
K6++_Jimm


Section 1 - Layer 2

----------------------------------
1.1 Troubleshoot Layer 2 Switching
----------------------------------
Cisco says that there are two faults injected. Each fault is worth 2 points. The whole K6++ lab had 78 points available, so you need 62 points in order to be over 80%.

- VLAN access map that is denying OSPF is in the pre-configuration (change the drop to forward) --> that should be enough
- root guard on BB links (interface f0/10)
- no ip cef on some routers (not sure if that is a fault)

-----------------------------------------------------
1.2 Implement Access Switch Ports of Switched Network
-----------------------------------------------------
Configure all of the appropriate non-trunking switch ports on SW1 – SW4 according to the following:

- SW1 is the server for the VLAN Trunking Protocol version 2 domain "CCIE" (VTP password "cisco")
- SW2, SW3 and SW4 expect SW1 to update their VLAN database when needed
- Configure the VLAN ID and name according to the table below (case sensitive)
- Configure the access ports for each VLAN as per the diagram
- Using a single command, ensure that all access ports transition to the forwarding state as quickly as possible
- Using a single command, ensure that an interface is forced into the err-disabled state if a BPDU is received on any access port
- Ensure that any BPDU received by the access ports facing the backbone devices (and only these devices) has no effect on your spanning-tree decisions
- Don't forget to configure the Layer 3 interfaces and to put SW1's port fa0/4 into VLAN 44

VLAN_ID  NAME
11       VLAN_11_BB1
22       VLAB_22_BB2
33       VLAN_33_BB3
42       VLAN_?_R2-SW4
44       VLAN_44_R4
55       VLAN_55_R5-SW2
123      VLAN_123_SWITCHES
999      VLAN_RSPAN

SW1

vtp version 2
vtp domain CCIE
vtp password cisco

vtp mode server

SW2-SW4

vtp version 2
vtp domain CCIE
vtp password cisco
vtp mode client

SW1-SW2

interface f0/2
switchport mode access
switchport access vlan xx

Repeat that for every access interface on the switches.

SW1-SW3

interface f0/10
spanning-tree bpdufilter enable

SW1-SW4

spanning-tree portfast default
spanning-tree bpduguard default

Find the VLAN between R2 and SW4. The task says the bridge priority for that VLAN has to be 12330. The spanning-tree VLAN priority is configured in steps of 4096, so step up in multiples of 4096 until you get close: that is 12288. Then subtract 12288 from 12330 and you get 42, which is the VLAN ID (the extended system ID that IOS adds to the configured priority).

----------------------------------------------
1.3 Spanning-Tree Domains for Switched Network
----------------------------------------------
Configure the switches according to the following requirements:

- Both switches must have one instance per VLAN
- Ensure that SW1 is the root switch and SW2 the backup switch for all odd VLANs
- Ensure that SW2 is the root switch and SW1 the backup switch for all even VLANs
- Configure one instance per VLAN and rapid transition to forwarding
- Set to 30 seconds the time that all switches wait before their spanning-tree process attempts to re-converge if it has not received any spanning-tree configuration message; this must also apply to all future VLANs

SW1

spanning-tree mode rapid-pvst
spanning-tree vlan 1,11,33,55,123,999 root primary
spanning-tree vlan 22,42,44 root secondary

SW2

spanning-tree mode rapid-pvst
spanning-tree vlan 1,11,33,55,123,999 root secondary
spanning-tree vlan 22,42,44 root primary
spanning-tree vlan 42 priority 12288

SW1-SW4

spanning-tree vlan 1-4094 max-age 30

-------------------------------------
1.4 Switch Trunking and Ether Channel
-------------------------------------
Use the following requirements to configure the Etherchannel of SW1, SW2, SW3 and SW4:

- Use encapsulation 802.1q
- Configure Etherchannel between SW3 and SW4 using the proprietary method
- Configure Etherchannel between SW1 and SW2 using the industry standard
- Ensure that SW1 and SW3 initiate the negotiation and that SW2 and SW4 do not start the negotiation

SW1-SW4

interface range f0/19 - 24
switchport trunk encapsulation dot1q
switchport mode trunk

SW1

interface range f0/x - x (range of ports to SW2)
channel-group 12 mode active

SW2

interface range f0/x - x (range of ports to SW1)
channel-group 12 mode passive

SW3

interface range f0/x - x (range of ports to SW4)
channel-group 12 mode desirable

SW4

interface range f0/x - x (range of ports to SW3)
channel-group 12 mode auto

------------------------
1.5 Spanning-Tree Tuning
------------------------
- Find the VLAN between R2 and SW4. The Bridge ID priority of that VLAN must be 12330 on SW2
- Ensure that port fa0/20 is in the forwarding state rather than the blocking state for even VLANs on SW4
- You must do this without changing any configuration on SW4
- Use the highest numerical value to complete this

SW2

int f0/19
spanning-tree vlan 22,42,44 port-priority 240

---------
1.6 RSPAN
---------
- Any traffic received (and only received) from VLAN_BB1 and VLAN_BB2 must be replicated to a traffic analyser connected to SW4 Fa0/15 via VLAN 999
- You need to monitor any future interfaces connecting to VLAN_BB1 and VLAN_BB2
- Any traffic flowing through the trunk between SW3 and SW4 must be replicated to another traffic analyser connected to SW4 Fa0/16
- There should not be any configuration regarding this on SW3
- Don't create any new VLAN while configuring this

SW1

vlan 999
remote-span

monitor session 1 source vlan 11 , 22 rx
monitor session 1 destination remote vlan 999

SW2

monitor session 1 source vlan 11 , 22 rx
monitor session 1 destination remote vlan 999

SW4

monitor session 1 source remote vlan 999
monitor session 1 destination interface f0/15

monitor session 2 source interface port-channel 34 both
monitor session 2 destination interface f0/16

--------------
1.7 PPP & CHAP
--------------

- R4 must require R1 and R2 to authenticate using CHAP, but R1 and R2 must not require R4 to authenticate
- R1 and R2 cannot use ppp chap hostname; they can use ppp chap password with "CCIE"
- Make sure that all CHAP passwords are shown in clear text in the configuration
- Use the RADIUS server at YY.YY.44.200 as authentication server and fall back to the local AAA database in case the server is unreachable
- Use CISCO as the key required by the RADIUS server
- Make sure AAA authentication does not affect any console or VTY line on any of the PPP devices (ensure that there is no username prompt either)
- Use only the default authentication list for both the console and the VTY lines

R4

no service password-encryption

aaa new-model
aaa authentication login default line
aaa authentication ppp default group radius local-case

radius-server host YY.YY.44.200 key CISCO

username RackYYR1 password 0 CCIE
username RackYYR2 password 0 CCIE

interface s0/0/0
encapsulation ppp
ppp authentication chap default

interface s0/1/0
encapsulation ppp
ppp authentication chap default

R1-R2

no service password-encryption

interface s0/0/0
encapsulation ppp
ppp chap password 0 CCIE

--------------------------------
Section 2 – Layer 3 Technologies
--------------------------------
2.1 Configure OSPF Area 0, 142 and 51 as per diagram

- OSPF process ID can be any number
- Router ID must be stable and must be configured using the IP address of Lo0
- Lo0 interfaces must be advertised in the OSPF area shown in the IGP topology diagram and must appear as /32 routes
- Ensure that all switches attached to VLAN 123 exchange routing updates primarily with SW1 and then with SW2 (in case SW1 goes down)
- Use the highest numerical values
- Make sure that all 3 prefixes for the backbone links (150.BB.YY.0/24) appear as OSPF External Type 2 routes in the routing table
- Do not create any additional OSPF areas. Do not use any IP address not listed in the diagram

R1

router ospf YY
router-id YY.YY.1.1
network YY.YY.1.1 0.0.0.0 area 142
network YY.YY.14.1 0.0.0.0 area 142
network YY.YY.17.1 0.0.0.0 area 142

R2

router ospf YY
router-id YY.YY.2.2
network YY.YY.2.2 0.0.0.0 area 142
network YY.YY.24.2 0.0.0.0 area 142
network YY.YY.42.2 0.0.0.0 area 142
redistribute connected subnets route-map BB2

route-map BB2 permit 10
match interface g0/1

R3

router ospf YY
router-id YY.YY.3.3
network YY.YY.3.3 0.0.0.0 area 51
network YY.YY.35.3 0.0.0.0 area 51

R4

router ospf YY
router-id YY.YY.4.4
network YY.YY.4.4 0.0.0.0 area 142
network YY.YY.14.4 0.0.0.0 area 142
network YY.YY.24.4 0.0.0.0 area 142
network YY.YY.44.4 0.0.0.0 area 142
network YY.YY.144.4 0.0.0.0 area 142
passive-interface f0/0
passive-interface f0/1

R5

router ospf YY
router-id YY.YY.5.5
network YY.YY.5.5 0.0.0.0 area 51
network YY.YY.35.5 0.0.0.0 area 51
network YY.YY.58.5 0.0.0.0 area 51

SW1

ip routing
router ospf YY
router-id YY.YY.7.7
network YY.YY.7.7 0.0.0.0 area 0
network YY.YY.123.7 0.0.0.0 area 0
network YY.YY.17.7 0.0.0.0 area 142

interface vlan 123
ip ospf priority 255

SW2

ip routing
router ospf YY
router-id YY.YY.8.8
network YY.YY.8.8 0.0.0.0 area 0
network YY.YY.123.8 0.0.0.0 area 0

network YY.YY.58.8 0.0.0.0 area 51

interface vlan 123
ip ospf priority 254

SW3

ip routing
router ospf YY
router-id YY.YY.9.9
network YY.YY.9.9 0.0.0.0 area 0
network YY.YY.123.9 0.0.0.0 area 0

SW4

ip routing
router ospf YY
router-id YY.YY.10.10
network YY.YY.10.10 0.0.0.0 area 0
network YY.YY.123.10 0.0.0.0 area 0
network YY.YY.42.10 0.0.0.0 area 142

--------------------------
2.2 – Implement IPv4 EIGRP
--------------------------

Configure Enhanced Interior Gateway Routing Protocol (EIGRP) 100 on SW2 in order to establish EIGRP neighbor with Backbone 3 in the IGP topology diagram.

- BB3 has IP address 150.3.YY.254 and is using AS number 100
- Disable auto-summary

SW2

router eigrp 100
no auto-summary
network 150.3.0.1 0.0.0.0

---------------------------
2.3 Implement RIP Version 2
---------------------------
Configure RIP Version 2 (RIPv2) between R3 and BB1.

R3 must accept from BB1 only the following prefixes:
199.172.4.0/24
199.172.6.0/24
199.172.12.0/24
199.172.14.0/24

- Use a standard ACL with a single entry
- Disable auto-summarization

router rip
version 2
no auto-summary
network 150.1.0.0
distribute-list 1 in g0/0

access-list 1 permit 199.172.4.0 0.0.10.0

------------------------------
2.4 Redistribute RIP into OSPF
------------------------------
Redistribute RIP into OSPF on R3 such that the routing table on R5 contains the following:
O N2 199.172.14.0/24
O N2 199.172.12.0/24
O N1 199.172.6.0/24
O N1 199.172.4.0/24
O N2 150.1.YY.0

- Use Standard ACL with a single entry

access-list 2 permit 199.172.4.0 0.0.2.0

route-map RIP_TO_OSPF permit 10
match ip address 2
set metric-type type-1

route-map RIP_TO_OSPF permit 20

router ospf YY
redistribute rip subnets route-map RIP_TO_OSPF
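The two single-entry ACLs in 2.3 and 2.4 can be derived and checked with the following Python, an added example that is not part of the lab notes; it uses the ACL numbers and networks from this page and also shows a set of networks that one entry cannot match exactly.

```python
"""Single-entry standard ACL for a set of /24 networks (added example, not from the lab notes).

Tasks 2.3 and 2.4 each demand one standard ACL line: 199.172.4/6/12/14.0 for
the RIP distribute-list and 199.172.4/6.0 for the Type-1 route-map match.
This derives the base/wildcard pair the way you do it by hand (AND the
addresses for the base, OR their differences for the wildcard) and then checks
whether the single entry is exact or also admits networks nobody asked for.
"""
from ipaddress import IPv4Address
from itertools import combinations


def wildcard_entry(networks):
    """Return (base, wildcard) for one `access-list <n> permit base wildcard` line.

    base     = bits shared by every network (bitwise AND of the addresses)
    wildcard = every bit in which some pair of networks differs (OR of XORs);
               in a Cisco wildcard a 1 bit means "don't care".
    """
    addrs = [int(IPv4Address(n)) for n in networks]
    base = addrs[0]
    for a in addrs[1:]:
        base &= a
    wildcard = 0
    for a, b in combinations(addrs, 2):
        wildcard |= a ^ b
    return IPv4Address(base), IPv4Address(wildcard)


def matched_addresses(base, wildcard):
    """Expand a base/wildcard pair into every address the entry admits.

    Each "don't care" bit doubles the match set, so the entry admits exactly
    2**popcount(wildcard) addresses; a guard keeps the enumeration bounded.
    """
    base_i, wc_i = int(base), int(wildcard)
    free_bits = [1 << i for i in range(32) if (wc_i >> i) & 1]
    if len(free_bits) > 16:
        raise ValueError("wildcard too wide to enumerate")
    admitted = set()
    for k in range(1 << len(free_bits)):
        value = base_i & ~wc_i & 0xFFFFFFFF   # keep only the fixed bits
        for j, bit in enumerate(free_bits):
            if (k >> j) & 1:
                value |= bit
        admitted.add(str(IPv4Address(value)))
    return admitted


def single_entry_acl(acl_number, networks):
    """Build the one-line ACL and report any networks it admits beyond those requested."""
    base, wc = wildcard_entry(networks)
    extra = sorted(matched_addresses(base, wc) - set(networks))
    return {
        "line": f"access-list {acl_number} permit {base} {wc}",
        "exact": not extra,      # False means the single entry over-matches
        "overmatch": extra,
    }


if __name__ == "__main__":
    # The two ACLs from this page, plus a set that cannot be done in one line.
    for acl, nets in (
        (1, ["199.172.4.0", "199.172.6.0", "199.172.12.0", "199.172.14.0"]),
        (2, ["199.172.4.0", "199.172.6.0"]),
        (3, ["199.172.4.0", "199.172.6.0", "199.172.12.0"]),
    ):
        print(single_entry_acl(acl, nets))
```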

--------------------------------
2.5 Redistribute EIGRP into OSPF
--------------------------------
Redistribute EIGRP into OSPF on SW2 such that:

- Redistributed EIGRP routes must not be advertised into Area 51
- Redistributed EIGRP routes must be advertised into Area 0 and 142 as OSPF Type E2

- SW2 must advertise an inter-area default route into Area 51 only
- Don't use any route-map and do not add any static route anywhere

SW2

router ospf YY
redistribute eigrp 100 subnets
area 51 nssa no-summary no-redistribution

R3 and R5

router ospf yy
area 51 nssa

----------------------
2.6 Implement IPv4 BGP
----------------------
Configure iBGP peering for R1, R2, SW2, R3 and R5 as per the following requirements.

- Where possible, failure of a physical interface should not permanently affect BGP peer connections
- Minimize the number of BGP peering sessions; all BGP speakers in AS YY except SW2 must have only one iBGP peer
- All BGP routes on all devices must be valid routes

Configure BGP as per diagram

- BGP routes from BB1 must have community values 254 207 103 in AS YY
- BGP routes from BB2 must have community values 254 208 104 in AS YY
- Make sure that all BGP speakers in AS YY (even R2) point all BGP prefixes from AS 254 via BB1 only (their BGP next hop must be the IP address of the backbone device)

R1 / R2 / R3 / R5

router bgp YY

bgp router-id YY.YY.X.X
neighbor YY.YY.8.8 remote-as YY
neighbor YY.YY.8.8 update-source loopback0
neighbor YY.YY.8.8 send-community

SW2

router bgp YY
bgp router-id YY.YY.X.X

neighbor YY.YY.1.1 remote-as YY

neighbor YY.YY.1.1 update-source loopback 0
neighbor YY.YY.1.1 route-reflector-client
neighbor YY.YY.1.1 send-community

neighbor YY.YY.2.2 remote-as YY
neighbor YY.YY.2.2 update-source loopback 0
neighbor YY.YY.2.2 route-reflector-client
neighbor YY.YY.2.2 send-community

neighbor YY.YY.3.3 remote-as YY
neighbor YY.YY.3.3 update-source loopback 0
neighbor YY.YY.3.3 route-reflector-client
neighbor YY.YY.3.3 send-community

neighbor YY.YY.5.5 remote-as YY
neighbor YY.YY.5.5 update-source loopback 0
neighbor YY.YY.5.5 route-reflector-client
neighbor YY.YY.5.5 send-community

R2

neighbor 150.2.YY.254 remote-as 254
neighbor 150.2.YY.254 route-map BB2 in

route-map BB2 permit 10
set community 104 208 additive

R3

neighbor 150.1.YY.254 remote-as 254
neighbor 150.1.YY.254 route-map BB1 in

route-map BB1 permit 10
set local-preference 111
set community 103 207 additive

---------------------------------
2.7 Implement Performance Routing
---------------------------------
Implement PfR to achieve the following policies:

- R1 must be the Master and a Border Router, and R2 must be a Border Router
- Ensure that PfR sessions are established using the Lo0 interface only
- Specific traffic (marked with DSCP "CS2") from VLAN_44 to VLAN_55 must be routed via R1
- Other traffic (marked with DSCP "CS4") from VLAN_44 to VLAN_55 must be routed via R2
- Use an extended ACL with a single entry

- Use active probes only
- Your interfaces are allowed a maximum utilization of 80% on R1 and 90% on R2
- Your access-lists should specify only the source address and the DSCP value
- Your border routers must be directly connected. Create a GRE tunnel between them and use any subnet that is not used in your config
- Use the lowest load-interval on your external interfaces to monitor the load
- You must use "set mode select-exit good" everywhere in your config
- Configure a floating static default route with an AD of 250 on R1 and R2 facing the switches

- Disable the following global commands:
  max-range-utilization
  resolve utilization
  resolve range

- Use the following:
  monitor-period 1
  periodic-interval 0
  period rotation 90

R2

key chain PFR
key 1
key-string PFR

oer border
local loopback0
active-probe address source interface loopback 0
master y.y.1.1 key-chain PFR

int tunnel 12
tunnel source lo0
tunnel destination y.y.1.1
ip address y.y.11.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 y.y.42.10 250

R1

key chain PFR
key 1
key-string PFR

oer border

local loopback0
active-probe address source interface loopback 0
master y.y.1.1 key-chain PFR

int tunnel 12
tunnel source lo0
tunnel destination y.y.2.2
ip address y.y.11.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 y.y.17.7 250

ip access-list extended CS2
permit ip y.y.44.0 0.0.0.255 any dscp cs2

ip access-list extended CS4
permit ip y.y.44.0 0.0.0.255 any dscp cs4

oer-map PFR_MAP 10
match ip address access-list CS2
set mode select-exit good
set active-probe echo y.y.55.5
set link-group R1

oer-map PFR_MAP 20
match ip address access-list CS4
set mode select-exit good
set active-probe echo y.y.55.5
set link-group R2

oer master
logging
policy PFR_MAP
no max-range-utilization
no resolve utilization
no resolve range
periodic 90

border y.y.1.1 key-chain PFR
interface tunnel 12 internal
interface s0/0/0 internal
interface g0/0 external
max-xmit-utilization percentage 80
link-group R1

border y.y.2.2 key-chain PFR

interface tunnel 12 internal
interface s0/0/0 internal
interface g0/0 external
max-xmit-utilization percentage 90
link-group R2

learn
periodic-interval 0
monitor-period 1

---------------------------------
2.8 Implement Performance Routing
---------------------------------
Continue as per the following:

- Set the frequency of probes to the lowest value
- Make sure that all exits are probed constantly
- The voice traffic is sourced from VLAN_44, destined to the voice gateway R5 (YY.YY.55.5) and marked with DSCP "EF"
- Voice traffic should go through R1 if the delay is 40 ms and the jitter is 5 ms; it should fall back to R2 should these values not be met
- Your access-list should specify only the source address and the DSCP value

R1

ip access-list extended EF
permit ip y.y.44.0 0.0.0.255 any dscp ef

oer-map PFR_MAP 30
match ip address access-list EF
set mode select-exit good
set active-probe jitter y.y.55.5 target-port 16384 codec g729a
set delay threshold 40
set jitter threshold 5
set link-group R1

------------------
2.9 Implement IPv6
------------------

The IPv6 addresses are preconfigured for you. (ipv6 unicast-routing was enabled for me as well... check for it!)

- Configure OSPF Area 142 between R1, R2 and R4
- Configure IPv6 PIM sparse mode on the serial interfaces

- R4's interface f0/0 should be the static RP address (FEC1:CC1E:44::4) for the multicast group FFTS::4000:4000
- Determine the value of TS. The multicast stream should be a transient one and the scope should be 5, company-wide (transient flag T=1 and scope S=5 give FF15::4000:4000, the group used in the configuration)
- You should be able to ping the multicast group from R2's interface s0/0/0

R1

ipv6 multicast-routing
ipv6 cef

int g0/0
ipv6 ospf yy area 142
ipv6 mld join-group FF15::4000:4000

int s0/0/0
ipv6 ospf yy area 142

ipv6 router ospf yy
passive-interface g0/0

ipv6 pim rp-address fec1:cc1e:44::4

R2

ipv6 multicast-routing
ipv6 cef

int g0/0
ipv6 ospf yy area 142

int s0/0/0
ipv6 ospf yy area 142

ipv6 router ospf yy
passive-interface g0/0

ipv6 pim rp-address fec1:cc1e:44::4

R4

ipv6 multicast-routing
ipv6 cef

int f0/0
ipv6 ospf yy area 142

int f0/1
ipv6 ospf yy area 142

int s0/0/0
ipv6 ospf yy area 142

int s0/0/1
ipv6 ospf yy area 142

ipv6 router ospf yy
passive-interface f0/0
passive-interface f0/1

ipv6 pim rp-address fec1:cc1e:44::4 MCAST

ipv6 access-list MCAST
permit ipv6 any FF15::4000:4000/127

If you use /128 in the lab and apply this ACL to the static RP command, IOS warns you that you need a bigger mask and that /128 does not work.

------------------------------------
2.10 Implement Advanced IPv6 feature
------------------------------------

- In an attempt to reduce link-layer congestion, limit the rate at which all IPv6-enabled devices generate IPv6 ICMP error messages to 5 messages per second
- Enable NetFlow for IPv6 on R1 to monitor the traffic entering Area 142
- Export the flows every 3 hours to the server YY.YY.44.100 (port 9876)
- Use R1's Lo0 as the source address for the exports
- Aggregate the flows per destination and allow up to 20000 entries in the cache
- Inactive entries must be deleted from the cache after 2 minutes of inactivity

R1/R2/R4

ipv6 icmp error-interval 200 1

R1

ipv6 flow-export source Loopback0

ipv6 flow-aggregation cache destination-prefix
export template timeout-rate 180
cache entries 20000
cache timeout inactive 120
export version 9
export destination YY.YY.44.100 9876
enabled

int g0/0
ipv6 flow ingress

--------------------------
Section 3 – IP Multicast
--------------------------
3.1 IPv4 Multicast

- There is a multicast source on VLAN 44 and the clients are located on the BB3 subnet (150.3.YY.0/24). Use a dynamic protocol that supports PIM v1 and v2
- Configure R1 and R2 loopback0 to be rendezvous points (RPs)
- Ensure that R2 is the preferred RP rather than R1
- Simulate clients that have sent requests to join the multicast group 239.YY.YY.1
- Make sure R4 f0/0 is able to ping this multicast IP

Note:

For IOU:

int vlan 123

no ip mfib cef input

no ip mfib cef output

R4

ip multicast-routing

int lo0
ip pim sparse-mode

int s0/0/0
ip pim sparse-mode

int s0/0/1
ip pim sparse-mode

int f0/0
ip pim sparse-mode

ip pim autorp listener

ip pim send-rp-discovery lo0 scope 16

R1 - R2

ip multicast-routing

int lo0
ip pim sparse-mode

int s0/0/0
ip pim sparse-mode

int g0/0
ip pim sparse-mode

ip pim autorp listener

ip pim send-rp-announce lo0 scope 16

SW1

ip multicast-routing distributed

int f0/1
ip pim sparse-mode

int vlan 123
ip pim sparse-mode

ip pim autorp listener

SW2

ip multicast-routing distributed

int vlan 33
ip pim sparse-mode

ip igmp join-group 239.y.y.1

int vlan 123
ip pim sparse-mode

ip pim autorp listener

SW3

ip multicast-routing distributed

int vlan 123
ip pim sparse-mode

ip pim autorp listener

SW4

ip multicast-routing distributed

int vlan 123
ip pim sparse-mode

int vlan 42
ip pim sparse-mode

ip pim autorp listener

--------------
3.2 PIM Tuning
--------------

- Ensure that PIM register messages reach the RP via SW1
- PIM register messages should reach the RP upstream via SW1; if SW1 goes down, PIM register messages should reach the RP via one of the other switches
- VLAN 33 should not receive any RP messages

SW1:

int vlan 123
ip pim dr-priority <MAX VALUE>

SW2:

access-list 1 deny 224.0.1.39

access-list 1 deny 224.0.1.40
access-list 1 permit any

int vlan 33
ip multicast boundary 1 filter-autorp

SW4:

int vlan 123
ip pim dr-priority <MAX VALUE-1>

-----------------------------
Section 4 – Advanced Services
-----------------------------
4.1 Network Address Translations (NAT)

You are required to implement NAT. You need to match the output in the screenshots provided.

- Do not propagate any prefix from the network 100.0.0.0/8 in any routing protocol
- You are allowed to add one /24 static route on four devices
- Do not add any static route on R4

Screenshot:
SW1# ping 100.100.42.10 source lo 100
SW4# ping 100.100.17.7 source lo 100

R4: show ip nat translations
Pro   Inside global      Inside local     Outside local      Outside global
icmp  100.100.17.7:N     YY.YY.17.7:0     100.100.42.10:0    100.100.42.10:0
icmp  100.100.17.7:N     YY.YY.17.7:0     YY.YY.42.10:0      YY.YY.42.10:0
icmp  100.100.42.10:N    YY.YY.42.10:0    YY.YY.17.7:0       YY.YY.17.7:0
icmp  100.100.42.10:N    YY.YY.42.10:0    100.100.17.7:0     100.100.17.7:0

SW1

interface loopback100
ip address 100.100.17.7 255.255.255.255

ip route 100.100.42.0 255.255.255.0 YY.YY.17.1

R1

ip route 100.100.42.0 255.255.255.0 YY.YY.14.4

SW4

interface loopback100
ip address 100.100.42.10 255.255.255.255

ip route 100.100.17.0 255.255.255.0 YY.YY.42.2

R2

ip route 100.100.17.0 255.255.255.0 YY.YY.24.4

R4

interface serial0/0/0
ip nat outside

interface serial0/0/1
ip nat outside

ip nat inside source static YY.YY.17.7 100.100.17.7
ip nat inside source static YY.YY.42.10 100.100.42.10

-----------
4.2 MLS QoS
-----------
Configure your four switches according to the following requirements.

- Make sure that ports SW1 f0/1 to SW1 f0/5 mark all untagged packets with "COS 1"
- Make sure that these ports trust the COS value if packets are already marked
- Ensure that all switches queue packets marked with "COS 1" in ingress queue #1
- Ensure that all switches drop ingress traffic marked with "COS 1" when the respective ingress queue level is between 40 and 100 percent
- Ensure that the switches do not drop packets marked with "COS 5" in ingress until the respective ingress queue is completely full

SW1-SW4

mls qos
mls qos srr-queue input threshold 1 40 100

interface range fastethernet 0/19 - 24
mls qos trust cos

SW1

interface range fastethernet 0/1 - 5
mls qos cos 1
mls qos trust cos

---------------------------------------------------
4.3 QoS – Class Based Weighted Fair Queuing (CBWFQ)
---------------------------------------------------
The IT administrator requires that you implement QoS.

- For traffic coming from BB2, allocate 10000 kbps on R2 g0/0
- For traffic coming from BB1, allocate 1000 kbps on R3 s0/0/0
- This should not affect any traffic other than the traffic entering from these links

R2

class-map BB2
match input-interface fastethernet0/1

policy-map CBWFQ
class BB2
bandwidth 10000

interface g0/0
service-policy output CBWFQ

R3

class-map BB1
match input-interface g0/0

policy-map CBWFQ
class BB1
bandwidth 1000

interface serial0/0/0
service-policy output CBWFQ

---------------------------------------------
4.4 Implement Routing Protocol Authentication
---------------------------------------------
Secure OSPF area 0 according to the following requirements:

- Use the strongest authentication type
- The password must be saved in clear text in the config and must be "cisco"
- You are not allowed to use any commands under the router configuration

SW1-SW4

no service password-encryption

interface vlan 123
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco

------------------
4.5 Implement DHCP
------------------
R4 has been configured to provide the following parameters for DHCP clients on VLAN 44:

- IP addresses
- DNS servers YY.YY.55.50 and YY.YY.55.51
- Domain name cisco.com
- Default gateway YY.YY.44.4

- The administrator wants the DHCP deployment to be as secure as possible. Complete the DHCP configuration on R4 and SW1 according to the following requirements
- Protect users in VLAN 44 from rogue DHCP servers
- Ensure that only R4 services the DHCP requests
- Disable the insertion and removal of the option-82 field
- Protect the DHCP server from DHCP attacks originating from SW1 port Fa0/14, which may lead to resource exhaustion, and ensure that a maximum of 3 different hosts can still connect to that port (shut down the port when a violation occurs)
- Make sure that SW1 Fa0/14 is enabled and provisioned so that the customer only needs to connect the printer to the port

R4

ip dhcp excluded-address y.y.44.100
ip dhcp excluded-address y.y.44.200

SW1

ip dhcp snooping
ip dhcp snooping vlan 44

no ip dhcp snooping information option

interface fastethernet0/4
ip dhcp snooping trust

interface fastethernet0/14
switchport mode access
switchport access vlan 44
switchport port-security
switchport port-security maximum 3
switchport port-security violation shutdown
ip dhcp snooping limit rate 150
no shutdown

------------------------------
4.6 Implement Layer 2 Security
------------------------------
Continue securing the DHCP deployment according to the following requirements:

- In the near future the customer will connect a printer to SW1's Fa0/14 in VLAN 44 and assign it the static IP address YY.YY.44.100. The printer's MAC address is abcd.abcd.abcd
- Ensure that the printer is able to communicate with the users on VLAN 44 and ensure that your solution survives a reload (use the file flash:CCIE.TXT)
- Enable a feature on the switch to dynamically protect interface Fa0/14 against spoofed IP packets and ARP requests

SW1

ip dhcp snooping database flash:CCIE.TXT
(after 300 s the binding added below is written into that file; check with "more flash:CCIE.TXT")
ip arp inspection vlan 44

(in exec mode)
ip dhcp snooping binding abcd.abcd.abcd vlan 44 YY.YY.44.100 interface fastEthernet 0/14 expiry <MAX VALUE>

int f0/4
ip arp inspection trust

int f0/14
ip verify source
(checks the source IP only; "ip verify source port-security" additionally checks the source MAC)

--------------------------------------------
4.7 Web Caching Communication Protocol (WCCP)
--------------------------------------------
Configure WCCP on R4 according to the following requirements:

- There will be a WAAS appliance connected to interface Fa0/1
- Any traffic from any client connected to Fa0/0 going out of the 2 serial interfaces must be redirected to the WAAS server on Fa0/1

- Traffic redirected from the server to the clients must use WCCP service 61
- Traffic redirected from the clients to the server must use WCCP service 62
- Traffic that is being sent from R1 to R2 and from R2 to R1 is not allowed to be redirected

R4

ip wccp version 2
ip wccp 61 redirect-list CLIENTS_IN
ip wccp 62 redirect-list CLIENTS_OUT

ip access-list extended CLIENTS_OUT
permit ip y.y.44.0 0.0.0.255 any

ip access-list extended CLIENTS_IN
permit ip any y.y.44.0 0.0.0.255

ip wccp check services all

int f0/0
ip wccp 62 redirect in

int s0/0/0
ip wccp 61 redirect in

int s0/0/1
ip wccp 61 redirect in

int f0/1
ip wccp redirect exclude in

--------------------------------
Section 5 – Optimize the Network
--------------------------------
5.1 Implement SNMP

- On R5 implement SNMP to send traps to an NMS system
- Use the community string CiscoWorks
- The NMS system is located at YY.YY.55.240, which is the only SNMP manager that should be able to use this community string
- The SNMP manager should be able to modify any MIB on R5
- Configure R5 to send BGP traps

R5

snmp-server community CiscoWorks RW 1
snmp-server enable traps bgp
snmp-server host YY.YY.55.240 CiscoWorks bgp

access-list 1 permit YY.YY.55.240

--------------------------
5.2 Embedded Event Manager
--------------------------
Configure 2 EEM scripts, one of them enabling OSPF debugging if the OSPF neighborship of R3 goes down.

- Configure R3 with the event manager applet "ENABLE_OSPF_DEBUG" for when the OSPF adjacency to R5 goes down
- It should enable "debug ip ospf event" and "debug ip ospf adj"
- Configure another EEM applet "DISABLE_OSPF_DEBUG" for when the OSPF neighborship with R5 comes up. It should disable all debug messages
- Make sure that each event generates a syslog message with a priority of 6 that shows the name of the event being activated
- These logs should be seen both on the console and in the log buffer
- You MUST be able to have these events run on R3 when R5 bounces its interface

event manager applet ENABLE_OSPF_DEBUG
event syslog pattern ".*%OSPF-5-ADJCHG: Process y, Nbr y.y.5.5 on Serial0/0/0 from FULL to DOWN.*"
action 1.0 cli command "enable"
action 2.0 cli command "debug ip ospf event"
action 3.0 cli command "debug ip ospf adj"
action 4.0 syslog priority informational msg "ENABLE_OSPF_DEBUG"

event manager applet DISABLE_OSPF_DEBUG
event syslog pattern ".*%OSPF-5-ADJCHG: Process y, Nbr y.y.5.5 on Serial0/0/0 from LOADING to FULL.*"
action 1.0 cli command "enable"
action 2.0 cli command "undebug all"
action 3.0 syslog priority informational msg "DISABLE_OSPF_DEBUG"

logging on
logging console debugging
logging buffered debugging
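A dry run of the two applets against constructed syslog lines, as an added Python example that is not part of the lab notes: it mirrors the applets' syslog patterns and shows which lines fire which actions. Process id 1 and router-id 10.10.5.5 are constructed stand-ins for the lab's "y" and "y.y.5.5".

```python
"""Dry run of the 5.2 EEM applets against constructed syslog lines (added example, not from the lab notes).

EEM `event syslog pattern` is a regular expression tested against every syslog
message, so the two applets can be mirrored here to see which messages trigger
which actions. Process id 1 and neighbour 10.10.5.5 are constructed stand-ins
for the lab's "y" and "y.y.5.5".
"""
import re

OSPF_PROCESS = "1"           # stands in for the lab's OSPF process "y"
R5_ROUTER_ID = "10.10.5.5"   # stands in for y.y.5.5 (R5's Lo0)

# (applet name, event syslog pattern, CLI actions), as in the page's two applets.
# re.escape keeps the dots in the router-id literal; the IOS pattern on the page
# leaves them as regex wildcards, which works but is looser than it needs to be.
APPLETS = [
    ("ENABLE_OSPF_DEBUG",
     rf".*%OSPF-5-ADJCHG: Process {OSPF_PROCESS}, Nbr {re.escape(R5_ROUTER_ID)} "
     rf"on Serial0/0/0 from FULL to DOWN.*",
     ["enable", "debug ip ospf event", "debug ip ospf adj"]),
    ("DISABLE_OSPF_DEBUG",
     rf".*%OSPF-5-ADJCHG: Process {OSPF_PROCESS}, Nbr {re.escape(R5_ROUTER_ID)} "
     rf"on Serial0/0/0 from LOADING to FULL.*",
     ["enable", "undebug all"]),
]

# Constructed syslog lines in the IOS %OSPF-5-ADJCHG format: R5 drops, a
# different neighbour drops on another interface, then R5 comes back.
SAMPLE_SYSLOG = [
    "*Mar  1 00:10:01.123: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.5.5 on Serial0/0/0 "
    "from FULL to DOWN, Neighbor Down: Interface down or detached",
    "*Mar  1 00:10:42.456: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.3.3 on Serial0/0/1 "
    "from FULL to DOWN, Neighbor Down: Dead timer expired",
    "*Mar  1 00:11:05.789: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.5.5 on Serial0/0/0 "
    "from LOADING to FULL, Loading Done",
]


def run_applets(syslog_lines):
    """Return one record per (line, applet) match: the CLI the applet would run
    and the informational (priority 6) syslog it emits, which carries the applet
    name as the task requires. Lines for other neighbours match nothing."""
    fired = []
    for line in syslog_lines:
        for name, pattern, actions in APPLETS:
            if re.search(pattern, line):
                fired.append({"applet": name, "cli": actions,
                              "syslog_priority": 6, "syslog_msg": name})
    return fired


if __name__ == "__main__":
    for rec in run_applets(SAMPLE_SYSLOG):
        print(rec["applet"], "->", "; ".join(rec["cli"]))
```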