CCIE Deploy, Operate and Optimize guidelines

Before you begin, please read these guidelines

Overall module guidelines

1. The network that you will deploy, operate and optimize in this module will be similar, but not necessarily identical, to the network designed in the previous module. All relevant information that is needed to successfully complete this module can be found in this module itself and overrides any information that was provided in the previous module.

2. Before you start, confirm that all devices in your rack are accessible. During the exam, if any device becomes locked or inaccessible, you must recover it.

3. Your equipment is partially preconfigured. Do not change any of the preconfigured parameters unless you are specifically told to.

4. The partial configuration on the devices may deliberately contain mistakes and errors which may need to be corrected, or workarounds applied, in order to complete specific tasks. Therefore consider troubleshooting an integral part of this module.

5. Points are awarded only for fully working configurations. No partial scoring is provided. It is recommended that toward the end of the exam, you go back and test the functionality against all question requirements.

6. If you need clarification on any of the questions, or if you suspect that there might be an issue with your equipment or exam environment, contact the lab proctor as soon as possible.

7. Item-level feedback can be provided at the question level. Feedback will be processed, but Cisco will not reach out to you to discuss any feedback provided. You will not be compensated for the time you spend providing the feedback.

8. During the exam, access to select Cisco online documentation is available from your desktop. Access to select third-party product documentation (such as Python) is available from the Resources window under the External Documentation category.

9. When you finish the lab exam, make sure that all devices are accessible for the grading proctor by leaving them in EXEC mode and closing the console windows. A device that is not accessible for grading cannot be graded, and this may cause you to lose substantial points.

10. You have 5 hours to complete this module. Upon finishing the exam, ensure that all devices are accessible. Any device that is not accessible for grading purposes may cause you to lose substantial points.

Track specific guidelines

1. There are several end hosts present in the lab topology, named hostXY (for example, host11). They are all identical and they can all be used at your full discretion, including accessing the GUI of DNA Center, vManage and ISE through Firefox, performing IP connectivity tests, generating or capturing traffic, and coding in Python or C.

2. All hostXY devices are configured as DHCP clients. Should it be necessary to force a host to release and renew its DHCP lease, right-click on the icon of the network manager located between the CPU utilization and check applets in the bottom task bar, unselect Enable Networking, then right-click on it again and select Enable Networking.

3. The web-based GUI of DNA Center, vManage and ISE can only be accessed from the hostXY end hosts, using the Firefox installed on those end hosts. These servers cannot be accessed directly from the desktop you are working on right now (the exam-room PC). You must always connect to a hostXY as a jump host and access DNA Center, vManage or ISE from there. Always ignore any SSL/TLS certificate warnings that Firefox may display.

4. Devices in the topology may have more interfaces, addresses and routes configured than what is shown in the diagrams and accompanying tables. Ignore such interfaces, addresses and routes entirely, unless a task explicitly requires you to use or modify them.

5. Changing or removing parts of the initial running configuration on devices, as opposed to adding new configuration, is allowed only if the task allows or requires it explicitly, or if there is no other way of accomplishing the task.

SECTION 2.3: Mapping SDA VNs to SD-WAN VPNs

Using the vManage GUI, perform the following configuration tasks:

1. Use any host, such as Host11, to access the vManage GUI website at the URL https://…

2. Create three new SD-WAN VPNs to carry the SDA VN traffic:

2.1. VPN ID 198 for the iot VN.

2.2. VPN ID 199 for the guest VN.

2.3. VPN ID 200 for the employees VN.

On the branch #1 and branch #2 vEdges, for each of these VPNs:

1. Create a new subinterface on the interface toward the SDA border switch. Align the VLAN ID and IP address on the subinterface with the configuration generated by DNA Center on the border switches for the corresponding VN.

2. Peer the vEdge and the SDA border switch using IBGP. Ensure full reachability between all locations of the same VPN.

SECTION 2.4: Configuring SD-WAN VPN Route Leaking

1. To allow the traditional parts of the FABD2 network to communicate with the employees and iot VPNs/VNs, configure route leaking in SD-WAN:

2. Prefixes in the iot VPN 198 must be imported into the existing SDA underlay VPN 999 and tagged with the tag value 198.

3. Prefixes in the employees VPN 200 must be imported into the existing SDA underlay VPN 999 and tagged with the tag value 200.

4. Prefixes in the SDA underlay VPN 999 advertised from the DC that are within the 10.4.0.0/15 range must be rejected.

5. Other prefixes in the SDA underlay VPN 999 advertised from the DC must be accepted and also imported into the iot VPN 198 and the employees VPN 200.

6. Redistribution from OMP into OSPF on branches #1 and #2 in VPN 999 must exclude vRoutes tagged with the values 198 or 200.

6.1. Place Host41 into the employees VN.

6.2. Place Host51 into the iot VN.

6.3. Make sure both hosts receive their IP settings from DHCP.

6.4. Ensure that the iot and employees VPNs on branches #1 and #2 have reachability to branches #3 and #4.

6.5. Modifying the VPN 999 OMP settings is allowed in order to accomplish this requirement.
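The leaking and filtering rules above are easy to get subtly wrong (for instance, 10.4.0.0/15 also covers 10.5.x.x, and the tag is what keeps leaked VN prefixes out of the branch OSPF domain in task 6). The following is an added example, not part of the lab text and not vManage or vSmart policy syntax: it models tasks 2 to 6 in Python over a few constructed OMP routes, so the intended outcome can be checked before the policy is built in vManage. The VPN numbers and the 10.4.0.0/15 range are the task's; the site names, prefixes and the `OmpRoute` model are constructed for this example.

```python
"""Model of the Section 2.4 route-leaking policy.

Added example; not part of the lab text and not vManage/vSmart syntax.
It applies tasks 2 to 6 to constructed OMP routes so the expected contents
of VPN 999, 198 and 200 (and what may go into OSPF) can be checked.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional

IOT_VPN, EMP_VPN, UNDERLAY_VPN = 198, 200, 999          # from the task
DC_REJECT_RANGE = IPv4Network("10.4.0.0/15")           # task 4, from the task


@dataclass(frozen=True)
class OmpRoute:
    vpn: int
    prefix: IPv4Network
    origin_site: str            # "DC", "BR1", ... (constructed site names)
    tag: Optional[int] = None   # OMP tag carried by the vRoute


# Constructed sample routes as vSmart might hold them before any policy.
SAMPLE_ROUTES = [
    OmpRoute(IOT_VPN, IPv4Network("10.1.98.0/24"), "BR1"),
    OmpRoute(EMP_VPN, IPv4Network("10.1.200.0/24"), "BR2"),
    OmpRoute(UNDERLAY_VPN, IPv4Network("10.4.10.0/24"), "DC"),  # inside 10.4.0.0/15
    OmpRoute(UNDERLAY_VPN, IPv4Network("10.5.0.0/24"), "DC"),   # also inside: a /15 spans 10.4 and 10.5
    OmpRoute(UNDERLAY_VPN, IPv4Network("10.6.0.0/24"), "DC"),   # outside: accept and leak
    OmpRoute(UNDERLAY_VPN, IPv4Network("10.9.0.0/24"), "BR3"),  # not from the DC: accept only
]


def leak_routes(routes: List[OmpRoute]) -> Dict[int, List[OmpRoute]]:
    """Return the routes present in each VPN after applying tasks 2 to 5."""
    result: Dict[int, List[OmpRoute]] = {IOT_VPN: [], EMP_VPN: [], UNDERLAY_VPN: []}
    for r in routes:
        if r.vpn in (IOT_VPN, EMP_VPN):
            result[r.vpn].append(r)
            # Tasks 2 and 3: import into VPN 999, tagged with the source VPN id.
            result[UNDERLAY_VPN].append(
                OmpRoute(UNDERLAY_VPN, r.prefix, r.origin_site, tag=r.vpn))
        elif r.vpn == UNDERLAY_VPN:
            if r.origin_site == "DC" and r.prefix.subnet_of(DC_REJECT_RANGE):
                continue                                  # task 4: reject
            result[UNDERLAY_VPN].append(r)
            if r.origin_site == "DC":                     # task 5: accept and leak
                for vpn in (IOT_VPN, EMP_VPN):
                    result[vpn].append(OmpRoute(vpn, r.prefix, r.origin_site, tag=r.tag))
    for vpn in result:
        result[vpn].sort(key=lambda x: x.prefix)
    return result


def ospf_redistribution_candidates(underlay_routes: List[OmpRoute]) -> List[OmpRoute]:
    """Task 6: VPN 999 vRoutes a branch may redistribute from OMP into OSPF."""
    return [r for r in underlay_routes if r.tag not in (IOT_VPN, EMP_VPN)]


def prefixes(routes: List[OmpRoute]) -> List[str]:
    """Prefix strings in numeric order, for comparing results."""
    return [str(r.prefix) for r in sorted(routes, key=lambda x: x.prefix)]


if __name__ == "__main__":
    table = leak_routes(SAMPLE_ROUTES)
    for vpn, routes in table.items():
        print(f"VPN {vpn}:", [(str(r.prefix), r.tag) for r in routes])
    print("OMP->OSPF candidates:",
          prefixes(ospf_redistribution_candidates(table[UNDERLAY_VPN])))
```

Running it shows 10.4.10.0/24 and 10.5.0.0/24 dropped from VPN 999, 10.6.0.0/24 present in all three VPNs, and only the untagged 10.6.0.0/24 and 10.9.0.0/24 eligible for OSPF redistribution; the tagged VN prefixes never reach the legacy OSPF domain.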

SECTION 2.5: Handling Guest Traffic

1. The guest VN/VPN on branches #1 and #2 must remain isolated from the rest of the company and is only allowed to reach the Internet through R23 and R24 in the DC.

1.1. Enable Internet connectivity for the guest VPN:

1.2. On vEdge21 and vEdge22, place the ge0/2 interfaces into the guest VPN 199.

1.3. On R23 and R24, create a new VRF named guest using the RD 65002:199, and place the gi4 interfaces into this VRF.

2. Assign the specified addresses to these interfaces:

·R23 gi4: 
·R24 gi4:
·vEdge21 ge0/2: 
·vEdge22 ge0/2:

3. Peer R23 and vEdge21 in the guest VRF/VPN using IBGP.

4. Peer R24 and vEdge22 in the guest VRF/VPN using IBGP.

5. Ensure that R23 and R24 learn the routes in the guest VRF/VPN over IBGP.

6. On R23 and R24, configure a static default route in the guest VRF and point it to the ISP's IP address, as appropriate for each router.

6.1. Advertise this default route in IBGP to vEdge21 and vEdge22.

6.2. On R23 and R24, configure PAT to allow the guest VPN to access the Internet by translating it to the router's address on the link toward the ISP.

6.3. Reuse the NAT ACL already created on the router.

6.4. Do not use NAT pools.

6.5. Configure R23 as the DHCP server for the guest VPN:

6.6. Create a Loopback1 interface on R23, associated with the guest VRF and having the specified IP address, and advertise this prefix in BGP toward vEdge21.

6.7. Create a DHCP pool named br1_guest for the branch #1 guest subnet.

6.8. Create a DHCP pool named br2_guest for the branch #2 guest subnet.

6.9. Explicitly associate both DHCP pools with the VRF guest.

6.10. In each subnet, assign addresses from .101 up to .254 inclusive, together with the appropriate gateway, to clients.

6.11. Associate Host42 and Host52 with the guest VN in DNAC, and make sure that both hosts receive the appropriate address.

6.12. Make sure that Host42 and Host52 can ping the specified address in the ISP cloud.



! R23 (DHCP server for the guest VPN; Loopback1 and the DHCP pools exist only here)
! The VRF name is case-sensitive; the task asks for "guest".
ip dhcp use vrf remote

vrf definition guest
    rd 65002:199
    address-family ipv4

interface loopback 1
    vrf forwarding guest
    ip address

! ethernet0/3 in the author's practice lab; GigabitEthernet4 in the exam rack
interface ethernet0/3
    vrf forwarding guest
    ip address

ip dhcp excluded-address vrf guest
ip dhcp excluded-address vrf guest

ip dhcp pool br1_guest
    vrf guest

ip dhcp pool br2_guest
    vrf guest

ip route vrf guest global

router bgp 65002
    address-family ipv4 vrf guest
        network mask
        network mask
        neighbor remote-as 65002
        neighbor activate 
        neighbor next-hop-self 

! Ethernet0/0 in the author's practice lab; GigabitEthernet1 in the exam rack
ip nat inside source list NAT interface Ethernet0/0 vrf guest overload


! R24
vrf definition guest
    rd 65002:199
    address-family ipv4

! ethernet0/3 in the author's practice lab; GigabitEthernet4 in the exam rack
interface ethernet0/3
    vrf forwarding guest
    ip address

ip route vrf guest global

router bgp 65002
    address-family ipv4 vrf guest
        network mask
        neighbor remote-as 65002
        neighbor activate 
        neighbor next-hop-self 

! Ethernet0/0 in the author's practice lab; GigabitEthernet1 in the exam rack
ip nat inside source list NAT interface Ethernet0/0 vrf guest overload
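Two details in this configuration decide whether the grader's tests pass: every VRF reference must spell the VRF name exactly (IOS VRF names are case-sensitive, and a pool or interface bound to a differently-cased name is bound to a different, undefined VRF), and the excluded-address lines must leave exactly .101 to .254 assignable in each pool (task 6.10). The following is an added example, not part of the lab text or the author's configuration: a small Python checker that parses an IOS-style configuration and verifies both points. The configuration it checks is constructed for this example with placeholder addresses and interface names (not the lab's values), and one pool deliberately references `Guest` instead of `guest` to show what the check catches.

```python
"""Checks on an R23-style guest-VRF configuration from Section 2.5.

Added example; not part of the lab text. It verifies (1) that every VRF
reference names a defined VRF with the exact same spelling and (2) that
excluded-address lines leave exactly .101 to .254 of each pool assignable.
"""
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed configuration with placeholder addresses (not the lab's values).
# The br2_guest pool deliberately references "Guest" instead of "guest".
CONSTRUCTED_R23_CONFIG = """\
ip dhcp use vrf remote
vrf definition guest
 rd 65002:199
 address-family ipv4
interface Loopback1
 vrf forwarding guest
 ip address 10.99.0.23 255.255.255.255
interface GigabitEthernet4
 vrf forwarding guest
 ip address 10.99.23.1 255.255.255.252
ip dhcp excluded-address vrf guest 10.99.1.1 10.99.1.100
ip dhcp excluded-address vrf guest 10.99.2.1 10.99.2.100
ip dhcp pool br1_guest
 vrf guest
 network 10.99.1.0 255.255.255.0
 default-router 10.99.1.1
ip dhcp pool br2_guest
 vrf Guest
 network 10.99.2.0 255.255.255.0
 default-router 10.99.2.1
ip route vrf guest 0.0.0.0 0.0.0.0 203.0.113.1 global
ip nat inside source list NAT interface GigabitEthernet1 vrf guest overload
"""

VRF_WORD = re.compile(r"\bvrf (?:forwarding |definition )?(\S+)")


def parse_ios(text: str) -> List[Tuple[str, List[str]]]:
    """Group indented lines under the preceding top-level command."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_vrf_names(text: str) -> List[str]:
    """Return config lines that reference a VRF not defined with that exact name."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    defined = {line.split()[2] for line in lines if line.startswith("vrf definition ")}
    problems = []
    for line in lines:
        if line.startswith("ip dhcp use vrf"):   # 'vrf' is a keyword here, not a name
            continue
        m = VRF_WORD.search(line)
        if m and m.group(1) not in defined:
            problems.append(line)
    return problems


def dhcp_assignable_ranges(text: str) -> Dict[str, Optional[Tuple[str, str]]]:
    """Per DHCP pool, the first and last host left assignable after exclusions."""
    blocks = parse_ios(text)
    excluded = []   # (vrf, low, high): exclusions are scoped to a VRF name
    for cmd, _ in blocks:
        m = re.match(r"ip dhcp excluded-address vrf (\S+) (\S+)(?: (\S+))?$", cmd)
        if m:
            low = IPv4Address(m.group(2))
            high = IPv4Address(m.group(3)) if m.group(3) else low
            excluded.append((m.group(1), low, high))
    ranges: Dict[str, Optional[Tuple[str, str]]] = {}
    for cmd, children in blocks:
        if not cmd.startswith("ip dhcp pool "):
            continue
        pool, vrf, net = cmd.split()[3], None, None
        for child in children:
            if child.startswith("vrf "):
                vrf = child.split()[1]
            elif child.startswith("network "):
                _, addr, mask = child.split()
                net = IPv4Network(f"{addr}/{mask}")
        if net is None:
            ranges[pool] = None
            continue
        # A pool bound to a misspelled VRF gets none of the exclusions.
        hosts = [h for h in net.hosts()
                 if not any(v == vrf and lo <= h <= hi for v, lo, hi in excluded)]
        ranges[pool] = (str(hosts[0]), str(hosts[-1])) if hosts else None
    return ranges


def pools_violating_task_6_10(text: str) -> List[str]:
    """Pools whose assignable range is not exactly .101 to .254."""
    bad = []
    for pool, rng in dhcp_assignable_ranges(text).items():
        if rng is None:
            bad.append(pool)
            continue
        first, last = (int(ip.rsplit(".", 1)[1]) for ip in rng)
        if (first, last) != (101, 254):
            bad.append(pool)
    return bad


if __name__ == "__main__":
    print("undefined VRF references:", check_vrf_names(CONSTRUCTED_R23_CONFIG))
    print("assignable ranges:", dhcp_assignable_ranges(CONSTRUCTED_R23_CONFIG))
    print("pools violating 6.10:", pools_violating_task_6_10(CONSTRUCTED_R23_CONFIG))
```

On the constructed input the checker flags the line `vrf Guest` and reports br2_guest as handing out .1 to .254, because the exclusions were entered for `guest` and do not apply to a pool bound to `Guest`; fixing the spelling makes both checks pass.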

SECTION 2.6: Support for Silent Hosts in Branch #2

1. In the future, branch #2 will be equipped with IP-based IoT endpoints operating in speak-when-spoken-to mode, also called silent hosts. Which of the following SDA features enables working connectivity with these IoT endpoints?

A. Layer 2 Flooding

B. Layer 2 Extension

C. Native Multicast

D. Endpoint Mobility


2. In the statement below, select one of the options from the drop-down list to complete the sentence and form a correct statement.


For SDA to support silent hosts, _______________________________ in the underlay as a prerequisite.

A. IP multicast routing with PIM-SM must be enabled

B. DHCP snooping must be enabled

C. IS-IS must be used as the routing protocol

D. No additional capability aside from unicast IP connectivity is required


Author: Naraku
Copyright notice: unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Naraku as the source when reposting!