CCIE EI v1.0 - Deploy - Seventh Release - 04-Jun-21

This document outlines the policies, guidelines, and expectations for a CCIE Enterprise Infrastructure v1.0 Real Labs Deploy Module. Key details include: 1) Workbooks are mapped to a specific device MAC address and cannot be accessed from other devices. Account sharing is prohibited. 2) Free updates are provided for 120 days, then accounts must be renewed. Workbooks can still be accessed after 120 days. 3) The network deployed may differ from the design module. Feedback can be provided but Cisco will not discuss it. The 5 hour time limit must be adhered to.

Uploaded by

Rgey Aadas

www.passenterpriselabs.com Final Release Lab 1:04-Jun-2021

CCIE Enterprise Infrastructure v1.0 Real Labs


Deploy Module

www.passenterpriselabs.com 1 www.ccieenterpriselabs.com

Lab Workbook Policy

1. We highly discourage sharing of the workbook; hence the workbooks are mapped to the laptop/desktop MAC address. If one tries to open the workbook on a desktop or laptop other than the one with the registered MAC address, the account will get locked and we will not unlock it for any reason.

2. The workbook does not have print access; kindly do not request that print access be enabled. However, you will have perpetual access to the workbook which you have purchased.

3. One will be provided with free updates for up to 120 days from the date of purchase; after that, one needs to renew his/her account to access the latest update. However, one will continue to have access to their existing workbooks. If you pass the lab within 120 days, you are not eligible for further updates.

4. If one wishes to renew their subscription/account, one needs to renew within 120 days or before the account expires. After 120 days one can still renew the account; however, the renewal will be considered a new purchase. Hence we encourage one to renew within 120 days of the purchase.

5. The renewal cost is 999 USD if one pays within 120 days; if one fails to renew, the cost will be equivalent to a new purchase. (The renewal price can be changed at any time, without informing the client.)

6. Every workbook is uniquely identified for each user with hidden words. If one shares his/her workbooks with others, and if the system detects the share, the account will be banned and we will not entertain any explanation of any sort.

7. For any queries regarding Questions/Solutions, you can contact us by email: support@chinesedumps.com or skype @ chinesexams@gmail.com. Response time to any of the queries is 24 hours.

8. We do require CISCO ID and official email id for security purposes. We do not sell without these details. We do background verification of the details provided, so we request that you give us the correct CISCO ID and official email id.

9. The workbooks are in secured pdc format and delivered via email within 24 hours after payment is received.

10. License is provided for only one device. We don't give the license again if the device crashes or because of company security policies. Please install the license on the device cautiously, as the license will not be provided again.

11. We support devices running Windows OS, Mac OS, Android and Mac iOS only.

12. We do not provide a refund in any circumstances once the product is sold.

13. This policy is in effect from 23 November 2016 and in immediate effect for new clients and new renewals. Old clients will continue with the old policies until their accounts expire.

14. If there is any update, one will receive the update automatically on their registered email id.

15. The Design Module will be given only 3 days before the CCIE exam.

16. For any future update you can check our 'updates' page.

17. Labs are always published in phases. For example, if there is a new lab we publish it as First, Second, Third ... till Final release.

18. Clients who have purchased our workbooks and services and wish to attempt the lab need to consult our experts before their CCIE Lab.

CCIE Deploy, Operate and Optimize Guidelines


Before you begin, please read these guidelines:

Overall module guidelines:

1. The network that you will deploy, operate and optimize in this module will be similar, but not necessarily identical, to the network designed in the previous module. All relevant information that is needed to successfully complete this module can be found in this module itself and overrides any information that was provided in the previous module.

2. Before you start, confirm that all devices in your rack are accessible. During the exam, if any device becomes locked or inaccessible, you must recover it.

3. Your equipment is partially preconfigured. Do not change any of the preconfigured parameters unless you are specifically told to.

4. The partial configuration on the devices may deliberately contain mistakes and errors which may need to be corrected, or workarounds applied, in order to complete specific tasks. Therefore, consider troubleshooting as an integral part of this module.

5. Points are awarded only for fully working configurations. No partial scoring is provided. It is recommended that toward the end of the exam, you go back and test the functionality as per all question requirements.

6. If you need clarification on any of the questions, or if you suspect that there might be an issue with your equipment or exam environment, contact the lab proctor as soon as possible.

7. Item-level feedback can be provided at the question level. Feedback will be processed, but Cisco will not reach out to you to discuss any feedback provided. You will not be compensated for the time you spend while providing the feedback.

8. Access to select Cisco online documentation is available from your desktop. Access to select 3rd party product documentation (such as Python) is available from the Resources window under the “External Documentation” category.

9. When you finish the lab exam, make sure that all devices are accessible for the grading proctor by having them in EXEC mode and closing the console windows. A device that is not accessible for grading cannot be graded and this may cause you to lose substantial points.

10. You have 5 hours to complete this module. Upon finishing the exam, ensure that all devices are accessible. Any device that is not accessible for grading purposes may cause you to lose substantial points.

Track specific guidelines:

1. There are several end hosts present in the lab topology, named hostXY (for example, host11). They are all identical and they can all be used at your full discretion, including accessing the GUI of DNA Center, vManage and ISE through Firefox, performing IP connectivity tests, generating or capturing traffic, and performing coding in Python or C.

2. All hostXY devices are configured as DHCP clients. Should it be necessary to force the host to release and renew its DHCP lease, right-click on the icon of the network manager located between the CPU utilization and check applets in the bottom task bar, then unselect “Enable Networking”, right-click on it again and select “Enable Networking”.

3. The web-based GUI of DNA Center, vManage and ISE can only be accessed from the hostXY end hosts, using Firefox installed on these end hosts. These servers cannot be accessed directly from the desktop you are just now working with. You must always connect to hostXY as a jump host and access DNA Center, vManage or ISE from there. Always ignore any SSL/TLS certificate warnings in Firefox that may be displayed.

4. Devices in the topology may have more interfaces, addresses and routes configured than what is shown in the diagrams and accompanying tables. Ignore such interfaces, addresses and routes entirely, unless a task explicitly requires you to use or modify them.

5. Changing or removing parts of the initial running configuration on devices, as opposed to adding new configuration, is allowed only if the task allows or requires it explicitly, or if there is no other way of accomplishing the task.

Diagram 01: Complete Topology



Diagram 02: Complete Topology with IP addressing



1.1: Introduction

Welcome back to the FABD2 company!

You will deploy, operate, and optimize our network. The topology you will be working with will be similar, but not necessarily identical, to the network that was designed in the previous module and may include technologies and feature sets not touched upon previously.

The best of success!

1.2: Layer 2 Technologies in HQ

Complete and correct the EtherChannel configuration between switches sw101, sw102, sw110 according to these requirements:

• At the end of the task, all EtherChannels between switches sw101, sw102, sw110 must be up and operational, including all their physical member links.
• Do not create new Port-channel interfaces; reuse those that already exist on the switches.
• When resolving existing issues, do not change the preconfigured negotiation protocol (if any).
• On EtherChannels that use a negotiation protocol, tune its mode of operation for the shortest link bundling time possible.

Configure Spanning Tree Protocol on switches sw101, sw102, sw110 according to these requirements:

• The STP root for VLAN 2000 must be sw101.
• The STP root for VLAN 2001 must be sw102.
• STP roots must be elected based on bridge priorities.
• On the three switches, have STP perform cost calculations in 32-bit arithmetic.
• On the three switches, use the Rapid STP version and ensure that it can achieve rapid convergence on all interconnections between the switches.
• On sw110, prevent all current and future access mode interfaces from being affected by the Proposal/Agreement process.

2 Points

Solution:

Chinese_dumps_sw110:

sw110>en
sw110#conf t
sw110(config)#spanning-tree mode rapid
sw110(config)#spanning-tree pathcost method long
sw110(config)#spanning-tree portfast edge default
sw110(config)#interface range gi1/2-3
sw110(config-if-range)#channel-group 2 mode active

Chinese_dumps_sw101:

sw101>en
sw101#config t
sw101(config)#spanning-tree mode rapid
sw101(config)#spanning-tree pathcost method long
sw101(config)#spanning-tree vlan 2000 priority 0
sw101(config)#spanning-tree vlan 1-4094 hello-time 1
sw101(config)#interface range gi1/2-3
sw101(config-if-range)#channel-group 1 mode on

Chinese_dumps_sw102:

sw102>en
sw102#conf t
sw102(config)#spanning-tree mode rapid
sw102(config)#spanning-tree pathcost method long
sw102(config)#spanning-tree vlan 2001 priority 0
sw102(config)#spanning-tree vlan 1-4094 hello-time 1
sw102(config)#interface range gi1/2-3
sw102(config-if-range)#channel-group 2 mode active

Verification:

Chinese_dumps_sw110# sh etherchannel summary

Chinese_dumps_sw102# sh etherchannel summary

Chinese_dumps_sw101# sh etherchannel summary

Chinese_dumps_sw110#sh spanning-tree

Chinese_dumps_sw101#sh spanning-tree vlan 2000

Chinese_dumps_sw102#sh spanning-tree vlan 2001

Chinese_dumps_sw110#sh spanning-tree interface g0/0 detail

Chinese_dumps_sw110#sh spanning-tree interface g0/1 detail

1.3: First Hop Redundancy Protocol in HQ

For IPv4, implement an FHRP mechanism on sw101 and sw102 for VLANs 2000 and 2001 according to these requirements:

• Use group number 100 for VLAN 2000 and group number 101 for VLAN 2001.
• Use the first available IPv4 address in the subnet for the address of the virtual router.
• For VLAN 2000, sw101 must be the preferred gateway; for VLAN 2001, sw102 must be the preferred gateway. Do not rely on the IPv4 addresses of the switches as role tiebreakers. The role must be determined by an explicit configuration solely on the intended preferred gateway.
• Each preferred gateway must monitor the reachability of both routers r11 and r12 using the loopback IPv4 addresses of the routers by an ICMP Echo. The reachability is to be verified every 5 seconds with a timeout of 400 msec. A router must be declared unreachable as soon as it does not respond to three probes in a row. If both r11 and r12 are declared unreachable from a preferred gateway, the other switch must be allowed to assume the gateway role.
• Use the FHRP protocol that allows the virtual IPv4 address to match the IPv4 address of a member router.

2 Points

Solution:

Chinese_dumps_sw101:

sw101>en
sw101#conf t
sw101(config)#int vlan 2000
sw101(config-if)#vrrp 100 ip 10.1.100.1
sw101(config-if)#vrrp 100 priority 105
sw101(config-if)#ip ospf 1 area 0
sw101(config-if)#vrrp 100 track 100
sw101(config-if)#exit
sw101(config)#int vlan 2001
sw101(config-if)#vrrp 101 ip 10.1.101.1
sw101(config-if)#ip ospf 1 area 0
sw101(config-if)#exit
sw101(config)#ip sla 1
sw101(config-ip-sla)#icmp-echo 10.1.255.11 source-interface vlan 2000
sw101(config-ip-sla-echo)#threshold 400
sw101(config-ip-sla-echo)#timeout 400
sw101(config-ip-sla-echo)#frequency 5
sw101(config-ip-sla-echo)#exit
sw101(config)#ip sla schedule 1 start-time now life forever
sw101(config)#ip sla 2
sw101(config-ip-sla)#icmp-echo 10.1.255.12 source-interface vlan 2000
sw101(config-ip-sla-echo)#threshold 400
sw101(config-ip-sla-echo)#timeout 400
sw101(config-ip-sla-echo)#frequency 5
sw101(config-ip-sla-echo)#exit
sw101(config)#ip sla schedule 2 start-time now life forever
sw101(config)#track 1 ip sla 1
sw101(config-track)#delay down 10
sw101(config-track)#exit
sw101(config)#track 2 ip sla 2
sw101(config-track)#delay down 10
sw101(config-track)#exit
sw101(config)#track 100 list boolean or
sw101(config-track)#object 1
sw101(config-track)#object 2
sw101(config-track)#exit
sw101(config)#router ospf 1
sw101(config-router)#passive-interface vlan 2000
sw101(config-router)#passive-interface vlan 2001

Chinese_dumps_sw102:

sw102>en
sw102#conf t
sw102(config)#int vlan 2000
sw102(config-if)#vrrp 100 ip 10.1.100.1
sw102(config-if)#ip ospf 1 area 0
sw102(config-if)#exit
sw102(config)#int vlan 2001
sw102(config-if)#vrrp 101 ip 10.1.101.1
sw102(config-if)#vrrp 101 priority 105
sw102(config-if)#vrrp 101 track 101
sw102(config-if)#ip ospf 1 area 0
sw102(config-if)#exit
sw102(config)#ip sla 1
sw102(config-ip-sla)#icmp-echo 10.1.255.11 source-interface vlan 2001
sw102(config-ip-sla-echo)#threshold 400
sw102(config-ip-sla-echo)#timeout 400
sw102(config-ip-sla-echo)#frequency 5
sw102(config-ip-sla-echo)#exit
sw102(config)#ip sla schedule 1 start-time now life forever
sw102(config)#ip sla 2
sw102(config-ip-sla)#icmp-echo 10.1.255.12 source-interface vlan 2001
sw102(config-ip-sla-echo)#threshold 400
sw102(config-ip-sla-echo)#timeout 400
sw102(config-ip-sla-echo)#frequency 5
sw102(config-ip-sla-echo)#exit
sw102(config)#ip sla schedule 2 start-time now life forever
sw102(config)#track 1 ip sla 1
sw102(config-track)#delay down 10
sw102(config-track)#exit
sw102(config)#track 2 ip sla 2
sw102(config-track)#delay down 10
sw102(config-track)#exit
sw102(config)#track 101 list boolean or
sw102(config-track)#object 1
sw102(config-track)#object 2
sw102(config-track)#exit
sw102(config)#router ospf 1
sw102(config-router)#passive-interface vlan 2000
sw102(config-router)#passive-interface vlan 2001

Verification:

Chinese_dumps_sw101#sh vrrp

Chinese_dumps_sw101#sh track

Chinese_dumps_sw101#sh ip sla configuration

Chinese_dumps_sw102#sh vrrp

Chinese_dumps_sw102#sh track

Chinese_dumps_sw102#sh ip sla configuration

To verify the gateway role:

sw101:

- Shut down interfaces g0/0 and g0/1 and check "sh vrrp"; sw102 should be master for both VLANs (2000, 2001).

sw102: sh vrrp

Note: If you bring the interfaces of sw101 back up, it should resume its original role.

sw102:

- Shut down interfaces g0/0 and g0/1 and check "sh vrrp"; sw101 should be master for both VLANs (2000, 2001).

sw101: sh vrrp

Note: If you bring the interfaces of sw102 back up, it should resume its original role.
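The IP SLA, track and VRRP chain from the solution above, modelled as an added example (not part of the original workbook). It assumes the IOS default track decrement of 10, a peer left at the default VRRP priority of 100 with preemption on, and simplified timing in which the track object goes down once the probe has been failing for the full "delay down" period.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FREQUENCY_S = 5        # ip sla: frequency 5
DELAY_DOWN_S = 10      # track N: delay down 10
TRACK_DECREMENT = 10   # assumed default for "vrrp <group> track <object>"
PEER_PRIORITY = 100    # assumed: the backup switch has no explicit priority


@dataclass
class TrackedProbe:
    """One 'track N ip sla N' object with 'delay down' applied."""
    up: bool = True
    first_fail_at: Optional[int] = None

    def feed(self, now: int, probe_ok: bool) -> bool:
        if probe_ok:
            # A single good probe cancels the pending delay and restores Up.
            self.first_fail_at = None
            self.up = True
        else:
            if self.first_fail_at is None:
                self.first_fail_at = now
            # Down is reported only after the probe has failed for 10 s,
            # which at a 5 s frequency is the third failed probe in a row.
            if now - self.first_fail_at >= DELAY_DOWN_S:
                self.up = False
        return self.up


def simulate(r11: List[bool], r12: List[bool], list_op: str = "or",
             configured_priority: int = 105) -> List[Tuple[int, bool, int, str]]:
    """Replay probe results; return (time, list_up, priority, role) rows."""
    if list_op not in ("or", "and"):
        raise ValueError("list_op must be 'or' or 'and'")
    t1, t2 = TrackedProbe(), TrackedProbe()
    timeline = []
    for i, (ok11, ok12) in enumerate(zip(r11, r12)):
        now = i * FREQUENCY_S
        up1, up2 = t1.feed(now, ok11), t2.feed(now, ok12)
        list_up = (up1 or up2) if list_op == "or" else (up1 and up2)
        priority = configured_priority - (0 if list_up else TRACK_DECREMENT)
        role = "Master" if priority > PEER_PRIORITY else "Backup"
        timeline.append((now, list_up, priority, role))
    return timeline


def roles(timeline: List[Tuple[int, bool, int, str]]) -> List[str]:
    return [row[3] for row in timeline]


if __name__ == "__main__":
    # Constructed probe results: both routers stop answering, then recover.
    both = [True, False, False, False, True]
    for row in simulate(both, both):
        print(row)
    # With a boolean AND list, losing r11 alone would already fail over.
    print(roles(simulate([False] * 4, [True] * 4, list_op="and")))
```

With the boolean OR list the preferred gateway gives up the role only when both routers are down; an AND list would fail over on the loss of either one, which is not what the task asks for.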

1.4: OSPFv2 between HQ and DC

Complete and correct the OSPF configuration on the switches sw101, sw102, sw201 and sw202 according to these requirements:

• Enable OSPFv2 on the redundant interconnections between the DC and HQ sites. Make sure that OSPF establishes adjacencies on these interconnections and exchanges routing information between the DC and HQ sites.
• Protect the authenticity and integrity of the OSPFv2 sessions on the redundant interconnections between DC and HQ with the SHA-384 mechanism. Use key ID 1 and a shared secret of “cci3” (without quotes).
• Improve the detection of unreachable OSPFv2 neighbors on the redundant interconnections between DC and HQ so that OSPF can detect the loss of a neighbor within 300 msec, with the probes being sent every 100 msec. It is not allowed to modify OSPF timers to accomplish this requirement.

3 Points

Solution:

Note: Try resetting the interface to its default configuration if the interface shows as not connected.

Chinese_dumps_sw201:

sw201>en
sw201#conf t
sw201(config)#key chain DCHQ
sw201(config-keychain)#key 1
sw201(config-keychain-key)#key-string cci3
sw201(config-keychain-key)#cryptographic-algorithm hmac-sha-384
sw201(config-keychain-key)#exit
sw201(config-keychain)#exit
sw201(config)#int g1/2
sw201(config-if)#ip ospf authentication key-chain DCHQ
sw201(config-if)#ip ospf bfd
sw201(config-if)#bfd interval 100 min_rx 100 multiplier 3
sw201(config-if)#exit
sw201(config)#router ospf 1
sw201(config-router)#no passive-interface g1/2

Chinese_dumps_sw202:

sw202>en
sw202#conf t
sw202(config)#key chain DCHQ
sw202(config-keychain)#key 1
sw202(config-keychain-key)#key-string cci3
sw202(config-keychain-key)#cryptographic-algorithm hmac-sha-384
sw202(config-keychain-key)#exit
sw202(config-keychain)#exit
sw202(config)#int g1/2
sw202(config-if)#ip ospf authentication key-chain DCHQ
sw202(config-if)#ip ospf bfd
sw202(config-if)#bfd interval 100 min_rx 100 multiplier 3
sw202(config-if)#exit
sw202(config)#router ospf 1
sw202(config-router)#no passive-interface g1/2

Chinese_dumps_sw101:

sw101>en
sw101#conf t
sw101(config)#key chain HQDC
sw101(config-keychain)#key 1
sw101(config-keychain-key)#key-string cci3
sw101(config-keychain-key)#cryptographic-algorithm hmac-sha-384
sw101(config-keychain-key)#exit
sw101(config-keychain)#exit
sw101(config)#int g0/2
sw101(config-if)#ip ospf authentication key-chain HQDC
sw101(config-if)#ip ospf bfd
sw101(config-if)#bfd interval 100 min_rx 100 multiplier 3

Chinese_dumps_sw102:

sw102>en
sw102#conf t
sw102(config)#key chain HQDC
sw102(config-keychain)#key 1
sw102(config-keychain-key)#key-string cci3
sw102(config-keychain-key)#cryptographic-algorithm hmac-sha-384
sw102(config-keychain-key)#exit
sw102(config-keychain)#exit
sw102(config)#int g0/2
sw102(config-if)#ip ospf authentication key-chain HQDC
sw102(config-if)#ip ospf bfd
sw102(config-if)#bfd interval 100 min_rx 100 multiplier 3

Verification:

Chinese_dumps_sw101#sh key chain

Chinese_dumps_sw101#sh ip ospf interface g0/2

Chinese_dumps_sw101# sh bfd neighbor details

Chinese_dumps_sw101# sh ip ospf neighbor

Chinese_dumps_sw102#sh key chain

Chinese_dumps_sw102#sh ip os interface g0/2

Chinese_dumps_sw102#sh bfd neighbor details

Chinese_dumps_sw102#sh ip ospf neighbor

Chinese_dumps_sw201#sh key chain

Chinese_dumps_sw201#sh ip ospf int g1/2

Chinese_dumps_sw201#sh bfd neighbor details

Chinese_dumps_sw201#sh ip ospf neighbor

Chinese_dumps_sw202# sh key chain

Chinese_dumps_sw202# sh ip os int g1/2

Chinese_dumps_sw202#sh bfd neighbor details

Chinese_dumps_sw202#sh ip ospf neighbor
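What the key chain in the solution above protects on the wire, as an added example that is not part of the original workbook: an OSPFv2 Hello signed and checked with HMAC-SHA-384, following the key preparation and Apad rules of RFC 5709 as understood here. The router ID, area, mask and timers are constructed sample values; only key ID 1 and the secret "cci3" come from the task.

```python
import hashlib
import hmac
import socket
import struct
from typing import Dict, Tuple

L = hashlib.sha384().digest_size             # 48-octet digest
APAD = bytes.fromhex("878FE1F3") * (L // 4)  # fills the trailer while hashing


def prepare_key(secret: bytes) -> bytes:
    """Derive Ko: hash secrets longer than L, zero-pad shorter ones to L."""
    if len(secret) > L:
        return hashlib.sha384(secret).digest()
    return secret.ljust(L, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, seq: int) -> bytes:
    """Minimal OSPFv2 Hello (no neighbors) with an AuType 2 header."""
    body = struct.pack("!4sHBBI4s4s",
                       socket.inet_aton("255.255.255.252"),  # mask (constructed)
                       10,     # HelloInterval
                       0x02,   # Options: E-bit
                       1,      # router priority
                       40,     # RouterDeadInterval
                       socket.inet_aton("0.0.0.0"),   # DR
                       socket.inet_aton("0.0.0.0"))   # BDR
    length = 24 + len(body)    # header + body; the trailer is not counted
    header = struct.pack("!BBH4s4sHHHBBI",
                         2, 1, length,                # version 2, type 1 (Hello)
                         socket.inet_aton(router_id),
                         socket.inet_aton(area_id),
                         0,                           # checksum unused with AuType 2
                         2,                           # AuType 2: cryptographic
                         0, key_id, L, seq)           # key ID, digest length, seq
    return header + body


def sign(packet: bytes, secret: bytes) -> bytes:
    """Append the trailer: HMAC-SHA-384 over the packet followed by Apad."""
    digest = hmac.new(prepare_key(secret), packet + APAD, hashlib.sha384).digest()
    return packet + digest


def verify(wire: bytes, keys: Dict[int, bytes], last_seq: int) -> Tuple[bool, str]:
    """Receiver checks: key ID, trailer length, sequence number, digest."""
    (length,) = struct.unpack("!H", wire[2:4])
    au_type, _, key_id, auth_len, seq = struct.unpack("!HHBBI", wire[14:24])
    if au_type != 2 or key_id not in keys:
        return False, "unknown key or auth type"
    if auth_len != L or len(wire) != length + L:
        return False, "bad trailer length"
    if seq < last_seq:
        return False, "stale sequence number"
    packet, trailer = wire[:length], wire[length:]
    expected = hmac.new(prepare_key(keys[key_id]), packet + APAD,
                        hashlib.sha384).digest()
    if not hmac.compare_digest(expected, trailer):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    keys = {1: b"cci3"}                       # key 1 / key-string cci3
    wire = sign(build_hello("192.0.2.1", "0.0.0.0", key_id=1, seq=1000), b"cci3")
    print(verify(wire, keys, last_seq=999))   # accepted
    tampered = bytearray(wire)
    tampered[30] ^= 0x01                      # flip one bit in the Hello body
    print(verify(bytes(tampered), keys, last_seq=999))
    print(verify(wire, keys, last_seq=2000))  # replay of an old packet
```

Both ends must agree on key ID, algorithm and secret; a mismatch in any of them shows up as a failed check here and as an adjacency that never forms on the switches.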

1.5: DHCP IPv4 service for HQ

Enable hosts in HQ VLAN 2000 and VLAN 2001 to obtain their IP configuration via DHCP according to these requirements:

• On sw211, create IPv4 DHCP pools named hq_v2000 and hq_v2001 for HQ VLANs 2000 and 2001, respectively. In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.
• Enable DHCP snooping on sw110 in VLANs 2000 and 2001 to protect against DHCP-related attacks.
• Place host11 into VLAN 2000.
• Place host12 into VLAN 2001.
• Perform the necessary configuration on switches sw101, sw102, sw110 to enable hosts in VLANs 2000 and 2001 to obtain IPv4 configuration through DHCP. The DHCP server running at sw211 in the DC must be referred to by its loopback IPv4 address 10.2.255.211. Do not disable the Option 82 insertion, and do not enable DHCP snooping on other switches.
• Verify that host11 and host12 have IP connectivity to the Cisco DNA Center, vManage and ISE running in the DC using their internal (In Band Connectivity) addresses.

2 Points

Solution:

Chinese_dumps_sw110:

sw110>en
sw110#conf t
sw110(config)#ip dhcp snooping
sw110(config)#ip dhcp snooping vlan 2000 2001
sw110(config)#int range po1,po2
sw110(config-if-range)#ip dhcp snooping trust
sw110(config-if-range)#exit
sw110(config)#int g0/0
sw110(config-if)#switchport mode access
sw110(config-if)#switchport access vlan 2000
sw110(config-if)#exit
sw110(config)#int g0/1
sw110(config-if)#switchport mode access
sw110(config-if)#switchport access vlan 2001
sw110(config-if)#exit

Chinese_dumps_sw101:

sw101>en
sw101#conf t
sw101(config)#int vlan 2000
sw101(config-if)#ip helper-address 10.2.255.211
sw101(config-if)#ip dhcp relay information trusted
sw101(config-if)#exit
sw101(config)#int vlan 2001
sw101(config-if)#ip helper-address 10.2.255.211
sw101(config-if)#ip dhcp relay information trusted
sw101(config-if)#exit
sw101(config)#exit

Chinese_dumps_sw102:

sw102>en
sw102#conf t
sw102(config)#int vlan 2000
sw102(config-if)#ip helper-address 10.2.255.211
sw102(config-if)#ip dhcp relay information trusted
sw102(config-if)#exit
sw102(config)#int vlan 2001
sw102(config-if)#ip helper-address 10.2.255.211
sw102(config-if)#ip dhcp relay information trusted

Chinesedumps.com-sw211:

sw211>en
sw211#conf t
sw211(config)#ip dhcp excluded-address 10.1.100.1 10.1.100.100
sw211(config)#ip dhcp pool hq_v2000
sw211(dhcp-config)#network 10.1.100.0 /24
sw211(dhcp-config)#default-router 10.1.100.1
sw211(dhcp-config)#exit
sw211(config)#ip dhcp excluded-address 10.1.101.1 10.1.101.100
sw211(config)#ip dhcp pool hq_v2001
sw211(dhcp-config)#network 10.1.101.0 /24
sw211(dhcp-config)#default-router 10.1.101.1
sw211(dhcp-config)#exit

Verification:

Chinese_dumps_sw101#sh run int vlan 2000

Chinese_dumps_sw101#sh run int vlan 2001

Chinese_dumps_sw102#sh run int vlan 2000

Chinese_dumps_sw102#sh run int vlan 2001

Chinese_dumps_sw110#sh ip dhcp snooping

Chinese_dumps_sw110#sh vlan brief

Chinese_dumps_sw110#sh run | s snooping

Chinesedumps.com-sw211#sh ip dhcp pool

Chinesedumps.com-sw211#sh run | s dhcp

Host 11:

Host 12:
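Why the solution above needs both "ip dhcp snooping trust" on the uplinks and "ip dhcp relay information trusted" on the SVIs, shown as an added example that is not part of the original workbook. It is a simplified model of the snooping and relay decisions, with constructed MAC addresses and an assumed SVI address of 10.1.100.2 for the relay.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
TRUSTED_PORTS = {"Po1", "Po2"}      # sw110 uplinks: ip dhcp snooping trust
HELPER = "10.2.255.211"             # sw211 loopback, from the task
RELAY_SVI = "10.1.100.2"            # assumed SVI address on the relay switch


@dataclass(frozen=True)
class DhcpMsg:
    msg_type: str                   # DISCOVER, REQUEST, OFFER, ACK, NAK
    chaddr: str                     # client hardware address in the payload
    src_mac: str                    # source MAC of the Ethernet frame
    giaddr: str = "0.0.0.0"         # relay agent address
    option82: Optional[str] = None  # relay agent information, shown as text


def snooping_switch(msg: DhcpMsg, ingress_port: str) -> Tuple[Optional[DhcpMsg], str]:
    """Model of DHCP snooping on sw110 with Option 82 insertion left enabled."""
    if ingress_port in TRUSTED_PORTS:
        return msg, "trusted port: forwarded without inspection"
    if msg.msg_type in SERVER_MSGS:
        return None, "dropped: server message on untrusted port"
    if msg.giaddr != "0.0.0.0" or msg.option82 is not None:
        return None, "dropped: relay fields on untrusted port"
    if msg.src_mac != msg.chaddr:
        return None, "dropped: source MAC does not match chaddr"
    return replace(msg, option82=f"circuit-id={ingress_port}"), "accepted, Option 82 inserted"


def relay_svi(msg: DhcpMsg, relay_info_trusted: bool) -> Tuple[Optional[DhcpMsg], str]:
    """Model of the helper-address relay on the sw101/sw102 SVI."""
    if msg.option82 is not None and msg.giaddr == "0.0.0.0" and not relay_info_trusted:
        return None, "dropped: Option 82 with zero giaddr on untrusted interface"
    return replace(msg, giaddr=RELAY_SVI), f"relayed to {HELPER}"


def client_path(msg: DhcpMsg, ingress_port: str,
                relay_info_trusted: bool) -> Tuple[Optional[DhcpMsg], str]:
    """Client-to-server direction: access switch first, then the relay."""
    forwarded, reason = snooping_switch(msg, ingress_port)
    if forwarded is None:
        return None, reason
    return relay_svi(forwarded, relay_info_trusted)


if __name__ == "__main__":
    host11 = "00:00:5e:00:53:11"    # constructed MAC address
    discover = DhcpMsg("DISCOVER", chaddr=host11, src_mac=host11)
    print(client_path(discover, "Gi0/0", relay_info_trusted=False))
    print(client_path(discover, "Gi0/0", relay_info_trusted=True))
    rogue_offer = DhcpMsg("OFFER", chaddr=host11, src_mac="00:00:5e:00:53:99")
    print(snooping_switch(rogue_offer, "Gi0/1"))
```

The first call shows the failure that appears when snooping inserts Option 82 but the relay interface is left untrusted: the DISCOVER never reaches sw211.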

1.6: IPv6 in HQ

Implement IPv6 on sw101 and sw102 for switch virtual interfaces (SVIs) Vlan 2000 and Vlan 2001 according to these requirements:

• sw101
  Interface Vlan2000: 2001:db8:1:100::1/64
  Interface Vlan2001: 2001:db8:1:101::1/64
• sw102
  Interface Vlan2000: 2001:db8:1:100::2/64
  Interface Vlan2001: 2001:db8:1:101::2/64
• The configuration must enable hosts in these VLANs to obtain their IPv6 configuration via SLAAC and keep a stable connectivity with other IPv6 networks.
• Use native IPv6 means to provide gateway redundancy, with sw101 being the preferred gateway in VLAN 2000 and sw102 being the preferred gateway in VLAN 2001. The role must be determined by an explicit configuration solely on the intended preferred gateway.
• Hosts must be able to detect the failure of the preferred gateway in as little as 3 seconds.

1 Point

Solution:

Chinese_dumps_sw101:

sw101>en
sw101#conf t
sw101(config)#int vlan 2000
sw101(config-if)#ipv6 enable
sw101(config-if)#ipv6 address 2001:db8:1:100::1/64
sw101(config-if)#ipv6 nd router-preference high
sw101(config-if)#ipv6 nd ra lifetime 3
sw101(config-if)#ipv6 nd ra interval msec 1000
sw101(config)#int vlan 2001
sw101(config-if)#ipv6 enable
sw101(config-if)#ipv6 address 2001:db8:1:101::1/64
sw101(config-if)#ipv6 nd ra lifetime 3
sw101(config-if)#ipv6 nd ra interval msec 1000

Chinese_dumps_sw102:

sw102>en
sw102#conf t
sw102(config)#int vlan 2000
sw102(config-if)#ipv6 enable
sw102(config-if)#ipv6 address 2001:db8:1:100::2/64
sw102(config-if)#ipv6 nd ra lifetime 3
sw102(config-if)#ipv6 nd ra interval msec 1000
sw102(config)#int vlan 2001
sw102(config-if)#ipv6 enable
sw102(config-if)#ipv6 address 2001:db8:1:101::2/64
sw102(config-if)#ipv6 nd router-preference high
sw102(config-if)#ipv6 nd ra lifetime 3
sw102(config-if)#ipv6 nd ra interval msec 1000

Verification:

Chinese_dumps_sw101#sh run int vlan 2000

Chinese_dumps_sw101#sh run int vlan 2001

Chinese_dumps_sw102#sh run int vlan 2000

Chinese_dumps_sw102#sh run int vlan 2001

Chinese_dumps_sw101#sh ipv6 int vlan 2000

Chinese_dumps_sw101#sh ipv6 int vlan 2001

Chinese_dumps_sw102#sh ipv6 int vlan 2000

Chinese_dumps_sw102#sh ipv6 int vlan 2001

To verify the task:

- Ping from host-11 to the IPv6 addresses of both Vlan 2000 and Vlan 2001 (2001:db8:1:100::1, 2001:db8:1:101::1)

- Ping from host-12 to the IPv6 addresses of both Vlan 2000 and Vlan 2001 (2001:db8:1:100::1, 2001:db8:1:101::1)

To verify the switching of gateway roles:

- Traceroute from both host-11 and host-12 to the IPv6 loopback address of r11 (2001:db8:1:255::11)

In the above output you can see host11 is using sw101 – vlan 2000 to reach r11

In the above output you can see host12 is using sw102 – vlan 2001 to reach r11

- After we shut down vlan 2000 on sw101, host11 will switch its gateway to sw102 – vlan 2000

- After we shut down vlan 2001 on sw102, host12 will switch its gateway to sw101 – vlan 2001
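
The timing behind the 3-second requirement, as an added example (not part of the workbook): a host-side model of default-router selection using the page's RA settings for VLAN 2000, compared with IOS default RA timers. Assumptions: RAs are sent at a fixed interval (IOS randomizes below the configured maximum), the gateway fails silently without a final RA, and Neighbor Unreachability Detection is not modeled; the failure time and function names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# RFC 4191 default-router preference, as set by "ipv6 nd router-preference".
PREF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Router:
    name: str
    preference: str            # "medium" when router-preference is not configured
    ra_interval_ms: int        # "ipv6 nd ra interval msec <n>"
    ra_lifetime_s: int         # "ipv6 nd ra lifetime <n>"
    fails_at_ms: Optional[int] = None  # silent failure time; None = stays up


def ra_send_times(router, horizon_ms):
    """Times (ms) at which the router sends an RA; nothing after it fails."""
    stop = horizon_ms if router.fails_at_ms is None else min(horizon_ms, router.fails_at_ms)
    return set(range(0, stop, router.ra_interval_ms))


def simulate_host(routers, horizon_ms, tick_ms=100):
    """Return [(time_ms, default_gateway)] for every change of the host's choice."""
    sends = {r.name: ra_send_times(r, horizon_ms) for r in routers}
    rank = {r.name: PREF_RANK[r.preference] for r in routers}
    expiry = {}                # router name -> time its default-router entry expires
    timeline, current = [], object()
    for now in range(0, horizon_ms + 1, tick_ms):
        for r in routers:
            if now in sends[r.name]:
                # Each RA resets the entry to "now + Router Lifetime".
                expiry[r.name] = now + r.ra_lifetime_s * 1000
        live = [name for name, exp in expiry.items() if exp > now]
        # Among unexpired routers the host prefers the highest preference.
        chosen = max(live, key=rank.get, default=None)
        if chosen != current:
            timeline.append((now, chosen))
            current = chosen
    return timeline


def failover_delay_ms(timeline, failed, fails_at_ms):
    """Time from the failure until the host stops using the failed gateway."""
    for t, gateway in timeline:
        if t >= fails_at_ms and gateway != failed:
            return t - fails_at_ms
    return None


FAIL_AT_MS = 10_200  # constructed failure time: 200 ms after sw101's last RA


def vlan2000(interval_ms, lifetime_s):
    """VLAN 2000 as configured on the page: sw101 preferred, sw102 backup."""
    return [
        Router("sw101", "high", interval_ms, lifetime_s, fails_at_ms=FAIL_AT_MS),
        Router("sw102", "medium", interval_ms, lifetime_s),
    ]


def lab_timers_delay():
    # "ipv6 nd ra interval msec 1000" with "ipv6 nd ra lifetime 3"
    timeline = simulate_host(vlan2000(1000, 3), horizon_ms=20_000)
    return timeline, failover_delay_ms(timeline, "sw101", FAIL_AT_MS)


def default_timers_delay():
    # IOS defaults: RA every 200 s, router lifetime 1800 s.
    timeline = simulate_host(vlan2000(200_000, 1800), horizon_ms=1_900_000)
    return timeline, failover_delay_ms(timeline, "sw101", FAIL_AT_MS)


if __name__ == "__main__":
    for label, fn in (("lab timers", lab_timers_delay), ("IOS defaults", default_timers_delay)):
        timeline, delay = fn()
        print(f"{label}: timeline={timeline} failover after {delay / 1000:.1f} s")
```

With a 3-second lifetime the host drops the failed gateway within 3 seconds of its last RA, so the switch-over happens at most 3 seconds after the failure; the lifetime also has to stay above the RA interval, or a single late RA would expire a healthy gateway.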

1.7: IPv6 EIGRP in HQ

In HQ, enable EIGRP for IPv6 on r11, r12, sw101 and sw102 according to these requirements:

- Use process name “ccie” (without the quotes) and AS number 65001.
- Do not configure any additional IPv6 addresses.
- IPv6 EIGRP may form adjacencies only over the physical Layer3 interfaces between r11, r12, sw101 and sw102.
- Prevent IPv6 EIGRP from automatically running on, or advertising attached prefixes from, new IPv6-enabled interfaces in the future unless allowed explicitly.
- Ensure that the attached IPv6 prefixes on SVIs Vlan2000 and Vlan2001 on sw101 and sw102 are advertised in IPv6 EIGRP and learned on r11 and r12.
- No route filtering is allowed to accomplish this entire task.

2 Points

Solution:

Chinese_dumps_sw101:

sw101>en
sw101#conf t
sw101(config)#router eigrp ccie
sw101(config-router)#address-family ipv6 unicast autonomous-system 65001
sw101(config-router-af)#af-interface default
sw101(config-router-af-interface)#shutdown
sw101(config-router-af-interface)#exit-af-interface
sw101(config-router-af)#af-interface vlan 2000
sw101(config-router-af-interface)#no shutdown
sw101(config-router-af-interface)#passive-interface
sw101(config-router-af-interface)#af-interface vlan 2001
sw101(config-router-af-interface)#no shutdown
sw101(config-router-af-interface)#passive-interface
sw101(config-router-af-interface)#af-interface g0/0
sw101(config-router-af-interface)#no shutdown
sw101(config-router-af-interface)#af-interface g0/1
sw101(config-router-af-interface)#no shutdown

Chinese_dumps_sw102:

sw102>en
sw102#conf t
sw102(config)#router eigrp ccie
sw102(config-router)#address-family ipv6 unicast autonomous-system 65001
sw102(config-router-af)#af-interface default
sw102(config-router-af-interface)#shutdown
sw102(config-router-af-interface)#af-interface vlan 2000
sw102(config-router-af-interface)#no shutdown
sw102(config-router-af-interface)#passive-interface
sw102(config-router-af-interface)#af-interface vlan 2001
sw102(config-router-af-interface)#no shutdown
sw102(config-router-af-interface)#passive-interface
sw102(config-router-af-interface)#af-interface g0/0
sw102(config-router-af-interface)#no shutdown
sw102(config-router-af-interface)#af-interface g0/1
sw102(config-router-af-interface)#no shutdown

Chinese_dumps_r11:

r11>en
r11#conf t
r11(config)#router eigrp ccie
r11(config-router)#address-family ipv6 unicast autonomous-system 65001
r11(config-router-af)#af-interface default
r11(config-router-af-interface)#shutdown
r11(config-router-af-interface)#exit-af-interface
r11(config-router-af)#af-interface g0/2
r11(config-router-af-interface)#no shutdown
r11(config-router-af-interface)#af-interface g0/1
r11(config-router-af-interface)#no shutdown
r11(config-router-af-interface)#exit-af-interface
r11(config-router-af)#af-interface g0/3
r11(config-router-af-interface)#no shutdown

Chinesedumps.com-r12:

r12>en
r12#conf t
r12(config)#router eigrp ccie
r12(config-router)#address-family ipv6 unicast autonomous-system 65001
r12(config-router-af)#af-interface default
r12(config-router-af-interface)#shutdown
r12(config-router-af-interface)#exit-af-interface
r12(config-router-af)#af-interface g0/2
r12(config-router-af-interface)#no shutdown
r12(config-router-af-interface)#af-interface g0/1
r12(config-router-af-interface)#no shutdown
r12(config-router-af-interface)#af-interface g0/3
r12(config-router-af-interface)#no shutdown

Verification:

Chinese_dumps_sw101:show ipv6 eigrp neighbor

Chinese_dumps_sw101:show ipv6 route eigrp

Chinese_dumps_sw101:show run | s router eigrp

Chinese_dumps_sw102:show ipv6 eigrp neighbor

Chinese_dumps_sw101:show ipv6 route eigrp

Chinese_dumps_sw101:show run | s router eigrp

Chinesedumps.com-r11:show ipv6 eigrp neighbor

Chinesedumps.com-r11:show ipv6 route eigrp

Chinesedumps.com-r11:show run | s router eigrp

Chinesedumps.com-r12:show ipv6 eigrp neighbor

Chinesedumps.com-r11:show ipv6 route eigrp

Chinesedumps.com-r11:show run | s router eigrp

To verify the task:

- As you can see in the above screenshots for sw101 and sw102, there are routes advertised in EIGRP because only the physical links are advertised in EIGRP on r11 and r12
- To get the routes in EIGRP on sw101 and sw102, add the loopback interface on r11 to EIGRP (just for testing purposes)

On r11:

router eigrp ccie
 address-family ipv6 unicast autonomous-system 65001
  af-interface Loopback0
   no shutdown
  exit-af-interface

Output:

Sw101:

- In the above output you can see there is a route present in the EIGRP routing table

Sw102:

- In the above output you can see there is a route present in the EIGRP routing table

NOTE: After testing, please remove Loopback 0 on r11 from EIGRP

On r11:

router eigrp ccie
 address-family ipv6 unicast autonomous-system 65001
  af-interface Loopback0
   shutdown
  exit-af-interface

1.8: OSPFv2 in DC

Configure devices in the DC according to these requirements:

- Switches sw201 and sw202 must establish a stable OSPF adjacency in the FULL state with vedge21 and vedge22 on interface Vlan3999. Any configuration changes and corrections necessary to meet this requirement may be performed only on the switches, and any mismatched parameters causing the issue must be changed to exactly match the configuration of the vEdges.
- All OSPF speakers in the DC running Cisco IOS and IOS-XE software must be configured to keep the number of advertised internal routes to an absolute minimum while not impacting the reachability of the services. This includes the reachability of ISE, DNA center, vManage, vBond and vSmart on their internal (in Band Connectivity) addresses, as well as any existing and future devices in VLAN 4000 on sw201 and sw202. The configuration of this requirement must be completed exclusively within the “router ospf” and “interface vlan” contexts without causing any impact to existing OSPF adjacencies.
- Router r24 must advertise two prefixes, 10.6.0.0/15 and 10.200.0.0/24, as Type-5 LSAs in OSPFv2 to provide HQ and DC with the reachability to the DMVPN tunnel and branches #3 and #4. The configuration of this requirement must be completed exclusively within the “router ospf” context.
- Any route from the 10.2.0.0/16 range that keeps being advertised in OSPF must continue being advertised as an intra-area route.
- It is not allowed to modify existing areas to accomplish this entire task.

4 Points

Solution:

All DC devices except vEdge21, vEdge22, vSmart, vBond
-------------------------------------
router ospf 1
 prefix-suppression

Chinese_Dumps_sw201, sw202

#conf t
(config)#int vlan 3999
(config-if)#ip mtu 1496
(config)#interface vlan 4000
(config-if)#ip ospf prefix-suppression disable

Chinese_Dumps_r24

r24#conf t
r24(config)#router ospf 1
r24(config-router)#redistribute eigrp 65006 subnets
r24(config-router)#summary-address 10.6.0.0 255.254.0.0 tag 123

Chinese_Dumps_SW211:

sw211#conf t
sw211(config)#router ospf 1
sw211(config-router)#passive-interface gi1/1
sw211(config-router)#passive-interface gi1/2
sw211(config-router)#passive-interface gi1/3

Chinese_Dumps_SW212:

sw212#conf t
sw212(config)#router ospf 1
sw212(config-router)#passive-interface gi1/1
sw212(config-router)#passive-interface gi1/2

Verification:

Chinese_Dumps_sw201#show ip ospf neighbor

Chinese_Dumps_sw202#show ip ospf neighbor

On all IOS and IOS-XE devices in DC:

Chinesedumps.com-swXXX#show ip route ospf | in /30

The routes will be suppressed as we have implemented prefix-suppression

To verify the reachability, go to any device in HQ and try to ping

Chinese_Dumps_r11#show ip ospf neighbor

NOTE: The reachable subnet above is that of vManage

1.9: BGP between HQ/DC and service providers

Configure the BGP peerings between HQ/DC and Global SP#1 and Global SP#2 according to these requirements:

- Bring up the BGP peering between HQ r11 and SP#1 r3
- Bring up the BGP peering between DC r21 and SP#1 r3
- Bring up the BGP peering between DC r22 and SP#2
- Ensure that the routes learned over eBGP sessions and further advertised in iBGP will be considered reachable even if the networks on inter-AS links are not advertised in OSPF. The configuration of this requirement must be completed exclusively within the “router bgp” context.
- On r11, r21 and r22 perform mutual redistribution between OSPFv2 and BGP. However, prevent routes that were injected into OSPF from BGP from being reinjected back into BGP. This requirement must be solved on r11, r21 and r22 using only a single route-map on each of the routers and without any reference to ACLs, prefix lists, or route types.
- Prevent HQ and DC from ever communicating through SP#1 r3. All communication between HQ and DC must occur only over the direct sw101/sw201 and sw102/sw202 interconnections. Any other communication must remain unaffected. This requirement must be solved on r21 and r22 by route filtering based on a well-known mandatory attribute without the use of route maps.
- No command may be removed from the configuration on r11 to accomplish this entire task.
- It is allowed to modify existing configuration commands on r21 and r22 to accomplish this entire task.

3 Points

Solution:

Chinesedumps-r11:

r11(config)#router bgp 65001
r11(config-router)#address-family ipv4
r11(config-router)#neighbor 100.3.11.1 remote-as 10000
r11(config-router)#neighbor 100.3.11.1 activate
r11(config-router)#distance 200 100.3.11.1 0.0.0.0
r11(config)#router ospf 1
r11(config-router)#redistribute bgp 65001 subnets tag 123
r11(config-router)#route-map DENY deny 10
r11(config-route-map)#match tag 123
r11(config-route-map)#route-map DENY permit 20
r11(config)#router bgp 65001
r11(config-router)#address-family ipv4
r11(config-router)#redistribute ospf 1 match internal external 1 external 2 route-map DENY

Chinesedumps-r21:

r21#conf t
r21(config)#route-map DENY deny 10
r21(config-route-map)#match tag 123
r21(config)#route-map DENY permit 20
r21(config)#ip as-path access-list 100 deny _65001$
r21(config)#ip as-path access-list 100 permit .*
r21(config)#router bgp 65002
r21(config-router)#neighbor 100.3.21.1 remote-as 10000
r21(config-router)#neighbor 10.2.255.22 remote-as 65002
r21(config-router)#neighbor 10.2.255.22 next-hop-self
r21(config-router)#neighbor 10.2.255.22 update-source lo0
r21(config-router)#redistribute ospf 1 match internal external 1 external 2 route-map DENY
r21(config-router)#neighbor 100.3.21.1 filter-list 100 in
r21(config)#router ospf 1
r21(config-router)#redistribute bgp 65002 subnets tag 123

Chinesedumps-r22:

r22#conf t
r22(config)#route-map DENY deny 10
r22(config-route-map)#match tag 123
r22(config)#route-map DENY permit 20
r22(config)#router ospf 1
r22(config-router)#redistribute bgp 65002 subnets tag 123
r22(config)#router bgp 65002
r22(config-router)#neighbor 101.22.0.1 remote-as 10001
r22(config-router)#redistribute ospf 1 match internal external 1 external 2 route-map DENY
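
How the two filters in this solution decide, as an added example (not part of the workbook): a small evaluator for `ip as-path access-list 100` and `route-map DENY` exactly as entered on r21, run over constructed sample routes. The sample AS paths, the documentation prefixes and the function names are assumptions made for illustration; the tag on 10.6.0.0/15 comes from r24's `summary-address` line in task 1.8.

```python
import re

# as-path access-list 100 and route-map DENY exactly as entered on r21.
AS_PATH_ACL_100 = [("deny", "_65001$"), ("permit", ".*")]
ROUTE_MAP_DENY = [(10, "deny", {"tag": 123}), (20, "permit", {})]


def cisco_aspath_regex(pattern):
    """Translate an IOS AS-path regex: "_" matches start, end, space, comma,
    braces or parentheses; the rest is ordinary regex syntax."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def filter_list_permits(acl, as_path):
    """First matching entry decides; no match means the implicit deny."""
    for action, pattern in acl:
        if cisco_aspath_regex(pattern).search(as_path):
            return action == "permit"
    return False


def route_map_permits(route_map, route):
    """Evaluate entries in sequence order; an empty match clause matches all."""
    for _seq, action, match in sorted(route_map, key=lambda entry: entry[0]):
        if "tag" in match and route.get("tag", 0) != match["tag"]:
            continue  # this entry does not match, try the next sequence
        return action == "permit"
    return False  # implicit deny at the end of every route-map


# Constructed updates arriving on r21 from SP#1 r3 (AS 10000).
UPDATES_FROM_R3 = [
    {"prefix": "10.1.101.0/24", "as_path": "10000 65001"},         # originated by HQ
    {"prefix": "3.3.3.0/24", "as_path": "10000"},                  # r3's test loopback
    {"prefix": "198.51.100.0/24", "as_path": "10000 10001"},       # unrelated origin
    {"prefix": "203.0.113.0/24", "as_path": "10000 65001 64512"},  # 65001 is transit only
    {"prefix": "192.0.2.0/24", "as_path": "10000 165001"},         # "_" needs a delimiter
]

# Constructed OSPF table on r22 before "redistribute ospf 1 ... route-map DENY".
R22_OSPF_ROUTES = [
    {"prefix": "10.2.255.24/32", "tag": 0},  # DC-internal route, untagged
    {"prefix": "3.3.3.0/24", "tag": 123},    # injected from BGP by r21 with tag 123
    {"prefix": "10.6.0.0/15", "tag": 123},   # r24's summary-address carries tag 123
]


def accepted_from_sp1(updates):
    """Prefixes that survive "neighbor 100.3.21.1 filter-list 100 in"."""
    return [u["prefix"] for u in updates
            if filter_list_permits(AS_PATH_ACL_100, u["as_path"])]


def redistributed_into_bgp(ospf_routes):
    """Prefixes that route-map DENY lets from OSPF into BGP."""
    return [r["prefix"] for r in ospf_routes
            if route_map_permits(ROUTE_MAP_DENY, r)]


if __name__ == "__main__":
    print("accepted from r3:", accepted_from_sp1(UPDATES_FROM_R3))
    print("OSPF -> BGP:", redistributed_into_bgp(R22_OSPF_ROUTES))
```

The `$` anchor means only paths whose origin AS is 65001 are dropped, and the tag match does not distinguish who set tag 123, so r24's tagged summary is kept out of BGP along with the routes that came from BGP.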

Verification:

Chinese_Dumps_r11#sh bgp ipv4 unicast summary

Chinese_Dumps_r21#sh ip bgp ipv4 unicast summary

Chinese_Dumps_r22#sh ip bgp ipv4 unicast summary

To verify 4th point, we will create a loopback on r3 (int lo1 – 3.3.3.3/24)

- Create int lo1 with IP address 3.3.3.3/24
- Go on sw101 or sw102 or r12 and check the OSPF routes

To verify 5th point, we will use the previously created loopback on r3 (int lo1 – 3.3.3.3/24)

- int lo1 with IP address 3.3.3.3/24
- Remove next-hop-self command from r21 for neighbor 10.2.255.22
- For verification go on r22 and check BGP routes

- From the above output you can see the route is just showing as an iBGP route and also it is not present in the routing table of BGP

To get the output as per the requirement

- Add next-hop-self command on r21 for neighbor 10.2.255.22
- Verify with the same commands as above

From the above output you can see that the 3.3.3.0 loopback is showing as best route and also it is installed in the routing table.

Note: After performing the verification, please remove the loopback from r3

6th point:

From the above output you can see the HQ devices are preferring links between sw101 – sw201 & sw102 – sw202 to reach any subnet in DC

To verify 6th point:

- Shut down the links between sw101 – sw201 & sw102 – sw202 and check if you are having reachability to DC subnets via SP-1

From above output you can see the HQ device host 11 cannot reach as the direct link between the switches sw101 – sw201 & sw102 – sw202

1.10: Bringing up VPNv4/VPNv6 in SP#1

Configure routers r3, r4, r5 and r6 in SP#1 according to these requirements:

- Configure r3 through r6 for mutual VPNv4 and VPNv6 route exchange without the use of a route reflector. Use Lo0 IPv4 addresses for peerings.
- Configure r3 through r6 to assign (allocate/bind) as few unique MPLS labels to all existing and future VPNv4 and VPNv6 routes as possible.
- On Routers r3 through r6, prevent any existing and future customer from discovering details about the inner topology of SP#1. It is not allowed to use ACLs to accomplish this requirement.

3 Points

Solution:

Chinesedumps.com-r3:

r3>en
r3#conf t
r3(config)#router bgp 10000
r3(config-router)#neighbor 100.255.254.4 remote-as 10000
r3(config-router)#neighbor 100.255.254.4 update-source lo0
r3(config-router)#neighbor 100.255.254.5 remote-as 10000
r3(config-router)#neighbor 100.255.254.5 update-source lo0
r3(config-router)#neighbor 100.255.254.6 remote-as 10000
r3(config-router)#neighbor 100.255.254.6 update-source lo0
r3(config-router)#address-family vpnv4
r3(config-router-af)#neighbor 100.255.254.4 activate
r3(config-router-af)#neighbor 100.255.254.5 activate
r3(config-router-af)#neighbor 100.255.254.6 activate
r3(config-router-af)#address-family vpnv6
r3(config-router-af)#neighbor 100.255.254.4 activate
r3(config-router-af)#neighbor 100.255.254.5 activate
r3(config-router-af)#neighbor 100.255.254.6 activate

Chinesedumps.com-r4:

r4>en
r4#conf t
r4(config)#router bgp 10000
r4(config-router)#neighbor 100.255.254.3 remote-as 10000
r4(config-router)#neighbor 100.255.254.3 update-source lo0
r4(config-router)#neighbor 100.255.254.5 remote-as 10000
r4(config-router)#neighbor 100.255.254.5 update-source lo0
r4(config-router)#neighbor 100.255.254.6 remote-as 10000
r4(config-router)#neighbor 100.255.254.6 update-source lo0
r4(config-router)#address-family vpnv4
r4(config-router-af)#neighbor 100.255.254.3 activate
r4(config-router-af)#neighbor 100.255.254.5 activate
r4(config-router-af)#neighbor 100.255.254.6 activate
r4(config-router-af)#address-family vpnv6
r4(config-router-af)#neighbor 100.255.254.3 activate
r4(config-router-af)#neighbor 100.255.254.5 activate
r4(config-router-af)#neighbor 100.255.254.6 activate

Chinesedumps.com-r5:

r5>en
r5#conf t
r5(config)#router bgp 10000
r5(config-router)#neighbor 100.255.254.3 remote-as 10000
r5(config-router)#neighbor 100.255.254.3 update-source lo0
r5(config-router)#neighbor 100.255.254.4 remote-as 10000
r5(config-router)#neighbor 100.255.254.4 update-source lo0
r5(config-router)#neighbor 100.255.254.6 remote-as 10000
r5(config-router)#neighbor 100.255.254.6 update-source lo0
r5(config-router)#address-family vpnv4
r5(config-router-af)#neighbor 100.255.254.3 activate
r5(config-router-af)#neighbor 100.255.254.4 activate
r5(config-router-af)#neighbor 100.255.254.6 activate
r5(config-router-af)#address-family vpnv6
r5(config-router-af)#neighbor 100.255.254.3 activate
r5(config-router-af)#neighbor 100.255.254.4 activate
r5(config-router-af)#neighbor 100.255.254.6 activate

Chinesedumps.com-r6:

r6>en
r6#conf t
r6(config)#router bgp 10000
r6(config-router)#neighbor 100.255.254.3 remote-as 10000
r6(config-router)#neighbor 100.255.254.3 update-source lo0
r6(config-router)#neighbor 100.255.254.4 remote-as 10000
r6(config-router)#neighbor 100.255.254.4 update-source lo0
r6(config-router)#neighbor 100.255.254.5 remote-as 10000
r6(config-router)#neighbor 100.255.254.5 update-source lo0
r6(config-router)#address-family vpnv4
r6(config-router-af)#neighbor 100.255.254.3 activate
r6(config-router-af)#neighbor 100.255.254.4 activate
r6(config-router-af)#neighbor 100.255.254.5 activate
r6(config-router-af)#address-family vpnv6
r6(config-router-af)#neighbor 100.255.254.3 activate
r6(config-router-af)#neighbor 100.255.254.4 activate
r6(config-router-af)#neighbor 100.255.254.5 activate

On all routers r3, r4, r5, r6

#conf t
(config)#mpls label mode all-vrfs protocol bgp-vpnv4 per-vrf
(config)#mpls label mode all-vrfs protocol bgp-vpnv6 per-vrf
(config)#no mpls ip propagate-ttl forwarded

Verification:

Chinesedumps.com-r3#sh bgp vpnv4 unicast all summary

Chinesedumps.com-r3#sh bgp vpnv6 unicast all summary

Chinesedumps.com-r4#sh bgp vpnv4 unicast all summary

Chinesedumps.com-r4#sh bgp vpnv6 unicast all summary

Chinesedumps.com-r5#sh bgp vpnv4 unicast all summary

Chinesedumps.com-r5#sh bgp vpnv6 unicast all summary

Chinesedumps.com-r6#sh bgp vpnv4 unicast all summary

Chinesedumps.com-r6#sh bgp vpnv6 unicast all summary

1.11: Fixing Broken DMVPN between DC and Branches #3 and #4

Correct the configuration issues resulting in broken DMVPN tunnel connectivity between DC, Branch3 and Branch4 according to these requirements:

- The DMVPN must operate in IPSec-protected phase 3 mode.
- Using the FVRF approach, safeguard the DMVPN operation against any potential recursive routing issues involving the tunnel.
- Do not create any new VRFs.
- Do not change the tunnel source commands on Tunnel interfaces.
- On Spokes, do not add new BGP neighbors; reuse those that are currently up while changing their VRF membership as needed.
- It is not allowed to modify configuration on DC r24 to complete this entire task.

3 Points

Solution:

Chinesedumps.com-r61:

r61>en
r61#conf t
r61(config)#int lo 0
r61(config-if)#vrf forwarding WAN
r61(config-if)#ip address 10.6.255.61 255.255.255.255
r61(config)#int g0/0
r61(config-if)#vrf forwarding WAN
r61(config-if)#ip address 100.5.61.2 255.255.255.252
r61(config)#router bgp 65006
r61(config-router)#address-family ipv4 vrf WAN
r61(config-router-af)#network 10.6.255.61 mask 255.255.255.255
r61(config-router-af)#neighbor 100.5.61.1 remote-as 10000
r61(config-router-af)#neighbor 100.5.61.1 activate
r61(config)#interface tunnel 0
r61(config-if)#no ip nhrp map 10.2.255.24 10.200.0.1
r61(config-if)#ip nhrp map 10.200.0.1 10.2.255.24
r61(config-if)#no ip nhrp redirect
r61(config-if)#ip nhrp shortcut
r61(config-if)#tunnel vrf WAN
r61(config-if)#ip mtu 1440
r61(config)#crypto isakmp policy 10
r61(config-isakmp)#no hash md5
r61(config)#no crypto isakmp key cisco address 0.0.0.0
r61(config)#crypto keyring KR vrf WAN
r61(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
r61(config)#crypto ipsec profile prof
r61(config)#router eigrp ccie
r61(config-router)#address-family ipv4 unicast autonomous-system 65006
r61(config-router-af)#af-interface default
r61(config-router-af-interface)#passive-interface
r61(config-router-af-interface)#exit-af-interface
r61(config-router-af)#af-interface Tunnel0
r61(config-router-af-interface)#no passive-interface
r61(config-router-af-interface)#exit-af-interface

Chinesedumps.com-r62:

r62>en
r62#conf t
r62(config)#int lo 0
r62(config-if)#vrf forwarding WAN
r62(config-if)#ip address 10.6.255.62 255.255.255.255
r62(config)#int g0/0
r62(config-if)#vrf forwarding WAN
r62(config-if)#ip address 100.6.62.2 255.255.255.252
r62(config-if)#router bgp 65006
r62(config-router)#address-family ipv4 vrf WAN
r62(config-router-af)#network 10.6.255.62 mask 255.255.255.255
r62(config-router-af)#neighbor 100.6.62.1 remote-as 10000
r62(config)#int tunnel 0
r62(config-if)#no ip nhrp map 10.2.255.24 10.200.0.1
r62(config-if)#ip nhrp map 10.200.0.1 10.2.255.24
r62(config-if)#no ip nhrp redirect
r62(config-if)#ip nhrp network-id 1010
r62(config-if)#tunnel vrf WAN
r62(config-if)#ip mtu 1440
r62(config-if)#ip nhrp shortcut
r62(config)#crypto isakmp policy 10
r62(config-isakmp)#no hash md5
r62(config)#no crypto isakmp key cisco address 0.0.0.0
r62(config)#crypto keyring KR vrf WAN
r62(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
r62(config)#crypto ipsec profile prof
r62(config)#router eigrp ccie
r62(config-router)#address-family ipv4 unicast autonomous-system 65006
r62(config-router-af)#af-interface default
r62(config-router-af-interface)#passive-interface
r62(config-router-af-interface)#exit-af-interface
r62(config-router-af)#af-interface Tunnel0
r62(config-router-af-interface)#no passive-interface
r62(config-router-af-interface)#exit-af-interface

Chinesedumps.com-r70:

r70>en
r70#conf t
r70(config)#int tunnel 0
r70(config-if)#tunnel vrf WAN
r70(config-if)#ip mtu 1440
r70(config-if)#no ip nhrp redirect
r70(config-if)#ip nhrp shortcut
r70(config)#crypto isakmp policy 10
r70(config-isakmp)#no hash md5
r70(config)#crypto ipsec profile prof
r70(config)#router eigrp ccie
r70(config-router)#address-family ipv4 unicast autonomous-system 65006
r70(config-router-af)#af-interface Tunnel0
r70(config-router-af-interface)#no passive-interface
r70(config-router-af-interface)#exit-af-interface

Solution Steps:

Match the crypto configs on r24 and then configure the spokes (r70, r61, r62).

Faults on the spokes:

1. Hashing needs to be removed on the spokes, as there is no hash configured on r24 in the pre-configuration:

crypto isakmp policy 10
no hash md5

2.
a. On r24 a legacy key is configured.
b. On the spokes we need to complete the keyring configuration for ISAKMP:

crypto keyring KR vrf WAN
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco

3. The DMVPN must operate in IPsec-protected phase 3 mode.
a. On the hub (r24): "ip nhrp redirect". This command says that we are running phase 3 mode.
b. On the spokes (r61, r62, r70): "ip nhrp shortcut"
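
The two spoke faults above can be checked offline by comparing configuration text. This is an added example, not part of the original workbook: the configuration fragments are constructed, and the ISAKMP defaults table is an assumption to confirm against the IOS release in use.

```python
import re

# Assumption: classic IOS defaults for parameters absent from a policy;
# confirm with "show crypto isakmp policy" on the release in use.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1"}
ALIASES = {"encr": "encryption"}  # running-config abbreviates this keyword

# Constructed running-config fragments. Only "hash md5", the legacy key, the
# keyring and "tunnel vrf WAN" come from the page; the rest is illustrative.
HUB_R24 = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
"""
SPOKE_BEFORE = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
interface Tunnel0
 tunnel vrf WAN
"""
SPOKE_AFTER = """\
crypto isakmp policy 10
 authentication pre-share
crypto keyring KR vrf WAN
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
interface Tunnel0
 tunnel vrf WAN
"""


def parse_isakmp_policies(config):
    """Return {priority: {parameter: value}} with unset parameters defaulted."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if header:
            current = policies.setdefault(int(header.group(1)),
                                          dict(ISAKMP_DEFAULTS))
        elif not raw.startswith(" "):
            current = None  # an unindented line ends the policy sub-mode
        elif current is not None:
            key, _, value = line.partition(" ")
            key = ALIASES.get(key, key)
            if key in ISAKMP_DEFAULTS and value:
                current[key] = value
    return policies


def policy_diff(hub_cfg, spoke_cfg):
    """Parameters that differ between same-numbered hub and spoke policies."""
    hub = parse_isakmp_policies(hub_cfg)
    spoke = parse_isakmp_policies(spoke_cfg)
    diffs = []
    for prio in sorted(hub.keys() & spoke.keys()):
        for param in ISAKMP_DEFAULTS:
            if hub[prio][param] != spoke[prio][param]:
                diffs.append((prio, param, hub[prio][param], spoke[prio][param]))
    return diffs


def can_negotiate(hub_cfg, spoke_cfg):
    """Phase 1 can complete only if some hub policy equals some spoke policy."""
    hub = parse_isakmp_policies(hub_cfg).values()
    spoke = parse_isakmp_policies(spoke_cfg).values()
    return any(h == s for h in hub for s in spoke)


def psk_vrf_gaps(config):
    """Front-door VRFs used by tunnels that have no keyring bound to them."""
    tunnel_vrfs = set(re.findall(r"^ tunnel vrf (\S+)", config, re.M))
    keyring_vrfs = set(re.findall(r"^crypto keyring \S+ vrf (\S+)", config, re.M))
    return sorted(tunnel_vrfs - keyring_vrfs)


if __name__ == "__main__":
    for name, cfg in (("before", SPOKE_BEFORE), ("after", SPOKE_AFTER)):
        print(name, policy_diff(HUB_R24, cfg),
              can_negotiate(HUB_R24, cfg), psk_vrf_gaps(cfg))
```
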

Verification:

Chinesedumps.com-r61#sh crypto session

Chinesedumps.com-r61#sh dmvpn

Chinesedumps.com-r61#sh ip eigrp neighbor

Chinesedumps.com-r61#sh ip nhrp detail

Chinesedumps.com-r61#ping 10.200.0.70

Chinesedumps.com-r61#traceroute 10.200.0.70

Chinesedumps.com-r62#sh crypto session

Chinesedumps.com-r62#sh dmvpn

Chinesedumps.com-r62#sh ip nhrp detail

Chinesedumps.com-r70#sh crypto session

Chinesedumps.com-r70#sh dmvpn

Chinesedumps.com-r70#sh ip nhrp detail

Chinesedumps.com-r24#sh ip eigrp neighbor

Chinesedumps.com-r24#sh ip route eigrp

Chinesedumps.com-r24#sh ip nhrp detail

1.12: Tuning EIGRP on DMVPN and DMVPN-enabled Sites

Optimize the DMVPN operation according to these requirements:

• Ensure that Branches #3 and #4 receive only a default route over EIGRP in DMVPN.
• The default route origination must be done on DC r24 without the use of any static routes, redistribution, or route filtering.
• It is not allowed to modify the configuration of r61 and r62 in Branch #3 to accomplish this task.
• It is allowed to add commands to the configuration of r70 in Branch #4 to accomplish this task; none of the existing configuration on r70 may be removed to accomplish this task.

Configure sw601 and sw602 at Branch #3 according to these requirements:

• Routers r61 and r62 must not send EIGRP queries to sw601 and sw602.
• Switches sw601 and sw602 must allow advertising any current or future directly connected network to r61 and r62 after the network is added to EIGRP.
• Switches sw601 and sw602 must continue to propagate the default route received from r61 and r62 to each other. To select the default route, use a prefix list with a "permit"-type entry only.
• Switches sw601 and sw602 must not propagate the default route back to r61 and r62.
• If the prefix list that allows the propagation of selected EIGRP-learned networks between sw601 and sw602 is modified in the future, the same set of networks must be disallowed from being advertised back to r61 and r62 automatically, without any additional commands.

3 Points

Solution:

Chinesedumps-r24:

r24>en
r24#conf t
r24(config)#router eigrp ccie
r24(config-router)#address-family ipv4 unicast autonomous-system 65006
r24(config-router-af)#network 10.200.0.0 0.0.0.255
r24(config-router-af)#af-interface tunnel 0
r24(config-router-af-interface)#summary-address 0.0.0.0/0
r24(config-router-af)#topology base

Chinesedumps-r70:

r70#conf t
r70(config)#router eigrp ccie
r70(config-router)#address-family ipv4 unicast autonomous-system 65006
r70(config-router-af)#af-interface tunnel 0
r70(config-router-af-interface)#no passive

Chinesedumps-sw601 & sw602:

sw>en
sw#conf t
sw(config)#ip prefix-list ALLOW-DEF seq 5 permit 0.0.0.0/0
sw(config)#route-map ALLOW-DEF permit 10
sw(config-route-map)#match ip address prefix-list ALLOW-DEF
sw(config)#route-map BLOCK-DEF deny 10
sw(config-route-map)#match ip address prefix-list ALLOW-DEF
sw(config)#route-map BLOCK-DEF permit 20
sw(config)#router eigrp ccie
sw(config-router)#address-family ipv4 unicast autonomous-system 65006
sw(config-router-af)#eigrp stub connected leak-map ALLOW-DEF
sw(config-router-af)#af-interface vlan 2000
sw(config-router-af-interface)#passive
sw(config-router-af)#af-interface vlan 2001
sw(config-router-af-interface)#passive
sw(config-router-af)#topology base
sw(config-router-af-topology)#distribute-list route-map BLOCK-DEF out GigabitEthernet0/1
sw(config-router-af-topology)#distribute-list route-map BLOCK-DEF out GigabitEthernet0/2
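
Both route-maps on the switches reference the same prefix list, which is what satisfies the "automatically, without any additional commands" requirement. The following is an added example, not part of the original workbook: a simplified model of prefix-list and route-map evaluation that ignores split horizon and metrics, with constructed route sets and a hypothetical future prefix 10.7.1.0/24.

```python
import ipaddress

# Constructed inputs: the switch's connected VLAN subnets and the routes it
# has learned over EIGRP. 10.7.1.0/24 is a hypothetical "future" network.
CONNECTED = ["10.6.100.0/24", "10.6.101.0/24"]
LEARNED = ["0.0.0.0/0", "10.7.1.0/24"]

# ip prefix-list ALLOW-DEF seq 5 permit 0.0.0.0/0
# Entry format: (action, prefix, ge, le); ge/le of None means "not set".
PREFIX_LISTS = {"ALLOW-DEF": [("permit", "0.0.0.0/0", None, None)]}

# Route-map sequences in order: (action, matched prefix-list or None).
ROUTE_MAPS = {
    "ALLOW-DEF": [("permit", "ALLOW-DEF")],
    "BLOCK-DEF": [("deny", "ALLOW-DEF"), ("permit", None)],
}


def prefix_list_permits(entries, route):
    """First-match evaluation of a prefix list; implicit deny at the end."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = base.prefixlen          # exact length only
        else:
            lo = ge if ge is not None else base.prefixlen
            hi = le if le is not None else 32
        if lo <= net.prefixlen <= hi and net.subnet_of(base):
            return action == "permit"
    return False


def route_map_permits(name, prefix_lists, route):
    """A sequence matches when its prefix list permits the route (or it has
    no match clause); the first matching sequence decides, else deny."""
    for action, pl_name in ROUTE_MAPS[name]:
        if pl_name is None or prefix_list_permits(prefix_lists[pl_name], route):
            return action == "permit"
    return False


def advertised(connected, learned, prefix_lists, toward_uplink):
    """Prefixes a stub switch advertises out one interface.

    "eigrp stub connected leak-map ALLOW-DEF": connected routes plus the
    learned routes the leak-map permits. On the uplinks to r61/r62 the
    outbound "distribute-list route-map BLOCK-DEF" is applied on top.
    """
    routes = list(connected) + [
        r for r in learned if route_map_permits("ALLOW-DEF", prefix_lists, r)]
    if toward_uplink:
        routes = [r for r in routes
                  if route_map_permits("BLOCK-DEF", prefix_lists, r)]
    return routes


def with_extra_permit(prefix_lists, prefix):
    """Copy of the prefix lists with one more permit entry in ALLOW-DEF."""
    updated = {k: list(v) for k, v in prefix_lists.items()}
    updated["ALLOW-DEF"].append(("permit", prefix, None, None))
    return updated


if __name__ == "__main__":
    for label, pls in (("as configured", PREFIX_LISTS),
                       ("after adding 10.7.1.0/24",
                        with_extra_permit(PREFIX_LISTS, "10.7.1.0/24"))):
        print(label)
        print("  to peer switch:", advertised(CONNECTED, LEARNED, pls, False))
        print("  to r61/r62:    ", advertised(CONNECTED, LEARNED, pls, True))
```
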



Verification:

Chinesedumps-r61:

Chinesedumps-r62:

Chinesedumps-r70:

While checking whether the default route information is present on sw601 & sw602:

Chinesedumps-sw601: sh ip route

Found that r61 was not sending the default route to sw601 (same for sw602).

Issue:

- While working, performed a check on r61 (sh ip eigrp neighbor)
- Found that there was no neighborship between r61 and sw601, sw602
- From the above output you can see that sw601 is only a neighbor with sw602
- To confirm the neighborship issue on r61: sh run | s router eigrp
- From the above output you can see that in EIGRP the af-interface default is made passive and only the tunnel interface is removed from the passive state

NOTE: Whenever we make an interface passive in EIGRP, the router stops sending EIGRP messages, including Hello messages, and the devices need Hello messages for neighborship.

- To resolve the neighborship issue:

On r61 and r62:

router eigrp ccie
address-family ipv4 unicast autonomous-system 65006
af-interface GigabitEthernet0/2
no passive-interface
exit-af-interface
af-interface GigabitEthernet0/3
no passive-interface
exit-af-interface

- After removing the interfaces on r61 and r62 that connect to the downstream switches from passive-interface, we are getting the default route information on sw601 and sw602

• To verify "Switches sw601 and sw602 must not propagate the default route back to r61 and r62."
- Shut down the interface on r62 that is connected to r6 in SP 1

On r62:

Int g0/0
Shutdown

- After shutting down the interface on r62 we can see from the above output that there is no default route in the routing table
- If we check on sw601 or sw602 they should have the default route present in the routing table

1.13: IPv4 Networks on Legacy Branches

On sw211 in DC, complete the DHCP server configuration according to these requirements:

• Create IPv4 DHCP pools named br3_v2000 and br3_v2001 for Branch #3 VLANs 2000 (10.6.100.0/24) and 2001 (10.6.101.0/24) respectively.
• Create IPv4 DHCP pool named br4_v1 for the subnet 10.7.1.0/24 on Branch #4.
• In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway to clients.

On Branch #3, complete and correct the configuration on switches sw601, sw602 and sw610 to allow HSRP and DHCP relay operation in VLANs 2000 and 2001 according to these requirements:

• HSRP must implicitly use the vMAC address range of 0000.0c9f.f000 through 0000.0c9f.ffff.
• The group number must be 100 for VLAN 2000 and 101 for VLAN 2001.
• Sw601 must be the Active gateway for VLAN 2000 with a priority of 110; the Active role ownership must be deterministic.
• Sw602 must be the Active gateway for VLAN 2001 with a priority of 110; the Active role ownership must be deterministic.
• Each active switch must track its uplink interfaces gi0/1 and gi0/2; if either of these interfaces goes down, the active switch must allow the other switch to become Active. However, it is not allowed for the tracking to modify the HSRP priority to accomplish this requirement.
• Both sw601 and sw602 must be configured as DHCP relay agents in both VLANs 2000 and 2001, pointing toward the DHCP server 10.2.255.211 at sw211. However, at any time, only the Active router in the particular VLAN should relay the DHCP messages.
• Place host61 and host62 into VLANs 2000 and 2001, respectively, and make sure they are assigned their correct IPv4 configuration.

It is not permitted to use any kind of scripting to complete this task.

On Branch #4, complete the configuration of the router r70 according to these requirements:

• Assign IP address 10.7.1.1/24 to gi0/2.
• Enable DHCP relay on this interface and point it to the DHCP server 10.2.255.211 at sw211.
• It is allowed to add one additional missing command to the r70 configuration to allow DHCP clients connected to gi0/2 to obtain their IPv4 configuration.
• Make sure that host71 and host72 are assigned their correct IPv4 configuration.

2 Points

Solution:

Chinesedumps.com-sw211:

sw211>en
sw211#conf t
sw211(config)#ip dhcp excluded-address 10.6.100.1 10.6.100.100
sw211(config)#ip dhcp pool br3_v2000
sw211(dhcp-config)#network 10.6.100.0 /24
sw211(dhcp-config)#default-router 10.6.100.1
sw211(config)#ip dhcp excluded-address 10.6.101.1 10.6.101.100
sw211(config)#ip dhcp pool br3_v2001
sw211(dhcp-config)#network 10.6.101.0 /24
sw211(dhcp-config)#default-router 10.6.101.1
sw211(config)#ip dhcp excluded-address 10.7.1.1 10.7.1.100
sw211(config)#ip dhcp pool br4_v1
sw211(dhcp-config)#network 10.7.1.0 /24
sw211(dhcp-config)#default-router 10.7.1.1

Chinesedumps.com-sw601:

sw601>en
sw601#conf t
sw601(config)#int vlan 2000
sw601(config-if)#standby version 2
sw601(config-if)#standby 100 ip 10.6.100.1
sw601(config-if)#standby 100 preempt
sw601(config-if)#standby 100 priority 110
sw601(config-if)#standby 100 track 1 shut
sw601(config-if)#standby 100 track 2 shut
sw601(config-if)#standby 100 name VLAN2K
sw601(config-if)#ip helper-address 10.2.255.211 redundancy VLAN2K
sw601(config)#int vlan 2001
sw601(config-if)#standby 101 ip 10.6.101.1
sw601(config-if)#standby version 2
sw601(config-if)#standby 101 name VLAN2K1
sw601(config-if)#ip helper-address 10.2.255.211 redundancy VLAN2K1
sw601(config)#track 1 interface g0/1 line-protocol
sw601(config)#track 2 interface g0/0 line-protocol

Chinesedumps.com-sw602:

sw602>en
sw602#conf t
sw602(config)#int vlan 2001
sw602(config-if)#standby version 2
sw602(config-if)#no standby 0 ip 10.6.101.1
sw602(config-if)#standby 101 ip 10.6.101.1
sw602(config-if)#standby 101 priority 110
sw602(config-if)#standby 101 preempt
sw602(config-if)#standby 101 track 1 shut
sw602(config-if)#standby 101 track 2 shut
sw602(config-if)#standby 101 name VLAN2K1
sw602(config-if)#ip helper-address 10.2.255.211 redundancy VLAN2K1
sw602(config)#int vlan 2000
sw602(config-if)#standby version 2
sw602(config-if)#standby 100 ip 10.6.100.1
sw602(config-if)#standby 100 name VLAN2K
sw602(config-if)#ip helper-address 10.2.255.211 redundancy VLAN2K
sw602(config)#track 1 interface g0/1 line-protocol
sw602(config)#track 2 interface g0/0 line-protocol

Chinesedumps.com-sw610:

sw610>en
sw610#conf t
sw610(config)#int range g2/0-1
sw610(config-if-range)#switch trunk allowed vlan add 2001
sw610(config)#int g0/0
sw610(config-if)#switchport mode access
sw610(config-if)#switchport access vlan 2000
sw610(config)#int g0/1
sw610(config-if)#switchport mode access
sw610(config-if)#switchport access vlan 2001

Chinesedumps.com-r70:

r70>en
r70#conf t
r70(config)#interface GigabitEthernet0/2
r70(config-if)#ip address 10.7.1.1 255.255.255.0
r70(config-if)#ip helper-address 10.2.255.211
r70(config)#router eigrp ccie
r70(config-router)#address-family ipv4 unicast autonomous-system 65006
r70(config-router-af)#network 10.7.1.0 0.0.0.255

Verification:

Chinesedumps.com-r211:

Chinesedumps.com-sw601:

Chinesedumps.com-sw602:

Chinesedumps-host61:

Chinesedumps-host62:

• To verify "Each active switch must track its uplink interfaces gi0/1 and gi0/2; if either of these interfaces goes down, the active switch must allow the other switch to become Active. However, it is not allowed for the tracking to modify the HSRP priority to accomplish this requirement."

- Go to sw601 and shut down the interface g0/2 or g0/1, and then check on sw602 that it has now become the gateway for VLAN 2000

- Go to sw602 and shut down the interface g0/2 or g0/1, and then check on sw601 that it has now become the gateway for VLAN 2001

Chinesedumps-host71:

Chinesedumps-host72:

1.14: Multicast in FABD2

FABD2 is preparing to enable PIM Sparse mode multicast routing in its network. As a part of validating the runbooks, FABD2 requires a sanity check to prevent inappropriate use of multicast-related configuration commands on different router types:

• First Hop Routers – routers where multicast sources are connected
• Last Hop Routers – routers where multicast receivers (subscribers) are connected
• Intermediary Hop Routers – routers on the path between First Hop and Last Hop routers

In the table below, for each configuration command, select all router types where the use of the command is appropriate. (Select all that apply)

                          Router Type
Command                   First Hop Router   Intermediary Hop Router   Last Hop Router
ip pim register-source
ip igmp version
ip pim spt-threshold
ip pim rp-address
ip pim sparse-mode

2 points

Answer:

                          Router Type
Command                   First Hop Router   Intermediary Hop Router   Last Hop Router
ip pim register-source
ip igmp version
ip pim spt-threshold
ip pim rp-address
ip pim sparse-mode

1.15: Extending Connectivity to IaaS Site

Extend the IPv6 connectivity from HQ through the SP into the giosk VRF on the IaaS site according to these requirements:

Set up global IPv6 addressing on the link between r11 and r3

• On r11, assign 2001:2710:311::2/64 to g0/0
• On r3, assign 2001:2710:311::1/64 to g1
• Enable the existing IPv4 BGP session between r11 and r3 to also advertise IPv6 prefixes. Do not configure a standalone IPv6 BGP session between these two routers.
• Perform bidirectional route redistribution between the IPv6 EIGRP and BGP processes on r11.
• Ensure that all current and future IPv6 prefixes advertised between r11 and r3 will be installed into the RIB of these routers with the next hop address set to the proper global unicast address on their interconnection. Any policy that accomplishes this requirement must be applied in the inbound direction.
• The giosk VRF on r4 that extends the IPv6 connectivity from r4 to r30 on the IaaS site is a separate VRF independent of the fabd2 VRF. Any route leaking from the fabd2 VRF into the giosk VRF must be done on a per-site basis and only for those FABD2 sites that need connectivity in the IaaS site.
• By configuring r3 and r4 only, ensure that the HQ FABD2 site will have mutual visibility with the IaaS site while preventing:
• Any other FABD2 site from possibly learning about the routes on the IaaS site
• The IaaS site from possibly learning about the routes on any other FABD2 site
• Use the minimum amount of commands necessary to accomplish this requirement. Do not remove any existing configuration. If necessary, you are allowed to use an additional route target with the value of 10000:3681.
• Verify that host11 and host12 can ping 2001:db8:14::1 located at the IaaS site. It is permitted to modify one existing configuration command on one of the SP routers to meet this requirement.

3 Points

Solution:

Chinese_Dumps_r11:

r11(config)#int gi0/0
r11(config-if)#ipv6 address 2001:2710:311::2/64
r11(config)#route-map NH-IPV6 per 10
r11(config-route-map)#set ipv6 next-hop 2001:2710:311::1
r11(config)#router bgp 65001
r11(config-router)#address-family ipv6
r11(config-router)#address-family ipv6 unicast
r11(config-router)#neighbor 100.3.11.1 remote-as 10000
r11(config-router)#neighbor 100.3.11.1 route-map NH-IPV6 in
r11(config-router)#redistribute eigrp 65001
r11(config)#router eigrp ccie
r11(config-router)#address-family ipv6 unicast autonomous-system 65001
r11(config-router-af)#topology base
r11(config-router-af-topology)#redistribute bgp 65001 metric 100 50 255 1 1500

Chinese_Dumps_r4:

r4(config)#vrf definition giosk
r4(config-vrf)#route-target import 10000:3681
r4(config)#int lo0
r4(config-if)#ip address 100.255.254.4 255.255.255.255

Chinese_Dumps_r3:

r3(config)#vrf definition fabd2
r3(config-vrf)#route-target export 10000:3681
r3(config-vrf)#route-target import 10000:414
r3(config-vrf)#address-family ipv6
r3(config-vrf-af)#exit-address-family
r3(config)#int g1
r3(config-if)#ipv6 address 2001:2710:311::1/64
r3(config)#route-map NH-IPV6 per 10
r3(config-route-map)#set ipv6 next-hop 2001:2710:311::2
r3(config)#router bgp 10000
r3(config-router)#address-family ipv6 vrf fabd2
r3(config-router)#neighbor 100.3.11.2 remote-as 65001
r3(config-router)#neighbor 100.3.11.2 route-map NH-IPV6 in

------------------------------------------------------------------------

To test R30 connectivity as per question, I created a loopback interface on R30

interface Loopback414
no ip address
ipv6 address 2001:DB8:14::1/128
ipv6 enable

NOTE: On r4 there is a loopback in the pre-configs with a /31 mask; we need to correct the loopback mask to /32.

Verification:

Chinesedumps-r3: sh bgp vpnv6 unicast all

Chinesedumps-r11: sh bgp ipv6 unicast neighbors 100.3.11.1 advertised-routes

Chinesedumps-r3: sh ip route vrf fabd2 100.4.30.5

- From the above output we can see that the giosk network (100.4.30.5) is present on r3 in fabd2
- And in the below output on r5 we can see that the giosk network (100.4.30.5) is not present in fabd2

• Verify that host11 and host12 can ping 2001:db8:14::1 located at the IaaS site.

Chinesedumps-sw101: sh ipv6 route

Chinesedumps-sw101:

Chinesedumps-r11: sh bgp ipv6 unicast

Chinesedumps-host11:

Chinesedumps-host12:

1.16: Enabling Internet Access for FABD2

Enable highly available internet access for the FABD2 company network according to these requirements:

• On routers r12, r23 and r24, bring up IPv4 BGP peerings with the ISP; make sure that a default route is received over these peerings.
• On routers r12 and r23, inject a default route into OSPF if it is present in the routing table from a different routing source than the OSPFv2 process 1. On each router, this requirement must be completed using the minimum possible number of commands.
• On router r24, inject a default route into OSPF if and only if it is learned from the ISP over BGP. To accomplish this requirement, it is allowed to use a route-map that references both a prefix-list and a tag. This requirement must be completed using the minimum possible number of commands.
• Router r12 may be used as an internet exit for the FABD2 company network only if neither r23 nor r24 are advertising the default route in OSPF. This requirement must be accomplished exclusively in "router ospf" mode on router r12 without changing the default parameters on routers r23 and r24.
• On routers r12, r23 and r24, configure PAT and translate the entire FABD2 internal network 10.0.0.0/8 to the router address on the link toward the ISP. Create a standard ACL named NAT for this purpose. Do not use NAT pools.
• Ensure that the internet connectivity of the FABD2 company network makes use of the high availability provided by r12, r23 and r24.

1 Point

Solution:

Chinesedumps.com-r12:

r12(config)#router bgp 65001
r12(config-router)#address-family ipv4 unicast
r12(config-router)#neighbor 200.99.12.1 remote-as 19999
r12(config-router)#neighbor 200.99.12.1 activate
r12(config)#router ospf 1
r12(config-router)#default-information originate
r12(config)#int g0/0
r12(config-if)#ip nat outside
r12(config)#int range g0/1-3
r12(config-if-range)#ip nat inside
r12(config)#int lo0
r12(config-if)#ip nat inside
r12(config)#ip access-list standard NAT
r12(config-std-nacl)#permit 10.0.0.0 0.255.255.255
r12(config)#ip nat inside source list NAT interface g0/0 overload

Chinesedumps.com-r23:

r23(config)#router bgp 65002
r23(config-router)#neighbor 200.99.23.1 remote-as 19999
r23(config)#router ospf 1
r23(config-router)#default-information originate metric-type 1
r23(config)#int g1
r23(config-if)#ip nat outside
r23(config)#int range g2-4
r23(config-if-range)#ip nat inside
r23(config)#int lo0
r23(config-if)#ip nat inside
r23(config)#ip access-list standard NAT
r23(config-std-nacl)#permit 10.0.0.0 0.255.255.255
r23(config)#ip nat inside source list NAT interface g1 overload

Chinesedumps.com-r24:

r24(config)#router bgp 65002
r24(config-router)#neighbor 200.99.24.1 remote-as 19999
r24(config)#ip prefix-list DEFAULT permit 0.0.0.0/0
r24(config)#route-map ISP permit 10
r24(config-route-map)#match ip address prefix-list DEFAULT
r24(config-route-map)#match tag 19999
r24(config)#router ospf 1
r24(config-router)#default-information originate route-map ISP metric-type 1
r24(config)#interface g1
r24(config-if)#ip nat outside
r24(config)#int range g2-4,tunnel 0
r24(config-if-range)#ip nat inside
r24(config)#int lo0
r24(config-if)#ip nat inside
r24(config)#ip access-list standard NAT
r24(config-std-nacl)#permit 10.0.0.0 0.255.255.255
r24(config)#ip nat inside source list NAT interface g1 overload
r24(config)#router eigrp ccie
r24(config-router)#address-family ipv4 unicast autonomous-system 65006
r24(config-router-af)#topology base
r24(config-router-af-topology)#summary-metric 0.0.0.0/0 distance 254

Verification:

Chinesedumps-r12: sh bgp ipv4 unicast summary

Chinesedumps.com-r24:sh ip route

Chinesedumps.com-r23:sh bgp ipv4 unicast summary

Chinesedumps.com-r23:sh ip route

Chinesedumps.com-r24: sh bgp ipv4 unicast summary

Chinesedumps.com-r24: sh ip route

2.1: Correcting the IP addresses of Managed switches in DNA center


After Cisco DNA Center first achieves IP connectivity with the managed switches in Branches #1 and #2, it will place them into maintenance mode due to their serial number being different from the one DNA Center remembers. In addition, their management IP addresses in DNA Center will be automatically changed by appending them with the ".dummy.com" string. As a result, after an initial contact, DNA Center will lose connectivity with the switches unless their management IP addresses are corrected in the DNA Center settings.

Correct the IP addresses of managed switches in the DNA Center according to the following requirements:

• Use any host, such as host11, to access the DNA Center GUI website at the https://203.0.113.11 URL.
• Execute the Provision – Devices – Inventory – Global – Actions – Inventory – Resync Device action in DNA Center on all switches before proceeding further.
• DNA Center API reference and sandbox is available at the https://203.0.113.11/dna/apitester URL.
• The /network-device/update-maintenance-device-ip-address API call description and sandbox are available in the Inventory section of the API reference.
• Use the /network-device/update-maintenance-device-ip-address API call to correct the IP addresses of the switches in Branches #1 and #2 by removing the appended text.

Note: These IP addresses cannot be changed from the DNA Center GUI directly because they will become automatically invalidated again. This is a built-in DNA Center behavior.

3 points

Solution:

Step 1:

Access DNA Center and then go to PROVISION

The above output will be displayed for all 3 switches (sw400, sw501, sw502)

Step 2:

To complete the task, go to the URL below:

https://10.2.254.11/dna/apitester

Click on the Inventory option

Step 3:

Scroll down and click on network-device

Step 4:

- Scroll down and click on /network-device/update-maintenance-device-ip-address

Step 5:

- Scroll down and on the right-hand side you will see Model Schema
- Just click inside the box where the code is written

Step 6:

- The code will be copied into the blank box on the right side
- Then change newMgmtIpAddress to "10.4.255.11" and existMgmtIpAddress to "10.4.255.11.dummy.com"

{
"newMgmtIpAddress": "10.4.1.2",
"existMgmtIpAddress": "10.4.255.11.dummy.com"
}

Step 7:

- Scroll down and click the Try it out button

2.2: Completing VN Configuration in DNA center

Using the DNA Center GUI, perform configuration tasks according to these requirements:

- Add a new virtual network named IoT for the internet-of-things network on Branches #1 & #2.
- Create new address pools for the IoT VN named Branch1-For IoT and Branch2-For IoT on the
  global level, and branch1-IoT and Branch2-IoT on the Branch level.
- For Branch #1 IoT VN, allocate the subnet 10.4.198.0/24 and the gateway IP address 10.4.198.1.
- For Branch #2 IoT VN, allocate the subnet 10.5.198.0/24 and the gateway IP address
  10.5.198.1.
- Associate the Branch1-IoT and Branch2-IoT pools with the IoT VN on the respective branches.
- Complete the configuration of the address pools for the Guest VN in the DNA Center so that
  Branch #1 and Branch #2 can accommodate guest connections. If a new address pool needs to
  be created and an address range allocated to it, follow the established addressing plan.
- Correct the addressing information currently defined for the Branch2-For Employees and
  Branch2-Employees address pool.
- For all address pools, use the DHCP server 10.2.255.211 to allocate addresses to clients.

On sw211, complete the DHCP server configuration according to these requirements:

- Create four new DHCP pools for the IoT and Employees VNs on respective branches
  o Pool named br1_iot for Branch #1 IoT VN
  o Pool named br1_emp for Branch #1 Employees VN
  o Pool named br2_iot for Branch #2 IoT VN
  o Pool named br2_emp for Branch #2 Employees VN
- In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway
  to clients.

3 Points

Solution:

Step 1:

Configure the DHCP server 10.2.255.211 under Network Settings. Click Save.

Note: The pre-configured pools will not have a DHCP server attached to them, so we
need to add the DHCP server before moving forward to create the other pools.

How to add DHCP to the preconfigured IP pools:

a. Go under Provision > Fabric > Default LAN_FABRIC
b. Select Branch1, go under Host Onboarding and select the Employees VN
c. Then go to Actions and delete the pool associated to the Employee VN
d. After deleting, go under Design > Network Settings > IP pools
e. Select the Branch1_Emp pool, add the DHCP server and reserve it to the Fabric again
f. Edit the Branch1_Emp pool and add DHCP as shown, then save it
g. Add the pool to the fabric again

Step 2:

Under IP Address Pools on the global level, click Add.

Fill in the name Branch1-ForIoT.

IP 10.4.198.0/24

Select the DHCP pool created in step 1. Repeat for Branch 2.

Step 3:

Go under each branch under Global and click Reserve.

Name the IP pool Branch1-IoT.

Select the Global pool created in step 2 for Branch1.

Select prefix length /24.

Select the DHCP server 10.2.255.211.

Click Reserve.

Repeat for Branch 2.

(Verify that the Employees IP pools have the DHCP server selected, have the correct gateway and are
reserved under Branch 1 and 2.)

(If a new Guest IP pool needs to be created, configure it in the same way as IoT but with a different
IP range.)

Step 4:

Under Policy > Virtual Network, click Create Virtual Network.

Enter the name IoT.

Step 5:

Under Provisioning > Fabric, select Branch 1.

Select Host Onboarding > Virtual Networks and click Add Virtual Network.

Select the VN IoT and click Update. Then click on the grey VN IoT.

Select the IP address pool for Branch1-IoT.

Repeat for Branch 2.

(If needed, add the created IP pool to the Guest VN.)

Step 6:

DHCP server on sw211

! Exclude .1 to .100 in each subnet so that clients are assigned .101 to .254
ip dhcp excluded-address 10.4.198.1 10.4.198.100
ip dhcp excluded-address 10.5.198.1 10.5.198.100
ip dhcp pool br1_iot
 network 10.4.198.0 /24
 default-router 10.4.198.1
 exit
ip dhcp pool br2_iot
 network 10.5.198.0 /24
 default-router 10.5.198.1

2.3: Mapping SDA VNs to SD-WAN VPNs

Using vManage GUI, perform configuration tasks according to these requirements:



- Use any host, such as host11, to access the vManage GUI website at https://203.0.113.21 URL.
- Create three new SD-WAN VPNs to carry the SDA VN traffic
  o VPN ID 198 for IoT VN
  o VPN ID 199 for Guest VN
  o VPN ID 200 for Employees VN
- On Branch #1 and Branch #2 vEdges, for each of these VPNs:
  o Create a new sub-interface on the interface toward the SDA border switch. Align the
    VLAN ID and IP address on the sub interface with the configuration generated by DNA
    Center on the border switches for the appropriate VN.
  o Peer the vEdge and the SDA border switch using iBGP. Ensure full reachability between
    all locations of the same VPN.

4 Points

Solution:

Step 1:

Select the device template to which the Branch vEdges are attached. Click the three dots <…> and Edit
Device Template.

Go under Service VPN and click Add VPN.

At the bottom of the page, click Create VPN Template.

Give the template a name and add the VPN number 198.

Under Advertise OMP, click On for BGP.

Click Save and repeat for VPN 199 and 200.

Step 2:

Select all three VPNs and click Next.

Pick BGP and VPN Interface Ethernet.

Open the BGP drop-down and click Create Template.

Give the template a name.

Leave the BGP AS number as Device Specific.

Under Unicast Address Family, click New Redistribute; under Protocol choose OMP and click Add.

Under Neighbor, click New Neighbor.

Change Address to Device Specific and click Add. Then click Save.

Step 3:

a. Create the VPN interface template
b. Click Create new VPN Interface Ethernet Template
c. Give the template a name and description.
d. Change Shutdown to be Global No
e. Change Interface Name to be Device Specific

Change IPv4 Address to be Device Specific.

Under Advanced, change the MTU to be Global 1496 and click Save.

Add both templates that were created, click Add and then press Update.

Click the three dots <…> on the right to add the device values. For the Branch 1 router vEdge 40, set the BGP AS
number to 65004; for vEdge 51 and 52, set AS 65005.

Place the cursor on the three dots <…> to verify the interfaces.

Repeat for vEdge 51 and 52.

Then click Update and Next and push the config to the devices.

Step 4:

* Configure the SDA border switches sw400, sw501 and sw502.

* DNA Center should have generated VRFs for the Employees VN, Guest VN and IoT VN.

Under sw400

interface Vlan198
 vrf forwarding IoT
 ip address 10.4.198.2 255.255.255.0
interface Vlan199
 vrf forwarding Guest
 ip address 10.4.199.2 255.255.255.0
interface Vlan200
 vrf forwarding Employees
 ip address 10.4.200.2 255.255.255.0
router bgp 65004
 address-family ipv4 vrf IoT
  neighbor 10.4.198.1 remote-as 65004
  neighbor 10.4.198.1 activate
  network 10.4.1.0 mask 255.255.255.0
 address-family ipv4 vrf Guest
  neighbor 10.4.199.1 remote-as 65004
  neighbor 10.4.199.1 activate
  network 10.4.2.0 mask 255.255.255.0
 address-family ipv4 vrf Employees
  neighbor 10.4.200.1 remote-as 65004
  neighbor 10.4.200.1 activate
  network 10.4.3.0 mask 255.255.255.0

Add network statements for the IP pools that were created in DNAC in question 2.1.
Repeat this configuration for switches 501 and 502.

2.4: Configuring SD-WAN VPN Route Leaking

To allow the traditional parts of the FABD2 network to communicate with the Employees and IoT
VPNs/VNs, configure route leaking in SD-WAN according to these requirements:

- Prefixes in the IoT VPN 198 must be imported into the existing SDA underlay VPN 999 and
  tagged with the tag value of 198.
- Prefixes in the Employees VPN 200 must be imported into the existing SDA underlay VPN 999
  and tagged with the tag value of 200.
- Prefixes in the SDA underlay VPN 999 advertised from the DC that are within the 10.4.0.0/15
  range must be rejected. Other prefixes in the SDA underlay VPN 999 advertised from the DC must be
  accepted and also imported into IoT VPN 198 and Employees VPN 200.
- Redistribution from OMP into OSPF on Branches #1 and #2 in VPN 999 must exclude vRoutes
  tagged with values 198 or 200.
- Place host41 into the Employees VN. Place host51 into the IoT VN. Make sure both hosts receive their
  IP settings from DHCP.
- Ensure that the IoT and Employees VPNs on Branches #1 and #2 have reachability to Branches
  #3 and #4. It is allowed to modify the VPN 999 OMP settings to accomplish this requirement.

3 Points

Solution:

Step 1:

In the vManage GUI, go to the Configuration tab and select Policies.

Step 2:

Under Policies, select Centralized Policy and click Add.

Step 3:

Under Centralized Policy, check in the Site tab which sites are pre-configured, then hit NEXT at the
bottom of the page.

Step 5:

Click on Add Topology and select Custom Control

Step 6:

Add a Sequence Type and add a Route Control Policy

Step 7:

Select VPN list under Match Conditions and add a new VPN list

Step 8:

Select the new VPN list that was created.

Go to the Actions tab.

Select Accept.

Select Export To and create a new VPN list for VPN 999 (if not already present).

Step 9:

Select VPN 999 in Export To.

Click on OMP Tag.

Add the OMP Tag as 198 and click Save Match and Actions.

Step 10:

Repeat Step 7, Step 8 and Step 9 for VPN 200.

For the OMP Tag, select 200.

Step 11:

In Default Action, select Accept.

Step 12:

Enter a Name and Description and click Save Control Policy.

Step 13:

Click on Add Topology and select Custom Control to add another policy.

Step 14:

Add a Sequence Type and add a Route Control Policy.

Step 15:

Add a new sequence.

Select Prefix List.

Add a new prefix list.

Click on VPN and select VPN 999.

Step 16:

Add another Sequence Rule for VPN 999.

Select VPN 999 from the VPN list.

Go to Actions.

Select Accept.

Select Export To and add a new VPN list.

Select VPN list 198-200 under Export To and click Save Match and Actions.

Step 17:

In Default Action, select Accept.

Also give a Name and Description.

After adding, hit Next twice.

Step 18:

Under Add Policy, fill in:

Policy Name

Description

Under Import-DC:

In New Site List, in the Outbound List select Branch 1 and Branch 2.

In New Site List, in the Inbound List select DC.

Under Import-Branch:

In New Site List, in the Inbound List select Branch 1 and Branch 2.

In New Site List, in the Outbound List select DC.

Also add a new site list as DC.

Then save the policy.

Step 19:

Create a Localized Policy.

Click on Add Route Policy.

Add the name of the policy.

Add a description.

Create a Sequence Rule for 198 and 200 as below.

In Default Action, select Accept.

Hit NEXT.

Step 20:

Go to the Device Templates.

Select the Branch 1 Device Template.

Under the Branch 1 Device Template, go to Additional Templates.

Add the Policy.

Go to the Branch 1 OSPF VPN 999 Feature Template and add the tag under New Redistribution.

Click on Update.

Repeat Step 20 for Branch 2.
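
The requirements of task 2.4 can be checked as plain logic before clicking through the GUI. The following is an added example, not part of the original workbook: a small Python model of the two control policies and the OMP-to-OSPF filter. The route data, class and function names are constructed for illustration, and the model expresses the task statement, not vSmart's own syntax.

```python
"""Model of the task 2.4 route-leaking requirements (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class VRoute:
    vpn: int
    prefix: str
    site: str                  # site the vRoute was received from
    tag: Optional[int] = None  # OMP tag


BRANCH_SITES = {"Branch1", "Branch2"}
REJECT_FROM_DC = ipaddress.ip_network("10.4.0.0/15")
LEAK_INTO_999 = {198: 198, 200: 200}   # service VPN -> OMP tag on the leaked copy
LEAK_FROM_999 = (198, 200)


def import_branch(route: VRoute) -> List[VRoute]:
    """Routes from Branch 1/2: leak VPN 198 and 200 into VPN 999 with a tag."""
    result = [route]                                   # the original stays in its own VPN
    tag = LEAK_INTO_999.get(route.vpn)
    if tag is not None:
        result.append(replace(route, vpn=999, tag=tag))
    return result                                      # default action: accept


def import_dc(route: VRoute) -> List[VRoute]:
    """Routes from the DC: drop VPN 999 prefixes inside 10.4.0.0/15, leak the rest."""
    if route.vpn != 999:
        return [route]                                 # default action: accept
    if ipaddress.ip_network(route.prefix).subnet_of(REJECT_FROM_DC):
        return []                                      # the task requires these to be rejected
    return [route] + [replace(route, vpn=v) for v in LEAK_FROM_999]


def apply_policies(routes: List[VRoute]) -> List[VRoute]:
    """Apply the policy that matches the site each vRoute came from."""
    table: List[VRoute] = []
    for route in routes:
        if route.site in BRANCH_SITES:
            table.extend(import_branch(route))
        elif route.site == "DC":
            table.extend(import_dc(route))
        else:
            table.append(route)
    return table


def omp_to_ospf(table: List[VRoute]) -> List[str]:
    """Branch VPN 999 redistribution: skip vRoutes tagged 198 or 200."""
    return [r.prefix for r in table if r.vpn == 999 and r.tag not in (198, 200)]


# Constructed sample vRoutes; the prefixes are illustrative only.
SAMPLE = [
    VRoute(198, "10.4.198.0/24", "Branch1"),
    VRoute(200, "10.5.200.0/24", "Branch2"),
    VRoute(199, "10.4.199.0/24", "Branch1"),   # Guest: must not be leaked anywhere
    VRoute(999, "10.4.1.0/24", "DC"),          # inside 10.4.0.0/15: rejected
    VRoute(999, "10.5.0.0/16", "DC"),          # inside 10.4.0.0/15: rejected
    VRoute(999, "10.2.0.0/16", "DC"),          # accepted and leaked to 198 and 200
    VRoute(999, "10.0.0.0/8", "DC"),           # supernet of the range, not inside it
]

if __name__ == "__main__":
    table = apply_policies(SAMPLE)
    for entry in table:
        print(entry)
    print("Redistributed into OSPF:", omp_to_ospf(table))
```

The Guest VPN 199 route stays only in VPN 199, and the tagged copies leaked into VPN 999 are the ones the OSPF redistribution filter drops.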


2.5: Handling Guest Traffic

The Guest VN/VPN on Branches #1 and #2 must remain isolated from the rest of the company network.
It is only allowed to reach the internet through r23 and r24 in the DC. Enable internet connectivity for the
Guest VPN according to these requirements:

- On vedge21 and vedge22, place the ge0/2 interfaces into the Guest VPN 199.
- On r23 and r24, create a new VRF named Guest using the RD of 65002:199, and place the gi4
  interfaces into this VRF.
- Assign addresses to these interfaces:
  o R23 gi4: 10.2.123.1/24
  o R24 gi4: 10.2.224.1/24
  o Vedge21 ge0/2: 10.2.123.2/24
  o Vedge22 ge0/2: 10.2.224.2/24
- Peer r23 and vedge21 in the Guest VRF/VPN using iBGP.
- Peer r24 and vedge22 in the Guest VRF/VPN using iBGP.
- Ensure that r23 and r24 learn the routes in the Guest VRF/VPN over iBGP.
- On r23 and r24, configure a static default route in the Guest VRF and point it to the ISP’s IP
  address 200.99.23.1 or 200.99.24.1 as appropriate. Advertise this default route in iBGP to
  vedge21 and vedge22.
- On r23 and r24, configure PAT to allow the Guest VPN to access the internet by translating it to the
  router address on the link toward the ISP. Reuse the NAT ACL already created on the router. Do
  not use NAT pools.

Configure r23 as the DHCP server for the Guest VPN according to these requirements:

- Create a Loopback1 interface on r23 associated with the Guest VRF and having the IP address
  10.2.255.211/32
- Advertise this prefix in BGP toward vedge21.
- Create a DHCP pool named br1_guest for the Branch #1 Guest subnet.
- Create a DHCP pool named br2_guest for the Branch #2 Guest subnet.
- Explicitly associate both DHCP pools with the VRF Guest.
- In each subnet, assign addresses from .101 up to .254 inclusively, and the appropriate gateway
  to clients.
- Associate host42 and host52 with the Guest VN in DNAC, and make sure that both hosts receive
  the appropriate address.
- Make sure that host42 and host52 can ping 8.8.8.8 in the ISP cloud

4 Points

Solution:

r23

router bgp 65002
 neighbor 200.99.23.1 remote-as 19999
vrf definition Guest
 rd 65002:199
 address-family ipv4
 exit
interface GigabitEthernet4
 vrf forwarding Guest
 ip address 10.2.123.1 255.255.255.0
 ip nat inside
interface GigabitEthernet1
 ip nat outside
 exit
ip access-list standard NAT
 permit 10.0.0.0 0.255.255.255
 exit
router bgp 65002
 address-family ipv4 vrf Guest
  neighbor 10.2.123.2 remote-as 65002
  network 10.2.255.211 mask 255.255.255.255
  network 0.0.0.0 mask 0.0.0.0
! PAT for the Guest VRF to the address of the ISP-facing interface
ip nat inside source list NAT interface GigabitEthernet1 vrf Guest overload
ip route vrf Guest 0.0.0.0 0.0.0.0 200.99.23.1 global
! Loopback1 is the DHCP server address for the Guest VPN (a /32 per the task)
interface Loopback1
 vrf forwarding Guest
 ip address 10.2.255.211 255.255.255.255
 exit
ip dhcp class branch1
 exit
ip dhcp pool br1_guest
 network 10.4.199.0 /24
 default-router 10.4.199.1
 class branch1
  address range 10.4.199.101 10.4.199.254
ip dhcp class branch2
 exit
ip dhcp pool br2_guest
 network 10.5.199.0 /24
 default-router 10.5.199.1
 class branch2
  address range 10.5.199.101 10.5.199.254
ip dhcp use vrf connected

r24

vrf definition Guest
 rd 65002:199
 address-family ipv4
 exit
interface GigabitEthernet4
 vrf forwarding Guest
 ip address 10.2.224.1 255.255.255.0
 ip nat inside
interface GigabitEthernet1
 ip nat outside
ip access-list standard NAT
 permit 10.0.0.0 0.255.255.255
 exit
router bgp 65002
 address-family ipv4 vrf Guest
  neighbor 10.2.224.2 remote-as 65002
  network 0.0.0.0 mask 0.0.0.0
ip nat inside source list NAT interface GigabitEthernet1 vrf Guest overload
! r24 points at its own ISP next hop, 200.99.24.1, as the task statement requires
ip route vrf Guest 0.0.0.0 0.0.0.0 200.99.24.1 global
ip dhcp use vrf connected

Step 1:

In the DC Device Templates:

Under Service VPN, add VPN 199 (Guest).

Under VPN 199, add the Interface Template and the BGP Template.

Click SAVE.

Click Update in the DC Device Template.

Step 2:

Go to DNAC.

Go to Provision > Fabric > Default LAN Fabric.

Select Branch 1.

Go to Host Onboarding.

Select the details as per the screenshot below.

Then SAVE and Apply.

2.6: Support for silent Hosts in Branch #2

This item consists of multiple questions. You may need to scroll down to be able to see all questions.

In future, Branch #2 will be equipped with IP-based IoT endpoints operating in speak-when-spoken-to
mode, also called silent hosts. Which of the following SDA features enables a working connectivity with
these IoT endpoints?

o Native Multicast
o Endpoint Mobility
o Layer 2 Flooding
o Layer 2 Extension

In the statement below, select one of the options from the drop-down list to complete the sentence
and form a correct statement.

For SDA to support silent hosts, ___________________Select Option__________________________
in the underlay as a prerequisite.

Options:
o IP multicast routing with PIM-SM must be enabled
o No additional capability aside from unicast IP connectivity is required
o IS-IS must be used as a routing protocol
o DHCP Snooping must be enabled

3 Points

Answer: Layer 2 Flooding

Answer: IP Multicast routing with PIM-SM must be enabled

3.1: Enabling CLI access to r30

There is no direct console access provided to the router r30. Moreover, r30 does not accept any
remote connections because its VTY lines are configured with transport input none. Using RESTCONF,
enable remote access to r30 for all remote access protocols, according to these requirements:

- You can use host31 to access router r30 using IP address 10.3.11.1
- You can use any method of accessing the RESTCONF API on r30 from host31, including curl,
  Python, or Postman
- You must change the input transport protocol on all configurable VTY lines
- The input transport protocol value setting must be changed from none to all

Important parameters:

- Username/password for HTTP authentication
  o admin/admin
- URL
  o https://10.3.11.1:443/restconf/data/Cisco-IOS-XE-native/line/vty
- HTTP method to retrieve the configuration
  o GET
- HTTP method to modify the configuration
  o PATCH
- HTTP headers
  o Content-Type: application/yang-data+json
  o Accept: application/yang-data+json
- Recommended curl switches
  o -i, -k, -X, -H, -u, -d

2 Points

Solution:

On r30:

r30#conf t
r30(config)# ip http server
r30(config)# ip http authentication local
r30(config)# ip http secure-server
r30(config)# username admin privi 15 secret admin
r30(config)# restconf
r30(config)#interface GigabitEthernet2
r30(config-if)#no shutdown
r30(config-if)#ip address 10.3.11.1 255.255.255.0
r30(config-if)#negotiation auto

Step 1:

Open the Linux machine host31 and check reachability to r30; also check RESTCONF reachability.

Step 2:

From the Linux machine, open Postman.

Step 3:

In Postman, select Create a request.

Step 4:

Go to the Authorization tab.

Step 5:

Under Type, select Basic Auth.

Step 6:

Insert the username/password: admin/admin

Step 7:

Select Settings and then the default settings.

Step 8:

Turn off the SSL certificate verification.

NOTE: Step 8 is sometimes not mandatory to perform in the lab.

Step 9:

Select the Headers tab and create two headers.

- HTTP headers
  o Content-Type: application/yang-data+json
  o Accept: application/yang-data+json

Step 10:

Enter the URL under GET and hit SEND.

- URL
  o https://10.3.11.1:443/restconf/data/Cisco-IOS-XE-native:native/line/vty

Step 11:

Step 10 above will generate output in the Body tab.

Copy the generated output.

Step 12:

Paste the generated output in Body > RAW.

Step 13:

Change the transport input option from “none” to “all”.

Then send the edited output as a PATCH by selecting PATCH from the method list.

Verification:

Go to the CLI of r30 and run the command show run | s line
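
The task also allows Python instead of Postman. The following is an added example, not part of the original workbook: it takes the body returned by the GET in Step 10, rewrites every VTY range to transport input all, and builds the PATCH request for Step 13 without sending it. The two sample bodies are constructed and their JSON shapes are assumptions about how IOS XE releases encode this setting, so compare them with the output of your own GET.

```python
"""Rewrite a RESTCONF GET of native/line/vty so every VTY range allows all input transports."""
import base64
import copy
import json
import urllib.request

URL = "https://10.3.11.1:443/restconf/data/Cisco-IOS-XE-native:native/line/vty"
HEADERS = {
    "Content-Type": "application/yang-data+json",
    "Accept": "application/yang-data+json",
}
VTY_KEY = "Cisco-IOS-XE-native:vty"   # assumed top-level key of the GET response

# Constructed sample GET bodies (assumed shapes, one per encoding style).
SAMPLE_PRESENCE_FORM = """{"Cisco-IOS-XE-native:vty": [
  {"first": 0, "last": 4, "login": {"local": [null]},
   "transport": {"input": {"none": [null]}}},
  {"first": 5, "last": 15, "transport": {"input": {"none": [null]}}}
]}"""
SAMPLE_LEAFLIST_FORM = """{"Cisco-IOS-XE-native:vty": [
  {"first": 0, "last": 4, "transport": {"input": {"input": ["none"]}}}
]}"""


def set_transport_all(entry: dict) -> dict:
    """Return a copy of one vty entry with transport input set to all."""
    new = copy.deepcopy(entry)
    transport = new.setdefault("transport", {})
    old = transport.get("input", {})
    # Keep whichever encoding the device returned; default to the presence form.
    transport["input"] = {"input": ["all"]} if "input" in old else {"all": [None]}
    return new


def build_patch_body(get_body: str) -> str:
    """Change every VTY range in the GET body; all other settings are kept."""
    doc = json.loads(get_body)
    doc[VTY_KEY] = [set_transport_all(entry) for entry in doc[VTY_KEY]]
    return json.dumps(doc, indent=2)


def ranges_not_all(body: str) -> list:
    """List the (first, last) VTY ranges that do not yet have transport input all."""
    pending = []
    for entry in json.loads(body)[VTY_KEY]:
        inp = entry.get("transport", {}).get("input", {})
        if not ("all" in inp or inp.get("input") == ["all"]):
            pending.append((entry["first"], entry["last"]))
    return pending


def build_patch_request(get_body: str, user: str = "admin",
                        password: str = "admin") -> urllib.request.Request:
    """Build (but do not send) the PATCH with HTTP basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = dict(HEADERS, Authorization="Basic " + token)
    return urllib.request.Request(
        URL, data=build_patch_body(get_body).encode(), method="PATCH", headers=headers
    )


if __name__ == "__main__":
    print("Ranges still closed:", ranges_not_all(SAMPLE_PRESENCE_FORM))
    request = build_patch_request(SAMPLE_PRESENCE_FORM)
    print(request.get_method(), request.full_url)
    print(request.data.decode())
```

Running ranges_not_all on a second GET after the PATCH gives the same check as show run | s line, from host31.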



3.2: Using Guest shell and python on r30


On r30, enable guestshell and create a python script named ribdump.py in the guestshell according to
these requirements:

- If an additional IP network is necessary to start guestshell, you are allowed to use addresses
  from the range 192.168.255.0/24. This range must not be advertised in any routing protocol.
- The python script must be saved under the name ribdump.py in the home directory of the
  guestshell user.
- The purpose of the script is to display the complete contents of all routing tables in non-default
  VRFs created on the router.
- The script must execute the show ip route vrf… or show ipv6 route vrf… command for every
  non default VRF created on the router, depending on what address families are enabled in that
  VRF.
- The script must determine the list of created VRFs and enabled address families dynamically
  every time it is run using, for example, show vrf brief | include ipv
- The script must not attempt to display the VRF routing table for an address family that is not
  enabled in the VRF.
- It must be possible to run the script using the guestshell run python ribdump.py command from
  privileged EXEC mode.

3 Points
Solution:

- Guestshell needs to be enabled, and it needs the IOx service to run
- Intent of the script
- Execute the command "show vrf brief | include ipv" and store the output in a variable named vrf
- Run a for loop for each VRF in the variable vrf
- Check whether the ipv4 and ipv6 address families are in the VRF
- Execute the "show ipvx route vrf x" command per VRF, keep the output in a variable and print
  the variable

r30

r30#conf t
r30(config)#iox
r30(config)#interface VirtualPortGroup0
r30(config-if)#ip address 192.168.255.1 255.255.255.0
r30(config)#exit
r30(config)#app-hosting appid guestshell
r30(config)#app-vnic gateway1 virtualportgroup 0 guest-interface 0
r30(config)#guest-ipaddress 192.168.255.2 netmask 255.255.255.0
r30(config)#app-default-gateway 192.168.255.1 guest-interface 0
r30(config)#name-server0 8.8.8.8
r30(config)#end

* Block this prefix from being advertised in case connected redistribution or a network statement is
  advertising this subnet
* Create a prefix list to deny 192.168.255.0/24 and allow everything else
* Apply it on the BGP neighbor

r30#guestshell enable

* Wait until guestshell is enabled

r30#guestshell run bash

* You will get the guestshell's Linux bash shell (most Linux bash shell commands will run)
* Create a file named ribdump.py using the vi editor (it is worth learning the vi shortcuts/commands)

vi ribdump.py

The above command opens the ribdump.py file for editing.

To enter insert mode in the editor, hit “ i ”.

Paste the script below into the file and save.

Script: Be mindful of the indentation used, otherwise the script will fail.

import sys
import cli

# One line per VRF: name, default RD, protocols, interfaces
vrf = cli.execute('show vrf brief | include ipv')

for line in vrf.splitlines():
    ipv4 = False
    ipv6 = False
    vrfString = line.split()
    # Find the protocols column by content: an RD shown as "<not set>"
    # splits into two fields and shifts the column position
    protocols = next((f for f in vrfString[1:] if f in ("ipv4", "ipv6", "ipv4,ipv6")), "")
    if(protocols == "ipv4"):
        ipv4 = True
    elif(protocols == "ipv6"):
        ipv6 = True
    elif(protocols == "ipv4,ipv6"):
        ipv4 = True
        ipv6 = True
    # Only query the address families that are enabled in this VRF
    if(ipv4 == True):
        vrfv4 = cli.execute('show ip route vrf ' + vrfString[0])
        print(vrfv4)
    if(ipv6 == True):
        vrfv6 = cli.execute('show ipv6 route vrf ' + vrfString[0])
        print(vrfv6)

To exit the editor:

Press ESC, then :wq

Then run the file with the command below:

guestshell run python ribdump.py

guestshell ls

Alternate Solution:

Chinesedumps.com-r30

conf t
iox
interface VirtualPortGroup0
 ip address 192.168.255.1 255.255.255.0
 ip nat inside
 exit
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 overload
ip access-list standard GS_NAT_ACL
 permit 192.168.0.0 0.0.255.255
app-hosting appid guestshell
 app-vnic gateway1 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.255.2 netmask 255.255.255.0
 app-default-gateway 192.168.255.1 guest-interface 0
 name-server0 8.8.8.8
end

int gi1.100
 ip nat outside

guestshell enable
guestshell run bash

vi ribdump.py

The above command will edit the ribdump.py file

To insert into the editor hit “ i ”

Paste the below Script in the file and save


Script : Be mindful of the indentation used, else the script will fail

import sys
import cli

# One line per VRF: Name, Default RD, Protocols, Interfaces
vrf = cli.execute('show vrf brief | include ipv')

for line in vrf.splitlines():
    ipv4 = False
    ipv6 = False
    vrfString = line.split()
    # vrfString[2] is the Protocols column (when the RD is a single token)
    if(vrfString[2] == "ipv4"):
        ipv4 = True
    elif(vrfString[2] == "ipv6"):
        ipv6 = True
    elif(vrfString[2] == "ipv4,ipv6"):
        ipv4 = True
        ipv6 = True
    # Dump the routing table of each address family enabled in this VRF
    if(ipv4 == True):
        vrfv4 = cli.execute('show ip route vrf ' + vrfString[0])
        print(vrfv4)
    if(ipv6 == True):
        vrfv6 = cli.execute('show ipv6 route vrf ' + vrfString[0])
        print(vrfv6)

To exit the editor :

Press ESC then :wq

Then run the file with the below command

guestshell run python ribdump.py
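
The ribdump.py script in both solutions reads the address families from the third whitespace-separated field, so a VRF whose Default RD is displayed as <not set> (two tokens) is silently skipped. The following is an added example, not part of the workbook, that locates the Protocols column by content instead; SAMPLE is constructed output, and vrf_families and route_commands are hypothetical names.

```python
import re

# Constructed sample of 'show vrf brief | include ipv' output (not from the lab).
SAMPLE = """\
  Mgmt-intf                        <not set>             ipv4,ipv6   Gi0
  CUST-A                           65000:10              ipv4        Gi2
  CUST-B                           65000:20              ipv6        Gi3
"""

# Matches the Protocols column: ipv4, ipv6 or a comma-separated combination.
PROTO_RE = re.compile(r"^(ipv4|ipv6)(,(ipv4|ipv6))*$")


def vrf_families(output):
    """Return {vrf_name: set of address families} from 'show vrf brief' rows."""
    result = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or truncated line
        # Find the Protocols column by content, not by position, so that
        # '<not set>' splitting into two tokens does not shift the index.
        protos = next((f for f in fields[1:] if PROTO_RE.match(f)), None)
        if protos is None:
            continue  # not a VRF row
        result[fields[0]] = set(protos.split(","))
    return result


def route_commands(output):
    """Build the show commands the script would run, one per enabled family."""
    cmds = []
    for name, families in vrf_families(output).items():
        if "ipv4" in families:
            cmds.append("show ip route vrf " + name)
        if "ipv6" in families:
            cmds.append("show ipv6 route vrf " + name)
    return cmds
```

In Guest Shell the input would be the string returned by cli.execute('show vrf brief | include ipv'), and each returned command would be passed back to cli.execute.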



3.3: Automated Configuration Backup Script


This item consists of multiple questions. You may need to scroll down to be able to see all questions.

You are tasked with writing a Python script to back up the configuration of a number of IOS-XE devices
through RESTCONF, and store the configurations in text files. The starting section of this script has
already been written and contains the following lines:

#!/usr/bin/python3

import requests

Credentials = [ ("192.168.1.1", "admin", "s3cr3t"),
                ("192.168.1.2", "netadmin", "0th3rs3cr3t") ]

Headers = { "Content-Type" : "application/yang-data+json",
            "Accept" : "application/yang-data+json" }

This script needs to be completed by dragging the individual command lines below into their correct
order to allow the script to correctly accomplish its purpose. Indicate the ends of the for block and of
the with block by properly placing the "-- End of for" and "-- End of with" symbols.

Drag the lines into their correct order to complete the script as required. Make sure to also properly
place the "-- End of for" and "-- End of with" symbols to indicate the end of the respective blocks in
code.

-- End of with
Response = requests.get(URL, auth=(Login, Password), headers=Headers, verify=False)
for IP, Login, Password in Credentials:
URL = f"https://{IP}:443/restconf/data/Cisco-IOS-XE-native:native"
File.write(Response.text)
with open(f"{IP}.conf", "w") as File:
-- End of for


There are plans to extend the script to display a list of known IOS-XE devices by their IP addresses and
allow the administrator to select which devices to back up. Aside from other necessary changes in the
script, which of the following storage options for the credentials would allow for the most
straightforward implementation?

o Credentials = [ ("192.168.1.1", "admin", "s3cr3t"),
                  ("192.168.1.2", "netadmin", "oth3rs3cr3t") ]

o Credentials = { "192.168.1.1" : ("admin", "s3cr3t"),
                  "192.168.1.2" : ("netadmin", "oth3rs3cr3t") }

o Credentials = "192.168.1.1,admin,s3cr3t," \
                "192.168.1.2,netadmin,oth3rs3cr3t"

o Credentials = [ "192.168.1.1, admin, s3cr3t",
                  "192.168.1.2, netadmin, oth3rs3cr3t" ]

2 Points

Solution:

for IP, Login, Password in Credentials:
    URL = f"https://{IP}:443/restconf/data/Cisco-IOS-XE-native:native"
    Response = requests.get(URL, auth=(Login, Password), headers=Headers, verify=False)
    with open(f"{IP}.conf", "w") as File:
        File.write(Response.text)
    -- End of with
-- End of for

Answer: B
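
The dictionary layout from answer B makes device listing and selection a key lookup, and the same lookup acts as an allow-list for the file name written to disk. The following is an added example, not part of the workbook; it goes beyond the solution above by validating the device certificate (the solution's verify=False skips that check while sending Basic credentials) and by creating the backup files owner-only. The names list_devices, restconf_get, backup, ca_bundle and fetch are hypothetical.

```python
import ipaddress
import os

# Constructed inventory in the answer-B layout (values copied from the question).
# Real secrets belong in a vault or environment variables, not in the script.
Credentials = {
    "192.168.1.1": ("admin", "s3cr3t"),
    "192.168.1.2": ("netadmin", "oth3rs3cr3t"),
}
Headers = {"Content-Type": "application/yang-data+json",
           "Accept": "application/yang-data+json"}


def list_devices(credentials):
    """IP addresses to show the administrator, in numeric order."""
    return sorted(credentials, key=ipaddress.ip_address)


def restconf_get(ip, login, password, ca_bundle):
    """Fetch the native config; the device certificate is checked against ca_bundle."""
    import requests  # imported here so the selection logic runs without it
    url = f"https://{ip}:443/restconf/data/Cisco-IOS-XE-native:native"
    resp = requests.get(url, auth=(login, password), headers=Headers,
                        verify=ca_bundle, timeout=30)
    resp.raise_for_status()  # do not save an error body as a backup
    return resp.text


def backup(selected, credentials, out_dir, fetch):
    """Back up the selected devices; returns (written paths, rejected selections)."""
    written, rejected = [], []
    for ip in selected:
        # Only known keys are accepted, so free-form input never reaches
        # the URL or the file name.
        if ip not in credentials:
            rejected.append(ip)
            continue
        login, password = credentials[ip]
        text = fetch(ip, login, password)
        path = os.path.join(out_dir, f"{ip}.conf")
        # Configurations hold password hashes and keys: create owner-only (0600).
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(text)
        written.append(path)
    return written, rejected
```

To run it against real devices, pass a fetch callback that wraps restconf_get with the path of the CA bundle that signed the devices' certificates.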

Thank You for choosing www.passenterpriselabs.com Workbooks.

