Lab v5

CCIE Service Provider Lab Workbook
Section 1 Bridging and Switching:

1.1 Configure IP across Frame-relay network Frame Relay interfaces are pre-configured as
mentioned in diagram. Please make sure only required mappings are configured.
Dynamic DLCI mapping is not allowed. There is some problem in initial configuration please
make sure, all devices running Frame-relay can ping their neighbor IP address.
Router Name DLCI Router name DLCI

R2 208 R8 802
R6 609 R9 906
R1 107 R7 701
Troubleshooting: (Wrong DLCI mapped on R6 for R9, Please correct that)

Notes: Check on R1 R2 R6 R7 R8 and R9 for frame relay dynamic mappings by command sh fram map, if you find any
dynamic entry, configure no fram inverse arp on that serial interface and reload the router and check again after reboot,
there should be single mapping for connected neighbor.
1
When to Reload?
1. No frame-relay inverse-arp not exists on interface, configure that and check frame-relay mappings, if you found any
reload the device.
2. Show frame-relay map shows you any 0000 entry.
3. To avoid reload you can shutdown the interface, clear frame inverse arp, default int s0/0 if 0000 still exists, if this
doesn’t not solve the issue go ahead and reload.
R2
interface Serial1/0
ip address 5.5.28.2 255.255.255.0
encapsulation frame-relay
no frame-relay inverse-arp
frame-relay map ip 5.5.28.8 208 broadcast
R8
interface Serial1/0
ip address 5.5.28.8 255.255.255.0
R6
interface Serial1/0
ip address 5.5.69.6 255.255.255.0
R9
interface Serial1/0
ip address 5.5.69.9 255.255.255.0
R1
interface Serial1/0
ip address 172.5.17.1 255.255.255.0
R7
interface Serial1/0
ip address 172.5.17.7 255.255.255.0
1.2 Configure IP Address YY.YY.26.10 for management vlan on SW1; make sure Admin in vlan
26 can telnet to SW1.
Notes: Configure IP address to vlan 26 on SW1, check the line vty on SW1, that should be already configured password
and login enabled on that. Verify all the vlans and trunks weather those working properly or not.
interface vlan26
ip add 5.5.26.10 255.255.255.0
no sh
line vty 0 4
password cisco
login
2
1.3 Configure Frame-relay Traffic Shaping between R1 & R7 as specified bellow:
CIR 2048 kbps

Min Cir 1024 kbps
BC 256 kbps
When interface queue exceeds to 30 packets󳰀 Speed should be throttle down to Min CIR.
Traffic shaping question no more in lab; by any chance if you get that.
Steps:
1. Physical interface enable frame-relay traffic-shaping.
2. map-class frame-relay XXXX.
3. Configure cir, mincir and bc
4. Most important, don’t forget configuring frame-relay adaptive-shaping interface-congestion.
5. Apply to interface-dlci
R1
map-class frame-relay R1-R7
frame-relay cir 2048000Created by ACS
frame-relay bc 256000
frame-relay mincir 1024000
frame-relay adaptive-shaping interface-congestion 30
int s1/0
frame-relay traffic-shaping
frame-relay interface-dlci 107
class R1-R7
R7
map-class frame-relay R7-R1
frame-relay cir 2048000
frame-relay bc 256000
frame-relay mincir 1024000
frame-relay adaptive-shaping interface-congestion 30
int s1/0
frame-relay traffic-shaping
frame-relay interface-dlci 107
class R7-R1
Verification
3
1.4 Customer ABC has decided to PPP Over Ethernet at his Site1 to meet up this requirement
configure PPPOE between R1 – ISP AS 267 PE Router R6. Customer router R1 should initiate
the session and R6 should respond. Client device R1 is expecting a dynamic ip address
172.10.16.1/24 assigned from ISP PE router. Configure CHAP for authentication, username
CCIE password CCIE. R6 is already configured bellow AAA commands:
aaa new-model
aaa authentication login default line none
Notes󳰀
Don’t forget to enable vpdn on both routers R1 and R6.
R1 doesn't support DDR.
R6 preconfigured with AAA bellow commands:
aaa authentication login default login line
R6 Pre-configured ip address 172.10.16.6/24 on interface FastEthernet3/0.
4
Don’t remove it; you will break the initial configuration and loose the marks.
First and Recommended Answer:
Steps:
1- Add ip unnumbered under both virtual & dialer interfaces.
2- Add ip address dhcp on physical client interface.
3- Add ip vrf for on the server physical interface in VPN Section.
4- Configure everything else on virtual / dialer interfaces (Routing, MPLS, and Multicast).
5- If multicast doesn’t work, add it on physical on both sides, but this rare situation.
Be very careful while dealing with AAA or you will find yourself locked in the router R6.
R1
vpdn enable
!
bba pppoe global
interface FastEthernet0/1
pppoe enable group global
pppoe-cl dial 1
interface Dialer1
ip address dhcp
ip mtu 1492
encapsulation ppp
dialer pool 1
ppp chap hostname CCIE
ppp chap password 0 CCIE
R6
aaa authentication ppp PPPOE local
username CCIE password CCIE
ip dhcp excluded-address 172.5.16.2 172.5.16.254
!
ip dhcp pool PPPOE
network 172.5.16.0 255.255.255.0
vpdn enable
!
bba pppoe global
!
ip address 172.5.16.6 255.255.255.0
pppoe enable
!
interface Virtual-Template16
ip unn FastEthernet0/1
peer default ip address pool PPPOE
ppp authentication chap callin PPPOE
!
bba pppoe global
virtual-template 16
Verification
5
Second Answer:
R1
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
OR
bba pppoe global
mac-address 9876.5432.1abc
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address dhcp
ip dhcp client client-id Fa0/1
dialer pool 1
ip mtu 1492
6
encapsulation ppp
ppp chap hostname CCIE
ppp chap password CCIE
R6
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
OR
bba pppoe global
virtual-template 1
aaa authentication ppp PPPoE local
username CCIE password CCIE
!
ip dhcp pool PPPOE
network 172.5.16.1 255.255.255.0
client-identifier 0198.7654.321a.bc
!
ip address 172.5.16.6 255.255.255.0
pppoe enable
!
ip unnumbered FastEthernet0/1
peer default ip address dhcp-pool PPPOE
ppp authentication chap callin PPPoE
How to get Client ID

1) Configure DHCP Pool and Host IP without client identifier.
2) Debug ip dhcp server packet (You can get the client ID)
*May 22 17:55:07.187: DHCPD: DHCPDISCOVER received from client 0198.7654.321a.bc on interface
Virtual-Access1.1.
3) Add client-ID to host IP.
4) Refresh DHCP binding and clear client dialer interface.
5) Client should now obtain an IP-address from the host based pool.
Useful commands:
Clear pppoe all
debug pppoe packet
Verification
7
Section 2 IGP:
2.1 ISIS has been preconfigured in AS 267 with some problems, make sure you
troubleshoot those to make the connectivity as per desired conditions.
Refer bellow table to configure ISIS Area and Interfaces:
Area Router Name Interface
49.00YY R2 Loopback0, GigabitEthernet0/0.26, GigabitEthernet0/0.27
49.00YY R6 Loopback0, GigabitEthernet0/0.26,GigabitEthernet0/0.67
49.10YY R7 Loopback0, Loopback1, GigabitEthernet0/0.27, GigabitEthernet0/0.67
No other interfaces except the one mentioned in the table are allowed to run
ISIS in AS 267.
2.2󳰀One new Level-1 router will be added in AS 267 between PE routers R2 & R6,
this new router needs to have ISIS external route for ISIS Level-2 routes AS
267 in his routing table.
Don’t use route map feature to achieve this requirement.
Troubleshooting: (Wrong Net ID is configured on R7)

Notes: check the routes of loop backs and ping them, apart from this test ping the Clns Net
addresses of neighbors.
8
R2
router isis
net 49.1010.0000.0000.0002.00
redistribute isis ip level-2 into level-1 distribute-list 100
access-list 100 permit ip any any
!
interface GigabitEthernet0/0.27
isis circuit-type level-2
ip router isis
!
ip router isis
!
int lo0
ip router isis
R7
router isis
net 47.0055.0000.0000.0007.00
is-type level-2-only
!
ip router isis
!
ip router isis
!
int lo0 and lo1
ip router isis
R6
router isis
net 49.1010.0000.0000.0006.00
redistribute isis ip level-2 into level-1 distribute-list 100
!
ip router isis
!
ip router isis
!
int lo0
ip router isis
Verification
9
2.3 Whenever AS 267 Vlan26 link gets down󳰀 routers should be able detect this change as
soon as possible and make sure, bellow optimization is in effect during that:
Fast-detect Changes
Fastest convergence
Lowest calculating time
Optimized router performance, less bandwidth consumption, less CPU utilization
and memory uses.
R2/R6
router isis
ispf level-1
󳰀
isis hello-interval minimal level-1
no isis hello padding
Verification
10
2.4 Configure ISIS Level-2 or OSPF Area 0 sometimes, in AS 89 between R8-R9.
Optimize the performance by reducing Link State packet being sent on link
between R8 and R9 by only avoiding DIS/DR election.
49.00YY or OSPF 0 R8 Loopback0, GigabitEthernet0/0.89
49.10YY or OSPF 0 R9 Loopback0, FastEthernet0/0.89
No other interfaces except the one mentioned in the table are allowed to run
ISIS or OSPF in AS 267 and AS 89.
Notes: Please do needful and make sure you use network point to point in both protocols on
both router’s interfaces. Use any one ISIS or OSPF as per your question in exam.
R8
router isis
net 49.1202.0000.0000.0002.00
int GigabitEthernet0/0.89
ip router isis
isis network point-to-point
no isis csnp-interval 10
R9
router isis
net 49.1209.0000.0000.0009.00
int f0/0.89
ip router isis
OSPF Configuration
R8
router ospf 89
net 5.5.89.8 0.0.0.0 area 0
net 5.5.8.8 0.0.0.0 area 0
!
11
ip ospf network point-to-point
R9
router ospf 89
net 5.5.89.9 0.0.0.0 area 0
net 5.5.9.9 0.0.0.0 area 0
!
interface FastEthernet0/0.89
Verification
Output includes Next Question:
2.5 AS 89 routers participate in only level-2 ISIS adjacencies.

As an optimization, ensure that no IS-IS adjacencies are attempted on their
respective loopback0 interfaces.
Notes: If so use passive interface lo0 command to advertise loopbacks don’t use ip router isis
under loopbacks
R8/R9
router isis
passive-interface loopback0
2.6 Assume that only R8 and R9 on Vlan 89 are running IS-IS.

12
Reduce the LSP link state by avoiding the Designated IS election on VLAN_89.
Notes: Use network point to point and remove csnp interval 10 commands after using network
point to point
R8/R9
int G/F0/0.89
ip router isis
Verification
2.7 Explicitly configure ISIS in AS 89 to treat the R8 and R9 loopback0

interfaces with the highest priority during ISIS RIB installation, and verify
whether this is in effect.
Notes: verify via sh isis rib, make sure you see tag appended to lo0, They change this
question for candidates so be sure you read that carefully and answer accordingly.
R8
router isis
ip route priority high tag 100
interface Loopback0
isis tag 100
13
R9
router isis
ip route priority high tag 100
interface Loopback0
isis tag 100
Verification
2.8 Metric of R9 loopback 0 in R8 routing table should be 80, and of R8

loopback 0 256 R9 routing table.
Notes: Make sure u mention ISIS level with metric command.
R8
router isis
metric-style wide
!
int lo0
isis metric 246 level-2
R9
router isis
metric-style wide
!
int lo0
isis metric 70 level-2
Verification
Section 3 BGP:
3.1 BGP is already configured is AS 267, please troubleshoot and configure as
per bellow requirement:
IBGP is preconfigured in AS 267, all the neighbors are using loopback0 for the
unicast updates, there is one problem in the pre configuration, needs to fix.
14
IBGP is configured between the R2, R6 and R7 for the Unicast BGP updates. R6
is the Route-Reflector for this setup.
3.2 BGP is already configured is AS 89, please troubleshoot and configure as
per bellow requirement:
IBGP is preconfigured in AS 89, all the neighbors are using loopback0 for the
unicast updates, there is one problem in the pre configuration, needs to fix.
3.3 Configure EBGP between R2-R8, R6-R9, and R8-BB2 with local as YY.
R2-R8 and R6-R9 are using their physical interfaces as BGP peering address.
BB2 (Autonomous System 254) IP Address, Needs to be referred from diagram.
BB2 will advertise five routes 197.68.Z.0/24, make sure these propagated in
both Autonomous Systems (AS YY and AS 10YY).
3.4 Advertise all loopback0 in AS 267 with community value 267:1 and 89:1 in
AS 89, make sure all can ping each other loopback0.
Make sure BB2 routes are reachable from AS 267 and AS 89, while sourcing with
Loopback0 interfaces of both Autonomous Systems.
Troubleshooting: Update source is not configured between R2 and R7, R6 missing RR command for
R7. Advertise all the loopbacks 0. Make sure you use ip bgp community new format and send
community end to end in top to bottom format.
R8
router bgp 89
bgp router-id 5.5.8.8
no bgp default ipv4-unicast
neighbor 5.5.9.9 remote-as 89
neighbor 5.5.9.9 update-source Loopback0
neighbor 150.2.10.254 local-as 10 no-prepend
!
address-family ipv4
neighbor 5.5.9.9 activate
neighbor 5.5.9.9 send-community
neighbor 5.5.9.9 next-hop-self
network 5.5.8.8 mask 255.255.255.255 route-map C
network 200.1.1.1 mask 255.255.255.255
!
route-map C
set community 89:1
R9
router bgp 89
!
15
address-family ipv4
!
route-map C
set community 89:1
R6
router bgp 267
!
address-family ipv4
neighbor 5.5.2.2 route-reflector-client
!
route-map C
set community 267:1
R2
router bgp 267
!
address-family ipv4
!
route-map C
set community 267:1
16
R7
router bgp 267
!
address-family ipv4
route-map C
set community 267:1
Verification
Verification
17
Verification
3.4 BGP Best Path Selection:

1. AS 267 routers R2/R7/R6 access AS 89 devices R8/R9 should prefer R2 as
primary exit.
18
2. AS 89 routers R8/R9 access AS 267 devices R2/R6/R7 should prefer R8 as
primary exit.
3. AS 267 routers R2/R7/R6 access AS 254 BB2 routes should prefer R8 as
primary exit.
4. Configure only on R2 and R8.
Notes: Check via trace and analyze impact on coming vpn section.
R2
router bgp 267
add ipv4
neighbor 5.5.28.8 route-map IP_RC in
!
ip community-list standard 254:1 permit 254:1 (Check the backbone routes to find exact value)
ip community-list standard 89:1 permit 89:1
!
route-map IP_RC permit 10
match community 89:1
set local-preference 200
!
R8
router bgp 89
add ipv4
neighbor 5.5.28.2 route-map IP_RC in
!
!
!
Verification
3.5 BGP conditional advertisement:

AS267 is visiting WEB server 197.68.1.0 located in AS 254 router BB2 however,
if WEB server goes down configure a loopback200 with ip address 200.1.1.1/32
in AS 267 router R8, in such away that till 197.68.1.0 is in the R8 routing
table it should not announce loopback200 to R2. Once 197.68.1.0 (BB2 web
server) is down R8 starts advertising loopback200 to R2.
19
Optimize timers between EBGP peers R2 and R8 to detect this change ASAP.
Notes: Please check with instructor, backbone needs to receive route of R8 loopback 200, if
not then filter the Loopback 200 route from being advertised to backbone and R9.
A: ip bgp fast-external-failover permit (on by default)
B: bgp scan-time 5(min)-60(def, max) the default scanning interval is 15 seconds.
C󲐀 EBGP neighbor timer should be minimum.
R8
router bgp 89
add ipv4
network 200.1.1.1 mask 255.255.255.255
(Block this route from being advertised to Backbone and R9 or this will reach to AS 267 via R9
-R6)
neighbor 5.5.28.2 advertise-map ADV non-exist-map NONEXIST
interface Loopback200
ip address 200.1.1.1 255.255.255.255
ip prefix-list LO_200 seq 5 permit 200.1.1.1/32
!
ip prefix-list WS seq 5 permit 197.68.1.0/24
route-map ADV permit 10
match ip address prefix-list LO_200
route-map NONEXIST permit 10
match ip address prefix-list WS
Verification
Shutdown the Backbone link or block web server route coming from Backbone. And check that
conditional route.
Section 4 MPLS:
4.1 Enable MPLS on AS 267 interface specified in bellow table.
Use Industry Standard label distribution protocol to propagate labels.
Configure AS 267 devices loopback0 address as their router ID
Don’t enable MPLS on any additional interfaces than shown in bellow table:
Routers Enable MPLS On
R2 GigabitEthernet0/0.27 GigabitEthernet0/0.26
20
4.2 Configure MPLS label distribution on AS 89.

Configure Industry Standard label distribution protocol to propagate labels.
Configure AS 89 devices loopback0 address as their router ID
Make sure R8-R9 should not advertise label for any additional interface
except their loopback0 interfaces.
Don’t enable MPLS on any additional interfaces than shown in bellow table:
Routers Enable MPLS On
R8 GigabitEthernet0/0.89
R9 GigabitEthernet0/0.89
Notes: Verify via, sh mpls ldp nei / discovery, sh mpls interface.

Make sure cef is enabled on all mpls ldp enabled routers. In lab on 3600, and 2600 series
routers cef is disabled by default, please enable that.
R2
mpls ldp router-id Loopback0 force
mpls label protocol ldp
!
mpls ip
!
mpls ip
R6
mpls ip
!
mpls ip
R7
mpls ip
mpls ip
R8/R9
no mpls ldp advertise-labels
mpls ldp advertise-labels for Local_Loops
ip access-list standard Local_Loops
permit 5.5.8.8
permit 5.5.9.9
!
(Make sure you enable mpls ip after configuring commands on top)
!
21
interface G/F0/0.89
mpls ip
4.2󳰀ISP 267 has planned to add a new router on VLAN 27󳰀This router needs to
build LDP session with R2 and R7 IP addresses (YY.YY.27.2󳐀YY.YY.27.3).
Configure R2 / R7 to be ready for this new connection in near future.
R2
Int g0/0.27
mpls ldp discovery transport-address interface
R7
Int g0/0.27
mpls ldp discovery transport-address interface
Verification:
22
4.3 ATM Cell-Mode tag-switching:
AS 267 PE routers R6 connects to an ISP ATMSP to provide connectivity between
Customer ABC Sites, IP address 192.5. YY.1 (192.6.5.1) needs to be configured
on R6 ATM Interface󳰀the ATMSP PE router ip address is 192.5.YY.254;
VPI 30+2*YY-1
VCI 30+2*YY,
Control-VC VPI 30+2*YY-1 VCI 32
Configure OSPF 100 between R6 and ATMSP󳰀ATM SP will advertise two routes that
include 192.5.YY.254/24 and 192.5.0.254/32.
Advertise ISP 267 all Core routes to the ATM-SP via OSPF 100.
Make sure ISP 267 Core routers R2/R7/R6 can ping the ATMSP routes.
Notes: Please do as done bellow or we will loose marks of this question, they will provide
proper sheet about the values of VPI VCI, so don’t be confused or worried.
R6:
interface ATM2/0.1 mpls
ip address 192.5.10.1 255.255.255.0
mpls label protocol both
23
mpls ip
mpls atm control-vc 49 32 (Use value what ever there in lab)
mpls atm vpi 49-50 vci-range 33-65535 (Use value what ever there in lab)
!
router ospf 100
redistribute connected subnet
redistribute static subnets
redistribute isis level-1-2 subnets
network 192.5.10.1 0.0.0.0 area 0
distribute-list TO_ATM_SP out
router isis
redistribute ospf 100 level-1-2
ip access-list standard TO_ATM_SP
permit 5.5.2.2
permit 5.5.6.6
permit 5.5.7.7
permit 192.5.0.10
permit 5.5.26.0 0.0.0.255
permit 5.5.27.0 0.0.0.255
permit 5.5.67.0 0.0.0.255
Verification:
24
4.4 MPLS Traffic Engineering
AS YY has planned to implement MPLS Traffic Engineering to solve the high
utilization problem between R2 and R6 interfaces. This traffic is being
generated form R6.
Enable RSVP and MPLS Traffic Engineering in AS 267 to setup Traffic
Engineering on required transit interfaces.
Tunnel bandwidth should be 5 Mbit.
Two static routes are allowed to accomplish this.
Configure Tunnel from R6 to R2 and this should transit R7.
R6
mpls traffic-eng tunnels
!
router isis
metric-style wide
mpls traffic-eng router-id Loopback0
mpls traffic-eng level-2
!
ip rsvp bandwidth 5000
!
router isis
interface Tunnel62
ip unnumbered Loopback0
tunnel destination 5.5.2.2
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng bandwidth 5000
tunnel mpls traffic-eng path-option 1 explicit name 672
!
ip explicit-path name 672 enable
next-address 5.5.67.7
next-address 5.5.27.2
!
ip route 5.5.2.2 255.255.255.255 tunnel 62
R2
!
router isis
metric-style wide
!
R7
25
router isis
metric-style wide
!
!
Verification:
Section 5 MPLS VPN:

26
VRF Name RD Value RT Value
ABC Site 1 267:6 267:6
ABC Site 2 267:3 267:3
ABC Site 3 267:6 267:6
XYZ Site 2 267:27 267:27
XYZ Site 2 267:27 267:27
Notes: All vrf’s are already configured in lab, you need to verify and do import.
5.1 MP IBGP is Preconfigured in AS 267. R2 is configured to act as Route

Reflector for Autonomous System 267 for BGP VPNv4 unicast.
Devices in AS 267 should use their loopback0 as a source for BGP VPNv4 Unicast
session.
There is one issue with the pre configuration, make sure and correct that.
MP-IBGP Unicast should not be sent to any other device than specified in
question.
5.2 MP IBGP is preconfigured in AS 89. R8 and R9 have been configured peering
for BGP VPNv4 unicast.
Devices in AS 89 should use their loopback0 as a source for BGP VPNv4 Unicast
session.
MP-BGP Unicast should not be sent to any other device than specified in
question.
R2
router bgp 267
!
address-family vpnv4
neighbor 5.5.6.6 send-community extended
R6
router bgp 267
R7
router bgp 267
R8
router bgp 89
27
neighbor 5.5.9.9 next-hop-self (Will be needed in next questions)
R9
router bgp 89
5.3 ABC Site 1

VRF ABC is preconfigured on R6.
Configure OSPF in ABC Site 1 on R1 have been already configured.
Configure OSPF 200 as the PE-CE routing protocol for ABC site-1.
Enable OSPF 200 on R8 and R7 for networks specified bellow:
R6 172.YY.16.6 OSPF 200 Area 0
R1 172.YY.16.1 OSPF 200 Area 0
After configuration, make sure R6 all the VRF ABC Site 1 routes in BGP address
family for Customer ABC.
Notes: MTU has been already matched in 1st question on dialer of R1.
R6
router ospf 200 vrf ABC
redistribute bgp 267 subnets
network 172.5.6.6 0.0.0.0 area 0
network 172.5.16.6 0.0.0.0 area 0
!
router bgp 267
address-family ipv4 vrf ABC
redistribute ospf 200 vrf ABC match internal external 1 external 2
R1
router ospf 200
network 172.5.11.11 0.0.0.0 area 0
network 172.5.16.1 0.0.0.0 area 0
Verification:
28
5.4 ABC Site 2
Customer ABC has decided to run RIP-V2 as the PE-CE routing protocol between
R2-BB1 for ABC Site 2.
Provider router R2 should get only first 7 routes of network 197.68.Z.0 from
BB1
Additionally configure Site of Origin value YY:XX for ABC site 2 routes
learned from BB1.
After the configuration make sure both ABC Sites routes should appear on R2
and R6 VPN table.
Make sure Customer ABC Site 1 and Site 2 access each other.
R2
router rip
!
ver 2
redistribute bgp 267 metric trans
network 150.1.0.0
29
distribute-list FROM_BB1 in FastEthernet0/0.50
!
ip access-list standard FROM_BB1
permit 199.172.0.0 0.0.3.255
router bgp 267
red rip
route-map soo
set extcommunity soo yy:xx
!
int g0/0.50
ip vrf site-map soo
R2
ip vrf ABC
route-target import 267:6
R6
ip vrf ABC
route-target import 267:3
Verification:
5.5 XYZ site 1

ISP 267 has agreed to provide MPLS VPN Service to Customer XYZ, to make this
work configure R2 and R7 as PE routers.
Customer XYZ has agreed to run OSPF Process ID 100 as IGP.
Advertise networks which are in bellow table on R2 and R7 respectively to form
OSPF adjacencies with Customer XYZ routers R1 and R3.
R2 172.YY.23.2 OSPF 100 Area 0
R7 172.YY.17.7 OSPF 100 Area 0
Notes:
R1 is preconfigured vrf lite for XYZ site and preconfigured OSPF 100 area 0 on R1 and R3.
No need to use capability vrf-lite in OSPF on R1 that works smoothly without.
R1
ip vrf XYZ
rd 267:27
!
interface Loopback0
ip vrf for XYZ
ip address 172.5.1.1 255.255.255.0
ip vrf for XYZ
encapsulation dot1Q 13
ip address 172.5.13.1 255.255.255.0
!
interface Serial1/0
ip vrf for XYZ
ip address 172.5.17.1 255.255.255.0
30
!
router ospf 100 vrf XYZ
network 172.5.1.1 0.0.0.0 area 0
network 172.5.13.1 0.0.0.0 area 0
network 172.5.17.1 0.0.0.0 area 0
R7
domain-id 7.7.7.7
redistribute bgp 267 metric-type 1 subnets
network 172.5.17.7 0.0.0.0 area 0
!
router bgp 267
address-family ipv4 vrf XYZ
redistribute ospf 100 vrf XYZ mat i e
R2
redistribute bgp 267 subnets
network 172.5.23.2 0.0.0.0 area 0
!
router bgp 267
address-family ipv4 vrf XYZ
redistribute ospf 100 vrf XYZ mat i e
R3
router ospf 100
network 172.5.3.3 0.0.0.0 area 0
network 172.5.13.3 0.0.0.0 area 0
network 172.5.23.3 0.0.0.0 area 0
Verification:
5.6 Inter-AS Option 2 and 3 merger option, Configure between R7 and R8.
AS 89 has agreed to provide VPN services to AS 267, Configure EBGP peering
between R7 and R8.
Notes: Check the solution properly and make sure you understand the trick of this question.
R7
router bgp 267
neighbor 5.5.8.8 ebgp-multihop 267
31
R8
router bgp 89
no bgp default route filter
!
add ipv4
neighbor 5.5.28.2 send-label
!
R9
router bgp 89
!
add ipv4
R6
router bgp 267
add ipv4
!
!
route-map T_L
match commu 89:1
match mpls-label
router isis
redistribute bgp 267 level-1-2 route-map T_L
R2
router bgp 267
add ipv4
!
!
route-map T_L
match commu 89:1
match mpls-label
!
router isis
redistribute bgp 267 level-1-2 route-map T_L
Notes: Better to add match mpls-label in to route maps applied for route control on R2 and R8.
Verification:
Bellow things you need to be sure on R7:
32
Verification:
33
5.7 ABC Site 3

Customer ABC has decided to run RIP V2 as IGP in Site 2.
Enable RIP V2 between R8-R4 and advertise networks given in bellow table:
R4 172.YY.48.0 RIP V2
R4 172.YY.4.4 RIP V2
R8 172.YY.48.0 RIP V2
Make sure ABC site 1 and Site 3 access each other and ping should not pass via
ABC Site 2.
Notes: R4 is preconfigured, do sh ip bgp vpnv4 on R6 and R8, check you are getting all the
routes, check the next hop for those vpn routes, after determining that ping the next hops
form global table and check mpls forwarding table u have transport label for those next hops.
import already done in lab for this section. If not getting Site 3 routes on R6, then reload
the R7 or do hard clear bgp on R7.
R8
router rip
!
ver 2
redistribute bgp 89 metric trans
network 172.5.0.0
router bgp 89
redistribute rip
R4
router rip
ver 2
network 172.5.0.0
R7
router bgp 267
no bgp defaul route filter
PLEASE DO IMPORT OF RT.
Verification:
34
5.8 XYZ site 2
Customer XYZ has agreed to run BGP 65531 as IGP at his Site 2.
Configure EBGP between R9 and R5, BGP AS is 65531.
Advertise networks which are in bellow table on R5 in to BGP.
R5 172.YY.59.0 BGP 65531
R5 172.YY.5.5 BGP 65531
Notes: import already done, R5 is 2600 u can face strange behavior if R5 is unable to
advertise routes in to bgp, please reload this. Do the required chk for next hop and label.
R9 only will have forwarding label for R8, and you will be getting all the vpn routes with
next hop of R8 due to LDP conditions, we pointed next-hop-self between R8 – R9 each other.
R9
router bgp 89
add ipv4 vrf XYZ
nei 172.10.59.5 remote 65531
nei 172.10.59.5 activate
R5
router bgp 65531
nei 172.10.59.5 remote 89
nei 172.10.59.5 activate
red connected (U can use network command)
Verification:
5.9 VPN Route Control:

Configure R7 as primary exit for XYZ Site 1.
35
Make sure R2 acts as backup when link between R1 – R7 is down.
Even if R1-R3 Link gets down, R1 and R3 should be able to access each other
via AS 267.
Notes: Domain ID is required to solve this issue, configure better metric on R7.
R7
domain-id 7.7.7.7
redistribute bgp 267 metric-type 1 subnets
Verification:
Verification:
5. Configure ISP AS 267 to establish MP-EBGP session with ATM SP AS 254,

peering IP address ATM SP is 192.5.0.254.
ATM SP has configured R7 loopback1 192.5.0.1 for BGP peering address.
ATM has configured R7 in BGP AS YY.
Customer ABC Site 1 should be able to access three routes learned from ATM SP.
5.1.1.0/24
36
129.29.20/24
200.2.1.0/24
ATM SP RT is 129.29.2.9:1.
R7
router bgp 267
neighbor 192.5.0.254 local-as 10 no-prepend
!
neighbor 192.5.0.254 next-hop-unchanged
R6:
ip vrf ABC
route-target import 129.29.2.9:1
Verification:
Check labels do ping, so far you got over the VPN trap, till here your answers are 100%
correct, and those will be for next sections as well.
Great Job Buddy!
No Internet question in this Lab any more.
Section 6 Multicast:
6.1 Configure multicast routing for AS 267, enable PIM-sparse-mode on
interfaces in given table.
R6 should be RP for this multicast domain; this should announce himself as a
BSR router.
Router Name Interfaces
37
R2 Loopback0,GigabitEthernet0/0.27, GigabitEthernet0/0.26,Serial1/0
R6 Loopback0,FastEthernet0/0.27, FastEthernet0/0.67
R7 Loopback0,GigabitEthernet0/0.27, GigabitEthernet0/0.67
6.2 Configure multicast routing for AS 89, enable PIM-sparse-mode on
interfaces given in bellow table.
R8 should be the Static RP for AS 89.
R8 Loopback0, FastEthernet0/0.89
R9 Loopback0, FastEthernet0/0.89
Note: Enable IP Multicast routing on all required devices.

Don’t miss to enable ip multicast-routing on required routers.
R6
ip multicast-routing
ip mroute 5.5.2.2 255.255.255.255 5.5.26.2
int lo0
ip pim sparse-mode
int g0/0.67
ip pim sparse-mode
int g0/0.26
ip pim sparse-mode
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0
R2
int lo0
ip pim sparse-mode
int g0/0.27
ip pim sparse-mode
int g0/0.26
ip pim sparse-mode
int s1/0
ip pim bsr-border
ip pim sparse-mode
ip multicast boundary 24 (No Need but better to use)
access-list 24 deny 224.1.0.39
access-list 24 permit any
R7
int lo0
ip pim sparse-mode
int g0/0.27
ip pim sparse-mode
ip igmp join-group 239.7.7.7
int g0/0.67
ip pim sparse-mode
R8
int lo0
ip pim sparse-mode
int g0/0.89
38
ip pim sparse-mode
int s1/0
ip pim bsr-border
ip multicast boundary 24 (No Need but better to use)
access-list 24 permit any
ip pim rp-address 5.5.8.8
R9
int lo0
ip pim sparse-mode
!
int g0/0.89
ip pim sparse-mode
Verification:
39
6.2 Enable MSDP between AS 267 and AS 89.
RP info should not leak between AS 278 and 89.
R6
ip msdp peer 5.5.8.8 connect-source Loopback0 remote-as 89
R8
ip msdp peer 5.5.6.6 connect-source Loopback0 remote-as 267
Verification:
Verification:
6.3 Enable PIM SM in ABC Site 1 and Site 3, R1 interface f0/0.11 needs to be configured as
Static RP.
R1
interface Dialer1
ip pim sparse-mode
int f0/0.11
ip pim sparse-mode
40
ip igmp join-group 239.11.11.11
R6
ip multicast-routing vrf ABC
ip pim vrf ABC rp-address 172.5.11.1
ip vrf ABC
mdt default 239.1.1.1
mdt data 239.6.6.0 0.0.0.255 threshold 100
ip pim sparse-mode
R8
ip multicast-routing vrf ABC
ip pim vrf ABC rp-address 172.5.11.1
ip pim sparse-mode
ip vrf ABC
mdt default 239.1.1.1
mdt data 239.8.8.0 0.0.0.255 threshold 100
R4
ip pim sparse-mode
Section 7 Security and Management:

All the questions of v3.1-2-3 are here, you will get some of these
not all
7.1 R8󳰀filters some BGP routes from BB2󳰀use Prefix-list to achieve this filtering.
Following prefixes need to be filtered:
RFC1918
Multicast
AS 267 and 89 loopback0 Routes
Also Protect AS 89 from ICMP attack coming from Backbone.
R8
ip prefix-list RFC1918_OTHERS seq 5 deny 5.5.0.0/16 le 32
ip prefix-list RFC1918_OTHERS seq 30 permit 0.0.0.0/0 le 32
router bgp 89
add ipv4
neighbor 150.2.10.254 prefix-list RFC1918_OTHERS in
!
access-list 101 permit icmp any any
!
rate-limit input access-group 101 6400000 8000 8000 conform-action transmit exceed-action drop
Verification:
41
7.2 Make sure, traffic coming from AS 254 BB2, must have the source address in
the routing table of PE router R8 in AS 89, all violations should be logged to
router’s buffers.
R8
logging buffered
int GigabitEthernet0/0.60
ip verify unicast source reachable via rx 155
access-list ext 155 deny ip any any log
7.3 Configure LDP Encryption in AS 267 between R2/R7/R6.
R2
mpls ldp neighbor 5.5.7.7 password Cisco
mpls ldp neighbor 5.5.27.7 password Cisco (because of transport-add interface)
mpls ldp neighbor 5.5.6.6 password Cisco
R7
Mpls ldp neighbor 5.5.2.2 password Cisco
R6
7.4 To make the PE-CE peering secure configure BGP encryption between R9 – R5.
R9 continuously receives BGP setup session from hostility Host in XYZ Site 2
POP. Please Block this.
R5
router bgp 65531
nei 172.10.59.9 password cisco
R9
router bgp 89
add ipv4 vrf XYZ
nei172.10.59.5 password cisco
access-list 179 permit tcp host 172.10.58.8 host 172.10.58.5 eq bgp
access-list 179 deny tcp any host 172.10.58.5 eq bgp
access-list 179 permit tcp host 172.10.58.8 eq bgp host 172.10.58.5
access-list 179 deny tcp any eq bgp host 172.10.58.5
inter faceethernet0/0.58
ip access-group 179 in
7.5 Telnet Access Control

• Limit Telnet access to R6 to allow only address from other routers loopback
42
address.
• All other telnet traffic to the routers should be dropped.
• You cannot use VTY ACL’s, interface-based ACL’s, or RACL’s to achieve this
requirement.
R6
ip access-list extended T_C
deny tcp host 5.5.2.2 any eq telnet
permit tcp any any eq telnet
class-map match-any T_L
match access-group name T_C
policy-map CoPP_TL
class T_L
drop
control-plane
service-policy input CoPP_TL
Do Telnet and Check Hits
7.6 Configure Traffic Engineering priority for Tunnel configured on R6.

int t62
tunn mpl tra pri 0 0
7.7 Configure R9 to remark IP TOS field of packets that may have experimental
bit set and coming from ISP core to R5.
This remark should done before the Customer traffic is sent to R5 use the
bellow mappings
MPLS Experimental QOS Group IP Precedence
0 0 0
1 1 1
2 2 2
3 3 3
4 4 4
43
5 5 5
6 6 6
7 7 7
class-map match-all M5
match mpls experimental topmost 5
policy-map MQ
class M7
set qos-group 7
class M6
set qos-group 6
class M5
set qos-group 5
class M4
set qos-group 4
class M3
set qos-group 3
class M2
set qos-group 2
class M1
set qos-group 1
class M0
set qos-group 0
class-map match-all Q1
match qos-group 1
match qos-group 0
match qos-group 3
match qos-group 2
match qos-group 5
match qos-group 4
match qos-group 7
44
match qos-group 6
policy-map QP
class Q7
set ip precedence 7
class Q6
set ip precedence 6
class Q5
set ip precedence 5
class Q4
set ip precedence 4
class Q3
set ip precedence 3
class Q2
set ip precedence 2
class Q1
set ip precedence 1
class Q0
set ip precedence 0
interface s1/0
service-policy input MQ
Service-policy output QP
Verification:
45
7.8 Protect the AS 89 PE router R9 from possible attack by switching-off the
following services:
Proxy-arp
CDP
HTTP
Redirect
Unreachable
R9
R9 Global configuration:
no cdp run
no ip http server
no service http
no ip icmp redirect
On all R9 interfaces:
no ip redirects
no ip unreachable
no ip proxy-arp
no cdp enable
46
7.9 NBAR, AS267 has applications to access BB2󳰀this application runs on tcp
50001, 50002, 50003, requires configuring on R6󳰀guaranteed Bandwidth 1M.
R6
ip nbar port-map custom-01 tcp 50001 50002 50003 (for old ios)
Or
ip nbar custom toas89 tcp range 50001 50003
class-mapmatch-any PORT
match protocol toas89 or custom-01
policy-map NBAR
class PORT
bandwidth 1000
interface s1/0
ip nbar protocol-discovery
service-policy output NBAR
7.9 On Vlan 89, there is a host with Mac-address 0009.8765.abcd.

This host is generating excessive traffic.
R9 is configured as gateway for this host.
Limit the all traffic coming from this host to AS 89 to 2 Mbit.
R8&R9
Int g0/0.89
Rate-limit out access-group rate-limit 150 20000003 75000 750000 conform-action transmit
exceed-action drop
!
Access-list rate-limit 150 0009.8765.abcd
7.10 Configure R2 to export netflow to host 10.10.26.101 on port 9999.
R2 monitors only inbound S1/0 packet-size, count, and origin-as.
R2
interface s1/0
ip flow ingress
!
ip flow-export version 9 origin-as
ip flow-export source loopback0
ip flow-export destination 10.10.26.101 9999
7.11 Setup a RMON alarm to monitor R6 S1/0 queue size.

If queue size exceeds to 40, R6 generates a log msg “interface s1/0 queue
full”.
If queue size=0󳰀R6 generates a log msg “interface s1/0 queue ok”.
Logging Interval = 30
MIB = ifOutQLen
snmp-server community public RO
snmp-server ifindex persist
snmp-server enable traps syslog
rmon event 1 log trap public description "serial1/0 output queue full" owner me
rmon event 2 log trap public description "serial1/0 queue full OK" owner me
no rmon alarm 1 ifOutQLen.1 30 absolute rising-threshold 40 1 falling-threshold 0 2 owner me
rmon alarm 1 ifOutQLen.4 30 absolute rising-threshold 40 1 falling-threshold 0 2 owner me
47
Notes: enable snmp-server ifindex persist to check the value of interface via command:
snmp-server ifindex persist
Check the value via
Show snmp mib ifmib ifindex
To see S1/0 ifindex=4
7.12 Event Management

Configure R8 to monitor the syslog for this exact text pattern:
“%BGP-5-ADJCHANGE: neighbor YY.YY.28.2 Down Peer closed the session”
If this text pattern is seen, create the following critical level syslog
entry:
“EBGP IPv4 Unicast peering to R2 is down”
logging on
logging monitor critical
snmp-server enable traps bgp state-changes
snmp-server enable traps event-manager
snmp-server enable traps syslog
event manager applet LOG
event syslog pattern "%BGP-5-ADJCHANGE: neighbor 5.5.28.2 Down Peer closed the session"
action 1.0 syslog priority critical msg "EBGP IPV4 Peering to R2 Down"
AS Migration Question for R8.

Do change only for R2 and R8 neighbor ship not for others:
R8
router bgp 89
neighbor 5.5.28.2 local-as 254 no-prepend replace-as dual-as
R2:
router bgp 267
48

Lab v5

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Lab v5

Hochgeladen von

Copyright:

Verfügbare Formate

CCIE Service Provider Lab Workbook

Section 1 Bridging and Switching:

Router Name DLCI Router name DLCI

Troubleshooting: (Wrong DLCI mapped on R6 for R9, Please correct that)

CIR 2048 kbps

How to get Client ID

Troubleshooting: (Wrong Net ID is configured on R7)

2.5 AS 89 routers participate in only level-2 ISIS adjacencies.

2.6 Assume that only R8 and R9 on Vlan 89 are running IS-IS.

2.7 Explicitly configure ISIS in AS 89 to treat the R8 and R9 loopback0

2.8 Metric of R9 loopback 0 in R8 routing table should be 80, and of R8

3.4 BGP Best Path Selection:

3.5 BGP conditional advertisement:

4.2 Configure MPLS label distribution on AS 89.

Notes: Verify via, sh mpls ldp nei / discovery, sh mpls interface.

Section 5 MPLS VPN:

5.1 MP IBGP is Preconfigured in AS 267. R2 is configured to act as Route

5.3 ABC Site 1

5.5 XYZ site 1

Bellow things you need to be sure on R6:

Bellow things you need to be sure on R8:

5.7 ABC Site 3

5.9 VPN Route Control:

5. Configure ISP AS 267 to establish MP-EBGP session with ATM SP AS 254,

Note: Enable IP Multicast routing on all required devices.

Section 7 Security and Management:

7.5 Telnet Access Control

Do Telnet and Check Hits

7.6 Configure Traffic Engineering priority for Tunnel configured on R6.

7.9 On Vlan 89, there is a host with Mac-address 0009.8765.abcd.

7.11 Setup a RMON alarm to monitor R6 S1/0 queue size.

7.12 Event Management

AS Migration Question for R8.

Das könnte Ihnen auch gefallen