苏州三网 IT 教育 (Suzhou Sannet IT Education) - CCIE group, QQ group number: 235877260, http://www.sannet.net, K4 version

CCIE K4 V2.0



1.1 Troubleshoot Layer 2 Switching

1.2 VLAN and Access-ports

1.3 Spanning-Tree (STP)

1.4 Switch Trunking and EtherChannel

1.5 Layer2 Protocol tunneling

1.6 PPP over Ethernet

1.7 Frame-Relay

2.1 IPv4 OSPF

2.2 IPv4 EIGRP

2.3 IPv4 RIP

2.4 Redistribution: OSPF into RIP

2.5 Redistribution: EIGRP into OSPF

2.6 IPv4 eBGP

2.7 IPv4 iBGP

2.8 Advanced BGP

2.9 IPv6 Addressing

2.10 IPv6 Routing

3.1 Multicast

3.2 Advanced Multicast feature

4.1 IGP Authentication

4.2 Zone-Based Firewall

4.3 Layer 2 Security

4.4 Quality of Service

4.5 Quality of Services

4.6 First Hop redundancy

4.7 Time-based Access-list

5.1 Network Management

5.2 Network optimization


1.1 Troubleshoot Layer 2 Switching 4 Points

Two faults have been injected into the pre-configurations just described. These issues may impede a working solution for certain portions of this lab exam, and they can affect any lab exam section. You must verify that all of your configurations work as expected. If something is not working as expected, then you must fix the underlying problem.

DHCP snooping/ARP inspection on VLAN 17 on SW2
SW2:
 no ip arp inspection vlan 17

Trunks configured with portfast
SWx:
 interface range f0/19 - 24
  no spanning-tree portfast

Guard root on SW4 and possibly incorrect VTP passwords ---> reconfigure VTP
SW4:
 interface range f0/19 - 24
  no spanning-tree portfast
  no spanning-tree guard root

The address on R2's link to BB2 is configured incorrectly.

None of the switches' SVI interfaces have an IP address configured.

1.2 VLAN and Access-ports 3 Points

Vlan17 – Between R1 & SW2

Vlan29 – Between R2 & SW4

Vlan34 – Between R3 & R4

Vlan38 – Between R3 & SW3

Vlan45 – Between R4 & R5


Vlan56 – Between R5 & SW1

Vlan67 – SVI Between SW1 & SW2

Vlan89 – SVI Between SW3 & SW4

Vlan100 – Between R1 & BB1

Vlan200 – Between R2 & BB2

Vlan300 – Between SW3 & BB3

Vlan333 – Customer Vlan

Vlan666 – Carrier Vlan

Vlan999 – Unused ports Vlan

1. Complete the VLAN configuration for the access ports as per the VLAN table above (case sensitive).

2. Ensure that all unused physical ports on all switches are shut down and configured as access ports in VLAN 999 (do not forget the Gigabit ports).

3. Configure VTP transparent mode on all switches.

SW1/SW2/SW3/SW4:
 vtp domain CCIE
 vtp mode transparent
 vtp version 2
 vtp password sannet
 interface range f0/19 - 24
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
 exit
 !
 vlan 17
 vlan 29
 vlan 34
 vlan 38
 vlan 45
 vlan 56
 vlan 67
 vlan 89
 vlan 100
 vlan 200
 vlan 300
 vlan 333
 vlan 666
 vlan 999

SW1:
 interface f0/1
  switchport mode access
  switchport access vlan 17
 !
 interface f0/2
  switchport mode access
  switchport access vlan 200
 !
 interface f0/3
  switchport mode access
  switchport access vlan 34
 !
 interface f0/4
  switchport mode access
  switchport access vlan 45
 !
 interface f0/5
  switchport mode access
  switchport access vlan 56
 !
 interface f0/10
  switchport mode access
  switchport access vlan 100
 !
 interface range f0/6 - 9 , f0/11 - 18 , g0/1 - 2
  switchport mode access
  switchport access vlan 999
  shutdown

SW2:
 interface f0/1
  switchport mode access
  switchport access vlan 100
 !
 interface f0/2
  switchport mode access
  switchport access vlan 29
 !
 interface f0/3
  switchport mode access
  switchport access vlan 38
 !
 interface f0/4
  switchport mode access
  switchport access vlan 34
 !
 interface f0/5
  switchport mode access
  switchport access vlan 45
 !
 interface f0/10
  switchport mode access
  switchport access vlan 200
 !
 interface range f0/6 - 9 , f0/11 - 18 , g0/1 - 2
  switchport mode access
  switchport access vlan 999
  shutdown

SW3:
 interface f0/10
  switchport mode access
  switchport access vlan 300
 !
 interface range f0/1 - 9 , f0/11 - 18 , g0/1 - 2
  switchport mode access
  switchport access vlan 999
  shutdown

SW4:
 interface range f0/1 - 18 , g0/1 - 2
  switchport mode access
  switchport access vlan 999
  shutdown


1.3 Spanning-Tree (STP) 3 Points

1. Set the region name as Cisco

2. Assign all active odd VLANs to instance 1

3. Assign all active even VLANs to instance 2

4. Explicitly assign all unused VLANs to instance 3

5. Ensure that SW1 is the primary root bridge for odd VLANs and for CIST

6. Ensure that SW1 is the secondary root for even VLANs

7. Ensure that SW2 is the primary root bridge for even VLANs

8. Ensure that SW2 is the secondary root for odd VLANs and for CIST

Note: Odd numbers are 1 , 3 , 5 etc and even numbers are 2 , 4 , 6 etc

Don’t forget any other VLAN used throughout the exam!

SW1 - SW4:
 spanning-tree mode mst
 spanning-tree extend system-id
 spanning-tree mst configuration
  revision 1
  name Cisco
  instance 3 vlan 1 - 4094
  instance 1 vlan 17,29,45,67,89,333,999
  instance 2 vlan 34,38,56,100,200,300,666

SW1:
 spanning-tree mst 0 root primary
 spanning-tree mst 1 root primary
 spanning-tree mst 2 root secondary

SW2:
 spanning-tree mst 0 root secondary
 spanning-tree mst 1 root secondary
 spanning-tree mst 2 root primary

check:
 show spanning-tree mst configuration
 show spanning-tree
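The odd/even split is easy to break later in the exam, when further VLANs are created (the private VLANs of section 4.3, for instance) and must be placed by the same rule. The following Python is an added example, not part of the workbook: it derives the "instance N vlan" lines from a VLAN list and checks a pasted "spanning-tree mst configuration" block against the odd/even rule, honouring the IOS behaviour that a later instance line overrides an earlier one (which is what makes the "1-4094" catch-all safe). The VLAN list is constructed from the table in section 1.2.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed from the VLAN table in section 1.2; VLAN 1 is not in that table,
# so it is left in the catch-all instance for unused VLANs.
ACTIVE_VLANS: Set[int] = {17, 29, 34, 38, 45, 56, 67, 89, 100, 200, 300, 333, 666, 999}

UNUSED_INSTANCE = 3


def expected_instance(vlan: int) -> int:
    """Rule from the task: odd VLANs -> instance 1, even VLANs -> instance 2."""
    return 1 if vlan % 2 else 2


def plan_instances(active: Set[int]) -> Dict[int, Set[int]]:
    """Group the active VLANs by the instance they must land in."""
    plan: Dict[int, Set[int]] = {1: set(), 2: set()}
    for vlan in active:
        plan[expected_instance(vlan)].add(vlan)
    return plan


def render(plan: Dict[int, Set[int]]) -> List[str]:
    """Emit IOS 'instance N vlan ...' lines. The catch-all for unused VLANs comes
    first: IOS applies the lines in order, so the later, specific lines pull the
    odd/even VLANs back out of instance 3."""
    lines = [f"instance {UNUSED_INSTANCE} vlan 1-4094"]
    for inst in sorted(plan):
        vlans = ",".join(str(v) for v in sorted(plan[inst]))
        lines.append(f"instance {inst} vlan {vlans}")
    return lines


def parse_instance_lines(config: str) -> Dict[int, Set[int]]:
    """Parse 'instance N vlan a,b,c-d' lines; a later line wins for any VLAN
    mentioned twice, mirroring how IOS evaluates the configuration."""
    owner: Dict[int, int] = {}
    for match in re.finditer(r"instance\s+(\d+)\s+vlan\s+([\d, -]+)", config):
        inst = int(match.group(1))
        for part in match.group(2).replace(" ", "").split(","):
            if not part:
                continue
            low, _, high = part.partition("-")
            for vlan in range(int(low), int(high or low) + 1):
                owner[vlan] = inst
    result: Dict[int, Set[int]] = {}
    for vlan, inst in owner.items():
        result.setdefault(inst, set()).add(vlan)
    return result


def misplaced(configured: Dict[int, Set[int]], active: Set[int]) -> Dict[int, Tuple[int, int]]:
    """Active VLANs sitting in the wrong instance: vlan -> (configured, expected).
    An active VLAN left in the catch-all instance is reported too, because it
    would not follow the root-bridge placement of its odd/even group."""
    bad: Dict[int, Tuple[int, int]] = {}
    for inst, vlans in configured.items():
        for vlan in vlans & active:
            want = expected_instance(vlan)
            if inst != want:
                bad[vlan] = (inst, want)
    return bad


if __name__ == "__main__":
    for line in render(plan_instances(ACTIVE_VLANS)):
        print(line)
```

Paste the output of "show spanning-tree mst configuration" from each switch into parse_instance_lines and run misplaced over the union of every VLAN in use; a non-empty result means the region still matches but the root-bridge placement no longer does.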

1.4 Switch Trunking and EtherChannel 3 Points

1. Disable DTP

2. Use encapsulation 802.1Q

3. The native VLAN is VLAN 999

4. Ensure that native VLAN is tagged

5. Configure a 200 Mbps logical trunk between SW1 and SW2 as per the following requirements:

- The EtherChannel must use IEEE 802.3ad

- SW2 can't initiate the negotiation

- The load distribution mechanism must use the source and destination host MAC address

- If more channel members were added in the future, Fa0/24 must have the best chance to be the first active port.

SW1 - SW4:
 vlan dot1q tag native
 interface range f0/19 - 24
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 999
  switchport mode trunk
  switchport nonegotiate

SW1:
 interface range f0/23 - 24
  channel-group 12 mode active
 !
 interface f0/24
  lacp port-priority 0
 !
 port-channel load-balancing src-dst-mac

SW2:
 interface range f0/23 - 24
  channel-group 12 mode passive
 !
 interface f0/24
  lacp port-priority 0
 !
 port-channel load-balancing src-dst-mac

1.5 Layer2 Protocol tunneling 4 Points

1. Users connected to VLAN 333 on SW3 must be able to communicate with the users connected to VLAN 333 on SW4 via their respective interfaces connected to SW1 and SW2

2. Configure the VLAN 333 interface on SW3 with the IP address YY.YY.33.8/24

3. Configure the VLAN 333 interface on SW4 with the IP address YY.YY.33.9/24

4. VLAN 333 must be allowed to flow only through SW3's and SW4's Fa0/19; no other trunks may carry this VLAN

5. SW1 and SW2 must carry the VLAN 333 data across the network using VLAN 666

6. VLAN 666 may exist only on SW1 and SW2

7. SW1 and SW2 must not allow VLAN 333 on any trunks and must allow VLAN 666 only on the trunks between them

8. No other port in any switch may carry VLAN 333

9. Do not modify any spanning-tree cost or port-priority to achieve this task

10. Referring to the exhibit below, SW3 must see SW4 as a CDP neighbor via interface Fa0/19 and must be able to ping SW4's VLAN 333

SW1/SW2:
 system mtu 1504
 sdm prefer dual-ipv4-and-ipv6 default
 exit
 wr
 reload

After the system MTU is changed, the configuration must be saved and the switch reloaded; the same reload also activates the SDM template that gives the C3560 switches their OSPFv3 capability.

SW1:
 interface f0/19
  switchport mode dot1q-tunnel
  switchport access vlan 666
  l2protocol-tunnel cdp
 !
 interface range f0/20 - 24 , port-channel 12
  switchport trunk allowed vlan remove 333
 !
 interface range f0/20 - 22
  switchport trunk allowed vlan remove 666

SW2:
 interface f0/19
  switchport mode dot1q-tunnel
  switchport access vlan 666
  l2protocol-tunnel cdp
 !
 interface range f0/20 - 24 , port-channel 12
  switchport trunk allowed vlan remove 333
 !
 interface range f0/20 - 22
  switchport trunk allowed vlan remove 666

SW3:
 interface f0/19
  switchport trunk allowed vlan 333
 !
 interface range f0/20 - 24
  switchport trunk allowed vlan remove 333,666
 !
 interface vlan 333
  ip address YY.YY.33.8 255.255.255.0
  no shutdown
 !
 no vlan 666

SW4:
 interface f0/19
  switchport trunk allowed vlan 333
 !
 interface range f0/20 - 24
  switchport trunk allowed vlan remove 333,666
 !
 interface vlan 333
  ip address YY.YY.33.9 255.255.255.0
  no shutdown
 !
 no vlan 666

1.6 PPP over Ethernet 3 Points

1. Configure R3 as a PPPoE server

2. Configure R4 as a PPPoE client

3. The link must be up even if there is no traffic at all

4. R4 must always receive the IP address YY.YY.34.4/32 from R3

5. Do not use DHCP to assign the IP address

6. Avoid unnecessary fragmentation on the PPPoE link

7. The client must use CHAP to authenticate with the server (use the device's hostname as the CHAP username and any password)

R3 (Server):
 username RackYYR4 password sannet
 !
 bba-group pppoe global
  virtual-template 1
 !
 vpdn enable
 !
 vpdn-group cisco
  accept-dialin
   protocol any
 !
 ip local pool cisco YY.YY.34.4
 !
 interface Virtual-Template1
  ip address YY.YY.34.3 255.255.255.0
  peer default ip address pool cisco
  ppp authentication chap
  ip tcp adjust-mss 1452
 !
 interface Gi0/0
  no shutdown
  pppoe enable group global

R4 (Client):
 hostname RackYYR4
 interface FastEthernet0/1
  no shutdown
  pppoe enable group global
  pppoe-client dial-pool-number 1
 !
 interface Dialer1
  ip address negotiated
  encapsulation ppp
  ip tcp adjust-mss 1452
  dialer pool 1
  mtu 1492
  dialer idle-timeout 0
  dialer persistent
  ppp chap password sannet

The solution above scores full marks: the OSPF neighbour between the PPPoE server and client comes up normally, but it requires IOS 12.4T or later. The configuration below achieves the same result but has not been verified in the exam environment.

R3 (server):
 username RackYYR4 password CCIE
 bba-group pppoe CCIE
  virtual-template 1
 !
 interface Gi0/0
  ip address YY.YY.34.3 255.255.255.0
  pppoe enable group CCIE
  no shutdown
 !
 interface Virtual-Template1
  mtu 1492
  ip unnumbered Gi0/0
  peer default ip address pool ipcp
  ppp authentication chap
 !
 ip local pool ipcp YY.YY.34.4

R4 (Client):
 hostname RackYYR4
 interface FastEthernet0/1
  pppoe enable group global
  pppoe-client dial-pool-number 1
  no shutdown
 !
 interface Dialer1
  mtu 1492
  ip address negotiated
  encapsulation ppp
  dialer pool 1
  dialer idle-timeout 0
  dialer persistent
  dialer-group 1
  ppp chap password 0 CCIE
 !
 dialer-list 1 protocol ip permit

1.7 Frame-Relay 2 Points

1. R1 uses DLCI 102

2. R2 uses DLCI 201

3. Use IETF encapsulation (RFC 1490)

4. Ensure both DTEs do not build dynamic address mappings

5. Ensure that broadcast packets are replicated on the frame-relay link

6. Ensure that both DTEs are able to ping each other as well as their own Frame-Relay interface

7. Configure on R1 and R2 the administrative bandwidth for both Frame-Relay interfaces to 50000 kbps

8. R4 is preconfigured as the Frame-Relay switch. Do not modify any Frame-Relay configuration on R4.

R4 pre-config:
 frame-relay switching
 !
 interface Serial0/0
  encapsulation frame-relay ietf
  clock rate 64000
  frame-relay lmi-type cisco
  frame-relay intf-type dce
  frame-relay route 102 interface Serial0/1 201
  no shutdown
 !
 interface Serial0/1
  encapsulation frame-relay ietf
  clock rate 64000
  frame-relay lmi-type cisco
  frame-relay intf-type dce
  frame-relay route 201 interface Serial0/0 102
  no shutdown

R1:
 interface s0/0/0
  bandwidth 50000
  encapsulation frame-relay ietf
  no frame-relay inverse-arp
  ip address YY.YY.12.1 255.255.255.0
  no shutdown
  frame-relay map ip YY.YY.12.1 102
  frame-relay map ip YY.YY.12.2 102 broadcast

R2:
 interface s0/0/0
  bandwidth 50000
  encapsulation frame-relay ietf
  no frame-relay inverse-arp
  ip address YY.YY.12.2 255.255.255.0
  no shutdown
  frame-relay map ip YY.YY.12.2 201
  frame-relay map ip YY.YY.12.1 201 broadcast

2.1 IPv4 OSPF 3 Points

1. The OSPF process ID can be any number

2. The OSPF router-IDs must be stable and must be configured using the IP address of interface loopback0

3. Loopback 0 interfaces must be advertised in the OSPF area shown in "Diagram 1 IGP Routing"

4. Do not create additional OSPF areas

5. Do not use any IP address not listed in "Diagram 1 IGP Routing"

6. In case either R1 or R5 is down, R4 must still be able to reach all other OSPF prefixes via R3

7. Do not change the OSPF network type on Frame-Relay interfaces

8. Do not propagate any default route in any Area

R1:
 router ospf YY
  router-id YY.YY.1.1
  network YY.YY.1.1 0.0.0.0 area 0
  network YY.YY.17.1 0.0.0.0 area 0
  network YY.YY.15.1 0.0.0.0 area 0
  network YY.YY.12.1 0.0.0.0 area 1
  area 1 virtual-link YY.YY.3.3
  network 150.1.YY.1 0.0.0.0 area 0
  passive-interface g0/1
 !
 interface g0/0
  ip ospf mtu-ignore

R2:
 router ospf YY
  router-id YY.YY.2.2
  network YY.YY.12.2 0.0.0.0 area 1
  network YY.YY.23.2 0.0.0.0 area 1
  network YY.YY.2.2 0.0.0.0 area 1
  network 150.2.YY.1 0.0.0.0 area 1
  passive-interface g0/0
  neighbor YY.YY.12.1

R3:
 router ospf YY
  router-id YY.YY.3.3
  network YY.YY.3.3 0.0.0.0 area 1
  network YY.YY.23.3 0.0.0.0 area 1
  network YY.YY.35.3 0.0.0.0 area 1
  network YY.YY.34.3 0.0.0.0 area 2
  area 1 virtual-link YY.YY.1.1
  area 1 virtual-link YY.YY.5.5

R4:
 router ospf YY
  router-id YY.YY.4.4
  network YY.YY.4.4 0.0.0.0 area 2
  network YY.YY.34.4 0.0.0.0 area 2

R5:
 router ospf YY
  router-id YY.YY.5.5
  network YY.YY.5.5 0.0.0.0 area 0
  network YY.YY.35.5 0.0.0.0 area 1
  network YY.YY.15.5 0.0.0.0 area 0
  network YY.YY.56.5 0.0.0.0 area 0
  area 1 virtual-link YY.YY.3.3
 !
 interface f0/0
  ip ospf mtu-ignore

SW1:
 ip routing
 router ospf YY
  router-id YY.YY.6.6
  network YY.YY.6.6 0.0.0.0 area 0
  network YY.YY.56.6 0.0.0.0 area 0
  network YY.YY.67.6 0.0.0.0 area 0

SW2:
 ip routing
 router ospf YY
  router-id YY.YY.7.7
  network YY.YY.7.7 0.0.0.0 area 0
  network YY.YY.67.7 0.0.0.0 area 0
  network YY.YY.17.7 0.0.0.0 area 0

2.2 IPv4 EIGRP 2 Points

1. Configure EIGRP AS YY and EIGRP AS 100 as per the “Diagram 1 IGP Routing”

2. Redistribute EIGRP AS 100 into EIGRP AS YY

3. Disable automatic summarization for both autonomous Systems

SW3:
 ip routing
 router eigrp 100
  no auto-summary
  network 150.3.YY.1 0.0.0.0
 !
 router eigrp YY
  no auto-summary
  network YY.YY.89.8 0.0.0.0
  network YY.YY.38.8 0.0.0.0
  network YY.YY.8.8 0.0.0.0
  redistribute eigrp 100 metric 10000 100 255 1 1500

SW4:
 ip routing
 router eigrp YY
  no auto-summary
  network YY.YY.89.9 0.0.0.0
  network YY.YY.9.9 0.0.0.0
  network YY.YY.29.9 0.0.0.0

R2:
 router eigrp YY
  no auto-summary
  network YY.YY.29.2 0.0.0.0

R3:
 router eigrp YY
  no auto-summary
  network YY.YY.38.3 0.0.0.0

2.3 IPv4 RIP 1 Point

1. Disable automatic summarization

2. RIP must be enabled only on the required interfaces; no other interface may send any RIP update

R4:
 router rip
  version 2
  network YY.0.0.0
  no auto-summary
  passive-interface default
  no passive-interface f0/0

R5:
 router rip
  version 2
  network YY.0.0.0
  no auto-summary
  passive-interface default
  no passive-interface f0/1

2.4 Redistribution: OSPF into RIP 2 Points

1. Redistribute OSPF into RIP on R5

2. R4 must route traffic destined to SW1 loopback 0 via R5

3. R4 must route all other OSPF prefixes via R3

R5:
 router rip
  redistribute ospf YY metric 1

R4:
 router ospf YY
  distance 125 YY.YY.3.3 0.0.0.0 1
 !
 access-list 1 permit YY.YY.6.6

If the exam task instead reads something like "Mutual redistribute between OSPF and RIP":

R4:
 router ospf YY
  redistribute rip subnets route-map rip_prefix
 !
 route-map rip_prefix permit 10
  match ip address 10
 !
 access-list 10 permit YY.YY.45.0

2.5 Redistribution: EIGRP into OSPF 4 Points

1. Manually redistribute EIGRP and OSPF on both R2 and R3

2. The only EIGRP external routes that both R2 and R3 must see are the prefixes originated in EIGRP 100 and the VLAN 300 prefix

3. All internal OSPF prefixes (i.e. all existing subnets of YY.YY.0.0/16 that are not originated in EIGRP YY and EIGRP 100) must be seen as OSPF internal by both R2 and R3

4. Without any additional configuration, your solution must cover any future prefixes that could eventually be advertised by BB3

5. You must use a route filtering mechanism, but do not use any access-list or prefix-list to achieve this task

6. Ensure optimal routing is performed on both R2 and R3

7. Do not change any default administrative distance to achieve this task

R2/R3:
 router ospf YY
  redistribute eigrp YY subnets metric-type 1 tag 100
  distribute-list route-map filter in
 !
 route-map filter deny 10
  match tag 100
 !
 route-map filter permit 20
 !
 router eigrp YY
  redistribute ospf YY metric 10000 1000 255 1 1500

2.6 IPv4 eBGP 2 Points

1. Configure eBGP between AS YY and AS 254 as per the "Diagram 2 BGP Routing"

2. R2 must generate a warning log message if it receives more than 5 prefixes from BB2

3. Both R2 and R3 must exchange the BGP capability that indicates the end-of-RIB marker after the initial routing update is complete

4. Redistribute OSPF into BGP on both R1 and R2

5. Ensure that you receive BGP Prefixes from both BB1 and BB2

6. Do not use next-hop-self in either R1 and R2

R1:
 router bgp YY
  bgp router-id YY.YY.1.1
  neighbor 150.1.YY.254 remote-as 254
  redistribute ospf YY match internal external 1 external 2

R2:
 router bgp YY
  bgp router-id YY.YY.2.2
  neighbor 150.2.YY.254 remote-as 254
  neighbor 150.2.YY.254 maximum-prefix 500 1 warning-only
  redistribute ospf YY match internal external 1 external 2
  bgp graceful-restart

R3:
 router bgp YY
  bgp router-id YY.YY.3.3
  bgp graceful-restart

2.7 IPv4 iBGP 2 Points

1. Configure BGP AS YY between all five routers

2. Use loopback 0 interface for all internal BGP connections

3. R3 must be the Route Reflector for AS YY

4. Do not use peer-groups

R1:
 router bgp YY
  neighbor YY.YY.3.3 remote-as YY
  neighbor YY.YY.3.3 update-source loopback 0

R2:
 router bgp YY
  neighbor YY.YY.3.3 remote-as YY
  neighbor YY.YY.3.3 update-source loopback 0

R4:
 router bgp YY
  bgp router-id YY.YY.4.4
  neighbor YY.YY.3.3 remote-as YY
  neighbor YY.YY.3.3 update-source loopback 0

R5:
 router bgp YY
  bgp router-id YY.YY.5.5
  neighbor YY.YY.3.3 remote-as YY
  neighbor YY.YY.3.3 update-source loopback 0

R3:
 router bgp YY
  neighbor YY.YY.1.1 remote-as YY
  neighbor YY.YY.1.1 update-source loopback 0
  neighbor YY.YY.1.1 route-reflector-client
  neighbor YY.YY.2.2 remote-as YY
  neighbor YY.YY.2.2 update-source loopback 0
  neighbor YY.YY.2.2 route-reflector-client
  neighbor YY.YY.4.4 remote-as YY
  neighbor YY.YY.4.4 update-source loopback 0
  neighbor YY.YY.4.4 route-reflector-client
  neighbor YY.YY.5.5 remote-as YY
  neighbor YY.YY.5.5 update-source loopback 0
  neighbor YY.YY.5.5 route-reflector-client

2.8 Advanced BGP 5 Points

1. R1 must prefer the external path to reach destinations in AS 254, and the tie breaker in the BGP best-path selection algorithm must be the "External vs Internal" criterion

2. R3 must prefer the path via R1, and the change must not impact any other routers

3. R4 must be able to successfully ping host 197.68.1.254

4. Traffic sent from R4 to destinations in AS 254 must be routed through R1

5. The BGP attributes AS-Path, Local Preference and Weight can't be changed on either R4 or R5

6. OSPF costs may be changed for only one interface

R1:
 router bgp YY
  bgp bestpath as-path ignore

R2:
 access-list 1 permit 197.68.0.0 0.0.31.0
 route-map from_bb2 permit 10
  match ip address 1
  set as-path prepend 253
 !
 router bgp YY
  neighbor 150.2.YY.254 route-map from_bb2 in

R3:
 router bgp YY
  bgp bestpath igp-metric ignore
  maximum-paths ibgp 2
  bgp additional-paths select backup
  address-family ipv4
   neighbor YY.YY.1.1 activate
   neighbor YY.YY.2.2 activate
   neighbor YY.YY.4.4 activate
   neighbor YY.YY.5.5 activate
   neighbor YY.YY.1.1 advertise diverse-path mpath
   neighbor YY.YY.2.2 advertise diverse-path mpath
   neighbor YY.YY.4.4 advertise diverse-path mpath
   neighbor YY.YY.5.5 advertise diverse-path mpath

R4:
 router bgp YY
  bgp bestpath igp-metric ignore

R3:
 router bgp YY
  neighbor YY.YY.1.1 weight 100

R5:
 interface serial 0/0/0
  ip ospf cost 1

2.9 IPv6 Addressing 2 Points

1. Refer to the "Diagram 3 IPv6 Routing" and configure IPv6 in your network

2. Configure all global unicast addresses to match 2001:YY:YY:SS::HH/MM, where YY stands for your two-digit rack number, written in decimal format, SS is the third


octet of the IPv4 address of the same interface, written in decimal format, HH is the fourth octet of the IPv4 address of the same interface, written in decimal format, and MM is the subnet mask, which must be /128 for loopback interfaces and /64 for other interfaces

3. Disable sending the periodic router advertisement messages on all IPv6 interfaces

4. IPv6 devices must use Cisco's proprietary forwarding algorithm
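The addressing rule in task 2 is mechanical, and applying it by hand across every interface is where typos creep in (a hex-looking octet such as 17 must be written as the decimal digits "17", not converted to 0x11). The following Python is an added example, not part of the workbook: it derives each IPv6 address from the IPv4 address of the same interface according to the rule, picks /128 or /64, and verifies that the two ends of a link land in the same /64. The sample interface list is constructed for a rack numbered 10 (YY = 10) and follows the YY.YY.x.y IPv4 pattern used throughout the lab.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: (device, interface, IPv4 address, is_loopback) for rack YY = 10.
RACK = 10
SAMPLE_INTERFACES: List[Tuple[str, str, str, bool]] = [
    ("R1", "Loopback0", "10.10.1.1", True),
    ("R1", "Serial0/1", "10.10.15.1", False),
    ("R5", "Serial0/0", "10.10.15.5", False),
    ("SW2", "Vlan17", "10.10.17.7", False),
]


def ipv6_from_ipv4(ipv4: str, rack: int, loopback: bool) -> str:
    """Build 2001:YY:YY:SS::HH/MM from the IPv4 address of the same interface.

    YY, SS and HH are written as decimal digits inside the hexadecimal groups,
    exactly as the task states (every decimal string is also valid hex), so the
    third octet 17 becomes the group '17', not '11'."""
    if not 1 <= rack <= 99:
        raise ValueError("YY is a two-digit rack number")
    octets = ipaddress.IPv4Address(ipv4).packed
    ss, hh = octets[2], octets[3]
    prefix_len = 128 if loopback else 64
    addr = ipaddress.IPv6Address(f"2001:{rack}:{rack}:{ss}::{hh}")
    return f"{addr}/{prefix_len}"


def same_link(addr_a: str, addr_b: str) -> bool:
    """True when two derived interface addresses share one /64, i.e. the IPv4
    third octets matched and neither side was given the loopback mask."""
    a = ipaddress.IPv6Interface(addr_a)
    b = ipaddress.IPv6Interface(addr_b)
    return a.network.prefixlen == 64 and a.network == b.network


def derive_table(rack: int, interfaces: List[Tuple[str, str, str, bool]]) -> List[Tuple[str, str, str]]:
    """Apply the rule to a whole (device, interface, ipv4, loopback) list."""
    return [(dev, ifname, ipv6_from_ipv4(ipv4, rack, lo)) for dev, ifname, ipv4, lo in interfaces]


if __name__ == "__main__":
    for dev, ifname, v6 in derive_table(RACK, SAMPLE_INTERFACES):
        print(f"{dev:<4} {ifname:<10} ipv6 address {v6}")
```

Run derive_table over the interfaces from "Diagram 3 IPv6 Routing" and compare the output with the addresses typed on the devices; same_link is the quick check that both ends of the R1-R5 serial link (SS = 15) were derived consistently before OSPFv3 adjacency is debugged.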

2.10 IPv6 Routing 2 Points

1. Configure OSPFv3 according to the “Diagram 3 IPv6 Routing”

2. Use the number 2001 as the OSPFv3 process ID

3. Use the loopback 0 IP address as the OSPFv3 router-ID

4. Using a single command, the serial link between R1 and R5 must be authenticated using the MD5 key "1234567890ABCDEF1234567890ABCDEF"

5. All IPv6 interfaces must be reachable from any IPv6 router

R1:
 ipv6 unicast-routing
 ipv6 cef
 ipv6 router ospf 2001
  router-id YY.YY.1.1
 !
 interface lo0
  ipv6 address 2001:YY:YY:1::1/128
  ipv6 ospf 2001 area 0
 !
 interface s0/1
  ipv6 address 2001:YY:YY:15::1/64
  ipv6 ospf 2001 area 0
  ipv6 ospf authentication ipsec spi 256 md5 1234567890ABCDEF1234567890ABCDEF
 !
 interface g0/0
  ipv6 address 2001:YY:YY:17::1/64
  ipv6 ospf 2001 area 0
  ipv6 nd ra suppress

R5:
 ipv6 unicast-routing
 ipv6 cef
 ipv6 router ospf 2001
  router-id YY.YY.5.5
 !
 interface lo0
  ipv6 address 2001:YY:YY:5::5/128
  ipv6 ospf 2001 area 0
 !
 interface s0/0
  ipv6 address 2001:YY:YY:15::5/64
  ipv6 ospf 2001 area 0
  ipv6 ospf authentication ipsec spi 256 md5 1234567890ABCDEF1234567890ABCDEF
 !
 interface f0/0
  ipv6 address 2001:YY:YY:56::5/64
  ipv6 ospf 2001 area 0
  ipv6 nd ra suppress

SW1:
 ipv6 unicast-routing
 ipv6 cef
 ipv6 router ospf 2001
  router-id YY.YY.6.6
 !
 interface lo0
  ipv6 address 2001:YY:YY:6::6/128
  ipv6 ospf 2001 area 0
 !
 interface vlan 56
  ipv6 address 2001:YY:YY:56::6/64
  ipv6 ospf 2001 area 0
  ipv6 nd ra suppress
 !
 interface vlan 67
  ipv6 address 2001:YY:YY:67::6/64
  ipv6 ospf 2001 area 0
  ipv6 nd ra suppress

SW2:
 ipv6 unicast-routing
 ipv6 cef
 ipv6 router ospf 2001
  router-id YY.YY.7.7
 !
 interface lo0
  ipv6 address 2001:YY:YY:7::7/128
  ipv6 ospf 2001 area 0
 !
 interface vlan 17
  ipv6 address 2001:YY:YY:17::7/64
  ipv6 ospf 2001 area 0
  ipv6 nd ra suppress
 !
 interface vlan 67
  ipv6 address 2001:YY:YY:67::7/64
  ipv6 ospf 2001 area 0
  ipv6 nd ra suppress

check:
 show ipv6 route
 ping
 show ipv6 interface
 show ipv6 cef

3.1 Multicast 3 Points

1. Configure IPv4 Multicast on R3 and R5

2. R3's loopback 0 is simulating a multicast video server, and receivers are connected to R5 Fa0/0

3. Multicast forwarding should not rely on any Rendezvous Point

4. The network should not have to flood and prune multicast traffic unnecessarily

R3:
 ip multicast-routing
 interface Loopback0
  ip pim sparse-mode
 !
 interface Serial0/0/0
  ip pim sparse-mode

R5:
 ip multicast-routing
 interface Serial0/0/0
  ip pim sparse-mode
 !
 interface FastEthernet0/0
  ip pim sparse-mode

3.2 Advanced Multicast feature 3 Points

1. Configure a static join on R5 FastEthernet0/0 for the group address 225.1.1.1 and ensure that only the multicast video server simulated by YY.YY.3.3 is allowed to send traffic for that group

2. Consider that there are hosts connected to R5 that only support IGMPv2 and who are interested in joining the group addresses 225.1.1.2 and 225.1.1.3

3. These hosts must be able to join these two groups for the source address YY.YY.3.3

4. Routers should not query the Domain Name System (DNS) for any source addresses

R3:
 ip pim ssm range 1
 !
 access-list 1 permit 225.1.1.1
 access-list 1 permit 225.1.1.3
 access-list 1 permit 225.1.1.2

R5:
 interface f0/0
  ip igmp join-group 225.1.1.1 source YY.YY.3.3
  ip igmp v3lite
 !
 access-list 15 permit 225.1.1.1
 access-list 15 permit 225.1.1.2
 access-list 15 permit 225.1.1.3
 !
 ip pim ssm range 15
 ip igmp ssm-map enable
 no ip igmp ssm-map query dns
 ip igmp ssm-map static 15 YY.YY.3.3
 !

check:
R3/R5:
 show ip pim interface
 show ip pim neighbor
 show ip mroute
 ping 225.1.1.1 source YY.YY.3.3
 ping 225.1.1.1 source YY.YY.38.3

At this point the ping succeeds from R3 but fails from R5.

R5:
 show ip igmp ssm-mapping 225.1.1.2

4.1 IGP Authentication 3 Points

1. Complete the configuration of MD5 authentication in the IGP domain

2. You are not allowed to change the pre-configured key in R4

3. R5 must save the key as plain text (not encrypted) in the configuration

R4:
 interface f0/0
  ip rip authentication mode md5
  ip rip authentication key-chain rip
 !
 key chain rip
  key 1
   key-string cisco

This key follows the pre-config; do not change it. Some updates report that the RIP authentication part may have been dropped, so read the task carefully.

R5:
 interface f0/1
  ip rip authentication mode md5
  ip rip authentication key-chain rip
 !
 key chain rip
  key 1
   key-string cisco
 !
 no service password-encryption

R1/R2/R3/R5:
 router ospf YY
  area 1 authentication message-digest

R1/R2/R3/R5:
 interface s0/0/0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 cisco
 !
 interface s0/0/1
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 cisco

R4/R3:
 router ospf YY
  area 2 authentication message-digest

R3:
 interface gi0/0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 cisco

R4:
 interface f0/1
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 cisco

4.2 Zone-Based Firewall 3 Points

1. Two outputs are given. The first shows that a ping from SW2 to 150.1.YY.254 succeeds and that a ping from R5 to 150.1.YY.254 succeeds; the second shows the output of "show policy-map type inspect zone-pair". Note that the action under the class-map that is hit is "pass".

 Class-map: A_B (match-all)
   Match: protocol icmp
   Pass
     10 packets, 800 bytes
 Class-map: class-default (match-any)
   Match: any
   Pass
     0 packets, 0 bytes

2. You are required to build the ZBF based on the zone-security names, zone members and zone-pairs given (case sensitive).

R1:
 class-map type inspect A_B
  match protocol icmp
 !
 policy-map type inspect A_B
  class type inspect A_B
   pass
  class class-default
   pass
 !
 policy-map type inspect B_A
  class type inspect A_B
   pass
  class class-default
   drop
 !
 zone security Zone_in
 zone security Zone_out
 !
 zone-pair security A_B source Zone_in destination Zone_out
  service-policy type inspect A_B
 !
 zone-pair security B_A source Zone_out destination Zone_in
  service-policy type inspect B_A
 !
 interface g0/1
  zone-member security Zone_out
 !
 interface g0/0
  zone-member security Zone_in
 !
 interface s0/0/1
  zone-member security Zone_in

4.3 Layer 2 Security 3 Points

1. Configure SW1 and SW2 as per the following requirements

2. R4 and R5 may communicate only with each other in VLAN 45 and not with any other host in that VLAN

3. Hosts connected to port Fa0/6 of both SW1 and SW2 must also be part of VLAN 45, and may communicate only with each other

4. Hosts connected to port Fa0/7 of both SW1 and SW2 are not allowed to communicate with any host in VLAN 45

5. All of the above ports (Fa0/6, Fa0/7 of SW1 and SW2) must be allowed to communicate with a device connected to port Fa0/8 of SW1

6. Use only odd VLAN number(s) (between 334 and 998) if you need to create any new VLAN(s)

7. Currently, there is no host attached to these ports, but ensure that they are fully configured and that no intervention is required when actually connecting physical hosts to them

SW1/SW2:
 spanning-tree mst configuration
  instance 1 vlan 335,337,401
 !
 vlan 45
  private-vlan primary
 vlan 335
  private-vlan community
 vlan 337
  private-vlan community
 vlan 401
  private-vlan isolated
 vlan 45
  private-vlan association 335,337,401
 !
 interface fa0/6
  no shutdown
  switchport mode private-vlan host
  switchport private-vlan host-association 45 337
 !
 interface f0/7
  no shutdown
  switchport mode private-vlan host
  switchport private-vlan host-association 45 401

SW1:
 interface f0/4
  switchport mode private-vlan host
  switchport private-vlan host-association 45 335
 !
 interface fa0/8
  no shutdown
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 45 335,337,401

SW2:
 interface f0/5
  switchport mode private-vlan host
  switchport private-vlan host-association 45 335

SW3/SW4:
 spanning-tree mst configuration
  instance 1 vlan 335,337,401

If the exam task also requires SW1's SVI to be made promiscuous:

SW1:
 interface vlan 45
  ip address YY.YY.45.6 255.255.255.0
  private-vlan mapping add 335,337,401

4.4 Quality of Service 2 Points

1. It appears that some hosts attached to the subnet 197.68.22.0/24 behind BB1 are sending suspicious traffic to multiple devices in OSPF Area 0

2. Configure R1 as per the following requirements

3. Use the Modular QoS CLI

4. Limit only this suspicious traffic to 128kbps per interface

5. Do not police this traffic

6. Use a standard access-list with a single entry, do not use a named access-list

R1:
 access-list 1 permit 197.68.22.0 0.0.0.255
 !
 class-map bb1
  match access-group 1
 !
 policy-map limit_bb1
  class bb1
   shape average 128000
 !
 interface g0/0
  service-policy output limit_bb1
 !
 interface s0/0/1
  service-policy output limit_bb1

4.5 Quality of Services 3 Points

1. Consider that users connected to VLAN 56 are sending traffic that is already marked as follows

2. Control IP precedence 6 or 7

3. Voice IP precedence 5

4. Video IP precedence 4

5. Business IP precedence 3

6. Internet IP precedence 0


7. Configure R5's interface S0/0/1 to share its available bandwidth as per the following requirements

8. Use the Modular QoS CLI and use class names as per the above description (case sensitive)

9. Use the match-all option for all Class-maps

10. Use only the criteria “match ip precedence” for all Class-maps

11. In case of congestion, the Voice traffic must be sent in priority over all other traffic

12. The low latency queue may never use more than 20% of the available bandwidth

13. In case of congestion, reserve 100Kbps of the available 2000Kbps for the control traffic

14. Only in case of congestion the Video traffic may not exceed 30% of the available bandwidth

15. Only in case of congestion the Business traffic may not exceed 30% of the available bandwidth

16. Enable the congestion avoidance mechanism for the Business traffic using a weight factor of 10 for the average queue size calculation

17. The Internet traffic should use the remaining bandwidth with no other guarantee

Note:

1. Kbps=Kilo bits per second


2. Use the first word (case sensitive) of the above traffic description to name your classes (i.e. class Control, class Voice, etc.)

R5:
class-map Control
 match ip precedence 6 7
!
class-map Voice
 match ip precedence 5
!
class-map Video
 match ip precedence 4
!
class-map Business
 match ip precedence 3
!
class-map Internet
 match ip precedence 0
!
policy-map mqc
 class Voice
  priority percent 20
  police cir percent 20
  ! cir: use for the data plane; rate: use for the control plane
 class Control
  bandwidth percent 5
 class Video
  bandwidth percent 30
 class Business
  bandwidth percent 30
  random-detect
  random-detect exponential-weighting-constant 10
 class Internet
!
int s0/0/1
 bandwidth 2000
 max-reserved-bandwidth 100
 service-policy output mqc
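As an added check (not the workbook's code), the following Python works out the guaranteed rate per class for the policy above and shows why the default max-reserved-bandwidth of 75% would reject it on IOS images that enforce that limit, which is the reason for the "max-reserved-bandwidth 100" line.

```python
# Added example (not the workbook's code): checks the policy-map mqc of
# section 4.5 against the S0/0/1 bandwidth and the max-reserved-bandwidth limit.
INTERFACE_KBPS = 2000          # "bandwidth 2000" on S0/0/1

# class -> (kind, percent) as configured in policy-map mqc
POLICY = {
    "Voice": ("priority", 20),     # LLQ, policed to 20% under congestion
    "Control": ("bandwidth", 5),   # 5% of 2000 kbps = the required 100 kbps
    "Video": ("bandwidth", 30),
    "Business": ("bandwidth", 30),
    "Internet": ("remaining", 0),  # no guarantee, uses whatever is left
}

def allocations(policy=POLICY, link_kbps=INTERFACE_KBPS):
    """Guaranteed kbps per class; 'remaining' classes get the leftover."""
    alloc = {c: link_kbps * pct // 100
             for c, (kind, pct) in policy.items() if kind != "remaining"}
    leftover = link_kbps - sum(alloc.values())
    for c, (kind, _) in policy.items():
        if kind == "remaining":
            alloc[c] = leftover
    return alloc

def reserved_percent(policy=POLICY):
    """Sum of priority and bandwidth reservations the policy asks for."""
    return sum(pct for kind, pct in policy.values() if kind != "remaining")

def policy_accepted(policy=POLICY, max_reserved_percent=75):
    """On IOS images that enforce max-reserved-bandwidth (default 75%), a policy
    reserving more than that cannot be attached to the interface."""
    return reserved_percent(policy) <= max_reserved_percent
```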

4.6 First Hop redundancy 3 Points

1. Consider that users are connected to VLAN 500 on both SW1 and SW2


2. Configure HSRP to provide redundancy for the user gateway YY.YY.100.254/24 as per the following requirements

3. The HSRP topology must follow the STP topology (i.e. the default active gateway must be the default root bridge)

4. The active gateway IP address is YY.YY.100.1/24 and the standby gateway IP address is YY.YY.100.2/24

5. Use priority 120 on the active gateway and the default priority on the secondary gateway

6. Both HSRP gateways must authenticate each other using the MD5 password CCIE

7. The standby gateway must take over the active role when the active gateway loses reachability to the BB1 subnet (150.1.YY.0/24)

8. The primary gateway must recover its active role when reachability to the BB1 subnet is restored

9. When 5 Hello packets are missed, the secondary gateway must take over the active role within 1 second

10. Make sure no IGP protocol is running on VLAN 500

SW1:
vlan 500
spanning-tree mst configuration
 instance 2 vlan 500
!
int vlan 500
 no shutdown
 ip address YY.YY.100.2 255.255.255.0
 standby 1 ip YY.YY.100.254
 standby 1 preempt
 standby 1 authentication md5 key-string CCIE
 standby 1 timers msec 200 1


SW2:
vlan 500
spanning-tree mst configuration
 instance 2 vlan 500
!
track 1 ip route 150.1.8.0/24 reachability
!
int vlan 500
 no shutdown
 ip address YY.YY.100.1 255.255.255.0
 standby 1 ip YY.YY.100.254
 standby 1 priority 120
 standby 1 preempt
 standby 1 timers msec 200 1
 standby 1 track 1 decrement 30
 standby 1 authentication md5 key-string CCIE

SW3/SW4:
spanning-tree mst configuration
 instance 2 vlan 500

check:
show track 1
show standby brief
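As an added example (not the workbook's code), a Python model of the HSRP election above with priority, the tracked-object decrement, preempt and the hello/hold timers, so the chosen decrement can be verified to hand the active role over and back; YY.YY is assumed to be 10.10.

```python
# Added example (not the workbook's code): models the HSRP election of section
# 4.6 to check that "standby 1 track 1 decrement 30" on SW2 really lets SW1
# take over, and that SW2 recovers once the route to BB1 is back.
from collections import namedtuple
from ipaddress import ip_address

Gateway = namedtuple("Gateway", "ip priority decrement preempt")

def make_gateways(sw2_decrement=30):
    """Both VLAN 500 SVIs as configured (YY.YY assumed to be 10.10); SW1 keeps
    the default priority 100 and tracks nothing."""
    return {
        "SW2": Gateway("10.10.100.1", 120, sw2_decrement, True),
        "SW1": Gateway("10.10.100.2", 100, 0, True),
    }

def effective_priority(gw, track_down):
    """Priority after the tracked object (route to the BB1 subnet) goes down."""
    return gw.priority - gw.decrement if track_down else gw.priority

def elect(gateways, current_active, tracks_down=()):
    """Return the gateway holding the active role after the next election.
    current_active is None when the active router's hold timer has expired.
    Ties are broken by the higher interface IP address, as HSRP does."""
    def rank(name):
        gw = gateways[name]
        return (effective_priority(gw, name in tracks_down), int(ip_address(gw.ip)))
    best = max(gateways, key=rank)
    if current_active is None or best == current_active:
        return best
    # a better candidate only displaces a live active router if it preempts
    return best if gateways[best].preempt else current_active

def missed_hellos_before_failover(hello_ms=200, hold_s=1):
    """With 'standby 1 timers msec 200 1' the hold time spans 5 hellos."""
    return hold_s * 1000 // hello_ms
```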

4.7 Time-based Access-list 3 Points

1. Configure SW1 and SW2 in order to restrict access for VLAN 500 users as per the following requirements

2. HTTP (from any user workstation to any remote server) is not allowed during office hours (from 09:00 to 16:59, Monday to Friday)

3. FTP (from any user workstation to any remote server) is allowed only every night for backup between 22:00 and 23:59 and is not allowed at any other time

4. UDP traffic is allowed only outside the office hours (every day from 17:00 to 8:59)

5. Any required control traffic must be allowed at any time and the ACL entry(-ies) must be as specific as possible (i.e. specify the Layer 4 protocol with the correct port number on the destination)

6. Sources in all ACL entries must be explicitly configured to YY.YY.100.0/24

SW1/SW2:
time-range worktime
 periodic weekdays 09:00 to 16:59

time-range everyday-udp
 periodic daily 9:00 to 16:59

time-range ftp
 periodic daily 00:00 to 21:59

!
ip access-list extended t_acl
 permit udp y.y.100.0 0.0.0.255 host 224.0.0.2 eq 1985
 deny tcp y.y.100.0 0.0.0.255 any eq www time-range worktime
 deny tcp y.y.100.0 0.0.0.255 any eq ftp time-range ftp
 deny udp y.y.100.0 0.0.0.255 any time-range everyday-udp
 permit ip y.y.100.0 0.0.0.255 any

!
interface vlan 500
 ip access-group t_acl in
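As an added check (not the workbook's code), a Python evaluator for the t_acl time-based ACL above, applied to constructed packets at different times, so each window (HTTP on weekdays, the FTP backup window, UDP outside office hours and the always-permitted HSRP hellos) can be verified; YY.YY is assumed to be 10.10.

```python
# Added example (not the workbook's code): evaluates the t_acl time-based ACL of
# section 4.7 against constructed packets. An entry whose time-range is not
# active is skipped, exactly as IOS treats it. YY.YY is assumed to be 10.10.
from datetime import datetime
from ipaddress import ip_address, ip_network

USERS = ip_network("10.10.100.0/24")

# time-range name -> (kind, start, end); the end minute is inclusive, as in IOS
TIME_RANGES = {
    "worktime": ("weekdays", (9, 0), (16, 59)),
    "everyday-udp": ("daily", (9, 0), (16, 59)),
    "ftp": ("daily", (0, 0), (21, 59)),
}

def time_range_active(name, when):
    kind, start, end = TIME_RANGES[name]
    if kind == "weekdays" and when.weekday() > 4:   # Monday=0 ... Friday=4
        return False
    return start <= (when.hour, when.minute) <= end

# ACL entries in order: (action, protocol, dst host, dst port, time-range)
ACL = [
    ("permit", "udp", "224.0.0.2", 1985, None),     # HSRP hellos, at any time
    ("deny", "tcp", None, 80, "worktime"),          # www during office hours
    ("deny", "tcp", None, 21, "ftp"),               # ftp outside the backup window
    ("deny", "udp", None, None, "everyday-udp"),    # other UDP in office hours
    ("permit", "ip", None, None, None),
]

def evaluate(src, proto, dst, dport, when_iso):
    """First-match evaluation of t_acl for one packet at time when_iso
    (ISO 8601 string); a packet matching nothing hits the implicit deny."""
    when = datetime.fromisoformat(when_iso)
    if ip_address(src) not in USERS:
        return "deny"          # every entry names YY.YY.100.0/24 as the source
    for action, p, dst_host, dst_port, tr in ACL:
        if p != "ip" and p != proto:
            continue
        if dst_host is not None and dst_host != dst:
            continue
        if dst_port is not None and dst_port != dport:
            continue
        if tr is not None and not time_range_active(tr, when):
            continue
        return action
    return "deny"
```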

5.1 Network Management 3 Points

1. Configure SNMP version 3 for the group “admin” on R1 as per the following requirements

2. Location is “San, Josie, US”, and the contact is [email protected]

3. The “admin” group’s read privilege must be called “adminview” and must include the ISO MIB family

4. The “admin” group’s write privilege must be called “adminwrite” and must include the system MIB family

5. The strongest security mechanism must be employed when handling SNMP packets for any user belonging to the “admin” group

6. User “ccie” must be part of the “admin” group and can only connect with SNMPv3 using the MD5 password “cisco”

7. Members of the “admin” group can connect only from VLAN 17’s subnet YY.YY.17.0/24

8. Configure SNMPv2c for the “nms” servers connected from VLAN 67’s subnet YY.YY.67.0/24

9. All traps must be sourced from the Loopback0 interface

10. If needed, use standard Access-lists only

Note: Location, Group, User, View and Community names are all case-sensitive (all without quotation marks!)

R1:
access-list 10 permit YY.YY.17.0 0.0.0.255
access-list 11 permit YY.YY.67.0 0.0.0.255
!
snmp-server group nms v2c access 11
snmp-server location San, Josie, US
snmp-server contact [email protected]
snmp-server group admin v3 auth
snmp-server group admin v3 priv match exact read adminview write adminwrite access 10
snmp-server view adminview iso included
snmp-server view adminwrite system included
snmp-server user ccie admin v3 auth md5 cisco priv aes 256 cisco
snmp-server trap-source loopback0

5.2 Network optimization 3 Points

1. Configure Netflow version 9 on R1 on the interface connected to BB1 as per the following requirements

2. R1 must export a Netflow sample for every 1000 packets in both directions

3. Export the flow accounting information to server YY.YY.56.100 using the full reliable export mode on port 2222

4. In case the server fails, R1 should export the same flow accounting information to YY.YY.17.100 using the same protocol and port

5. Do not use any service-policy to configure these requirements

R1:
ip cef
ip flow-export version 9
ip flow-export destination YY.YY.56.100 2222 sctp
 reliability full
 backup destination YY.YY.17.100 2222
 backup mode fail-over
!
flow-sampler-map sample1k
 mode random one-out-of 1000
!
interface gi0/1
 no ip route-cache flow
 ip route-cache cef
 flow-sampler sample1k
 flow-sampler sample1k egress

check:
show flow-sampler
show ip flow export sctp verbose

CCIE study group QQ group number:

235877260

You are welcome to join the discussion; if you find a better solution, please do not hesitate to share it.

Thanks to ricky chan, joyce and Kai Fang for their assistance in all areas.

TS1++ and TS2++ are also coming soon; stay tuned.