k8 solution art


Upload: coolboyasif

Post on 01-Jan-2016


Page 1: k8 Solution Art

ARTOR K8 Solution reference from certcollection.

sh run | i cef|guard|snooping|access-map|arp|portfast|filter|block|protected|tcp|nrzi

============================

SECTION 1-1.1,1.2,1.3,1.4,1.5,1.6

SW1

conf t

! SW1 is the VTP server for domain CCIE; the other switches in this listing join
! the same domain as clients with the same password.
vtp mode server

vtp domain CCIE

! NOTE(review): the VTP password is the only thing authenticating VTP
! advertisements, and "cisco" is trivially guessable. Outside a lab use a strong
! secret. The listing switches all four switches to transparent mode afterwards.
vtp password cisco

vtp version 2

vlan 16

name VLAN_16_R1toSW1

vlan 18

name VLAN_18_R1toSW3

vlan 28

name VLAN_28_R2toSW3

vlan 36

name VLAN_36_R3toSW1

vlan 45

name VLAN_45_R4toR5

vlan 68

name VLAN_68_SW1toSW3

vlan 69

name VLAN_69_SW1toSW4

Page 2: k8 Solution Art

vlan 89

name VLAN_89_SW3toSW4

vlan 100

name VLAN_100_BB1

vlan 200

name VLAN_200_BB2

vlan 300

name VLAN_300_BB3

vlan 500

name VLAN_500_Client

vlan 999

name Unused_Ports

! Baseline hardening: park every edge port as a static access port in the
! dedicated Unused_Ports VLAN (999) and shut it down. The stanzas that follow
! re-enable only the ports that are actually used.
int range e0/0-3,e1/0-3,e2/0-1

sw acc vlan 999

sw mode acc

shut

exit

int e2/0

sw access vlan 100

sw mode access

no shut

int e0/1

sw access vlan 18

Page 3: k8 Solution Art

sw mode access

no shut

int e0/2

sw access vlan 28

sw mode access

no shut

int e0/3

sw access vlan 36

sw mode access

no shut

int e1/0

sw access vlan 100

sw mode access

no shut

int e1/1

sw access vlan 200

sw mode access

no shut

int vlan 36

ip address 10.28.36.6 255.255.255.0

no shut

int vlan 16

ip address 10.28.16.6 255.255.255.0

no shut

Page 4: k8 Solution Art

int vlan 68

ip address 10.28.68.6 255.255.255.0

no shut

int vlan 69

ip address 10.28.69.6 255.255.255.0

no shut

exit

! Inter-switch links: static 802.1Q trunks.
int range e2/2-3,e3/0-3

no sw access vlan 999

sw trunk encap dot1q

sw mode trunk

! Native VLAN stays at VLAN 1; see the global "vlan dot1q tag native" below.
sw trunk native vlan 1

! Disables DTP, so a neighbour cannot negotiate the trunk state on these ports.
sw nonegotiate

no shut

exit

! Global: tag native-VLAN frames on trunks as well. This is the usual mitigation
! for double-tagging VLAN hopping when the native VLAN is left at its default.
vlan dot1q tag native

int range e2/2-3

channel-group 14 mode active

int range e3/2-3

channel-group 13 mode active

int range e3/0-1

channel-group 12 mode active

Page 5: k8 Solution Art

exit

port-channel load-balance src-dst-mac

spanning-tree mode rapid-pvst

spanning-tree vlan 1-4094 root primary

! e2/0 is the access port in VLAN 100 (BB1) configured earlier in this section.
int e2/0

spanning-tree bpduguard disable

! NOTE(review): interface-level BPDU filter stops the port from sending BPDUs and
! makes it ignore received ones, so spanning tree cannot detect a loop through
! this port. Presumably required to isolate STP from the backbone; confirm
! against the task before reusing this on a production edge port.
spanning-tree bpdufilter enable

exit

! e0/1 and e0/2 are the access ports placed in VLANs 18 and 28 above.
int range e0/1-2

sw port-security

! One learned MAC per port; a second source MAC is a violation.
sw port-security maximum 1

! Sticky entries are written to the running configuration; they survive a reload
! only if the configuration is saved.
sw port-security mac-address sticky

! A violation err-disables the port until it is recovered.
sw port-security violation shutdown

exit

SW2

conf t

vtp mode client

vtp domain CCIE

vtp password cisco

vtp version 2

int range e0/0-3,e1/0-3,e2/0-1

sw acc vlan 999

Page 6: k8 Solution Art

sw mode acc

shut

exit

int e2/0

sw access vlan 200

sw mode access

no shut

int e0/1

sw access vlan 16

sw mode access

no shut

int e0/2

no switchport

ip address 172.16.27.7 255.255.255.0

no shut

int e0/3

no switchport

ip address 172.16.37.7 255.255.255.0

no shut

int e1/0

sw access vlan 45

sw mode access

no shut

int e1/1

Page 7: k8 Solution Art

sw access vlan 45

sw mode access

no shut

int range e2/2-3,e3/0-3

no sw access vlan 999

sw trunk encap dot1q

sw mode trunk

sw trunk native vlan 1

sw nonegotiate

no shut

exit

vlan dot1q tag native

int range e2/2-3

channel-group 23 mode active

int range e3/2-3

channel-group 24 mode active

int range e3/0-1

channel-group 12 mode active

exit

port-channel load-balance src-dst-mac

spanning-tree mode rapid-pvst

spanning-tree vlan 1-4094 root secondary

Page 8: k8 Solution Art

int e2/0

spanning-tree bpduguard disable

spanning-tree bpdufilter enable

exit

SW3

conf t

vtp mode client

vtp domain CCIE

vtp password cisco

vtp version 2

int range e0/0-3,e1/0-3,e2/0-1

sw acc vlan 999

sw mode acc

shut

exit

int e2/0

sw access vlan 3

no shut

exit

int vlan 68

ip add 10.28.68.8 255.255.255.0

Page 9: k8 Solution Art

no shut

int vlan 89

ip add 10.28.89.8 255.255.255.0

no shut

int vlan 500

ip add 10.28.188.8 255.255.255.0

no shut

int vlan 18

ip add 10.8.18.8 255.255.255.0

no shut

int vlan 28

ip add 10.8.28.8 255.255.255.0

no shut

int range e2/2-3,e3/0-3

no sw access vlan 999

sw trunk encap dot1q

sw mode trunk

sw trunk native vlan 1

sw nonegotiate

no shut

exit

vlan dot1q tag native

Page 10: k8 Solution Art

int range e2/2-3

channel-group 23 mode active

int range e3/2-3

channel-group 13 mode active

int range e3/0-1

channel-group 34 mode active

exit

port-channel load-balance src-dst-mac

spanning-tree mode rapid-pvst

int e2/0

spanning-tree bpduguard disable

spanning-tree bpdufilter enable

exit

SW4

conf t

vtp mode client

vtp domain CCIE

vtp password cisco

vtp version 2

int range e0/0-3,e1/0-3,e2/0-1

sw acc vlan 999

sw mode acc

shut

Page 11: k8 Solution Art

exit

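! Client-facing access ports in VLAN 500.
int range e0/1-3,e1/0-1

sw access vlan 500

sw mode access

! Fixed typo: the listing had "spanning-tree porfast", which IOS rejects because
! it is not a prefix of "portfast".
spanning-tree portfast

! Protected ports do not forward traffic to other protected ports on the same
! switch, which isolates the clients from each other at layer 2.
sw protected

! Do not flood unknown unicast or unknown multicast frames out of these ports.
sw block unicast

sw block multicast

no shut

exit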

int vlan 300

ip add 150.3.8.1 255.255.255.0

no shut

int range e2/2-3,e3/0-3

no sw access vlan 999

sw trunk encap dot1q

sw mode trunk

sw trunk native vlan 1

sw nonegotiate

no shut

exit

vlan dot1q tag native

Page 12: k8 Solution Art

int range e2/2-3

channel-group 14 mode active

int range e3/2-3

channel-group 24 mode active

int range e3/0-1

channel-group 34 mode active

exit

port-channel load-balance src-dst-mac

spanning-tree mode rapid-pvst

SW1/SW2,SW3,SW4

vtp mode transparent

=============================================

1.7 Frame-relay with frame-relay ipv6,mpls and multicast config for interfaces

R3

conf t

ip cef

ipv6 unicast-routing

ipv6 cef

ip multicast-routing

mpls ldp router-id lo 0

mpls label protocol ldp

int s1/0

encapsulation ppp

Page 13: k8 Solution Art

mpls ip

ip pim sparse-mode

exit

int e0/0

ip pim sparse-mode

exit

R5

conf t

ip cef

ipv6 unicast-routing

ipv6 cef

ip multicast-routing

mpls ldp router-id lo 0

mpls label protocol ldp

frame-relay switching

int s1/0

encapsulation frame-relay

no frame-relay inverse-arp

clock rate 128000

frame-relay intf-type dce

no shut

exit

int s1/0.100

frame-relay interface-dlci 100

mpls ip

Page 14: k8 Solution Art

ip pim sparse-mode

int s1/0.8

frame-relay interface-dlci 18

mpls ip

ip pim sparse-mode

int s1/1

encapsulation ppp

mpls ip

ip pim sparse-mode

exit

int e0/1

ip pim sparse-mode

mpls ip

exit

R1

conf t

ip cef

ipv6 unicast-routing

ipv6 cef

ip multicast-routing

mpls ldp router-id lo 0

mpls label protocol ldp

Page 15: k8 Solution Art

int s1/1

encapsulation frame-relay

no frame-relay inverse-arp

no shut

exit

int s1/1.100

frame-relay interface-dlci 100

mpls ip

ip pim sparse-mode

int s1/1.8

frame-relay interface-dlci 18

mpls ip

ip pim sparse-mode

int s1/0

encapsulation frame-relay

no frame-relay inverse-arp

ipv6 address FE80::14 link-local

frame-relay map ip 10.8.14.4 200 broadcast

frame-relay map ip 10.8.14.1 200

frame-relay map ipv6 2001:8:8:14::1 200

frame-relay map ipv6 2001:8:8:14::4 200 broadcast

frame-relay map ipv6 FE80::41 200 broadcast

ip pim sparse-mode

mpls ip

Page 16: k8 Solution Art

no shut

exit

int e0/1

ip pim sparse-mode

exit

int e0/0

ip pim sparse-mode

exit

R4

conf t

ip cef

ipv6 unicast-routing

ipv6 cef

ip multicast-routing

mpls ldp router-id lo 0

mpls label protocol ldp

frame-relay switching

int s1/1

encapsulation frame-relay

no frame-relay inverse-arp

clock rate 128000

frame-relay intf-type dce

ipv6 address FE80::42 link-local

frame-relay map ip 10.8.24.2 28 broadcast

Page 17: k8 Solution Art

frame-relay map ip 10.8.24.4 28

frame-relay map ipv6 2001:8:8:24::4 28

frame-relay map ipv6 2001:8:8:24::2 28 broadcast

frame-relay map ipv6 FE80::24 28 broadcast

ip pim sparse-mode

mpls ip

no shut

exit

int s1/0

encapsulation frame-relay

no frame-relay inverse-arp

clock rate 128000

frame-relay intf-type dce

ipv6 address FE80::41 link-local

frame-relay map ip 10.8.14.1 200 broadcast

frame-relay map ip 10.8.14.4 200

frame-relay map ipv6 2001:8:8:14::4 200

frame-relay map ipv6 2001:8:8:14::1 200 broadcast

frame-relay map ipv6 FE80::14 200 broadcast

ip pim sparse-mode

mpls ip

no shut

exit

int e0/1

Page 18: k8 Solution Art

ip pim sparse-mode

mpls ip

R2

conf t

ip cef

ipv6 unicast-routing

ipv6 cef

ip multicast-routing

mpls ldp router-id lo 0

mpls label protocol ldp

int s1/0

encapsulation frame-relay

no frame-relay inverse-arp

ipv6 address FE80::24 link-local

frame-relay map ip 10.8.24.4 28 broadcast

frame-relay map ip 10.8.24.2 28

frame-relay map ipv6 2001:8:8:24::2 28

frame-relay map ipv6 2001:8:8:24::4 28 broadcast

frame-relay map ipv6 FE80::42 28 broadcast

ip pim sparse-mode

mpls ip

no shut

exit

int e0/0

Page 19: k8 Solution Art

ip pim sparse-mode

===================================================

SECTION 2 IGP

2.1,2.2,2.3,2.4,2.5

SW1

conf t

sdm prefer dual-ipv4-and-ipv6 default

ip routing

ip multicast-routing

router ospf 100

router-id 18.6.6.6

network 18.6.6.6 0.0.0.0 area 0

network 10.28.68.6 0.0.0.0 area 0

network 10.28.16.6 0.0.0.0 area 1

network 10.28.36.6 0.0.0.0 area 1

area 1 nssa default-information-originate

default-information originate always

area 0 filter-list prefix VLAN500 out

exit

ip prefix-list VLAN500 deny 10.28.188.0/24

ip prefix-list VLAN500 permit 0.0.0.0/0 le 32

int vlan 16

Page 20: k8 Solution Art

ip ospf priority 255

int vlan 36

ip ospf priority 255

int vlan 68

ip ospf priority 255

exit

router rip

version 2

no auto-summary

passive-interface default

no passive-interface vlan 69

network 10.28.69.0

redistribute ospf 100 metric 5

exit

SW3

conf t

sdm prefer dual-ipv4-and-ipv6 default

ip routing

ip multicast-routing

router ospf 100

router-id 18.8.8.8

passive-interface vlan 500

network 18.8.8.8 0.0.0.0 area 0

network 10.28.68.8 0.0.0.0 area 0

Page 21: k8 Solution Art

network 10.28.188.8 0.0.0.255 area 500

area 0 filter-list prefix VLAN500 out

exit

ip prefix-list VLAN500 deny 10.28.188.0/24

ip prefix-list VLAN500 permit 0.0.0.0/0 le 32

router eigrp 8

no auto-summary

network 10.8.18.8 0.0.0.0

network 10.8.28.8 0.0.0.0

exit

router rip

version 2

no auto-summary

passive-interface default

no passive-interface vlan 89

network 10.28.89.0

exit

SW4

conf t

ip routing

router eigrp 100

no auto-summary

Page 22: k8 Solution Art

network 150.3.8.0 0.0.0.255

redistribute rip metric 1544 20000 1 255 1500

exit

router rip

version 2

no auto-summary

passive-interface default

no passive-interface vlan 89

no passive-interface vlan 69

network 18.9.9.9

network 10.28.89.0

network 10.28.69.0

redistribute eigrp 100 metric 5

exit

R1

conf t

router ospf 100

router-id 18.1.1.1

network 18.1.1.1 0.0.0.0 area 1

network 10.28.16.1 0.0.0.0 area 1

network 10.28.15.1 0.0.0.255 area 1

area 1 nssa

exit

int e0/1

Page 23: k8 Solution Art

ip ospf priority 0

exit

router eigrp 8

no auto-summary

network 10.8.18.1 0.0.0.0

network 10.8.14.1 0.0.0.0

network 10.8.15.1 0.0.0.0

distance eigrp 90 100

exit

access-list 2 permit host 18.2.2.2

R3

conf t

router ospf 100

router-id 18.3.3.3

network 18.3.3.3 0.0.0.0 area 1

network 10.28.36.3 0.0.0.0 area 1

network 10.28.35.3 0.0.0.255 area 1

area 1 nssa

exit

int e0/0

ip ospf priority 0

exit

Page 24: k8 Solution Art

R5

conf t

router ospf 100

router-id 18.5.5.5

network 18.5.5.5 0.0.0.0 area 1

network 10.28.35.5 0.0.0.0 area 1

network 10.28.15.5 0.0.0.255 area 1

area 1 nssa

redistribute eigrp 8 subnets

exit

router eigrp 8

no auto-summary

network 10.8.45.5 0.0.0.0

network 10.8.15.5 0.0.0.0

redistribute ospf 100 metric 1544 2000 1 255 1500

exit

int e0/1

delay 10000

exit

int s1/0.100

ip ospf cost 1000

exit

Page 25: k8 Solution Art

R4

conf t

router eigrp 8

no auto-summary

network 18.4.4.4 0.0.0.0

network 10.8.45.4 0.0.0.0

network 10.8.14.4 0.0.0.0

network 10.8.24.4 0.0.0.0

exit

int e0/1

delay 10000

exit

R2

conf t

router eigrp 8

no auto-summary

network 18.2.2.2 0.0.0.0

network 10.8.28.2 0.0.0.0

network 10.8.24.2 0.0.0.0

exit

================

tclsh

foreach address {

10.8.14.1

Page 26: k8 Solution Art

10.8.15.1

10.8.18.1

10.28.15.1

10.28.16.1

18.1.1.1

10.8.24.2

10.8.28.2

18.2.2.2

10.28.35.3

10.28.36.3

18.3.3.3

10.8.14.4

10.8.24.4

10.8.45.4

18.4.4.4

10.8.15.5

10.8.45.5

10.28.15.5

10.28.35.5

18.5.5.5

10.28.16.6

10.28.36.6

10.28.68.6

10.28.69.6

18.6.6.6

Page 27: k8 Solution Art

10.8.18.8

10.8.28.8

10.28.68.8

10.28.89.8

10.28.188.8

18.8.8.8

10.28.69.9

10.28.89.9

18.9.9.9

150.3.8.1

150.3.8.254

} {ping $address}

========================

2.6 BGP

SW1/SW3/R2/R4/R5/R3

! Template applied to every route-reflector client named in the heading above.
conf t

router bgp 8

! Sessions carry no address family until activated explicitly.
no bgp default ipv4-unicast

! NOTE(review): "18." is an incomplete placeholder. Complete it with the
! device's own router ID; the other sections of this listing use the 18.x.x.x
! value for each device.
bgp router-id 18.

! iBGP session to R1 (18.1.1.1), sourced from Loopback0.
neighbor 18.1.1.1 remote-as 8

neighbor 18.1.1.1 update-source lo 0

Page 28: k8 Solution Art

! This side only accepts the TCP session; the R1 stanza that follows sets
! connection-mode active for each client.
neighbor 18.1.1.1 transport connection-mode passive

! Enables TCP MD5 authentication on the BGP session.
! NOTE(review): "cisco" is a guessable shared key and is used for every neighbor
! in this listing. Use a strong, per-peer key outside a lab.
neighbor 18.1.1.1 password cisco

address-family ipv4

neighbor 18.1.1.1 activate

R1

neighbor 18.2.2.2 remote-as 8

neighbor 18.2.2.2 update-source lo 0

neighbor 18.2.2.2 transport connection-mode active

neighbor 18.2.2.2 password cisco

neighbor 18.3.3.3 remote-as 8

neighbor 18.3.3.3 update-source lo 0

neighbor 18.3.3.3 transport connection-mode active

neighbor 18.3.3.3 password cisco

neighbor 18.4.4.4 remote-as 8

neighbor 18.4.4.4 update-source lo 0

neighbor 18.4.4.4 transport connection-mode active

neighbor 18.4.4.4 password cisco

neighbor 18.5.5.5 remote-as 8

neighbor 18.5.5.5 update-source lo 0

neighbor 18.5.5.5 transport connection-mode active

neighbor 18.5.5.5 password cisco

neighbor 18.6.6.6 remote-as 8

neighbor 18.6.6.6 update-source lo 0

neighbor 18.6.6.6 transport connection-mode active

Page 29: k8 Solution Art

neighbor 18.6.6.6 password cisco

neighbor 18.8.8.8 remote-as 8

neighbor 18.8.8.8 update-source lo 0

neighbor 18.8.8.8 transport connection-mode active

neighbor 18.8.8.8 password cisco

address-family ipv4

neighbor 18.2.2.2 activate

neighbor 18.2.2.2 route-reflector-client

neighbor 18.3.3.3 activate

neighbor 18.3.3.3 route-reflector-client

neighbor 18.4.4.4 activate

neighbor 18.4.4.4 route-reflector-client

neighbor 18.5.5.5 activate

neighbor 18.5.5.5 route-reflector-client

neighbor 18.6.6.6 activate

neighbor 18.6.6.6 route-reflector-client

neighbor 18.8.8.8 activate

neighbor 18.8.8.8 route-reflector-client

Page 30: k8 Solution Art

exit

2.7 Advanced BGP

R4

conf t

router bgp 8

neighbor 150.1.8.254 remote-as 254

neighbor 150.1.8.254 route-map LP in

address-family ipv4

neighbor 150.1.8.254 activate

neighbor 18.1.1.1 next-hop-self

exit

route-map LP permit 10

set local-preference 200

exit

R5

conf t

router bgp 8

neighbor 150.2.8.254 remote-as 254

address-family ipv4

neighbor 150.2.8.254 activate

neighbor 18.1.1.1 next-hop-self

exit

Page 31: k8 Solution Art

SW4

conf t

router bgp 144

bgp router-id 18.9.9.9

neighbor 10.28.69.6 remote-as 8

neighbor 10.28.89.8 remote-as 8

maximum-paths 2

exit

SW1

conf t

router bgp 8

neighbor 10.28.69.9 remote-as 144

address-family ipv4

neighbor 10.28.69.9 activate

exit

SW3

conf t

router bgp 8

neighbor 10.28.89.9 remote-as 144

address-family ipv4

neighbor 10.28.89.9 activate

exit

Page 32: k8 Solution Art

==========================================

2.8 MPLS

Note: the MPLS interface configuration was already done in Section 1.7

SW2

conf t

ip routing

ip cef

ip vrf SITE1

rd 3:3

ip vrf SITE2

rd 2:2

exit

int lo 71

ip vrf forwarding SITE1

ip add 71.71.71.71 255.255.255.255

exit

int e0/3

ip vrf forwarding SITE1

ip add 172.16.37.7 255.255.255.0

no shut

exit

int lo 72

ip vrf forwarding SITE2

Page 33: k8 Solution Art

ip add 72.72.72.72 255.255.255.255

exit

int e0/2

ip vrf forwarding SITE2

ip add 172.16.27.7 255.255.255.0

no shut

exit

router bgp 777

bgp router-id 18.7.7.7

address-family ipv4 vrf SITE1

network 71.71.71.71 mask 255.255.255.255

network 172.16.37.0 mask 255.255.255.0

neighbor 172.16.37.3 remote-as 8

neighbor 172.16.37.3 activate

exit

address-family ipv4 vrf SITE2

network 72.72.72.72 mask 255.255.255.255

network 172.16.27.0 mask 255.255.255.0

neighbor 172.16.27.2 remote-as 8

neighbor 172.16.27.2 activate

exit

Page 34: k8 Solution Art

R3

conf t

mpls ldp explicit-null

ip vrf SITE1

rd 3:3

route-target both 3:3

route-target import 2:2

exit

int e0/1

ip vrf forwarding SITE1

ip add 172.16.37.3 255.255.255.0

no shut

router bgp 8

neighbor 18.5.5.5 remote-as 8

neighbor 18.5.5.5 update-source lo 0

address-family vpnv4

neighbor 18.5.5.5 activate

neighbor 18.5.5.5 send-community extended

address-family ipv4 vrf SITE1

Page 35: k8 Solution Art

neighbor 172.16.37.7 remote-as 777

neighbor 172.16.37.7 activate

neighbor 172.16.37.7 as-override

exit

R2

conf t

mpls ldp explicit-null

ip vrf SITE2

rd 2:2

route-target both 2:2

route-target import 3:3

exit

int e0/1

ip vrf forwarding SITE2

ip add 172.16.27.2 255.255.255.0

no shut

router bgp 8

neighbor 18.5.5.5 remote-as 8

neighbor 18.5.5.5 update-source lo 0

address-family vpnv4

neighbor 18.5.5.5 activate

Page 36: k8 Solution Art

neighbor 18.5.5.5 send-community extended

address-family ipv4 vrf SITE2

neighbor 172.16.27.7 remote-as 777

neighbor 172.16.27.7 activate

neighbor 172.16.27.7 as-override

exit

R5

conf t

router bgp 8

neighbor 18.2.2.2 remote-as 8

neighbor 18.2.2.2 update-source lo 0

neighbor 18.3.3.3 remote-as 8

neighbor 18.3.3.3 update-source lo 0

address-family vpnv4

neighbor 18.2.2.2 activate

neighbor 18.3.3.3 activate

neighbor 18.2.2.2 route-reflector-client

neighbor 18.3.3.3 route-reflector-client

exit

================================

2.9 & 2.10 ipv6 addressing

Note: the IPv6 frame-relay configuration was already done in Section 1.7

SW1

conf t

Page 37: k8 Solution Art

ipv6 unicast-routing

ipv6 cef

ipv6 router ospf 100

router-id 18.6.6.6

exit

int lo 0

ipv6 address 2001:28:8:6::6/128

ipv6 ospf 100 area 0

exit

int vlan 68

ipv6 address 2001:28:8:68::6/64

ipv6 ospf 100 area 0

exit

SW3

conf t

ipv6 unicast-routing

ipv6 cef

ipv6 router ospf 100

router-id 18.8.8.8

redistribute eigrp 8

redistribute connected

exit

ipv6 router eigrp 8

router-id 18.8.8.8

Page 38: k8 Solution Art

redistribute ospf 100 metric 10000 2000 255 1 1500

redistribute connected metric 10000 2000 255 1 1500

no shut

exit

int lo 0

ipv6 address 2001:28:8:8::8/128

ipv6 ospf 100 area 0

exit

int vlan 68

ipv6 address 2001:28:8:68::8/64

ipv6 ospf 100 area 0

exit

int vlan 18

ipv6 address 2001:8:8:18::8/64

ipv6 eigrp 8

exit

int vlan 28

ipv6 address 2001:8:8:28::8/64

ipv6 eigrp 8

exit

R2

conf t

ipv6 router eigrp 8

router-id 18.2.2.2

Page 39: k8 Solution Art

no shut

exit

int lo 0

ipv6 eigrp 8

int e0/0

ipv6 eigrp 8

int s1/0

ipv6 eigrp 8

R4

conf t

ipv6 router eigrp 8

router-id 18.4.4.4

no shut

exit

int lo 0

ipv6 eigrp 8

int e0/1

ipv6 eigrp 8

int s1/0

ipv6 eigrp 8

int s1/1

ipv6 eigrp 8

Page 40: k8 Solution Art

R1

conf t

ipv6 router eigrp 8

router-id 18.1.1.1

no shut

exit

int lo 0

ipv6 eigrp 8

int e0/0

ipv6 eigrp 8

int s1/0

ipv6 eigrp 8

int s1/1.8

ipv6 eigrp 8

exit

int tunnel 13

ipv6 address 2001:13:13:13::1/64

tunnel source lo 0

tunnel destination 18.3.3.3

ipv6 eigrp 8

exit

R5

conf t

ipv6 router eigrp 8

Page 41: k8 Solution Art

router-id 18.5.5.5

no shut

exit

int lo 0

ipv6 eigrp 8

int e0/1

ipv6 eigrp 8

int s1/0.8

ipv6 eigrp 8

exit

R3

conf t

ipv6 router eigrp 8

router-id 18.3.3.3

no shut

exit

int lo 0

ipv6 eigrp 8

int tunnel 13

ipv6 address 2001:13:13:13::3/64

tunnel source lo 0

tunnel destination 18.1.1.1

ipv6 eigrp 8

exit

Page 42: k8 Solution Art

=========================

SECTION 3

3.1 Multicast

Note: all the remaining interfaces were already configured in Section 1.7

SW1

! Enable multicast routing and PIM sparse mode on SW1's loopback and SVIs.
conf t

ip multicast-routing

int lo 0

ip pim sparse-mode

int vlan 16

ip pim sparse-mode

int vlan 36

ip pim sparse-mode

int vlan 68

ip pim sparse-mode

! NOTE(review): "ip pim dr-priority" needs a numeric value. The listing omits it,
! so this line is incomplete as written; take the value from the task.
ip pim dr-priority

SW3

conf t

ip multicast-routing

int lo 0

ip pim sparse-mode

int vlan 18

ip pim sparse-mode

Page 43: k8 Solution Art

int vlan 28

ip pim sparse-mode

int vlan 68

ip pim sparse-mode

int vlan 500

ip pim sparse-mode

exit

R3

conf t

int lo 1

ip add 200.100.100.100 255.255.255.255

no shut

exit

router ospf 100

network 200.100.100.100 0.0.0.0 area 1

exit

ip msdp peer 18.2.2.2 connect-source lo 0

ip msdp originator-id lo 0

ip pim bsr-candidate lo 1

ip pim rp-candidate lo 1

exit

R2

conf t

int lo 1

Page 44: k8 Solution Art

ip add 200.100.100.100 255.255.255.255

no shut

exit

router eigrp 8

network 200.100.100.100 0.0.0.0

exit

ip msdp peer 18.3.3.3 connect-source lo 0

ip msdp originator-id lo 0

ip pim bsr-candidate lo 1

ip pim rp-candidate lo 1

exit

R4

conf t

int e0/1

ip igmp join-group 232.1.1.1

exit

do wr

int lo 0

ip pim sparse-mode

exit

3.2 Advanced multicasting

R2/R3

conf t

access-list 10 permit host 232.1.1.1

access-list 100 permit ip 10.28.68.0 0.0.0.255 host 232.1.1.1

Page 45: k8 Solution Art

ip pim rp-candidate lo 1 group-list 10

ip pim accept-register list 100

================================

SECTION 4

4.1 FIRST HOP REDUNDANCY

R4

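! R4: GLBP group 0 on e0/1 with virtual gateway 10.8.45.1.
conf t

int e0/1

glbp 0 ip 10.8.45.1

! Fixed: the listing had "load-balance" here. The keyword is "load-balancing",
! as used in the R5 stanza for the same group.
glbp 0 load-balancing weighted

! R4 weighting 150 against R5 weighting 50.
glbp 0 weighting 150

glbp 0 preempt

! MD5 authentication of GLBP hellos; the key must match on both routers.
! NOTE(review): the key-string is entered in cleartext here. Treat it as a
! secret and do not reuse a lab value such as this one.
glbp 0 authentication md5 key-string CCIE123

exit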

R5

conf t

int e0/1

glbp 0 ip 10.8.45.1

glbp 0 load-balancing weighted

glbp 0 weighting 50

glbp 0 preempt

glbp 0 authentication md5 key-string CCIE123

exit

4.2 LAYER 2 SECURITY

SW3

Page 46: k8 Solution Art

! VLAN access map (VACL) for VLAN 500: forward only the IP traffic matched by
! ACL FILTER.
conf t

! Each service is matched in both directions (destination port, then source port).
ip access-list extended FILTER

permit tcp any any eq smtp

permit tcp any eq smtp any

permit tcp any any eq www

permit tcp any eq www any

! DNS is matched over UDP only; DNS over TCP is not permitted by this ACL.
permit udp any any eq domain

permit udp any eq domain any

permit icmp any any

exit

! NOTE(review): this map has a single "forward" sequence and no catch-all, so IP
! traffic in VLAN 500 that FILTER does not match falls to the map's implicit
! drop. That would include any other IP protocol needed on this VLAN (for
! example DHCP, or the PIM enabled on interface vlan 500 earlier); verify that
! this is intended.
vlan access-map BLOCK 10

action forward

match ip address FILTER

exit

vlan filter BLOCK vlan-list 500

4.3 IMPLEMENTATION SSH

R5

! Local accounts and SSH server prerequisites on R5.
conf t

! NOTE(review): "password 0" stores the password in cleartext in the
! configuration, and this account is privilege 15. Prefer "secret" (stored
! hashed) unless the task explicitly requires the "password" form.
username admin privilege 15 password 0 ccie

username guest password 0 cisco

! A domain name is needed before the RSA key pair can be generated.
ip domain name ccie.com

ip ssh version 2

ip ssh maxstartup 16

Page 47: k8 Solution Art

! NOTE(review): with no modulus given, IOS prompts for the key size, so pasting
! this listing feeds the next line into that prompt. SSH version 2 also needs a
! key of at least 768 bits. Giving the size explicitly, for example
! "crypto key generate rsa modulus 2048", avoids both problems.
crypto key generate rsa

line con 0

! NOTE(review): this removes local-username login from the console. Whether the
! console is still authenticated depends on configuration not shown here.
no login local

line vty 0 4

login local

! The second "transport input" replaces the first; the net result is SSH only,
! with Telnet disabled on the vty lines.
transport input none

transport input ssh

exit

Verify with R3

ssh -l admin 18.5.5.5

ssh -l guest 18.3.3.3

===================================

4.4 L3VPN QOS

R1

policy-map MPLS-CORE-FACING

class CRITICAL

bandwidth percent 30

class BESTEFFORT

bandwidth percent 30

class REALTIME

priority percent 15

set mpls experimental topmost 4

R2/R3

Page 48: k8 Solution Art

conf t

class-map match-all QOSGROUP123

match qos-group 1

match qos-group 2

match qos-group 3

class-map match-all QOSGROUP5

match qos-group 5

class-map match-all QOSGROUP467

match qos-group 4

match qos-group 6

match qos-group 7

policy-map INBOUND

class class-default

set qos-group mpls experimental topmost

exit

policy-map SHAPING

class class-default

shape average 3000000

set prec qos-group

service-policy CE-FACING

exit

int s1/0

Page 49: k8 Solution Art

service-policy input INBOUND

exit

int e0/1

no service-policy output CE-FACING

service-policy output SHAPING

exit

Verify using either of two methods

1)

ping vrf SITE1

target ip : 72.72.72.72

Datagram : 150000 (if R1 has a policer with set-mpls-exp-transmit 4)

TOS : 160

Go to R1

sh policy-map interface Serial0/0 (interface between R1 and R4)

2)

ip access-list extended QOSTEST

10 permit ip any any precedence routine

20 permit ip any any precedence priority

30 permit ip any any precedence immediate

40 permit ip any any precedence flash

50 permit ip any any precedence flash-override

Page 50: k8 Solution Art

60 permit ip any any precedence critical

70 permit ip any any precedence internet

80 permit ip any any precedence network

int e0/2

ip access-group QOSTEST in

exit

ping vrf SITE1

target ip : 72.72.72.72

TOS : 160

4.5 IMPLEMENTATION QOS

SW3

conf t

int lo 148

ip add 148.0.0.8 255.255.255.255

exit

router eigrp 8

network 148.0.0.8 0.0.0.0

exit

access-list 148 permit ip host 148.0.0.8 host 148.0.0.4

route-map LO148

Page 51: k8 Solution Art

match ip address 148

set interface vlan 18 null0

exit

ip local policy route-map LO148

R4

conf t

int lo 148

ip add 148.0.0.4 255.255.255.255

exit

router eigrp 8

network 148.0.0.4 0.0.0.0

exit

4.6 NTP

R1

! R1 acts as the NTP reference for the lab, serving its own clock as stratum 1.
! NOTE(review): no NTP authentication or "ntp access-group" appears in this
! listing, so any host that can reach R1 may query it, and clients will accept
! time from an unauthenticated source.
conf t

ntp master 1

clock calendar-valid

! Source NTP packets from Loopback0; the clients point at 18.1.1.1.
ntp source lo 0

ntp update-calendar

R3/R5

conf t

Page 52: k8 Solution Art

ntp source lo 0

ntp update-calendar

ntp server 18.1.1.1

4.7 DEVICE SECURITY

R5

! Classification for the control-plane policy on R5.
conf t

ip access-list extended SSH

! NOTE(review): in an ACL referenced by a class-map, "deny" means "do not place
! this traffic in the class"; it does not drop it. SSH from 10.8.18.0/24 to
! 10.28.35.5 is therefore exempt from the SSH policer rather than blocked.
! Confirm that this matches the task's intent.
deny tcp 10.8.18.0 0.0.0.255 host 10.28.35.5 eq 22

permit tcp any any eq 22

! HTTP and HTTPS sourced from 10.28.188.0/24 (the VLAN 500 subnet).
ip access-list extended HTTP

permit tcp 10.28.188.0 0.0.0.255 any eq 80

permit tcp 10.28.188.0 0.0.0.255 any eq 443

ip access-list extended ALL_ICMP

permit icmp any any

ip access-list extended ICMP_ECHO

permit icmp any any echo

permit icmp any any echo-reply

class-map SSH

match access-group name SSH

class-map ICMP_LIMIT

match access-group name ICMP_ECHO

! match-any: a packet matching either ACL lands in BLOCK. The second match
! statement (ALL_ICMP) follows after the page break in this transcript.
class-map match-any BLOCK

match access-group name HTTP

Page 53: k8 Solution Art

match access-group name ALL_ICMP

! Control-plane policy. Classes are evaluated in the order listed, so the order
! below is significant.
policy-map CONTROL

! SSH to the router: policed to 16 kbps, excess dropped.
class SSH

police cir 16000

conform-action transmit

exceed-action drop

! Echo and echo-reply are rate-limited here, before class BLOCK is evaluated.
class ICMP_LIMIT

police rate 100 pps burst 10 packets

! Everything else matched by BLOCK is dropped: the remaining ICMP types and
! HTTP/HTTPS from 10.28.188.0/24.
class BLOCK

drop

exit

! NOTE(review): no class-default action is defined, so control-plane traffic
! matching none of the three classes is left unpoliced.
control-plane

service-policy input CONTROL

===================================================

SECTION 5

5.1 OPTIMIZE THE NETWORK

R1

conf t

! Local buffered logging is turned off; messages go to the remote syslog host
! only.
! NOTE(review): with no local buffer, log history is unavailable on the device
! if the syslog host is unreachable.
no logging buffered

logging host 10.28.69.100

! Configuration change logging. The stanza continues after the page break with
! "logging size", "hidekeys" and "notify syslog".
archive

log config

logging enable

Page 54: k8 Solution Art

logging size 10

hidekeys

notify syslog

exit

5.2 EEM IMPLEMENTATION

R3

conf t

! EEM applet: when a syslog message matching SYS-5-RESTART is seen, enter
! configuration mode and bounce e0/0 and e0/1.
! NOTE(review): any message matching the pattern triggers the applet, and its
! actions change the configuration with no operator present. Keep the pattern
! as narrow as the task allows.
event manager applet BOUNCEGIG

event syslog pattern ".*SYS-5-RESTART.*"

action 1.0 cli command "enable"

action 2.0 cli command "conf t"

action 3.0 cli command "int e0/0"

action 4.0 cli command "shut"

action 5.0 cli command "no shut"

action 6.0 cli command "int e0/1"

action 7.0 cli command "shut"

action 8.0 cli command "no shut"

exit

RELOAD the router

Page 55: k8 Solution Art