS 65112) for all remote sites. The policies require that all traffic that is originated from any remote sites (with the exception of New York office)
• Configure MPLS L3 VPN in the ACME network according to the following requirements
• Enable LDP only on required interfaces on all seven routers in AS 12345
• Use the interface lo0 to establish LDP peerings
• Ensure that no MPLS interface that belongs to any router in AS12345 is visible on a traceroute that originates outside of the AS
• R2, R3, R6 and R7 must be configured as PE routers
• R1, R4 and R5 must be configured as P routers

3.2 MPLS VPN Part 2 4 Points

Refer to "diagram 3 BGP topology" and "diagram 4 VPN technology"

The global and regional service providers have agreed to transport the ACME VPN via PE to PE eBGP peerings that are already preconfigured. Complete all the config of MPLS L3 VPN in the ACME network according to the following requirements:
• R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345
• R2 and R3 must establish eBGP peering with both global SPs (AS 10001 and AS 10002) for the following VRFs
    • BLUE
    • GREEN
    • RED
    • YELLOW
    • INET
• R6 must establish an eBGP peering with the regional SP (AS 20001) for the following VRFs
    • GREEN
    • BLUE
    • INET
• R7 must establish an eBGP peering with the regional SP (AS 20002) for the following VRFs
    • BLUE
    • RED
    • INET
• All IP addresses used for eBGP peering must pass BGP's directly connected check
• No BGP speaker in AS 12345 may use the network or redistribute statement under any address-family of the BGP router config
• At the end of the exam scenario, the interface E0/0 of the gateway router in any remote site must be able to connect to the int E0/0 of any other remote gateway that belongs to AS 65111 or AS 65222
• Use the following tests as examples of connectivity checks

R12#ping 10.1.19.1 source ethernet 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.19.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/11 ms

R12#traceroute 10.1.19.1 source ethernet 0/0
  1 201.1.12.1 0 msec 0 msec 0 msec
  2 201.1.123.2 [AS 65112] 0 msec 0 msec 0 msec
  3 10.120.12.1 [AS 65112] [MPLS: Label 62 Exp 0] 0 msec 0 msec 1 msec
  4 10.120.12.2 [AS 65112] 1 msec 0 msec 0 msec
  5 10.120.15.1 [AS 65112] 1 msec 1 msec 0 msec
  6 101.1.123.1 [AS 65112] 1 msec 1 msec 1 msec
  7 100.1.3.2 [AS 65112] 0 msec 1 msec 0 msec
  8 103.2.45.2 [AS 65112] 1 msec 1 msec 1 msec
  9 123.20.1.10 [AS 65112] 1 msec 0 msec 1 msec
 10 123.20.1.27 [AS 65112] 10 msec * 11 msec

3.3 DMVPN 4 points

Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following requirements:
• Use the preconfigured interface tunnel 0 on all three routers in order to accomplish this task
• R17 must be the hub router
• R18 and R19 must be the spokes and must participate in NHRP information exchange
• Disable sending of ICMP redirect messages on all three tunnel interfaces
• Configure the following parameters on all three tunnel interfaces
    • bandwidth 1000 kbps
    • delay 10000 msec
    • mtu 1400 bytes
    • tcpmss 1380
• Authenticate NHRP using the string 45678key
• Use NHRP network-id 45678
• Configure the NHRP hold time to 5 min
• Ensure that spoke to spoke traffic does not transit via the hub

3.4 DMVPN Encryption 2 Points

Refer to "Diagram 4 VPN technology"

Secure the DMVPN tunnel using IPsec according to the following requirements:
• Configure IKE phase 1 as per the following
    • Use AES encryption with the pre-shared key CCIE
    • The key must appear in plain text in the config
    • All IPsec tunnels must be authenticated using the same IKE phase 1 pre-shared key
    • Use 1024 bits for the key exchange using the Diffie-Hellman algorithm
    • Configure a single policy using priority 10
• Configure IKE phase 2 as per the following requirements
    • Use CCIEXFORM as transform set name
    • Use DMVPNPROFILE as IPsec profile name
    • Use IPsec in transport mode
    • Use the IPsec protocol ESP and algorithm AES with 128 bits
• Ensure that the DMVPN cloud is secured using the above parameters. Use tunnel protection in your config

Section 4 Infrastructure security

4.1 Device security 1 points

Configure R20 in the ACME San Jose office as per the following:
• All users who connect to R20 via the console or via any of the VTY lines using SSH must be prompted with the below message before any other prompt is displayed

WARNING! ACCESS RESTRICTED

• Do not use any other spaces or any other characters

4.2 Network Security 1 points

Configure the ACME New York office as per the following:
• Ensure that int E0/0-3 of SW3 forward the traffic sent from expected and legitimate users only
• SW3 must dynamically learn only one MAC address per port and must save the MAC address in its startup config
• SW3 must shut down the port if a security violation occurs on any of the four ports

Section 5 Infrastructure Services

5.1 System management 2 Points

Configure R20 in the ACME San Jose office as per the following:
• Establish SSH access in R20 using the domain name acme.org
• R20 must accept up to five remote authorized users to connect at the same time using SSH
• Create the user "test" with password "test" in the local database of R20
• Ensure that R20 accepts SSH connections from clients with a source IP in 123.10.2.0/24. All other source IPs should be denied. Use a standard ACL to accomplish this
• R20 must generate a syslog message for all SSH connection attempts, whether permitted or denied
• When authenticated, the username test must be granted privilege level 1
• Do not enable aaa new-model on R20
• Ensure that SSH is the only remote access method permitted on the VTY lines of R20
• Ensure that the console is not affected by your solution and no username prompt is presented on the console port
• Test your solution from any device that is located in AS 34567 and ensure that the following sequence of commands produces the following output

R10#ssh -l test 123.20.20.20

WARNING! ACCESS RESTRICTED
Password:

R20>show privilege
Current privilege level is 1
R20>q
R10#

5.2 Network Services 4 Points

Configure the ACME network as per the following:
• R20 must enable all private corporate traffic that is originated from any host with source IP address 10.1.0.0/16 or 10.2.0.0/16 to connect to any public destination that is located in AS 34567
• All remote sites in AS 65111 and 65222 must be able to connect to the public destinations
• R20 must swap the source IP address in these packets with the IP address of its lo0
• R20 must allow multiple concurrent connections
• Use a standard ACL to accomplish this.
• The following tests must succeed after the above requirements (in addition to previous requirements) are achieved

R12#ping 1.2.3.4 source ethernet 0/0
!!!!!
R18#ping 1.2.3.4 source ethernet 0/0
!!!!!

5.3 Network Optimization 2 Points

Configure R17 as per the following requirements:
• The output shown below must be seen on R19 during 10 sec after R15 successfully pings interface lo0 of R19

R15# ping 123.19.19.19
!!!!!
R17#show ip flow top-talkers
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Et0/2         123.20.1.9      Tu0*          123.19.19.19    01 0000 0800   500
1 of 1 top talkers shown. 1 of 1 flows matched.

5.4 Network Services 2 Points

Configure ACME as per the following requirements:
• SW3 must provide an authoritative time source to the ACME network
• R10 and R12 must sync their clocks to SW3 using NTPv4 for IPv6
• R10 and R12 must operate in client mode
• SW3 must not capture or use any time info that is sent by R12 and R14
• All NTP traffic must be sourced from and destined to interface lo0 of the corresponding devices
• The NTP devices must use the strongest authentication method to synchronize, using password CCIERocks$
