ccie datacenter v1 - question set - final release - 03-06-2014 - lab 1 (1)

QUESTION SET

LAB 1

Real Labs V1

www.cciedatacenterlabs.com

1

www.cciedatacenterlabs.com Final Release 03-JUNE-2014

www.cciedatacenterlabs.com www.cciedatacenterlabs.com

This Page is Intentionally Left Blank

`

2



Figure 1 : Logical Topology

3



Figure 1 : Topology with Actual Port Numberings

4



Figure 2 : N1K/UCS Reference Section

Devic

IP Username Password UCS-Cluster-IP 10.1.1.50 Admin Cisco

DC1-FI-0A 10.1.1.51 Admin Cisco DC1-FI-B 10.1.1.52 Admin Cisco

DC1-MDS-1 10.1.1.61 Admin Cisco DC1-N7K-3 10.1.1.24 Admin Cisco DC1-N7K-4 10.1.1.25 Admin Cisco

DC1-N1K(VSM) 10.1.1.212 Admin Cisco

UCS

Pool Name Starting Value Qty UUID-Suffix ccie-dc-uuid 1111-0000000000000001 10

WWPN(Fabric A) ccie-dc-wwpn-a 20:00:00:25:B5:10:10:01 4 WWPN(Fabric B) ccie-dc-wwpn-b 20:00:00:25:B5:10:10:0A 4

WWNN ccie-dc-wwnn 20:00:00:25:B5:11:10:01 4 MACs ccie-dc-mac 00:25:B5:00:00:01 32

Management IPs(KVM) 10.1.1.53/24 7 Management GW 10.1.1.254

Storage Object Value Fabric-A

FC Target WWPN SJ-1(Rack05)

50:00:40:20:02:14:6a:45 BRU(Rack10)

50:00:40:20:14:6b:46 SJ2(Rack06)

50:00:40:20:02:F4:69:54 Fabric-B

FC Target WWPN SJ-1 (Rack05)

50:00:40:21:02:14:6a:45 BRU (Rack09)

50:00:40:21:14:6b:46 SJ2(Rack06)

50:00:40:20:02:F4:69:54 FC SAN Boot

LUN ID 01 San Boot Policy san-boot-dual

Fabric A

Zone Name zone_ucs_vsan100 Fabric B

Zone Name zone_ucs_vsan200 Zone Sets names zs_vsan100, zs_vsan200

Zone names zone_ucs_vsan100, zone_ucs_vsan200

VLAN ID Name/Purpose VLAN ID cont’d Name/Purpose 30 iscsi 70 vm-data

40 esx-mgmt 100 FCoE VLAN for VSAN 50 dmz 200 FCoE VLAN for VSAN

5



SECTION I: Data Center Infra-NXOS points 38 1.1 Data Center 1 – Core Switch Information

In Data Centre 1(DC1), there is one Nexus 7000 switch, DC1-N7K-1 is

the default VDC, where DC1-N7k-3 and DC1-N7K-4 are non-default VDC The device id, port assignment and device name are specified in the

table below. Device Name Id Ports Type DC1-N7K-1 1 Ethernet 3/1-8, Ethernet 4/1-16 Ethernet DC1-N7K-3 3 Ethernet 3/17-24, Ethernet 4/17-24 Ethernet DC1-N7K-4 4 Ethernet 3/25-32, Ethernet 4/25-32 Ethernet

Table 1.1 Device name

Use the following credentials when connecting to these devices:

DC1-N7K-1 Password:cisco Mgmt IP:10.1.1.22 DC1-N7K-3 Password:cisco Mgmt IP:10.1.1.24 DC1-N7K-4 Password:cisco Mgmt IP:10.1.1.25

Table 1.2 Logical device credentials

Assign interfaces to VDCs based on the interface allocation table.

6



1.2 Implement Vlans

N7K1 vlan 80 name DCI-SITE vlan 90 name DCI-DATA

N7K3 vlan 30 name iSCSI vlan 40 name ESX-MGMT vlan 50 name DMZ vlan 70 name VM-DATA vlan 80 name DCI-SITE vlan 90 name DCI-DATA

N7K4 vlan 30 name iSCSI vlan 40 name ESX-MGMT vlan 50 name DMZ vlan 70 name VM-DATA

1.3 Important NXOS L3 Functionality

In Data Center 1(DC1), configure L3 interfaces between Nexus 7000 and

the core switch. The core switch is pre-configured for you, no configuration

is necessary from you part

DC1-N7K-3 Ethernet 4/23 10.4.1.1/30 DC1-N7K-4 Ethernet 4/31 10.4.1.5/30

7



1.4 Implement NXOS L2 Functionality

In Data Center 1 (DC1), configure L2 LACP port-channel between

DC1-N7K-3 & DC1-N7K-4, also configure this port-channel as a trunk port

with jumbo MTU. Prune VLAN 50, 80 and 90 from PO 100.

Configure trunk port on DC1-N7K-3 e3/18 and DC1-N7K-4 e3/26.

Allow only VLAN 50 and make sure the ports immediately transit to

forwarding state. The link to the DMZ will not be up until UCS port config is

completed

Address assignment are specified as follows

Device Name Port channel Member ports DC1-N7K-3 100 Ethernet4/18,4/19 DC1-N7K-4 100 Ethernet4/26,4/27

8



1.5 SVI and Loopback In data center 1(DC1), configure SVI and loopback interfaces.

Address assignment are specified as follows

Device Name Interface IP address Network mask DC1-N7K-3 Loopback 0 10.0.1.3 225.255.255.255 DC1-N7K-3 Vlan 30 10.1.30.124 255.255.255.128 DC1-N7K-3 Vlan 40 10.1.40.252 255.255.255.0 DC1-N7K-4 Loopback 0 10.0.1.4 225.255.255.255 DC1-N7K-4 Vlan 30 10.1.30.125 255.255.255.128 DC1-N7K-4 Vlan 40 10.1.40.253 255.255.255.0

1.6 Implement Spanning-tree Protocol In data center 1(DC1) configure DC1-N7K-3 as the root for all VLAN without

changing the VLAN priority. Enable bridge assurance on the trunk port between

DC1-N7K-3 and DC1-N7K-4

1.7 Implement NXOS High-availability Feature In data center 1(DC1) enable HSRP between DC1-N7K-3 and DC1-N7K-4.

Configure DC1-N7K-3, ensuring it becomes HSRP active router immediately after

configuration is completed address assignment are specified as follows

Device name Interface HSRP group Virtual IP DC1-N7K-3 Vlan 30 0 10.1.30.126 DC1-N7K-3 Vlan 40 0 10.1.40.254 DC1-N7K-4 Vlan 30 0 10.1.30.126 DC1-N7K-4 Vlan 40 0 10.1.40.254

9



1.8 Implement NXOS L3 Routing Protocols In data center 1(DC1) setup OSPF connectivity to the WAN. Core WAN router is preconfigured for you, no configuration or troubleshooting

is required on your part.

Perform the following tasks on DC1-N7K-3.

• Configure OSPF with process id 1. • Use the loopbook 0 address as router ID. • Configure interface Ethernet 4/23 in area 1, MTU size 9100. • Make sure switch doesn’t participate in DR/BDR election on WAN LINK. • Advertise the following SVI into OSPF.

• Vlan 30 • Vlan 40

Perform the following tasks on DC1-N7K-4.

• Configure OSPF with process id 1. • Use the loopback to address as router ID. • Configure interface Ethernet 4/31 in area 1, MTU size 9100. • Make sure switch doesn’t participate in DR/BDR election on WAN LINK. • Advertise the following SVI into OSPF.


10



1.9 Southbound Port-channel connection to UCS FI In Data center 1 (DC1), have DC1-N7K-3 and DC1-N7K-4 configure port-channel

to DC1-FI-A and DC1-FI-B (as shown in diagram).

Use existing L2 and L3 connection between DC1-N7K-3 and DC1-N7K-4.

You are not allowed to add new connections between them.

Make sure LACP primary is on the switch side, not the host side, with

absolute certainty.

Make sure DC1-N7K-3 is both operational and role primary.

Downstream port channel must meet the following requirement.

• LACP • Trunk port • Allow VLAN 30, 40, 70 only • Jumbo frame

You are free to assign a domain number of your choice between DC1-N7K-3 and

DC1- N7K-4.

Remember DC1-N7K-3 and DC1-N7K-4 are logical devices with a same physical

device that share the same management interface.

Configure downstream port-channel as specified below.

Device name Interface Port channel DC1-N7K-3 E4/21 10 DC1-N7K-3 E4/22 20 DC1-N7K-4 E4/29 10 DC1-N7K-4 E4/30 20

11



1.10 Data Center 2 – Core Switch Information

In Data Centre 2(DC2), there is one Nexus 7000 switch, DC2-N7K-1 is

the default VDC, where DC2-N7k-3 and DC2-N7K-4 are non-default VDC The device id, port assignment and device name are specified in the

table below. Device Name Id Ports Type DC2-N7K-1 1 Ethernet 3/1-8, Ethernet 4/1-16 Ethernet DC2-N7K-3 3 Ethernet 3/17-24, Ethernet 4/17-24 Ethernet DC2-N7K-4 4 Ethernet 3/25-32, Ethernet 4/25-32 Ethernet

1.11 Data center 2 - Configure CE and FP VLANS

• Configure Classical Ethernet (CE) VLANs on DC2-N7K-1, DC2-N7K-3 • Configure Fabricpath (FP) VLANs on DC2-N7K-3, DC2-N7K-4, DC2-N5K-1

and DC2-N5K-2 • Configure VLAN as specified in the table 1.13. Do not create unnecessary

VLAN on the device.

VLAN information are specified in the table below.

Vlan ID Name Vlan Mode 31 FP-DATA1 FP 41 FP-DATA2 FP 80 DCI-SITE CE 90 DCI-DATA CE

TABLE 1.12 VLAN NAMES

Device name Vlan DC2-N7K-1 80,90 DC2-N7K-3 31,41,80,90 DC2-N7K-4 31,41 DC2-N5K-1 31,41 DC2-N5K-2 31,41

TABLE 1.13 Switch VLAN Assignments

12



1.12 Implement NXOS L3 functionality In Data Center 2 (DC2) configure L3 interfaces between Nexus 7000 and the core switch

Device name Interface IP address Network mask DC2-N7K-3 Ethernet4/23 10.4.1.9 255.255.255.252 DC2-N7K-4 Ethernet4/31 10.4.1.13 255.255.255.252

13



1.13 Implement NXOS L2 Functionality In DC2, enable L2 multipathing, where DC2-7K-3 and DC2-7k-4 will be the

spine switches, DC2-5K-1 and DC2-5K-2 will be the leaf switches.

Ensure DC2-7K-3 is root for tree 1, and DC2-7K-4 is root for tree 2.

L2 multipathing topology and port assignment are displayed in the diagram

below,

Device Switch id 7k3 30 7k4 40 5k1 300 5k2 400

Table 1.15 L2 multipathing assignment

1.14 SVI and Loopback In Dc2 configure SVIs and loopback interfaces, address assignment are specified as follows

Device name Interface Ip address Network mask 7k3 Loopback 0 10.0.2.3 32 Vlan31 10.1.31.124 25 Vlan41 10.1.41.252 24

7k4 Loopback 0 10.0.2.4 32 Vlan31 10.1.21.125 25 Vlan41 10.1.41.253 24

Table 1.16 SVIs and loopback interface assignment

14



1.15 Implement NXOS High-availability Features In Dc2, enable VRRP between 7k3 and 7k4, configure 7k3 ensure it

becomes VRRP master router immediately after configuration is completed

Device name Interface Vrrp Group Virtual IP 7k3 Vlan 31 2 10.1.31.126 Vlan 41 2 10.1.41.254

7k4 Vlan 31 2 10.1.31.126 Vlan 41 2 10.1.41.254

Table 1.17 VRRP Assignment 1.16 Implement NXOS L3 Routing Protocols In DC2 setup OSPF connectivity to the WAN, core WAN router is preconfigured for

you, no configuration or troubleshooting is required on your part.

Performing the following tasks on DC2-N7K-3 • Configure OSPF with process id 1 • Use the loopback0 address as router-id • Configure int e4/23 in area 2, MTU size 9100 • Make sure switch do not participate in DR/BDR election on WAN link • Advertize the following SVIs into OSPF


Performing the following tasks on DC2-N7K-4:

• Configure OSPF with process id 1 • Use the loopback0 address as router-id • Configure int e4/31 in area 2, MTU size 9100 • Make sure switch do not participate in DR/BDR election on WAN link • Advertize the following SVIs into OSPF:


15



1.17 Southbound port-channel (PO) from N5K to FEX Given the following diagram configure the sub section below

16



1.17.1 Establish A/A PO From N5k To Fabric Extender In Dc2, configure active/active connections from DC2-N5K-1 and DC2-N5K-2 to

the FEX, use Fex 103 and 104 as stated in the diagram above.

You are allowed to configure L2 port channel trunk between DC2-N5K-1 and

DC2-N5K-2 as stated in the diagram above, you are not allowed to add any L3

connections.

Port-channel numbering can be found in the diagram above.

Make sure DC2-N5K-1 is both operational and role primary.

You are free to assign a switch identifier of your choice between DC2-N5K-1 and

DC2-N5K-2 to accomplish the task.

You are free to assign a domain number of your choice between DC2-N5K-1

and DC2-N5K-2 to accomplish the task.

1.17.2 Downstream A/A PO From Fex To UCS Server

In DC2, build downstream port-channel from Fex to Srv4, make sure both

members in the PO are active.

Use port-channel 2000 to complete this task

Downstream port-channel must to meet the following requirement

• Trunk port that transition to forwarding immediately • Remote host does not support LACP • Allow vlan 31 and 41 only

17



1.18 Data Center Interconnect (DCI) You are now required to perform Data center interconnect between DC1 and DC2,

the WAN core is multicast enable, but not MPLS capable.

You are allowed to use DC1-N7K-1 and DC2-N7K-1 to assist you in this task.

Only vlan 90 is required to be extended between DC1 and DC2 and vlan 80 will

stay local to the DC.

You will not need to create additional vlan for this task

You are allowed to use multicast address range of your choice to achieve the task

The rp address is 20.0.0.1 pim sparse-mode is running in the WAN core

To property identify site DC1 and site DC2, you are free to configure a site

identifier of your choice.

18



In DC1 perform the following tasks:

Configure L3 link between DC1-N7K-1 and DC1-N7K-3

Device name Interface IP Address Network Mask DC1-N7K-1 e4/5 10.4.1.18 30 DC1-N7K-3 e4/24 10.4.1.17 30

Configure L2 trunk between DC1-N7K-1 and DC1-N7K-3, only allow vlan 80 and 90

Configure loopback interface on DC1-N7K-1

Device name Interface ip address Network mask DC1-N7K-1 Loopback 0 10.0.1.2 32

Configure SVI 90 on DC1-N7K-3

Int Vlan 90 10.1.90.1/24 After completing above infrastructure tasks, configure VPC tasks as specified in

the question

In DC2 perform the following tasks:

Configure L3 link between DC2-N7K-1 and DC2-N7K-3

Device Name Interface IP Address Network Mask 7k1 e4/5 10.4.1.22 30 7k3 e4/24 10.4.1.21 30

Configure L2 trunk between DC2-N7K-1 and DC2-N7K-3 only allow vlan 80 and 90

Configure loopback interface on DC2-N7K-1

19



Device name Interface ip address Network mask DC2-N7K-1 Loopback 0 10.0.2.2 32

Configure SVI 90 in DC2-N7K-3

Int Vlan 90 10.1.90.2/24

After completion above infrastructure tasks, configure VPC tasks as specified in

the question.

Verify if DCI is successful by pinging SVI 90 from DC1-N7K-3 to DC2-N7K-3.

20



SECTION II: Storage Network points 20

2.1 Implement FC Portchannel ISL and Trunking Refer to the following diagram

Configure a FC port channeling between the DC2-MDS1 and DC2-N5K2 switches.

Create VSAN 200 and allow only this VSAN and VSAN1 across this link.

Use port channel ID22.

21



2.2 Implement FC NPV and NPIV Features

Configure a FC NPV-NPIV F_Port trunking and port channeling link between the

DC2- MDS1 and DC2-N5K1 switches.

Create VSAN 100 and allow only this VSAN and VSAN1 across this link.

Use port-channel ID 21.

2.3 Implement FCoE NPV Features

Create a logical device within DC2-N7K-1, that is capable in FCoE functionality.

Use the following parameters

Device ID Port Allocations DC2-N7K-2 2 Ethernet 3/9-16

Initialize this logical device with the following parameters

Password: cisco Mgmt IP: 10.1.1.33 Mgmt Network mask: 255.255.255.0 Mgmt Gateway: 10.1.1.254 Telnet: Enabled Configure a FCoE NPV-NPIV F_Port trunking and Port-channeling link between the

DC2-N7K-2 and DC2-N5K-1 switches.

Create VSAN 100 and allow only this VSAN across this link.

This link should be configured to use LACP.

Make sure SID/DID/OXID load-balancing is used across this link.

Use port-channel ID 11.

22



2.4 Implement Multihop FCoE Configure a FCoE VE PO between DC2-N7K-2 and DC2-N5K-2 switches.

Create VSAN 200 and allow only this VSAN across this link.

This link should be configured to use LACP.

Make sure SID/DID/OXID load-balancing is used across this link.

Use port channel Id 12.

2.5 Implement IP Storage Based Solution

Configure two FCIP links between the DC1-MDS1 and DC2-MDS1 switches.

Allow both VSANs 200 and 100 across both links.

The GE1/3 ports should be primary, other link should be used for backup only.

Link MTU should be able to accommodate a complete FC frame.

IP address details in the table below:

Use FCIP profile 10 for primary, and FCIP profile 20 for backup.

Device Name Primary Link Address Secondary Link Address DC1-MDS-1 10.3.1.1/30 10.3.1.5/30 DC2-MDS-1 10.3.1.2/30 10.3.1.6/30

23



2.6 Implement FCoE Host configuration Configure the FCOE connections from DC2-SRV-3 and DC2-SRV-4.

DC2-SRV-3 port 1 should be in VSAN/VLAN 200, use vfc 311 for this interface. DC2-SRV-3 port 0 should be in VSAN/VLAN 100, use vfc 20 for this interface. DC2-SRV-4 port 0 should be in VSAN/VLAN 100, use vfc 320 for this interface. DC2-SRV-4 port 1 should be in VSAN/VLAN 200, use vfc 420 for this interface. All required configuration of the host side are preconfigured, you are only required

to configure the N5K side.

24



SECTION III: Unified computing system points 32 3.0 Implement Unified Computing System You are now tasked to implement and configure the computing solution

based on Cisco Unified computing system. DC1 will be hosting your primary

computing cluster. Here you will be implementing a new system

for development purposes. Only basic management access has been

configured. Below are a set of tasks which include setting up the system as

well as configuring some basic service profile. The table in Diagram 2

contains all the resources & pool information you should need to

complete all tasks. Incorporate redundant configuration where

applicable or as directed below. You are required to configure all LAN/SAN

devices within the topology, no access is required to the storage array.

25



26



3.1 Implement UCS Domain infrastructure Referring to Diagram 2 configure the following items.

1. The system should only discover chassis with 2 or more IOM links. 2. Maximum bandwidth between the FI & chassis should be utilized. 3. Configure appropriate VLANs and VSANs as per table in Diagram 2. 4. Aggregate Ethernet uplinks where applicable (refer to topology diagram

above). Use same port channel IDs used on N7K side. 3.2. Configure UCS Infrastructure Connectivity Referring to Diagram 2, configure the following items:

• VLAN 50 should be restricted to the DMZ network (1G uplink) • Corporate network access should include all VLANs except VLAN 50

With UCS in the default Fiber Channel mode, Configure four FC ports from each Fabric interconnect to DC-MDS-1: 1. On DC1-FI-A, Configure a four interface FC Port Channel. Use Channel Group ID 100 on both sides 2. On DC1-FI-B, Configure a four interface FC Port Channel. Use Channel Group ID 200 on both sides

3.3 Create and Implement UCS Resources Referring to Diagram 2, configure the following items:

• Create appropriate pools as per reference table in diagram 2 for UUID, MAC,WWPN, WWNN and KVM Management IPs.

• Configure and activate appropriate ports, zones and zonesets on the DC1-MDS-1.

• Zone all UCS WWPNs for each fabric with their respective target WWPNs.

• Zones should belong to their respective zonesets. Refer to Diagram 2

27



3.4. Create and Implement Basic Service Profile As part of this question and the next, you are required to create a single service profile. Detailed requirement of the service profile are below and continued with question 3.5. Part of your objective is to ensure the previously installed OS successfully boots with your configured service profile.

Note: if object names are not explicitly provided you may use your own naming convention.

Configure the following:

• Create a service profile called RemoteBoot int the root org • The service profile should utilize the resources from pools configured

previously. • This service profile should be restricted to blades with no locals disks

installed. • Configure 1 vHBA per fabric: fc0, fc1. • WWPNs from the respective fabric pool should be used

3.5 Create and Implement Advanced Service Profile For the RemoteBoot service profile started in the previous question, Continue with the following requirement (refer to table below for object names).

• Create an updating vnic template for each fabric, allow corporate network vlans only

• Lan fabric failures should be transparent to the host OS. • Configure 2 vNIC per fabric, utilize vNIC templates previously created • Refer to table below for object names without creating new policies • Ensure cdp is enabled on all vnics by default. • Create and assign a san boot policy that includes redundant path. • Refer to diagram 2 for target information • Associate this service profile with blade 1/1 and boot the blade

28



Object Fabric A Fabric B

Vnic-template name vnic-a vnic-b

vnic names eth0,2 eth1,3

vHBA names fc0 fc1

Boot Policy name san-dual-boot 3.6 Create and Implement UCS Policies Create UCS policies as per the following criteria, modifying only default policies Ensure all changes made on the system require the user to acknowledge them before being implemented. Create a host firmware policy name fwpol-ccie, that contain the latest firmware for only the models of adapters and BIOS in the system, this policy does not need to be applied to any service profile. Create a management firmware policy called fwmgmt-ccie, that contain the latest management firmware for only blade models in the system, this policy does not need to be applied to any service profile 3.7 Configure UCS Authentication The active directory server has been previously configured, your task

is to ensure AD authentication within UCS using directory group map while

maintaining local user access

No access to the AD server is required

29



Refer to table below for active directory details

Active Directory Object Value

Domain Controller 10.1.1.214

Bind User CN=ucs binduser,OU=ciscoucs,DC=ccie,DC=lab

base DN DC=ccie, DC=lab

Port 389

Filter $AMAccountName=$userid

Group Authorization Enabled

Authentication Domain Name ldap-domain

Group Recursion Recursive

Target Attribute Memberof

Ldap provider group

Name ldap-group

AD Group UCS Role

ucsaaa aaa

ucsnetwork network 3.8 Implement Service Profile Clone Clone the “RemoteBoot” service profile with the name “RemoteBoot-clone” Make minimum necessary modifications to clone service profile for association to succeed to blade 1/3 after association completes, the cloned service profile should remain in the power off state

30



SECTION VI: Manage Datacenter Virtualization 4.1 Implement Virtual Switch Module 5 points

The N1Kv has been previously installed, all VMWare configuration has been completed, no access to vCenter or hosts are required. The VSM will contain basic configuration. After reviewing the directives below, make any necessary changes. Refer to diagram 2 for VSM access credentials. Assuming UCS blade has been configured and boot successfully from previous section. There should be 1 VEM module in service and online on your VSM. 4.2 Implement Nexus 1000v to UCS connection 5 points Review the configuration and ensure all configuration complements UCS infrastructure.

31



THANK YOU FOR USING CCIEDATACENTERLABS.

32

ccie datacenter v1 - question set - final release - 03-06-2014 - lab 1 (1)

Documents

ethernet dc1n7k

admin cisco dc1n7k

iscsi vlan

dmz vlan

vmdata vlan

fcoe vlan

admin cisco dc1fi

esxmgmt vlan