v 5.2 ccie sp

Upload: lamine-toure

Post on 06-Jul-2018


  • 8/17/2019 V 5.2 ccie SP


    CCIE Service Provider Lab Workbook V 5.2 (V80+)

    Imp Note: Solutions are given, by assuming we are working on Rack 05

    Section 1 Bridging and Switching

    1.1 Configure IP across Frame-relay network
    Frame Relay interfaces are pre-configured as mentioned in diagram.
    Please make sure only required mappings are configured.
    Dynamic DLCI mapping is not allowed.
    There is some problem in the initial configuration; please make sure all devices running Frame-relay can ping their neighbor IP address.

    Troubleshooting: (Wrong DLCI mapped on R8 for R4, please correct that)

    Notes:
    - The frame-relay map configuration on R8 points to the wrong IP address for R4; reconfigure it.
    - Dynamic mappings are not allowed in this configuration, so we need to configure "no frame-relay inverse-arp" between both R6-R9 and R2-R4.
    - Clear any previously learned dynamic mapping with "clear frame-relay inarp".
    - After making the changes, make sure you reload R8-R7 and R4.

    R4
    interface Serial1/0
     no ip address
     encapsulation frame-relay
     no frame-relay inverse-arp
    !
    interface Serial1/0.1 point-to-point
     ip address 172.5.47.4 255.255.255.0
     frame-relay interface-dlci 407
    !
    interface Serial1/0.2 point-to-point
     ip address 172.5.48.4 255.255.255.0
     frame-relay interface-dlci 408
    R7
    interface Serial1/0
     ip address 172.5.47.7 255.255.255.0
     encapsulation frame-relay
     frame-relay map ip 172.5.47.4 704 broadcast
     no frame-relay inverse-arp
    R8
    interface Serial1/0
     ip address 172.5.48.8 255.255.255.0
     encapsulation frame-relay
     frame-relay map ip 172.5.48.4 804 broadcast
     no frame-relay inverse-arp

    When to Reload?
    1. If "no frame-relay inverse-arp" is not configured on the interface, configure it, run "clear frame-relay inarp" and check the frame-relay mappings; if you still find mappings, reload the device.
    2. "show frame-relay map" shows you any 0000 entry.
    3. To avoid a reload you can shut down the interface, clear frame-relay inverse ARP, and default int s0/0 if the 0000 entry still exists; if this does not solve the issue, go ahead and reload.
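    The two requirements of 1.1 (no dynamic mapping, static maps pointing at the real neighbor) can be checked mechanically before touching the routers. The script below is an added example, not part of the workbook; the function names and the R8_BROKEN sample are constructed for illustration, and it assumes the config text is indented the way "show running-config" prints it.

```python
import ipaddress
import re


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from indented IOS config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():                  # top-level command
            if line.lower().startswith("interface "):
                current = line.split(None, 1)[1]
                stanzas[current] = []
            else:
                current = None
        elif current is not None:                 # indented sub-command
            stanzas[current].append(line)
    return stanzas


def audit_frame_relay(config):
    """Flag Frame Relay interfaces that allow Inverse ARP or carry a bad static map."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "encapsulation frame-relay" not in cmds:
            continue                              # subinterfaces inherit, nothing to check
        if "no frame-relay inverse-arp" not in cmds:
            findings.append((name, "inverse-arp not disabled"))
        local = None
        for cmd in cmds:
            m = re.fullmatch(r"ip address (\S+) (\S+)", cmd)
            if m:
                local = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        for cmd in cmds:
            m = re.fullmatch(r"frame-relay map ip (\S+) (\d+)( broadcast)?", cmd)
            if m and local is not None:
                peer = ipaddress.ip_address(m[1])
                # A static map must point at another host on the same subnet.
                if peer not in local.network or peer == local.ip:
                    findings.append(
                        (name, f"map target {peer} is not a neighbor in {local.network}"))
    return findings


# R8 as given in the solution above.
R8_FIXED = """\
interface Serial1/0
 ip address 172.5.48.8 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 172.5.48.4 804 broadcast
 no frame-relay inverse-arp
"""

# Constructed faulty variant: map points at the other link's address and
# Inverse ARP was left enabled. The workbook does not show the real fault.
R8_BROKEN = """\
interface Serial1/0
 ip address 172.5.48.8 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 172.5.47.4 804 broadcast
"""

if __name__ == "__main__":
    for label, cfg in (("fixed", R8_FIXED), ("broken", R8_BROKEN)):
        print(label, audit_frame_relay(cfg))
```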

    1.2 Configure Vlan 123 on SW2 with the IP address 172.YY.123.12.
    No vlan interface except default Vlan 1 is permitted on SW1.
    No vlan interface except default Vlan 1 and Vlan 123 are permitted on SW2.
    Notes: Check that the trunk between SW1 and SW2 is preconfigured to support this requirement.
    SW2
    interface Vlan123
     ip address 172.5.57.12 255.255.255.0
    interface vlan1
     no sh

    1.3 Define Interface FastEthernet0/5 on SW1 with IP address 192.YY.115.11/24.
    No Physical Interface except FastEthernet0/5 on SW1 is permitted to define an IP address.
    Ensure this IP can ping 192.YY.115.5 on R5.
    SW1
    interface Fastethernet0/5
     no switchport
     ip address 192.5.115.11 255.255.255.0

    1.4 Configure PPP encapsulation and clock rate 252000 on interface connected to R3 - R8.
    Configure PPP encapsulation and clock rate 252000 on interface connected to R1 - R7.
    Notes:
    - Once the PPP encapsulation is configured, verify the clock rate on R1 - R7 and R3 - R8.
    - Issue the "show controllers serial2/1" command to check the interface type (DCE or DTE) and current clock rate.
    - Change the clock rate only on the DCE router.
    - In my case both R8 and R7 were the DCE interface.

    R8
    interface Serial1/1
     encapsulation ppp
     clockrate 252000
    R7
    interface Serial1/2
     encapsulation ppp
     clockrate 252000

    Section 2 Core IGP

    2.1 OSPF
    OSPF is pre-configured in AS 278 devices R2, R7 and R8 on the interfaces mentioned in the table below.
    All devices are pre-configured for OSPF Area 0.
    Initial configuration has some problem; make sure all devices can ping each other's loopback 0 interfaces.
    Don't advertise any additional interface except those mentioned in the chart below:

    Router Name   Interface               Area
    Rack05R2      Loopback0               OSPF Area 0
                  GigabitEthernet0/0.27   OSPF Area 0
                  GigabitEthernet0/0.28   OSPF Area 0
    Rack05R7      Loopback0               OSPF Area 0
                  GigabitEthernet0/0.27   OSPF Area 0
                  GigabitEthernet0/0.78   OSPF Area 0
    Rack05R8      Loopback0               OSPF Area 0
                  GigabitEthernet0/0.78   OSPF Area 0
                  GigabitEthernet0/0.27   OSPF Area 0

    Notes: OSPF dead interval is configured on R2 like below:

    After the correct configuration and connectivity, OSPF peering will not come up due to a timers mismatch; match the timers like below:

    R2
    router ospf 278
     network 5.5.2.2 0.0.0.0 area 0
     network 5.5.27.2 0.0.0.0 area 0
     network 5.5.28.2 0.0.0.0 area 0
    R7
    router ospf 278
     network 5.5.7.7 0.0.0.0 area 0
     network 5.5.27.7 0.0.0.0 area 0
     network 5.5.78.7 0.0.0.0 area 0
    int GigabitEthernet0/0.27
     ip ospf dead-interval 30
    R8
    router ospf 278
     network 5.5.8.8 0.0.0.0 area 0
     network 5.5.78.8 0.0.0.0 area 0
     network 5.5.28.8 0.0.0.0 area 0


    2.2 Make sure R2 could never be a designated router in AS 278.
    R2
    interface GigabitEthernet0/0.27
     ip ospf priority 0
    interface GigabitEthernet0/0.28
     ip ospf priority 0

    2.3 R2, R7 and R8 should assign automatic metric to their interfaces as shown below:

    Interface Type     Metric
    Loopback           Auto metric 1
    GigabitEthernet    Auto metric 10
    FastEthernet       Auto metric 100
    Ethernet           Auto metric 1000

    On R2, R7 and R8
    router ospf 278
     auto-cost reference-bandwidth 10000

    Verification: the R8 output is shown with the wrong configs, to let you know the difference.

    2.4 Configure ISIS level-1 PDU in AS 69 R6 and R9 interfaces as shown in the table below:
    OR
    2.4 Configure ISIS level-2 PDU in AS 69 R6 and R9 interfaces as shown in the table below:

    Router Name   Interface            Area
    R6            Loopback0            47.0069
                  FastEthernet0/0.69   47.0069
    R9            Loopback0            47.0069
                  FastEthernet0/0.69   47.0069
                  FastEthernet0/0.99   47.0069

    Notes: The answer is based on the Level-1 question; if you get the Level-2 question, just change the IS-TYPE to LEVEL-2.
    R6
    router isis
     net 47.0069.0000.0000.0006.00
     is-type level-1
    !
    interface FastEthernet0/0.69
     ip router isis
    !
    interface Loopback0
     ip router isis
    R9
    router isis
     net 47.0069.0000.0000.0009.00
     is-type level-2-only
     metric-style wide
    !
    interface FastEthernet0/0.69
     ip router isis
    !
    interface Loopback0
     ip router isis
    !
    interface FastEthernet0/0.99
     ip router isis

    2.5 Change metric for R6 and R9 interfaces, as shown in the sh ip route output of R6 and R9 below:

    Router Name   Interface            Metric
    R6            Loopback0            256
                  FastEthernet0/0.69   10
    R9            Loopback0            80
                  FastEthernet0/0.69   10
                  FastEthernet0/0.99   10

    Notes: Make sure you mention the ISIS level with the metric command.
    R9
    int lo0
     isis metric 70 level-2
    R6
    int lo0
     isis metric 246 level-2

    Verification: the output below is based on an old question, not this one, and needs updating; please adapt it according to the question above.

    2.6 Only R6 and R9 in AS 69 are going to run ISIS in near future.
    Reduce LSP advertisement for Vlan 69 by avoiding DIS election.
    R6
    int f0/0.69
     isis network point-to-point
     no isis csnp-interval 10
    R9
    int f0/0.69
     isis network point-to-point
     no isis csnp-interval 10

    Notes: We have multiple ways to reduce LSP packets, but this question asks to reduce LSPs by avoiding DIS election, so we can simply use network point-to-point and make sure we remove CSNP interval 10. This is a bug in Cisco IOS: whenever we use network P2P for a CLNS interface, "isis csnp-interval 10" is added automatically, so make sure we remove it. Whenever you reload the router it will be added automatically again to CLNS P2P interfaces, so make sure you remove it each time you reload the device.

    Verification: You won't be able to find DIS info:

    Section 3 BGP

    3.1 Basic BGP IPv4 Unicast has been pre-configured in AS 278 for R2, R7 and R8.
    All devices in AS 278 are using their loopback 0 address as update source.
    Each device in AS 278 has 2 IBGP neighbors.
    Configure BGP so that IPv4 Unicast updates are not sent to any peer unless explicitly stated.
    Advertise all loopback0 addresses in AS 278.
    Initial configuration has some problem; please troubleshoot it so that R2, R7 and R8 can see each other as IBGP neighbors.
    Troubleshooting: Update source is not configured between R2 and R7; correct that, and advertise all the loopbacks.

    R2
    router bgp 278
     bgp router-id 5.5.2.2
     no bgp default ipv4-unicast
     neighbor 5.5.8.8 remote-as 278
     neighbor 5.5.8.8 update-source Loopback0
     neighbor 5.5.7.7 remote-as 278
     neighbor 5.5.7.7 update-source Loopback0
     !
     address-family ipv4
      neighbor 5.5.8.8 activate
      neighbor 5.5.8.8 send-community both
      neighbor 5.5.7.7 activate
      neighbor 5.5.7.7 send-community both
      network 5.5.2.2 mask 255.255.255.255
     exit-address-family
    R7
    router bgp 278
     bgp router-id 5.5.7.7
     no bgp default ipv4-unicast
     neighbor 5.5.2.2 remote-as 278
     neighbor 5.5.2.2 update-source Loopback0
     neighbor 5.5.8.8 remote-as 278
     neighbor 5.5.8.8 update-source Loopback0
     !
     address-family ipv4
      neighbor 5.5.2.2 activate
      neighbor 5.5.8.8 activate
      network 5.5.7.7 mask 255.255.255.255
     exit-address-family
    R8
    router bgp 278
     bgp router-id 5.5.8.8
     no bgp default ipv4-unicast
     neighbor 5.5.2.2 remote-as 278
     neighbor 5.5.2.2 update-source Loopback0
     neighbor 5.5.7.7 remote-as 278
     neighbor 5.5.7.7 update-source Loopback0
     !
     address-family ipv4
      neighbor 5.5.2.2 activate
      neighbor 5.5.2.2 send-community both
      neighbor 5.5.7.7 activate
      neighbor 5.5.7.7 send-community both
      network 5.5.8.8 mask 255.255.255.255
     exit-address-family

    3.2 Basic BGP IPv4 Unicast has been pre-configured in AS 69 for R6 and R9.
    Configure BGP so that IPv4 Unicast updates are not sent to any other peer unless explicitly stated.
    Both are using their loopback 0 address as update source.
    Advertise all loopback0 addresses in AS 69.
    Make sure they can see each other's loopback0 in the BGP IPv4 Unicast routing table.
    Notes: Configure and advertise routes.
    R6
    router bgp 69
     bgp router-id 5.5.6.6
     no bgp default ipv4-unicast
     neighbor 5.5.9.9 remote-as 69
     neighbor 5.5.9.9 update-source Loopback0
     !
     address-family ipv4
      neighbor 5.5.9.9 activate
      neighbor 5.5.9.9 send-community both
      network 5.5.6.6 mask 255.255.255.255
     exit-address-family
    R9
    router bgp 69
     bgp router-id 5.5.9.9
     no bgp default ipv4-unicast
     neighbor 5.5.6.6 remote-as 69
     neighbor 5.5.6.6 update-source Loopback0
     !
     address-family ipv4
      neighbor 5.5.6.6 activate
      network 5.5.9.9 mask 255.255.255.255
     exit-address-family

    3.3 R6 needs to have peering with Backbone (BB2) with IP address 150.2.YY.254 which is located in AS 254.
    Configure R6 to establish a BGP IPv4 Unicast peering session with Backbone.
    Backbone has pre-configured R6 as in AS YY.
    Configure BGP IPv4 Unicast peering between R2 and R6, R6 and R8. They should use the directly connected interface IP for establishing the BGP session.
    Make sure after peering AS 278 and AS 69 can ping each other's loopback0 addresses.
    AS 278 and AS 69 should be able to ping 197.67.Z.0 networks learned from BB2 with source of their loopback 0 addresses.
    Inter-AS network links like YY.YY.28.0 or 150.2.YY.0 of AS 278, 69, 254 are not allowed to be advertised either in BGP or IGP.
    Notes: Configure EBGP peering and check the routes and neighbor status. Make sure you have configured next-hop-self on all ASBRs to the local routers. Check with sh ip bgp summary, sh ip bgp.

    R2
    router bgp 278
     neighbor 5.5.26.6 remote-as 69
     !
     address-family ipv4
      neighbor 5.5.26.6 activate
      neighbor 5.5.8.8 next-hop-self
      neighbor 5.5.7.7 next-hop-self
     exit-address-family
    R8
    router bgp 278
     neighbor 5.5.68.6 remote-as 69
     !
     address-family ipv4
      neighbor 5.5.2.2 next-hop-self
      neighbor 5.5.7.7 next-hop-self
      neighbor 5.5.68.6 activate
     exit-address-family
    R6
    router bgp 69
     neighbor 5.5.26.2 remote-as 278
     neighbor 5.5.68.8 remote-as 278
     neighbor 150.200.5.254 remote-as 254
     neighbor 150.200.5.254 local-as 10 no-prepend
     !
     address-family ipv4
      neighbor 5.5.9.9 next-hop-self
      neighbor 5.5.26.2 activate
      neighbor 5.5.26.2 send-community both
      neighbor 5.5.68.8 activate
      neighbor 5.5.68.8 send-community both
      neighbor 150.200.5.254 activate
     exit-address-family


    3.4 Routes learned from BB2 should have additional community 278:278 in AS 278 and 69:69 in AS 69.
    OR
    3.4 Routes learned from BB2 should have additional communities 278:278, 69:69 in AS 278 and AS 69.
    Notes: Make sure you have configured "ip bgp-community new-format" and send-community end to end to achieve this. Routes learned via the backbone will already have the community value 254:254; make sure you see this community on R6 for routes learned via Backbone. Check with sh ip bgp for a backbone route.
    Below answer is for the question at the top:
    R6
    ! use the backbone routes' existing community
    ip community-list standard 254:254 permit 254:254
    !
    route-map BB2_IN permit 10
     set community 69:69 additive
    !
    route-map AS_267_OUT permit 10
     match community 254:254
     set community 278:278 254:254
    !
    route-map AS_267_OUT permit 20
    !
    router bgp 69
     address-family ipv4
      neighbor 5.5.26.2 route-map AS_267_OUT out
      neighbor 5.5.68.8 route-map AS_267_OUT out
      neighbor 150.200.5.254 route-map BB2_IN in
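    Why the 3.4 answer yields 69:69 only in AS 69 and 278:278 only in AS 278 comes down to "set community" with and without "additive". The model below is an added example, not part of the workbook; the Clause class and function names are hypothetical, and it only models the match/set behaviour used by the two route-maps above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Clause:
    """One permit/deny entry of a route-map (only the features used in 3.4)."""
    seq: int
    action: str = "permit"
    match_community: Optional[str] = None   # value permitted by a standard community-list
    set_community: tuple = ()
    additive: bool = False


def apply_route_map(clauses, communities):
    """Return the communities after the route-map, or None if the route is denied."""
    current = frozenset(communities)
    for clause in sorted(clauses, key=lambda c: c.seq):
        # A standard community-list matches when the route carries the value.
        if clause.match_community is not None and clause.match_community not in current:
            continue
        if clause.action == "deny":
            return None
        if not clause.set_community:
            return current                      # permit with no set: unchanged
        if clause.additive:
            return current | frozenset(clause.set_community)
        return frozenset(clause.set_community)  # without additive the list is replaced
    return None                                 # implicit deny at the end


# The two route-maps from the R6 answer above.
BB2_IN = [Clause(10, set_community=("69:69",), additive=True)]
AS_267_OUT = [
    Clause(10, match_community="254:254", set_community=("278:278", "254:254")),
    Clause(20),
]


def propagate(from_bb2, export_map=AS_267_OUT):
    """Communities seen inside AS 69 and inside AS 278 for one BB2 route."""
    in_as69 = apply_route_map(BB2_IN, from_bb2)
    in_as278 = apply_route_map(export_map, in_as69)
    return {"AS69": in_as69, "AS278": in_as278}


# Hypothetical variant of the export clause with "additive", for comparison only.
AS_267_OUT_ADDITIVE = [
    Clause(10, match_community="254:254", set_community=("278:278",), additive=True),
    Clause(20),
]

if __name__ == "__main__":
    print(propagate({"254:254"}))
    print(propagate({"254:254"}, AS_267_OUT_ADDITIVE))
    # A route originated inside AS 69 (no 254:254) falls through to permit 20.
    print(apply_route_map(AS_267_OUT, set()))
```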


    3.5 Configure AS 278 to access BB2 using R8 as primary exit and R2 as a backup.
    Configure AS 278 so that traffic from AS 278 to AS 69 uses R2 as primary; if the link between R2 and R6 is down it should re-route to any available path.
    OR
    Configure R2 to ensure that traffic from R7 destined to AS 69 chooses R2 as primary exit point and R8 as a backup.
    Configure R2 to ensure that traffic from R7 destined to Backbone (197.68.Z.0) chooses R8 as primary exit point and R2 as a backup.
    Notes: Please verify via trace from R7 and R8. They usually change this question for each candidate; be careful, practice changing paths well, and analyze the long-term impact on the VPNv4 route control question.
    Below answer is for the question on top:
    R2
    ip community-list standard 254:254 permit 254:254
    route-map FROM_R6_IN permit 10
     match community 254:254
     set local-preference 99
    !
    route-map FROM_R6_IN permit 20
     set local-preference 200
    !
    router bgp 278
     add ipv4
      nei 5.5.26.6 route-map FROM_R6_IN in


    Section 4 MPLS

    4.1 Enable MPLS on AS 278 interfaces specified in the table below.
    Use the Industry Standard label distribution protocol to propagate labels.
    Configure AS 278 devices' loopback0 address as their router ID.
    Don't enable MPLS on any additional interfaces than shown in the chart below:

    Router   Interfaces
    R2       GigabitEthernet 0/0.27
             GigabitEthernet 0/0.28
    R8       GigabitEthernet0/0.28
             GigabitEthernet0/1.78
    R7       GigabitEthernet 0/0.27
             GigabitEthernet 0/0.78

    Notes: Verify via sh mpls ldp nei/discovery, sh mpls interface.
    Make sure CEF is enabled on all MPLS LDP enabled routers. In the lab, on 3600 and 2600 series routers, CEF is disabled by default; please enable it.
    R2
    mpls ldp router-id Loopback0 force
    mpls label protocol ldp
    !
    interface GigabitEthernet0/0.27
     mpls ip
    !
    interface GigabitEthernet0/0.28
     mpls ip
    R7
    mpls ldp router-id Loopback0 force
    mpls label protocol ldp
    !
    interface GigabitEthernet0/0.27
     mpls ip
    !
    interface GigabitEthernet0/0.78
     mpls ip
    R8
    mpls ldp router-id Loopback0 force
    mpls label protocol ldp
    interface GigabitEthernet0/0.28
     mpls ip
    !
    interface GigabitEthernet0/0.78
     mpls ip


    4.2 Enable MPLS on AS 69 interfaces specified in the table below.
    Use the Industry Standard Label distribution Protocol to propagate labels.
    Configure AS 69 devices' loopback0 address as their router ID.
    Don't enable MPLS on any additional interfaces than shown in the table below:

    R6   FastEthernet0/0.69
    R9   FastEthernet0/0.69

    R6
    mpls ldp router-id Loopback0 force
    mpls label protocol ldp
    !
    interface GigabitEthernet0/0.69
     mpls ip
    R9
    mpls ldp router-id Loopback0 force
    mpls label protocol ldp
    !
    interface GigabitEthernet0/0.69
     mpls ip


    4.3 AS 278 has decided to test the MPLS Traffic Engineering feature between R2 and R8 loopback2.
    To make this test successful enable MPLS Traffic Engineering support in AS 278 and reserve 20 Mbit on required interfaces.
    Path from R2 and R8 lo2 should transit R7.
    R2
    mpls traffic-eng tunnels
    !
    router ospf 278
     mpls traffic-eng router-id Loopback2
     mpls traffic-eng area 0
    !
    interface GigabitEthernet0/0.27
     mpls traffic-eng tunnels
     ip rsvp bandwidth 20000
    R7
    mpls traffic-eng tunnels
    !
    router ospf 278
     mpls traffic-eng router-id Loopback0
     mpls traffic-eng area 0
    !
    interface GigabitEthernet0/0.27
     mpls traffic-eng tunnels
     ip rsvp bandwidth 20000
    !
    interface GigabitEthernet0/0.78
     mpls traffic-eng tunnels
     ip rsvp bandwidth 20000
    R8
    mpls traffic-eng tunnels
    !
    router ospf 278
     mpls traffic-eng router-id Loopback2
     mpls traffic-eng area 0
    !
    interface GigabitEthernet0/0.78
     mpls traffic-eng tunnels
     ip rsvp bandwidth 20000


    4.4 Create Tunnel 28 on R2 and Tunnel 82 on R8; both should access their loopback2 IP address via these tunnels.
    Explicit path is not allowed to achieve this.
    Tunnel should use 5 Mbit of reserved RSVP bandwidth.
    Two static routes are allowed, one on each device.
    OR
    Static route is not permitted to achieve this.
    Make sure traffic from R2 loopback2 to R8 loopback2 uses Tunnel 28 and traffic from R8 loopback2 to R2 loopback2 uses Tunnel 82.

    Notes: Do only as done below. The answer is based on the static route question.


    Section 5 MPLS VPN

    VRF Name      RD Value   RT Value
    ABC Site 1    278:78     278:78
    ABC Site 2    278:2      278:2
    ABC Site 3    69:9       69:9
    XYZ Site 1    35:35      35:35
    XYZ Site 2    35:35      35:35

    5.1 MP-IBGP (BGP VPNv4 Unicast) in AS 278 is pre-configured, but there are some issues left in the configuration; please troubleshoot those and make sure R2 and R8 have BGP VPNv4 Unicast peering with R7.
    Except for the above, peering between other devices in AS 278 is not allowed.
    Devices in AS 278 should use their loopback0 as source of peering.
    MP-BGP Unicast should not be sent to any other device than specified in the question.
    Notes: R7 is already configured as VPNv4 RR.
    Check both neighbors of R7 and make sure next-hop-self is configured on the ASBRs for IPv4 before starting the MP-BGP configs.

    R2
    router bgp 278
     !
     address-family vpnv4
      neighbor 5.5.7.7 activate
      neighbor 5.5.7.7 send-community both
    R7
    router bgp 278
     !
     address-family vpnv4
      neighbor 5.5.2.2 activate
      neighbor 5.5.2.2 route-ref
      neighbor 5.5.2.2 send-community both
      neighbor 5.5.8.8 activate
      neighbor 5.5.8.8 route-ref
      neighbor 5.5.8.8 send-community both
    R8
    router bgp 278
     !
     address-family vpnv4
      neighbor 5.5.7.7 activate
      neighbor 5.5.7.7 send-community both

    5.2 MP-IBGP (BGP VPNv4 Unicast) in AS 69 is pre-configured, but there are some issues left in the configuration; please troubleshoot those and make sure R6 and R9 have BGP VPNv4 Unicast peering with each other.
    Devices in AS 69 should use their loopback0 as a source for the BGP VPNv4 Unicast session between them.
    Notes: Check and correct; you probably need to activate both in their VPNv4 AFI.
    R6
    router bgp 69
     !
     address-family vpnv4
      neighbor 5.5.9.9 activate
      neighbor 5.5.9.9 send-community both
    R9
    router bgp 69
     !
     address-family vpnv4
      neighbor 5.5.6.6 activate
      neighbor 5.5.6.6 send-community both


    5.3 ABC Site-1
    The ABC Company site 1 uses BGP as routing protocol to connect PE routers R7 and R8.
    Customer router R4 is located in AS 34.
    Configure R7 and advertise Loopback1 and WAN interface 172.YY.47.0/24 into the BGP address family for Customer ABC.
    Configure R8 and advertise Loopback1 and WAN interface 172.YY.48.0/24 into the BGP address family for customer ABC.
    Configure R4 to peer with PE routers R7 and R8 via BGP IPv4 Unicast and advertise R4 loopback0 network into BGP.
    Configure OSPF Area 0 between R3 and R4 to advertise the interfaces mentioned below:

    R3   FastEthernet0/0.34
    R4   FastEthernet0/0.34
         FastEthernet0/0.44

    Other interfaces on R3 and R4 are not allowed to be advertised into OSPF.
    After the OSPF and BGP configuration in ABC Site1, please ensure R7 and R8 have all the ABC Site1 routes in their routing table for company ABC.
    Notes: Instead of redistribute connected, always try to use the network command, if not prohibited in the question.

    R7
    ip vrf ABC
     rd 278:278
     route-target export 278:78
     route-target import 278:78
    !
    interface Serial1/0
     ip vrf forwarding ABC
     ip address 172.5.47.7 255.255.255.0
    !
    int lo1
     ip vrf forwarding ABC
     ip address 172.5.7.7 255.255.255.0
    !
    router bgp 278
     address-family ipv4 vrf ABC
      neighbor 172.5.47.4 remote-as 34
      neighbor 172.5.47.4 activate
      network 172.5.7.0 mask 255.255.255.0
    R8
    ip vrf ABC
     rd 278:278
     route-target export 278:78
     route-target import 278:78
    !
    interface Serial1/0
     ip vrf forwarding ABC
     ip address 172.5.48.8 255.255.255.0
    !
    int lo1
     ip vrf forwarding ABC
     ip address 172.5.8.8 255.255.255.0
    !
    router bgp 278
     address-family ipv4 vrf ABC
      neighbor 172.5.48.4 remote-as 34
      neighbor 172.5.48.4 activate
      network 172.5.8.0 mask 255.255.255.0
    R4
    router bgp 34
     ! the next line is optional
     no bgp default ipv4-unicast
     neighbor 172.5.47.7 remote-as 278
     neighbor 172.5.48.8 remote-as 278
     !
     address-family ipv4
      neighbor 172.5.47.7 activate
      neighbor 172.5.48.8 activate
      network 172.5.4.4 mask 255.255.255.255
      network 172.5.47.0 mask 255.255.255.0
      network 172.5.48.0 mask 255.255.255.0
     exit-address-family
    int lo1
     ip add 172.5.4.44 255.255.255.255
    !
    router ospf 34
     redistribute bgp 34 subnets
     network 172.5.34.4 0.0.0.0 area 0
     network 172.5.4.44 0.0.0.0 area 0
    R3
    router ospf 34
     network 172.5.3.3 0.0.0.0 area 0
     network 172.5.34.3 0.0.0.0 area 0
    !
    int f0/0.33
     enca do 33
     ip add 172.5.33.33 255.255.255.0

    Verification: Output is taken after configuring ABC Site 2 as well:

    5.4 ABC Site-2
    Company ABC site 2 is running RIP V2 as routing protocol with PE router R2.
    Make sure PE R2 is getting 199.172.7.0 (0-7) networks in RIP and the BGP address family for Customer ABC, after configuring RIP on R2.
    Customer ABC site-2 also uses EIGRP to connect the PE router R2.
    Ensure R2 is getting all Site 2 EIGRP routes as internal routes in the PE EIGRP address family for Customer ABC.
    Configure EIGRP between R1 and R2 for the interfaces shown in the table:

    R2   Loopback1, FastEthernet0/1.12
    R1   FastEthernet0/1.12, FastEthernet0/0.11, Loopback0

    Test connectivity for ABC Site-2 between R1 and BB-1 and make sure R1 is able to ping 199.172.X.0 networks.
    Use only the Import Method to make connectivity between ABC Site-1 and 2 and make sure all PE routers in AS 278 have routes of ABC sites in their Customer routing table.
    Notes: Ping and test connectivity to Backbone. It is better to create the filter ACL before using the network command in the RIP VRF address family. "no auto-summary" and "version 2" should be specified in the VRF address family instead of the global RIP process. Specify the interface while using distribute-list.
    The question will not say anything about the EIGRP VRF AS number on R2; please check on R1 what is configured there. If EIGRP is not configured on R1, use the process ID you will use for R9 and R5.

    R2
    ip vrf ABC
     rd 278:2
     route-target export 278:2
     route-target import 278:2
     route-target import 278:78
    interface GigabitEthernet0/0.10
     ip vrf forwarding ABC
     ip address 150.100.5.2 255.255.255.0
    !
    interface GigabitEthernet0/0.12
     ip vrf forwarding ABC
     ip address 172.5.12.2 255.255.255.0
    !
    interface GigabitEthernet0/0.13
     enca dot 13
     ip vrf forwarding ABC
     ip address 172.5.22.22 255.255.255.0
    !
    int lo1
     ip vrf forwarding ABC
     ip address 172.5.2.2 255.255.255.255
    router eigrp 1
     address-family ipv4 vrf ABC
      network 172.5.12.0 0.0.0.255
      network 172.5.22.0 0.0.0.255
      no auto-summary
      autonomous-system 100
     exit-address-family
    !
    router rip
     address-family ipv4 vrf ABC
      network 150.100.5.0
      no auto-summary
      version 2
      distri 10 in GigabitEthernet0/0.10
    access-list 10 permit 192.68.1.0 0.0.7.255

    R1
    router eigrp 100
     network 172.5.1.1 0.0.0.0
     network 172.5.12.1 0.0.0.255

    Let's make VPN connectivity: please do a ping check between ABC Site 1 and Site 2.

    R2
    router rip
     add ipv4 vrf ABC
      red bgp 278 met tra
      red eigrp 100 met 1
    !
    router eig 1
     add ipv4 vrf ABC
      red bgp 278 metric 1000 100 255 1 1500
      red rip metric 1000 100 255 1 1500
      autonomous-system 100
    !
    router bgp 278
     add ipv4 vrf ABC
      red rip
      red eigrp 100
      network 172.5.2.2 mask 255.255.255.255
    R7/R8
    ip vrf ABC
     rout im 278:2
    R4
    router ospf 34
     redistribute bgp 34 subnets
    !
    router bgp 34
     add ipv4
      red ospf 34 mat i e


    5.5 Inter-AS VPN
    Configure R7 and R9 to exchange MP-EBGP VPNv4 Unicast updates.
    Other devices in AS 278 and AS 69 should not exchange VPNv4 Unicast updates with each other.
    BGP IPv4 routes are not permitted to be redistributed into IGP.
    Notes: Killer question. Don't put in any extra effort or care about unnecessary labels, otherwise you will create a big issue.

    R9
    router bgp 69
     neighbor 5.5.7.7 remote-as 278
     neighbor 5.5.7.7 update-source Loopback0
     neighbor 5.5.7.7 ebgp
     !
     add vpn
      neighbor 5.5.7.7 activate
      neighbor 5.5.7.7 next-hop-unchanged
     !
     add ipv4
      nei 5.5.6.6 send-label
    R7
    router bgp 278
     neighbor 5.5.9.9 remote-as 69
     neighbor 5.5.9.9 update-source Loopback0
     neighbor 5.5.9.9 ebg
     !
     add vpn
      neighbor 5.5.9.9 activate
      neighbor 5.5.9.9 next-hop-unchanged
     !
     add ipv4
      nei 5.5.2.2 send-label
      nei 5.5.8.8 send-label
    R6
    router bgp 69
     no bgp default route filter
     !
     add ipv4
      nei 5.5.26.2 send-label
      nei 5.5.68.8 send-label
      nei 5.5.9.9 send-label
    !
    route-map AS_267_OUT permit 20
     set mpls-label
    R2
    router bgp 278
     add ipv4
      nei 5.5.26.6 send-label
      nei 5.5.7.7 send-label
    ! this route-map is the one applied for the BGP IPv4 Route Control question
    route-map FROM_R6_IN permit 20
     match mpls-label
    R8
    router bgp 278
     add ipv4
      nei 5.5.68.6 send-label
      nei 5.5.7.7 send-label

    Verification: Understand IGP and BGP Label on R6, R2, R8, R9 and R7

    5.6 ABC Site-3
    ABC Company Site-3 uses EIGRP to exchange routing information with the Service Provider.
    Configure EIGRP between R5 and R9 and make sure R9 gets ABC Site-3 routes as EIGRP internal routes.
    Configure PE routers and Route Reflectors so that all ABC sites can access each other.
    Notes: The EIGRP Autonomous System Number should be the same on R1, R2, R9 and R5 to achieve this.
    R9
    router eig 1
     add ipv4 vrf ABC
      ! you can use any metric values you like
      red bgp 69 metric 1000 100 255 1 1500
      network 172.5.59.0 0.0.0.255
      autonomous-system 100
    !
    router bgp 69
     add ipv4 vrf ABC
      red eigrp 100
    !
    ip vrf ABC
     route im 278:2
     rout im 278:78
    R5
    router eigrp 100
     net 172.5.5.5 0.0.0.0
     net 172.5.59.0 0.0.0.255
    R2/R7/R8
    ip vrf ABC
     rout im 69:9
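    With the imports from 5.3, 5.4 and 5.6 in place, the route-target plan can be checked for two properties: every ABC site accepts every other ABC site, and nothing from ABC crosses into XYZ. The script below is an added example, not part of the workbook; site labels and function names are hypothetical, R9's own export/import of 69:9 is assumed from the Section 5 table (its base VRF definition is not shown), and the XYZ entries use the table's 35:35 for both import and export.

```python
import copy

# Route-target plan as configured on the page (see assumptions in the lead-in).
VRFS = {
    "ABC Site 1 @R7": {"customer": "ABC", "export": {"278:78"},
                       "import": {"278:78", "278:2", "69:9"}},
    "ABC Site 1 @R8": {"customer": "ABC", "export": {"278:78"},
                       "import": {"278:78", "278:2", "69:9"}},
    "ABC Site 2 @R2": {"customer": "ABC", "export": {"278:2"},
                       "import": {"278:2", "278:78", "69:9"}},
    "ABC Site 3 @R9": {"customer": "ABC", "export": {"69:9"},      # export assumed
                       "import": {"69:9", "278:2", "278:78"}},
    "XYZ Site 1": {"customer": "XYZ", "export": {"35:35"}, "import": {"35:35"}},
    "XYZ Site 2": {"customer": "XYZ", "export": {"35:35"}, "import": {"35:35"}},
}


def accepted_sources(vrfs):
    """For each VRF, the other VRFs whose exported routes it would import."""
    return {
        imp: {exp for exp, edef in vrfs.items()
              if exp != imp and vrfs[imp]["import"] & edef["export"]}
        for imp in vrfs
    }


def cross_customer_leaks(vrfs):
    """(importer, exporter) pairs where one customer imports another's routes."""
    sources = accepted_sources(vrfs)
    return sorted((imp, exp) for imp in sources for exp in sources[imp]
                  if vrfs[imp]["customer"] != vrfs[exp]["customer"])


def missing_links(vrfs):
    """Same-customer (importer, exporter) pairs that are not connected."""
    sources = accepted_sources(vrfs)
    return sorted((imp, exp) for imp in vrfs for exp in vrfs
                  if imp != exp
                  and vrfs[imp]["customer"] == vrfs[exp]["customer"]
                  and exp not in sources[imp])


def with_import(vrfs, site, rt, add=True):
    """Copy of the plan with one import RT added to or removed from a site."""
    changed = copy.deepcopy(vrfs)
    if add:
        changed[site]["import"].add(rt)
    else:
        changed[site]["import"].discard(rt)
    return changed


if __name__ == "__main__":
    print("leaks:", cross_customer_leaks(VRFS))
    print("missing:", missing_links(VRFS))
    # Constructed mistakes: a stray import on R2, a forgotten import on R7.
    print(cross_customer_leaks(with_import(VRFS, "ABC Site 2 @R2", "35:35")))
    print(missing_links(with_import(VRFS, "ABC Site 1 @R7", "69:9", add=False)))
```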


    5.7 VPN Route Control
    A) Configure R7 so that VPN traffic coming from ABC Site-1 selects R7 as primary exit.
    OR
    Configure R7 and R8 so that VPN traffic coming from ABC Site-1 selects R7 as primary exit.
    B) Configure R7 so that VPN traffic coming from ABC Site-1 selects R2 as primary exit and R8 as backup exit to reach ABC Site-3
    OR
    Configure R7 and R8 so that VPN traffic coming from ABC Site-1 selects R2 as primary exit and R8 as backup exit to reach ABC Site-3
    Notes: Do exactly what's done here, or you will create big issues and loops; this needs a big explanation. If your basics are good you will be able to understand.
    Let's discuss details in the Remote Troubleshooting Sections; answers are not given here for all questions.

    R7
    router bgp 278
     address-family vpnv4
      neighbor 5.5.8.8 next-hop-self
     !
     address-family ipv4 vrf ABC
      neighbor 172.5.47.4 route-map P_C_R4_OUT out
     exit-address-family
    !
    route-map P_C_R4_OUT permit 10
     set origin igp
     set mpls-label

    2. ABC Site-3 should use link between R6-R8 to access ABC Site-1 and ABC Site-1.
    R6
    ip as-path access-list 278 permit ^278$
    !
    route-map P_C_R6_IN
     match as-path 278
     set local-preference 101
     match mpls-label
    !
    route-map P_C_R6_IN permit 20
    !
    router bgp 69
     add ipv4
      nei 5.5.68.8 route-map P_C_R6_IN in


    5.9 L2TPV3 Interworking
    Create VRF PPP-FR on R5 with RD 51:51.
    Configure R5 Frame-relay Interface S1/1 and Loopback2 under this VRF.
    PPP-FR Site-2 uses R9 PE router to reach PPP-FR Site-1 at R1.
    PPP-FR Site-1 R1 connects to Service Provider router R7 via Serial PPP Link and connects R7 on Interface Serial1/1.
    IP addresses are not allowed to be configured on PE routers to make this connectivity. Configure PPP-FR L2TPV3 Interworking on R7 and R9 to achieve this.
    Configure RIP V2 on the interfaces shown in the table, and ensure PPP-FR Site-1 and PPP-FR Site-2 can communicate with each other.

    Device   Interface
    R1       Loopback2, Serial1/1
    R5       Loopback0, Serial 1/1

    R1
    ip vrf PPP-FR
     rd 51:51
    !
    interface Loopback1
     ip vrf forwarding PPP-FR
     ip address 172.5.1.11 255.255.255.255
    !
    interface Serial1/2
     ip vrf forwarding PPP-FR
     ip address 172.5.15.1 255.255.255.0
     encapsulation ppp
     ip ospf network point-to-point
    !
    router ospf 200 vrf PPP-FR
     network 172.5.1.11 0.0.0.0 area 0
     network 172.5.15.1 0.0.0.0 area 0
    R5
    ip vrf PPP-FR
     rd 51:51
    !
    interface Loopback1
     ip vrf forwarding PPP-FR
     ip address 172.5.5.55 255.255.255.255
    !
    interface Serial1/2
     ip vrf forwarding PPP-FR
     ip address 172.5.15.5 255.255.255.0
     encapsulation fram
     fram map ip 172.5.15.1 100 br
     ip ospf net point-to-point
    !
    router ospf 200 vrf PPP-FR
     network 172.5.5.55 0.0.0.0 area 0
     network 172.5.15.5 0.0.0.0 area 0
    R7
    pseudowire-class L2TPV3
     encapsulation l2tpv3
     interworking ip
     ip local interface Loopback0
     ip tos value 160
    !
    interface Serial1/2
     encapsulation ppp
     clock rate 252000
     xconnect 5.5.9.9 79 pw-class L2TPV3
    R9
    pseudowire-class L2TPV3
     encapsulation l2tpv3
     interworking ip
     ip local interface Loopback0
     ip tos value 160
    !
    frame switching
    interface Serial1/2
     encapsulation fram
     fram intf-type dce
     fram interface-dlci 100 switch
     clock rate 252000
    !
    connect PPP-FR Serial1/2 100 l2transport
     xconnect 5.5.7.7 79 pw-class L2TPV3


    5.9 ATOM PPP - VLAN Interworking
    Create VRF PPP-ETH on R3 with RD 123:123.
    Configure R3 Serial Interface S1/1 and Loopback2 under this VRF.
    PPP-ETH Site-2 uses R8 PE router to reach PPP-ETH Site-1 at SW2.
    PPP-ETH Site-1 SW2 connects to Service Provider router R7 via Vlan 123.
    IP addresses are not allowed to be configured on PE routers to make this connectivity. Configure PPP-VLAN Interworking on R7 and R8 to achieve this.
    Configure OSPF on the interfaces shown in the table, and ensure PPP-ETH Site-1 and PPP-ETH Site-2 can communicate with each other.

    Device   Interface
    R3       Loopback2, Serial1/1
    SW2      Loopback0, Vlan 123

    R3
    ip vrf PPP-ETH
     rd 123:123
    !
    int lo1
     ip vrf forwarding PPP-ETH
     ip address 172.5.3.33 255.255.255.255
    !
    int s1/1
     ip vrf forwarding PPP-ETH
     ip address 172.5.123.3 255.255.255.0
     encapsulation ppp
     no shutdown
     ip ospf network point-to-point
    !
    router ospf 200 vrf PPP-ETH
     log-adjacency-changes
     network 172.5.123.3 0.0.0.0 area 0
     network 172.5.3.33 0.0.0.0 area 0
    SW2
    interface Vlan123
     ip address 172.5.123.12 255.255.255.0
     ip ospf network point-to-point
    !
    interface Loopback0
     ip address 172.5.12.12 255.255.255.255
    !
    router ospf 200
     network 172.5.12.12 0.0.0.0 area 0
     network 172.5.123.12 0.0.0.0 area
    R8
    pseudowire-class ATOM
     encapsulation mpls
     interworking ip
    !
    interface Serial1/1
     encapsulation ppp
     clockrate 252000
     xconnect 5.5.7.7 78 pw-class ATOM
     no sh
    R7
    pseudowire-class ATOM
     encapsulation mpls
     interworking ip
    !
    interface GigabitEthernet0/0.123
     encapsulation dot1Q 123
     xconnect 5.5.8.8 78 pw-class ATOM

    Verification:

    Verification:

  • 8/17/2019 V 5.2 ccie SP

    46/61

     

    Verification:

    5.10 CSC
    ABC Site-1 (AS 34) and ABC Site-2 (AS 50) are two POPs of a Service Provider that provides VPN services to its customers and has contracted AS 278 and AS 69 to act as transit Service Providers for Carrier Supporting Carrier VPN.
    Configure AS 278, AS 69 and AS 34 to support this so that AS 45 (POPs AS 34, AS 50) can provide VPN services to its customer, Company XYZ.
    LDP/TDP must not be enabled on networks 172.YY.47.0 and 172.YY.48.0.
    Configure a VPNv4 BGP unicast session between R3 (AS 34) and R5 (AS 50) to support this requirement.
    Use their Loopback0 interfaces as update source.
    Create VRF XYZ on R3 and R5 with RD/RT 35:35, and configure the interfaces below on R3 and R5 into this VRF.

    Device  Interface
    R5      Loopback1, FastEthernet0/0
    R3      Loopback1, FastEthernet0/1.33

    Configure RIP V2 as the IGP for XYZ Site-2 between R5 and SW2; the interfaces below should be advertised into RIP V2.

    Device  Interface
    R5      Loopback1, FastEthernet0/0
    SW2     Loopback0, FastEthernet0/5

    Ensure Customer XYZ Site-1 and Site-2 have full reachability to each other and make sure the SW1 routing table output is as follows:

    Note: if you are unable to ping the R5 interface from SW1, enable CEF on R5 and reload both SW1 and R5; you will then be able to ping. This is because R5 is a 2600 series router, on which CEF is disabled by default. CEF was not enabled when vrf XYZ was created, which is why the VRF does not have a separate CEF table. Once you enable CEF and reload the device, the CEF table is created and you will be able to ping. The BGP AS numbers for R3 and R5 change in this lab: sometimes they run IBGP, sometimes EBGP.

    R5
    ip vrf XYZ
    rd 34:34
    route-target export 34:34
    route-target import 34:34
    !
    interface Loopback2
    ip vrf for XYZ
    ip address 172.5.55.55 255.255.255.255
    !
    interface FastEthernet0/0.57
    ip vrf for XYZ
    ip address 172.5.115.5 255.255.255.0
    !
    router bgp 50
    no bgp default ipv4-unicast
    neighbor 172.5.3.3 remote-as 34
    neighbor 172.5.3.3 update-source Loopback0
    neighbor 172.5.3.3 ebgp
    !
    address-family vpnv4
    neighbor 172.5.3.3 activate
    neighbor 172.5.3.3 send-community extended
    exit-address-family
    !
    address-family ipv4 vrf XYZ
    redistribute rip
    redistribute connected
    no synchronization
    exit-address-family

    router rip
    !
    address-family ipv4 vrf XYZ
    redistribute bgp 50 metric 3
    !
    interface FastEthernet0/0.59
    mpls ip

    R9
    interface FastEthernet0/0.59
    mpls ip

    R7
    router bgp 278
    address-family ipv4 vrf ABC
    neighbor 172.5.47.4 send-label

    R8
    router bgp 278
    address-family ipv4 vrf ABC
    neighbor 172.5.48.4 send-label

    R4
    router bgp 34
    add ipv4
    neighbor 172.5.48.8 send-label
    neighbor 172.5.47.7 send-label
    !
    int f0/0.34
    mpls ip
    mpls label pro tdp

    R3
    int f0/0.34
    mpls ip
    mpls label pro tdp
    !
    ip vrf XYZ
    rd 34:34
    route-target export 34:34
    route-target import 34:34
    !
    interface FastEthernet0/0.33
    ip vrf forwarding XYZ
    ip address 172.5.33.3 255.255.255.0
    !
    interface FastEthernet0/0.35
    ip vrf forwarding XYZ
    ip address 172.5.35.3 255.255.255.0
    !
    router bgp 34
    no bgp default ipv4-unicast
    bgp log-neighbor-changes
    neighbor 172.5.5.5 remote-as 50
    neighbor 172.5.5.5 ebgp
    neighbor 172.5.5.5 update-source Loopback0
    !
    address-family vpnv4
    neighbor 172.5.5.5 activate
    neighbor 172.5.5.5 send-community extended
    exit-address-family
    !
    address-family ipv4 vrf XYZ
    redistribute connected
    no synchronization
    exit-address-family

    SW1
    Configure RIP and test ping to R3

    Verification:

    Section 6 Multicast

    6.1 PIM Sparse Mode
    Configure PIM SM in AS 278 and AS 69 as per the chart below.

    Device  Interface
    R2      Loopback0, GigabitEthernet0/0.26, GigabitEthernet0/0.27, GigabitEthernet0/0.28
    R7      Loopback0, GigabitEthernet0/0.27, GigabitEthernet0/0.78
    R8      Loopback0, GigabitEthernet0/0.28, GigabitEthernet0/0.78
    R6      Loopback0, FastEthernet0/0.26, FastEthernet0/0.69
    R9      Loopback0, FastEthernet0/0.69, FastEthernet0/0.99

    R2
    interface Loopback0
    ip pim sparse-mode
    !
    interface GigabitEthernet0/0.27
    ip pim sparse-mode
    !
    interface GigabitEthernet0/0.28
    ip pim sparse-mode
    !
    interface GigabitEthernet0/0.26
    ip pim sparse-mode

    R7
    interface Loopback0
    ip pim sparse-mode
    !
    interface GigabitEthernet0/0.27
    ip pim sparse-mode
    ip igmp join-group 239.255.1.1
    !
    interface GigabitEthernet0/0.78
    ip pim sparse-mode

    R8
    interface Loopback0
    ip pim sparse-mode
    !
    interface GigabitEthernet0/0.28
    ip pim sparse-mode
    !
    interface GigabitEthernet0/0.78
    ip pim sparse-mode
    !
    ip pim bsr-candidate Loopback0 0
    ip pim rp-candidate Loopback0

    Verification:


    R9
    interface Loopback0
    ip pim sparse-mode
    !
    interface f0/0.69
    ip pim sparse-mode

    Verification:

    6.3 Inter-AS Multicast
    Configure MSDP between AS 278 and AS 69 on R8 and R6.
    Both RPs should be able to inform each other if any multicast source becomes active in their domain.
    Make sure R6 and R9 can ping the multicast group 239.255.7.7.

    R6
    ip msdp peer 5.5.8.8 connect-source Loopback0 remote-as 278
    !
    interface FastEthernet0/0.26
    ip pim bsr-border

    R2
    interface FastEthernet0/0.26
    ip pim bsr-border

    R8
    ip msdp peer 5.5.6.6 connect-source Loopback0 remote-as 69

    Verification:

    6.4 Multicast VPN

    Configure Multicast Routing in Customer ABC-Site-1.
    Configure PIM SM on the interfaces shown below:

    Device  Interface
    R3      Loopback0, FastEthernet0/0.34
    R4      Loopback0, FastEthernet0/0.34, FastEthernet0/0.44, Serial1/0.1, Serial1/0.2
    R7      Loopback1, Serial1/0
    R8      Loopback, Serial1/0

    6.5 Configure R4 Loopback0 as RP BSR for ABC Site-1.

    R3 f0/0.34 joins multicast group 239.255.3.3; make sure all devices in ABC Site-1 are able to ping this group.

    R4
    int lo0
    ip pim sparse-mode
    !
    int s1/0.1
    ip pim sparse-mode
    !
    int s1/0.2
    ip pim sparse-mode
    !
    int f0/0.34
    ip pim sparse-mode
    !
    ip pim bsr-candidate Loopback0 0
    ip pim rp-candidate Loopback0

    R3
    int lo0
    ip pim sparse-mode
    ip igmp join-group 239.255.3.3
    !
    int f0/0.34
    ip pim sparse-mode

    Verification:

    6.6 Enable PIM SM in ABC Site-2 as per the table below:

    Device  Interface
    R1      Loopback0, FastEthernet0/0.11, FastEthernet0/0.12
    R2      Loopback1, GigabitEthernet0/0.12

    R1
    int lo0
    ip pim sparse-mode
    !
    int f0/0.12
    ip pim sparse-mode

    R2
    ip multicast-routing vrf ABC
    interface GigabitEthernet0/0.12
    ip pim sparse-mode
    !
    int lo1
    ip pim sparse-mode
    !
    interface GigabitEthernet0/0.13
    ip pim sparse-mode


    Verification:

    6.7 Configure AS 278 to support Multicast services between ABC Site-1 and ABC Site-2.
    Make sure R1 can get RP information and ping multicast group 239.255.3.3.

    R2
    ip vrf ABC
    mdt default 238.0.0.1

    R7
    ip multicast-routing vrf ABC
    interface s1/0
    ip pim sparse-mode
    !
    int lo1
    ip pim sparse-mode
    !
    ip vrf ABC
    mdt default 238.0.0.1

    R8
    ip multicast-routing vrf ABC
    interface s1/0
    ip pim sparse-mode
    !
    int lo1
    ip pim sparse-mode
    !
    ip vrf ABC
    mdt default 238.0.0.1

    Verification:


    Section 7 SP Security, QOS and Management

    7.1 Secure EIGRP peering between ABC Site-3 R5 and AS 69 R9 with message digest.

    R5
    key chain Cisco
    key 1
    key-string Cisco
    int f0/0.59
    ip authen mode eigrp 100 md5
    ip authen key-chain eigrp 100 Cisco

    R9
    key chain Cisco
    key 1
    key-string Cisco
    int f0/0.59
    ip authen mode eigrp 100 md5
    ip authen key-chain eigrp 100 Cisco


    Verification:
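    An offline check for 7.1, added here as an example and not part of the workbook: it parses the R5 and R9 snippets and reports the mismatches that keep an MD5-authenticated EIGRP adjacency down, without ever printing the key-string. The function names `parse` and `audit` and the one-command-per-line sample input are assumptions of this example; key lifetimes are not modelled.

```python
import re

# Constructed sample: the 7.1 configuration from this page, one command per line.
R5_CFG = """key chain Cisco
key 1
key-string Cisco
int f0/0.59
ip authen mode eigrp 100 md5
ip authen key-chain eigrp 100 Cisco
"""
R9_CFG = R5_CFG  # the page gives R9 the same commands

def parse(cfg):
    """Return (chains, intfs): chains[name][key_id] = string, intfs[name] = md5 ASNs and bound chains."""
    chains, intfs, chain, key, intf = {}, {}, None, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain, key, intf = chains.setdefault(m[1], {}), None, None
        elif m := re.fullmatch(r"int\S* (\S+)", line):
            intf, chain = intfs.setdefault(m[1], {"md5": set(), "chain": {}}), None
        elif chain is not None and (m := re.fullmatch(r"key (\d+)", line)):
            key = int(m[1])
        elif chain is not None and key is not None and line.startswith("key-string "):
            # Keep trailing spaces: IOS treats them as part of the key.
            chain[key] = raw.lstrip()[len("key-string "):]
        elif intf is not None and (m := re.fullmatch(r"ip authen\S* mode eigrp (\d+) md5", line)):
            intf["md5"].add(m[1])
        elif intf is not None and (m := re.fullmatch(r"ip authen\S* key-chain eigrp (\d+) (\S+)", line)):
            intf["chain"][m[1]] = m[2]
    return chains, intfs

def audit(cfg_a, cfg_b, intf_a, intf_b, asn):
    """Return findings for one EIGRP link; an empty list means both sides agree."""
    findings, keysets = [], []
    for label, cfg, ifname in (("A", cfg_a, intf_a), ("B", cfg_b, intf_b)):
        chains, intfs = parse(cfg)
        i = intfs.get(ifname, {"md5": set(), "chain": {}})
        if asn not in i["md5"]:
            findings.append(f"{label}: MD5 mode not enabled for EIGRP {asn} on {ifname}")
        keys = chains.get(i["chain"].get(asn), {})
        if not keys:
            findings.append(f"{label}: no key chain with keys bound on {ifname}")
        keysets.append(keys)
    for label, mine, peer in (("A", keysets[0], keysets[1]), ("B", keysets[1], keysets[0])):
        kid = min(mine, default=None)  # the lowest key ID is the one used for sending
        if kid is not None and peer and peer.get(kid) != mine[kid]:
            findings.append(f"{label}: key {kid} is missing or differs on the peer")
    return findings  # findings never contain the key-string itself
```

    The key chain name is locally significant, so only the key ID and key-string are compared across the two routers.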

    7.2 To secure the LDP session between R5 and R9, configure MD5 authentication between both LDP neighbors.

    R5
    mpls ldp neighbor 172.5.59.9 password cisco

    R9
    mpls ldp neighbor vrf ABC 172.5.5.5 password cisco
    interface FastEthernet0/0.59
    mpls ldp discovery transport-address interface

    Verification:


    R7
    pseudowire-class L2TPV3
    ip tos value 160

    R9
    pseudowire-class L2TPV3
    ip tos value 160

    Verification:

    7.5 NTP
    Configure R9 as a stratum 6 NTP Server.
    Enable NTP service in AS 278 to get time from R9 in AS 69.
    Ensure the clocks of R2, R7 and R8 are synchronized from R9.
    ABC Site-1 devices R3 and R4 should get their clocks synchronized with R8; R8 will act as the time source for them.
    Note: this doesn’t work in Dynamips but will work smoothly in the Lab.

    R9
    clock timezone GMT 5 30
    ntp master 6
    ntp source lo0

    R2
    clock timezone GMT 5 30
    ntp server 5.5.9.9 prefer
    ntp peer 5.5.8.8
    ntp peer 5.5.7.7
    ntp source lo0

    R7
    clock timezone GMT 5 30
    ntp server 5.5.9.9 prefer
    ntp peer 5.5.8.8
    ntp peer 5.5.2.2
    ntp source lo0

    R8
    clock timezone GMT 5 30
    ntp peer 5.5.9.9 source lo0 prefer
    ntp peer 5.5.2.2 source lo0
    ntp peer 5.5.7.7 source lo0
    ntp peer vrf ABC 172.4.3.3
    ntp peer vrf ABC 172.4.4.4

    R4
    clock timezone GMT 5 30
    ntp server 172.5.8.8 prefer
    ntp peer 172.5.3.3
    ntp source lo0

    R3
    clock timezone GMT 5 30
    ntp server 172.5.8.8 prefer
    ntp peer 172.5.4.4
    ntp source lo0