Hello All !

This is a full blown CCIE lab I have created from my experience and notes I have been taking over the years. In future I will also provide a SOLUTION guide for this lab…

Fewer than 3 percent of all Cisco certified professionals actually achieve CCIE status. The majority of candidates who take the exam fail at the first attempt because they are not fully prepared. This practice exam will bring you as close as possible to the actual CCIE lab.

I will be adding new questions to this topology so you can keep on practising and exploring.

Whenever I create a post like this one it takes me 3 to 4 weeks to prepare all the config files, netmaps, diagrams, questions etc., so I would very much appreciate it if some of you could kindly subscribe to the blog: firstly it is free, and secondly you will receive notifications about all important updates and new posts!

The more I study for my CCIE lab and the more I look into all the technologies covered in the lab, the more I realise that it is all about experience. I mean you cannot expect to take the LAB and pass it after completing your written exam; that just would not work at all! You must spend countless hours of rack time configuring features and learning how protocols interact with one another.

ok let’s begin !

One tiny caveat :

Please note that the diagram shows two separate connections from R2 to the frame switch, while the provided GNS3 net file uses only one. A dirty fix is to use subinterfaces on R2, but this will introduce more issues in the OSPF section, so the easiest way is to amend your NETFILE and simply add another connection from R2 to the FRAME SWITCH. I’ll leave this for you to decide.

I have used VISIO this time to create the topologies for the LAB so the following is what you are going to need for this LAB exam :


This GNS3 lab setup is what we are going to use for this exam. In case you have not come across my other post, here are the details of how to build it











ip_addressing diagram_visio



















INITIAL CONFIGS : INITIAL_CONFIGS (just like with my other posts , you build above GNS3 lab on your PC then copy and paste provided configs)

R1 Lo0
R2 Lo0
R3 Lo0
R4 Lo0
R5 Lo0
R6 Lo0
SW1 Lo0
SW2 Lo0
SW3 Lo0
SW4 Lo0



IPv6 addresses on your network as follows:
2007:C15:C0:10::/64—R1 Fa0/0
2007:C15:C0:11::1/64—R1 S0/0
2007:C15:C0:11::2/64—R2 S0/0
2007:C15:C0:11::3/64—R3 S1/0
2007:C15:C0:12::2/64—R2 Fa0/1
2007:C15:C0:14::2/64—R2 S0/0
2007:C15:C0:14::5/64—R5 S0/0
2007:C15:C0:15::3/64—R3 Fa0/0
2007:C15:C0:15::4/64—R4 Fa0/0
2007:C15:C0:16::5/64—R5 Fa0/1
2007:C15:C0:16::6/64—R6 Fa0/1


34 , 45 , 46 , 100 , 200 , 300



Section 1: LAN Switching and Frame Relay (28 Points)

1.1 Configure switches as collapsed backbone network with switches 1 and 2 performing core and distribution functionality and switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect only to the core switches. (2 points)

1.2 Switches 1 and 2 should run spanning tree in 802.1w; switches 3 and 4 should operate in their default spanning-tree mode. (2 points)

1.3 Configure switch 1 to be the root bridge and switch 2 to be the secondary root bridge for VLANs 1 and 300. (2 points)

1.4 Ensure that you fully utilize the available bandwidth between switches by grouping your inter-Switch Links (ISL) as trunks. Ensure that only dot1q and EtherChannel are supported. (3 points)

1.5 Ensure that traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows. (2 points)

1.6 Ensure that user interfaces are shut down dynamically by all switches if they link-flap excessively. If they remain stable for 35 seconds, they should be re-enabled.

1.7 Fast Ethernet ports Fa1/0 – Fa1/1 and Fa1/2 will be used for future connectivity on each switch. Configure these ports as access ports for VLAN 300, which should begin forwarding traffic immediately on connection. Devices connected to these ports will dynamically receive IP addresses from a DHCP server, which is due to be connected to port Fa1/0 on sw1 in the future. For security reasons this is the only port on the network where DHCP addresses should be allocated from. Ensure that the switches intercept the DHCP requests and add the ingress port, VLAN and switch MAC address prior to sending on to the DHCP server. Limit DHCP requests to 600 packets per minute per user port. (6 points)

1.8 For additional security, ensure that the user port on switches 1-4 (Fast Ethernet 1-17) can only communicate with the network with IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure that the only information forwarded upon connection is DHCP request packets and then any traffic that matches the DHCP IP information received from the DHCP binding for additional security. (3 points)

1.9 R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Configure R4 with an IP address of to communicate with R5 and configure R4 with an IP address of to communicate with R6. Configure R4 Fa0/1 and switch 2 Fa1/4 only. (3 points)

1.10 Your initial Frame Relay configuration has been supplied for the R1-R2-R3 connectivity and R2-R5. Configure each device per the Frame Relay diagram to ensure that each device is reachable over the Frame Relay network. Use only the indicated DLCIs. (2 points)


Section 2: IPv4 IGP Protocols (22 Points)

Section 2.1: OSPF

2.10 Configure OSPF per OSPF diagram. Use a process ID of 1. Where possible all OSPF configuration should not be configured under the process ID. Do not change the preconfigured interface types where applicable. Configure the loopback interfaces of routers R1, R2 and R3 to be in area 0, R4 in area 34, and R5 in area 5. Ensure that the neighbour adjacencies are established throughout. (2 points)

2.11 No loopback networks should be advertised as host routes. (1 point)

2.12 Ensure that R1 does not advertise the preconfigured secondary address under interface Fa0/1 of to the OSPF network. Do not use any filtering techniques to achieve this. (2 points)

2.13 R5 should use the Frame Relay link within area 5 for its primary communication to the OSPF network. If this network should fail either at Layer 1 or Layer 2, R5 should form a neighbour relationship with R4 under area 5 to maintain connectivity. Your solution should be dynamic, ensuring that while the area 5 Frame Relay link is operational no neighbour relationship exists between R4 and R5. However the ethernet interface of R4 and R5 is reachable by configuration of R5. You are permitted to define neighbour statements between R5 and R4. (4 points)

Section 2.2: EIGRP

2.20 Configure Enhanced Interior Gateway Routing Protocol (EIGRP) per EIGRP diagram using an AS number of 1. The loopback interfaces of all routers and switches should be advertised within EIGRP. (2 points)

2.21 Ensure that R4 does not install any of the EIGRP loopback routes from any of the switches into its routing table. As such these routes should also not be present in the OSPF network post redistribution. Do not use any route-filtering access control lists (ACL), prefix lists, or admin distance manipulation to achieve this, and perform configuration only on R4. (3 points)

2.22 R4 will have dual equal-cost routes to VLAN300 (network from R5 and R6. Ensure that R4 sends traffic to this destination network to R5 rather than load sharing. Should the route from R5 become unavailable, traffic should be sent to R6. Do not policy route, alter the bandwidth or delay statement on R4 interfaces or use an offset list. Perform your configuration on R4 only. Your solution should be applied to all routes received from R5 and R6 as opposed to solely to the route to network VLAN300. (3 points)

Section 2.3: Redistribution

2.30 Perform mutual redistribution of IGP protocols on R4. All routes should be accessible with the exception of the switch loopback networks because these should not be visible via R4 as noted in an earlier question. EIGRP routes redistributed within the OSPF network should remain with a fixed cost of 5000 throughout the network. (3 points)

2.31 Configure R4 to redistribute up to only five EIGRP routes and to generate a system warning when the fourth route is redistributed. Do not use any access lists in your solution. (2 points)

Section 3: BGP (14 Points)

3.1 Configure Internal Border Gateway Protocol (iBGP) peering as follows: R1-R3, R2-R3, R6-R5, Sw1-R6, Sw1-R5. Use minimal configuration and use loopback interfaces for your peering. Configure External Border Gateway Protocol (EBGP) peering as follows: R3-R4, R4-R6, R4-R5, R5-R2. Use minimal configuration and use loopback interfaces for your peering with the exception of R4 to R5. Use the AS numbers supplied in BGP diagram. (2 points)

3.2 AS200 is to be used as a backup transit network for traffic between AS100 and AS300. As such, if the Frame Relay network between R5 and R2 fails, ensure that the peering between R2 and R5 is not maintained via the Ethernet network. Do not use any ACL-type restrictions or change the existing peering. (2 points)

3.3 Configure a new loopback interface 2 on R2 of 130.100.200.1/24 and advertise this into Border Gateway Protocol (BGP) using the network command. Configure R2 in such a way that if the Frame Relay connection between R2 and R5 fails AS300 no longer receives this route. Do not use any filtering between neighbours or neighbour-specific commands to achieve this. (3 points)

3.4 Configure Hot Standby Router Protocol (HSRP) between R5 and R6 on VLAN300 with R5 the active for .1/24. If the network is no longer visible to AS300, R6 should dynamically become the HSRP active. Configure R5 to achieve this solution. (4 points)

3.5 Configure two new loopback interfaces on R1 and R2 of and respectively and advertise these into BGP using the network command. R3 should be configured to allow only BGP routes originated from R1 up to network and from above network only those originated from R2. Use only a single ACL on R3 as part of your solution. (3 points)

Section 4: IPv6 (14 Points)
Configure IPv6 addresses on your network as follows:
2007:C15:C0:10::/64—R1 Fa0/0
2007:C15:C0:11::1/64—R1 S0/0
2007:C15:C0:11::2/64—R2 S0/0
2007:C15:C0:11::3/64—R3 S1/0
2007:C15:C0:12::2/64—R2 Fa0/1
2007:C15:C0:14::2/64—R2 S0/0
2007:C15:C0:14::5/64—R5 S0/0
2007:C15:C0:15::3/64—R3 Fa0/0
2007:C15:C0:15::4/64—R4 Fa0/0
2007:C15:C0:16::5/64—R5 Fa0/1
2007:C15:C0:16::6/64—R6 Fa0/1

Section 4.1: RIPng
4.10 Configure Routing Information Protocol next generation (RIPng), ensuring that your IPv6 routes are visible throughout your RIPng domain. Do not disable split-horizon. (3 points)

Section 4.2: OSPFv3
4.20 Configure OSPFv3  with a process ID of 1 and with all OSPF interfaces assigned to area 0. (2 points)
4.21 The IPv6 network is deemed to be stable. As such, reduce the number of link-state advertisements (LSA) flooded within the OSPF domain. (2 points)

Section 4.3: Redistribution

4.30 Redistribute RIPng routes into the OSPFv3 domain (one way). RIP routes should have a fixed cost of 5000 associated to them within the OSPF network. (1 point)

4.31 Ensure that the OSPFv3 network is reachable from the RIP network by a single route of 2007::/16, which should be seen within the RIP domain. Configure R5 only to achieve this. The OSPF domain should continue to receive specific RIPng subnets. (2 points)

4.32 If the serial link fails between the OSPF and RIPng domains, ensure that routing is still possible between R5 and R4 over VLAN45. Do not enable RIP on the VLAN45 interfaces of R4 and R5. Configure R4 and R5 to achieve this and this should be considered an alternative path only in the event of a failure. (3 points)

4.33 Ensure that the summary route configured previously is not seen back on the routing table of R5. Configure only R5 to achieve this. (1 point)

Section 5: QoS (8 Points)

5.1 You are required to configure quality of service (QoS) on switch 1 according to the Cisco QoS baseline model. Create a Modular QoS configuration that facilitates the following requirements for all user ports (Fast Ethernet 1-24) (3 points):

*** All ports should trust the Differentiated Services Code Point (DSCP) values received from their connecting devices.

*** Packets received from the user ports with DSCP values of 10, 16, 24, 28, 32, 34, 46 and 48 should be remarked to DSCP 8 Per Hop Behaviour (PHB CS1) in the event of traffic flowing above 5 Mbps on a per port basis. This traffic could be a combination of any of the earlier DSCP values with any source/destination combination. Ensure that a minimum burst value is configured above the 5 Mbps.

5.2 Switch 1 will be connected to a new trusted domain in the future using interface Fa1/0. A DSCP value of AF43 received locally on sw1 should be mapped to AF42 when destined for the new domain. (2 points)

Section 6: Security (8 Points)

6.1 Configure R3 to identify and discard the following custom virus. The virus is characterized by the ASCII characters “VIRUS IS BAD” within the payload and utilizes User Datagram Protocol (UDP) ports 11664 to 11666. The ID of the virus begins on the third character of the payload. The virus originated on VLAN34. (3 points)

6.2 An infected host is on VLAN200 of Ensure that only within BGP AS10 traffic destined for this host is directed to Null0 of each local router. You cannot use any ACLs to block traffic to this host specifically, but you can use a static route pointing to Null0 for traffic destined to on routers within AS10. R2 can have an additional static route pointing to Null0. Use a BGP feature on R2 to ensure that traffic to this source is blocked. Prevent unnecessary replies when traffic is passed to the Null0 interface for users residing on VLAN100. (3 points)
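
To make the match criteria in task 6.1 concrete before you translate them into router configuration, here is an added Python example (not part of the original lab and not a solution config) that applies the same test to raw IPv4 packets. It assumes the port range 11664 to 11666 refers to the UDP destination port; the helper names and the sample packets are constructed for illustration.

```python
import struct

SIGNATURE = b"VIRUS IS BAD"   # ASCII string given in task 6.1
SIG_OFFSET = 2                # "third character" of the UDP payload, zero-based
PORTS = range(11664, 11667)   # UDP 11664 to 11666 inclusive

def matches_signature(packet: bytes) -> bool:
    """Return True if a raw IPv4 packet fits the task 6.1 description."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4            # IP options move the UDP header
    if ihl < 20 or packet[9] != 17:         # protocol 17 = UDP
        return False
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                        # later fragment: no UDP header here
    udp = packet[ihl:ihl + 8]
    if len(udp) < 8:
        return False
    dport = struct.unpack("!H", udp[2:4])[0]
    if dport not in PORTS:                  # assumption: destination port
        return False
    payload = packet[ihl + 8:]
    return payload[SIG_OFFSET:SIG_OFFSET + len(SIGNATURE)] == SIGNATURE

def build_packet(dport: int, payload: bytes, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4/UDP test packet (checksums left at zero)."""
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return ip + options + udp + payload

# Constructed samples, not captured traffic.
SAMPLES = {
    "match": build_packet(11665, b"xxVIRUS IS BAD tail"),
    "match_with_ip_options": build_packet(11664, b"\x00\x01VIRUS IS BAD", b"\x01" * 4),
    "wrong_offset": build_packet(11665, b"VIRUS IS BAD"),
    "wrong_port": build_packet(11667, b"xxVIRUS IS BAD"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} {'drop' if matches_signature(pkt) else 'forward'}")
```

The "wrong_offset" sample is the one to watch: the string is present, but it starts at the first payload byte rather than the third, so a filter written to the task's wording must not match it.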

Section 7: Multicast (6 Points)

7.1 Configure routers R1, R2, R3, and R4 for IPv4 Multicast. Configure R3 to send multicast advertisements of its own time by use of Network Time Protocol (NTP) sourced from interface Fa0/0. Configure Protocol Independent Multicast (PIM) sparse mode on all required interfaces. R3 should also be used to advertise its own Fastethernet interface IP address as a rendezvous point (RP). R3 should also advertise the IP address you are using for the NTP advertisements which is to be Do not use the command ntp server in any configurations. Routers R1, R2, and R4 should all show a clock synchronized to that of R3. (5 points)


How did you do ? What was your score ? If you scored over 80 and accomplished this within the time frame , well done !!

As soon as I have more time I will add some new questions !!

Please let me know if you spot any mistakes with the config or anything, and go ahead and ask questions!


Enjoy !





About ccie4all
Hello, and welcome to the first post of my CCIE blog This blog has got one simple goal and that is to improve our skills in Cisco Networking field so we can become best engineers on a job market. Wordpress Blog information about the changes made to Gns3 BGP , MPLS and R&S CCIE labs. In order to access and download all provided materials and receive important updates from Gns3 BGP , MPLS and R&S CCIE labs under GNS3 tab in the main header please go ahead and subscribe to ! All other posts have not been affected and can be accessed at any given time. Enjoy ! Tom
