
CCIE Service Provider Lab Workbook V 5.2 (V80+)

Important note: The solutions assume we are working on Rack 05.

Section 1 Bridging and Switching:


1.1 Configure IP across Frame-relay network
Frame Relay interfaces are pre-configured as shown in the diagram.
Please make sure only the required mappings are configured.
Dynamic DLCI mapping is not allowed.
There is a problem in the initial configuration; make sure all devices
running Frame Relay can ping their neighbor's IP address.
Troubleshooting: (Wrong DLCI mapped on R8 for R4; please correct that)
Notes:
- The frame-relay map configuration on R8 points to the wrong IP address for R4; reconfigure it.
- Since dynamic mappings are not allowed in this configuration, we need to configure
no frame-relay inverse-arp between both R6-R9 and R2-R4.
- Clear any previously learned dynamic mappings with clear frame-relay inarp.
- After making the changes, make sure you reload R8-R7 and R4.

R4
interface Serial1/0
no ip address
encapsulation frame-relay
no frame-relay inverse-arp

!
interface Serial1/0.1 point-to-point
ip address 172.5.47.4 255.255.255.0
frame-relay interface-dlci 407
!
interface Serial1/0.2 point-to-point
ip address 172.5.48.4 255.255.255.0
frame-relay interface-dlci 408
R7
interface Serial1/0
ip address 172.5.47.7 255.255.255.0
encapsulation frame-relay
frame-relay map ip 172.5.47.4 704 broadcast
no frame-relay inverse-arp
R8
interface Serial1/0
ip address 172.5.48.8 255.255.255.0
encapsulation frame-relay
frame-relay map ip 172.5.48.4 804 broadcast
no frame-relay inverse-arp
When to reload?
1. If no frame-relay inverse-arp is not configured on the interface, configure it, run clear
frame-relay inarp and check the Frame Relay mappings; if you still find mappings, reload the device.
2. show frame-relay map shows you any 0000 entry.
3. To avoid a reload you can shut down the interface, clear Frame Relay inverse ARP, and default
int s0/0 if the 0000 entry still exists; if this does not solve the issue, go ahead and reload.

1.2 Configure Vlan 123 on SW2 with the IP address 172.YY.123.12.


No vlan interface except default Vlan 1 is permitted on SW1.
No vlan interface except default Vlan 1 and Vlan 123 are permitted on SW2.
Notes: Check the trunk between SW1 and SW2; it will be preconfigured to support this requirement.
SW2
interface Vlan123
ip address 172.5.57.12 255.255.255.0
interface Vlan1
no shutdown

1.3 Define Interface FastEthernet0/5 on SW1 with IP address 192.YY.115.11/24.


No Physical Interface except FastEthernet0/5 on SW1 is permitted to define an
IP address.
Ensure this IP can ping 192.YY.115.5 on R5.
SW1
interface Fastethernet0/5
no switchport
ip address 192.5.115.11 255.255.255.0

1.4. Configure PPP encapsulation and clock rate 252000 on interface connected
to R3 - R8.
Configure PPP encapsulation and clock rate 252000 on interface connected to R1
- R7.
Notes:
- Once PPP encapsulation is configured, verify the clock rate on R1 - R7 and R3 - R8.
- Issue the show controllers serial2/1 command to check the interface type (DCE or DTE) and
the current clock rate.
- Change the clock rate only on the DCE router.
- In my case both R8 and R7 were the DCE interface.

R8
interface Serial1/1
encapsulation ppp
clockrate 252000
R7
interface Serial1/2
encapsulation ppp
clockrate 252000

Section 2 Core IGP

2.1 OSPF
OSPF is pre-configured in AS 278 devices R2, R7 and R8 on the interfaces listed
in the table below.
All devices are pre-configured for OSPF Area 0.
The initial configuration has some problems; make sure all devices can ping each
other's loopback 0 interfaces.
Don't advertise any additional interfaces except those listed in the table below:
Router Name   Interface               Area
Rack05R2      Loopback0               OSPF Area 0
              GigabitEthernet0/0.27   OSPF Area 0
              GigabitEthernet0/0.28   OSPF Area 0
Rack05R7      Loopback0               OSPF Area 0
              GigabitEthernet0/0.27   OSPF Area 0
              GigabitEthernet0/0.78   OSPF Area 0
Rack05R8      Loopback0               OSPF Area 0
              GigabitEthernet0/0.78   OSPF Area 0
              GigabitEthernet0/0.27   OSPF Area 0

Notes: The OSPF dead interval is configured on R2 as below:

After the correct configuration and connectivity, OSPF peering will not come up due to a timer
mismatch; match the timers as below:

R2
router ospf 278
network 5.5.2.2 0.0.0.0 area 0
network 5.5.27.2 0.0.0.0 area 0
network 5.5.28.2 0.0.0.0 area 0
R7
router ospf 278
network 5.5.7.7 0.0.0.0 area 0
network 5.5.27.7 0.0.0.0 area 0
network 5.5.78.7 0.0.0.0 area 0
int GigabitEthernet0/0.27
ip ospf dead-interval 30
R8
router ospf 278
network 5.5.8.8 0.0.0.0 area 0
network 5.5.78.8 0.0.0.0 area 0
network 5.5.28.8 0.0.0.0 area 0

Verification:
R2

R7

R8

2.2 Make sure R2 could never be a designated router in AS 278.


R2
interface GigabitEthernet0/0.27
ip ospf priority 0
interface GigabitEthernet0/0.28
ip ospf priority 0
Verification:

2.3 R2, R7 and R8 should assign automatic metric to their interfaces as shown
below:
Interface         Type   Metric
Loopback          Auto   metric 1
GigabitEthernet   Auto   metric 10
FastEthernet      Auto   metric 100
Ethernet          Auto   metric 1000
On R2, R7 and R8
router ospf 278
auto-cost reference-bandwidth 10000

Verification:
R2

R7

R8 (this output is taken with wrong configs, to let you see the difference)

2.4 Configure ISIS level-1 PDU in AS 69 on the R6 and R9 interfaces shown in the
table below:
OR
2.4 Configure ISIS level-2 PDU in AS 69 on the R6 and R9 interfaces shown in the
table below:
Router Name   Interface            Area
R6            Loopback0            47.0069
              FastEthernet0/0.69   47.0069
R9            Loopback0            47.0069
              FastEthernet0/0.69   47.0069
              FastEthernet0/0.99   47.0069

Notes: The answer is based on the level-1 question; if you get the level-2 question, just change
the IS-TYPE to LEVEL-2.
R6
router isis
net 47.0069.0000.0000.0006.00
is-type level-1
!
interface FastEthernet0/0.69
ip router isis
!
interface Loopback0
ip router isis
R9
router isis
net 47.0069.0000.0000.0009.00
is-type level-2-only
metric-style wide
!
interface FastEthernet0/0.69
ip router isis
!
interface Loopback0
ip router isis
!
interface FastEthernet0/0.99
ip router isis
Verification:

2.5 Change the metric for the R6 and R9 interfaces, as shown in the sh ip route
output of R6 and R9 below:
Router Name   Interface            Metric
R6            Loopback0            256
              FastEthernet0/0.69   10
R9            Loopback0            80
              FastEthernet0/0.69   10
              FastEthernet0/0.99   10
Notes: Make sure you mention the ISIS level with the metric command.
R9
int lo0
isis metric 70 level-2
R6
int lo0
isis metric 246 level-2

Verification: the output below is based on an old question, not this one, and needs to be
updated; please adapt it to the question above.

2.6 Only R6 and R9 in AS 69 are going to run ISIS in near future.


Reduce LSP advertisement for Vlan 69 by avoiding DIS election.
R6
int f0/0.69
isis network point-to-point
no isis csnp-interval 10
R9
int f0/0.69
isis network point-to-point
no isis csnp-interval 10
Notes: There are multiple ways to reduce LSP packets, but this question says to reduce LSPs
by avoiding DIS election, so we can simply use network point-to-point, and make sure we
remove csnp-interval 10. This is a bug in Cisco IOS: whenever we use network point-to-point on a
CLNS interface, isis csnp-interval 10 is added automatically; make sure you remove it. Whenever
you reload the router it is added automatically again to CLNS point-to-point interfaces, so
make sure you remove it each time you reload the device.
Verification:
You won't be able to find DIS info:

Section 3 BGP
3.1 Basic BGP IPv4 Unicast has been pre-configured in AS 278 for R2, R7 and
R8.
All devices in AS 278 are using their loopback 0 address as update source.
Each device in AS 278 has 2 IBGP neighbors.
Configure BGP so that IPv4 Unicast updates are not sent to any peer
unless it is explicitly configured for that peer.
Advertise all loopback0 addresses in AS 278.
The initial configuration has some problems; please troubleshoot them so that R2,
R7 and R8 can see each other as IBGP neighbors.
Troubleshooting: Update source is not configured between R2 and R7; correct that, and
advertise all the loopbacks.

R2
router bgp 278
bgp router-id 5.5.2.2
no bgp default ipv4-unicast
neighbor 5.5.8.8 remote-as 278
neighbor 5.5.8.8 update-source Loopback0
neighbor 5.5.7.7 remote-as 278
neighbor 5.5.7.7 update-source Loopback0
!
address-family ipv4
neighbor 5.5.8.8 activate
neighbor 5.5.8.8 send-community both
neighbor 5.5.7.7 activate
neighbor 5.5.7.7 send-community both
network 5.5.2.2 mask 255.255.255.255
exit-address-family
R7
router bgp 278
bgp router-id 5.5.7.7
no bgp default ipv4-unicast
neighbor 5.5.2.2 remote-as 278
neighbor 5.5.2.2 update-source Loopback0
neighbor 5.5.8.8 remote-as 278
neighbor 5.5.8.8 update-source Loopback0
!
address-family ipv4
neighbor 5.5.2.2 activate
neighbor 5.5.8.8 activate
network 5.5.7.7 mask 255.255.255.255
exit-address-family
R8
router bgp 278
bgp router-id 5.5.8.8
no bgp default ipv4-unicast
neighbor 5.5.2.2 remote-as 278
neighbor 5.5.2.2 update-source Loopback0
neighbor 5.5.7.7 remote-as 278
neighbor 5.5.7.7 update-source Loopback0
!
address-family ipv4
neighbor 5.5.2.2 activate
neighbor 5.5.2.2 send-community both
neighbor 5.5.7.7 activate
neighbor 5.5.7.7 send-community both
network 5.5.8.8 mask 255.255.255.255
exit-address-family
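
The 3.1 fault (update-source missing between R2 and R7) and the effect of no bgp default ipv4-unicast can be checked offline before touching the routers. The Python below is an added example, not part of the workbook; the sample configs are constructed in the 3.1 layout, and all function names are hypothetical.

```python
"""Offline lint for the iBGP full mesh of section 3.1 (added example)."""

def parse_bgp(text):
    """Extract the AS number, the default-activation flag and per-neighbor settings."""
    bgp = {"asn": None, "default_v4": True, "neighbors": {}}
    family = None  # None while at router level, else the address-family name
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[:2] == ["router", "bgp"]:
            bgp["asn"] = int(words[2])
        elif words == ["no", "bgp", "default", "ipv4-unicast"]:
            bgp["default_v4"] = False
        elif words[0] == "address-family":
            family = " ".join(words[1:])
        elif words[0] == "exit-address-family":
            family = None
        elif words[0] == "neighbor" and len(words) >= 3:
            nbr = bgp["neighbors"].setdefault(
                words[1], {"remote_as": None, "source": None, "families": set()})
            if words[2] == "remote-as":
                nbr["remote_as"] = int(words[3])
            elif words[2] == "update-source":
                nbr["source"] = words[3]
            elif words[2] == "activate" and family:
                nbr["families"].add(family)
    return bgp

def check_ibgp(routers):
    """routers: name -> (Loopback0 address, config text). Returns sorted findings."""
    parsed = {name: (lo, parse_bgp(cfg)) for name, (lo, cfg) in routers.items()}
    owner = {lo: name for name, (lo, _) in parsed.items()}
    findings = []
    for name, (lo, bgp) in parsed.items():
        for addr, nbr in bgp["neighbors"].items():
            peer = owner.get(addr)
            if peer is None or nbr["remote_as"] != bgp["asn"]:
                continue  # only iBGP sessions that target a known loopback
            # The peer expects the session to arrive from this router's loopback.
            if nbr["source"] != "Loopback0":
                findings.append(f"{name}: neighbor {addr} ({peer}) has no update-source Loopback0")
            # With the default disabled, nothing is exchanged until 'activate'.
            if not bgp["default_v4"] and "ipv4" not in nbr["families"]:
                findings.append(f"{name}: neighbor {addr} ({peer}) not activated under address-family ipv4")
            if lo not in parsed[peer][1]["neighbors"]:
                findings.append(f"{name}: {peer} has no neighbor statement for {lo}")
    return sorted(findings)

def sample_config(router_id, peers, missing_source=()):
    """Constructed sample in the 3.1 layout; drops update-source for missing_source peers."""
    lines = ["router bgp 278", f" bgp router-id {router_id}", " no bgp default ipv4-unicast"]
    for peer in peers:
        lines.append(f" neighbor {peer} remote-as 278")
        if peer not in missing_source:
            lines.append(f" neighbor {peer} update-source Loopback0")
    lines += [" !", " address-family ipv4"]
    lines += [f"  neighbor {peer} activate" for peer in peers]
    lines += [f"  network {router_id} mask 255.255.255.255", " exit-address-family"]
    return "\n".join(lines)

LOOPBACKS = {"R2": "5.5.2.2", "R7": "5.5.7.7", "R8": "5.5.8.8"}

def build(missing):
    """Build the three-router mesh; missing maps a router to peers lacking update-source."""
    return {name: (lo, sample_config(lo, [p for p in LOOPBACKS.values() if p != lo],
                                     missing.get(name, ())))
            for name, lo in LOOPBACKS.items()}

BROKEN = build({"R2": ["5.5.7.7"], "R7": ["5.5.2.2"]})  # the fault described in 3.1
FIXED = build({})                                        # the solution layout

if __name__ == "__main__":
    for finding in check_ibgp(BROKEN):
        print(finding)
    print("fixed mesh findings:", check_ibgp(FIXED))
```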

3.2 Basic BGP IPv4 Unicast has been pre-configured in AS 69 for R6 and R9.
Configure BGP so that IPv4 Unicast updates are not sent to any other peer
unless it is explicitly configured for that peer.
Both are using their loopback 0 address as update source.
Advertise all loopback0 addresses in AS 69.
Make sure they can see each other's loopback0 in the BGP IPv4 Unicast routing table.
Notes: Configure and advertise routes.
R6
router bgp 69
bgp router-id 5.5.6.6
no bgp default ipv4-unicast
neighbor 5.5.9.9 remote-as 69
neighbor 5.5.9.9 update-source Loopback0
!
address-family ipv4
neighbor 5.5.9.9 activate
neighbor 5.5.9.9 send-community both
network 5.5.6.6 mask 255.255.255.255
exit-address-family
R9
router bgp 69
bgp router-id 5.5.9.9
no bgp default ipv4-unicast
neighbor 5.5.6.6 remote-as 69
neighbor 5.5.6.6 update-source Loopback0
!
address-family ipv4
neighbor 5.5.6.6 activate
network 5.5.9.9 mask 255.255.255.255
exit-address-family

3.3 R6 needs to have peering with Backbone (BB2) with IP address 150.2.YY.254
which is located in AS 254.
Configure R6 to establish a BGP IPv4 Unicast peering session with Backbone.
Backbone has pre-configured R6 as in AS YY.
Configure BGP IPv4 Unicast peering between R2 and R6, R6 and R8. They should
use directly connected interface IP for establishing BGP session.
Make sure that after peering AS 278 and AS 69 can ping each other's loopback0
addresses.
AS 278 and AS 69 should be able to ping the 197.67.Z.0 networks learned from BB2
with their loopback 0 addresses as source.
Inter-AS network links like YY.YY.28.0 or 150.2.YY.0 of AS 278, 69, 254 must
not be advertised in either BGP or IGP.
Notes: Configure EBGP peering and check the routes and neighbor status. Make sure you have
configured next-hop-self on all ASBRs toward the local routers. Sh ip bgp summary, sh ip bgp

R2
router bgp 278
neighbor 5.5.26.6 remote-as 69
!
address-family ipv4
neighbor 5.5.26.6 activate
neighbor 5.5.8.8 next-hop-self
neighbor 5.5.7.7 next-hop-self
exit-address-family
R8
router bgp 278
neighbor 5.5.68.6 remote-as 69
!
address-family ipv4
neighbor 5.5.2.2 next-hop-self
neighbor 5.5.7.7 next-hop-self
neighbor 5.5.68.6 activate
exit-address-family
R6
router bgp 69
neighbor 5.5.26.2 remote-as 278
neighbor 5.5.68.8 remote-as 278
neighbor 150.200.5.254 remote-as 254
neighbor 150.200.5.254 local-as 10 no-prepend
!
address-family ipv4
neighbor 5.5.9.9 next-hop-self
neighbor 5.5.26.2 activate
neighbor 5.5.26.2 send-community both
neighbor 5.5.68.8 activate
neighbor 5.5.68.8 send-community both
neighbor 150.200.5.254 activate
exit-address-family

Verification:


3.4 Routes learned from BB2 should have the additional community 278:278 in AS 278
and 69:69 in AS 69.
Or
3.4 Routes learned from BB2 should have the additional communities 278:278, 69:69
in AS 278 and AS 69.
Notes: Make sure you have configured ip bgp-community new-format, and send communities end to
end to achieve this. Routes learned via the backbone already have the community value 254:254;
make sure you have this community on R6 for routes learned via the backbone.
Sh ip bgp backbone route.
The answer below is for the first version of the question:
R6
! Use the backbone routes' existing community
ip community-list standard 254:254 permit 254:254
!
route-map BB2_IN permit 10
set community 69:69 additive
!
route-map AS_267_OUT permit 10
match community 254:254
set community 278:278 254:254
!
route-map AS_267_OUT permit 20
!
router bgp 69
address-family ipv4
neighbor 5.5.26.2 route-map AS_267_OUT out
neighbor 5.5.68.8 route-map AS_267_OUT out
neighbor 150.200.5.254 route-map BB2_IN in

Verification:

3.5 Configure AS 278 to access BB2 using R8 as primary exit and R2
as a backup.
Configure AS 278 so that traffic from AS 278 to AS 69 uses R2 as
primary; if the link between R2 and R6 is down, it should re-route to any available
path.
OR
Configure R2 to ensure that traffic from R7 destined to AS 69 chooses R2 as
primary exit point and R8 as a backup.
Configure R2 to ensure that traffic from R7 destined to Backbone (197.68.Z.0)
chooses R8 as primary exit point and R2 as a backup.
Notes: Please verify via trace from R7 and R8. This question usually changes for each
candidate; be careful, and practise changing paths and analyzing the long-term impact on the
VPNv4 route control question.
The answer below is for the first version of the question:
R2
ip community-list standard 254:254 permit 254:254
route-map FROM_R6_IN permit 10
match community 254:254
set local-preference 99
!
route-map FROM_R6_IN permit 20
set local-preference 200
!
router bgp 278
address-family ipv4
neighbor 5.5.26.6 route-map FROM_R6_IN in

Verification:

Section 4 MPLS
4.1 Enable MPLS on the AS 278 interfaces specified in the table below.
Use the industry-standard label distribution protocol to propagate labels.
Configure AS 278 devices' loopback0 address as their router ID.
Don't enable MPLS on any interfaces other than those shown in the table below:
Router   Interfaces
R2       GigabitEthernet 0/0.27
         GigabitEthernet 0/0.28
R8       GigabitEthernet0/0.28
         GigabitEthernet0/1.78
R7       GigabitEthernet 0/0.27
         GigabitEthernet 0/0.78

Notes: Verify via sh mpls ldp nei/discovery, sh mpls interface.
Make sure CEF is enabled on all MPLS LDP enabled routers. In the lab, on 3600 and 2600 series
routers CEF is disabled by default; please enable it.
R2
mpls ldp router-id Loopback0 force
mpls label protocol ldp
!
interface GigabitEthernet0/0.27
mpls ip
!
interface GigabitEthernet0/0.28
mpls ip
R7
mpls ldp router-id Loopback0 force
mpls label protocol ldp
!
interface GigabitEthernet0/0.27
mpls ip
!
interface GigabitEthernet0/0.78
mpls ip
R8
mpls ldp router-id Loopback0 force
mpls label protocol ldp
interface GigabitEthernet0/0.28
mpls ip
!
interface GigabitEthernet0/0.78
mpls ip

Verification:

4.2 Enable MPLS on the AS 69 interfaces specified in the table below.
Use the industry-standard label distribution protocol to propagate labels.
Configure AS 69 devices' loopback0 address as their router ID.
Don't enable MPLS on any interfaces other than those shown in the table below:
Router   Interface
R6       FastEthernet0/0.69
R9       FastEthernet0/0.69
R6
mpls ldp router-id Loopback0 force
mpls label protocol ldp
!
interface GigabitEthernet0/0.69
mpls ip
R9
mpls ldp router-id Loopback0 force
mpls label protocol ldp
!
interface GigabitEthernet0/0.69
mpls ip

Verification:

4.3 AS 278 has decided to test MPLS Traffic Engineering feature between R2 and
R8 loopback2.
To make this test successful enable MPLS Traffic Engineering support in AS 278
and reserve 20 Mbit on required interfaces.
Path from R2 and R8 lo2 should transit R7.
R2
mpls traffic-eng tunnels
!
router ospf 278
mpls traffic-eng router-id Loopback2
mpls traffic-eng area 0
!
interface GigabitEthernet0/0.27
mpls traffic-eng tunnels
ip rsvp bandwidth 20000
R7
mpls traffic-eng tunnels
!
router ospf 278
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
interface GigabitEthernet0/0.27
mpls traffic-eng tunnels
ip rsvp bandwidth 20000
!
interface GigabitEthernet0/0.78
mpls traffic-eng tunnels
ip rsvp bandwidth 20000
R8
mpls traffic-eng tunnels
!
router ospf 278
mpls traffic-eng router-id Loopback2
mpls traffic-eng area 0
!
interface GigabitEthernet0/0.78
mpls traffic-eng tunnels
ip rsvp bandwidth 20000

Verification:

Output Omitted

4.4 Create Tunnel 28 on R2 and Tunnel 82 on R8, both should access their
loopback2 IP address via these tunnels.
Explicit path is not allowed to achieve this.
Tunnel should use 5 Mbit of reserved RSVP bandwidth.
Two static routes are allowed, one on each device.
OR
Static route is not permitted to achieve this
Make sure traffic from R2 loopback2 to R8 loopback2 should use Tunnel 28 and
traffic from R8 loopback2 to R2 loopback2 should use Tunnel 82.

Notes: Do only as done below. The answer is based on the static route question.

R8
interface Tunnel82
ip unnumbered Loopback2
tunnel destination 5.5.2.22
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng bandwidth 5000
tunnel mpls traffic-eng path-option 1 dynamic
ip route 5.5.2.22 255.255.255.255 tunnel 82
R2
interface Tunnel28
ip unnumbered Loopback2
tunnel destination 5.5.8.88
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng bandwidth 5000
tunnel mpls traffic-eng path-option 1 dynamic
ip route 5.5.8.88 255.255.255.255 tunnel 28

Verification:

Section 5 MPLS VPN


VRF Name     RD Value   RT Value
ABC Site 1   278:78     278:78
ABC Site 2   278:2      278:2
ABC Site 3   69:9       69:9
XYZ Site 1   35:35      35:35
XYZ Site 2   35:35      35:35

5.1 MP-IBGP (BGP VPNv4 Unicast) in AS 278 is pre-configured, but there are
some issues left in the configuration; please troubleshoot them and make sure R2
and R8 have BGP VPNv4 Unicast peering with R7.
Peering between other devices in AS 278, except the above, is not allowed.
Devices in AS 278 should use their loopback0 as source of peering.
MP-BGP Unicast should not be sent to any device other than those specified in the
question.
Notes:
R7 is already configured as VPNv4 RR.
Check both neighbors of R7 and make sure next-hop-self is configured on the ASBRs for IPv4 before
starting the MP-BGP configs.

R2
router bgp 278
!
address-family vpnv4
neighbor 5.5.7.7 activate
neighbor 5.5.7.7 send-community both
R7
router bgp 278
!
address-family vpnv4
neighbor 5.5.2.2 activate
neighbor 5.5.2.2 route-reflector-client
neighbor 5.5.2.2 send-community both
neighbor 5.5.8.8 activate
neighbor 5.5.8.8 route-reflector-client
neighbor 5.5.8.8 send-community both
R8
router bgp 278
!
address-family vpnv4
neighbor 5.5.7.7 activate
neighbor 5.5.7.7 send-community both

5.2 MP-IBGP (BGP VPNv4 Unicast) in AS 69 is pre-configured, but there are some
issues left in configuration, please troubleshoot those and make sure R6 and
R9 have BGP VPNv4 Unicast peering with each other.
Devices in AS 69 should use their loopback0 as a source for BGP VPNv4 Unicast
session between them.
Notes: Check and correct; you probably need to activate both neighbors in their VPNv4 address family.
R6
router bgp 69
!
address-family vpnv4
neighbor 5.5.9.9 activate
neighbor 5.5.9.9 send-community both
R9
router bgp 69
!
address-family vpnv4
neighbor 5.5.6.6 activate
neighbor 5.5.6.6 send-community both

Verification:

5.3 ABC Site-1


The ABC Company site 1 uses BGP as routing protocol to connect PE routers R7
and R8.
Customer router R4 is located in AS 34.
Configure R7 and advertise Loopback1 and WAN interface 172.YY.47.0/24 in to
BGP address family for Customer ABC.
Configure R8 and advertise Loopback1 and WAN interface 172.YY.48.0/24 in to
BGP address family for customer ABC.
Configure R4 to peer with PE routers R7 and R8 via BGP IPv4 Unicast and
advertise R4 loopback0 network in to BGP.
Configure OSPF Area 0 between R3 and R4 to advertise the interfaces listed
below:
Router   Interface
R3       FastEthernet0/0.34
R4       FastEthernet0/0.34
         FastEthernet0/0.44
Other interfaces on R3 and R4 must not be advertised into OSPF.
After the OSPF and BGP configuration in ABC Site-1, please ensure R7 and R8
have all the ABC Site-1 routes in their routing table for company ABC.
Notes: Instead of redistribute connected, always try to use the network command, if not
prohibited in the question.

R7
ip vrf ABC
rd 278:278
route-target export 278:78
route-target import 278:78
!
interface Serial1/0
ip vrf forwarding ABC
ip address 172.5.47.7 255.255.255.0
!
int lo1
ip vrf forwarding ABC
ip address 172.5.7.7 255.255.255.0
!
router bgp 278
address-family ipv4 vrf ABC
neighbor 172.5.47.4 remote-as 34
neighbor 172.5.47.4 activate
network 172.5.7.0 mask 255.255.255.0
R8
ip vrf ABC
rd 278:278
route-target export 278:78
route-target import 278:78
!
interface Serial1/0
ip vrf forwarding ABC
ip address 172.5.48.8 255.255.255.0
!
int lo1
ip vrf forwarding ABC
ip address 172.5.8.8 255.255.255.0
!
router bgp 278
address-family ipv4 vrf ABC
neighbor 172.5.48.4 remote-as 34
neighbor 172.5.48.4 activate
network 172.5.8.0 mask 255.255.255.0

R4
router bgp 34
! Optional:
no bgp default ipv4-unicast
neighbor 172.5.47.7 remote-as 278
neighbor 172.5.48.8 remote-as 278
!
address-family ipv4
neighbor 172.5.47.7 activate
neighbor 172.5.48.8 activate
network 172.5.4.4 mask 255.255.255.255
network 172.5.47.0 mask 255.255.255.0
network 172.5.48.0 mask 255.255.255.0
exit-address-family
int lo1
ip add 172.5.4.44 255.255.255.255
!
router ospf 34
redistribute bgp 34 subnets
network 172.5.34.4 0.0.0.0 area 0
network 172.5.4.44 0.0.0.0 area 0
R3
router ospf 34
network 172.5.3.3 0.0.0.0 area 0
network 172.5.34.3 0.0.0.0 area 0
!
interface FastEthernet0/0.33
encapsulation dot1Q 33
ip address 172.5.33.33 255.255.255.0

Verification:
Output is taken after configuring ABC Site 2 as well:


5.4 ABC Site-2


Company ABC Site-2 is running RIP V2 as routing protocol with PE router R2.
Make sure PE R2 is getting the 199.172.7.0 (0-7) networks in RIP and in the BGP address
family for Customer ABC, after configuring RIP on R2.
Customer ABC Site-2 also uses EIGRP to connect to the PE router R2.
Ensure R2 is getting all Site-2 EIGRP routes as internal routes in the PE EIGRP
address family for Customer ABC.
Configure EIGRP between R1 and R2 for the interfaces shown in the table:
Router   Interfaces
R2       Loopback1, FastEthernet0/1.12
R1       FastEthernet0/1.12, FastEthernet0/0.11, Loopback0
Test connectivity for ABC Site-2 between R1 and BB-1 and make sure R1 is able
to ping the 199.172.X.0 networks.
Use only the Import Method to make connectivity between ABC Site-1 and 2 and make
sure all PE routers in AS 278 have the routes of the ABC sites in their Customer
routing table.
Notes: Ping and test connectivity to the backbone. It is better to create the filter ACL before
using the network command in the RIP VRF address family. no auto-summary and version 2 should be
specified in the VRF address family instead of the global RIP process. Specify the interface
when using the distribute list.
The question will not say anything about the EIGRP VRF AS number on R2; please check what is
configured on R1. If EIGRP is not configured on R1, use the process ID you will use for R9 and R5.

R2
ip vrf ABC
rd 278:2
route-target export 278:2
route-target import 278:2
route-target import 278:78
interface GigabitEthernet0/0.10
ip vrf forwarding ABC
ip address 150.100.5.2 255.255.255.0
!
interface GigabitEthernet0/0.12
ip vrf forwarding ABC
ip address 172.5.12.2 255.255.255.0
!
interface GigabitEthernet0/0.13
encapsulation dot1Q 13
ip vrf forwarding ABC
ip address 172.5.22.22 255.255.255.0
!
int lo1
ip vrf forwarding ABC
ip address 172.5.2.2 255.255.255.255
router eigrp 1
address-family ipv4 vrf ABC
network 172.5.12.0 0.0.0.255
network 172.5.22.0 0.0.0.255
no auto-summary
autonomous-system 100
exit-address-family
!
router rip
address-family ipv4 vrf ABC
network 150.100.5.0
no auto-summary
version 2
distribute-list 10 in GigabitEthernet0/0.10
access-list 10 permit 192.68.1.0 0.0.7.255

R1
router eigrp 100
network 172.5.1.1 0.0.0.0
network 172.5.12.1 0.0.0.255
Let's build the VPN connectivity. Please do a ping check between ABC Site 1 and Site 2.
R2
router rip
address-family ipv4 vrf ABC
redistribute bgp 278 metric transparent
redistribute eigrp 100 metric 1
!
router eigrp 1
address-family ipv4 vrf ABC
redistribute bgp 278 metric 1000 100 255 1 1500
redistribute rip metric 1000 100 255 1 1500
autonomous-system 100
!
router bgp 278
address-family ipv4 vrf ABC
redistribute rip
redistribute eigrp 100
network 172.5.2.2 mask 255.255.255.255
R7/R8
ip vrf ABC
route-target import 278:2
R4
router ospf 34
redistribute bgp 34 subnets
!
router bgp 34
address-family ipv4
redistribute ospf 34 match internal external

Verification:


5.5 Inter-AS VPN


Configure R7 and R9 to exchange MP-EBGP VPNv4 Unicast updates.
Other devices in AS 278 and AS 69 should not exchange VPNv4 Unicast updates to
each other.
BGP IPv4 routes are not permitted to redistribute in to IGP.
Notes: Killer question. Don't put in any extra effort or worry about unnecessary labels,
otherwise you will create big issues.
R9
router bgp 69
neighbor 5.5.7.7 remote-as 278
neighbor 5.5.7.7 update-source Loopback0
neighbor 5.5.7.7 ebgp-multihop
!
address-family vpnv4
neighbor 5.5.7.7 activate
neighbor 5.5.7.7 next-hop-unchanged
!
address-family ipv4
neighbor 5.5.6.6 send-label

R7
router bgp 278
neighbor 5.5.9.9 remote-as 69
neighbor 5.5.9.9 update-source Loopback0
neighbor 5.5.9.9 ebgp-multihop
!
address-family vpnv4
neighbor 5.5.9.9 activate
neighbor 5.5.9.9 next-hop-unchanged
!
address-family ipv4
neighbor 5.5.2.2 send-label
neighbor 5.5.8.8 send-label

R6
router bgp 69
no bgp default route-target filter
!
address-family ipv4
neighbor 5.5.26.2 send-label
neighbor 5.5.68.8 send-label
neighbor 5.5.9.9 send-label
!
route-map AS_267_OUT permit 20
set mpls-label
R2
router bgp 278
address-family ipv4
neighbor 5.5.26.6 send-label
neighbor 5.5.7.7 send-label
! Route-map is applied for BGP IPV4 Route Control Question
route-map FROM_R6_IN permit 20
match mpls-label
R8
router bgp 278
address-family ipv4
neighbor 5.5.68.6 send-label
neighbor 5.5.7.7 send-label

Verification:
Understand IGP and BGP Label on R6, R2, R8, R9 and R7


5.6 ABC Site-3


ABC Company Site-3 uses EIGRP to exchange routing information with Service
Provider.
Configure EIGRP between R5 and R9 and make sure R9 gets ABC Site-3 routes as
EIGRP internal routes.
Configure PE routers and Route Reflectors so that all ABC sites could access
to each other.
Notes: The EIGRP Autonomous System Number should be the same on R1, R2, R9 and R5 to achieve this.
R9
router eigrp 1
address-family ipv4 vrf ABC
! You can use any metric values you like
redistribute bgp 69 metric 1000 100 255 1 1500
network 172.5.59.0 0.0.0.255
autonomous-system 100
!
router bgp 69
address-family ipv4 vrf ABC
redistribute eigrp 100
!
ip vrf ABC
route-target import 278:2
route-target import 278:78
R5
router eigrp 100
network 172.5.5.5 0.0.0.0
network 172.5.59.0 0.0.0.255

R2/R7/R8
ip vrf ABC
route-target import 69:9
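
The import-only connectivity built in 5.4 and 5.6 can be checked on paper: a VRF installs another site's routes only when one of that site's export RTs is in its import list, and a one-sided import gives routes in one direction only. The Python below is an added example, not part of the workbook. It assumes each site exports the RT shown in the Section 5 table and that R9 also imports its own 69:9; "XYZ Site 3" is a hypothetical misconfigured VRF, and all function names are made up for illustration.

```python
"""Route-target import/export check for the VRFs of Section 5 (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    site: str
    customer: str
    exports: frozenset
    imports: frozenset

def vrf(site, customer, exports, imports):
    return Vrf(site, customer, frozenset(exports), frozenset(imports))

def installs(vrfs):
    """site -> other sites whose VPNv4 routes it installs (their export RT is imported)."""
    return {v.site: {o.site for o in vrfs if o is not v and o.exports & v.imports}
            for v in vrfs}

def one_way(vrfs):
    """(a, b) pairs where a installs b's routes but b has no route back to a."""
    seen = installs(vrfs)
    return sorted((a, b) for a in seen for b in seen[a] if a not in seen[b])

def cross_customer(vrfs):
    """(a, b) pairs where a installs routes of a site that belongs to another customer."""
    owner = {v.site: v.customer for v in vrfs}
    seen = installs(vrfs)
    return sorted((a, b) for a in seen for b in seen[a] if owner[a] != owner[b])

def lab_vrfs(pe_278_import_69_9):
    """RT layout from the page; the flag toggles the 5.6 step on R2/R7/R8."""
    extra = ["69:9"] if pe_278_import_69_9 else []
    return [
        vrf("ABC Site 1", "ABC", ["278:78"], ["278:78", "278:2"] + extra),  # R7/R8
        vrf("ABC Site 2", "ABC", ["278:2"], ["278:2", "278:78"] + extra),   # R2
        vrf("ABC Site 3", "ABC", ["69:9"], ["69:9", "278:2", "278:78"]),    # R9
        vrf("XYZ Site 1", "XYZ", ["35:35"], ["35:35"]),                     # table value
        vrf("XYZ Site 2", "XYZ", ["35:35"], ["35:35"]),                     # table value
    ]

# Constructed misconfiguration: an XYZ VRF that also imports an ABC route target.
LEAKY = lab_vrfs(True) + [vrf("XYZ Site 3", "XYZ", ["35:35"], ["35:35", "278:78"])]

if __name__ == "__main__":
    print("before 5.6 on R2/R7/R8:", one_way(lab_vrfs(False)))
    print("after 5.6:", one_way(lab_vrfs(True)))
    print("cross-customer imports:", cross_customer(LEAKY))
```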

Verification:

5.7 VPN Route Control


A) Configure R7 so that VPN traffic coming from ABC Site-1 Selects R7 as
Primary exit.
OR
Configure R7 and R8 so that VPN traffic coming from ABC Site-1 Selects R7 as
Primary exit.
B) Configure R7 so that VPN traffic coming from ABC Site-1 Selects R2 as
Primary exit and R8 as backup exit to reach ABC Site-3
OR
Configure R7 and R8 so that VPN traffic coming from ABC Site-1 Selects R2 as
Primary exit and R8 as backup exit to reach ABC Site-3
Notes: Do exactly what is done here, or you will create big issues and loops; this needs a long
explanation. If your basics are good you will be able to understand.
Let's discuss the details in the Remote Troubleshooting sections; answers are not given here for
all questions.

R7
router bgp 278
address-family vpnv4
neighbor 5.5.8.8 next-hop-self
!
address-family ipv4 vrf ABC
neighbor 172.5.47.4 route-map P_C_R4_OUT out
exit-address-family
!
route-map P_C_R4_OUT permit 10
set origin igp
set mpls-label
Verification:


2. ABC Site-3 should use the link between R6-R8 to access ABC Site-1 and ABC Site1.
R6
ip as-path access-list 278 permit ^278$
!
route-map P_C_R6_IN permit 10
match as-path 278
match mpls-label
set local-preference 101
!
route-map P_C_R6_IN permit 20
!
router bgp 69
address-family ipv4
neighbor 5.5.68.8 route-map P_C_R6_IN in

Verification:

5.9 L2TPV3 Interworking


Create VRF PPP-FR on R5 with RD 51:51.
Configure R5 Frame-relay Interface S1/1 and Loopback2 under this VRF.
PPP-FR Site-2 uses R9 PE router to reach PPP-FR Site-1 at R1.
PPP-FR Site-1 R1 connects to Service Provider router R7 via Serial PPP Link
and connects R7 on Interface Serial1/1.
IP addresses must not be configured on the PE routers to make this
connectivity. Configure PPP-FR L2TPV3 Interworking on R7 and R9 to achieve
this.
Configure RIP V2 on the interfaces shown in the table, and ensure PPP-FR Site-1
and PPP-FR Site-2 can communicate with each other.
Device   Interface
R1       Loopback2, Serial1/1
R5       Loopback0, Serial 1/1

R1
ip vrf PPP-FR
rd 51:51
!
interface Loopback1
ip vrf forwarding PPP-FR
ip address 172.5.1.11 255.255.255.255
!
interface Serial1/2
ip vrf forwarding PPP-FR
ip address 172.5.15.1 255.255.255.0
encapsulation ppp
ip ospf network point-to-point
!
router ospf 200 vrf PPP-FR
network 172.5.1.11 0.0.0.0 area 0
network 172.5.15.1 0.0.0.0 area 0
R5
ip vrf PPP-FR
rd 51:51
!
interface Loopback1
ip vrf forwarding PPP-FR
ip address 172.5.5.55 255.255.255.255
!
interface Serial1/2
ip vrf forwarding PPP-FR
ip address 172.5.15.5 255.255.255.0
encapsulation frame-relay
frame-relay map ip 172.5.15.1 100 broadcast
ip ospf network point-to-point
!
router ospf 200 vrf PPP-FR
network 172.5.5.55 0.0.0.0 area 0
network 172.5.15.5 0.0.0.0 area 0

R7
pseudowire-class L2TPV3
encapsulation l2tpv3
interworking ip
ip local interface Loopback0
ip tos value 160
!
interface Serial1/2
encapsulation ppp
clock rate 252000
xconnect 5.5.9.9 79 pw-class L2TPV3
R9
pseudowire-class L2TPV3
encapsulation l2tpv3
interworking ip
ip local interface Loopback0
ip tos value 160
!
frame-relay switching
interface Serial1/2
encapsulation frame-relay
frame-relay intf-type dce
frame-relay interface-dlci 100 switched
clock rate 252000
!
connect PPP-FR Serial1/2 100 l2transport
xconnect 5.5.7.7 79 pw-class L2TPV3

Verification:


5.9 ATOM PPP VLAN Interworking


Create VRF PPP-ETH on R3 with RD 123:123.
Configure R3 Serial Interface S1/1 and Loopback2 under this VRF.
PPP-ETH Site-2 uses R8 PE router to reach PPP-ETH Site-1 at SW2.
PPP-ETH Site-1 SW2 connects to Service Provider router R7 via Vlan 123.
IP addresses must not be configured on the PE routers to make this
connectivity. Configure PPP-VLAN Interworking on R7 and R8 to achieve this.
Configure OSPF on the interfaces shown in the table, and ensure PPP-ETH Site-1 and
PPP-ETH Site-2 can communicate with each other.
Device   Interface
R3       Loopback2, Serial1/1
SW2      Loopback0, Vlan 123

R3
ip vrf PPP-ETH
rd 123:123
!
interface Loopback1
ip vrf forwarding PPP-ETH
ip address 172.5.3.33 255.255.255.255
!
int s1/1
ip vrf forwarding PPP-ETH
ip address 172.5.123.3 255.255.255.0
encapsulation ppp
no shutdown
ip ospf network point-to-point
!
router ospf 200 vrf PPP-ETH
log-adjacency-changes
network 172.5.123.3 0.0.0.0 area 0
network 172.5.3.33 0.0.0.0 area 0
SW2
interface Vlan123
ip address 172.5.123.12 255.255.255.0
ip ospf network point-to-point
!
interface Loopback0
ip address 172.5.12.12 255.255.255.255
!
router ospf 200
network 172.5.12.12 0.0.0.0 area 0
network 172.5.123.12 0.0.0.0 area

R8
pseudowire-class ATOM
encapsulation mpls
interworking ip
!
interface Serial1/1
encapsulation ppp
clockrate 252000
xconnect 5.5.7.7 78 pw-class ATOM
no shutdown
R7
pseudowire-class ATOM
encapsulation mpls
interworking ip
!
interface GigabitEthernet0/0.123
encapsulation dot1Q 123
xconnect 5.5.8.8 78 pw-class ATOM


Verification:


5.10 CSC
ABC Site-1 (AS 34) and ABC Site-2 (AS 50) are two POPs of a Service Provider,
who provides VPN services to his customers and contracted AS 278 and AS 69 to
act as transit Service Providers to carrier supporting carrier VPN.
Configure AS 278, AS 69 AS 34 to support this so that AS 45 (POPs AS 34, AS
50) can provide VPN services to his Customer Company XYZ.
Network 172.YY.47.0 and 172.YY.48.0 are not allowed to enable LDP/TDP.

Configure a VPNv4 BGP Unicast between R3 (AS34) and R5 (AS 50) to support this
requirement.
Use their Loopback0 interfaces as update source.
Create VRF XYZ on R3 and R5 with RD/RT 35:35, and configure bellow interfaces
on R3 and R5 in to this VRF.
Device
Interface
R5
Loopback1, FastEthernet0/0
R3
Loopback1, FastEthernet0/1.33

Configure RIP V2 as IGP for XYZ Site-2 between R5 and SW2; the interfaces below
should be advertised into RIP V2.
Device   Interface
R5       Loopback1, FastEthernet0/0
SW2      Loopback0, FastEthernet0/5
Ensure Customer XYZ Site-1 and Site-2 have full reachability to each other and
make sure the SW1 routing table output is as follows:

Note: if you are unable to ping the R5 interface from SW1, enable CEF on R5 and reload both SW1
and R5; you will then be able to ping. This is because R5 is a 2600 series router, and CEF is
disabled by default. Cisco has not enabled CEF during creation of vrf XYZ, which is why the VRF
doesn't have a separate CEF table. Once you enable CEF and reload the device, the CEF table will be
created and you will be able to ping. The BGP AS numbers for R3 and R5 change in this lab;
sometimes they run IBGP, sometimes EBGP.

R5
ip vrf XYZ
rd 34:34
route-target export 34:34
route-target import 34:34
!
interface Loopback2
ip vrf for XYZ
ip address 172.5.55.55 255.255.255.255
!
interface FastEthernet0/0.57
ip vrf for XYZ
ip address 172.5.115.5 255.255.255.0
!
router bgp 50
no bgp default ipv4-unicast
neighbor 172.5.3.3 remote-as 34
neighbor 172.5.3.3 update-source Loopback0
neighbor 172.5.3.3 ebgp
!
address-family vpnv4
neighbor 172.5.3.3 activate
neighbor 172.5.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf XYZ
redistribute rip
redistribute connected
no synchronization
exit-address-family

router rip
!
address-family ipv4 vrf XYZ
redistribute bgp 50 metric 3
!
interface FastEthernet0/0.59
mpls ip
R9
interface FastEthernet0/0.59
mpls ip
R7
router bgp 278
address-family ipv4 vrf ABC
neighbor 172.5.47.4 send-label
R8
router bgp 278
address-family ipv4 vrf ABC
neighbor 172.5.48.4 send-label
R4
router bgp 34
add ipv4
neighbor 172.5.48.8 send-label
neighbor 172.5.47.7 send-label
!
int f0/0.34
mpls ip
mpls label pro tdp

R3
int f0/0.34
mpls ip
mpls label pro tdp
!
ip vrf XYZ
rd 34:34
route-target export 34:34
route-target import 34:34
!
interface FastEthernet0/0.33
ip vrf forwarding XYZ
ip address 172.5.33.3 255.255.255.0
!
interface FastEthernet0/0.35
ip vrf forwarding XYZ
ip address 172.5.35.3 255.255.255.0
!
router bgp 34
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 172.5.5.5 remote-as 50
neighbor 172.5.5.5 ebgp
neighbor 172.5.5.5 update-source Loopback0
!
address-family vpnv4
neighbor 172.5.5.5 activate
neighbor 172.5.5.5 send-community extended
exit-address-family
!
address-family ipv4 vrf XYZ
redistribute connected
no synchronization
exit-address-family
SW1
Configure RIP and test ping to R3

Verification:


Section 6 Multicast
6.1 PIM Sparse Mode
Configure PIM SM in AS 278 and AS 69 as per the chart below.

Device   Interface
R2       Loopback0, GigabitEthernet0/0.26, GigabitEthernet0/0.27, GigabitEthernet0/0.28
R7       Loopback0, GigabitEthernet0/0.27, GigabitEthernet0/0.78
R8       Loopback0, GigabitEthernet0/0.28, GigabitEthernet0/0.78
R6       Loopback0, FastEthernet0/0.26, FastEthernet0/0.69
R9       Loopback0, FastEthernet0/0.69, FastEthernet0/0.99

R2
interface Loopback0
ip pim sparse-mode
!
interface GigabitEthernet0/0.27
ip pim sparse-mode
!
interface GigabitEthernet0/0.28
ip pim sparse-mode
!
interface GigabitEthernet0/0.26
ip pim sparse-mode
R7
interface Loopback0
ip pim sparse-mode
!
interface GigabitEthernet0/0.27
ip pim sparse-mode
ip igmp join-group 239.255.1.1
!
interface GigabitEthernet0/0.78
ip pim sparse-mode
R8
interface Loopback0
ip pim sparse-mode
!
interface GigabitEthernet0/0.28
ip pim sparse-mode
!
interface GigabitEthernet0/0.78
ip pim sparse-mode
!
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0

Verification:


6.2 Configure RP PIM V2 in AS 278 and AS 69.


R2, R7 and R8 are in the same multicast domain and use the R8 Loopback0 address as
the PIMv2 RP.
R6 and R9 are in the same multicast domain and use the R6 Loopback0 address as RP and BSR.
Make sure RP information should cross the AS boundaries.
R7 lo0 joins group 239.255.7.7 and all devices in AS 278 should reach this
group.
R6
interface Loopback0
ip pim sparse-mode
!
interface f0/0.26
ip pim sparse-mode
!
interface f0/0.69
ip pim sparse-mode
!
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0

R9
interface Loopback0
ip pim sparse-mode
!
interface f0/0.69
ip pim sparse-mode

Verification:

6.3 Inter-AS Multicast


Configure MSDP between AS 278 and AS 69 on R8 and R6.
Both RPs should be able to inform each other if any multicast source becomes
active in their Domain.
Make sure R6 and R9 can ping the Multicast group 239.255.7.7.
R6
ip msdp peer 5.5.8.8 connect-source Loopback0 remote-as 278
!
interface FastEthernet0/0.26
ip pim bsr-border
R2
interface GigabitEthernet0/0.26
ip pim bsr-border
R8
ip msdp peer 5.5.6.6 connect-source Loopback0 remote-as 69
Verification:


6.4 Multicast VPN


Configure Multicast Routing in Customer ABC-Site-1
Configure PIM SM on the interfaces shown below:
Device   Interface
R3       Loopback0, FastEthernet0/0.34
R4       Loopback0, FastEthernet0/0.34, FastEthernet0/0.44, Serial1/0.1, Serial1/0.2
R7       Loopback1, Serial1/0
R8       Loopback, Serial1/0

6.5 Configure R4 Loopback0 as RP BSR for ABC Site-1.


R3 f0/0.34 joins multicast group 239.255.3.3; make sure all devices in ABC
Site-1 are able to ping this group.
R4
int lo0
ip pim sparse-mode
!
int s1/0.1
ip pim sparse-mode
!
int s1/0.2
ip pim sparse-mode
!
int f0/0.34
ip pim sparse-mode
!
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0
R3
int lo0
ip pim sparse-mode
ip igmp join-group 239.255.3.3
!
int f0/0.34
ip pim sparse-mode
Verification:


6.6 Enable PIM SM in ABC Site-2 as per the table below:

Device   Interface
R1       Loopback0, FastEthernet0/0.11, FastEthernet0/0.12
R2       Loopback1, GigabitEthernet0/0.12
R1
int lo0
ip pim sparse-mode
!
int f0/0.12
ip pim sparse-mode
R2
ip multicast-routing vrf ABC
interface GigabitEthernet0/0.12
ip pim sparse-mode
!
int lo1
ip pim sparse-mode
!
interface GigabitEthernet0/0.13
ip pim sparse-mode

Verification:

6.7 Configure AS 278 to support Multicast services between ABC Site-1 and ABC
Site-2.
Make sure R1 can get RP information and ping multicast group 239.255.3.3.
R2
ip vrf ABC
mdt default 238.0.0.1
R7
ip multicast-routing vrf ABC
interface s1/0
ip pim sparse-mode
!
int lo1
ip pim sparse-mode
!
ip vrf ABC
mdt default 238.0.0.1
R8
ip multicast-routing vrf ABC
interface s1/0
ip pim sparse-mode
!
int lo1
ip pim sparse-mode
!
ip vrf ABC
mdt default 238.0.0.1

Verification:

Section 7 SP Security, QOS and Management


7.1 Secure EIGRP peering between ABC Site-3 R5 and AS 69 R9 with message digest.
R5
key chain Cisco
key 1
key-string Cisco
int f0/0.59
ip authen mode eigrp 100 md5
ip authen key-chain eigrp 100 Cisco
R9
key chain Cisco
key 1
key-string Cisco
int f0/0.59
ip authen mode eigrp 100 md5
ip authen key-chain eigrp 100 Cisco

Verification:

7.2 To secure the LDP session between R5 and R9, configure MD5 authentication
between both LDP neighbors.
R5
mpls ldp neighbor 172.5.59.9 password cisco
R9
mpls ldp neighbor vrf ABC 172.5.5.5 password cisco
interface FastEthernet0/0.59
mpls ldp discovery transport-address interface
Verification:

7.3 Protect AS 69 from spoofing attacks using the uRPF feature, and make
sure this doesn't interfere with AS 278 access to AS 69.
access-list 101 permit ip host 5.5.2.2 5.5.0.0 0.0.255.255
access-list 101 permit ip host 5.5.7.7 5.5.0.0 0.0.255.255
access-list 101 permit ip host 5.5.8.8 5.5.0.0 0.0.255.255
access-list 101 permit ip 5.5.27.0 0.0.0.255 5.5.0.0 0.0.255.255
access-list 101 permit ip 5.5.78.0 0.0.0.255 5.5.0.0 0.0.255.255
access-list 101 permit ip 5.5.28.0 0.0.0.255 5.5.0.0 0.0.255.255
interface FastEthernet0/0.26
ip verify unicast source reachable-via any 101
!
interface FastEthernet0/0.68
ip verify unicast source reachable-via any 101
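
The per-packet decision made by `ip verify unicast source reachable-via any 101`, modelled in Python as an added example (not part of the workbook): the ACL is consulted only when the loose uRPF lookup fails. The FIB contents and the sample packets are constructed assumptions; ACL 101 is taken from the configuration above.

```python
import ipaddress

# ACL 101 exactly as on the page, with wildcard masks written as prefixes
# (host = /32, 0.0.0.255 = /24, 0.0.255.255 = /16): (source, destination).
ACL_101 = [
    ("5.5.2.2/32", "5.5.0.0/16"),
    ("5.5.7.7/32", "5.5.0.0/16"),
    ("5.5.8.8/32", "5.5.0.0/16"),
    ("5.5.27.0/24", "5.5.0.0/16"),
    ("5.5.78.0/24", "5.5.0.0/16"),
    ("5.5.28.0/24", "5.5.0.0/16"),
]

# Constructed FIB for the AS 69 router (assumption): only AS 69 prefixes,
# no default route and no routes towards AS 278.
FIB = ["5.5.6.6/32", "5.5.9.9/32", "5.5.69.0/24", "5.5.26.0/24"]


def source_reachable(src, fib):
    """Loose mode (reachable-via any): any non-default FIB entry covering src."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in map(ipaddress.ip_network, fib)
               if net.prefixlen > 0)


def acl_permits(src, dst, acl):
    """First-match extended ACL lookup; falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return True
    return False


def urpf_verdict(src, dst, fib=FIB, acl=ACL_101):
    """The ACL is consulted only for packets that fail the uRPF lookup."""
    if source_reachable(src, fib):
        return "forward: source in FIB"
    if acl_permits(src, dst, acl):
        return "forward: uRPF failed, permitted by ACL 101"
    return "drop: uRPF failed, denied by ACL 101"


# Constructed sample packets (source, destination) arriving on Fa0/0.26.
SAMPLES = [("5.5.9.9", "5.5.6.6"), ("5.5.7.7", "5.5.9.9"),
           ("5.5.27.2", "5.5.6.6"), ("10.1.1.1", "5.5.9.9"),
           ("5.5.7.7", "172.5.59.5")]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src:>10} -> {dst:<11} {urpf_verdict(src, dst)}")
```

The first sample shows the limit of loose mode: a source that exists anywhere in the FIB passes the check regardless of the interface it arrives on.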

Verification:

7.4 Configure R7 and R8 so that AS 278 and AS 69 have IP Precedence 5 for all
L2TPv3 Packets.

R7
pseudowire-class L2TPV3
ip tos value 160
R9
pseudowire-class L2TPV3
ip tos value 160
Verification:

7.5 NTP
Configure R9 as a stratum 6 NTP Server.
Enable NTP service in AS 278 to get time from R9 in AS 69.
Ensure clock of R2, R7 and R8 is synchronized from R9.
ABC Site-1 devices R3 and R4 should get their clock synchronized with R8; R8
will be acting as time source for them.
Note: this doesn't work in Dynamips but will work smoothly in the Lab.
R9
clock timezone GMT 5 30
ntp master 6
ntp source lo0
R2
clock timezone GMT 5 30
ntp server 5.5.9.9 prefer
ntp peer 5.5.8.8
ntp peer 5.5.7.7
ntp source lo0
R7
clock timezone GMT 5 30
ntp server 5.5.9.9 prefer
ntp peer 5.5.8.8
ntp peer 5.5.2.2
ntp source lo0
R8
clock timezone GMT 5 30
ntp peer 5.5.9.9 source lo0 prefer
ntp peer 5.5.2.2 source lo0
ntp peer 5.5.7.7 source lo0
ntp peer vrf ABC 172.4.3.3
ntp peer vrf ABC 172.4.4.4
R4
clock timezone GMT 5 30
ntp server 172.5.8.8 prefer
ntp peer 172.5.3.3
ntp source lo0
R3
clock timezone GMT 5 30
ntp server 172.5.8.8 prefer
ntp peer 172.5.4.4
ntp source lo0
