Contents

CCIE DC Full-Scale Lab 1 Tasks

Last updated: May 7, 2014

This workbook is not yet compatible with current DC racks for self-paced study.

Introduction
1. Data Center Infrastructure
2. Data Center Storage Networking
3. Unified Computing
4. Data Center Virtualization


Introduction

  • All devices used in this scenario, with the exception of the UCS and Nexus 7K, will be pre-configured for you with a basic initial configuration before starting. Do not modify or remove this initial configuration, such as pre-configured MGMT0 IP addresses, pre-configured VRFs, pre-configured routing, etc. These initial configs are required to successfully complete this scenario.
  • NX-OS device logins are admin with the password Cciedc01. The UCS Management VM's login is Administrator with the password cisco. Do not modify the admin role on any platform, change the console speed, configure AAA, or make any other configuration changes that would potentially lock you out of the CLI interface. Rack rental tokens will not be refunded in cases where configuration errors on your part cause you or the automation system to be locked out of the devices.
  • Pre-configured MGMT0 addresses for this scenario are as follows:
    • N5K1 – 192.168.101.51/24
    • N5K2 – 192.168.101.52/24
    • MDS1 – 192.168.101.61/24
    • MDS2 – 192.168.101.62/24
    • N7K1 – 192.168.101.71/24
  • Any references to "Y" in this scenario refer to the last octet of the MGMT0 interface.

1. Data Center Infrastructure

1.1 UCS Initialization

  • Connect to UCS Fabric Interconnect A's CLI and use the following options for the initial configuration dialog:
    • Enforce strong passwords: yes
    • Admin password: Cciedc01
    • Cluster: yes
    • Switch fabric: A
    • System name: UCS-FI
    • MGMT0 IP address: 192.168.101.201
    • Netmask: 255.255.255.0
    • Default gateway: 192.168.101.1
    • Cluster IP address: 192.168.101.200
  • Configure UCS FI B to join the cluster and use the IP address 192.168.101.202/24.
  • Enable both Telnet and SSH access to the Fabric Interconnects.

Score: 3 Points

1.2 Nexus 7K VDC Initialization

  • Create three VDCs on N7K1 as follows:
    • VDC 2 named N7K2
    • VDC 3 named N7K3
    • VDC 4 named N7K4
  • Do not inherit the VDC hostname from the default VDC's hostname.
  • Allocate the interfaces to these VDCs according to the diagram. Any unneeded interfaces should be assigned to VDC 0.
  • Connect to these VDCs from the console and configure the admin user with the password Cciedc01.
  • Configure the MGMT0 IP addresses of the VDCs as follows:
    • VDC 2: 192.168.101.72/24
    • VDC 3: 192.168.101.73/24
    • VDC 4: 192.168.101.74/24
  • Enable both telnet and SSH access to all VDCs.

Score: 5 Points

1.3 Initial IP Addressing

  • Configure the higher-numbered M1 port in the diagram between N7K1 and N7K3 as a native layer 3 routed interface using the addresses 10.71.73.Y/24.
  • Configure the M1 ports between N7K2 and N7K4 as layer 3 Port-Channel10. Use LACP for the Port-Channel, and the addresses 10.72.74.Y/24.
  • Configure N7K3 and N7K4's links to the Data Center Interconnect as layer 2 access edge ports in VLANs 1050 and 1051, respectively. Configure interfaces VLAN 1050 and 1051 on N7K3 and N7K4, respectively, with addresses 10.50.73.0/31 and 10.51.74.0/31.

Score: 3 Points

1.4 Layer 3 Routing

  • Configure N7K1 and N7K2 to default to N7K3 and N7K4, respectively.
  • Configure N7K3 and N7K4 to peer BGP with the DCI provider. The provider uses BGP AS 100, whereas N7K3 and N7K4 have been allocated BGP ASes 65001 and 65002, respectively. The DCI provider also requires MD5 authentication using the password DCIPROVIDER.
  • Do not modify any DCI-related configuration on N5K1 or 3750G.
  • When complete, N7K1 and N7K2 should have IP reachability to each other over the DCI.

Score: 5 Points

1.5 FabricPath

  • N5K1 and N7K4 should form Port-Channel20 using LACP on the links connecting them according to the diagram.
  • Configure FabricPath on the port channel as well as the link connecting N7K4 and N5K2 according to the diagram.
  • Create VLANs 200–299 as FabricPath VLANs on these switches.
  • Authenticate all FabricPath IS-IS adjacencies using an MD5 hash of the password FPAUTH.

Score: 6 Points

1.6 vPC+

  • Configure UCS-FI-A to form Port-Channel201 up to N5K1 and N5K2 using the links in the diagram.
  • Configure UCS-FI-B to form Port-Channel202 up to N5K1 and N5K2 using the links in the diagram.
  • From N5K1 and N5K2's perspective, these links should be vPC 201 and 202.
  • vPC 201 and 202 should be 802.1Q trunk links, STP edge ports, and only allow VLANs 200–299.
  • Use the vPC Domain ID 500 and the FabricPath Switch-ID 501.

Score: 6 Points

1.7 FabricPath Traffic Engineering

  • Ensure that N7K4 can use both N5K1 and N5K2 to reach their southbound Classical Ethernet peers in VLANs 200–299.

Score: 5 Points

1.8 Spanning-Tree Protocol Optimization

  • Modify N5K1 and N5K2's Classical Ethernet configuration so that they run the minimum number of spanning-tree instances necessary to deliver traffic from the northbound FabricPath domain into the southbound UCS domain.
  • Any new switches that are attached to the Classical Ethernet domain of N5K1 or N5K2 that have a non-zero STP priority should not be able to be elected the STP root bridge.

Score: 6 Points

1.9 Fabric Extenders

  • N7K3 has two links to each N2K1 and N2K2, which are then used to dual-home to the UCS C200 server. Configure N7K3 to pair with N2K1 and N2K2 as FEX 131 and 132, respectively. Use Port-Channel 131 and 132, respectively.

Score: 5 Points

1.10 OTV

  • Configure OTV on N7K1 and N7K2 to bridge VLANs 200–299 over the Data Center Interconnect.
  • N7K1 should use the Site VLAN and Identifier 3001, and N7K2 should use the Site VLAN and Identifier 3002.
  • Trunk the minimum number of necessary VLANs between N7K1 and N7K3, and N7K2 and N7K4.
  • N7K3 and N7K4 should use PIM Sparse Mode for multicast routing with the DCI, and use the RP address 10.0.0.51, which is hosted by the provider.
  • Multicast Control Plane traffic for the OTV should be tunneled over the DCI using the group 224.71.72.0.
  • Multicast Data Plane traffic originating from N7K1 should use the group range 232.71.71.0/24.
  • Multicast Data Plane traffic originating from N7K2 should use the group range 232.72.72.0/24.
  • Authenticate the IS-IS adjacency between N7K1 and N7K2 using an MD5 hash of the password OTVAUTH.
  • Create Interface VLAN 200 on N7K3 and N7K4 with the IP addresses 192.168.200.Y/24.
  • When complete, N7K3 and N7K4 should be able to ping each other over the DCI through the OTV tunnel, as well as the VMKernel interfaces of the ESXi instances on UCS Blades 1 and 2, and the C200 server. The ESXi addresses are 192.168.200.101, 192.168.200.102, and 192.168.200.104, respectively.

Score: 7 Points


2. Data Center Storage Networking

2.1 Fibre Channel Initialization

  • Configure N5K1, N5K2, UCS-FI-A, and UCS-FI-B's Unified Ports in Fibre Channel mode as shown in the diagram.
  • N5K1's links to MDS1 and N5K2's links to MDS2 should be configured as Port-Channel101 and 102, respectively. The port channels should use dynamic negotiation and be configured as Trunking Expansion ports.
  • N5K1's links to UCS-FI-A and N5K2's links to UCS-FI-B should be configured as Port-Channel 103 and 104, respectively. The port channels should use dynamic negotiation and be configured as non-trunking Fabric ports on the N5K1 and N5K2 sides.

Score: 5 Points

2.2 VSANs and Trunking

  • The SAN A side of the UCS blade servers will use VSAN 103, and the SAN B side will use VSAN 104. Internal to UCS, these should map to VLANs 1103 and 1104, respectively.
  • UCS-FI-A's Port-Channel103 to N5K1 and UCS-FI-B's Port-Channe104 to N5K2 should be non-trunking NP ports in VSANs 103 and 104, respectively.
  • N5K1's Port-Channel101 to MDS1 and N5K2's Port-Channel102 to MDS2 should be TE ports that only forward VSANs 103 and 104, respectively.
  • MDS1 and MDS2's link to the SAN should be F ports in VSANs 103 and 104, respectively.

Score: 6 Points

2.3 Fibre Channel Zoning

  • Configure Enhanced Zoning and Enhanced Device Aliases on both the SAN A and SAN B sides of the UCS blade server.
  • Device Aliases in SAN A should be configured as follows:
    • Alias "FC-SAN-A" pWWN 21:00:00:1b:32:04:5e:dc
    • Alias "BLADE1-SAN-A" pWWN 20:00:00:cc:1e:dc:01:0a
    • Alias "BLADE2-SAN-A" pWWN 20:00:00:cc:1e:dc:02:0a
  • Device Aliases in SAN B should be configured as follows:
    • Alias "FC-SAN-B" pWWN 21:01:00:1b:32:24:5e:dc
    • Alias "BLADE1-SAN-B" pWWN 20:00:00:cc:1e:dc:01:0b
    • Alias "BLADE2-SAN-B" pWWN 20:00:00:cc:1e:dc:02:0b
  • Configure Zoning for SAN A so that both blades can reach "FC-SAN-A" on the A side.
  • Configure Zoning for SAN B so that both blades can reach "FC-SAN-B" on the B side.
  • Use the minimum amount of zones necessary to accomplish this.

Score: 5 Points

2.4 iSCSI Virtual Target

  • The UCS C200 is preconfigured to mount its VMware ESXi Datastores via iSCSI. Configure the network as follows to allow for this.
  • The C200 uses VLAN 202 and the initiator IP address 192.168.202.104/24 for iSCSI, and has the target address configured as 192.168.202.61.
  • The 3750G is preconfigured with VLAN 202 trunking toward N7K3, and an access VLAN 202 assignment toward MDS1.
  • Configure N7K3 so that it trunks only VLAN 202 traffic received from the C200 server toward MDS1.
  • Configure MDS1 so that the C200 server is assigned the pWWN 20:00:00:cc:1e:dc:03:0a.
  • Target LUNs reachable via MDS1's link in VSAN 103 to the FC SAN should be represented with the IQN "iqn.1987-05.com.cisco:05.mds1.01-01.01234567890abcde".
  • Ensure that the C200 is the only initiator that can use this target.
  • Do not add any additional zones to accomplish this.

Score: 6 Points


3. Unified Computing

3.1 Address Pools

  • Configure default pools in the Root ORG on UCS as follows:
    • UUIDs 0000-000000000001 - 0000-000000000080
    • MAC Addresses 00:CC:1E:DC:00:01 – 00:CC:1E:DC:00:FF
    • nWWNs 20:01:00:CC:1E:DC:01:01 - 20:01:00:CC:1E:DC:01:FF
    • Management IPs 192.168.101.210 - 192.168.101.219 (GW 192.168.101.1)

Score: 5 Points

3.2 UCS Service Profile Templates

  • Create a Service Profile Initial Template that will be used for Blades 1 and 2 called PROFILE.
  • UUIDs, MAC Addresses, nWWNs, and Management IPs should be pulled from the previously created default pools.
  • For SAN connectivity, there should be two vHBAs, fc0 on SAN A using VSAN 103, and fc1 on SAN B using VSAN 104.
  • For LAN connectivity, create five vNICs as follows:
    • vNIC0 named VMKernelA on Fabric A in VLAN 200
    • vNIC1 named VMKernelB on Fabric B in VLAN 200
    • vNIC2 named vMotion on Fabric B in VLAN 201
    • vNIC3 named VMGuestsA on Fabric A with VLANs 202 - 210
    • vNIC4 named VMGuestsB on Fabric B with VLANs 202 - 210
  • Ensure that if FI-B loses upstream connectivity that the vMotion NIC does not lose reachability to the rest of the network.
  • If a change in this service profile in the future requires re-association to apply the change, ensure that the administrator is notified before the blade is automatically rebooted.

Score: 6 Points

3.3 Service Profiles

  • Create two Service Profiles from the previously created template called PROFILE1 and PROFILE2 for Blade 1 and Blade 2, respectively.
  • PROFILE1 should be customized as follows:
    • Assign vHBA FC0 the pWNN 20:00:00:cc:1e:dc:01:0a.
    • Assign vHBA FC1 the pWNN 20:00:00:cc:1e:dc:01:0b.
    • Boot to LUN 0 on the SAN target 21:00:00:1b:32:24:5e:dc via FC0 as the primary, and then to LUN 0 on the SAN target 21:01:00:1b:32:24:5e:dc via FC1 if booting via FC0 fails.
  • PROFILE2 should be customized as follows:
    • Assign vHBA FC0 the pWNN 20:00:00:cc:1e:dc:02:0a.
    • Assign vHBA FC1 the pWNN 20:00:00:cc:1e:dc:02:0b.
    • Boot to LUN 0 on the SAN target 21:01:00:1b:32:24:5e:dc via FC1 as the primary, and then to LUN 0 on the SAN target 21:00:00:1b:32:24:5e:dc via FC0 if booting via FC1 fails.
  • Associate PROFILE1 to Blade 1 and PROFILE2 to Blade 2. If successful, the blades should boot their ESXi instances from the SAN.

Score: 6 Points


4. Data Center Virtualization

4.1 Nexus 1000v

  • Nexus 1000v VSMs are pre-installed on the ESXi instances for Blade 1 and Blade 2. The VSM's MGMT0 IP address is 192.168.200.200, and it has a login of admin with the password Cciedc01.
  • Modify the existing N1Kv configuration so that the VEM on Blade 1's ESXi host (192.168.200.101) appears as module 10.
  • The VEM on Blade 2's ESXi host (192.168.200.102) should appear as module 20.
  • The C200's ESXi host (192.168.200.104) should dynamically choose any available VEM slot.

Score: 5 Points

4.2 Private VLANs

  • Virtual Machines (VMs) Win2k8-www-1 through 6 are preconfigured with IP addresses 192.168.255.1 through 6, and they have a pre-defined port-group on the Nexus 1000v. These VMs can be reached through the VMware Console of the vSphere Client and have the username/password combination Administrator/Cciedc01.
  • Create Interface VLAN 204 on N7K3 with the IP address 192.168.255.73/24.
  • Configure Private-VLANs in such a way that all VMs can ping N7K3's VLAN 204 interface, but cannot ping each other.
  • Do not make changes to any other devices besides the Nexus 1000v and N7K3 to accomplish this, including the vCenter server.

Score: 5 Points


^ back to top