CCIE EI DOO Part2


CCIE Deploy, Operate and Optimize guidelines

Before you begin, please read these guidelines.

Overall module guidelines

1. The network that you will deploy, operate and optimize in this module will be similar, but not necessarily identical, to the network designed in the previous module. All relevant information needed to successfully complete this module can be found in this module itself and overrides any information provided in the previous module.

2. Before you start, confirm that all devices in your rack are accessible. During the exam, if any device becomes locked or inaccessible, you must recover it.

3. Your equipment is partially preconfigured. Do not change any of the preconfigured parameters unless you are specifically told to.

4. The partial configuration on the devices may deliberately contain mistakes and errors which may need to be corrected, or workarounds applied, in order to complete specific tasks. Therefore consider troubleshooting an integral part of this module.

5. Points are awarded only for fully working configurations. No partial scoring is provided. It is recommended that toward the end of the exam you go back and test the functionality against all question requirements.

6. If you need clarification on any of the questions, or if you suspect that there might be an issue with your equipment or exam environment, contact the lab proctor as soon as possible.

7. Item-level feedback can be provided at the question level. Feedback will be processed, but Cisco will not reach out to you to discuss any feedback provided. You will not be compensated for the time you spend providing feedback.

8. Access to select Cisco online documentation is available from your desktop. Access to select third-party product documentation (such as Python) is available from the Resources window under the External Documentation category.

9. When you finish the lab exam, make sure that all devices are accessible to the grading proctor by leaving them in EXEC mode and closing the console windows. A device that is not accessible for grading cannot be graded, and this may cause you to lose substantial points.

10. You have 5 hours to complete this module. Upon finishing the exam, ensure that all devices are accessible. Any device that is not accessible for grading purposes may cause you to lose substantial points.

Track-specific guidelines

1. There are several end hosts present in the lab topology, named hostXY (for example, host11). They are all identical and can all be used at your full discretion, including accessing the GUI of DNA Center, vManage and ISE through Firefox, performing IP connectivity tests, generating or capturing traffic, and coding in Python or C.

2. All hostXY devices are configured as DHCP clients. Should it be necessary to force a host to release and renew its DHCP lease, right-click on the icon of the network manager located between the CPU utilization and check applets in the bottom task bar, unselect Enable Networking, then right-click on it again and select Enable Networking.

3. The web-based GUI of DNA Center, vManage and ISE can only be accessed from the hostXY end hosts, using Firefox installed on these end hosts. These servers cannot be accessed directly from the desktop you are working on now. You must always connect to a hostXY as a jump host and access DNA Center, vManage or ISE from there. Always ignore any SSL/TLS certificate warnings that Firefox may display.

4. Devices in the topology may have more interfaces, addresses and routes configured than what is shown in the diagrams and accompanying tables. Ignore such interfaces, addresses and routes entirely, unless a task explicitly requires you to use or modify them.

5. Changing or removing parts of the initial running configuration on devices, as opposed to adding new configuration, is allowed only if the task allows or requires it explicitly, or if there is no other way of accomplishing the task.

SECTION 2.3: Mapping SDA VNs to SD-WAN VPNs

Using the vManage GUI, perform the following configuration tasks:

1. Use any host, such as Host11, to access the vManage GUI at https://203.0.113.21.

2. Create three new SD-WAN VPNs to carry the SDA VN traffic:

2.1. VPN ID 198 for the iot VN.

2.2. VPN ID 199 for the guest VN.

2.3. VPN ID 200 for the employees VN.

On the branch #1 and branch #2 vEdges, for each of these VPNs:

1. Create a new sub-interface on the interface toward the SDA border switch. Align the VLAN ID and IP address of the sub-interface with the configuration generated by DNA Center on the border switches for the corresponding VN.

2. Peer the vEdge and the SDA border switch using IBGP. Ensure full reachability between all locations of the same VPN.

Solution:

Log in to SW400, SW501 and SW502 and read the IP addresses that DNA Center assigned to the northbound (L3 handoff) VLANs; those VLAN IDs and addresses are what go into the vManage template for the sub-interfaces and BGP neighbors.

Verification:

SW400:

SW501:

SW502:

SECTION 2.4:Configuring SD-WAN VPN Route Leaking

1. To allow the traditional parts of the FABD2 network to communicate with the employees and iot VPNs/VNs, configure route leaking in SD-WAN:

2. Prefixes in the iot VPN 198 must be imported into the existing SDA underlay VPN 999 and tagged with the tag value 198.

3. Prefixes in the employees VPN 200 must be imported into the existing SDA underlay VPN 999 and tagged with the tag value 200.

4. Prefixes in the SDA underlay VPN 999 advertised from the DC that are within the 10.4.0.0/15 range must be rejected.

5. Other prefixes in the SDA underlay VPN 999 advertised from the DC must be accepted and also imported into the iot VPN 198 and the employees VPN 200.

6. Redistribution from OMP into OSPF on branches #1 and #2 in VPN 999 must exclude vRoutes tagged with the values 198 or 200.

6.1. Place Host41 into the employees VN.

6.2. Place Host51 into the iot VN.

6.3. Make sure both hosts receive their IP settings from DHCP.

6.4. Ensure that the iot and employees VPNs on branches #1 and #2 have reachability to branches #3 and #4.

6.5. It is allowed to modify the VPN 999 OMP settings to accomplish this requirement.

Solution:

This part is done by logging in to vSmart and filling in the policy template (the centralized control policy that performs the leaking, tagging and filtering, plus the localized route policy on the branch vEdges that keeps the tagged routes out of OSPF).
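The page only says to fill in the template; the CLI below is an added example written for this edit (not configuration from the original page or from the exam) showing the same requirements 2 to 6 as a vSmart centralized control policy followed by the localized route policy on the branch #1/#2 vEdges. The list names, the site IDs (DC = site-id 2, branch #1 = 41, branch #2 = 51) and the placement of vEdge21/22 in the DC site are my assumptions; replace them with the values of your rack. The control policy is applied inbound because export-to route leaking acts on routes as vSmart receives them; default-action accept is required because a control policy rejects everything it does not match. Lines beginning with ! are comments for the reader and should be removed before pasting into the CLI.

```cisco
! vSmart: centralized control policy (site IDs and list names assumed)
policy
 lists
  vpn-list VPN-IOT-EMPLOYEES
   vpn 198
   vpn 200
  !
  site-list SITES-SDA
   site-id 2
   site-id 41
   site-id 51
  !
  prefix-list DC-REJECT
   ip-prefix 10.4.0.0/15 le 32
  !
 !
 control-policy LEAK-SDA
  ! seq 10/20: copy iot and employees routes into VPN 999, tagging them with the VPN ID
  sequence 10
   match route
    vpn 198
   !
   action accept
    export-to vpn 999
    set
     omp-tag 198
    !
   !
  !
  sequence 20
   match route
    vpn 200
   !
   action accept
    export-to vpn 999
    set
     omp-tag 200
    !
   !
  !
  ! seq 30: drop DC-originated VPN 999 prefixes inside 10.4.0.0/15
  sequence 30
   match route
    vpn 999
    site-id 2
    prefix-list DC-REJECT
   !
   action reject
   !
  !
  ! seq 40: accept the remaining DC prefixes in VPN 999 and copy them into VPN 198 and 200
  sequence 40
   match route
    vpn 999
    site-id 2
   !
   action accept
    export-to vpn-list VPN-IOT-EMPLOYEES
   !
  !
  default-action accept
 !
!
apply-policy
 site-list SITES-SDA
  control-policy LEAK-SDA in
 !
!
! Branch #1 and #2 vEdges: localized policy, keeps the tagged (leaked) vRoutes out of OSPF in VPN 999
policy
 route-policy OSPF-NO-LEAKED
  sequence 10
   match
    omp-tag 198
   !
   action reject
   !
  !
  sequence 20
   match
    omp-tag 200
   !
   action reject
   !
  !
  default-action accept
 !
!
vpn 999
 router
  ospf
   redistribute omp route-policy OSPF-NO-LEAKED
  !
 !
!
```

After committing, check on a branch vEdge that the leaked copies appear in VPN 999 with the expected tag (show omp routes vpn 999 detail shows the omp-tag) and that the OSPF database on the branch no longer carries them as external LSAs, while the 10.4.0.0/15 prefixes from the DC are absent from VPN 999 entirely.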

Verification:

SW400:

SW501:

SW502:

SECTION 2.5:Handling Guest Traffic

1. The guest VN/VPN on branches #1 and #2 must remain isolated from the rest of the company network. It is only allowed to reach the Internet through R23 and R24 in the DC.

1.1. Enable Internet connectivity for the guest VPN:

1.2. On vEdge21 and vEdge22, place the ge0/2 interfaces into the guest VPN 199.

1.3. On R23 and R24, create a new VRF named guest using the RD 65002:199, and place the gi4 interfaces into this VRF.

2. Assign addresses to these interfaces:

·R23 gi4: 10.2.123.1/24 
·R24 gi4: 10.2.224.1/24
·vEdge21 ge0/2:10.2.123.2/24 
·vEdge22 ge0/2:10.2.224.2/24

3. Peer R23 and vEdge21 in the guest VRF/VPN using IBGP.

4. Peer R24 and vEdge22 in the guest VRF/VPN using IBGP.

5. Ensure that R23 and R24 learn the routes in the guest VRF/VPN over IBGP.

6. On R23 and R24, configure a static default route in the guest VRF and point it to the ISP's IP address 200.99.23.1 or 200.99.24.1 as appropriate.

6.1. Advertise this default route in IBGP to vEdge21 and vEdge22.

6.2. On R23 and R24, configure PAT to allow the guest VPN to access the Internet by translating it to the router address on the link toward the ISP.

6.3. Reuse the NAT ACL already created on the router.

6.4. Do not use NAT pools.

6.5. Configure R23 as the DHCP server for the guest VPN:

6.6. Create a Loopback1 interface on R23 associated with the guest VRF with the IP address 10.2.255.211/32, and advertise this prefix in BGP toward vEdge21.

6.7. Create a DHCP pool named br1_guest for the branch #1 guest subnet.

6.8. Create a DHCP pool named br2_guest for the branch #2 guest subnet.

6.9. Explicitly associate both DHCP pools with the VRF guest.

6.10. In each subnet, assign addresses from .101 up to .254 inclusive, and the appropriate gateway, to clients.

6.11. Associate Host42 and Host52 with the guest VN in DNA Center, and make sure that both hosts receive the appropriate address.

6.12. Make sure that Host42 and Host52 can ping 8.8.8.8 in the ISP cloud.

Solution:

R23:

! Rack note: Ethernet0/3 below is GigabitEthernet4 in the exam rack, and Ethernet0/0 is GigabitEthernet1.
! The task asks for a VRF named "guest"; IOS VRF names are case-sensitive, so the exact lowercase name is used.
! Let the DHCP server use VRF information carried in relayed (remote) requests.
ip dhcp use vrf remote

vrf definition guest
    rd 65002:199
    address-family ipv4

interface Loopback1
    vrf forwarding guest
    ip address 10.2.255.211 255.255.255.255

interface Ethernet0/3
    vrf forwarding guest
    ip address 10.2.123.1 255.255.255.0
    ip nat inside

! Excluding .0 to .100 leaves .101 to .254 for clients; the gateway .1 falls inside the excluded range.
ip dhcp excluded-address vrf guest 10.4.199.0 10.4.199.100
ip dhcp excluded-address vrf guest 10.5.199.0 10.5.199.100

ip dhcp pool br1_guest
    vrf guest
    network 10.4.199.0 255.255.255.0
    default-router 10.4.199.1

ip dhcp pool br2_guest
    vrf guest
    network 10.5.199.0 255.255.255.0
    default-router 10.5.199.1

! Default route in VRF guest whose next hop is resolved in the global table (the ISP link).
ip route vrf guest 0.0.0.0 0.0.0.0 200.99.23.1 global

router bgp 65002
    address-family ipv4 vrf guest
        network 0.0.0.0 mask 0.0.0.0
        network 10.2.255.211 mask 255.255.255.255
        neighbor 10.2.123.2 remote-as 65002
        neighbor 10.2.123.2 activate
        neighbor 10.2.123.2 next-hop-self

! PAT from VRF guest to the global ISP-facing interface, reusing the existing ACL "NAT".
! Ethernet0/0 is assumed to already carry "ip nat outside" from the preconfiguration; verify with "show ip nat statistics".
ip nat inside source list NAT interface Ethernet0/0 vrf guest overload

R24:

! Same rack note as R23: Ethernet0/3 is GigabitEthernet4 and Ethernet0/0 is GigabitEthernet1 in the exam rack.
vrf definition guest
    rd 65002:199
    address-family ipv4

interface Ethernet0/3
    vrf forwarding guest
    ip address 10.2.224.1 255.255.255.0
    ip nat inside

ip route vrf guest 0.0.0.0 0.0.0.0 200.99.24.1 global

router bgp 65002
    address-family ipv4 vrf guest
        network 0.0.0.0 mask 0.0.0.0
        neighbor 10.2.224.2 remote-as 65002
        neighbor 10.2.224.2 activate
        neighbor 10.2.224.2 next-hop-self

! Ethernet0/0 is assumed to already carry "ip nat outside" from the preconfiguration.
ip nat inside source list NAT interface Ethernet0/0 vrf guest overload
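The page shows only the IOS side of the two IBGP sessions. The vEdge side of the same guest VPN, on vEdge21 toward R23 (this section) and on the branch #1 vEdge toward the SDA border (the L3 handoff of Section 2.3), is given below as an added example written for this edit, not configuration from the original page or the exam. The vEdge21 values (ge0/2, 10.2.123.2/24, R23 at 10.2.123.1, AS 65002) come from the task text. The branch #1 values are assumptions: the border-facing port ge0/1, handoff VLAN 199, a 192.0.2.0/30 transit link with SW400 at .1, and that the border also runs AS 65002; replace them with what DNA Center generated on SW400 (Section 2.3 solution). VPN 198 and 200 on the branch vEdge follow the same pattern with their own VLAN and transit addresses. Lines beginning with ! are comments for the reader and should be removed before pasting into the CLI.

```cisco
! vEdge21 (DC): guest VPN 199 toward R23
vpn 199
 router
  bgp 65002
   address-family ipv4-unicast
    redistribute omp
   !
   neighbor 10.2.123.1
    no shutdown
    remote-as 65002
    address-family ipv4-unicast
    !
   !
  !
 !
 omp
  advertise bgp
 !
 interface ge0/2
  ip address 10.2.123.2/24
  no shutdown
 !
!
! Branch #1 vEdge: L3 handoff sub-interface for VPN 199 toward the border SW400
! ASSUMED: parent port ge0/1, VLAN 199, transit 192.0.2.0/30, border AS 65002
vpn 0
 interface ge0/1
  no shutdown
 !
!
vpn 199
 router
  bgp 65002
   address-family ipv4-unicast
    redistribute omp
   !
   neighbor 192.0.2.1
    no shutdown
    remote-as 65002
    address-family ipv4-unicast
    !
   !
  !
 !
 omp
  advertise bgp
 !
 interface ge0/1.199
  ip address 192.0.2.2/30
  mtu 1496
  no shutdown
 !
!
```

Two details carry the requirements of this section: redistribute omp inside BGP is what hands the branch guest subnets to R23 (requirement 5) and hands the default route and the 10.2.255.211/32 DHCP server address to the border at the branch, and advertise bgp under omp is what carries them across the fabric between the two vEdges. The sub-interface MTU must be at least 4 bytes below the parent interface, otherwise the vEdge rejects the commit. vEdge22 mirrors the vEdge21 block with 10.2.224.2/24 and neighbor 10.2.224.1.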

Verification:

vEdge21:

vEdge22:

SW400:

SW501:

SW502:

Host42:

SECTION 2.6: Support for Silent Hosts in Branch #2

1. In the future, branch #2 will be equipped with IP-based IoT endpoints operating in speak-when-spoken-to mode, also called silent hosts. Which of the following SDA features enables working connectivity with these IoT endpoints?

A. Layer 2 Flooding

B. Layer 2 Extension

C. Native Multicast

D. Endpoint Mobility

Answer: A. A silent host never sends traffic on its own, so the fabric cannot learn it by snooping; Layer 2 flooding delivers the broadcast and ARP traffic that makes such a host answer.

2. In the statement below, select one of the options from the drop-down list to complete the sentence and form a correct statement.

For SDA to support silent hosts, _______________________________ in the underlay as a prerequisite.

A. IP multicast routing with PIM-SM must be enabled

B. DHCP snooping must be enabled

C. IS-IS must be used as the routing protocol

D. No additional capability aside from unicast IP connectivity is required

Answer: A. Layer 2 flooding is delivered over an underlay multicast group, so IP multicast routing with PIM-SM must be enabled in the underlay before the feature can be turned on.


Author: Naraku
License: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Naraku when reposting.