CCIE EI Lab Workbook Section 2.4-6

Hello everyone, BestCiscoDumps has shared more than half of Cisco CCIE EI lab workbook dumps now. How do you feel about learning? Are there any difficulties? It's normal to encounter difficulties but I believe you can understand as long as you have some experience and read it several times. Today, BestCiscoDumps shares CCIE EI lab workbook section 2.4-2.6. It is strongly recommended that you practice using it with BestCiscoDumps real remote rack when watching CCIE EI lab workbook. BestCiscoDumps remote rack highly simulates the real examination environment. You can also use remote rack to verify your confidence in passing the exam.

Click the link to view the complete CCIE EI Lab topology
Click the link to view the CCIE EI Lab Workbook Section 1.1-1.9
Click the link to view the CCIE EI Lab Workbook Section 1.10-1.16
Click the link to view the CCIE EI Lab Workbook Section 2.1-2.3
The current page is CCIE EI Lab Workbook Section 2.4-2.6
Click the link to view the CCIE EI Lab Workbook Section 3.1-3.4

SECTION 2.4: Configuring SD-WAN VPN Route Leaking

To allow the traditional parts of FABD2 network to communicate with the Employees and IoT VPNs/VNs, configure route leaking in SD-WAN according to these requirements.

1. Prefixes in the IoT VPN 198 must be imported into the existing SDA underlay VPN 999 and tagged with the tag value of 198.
2. Prefixes in the Employees VPN 200 must be imported into the existing SDA underlay VPN 999 and tagged with the tag value of 200.
3. Prefixes in the SDA Underlay VPN 999 advertised from the DC that are within the 10.4.0.0/15 range must be rejected. Other prefixes in the SDA Underlay VPN 999 advertised from the DC must be accepted and also imported into IoT VPN 198 and Employees VPN 200
4. Redistribution from OMP into OSPF on Branches #1 and #2 in VPN 999 must exclude vRoutes tagged with value of 198 and 200
5. Place host41 into Employees VN, Place host51 into IoT VN. Make sure both hosts receive their IP settings from DHCP.
6. Ensure that IoT and Employees VPNs on Branches #1 and #2 have reachability to Branches #3 and #4. It is allowed to modify the VPN 999 settings to accomplish this requirement.

Solution

First Step: Creating Lists & Topology For Route-Leaking & Denying Data Traffic as per task requirements

1. Creating Lists:- Navigate: Configuration > Policies
   • On top-right corner > Custom Options > Centralized Policy > Select Lists
   • Select “Site” and than click on “New Site List”
   • Enter all the details as given in the screenshots. Repeat the 3rd step to cover all sites as per screenshots
   • Now all required Site Lists are created.
   • Select “VPN” and than click on “New VPN List”
   • Enter all the details as given in the screenshots. Repeat the 6th step to cover all VPN as per screenshots
   • Now all required VPN Lists are created.
   • Select “Prefix” and than click on “New Prefix List”
   • Enter all the details as given in the screenshots.
   • Now all required Prefix Lists are created.
2. Creating Topology (VPN198 & VPN200 into VPN999):- Navigate: Configuration > Policies
   • On top-right corner > Custom Options > Centralized Policy > Select Topology
   • Click on “Add Topology” and Select “Custom Control (Route & TLOC)”
   • Select “Route” as shown in screenshot
   • Click “Sequence Rule”
   • Input the details given in screenshots
   • Click “Save Match and Actions”
   • Click “Sequence Rule”
   • Input the details given in screenshots
   • Click “Save Match and Actions”
   • Click on “Default Action” and click on “Edit Symbol on the right side”
   • Change it to : “Accept”
   • Click “Save Match and Actions”
3. Creating Topology (VPN999 into VPN198 & VPN200):- Navigate: Configuration > Policies
   • On top-right corner > Custom Options > Centralized Policy > Select Topology
   • Click on “Add Topology” and Select “Custom Control (Route & TLOC)”
   • Select “Route” as shown in screenshot
   • Click “Sequence Rule”
   • Input the details given in screenshots
   • Click “Save Match and Actions”
   • Click “Sequence Rule”
   • Input the details given in screenshots
   • Click “Save Match and Actions”
   • Click on “Default Action” and click on “Edit Symbol on the right side”
   • Change it to : “Accept”
   • Click “Save Match and Actions”
4. Creating Topology (denying routes from DC 10.4.0.0/15 in VPN999):- Navigate: Configuration > Policies
   • On top-right corner > Custom Options > Centralized Policy > Select Topology
   • Click on “Add Topology” and Select “Custom Control (Route & TLOC)”
   • Select “Route” as shown in screenshot
   • Click “Sequence Rule”
   • Input the details given in screenshots
   • Click “Save Match and Actions”
   • Click “Sequence Rule”
   • Input the details given in screenshots
   • Click “Save Match and Actions”
   • Click on “Default Action” and click on “Edit Symbol on the right side”
   • Change it to : “Accept”
   • Click “Save Match and Actions”
5. Done

Next Step: Creating Centralized Policy For Route-Leaking & Denying Data Traffic as per task requirements

1. Creating Lists:- Navigate: Configuration > Policies > Centralized Policy
2. Select “Add Policy”
3. Click “Next”
4. Under Topology, Click on “Add Topology” and than select “Import Existing Topology”
5. Select “Custom Control”
6. Select “ VPN198 & VPN200 into VPN999”
7. Click Import
8. Under Topology, Click on “Add Topology” and than select “Import Existing Topology”
9. Select “Custom Control”
10. Select “VPN999 into VPN198 & VPN200”
11. Click Import
12. Under Topology, Click on “Add Topology” and than select “Import Existing Topology”
13. Select “Custom Control”
14. Select “VPN999 into VPN198 & VPN200”
15. Click Import
16. Under Topology, Click on “Add Topology” and than select “Import Existing Topology”
17. Select “Custom Control”
18. Select “Rejetc-DC”
19. Click Import
20. Click “Next”
21. Click “Next”
22. Input the Policy Name : Any name you can use
23. Under Topology:
    • Under Reject-DC: Select Site “DC” & Direction “out”
    • Under VPN198 & VPN200 into VPN999: Select Site “Branch1-Branch2” & Direction “in”
    • Under VPN999 into VPN198 & VPN200: Select Site “DC” & Direction “in”
24. Save
25. Click on the three dots on the right corner.
26. Click “Activate”
27. Click “Activate”
28. Done

Next Step: Creating Localized Policy to meet task requirements

1. Creating Lists:- Navigate: Configuration > Policies >
2. On the right corner select “Localized Policy”
3. Select “Route Policy”
4. Click “Add Route Policy”
5. Select “Create New”
6. Click on “Sequence Rule”
7. Input the details as shown in the screenshots
8. Click “Save Match and Actions”
9. Click on “Sequence Rule”
10. Input the details as shown in the screenshots
11. Click “Save Match and Actions”
12. Change the Default Action to “Accept” as shown in screenhots

Next Step: Attaching Localized Policy to Device Template

1. Navigate to Configuration > Templates > Device
2. Select Branch1 and click on Edit
3. Under “Additional Templates”
   • Policy: Select the Policy
4. Select Branch2-vedge51 and click on Edit
5. Under “Additional Templates”
   • Policy: Select the Policy
6. Select Branch2-vedge52 and click on Edit
7. Under “Additional Templates”
   • Policy: Select the Policy
8. Done

Next Step: Attaching Localized Policy to OSPF Feature Template

1. Navigate to Configuration > Templates > Feature
2. Select Branch1-VPN999 OSPF Template and click on three dots and select Edit
3. Under “Redistribute”
   • Click on edit symbol
   • Under Route-Policy: Select the Localized Policy
4. Click Save
5. Click Update
6. Select Branch1-VPN999 OSPF Template and click on three dots and select Edit
7. Under “Redistribute”
   • Click on edit symbol
   • Under Route-Policy: Select the Localized Policy
8. Click Save
9. Click Update
10. Done

Next Step: Modifying VPN999

1. Navigate: Configuration > Templates > Feature
2. Select VPN999 Template, click on three dots on right corner, click Edit
3. Under Advertise OMP
   • OSPF External (Global): Select “On”
4. Done

Next Step: Associating host41 in Employees VN & host51 in IoT VN

1. Navigate: Provision > Fabric
2. Select Branch1 > Select Host Onboarding > Select Port Assignment
3. Select sw400 > Click GigabitEthernet 1/0/1
4. Click “Save/Update”
5. Repeat the above steps
6. Navigate: Provision > Fabric
7. Select Branch2 > Select Host Onboarding > Select Port Assignment
8. Select sw510 > Click GigabitEthernet 1/0/1
9. Click “Save/Update”

SECTION 2.5: Handling Guest Traffic

The Guest VN/VPN on Branches #1 and #2 must remain isolated from the rest of the company network. It is only allowed to reach the internet through r23 and r24 in the DC. Enable internet connectivity for the Guest VPN according to these requirements.

1. On vedge21 and vedge22, place the ge0/2 interfaces into the Guest VPN 199
2. On r23 and r24, create a new VRF named Guest using the RD of 65002:199, and place the g4 interface into this VRF.
3. Assign addresses to these interfaces:
   • r23 g4: 10.2.123.1/24
   • r24 g4: 10.2.224.1/24
   • vedge21 ge0/2: 10.2.123.2/24
   • vedge22 ge0/2: 10.2.224.2/24
4. Peer r23 and vedge21 in the Guest VRF/VPN using iBGP
5. Peer r24 and vedge22 in the Guest VRF/VPN using iBGP
6. Ensure that r23 and r24 learn the routes in the Guest VRF/VPN over iBGP.
7. On r23 and r24 configure a static default route in the Guest VRF and point it to the ISP’s IP Address 200.99.23.1 or 200.99.24.1 as appropriate. Advertise this default route in iBGP to vedge21 and vedge22
8. On r23 and r24 configure PAT to allow the Guest VPN to access internet by translating in to the router address on the link towards the ISP. Resue the NAT ACL already created on the router. Do not use NAT pools

Configure r23 as a DHCP server for Guest VPN according to these requirements.

1. Create Loopback1 interface on r23 assocaited with the Guest VRF and having the IP address 10.2.255.211/32
2. Advertise this prefix in BGP toward vedge21
3. Create DHCP pool named br1_guest for Branch #1 Guest subnet
4. Create DHCP pool named br2_guest for Branch #2 Guest subnet
5. Explicitly associate both DHCP pools with the VRF Guest
6. In each subnet assign addresses from .101 up to .254 inclusively and the appropriate gateway to clients.
7. Associate host42 and host52 with the Guest VN in DNAC, and make sure that both hosts receive the appropriate address.
8. Make sure that host42 and host52 can ping 8.8.8.8 in the ISP cloud

Solution

On vManage

First Step: Creating Feature Template – VPN Interface for DC vEdge21 & vEdge22: For Guest VPN

1. Navigate: Configuration > Template > Feature
2. Click “Add Template”
3. From the Drop-down list on left side: select vEdge Cloud
4. Right side under VPN: select “VPN Interface”
5. Input the Template Name & Description: You can use any name of your choice
6. Under Basic Configuration
   • Shutdown (Global): Select “No”
   • Interface Name (Global): Input “ge0/2”
   • Ipv4 Address (Device Specific): You can use any name of your choice
7. Click “Save”

Next Step: Creating Feature Template – DC-BGP for: Guest

1. Navigate: Configuration > Template > Feature
2. Click “Add Template”
3. From the Drop-down list on left side: select vEdge Cloud
4. Right side under Other Templates: select “BGP”
5. Input the Template Name & Description: You can use any name of your choice
6. Under Basic Configuration
   • AS Number (Global): Input “65002”
7. Under Unicast Address Family
   • Select: New-Redistribute
   • Select: (Global) “omp”
   • Add/Save Changes
8. Under Neighbor
   • Click “New Neighbor”
   • Address (Device Specific): You can use any name of your choice
   • Remote AS (Global): Input “65002”
9. Click “Add”
10. Click “Save”

Next Step: Creating Device Template From Feature Template – DC: vedges21&22

1. Navigate: Configuration > Template > Device
2. Select DC
3. Click on the three dots on the right side corner to edit the template
4. Under Service VPN: Click on “Add Symbol”
5. Under Basic Information
   • Select: OMP Feature Template
6. To Add BGP and VPN Interface: Click on the right side on BGP and VPN Interface
   • VPN: Guest-VN --->Select the template name which you have given
   • BGP: DC_iBGP_vedge21_vedge22 --->Select the template name which you have given
   • DC_vedges_guest_vpn199_interfacege0/2 ---> Select the template name which you have given
7. Click “Update”
8. Two Device Template are now updated (but not yet attached)
9. Select the first updated device template (vedge21)and click on the three dots on right side and click “Edit Device Template”
10. Input the proper values as given in the screenshots and click “Update”
11. Click “Update”
12. Select the second updated device template (vedge22)and click on the three dots on right side and click “Edit Device Template”
13. Input the proper values as given in the screenshots and click “Update”
14. Click “Update”
15. Click “Next”
16. Click “Configure Devices”
17. A dialog box will appear: Select “Confirm” and click “OK” ---> May be Optional
18. All Done

Next Step: Associating host42 &host52 in Guest VN

1. 1. Navigate: Provision > Fabric
2. 2. Select Branch1 > Select Host Onboarding > Select Port Assignment
3. 3. Select sw400 > Click GigabitEthernet 1/0/2
4. 4. Click “Save/Update”
5. 5. Repeat the above steps
6. 6. Navigate: Provision > Fabric
7. 7. Select Branch2 > Select Host Onboarding > Select Port Assignment
8. 8. Select sw510 > Click GigabitEthernet 1/0/2
9. 9. Click “Save/Update”

On r23

r23(config)#vrf definition Guest

r23(config-vrf)#rd 65002:199

r23(config-vrf)# address-family ipv4

r23(config-vrf-af)#exit-address-family

r23(config-vrf)#exit

r23(config)#

r23(config)#interface Loopback1

r23(config-if)#vrf forwarding Guest

r23(config-if)#ip address 10.2.255.211 255.255.255.255

r23(config-if)#exit

r23(config)#

r23(config)#interface GigabitEthernet4

r23(config-if)#vrf forwarding Guest

r23(config-if)#ip address 10.2.123.1 255.255.255.0

r23(config-if)#ip nat inside

r23(config-if)#no shutdown

r23(config-if)#exit

r23(config)#

r23(config)#ip route vrf Guest 0.0.0.0 0.0.0.0 200.99.23.1 global

r23(config)#ip nat inside source list NAT interface Ethernet0/0 vrf Guest overload

r23(config)#router bgp 65002

r23(config-router)#address-family ipv4 vrf Guest

r23(config-router-af)#network 10.2.255.211 mask 255.255.255.255

r23(config-router-af)#neighbor 10.2.123.2 remote-as 65002

r23(config-router-af)#neighbor 10.2.123.2 activate

r23(config-router-af)#redistribute static

r23(config-router-af)#default-information originate

r23(config-router-af)#exit-address-family

r23(config-router)#exit

r23(config)#

r23(config)#ip dhcp pool br1_guest

r23(dhcp-config)#vrf Guest

r23(dhcp-config)#network 10.4.199.0 255.255.255.0

r23(dhcp-config)#default-router 10.4.199.1

r23(dhcp-config)#exit

r23(config)#

r23(config)#ip dhcp pool br2_guest

r23(dhcp-config)#vrf Guest

r23(dhcp-config)#network 10.5.199.0 255.255.255.0

r23(dhcp-config)#default-router 10.5.199.1

r23(dhcp-config)#exit

r23(config)#

r23(config)#ip dhcp use vrf remote

r23(config)#ip dhcp excluded-address vrf Guest 10.4.199.1 10.4.199.100

r23(config)#ip dhcp excluded-address vrf Guest 10.5.199.1 10.5.199.100

On r24

r24(config)#vrf definition Guest

r24(config-vrf)#rd 65002:199

r24(config-vrf)#address-family ipv4

r24(config-vrf-af)#exit-address-family

r24(config-vrf)#exit

r24(config)#

r24(config)#interface GigabitEthernet4

r24(config-if)#vrf forwarding Guest

r24(config-if)#ip address 10.2.224.1 255.255.255.0

r24(config-if)#ip nat inside

r24(config-if)#no shutdown

r24(config-if)#exit

r24(config)#

r24(config)#ip route vrf Guest 0.0.0.0 0.0.0.0 200.99.24.1 global

r24(config)#ip nat inside source list NAT interface Ethernet0/0 vrf Guest overload

r24(config)#router bgp 65002

r24(config-router)#address-family ipv4 vrf Guest

r24(config-router-af)#neighbor 10.2.224.2 remote-as 65002

r24(config-router-af)#neighbor 10.2.224.2 activate

r24(config-router-af)#redistribute static

r24(config-router-af)#default-information originate

r24(config-router-af)#exit-address-family

r24(config-router)#exit

r24(config)#

SECTION 2.6: Support for Silent Hosts in Branch #2

The Item consist of multiple questions. You may need to scroll down to be able to see all questions.

In Future Branch #2 will be equipped with IP-based IoT endpoints operating in speak-whenspoken- to mode, also called silent hosts. Which of the following SDA features enables a working connectivity with thses IoT endpoints?

1. Layer 2 Extension
2. Native Multicast
3. Layer 2 Flooding
4. Endpoint Mobility

In the statement below, select one of the option from the drop-down list to complete the sentence and form a correct statement.

For SDA to Support Silent hosts, in the underlay as a prerequisite.

1. IP Multicast routing with PIM-SM must be enabled
2. No additional capability aside from unicast IP connectivity is required
3. IS-IS must be used as a routing protocol
4. DHCP Snooping must be enabled

Solution

Part 1

Answer: c

Part 2

Answer: b

The above is about section 2.4-2.6 in CCIE EI lab workbook dumps. Candidates must read it several times to deepen their impression. It is best to practice with Cisco rack to deepen their understanding. We will update the follow-up part of CCIE EI lab from time to time, and share other benefits that are very important for Cisco candidates!

If you want to get more verification about the questions and a more complete CCIE EI lab workbook, please contact us!