CCIE Tshoot LAB



Section 1 - IGP

Instruction and Pre-config:

  • ALS1 and ALS2 are VTP clients; DLS1 and DLS2 are VTP servers
  • Check the pre-configuration

Task1: RIPv2

Configure RIPv2 on Ac1 with the following conditions:

  • No multicast updates are to be supported on any interface of the two devices
  • R2 should not receive any routes of the POD except default routes
  • R2 sends multiple routes; however, ALS must accept only class C updates. Use a prefix-list with a single statement
  • Any routes received on R2 must have a metric of 10. You are not allowed to do anything on R2 for this particular task

Task2: OSPF Multi Area configuration

Configure OSPF as per the diagram. Ensure the Router-ID is the loopback 0 interface only, on all devices.

Advertise lo0 of ALS1 and DLS1 in Area 0, and of DLS2 and ALS2 in Area 1. Area 2 must conform to RFC 1587 standards to disallow external LSAs.

Task3: LSA Filtering

Use a route-map to publish 66.66.66.66 into R3. ALS2 must filter prefix 6.6.6.6; no ACL is allowed. It should also allow only 66.66.66.66 into the backbone and no other route. Ensure that R2 can ping 66.66.66.66.

Note: you will have to do Task4 before this one.

Task4: RIP-OSPF Redistribution

Redistribute all RIP routes into OSPF with incremental metric and a tag of 2000. Do not redistribute OSPF into RIP; however, for connectivity, provide a default route only to R5. You can't use a static route or the default-information command.

Task5: EIGRP Hub and Spoke

EIGRP AS 10 is pre-configured on DLS1, DLS2 and R1. You need to optimize EIGRP for a hub-and-spoke setup: DLS1 and DLS2 act as spokes, whereas R1 is the hub. R1 has three loopbacks in major network 89.x.x.x. You must redistribute them into EIGRP; however, they must appear as internal routes on DLS1 and DLS2.


Task6: EIGRP-OSPF Mutual Redistribution

Perform bidirectional redistribution between EIGRP and OSPF on DLS1 and DLS2.

1. Summarize all prefixes of 89.x.x.x on DLS1 and DLS2 into OSPF
2. R1 must use DLS1 for vlan100, ALS1 lo0, Vlan35 and all class C routes from R2. Your solution can't have more than two statements in the ACL/prefix-list
3. R1 must use DLS2 for vlan65, ALS2 lo0 and 66.66.66.66



Section 2 - BGP

1. Configure BGP as per the diagram. R1 is in AS 65525. ALS1, ALS2, DLS1 and DLS2 are all in AS 65500. Use peer groups to save memory and improve performance. Peering should be in the following manner:

  • R1 to peer with DLS1 and DLS2
  • ALS1 to peer with DLS1 only
  • ALS2 to peer with DLS2 only
  • DLS1 and DLS2
  • Ensure peering is done using Loopback0 on all

2. Advertise lo100 in BGP on ALS2; ensure all routers in AS 65500 have this route. Ensure that R1 uses DLS1 to reach it. You can't use any route filters on neighbours, local-preference, weight or MED.

3. Create loopback200 on R8 with IP address 200.200.200.200. Mark it with communities 65525:200 65525:300 65525:400, and ensure all routers in AS 65500 can see the exact community values for this route.

Section 3 - IP Multicast

DSW2 will act as RP and mapping agent. DSW2 should serve groups 224.5.5.5 and 224.6.6.6.

Use DSW1 vlan100 to join groups 224.5.5.5 and 224.6.6.6. R2 will act as the source for 224.5.5.5 using lo191, and R6 will be the source for 224.6.6.6 using lo66. Ensure both sources can ping their respective groups.

Sparse-mode should be used on all

Section 4 - Security

1. Zone based Policy Firewall

Configure ASW2 as a firewall. Create two zones named inbound and outbound; put vlan45 into inbound and vlan65 into outbound. Put no restriction on ICMP traffic in either direction; however, do not inspect it in any direction.

a. Allow web and remote management traffic from inbound to outbound sourced from lo66
b. Allow telnet towards lo66

Note: ensure everything else works properly after the firewall implementation

2. NTP

a. DLS1 as NTP server and R3 as client. Use GMT plus 5.30 and the current time. The password is cisco
b. DLS1 must use lo0 for NTP and should serve only 66.66.66.66 for updates

3. NAT

a. Ensure that when inside host 66.66.66.66 telnets to public IP 100.100.100.200, it lands on DLS2 lo0, which will see the source address as 172.16.65.6.
b. Don't use dynamic NAT