CCIE Security V4 Lab Workbook SAMPLE Sample

Advanced CCIE Routing & Switching v5.0
www.MicronicsTraining.com
Narbik Kocharians, CCSI, CCIE #12410 R&S, Security, SP

VOL-II CCIE R&S by Narbik Kocharians

Advanced CCIE R&S Work Book v5.0 © 2015 Narbik Kocharians. All rights reserved

Page 1 of 25

Table of Contents

Subject                                                        Page

BGP
Lab 1   Establishing Neighbor Adjacency                          5
Lab 2   Route Reflectors                                        22
Lab 3   Conditional Advertisement and BGP Backdoors             40
Lab 4   Route Dampening                                         60
Lab 5   BGP Aggregation                                         69
Lab 6   The Community Attribute                                 81
Lab 7   BGP Cost Community                                      98
Lab 8   BGP Load Balancing                                     107
Lab 9   Local Preference - I                                   124
Lab 10  Local Preference - II                                  134
Lab 11  The AS-Path Attribute                                  141
Lab 12  The Weight Attribute                                   149
Lab 13  Multi Exit Discriminator Attribute                     158
Lab 14  BGP Filtering                                          175
Lab 15  Administrative Distance                                219
Lab 16  Advanced BGP Configuration                             227
Lab 17  BGP Confederation                                      239
Lab 18  BGP Hiding Local AS Number                             251
Lab 19  BGP Allow-AS                                           259
Lab 20  BGP Automatic-Tag, and AS-Path tag & Table-map         264
Lab 21  4 Byte AS Numbers                                      271

MPLS & L3VPNs
Lab 1   Configuring LDP                                        279
Lab 2   Static & RIPv2 Routing in a VPN                        333
Lab 3   EIGRP Routing in a VPN                                 364
Lab 4   EIGRP Site-Of-Origin                                   386
Lab 5   OSPF Routing in a VPN                                  407
Lab 6   Back door links and OSPF                               430
Lab 7   BGP Routing in a VPN                                   451
Lab 8   MPLS and NAT                                           463
Lab 9   Route-Targets, Import maps and Export maps             475
Lab 10  Internet Access Method, Partial Internet Routes        503

IP Multicasting
Lab 1   Configuring IGMP                                       524
Lab 2   Dense Mode                                             543
Lab 3   Static RP                                              560
Lab 4   Auto-RP                                                578
Lab 5   Auto-RP Filtering & Listener                           599
Lab 6   Configuring BSR                                        618
Lab 7   Configuring MSDP                                       630
Lab 8   Anycast-RP                                             648
Lab 9   Configuring SSM                                        657
Lab 10  Helper-map                                             667

Lab 3 - EIGRP Routing in a VPN

Topology (figure in the original; recovered from the diagram labels):

  R1 (Lo0 1.1.1.1/24)  S1/2 ---- 12.1.1.0/24 ---- S1/1  R2 (PE-2, Lo0 10.1.1.2/32)
  R2 (PE-2)            S1/3 ---- 23.1.1.0/24 ---- S1/2  R3 (P-3,  Lo0 10.1.1.3/32)
  R3 (P-3)             F0/0 ---- 37.1.1.0/24 ---- G0/0  R7 (PE-7, Lo0 10.1.1.7/32)
  R7 (PE-7)         G0/1.74 ---- 47.1.1.0/24 ---- F0/1  R4 (Lo0 4.4.4.4/24)
  R7 (PE-7)         G0/1.78 ---- 78.1.1.0/24 ---- G0/1  R8 (Lo0 8.8.8.8/24)

Lab Setup: To copy and paste the initial configurations, go to the “Advanced-init” folder, then the “MPLS” folder, then “Lab-3”.

Task 1
Configure OSPF on the core MPLS routers R2 (PE-2), R3 (P-3) and R7 (PE-7). You should run OSPF area 0 on the F0/0 interface of R3, the G0/0 interface of R7, the S1/3 interface of R2, the S1/2 interface of R3, and the loopback interfaces of these three routers.


On R2:
R2(config)#router ospf 1
R2(config-router)#netw 23.1.1.2 0.0.0.0 area 0
R2(config-router)#netw 10.1.1.2 0.0.0.0 area 0

On R3:
R3(config)#router ospf 1
R3(config-router)#netw 23.1.1.3 0.0.0.0 area 0
R3(config-router)#netw 37.1.1.3 0.0.0.0 area 0
R3(config-router)#netw 10.1.1.3 0.0.0.0 area 0

You should see the following console message:
%OSPF-5-ADJCHG: Process 1, Nbr 10.1.1.2 on Serial1/2 from LOADING to FULL, Loading Done

On R7:
R7(config)#router ospf 1
R7(config-router)#netw 10.1.1.7 0.0.0.0 area 0
R7(config-router)#netw 37.1.1.7 0.0.0.0 area 0

You should see the following console message:
%OSPF-5-ADJCHG: Process 1, Nbr 10.1.1.3 on GigabitEthernet0/0 from LOADING to FULL, Loading Done

To verify the configuration:

On R2:
R2#Show ip route ospf | inc O
Gateway of last resort is not set
      10.0.0.0/32 is subnetted, 3 subnets
O        10.1.1.3 [110/65] via 23.1.1.3, 00:01:48, Serial1/3
O        10.1.1.7 [110/66] via 23.1.1.3, 00:00:44, Serial1/3
      37.0.0.0/24 is subnetted, 1 subnets
O        37.1.1.0 [110/65] via 23.1.1.3, 00:01:58, Serial1/3

On R3:
R3#Show ip route ospf | inc O
Gateway of last resort is not set
      10.0.0.0/32 is subnetted, 3 subnets
O        10.1.1.2 [110/65] via 23.1.1.2, 00:02:57, Serial1/2
O        10.1.1.7 [110/2] via 37.1.1.7, 00:01:40, FastEthernet0/0

On R7:
R7#Show ip route ospf | inc O
Gateway of last resort is not set
      10.0.0.0/32 is subnetted, 3 subnets
O        10.1.1.2 [110/66] via 37.1.1.3, 00:03:02, GigabitEthernet0/0
O        10.1.1.3 [110/2] via 37.1.1.3, 00:03:02, GigabitEthernet0/0
      23.0.0.0/24 is subnetted, 1 subnets
O        23.1.1.0 [110/65] via 37.1.1.3, 00:03:02, GigabitEthernet0/0

Task 2
Configure LDP between the core routers. These routers should use their loopback 0 interfaces as their LDP router ID; the core MPLS routers (R2, R3 and R7) should use the following label ranges:

R2 – 200 – 299
R3 – 300 – 399
R7 – 700 – 799

On R2:
R2(config)#mpls label protocol ldp
R2(config)#mpls ldp router-id lo0 force
R2(config)#mpls label range 200 299
R2(config)#int S1/3
R2(config-if)#mpls ip

On R3:
R3(config)#mpls label protocol ldp
R3(config)#mpls ldp router-id lo0 force
R3(config)#mpls label range 300 399
R3(config)#int S1/2
R3(config-if)#mpls ip
R3(config)#int f0/0
R3(config-if)#mpls ip

You should see the following console message:
%LDP-5-NBRCHG: LDP Neighbor 10.1.1.2:0 (1) is UP

On R7:
R7(config)#mpls label protocol ldp
R7(config)#mpls ldp router-id lo0 force
R7(config)#mpls label range 700 799
R7(config)#int G0/0
R7(config-if)#mpls ip

You should see the following console message:
%LDP-5-NBRCHG: LDP Neighbor 10.1.1.3:0 (1) is UP

To verify the configuration:

On R7:
R7#Show mpls ldp neighbor
    Peer LDP Ident: 10.1.1.3:0; Local LDP Ident 10.1.1.7:0
        TCP connection: 10.1.1.3.646 - 10.1.1.7.57438
        State: Oper; Msgs sent/rcvd: 10/8; Downstream
        Up time: 00:00:45
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 37.1.1.3
        Addresses bound to peer LDP Ident:
          37.1.1.3        23.1.1.3        10.1.1.3

R7#Show mpls ldp discovery
 Local LDP Identifier:
    10.1.1.7:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet0/0 (ldp): xmit/recv
            LDP Id: 10.1.1.3:0

On R2:
R2#Show mpls ldp neighbor
    Peer LDP Ident: 10.1.1.3:0; Local LDP Ident 10.1.1.2:0
        TCP connection: 10.1.1.3.24099 - 10.1.1.2.646
        State: Oper; Msgs sent/rcvd: 14/13; Downstream
        Up time: 00:04:45
        LDP discovery sources:
          Serial1/3, Src IP addr: 23.1.1.3
        Addresses bound to peer LDP Ident:
          37.1.1.3        23.1.1.3        10.1.1.3

R2#Show mpls ldp discovery
 Local LDP Identifier:
    10.1.1.2:0
    Discovery Sources:
    Interfaces:
        Serial1/3 (ldp): xmit/recv
            LDP Id: 10.1.1.3:0

On R3:
R3#Show mpls ldp neighbor
    Peer LDP Ident: 10.1.1.2:0; Local LDP Ident 10.1.1.3:0
        TCP connection: 10.1.1.2.646 - 10.1.1.3.24099
        State: Oper; Msgs sent/rcvd: 14/14; Downstream
        Up time: 00:05:17
        LDP discovery sources:
          Serial1/2, Src IP addr: 23.1.1.2
        Addresses bound to peer LDP Ident:
          12.1.1.1        23.1.1.2        10.1.1.2
    Peer LDP Ident: 10.1.1.7:0; Local LDP Ident 10.1.1.3:0
        TCP connection: 10.1.1.7.57438 - 10.1.1.3.646
        State: Oper; Msgs sent/rcvd: 10/12; Downstream
        Up time: 00:01:48
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 37.1.1.7
        Addresses bound to peer LDP Ident:
          37.1.1.7        47.1.1.7        78.1.1.7        10.1.1.7

R3#Show mpls ldp discovery
 Local LDP Identifier:
    10.1.1.3:0
    Discovery Sources:
    Interfaces:
        FastEthernet0/0 (ldp): xmit/recv
            LDP Id: 10.1.1.7:0
        Serial1/2 (ldp): xmit/recv
            LDP Id: 10.1.1.2:0

Task 3
Configure an MP-BGP peer session for AS 100 between R2 and R7, as they represent the provider edge routers in this topology. Do not allow the BGP peers to share IPv4 routing information by default; the only BGP peering relationship should be VPNv4.

On R2:
R2(config)#router bgp 100
R2(config-router)#No bgp default ipv4-unicast
R2(config-router)#neighbor 10.1.1.7 remote-as 100
R2(config-router)#neighbor 10.1.1.7 update-source lo0
R2(config-router)#address-family vpnv4 unicast
R2(config-router-af)#neighbor 10.1.1.7 activate

On R7:
R7(config)#router bgp 100
R7(config-router)#No bgp default ipv4-unicast
R7(config-router)#neighbor 10.1.1.2 remote-as 100
R7(config-router)#neighbor 10.1.1.2 update-source lo0
R7(config-router)#address-family vpnv4 unicast
R7(config-router-af)#neighbor 10.1.1.2 activate

You should see the following console message:
%BGP-5-ADJCHANGE: neighbor 10.1.1.2 Up

To verify the configuration:

On R2:
R2#Show ip bgp VPNv4 all summary | b Neighbor
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.7        4          100       4       4        1    0    0 00:01:09        0

On R7:
R7#Show ip bgp VPNv4 all summary | b Neighbor
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.2        4          100       5       5        1    0    0 00:02:34        0

Task 4
Configure VRFs on R2 and R7 and enable VRF forwarding on the interfaces of these two routers based on the following chart:

PE    VRF    RD      RT       Interface
R2    11     1:10    1:148    S1/1
R7    44     1:40    1:148    G0/1.74
R7    88     1:80    1:148    G0/1.78

You should configure an “Address-family” when configuring VRF 88.

On R2:
R2(config)#ip vrf 11
R2(config-vrf)#rd 1:10
R2(config-vrf)#route-target both 1:148
R2(config-vrf)#int S1/1
R2(config-if)#ip vrf forwarding 11
R2(config-if)#ip addr 12.1.1.2 255.255.255.0

On R7:
R7(config)#ip vrf 44
R7(config-vrf)#rd 1:40
R7(config-vrf)#route-target both 1:148
R7(config-vrf)#int G0/1.74
R7(config-if)#ip vrf forwarding 44
R7(config-if)#ip addr 47.1.1.7 255.255.255.0

Since the task states that an “Address-family” must be configured for VRF 88, the VRF should be configured using the “VRF definition” command instead of the “IP VRF” command:

R7(config)#vrf definition 88
R7(config-vrf)#rd 1:80
R7(config-vrf)#Address-family ipv4
R7(config-vrf-af)#route-target both 1:148
R7(config)#int G0/1.78
R7(config-if)#vrf forwarding 88
R7(config-if)#ip addr 78.1.1.7 255.255.255.0

To verify the configuration:

On R2:
R2#Show ip vrf det
VRF 11 (VRF Id = 1); default RD 1:10; default VPNID
  Interfaces:
    Se1/1
VRF Table ID = 1
  Export VPN route-target communities
    RT:1:148
  Import VPN route-target communities
    RT:1:148
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

R2#Ping vrf 11 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

On R7:
R7#Show ip vrf
  Name                             Default RD            Interfaces
  44                               1:40                  Gi0/1.74
  88                               1:80                  Gi0/1.78

R7#Show vrf ipv4 det
VRF 44 (VRF Id = 1); default RD 1:40; default VPNID
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Gi0/1.74
Address family ipv4 (Table ID = 1 (0x1)):
  Flags: 0x0
  Export VPN route-target communities
    RT:1:148
  Import VPN route-target communities
    RT:1:148
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

VRF 88 (VRF Id = 2); default RD 1:80; default VPNID
  New CLI format, supports multiple address-families
  Flags: 0x180C
  Interfaces:
    Gi0/1.78
Address family ipv4 (Table ID = 2 (0x2)):
  Flags: 0x0
  Export VPN route-target communities
    RT:1:148
  Import VPN route-target communities
    RT:1:148
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

R7#Ping vrf 44 47.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 47.1.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

R7#Ping vrf 88 78.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 78.1.1.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Task 5
Configure EIGRP AS 100 between R1 and PE-2 and between PE-7 and R4, and EIGRP 78 between PE-7 and R8. The customer routers (R1, R4 and R8) should also run EIGRP on their lo0 interfaces. DO NOT configure the “Autonomous-system” command under the “Address-family” when configuring EIGRP between PE-7 and R4. You should use EIGRP named mode when configuring EIGRP on R7 and R8. Use any AS number or name on the PE routers.

To configure the CE routers:

On R1:
R1(config)#router eigrp 100
R1(config-router)#no auto-summary
R1(config-router)#network 12.1.1.1 0.0.0.0
R1(config-router)#netw 1.1.1.1 0.0.0.0

On R2:
R2(config)#router eigrp 100

NOTE: The “Autonomous-system” command is mandatory and MUST be configured, because the VRFs configured under the “Router-EIGRP 100” process do not inherit the AS number from the global EIGRP process. When configuring the “Autonomous-system” command under the “Address-family” for VRF 11, the tab key can’t be used, because in 15 code up to 15.4T this command is hidden; therefore the entire command (every letter) must be typed.

R2(config-router)#Address-family ipv4 vrf 11
R2(config-router-af)#Netw 12.1.1.2 0.0.0.0
R2(config-router-af)#Autonomous-system 100

To verify the configuration:

On R2:
R2#Show ip route vrf 11 eigrp | b Gate
Gateway of last resort is not set
      1.0.0.0/24 is subnetted, 1 subnets
D        1.1.1.0 [90/2297856] via 12.1.1.1, 00:01:38, Serial1/1

Now that this is configured properly, let’s go to R7 and configure EIGRP between PE-7 and R4. The rules of the task prohibit configuring the “Autonomous-system” command under the “Address-family”; therefore the only other choice here is to configure the autonomous-system at the end of the “Address-family ipv4 vrf 44” command itself:

On R4:
R4(config)#Router eigrp 100
R4(config-router)#Netw 4.4.4.4 0.0.0.0
R4(config-router)#Netw 47.1.1.4 0.0.0.0

On R7:
R7(config)#router eigrp 100
R7(config-router)#Address-family ipv4 vrf 44 autonomous-system 100
R7(config-router-af)#Netw 47.1.1.7 0.0.0.0

You should see the following console message:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 47.1.1.4 (GigabitEthernet0/1.74) is up: new adjacency

R7#Show ip route vrf 44 eigrp | b Gate
Gateway of last resort is not set
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/156160] via 47.1.1.4, 00:02:27, GigabitEthernet0/1.74

Let’s configure EIGRP using the named mode on the PE router (R7) and R8:

On R7:
R7(config)#Router eigrp vrf88
R7(config-router)#Address-family ipv4 vrf 88 autonomous-system 78
R7(config-router-af)#Netw 78.1.1.7 0.0.0.0

On R8:
R8(config)#Router eigrp tst
R8(config-router)#address-family ipv4 unicast autonomous-system 78
R8(config-router-af)#Netw 8.8.8.8 0.0.0.0
R8(config-router-af)#Netw 78.1.1.8 0.0.0.0

You should see the following console message:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 78: Neighbor 78.1.1.7 (GigabitEthernet0/1) is up: new adjacency

To test the configuration:

On R7:
R7#Show ip route vrf 88 eigrp | b Gate
Gateway of last resort is not set
      8.0.0.0/24 is subnetted, 1 subnets
D        8.8.8.0 [90/103040] via 78.1.1.8, 00:02:57, GigabitEthernet0/1.78

Task 6 Configure the PE routers (R2 and R7) so the CE routers (R1, R4 and R8) can see EIGRP routes advertised from the other CE routers and have reachability to them.


In order to accomplish this task, we must perform mutual redistribution between the IGP that is running on the CEs and the PE router to which they are connected. This means that on R2 and R7, EIGRP AS 100 and tst (AS 78) must be redistributed into MP-BGP, and MP-BGP must be redistributed back into EIGRP so the customer routers can see each other’s routes. Let’s begin with R2:

On R2:
R2(config)#Router bgp 100
R2(config-router)#Address-family ipv4 vrf 11
R2(config-router-af)#redistribute Eigrp 100

To verify the configuration:
R2#Show ip bgp vpnv4 all | B Net
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:10 (default for vrf 11)
 *>  1.1.1.0/24       12.1.1.1           2297856         32768 ?
 *>  12.1.1.0/24      0.0.0.0                  0         32768 ?

On R7:
R7#Show ip bgp vpnv4 all | b Net
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:10
 *>i 1.1.1.0/24       10.1.1.2           2297856    100      0 ?
 *>i 12.1.1.0/24      10.1.1.2                 0    100      0 ?
Route Distinguisher: 1:40 (default for vrf 44)
 *>i 1.1.1.0/24       10.1.1.2           2297856    100      0 ?
 *>i 12.1.1.0/24      10.1.1.2                 0    100      0 ?
Route Distinguisher: 1:80 (default for vrf 88)
 *>i 1.1.1.0/24       10.1.1.2           2297856    100      0 ?
 *>i 12.1.1.0/24      10.1.1.2                 0    100      0 ?

R7(config)#Router bgp 100
R7(config-router)#address-family ipv4 vrf 44
R7(config-router-af)#Redistribute Eigrp 100
R7(config-router-af)#address-family ipv4 vrf 88
R7(config-router-af)#Redistribute Eigrp 78

To verify the configuration:

On R2:
R2#Show ip bgp vpnv4 all | B Net
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:10 (default for vrf 11)
 *>  1.1.1.0/24       12.1.1.1           2297856         32768 ?
 *>i 4.4.4.0/24       10.1.1.7            156160    100      0 ?
 *>i 8.8.8.0/24       10.1.1.7            103040    100      0 ?
 *>  12.1.1.0/24      0.0.0.0                  0         32768 ?
 *>i 47.1.1.0/24      10.1.1.7                 0    100      0 ?
 *>i 78.1.1.0/24      10.1.1.7                 0    100      0 ?
Route Distinguisher: 1:40
 *>i 4.4.4.0/24       10.1.1.7            156160    100      0 ?
 *>i 47.1.1.0/24      10.1.1.7                 0    100      0 ?
Route Distinguisher: 1:80
 *>i 8.8.8.0/24       10.1.1.7            103040    100      0 ?
 *>i 78.1.1.0/24      10.1.1.7                 0    100      0 ?

So now that the PE routers have all the routes, let’s redistribute BGP into EIGRP on R2 (PE-2) and verify the configuration on R1:

R2(config)#Router eigrp 100
R2(config-router)#address-family ipv4 vrf 11
R2(config-router-af)#redistribute bgp 100 metric 1 1 1 1 1

To verify this configuration:

On R1:
R1#Show ip route eigrp | B Gate
Gateway of last resort is not set
      4.0.0.0/24 is subnetted, 1 subnets
D        4.4.4.0 [90/2300416] via 12.1.1.2, 00:01:01, Serial1/2
      8.0.0.0/24 is subnetted, 1 subnets
D EX     8.8.8.0 [170/2560512256] via 12.1.1.2, 00:01:01, Serial1/2
      47.0.0.0/24 is subnetted, 1 subnets
D        47.1.1.0 [90/2172416] via 12.1.1.2, 00:01:01, Serial1/2
      78.0.0.0/24 is subnetted, 1 subnets
D EX     78.1.1.0 [170/2560512256] via 12.1.1.2, 00:01:01, Serial1/2

NOTE: Since R8 is configured in another AS, the routes received from that AS show up as external (EX), whereas R4’s routes show up as internal because R4 is in the same AS as R1 (AS 100).

Let’s go to R7 and redistribute BGP into EIGRP 100 and tst:

On R7:
R7(config)#Router eigrp 100
R7(config-router)#address-family ipv4 vrf 44 autonomous-system 100
R7(config-router-af)#Redistribute bgp 100 metric 1 1 1 1 1

The redistributed routes should show up in R4’s routing table; let’s verify:

To verify the configuration:

On R4:
We can see the same result on R4: the routes from R8 are external and the routes from R1 are internal.

R4#Show ip route eigrp | B Gate
Gateway of last resort is not set
      1.0.0.0/24 is subnetted, 1 subnets
D        1.1.1.0 [90/2300416] via 47.1.1.7, 00:01:16, FastEthernet0/1
      8.0.0.0/24 is subnetted, 1 subnets
D EX     8.8.8.0 [170/2560002816] via 47.1.1.7, 00:01:16, FastEthernet0/1
      12.0.0.0/24 is subnetted, 1 subnets
D        12.1.1.0 [90/2172416] via 47.1.1.7, 00:01:16, FastEthernet0/1
      78.0.0.0/24 is subnetted, 1 subnets
D EX     78.1.1.0 [170/2560002816] via 47.1.1.7, 00:01:16, FastEthernet0/1

To test the configuration:

On R4:
R4#Ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms

R4#Ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms

The last step is to perform the redistribution of BGP into “EIGRP vrf88” for VRF 88 and verify:

On R7:
R7(config)#router eigrp vrf88
R7(config-router)#address-family ipv4 vrf 88 autonomous-system 78
R7(config-router-af)#topology base
R7(config-router-af-topology)#redistr bgp 100 metric 1 1 1 1 1

To verify the configuration:

On R8:
R8#Show ip route eigrp | b Gate
Gateway of last resort is not set
R8#

There are no routes. The reason is that by default IOS uses a 64-bit metric in named mode, and when the 64-bit metric is used a seed metric of “1 1 1 1 1” cannot be used, because the resulting value is too large to fit in the routing table’s variable that represents the composite metric. There are a few ways to resolve this issue; one way is to change back to the 32-bit metric. This solution has to be implemented on both R7 and R8. Let’s test this:

On R7:
R7(config)#router eigrp vrf88
R7(config-router)#address-family ipv4 vrf 88 autonomous-system 78
R7(config-router-af)#metric version 32bit

The “metric version 32bit” command is a hidden command; therefore it must be typed out in full (the tab key can’t be used).

On R8:
R8(config)#router eigrp tst
R8(config-router)#address-family ipv4 unicast autonomous-system 78
R8(config-router-af)#metric version 32bit

Once the command is entered on both routers, we should wait for EIGRP to resync; the following console message states that the resync has occurred:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 78: Neighbor 78.1.1.7 (GigabitEthernet0/1) is resync: route configuration changed

To verify the configuration:

On R8:
NOTE: On R8 all the routes are external.

R8#Show ip route eigrp | b Gate
Gateway of last resort is not set
      1.0.0.0/24 is subnetted, 1 subnets
D EX     1.1.1.0 [170/2560002816] via 78.1.1.7, 00:08:47, GigabitEthernet0/1
      4.0.0.0/24 is subnetted, 1 subnets
D EX     4.4.4.0 [170/2560002816] via 78.1.1.7, 00:08:47, GigabitEthernet0/1
      12.0.0.0/24 is subnetted, 1 subnets
D EX     12.1.1.0 [170/2560002816] via 78.1.1.7, 00:08:47, GigabitEthernet0/1
      47.0.0.0/24 is subnetted, 1 subnets
D EX     47.1.1.0 [170/2560002816] via 78.1.1.7, 00:08:47, GigabitEthernet0/1
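To see why the “1 1 1 1 1” seed metric produces an empty table under wide metrics but works once “metric version 32bit” is in place, and to check the composite metrics that appeared on R1 and R4 above, here is an added Python model of the EIGRP metric computation. It is not part of the workbook and is not IOS code. It assumes the default K-values (K1 = K3 = 1, K2 = K4 = K5 = 0), the default named-mode RIB scale of 128, Cisco’s default interface delays (serial 20000 µs, FastEthernet 100 µs, loopback 5000 µs) and a T1 bandwidth of 1544 kbps on the serial links; those delay and bandwidth values are assumptions, not outputs from the lab.

```python
"""EIGRP composite metric, classic (32-bit) versus wide (64-bit).

Added example for this lab, not part of the workbook. Assumes default
K-values, the default named-mode RIB scale of 128 and Cisco default
interface delays (serial 20000 us, FastEthernet 100 us, loopback 5000 us).
"""
from typing import Optional

CLASSIC_SCALE = 256          # classic metric multiplier
WIDE_SCALE = 65536           # wide metric multiplier
RIB_SCALE = 128              # default "metric rib-scale" in named mode
MAX_RIB_METRIC = 2**32 - 1   # the RIB stores a 32-bit metric

# Default interface delays in tens of microseconds (classic units).
# Assumed Cisco defaults, used to reproduce the lab's routing-table values.
DELAY_SERIAL = 2000          # 20000 us
DELAY_FASTETHERNET = 10      # 100 us
DELAY_LOOPBACK = 500         # 5000 us
BW_T1_KBPS = 1544            # assumed serial link bandwidth


def classic_metric(min_bw_kbps: int, delay_tens_usec: int) -> int:
    """Classic metric with default K-values:
    256 * (10^7 / min_bandwidth + sum of delays), delay in tens of us.
    Integer division matches what IOS computes."""
    return CLASSIC_SCALE * (10**7 // min_bw_kbps + delay_tens_usec)


def wide_metric(min_bw_kbps: int, delay_tens_usec: int) -> int:
    """Wide (64-bit) metric with default K-values:
    65536 * (10^7 / min_bandwidth) + 65536 * delay in microseconds."""
    delay_usec = delay_tens_usec * 10
    return WIDE_SCALE * (10**7 // min_bw_kbps) + WIDE_SCALE * delay_usec


def rib_metric(wide: int, rib_scale: int = RIB_SCALE) -> Optional[int]:
    """Scale a wide metric down for the 32-bit RIB. Returns None when the
    scaled value still does not fit; such a route never reaches
    'show ip route', which is what R8 showed before 'metric version 32bit'."""
    scaled = wide // rib_scale
    return scaled if scaled <= MAX_RIB_METRIC else None


def redistributed_route_fits(min_bw_kbps: int, delay_tens_usec: int,
                             metric_version_32bit: bool) -> bool:
    """Would a route redistributed with this seed metric be installed by a
    neighbour running classic (32-bit) or wide (64-bit) metrics?"""
    if metric_version_32bit:
        return classic_metric(min_bw_kbps, delay_tens_usec) <= MAX_RIB_METRIC
    return rib_metric(wide_metric(min_bw_kbps, delay_tens_usec)) is not None


if __name__ == "__main__":
    # Seed metric "1 1 1 1 1" received over a serial link (R1) and over a
    # FastEthernet link (R4): the receiving interface delay is added.
    print("R1 external 8.8.8.0/24:", classic_metric(1, 1 + DELAY_SERIAL))
    print("R4 external 8.8.8.0/24:", classic_metric(1, 1 + DELAY_FASTETHERNET))
    # Internal route 4.4.4.0/24 at R1: the T1 serial is the bottleneck and
    # the delays are R4's loopback, R4's FastEthernet and R1's serial.
    print("R1 internal 4.4.4.0/24:",
          classic_metric(BW_T1_KBPS, DELAY_LOOPBACK + DELAY_FASTETHERNET + DELAY_SERIAL))
    # The same seed metric under wide metrics does not fit the RIB.
    print("wide metric, seed 1 1 1 1 1 ->", rib_metric(wide_metric(1, 1)))
    print("fits after 'metric version 32bit':", redistributed_route_fits(1, 1, True))
```

classic_metric(1, 1 + DELAY_SERIAL) gives the 2560512256 that R1 shows for the external routes, classic_metric(1, 1 + DELAY_FASTETHERNET) the 2560002816 that R4 shows, and classic_metric(BW_T1_KBPS, DELAY_LOOPBACK + DELAY_FASTETHERNET + DELAY_SERIAL) the 2300416 of R1's internal route to 4.4.4.0/24. rib_metric(wide_metric(1, 1)) returns None: a bandwidth of 1 kbps scaled by 65536 and then divided by 128 is still above 2^32 - 1, which is the empty routing table on R8.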

To test the configuration:

On R8:
R8#Ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms

R8#Ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R8#Ping 4.4.4.4 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R8#Ping 1.1.1.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms

To see the IPv4 (transport) label and the VPN label, a simple “Traceroute” can be used from one customer router to the other. This will ONLY work if TTL propagation has not been manipulated.

R8#Traceroute 1.1.1.1 source Lo0 Numeric
Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 78.1.1.7 4 msec 0 msec 0 msec
  2 37.1.1.3 [MPLS: Labels 300/203 Exp 0] 96 msec 96 msec 96 msec
  3 12.1.1.2 [MPLS: Label 203 Exp 0] 32 msec 32 msec 32 msec
  4 12.1.1.1 32 msec * 32 msec

Line 1: The output of the above traceroute shows that the next hop toward the 1.1.1.1 prefix is 78.1.1.7, which is R7. R7 receives the IP packet, consults its FIB and imposes label 203 (the “V”, or VPN, label); then it looks at its RIB and sees that it needs to send this to its BGP peer 10.1.1.2, so it adds the top label of 300 and sends the packet to R3 with the next hop IP address of 37.1.1.3.
Line 2: R3 receives a labeled packet with a top label of 300. It performs an LFIB lookup and realizes that it is the penultimate hop (PHP, penultimate hop popping) because it sees “Imp-null”, which is label number 3, as the outgoing label; therefore it pops the top label as it sends the packet toward R2.
Line 3: R2 removes the “V” label and sends the IP packet to R1 with a next hop IP address of 12.1.1.1.

To see the labels:

On R7:
R7#Show ip bgp vpnv4 vrf 88 labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:80 (88)
   1.1.1.0/24       10.1.1.2        nolabel/203
   4.4.4.0/24       47.1.1.4        nolabel/nolabel
   8.8.8.0/24       78.1.1.8        705/nolabel
   12.1.1.0/24      10.1.1.2        nolabel/204
   47.1.1.0/24      0.0.0.0         nolabel/nolabel(88)
   78.1.1.0/24      0.0.0.0         706/nolabel(88)

We can also use the following command to see the entry for the 1.1.1.0/24 prefix in the LFIB:

R7#Sh mpls forwarding-table vrf 88 1.1.1.0 24
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
None       203        1.1.1.0/24[V]    0             Gi0/0      37.1.1.3

We can clearly see that if the local router receives an IP packet (nolabel) toward the 1.1.1.0/24 network, it will attach label 203 with a next hop IP address of 10.1.1.2. But do we need a label for that destination? Let’s see:

R7#Show mpls forwarding-table 10.1.1.2 32
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
701        300        10.1.1.2/32      0             Gi0/0      37.1.1.3

The local label of 701 will not be used; it is there because of Liberal Label Retention. The outgoing label of 300 is what will be imposed as the top label for the prefix 10.1.1.2/32, and the packet will be sent to the next hop IP address of 37.1.1.3 out of the local G0/0 interface. So let’s walk through the control plane and the data plane for both labels, starting with the control plane for 10.1.1.2/32, the loopback0 interface of R2. Initially each LSR will assign a label to the 10.1.1.2/32 prefix, and each will advertise the label it originated to its LDP neighbors.

On R2:
R2#Sh mpls ldp bindings local 10.1.1.2 32
  lib entry: 10.1.1.2/32, rev 4
        local binding:  label: imp-null

We can see that R3 received the label advertisement for 10.1.1.2/32 from R2; this is label number 3, the “imp-null”. But locally R3 assigned label number 300, and it advertises this label to all its neighbors:

On R3:
R3#Sh mpls ldp bind 10.1.1.2 32
  lib entry: 10.1.1.2/32, rev 8
        local binding:  label: 300
        remote binding: lsr: 10.1.1.2:0, label: imp-null
        remote binding: lsr: 10.1.1.7:0, label: 701

To see R3’s LDP neighbors:

R3#Show mpls ldp neighbor | Inc Peer
    Peer LDP Ident: 10.1.1.2:0; Local LDP Ident 10.1.1.3:0
    Peer LDP Ident: 10.1.1.7:0; Local LDP Ident 10.1.1.3:0

As we can see, R3 has R2 (10.1.1.2) and R7 (10.1.1.7) as LDP neighbors. Does it advertise that label to R2 even though R2 was the LSR that advertised it to the local router (R3)? Let’s see:

On R2:
R2#Sh mpls ldp bindings 10.1.1.2 32
  lib entry: 10.1.1.2/32, rev 4
        local binding:  label: imp-null
        remote binding: lsr: 10.1.1.3:0, label: 300

Yes, it did. This is called “Liberal Label Retention”: the LSRs advertise the label they generate for a given prefix to all their neighbors, and each neighbor keeps every binding it receives, not only the one from its next hop. Let’s go to R7 and verify its LIB:

On R7:
R7#Show mpls ldp binding 10.1.1.2 32
  lib entry: 10.1.1.2/32, rev 8
        local binding:  label: 701
        remote binding: lsr: 10.1.1.3:0, label: 300

We can clearly see that R7 received label 300 from R3 (10.1.1.3), which means that if it ever receives a labeled packet with the top label of 701, it will swap that label for 300. But we know that this router (R7) will NOT receive such a labeled packet, because R7 is the PE and it does not have any other LDP neighbor but R3; this can be verified using the following show command:

R7#Show mpls ldp neighbor | Inc Peer
    Peer LDP Ident: 10.1.1.3:0; Local LDP Ident 10.1.1.7:0

But what if R7 receives an IP packet destined to 10.1.1.2/32? In that case R7 will consult its FIB, and CEF will impose label 300 and send it as a labeled packet. Let’s see that:

R7#Show ip cef 10.1.1.2
10.1.1.2/32
  nexthop 37.1.1.3 GigabitEthernet0/0 label 300

So if R7 needs to reach 10.1.1.2/32, it has to impose label 300 and send the packet out of its G0/0 interface. Now, let’s see what happens if the local router (R7) needs to forward toward 1.1.1.0/24:

R7#Show ip bgp vpnv4 vrf 88 1.1.1.0
BGP routing table entry for 1:80:1.1.1.0/24, version 13
Paths: (1 available, best #1, table 88)
  Not advertised to any peer
  Refresh Epoch 1
  Local, imported path from 1:10:1.1.1.0/24 (global)
    10.1.1.2 (metric 66) from 10.1.1.2 (10.1.1.2)
      Origin incomplete, metric 2297856, localpref 100, valid, internal, best
      Extended Community: RT:1:148 Cost:pre-bestpath:128:2297856 (default-2145185791)
        0x8800:32768:0 0x8801:100:640000 0x8802:65281:1657856 0x8803:65281:1500 0x8806:0:16843009
      mpls labels in/out nolabel/203
      rx pathid: 0, tx pathid: 0x0

We can see that the local router (R7) uses the next hop IP address 10.1.1.2 to reach the 1.1.1.0/24 prefix, and the second to last line shows that if the local router receives an IP packet (nolabel) it will assign label 203. So when R7 receives an IP packet for the customer’s (R1) network it imposes label 203 and routes it toward 10.1.1.2. The question is which label is used for the 10.1.1.2/32 prefix: the output of the “Show ip cef 10.1.1.2” command on R7 shows that CEF will impose label 300 and send the packet to R3 out of its G0/0 interface. When R3 receives the labeled packet, it only looks at the top label. Label 203 is the VPN label; it was generated by BGP and is advertised only to the other routers running BGP, so the core router (R3) receives a labeled packet with the top label of 300 and pops that label because it is the PHP router. R2 then receives a packet labeled 203, pops that label, and R1 gets an IP packet.
To see this you can use the following command:

R2#Show ip bgp vpnv4 vrf 11 1.1.1.0/24
BGP routing table entry for 1:10:1.1.1.0/24, version 2
Paths: (1 available, best #1, table 11)
  Advertised to update-groups:
     1
  Local
    12.1.1.1 from 0.0.0.0 (10.1.1.2)
      Origin incomplete, metric 2297856, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:148 Cost:pre-bestpath:128:2297856 (default-2145185791)
        0x8800:32768:0 0x8801:100:640000 0x8802:65281:1657856 0x8803:65281:1500 0x8806:0:16843009
      mpls labels in/out 203/nolabel
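The forwarding walk described above, from R7 through R3 to R2 and on to R1, can be checked against a small model of the tables the lab inspected. This is an added example; it is not part of the workbook and not IOS code. The label values (300, 203, 701, imp-null), the VRF names and the next-hop addresses are taken from the outputs above, while the Lsr class, the use of router names as next-hop keys, and the choose_transport_label() and forward() functions are this example’s own constructs.

```python
"""Data-plane walk of the MPLS L3VPN path R7 (PE) -> R3 (P) -> R2 (PE) -> R1.

Added example for this lab, not part of the workbook. Label values and next
hops come from the lab's show outputs; the tables and the walk are a model
of what the FIB, LFIB and VPN label table do, not IOS code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IMPLICIT_NULL = 3  # "imp-null": the upstream LSR pops instead of swapping (PHP)


@dataclass
class Lsr:
    """One label switching router with the tables the lab inspects."""
    name: str
    # Core FIB ('show ip cef'): IGP next-hop address -> (next-hop router, transport label)
    fib: Dict[str, Tuple[str, Optional[int]]] = field(default_factory=dict)
    # LFIB ('show mpls forwarding-table'): local label -> (outgoing label, next-hop router)
    lfib: Dict[int, Tuple[Optional[int], str]] = field(default_factory=dict)
    # Ingress PE: vrf -> {customer prefix: (VPN label, BGP next hop)}
    vrf_routes: Dict[str, Dict[str, Tuple[int, str]]] = field(default_factory=dict)
    # Egress PE: VPN label this PE allocated -> (vrf, customer next hop)
    vpn_labels: Dict[int, Tuple[str, str]] = field(default_factory=dict)


def choose_transport_label(remote_bindings: Dict[str, int], igp_next_hop: str) -> int:
    """Liberal label retention keeps every neighbour's binding in the LIB, but
    only the binding learned from the IGP next hop is installed in the FIB."""
    return remote_bindings[igp_next_hop]


def build_lab() -> Dict[str, Lsr]:
    """Tables for the 1.1.1.0/24 path (VRF 88 on R7 -> VRF 11 on R2)."""
    # R7's LIB for 10.1.1.2/32: local label 701 is never used; R3 advertised 300.
    r7_lib_for_r2_loopback = {"R3": 300}
    r7 = Lsr("R7")
    r7.fib["10.1.1.2"] = ("R3", choose_transport_label(r7_lib_for_r2_loopback, "R3"))
    r7.vrf_routes["88"] = {"1.1.1.0/24": (203, "10.1.1.2")}
    r3 = Lsr("R3")
    r3.lfib[300] = (IMPLICIT_NULL, "R2")     # R2 advertised imp-null: R3 is the PHP
    r2 = Lsr("R2")
    r2.vpn_labels[203] = ("11", "12.1.1.1")  # VPN label 203 -> VRF 11, CE R1
    return {"R7": r7, "R3": r3, "R2": r2}


def forward(routers: Dict[str, Lsr], ingress: str, vrf: str,
            prefix: str) -> List[Tuple[str, List[int], str]]:
    """Walk an IP packet from the ingress PE to the customer next hop.
    Returns one (router, label stack on the packet it sends, next hop) per hop."""
    pe = routers[ingress]
    vpn_label, bgp_next_hop = pe.vrf_routes[vrf][prefix]
    igp_next_hop, transport_label = pe.fib[bgp_next_hop]
    # A directly connected BGP next hop that advertised imp-null yields no
    # transport label; only the VPN label is pushed in that case.
    stack = [vpn_label] if transport_label is None else [transport_label, vpn_label]
    hops = [(pe.name, list(stack), igp_next_hop)]
    current = routers[igp_next_hop]
    while True:
        top = stack[0]
        if top in current.lfib:                   # P router: swap or pop
            out_label, next_hop = current.lfib[top]
            stack = stack[1:] if out_label == IMPLICIT_NULL else [out_label] + stack[1:]
            hops.append((current.name, list(stack), next_hop))
            current = routers[next_hop]
        elif top in current.vpn_labels:           # egress PE: VPN label -> VRF
            _vrf, ce_next_hop = current.vpn_labels[top]
            stack = stack[1:]
            hops.append((current.name, list(stack), ce_next_hop))
            return hops
        else:
            raise LookupError(f"{current.name} has no entry for label {top}")


if __name__ == "__main__":
    for router, labels, next_hop in forward(build_lab(), "R7", "88", "1.1.1.0/24"):
        print(f"{router}: sends labels {labels or 'none'} to {next_hop}")
```

forward(build_lab(), "R7", "88", "1.1.1.0/24") returns one entry per router with the label stack on the packet it sends: R7 pushes [300, 203], R3 pops the top label because R2 advertised imp-null, and R2 pops 203 and hands an unlabeled packet to R1 at 12.1.1.1, which matches “Labels 300/203” at hop 2 and “Label 203” at hop 3 of the traceroute. choose_transport_label() captures the point made from the LIB outputs: R7’s local label 701 stays in the LIB but only R3’s binding of 300 reaches the FIB.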

Task 7 Erase the startup configuration of these routers and reload them before proceeding to the next lab.
