Nation Building II Understood the heritage and culture of People of HK are English speaking Cantonese, Traditional Chinese and Confucian Christians. mild Buddhists like Vietnam before 1963 Writing the Constitutions in articles as this configuration example Lab 2 Figure 2-4 Lab Topology Diagram ###Section 1: LAN Switching (22 Points) ..Configure your switched network to use 802.1w spanning tree. Switch 1 should be the root bridge for VLANs 34, 46, 53, 63, 100, 132, and 200, with Switch 2 being the secondary root bridge for all listed VLANs. (3 points) ..Switch 3 should use its interface directly connecting to Switch 2 (Fast Ethernet 0/21) for traffic directed toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connecting to Switch 1 (Fast Ethernet 0/19) for odd-numbered VLANs (53, 63). (3 points) ..Switch 4 should use its interface directly connecting to Switch 2 (Fast Ethernet0/19) for traffic destined toward even-numbered VLANs (34, 46, 100, 132, 200) and the interface directly connected to Switch 1 (Fast Ethernet 0/21) for odd-numbered VLANs (53, 63). (3 points) .. Ensure a cable fault between Switches 1 and 2 could not result in one-way traffic between the two switches, resulting in spanning-tree issues. (2 points) .. Configure Switch 1 and Switch 2 to enable connectivity of two further switches in the future to be connected to ports Fast Ethernet 0/18 on each switch. The new switches should be able to tunnel their own configured VLANs through a new VLAN (30) between Switch 1 and Switch 2. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN between Switch 1 and Switch 2. (4 points) ..Configure your switched network to monitor the VLAN 200 interface associated with R2 (Switch 2 Fast Ethernet 0/1), and send only traffic destined to R2 on this switch port across your network to Switch 3 port Fast Ethernet 0/17; use a new VLAN (20) to assist in this configuration. There is no requirement to configure a root bridge or VLAN load balancing for the new VLAN. (3 points) ..Configure the interface on Switch 2 that connects to R5 VLAN 53 (Fast Ethernet 0/5) in such a way that if all the trunks on Switch 2 connecting to Switch 1, Switch 3, and Switch 4 should fail, this Ethernet port transitions into error-disable state. (3 points) ..Configure interfaces Fast Ethernet 0/9 and 0/10 on Switch 1 so that even if they are configured to belong to the same VLAN, they will not be able to forward unicast, broadcast, or multicast traffic to one another. Do not use any form of ACL or configure the ports to belong to a PVLAN. (1 point) Section 2: IPv4 IGP Protocols (26 Points) Section 2.1: EIGRP Figure 2-5 EIGRP Topology ..Configure EIGRP per Figure 2-5 using an instance name of CCIE and autonomous system of 1; each EIGRP router should have its Loopback 0 interface configured and advertised within EIGRP. (2 points) ..Configure R1 to advertise a summary route of 120.100.0.0/16 outbound on its VLAN 132 interface. R3 should see the original VLAN 100 and Loopback 0 individual routes in addition to the summary route. You may use only one summary route in your configuration; do not apply the summary command directly to the interface. (3 points) .. Ensure that the length of time that EIGRP considers neighbors to be valid without receiving a hello packet on the VLAN 132 network between R1, R2, and R3 is 200 seconds; do not change the hello-interval parameter. (2 points) ..Configure new loopback interfaces on R1 and R2 using a loopback interface 2 with an identical IP address of 150.101.1.1/24 on both routers; advertise this network into EIGRP on each router. Ensure that R3 prefers the route from R1 by manipulating the delay associated with this route. Do not manually adjust the delay associated with the interface by use of the delay command. You are only permitted to configure R2 to influence the delay. (3 points) ..Configure EIGRP with a new instance name of CCIE2 between R2 and R3 over VLAN 132 with an autonomous system of 2 and 256-bit encryption with a password of lake2aho3, any additional connections to AS2 should be encrypted using the same password without further configuration on R2 and R3. Configure a new loopback interface on R2 (Loopback 3) with an IP address of 150.101.2.1/24, and advertise this and only this network to R3 from R2. (2 points) Section 2.2: OSPF Figure 2-6 OSPF Topology .. Configure OSPF per Figure 2-6 using a process ID of 1. All OSPF configuration, where possible, should not be configured under the process ID. Each OSPF router should also have its Loopback 0 interface configured and advertised within OSPF as follows: (2 points) R4 Loopback 0 – Area 0 R5 Loopback 0 – Area 0 R6 Loopback 0 – Area 1 SW1 Loopback 0 – Area 2 SW2 Loopback 0 – Area 1 SW3 Loopback 0 – Area 2 SW4 Loopback 0 – Area 3 ..Area 0 is partitioned between R4 and R5. Ensure that your network can accommodate this issue. You are not permitted to form any Area 0 neighbor relationship directly between R4 and R5 to join Area 0. (4 points) Section 2.3: Redistribution ..Perform a one-way redistribution of EIGRP AS2 into EIGRP AS1 on R3 using the following default metric: 1544 20000 255 1 1500. Ensure that R1 shows a next hop for the AS2 advertised route of 150.101.2.0/24 of R2 and perform configuration only on R3 for this task. (3 points) .. Perform mutual redistribution of EIGRP AS1 and OSPF on R4 and R5. Use a metric of 5000 for redistributed routes into OSPF that should appear as external type 2 routes and the following K values for OSPF routes redistributed into EIGRP: 1544 20000 255 1 1500. (2 points) .. R3 will have equal cost external EIGRP routes to the redistributed OSPF subnet 120.100.63.0/24 (VLAN 63). Configure only R3 to ensure that R3 routes via a next hop of R5 (120.100.34.5) for this destination subnet. If this route fails, the route advertised from R4 (120.100.34.4) should be used dynamically. (3 points) Section 3: BGP (15 Points) Figure 2-7 BGP Topology .. Configure BGP peering per Figure 2-7 as follows: iBGP R1-R3, R2-R3, R4-R6, R4-SW2. R5-SW1 R5-SW3. eBGP R3-R4, R3-R5, SW4-SW3. R6-SW4. Use loopback interfaces to peer on all routers with the exception of peering between R3-R4 and R3-R5. Do not use the command ebgp-multihop within your configurations. (3 points) .. Routers R1 and R2 in AS100 should be made to only passively accept BGP sessions. R3 should be configured to only actively create BGP sessions to R1 and R2 within AS100. (3 points) .. Configure the following loopback interfaces on R3 and SW4; advertise these networks into BGP using the network command: (2 points) R3 – Loopback interface 5 (152.100.100.1/24) SW4 – Loopback interface 5 (152.200.32.1/24) SW4 – Loopback interface 6 (152.200.33.1/24) SW4 – Loopback interface 7 (152.200.34.1/24) SW4 – Loopback interface 8 (152.200.35.1/24) ..Configure R3 to inform R4 that it does not want to receive routes advertised from SW4 for networks 152.200.33.0/24, 152.200.34.0/24, and 152.200.35.0/24. Achieve this in such a manner that R4 does not actually advertise these routes toward R3. You may also configure R4. (4 points) ..Configure a route map on R5 that prepends its local autonomous system an additional two times for network 152.200.32.0/24 when advertised to R3. The route map may contain mu ltiple permit statements, but only one prepend is permitted per line. (3 points) Section 4: IPv6 (12 Points) .. Configure IPv6 addresses on your network as follows: 2007:C15:C0:10::1/64 – R1 Gi0/1 2007:C15:C0:11::1/64 – R1 tunnel0 2007:C15:C0:11::3/64 – R3 tunnel0 2007:C15:C0:12::2/64 – R2 tunnel0 2007:C15:C0:12::3/64 – R3 tunnel1 2007:C15:C0:13::2/64 – R2 fe0/1 2007:C15:C0:14::3/64 – R3 Gi0/0 2007:C15:C0:14::4/64 – R4 Gi0/0 2007:C15:C0:14::5/64 – R5 Gi0/0 2007:C15:C0:15::4/64 – R4 Gi0/1 2007:C15:C0:15::6/64 – R6 Gi0/0 Section 4.1: EIGRPv6 ..Configure EIGRPv6 with an autonomous system of 6 between R1, R2, and R3. EIGRPv6 should not be enabled directly under the interfaces of the routers. Build your tunnels from R1 to R3 and R2 to R3 with source interfaces from VLAN 132 to advertise IPv6 edge networks from each router using ipv6ip mode. (2 points) Section 4.2: OSPFv3 .. Configure OSPFv3 per Figure 2-8 ; use an OSPFv3 process of 1 on each router. (2 points) .. Configure Area 1 with IPsec authentication, use message digest 5, a security policy index of 500, and a key of DEC0DECC1E0DDBA11B0BB0BBEDB00B00. (2 points) .. Ensure the area router in Area 1 receives the following route. You may configure R4 to achieve this: (2 points) I 2007::/16 [110/2] via XXXX::XXXX:XXXX:XXXX:XXXX, GigabitEthernet0/0 Section 4.3: Redistribution ..Redistribute EIGRPv6 into OSPFv3 on R3. Redistributed EIGRPv6 routes should have a metric of 5000 associated with them, regardless of which area they are seen in within the OSPFv3 network. (2 points) ..Configure R3 so that both R1 and R2 have the following IPv6 EIGRPv6 route in place. Do not redistribute OSPF into EIGRPv6 to achieve this, and do ensure that all routers have full visibility: (2 points) D 2007::/16 [90/XXXXXXXXX] via XXXX::XXXX:XXXX:XXXX:XXXX, Tunnel0 Section 5: QoS (6 Points) ..Two IP video conferencing units are to be installed onto Switch 2 ports Fast Ethernet 0/15 and 0/16 on VLAN 200. The devices use TCP ports 3230–3231 and UDP ports 3230–3235, and this traffic is unmarked from the devices as it enters the switch. Configure Switch 2 to assign a DSCP value of AF41 to video traffic from both of these devices. Ensure that the switch ports assigned to the devices do not participate in the usual spanning-tree checks, cannot form trunk links, and cannot be configured as EtherChannels. (3 points) ..Configure R2 to assign a strict-priority queue with a 40 percent reservation of the WAN bandwidth for the video conferencing traffic in the previous question. Maximize the available bandwidth by ensuring the RTP headers within the video stream are compressed. The remainder of the bandwidth should be guaranteed for a default queue with WRED enabled. (3 points) Section 6: Multicast (9 Points) ..Configure routers R1, R2, R3, and R4 for IPv4 multicast. Each router should use PIM sparse dense mode. Both R1 and R2 should be configured to be candidate RPs specifically for the following multicast groups: 225.225.0.1, 225.225.0.2, 225.225.0.3, and 225.225.0.4 (by use of their Loopback 0 interfaces). You should limit the boundary of your multicast network so that it does propagate further into your network than R4. R3 should be configured as a mapping agent to announce the rendezvous points for the multicast network with the same boundary constraints. (3 points) .. Configure R3 to ensure R4 has a candidate RP as R1 for groups 225.225.0.1 and 225.225.0.2 and R2 for groups 225.225.0.3 and 225.225.0.3. (3 points) ..multicast group of 225.225.0.1. If no packet for this group is received within a single 10-second interval, ensure that an SNMP trap is sent to an SNMP management station on 120.100.100.100 using a community string of public . (3 points) Section 7: Security (10 Points) ..Allow router R6 to passively watch the SYN connections that flow to only VLAN 63 for servers that might reside on this subnet. To prevent a potential denial-of-service (DoS) attack from a flood of SYN requests, the router should be configured to randomly drop SYN packets from any source to this VLAN that have not been correctly established within 20 seconds. (2 points) .. Configure an ACL on R1 to allow TCP sessions generated on this router and through its Ethernet interface and to block TCP sessions from entering on its VLAN 132 interface that were not initiated on it or through it originally. Do not use the established feature within standard ACLs to achieve this, and apply ACLs only on the VLAN 132 interface. The ACL should timeout after 100 seconds of locally initiated TCP inactivity; it should also enable ICMP traffic inbound for testing purposes. (3 points) .. Configure R1 so that it can perform SCP. The router should belong to a domain of toughtest.co.uk. Use local authentication with a username and password of cisco, a key size of 768 bits, and an SSH timeout of 2 minutes and retry value of 2. (2 points) .. The network administrator has determined that IPv6 router advertisements are being sourced from routers on VLAN 34. Disable these advertisements from entering and propagating on VLAN 34. You may use an ACL applied in a single location in your solution. Do not use the RA guard solution with untrusted ports. (3 points)
Posted on: Sun, 30 Nov 2014 00:46:09 +0000