1、Section 1: L2 SPANNING-TREE:1.1 Two fault. ( 4 point) Solution:1、全在交换机上, 一台交换机的 fa0/19-24 有 spanning-tree portfast trunk,会造成errdisable.删除即可Solution:2、另一台上有一个 vlan access map:vlan access-map XXX 10action dropmatch mac address ARP改成 transit3、在 sw X 全局下可能有 VLAN filter ,删除即可。1.2 Configure 2 spanning-tre
2、e domains.VLANs for backbones will be in instance 1 and, all other VLANs will be ininstance 2. Any other VLAN will be in the default spanning-tree instance.Sw1 must be the root for instance 1 with sw2 being the backupSw2 must be the root for instance 2 with sw1 being the backup.Solution:SW1:spanning
3、-tree mst configurationname ciscorevision 1 instance 1 vlan 11 , 22 , 33instance 2 vlan 42 , 44 , 52 , 123 , 999spanning-tree mode mstspanning-tree mst 1 root primaryspanning-tree mst 2 root secondarySW2:spanning-tree mst configurationname ciscorevision 1 instance 1 vlan 11 , 22 , 33instance 2 vlan
4、42 , 44 , 52 , 123 , 999spanning-tree mode mstspanning-tree mst 2 root primaryspanning-tree mst 1 root secondarySW3、 SW4:spanning-tree mst configurationname ciscorevision 1 instance 1 vlan 11 , 22 , 33instance 2 vlan 42 , 44 , 52 , 123 , 999spanning-tree mode mstCheck:Show spanning-tree mst configur
5、ationShow spanning-tree mst 1Show spanning-tree mst 21.3 Use one command to enable portfast. Ensure all access-ports go into err-disable if receiving any BPDUs (This does not apply to BB router ports).Ensure backbone ports cant influence the STP topology ever.Configure Spanning-tree timers such that
6、 if no bpdus was received within 30 seconds, the network will re-converge. (3 point)Solution:SW1、 SW2、 SW3:spanning-tree portfast defaultspanning-tree portfast bpduguard defaultint F0/10spanning-tree bpduguard disablespanning-tree guard root /spanning-tree bpduf enSW1、 SW2、 SW3, SW4:spanning-tree ms
7、t max-age 30Check:Show spanning-tree mst x1.3 Configure Additional Spanning-TreeEnsure port fa0/20 is forwarding rather than blocking for MST 1 on SW3.Ensure port fa0/20 is forwarding rather than blocking for MST 2 on SW4.You can not do any configuration on SW3. (3 point)Solution:SW1:int f0/20spanni
8、ng-tree mst 1 port-priority 0SW2:int f0/20spanning-tree mst 2 port-priority 0Check:Show spanning-tree mst x1.4 CONFIGURE ETHERCHANNEL:SW1 & SW3 should actively negotiate and SW4 & SW2 should only establish Etherchannel when requested. (2 points)Configure industry standard Etherchannel betwen SW1 & S
9、W2Solution:SW1:Rack12Sw1(config)#int r f0/23 - 24Rack12Sw1(config-if-range)# channel-protocol lacpRack12Sw1(config-if-range)#channel-group 12 mode active SW2:Rack12Sw2(config)#int r f0/23 24Rack12Sw1(config-if-range)# channel-protocol lacpRack12Sw2(config-if-range)#channel-group 12 mode passiveConfi
10、gure proprietary Etherchanel between SW3 & SW4Solution:SW3:Rack12Sw3(config)#int r f0/23 - 24Rack12Sw1(config-if-range)# channel-protocol pagpRack12Sw3(config-if-range)#channel-group 34 mode desirable SW4:RackSw4(config)#int r f0/23 - 24Rack12Sw1(config-if-range)# channel-protocol pagpRackSw4(config
11、-if-range)#channel-group 34 mode auto Check:Show etherchannel summary1.5 VLAN TRUNKING:Configure all inter-switch links to use an industry standardSet the VTP Domain to “CCIERoutingAndSwitching“. SW1 should be server, and rest Clients. Config vlan as following. (3 points)Vlan 11 for BB1Vlan 22 for B
12、B2Vlan 33 for BB3Vlan 42 for R2 to SW4Vlan 44 for R4 serverVlan 52 for R5 to SW2Vlan 123 for all switchVlan 999 for remote vlan Solution:A、Configure Trunk Link:SW1、 SW2、 SW3、SW4:int range f0/19 24switchport trunk encap dot1qswitchport mode trunkCheck:Show interface trunkB、Configure VTP:SW1:VTP domai
13、n CCIERoutingAndSwitchingVTP mode serverVtp pass cisco /注意看题vtp ve2 /注意看题SW2、 SW3、 SW4:VTP domain CCIERoutingAndSwitchingVTP mode clientCheck:Show vtp statusC、Configure VLANs:SW1: ( SW2、 SW3、 SW4 无需配置,直接同步过去)VLAN 11Name VLAN_BB1VLAN 22Name VLAN_BB2VLAN 33Name VLAN_BB3VLAN 42Name VLAN_42VLAN 44Name V
14、LAN_44VLAN 52Name VLAN_52VLAN 123Name VLAN_123Check:Show vlan briefD、Configure Access Ports:SW1:interface FastEthernet0/2switchport mode accessswitchport access vlan 42interface FastEthernet0/3switchport mode access switchport access vlan 11interface FastEthernet0/4switchport mode access switchport
15、access vlan 44interface FastEthernet0/10switchport mode accessswitchport access vlan 11SW2:interface FastEthernet0/2switchport mode accessswitchport access vlan 22interface FastEthernet0/5switchport mode access switchport access vlan 52interface FastEthernet0/10switchport mode access switchport acce
16、ss vlan 22SW3:interface FastEthernet0/10switchport mode access switchport access vlan 33Check:Show vlan brief1.6 RSPANConfigure port mirroring for port f0/13, f0/19 - 20 on SW1 as the source. Use remote vlan 999. Traffic should be sent to SW4 fa0/9. SW4 monitor f0/12 send F0/16. (3 points)Solution:S
17、W1:No monitor session all /*为了避免预配置中存在 monitor session 的配置*İnterface f0/13No shutdown /*有用到的接口必须开启*VLAN 999Name VLAN_999Remote vlanMonitor session 1 source int f0/13 , f0/19 -20Monitor session 1 destination remote vlan 999 Check:Show vlanShow monitor session allShow run interface xSW4:No monitor ses
18、sion all /*为了避免预配置中存在 monitor session 的配置*Interface range f0/9,f0/12,f0/16No shutdown /*有用到的接口必须开启*-这里是为什么?Monitor session 1 source remote vlan 999 Monitor session 1 destination int f0/9Monitor session 2 source int f0/12 Monitor session 2 destination int f0/16Check:Show vlanShow monitor session allS
19、how run interface x1.7 PPPUse PPP chap on R4 for R1 R2, one way. R1 R2 can not use ppp chap hostname, they can use ppp chap password with CISCO. Make sure AAA is not affecting any vty and console login. (3 points)Solution:R4:aaa new-modelaaa authentication login default line none /* AAA is not affec
20、ting any vty and console login*aaa authentication ppp CCIE group radius local-应该 local-caseradius-server host YY.YY.A.B key CISCO /敲完会自动生成多余的命令username Rack12R1 password CISCO /*username 根据考试 RACK 来确定*username Rack12R2 password CISCOinterface Serial0/0/0ip address 12.12.14.4 255.255.255.0encapsulati
21、on pppno peer neippp authentication chap CCIEinterface Serial0/0/1ip address 12.12.24.4 255.255.255.0encapsulation pppno peer neippp authentication chap CCIE R1:interface Serial0/1/0ip address 12.12.14.1 255.255.255.0encapsulation pppno peer neippp chap password CISCOR2:interface Serial0/1/0ip addre
22、ss 12.12.24.2 255.255.255.0encapsulation pppno peer neippp chap password CISCOSection 2: IP Routing2.1 Configure OSPF Area0, 142, 51 as diagram. (2 point)Use the any number for the process ID.-建议用 YYConfigure the Router ID to match Loopback 0-手动选举Configure Area 0 between on the Ethernet segment shar
23、ed by all switches.Configure OSPF AREA 142 between SW1-R1-R4-R2-SW4 Configure OSPF AREA 51 between SW2-R5-R3换回口放置 sw1-sw4 放 A0Solution:R1:router ospf 12router-id 12.12.1.1network 12.12.1.1 0.0.0.0 area 124network 12.12.14.1 0.0.0.0 area 124network 12.12.17.1 0.0.0.0 area 124R2:router ospf 12router-i
24、d 12.12.2.2network 12.12.2.2 0.0.0.0 area 124network 12.12.24.2 0.0.0.0 area 124network 12.12.29.2 0.0.0.0 area 124R3:router ospf 12router-id 12.12.3.3network 12.12.3.3 0.0.0.0 area 51network 12.12.35.3 0.0.0.0 area 51R4:router ospf 12router-id 12.12.4.4network 12.12.4.4 0.0.0.0 area 124network 12.1
25、2.14.7 0.0.0.0 area 124network 12.12.24.4 0.0.0.0 area 124network 12.12.34.4 0.0.0.0 area 124 /*这条是 R4 的 f0/1 上的 IP,看是否有用到?*network 12.12.44.4 0.0.0.0 area 124R5:router ospf 12router-id 12.12.5.5network 12.12.5.5 0.0.0.0 area 51network 12.12.35.5 0.0.0.0 area 51network 12.12.58.5 0.0.0.0 area 51SW1:
26、router ospf 12router-id 12.12.7.7network 12.12.7.7 0.0.0.0 area 0network 12.12.17.7 0.0.0.0 area 124network 12.12.123.7 0.0.0.0 area 0SW2:router ospf 12router-id 12.12.8.8network 12.12.8.8 0.0.0.0 area 0network 12.12.58.8 0.0.0.0 area 51network 12.12.123.8 0.0.0.0 area 0SW3:router ospf 12router-id 1
27、2.12.9.9network 12.12.9.9 0.0.0.0 area 0network 12.12.123.9 0.0.0.0 area 0SW4:router ospf 12router-id 12.12.10.10network 12.12.10.10 0.0.0.0 area 0network 12.12.29.10 0.0.0.0 area 124network 12.12.123.10 0.0.0.0 area 0SW1 should control all routing, and SW2 should be the backup. (Use largest value)S
28、olution:SW1:interface vlan 123ip ospf priority 255SW2:interface vlan 123ip ospf priority 254-这个不错SW3、 SW4:interface vlan 123ip ospf priority 02.2 Configure EIGRP 100Configure EIGRP 100 on SW2. Disable auto summary.SW2 should not be queried for any routes./可能会有此需求Solution:SW2:router eigrp 100no auto-
29、summarynetwork 150.3.12.1 0.0.0.0eigrp stub connected summary /默认就打 eigrp stub 就会产生Redistribute EIGRP 100 into OSPF. The EIGRP routes should not be present in OSPF Area 51 but to Area 142, SW2 should generate a intra area default route. (1 points)Solution:R3:router ospf 12area 51 nssaR5:router ospf
30、12area 51 nssaSW2:router ospf 12area 51 nssa no-redistribution no-summaryredistribute eigrp 100 subnets2.3 Configure RIP 注意会收到来自 BB1 的 20 条路由Configure R3 with RIPv2 . Disable auto summary.RIP route receive 199.172.1.0/24 to 199.172.20.0/24 from BB1Control RIP route, Only 199.172.5.0/24,199.172.7.0/2
31、4, 199.172.13.0/24, 199.172.15.0/24 should be received on R3. Use single standard ACL single entry for this task. (2 points)Solution:R3:access-list 1 permit 199.172.5.0 0.0.10.0router ripversion 2no auto-summarynetwork 150.1.0.0distribute-list 1 in f0/02.4 Redistribute RIP into OSPF.Match the screen
32、 shot :Screenshot indicated Routes x.x.5.0 & x.x.7.0 should appears as N1 routes , and x.x.13.0 x.x.15.0 150.1.x.0 should be N2 routes. Use single standard ACL single entry. (2 point)Solution:R3:access-list 2 permit 199.172.5.0 0.0.2.0route-map RIP_TO_OSPF permit 10match ip address 2set metric-type
33、type-1route-map RIP_TO_OSPF permit 20 /*dont forget it*router ospf 12redistribute rip route-map RIP_TO_OSPF subnets2.5 BGPConfigure one ibgp peering for each router in diagram except SW2Peer R2 with BB2. Configure community to 254 108 104 for bgp route from BB2.Peer R3 with BB1. Configure community
34、to 254 107 103 for bgp router from BB1All bgp route should prefer BB1. (3 point)Update:SW2 、R1 、R2、R3、R5 running BGP,R4,R2,R1,R5,R3,SW2 using minimum commands剩下的设备(SW1)不运行 BGP 那中间肯定会存在 BGP 黑洞问题,特别R1、R2,R3 和 R5 由于存在默认路由,能够解决黑洞Solution:A、 Basic BGP Configuration:ip bgp-community new-format / 全局下开启R1:R
35、outer bgp 12no synchronizationno auto-summarybgp router-id 12.12.1.1neighbor 12.12.8.8 remote 12neighbor 12.12.8.8 update-soure loopback 0R2:router bgp 12no synchronizationno auto-summarybgp router-id 12.12.2.2neighbor 150.2.12.254 remote-as 254 /*TO BB2*neighbor 12.12.8.8 remote 12neighbor 12.12.8.
36、8 update-soure loopback 0route-map conn permit 10match interface f0/1 /*确保 BGP 下一跳可达*router ospf 12redistribute connected route-map conn subnetsR3:Router bgp 12no synchronizationno auto-summarybgp router-id 12.12.3.3neighbor 150.1.12.254 remote-as 254 /*TO BB1*neighbor 12.12.8.8 remote 12neighbor 12
37、.12.8.8 update-soure loopback 0R5:Router bgp 12no synchronizationno auto-summarybgp router-id 12.12.5.5neighbor 12.12.8.8 remote 12neighbor 12.12.8.8 update-soure loopback 0SW2:Router bgp 12no synchronizationno auto-summarybgp router-id 12.12.8.8neighbor IBGP peer-groupneighbor IBGP remote-as 12neig
38、hbor IBGP update-source loopback 0neighbor IBGP route-reflector-clientneighbor 12.12.1.1 peer-group IBGPneighbor 12.12.2.2 peer-group IBGPneighbor 12.12.3.3 peer-group IBGPneighbor 12.12.5.5 peer-group IBGPB、BGP Community Configuration:R2:route-map BGP_COMM permit 10set community 254 108 104 /*自动变为
39、104 108 254,可以采用 show run 查看*router bgp 12neighbor 150.2.12.254 route-map BGP_COMM inneighbor 12.12.8.8 send-communityR3:route-map BGP_COMM permit 10set community 254 107 103 /*自动变为 103 107 254,可以采用 show run 查看*router bgp 12neighbor 150.1.12.254 route-map BGP_COMM inneighbor 12.12.8.8 send-community
40、SW2:router bgp 12neighbor IBGP send-communityC、BGP Path Control:SW2:ip community-list 1 permit 104 108 254route-map BGP_COMM permit 10match community 1set local-preference 0route-map BGP_COMM permit 20router bgp 12neighbor 12.12.2.2 route-map BGP_COMM in2.6 IPV6 OSPF as diagram. (3 point)Use any num
41、ber for the process ID. -建议用 YYConfigure the Router ID to match Loopback 0-手动选举Configure Area 0 between on the Ethernet segment shared by all switches.SW1 should control all routing, and SW2 should be the backup for area 0. (Use largest value)Configure OSPF AREA 142 between SW1-R1-R4-R2-SW4 Configur
42、e OSPF AREA 51 between SW2-R5-R3Some ipv6 address is already configured.Ie 2010:cc1e:0:44:4/64Update:Configure the most secure form of authentication for IPv6配置别的就是接口下加 OSPFV3 进程和 IPV4 的一样注意 3560 必须 sdm prefer dual-ipv4-and-ipv6 routing存盘重启还有个需求就是 OFPFv3 过滤不让一个 lo 路由进入某个区域 那么就把那个区域做成 stub 区域Reduce l
43、ink traffic, set icmp request 4 times one secondeIpV6 nd ra-interval 250-?这个是出于什么目的?Solution:Rx: SWx:ipv6 router ospf 12router-id 12.12.x.x /*loopback 0*interface xipv6 ospf 12 area x关于认证 对 area 0 做认证:区域认证:ipv6 router ospf 12area 0 authentication ipsec spi 500 sha1 1234567890123456789012345678901234
44、567890 service password-encryption /*add this command,your key will be encrypted*接口认证:interface xipv6 ospf authentication ipsec spi 500 sha1 1234567890123456789012345678901234567890service password-encryption /*add this command,your key will be encrypted*2.7 IPv6 FilteringAdd a Loopback 8 to SW2 wit
45、h Global IPv6 Address and ospfv3 Area 0 have the route in OE2. Configure OSPF filtering to allow SW2 Loopback8 in Area 0 to go into Area 51, but not Area 142. Reduce link traffic, change icmp request to 4 times a second. (3 points)Solution:SW2:interface loopback 8ipv6 address x:x:x:x:x:x:x:x/64route
46、-map IPV6_CONN permit 10match interface loopback 8ipv6 router ospf 12redistribute connected route-map IPV6_CONN metric-type 2 /*default metric-type 2*R1、 R2、 R4、 SW1、 SW4:ipv6 router ospf 12area 142 stub /*not send loopback 8 route to area 142R1、 R2、 R3、 R4、 R5、 SW1、 SW2、 SW3、 SW4: /*考试看看 SW3 是否有运行,
47、在所有运行 ipv6 的接口修改*ipv6 nd ns-interval 250 /*enter the interface config mode,the unit is milliseconds*2.8 PFR You are required to implement pfr on the network. R4 will be the master controller and R1 & R2 will be the Border routers.Ensure that the pfr sessions is established from the Loopback interfac
48、es. Pfr Optimization. You need to optimize the pfr implementation such that when packets with a DSCP of 41 passes the network, it is routed out to R1 exit interface, and when a DSCP of 31 passes, it is routed out to R2 exit interface. Use extend ACL with one entry if need. You are allowed to use any
49、 prefix-list. (3 point)Solution:R4:key chain PFR key 1 key-string CISCOoer master policy-rules DSCP /*Apply oer-map,this name is DSCP*logging border 12.12.1.1 key-chain PFRinterface Serial 0/0/0 internal interface FastEthernet 0/0 external link-group A exit /*exit the previou mode (config-oer-mc)*border 12.12.2.2 key-chain PFRinterface Serial 0/0/0 internal interface FastEthernet 0/0 external link-group B exit /*exit the previou mode (config-oer-mc-br)*interface FastEthe
