
LAB2 Solution Final

CCIE-DC Lab2 Solution Final

Page 1: LAB2 Solution Final

1.1 - DC2: Allocate ports and resources to VDCs

In Data Center 2 (DC2), there is one Cisco Nexus 7000 switch. On this switch, VDCs are pre-configured for you. During this task you will assign ports and resources to these VDCs.

- DC2-N7K-1 is the default VDC.
- DC2-N7K-3 and DC2-N7K-4 are non-default VDCs.

In DC2, allocate ports to VDCs as shown in this table:

| Device Name | ID | Ports | Type |
| DC2-N7K-1 | 1 | Ethernet 3/1-8, Ethernet 4/1-16 | Ethernet |
| DC2-N7K-3 | 3 | Ethernet 3/17-24, Ethernet 4/17-24 | Ethernet |
| DC2-N7K-4 | 4 | Ethernet 3/25-32, Ethernet 4/25-32 | Ethernet |

In DC2, you must configure resources for the VDCs. Use resource templates to perform this task. Create and apply VDC resource templates as shown in this table:

| Template Name | VDC Name | Resource | Minimum | Maximum |
| otv-template | DC2-N7K-1 | VRF | 8 | 16 |
| | | VLAN | 16 | 32 |
| | | Port-Channel | 0 | 32 |
| switch-template | DC2-N7K-3 & DC2-N7K-4 | VRF | 16 | 32 |
| | | VLAN | 64 | 128 |
| | | Port-Channel | 32 | 64 |

In DC2, make sure that these high-availability policies are applied to the VDCs:

- High-availability policy for DC2-N7K-1 must be RESET.
- High-availability policy for DC2-N7K-3 and DC2-N7K-4 must be BRINGDOWN.

(2 Points)

DC2-N7K-1

    license grace-period
    no vdc combined-hostname
    !
    vdc resource template otv-template
      limit-resource vrf minimum 8 maximum 16
      limit-resource vlan minimum 16 maximum 32
      limit-resource port-channel minimum 0 maximum 32
    !
    vdc resource template switch-template
      limit-resource vrf minimum 16 maximum 32
      limit-resource vlan minimum 64 maximum 128
      limit-resource port-channel minimum 32 maximum 64
    !
    system hap-reset
    !
    vdc DC2-N7K-1 id 1
      template otv-template
      ha-policy single-sup reload
      allocate interface ethernet 3/1-8,ethernet 4/1-16
    !
    vdc DC2-N7K-3 id 3
      template switch-template
      ha-policy single-sup bringdown dual-sup bringdown
      allocate interface ethernet 3/17-24,ethernet 4/17-24
    !
    vdc DC2-N7K-4 id 4
      template switch-template
      ha-policy single-sup bringdown dual-sup bringdown
      allocate interface ethernet 3/25-32,ethernet 4/25-32
    !

Verification:

    DC2-N7K-1# show running-config vdc
    DC2-N7K-1# show vdc membership
    DC2-N7K-1# show vdc detail
    DC2-N7K-1# show resource
    DC2-N7K-1# show vdc resource template

1.2 - DC2: Implement VLANs

You must configure VLANs in Data Center 2. These VLANs will be used later in the exam. Assign the correct name and type as outlined here. Configure these VLANs on DC2-N7K-1:

| Device | VLAN ID | Name | VLAN Mode |
| DC2-N7K-1 | 90 | dci-site | Classic Ethernet |
| | 4001 | dci-data1 | Classic Ethernet |
| | 4002 | dci-data2 | Classic Ethernet |
| DC2-N7K-3, DC2-N7K-4 | 30 | iscsi | FabricPath |
| | 40 | Esx-mgmt | FabricPath |
| | 50 | Dmz | FabricPath |
| | 4001 | dci-data1 | Classic Ethernet |
| | 4002 | dci-data2 | Classic Ethernet |
| DC2-N5K-1, DC2-N5K-2 | 30 | iscsi | FabricPath |
| | 40 | esx-mgmt | FabricPath |
| | 50 | Dmz | FabricPath |
| | 70 | Vm-data | Classic Ethernet |
| | 71 | Vm-data-nat | Classic Ethernet |
| | 72 | Ace-ft | Classic Ethernet |

(1 Point)

DC2-N7K-1

    install feature-set fabricpath
    vlan 90
      name dci-site
    vlan 4001
      name dci-data1
    vlan 4002
      name dci-data2
    !

DC2-N7K-3

    feature-set fabricpath
    vlan 30
      name iscsi
      mode fabricpath
    vlan 40
      name esx-mgmt
      mode fabricpath
    vlan 50
      name dmz
      mode fabricpath
    vlan 4001
      name dci-data1
    vlan 4002
      name dci-data2

DC2-N7K-4

    feature-set fabricpath
    vlan 30
      name iscsi
      mode fabricpath
    vlan 40
      name esx-mgmt
      mode fabricpath
    vlan 50
      name dmz
      mode fabricpath
    vlan 4001
      name dci-data1
    vlan 4002
      name dci-data2
    !

DC2-N5K-1

    install feature-set fabricpath
    feature-set fabricpath
    !
    vlan 30
      name iscsi
      mode fabricpath
    vlan 40
      name esx-mgmt
      mode fabricpath
    vlan 50
      name dmz
      mode fabricpath
    vlan 70
      name vm-data
    vlan 71
      name vm-data-nat
    vlan 72
      name ace-ft
    !

DC2-N5K-2

    install feature-set fabricpath
    feature-set fabricpath
    !
    vlan 30
      name iscsi
      mode fabricpath
    vlan 40
      name esx-mgmt
      mode fabricpath
    vlan 50
      name dmz
      mode fabricpath
    vlan 70
      name vm-data
    vlan 71
      name vm-data-nat
    vlan 72
      name ace-ft
    !

Verification:

    DC2-N7K-1# show vlan
    DC2-N7K-3# show vlan
    DC2-N7K-4# show vlan
    DC2-N5K-1# show vlan
    DC2-N5K-2# show vlan

1.3 - DC2: Configure Layer 2 Links

In this task, you must configure Layer 2 port channels and trunk ports between Data Center 2 switches. Configure the Layer 2 port channel between DC2-N7K-3 and DC2-N7K-4. Use this information to complete this task:

- Use port channel number 200.
- Allow only VLANs 90, 4001, and 4002 on the port channel.
- Do not use LACP.

Port assignments are as follows:

| VDC Name | Port Channel | Member Port |
| DC2-N7K-3 | 200 | Ethernet 4/18-19 |
| DC2-N7K-4 | 200 | Ethernet 4/26-27 |

DC2-N7K-1 and DC2-N7K-3 are connected using a Layer 2 link and a Layer 3 link. Configure the Layer 2 link between these switches as a trunk port.

Use the following information to complete this task:

- Use VLAN 1 as the native VLAN.
- Allow only VLAN 90, 4001, 4002 on the port channel.

| VDC Name | Trunk Port | Mode |
| DC2-N7K-1 | Ethernet 4/12 | Layer 2 |
| DC2-N7K-3 | Ethernet 4/20 | Layer 2 |

(1 Point)

DC2-N7K-3

    interface ethernet 4/18-19
      channel-group 200
      no shutdown
    !
    interface port-channel 200
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 90,4001,4002
      no shutdown
    !
    interface ethernet 4/20
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 90,4001,4002
      switchport trunk native vlan 1
      no shutdown
    !

DC2-N7K-4

    interface ethernet 4/26-27
      channel-group 200
      no shutdown
    !
    interface port-channel 200
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 90,4001,4002
      no shutdown
    !

DC2-N7K-1

    interface ethernet 4/12
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 90,4001,4002
      switchport trunk native vlan 1
      no shutdown
    !

Verification:

    DC2-N7K-4# show interface port-channel 200 trunk
    DC2-N7K-3# show interface port-channel 200 trunk
    DC2-N7K-3# show interface ethernet 4/20 trunk
    DC2-N7K-1# show interface ethernet 4/12 trunk

1.4 - DC2: Configure Fabric Path

In DC2, enable FabricPath IS-IS routing between DC2-N7K-3, DC2-N7K-4, DC2-N5K-1, and DC2-N5K-2. Perform these tasks:

- Ensure that all of the switches that are listed use the FabricPath network for Layer 2 switching between them.
- The port channel between DC2-N7K-3 and DC2-N7K-4 will not participate in FabricPath.
- Create a port channel between DC2-N5K-1 and DC2-N5K-2, and enable FabricPath on the port channel. Use any number for the port channel.
- Configure switch ID 30, 40, 50, and 60 on DC2-N7K-3, DC2-N7K-4, DC2-N5K-1, and DC2-N5K-2 respectively.
- Allow 20 seconds to detect any switch ID conflicts in the FabricPath domain.
- Make sure that only two equal cost paths are selected in the FabricPath domain.
- Make sure that DC2-N7K-3 and DC2-N7K-4 use DC2-N5K-1 and DC2-N5K-2 as equal cost paths.

(3 points)

DC2-N7K-3

    fabricpath switch-id 30
    fabricpath timers linkup-delay 20
    !
    fabricpath domain default
      maximum-paths 2
    !
    interface ethernet 3/21-24
      switchport mode fabricpath
      no shutdown
    !
    interface ethernet 3/21, ethernet 3/23
      fabricpath isis metric 50
      no shutdown
    !

DC2-N7K-4

    fabricpath switch-id 40
    fabricpath timers linkup-delay 20
    !
    fabricpath domain default
      maximum-paths 2
    !
    interface ethernet 3/29-32
      switchport mode fabricpath
      no shutdown
    !
    interface ethernet 3/29, ethernet 3/31
      fabricpath isis metric 50
      no shutdown
    !

DC2-N5K-1

    feature lacp
    !
    fabricpath switch-id 50
    fabricpath timers linkup-delay 20
    !
    fabricpath domain default
      maximum-paths 2
    !
    interface ethernet 1/21-24
      switchport mode fabricpath
      no shutdown
    !
    interface ethernet 1/21, ethernet 1/24
      fabricpath isis metric 50
      no shutdown
    !
    interface ethernet 1/10-11
      channel-group 200 mode active
      no shutdown
    !
    interface port-channel 200
      switchport mode fabricpath
      no shutdown
    !

DC2-N5K-2

    feature lacp
    !
    fabricpath switch-id 60
    fabricpath timers linkup-delay 20
    !
    fabricpath domain default
      maximum-paths 2
    !
    interface ethernet 1/10-11
      channel-group 200 mode active
      no shutdown
    !
    interface port-channel 200
      switchport mode fabricpath
      no shutdown
    !
    interface ethernet 1/23-24, ethernet 1/29-30
      switchport mode fabricpath
      no shutdown
    !
    interface ethernet 1/23, ethernet 1/29
      fabricpath isis metric 50
      no shutdown
    !

Verification:

    DC2-N5K-1# show fabricpath route
    DC2-N5K-2# show fabricpath route
    DC2-N7K-3# show fabricpath route
    DC2-N7K-4# show fabricpath route
    DC2-N5K-1# show fabricpath timers
    DC2-N5K-2# show fabricpath timers
    DC2-N7K-3# show fabricpath timers
    DC2-N7K-4# show fabricpath timers

1.5 - DC2: Configure vPC+ to Cisco UCS

In DC2, configure vPC domain 20 between DC2-N5K-1 and DC2-N5K-2. Perform these tasks:

- Make sure that N5K-1 is always the vPC primary switch.
- Use port channel ID 200 for the vPC peer link.
- Do not add any new Layer 3 interfaces.
- Use switch ID value 70.
- Use port channel ID 10 toward Fabric Interconnect A (FI-A).
- Use port channel ID 20 toward Fabric Interconnect B (FI-B).
- Port channels to Cisco UCS should be configured as IEEE 802.1Q trunk interfaces that allow only VLANs 30, 40, 70, and 71.
- Make sure that port channels 10 and 20 come up without waiting for the standard forward-time delay.
- In a few months, our server team will connect a single-leg server on VLAN 300 that is connected to N5K-2. Make sure that the interface does not go down in a dual-active scenario.
- Make sure that vPC peer devices are the primary devices on LACP and use priority value 2500.

(3 Points)

DC2-N5K-1

    feature vpc
    !
    vpc domain 20
      role priority 1
      fabricpath switch-id 70
      system-priority 2500
      peer-keepalive destination 10.4.12.152
    !
    interface port-channel 200
      vpc peer-link
      no shutdown
    !
    interface ethernet 1/6
      channel-group 10 mode active
      no shutdown
    !
    interface ethernet 1/7
      channel-group 20 mode active
      no shutdown
    !
    interface port-channel 10
      switchport mode trunk
      switchport trunk allowed vlan 30,40,70,71
      spanning-tree port type edge trunk
      vpc 10
      no shutdown
    !
    interface port-channel 20
      switchport mode trunk
      switchport trunk allowed vlan 30,40,70,71
      spanning-tree port type edge trunk
      vpc 20
      no shutdown
    !

DC2-N5K-2

    feature vpc
    !
    vpc domain 20
      fabricpath switch-id 70
      system-priority 2500
      peer-keepalive destination 10.4.12.151
      dual-active exclude interface-vlan 300
    !
    interface port-channel 200
      vpc peer-link
      no shutdown
    !
    interface ethernet 1/7
      channel-group 10 mode active
      no shutdown
    !
    interface ethernet 1/6
      channel-group 20 mode active
      no shutdown
    !
    interface port-channel 10
      switchport mode trunk
      switchport trunk allowed vlan 30,40,70,71
      spanning-tree port type edge trunk
      vpc 10
      no shutdown
    !
    interface port-channel 20
      switchport mode trunk
      switchport trunk allowed vlan 30,40,70,71
      spanning-tree port type edge trunk
      vpc 20
      no shutdown
    !

Verification:

    DC2-N5K-1# show vpc
    DC2-N5K-2# show vpc
    DC2-N5K-1# show port-channel summary
    DC2-N5K-2# show port-channel summary

1.6 - DC2: Configure FEX

In Data Center 2 (DC2), configure active/active connections from DC2-N5K-1 and DC2-N5K-2 to the FEX. Use FEX 103 and 104 as indicated in this figure. Make sure both FEX instances skip any bootup tests.

(2 Points)

DC2-N5K-1

    feature fex
    !
    fex 103
      diagnostic bootup level bypass
    !
    fex 104
      diagnostic bootup level bypass
    !
    interface ethernet 1/1-2
      channel-group 103
      no shutdown
    !
    interface ethernet 1/3-4
      channel-group 104
      no shutdown
    !
    interface port-channel 103
      switchport mode fex-fabric
      fex associate 103
      vpc 103
      no shutdown
    !
    interface port-channel 104
      switchport mode fex-fabric
      fex associate 104
      vpc 104
      no shutdown
    !

DC2-N5K-2

    feature fex
    !
    fex 103
      diagnostic bootup level bypass
    !
    fex 104
      diagnostic bootup level bypass
    !
    interface ethernet 1/3-4
      channel-group 103
      no shutdown
    !
    interface ethernet 1/1-2
      channel-group 104
      no shutdown
    !
    interface port-channel 103
      switchport mode fex-fabric
      fex associate 103
      vpc 103
      no shutdown
    !
    interface port-channel 104
      switchport mode fex-fabric
      fex associate 104
      vpc 104
      no shutdown
    !

Verification:

    DC2-N5K-1# show fex
    DC2-N5K-2# show fex

1.7 - DC2: Implement Cisco NX-OS Layer 3 functionality

You must now configure Layer 3 interfaces on the Cisco Nexus 7000 switches in DC2. Configure the following:

- WAN Layer 3 interfaces on DC2-N7K-3 and DC2-N7K-4
- Layer 3 link between DC2-N7K-3 and DC2-N7K-1
- Loopback interfaces on DC2-N7K-1, DC2-N7K-3, and DC2-N7K-4

WAN interfaces connect the Cisco Nexus 7000 switch to the WAN switch. The WAN switch is preconfigured. No configuration is necessary on your part.

Configure the WAN IP addresses as shown in this table:

| Device Name | Interface | IP Address | Subnet Mask |
| DC2-N7K-3 | Ethernet 4/23 | 10.4.1.9 | 30 |
| DC2-N7K-4 | Ethernet 4/31 | 10.4.1.13 | 30 |

Make sure that the jumbo frame size of 9100 bytes is allowed on the WAN. DC2-N7K-1 and DC2-N7K-3 are connected with a Layer 2 link and Layer 3 link. Configure the Layer 3 link between these switches.

In DC2, configure the Layer 3 link between DC2-N7K-1 and DC2-N7K-3:

| Device Name | Interface | IP Address | Subnet Mask |
| DC2-N7K-1 | Ethernet 4/5 | 10.4.1.22 | 30 |
| DC2-N7K-3 | Ethernet 4/24 | 10.4.1.21 | 30 |

In DC2, configure the loopback IP addresses as shown in this table:

| Device Name | Interface | IP Address | Subnet Mask |
| DC2-N7K-1 | Loopback 0 | 10.0.2.1 | 32 |
| DC2-N7K-3 | Loopback 0 | 10.0.2.3 | 32 |
| DC2-N7K-4 | Loopback 0 | 10.0.2.4 | 32 |

(2 Points)

DC2-N7K-1

    interface loopback 0
      ip address 10.0.2.1/32
      no shutdown
    !
    interface ethernet 4/5
      ip address 10.4.1.22/30
      mtu 9100
      no shutdown
    !

DC2-N7K-3

    interface loopback 0
      ip address 10.0.2.3/32
      no shutdown
    !
    interface ethernet 4/23
      ip address 10.4.1.9/30
      mtu 9100
      no shutdown
    !
    interface ethernet 4/24
      ip address 10.4.1.21/30
      mtu 9100
      no shutdown
    !

DC2-N7K-4

    interface loopback 0
      ip address 10.0.2.4/32
      no shutdown
    !
    interface ethernet 4/31
      ip address 10.4.1.13/30
      mtu 9100
      no shutdown
    !

Verification:

    DC2-N7K-1# show ip interface brief
    DC2-N7K-3# show ip interface brief
    DC2-N7K-4# show ip interface brief

1.8 - DC2: Configure SVI and HSRP

In DC2, configure the switch virtual interfaces as shown in this table:

| Device Name | Interface | IP Address | Subnet Mask |
| DC2-N7K-3 | VLAN 40 | 10.1.40.252 | 24 |
| | VLAN 4001 | 10.1.41.252 | 24 |
| | VLAN 4002 | 10.1.42.252 | 24 |
| DC2-N7K-4 | VLAN 40 | 10.1.40.253 | 24 |
| | VLAN 4001 | 10.1.41.253 | 24 |
| | VLAN 4002 | 10.1.42.253 | 24 |

In DC2, configure HSRP on DC2-N7K-3 and DC2-N7K-4 as shown in this table:

| VLAN | Virtual IP Address | Group | Active | MD5 Key |
| VLAN 40 | 10.1.40.254 | 2 | ANY | CCIEDC |
| VLAN 4001 | 10.1.41.254 | 2 | DC2-N7K-3 | CCIEDC |
| VLAN 4002 | 10.1.42.254 | 2 | DC2-N7K-3 | CCIEDC |

Use any key chain name. Make sure that HSRP waits 3 seconds before detecting a neighbor down instance. Also make sure that DC2-N7K-3 is always the active router for VLAN 4001 and VLAN 4002.

(2 Points)

DC2-N7K-3

    feature interface-vlan
    feature hsrp
    !
    key chain ABC
      key 0
        key-string CCIEDC
    !
    interface vlan 40
      no shutdown
      ip address 10.1.40.252/24
      hsrp version 2
      hsrp 2
        ip 10.1.40.254
        authentication md5 key-chain ABC
        timers 1 3
    !
    interface vlan 4001
      no shutdown
      ip address 10.1.41.252/24
      hsrp version 2
      hsrp 2
        ip 10.1.41.254
        preempt
        priority 255
        authentication md5 key-chain ABC
        timers 1 3
    !
    interface vlan 4002
      no shutdown
      ip address 10.1.42.252/24
      hsrp version 2
      hsrp 2
        ip 10.1.42.254
        preempt
        priority 255
        authentication md5 key-chain ABC
        timers 1 3
    !

DC2-N7K-4

    feature interface-vlan
    feature hsrp
    !
    key chain ABC
      key 0
        key-string CCIEDC
    !
    interface vlan 40
      no shutdown
      ip address 10.1.40.253/24
      hsrp version 2
      hsrp 2
        ip 10.1.40.254
        authentication md5 key-chain ABC
        timers 1 3
    !
    interface vlan 4001
      no shutdown
      ip address 10.1.41.253/24
      hsrp version 2
      hsrp 2
        ip 10.1.41.254
        authentication md5 key-chain ABC
        timers 1 3
    !
    interface vlan 4002
      no shutdown
      ip address 10.1.42.253/24
      hsrp version 2
      hsrp 2
        ip 10.1.42.254
        authentication md5 key-chain ABC
        timers 1 3
    !

Verification:

    DC2-N7K-3# show hsrp brief
    DC2-N7K-4# show hsrp brief

1.9 - DC2: Implement Cisco NX-OS Layer 3 Routing

In DC2, set up EIGRP. Enable EIGRP within DC2 devices and on the connectivity to the WAN. Make sure that fast failure detection is enabled. The core WAN router is preconfigured with EIGRP.

Perform these tasks on DC2-N7K-1:

- Configure EIGRP with AS number 1.
- Use the loopback 0 address as the router ID.
- Configure interfaces E4/5 in EIGRP.
- You are not permitted to use static routes.

Perform these tasks on DC2-N7K-3:

- Configure EIGRP with AS number 1.
- Use the loopback 0 address as the router ID.
- Configure interface E4/23 and E4/24 in EIGRP.
- Advertise these SVIs into EIGRP:
    o VLAN 40
    o VLAN 4001
    o VLAN 4002
- You are not permitted to use static routes.
- You are not permitted to configure EIGRP on the VLAN interface.
- Make sure that a summary route is sent for VLAN 40, VLAN 4001, and VLAN 4002.

Perform these tasks on DC2-N7K-4:

- Configure EIGRP with AS number 1.
- Use the loopback 0 address as the router ID.
- Configure interface E4/31 in EIGRP.
- Advertise these SVIs into EIGRP:
    o VLAN 40
    o VLAN 4001
    o VLAN 4002
- You are not permitted to use static routes.
- You are not permitted to configure EIGRP on the VLAN interface.
- Make sure that a summary route is sent for VLAN 40, VLAN 4001, and VLAN 4002.

(3 Points)

DC2-N7K-1

    feature eigrp
    feature bfd
    !
    router eigrp 1
      bfd
      autonomous-system 1
      router-id 10.0.2.1
      no shutdown
    !
    interface ethernet 4/5
      ip router eigrp 1
      no ip redirects
      no shutdown
    !

DC2-N7K-3

    feature eigrp
    feature bfd
    !
    router eigrp 1
      bfd
      autonomous-system 1
      router-id 10.0.2.3
      no shutdown
    !
    interface ethernet 4/23
      ip router eigrp 1
      ip summary-address eigrp 1 10.1.40.0/22
      no ip redirects
      no shutdown
    !
    interface ethernet 4/24
      ip router eigrp 1
      ip summary-address eigrp 1 10.1.40.0/22
      no ip redirects
      no shutdown
    !
    route-map EIGRP-RED permit 10
      match interface vlan 40 vlan 4001 vlan 4002
    !
    router eigrp 1
      redistribute direct route-map EIGRP-RED
    !

DC2-N7K-4

    feature eigrp
    feature bfd
    !
    router eigrp 1
      bfd
      router-id 10.0.2.4
      autonomous-system 1
      no shutdown
    !
    interface ethernet 4/31
      ip router eigrp 1
      ip summary-address eigrp 1 10.1.40.0/22
      no ip redirects
      no shutdown
    !
    route-map EIGRP-RED permit 10
      match interface vlan 40 vlan 4001 vlan 4002
    !
    router eigrp 1
      redistribute direct route-map EIGRP-RED
    !

Verification:

    DC2-N7K-1# show ip route eigrp
    DC2-N7K-3# show ip route eigrp
    DC2-N7K-4# show ip route eigrp

1.10 - DC2: Configure ACL

In this task, you will configure an IP access list on the WAN interface on DC2 switches. Allow traffic to VLAN 40, VLAN 4001, and VLAN 4002 via the WAN interface according to this table:

| Switch Name | WAN Interface | Destination | Traffic Allowed |
| DC2-N7K-3 | Ethernet 4/23 | VLAN 40: 10.1.40.0/24 | Any Traffic to this Network |
| | | VLAN 4001: 10.1.41.0/24 | World Wide Web, Secure Socket Layer, Telnet |
| | | VLAN 4002: 10.1.42.0/24 | World Wide Web, Secure Socket Layer, Telnet |
| DC2-N7K-4 | Ethernet 4/31 | VLAN 40: 10.1.40.0/24 | Any Traffic to this Network |
| | | VLAN 4001: 10.1.41.0/24 | World Wide Web, Secure Socket Layer, Telnet |
| | | VLAN 4002: 10.1.42.0/24 | World Wide Web, Secure Socket Layer, Telnet |

(4 Points)

DC2-N7K-3

    ip access-list ABC
      10 permit ip any 10.1.40.0/24
      20 permit tcp any 10.1.41.0/24 eq telnet
      30 permit tcp any 10.1.41.0/24 eq www
      40 permit tcp any 10.1.41.0/24 eq 443
      50 permit tcp any 10.1.42.0/24 eq www
      60 permit tcp any 10.1.42.0/24 eq 443
      70 permit tcp any 10.1.42.0/24 eq telnet
      80 permit udp any any range 3784 3785
      90 permit udp 20.0.0.2/32 eq ntp any
      100 permit eigrp any any
      110 permit gre any any
      120 permit icmp any any
      130 permit pim any any
      140 permit ip 10.1.1.214/32 any
      150 permit ip 10.1.1.201/32 any
    !
    interface ethernet4/23
      ip access-group ABC in
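
The access list above is matched top-down, first match wins, with an implicit deny after sequence 150. As an added example (not part of the original lab solution), this Python sketch parses those ACL lines and evaluates constructed sample flows against them; the sample source addresses and the WAN peer 10.4.1.10 are assumptions.

```python
import ipaddress
from collections import namedtuple

# ACL "ABC" from task 1.10, as applied inbound on the WAN interfaces.
ACL_ABC = """\
10 permit ip any 10.1.40.0/24
20 permit tcp any 10.1.41.0/24 eq telnet
30 permit tcp any 10.1.41.0/24 eq www
40 permit tcp any 10.1.41.0/24 eq 443
50 permit tcp any 10.1.42.0/24 eq www
60 permit tcp any 10.1.42.0/24 eq 443
70 permit tcp any 10.1.42.0/24 eq telnet
80 permit udp any any range 3784 3785
90 permit udp 20.0.0.2/32 eq ntp any
100 permit eigrp any any
110 permit gre any any
120 permit icmp any any
130 permit pim any any
140 permit ip 10.1.1.214/32 any
150 permit ip 10.1.1.201/32 any
"""

PORT_NAMES = {"telnet": 23, "www": 80, "ntp": 123}
ANY = ipaddress.ip_network("0.0.0.0/0")
Rule = namedtuple("Rule", "seq action proto src sport dst dport")

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(toks):
    tok = toks.pop(0)
    return ANY if tok == "any" else ipaddress.ip_network(tok)

def _ports(toks):
    """Consume an optional 'eq P' or 'range LO HI'; None means any port."""
    if toks and toks[0] == "eq":
        port = _port(toks[1])
        del toks[:2]
        return (port, port)
    if toks and toks[0] == "range":
        span = (_port(toks[1]), _port(toks[2]))
        del toks[:3]
        return span
    return None

def parse_acl(text):
    """Parse '<seq> <action> <proto> <src> [ports] <dst> [ports]' lines."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        seq, action, proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]
        src = _addr(rest)
        sport = _ports(rest)
        dst = _addr(rest)
        dport = _ports(rest)
        rules.append(Rule(seq, action, proto, src, sport, dst, dport))
    return sorted(rules, key=lambda r: r.seq)

def _port_ok(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First-match evaluation; ('deny', None) is the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):  # 'ip' matches every protocol
            continue
        if (s in r.src and d in r.dst
                and _port_ok(r.sport, sport) and _port_ok(r.dport, dport)):
            return r.action, r.seq
    return "deny", None

RULES = parse_acl(ACL_ABC)

# Constructed sample flows: (label, proto, src, dst, src port, dst port).
SAMPLES = [
    ("HTTPS to VLAN 4001", "tcp", "198.51.100.7", "10.1.41.10", 40000, 443),
    ("SSH to VLAN 4001", "tcp", "198.51.100.7", "10.1.41.10", 40000, 22),
    ("SSH to VLAN 40", "tcp", "198.51.100.7", "10.1.40.5", 40000, 22),
    ("BFD from WAN peer", "udp", "10.4.1.10", "10.4.1.9", 49152, 3784),
    ("EIGRP hello", "eigrp", "10.4.1.10", "224.0.0.10", None, None),
    ("NTP from 20.0.0.2", "udp", "20.0.0.2", "10.4.1.9", 123, 123),
    ("NTP from other source", "udp", "198.51.100.7", "10.4.1.9", 123, 123),
    ("SSH from 10.1.1.214", "tcp", "10.1.1.214", "10.1.42.5", 40000, 22),
]

def run_samples():
    return [(name, *evaluate(RULES, *flow)) for name, *flow in SAMPLES]

if __name__ == "__main__":
    for name, action, seq in run_samples():
        print(f"{name:24} {action:6} rule {seq}")
```

Sequences 140 and 150 match on source address only, so the last sample (SSH from 10.1.1.214 to VLAN 4002) is permitted even though the task table lists only three services for that VLAN.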


DC2-N7K-4

    ip access-list ABC
      10 permit ip any 10.1.40.0/24
      20 permit tcp any 10.1.41.0/24 eq telnet
      30 permit tcp any 10.1.41.0/24 eq www
      40 permit tcp any 10.1.41.0/24 eq 443
      50 permit tcp any 10.1.42.0/24 eq www
      60 permit tcp any 10.1.42.0/24 eq 443
      70 permit tcp any 10.1.42.0/24 eq telnet
      80 permit udp any any range 3784 3785
      90 permit udp 20.0.0.2/32 eq ntp any
      100 permit eigrp any any
      110 permit gre any any
      120 permit icmp any any
      130 permit pim any any
      140 permit ip 10.1.1.214/32 any
      150 permit ip 10.1.1.201/32 any
    !
    interface ethernet4/31
      ip access-group ABC in
    !

1.11 - DC2: Configure syslog and NTP

In DC2, make sure that DC2-N7K-3 receives the time from the NTP server 20.0.0.2. There is a syslog server on a remote site that is accessible from the WAN network. Configure DC2-N7K-3 to send logs to syslog. The IP address of the syslog server is 10.0.0.1.

(1 Point)

DC2-N7K-1

    clock protocol ntp vdc 3
    !

DC2-N7K-3

    ntp server 20.0.0.2
    logging server 10.0.0.1
    !

1.12 - DC2: Configure STP

In this task, you will configure Spanning Tree Protocol in Data Center 2. Complete these tasks on DC2-N7K-1, DC2-N7K-3, and DC2-N7K-4:

- Configure Multiple Spanning Tree for VLAN 4001 and VLAN 4002.
- Make sure that DC2-N7K-3 is the root for VLAN 4001 and VLAN 4002.
- Use this information to configure MST:
    o MST region = 1
    o Name = ccie
    o MST revision number = 5
- Enable Bridge Assurance on the appropriate ports.

(2 Points)

DC2-N7K-1

    spanning-tree mode mst
    !
    spanning-tree mst configuration
      name ccie
      revision 5
      instance 1 vlan 4001-4002
    !
    interface ethernet 4/12
      spanning-tree port type network
      no shutdown
    !

DC2-N7K-3

    spanning-tree mode mst
    spanning-tree mst configuration
      name ccie
      revision 5
      instance 1 vlan 4001-4002
    !
    spanning-tree mst 1 root primary
    !
    interface ethernet 4/20
      spanning-tree port type network
      no shutdown
    !
    interface port-channel 200
      spanning-tree port type network
      no shutdown
    !

DC2-N7K-4

    spanning-tree mode mst
    !
    spanning-tree mst configuration
      name ccie
      revision 5
      instance 1 vlan 4001-4002
    !
    interface port-channel 200
      spanning-tree port type network
      no shutdown
    !

Verification:

    DC2-N7K-1# show spanning-tree mst 1
    DC2-N7K-3# show spanning-tree mst 1
    DC2-N7K-4# show spanning-tree mst 1

1.13 - DC1: Allocate ports to VDCs and implement VLANs

In DC1, allocate ports to VDCs as shown in this table:

| Device Name | ID | Ports | Type |
| DC1-N7K-1 | 1 | Ethernet 3/1-8, Ethernet 4/1-8, Ethernet 4/10, Ethernet 4/12, Ethernet 4/14, Ethernet 4/16 | Ethernet |
| DC1-N7K-2 | 2 | Ethernet 3/9-16, Ethernet 4/9, Ethernet 4/11, Ethernet 4/13, Ethernet 4/15 | Ethernet |
| DC1-N7K-3 | 3 | Ethernet 3/17-24, Ethernet 4/17-24 | Ethernet |
| DC1-N7K-4 | 4 | Ethernet 3/25-32, Ethernet 4/25-32 | Ethernet |

You must configure VLANs in Data Center 1. These VLANs will be used later in the exam. Assign the correct name and type as outlined here. Configure these VLANs on DC1-N7K-1, DC1-N7K-2, DC1-N7K-3, and DC1-N7K-4:

| Device Name | VLAN ID | VLAN Name | VLAN Mode |
| DC1-N7K-1, DC1-N7K-2, DC1-N7K-3, DC1-N7K-4 | 90 | dci-site | Classic Ethernet |
| | 4001 | dci-data1 | Classic Ethernet |
| | 4002 | dci-data2 | Classic Ethernet |

(2 Points)

DC1-N7K-1

    vdc DC1-N7K-1 id 1
      no limit-resource module-type
      allocate interface ethernet 3/1-8,ethernet 4/1-8
      allocate interface ethernet 4/10,ethernet 4/12
      allocate interface ethernet 4/14, ethernet 4/16
    !
    vdc DC1-N7K-2 id 2
      no limit-resource module-type
      allocate interface ethernet 3/9-16, ethernet 4/9
      allocate interface ethernet 4/11,ethernet 4/13
      allocate interface ethernet 4/15
    !
    vdc DC1-N7K-3 id 3
      no limit-resource module-type
      allocate interface ethernet 3/17-24
      allocate interface ethernet 4/17-24
    !
    vdc DC1-N7K-4 id 4
      no limit-resource module-type
      allocate interface ethernet 3/25-32
      allocate interface ethernet 4/25-32
    !

DC1-N7K-1

    vlan 90
      name dci-site
    vlan 4001
      name dci-data1
    vlan 4002
      name dci-data2
    !

DC1-N7K-2

    vlan 90
      name dci-site
    vlan 4001
      name dci-data1
    vlan 4002
      name dci-data2
    !

DC1-N7K-3

    vlan 90
      name dci-site
    vlan 4001
      name dci-data1
    vlan 4002
      name dci-data2
    !

DC1-N7K-4

    vlan 90
      name dci-site
    vlan 4001
      name dci-data1
    vlan 4002
      name dci-data2
    !

Verification:

    DC1-N7K-1# show vdc membership
    DC1-N7K-1# show run vdc
    DC1-N7K-1# show vlan
    DC1-N7K-2# show vlan
    DC1-N7K-3# show vlan
    DC1-N7K-4# show vlan

1.14 - DC1: Configure Layer 2 links

In this task, you must configure Layer 2 port channels and trunk ports between Data Center 1 switches. Configure the Layer 2 port channel between DC1-N7K-3 and DC1-N7K-4. Use this information to complete this task:

- Use port channel number 200.
- Allow only VLANs 90, 4001, and 4002 on the port channel.
- Use LACP.
- Use VLAN 90 as the native VLAN.
- Make sure that the native VLAN is tagged.

Here are the port assignments:

| Device Name | Port Channel | Member Port |
| DC1-N7K-3 | 200 | Ethernet 4/18-19 |
| DC1-N7K-4 | 200 | Ethernet 4/26-27 |

DC1-N7K-1 and DC1-N7K-3 are connected using a Layer 2 link and a Layer 3 link. In this task, you will configure the Layer 2 link between these switches as a trunk port. Use this information to complete this task:

- Allow only VLANs 90, 4001, and 4002.
- Use VLAN 90 as the native VLAN.

| Device Name | Trunk Port | Mode |
| DC1-N7K-1 | Ethernet 4/12 | Layer 2 |
| DC1-N7K-3 | Ethernet 4/20 | Layer 2 |

DC1-N7K-2 and DC1-N7K-4 are connected using a Layer 2 and a Layer 3 link. In this task, you will configure the Layer 2 link between these switches as a trunk port. Use this information to complete this task:

- Allow only VLANs 90, 4001, and 4002.
- Use VLAN 90 as the native VLAN.

| Device Name | Trunk Port | Mode |
| DC1-N7K-2 | Ethernet 4/13 | Layer 2 |
| DC1-N7K-4 | Ethernet 4/28 | Layer 2 |

(2 Points)

DC1-N7K-1

    vlan dot1Q tag native
    !

DC1-N7K-2

    vlan dot1Q tag native
    !

DC1-N7K-3

    vlan dot1Q tag native
    !

DC1-N7K-4

    vlan dot1Q tag native
    !

DC1-N7K-3

    feature lacp
    !
    interface ethernet 3/18-19
      channel-group 200 mode active
      no shutdown
    !
    interface port-channel 200
      switchport
      switchport mode trunk
      switchport trunk native vlan 90
      switchport trunk allowed vlan 90,4001-4002
      no shutdown
    !
    interface ethernet 4/20
      switchport
      switchport mode trunk
      switchport trunk native vlan 90
      switchport trunk allowed vlan 90,4001-4002
      no shutdown
    !

DC1-N7K-1

    interface ethernet 4/12
      switchport
      switchport mode trunk
      switchport trunk native vlan 90
      switchport trunk allowed vlan 90,4001-4002
      no shutdown
    !

DC1-N7K-4

    interface ethernet 3/26-27
      channel-group 200 mode active
      no shutdown
    !
    interface port-channel 200
      switchport
      switchport mode trunk
      switchport trunk native vlan 90
      switchport trunk allowed vlan 90,4001-4002
      no shutdown
    !
    interface ethernet 4/28
      switchport
      switchport mode trunk
      switchport trunk native vlan 90
      switchport trunk allowed vlan 90,4001-4002
      no shutdown
    !

DC1-N7K-2

    interface ethernet 4/13
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 90,4001,4002
      switchport trunk native vlan 90
      no shutdown
    !

Verification:

    DC1-N7K-1# show interface ethernet 4/12 trunk
    DC1-N7K-3# show interface ethernet 4/20 trunk
    DC1-N7K-3# show interface port-channel 200 trunk
    DC1-N7K-4# show interface port-channel 200 trunk
    DC1-N7K-2# show interface ethernet 4/13 trunk
    DC1-N7K-4# show interface ethernet 4/28 trunk
    DC1-N7K-1# show vlan dot1Q tag native
    DC1-N7K-2# show vlan dot1Q tag native
    DC1-N7K-3# show vlan dot1Q tag native
    DC1-N7K-4# show vlan dot1Q tag native

1.15 - DC1: Implement Cisco NX-OS Layer 3 functionality

You must now configure Layer 3 interfaces on the Cisco Nexus 7000 switches in DC1. Configure the following:

- WAN Layer 3 interfaces on DC1-N7K-3 and DC1-N7K-4
- Layer 3 link between DC1-N7K-3 and DC1-N7K-1
- Layer 3 link between DC1-N7K-4 and DC1-N7K-2
- Loopback interfaces on DC1-N7K-1, DC1-N7K-2, DC1-N7K-3, and DC1-N7K-4

WAN interfaces connect the Cisco Nexus 7000 switch to the WAN switch. The WAN switch is preconfigured. No configuration is necessary on your part.

Configure the WAN IP addresses as shown in this table:

| Device Name | Interface | IP Address | Subnet Mask |
| DC1-N7K-3 | Ethernet 4/23 | 10.4.1.1 | 30 |
| DC1-N7K-4 | Ethernet 4/31 | 10.4.1.5 | 30 |

Make sure that the jumbo frame size of 9100 bytes is allowed on the WAN. DC1-N7K-1 and DC1-N7K-3 are connected with a Layer 2 link and Layer 3 link. Configure the Layer 3 link between these switches.

In DC1, configure the Layer 3 link between DC1-N7K-1 and DC1-N7K-3:

| Device Name | Interface | IP Address | Subnet Mask |
| DC1-N7K-1 | Ethernet 4/5 | 10.4.1.17 | 30 |
| DC1-N7K-3 | Ethernet 4/24 | 10.4.1.18 | 30 |

DC1-N7K-2 and DC1-N7K-4 are connected with a Layer 2 link and Layer 3 link. Configure the Layer 3 link between these switches.

In DC1, configure the Layer 3 link between DC1-N7K-2 and DC1-N7K-4:

| Device Name | Interface | IP Address | Subnet Mask |
| DC1-N7K-2 | Ethernet 4/9 | 10.4.1.26 | 30 |
| DC1-N7K-4 | Ethernet 4/25 | 10.4.1.25 | 30 |

In DC1, configure the loopback IP addresses as shown in this table:

| Device Name | Interface | IP Address | Subnet Mask |
| DC1-N7K-1 | Loopback0 | 10.0.1.1 | 32 |
| DC1-N7K-2 | Loopback0 | 10.0.1.2 | 32 |
| DC1-N7K-3 | Loopback0 | 10.0.1.3 | 32 |
| DC1-N7K-4 | Loopback0 | 10.0.1.4 | 32 |

(2 Points)

DC1-N7K-1

    interface loopback0
      ip address 10.0.1.1/32
      no shutdown
    !
    interface ethernet 4/5
      ip address 10.4.1.17/30
      mtu 9100
      no shutdown
    !

DC1-N7K-2

    interface loopback0
      ip address 10.0.1.2/32
      no shutdown
    !
    interface ethernet 4/9
      ip address 10.4.1.26/30
      no shutdown
    !

DC1-N7K-3

    interface loopback0
      ip address 10.0.1.3/32
      no shutdown
    !
    interface ethernet 4/23
      ip address 10.4.1.1/30
      mtu 9100
      no shutdown
    !
    interface ethernet 4/24
      ip address 10.4.1.18/30
      mtu 9100
      no shutdown
    !

DC1-N7K-4

    interface loopback0
      ip address 10.0.1.4/32
      no shutdown
    !
    interface ethernet 4/31
      ip address 10.4.1.5/30
      mtu 9100
      no shutdown
    !
    interface ethernet 4/25
      mtu 9100
      ip address 10.4.1.25/30
      no shutdown

Verification:

    DC1-N7K-1# show ip interface brief
    DC1-N7K-2# show ip interface brief
    DC1-N7K-3# show ip interface brief
    DC1-N7K-4# show ip interface brief
    DC1-N7K-1# ping 10.4.1.17
    DC1-N7K-2# ping 10.4.1.25
    DC1-N7K-3# ping 10.4.1.2
    DC1-N7K-4# ping 10.4.1.6

1.16 - DC1: Configure SVI and HSRP

In DC1, configure SVI 4001 and 4002 on DC1-N7K-3 and DC1-N7K-4:

| Device Name | Interface | IP Address | Subnet Mask |
| DC1-N7K-3 | VLAN 4001 | 10.1.41.250 | 24 |
| | VLAN 4002 | 10.1.42.250 | 24 |
| DC1-N7K-4 | VLAN 4001 | 10.1.41.251 | 24 |
| | VLAN 4002 | 10.1.42.251 | 24 |

Configure HSRP on DC1-N7K-3 and DC1-N7K-4 as shown in this table:

| VLAN | Virtual IP | Group | Active | MD5 Key |
| VLAN 4001 | 10.1.41.254 | 2 | DC1-N7K-3 | CCIEDC |
| VLAN 4002 | 10.1.42.254 | 2 | DC1-N7K-3 | CCIEDC |

Use any key chain name. Make sure that HSRP waits 3 seconds before detecting a neighbor down instance. Also make sure that DC1-N7K-3 is always the active router for VLAN 4001 and VLAN 4002.

(2 Points)

DC1-N7K-3
feature hsrp
feature interface-vlan
!
key chain HSRP
  key 0
    key-string CCIEDC
!
interface Vlan4001
  no shutdown
  ip address 10.1.41.250/24
  hsrp version 2
  hsrp 2
    ip 10.1.41.254
    preempt
    priority 255
    timers 1 3
    authentication md5 key-chain HSRP
!
interface Vlan4002
  no shutdown
  ip address 10.1.42.250/24
  hsrp version 2
  hsrp 2
    ip 10.1.42.254
    preempt
    priority 255
    timers 1 3
    authentication md5 key-chain HSRP
!

DC1-N7K-4
feature hsrp
feature interface-vlan
!
key chain HSRP
  key 0
    key-string CCIEDC
!
interface Vlan4001
  no shutdown
  ip address 10.1.41.251/24
  hsrp version 2
  hsrp 2
    ip 10.1.41.254
    timers 1 3
    authentication md5 key-chain HSRP
!
interface Vlan4002
  no shutdown
  ip address 10.1.42.251/24
  hsrp version 2
  hsrp 2
    ip 10.1.42.254
    timers 1 3
    authentication md5 key-chain HSRP
!

Verification:
DC1-N7K-3# show hsrp brief
DC1-N7K-4# show hsrp brief


1.17 - DC1: Implement Cisco NX-OS Layer 3 Routing

In DC1, set up EIGRP. Enable EIGRP within DC1 and also on the connectivity to the WAN. Make sure that fast failure detection is enabled. The core WAN router is preconfigured with EIGRP. You are not permitted to use static routes.

Perform these tasks on DC1-N7K-1:

Configure EIGRP with AS number 1. Use the loopback 0 address as the router ID. Configure interfaces E4/5 in EIGRP.

Perform these tasks on DC1-N7K-2:

Configure EIGRP with AS number 1. Use the loopback 0 address as the router ID. Configure interfaces E4/9 in EIGRP.

Perform these tasks on DC1-N7K-3:

Configure EIGRP with AS number 1. Use the loopback 0 address as the router ID. Configure interface E4/23 and E4/24 in EIGRP.

Perform these tasks on DC1-N7K-4:

Configure EIGRP with AS number 1. Use the loopback 0 address as the router ID. Configure interface E4/25 and E4/31 in EIGRP.

(3 Points)

DC1-N7K-1
feature eigrp
feature bfd
!
router eigrp 1
  bfd
  autonomous-system 1
  router-id 10.0.1.1
  no shutdown
!
interface Ethernet4/5
  ip router eigrp 1
  no ip redirect
  no shutdown
!

DC1-N7K-3
feature eigrp
feature bfd
!
router eigrp 1
  bfd
  autonomous-system 1
  router-id 10.0.1.3
  no shutdown
!
interface Ethernet4/23
  ip router eigrp 1
  no ip redirect
  no shutdown
!
interface Ethernet4/24
  ip router eigrp 1
  no ip redirect
  no shutdown
!

DC1-N7K-2
feature eigrp
feature bfd
!
router eigrp 1
  bfd
  autonomous-system 1
  router-id 10.0.1.2
  no shutdown
!
interface Ethernet4/9
  ip router eigrp 1
  no ip redirect
  no shutdown
!

DC1-N7K-4
feature eigrp
feature bfd
!
router eigrp 1
  bfd
  autonomous-system 1
  router-id 10.0.1.4
  no shutdown
!
interface Ethernet4/25
  ip router eigrp 1
  no ip redirect
  no shutdown
!
interface Ethernet4/31
  ip router eigrp 1
  no ip redirect
  no shutdown
!

Verification:
DC1-N7K-1# show ip route eigrp
DC1-N7K-2# show ip route eigrp
DC1-N7K-3# show ip route eigrp
DC1-N7K-4# show ip route eigrp


1.18 - DC1 and DC2: Configure OTV

You must now perform Cisco Data Center Interconnect (DCI) between DC1 and DC2. The WAN core is enabled for multicast. During this task, you will make sure that DC1-N7K-1, DC1-N7K-2, DC1-N7K-3, and DC1-N7K-4 are configured appropriately to support OTV within DC1. Similarly, make sure that DC2-N7K-1, DC2-N7K-3, and DC2-N7K-4 are configured appropriately to support OTV in DC2. VLAN 4001 and VLAN 4002 must be extended between DC1 and DC2. All other VLANs will stay local to the data center. Do not create additional VLANs for this task. You are allowed to use a multicast address range to achieve the task. The RP address is 20.0.0.1. PIM sparse mode is running in the WAN core.

In Data Center 1, perform these tasks:

On the Layer 2 trunk port between DC1-N7K-1 and DC1-N7K-3, only allow VLANs that must be extended.
On the Layer 2 trunk port between DC1-N7K-2 and DC1-N7K-4, only allow VLANs that must be extended.
Use the loopback 0 address as the router ID.
Use VLAN 90 as the site VLAN.

In Data Center 2, perform these tasks:

On the Layer 2 trunk port between DC2-N7K-1 and DC2-N7K-3, only allow VLANs that must be extended.
Use VLAN 90 as the site VLAN.

After completing these infrastructure tasks, configure the necessary DCI tasks as specified in the question. Then verify that DCI was successful by pinging SVIs 4001 and 4002 from DC1-N7K-3 and DC2-N7K-3. Make sure that HSRP is localized within each data center.

(3 Points)

DC1-N7K-1
feature otv
!
interface ethernet 4/5
  ip igmp version 3
  no shutdown
!
otv site-identifier 0x1
otv site-vlan 90
!
interface overlay 0
  otv join-interface ethernet 4/5
  otv control-group 239.1.1.1
  otv data-group 232.1.1.0/28
  otv extend-vlan 4001-4002
  no shutdown
!

DC1-N7K-3
feature pim
!
ip pim rp-address 20.0.0.1
!
interface ethernet 4/24
  ip igmp version 3
  ip pim sparse-mode
  no shutdown
!
interface ethernet 4/23
  ip pim sparse-mode
  no shutdown
!

DC1-N7K-2
feature otv
!
interface ethernet 4/9
  ip igmp version 3
  no shutdown
!
otv site-identifier 0x1
otv site-vlan 90
!
interface overlay 0
  otv join-interface ethernet 4/9
  otv control-group 239.1.1.1
  otv data-group 232.1.1.0/28
  otv extend-vlan 4001-4002
  no shutdown
!

DC1-N7K-4
feature pim
!
ip pim rp-address 20.0.0.1
!
interface ethernet 4/25
  ip igmp version 3
  ip pim sparse-mode
  no shutdown
!
interface ethernet 4/31
  ip pim sparse-mode
  no shutdown
!

DC2-N7K-1
feature otv
!
interface ethernet 4/5
  ip igmp version 3
  no shutdown
!
otv site-identifier 0x2
otv site-vlan 90
!
interface overlay 1
  otv join-interface ethernet 4/5
  otv control-group 239.1.1.1
  otv data-group 232.1.1.0/28
  otv extend-vlan 4001-4002
  no shutdown
!

DC2-N7K-3
feature pim
!
ip pim rp-address 20.0.0.1
!
interface ethernet 4/24
  ip igmp version 3
  ip pim sparse-mode
  no shutdown
!
interface ethernet 4/23
  ip pim sparse-mode
  no shutdown
!

DC1-N7K-1
ip access-list ALL_IPs
  permit ip any any
!
ip access-list HSRP_IP
  permit udp any 224.0.0.102/32 eq 1985
!
vlan access-map HSRP_Localization 10
  match ip address HSRP_IP
  action drop
!
vlan access-map HSRP_Localization 20
  match ip address ALL_IPs
  action forward
!
vlan filter HSRP_Localization vlan-list 4001-4002
!
mac-list OTV_HSRP_VMAC_deny seq 20 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list OTV_HSRP_VMAC_deny seq 30 permit 0000.0000.0000 0000.0000.0000
!
route-map OTV_HSRP_filter permit 10
  match mac-list OTV_HSRP_VMAC_deny
!
otv-isis default
  vpn Overlay0
    redistribute filter route-map OTV_HSRP_filter
!

DC1-N7K-2
ip access-list ALL_IPs
  permit ip any any
!
ip access-list HSRP_IP
  permit udp any 224.0.0.102/32 eq 1985
!
vlan access-map HSRP_Localization 10
  match ip address HSRP_IP
  action drop
!
vlan access-map HSRP_Localization 20
  match ip address ALL_IPs
  action forward
!
vlan filter HSRP_Localization vlan-list 4001-4002
!
mac-list OTV_HSRP_VMAC_deny seq 20 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list OTV_HSRP_VMAC_deny seq 30 permit 0000.0000.0000 0000.0000.0000
!
route-map OTV_HSRP_filter permit 10
  match mac-list OTV_HSRP_VMAC_deny
!
otv-isis default
  vpn Overlay0
    redistribute filter route-map OTV_HSRP_filter
!

DC2-N7K-1
ip access-list ALL_IPs
  permit ip any any
!
ip access-list HSRP_IP
  permit udp any 224.0.0.102/32 eq 1985
!
vlan access-map HSRP_Localization 10
  match ip address HSRP_IP
  action drop
!
vlan access-map HSRP_Localization 20
  match ip address ALL_IPs
  action forward
!
vlan filter HSRP_Localization vlan-list 4001-4002
!
mac-list OTV_HSRP_VMAC_deny seq 20 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list OTV_HSRP_VMAC_deny seq 30 permit 0000.0000.0000 0000.0000.0000
!
route-map OTV_HSRP_filter permit 10
  match mac-list OTV_HSRP_VMAC_deny
!
otv-isis default
  vpn Overlay0
    redistribute filter route-map OTV_HSRP_filter
!

Verification:
DC1-N7K-1# show otv
DC1-N7K-1# show otv vlan
DC1-N7K-2# show otv
DC1-N7K-2# show otv vlan
DC1-N7K-3# ping 10.1.41.252
DC1-N7K-3# ping 10.1.42.252
DC1-N7K-3# show hsrp brief
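Added example (not part of the original lab solution): a Python model of the HSRP_Localization access-map and the OTV_HSRP_VMAC_deny mac-list from this task, run against constructed sample traffic to show what each filter actually matches. It assumes first-match evaluation with an implicit deny; the HSRP version 1 group address 224.0.0.2 and virtual MAC 0000.0c07.acXX are standard protocol values, not values from the page.

```python
"""Model of the HSRP localization filters from task 1.18 (added example)."""
import ipaddress

# mac-list OTV_HSRP_VMAC_deny, copied from the page: (seq, action, address, mask).
# A mask bit of 1 means "this bit must equal the corresponding address bit".
OTV_HSRP_VMAC_DENY = [
    (20, "deny", "0000.0c9f.f000", "ffff.ffff.f000"),
    (30, "permit", "0000.0000.0000", "0000.0000.0000"),
]

# vlan access-map HSRP_Localization, copied from the page:
# (seq, protocol, destination prefix, destination UDP port or None, action).
HSRP_LOCALIZATION = [
    (10, "udp", "224.0.0.102/32", 1985, "drop"),
    (20, "ip", "0.0.0.0/0", None, "forward"),
]


def mac_to_int(mac):
    """Parse Cisco dotted notation (xxxx.xxxx.xxxx) into a 48-bit integer."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def mac_list_action(mac_list, mac):
    """Return the action of the first matching entry; no match is a deny."""
    value = mac_to_int(mac)
    for _seq, action, address, mask in sorted(mac_list, key=lambda e: e[0]):
        bits = mac_to_int(mask)
        if value & bits == mac_to_int(address) & bits:
            return action
    return "deny"


def advertised_over_otv(mac):
    """route-map OTV_HSRP_filter permit 10 passes only MACs the list permits."""
    return mac_list_action(OTV_HSRP_VMAC_DENY, mac) == "permit"


def vacl_action(protocol, dst_ip, dst_port=None):
    """Evaluate HSRP_Localization in sequence order; no match is a drop."""
    dst = ipaddress.ip_address(dst_ip)
    for _seq, proto, prefix, port, action in sorted(
        HSRP_LOCALIZATION, key=lambda e: e[0]
    ):
        if proto not in ("ip", protocol):
            continue
        if dst not in ipaddress.ip_network(prefix):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "drop"


def hsrp_v2_vmac(group):
    """HSRP version 2 IPv4 virtual MAC: 0000.0c9f.f000 plus the group number."""
    if not 0 <= group <= 4095:
        raise ValueError("HSRP version 2 groups range from 0 to 4095")
    return f"0000.0c9f.f{group:03x}"


def audit():
    """Run constructed sample traffic through both filters."""
    return {
        # Hellos: version 2 uses 224.0.0.102, version 1 uses 224.0.0.2.
        "v2_hello": vacl_action("udp", "224.0.0.102", 1985),
        "v1_hello": vacl_action("udp", "224.0.0.2", 1985),
        "host_ping": vacl_action("icmp", "10.1.41.252"),
        # MAC advertisement into the overlay (True means advertised).
        "v2_group2_vmac": advertised_over_otv(hsrp_v2_vmac(2)),
        "v1_group2_vmac": advertised_over_otv("0000.0c07.ac02"),
        "host_mac": advertised_over_otv("0025.b500.0001"),  # constructed sample
        "all_v2_groups_blocked": not any(
            advertised_over_otv(hsrp_v2_vmac(g)) for g in range(4096)
        ),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:24} {result}")
```

Both filters cover only HSRP version 2, which matches the `hsrp version 2` setting on the SVIs; an SVI left at version 1 would not be localized by them.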


2.1 - Fibre Channel port channel, ISL, and trunking

Refer to this figure:

You have been asked to help resolve a non-optimal Fibre Channel port channel between DC2-MDS-1 and DC2-N5K-2. The desired result is that port channel ID 22 is up at 8 Gb/s between the two devices and that only VSANs 1 and 200 are able to traverse it. (3 Points)

Remove the following from san-port-channel 22 / port-channel 22:
no switchport trunk allow vsan add 999

Check Existing Configurations
DC2-N5K-2# show interface san-port-channel 22
DC2-N5K-2# show running-config interface san-port-channel 22
DC2-N5K-2# show running-config interface fc2/1-2
DC2-MDS-1# show running-config interface port-channel 22

DC2-N5K-2
feature fcoe
!
slot 1
  port 31-32 type fc
!
vsan database
  vsan 200 name VSAN200
!
interface san-port-channel 22
  channel mode active
  switchport mode e
  switchport trunk mode on
  switchport trunk allow vsan 1
  switchport trunk allow vsan add 200
  switchport speed 4000
  no shutdown
!
interface fc1/31-32
  channel 22 force
  no shutdown
!

DC2-MDS-1
vsan database
  vsan 200 name VSAN200
!
interface port-channel 22
  channel mode active
  switchport rate-mode dedicated
  switchport mode e
  switchport trunk mode on
  switchport trunk allow vsan 1
  switchport trunk allow vsan add 200
  switchport speed 4000
  no shutdown
!
interface fc1/5-6
  channel 22 force
  no shutdown
!

slot 2
  port 1-16 type fc
copy running startup
poweroff module 2
no poweroff module 2

Verification:
DC2-MDS-1# show port-channel summary
DC2-N5K-2# show port-channel summary
DC2-N5K-2# show interface san-port-channel 22

2.2 - Implement Fibre Channel NPV and NPIV features

Configure the two Fibre Channel links between DC2-N5K-1 and DC2-MDS-1 to be two parallel, non-trunking, NPV-NPIV links for VSAN 100. The customer demands that servers in VSAN 100 that use these links be distributed equally at all times, even in the event that one of the links goes down and comes back up.

DC2-N5K-1
feature fcoe
feature npv
!
slot 1
  port 31-32 type fc
!
vsan database
  vsan 100 name VSAN100
  vsan 100 interface fc1/31
  vsan 100 interface fc1/32
!
interface fc1/31-32
  switchport mode np
  no shutdown
!
npv auto-load-balance disruptive
!

DC2-MDS-1
feature npiv
!
vsan database
  vsan 100 name VSAN100
  vsan 100 interface fc1/1
  vsan 100 interface fc1/2
!
interface fc1/1-2
  switchport mode f
  switchport trunk mode off
  no shutdown
!

slot 2
  port 1-16 type fc
copy running startup
poweroff module 2
no poweroff module 2

Verification:
DC2-N5K-1# show interface fc1/31
DC2-MDS-1# show interface fc1/1-2 brief
DC2-MDS-1# show flogi database

2.3 - Implement FCoE NPV features

Create a logical device within DC2-N7K-1 that is capable of FCoE functionality. Use the following parameters:

Device Name   ID   Port Allocation
DC2-N7K-2     2    Ethernet 3/9-16

Initialize this logical device with the following parameters:

Password     : cisco
Mgmt IP      : 10.1.1.27
Mgmt Netmask : 255.255.255.0
Mgmt Gateway : 10.1.1.254
Telnet       : Enabled

Configure a FCoE NPV-NPIV F-Port trunking and port-channeling link between the DC2-N7K-2 and DC2-N5K-1 switches. Create VSAN 100 and allow only this VSAN across this link. This link should be configured to use LACP. Make sure that SID/DID/OXID load-balancing is used across this link. Use port channel ID 11. (4 points)

DC2-N7K-1
install feature-set fcoe
license fcoe module 3
!
system qos
  service-policy type network-qos default-nq-7e-policy
!
vdc DC2-N7K-2 id 2 type storage
  allocate interface ethernet 3/9-16
  allocate fcoe-vlan-range 100,200
!
switchto vdc DC2-N7K-2
feature-set fcoe
feature npiv
feature lldp
feature lacp
feature telnet
feature fport-channel-trunk
!
interface mgmt0
  ip address 10.1.1.27/24
ip route 0.0.0.0/0 10.1.1.254
!
vsan database
  vsan 100 name VSAN100
  vsan 200 name VSAN200
!
vlan 100
  fcoe vsan 100
!
vlan 200
  fcoe vsan 200
!
interface ethernet 3/13-14
  channel-group 11 mode active
  no shutdown
!
interface port-channel 11
  switchport
  switchport mode trunk
  switchport trunk allow vlan 100
  no shutdown
!
interface vfc-port-channel 11
  bind interface port-channel 11
  switchport mode f
  switchport trunk mode on
  switchport trunk allow vsan 100
  no shutdown
!

DC2-N5K-1
feature fcoe
!
vlan 100
  fcoe vsan 100
!
port-channel load-balance ethernet source-dest-port
!
interface ethernet 1/13-14
  channel-group 11 mode active
  no shutdown
!
interface port-channel 11
  switchport
  switchport mode trunk
  switchport trunk allow vlan 100
  no shutdown
!
interface vfc 11
  bind interface port-channel 11
  switchport mode np
  switchport trunk allow vsan 100
  no shutdown
!

Verification:
DC2-N7K-2# show flogi database
DC2-N7K-2# show interface vfc-port-channel 11
DC2-N5K-1# show npv status
DC2-N5K-1# show interface vfc 11

2.4 - Troubleshoot multihop FCoE

The customer reports that the FCoE VE Port channel between the DC2-N7K-2 and DC2-N5K-2 switches is not working. You have been asked to resolve the issue and get the FCoE VE Port channel working. Once it is up, it should transport VSAN 200 only. The link should be formed with LACP and use port channel ID 12. Traffic from the N5K to the N7K must load-balance with SID/DID. The resolution must not impact port channel 11.

(4 points)

DC2-N7K-2
vsan database
  vsan 200 name VSAN200
!
vlan 200
  fcoe vsan 200
!
interface ethernet 3/15-16
  channel-group 12 mode active
  no shutdown
!
interface port-channel 12
  switchport
  switchport mode trunk
  switchport trunk allow vlan 200
  no shutdown
!
interface vfc-port-channel 12
  bind interface port-channel 12
  switchport mode e
  switchport trunk mode on
  switchport trunk allow vsan 200
  no shutdown
!

Remove the wrong fcmap from 5k2:
DC2-N5K-2(config)# show running-config | include fcmap
fcoe fcmap 0xefcff
DC2-N5K-2(config)# no fcoe fcmap 0xefcff
show fcoe
FC-MAP is 0e:fc:00

DC2-N5K-2
feature fcoe
feature lacp
!
vsan database
  vsan 200 name VSAN200
!
vlan 200
  fcoe vsan 200
!
port-channel load-balance ethernet source-dest-ip
!
interface ethernet 1/15-16
  channel-group 12 mode active
  no shutdown
!
interface port-channel 12
  switchport
  switchport mode trunk
  switchport trunk allow vlan 200
  no shutdown
!
interface vfc 12
  bind interface port-channel 12
  switchport mode e
  switchport trunk allow vsan 200
  no shutdown
!

Verification:
DC2-N5K-2# show interface vfc 12
DC2-N5K-2# show fcoe


2.5 - Implement IP Storage Based Solution

Configure two FCIP links between the DC1-MDS-1 and DC2-MDS-1 switches. Allow VSANs 1, 200 and 100 across both links. The customer has a firewall between the data centers that only permits connections for each FCIP tunnel with port 3005. The connections must only be initialized from the DC2-MDS-1 side. Link MTU should be able to accommodate a complete Fibre Channel frame. Use FCIP profiles 10 and 20, and interfaces FCIP 10 and 20.

Device Name   Primary Link Address   Secondary Link Address
DC1-MDS-1     10.3.1.1/30            10.3.1.5/30
DC2-MDS-1     10.3.1.2/30            10.3.1.6/30

(2 points)

DC1-MDS-1
feature fcip
!
vsan database
  vsan 100
  vsan 200
  vsan 100 interface fc 1/10
  vsan 200 interface fc 1/11
!
interface fc 1/10
  switchport mode fx
  no shutdown
!
interface fc 1/11
  switchport mode fx
  no shutdown
!
interface gigabitethernet 1/3
  ip address 10.3.1.1 255.255.255.252
  switchport mtu 2300
  no shutdown
!
interface gigabitethernet 1/4
  ip address 10.3.1.5 255.255.255.252
  switchport mtu 2300
  no shutdown
!
fcip profile 10
  ip address 10.3.1.1
  port 3005
!
fcip profile 20
  ip address 10.3.1.5
  port 3005
!
interface fcip 10
  use-profile 10
  peer-info ipaddr 10.3.1.2
  switchport mode e
  switchport trunk mode on
  switchport trunk allow vsan 1
  switchport trunk allow vsan add 100
  switchport trunk allow vsan add 200
  no shutdown
  passive-mode
!
interface fcip 20
  use-profile 20
  peer-info ipaddr 10.3.1.6
  switchport mode e
  switchport trunk mode on
  switchport trunk allow vsan 1
  switchport trunk allow vsan add 100
  switchport trunk allow vsan add 200
  no shutdown
  passive-mode
!

DC2-MDS-1
feature fcip
!
vsan database
  vsan 100
  vsan 200
!
interface gigabitethernet 1/3
  ip address 10.3.1.2 255.255.255.252
  switchport mtu 2300
  no shutdown
!
interface gigabitethernet 1/4
  ip address 10.3.1.6 255.255.255.252
  switchport mtu 2300
  no shutdown
!
fcip profile 10
  ip address 10.3.1.2
!
fcip profile 20
  ip address 10.3.1.6
!
interface fcip 10
  use-profile 10
  peer-info ipaddr 10.3.1.1 port 3005
  switchport mode e
  switchport trunk mode on
  switchport trunk allow vsan 1
  switchport trunk allow vsan add 100
  switchport trunk allow vsan add 200
  no shutdown
!
interface fcip 20
  use-profile 20
  peer-info ipaddr 10.3.1.5 port 3005
  switchport mode e
  switchport trunk mode on
  switchport trunk allow vsan 1
  switchport trunk allow vsan add 100
  switchport trunk allow vsan add 200
  no shutdown
!

Verification:
DC1-MDS-1# show fcip summary
DC2-MDS-1# show fcip summary
DC1-MDS-1# show interface fcip 10
DC2-MDS-1# show interface fcip 20


2.6 - Implement FCoE Host Configuration

Configure FCoE connections for DC2-SRV-3 and DC2-SRV-4.

DC2-SRV-3 port 1 should be in VSAN/VLAN 200. Use vfc 311 for this interface.
DC2-SRV-3 port 0 should be in VSAN/VLAN 100. Use vfc 20 for this interface. Interface vfc20 must always use DC2-N5K-1 uplink FC 1/32.
DC2-SRV-4 port 0 should be in VSAN/VLAN 100. Use vfc 320 for this interface.
DC2-SRV-4 port 1 should be in VSAN/VLAN 200. Use vfc 420 for this interface.

All required configurations on the host side are preconfigured. You are only required to configure the N5K and N7K sides. You have access to both servers' Cisco Integrated Management Controllers in case you need to verify and troubleshoot from the host side.

DC2-N7K-2
interface ethernet 3/11
  switchport mode trunk
  switchport trunk allow vlan 1,200
  no shutdown
!
interface vfc 311
  bind interface ethernet 3/11
  switchport mode f
  switchport trunk allowed vsan 200
  no shutdown
!
vsan database
  vsan 200 interface vfc 311
!

DC2-N5K-1
interface ethernet 1/20
  switchport mode trunk
  switchport trunk allow vlan 1,100
  spanning-tree port type edge trunk
  no shutdown
!
interface vfc 20
  bind interface ethernet 1/20
  switchport mode f
  switchport trunk allowed vsan 100
!
npv traffic-map server-interface vfc 20 external-interface fc1/32
!
interface vfc 20
  no shutdown
!
vsan database
  vsan 100 interface vfc 20
!
fex 103
  fcoe
!
interface ethernet 103/1/20
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100
  spanning-tree port type edge trunk
  no shutdown
!
interface vfc 320
  bind interface ethernet 103/1/20
  switchport mode f
  switchport trunk allowed vsan 100
  no shutdown
!
vsan database
  vsan 100 interface vfc 320
!

DC2-N5K-2
fex 104
  fcoe
!
vlan 200
  fcoe vsan 200
!
interface ethernet 104/1/20
  switchport mode trunk
  switchport trunk allowed vlan 200
  spanning-tree port type edge trunk
  no shutdown
!
interface vfc 420
  bind interface ethernet 104/1/20
  switchport mode f
  switchport trunk allowed vsan 200
  no shutdown
!
vsan database
  vsan 200 interface vfc 420

Verification:
DC2-N7K-2# show interface vfc311
DC2-N7K-2# show flogi database
DC2-N5K-1# show interface vfc20
DC2-N5K-1# show npv flogi-table
DC2-N5K-1# show interface vfc320
DC2-N5K-1# show npv flogi-table
DC2-N5K-2# show interface vfc420
DC2-N5K-2# show npv flogi-table
DC2-N5K-2# show flogi database

Section 3 - Unified Computing

You have been tasked to configure and troubleshoot an existing computing solution based on Cisco UCS. DC2 will be hosting your primary computing cluster. Your primary storage array resides in DC1 and is reachable via the FCIP link that was already configured. You must configure all Cisco UCS endpoints as well as SAN and LAN devices as instructed. No access is required to the storage array. Please review this topology subset, which shows the relevant devices for this section. Reference Topology:

Note: The port numbers on the topology diagram are the physical port numbers.


3.1 - Troubleshoot Cisco UCS domain infrastructure

You have been tasked to reconfigure the uplink connectivity for your Cisco UCS domain. Configure the uplinks as shown in the diagram. Port channel IDs and VPC IDs should match each side of the links where applicable. The network administrator previously implemented a disjoint Layer 2 network design. This is no longer required. Remove all disjoint Layer 2 configurations from Cisco UCS and disable any uplinks that are not listed in this reference diagram.

(5 points)

3.2 - Modify CoS for iSCSI

Some of your blades will use iSCSI. To accommodate this, perform these configurations:

Configure the Silver CoS queue to accommodate 9000-byte frames.
Create a QoS policy named ccie-dc-qos and assign the Silver priority. Allow full host control.
Assign the QoS policy to the two existing vNIC templates.

(3 Points)

3.3 - Create FCoE boot policy

Create a boot policy that meets these criteria:

Name of policy: fcoe-boot-pol.
The CD-ROM should be the first boot device.
The second boot device should be the SAN Boot Primary, using LUN ID 0 on Fabric B.
Obtain target WWN information from the resources that are at your disposal.

(3 Points)

3.4 - Create WWxN pool

Create these resource pools or policies:

Sequentially allocated WWxN pool called ccie-dc-wwxn.
Add a WWN block starting with 20:00:00:25:B5:C0:FF:EE of the minimum size.

(2 points)

3.5 - Create I/O connectivity policies

Create a LAN connectivity policy that meets these requirements:

Name: ccie-lan-con-pol
Create two vNICs named eth0 and eth1 and bind each vNIC to a unique existing vNIC template.
Adapter settings should be optimized for VMware.

Create a SAN connectivity policy that meets these requirements:

Name: ccie-san-con-pol
Create a single vHBA named fc0 and assign it to VSAN 200.
Use the existing WWxN pool that was previously created.

(4 points)

3.6 - Cisco UCS Initiator Zoning

Now that you have created your connectivity policies, you must add your initiators to the correct MDS zones. Ensure that the existing MDS zones are correctly configured to ensure that your Cisco UCS initiators and targets can communicate. Add initiator WWNs as required, using the resources that are at your disposal.

(3 points)


3.7 - Remote boot host over FCoE multihop

As part of this question and the next one, you must create a service profile. Detailed requirements for the service profile are provided here. Part of your objective is to ensure that the previously installed operating system successfully boots with your configured service profile. Note: If object names are not explicitly provided, you can use your own naming convention. If policies or settings are not explicitly provided, use the default values.

Perform the following configurations:

Create a service profile named fcoe-boot in the root organization.
This profile should be restricted to blades that have no local disks installed.
Assign the LAN and SAN connectivity policies that were created in the previous section.
The service profile should use the previously created ccie-xxxx resource pools.
Assign the boot policy that you created in the previous section.
Associate the service profile with Server 1/1 and ensure that the ESX host boots up.

(5 Points)

3.8 - Configure Cisco UCS authentication

LDAP authentication had been configured by one of your colleagues, but they are unable to perform a successful test authentication. Your task is to troubleshoot and resolve the issue. The LDAP administrator has confirmed that these details are correct. No access to the Microsoft Active Directory server is required.

Active Directory Object      Value
Domain Controller            10.1.1.214
Bind User                    CN=ucs binduser, OU=CiscoUCS, DC=cciedc, DC=lab
Bind User Password           Cisco
Base DN                      DC=cciedc, DC=lab
Port                         389
Filter                       $AMAccountName=$userid
Group Authorization          Enable
Authentication Domain Name   Ldap-domain
Group Recursion              Recursive
TargetAttribute              Memberof
Ldap provider group Name     Ldap-group

Active Directory Group   Mapped Cisco UCS Role
Ucsaaa                   Aaa
Ucsnetwork               Network

Active Directory Test User   Expected Role
John.smith                   aaa

(6 Points)


3.9 - Configure Call Home monitoring

Your manager has instructed you to configure Call Home for Cisco UCS. Call Home should be configured to only send notifications regarding association failures. Use these details to configure Call Home:

No need to test Call Home or send inventory
Contact: John Smith
Phone: +1555-555-5555
Email: [email protected]
Address: 555 Tasman
Contract ID: 555
From Email: [email protected]
Reply To: [email protected]
SMTP Server: 10.1.1.201

(2 Points)

Section 4 - Data Center Virtualization with Cisco Nexus 1000V

The Cisco Nexus 1000V Switch has been previously installed. All VMware configurations have been completed. No access to VMware vCenter or the host is required. The Cisco VSM contains a basic configuration. After a review of these directives, make any necessary changes.

4.1 - Implement Virtual Switch Module

Assuming that your Cisco UCS blade booted successfully in the previous section, there should be two modules inserted and online on Cisco VSM. Modify the uplink port profile to use manual subgroup IDs. The manual subgroup ID for each uplink interface should match with the vmnic numbering of the host. Example: vmnic1 = subgroup ID 1, vmnic2 = subgroup ID 2, and so on.

(3 Points)

N1Kv# show module
N1Kv# show interface brief
---------------------------------------------------------------------
Port    VRF   Status   IP Address    Speed   MTU
---------------------------------------------------------------------
mgmt0   --    up       10.10.10.10   1000    1500
---------------------------------------------------------------------
Ethernet    VLAN   Type   Mode    Status   Reason   Speed   Port
Interface                                                   Ch #
---------------------------------------------------------------------
Eth25/1     1      eth    trunk   up       none     10G     1
Eth25/2     1      eth    trunk   up       none     10G     1

N1Kv# module vem 25 execute vemcmd show port
LTL   VSM Port   Admin   Link   State   PC-LTL   SGID   Vem Port   Type
17    Eth25/1    UP      UP     FWD     305      0      vmnic0
18    Eth25/2    UP      UP     FWD     305      1      vmnic1
49    Veth1      UP      UP     FWD     0        0      vmk0
305   Po2        UP      UP     FWD     0

port-profile type Ethernet system-uplink
  vmware port-group
  channel-group auto mode on sub-group manual
  no shutdown
  state enabled
!
system jumbo mtu 9000
!
interface Ethernet25/1
  sub-group-id 0
!
interface Ethernet25/2
  sub-group-id 1

N1Kv# track network-state
N1Kv# show network-state tracking
Port-     Network   Tracking   SG   SG       Tracking    SG
Channel   Mode      Vlan       ID   State    Interface   Members
-------   -------   --------   --   ------   ---------   -------
Po2       ok        1          0    Active   Eth25/1     Eth25/1
                               1    Active   Eth25/2     Eth25/2

4.2 - Troubleshoot: Basic port profile configuration

A colleague mistakenly configured the name of the vlan50 port profile. This port profile is already in use and must not be deleted. Your task is to change the port profile name that is presented to VMware vCenter to dmz.

(2 Points)

port-profile type vethernet vlan50
  vmware port-group dmz
!

4.3 - Advanced port profile configuration, part 1

You have been tasked to configure the Cisco Nexus 1000V Switch to support iSCSI traffic for IP storage. One of your colleagues has created a port profile called iscsi. The configuration is not complete. Your job is to modify the port profile and any other configuration to support IP-based storage.

(3 points)

port-profile type vethernet ISCSI
  switchport mode access
  switchport access vlan 30
  capability iscsi-multipath
  no shutdown
  system vlan 30
  state enabled
!
port-profile type Ethernet system-uplink
  system vlan 1,40,30

4.4 - Advanced port profile configuration, part 2

To ensure that proper QoS is applied to your IP storage traffic, configure the iscsi port profile to assign a CoS value of 2 to all traffic. This will align with the CoS that was previously configured in the Cisco UCS section. You may use any names you want for policy names.

(2 points)

policy-map type qos ISCSI
  class class-default
    set cos 2
!
port-profile type vethernet ISCSI
  service-policy type qos output ISCSI
  service-policy type qos input ISCSI
!
port-profile type Ethernet system-uplink
  mtu 9000

UCS / N1K Reference Section

Device           IP           Username   Password
UCS-Cluster-IP   10.1.1.50    Admin      cisco
DC-FI-A          10.1.1.51    Admin      cisco
DC-FI-B          10.1.1.52    Admin      cisco
DC1-MDS-1        10.1.1.61    admin      cisco
DC2-N7K-3        10.1.1.24    admin      cisco
DC2-N7K-4        10.1.1.25    admin      cisco
DC2-N1K (VSM)    10.1.1.212   admin      cisco

UCS Pools / Resources

Pool                   Name             Starting Value            Qty (if applicable)
UUID suffix            ccie-dc-uuid     1111-000000000001         10
WWPN (Fabric A)        ccie-dc-wwpn-a   20:00:00:25:B5:10:10:01   4
WWPN (Fabric B)        ccie-dc-wwpn-b   20:00:00:25:B5:10:10:0A   4
WWNN                   ccie-dc-wwnn     20:00:00:25:B5:11:10:01   4
MACs                   ccie-dc-mac      00:25:B5:00:00:01         32
Management IPs (KVM)                    10.1.1.53/24              7
Management Gateway                      10.1.1.254

Storage Objects                     Value
Fiber Channel SAN Boot LUN ID       0
SAN Boot Policy                     san-boot-dual
Fabric A zone name                  zone_ucs_van100
Fabric B zone name                  zone_ucs_vlan200
Zone set name                       zs_vsan100, zs_vsan200
Zone names                          zone_ucs_vsan100, zone_ucs_vsan200