Beruflich Dokumente
Kultur Dokumente
10.b
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Contents
Lab 1: Implementing Device Infrastructure (Detailed) . . . . . . . . . . . . . . . . . . . . . . . 1-1
Part 1: Implementing Device Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
This five-day course is designed to serve as the ultimate preparation for the Juniper Networks
Certified Internet Expert—Service Provider (JNCIE-SP) exam. The course focuses on caveats and
tips useful for potential test candidates and emphasizes hands-on practice through a series of
timed lab simulations. On the final day of the course, students are given a six-hour lab simulation
emulating the testing topics and environment from the real exam. All labs in this course are
facilitated by Junosphere virtual lab devices and are available after hours for additional practice
time. This course is based on Junos OS Release 10.3.
Objectives
After successfully completing this course:
• Students will be better prepared for success in taking the actual JNCIE-SP exam.
• Students will be well-versed in exam topics, environment, and conditions.
Intended Audience
This course benefits individuals who have already honed their skills on service provider
technologies and could use some practice and tips in preparation for the JNCIE-SP exam.
Course Level
JNCIE Service Provider Bootcamp is an advanced-level course.
Prerequisites
Students should have passed the Juniper Networks Certified Internet Professional—Service
Provider (JNCIP-SP) written exam or achieved an equal level of expertise through Education
Services courseware and hands-on experience.
Day 1
Chapter 1: Course Introduction
Chapter 2: Exam Strategies
Chapter 3: Device Infrastructure
Lab 1: Implementing Device Infrastructure
Chapter 4: IGP Implementation
Lab 2 and Lab 3: IGP Implementation
Day 2
Chapter 5: IGP Troubleshooting
Lab 4 and Lab 5: IGP Troubleshooting
Chapter 6: BGP Implementation
Lab 6: BGP Implementation
Chapter 7: BGP Troubleshooting
Lab 7: BGP Troubleshooting
Day 3
Chapter 8: Multicast Implementation
Lab 8: Multicast Implementation and Troubleshooting
Chapter 9: Class of Service Implementation
Lab 9: Class of Service Implementation and Troubleshooting
Day 4
Chapter 10: MPLS Implementation
Lab 10: MPLS Implementation and Troubleshooting
Chapter 11: MPLS VPN Implementation
Lab 11: MPLS VPNs Implementation and Troubleshooting
Day 5
JNCIE-SP Full Lab Simulation
Franklin Gothic Normal text. Most of what you read in the Lab Guide
and Student Guide.
CLI Input Text that you must enter. lab@San_Jose> show route
GUI Input Select File > Save, and type
config.ini in the Filename field.
CLI Undefined Text where the variable’s value is Type set policy policy-name.
the user’s discretion or text where
ping 10.0.x.y
the variable’s value as shown in
GUI Undefined the lab guide might differ from the Select File > Save, and type
value the user must input filename in the Filename field.
according to the lab topology.
Overview
In this lab, you will be given a list of tasks specific to device infrastructure to accomplish in
a timed setting. You will have 1 hour to complete the simulation.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions. You might
find more than one method for accomplishing each task.
By completing this lab, you will perform the following tasks:
• Configure the aggregated Ethernet interfaces ae0, ae1, and ae2. Refer to the
Lab 1 diagram for the routers and member interfaces associated with these
aggregated Ethernet interfaces.
• Configure all aggregated Ethernet interfaces to monitor the member links to
ensure that both ends of the bundle are connected to the correct group.
Configure R4 to initiate this process for all aggregated Ethernet interfaces.
• Ensure that the aggregated Ethernet bundle between R2 and R4 always
supports a bandwidth capacity of at least 2.5 Gbps. Traffic must not be
forwarded across this bundle if this requirement is not met at any time.
• Enable graceful restart for all routing protocols except BGP and OSPF on the
internal routers.
• High availability is required for the DC3 router connected to R3 and R5.
Configure a VRRP group in which R3 is the master for the 172.20.20.0/24
range. R5 must acquire mastership if three of R3’s internal interfaces fail. If a
failover condition occurs for the VRRP group, and that failover condition is
restored, R3 must not regain mastership. Refer to the Lab 1 diagram for the
specific interfaces and virtual IP addresses.
In this lab part, you will become familiar with the configuring, monitoring, and testing
of high availability features found in the Junos operating system. You will first
explore the usage of aggregated Ethernet interfaces. Then, you will enable graceful
restart on the routers. Next, you will configure and monitor the usage of VRRP. You
will then become familiar with the features in the Junos OS that allow an
administrator to secure and monitor Junos devices. You will configure a user
account to authenticate with a RADIUS server. You will then configure firewall filters
to protect the devices in your network. Then, you will configure the routers to
periodically backup the configurations to a server. Next, you will become familiar
with the basic functions of Junos automation. You will configure the routers to load a
commit script from a remote server.
Note
We recommend that you spend some time
investigating the current operation of your
routers. During the real exam, you might be
given routers that are operating
inefficiently. Investigating operating issues
now might save you a lot of time
troubleshooting strange issues later.
TASK 1
Access the CLI for your routers using either the console, Telnet, or SSH as directed
by your instructor. Refer to the management network diagram for the IP address
associated with your devices. Log in as user lab with the password lab123.
Configure the aggregated Ethernet interfaces ae0, ae1, and
ae2. Refer to the Lab 1 diagram for the routers and member
interfaces associated with these aggregated Ethernet
interfaces.
TASK INTERPRETATION
The task appears to be a simple one, but problems might arise if the Ethernet
aggregated device count is not set properly. For example, even though R5 has only
one aggregated Ethernet interface, setting the Ethernet aggregated device count to
1 will result in a non-operational ae2 interface. The device count for R5 must be set
to 3 or higher. This setting results in the creation of interfaces ae0, ae1, and ae2,
which is expected for this task.
After the Ethernet device count is set, associate the correct member interfaces with
the correct aggregated Ethernet bundle. Then, configure the aggregated Ethernet
interface as you would any other Gigabit interface on the router.
TASK COMPLETION
• R1:
R1 (ttyd0)
login: lab
Password:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# set chassis aggregated-devices ethernet device-count 2
[edit]
lab@R1# edit interfaces
[edit interfaces]
lab@R1# set ge-0/0/4 gigether-options 802.3ad ae1
[edit interfaces]
lab@R1# set ge-0/0/5 gigether-options 802.3ad ae1
[edit interfaces]
lab@R1# edit ae1
commit complete
• R2:
R2 (ttyd0)
login: lab
Password:
lab@R2> configure
Entering configuration mode
[edit]
lab@R2# set chassis aggregated-devices ethernet device-count 1
[edit]
lab@R2# edit interfaces
[edit interfaces]
lab@R2# set ge-0/0/6 gigether-options 802.3ad ae0
[edit interfaces]
lab@R2# set ge-0/0/7 gigether-options 802.3ad ae0
[edit interfaces]
lab@R2# set ge-0/0/8 gigether-options 802.3ad ae0
[edit interfaces]
lab@R2# edit ae0
commit complete
• R4:
R4 (ttyd0)
login: lab
Password:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set chassis aggregated-devices ethernet device-count 3
[edit]
lab@R4# edit interfaces
[edit interfaces]
lab@R4# set ge-0/0/6 gigether-options 802.3ad ae1
[edit interfaces]
lab@R4# set ge-0/0/7 gigether-options 802.3ad ae1
[edit interfaces]
lab@R4# set ge-0/0/9 gigether-options 802.3ad ae0
[edit interfaces]
lab@R4# set ge-0/0/10 gigether-options 802.3ad ae0
[edit interfaces]
lab@R4# set ge-0/0/11 gigether-options 802.3ad ae0
[edit interfaces]
lab@R4# set ge-0/0/12 gigether-options 802.3ad ae2
[edit interfaces]
lab@R4# set ge-0/0/13 gigether-options 802.3ad ae2
[edit interfaces]
lab@R4# edit ae0
[edit interfaces]
lab@R4# edit ae1
[edit interfaces]
lab@R4# edit ae2
[edit interfaces]
lab@R4# show
...
ge-0/0/6 {
description "Connection to R1 ae1";
gigether-options {
802.3ad ae1;
}
}
ge-0/0/7 {
description "Connection to R1 ae1";
gigether-options {
802.3ad ae1;
}
}
...
ge-0/0/9 {
description "Connection to R2 ae0";
gigether-options {
802.3ad ae0;
}
}
ge-0/0/10 {
description "Connection to R2 ae0";
gigether-options {
802.3ad ae0;
}
}
ge-0/0/11 {
description "Connection to R2 ae0";
gigether-options {
802.3ad ae0;
}
}
ge-0/0/12 {
description "Connection to R5 ae2";
[edit interfaces]
lab@R4# commit
commit complete
• R5:
R5 (ttyd0)
login: lab
Password:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set chassis aggregated-devices ethernet device-count 3
[edit]
lab@R5# edit interfaces
[edit interfaces]
lab@R5# set ge-0/0/8 gigether-options 802.3ad ae2
[edit interfaces]
lab@R5# edit ae2
commit complete
TASK VERIFICATION
All aggregated Ethernet bundles terminate on R4, which allows you to verify all the
bundles from one router. Issuing the show interfaces terse | match ae*
command displays which member interfaces are associated with aggregated
Ethernet bundles. This command also displays the status of each aggregated
Ethernet interface.
However, we recommend issuing ping tests to ensure that the interfaces are
functional. A few ping replies from each router allows you to determine if the
aggregated Ethernet bundles are operational.
[edit interfaces]
lab@R4# run show interfaces terse | match ae*
Interface Admin Link Proto Local Remote
ge-0/0/6.0 up up aenet --> ae1.0
ge-0/0/7.0 up up aenet --> ae1.0
ge-0/0/9.0 up up aenet --> ae0.0
ge-0/0/10.0 up up aenet --> ae0.0
ge-0/0/11.0 up up aenet --> ae0.0
ge-0/0/12.0 up up aenet --> ae2.0
ge-0/0/13.0 up up aenet --> ae2.0
ae0 up up
ae0.0 up up inet 172.27.0.6/30
ae1 up up
ae1.0 up up inet 172.27.0.9/30
ae2 up up
ae2.0 up up inet 172.27.0.21/30
inet6 fe80::5668:290f:fc7a:9f2b
tap up up
vlan up down
[edit interfaces]
lab@R4# run ping 172.27.0.5 detail count 2
PING 172.27.0.5 (172.27.0.5): 56 data bytes
64 bytes from 172.27.0.5 via ae0.0: icmp_seq=0 ttl=64 time=3.920 ms
64 bytes from 172.27.0.5 via ae0.0: icmp_seq=1 ttl=64 time=3.558 ms
[edit interfaces]
lab@R4# run ping 172.27.0.10 detail count 2
PING 172.27.0.10 (172.27.0.10): 56 data bytes
64 bytes from 172.27.0.10 via ae1.0: icmp_seq=0 ttl=64 time=2.379 ms
64 bytes from 172.27.0.10 via ae1.0: icmp_seq=1 ttl=64 time=2.577 ms
[edit interfaces]
lab@R4# run ping 172.27.0.22 detail count 2
PING 172.27.0.22 (172.27.0.22): 56 data bytes
64 bytes from 172.27.0.22 via ae2.0: icmp_seq=0 ttl=64 time=2.552 ms
64 bytes from 172.27.0.22 via ae2.0: icmp_seq=1 ttl=64 time=2.615 ms
TASK INTERPRETATION
LACP must be configured on each router that has an aggregated Ethernet interface.
However, the key to this task is to configure R4 with the active command under
LACP. This configuration allows R4 to initiate the communication for all aggregated
Ethernet interfaces. Routers R1, R2, and R5 must set their LACP modes to
passive for their respective bundles.
commit complete
• R2:
[edit interfaces ae0]
lab@R2# set aggregated-ether-options lacp passive
commit complete
• R4:
[edit interfaces]
lab@R4# set ae0 aggregated-ether-options lacp active
[edit interfaces]
lab@R4# set ae1 aggregated-ether-options lacp active
[edit interfaces]
lab@R4# set ae2 aggregated-ether-options lacp active
[edit interfaces]
lab@R4# show
...
ae0 {
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family inet {
address 172.27.0.6/30;
}
}
}
ae1 {
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family inet {
address 172.27.0.9/30;
[edit interfaces]
lab@R4# commit
commit complete
• R5:
[edit interfaces ae2]
lab@R5# set aggregated-ether-options lacp passive
commit complete
TASK VERIFICATION
The following output displays which member interfaces for the aggregated Ethernet
bundles are in the active mode. R4’s output shows that its local interface, which is
designated with the keyword Actor, is in the Active state. The remote interface of
the local interface, which is designated with the keyword Partner, is in the
Passive state.
[edit interfaces]
lab@R4# run show lacp interfaces
Aggregated interface: ae0
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
ge-0/0/10 Actor No No Yes Yes Yes Yes Fast Active
ge-0/0/10 Partner No No Yes Yes Yes Yes Fast Passive
ge-0/0/11 Actor No No Yes Yes Yes Yes Fast Active
ge-0/0/11 Partner No No Yes Yes Yes Yes Fast Passive
ge-0/0/9 Actor No No Yes Yes Yes Yes Fast Active
ge-0/0/9 Partner No No Yes Yes Yes Yes Fast Passive
LACP protocol: Receive State Transmit State Mux State
ge-0/0/10 Current Fast periodic Collecting distributing
ge-0/0/11 Current Fast periodic Collecting distributing
ge-0/0/9 Current Fast periodic Collecting distributing
TASK INTERPRETATION
With all three Gigabit links functional, the aggregated Ethernet link between R2 and
R4 currently has a bandwidth capacity of 3 Gbps. If any of the links fails, the
bandwidth capacity will drop below the required 2.5 Gbps. To accomplish this task
you must enable the minimum-links statement with a value of 3. This value will
allow the routers to take the aggregated Ethernet interface down if one of the three
member links fails. Remember to enable this command on both R2 and R4; failure
to do so will cause one router to view the bundle as operational.
TASK COMPLETION
• R2:
[edit interfaces ae0]
lab@R2# set aggregated-ether-options minimum-links 3
• R4:
[edit interfaces]
lab@R4# set ae0 aggregated-ether-options minimum-links 3
[edit interfaces]
lab@R4# commit
TASK VERIFICATION
Issuing the show interfaces ae0 command enables you to determine if the
interface is configured to go down if fewer than three operational member links are
associated with it.
We can test this functionality by disabling any member interface of ae0. Once a
member interface is disabled, the aggregated Ethernet interface is declared down.
Note
Remember to delete the disable
statement from any interfaces that were
taken down to test failover scenarios.
Forgetting to do so might result in a point
deduction elsewhere in the exam.
[edit interfaces]
lab@R4# run show interfaces ae0 | match minimum
Flow control: Disabled, Minimum links needed: 3, Minimum bandwidth needed: 0
[edit interfaces]
lab@R4# run show interfaces terse | match ae0
ge-0/0/9.0 up up aenet --> ae0.0
ge-0/0/10.0 up up aenet --> ae0.0
ge-0/0/11.0 up up aenet --> ae0.0
ae0 up up
ae0.0 up up inet 172.27.0.6/30
[edit interfaces]
lab@R4# set ge-0/0/9 disable
[edit interfaces]
lab@R4# commit
commit complete
[edit interfaces]
lab@R4# run show interfaces terse | match ae0
ge-0/0/9.0 up down aenet --> ae0.0
ge-0/0/10.0 up up aenet --> ae0.0
ge-0/0/11.0 up up aenet --> ae0.0
ae0 up down
ae0.0 up down inet 172.27.0.6/30
[edit interfaces]
lab@R4# commit
commit complete
TASK 4
Enable Graceful Restart for all routing protocols except
BGP and OSPF on the internal routers.
TASK INTERPRETATION
Turning on graceful restart is accomplished by enabling it globally under the [edit
routing-options] hierarchy. Then, you must disable it for any routing protocols
in which you do not want it to participate.
In this task, all internal routers must have graceful restart disabled for BGP. Only R5
is running OSPF and requires that graceful restart be disabled for it.
TASK COMPLETION
• R1:
[edit interfaces ae1]
lab@R1# top edit routing-options
[edit routing-options]
lab@R1# set graceful-restart
[edit routing-options]
lab@R1# top edit protocols bgp
commit complete
• R2:
[edit interfaces ae0]
lab@R2# top edit routing-options
[edit routing-options]
lab@R2# top edit protocols bgp
commit complete
• R3:
R3 (ttyd0)
login: lab
Password:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# edit routing-options
[edit routing-options]
lab@R3# set graceful-restart
[edit routing-options]
lab@R3# top edit protocols bgp
commit complete
• R4:
[edit interfaces]
lab@R4# top edit routing-options
[edit routing-options]
lab@R4# set graceful-restart
[edit routing-options]
lab@R4# top edit protocols bgp
commit complete
• R5:
[edit routing-options]
lab@R5# set graceful-restart
[edit routing-options]
lab@R5# top edit protocols bgp
commit complete
TASK VERIFICATION
To check the status of graceful restart, you must examine each routing protocol for
which it is enabled or disabled. The following output displays the status of graceful
restart for BGP, OSPF, and IS-IS on R5. It is currently disabled for BGP and OSPF, but
it is enabled for IS-IS.
[edit protocols ospf]
lab@R5# run show bgp neighbor | match graceful
Options: <GracefulRestartHelperDisabled>
Options: <GracefulRestartHelperDisabled>
TASK INTERPRETATION
This task might seem straightforward, but be careful with the condition that R3
cannot regain mastership if it is lost. By default, VRRP is set to preempt mastership,
which means that R3 will regain mastership once the failover condition is restored.
Add the no-preempt command to R3’s configuration to accommodate this
requirement. It is not necessary to set this command on R5.
www.juniper.net Implementing Device Infrastructure (Detailed) • Lab 1–19
JNCIE Service Provider Bootcamp
Also, be careful of the VRRP priority values you assign to R3 and R4 in relation to the
interface tracking values set on R3. The interface tracking values must cause a
failover only if R3’s ge-0/0/1, ge-0/0/2, and ge-0/0/3 interfaces fail. Set the total of
all three interface tracking values to bring R3’s VRRP priority just below R5’s VRRP
priority.
TASK COMPLETION
• R3:
[edit protocols bgp]
lab@R3# top edit interfaces ge-0/0/4
commit complete
• R5:
[edit protocols ospf]
lab@R5# top edit interfaces ge-0/0/9
commit complete
TASK VERIFICATION
The show vrrp detail command contains all the information necessary to
determine the status of the VRRP group. Specifically, it gives you the state of the
VRRP member, the VRRP priority, the preempt status, the virtual IP address, and the
interfaces being tracked. From this output you can see if all the conditions of this
task are met.
You can test a failover condition by setting the necessary interfaces on R3 to the
disabled state. First, set the ge-0/0/1 and ge-0/0/2 interfaces to the disabled state
and commit the configuration. R3 retains mastership for the VRRP group. Set the
ge-0/0/3 interface on R3 to the disabled state and commit the configuration again.
R3 loses mastership to R5. You can now test if R5 will retain the mastership if R3’s
recently disabled interfaces are restored. Delete the disable statements that you
recently configured on R3’s interfaces and issue the show vrrp detail
command again. R5 now retains mastership for the VRRP as per the conditions in
the task.
• R5:
[edit interfaces ge-0/0/9 unit 0 family inet address 172.20.20.5/24 vrrp-group
1]
lab@R5# run show vrrp detail
Physical interface: ge-0/0/9, Unit: 0, Address: 172.20.20.5/24
Index: 77, SNMP ifIndex: 531, VRRP-Traps: disabled
Interface state: up, Group: 1, State: backup, VRRP Mode: Active
Priority: 100, Advertisement interval: 1, Authentication type: none
Delay threshold: 100, Computed send rate: 0
Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 172.20.20.100
Dead timer: 2.835s, Master priority: 174, Master router: 172.20.20.3
Virtual router uptime: 00:32:35
Tracking: disabled
• R3:
[edit interfaces ge-0/0/4 unit 0 family inet address 172.20.20.3/24 vrrp-group
1]
lab@R3# up 5
[edit interfaces]
lab@R3# set ge-0/0/1 disable
[edit interfaces]
lab@R3# set ge-0/0/2 disable
[edit interfaces]
lab@R3# commit
commit complete
[edit interfaces]
lab@R3# set ge-0/0/3 disable
[edit interfaces]
lab@R3# commit
commit complete
[edit interfaces]
lab@R3# run show vrrp detail
Physical interface: ge-0/0/4, Unit: 0, Address: 172.20.20.3/24
Index: 73, SNMP ifIndex: 519, VRRP-Traps: disabled
Interface state: up, Group: 1, State: backup, VRRP Mode: Active
Priority: 99, Advertisement interval: 1, Authentication type: none
Delay threshold: 100, Computed send rate: 0
Preempt: no, Accept-data mode: no, VIP count: 1, VIP: 172.20.20.100
Dead timer: 2.821s, Master priority: 100, Master router: 172.20.20.5
Virtual router uptime: 01:08:45
Tracking: enabled
Current priority: 99, Configured priority: 174
Priority hold time: disabled
Interface tracking: enabled, Interface count: 3
Interface Int state Int speed Incurred priority cost
ge-0/0/1.0 down 0 25
ge-0/0/2.0 down 0 25
ge-0/0/3.0 down 0 25
Route tracking: disabled
[edit interfaces]
lab@R3# delete ge-0/0/1 disable
[edit interfaces]
lab@R3# delete ge-0/0/2 disable
[edit interfaces]
lab@R3# commit
commit complete
[edit interfaces]
lab@R3# run show vrrp detail
Physical interface: ge-0/0/4, Unit: 0, Address: 172.20.20.3/24
Index: 73, SNMP ifIndex: 519, VRRP-Traps: disabled
Interface state: up, Group: 1, State: backup, VRRP Mode: Active
Priority: 174, Advertisement interval: 1, Authentication type: none
Delay threshold: 100, Computed send rate: 0
Preempt: no, Accept-data mode: no, VIP count: 1, VIP: 172.20.20.100
Dead timer: 2.848s, Master priority: 100, Master router: 172.20.20.5
Virtual router uptime: 01:09:01
Tracking: enabled
Current priority: 174, Configured priority: 174
Priority hold time: disabled
Interface tracking: enabled, Interface count: 3
Interface Int state Int speed Incurred priority cost
ge-0/0/1.0 up 1g 0
ge-0/0/2.0 up 1g 0
ge-0/0/3.0 up 1g 0
Route tracking: disabled
TASK 6
High availability is required for the data centers, DC1 and
DC2, that are connected to R2 and R4. Configure two VRRP
groups in which R2 is the master for the 172.20.21.0/24
range in VRRP group 100. R4 is the master for the
172.20.22.0/24 range in VRRP group 200. Use 802.1q tag
values that match the corresponding VRRP group identifiers.
If the link between R2 and R1 fails, R4 must acquire
mastership for VRRP group 100. If any member interface of
the ae0 interface fails, R2 must acquire mastership for
VRRP group 200. Refer to the Lab 1 diagram for the specific
interfaces and virtual IP addresses.
[edit interfaces ge-0/0/3 unit 100 family inet address 172.20.21.2/24 vrrp-group
100]
lab@R2# set virtual-address 172.20.21.100
[edit interfaces ge-0/0/3 unit 100 family inet address 172.20.21.2/24 vrrp-group
100]
lab@R2# set priority 200
[edit interfaces ge-0/0/3 unit 100 family inet address 172.20.21.2/24 vrrp-group
100]
lab@R2# set track interface ge-0/0/1 priority-cost 101
[edit interfaces ge-0/0/3 unit 100 family inet address 172.20.21.2/24 vrrp-group
100]
lab@R2# up 4
[edit interfaces ge-0/0/3 unit 200 family inet address 172.20.22.2/24 vrrp-group
200]
lab@R2# set virtual-address 172.20.22.200
[edit interfaces ge-0/0/3 unit 200 family inet address 172.20.22.2/24 vrrp-group
200]
lab@R2# set priority 100
[edit interfaces ge-0/0/3 unit 200 family inet address 172.20.22.2/24 vrrp-group
200]
lab@R2# up 4
commit complete
• R4:
[edit protocols bgp]
lab@R4# top edit interfaces ge-0/0/2
[edit interfaces ge-0/0/2 unit 100 family inet address 172.20.21.4/24 vrrp-group
100]
lab@R4# set virtual-address 172.20.21.100
[edit interfaces ge-0/0/2 unit 100 family inet address 172.20.21.4/24 vrrp-group
100]
lab@R4# set priority 100
[edit interfaces ge-0/0/2 unit 100 family inet address 172.20.21.4/24 vrrp-group
100]
lab@R4# up 4
[edit interfaces ge-0/0/2 unit 200 family inet address 172.20.22.4/24 vrrp-group
200]
lab@R4# set virtual-address 172.20.22.200
[edit interfaces ge-0/0/2 unit 200 family inet address 172.20.22.4/24 vrrp-group
200]
lab@R4# set priority 200
[edit interfaces ge-0/0/2 unit 200 family inet address 172.20.22.4/24 vrrp-group
200]
lab@R4# set track interface ae0 priority-cost 101
commit complete
TASK VERIFICATION
The show vrrp detail command produces all necessary information to verify
this task. Then, by disabling a member interface in the ae0 bundle, you can examine
the failover process of VRRP group 200. Then, by disabling the ge-0/0/1 interface
on R2, you can see the failover process of VRRP group 100.
Note
Remember to delete the disable
statement from any interfaces that were
taken down to test failover scenarios.
Forgetting to do so might result in a point
deduction elsewhere in the exam.
commit complete
commit complete
• R2:
[edit interfaces ge-0/0/3]
lab@R2# run show vrrp detail
Physical interface: ge-0/0/3, Unit: 100, Vlan-id: 100, Address: 172.20.21.2/24
Index: 77, SNMP ifIndex: 528, VRRP-Traps: disabled
Interface state: up, Group: 100, State: master, VRRP Mode: Active
Priority: 200, Advertisement interval: 1, Authentication type: none
Delay threshold: 100, Computed send rate: 0
Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 172.20.21.100
Advertisement Timer: 0.576s, Master router: 172.20.21.2
Virtual router uptime: 00:59:59, Master router uptime: 00:59:51
Virtual Mac: 00:00:5e:00:01:64
Tracking: enabled
Current priority: 200, Configured priority: 200
Priority hold time: disabled
Interface tracking: enabled, Interface count: 1
Interface Int state Int speed Incurred priority cost
ge-0/0/1.0 up 1g 0
Route tracking: disabled
commit complete
[edit system]
lab@R1# set radius-server 172.27.155.1 secret Juniper
• R2:
[edit interfaces ge-0/0/3]
lab@R2# top edit system
[edit system]
lab@R2# set radius-server 172.27.155.1 secret Juniper
• R3:
[edit interfaces]
lab@R3# top edit system
[edit system]
lab@R3# set radius-server 172.27.155.1 secret Juniper
• R4:
[edit interfaces ge-0/0/2]
lab@R4# top edit system
[edit system]
lab@R4# set radius-server 172.27.155.1 secret Juniper
• R5:
[edit interfaces ge-0/0/9 unit 0 family inet address 172.20.20.5/24 vrrp-group
1]
lab@R5# top edit system
[edit system]
lab@R5# set radius-server 172.27.155.1 secret Juniper
TASK VERIFICATION
Communication with the RADIUS server cannot be verified yet.
TASK 8
Configure two local users, jack and jill, on all internal
routers and provide them with full access to the routers.
TASK INTERPRETATION
This task requires you to configure two local users and assign them the
super-user class. The passwords that are given to them is completely up to you.
However, remember these passwords because you will use them to verify the users
authorization levels.
TASK COMPLETION
• R1:
[edit system]
lab@R1# set login user jack class super-user authentication plain-text-password
New password:
Retype new password:
[edit system]
lab@R1# set login user jill class super-user authentication plain-text-password
New password:
Retype new password:
[edit system]
lab@R1# commit
commit complete
• R2:
[edit system]
lab@R2# set login user jack class super-user authentication plain-text-password
New password:
Retype new password:
[edit system]
lab@R2# set login user jill class super-user authentication plain-text-password
New password:
Retype new password:
[edit system]
lab@R2# commit
commit complete
• R3:
[edit system]
lab@R3# set login user jack class super-user authentication plain-text-password
[edit system]
lab@R3# set login user jill class super-user authentication plain-text-password
New password:
Retype new password:
[edit system]
lab@R3# commit
commit complete
• R4:
[edit system]
lab@R4# set login user jack class super-user authentication plain-text-password
New password:
Retype new password:
[edit system]
lab@R4# set login user jill class super-user authentication plain-text-password
New password:
Retype new password:
[edit system]
lab@R4# commit
commit complete
• R5:
[edit system]
lab@R5# set login user jack class super-user authentication plain-text-password
New password:
Retype new password:
[edit system]
lab@R5# set login user jill class super-user authentication plain-text-password
New password:
Retype new password:
[edit system]
lab@R5# commit
commit complete
TASK VERIFICATION
To verify the task, log out of the router and then log in as user jack or jill. Once
you have logged in to the router, issue the show cli authorization command
to view the permissions assigned to the user.
[edit system]
lab@R1# exit configuration-mode
Exiting configuration mode
R1 (ttyd0)
login: jack
Password:
jack@R1> exit
R1 (ttyd0)
login: lab
Password:
TASK INTERPRETATION
In this task, you create a user template that the router uses to assign permissions to
users who first authenticate with the RADIUS server. In this user template, you
define a custom class that gives full permissions but restricts the users from issuing
any commands that contain the statements restart, reboot, power-off, or
halt.
TASK COMPLETION
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# edit system login
commit complete
• R2:
[edit system]
lab@R2# edit login
commit complete
• R3:
[edit system]
lab@R3# edit login
commit complete
• R4:
[edit system]
lab@R4# edit login
commit complete
• R5:
lab@R5> configure
Entering configuration mode
[edit system]
lab@R5# edit login
commit complete
TASK VERIFICATION
Currently, the RADIUS server is not usable, which means the design user template
cannot be tested in this manner. However, you can move the user jack to the
design class, commit the configuration, log out, and log in as jack to test the user
template.
Note
Remember to return jack to the
super-user class when you finish
testing the user template. Forgetting to do
so might result in a point deduction in the
exam.
lab@R1> exit
R1 (ttyd0)
login: jack
Password:
[edit]
jack@R1# edit system login
commit complete
Exiting configuration mode
jack@R1> exit
R1 (ttyd0)
login: lab
Password:
TASK INTERPRETATION
This task is similar to the previous task in which you must create a user template.
However, even though it is possible to accomplish this task by issuing a list of
deny-commands, as you did in the previous task, it is not recommended. Doing so
would be time consuming and it is possible that a necessary command would not
make it on the list.
A superior method to accomplish this task is to give the support user template the
necessary permissions.
TASK COMPLETION
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# edit system login
commit complete
commit complete
• R3:
[edit system login]
lab@R3# set class support-class permissions [ view view-configuration ]
commit complete
• R4:
[edit system login]
lab@R4# set class support-class permissions [ view view-configuration ]
commit complete
• R5:
[edit system login]
lab@R5# set class support-class permissions [ view view-configuration ]
commit complete
Note
Remember to return jack to the
super-user class when you finish testing
the user template. Forgetting to do so might
result in a point deduction in the exam.
commit complete
Exiting configuration mode
lab@R1> exit
R1 (ttyd0)
login: jack
Password:
jack@R1> configure
^
unknown command.
jack@R1> exit
R1 (ttyd0)
login: lab
Password:
commit complete
TASK 11
Allow jack and jill to authenticate locally on the routers
only if the RADIUS server is unreachable.
TASK INTERPRETATION
By default, the router allows only local users to log in. To change this behavior, you
must configure the router to authenticate with the RADIUS server under the [edit
system] hierarchy.
Once under the [edit system] hierarchy level use the
authentication-order command to configure the router to authenticate users
with the RADIUS server. Using only the radius option will enable the router to
authenticate all users with the RADIUS server. If the router cannot communicate
with the RADIUS server, it then allows local authentication to be used. However, if
the password and radius options are used, local users can log in to the router
even if the RADIUS server is reachable.
TASK COMPLETION
• R1:
[edit system login]
lab@R1# up
[edit system]
lab@R1# set authentication-order ?
Possible completions:
[ Open a set of values
password Traditional password authentication
radius Remote Authentication Dial-In User Service
tacplus TACACS+ authentication services
Lab 1–44 • Implementing Device Infrastructure (Detailed) www.juniper.net
JNCIE Service Provider Bootcamp
[edit system]
lab@R1# set authentication-order radius
[edit system]
lab@R1# commit
commit complete
• R2:
[edit system login]
lab@R2# up
[edit system]
lab@R2# set authentication-order radius
[edit system]
lab@R2# commit
commit complete
• R3:
[edit system login]
lab@R3# up
[edit system]
lab@R3# set authentication-order radius
[edit system]
lab@R3# commit
commit complete
• R4:
[edit system login]
lab@R4# up
[edit system]
lab@R4# set authentication-order radius
[edit system]
lab@R4# commit
commit complete
• R5:
[edit system login]
lab@R5# up
[edit system]
lab@R5# set authentication-order radius
commit complete
TASK VERIFICATION
You have the opportunity to verify this task because the RADIUS server is currently
unreachable. Simply log out of the router and attempt to log in as user jack. You
will receive a delay while the router attempts to contact the RADIUS server. The
Local password prompt is displayed because the RADIUS server is unreachable.
Enter the password you gave to the user jack at the Local password prompt to
log in to the router again.
[edit system]
lab@R1# exit configuration-mode
Exiting configuration mode
lab@R1> exit
R1 (ttyd0)
login: jack
Password:
Local password:
R1 (ttyd0)
login: lab
Password:
Local password:
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# edit system ports
commit complete
• R2:
[edit system]
lab@R2# edit ports
commit complete
commit complete
• R4:
[edit system]
lab@R4# edit system ports
commit complete
• R5:
[edit system]
lab@R5# edit system ports
commit complete
TASK VERIFICATION
Attempt to log in to the router with user root and access is denied. You do not know
the current password for user root. You must change root password to verify this
step. This confirms that you have accomplished the task by denying root access
through the console port.
Note
Receiving the Local password prompt
is expected because of the authentication
order we specified in a previous step.
commit complete
lab@R1> exit
R1 (ttyd0)
login: root
Password:
Local password:
Login incorrect
login: lab
Password:
Local password:
[edit firewall]
lab@R5# show | no-more
family inet {
filter protect-re {
term RSVP-allow {
from {
protocol rsvp;
}
then accept;
}
term LDP-allow {
from {
protocol [ tcp udp ];
port ldp;
}
then accept;
[edit firewall]
lab@R5# commit
commit complete
TASK VERIFICATION
There is no simple way to verify if a firewall filter is working. You must test each term
individually and some terms are not verifiable at this time.
You can easily verify the essential protocols running on the router by issuing
operational commands. Issue the show rsvp neighbor, show ldp
neighbor, show ospf neighbor, show isis adjacency, and show vrrp
commands to verify these protocols are maintaining their states.
You can test the two terms for SSH by originating SSH connections from different IP
addresses. For example, you can initiate an SSH connection from R1 and by default
the source address of the connection will be assigned from an internal interface.
Then you can initiate another SSH connection from R1 and add the source option
with a non 172.27.0.0/16 IP address that is assigned to the router. The first SSH
connection succeeds and the second times out.
Unfortunately, you cannot test the term configured for RADIUS at this time. This
service is not currently operational in the test bed.
• R5:
[edit firewall]
lab@R5# run show rsvp neighbor
RSVP neighbor: 2 learned
Address Idle Up/Dn LastChange HelloInt HelloTx/Rx MsgRcvd
172.27.0.26 0 1/0 3:00 9 22/22 14
172.27.0.21 0 1/0 1:00 9 9/9 7
[edit firewall]
lab@R5# run show ldp neighbor
Address Interface Label space ID Hold time
172.27.0.26 ge-0/0/1.0 172.27.255.3:0 13
172.27.0.21 ae2.0 172.27.255.4:0 10
[edit firewall]
lab@R5# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.101 ge-0/0/9.0 Full 172.27.0.50 128 37
[edit firewall]
lab@R5# run show vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/9.0 up 1 master Active A 0.758 lcl 172.20.20.5
vip 172.20.20.100
• R2:
[edit]
lab@R2# run ssh 172.27.255.5
The authenticity of host '172.27.255.5 (172.27.255.5)' can't be established.
RSA key fingerprint is 0c:d7:22:f8:ae:60:7b:60:12:40:df:e2:b4:2f:d1:c7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.27.255.5' (RSA) to the list of known hosts.
lab@172.27.255.5's password:
--- JUNOS 10.3-20110523_pvt_predator_a.0 built 2011-05-23 04:17:01 UTC
lab@R5> exit
[edit]
lab@R2# run ssh 172.27.255.5 source 172.20.21.2
ssh: connect to host 172.27.255.5 port 22: Operation timed out
TASK 14
Log and silently discard all instances of IPv4 or IPv6
traffic that are coming from transit peers and have the
source address of 172.27.0.0/16 or 2008:4498::/32. This
information must be recoverable after a reboot.
[edit firewall]
lab@R5# edit family inet6 filter block-ipv6-int
[edit firewall]
lab@R5# show
family inet {
...
filter block-ipv4-int {
term int-src {
from {
source-address {
172.27.0.0/16;
}
}
then {
syslog;
discard;
}
}
term allow-rest {
then accept;
}
}
}
family inet6 {
filter block-ipv6-int {
term int-src {
from {
source-address {
2008:4498::/32;
}
}
then {
syslog;
discard;
}
}
term allow-rest {
then accept;
}
}
}
...
[edit firewall]
lab@R5# top edit system syslog file int-src-violations
commit complete
• R2:
[edit system]
lab@R2# top edit firewall family inet filter block-ipv4-int
[edit firewall]
lab@R2# edit family inet6 filter block-ipv6-int
commit complete
TASK VERIFICATION
You can verify this task by logging in to the VR-device and pinging the directly
connected interfaces of routers R2 and R5 from T1 and T2, respectively. Then, you
can view the recently created syslog for the recording of the violation.
• VR-device:
root@vr-device> ping 172.27.0.37 routing-instance transit1 count 2
PING 172.27.0.37 (172.27.0.37): 56 data bytes
• R2:
[edit interfaces ge-0/0/2]
lab@R2# run show log int-src-violations
Jun 29 02:34:21 R2 clear-log[61969]: logfile cleared
Jun 29 02:35:24 R2 fwdd[1082]: PFE_FW_SYSLOG_IP: FW: ge-0/0/2.0 D icmp
172.27.0.38 172.27.0.37 8 0 (1 packets)
Jun 29 02:35:25 R2 fwdd[1082]: PFE_FW_SYSLOG_IP: FW: ge-0/0/2.0 D icmp
172.27.0.38 172.27.0.37 8 0 (1 packets)
Jun 29 02:35:42 R2 fwdd[1082]: PFE_FW_SYSLOG_IP6_ICMP: FW: ge-0/0/2.0 D
icmpv6 SA 820:9844:9844:0:0:0:0:200 DA 2ff:0:0:0:0:100:ff:100 type 135
code 0 (1 packets)
Jun 29 02:35:44 R2 last message repeated 2 times
• R5:
[edit interfaces ge-0/0/5]
lab@R5# run show log int-src-violations
Jun 29 02:36:02 R5 clear-log[67535]: logfile cleared
Jun 29 02:36:07 R5 last message repeated 6 times
Jun 29 02:37:23 R5 fwdd[1155]: PFE_FW_SYSLOG_IP: FW: ge-0/0/5.0 D icmp
172.27.0.58 172.27.0.57 8 0 (1 packets)
Jun 29 02:37:24 R5 fwdd[1155]: PFE_FW_SYSLOG_IP: FW: ge-0/0/5.0 D icmp
172.27.0.58 172.27.0.57 8 0 (1 packets)
Jun 29 02:37:39 R5 fwdd[1155]: PFE_FW_SYSLOG_IP6_ICMP: FW: ge-0/0/5.0 D
icmpv6 SA 820:9844:0:0:0:0:0:200 DA 2ff:0:0:0:0:100:ff:100 type 135 code
0 (1 packets)
Jun 29 02:37:42 R5 last message repeated 2 times
TASK 15
On router R4, configure the syslog file Monitor-Agg-Eth to
only log information associated with its local aggregated
Ethernet interfaces. To conserve space on the routers,
there can be only 20 files of this information stored
locally. Each file can be no more than 1 MB in size.
TASK INTERPRETATION
To complete this task, you must configure the syslog file Monitor-agg-Eth on
router R4 to the facility level of any and the severity level of any. There must not be
anymore then 20 files stored locally and each of those files cannot be larger then
1 MB. Then, you must configure the syslog to only collect information in regards to
R4’s local aggregated Ethernet interfaces. To accomplish this part of the task, you
must use the match option. Through the use of regular expressions you can
configure the syslog file to collect only the necessary information.
TASK COMPLETION
[edit system ports]
lab@R4# up 1 edit syslog file Monitor-Agg-Eth
commit complete
TASK VERIFICATION
To verify this task, set the disable option on R4’s local aggregated Ethernet
interfaces, commit the configuration, delete the disable option, and commit the
configuration again. Then, examine the Monitor-Agg-Eth syslog file for evidence
of recent activity on the aggregated Ethernet interfaces.
[edit system syslog file Monitor-Agg-Eth]
lab@R4# top set interfaces ae0 disable
commit complete
commit complete
TASK INTERPRETATION
To complete this task, you must configure the syslog utility to use the
interactive-commands facility when sending information to the syslog server
located at 172.27.155.1. Instead of specifying a file name for the syslog, use the
host statement instead, which allows you to specify the server’s IP address.
TASK COMPLETION
• R1:
[edit system ports]
lab@R1# up 1 edit syslog host 172.27.155.1
commit complete
• R2:
[edit interfaces ge-0/0/2]
lab@R2# top edit syslog host 172.27.155.1
commit complete
• R3:
[edit system ports]
lab@R3# up 1 edit syslog host 172.27.155.1
commit complete
• R4:
[edit system syslog file Monitor-Agg-Eth]
lab@R4# up
commit complete
• R5:
[edit interfaces ge-0/0/5]
lab@R5# top edit system syslog host 172.27.155.1
commit complete
TASK VERIFICATION
Note
You must log in to the internal server using
the root username and the password
Clouds to verify this task.
To verify this task, issue a few commands on any of the routers and then log in to the
internal server. Once you log in to the internal server, issue the cat/etc/var/
log/messages command. This command displays the syslog messages that
arrived from you entering commands on the router.
• R1:
[edit system syslog host 172.27.155.1]
lab@R1# top
[edit]
lab@R1# edit system syslog host 172.27.155.1
TASK INTERPRETATION
To complete this task, configuration archiving must be configured. Configure the
router to send its configuration using SCP every 15 minutes. Be aware that the
transmit interval is configured in minutes. Configure the transmit-interval
statement with a value of 15 to complete this part.
The syntax for SCP to transfer the configuration is as follows “scp://
username:password@172.27.155.1:/var/tmp/”. Be sure to encase the
command in quotes. Failing to do so results in a syntax error.
TASK COMPLETION
• R1:
[edit system syslog host 172.27.155.1]
lab@R1# up 2
commit complete
• R2:
[edit system syslog host 172.27.155.1]
lab@R2# up 2
[edit system]
lab@R2# edit archival
commit complete
• R3:
[edit system syslog host 172.27.155.1]
lab@R3# up 2
[edit system]
lab@R3# edit archival
commit complete
• R4:
[edit system syslog host 172.27.155.1]
lab@R4# up 2
[edit system]
lab@R4# edit archival
commit complete
• R5:
[edit system syslog host 172.27.155.1]
lab@R5# up 2
[edit system]
lab@R5# edit archival
commit complete
TASK VERIFICATION.
Note
You must log in to the internal server using
the root username and the password
Clouds to verify this task.
To verify this task, you must access the internal server and examine the /var/tmp/
directory. However, the minimum transfer interval is 15 minutes. You might need to
come back to this task after working through the lab further to examine the files.
[root@centos /]# ls /var/tmp/
R1_juniper.conf.gz_20110629_212753
R2_juniper.conf.gz_20110629_212751
R3_juniper.conf.gz_20110629_212737
R4_juniper.conf.gz_20110628_225807
R5_juniper.conf.gz_20110627_225747
vr-device_juniper.conf.gz_20110629_105758
TASK 18
The backbone-mtu.slax commit script is available to assist
you in checking core interface MTU values. The commit
script is located on the internal server at 172.27.155.1 in
the /etc/ directory. Because the commit script might change
in the future, configure all internal routers to refresh
and retrieve the commit script through SCP. Use the root
username with the password Clouds to authenticate with the
internal server.
TASK INTERPRETATION
To complete this task, you must first configure the router to communicate with the
internal server using SCP. Remember to specify the username and the directory in
which the file is located. Even though you specify the commit script name after the
file statement, you must also specify the commit script name in the source.
commit complete
• R2:
[edit system archival]
lab@R2# up 1 edit scripts commit
commit complete
commit complete
• R4:
[edit system archival]
lab@R4# up 1 edit scripts commit
commit complete
• R5:
[edit system archival]
lab@R5# up 1 edit scripts commit
commit complete
TASK VERIFICATION
You can verify this task by examining the warning message you receive when you
issue a commit. If you do not receive a warning message or if the commit fails, the
task is not complete.
[edit system scripts commit]
lab@R1# commit
warning: MTU on backbone interface ge-0/0/3.0 is not set to 4484 (1514) Please
change the interface's physical MTU to 4484
warning: MTU on backbone interface ge-0/0/6.0 is not set to 4484 (1514) Please
change the interface's physical MTU to 4484
commit complete
TASK 19
Change any interface physical MTU value to the MTU value
the commit script recommends.
TASK INTERPRETATION
The commit script you applied in the last task detects physical MTU values on core
interfaces that are incorrect. Do as the commit script advises and change the
physical MTU values to what it recommends.
TASK COMPLETION
• R1:
[edit system scripts commit]
[edit interfaces]
lab@R1# set ge-0/0/3 mtu 4484
[edit interfaces]
lab@R1# set ge-0/0/6 mtu 4484
[edit interfaces]
lab@R1# commit
commit complete
• R2:
[edit system scripts commit]
lab@R2# top edit interfaces
[edit interfaces]
lab@R2# set ge-0/0/1 mtu 4484
[edit interfaces]
lab@R2# commit
commit complete
• R3:
[edit system scripts commit]
lab@R3# top edit interfaces
[edit interfaces]
lab@R3# set ge-0/0/1 mtu 4484
[edit interfaces]
lab@R3# set ge-0/0/2 mtu 4484
[edit interfaces]
lab@R3# set ge-0/0/3 mtu 4484
[edit interfaces]
lab@R3# commit
commit complete
• R4:
[edit system scripts commit]
lab@R4# top edit interfaces
[edit interfaces]
lab@R4# set ge-0/0/5 mtu 4484
[edit interfaces]
lab@R4# commit
• R5:
[edit system scripts commit]
lab@R5# top edit interfaces
[edit interfaces]
lab@R5# set ge-0/0/1 mtu 4484
[edit interfaces]
lab@R5# commit
commit complete
TASK VERIFICATION
If the commit script does not issue a warning about an incorrect interface MTU value
then this task is complete.
Overview
In this lab, you will be given a list of tasks specific to IS-IS implementation to accomplish
in a timed setting. You will have 1 hour and 15 minutes to complete the simulation.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions. You might
find more than one method for accomplishing each task.
By completing this lab, you will perform the following tasks:
• Routers R1, R2, R3, R4, and R5 must be configured to participate in your IS-IS
domain. Each router’s system ID must be based on its loopback address.
Configure each router to support only one IS-IS adjacency per router pairing.
Loss of R3 or R4 must not isolate any internal router. Configure the IS-IS areas
and levels as shown in the “Lab 2: IS-IS Implementation” diagram.
• The loopback addresses of R1 and R2 must not appear in the routing table of
R5. However, loopback address to loopback address reachability from all
internal routers is required.
• The routes associated with the link between R2 and T1, and the routes
associated with the link between R5 and T2 must appear as internal IS-IS
routes within your network. However, the IPv6 routes from these links must not
appear in R1’s routing table but must appear in R2’s routing table. The [edit
routing-options] hierarchy level on R1 cannot be altered to accomplish
this task.
• Configure R1 to receive RIP routes from C1. Then configure R1 to send a
summary route to C1 only when R2’s loopback address is present in R1’s
routing table. This summary route should represent your internal IPv4 address
space. The routes received from C1 must be present in area 49.0001 as IS-IS
external routes. These individual routes must not appear in the routing table of
R5. However, you must ensure that R5 can reach these destinations.
In this lab part, you will become familiar with implementing IS-IS as the IGP in your
network. You will be given a list of tasks that will require you to configure and
monitor IS-IS operations.
Note
We recommend that you spend some time
investigating the current operation of your
routers. During the real exam, you might be
given routers that are operating
inefficiently. Investigating operating issues
now might save you a lot of time
troubleshooting strange issues later.
TASK 1
Routers R1, R2, R3, R4, and R5 must be configured to
participate in your IS-IS domain. Each router’s system ID
must be based on its loopback address. Configure each
router to support only one IS-IS adjacency per router
pairing. Loss of R3 or R4 must not isolate any internal
router. Configure the IS-IS areas and levels as shown in
the “Lab 2: IS-IS Implementation” diagram.
Question: Which AFI value must you use for the IS-IS
areas?
TASK INTERPRETATION
This task can be split into two smaller tasks, and then you can proceed with each
task. First, you must base the system ID for each router using its corresponding
loopback address. The method you use to do this can vary, but as long as the
system ID in the ISO address resembles the IPv4 address on the loopback interface,
the criterion for this part of the task is complete.
Second, you must configure each router to have only one IS-IS adjacency per router
pairing. Each interface can only participate in Level 1 or Level 2, but not both. This
excludes the loopback interface because no router pairing can occur from it
participating in Level 1 and Level 2.
Confusion might be caused when attempting to decide which area ID you must
assign to R3 and R4. R1 and R2 must form Level 1 adjacencies with R3 and R4,
which requires R3 and R4 to have the same area ID as R1 and R2. To complete this
part of the task, configure the area ID of 49.0001 on R1, R2, R3, and R4; then
configure the area ID of 49.0002 on R5.
Note
The last part of this task not only applies to
this task but all remaining tasks for the
IS-IS part of this lab. For example, when
applying a policy that leaks routes from one
level to the other, ensure that the loss of R3
or R4 does not stop the leaking of the
routes into that level.
TASK COMPLETION
• R1:
R1 (ttyd0)
login: lab
Password:
[edit]
lab@R1# edit interfaces
[edit interfaces]
lab@R1# set lo0.0 family iso address 49.0001.0172.0027.2551.00
[edit interfaces]
lab@R1# set ge-0/0/3.0 family iso
[edit interfaces]
lab@R1# set ge-0/0/6.0 family iso
[edit interfaces]
lab@R1# set ae1.0 family iso
[edit interfaces]
lab@R1# top edit protocols isis
commit complete
Lab 2–4 • IS-IS Implementation (Detailed) www.juniper.net
JNCIE Service Provider Bootcamp
• R2:
R2 (ttyd0)
login: lab
Password:
[edit]
lab@R2# edit interfaces
[edit interfaces]
lab@R2# set lo0.0 family iso address 49.0001.0172.0027.2552.00
[edit interfaces]
lab@R2# set ge-0/0/1.0 family iso
[edit interfaces]
lab@R2# set ae0.0 family iso
[edit interfaces]
lab@R2# top edit protocols isis
[edit interfaces]
lab@R2# commit
• R3:
R3 (ttyd0)
login: lab
Password:
[edit]
lab@R3# edit interfaces
[edit interfaces]
lab@R3# set lo0.0 family iso address 49.0001.0172.0027.2553.00
[edit interfaces]
lab@R3# set ge-0/0/1.0 family iso
[edit interfaces]
lab@R3# set ge-0/0/3.0 family iso
[edit interfaces]
lab@R3# top edit protocols isis
commit complete
• R4:
R4 (ttyd0)
login: lab
Password:
[edit]
lab@R4# edit interfaces
[edit interfaces]
lab@R4# set lo0.0 family iso address 49.0001.0172.0027.2554.00
[edit interfaces]
lab@R4# set ge-0/0/5.0 family iso
[edit interfaces]
lab@R4# set ae0.0 family iso
[edit interfaces]
lab@R4# set ae1.0 family iso
[edit interfaces]
lab@R4# set ae2.0 family iso
• R5:
R5 (ttyd0)
login: lab
Password:
[edit]
lab@R5# edit interfaces
[edit interfaces]
lab@R5# set lo0.0 family iso address 49.0002.0172.0027.2555.00
[edit interfaces]
lab@R5# set ge-0/0/1.0 family iso
[edit interfaces]
lab@R5# set ae2.0 family iso
[edit interfaces]
lab@R5# top edit protocols isis
commit complete
TASK VERIFICATION
You can verify the IS-IS address applied to the loopback interface by issuing the
show interface terse lo0.0 command on each router. Each router should
have an IS-IS address that contains the AFI and area values of 49.0001 or 49.0002,
and a system ID that represents the routers IPv4 loopback address.
You can verify the number of adjacencies per router pairing by issuing the show
isis adjacency command. Each router must only have one Level 1 or one
Level 2 adjacency per router pairing. You can obtain further info on the number of
adjacencies per interface by issuing the show isis interface detail
command, but this is unnecessary to verify this task.
• R1:
[edit protocols isis]
lab@R1# run show interfaces terse lo0.0
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.1 --> 0/0
iso 49.0003.0172.0027.2551
• R2:
[edit protocols isis]
lab@R2# run show interfaces terse lo0.0
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.2 --> 0/0
iso 49.0003.0172.0027.2552
• R3:
[edit protocols isis]
lab@R3# run show interfaces terse lo0.0
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.3 --> 0/0
iso 49.0003.0172.0027.2553
• R4:
[edit protocols isis]
lab@R4# run show interfaces lo0.0 terse
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.4 --> 0/0
iso 49.0003.0172.0027.2254
• R5:
[edit protocols isis]
lab@R5# run show interfaces terse lo0.0
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.5 --> 0/0
iso 49.0003.0172.0027.2555
[edit routing-options]
lab@R3# set aggregate route 172.27.255/30
[edit routing-options]
lab@R3# top edit policy-options policy-statement leak-routes
commit complete
• R4:
[edit protocols isis]
lab@R4# top edit routing-options
[edit routing-options]
lab@R4# set aggregate route 172.27.255/30
[edit routing-options]
lab@R4# top edit policy-options policy-statement leak-routes
commit complete
TASK VERIFICATION
To verify this task, examine the routing tables on R3, R4, and R5. The recently
configured aggregate route and the routes for R1’s and R2’s loopback addresses
should be present on R3 and R4. An external IS-IS route that represents R1’s and
R2’s loopback addresses should be present on R5. The individual routes for the
loopback addresses of R1 and R2 should be absent from R5. Then, ensure
loopback address to loopback address reachability by issuing pings from R5 to all
other internal routers.
• R3:
[edit protocols isis]
lab@R3# run show route 172.27.255/30
• R4:
[edit protocols isis]
lab@R4# run show route 172.27.255/30
TASK INTERPRETATION
In the first part of this task, you must enable IS-IS on the ge-0/0/5 interface on R5
and the ge-0/0/2 interface on R2. Then you must place these interfaces within the
IS-IS protocol of the respective routers. Place these interfaces into passive mode to
inject these interface routes as internal routes in your IS-IS domain. Route leaking
on R3 and R4 is required to advertise these routes to R1 and R2. Update your
recently configured route leaking policy to accomplish this part of the task.
The last task states that the IPv6 routes associated with these links cannot be
present in R1’s routing table. If the task allowed you to alter the [edit
routing-options] hierarchy level, you could simply add the IPv6 prefix in
question to the martian route list, but this is not a method you can use to
accomplish this task. Also, you cannot use route leaking to accomplish this task
because R2 must have this route in its routing table. The only means necessary to
accomplish this task is to disable IPv6 routing on R2 by issuing the
no-ipv6-routing command under the [edit protocols isis] hierarchy
level.
TASK COMPLETION
• R2:
[edit protocols isis]
lab@R2# set interface ge-0/0/2 passive
commit complete
• R5:
[edit protocols isis]
lab@R5# set interface ge-0/0/5 passive
commit complete
• R3:
[edit protocols isis]
lab@R3# top edit policy-options policy-statement leak-routes term r5-IPv4-int
commit complete
• R4:
[edit protocols isis]
lab@R4# top edit policy-options policy-statement leak-routes term r5-IPv4-int
commit complete
• R1:
[edit protocols isis]
lab@R1# set no-ipv6-routing
commit complete
TASK VERIFICATION
You can verify this task by examining the routing tables on R1, R2, and R5. The
necessary routes must appear in those routing tables. Also, verify that the IPv6
routes from R2 and R5 do not appear in R1’s routing table.
• R1:
[edit protocols isis]
lab@R1# run show route protocol isis
• R2:
[edit protocols isis]
lab@R2# run show route protocol isis
• R5:
[edit protocols isis]
lab@R5# run show route protocol isis
TASK INTERPRETATION
To complete this task, you must first configure R1 to exchange RIP routes with C1.
You must configure a generate route on R1 that is attached to a policy that allows it
to accept only R2’s loopback address as a contributing route, and then export this
generate route into RIP through a policy. The RIP routes on R1 that are being
received from C1 must now be exported into IS-IS.
[edit routing-options]
lab@R1# set generate route 172.27/16 policy isis-present
[edit routing-options]
lab@R1# top edit policy-options policy-statement rip-out term gen-rip
commit complete
• R3:
[edit policy-options policy-statement leak-routes]
lab@R3# top set routing-options aggregate route 172.16.16/21
commit complete
• R4:
[edit policy-options policy-statement leak-routes]
lab@R4# top set routing-options aggregate route 172.16.16/21
commit complete
TASK VERIFICATION
To verify this task, examine the routing tables of R1 and R5. The RIP routes should
be present on R1 and the summary route should be present on R5. Next, examine
the generate route on R1 using the show route 172.16.16/21 exact
detail command. In this output, you can see that the only contributing route is the
loopback address of R2. To ensure R1 is advertising the generate route to C1, issue
the show route advertising-protocol rip 172.27.0.29 command.
Then, to ensure reachability from R5 to the prefixes C1 is advertising, issue the
ping 172.16.16.1 detail count 2 command on R5.
• R1:
[edit policy-options policy-statement isis-present term isis]
lab@R1# run show route 172.16.16/21
• R5:
[edit protocols isis]
lab@R5# run show route 172.16.16/21
commit complete
• R4:
[edit policy-options policy-statement leak-routes term lvl-1-ext]
lab@R4# top set level 2 wide-metrics-only
commit complete
• R5:
[edit protocols isis]
lab@R5# up 1 edit ospf
commit complete
TASK VERIFICATION
To verify this task, examine the routing tables on R1, R2, and R4. The 10.22.0.0/21
prefix appears on R1 and R2 with a metric value that is less than 84. The same
prefix appears on R4 with a metric value that is greater than 300.
• R1:
[edit protocols isis]
lab@R1# run show route 10.22/21
• R2:
[edit protocols isis]
lab@R2# run show route 10.22/21
• R4:
[edit policy-options policy-statement leak-routes term lvl-2-ext]
lab@R4# run show route 10.22/21
TASK INTERPRETATION
To complete this task, you must redistribute the 10.100.100.0/24 static route found
on R2 and R4 into IS-IS. Redistributing the static route on R2 is fairly
straightforward, however you must leak this route into Level 2 to accomplish the
redundancy criterion. It might be helpful to add a tag value to the route when you
redistribute it into IS-IS. This allows you to easily identify the route in the route
leaking policy found on R3.
To redistribute the static route on R4, you must add two terms to R4’s route leaking
policy. The first term must redistribute the route into Level 2. The second term must
redistribute the route into Level 1. However, when injecting the route into Level 1,
you must add a metric value that makes it less preferable than the static route R2 is
injecting into Level 1.
Then, you must configure a route leaking policy on R3 to leak the 10.100.100.0/24
prefix, that is present in Level 1, into Level 2. This satisfies the redundancy criterion
for this task.
TASK COMPLETION
• R2:
[edit protocols isis]
lab@R2# set export static-isis
commit complete
• R4:
[edit policy-options policy-statement leak-routes term lvl-2-ext]
lab@R4# up 1 edit term static-DC-lvl-1
commit complete
• R3:
[edit protocols isis]
lab@R3# top edit policy-options policy-statement leak-routes term
DC1-lvl-1-to-lvl-2
commit complete
TASK VERIFICATION
To verify this task, examine the routing tables on R1 and R5 for the primary routes.
Then examine the IS-IS link state databases on R1 and R5 for the backup routes. In
the IS-IS link state database, each router will have two LSPs for the route. R1 has
LSPs from R2 and R4 that contain the 10.100.100.0/24 prefix, however the LSP
from R2 has a lower metric for the route. R5 has LSPs from R3 and R4 that contain
the 10.100.100.0/24 prefix, however the LSP from R4 has a lower metric for the
route.
• R1:
[edit protocols isis]
lab@R1# run show route 10.100.100/24
[edit policy-options]
lab@R1# run show isis database detail R2
IS-IS level 1 link-state database:
[edit policy-options]
lab@R1# run show isis database detail R4
IS-IS level 1 link-state database:
• R5:
[edit protocols isis]
lab@R5# run show route 10.100.100/24
TASK INTERPRETATION
To achieve sub-second failover capabilities with all Level 2 adjacencies, you must
configure BFD on the interfaces that require it. Configure BFD with a
minimum-interval value of 333 milliseconds or less. This gives a Detect
time value of less than one second.
To complete the next part of this task, you must adjust the hold-time value for all
Level 1 adjacencies to 6 seconds. Alternatively, you can configure the
hello-interval value to 2 seconds which results in a 6 second hold-time
value. There is no need to configure non-DR interfaces differently than DR
interfaces. Configuring all Level 1 interfaces with a hold-time value of 6 results in
DR interfaces having a hold-time value of 2. If you configure DR interfaces with a
hold-time value of 2 the resulting hold-time value is actually 1 second.
TASK COMPLETION
• R1:
[edit protocols isis]
lab@R1# set interface all level 1 hold-time 6
commit complete
• R2:
[edit policy-options policy-statement static-isis term DC1-prefix]
lab@R2# top edit protocols isis
commit complete
• R3:
[edit policy-options policy-statement leak-routes term DC1-lvl-1-to-lvl-2]
lab@R3# top edit protocols isis
commit complete
• R4:
[edit policy-options policy-statement leak-routes]
lab@R4# top edit protocols isis
commit complete
• R5:
[edit protocols isis]
lab@R5# set interface all bfd-liveness-detection minimum-interval 150
commit complete
TASK VERIFICATION
To verify the hold-time values, issue the show isis interface detail
command on R1, R2, R3, and R4. To verify the BFD detection and failover timers,
issue the show bfd session command on R3, R4, and R5.
• R1:
[edit protocols isis]
lab@R1# run show isis interface detail
IS-IS interface database:
ae1.0
Index: 76, State: 0x6, Circuit id: 0x1, Circuit type: 1
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 2.000 6 R4.04 (not us)
ge-0/0/3.0
Index: 77, State: 0x6, Circuit id: 0x2, Circuit type: 1
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 0.666 2 R1.02 (us)
ge-0/0/6.0
Index: 74, State: 0x6, Circuit id: 0x3, Circuit type: 1
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 0.666 2 R1.03 (us)
lo0.0
Index: 65, State: 0x6, Circuit id: 0x1, Circuit type: 0
LSP interval: 100 ms, CSNP interval: disabled
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 0 64 0 Passive
2 0 64 0 Passive
lo0.32768
Index: 64, State: 0x4, Circuit id: 0x1, Circuit type: 0
Lab 2–42 • IS-IS Implementation (Detailed) www.juniper.net
JNCIE Service Provider Bootcamp
LSP interval: 100 ms, CSNP interval: disabled
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 0 64 0 Passive
2 0 64 0 Passive
• R2:
[edit protocols isis]
lab@R2# run show isis interface detail
IS-IS interface database:
ae0.0
Index: 74, State: 0x6, Circuit id: 0x1, Circuit type: 1
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 2.000 6 R4.05 (not us)
ge-0/0/1.0
Index: 70, State: 0x6, Circuit id: 0x1, Circuit type: 1
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 2.000 6 R1.02 (not us)
ge-0/0/2.0
Index: 71, State: 0x4, Circuit id: 0x1, Circuit type: 0
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 0 64 10 Passive
2 0 64 10 Passive
lo0.0
Index: 65, State: 0x6, Circuit id: 0x1, Circuit type: 0
LSP interval: 100 ms, CSNP interval: disabled
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 0 64 0 Passive
2 0 64 0 Passive
lo0.32768
Index: 64, State: 0x4, Circuit id: 0x1, Circuit type: 0
LSP interval: 100 ms, CSNP interval: disabled
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 0 64 0 Passive
2 0 64 0 Passive
• R3:
[edit protocols isis]
lab@R3# run show isis interface detail
IS-IS interface database:
ge-0/0/1.0
Index: 70, State: 0x6, Circuit id: 0x1, Circuit type: 1
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 2.000 6 R1.03 (not us)
2 sessions, 2 clients
Cumulative transmit rate 13.3 pps, cumulative receive rate 13.3 pps
• R4:
[edit protocols isis]
lab@R4# run show isis interface detail
IS-IS interface database:
ae0.0
Index: 75, State: 0x6, Circuit id: 0x5, Circuit type: 1
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 0.666 2 R4.05 (us)
ae1.0
Index: 76, State: 0x6, Circuit id: 0x4, Circuit type: 1
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 0.666 2 R4.04 (us)
ae2.0
Index: 77, State: 0x6, Circuit id: 0x3, Circuit type: 2
LSP interval: 100 ms, CSNP interval: 10 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
2 1 64 10 3.000 9 R4.03 (us)
ge-0/0/5.0
Index: 73, State: 0x6, Circuit id: 0x2, Circuit type: 2
LSP interval: 100 ms, CSNP interval: 10 s
2 sessions, 2 clients
Cumulative transmit rate 13.3 pps, cumulative receive rate 13.3 pps
• R5:
[edit protocols isis]
lab@R5# run show bfd session
Detect Transmit
Address State Interface Time Interval Multiplier
172.27.0.21 Up ae2.0 0.450 0.150 3
172.27.0.26 Up ge-0/0/1.0 0.450 0.150 3
2 sessions, 2 clients
Cumulative transmit rate 13.3 pps, cumulative receive rate 13.3 pps
TASK 8
Configure the routers in both areas to authenticate hello
PDUs using the unencrypted password of Juniper. Configure
the routers in area 49.0001 to authenticate LSPs using the
encrypted password of JuniperRocks. No routing disruption
can occur between R3 and R4 during this process.
TASK INTERPRETATION
To accomplish this task, configure hello authentication using a plain text password
on R1, R2, R3, and R4. R1 and R2 require this authentication for all of their
interfaces. R3 requires this authentication for interface ge-0/0/1; and R4 requires
this authentication for interfaces ae0 and ae1.
commit complete
• R2:
[edit protocols isis]
lab@R2# set interface all level 1 hello-authentication-type simple
commit complete
• R3:
[edit protocols isis]
lab@R3# set interface ge-0/0/1 level 1 hello-authentication-type simple
commit complete
• R4:
[edit protocols isis]
lab@R4# set interface ae0 level 1 hello-authentication-type simple
commit complete
• R5:
[edit protocols isis]
lab@R5# set interface all level 2 hello-authentication-type simple
Commit complete
TASK VERIFICATION
To verify this task, issue the show isis authentication command on all the
internal routers. Also, examine the IS-IS adjacencies to ensure that they are
maintained. You must temporarily remove the no-authentication-check
option on R3 and R4 to truly verify this task. Remember to replace the option once
you are done verifying the task.
• R3:
[edit protocols isis]
lab@R3# delete no-authentication-check
commit complete
• R4:
[edit protocols isis]
lab@R4# delete no-authentication-check
commit complete
• R1:
[edit protocols isis]
lab@R1# run show isis authentication
Interface Level IIH Auth CSN Auth PSN Auth
ae1.0 1 Simple MD5 MD5
ge-0/0/3.0 1 Simple MD5 MD5
ge-0/0/6.0 1 Simple MD5 MD5
• R2:
[edit protocols isis]
lab@R2# run show isis authentication
• R5:
[edit protocols isis]
lab@R5# run show isis authentication
Interface Level IIH Auth CSN Auth PSN Auth
ae2.0 2 Simple None None
ge-0/0/1.0 2 Simple None None
• R3:
[edit protocols isis]
lab@R3# set no-authentication-check
commit complete
• R4:
[edit protocols isis]
lab@R4# set no-authentication-check
commit complete
TASK 9
All IS-IS LSPs should be valid for one hour.
TASK INTERPRETATION
To complete this task, you must adjust the LSP lifetime on each internal router to
3,600 seconds. This allows the LSPs to remain valid in the IS-IS link state database
for 1 hour.
TASK COMPLETION
• R1:
[edit protocols isis]
lab@R1# set lsp-lifetime 3600
commit complete
• R2:
[edit protocols isis]
lab@R2# set lsp-lifetime 3600
commit complete
• R3:
[edit protocols isis]
lab@R3# set lsp-lifetime 3600
commit complete
• R4:
[edit protocols isis]
lab@R4# set lsp-lifetime 3600
commit complete
commit complete
TASK VERIFICATION
To verify this task, issue the show isis overview command on each internal
router. This command displays the current LSP lifetime value for the local router.
• R1
[edit protocols isis]
lab@R1# run show isis overview
Instance: master
Router ID: 172.27.255.1
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Attached bit evaluation: enabled
SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3
IPv4 is enabled
Traffic engineering: enabled
Restart: Enabled
Restart duration: 210 sec
Helper mode: Enabled
Level 1
Internal route preference: 15
External route preference: 160
Wide metrics are enabled
Level 2
Internal route preference: 18
External route preference: 165
Wide metrics are enabled, Narrow metrics are enabled
• R2:
[edit protocols isis]
lab@R2# run show isis overview
Instance: master
Router ID: 172.27.255.2
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Attached bit evaluation: enabled
SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3
IPv4 is enabled, IPv6 is enabled
Traffic engineering: enabled
Restart: Enabled
Restart duration: 210 sec
Helper mode: Enabled
• R3:
[edit protocols isis]
lab@R3# run show isis overview
Instance: master
Router ID: 172.27.255.3
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Attached bit evaluation: enabled
SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3
IPv4 is enabled, IPv6 is enabled
Traffic engineering: enabled
Restart: Enabled
Restart duration: 210 sec
Helper mode: Enabled
Level 1
Internal route preference: 15
External route preference: 160
Wide metrics are enabled, Narrow metrics are enabled
Level 2
Internal route preference: 18
External route preference: 165
Wide metrics are enabled
• R4:
[edit protocols isis]
lab@R4# run show isis overview
Instance: master
Router ID: 172.27.255.4
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Attached bit evaluation: enabled
SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3
IPv4 is enabled, IPv6 is enabled
Traffic engineering: enabled
Restart: Enabled
Restart duration: 210 sec
Helper mode: Enabled
Level 1
Internal route preference: 15
External route preference: 160
Wide metrics are enabled, Narrow metrics are enabled
• R5:
[edit protocols isis]
lab@R5# run show isis overview
Instance: master
Router ID: 172.27.255.5
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Attached bit evaluation: enabled
SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3
IPv4 is enabled, IPv6 is enabled
Traffic engineering: enabled
Restart: Enabled
Restart duration: 210 sec
Helper mode: Enabled
Level 1
Internal route preference: 15
External route preference: 160
Wide metrics are enabled, Narrow metrics are enabled
Level 2
Internal route preference: 18
External route preference: 165
Wide metrics are enabled
Overview
In this lab, you will be given a list of tasks specific to OSPF implementation to accomplish
in a timed setting. You will have 1 hour and 15 minutes to complete the simulation.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions. You might
find more than one method for accomplishing each task.
By completing this lab, you will perform the following tasks:
• Configure all internal routers to route traffic using OSPF. Configure the OSPF
areas as shown on the “Lab 3: OSPF Implementation” diagram.
• Ensure that no OSPF DR or BDR exists among your internal routers.
• Routers R1, R3, and R4 must authenticate all OSPF exchanges within Area 0
using the unencrypted password of Juniper.
• Ensure that all OSPF links with the following bandwidth values are assigned
the following OSPF cost values.
– 1 Gbps = 50
– 2 Gbps = 25
– 3 Gbps = 16
• If R4 reboots, configure it to wait 240 seconds after the OSPF instance has
started before passing transit traffic.
• Configure the OSPF adjacencies over the ae0 link to be declared down if 2
hello packets are missed.
• The interface routes for the links between R5 and T2, and R2 and T1 must
appear on Area 0 routers as internal OSPF routes. No OSPF adjacencies can
form over these links.
In this lab part, you will become familiar with implementing OSPF as the IGP in your
network. You will be given a list of tasks that will require you to configure and
monitor OSPF operations.
TASK 1
Configure all internal routers to route traffic using OSPF.
Configure the OSPF areas as shown on the “Lab 3: OSPF
Implementation” diagram.
TASK INTERPRETATION
To complete this task, you must configure the OSPF area boundaries as shown on
the “Lab 2: IGP Implementation—OSPF” diagram. However, if you read on to the
seventh task for this part, you will find that you must redistribute IPv6 routes into
OSPF. This requires you to configure OSPFv2 and OSPFv3 to accommodate both
IPv4 and IPv6 routes within your network. Configuring both protocols now will save
you time and effort.
Although not explicitly shown, place the loopback interface within Area 0 if the router
is participating in Area 0. For non-Area 0 routers, place the loopback interface in the
area in which the routers reside. This part of the task is only necessary for OSPFv2
and is not applicable for OSPFv3.
TASK COMPLETION
• R1:
[edit]
lab@R1# edit protocols ospf
commit complete
• R2:
[edit]
lab@R2# edit protocols ospf
commit complete
• R3:
[edit]
lab@R3# edit protocols ospf
commit complete
• R4:
[edit]
lab@R4# edit protocols ospf
commit complete
• R5:
[edit]
lab@R5# edit protocols ospf
commit complete
TASK VERIFICATION
Issue the show ospf neighbors and show ospf3 neighbors commands
on all internal routers to verify the operation of OSPFv2 and OSPFv3. The task is
complete if all adjacencies reach the Full state.
• R1:
[edit protocols ospf3]
lab@R1# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.9 ae1.0 Full 172.27.255.4 128 39
172.27.0.13 ge-0/0/6.0 Full 172.27.255.3 128 39
172.27.0.2 ge-0/0/3.0 Full 172.27.255.2 128 35
• R3:
[edit protocols ospf3]
lab@R3# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.14 ge-0/0/1.0 Full 172.27.255.1 128 33
172.27.0.18 ge-0/0/2.0 Full 172.27.255.4 128 34
172.27.0.25 ge-0/0/3.0 Full 172.27.255.5 128 32
• R4:
[edit protocols ospf3]
lab@R4# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.10 ae1.0 Full 172.27.255.1 128 36
172.27.0.17 ge-0/0/5.0 Full 172.27.255.3 128 32
172.27.0.5 ae0.0 Full 172.27.255.2 128 38
172.27.0.22 ae2.0 Full 172.27.255.5 128 37
• R5:
[edit protocols ospf3]
lab@R5# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.21 ae2.0 Full 172.27.255.4 128 35
172.27.0.26 ge-0/0/1.0 Full 172.27.255.3 128 37
TASK INTERPRETATION
You might believe you can accomplish this task by setting the OSPF interface priority
value to 0, which renders the router ineligible to be the DR or BDR for that broadcast
domain. However, doing so causes all OSPF adjacencies to become stuck in the
two-way state so LSA exchanges cannot occur.
To accomplish this task, you must configure all OSPF links with point-to-point
interfaces. Because the router does not consider the link to be a broadcast domain
there is no need for a DR or BDR. Technically, you must also set the loopback
interface for all routers as an OSPF point-to-point or passive interface. Although,
failing to do so on a real exam will likely not result in point loss.
TASK COMPLETION
• R1:
[edit protocols ospf3]
lab@R1# set area 0 interface ae1 interface-type p2p
commit complete
• R2:
[edit protocols ospf3]
lab@R2# set area 1 interface ae0 interface-type p2p
commit complete
• R3:
[edit protocols ospf3]
lab@R3# set area 0 interface ge-0/0/2 interface-type p2p
commit complete
• R4:
[edit protocols ospf3]
lab@R4# set area 0 interface ge-0/0/5 interface-type p2p
commit complete
• R5:
[edit protocols ospf3]
lab@R5# set area 2 interface ge-0/0/1 interface-type p2p
commit complete
TASK VERIFICATION
To verify this task, issue the show ospf interface and show ospf3
interface commands. The State field must indicate either PtToPt or
DRother for the task to be complete.
• R1:
[edit protocols ospf]
lab@R1# run show ospf interface
Interface State Area DR ID BDR ID Nbrs
ae1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ge-0/0/6.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
lo0.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
ge-0/0/3.0 PtToPt 0.0.0.1 0.0.0.0 0.0.0.0 1
• R2:
[edit protocols ospf]
lab@R2# run show ospf interface
• R3:
[edit protocols ospf]
lab@R3# run show ospf interface
Interface State Area DR ID BDR ID Nbrs
ge-0/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ge-0/0/2.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
lo0.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
ge-0/0/3.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 1
• R4:
[edit protocols ospf]
lab@R4# run show ospf interface
Interface State Area DR ID BDR ID Nbrs
ae1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ge-0/0/5.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
lo0.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
ae0.0 PtToPt 0.0.0.1 0.0.0.0 0.0.0.0 1
ae2.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 1
• R5:
[edit protocols ospf]
lab@R5# run show ospf interface
Interface State Area DR ID BDR ID Nbrs
ae2.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 1
ge-0/0/1.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 1
lo0.0 DRother 0.0.0.2 0.0.0.0 0.0.0.0 0
TASK INTERPRETATION
To complete this task configure the interfaces that are within Area 0 on R1, R3, and
R4 to use plain text authentication. Then use a key value of Juniper.
TASK COMPLETION
• R1:
[edit protocols ospf]
lab@R1# set area 0 interface ae1 authentication simple-password Juniper
commit complete
• R3:
[edit protocols ospf]
lab@R3# set area 0 interface ge-0/0/1 authentication simple-password Juniper
commit complete
commit complete
TASK VERIFICATION
To verify this task, issue the show ospf neighbor command on R1, R3, and R4.
If the OSPF adjacencies in Area 0 remain in the Full state, then the task is
complete.
• R1:
[edit protocols ospf]
lab@R1# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.9 ae1.0 Full 172.27.255.4 128 37
172.27.0.13 ge-0/0/6.0 Full 172.27.255.3 128 33
172.27.0.2 ge-0/0/3.0 Full 172.27.255.2 128 34
• R3:
[edit protocols ospf]
lab@R3# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.14 ge-0/0/1.0 Full 172.27.255.1 128 36
172.27.0.18 ge-0/0/2.0 Full 172.27.255.4 128 33
172.27.0.25 ge-0/0/3.0 Full 172.27.255.5 128 39
• R4:
[edit protocols ospf]
lab@R4# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.10 ae1.0 Full 172.27.255.1 128 36
172.27.0.17 ge-0/0/5.0 Full 172.27.255.3 128 39
172.27.0.5 ae0.0 Full 172.27.255.2 128 39
172.27.0.22 ae2.0 Full 172.27.255.5 128 37
TASK 4
Ensure that all OSPF links with the following bandwidth
values are assigned the following OSPF cost values.
– 1 Gbps = 50
– 2 Gbps = 25
– 3 Gbps = 16
TASK INTERPRETATION
At first, this task might seem complex with the cost, or metric, values that you must
apply to different interfaces. One very time-consuming method to accomplish this
task is to configure each OSPF interface to the specific metric value that the task
lists. This method is inferior and unnecessary. The quick and superior method is to
use the reference-bandwidth command, which automatically calculates
interface cost values. To complete this task, use the reference-bandwidth
command with a value of 50g on each router.
Note
Remember to configure OSPFv2 and
OSPFv3 with the correct
reference-bandwidth value.
Forgetting to do so results in two different
routing topologies.
TASK COMPLETION
• R1:
[edit protocols ospf]
lab@R1# set reference-bandwidth 50g
commit complete
• R2:
[edit protocols ospf]
lab@R2# set reference-bandwidth 50g
commit complete
commit complete
• R4:
[edit protocols ospf]
lab@R4# set reference-bandwidth 50g
commit complete
• R5:
[edit protocols ospf]
lab@R5# set reference-bandwidth 50g
commit complete
TASK VERIFICATION
To verify this task, issue show ospf interface detail and show ospf3
interface detail commands on each internal router. The output must display
the cost values defined by the task.
• R1:
[edit protocols ospf]
lab@R1# run show ospf interface detail
Interface State Area DR ID BDR ID Nbrs
ae1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 172.27.0.10, Mask: 255.255.255.252, MTU: 1500, Cost: 25
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC
Protection type: None
Topology default (ID 0) -> Cost: 25
ge-0/0/6.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
• R2:
[edit protocols ospf]
lab@R2# run show ospf interface detail
Interface State Area DR ID BDR ID Nbrs
ae0.0 PtToPt 0.0.0.1 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 172.27.0.5, Mask: 255.255.255.252, MTU: 1500, Cost: 16
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
Protection type: None
Topology default (ID 0) -> Cost: 16
• R3:
[edit protocols ospf]
lab@R3# run show ospf interface detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 172.27.0.13, Mask: 255.255.255.252, MTU: 1500, Cost: 50
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC
Protection type: None
Topology default (ID 0) -> Cost: 50
ge-0/0/2.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 172.27.0.17, Mask: 255.255.255.252, MTU: 1500, Cost: 50
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC
Protection type: None
Topology default (ID 0) -> Cost: 50
lo0.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
Type: LAN, Address: 172.27.255.3, Mask: 255.255.255.255, MTU: 65535, Cost: 0
Adj count: 0, Passive
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
• R4:
[edit protocols ospf]
lab@R4# run show ospf interface detail
Interface State Area DR ID BDR ID Nbrs
ae1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 172.27.0.9, Mask: 255.255.255.252, MTU: 1500, Cost: 25
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC
Protection type: None
Topology default (ID 0) -> Cost: 25
ge-0/0/5.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 172.27.0.18, Mask: 255.255.255.252, MTU: 1500, Cost: 50
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC
Protection type: None
Topology default (ID 0) -> Cost: 50
lo0.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
Type: LAN, Address: 172.27.255.4, Mask: 255.255.255.255, MTU: 65535, Cost: 0
Adj count: 0, Passive
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
• R5:
[edit protocols ospf]
lab@R5# run show ospf interface detail
Interface State Area DR ID BDR ID Nbrs
ae2.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 172.27.0.22, Mask: 255.255.255.252, MTU: 1500, Cost: 25
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
TASK INTERPRETATION
To complete this task, you must configure R4 to enter the overloaded mode for
240 seconds with OSPFv2 and OSPFv3 when the router reboots. Use the
overload timeout 240 command at the [edit protocols ospf] and
[edit protocols ospf3] hierarchy levels to accomplish this task.
commit complete
TASK VERIFICATION
To verify this task, examine a prefix from a router that is reachable through R4; this
cannot be an address that resides on R4. Next, you can reboot the router, or bounce
the OSPF protocol, and examine the prefix again. Traffic now avoids R4 for
240 seconds. However, verifying this task by rebooting R4, or bouncing OSPF, might
take more time than it is worth. You can also verify this task by removing the
timeout option and examining prefixes that route through R4.
Note
If you verify this task by removing the
timeout option, be sure to replace it once
you finish your verification.
• R5:
[edit protocols ospf]
lab@R5# run show route 172.27.255.2
• R4:
[edit protocols ospf]
lab@R4# delete overload timeout
commit complete
• R5:
[edit protocols ospf]
lab@R5# run show route 172.27.255.2
• R4:
[edit protocols ospf]
lab@R4# up 1 set ospf3 overload timeout 240
commit complete
• R5:
[edit protocols ospf]
lab@R5# run show route 172.27.255.2
TASK COMPLETION
• R2:
[edit protocols ospf]
root@R2# set area 1 interface ae0 dead-interval 20
commit complete
• R4:
[edit protocols ospf]
root@R4# set area 1 interface ae0 dead-interval 20
commit complete
TASK VERIFICATION
To verify this task, issue the show ospf interface ae0.0 detail |
match hello and show ospf3 interface ae0.0 detail | match
hello commands on R2 and R4. The output displays a hello-interval of
10 seconds and a dead-interval of 20 seconds, if you previously adjusted the
dead-interval. If you previously adjusted the hello-interval, then the
hello-interval of 20 seconds and a dead-interval of 40 seconds is
shown. Either way the adjacencies will be declared down if 2 hello packets are
missed.
• R2:
[edit protocols ospf]
root@R2# run show ospf interface ae0.0 detail | match hello
• R4:
[edit protocols ospf]
root@R4# run show ospf interface ae0.0 detail | match hello
Hello: 10, Dead: 20, ReXmit: 5, Not Stub
TASK INTERPRETATION
To complete this task, you must apply the OSPF passive option to R5’s ge-0/0/5
interface and R2’s ge-0/0/2 interface, which places these interfaces in their
respective areas.
As with previous tasks, this task applies to OSPFv2 and OSPFv3. Remember to
configure the passive option for the necessary interfaces within each protocol.
TASK COMPLETION
• R2:
[edit protocols ospf]
root@R2# set area 1 interface ge-0/0/2 passive
commit complete
commit complete
TASK VERIFICATION
Issue the show ospf interface ge-0/0/2.0 detail and show ospf3
interface ge-0/0/2.0 detail commands on R2. Then issue the show
ospf interface ge-0/0/5.0 detail and show ospf3 interface
ge-0/0/5.0 detail commands on R5. These commands display the current
interface mode, which should be passive.
Examine the routing table of an ABR to determine if the interface routes are now
internal OSPF routes. If the two IPv4 and the two IPv6 routes in question appear in
the ABR’s routing table as internal OSPF routes, this task is complete.
• R2:
[edit protocols ospf]
root@R2# run show ospf interface ge-0/0/2.0 detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/2.0 DRother 0.0.0.1 0.0.0.0 0.0.0.0 0
Type: LAN, Address: 172.27.0.37, Mask: 255.255.255.252, MTU: 1500, Cost: 50
Adj count: 0, Passive
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
Protection type: None
Topology default (ID 0) -> Passive, Cost: 50
• R5:
[edit protocols ospf]
root@R5# run show ospf interface ge-0/0/5.0 detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/5.0 DRother 0.0.0.2 0.0.0.0 0.0.0.0 0
Type: LAN, Address: 172.27.0.57, Mask: 255.255.255.252, MTU: 1500, Cost: 50
Adj count: 0, Passive
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
• R1:
[edit protocols ospf]
root@R1# run show route 172.27.0.56/30
TASK INTERPRETATION
To complete this task, configure the RIP protocol on R1 to exchange RIP routes with
C1. When R1 receives the RIP routes, create an aggregate route that represents
these routes, and redistribute that aggregate route into OSPF.
The key requirement of this task is to have this summary route appear on R2.
Currently, Area 1 is not an OSPF stub area and Type 5 LSAs are accepted; the
summary route from R1 is present on R2 without further intervention. This part of
the task might seem simple, but keep in mind for later tasks that because of this
task, Area 1 must not restrict Type 5 LSAs.
TASK COMPLETION
• R1:
[edit protocols ospf]
lab@R1# up 1 edit rip group rip
commit complete
commit complete
TASK VERIFICATION
To verify this task examine R2’s routing table for the external OSPF route that
represents the RIP routes.
• R2:
[edit protocols ospf]
lab@R2# run show route 172.16.16/21
commit complete
commit complete
• R5:
[edit protocols ospf]
lab@R5# up 1 edit rip group rip
commit complete
commit complete
TASK VERIFICATION
To verify this task, issue the show route 10.22/21 command on R1, R4, and
R5. Each router must have specific routing information that points towards R3 for
the RIP routes advertised by DC3. Then, the routers must have a less specific
10.22.0.0/21 route that points towards R5. Then, R5 must prefer the external OSPF
routes over its locally received RIP routes for this prefix. Once you verify these
criteria, you can consider the task complete.
• R1:
[edit protocols ospf]
lab@R1# run show route 10.22/21
• R4:
[edit protocols ospf]
lab@R4# run show route 10.22/21
• R5:
[edit protocols ospf]
lab@R5# run show route 10.22/21
TASK INTERPRETATION
Restricting LSA flooding is a function of OSPF stub areas. A totally-stubby area
restricts the flooding of Type 5 and Type 3 LSAs into the area, however the ABR
injects a default route as a Type 3 LSA. To accomplish this task, you must configure
Area 2 as a not-so-stubby totally-stubby area. This results in both ABRs injecting
default routes into the area as Type 7 LSAs.
You must configure the R3 to inject its default routes, one for IPv4 and one for IPv6,
with a metric value of 10. Then, configure R4 to inject its default routes, one for IPv4
and one for IPv6, with a metric value of 5. This action creates a problem when
attempting to ensure R5 uses R3 to reach unknown destinations. To overcome this
restriction, configure R3 to attach a metric type value of 1 to its default routes, then
configure R4 to attach a metric type value of 2 to its default routes.
Note
As with previous tasks, remember about
OSPFv3. You must configure both protocols
for this task.
commit complete
• R4:
[edit protocols ospf]
lab@R4# set area 2 nssa default-lsa default-metric 5
commit complete
• R5:
[edit protocols ospf]
lab@R5# set area 2 nssa
commit complete
TASK VERIFICATION
To verify this task, examine the OSPF database and routing table on R5. The OSPF
database must not contain any Type 3 or Type 5 LSAs. The routing table must direct
traffic to R3 to reach unknown destinations.
• R5:
[edit protocols ospf]
lab@R5# run show ospf database
TASK INTERPRETATION
To complete this task, you must first configure a policy on R5 that exports the
172.27.0.96/28 prefix into OSPF. Then the other routers in your OSPF domain
distribute this route as a Type 5 LSA. This Type 5 LSA is now present on R2 and you
must configure an import policy that blocks this route from being installed into R2’s
routing table.
TASK COMPLETION
• R5:
[edit protocols ospf]
lab@R5# top edit policy-options policy-statement interface-routes term DC3
commit complete
• R2:
[edit protocols ospf]
lab@R2# top edit policy-options policy-statement ospf-import term DC3
commit complete
TASK VERIFICATION
To verify this task examine the link state database on R2 for the presence of the
external LSA that represents the 172.27.0.96/28 prefix. Then issue the show
route 172.27.0.96/28 command on R2. The external LSA in question should
be present in the database and the prefix must not be present in the routing table.
• R2:
[edit protocols ospf]
lab@R2# run show ospf database external
OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 10.22.0.0 172.27.255.4 0x80000019 17 0x22 0x16d2 36
Extern 10.22.1.0 172.27.255.3 0x8000001d 648 0x22 0x495f 36
Extern 10.22.2.0 172.27.255.3 0x8000001c 1691 0x22 0x4068 36
Extern 10.22.3.0 172.27.255.3 0x8000001c 1562 0x22 0x3572 36
Extern 10.22.4.0 172.27.255.3 0x8000001c 1430 0x22 0x2a7c 36
Extern 10.22.5.0 172.27.255.3 0x8000001c 1300 0x22 0x1f86 36
Extern 10.22.6.0 172.27.255.3 0x8000001c 909 0x22 0x1490 36
Extern 10.22.7.0 172.27.255.3 0x8000001c 778 0x22 0x99a 36
Extern 172.16.16.0 172.27.255.1 0x80000020 1128 0x22 0x788c 36
Extern 172.27.0.96 172.27.255.4 0x80000001 115 0x22 0xcc34 36
commit complete
• R3:
[edit protocols ospf3]
lab@R3# up 1 edit ospf area 2
commit complete
• R4:
[edit protocols ospf3]
lab@R4# up 1 edit ospf area 2
commit complete
TASK VERIFICATION
To verify this task, examine the routing table on R3 and R4. You must see the
specific OSPF external routes that represent the static routes that R5 redistributed
into OSPF earlier. Then, examine the routing table on R2—it must contain the
summary route which represents the specific OSPF external routes. This task is
complete if R2 only has the summary route and lacks the specific OSPF external
routes.
• R3:
[edit protocols ospf area 0.0.0.2]
lab@R3# run show route 10.255/19
• R4:
[edit protocols ospf area 0.0.0.2]
lab@R4# run show route 10.255/19
• R2:
[edit protocols ospf]
lab@R2# run show route 10.255/19
Overview
In this lab, you will be given a list of tasks specific to IS-IS troubleshooting to accomplish in
a timed setting. You will have 1 hour to complete the simulation.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions. You might
find more than one method for accomplishing each task.
By completing this lab, you will perform the following tasks:
– Ensure that all IS-IS adjacencies have reached the Up state. Any
adjacencies that require authentication must authenticate properly.
– Ensure that all routers have IPv4 and IPv6 IS-IS routes present in their
routing tables.
– Ensure that the loss of any interface on a router cannot remove a router
from the IS-IS topology.
– To reduce the size of the IS-IS link-state database ensure that the
interface routes of all core facing interfaces are not present in the
database. However, you must ensure that all routers can ping each
other’s loopback addresses.
– R4 is using the ae1 link to send traffic to the loopback address of R1.
Ensure that this traffic uses the ae0 link if the ae1 link fails.
– Ensure that R5 can communicate with the destinations advertised by the
customer router attached to R1. Also, ensure that R5 is receiving this
routing information from R3 and R4. You can verify this step by pinging
the 172.16.16.1 address.
In this lab part, you will examine and troubleshoot a malfunctioning network which
has incorporated IS-IS as its IGP. You are given a list of criteria that your network
must meet to consider this lab part complete.
TASK 1
Access the CLI for your routers using either the console, Telnet, or SSH as directed
by your instructor. Refer to the management network diagram for the IP address
associated with your devices. Log in as user lab with the password lab123.
Ensure that all IS-IS adjacencies have reached the Up
state. Any adjacencies that require authentication must
authenticate properly.
TASK INTERPRETATION
When you examine your network you will find many problems that affect the IS-IS
adjacency formations. You must examine each router and fix any problems that are
restricting the adjacencies from reaching the Up state.
TASK COMPLETION
You must now examine the network for malfunctioning IS-IS adjacencies. A good
place to start is to issue the show isis adjacencies command on each router.
You will notice that no adjacencies have formed on any of the routers. This malady
can be caused by many different issues and so it is best to examine the interfaces
on the routers using the show isis interface and show interface
terse | match down commands.
• R1:
R1 (ttyd0)
login: lab
Password:
[edit]
lab@R1# run show isis adjacency
[edit]
lab@R1# run show isis interface
IS-IS interface database:
Interface L CirID Level 1 DR Level 2 DR L1/L2 Metric
ae1.0 1 0x1 R1.00 Disabled 15/15
ge-0/0/3.0 1 0x1 R1.00 Disabled 30/30
ge-0/0/6.0 0 0x1 Disabled Disabled 30/30
lo0.0 0 0x1 Passive Passive 0/0
lo0.32768 0 0x1 Passive Passive 0/0
[edit]
lab@R1# run show interfaces terse | match down
• R2:
R2 (ttyd0)
login: lab
Password:
[edit]
lab@R2# run show isis adjacency
[edit]
lab@R2# run show isis interface
IS-IS interface database:
Interface L CirID Level 1 DR Level 2 DR L1/L2 Metric
ae0.0 1 0x1 Down Disabled 10/10
ge-0/0/2.0 0 0x1 Passive Passive 10/10
lo0.0 0 0x1 Passive Passive 0/0
lo0.32768 0 0x1 Passive Passive 0/0
[edit]
lab@R2# run show interfaces terse | match down
ge-0/0/7 down up
ge-0/0/7.0 up down aenet --> ae0.0
ae0 up down
ae0.0 up down inet 172.27.0.5/30
vlan up down
• R3:
R3 (ttyd0)
login: lab
Password:
[edit]
lab@R3# run show isis adjacency
[edit]
lab@R3# run show isis interface
IS-IS interface database:
Interface L CirID Level 1 DR Level 2 DR L1/L2 Metric
ge-0/0/3.0 2 0x1 Disabled Point to Point 1/1
lo0.0 0 0x1 Disabled Passive 0/0
[edit]
• R4:
R4 (ttyd0)
login: lab
Password:
[edit]
lab@R4# run show isis adjacency
[edit]
lab@R4# run show isis interface
IS-IS interface database:
Interface L CirID Level 1 DR Level 2 DR L1/L2 Metric
ae0.0 1 0x2 Down Disabled 10/10
lo0.0 0 0x1 Disabled Passive 0/0
[edit]
lab@R4# run show interfaces terse | match down
ae0 up down
ae0.0 up down inet 172.27.0.6/30
vlan up down
• R5:
R5 (ttyd0)
login: lab
Password:
[edit]
lab@R5# run show isis adjacency
[edit]
lab@R5# run show isis interface
IS-IS interface database:
Interface L CirID Level 1 DR Level 2 DR L1/L2 Metric
ae2.0 2 0x1 Disabled R5.00 99/99
ge-0/0/1.0 2 0x1 Disabled R5.00 199/199
ge-0/0/5.0 0 0x1 Passive Passive 199/199
lo0.0 0 0x1 Passive Passive 0/0
lo0.32768 0 0x1 Passive Passive 0/0
[edit]
lab@R5# run show interfaces terse | match down
To rectify the current issues seen on R1, you must take the ge-0/0/6 interface out of
the IS-IS disabled state. Simply removing the interface under IS-IS accomplishes this
task because the interface all statement has previously been configured.
commit complete
• R2:
[edit]
lab@R2# edit interfaces
[edit interfaces]
lab@R2# show ge-0/0/7
description "Connection to R4 AE0";
disable;
gigether-options {
802.3ad ae0;
}
[edit interfaces]
lab@R2# delete ge-0/0/7 disable
[edit interfaces]
lab@R2# show ge-0/0/1
description "Connection to R1";
unit 0 {
family inet {
address 172.27.0.2/30;
}
family inet6 {
address 2008:4498::2/126;
}
}
[edit interfaces]
lab@R2# set ge-0/0/1.0 family iso
[edit interfaces]
lab@R2# commit
commit complete
[edit interfaces]
[edit interfaces]
lab@R2# run show isis interface
IS-IS interface database:
Interface L CirID Level 1 DR Level 2 DR L1/L2 Metric
ae0.0 1 0x1 R2.00 Disabled 3/3
ge-0/0/1.0 1 0x2 R2.00 Disabled 10/10
ge-0/0/2.0 0 0x1 Passive Passive 10/10
lo0.0 0 0x1 Passive Passive 0/0
lo0.32768 0 0x1 Passive Passive 0/0
• R3:
[edit]
lab@R3# run show interfaces terse ge*
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.94.170.10/20
ge-0/0/1 up up
ge-0/0/1.0 up up inet 172.27.0.13/30
inet6 2008:4489::d/126
fe80::5668:29ff:fe7a:93b2/64
ge-0/0/2 up up
ge-0/0/2.0 up up inet 172.27.0.17/30
inet6 2008:4489::13/126
fe80::5668:29ff:fe7a:b48b/64
ge-0/0/3 up up
ge-0/0/3.0 up up inet 172.27.0.26/30
iso
inet6 2008:4489::1a/126
fe80::5668:29ff:fe7a:9ac9/64
ge-0/0/4 up up
ge-0/0/4.0 up up inet 172.27.0.103/28
ge-0/0/5 up up
ge-0/0/5.0 up up inet 138.1.2.4/24
[edit]
lab@R3# edit interfaces
[edit interfaces]
lab@R3# set ge-0/0/1.0 family iso
[edit interfaces]
lab@R3# set ge-0/0/2.0 family iso
[edit interfaces]
lab@R3# top edit protocols isis
commit complete
• R4:
[edit]
lab@R4# run monitor traffic interface ae1.0 detail no-resolve
Address resolution is OFF.
Listening on ae1.0, capture size 1514 bytes
[edit]
lab@R4# edit protocols isis
commit complete
• R1:
[edit protocols isis]
lab@R1# run show isis adjacency
Interface System L State Hold (secs) SNPA
ge-0/0/6.0 0172.0027.2553 1 Up 1 56:68:29:7a:93:b2
• R2:
[edit interfaces]
lab@R2# run show isis adjacency
• R3:
[edit protocols isis]
lab@R3# run show isis adjacency
Interface System L State Hold (secs) SNPA
ge-0/0/1.0 0172.0027.2551! 1 Up 4 56:68:29:7a:8e:3a
ge-0/0/2.0 R4 2 Up 22 56:68:29:7a:85:91
ge-0/0/3.0 R5 2 Up 8 56:68:29:7a:b2:4d
• R4:
[edit protocols isis]
lab@R4# run show isis adjacency
Interface System L State Hold (secs) SNPA
ae2.0 R5 2 Up 18 52:54:0:0:4b:4
ge-0/0/5.0 R3 2 Up 7 56:68:29:7a:b4:8b
• R5:
[edit]
lab@R5# run show isis adjacency
Interface System L State Hold (secs) SNPA
ae2.0 R4 2 Up 8 52:54:0:1:0:4
ge-0/0/1.0 R3 2 Up 21 56:68:29:7a:9a:c9
It still appears that most routers have some very serious issues with forming IS-IS
adjacencies. To troubleshoot these issues further, you must take a closer look at the
protocol interaction by enabling traceoptions. Configure traceoptions on R1 and R2.
These traceoptions should contain the flags error detail and hello detail.
After you create the traceoptions, commit the configuration and wait 1 minute
before viewing the traceoptions file. This gives the router time to populate the file
with helpful information concerning the IS-IS adjacency issues.
• R1:
[edit protocols isis]
lab@R1# set traceoptions file isis-adj-issue.log
commit complete
commit complete
Note
Fixing the adjacency issue with R2 now
appears to have broken the adjacency with
R3, which is why you must check and
re-check the status of your network while
you configure or troubleshoot. A task might
be designed to break a previously
completed task, and you might not notice it
until later in the exam, at which point it is
very difficult to troubleshoot the new issue.
Examine the traceoptions on R1 again to view the problem with the adjacency with
R3. You might also notice in the previous output that R1 believes R2 is found
through its ae1 and ge-0/0/3 interface, which signifies another issue that must be
addressed later.
• R1:
[edit protocols isis]
lab@R1# run show log isis-adj-issue.log | match ge-0/0/6
Jul 29 21:11:34.622705 ISIS L1 periodic xmit to 01:80:c2:00:00:14 interface
ge-0/0/6.0
Jul 29 21:11:34.623333 Received L1 LAN IIH, source id 0172.0027.2553 on ge-0/0/
6.0
• R3:
[edit protocols isis]
lab@R3# run show interfaces lo0.0 terse
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.3 --> 0/0
iso 49.0002.0172.0027.2553
commit complete
• R1:
[edit protocols isis]
lab@R1# run show isis adjacency
Interface System L State Hold (secs) SNPA
ae1.0 R2 1 Up 7 52:54:0:1:0:3
ge-0/0/3.0 R2 1 Up 1 56:68:29:7a:ab:5b
ge-0/0/6.0 0172.0027.2553 1 Up 1 56:68:29:7a:93:b2
• R2:
Now, configure the traceoptions on R2 with the flags that were mentioned earlier.
[edit interfaces]
lab@R2# top edit protocols isis
commit complete
• R4:
[edit protocols isis]
lab@R4# run show interfaces lo0.0 terse
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.4 --> 0/0
iso 49.0001.0172.0027.2554
• R2:
[edit protocols isis]
lab@R2# top delete interfaces lo0.0 family iso
commit complete
• R1:
[edit protocols isis]
lab@R1# deactivate traceoptions
commit complete
• R2:
[edit protocols isis]
lab@R2# deactivate traceoptions
commit complete
TASK VERIFICATION
To verify this task, issue the show isis adjacency command on all routers.
Each router must have the correct adjacencies in the Up state.
• R1:
[edit protocols isis]
lab@R1# run show isis adjacency
Interface System L State Hold (secs) SNPA
ae1.0 0172.0027.2554 1 Up 8 52:54:0:1:0:3
ge-0/0/3.0 R2 1 Up 1 56:68:29:7a:ab:5b
ge-0/0/6.0 0172.0027.2553 1 Up 1 56:68:29:7a:93:b2
• R3:
[edit protocols isis]
lab@R3# run show isis adjacency
Interface System L State Hold (secs) SNPA
ge-0/0/1.0 0172.0027.2551! 1 Up 5 56:68:29:7a:8e:3a
ge-0/0/2.0 R4 2 Up 25 56:68:29:7a:85:91
ge-0/0/3.0 R5 2 Up 7 56:68:29:7a:b2:4d
• R4:
[edit protocols isis]
lab@R4# run show isis adjacency
Interface System L State Hold (secs) SNPA
ae0.0 0172.0027.2552 1 Up 4 52:54:0:0:c0:2
ae1.0 0172.0027.2551! 1 Up 21 52:54:0:0:4:3
ae2.0 R5 2 Up 24 52:54:0:0:4b:4
ge-0/0/5.0 R3 2 Up 7 56:68:29:7a:b4:8b
• R5:
[edit]
lab@R5# run show isis adjacency
Interface System L State Hold (secs) SNPA
ae2.0 R4 2 Up 6 52:54:0:1:0:4
ge-0/0/1.0 R3 2 Up 25 56:68:29:7a:9a:c9
TASK 2
Ensure that all routers have IPv4 and IPv6 IS-IS routes
present in their routing tables.
TASK INTERPRETATION
By default, IS-IS allows for the routing of IPv4 and IPv6 packets. Examine each router
for IPv4 and IPv6 IS-IS routes. If a router is missing either, troubleshoot the issue to
bring the proper routes into the routing tables.
TASK COMPLETION
Start by examining the routing tables on all routers.
• R1:
[edit protocols isis]
lab@R1# run show route summary
Router ID: 172.27.255.1
• R2:
[edit protocols isis]
lab@R2# run show route summary
Router ID: 172.27.255.2
• R3:
[edit protocols isis]
lab@R3# run show route summary
Router ID: 172.27.255.3
• R4:
[edit protocols isis]
lab@R4# run show route summary
Router ID: 172.27.255.4
• R5:
[edit]
lab@R5# run show route summary
Router ID: 172.27.255.1
After viewing the routing tables on each router, you will notice that R1 has no IPv4 or
IPv6 IS-IS routes. R2, R3, R4, and R5 have IPv4 IS-IS routes, but no IPV6 IS-IS routes.
Issuing the show isis overview command on each router can help lead you in
the right direction.
• R1:
[edit protocols isis]
lab@R1# run show isis overview
Instance: master
Router ID: 172.27.255.1
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Reference bandwidth: 4230196224
Attached bit evaluation: enabled
SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3
Traffic engineering: enabled
Restart: Enabled
Restart duration: 210 sec
Helper mode: Enabled
Level 1
Internal route preference: 15
External route preference: 160
Prefix export limit: 2
Wide metrics are enabled, Narrow metrics are enabled
Level 2
Internal route preference: 18
External route preference: 165
Wide metrics are enabled, Narrow metrics are enabled
• R2:
[edit protocols isis]
lab@R2# run show isis overview
Instance: master
Router ID: 172.27.255.2
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Reference bandwidth: 4230196224
Attached bit evaluation: enabled
• R3:
[edit protocols isis]
lab@R3# run show isis overview
Instance: master
Router ID: 172.27.255.3
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Reference bandwidth: 4230196224
Attached bit evaluation: enabled
SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3
IPv4 is enabled
Traffic engineering: enabled
Restart: Enabled
Restart duration: 210 sec
Helper mode: Enabled
Level 1
Internal route preference: 15
External route preference: 160
Wide metrics are enabled, Narrow metrics are enabled
Level 2
Internal route preference: 18
External route preference: 165
Wide metrics are enabled
• R4:
[edit protocols isis]
lab@R4# run show isis overview
Instance: master
Router ID: 172.27.255.4
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Reference bandwidth: 4230196224
Attached bit evaluation: enabled
SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3
IPv4 is enabled
Traffic engineering: enabled
Restart: Enabled
• R5:
[edit]
lab@R5# run show isis overview
Instance: master
Router ID: 172.27.255.1
Adjacency holddown: enabled
Maximum Areas: 3
LSP life time: 3600
Reference bandwidth: 4230196224
Attached bit evaluation: enabled
SPF delay: 200 msec, SPF holddown: 5000 msec, SPF rapid runs: 3
Overload bit at startup is set
Overload high metrics: disabled
Allow route leaking: disabled
IPv4 is enabled
Traffic engineering: enabled
Restart: Enabled
Restart duration: 210 sec
Helper mode: Enabled
Level 1
Internal route preference: 15
External route preference: 160
Wide metrics are enabled, Narrow metrics are enabled
Level 2
Internal route preference: 151
External route preference: 151
Wide metrics are enabled
Check the configuration of each router for statements that disable IPv4 or IPv6
routing for IS-IS. Then, remove any statements that might be causing these
problems.
• R1:
[edit protocols isis]
lab@R1# show
inactive: traceoptions {
file isis-adj-issue;
flag error detail;
flag hello detail;
}
export isis-out;
reference-bandwidth 30g;
lsp-lifetime 3600;
no-ipv4-routing;
no-ipv6-routing;
...
commit complete
• R2:
[edit protocols isis]
lab@R2# show
inactive: traceoptions {
file isis-adj-issue;
flag error detail;
flag hello detail;
}
export static-isis;
commit complete
• R3:
[edit protocols isis]
lab@R3# show
export [ leak-routes ospf-isis ];
reference-bandwidth 30g;
lsp-lifetime 3600;
no-authentication-check;
no-ipv6-routing;
level 2 wide-metrics-only;
...
commit complete
• R4:
[edit protocols isis]
lab@R4# show
export leak-routes;
reference-bandwidth 30g;
lsp-lifetime 3600;
no-ipv6-routing;
level 2 wide-metrics-only;
...
commit complete
commit complete
Examining the routing table gives some very interesting results. R1 and R2 still do
not have any IPv4 or IPv6 IS-IS routes. Issuing the show isis adjacency
command on the routers also reveals confusing results. The adjacency between R1
and R2 has been lost, and all routers with Level 1 adjacencies are not resolving their
partners host names.
• R1:
[edit protocols isis]
lab@R1# run show route summary
Router ID: 172.27.255.1
• R3:
[edit protocols isis]
lab@R3# run show route summary
Router ID: 172.27.255.3
• R4:
[edit protocols isis]
lab@R4# run show route summary
Router ID: 172.27.255.4
• R5:
[edit protocols isis]
lab@R5# run show route summary
Router ID: 172.27.255.1
Monitoring the traffic on R1’s ge-0/0/3 interface reveals that the issue is a
misconfigured IPv4 address on that interface. Configuring the correct IPv4 address
on the ge-0/0/3 interface resolves the adjacency issue.
Unlike the other Level 1 adjacencies, the system name resolves to the host name
with the adjacency between R1 and R2. An undiscovered problem still exists that is
causing the other Level 1 adjacencies to fail host name resolution.
commit complete
TASK VERIFICATION
After resolving the adjacency issue between R1 and R2, all routers now have IPv4
and IPv6 IS-IS routes. However, it is obvious that a great deal of routing information
is still missing. For the moment, this task can be considered complete, but keep in
mind that later tasks could cause specific routes to disappear which will cause you
to revisit this task.
• R1:
[edit interfaces ge-0/0/3 unit 0]
lab@R1# run show route summary
Router ID: 172.27.255.1
• R2:
[edit protocols isis]
lab@R2# run show route summary
Router ID: 172.27.255.2
• R4:
[edit protocols isis]
lab@R4# run show route summary
Router ID: 172.27.255.4
• R5:
[edit]
lab@R5# run show route summary
Router ID: 172.27.255.1
• R2:
[edit protocols isis]
lab@R2# run show interfaces lo0.0 terse
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.2 --> 0/0
iso 49.0001.0172.0027.2552
• R3:
[edit protocols isis]
lab@R3# run show interfaces lo0.0 terse
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.3 --> 0/0
iso 49.0001.0172.0027.2553
• R4:
[edit protocols isis]
lab@R4# run show interfaces lo0.0 terse
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.4 --> 0/0
iso 49.0001.0172.0027.2554
[edit]
lab@R5# run show interfaces terse
Interface Admin Link Proto Local Remote
...
inet6 2008:4498::39/126
fe80::5668:29ff:fe7a:87ca/64
ge-0/0/6 up up
ge-0/0/6.0 up up inet 138.1.2.6/24
ge-0/0/7 up up
ge-0/0/7.0 up up aenet --> ae2.0
ge-0/0/8 up up
ge-0/0/8.0 up up aenet --> ae2.0
ge-0/0/9 up up
ge-0/0/9.0 up up inet 172.27.0.105/28
ae0 up down
ae1 up down
ae2 up up
ae2.0 up up inet 172.27.0.22/30
iso 49.0002.0172.0027.2555
inet6 2008:4489::16/126
fe80::5254:ff:fe00:4b04/64
...
From the previous outputs, you can see that R5 has the ISO address applied to its
ae2 interface. If the ae2 link goes down for any reason, R5 will be removed from the
IS-IS topology. To fix this issue, you must remove the ISO address from the ae2
interface, and apply it to the loopback interface.
• R5:
[edit protocols isis]
lab@R5# top edit interfaces
[edit interfaces]
lab@R5# delete ae2.0 family iso address 49.0002.0172.0027.2555.00
[edit interfaces]
lab@R5# set lo0.0 family iso address 49.0002.0172.0027.2555.00
[edit interfaces]
lab@R5# commit
commit complete
TASK INTERPRETATION
For this task, you must create and apply a policy on each router that blocks direct
routes from being exported into IS-IS. However, allow each router to advertise its
loopback address. Also, ensure that you allow R1 and R5 to advertise the direct
routes associated with their interfaces that are running in the IS-IS passive mode.
Then, ensure that each router can ping every other router’s loopback address. If
there are any problems, troubleshoot the issues until they are resolved.
TASK COMPLETION
• R1:
[edit interfaces ge-0/0/3 unit 0]
lab@R1# top edit policy-options policy-statement local-routes term
allowed-interfaces
commit complete
• R2:
[edit protocols isis]
lab@R2# top edit policy-options policy-statement local-routes term
allowed-interfaces
commit complete
• R3:
[edit protocols isis]
lab@R3# top edit policy-options policy-statement local-routes term
allowed-interfaces
commit complete
• R4:
[edit protocols isis]
lab@R4# top edit policy-options policy-statement local-routes term
allowed-interfaces
commit complete
commit complete
• R1:
[edit protocols isis]
lab@R1# run show route protocol isis
• R3:
[edit protocols isis]
lab@R3# run show route protocol isis
• R4:
[edit protocols isis]
lab@R4# run show route protocol isis
• R5:
[edit protocols isis]
lab@R5# run show route protocol isis
The core-facing interface routes are no longer present, but R1 and R2 still have no
way to reach R3’s, R4’s, or R5’s loopback addresses. Examining the IS-IS link-state
database on R1 and R2 reveals that they are not receiving LSPs from R3, R4, and
R5. The reverse is true if you examine the databases on R3, R4, and R5. This means
that R1 and R2 are not receiving LSPs from R3 and R4 with the attached bit set.
This does not allow R1 and R2 to install a default route to reach prefixes that are out
of their area.
• R1:
[edit protocols isis]
lab@R1# run show isis database
IS-IS level 1 link-state database:
LSP ID Sequence Checksum Lifetime Attributes
R1.00-00 0x5 0xab56 2312 L1 Overload
R2.00-00 0x3 0x4450 2285 L1 Overload
R2.02-00 0x1 0xd3d3 2202 L1
• R2:
[edit protocols isis]
lab@R2# run show isis database
IS-IS level 1 link-state database:
LSP ID Sequence Checksum Lifetime Attributes
R1.00-00 0x5 0xab56 2300 L1 Overload
R2.00-00 0x3 0x4450 2276 L1 Overload
R2.02-00 0x1 0xd3d3 2194 L1
3 LSPs
• R3:
[edit protocols isis]
lab@R3# run show isis database
IS-IS level 1 link-state database:
LSP ID Sequence Checksum Lifetime Attributes
R3.00-00 0x3 0xb05d 1412 L1 L2 Attached
R3.02-00 0x1 0x8f7 1354 L1 L2
2 LSPs
• R4:
[edit protocols isis]
lab@R4# run show isis database
IS-IS level 1 link-state database:
LSP ID Sequence Checksum Lifetime Attributes
R4.00-00 0x4 0x2a4f 1382 L1 L2 Attached
R4.02-00 0x1 0x95b1 1316 L1 L2
R4.03-00 0x1 0xb7ad 1341 L1 L2
3 LSPs
Enabling the correct traceoptions flags can help you determine if LSP authentication
failure is occurring. Activate the traceoptions on R1 and R2, remove the hello
detail flag, and add the csn detail flag. Then, change the file name to
lsp-auth-issue.log to differentiate it with the last traceoptions file you
created.
• R1:
[edit protocols isis]
lab@R1# activate traceoptions
commit complete
commit complete
• R2:
[edit protocols isis]
lab@R2# activate traceoptions
commit complete
commit complete
From the previous output, it is obvious that LSP authentication failure is occurring.
Because these exchanges are encrypted, it is impossible to decipher exactly what
key is being used. However, the first task only stipulates that the authentication
must remain in place, you are not required to use the current authentication keys.
You can change the keys to something completely different.
• R1:
[edit protocols isis]
lab@R1# set level 1 authentication-key juniper
commit complete
• R2:
[edit protocols isis]
lab@R2# set level 1 authentication-key juniper
commit complete
• R3:
[edit protocols isis]
lab@R3# set level 1 authentication-key juniper
commit complete
• R4:
commit complete
• R1:
[edit protocols isis]
lab@R1# run show isis adjacency
Interface System L State Hold (secs) SNPA
ae1.0 R4 1 Up 6 52:54:0:1:0:3
ge-0/0/3.0 R2 1 Up 1 56:68:29:7a:ab:5b
ge-0/0/6.0 R3 1 Up 1 56:68:29:7a:93:b2
• R2:
[edit protocols isis]
lab@R2# run show isis adjacency
Interface System L State Hold (secs) SNPA
ae0.0 R4 1 Up 1 52:54:0:1:0:2
ge-0/0/1.0 R1 1 Up 4 56:68:29:7a:a0:ed
The System field now resolves to the host name for all Level 1 adjacencies. R1 and
R2 are now receiving LSPs from R3 and R4 which contain an attached bit. This
allows them to install a default IS-IS route into their routing tables.
Now you can ping to verify loopback to loopback reachability. Remember to source
the pings from the local router’s loopback address.
• R1:
[edit protocols isis]
lab@R1# run ping 172.27.255.2 source 172.27.255.1 count 2 rapid
PING 172.27.255.2 (172.27.255.2): 56 data bytes
!!
--- 172.27.255.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.059/3.821/4.582/0.761 ms
• R2:
[edit protocols isis]
lab@R2# run ping 172.27.255.1 source 172.27.255.2 count 2 rapid
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.498/3.008/3.517/0.509 ms
• R3:
[edit protocols isis]
lab@R3# run ping 172.27.255.1 source 172.27.255.3 count 2 rapid
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.494/4.146/4.798/0.652 ms
• R4:
[edit protocols isis]
lab@R4# run ping 172.27.255.1 source 172.27.255.4 count 2 rapid
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.498/3.141/3.783/0.642 ms
• R5:
[edit protocols isis]
lab@R5# run ping 172.27.255.1 source 172.27.255.5 count 2 rapid
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
• R2:
[edit protocols isis]
lab@R2# run traceroute 172.27.255.5 source 172.27.255.2
traceroute to 172.27.255.5 (172.27.255.5) from 172.27.255.2, 30 hops max, 40
byte packets
1 172.27.0.6 (172.27.0.6) 9.892 ms 9.158 ms 9.819 ms
2 * * *
3 * * *
...
28 * * *
29 * * *
30 * * *
• R5:
[edit protocols isis]
lab@R5# run traceroute 172.27.255.2 source 172.27.255.5
traceroute to 172.27.255.2 (172.27.255.2) from 172.27.255.5, 30 hops max, 40
byte packets
1 172.27.0.101 (172.27.0.101) 5.918 ms 5.079 ms 5.860 ms
2 172.27.0.105 (172.27.0.105) 5.673 ms 5.204 ms 5.875 ms
3 172.27.0.101 (172.27.0.101) 6.666 ms 6.516 ms 6.561 ms
4 172.27.0.105 (172.27.0.105) 6.662 ms 6.215 ms 6.464 ms
5 172.27.0.101 (172.27.0.101) 7.162 ms 7.212 ms 7.936 ms
6 172.27.0.105 (172.27.0.105) 7.590 ms 8.848 ms 7.245 ms
7 172.27.0.101 (172.27.0.101) 8.755 ms 8.134 ms 8.856 ms
8 172.27.0.105 (172.27.0.105) 8.698 ms 8.208 ms 8.908 ms
9 172.27.0.101 (172.27.0.101) 9.628 ms 9.214 ms 8.839 ms
...
Lab 4–48 • IS-IS Troubleshooting (Detailed) www.juniper.net
JNCIE Service Provider Bootcamp
• R5:
[edit protocols isis]
lab@R5# run show route 172.27.255.1
commit complete
TASK VERIFICATION
To verify this task, ping the loopback address of each router. Remember to source
the ping from the local routers loopback address. Also, examine the routing table to
ensure no core interface routes are present.
• R1:
[edit protocols isis]
lab@R1# run ping 172.27.255.2 source 172.27.255.1 count 2 rapid
PING 172.27.255.2 (172.27.255.2): 56 data bytes
!!
--- 172.27.255.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.339/5.521/7.703/2.182 ms
• R2:
[edit protocols isis]
lab@R2# run ping 172.27.255.1 source 172.27.255.2 count 2 rapid
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.693/3.893/4.093/0.200 ms
• R3:
[edit protocols isis]
lab@R3# run ping 172.27.255.1 source 172.27.255.3 count 2 rapid
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.523/2.904/3.285/0.381 ms
• R4:
[edit protocols isis]
lab@R4# run ping 172.27.255.1 source 172.27.255.4 count 2 rapid
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.874/2.181/2.488/0.307 ms
• R5:
[edit protocols isis]
lab@R5# run ping 172.27.255.1 source 172.27.255.5 count 2 rapid
commit complete
• R4:
[edit protocols isis]
lab@R4# run show route 172.27.255.1
With the ae1 link being non-operational, the traffic uses the ge-0/0/5 interface on
R4 to reach R1. To begin troubleshooting this issue, ensure that the interface metric
for ae0 is lower than the interface metric for ge-0/0/5. Also, it might be helpful to
examine the IS-IS link-state database for further clues.
To resolve this problem, you must have R2 advertise its LSP without the overload bit
set. Examine R2’s configuration to attempt to determine why this is occurring.
• R2:
[edit protocols isis]
lab@R2# show
inactive: traceoptions {
file lsp-auth-issue.log;
flag error detail;
flag csn detail;
}
export [ static-isis local-routes ];
reference-bandwidth 30g;
lsp-lifetime 3600;
level 2 disable;
level 1 {
authentication-key "$9$Mm1L7VgoGqmTwYmTz3tpWLx"; ## SECRET-DATA
authentication-type md5;
prefix-export-limit 1;
}
interface ge-0/0/2.0 {
passive;
}
interface all {
level 1 {
hello-authentication-key "$9$IjshyeLxdgoGvWoGDif5IEc"; ## SECRET-DATA
hello-authentication-type simple;
hold-time 6;
R2 is not using the overload statement and the show isis overview
command does not show that the overload bit is set. It is time to take a closer look
at the internal IS-IS operations on R2. Enable IS-IS traceoptions on R2 with only the
error detail flag set. Then, wait a minute for the traceoptions file to fill up with
information.
• R2:
[edit protocols isis]
lab@R2# activate traceoptions
commit complete
commit complete
commit complete
• R1:
[edit protocols isis]
lab@R1# top delete interfaces ae1 disable
commit complete
TASK 6
Ensure that R5 can communicate with the destinations
advertised by the customer router attached to R1. Also,
ensure that R5 is receiving this routing information from
R3 and R4. You can verify this step by pinging the
172.16.16.1 address.
TASK INTERPRETATION
This task requires you to enable communication between R5 and the destinations
that are being advertised by the customer router.
TASK COMPLETION
When examining R5’s routing table, you will find that it does not contain any routing
information for the 172.16.16.0/21 prefix range. After further examination of the
routing tables of the other routers, you will find that only R1 has routing information
for these prefixes.
• R1:
[edit protocols isis]
lab@R1# run show route 172.16.16/21
• R2:
[edit protocols isis]
lab@R2# run show route 172.16.16/21
• R3:
[edit protocols isis]
lab@R3# run show route 172.16.16/21
• R4:
[edit protocols isis]
lab@R4# run show route 172.16.16/21
• R5:
[edit protocols isis]
lab@R5# run show route 172.16.16/21
If you remember from early outputs R1 is currently overloaded. This might have
something to do with the prefix-export-limit statement that it has
configured.
• R1:
[edit protocols isis]
lab@R1# run show isis database
IS-IS level 1 link-state database:
LSP ID Sequence Checksum Lifetime Attributes
R1.00-00 0x47 0x892a 3596 L1 Overload
R2.00-00 0x33 0xd0df 2679 L1
R2.02-00 0x30 0xa07f 2889 L1
R3.00-00 0x2d 0xfb92 1716 L1 L2 Attached
R3.02-00 0x27 0xf1bf 2128 L1 L2
R4.00-00 0x2b 0xf436 727 L1 L2 Attached
R4.02-00 0x23 0x9f9f 1960 L1 L2
R4.03-00 0x2 0xec4a 877 L1 L2
8 LSPs
commit complete
• R2:
[edit protocols isis]
lab@R2# run show route 172.16.16/21
• R3:
[edit protocols isis]
lab@R3# run show route 172.16.16/21
• R4:
[edit protocols isis]
lab@R4# run show route 172.16.16/21
• R5:
[edit protocols isis]
lab@R5# run show route 172.16.16/21
The routing information is now present on all routers participating in Level 1, but it
still is not present on R5.
• R3:
[edit protocols isis]
lab@R3# top edit policy-options policy-statement leak-routes term lvl-1-ext
• R4:
[edit protocols isis]
lab@R4# top edit policy-options policy-statement leak-routes term lvl-1-ext
Remove the level 1 match condition from the route leaking policies on R3 and
R4. Then, examine the routing table on R5 for the routing information.
• R3:
[edit policy-options policy-statement leak-routes term lvl-1-ext]
lab@R3# delete from level 1
commit complete
• R4:
[edit policy-options policy-statement leak-routes term lvl-1-ext]
lab@R4# delete from level 1
commit complete
• R3:
[edit policy-options policy-statement leak-routes term lvl-1-ext]
lab@R3# run show route 172.16.16/21
• R4:
[edit policy-options policy-statement leak-routes term lvl-1-ext]
lab@R4# run show route 172.16.16/21
• R3:
[edit policy-options policy-statement leak-routes term lvl-1-ext]
lab@R3# top set routing-options aggregate route 172.16.16.0/21 preference 14
commit complete
commit complete
TASK VERIFICATION
To verify this task, examine the IS-IS link-state database to ensure R5 is receiving a
copy of the summary route from R3 and R4. Then, ping the 172.16.16.1 address to
ensure communication. Remember to source the ping from the loopback address of
R5.
• R5:
[edit protocols isis]
lab@R5# run show isis database R3 detail | match 172.16.16.0/21
IP prefix: 172.16.16.0/21 Metric: 10 Internal Up
Overview
In this lab, you will be given a list of tasks specific to OSPF troubleshooting to accomplish
in a timed setting. You will have 1 hour to complete the simulation.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions. You might
find more than one method for accomplishing each task.
By completing this lab, you will perform the following tasks:
– Ensure that all OSPF adjacencies have reached the Full state. Any
adjacencies that require authentication must authenticate properly to
reach the Full state.
– Ensure that each router can reach the loopback address of all other
routers in the network.
– R4 has been unstable in the past and must remain overloaded. However,
there will be consistently over 1.5 Gbps of traffic coming from DC3 that
will be using R5. For this reason, ensure that R4 must be the primary exit
of Area 2 for unknown destinations.
– Most traffic exiting Area 1 is using R1 because of the stability problems of
R4. However, the 1 Gbps link between R1 and R2 cannot handle the load.
Ensure that R1 is used as the primary exit point for all IPv4 traffic in
Area 1. However, IPv4 traffic cannot use R4 as the secondary exit point
for the area. Ensure that R4 is used as the primary exit point for all IPv6
traffic in Area 1. However, IPv6 traffic cannot use R1 as the secondary
exit point for the area.
– Ensure that R2 can reach the destinations located on the T2 router;
which are in the 10.255.0.0/19 prefix range. You can ping the
10.255.3.1 addresses to verify this step.
In this lab part, you will examine and troubleshoot a malfunctioning network which
has incorporated OSPF as its IGP. You are given a list of criteria that your network
must meet to consider this lab part complete.
TASK 1
Ensure that all OSPF adjacencies have reached the Full
state. Any adjacencies that require authentication must
authenticate properly to reach the Full state.
TASK INTERPRETATION
Examine each router’s OSPFv2 and OSPFv3 adjacencies. Troubleshoot any
adjacency issues you find until the adjacencies reach the Full state.
TASK COMPLETION
• R1:
R1 (ttyd0)
login: lab
Password:
[edit]
lab@R1# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.9 ae1.0 Exchange 172.27.255.5 128 38
[edit]
lab@R1# run show ospf3 neighbor
ID Interface State Pri Dead
172.27.255.5 ae1.0 Full 128 18
Neighbor-address fe80::5254:ff:fe01:3
• R2:
R2 (ttyd0)
login: lab
Password:
[edit]
lab@R2# run show ospf neighbor
[edit]
lab@R2# run show ospf3 neighbor
• R3:
R3 (ttyd0)
login: lab
Password:
[edit]
lab@R3# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.18 ge-0/0/2.0 Full 172.27.255.5 128 27
172.27.0.25 ge-0/0/3.0 Full 172.27.255.5 128 27
[edit]
lab@R3# run show ospf3 neighbor
ID Interface State Pri Dead
172.27.255.5 ge-0/0/2.0 Full 128 8
Neighbor-address fe80::5668:29ff:fe7a:8591
172.27.255.5 ge-0/0/3.0 Full 128 27
Neighbor-address fe80::5668:29ff:fe7a:b24d
• R4:
R4 (ttyd0)
login: lab
Password:
[edit]
lab@R4# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.10 ae1.0 ExStart 172.27.255.1 128 34
172.27.0.17 ge-0/0/5.0 Full 172.27.255.3 128 29
[edit]
lab@R4# run show ospf3 neighbor
• R5:
R5 (ttyd0)
login: lab
Password:
[edit]
lab@R5# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.26 ge-0/0/1.0 Full 172.27.255.3 128 27
[edit]
lab@R5# run show ospf3 neighbor
ID Interface State Pri Dead
172.27.255.3 ge-0/0/1.0 Full 128 26
Neighbor-address fe80::5668:29ff:fe7a:9ac9
[edit]
lab@R1# run show ospf3 interface
Interface State Area DR ID BDR ID Nbrs
ae1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ge-0/0/6.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 0
ge-0/0/3.0 PtToPt 1.0.0.1 0.0.0.0 0.0.0.0 0
• R2:
[edit]
lab@R2# run show ospf interface
Interface State Area DR ID BDR ID Nbrs
ae0.0 PtToPt 0.0.0.1 0.0.0.0 0.0.0.0 0
ge-0/0/1.0 PtToPt 0.0.0.1 0.0.0.0 0.0.0.0 0
ge-0/0/2.0 DRother 0.0.0.1 0.0.0.0 0.0.0.0 0
lo0.0 DRother 0.0.0.1 0.0.0.0 0.0.0.0 0
[edit]
lab@R2# run show ospf3 interface
Interface State Area DR ID BDR ID Nbrs
ae0.0 PtToPt 0.0.0.1 0.0.0.0 0.0.0.0 0
ge-0/0/1.0 PtToPt 0.0.0.1 0.0.0.0 0.0.0.0 0
ge-0/0/2.0 DRother 0.0.0.1 0.0.0.0 0.0.0.0 0
• R3:
[edit]
lab@R3# run show ospf interface
Interface State Area DR ID BDR ID Nbrs
ge-0/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 0
ge-0/0/2.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
lo0.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
ge-0/0/3.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 1
[edit]
lab@R3# run show ospf3 interface
Interface State Area DR ID BDR ID Nbrs
ge-0/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 0
ge-0/0/2.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ge-0/0/3.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 1
[edit]
lab@R4# run show ospf3 interface
Interface State Area DR ID BDR ID Nbrs
ae1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ge-0/0/5.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ae0.0 PtToPt 0.0.0.1 0.0.0.0 0.0.0.0 0
ae2.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 0
• R5:
[edit]
lab@R5# run show ospf interface
Interface State Area DR ID BDR ID Nbrs
ae2.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 0
ge-0/0/1.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 1
ge-0/0/5.0 DRother 0.0.0.2 0.0.0.0 0.0.0.0 0
lo0.0 DRother 0.0.0.2 0.0.0.0 0.0.0.0 0
[edit]
lab@R5# run show ospf3 interface
Interface State Area DR ID BDR ID Nbrs
ae2.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 0
ge-0/0/1.0 PtToPt 0.0.0.2 0.0.0.0 0.0.0.0 1
ge-0/0/5.0 DRother 0.0.0.2 0.0.0.0 0.0.0.0 0
On R1, change Area 1.0.0.1 to Area 1 in OSPFv3. Then, examine its OSPFv3
adjacency states.
• R1:
[edit]
lab@R1# edit protocols ospf3
commit complete
For now, remove the nssa statement from R2 for Area 1 under OSPFv2 and
OSPFv3. Then examine the OSPF adjacencies on R2.
• R2:
[edit]
lab@R2# edit protocols
[edit protocols]
lab@R2# delete ospf area 1 nssa
[edit protocols]
lab@R2# delete ospf3 area 1 nssa
[edit protocols]
lab@R2# commit
commit complete
[edit protocols]
lab@R2# run show ospf neighbor
[edit protocols]
lab@R2# run show ospf3 neighbor
ID Interface State Pri Dead
172.27.255.5 ae0.0 Full 128 31
Neighbor-address fe80::5254:ff:fe01:2
172.27.255.1 ge-0/0/1.0 Full 128 10
Neighbor-address fe80::5668:29ff:fe7a:a0ed
Now that all the OSPF adjacencies have reached the Full state on R2, return to R1
and troubleshoot the adjacency issue with R4.
Although, monitoring the interface will allow you to discover the problem,
traceoptions is also a viable troubleshooting tool as well. Configure traceoptions on
R1 for OSPFv2 and OSPFv3. Configure the flag error detail and the flag
hello detail statements under the traceoptions.
• R1:
[edit protocols ospf3]
lab@R1# up 1
[edit protocols]
lab@R1# set ospf traceoptions file ospf-adj.log
[edit protocols]
lab@R1# set ospf traceoptions flag hello detail
[edit protocols]
lab@R1# set ospf traceoptions flag error detail
[edit protocols]
lab@R1# set ospf3 traceoptions file ospf-adj.log
[edit protocols]
lab@R1# set ospf3 traceoptions flag hello detail
[edit protocols]
lab@R1# set ospf3 traceoptions flag error detail
[edit protocols]
lab@R1# commit
commit complete
[edit protocols]
lab@R1# run show log ospf-adj.log | find 172.27.0.13
Aug 2 18:03:26.458628 OSPF rcvd Hello 172.27.0.13 -> 224.0.0.5 (ge-0/0/6.0 IFL
73 area 0.0.0.0)
Aug 2 18:03:26.458666 Version 2, length 44, ID 172.27.255.3, area 0.0.0.0
Aug 2 18:03:26.458685 checksum 0x0, authtype 1
Aug 2 18:03:26.458701 mask 255.255.255.0, hello_ivl 5, opts 0x2, prio 128
Aug 2 18:03:26.458718 dead_ivl 20, DR 0.0.0.0, BDR 0.0.0.0
Aug 2 18:03:26.458737 OSPF packet ignored: netmask 255.255.255.0 mismatch from
172.27.0.13 on intf ge-0/0/6.0 area 0.0.0.0
...
[edit protocols]
lab@R1# run show log ospf-adj.log | match fe80 | match ge-0/0/6
Aug 7 00:49:24.800280 OSPF rcvd Hello fe80::5668:29ff:fe7a:93b2 -> ff02::5
(ge-0/0/6.0 IFL 73 area 0.0.0.0)
Aug 7 00:49:24.800382 OSPF packet ignored: hello interval mismatch 20 from
fe80::5668:29ff:fe7a:93b2 on intf ge-0/0/6.0 area 0.0.0.0
Aug 7 00:49:44.695623 OSPF rcvd Hello fe80::5668:29ff:fe7a:93b2 -> ff02::5
(ge-0/0/6.0 IFL 73 area 0.0.0.0)
Aug 7 00:49:44.695733 OSPF packet ignored: hello interval mismatch 20 from
fe80::5668:29ff:fe7a:93b2 on intf ge-0/0/6.0 area 0.0.0.0
...
[edit protocols]
lab@R1# run show log ospf-adj.log | find 172.27.0.9
Monitor the ae1 interface on R1 to discover the adjacency problem between R1 and
R4.
• R1:
[edit protocols]
lab@R1# run monitor traffic interface ae1 detail no-resolve
Address resolution is OFF.
Listening on ae1, capture size 1514 bytes
...
18:24:19.203897 In IP (tos 0xc0, ttl 1, id 2632, offset 0, flags [none],
proto: OSPF (89), length: 52) 172.27.0.9 > 224.0.0.5: OSPFv2, Database
Description, length 32
Router-ID 172.27.255.5, Backbone Area, Authentication Type: simple (1)
Simple text password: Juniper
Options [External, Opaque], DD Flags [Init, More, Master], MTU: 1496,
Sequence: 0xac1eecd6
18:24:19.204948 Out IP (tos 0xc0, ttl 1, id 39476, offset 0, flags [none],
proto: OSPF (89), length: 112) 172.27.0.10 > 224.0.0.5: OSPFv2, Database
Description, length 92
Router-ID 172.27.255.1, Backbone Area, Authentication Type: simple (1)
Simple text password: Juniper
Options [External, Opaque], DD Flags [none], MTU: 1500, Sequence:
0xac1eecd6
Advertising Router 172.27.255.1, seq 0x80000043, age 1575s, length 28
Router LSA (1), LSA-ID: 172.27.255.1
Options: [External, Demand Circuit]
Advertising Router 172.27.255.1, seq 0x80000023, age 289s, length 8
Summary LSA (3), LSA-ID: 172.27.0.0
Options: [External, Demand Circuit]
Advertising Router 172.27.255.1, seq 0x8000001b, age 718s, length 16
External LSA (5), LSA-ID: 172.16.16.0
Options: [External, Demand Circuit]
www.juniper.net OSPF Troubleshooting (Detailed) • Lab 5–11
JNCIE Service Provider Bootcamp
Question: What can you determine from the output?
Change the IPv4 netmask on R3’s ge-0/0/1 interface from /24 to /30. Next,
change the OSPFv3 hello-interval and dead-interval on R1’s ge-0/0/6
interface to 20 and 60, respectively. Then change the family inet mtu value
to 1496 on R1’s ae1 interface. Alternatively, you can change the family inet
mtu value on R4 to 1500. Examine the status of the OSPF adjacencies once you
have committed the configuration. Also, remember to deactivate the
traceoptions.
• R3:
[edit]
lab@R3# edit interfaces ge-0/0/1
commit complete
• R1:
[edit protocols]
lab@R1# deactivate ospf traceoptions
[edit protocols]
lab@R1# deactivate ospf3 traceoptions
[edit protocols]
lab@R1# set ospf3 area 0 interface ge-0/0/6.0 hello-interval 20 dead-interval 60
[edit protocols]
lab@R1# top edit interfaces ae1.0
commit complete
Examine R4 and R5 for the source of the incorrect router ID. Correct any problems
that you find.
• R5:
[edit]
lab@R5# run show interfaces terse lo0.0
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.5 --> 0/0
inet6 ::172.27.255.5/32
fe80::5668:290f:fc7a:b8a3
• R4:
[edit]
lab@R4# run show interfaces terse lo0.0
Interface Admin Link Proto Local Remote
lo0.0 up up inet 172.27.255.5 --> 0/0
inet6 ::172.27.255.4/32
fe80::5668:290f:fc7a:8eed
[edit]
lab@R4# delete interfaces lo0.0 family inet address 172.27.255.5/32
[edit]
lab@R4# set interfaces lo0.0 family inet address 172.27.255.4
[edit]
lab@R4# commit
commit complete
[edit]
lab@R4# run show ospf3 neighbor
ID Interface State Pri Dead
172.27.255.1 ae1.0 Full 128 16
Neighbor-address fe80::5254:ff:fe00:403
172.27.255.3 ge-0/0/5.0 Full 128 9
Neighbor-address fe80::5668:29ff:fe7a:b48b
172.27.255.2 ae0.0 Full 128 39
Neighbor-address fe80::5254:ff:fe00:c002
172.27.255.5 ae2.0 Exchange 128 37
Neighbor-address fe80::5254:ff:fe00:4b04
Changing the loopback address of R4 to the correct address did not solve the
problem between R4 and R5, but it is a step in the right direction. Monitor the ae2
interface on R4 to troubleshoot this problem further.
• R4:
[edit]
lab@R4# run monitor traffic interface ae2.0 detail no-resolve
Address resolution is OFF.
Listening on ae2.0, capture size 1514 bytes
17:09:18.074283 In IP6 (class 0xc0, hlim 1, next-header: OSPF (89), length: 28)
fe80::5254:ff:fe00:4b04 > ff02::5: OSPFv3, Database Description, length 28
Router-ID 172.27.255.5, Area 0.0.0.2
Options [V6, Router], DD Flags [Init, More, Master], MTU 1486,
DD-Sequence 0xac1c26fb
17:09:18.075175 Out IP6 (class 0xc0, hlim 1, next-header: OSPF (89), length: 88)
fe80::5254:ff:fe01:4 > ff02::5: OSPFv3, Database Description, length 88
Router-ID 172.27.255.4, Area 0.0.0.2
Options [V6, Router], DD Flags [none], MTU 1500, DD-Sequence 0xac1c26fb
Advertising Router 172.27.255.4, seq 0x80000001, age 29s, length 8
NSSA LSA (7), Area Local Scope, LSA-ID 0.0.0.1
Advertising Router 172.27.255.4, seq 0x80000001, age 37s, length 32
Intra-Area Prefix LSA (9), Area Local Scope, LSA-ID 0.0.0.1
Advertising Router 172.27.255.4, seq 0x80000001, age 37s, length 44
Link LSA (8), Link Local Scope, LSA-ID 0.0.0.4
...
Fix the OSPF adjacency problems by configuring matching dead interval values and
matching MTU values where applicable.
• R4:
[edit]
lab@R4# edit protocols ospf area 2
commit complete
• R5:
[edit]
lab@R5# edit interfaces ae2
commit complete
• R4:
[edit protocols ospf area 0.0.0.2]
lab@R4# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.10 ae1.0 Full 172.27.255.1 128 35
172.27.0.17 ge-0/0/5.0 Full 172.27.255.3 128 26
172.27.0.5 ae0.0 Full 172.27.255.2 128 19
172.27.0.22 ae2.0 Full 172.27.255.5 128 37
TASK VERIFICATION
To verify this task, examine the OSPFv2 and OSPFv3 adjacencies on each router. If
all the adjacencies reach the Full state, then the task is complete.
• R1:
[edit interfaces ae1 unit 0]
lab@R1# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.9 ae1.0 Full 172.27.255.4 128 32
172.27.0.13 ge-0/0/6.0 Full 172.27.255.3 128 19
172.27.0.2 ge-0/0/3.0 Full 172.27.255.2 128 29
• R2:
[edit protocols]
lab@R2# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.6 ae0.0 Full 172.27.255.4 128 16
172.27.0.1 ge-0/0/1.0 Full 172.27.255.1 128 27
[edit protocols]
lab@R2# run show ospf3 neighbor
ID Interface State Pri Dead
172.27.255.4 ae0.0 Full 128 39
Neighbor-address fe80::5254:ff:fe01:2
172.27.255.1 ge-0/0/1.0 Full 128 10
Neighbor-address fe80::5668:29ff:fe7a:a0ed
• R3:
[edit interfaces ge-0/0/1]
lab@R3# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.14 ge-0/0/1.0 Full 172.27.255.1 128 17
172.27.0.18 ge-0/0/2.0 Full 172.27.255.4 128 26
172.27.0.25 ge-0/0/3.0 Full 172.27.255.5 128 25
• R4:
[edit protocols ospf area 0.0.0.2]
lab@R4# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.10 ae1.0 Full 172.27.255.1 128 35
172.27.0.17 ge-0/0/5.0 Full 172.27.255.3 128 29
172.27.0.5 ae0.0 Full 172.27.255.2 128 16
172.27.0.22 ae2.0 Full 172.27.255.5 128 36
• R5:
[edit interfaces ae2]
lab@R5# run show ospf neighbor
Address Interface State ID Pri Dead
172.27.0.21 ae2.0 Full 172.27.255.4 128 38
172.27.0.26 ge-0/0/1.0 Full 172.27.255.3 128 25
• R2:
[edit protocols]
lab@R2# run ping 172.27.255.1 rapid count 2
PING 172.27.255.1 (172.27.255.1): 56 data bytes
36 bytes from 172.27.0.26: Time to live exceeded
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 a5b5 0 0000 01 01 bcb6 172.27.0.5 172.27.255.1
.36 bytes from 172.27.0.26: Time to live exceeded
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 a5b7 0 0000 01 01 bcb4 172.27.0.5 172.27.255.1
.
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[edit protocols]
lab@R2# run ping 172.27.255.3 rapid count 2
PING 172.27.255.3 (172.27.255.3): 56 data bytes
!!
--- 172.27.255.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.876/4.392/4.908/0.516 ms
[edit protocols]
lab@R2# run ping 172.27.255.4 rapid count 2
PING 172.27.255.4 (172.27.255.4): 56 data bytes
!!
--- 172.27.255.4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.887/4.476/5.064/0.588 ms
[edit protocols]
lab@R2# run ping 172.27.255.5 rapid count 2
PING 172.27.255.5 (172.27.255.5): 56 data bytes
!!
--- 172.27.255.5 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.887/6.425/6.963/0.538 ms
• R4:
[edit protocols ospf area 0.0.0.2]
lab@R4# run ping 172.27.255.1 rapid count 2
PING 172.27.255.1 (172.27.255.1): 56 data bytes
36 bytes from 172.27.0.105: Time to live exceeded
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 a2b2 0 0000 01 01 bfac 172.27.0.18 172.27.255.1
.36 bytes from 172.27.0.105: Time to live exceeded
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 a2b3 0 0000 01 01 bfab 172.27.0.18 172.27.255.1
.
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
• R5:
[edit interfaces ae2]
lab@R5# run ping 172.27.255.1 rapid count 2
PING 172.27.255.1 (172.27.255.1): 56 data bytes
36 bytes from 172.27.0.105: Time to live exceeded
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 49ee 0 0000 01 01 186a 172.27.0.25 172.27.255.1
.36 bytes from 172.27.0.105: Time to live exceeded
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 49f2 0 0000 01 01 1866 172.27.0.25 172.27.255.1
.
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
Issuing a traceroute from any router helps pinpoint the area in which the routing
loop is occurring.
• R2:
[edit protocols]
lab@R2# run traceroute 172.27.255.1
traceroute to 172.27.255.1 (172.27.255.1), 30 hops max, 40 byte packets
1 172.27.0.1 (172.27.0.1) 8.902 ms 8.087 ms 8.137 ms
2 172.27.0.13 (172.27.0.13) 9.504 ms 10.524 ms 13.744 ms
3 172.27.0.105 (172.27.0.105) 10.694 ms 11.224 ms 11.853 ms
4 172.27.0.26 (172.27.0.26) 8.692 ms 14.503 ms 8.565 ms
5 172.27.0.105 (172.27.0.105) 12.784 ms 14.159 ms 13.812 ms
...
29 172.27.0.105 (172.27.0.105) 40.676 ms 36.593 ms 37.463 ms
30 172.27.0.26 (172.27.0.26) 36.736 ms 21.349 ms 23.143 ms
Examine the routing tables of R2, R3, and R5 to gather more information on the
routing loop.
• R2:
[edit protocols]
lab@R2# run show route 172.27.255.1
• R3:
[edit interfaces ge-0/0/1]
lab@R3# run show route 172.27.255.1
• R5:
[edit interfaces ae2]
lab@R5# run show route 172.27.255.1
Examine R1 to ensure that it is properly advertising its loopback address into the
network. Fix any problems that you might find.
• R1:
[edit interfaces ae1 unit 0]
lab@R1# run show ospf interface lo0.0 detail
Interface State Area DR ID BDR ID Nbrs
lo0.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
Type: LAN, Address: 172.27.25.1, Mask: 255.255.255.255, MTU: 65535, Cost: 0
Adj count: 0, Passive
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
Protection type: None
Topology default (ID 0) -> Passive, Cost: 0
• R1:
[edit interfaces ae1 unit 0]
lab@R1# up 2 edit lo0.0
commit complete
TASK VERIFICATION
This task is complete when each router can reach the loopback address of every
other router in the internal network.
• R1:
[edit interfaces lo0 unit 0]
lab@R1# run ping 172.27.255.2 rapid count 2
PING 172.27.255.2 (172.27.255.2): 56 data bytes
!!
• R2:
[edit protocols]
lab@R2# run ping 172.27.255.1 rapid count 2
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.358/3.678/3.997/0.319 ms
[edit protocols]
lab@R2# run ping 172.27.255.3 rapid count 2
PING 172.27.255.3 (172.27.255.3): 56 data bytes
!!
--- 172.27.255.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.395/5.136/5.876/0.740 ms
[edit protocols]
lab@R2# run ping 172.27.255.4 rapid count 2
PING 172.27.255.4 (172.27.255.4): 56 data bytes
!!
--- 172.27.255.4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.279/3.189/4.099/0.910 ms
• R3:
[edit interfaces ge-0/0/1]
lab@R3# run ping 172.27.255.1 rapid count 2
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.183/3.539/3.896/0.357 ms
• R4:
[edit protocols ospf area 0.0.0.2]
lab@R4# run ping 172.27.255.1 rapid count 2
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.877/5.917/5.956/0.039 ms
• R5:
[edit interfaces ae2]
lab@R5# run ping 172.27.255.1 rapid count 2
PING 172.27.255.1 (172.27.255.1): 56 data bytes
!!
--- 172.27.255.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.963/5.235/5.507/0.272 ms
TASK INTERPRETATION
To complete this task you must configure Area 2 to use R4 as the primary exit for any
unknown destinations. This task is complicated by the criterion that R4 must remain
in the overloaded state. You must configure Area 2 to use R4 for any traffic for which
R5 does not have specific routing information. Note that this task applies to OSPFv2
and OSPFv3.
TASK COMPLETION
Begin this task by examining the default routes on R5 in the routing table. Then,
examine the default LSAs in the OSPF link-state database.
• R5:
[edit interfaces ae2]
lab@R5# run show route 0/0 exact detail
On R4 in Area 2, change the metric type value for the default LSA to 1 for OSPFv2
and OSPFv3. Alternatively, you can simply remove the default-type statement
and R4 will advertise the default LSA with a Type 1 metric.
• R4:
[edit protocols ospf area 0.0.0.2]
lab@R4# show
nssa {
default-lsa {
default-metric 1;
metric-type 2;
type-7;
}
no-summaries;
}
area-range 10.255.0.0/19 restrict;
interface ae2.0 {
interface-type p2p;
hello-interval 5;
dead-interval 40;
}
Lab 5–32 • OSPF Troubleshooting (Detailed) www.juniper.net
JNCIE Service Provider Bootcamp
commit complete
TASK VERIFICATION
To verify this task, examine the routing table on R5. If the default route points
towards R4, then this task is complete.
• R5:
[edit interfaces ae2]
lab@R5# run show route 0/0 exact
TASK INTERPRETATION
Completing this task requires you to turn Area 1 into a totally stubby area.
Configuring only a stub area might satisfy the criteria of this task, however a totally
stubby area will force more traffic to use the designated ABR.
TASK COMPLETION
To complete this task, configure R1 and R4 as ABRs for Area 1. Then configure
Area 1 to be a totally stubby area. Next, configure R1 as the primary exit point for
IPv4 traffic by using the no-summaries and default-metric commands
under Area 1 in OSPFv2. When configuring Area 1 under OSPFv3 on R1, set the
no-summaries command but omit the default-metric command. Then,
configure R4 as the primary exit point for IPv6 traffic by using the no-summaries
and default-metric commands under Area 1 in OSPFv3. When configuring
Area 1 under OSPFv2 on R4 set the no-summaries command but omit the
default-metric command.
Remember to configure R2 as a stub router within Area 1. Forgetting to do so causes
R2 to lose all of its OSPF adjacencies.
• R1:
[edit interfaces lo0 unit 0]
lab@R1# top edit protocols ospf area 1
commit complete
• R4:
[edit protocols ospf3 area 0.0.0.2]
lab@R4# up 2 edit ospf area 1
commit complete
• R2:
[edit protocols]
lab@R2# set ospf area 1 stub
[edit protocols]
lab@R2# set ospf3 area 1 stub
[edit protocols]
lab@R2# commit
commit complete
TASK VERIFICATION
To verify this task, examine the inet.0 and inet6.0 routing tables on R2. If R1 is the
primary exit point for IPv4 traffic, and R4 is the primary exit point for all IPv6 traffic,
the task is complete.
• R2:
[edit protocols]
lab@R2# run show route protocol ospf table inet.0
[edit protocols]
lab@R2# run show route protocol ospf table inet6.0
[edit protocols]
lab@R2# run ping 10.255.3.1 count 2
PING 10.255.3.1 (10.255.3.1): 56 data bytes
36 bytes from 172.27.0.1: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 9eb8 0 0000 40 01 21d4 172.27.0.2 10.255.3.1
Examine the routing table on R1, R3, and R4 to gain further insight on the problem.
• R1:
[edit protocols ospf area 0.0.0.1]
lab@R1# run show route 10.255.3.1
• R4:
[edit protocols ospf3 area 0.0.0.1]
lab@R4# run show route 10.255.3.1
commit complete
• R4:
[edit protocols ospf area 0.0.0.2]
lab@R4# delete nssa area-range 10.255.0.0/19 restrict
commit complete
TASK VERIFICATION
To verify this task, ping the 10.255.3.1 address from R2. If R2 can communicate
with the 10.255.3.1 address then the task is complete.
• R2:
[edit protocols]
lab@R2# run ping 10.255.3.1 rapid count 2
PING 10.255.3.1 (10.255.3.1): 56 data bytes
!!
--- 10.255.3.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.648/7.057/7.467/0.410 ms
Overview
In this lab, you will implement a BGP network including IBGP, EBGP, and routing policies
according to the provided task list. You will have 2.5 hours to complete the lab.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions.
By completing this lab, you will perform the following tasks:
• Configure the IBGP network. Your IBGP network must be designed using route
reflection and must contain one route reflection cluster. All IBGP sessions must
use the lo0.0 interface IP address. The failure of a link or router in the
network must not result in any connectivity issues or isolation of clients.
• All IBGP sessions in your autonomous system (AS) must be authenticated
using MD5 authentication.
• Configure a BGP session to the customer 2 (C2), peer (P), and transit (T)
neighbors. Configure the EBGP session to C2 to load-balance over the two links
that connect R5 and C2. Only one BGP session should be used. A static route is
permissible to complete this task.
• Configure the R2 router to use load balancing over the two peering sessions
with T1 and T2 routers.
• All peer (P), transit provider (T1, T2), and C2 IPv4 prefixes should be active and
reachable on all routers in your AS.
• Routers C1 and C3 belong to the same customer, which uses IPv6 routing.
Configure a BGP session to C1 and C3 routers. Both C1 and C3 routers should
be able to communicate with each other as well as with the transit routers T1
and T2 using IPv6. IPv6 packet forwarding in your AS is not permitted.
• The direct IPv6 routes on C1-R3 and C3-R4 links must be reachable from the
customer remote routers C3 and C1, respectively.
In this lab part, you will log in to your assigned routers and configure as well as verify
the BGP network. In addition to establishing the BGP network you will implement
BGP routing policies. The IBGP network will be designed using route reflection.
Note
We recommend that you spend some time
carefully reading all the tasks before you
start configuring routers step by step. This
approach allows you to better develop your
strategy, which is especially important in
BGP routing policy.
login: lab
Password:
login: lab
Password:
login: lab
Password:
login: lab
Password:
login: lab
Password:
login: lab
Password:
TASK 2
Configure the IBGP network. Your IBGP network must be
designed using Route Reflection and must contain one Route
Reflection cluster. All IBGP sessions must use the lo0.0
interface IP address. The failure of a link or router in
the network must not result in any connectivity issues or
isolation of clients.
[edit]
lab@R1# set routing-options autonomous-system 3895077211
[edit]
lab@R1# show routing-options
router-id 172.27.255.1;
autonomous-system 3895077211
[edit]
lab@R1# edit protocols bgp group cluster-1
commit complete
Exiting configuration mode
lab@R1>
• R2:
lab@R2> configure
Entering configuration mode
[edit]
lab@R2# show routing-options
router-id 172.27.255.2;
autonomous-system 3895077211;
[edit]
lab@R2# edit protocols bgp group cluster-1
commit complete
Exiting configuration mode
lab@R2>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# set routing-options autonomous-system 3895077211
[edit]
lab@R3# show routing-options
router-id 172.27.255.3;
autonomous-system 3895077211;
[edit]
lab@R3# edit protocols bgp group cluster-1
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set routing-options autonomous-system 3895077211
[edit]
lab@R4# show routing-options
[edit]
lab@R4# edit protocols bgp group cluster-1
commit complete
Exiting configuration mode
lab@R4>
[edit]
lab@R5# set routing-options autonomous-system 3895077211
[edit]
lab@R5# show routing-options
router-id 172.27.255.5;
autonomous-system 3895077211;
[edit]
lab@R5# edit protocols bgp group cluster-1
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Verify that IBGP sessions are established successfully.
• R1:
lab@R1> show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.255.3 3895077211 130 129 0 0 57:15 0/
0/0/0 0/0/0/0
172.27.255.4 3895077211 27 26 0 0 11:06 0/
0/0/0 0/0/0/0
• R3:
lab@R3> show bgp summary
Groups: 2 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.255.1 3895077211 131 132 0 0 58:28 0/
0/0/0 0/0/0/0
172.27.255.2 3895077211 130 130 0 0 58:24 0/
0/0/0 0/0/0/0
172.27.255.4 3895077211 29 29 0 0 12:07 0/
0/0/0 0/0/0/0
172.27.255.5 3895077211 17 15 0 0 6:24 0/
0/0/0 0/0/0/0
• R4:
lab@R4> show bgp summary
Groups: 2 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.255.1 3895077211 28 30 0 0 12:25 0/
0/0/0 0/0/0/0
172.27.255.2 3895077211 28 29 0 0 12:21 0/
0/0/0 0/0/0/0
172.27.255.3 3895077211 28 29 0 0 12:13 0/
0/0/0 0/0/0/0
172.27.255.5 3895077211 16 16 0 0 6:26 0/
0/0/0 0/0/0/0
• R5:
lab@R5> show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.255.3 3895077211 15 17 0 0 6:36 0/
0/0/0 0/0/0/0
Lab 6–10 • BGP Implementation (Detailed) www.juniper.net
JNCIE Service Provider Bootcamp
172.27.255.4 3895077211 15 16 0 0 6:32 0/
0/0/0 0/0/0/0
TASK 3
All IBGP sessions in your autonomous system must be
authenticated using MD5 authentication.
TASK INTERPRETATION
The task is straight forward. You must configure md5 authentication for all the IBGP
sessions from each of your routers. The task does not specify what key must be
used, so you can use whatever key you wish. In this detailed guide we use “juniper”.
TASK COMPLETION
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# set protocols bgp group cluster-1 authentication-key juniper
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
• R2:
lab@R2> configure
Entering configuration mode
[edit]
lab@R2# set protocols bgp group cluster-1 authentication-key juniper
[edit]
lab@R2# commit and-quit
commit complete
Exiting configuration mode
lab@R2>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# set protocols bgp group cluster-1 authentication-key juniper
[edit]
lab@R3# set protocols bgp group internal authentication-key juniper
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set protocols bgp group cluster-1 authentication-key juniper
[edit]
lab@R4# set protocols bgp group internal authentication-key juniper
[edit]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set protocols bgp group cluster-1 authentication-key juniper
[edit]
lab@R5# commit and-quit
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
You can verify authentication is configured by reviewing the neighbors for each
router. The output will not display what the key being used is. To simplify the outputs
use the show bgp neighbor | match "Peer: 172.27.255|Authentication
key" command.
• R1:
lab@R1> show bgp neighbor | match "Peer: 172.27.255|Authentication key"
Peer: 172.27.255.3+56190 AS 3895077211 Local: 172.27.255.1+179 AS 3895077211
Authentication key is configured
Peer: 172.27.255.4+179 AS 3895077211 Local: 172.27.255.1+56737 AS 3895077211
Authentication key is configured
• R3:
lab@R3> show bgp neighbor | match "Peer: 172.27.255|Authentication key"
Peer: 172.27.255.1+179 AS 3895077211 Local: 172.27.255.3+56190 AS 3895077211
Authentication key is configured
Peer: 172.27.255.2+56748 AS 3895077211 Local: 172.27.255.3+179 AS 3895077211
Authentication key is configured
Peer: 172.27.255.4+50303 AS 3895077211 Local: 172.27.255.3+179 AS 3895077211
Authentication key is configured
Peer: 172.27.255.5+61030 AS 3895077211 Local: 172.27.255.3+179 AS 3895077211
Authentication key is configured
• R4:
lab@R4> show bgp neighbor | match "Peer: 172.27.255|Authentication key"
Peer: 172.27.255.1+56737 AS 3895077211 Local: 172.27.255.4+179 AS 3895077211
Authentication key is configured
Peer: 172.27.255.2+51719 AS 3895077211 Local: 172.27.255.4+179 AS 3895077211
Authentication key is configured
Peer: 172.27.255.3+179 AS 3895077211 Local: 172.27.255.4+50303 AS 3895077211
Authentication key is configured
Peer: 172.27.255.5+57711 AS 3895077211 Local: 172.27.255.4+179 AS 3895077211
Authentication key is configured
• R5:
lab@R5> show bgp neighbor | match "Peer: 172.27.255|Authentication key"
Peer: 172.27.255.3+179 AS 3895077211 Local: 172.27.255.5+61030 AS 3895077211
Authentication key is configured
Peer: 172.27.255.4+179 AS 3895077211 Local: 172.27.255.5+57711 AS 3895077211
Authentication key is configured
TASK 4
Configure a BGP session to C2 Customer, Peer (P) and
Transit (T) neighbors. Configure the EBGP session to C2 to
load balance over the two links that connect R5 and C2.
There should only be one BGP session used. A static route
is permissible to complete this task.
TASK COMPLETION
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# set protocols bgp group T1 type external
[edit]
lab@R1# set protocols bgp group T1 peer-as 1342930876
[edit]
lab@R1# set protocols bgp group T1 neighbor 172.27.0.34
[edit]
lab@R1# set protocols bgp group P type external
[edit]
lab@R1# set protocols bgp group P peer-as 2087403078
[edit]
lab@R1# set protocols bgp group P neighbor 172.27.0.30
[edit]
lab@R1# show protocols bgp
group cluster-1 {
type internal;
local-address 172.27.255.1;
authentication-key "$9$v5P8xd24Zk.5bs.5QFAtM8X"; ## SECRET-DATA
neighbor 172.27.255.3;
neighbor 172.27.255.4;
}
group T1 {
type external;
peer-as 1342930876;
neighbor 172.27.0.34;
}
group P {
type external;
peer-as 2087403078;
Lab 6–14 • BGP Implementation (Detailed) www.juniper.net
JNCIE Service Provider Bootcamp
neighbor 172.27.0.30;
}
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
• R2:
lab@R2> configure
Entering configuration mode
[edit]
lab@R2# set protocols bgp group T1-T2 type external
[edit]
lab@R2# set protocols bgp group T1-T2 peer-as 1342930876
[edit]
lab@R2# set protocols bgp group T1-T2 neighbor 172.27.0.66
[edit]
lab@R2# set protocols bgp group T1-T2 neighbor 172.27.0.38
[edit]
lab@R2# show protocols bgp
group cluster-1 {
type internal;
local-address 172.27.255.2;
authentication-key "$9$AMDcuBElK8db2cyb24aiHtuO"; ## SECRET-DATA
neighbor 172.27.255.3;
neighbor 172.27.255.4;
}
group T1-T2 {
type external;
peer-as 1342930876;
neighbor 172.27.0.66;
neighbor 172.27.0.38;
}
[edit]
lab@R2# commit and-quit
commit complete
Exiting configuration mode
lab@R2>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# set protocols bgp group P peer-as 2087403078
[edit]
lab@R3# set protocols bgp group P neighbor 172.27.0.62
[edit]
lab@R3# show protocols bgp
group cluster-1 {
type internal;
local-address 172.27.255.3;
authentication-key "$9$XeSNVYJGifT3goT369OBxNd"; ## SECRET-DATA
cluster 0.0.0.1;
neighbor 172.27.255.1;
neighbor 172.27.255.2;
neighbor 172.27.255.5;
}
group internal {
type internal;
local-address 172.27.255.3;
authentication-key "$9$j9kmT69pRhrz3hrev7Nik."; ## SECRET-DATA
neighbor 172.27.255.4;
}
group P {
type external;
peer-as 2087403078;
neighbor 172.27.0.62;
}
[edit]
lab@R3# commit and-quit
commit complete
Exiting configuration mode
lab@R3>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set routing-options static route 202.202.0.1/32 next-hop 172.27.0.50
[edit]
lab@R5# set routing-options static route 202.202.0.1/32 next-hop 172.27.0.74
[edit]
lab@R5# show routing-options
static {
route 202.202.0.1/32 next-hop [ 172.27.0.50 172.27.0.74 ];
}
[edit]
lab@R5# set protocols bgp group C2 type external
[edit]
lab@R5# set protocols bgp group C2 multihop
[edit]
lab@R5# set protocols bgp group C2 local-address 172.27.255.5
[edit]
lab@R5# set protocols bgp group C2 peer-as 65512
[edit]
lab@R5# set protocols bgp group C2 neighbor 202.202.0.1
[edit]
lab@R5# show protocols bgp
group cluster-1 {
type internal;
local-address 172.27.255.5;
authentication-key "$9$xfz-b2ZUH5Qn4aQn/CB17-V"; ## SECRET-DATA
neighbor 172.27.255.3;
neighbor 172.27.255.4;
}
group C2 {
type external;
multihop;
local-address 172.27.255.5;
peer-as 65512;
neighbor 202.202.0.1;
}
[edit]
lab@R5# commit and-quit
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Verify that EBGP sessions are established successfully. You should also verify that
the routes received from the C2 neighbor at the R5 router shows two physical next
hops.
• R1:
lab@R1> show bgp summary
Groups: 3 Peers: 4 Down peers: 0
• R2:
lab@R2> show bgp summary
Groups: 2 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1745 871 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.38 1342930876 576 95 0 0 42:45 11/
861/861/0 0/0/0/0
172.27.0.66 1342930876 504 96 0 0 42:49
860/860/860/0 0/0/0/0
172.27.255.3 3895077211 153 576 0 0 1:07:47 0/
24/24/0 0/0/0/0
172.27.255.4 3895077211 145 568 0 0 1:05:04 0/
0/0/0 0/0/0/0
• R3:
lab@R3> show bgp summary
Groups: 3 Peers: 5 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1786 24 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.62 2087403078 89 90 0 0 39:57 24/
24/24/0 0/0/0/0
172.27.255.1 3895077211 639 155 0 0 1:09:00 0/
884/884/0 0/0/0/0
172.27.255.2 3895077211 578 157 0 0 1:09:09 0/
871/871/0 0/0/0/0
172.27.255.4 3895077211 148 150 0 0 1:06:10 0/
0/0/0 0/0/0/0
172.27.255.5 3895077211 146 146 0 0 1:04:46 0/
7/7/0 0/0/0/0
• R5:
lab@R5> show bgp summary
Groups: 2 Peers: 3 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 31 7 0 0 0 0
[edit]
lab@R2# set protocols bgp group T1-T2 multipath
[edit]
lab@R2# commit and-quit
commit complete
Exiting configuration mode
lab@R2>
[edit]
lab@R1# set protocols bgp group cluster-1 export nhs
[edit]
lab@R1# show protocols bgp group cluster-1
type internal;
local-address 172.27.255.1;
authentication-key "$9$v5P8xd24Zk.5bs.5QFAtM8X"; ## SECRET-DATA
export nhs;
neighbor 172.27.255.3;
neighbor 172.27.255.4;
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
• R2:
lab@R2> configure
Entering configuration mode
[edit]
lab@R2# edit policy-options policy-statement nhs
[edit]
lab@R2# set protocols bgp group cluster-1 export nhs
[edit]
lab@R2# show protocols bgp group cluster-1
type internal;
local-address 172.27.255.2;
authentication-key "$9$AMDcuBElK8db2cyb24aiHtuO"; ## SECRET-DATA
export nhs;
neighbor 172.27.255.3;
neighbor 172.27.255.4;
[edit]
lab@R2# commit and-quit
commit complete
Exiting configuration mode
lab@R2>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# edit policy-options policy-statement nhs
[edit]
lab@R3# set protocols bgp group cluster-1 export nhs
[edit]
lab@R3# show protocols bgp group cluster-1
type internal;
local-address 172.27.255.3;
authentication-key "$9$XeSNVYJGifT3goT369OBxNd"; ## SECRET-DATA
export nhs;
cluster 0.0.0.1;
neighbor 172.27.255.1;
neighbor 172.27.255.2;
neighbor 172.27.255.5;
[edit]
lab@R3# set protocols bgp group internal export nhs
[edit]
lab@R3# show protocols bgp group internal
type internal;
local-address 172.27.255.3;
authentication-key "$9$j9kmT69pRhrz3hrev7Nik."; ## SECRET-DATA
export nhs;
neighbor 172.27.255.4;
[edit]
lab@R3# commit and-quit
commit complete
Exiting configuration mode
lab@R3>
[edit]
lab@R5# edit policy-options policy-statement nhs
[edit]
lab@R5# set protocols bgp group cluster-1 export nhs
[edit]
lab@R5# show protocols bgp group cluster-1
type internal;
local-address 172.27.255.5;
authentication-key "$9$xfz-b2ZUH5Qn4aQn/CB17-V"; ## SECRET-DATA
export nhs;
neighbor 172.27.255.3;
neighbor 172.27.255.4;
[edit]
lab@R5# commit and-quit
commit complete
Exiting configuration mode
lab@R5>
• R2:
lab@R2> show route 202.202/24
• R3:
lab@R3> show route 111.111.1/24
• R4:
lab@R4> show route 111.111.1/24
• R5:
lab@R5> show route 111.111.1/24
TASK 7
Routers C1 and C3 belong to the same customer, which uses
IPv6 routing. Provide the communication between C1 and C3
over your AS. Both C1 and C3 routers must be able to
communicate with the Transit routers T1 and T2 using IPv6.
IPv6 packet forwarding in your AS is not permitted.
TASK INTERPRETATION
In this task, the IPv6 forwarding in your network is not allowed but communication
must be provided between C1, C3, T1, and T2. 6PE is the application that can be
used to solve the problem. 6PE requires the network running MPLS, which is
preconfigured in your topology. Your task now is to configure 6PE on the four PE
routers servicing the IPv6 topology.
TASK COMPLETION
Configure core-facing interfaces on R1, R2, R3, and R4 to support family inet6.
Configure AS-external interfaces on R1 and R2 to support family inet6 with
IPv4-compatible IPv6 addresses. Configure AS-external interfaces on R3 and R4 to
support family inet6 with IPv6 native addresses.
Configure IBGP on R1, R2, R3, R4 to support 6PE signaling. Configure EBGP on R1
and R2 to support family IPv6. Configure EBGP on R3 and R4 as native IPv6 BGP.
Configure MPLS on R1, R2, R3, R4 to support IPv6 tunneling.
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# edit interfaces
[edit interfaces]
lab@R1# set ge-0/0/2 unit 0 family inet6 address ::172.27.0.33/126
[edit interfaces]
lab@R1# set ge-0/0/3 unit 0 family inet6
[edit interfaces]
lab@R1# set ge-0/0/6 unit 0 family inet6
[edit interfaces]
lab@R1# set ae0 unit 0 family inet6
[edit interfaces]
lab@R1# show ge-0/0/2
description "Connection to T1";
[edit interfaces]
lab@R1# show ge-0/0/3
description "Connection to R2";
unit 0 {
family inet {
address 172.27.0.1/30;
}
family inet6;
family mpls;
}
[edit interfaces]
lab@R1# show ae0
description "Connection to R4";
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family inet {
address 172.27.0.10/30;
}
family inet6;
family mpls;
}
[edit interfaces]
lab@R1# top
[edit]
lab@R1# set protocols bgp group cluster-1 family inet unicast
[edit]
lab@R1# set protocols bgp group cluster-1 family inet6 labeled-unicast
explicit-null
[edit]
lab@R1# show protocols bgp group cluster-1
type internal;
local-address 172.27.255.1;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
}
authentication-key "$9$v5P8xd24Zk.5bs.5QFAtM8X"; ## SECRET-DATA
export nhs;
neighbor 172.27.255.3;
neighbor 172.27.255.4;
[edit]
lab@R1# set protocols bgp group T1 family inet unicast
[edit]
lab@R1# set protocols bgp group T1 family inet6 unicast
[edit]
lab@R1# show protocols bgp group T1
type external;
family inet {
unicast;
}
family inet6 {
unicast;
}
peer-as 1342930876;
neighbor 172.27.0.34;
[edit]
lab@R1# set protocols mpls ipv6-tunneling
[edit]
lab@R1# show protocols mpls
ipv6-tunneling;
interface ge-0/0/3.0;
interface ge-0/0/6.0;
interface ae0.0;
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
[edit]
lab@R2# edit interfaces
[edit interfaces]
lab@R2# set ge-0/0/1 unit 0 family inet6
[edit interfaces]
lab@R2# set ge-0/0/2 unit 0 family inet6 address ::172.27.0.37/126
[edit interfaces]
lab@R2# set ge-0/0/3 unit 0 family inet6 address ::172.27.0.65/126
[edit interfaces]
lab@R2# set ge-0/0/4 unit 0 family inet6
[edit interfaces]
lab@R2# show ge-0/0/1
description "Connection to R1";
unit 0 {
family inet {
address 172.27.0.2/30;
}
family inet6;
family mpls;
}
[edit interfaces]
lab@R2# show ge-0/0/2
description "Connection to T2";
unit 0 {
family inet {
address 172.27.0.37/30;
}
family inet6 {
address ::172.27.0.37/126;
}
}
[edit interfaces]
lab@R2# show ge-0/0/3
description "Connection to T1";
unit 0 {
family inet {
address 172.27.0.65/30;
}
family inet6 {
address ::172.27.0.65/126;
}
}
[edit interfaces]
lab@R2# top
[edit]
lab@R2# set protocols bgp group cluster-1 family inet unicast
[edit]
lab@R2# set protocols bgp group cluster-1 family inet6 labeled-unicast
explicit-null
[edit]
lab@R2# show protocols bgp group cluster-1
type internal;
local-address 172.27.255.2;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
}
authentication-key "$9$AMDcuBElK8db2cyb24aiHtuO"; ## SECRET-DATA
export nhs;
neighbor 172.27.255.3;
neighbor 172.27.255.4;
[edit]
lab@R2# set protocols bgp group T1-T2 family inet unicast
[edit]
lab@R2# set protocols bgp group T1-T2 family inet6 unicast
[edit]
lab@R2# show protocols bgp group T1-T2
type external;
family inet {
unicast;
}
family inet6 {
unicast;
}
peer-as 1342930876;
multipath;
[edit]
lab@R2# set protocols mpls ipv6-tunneling
[edit]
lab@R2# show protocols mpls
ipv6-tunneling;
interface ge-0/0/1.0;
interface ge-0/0/4.0;
[edit]
lab@R2# commit and-quit
commit complete
Exiting configuration mode
lab@R2>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# edit interfaces
[edit interfaces]
lab@R3# set ge-0/0/1 unit 0 family inet6
[edit interfaces]
lab@R3# set ge-0/0/2 unit 0 family inet6
[edit interfaces]
lab@R3# set ge-0/0/3 unit 0 family inet6
[edit interfaces]
lab@R3# set ge-0/0/4 unit 0 family inet6 address 2008:4498::1/64
[edit interfaces]
lab@R3# show ge-0/0/1
description "Connection to R1";
unit 0 {
family inet {
address 172.27.0.13/30;
}
family inet6;
family mpls;
}
[edit interfaces]
lab@R3# show ge-0/0/2
description "Connection to R4";
unit 0 {
[edit interfaces]
lab@R3# show ge-0/0/3
description "Connection to R5";
unit 0 {
family inet {
address 172.27.0.26/30;
}
family inet6;
family mpls;
}
[edit interfaces]
lab@R3# show ge-0/0/4
description "Connection to C1";
unit 0 {
family inet6 {
address 2008:4498::1/64;
}
}
[edit interfaces]
lab@R3# top
[edit]
lab@R3# set protocols bgp group cluster-1 family inet unicast
[edit]
lab@R3# set protocols bgp group cluster-1 family inet6 labeled-unicast
explicit-null
[edit]
lab@R3# show protocols bgp group cluster-1
type internal;
local-address 172.27.255.3;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
}
authentication-key "$9$XeSNVYJGifT3goT369OBxNd"; ## SECRET-DATA
export nhs;
cluster 0.0.0.1;
neighbor 172.27.255.1;
neighbor 172.27.255.2;
neighbor 172.27.255.5;
[edit]
lab@R3# set protocols bgp group internal family inet unicast
[edit]
lab@R3# set protocols bgp group internal family inet6 labeled-unicast
explicit-null
[edit]
lab@R3# show protocols bgp group internal
type internal;
local-address 172.27.255.3;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
}
authentication-key "$9$j9kmT69pRhrz3hrev7Nik."; ## SECRET-DATA
export nhs;
neighbor 172.27.255.4;
[edit]
lab@R3# set protocols bgp group C1 type external
[edit]
lab@R3# set protocols bgp group C1 peer-as 65432
[edit]
lab@R3# set protocols bgp group C1 as-override
[edit]
lab@R3# set protocols bgp group C1 neighbor 2008:4498::2
[edit]
lab@R3# show protocols bgp group C1
type external;
peer-as 65432;
as-override;
neighbor 2008:4498::2;
[edit]
lab@R3# set protocols mpls ipv6-tunneling
[edit]
lab@R3# show protocols mpls
ipv6-tunneling;
interface ge-0/0/1.0;
interface ge-0/0/2.0;
interface ge-0/0/3.0;
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# edit interfaces
[edit interfaces]
lab@R4# set ge-0/0/1 unit 0 family inet6
[edit interfaces]
lab@R4# set ge-0/0/2 unit 0 family inet6 address 2008:4498:0:1::1/64
[edit interfaces]
lab@R4# set ge-0/0/4 unit 0 family inet6
[edit interfaces]
lab@R4# set ge-0/0/5 unit 0 family inet6
[edit interfaces]
lab@R4# set ae0 unit 0 family inet6
[edit interfaces]
lab@R4# show ge-0/0/1
description "Connection to R2";
unit 0 {
family inet {
address 172.27.0.6/30;
}
family inet6;
family mpls;
}
[edit interfaces]
lab@R4# show ge-0/0/2
description "Connection to C3";
unit 0 {
family inet6 {
address 2008:4498:0:1::1/64;
}
}
[edit interfaces]
lab@R4# show ge-0/0/4
description "Connection to R5";
unit 0 {
[edit interfaces]
lab@R4# show ge-0/0/5
description "Connection to R3";
unit 0 {
family inet {
address 172.27.0.18/30;
}
family inet6;
family mpls;
}
[edit interfaces]
lab@R4# show ae0
description "Connection to R1";
aggregated-ether-options {
lacp {
passive;
}
}
unit 0 {
family inet {
address 172.27.0.9/30;
}
family inet6;
family mpls;
}
[edit interfaces]
lab@R4# top
[edit]
lab@R4# set protocols bgp group cluster-1 family inet unicast
[edit]
lab@R4# set protocols bgp group cluster-1 family inet6 labeled-unicast
explicit-null
[edit]
lab@R4# show protocols bgp group cluster-1
type internal;
local-address 172.27.255.4;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
[edit]
lab@R4# set protocols bgp group internal family inet unicast
[edit]
lab@R4# set protocols bgp group internal family inet6 labeled-unicast
explicit-null
[edit]
lab@R4# show protocols bgp group internal
type internal;
local-address 172.27.255.4;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
}
authentication-key "$9$EFaSlM7-waZj8XZjHqQzhSr"; ## SECRET-DATA
neighbor 172.27.255.3;
[edit]
lab@R4# set protocols bgp group C3 type external
[edit]
lab@R4# set protocols bgp group C3 peer-as 65432
[edit]
lab@R4# set protocols bgp group C3 as-override
[edit]
lab@R4# set protocols bgp group C3 neighbor 2008:4498:0:1::2
[edit]
lab@R4# show protocols bgp group C3
type external;
peer-as 65432;
as-override;
neighbor 2008:4498:0:1::2;
[edit]
lab@R4# set protocols mpls ipv6-tunneling
[edit]
lab@R4# show protocols mpls
ipv6-tunneling;
interface ge-0/0/1.0;
[edit]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
TASK VERIFICATION
Verify that BGP sessions with family inet6 support are established successfully.
Verify that IPv4-mapped IPv6 loopback addresses are reachable in inet6.3 table.
Verify that R1, R2, R3, and R4 exchange with IPv6 routes.
• R1:
lab@R1> show bgp summary
Groups: 3 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 930 895 0 0 0 0
inet6.0 65 33 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.30 2087403078 455 1393 0 0 3:27:21 24/
24/24/0 0/0/0/0
172.27.0.34 1342930876 583 177 0 0 1:17:52
Establ
inet.0: 860/860/860/0
inet6.0: 1/1/1/0
172.27.255.3 3895077211 84 491 0 1 34:26
Establ
inet.0: 11/35/35/0
inet6.0: 16/32/32/0
172.27.255.4 3895077211 46 455 0 1 18:07
Establ
inet.0: 0/11/11/0
inet6.0: 16/32/32/0
::ffff:172.27.255.2/128
*[LDP/20] 01:19:19, metric 10
> to 172.27.0.2 via ge-0/0/3.0
::ffff:172.27.255.3/128
*[LDP/20] 01:19:19, metric 10
> to 172.27.0.13 via ge-0/0/6.0
• R2:
lab@R2> show bgp summary
Groups: 2 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 3489 1745 0 0 0 0
inet6.0 68 34 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.38 1342930876 615 137 0 0 59:31
Establ
inet.0: 861/861/861/0
inet6.0: 1/1/1/0
172.27.0.66 1342930876 543 137 0 0 59:34
Establ
inet.0: 860/860/860/0
inet6.0: 1/1/1/0
172.27.255.3 3895077211 517 512 0 1 44:55
Establ
inet.0: 0/884/884/0
inet6.0: 16/33/33/0
::ffff:172.27.255.1/128
*[LDP/20] 01:00:08, metric 10
> to 172.27.0.1 via ge-0/0/1.0
::ffff:172.27.255.3/128
*[LDP/20] 01:00:08, metric 20
to 172.27.0.6 via ge-0/0/4.0, Push 299792
> to 172.27.0.1 via ge-0/0/1.0, Push 299808
::ffff:172.27.255.4/128
*[LDP/20] 01:00:08, metric 10
> to 172.27.0.6 via ge-0/0/4.0
::ffff:172.27.255.5/128
*[LDP/20] 01:00:08, metric 20
> to 172.27.0.6 via ge-0/0/4.0, Push 299776
• R3:
lab@R3> show bgp summary
Groups: 4 Peers: 6 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1786 895 0 0 0 0
inet6.0 34 33 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.62 2087403078 470 1423 0 0 3:35:12 24/
24/24/0 0/0/0/0
172.27.255.1 3895077211 527 119 0 0 50:49
Establ
inet.0: 860/884/884/0
inet6.0: 1/1/1/0
172.27.255.2 3895077211 525 529 0 0 50:45
Establ
inet.0: 11/871/871/0
inet6.0: 0/1/1/0
172.27.255.4 3895077211 550 548 0 1 34:18
Establ
inet.0: 0/0/0/0
inet6.0: 16/16/16/0
172.27.255.5 3895077211 113 527 0 0 50:41
Establ
inet.0: 0/7/7/0
2008:4498::2 65432 112 116 0 0 50:33
Establ
inet6.0: 16/16/16/0
::ffff:172.27.255.1/128
*[LDP/20] 00:51:15, metric 10
> to 172.27.0.14 via ge-0/0/1.0
::ffff:172.27.255.2/128
*[LDP/20] 00:51:15, metric 20
> to 172.27.0.14 via ge-0/0/1.0, Push 299824
to 172.27.0.18 via ge-0/0/2.0, Push 299824
::ffff:172.27.255.4/128
*[LDP/20] 00:51:15, metric 10
> to 172.27.0.18 via ge-0/0/2.0
• R4:
lab@R4> show bgp summary
Groups: 3 Peers: 5 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1786 895 0 0 0 0
inet6.0 34 33 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.255.1 3895077211 499 89 0 0 37:58
Establ
inet.0: 884/884/884/0
inet6.0: 1/1/1/0
172.27.255.2 3895077211 497 501 0 0 37:54
Establ
inet.0: 11/871/871/0
inet6.0: 0/1/1/0
172.27.255.3 3895077211 555 556 0 0 37:46
Establ
inet.0: 0/24/24/0
inet6.0: 16/16/16/0
172.27.255.5 3895077211 85 499 0 0 37:50
Establ
inet.0: 0/7/7/0
2008:4498:0:1::2 65432 84 88 0 0 37:42
Establ
inet6.0: 16/16/16/0
::ffff:172.27.255.1/128
*[LDP/20] 00:38:23, metric 5
> to 172.27.0.10 via ae0.0
::ffff:172.27.255.2/128
*[LDP/20] 00:38:23, metric 10
> to 172.27.0.5 via ge-0/0/1.0
TASK 8
The direct IPv6 routes on C1-R3 and C3-R4 links must be
reachable from the Customer remote routers C3 and C1
respectively.
TASK INTERPRETATION
You must apply a redistribution policy at R3 and R4.
TASK COMPLETION
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# edit policy-options policy-statement IPv6-direct
[edit]
lab@R3# set protocols bgp group internal export IPv6-direct
[edit]
lab@R3# show protocols bgp group internal
type internal;
local-address 172.27.255.3;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
}
authentication-key "$9$j9kmT69pRhrz3hrev7Nik."; ## SECRET-DATA
export [ nhs IPv6-direct ];
neighbor 172.27.255.4;
[edit]
lab@R3# commit and-quit
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# edit policy-options policy-statement IPv6-direct
[edit]
lab@R4# set protocols bgp group internal export IPv6-direct
[edit]
lab@R4# show protocols bgp group internal
type internal;
local-address 172.27.255.4;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
}
authentication-key "$9$EFaSlM7-waZj8XZjHqQzhSr"; ## SECRET-DATA
export IPv6-direct;
neighbor 172.27.255.3;
[edit]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
TASK VERIFICATION
Verify that the redistribution policy is applied at R3 and R4.
• R3:
lab@R3> show route advertising-protocol bgp 2008:4498::2 2008:4498:0:1::/64
• R4:
lab@R4> show route advertising-protocol bgp 2008:4498:0:1::2 2008:4498::/64
TASK 9
Ensure that no more than 12 prefixes are accepted from
Customer routers C1 and C3. If this limit is exceeded the
router should generate the syslog message but the session
should remain active.
TASK INTERPRETATION
When prefix limit is configured in BGP, the default action is to generate the syslog
message, therefore you must configure only the limit, without specifying other
options.
TASK COMPLETION
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# set protocols bgp group C1 family inet6 unicast prefix-limit maximum 12
[edit]
lab@R3# show protocols bgp group C1
type external;
family inet6 {
unicast {
prefix-limit {
[edit]
lab@R3# commit and-quit
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set protocols bgp group C3 family inet6 unicast prefix-limit maximum 12
[edit]
lab@R4# show protocols bgp group C3
type external;
family inet6 {
unicast {
prefix-limit {
maximum 12;
}
}
}
peer-as 65432;
as-override;
neighbor 2008:4498:0:1::2;
[edit]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
TASK VERIFICATION
Verify that you have correctly configured the prefix limit.
• R3:
lab@R3> show log messages | match "Configured maximum"
Jun 29 07:48:51 R3 rpd[1078]: 2008:4498::2 (External AS 65432): Configured
maximum prefix-limit(12) exceeded for inet6-unicast nlri: 16
TASK 10
All BGP sessions state changes should be logged to syslog.
TASK INTERPRETATION
The task is fairly straight forward. You must configure the log-updown option
under the BGP protocol for every router.
TASK COMPLETION
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# set protocols bgp log-updown
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
• R2:
lab@R2> configure
Entering configuration mode
[edit]
lab@R2# set protocols bgp log-updown
[edit]
lab@R2# commit and-quit
commit complete
Exiting configuration mode
lab@R2>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# set protocols bgp log-updown
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set protocols bgp log-updown
[edit]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set protocols bgp log-updown
[edit]
lab@R5# commit and-quit
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Verify that all BGP sessions state changes are logged to syslog.
• R1:
lab@R1> clear bgp neighbor
Cleared 4 connections
Note
The next several steps are comprised of
policy tasks. To most efficiently implement
the BGP policy tasks, we will discuss each
policy task in a separate step, however, the
tasks will be completed together in a later
step.
TASK 11
Implement an inbound policy for the Transit routers that
prefers the inbound IPv4 traffic to come from the T1
router.
TASK INTERPRETATION
The prefixes advertised by R2 to T2 should look inferior to the ones advertised by R1
and R2 to T1. Routers to apply the policy: R2.
TASK 12
Implement an outbound policy for the Transit routers that
ensures the outbound IPv4 traffic exits your AS at the R2
router.
TASK INTERPRETATION
The prefixes received from T1 and T2 should be advertised to IBGP neighbors with
better preference by R2. Routers to apply the policy: R2.
TASK 13
Ensure that the traffic going to the destinations
advertised by the P router prefers R3 as the exit point.
TASK INTERPRETATION
The task is straightforward. Routers to apply the policy: R3.
TASK 14
Routes received from the P router should not be advertised
to T1 or T2 or vise-versa.
TASK INTERPRETATION
The task is straightforward. Routers to apply the policy: R1, R2, R3.
Note
The example solution provided in this
section is one of several possible
approaches. You can accomplish the task
by designing your policies in different way.
TASK COMPLETION
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# edit routing-options
[edit routing-options]
lab@R1# set rib inet6.0 aggregate route 2008:4498::/32
[edit routing-options]
lab@R1# set aggregate route 172.27.0.0/16
[edit routing-options]
lab@R1# show
rib inet6.0 {
aggregate {
route 2008:4498::/32;
}
}
aggregate {
route 172.27.0.0/16;
}
router-id 172.27.255.1;
autonomous-system 3895077211;
[edit routing-options]
lab@R1# top edit policy-options
[edit policy-options]
lab@R1# set community C2-routes members 7211:65512
[edit policy-options]
lab@R1# set community P-routes members 7211:1111
[edit policy-options]
lab@R1# set community T1-routes members 7211:2222
[edit policy-options]
lab@R1# set community T2-routes members 7211:3333
[edit policy-options]
lab@R1# edit policy-statement from-T1
[edit policy-options]
lab@R1# edit policy-statement to-T1
[edit policy-options]
lab@R1# edit policy-statement from-P
[edit policy-options]
lab@R1# edit policy-statement to-P
[edit]
lab@R1# set protocols bgp group T1 import from-T1
[edit]
lab@R1# set protocols bgp group T1 export to-T1
[edit]
lab@R1# set protocols bgp group P import from-P
[edit]
lab@R1# set protocols bgp group P export to-P
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
[edit]
lab@R2# edit routing-options
[edit routing-options]
lab@R2# set rib inet6.0 aggregate route 2008:4498::/32
[edit routing-options]
lab@R2# set aggregate route 172.27.0.0/16
[edit routing-options]
lab@R2# show
rib inet6.0 {
aggregate {
route 2008:4498::/32;
}
}
aggregate {
route 172.27.0.0/16;
}
router-id 172.27.255.2;
autonomous-system 3895077211;
[edit routing-options]
lab@R2# top edit policy-options
[edit policy-options]
lab@R2# set community C2-routes members 7211:65512
[edit policy-options]
lab@R2# set community P-routes members 7211:1111
[edit policy-options]
lab@R2# set community T1-routes members 7211:2222
[edit policy-options]
lab@R2# set community T2-routes members 7211:3333
[edit policy-options]
lab@R2# edit policy-statement from-T1
[edit policy-options]
lab@R2# edit policy-statement to-T1
[edit policy-options]
lab@R2# edit policy-statement from-T2
[edit policy-options]
lab@R2# edit policy-statement to-T2
[edit]
lab@R2# set protocols bgp group T1-T2 neighbor 172.27.0.66 import from-T1
[edit]
lab@R2# set protocols bgp group T1-T2 neighbor 172.27.0.66 export to-T1
[edit]
lab@R2# set protocols bgp group T1-T2 neighbor 172.27.0.38 import from-T2
[edit]
lab@R2# commit and-quit
commit complete
Exiting configuration mode
lab@R2>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# edit routing-options
[edit routing-options]
lab@R3# set aggregate route 172.27.0.0/16
[edit routing-options]
lab@R3# show
aggregate {
route 172.27.0.0/16;
}
router-id 172.27.255.3;
autonomous-system 3895077211;
[edit routing-options]
lab@R3# top edit policy-options
[edit policy-options]
lab@R3# set community C2-routes members 7211:65512
[edit policy-options]
lab@R3# set community P-routes members 7211:1111
[edit policy-options]
lab@R3# set community T1-routes members 7211:2222
[edit policy-options]
lab@R3# set community T2-routes members 7211:3333
[edit policy-options]
lab@R3# edit policy-statement from-P
[edit policy-options]
lab@R3# edit policy-statement to-P
[edit]
lab@R3# set protocols bgp group P import from-P
[edit]
lab@R3# set protocols bgp group P export to-P
[edit]
lab@R3# commit and-quit
commit complete
Exiting configuration mode
lab@R3>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# edit routing-options
[edit routing-options]
lab@R5# set aggregate route 172.27.0.0/16
[edit routing-options]
lab@R5# show
static {
route 202.202.0.1/32 next-hop [ 172.27.0.50 172.27.0.74 ];
}
aggregate {
route 172.27.0.0/16;
}
router-id 172.27.255.5;
autonomous-system 3895077211;
[edit routing-options]
lab@R5# top edit policy-options
[edit policy-options]
lab@R5# set community C2-routes members 7211:65512
[edit policy-options]
lab@R5# set community P-routes members 7211:1111
[edit policy-options]
lab@R5# set community T1-routes members 7211:2222
[edit policy-options]
lab@R5# set community T2-routes members 7211:3333
[edit policy-options]
lab@R5# edit policy-statement from-C2
[edit policy-options]
lab@R5# edit policy-statement to-C2
[edit]
lab@R5# set protocols bgp group C2 import from-C2
[edit]
lab@R5# set protocols bgp group C2 export to-C2
[edit]
lab@R5# commit and-quit
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Verify that all BGP policy tasks are correctly configured.
• R1:
lab@R1> show route advertising-protocol bgp 172.27.0.34 172.27.0.0/16
lab@R1> show route table inet.0 protocol bgp terse | match "(/2[5-9])|(/3[0-2])"
• R2:
lab@R2> show route advertising-protocol bgp 172.27.0.66 172.27.0.0/16
lab@R2> show route table inet.0 protocol bgp terse | match "(/2[5-9])|(/3[0-2])"
• R3:
lab@R3> show route advertising-protocol bgp 172.27.0.62 172.27.0.0/16
lab@R3> show route table inet.0 protocol bgp terse | match "(/2[5-9])|(/3[0-2])"
• R4:
lab@R4> show route 111.111.1/24
• R5:
lab@R5> show route advertising-protocol bgp 202.202.0.1 172.27.0.0/16
In this lab part, you will redesign the IBGP topology using a confederation network.
TASK 20
Migrate the existing IBGP network to Confederation. Route
Reflection is not permitted. No router in your AS may have
more than two IBGP and CBGP neighbors altogether. The
failure of a link or router in the network must not result
in any connectivity issues or isolation of routers.
[edit]
lab@R1# delete routing-options autonomous-system
[edit]
lab@R1# edit routing-options
[edit routing-options]
lab@R1# set autonomous-system 65000
[edit routing-options]
lab@R1# set confederation 3895077211
[edit routing-options]
lab@R1# set confederation members 65000
[edit routing-options]
lab@R1# set confederation members 65001
[edit routing-options]
lab@R1# set confederation members 65002
[edit routing-options]
lab@R1# show
rib inet6.0 {
aggregate {
route 2008:4498::/32;
}
}
aggregate {
route 172.27.0.0/16;
}
router-id 172.27.255.1;
autonomous-system 65000;
confederation 3895077211 members [ 65000 65001 65002 ];
[edit routing-options]
lab@R1# top
[edit]
lab@R1# delete protocols bgp group cluster-1
commit complete
Exiting configuration mode
lab@R1>
• R2:
lab@R2> configure
Entering configuration mode
[edit]
lab@R2# delete routing-options autonomous-system
[edit]
lab@R2# edit routing-options
[edit routing-options]
lab@R2# set confederation 3895077211
[edit routing-options]
lab@R2# set confederation members 65000
[edit routing-options]
lab@R2# set confederation members 65001
[edit routing-options]
lab@R2# set confederation members 65002
[edit routing-options]
lab@R2# show
rib inet6.0 {
aggregate {
route 2008:4498::/32;
}
}
aggregate {
route 172.27.0.0/16;
}
router-id 172.27.255.2;
autonomous-system 65001;
confederation 3895077211 members [ 65000 65001 65002 ];
[edit routing-options]
lab@R2# top
[edit]
lab@R2# delete protocols bgp group cluster-1
[edit]
lab@R2# edit protocols bgp group IBGP
commit complete
Exiting configuration mode
lab@R2>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# delete routing-options autonomous-system
[edit]
lab@R3# edit routing-options
[edit routing-options]
lab@R3# set autonomous-system 65000
[edit routing-options]
lab@R3# set confederation 3895077211
[edit routing-options]
lab@R3# set confederation members 65000
[edit routing-options]
lab@R3# set confederation members 65001
[edit routing-options]
lab@R3# set confederation members 65002
[edit routing-options]
lab@R3# show
[edit routing-options]
lab@R3# top
[edit]
lab@R3# delete protocols bgp group cluster-1
[edit]
lab@R3# delete protocols bgp group internal
[edit]
lab@R3# edit protocols bgp group IBGP
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# delete routing-options autonomous-system
[edit]
lab@R4# edit routing-options
[edit routing-options]
lab@R4# set autonomous-system 65001
[edit routing-options]
lab@R4# set confederation 3895077211
[edit routing-options]
lab@R4# set confederation members 65000
[edit routing-options]
lab@R4# set confederation members 65001
[edit routing-options]
lab@R4# show
router-id 172.27.255.4;
autonomous-system 65001;
confederation 3895077211 members [ 65000 65001 65002 ];
[edit routing-options]
lab@R4# top
[edit]
lab@R4# delete protocols bgp group cluster-1
[edit]
lab@R4# delete protocols bgp group internal
[edit]
lab@R4# edit protocols bgp group IBGP
commit complete
Exiting configuration mode
lab@R4>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# delete routing-options autonomous-system
[edit]
lab@R5# edit routing-options
[edit routing-options]
lab@R5# set autonomous-system 65002
[edit routing-options]
lab@R5# set confederation members 65000
[edit routing-options]
lab@R5# set confederation members 65001
[edit routing-options]
lab@R5# set confederation members 65002
[edit routing-options]
lab@R5# show
static {
route 202.202.0.1/32 next-hop [ 172.27.0.50 172.27.0.74 ];
}
aggregate {
route 172.27.0.0/16;
}
router-id 172.27.255.5;
autonomous-system 65002;
confederation 3895077211 members [ 65000 65001 65002 ];
[edit routing-options]
lab@R5# top
[edit]
lab@R5# set interfaces ge-0/0/1 unit 0 family inet6
[edit]
lab@R5# set interfaces ge-0/0/2 unit 0 family inet6
[edit]
lab@R5# set protocols mpls ipv6-tunneling
[edit]
lab@R5# delete protocols bgp group cluster-1
[edit]
lab@R5# edit protocols bgp group CBGP
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Verify that IBGP sessions are established successfully and the external routes are
active and reachable on all routers in your AS.
• R1:
lab@R1> show bgp summary
Groups: 4 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1773 889 0 0 0 0
inet6.0 36 35 0 0 0 0
• R2:
lab@R2> show bgp summary
Groups: 4 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1744 1734 0 0 0 0
inet6.0 38 36 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.38 1342930876 650 171 0 0 1:15:34
Establ
inet.0: 856/861/856/0
inet6.0: 1/1/1/0
172.27.0.66 1342930876 578 172 0 0 1:15:38
Establ
inet.0: 855/860/855/0
inet6.0: 1/1/1/0
172.27.255.1 65000 1012 643 0 0 1:15:33
Establ
inet.0: 23/23/23/0
inet6.0: 17/18/18/0
172.27.255.4 65001 80 551 0 0 33:14 Establ
inet.0: 0/0/0/0
inet6.0: 17/18/18/0
• R3:
lab@R3> show bgp summary
Groups: 4 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 897 889 0 0 0 0
inet6.0 34 34 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.62 2087403078 158 161 0 0 1:11:18 16/
24/23/0 0/0/0/0
172.27.255.1 65000 626 163 0 0 1:11:10
Establ
inet.0: 866/866/866/0
inet6.0: 18/18/18/0
172.27.255.5 65002 542 575 0 0 29:20
Establ
inet.0: 7/7/7/0
inet6.0: 0/0/0/0
2008:4498::2 65432 158 162 0 0 1:11:14
Establ
inet6.0: 16/16/16/0
• R4:
lab@R4> show bgp summary
Groups: 3 Peers: 3 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 912 889 0 0 0 0
inet6.0 52 34 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
• R5
lab@R5> show bgp summary
Groups: 2 Peers: 3 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1771 889 0 0 0 0
inet6.0 69 35 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.255.3 65000 701 708 0 0 1:44:42
Establ
inet.0: 882/882/882/0
inet6.0: 35/35/35/0
172.27.255.4 65001 707 648 0 0 1:44:33
Establ
inet.0: 0/882/882/0
inet6.0: 0/34/34/0
202.202.0.1 65512 699 699 0 0 1:44:51 7/
7/7/0 0/0/0/0
Overview
In this lab, you will have to troubleshoot a BGP network including IBGP, EBGP, and routing
policies according to the provided task list. You will have 1.5 hours to complete the lab.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions.
The initial lab setup is shown below:
• OSPF is the core IGP protocol. The OSPF domain is divided into two areas. R1
and R2 routers are located in Area 0, R5 router is in Area 1. R3 and R4 routers
are ABRs with links in both Area 0 and Area 1.
• LDP is configured as the core MPLS protocol on all routers in your AS.
• Your IBGP network is configured using route reflection design with one route
reflection cluster and two route reflectors: R3 and R4. All IBGP sessions use
the lo0.0 interface IP address.
• All IBGP sessions in your autonomous system are authenticated using MD5
authentication using the key juniper.
• BGP next-hop-self policy is used to resolve the BGP next hop for IPv4 prefixes
on all routers in your AS except for R4.
• EBGP over IPv4 sessions are configured to C2 Customer, Peer (P), and Transit
(T) neighbors. EBGP session to C2 is configured to load balance over the two
links that connect R5 and C2 using only one BGP session.
• EBGP over IPv6 sessions are configured to C1 and C3 routers. The
communication among C1, C3, and the Transit routers T1 and T2 is provided
using 6PE technology.
• The R3 and R4 are configured with prefix limit with maximum 12 prefixes
allowed from customer routers C1 and C3. If this limit is exceeded, the routers
should generate the syslog message but the sessions should remain active.
In this lab part, you will troubleshoot and repair the BGP sessions using CLI
operational mode commands and then using CLI configuration mode to adjust the
BGP settings to ensure that all BGP sessions are operational and can convey routing
for the required address families.
Note
We recommend that you to carefully
examine the initial setup checklist before
you start troubleshooting.
login: ops
Password:
login: ops
Password:
login: ops
Password:
login: ops
Password:
login: ops
Password:
login: lab
Password:
• R2:
R2 (ttyd0)
login: lab
Password:
login: lab
Password:
• R4:
R4 (ttyd0)
login: lab
Password:
• R5:
R5 (ttyd0)
login: lab
Password:
[edit]
lab@R1# set protocols bgp group IBGP authentication-key juniper
[edit]
lab@R1# commit
commit complete
[edit]
lab@R1# run show bgp summary
Groups: 3 Peers: 4 Down peers: 0
[edit]
lab@R2# set protocols ospf area 0 interface lo0.0
[edit]
lab@R2# commit
commit complete
[edit]
lab@R2# run show bgp summary
Groups: 3 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 3478 1735 0 0 0 0
inet6.0 2 1 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.38 1342930876 1155 682 0 0 5:05:58
856/861/856/0 0/0/0/0
172.27.0.66 1342930876 1154 682 0 0 5:05:54
855/860/855/0 0/0/0/0
172.27.255.3 3895077211 416 481 0 0 58
Establ
inet.0: 1/879/879/0
inet6.0: 1/1/1/0
172.27.255.4 3895077211 413 410 0 0 6
Establ
[edit]
lab@R2# run show bgp neighbor 172.27.0.38
Peer: 172.27.0.38+51554 AS 1342930876 Local: 172.27.0.37+179 AS 3895077211
Type: External State: Established Flags: <Sync>
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Export: [ to-T2 ] Import: [ from-T2 ]
Options: <Preference LogUpDown PeerAS Multipath Refresh>
Holdtime: 90 Preference: 170
Number of flaps: 0
edit]
lab@R2# show protocols bgp group T1-T2
type external;
peer-as 1342930876;
multipath;
neighbor 172.27.0.66 {
import from-T1;
export to-T1;
}
neighbor 172.27.0.38 {
import from-T2;
export to-T2;
}
[edit]
lab@R2# set protocols bgp group T1-T2 family inet unicast
[edit]
lab@R2# set protocols bgp group T1-T2 family inet6 unicast
[edit]
lab@R2# commit
commit complete
[edit]
lab@R3# set protocols bgp group Clients neighbor 172.27.255.4
[edit]
lab@R3# set protocols bgp group C1 traceoptions file bgp-trace.log
[edit]
lab@R3# set protocols bgp group C1 traceoptions flag open detail
[edit]
lab@R3# run show log bgp-trace.log
Jul 29 05:28:34 trace_on: Tracing to "/var/log/bgp-trace.log" started
Jul 29 05:30:23.428658 advertising receiving-speaker only capability to
neighbor 2008:4498::2 (External AS 65432)
Jul 29 05:30:23.428743 bgp_send: sending 59 bytes to 2008:4498::2 (External AS
65432)
Jul 29 05:30:23.428772
Jul 29 05:30:23.428772 BGP SEND 2008:4498::1+64511 -> 2008:4498::2+179
Jul 29 05:30:23.428800 BGP SEND message type 1 (Open) length 59
Jul 29 05:30:23.428827 BGP SEND version 4 as 23456 holdtime 90 id 172.27.255.3
parmlen 30
Jul 29 05:30:23.428851 BGP SEND MP capability AFI=2, SAFI=1
Jul 29 05:30:23.428874 BGP SEND Refresh capability, code=128
Jul 29 05:30:23.428898 BGP SEND Refresh capability, code=2
Jul 29 05:30:23.428924 BGP SEND Restart capability, code=64, time=120, flags=
Jul 29 05:30:23.430615 BGP SEND 4 Byte AS-Path capability (65), as_num
3895077211
Jul 29 05:30:23.434276 advertising receiving-speaker only capability to
neighbor 2008:4498::2 (External AS 65432)
Jul 29 05:30:23.437365
Jul 29 05:30:23.437365 BGP RECV 2008:4498::2+179 -> 2008:4498::1+64511
Jul 29 05:30:23.437425 BGP RECV message type 1 (Open) length 59
Jul 29 05:30:23.437451 BGP RECV version 4 as 65422 holdtime 90 id 201.201.0.1
parmlen 30
Jul 29 05:30:23.437475 BGP RECV MP capability AFI=2, SAFI=1
Jul 29 05:30:23.437498 BGP RECV Refresh capability, code=128
Jul 29 05:30:23.437522 BGP RECV Refresh capability, code=2
Jul 29 05:30:23.437546 BGP RECV Restart capability, code=64, time=120, flags=
Jul 29 05:30:23.437570 BGP RECV 4 Byte AS-Path capability (65), as_num 65422
Jul 29 05:30:23.437636 bgp_process_open:2691: NOTIFICATION sent to 2008:4498::2
(External AS 65432): code 2 (Open Message Error) subcode 2 (bad peer AS
number), Reason: peer 2008:4498::2 (External AS 65432) claims 65422, 65432
configured
Jul 29 05:30:23.437662 bgp_send: sending 21 bytes to 2008:4498::2 (External AS
65432)
Jul 29 05:30:23.437689
Jul 29 05:30:23.437689 BGP SEND 2008:4498::1+64511 -> 2008:4498::2+179
Jul 29 05:30:23.437715 BGP SEND message type 3 (Notification) length 21
Jul 29 05:30:23.437739 BGP SEND Notification code 2 (Open Message Error) subcode
2 (bad peer AS number)
The output shows that the remote peer (C1) has incorrectly configured AS 65422.
You cannot change the EBGP peer configuration, hence you must change the R3
peer-as setting.
[edit]
lab@R3# set protocols bgp group C1 peer-as 65422
[edit]
lab@R3# commit
commit complete
[edit]
lab@R3# run show bgp summary
Groups: 3 Peers: 6 Down peers: 2
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1768 890 0 0 0 0
inet6.0 18 17 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.62 2087403078 733 1231 0 0 5:32:31 24/
24/24/0 0/0/0/0
172.27.255.1 3895077211 583 111 0 0 45:59
Establ
inet.0: 855/878/878/0
inet6.0: 1/1/1/0
172.27.255.2 3895077211 994 475 0 0 27:31
Establ
inet.0: 11/866/866/0
inet6.0: 0/1/1/0
172.27.255.4 3895077211 0 0 0 0 9:14
Active
172.27.255.5 3895077211 0 0 0 0 5:50:16
Connect
2008:4498::2 65422 7 9 0 0 2:08 Establ
inet6.0: 16/16/16/0
The output shows that all sessions except for R4 (172.27.255.4) and R5
(172.27.255.5) are established successfully and the peers negotiated the required
address families.
• R4:
Synopsis: The source of peering problems:
– R1 is authentication key mismatch;
– R2 is bidirectional IGP reachability. R2 loopback address is not
known in OSPF;
– R3 is absence of IBGP session configured;
– R5 is bidirectional IGP reachability, most probably incorrect routing
configuration on R5;
– C3 is misconfigured BGP prefix limit action.
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set protocols bgp group Clients neighbor 172.27.255.3
[edit]
lab@R4# delete protocols bgp group C3 family inet6 unicast prefix-limit teardown
[edit]
lab@R4# commit
commit complete
[edit]
lab@R4# run show bgp summary
Groups: 2 Peers: 5 Down peers: 1
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1768 890 0 0 0 0
inet6.0 34 33 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.255.1 3895077211 554 150 0 0 1:03:34
Establ
inet.0: 878/878/878/0
inet6.0: 1/1/1/0
172.27.255.2 3895077211 965 514 0 0 44:28
Establ
inet.0: 11/866/866/0
inet6.0: 0/1/1/0
172.27.255.3 3895077211 420 420 0 0 2:31
Establ
inet.0: 1/24/24/0
inet6.0: 16/16/16/0
172.27.255.5 3895077211 0 0 0 0 5:57:10
Connect
2008:4498:0:1::2 65432 8 11 0 0 2:27
Establ
inet6.0: 16/16/16/0
The output shows that all sessions except for R5 (172.27.255.5) are established
successfully and the peers negotiated the required address families.
• R5:
Synopsis: The source of peering problems:
– R3 is incorrectly configured routing;
– R4 is incorrectly configured routing;
– C2 is misconfigured BGP parameters.
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set protocols bgp group C2 traceoptions file bgp-trace.log
[edit]
lab@R5# set protocols bgp group C2 traceoptions flag all detail
[edit]
lab@R5# delete routing-options aggregate route 172.27.0.0/16
[edit]
lab@R5# commit
commit complete
[edit]
lab@R5# run show log bgp-trace.log
[edit]
lab@R5# commit
commit complete
[edit]
lab@R5# run show bgp summary
Groups: 2 Peers: 3 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1787 890 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.255.3 3895077211 433 23 0 0 9:14
867/890/890/0 0/0/0/0
172.27.255.4 3895077211 434 24 0 0 9:21 16/
890/890/0 0/0/0/0
202.202.0.1 65512 519 515 0 0 1:36 7/
7/7/0 0/0/0/0
The output shows that all sessions are established successfully and the peers
negotiated the required address families.
TASK 5
All Peer (P), Transit provider (T1, T2) and C2 IPv4
prefixes, except of the prefixes with mask shorter than /8
or longer than /24, must be active and reachable on all
routers in your AS.
inet.0: 917 destinations, 3481 routes (912 active, 0 holddown, 1700 hidden)
+ = Active Route, - = Last Active, * = Both
inet.0: 917 destinations, 3481 routes (912 active, 0 holddown, 1700 hidden)
+ = Active Route, - = Last Active, * = Both
inet.0: 917 destinations, 3481 routes (912 active, 0 holddown, 1700 hidden)
+ = Active Route, - = Last Active, * = Both
inet.0: 917 destinations, 2636 routes (912 active, 0 holddown, 1700 hidden)
Prefix Nexthop MED Lclpref AS path
* 35.0.0.0/8 172.27.0.34 100 1342930876 8918
237 I
The output shows that the route 35/8 is received from R3 with the original BGP next
hop 172.27.0.34. The problem is related to next-hop-self policy on R1.
lab@R2> show route 172.27.0.34
inet.0: 917 destinations, 2636 routes (912 active, 0 holddown, 1700 hidden)
+ = Active Route, - = Last Active, * = Both
inet.0: 917 destinations, 3481 routes (912 active, 0 holddown, 1700 hidden)
Prefix Nexthop MED Lclpref AS path
* 35.0.0.0/8 172.27.255.4 100 1342930876 8918
237 I
The output shows another problem with BGP next hop. The 35/8 route is received
from R4 with BGP next hop set to R4 loopback address. This output indicates that
R4 incorrectly changes next hop to self for certain prefixes.
lab@R2> show route protocol bgp terse | match "(/2[5-9])|(/3[0-2])"
* 150.150.13.0/25 B 170 100 172.27.0.1 2087403078 I
inet.0: 917 destinations, 2636 routes (912 active, 0 holddown, 1700 hidden)
150.150.13.0/25 (2 entries, 1 announced)
*BGP Preference: 170/-101
Next hop type: Indirect
Next-hop reference count: 96
Source: 172.27.255.3
Next hop type: Router, Next hop index: 262142
Next hop: 172.27.0.1 via ge-0/0/1.0
Next hop: 172.27.0.6 via ge-0/0/4.0, selected
Protocol next hop: 172.27.255.3
Indirect next hop: 90f20f0 262143
State: <Active Int Ext>
Local AS: 3895077211 Peer AS: 3895077211
inet.0: 917 destinations, 2636 routes (912 active, 0 holddown, 1700 hidden)
+ = Active Route, - = Last Active, * = Both
inet.0: 909 destinations, 949 routes (64 active, 0 holddown, 878 hidden)
+ = Active Route, - = Last Active, * = Both
inet.0: 909 destinations, 949 routes (64 active, 0 holddown, 878 hidden)
+ = Active Route, - = Last Active, * = Both
inet.0: 909 destinations, 949 routes (64 active, 0 holddown, 878 hidden)
inet.0: 909 destinations, 949 routes (64 active, 0 holddown, 878 hidden)
+ = Active Route, - = Last Active, * = Both
inet.0: 909 destinations, 949 routes (64 active, 0 holddown, 878 hidden)
+ = Active Route, - = Last Active, * = Both
inet.0: 909 destinations, 949 routes (64 active, 0 holddown, 878 hidden)
+ = Active Route, - = Last Active, * = Both
[edit]
lab@R1# set policy-options policy-statement NHS term 1 from protocol bgp
[edit]
lab@R1# set policy-options policy-statement NHS term 1 from route-type external
[edit]
lab@R1# set policy-options policy-statement NHS term 1 then next-hop self
[edit]
lab@R1# set protocols bgp group IBGP export NHS
[edit]
lab@R1# commit
commit complete
[edit]
lab@R1# run show route advertising-protocol bgp 172.27.255.3 35/8
[edit]
lab@R1# run show route advertising-protocol bgp 172.27.255.4 35/8
[edit]
lab@R1# run show route advertising-protocol bgp 172.27.0.34 172.27/16
[edit]
lab@R1# set policy-options policy-statement to-T1 term 3 from rib inet6.0
[edit]
lab@R1# set policy-options policy-statement to-T1 term 3 from route-filter
2008:4498::/32 longer
[edit]
lab@R1# set policy-options policy-statement to-T1 term 3 then reject
[edit]
lab@R1# commit
commit complete
[edit]
lab@R1# run show route advertising-protocol bgp 172.27.0.34 table inet6.0
[edit]
lab@R2# show policy-options policy-statement from-T1
term 1 {
from {
as-path AS1342930876;
route-filter 0.0.0.0/0 prefix-length-range /8-/24;
}
to rib inet.0;
then accept;
}
term 2 {
to rib inet6.0;
then accept;
}
term 3 {
then reject;
}
[edit]
lab@R2# show policy-options policy-statement from-T2
term 1 {
from {
as-path AS1342930876;
route-filter 0.0.0.0/0 prefix-length-range /8-/24;
}
to rib inet.0;
then accept;
}
term 2 {
to rib inet6.0;
then accept;
}
term 3 {
then reject;
}
[edit]
lab@R2# delete policy-options policy-statement from-T1 term 1 from as-path
[edit]
lab@R2# delete policy-options policy-statement from-T1 term 1 from as-path
[edit]
lab@R2# commit
commit complete
[edit]
lab@R2# run show route hidden terse
[edit]
lab@R2# run show route advertising-protocol bgp 172.27.255.3 35/8
[edit]
lab@R2# run show route advertising-protocol bgp 172.27.255.4 35/8
[edit]
lab@R2# run show route advertising-protocol bgp 172.27.0.38 172.27/16
[edit]
lab@R2# run show route advertising-protocol bgp 172.27.0.38 table inet6.0
[edit]
lab@R3# show protocols bgp group P
type external;
export to-P;
peer-as 2087403078;
neighbor 172.27.0.62;
[edit]
lab@R3# set policy-options policy-statement from-P term 1 from protocol bgp
[edit]
lab@R3# set policy-options policy-statement from-P term 1 from route-filter
0.0.0.0/0 prefix-length-range /8-/24
[edit]
lab@R3# set policy-options policy-statement from-P term 1 then accept
[edit]
lab@R3# set policy-options policy-statement from-P term 2 then reject
[edit]
lab@R3# show policy-options policy-statement from-P
term 1 {
from {
protocol bgp;
route-filter 0.0.0.0/0 prefix-length-range /8-/24;
}
then accept;
}
term 2 {
then reject;
}
[edit]
lab@R3# set protocols bgp group P import from-P
[edit]
lab@R3# commit
commit complete
[edit]
lab@R3# run show route protocol bgp terse | match "(/2[5-9])|(/3[0-2])"
[edit]
lab@R3# run show route hidden
[edit]
lab@R5# run show route advertising-protocol bgp 172.27.255.3 202.202/24
[edit]
lab@R5# run show route advertising-protocol bgp 172.27.255.4 202.202/24
[edit]
lab@R5# set policy-options policy-statement from-C2 term 1 then
local-preference 200
[edit]
lab@R5# show policy-options policy-statement from-C2
term 1 {
then {
local-preference 200;
}
}
[edit]
lab@R5# set protocols bgp group C2 import from-C2
[edit]
lab@R5# run show route advertising-protocol bgp 172.27.255.3 202.202/24
[edit]
lab@R5# run show route advertising-protocol bgp 172.27.255.4 202.202/24
[edit]
lab@R3# set policy-options policy-statement LOCAL-RANGE term 1 from
route-filter 172.27.0.0/16 exact
[edit]
lab@R3# set policy-options policy-statement LOCAL-RANGE term 1 then next-hop
172.27.0.26
[edit]
lab@R3# set policy-options policy-statement LOCAL-RANGE term 1 then accept
[edit]
lab@R3# show policy-options policy-statement LOCAL-RANGE
term 1 {
from {
protocol aggregate;
route-filter 172.27.0.0/16 exact;
}
[edit]
lab@R3# set protocols bgp group Clients neighbor 172.27.255.5 export NHS
[edit]
lab@R3# set protocols bgp group Clients neighbor 172.27.255.5 export LOCAL-RANGE
[edit]
lab@R3# show protocols bgp group Clients
type internal;
local-address 172.27.255.3;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
}
authentication-key "$9$H.fz9A0hSe36SevW-dk.P"; ## SECRET-DATA
export [ NHS IPv6-DIRECT ];
cluster 0.0.0.1;
neighbor 172.27.255.1;
neighbor 172.27.255.2;
neighbor 172.27.255.5 {
export [ NHS LOCAL-RANGE ];
}
neighbor 172.27.255.4;
[edit]
lab@R3# commit
commit complete
[edit]
lab@R3# run show route advertising-protocol bgp 172.27.255.5 172.27/16
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set routing-options aggregate route 172.27.0.0/16
[edit]
lab@R4# set policy-options policy-statement LOCAL-RANGE term 1 from
route-filter 172.27.0.0/16 exact
[edit]
lab@R4# set policy-options policy-statement LOCAL-RANGE term 1 then next-hop
172.27.0.21
[edit]
lab@R4# set policy-options policy-statement LOCAL-RANGE term 1 then accept
[edit]
lab@R4# show policy-options policy-statement LOCAL-RANGE
term 1 {
from {
protocol aggregate;
route-filter 172.27.0.0/16 exact;
}
then {
next-hop 172.27.0.21;
accept;
}
}
[edit]
lab@R4# set protocols bgp group Clients neighbor 172.27.255.5 export NHS
[edit]
lab@R4# set protocols bgp group Clients neighbor 172.27.255.5 export LOCAL-RANGE
[edit]
lab@R4# show protocols bgp group Clients
type internal;
local-address 172.27.255.4;
family inet {
unicast;
}
family inet6 {
labeled-unicast {
explicit-null;
}
}
authentication-key "$9$R01crvxNboJDWLJDikTQEcy"; ## SECRET-DATA
export [ NHS IPv6-DIRECT ];
cluster 0.0.0.1;
neighbor 172.27.255.1;
neighbor 172.27.255.2;
neighbor 172.27.255.5 {
export [ NHS LOCAL-RANGE ];
}
neighbor 172.27.255.3;
[edit]
lab@R4# commit
commit complete
[edit]
lab@R4# run show route advertising-protocol bgp 172.27.255.5 172.27/16
[edit]
lab@R4# delete protocols bgp group Clients neighbor 172.27.255.5 export NHS
[edit]
lab@R4# delete policy-options policy-statement NHS
[edit]
lab@R4# commit
commit complete
Now check that traffic to 150.150/24 destinations takes the optimal path at R2.
• R2:
lab@R2> traceroute 150.150.0.1
traceroute to 150.150.0.1 (150.150.0.1), 30 hops max, 40 byte packets
1 172.27.0.1 (172.27.0.1) 7.066 ms 6.874 ms 6.904 ms
2 150.150.0.1 (150.150.0.1) 7.875 ms 9.434 ms 9.811 ms
The output shows that the traffic takes the optimal path.
• R4:
[edit]
lab@R4# exit
Exiting configuration mode
Overview
In this lab, you will be given a list of tasks specific to implementing and troubleshooting
multicast which you will need to accomplish within a specific time frame. You will have
1 hour to complete the simulation.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions. You might
find more than one method for accomplishing each task.
By completing this lab, you will perform the following tasks:
• Configure all routers to participate in protocol independent multicast (PIM).
• Ensure that R1 and R2 are rendezvous points (RPs) for all groups in the PIM
domain. All routers should use the closest RP. You must use the virtual IP
address of 172.27.255.11. The RP configuration must support only IPv4.
• Group 224.2.2.2 is critical for Rec2, and they have requested that the
multicast traffic always use the same path to keep traffic loss to a minimum
(except in the event of a failure). You cannot use policy, and you cannot alter
routes in inet.0 to accomplish this task. One static route can be used if needed
to accomplish this task.
• Ensure that joins to source are load-balanced for groups sourced from S1.
In this lab part, you will log in to your assigned routers and ensure that you are
running the correct startup configuration file for this lab. Refer to the network
diagram for this lab for topological and configuration details. You will then configure
PIM. You must ensure the RP are configured within the guidelines defined by the
tasks in this lab.
Note
We recommend that you spend some time
investigating the current operation of your
routers. During the exam, you might be
given routers that are operating
inefficiently. Investigating operating issues
now might save you time troubleshooting
strange issues later.
INITIAL TASK
Access the CLI for your routers using either the console, Telnet, or SSH as directed
by your instructor. Refer to the management network diagram for the IP address
associated with your devices. Log in as user lab with the password lab123. Verify
OSPF is configured and neighborships are up, and that only the interfaces
connecting the routers have an OSPF neighborship.
TASK COMPLETION
• R1:
R1 (ttyd0)
login: lab
Password:
lab@R1>
• R2:
R2 (ttyd0)
login: lab
lab@R2>
• R3:
R3 (ttyd0)
login: lab
Password:
lab@R3>
• R4:
R4 (ttyd0)
login: lab
Password:
lab@R4>
• R5:
R5 (ttyd0)
login: lab
Password:
lab@R5>
TASK 1
Configure all routers to participate in PIM.
Note
We recommend that you include the
configuration steps for the second task
while you are configuring the first task. This
approach will save you some time and
effort as you move through the tasks of this
lab.
TASK 2
Ensure that R1 and R2 are RPs for all groups in the PIM
domain. All routers should use the closest RP. You must use
the virtual IP address of 172.27.255.11. The RP
configuration must only be able to support IPv4.
[edit]
lab@R1# set interfaces lo0 unit 0 family inet address 172.27.255.1/32 primary
[edit]
lab@R1# set interfaces lo0 unit 0 family inet address 172.27.255.11/32
[edit]
lab@R1# show interfaces lo0
unit 0 {
family inet {
address 172.27.255.1/32 {
primary;
}
address 172.27.255.11/32;
}
}
[edit]
lab@R1# set protocols msdp group anycast-rp local-address 172.27.255.1
[edit]
lab@R1# set protocols msdp group anycast-rp peer 172.27.255.2
[edit]
lab@R1# set protocols pim rp local address 172.27.255.11
[edit]
lab@R1# set protocols pim interface ge-0/0/0 disable
[edit]
lab@R1# show protocols
msdp {
group anycast-rp {
local-address 172.27.255.1;
peer 172.27.255.2;
}
}
...
pim {
rp {
local {
address 172.27.255.11;
}
}
interface all;
interface ge-0/0/0.0 {
disable;
}
}
[edit]
lab@R1# commit
commit complete
[edit]
lab@R1#
• R2:
lab@R2> configure
Entering configuration mode
[edit]
lab@R2# set interfaces lo0 unit 0 family inet address 172.27.255.2/32 primary
[edit]
lab@R2# set interfaces lo0 unit 0 family inet address 172.27.255.11/32
[edit]
lab@R2# show interfaces lo0
unit 0 {
family inet {
address 172.27.255.2/32 {
primary;
}
address 172.27.255.11/32;
}
}
[edit]
lab@R2# set protocols msdp group anycast-rp local-address 172.27.255.2
[edit]
lab@R2# set protocols msdp group anycast-rp peer 172.27.255.1
[edit]
lab@R2# set protocols pim rp local address 172.27.255.11
[edit]
lab@R2# set protocols pim interface all
[edit]
lab@R2# set protocols pim interface ge-0/0/0 disable
[edit]
lab@R2# show protocols
msdp {
group anycast-rp {
local-address 172.27.255.2;
peer 172.27.255.1;
}
}
...
pim {
rp {
local {
address 172.27.255.11;
}
}
interface all;
interface ge-0/0/0.0 {
disable;
}
}
[edit]
lab@R2# commit
commit complete
[edit]
lab@R2#
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# set protocols pim rp static address 172.27.255.11
[edit]
lab@R3# set protocols pim interface all
[edit]
lab@R3# show protocols pim
rp {
static {
address 172.27.255.11;
}
}
interface all;
interface ge-0/0/0.0 {
disable;
}
[edit]
lab@R3# commit
commit complete
[edit]
lab@R3#
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set protocols pim rp static address 172.27.255.11
[edit]
lab@R4# set protocols pim interface all
[edit]
lab@R4# set protocols pim interface ge-0/0/0 disable
[edit]
lab@R4# show protocols pim
rp {
static {
address 172.27.255.11;
}
}
interface all;
interface ge-0/0/0.0 {
disable;
}
[edit]
lab@R4# commit
commit complete
[edit]
lab@R5# set protocols pim rp static address 172.27.255.11
[edit]
lab@R5# set protocols pim interface all
[edit]
lab@R5# set protocols pim interface ge-0/0/0 disable
[edit]
lab@R5# show protocols pim
rp {
static {
address 172.27.255.11;
}
}
interface all;
interface ge-0/0/0.0 {
disable;
}
[edit]
lab@R5# commit
commit complete
[edit]
lab@R5#
TASK VERIFICATION
Begin your verification by reviewing the status of the RPs on R1 and R2. Verify that
R1 and R2 are local RPs and that they are the RPs for all groups.
• R1:
[edit]
lab@R1# exit
Exiting configuration mode
RP: 172.27.255.11
Learned via: static configuration
Time Active: 2d 12:44:52
Holdtime: 0
Device Index: 130
Subunit: 32769
www.juniper.net Multicast Implementation and Troubleshooting (Detailed) • Lab 8–9
JNCIE Service Provider Bootcamp
Interface: ppd0.32769
Group Ranges:
224.0.0.0/4
Anycast PIM local address used: 172.27.255.1
lab@R1>
• R2:
[edit]
lab@R2# exit
Exiting configuration mode
RP: 172.27.255.11
Learned via: static configuration
Time Active: 2d 12:34:33
Holdtime: 0
Device Index: 130
Subunit: 32769
Interface: ppd0.32769
Group Ranges:
224.0.0.0/4
Anycast PIM local address used: 172.27.255.2
lab@R2>
• R2:
lab@R2> show msdp
Peer address Local address State Last up/down Peer-Group SA Count
172.27.255.1 172.27.255.2 Established 2d 13:03:21 anycast-rp 2/2
Finally, you must verify that all other routers use the closest RP. View the status of
the RP on all other routers. Make sure that the active groups using the RP matches
the join to RP. Then check that the join to RP upstream neighbor matches the
shortest path to the RP..
• R3:
[edit]
lab@R3# exit
Exiting configuration mode
RP: 172.27.255.11
Learned via: static configuration
Time Active: 2d 13:08:19
Holdtime: 0
Device Index: 131
Subunit: 32769
Interface: ppe0.32769
Group Ranges:
224.0.0.0/4
Active groups using RP:
224.1.1.1
Group: 224.1.1.1
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/1.0
Upstream neighbor: 172.27.0.14
Upstream state: Join to RP
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.0.58 State: Join Flags: SRW Timeout: 156
Group: 224.1.1.1
Source: 172.27.0.30
Flags: sparse,spt
Upstream interface: ge-0/0/1.0
Upstream neighbor: 172.27.0.14
Upstream state: None, Join to Source
Keepalive timeout: 328
Downstream neighbors:
Interface: ge-0/0/3.0
172.27.0.25 State: Join Flags: S Timeout: 176
Interface: ge-0/0/4.0
172.27.0.58 State: Join Flags: S Timeout: 156
lab@R3>
• R4:
[edit]
lab@R4# exit
Exiting configuration mode
RP: 172.27.255.11
Learned via: static configuration
Time Active: 2d 13:21:14
Holdtime: 0
Device Index: 131
Subunit: 32769
Interface: ppe0.32769
Group Ranges:
224.0.0.0/4
Active groups using RP:
224.3.3.3
224.2.2.2
224.1.1.1
Group: 224.1.1.1
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ae0.0
Upstream neighbor: 172.27.0.10
Upstream state: Join to RP
Group: 224.1.1.1
Source: 172.27.0.30
Flags: sparse
Upstream interface: ae0.0
Upstream neighbor: 172.27.0.10
Upstream state: Prune to RP
Keepalive timeout:
Downstream neighbors:
Interface: ge-0/0/4.0 (pruned)
172.27.0.22 State: Prune Flags: SR Timeout: 161
Group: 224.2.2.2
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ae0.0
Upstream neighbor: 172.27.0.10
Upstream state: Join to RP
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.0.22 State: Join Flags: SRW Timeout: 150
Group: 224.2.2.2
Source: 172.27.0.38
Flags: sparse,spt
Upstream interface: ge-0/0/1.0
Upstream neighbor: 172.27.0.5
Upstream state: Join to Source, Prune to RP
Keepalive timeout: 344
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.0.22 State: Join Flags: S Timeout: 150
lab@R4>
RP: 172.27.255.11
Learned via: static configuration
Time Active: 2d 13:25:44
Holdtime: 0
Device Index: 131
Subunit: 32769
Interface: ppe0.32769
Group Ranges:
224.0.0.0/4
Active groups using RP:
224.3.3.3
224.2.2.2
224.1.1.1
Group: 224.1.1.1
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: Join to RP
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.4 State: Join Flags: SRW Timeout: 180
Group: 224.1.1.1
Source: 172.27.0.30
Flags: sparse,spt
Upstream interface: ge-0/0/1.0
Upstream neighbor: 172.27.0.26
Upstream state: Join to Source, Prune to RP
Keepalive timeout: 304
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.4 State: Join Flags: S Timeout: 180
Group: 224.2.2.2
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: Join to RP
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.2 State: Join Flags: SRW Timeout: 172
Group: 224.2.2.2
Source: 172.27.0.38
Flags: sparse,spt
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: None, Join to Source
Keepalive timeout: 356
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.2 State: Join Flags: S Timeout: 172
lab@R5>
[edit]
lab@R5# edit routing-options
[edit routing-options]
lab@R5# set rib-groups to_inet.2 import-rib [inet.0 inet.2]
[edit routing-options]
lab@R5# set rib-groups rpf_inet.2 import-rib inet.2
[edit routing-options]
lab@R5# set interface-routes rib-group inet to_inet.2
[edit routing-options]
lab@R5# show
interface-routes {
rib-group inet to_inet.2;
}
static {
route 0.0.0.0/0 next-hop 10.94.175.254;
}
rib-groups {
to_inet.2 {
import-rib [ inet.0 inet.2 ];
www.juniper.net Multicast Implementation and Troubleshooting (Detailed) • Lab 8–17
JNCIE Service Provider Bootcamp
}
rpf_inet.2 {
import-rib inet.2;
}
}
[edit routing-options]
lab@R5# top edit protocols
[edit protocols]
lab@R5# set ospf rib-group to_inet.2
[edit protocols]
lab@R5# set pim rib-group inet rpf_inet.2
[edit protocols]
lab@R5# show
ospf {
rib-group to_inet.2;
area 0.0.0.0 {
interface all;
interface ge-0/0/0.0 {
disable;
}
}
}
pim {
rib-group inet rpf_inet.2;
rp {
static {
address 172.27.255.11;
}
}
interface all;
interface ge-0/0/0.0 {
disable;
}
}
[edit protocols]
lab@R5# commit
commit complete
[edit protocols]
lab@R5#
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# edit routing-options
[edit routing-options]
lab@R4# set rib-groups rpf_inet.2 import-rib inet.2
[edit routing-options]
lab@R4# set interface-routes rib-group inet to_inet.2
[edit routing-options]
lab@R4# show
interface-routes {
rib-group inet to_inet.2;
}
static {
route 0.0.0.0/0 next-hop 10.94.175.254;
}
rib-groups {
to_inet.2 {
import-rib [ inet.0 inet.2 ];
}
rpf_inet.2 {
import-rib inet.2;
}
}
[edit routing-options]
lab@R4# top edit protocols
[edit protocols]
lab@R4# set ospf rib-group to_inet.2
[edit protocols]
lab@R4# set pim rib-group inet rpf_inet.2
[edit protocols]
lab@R4# show
ospf {
rib-group to_inet.2;
area 0.0.0.0 {
interface all;
interface ge-0/0/0.0 {
disable;
}
}
}
pim {
rib-group inet rpf_inet.2;
rp {
static {
address 172.27.255.11;
}
}
[edit protocols]
lab@R4# commit
commit complete
[edit protocols]
lab@R4#
TASK VERIFICATION
We begin by verifying which table the RPF check is using to the RP and source, and
that the routing table shows the correct routes for the RP and source.
• R5:
[edit protocols]
lab@R5# run show multicast rpf 172.27.0.38
Multicast RPF table: inet.2 , 22 entries
172.27.0.36/30
Protocol: OSPF
Interface: ge-0/0/2.0
Neighbor: 172.27.0.21
[edit protocols]
lab@R5# run show multicast rpf 172.27.255.11
Multicast RPF table: inet.2 , 22 entries
172.27.255.11/32
Protocol: OSPF
Interface: ge-0/0/1.0
Neighbor: 172.27.0.26
[edit protocols]
lab@R5# run show route 172.27.0.38
[edit protocols]
lab@R5# run show route 172.27.255.11
TASK CORRECTION
To ensure that 172.27.0.21 is preferred to match the SPT path in the inet.2 table,
you must make the 172.27.0.21 more preferred. A static route can be used to
resolve this issue. Make sure to apply the same inet.2 configuration on R4.
• R5:
[edit protocols]
lab@R5# top edit routing-options
[edit routing-options]
lab@R5# set rib inet.2 static route 172.27.255.11/32 next-hop 172.27.0.21
[edit routing-options]
lab@R5# show
interface-routes {
rib-group inet to_inet.2;
}
rib inet.2 {
static {
route 172.27.255.11/32 next-hop 172.27.0.21;
}
}
[edit routing-options]
lab@R5# commit
commit complete
[edit routing-options]
lab@R5#
• R4:
[edit protocols]
lab@R4# top edit routing-options
[edit routing-options]
lab@R4# set rib inet.2 static route 172.27.255.11/32 next-hop 172.27.0.5
[edit routing-options]
lab@R4# show
interface-routes {
rib-group inet to_inet.2;
}
rib inet.2 {
static {
route 172.27.255.11/32 next-hop 172.27.0.5;
}
}
static {
route 0.0.0.0/0 next-hop 10.94.175.254;
}
rib-groups {
to_inet.2 {
import-rib [ inet.0 inet.2 ];
}
rpf_inet.2 {
import-rib inet.2;
}
}
[edit routing-options]
lab@R4# commit
commit complete
172.27.0.36/30
Protocol: OSPF
Interface: ge-0/0/2.0
Neighbor: 172.27.0.21
[edit routing-options]
lab@R5# run show multicast rpf 172.27.255.11
Multicast RPF table: inet.2 , 22 entries
172.27.255.11/32
Protocol: Static
Interface: ge-0/0/2.0
Neighbor: 172.27.0.21
[edit routing-options]
lab@R5# run show route 172.27.0.38
[edit routing-options]
lab@R5# run show route 172.27.255.11
[edit routing-options]
lab@R5# run show pim join extensive 224.2.2.2
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
Group: 224.2.2.2
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: Join to RP
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.2 State: Join Flags: SRW Timeout: 170
Group: 224.2.2.2
Source: 172.27.0.38
Flags: sparse,spt
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: None, Join to Source
Keepalive timeout: 318
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.2 State: Join Flags: S Timeout: 170
• R4:
[edit routing-options]
lab@R4# run show multicast rpf 172.27.0.38
Multicast RPF table: inet.2 , 23 entries
172.27.0.36/30
Protocol: OSPF
Interface: ge-0/0/1.0
Neighbor: 172.27.0.5
[edit routing-options]
lab@R4# run show multicast rpf 172.27.255.11
Multicast RPF table: inet.2 , 23 entries
172.27.255.11/32
Protocol: Static
Interface: ge-0/0/1.0
Neighbor: 172.27.0.5
[edit routing-options]
lab@R4# run show route 172.27.0.38
[edit routing-options]
lab@R4# run show route 172.27.255.11
[edit routing-options]
lab@R4# run show pim join extensive 224.2.2.2
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
Group: 224.2.2.2
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/1.0
Upstream neighbor: 172.27.0.5
Upstream state: Join to RP
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.0.22 State: Join Flags: SRW Timeout: 188
Group: 224.2.2.2
Source: 172.27.0.38
Flags: sparse,spt
Upstream interface: ge-0/0/1.0
Upstream neighbor: 172.27.0.5
Upstream state: None, Join to Source
Keepalive timeout: 335
Downstream neighbors:
TASK 4
Ensure that joins to source are load-balanced for groups
sourced from S1.
TASK INTERPRETATION
If you view the lab diagram, R5 should have two equal paths to S1. Also, verify that
R5 has equal cost paths to S1. To load balance across the equal cost paths, simply
configure the PIM option join-load-balance on R5.
TASK COMPLETION
First verify the status of the routes and PIM joins on R5.
[edit routing-options]
lab@R5# run show route 172.27.0.30
[edit routing-options]
lab@R5# run show pim join extensive 224.1.1.1
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
Group: 224.1.1.1
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: Join to RP
Downstream neighbors:
Group: 224.1.1.1
Source: 172.27.0.30
Flags: sparse,spt
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: None, Join to Source
Keepalive timeout: 359
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.4 State: Join Flags: S Timeout: 150
[edit routing-options]
lab@R5# run show pim join extensive 224.3.3.3
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
Group: 224.3.3.3
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: Join to RP
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.3 State: Join Flags: SRW Timeout: 198
Group: 224.3.3.3
Source: 172.27.0.30
Flags: sparse,spt
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: None, Join to Source
Keepalive timeout: 347
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.3 State: Join Flags: S Timeout: 198
Now that you have verified load balancing is not occurring, configure the option to
load balance under PIM.
• R5:
[edit routing-options]
lab@R5# top edit protocols pim
commit complete
Group: 224.1.1.1
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: Join to RP
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.4 State: Join Flags: SRW Timeout: 205
Group: 224.1.1.1
Source: 172.27.0.30
Flags: sparse,spt
Upstream interface: ge-0/0/1.0
Upstream neighbor: 172.27.0.26
Upstream state: Join to Source, Prune to RP
Keepalive timeout: 353
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.4 State: Join Flags: S Timeout: 205
Group: 224.3.3.3
Source: *
RP: 172.27.255.11
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/2.0
Upstream neighbor: 172.27.0.21
Upstream state: Join to RP
Downstream neighbors:
Interface: ge-0/0/4.0
172.27.1.3 State: Join Flags: SRW Timeout: 200
Overview
In this lab, you will be given a list of tasks specific to implementing and troubleshooting
class of service that you will need to accomplish within a specific time frame. You will
have 2 hours to complete the simulation.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions. You might
find more than one method for accomplishing each task.
By completing this lab, you will perform the following tasks:
• Configure a scheduler named jncie-cos on all routers with the following
criteria:
– The expedited-forwarding queue should have the high priority with 10%
allocation of traffic;
– The assured-forwarding queue should have medium-high priority with 5%
allocation of traffic;
– The best-effort queue should have low priority with 80% allocation of
traffic;
– The network-connect queue should have low priority with 5% traffic
allocation; and
– Apply the scheduler on all interfaces.
• Configure a MF classifier named voice on R5:
– The classifier should match any traffic with DSCP EF markings and place
this traffic into the EF queue;
– The classifier should match any TCP traffic destined to port 2000 and
place this traffic on the AF queue; and
– Place this classifier on traffic coming from the C1 router.
www.juniper.net Class of Service Implementation and Troubleshooting (Detailed) • Lab 9–1
10.b.10.3
JNCIE Service Provider Bootcamp
• Configure a MF classifier named internet on R1:
– Match all traffic and place into the best effort queue and mark as
high loss drop profile; and
– Place this classifier on all traffic coming from the C2 router.
• Configure a rewrite marker named jncie-rw on R5:
– Mark all traffic on the expedited-forwarding queue as DSCP EF; and
– Mark all traffic on the assured-forwarding queue as DSCP AF21.
• Configure a behavior aggregate classifier named jncie-ba on R3, and
R4:
– Place all traffic with inet-precedence 5 into the expedited-forwarding
queue; and
– Place all traffic with inet-precedence 3 into the assured-forwarding
queue.
• Configure a filter named jncie-police on R3 and R4:
– Send any traffic marked as DSCP 21 and exceeding 50 Mb to the
best effort queue and mark it as loss priority high;
– Send any traffic marked as DSCP 46 and exceeding 100 Mb to the
best effort queue and mark it as loss priority low; and
– Apply the policer to the interfaces facing R5.
• Configure a behavior aggregate classifier on R2:
– Place all traffic marked with 802.1p number 5 on the expedited
forwarding queue; and
– Apply this to the interface facing the VPLS CE2 device.
• Configure a rewrite marker named vpls-rw on R2:
– Mark all traffic in the expedited queue to EXP 5.
In this lab part, you will log in to your assigned routers and ensure that you are
running the correct startup configuration file for this lab. Refer to the network
diagram for this lab for topological and configuration details. You will then configure
various CoS settings depending on the outlined requirements. You must ensure that
all the CoS requirements are met based on the task guidelines.
Note
We recommend that you spend some time
investigating the current operation of your
routers. During the real exam, you might be
given routers that are operating
inefficiently. Investigating operating issues
now might save you a lot of time
troubleshooting strange issues later.
TASK 1
Configure a scheduler-map named jncie-cos on all routers.
Map each queue to the following set of criteria:
• The expedited-forwarding queue should have the high
priority with a 10% transmit rate;
• The assured-forwarding queue should have
medium-high priority with a 5% transmit rate;
• The best-effort queue should have low priority with
a 80% transmit rate;
• The network-connect queue should have low priority
with a 5% transmit rate; and
• Apply the scheduler on all gigabit interfaces.
Note
When you have a repetitive task on the
exam, take advantage of Notepad access
for copy and paste operations.
TASK INTERPRETATION
The task is requesting a simple scheduler-map configuration to be applied on all
interfaces. It lays out all the necessary criteria and it includes instructions to use a
specific name for the scheduler-map, but it does not seem to matter what you use to
name the schedulers themselves. The rest of the instructions are straightforward.
lab@R1# show
interfaces {
ge-* {
scheduler-map jncie-cos;
}
}
scheduler-maps {
jncie-cos {
forwarding-class expedited-forwarding scheduler ef;
forwarding-class assured-forwarding scheduler af;
forwarding-class best-effort scheduler be;
forwarding-class network-control scheduler nc;
}
}
schedulers {
ef {
transmit-rate percent 10;
priority high;
}
af {
Note
Make sure you verify with the proctor if the
external device is accessible and if its using
a routing instance.
Note
To be more efficient when doing the ping
command, take advantage of the rapid
and count statements.
Note
During the exam, we recommend that you
over-configure rather than under-configure.
If a task does not explicitly mention a step,
and if the extra configuration does not
conflict with any other task in the exam, it is
a good idea to perform the additional
configuration steps.
TASK COMPLETION
• R5:
lab@R5> configure
Entering configuration mode
lab@R5# edit class-of-service rewrite-rules dscp jncie-rw
[edit class-of-service rewrite-rules dscp jncie-rw]
lab@R5# set forwarding-class expedited-forwarding loss-priority high code-point
ef
[edit class-of-service rewrite-rules dscp jncie-rw]
lab@R5# set forwarding-class expedited-forwarding loss-priority low code-point
ef
[edit class-of-service rewrite-rules dscp jncie-rw]
lab@R5# set forwarding-class expedited-forwarding loss-priority medium-high
code-point ef
[edit class-of-service rewrite-rules dscp jncie-rw]
lab@R5# set forwarding-class expedited-forwarding loss-priority medium-low
code-point ef
[edit class-of-service rewrite-rules dscp jncie-rw]
lab@R5# copy forwarding-class expedited-forwarding to forwarding-class
assured-forwarding
[edit class-of-service rewrite-rules dscp jncie-rw]
[edit class-of-service]
lab@R5# set interfaces ge-0/0/1 unit 0 rewrite-rules dscp jncie-rw
[edit class-of-service]
lab@R5# set interfaces ge-0/0/2 unit 0 rewrite-rules dscp jncie-rw
[edit class-of-service]
lab@R5# commit
TASK VERIFICATION
Remember that the rewrite of bits is an egress operation in Junos OS. Ensure that
the correct rewrite marker is applied by looking at the output of the show
class-of-service interface and the show class-of-service
rewrite-rule type dscp operational commands.
• R5:
[edit class-of-service]
lab@R5# run show class-of-service interface ge-0/0/1
Physical interface: ge-0/0/1, Index: 134
Queues supported: 8, Queues in use: 4
Scheduler map: <default>, Index: 2
• R1 and R2:
[edit class-of-service]
lab@R1# run ping 172.27.255.5 rapid count 20 tos 160
PING 172.27.255.5 (172.27.255.5): 56 data bytes
!!!!!!!!!!!!!!!!!!!!
--- 172.27.255.5 ping statistics ---
20 packets transmitted, 20 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.308/4.660/7.511/1.103 ms
[edit class-of-service]
lab@R1# run ping 172.27.255.5 rapid count 20 tos 96
PING 172.27.255.5 (172.27.255.5): 56 data bytes
!!!!!!!!!!!!!!!!!!!!
--- 172.27.255.5 ping statistics ---
20 packets transmitted, 20 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.268/4.578/6.781/1.004 ms
• R3 and R4:
[edit class-of-service classifiers inet-precedence jncie-ba]
lab@R3# run show interfaces ge-0/0/3 extensive | find "Queue counter"
Queue counters: Queued packets Transmitted packets Dropped packets
0 best-effort 30 30 0
1 expedited-fo 20 20 0
2 assured-forw 20 20 0
3 network-cont 34 34 0
[edit firewall]
lab@R3# set policer ef if-exceeding bandwidth-limit 100m burst-size-limit 15000
[edit firewall]
lab@R3# set policer ef then forwarding-class best-effort
[edit firewall]
lab@R3# set policer ef then loss-priority low
[edit firewall]
lab@R3# copy policer ef to policer af21
[edit firewall]
lab@R3# edit policer af21
[edit firewall]
lab@R3# set family inet filter jncie-police term 1 from dscp af21
[edit firewall]
lab@R3# set family inet filter jncie-police term 1 then policer af21
[edit firewall]
lab@R3# set family inet filter jncie-police term 2 from dscp ef
[edit firewall]
lab@R3# set family inet filter jncie-police term 2 then policer ef
[edit firewall]
lab@R3# set family inet filter jncie-police term 3 then accept
[edit firewall]
lab@R3# top set interfaces ge-0/0/4.0 family inet filter input jncie-police
[edit firewall]
lab@R3# commit
TASK VERIFICATION
During the exam, you cannot generate enough traffic to see if the filter is working
properly. Verification for this task can easily be done by double checking the
configuration. Confirm that the filter has the correct name and is applied to the right
interface and remember to apply an accept term to the filter.
TASK 7
Configure a behavior aggregate classifier on R2 named
vpls-ba:
• Place all traffic marked with 802.1p number 5 on the
expedited forwarding queue; and
• Apply this classifier to the interface facing the
VPLS CE1 device.
• VR-device:
lab@vrdevice> show route table VPLS-CE protocol local terse
Overview
In this lab, you will be given a list of tasks specific to implementing and troubleshooting
MPLS which you will need to accomplish within a specific time frame. You will have
1.5 hours to complete the simulation.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions. Some
tasks might include multiple methods for accomplishing each task.
By completing this lab, you will perform the following tasks:
• Configure the RSVP LSPs, defined in the LSP tables, through your network and
ensure all LSPs are up and functional.
• R2 is not allowed to run RSVP to signal its LSPs. You must route between R2
and R5 using a LSP. You must also ensure that the failure of any transit router
does not prevent the exchange of labels between R2 and R5. LDP is prohibited
on R3.
• Ensure that the r1-to-r5 LSP has two unique paths. The primary path
should traverse R4 while the secondary path should use a different path and
be signaled and ready for use.
• Configure the administrative groups defined in the Admin table on all RSVP
routers. Apply these administrative groups to the appropriate links as
illustrated on the Lab 6 diagram. Ensure that the r3-to-r4 LSP avoids the
R3-R4 link.
• Configure the r5-to-r1 LSP to reserve 450 Mbps of bandwidth across the
network.
• Create a bypass to improve convergence time for the r5-to-r1 LSP in the
event of a R4-R1 link failure. Ensure bandwidth reservation is honored and the
best available path is chosen.
In this lab part, you will log in to your assigned routers and configure the
label-switched paths (LSPs) required to transport traffic through your core network.
You must ensure all LSPs are created within the guidelines defined by the tasks in
this lab.
INITIAL TASK
Access the CLI for your routers using either the console, Telnet, or SSH as directed
by your instructor. Refer to the management network diagram for the IP address
associated with your devices. Log in as user lab with the password lab123.
TASK COMPLETION
• R1:
R1 (ttyd0)
login: lab
Password:
login: lab
Password:
login: lab
Password:
login: lab
Password:
login: lab
Password:
login: lab
Password:
TASK 1
Configure the LSPs, defined in the following LSP tables,
through your network and ensure all LSPs are up and
functional.
Note
We recommend that you include the
configuration steps for the third task while
you are configuring the first task. This
approach will save you time and effort as
you move through the tasks of this lab.
R1
R3
R4
R5
[edit]
lab@R1# edit protocols mpls
commit complete
Exiting configuration mode
lab@R1>
• R3:
[edit]
lab@R3# set protocols rsvp interface all
[edit]
lab@R3# edit protocols mpls
commit complete
Exiting configuration mode
lab@R3>
• R4:
[edit]
lab@R4# set protocols rsvp interface ae0
[edit]
lab@R4# set protocols rsvp interface ge-0/0/4
[edit]
lab@R4# set protocols rsvp interface ge-0/0/5
commit complete
Exiting configuration mode
lab@R4>
• R5:
[edit]
lab@R5# set protocols rsvp interface all
[edit]
lab@R5# edit protocols mpls
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Begin your verification by reviewing the status of your LSPs from the perspective of
R1. If everything is functioning well, move through the rest of the routers on which
you configured LSPs.
• R1:
lab@R1> show mpls lsp
Ingress LSP: 3 sessions
To From State Rt P ActivePath LSPname
172.27.255.3 0.0.0.0 Dn 0 - r1-to-r3
172.27.255.4 0.0.0.0 Dn 0 - r1-to-r4
172.27.255.5 0.0.0.0 Dn 0 - r1-to-r5
Total 3 displayed, Up 0, Down 3
172.27.255.3
From: 0.0.0.0, State: Dn, ActiveRoute: 0, LSPname: r1-to-r3
ActivePath: (none)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
Primary State: Dn
Priorities: 7 0
SmartOptimizeTimer: 180
Will be enqueued for recomputation in 21 second(s).
172.27.255.4
From: 0.0.0.0, State: Dn, ActiveRoute: 0, LSPname: r1-to-r4
ActivePath: (none)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
Primary State: Dn
Priorities: 7 0
SmartOptimizeTimer: 180
Will be enqueued for recomputation in 24 second(s).
1 Jun 23 22:39:12.333 CSPF failed: no route toward 172.27.255.4[169 times]
Created: Thu Jun 23 21:17:03 2011
172.27.255.5
From: 0.0.0.0, State: Dn, ActiveRoute: 0, LSPname: r1-to-r5
ActivePath: (none)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
Primary path-1 State: Dn
Priorities: 7 0
SmartOptimizeTimer: 180
Will be enqueued for recomputation in 25 second(s).
1 Jun 23 22:39:12.334 CSPF failed: no route toward 172.27.255.4[169 times]
Standby path-2 State: Dn
Priorities: 7 0
SmartOptimizeTimer: 180
Will be enqueued for recomputation in 25 second(s).
1 Jun 23 22:39:12.334 CSPF failed: no route toward 172.27.255.3[168 times]
Created: Thu Jun 23 21:17:03 2011
Total 3 displayed, Up 0, Down 3
lab@R1>
TASK CORRECTION
To correct the issue you have to enable family mpls on all interfaces that will be
participating in your MPLS network.
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# edit interfaces
[edit interfaces]
lab@R1# set ae0 unit 0 family mpls
[edit interfaces]
lab@R1# set ge-0/0/6 unit 0 family mpls
[edit interfaces]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# edit interfaces
[edit interfaces]
lab@R3# set ge-0/0/1 unit 0 family mpls
[edit interfaces]
lab@R3# set ge-0/0/2 unit 0 family mpls
[edit interfaces]
lab@R3# set ge-0/0/3 unit 0 family mpls
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# edit interfaces
[edit interfaces]
lab@R4# set ae0 unit 0 family mpls
[edit interfaces]
lab@R4# set ge-0/0/4 unit 0 family mpls
[edit interfaces]
lab@R4# set ge-0/0/5 unit 0 family mpls
[edit interfaces]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# edit interfaces
[edit interfaces]
lab@R5# set ge-0/0/1 unit 0 family mpls
[edit interfaces]
lab@R5# set ge-0/0/2 unit 0 family mpls
[edit interfaces]
lab@R5# commit and-quit
commit complete
Exiting configuration mode
lab@R5>
• R3:
lab@R3> show mpls lsp
Ingress LSP: 3 sessions
To From State Rt P ActivePath LSPname
172.27.255.1 172.27.255.3 Up 10 * r3-to-r1
172.27.255.4 172.27.255.3 Up 0 * r3-to-r4
172.27.255.5 172.27.255.3 Up 10 * r3-to-r5
Total 3 displayed, Up 3, Down 0
• R5:
lab@R5> show mpls lsp
Ingress LSP: 3 sessions
To From State Rt P ActivePath LSPname
172.27.255.1 172.27.255.5 Up 10 * r5-to-r1
172.27.255.3 172.27.255.5 Up 10 * r5-to-r3
172.27.255.4 172.27.255.5 Up 0 * r5-to-r4
Total 3 displayed, Up 3, Down 0
[edit]
lab@R1# edit interfaces
[edit interfaces]
lab@R1# set ge-0/0/3 unit 0 family mpls
[edit interfaces]
lab@R1# top
[edit]
lab@R1# set protocols ldp interface ge-0/0/3
[edit]
lab@R1# set protocols ldp interface lo0
[edit]
lab@R1# set protocols mpls label-switched-path r1-to-r5 ldp-tunneling
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
• R2:
[edit]
lab@R2# edit interfaces
[edit interfaces]
lab@R2# set ge-0/0/1 unit 0 family mpls
www.juniper.net MPLS Implementation and Troubleshooting (Detailed) • Lab 10–15
JNCIE Service Provider Bootcamp
[edit interfaces]
lab@R2# set ge-0/0/4 unit 0 family mpls
[edit interfaces]
lab@R2# top
[edit]
lab@R2# set protocols ldp interface all
[edit]
lab@R2# commit and-quit
commit complete
Exiting configuration mode
lab@R2>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set interfaces ge-0/0/1 unit 0 family mpls
[edit]
lab@R4# set protocols ldp interface lo0
[edit]
lab@R4# set protocols ldp interface ge-0/0/1
[edit]
lab@R4# set protocols mpls label-switched-path r4-to-r5 ldp-tunneling
[edit]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set protocols ldp interface lo0
[edit]
lab@R5# set protocols mpls label-switched-path r5-to-r1 ldp-tunneling
[edit]
lab@R5# set protocols mpls label-switched-path r5-to-r4 ldp-tunneling
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Begin your verification by reviewing the status of your LSPs from the perspective of
R1. If everything is functioning well, move on through the rest of the routers on
which you configured LDP.
• R1:
lab@R1> show ldp interface
Interface Label space ID Nbr count Next hello
ge-0/0/3.0 172.27.255.1:0 1 4
lo0.0 172.27.255.1:0 1 0
• R2:
lab@R2> show ldp interface
Interface Label space ID Nbr count Next hello
lo0.0 172.27.255.2:0 0 0
ge-0/0/1.0 172.27.255.2:0 1 4
ge-0/0/4.0 172.27.255.2:0 1 2
• R4:
lab@R4> show ldp interface
Interface Label space ID Nbr count Next hello
lo0.0 172.27.255.4:0 1 0
ge-0/0/1.0 172.27.255.4:0 1 2
• R5:
lab@R5> show ldp interface
Interface Label space ID Nbr count Next hello
lo0.0 172.27.255.5:0 2 0
TASK INTERPRETATION
If you followed the instructions in the first task, you have already completed this
task. If you did not include this task when you configured your RSVP LSPs then you
should complete this task now. You can refer to the detailed steps outlined in the
first task to complete this third task.
TASK 4
Configure the administrative groups, defined in the Admin
Groups table, on all RSVP routers. Apply these
administrative groups to the appropriate links as
illustrated on the Lab 6 diagram. Ensure that the r3-to-r4
LSP avoids the R3-R4 link.
Admin Groups
plat 1
gold 2
silver 3
bronze 4
TASK INTERPRETATION
This task requires you to configure the administrative groups defined in the table.
Apply these groups to the appropriate links and ensure that you apply the additional
constraints to the defined LSP r3-to-r4 by excluding the bronze admin group.
TASK COMPLETION
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# edit protocols mpls
lab@R1>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# edit protocols mpls
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# edit protocols mpls
commit complete
Exiting configuration mode
lab@R4>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# edit protocols mpls
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Begin your verification by ensuring that all MPLS interfaces have the correct
administrative groups applied. While on R3, you should also verify that the
constraints that you applied to the r3-to-r4 LSP have taken effect. You can do
this by reviewing the extensive information for the particular LSP.
• R1:
lab@R1> show mpls interface
Interface State Administrative groups
ge-0/0/3.0 Up <none>
ge-0/0/6.0 Up gold
ae0.0 Up plat
• R3:
lab@R3> show mpls interface
Interface State Administrative groups
ge-0/0/1.0 Up gold
ge-0/0/2.0 Up bronze
ge-0/0/3.0 Up plat
172.27.255.4
From: 172.27.255.3, State: Up, ActiveRoute: 0, LSPname: r3-to-r4
ActivePath: (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Exclude: bronze
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 2)
172.27.0.25 S 172.27.0.21 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
172.27.0.25 172.27.0.21
11 Jun 28 20:05:29.311 Record Route: 172.27.0.25 172.27.0.21
10 Jun 28 20:05:29.311 Up
9 Jun 28 20:05:29.272 Originate Call
8 Jun 28 20:05:29.272 CSPF: computation result accepted 172.27.0.25
172.27.0.21
7 Jun 28 20:05:29.271 Clear Call
6 Jun 28 20:03:35.359 Selected as active path
5 Jun 28 20:03:35.357 Record Route: 172.27.0.18
4 Jun 28 20:03:35.357 Up
3 Jun 28 20:03:35.344 Originate Call
2 Jun 28 20:03:35.344 CSPF: computation result accepted 172.27.0.18
1 Jun 28 20:03:05.623 CSPF: could not determine self
Created: Tue Jun 28 20:03:05 2011
Total 1 displayed, Up 1, Down 0
• R5:
lab@R5> show mpls interface
Interface State Administrative groups
ge-0/0/1.0 Up plat
ge-0/0/2.0 Up gold
TASK 5
Configure the r5-to-r1 LSP to reserve 450 Mbps of bandwidth
across the network.
TASK INTERPRETATION
This task indicates that you must assign a bandwidth reservation to the LSP that you
created from r5-to-r1.
TASK COMPLETION
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# edit protocols mpls
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
On R5, verify that the r5-to-r1 LSP is requesting the bandwidth and the LSP has
been signaled. You can also see the reservation by looking at the RSVP interfaces.
• R5:
lab@R5> show mpls lsp name r5-to-r1 extensive
Ingress LSP: 3 sessions
TASK 6
Create a bypass to improve convergence time for the
r5-to-r1 LSP in the event of a R4-R1 link failure. Ensure
bandwidth reservation is honored and the best available
path is chosen.
[edit]
lab@R4# set protocols rsvp interface ae0.0 link-protection bandwidth 450m
[edit]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set protocols mpls label-switched-path r5-to-r1 link-protection
[edit]
lab@R5# commit and-quit
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Begin your verification by looking at the LSP from the perspective of the ingress
router (R5). After determining that link-protection is being requested for the LSP,
move to R4 and verify that the RSVP interface you configured is creating a bypass
LSP.
172.27.255.1
From: 172.27.255.5, State: Up, ActiveRoute: 10, LSPname: r5-to-r1
ActivePath: (primary)
Link protection desired
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
Bandwidth: 450Mbps
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 2)
172.27.0.21 S 172.27.0.10 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
172.27.255.4(flag=0x21) 172.27.0.21(flag=1 Label=300080)
172.27.255.1(flag=0x20) 172.27.0.10(Label=3)
Total 1 displayed, Up 1, Down 0
• R4:
lab@R4> show rsvp interface ae0.0 extensive
ae0.0 Index 75, State Ena/Up
NoAuthentication, NoAggregate, NoReliable, LinkProtection
HelloInterval 9(second)
Address 172.27.0.9
ActiveResv 3, PreemptionCnt 0, Update threshold 10%
Subscription 100%,
bc0 = ct0, StaticBW 2Gbps
ct0: StaticBW 2Gbps, AvailableBW 1.55Gbps
MaxAvailableBW 2Gbps = (bc0*subscription)
ReservedBW [0] 450Mbps[1] 0bps[2] 0bps[3] 0bps[4] 0bps[5] 0bps[6] 0bps[7]
0bps
Protection: On, Bypass: 1, LSP: 1, Protected LSP: 1, Unprotected LSP: 0
3 Jun 29 00:56:37 New bypass Bypass->172.27.0.10
2 Jun 29 00:41:35 Delete bypass Bypass->172.27.0.10, configuration changed
172.27.255.1
From: 172.27.255.4, LSPstate: Up, ActiveRoute: 0
LSPname: Bypass->172.27.0.10
LSPtype: Static Configured
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 299968
Resv style: 1 SE, Label in: -, Label out: 299968
Time left: -, Since: Wed Jun 29 00:56:39 2011
Tspec: rate 450Mbps size 450Mbps peak Infbps m 20 M 1500
Port number: sender 1 receiver 55417 protocol 0
Type: Bypass LSP
Number of data route tunnel through: 1
Number of RSVP session tunnel through: 0
PATH rcvfrom: localclient
Adspec: sent MTU 1500
Path MTU: received 1500
PATH sentto: 172.27.0.17 (ge-0/0/5.0) 2 pkts
RESV rcvfrom: 172.27.0.17 (ge-0/0/5.0) 2 pkts
Explct route: 172.27.0.17 172.27.0.14
Record route: <self> 172.27.0.17 172.27.0.14
Total 1 displayed, Up 1, Down 0
TASK 7
Ensure that all MPLS packets that transit the R1-R4 link
are load balanced across both member links of the
Aggregated Ethernet bundle. The contents of the outer label
as well as the IP packet should be used by the load
balancing algorithm.
TASK INTERPRETATION
This task indicates that you must alter the hash key being used by the forwarding
table when deciding what interface next-hop to use for MPLS traffic traversing the
aggregated Ethernet interface.
Based on the requirements, you must use the first label as well as the IP payload
when calculating the physical interface to send the MPLS traffic out. You must make
this configuration change on both R1 and R4 to meet the requirements of the task.
TASK COMPLETION
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# set forwarding-options hash-key family mpls label-1 payload ip
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
[edit]
lab@R4# set forwarding-options hash-key family mpls label-1 payload ip
[edit]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
TASK VERIFICATION
Because no transit traffic is traversing your core network, you need no verification
steps for this particular task. If you configured the hash algorithm as illustrated in
the detailed steps, then everything should be working correctly.
TASK 8
Ensure that the entire core network appears as two hops for
any transit traffic.
TASK INTERPRETATION
This task indicates that you must alter the default TTL behavior. Even though all
devices in your MPLS network are running the Junos OS, you must use the
no-propagate-ttl option. You must use this option because LDP is not
supported by the no-decrement-ttl feature. You must configure the
no-propagate-ttl option for all MPLS LSP on all routers.
TASK COMPLETION
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# set protocols mpls no-propagate-ttl
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
• R2:
lab@R2> configure
Entering configuration mode
[edit]
lab@R2# commit and-quit
commit complete
Exiting configuration mode
lab@R2>
• R3:
lab@R3> configure
Entering configuration mode
[edit]
lab@R3# set protocols mpls no-propagate-ttl
[edit]
lab@R3# commit and-quit
commit complete
Exiting configuration mode
lab@R3>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set protocols mpls no-propagate-ttl
[edit]
lab@R4# commit and-quit
commit complete
Exiting configuration mode
lab@R4>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set protocols mpls no-propagate-ttl
[edit]
lab@R5# commit and-quit
commit complete
Exiting configuration mode
lab@R5>
Note
For verification, you can traceroute through
your MPLS core using the vr-device router.
Each virtual routing instance acting as a
external provider has a loopback address
assigned to it. You can use these
addresses to verify TTL behavior. Before
verifying, you must resignal all the LSPs for
this change to take effect.
TASK VERIFICATION
Verify that the changes you made have taken effect using traceroute.
Clear your MPLS LSPs on all routers using the clear mpls lsp command. This
will allow the TTL changes to be altered in the sessions.
Move to the VR-device.
Move to your open session on the VR-device and verify your changes by tracerouting
from one of the virtual routers through your core network to another virtual router.
For simplicity, use the traceroute 174.100.0.1 source 177.100.0.1
routing-instance customer2 command on the VR-device. This will
traceroute through the core using the r5-to-r1 LSP.
lab@vr-device> traceroute 174.100.0.1 source 177.100.0.1 routing-instance
customer2
traceroute to 174.100.0.1 (174.100.0.1) from 177.100.0.1, 30 hops max, 40 byte
packets
1 172.27.0.49 (172.27.0.49) 7.073 ms 7.696 ms 5.292 ms
2 172.27.0.10 (172.27.0.10) 8.747 ms 7.251 ms 7.771 ms
3 174.100.0.1 (174.100.0.1) 6.737 ms 9.255 ms 9.958 ms
STOP Tell your instructor that you have completed Lab 10.
Overview
In this lab, you will be given a list of tasks specific to implementing and troubleshooting
MPLS VPNs which you will need to accomplish within a specific time frame. You will have
3 hours to complete the simulation.
The lab is available in two formats. In the high-level format, you are given only the list of
tasks to be accomplished. To better prepare you for the real JNCIE exam, we recommend
that you make your best effort at accomplishing the tasks with only the high-level lab
guide.
The lab is also available in a detailed format. The detailed format contains a discussion
regarding the interpretation of each task, followed by step-by-step instructions. Some
tasks might include multiple methods for accomplishing each task.
By completing this lab, you will perform the following tasks:
• Create a Layer 3 VPN named vpn-1, connecting the following sites: CE-1,
CE-2, CE-3, and CE-4. The CE-3 and CE-4 sites peer using BGP. The CE-1 and
CE-2 are using OSPF Area 0. Ensure all the CE routers can ping the remote
directly connected PE-CE links.
• The CE-1 and CE-2 routers share a backdoor OSPF connection. Ensure that
CE-1 and CE-2 prefer to send traffic through the Layer 3 VPN. The internal
connection between CE-1 and CE-2 has an interface metric of 10.
• You are required to provide Internet access for vpn-1 on the R1 PE router. You
are allowed to use one static route to complete this task.
• On R1, ensure that vpn-1 traffic destined to CE-1 uses the r1-to-r5-one
LSP and traffic destined to CE-3 uses the r1-to-r5-two LSP.
• Configure a VPLS Layer 2 VPN named vpn-2 between CE-5 and CE-6 using
VLAN 200. Make sure the VPN uses the VPN RFC 4448 encapsulation and
uses BGP as the VPN signalling protocol. The maximum number of MAC
addresses learned by the VPLS domain should be limited to 500 on each
PE-CE link. Ensure that broadcast and multicast traffic will be policed to
50 Mbps for all sites before entering the MPLS domain.
In this lab part, you will log in to your assigned routers and configure a Layer 3 VPN.
Refer to network diagram for this lab for topological and configuration details. You
will be required to configure additional features and functionality to your VPN as
defined in the tasks for this lab.
Note
We recommend that you spend some time
investigating the current operation of your
routers. During the real exam, you might be
given routers that are operating
inefficiently. Investigating operating issues
now might save you a lot of time
troubleshooting strange issues later.
INITIAL TASK
Access the CLI for your routers using either the console, Telnet, or SSH as directed
by your instructor. Refer to the management network diagram for the IP address
associated with your devices. Log in as user lab with the password lab123.
TASK COMPLETION
• R1:
R1 (ttyd0)
login: lab
Password:
login: lab
Password:
login: lab
Password:
login: lab
Password:
login: lab
Password:
login: lab
Password:
TASK 1
Create a Layer 3 VPN called vpn-1, connecting the following
sites: CE-1, CE-2, CE-3, and CE-4. The CE-3 and CE-4 sites
peer using BGP. The CE-1 and CE-2 are using OSPF area 0.
Ensure all the CE routers can ping the remote directly
connected PE-CE links.
TASK INTERPRETATION
To complete this task, you must configure a VPN routing instance on routers R1, R5,
and R4 to connect the specified CE devices. Begin by configuring the routing
instance on R5 because two peerings exist. Include the appropriate interfaces for
the VPN instance. Define a Type 1 route distinguisher using the local loopback
address, to uniquely identify the source of the route advertisements. Define the VPN
route target as target:65100:100. This target is used to identify which MP-BGP
routes to accept. Configure an external BGP peering to CE-3 from your routing
instance, using the information outlined on the lab diagram. Note, that because
both sites are peering using the same AS, you must configure the BGP groups with
as-override. Using this option allows the PE to advertise the remote routes into
the site. Configure an OSPF peering to the CE-1 router from your routing instance.
You must create a routing policy to export your BGP routes into OSPF on R4 and R5,
so that the routes learned from your MP-BGP and EBGP peers can be shared with
the OSPF CE routers. On R5, you must include the direct route for the interface
connecting to CE-3 to ensure that this route is sent from both R4 and R5 into the
OSPF network.
[edit]
lab@R5# set protocols bgp group internal family inet unicast
[edit]
lab@R5# set protocols bgp group internal family inet-vpn unicast
[edit]
lab@R5# edit routing-instances vpn-1
[edit]
lab@R5# edit policy-options policy-statement bgp-to-ospf
[edit policy-options]
lab@R5# edit policy-statement ospf-to-bgp
[edit]
lab@R5# edit routing-instances vpn-1
commit complete
Exiting configuration mode
lab@R5>
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set protocols bgp group internal family inet unicast
[edit]
lab@R4# set protocols bgp group internal family inet-vpn unicast
[edit]
lab@R4# edit routing-instances vpn-1
[edit]
lab@R4# edit policy-options policy-statement bgp-to-ospf
[edit]
lab@R4# edit routing-instances vpn-1
commit complete
Exiting configuration mode
lab@R4>
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# set protocols bgp group internal family inet unicast
[edit]
lab@R1# set protocols bgp group internal family inet-vpn unicast
[edit]
lab@R1# edit routing-instances vpn-1
commit complete
Exiting configuration mode
lab@R1>
TASK VERIFICATION
Begin your verification by reviewing the status of your PE to CE neighborships. To
simplify the outputs, you should include the instance option with the show
command and specify the VPN name. Review the vpn-1.inet.0 routing table to
verify that you have the remote networks for the directly connected interface. You
can include the terse option to quickly see what networks are there without all the
extra detailed information.
You should also log into the VR-device and verify the routing tables for each of the CE
devices. Finally, verify that you can ping from the local CE interface to the remote CE
interfaces for all of your CE routers.
You do not need to verify every detail from each device because if it is working on
one or two routers, it should be working on all.
You might want to review the contents of the bgp.l3vpn.0 routing table to see
which routes are being learned from which PE router by using the route distinguisher
that is prepended to the prefix.
Note
During the verification phase of the first
task, you must determine which routes are
being sent from which CE device. You can
determine this by systematically reviewing
the VRF tables and isolating the routes. To
save you some time during this step, the CE
devices in your Layer 3 VPN are listed below
with the routes they should be sending:
CE-1 = 65.100.0.0/24 to 65.100.4.0/24
CE-2 = 65.100.5.0/24 to 65.100.9.0/24
CE-3 = 65.100.10.0/24 to 65.100.14.0/24
CE-4 = 65.100.15.0/24 to 65.100.19.0/24
• R5:
lab@R5> show bgp summary instance vpn-1
Groups: 1 Peers: 1 Down peers: 0
• R1:
lab@R1> show bgp summary instance vpn-1
Groups: 1 Peers: 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
vpn-1.inet.0 42 26 0 0 0 0
vpn-1.mdt.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.27.0.34 65100 7859 279724 0 0 2d 11:33:04
Establ
vpn-1.inet.0: 5/5/5/0
• R4:
lab@R4> show ospf neighbor instance vpn-1
Address Interface State ID Pri Dead
172.27.0.42 ge-0/0/3.0 Full 65.100.255.2 128 34
TASK 2
The CE-1 and CE-2 routers share a backdoor OSPF connection.
Ensure that CE-1 and CE-2 prefer to send traffic through
the Layer 3 VPN. The internal connection between CE-1 and
CE-2 has an interface metric of 10.
TASK INTERPRETATION
To complete this task, you must ensure that the VPN connection appears as an
internal route, which allows you to alter the link metric to make the VPN more
preferred than the existing connection between CE-1 and CE-2 to allow the VPN to
appear as a internal link, you must configure a sham link between R4 and R5. As a
requirement for sham links, you must include a loopback address. Configure a
secondary loopback unit using 65.100.255.14 on R4 and 65.100.255.15 on R5.
Add this interface to the VPN. The loopback interface address is used as the local
and remote address for the sham link. Finally, you must add a metric to the sham
link that is lower than the existing connection between CE-1 and CE-2, which has a
metric of 10.
TASK COMPLETION
• R4:
lab@R4> configure
Entering configuration mode
[edit]
lab@R4# set interfaces lo0.1 family inet address 65.100.255.14
[edit]
lab@R4# edit routing-instances vpn-1
commit complete
Exiting configuration mode
lab@R4>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set interfaces lo0.1 family inet address 65.100.255.15
[edit]
lab@R5# edit routing-instances vpn-1
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Begin your verification by reviewing the OSPF database for CE-1. Remember this
device is in a routing instance, so you have to include the instance CE-1 with
your show commands. After verifying you have the router LSAs for R4 and R5, review
your CE-1 OSPF route for the loopback address of CE-2 (65.100.255.2). This route
should point to R5 as the next hop and avoid the original link between CE-1 and
CE-2. You can include the extensive option to see the IP address for the next hop.
• CE-1:
lab@vr-device> show ospf database instance CE-1
[edit]
lab@R1# edit routing-options
[edit routing-options]
lab@R1# set static route 65.100.0/16 next-table vpn-1.inet.0
[edit routing-options]
lab@R1# set rib-groups rib-1 import-rib [inet.0 vpn-1.inet.0]
[edit routing-options]
lab@R1# set interface-routes rib-group rib-1
[edit routing-options]
lab@R1# top edit protocols
[edit protocols]
lab@R1# set ospf rib-group rib-1
[edit protocols]
lab@R1# set bgp group internal family inet unicast rib-group rib-1
commit complete
Exiting configuration mode
lab@R1>
TASK VERIFICATION
Begin your verification by reviewing the vpn-1.inet.0 routing table on R1 to
verify that you now have all the Internet routes. Next, verify that you have the Internet
routes in the vpn-1.inet.0 routing table on R5. While on R5, verify that you have
the 65.100.0.0/16 route in the inet.0 routing table. Once you have verified the
routes are present, ping from the main instance to the loopback address on R5 that
is assigned to the routing instance. This action can be accomplished using the ping
65.100.255.15 count 5 command. This command will illustrate that you can
pass traffic from the main instance through R1 into the VPN to R5. You can do
additional verification if you want.
• R1:
lab@R1> show route table vpn-1.inet.0 terse
• R5:
lab@R5> show route table vpn-1.inet.0 terse
TASK 4
On R1, ensure that vpn-1 traffic destined to CE-1 uses the
r1-to-r5-one LSP and traffic destined to CE-3 uses the
r1-to-r5-two LSP.
TASK INTERPRETATION
To complete this task, you must create two additional unique communities on R5.
You must add these communities to the routes learned from the each of the CE
neighbors before advertising them through MP-BGP to the other PE routers.
Remember to also create and add the target community to these routes before
you accept and advertise them to your MP-BGP peers. Remember to include the
direct routes when adding the communities to the BGP routes. To add additional
communities to your MP-BGP routes, you must manually create a vrf-export
and vrf-import policies on R5, and remove the vrf-target statement.
You must then create a policy on R1 to alter the next-hop LSP in the forwarding table
based on which community tag is present in the BGP route.You must define the
communities and values on R1 also.
[edit]
lab@R5# edit policy-options
[edit policy-options]
lab@R5# set community vpn-1 members target:65100:100
[edit policy-options]
lab@R5# set community ce-1 members 65100:1
[edit policy-options]
lab@R5# set community ce-3 members 65100:3
[edit policy-options]
lab@R5# edit policy-statement vpn-export
commit complete
Exiting configuration mode
lab@R5>
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# edit policy-options
[edit policy-options]
lab@R1# set community ce-1 members 65100:1
[edit policy-options]
lab@R1# set community ce-3 members 65100:3
[edit]
lab@R1# set routing-options forwarding-table export set-lsp
[edit]
lab@R1# commit and-quit
commit complete
Exiting configuration mode
lab@R1>
TASK VERIFICATION
You can easily verify this task on R1 by reviewing the selected next hops for the CE
prefixes advertised by the R5 router in the VRF routing table. Routes from CE-1
should show only a next-hop of LSP r1-to-r5-one and routes learned from
CE-3 should show only the next-hop of r1-to-r5-two.
• R1:
lab@R1> show route table vpn-1.inet.0
[edit]
lab@R2# set interfaces ge-0/0/3 vlan-tagging
[edit]
lab@R2# set interfaces ge-0/0/3 encapsulation extended-vlan-vpls
[edit]
lab@R2# set interfaces ge-0/0/3 unit 200 vlan-id 200 family vpls
[edit]
lab@R2# edit protocols bgp group internal
[edit firewall]
lab@R2# set policer policer-1 if-exceeding bandwidth-limit 50m
[edit firewall]
lab@R2# set policer policer-1 if-exceeding burst-size-limit 1m
[edit firewall]
lab@R2# set policer policer-1 then discard
[edit firewall]
lab@R2# edit family vpls filter police-vpls
commit complete
Exiting configuration mode
lab@R2>
• R5:
lab@R5> configure
Entering configuration mode
[edit]
lab@R5# set interfaces ge-0/0/5 vlan-tagging
[edit]
lab@R5# set interfaces ge-0/0/5 encapsulation extended-vlan-vpls
[edit]
lab@R5# set interfaces ge-0/0/5 unit 200 vlan-id 200 family vpls
[edit]
lab@R5# edit protocols bgp group internal
[edit firewall]
lab@R5# set policer policer-1 if-exceeding burst-size-limit 1m
[edit firewall]
lab@R5# set policer policer-1 then discard
[edit firewall]
lab@R5# edit family vpls filter police-vpls
commit complete
Exiting configuration mode
lab@R5>
TASK VERIFICATION
Begin your verification on R2 by reviewing the VPLS connections. After verifying that
your VPLS session is up and functioning, move to the VR-device and use the ping
utility to ping through your newly created VPLS connection.
• R2:
lab@R2> show vpls connections
Layer-2 VPN connections:
Instance: vpn-2
Local site: ce-5 (5)
connection-site Type St Time last up # Up trans
6 rmt Up Jul 27 02:30:21 2011 1
Remote PE: 172.27.255.5, Negotiated control-word: No
Incoming label: 262150, Outgoing label: 262157
Local interface: lsi.1048576, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-2 local site 5 remote site 6
• VR-device:
lab@vr-device> ping 51.100.0.2 routing-instance CE-5 count 5
PING 51.100.0.2 (51.100.0.2): 56 data bytes
64 bytes from 51.100.0.2: icmp_seq=0 ttl=64 time=10.073 ms
64 bytes from 51.100.0.2: icmp_seq=1 ttl=64 time=10.594 ms
64 bytes from 51.100.0.2: icmp_seq=2 ttl=64 time=11.183 ms
64 bytes from 51.100.0.2: icmp_seq=3 ttl=64 time=7.548 ms
64 bytes from 51.100.0.2: icmp_seq=4 ttl=64 time=14.563 ms
TASK 6
You must extend vpn-3 connecting CE-7 to CE-8 using a
inter-provider solution with ISP-A. You must not configure
a routing instance on R3. The address of the remote PE will
be learned from ISP-A. The Remote PE is using the route
target value of target:60001:101. Use the information in
the lab diagram for this lab to complete this task.
TASK INTERPRETATION
To complete this task, you must configure an inter-provider VPN using Option C
because you cannot use R3 as a PE device. The R3 can be only an ASBR and you
must configure an external BGP peering to ISP-A’s ASBR. Your R1 router will be the
PE, using multihop EBGP peering to establish the MP-BGP neighborship with ISP-A.
Because you must learn the remote PEs address through BGP, start by configuring
R3’s EBGP peering to ISP-A. You must create a policy to advertise the loopback
address for R1 to ISP-A. You must include both the inet.0 route and the inet.3
route in your policy. You must enable family inet labeled-unicast rib
inet.3 on all BGP peerings between R1 and ISP-A, to maintain the label and
advertise the inet.3 route as well as unlabeled routes. Remember that you also need
regular inet unicast routes. To exchange inet.3 routes with ISP-A, you must enable
family mpls on your interface that connects R3 to ISP-A.
[edit]
lab@R3# set interfaces ge-0/0/4 unit 0 family mpls
[edit]
lab@R3# edit protocols bgp group internal
commit complete
Exiting configuration mode
lab@R3>
• R1:
lab@R1> configure
Entering configuration mode
[edit]
lab@R1# edit routing-instances vpn-3
commit complete
Exiting configuration mode
lab@R1>
TASK VERIFICATION
Begin your verification on R3 by checking that the EBGP session is established to
ISP-A. Next, make sure that you have the remote PE’s loopback address in your
inet.3 routing table on R3.
After verifying R3, move to R1 and verify that your multi-hop EBGP peering is
established to the remote PE. You can also use the same output to verify that your
PE to CE BGP peering is established and working. Next, verify that you have the
loopback address in your inet.3 routing table. The next table you want to verify is the
VRF routing table. Finally, move to the VR-device and verify reachability by pinging
85.100.255.1 from the CE-7 routing instance.
• R1:
lab@R1> show bgp summary
Groups: 4 Peers: 7 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 1 1 0 0 0 0
bgp.l3vpn.0 42 42 0 0 0 0
inet.3 1 1 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
95.100.255.2 60001 1681 1691 0 0 12:50:22
Establ
inet.0: 0/0/0/0
bgp.l3vpn.0: 6/6/6/0
• VR-device:
lab@vr-device> ping 85.100.255.1 routing-instance CE-7 count 5
PING 85.100.255.1 (85.100.255.1): 56 data bytes
64 bytes from 85.100.255.1: icmp_seq=0 ttl=64 time=12.549 ms
64 bytes from 85.100.255.1: icmp_seq=1 ttl=64 time=18.650 ms
64 bytes from 85.100.255.1: icmp_seq=2 ttl=64 time=8.579 ms
64 bytes from 85.100.255.1: icmp_seq=3 ttl=64 time=9.561 ms
64 bytes from 85.100.255.1: icmp_seq=4 ttl=64 time=7.556 ms
STOP Tell your instructor that you have completed Lab 11.