
CBT Nuggets, CCIE Routing and Switching, Practice Lab 1

Pre-Lab Instructions
Read the entire lab before you start. You may not use any static/default routes unless otherwise specified. You may only use the Frame Relay DLCIs provided in the appropriate figures. Build the lab topology per Figure 1.1 and Figure 1.2. All routers have been pre-configured with loopback interfaces that follow the numbering scheme 10.x.x.x, where x is the router number. For example, R1 has the loopback interface 10.1.1.1/24. R2 has the loopback 10.2.2.2/24.

Section 1: Bridging and Switching (11 Points)


Section 1.1: Frame Relay Configuration (4 Points)
Configure the Frame Relay portion of the network as shown in Figure 1.2. You may only use the PVCs shown in the diagram. R2 and R3 should be connected on their own network. R2, R4, and R5 should be connected on their own network. You can use subinterfaces only on R2 and R5. Do not configure subinterfaces on any other router. You must be able to ping across the Frame Relay network.

Section 1.2: 3550 Switch Configuration (5 Points)


The two 3550 switches are connected using a crossover cable on ports fa0/23 and fa0/24. Configure these ports as a single, high-bandwidth connection. Configure the connections between the 3550 switches as an 802.1Q trunk. This connection should be redundant. If the fa0/23 link fails, fa0/24 should take over. If fa0/24 fails, fa0/23 should take over. All ports are pre-cabled as shown in Table 1-1. All ports shown may not be used in the lab.

Interface: R1 e0 (2514), R1 e1 (2514), R2 e0/0 (2610), R3 e0/0 (2610), R4 e0 (2520), R5 e0 (2620), R6 e0 (2503), R7 e1/0 (3640), R7 fa2/0 (3640), BB1 e0 (2503)

SwitchA: fa0/1, fa0/2, fa0/3, fa0/4, fa0/7, -

SwitchB: fa0/1, fa0/5, fa0/6, fa0/7, fa0/20

Configure the VLANs as follows:
o VLAN 60: Connected to R6 e0 and BB1 e0
o VLAN 71: Connected to R7 fa2/0
o VLAN 120: Connected to R1 e0 and R2 e0/0
o VLAN 140: Connected to R4 e0
o VLAN 735: Connected to R3 e0/0, R5 e0, and R7 e1/0
Configure SwitchB as a server in the VTP domain CCIELab. Add SwitchA to the same domain as a VTP client. Ensure all VLANs replicate between the two switches. Configure SwitchB as the root bridge. SwitchA should be the secondary root. All ports connected to routers handle high-priority traffic and should move immediately to the forwarding state. Configure SwitchA on VLAN 140 with the IP address 180.1.40.140/24. Ensure you can ping this interface from any device in the network once your routing protocols are in place. Configure SwitchB on VLAN 71 with the IP address 170.12.7.140/24. Ensure you can ping this interface from any device in the network once your routing protocols are in place.

Section 1.3: LAN-based Security (2 Points)


In the future, a network client will be attached to SwitchA's fa0/21 port. This host should be authenticated through a RADIUS server before it is able to access the network. The RADIUS server will have the IP address 129.186.35.52/24 and will use the key nighthawk. Only a client with the MAC address of 001a.fb03.1623 should be able to access SwitchB's fa0/22 port. If any other MAC address is detected on that port, the port should shut down until an administrator can re-activate the port.

Section 2: IGP Protocols (27 Points)


Section 2.1: OSPF Foundations (8 Points)
Configure OSPF according to Figure 1.3. The serial interface(s) of R2, R3-s0, R4-s0, and R5-s0 are to be a part of OSPF Area 0. R3-e0, R5-e0, and R7-e1/0 should be a part of OSPF Area 73. R1-s0 and R7-s0 should be a part of OSPF Area 17. R1-e0 and R2-e0/0 should be a part of OSPF Area 12. The BRI0 interfaces of R4 and R5 should be a part of OSPF Area 45. You may not use the ip ospf network command on R2.

Section 2.2: OSPF Features (5 Points)


All loopback interfaces should be a part of the OSPF process. Do not put R1's loopback interface into the OSPF process using the network command. All loopback interfaces should be seen in the routing tables of all OSPF routers with their original subnet mask (/24). Configure area 17 as a totally-stubby area. R1 should be the preferred exit point from this area. Configure R7 to be the designated router of Area 73.

Section 2.3: OSPF Authentication (3 Points)


Enable message-digest authentication between the routers in Area 0.

Section 2.4: RIPv2 (5 Points)


Configure RIP version 2 between R7 and Backbone 3. R7 should send updates only on fa2/0. Configure the RIP timers as follows:
o Update: 1 minute
o Invalid: 4 minutes
o Hold-down: 4 minutes
o Flush: 5 minutes
Configure a filter that allows only networks 192.168.0.0/16 to be accepted by R7. Redistribute between RIP and OSPF. All RIP routes should have a metric of 56 kbps when entering the OSPF domain. The Backbone 3 router should only receive the 180.1.40.0/24 network once it has been redistributed from EIGRP.

Section 2.5: EIGRP (6 Points)


Enable the EIGRP routing process in Autonomous System 10 on routers R4, R5, and R6 as shown in Figure 1.3. R4, R5, and R6 should all be a member of the same AS and communicate as if they were directly connected. This EIGRP relationship does not require redundancy. Redistribute between OSPF and EIGRP on R4 and R5. R4 should only redistribute the network represented on VLAN 140. Enable message digest authentication between all routers.

Section 3: BGP (15 Points)


Section 3.1: Foundation BGP (8 Points)
Configure IBGP and EBGP as shown in Figure 1.4. Configure EBGP between R6 and BB1. R6 is a member of AS 6050 and BB1 is a member of BGP AS 60. R6 will receive routes from BB1 for 210.15.X.0 and 215.10.X.0, where X is any number. Configure IBGP. R2, R3, and R6 are members of BGP AS 6050. R2 can only have a single IBGP peer. Configure EBGP between R2 and R1. R1 is a member of BGP AS 112. All IBGP neighbors should use their loopback interface address for all neighbor relationships. R1 and R2 should form an EBGP neighbor relationship using their loopback addresses. This neighbor relationship should recover if R1's e0 interface fails. Create a second loopback on R1 that has the address 100.100.100.1/24. Inject this network into BGP such that the origin code is i-igp. You may not use the network command to accomplish this.

Section 3.2: Managing BGP (7 Points)


Implement a route filter using an access-list on R6 that allows only odd-numbered subnets from the network ranges 210.15.X.0 and 215.10.X.0. Your access-list can have up to four entries. All routers participating in BGP should be able to see these subnets. Redistribute OSPF into BGP on R3. Allow only routes that were originally RIP routes to enter the BGP process. These routes should be tagged with a metric of 130. Configure an EBGP peer between R3 and R1. Configure R1 to prefer to use R3 for all 210.15.X.0 routes over R2 and to prefer R2 for all 215.10.X.0 routes over R3.
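A check for the odd-subnet filter asked for on R6, added here as an example and not part of the original lab: it models standard access-list wildcard matching in Python and audits a candidate filter against every X in both ranges. The entries in CANDIDATE and LOOSE and all function names are constructed for this illustration.

```python
import ipaddress

def acl_match(base, wildcard, addr):
    """Standard-ACL match: wildcard bits set to 1 are ignored, the rest must equal the base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def permitted(acl, addr):
    """First matching entry wins; an address that matches nothing hits the implicit deny."""
    for action, base, wildcard in acl:
        if acl_match(base, wildcard, addr):
            return action == "permit"
    return False

# Candidate filter (constructed): the base address fixes the low bit of the
# third octet at 1, and the wildcard ignores the other seven bits of that octet.
CANDIDATE = [
    ("permit", "210.15.1.0", "0.0.254.0"),
    ("permit", "215.10.1.0", "0.0.254.0"),
]

# Too-loose attempt for comparison (constructed): 0.0.255.0 also ignores the parity bit.
LOOSE = [
    ("permit", "210.15.1.0", "0.0.255.0"),
    ("permit", "215.10.1.0", "0.0.255.0"),
]

def audit(acl, prefixes=("210.15", "215.10")):
    """Return (even subnets wrongly permitted, odd subnets wrongly denied)."""
    leaked, missed = [], []
    for prefix in prefixes:
        for x in range(256):
            net = f"{prefix}.{x}.0"
            allowed = permitted(acl, net)
            if allowed and x % 2 == 0:
                leaked.append(net)
            elif not allowed and x % 2 == 1:
                missed.append(net)
    return leaked, missed

if __name__ == "__main__":
    for name, acl in (("CANDIDATE", CANDIDATE), ("LOOSE", LOOSE)):
        leaked, missed = audit(acl)
        print(f"{name}: {len(leaked)} even subnets leaked, {len(missed)} odd subnets missed")
```
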

Section 4: ISDN (8 Points)


Section 4.1: ISDN Connectivity (4 Points)
Configure ISDN between R4 and R5. Use PPP as the encapsulation. R4 and R5 should authenticate each other using message-digest authentication when connecting over the ISDN link. Both B-Channels should activate immediately when the initial ISDN connection is made. R4 and R5 should be able to ping each other over the ISDN connection.

Section 4.2: ISDN Dial Restrictions (4 Points)


The ISDN link should pass traffic only if R4-s0 and/or R5-s0 and R5-e0 are down. OSPF routing updates should only bring up the link if the above conditions are true or there is a change to the routing topology.

Section 5: Cisco IOS Features (22 Points)


Section 5.1: DHCP Services (4 Points)
Configure two DHCP pools on R6 using the following information:

Pool Name: VLAN140_Pool
Network: 180.1.40.0/24
DNS Server: 129.186.35.100
Default Gateway: 180.1.40.4
Domain Name: cbtnuggets.com
Option 150: 129.186.35.90

Pool Name: VLAN735_Pool
Network: 129.186.35.0/24
DNS Server: 129.186.35.100
Default Gateway: 129.186.35.50
Domain Name: cbtnuggets.com

Ensure all addresses currently in use on the subnet are excluded from the DHCP pools. Configure R4 and R5 to pass DHCP requests from the respective VLANs to the R6 DHCP server. Configure the DHCP bindings database to be stored on a remote FTP server with the following configuration:
o FTP Server: 192.168.1.11
o Username: guest
o Password: guest
o Filename: DHCP-Bindings

Section 5.2: Redundant Routing (5 Points)


R3, R5, and R7 act as redundant gateways for the clients on VLAN 735. Enable authenticated HSRP between these three routers. R5 should be the preferred gateway using 129.186.35.50/24 unless its s0 interface fails at which point R3 should become the preferred gateway. If the s0 interface of R3 fails, R7 should be the preferred gateway. If any preferred router and/or preferred router interface comes back online following a failure, the router should resume the role of preferred gateway. The HSRP routers should use a Hello timer interval of 5 seconds and a Hold-down timer interval of 10 seconds. The R1 and R2 routers connected to VLAN 120 also act as redundant gateways for the clients attached to this subnet. However, the corporate policy dictates these two routers must use an industry-standard gateway redundancy protocol. Configure R2 as the preferred gateway using 130.13.11.50/24 unless the s0/0 interface fails, at which point R1 should take over as the preferred gateway. All other settings should mirror the prior HSRP configuration.

Section 5.3: SNMP (5 Points)


Configure SNMP on R3 using the community string nugg3t for read-write requests and r3ad0n1y for read-only requests. Restrict read-write access to the host 170.12.7.10 and read-only requests to the 129.186.0.0 subnet. Change the SNMP version to SNMPv2c. Set the source address for SNMP trap messages to be the e0 interface of R3. Enable SNMP traps on R3. Assume the SNMP manager is located at 170.12.7.10. Configure the SNMP resend trap message time to 10 seconds greater than the default. Configure R7 to uniquely identify itself when sending SNMP messages. This will allow messages from R7 stored in a log file to be quickly filtered.

Section 5.4: NTP (4 Points)


Set the clock on R5 to the current time in USA MST (GMT -7) and assign the router to this time zone. You do not need to compensate for daylight saving time. Configure R5 as an NTP master using a stratum that is 2 greater than the default. Be sure the clock and time zone are set accurately. R5 should act as a broadcast NTP server to all clients on VLAN 735. R3 and R7 should receive their clock from this source. Configure R1 to use R5 as its time source. R1 should provide the NTP key of ILoveCBTNuggets when attempting to synchronize with R5. Ensure only R1's e0 IP address is able to remotely synchronize with R5.

Section 5.5: Miscellaneous Tasks (4 Points)


A Cisco router with IP routing disabled connects to VLAN 120 through its fa0 interface which is assigned the IP address 130.13.11.120/24. There is no default-gateway configured on this router and telnet/SSH access has been disabled. This router must be able to be reached by any host from the 129.186.0.0/16 subnet. You will be able to ping this IP address to test your configuration. When administrators on R6 enter global configuration mode they should not see a configuration prompt.

Section 6: Quality of Service (9 Points)


Section 6.1: Managing Traffic Flows (6 Points)
R7 is experiencing a high volume of traffic coming in from Backbone 3. Implement the following policy:
o HTTP and HTTP-S should be limited to 100Kbps
o FTP should be limited to 50Kbps
o All recognized peer-to-peer file sharing applications should be dropped
R4 connects to a VoIP network on VLAN 140. This is your critical application. On R4, guarantee 128Kbps of priority bandwidth to the hosts on VLAN 140 as they enter the Frame Relay network. All other traffic types should be treated with Fair-Queuing.

Section 6.2: Predicting Congestion (3 Points)


R6 is experiencing considerable load from the BB1 router. Configure this router to proactively drop HTTP and HTTP-S packets before the packet buffers fill completely. Just before the packet buffers have filled to the maximum threshold, the router should be dropping 1 out of every 20 packets.

Section 7: Multicast (4 Points)


Section 7.1: Multicast Configuration (4 Points)
Configure R3, R5, and R7 to support Multicast PIM Sparse-mode. R3 should be the rendezvous point. All routers in VLAN 735 should join the multicast group 239.77.77.77.

Section 8: Security (5 Points)


Section 8.1: Securing the Network (5 Points)
Configure R6 to permit telnet access from the source network 129.186.0.0/16 only. Ensure all successful and denied access attempts are logged. Configure R1 for management via HTTP. Authenticate users with the username marge with the password of homer. You have been logging ping sweeps and port scans on the 160.5.1.0/24 subnet coming from the host 180.1.40.105 behind R4. Configure an access list on R4 to block this host from reaching the subnet. Any access attempts should be logged. When the access-list is applied, the host will receive ICMP unreachable messages. Prevent this from occurring without using another access-list. The users of VLAN 71 have extremely strict web access requirements. During business hours (8:00AM to 5:00PM), users are restricted from accessing the Internet (which is behind R4) using HTTP or HTTPS. Outside of those hours, access is allowed. Configure an access-list which provides these access permissions.
