lab v5

Upload: bedjo123

Post on 09-Apr-2018


  • 8/8/2019 Lab v5

    1/48

    1

    CCIE Service Provider Lab Workbook

    Section 1 Bridging and Switching:

    1.1 Configure IP across Frame-relay network
    Frame Relay interfaces are pre-configured as mentioned in the diagram. Please make sure only the required mappings are configured. Dynamic DLCI mapping is not allowed. There is a problem in the initial configuration; please make sure all devices running Frame-relay can ping their neighbor IP address.

    Router Name   DLCI   Router Name   DLCI
    R2            208    R8            802
    R6            609    R9            906
    R1            107    R7            701

    Troubleshooting: (Wrong DLCI mapped on R6 for R9; please correct that.)
    Notes: Check R1, R2, R6, R7, R8 and R9 for dynamic frame-relay mappings with the command sh fram map. If you find any dynamic entry, configure no fram inverse arp on that serial interface, reload the router and check again after the reboot; there should be a single mapping for the connected neighbor.


    When to Reload?
    1. no frame-relay inverse-arp does not exist on the interface: configure it and check the frame-relay mappings; if you find any, reload the device.
    2. show frame-relay map shows any 0000 entry.
    3. To avoid a reload you can shut down the interface, clear frame inverse arp, and default int s0/0 if 0000 still exists; if this does not solve the issue, go ahead and reload.
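The mapping checks described in the notes above (dynamic entries, 0000 entries, the wrong DLCI on R6) can be run against saved show frame-relay map output. The Python below is an added example, not part of the original workbook; the sample outputs are constructed, and the function names and the expected-mapping dictionaries are assumptions built from the DLCI table in 1.1.

```python
import re

# First line of each entry in `show frame-relay map` output.
ENTRY_RE = re.compile(
    r"^(?P<intf>\S+) \((?P<state>\w+)\): "
    r"ip (?P<ip>\d+(?:\.\d+){3}) dlci (?P<dlci>\d+)"
)
KIND_RE = re.compile(r"\b(static|dynamic)\b")


def parse_fr_map(text):
    """Parse map entries; kind is 'static', 'dynamic' or 'unknown'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"intf": m["intf"], "ip": m["ip"],
                            "dlci": int(m["dlci"]), "text": line})
        elif entries and line:
            entries[-1]["text"] += " " + line  # wrapped continuation line
    for e in entries:
        kind = KIND_RE.search(e.pop("text"))
        e["kind"] = kind.group(1) if kind else "unknown"
    return entries


def audit(text, expected):
    """Compare parsed entries with expected {neighbor_ip: dlci}.

    Returns (finding, ip, dlci) tuples in the order they are found."""
    findings, good, reported = [], set(), set()
    for e in parse_fr_map(text):
        ip, dlci = e["ip"], e["dlci"]
        if ip == "0.0.0.0":
            findings.append(("zero-entry", ip, dlci))      # reload candidate
        elif e["kind"] != "static":
            findings.append(("dynamic", ip, dlci))         # inverse-ARP learned
        elif ip not in expected:
            findings.append(("unexpected", ip, dlci))      # mapping not required
        elif expected[ip] != dlci:
            findings.append(("wrong-dlci", ip, dlci))
            reported.add(ip)
        else:
            good.add(ip)
    for ip, dlci in expected.items():
        if ip not in good and ip not in reported:
            findings.append(("missing", ip, dlci))         # no static mapping
    return findings


# Constructed sample outputs (not captured from the lab).
R6_OUTPUT = """\
Serial1/0 (up): ip 0.0.0.0 dlci 609(0x261,0x9810)
              broadcast,
              CISCO, status defined, inactive
Serial1/0 (up): ip 5.5.69.9 dlci 906(0x38A,0xE0A0), static,
              broadcast,
              CISCO, status defined, active
"""
R9_OUTPUT = """\
Serial1/0 (up): ip 5.5.69.6 dlci 906(0x38A,0xE0A0), dynamic,
              broadcast,, status defined, active
"""
R2_OUTPUT = """\
Serial1/0 (up): ip 5.5.28.8 dlci 208(0xD0,0x3400), static,
              broadcast,
              CISCO, status defined, active
"""

if __name__ == "__main__":
    # Expected neighbor/DLCI pairs assumed from the table in 1.1.
    for name, output, expected in (
        ("R6", R6_OUTPUT, {"5.5.69.9": 609}),
        ("R9", R9_OUTPUT, {"5.5.69.6": 906}),
        ("R2", R2_OUTPUT, {"5.5.28.8": 208}),
    ):
        print(name, audit(output, expected) or "clean")
```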

    R2
    interface Serial1/0
     ip address 5.5.28.2 255.255.255.0
     encapsulation frame-relay
     no frame-relay inverse-arp
     frame-relay map ip 5.5.28.8 208 broadcast

    R8
    interface Serial1/0
     ip address 5.5.28.8 255.255.255.0
     encapsulation frame-relay
     no frame-relay inverse-arp
     frame-relay map ip 5.5.28.2 802 broadcast

    R6
    interface Serial1/0
     ip address 5.5.69.6 255.255.255.0
     encapsulation frame-relay
     no frame-relay inverse-arp
     frame-relay map ip 5.5.69.9 609 broadcast

    R9
    interface Serial1/0
     ip address 5.5.69.9 255.255.255.0
     encapsulation frame-relay
     no frame-relay inverse-arp
     frame-relay map ip 5.5.69.6 906 broadcast

    R1
    interface Serial1/0
     ip address 172.5.17.1 255.255.255.0
     encapsulation frame-relay
     no frame-relay inverse-arp
     frame-relay map ip 172.5.17.7 107 broadcast

    R7
    interface Serial1/0
     ip address 172.5.17.7 255.255.255.0
     encapsulation frame-relay
     no frame-relay inverse-arp
     frame-relay map ip 172.5.17.1 701 broadcast

    1.2 Configure IP address YY.YY.26.10 for the management VLAN on SW1; make sure Admin in vlan26 can telnet to SW1.
    Notes: Configure the IP address on vlan 26 on SW1 and check line vty on SW1; it should already be configured with a password and login enabled. Verify whether all the VLANs and trunks are working properly.

    interface vlan26
     ip add 5.5.26.10 255.255.255.0
     no sh
    line vty 0 4
     password cisco
     login


    1.3 Configure Frame-relay Traffic Shaping between R1 & R7 as specified below:

    CIR 2048 kbps
    Min CIR 1024 kbps
    BC 256 kbps

    When the interface queue exceeds 30 packets, speed should be throttled down to Min CIR.
    The traffic shaping question is no longer in the lab, but in case you get it:
    Steps:
    1. Enable frame-relay traffic-shaping on the physical interface.
    2. map-class frame-relay XXXX.
    3. Configure cir, mincir and bc.
    4. Most important, don't forget to configure frame-relay adaptive-shaping interface-congestion.
    5. Apply the class to the interface-dlci.

    R1
    map-class frame-relay R1-R7
     frame-relay cir 2048000
     frame-relay bc 256000
     frame-relay mincir 1024000
     frame-relay adaptive-shaping interface-congestion 30
    int s1/0
     frame-relay traffic-shaping
     frame-relay interface-dlci 107
      class R1-R7

    R7
    map-class frame-relay R7-R1
     frame-relay cir 2048000
     frame-relay bc 256000
     frame-relay mincir 1024000
     frame-relay adaptive-shaping interface-congestion 30
    int s1/0
     frame-relay traffic-shaping
     frame-relay interface-dlci 701
      class R7-R1

    Verification


    1.4 Customer ABC has decided to use PPP over Ethernet at its Site 1. To meet this requirement, configure PPPoE between R1 and ISP AS 267 PE router R6. Customer router R1 should initiate the session and R6 should respond. Client device R1 is expecting a dynamic IP address 172.10.16.1/24 assigned from the ISP PE router. Configure CHAP for authentication, username CCIE password CCIE. R6 is already configured with the AAA commands below:
    aaa new-model
    aaa authentication login default line none

    Notes: Don't forget to enable vpdn on both routers R1 and R6.
    R1 doesn't support DDR.
    R6 is preconfigured with the AAA command below:
    aaa authentication login default login line
    R6 is preconfigured with IP address 172.10.16.6/24 on interface FastEthernet3/0.


    Don't remove it; you will break the initial configuration and lose the marks.
    First and Recommended Answer:
    Steps:
    1- Add ip unnumbered under both the virtual and dialer interfaces.
    2- Add ip address dhcp on the physical client interface.
    3- Add ip vrf for on the server physical interface in the VPN section.
    4- Configure everything else on the virtual / dialer interfaces (Routing, MPLS, and Multicast).
    5- If multicast doesn't work, add it on the physical interfaces on both sides, but this is a rare situation.
    Be very careful while dealing with AAA or you will find yourself locked out of router R6.

    R1
    vpdn enable
    !
    bba pppoe global
    interface FastEthernet0/1
     pppoe enable group global
     pppoe-cl dial 1
    interface Dialer1
     ip address dhcp
     ip mtu 1492
     encapsulation ppp
     dialer pool 1
     ppp chap hostname CCIE
     ppp chap password 0 CCIE

    R6
    aaa authentication ppp PPPOE local
    username CCIE password CCIE
    ip dhcp excluded-address 172.5.16.2 172.5.16.254
    !
    ip dhcp pool PPPOE
     network 172.5.16.0 255.255.255.0
    vpdn enable
    !
    bba pppoe global
    !
    interface FastEthernet0/1
     ip address 172.5.16.6 255.255.255.0
     pppoe enable
    !
    interface Virtual-Template16
     ip unn FastEthernet0/1
     peer default ip address pool PPPOE
     ppp authentication chap callin PPPOE
    !
    bba pppoe global
     virtual-template 16

    Verification


    Second Answer:
    R1
    vpdn enable
    !
    vpdn-group 1
     request-dialin
      protocol pppoe
    OR
    bba pppoe global

    interface FastEthernet0/1
     mac-address 9876.5432.1abc
     pppoe enable
     pppoe-client dial-pool-number 1
    !
    interface Dialer1
     ip address dhcp
     ip dhcp client client-id Fa0/1
     dialer pool 1
     ip mtu 1492


     encapsulation ppp
     ppp chap hostname CCIE
     ppp chap password CCIE

    R6
    vpdn enable
    !
    vpdn-group 1
     accept-dialin
      protocol pppoe
      virtual-template 1
    OR
    bba pppoe global
     virtual-template 1
    aaa authentication ppp PPPoE local
    username CCIE password CCIE
    !
    ip dhcp pool PPPOE
     network 172.5.16.1 255.255.255.0
     client-identifier 0198.7654.321a.bc
    !
    interface FastEthernet0/1
     ip address 172.5.16.6 255.255.255.0
     pppoe enable
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet0/1
     peer default ip address dhcp-pool PPPOE
     ppp authentication chap callin PPPoE

    How to get Client ID

    1) Configure the DHCP pool and host IP without a client identifier.
    2) Debug ip dhcp server packet (you can get the client ID):
    *May 22 17:55:07.187: DHCPD: DHCPDISCOVER received from client 0198.7654.321a.bc on interface Virtual-Access1.1.
    3) Add the client-ID to the host IP.
    4) Refresh the DHCP binding and clear the client dialer interface.
    5) The client should now obtain an IP address from the host-based pool.
    Useful commands:
    Clear pppoe all
    debug pppoe packet
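The client ID seen in the debug line is the client's Ethernet MAC address prefixed with the hardware-type byte 01, so it can be derived from the mac-address configured on R1 and cross-checked against the debug output. The Python below is an added example, not from the workbook; the function names are hypothetical, and the MAC address and debug line are the ones shown above.

```python
import re


def _dotted(hex_digits):
    """Group a hex string in blocks of four, Cisco style."""
    return ".".join(hex_digits[i:i + 4] for i in range(0, len(hex_digits), 4))


def mac_to_client_id(mac):
    """Build the DHCP client-identifier for an Ethernet MAC address:
    one hardware-type byte (01 = Ethernet) followed by the 6 MAC bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return _dotted("01" + digits)


def client_id_to_mac(client_id):
    """Recover the MAC address from an Ethernet-type client-identifier."""
    digits = client_id.replace(".", "").lower()
    if not re.fullmatch(r"01[0-9a-f]{12}", digits):
        raise ValueError(f"not an Ethernet client-identifier: {client_id!r}")
    return _dotted(digits[2:])


# Matches the DHCPDISCOVER line printed by `debug ip dhcp server packet`.
# \s* tolerates the log line being wrapped right after "interface".
DISCOVER_RE = re.compile(
    r"DHCPDISCOVER received from client (?P<cid>[0-9A-Fa-f.]+) "
    r"on interface\s*(?P<intf>[\w/.\-]+)"
)


def parse_discover(line):
    """Return (client_id, interface) from a debug line, or None."""
    m = DISCOVER_RE.search(line)
    if not m:
        return None
    return m["cid"].rstrip(".").lower(), m["intf"].rstrip(".")


def binding_matches(debug_line, client_mac):
    """True when the client ID in the debug line belongs to client_mac."""
    parsed = parse_discover(debug_line)
    return parsed is not None and parsed[0] == mac_to_client_id(client_mac)


# Debug line as shown in step 2; MAC as configured on R1 Fa0/1.
DEBUG_LINE = ("*May 22 17:55:07.187: DHCPD: DHCPDISCOVER received from client "
              "0198.7654.321a.bc on interface Virtual-Access1.1.")
R1_MAC = "9876.5432.1abc"

if __name__ == "__main__":
    print("client-identifier", mac_to_client_id(R1_MAC))
    print("seen in debug    ", parse_discover(DEBUG_LINE))
    print("match            ", binding_matches(DEBUG_LINE, R1_MAC))
```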

    Verification


    Section 2 IGP:

    2.1 ISIS has been preconfigured in AS 267 with some problems; make sure you troubleshoot those to restore connectivity as per the desired conditions.
    Refer to the table below to configure ISIS areas and interfaces:
    Area      Router Name   Interface
    49.00YY   R2            Loopback0, GigabitEthernet0/0.26, GigabitEthernet0/0.27
    49.00YY   R6            Loopback0, GigabitEthernet0/0.26, GigabitEthernet0/0.67
    49.10YY   R7            Loopback0, Loopback1, GigabitEthernet0/0.27, GigabitEthernet0/0.67
    No other interfaces except the ones mentioned in the table are allowed to run ISIS in AS 267.

    2.2 One new Level-1 router will be added in AS 267 between PE routers R2 & R6; this new router needs to have ISIS external routes for the ISIS Level-2 routes of AS 267 in its routing table.
    Don't use the route-map feature to achieve this requirement.

    Troubleshooting: (Wrong Net ID is configured on R7)
    Notes: Check the routes of the loopbacks and ping them; apart from this, test-ping the CLNS NET addresses of the neighbors.


    R2
    router isis
     net 49.1010.0000.0000.0002.00
     redistribute isis ip level-2 into level-1 distribute-list 100
    access-list 100 permit ip any any
    !
    interface GigabitEthernet0/0.27
     isis circuit-type level-2
     ip router isis
    !
    interface GigabitEthernet0/0.26
     isis circuit-type level-1
     ip router isis
    !
    int lo0
     ip router isis

    R7
    router isis
     net 47.0055.0000.0000.0007.00
     is-type level-2-only
    !
    interface GigabitEthernet0/0.27
     ip router isis
    !
    interface GigabitEthernet0/0.67
     ip router isis
    !
    int lo0 and lo1
     ip router isis

    R6
    router isis
     net 49.1010.0000.0000.0006.00
     redistribute isis ip level-2 into level-1 distribute-list 100
    access-list 100 permit ip any any
    !
    interface GigabitEthernet0/0.26
     ip router isis
     isis circuit-type level-1
    !
    interface GigabitEthernet0/0.67
     isis circuit-type level-2
     ip router isis
    !
    int lo0
     ip router isis

    Verification


    2.3 Whenever the AS 267 Vlan26 link goes down, routers should be able to detect this change as soon as possible. Make sure the optimizations below are in effect:
    Fast-detect changes
    Fastest convergence
    Lowest calculating time
    Optimized router performance, less bandwidth consumption, less CPU utilization and memory use.
    R2/R6
    router isis
     ispf level-1

    interface GigabitEthernet0/0.26
     isis hello-interval minimal level-1
     no isis hello padding
    Verification


    2.4 Configure ISIS Level-2 (or sometimes OSPF Area 0) in AS 89 between R8-R9.
    Optimize the performance by reducing the link-state packets being sent on the link between R8 and R9, only by avoiding DIS/DR election.
    49.00YY or OSPF 0   R8   Loopback0, GigabitEthernet0/0.89
    49.10YY or OSPF 0   R9   Loopback0, FastEthernet0/0.89
    No other interfaces except the ones mentioned in the table are allowed to run ISIS or OSPF in AS 267 and AS 89.
    Notes: Please do the needful and make sure you use network point-to-point in both protocols on both routers' interfaces. Use either ISIS or OSPF as per your question in the exam.

    R8
    router isis
     net 49.1202.0000.0000.0002.00
     is-type level-2-only

    int GigabitEthernet0/0.89
     ip router isis
     isis network point-to-point
     no isis csnp-interval 10

    R9
    router isis
     net 49.1209.0000.0000.0009.00
     is-type level-2-only
    int f0/0.89
     ip router isis
     isis network point-to-point
     no isis csnp-interval 10

    OSPF Configuration
    R8
    router ospf 89
     net 5.5.89.8 0.0.0.0 area 0
     net 5.5.8.8 0.0.0.0 area 0
    !
    interface GigabitEthernet0/0.89


     ip ospf network point-to-point
    R9
    router ospf 89
     net 5.5.89.9 0.0.0.0 area 0
     net 5.5.9.9 0.0.0.0 area 0
    !
    interface FastEthernet0/0.89
     ip ospf network point-to-point
    Verification
    Output includes Next Question:

    2.5 AS 89 routers participate only in level-2 ISIS adjacencies.
    As an optimization, ensure that no IS-IS adjacencies are attempted on their respective loopback0 interfaces.
    Notes: If so, use the passive-interface lo0 command to advertise the loopbacks; don't use ip router isis under the loopbacks.
    R8/R9
    router isis
     passive-interface loopback0

    2.6 Assume that only R8 and R9 on Vlan 89 are running IS-IS.


    Reduce the LSP link state by avoiding the Designated IS election on VLAN_89.
    Notes: Use network point-to-point, and remove the csnp interval 10 command after using network point-to-point.
    R8/R9
    int G/F0/0.89
     ip router isis
     isis network point-to-point
     no isis csnp-interval 10

    Verification

    2.7 Explicitly configure ISIS in AS 89 to treat the R8 and R9 loopback0 interfaces with the highest priority during ISIS RIB installation, and verify whether this is in effect.
    Notes: Verify via sh isis rib and make sure you see the tag appended to lo0. They change this question for candidates, so be sure you read it carefully and answer accordingly.
    R8
    router isis
     ip route priority high tag 100
    interface Loopback0
     isis tag 100


    R9
    router isis
     ip route priority high tag 100
    interface Loopback0
     isis tag 100
    Verification

    2.8 The metric of R9 loopback 0 in the R8 routing table should be 80, and that of R8 loopback 0 should be 256 in the R9 routing table.
    Notes: Make sure you specify the ISIS level with the metric command.
    R8
    router isis
     metric-style wide
    !
    int lo0
     isis metric 246 level-2
    R9
    router isis
     metric-style wide
    !
    int lo0
     isis metric 70 level-2
    Verification

    Section 3 BGP:

    3.1 BGP is already configured in AS 267; please troubleshoot and configure as per the requirement below:
    IBGP is preconfigured in AS 267. All the neighbors are using loopback0 for the unicast updates. There is one problem in the preconfiguration that needs to be fixed.


    IBGP is configured between R2, R6 and R7 for the unicast BGP updates. R6 is the Route-Reflector for this setup.

    3.2 BGP is already configured in AS 89; please troubleshoot and configure as per the requirement below:
    IBGP is preconfigured in AS 89. All the neighbors are using loopback0 for the unicast updates. There is one problem in the preconfiguration that needs to be fixed.

    3.3 Configure EBGP between R2-R8, R6-R9, and R8-BB2 with local AS YY.
    R2-R8 and R6-R9 are using their physical interfaces as BGP peering addresses.
    The BB2 (Autonomous System 254) IP address needs to be taken from the diagram.
    BB2 will advertise five routes 197.68.Z.0/24; make sure these are propagated in both Autonomous Systems (AS YY and AS 10YY).

    3.4 Advertise all loopback0 in AS 267 with community value 267:1, and with 89:1 in AS 89; make sure all can ping each other's loopback0.
    Make sure BB2 routes are reachable from AS 267 and AS 89 when sourcing from the Loopback0 interfaces of both Autonomous Systems.

    Troubleshooting: Update source is not configured between R2 and R7; R6 is missing the RR command for R7. Advertise all the loopback 0s. Make sure you use ip bgp community new format and send community end to end in top to bottom format.
    R8
    router bgp 89
     bgp router-id 5.5.8.8
     no bgp default ipv4-unicast
     neighbor 5.5.9.9 remote-as 89
     neighbor 5.5.9.9 update-source Loopback0
     neighbor 5.5.28.2 remote-as 267
     neighbor 150.2.10.254 remote-as 254
     neighbor 150.2.10.254 local-as 10 no-prepend
     !
     address-family ipv4
      neighbor 5.5.9.9 activate
      neighbor 5.5.9.9 send-community
      neighbor 5.5.9.9 next-hop-self
      neighbor 5.5.28.2 activate
      neighbor 5.5.28.2 send-community
      neighbor 150.2.10.254 activate
      neighbor 150.2.10.254 send-community
      network 5.5.8.8 mask 255.255.255.255 route-map C
      network 200.1.1.1 mask 255.255.255.255
    !
    route-map C
     set community 89:1

    R9
    router bgp 89
     bgp router-id 5.5.0.9
     no bgp default ipv4-unicast
     neighbor 5.5.8.8 remote-as 89
     neighbor 5.5.8.8 update-source Loopback0
     neighbor 5.5.69.6 remote-as 267
     !


     address-family ipv4
      neighbor 5.5.8.8 activate
      neighbor 5.5.8.8 send-community
      neighbor 5.5.8.8 next-hop-self
      neighbor 5.5.69.6 activate
      neighbor 5.5.69.6 send-community
      network 5.5.9.9 mask 255.255.255.255 route-map C
    !
    route-map C
     set community 89:1

    R6
    router bgp 267
     bgp router-id 5.5.6.6
     no bgp default ipv4-unicast
     neighbor 5.5.2.2 remote-as 267
     neighbor 5.5.2.2 update-source Loopback0
     neighbor 5.5.7.7 remote-as 267
     neighbor 5.5.7.7 update-source Loopback0
     neighbor 5.5.69.9 remote-as 89
     !
     address-family ipv4
      neighbor 5.5.2.2 activate
      neighbor 5.5.2.2 send-community
      neighbor 5.5.2.2 route-reflector-client
      neighbor 5.5.2.2 next-hop-self
      neighbor 5.5.7.7 activate
      neighbor 5.5.7.7 send-community
      neighbor 5.5.7.7 route-reflector-client
      neighbor 5.5.7.7 next-hop-self
      neighbor 5.5.69.9 activate
      neighbor 5.5.69.9 send-community
      network 5.5.6.6 mask 255.255.255.255 route-map C
    !
    route-map C
     set community 267:1

    R2
    router bgp 267
     bgp router-id 5.5.2.2
     no bgp default ipv4-unicast
     neighbor 5.5.6.6 remote-as 267
     neighbor 5.5.6.6 update-source Loopback0
     neighbor 5.5.7.7 remote-as 267
     neighbor 5.5.7.7 update-source Loopback0
     neighbor 5.5.28.8 remote-as 89
     !
     address-family ipv4
      neighbor 5.5.6.6 activate
      neighbor 5.5.6.6 send-community
      neighbor 5.5.6.6 next-hop-self
      neighbor 5.5.28.8 activate
      neighbor 5.5.28.8 send-community
      network 5.5.2.2 mask 255.255.255.255 route-map C
    !
    route-map C
     set community 267:1


    R7
    router bgp 267
     bgp router-id 5.5.7.7
     no bgp default ipv4-unicast
     neighbor 5.5.6.6 remote-as 267
     neighbor 5.5.6.6 update-source Loopback0
     !
     address-family ipv4
      neighbor 5.5.6.6 activate
      neighbor 5.5.6.6 send-community
      network 5.5.7.7 mask 255.255.255.255 route-map C
    route-map C
     set community 267:1

    Verification


    3.4 BGP Best Path Selection:
    1. AS 267 routers R2/R7/R6 accessing AS 89 devices R8/R9 should prefer R2 as primary exit.


    2. AS 89 routers R8/R9 accessing AS 267 devices R2/R6/R7 should prefer R8 as primary exit.
    3. AS 267 routers R2/R7/R6 accessing AS 254 BB2 routes should prefer R8 as primary exit.
    4. Configure only on R2 and R8.

    Notes: Check via trace and analyze the impact on the coming VPN section.
    R2
    router bgp 267
     add ipv4
      neighbor 5.5.28.8 route-map IP_RC in
    !
    ! Check the backbone routes to find the exact community value
    ip community-list standard 254:1 permit 254:1
    ip community-list standard 89:1 permit 89:1
    !
    route-map IP_RC permit 10
     match community 89:1
     set local-preference 200
    !
    route-map IP_RC permit 20
     match community 254:1
     set local-preference 50
    R8
    router bgp 89
     add ipv4
      neighbor 5.5.28.2 route-map IP_RC in
    !
    ip community-list standard 267:1 permit 267:1
    !
    route-map IP_RC permit 10
     match community 267:1
     set local-preference 200
    !
    route-map IP_RC permit 20

    Verification

    3.5 BGP conditional advertisement:
    AS 267 is visiting WEB server 197.68.1.0 located on AS 254 router BB2. In case the WEB server goes down, configure a loopback200 with IP address 200.1.1.1/32 on AS 267 router R8 in such a way that as long as 197.68.1.0 is in the R8 routing table, R8 does not announce loopback200 to R2. Once 197.68.1.0 (the BB2 web server) is down, R8 starts advertising loopback200 to R2.


    Optimize timers between EBGP peers R2 and R8 to detect this change ASAP.
    Notes: Please check with the instructor whether the backbone needs to receive the route of R8 loopback 200; if not, filter the Loopback 200 route from being advertised to the backbone and R9.
    A: ip bgp fast-external-failover permit (on by default)
    B: bgp scan-time 5(min)-60(def, max) the default scanning interval is 15 seconds.
    C: EBGP neighbor timer should be minimum.

    R8
    router bgp 89
     add ipv4
      network 200.1.1.1 mask 255.255.255.255
      ! Block this route from being advertised to the backbone and R9, or it will reach AS 267 via R9-R6
      neighbor 5.5.28.2 advertise-map ADV non-exist-map NONEXIST
    interface Loopback200
     ip address 200.1.1.1 255.255.255.255
    ip prefix-list LO_200 seq 5 permit 200.1.1.1/32
    !
    ip prefix-list WS seq 5 permit 197.68.1.0/24
    route-map ADV permit 10
     match ip address prefix-list LO_200
    route-map NONEXIST permit 10
     match ip address prefix-list WS

    Verification
    Shut down the backbone link or block the web server route coming from the backbone, and check the conditional route.

    Section 4 MPLS:

    4.1 Enable MPLS on the AS 267 interfaces specified in the table below.
    Use the industry-standard label distribution protocol to propagate labels.
    Configure the AS 267 devices' loopback0 address as their router ID.
    Don't enable MPLS on any interfaces other than those shown in the table below:
    Routers   Enable MPLS On
    R2        GigabitEthernet0/0.27 GigabitEthernet0/0.26


    R6        GigabitEthernet0/0.26 GigabitEthernet0/0.67
    R7        GigabitEthernet0/0.27 GigabitEthernet0/0.67

    4.2 Configure MPLS label distribution on AS 89.
    Configure the industry-standard label distribution protocol to propagate labels.
    Configure the AS 89 devices' loopback0 address as their router ID.
    Make sure R8-R9 do not advertise labels for any interfaces other than their loopback0 interfaces.

    Don't enable MPLS on any interfaces other than those shown in the table below:
    Routers   Enable MPLS On
    R8        GigabitEthernet0/0.89
    R9        GigabitEthernet0/0.89

    Notes: Verify via sh mpls ldp nei / discovery, sh mpls interface.
    Make sure cef is enabled on all MPLS LDP enabled routers. In the lab, on 3600 and 2600 series routers cef is disabled by default; please enable it.
    R2
    mpls ldp router-id Loopback0 force
    mpls label protocol ldp
    !
    interface GigabitEthernet0/0.27
     mpls ip
    !
    interface GigabitEthernet0/0.26
     mpls ip
    R6
    mpls ldp router-id Loopback0 force
    mpls label protocol ldp
    interface GigabitEthernet0/0.26
     mpls ip
    !
    interface GigabitEthernet0/0.67
     mpls ip
    R7
    mpls ldp router-id Loopback0 force
    mpls label protocol ldp
    interface GigabitEthernet0/0.67
     mpls ip
    interface GigabitEthernet0/0.27
     mpls ip

    R8/R9
    mpls ldp router-id Loopback0 force
    mpls label protocol ldp
    no mpls ldp advertise-labels
    mpls ldp advertise-labels for Local_Loops
    ip access-list standard Local_Loops
     permit 5.5.8.8
     permit 5.5.9.9
    !
    ! Make sure you enable mpls ip after configuring the commands above
    !


    interface G/F0/0.89
     mpls ip

    4.2 ISP 267 has planned to add a new router on VLAN 27. This router needs to build an LDP session with the R2 and R7 IP addresses (YY.YY.27.2 YY.YY.27.3).
    Configure R2 / R7 to be ready for this new connection in the near future.
    R2
    Int g0/0.27
     mpls ldp discovery transport-address interface
    R7
    Int g0/0.27
     mpls ldp discovery transport-address interface

    Verification:


    4.3 ATM Cell-Mode tag-switching:
    AS 267 PE router R6 connects to an ISP, ATMSP, to provide connectivity between Customer ABC sites. IP address 192.5.YY.1 (192.6.5.1) needs to be configured on the R6 ATM interface; the ATMSP PE router IP address is 192.5.YY.254.
    VPI 30+2*YY-1
    VCI 30+2*YY
    Control-VC VPI 30+2*YY-1 VCI 32
    Configure OSPF 100 between R6 and ATMSP. ATM SP will advertise two routes that include 192.5.YY.254/24 and 192.5.0.254/32.
    Advertise all ISP 267 core routes to the ATM-SP via OSPF 100.
    Make sure ISP 267 core routers R2/R7/R6 can ping the ATMSP routes.

    Notes: Please do as done below or we will lose the marks for this question. They will provide a proper sheet with the values of VPI and VCI, so don't be confused or worried.
    R6:
    interface ATM2/0.1 mpls
     ip address 192.5.10.1 255.255.255.0
     mpls label protocol both


     mpls ip
     ! Use whatever control-vc value is given in the lab
     mpls atm control-vc 49 32
     ! Use whatever VPI / VCI range is given in the lab
     mpls atm vpi 49-50 vci-range 33-65535
    !
    router ospf 100
     redistribute connected subnet
     redistribute static subnets
     redistribute isis level-1-2 subnets
     network 192.5.10.1 0.0.0.0 area 0
     distribute-list TO_ATM_SP out
    router isis
     redistribute ospf 100 level-1-2
    ip access-list standard TO_ATM_SP
     permit 5.5.2.2
     permit 5.5.6.6
     permit 5.5.7.7
     permit 192.5.0.10
     permit 5.5.26.0 0.0.0.255
     permit 5.5.27.0 0.0.0.255
     permit 5.5.67.0 0.0.0.255

    Verification:


    4.4 MPLS Traffic Engineering
    AS YY has planned to implement MPLS Traffic Engineering to solve the high utilization problem between the R2 and R6 interfaces. This traffic is being generated from R6.
    Enable RSVP and MPLS Traffic Engineering in AS 267 to set up Traffic Engineering on the required transit interfaces.

    Tunnel bandwidth should be 5 Mbit.
    Two static routes are allowed to accomplish this.
    Configure the tunnel from R6 to R2; it should transit R7.

    R6
    mpls traffic-eng tunnels
    !
    router isis
     metric-style wide
     mpls traffic-eng router-id Loopback0
     mpls traffic-eng level-2
    !
    interface GigabitEthernet0/0.67
     mpls traffic-eng tunnels
     ip rsvp bandwidth 5000
    !
    router isis
     mpls traffic-eng router-id Loopback0
     mpls traffic-eng level-2
    interface Tunnel62
     ip unnumbered Loopback0
     tunnel destination 5.5.2.2
     tunnel mode mpls traffic-eng
     tunnel mpls traffic-eng bandwidth 5000
     tunnel mpls traffic-eng path-option 1 explicit name 672
    !
    ip explicit-path name 672 enable
     next-address 5.5.67.7
     next-address 5.5.27.2
    !
    ip route 5.5.2.2 255.255.255.255 tunnel 62

    R2
    mpls traffic-eng tunnels
    !
    router isis
     metric-style wide
     mpls traffic-eng router-id Loopback0
     mpls traffic-eng level-2
    !
    interface GigabitEthernet0/0.27
     mpls traffic-eng tunnels
     ip rsvp bandwidth 5000
    R7


    router isis
     metric-style wide
     mpls traffic-eng router-id Loopback0
     mpls traffic-eng level-2
    !
    interface GigabitEthernet0/0.27
     mpls traffic-eng tunnels
     ip rsvp bandwidth 5000
    !
    interface GigabitEthernet0/0.67
     mpls traffic-eng tunnels
     ip rsvp bandwidth 5000

    Verification:

    Section 5 MPLS VPN:


    VRF Name     RD Value   RT Value
    ABC Site 1   267:6      267:6
    ABC Site 2   267:3      267:3
    ABC Site 3   267:6      267:6
    XYZ Site 2   267:27     267:27
    XYZ Site 2   267:27     267:27
    Notes: All VRFs are already configured in the lab; you need to verify them and do the import.

    5.1 MP-IBGP is preconfigured in AS 267. R2 is configured to act as Route Reflector for Autonomous System 267 for BGP VPNv4 unicast.
    Devices in AS 267 should use their loopback0 as the source for the BGP VPNv4 unicast session.
    There is one issue with the preconfiguration; make sure you correct it.
    MP-IBGP unicast should not be sent to any device other than those specified in the question.

    5.2 MP-IBGP is preconfigured in AS 89. R8 and R9 have been configured as peers for BGP VPNv4 unicast.
    Devices in AS 89 should use their loopback0 as the source for the BGP VPNv4 unicast session.
    MP-BGP unicast should not be sent to any device other than those specified in the question.

    R2
    router bgp 267
     neighbor 5.5.7.7 remote-as 267
     neighbor 5.5.7.7 update-source Loopback0
     !
     address-family vpnv4
      neighbor 5.5.6.6 activate
      neighbor 5.5.6.6 send-community extended
      neighbor 5.5.6.6 route-reflector-client
      neighbor 5.5.7.7 activate
      neighbor 5.5.7.7 send-community extended
      neighbor 5.5.7.7 route-reflector-client
    R6
    router bgp 267
     address-family vpnv4
      neighbor 5.5.2.2 activate
      neighbor 5.5.2.2 send-community extended
    R7
    router bgp 267
     address-family vpnv4
      neighbor 5.5.2.2 activate
      neighbor 5.5.2.2 send-community extended
    R8
    router bgp 89
     address-family vpnv4
      neighbor 5.5.9.9 activate


      neighbor 5.5.9.9 send-community extended
      ! next-hop-self will be needed in the next questions
      neighbor 5.5.9.9 next-hop-self
    R9
    router bgp 89
     address-family vpnv4
      neighbor 5.5.8.8 activate
      neighbor 5.5.8.8 send-community extended

    5.3 ABC Site 1
    VRF ABC is preconfigured on R6.
    OSPF in ABC Site 1 on R1 has already been configured.
    Configure OSPF 200 as the PE-CE routing protocol for ABC Site 1.
    Enable OSPF 200 on R8 and R7 for the networks specified below:
    R6   172.YY.16.6   OSPF 200 Area 0
    R1   172.YY.16.1   OSPF 200 Area 0
    After configuration, make sure R6 has all the VRF ABC Site 1 routes in the BGP address family for Customer ABC.
    Notes: MTU has already been matched in the 1st question on the dialer of R1.
    R6
    router ospf 200 vrf ABC
     redistribute bgp 267 subnets
     network 172.5.6.6 0.0.0.0 area 0
     network 172.5.16.6 0.0.0.0 area 0
    !
    router bgp 267
     address-family ipv4 vrf ABC
      redistribute ospf 200 vrf ABC match internal external 1 external 2
    R1
    router ospf 200
     network 172.5.11.11 0.0.0.0 area 0
     network 172.5.16.1 0.0.0.0 area 0

    Verification:


    5.4 ABC Site 2
    Customer ABC has decided to run RIP-V2 as the PE-CE routing protocol between R2-BB1 for ABC Site 2.
    Provider router R2 should get only the first 7 routes of network 197.68.Z.0 from BB1.
    Additionally, configure the Site of Origin value YY:XX for ABC Site 2 routes learned from BB1.
    After the configuration, make sure both ABC sites' routes appear in the R2 and R6 VPN tables.
    Make sure Customer ABC Site 1 and Site 2 can access each other.
    R2
    router rip
     !
     address-family ipv4 vrf ABC
      ver 2
      redistribute bgp 267 metric trans
      network 150.1.0.0


      distribute-list FROM_BB1 in FastEthernet0/0.50
    !
    ip access-list standard FROM_BB1
     permit 199.172.0.0 0.0.3.255
    router bgp 267
     address-family ipv4 vrf ABC
      red rip
    route-map soo
     set extcommunity soo yy:xx
    !
    int g0/0.50
     ip vrf sitemap soo

    R2
    ip vrf ABC
     route-target import 267:6
    R6
    ip vrf ABC
     route-target import 267:3
    Verification:

    5.5 XYZ site 1
    ISP 267 has agreed to provide MPLS VPN service to Customer XYZ; to make this work, configure R2 and R7 as PE routers.
    Customer XYZ has agreed to run OSPF process ID 100 as IGP.
    Advertise the networks in the table below on R2 and R7 respectively to form OSPF adjacencies with Customer XYZ routers R1 and R3.
    R2   172.YY.23.2   OSPF 100 Area 0
    R7   172.YY.17.7   OSPF 100 Area 0
    Notes:
    R1 is preconfigured with vrf lite for the XYZ site, and OSPF 100 area 0 is preconfigured on R1 and R3.
    No need to use capability vrf-lite in OSPF on R1; it works smoothly without it.
    R1
    ip vrf XYZ
     rd 267:27
    !
    interface Loopback0
     ip vrf for XYZ
     ip address 172.5.1.1 255.255.255.0
    interface FastEthernet0/0.13
     ip vrf for XYZ
     encapsulation dot1Q 13
     ip address 172.5.13.1 255.255.255.0
    !
    interface Serial1/0
     ip vrf for XYZ
     ip address 172.5.17.1 255.255.255.0


     encapsulation frame-relay
     ip ospf network point-to-point
    !
    router ospf 100 vrf XYZ
     network 172.5.1.1 0.0.0.0 area 0
     network 172.5.13.1 0.0.0.0 area 0
     network 172.5.17.1 0.0.0.0 area 0

    R7
    router ospf 100 vrf XYZ
     domain-id 7.7.7.7
     redistribute bgp 267 metric-type 1 subnets
     network 172.5.17.7 0.0.0.0 area 0
    !
    router bgp 267
     address-family ipv4 vrf XYZ
      redistribute ospf 100 vrf XYZ mat i e
    R2
    router ospf 100 vrf XYZ
     redistribute bgp 267 subnets
     network 172.5.23.2 0.0.0.0 area 0
    !
    router bgp 267
     address-family ipv4 vrf XYZ
      redistribute ospf 100 vrf XYZ mat i e
    R3
    router ospf 100
     network 172.5.3.3 0.0.0.0 area 0
     network 172.5.13.3 0.0.0.0 area 0
     network 172.5.23.3 0.0.0.0 area 0

    Verification:

    5.6 Inter-AS Option 2 and 3 merger option: configure between R7 and R8.
    AS 89 has agreed to provide VPN services to AS 267. Configure EBGP peering between R7 and R8.
    Notes: Check the solution properly and make sure you understand the trick of this question.
    R7
    router bgp 267
     neighbor 5.5.8.8 ebgp-multihop 267


     neighbor 5.5.8.8 update-source Loopback0
     address-family vpnv4
      neighbor 5.5.8.8 activate
      neighbor 5.5.8.8 send-community extended
    R8
    router bgp 89
     no bgp default route filter
     neighbor 5.5.7.7 remote-as 267
     neighbor 5.5.7.7 ebgp-multihop 255
     neighbor 5.5.7.7 update-source Loopback0
     !
     add ipv4
      neighbor 5.5.28.2 send-label
     !
     address-family vpnv4
      neighbor 5.5.7.7 activate
      neighbor 5.5.7.7 send-community extended

    R9
    router bgp 89
     !
     add ipv4
      neighbor 5.5.69.6 send-label
    R6
    router bgp 267
     add ipv4
      neighbor 5.5.69.9 send-label
    !
    ip community-list standard 89:1 permit 89:1
    !
    route-map T_L
     match commu 89:1
     match mpls-label
    router isis
     redistribute bgp 267 level-1-2 route-map T_L
    R2
    router bgp 267
     add ipv4
      neighbor 5.5.28.8 send-label
    !
    ip community-list standard 89:1 permit 89:1
    !
    route-map T_L
     match commu 89:1
     match mpls-label
    !
    router isis
     redistribute bgp 267 level-1-2 route-map T_L
    Notes: Better to add match mpls-label to the route maps applied for route control on R2 and R8.

    Verification:
    Below are the things you need to be sure of on R7:


    Below are the things you need to be sure of on R2:

    Below are the things you need to be sure of on R6:

    Below are the things you need to be sure of on R8:


    5.7 ABC Site 3
    Customer ABC has decided to run RIP V2 as IGP in Site 2.
    Enable RIP V2 between R8-R4 and advertise the networks given in the table below:
    R4   172.YY.48.0   RIP V2
    R4   172.YY.4.4    RIP V2
    R8   172.YY.48.0   RIP V2
    Make sure ABC Site 1 and Site 3 can access each other, and ping should not pass via ABC Site 2.

    Notes: R4 is preconfigured. Do sh ip bgp vpnv4 on R6 and R8 and check that you are getting all the routes. Check the next hop for those VPN routes; after determining that, ping the next hops from the global table and check in the MPLS forwarding table that you have a transport label for those next hops. The import is already done in the lab for this section. If you are not getting Site 3 routes on R6, reload R7 or do a hard clear of BGP on R7.

    R8
    router rip
     !
     address-family ipv4 vrf ABC
      ver 2
      redistribute bgp 89 metric trans
      network 172.5.0.0
    router bgp 89
     address-family ipv4 vrf ABC
      redistribute rip
    R4
    router rip
     ver 2
     network 172.5.0.0
    R7
    router bgp 267
     no bgp default route filter
    PLEASE DO IMPORT OF RT.

    Verification:

    5.8 XYZ site 2

    Customer XYZ has agreed to run BGP 65531 as IGP at its Site 2.
    Configure EBGP between R9 and R5; the BGP AS is 65531.
    Advertise the networks in the table below on R5 into BGP.

    R5   172.YY.59.0   BGP 65531
    R5   172.YY.5.5    BGP 65531

    Notes: The import is already done. R5 is a 2600 and you can face strange behavior; if R5 is unable to advertise routes into BGP, please reload it. Do the required check for next hop and label. R9 will only have a forwarding label for R8, and you will be getting all the VPN routes with a next hop of R8 due to LDP conditions; we pointed next-hop-self between R8 and R9 toward each other.

    R9
    router bgp 89
     address-family ipv4 vrf XYZ
      neighbor 172.10.59.5 remote-as 65531
      neighbor 172.10.59.5 activate

    R5
    router bgp 65531
     ! peer is R9 (172.10.59.9, the address R5 uses for R9 in 7.4)
     neighbor 172.10.59.9 remote-as 89
     neighbor 172.10.59.9 activate
     redistribute connected
    (You can use the network command instead.)

    Verification:

    5.9 VPN Route Control:
    Configure R7 as primary exit for XYZ Site 1.
    Make sure R2 acts as backup when the link between R1 and R7 is down.
    Even if the R1-R3 link goes down, R1 and R3 should be able to access each other via AS 267.
    Notes: A domain ID is required to solve this issue; configure a better metric on R7.

    R7
    router ospf 100 vrf XYZ
     domain-id 7.7.7.7
     redistribute bgp 267 metric-type 1 subnets

    Verification:

    Verification:

    5. Configure ISP AS 267 to establish an MP-EBGP session with ATM SP AS 254; the peering IP address of ATM SP is 192.5.0.254.
    ATM SP has configured R7 loopback1 192.5.0.1 for the BGP peering address.
    ATM has configured R7 in BGP AS YY.
    Customer ABC Site 1 should be able to access three routes learned from ATM SP.
    5.1.1.0/24
    129.29.20/24
    200.2.1.0/24
    ATM SP RT is 129.29.2.9:1.

    R7
    router bgp 267
     neighbor 192.5.0.254 remote-as 254
     neighbor 192.5.0.254 local-as 10 no-prepend
     neighbor 192.5.0.254 ebgp-multihop 255
     neighbor 192.5.0.254 update-source Loopback1
     !
     address-family vpnv4
      neighbor 192.5.0.254 activate
      neighbor 192.5.0.254 send-community extended
      neighbor 192.5.0.254 next-hop-unchanged

    R6:
    ip vrf ABC
     route-target import 129.29.2.9:1

    Verification:

    Check the labels and do a ping. So far you have got past the VPN trap; up to here your answers are 100% correct, and they will be for the next sections as well. Great job, buddy! There is no Internet question in this lab any more.

    Section 6 Multicast:
    6.1 Configure multicast routing for AS 267; enable PIM sparse mode on the interfaces in the given table.
    R6 should be the RP for this multicast domain; it should announce itself as a BSR router.

    Router Name   Interfaces
    R2            Loopback0, GigabitEthernet0/0.27, GigabitEthernet0/0.26, Serial1/0
    R6            Loopback0, FastEthernet0/0.27, FastEthernet0/0.67
    R7            Loopback0, GigabitEthernet0/0.27, GigabitEthernet0/0.67

    6.2 Configure multicast routing for AS 89; enable PIM sparse mode on the interfaces given in the table below.
    R8 should be the static RP for AS 89.

    R8            Loopback0, FastEthernet0/0.89
    R9            Loopback0, FastEthernet0/0.89

    Note: Enable IP multicast routing on all required devices. Don't miss enabling ip multicast-routing on the required routers.

    R6
    ip multicast-routing
    ip mroute 5.5.2.2 255.255.255.255 5.5.26.2
    int lo0
     ip pim sparse-mode
    int g0/0.67
     ip pim sparse-mode
    int g0/0.26
     ip pim sparse-mode
    ip pim bsr-candidate Loopback0 0
    ip pim rp-candidate Loopback0

    R2
    ip multicast-routing
    int lo0
     ip pim sparse-mode
    int g0/0.27
     ip pim sparse-mode
    int g0/0.26
     ip pim sparse-mode
    int s1/0
     ip pim bsr-border
     ip pim sparse-mode
     ! the boundary is not needed, but it is better to use it
     ip multicast boundary 24
    ! Auto-RP groups: 224.0.1.39 (announce) and 224.0.1.40 (discovery)
    access-list 24 deny 224.0.1.39
    access-list 24 deny 224.0.1.40
    access-list 24 permit any

    R7
    ip multicast-routing
    int lo0
     ip pim sparse-mode
    int g0/0.27
     ip pim sparse-mode
     ip igmp join-group 239.7.7.7
    int g0/0.67
     ip pim sparse-mode

    R8
    ip multicast-routing
    int lo0
     ip pim sparse-mode
    int g0/0.89
     ip pim sparse-mode
    int s1/0
     ip pim bsr-border
     ! the boundary is not needed, but it is better to use it
     ip multicast boundary 24
    ! Auto-RP groups: 224.0.1.39 (announce) and 224.0.1.40 (discovery)
    access-list 24 deny 224.0.1.39
    access-list 24 deny 224.0.1.40
    access-list 24 permit any
    ip pim rp-address 5.5.8.8

    R9
    ip multicast-routing
    int lo0
     ip pim sparse-mode
    !
    int g0/0.89
     ip pim sparse-mode

    Verification:

    6.2 Enable MSDP between AS 267 and AS 89.
    RP info should not leak between AS 278 and 89.

    R6
    ip msdp peer 5.5.8.8 connect-source Loopback0 remote-as 89

    R8
    ip msdp peer 5.5.6.6 connect-source Loopback0 remote-as 267

    Verification:

    Verification:

    6.3 Enable PIM SM in ABC Site 1 and Site 3; R1 interface f0/0.11 needs to be configured as the static RP.

    R1
    ip multicast-routing
    interface Dialer1
     ip pim sparse-mode
    int f0/0.11
     ip pim sparse-mode
     ip igmp join-group 239.11.11.11
    ip pim rp-address 172.5.11.1

    R6
    ip multicast-routing vrf ABC
    ip pim vrf ABC rp-address 172.5.11.1
    ip vrf ABC
     mdt default 239.1.1.1
     mdt data 239.6.6.0 0.0.0.255 threshold 100
    interface Virtual-Template16
     ip pim sparse-mode

    R8
    ip multicast-routing vrf ABC
    ip pim vrf ABC rp-address 172.5.11.1
    interface GigabitEthernet0/0.48
     ip pim sparse-mode
    ip vrf ABC
     mdt default 239.1.1.1
     mdt data 239.8.8.0 0.0.0.255 threshold 100

    R4
    ip multicast-routing
    ip pim rp-address 172.5.11.1
    interface GigabitEthernet0/0.48
     ip pim sparse-mode

    Section 7 Security and Management:
    All the questions of v3.1-2-3 are here; you will get some of these, not all.
    7.1 R8 filters some BGP routes from BB2; use a prefix-list to achieve this filtering.
    The following prefixes need to be filtered:

    RFC1918
    Multicast
    AS 267 and 89 loopback0 routes

    Also protect AS 89 from an ICMP attack coming from the backbone.

    R8
    ip prefix-list RFC1918_OTHERS seq 5 deny 5.5.0.0/16 le 32
    ip prefix-list RFC1918_OTHERS seq 10 deny 172.16.0.0/12 le 32
    ip prefix-list RFC1918_OTHERS seq 15 deny 192.168.0.0/16 le 32
    ip prefix-list RFC1918_OTHERS seq 20 deny 10.0.0.0/8 le 32
    ip prefix-list RFC1918_OTHERS seq 25 deny 224.0.0.0/4 le 32
    ip prefix-list RFC1918_OTHERS seq 30 permit 0.0.0.0/0 le 32
    router bgp 89
     address-family ipv4
      neighbor 150.2.10.254 prefix-list RFC1918_OTHERS in
    !
    access-list 101 permit icmp any any
    !
    interface GigabitEthernet0/0.60
     rate-limit input access-group 101 6400000 8000 8000 conform-action transmit exceed-action drop
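How the RFC1918_OTHERS list from 7.1 treats received prefixes, and what changes if "le 32" is left off the deny entries, as an added Python example (not part of the original workbook). The sample prefixes are constructed for illustration and are not lab output.

```python
import ipaddress

# RFC1918_OTHERS as configured on R8 in 7.1: (seq, action, prefix, ge, le)
RFC1918_OTHERS = [
    (5, "deny", "5.5.0.0/16", None, 32),
    (10, "deny", "172.16.0.0/12", None, 32),
    (15, "deny", "192.168.0.0/16", None, 32),
    (20, "deny", "10.0.0.0/8", None, 32),
    (25, "deny", "224.0.0.0/4", None, 32),
    (30, "permit", "0.0.0.0/0", None, 32),
]

def evaluate(route, entries):
    """Return (action, seq) of the first matching entry, IOS prefix-list style."""
    net = ipaddress.ip_network(route)
    for seq, action, prefix, ge, le in sorted(entries, key=lambda e: e[0]):
        base = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = base.prefixlen          # no ge/le: exact length only
        else:
            lo = base.prefixlen if ge is None else ge
            hi = 32 if le is None else le
        if lo <= net.prefixlen <= hi and net.subnet_of(base):
            return action, seq
    return "deny", None                       # implicit deny at the end

def filter_updates(routes, entries):
    """Split received prefixes into (accepted, rejected) lists."""
    accepted = [r for r in routes if evaluate(r, entries)[0] == "permit"]
    rejected = [r for r in routes if r not in accepted]
    return accepted, rejected

# Constructed sample of prefixes a BB2 peer might announce (not lab output).
SAMPLE_UPDATES = ["5.5.8.8/32", "10.20.0.0/16", "172.16.5.0/24", "172.32.0.0/16",
                  "192.168.1.0/24", "239.1.1.0/24", "150.2.10.0/24", "0.0.0.0/0"]

# The common mistake: the same list with "le 32" left off the deny entries.
WITHOUT_LE = [(s, a, p, None, None) if a == "deny" else (s, a, p, g, m)
              for s, a, p, g, m in RFC1918_OTHERS]

if __name__ == "__main__":
    for name, pl in (("RFC1918_OTHERS", RFC1918_OTHERS), ("without le 32", WITHOUT_LE)):
        ok, bad = filter_updates(SAMPLE_UPDATES, pl)
        print(f"{name}: accepted={ok} rejected={bad}")
```

Without "le 32" each deny entry matches only the exact aggregate, so every more-specific RFC1918, multicast and loopback prefix in the sample reaches the final permit.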

    Verification:

    7.2 Make sure traffic coming from AS 254 BB2 has its source address in the routing table of PE router R8 in AS 89; all violations should be logged to the router's buffer.

    R8
    logging buffered
    int GigabitEthernet0/0.60
     ip verify unicast source reachable-via rx 155
    ! packets that fail the uRPF check are matched against ACL 155: dropped and logged
    access-list 155 deny ip any any log
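What "reachable-via rx" (strict) drops compared with "reachable-via any" (loose), as an added Python example that is not part of the original workbook. Only the interface GigabitEthernet0/0.60 comes from the page; the FIB entries, the other interface and the packet sources are constructed assumptions.

```python
import ipaddress

BB2_IF = "GigabitEthernet0/0.60"      # R8 interface toward BB2 (from 7.2)

# Constructed global FIB for R8: (prefix, outgoing interface). Assumed values.
FIB = [
    ("150.2.0.0/16", BB2_IF),
    ("150.2.99.0/24", "FastEthernet0/0.89"),   # more specific, learned internally
    ("5.5.9.9/32", "FastEthernet0/0.89"),      # assumed internal loopback route
]

def lookup(src, fib):
    """Longest-prefix match on the source; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_pass(src, in_if, fib, mode="rx"):
    """rx = strict: the best route back to src must use in_if. any = loose."""
    out_if = lookup(src, fib)
    if out_if is None:
        return False                  # no route to the source at all
    return out_if == in_if if mode == "rx" else True

def dropped(packets, fib, mode="rx"):
    """Sources that fail the check (on R8 these hit 'deny ip any any log')."""
    return [src for src, in_if in packets if not urpf_pass(src, in_if, fib, mode)]

# Constructed packets, all arriving on the BB2-facing interface.
PACKETS = [("150.2.10.254", BB2_IF),  # legitimate BB2 source
           ("150.2.99.1", BB2_IF),    # best route points to another interface
           ("5.5.9.9", BB2_IF),       # internal address spoofed from outside
           ("198.51.100.7", BB2_IF)]  # no route at all

if __name__ == "__main__":
    print("strict:", dropped(PACKETS, FIB, "rx"))
    print("loose: ", dropped(PACKETS, FIB, "any"))
```

Loose mode only catches sources with no route at all; the spoofed internal address is dropped only in strict mode.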

    7.3 Configure LDP Encryption in AS 267 between R2/R7/R6.

    R2
    ! the neighbor password enables TCP MD5 authentication of the LDP session
    mpls ldp neighbor 5.5.7.7 password Cisco
    ! needed because of the transport-address interface
    mpls ldp neighbor 5.5.27.7 password Cisco
    mpls ldp neighbor 5.5.6.6 password Cisco

    R7
    mpls ldp neighbor 5.5.2.2 password Cisco
    mpls ldp neighbor 5.5.27.2 password Cisco
    mpls ldp neighbor 5.5.6.6 password Cisco

    R6
    mpls ldp neighbor 5.5.2.2 password Cisco
    ! R7 Loopback0
    mpls ldp neighbor 5.5.7.7 password Cisco

    7.4 To make the PE-CE peering secure, configure BGP encryption between R9 and R5.
    R9 continuously receives BGP session setup attempts from a hostile host in the XYZ Site 2 POP. Please block this.

    R5
    router bgp 65531
     ! the neighbor password enables TCP MD5 authentication of the BGP session
     neighbor 172.10.59.9 password cisco

    R9
    router bgp 89
     address-family ipv4 vrf XYZ
      neighbor 172.10.59.5 password cisco
    access-list 179 permit tcp host 172.10.58.8 host 172.10.58.5 eq bgp
    access-list 179 deny tcp any host 172.10.58.5 eq bgp
    access-list 179 permit tcp host 172.10.58.8 eq bgp host 172.10.58.5
    access-list 179 deny tcp any eq bgp host 172.10.58.5
    access-list 179 permit ip any any
    interface ethernet0/0.58
     ip access-group 179 in

    7.5 Telnet Access Control
    Limit Telnet access to R6 to allow only addresses from the other routers' loopback addresses. All other telnet traffic to the routers should be dropped. You cannot use VTY ACLs, interface-based ACLs, or RACLs to achieve this requirement.

    R6
    ip access-list extended T_C
     deny tcp host 5.5.2.2 any eq telnet
     deny tcp host 5.5.6.6 any eq telnet
     deny tcp host 5.5.7.7 any eq telnet
     deny tcp host 192.5.0.10 any eq telnet
     permit tcp any any eq telnet
    class-map match-any T_L
     match access-group name T_C
    policy-map CoPP_TL
     class T_L
      drop
    control-plane
     service-policy input CoPP_TL

    Do Telnet and Check Hits
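The inverted logic of the 7.5 control-plane policy (a deny in ACL T_C keeps a source out of the drop class) as an added Python example, not part of the original workbook. The audit list of management sources is an assumption: 5.5.8.8 appears on the page as R8 Loopback0, 5.5.9.9 is assumed for R9.

```python
import ipaddress

# ACL T_C from 7.5, first match wins: (action, source, destination port)
T_C = [
    ("deny", "5.5.2.2/32", 23),
    ("deny", "5.5.6.6/32", 23),
    ("deny", "5.5.7.7/32", 23),
    ("deny", "192.5.0.10/32", 23),
    ("permit", "0.0.0.0/0", 23),
]

def acl_permits(src, dport, acl):
    """True only if the first matching entry is a permit (implicit deny otherwise)."""
    addr = ipaddress.ip_address(src)
    for action, net, port in acl:
        if dport == port and addr in ipaddress.ip_network(net):
            return action == "permit"
    return False

def control_plane_verdict(src, dport, acl=T_C):
    """Class T_L holds what the ACL permits; policy CoPP_TL drops that class.
    Anything the ACL denies falls to class-default and is punted as usual."""
    return "drop" if acl_permits(src, dport, acl) else "punt"

def locked_out(mgmt_sources, acl=T_C):
    """Management sources whose telnet to R6 the policy would drop."""
    return [s for s in mgmt_sources if control_plane_verdict(s, 23, acl) == "drop"]

# Assumed audit list of router loopbacks that should keep telnet access.
MGMT_SOURCES = ["5.5.2.2", "5.5.6.6", "5.5.7.7", "5.5.8.8", "5.5.9.9"]

if __name__ == "__main__":
    for src, port in (("5.5.7.7", 23), ("203.0.113.9", 23), ("203.0.113.9", 179)):
        print(src, port, control_plane_verdict(src, port))
    print("not exempted:", locked_out(MGMT_SOURCES))
```

Running the audit before attaching the policy shows which loopbacks still need a deny entry in T_C; the telnet hit counters mentioned above then confirm the result on the router.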

    7.6 Configure Traffic Engineering priority for the tunnel configured on R6.

    int t62
     tunnel mpls traffic-eng priority 0 0

    7.7 Configure R9 to remark the IP TOS field of packets that may have the experimental bit set and are coming from the ISP core to R5.
    This remarking should be done before the customer traffic is sent to R5. Use the mappings below:

    MPLS Experimental   QOS Group   IP Precedence
    0                   0           0
    1                   1           1
    2                   2           2
    3                   3           3
    4                   4           4
    5                   5           5
    6                   6           6
    7                   7           7

    class-map match-all M5
     match mpls experimental topmost 5
    class-map match-all M4
     match mpls experimental topmost 4
    class-map match-all M7
     match mpls experimental topmost 7
    class-map match-all M6
     match mpls experimental topmost 6
    class-map match-all M1
     match mpls experimental topmost 1
    class-map match-all M0
     match mpls experimental topmost 0
    class-map match-all M3
     match mpls experimental topmost 3
    class-map match-all M2
     match mpls experimental topmost 2
    policy-map MQ
     class M7
      set qos-group 7
     class M6
      set qos-group 6
     class M5
      set qos-group 5
     class M4
      set qos-group 4
     class M3
      set qos-group 3
     class M2
      set qos-group 2
     class M1
      set qos-group 1
     class M0
      set qos-group 0

    class-map match-all Q1
     match qos-group 1
    class-map match-all Q0
     match qos-group 0
    class-map match-all Q3
     match qos-group 3
    class-map match-all Q2
     match qos-group 2
    class-map match-all Q5
     match qos-group 5
    class-map match-all Q4
     match qos-group 4
    class-map match-all Q7
     match qos-group 7
    class-map match-all Q6
     match qos-group 6
    policy-map QP
     class Q7
      set ip precedence 7
     class Q6
      set ip precedence 6
     class Q5
      set ip precedence 5
     class Q4
      set ip precedence 4
     class Q3
      set ip precedence 3
     class Q2
      set ip precedence 2
     class Q1
      set ip precedence 1
     class Q0
      set ip precedence 0

    interface s1/0
     service-policy input MQ
    interface FastEthernet0/0.89
     service-policy output QP

    Verification:

    7.8 Protect the AS 89 PE router R9 from possible attack by switching off the following services:
    Proxy-arp
    CDP
    HTTP
    Redirect
    Unreachable

    R9
    R9 Global configuration:
    no cdp run
    no ip http server
    no service http
    no ip icmp redirect
    On all R9 interfaces:
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no cdp enable

    7.9 NBAR: AS 267 has an application to access BB2; this application runs on TCP 50001, 50002, 50003 and requires configuring a guaranteed bandwidth of 1M on R6.

    R6
    ! for old IOS:
    ip nbar port-map custom-01 tcp 50001 50002 50003
    ! or:
    ip nbar custom toas89 tcp range 50001 50003

    class-map match-any PORT
     ! or: match protocol custom-01
     match protocol toas89
    policy-map NBAR
     class PORT
      bandwidth 1000
    interface s1/0
     ip nbar protocol-discovery
     service-policy output NBAR

    7.9 On VLAN 89, there is a host with MAC address 0009.8765.abcd.
    This host is generating excessive traffic.
    R9 is configured as the gateway for this host.
    Limit all traffic coming from this host to AS 89 to 2 Mbit.

    R8 & R9
    int g0/0.89
     ! 2 Mbit/s, normal burst 375000 bytes, maximum burst 750000 bytes
     rate-limit output access-group rate-limit 150 2000000 375000 750000 conform-action transmit exceed-action drop
    !
    access-list rate-limit 150 0009.8765.abcd

    7.10 Configure R2 to export NetFlow to host 10.10.26.101 on port 9999.
    R2 monitors only inbound S1/0 packet size, count, and origin AS.

    R2
    interface s1/0
     ip flow ingress
    !
    ip flow-export version 9 origin-as
    ip flow-export source loopback0
    ip flow-export destination 10.10.26.101 9999

    7.11 Set up an RMON alarm to monitor the R6 S1/0 queue size.
    If the queue size exceeds 40, R6 generates the log message: interface s1/0 queue full.
    If the queue size = 0, R6 generates the log message: interface s1/0 queue ok.

    Logging Interval = 30
    MIB = ifOutQLen

    snmp-server community public RO
    snmp-server ifindex persist
    snmp-server enable traps syslog
    rmon event 1 log trap public description "serial1/0 output queue full" owner me
    rmon event 2 log trap public description "serial1/0 queue full OK" owner me
    no rmon alarm 1 ifOutQLen.1 30 absolute rising-threshold 40 1 falling-threshold 0 2 owner me
    rmon alarm 1 ifOutQLen.4 30 absolute rising-threshold 40 1 falling-threshold 0 2 owner me

    Notes: Enable snmp-server ifindex persist to check the ifIndex value of the interface, using the command:
    snmp-server ifindex persist
    Check the value via
    show snmp mib ifmib ifindex
    to see that S1/0 has ifindex=4.

    7.12 Event Management

    Configure R8 to monitor the syslog for this exact text pattern:
    %BGP-5-ADJCHANGE: neighbor YY.YY.28.2 Down Peer closed the session
    If this text pattern is seen, create the following critical level syslog entry:
    EBGP IPv4 Unicast peering to R2 is down

    logging on
    logging monitor critical
    snmp-server enable traps bgp state-changes
    snmp-server enable traps event-manager
    snmp-server enable traps syslog
    event manager applet LOG
     event syslog pattern "%BGP-5-ADJCHANGE: neighbor 5.5.28.2 Down Peer closed the session"
     ! message text as required by the task
     action 1.0 syslog priority critical msg "EBGP IPv4 Unicast peering to R2 is down"

    AS Migration Question for R8.
    Make the change only for the R2 and R8 neighborship, not for the others:

    R8
    router bgp 89
     neighbor 5.5.28.2 local-as 254 no-prepend replace-as dual-as
    R2:
    router bgp 267
     neighbor 5.5.28.8 remote-as 254