
To Pass CCIE Enterprise Infrastructure v1.0 Deploy discussion - Real Attempt



On 7/18/2021 at 10:36 PM, mrhacker said:

Hi Guys,

If we agree, we can start the discussion of CCIE EI. If all agree, I can share the list of questions section-wise.

Hi Mr Hacker, what would you like us to do that will make you share the questions?


Section 1.1

SW110

sw110(config)#spanning-tree mode rapid
sw110(config)#spanning-tree pathcost method long
sw110(config)#spanning-tree portfast edge default

sw110(config)#interface range gi1/2-3
sw110(config-if-range)#channel-group 2 mode active


SW101

sw101(config)#spanning-tree mode rapid
sw101(config)#spanning-tree pathcost method long
sw101(config)#spanning-tree vlan 2000 priority 0
sw101(config)#spanning-tree vlan 1-4094 hello-time 1

sw101(config)#interface range gi1/2-3
sw101(config-if-range)#channel-group 1 mode on


SW102

sw102(config)#spanning-tree mode rapid
sw102(config)#spanning-tree pathcost method long
sw102(config)#spanning-tree vlan 2001 priority 0
sw102(config)#spanning-tree vlan 1-4094 hello-time 1

sw102(config)#interface range gi1/2-3
sw102(config-if-range)#channel-group 2 mode active


Verification:

sw110# sh etherchannel summary
sh spanning-tree vlan 2000

SW110#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated

        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+---------------------
1      Po1(SU)         LACP      Gi1/0(P)    Gi1/1(P)
2      Po2(SU)         LACP      Gi1/2(P)    Gi1/3(P)

SW102#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated

        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+---------------------
1      Po2(SU)         LACP      Gi1/2(P)    Gi1/3(P)
2      Po3(SU)         LACP      Gi2/0(P)    Gi2/1(P)


SW101#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated

        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+---------------------
1      Po1(SU)         LACP      Gi1/2(P)    Gi1/3(P)
2      Po2(SU)         LACP      Gi1/2(P)    Gi1/3(P)

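One way to automate the verification step shown in the post above, as an added example that is not part of the original thread: it parses `show etherchannel summary` output and reports any port-channel that is not in use and any member link that is not bundled. The sample outputs are constructed, and the names `parse_summary` and `find_problems` are hypothetical.

```python
import re

# Constructed sample outputs in the `show etherchannel summary` layout;
# they are illustrative and were not captured from a real device.
SAMPLE_OK = """\
Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+---------------------
1      Po1(SU)         LACP      Gi1/0(P)    Gi1/1(P)
2      Po2(SU)         LACP      Gi1/2(P)    Gi1/3(P)
"""

SAMPLE_BAD = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+---------------------
1      Po1(SD)         LACP      Gi1/0(s)    Gi1/1(D)
2      Po2(SU)          -        Gi1/2(P)
                                 Gi1/3(I)
"""

# Group row: "<id>  Po<n>(<flags>)  <protocol>  <ports...>"
ROW = re.compile(r"^\s*(\d+)\s+(Po\d+)\s*\(([A-Za-z]+)\)\s+(\S+)\s*(.*)$")
# Member port with its state flag, e.g. "Gi1/0(P)"
PORT = re.compile(r"([A-Za-z]+\d+(?:/\d+)*)\(([A-Za-z]+)\)")

# Port flags from the legend printed at the top of the command output.
PORT_FLAGS = {
    "D": "down", "I": "stand-alone", "s": "suspended", "H": "hot-standby",
    "u": "unsuitable for bundling", "w": "waiting to be aggregated",
}


def parse_summary(text):
    """Return one dict per channel group: name, flags, protocol, ports."""
    groups = []
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            _, name, flags, protocol, rest = row.groups()
            groups.append({"name": name, "flags": flags, "protocol": protocol,
                           "ports": PORT.findall(rest)})
        elif groups and line.strip() and PORT.sub("", line).strip() == "":
            # Wrapped line that carries only further member ports.
            groups[-1]["ports"].extend(PORT.findall(line))
    return groups


def find_problems(text, expect_protocol=None):
    """List every deviation from 'channel in use, all members bundled'."""
    problems = []
    for group in parse_summary(text):
        name = group["name"]
        if "U" not in group["flags"]:
            problems.append(f"{name}: port-channel not in use ({group['flags']})")
        if expect_protocol and group["protocol"] != expect_protocol:
            problems.append(
                f"{name}: protocol {group['protocol']}, expected {expect_protocol}")
        if not group["ports"]:
            problems.append(f"{name}: no member ports listed")
        for port, flag in group["ports"]:
            if flag != "P":
                state = PORT_FLAGS.get(flag, "unknown state")
                problems.append(f"{name}: {port} is {state} ({flag})")
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        issues = find_problems(sample, expect_protocol="LACP")
        print(label, "->", issues or "all channels up, all members bundled")
```
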

On 7/23/2021 at 10:34 PM, mrhacker said:

Thanks to all, dears,

Below is the list of questions; review and validate the solutions.

1.2: Layer 2 Technologies in HQ

Complete and correct the EtherChannel configuration between switches sw101, sw102, sw110 according to these requirements:

• At the end of the task, all EtherChannels between switches sw101, sw102, sw110 must be up and operational including all their physical member links.
• Do not create new Port-channel interfaces; reuse those that already exist on the switches.
• When resolving existing issues, do not change the preconfigured negotiation protocol (if any).
• On EtherChannels that use a negotiation protocol, tune its mode of operation for the shortest link building time possible.

Configure spanning tree protocol on switches sw101, sw102, sw110 according to these requirements:

• The STP root for VLAN 2000 must be sw101.
• The STP root for VLAN 2001 must be sw102.
• STP roots must be elected based on bridge priorities.
• On the three switches, have STP perform cost calculations in 32-bit arithmetic.
• On the three switches, use the Rapid STP version and ensure that it can achieve rapid convergence on all interconnections between the switches.
• On sw110, prevent all current and future access mode interfaces from being affected by the Proposal/Agreement process.

1.2: First Hop Redundancy Protocol in HQ

For IPv4, implement an FHRP mechanism on sw101 and sw102 for VLANs 2000 and 2001 according to these requirements:

• Use group number 100 for VLAN 2000 and group number 101 for VLAN 2001.
• Use the first available IPv4 address in the subnet for the address of the virtual router.
• For VLAN 2000, sw101 must be the preferred gateway; for VLAN 2001, sw102 must be the preferred gateway. Do not rely on the IPv4 addresses of the switches as role tiebreakers. The role must be determined by an explicit configuration solely on the intended preferred gateway.
• Each preferred gateway must monitor the reachability of both routers r11 and r12 using the loopback IPv4 addresses of the routers by an ICMP Echo. The reachability is to be verified every 5 seconds with a timeout of 400 msec. A router must be declared unreachable as soon as it does not respond to three probes in a row. If both r11 and r12 are declared unreachable from a preferred gateway, the other switch must be allowed to assume the gateway role.
• Use the FHRP protocol that allows the virtual IPv4 address to match the IPv4 address of a member router.

1.3: OSPFv2 between HQ and DC

Complete and correct the OSPF configuration on the switches sw101, sw102, sw201 and sw202 according to these requirements:

• Enable OSPFv2 on the redundant interconnections between the DC and HQ sites. Make sure that OSPF establishes adjacencies on these interconnections and exchanges routing information between the DC and HQ sites.
• Protect the authenticity and integrity of the OSPFv2 sessions on the redundant interconnections between DC and HQ with the SHA-384 mechanism. Use key ID 1 and a shared secret of "cci3" (without quotes).
• Improve the detection of unreachable OSPFv2 neighbors on the redundant interconnections between DC and HQ so that OSPF can detect the loss of a neighbor within 200 msec, with the probes being sent every 100 msec. It is not allowed to modify OSPF timers to accomplish this requirement.

1.4: DHCP IPv4 service for HQ

Enable hosts in HQ VLAN 2000 and VLAN 2001 to obtain their IP configuration via DHCP according to these requirements:

• On sw211, create IPv4 DHCP pools named hq_v2000 and hq_v2001 for HQ VLANs 2000 and 2001, respectively. In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.
• Enable DHCP snooping on sw110 in VLANs 2000 and 2001 to protect against DHCP-related attacks.
• Place host11 into VLAN 2000.
• Place host12 into VLAN 2001.
• Perform the necessary configuration on switches sw101, sw102, sw110 to enable hosts in VLANs 2000 and 2001 to obtain IPv4 configuration through DHCP. The DHCP server running at sw211 in the DC must be referred to by its loopback IPv4 address 10.2.255.211. Do not disable the Option 82 insertion, and do not enable DHCP snooping on other switches.
• Verify that host11 and host12 have IP connectivity to the Cisco DNA Center, vManage and UCE running in the DC using their internal (In Band Connectivity) addresses.

1.5: IPv6 in HQ

Implement IPv6 on sw101 and sw102 for switch virtual interfaces (SVIs) Vlan 2000 and Vlan 2001 according to these requirements:

• sw101
  Interface Vlan2000: 2001:db:8:1:100::1/64
  Interface Vlan2001: 2001:db8:1:101::1/64
• sw102
  Interface Vlan2000: 2001:db8:1:100::2/64
  Interface Vlan2001: 2001:db8:1:101::2/64
• The configuration must enable hosts in these VLANs to obtain their IPv6 configuration via SLAAC and keep a stable connectivity with other IPv6 networks.
• Use native IPv6 means to provide gateway redundancy, with sw101 being the preferred gateway in VLAN 2000 and sw102 being the preferred gateway in VLAN 2001. The role must be determined by an explicit configuration solely on the intended preferred gateway.
• Hosts must be able to detect the failure of the preferred gateway in as little as 3 seconds.

1.6: IPv6 EIGRP in HQ

In HQ, enable EIGRP for IPv6 on r11, r12, sw101 and sw102 according to these requirements:

• Use process name "ccie" (without the quotes) and AS number 65001.
• Do not configure any additional IPv6 addresses.
• IPv6 EIGRP may form adjacencies only over the physical Layer3 interfaces between r11, r12, sw101 and sw102.
• Prevent IPv6 EIGRP from automatically running on, or advertising attached prefixes from, new IPv6-enabled interfaces in the future unless allowed explicitly.
• Ensure that the attached IPv6 prefixes on SVIs Vlan2000 and Vlan2001 on sw101 and sw102 are advertised in IPv6 EIGRP and learned on r11 and r12.
• No route filtering is allowed to accomplish this entire task.

1.7: OSPFv2 in DC

Configure devices in the DC according to these requirements:

• Switches sw201 and sw202 must establish a stable OSPF adjacency in the FULL state with vedge21 and vedge22 on interface Vlan3999. Any configuration changes and corrections necessary to meet this requirement may be performed only on the switches, and any mismatched parameters causing the issue must be changed to exactly match the configuration of the vEdges.
• All OSPF speakers in the DC running Cisco IOS and IOS-XE software must be configured to keep the number of advertised internal routes to an absolute minimum while not impacting the reachability of the services. This includes the reachability of ISE, DNA Center, vManage, vBond and vSmart on their internal (In Band Connectivity) addresses, as well as any existing and future devices in VLAN 4000 and sw201 and sw202. The configuration of this requirement must be completed exclusively within the "router ospf" and "interface vlan" contexts without causing any impact to existing OSPF adjacencies.
• Router r24 must advertise two prefixes, 10.6.0.0/15 and 10.200.0.0/24, as Type-5 LSAs in OSPFv2 to provide HQ and DC with the reachability to the DMVPN tunnel and branches #3 and #4. The configuration of this requirement must be completed exclusively within the "router ospf" context.
• Any route from the 10.2.0.0/16 range that keeps being advertised in OSPF must continue being advertised as an intra-area route.
• It is not allowed to modify existing areas to accomplish this entire task.

1.8: BGP between HQ/DC and service providers

Configure the BGP peerings between HQ/DC and Global SP#1 and Global SP#2 according to these requirements:

• Bring up the BGP peering between HQ r11 and SP#1 r3
• Bring up the BGP peering between DC r21 and SP#1 r3
• Bring up the BGP peering between DC r22 and SP#2
• Ensure that the routes learned over eBGP sessions and further advertised in iBGP will be considered reachable even if the networks on inter-AS links are not advertised in OSPF. The configuration of this requirement must be completed exclusively within the "router bgp" context.
• On r11, r21 and r22 perform mutual redistribution between OSPFv2 and BGP. However, prevent routes that were injected into OSPF from BGP from being reinjected back into BGP. This requirement must be solved on r11, r21 and r22 using only a single route-map on each of the routers and without any reference to ACLs, prefix lists, or route types.
• Prevent HQ and DC from ever communicating through SP#1 r3. All communication between HQ and DC must occur only over the direct SW101/SW201 and SW102/SW202 interconnections. Any other communication must remain unaffected. This requirement must be solved on r21 and r22 by route filtering based on a well-known mandatory attribute without the use of route maps.
• No command may be removed from the configuration on r11 to accomplish this entire task.
• It is allowed to modify existing configuration commands on r21 and r22 to accomplish this entire task.

1.9: Bringing up VPNv4/VPNv6 in SP#1

Configure routers r3, r4, r5 and r6 in SP#1 according to these requirements:

• Configure r3 through r6 for mutual VPNv4 and VPNv6 route exchange without the use of a route reflector. Use Lo0 IPv4 addresses for peerings.
• Configure r3 through r6 to assign (allocate/bind) as few unique MPLS labels to all existing and future VPNv4 and VPNv6 routes as possible.
• On routers r3 through r6, prevent any existing and future customer from discovering details about the inner topology of SP#1. It is not allowed to use ACLs to accomplish this requirement.

1.10: Fixing Broken DMVPN between DC and Branches #3 and #4

Correct the configuration issues resulting in broken DMVPN tunnel connectivity between DC, Branch3 and Branch4 according to these requirements:

• The DMVPN must operate in IPsec-protected phase 3 mode.
• Using the FVRF approach, safeguard the DMVPN operation against any potential recursive routing issues involving the tunnel.
• Do not create any new VRFs.
• Do not change the tunnel source commands on Tunnel interfaces.
• On spokes, do not add new BGP neighbors; reuse those that are currently up while changing their VRF membership as needed.
• It is not allowed to modify configuration on DC r24 to complete this entire task.

1.11: Tuning EIGRP on DMVPN and DMVPN-enabled Sites

Optimize the DMVPN operation according to these requirements:

• Ensure that Branches #3 and #4 receive only a default route over EIGRP in DMVPN.
• The default route origination must be done on DC r24 without the use of any static routes, redistribution, or route filtering.
• It is not allowed to modify the configuration of r61 and r62 in Branch #3 to accomplish this task.
• It is allowed to add commands to the configuration of r70 in Branch #4 to accomplish this task. None of the existing configuration on r70 may be removed to accomplish this task.

Configure sw601 and sw602 at Branch #3 according to these requirements:

• Routers r61 and r62 must not send EIGRP queries to sw601 and sw602.
• Switches sw601 and sw602 must allow advertising any current or future directly connected network to r61 and r62 after the network is added to EIGRP.
• Switches sw601 and sw602 must continue to propagate the default route received from r61 and r62 to each other. To select the default route, use a prefix list with a "Permit"-type entry only.
• Switches sw601 and sw602 must not propagate the default route back to r61 and r62.
• If the prefix list that allows the propagation of selected EIGRP-learned networks between sw601 and sw602 is modified in the future, the same set of networks must be disallowed from being advertised back to r61 and r62 automatically, without any additional commands.

1.12: IPv4 Networks on Legacy Branches

On sw211 in DC, complete the DHCP server configuration according to these requirements:

• Create IPv4 DHCP pools named br3_v2000 and br3_v2001 for Branch #3 VLANs 2000 (10.6.100.0/24) and 2001 (10.6.101.0/24), respectively.
• Create IPv4 DHCP pool named br4_v1 for the subnet 10.7.1.0/24 on Branch #4.
• In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

On Branch #3, complete and correct the configuration on switches sw601, sw602 and sw610 to allow HSRP and DHCP relay operation in VLANs 2000 and 2001 according to these requirements:

• HSRP must implicitly use the vMAC address range of 0000.0c9f.f000 through 0000.0c9f.ffff
• The group member must be 100 for VLAN 2000 and 101 for VLAN 2001
• sw601 must be the Active gateway for VLAN 2000 with a priority of 110; the Active role ownership must be deterministic
• sw602 must be the Active gateway for VLAN 2001 with a priority of 110; the Active role ownership must be deterministic
• Each active switch must track its uplink interfaces gi0/1 and gi0/2; if either of these interfaces goes down, the active switch must allow the other switch to become Active. However, it is not allowed for the tracking to modify the HSRP priority to accomplish this requirement.
• Both sw601 and sw602 must be configured as DHCP relay agents in both VLANs 2000 and 2001, pointing toward the DHCP server 10.2.255.211 at sw211. However, at any time, only the Active router in the particular VLAN should relay the DHCP messages.
• Place host61 and host62 into VLANs 2000 and 2001, respectively, and make sure they are assigned their correct IPv4 configuration.

It is not permitted to use any kind of scripting to complete this task.

On Branch #4, complete the configuration of the router r70 according to these requirements:

• Assign IP address 10.7.1.1/24 to gi0/2
• Enable DHCP relay on this interface and point it to the DHCP server 10.2.255.211 at sw211
• It is allowed to add one additional missing command to the r70 configuration to allow DHCP clients connected to gi0/2 to obtain their IPv4 configuration.
• Make sure that host71 and host72 are assigned their correct IPv4 configuration.

1.13: Multicast in FABD2

FABD2 is preparing to enable PIM Sparse mode multicast routing in its network. As a part of validating the runbooks, FABD2 requires a sanity check to prevent inappropriate use of multicast-related configuration commands on different router types:

• First Hop Routers - routers where multicast sources are connected
• Last Hop Routers - routers where multicast receivers (subscribers) are connected
• Intermediary Hop Routers - routers on the path between First Hop and Last Hop routers

In the table below, for each configuration command, select all router types where the use of the command is appropriate. (Select all that apply)

Router Type:
Command                | First Hop Router | Intermediary Hop Router | Last Hop Router
ip pim register-source |                  |                         |
ip igmp version        |                  |                         |
ip pim spt-threshold   |                  |                         |
ip pim rp-address      |                  |                         |
ip pim sparse-mode     |                  |                         |

1.14: Extending Connectivity to IaaS Site

Extend the IPv6 connectivity from HQ through the SP into the giosk VRF on the IaaS site according to these requirements:

Set up global IPv6 addressing on the link between r11 and r3

• On r11, assign 2001:2710:311::2/64 to g0/0
• On r3, assign 2001:2710:311::1/64 to g1
• Enable the existing IPv4 BGP session between r11 and r3 to also advertise IPv6 prefixes. Do not configure a standalone IPv6 BGP session between these two routers.
• Perform bidirectional route redistribution between the IPv6 EIGRP and BGP processes on r11.
• Ensure that all current and future IPv6 prefixes advertised between r11 and r3 will be installed into the RIB of these routers with the next hop address set to the proper global unicast address on their interconnection. Any policy that accomplishes this requirement must be applied in the inbound direction.
• The giosk VRF on r4 that extends the IPv6 connectivity from r4 to r30 on the IaaS site is a separate VRF independent of fabd2 VRF. Any route leaking from fabd2 VRF into giosk VRF must be done on a per-site basis and only for those FABD2 sites that need connectivity in the IaaS site.
• By configuring r3 and r4 only, ensure that the HQ FABD2 site will have mutual visibility with the IaaS site while preventing
  - Any other FABD2 site from possibly learning about the routes on the IaaS site
  - The IaaS site from possibly learning about the routes on any other FABD2 site

Use the minimum amount of commands necessary to accomplish this requirement. Do not remove any existing configuration. If necessary, you are allowed to use an additional route target with the value of 10000:3681.

• Verify that host11 and host12 can ping 2001:db8:14::1 located at the IaaS site. It is permitted to modify one existing configuration command on one of the SP routers to meet this requirement.

1.15: Enabling Internet Access for FABD2

Enable highly available internet access for the FABD2 company network according to these requirements:

• On routers r12, r23 and r24, bring up IPv4 BGP peerings with the ISP; make sure that a default route is received over these peerings.
• On routers r12 and r23, inject a default route into OSPF if it is present in the routing table from a different routing source than the OSPFv2 process 1. On each router, this requirement must be completed using the minimum possible number of commands.
• On router r24, inject a default route into OSPF if and only if it is learned from the ISP over BGP. To accomplish this requirement, it is allowed to use a route-map that references both a prefix-list and a tag. This requirement must be completed using the minimum possible number of commands.
• Router r12 may be used as an internet exit for the FABD2 company network only if neither r23 nor r24 are advertising the default route in OSPF. This requirement must be accomplished exclusively in "router ospf" mode on router r12 without changing the default parameters on routers r23 and r24.
• On routers r12, r23 and r24, configure PAT and translate the entire FABD2 internal network 10.0.0.0/8 to the router address on the link toward the ISP. Create a standard ACL named NAT for this purpose. Do not use NAT pools.

Ensure that the internet connectivity of the FABD2 company network makes use of the high availability provided by r12, r23 and r24.

2.1: Correcting the IP addresses of Managed switches in DNA Center

After Cisco DNA Center first achieves IP connectivity with the managed switches in Branches #1 and #2, it will place them into maintenance mode due to their serial number being different from the one DNA Center remembers. In addition, their management IP addresses in DNA Center will be automatically changed by appending them with the ".dummy.com" string. As a result, after an initial contact, DNA Center will lose connectivity with the switches unless their management IP addresses are corrected in the DNA Center settings.

Correct the IP addresses of managed switches in the DNA Center according to the following requirements:

• Use any host, such as host11, to access the DNA Center GUI website at [hidden content] URL.
• Execute the provision-Devices- Inventory- Global- Actions-Inventory- Resync Device action in DNA Center on all switches before proceeding further.
• DNA Center API reference and sandbox is available at [hidden content] URL.
• The /network/device/update-maintenance-device-ip-address API call description and sandbox are available in the Inventory section of the API reference.
• Use the /network-device/update-maintenance-device-ip-address API call to correct the IP addresses of the switches in Branches #1 and #2 by removing the appended text.

Note: These IP addresses cannot be changed from DNA Center GUI directly because they will become automatically invalidated again. This is a built-in DNA Center behavior.

2.2: Completing VN Configuration in DNA Center

Using the DNA Center GUI, perform configuration tasks according to these requirements:

• Add a new virtual network named IoT for the internet-of-things network on the Branches #1 and #2
• Create new address pools for the IoT VN named Branch1- For IoT and Branch2-ForIoT on the global level, and branch1-IoT and Branch2-IoT on the Branch level.
• For Branch #1 IoT VN, allocate the subnet 10.4.198.0/24 and the gateway IP address 10.4.198.1.
• For Branch #2 IoT VN, allocate the subnet 10.5.198.0/24, and the gateway IP address 10.5.198.1.
• Associate the Branch1-IoT and Branch2-IoT pools with the IoT VN on the respective branches.
• Complete the configuration of the address pools for the Guest VN in the DNA Center so that Branch #1 and Branch #2 can accommodate guest connections. If a new address pool needs to be created and an address range allocated to it, follow the established addressing plan.
• Correct the addressing information currently defined for the Branch2- For Employees and Branch2- Employees address pool.
• For all address pools, use the DHCP server 10.2.255.211 to allocate addresses to clients.

On sw211, complete the DHCP server configuration according to these requirements:

• Create four new DHCP pools for the IoT and Employees VNs on respective branches
  o Pool named br1_iot for Branch #1 IoT VN
  o Pool named br1_emp for Branch #1 Employees VN
  o Pool named br2_iot for Branch #2 IoT VN
  o Pool named br2_emp for Branch #2 Employees VN
• In each subset, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

2.3: Mapping SDA VNs to SD-WAN VPNs

Using vManage GUI, perform configuration tasks according to these requirements:

• Use any host, such as host11, to access the vManage GUI website at [hidden content] URL.
• Create three new SD-WAN VPNs to carry the SDA VN traffic
  o VPN ID 198 for IoT VN
  o VPN ID 199 for Guest VN
  o VPN ID 200 for Employees VN
• On Branch #1 and Branch #2 vEdges, for each of these VPNs:
  o Create a new sub-interface on the interface toward the SDA border switch. Align the VLAN ID and IP address on the sub-interface with the configuration generated by DNA Center on the border switches for the appropriate VN.
  o Peer the vEdge and the SDA border switch using iBGP. Ensure full reachability between all locations of the same VPN.

2.4: Configuring SD-WAN VPN Route Leaking

To allow the traditional parts of the FABD2 network to communicate with the Employees and IoT VPNs/VNs, configure route leaking in SD-WAN according to these requirements:

• Prefixes in the IoT VPN 198 must be imported into the existing SDA Underlay VPN 999 and tagged with the tag value of 198.
• Prefixes in the Employees VPN 200 must be imported into the existing SDA Underlay VPN 999 and tagged with the tag value of 200.
• Prefixes in the SDA underlay VPN 999 advertised from the DC that are within the 10.4.0.0/15 range must be rejected. Other prefixes in the SDA underlay VPN 999 advertised from DC must be accepted and also imported into IoT VPN 198 and Employees VPN 200.
• Redistribution from OMP into OSPF on Branches #1 and #2 in VPN 999 must exclude vRoutes tagged with values 198 or 200.
• Place host41 into Employees VN. Place host51 into IoT VN. Make sure both hosts receive their IP settings from DHCP.
• Ensure that the IoT and Employees VPNs on Branches #1 and #2 have reachability to Branches #3 and #4. It is allowed to modify the VPN 999 OMP settings to accomplish this requirement.

2.5: Handling Guest Traffic

The guest VN/VPN on Branches #1 and #2 must remain isolated from the rest of the company network. It's only allowed to reach the internet through r23 and r24 in the DC. Enable internet connectivity for the Guest VPN according to these requirements:

• On Vedge21 and Vedge22, place the ge0/2 interfaces into the Guest VPN 199.
• On r23 and r24, create a new VRF named Guest using the RD of 65002:199, and place the gi4 interfaces into the VRF.
• Assign addresses to these interfaces:
  o R23 Gi4: 10.2.123.1/24
  o R24 Gi4: 10.2.224.1/24
  o Vedge 21 gi0/2: 10.2.123.2/24
  o Vedge 22 Gi0/2: 10.2.224.2/24
• Peer r23 and vedge21 in the Guest VRF/VPN using iBGP.
• Peer r24 and vedge22 in the Guest VRF/VPN using iBGP.
• Ensure that r23 and r24 learn the routes in the Guest VRF/VPN over iBGP.
• On r23 and r24, configure a static default route in the Guest VRF and point it to the ISP's IP address 200.99.23.1 or 200.99.24.1 as appropriate. Advertise this default route in iBGP to vedge21 and vedge22.
• On r23 and r24, configure PAT to allow the Guest VPN to access the internet by translating it to the router address on the link toward the ISP. Reuse the NAT ACL already created on the router. Do not use NAT pools.

Configure r23 as DHCP server for Guest VPN according to these requirements:

• Create loopback1 interface on r23 associated with the Guest VRF and having the IP address 10.2.255.211/32
• Advertise this prefix in BGP toward vedge21.
• Create DHCP pool named br1_guest for Branch #1 Guest subnet.
• Create DHCP pool named br2_guest for Branch #2 Guest subnet.
• Explicitly associate both DHCP pools with the VRF guest.
• In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.
• Associate host42 and host52 with guest VN in DNAC, and make sure that both hosts receive the appropriate address.
• Make sure that host42 and host52 can ping 8.8.8.8 in the ISP cloud.

2.6聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽聽 : Support for silent Hosts in Branch #2

The item consists of multiple questions. You may need to scroll down to be able to see all questions. In future, Branch#2 will be equipped with IP-based IoT endpoints operating in speak-when-spoken-to mode also called silent hosts. Which of the following SDA features enables a working connectivity with these IoT endpoints?

· Native Multicast

· Endpoint Mobility

· Layer 2 flooding

· Layer 2 Extension

In the statement below, select one of the options from the drop-down list to complete the sentence and form a correct statement.

For SDA to support silent hosts, ----- Selection Option ----- in the underlay as a prerequisite.

Options:

· IP Multicast routing with PIM-SM must be enabled

· No additional capability aside from unicast IP Connectivity is required.

· IS-IS must be used as a routing protocol

· DHCP Snooping must be enabled.

3.1: Enabling CLI access to r30

There is no direct console access provided to the router r30. Moreover, r30 does not accept any remote connections because its VTY lines are configured with transport input none. Using RESTCONF, enable remote access to r30 for all remote access protocols, according to these requirements:

· You can use host31 to access router r30 using IP address 10.3.11.1

· You can use any method of accessing the RESTCONF API on r30 from host31, including curl, python, or postman.

· You must change the input transport protocol on all configurable VTY lines.

· The input transport protocol value setting must be changed from none to all.

Important Parameters:

· Username / Password for HTTP authentication

§ admin / admin

§ URL

§ [hidden content]

· HTTP Method

§ GET

o HTTP method to modify the configuration

§ PATCH

o HTTP Headers

§ Content-Type:application/yang-data+json

§ Accept:application/yang-data+json

o Recommended curl switches

§ -I,-k,-X,-H,-u,-d

3.2 Using Guest Shell and Python on r30

On r30, enable guestshell and create a python script named ribdump.py in the guestshell according to these requirements:

· If an additional IP network is necessary to start guestshell, you are allowed to use addresses from the range 192.168.255.0/24. This range must not be advertised in any routing protocol.

· The python script must be saved under the name ribdump.py in the home directory of the guestshell user.

· The purpose of the script is to display the complete contents of all routing tables in non-default VRFs created on the router.

· The script must execute the show ip route vrf … or show ipv6 route vrf … command for every non-default VRF created on the router, depending on what address families are enabled in that VRF.

· The script must determine the list of created VRFs and enabled address families dynamically every time it is run using, for example, show vrf brief | include ipv4

· The script must not attempt to display the VRF routing table for an address family that is not enabled in the VRF.

· It must be possible to run the script using the guestshell run python ribdump.py command from privileged EXEC mode.

===========================================================================================================================================

Please update the solution like CCIE V5. I hope everyone will support and update their knowledge to make perfect solution.
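The VRF and address-family discovery that the section 3.2 requirements describe, as an added example that is not part of the original post. It assumes the usual column layout of show vrf brief and Cisco's guestshell cli module on the device; the sample output (RDs, interfaces, the "unused" VRF) is constructed so the parsing can be checked offline.

```python
"""Sketch of the ribdump.py logic: find VRFs and their address families,
then build one show command per enabled family."""
import re

# Constructed sample of `show vrf brief` output (not captured from the lab).
# It covers the awkward cases: an RD of "<not set>" (contains a space),
# an interface continuation line, and a VRF with no address family enabled.
SAMPLE_VRF_BRIEF = """\
  Name                             Default RD            Protocols   Interfaces
  Mgmt-intf                        <not set>             ipv4,ipv6   Gi0
  fabd2                            65000:1               ipv4        Gi2
                                                                     Gi3
  giosk                            65000:2               ipv6        Lo14
  unused                           <not set>
"""

# The Protocols column is "ipv4", "ipv6" or "ipv4,ipv6".
_PROTOCOLS = re.compile(r"^(?:ipv4|ipv6)(?:,(?:ipv4|ipv6))*$")
_ROUTE_CMD = {"ipv4": "show ip route vrf {}", "ipv6": "show ipv6 route vrf {}"}


def parse_vrf_brief(output):
    """Return [(vrf_name, [families])] for VRFs with at least one family.

    The Protocols value is located by pattern rather than by column index,
    because "<not set>" splits into two tokens and shifts the columns.
    """
    vrfs = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue  # blank line or interface continuation line
        protocols = next((t for t in tokens[1:] if _PROTOCOLS.match(t)), None)
        if protocols is None:
            continue  # header line, or a VRF with no address family enabled
        enabled = protocols.split(",")
        vrfs.append((tokens[0], [af for af in ("ipv4", "ipv6") if af in enabled]))
    return vrfs


def build_commands(vrfs):
    """Return the show commands to run, only for enabled address families."""
    return [_ROUTE_CMD[af].format(name) for name, families in vrfs for af in families]


def main():
    try:
        # Assumption: Cisco's guestshell `cli` module, present only on the device.
        from cli import cli
    except ImportError:
        cli = None  # off-box: fall back to the constructed sample
    brief = cli("show vrf brief") if cli else SAMPLE_VRF_BRIEF
    for command in build_commands(parse_vrf_brief(brief)):
        print("=== {} ===".format(command))
        if cli:
            print(cli(command))


if __name__ == "__main__":
    main()
```

Run off the router, it prints only the command headers for the sample; on the device the same file queries the live VRF list each time it runs.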

On 7/23/2021 at 10:34 PM, mrhacker said:

Thanks to all Dear's,

Below are the list of question and review and validate the solutions.

1.2: Layer 2 Technologies in HQ

Complete and correct the EtherChannel configuration between switches sw101, sw102, sw110 according to these requirements:

· At the end of the task, all EtherChannels between switches sw101, sw102, sw110 must be up and operational including all their physical member links.

· Do not create new Port-channel interfaces; reuse those that already exist on the switches.

· When resolving existing issues, do not change the preconfigured negotiation protocol (if any)

· On EtherChannels that use a negotiation protocol, tune its mode of operation for the shortest link building time possible.

Configure spanning tree protocol on switches sw101, sw102, sw110 according to these requirements:

· The STP root for VLAN 2000 must be sw101.

· The STP root for VLAN 2001 must be sw102.

· STP roots must be elected based on bridge priorities.

· On the three switches, have STP perform cost calculations in 32-bit arithmetic.

· On the three switches, use the Rapid STP version and ensure that it can achieve rapid convergence on all interconnections between the switches.

· On sw110, prevent all current and future access mode interfaces from being affected by the Proposal/Agreement process.

1.2: First Hop Redundancy Protocol in HQ

For IPv4, implement an FHRP mechanism on sw101 and sw102 for VLANs 2000 and 2001 according to these requirements:

· Use group number 100 for VLAN 2000 and group number 101 for VLAN 2001.

· Use the first available IPv4 address in the subnet for the address of the virtual router.

· For VLAN 2000, sw101 must be the preferred gateway; for VLAN 2001, sw102 must be the preferred gateway. Do not rely on the IPv4 addresses of the switches as role tiebreakers. The role must be determined by an explicit configuration solely on the intended preferred gateway.

· Each preferred gateway must monitor the reachability of both routers r11 and r12 using the loopback IPv4 addresses of the routers by an ICMP Echo. The reachability is to be verified every 5 seconds with a timeout of 400 msec. A router must be declared unreachable as soon as it does not respond to three probes in a row. If both r11 and r12 are declared unreachable from a preferred gateway, the other switch must be allowed to assume the gateway role.

· Use the FHRP protocol that allows the virtual IPv4 address to match the IPv4 address of a member router.

1.3: OSPFv2 between HQ and DC

Complete and correct the OSPF configuration on the switches sw101, sw102, sw201 and sw202 according to these requirements:

· Enable OSPFv2 on the redundant interconnections between the DC and HQ sites. Make sure that it establishes adjacencies on these interconnections and exchanges routing information between the DC and HQ sites.

· Protect the authenticity and integrity of the OSPFv2 sessions on the redundant interconnections between DC and HQ with the SHA-384 mechanism. Use key ID 1 and a shared secret of "cci3" (without quotes).

· Improve the detection of unreachable OSPFv2 neighbors on the redundant interconnections between DC and HQ so that OSPF can detect the loss of a neighbor within 200 msec, with the probes being sent every 100 msec. It is not allowed to modify OSPF timers to accomplish this requirement.

1.4: DHCP IPv4 service for HQ

Enable hosts in HQ VLAN 2000 and VLAN 2001 to obtain their IP configuration via DHCP according to these requirements:

· On sw211, create IPv4 DHCP pools named hq_v2000 and hq_v2001 for HQ VLANs 2000 and 2001, respectively. In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

· Enable DHCP snooping on sw110 in VLANs 2000 and 2001 to protect against DHCP-related attacks.

· Place host11 into VLAN 2000.

· Place host12 into VLAN 2001.

· Perform the necessary configuration on switches sw101, sw102, sw110 to enable hosts in VLANs 2000 and 2001 to obtain IPv4 configuration through DHCP. The DHCP server running at sw211 in the DC must be referred to by its loopback IPv4 address 10.2.255.211. Do not disable the Option 82 insertion, and do not enable DHCP snooping on other switches.

· Verify that host11 and host12 have IP connectivity to the Cisco DNA Center, vManage and UCE running in the DC using their internal (In Band Connectivity) addresses.

1.5: IPv6 in HQ

Implement IPv6 on sw101 and sw102 for switch virtual interfaces (SVIs) Vlan 2000 and Vlan 2001 according to these requirements:

· sw101

Interface Vlan2000: 2001:db:8:1:100::1/64

Interface Vlan2001: 2001:db8:1:101::1/64

· sw102

Interface Vlan2000: 2001:db8:1:100::2/64

Interface Vlan2001: 2001:db8:1:101::2/64

· The configuration must enable hosts in these VLANs to obtain their IPv6 configuration via SLAAC and keep a stable connectivity with other IPv6 networks.

· Use native IPv6 means to provide gateway redundancy, with sw101 being the preferred gateway in VLAN 2000 and sw102 being the preferred gateway in VLAN 2001. The role must be determined by an explicit configuration solely on the intended preferred gateway.

· Hosts must be able to detect the failure of the preferred gateway in as little as 3 seconds.

1.6: IPv6 EIGRP in HQ

In HQ, enable EIGRP for IPv6 on r11, r12, sw101 and sw102 according to these requirements:

· Use process name "ccie" (without the quotes) and AS number 65001.

· Do not configure any additional IPv6 addresses.

· IPv6 EIGRP may form adjacencies only over the physical Layer3 interfaces between r11, r12, sw101 and sw102.

· Prevent IPv6 EIGRP from automatically running on, or advertising attached prefixes from, new IPv6-enabled interfaces in the future unless allowed explicitly.

· Ensure that the attached IPv6 prefixes on SVIs Vlan2000 and Vlan2001 on sw101 and sw102 are advertised in IPv6 EIGRP and learned on r11 and r12.

· No route filtering is allowed to accomplish this entire task.

1.7: OSPFv2 in DC

Configure devices in the DC according to these requirements:

· Switches sw201 and sw202 must establish a stable OSPF adjacency in the FULL state with vedge21 and vedge22 on interface Vlan3999. Any configuration changes and corrections necessary to meet this requirement may be performed only on the switches, and any mismatched parameters causing the issue must be changed to exactly match the configuration of the vEdges.

· All OSPF speakers in the DC running Cisco IOS and IOS-XE software must be configured to keep the number of advertised internal routes to an absolute minimum while not impacting the reachability of the services. This includes the reachability of ISE, DNA Center, vManage, vBond and vSmart on their internal (In Band Connectivity) addresses, as well as any existing and future devices in VLAN 4000 and sw201 and sw202. The configuration of this requirement must be completed exclusively within the "router ospf" and "interface vlan" contexts without causing any impact to existing OSPF adjacencies.

· Router r24 must advertise two prefixes, 10.6.0.0/15 and 10.200.0.0/24, as Type-5 LSAs in OSPFv2 to provide HQ and DC with the reachability to the DMVPN tunnel and branches #3 and #4. The configuration of this requirement must be completed exclusively within the "router ospf" context.

· Any route from the 10.2.0.0/16 range that keeps being advertised in OSPF must continue being advertised as an intra-area route.

· It is not allowed to modify existing areas to accomplish this entire task.

1.8: BGP between HQ/DC and service providers

Configure the BGP peerings between HQ/DC and Global SP#1 and Global SP#2 according to these requirements:

· Bring up the BGP peering between HQ r11 and SP#1 r3

· Bring up the BGP peering between DC r21 and SP#1 r3

· Bring up the BGP peering between DC r22 and SP#2

· Ensure that the routes learned over eBGP sessions and further advertised in iBGP will be considered reachable even if the networks on inter-AS links are not advertised in OSPF. The configuration of this requirement must be completed exclusively within the "router bgp" context.

· On r11, r21 and r22 perform mutual redistribution between OSPFv2 and BGP. However, prevent routes that were injected into OSPF from BGP from being reinjected back into BGP. This requirement must be solved on r11, r21 and r22 using only a single route-map on each of the routers and without any reference to ACLs, prefix lists, or route types.

· Prevent HQ and DC from ever communicating through SP#1 r3. All communication between HQ and DC must occur only over the direct SW101/SW201 and SW102/SW202 interconnections. Any other communication must remain unaffected. This requirement must be solved on r21 and r22 by route filtering based on a well-known mandatory attribute without the use of route maps.

· No command may be removed from the configuration on r11 to accomplish this entire task.

· It is allowed to modify existing configuration commands on r21 and r22 to accomplish this entire task.

1.9: Bringing up VPNv4/VPNv6 in SP#1

Configure routers r3, r4, r5 and r6 in SP#1 according to these requirements:

· Configure r3 through r6 for mutual VPNv4 and VPNv6 route exchange without the use of a route reflector. Use Lo0 IPv4 addresses for peerings.

· Configure r3 through r6 to assign (allocate/bind) as few unique MPLS labels to all existing and future VPNv4 and VPNv6 routes as possible.

· On routers r3 through r6, prevent any existing and future customer from discovering details about the inner topology of SP#1. It is not allowed to use ACLs to accomplish this requirement.

1.10: Fixing Broken DMVPN between DC and Branches #3 and #4

Correct the configuration issues resulting in broken DMVPN tunnel connectivity between DC, Branch3 and Branch4 according to these requirements:

· The DMVPN must operate in IPsec-protected phase 3 mode.

· Using the FVRF approach, safeguard the DMVPN operation against any potential recursive routing issues involving the tunnel.

· Do not create any new VRFs.

· Do not change the tunnel source commands on Tunnel interfaces.

· On spokes, do not add new BGP neighbors; reuse those that are currently up while changing their VRF membership as needed.

· It is not allowed to modify configuration on DC r24 to complete this entire task.

1.11: Tuning EIGRP on DMVPN and DMVPN-enabled Sites

Optimize the DMVPN operation according to these requirements:

· Ensure that Branches #3 and #4 receive only a default route over EIGRP in DMVPN.

· The default route origination must be done on DC r24 without the use of any static routes, redistribution, or route filtering.

· It is not allowed to modify the configuration of r61 and r62 in Branch #3 to accomplish this task;

· It is allowed to add commands to the configuration of r70 in Branch #4 to accomplish this task;

None of the existing configuration on r70 may be removed to accomplish this task.

Configure sw601 and sw602 at Branch #3 according to these requirements:

· Routers r61 and r62 must not send EIGRP queries to sw601 and sw602.

· Switches sw601 and sw602 must allow advertising any current or future directly connected network to r61 and r62 after the network is added to EIGRP.

· Switches sw601 and sw602 must continue to propagate the default route received from r61 and r62 to each other. To select the default route, use a prefix list with a "Permit"-type entry only.

· Switches sw601 and sw602 must not propagate the default route back to r61 and r62.

· If the prefix list that allows the propagation of selected EIGRP-learned networks between sw601 and sw602 is modified in the future, the same set of networks must be disallowed from being advertised back to r61 and r62 automatically, without any additional commands.

1.12: IPv4 Networks on Legacy Branches

On sw211 in DC, complete the DHCP server configuration according to these requirements:

· Create IPv4 DHCP pools named br3_v2000 and br3_v2001 for Branch #3 VLANs 2000 (10.6.100.0/24) and 2001 (10.6.101.0/24), respectively.

· Create IPv4 DHCP pool named br4_v1 for the subnet 10.7.1.0/24 on Branch #4.

· In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

On Branch #3, complete and correct the configuration on switches sw601, sw602 and sw610 to allow HSRP and DHCP relay operation in VLANs 2000 and 2001 according to these requirements:

· HSRP must implicitly use the vMAC address range of 0000.0c9f.f000 through 0000.0c9f.ffff

· The group member must be 100 for VLAN 2000 and 101 for VLAN 2001

· sw601 must be the Active gateway for VLAN 2000 with a priority of 110; the Active role ownership must be deterministic

· sw602 must be the Active gateway for VLAN 2001 with a priority of 110; the Active role ownership must be deterministic

· Each active switch must track its uplink interfaces gi0/1 and gi0/2; if either of these interfaces goes down, the active switch must allow the other switch to become Active. However, it is not allowed for the tracking to modify the HSRP priority to accomplish this requirement.

· Both sw601 and sw602 must be configured as DHCP relay agents in both VLANs 2000 and 2001, pointing toward the DHCP server 10.2.255.211 at sw211. However, at any time, only the Active router in the particular VLAN should relay the DHCP messages.

· Place host61 and host62 into VLANs 2000 and 2001, respectively, and make sure they are assigned their correct IPv4 configuration.

It is not permitted to use any kind of scripting to complete this task.

On Branch #4, complete the configuration of the router r70 according to these requirements:

· Assign IP address 10.7.1.1/24 to gi0/2

· Enable DHCP relay on this interface and point it to the DHCP server 10.2.255.211 at sw211

· It is allowed to add one additional missing command to the r70 configuration to allow DHCP clients connected to gi0/2 to obtain their IPv4 configuration.

· Make sure that host71 and host72 are assigned their correct IPv4 configuration.

1.13: Multicast in FABD2

FABD2 is preparing to enable PIM Sparse mode multicast routing in its network. As a part of validating the runbooks, FABD2 requires a sanity check to prevent inappropriate use of multicast-related configuration commands on different router types:

· First Hop Routers - routers where multicast sources are connected

· Last Hop Routers - routers where multicast receivers (subscribers) are connected

· Intermediary Hop Routers - routers on the path between First Hop and Last Hop routers

In the table below, for each configuration command, select all router types where the use of the command is appropriate. (Select all that apply)

| Command | First Hop Router | Intermediary Hop Router | Last Hop Router |
|---|---|---|---|
| ip pim register-source | | | |
| ip igmp version | | | |
| ip pim spt-threshold | | | |
| ip pim rp-address | | | |
| ip pim sparse-mode | | | |

1.14: Extending Connectivity to IaaS Site

Extend the IPv6 connectivity from HQ through the SP into the giosk VRF on the IaaS site according to these requirements:

Set up global IPv6 addressing on the link between r11 and r3

· On r11, assign 2001:2710:311::2/64 to g0/0

· On r3, assign 2001:2710:311::1/64 to g1

· Enable the existing IPv4 BGP session between r11 and r3 to also advertise IPv6 prefixes. Do not configure a standalone IPv6 BGP session between these two routers.

· Perform bidirectional route redistribution between the IPv6 EIGRP and BGP processes on r11.

· Ensure that all current and future IPv6 prefixes advertised between r11 and r3 will be installed into the RIB of these routers with the next hop address set to the proper global unicast address on their interconnection. Any policy that accomplishes this requirement must be applied in the inbound direction.

· The giosk VRF on r4 that extends the IPv6 connectivity from r4 to r30 on the IaaS site is a separate VRF independent of fabd2 VRF. Any route leaking from fabd2 VRF into giosk VRF must be done on a per-site basis and only for those FABD2 sites that need connectivity in the IaaS site.

· By configuring r3 and r4 only, ensure that the HQ FABD2 site will have mutual visibility with the IaaS site while preventing

- Any other FABD2 site from possibly learning about the routes on the IaaS site

- The IaaS site from possibly learning about the routes on any other FABD2 site

Use the minimum amount of commands necessary to accomplish this requirement. Do not remove any existing configuration. If necessary, you are allowed to use an additional route target with the value of 10000:3681.

· Verify that host11 and host12 can ping 2001:db8:14::1 located at the IaaS site. It is permitted to modify one existing configuration command on one of the SP routers to meet this requirement.

1.15: Enabling Internet Access for FABD2

Enable highly available internet access for the FABD2 company network according to these requirements:

· On routers r12, r23 and r24, bring up IPv4 BGP peerings with the ISP; make sure that a default route is received over these peerings.

· On routers r12 and r23, inject a default route into OSPF if it is present in the routing table from a different routing source than the OSPFv2 process 1. On each router, this requirement must be completed using the minimum possible number of commands.

· On router r24, inject a default route into OSPF if and only if it is learned from the ISP over BGP. To accomplish this requirement, it is allowed to use a route-map that references both a prefix-list and a tag. This requirement must be completed using the minimum possible number of commands.

· Router r12 may be used as an internet exit for the FABD2 company network only if neither r23 nor r24 are advertising the default route in OSPF. This requirement must be accomplished exclusively in "router ospf" mode on router r12 without changing the default parameters on routers r23 and r24.

· On routers r12, r23 and r24, configure PAT and translate the entire FABD2 internal network 10.0.0.0/8 to the router address on the link toward the ISP. Create a standard ACL named NAT for this purpose. Do not use NAT pools.

Ensure that the internet connectivity of the FABD2 company network makes use of the high availability provided by r12, r23 and r24.

2.1: Correcting the IP addresses of Managed switches in DNA Center

After Cisco DNA Center first achieves IP connectivity with the managed switches in Branches #1 and #2, it will place them into maintenance mode due to their serial number being different from the one DNA Center remembers. In addition, their management IP addresses in DNA Center will be automatically changed by appending them with the ".dummy.com" string. As a result, after an initial contact, DNA Center will lose connectivity with the switches unless their management IP addresses are corrected in the DNA Center settings.

Correct the IP addresses of managed switches in the DNA Center according to the following requirements:

· Use any host, such as host11, to access the DNA Center GUI website at [hidden content] URL.

· Execute the Provision - Devices - Inventory - Global - Actions - Inventory - Resync Device action in DNA Center on all switches before proceeding further.

· DNA Center API reference and sandbox is available at [hidden content] URL.

· The /network/device/update-maintenance-device-ip-address API call description and sandbox are available in the Inventory section of the API reference.

· Use the /network-device/update-maintenance-device-ip-address API call to correct the IP addresses of the switches in Branches #1 and #2 by removing the appended text.

Note: These IP addresses cannot be changed from DNA Center GUI directly because they will become automatically invalidated again. This is a built-in DNA Center behavior.

2.2: Completing VN Configuration in DNA Center

Using the DNA Center GUI, perform configuration tasks according to these requirements:

· Add new virtual Network named IoT for the internet-of-things network on the Branches #1 and #2

· Create new address pools for the IoT VN named Branch1- For IoT and Branch2-ForIoT on the global level, and branch1-IoT and Branch2-IoT on the Branch level.

· For Branch #1 IoT VN, allocate the subnet 10.4.198.0/24 and the gateway IP address 10.4.198.1.

· For Branch #2 IoT VN, allocate the subnet 10.5.198.0/24, and the gateway IP address 10.5.198.1.

· Associate the Branch1-IoT and Branch2-IoT pools with the IoT VN on the respective branches.

· Complete the configuration of the address pools for the Guest VN in the DNA Center so that Branch #1 and Branch #2 can accommodate guest connections. If a new address pool needs to be created and an address range allocated to it, follow the established addressing plan.

· Correct the addressing information currently defined for the Branch2- For Employees and Branch2- Employees address pool.

· For all address pools, use the DHCP server 10.2.255.211 to allocate addresses to clients.

On sw211, complete the DHCP server configuration according to these requirements:

· Create four new DHCP pools for the IoT and Employees VNs on respective branches

o Pool named br1_iot for Branch #1 IoT VN

o Pool named br1_emp for Branch #1 Employees VN

o Pool named br2_iot for Branch #2 IoT VN

o Pool named br2_emp for Branch #2 Employees VN

· In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

2.3: Mapping SDA VNs to SD-WAN VPNs

Using vManage GUI, perform configuration tasks according to these requirements:

· Use any host, such as host11, to access the vManage GUI website at [hidden content] URL.

· Create three new SD-WAN VPNs to carry the SDA VN traffic

o VPN ID 198 for IoT VN

o VPN ID 199 for Guest VN

o VPN ID 200 for Employees VN

· On Branch #1 and Branch #2 vEdges, for each of these VPNs:

o Create a new sub-interface on the interface toward the SDA border switch. Align the VLAN ID and IP address on the sub-interface with the configuration generated by DNA Center on the border switches for the appropriate VN.

o Peer the vEdge and the SDA border switch using iBGP. Ensure full reachability between all locations of the same VPN.

2.4: Configuring SD-WAN VPN Route Leaking

To allow the traditional parts of the FABD2 network to communicate with the Employees and IoT VPNs/VNs, configure route leaking in SD-WAN according to these requirements:

· Prefixes in the IoT VPN 198 must be imported into the existing SDA Underlay VPN 999 and tagged with tag value of 198.

· Prefixes in the Employees VPN 200 must be imported into the existing SDA Underlay VPN 999 and tagged with the tag value of 200

· Prefixes in the SDA underlay VPN 999 advertised from the DC that are within the 10.4.0.0/15 range must be rejected. Other prefixes in the SDA underlay VPN 999 advertised from DC must be accepted and also imported into IoT VPN 198 and Employees VPN 200.

· Redistribution from OMP into OSPF on Branches #1 and #2 in VPN 999 must exclude vRoutes tagged with values 198 or 200.

· Place host41 into Employees VN. Place host51 into IoT VN. Make sure both hosts receive their IP setting from DHCP.

· Ensure that the IoT and Employees VPNs on Branches #1 and #2 have reachability to Branches #3 and #4. It is allowed to modify the VPN 999 OMP settings to accomplish this requirement.

2.5: Handling Guest Traffic

The guest VN/VPN on Branches #1 and #2 must remain isolated from the rest of the company network. It's only allowed to reach internet through r23 and r24 in the DC. Enable internet connectivity for the Guest VPN according to these requirements:

· On Vedge21 and Vedge22, place the ge0/2 interfaces into the Guest VPN 199.

· On r23 and r24, create a new VRF named Guest using the RD of 65002:199, and place the gi4 interfaces into the VRF.

· Assign addresses to these interfaces:

· R23 Gi4: 10.2.123.1/24

· R24 Gi4: 10.2.224.1/24

· Vedge 21 gi0/2: 10.2.123.2/24

· Vedge 22 Gi0/2: 10.2.224.2/24

· Peer r23 and vedge21 in the Guest VRF/VPN using iBGP.

· Peer r24 and vedge22 in the Guest VRF/VPN using iBGP.

· Ensure that r23 and r24 learn the routes in the Guest VRF/VPN over iBGP.

· On r23 and r24, configure a static default route in the Guest VRF and point it to the ISP's IP address 200.99.23.1 or 200.99.24.1 as appropriate. Advertise this default route in iBGP to vedge21 and vedge22.

· On r23 and r24, configure PAT to allow the Guest VPN to access internet by translating it to the router address on the link toward the ISP. Reuse the NAT ACL already created on the router. Do not use NAT pools.

Configure r23 as DHCP server for Guest VPN according to these requirements:

· Create loopback1 interface on r23 associated with the Guest VRF and having the IP address 10.2.255.211/32

· Advertise this prefix in BGP toward vedge21.

· Create DHCP Pool named br1_guest for branch#1 Guest subnet.

· Create DHCP Pool named br2_guest for branch#2 Guest subnet.

· Explicitly associate both DHCP pools with the VRF guest.

· In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

· Associate host42 and host52 with guest VN in DNAC, and make sure that both hosts receive the appropriate address.

· Make sure that host42 and host52 can ping 8.8.8.8 in the ISP cloud.

2.6: Support for silent Hosts in Branch #2

The item consists of multiple questions. You may need to scroll down to be able to see all questions. In future, Branch#2 will be equipped with IP-based IoT endpoints operating in speak-when-spoken-to mode also called silent hosts. Which of the following SDA features enables a working connectivity with these IoT endpoints?

· Native Multicast

· Endpoint Mobility

· Layer 2 flooding

· Layer 2 Extension

In the statement below, select one of the options from the drop-down list to complete the sentence and form a correct statement.

For SDA to support silent hosts, ----- Selection Option ----- in the underlay as a prerequisite.

Options:

· IP Multicast routing with PIM-SM must be enabled

· No additional capability aside from unicast IP Connectivity is required.

· IS-IS must be used as a routing protocol

· DHCP Snooping must be enabled.

3.1: Enabling CLI access to r30

There is no direct console access provided to the router r30. Moreover, r30 does not accept any remote connections because its VTY lines are configured with transport input none. Using RESTCONF, enable remote access to r30 for all remote access protocols, according to these requirements:

• You can use host31 to access router r30 using IP address 10.3.11.1

• You can use any method of accessing the RESTCONF API on r30 from host31, including curl, python, or postman.

• You must change the input transport protocol on all configurable VTY lines.

• The input transport protocol value setting must be changed from none to all.

Important Parameters:

• Username / Password for HTTP authentication

  ◦ admin / admin

  ◦ URL

This is the hidden content, please

• HTTP Method

  ◦ GET

• HTTP method to modify the configuration

  ◦ PATCH

• HTTP Headers

  ◦ Content-Type: application/yang-data+json

  ◦ Accept: application/yang-data+json

• Recommended curl switches

  ◦ -I, -k, -X, -H, -u, -d

3.2 Using Guest Shell and Python on r30

On r30, enable guestshell and create a python script named ribdump.py in the guestshell according to these requirements:

• If an additional IP network is necessary to start guestshell, you are allowed to use addresses from the range 192.168.255.0/24. This range must not be advertised in any routing protocol.

• The python script must be saved under the name ribdump.py in the home directory of the guestshell user.

• The purpose of the script is to display the complete contents of all routing tables in non-default VRFs created on the router.

• The script must execute the show ip route vrf ... or show ipv6 route vrf ... command for every non-default VRF created on the router, depending on what address families are enabled in that VRF.

• The script must determine the list of created VRFs and enabled address families dynamically every time it is run using, for example, show vrf brief | include ipv4

• The script must not attempt to display the VRF routing table for an address family that is not enabled in the VRF.

• It must be possible to run the script using the guestshell run python ribdump.py command from privileged EXEC mode.

===========================================================================================================================================

Please update the solution like CCIE V5. I hope everyone will support and update their knowledge to make perfect solution.

I will attempt to solve 3.1

Thank you for bringing the questions.

  • Like 37
  • Thanks 8
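One way to meet the 3.2 requirements, added here as an example and not code posted in the thread: it parses `show vrf brief`, keeps only VRFs that list an address family, and builds one `show` command per enabled family. The sample output is constructed and its column layout is an assumption about the router's output; `cli.cli()` is the Python CLI module available inside the IOS-XE guest shell.

```python
"""ribdump.py (added example): dump the RIB of every non-default VRF."""
import re

# Constructed sample of `show vrf brief` output, used only for off-box runs.
# Every VRF listed by this command is a named, i.e. non-default, VRF.
SAMPLE_VRF_BRIEF = """\
  Name                             Default RD            Protocols   Interfaces
  Mgmt-intf                        <not set>             ipv4,ipv6   Gi0
  fabd2                            65000:1               ipv4        Gi2
                                                                     Gi3
  giosk                            65000:2               ipv6        Gi4
  spare                            <not set>
"""

# The Protocols column holds "ipv4", "ipv6" or "ipv4,ipv6".
_PROTO_FIELD = re.compile(r"^(?:ipv4|ipv6)(?:,(?:ipv4|ipv6))*$")


def parse_vrf_brief(text):
    """Return [(vrf_name, [address families])] from `show vrf brief` text."""
    vrfs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Name":
            continue  # blank line or column header
        # Search after the name so a VRF called "ipv4" is not misread.
        # "<not set>" splits into two tokens, so match by content, not position.
        protos = [f for f in fields[1:] if _PROTO_FIELD.match(f)]
        if not protos:
            continue  # wrapped interface line, or VRF with no address family
        vrfs.append((fields[0], protos[0].split(",")))
    return vrfs


def build_commands(vrfs):
    """Build one show command per VRF and enabled address family."""
    commands = []
    for name, families in vrfs:
        if "ipv4" in families:
            commands.append("show ip route vrf " + name)
        if "ipv6" in families:
            commands.append("show ipv6 route vrf " + name)
    return commands


def main():
    try:
        from cli import cli  # present only inside the guest shell
    except ImportError:
        # Off-box: list the commands that would run for the constructed sample.
        for command in build_commands(parse_vrf_brief(SAMPLE_VRF_BRIEF)):
            print(command)
        return
    # On the router: read the VRF list fresh on every run, then dump each RIB.
    for command in build_commands(parse_vrf_brief(cli("show vrf brief"))):
        print("===== " + command + " =====")
        print(cli(command))


if __name__ == "__main__":
    main()
```

Matching the Protocols field by content means a VRF with no address family enabled produces no command at all, which is the case the task singles out.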

On 7/24/2021 at 4:05 PM, Natasha said:

Section 1.1

SW110

sw110(config)#spanning-tree mode rapid
sw110(config)#spanning-tree pathcost method long
sw110(config)#spanning-tree portfast edge default

sw110(config)#interface range gi1/2-3
sw110(config-if-range)#channel-group 2 mode active


SW101

sw101(config)#spanning-tree mode rapid
sw101(config)#spanning-tree pathcost method long
sw101(config)#spanning-tree vlan 2000 priority 0
sw101(config)#spanning-tree vlan 1-4094 hello-time 1

sw101(config)#interface range gi1/2-3
sw101(config-if-range)#channel-group 1 mode on


SW102

sw102(config)#spanning-tree mode rapid
sw102(config)#spanning-tree pathcost method long
sw102(config)#spanning-tree vlan 2001 priority 0
sw102(config)#spanning-tree vlan 1-4094 hello-time 1

sw102(config)#interface range gi1/2-3
sw102(config-if-range)#channel-group 2 mode active


Verification:

sw110# sh etherchannel summary
sh spanning-tree vlan 2000
聽聽
SW110#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated

        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+---------------------
1      Po1(SU)       LACP        Gi1/0(P)  Gi1/1(P)
2      Po2(SU)       LACP        Gi1/2(P)  Gi1/3(P)

SW102#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated

        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+---------------------
1      Po2(SU)       LACP        Gi1/2(P)  Gi1/3(P)
2      Po3(SU)       LACP        Gi2/0(P)  Gi2/1(P)


SW101#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated

        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+---------------------
1      Po1(SU)       LACP        Gi1/2(P)  Gi1/3(P)
2      Po2(SU)       LACP        Gi1/2(P)  Gi1/3(P)

On the 3 switches' port channels, do we need to use the command below or not?

spanning-tree link-type point-to-point ================> is this required or not?

  • Like 2

I haven't tried it in a lab to observe RSTP convergence, but technical docs explain that point-to-point is required on half duplex on switch ports connecting to other switch ports so that RSTP can transition fast, like the way portfast behaves on edge ports.

If the switch link ports are full duplex they are treated as point-to-point, which defaults to the STP message handshake method (STP convergence occurs quickly over a point-to-point link through RSTP handshake messages).

Maybe during the exam we just need to verify whether the switch-to-switch link ports are half or full duplex.

  • Like 1
  • Thanks 1

On 7/23/2021 at 1:34 PM, mrhacker said:

Thanks to all Dears,

Below is the list of questions; please review and validate the solutions.

1.2: Layer 2 Technologies in HQ

Complete and correct the EtherChannel configuration between switches sw101, sw102, sw110 according to these requirements:

• At the end of the task, all EtherChannels between switches sw101, sw102, sw110 must be up and operational including all their physical member links.

• Do not create new Port-channel interfaces; reuse those that already exist on the switches.

• When resolving existing issues, do not change the preconfigured negotiation protocol (if any).

• On EtherChannels that use a negotiation protocol, tune its mode of operation for the shortest link building time possible.

Configure spanning tree protocol on switches sw101, sw102, sw110 according to these requirements:

• The STP root for VLAN 2000 must be sw101.

• The STP root for VLAN 2001 must be sw102.

• STP roots must be elected based on bridge priorities.

• On the three switches, have STP perform cost calculations in 32-bit arithmetic.

• On the three switches, use the Rapid STP version and ensure that it can achieve rapid convergence on all interconnections between the switches.

• On sw110, prevent all current and future access mode interfaces from being affected by the Proposal/Agreement process.

1.2: First Hop Redundancy Protocol in HQ

For IPv4, implement an FHRP mechanism on sw101 and sw102 for VLANs 2000 and 2001 according to these requirements:

• Use group number 100 for VLAN 2000 and group number 101 for VLAN 2001.

• Use the first available IPv4 address in the subnet for the address of the virtual router.

• For VLAN 2000, sw101 must be the preferred gateway; for VLAN 2001, sw102 must be the preferred gateway. Do not rely on the IPv4 addresses of the switches as role tiebreakers. The role must be determined by an explicit configuration solely on the intended preferred gateway.

• Each preferred gateway must monitor the reachability of both routers r11 and r12 using the loopback IPv4 addresses of the routers by an ICMP Echo. The reachability is to be verified every 5 seconds with a timeout of 400 msec. A router must be declared unreachable as soon as it does not respond to three probes in a row. If both r11 and r12 are declared unreachable from a preferred gateway, the other switch must be allowed to assume the gateway role.

• Use the FHRP protocol that allows the virtual IPv4 address to match the IPv4 address of a member router.

1.3: OSPFv2 between HQ and DC

Complete and correct the OSPF configuration on the switches sw101, sw102, sw201 and sw202 according to these requirements:

• Enable OSPFv2 on the redundant interconnections between the DC and HQ sites. Make sure that OSPF establishes adjacencies on these interconnections and exchanges routing information between the DC and HQ sites.

• Protect the authenticity and integrity of the OSPFv2 sessions on the redundant interconnections between DC and HQ with the SHA-384 mechanism. Use key ID 1 and a shared secret of "cci3" (without quotes).

• Improve the detection of unreachable OSPFv2 neighbors on the redundant interconnections between DC and HQ so that OSPF can detect the loss of a neighbor within 200 msec, with the probes being sent every 100 msec. It is not allowed to modify OSPF timers to accomplish this requirement.

1.4: DHCP IPv4 service for HQ

Enable hosts in HQ VLAN 2000 and VLAN 2001 to obtain their IP configuration via DHCP according to these requirements:

• On sw211, create IPv4 DHCP pools named hq_v2000 and hq_v2001 for HQ VLANs 2000 and 2001, respectively. In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

• Enable DHCP snooping on sw110 in VLANs 2000 and 2001 to protect against DHCP-related attacks.

• Place host11 into VLAN 2000.

• Place host12 into VLAN 2001.

• Perform the necessary configuration on switches sw101, sw102, sw110 to enable hosts in VLANs 2000 and 2001 to obtain IPv4 configuration through DHCP. The DHCP server running at sw211 in the DC must be referred to by its loopback IPv4 address 10.2.255.211. Do not disable the Option 82 insertion, and do not enable DHCP snooping on other switches.

• Verify that host11 and host12 have IP connectivity to the Cisco DNA Center, vManage and UCE running in the DC using their internal (In Band Connectivity) addresses.

1.5: IPv6 in HQ

Implement IPv6 on sw101 and sw102 for switch virtual interfaces (SVIs) Vlan 2000 and Vlan 2001 according to these requirements:

• sw101

Interface Vlan2000: 2001:db8:1:100::1/64
Interface Vlan2001: 2001:db8:1:101::1/64

• sw102

Interface Vlan2000: 2001:db8:1:100::2/64
Interface Vlan2001: 2001:db8:1:101::2/64

• The configuration must enable hosts in these VLANs to obtain their IPv6 configuration via SLAAC and keep a stable connectivity with other IPv6 networks.

• Use native IPv6 means to provide gateway redundancy, with sw101 being the preferred gateway in VLAN 2000 and sw102 being the preferred gateway in VLAN 2001. The role must be determined by an explicit configuration solely on the intended preferred gateway.

• Hosts must be able to detect the failure of the preferred gateway in as little as 3 seconds.

1.6: IPv6 EIGRP in HQ

In HQ, enable EIGRP for IPv6 on r11, r12, sw101 and sw102 according to these requirements:

• Use process name "ccie" (without the quotes) and AS number 65001.

• Do not configure any additional IPv6 addresses.

• IPv6 EIGRP may form adjacencies only over the physical Layer3 interfaces between r11, r12, sw101 and sw102.

• Prevent IPv6 EIGRP from automatically running on, or advertising attached prefixes from, new IPv6-enabled interfaces in the future unless allowed explicitly.

• Ensure that the attached IPv6 prefixes on SVIs Vlan2000 and Vlan2001 on sw101 and sw102 are advertised in IPv6 EIGRP and learned on r11 and r12.

• No route filtering is allowed to accomplish this entire task.

1.7: OSPFv2 in DC

Configure devices in the DC according to these requirements:

• Switches sw201 and sw202 must establish a stable OSPF adjacency in the FULL state with vedge21 and vedge22 on interface Vlan3999. Any configuration changes and corrections necessary to meet this requirement may be performed only on the switches, and any mismatched parameters causing the issue must be changed to exactly match the configuration of the vEdges.

• All OSPF speakers in the DC running Cisco IOS and IOS-XE software must be configured to keep the number of advertised internal routes to an absolute minimum while not impacting the reachability of the services. This includes the reachability of ISE, DNA Center, vManage, vBond and vSmart on their internal (In Band Connectivity) addresses, as well as any existing and future devices in VLAN 4000 and sw201 and sw202. The configuration of this requirement must be completed exclusively within the "router ospf" and "interface vlan" contexts without causing any impact to existing OSPF adjacencies.

• Router r24 must advertise two prefixes, 10.6.0.0/15 and 10.200.0.0/24, as Type-5 LSAs in OSPFv2 to provide HQ and DC with the reachability to the DMVPN tunnel and branches #3 and #4. The configuration of this requirement must be completed exclusively within the "router ospf" context.

• Any route from the 10.2.0.0/16 range that keeps being advertised in OSPF must continue being advertised as an intra-area route.

• It is not allowed to modify existing areas to accomplish this entire task.

1.8: BGP between HQ/DC and service providers

Configure the BGP peerings between HQ/DC and Global SP#1 and Global SP#2 according to these requirements:

• Bring up the BGP peering between HQ r11 and SP#1 r3

• Bring up the BGP peering between DC r21 and SP#1 r3

• Bring up the BGP peering between DC r22 and SP#2

• Ensure that the routes learned over eBGP sessions and further advertised in iBGP will be considered reachable even if the networks on inter-AS links are not advertised in OSPF. The configuration of this requirement must be completed exclusively within the "router bgp" context.

• On r11, r21 and r22 perform mutual redistribution between OSPFv2 and BGP. However, prevent routes that were injected into OSPF from BGP from being reinjected back into BGP. This requirement must be solved on r11, r21 and r22 using only a single route-map on each of the routers and without any reference to ACLs, prefix lists, or route types.

• Prevent HQ and DC from ever communicating through SP#1 r3. All communication between HQ and DC must occur only over the direct SW101/SW201 and SW102/SW202 interconnections. Any other communication must remain unaffected. This requirement must be solved on r21 and r22 by route filtering based on a well-known mandatory attribute without the use of route maps.

• No command may be removed from the configuration on r11 to accomplish this entire task.

• It is allowed to modify existing configuration commands on r21 and r22 to accomplish this entire task.

1.9: Bringing up VPNv4/VPNv6 in SP#1

Configure routers r3, r4, r5 and r6 in SP#1 according to these requirements:

• Configure r3 through r6 for mutual VPNv4 and VPNv6 route exchange without the use of a route reflector. Use Lo0 IPv4 addresses for peerings.

• Configure r3 through r6 to assign (allocate/bind) as few unique MPLS labels to all existing and future VPNv4 and VPNv6 routes as possible.

• On routers r3 through r6, prevent any existing and future customer from discovering details about the inner topology of SP#1. It is not allowed to use ACLs to accomplish this requirement.

1.10: Fixing Broken DMVPN between DC and Branches #3 and #4

Correct the configuration issues resulting in broken DMVPN tunnel connectivity between DC, Branch3 and Branch4 according to these requirements:

• The DMVPN must operate in IPsec-protected phase 3 mode.

• Using the FVRF approach, safeguard the DMVPN operation against any potential recursive routing issues involving the tunnel.

• Do not create any new VRFs.

• Do not change the tunnel source commands on Tunnel interfaces.

• On spokes, do not add new BGP neighbors; reuse those that are currently up while changing their VRF membership as needed.

• It is not allowed to modify configuration on DC r24 to complete this entire task.

1.11: Tuning EIGRP on DMVPN and DMVPN-enabled Sites

Optimize the DMVPN operation according to these requirements:

• Ensure that Branches #3 and #4 receive only a default route over EIGRP in DMVPN.

• The default route origination must be done on DC r24 without the use of any static routes, redistribution, or route filtering.

• It is not allowed to modify the configuration of r61 and r62 in Branch #3 to accomplish this task.

• It is allowed to add commands to the configuration of r70 in Branch #4 to accomplish this task.

None of the existing configuration on r70 may be removed to accomplish this task.

Configure sw601 and sw602 at Branch #3 according to these requirements:

• Routers r61 and r62 must not send EIGRP queries to sw601 and sw602.

• Switches sw601 and sw602 must allow advertising any current or future directly connected network to r61 and r62 after the network is added to EIGRP.

• Switches sw601 and sw602 must continue to propagate the default route received from r61 and r62 to each other. To select the default route, use a prefix list with a "Permit"-type entry only.

• Switches sw601 and sw602 must not propagate the default route back to r61 and r62.

• If the prefix list that allows the propagation of selected EIGRP-learned networks between sw601 and sw602 is modified in the future, the same set of networks must be disallowed from being advertised back to r61 and r62 automatically, without any additional commands.

1.12: IPv4 Networks on Legacy Branches

On sw211 in DC, complete the DHCP server configuration according to these requirements:

• Create IPv4 DHCP pools named br3_v2000 and br3_v2001 for Branch #3 VLANs 2000 (10.6.100.0/24) and 2001 (10.6.101.0/24), respectively.

• Create IPv4 DHCP pool named br4_v1 for the subnet 10.7.1.0/24 on Branch #4.

• In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

On Branch #3, complete and correct the configuration on switches sw601, sw602 and sw610 to allow HSRP and DHCP relay operation in VLANs 2000 and 2001 according to these requirements:

• HSRP must implicitly use the vMAC address range of 0000.0c9f.f000 through 0000.0c9f.ffff

• The group member must be 100 for VLAN 2000 and 101 for VLAN 2001

• sw601 must be the Active gateway for VLAN 2000 with a priority of 110; the Active role ownership must be deterministic

• sw602 must be the Active gateway for VLAN 2001 with a priority of 110; the Active role ownership must be deterministic

• Each active switch must track its uplink interfaces gi0/1 and gi0/2; if either of these interfaces goes down, the active switch must allow the other switch to become Active. However, it is not allowed for the tracking to modify the HSRP priority to accomplish this requirement.

• Both sw601 and sw602 must be configured as DHCP relay agents in both VLANs 2000 and 2001, pointing toward the DHCP server 10.2.255.211 at sw211. However, at any time, only the Active router in the particular VLAN should relay the DHCP messages.

• Place host61 and host62 into VLANs 2000 and 2001, respectively, and make sure they are assigned their correct IPv4 configuration.

It is not permitted to use any kind of scripting to complete this task.

On Branch #4, complete the configuration of the router r70 according to these requirements:

• Assign IP address 10.7.1.1/24 to gi0/2

• Enable DHCP relay on this interface and point it to the DHCP server 10.2.255.211 at sw211

• It is allowed to add one additional missing command to the r70 configuration to allow DHCP clients connected to gi0/2 to obtain their IPv4 configuration.

• Make sure that host71 and host72 are assigned their correct IPv4 configuration.

1.13: Multicast in FABD2

FABD2 is preparing to enable PIM Sparse mode multicast routing in its network. As a part of validating the runbooks, FABD2 requires a sanity check to prevent inappropriate use of multicast-related configuration commands on different router types:

• First Hop Routers - routers where multicast sources are connected

• Last Hop Routers - routers where multicast receivers (subscribers) are connected

• Intermediary Hop Routers - routers on the path between First Hop and Last Hop routers

In the table below, for each configuration command, select all router types where the use of the command is appropriate. (Select all that apply)

Router Type (columns): First Hop Router | Intermediary Hop Router | Last Hop Router

Command (rows):

• ip pim register-source

• ip igmp version

• ip pim spt-threshold

• ip pim rp-address

• ip pim sparse-mode

1.14: Extending Connectivity to IaaS Site

Extend the IPv6 connectivity from HQ through the SP into the giosk VRF on the IaaS site according to these requirements:

Set up global IPv6 addressing on the link between r11 and r3

• On r11, assign 2001:2710:311::2/64 to g0/0

• On r3, assign 2001:2710:311::1/64 to g1

• Enable the existing IPv4 BGP session between r11 and r3 to also advertise IPv6 prefixes. Do not configure a standalone IPv6 BGP session between these two routers.

• Perform bidirectional route redistribution between the IPv6 EIGRP and BGP processes on r11.

• Ensure that all current and future IPv6 prefixes advertised between r11 and r3 will be installed into the RIB of these routers with the next hop address set to the proper global unicast address on their interconnection. Any policy that accomplishes this requirement must be applied in the inbound direction.

• The giosk VRF on r4 that extends the IPv6 connectivity from r4 to r30 on the IaaS site is a separate VRF independent of fabd2 VRF. Any route leaking from fabd2 VRF into giosk VRF must be done on per-site basis and only for those FABD2 sites that need connectivity in the IaaS site.

• By configuring r3 and r4 only, ensure that the HQ FABD2 site will have mutual visibility with the IaaS site while preventing:

  ◦ Any other FABD2 site from possibly learning about the routes on the IaaS site

  ◦ The IaaS site from possibly learning about the routes on any other FABD2 site

Use the minimum amount of commands necessary to accomplish this requirement. Do not remove any existing configuration. If necessary, you are allowed to use an additional route target with the value of 10000:3681.

• Verify that host11 and host12 can ping 2001:db8:14::1 located at the IaaS site. It is permitted to modify one existing configuration command on one of the SP routers to meet this requirement.

1.15: Enabling Internet Access for FABD2

Enable highly available internet access for the FABD2 company network according to these requirements:

• On routers r12, r23 and r24, bring up IPv4 BGP peerings with the ISP; make sure that a default route is received over these peerings.

• On routers r12 and r23, inject a default route into OSPF if it is present in the routing table from a different routing source than the OSPFv2 process 1. On each router, this requirement must be completed using the minimum possible number of commands.

• On router r24, inject a default route into OSPF if and only if it is learned from ISP over BGP. To accomplish this requirement, it is allowed to use a route-map that references both a prefix-list and tag. This requirement must be completed using the minimum possible number of commands.

• Router r12 may be used as an internet exit for the FABD2 company network only if neither r23 nor r24 are advertising the default route in OSPF. This requirement must be accomplished exclusively in "router ospf" mode on router r12 without changing the default parameters on routers r23 and r24.

• On routers r12, r23 and r24, configure PAT and translate the entire FABD2 internal network 10.0.0.0/8 to the router address on the link toward the ISP. Create a standard ACL named NAT for this purpose. Do not use NAT pools.

Ensure that the internet connectivity of the FABD2 company network makes use of the high availability provided by r12, r23 and r24.

2.1: Correcting the IP addresses of Managed switches in DNA Center

After Cisco DNA Center first achieves IP connectivity with the managed switches in Branches #1 and #2, it will place them into maintenance mode due to their serial number being different from the one DNA Center remembers. In addition, their management IP addresses in DNA Center will be automatically changed by appending them with the ".dummy.com" string. As a result, after an initial contact, DNA Center will lose connectivity with the switches unless their management IP addresses are corrected in the DNA Center settings.

Correct the IP addresses of managed switches in the DNA Center according to the following requirements:

• Use any host, such as host11, to access the DNA Center GUI website at

This is the hidden content, please
URL.

• Execute the Provision > Devices > Inventory > Global > Actions > Inventory > Resync Device action in DNA Center on all switches before proceeding further.

• DNA Center API reference and sandbox is available at

This is the hidden content, please
URL.

• The /network/device/update-maintenance-device-ip-address API call description and sandbox are available in the Inventory section of the API reference.

• Use the /network-device/update-maintenance-device-ip-address API call to correct the IP addresses of the switches in Branches #1 and #2 by removing the appended text.

Note: These IP addresses cannot be changed from DNA Center GUI directly because they will become automatically invalidated again. This is a built-in DNA Center behavior.

2.2: Completing VN Configuration in DNA Center

Using the DNA Center GUI, perform configuration tasks according to these requirements:

• Add new virtual Network named IoT for the internet-of-things network on the Branches #1 and #2

• Create new address pools for the IoT VN named Branch1- For IoT and Branch2-ForIoT on the global level, and branch1-IoT and Branch2-IoT on the Branch level.

• For Branch #1 IoT VN, allocate the subnet 10.4.198.0/24 and the gateway IP address 10.4.198.1.

• For Branch #2 IoT VN, allocate the subnet 10.5.198.0/24, and the gateway IP address 10.5.198.1.

• Associate the Branch1-IoT and Branch2-IoT pools with the IoT VN on the respective branches.

• Complete the configuration of the address pools for the Guest VN in the DNA Center so that Branch #1 and Branch #2 can accommodate guest connections. If a new address pool needs to be created and an address range allocated to it, follow the established addressing plan.

• Correct the addressing information currently defined for the Branch2- For Employees and Branch2- Employees address pool.

• For all address pools, use the DHCP server 10.2.255.211 to allocate addresses to clients.

On sw211, complete the DHCP server configuration according to these requirements:

• Create four new DHCP pools for the IoT and Employees VNs on respective branches

  ◦ Pool named br1_iot for Branch #1 IoT VN

  ◦ Pool named br1_emp for Branch #1 Employees VN

  ◦ Pool named br2_iot for Branch #2 IoT VN

  ◦ Pool named br2_emp for Branch #2 Employees VN

• In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

2.3: Mapping SDA VNs to SD-WAN VPNs

Using vManage GUI, perform configuration tasks according to these requirements:

• Use any host, such as host11, to access the vManage GUI website at

This is the hidden content, please
URL.

• Create three new SD-WAN VPNs to carry the SDA VN traffic

  ◦ VPN ID 198 for IoT VN

  ◦ VPN ID 199 for Guest VN

  ◦ VPN ID 200 for Employees VN

• On Branch #1 and Branch #2 vEdges, for each of these VPNs:

  ◦ Create a new sub-interface on the interface toward the SDA border switch. Align the VLAN ID and IP address on the sub-interface with the configuration generated by DNA Center on the border switches for the appropriate VN.

  ◦ Peer the vEdge and the SDA border switch using iBGP. Ensure full reachability between all locations of the same VPN.

2.4: Configuring SD-WAN VPN Route Leaking

To allow the traditional parts of the FABD2 network to communicate with the Employees and IoT VPNs/VNs, configure route leaking in SD-WAN according to these requirements:

• Prefixes in the IoT VPN 198 must be imported into the existing SDA Underlay VPN 999 and tagged with tag value of 198.

• Prefixes in the Employees VPN 200 must be imported into the existing SDA Underlay VPN 999 and tagged with the tag value of 200

• Prefixes in the SDA underlay VPN 999 advertised from the DC that are within the 10.4.0.0/15 range must be rejected. Other prefixes in the SDA underlay VPN 999 advertised from DC must be accepted and also imported into IoT VPN 198 and Employees VPN 200.

• Redistribution from OMP into OSPF on Branches #1 and #2 in VPN 999 must exclude vRoutes tagged with values 198 or 200.

• Place host41 into Employees VN. Place host51 into IoT VN. Make sure both hosts receive their IP setting from DHCP.

• Ensure that the IoT and Employees VPNs on Branches #1 and #2 have reachability to Branches #3 and #4. It is allowed to modify the VPN 999 OMP settings to accomplish this requirement.

2.5: Handling Guest Traffic

The guest VN/VPN on Branches #1 and #2 must remain isolated from the rest of the company network. It's only allowed to reach internet through r23 and r24 in the DC. Enable internet connectivity for the Guest VPN according to these requirements:

• On Vedge21 and Vedge22, place the ge0/2 interfaces into the Guest VPN 199.
• On r23 and r24, create a new VRF named Guest using the RD of 65002:199, and place the gi4 interfaces into the VRF.
• Assign addresses to these interfaces:
• R23 Gi4: 10.2.123.1/24
• R24 Gi4: 10.2.224.1/24
• Vedge 21 gi0/2: 10.2.123.2/24
• Vedge 22 Gi0/2: 10.2.224.2/24
• Peer r23 and vedge21 in the Guest VRF/VPN using iBGP.
• Peer r24 and vedge22 in the Guest VRF/VPN using iBGP.
• Ensure that r23 and r24 learn the routes in the Guest VRF/VPN over iBGP.
• On r23 and r24, configure a static default route in the Guest VRF and point it to the ISP's IP address 200.99.23.1 or 200.99.24.1 as appropriate. Advertise this default route in iBGP to vedge21 and vedge22.
• On r23 and r24, configure PAT to allow the Guest VPN to access internet by translating it to the router address on the link toward the ISP. Reuse the NAT ACL already created on the router. Do not use NAT pools.

Configure r23 as DHCP server for Guest VPN according to these requirements:

• Create loopback1 interface on r23 associated with the Guest VRF and having the IP address 10.2.255.211/32
• Advertise this prefix in BGP toward vedge21.
• Create DHCP Pool named br1_guest for branch #1 Guest subnet.
• Create DHCP Pool named br2_guest for branch #2 Guest subnet.
• Explicitly associate both DHCP pools with the VRF guest.
• In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.
• Associate host42 and host52 with guest VN in DNAC, and make sure that both hosts receive the appropriate address.
• Make sure that host42 and host52 can ping 8.8.8.8 in the ISP cloud.

2.6: Support for silent Hosts in Branch #2

The item consists of multiple questions. You may need to scroll down to be able to see all questions. In future, Branch #2 will be equipped with IP-based IoT endpoints operating in speak-when-spoken-to mode, also called silent hosts. Which of the following SDA features enables a working connectivity with these IoT endpoints?

• Native Multicast
• Endpoint Mobility
• Layer 2 flooding
• Layer 2 Extension

In the statement below, select one of the options from the drop-down list to complete the sentence and form a correct statement.

For SDA to support silent hosts, [Selection Option] in the underlay as a prerequisite.

Options:

• IP Multicast routing with PIM-SM must be enabled
• No additional capability aside from unicast IP Connectivity is required.
• IS-IS must be used as a routing protocol
• DHCP Snooping must be enabled.

3.1: Enabling CLI access to r30

There is no direct console access provided to the router r30. Moreover, r30 does not accept any remote connections because its VTY lines are configured with transport input none. Using RESTCONF, enable remote access to r30 for all remote access protocols, according to these requirements:

• You can use host31 to access router r30 using IP address 10.3.11.1
• You can use any method of accessing the RESTCONF API on r30 from host31, including curl, python, or postman.
• You must change the input transport protocol on all configurable VTY lines.
• The input transport protocol value setting must be changed from none to all.

Important Parameters:

• Username / Password for HTTP authentication
    ▪ admin / admin
    ▪ URL

This is the hidden content, please

• HTTP Method
    ▪ GET
  ◦ HTTP method to modify the configuration
    ▪ PATCH
  ◦ HTTP Headers
    ▪ Content-Type:application/yang-data+json
    ▪ Accept:application/yang-data+json
  ◦ Recommended curl switches
    ▪ -I,-k,-X,-H,-u,-d

3.2 Using Guest Shell and Python on r30

On r30, enable guestshell and create a python script named ribdump.py in the guestshell according to these requirements:

• If an additional IP network is necessary to start guestshell, you are allowed to use addresses from the range 192.168.255.0/24. This range must not be advertised in any routing protocol.
• The python script must be saved under the name ribdump.py in the home directory of the guestshell user.
• The purpose of the script is to display the complete contents of all routing tables in non-default VRFs created on the router.
• The script must execute the show ip route vrf ... or show ipv6 route vrf ... command for every non-default VRF created on the router, depending on what address families are enabled in that VRF.
• The script must determine the list of created VRFs and enabled address families dynamically every time it is run using, for example, show vrf brief | include ipv4
• The script must not attempt to display the VRF routing table for an address family that is not enabled in the VRF.
• It must be possible to run the script using the guestshell run python ribdump.py command from privileged EXEC mode.

===========================================================================================================================================

Please update the solution like CCIE V5. I hope everyone will support and update their knowledge to make a perfect solution.

Is this the list of questions that were on the exam?

  • Like 16
  • Thanks 2
Link to comment
Share on other sites
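The ribdump.py requirements in section 3.2 above, as an added example that is not part of the original post or of any vendor material: it parses `show vrf brief` on every run and builds one show command per enabled address family. It assumes the usual Name / Default RD / Protocols / Interfaces column layout and the `cli` module of the IOS XE guest shell; the sample output is constructed so the logic can be checked off-box.

```python
import re

# Constructed sample of `show vrf brief` output (not captured from a real device).
SAMPLE_VRF_BRIEF = """\
  Name                             Default RD            Protocols   Interfaces
  Guest                            65002:199             ipv4        Gi4
                                                                     Lo1
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0
  Spare                            <not set>             ipv6
"""

_PROTO = re.compile(r"^(?:ipv4|ipv6)(?:,(?:ipv4|ipv6))*$")
_SHOW = {"ipv4": "show ip route vrf {}", "ipv6": "show ipv6 route vrf {}"}


def parse_vrf_brief(text):
    """Return {vrf_name: [address families]} from `show vrf brief` output."""
    vrfs = {}
    for line in text.splitlines():
        # "<not set>" contains a space and would shift the columns when split.
        tokens = line.replace("<not set>", "<not-set>").split()
        if len(tokens) < 2 or tokens[0] == "Name":
            continue  # blank, header, or interface continuation line
        # Column 0 is the VRF name; the protocols column is the first later
        # token made up only of ipv4/ipv6. Lines without one are skipped.
        protos = next((t for t in tokens[1:] if _PROTO.match(t)), None)
        if protos:
            vrfs[tokens[0]] = protos.split(",")
    return vrfs


def build_commands(vrfs):
    """One show command per enabled address family, never for a disabled one."""
    return [_SHOW[af].format(name) for name, afs in vrfs.items() for af in afs]


def main():
    try:
        from cli import cli  # IOS XE guest shell module; absent elsewhere
    except ImportError:
        cli = None
    text = cli("show vrf brief") if cli else SAMPLE_VRF_BRIEF
    for cmd in build_commands(parse_vrf_brief(text)):
        print("=====", cmd, "=====")
        print(cli(cmd) if cli else "(guest shell not available, command not run)")


if __name__ == "__main__":
    main()
```

Parsing the unfiltered table rather than the `| include ipv4` output lets one pass cover both address families, and a VRF with no address family enabled produces no command at all.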

Attempted lab and failed.

Lot of things to discuss, will be updating it to all soon here.

Thanks to CC, we all were missing you. Let's discuss, guys, so that we crack it easily.

Do not rely on any workbook; discussing every point is a must. Let's provide feedback, very important to pass for all.

Sorry about that, bro, but then it is well. Just don't give up; I believe you will definitely crack it next attempt.

Link to comment
Share on other sites

On 6/14/2021 at 1:29 PM, enterprise said:

Attempted lab and failed.

Lot of things to discuss, will be updating it to all soon here.

Thanks to CC, we all were missing you. Let's discuss, guys, so that we crack it easily.

Do not rely on any workbook; discussing every point is a must. Let's provide feedback, very important to pass for all.

Sorry about that, bro. I believe next attempt you will crack it.

  • Like 20
  • Thanks 4
  • Confused 1
Link to comment
Share on other sites

On 6/14/2021 at 6:29 AM, enterprise said:

Attempted lab and failed.

Lot of things to discuss, will be updating it to all soon here.

Thanks to CC, we all were missing you. Let's discuss, guys, so that we crack it easily.

Do not rely on any workbook; discussing every point is a must. Let's provide feedback, very important to pass for all.

Do you have a list of questions that came on the exam?

  • Like 22
  • Thanks 5
  • Haha 1
  • Confused 1
Link to comment
Share on other sites

Sorry for the confusion, this was more a question for you, as you posted these questions. I was wondering if you could share where you got them from? Are they coming from chinesedumps or somewhere else? Were these questions on the exam? Thank you in advance!

  • Like 1
Link to comment
Share on other sites

2 hours ago, Vlaja said:

Sorry for the confusion, this was more a question for you, as you posted these questions. I was wondering if you could share where you got them from? Are they coming from chinesedumps or somewhere else? Were these questions on the exam? Thank you in advance!

Dear Vlaja,

These questions are already available on the internet, and one of my friends, who is also preparing for the lab, shared them with me. 2 to 3 vendors have the same questions.

Regards

  • Like 2
Link to comment
Share on other sites

  • 4 weeks later...
  • 3 weeks later...
  • Glavin changed the title to To Pass CCIE Enterprise Infrastructure v1.0 Deploy discussion - Real Attempt
