CCIE EI DOO Part1


CCIE Deploy, Operate and Optimize guidelines

Before you begin, please read these guidelines.

Overall module guidelines

1. The network that you will deploy, operate and optimize in this module will be similar, but not necessarily identical, to the network designed in the previous module. All relevant information that is needed to successfully complete this module can be found in this module itself and overrides any information that was provided in the previous module.

2. Before you start, confirm that all devices in your rack are accessible. During the exam, if any device becomes locked or inaccessible, you must recover it.

3. Your equipment is partially preconfigured. Do not change any of the preconfigured parameters unless you are specifically told to.

4. The partial configuration on the devices may deliberately contain mistakes and errors which may need to be corrected, or workarounds applied, in order to complete specific tasks. Therefore consider troubleshooting an integral part of this module.

5. Points are awarded only for fully working configurations. No partial scoring is provided. It is recommended that toward the end of the exam you go back and test the functionality against all question requirements.

6. If you need clarification on any of the questions, or if you suspect that there might be an issue with your equipment or exam environment, contact the lab proctor as soon as possible.

7. Item-level feedback can be provided at the question level. Feedback will be processed, but Cisco will not reach out to you to discuss any feedback provided. You will not be compensated for the time you spend providing feedback.

8. Access to select Cisco online documentation is available from your desktop. Access to select third-party product documentation (such as Python) is available from the Resources window under the External Documentation category.

9. When you finish the lab exam, make sure that all devices are accessible to the grading proctor by leaving them in EXEC mode and closing the console windows. A device that is not accessible for grading cannot be graded, and this may cause you to lose substantial points.

10. You have 5 hours to complete this module. Upon finishing the exam, ensure that all devices are accessible. Any device that is not accessible for grading purposes may cause you to lose substantial points.

Track-specific guidelines

1. There are several end hosts present in the lab topology, named hostXY (for example, host11). They are all identical and can all be used at your full discretion, including accessing the GUI of DNA Center, vManage and ISE through Firefox, performing IP connectivity tests, generating or capturing traffic, and coding in Python or C.

2. All hostXY devices are configured as DHCP clients. Should it be necessary to force a host to release and renew its DHCP lease, right-click the icon of the network manager located between the CPU utilization and check applets in the bottom task bar, unselect Enable Networking, then right-click it again and select Enable Networking.

3. The web-based GUI of DNA Center, vManage and ISE can only be accessed from the hostXY end hosts, using the Firefox installed on them. These servers cannot be accessed directly from the desktop you are working on now. You must always connect to a hostXY as a jump host and access DNA Center, vManage or ISE from there. Always ignore any SSL/TLS certificate warnings that Firefox may display.

4. Devices in the topology may have more interfaces, addresses and routes configured than what is shown in the diagrams and accompanying tables. Ignore such interfaces, addresses and routes entirely, unless a task explicitly requires you to use or modify them.

5. Changing or removing parts of the initial running configuration on devices, as opposed to adding new configuration, is allowed only if the task allows or requires it explicitly, or if there is no other way of accomplishing the task.

SECTION 1.1: Introduction

Welcome back to the Fabd2 company!

You will deploy, operate, and optimize our network. The topology you will be working with will be similar, but not necessarily identical, to the network that was designed in the previous module, and may include technologies and feature sets not touched upon previously.

The best of success!

SECTION 1.2: Layer 2 Technologies in HQ

Complete and correct the EtherChannel configuration between switches sw101, sw102 and sw110 according to these requirements:

1. At the end of the task, all EtherChannels between switches sw101, sw102 and sw110 must be up and operational, including all their physical member links.

2. Do not create new Port-Channel interfaces; reuse those that already exist on the switches.

3. When resolving existing issues, do not change the preconfigured negotiation protocol (if any).

4. On EtherChannels that use a negotiation protocol, tune its mode of operation for the shortest link bundling time possible.

SW101:

int range g1/0-1
    channel-group 1 mode on

SW102:

int range g1/0-1
    channel-group 2 mode active

SW110:

interface port-channel 1
    shutdown
    no shutdown
int range g1/2-3
    channel-group 2 mode active

Configure Spanning Tree Protocol on switches sw101, sw102 and sw110 according to these requirements:

1. The STP root for VLAN 2000 must be sw101.

2. The STP root for VLAN 2001 must be sw102.

3. The roots must be elected based on bridge priority.

4. On the three switches, have STP perform cost calculations in 32-bit arithmetic.

5. On the three switches, use the Rapid STP version and ensure that it can achieve rapid convergence on all interconnections between the switches.

6. On sw110, prevent all current and future access mode interfaces from being affected by the Proposal/Agreement process.

Solution:

SW101:

spanning-tree mode rapid-pvst
spanning-tree vlan 2000 priority 0
spanning-tree pathcost method long
interface range port-channel 1-3
    spanning-tree link-type point-to-point

SW102:

spanning-tree mode rapid-pvst
spanning-tree vlan 2001 priority 0
spanning-tree pathcost method long
interface range port-channel 2-3
    spanning-tree link-type point-to-point

SW110:

spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree pathcost method long
interface range port-channel 1-2
    spanning-tree link-type point-to-point
    shutdown
    no shutdown

Verification:

EtherChannel:

Spanning tree:

SECTION 1.3: First Hop Redundancy Protocol in HQ

For IPv4, implement an FHRP mechanism on sw101 and sw102 for VLANs 2000 and 2001 according to these requirements:

1. Use group number 100 for VLAN 2000 and group number 101 for VLAN 2001.

2. Use the first available IPv4 address in the subnet as the address of the virtual router.

3. For VLAN 2000, sw101 must be the preferred gateway, and for VLAN 2001, sw102 must be the preferred gateway. Do not rely on the IPv4 addresses of the switches as role tiebreakers. The role must be determined by an explicit configuration solely on the intended preferred gateway.

4. Each preferred gateway must monitor the reachability of both routers r11 and r12 using the loopback IPv4 addresses of the routers by ICMP Echo. The reachability is to be verified every 5 seconds with a timeout of 400 msec. A router must be declared unreachable as soon as it does not respond to three probes in a row. If both r11 and r12 are declared unreachable from a preferred gateway, the other switch must be allowed to assume the gateway role.

5. Use the FHRP protocol that allows the virtual IPv4 address to match the IPv4 address of a member router.

Solution:

SW101:

ip sla 11
    icmp-echo 10.1.255.11
    threshold 80
    timeout 400
    frequency 5
ip sla 12
    icmp-echo 10.1.255.12
    threshold 80
    timeout 400
    frequency 5
    
ip sla schedule 11 start-time now life forever 
ip sla schedule 12 start-time now life forever 

track 11 ip sla 11 reachability
    delay down 10
track 12 ip sla 12 reachability
    delay down 10
    
track 100 list boolean or
    object 11
    object 12
    
interface vlan2000
    vrrp 100 ip 10.1.100.1
    vrrp 100 priority 110
    vrrp 100 track 100 decrement 20
    ip ospf 1 area 0

interface vlan2001
    vrrp 101 ip 10.1.101.1
    ip ospf 1 area 0
    
router ospf 1
    passive-interface Vlan2000
    passive-interface Vlan2001

SW102:

ip sla 11
    icmp-echo 10.1.255.11
    threshold 80
    timeout 400
    frequency 5
ip sla 12
    icmp-echo 10.1.255.12
    threshold 80
    timeout 400
    frequency 5

ip sla schedule 11 start-time now life forever 
ip sla schedule 12 start-time now life forever 

track 11 ip sla 11 reachability
    delay down 10
track 12 ip sla 12 reachability
    delay down 10
    
track 100 list boolean or
    object 11
    object 12

interface vlan2000
    vrrp 100 ip 10.1.100.1
    ip ospf 1 area 0
interface vlan2001
    vrrp 101 ip 10.1.101.1
    vrrp 101 priority 110
    vrrp 101 track 100 decrement 20
    ip ospf 1 area 0
    
router ospf 1
    passive-interface Vlan2000
    passive-interface Vlan2001

Verification:

Check the VRRP state and the track objects.

Note that the STP root bridge is also the VRRP master.
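The chain that makes requirement 4 work (IP SLA probe, reachability track, boolean-OR list, VRRP priority decrement) is easy to misjudge: the preferred gateway only gives up its role when both r11 and r12 are down, and only after the consecutive-miss rule has fired. The following Python model is an added example, not workbook or IOS code; the probe results are constructed, and it assumes that the solution's "delay down 10" with a 5-second probe frequency amounts to three consecutive missed probes, as the requirement demands.

```python
"""Model of the tracking chain in the VRRP solution for this section:
IP SLA probes -> 'track N ip sla N reachability' -> 'track 100 list boolean or'
-> 'vrrp 100 track 100 decrement 20' -> master election.
Added example (not IOS code, not from the workbook); probe results are constructed."""

from dataclasses import dataclass

MISSES_TO_FAIL = 3    # requirement: unreachable after three missed probes in a row
DECREMENT = 20        # vrrp 100 track 100 decrement 20
PREFERRED_PRIO = 110  # vrrp 100 priority 110 on the preferred gateway
DEFAULT_PRIO = 100    # VRRP default priority on the other switch


@dataclass
class ReachabilityTrack:
    """One reachability track object. The solution's 'delay down 10' with a 5 s
    probe frequency is modelled (assumption) as three consecutive misses."""
    name: str
    misses: int = 0
    up: bool = True

    def probe(self, replied: bool) -> bool:
        self.misses = 0 if replied else self.misses + 1
        self.up = self.misses < MISSES_TO_FAIL
        return self.up


def boolean_or(*tracks: ReachabilityTrack) -> bool:
    """'track 100 list boolean or' stays UP as long as at least one member is up."""
    return any(t.up for t in tracks)


def effective_priority(base: int, list_up: bool) -> int:
    """The decrement applies only while the tracked list is down."""
    return base if list_up else base - DECREMENT


def vrrp_master(prio_preferred: int, prio_other: int) -> str:
    """Higher priority wins. VRRP would break a tie on the higher interface IP,
    which the task forbids relying on, so a tie is only flagged here."""
    if prio_preferred > prio_other:
        return "preferred"
    if prio_preferred < prio_other:
        return "other"
    return "tie"


def run_scenario(r11_replies, r12_replies):
    """Feed per-probe results (True = ICMP Echo answered) for r11 and r12 into
    the chain and return which switch is master after each probe period."""
    t11, t12 = ReachabilityTrack("r11"), ReachabilityTrack("r12")
    timeline = []
    for answered_11, answered_12 in zip(r11_replies, r12_replies):
        t11.probe(answered_11)
        t12.probe(answered_12)
        list_up = boolean_or(t11, t12)
        timeline.append(
            vrrp_master(effective_priority(PREFERRED_PRIO, list_up), DEFAULT_PRIO)
        )
    return timeline


if __name__ == "__main__":
    # Constructed scenarios for VLAN 2000, where sw101 is the preferred gateway.
    print("only r11 down :", run_scenario([False] * 4, [True] * 4))
    print("both down     :", run_scenario([False] * 4, [False] * 4))
    print("brief outage  :", run_scenario([False, False, True, True],
                                          [False, False, True, True]))
```

With only one router unreachable the list stays up and sw101 keeps the role; with both unreachable the role moves after the third missed probe (110 - 20 = 90 < 100); a two-probe outage never triggers failover because the miss counter resets on the first reply.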

SECTION 1.4: OSPFv2 between HQ and DC

Complete and correct the OSPF configuration on switches sw101, sw102, sw201 and sw202 according to these requirements:

1. Enable OSPFv2 on the redundant interconnections between the DC and HQ sites. Make sure that OSPF establishes adjacencies on these interconnections and exchanges routing information between the DC and HQ sites.

2. Protect the authenticity and integrity of the OSPFv2 sessions on the redundant interconnections between DC and HQ with the SHA-384 mechanism. Use key ID 1 and a shared secret of “cci3” (without quotes).

3. Improve the detection of unreachable OSPFv2 neighbors on the redundant interconnections between DC and HQ so that OSPF can detect the loss of a neighbor within 300 msec, with the probes being sent every 100 msec. It is not allowed to modify OSPF timers to accomplish this requirement.

Solution:

SW101&SW102:

key chain hqdc
    key 1
        key-string cci3
        cryptographic-algorithm hmac-sha-384
interface GigabitEthernet 0/2
    ip ospf authentication key-chain hqdc
    ip ospf bfd
    bfd interval 100 min_rx 100 multiplier 3

SW201&SW202:

key chain hqdc
    key 1
        key-string cci3
        cryptographic-algorithm hmac-sha-384
interface GigabitEthernet 1/2
    ip ospf authentication key-chain hqdc
    ip ospf bfd
    bfd interval 100 min_rx 100 multiplier 3

router ospf 1
    no passive-interface gigabitEthernet 1/2

Verification:
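What the `cryptographic-algorithm hmac-sha-384` key chain actually buys is an authentication trailer that a receiver can only recompute with the shared secret, so a modified packet or a wrong key is rejected. The Python below is an added example modelled on the RFC 5709 construction (HMAC-SHA-384 over the OSPFv2 packet followed by the Apad constant, carried as a trailer); it is not workbook or IOS code. It simplifies by taking the cryptographic sequence number as given and using a constructed Hello packet; key rollover and replay handling, which IOS performs, are not modelled.

```python
"""Integrity check of the kind the HMAC-SHA-384 key chain in this section gives
OSPFv2, modelled on RFC 5709: digest = HMAC-SHA-384(key, packet || Apad), sent
as a trailer after the packet. Added example, not workbook or IOS code."""

import hashlib
import hmac
import struct

APAD_WORD = 0x878FE1F3                     # RFC 5709 Apad constant
DIGEST_LEN = hashlib.sha384().digest_size  # 48 bytes for SHA-384


def ospf_hmac_sha384(key: bytes, packet: bytes) -> bytes:
    """HMAC-SHA-384 over packet || Apad, with Apad repeated to the digest length."""
    apad = struct.pack("!I", APAD_WORD) * (DIGEST_LEN // 4)
    return hmac.new(key, packet + apad, hashlib.sha384).digest()


def sign(key: bytes, packet: bytes) -> bytes:
    """Append the authentication trailer to the packet."""
    return packet + ospf_hmac_sha384(key, packet)


def verify(key: bytes, wire: bytes) -> bool:
    """Recompute the trailer and compare it in constant time."""
    if len(wire) < 24 + DIGEST_LEN:          # at least an OSPF header plus trailer
        return False
    packet, trailer = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    return hmac.compare_digest(trailer, ospf_hmac_sha384(key, packet))


def build_hello(router_id: str = "10.1.255.101", seq: int = 1) -> bytes:
    """Constructed OSPFv2 Hello: version 2, type 1, area 0, AuType 2
    (cryptographic), key ID 1 and auth-data length 48 as the key chain implies.
    The router ID and Hello fields are illustrative, not taken from the lab."""
    rid = bytes(int(o) for o in router_id.split("."))
    # network mask, hello interval 10, options, priority 1, dead 40, DR, BDR
    body = bytes.fromhex("ffffff00" "000a" "02" "01" "00000028" "00000000" "00000000")
    header = (struct.pack("!BBH", 2, 1, 24 + len(body)) + rid + bytes(4)
              + struct.pack("!HH", 0, 2)                     # checksum 0, AuType 2
              + struct.pack("!HBBI", 0, 1, DIGEST_LEN, seq))  # key ID 1, len, seq
    return header + body


if __name__ == "__main__":
    key = b"cci3"
    wire = sign(key, build_hello())
    print(verify(key, wire))       # True
    print(verify(b"wrong", wire))  # False
```

Note that because the key "cci3" is shorter than the digest length, the zero-padding RFC 5709 prescribes for short keys is exactly what standard HMAC does, so the library call is sufficient here.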

SECTION 1.5: DHCP IPv4 Service for HQ

Enable hosts in HQ VLAN 2000 and VLAN 2001 to obtain their IP configuration via DHCP according to these requirements:

1. On SW211, create IPv4 DHCP pools named hq_v2000 and hq_v2001 for HQ VLANs 2000 and 2001 respectively. In each subnet, assign addresses from .101 up to .254 inclusive, and the appropriate gateway, to clients.

2. Enable DHCP Snooping on sw110 in VLANs 2000 and 2001 to protect against DHCP-related attacks.

3. Place host11 into VLAN 2000.

4. Place host12 into VLAN 2001.

5. Perform the necessary configuration on switches sw101, sw102 and sw110 to enable hosts in VLANs 2000 and 2001 to obtain IPv4 configuration through DHCP. The DHCP server running on sw211 in the DC must be referred to by its loopback IPv4 address 10.2.255.211. Do not disable the Option 82 insertion, and do not enable DHCP Snooping on other switches.

6. Verify that host11 and host12 have IP connectivity to the Cisco DNA Center, vManage and ISE running in the DC using their internal (in-band connectivity) addresses.

Solution:

SW211:

ip dhcp relay information trust-all

ip dhcp excluded-address 10.1.100.0 10.1.100.100
ip dhcp excluded-address 10.1.101.0 10.1.101.100
ip dhcp pool hq_v2000
    network 10.1.100.0 255.255.255.0
    default-router 10.1.100.1
ip dhcp pool hq_v2001
    network 10.1.101.0 255.255.255.0
    default-router 10.1.101.1

SW101&SW102:

ip dhcp relay information option
ip dhcp relay information trust-all

int vlan 2000
    ip helper-address 10.2.255.211
    
int vlan 2001
    ip helper-address 10.2.255.211

SW110:

ip dhcp snooping vlan 2000
ip dhcp snooping vlan 2001
ip dhcp snooping information option
ip dhcp snooping
interface range port-channel 1-2
    ip dhcp snooping trust
    
interface GigabitEthernet 0/0
    switchport mode access
    switchport access vlan 2000
interface GigabitEthernet 0/1
    switchport mode access
    switchport access vlan 2001

Verification:

On host11 and host12, set the interface connected to sw110 to obtain its address via DHCP; once an address is obtained, check connectivity to the loopbacks of R16/R11.

Check the address leases on SW211: one address has been leased, starting at .101, since .1 to .100 are excluded.
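The `ip dhcp relay information trust-all` lines on SW101/SW102 and SW211 are there because sw110, with `ip dhcp snooping information option`, inserts Option 82 into client packets while leaving giaddr at 0.0.0.0; an IOS relay drops such packets by default. The Python below is an added example, not workbook or IOS code: it parses the Relay Agent Information option (sub-options 1 and 2, decoded with Cisco's default circuit-id and remote-id encodings) from a constructed DHCPDISCOVER options field and applies that acceptance rule. The VLAN, port and switch MAC in the sample are constructed values.

```python
"""Parser for DHCP Option 82 (Relay Agent Information) as inserted by DHCP
snooping, plus the relay acceptance rule that 'ip dhcp relay information
trust-all' relaxes. Added example, not workbook or IOS code; sample is constructed."""

import struct
from dataclasses import dataclass

OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


@dataclass
class RelayAgentInfo:
    circuit_id: bytes
    remote_id: bytes

    def cisco_circuit(self):
        """Cisco default circuit-id: type 0, length 4, VLAN (2 bytes), module, port."""
        if len(self.circuit_id) == 6 and self.circuit_id[:2] == b"\x00\x04":
            return struct.unpack("!HBB", self.circuit_id[2:])  # (vlan, module, port)
        return None

    def cisco_remote_mac(self):
        """Cisco default remote-id: type 0, length 6, MAC of the inserting switch."""
        if len(self.remote_id) == 8 and self.remote_id[:2] == b"\x00\x06":
            return ":".join(f"{b:02x}" for b in self.remote_id[2:])
        return None


def parse_dhcp_options(options: bytes) -> dict:
    """Split a DHCP options field (bytes after the magic cookie) into {code: value}."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        out[code] = value
        i += 2 + length
    return out


def parse_option82(value: bytes) -> RelayAgentInfo:
    """Walk the sub-options inside Option 82; unknown sub-options are skipped."""
    circuit, remote, i = b"", b"", 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("sub-option header truncated")
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {sub} truncated")
        if sub == SUBOPT_CIRCUIT_ID:
            circuit = data
        elif sub == SUBOPT_REMOTE_ID:
            remote = data
        i += 2 + length
    return RelayAgentInfo(circuit, remote)


def relay_accepts(giaddr: str, has_option82: bool, trust_all: bool) -> bool:
    """Default relay behaviour that trust-all changes: a client packet that already
    carries Option 82 but has giaddr 0.0.0.0 is dropped unless trusted."""
    return not (has_option82 and giaddr == "0.0.0.0" and not trust_all)


# Constructed DHCPDISCOVER options from host11 after sw110 added Option 82:
# circuit-id VLAN 2000 (0x07D0), module 0, port 1; remote-id = constructed switch MAC.
SAMPLE_OPTIONS = bytes([
    53, 1, 1,                                        # DHCP message type: DISCOVER
    82, 18,                                          # Relay Agent Information
    1, 6, 0, 4, 0x07, 0xD0, 0, 1,                    #   circuit-id sub-option
    2, 8, 0, 6, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  #   remote-id sub-option
    255,
])


def decode_sample(options: bytes = SAMPLE_OPTIONS):
    """Return (vlan, module, port, switch_mac) from a packet's options field."""
    info = parse_option82(parse_dhcp_options(options)[OPT_RELAY_AGENT_INFO])
    vlan, module, port = info.cisco_circuit()
    return vlan, module, port, info.cisco_remote_mac()


if __name__ == "__main__":
    print(decode_sample())                                   # (2000, 0, 1, '00:11:22:33:44:55')
    print(relay_accepts("0.0.0.0", True, trust_all=False))   # False: dropped by default
    print(relay_accepts("0.0.0.0", True, trust_all=True))    # True
```

The decoded circuit-id is what lets the server or an operator tie a lease to the access port that requested it, which is why the task forbids disabling the insertion.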

SECTION 1.6: IPv6 in HQ

Implement IPv6 on sw101 and sw102 for switch virtual interfaces (SVIs) Vlan2000 and Vlan2001 according to these requirements:

SW101:

·Interface VLAN 2000:  2001:DB8:1:100::1/64
·Interface VLAN 2001:  2001:DB8:1:101::1/64

SW102:

·Interface VLAN 2000 : 2001:DB8:1:100::2/64
·Interface VLAN 2001 : 2001:DB8:1:101::2/64

1. The configuration must enable hosts in these VLANs to obtain their IPv6 configuration via SLAAC and keep stable connectivity with other IPv6 networks.

2. Use native IPv6 means to provide gateway redundancy, with sw101 being the preferred gateway in VLAN 2000 and sw102 being the preferred gateway in VLAN 2001. The role must be determined by an explicit configuration solely on the intended preferred gateway.

3. Hosts must be able to detect the failure of the preferred gateway in as little as 3 seconds.

Solution:

SW101:

ipv6 unicast-routing
interface vlan2000
    ipv6 enable
    ipv6 address 2001:DB8:1:100::1/64
    ipv6 nd router-preference High
    ipv6 nd ra lifetime 3
    ipv6 nd ra interval msec 2000
    
interface vlan2001
    ipv6 enable
    ipv6 address 2001:DB8:1:101::1/64
    ipv6 nd ra lifetime 3
    ipv6 nd ra interval msec 2000

SW102:

ipv6 unicast-routing
interface vlan2000
    ipv6 enable
    ipv6 address 2001:DB8:1:100::2/64
    ipv6 nd ra lifetime 3
    ipv6 nd ra interval msec 2000
    
interface vlan2001
    ipv6 enable
    ipv6 address 2001:DB8:1:101::2/64
    ipv6 nd router-preference High
    ipv6 nd ra lifetime 3
    ipv6 nd ra interval msec 2000

Verification:

SECTION 1.7: IPV6 EIGRP in HQ

In HQ, enable EIGRP for IPv6 on r11, r12, sw101 and sw102 according to these requirements:

1. Use process name “ccie” (without the quotes) and AS number 65001.

2. Do not configure any additional IPv6 addresses.

3. IPv6 EIGRP may form adjacencies only over the physical Layer 3 interfaces between r11, r12, sw101 and sw102.

4. Prevent IPv6 EIGRP from automatically running on, or advertising attached prefixes from, new IPv6-enabled interfaces in the future unless allowed explicitly.

5. Ensure that the attached IPv6 prefixes on SVIs Vlan2000 and Vlan2001 on sw101 and sw102 are advertised in IPv6 EIGRP and learned on r11 and r12.

6. No route filtering is allowed to accomplish this entire task.

Solution:

R11&R12:

ipv6 unicast-routing
router eigrp ccie
    address-family ipv6 unicast autonomous-system 65001
        af-interface default
            shutdown
            passive-interface
        af-interface GigabitEthernet0/1
            no shutdown
            no passive-interface
        af-interface GigabitEthernet0/2
            no shutdown
            no passive-interface
        af-interface GigabitEthernet0/3
            no shutdown
            no passive-interface
        af-interface loopback 0
            no shutdown

SW101&SW102:

router eigrp ccie
    address-family ipv6 unicast autonomous-system 65001
        af-interface default
            passive-interface
            shutdown
        af-interface GigabitEthernet0/1
            no passive-interface
            no shutdown
        af-interface GigabitEthernet0/2
            no passive-interface
            no shutdown
        af-interface Vlan2000
            no shutdown
        af-interface Vlan2001
            no shutdown

Verification:

Check the IPv6 EIGRP neighbors and the IPv6 routing table, and ping the Vlan2000/Vlan2001 addresses of sw101/sw102.
Note that r11/r12 have a Loopback0, whereas sw101/sw102 have no loopback interface, only SVIs.

SECTION 1.8 OSPFv2 in DC

Configure devices in the DC according to these requirements:

1. Switches SW201 and SW202 must establish a stable OSPF adjacency in the Full state with vEdge21 and vEdge22 on interface Vlan3999. Any configuration changes and corrections necessary to meet this requirement may be performed only on the switches, and any mismatched parameters causing the issue must be changed to exactly match the configuration of the vEdges.

2. All OSPF speakers in the DC running Cisco IOS and IOS-XE software must be configured to keep the number of advertised internal routes to an absolute minimum while not impacting the reachability of the services. This includes the reachability of ISE, DNA Center, vManage, vBond and vSmart on their internal (in-band connectivity) addresses, as well as any existing and future devices in VLAN 4000 on SW201 and SW202. The configuration for this requirement must be completed exclusively within the ‘router ospf’ and ‘interface Vlan’ contexts, without causing any impact to existing OSPF adjacencies.

3. Router R24 must advertise two prefixes, 10.6.0.0/15 and 10.200.0.0/24, as type-5 LSAs in OSPFv2 to provide HQ and DC with reachability to the DMVPN tunnel and branches #3 and #4. The configuration for this requirement must be completed exclusively within the ‘router ospf’ context.

4. Any route from the 10.2.0.0/16 range that keeps being advertised in OSPF must continue being advertised as an intra-area route.

5. It is not allowed to modify existing areas in this task.

Solution:

SW201&SW202:

interface Vlan3999
    ip mtu 1496
interface Vlan4000
    ip ospf prefix-suppression disable
    
clear ip ospf process

SW201&SW202&SW211&SW212&R21&R22&R23&R24:

router ospf 1
    prefix-suppression

SW211:

router ospf 1
    passive-interface GigabitEthernet1/1
    passive-interface GigabitEthernet1/2
    passive-interface GigabitEthernet1/3

SW212:

router ospf 1
    passive-interface GigabitEthernet1/1
    passive-interface GigabitEthernet1/2

R24:

ip prefix-list dmvpn seq 5 permit 10.6.0.0/15 le 32
ip prefix-list dmvpn seq 10 permit 10.200.0.0/24

route-map dmvpn permit 10
    match ip address prefix-list dmvpn
router ospf 1
    redistribute eigrp 65006 route-map dmvpn
    summary-address 10.200.0.0 255.255.255.0
    summary-address 10.6.0.0 255.254.0.0

Note:

With prefix-suppression, only routes of the stub type, the loopback type, or of interfaces configured with ip ospf prefix-suppression disable are still advertised; routes corresponding to the other type-1 LSA links are not advertised.

Verification:

The 10.6.0.0/15 route appears only once the DMVPN task has been completed.

SECTION 1.9: BGP between HQ-DC and Service Providers

Configure the BGP peering between HQ/DC and Global SP #1 and Global SP #2 according to these requirements:

1. Bring up the BGP peering between HQ R11 and SP#1 R3.

2. Bring up the BGP peering between DC R21 and SP#1 R3.

3. Bring up the BGP peering between DC R22 and SP#2.

4. Ensure that the routes learned over EBGP sessions and further advertised in IBGP will be considered reachable even if the networks on the inter-AS links are not advertised in OSPF. The configuration for this requirement must be completed exclusively within the ‘router bgp’ context.

5. On R11, R21 and R22, perform mutual redistribution between OSPFv2 and BGP; however, prevent routes that were injected into OSPF from BGP from being reinjected back into BGP. This requirement must be solved on R11, R21 and R22 using only a single route-map on each of the routers and without any reference to ACLs, prefix lists, or route type.

6. Prevent HQ and DC from ever communicating through SP#1 R3; all communication between HQ and DC must occur only over the direct SW101/SW201 and SW102/SW202 interconnections. Any other communication must remain unaffected. This requirement must be solved on R21 and R22 by route filtering based on a well-known mandatory attribute, without the use of route maps.

7. No command may be removed from the configuration of R11 in this task.

8. It is allowed to modify existing configuration commands on R21 and R22 in this task.

Solution:

R11:

router ospf 1
    redistribute bgp 65001 subnets tag 1122

route-map tag deny 10
    match tag 1122 
route-map tag permit 20

ip as-path access-list 100 deny 65002$
ip as-path access-list 100 permit .*

router bgp 65001
    bgp router-id 10.1.255.11
    neighbor 100.3.11.1 remote-as 10000
    address-family ipv4 unicast
        neighbor 100.3.11.1 activate
        neighbor 100.3.11.1 filter-list 100 in
        redistribute ospf 1 route-map tag 

clear ip bgp * soft

R21:

router ospf 1
    redistribute bgp 65002 subnets tag 1122

route-map tag deny 10
    match tag 1122 
route-map tag permit 20

ip as-path access-list 100 deny 65001$ 
ip as-path access-list 100 permit .*

router bgp 65002
    neighbor 10.2.255.22 next-hop-self
    neighbor 100.3.21.1 remote-as 10000
    neighbor 100.3.21.1 filter-list 100 in
    no redistribute ospf 1 match external 1 external 2
    redistribute ospf 1 route-map tag

clear ip bgp * soft

R22:

router ospf 1
    redistribute bgp 65002 subnets tag 1122

route-map tag deny 10
    match tag 1122 
route-map tag permit 20

router bgp 65002
    neighbor 101.22.0.1 remote-as 10001
    no redistribute ospf 1 match external 1 external 2
    redistribute ospf 1 route-map tag

clear ip bgp * soft

Verification:

Check R21 and R22 in the same way.
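The AS_PATH attribute is the well-known mandatory attribute requirement 6 points at, and the `filter-list 100 in` on R21 relies on `65001$` matching only paths that end in (were originated by) HQ's AS. The Python below is an added example, not workbook or IOS code: it evaluates IOS-style `ip as-path access-list` entries (first match wins, implicit deny, the IOS `_` token translated to a Python regex) over constructed updates as R21 could receive them from R3, and also shows how the stricter `_65001_` pattern would differ. The prefixes other than the HQ ones are documentation ranges chosen for the example.

```python
"""Evaluator for IOS 'ip as-path access-list' entries, used to show what R21's
filter-list 100 ('deny 65001$', 'permit .*') lets through from SP#1 R3.
Added example, not workbook or IOS code; the sample updates are constructed."""

import re


def ios_as_path_regex(pattern: str) -> re.Pattern:
    """Translate an IOS AS-path regex into a Python regex. IOS '_' matches the
    start or end of the path or any delimiter (space, comma, braces, parens);
    everything else is ordinary regex syntax. Assumes '_' is not used inside a
    character class."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def as_path_access_list(entries):
    """Build an evaluator for an ordered list of (action, regex) entries.
    As in IOS, the first matching entry decides and the implicit default is deny."""
    compiled = [(action, ios_as_path_regex(rx)) for action, rx in entries]

    def evaluate(as_path: str) -> bool:
        for action, rx in compiled:
            if rx.search(as_path):
                return action == "permit"
        return False

    return evaluate


# R21's filter as applied inbound from R3 (AS 10000) in the solution above
R21_FILTER = as_path_access_list([("deny", "65001$"), ("permit", ".*")])

# Constructed updates as R21 could receive them from R3; AS_PATH as a space-separated string
SAMPLE_UPDATES = {
    "10.1.100.0/24":   "10000 65001",        # HQ prefix originated by AS 65001
    "10.1.255.11/32":  "10000 65001",        # R11 loopback
    "192.0.2.0/24":    "10000 65100",        # another SP#1 customer (constructed AS)
    "198.51.100.0/24": "10000",              # SP#1's own prefix
    "203.0.113.0/24":  "10000 65001 65100",  # transited 65001, originated elsewhere
}


def accepted_prefixes(updates=SAMPLE_UPDATES, evaluate=R21_FILTER):
    """Prefixes that survive the inbound filter, sorted for stable output."""
    return sorted(p for p, path in updates.items() if evaluate(path))


if __name__ == "__main__":
    print(accepted_prefixes())
    # '_65001_' would also drop paths that merely pass through AS 65001:
    strict = as_path_access_list([("deny", "_65001_"), ("permit", ".*")])
    print(accepted_prefixes(evaluate=strict))
```

With `65001$`, HQ-originated prefixes are dropped while SP#1's own prefix, other customers, and anything that only transits 65001 still arrive, which is the "any other communication must remain unaffected" part of the requirement.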

SECTION 1.10: Bringing up VPNv4/VPNv6 in SP#1

Configure routers r3, r4, r5 and r6 in SP#1 according to these requirements:

1. Configure r3 through r6 for mutual VPNv4 and VPNv6 route exchange without the use of a route reflector. Use Lo0 IPv4 addresses for the peerings.

2. Configure r3 through r6 to assign (allocate/bind) as few unique MPLS labels to all existing and future VPNv4 and VPNv6 routes as possible.

3. On routers r3 through r6, prevent any existing and future customer from discovering details about the inner topology of SP#1. It is not allowed to use ACLs to accomplish this requirement.

Solution:

R3:

ipv6 unicast-routing

mpls label protocol ldp
mpls ldp router-id loopback 0 force
no mpls ip propagate-ttl forwarded
mpls label mode all-vrfs protocol all-afs per-vrf

router bgp 10000
    bgp router-id 100.255.254.3
    neighbor 100.255.254.4 remote-as 10000
    neighbor 100.255.254.4 update-source Loopback 0
    neighbor 100.255.254.5 remote-as 10000 
    neighbor 100.255.254.5 update-source Loopback 0
    neighbor 100.255.254.6 remote-as 10000 
    neighbor 100.255.254.6 update-source Loopback 0  
    address-family vpnv4 unicast
        neighbor 100.255.254.4 activate
        neighbor 100.255.254.5 activate
        neighbor 100.255.254.6 activate
    address-family vpnv6 unicast
        neighbor 100.255.254.4 activate
        neighbor 100.255.254.5 activate
        neighbor 100.255.254.6 activate

R4:

ipv6 unicast-routing

mpls label protocol ldp
mpls ldp router-id loopback 0 force
no mpls ip propagate-ttl forwarded
mpls label mode all-vrfs protocol all-afs per-vrf

vrf definition fabd2
    no route-target both 10000:4
    route-target both 10000:1
interface loopback 0
    ip address 100.255.254.4 255.255.255.255

router bgp 10000
    bgp router-id 100.255.254.4
    neighbor 100.255.254.3 remote-as 10000
    neighbor 100.255.254.3 update-source Loopback 0
    neighbor 100.255.254.5 remote-as 10000 
    neighbor 100.255.254.5 update-source Loopback 0
    neighbor 100.255.254.6 remote-as 10000 
    neighbor 100.255.254.6 update-source Loopback 0    
    address-family vpnv4 unicast
        neighbor 100.255.254.3 activate
        neighbor 100.255.254.5 activate
        neighbor 100.255.254.6 activate        
    address-family vpnv6 unicast
        neighbor 100.255.254.3 activate
        neighbor 100.255.254.5 activate
        neighbor 100.255.254.6 activate

R5:

mpls label protocol ldp
mpls ldp router-id loopback 0 force
no mpls ip propagate-ttl forwarded
mpls label mode all-vrfs protocol all-afs per-vrf

router bgp 10000
    bgp router-id 100.255.254.5
    neighbor 100.255.254.3 remote-as 10000
    neighbor 100.255.254.3 update-source Loopback 0
    neighbor 100.255.254.4 remote-as 10000 
    neighbor 100.255.254.4 update-source Loopback 0
    neighbor 100.255.254.6 remote-as 10000 
    neighbor 100.255.254.6 update-source Loopback 0
    address-family vpnv4 unicast
        neighbor 100.255.254.3 activate
        neighbor 100.255.254.4 activate
        neighbor 100.255.254.6 activate
    address-family vpnv6 unicast
        neighbor 100.255.254.3 activate
        neighbor 100.255.254.4 activate
        neighbor 100.255.254.6 activate

R6:

mpls label protocol ldp
mpls ldp router-id loopback 0 force
no mpls ip propagate-ttl forwarded
mpls label mode all-vrfs protocol all-afs per-vrf

router bgp 10000
    bgp router-id 100.255.254.6
    neighbor 100.255.254.3 remote-as 10000
    neighbor 100.255.254.3 update-source Loopback 0
    neighbor 100.255.254.4 remote-as 10000 
    neighbor 100.255.254.4 update-source Loopback 0
    neighbor 100.255.254.5 remote-as 10000 
    neighbor 100.255.254.5 update-source Loopback 0
    address-family vpnv4 unicast
        neighbor 100.255.254.3 activate
        neighbor 100.255.254.4 activate
        neighbor 100.255.254.5 activate
    address-family vpnv6 unicast
        neighbor 100.255.254.3 activate
        neighbor 100.255.254.4 activate
        neighbor 100.255.254.5 activate

Verification:

Check the branch routes:

As the output shows, the addresses of R1/R2 are hidden.

One label is allocated per VRF rather than one per prefix; the default is one label per prefix.

SECTION 1.11: Fixing Broken DMVPN between DC and branches #3 & #4

Correct the configuration issues resulting in broken DMVPN tunnel connectivity between DC, Branch 3 and Branch 4 according to these requirements:

1. The DMVPN must operate in IPsec-protected Phase 3 mode.

2. Using the FVRF approach, safeguard the DMVPN operation against any potential recursive routing issues involving the tunnel.

3. Do not create any new VRFs.

4. Do not change the tunnel source commands on tunnel interfaces.

5. On spokes, do not add new BGP neighbors; reuse those that are currently up while changing their VRF membership as needed.

6. It is not allowed to modify configuration on DC R24 to complete this entire task.

Solution:

R61:

interface Loopback 0
    vrf forwarding WAN
    ip address 10.6.255.61 255.255.255.255
interface GigabitEthernet0/0
    vrf forwarding WAN
    ip address 100.5.61.2 255.255.255.252

router bgp 65006
    no network 10.6.255.61 mask 255.255.255.255 
    no neighbor 100.5.61.1 remote-as 10000
    address-family ipv4 vrf WAN
        network 10.6.255.61 mask 255.255.255.255
        neighbor 100.5.61.1 remote-as 10000
        neighbor 100.5.61.1 activate

crypto keyring KR vrf WAN
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
no crypto isakmp key cisco address 0.0.0.0
crypto isakmp policy 10
    hash sha

interface Tunnel 0
    ip mtu 1440
    no ip nhrp map 10.2.255.24 10.200.0.1
    ip nhrp map 10.200.0.1 10.2.255.24
    ip nhrp shortcut
    tunnel vrf WAN

R62:

interface Loopback 0
    vrf forwarding WAN
    ip address 10.6.255.62 255.255.255.255
interface GigabitEthernet0/0
    vrf forwarding WAN
    ip address 100.5.62.2 255.255.255.252

router bgp 65006
    no network 10.6.255.62 mask 255.255.255.255 
    no neighbor 100.5.62.1 remote-as 10000
    address-family ipv4 vrf WAN
        network 10.6.255.62 mask 255.255.255.255
        neighbor 100.5.62.1 remote-as 10000
        neighbor 100.5.62.1 activate

crypto keyring KR vrf WAN
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
no crypto isakmp key cisco address 0.0.0.0
crypto isakmp policy 10
    hash sha

interface Tunnel 0
    ip mtu 1440
     ip nhrp network-id 1010
    ip nhrp shortcut
    tunnel vrf WAN

R70:

router bgp 65007
 address-family IPv4 unicast vrf kiosk
        neighbor 100.6.70.5 remote-as 10000

crypto isakmp policy 10
    hash sha

interface Tunnel 0
    ip mtu 1440
    ip nhrp shortcut
    tunnel vrf WAN

验证:

可以看到,第一次数据是经过了HUB,第二次数据直接spoke到spoke了。

SECTION 1.12: Tuning EIGRP on DMVPN and DMVPN enabled sites

Optimize the DMVPN operation according to these requirements:

1. Ensure that Branch#3 and Branch#4 can receive only a default route over EIGRP in the DMVPN.

2. The default route origination must be done on R24 without the use of any static routes, redistribution, or route filtering.

3. It is not allowed to modify the configuration of R61 and R62 in Branch#3 to accomplish this task.

4. It is allowed to add commands to the configuration of R70 in Branch#4 to accomplish this task; none of the existing configuration on R70 may be removed to accomplish this task.

Configure sw601 and sw602 at Branch#3 according to these requirements:

1. Routers R61 and R62 must not send EIGRP queries to SW601 and SW602.

2. Switches SW601 and SW602 must allow advertising any current or future directly connected network to R61 and R62 after the network is added to EIGRP.

3. Switches SW601 and SW602 must continue to propagate the default route received from R61 and R62 to each other. To select the default route, use a prefix list with a "permit" type entry only.

4. Switches SW601 and SW602 must not propagate the default route back to R61 and R62.

5. If the prefix list that allows the propagation of selected EIGRP-learned networks between SW601 and SW602 is modified in the future, the same set of networks must automatically be disallowed from being advertised back to R61 and R62, without any additional configuration.

Solution:

The summary 0.0.0.0/0 on the hub's tunnel interface suppresses every more specific prefix towards the spokes and originates the default without static routes, redistribution or filtering. EIGRP also installs the summary locally towards Null0 with administrative distance 5, which would take precedence over a default learned from the ISP via eBGP (AD 20); "summary-metric 0.0.0.0/0 distance 200" raises that distance so the BGP default stays in R24's RIB. "no passive-interface" re-enables EIGRP hellos on Tunnel0 on R24 and R70, where the interface had been left passive.

R24:

router eigrp ccie
    address-family ipv4 unicast autonomous-system 65006
        af-interface Tunnel0
            no passive-interface
            summary-address 0.0.0.0 0.0.0.0
        topology base
            summary-metric 0.0.0.0/0 distance 200

R70:

router eigrp ccie
    address-family ipv4 unicast autonomous-system 65006
        af-interface Tunnel0
            no passive-interface

SW601 & SW602:

ip prefix-list DEFAULT permit 0.0.0.0/0

route-map LEAKMAP permit 10
    match ip address prefix-list DEFAULT

route-map DENY-LEAK deny 10
    match ip address prefix-list DEFAULT
route-map DENY-LEAK permit 20

router eigrp ccie
    address-family ipv4 unicast autonomous-system 65006
        eigrp stub connected leak-map LEAKMAP
        af-interface Vlan2000
            passive-interface
        af-interface Vlan2001
            passive-interface
        topology base
            distribute-list route-map DENY-LEAK out GigabitEthernet0/1
            distribute-list route-map DENY-LEAK out GigabitEthernet0/2

The stub setting stops R61 and R62 from querying the switches; "connected" keeps advertising present and future connected networks; the leak-map lets the learned default pass between the two switches; and the outbound distribute-list on the uplinks denies exactly the prefixes that the same prefix-list DEFAULT permits, so any future change to DEFAULT takes effect on both sides without further configuration.

Verification:

Check whether R61, R62 and R70 receive the default route.

R61, R62 and R70 all receive the EIGRP default route, but at this point SW601 and SW602 have not received it.

Check whether SW601 and SW602 obtain the default route; note that there should be two EIGRP default routes (one from each uplink). If not, repeat the checks above.

On R61 and R62, the switches' directly connected routes are learned, but the default route is not.

SECTION 1.13: IPv4 Networks on Legacy Branches

On sw211 in DC, complete the DHCP server configuration according to these requirements:

1. Create IPv4 DHCP pools named br3_v2000 and br3_v2001 for Branch#3 VLANs 2000 (10.6.100.0/24) and 2001 (10.6.101.0/24), respectively.

2. Create an IPv4 DHCP pool named br4_v1 for the subnet 10.7.1.0/24 on Branch#4.

3. In each subnet, assign addresses from .101 up to .254 inclusive, and the appropriate gateway, to the clients.

On Branch#3, complete and correct the configuration of switches sw601, sw602 and sw610 to allow HSRP and DHCP relay operation in VLANs 2000 and 2001 according to these requirements:

1. HSRP must implicitly use the vMAC address range 0000.0c9f.f000 through 0000.0c9f.ffff.

2. The group number must be 100 for VLAN 2000 and 101 for VLAN 2001.

3. SW601 must be the Active gateway for VLAN 2000 with a priority of 110; the Active role ownership must be deterministic.

4. SW602 must be the Active gateway for VLAN 2001 with a priority of 110; the Active role ownership must be deterministic.

5. Each Active switch must track its uplink interfaces g0/1 and g0/2. If either of these interfaces goes down, the Active switch must allow the other switch to become Active. However, the tracking is not allowed to modify the HSRP priority to accomplish this requirement.

6. Both SW601 and SW602 must be configured as DHCP relay agents in both VLANs 2000 and 2001, pointing toward the DHCP server 10.2.255.211 at sw211. However, at any time, only the Active router in the particular VLAN should relay the DHCP messages.

7. Place host61 and host62 into VLANs 2000 and 2001 respectively and make sure they are assigned their correct IPv4 configuration.

8. It is not permitted to use any kind of scripting to complete this task.

On Branch#4, complete the configuration of the router r70 according to these requirements:

1. Assign IP address 10.7.1.1/24 to g0/2.

2. Enable DHCP relay on this interface and point it to the DHCP server 10.2.255.211 at sw211.

3. It is allowed to add one additional missing command to the R70 configuration to allow clients connected to g0/2 to obtain their IPv4 configuration.

4. Make sure that host r71 and host r72 are assigned their correct IPv4 configuration.

Solution:

The vMAC range 0000.0c9f.f000 through 0000.0c9f.ffff is the HSRP version 2 range, so "standby version 2" is required; "preempt" makes the Active role deterministic; "standby <group> track <object> shutdown" puts the group into Init when the tracked object fails instead of decrementing the priority; and "ip helper-address ... redundancy <group-name>" relays DHCP only on the switch that is currently Active for that group. The excluded-address ranges leave .101 to .254 assignable in each pool.

SW211:

ip dhcp excluded-address 10.6.100.0 10.6.100.100
ip dhcp excluded-address 10.6.101.0 10.6.101.100
ip dhcp excluded-address 10.7.1.0 10.7.1.100

ip dhcp pool br3_v2000
    network 10.6.100.0 255.255.255.0
    default-router 10.6.100.1

ip dhcp pool br3_v2001
    network 10.6.101.0 255.255.255.0
    default-router 10.6.101.1

ip dhcp pool br4_v1
    network 10.7.1.0 255.255.255.0
    default-router 10.7.1.1

SW601:

track 11 interface GigabitEthernet0/1 line-protocol
track 12 interface GigabitEthernet0/2 line-protocol
track 100 list boolean and
    object 11
    object 12

interface Vlan2000
    standby version 2
    standby 100 priority 110
    standby 100 preempt
    standby 100 track 100 shutdown
    standby 100 name vrg100
    ip helper-address 10.2.255.211 redundancy vrg100

interface Vlan2001
    standby version 2
    standby 101 name vrg101
    ip helper-address 10.2.255.211 redundancy vrg101

SW602:

track 11 interface GigabitEthernet0/1 line-protocol
track 12 interface GigabitEthernet0/2 line-protocol
track 100 list boolean and
    object 11
    object 12

interface Vlan2000
    standby version 2
    standby 100 name vrg100
    ip helper-address 10.2.255.211 redundancy vrg100

interface Vlan2001
    no standby 0
    standby version 2
    standby 101 priority 110
    standby 101 ip 10.6.101.1
    standby 101 preempt
    standby 101 track 100 shutdown
    standby 101 name vrg101
    ip helper-address 10.2.255.211 redundancy vrg101

SW610:

vlan 2000

interface range GigabitEthernet2/0 - 1
    switchport trunk allowed vlan add 2000,2001

interface GigabitEthernet0/0
    switchport mode access
    switchport access vlan 2000

interface GigabitEthernet0/1
    switchport mode access
    switchport access vlan 2001

R70:

interface GigabitEthernet0/2
    ip address 10.7.1.1 255.255.255.0
    ip helper-address 10.2.255.211

router eigrp ccie
    address-family ipv4 unicast autonomous-system 65006
        network 10.7.1.0 0.0.0.255

The one additional command on R70 is the EIGRP network statement: without it, 10.7.1.0/24 is unknown to sw211 and the DHCP server cannot route its replies back to the relay agent address 10.7.1.1.

Verification:

SECTION 1.14: Multicast in FABD2

FABD2 is preparing to enable PIM Sparse Mode multicast routing in its network. As part of validating the runbooks, FABD2 requires a sanity check to prevent inappropriate use of multicast-related configuration commands on different router types.

1. First Hop Routers: routers where multicast sources are connected.

2. Last Hop Routers: routers where multicast receivers (subscribers) are connected.

3. Intermediary Hop Routers: routers on the path between First Hop and Last Hop routers.

4. In the table below, for each configuration command, select all router types where the use of the command is appropriate. (select all that apply)

SECTION 1.15: Extending Connectivity to IaaS Site

Extend the IPv6 connectivity from HQ through the SP into the giosk VRF on the IaaS site according to these requirements:

1. Set up global IPv6 addressing on the link between r11 and r3:

·on R11, assign 2001:2710:311::2/64 to G0/0.
·on R3, assign 2001:2710:311::1/64 to G1.

2. Enable the existing IPv4 BGP session between r11 and r3 to also advertise IPv6 prefixes. Do not configure a standalone IPv6 BGP session between these two routers.

3. Perform bidirectional route redistribution between the IPv6 EIGRP and BGP processes on R11.

4. Ensure that all current and future IPv6 prefixes advertised between R11 and R3 are installed into the RIB of these routers with the next-hop address set to the proper global unicast address on their interconnection.

5. Any policy that accomplishes this requirement must be applied in the inbound direction.

6. The giosk VRF on R4, which extends the IPv6 connectivity from R4 to R30 on the IaaS site, is a separate VRF independent of the FABD2 VRF. Any route leaking from the FABD2 VRF into the giosk VRF must be done on a per-site basis and only for those FABD2 sites that need connectivity with the IaaS site.

7. By configuring R3 and R4 only, ensure that the HQ FABD2 site will have mutual visibility with the IaaS site while preventing:

  7.1. Any other FABD2 site from possibly learning about the routes on the IaaS site.

  7.2. The IaaS site from possibly learning about the routes on any other FABD2 site.

  7.3. Use the minimum amount of commands necessary to accomplish this requirement.

  7.4. Do not remove any existing configuration.

  7.5. If necessary, you are allowed to use an additional route target with the value of 10000:3681.

  7.6. Verify that Host11 and Host12 can ping 2001:db8:14::1 located at the IaaS site.

  7.7. It is permitted to modify one existing configuration command on one of the SP routers to meet this requirement.

Solution:

Because the IPv6 address family rides on the IPv4 BGP session, each router advertises its IPv6 prefixes with an IPv4-mapped next hop (::ffff:<peer IPv4 address>) that is not reachable in the IPv6 RIB; the inbound route-map rewrites the next hop to the peer's global address on the link. Exporting and importing the additional route target 10000:3681 only in the fabd2 VRF on R3 and in the giosk VRF on R4 leaks the HQ prefixes (learned locally on R3 from R11) into giosk and the IaaS prefixes back into R3's fabd2 VRF; prefixes that R3 imported from other PEs are not re-exported, so the other FABD2 sites and the IaaS site never see each other.

R11:

interface GigabitEthernet0/0
    ipv6 address 2001:2710:311::2/64

route-map next-hop permit 10
    set ipv6 next-hop 2001:2710:311::1

router eigrp ccie
    address-family ipv6 unicast autonomous-system 65001
        topology base
            redistribute bgp 65001 metric 1000 100 255 1 1500
router bgp 65001
    address-family ipv6
        neighbor 100.3.11.1 activate
        neighbor 100.3.11.1 route-map next-hop in
        redistribute eigrp 65001 include-connected

R3:

vrf definition fabd2
    address-family ipv6
        route-target both 10000:3681

interface GigabitEthernet1
    vrf forwarding fabd2
    ipv6 address 2001:2710:311::1/64

route-map next-hop permit 10
    set ipv6 next-hop 2001:2710:311::2

router bgp 10000
    address-family ipv6 vrf fabd2
        neighbor 100.3.11.2 remote-as 65001
        neighbor 100.3.11.2 activate
        neighbor 100.3.11.2 route-map next-hop in
clear bgp vpnv6 unicast * soft

R4:

vrf definition giosk
    address-family ipv6
        route-target both 10000:3681

Verification:

Focus on three IPv6 routes: those from AS65001 and those from AS65003. Seeing all three means the BGP neighbor is up and the VRF route-target import and export are working; only then can AS65001 and AS65003 reach each other.

Then verify that Host11 and Host12 can ping the IPv6 address of R30's Loopback414.

SECTION 1.16: Enabling Internet Access for FABD2

Enable highly available Internet access for the FABD2 company network according to these requirements:

1. On routers r12, r23 and r24, bring up IPv4 BGP peerings with the ISP. Make sure that a default route is received over these peerings.

2. On routers r12 and r23, inject a default route into OSPF if it is present in the routing table from a routing source other than the OSPFv2 process 1. On each router, this requirement must be completed using the minimum possible number of commands.

3. On router r24, inject a default route into OSPF if and only if it is learned from the ISP over BGP. To accomplish this requirement, it is allowed to use a route-map that references both a prefix-list and a tag. This requirement must be completed using the minimum possible number of commands.

4. Router r12 may be used as an Internet exit for the FABD2 company network only if neither r23 nor r24 is advertising a default route in OSPF. This requirement must be accomplished exclusively in "router ospf" mode on router r12, without changing the default parameters on routers r23 and r24.

5. On routers r12, r23 and r24, configure PAT and translate the entire FABD2 internal network 10.0.0.0/8 to the router address on the link towards the ISP. Create a standard ACL named NAT for this purpose. Do not use NAT pools.

6. Ensure that the Internet connectivity of the FABD2 company network makes use of the high availability provided by r12, r23 and r24.

Solution:

"default-information originate" without the "always" keyword advertises a default into OSPF only while a default from another source is present in the RIB (requirement 2). On R24 the route-map additionally requires the default to carry route tag 19999: IOS tags BGP routes in the RIB with the AS number of the neighbor they were learned from, so the tag identifies the default received from the ISP (requirement 3). On R12, "metric 200" makes its Type 2 external default lose to the metric-1 defaults of R23 and R24, so R12 is used only when neither of them advertises one (requirement 4).

R12:

router bgp 65001
    bgp router-id 10.1.255.12
    neighbor 200.99.12.1 remote-as 19999
    address-family ipv4
        neighbor 200.99.12.1 activate

router ospf 1
    default-information originate metric 200

ip access-list standard NAT
    permit 10.0.0.0 0.255.255.255

ip nat inside source list NAT interface GigabitEthernet0/0 overload

interface GigabitEthernet0/0
    ip nat outside

interface range GigabitEthernet0/1 - 3
    ip nat inside

R23:

router bgp 65002
    bgp router-id 10.2.255.23
    neighbor 200.99.23.1 remote-as 19999
    address-family ipv4
        neighbor 200.99.23.1 activate

router ospf 1
    default-information originate

ip access-list standard NAT
    permit 10.0.0.0 0.255.255.255

ip nat inside source list NAT interface GigabitEthernet0/0 overload

interface GigabitEthernet0/0
    ip nat outside

interface range GigabitEthernet0/1 - 3
    ip nat inside

R24:

router bgp 65002
    bgp router-id 10.2.255.24
    neighbor 200.99.24.1 remote-as 19999
    address-family ipv4
        neighbor 200.99.24.1 activate

ip prefix-list default-route permit 0.0.0.0/0
route-map B2O permit 10
    match ip address prefix-list default-route
    match tag 19999

router ospf 1
    default-information originate route-map B2O

ip access-list standard NAT
    permit 10.0.0.0 0.255.255.255

ip nat inside source list NAT interface GigabitEthernet0/0 overload

interface GigabitEthernet0/0
    ip nat outside

interface range GigabitEthernet0/1 - 3
    ip nat inside

interface Tunnel0
    ip nat inside

Verification:

Check the OSPF default route.

Verify NAT:

Shut down Gi0/0 on R24 and check NAT again: R23 now becomes the exit and the NAT translation entries appear on R23.

Then shut down Gi0/0 on R23 as well: now only R12 has a route towards SP0, so the NAT translation entries appear on R12.

SECTION 3.1: Enabling CLI access to r30

1. There is no direct console access provided to the router R30. Moreover, R30 does not accept any remote connections because its vty lines are configured with transport input none.

2. Using RESTCONF, enable remote access to R30 for all remote access protocols according to these requirements:

3. You can use Host31 to access router R30 using IP address 10.3.11.1.

4. You can use any method of accessing the RESTCONF API on R30 from Host31, including curl, Python or Postman.

5. You must change the input transport protocol on all configurable vty lines; the input transport protocol setting must be changed from none to all.

Important parameters:

Username and password for HTTP authentication: admin/admin

URL: https://10.3.11.1:443/restconf/data/Cisco-IOS-XE-native:native/line/vty

HTTP method to retrieve the configuration: GET

HTTP method to modify the configuration: PATCH

HTTP headers:
Content-Type: application/yang-data+json
Accept: application/yang-data+json

Recommended curl switches: -i, -l, -X, -H, -u, -d

Host31 username and password are both cisco (lowercase).

R30 username and password are both admin (lowercase).

After logging in to the Linux desktop, first check that the network connection is up and that R30's address is reachable: open LXTerminal and run ip addr to check.

In the next step, copy the code: Ctrl+A selects everything, Ctrl+C copies it.

Then open LXTerminal and telnet 10.3.11.1.
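The same GET and PATCH exchange in Python, as an added example that is not part of the original page. It uses only the standard library so it runs from Host31 without extra packages. The layout of the vty JSON returned by the device is an assumption (the page does not show it), so the script rewrites only values that are literally "none", in either the leaf-list or the presence-leaf encoding, and sends the whole retrieved subtree back as the PATCH body. The transform is exercised offline on a constructed sample; the network calls go to 10.3.11.1 only when the file is executed directly.

```python
"""Enable all vty transports on R30 over RESTCONF.

Added example; not code from the original page. Assumes the GET body is a JSON
tree under "Cisco-IOS-XE-native:vty" in which `transport input none` appears
either as a leaf-list value ("none") or as a presence leaf ({"none": [null]}).
Address, URL, credentials and headers are the ones quoted in the task.
"""
import base64
import json
import ssl
import urllib.request
from typing import Any, Optional, Tuple

RESTCONF_URL = "https://10.3.11.1:443/restconf/data/Cisco-IOS-XE-native:native/line/vty"
HEADERS = {
    "Content-Type": "application/yang-data+json",
    "Accept": "application/yang-data+json",
}

# Constructed sample of a GET response (shape is an assumption, see docstring):
# two vty ranges, each with transport input none in a different encoding.
SAMPLE_GET_BODY = json.dumps({
    "Cisco-IOS-XE-native:vty": [
        {"first": 0, "last": 4, "transport": {"input": {"input": ["none"]}}},
        {"first": 5, "last": 15, "transport": {"input": {"none": [None]}}},
    ]
})


def rewrite_transport_input(node: Any, old: str = "none", new: str = "all") -> int:
    """Replace transport input `old` with `new` everywhere in a decoded JSON tree.

    Returns the number of replacements so the caller can skip the PATCH when
    nothing needed changing.
    """
    changed = 0
    if isinstance(node, dict):
        # presence-leaf encoding: {"none": [null]} -> {"all": [null]}
        if node.get(old) == [None]:
            node[new] = node.pop(old)
            changed += 1
        for value in node.values():
            changed += rewrite_transport_input(value, old, new)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            if value == old:  # leaf-list encoding: ["none"] -> ["all"]
                node[idx] = new
                changed += 1
            else:
                changed += rewrite_transport_input(value, old, new)
    return changed


def build_patch_body(get_body: str) -> Tuple[str, int]:
    """Turn the GET response into the PATCH payload; also return the change count."""
    tree = json.loads(get_body)
    changed = rewrite_transport_input(tree)
    return json.dumps(tree), changed


def _opener(insecure_tls: bool) -> urllib.request.OpenerDirector:
    # R30 presents a self-signed RESTCONF certificate, so verification is
    # switched off for the lab only (what curl -k does). Against real
    # infrastructure, load the device CA into the context instead.
    ctx = ssl.create_default_context()
    if insecure_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def restconf(method: str, url: str, user: str, password: str,
             body: Optional[str] = None, insecure_tls: bool = False) -> Tuple[int, str]:
    """One RESTCONF call with HTTP basic auth; returns (status, response body)."""
    req = urllib.request.Request(url, method=method, headers=dict(HEADERS),
                                 data=body.encode() if body is not None else None)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with _opener(insecure_tls).open(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


def fix_vty_transport(url: str = RESTCONF_URL, user: str = "admin",
                      password: str = "admin", insecure_tls: bool = True) -> int:
    """GET the vty config, flip none -> all, PATCH it back. Returns changes made."""
    status, current = restconf("GET", url, user, password, insecure_tls=insecure_tls)
    if status != 200:
        raise RuntimeError(f"GET failed with HTTP {status}")
    patch, changed = build_patch_body(current)
    if changed:
        status, _ = restconf("PATCH", url, user, password, body=patch,
                             insecure_tls=insecure_tls)
        if status not in (200, 204):
            raise RuntimeError(f"PATCH failed with HTTP {status}")
    return changed


if __name__ == "__main__":
    print("transport input entries changed:", fix_vty_transport())
```

The task requires "all", which also opens telnet, so this is acceptable only inside the lab rack; on a production device you would PATCH "ssh" and keep certificate verification on.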

SECTION 3.2: Using Guest Shell and Python on r30

1. On R30, enable guestshell and create a Python script named ribdump.py in the guestshell.

2. If an additional IP network is necessary to start guestshell, you are allowed to use addresses from the range 192.168.255.0/24. This range must not be advertised in any routing protocol.

3. The Python script must be saved under the name ribdump.py in the home directory of the guestshell user.

4. The purpose of the script is to display the complete contents of all routing tables in non-default VRFs created on the router.

5. The script must execute the show ip route vrf or show ipv6 route vrf command for every non-default VRF created on the router, depending on which address families are enabled in that VRF.

6. The script must determine the list of created VRFs and enabled address families dynamically every time it is run, using, for example, show vrf brief | include ipv.

7. The script must not attempt to display the VRF routing table for an address family that is not enabled in the VRF.

8. It must be possible to run the script using the guestshell run python ribdump.py command from privileged EXEC mode.

Steps after logging in to R30 via telnet:

1. Use show iox-service to check whether the IOx service is enabled; on R30 it is disabled by default.

2. Enter configuration mode and enter iox to start the IOx service.

3. Create VirtualPortGroup 0 and assign it an IP address (the 192.168.255.0/24 subnet must stay outside every routing-protocol network statement, as required):

interface VirtualPortGroup 0
    ip address 192.168.255.254 255.255.255.0

4. In app-hosting, create a Linux container with the ID guestshell:

app-hosting appid guestshell

5. Give the container a virtual NIC, IP address, netmask and default gateway:

app-vnic management guest-interface 0
    guest-ipaddress 192.168.255.1 netmask 255.255.255.0
app-default-gateway 192.168.255.254 guest-interface 0
name-server0 8.8.8.8

Then, in privileged EXEC mode:
guestshell enable
guestshell

6. Inside the Linux container, run vi ribdump.py to create the Python script:

import cli

ipv4_vrfs = []
ipv6_vrfs = []
skip = "Mgmt-vrf"   # the management VRF is built in, not a VRF created by the operator

# "show vrf brief" prints one line per VRF: name, default RD, protocols
# (e.g. "ipv4,ipv6") and interfaces; the filter keeps only lines that name
# an address family, so the VRF list and its families are read at run time.
output = cli.cli("show vrf brief | include ipv")
for line in output.split("\n"):
    fields = line.split()
    if not fields or skip in line:
        continue
    if "ipv4" in line:
        ipv4_vrfs.append(fields[0])
    if "ipv6" in line:
        ipv6_vrfs.append(fields[0])

# cli.clip() executes the command and prints its output; a table is only
# requested for the address families actually enabled in that VRF.
for name in ipv4_vrfs:
    cli.clip("show ip route vrf " + name)
for name in ipv6_vrfs:
    cli.clip("show ipv6 route vrf " + name)

When finished, press Esc, type ":wq" to save and quit, then type exit to leave the Linux container.

7. Run guestshell run python ribdump.py to test that the script works.

SECTION 3.3: Automated Configuration Backup Script

1. You are tasked with writing a Python script to back up the configuration of a number of IOS-XE devices through RESTCONF and store the configurations in text files. The starting section of this script has already been written and contains the following lines:

#!/usr/bin/env python3
import requests
credentials = [ ("192.168.1.1", "admin", "s3cR3t"),
                ("192.168.1.2", "netadmin", "Oth3rs3cR3t") ]
Headers = { "Content-Type" : "application/yang-data+json",
            "Accept" : "application/yang-data+json" }

2. This script needs to be completed by dragging the individual command lines below into their correct order to allow the script to correctly accomplish its purpose.

3. Indicate the ends of the for block and of the with block by properly placing the "-- End of for" and "-- End of with" symbols.

4. Drag the lines into their correct order to complete the script as required.

5. Make sure to also properly place the "-- End of for" and "-- End of with" symbols to indicate the end of the respective blocks in the code.

-- End of with
Response = requests.get(URL, auth=(Login, Password), headers=Headers, verify=False)
for IP, Login, Password in credentials:
URL = f"https://{IP}:443/restconf/data/Cisco-IOS-XE-native:native"
File.write(Response.text)
with open(f"{IP}.conf", "w") as File:
-- End of for

Answer:

for IP, Login, Password in credentials:
    URL = f"https://{IP}:443/restconf/data/Cisco-IOS-XE-native:native"
    Response = requests.get(URL, auth=(Login, Password), headers=Headers, verify=False)
    with open(f"{IP}.conf", "w") as File:
        File.write(Response.text)
    -- End of with
-- End of for

6. There are plans to extend the script to display a list of known IOS-XE devices by their IP addresses and allow the administrator to select which devices to back up.

7. Aside from other necessary changes in the script, which of the following storage options for the credentials would allow for the most straightforward implementation?

A:
  Credentials = { "192.168.1.1" : ("admin", "s3cR3t"),
                  "192.168.1.2" : ("netadmin", "Oth3rs3cR3t") }
B:
  Credentials = [ ("192.168.1.1", "admin", "s3cR3t"), ("192.168.1.2", "netadmin", "Oth3rs3cR3t") ]
C:
  Credentials = [ "192.168.1.1", "admin", "s3cR3t", "192.168.1.2", "netadmin", "Oth3rs3cR3t" ]
D:
  Credentials = "192.168.1.1,admin,s3cR3t," \
                "192.168.1.2,netadmin,Oth3rs3cR3t"

Answer:

A: a dictionary keyed by IP address. Listing the known devices is an iteration over the keys, and the login and password of a device the administrator selected are a direct lookup (Credentials[ip]) rather than a search through a list of tuples.
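The extended script described in items 6 and 7, written as an added example (it is not the page's or the exam's code). It keeps the task's URL, headers, the two constructed device entries and the requests call with verify=False, but stores the credentials in a dictionary keyed by IP and adds the device listing and selection. The fetch function is injected so the selection and backup logic can be checked without a device; the real fetcher is only used when the file is run directly.

```python
"""Configuration backup over RESTCONF with device selection.

Added example for this section (not the page's script). Device IPs and
secrets are constructed placeholders taken from the task text.
"""
import os
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Tuple

# Keyed by IP (option A): listing devices is iteration over the keys and the
# login/password of a chosen device is a direct lookup.
CREDENTIALS: Dict[str, Tuple[str, str]] = {
    "192.168.1.1": ("admin", "s3cR3t"),
    "192.168.1.2": ("netadmin", "Oth3rs3cR3t"),
}
HEADERS = {"Content-Type": "application/yang-data+json",
           "Accept": "application/yang-data+json"}

Fetcher = Callable[[str, str, str], str]  # (url, login, password) -> config text


def native_url(ip: str) -> str:
    """RESTCONF path of the whole running configuration (Cisco-IOS-XE-native)."""
    return f"https://{ip}:443/restconf/data/Cisco-IOS-XE-native:native"


def parse_selection(answer: str, ips: List[str]) -> List[str]:
    """Map operator input to IPs: 1-based list positions, literal IPs, or 'all'.

    Unknown tokens are ignored and duplicates collapse; empty input means all.
    """
    answer = answer.strip().lower()
    if answer in ("", "all"):
        return list(ips)
    chosen: List[str] = []
    for token in answer.replace(";", ",").split(","):
        token = token.strip()
        if token.isdigit() and 1 <= int(token) <= len(ips):
            ip = ips[int(token) - 1]
        elif token in ips:
            ip = token
        else:
            continue
        if ip not in chosen:
            chosen.append(ip)
    return chosen


def fetch_with_requests(url: str, login: str, password: str) -> str:
    """Real fetcher, the same call as the page's script; imported lazily so the
    module loads where 'requests' is absent. verify=False is lab-only."""
    import requests  # type: ignore
    resp = requests.get(url, auth=(login, password), headers=HEADERS,
                        verify=False, timeout=15)
    resp.raise_for_status()
    return resp.text


def backup(selected: Iterable[str], out_dir: Path,
           fetch: Fetcher = fetch_with_requests) -> Dict[str, Path]:
    """Write <out_dir>/<ip>.conf for every selected device; return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written: Dict[str, Path] = {}
    for ip in selected:
        login, password = CREDENTIALS[ip]  # KeyError: unknown device, fail loudly
        text = fetch(native_url(ip), login, password)
        target = out_dir / f"{ip}.conf"
        # Backups carry enable secrets and pre-shared keys: create owner-only.
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        written[ip] = target
    return written


def main() -> None:
    ips = sorted(CREDENTIALS)
    for idx, ip in enumerate(ips, 1):
        print(f"{idx}. {ip}")
    answer = input("Devices to back up (numbers, IPs or 'all'): ")
    for ip, path in backup(parse_selection(answer, ips), Path("backups")).items():
        print(f"{ip} -> {path}")


if __name__ == "__main__":
    main()
```

Two things the exam snippet glosses over are worth keeping in mind outside the lab: the credentials belong in a vault or at least an environment variable rather than in the source file, and verify=False should be replaced by pinning the devices' CA.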

Author: Naraku
License: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Naraku when reposting.