
CCIE Lab Workbook

Cisco Certified Internetwork Expert Service Provider version 4

Luke Bibby, CCIE x2 #45527

Disclaimer

This workbook is intended to be used as a study tool for the Cisco Certified Internetwork Expert (CCIE) Service Provider (SP) exam. It is designed to cover as many topics as possible in a single lab, but with an emphasis on building up the topology from the ground up. Each lab has a specific focus and I have tried to incorporate as many different variations into it as I can while still keeping it practical. Through repeated configuration of, for example, MPLS-TE auto-tunnels, the configuration should become second nature and will save you time in the real exam.

The topology and requirements in the workbook were created by me and are not intended to reflect the actual CCIE SP lab exam; any similarities are accidental and purely coincidental.

This workbook is provided with absolutely no Service Level Agreements (SLAs). I will always try my best to release content on a regular basis, but this will depend on several factors including project workload, personal commitments, etc. Any help with typos or errata is greatly appreciated and can be sent directly to me at [email protected]

This document is currently in DRAFT status.

More Information

The topology in this workbook was originally created with a mix of SDRs, ASR1000, and virtual routing platforms such as XRv and CSR1000v. I have recreated it entirely to work in Virtual Internet Routing Lab (VIRL) or Unified Networking Lab (UNL) using a mix of IOS on Linux (IOL), CSR1000v, and XRv instances.

UNL: http://www.unetlab.com/
VIRL: http://virl.cisco.com/

Some features do not work well or at all in a virtual platform so I have adapted the workbook where required by purposely using one platform over another at certain “choke points” or by steering traffic away from certain routers.

Accompanying Files

Please download any initial configuration archives required for the lab.

Table of Contents

Disclaimer
More Information
Accompanying Files
Table of Contents

Lab 1 – Inter-Autonomous System Virtual Private Network
    Lab 1 Topology
    Lab 1 Interface Addressing
        Internal Addressing: AS4 Site 1; AS4 Site 2; AS100; AS200; AS100 to AS200; AS100 to AS4; AS200 to AS4
    Lab 1.1 – Inter-AS Layer 3 Unicast VPN – Option A
        IGP Routing (AS100; AS200)
        Intra-AS Label Switched Paths (AS100; AS200)
        Internal BGP (AS100; AS200)
        Inter-AS L3 Unicast VPN (AS100 to AS200)
        PE-CE Routing (AS100 to AS4; AS200 to AS4)
        Local Protection (AS100; AS200)
        OAM (AS100)
    Lab 1.2 – Inter-AS Layer 3 Unicast VPN – Option B
        Inter-AS L3 Unicast VPN (AS100 to AS200)
    Lab 1.3 – Inter-AS Layer 3 Unicast VPN – Option C (both variants)
        Inter-AS L3 Unicast VPN (AS100 to AS200)
        PE-CE Routing (AS4)

Lab 2 – Hierarchical Virtual Private Network
    Lab 2 Topology
    Lab 2 Interface Addressing
        Internal Addressing: AS4 Site 1; AS4 Site 2; AS577 Site 1; AS577 Site 2; AS100 Site 1; AS100 Site 2; AS300
        Global Addressing: AS100 Site 1 to AS300; AS300 to AS100 Site 2; AS100 Site 1 to AS4 Site 1; AS100 Site 1 to AS577 Site 1; AS100 Site 2 to AS4 Site 2; AS100 Site 2 to AS577 Site 2
    Lab 2.1 – Carrier Supporting Carrier Layer 3 Unicast and Multi-VRF CE
        IGP Routing (AS100 Site 2)
        Intra-AS Label Switched Paths (AS100 Site 1; AS100 Site 2; AS300)
        Internal BGP (AS100 Site 1; AS100 Site 1 to AS100 Site 2)

Lab 3 – Multicast Virtual Private Network
    Lab 3 – Topology
    Lab 3.1 – MVPN Profile 0 – PIM/GRE Default MDT
        IGP Routing (AS100)
        Intra-AS Label Switched Paths (AS100)
        Internal BGP (AS100)
        Layer 3 Unicast VPN and PE-CE Routing
        Multicast VPN (AS100)
        Security (Management Plane Protection; User Database Security)
    Lab 3.2 – MVPN Profile 1 – mLDP MP2MP Default MDT with PIM C-Multicast Routing
        IGP Routing (AS300)
        Intra-AS Label Switched Paths (AS300)
        Internal BGP (AS100; AS300)
        Inter-AS MPLS Unicast VPN (AS100 to AS300)
        PE-CE Routing (AS300 to AS4)
        Multicast VPN (AS100)
        Configuration Management (Configuration Backup)

Lab 1 – Inter-Autonomous System Virtual Private Network

Lab 1 Topology

Lab 1 Interface Addressing

Internal Addressing

AS4 Site 1

Link                      Prefix                             Device 1               Device 2
AS 4 Site 1 Transit Links
as4ce1-as4ce2             4.1.188.0/30, 2004:1:188::/64      as100ce1:e0/0          as100ce2:g0/0/0/0
AS 4 Site 1 Loopbacks
as4ce1                    4.1.0.1/32, 2004:1::1/128          as4ce1:loop0           -
as4ce2                    4.1.0.1/32, 2004:1::1/128          as4ce2:loop0           -

AS4 Site 2

Link                      Prefix                             Device 1               Device 2
AS 4 Site 2 Transit Links
-                         -                                  -                      -
AS 4 Site 2 Loopbacks
as4ce3                    4.1.0.3/32, 2004:1::3/128          as4ce3:loop0           -

AS100

Link                      Prefix                             Device 1               Device 2
AS 100 Transit Links
as100pe1-as100p1          204.44.1.0/30                      as100pe1:g0/0/0/2      as100p1:g0/0/0/0
as100pe1-as100pe2         204.44.1.4/30                      as100pe1:g0/0/0/1      as100p1:gig1
as100pe2-as100p2          204.44.1.8/30                      as100pe2:g3            as100p2:e0/0
as100pe2-as100rr1         204.44.1.12/30                     as100pe2:g4            as100rr1:g0/0/0/0
as100p1-as100p2           204.44.1.16/30                     as100p1:g0/0/0/1       as100p1:e0/1
as100p1-as100pe3          204.44.1.20/30                     as100pe1:g0/0/0/2      as100p1:g1
as100p2-as100rr1          204.44.1.28/30                     as100p2:e0/2           as100p1:g0/0/0/1
as100p2-as100rr2          204.44.1.32/30                     as100p2:e0/3           as100p1:e0/0
as100p2-as100pe4          204.44.1.36/30                     as100p2:e1/1           as100p1:gig1
as100pe3-as100pe4         204.44.1.40/30                     as100pe3:gig2          as100pe4:gig3
as100pe3-as100pe4         204.44.1.44/30                     as100pe3:gig2          as100pe4:gig3
AS 100 Loopbacks
as100pe1                  204.44.0.1/32                      as100pe1:loop0         -
as100pe2                  204.44.0.2/32                      as100pe2:loop0         -
as100pe3                  204.44.0.3/32                      as100pe3:loop0         -
as100pe4                  204.44.0.4/32                      as100pe4:loop0         -
as100p1                   204.44.0.5/32                      as100p1:loop0          -
as100p2                   204.44.0.6/32                      as100p2:loop0          -
as100rr1                  204.44.0.7/32                      as100rr1:loop0         -
as100rr2                  204.44.0.8/32                      as100rr2:loop0         -

AS200

Link                      Prefix                             Device 1               Device 2
AS 200 Transit Links
as100pe3-as200pe1         10.198.1.0/30                      as200pe1:g0/0/0/2      as200rr1:g0/0/0/0
as200pe1-as200pe2         10.198.1.4/30                      as200pe1:g0/0/0/1      as200pe2:gig2
as200rr1-as200pe3         204.44.1.8/30                      as200rr1:g0/0/0/1      as100pe3:g1
as200rr1-as200pe3         204.44.1.12/30                     as200rr1:g0/0/0/2      as100pe3:g2
as200pe2-as200rr2         204.44.1.16/30                     as200pe2:g3            as200rr2:e0/0
as200rr1-as200rr2         204.44.1.20/30                     as200rr1:g0/0/0/3      as200rr2:e0/1
as200rr2-as200pe4         204.44.1.24/30                     as200rr2:e0/2          as200pe4:gig2
as200pe3-as200pe4         204.44.1.32/30                     as200pe3:e0/2          as200pe4:gig1
AS 200 Loopbacks
as200pe1                  10.198.0.1/32                      as200pe1:loop0         -
as200pe2                  10.198.0.2/32                      as200pe2:loop0         -
as200pe3                  10.198.0.3/32                      as200pe3:loop0         -
as200pe4                  10.198.0.4/32                      as200pe4:loop0         -
as200rr1                  10.198.0.5/32                      as200rr1:loop0         -
as200rr2                  10.198.0.6/32                      as200rr2:loop0         -

AS100 to AS200

Link                      Prefix                             Device 1               Device 2
AS 100 to AS 200 Peering Links
as100pe3-as200pe1         204.44.50.0/31, 2204:44.55::0/127  as100pe1:g3            as200pe1:g0/0/0/0
as100pe4-as200pe2         204.44.50.2/31, 2204:44.55::2/127  as100pe3:g4            as200pe2:gig1

AS100 to AS4

Link                      Prefix                             Device 1               Device 2
AS 100 to AS 4 Peering Links
as100pe1-as4ce1           204.44.100.0/31, 2204:44:100:1::/64   as100pe1:g0/0/0/0   as4pe1:e0/1
as100pe2-as4ce2           204.44.100.2/31, 2204:44:100:2::/64   as100pe3:g4         as4pe2:gig0/0/0/1

AS200 to AS4

Link                      Prefix                             Device 1               Device 2
AS 200 to AS 4 Peering Links
as200pe3-as4ce3           197.200.42.0/31, 2197:200:42:1::/127  as200pe3:g4         as4ce3:e0/0

Lab 1.1 – Inter-AS Layer 3 Unicast VPN – Option A

IGP Routing

AS100

- Use IS-IS process “as100-isis” as the IGP
- Use the NET area 49.0001
- Ensure that all routers only establish L2 adjacencies, using the shortest number of commands possible
- Hello messages must use MD5 authentication with the key “cisco123hello” and LSPs with the key “cisco123lsp”
- At the end of the configuration for this section, the LSDB should look as follows:

as100p2#show isis database

Tag as100-isis:
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
as100pe1.00-00        0x00000004   0x44EB        1032              0/0/0
as100pe2.00-00        0x00000004   0x1F10        1082              0/0/0
as100pe3.00-00        0x00000219   0x3559        1093              0/0/0
as100pe4.00-00        0x00000007   0x070E        1106              0/0/0
as100p1.00-00         0x00000006   0xDF8A        668               0/0/0
as100p2.00-00       * 0x00000008   0xED26        1039              0/0/0
as100rr1.00-00        0x00000007   0xE3FC        1189              0/0/1
as100rr2.00-00        0x00000004   0x9340        1174              0/0/1

- At the end of the configuration for this section, the RIB should look as follows:

as100p2#show ip route isis | begin Gateway
Gateway of last resort is not set

      204.44.0.0/32 is subnetted, 8 subnets
i L2     204.44.0.1 [115/20] via 204.44.1.9, 00:05:38, Ethernet0/0
i L2     204.44.0.2 [115/10] via 204.44.1.9, 00:04:56, Ethernet0/0
i L2     204.44.0.3 [115/20] via 204.44.1.38, 00:04:43, Ethernet1/1
i L2     204.44.0.4 [115/10] via 204.44.1.38, 00:04:32, Ethernet1/1
i L2     204.44.0.5 [115/30] via 204.44.1.38, 00:05:38, Ethernet1/1
                    [115/30] via 204.44.1.9, 00:05:38, Ethernet0/0
i L2     204.44.0.7 [115/10] via 204.44.1.30, 00:09:15, Ethernet0/2
i L2     204.44.0.8 [115/10] via 204.44.1.34, 00:06:50, Ethernet0/3
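One way to meet the L2-only and authentication requirements above, shown for an IOS P router and an IOS-XR PE. This is an added example, not the workbook's answer key; the key-chain names, system IDs in the NETs and interface names are assumptions.

```text
! IOS (e.g. as100p2). Separate key chains keep the hello key and the LSP key
! apart; the level-2 keywords match the L2-only adjacency requirement.
key chain ISIS-HELLO
 key 1
  key-string cisco123hello
key chain ISIS-LSP
 key 1
  key-string cisco123lsp
!
router isis as100-isis
 net 49.0001.0000.0000.0006.00             ! system ID is an assumption
 is-type level-2-only                      ! one command: L2 adjacencies only
 metric-style wide
 authentication mode md5 level-2
 authentication key-chain ISIS-LSP level-2 ! authenticates LSPs, CSNPs and PSNPs
!
interface Ethernet0/0
 ip router isis as100-isis
 isis authentication mode md5 level-2
 isis authentication key-chain ISIS-HELLO level-2   ! authenticates hellos only
!
! IOS-XR (e.g. as100pe1): the same split, LSP password at process level,
! hello password per interface.
router isis as100-isis
 is-type level-2-only
 net 49.0001.0000.0000.0001.00
 lsp-password hmac-md5 clear cisco123lsp level 2
 address-family ipv4 unicast
  metric-style wide
 !
 interface GigabitEthernet0/0/0/2
  hello-password hmac-md5 clear cisco123hello level 2
  address-family ipv4 unicast
  !
 !
!
```

A hello-key mismatch shows up as an adjacency that never forms in show isis neighbors, while an LSP-key mismatch leaves the adjacency up but the peer's LSPs missing from show isis database, which is why the two keys are worth checking separately.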

Note: Load all of the initial configurations.

AS200

- Use OSPFv2 process “200” as the IGP
- All routers should have all interfaces in area 0.0.0.0
- Statically configure the Router IDs to the Loopback0 interface IPv4 address
- Configure MD5 authentication at the area level using the key “cisco123ospf”
- Ensure that no transit link requires the generation of a Network LSA
- At the end of the configuration for this section, the RIB should look as follows:

as200pe4#show ip route ospf | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O E1     10.198.0.1/32 [110/23] via 10.198.1.33, 00:02:41, GigabitEthernet1
O E1     10.198.0.2/32 [110/24] via 10.198.1.33, 00:02:41, GigabitEthernet1
O E1     10.198.0.3/32 [110/21] via 10.198.1.33, 00:02:41, GigabitEthernet1
O E1     10.198.0.5/32 [110/22] via 10.198.1.33, 00:02:41, GigabitEthernet1
O E1     10.198.0.6/32 [110/21] via 10.198.1.25, 00:02:41, GigabitEthernet2

Intra-AS Label Switched Paths

AS100

- Create a full mesh of RSVP-TE LSPs between the PE routers using a dynamic method for creating RSVP-TE LSPs
- Ensure that new tunnel instantiations use the tunnel number range 1500-1600
- The signaled bandwidth of the TE tunnels should be 500Kbps
- Ensure that the as100pe1-as100p1 link is excluded from the CSPF run by manipulating the link attribute flags and the tunnel affinity
- Ensure that 75% of link bandwidth can be reserved by RSVP

AS200

- Create a full mesh of MP2P LSPs using LDP
- Authenticate LDP sessions using the key “cisco123ldp”
- Use the minimum number of commands to enable LDP on internal transit interfaces
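An IOS fragment covering the AS200 OSPF and LDP requirements above (area-level MD5, no Network LSAs, LDP in one command, authenticated LDP sessions). This is an added example, not the workbook's answer key; it assumes the router is an IOS node, and the interface name is an assumption. IP addresses are omitted because the AS200 transit table is ambiguous.

```text
router ospf 200
 router-id 10.198.0.6                         ! Loopback0 address from the table
 area 0.0.0.0 authentication message-digest   ! area-level MD5: every area-0 interface needs a key
 mpls ldp autoconfig                          ! single command: LDP on every OSPF interface
!
interface Ethernet0/1
 ip ospf message-digest-key 1 md5 cisco123ospf   ! the key the area-level command requires
 ip ospf network point-to-point                  ! no DR/BDR, so no Network (type 2) LSA
!
! LDP: router ID pinned to Loopback0, and every session must carry the MD5
! option; an unauthenticated peer is rejected rather than accepted silently.
mpls ldp router-id Loopback0 force
mpls ldp password required
mpls ldp neighbor 10.198.0.5 password cisco123ldp   ! one line per LDP peer (as200rr1)
```

show ip ospf interface brief confirms the point-to-point network type, and show mpls ldp neighbor lists only the peers whose password matched; a peer with a wrong key stays in show mpls ldp discovery without a session.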

Internal BGP

AS100

- Configure as100rr1 and as100rr2 as VPNv4 and VPNv6 route reflectors in cluster “100”
- Establish IBGP peerings from each PE router to the RRs
- Statically configure the Router IDs to the Loopback0 interface IPv4 address
- Authenticate the sessions using the key “cisco123ibgp”
- Ensure that peer templates are used in IOS, and session-groups and af-groups in IOS-XR
- On the RR as100rr1 (IOS-XR), ensure that the neighbor config blocks have no more configuration than shown below:

RP/0/0/CPU0:as100rr1#show run router bgp
Sat Mar 19 12:18:02.341 UTC
router bgp 100
!
<omitted>
!
 neighbor 204.44.0.1
  use neighbor-group ibgp-peers-afgroup
 !
 neighbor 204.44.0.2
  use neighbor-group ibgp-peers-afgroup
 !
<omitted>

- No AFI/SAFIs should be enabled by default unless explicitly configured

AS200

- Configure as200rr1 and as200rr2 as VPNv4 and VPNv6 route reflectors in cluster “200”
- Establish IBGP peerings from each PE router to the RRs
- Statically configure the Router IDs to the Loopback0 interface IPv4 address
- Authenticate the sessions using the key “cisco123ibgp”
- Ensure that peer templates are used in IOS, and session-groups and af-groups in IOS-XR
- No AFI/SAFIs should be enabled by default unless explicitly configured
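An IOS-XR skeleton for as100rr1 that yields neighbor blocks of exactly the shape shown above, with the transport settings (remote AS, MD5 key, update source) in a session-group and the per-AFI settings in af-groups. This is an added example, not the workbook's answer key; every group name other than ibgp-peers-afgroup is an assumption.

```text
router bgp 100
 bgp router-id 204.44.0.7
 bgp cluster-id 100
 address-family vpnv4 unicast
 !
 address-family vpnv6 unicast
 !
 ! Transport-level settings shared by every IBGP peer.
 session-group ibgp-peers-sgroup
  remote-as 100
  password clear cisco123ibgp
  update-source Loopback0
 !
 ! Per-AFI settings. Only the AFIs that the neighbor-group lists below are
 ! activated for a peer; nothing is enabled by default.
 af-group ibgp-peers-vpnv4 address-family vpnv4 unicast
  route-reflector-client
 !
 af-group ibgp-peers-vpnv6 address-family vpnv6 unicast
  route-reflector-client
 !
 neighbor-group ibgp-peers-afgroup
  use session-group ibgp-peers-sgroup
  address-family vpnv4 unicast
   use af-group ibgp-peers-vpnv4
  !
  address-family vpnv6 unicast
   use af-group ibgp-peers-vpnv6
  !
 !
 ! Each PE needs one line; everything else is inherited.
 neighbor 204.44.0.1
  use neighbor-group ibgp-peers-afgroup
 !
 neighbor 204.44.0.2
  use neighbor-group ibgp-peers-afgroup
 !
!
```

show bgp neighbor 204.44.0.1 configuration prints the effective, inherited configuration for one peer, which is the quickest way to confirm the MD5 key and the RR-client flag actually reached it.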

Inter-AS L3 Unicast VPN

AS100 to AS200

- Configure an RFC2547/4364 Option A MPLS/BGP VPN to provide connectivity between the HQ site of AS4 (attached to AS100) and the spoke site of AS4 (attached to AS200)
- Ensure that the primary path for IPv4 traffic is through the as100pe4-as200pe2 link and IPv6 traffic is through the as100pe3-as200pe1 link
- Use the VRFs defined on the PE routers
- Use whatever VRF naming and VLAN number(s) you want on the ASBRs; re-use the addressing from the global routing table on the ASBR-ASBR link
- For any new BGP sessions created, the BGP transport must be IPv4 only
- At the end of the configuration, the VRF routing table on as100pe1 should look something like this (note the next hops):

RP/0/0/CPU0:as100pe1#show route vrf as4s1-vrf ipv6 2004:1::3
Sun Mar 20 01:34:53.466 UTC

Routing entry for 2004:1::3/128
  Known via "bgp 100", distance 200, metric 0
  Tag 200, type internal
  Installed Mar 20 01:34:51.866 for 00:00:01
  Routing Descriptor Blocks
    ::ffff:204.44.0.3, from ::ffff:204.44.0.7
      Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
      Route metric is 0
  No advertising protos.

RP/0/0/CPU0:as100pe1#show route vrf as4s1-vrf 4.1.0.3
Sun Mar 20 01:34:58.995 UTC

Routing entry for 4.1.0.3/32
  Known via "bgp 100", distance 200, metric 0
  Tag 200, type internal
  Installed Mar 20 01:29:56.116 for 00:05:02
  Routing Descriptor Blocks
    204.44.0.4, from 204.44.0.7
      Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
      Route metric is 0
  No advertising protos.

PE-CE Routing

AS100 to AS4

- Configure OSPFv2 and OSPFv3 as the PE-CE routing protocols for IPv4 and IPv6
- Consider the as4ce1-as4ce2 link a backdoor link and ensure that traffic between the loopback interface IP addresses traverses the MPLS network rather than the backdoor link
  o Ensure that the routes show up as intra-area (O) routes
  o Ensure that any new links created as part of this configuration are only present on the minimum number of routers necessary to get the configuration to work

AS200 to AS4

- Configure OSPFv2 and OSPFv3 as the PE-CE routing protocols for IPv4 and IPv6

Local Protection

AS100

- Use the autotunnel backup feature to create one-hop tunnels to protect against link failure
- Ignore tunnel affinities when establishing backup tunnels

AS200

- Enable the LFA per-prefix feature on the PE routers to facilitate repair paths for loopback addresses

OAM

AS100

Ensure that the traceroute mpls tool can be used end to end between the PE routers

Lab 1.2 – Inter-AS Layer 3 Unicast VPN – Option B

Inter-AS L3 Unicast VPN

AS100 to AS200

- Configure an RFC2547/4364 Option B MPLS/BGP VPN to provide connectivity between the HQ site of AS4 (attached to AS100) and the spoke site of AS4 (attached to AS200)
- Ensure that the primary path for IPv4 traffic is through the as100pe4-as200pe2 link and IPv6 traffic is through the as100pe3-as200pe1 link
- Use the VRFs defined on the PE routers; the ASBRs should not have any VRFs defined
- Neither AS should expose its Route Target addressing schema to the other
  o For the VPN service route exchange from AS100 to AS200, use RT 1009:2009
  o For the VPN service route exchange from AS200 to AS100, use RT 2009:1009
  o Ensure that only the ASBRs see these temporary RTs
- All new BGP sessions should use MD5 authentication with the key “cisco123ebgp”
- Once the configuration is completed, the routing table on as4ce1 should look as follows for networks received from the spoke AS4 site:

as4ce1#show ip route 4.1.0.3
Routing entry for 4.1.0.3/32
  Known via "ospf 4", distance 110, metric 11, type inter area
  Last update from 204.44.100.0 on Ethernet0/1, 00:00:33 ago
  Routing Descriptor Blocks:
  * 204.44.100.0, from 204.44.0.1, 00:00:33 ago, via Ethernet0/1
      Route metric is 11, traffic share count is 1

Note: Load all of the initial configurations. There is a lot more initial configuration in this lab than in the previous one because all of the IGP, label distribution, IBGP, and PE-CE routing is taken care of.

It would be wise to run some basic verification checks on the pre-config load, such as checking LSPs, BGP sessions, etc. Run these checks before attempting the requirements of this lab to rule out any issues with the pre-config load.

E.g. check forwarding paths:

RP/0/0/CPU0:as100pe1#traceroute 204.44.0.3 source 204.44.0.1 numeric
Sun Mar 20 12:17:14.437 UTC

Type escape sequence to abort.
Tracing the route to 204.44.0.3

 1  204.44.1.6 [MPLS: Label 20 Exp 0] 0 msec  0 msec  0 msec
 2  204.44.1.10 [MPLS: Label 25 Exp 0] 0 msec  0 msec  0 msec
 3  204.44.1.38 [MPLS: Label 21 Exp 0] 0 msec  0 msec  9 msec
 4  204.44.1.46 0 msec  *  0 msec

At the end of the configuration, the VRF routing table on as100pe1 should look something like this (note the next hops):

RP/0/0/CPU0:as100pe1#show route vrf as4s1-vrf ipv4 bgp
Sun Mar 20 21:59:46.033 UTC

B    4.1.0.2/32 [200/2] via 204.44.0.2 (nexthop in vrf default), 00:22:25
B    4.1.0.3/32 [200/0] via 204.44.0.4 (nexthop in vrf default), 00:15:35
B    197.200.42.0/31 [200/0] via 204.44.0.4 (nexthop in vrf default), 00:15:35
B    204.44.100.2/31 [200/0] via 204.44.0.2 (nexthop in vrf default), 00:22:25
B    204.44.100.5/32 [200/0] via 204.44.0.2 (nexthop in vrf default), 09:51:09

RP/0/0/CPU0:as100pe1#show route vrf as4s1-vrf ipv6 bgp
Sun Mar 20 21:59:48.923 UTC

B    2004:1::2/128 [200/1] via ::ffff:204.44.0.2 (nexthop in vrf default), 00:06:28
B    2004:1::3/128 [200/0] via ::ffff:204.44.0.3 (nexthop in vrf default), 00:06:00
B    2004:1:188::/64 [200/2] via ::ffff:204.44.0.2 (nexthop in vrf default), 00:06:28
B    2197:200:42:1::/127 [200/0] via ::ffff:204.44.0.3 (nexthop in vrf default), 00:06:00
B    2204:44:100::5/128 [200/0] via ::ffff:204.44.0.2 (nexthop in vrf default), 09:51:12

Lab 1.3 – Inter-AS Layer 3 Unicast VPN – Option C (both variants)

Inter-AS L3 Unicast VPN

AS100 to AS200

- Configure an RFC2547/4364 Option C MPLS/BGP VPN to provide connectivity between the HQ site of AS4 (attached to AS100) and the spoke site of AS4 (attached to AS200)
- Use the VRFs defined on the PE routers; the ASBRs should not have any VRFs defined
- Neither AS should expose its Route Target addressing schema to the other
  o For the VPN service route exchange from AS100 to AS200, use RT 1009:2009
  o For the VPN service route exchange from AS200 to AS100, use RT 2009:1009
  o Ensure that only the RRs in each AS see these temporary RTs
- In AS100, the ASBR must not redistribute the labelled unicast routes to the RRs or PE routers in AS200
- For existing IBGP sessions, you are only allowed to activate new AFI/SAFIs in AS100
- The RRs must establish the multihop EBGP VPN sessions between each other
- All new EBGP sessions should use MD5 authentication with the key “cisco123ebgp”
- All new EBGP sessions on the ASBRs must use route maps to filter incoming and outgoing updates
- Do NOT remove the overload bit on the RRs
- At the end of the configuration, a traceroute from AS4 site 1 to AS4 site 2 should look similar to the output below (the hint here is about the path from as200pe1 to as200pe3 or as200pe4, not specifically which exit point the traffic leaves on)

Note: Load all of the initial configurations. There is a lot more initial configuration in this lab than in the previous one because all of the IGP, label distribution, IBGP, and PE-CE routing is taken care of.

It would be wise to run some basic verification checks on the pre-config load, such as checking LSPs, BGP sessions, etc. Run these checks before attempting the requirements of this lab to rule out any issues with the pre-config load.

E.g. check forwarding paths:

RP/0/0/CPU0:as100pe1#traceroute 204.44.0.3 source 204.44.0.1 numeric
Sun Mar 20 12:17:14.437 UTC

Type escape sequence to abort.
Tracing the route to 204.44.0.3

 1  204.44.1.6 [MPLS: Label 20 Exp 0] 0 msec  0 msec  0 msec
 2  204.44.1.10 [MPLS: Label 25 Exp 0] 0 msec  0 msec  0 msec
 3  204.44.1.38 [MPLS: Label 21 Exp 0] 0 msec  0 msec  9 msec
 4  204.44.1.46 0 msec  *  0 msec

as4ce1#traceroute 4.1.0.3 source loop0 numeric
Type escape sequence to abort.
Tracing the route to 4.1.0.3
VRF info: (vrf in name/id, vrf out name/id)
  1 204.44.100.0 1 msec 1 msec 1 msec
  2 204.44.1.6 [MPLS: Labels 25/33/21 Exp 0] 18 msec 15 msec 13 msec
  3 204.44.1.10 [MPLS: Labels 27/33/21 Exp 0] 21 msec 31 msec 31 msec
  4 204.44.1.38 [MPLS: Labels 33/21 Exp 0] 31 msec 30 msec 30 msec
  5 204.44.50.3 [MPLS: Labels 22/21 Exp 0] 31 msec 31 msec 31 msec
  6 10.198.1.5 [MPLS: Labels 24006/21 Exp 0] 31 msec 30 msec 31 msec
  7 10.198.1.2 [MPLS: Labels 24005/21 Exp 0] 30 msec 32 msec 30 msec
  8 197.200.42.0 [MPLS: Label 21 Exp 0] 16 msec 16 msec 72 msec
  9 197.200.42.1 15 msec * 14 msec

PE-CE Routing

AS4

- Configure EBGP as the PE-CE routing protocol for IPv4 and IPv6 unicast
- Configure an IBGP session between the CE routers for IPv4 and IPv6 unicast
- Protect against control plane loops in the customer network using a BGP feature on the PE routers

Lab 2 – Hierarchical Virtual Private Network

Lab 2 Topology

Lab 2 Interface Addressing

Internal Addressing

AS4 Site 1

Link                        Prefix                                Device 1                 Device 2
AS 4 Site 1 Loopbacks
as4s1ce1                    4.1.0.1/32, 2004:1::1/128             as4s1ce1:loop0           -
as4s1ce3                    4.1.0.3/32, 2004:1::3/128             as4s1ce1:loop0           -

AS4 Site 2

Link                        Prefix                                Device 1                 Device 2
AS 4 Site 2 Loopbacks
as4s2ce2                    4.1.0.2/32, 2004:1::2/128             as4ce2:loop0             -

AS577 Site 1

Link                        Prefix                                Device 1                 Device 2
AS 577 Site 1 Loopbacks
as577s1ce1                  57.7.243.1/32, 2057:57:243::1/128     as577ce1:loop0           -

AS577 Site 2

Link                        Prefix                                Device 1                 Device 2
AS 577 Site 2 Loopbacks
as577s1ce2                  57.7.243.2/32, 2057:57:243::1/128     as577ce2:loop0           -

AS100 Site 1

Link                        Prefix                                Device 1                 Device 2
AS 100 Site 1 Transit Links
as100s1pe1-as100s1p1        204.44.1.0/30                         as100s1pe1:g0/0/0/2      as100s1p1:g0/0/0/0
as100s1pe1-as100s1pe2       204.44.1.4/30                         as100s1pe1:g0/0/0/1      as100s1p1:gig1
as100s1pe2-as100s1p2        204.44.1.8/30                         as100s1pe2:g3            as100s1p2:e0/0
as100s1pe2-as100s1rr1       204.44.1.12/30                        as100s1pe2:g4            as100s1rr1:g0/0/0/0
as100s1p1-as100s1p2         204.44.1.16/30                        as100s1p1:g0/0/0/1       as100s1p1:e0/1
as100s1p1-as100s1pe3        204.44.1.20/30                        as100s1pe1:g0/0/0/2      as100s1p1:g1
as100s1p2-as100s1rr1        204.44.1.28/30                        as100s1p2:e0/2           as100s1p1:g0/0/0/1
as100s1p2-as100s1rr2        204.44.1.32/30                        as100s1p2:e0/3           as100s1p1:e0/0
as100s1p2-as100s1pe4        204.44.1.36/30                        as100s1p2:e1/1           as100s1p1:gig1
as100s1pe3-as100s1pe4       204.44.1.40/30                        as100s1pe3:gig2          as100s1pe4:gig3
as100s1pe3-as100s1pe4       204.44.1.44/30                        as100s1pe3:gig2          as100s1pe4:gig3
AS 100 Site 1 Loopbacks
as100s1pe1                  204.44.0.1/32                         as100s1pe1:loop0         -
as100s1pe2                  204.44.0.2/32                         as100s1pe2:loop0         -
as100s1pe3                  204.44.0.3/32                         as100s1pe3:loop0         -
as100s1pe4                  204.44.0.4/32                         as100s1pe4:loop0         -
as100s1p1                   204.44.0.5/32                         as100s1p1:loop0          -
as100s1p2                   204.44.0.6/32                         as100s1p2:loop0          -
as100s1rr1                  204.44.0.7/32                         as100s1rr1:loop0         -
as100s1rr2                  204.44.0.8/32                         as100s1rr2:loop0         -

AS100 Site 2

Link                        Prefix                                Device 1                 Device 2
AS 100 Site 2 Transit Links
as100s2rr1-as100s2p1        10.198.1.0/30                         as100s2rr1:g0/0/0/1      as100s2p1:e0/0
as100s2rr1-as100s2p2        10.198.1.4/30                         as100s2rr1:g0/0/0/2      as100s2p1:e0/1
as100s2rr1-as100s2rr2       10.198.1.8/30                         as100s2rr1:g0/0/0/3      as100s2rr2:e0/1
as100s2rr2-as100s2pe3       10.198.1.12/30                        as100s2rr2:e0/1          as100s2pe3:e0/1
as100s2p1-as100s2pe3        10.198.1.16/30                        as100s2p1:e0/2           as100s2pe3:e0/2
as100s2pe3-as100s2mce1      200.198.100.0/31, 2200:198:100::/127  as100s2pe3:e0/0          as100s2mce1:g0/0/0/0
AS 100 Site 2 Loopbacks
as100s2rr1                  10.198.0.1/32                         as100s2rr1:loop0         -
as100s2rr2                  10.198.0.2/32                         as100s2rr2:loop0         -
as100s2pe3                  10.198.0.3/32                         as100s2pe3:loop0         -
as100s2p1                   10.198.0.4/32                         as100s2pe4:loop0         -
as100s2mce1                 10.198.0.5/32                         as100s2mce1:loop0        -

AS300

Link                        Prefix                                Device 1                 Device 2
AS 300 Transit Links
as300pe1-as300p1            10.144.129.0/30                       as300pe1:g3              as300p1:e0/1
as300p1-as300pe2            10.144.129.4/30                       as300p1:e0/0             as300pe2:gig0/0/0/0
AS 300 Loopbacks
as300pe1                    10.144.130.1/32                       as300pe1:loop0           -
as300pe2                    10.144.130.2/32                       as300pe3:loop0           -
as300p1                     10.144.130.3/32                       as300p2:loop0            -

Global Addressing

AS100 Site 1 to AS300

Link                        Prefix                                Device 1                 Device 2
Peering Links
as100s1pe3-as300pe1         111.79.231.0/31                       as100s1pe3:g3            as300pe1:g4
as100s1pe4-as300pe1         111.79.231.2/31                       as100s1pe4:g4            as300pe1:g1

AS300 to AS100 Site 2

Link                        Prefix                                Device 1                 Device 2
Peering Links
as100s2rr1-as300pe2         111.79.231.4/31                       as100s2rr1:g0/0/0/0      as300pe2:g0/0/0/2
as100s2rr2-as300pe2         111.79.231.4/31                       as100s2rr1:g0/0/0/1      as300pe2:g0/0/0/1

AS100 Site 1 to AS4 Site 1

Link                        Prefix                                Device 1                 Device 2
Peering Links
as100s1pe1-as4s1ce1         204.44.100.0/31, 2204:44:100:1::/64   as100s1pe1:g0/0/0/0      as4s1ce1:e0/1
as100s1pe1-as4s1ce3         204.44.100.4/31, 2204:44:100:4::/64   as100s1pe1:g0/0/0/3      as4s1ce3:e0/0

AS100 Site 1 to AS577 Site 1

Link                        Prefix                                Device 1                 Device 2
Peering Links
as100s1pe2-as577s1ce1       204.44.100.2/31, 2204:44:100:2::/64   as100s1pe2:g2            as577s1ce1:e0/0

AS100 Site 2 to AS4 Site 2

Link                        Prefix                                Device 1                 Device 2
Peering Links
as100s2mce1-as4ce2          200.198.100.2/31, 2200:198:100::2/127 as100s2mce1:g0/0/0/1     as4s2ce2:e0/0

AS100 Site 2 to AS577 Site 2

Link                        Prefix                                Device 1                 Device 2
Peering Links
as100s2mce1-as577s2ce2      197.200.42.2/31, 2200:198:100::2/127  as100s2mce1:g0/0/0/2     as577s2ce2:e0/0

Lab 2.1 – Carrier Supporting Carrier Layer 3 Unicast and Multi-VRF CE

IGP Routing

AS100 Site 2

- Configure the router(s) in AS100S2 such that their routing tables only contain host routes for internal routers
- Do not use the OSPF prefix suppression feature
- Below is an example of the routing table for as100s2pe3:

as100s2pe3#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O E2     10.198.0.1/32 [110/20] via 10.198.1.17, 00:00:01, Ethernet0/2
                       [110/20] via 10.198.1.13, 00:00:11, Ethernet0/1
O E2     10.198.0.2/32 [110/20] via 10.198.1.13, 00:00:11, Ethernet0/1
O E2     10.198.0.4/32 [110/20] via 10.198.1.17, 00:00:01, Ethernet0/2

Intra-AS Label Switched Paths

AS100 Site 1

- Create a full mesh of RSVP-TE LSPs between the PE routers using a static method for creating RSVP-TE LSPs
- The signaled bandwidth of the TE tunnels should be 100kbps
- The as100s1pe1-as100s1p1 and as100s1p1-as100s1pe3 links are considered legacy links and should be avoided unless there is no other valid path
  a. Do not use explicit paths
  b. Do not use affinity and attribute sets
  c. Do not change the IGP metric
- The as100s1pe2-as100s1pe4 RSVP-TE tunnel must be set up using explicit paths and must traverse as100s1rr1 without modifying pre-existing configuration on as100s1rr1
- Ensure that 500Kbps of link bandwidth can be reserved by RSVP

Note: Load all of the initial configurations.

AS100 Site 2

- Create a full mesh of MP2P LSPs using LDP
- Authenticate LDP sessions using the key “cisco123ldp”
- Use the minimum number of commands to enable LDP on internal transit interfaces

AS300

- Create a full mesh of MP2P LSPs using LDP
- Authenticate LDP sessions using the key “cisco123ldp”; do not use per-neighbor statements to do this
- Use the minimum number of commands to enable LDP on internal transit interfaces

Internal BGP

AS100 Site 1

- Configure as100s1rr1 and as100s1rr2 as VPNv4 and VPNv6 route reflectors in cluster “100”
- Establish IBGP peerings from each PE router to the RRs
- Statically configure the Router IDs to the Loopback0 interface IPv4 address
- Authenticate the sessions using the key “cisco123ibgp”
- Ensure that peer templates are used in IOS, and session-groups and af-groups in IOS-XR
- On the RR as100s1rr2 (IOS), the BGP neighbor table should look similar to below at the end of this section:

as100rr2#show bgp vpnv4 unicast all summary
BGP router identifier 204.44.0.8, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*204.44.0.1     4          100      17      19        1    0    0 00:13:49        0
*204.44.0.2     4          100       4       4        1    0    0 00:02:40        0
*204.44.0.3     4          100       2       2        1    0    0 00:00:34        0
*204.44.0.4     4          100       2       2        1    0    0 00:00:23        0
*204.44.0.7     4          100      12      11        1    0    0 00:08:54        0
* Dynamically created based on a listen range command
Dynamically created neighbors: 5, Subnet ranges: 1

BGP peergroup ibgp-peers-grp listen range group members:
  204.44.0.0/24

Total dynamically created neighbors: 5/(10 max), Subnet ranges: 1

- No AFI/SAFIs should be enabled by default unless explicitly configured

AS100 Site 1 to AS100 Site 2

- Configure a full mesh of VPNv4 and VPNv6 unicast IBGP sessions between the PE routers in AS100 Site 2 and the VPN route reflectors in AS100 Site 1
- Statically configure the Router IDs to the Loopback0 interface IPv4 address
- Authenticate the sessions using the key “cisco123ibgp”

Lab 3 – Multicast Virtual Private Network

Lab 3 – Topology

Lab 3.1 – MVPN Profile 0 – PIM/GRE Default MDT

IGP Routing

AS100

- Configure OSPF as the IGP for AS100 with the router ID manually set to the IP address of Loopback0; all interfaces should be in area 0
- All OSPF interfaces must authenticate messages using MD5 with the key “cisco123ospf”
- Ensure that all Gigabit Ethernet interfaces default to an OSPF cost of 2
- Enable a feature on all OSPF interfaces that suppresses both periodic hello messages and LSA refreshes; use the minimum number of commands across all devices to achieve this

Intra-AS Label Switched Paths

AS100

- Enable LDP on all IGP-enabled interfaces using the minimum number of commands
- Manually set the router ID to Loopback0
- Below is the output from a show command on as100p1; configure an LDP feature that would result in the following output. This command is only required on PE and P routers.

RP/0/0/CPU0:as100p1#show mpls ldp neighbor brief
Tue Jun 14 03:08:21.881 UTC

Peer               GR  NSR  Up Time     Discovery    Addresses    Labels
                                        ipv4  ipv6   ipv4  ipv6   ipv4  ipv6
-----------------  --  ---  ----------  -----------  -----------  ------------
200.100.0.8:0      N   N    00:02:55    1     0      7     0      8     0
200.100.0.1:0      N   N    00:02:55    1     0      4     0      8     0
200.100.0.4:0      N   N    00:02:55    1     0      3     0      8     0
200.100.0.6:0      N   N    00:02:55    1     0      5     0      8     0
200.100.0.2:0      N   N    00:02:31    1     0      5     0      8     0
200.100.0.5:0      N   N    00:02:01    1     0      5     0      8     0

Internal BGP

AS100

- Configure as100rr1 as the VPNv4 route reflector for AS100
- Establish IBGP peerings from each PE router to the RR
- Statically configure the Router IDs to the Loopback0 interface IPv4 address
- Authenticate the sessions using the key “cisco123ibgp”
- Ensure that peer groups are used in IOS, and session-groups and neighbor-groups in IOS-XR
- No AFI/SAFIs should be enabled by default unless explicitly configured

Note: Load all of the initial configurations. AS300 is not used in this scenario.

Layer 3 Unicast VPN and PE-CE Routing

- The PE-CE routing should be set up as per the following diagram
- Configure MPLS Layer 3 Unicast VPNs to enable full reachability for loopback networks between all sites of the same customer (e.g. only sites of AS577 should have reachability to each other)
- Configure VRFs, route distinguishers, and route targets to support this connectivity. At the end of the configuration, the BGP table on as577s3ce1 should look as follows:

as577s3ce1#show bgp ipv4 unicast
BGP table version is 6, local router ID is 5.77.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.77.1.1/32      200.100.99.8             0    100        ?
 *>  5.77.2.1/32      200.100.99.8             0    100        577 i
 *>  5.77.3.1/32      0.0.0.0                  0         32768 i

Multicast VPN

AS100

- Configure the MVPN profile where PIM is required in the core and is used to map multicast streams to LSPs
- All PE routers that are part of the MVPN should join the Default MDT
- Do not configure an RP in AS100 for the PIM core tree; use any group address for each MVPN that supports this
- AS4 will only use ASM groups; use a dynamic RP discovery method to facilitate source discovery; make any router the RP
- AS577 will only use SSM groups. Below is sample output from a ping to a multicast address on as577s2ce1:

as577s2ce1#ping 232.0.0.10 source 5.77.2.1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 232.0.0.10, timeout is 2 seconds:
Packet sent with a source address of 5.77.2.1

Reply to request 0 from 200.100.99.5, 8 ms
Reply to request 0 from 200.100.99.9, 17 ms
Reply to request 0 from 200.100.99.5, 12 ms
Reply to request 0 from 200.100.99.9, 11 ms

Security
Management Plane Protection

- Configure as100pe2 such that only as100pe1 can SSH to its loopback0 network through any interface
- Do not use an ACL when configuring the filter

User database security

- Configure a new user on as100pe1 called “spv4” with a password of “cisco”
- Supply the password to the router in cleartext
- Ensure that the password is hashed using SHA256
- Below is an example of the resulting configuration:

as100pe1#show run | s username
username spv4 secret 8 $8$9YL66uPcL7bwGW$8mRWzM.41OtqnBRI40e7JUOQFfj.5lv7fuPYrpPqHOc
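An added example (not part of the workbook) showing how a reviewer can check a configuration backup offline: it recomputes an IOS type 8 secret (PBKDF2-HMAC-SHA256, 20000 iterations, the 14-character salt used as raw ASCII) and flags username lines that are not stored as type 8 or 9. The base64 details (Cisco's ./0-9A-Za-z alphabet with standard bit ordering) are an assumption taken from open-source implementations; the sample config below is constructed, with only the spv4 line taken from the page.

```python
import base64
import hashlib
import hmac
import re

# Assumption: type 8 output is standard base64 bit ordering re-mapped onto
# Cisco's ./0-9A-Za-z alphabet, without padding (32 bytes -> 43 chars).
_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_CISCO = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = bytes.maketrans(_STD, _CISCO)
_TYPE8_RE = re.compile(r"\$8\$([./0-9A-Za-z]{14})\$([./0-9A-Za-z]{43})")
_USER_RE = re.compile(r"username (\S+) (secret|password)(?: (\d+))? (\S+)")


def type8_hash(password: str, salt: str) -> str:
    """Build the full $8$<salt>$<hash> string for a password and 14-char salt."""
    if not re.fullmatch(r"[./0-9A-Za-z]{14}", salt):
        raise ValueError("type 8 salt must be 14 chars from ./0-9A-Za-z")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000, 32)
    enc = base64.b64encode(dk).rstrip(b"=").translate(_TO_CISCO).decode()
    return f"$8${salt}${enc}"


def verify_type8(stored: str, password: str) -> bool:
    """Constant-time check of one candidate password against a stored secret."""
    m = _TYPE8_RE.fullmatch(stored)
    if not m:
        return False
    return hmac.compare_digest(type8_hash(password, m.group(1)), stored)


def audit_usernames(config: str) -> dict:
    """Map each username to its stored secret/password type ("0" if untyped)."""
    result = {}
    for line in config.splitlines():
        m = _USER_RE.match(line.strip())
        if m:
            name, _kind, typ, _value = m.groups()
            result[name] = typ or "0"
    return result


def weak_users(config: str) -> list:
    """Users whose credential is not a type 8 (PBKDF2-SHA256) or 9 (scrypt) secret."""
    return sorted(n for n, t in audit_usernames(config).items() if t not in {"8", "9"})


# Constructed sample config: only the spv4 line comes from the workbook.
SAMPLE_CONFIG = """\
username spv4 secret 8 $8$9YL66uPcL7bwGW$8mRWzM.41OtqnBRI40e7JUOQFfj.5lv7fuPYrpPqHOc
username admin secret 5 $1$PLACEHOLDER$placeholderhash
username legacy password 7 PLACEHOLDER
"""
```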

Lab 3.2 – MVPN Profile 1 – mLDP MP2MP Default MDT with PIM C-Multicast Routing

IGP Routing
AS300

- Configure IS-IS as the IGP for AS300
- Configure as300pe1 as a Level-2 only router in area 49.0001
- Configure as300pe2 as a Level-1 only router in area 49.0002
- All IS-IS interfaces must authenticate hello messages using the key “cisco123isis”
- Ensure that no DIS is elected on any link in AS300
- Ensure that as100pe2 installs a default route through as300p1 as a result of the attached bit being set
- Advertise the loopback0 network on each router and ensure that connectivity works between as300pe1 and as300pe2

Intra-AS Label Switched Paths
AS300

- Enable LDP on all IGP-enabled interfaces using the minimum number of commands
- Manually set the router ID to Loopback0
- Authenticate the LDP messages using the password “cisco123ldp”; do not use per-neighbor commands to achieve this

Internal BGP
AS100

- Modify the existing configuration to ensure that routers do not receive updates for VPN routes which have route targets that do not match the import route target list on any local VRF.
  o Do not rewrite any route targets
  o Do not configure any new route targets
  o Do not configure any new VRFs

As an example, you should not see the following debug output when the above configuration is completed:

*Jun 18 06:06:20.918: BGP(4): 200.100.0.9 rcvd UPDATE w/ attr: nexthop 200.100.0.2, origin ?, localpref 100, metric 1, originator 200.100.0.2, clusterlist 200.100.0.9, extended community RT:577:1
*Jun 18 06:06:20.918: BGP(4): 200.100.0.9 rcvd 200.100.0.2:577:5.77.1.1/32, label 24007 -- DENIED due to: extended community not supported;

AS300

Note: Load all of the initial configurations.

- Establish an IBGP peering between as300pe1 and as300pe2 in AS300
- Hard-code router IDs to the Loopback0 network
- Configure MD5 authentication with the password “as300ibgp”
- No AFI/SAFIs should be enabled by default unless explicitly configured

Inter-AS MPLS Unicast VPN
AS100 to AS300

- Configure an Inter-AS MPLS Unicast VPN between AS100 and AS300 to provide connectivity between all sites of AS4
- Use an option which requires as100pe4, as100pe5, and as300pe1 (ASBRs) to have a local VRF configured to support connectivity between AS4 sites

PE-CE Routing
AS300 to AS4

- Configure external BGP between as300pe2 and as4s3ce1 in AS300 and AS4, respectively
- Advertise the loopback0 network on as4s3ce1
- At the end of this configuration, all sites in AS4 should have reachability between the loopback0 networks.

Multicast VPN
AS100

- AS100 is looking to deploy next generation MVPNs using multipoint LDP in the core
- Configure an MVPN profile where mLDP is used in the core for setting up MP2MP label switched paths but PIM is still used to map multicast streams to LSPs
- Configure as100p2 as the root node for AS4 and AS577 MVPNs.
- AS4 has requested redundancy in the mLDP root node to ensure that multicast streams continue on the default MDT even if as100p2 fails. Use a method that does not create additional mLDP state when as100p2 is still available.
- Allow up to 3 data MDTs to be created with a threshold of 5Kbps

Configuration management
Configuration backup

- Configure as100pe1 such that the running configuration is backed up every 5 minutes or when the configuration is written. Use a local filesystem for this.
- Ensure that a syslog message is generated for every global configuration mode command which is entered
  o Ensure that any passwords are hidden from this output
  o Ensure that history for 200 commands is stored