K8 Q & A - RIKITEE'S

#57 ccie000

Posted 02 May 2013 - 02:53 PM

kevinwai, on 02 May 2013 - 02:36 PM, said:

Hi, can anyone let me know the password to the shared file? Unable to open it after I downloaded it.

Many thanks.

http://certcollection.org/forum/topic/175954-k8-q-a-rikitees/page__st__154#entry675923


MOJOE, on 02 May 2013 - 02:36 PM, said:

FRAME-RELAY
Can we not just change the encap from hdlc to frame-relay on the interfaces between R1 and R4 and add ip addresses to the physical interface. Question seems to mention sub-interfaces for the link between R1 and R5 only.

MPLS
R2 and R3 are PE devices, run the BGP and vpnv4 and mpls  <---
I feel that we should just enable vpnv4 on R5. Enable ipv4 on R2 and R3 for iBGP and vpnv4 to R5. R2 and R3 will be route reflector clients of R5.

Let me know what you think!!!

FRAME-RELAY : between R1 and R4 -> no sub-interfaces
MPLS : R5 run vpnv4 route reflection for R2 and R3 and it is client of R1 route reflector

Edited by ccie000, 02 May 2013 - 02:53 PM.


Thanked by 1 Member:
yjp58

#58 wobooo

Posted 02 May 2013 - 04:39 PM

Quote

5.1 Optimize the network
  • Log 10 lines
  • Do not display password
  • Notify the syslog server
  • Send the message to the syslog server 196.10.1.100
  • Also ensure syslog messages are not stored in local flash memory

Not clear yet what is really meant by 10 lines, but I hope the following commands help:

logging on
logging host 196.10.1.100
no logging file flash:
archive
 log config
  logging enable
  logging size 10
  hidekeys
  ! Send logs to syslog server
  notify syslog
exit

#59 siddartha13

Posted 02 May 2013 - 04:50 PM

Hello Rikitee and all friends,


It seems there are two topologies for K8, as I saw from other test takers: RIP between SW1-SW4-SW3 and EIGRP 100 only between SW4 and BB3.
It is exactly what my friend got.

Please take care, K8 has a lot of traps inside nearly all subsections. So it is very easy to lose points!
Reported faults were mainly trunk portfast, vtp password and domain mismatch and port protected (maybe a tip from Cisco)

All L2 (even the security) was in the same section. For the LACP part, the wording was something like configure 3 200Mb links on every switch.
Vlans were configured on one switch but nothing more, even the loopback.

First OSPF subsection includes MPLS LDP. VLAN 500 doesn't have to be advertised in area 1 AND in any future area ==> Area-filter 0 out
Area 1 = NSSA and SW1 must advertise a default route which will be used by other IGP to have the full reachability.


For BGP, they include SW4 2 paths and SW3 show ip cef prefix (a screenshot was given) from AS 254 requirements.

For MPLS and QOS, they ask you to configure MPLS Explicit-null on PE.

As you already found, there is a trap with the LFIB on R1, as it is with EIGRP and OSPF.

For Multicast, which seems to be easy, anycast-rp with BSR and filtering group on R2-R3, msdp and accept-register for Vlan 68 on R2-R3 seems to not be enough...

Be careful with the NTP question, as you can encounter an IOS bug on the routers for the ntp server command. ntp server vrf only and not hostname or ip too...

Good luck

Edited by siddartha13, 02 May 2013 - 04:51 PM.


Thanked by 3 Members:
solarz , pyke , parkhw36

#60 SanjanaIE

Posted 02 May 2013 - 05:21 PM

R5
int fa0/0
ip address 150.3.10.1 255.255.255.0  change to BB2 prefix

ip address 150.2.10.1 255.255.255.0

Thanked by 1 Member:
RIKITEE

#61 siddartha13

Posted 02 May 2013 - 07:28 PM

Several comments on the first page:

All the first L2 part is ok. You have to put the L2 security on this section. As far as my friend remembered, the L2 security was only in one subsection and you have to configure :

- Switchport protected port + switchport block unicast and multicast on several ports on one switch
- Switchport security for SW1 to R1 and sticky mac-address (1 mac) + violation shut down without recovery

- Frame relay is ok as it was already discussed: DCE on R4 and R5 and no keepalive is forbidden to put.

- For OSPF, in addition to the MPLS and prefix filtering + default-route, they ask you to configure DR Priority to put SW1 DR on area 0 and area 1 but without R3 and R1 (maybe R5 too) participating in the election. Nothing for SW3 on area 0.

- For BGP, it seems that you can use neighbor peer-group as someone suggested before. The only requirements are the active peering from R1 and the no default IPV4 peering, in addition to the Route-Reflector status.

- For EEM, it was restart and not reload. You have to display a syslog message. Nothing really difficult for this part.

- For GLBP, it seems there is something more to do, as he told me he configured the same solution as on the first page but got no points.


Check the feedback from Buddha on the share pages.

Thanked by 2 Members:
sonicmagic2004 , parkhw36

#62 jaihind372

Posted 03 May 2013 - 03:15 AM

I got a 100% in Optimize network so we can safely say that these solutions are correct:
1) Logging
!
logging on
! syslog server address
logging host 196.10.1.100
! most important config subsection
archive
 ! log config changes. Enters log config subconfig mode. This results in a log message "%PARSER-5-CFGLOG_LOGGEDCMD" every time you make a config change
 log config
  ! self explanatory
  logging enable
  ! logs previous 10 commands
  logging size 10
  ! automatically shows up in running config once you configure "notify syslog"
  notify syslog contenttype plaintext
  ! hides password in the log message. This is required and stated in question
  hidekeys
!

I didn't have any requirement of not storing logs in flash so I am not sure about no logging file flash command.


2) EEM. It clearly asks to match "SYS-5-RESTART" and expects the EEM to run when the router is booting up after a reload. So once you get to the initial prompt after router bootup and "SYS-5-RESTART" is displayed, the EEM is supposed to "shut/unshut" Gi0/0 and then Gi0/1.

The solution is straightforward:

event manager applet INTERFACE_BOUNCE
event syslog pattern "SYS-5-RESTART"
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "int g0/0"
action 4.0 cli command "shut"
action 5.0 cli command "no shut"
action 6.0 cli command "int g0/1"
action 7.0 cli command "shut"
action 8.0 cli command "no shut"

That's 100% secured for one section folks

Edited by jaihind372, 03 May 2013 - 03:31 AM.


Thanked by 10 Members:
Newbie , jaycnlinux , solarz , RouTerBuDDy , ciscothunder , SanjanaIE , RIKITEE , parkhw36 , i9pk , paulno1
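
Added example, not part of the post above or of anyone in the thread: a small Python audit that checks a running-config against the section 5.1 logging requirements discussed in posts #58 and #62. Both sample configs are constructed, the `logging file flash:syslog.txt` line is an assumed way local flash storage would appear, and the parser assumes the one-space-per-level indentation of `show running-config`.

```python
# Added example: audit a running-config against the section 5.1 logging task.
REQUIRED_LOG_CONFIG = {  # command under "archive / log config" -> why it is needed
    "logging enable": "config-change logging is on",
    "logging size 10": "the last 10 commands are kept",
    "hidekeys": "passwords are masked in logged commands",
    "notify syslog": "logged commands are sent to syslog",
}

GOOD_CONFIG = """\
logging on
logging host 196.10.1.100
archive
 log config
  logging enable
  logging size 10
  notify syslog contenttype plaintext
  hidekeys
"""  # constructed sample

WEAK_CONFIG = GOOD_CONFIG.replace("  hidekeys\n", "") + \
    "logging file flash:syslog.txt\n"  # constructed: no hidekeys, logs kept in flash

def parse_blocks(config_text):
    """Return (parent_path, command) pairs, nesting by leading spaces."""
    stack, entries = [], []
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue  # blank line or IOS comment/separator
        depth = len(raw) - len(raw.lstrip(" "))
        stack = stack[:depth]  # drop deeper levels we have left
        entries.append((tuple(stack), cmd))
        stack.append(cmd)
    return entries

def audit(config_text, syslog_host="196.10.1.100"):
    """Return a list of findings; an empty list means the task is met."""
    entries = parse_blocks(config_text)
    top = [cmd for path, cmd in entries if not path]
    log_cfg = [cmd for path, cmd in entries if path == ("archive", "log config")]
    findings = []
    if not {f"logging host {syslog_host}", f"logging {syslog_host}"} & set(top):
        findings.append(f"no syslog server {syslog_host} configured")
    if any(cmd.startswith("logging file flash:") for cmd in top):
        findings.append("syslog messages are written to local flash")
    for cmd, why in REQUIRED_LOG_CONFIG.items():
        if not any(c == cmd or c.startswith(cmd + " ") for c in log_cfg):
            findings.append(f"archive/log config lacks '{cmd}' ({why})")
    return findings

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "meets the logging requirements")
```

Without `hidekeys`, every logged configuration command that contains a password or key is forwarded in clear text to the syslog server, which is why the audit treats it as a finding rather than a cosmetic option.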

#63 runasu

Posted 03 May 2013 - 03:36 AM

-------------------------------------
1.5 Frame-relay configuration
-------------------------------------
   - Back to back frame-relay between router R5 and R1 and R1 and R4
   - R1 use the sub-interface connect to R5

R1
--
int s0/0
ip add 31.31.14.1 255.255.255.0
encap frame
no keepalive
frame map ip 31.31.14.4 104 broad
frame map ip 31.31.14.1 104
no shut

R4
--
int s0/0
ip add 31.31.14.4 255.255.255.0
encap frame
no keepalive
frame map ip 31.31.14.1 104 broad
frame map ip 31.31.14.4 104
no shut

R1
--
int s0/1
no ip add
encap frame
no keepalive
clock rate 9600
no shut
int s0/1.31 point-to-point
  ip add 31.31.15.1 255.255.255.0
  frame interface-dlci 101
  no shut

int s0/2
no ip add
encap frame
no keepalive
no shut
int s0/2.100 point-to-point
  ip add 100.100.15.1 255.255.255.0
  frame interface-dlci 202
  no shut

R5
--
int s0/0
no ip add
encap frame
no keepalive
no shut
int s0/0.31 point-to-point
  ip add 31.31.15.5 255.255.255.0
  frame interface-dlci 101
  no shut

int s0/1
no ip add
encap frame
no keepalive
no shut
int s0/1.100 point-to-point
  ip add 100.100.15.5 255.255.255.0
  frame interface-dlci 202
  no shut

sh frame-relay map
sh frame-relay pvc
test ping point-to-point

Edited by runasu, 03 May 2013 - 03:39 AM.


Thanked by 1 Member:
RIKITEE

#64 ccie000

Posted 03 May 2013 - 06:24 AM

UldisD, on 03 May 2013 - 05:43 AM, said:

Some old reports said that NTP was there????
No NTP?

I had NTP.
http://certcollection.org/forum/topic/175954-k8-q-a-rikitees/page__st__140#entry675744

Thanked by 3 Members:
yjp58 , parkhw36 , jimmyraynn

#65 ramizzz

Posted 03 May 2013 - 08:25 AM

solarz & RIKITEE

It's solarz's solution, but I did configure one command below. What do you think?
3.1 Implement multicast part 1
  • Activate PIM on R1,R2,R3,R4,R5,SW1,SW3
  • There should be no unnecessary join and prune in the network
  • There has a client located on the link between R4 and R5
  • Need to create Loopback 1 on R3 and R2 as RP address
  • Both Loopbacks with same IP address 200.100.100.100
  • Use the standard RP-select method
  • R3 must send the Source active message cache to R2
  • Make a test by doing a static join for the group 232.1.1.1 on f0/1 R4 and ping for this group on SW1

R1
ip cef
ip multicast-routing
!
int lo 0
ip pim sparse-mode
!
int fa 0/0
ip pim sparse-mode
!
int fa 0/1
ip pim sparse-mode
int s 0/0/0
ip pim sparse-mode
!
int s 0/0/1
ip pim sparse-mode
!
ip pim bsr-candidate Loopback0 0


R2

ip cef
ip multicast-routing
!
Int lo 0
ip pim sparse-mode
!
interface Loopback1
ip address 200.100.100.100 255.255.255.255
ip pim sparse-mode
!
int fa 0/0
ip pim sparse-mode
!
int s 0/0/0
ip pim sparse-mode
!
!
ip pim rp-candidate Loopback1
!
router eigrp 31
network 200.100.100.100 0.0.0.0
!
ip msdp peer 31.31.3.3 connect-source Loopback0
ip msdp originator-id Loopback0

R3

ip cef
ip multicast-routing
!
Int lo 0
ip pim sparse-mode
!
interface Loopback1
ip address 200.100.100.100 255.255.255.255
ip pim sparse-mode
!
int fa 0/0
ip pim sparse-mode
!
!
int s 0/0/0
ip pim sparse-mode
!
!
ip pim rp-candidate Loopback1
!
router ospf 31
network 200.100.100.100 0.0.0.0 area 1
!
ip msdp peer 31.31.2.2 connect-source Loopback0
ip msdp originator-id Loopback0
! add this so that router 3 sends the active source cache
ip msdp sa-request 31.31.2.2



R4

ip cef
ip multicast-routing
!
int fa 0/1
ip igmp join-group 232.1.1.1
ip pim sparse-mode
!
int s 0/0/0
ip pim sparse-mode
!
int s 0/0/1
ip pim sparse-mode

R5

ip cef
ip multicast-routing
!
int fa 0/1
ip pim sparse-mode
!
int s 0/0/0
ip pim sparse-mode
!
int s 0/0/1
ip pim sparse-mode

SW1

ip cef dis
ip multicast-routing dis
!
int vlan 16
ip pim sparse-mode
!
int vlan 36
ip pim sparse-mode
!
int vlan 68
ip pim sparse-mode

SW3

ip cef dis
ip multicast-routing dis
!
int vlan 18
ip pim sparse-mode
!
int vlan 28
ip pim sparse-mode
!
int vlan 68
ip pim sparse-mode

Thanked by 1 Member:
RIKITEE

#66 iwc1

Posted 03 May 2013 - 09:06 AM

4.2 port-security
  • Switch-port protected, not allowed to use private vlans. Should use port security to dynamically add mac add to the configuration.
  • Five users connect to Vlan 500 ( SW3)
  • These users will connect from SW4 ( Fa0/1 - 5).
  • These ports should move to forwarding quickly.
  • These ports should be protected and mac address learn dynamically.
  • Shut down the ports if violation occurs.
SW3
int range Fa 0/1 - 5
sw access vlan 500
sw mode access
spanning-tree portfast
sw port-security
sw port-security maximum 1 vlan 500
sw port-security mac-add sticky
sw port-security violation shutdown
sw protected
no shut

Why port-security on SW3, when the question says that users will connect from SW4? Maybe this is correct:

sw4
int range fa0/1 - 5
swi mod access
swi acc vlan 500
span portfast
swi port-sec
swi port-sec mac-addr stick
swi port-sec viol shut
swi protect

sw3
int po34
swi mod trunk
swi port-sec
swi port-sec max 5 vlan 500

Edited by iwc1, 03 May 2013 - 09:09 AM.


Thanked by 1 Member:
RIKITEE

#67 jiangyuefeng

Posted 03 May 2013 - 09:49 AM

Thank you... topology?

Thanked by 1 Member:
RIKITEE

#68 ccie000

Posted 03 May 2013 - 09:52 AM

I'm not sure if we have to use sticky in this section ...

Thanked by 1 Member:
RIKITEE

#69 ciscothunder

Posted 03 May 2013 - 12:20 PM

I got a working MPLS solution by manipulating the RT; the rest of MPLS and BGP neighboring should be standard.


SW2
ip vrf Site-1
rd 3:3
route-target export 3:3
route-target import 2:2
!
ip vrf Site-2
rd 2:2
route-target export 2:2
route-target import 3:3
!

SW2#ping vrf Site-1 72.72.72.72 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.72.72.72, timeout is 2 seconds:
Packet sent with a source address of 71.71.71.71
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
SW2#sh ip vrf
  Name                             Default RD          Interfaces
  Site-1                           3:3                 Lo1
                                                       Fa1/1
  Site-2                           2:2                 Lo2
                                                       Fa1/0


SW2#ping vrf Site-2 71.71.71.71 source lo2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 71.71.71.71, timeout is 2 seconds:
Packet sent with a source address of 72.72.72.72
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

SW2#sh ip rout vrf  Site-1

Routing Table: Site-1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
   D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
   N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
   E1 - OSPF external type 1, E2 - OSPF external type 2
   i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
   ia - IS-IS inter area, * - candidate default, U - per-user static route
   o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 2 subnets
B    1.1.27.0 is directly connected, 01:48:58, FastEthernet1/0
C    1.1.37.0 is directly connected, FastEthernet1/1
71.0.0.0/32 is subnetted, 1 subnets
C    71.71.71.71 is directly connected, Loopback1
72.0.0.0/32 is subnetted, 1 subnets
B    72.72.72.72 is directly connected, 01:48:58, Loopback2

Edited by ciscothunder, 03 May 2013 - 12:25 PM.


Thanked by 1 Member:
MOJOE

#70 ciscothunder

Posted 03 May 2013 - 12:32 PM

The CE has two VRFs; there is no restriction on configuring RT on CE.


R3
ip vrf Site-1
rd 3:3
route-target export 3:3
route-target import 2:2
!

ip vrf Site-2
rd 2:2
route-target export 2:2
route-target import 3:3
mpls label protocol ldp

Edited by ciscothunder, 03 May 2013 - 12:33 PM.




