说明案例文案cciers v5 cfg老1207macaddresstableaging time7200

ConfiguretheACMEHeadquartersnetwork(AS12345)asperthefollowingConfigureVTPdomainEnableVTPVersion2onSW1andSw1mustbethevtpserverandsw2mustbethevtpsecureallvtpupdateswithanMD5digestoftheASCIIstringinordertoavoidasmuchaspossibleunknownunicastfloodinginallvlanstheadministratorrequiresthatanydynamicentrieslearnedbyothersw1andsw2mustberetainedfor2hoursbeforebeingrefreshedConfigurethenetworkofthenewyorkoffice(AS34567)asperthefollowingConfigureVTPdomainEnableVTPVersion2onSW3andSW3andsw4mustnotadvertisetheirvlanconfigbutmustforwardvtpadvertisementthattheyreceiveoutheirtrunkports。VTPupdatesmustbesecuredwithMD5ofASCIIstringvtpmodeservervtpversion2vtppasswordmacaddress-tableaging-time马上增加vlan，然后删除vlan，让server的revi高于client vtpversion2vtpmodevtppasswordmacaddress-tableaging-timevtpversion2vtpmodevtppasswordvtpversion2vtpmodevtppasswordConfigureyournetworkasperthefollowingCompletetheconfigofallvlanssothatallroutersthatarelocatedACME'sheadquarters(AS12345)andnewyorkoffice(AS34567)canpingtheirdirectlyconnectedneighboursallfourswitches(sw1-sw4)musthavedot1qtrunksthatdonotrelynegotiationdonotconfigureanyensurethatthefollowingunusedportsonallfourswitchesareshutdownandconfiguredasaccessportsinvlan999e3/0-e3/3areunusedonsw1andsw2e1/0-e1/3areunusedonsw3andsw4e3/0-e3/3areunused onsw3andsw4vlan14,15,23,24,35,46,57,67,999SW1VLAN预配interfacerangee2/0- interfacerangee3/0-3 interfaceEthernet0/0switchportmodeaccessswitchportaccessvlan15interfaceEthernet0/1switchportmodeaccessswitchportaccessvlan23interfaceEthernet0/2switchportmodeaccessswitchportaccessvlan35interfaceEthernet0/3switchportmodeaccessswitchportaccessvlan14interfaceEthernet1/0switchportmodeaccessswitchportaccessvlan24interfaceEthernet1/1switchportmodeaccessswitchportaccessvlan57interfaceEthernet1/2switchportmodeaccessswitchportaccessvlan46interfaceEthernet1/3switchportmodeaccessswitchportaccessvlan67vlaninterfacerangee2/0- interfacerangee3/0-3 switchportmodeaccessswitchportswitchportmodeaccessswitchportaccessvlan14interfaceEthernet0/1switchportmodeaccessswitchportaccessvlan24interfaceEthernet0/2switchportmodeaccessswitchportaccessvlan23interfaceEthernet0/3switchportmodeaccessswitchportaccessvlan46interfaceEthernet1/0switchportmodeaccessswitchportaccessvlan15interfaceEthernet1/1switchportmodeaccessswitchportaccessvlan35interfaceEthernet1/2switchportmodeaccessswitchportaccessvlan67interfaceEthernet1/3switchportmodeaccessswitchportaccessvlan57interfacerangee2/0- interfacerangee1/0-3,e3/0- interfaceEthernet0/0switchportmodeaccessswitchportaccessvlan38interfaceEthernet0/1switchportmodeaccessswitchportaccessvlan89interfaceEthernet0/2switchportmodeaccessswitchportaccessvlan310interfaceEthernet0/3switchportmodeaccessswitchportaccessvlan111interfacerangee2/0- interfacerangee1/0-3,e3/0- switchportmodeaccessswitchportaccessvlan89interfaceEthernet0/1switchportmodeaccessswitchportaccessvlan49interfaceEthernet0/2switchportmodeaccessswitchportaccessvlan111interfaceEthernet0/3switchportmodeaccessswitchportaccessvlan411configuretheACMEnetworkasperthefollowingsw1mustbetherootswitchforalloddvlansandmustbethebackupforallevenvlanssw2mustbetherootswitchforallevenvlansandmustbethebackupforalloddvlans sw3mustbetherootswitchforalloddvlansandmustbethebackupforallevenvlanssw4mustbetherootswitchforallevenvlansandmustbethebackupforalloddvlans explicitlyconfiguretherootandbackuproles,assumingthatotherswitcheswithdefaultconfigurationmayeventuallybeaddedinthenetworkinthefutureAllswitchesmustmaintainonestpinstanceperusethestpmodethathasonlythreepossibleallaccessportsmustimmediatelytransationtotheforwardingstateuponlinkupandtheymuststillparticipateinstp.usesinglecommandperswitchtoenablethis Accessportsmustautomaticallyshutdowniftheyreceiveanybpduandanadministratormuststillmanuallyre-enabletheport.useasinglecommandperswitchtoenablethisfeature.spanning-treeportfastdefaultspanning-treeportfastbpduguarddefaultspanning-treevlan1,15,23,35,57,67,999priority0spanning-treevlan14,24,46priorityspanning-treeportfastdefaultspanning-treeportfastbpduguardspanning-treevlan14,24,46priorityspanning-treeportfastdefaultspanning-treeportfastbpduguarddefaultspanning-treevlan1,49,89,111,411,999priority0spanning-treespanning-treevlan34,38,310priorityspanning-treeportfastdefaultspanning-treeportfastbpduguardspanning-treevlan34,38,310priority TheWANlinksmustrelyonalayer2protocolthatsupportslinknegotiationandauthentication. TheServiceproviderexpectsbothR18andR19tocompletethreewayhandshakebyprovidingtheexpectedresponseofachallangethatissentbyR63R18mustusetheusernameACME-R18andpasswordR19mustusetheusernameACME-R19andpasswordnonopeerneighbor-route32interfaces4/0pppchaphostnameACME-R18pppchappasswordCCIEnointerfaces4/0pppchaphostnameACME-R19pppchappasswordCCIEnoSection2:Layer3ImplementOSPFinBGPASconfiguretheospfprocessidto12345andsettherouteridtointerfacelo0onallsevenrouters theinterfacelo0ateachroutermustbeseenasaninternalospfprefixbyallotherensurethatospfisnotrunningonanyinterfacethatisfacinganotherAS.useanymethodtoaccomplishthisrequirementSW1andSW2mustnotparticipateinroutingatdonotchangethedefaultospfcostofanyinterfaceinR1mustseethefollowingospfroutesintheroutingR1#shiproute/8isvariablysubnetted,17subnets,2O/32[110/21]via4d20hethernete0/2O/32[110/21]via4d20hethernete0/2O/32[110/21]via4d20hethernete0/2O/32[110/21]via4d20hethernete0/1O/32[110/21]via4d20hethernete0/1O/32[110/21]via4d20hethernete0/1O/30[110/30]via4d20hethernet[110/30]via4d20hethernete0/2 2/30[110/20]via4d20hethernete0/1 6/30[110/20]via4d20hethernete0/2 0/30[110/20]via4d20hethernete0/2 4/30[110/30]via4d20hethernete0/1[110/30]via4d20hethernete0/2 8/30[110/20]via4d20hethernete0/1routerrouterospfrouter-idnetwork55arouterospfrouter-idnetwork55arouterospfrouter-idnetwork55arouterospfrouter-idnetwork55arouterospfrouter-idnetwork55arouterospfrouter-idnetwork55arouterospfrouter-idnetwork55arouterospf max-metricrouter- ImplementEIGRPinBGPASConfigureEIGRPIPv4unicastautonomoussystemtheinterfacelo0mustbeseenasaninternalEIGRPprefixbyallotherensuretheeigrpisnotrunningonanyinterfacethatisfacinganotherASuseanymethodtoaccomplishthisusingasinglecommandononeswitchonlyensurethatR8installstwoequal-costrouteforthefollowingthreelo0atusingasinglecommandononeswitchonlyensurethatR9installstwoequalcostrouteforthefollowingthreelo0atroutereigrp34567noauto-summarynetworkroutereigrp34567noauto-summarynetworkroutereigrp45678noauto-summarynetworkroutereigrp34567noauto-summarynetworkroutereigrp34567noauto-summarynetworkintvlandelayroutereigrp34567noauto-summarynetworkintvlandelayImplementEIGRPinBGPASconfigureeigrpinAS45678accordingtothefollowingConfigureEIGRPIPv4unicastautonomoussystem45678theinterfacelo0mustbeseenasaninternalEIGRPprefixbyallotherensuretheeigrpisnotrunningonanyinterfacethatisfacinganotherASuseanymethodtoaccomplishthisrequirement.sw5andsw6arelayer3switchesandmustconfigureonallthreeroutersR15,16,17useeigrpwith64bitdonotchangetheinterfacebandwidthonanyphysicalinterfaceinASroutereigrpaddress-familyipv4autonomous-system45678networktopologynoauto-routereigrpaddress-familyipv4autonomous-system45678networktopologynoauto-routereigrpaddress-familyipv4autonomous-system45678networktopologybasenoauto-vlan5,55interfacerange0/0-accessvlanroutereigrp45678noauto-summarynetworkvlanVLAN,vlaninterfacerange0/0-accessvlanroutereigrp45678noauto-summarynetwork:keychainkeykeyroutereigrpCCIEaf-interfacee0/1authenticationmodemd5authenticationmodemd5key1key1ImplementEIGRPinBGPASConfigureEIGRPIPv4forACMEAPACOfficesasperbelowConfigureEIGRPIPv4unicastautonomoussystemtheinterfacelo0ateachroutermustbeseenasaninternaleigrpprefixbyallotherensurethateigrpisnotrunningonanyinterfacethatisfacinganotherASuseanymethodtoaccomplishthisrequirementR17istheDMVPNhub,R18,R19asthespoke,usethepre-configtunnelDonotchangeanyother routereigrpnoauto-summary routereigrp45678 ImplementBGPinBGPASBGPispartiallyconfiguredinACMEheadquarters,completetheconfigasrequiredconfiguretheBGPinACME,sHQ(AS12345)accordingtothefollowingrequirementsR1mustbetheipv4route-reflectorforBGPR1mustusepeergroupR4andR5mustnotestablishanyBGPsessionatanyAllbgproutersmustusetheirintlo0astheirrouter-Disablethedefaultipv4unicastaddressfamilyforpeeringsessionestablishmentinallbgproutersconfigureebgpbetweenACME'sSanFranciscoandSanJosesitesaccordingtothefollowingrequirementsR20istheCErouterandusedebgptoconnecttothemanagesservicesthatareprovidedbythePEroutersR2andR3R20mustestablishebgppeeringswithbothR2andR3foreveryR20mustadvertisethefollowingprefixtoalltheBGP.../8summary- /8summary-R20mustadvertiseadefaultroutetoallofitsbgppeersexcepttoandrouterbgpbgprouter-idnobgpdefaultipv4-unicastneighboriBGPpeer-groupneighboriBGPremote-as12345neighboriBGPupdate-sourceloopback0neighborpeer-groupiBGPneighborpeer-groupiBGPneighborpeer-groupiBGPneighborpeer-groupiBGPaddress-familyipv4unicastneighborneighborneighborneighboractivaterouterbgpbgprouter-idnobgpdefaultipv4-neighborupdate-sourceloopback0address-familyipv4unicastneighborrouterbgpbgprouter-idnobgpdefaultipv4-neighborremote-asneighborupdate-sourceloopback0address-familyipv4unicastneighborrouterbgpbgprouter-idnobgpdefaultipv4-address-familyipv4unicastaddress-familyipv4unicastrouterbgpbgprouter-idnobgpdefaultipv4-neighborupdate-sourceloopback0address-familyipv4unicastneighbor

IntIpaddress29routerbgpbgprouter-id0neighborremote-asneighborremote-asneighborremote-asneighborremote-asneighborremote-asneighborremote-asneighborremote-asneighborremote-asneighborremote-asneighborremote-as12345address-familyipv4unicastnetwork0masknetworkmasknetwork28maskrouterbgpaddress-familyipv4vrfneighborremote-asaddress-familyipv4vrfBLUEneighborremote-asaddress-familyipv4vrfREDneighborremote-asaddress-familyipv4vrfneighborremote-asaddress-familyipv4vrfINETneighborremote-asrouterbgpaddress-familyipv4vrfneighborremote-asaddress-familyipv4vrfBLUEneighborremote-asaddress-familyipv4vrfREDneighborremote-asaddress-familyipv4vrfneighborremote-asaddress-familyipv4vrfINETneighborremote-asImplementBGPinBGPASrequiredconfigureIBGPinAS34567accordingtothefollowingrequirements：SW3andSW4mustnotestablishanybgpsessionatanyAllbgproutersmustusetheirintlo0astheirrouter-configurefullmeshIBGPpeeringbetweenallfourroutersuseanyconfigurationR9mustbeselectedasthepreferredexitpointfortrafficdestinedtoremoteR11mustselectedasthenextpreferredexitincaseR9DisableIPv4unicastonalldevicesinASnoBGPspeakermustusenetworkstatementunderthebgprouterensurethatallthebgpnexthopisnevermarkedasunreachableaslongasintlo0oftheremotepeerisknownviaigpallfourbgproutersmustestablishebgppeeringswiththeirneighbouringASshownindiagram3(bgpallfourbgproutersmustredistributeeigrpintoR9andR11mustredistributeonlytheBGPdefaultrouteintoensurethatR9istheonlyrouterthatseesthedefaultasabgprouteandthatallotherrouters(R8,R10,R11)seeitasaneigrpexternalrouterbgpbgprouter-idnobgpdefaultipv4-neighbor update-sourceloopbackneighborremote-as10001address-familyipv4unicastneighborredistributeeigrprouterbgpbgprouter-idnobgpdefaultipv4-bgpdefaultlocal-preference300neighborremote-as34567neighborremote-asneighborremote-as30000address-familyipv4unicastneighborneighborredistributeeigrpipprefix-listDEFAULTpermit/0route-mapDEFAULTpermit10matchipaddressprefix-listDEFAULTroutereigrp34567redistributebgp34567route-mapDEFAULTmetric10001002551routerbgpbgprouter-id

nobgpdefaultipv4-neighborremote-as20001address-familyipv4unicastneighborneighborredistributeeigrprouterbgpbgprouter-id1bgpdefaultlocal-preference200neighborremote-as34567neighborremote-asneighborremote-asneighborremote-as30000address-familyipv4unicastneighborneighborneighborredistributeeigrpipprefix-listDEFAULTpermit/0route-mapDEFAULTpermit10matchipaddressprefix-listDEFAULTroutereigrp34567redistributebgp34567route-mapDEFAULTmetric10001002551ImplementBGPinBGPAS45678andConfigureEBGPinACME'sAPACregion(AS45678andAS65222)accordingtotheSW5andSW6mustnotestablishanybgpsessionatanyAllbgproutersmustusetheirintlo0astheirrouter-noibgppeeringsessionsareallowedinAS R15mustestablishanEBGPpeeringwithAS10003andmustreceivedefaultrouteaswellasotherprefix.R15mustredistributebgpintpoeigrpandvice R15mustalsoadvertiseanaggregateprefix/24toAS10003andmustsupressallcomponentprefixes R16,17,18,19mustestablishanebgppeeringwithAS20003andmustrecenveadefaultrouteaswellasotherprefixR16,17,18,19mustnotadvertiseanyprefixtoAS aslongasR15isoperational,R16,17,18,19mustprefertheEIGRPdefaultrouteovertheEBGPdefaultroutedonotcreateanyvrfanywhereinordertoaccomplishtheaboverouterbgpbgprouter-id5neighborremote-as10003address-familyipv4unicastredistributeeigrpaggregate-addresssummary-onlyroutereigrpCCIEaddress-familyipv4autonomous-system45678topologybaseredistributebgp45678metric10001002551routerbgpbgprouter-id6neighborremote-as20003address-familyipv4unicastnetworkrouterbgpbgprouter-id7neighborremote-as20003address-familyipv4unicastnetworkrouterbgpbgprouter-id8neighborremote-as20003address-familyipv4unicastnetworkrouterbgpbgprouter-idnonobgpdefaultipv4-neighborremote-as20003address-familyipv4unicastnetworkAllacmeborderroutersinAS12345mustfilterthebgpprefixesthatareadvertisedtotheirSPinvrfINETandmustonlyallowallprefixesthatbelongtoclassA./8andallothervrf'smustpropagateallprefix.AllacmeborderroutersinAS34567mustfilterthebgpprefixesthatareadvertisedtotheirSPinvrfINETandmustonlyallowallprefixesthatbelongtoclassA./8andallothervrf'smustpropagateallprefix.Donotuseanyroute-maporaccess-listtoaccomplishtheabove R13mustroutetrafficprefarablyviaAS20002,useanymethodtoaccomplishthisrequirement AllthreeremotesitesinAS65111mustbeabletopingandtraceroutemustrevealtheexactsamepathasshowninthefollowingoutputR12#pingsoSending5,100-byteICMPEchosto,timeoutis2seconds:Packetsentwithasourceaddressof2R12#traceroutesolo0Typeescapesequencetoabort.ipprefix-list10permit/8le32routerbgp12345address-familyipv4vrfneighborprefix-list10outclearbgpvrfINETipv4unicast*softipprefix-list10permit/8le32routerbgp12345address-familyipv4vrfneighborprefix-list10outclearclearbgpvrfINETipv4unicast*softipprefix-list10permit/8le32routerbgp12345address-familyipv4vrfneighborprefix-list10outclearbgpvrfINETipv4unicast*softipprefix-list10permit/8le32routerbgp12345address-familyipv4vrfneighborprefix-list10outclearbgpvrfINETipv4unicast*softrouterbgpaddress-familyipv4unicastneighborweight200clearip *softipprefix-list10permit/8le32routerbgp34567address-familyneighborprefix-list10outclearip *softrouterbgp34567neighborprefix-list10neighborprefix-list10outclearip *softipprefix-list10permit/8le32routerbgp34567address-familyneighborprefix-list10outclearip *softrouterbgp34567neighborprefix-list10neighborneighborprefix-list10outclearip *softConfigureospfv3intheacmenewyorkofficeasperthefollowingconfiguretheospfprocessid1andsettherouter-idasinterfaceSW4mustbeselectedastheDRonvlan34andmusthavethebestSW3mustbeselectedasthebackupDRonvlan34andmusttakeoverDRifSW4isdownipv6routerospf1router-idintvlanipv6ospfpriority255ipv6ospf1area0intloopipv6ospf1areaintvlanipv6ospf1areaipv6routerospf1router-idintvlanipv6ospfpriority254ipv6ospf1area0intloopipv6ospf1areaintvlanipv6ospf1areaipv6routerospf1inte0/1ipv6ospf1areaintloopipv6ospf1area0NTPIPV6ipv6routerospf1inte0/2ipv6ospf1areaintintloopipv6ospf1areaconfigureacmenetworkasperthefollowingestablishthefourebgppeeringasindicatedon"diagramIPV6donotusethenetworkcommandunderthebgpaddress-familyipv6oneitherR10orR11，bothregionalSPwilladvertisethenecessaryprefixesadvertisetheipv6prefixoninte0/0intobgponbothR12andconfigureyournetworksuchthatanyipv6thatanyusercancommunicatewithanyipv6userthatislocatedandviceversadonotuseanystaticrouteordefaultrouteusethefollowingpingtoverifyyourR12#ping2001:CC1E:BEEF:14:10:1:14::1soipv6general-prefixcisco2001:cc1e:1234::/48intipv6addressciscorouterbgpaddress-familyipv6redistributeospf1matchinternalexternalinclude-connectedipv6routerospf1redistributebgprouterbgpneighbor2001:CC1E:202:11::1remote-as20002address-familyipv6redistributeospf1matchinternalexternalinclude-connecteipv6routerospf1redistributebgprouterbgprouter-idnobgpdefaultipv4-neighbor2001:cc1e:bef:12:201:1:12:1remote-as20001address-familyipv6network2001:cc1e:bef:12::/6routerrouterbgprouter-idnobgpdefaultipv4-neighbor2001:cc1e:bef:14:202:2:14:1remote-as20002address-familyipv6network2001:cc1e:bef:14::/64R18andR19configuretheACMEnetworkasperthefollowingrequirementsonlynetworksegmentswithactivereceiversthatexplicitilyrequirethedatamustreceivethemulticasttrafficintlo0ofR15mustbeconfiguredasuseastandardmethodofdynamicallydistributingthebothR16andR17mustparticipateinthemulticasttotestconfigureinte0/0ofbothR18andR19tojoingroupsw5#pingsovlanreplytorequest0from3msreplytorequestofromipmulticast-routinginterfacee0/1interfacee0/2ippimsparse-ippimbsr-candidateloopback0ippimrp-candidateloopback0ipmulticast-routinginterfacee0/1interfacee0/2ippimsparse-ipmulticast-routinginterfacee0/1interfacee0/2interfacetunnel0ippimsparse-ipmulticast-interfacevlaninterfacevlan55ippimsparse-interfacevlan66ippimsparse-interfacee0/0ippimsparse-modeipigmpjoininterfacetunnelippimsparse-interfacee0/0ippimsparse-modeipigmpjoininterfacetunnelippimsparse-Section3:VPNImplementMPLSVPN-Referto"diagram3BGPtopology"and"diagram4VPN theacmehqnetwork(AS12345)usesMPLSL3VPNinordertoclearlyseparateremotesitenetworks theacmecorporatesecuritypolicesarecentralisedandenforcedattheSanjosesite(AS65112)forallremotesites.Thepoliciesrequirethatalltrafficthatisoriginatedfromanyremotesites(withtheexceptionofnewyorkoffice)configuremplsL3vpnintheacmenetworkaccordingtothefollowingenableldponlyonrequiredinterfacesonallsevenroutersinASusetheinterfacelo0toestablishldpensurethatnomplsinterfacethatbelongstoanyrouterinsAS12345isvisibleonatraceroutethatoriginatesoutsideoftheASR2,3,6and7mustbeconfiguredasPER1,4and5mustbeconfiguredasPmplslabelprotocolmplsldprouter-id interfacee0/1mplsipmplsipmplslabelprotocolmplsldprouter-id interfacee0/0mplsipmplsipmplsipmplslabelprotocolmplsldprouter-id interfacee0/0mplsipmplsipmplsipmplslabelprotocolmplsldprouter-id nomplsippropagate-ttlforwardedinterfacee0/1mplsipmplsmplslabelprotocolmplsldprouter-id nomplsippropagate-ttlforwardedinterfacee0/1mplsipmplsmplslabelprotocolmplsldprouter-id nomplsippropagate-ttlforwardedinterfacee0/1mplsipmplsmplslabelprotocolmplsldprouter-id nomplsippropagate-ttlforwardedinterfacee0/1mplsipinterfaceinterfacemplsImplementMPLSVPN-Referto"diagram3BGPtopology"and"diagram4VPNebgppeeringthatarealreadypreconfigured.completealltheconfigsofmplsL3vpnintheacmenetworkaccordingtothefollowingrequirementsR1mustreflectvpnv4prefixesfromanyPEtoanyotherPEinASR2andR3mustestablishebgppeeringwithbothglobalSP(As10001andAS10002)forthefollowingvrf's□R6mustestablishanebgppeeringwiththeregionalSP(AS20001)forthefollowingvrfsR7mustestablishanebgppeeringwiththeregionalSP(AS20002)forthefollowingvrfsallipaddusedforebgppeeringmustpassthebgp'sdirectlyconnectednobgpspeakerisAS12345mayusethenetworkorredistributestatementunderanyaddress-familyofthebgprouterconfigattheendoftheexamscenariotheintee0/0ofthegatewayrouterinanyremotesitemustbeabletoconnecttotheinte0/0ofanyotherremotegatewaythatbelongstoAS65111orAS65222usethefollowingtestsasexamplesofconnectivitychecksR12#pingsoe0/0R12#tracesoe0/0(10hops)routerbgpaddress-familyvpnv4unicastneighborneighborneighborneighboractivateneighboriBGPsend-communityrouterbgpaddress-familyipv4vrfaddress-familyipv4vrfGREENaddress-familyipv4vrfREDaddress-familyipv4vrfaddress-familyipv4vrfINETaddress-familyvpnv4unicastneighborneighborsend-communityrouterbgpaddress-familyipv4vrfaddress-familyipv4vrfGREENaddress-familyipv4vrfREDaddress-familyipv4vrfaddress-familyipv4vrfINETaddress-familyvpnv4unicastneighborneighborsend-communityrouterbgpaddress-familyipv4vrfneighborremote-asaddress-familyipv4vrfBLUEaddress-familyipv4vrfINETaddress-familyvpnv4unicastneighborneighborsend-communityrouterbgpaddress-familyipv4vrfneighborremote-asaddress-familyipv4vrfBLUEaddress-familyipv4vrfINETaddress-familyvpnv4unicastneighborneighborsend-communityrouterbgpbgprouter-id2neighborremote-as20001address-familyipv4unicasneighbornetwork2masknetworkmask

routerbgpbgprouter-id3neighborremote-asneighborremote-as20002address-familyipv4unicasnetwork3masknetworkmaskrouterbgpbgprouter-id4neighborremote-as20002address-familyipv4unictnetwork4masknetworkmaskusethepreconfiguredinttun0onallthethreeroutersinordertoaccomplishR17mustbethehubR18andR19mustbethespokeandmustparticipateinNHRPinformationdisablesendicmpredirectmessageonallthreetunnelconfigurethefollowingparametersonallthethreetunnelbandwidth1000delay10000mtu1400tcpmssauthenticatenhrpusingthestringusenhrpbetwork-idconfignhrpholdtimeto5ensurethatspoketosoketrafficdoesnottransitviatheinterfacetunnelipaddressnoipredirectsdelayipmtuiptcpadjust-mss1380tunnelsource tunnelmodegremultipointipnhrpnetwork-id45678ipnhrpauthentication45678keyipnhrpholdtime300ipnhrpipnhrpmapmulticastdynamicroutereigrpCCIEaddress-familyipv4autonomous-system45678af-interfacetunnel0nosplit-interfacetunnelipaddress8noipredirectsdelayipmtuiptcpadjust-mss1380tunnelsource tunnelmodegremultipointipnhrpnetwork-id45678ipnhrpauthentication45678keyipnhrpholdtime300ipnhrpipnhrpmapipnhrpnhsipipnhrpmapmulticastinterfacetunnelipaddress9noipredirectsdelayipmtuiptcpadjust-mss1380tunnelsource tunnelmodegremultipointipnhrpnetwork-id45678ipnhrpauthentication45678keyipnhrpholdtime300ipnhrpipnhrpmapipnhrpnhs ipnhrpmapmulticastreferto"diagram4VPNsecurethedmvpntunnelusingipsecaccordingtothefollowingconfigureIKEphase1asperthe...useaesencryptionwiththepre-sharedkey...thekeymustappearinplaintextinthe...allipsectunnelsmustbeauthenticatedusingthesameIKEphase1pre-sharedkey...use1024bitsforthekeyexchangeusingthediff-hellmanconfigureasinglepolicyusingpriorityconfigIKEphase2asperthefollowing...useCCIEXFORMastransformset...useDMVPNPROFILEasipsecprofile..useipsecintransport...usetheipsecprotocolespandalgorhtimaeswith128ensurethattheDMVPNcloudissecuredusingaboveparameters.usetunnelprotectioninyourconfigcryptoisakmppolicy10encryptionaesgroup2cryptoisakmpkeyCCIEaddresscryptoipsectransform-setCCIEXFORMesp-aes128modetransportcryptoipsecprofileDMVPNPROFILEsettransform-setCCIEXFORMinterfacetunneltunnelprotectionipsecprofilecryptoisakmppolicyencryptionaesencryptionaesgroup2cryptoisakmpkeyCCIEaddresscryptoipsectransform-setCCIEXFORMesp-aes128modetransportcryptoipsecprofileDMVPNPROFILEsettransform-setCCIEXFORMinterfacetunneltunnelprotectionipsecprofilecryptoisakmppolicy10encryptionaesgroup2cryptoisakmpkeyCCIEaddresscryptoipsectransform-setCCIEXFORMesp-aes128modetransportcryptoipsecprofileDMVPNPROFILEsettransform-setCCIEXFORMinterfacetunneltunnelprotectionipsecprofile 4:InfrastructureconfigureR20inttheacmesanjoseofficeasperthe alluserswhoconnecttoR20viatheconsoleorviaanyofvtylinesusingsshmustbepromptedwiththebelowmessagebeofreanyotherpromptisdisplayedWARNING!ACCESSbannerlogin donotuseanyotherspacesorbannerlogin configureacmenewyorkofficeaspertheandlegitimateusersonlysw3mustdynamicallylearnonlyonemacaddressperportandsavethemacaddressinitsstartupsw3mustshutdowntheportifsecurityviolationoccursonanyofthefourportsintrangee0/0-3switchportport-securityswitchportport-securitymaximum1switchportport-securitymac-addressstickyswitchportswitchportport-securityviolationSection5:InfrastructureconfigureR20inttheacmesanjoseofficeaspertheestablishsshaccessinR20