News

CCIE R&S Mock Lab Dumps Section 3-5

Publish Time: Author: James Visit: 423

Hello, today, BestCiscoDumps will share all the remaining parts of CCIE R&S Lab1, that is, CCIE R&S mock lab dumps section 3-5. It includes some network security technologies and some advanced applications. Although these technologies are rarely used in peacetime, if you can carefully read and understand these knowledge points, your ability will be greatly improved! These technologies are skills that only CCIEer will know!

CCIE R&S Mock Lab

Click the link to view the CCIE R&S Lab Topology and CCIE R&S Mock Lab Dumps Section 1
Click the link to view the CCIE R&S Mock Lab Dumps Section 2
The current page is CCIE R&S Mock Lab Dumps Section 3-5

SECTION 3 – VPN Technology

SECTION 3.1: MPLS VPN Part 1

Refer to "Diagram 3: BGP Topology" and "Diagram 4: VPN Technology"

  • The ACME Headquarters network (AS 12345) uses MPLS L3VPN in order to clearly separateremote site networks
  • The ACME corporate security policies are centralized and enforced at the San Jose site (AS65112) for all remote sites. The policies require that all traffic that is originated from any remote sites (with the exception of AS 34567) to the Internet is routed via R20 in AS 65112 Configure MPLS L3VPN in the ACME network according to the following requirements
  • Enable LDP only on required interfaces on all seven routers in AS 12345
  • Use the interface Lo0 to establish LDP peering
  • Ensure that no MPLS interface that belongs to any router in AS 12345 is visible on atraceroute that originates outside of the AS
  • R2, R3, R6 and R7 must be configured as PE routers
  • R1, R4 and R5 must be configured as P routers

Note: The simulator's R6, R7 includes: no mpls ip propagate-ttl

R2, R3, R6, and R7 on the examination room must manually type :no mpls ip propagate-ttl

Solution:

R1/R2/R3/R4/R5/R6/R7:

mpls ldp router-id lo0 force

router ospf 12345

mpls ldp autoconfig area 0

R2/R3/R6/R7:

no mpls ip propagate-ttl

Note: no ip igmp snooping //on the examination room, if the MPLS LDP neighbor does not established, type this command.

SECTION 3.2: MPLS VPN Part 2

Refer to "Diagram 3: BGP topology" and "Diagram 4: VPN Technology"

The global and regional service providers have agreed to transport the ACME network according to the following requirements

Complete the configuration of MPLS L3VPN in the ACME network according to the following requirements

  • R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 12345
  • R2 and R3 must establish an EBGP peering with both global service providers (As 10001and AS 10002) for the following VRFs:
  • VRF “BLUE”
  • VRF “GREEN”
  • VRF “RED”
  • VRF “YELLOW”
  • VRF “INET”
  • R6 must establish an EBGP peering with the regional service provider (AS 20001) for the following VRFs only:
  • VRF “GREEN”
  • VRF “BLUE”
  • VRF “INET”
  • R7 must establish an EBGP peering with the regional service provider (AS 20002) for the following VRFs only:
  • VRF “BLUE”
  • VRF “RED”
  • VRF “INET”
  • All IP addressed used for EBGP peering must pass the BGP's directly connected check
  • No BGP speaker is AS 12345 may use the network or redistribute statement under anyaddress-family of the BGP router configuration
  • At the end of the exam scenario, the interface e0/0 of the gateway router in any remotesite must be able connect to the interface e0/0 of any other remote gateway that belong to AS 65111 or AS 65112 and AS 65222
  • Use the following tests as examples of connectivity checks

CCIE RS LAB 1 Section 3 R12 ping 10.2.19.1

CCIE RS LAB 1 Section 3 R12 trace 10.2.19.1

Solution:

R1:

router bgp 12345 address-family vpnv4

neighbor 123.2.2.2 activate

neighbor 123.3.3.3 activate

neighbor 123.6.6.6 activate

neighbor 123.7.7.7 activate

neighbor IBGP route-reflector-client

R2/R3/R6/R7:

router bgp 12345 address-family vpnv4

neighbor 123.1.1.1 activate

R20:

router bgp 65112

neighbor 10.120.15.1 weight 1000 //Trace 10.2.19.1 source e0/0, let R12's next hop go through R3's e0/3

SECTION 3.3: DMVPN

Configure DMVPN phase 3 in the ACME APAC region (AS 45678 and 65222) as per the following requirements

  • Use the preconfigured interface Tunnel0 on all the three routers in order to accomplish this task
  • R17 must be configured as the hub router
  • R18 and R19 must be the spoke routers and must participate in NHRP information exchange
  • Disable send ICMP redirect messages on all three Tunnel0 interfaces

Configure the following parameters on all the three Tunnel0 interfaces

  • Configure the bandwidth to 1000 kilobits per second
  • Configure the delay to 10000 microseconds
  • Adjust the IP MTU to 1400 bytes
  • Adjust the TCP maximum segment size to 1360 bytes
  • Authenticate NHRP using the string “45678key” (without quotes!)
  • Use the NHRP network-id 45678
  • Configure the NHRP hold time to 5 minutes
  • Ensure that spoke-to-spoke traffic does not transit via the hub

Solution:

R17:

interface tunnel 0

ip address 10.18.19.1 255.255.255.0

tunnel source e0/3

tunnel mode gre multipoint

ip nhrp network-id 45678

ip nhrp map multicast dynamic

ip nhrp authentication 45678key

ip nhrp holdtime 300

no ip redirects

bandwidth 1000

delay 1000

ip mtu 1400

ip tcp adjust-mss 1360

router eigrp CCIE

address-family ipv4 unicast autonomous-system 45678

network 10.18.19.0 0.0.0.255

R18:

interface tunnel0

ip address 10.18.19.18 255.255.255.0

tunnel source Serial1/0

tunnel mode gre multipoint

ip nhrp network-id 45678

ip nhrp map multicast 203.3.17.2

ip nhrp nhs 10.18.19.1

ip nhrp map 10.18.19.1 203.3.17.2

ip nhrp authentication 45678key

ip nhrp holdtime 300

no ip redirects

bandwidth 1000

delay 1000 ip mtu 1400

ip tcp adjust-mss 1360

router eigrp 45678

network 10.18.19.0 0.0.0.255

R19:

interface tunnel0

ip address 10.18.19.19 255.255.255.0

tunnel source Serial1/0

tunnel mode gre multipoint

ip nhrp network-id 45678

ip nhrp map multicast 203.3.17.2

ip nhrp nhs 10.18.19.1

ip nhrp map 10.18.19.1 203.3.17.2

ip nhrp authentication 45678key

ip nhrp holdtime 300

no ip redirects

bandwidth 1000

delay 1000 ip mtu 1400

ip tcp adjust-mss 1360

router eigrp 45678

network 10.18.19.0 0.0.0.255

Meet the needs of the shortest path for data exchange between R18 and R19:

R17:

interface tunnel 0

ip nhrp redirect //Turn on nhrp redirect

router eigrp AS45678

address-family ipv4 unicast autonomous-system 45678

af-interface Tunnel0

no split-horizon

Note: You must turn off the split horizon under tun0. After typing, check that R18 R19 can learn each other's detailed routes.

R18/R19:

interface tunnel 0

ip nhrp shortcut

SECTION 3.4: Encryption

Refer to "Diagram 4: VPN Technology"

Secure the DMVPN tunnel with IPsec according to the following requirements Configure IKE Phase 1 according to the following requirements

  • Use AES encryption with the pre-shared key “CCIE” (without quotes)
  • The key must appear in plain text in the configuration
  • All IPsec tunnels must be authenticated using the same IKE Phase 1 pre-shared key
  • Use 1024 bits for the key exchange using the Diff-Hellman algorithm
  • Configure a single policy using priority 10

Configure IKE Phase 2 according to the following requirements

  • Use CCIEXFORM as the transform-set name
  • Use DMVPNPROFILE as the IPsec profile name
  • Use IPsec in transport mode
  • Use the IPsec security protocol ESP and algorithm AES with 128 bits
  • Ensure that the DMVPN cloud is secured using the above parameters
  • Use tunnel protection in your configuration

Solution:

R17/R18/R19:

crypto isakmp policy 10

encryption aes

authentication pre-share

group 2

crypto isakmp key 0 CCIE address 0.0.0.0

crypto ipsec transform-set CCIEXFORM esp-aes 128

mode transport

crypto ipsec profile DMVPNPROFILE

set transform-set CCIEXFORM

interface tunnel 0

tunnel protection ipsec profile DMVPNPROFILE

SECTION 4 – Infrastructure Security

  • Check what is already preconfigured before jumping to configuration!
  • Think about smart configuration options that can greatly speed up the time spent at typing on the key board(use copy/paste when possible)!

SECTION 4.1: Device Security

Configure R20 in the ACME San Jose office as per the following requirements

  • All users who connect to R20 via the console port via any vty line using SSH must be prompted with the below message before any other prompt is displayed
  • WARNING!ACCESS RESTRICTED!
  • Do not include any extra spaces or any other characters as the ones shown above

Solution:

R20:

banner login #WARNING!ACCESS RESTRICTED!#

banner motd #WARNING!ACCESS RESTRICTED!#

On the examination room, if the desired phenomenon does not appear, knock in the privileged mode: terminal moniter

Or:

line con 0

pass XXX

logging local

no pass

SECTION 4.2 Network Security

Configure the ACME New York office as per the following requirements

  • Ensure that interface E0/0-3 of SW3 forward traffic that was sent from expected and legitimate hosts and servers
  • SW3 must dynamically learn only one MAC address per port and must save the MAC address in its startup configuration
  • SW3 must shut down the port if a security violation occurs any of these four ports

Solution:

SW3:

int range e0/0 - 3

switchport mode access //Pre-configured

switchport port-security

switchport port-security mac-address sticky

switchport port-security violation shutdown //Default

switchport port-security maximum 1 //Default

SECTION 5 – Infrastructure Services

  • Check what is already preconfigured before jumping to configuration!
  • Think about smart configuration options that can greatly speed up the time spent at typing on the key board(use copy/paste when possible)!

SECTION 5.1: System Management

Configure R20 in the ACME San Jose office as per the following requirements

  • Enable SSH access in R20 using the domain name “acme.org”
  • R20 must accept up to five remote authorized users to connect at the same time using SSH
  • Create the user "test" with the password "test" in the local database of R20
  • R20 must produce a syslog message for all SSH connection attempts, regardless of whether it is permitted or denied
  • When authenticated, the user “test” must be granted with the privilege level 1
  • Do not enable the aaa new-model Command on R20
  • Ensure that SSH is the only remote access method that is permitted on VTY lines of R20
  • Ensure that the console is not affected by your solution and that no “username” prompt is presented on the console port
  • Test your solution from any device that is located in AS 34567 and ensure that the following sequence of commands produces the same output

CCIE RS LAB 1 Section 5 R10 ssh command

Solution:

R20:

username test privilege 1 password test

ip domain-name acme.org

crypto key generate rsa modulus 1024

ip ssh maxstartups 5

privilege exec level 1 show privilege

login on-failuer log

login on-success log

ip ssh logging events

line vty 0 4

login local

transport input ssh

SECTION 5.2: Network Services

Configure the ACME network as per the following requirements

  • R20 must enable all private corporate traffic that is originated from any host with source ip address in 10.1.0.0/16 or in 10.2.0.0/16 to connect to any public destination that is located in AS 34567 or in any services
  • All remote sites in AS 65111 and AS 65222 must be able to connect to these public destinations
  • R20 must swap the source ip address in these packets with the ip address of its interfaceLo0
  • R20 must allow multiple concurrent connections
  • Use a standard access-list to accomplish the above requirements
  • The following tests must succeed after the above requirements (in addition to previous requirements) are acheived

CCIE RS LAB  1 Section 5 R12 R18 ping command

Solution:

NAT for originating data flows in AS65111

R20:

access-list 20 per 10.1.0.0 0.0.255.255

int e0/0.12

ip nat inside //R12

int e0/0.13

ip nat inside //R13

int e0/0.14

ip nat inside //R14

int e0/1.99

ip nat outside

int e0/0.99

ip nat outside //Since the weight was added to the R20 route, it must be 10.120.99.6, but it can also be used as a backup route for 10.120.99.2

ip nat inside source list 20 interface lo0 overload

Test:

R12: ping 1.2.3.4 source 10.1.12.1 //same as R13/R14

If you do not do NAT on R20, it is impossible to ping successfully because ISP7 does not have a return route.

R20:

debug ip nat

sh ip nat translations

NAT for originating data flows in AS65222

R16:

router bgp 45678

nei 203.3.16.1 prefix-list NAT in

ip prefix-list NAT permit 0.0.0.0/0

ip prefix-list NAT permit 203.3.16.0/22 le 30

R17:

router bgp 45678

nei 203.3.17.1 prefix-list NAT in

ip prefix-list NAT permit 0.0.0.0/0

ip prefix-list NAT permit 203.3.16.0/22 le 30

R18:

router bgp 65222

nei 203.3.18.1 prefix-list NAT in

ip prefix-list NAT permit 0.0.0.0/0

ip prefix-list NAT permit 203.3.16.0/22 le 30

R19:

router bgp 65222

nei 203.3.19.1 prefix-list NAT in

ip prefix-list NAT permit 0.0.0.0/0

ip prefix-list NAT permit 203.3.16.0/22 le 30

R20:

access-list 20 per 10.2.0.0 0.0.255.255

int e0/0.15 ip nat inside

int e0/1.15

ip nat inside //Back up, because ISP3 goes to 1.2.3.4 to match the default route in VRF YELLOW

Test:

R18: ping 1.2.3.4 source 10.2.18.1 //same as R19

If you do not do NAT on R20, there is no return route in ISP2's VRF INET. It is not possible to ping successfully.

NAT for originating data flows in AS65112

R20:

int lo1

ip nat inside

int lo2

ip nat inside

SECTION 5.3: Network Optimization

Configure R17 as per the following requirements

  • The output that is shown below must be seen on R17 during 10 seconds after R15successfully pinged interface Lo0 of R19

CCIE RS LAB 1 Section 5 Network Optimization

Solution:

R17:

ip flow-export version 9

ip flow-top-talkers

top 10

sort-by bytes

cache-timeout 10000

match output-interface tunnel0

match source address 123.20.1.9 255.255.255.255

match destination address 123.19.19.19 255.255.255.255

interface tunnel0

ip flow egress

shell processing full

SECTION 5.4: Network Services

Configure ACME network as per the following requirements

  • SW3 must provide an authoritative time source to the ACME network
  • R10 and R12 must synchronise their clock to SW3 using NTPv4 for ipv6
  • R10 and R12 must operate in client mode
  • SW3 must not capture or use any time information that is sent by R10 and R12
  • All NTP traffic must rely on IPv6 connectivity only
  • All NTP traffic must be sourced and destined to the interface Lo0 of the corresponding devices

Solution:

R10/R12/R14/SW3:

ntp source lo0

interface lo0

ntp disable ip

clock timezone BEIJING +8

SW3:

clock set XXXXXXXX

ntp master

R10/R12/R14:

ntp server 2001:CC1E:BEEF:33:123:33:33:33 version 4 //Ipv6 address of SW3 lo0 port

Note: The Lo0 port address on SW3 serves as the source address for NTP synchronization. You need to look at show ipv6 int brief on SW3, and show run interface lo0 cannot see it.

The above is the whole content of CCIE R&S mock lab dumps section 3-5. CCIE RS Lab1 is completed. I wonder if you have gained anything? Do you want to learn more about CCIE Lab dumps? If you think the content we share is good, you can click the share button below to share these useful CCIE Lab Dumps to more people in need. Your support will be the driving force for BestCiscoDumps to move forward!

CCIE R&S Mock Lab Dumps Section 3-5
Download

Have Any question for us?