Scenario 1
Scenario 2
Scenario 1
ENCOR Skills Assessment (Scenario 1)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Addressing Table
| Device | Interface | IPv4 Address | IPv6 Address | IPv6 Link-Local |
|---|---|---|---|---|
| R1 | G0/0/0 | 209.165.200.225/27 | 2001:db8:200::1/64 | fe80::1:1 |
| G0/0/1 | 10.0.10.1/24 | 2001:db8:100:1010::1/64 | fe80::1:2 | |
| S0/1/0 | 10.0.13.1/24 | 2001:db8:100:1013::1/64 | fe80::1:3 | |
| R2 | G0/0/0 | 209.165.200.226/27 | 2001:db8:200::2/64 | fe80::2:1 |
| Loopback0 | 2.2.2.2/32 | 2001:db8:2222::1/128 | fe80::2:3 | |
| R3 | G0/0/1 | 10.0.11.1/24 | 2001:db8:100:1011::1/64 | fe80::3:2 |
| S0/1/0 | 10.0.13.3/24 | 2001:db8:100:1013::3/64 | fe80::3:3 | |
| D1 | G1/0/11 | 10.0.10.2/24 | 2001:db8:100:1010::2/64 | fe80::d1:1 |
| VLAN 100 | 10.0.100.1/24 | 2001:db8:100:100::1/64 | fe80::d1:2 | |
| VLAN 101 | 10.0.101.1/24 | 2001:db8:100:101::1/64 | fe80::d1:3 | |
| VLAN 102 | 10.0.102.1/24 | 2001:db8:100:102::1/64 | fe80::d1:4 | |
| D2 | G1/0/11 | 10.0.11.2/24 | 2001:db8:100:1011::2/64 | fe80::d2:1 |
| VLAN 100 | 10.0.100.2/24 | 2001:db8:100:100::2/64 | fe80::d2:2 | |
| VLAN 101 | 10.0.101.2/24 | 2001:db8:100:101::2/64 | fe80::d2:3 | |
| VLAN 102 | 10.0.102.2/24 | 2001:db8:100:102::2/64 | fe80::d2:4 | |
| A1 | VLAN 100 | 10.0.100.3/23 | 2001:db8:100:100::3/64 | fe80::a1:1 |
| PC1 | NIC | 10.0.100.5/24 | 2001:db8:100:100::5/64 | EUI-64 |
| PC2 | NIC | DHCP | SLAAC | EUI-64 |
| PC3 | NIC | DHCP | SLAAC | EUI-64 |
| PC4 | NIC | 10.0.100.6/24 | 2001:db8:100:100::6/64 | EUI-64 |
Objectives
- Part 1: Build the Network and Configure Basic Device Settings and Interface Addressing
- Part 2: Configure the Layer 2 Network and Host Support
- Part 3: Configure Routing Protocols
- Part 4: Configure First-Hop Redundancy
- Part 5: Configure Security
- Part 6: Configure Network Management Features
- Part 7: Cleanup
Background / Scenario
In this skills assessment, you are responsible for completing the configuration of the network so there is full end-to-end reachability, so the hosts have reliable default gateway support, and so that management protocols are operational within the “Company Network” part of the topology. Be careful to verify that your configurations meet the provided specifications and that the devices perform as required.
Note: The routers used with CCNP hands-on labs are Cisco 4221 routers with Cisco IOS XE Release 16.9.4 (universalk9 image). The switches used in the labs are Cisco Catalyst 3650 switches with Cisco IOS XE Release 16.9.4 (universalk9 image) and Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs.
Note: Make sure that the switches have been erased and have no startup configurations. If you are unsure, contact your instructor.
Note: The default Switch Database Manager (SDM) template on a Catalyst 2960 does not support IPv6. You must change the default SDM template to the dual-ipv4-and-ipv6 default template using the sdm prefer dual-ipv4-and-ipv6 default global configuration command. Changing the template will require a reboot.
Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.
Instructor Note: This skills assessment presumes that Part 1: Build the Network and Configure Basic Device Settings is not a graded or timed component of the exercise.
Instructor Note: The Configure Security task requires the student to implement a AAA solution using a RADIUS server. Cisco Networking Academy provides a AAA Server VM. If this VM is not available, make sure to modify the instructions and scoring rubric to reflect Local AAA.
Instructor Note: In the interest of time, it may be appropriate to modify some of the requirements from “all devices” to a select device.
Required Resources
• 3 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
• 2 Switches (Cisco 3650 with Cisco IOS XE release 16.9.4 universal image or comparable)
• 1 Switch (Cisco 2960 with Cisco IOS release 15.2 lanbase image or comparable)
• 4 PCs (Choice of operating system with a terminal emulation program)
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet and serial cables as shown in the topology
Part 1: Build the Network and Configure Basic Device Settings and Interface Addressing
In Part 1, you will set up the network topology and configure basic settings and interface addressing.
Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram, and cable as necessary.
Step 2: Configure basic settings for each device.
a. Console into each device, enter global configuration mode, and apply the basic settings. The startup configurations for each device are provided below.
Router R1
hostname R1 ipv6 unicast-routing no ip domain lookup banner motd # R1, ENCOR Skills Assessment, Scenario 1 # line con 0 exec-timeout 0 0 logging synchronous exit interface g0/0/0 ip address 209.165.200.225 255.255.255.224 ipv6 address fe80::1:1 link-local ipv6 address 2001:db8:200::1/64 no shutdown exit interface g0/0/1 ip address 10.0.10.1 255.255.255.0 ipv6 address fe80::1:2 link-local ipv6 address 2001:db8:100:1010::1/64 no shutdown exit interface s0/1/0 ip address 10.0.13.1 255.255.255.0 ipv6 address fe80::1:3 link-local ipv6 address 2001:db8:100:1013::1/64 no shutdown exit
Router R2
hostname R2 ipv6 unicast-routing no ip domain lookup banner motd # R2, ENCOR Skills Assessment, Scenario 1 # line con 0 exec-timeout 0 0 logging synchronous exit interface g0/0/0 ip address 209.165.200.226 255.255.255.224 ipv6 address fe80::2:1 link-local ipv6 address 2001:db8:200::2/64 no shutdown exit interface Loopback 0 ip address 2.2.2.2 255.255.255.255 ipv6 address fe80::2:3 link-local ipv6 address 2001:db8:2222::1/128 no shutdown exit
Router R3
hostname R3 ipv6 unicast-routing no ip domain lookup banner motd # R3, ENCOR Skills Assessment, Scenario 1 # line con 0 exec-timeout 0 0 logging synchronous exit interface g0/0/1 ip address 10.0.11.1 255.255.255.0 ipv6 address fe80::3:2 link-local ipv6 address 2001:db8:100:1011::1/64 no shutdown exit interface s0/1/0 ip address 10.0.13.3 255.255.255.0 ipv6 address fe80::3:3 link-local ipv6 address 2001:db8:100:1010::2/64 no shutdown exit
Switch D1
hostname D1 ip routing ipv6 unicast-routing no ip domain lookup banner motd # D1, ENCOR Skills Assessment, Scenario 1 # line con 0 exec-timeout 0 0 logging synchronous exit vlan 100 name Management exit vlan 101 name UserGroupA exit vlan 102 name UserGroupB exit vlan 999 name NATIVE exit interface g1/0/11 no switchport ip address 10.0.10.2 255.255.255.0 ipv6 address fe80::d1:1 link-local ipv6 address 2001:db8:100:1010::2/64 no shutdown exit interface vlan 100 ip address 10.0.100.1 255.255.255.0 ipv6 address fe80::d1:2 link-local ipv6 address 2001:db8:100:100::1/64 no shutdown exit interface vlan 101 ip address 10.0.101.1 255.255.255.0 ipv6 address fe80::d1:3 link-local ipv6 address 2001:db8:100:101::1/64 no shutdown exit interface vlan 102 ip address 10.0.102.1 255.255.255.0 ipv6 address fe80::d1:4 link-local ipv6 address 2001:db8:100:102::1/64 no shutdown exit ip dhcp excluded-address 10.0.101.1 10.0.101.109 ip dhcp excluded-address 10.0.101.141 10.0.101.254 ip dhcp excluded-address 10.0.102.1 10.0.102.109 ip dhcp excluded-address 10.0.102.141 10.0.102.254 ip dhcp pool VLAN-101 network 10.0.101.0 255.255.255.0 default-router 10.0.101.254 exit ip dhcp pool VLAN-102 network 10.0.102.0 255.255.255.0 default-router 10.0.102.254 exit interface range g1/0/1-10, g1/0/12-24, g1/1/1-4 shutdown exit
Switch D2
hostname D2 ip routing ipv6 unicast-routing no ip domain lookup banner motd # D2, ENCOR Skills Assessment, Scenario 1 # line con 0 exec-timeout 0 0 logging synchronous exit vlan 100 name Management exit vlan 101 name UserGroupA exit vlan 102 name UserGroupB exit vlan 999 name NATIVE exit interface g1/0/11 no switchport ip address 10.0.11.2 255.255.255.0 ipv6 address fe80::d1:1 link-local ipv6 address 2001:db8:100:1011::2/64 no shutdown exit interface vlan 100 ip address 10.0.100.2 255.255.255.0 ipv6 address fe80::d2:2 link-local ipv6 address 2001:db8:100:100::2/64 no shutdown exit interface vlan 101 ip address 10.0.101.2 255.255.255.0 ipv6 address fe80::d2:3 link-local ipv6 address 2001:db8:100:101::2/64 no shutdown exit interface vlan 102 ip address 10.0.102.2 255.255.255.0 ipv6 address fe80::d2:4 link-local ipv6 address 2001:db8:100:102::2/64 no shutdown exit ip dhcp excluded-address 10.0.101.1 10.0.101.209 ip dhcp excluded-address 10.0.101.241 10.0.101.254 ip dhcp excluded-address 10.0.102.1 10.0.102.209 ip dhcp excluded-address 10.0.102.241 10.0.102.254 ip dhcp pool VLAN-101 network 10.0.101.0 255.255.255.0 default-router 10.0.101.254 exit ip dhcp pool VLAN-102 network 10.0.102.0 255.255.255.0 default-router 10.0.102.254 exit interface range g1/0/1-10, g1/0/12-24, g1/1/1-4 shutdown exit
Switch A1
hostname A1 no ip domain lookup banner motd # A1, ENCOR Skills Assessment, Scenario 1 # line con 0 exec-timeout 0 0 logging synchronous exit vlan 100 name Management exit vlan 101 name UserGroupA exit vlan 102 name UserGroupB exit vlan 999 name NATIVE exit interface vlan 100 ip address 10.0.100.3 255.255.255.0 ipv6 address fe80::a1:1 link-local ipv6 address 2001:db8:100:100::3/64 no shutdown exit interface range f0/5-22 shutdown exit
b. Save the running configuration to startup-config on all devices.
c. Configure PC 1 and PC 4 host addressing as shown in the addressing table. Assign a default gateway address of 10.0.100.254 which will be the HSRP virtual IP address used in Part 4.
Part 2: Configure the Layer 2 Network and Host Support
In this part of the Skills Assessment, you will complete the Layer 2 network configuration and set up basic host support. At the end of this part, all the switches should be able to communicate. PC2 and PC3 should receive addressing from DHCP and SLAAC.
Your configuration tasks are as follows:
| Task# | Task | Specification | Points |
|---|---|---|---|
| 2.1 | Onall switches, configure IEEE 802.1Q trunk interfaces on interconnectingswitch links | Enable 802.1Q trunk links between:
| 6 |
| 2.2 | On all switches, change the nativeVLAN on trunk links. | Use VLAN 999 as the native VLAN. | 6 |
| 2.3 | On all switches, enable theRapid Spanning-Tree Protocol. | Use Rapid Spanning Tree. | 3 |
| 2.4 | On D1 and D2, configure the appropriate RSTP root bridges based on the information in the topology diagram. D1 and D2 must provide backup in case of root bridge failure. | Configure D1 and D2 as root forthe appropriate VLANs with mutually supporting priorities in case of switchfailure. | 2 |
| 2.5 | On all switches, create LACP EtherChannels as shown in thetopology diagram. | Use the following channel numbers:
| 3 |
| 2.6 | On all switches, configure host accessports connecting to PC1, PC2, PC3, and PC4. | Configure access ports with appropriate VLAN settings as shown in the topology diagram. Host ports should transition immediately to forwarding state. | 4 |
| 2.7 | Verify IPv4 DHCP services. | PC2 and PC3 are DHCP clients and should be receiving valid IPv4 addresses. | 1 |
| 2.8 | Verify local LAN connectivity. | PC1 should successfully ping:
PC2 should successfully ping:
PC3 should successfully ping:
PC4 should successfully ping:
| 1 |
Instructor Verification:
Issue show interfaces trunk command on D1; output should appear as below. Verify tasks 2.1, 2.2, and 2.5 on Switch D1.
D1# show interface trunk Port Mode Encapsulation Status Native vlan Po1 on 802.1q trunking 999 Po12 on 802.1q trunking 999 Port Vlans allowed on trunk Po1 1-4094 Po12 1-4094 Port Vlans allowed and active in management domain Po1 1,100-102,999 Po12 1,100-102,999 Port Vlans in spanning tree forwarding state and not pruned Po1 1,100-102,999 Po12 1,100-102,999
Issue show run | include spanning-tree command on D1; output show appear as below. Verify tasks 2.3 and 2.4 on Switch D1.
D1# show run | include spanning-tree spanning-tree mode rapid-pvst spanning-tree extend system-id spanning-tree vlan 100,102 priority 24576 spanning-tree vlan 101 priority 28672 spanning-tree portfast
Issue show run interface g1/0/23 command on D1; output should appear as below. Verify task 2.6 on Switch D1.
D1# show run interface g1/0/23 Building configuration... Current configuration : 115 bytes ! interface GigabitEthernet1/0/23 switchport access vlan 100 switchport mode access spanning-tree portfast end
Issue show interfaces trunk command on D2; output should appear as below. Verify task 2.5 on Switch D2.
D2# show interfaces trunk Port Mode Encapsulation Status Native vlan Po2 on 802.1q trunking 999 Po12 on 802.1q trunking 999 Port Vlans allowed on trunk Po2 1-4094 Po12 1-4094 Port Vlans allowed and active in management domain Po2 1,100-102,999 Po12 1,100-102,999 Port Vlans in spanning tree forwarding state and not pruned Po2 1,100-102,999 Po12 1,100-102,999
Issue show run | include spanning-tree command on D2; output should appear as below. Verify tasks 2.3 and 2.4 on Switch D2.
D2# show run | include spanning-tree spanning-tree mode rapid-pvst spanning-tree extend system-id spanning-tree vlan 100,102 priority 28672 spanning-tree vlan 101 priority 24576 spanning-tree portfast
Issue show run interface g1/0/23 command on D2; output should appear as below. Verify task 2.6 on Switch D2.
D2# show run interface g1/0/23 Building configuration... Current configuration : 115 bytes ! interface GigabitEthernet1/0/23 switchport access vlan 102 switchport mode access spanning-tree portfast
Issue show run interface f0/23 and show run interface f0/24 commands on A1; output should appear as below. Verify task 2.6 on Switch A1.
A1# show run interface f0/23 Building configuration... Current configuration : 115 bytes ! interface FastEthernet0/23 switchport access vlan 101 switchport mode access spanning-tree portfast edge end A1# show run interface f0/24 Building configuration... Current configuration : 115 bytes ! interface FastEthernet0/24 switchport access vlan 100 switchport mode access spanning-tree portfast edge end
Part 3: Configure Routing Protocols
In this part, you will configure IPv4 and IPv6 routing protocols. At the end of this part, the network should be fully converged. IPv4 and IPv6 pings to the Loopback 0 interface from D1 and D2 should be successful.
Note: Pings from the hosts will not be successful because their default gateways are pointing to the HSRP address which will be enabled in Part 4.
Your configuration tasks are as follows:
| Task# | Task | Specification | Points |
|---|---|---|---|
| 3.1 | On the “Company Network” (i.e.,R1, R3, D1, and D2), configure single-area OSPFv2 in area 0. | Use OSPF Process ID 4 and assign the following router-IDs:
On R1, R3, D1, and D2, advertise all directly connected networks / VLANs in Area 0.
Disable OSPFv2 advertisements on:
| 8 |
| 3.2 | On the “Company Network” (i.e.,R1, R3, D1, and D2), configure classic single-area OSPFv3 in area 0. | Use OSPF Process ID 6 and assign the following router-IDs:
On R1, R3, D1, and D2, advertise all directly connected networks / VLANs in Area 0.
Disable OSPFv3 advertisements on:
| 8 |
| 3.3 | On R2 in the “ISP Network”, configureMP-BGP. | Configure two default static routes via interface Loopback 0:
Configure R2 in BGP ASN 500 and use the router-id 2.2.2.2. Configure and enable an IPv4 and IPv6 neighbor relationship with R1 in ASN 300. In IPv4 address family, advertise:
In IPv6 address family, advertise:
| 4 |
| 3.4 | On R1 in the “ISP Network”,configure MP-BGP. | Configure two static summary routes to interface Null 0:
Configure R1 in BGP ASN 300 and use the router-id 1.1.1.1.
In IPv6 address family:
| 4 |
Instructor Verification:
Issue show run | section ^router ospf on R1, R3, D1, and D2; output should appear as below. Verify task 3.1 on each device.
R1# show run | section ^router ospf router ospf 4 router-id 0.0.4.1 network 10.0.10.0 0.0.0.255 area 0 network 10.0.13.0 0.0.0.255 area 0 default-information originate R3# show run | section ^router ospf router ospf 4 router-id 0.0.4.3 network 10.0.11.0 0.0.0.255 area 0 network 10.0.13.0 0.0.0.255 area 0 D1# show run | section ^router ospf router ospf 4 router-id 0.0.4.131 passive-interface default no passive-interface GigabitEthernet1/0/11 network 10.0.10.0 0.0.0.255 area 0 network 10.0.100.0 0.0.0.255 area 0 network 10.0.101.0 0.0.0.255 area 0 network 10.0.102.0 0.0.0.255 area 0 D2# show run | section ^router ospf router ospf 4 router-id 0.0.4.132 passive-interface default no passive-interface GigabitEthernet1/0/11 network 10.0.11.0 0.0.0.255 area 0 network 10.0.100.0 0.0.0.255 area 0 network 10.0.101.0 0.0.0.255 area 0 network 10.0.102.0 0.0.0.255 area 0
Issue show run | section ^ipv6 router and show ipv6 ospf interface brief on R1, R3, D1, and D2; output should appear as below. Verify task 3.2 on each device.
R1# show run | section ^ipv6 router ipv6 router ospf 6 router-id 0.0.6.1 default-information originate R1# show ipv6 ospf interface brief Interface PID Area Intf ID Cost State Nbrs F/C Se0/1/0 6 0 7 49 P2P 1/1 Gi0/0/1 6 0 6 1 DR 1/1 R3# show run | section ^ipv6 router ipv6 router ospf 6 router-id 0.0.6.3 R3# show ipv6 ospf interface brief Interface PID Area Intf ID Cost State Nbrs F/C Se0/1/0 6 0 7 50 P2P 1/1 Gi0/0/1 6 0 6 1 DR 1/1 D1# show run | section ^ipv6 router ipv6 router ospf 6 router-id 0.0.6.131 passive-interface default no passive-interface GigabitEthernet1/0/11 D1# show ipv6 ospf interface brief Interface PID Area Intf ID Cost State Nbrs F/C Vl102 6 0 41 1 DR 0/0 Vl101 6 0 40 1 DR 0/0 Vl100 6 0 39 1 DR 0/0 Gi1/0/11 6 0 38 1 BDR 1/1 D2# show run | section ^ipv6 router ipv6 router ospf 6 router-id 0.0.6.132 passive-interface default no passive-interface GigabitEthernet1/0/11 D2# show ipv6 ospf interface brief Interface PID Area Intf ID Cost State Nbrs F/C Vl102 6 0 41 1 DR 0/0 Vl101 6 0 40 1 DR 0/0 Vl100 6 0 39 1 DR 0/0 Gi1/0/11 6 0 38 1 BDR 1/1
Issue show run | section bgp and show run | include route on R2; output should appear as below. Verify task 3.3.
R2# show run | section router bgp router bgp 500 bgp router-id 2.2.2.2 bgp log-neighbor-changes neighbor 2001:DB8:200::1 remote-as 300 neighbor 209.165.200.225 remote-as 300 ! address-family ipv4 network 0.0.0.0 network 2.2.2.2 mask 255.255.255.255 no neighbor 2001:DB8:200::1 activate neighbor 209.165.200.225 activate exit-address-family ! address-family ipv6 network ::/0 network 2001:DB8:2222::/128 neighbor 2001:DB8:200::1 activate exit-address-family R2# show run | include route router bgp 500 bgp route-id 2.2.2.2 ip route 0.0.0.0 0.0.0.0 Loopback0 ipv6 route ::/0 Loopback0
Issue show run | section bgp on R1; output should appear as below. Verify task 3.4.
R1# show run | section bgp router bgp 300 bgp router-id 1.1.1.1 bgp log-neighbor-changes neighbor 2001:DB8:200::2 remote-as 500 neighbor 209.165.200.226 remote-as 500 ! address-family ipv4 network 10.0.0.0 no neighbor 2001:DB8:200::2 activate neighbor 209.165.200.226 activate exit-address-family ! address-family ipv6 network 2001:DB8:100::/48 neighbor 2001:DB8:200::2 activate exit-address-family
Verify Routing Tables:
Issue show ip route | include O|B on R1; output should appear as below. Verify that OSPF and BGP for IPv4 are working properly.
R1# show ip route | include O|B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
B* 0.0.0.0/0 [20/0] via 209.165.200.2, 01:51:16
B 2.2.2.2 [20/0] via 209.165.200.2, 01:51:16
O 10.0.11.0/24 [110/50] via 10.0.13.3, 01:24:41, Serial0/1/0
O 10.0.100.0/24 [110/2] via 10.0.10.2, 01:49:44, GigabitEthernet0/0/1
O 10.0.101.0/24 [110/2] via 10.0.10.2, 01:49:44, GigabitEthernet0/0/1
O 10.0.102.0/24 [110/2] via 10.0.10.2, 01:49:44, GigabitEthernet0/0/1Issue show ipv6 route command on R1; should appear as below. Verify that OSPFv3 for IPv6 is working properly.
R1# show ipv6 route
IPv6 Routing Table - default - 13 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, RL - RPL, O - OSPF Intra, OI - OSPF Inter
OE1 - OSPF ext 1, OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1
ON2 - OSPF NSSA ext 2, a - Application
B ::/0 [20/0]
via FE80::2:1, GigabitEthernet0/0/0
S 2001:DB8:100::/48 [1/0]
via Null0, directly connected
O 2001:DB8:100:100::/64 [110/2]
via FE80::D1:1, GigabitEthernet0/0/1
O 2001:DB8:100:101::/64 [110/2]
via FE80::D1:1, GigabitEthernet0/0/1
O 2001:DB8:100:102::/64 [110/2]
via FE80::D1:1, GigabitEthernet0/0/1
C 2001:DB8:100:1010::/64 [0/0]
via GigabitEthernet0/0/1, directly connected
L 2001:DB8:100:1010::1/128 [0/0]
via GigabitEthernet0/0/1, receive
O 2001:DB8:100:1011::/64 [110/50]
via FE80::3:3, Serial0/1/0
C 2001:DB8:100:1013::/64 [0/0]
via Serial0/1/0, directly connected
L 2001:DB8:100:1013::1/128 [0/0]
via Serial0/1/0, receive
C 2001:DB8:200::/64 [0/0]
via GigabitEthernet0/0/0, directly connected
L 2001:DB8:200::1/128 [0/0]
via GigabitEthernet0/0/0, receive
L FF00::/8 [0/0]
via Null0, receiveIssue show ip route ospf | begin Gateway command on R3; output should appear as below. Verify that OSPF for IPv4 is working properly.
R3# show ip route ospf | begin Gateway
Gateway of last resort is 10.0.13.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.0.13.1, 01:56:36, Serial0/1/0
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O 10.0.10.0/24 [110/51] via 10.0.13.1, 01:56:47, Serial0/1/0
O 10.0.100.0/24 [110/2] via 10.0.11.2, 01:30:02, GigabitEthernet0/0/1
O 10.0.101.0/24 [110/2] via 10.0.11.2, 01:30:02, GigabitEthernet0/0/1
O 10.0.102.0/24 [110/2] via 10.0.11.2, 01:30:02, GigabitEthernet0/0/1Issue the show ipv6 route ospf command on R3; output should appear as below. Verify that OSPFv3 for IPv6 is working properly.
R3# show ipv6 route ospf
IPv6 Routing Table - default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, RL - RPL, O - OSPF Intra, OI - OSPF Inter
OE1 - OSPF ext 1, OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1
ON2 - OSPF NSSA ext 2, a - Application
OE2 ::/0 [110/1], tag 6
via FE80::1:3, Serial0/1/0
O 2001:DB8:100:100::/64 [110/2]
via FE80::D1:1, GigabitEthernet0/0/1
O 2001:DB8:100:101::/64 [110/2]
via FE80::D1:1, GigabitEthernet0/0/1
O 2001:DB8:100:102::/64 [110/2]
via FE80::D1:1, GigabitEthernet0/0/1
O 2001:DB8:100:1013::/64 [110/99]
via FE80::1:3, Serial0/1/0Part 4: Configure First Hop Redundancy
In this part, you will configure HSRP version 2 to provide first-hop redundancy for hosts in the “Company Network”.
Your configuration tasks are as follows:
| Task# | Task | Specification | Points |
|---|---|---|---|
| 4.1 | On D1, create IP SLAs that test the reachability of R1interface G0/0/1. | Create two IP SLAs.
The IP SLAs will test availability of R1 G0/0/1 interface every 5 seconds.
The tracked objects should notify D1 if the IP SLA state changes from down to up after 10 seconds, or from up to down after 15 seconds. | 2 |
| 4.2 | On D2, create IP SLAs that testthe reachability of R3 interface G0/0/1. | Create two IP SLAs.
The IP SLAs will test availability of R3 G0/0/1 interface every 5 seconds.
The tracked objects should notify D1 if the IP SLA state changes from down to up after 10 seconds, or from up to down after 15 seconds. | 2 |
| 4.3 | On D1, configure HSRPv2. | D1 is the primary router for VLANs 100 and 102; therefore, their priority will also be changed to 150. Configure HSRP version 2. Configure IPv4 HSRP group 104 for VLAN 100:
Configure IPv4 HSRP group 114 for VLAN 101:
Configure IPv4 HSRP group 124 for VLAN 102:
Configure IPv6 HSRP group 106 for VLAN 100:
Configure IPv6 HSRP group 116 for VLAN 101:
Configure IPv6 HSRP group 126 for VLAN 102:
| 8 |
| On D2, configure HSRPv2. | D2 is the primary router for VLAN 101; therefore, the priority will also be changed to 150. Configure HSRP version 2. Configure IPv4 HSRP group 104 for VLAN 100:
Configure IPv4 HSRP group 114 for VLAN 101:
Configure IPv4 HSRP group 124 for VLAN 102:
Configure IPv6 HSRP group 106 for VLAN 100:
Configure IPv6 HSRP group 116 for VLAN 101:
Configure IPv6 HSRP group 126 for VLAN 102:
|
Instructor Verification:
Issue the show run | section ip sla command on D1; output should appear as below. Verify task 4.1 and bullet 3 of task 4.3 for Switch D1.
D1# show run | section ip sla track 4 ip sla 4 delay down 10 up 15 track 6 ip sla 6 delay down 10 up 15 ip sla 4 icmp-echo 10.0.10.1 frequency 5 ip sla schedule 4 life forever start-time now ip sla 6 icmp-echo 2001:DB8:100:1010::1 frequency 5 ip sla schedule 6 life forever start-time now
Issue the show standby brief command on D1; output should appear as below. Verify task 4.3.
D1# show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl100 104 150 P Active local 10.0.100.2 10.0.100.254
Vl100 106 150 P Active local FE80::D2:2 FE80::5:73FF:FEA0:6A
Vl101 114 100 P Standby 10.0.101.2 local 10.0.101.254
Vl101 116 100 P Standby FE80::D2:3 local FE80::5:73FF:FEA0:74
Vl102 124 150 P Active local 10.0.102.2 10.0.102.254
Vl102 126 150 P Active local FE80::D2:4 FE80::5:73FF:FEA0:7EIssue the show run | section ip sla command on D2; output should appear as below. Verify task 4.2 and bullet 3 of task 4.3 for Switch D2.
D2# show run | section ip sla track 4 ip sla 4 delay down 10 up 15 track 6 ip sla 6 delay down 10 up 15 ip sla 4 icmp-echo 10.0.11.1 frequency 5 ip sla schedule 4 life forever start-time now ip sla 6 icmp-echo 2001:DB8:100:1011::1 frequency 5 ip sla schedule 6 life forever start-time now
Part 5: Security
In this part you will configure various security mechanisms on the devices in the topology.
Your configuration tasks are as follows:
| Task# | Task | Specification | Points |
|---|---|---|---|
| 5.1 | On all devices, secure privileged EXEC using the SCRYPTencryption algorithm. | Password: cisco12345cisco | 3 |
| 5.2 | On all devices, create a localuser and secure it using the SCRYPT encryption algorithm. | SCRYPT encrypted account specifics:
| 3 |
| 5.3 | On all devices (except R2), enableAAA. | Enable AAA. | 2 |
| 5.4 | On all devices (except R2),configure the RADIUS server specifics. | RADIUS server specifics:
| 2 |
| 5.5 | On all devices (except R2),configure the AAA authenticationmethod list. | AAA authentication specifics:
| 2 |
| 5.6 | Verify the AAA service on alldevices (except R2). | Log out and log in to all devices (except R2) using the username raduser and the password upass123. You should be successful. | 2 |
Instructor Verification:
Issue show run | include secret on each device; output should appear as below. Verify task 5.1 and 5.2.
R1# show run | include secret enable secret 9 $9$0C3pnVdgrnhnY9$uzGA.WZfcLg5IhuyJu22mIf.YyZ/83VgqbO3rXBDuwo username sadmin privilege 15 secret 9 $9$XCO4pzqbRT.3EP$ymouLOQI5/o0FOkYDtA1ztejFra67MnkJJ5Y3bhyQe6
Issue show run aaa | exclude ! on all devices except R2; output should appear as below. Verify tasks 5.3, 5.4 and 5.5.
R1# show run aaa | exclude ! aaa authentication login default group radius local username sadmin privilege 15 secret 9 $9$XCO4pzqbRT.3EP$ymouLOQI5/o0FOkYDtA1ztejFra67MnkJJ5Y3bhyQe6 radius server RADIUS address ipv4 10.0.100.6 auth-port 1812 acct-port 1813 key $trongPass aaa new-model aaa session-id common
Telnet from PC3 in the topology to any device other than R2. Log in using the username raduser and password upass123. Successful login verify that AAA is working and task 5.6.
Part 6: Configure Network Management Features
In this part, you will configure various network management features.
Your configuration tasks are as follows:
| Task# | Task | Specification | Points |
|---|---|---|---|
| 6.1 | On all devices, set the local clock to the current UTC time. | Setthe local clock to the current UTC time. | 3 |
| 6.2 | Configure R2 as an NTP master. | Configure R2 as an NTP master at stratum level 3. | 1 |
| 6.3 | Configure NTP on R1, R3, D1, D2,and A1. | Configure NTP as follows:
| 5 |
| 6.4 | Configure Syslog on all devicesexcept R2. | Syslogs should be sent to PC1 at 10.0.100.5 at the WARNING level. | 5 |
| 6.5 | Configure SNMPv2c on all devicesexcept R2. | SNMPv2 specifics:
| 10 |
Instructor Verification:
Verify the current UTC time.
Issue the show clock command on R2; output should indicate the correct current UTC time. This verifies task 6.1 on R2.
Issue the show run | include ntp command on R2; output should appear as below. This verifies task 6.2.
R2# show run | include ntp
ntp master 3Issue the show ntp status | include stratum command on R1; output should appear as below. This verifies task 6.3 on router R1.
R1# show ntp status | include stratum
Clock is synchronized, stratum 4, reference is 2.2.2.2Issue the show ntp status | include stratum command on R3, D1, D2, and A1. Output should appear as below. This verifies task 6.3 on these devices.
A1# show ntp status | include stratum
Clock is synchronized, stratum 5, reference is 10.0.10.1Issue the show run | include logging command on all devices except R2; output should appear as below. This verifies task 6.4 on these devices.
R1# show run | include logging
logging trap warnings
logging host 10.0.100.5
logging synchronousIssue the show ip access-list SNMP-NMS command on all devices except R2; output should appear as below. This confirms task 6.5.
D1# show ip access-list SNMP-NMS
Standard IP access list SNMP-NMS
10 permit 10.0.100.5Issue the show run | include snmp command on all devices except R2; output should appear as below. This verifies bullet 2 of task 6.5.
R1# show run | include snmp snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps config snmp-server enable traps bgp snmp-server host 10.0.100.5 version 2c ENCORSA R3# show run | include snmp snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps config snmp-server host 10.0.100.5 version 2c ENCORSA D1# show run | include snmp snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps config snmp-server host 10.0.100.5 version 2c ENCORSA D2# show run | include snmp snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps config snmp-server host 10.0.100.5 version 2c ENCORSA A1# show run | include snmp snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps config snmp-server host 10.0.100.5 version 2c ENCORSA
Part 7: Cleanup
NOTE: DO NOT PROCEED WITH CLEANUP UNTIL YOUR INSTRUCTOR HAS GRADED YOUR SKILLS ASSESSMENT AND HAS INFORMED YOU THAT YOU MAY BEGIN CLEANUP.
Unless directed otherwise by the instructor, restore host computer network connectivity, and then turn off power to the host computers.
Remove NVRAM configuration files (if saved) and vlan databases from all devices before turning them off or reloading them.
Device Configurations (Answers)
Listed below are the configuration commands used to create the skills assessment
Part 2 Commands
Switch D1
interface range g1/0/1-4 switchport mode trunk switchport trunk native vlan 999 channel-group 12 mode active no shutdown exit interface range g1/0/5-6 switchport mode trunk switchport trunk native vlan 999 channel-group 1 mode active no shutdown exit spanning-tree mode rapid-pvst spanning-tree vlan 100,102 root primary spanning-tree vlan 101 root secondary interface g1/0/23 switchport mode access switchport access vlan 100 spanning-tree portfast no shutdown exit end
Switch D2
interface range g1/0/1-4 switchport mode trunk switchport trunk native vlan 999 channel-group 12 mode active no shutdown exit interface range g1/0/5-6 switchport mode trunk switchport trunk native vlan 999 channel-group 2 mode active no shutdown exit ! spanning-tree mode rapid-pvst spanning-tree vlan 101 root primary spanning-tree vlan 100,102 root secondary ! interface g1/0/23 switchport mode access switchport access vlan 102 spanning-tree portfast no shutdown exit end
Switch A1
spanning-tree mode rapid-pvst interface range f0/1-2 switchport mode trunk switchport trunk native vlan 999 channel-group 1 mode active no shutdown exit interface range f0/3-4 switchport mode trunk switchport trunk native vlan 999 channel-group 2 mode active no shutdown exit interface f0/23 switchport mode access switchport access vlan 101 spanning-tree portfast no shutdown exit interface f0/24 switchport mode access switchport access vlan 100 spanning-tree portfast no shutdown exit end
Part 3 Commands (Routing Protocols)
Router R1
router ospf 4 router-id 0.0.4.1 network 10.0.10.0 0.0.0.255 area 0 network 10.0.13.0 0.0.0.255 area 0 default-information originate exit ipv6 router ospf 6 router-id 0.0.6.1 default-information originate exit interface g0/0/1 ipv6 ospf 6 area 0 exit interface s0/1/0 ipv6 ospf 6 area 0 exit ! ip route 10.0.0.0 255.0.0.0 null0 ipv6 route 2001:db8:100::/48 null0 ! router bgp 300 bgp router-id 1.1.1.1 neighbor 209.165.200.226 remote-as 500 neighbor 2001:db8:200::2 remote-as 500 address-family ipv4 unicast neighbor 209.165.200.226 activate no neighbor 2001:db8:200::2 activate network 10.0.0.0 mask 255.0.0.0 exit-address-family address-family ipv6 unicast no neighbor 209.165.200.226 activate neighbor 2001:db8:200::2 activate network 2001:db8:100::/48 exit-address-family
Router R2
ip route 0.0.0.0 0.0.0.0 loopback 0 ipv6 route ::/0 loopback 0 router bgp 500 bgp router-id 2.2.2.2 neighbor 209.165.200.225 remote-as 300 neighbor 2001:db8:200::1 remote-as 300 address-family ipv4 neighbor 209.165.200.225 activate no neighbor 2001:db8:200::1 activate network 2.2.2.2 mask 255.255.255.255 network 0.0.0.0 exit-address-family address-family ipv6 no neighbor 209.165.200.225 activate neighbor 2001:db8:200::1 activate network 2001:db8:2222::/128 network ::/0 exit-address-family
Router R3
router ospf 4 router-id 0.0.4.3 network 10.0.11.0 0.0.0.255 area 0 network 10.0.13.0 0.0.0.255 area 0 exit ipv6 router ospf 6 router-id 0.0.6.3 exit interface g0/0/1 ipv6 ospf 6 area 0 exit interface s0/1/0 ipv6 ospf 6 area 0 exit end
Switch D1
router ospf 4 router-id 0.0.4.131 network 10.0.100.0 0.0.0.255 area 0 network 10.0.101.0 0.0.0.255 area 0 network 10.0.102.0 0.0.0.255 area 0 network 10.0.10.0 0.0.0.255 area 0 passive-interface default no passive-interface g1/0/11 exit ipv6 router ospf 6 router-id 0.0.6.131 passive-interface default no passive-interface g1/0/11 exit interface g1/0/11 ipv6 ospf 6 area 0 exit interface vlan 100 ipv6 ospf 6 area 0 exit interface vlan 101 ipv6 ospf 6 area 0 exit interface vlan 102 ipv6 ospf 6 area 0 exit end
Switch D2
router ospf 4 router-id 0.0.4.132 network 10.0.100.0 0.0.0.255 area 0 network 10.0.101.0 0.0.0.255 area 0 network 10.0.102.0 0.0.0.255 area 0 network 10.0.11.0 0.0.0.255 area 0 passive-interface default no passive-interface g1/0/11 exit ipv6 router ospf 6 router-id 0.0.6.132 passive-interface default no passive-interface g1/0/11 exit interface g1/0/11 ipv6 ospf 6 area 0 exit interface vlan 100 ipv6 ospf 6 area 0 exit interface vlan 101 ipv6 ospf 6 area 0 exit interface vlan 102 ipv6 ospf 6 area 0 exit end
Part 4 Commands (FHRP/SLA)
Switch D1
ip sla 4 icmp-echo 10.0.10.1 frequency 5 exit ip sla 6 icmp-echo 2001:db8:100:1010::1 frequency 5 exit ip sla schedule 4 life forever start-time now ip sla schedule 6 life-forever start-time now track 4 ip sla 4 delay down 10 up 15 exit track 6 ip sla 6 delay down 10 up 15 exit interface vlan 100 standby version 2 standby 104 ip 10.0.100.254 standby 104 priority 150 standby 104 preempt standby 104 track 4 decrement 60 standby 106 ipv6 autoconfig standby 106 priority 150 standby 106 preempt standby 106 track 6 decrement 60 exit interface vlan 101 standby version 2 standby 114 ip 10.0.101.254 standby 114 preempt standby 114 track 4 decrement 60 standby 116 ipv6 autoconfig standby 116 preempt standby 116 track 6 decrement 60 exit interface vlan 102 standby version 2 standby 124 ip 10.0.102.254 standby 124 priority 150 standby 124 preempt standby 124 track 4 decrement 60 standby 126 ipv6 autoconfig standby 126 priority 150 standby 126 preempt standby 126 track 6 decrement 60 exit end
Switch D2
ip sla 4 icmp-echo 10.0.11.1 frequency exit ip sla 6 icmp-echo 2001:db8:100:1011::1 frequency exit ip sla schedule 4 life forever start-time now ip sla schedule 6 life forever start-time now track 4 ip sla 4 delay down 10 up 15 exit track 6 ip sla 6 delay down 10 up 15 exit interface vlan 100 standby version 2 standby 104 ip 10.0.100.254 standby 104 preempt standby 104 track 4 decrement 60 standby 106 ipv6 autoconfig standby 106 preempt standby 106 track 6 decrement 60 exit interface vlan 101 standby version 2 standby 114 ip 10.0.101.254 standby 114 priority 150 standby 114 preempt standby 114 track 4 decrement 60 standby 116 ipv6 autoconfig standby 116 priority 150 standby 116 preempt standby 116 track 6 decrement 60 exit interface vlan 102 standby version 2 standby 124 ip 10.0.102.254 standby 124 preempt standby 124 track 4 decrement 60 standby 126 ipv6 autoconfig standby 126 preempt standby 126 track 6 decrement 60 exit end
Part 5 Commands (Security)
All Devices:
enable algorithm-type SCRYPT secret cisco12345cisco username sadmin privilege 15 algorithm-type SCRYPT secret cisco12345cisco ! All devices except R2: aaa new-model radius server RADIUS address ipv4 10.0.100.6 auth-port 1812 acct-port 1813 key $trongPass exit aaa authentication login default group radius local end
Part 6 Commands (Net Management)
Set local clock to UTC on all devices.
Router R2:
ntp master 3 end
Router R1
! enable and enter password ntp server 2.2.2.2 logging trap warning logging host 10.0.100.5 logging on ip access-list standard SNMP-NMS permit host 10.0.100.5 exit snmp-server contact Cisco Student snmp-server community ENCORSA ro SNMP-NMS snmp-server host 10.0.100.5 version 2c ENCORSA snmp-server ifindex persist snmp-server enable traps bgp snmp-server enable traps config snmp-server enable traps ospf end
Router R3
ntp server 10.0.10.1 logging trap warning logging host 10.0.100.5 logging on ip access-list standard SNMP-NMS permit host 10.0.100.5 exit snmp-server contact Cisco Student snmp-server community ENCORSA ro SNMP-NMS snmp-server host 10.0.100.5 version 2c ENCORSA snmp-server ifindex persist snmp-server enable traps config snmp-server enable traps ospf end
Switch D1
ntp server 10.0.10.1 logging trap warning logging host 10.0.100.5 logging on ip access-list standard SNMP-NMS permit host 10.0.100.5 exit snmp-server contact Cisco Student snmp-server community ENCORSA ro SNMP-NMS snmp-server host 10.0.100.5 version 2c ENCORSA snmp-server ifindex persist snmp-server enable traps config snmp-server enable traps ospf end
Switch D2
ntp server 10.0.10.1 logging trap warning logging host 10.0.100.5 logging on ip access-list standard SNMP-NMS permit host 10.0.100.5 exit snmp-server contact Cisco Student snmp-server community ENCORSA ro SNMP-NMS snmp-server host 10.0.100.5 version 2c ENCORSA snmp-server enable traps config snmp-server enable traps ospf end
Switch A1
ntp server 10.0.10.1 logging trap warning logging host 10.0.100.5 logging on ip access-list standard SNMP-NMS permit host 10.0.100.5 exit snmp-server contact Cisco Student snmp-server community ENCORSA ro SNMP-NMS snmp-server host 10.0.100.5 version 2c ENCORSA snmp-server ifindex persist snmp-server enable traps config snmp-server enable traps ospf end
Device Configurations (Final)
Router R1
R1# show run Building configuration... Current configuration : 3406 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 no platform punt-keepalive disable-kernel-core ! hostname R1 ! boot-start-marker boot-end-marker ! enable secret 9 $9$0C3pnVdgrnhnY9$uzGA.WZfcLg5IhuyJu22mIf.YyZ/83VgqbO3rXBDuwo ! aaa new-model ! aaa authentication login default group radius local ! aaa session-id common ! no ip domain lookup ! login on-success log ! subscriber templating ! ipv6 unicast-routing multilink bundle-name authenticated ! spanning-tree extend system-id ! username sadmin privilege 15 secret 9 $9$XCO4pzqbRT.3EP$ymouLOQI5/o0FOkYDtA1ztejFra67MnkJJ5Y3bhyQe6 ! redundancy mode none ! interface GigabitEthernet0/0/0 ip address 209.165.200.225 255.255.255.224 negotiation auto ipv6 address FE80::1:1 link-local ipv6 address 2001:DB8:200::1/64 ! interface GigabitEthernet0/0/1 ip address 10.0.10.1 255.255.255.0 negotiation auto ipv6 address FE80::1:2 link-local ipv6 address 2001:DB8:100:1010::1/64 ipv6 ospf 6 area 0 ! interface Serial0/1/0 ip address 10.0.13.1 255.255.255.0 ipv6 address FE80::1:3 link-local ipv6 address 2001:DB8:100:1013::1/64 ipv6 ospf 6 area 0 ! interface Serial0/1/1 no ip address ! router ospf 4 router-id 0.0.4.1 network 10.0.10.0 0.0.0.255 area 0 network 10.0.13.0 0.0.0.255 area 0 default-information originate ! router bgp 300 bgp router-id 1.1.1.1 bgp log-neighbor-changes neighbor 2001:DB8:200::2 remote-as 500 neighbor 209.165.200.226 remote-as 500 ! address-family ipv4 network 10.0.0.0 no neighbor 2001:DB8:200::2 activate neighbor 209.165.200.226 activate exit-address-family ! address-family ipv6 network 2001:DB8:100::/48 neighbor 2001:DB8:200::2 activate exit-address-family ! ip forward-protocol nd no ip http server ip http secure-server ip route 10.0.0.0 255.0.0.0 Null0 ! ip access-list standard SNMP-NMS permit 10.0.100.5 logging trap warnings logging host 10.0.100.5 ipv6 route 2001:DB8:100::/48 Null0 ipv6 router ospf 6 router-id 0.0.6.1 default-information originate ! snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps config snmp-server enable traps bgp snmp-server host 10.0.100.5 version 2c ENCORSA ! radius server RADIUS address ipv4 10.0.100.6 auth-port 1812 acct-port 1813 key $trongPass ! control-plane ! banner motd ^C R1, ENCOR Skills Assessment, Scenario 1 ^C ! line con 0 exec-timeout 0 0 logging synchronous transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 ! ntp server 2.2.2.2 ! end
Router R2
R2# show run Building configuration... Current configuration : 2029 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 no platform punt-keepalive disable-kernel-core ! hostname R2 ! boot-start-marker boot-end-marker ! enable secret 9 $9$kWM5eeaWgcjgDk$klw0rmhA2j9zzPN13oTIYc/.yk9aczrrDxNq4rUNf5c ! no aaa new-model ! no ip domain lookup ! login on-success log ! subscriber templating ! ipv6 unicast-routing multilink bundle-name authenticated ! spanning-tree extend system-id ! username sadmin privilege 15 secret 9 $9$xfCWZaD1xuZ5Q.$rje2SE7dafmrTg87ls/vn.PNtMXbaL3kfmN3Jr08yNU ! redundancy mode none ! interface Loopback0 ip address 2.2.2.2 255.255.255.255 ipv6 address FE80::2:3 link-local ipv6 address 2001:DB8:2222::1/128 ! interface GigabitEthernet0/0/0 ip address 209.165.200.226 255.255.255.224 negotiation auto ipv6 address FE80::2:1 link-local ipv6 address 2001:DB8:200::2/64 ! interface GigabitEthernet0/0/1 no ip address negotiation auto ! router bgp 500 bgp router-id 2.2.2.2 bgp log-neighbor-changes neighbor 2001:DB8:200::1 remote-as 300 neighbor 209.165.200.225 remote-as 300 ! address-family ipv4 network 0.0.0.0 network 2.2.2.2 mask 255.255.255.255 no neighbor 2001:DB8:200::1 activate neighbor 209.165.200.225 activate exit-address-family ! address-family ipv6 network ::/0 network 2001:DB8:2222::/128 neighbor 2001:DB8:200::1 activate exit-address-family ! ip forward-protocol nd no ip http server ip http secure-server ip route 0.0.0.0 0.0.0.0 Loopback0 ! ipv6 route ::/0 Loopback0 ! control-plane ! banner motd ^C R2, ENCOR Skills Assessment, Scenario 1 ^C ! line con 0 exec-timeout 0 0 logging synchronous transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 login ! ntp master 3 ! end
Router R3
R3# show run Building configuration... Current configuration : 2765 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 no platform punt-keepalive disable-kernel-core ! hostname R3 ! boot-start-marker boot-end-marker ! enable secret 9 $9$X1WR7NQHvbYXHY$HevkjyeTexlsUxwhnwaZWeh/VEB3CIoGxlPSJ9O.F6o ! aaa new-model ! aaa authentication login default group radius local ! aaa session-id common ! no ip domain lookup ! login on-success log ! subscriber templating ! ipv6 unicast-routing multilink bundle-name authenticated ! spanning-tree extend system-id ! username sadmin privilege 15 secret 9 $9$y02cJ/kvRKO7DI$eYITN996n5QFlG2zu7OoHu2RLPwbw/8v8lO4nv/n8Aw ! redundancy mode none ! interface GigabitEthernet0/0/0 no ip address negotiation auto ! interface GigabitEthernet0/0/1 ip address 10.0.11.1 255.255.255.0 negotiation auto ipv6 address FE80::3:2 link-local ipv6 address 2001:DB8:100:1011::1/64 ipv6 ospf 6 area 0 ! interface Serial0/1/0 ip address 10.0.13.3 255.255.255.0 ipv6 address FE80::3:3 link-local ipv6 address 2001:DB8:100:1010::2/64 ipv6 ospf 6 area 0 ! interface Serial0/1/1 no ip address ! router ospf 4 router-id 0.0.4.3 network 10.0.11.0 0.0.0.255 area 0 network 10.0.13.0 0.0.0.255 area 0 ! ip forward-protocol nd no ip http server ip http secure-server ! ip access-list standard SNMP-NMS permit 10.0.100.5 logging trap warnings logging host 10.0.100.5 ipv6 router ospf 6 router-id 0.0.6.3 ! snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps config snmp-server host 10.0.100.5 version 2c ENCORSA ! radius server RADIUS address ipv4 10.0.100.6 auth-port 1812 acct-port 1813 key $trongPass ! control-plane ! banner motd ^C R3, ENCOR Skills Assessment, Scenario 1 ^C ! line con 0 exec-timeout 0 0 logging synchronous transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 ! ntp server 10.0.10.1 ! end
Switch D1
D1# show run Building configuration... Current configuration : 8260 bytes ! version 16.9 no service pad service timestamps debug datetime msec service timestamps log datetime msec no platform punt-keepalive disable-kernel-core ! hostname D1 ! vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! enable secret 9 $9$RWOFeoZQQ/zqJk$rEnKpZ9Dx6asfA/16o3cPHR3hYQvn2gFiZuybdaFo82 ! aaa new-model ! aaa authentication login default group radius local ! aaa session-id common switch 1 provision ws-c3650-24ps ! ip routing ! no ip domain lookup ip dhcp excluded-address 10.0.101.1 10.0.101.109 ip dhcp excluded-address 10.0.101.141 10.0.101.254 ip dhcp excluded-address 10.0.102.1 10.0.102.109 ip dhcp excluded-address 10.0.102.141 10.0.102.254 ! ip dhcp pool VLAN-101 network 10.0.101.0 255.255.255.0 default-router 10.0.101.254 ! ip dhcp pool VLAN-102 network 10.0.102.0 255.255.255.0 default-router 10.0.102.254 ! login on-success log ipv6 unicast-routing ! license boot level ipservicesk9 ! diagnostic bootup level minimal ! spanning-tree mode rapid-pvst spanning-tree extend system-id spanning-tree vlan 100,102 priority 24576 spanning-tree vlan 101 priority 28672 ! username sadmin privilege 15 secret 9 $9$yBNV4PYk3Zdpak$N2uvIju4cfG5jQsynRkIv0EHas6ivCZRAtkztAnLiVo ! redundancy mode sso ! transceiver type all monitoring ! track 4 ip sla 4 delay down 10 up 15 ! track 6 ip sla 6 delay down 10 up 15 ! class-map match-any system-cpp-police-topology-control description Topology control class-map match-any system-cpp-police-sw-forward description Sw forwarding, L2 LVX data, LOGGING class-map match-any system-cpp-default description Inter FED, EWLC control, EWLC data class-map match-any system-cpp-police-sys-data description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFLSAMPLED DATA, RPF Failed class-map match-any system-cpp-police-punt-webauth description Punt Webauth class-map match-any system-cpp-police-l2lvx-control description L2 LVX control packets class-map match-any system-cpp-police-forus description Forus Address resolution and Forus traffic class-map match-any system-cpp-police-multicast-end-station description MCAST END STATION class-map match-any system-cpp-police-multicast description Transit Traffic and MCAST Data class-map match-any system-cpp-police-l2-control description L2 control class-map match-any system-cpp-police-dot1x-auth description DOT1X Auth class-map match-any system-cpp-police-data description ICMP redirect, ICMP_GEN and BROADCAST class-map match-any system-cpp-police-stackwise-virt-control description Stackwise Virtual class-map match-any non-client-nrt-class class-map match-any system-cpp-police-routing-control description Routing control and Low Latency class-map match-any system-cpp-police-protocol-snooping description Protocol snooping class-map match-any system-cpp-police-dhcp-snooping description DHCP snooping class-map match-any system-cpp-police-system-critical description System Critical and Gold Pkt ! policy-map system-cpp-policy ! ! interface Port-channel1 switchport trunk native vlan 999 switchport mode trunk ! interface Port-channel12 switchport trunk native vlan 999 switchport mode trunk ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto ! interface GigabitEthernet1/0/1 switchport trunk native vlan 999 switchport mode trunk channel-group 12 mode active ! interface GigabitEthernet1/0/2 switchport trunk native vlan 999 switchport mode trunk channel-group 12 mode active ! interface GigabitEthernet1/0/3 switchport trunk native vlan 999 switchport mode trunk channel-group 12 mode active ! interface GigabitEthernet1/0/4 switchport trunk native vlan 999 switchport mode trunk channel-group 12 mode active ! interface GigabitEthernet1/0/5 switchport trunk native vlan 999 switchport mode trunk channel-group 1 mode active ! interface GigabitEthernet1/0/6 switchport trunk native vlan 999 switchport mode trunk channel-group 1 mode active ! interface GigabitEthernet1/0/7 shutdown ! interface GigabitEthernet1/0/8 shutdown ! interface GigabitEthernet1/0/9 shutdown ! interface GigabitEthernet1/0/10 shutdown ! interface GigabitEthernet1/0/11 no switchport ip address 10.0.10.2 255.255.255.0 ipv6 address FE80::D1:1 link-local ipv6 address 2001:DB8:100:1010::2/64 ipv6 ospf 6 area 0 ! interface GigabitEthernet1/0/12 shutdown ! interface GigabitEthernet1/0/13 shutdown ! interface GigabitEthernet1/0/14 shutdown ! interface GigabitEthernet1/0/15 shutdown ! interface GigabitEthernet1/0/16 shutdown ! interface GigabitEthernet1/0/17 shutdown ! interface GigabitEthernet1/0/18 shutdown ! interface GigabitEthernet1/0/19 shutdown ! interface GigabitEthernet1/0/20 shutdown ! interface GigabitEthernet1/0/21 shutdown ! interface GigabitEthernet1/0/22 shutdown ! interface GigabitEthernet1/0/23 switchport access vlan 100 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/24 shutdown ! interface GigabitEthernet1/1/1 shutdown ! interface GigabitEthernet1/1/2 shutdown ! interface GigabitEthernet1/1/3 shutdown ! interface GigabitEthernet1/1/4 shutdown ! interface Vlan1 no ip address ! interface Vlan100 ip address 10.0.100.1 255.255.255.0 standby version 2 standby 104 ip 10.0.100.254 standby 104 priority 150 standby 104 preempt standby 104 track 4 decrement 60 standby 106 ipv6 autoconfig standby 106 priority 150 standby 106 preempt standby 106 track 6 decrement 60 ipv6 address FE80::D1:2 link-local ipv6 address 2001:DB8:100:100::1/64 ipv6 ospf 6 area 0 ! interface Vlan101 ip address 10.0.101.1 255.255.255.0 standby version 2 standby 114 ip 10.0.101.254 standby 114 preempt standby 114 track 4 decrement 60 standby 116 ipv6 autoconfig standby 116 preempt standby 116 track 6 decrement 60 ipv6 address FE80::D1:3 link-local ipv6 address 2001:DB8:100:101::1/64 ipv6 ospf 6 area 0 ! interface Vlan102 ip address 10.0.102.1 255.255.255.0 standby version 2 standby 124 ip 10.0.102.254 standby 124 priority 150 standby 124 preempt standby 124 track 4 decrement 60 standby 126 ipv6 autoconfig standby 126 priority 150 standby 126 preempt standby 126 track 6 decrement 60 ipv6 address FE80::D1:4 link-local ipv6 address 2001:DB8:100:102::1/64 ipv6 ospf 6 area 0 ! router ospf 4 router-id 0.0.4.131 passive-interface default no passive-interface GigabitEthernet1/0/11 network 10.0.10.0 0.0.0.255 area 0 network 10.0.100.0 0.0.0.255 area 0 network 10.0.101.0 0.0.0.255 area 0 network 10.0.102.0 0.0.0.255 area 0 ! ip forward-protocol nd ip http server ip http secure-server ! ip access-list standard SNMP-NMS permit 10.0.100.5 ! ip sla 4 icmp-echo 10.0.10.1 frequency 5 ip sla schedule 4 life forever start-time now ip sla 6 icmp-echo 2001:DB8:100:1010::1 frequency 5 ip sla schedule 6 life forever start-time now logging trap warnings logging host 10.0.100.5 ipv6 router ospf 6 router-id 0.0.6.131 passive-interface default no passive-interface GigabitEthernet1/0/11 ! snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps config snmp-server host 10.0.100.5 version 2c ENCORSA snmp ifmib ifindex persist ! radius server RADIUS address ipv4 10.0.100.6 auth-port 1812 acct-port 1813 key $trongPass ! control-plane service-policy input system-cpp-policy ! banner motd ^C D1, ENCOR Skills Assessment, Scenario 1 ^C ! line con 0 exec-timeout 0 0 logging synchronous stopbits 1 line aux 0 stopbits 1 line vty 5 15 ! ntp server 10.0.10.1 ! end
Switch D2
D2# show run Building configuration... Current configuration : 8208 bytes ! version 16.9 no service pad service timestamps debug datetime msec service timestamps log datetime msec no platform punt-keepalive disable-kernel-core ! hostname D2 ! vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! enable secret 9 $9$CQubYNwHPhsPpE$QWfTfAlfzmWD3ELHkcFNzlDlp24FkpjLnGBRMPbUNow ! aaa new-model ! aaa authentication login default group radius local ! aaa session-id common switch 1 provision ws-c3650-24ps ! ip routing ! no ip domain lookup ip dhcp excluded-address 10.0.101.1 10.0.101.209 ip dhcp excluded-address 10.0.101.241 10.0.101.254 ip dhcp excluded-address 10.0.102.1 10.0.102.209 ip dhcp excluded-address 10.0.102.241 10.0.102.254 ! ip dhcp pool VLAN-101 network 10.0.101.0 255.255.255.0 default-router 10.0.101.254 ! ip dhcp pool VLAN-102 network 10.0.102.0 255.255.255.0 default-router 10.0.102.254 ! login on-success log ipv6 unicast-routing ! license boot level ipservicesk9 ! diagnostic bootup level minimal ! spanning-tree mode rapid-pvst spanning-tree extend system-id spanning-tree vlan 100,102 priority 28672 spanning-tree vlan 101 priority 24576 ! username sadmin privilege 15 secret 9 $9$0bnG9yhbASQv9k$geQoMT2qxu1ItBXC5pl/SOR2YeWhqDOW0lsMIsicQDw ! redundancy mode sso ! transceiver type all monitoring ! track 4 ip sla 4 delay down 10 up 15 ! track 6 ip sla 6 delay down 10 up 15 ! class-map match-any system-cpp-police-topology-control description Topology control class-map match-any system-cpp-police-sw-forward description Sw forwarding, L2 LVX data, LOGGING class-map match-any system-cpp-default description Inter FED, EWLC control, EWLC data class-map match-any system-cpp-police-sys-data description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFLSAMPLED DATA, RPF Failed class-map match-any system-cpp-police-punt-webauth description Punt Webauth class-map match-any system-cpp-police-l2lvx-control description L2 LVX control packets class-map match-any system-cpp-police-forus description Forus Address resolution and Forus traffic class-map match-any system-cpp-police-multicast-end-station description MCAST END STATION class-map match-any system-cpp-police-multicast description Transit Traffic and MCAST Data class-map match-any system-cpp-police-l2-control description L2 control class-map match-any system-cpp-police-dot1x-auth description DOT1X Auth class-map match-any system-cpp-police-data description ICMP redirect, ICMP_GEN and BROADCAST class-map match-any system-cpp-police-stackwise-virt-control description Stackwise Virtual class-map match-any non-client-nrt-class class-map match-any system-cpp-police-routing-control description Routing control and Low Latency class-map match-any system-cpp-police-protocol-snooping description Protocol snooping class-map match-any system-cpp-police-dhcp-snooping description DHCP snooping class-map match-any system-cpp-police-system-critical description System Critical and Gold Pkt ! policy-map system-cpp-policy ! interface Port-channel2 switchport trunk native vlan 999 switchport mode trunk ! interface Port-channel12 switchport trunk native vlan 999 switchport mode trunk ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto ! interface GigabitEthernet1/0/1 switchport trunk native vlan 999 switchport mode trunk channel-group 12 mode active ! interface GigabitEthernet1/0/2 switchport trunk native vlan 999 switchport mode trunk channel-group 12 mode active ! interface GigabitEthernet1/0/3 switchport trunk native vlan 999 switchport mode trunk channel-group 12 mode active ! interface GigabitEthernet1/0/4 switchport trunk native vlan 999 switchport mode trunk channel-group 12 mode active ! interface GigabitEthernet1/0/5 switchport trunk native vlan 999 switchport mode trunk channel-group 2 mode active ! interface GigabitEthernet1/0/6 switchport trunk native vlan 999 switchport mode trunk channel-group 2 mode active ! interface GigabitEthernet1/0/7 shutdown ! interface GigabitEthernet1/0/8 shutdown ! interface GigabitEthernet1/0/9 shutdown ! interface GigabitEthernet1/0/10 shutdown ! interface GigabitEthernet1/0/11 no switchport ip address 10.0.11.2 255.255.255.0 ipv6 address FE80::D1:1 link-local ipv6 address 2001:DB8:100:1011::2/64 ipv6 ospf 6 area 0 ! interface GigabitEthernet1/0/12 shutdown ! interface GigabitEthernet1/0/13 shutdown ! interface GigabitEthernet1/0/14 shutdown ! interface GigabitEthernet1/0/15 shutdown ! interface GigabitEthernet1/0/16 shutdown ! interface GigabitEthernet1/0/17 shutdown ! interface GigabitEthernet1/0/18 shutdown ! interface GigabitEthernet1/0/19 shutdown ! interface GigabitEthernet1/0/20 shutdown ! interface GigabitEthernet1/0/21 shutdown ! interface GigabitEthernet1/0/22 shutdown ! interface GigabitEthernet1/0/23 switchport access vlan 102 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/24 shutdown ! interface GigabitEthernet1/1/1 shutdown ! interface GigabitEthernet1/1/2 shutdown ! interface GigabitEthernet1/1/3 shutdown ! interface GigabitEthernet1/1/4 shutdown ! interface Vlan1 no ip address ! interface Vlan100 ip address 10.0.100.2 255.255.255.0 standby version 2 standby 104 ip 10.0.100.254 standby 104 preempt standby 104 track 4 decrement 60 standby 106 ipv6 autoconfig standby 106 preempt standby 106 track 6 decrement 60 ipv6 address FE80::D2:2 link-local ipv6 address 2001:DB8:100:100::2/64 ipv6 ospf 6 area 0 ! interface Vlan101 ip address 10.0.101.2 255.255.255.0 standby version 2 standby 114 ip 10.0.101.254 standby 114 priority 150 standby 114 preempt standby 114 track 4 decrement 60 standby 116 ipv6 autoconfig standby 116 priority 150 standby 116 preempt standby 116 track 6 decrement 60 ipv6 address FE80::D2:3 link-local ipv6 address 2001:DB8:100:101::2/64 ipv6 ospf 6 area 0 ! interface Vlan102 ip address 10.0.102.2 255.255.255.0 standby version 2 standby 124 ip 10.0.102.254 standby 124 preempt standby 124 track 4 decrement 60 standby 126 ipv6 autoconfig standby 126 preempt standby 126 track 6 decrement 60 ipv6 address FE80::D2:4 link-local ipv6 address 2001:DB8:100:102::2/64 ipv6 ospf 6 area 0 ! router ospf 4 router-id 0.0.4.132 passive-interface default no passive-interface GigabitEthernet1/0/11 network 10.0.11.0 0.0.0.255 area 0 network 10.0.100.0 0.0.0.255 area 0 network 10.0.101.0 0.0.0.255 area 0 network 10.0.102.0 0.0.0.255 area 0 ! ip forward-protocol nd ip http server ip http secure-server ! ip access-list standard SNMP-NMS permit 10.0.100.5 ! ip sla 4 icmp-echo 10.0.11.1 frequency 5 ip sla schedule 4 life forever start-time now ip sla 6 icmp-echo 2001:DB8:100:1011::1 frequency 5 ip sla schedule 6 life forever start-time now logging trap warnings logging host 10.0.100.5 ipv6 router ospf 6 router-id 0.0.6.132 passive-interface default no passive-interface GigabitEthernet1/0/11 ! snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps config snmp-server host 10.0.100.5 version 2c ENCORSA ! radius server RADIUS address ipv4 10.0.100.6 auth-port 1812 acct-port 1813 key $trongPass ! control-plane service-policy input system-cpp-policy ! banner motd ^C D2, ENCOR Skills Assessment, Scenario 1 ^C ! line con 0 exec-timeout 0 0 logging synchronous stopbits 1 line aux 0 stopbits 1 line vty 5 15 ! ntp server 10.0.10.1 ! end
Switch A1
A1# show run Building configuration... Current configuration : 3102 bytes ! version 15.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname A1 ! boot-start-marker boot-end-marker ! enable secret 9 $9$W4yJyY0jfUFGt3$hgWzRhouqq81DGKiSw3oN3ICGIRFKI1TF9C4Qo2BoGk ! username sadmin privilege 15 secret 9 $9$rlz/oiC6xETwLL$4MFl7ezehKgosutkpnwabhdf83xQOcDXYyW.dvyoneY aaa new-model ! aaa authentication login default group radius local ! aaa session-id common system mtu routing 1500 ! no ip domain-lookup ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! interface Port-channel1 switchport trunk native vlan 999 switchport mode trunk ! interface Port-channel2 switchport trunk native vlan 999 switchport mode trunk ! interface FastEthernet0/1 switchport trunk native vlan 999 switchport mode trunk channel-group 1 mode active ! interface FastEthernet0/2 switchport trunk native vlan 999 switchport mode trunk channel-group 1 mode active ! interface FastEthernet0/3 switchport trunk native vlan 999 switchport mode trunk channel-group 2 mode active ! interface FastEthernet0/4 switchport trunk native vlan 999 switchport mode trunk channel-group 2 mode active ! interface FastEthernet0/5 shutdown ! interface FastEthernet0/6 shutdown ! interface FastEthernet0/7 shutdown ! interface FastEthernet0/8 shutdown ! interface FastEthernet0/9 shutdown ! interface FastEthernet0/10 shutdown ! interface FastEthernet0/11 shutdown ! interface FastEthernet0/12 shutdown ! interface FastEthernet0/13 shutdown ! interface FastEthernet0/14 shutdown ! interface FastEthernet0/15 shutdown ! interface FastEthernet0/16 shutdown ! interface FastEthernet0/17 shutdown ! interface FastEthernet0/18 shutdown ! interface FastEthernet0/19 shutdown ! interface FastEthernet0/20 shutdown ! interface FastEthernet0/21 shutdown ! interface FastEthernet0/22 shutdown ! interface FastEthernet0/23 switchport access vlan 101 switchport mode access spanning-tree portfast edge ! interface FastEthernet0/24 switchport access vlan 100 switchport mode access spanning-tree portfast edge ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 no ip address shutdown ! interface Vlan100 ip address 10.0.100.3 255.255.255.0 ipv6 address FE80::A1:1 link-local ipv6 address 2001:DB8:100:100::3/64 ! ip default-gateway 10.0.100.254 ip http server ip http secure-server ! ip access-list standard SNMP-NMS permit 10.0.100.5 ! logging trap warnings logging host 10.0.100.5 ! snmp-server community ENCORSA RO SNMP-NMS snmp-server contact Cisco Student snmp-server enable traps config snmp-server host 10.0.100.5 version 2c ENCORSA ! radius server RADIUS address ipv4 10.0.100.6 auth-port 1812 acct-port 1813 key $trongPass ! banner motd ^C A1, ENCOR Skills Assessment, Scenario 1 ^C ! line con 0 exec-timeout 0 0 logging synchronous line vty 5 15 ! ntp server 10.0.10.1 end
Scenario 2
ENCOR Skills Assessment (Scenario 2)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
Addressing Table
| Device | Interface | IPv4 Address | IPv6 Address | IPv6 Link-Local |
|---|---|---|---|---|
| R1 | G0/0/0.1 | 10.0.12.1/24 | 2001:db8:acad:12::1/64 | fe80::1:1 |
| G0/0/0.2 | 10.0.12.1/24 | 2001:db8:acad:12::1/64 | fe80::1:2 | |
| G0/0/1.1 | 10.0.113.1/24 | 2001:db8:acad:113::1/64 | fe80::1:3 | |
| G0/0/1.2 | 10.0.108.1/24 | 2001:db8:acad:108::1/64 | fe80::1:4 | |
| R2 | G0/0/0.1 | 10.0.12.2/24 | 2001:db8:acad:12::2/64 | fe80::2:1 |
| G0/0/0.2 | 10.0.12.2/24 | 2001:db8:acad:12::2/64 | fe80::2:2 | |
| G0/0/1.1 | 10.0.23.2/24 | 2001:db8:acad:23::2/64 | fe80::2:3 | |
| G0/0/1.2 | 10.0.23.2/24 | 2001:db8:acad:23::2/64 | fe80::2:4 | |
| R3 | G0/0/0.1 | 10.0.23.3/24 | 2001:db8:acad:23::3/64 | fe80::3:1 |
| G0/0/0.2 | 10.0.23.3/24 | 2001:db8:acad:23::3/64 | fe80::3:2 | |
| G0/0/1.1 | 10.0.213.1/24 | 2001:db8:acad:213::1/64 | fe80::3:3 | |
| G0/0/1.2 | 10.0.208.1/24 | 2001:db8:acad:208::1/64 | fe80::3:4 | |
| PC1 | NIC | 10.0.113.50/24 | 2001:db8:acad:113::50/64 | EUI-64 |
| PC2 | NIC | 10.0.213.50/24 | 2001:db8:acad:213::50/64 | EUI-64 |
| PC3 | NIC | 10.0.108.50/24 | 2001:db8:acad:108::50/64 | EUI-64 |
| PC4 | NIC | 10.0.208.50/24 | 2001:db8:acad:208::50/64 | EUI-64 |
Objectives
- Part 1: Build the Network and Configure Basic Device Settings.
- Part 2: Configure VRF and Static Routing
- Part 3: Configure L2 Network
- Part 4: Configure Security
- Part 5: Cleanup
Background / Scenario
In this skills assessment, you are responsible for completing the multi-VRF configuration of the network supporting “General Users” and “Special Users”. Upon completion, there should be full end-to-end reachability and the two groups should not be able to communicate with each other. Be sure to verify that your configurations meet the provided specifications and that the devices perform as required.
Note: The routers used with CCNP hands-on labs are Cisco 4221s with Cisco IOS XE Release 16.9.4 (universalk9 image). The switches used in the labs are Cisco Catalyst 3650s with Cisco IOS XE Release 16.9.4 (universalk9 image) and Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs.
Note: Make sure that the switches have been erased and have no startup configurations. If you are unsure, contact your instructor.
Note: The default Switch Database Manager (SDM) template on a Catalyst 2960 does not support IPv6. You must change the default SDM template to the dual-ipv4-and-ipv6 default template using the sdm prefer dual-ipv4-and-ipv6 default global configuration command. Changing the template will require a reboot.
Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.
Instructor Note: This skills assessment presumes that Part 1: Build the Network and Configure Basic Device Settings and Interface Addressing is not a graded or timed component of the exercise.
Instructor Note: In the interest of time, it may be appropriate to modify some of the requirements from “all devices” to a select device.
Required Resources
- 3 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
- 2 Switches (Cisco 3650 with Cisco IOS XE release 16.9.4 universal image or comparable)
- 1 Switch (Cisco 2960 with Cisco IOS release 15.2 lanbase image or comparable)
- 4 PCs (Choice of operating system with a terminal emulation program)
- Console cables to configure the Cisco IOS devices via the console ports
- Ethernet cables as shown in the topology
Instructions
Part 1: Build the Network and Configure Basic Device Settings and Interface Addressing
In Part 1, you will set up the network topology and configure basic settings.
Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram, and cable as necessary.
Step 2: Configure basic settings for each device.
a. Console into each device, enter global configuration mode, and apply the basic settings. The startup configurations for each device are provided below.
Router R1
hostname R1 ipv6 unicast-routing no ip domain lookup banner motd # R1, ENCOR Skills Assessment, Scenario 2 # line con 0 exec-timeout 0 0 logging synchronous exit
Router R2
hostname R2 ipv6 unicast-routing no ip domain lookup banner motd # R2, ENCOR Skills Assessment, Scenario 2 # line con 0 exec-timeout 0 0 logging synchronous exit
Router R3
hostname R3 ipv6 unicast-routing no ip domain lookup banner motd # R3, ENCOR Skills Assessment, Scenario 2 # line con 0 exec-timeout 0 0 logging synchronous exit
Switch D1
hostname D1 ip routing ipv6 unicast-routing no ip domain lookup banner motd # D1, ENCOR Skills Assessment, Scenario 2 # line con 0 exec-timeout 0 0 logging synchronous exit vlan 8 name General-Users exit vlan 13 name Special-Users exit
Switch D2
hostname D2 ip routing ipv6 unicast-routing no ip domain lookup banner motd # D2, ENCOR Skills Assessment, Scenario 2 # line con 0 exec-timeout 0 0 logging synchronous exit vlan 8 name General-Users exit vlan 13 name Special-Users exit
Switch A1
hostname A1 ipv6 unicast-routing no ip domain lookup banner motd # A1, ENCOR Skills Assessment, Scenario 2 # line con 0 exec-timeout 0 0 logging synchronous exit vlan 8 name General-Users exit
b. Save the running configuration to startup-config on all devices.
c. Configure PC1, PC2, PC3, and PC4 host addressing as shown in the addressing table.
Part 2: Configure VRF and Static Routing
In this part of the Skills Assessment, you will configure VRF-Lite on all three routers and the appropriate static routes to support end-to-end reachability. At the end of this part, R1 should be able to ping R3 in each VRF.
Your configuration tasks are as follows:
| Task# | Task | Specification | Points |
|---|---|---|---|
| 2.1 | On R1, R2, and R3, configure VRF-Lite VRFs as shown in the topology diagram. | Configure two VRFs: • General-Users • Special-Users The VRFs must support IPv4 and IPv6. | 12 |
| 2.2 | On R1, R2, and R3, configure IPv4 and IPv6 interfaces on each VRF as detailed in the addressing table above. | All routers will use Router-On-A-Stick on their G0/0/1.x interfaces to support separation of the VRFs. Sub-interface 1: • In the Special Users VRF • Use dot1q encapsulation 13 • IPv4 and IPv6 GUA and link-local addresses • Enable the interfaces Sub-interface 2: • In the General Users VRF • Use dot1q encapsulation 8 • IPv4 and IPv6 GUA and link-local addresses • Enable the interfaces | 12 |
| 2.3 | On R1 and R3, configure default static routes pointing to R2. | Configure VRF static routes for both IPv4 and IPv6 in both VRFs. | 8 |
| 2.4 | Verify connectivity in each VRF. | From R1, verify connectivity to R3: • ping vrf General-Users 10.0.208.1 • ping vrf General-Users 2001:db8:acad:208::1 • ping vrf Special-Users 10.0.213.1 • ping vrf Special-Users 2001:db8:acad:213::1 | 4 |
Note: R1 will not be able to ping PC2 or PC 4 yet.
Instructor Verification:
Verify VRF configuration and address assignment using the show ip vrf interfaces command. (Tasks 2.1 and 2.2)
R1# show ip vrf interfaces Interface IP-Address VRF Protocol Gi0/0/0.2 10.0.12.1 General-Users up Gi0/0/1.2 10.0.108.1 General-Users up Gi0/0/0.1 10.0.12.1 Special-Users up Gi0/0/1.1 10.0.113.1 Special-Users up R2# show ip vrf interfaces Interface IP-Address VRF Protocol Gi0/0/1.2 10.0.23.2 General-Users up Gi0/0/0.2 10.0.12.2 General-Users up Gi0/0/1.1 10.0.23.2 Special-Users up Gi0/0/0.1 10.0.12.2 Special-Users up R3# show ip vrf interfaces Interface IP-Address VRF Protocol Gi0/0/0.2 10.0.23.3 General-Users up Gi0/0/1.2 10.0.208.1 General-Users up Gi0/0/0.1 10.0.23.3 Special-Users up Gi0/0/1.1 10.0.213.1 Special-Users up
Verify the static routes (Task 2.3)
R1# show run | inc route ip route vrf General-Users 0.0.0.0 0.0.0.0 10.0.12.2 ip route vrf Special-Users 0.0.0.0 0.0.0.0 10.0.12.2 ipv6 route vrf General-Users ::/0 2001:DB8:ACAD:12::2 ipv6 route vrf Special-Users ::/0 2001:DB8:ACAD:12::2 R2# show run | inc route ip route vrf General-Users 10.0.108.0 255.255.255.0 10.0.12.1 ip route vrf General-Users 10.0.208.0 255.255.255.0 10.0.23.3 ip route vrf Special-Users 10.0.113.0 255.255.255.0 10.0.12.1 ip route vrf Special-Users 10.0.213.0 255.255.255.0 10.0.23.3 ipv6 route vrf General-Users 2001:DB8:ACAD:108::/64 2001:DB8:ACAD:12::1 ipv6 route vrf Special-Users 2001:DB8:ACAD:113::/64 2001:DB8:ACAD:12::1 ipv6 route vrf General-Users 2001:DB8:ACAD:208::/64 2001:DB8:ACAD:23::3 ipv6 route vrf Special-Users 2001:DB8:ACAD:213::/64 2001:DB8:ACAD:23::3 R3# show run | inc route ip route vrf General-Users 0.0.0.0 0.0.0.0 10.0.23.2 ip route vrf Special-Users 0.0.0.0 0.0.0.0 10.0.23.2 ipv6 route vrf Special-Users ::/0 2001:DB8:ACAD:23::2 ipv6 route vrf General-Users ::/0 2001:DB8:ACAD:23::2
Verify IPv4 and IPv6 pings of R3 from R1; all pings should be successful. (Task 2.4)
R1# ping vrf General-Users 10.0.208.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.208.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms R1# ping vrf General-Users 2001:db8:acad:208::1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:208::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms R1# ping vrf Special-Users 10.0.213.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.213.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms R1# ping vrf Special-Users 2001:db8:acad:213::1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:213::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Part 3: Configure L2 Network
In this part, you will configure the switches to support host connectivity.
Your configuration tasks are as follows:
| Task# | Task | Specification | Points |
|---|---|---|---|
| 3.1 | On D1, D2, and A1, disable all interfaces. | On D1 and D2, shutdown G1/0/1 to G1/0/24. On A1, shutdown F0/1 – F0/24, G0/1 – G0/2. | 2 |
| 3.2 | On D1 and D2, configure the trunk links to R1 and R3. | Configure and enable the G1/0/11 link as a trunk link. | 4 |
| 3.3 | On D1 and A1, configure the EtherChannel. | On D1, configure and enable: • Interface G1/0/5 and G1/0/6 • Port Channel 1 using PAgP On A1, configure enable: • Interface F0/1 and F0/2 • Port Channel 1 using PAgP | 8 |
| 3.4 | On D1, D2, and A1, configure access ports for PC1, PC2, PC3, and PC4. | Configure and enable the access ports as follows: • On D1, configure interface G1/0/23 as an access port in VLAN 13 and enable Portfast. • On D2, configure interface G1/0/23 as an access port in VLAN 13 and enable Portfast. • On D2, configure interface G1/0/24 as an access port in VLAN 8 and enable Portfast. • On A1, configure interface F0/23 as an access port in VLAN 8 and enable Portfast. | 6 |
| 3.5 | Verify PC to PC connectivity. | From PC1, verify IPv4 and IPv6 connectivity to PC2. From PC3, verify IPv4 and IPv6 connectivity to PC4. | 4 |
Instructor Verification:
Issue the command show interfaces trunk to verify trunk connectivity and settings.
D1# show interfaces trunk Port Mode Encapsulation Status Native vlan Gi1/0/11 on 802.1q trunking 1 Po1 on 802.1q trunking 1 Port Vlans allowed on trunk Gi1/0/11 1-4094 Po1 1-4094 Port Vlans allowed and active in management domain Gi1/0/11 1,8,13 Po1 1,8,13 Port Vlans in spanning tree forwarding state and not pruned Gi1/0/11 1,8,13 Po1 1,8,13
Issue the command show etherchannel summary to verify the etherchannel settings.
D1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
A - formed by Auto LAG
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) PAgP Gi1/0/5(P) Gi1/0/6(P)
Issue the command show run interface g1/0/23 or show run interface f0/23 to validate host port settings.
D1# show run interface g1/0/23 Building configuration... Current configuration : 114 bytes ! interface GigabitEthernet1/0/23 switchport access vlan 13 switchport mode access spanning-tree portfast
Verify that PC1 can reach PC2. IPv4 and IPv6 pings from PC1 to PC2 are successful.
Verify that PC3 can reach PC4. IPv4 and IPv6 pings from PC3 to PC4 are successful.
Note: PC1 and PC2 cannot ping PC3 or PC4.
Part 4: Configure Security
In this part you will configure various security mechanisms on the devices in the topology.
Your configuration tasks are as follows:
| Task# | Task | Specification | Points |
|---|---|---|---|
| 5.1 | On all devices, secure privileged EXE mode. | Configure an enable secret as follows: • Algorithm type: SCRYPT • Password: cisco12345cisco. | 6 |
| 5.2 | On all devices, create a local user account. | Configure a local user: • Name: admin • Privilege level: 15 • Algorithm type: SCRYPT • Password: cisco12345cisco. | 6 |
| 5.3 | On all devices, enable AAA and enable AAA authentication. | Enable AAA authentication using the local database on all lines. | 2 |
Instructor Verification:
Issue the command show run | include aaa|username to verify that the AAA settings are configured.
D2# show run | include aaa|username aaa new-model aaa authentication login default local aaa session-id common username admin privilege 15 secret 9 $9$XjgowiPNCh.RRk$CwCEW/a6DqO12aRmLFaBfhhJPW.V/7KuJaqHS5m4RmU
Device Configurations (Answers)
Listed below are the configuration commands used to create the skills assessment
Part 2: VRF and Static Routing (student configures)
Router R1
vrf definition General-Users address-family ipv4 address-family ipv6 exit vrf definition Special-Users address-family ipv4 address-family ipv6 exit interface g0/0/0.1 encapsulation dot1q 13 vrf forwarding Special-Users ip address 10.0.12.1 255.255.255.0 ipv6 address fe80::1:1 link-local ipv6 address 2001:db8:acad:12::1/64 no shutdown exit interface g0/0/0.2 encapsulation dot1q 8 vrf forwarding General-Users ip address 10.0.12.1 255.255.255.0 ipv6 address fe80::1:2 link-local ipv6 address 2001:db8:acad:12::1/64 no shutdown exit interface g0/0/0 no ip address no shutdown exit interface g0/0/1.1 encapsulation dot1q 13 vrf forwarding Special-Users ip address 10.0.113.1 255.255.255.0 ipv6 address fe80::1:3 link-local ipv6 address 2001:db8:acad:113::1/64 no shutdown exit interface g0/0/1.2 encapsulation dot1q 8 vrf forward General-Users ip address 10.0.108.1 255.255.255.0 ipv6 address fe80::1:4 link-local ipv6 address 2001:db8:acad:108::1/64 no shutdown exit interface g0/0/1 no ip address no shutdown exit ip route vrf Special-Users 0.0.0.0 0.0.0.0 10.0.12.2 ip route vrf General-Users 0.0.0.0 0.0.0.0 10.0.12.2 ipv6 route vrf Special-Users ::/0 2001:db8:acad:12::2 ipv6 route vrf General-Users ::/0 2001:db8:acad:12::2 end
Router R2
vrf definition General-Users address-family ipv4 address-family ipv6 exit vrf definition Special-Users address-family ipv4 address-family ipv6 exit interface g0/0/0.1 encapsulation dot1q 13 vrf forwarding Special-Users ip address 10.0.12.2 255.255.255.0 ipv6 address fe80::2:1 link-local ipv6 address 2001:db8:acad:12::2/64 no shutdown exit interface g0/0/0.2 encapsulation dot1q 8 vrf forwarding General-Users ip address 10.0.12.2 255.255.255.0 ipv6 address fe80::2:2 link-local ipv6 address 2001:db8:acad:12::2/64 no shutdown exit interface g0/0/0 no ip address no shutdown exit interface g0/0/1.1 encapsulation dot1q 13 vrf forwarding Special-Users ip address 10.0.23.2 255.255.255.0 ipv6 address fe80::2:3 link-local ipv6 address 2001:db8:acad:23::2/64 no shutdown exit interface g0/0/1.2 encapsulation dot1q 8 vrf forwarding General-Users ip address 10.0.23.2 255.255.255.0 ipv6 address fe80::2:4 link-local ipv6 address 2001:db8:acad:23::2/64 no shutdown exit interface g0/0/1 no ip address no shutdown exit ip route vrf Special-Users 10.0.113.0 255.255.255.0 10.0.12.1 ip route vrf Special-Users 10.0.213.0 255.255.255.0 10.0.23.3 ipv6 route vrf Special-Users 2001:db8:acad:113::/64 2001:db8:acad:12::1 ipv6 route vrf Special-Users 2001:db8:acad:213::/64 2001:db8:acad:23::3 ip route vrf General-Users 10.0.108.0 255.255.255.0 10.0.12.1 ip route vrf General-Users 10.0.208.0 255.255.255.0 10.0.23.3 ipv6 route vrf General-Users 2001:db8:acad:108::/64 2001:db8:acad:12::1 ipv6 route vrf General-Users 2001:db8:acad:208::/64 2001:db8:acad:23::3 end
Router R3
vrf definition General-Users address-family ipv4 address-family ipv6 exit vrf definition Special-Users address-family ipv4 address-family ipv6 exit interface g0/0/0.1 encapsulation dot1q 13 vrf forwarding Special-Users ip address 10.0.23.3 255.255.255.0 ipv6 address fe80::3:1 link-local ipv6 address 2001:db8:acad:23::3/64 no shutdown exit interface g0/0/0.2 encapsulation dot1q 8 vrf forwarding General-Users ip address 10.0.23.3 255.255.255.0 ipv6 address fe80::3:2 link-local ipv6 address 2001:db8:acad:23::3/64 no shutdown exit interface g0/0/0 no ip address no shutdown exit interface g0/0/1.1 encapsulation dot1q 13 vrf forwarding Special-Users ip address 10.0.213.1 255.255.255.0 ipv6 address fe80::3:3 link-local ipv6 address 2001:db8:acad:213::1/64 no shutdown exit interface g0/0/1.2 encapsulation dot1q 8 vrf forward General-Users ip address 10.0.208.1 255.255.255.0 ipv6 address fe80::3:4 link-local ipv6 address 2001:db8:acad:208::1/64 no shutdown exit interface g0/0/1 no ip address no shutdown exit ip route vrf Special-Users 0.0.0.0 0.0.0.0 10.0.23.2 ip route vrf General-Users 0.0.0.0 0.0.0.0 10.0.23.2 ipv6 route vrf Special-Users ::/0 2001:db8:acad:23::2 ipv6 route vrf General-Users ::/0 2001:db8:acad:23::2
Part 3 Switching (student configures)
Switch D1
interface range g1/0/1-24 shutdown exit interface g1/0/11 switchport mode trunk no shutdown exit ! interface g1/0/23 switchport mode access switchport access vlan 13 spanning-tree portfast no shutdown exit interface range g1/0/5-6 switchport mode trunk channel-group 1 mode desirable no shutdown exit
Switch D2
interface range g1/0/1-24 shutdown exit interface g1/0/11 switchport mode trunk no shutdown exit ! interface g1/0/23 switchport mode access switchport access vlan 13 spanning-tree portfast no shutdown exit interface g1/0/24 switchport mode access switchport access vlan 8 spanning-tree portfast no shutdown exit
Switch A1
interface range f0/1-24, g0/1-2 shutdown exit interface f0/23 switchport mode access switchport access vlan 8 spanning-tree portfast no shutdown exit interface range f0/1-2 switchport mode trunk channel-group 1 mode desirable no shutdown exit
Part 4: Security (Student configures)
------------------------------------- All devices: enable algorithm-type scrypt secret cisco12345cisco username admin privilege 15 algorithm-type scrypt secret cisco12345cisco aaa new-model aaa authentication login default local end
Device Configurations (Final)
Router R1
R1# show run Building configuration... Current configuration : 2434 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 no platform punt-keepalive disable-kernel-core ! hostname R1 ! boot-start-marker boot-end-marker ! ! vrf definition General-Users ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition Special-Users ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! enable secret 9 $9$zoLy2xVn9zcnb.$CFCHOBcQkjBm2C8a7VzDkhM2DCYnF9/aSc4B/FRXO2k ! aaa new-model ! aaa authentication login default local ! aaa session-id common ! no ip domain lookup ! login on-success log ! subscriber templating ! ipv6 unicast-routing multilink bundle-name authenticated ! spanning-tree extend system-id ! username admin privilege 15 secret 9 $9$5N85J1uzgRjVpE$z4mPVfXwPae5qgqpwIC6UgVMGb8Ryf1h9oNg79qhLDc ! redundancy mode none ! interface GigabitEthernet0/0/0 no ip address negotiation auto ! interface GigabitEthernet0/0/0.1 encapsulation dot1Q 13 vrf forwarding Special-Users ip address 10.0.12.1 255.255.255.0 ipv6 address FE80::1:1 link-local ipv6 address 2001:DB8:ACAD:12::1/64 ! interface GigabitEthernet0/0/0.2 encapsulation dot1Q 8 vrf forwarding General-Users ip address 10.0.12.1 255.255.255.0 ipv6 address FE80::1:2 link-local ipv6 address 2001:DB8:ACAD:12::1/64 ! interface GigabitEthernet0/0/1 no ip address negotiation auto ! interface GigabitEthernet0/0/1.1 encapsulation dot1Q 13 vrf forwarding Special-Users ip address 10.0.113.1 255.255.255.0 ipv6 address FE80::1:3 link-local ipv6 address 2001:DB8:ACAD:113::1/64 ! interface GigabitEthernet0/0/1.2 encapsulation dot1Q 8 vrf forwarding General-Users ip address 10.0.108.1 255.255.255.0 ipv6 address FE80::1:4 link-local ipv6 address 2001:DB8:ACAD:108::1/64 ! interface Serial0/1/0 no ip address ! interface Serial0/1/1 no ip address ! ip forward-protocol nd no ip http server ip http secure-server ip route vrf General-Users 0.0.0.0 0.0.0.0 10.0.12.2 ip route vrf Special-Users 0.0.0.0 0.0.0.0 10.0.12.2 ! ipv6 route vrf General-Users ::/0 2001:DB8:ACAD:12::2 ipv6 route vrf Special-Users ::/0 2001:DB8:ACAD:12::2 ! control-plane ! banner motd ^C R1, ENCOR Skills Assessment, Scenario 2 ^C ! line con 0 exec-timeout 0 0 logging synchronous transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 login ! end
Router R2
R2# show run Building configuration... Current configuration : 2674 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 no platform punt-keepalive disable-kernel-core ! hostname R2 ! boot-start-marker boot-end-marker ! ! vrf definition General-Users ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! enable secret 9 $9$zoLy2xVn9zcnb.$CFCHOBcQkjBm2C8a7VzDkhM2DCYnF9/aSc4B/FRXO2k ! vrf definition Special-Users ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! aaa new-model ! aaa authentication login default local ! aaa session-id common ! no ip domain lookup ! login on-success log ! subscriber templating ! ipv6 unicast-routing multilink bundle-name authenticated ! spanning-tree extend system-id ! username admin privilege 15 secret 9 $9$5N85J1uzgRjVpE$z4mPVfXwPae5qgqpwIC6UgVMGb8Ryf1h9oNg79qhLDc ! redundancy mode none ! interface GigabitEthernet0/0/0 no ip address negotiation auto ! interface GigabitEthernet0/0/0.1 encapsulation dot1Q 13 vrf forwarding Special-Users ip address 10.0.12.2 255.255.255.0 ipv6 address FE80::2:1 link-local ipv6 address 2001:DB8:ACAD:12::2/64 ! interface GigabitEthernet0/0/0.2 encapsulation dot1Q 8 vrf forwarding General-Users ip address 10.0.12.2 255.255.255.0 ipv6 address FE80::2:2 link-local ipv6 address 2001:DB8:ACAD:12::2/64 ! interface GigabitEthernet0/0/1 no ip address negotiation auto ! interface GigabitEthernet0/0/1.1 encapsulation dot1Q 13 vrf forwarding Special-Users ip address 10.0.23.2 255.255.255.0 ipv6 address FE80::2:3 link-local ipv6 address 2001:DB8:ACAD:23::2/64 ! interface GigabitEthernet0/0/1.2 encapsulation dot1Q 8 vrf forwarding General-Users ip address 10.0.23.2 255.255.255.0 ipv6 address FE80::2:4 link-local ipv6 address 2001:DB8:ACAD:23::2/64 ! ip forward-protocol nd no ip http server ip http secure-server ip route vrf General-Users 10.0.108.0 255.255.255.0 10.0.12.1 ip route vrf General-Users 10.0.208.0 255.255.255.0 10.0.23.3 ip route vrf Special-Users 10.0.113.0 255.255.255.0 10.0.12.1 ip route vrf Special-Users 10.0.213.0 255.255.255.0 10.0.23.3 ! ipv6 route vrf General-Users 2001:DB8:ACAD:108::/64 2001:DB8:ACAD:12::1 ipv6 route vrf Special-Users 2001:DB8:ACAD:113::/64 2001:DB8:ACAD:12::1 ipv6 route vrf General-Users 2001:DB8:ACAD:208::/64 2001:DB8:ACAD:23::3 ipv6 route vrf Special-Users 2001:DB8:ACAD:213::/64 2001:DB8:ACAD:23::3 ! control-plane ! banner motd ^C R2, ENCOR Skills Assessment, Scenario 2 ^C ! line con 0 exec-timeout 0 0 logging synchronous transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 login ! end
Router R3
R3# show run Building configuration... Current configuration : 2434 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 no platform punt-keepalive disable-kernel-core ! hostname R3 ! boot-start-marker boot-end-marker ! vrf definition General-Users ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition Special-Users ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! enable secret 9 $9$PwSQjbwwojphpx$kxgrCz2K13dVjqVMGVfM1OkVGxXrjPNlKnV1o3abOTM ! aaa new-model ! aaa authentication login default local ! aaa session-id common ! no ip domain lookup ! login on-success log ! subscriber templating ! ipv6 unicast-routing multilink bundle-name authenticated ! spanning-tree extend system-id ! username admin privilege 15 secret 9 $9$ILYL84y3fxGxkx$WJfkbltPJt6.SeJjc6/VqwkVwTimtfdZX6qMMZOh0TI ! redundancy mode none ! interface GigabitEthernet0/0/0 no ip address negotiation auto ! interface GigabitEthernet0/0/0.1 encapsulation dot1Q 13 vrf forwarding Special-Users ip address 10.0.23.3 255.255.255.0 ipv6 address FE80::3:1 link-local ipv6 address 2001:DB8:ACAD:23::3/64 ! interface GigabitEthernet0/0/0.2 encapsulation dot1Q 8 vrf forwarding General-Users ip address 10.0.23.3 255.255.255.0 ipv6 address FE80::3:2 link-local ipv6 address 2001:DB8:ACAD:23::3/64 ! interface GigabitEthernet0/0/1 no ip address negotiation auto ! interface GigabitEthernet0/0/1.1 encapsulation dot1Q 13 vrf forwarding Special-Users ip address 10.0.213.1 255.255.255.0 ipv6 address FE80::3:3 link-local ipv6 address 2001:DB8:ACAD:213::1/64 ! interface GigabitEthernet0/0/1.2 encapsulation dot1Q 8 vrf forwarding General-Users ip address 10.0.208.1 255.255.255.0 ipv6 address FE80::3:4 link-local ipv6 address 2001:DB8:ACAD:208::1/64 ! interface Serial0/1/0 no ip address ! interface Serial0/1/1 no ip address ! ip forward-protocol nd no ip http server ip http secure-server ip route vrf General-Users 0.0.0.0 0.0.0.0 10.0.23.2 ip route vrf Special-Users 0.0.0.0 0.0.0.0 10.0.23.2 ! ipv6 route vrf General-Users ::/0 2001:DB8:ACAD:23::2 ipv6 route vrf Special-Users ::/0 2001:DB8:ACAD:23::2 ! control-plane ! banner motd ^C R3, ENCOR Skills Assessment, Scenario 2 ^C ! line con 0 exec-timeout 0 0 logging synchronous transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 login ! end
Switch D1
D1# show run Building configuration... Current configuration : 6728 bytes ! version 16.9 no service pad service timestamps debug datetime msec service timestamps log datetime msec ! Call-home is enabled by Smart-Licensing. service call-home no platform punt-keepalive disable-kernel-core ! hostname D1 ! vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! enable secret 9 $9$KO1AyAeTmlkCWU$BjMAxCL19u6FHKKf/81lRNmFhlBHC.rR0Bbw7.i9iNA ! aaa new-model ! aaa authentication login default local ! aaa session-id common switch 1 provision ws-c3650-24ps ! ip routing ! no ip domain lookup ! login on-success log ipv6 unicast-routing ! license boot level ipservicesk9 ! diagnostic bootup level minimal ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! username admin privilege 15 secret 9 $9$x8R/b5GOdIKyqU$ewYxQctKHyXyOSHvPXM6.WvzvhfrIkCoxPygXDmyTxQ ! redundancy mode sso ! transceiver type all monitoring ! class-map match-any system-cpp-police-topology-control description Topology control class-map match-any system-cpp-police-sw-forward description Sw forwarding, L2 LVX data, LOGGING class-map match-any system-cpp-default description Inter FED, EWLC control, EWLC data class-map match-any system-cpp-police-sys-data description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFLSAMPLED DATA, RPF Failed class-map match-any system-cpp-police-punt-webauth description Punt Webauth class-map match-any system-cpp-police-l2lvx-control description L2 LVX control packets class-map match-any system-cpp-police-forus description Forus Address resolution and Forus traffic class-map match-any system-cpp-police-multicast-end-station description MCAST END STATION class-map match-any system-cpp-police-multicast description Transit Traffic and MCAST Data class-map match-any system-cpp-police-l2-control description L2 control class-map match-any system-cpp-police-dot1x-auth description DOT1X Auth class-map match-any system-cpp-police-data description ICMP redirect, ICMP_GEN and BROADCAST class-map match-any system-cpp-police-stackwise-virt-control description Stackwise Virtual class-map match-any non-client-nrt-class class-map match-any system-cpp-police-routing-control description Routing control and Low Latency class-map match-any system-cpp-police-protocol-snooping description Protocol snooping class-map match-any system-cpp-police-dhcp-snooping description DHCP snooping class-map match-any system-cpp-police-system-critical description System Critical and Gold Pkt ! policy-map system-cpp-policy ! interface Port-channel1 switchport mode trunk ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto ! interface GigabitEthernet1/0/1 shutdown ! interface GigabitEthernet1/0/2 shutdown ! interface GigabitEthernet1/0/3 shutdown ! interface GigabitEthernet1/0/4 shutdown ! interface GigabitEthernet1/0/5 switchport mode trunk channel-group 1 mode desirable ! interface GigabitEthernet1/0/6 switchport mode trunk channel-group 1 mode desirable ! interface GigabitEthernet1/0/7 shutdown ! interface GigabitEthernet1/0/8 shutdown ! interface GigabitEthernet1/0/9 shutdown ! interface GigabitEthernet1/0/10 shutdown ! interface GigabitEthernet1/0/11 switchport mode trunk ! interface GigabitEthernet1/0/12 shutdown ! interface GigabitEthernet1/0/13 shutdown ! interface GigabitEthernet1/0/14 shutdown ! interface GigabitEthernet1/0/15 shutdown ! interface GigabitEthernet1/0/16 shutdown ! interface GigabitEthernet1/0/17 shutdown ! interface GigabitEthernet1/0/18 shutdown ! interface GigabitEthernet1/0/19 shutdown ! interface GigabitEthernet1/0/20 shutdown ! interface GigabitEthernet1/0/21 shutdown ! interface GigabitEthernet1/0/22 shutdown ! interface GigabitEthernet1/0/23 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/24 shutdown ! interface GigabitEthernet1/1/1 ! interface GigabitEthernet1/1/2 ! interface GigabitEthernet1/1/3 ! interface GigabitEthernet1/1/4 ! interface Vlan1 no ip address ! ip forward-protocol nd ip http server ip http secure-server ! control-plane service-policy input system-cpp-policy ! banner motd ^C D1, ENCOR Skills Assessment, Scenario 2 ^C ! line con 0 exec-timeout 0 0 logging synchronous stopbits 1 line aux 0 stopbits 1 line vty 0 4 login line vty 5 15 login ! end
Switch D2
D2# show run Building configuration... Current configuration : 6653 bytes ! version 16.9 no service pad service timestamps debug datetime msec service timestamps log datetime msec ! Call-home is enabled by Smart-Licensing. service call-home no platform punt-keepalive disable-kernel-core ! hostname D2 ! ! vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! enable secret 9 $9$wOqJe6W8Yasi9k$7Mq8sTne4AGIivudnv6v4G.e30OcRAuXoSGcAa0DohY ! aaa new-model ! aaa authentication login default local ! aaa session-id common switch 1 provision ws-c3650-24ps ! ip routing ! no ip domain lookup ! login on-success log ipv6 unicast-routing ! license boot level ipservicesk9! ! diagnostic bootup level minimal ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! username admin privilege 15 secret 9 $9$1q0osHH4lstBHU$1DhwuWo4f1j.rLppTRRsOB86WpZaJIHSeukQ1a4uPA6 ! redundancy mode sso ! transceiver type all monitoring ! class-map match-any system-cpp-police-topology-control description Topology control class-map match-any system-cpp-police-sw-forward description Sw forwarding, L2 LVX data, LOGGING class-map match-any system-cpp-default description Inter FED, EWLC control, EWLC data class-map match-any system-cpp-police-sys-data description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFLSAMPLED DATA, RPF Failed class-map match-any system-cpp-police-punt-webauth description Punt Webauth class-map match-any system-cpp-police-l2lvx-control description L2 LVX control packets class-map match-any system-cpp-police-forus description Forus Address resolution and Forus traffic class-map match-any system-cpp-police-multicast-end-station description MCAST END STATION class-map match-any system-cpp-police-multicast description Transit Traffic and MCAST Data class-map match-any system-cpp-police-l2-control description L2 control class-map match-any system-cpp-police-dot1x-auth description DOT1X Auth class-map match-any system-cpp-police-data description ICMP redirect, ICMP_GEN and BROADCAST class-map match-any system-cpp-police-stackwise-virt-control description Stackwise Virtual class-map match-any non-client-nrt-class class-map match-any system-cpp-police-routing-control description Routing control and Low Latency class-map match-any system-cpp-police-protocol-snooping description Protocol snooping class-map match-any system-cpp-police-dhcp-snooping description DHCP snooping class-map match-any system-cpp-police-system-critical description System Critical and Gold Pkt ! policy-map system-cpp-policy ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto ! interface GigabitEthernet1/0/1 shutdown ! interface GigabitEthernet1/0/2 shutdown ! interface GigabitEthernet1/0/3 shutdown ! interface GigabitEthernet1/0/4 shutdown ! interface GigabitEthernet1/0/5 shutdown ! interface GigabitEthernet1/0/6 shutdown ! interface GigabitEthernet1/0/7 shutdown ! interface GigabitEthernet1/0/8 shutdown ! interface GigabitEthernet1/0/9 shutdown ! interface GigabitEthernet1/0/10 shutdown ! interface GigabitEthernet1/0/11 switchport mode trunk ! interface GigabitEthernet1/0/12 shutdown ! interface GigabitEthernet1/0/13 shutdown ! interface GigabitEthernet1/0/14 shutdown ! interface GigabitEthernet1/0/15 shutdown ! interface GigabitEthernet1/0/16 shutdown ! interface GigabitEthernet1/0/17 shutdown ! interface GigabitEthernet1/0/18 shutdown ! interface GigabitEthernet1/0/19 shutdown ! interface GigabitEthernet1/0/20 shutdown ! interface GigabitEthernet1/0/21 shutdown ! interface GigabitEthernet1/0/22 shutdown ! interface GigabitEthernet1/0/23 switchport access vlan 13 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/0/24 switchport access vlan 8 switchport mode access spanning-tree portfast ! interface GigabitEthernet1/1/1 ! interface GigabitEthernet1/1/2 ! interface GigabitEthernet1/1/3 ! interface GigabitEthernet1/1/4 ! interface Vlan1 no ip address ! ip forward-protocol nd ip http server ip http secure-server ! control-plane service-policy input system-cpp-policy ! banner motd ^C D2, ENCOR Skills Assessment, Scenario 2 ^C ! line con 0 exec-timeout 0 0 logging synchronous stopbits 1 line aux 0 stopbits 1 line vty 0 4 login line vty 5 15 login ! end
Switch A1
A1# show run Building configuration... Current configuration : 1926 bytes ! version 15.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname A1 ! boot-start-marker boot-end-marker ! enable secret 9 $9$a7qnivVydjhJqa$ehWSSxHj7jf6s7gjbuVc4PLGJY0dv2k.VtPqL1cn0vs ! username admin privilege 15 secret 9 $9$itvXO10OdR7sMq$9ffgjFDlEL2j8T3040Eb21fA/2Cyjb2tHF5rZrWtZKY aaa new-model ! aaa authentication login default local ! aaa session-id common system mtu routing 1500 ! no ip domain-lookup ipv6 unicast-routing ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! interface Port-channel1 switchport mode trunk ! interface FastEthernet0/1 switchport mode trunk channel-group 1 mode desirable ! interface FastEthernet0/2 switchport mode trunk channel-group 1 mode desirable ! interface FastEthernet0/3 shutdown ! interface FastEthernet0/4 shutdown ! interface FastEthernet0/5 shutdown ! interface FastEthernet0/6 shutdown ! interface FastEthernet0/7 shutdown ! interface FastEthernet0/8 shutdown ! interface FastEthernet0/9 shutdown ! interface FastEthernet0/10 shutdown ! interface FastEthernet0/11 shutdown ! interface FastEthernet0/12 shutdown ! interface FastEthernet0/13 shutdown ! interface FastEthernet0/14 shutdown ! interface FastEthernet0/15 shutdown ! interface FastEthernet0/16 shutdown ! interface FastEthernet0/17 shutdown ! interface FastEthernet0/18 shutdown ! interface FastEthernet0/19 shutdown ! interface FastEthernet0/20 shutdown ! interface FastEthernet0/21 shutdown ! interface FastEthernet0/22 shutdown ! interface FastEthernet0/23 switchport access vlan 8 switchport mode access spanning-tree portfast edge ! interface FastEthernet0/24 shutdown ! interface GigabitEthernet0/1 shutdown ! interface GigabitEthernet0/2 shutdown ! interface Vlan1 no ip address ! ip http server ip http secure-server ! banner motd ^C A1, ENCOR Skills Assessment, Scenario 2 ^C ! line con 0 exec-timeout 0 0 logging synchronous line vty 0 4 login line vty 5 15 login ! end
