CCNA Lab - Solution Rev1.0 Advanced MPLS I

ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I Task 15.1: ♦ Configure VPN Green site 1 such as to prevent communication to site 2. ♦ Configure VPN Green site 1 to talk to site 3. This task requires you to reconfigure VPNs to split in to multiple VPNs by using different RDs, which will allow you to control routes from one site to another. PE2 ip vrf green-site1 rd 1:1 route-target export 1:1 route-target import 1:1 ! ip vrf green-site2 rd 2:2 route-target export 2:2 route-target import 2:2 ! interface Ethernet0/0.82 description to CE8 -VLAN 82 VPN Green Site 2 encapsulation dot1Q 82 ip vrf forwarding green-site2 ip address 10.82.1.2 255.255.255.0 ip rip send version 2 ip rip receive version 2 ! interface Ethernet0/1 description to BB1-RACK1 ip vrf forwarding green-site1 ip address 10.12.1.2 255.255.255.0 ! router rip version 2 network 10.0.0.0 ! address-family ipv4 vrf green-site2 redistribute bgp 65001 metric transparent network 10.0.0.0 no auto-summary version 2 exit-address-family ! router bgp 65001 no synchronization bgp log-neighbor-changes network 22.22.22.0 mask 255.255.255.0 neighbor 10.1.1.254 remote-as 65001 1 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I neighbor 10.1.1.254 update-source Loopback0 neighbor 10.12.1.1 remote-as 57 neighbor 10.12.1.1 description Peer to BB1-AS57 neighbor 10.12.1.1 password iementor no auto-summary ! address-family vpnv4 neighbor 10.1.1.254 activate neighbor 10.1.1.254 send-community extended exit-address-family ! address-family ipv4 vrf green-site2 redistribute connected redistribute rip metric 5 no auto-summary no synchronization exit-address-family ! address-family ipv4 vrf green-site1 redistribute connected neighbor 10.12.1.1 remote-as 57 neighbor 10.12.1.1 activate no auto-summary no synchronization exit-address-family In PE4 you need to inject RD 1:1 to allow PE4 to receive routes bidirectionally from green-site1. Otherwise, you won’t be able to communicate with the two VPNs. You can import/export on greensite3, or you can use export 1:1 on green-site3 and export 3:3 on green-site1, or import/export on PE4. The solutions will work in both cases. PE4 ip vrf green-site3 rd 3:3 route-target export 3:3 route-target export 1:1 route-target import 3:3 route-target import 1:1 ! interface FastEthernet0/1.300 description to BB3 VLAN 300 encapsulation dot1Q 300 ip vrf forwarding green-site3 ip address 172.16.30.4 255.255.255.0 no snmp trap link-status ! router bgp 65001 no synchronization bgp log-neighbor-changes 2 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I redistribute connected neighbor 10.1.1.254 remote-as 65001 no auto-summary ! address-family vpnv4 neighbor 10.1.1.254 activate neighbor 10.1.1.254 send-community extended exit-address-family ! address-family ipv4 vrf green-site3 neighbor 172.16.30.3 remote-as 3 neighbor 172.16.30.3 activate no auto-summary no synchronization exit-address-family PE4-RACK1#sho ip route vrf green-site3 Gateway of last resort is 172.16.30.3 to network 0.0.0.0 B B B B B B B B B B B B B B B B C B B B B B B B B 3 153.46.0.0/16 is variably subnetted, 5 subnets, 2 masks 153.46.4.0/24 [20/2] via 172.16.30.3, 12:18:05 153.46.3.0/24 [20/2] via 172.16.30.3, 12:18:05 153.46.2.0/24 [20/2] via 172.16.30.3, 12:18:05 153.46.1.0/24 [20/2] via 172.16.30.3, 12:18:05 153.46.100.0/22 [20/2] via 172.16.30.3, 12:18:05 138.1.0.0/24 is subnetted, 1 subnets 138.1.1.0 [20/2] via 172.16.30.3, 12:18:05 18.0.0.0/24 is subnetted, 1 subnets 18.2.1.0 [200/2] via 10.1.1.2, 12:18:47 38.0.0.0/24 is subnetted, 3 subnets 38.3.1.0 [20/2] via 172.16.30.3, 12:18:06 38.2.1.0 [20/2] via 172.16.30.3, 12:18:06 38.1.1.0 [200/2] via 10.1.1.2, 12:18:48 5.0.0.0/24 is subnetted, 1 subnets 5.5.5.0 [200/2] via 10.1.1.2, 12:18:48 156.46.0.0/16 is variably subnetted, 5 subnets, 2 masks 156.46.2.0/24 [200/2] via 10.1.1.2, 12:18:48 156.46.3.0/24 [200/2] via 10.1.1.2, 12:18:48 156.46.1.0/24 [200/2] via 10.1.1.2, 12:18:48 156.46.4.0/24 [200/2] via 10.1.1.2, 12:18:48 156.46.100.0/22 [200/2] via 10.1.1.2, 12:18:48 172.16.0.0/24 is subnetted, 1 subnets 172.16.30.0 is directly connected, FastEthernet0/1.300 7.0.0.0/24 is subnetted, 1 subnets 7.7.7.0 [20/2] via 172.16.30.3, 12:18:06 213.112.68.0/24 [20/2] via 172.16.30.3, 12:18:06 8.0.0.0/24 is subnetted, 1 subnets 8.1.1.0 [200/2] via 10.1.1.2, 12:18:48 213.112.69.0/24 [20/2] via 172.16.30.3, 12:18:06 209.112.65.0/24 [200/2] via 10.1.1.2, 12:18:48 213.112.70.0/24 [20/2] via 172.16.30.3, 12:18:06 209.112.66.0/24 [200/2] via 10.1.1.2, 12:18:48 10.0.0.0/24 is subnetted, 1 subnets 10.12.1.0 [200/0] via 10.1.1.2, 12:18:48 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 B B B B B B B B B B B* | Lab15 Solutions: Advanced MPLS I 209.112.67.0/24 [200/2] via 10.1.1.2, 12:18:48 209.112.68.0/24 [200/2] via 10.1.1.2, 12:18:48 12.0.0.0/24 is subnetted, 1 subnets 12.1.1.0 [200/2] via 10.1.1.2, 12:18:48 213.112.65.0/24 [20/2] via 172.16.30.3, 12:18:06 209.112.69.0/24 [200/2] via 10.1.1.2, 12:18:48 28.0.0.0/24 is subnetted, 1 subnets 28.3.1.0 [200/2] via 10.1.1.2, 12:18:48 13.0.0.0/24 is subnetted, 1 subnets 13.1.1.0 [20/2] via 172.16.30.3, 12:18:06 213.112.66.0/24 [20/2] via 172.16.30.3, 12:18:06 209.112.70.0/24 [200/2] via 10.1.1.2, 12:18:48 213.112.67.0/24 [20/2] via 172.16.30.3, 12:18:06 0.0.0.0/0 [20/0] via 172.16.30.3, 12:18:06 BB3-RACK1#ping 5.5.5.5 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms Task 15.2: . ip vrf iementor-site1 rd 33:33 route-target export 33:33 route-target export 2:2 route-target import 33:33 route-target import 2:2 ! interface ATM1/0.100 point-to-point ip vrf forwarding iementor-site1 ip address 140.100.1.2 255.255.255.0 pvc 1/100 protocol ip 140.100.1.1 broadcast encapsulation aal5snap ! router eigrp 100 redistribute isis level-1-2 metric 1544 1000 255 255 4460 network 140.100.2.0 0.0.0.255 auto-summary ! address-family ipv4 vrf iementor-site1 redistribute bgp 65001 metric 1544 100 255 255 1500 network 140.100.1.0 0.0.0.255 no auto-summary autonomous-system 10 exit-address-family ! router bgp 65001 4 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I no synchronization bgp router-id 10.1.1.1 bgp log-neighbor-changes network 11.11.11.0 mask 255.255.255.0 network 140.100.1.0 mask 255.255.255.0 neighbor 10.1.1.254 remote-as 65001 neighbor 10.1.1.254 update-source Loopback0 neighbor 140.100.1.1 remote-as 1540 neighbor 140.100.1.1 description To BB2 neighbor 140.100.1.1 password iementor no auto-summary ! address-family vpnv4 neighbor 10.1.1.254 activate neighbor 10.1.1.254 send-community extended exit-address-family ! address-family ipv4 vrf iementor-site1 redistribute eigrp 10 metric 5 no auto-summary no synchronization exit-address-family PE1-RACK1#sho ip bgp vpnv4 vrf iementor-site1 BGP table version is 15, local router ID is 10.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Route Distinguisher: 33:33 (default for vrf iementor-site1) *> 3.3.3.0/24 140.100.1.1 5 32768 *> 8.2.1.0/24 140.100.1.1 5 32768 *>i8.8.8.0/24 10.1.1.2 5 100 0 *>i10.82.1.0/24 10.1.1.2 0 100 0 *> 18.2.2.0/24 140.100.1.1 5 32768 *> 28.3.2.0/24 140.100.1.1 5 32768 *> 140.100.1.0/24 0.0.0.0 0 32768 Path ? ? ? ? ? ? ? CE8-RACK1#sho ip route rip 18.0.0.0/24 is subnetted, 1 subnets R 18.2.2.0 [120/6] via 10.82.1.2, 00:00:00, FastEthernet0/0.82 3.0.0.0/24 is subnetted, 1 subnets R 3.3.3.0 [120/6] via 10.82.1.2, 00:00:00, FastEthernet0/0.82 140.100.0.0/24 is subnetted, 1 subnets R 140.100.1.0 [120/1] via 10.82.1.2, 00:00:00, FastEthernet0/0.82 8.0.0.0/24 is subnetted, 2 subnets R 8.2.1.0 [120/6] via 10.82.1.2, 00:00:00, FastEthernet0/0.82 28.0.0.0/24 is subnetted, 1 subnets R 28.3.2.0 [120/6] via 10.82.1.2, 00:00:00, FastEthernet0/0.82 CE8-RACK1#ping 3.3.3.3 5 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms Your goal here is to exchange routes from CE8 and BB2. Task 15.3: ♦ VPN Green Site 1 ♦ VPN Green Site 2 ♦ VPN Green Site 3 ♦ VPN Solaris Site 1 ♦ VPN Solaris Site 2 ♦ VPN IEMENTOR Site 1 ♦ VPN IEMENTOR Site 2 PE3-RACK1(config)#ip vrf mgt PE3-RACK1(config-vrf)# rd 66:66 PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target PE3-RACK1(config-vrf)# route-target export export export export export import import import import import export import 66:66 1:1 2:2 33:33 3:3 66:66 1:1 2:2 33:33 3:3 300:300 300:300 3550-CE6(config)#int fastEthernet 0/3 3550-CE6(config-if)#switchport trunk allowed vlan add 66,67 PE3-RACK1(config)#interface Ethernet0/0.66 PE3-RACK1(config-subif)# encapsulation dot1Q 66 PE3-RACK1(config-subif)# description to Manage VPN's PE3-RACK1(config-subif)# ip vrf forwarding mgt PE3-RACK1(config-subif)# ip address 192.168.1.3 255.255.255.0 PE3-RACK1(config-subif)# no snmp trap link-status PE3-RACK1(config-subif)#interface Ethernet0/0.67 PE3-RACK1(config-subif)# encapsulation dot1Q 67 6 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 PE3-RACK1(config-subif)# PE3-RACK1(config-subif)# PE3-RACK1(config-subif)# PE3-RACK1(config-subif)# | Lab15 Solutions: Advanced MPLS I description to Manage IGP Core ip address 192.168.2.3 255.255.255.0 ip router isis no snmp trap link-status PE3-RACK1(config-subif)# isis circuit-type level-1 Å For IGP to be sent to the MGT Switch 3750-M-CE4(config)#interface Vlan66 3750-M-CE4(config-if)# description Managment for VPN's 3750-M-CE4(config-if)# ip address 192.168.1.1 255.255.255.0 3750-M-CE4(config-if)#interface Vlan67 3750-M-CE4(config-if)# description to Manage IGP Routers 3750-M-CE4(config-if)# ip address 192.168.2.1 255.255.255.0 3750-M-CE4(config)#router isis 3750-M-CE4(config-router)# net 48.0000.0067.0067.00 3750-M-CE4(config-router)# is-type level-1 3750-M-CE4(config-router)# area-password iementor 3750-M-CE4(config-router)# metric-style wide 3750-M-CE4(config-router)# log-adjacency-changes all 3750-M-CE4#sho ip route isis 140.100.0.0/16 is variably subnetted, 3 subnets, 2 masks i L1 140.100.2.2/32 [115/30] via 192.168.2.3, Vlan67 i L1 140.100.2.0/24 [115/30] via 192.168.2.3, Vlan67 157.46.0.0/16 is variably subnetted, 4 subnets, 2 masks i L1 157.46.3.0/24 [115/30] via 192.168.2.3, Vlan67 i L1 157.46.2.0/24 [115/30] via 192.168.2.3, Vlan67 i L1 157.46.1.0/24 [115/30] via 192.168.2.3, Vlan67 i L1 157.46.4.0/22 [115/30] via 192.168.2.3, Vlan67 172.16.0.0/24 is subnetted, 9 subnets i ia 172.16.240.0 [115/50] via 192.168.2.3, Vlan67 i ia 172.16.222.0 [115/30] via 192.168.2.3, Vlan67 i L1 172.16.20.0 [115/30] via 192.168.2.3, Vlan67 i L1 172.16.12.0 [115/30] via 192.168.2.3, Vlan67 i L1 172.16.13.0 [115/20] via 192.168.2.3, Vlan67 i ia 172.16.123.0 [115/20] via 192.168.2.3, Vlan67 i ia 172.16.113.0 [115/40] via 192.168.2.3, Vlan67 i ia 172.16.114.0 [115/40] via 192.168.2.3, Vlan67 10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks i L1 10.1.1.2/32 [115/30] via 192.168.2.3, Vlan67 i L1 10.1.1.3/32 [115/10] via 192.168.2.3, Vlan67 i L1 10.1.1.1/32 [115/20] via 192.168.2.3, Vlan67 i ia 10.1.1.4/32 [115/50] via 192.168.2.3, Vlan67 i ia 10.1.1.100/32 [115/30] via 192.168.2.3, Vlan67 i ia 10.1.1.200/32 [115/40] via 192.168.2.3, Vlan67 i L1 10.1.1.254/32 [115/20] via 192.168.2.3, Vlan67 i L1 210.112.4.0/24 [115/30] via 192.168.2.3, Vlan67 i L1 210.112.3.0/24 [115/30] via 192.168.2.3, Vlan67 12.0.0.0/24 is subnetted, 2 subnets i L1 12.2.1.0 [115/30] via 192.168.2.3, Vlan67 i L1 210.112.2.0/24 [115/30] via 192.168.2.3, Vlan67 7 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I i L1 210.112.1.0/24 [115/30] via 192.168.2.3, Vlan67 This confirms that now 3750 can reach the IGP routers. 3750-M-CE4#ping 10.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms 3750-M-CE4(config-if)#router bgp 66 IP routing not enabled 3750-M-CE4(config)#ip routing 3750-M-CE4(config)#router bgp 66 3750-M-CE4(config-router)#neighbor 192.168.1.3 remote-as 65001 PE3-RACK1(config-router)# address-family ipv4 vrf mgt PE3-RACK1(config-router-af)# neighbor 192.168.1.1 remote-as 66 PE3-RACK1(config-router-af)# neighbor 192.168.1.1 activate PE3-RACK1(config-router-af)#redistribute connected PE3-RACK1(config-router-af)# no auto-summary PE3-RACK1(config-router-af)# no synchronization 3750-M-CE4#sho ip bgp summary Neighbor V AS MsgRcvd MsgSent 192.168.1.3 4 65001 13 5 TblVer 44 Å don’t forget! InQ OutQ Up/Down State/PfxRcd 0 0 00:01:00 43 This confirms that now 3750 can reach VPN’s routes. 3750-M-CE4#ping 3.3.3.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms 3750-M-CE4#ping 5.5.5.5 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms 3750-M-CE4(config)#interface loopback 64 3750-M-CE4(config-if)#ip address 67.67.67.67 255.255.255.0 3750-M-CE4(config-if)#ip telnet source-interface loopback 64 3750-M-CE4(config)#access-list 67 permit 67.67.67.0 0.0.0.255 log 3750-M-CE4(config)#router bgp 66 3750-M-CE4(config-router)#neighbor 192.168.1.3 distribute-list 67 out 8 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I 1d11h: %BGP-5-ADJCHANGE: neighbor 192.168.1.3 Up 1d11h: %SEC-6-IPACCESSLOGS: list 67 permitted 67.67.67.0 1 packetsho ip bgp summary Task 15.4: Configure VPN Green site 1 to send default-route to all VPN Green sites. BB1-RACK1(config-router)#router bgp 57 BB1-RACK1(config-router)#neighbor 10.12.1.2 default-originate BB1-RACK1(config-router)#redistribute static metric 2 BB1-RACK1(config)#ip route 0.0.0.0 0.0.0.0 Null0 PE2-RACK1#sho ip route vrf green-site1 | include 0.0.0.0/0 B* 0.0.0.0/0 [20/0] via 10.12.1.1, 00:01:24 This task is very tricky because it is asking to send a default route to all VPN Greens, which means that by default a default gateway is only propagated in vpn-green site1 only. In the next step we need to advertise the default route only from vpn-green 1 site to vpn-green site 2 and site 3. PE2-RACK1(config)#route-map default permit 10 PE2-RACK1(config-route-map)# match ip address 17 PE2-RACK1(config-route-map)#access-list 17 permit 0.0.0.0 log PE2-RACK1(config)#ip vrf green-site1 PE2-RACK1(config-vrf)# rd 1:1 PE2-RACK1(config-vrf)# route-target export 1:1 PE2-RACK1(config-vrf)# route-target export 2:2 PE2-RACK1(config-vrf)# route-target import 1:1 PE2-RACK1(config-vrf)#ip vrf green-site2 PE2-RACK1(config-vrf)# rd 2:2 PE2-RACK1(config-vrf)# import map default PE2-RACK1(config-vrf)# route-target export 2:2 PE2-RACK1(config-vrf)# route-target import 2:2 Routing Table: green-site2 Gateway of last resort is 10.12.1.1 to network 0.0.0.0 R C B* 8.0.0.0/24 is subnetted, 1 subnets 8.8.8.0 [120/1] via 10.82.1.1, 00:00:23, Ethernet0/0.82 10.0.0.0/24 is subnetted, 1 subnets 10.82.1.0 is directly connected, Ethernet0/0.82 0.0.0.0/0 [20/0] via 10.12.1.1 (green-site1), 00:15:39 *Mar 3 14:38:02.772: %SEC-6-IPACCESSLOGS: list 17 permitted 0.0.0.0 2 packets Task 15.5: 9 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I ♦ BB1 is sending 209.112.0.0/24 to VPN Green ♦ Configure VRF Green such that only 209.112.69.0 does not get suppressed; everything else is suppressed. This task requires denying 209.112.69.0 from being suppressed. The only show output related to this task is of the database, not the routing table. Let’s take a look at the database before the solutions are shown. PE2-RACK1(config)#router bgp 65001 PE2-RACK1(config-router)#address-family ipv4 vrf green-site1 PE2-RACK1(config-router-af)#aggregate-address 209.112.0.0 255.255.0.0 summary-only PE2-RACK1#sho ip bgp vpnv4 vrf green-site1 | include 209 *> 209.112.0.0/16 0.0.0.0 32768 s> 209.112.65.0 10.12.1.1 2 0 s> 209.112.66.0 10.12.1.1 2 0 s> 209.112.67.0 10.12.1.1 2 0 s> 209.112.68.0 10.12.1.1 2 0 s> 209.112.69.0 i 57 57 57 57 ? ? ? ? 10.12.1.1 2 0 57 ? 10.12.1.1 2 0 57 ? Å we need to exclude 69 s> 209.112.70.0 Let’s exclude 69 from the suppress table. PE2-RACK1(config)#router bgp 65001 PE2-RACK1(config-router)#address-family ipv4 vrf green-site1 PE2-RACK1(config-router-af)#redistribute connected PE2-RACK1(config-router-af)#neighbor 10.12.1.1 remote-as 57 PE2-RACK1(config-router-af)#neighbor 10.12.1.1 activate PE2-RACK1(config-router-af)#aggregate-address 209.112.0.0 255.255.0.0 suppress-map suppress69 PE2-RACK1(config)#access-list 69 deny 209.112.69.0 log PE2-RACK1(config)#access-list 69 permit any log PE2-RACK1(config)#route-map suppress69 permit 10 PE2-RACK1(config-route-map)#match ip address 69 PE2-RACK1#sho ip bgp vpnv4 vrf green-site1 | include 209 *> 209.112.0.0/16 0.0.0.0 32768 s> 209.112.65.0 10.12.1.1 2 0 s> 209.112.66.0 10.12.1.1 2 0 s> 209.112.67.0 10.12.1.1 2 0 s> 209.112.68.0 10.12.1.1 2 0 *> 209.112.69.0 10.12.1.1 2 0 s> 209.112.70.0 10.12.1.1 2 0 10 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. i 57 57 57 57 57 57 ? ? ? ? ? ? ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I Task 15.6: ♦ CORRECTION!!! BB2 is sending the 157.46.0.0 networks to VPN IEMENTOR ♦ CORRECTION!!! Summarize all BB2 networks into 157.46.0.0, while preserving AS1540 for SP1. ♦ Configure VRF IEMENTOR such that only 157.46.0.0 is injected inside the VPN. ♦ Summarization/suppressing from BB2 are not allowed. ♦ You are permitted to use one access-list only. PE1-RACK1(config)#router eigrp 100 PE1-RACK1(config-router)#address-family ipv4 vrf iementor-site1 PE1-RACK1(config-router-af)#redistribute bgp 65001 metric 1544 100 255 255 1500 route-map allow157 PE1-RACK1(config-router-af)#network 140.100.1.0 0.0.0.255 PE1-RACK1(config-router-af)#no auto-summary PE1-RACK1(config-router-af)#autonomous-system 10 PE1-RACK1(config-router-af)#exit-address-family PE1-RACK1(config-router)#router bgp 65001 PE1-RACK1(config-router)# address-family vpnv4 PE1-RACK1(config-router-af)# neighbor 10.1.1.254 activate PE1-RACK1(config-router-af)# neighbor 10.1.1.254 send-community extended PE1-RACK1(config-router-af)# exit-address-family PE1-RACK1(config-router)# address-family ipv4 vrf iementor-site1 PE1-RACK1(config-router-af)# redistribute eigrp 10 metric 5 PE1-RACK1(config-router-af)# no auto-summary PE1-RACK1(config-router-af)# no synchronization PE1-RACK1(config-router-af)# aggregate-address 157.46.0.0 255.255.0.0 as-set summary-only PE1-RACK1(config-router-af)# exit-address-family PE1-RACK1(config-router)#route-map allow157 permit 10 PE1-RACK1(config-route-map)# match ip address 157 PE1-RACK1(config)#access-list 157 permit ip 157.46.0.0 0.0.255.255 host 255.255.0.0 RR1-RACK1#sho ip bgp vpnv4 all | include 157 *>i157.46.0.0 10.1.1.1 0 100 Task 15.7: VPN Details http://www.faqs.org/rfcs/rfc2685.html PE2-RACK1(config)#ip vrf green-site1 PE2-RACK1(config-vrf)#rd 1:1 11 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. 0 ? ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I PE2-RACK1(config-vrf)#vpn id B1:6727 Task 15.8: ♦ Re-Configure PE2 BB1 VPN Green site 1 in AS57 ♦ Re-Configure PE2 CE8 VPN Green site 2 in AS57 ♦ Configure such that site 1 can communicate with site 2’s Loopbacks and vise versa. By default, this task will not work if you want to use the same AS number. BGP will reject each other’s ASs and won’t be able to propagate all routes. This task can be solved with the following steps: PE2-RACK1(config)#ip vrf green-site1 PE2-RACK1(config-vrf)# rd 1:1 PE2-RACK1(config-vrf)# vpn id B1:6727 PE2-RACK1(config-vrf)# route-target export 1:1 PE2-RACK1(config-vrf)# route-target export 2:2 PE2-RACK1(config-vrf)# route-target import 1:1 PE2-RACK1(config-vrf)#ip vrf green-site2 PE2-RACK1(config-vrf)# rd 2:2 PE2-RACK1(config-vrf)# route-target export 2:2 PE2-RACK1(config-vrf)# route-target export 1:1 PE2-RACK1(config-vrf)# route-target import 2:2 PE2-RACK1(config-vrf)#router bgp 65001 PE2-RACK1(config-router)# no synchronization PE2-RACK1(config-router)# bgp log-neighbor-changes PE2-RACK1(config-router)# network 22.22.22.0 mask 255.255.255.0 PE2-RACK1(config-router)# neighbor 10.1.1.254 remote-as 65001 PE2-RACK1(config-router)# neighbor 10.1.1.254 update-source Loopback0 PE2-RACK1(config-router)# no auto-summary PE2-RACK1(config-router)# address-family vpnv4 PE2-RACK1(config-router-af)# neighbor 10.1.1.254 activate PE2-RACK1(config-router-af)# neighbor 10.1.1.254 send-community extended PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config-router)# address-family ipv4 vrf green-site2 PE2-RACK1(config-router-af)# redistribute connected PE2-RACK1(config-router-af)# neighbor 10.82.1.1 remote-as 57 PE2-RACK1(config-router-af)# neighbor 10.82.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 as-override PE2-RACK1(config-router-af)# no auto-summary PE2-RACK1(config-router-af)# no synchronization PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config-router)# address-family ipv4 vrf green-site1 PE2-RACK1(config-router-af)# redistribute connected PE2-RACK1(config-router-af)# neighbor 10.12.1.1 remote-as 57 PE2-RACK1(config-router-af)# neighbor 10.12.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.12.1.1 as-override PE2-RACK1(config-router-af)# no auto-summary 12 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I PE2-RACK1(config-router-af)# no synchronization PE2-RACK1(config-router-af)# exit-address-family Task 15.9: ♦ RE-Configure SP1 to avoid any routing loops that can possibly come from AS82. ♦ Use all best practices to prevent routing loops on AS82 and SP1. ♦ The path should be selected and controlled by a route-map. PE2-RACK1(config)#ip vrf green PE2-RACK1(config-vrf)# rd 100:100 PE2-RACK1(config-vrf)# route-target export 100:100 PE2-RACK1(config-vrf)# route-target import 100:100 PE2-RACK1(config-vrf)#interface Ethernet0/0.82 PE2-RACK1(config-subif)# encapsulation dot1Q 82 PE2-RACK1(config-subif)# ip vrf forwarding green PE2-RACK1(config-subif)# ip address 10.82.1.2 255.255.255.0 PE2-RACK1(config-subif)#router bgp 65001 PE2-RACK1(config-router)# address-family ipv4 vrf green PE2-RACK1(config-router-af)# redistribute connected PE2-RACK1(config-router-af)# neighbor 10.82.1.1 remote-as 82 PE2-RACK1(config-router-af)# neighbor 10.82.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 as-override PE2-RACK1(config-router-af)# neighbor 10.82.1.1 route-map SOO in PE2-RACK1(config-router-af)# no auto-summary PE2-RACK1(config-router-af)# no synchronization PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config-router)#access-list 13 permit any log PE2-RACK1(config)#route-map SOO permit 10 PE2-RACK1(config-route-map)# match ip address 13 PE2-RACK1(config-route-map)# set extcommunity soo 1:13 PE3-RACK1(config)#ip vrf green PE3-RACK1(config-vrf)# rd 100:100 PE3-RACK1(config-vrf)# route-target export 100:100 PE3-RACK1(config-vrf)# route-target import 100:100 PE3-RACK1(config-vrf)#interface Ethernet0/0.23 PE3-RACK1(config-subif)# description to CE2 - VLAN 23 PE3-RACK1(config-subif)# encapsulation dot1Q 23 PE3-RACK1(config-subif)# ip vrf forwarding green PE3-RACK1(config-subif)# ip address 10.23.1.3 255.255.255.0 PE3-RACK1(config-subif)# no snmp trap link-status PE3-RACK1(config-subif)#router bgp 65001 PE3-RACK1(config-router)#address-family ipv4 vrf green PE3-RACK1(config-router-af)#redistribute connected PE3-RACK1(config-router-af)#neighbor 10.23.1.1 remote-as 82 13 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I PE3-RACK1(config-router-af)#neighbor 10.23.1.1 activate PE3-RACK1(config-router-af)#neighbor 10.23.1.1 as-override PE3-RACK1(config-router-af)#neighbor 10.23.1.1 route-map SOO in PE3-RACK1(config-router-af)#no auto-summary PE3-RACK1(config-router-af)#no synchronization PE3-RACK1(config-router-af)#exit-address-family PE3-RACK1(config-router)#route-map SOO permit 10 PE3-RACK1(config-route-map)# match ip address 13 PE3-RACK1(config-route-map)# set extcommunity soo 1:13 PE3-RACK1(config-route-map)#access-list 13 permit any log CE2-RACK1(config)#router bgp 82 CE2-RACK1(config-router)# no synchronization CE2-RACK1(config-router)# bgp log-neighbor-changes CE2-RACK1(config-router)# network 2.2.2.0 mask 255.255.255.0 CE2-RACK1(config-router)# network 10.23.1.0 mask 255.255.255.0 CE2-RACK1(config-router)# neighbor 10.1.1.8 remote-as 82 CE2-RACK1(config-router)# neighbor 10.23.1.3 remote-as 65001 CE2-RACK1(config-router)# no auto-summary CE2-RACK1# sho ip bgp Network Next Hop *> 2.2.2.0/24 0.0.0.0 *>i8.8.8.0/24 10.1.1.8 * 10.23.1.0/24 10.23.1.3 *> 0.0.0.0 *> 10.82.1.0/24 10.23.1.3 * i 10.82.1.2 Metric LocPrf Weight Path 0 32768 i 0 100 0 i 0 0 65001 ? 0 32768 i 0 65001 ? 0 100 0 65001 ? CE8-RACK1(config)#router bgp 82 CE8-RACK1(config-router)# no synchronization CE8-RACK1(config-router)# bgp log-neighbor-changes CE8-RACK1(config-router)# network 8.8.8.0 mask 255.255.255.0 CE8-RACK1(config-router)# neighbor 10.1.1.2 remote-as 82 CE8-RACK1(config-router)# neighbor 10.82.1.2 remote-as 65001 CE8-RACK1(config-router)# no auto-summary CE8-RACK1#sho ip bgp Network *>i2.2.2.0/24 *> 8.8.8.0/24 * 10.23.1.0/24 *>i i10.82.1.0/24 Next Hop 10.1.1.2 0.0.0.0 10.82.1.2 10.1.1.2 10.23.1.3 10.82.1.2 Metric LocPrf Weight Path 0 100 0 i 0 32768 i 0 65001 ? 0 100 0 i 0 100 0 65001 ? 0 0 65001 ? PE3-RACK1#sho ip bgp vpnv4 all 2.2.2.2 BGP routing table entry for 3:3:0.0.0.0/0, version 2 Paths: (1 available, best #1, no table) Flag: 0x820 Not advertised to any peer 14 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I 3 10.1.1.4 (metric 40) from 10.1.1.254 (55.55.55.55) Origin IGP, metric 0, localpref 100, valid, internal, best Extended Community: RT:1:1 RT:3:3 Originator: 44.44.44.44, Cluster list: 55.55.55.55, mpls labels in/out nolabel/39 BGP routing table entry for 66:66:0.0.0.0/0, version 32 Paths: (1 available, best #1, table mgt) Flag: 0x820 Not advertised to any peer 3, imported path from 3:3:0.0.0.0/0 10.1.1.4 (metric 40) from 10.1.1.254 (55.55.55.55) Origin IGP, metric 0, localpref 100, valid, internal, best Extended Community: RT:1:1 RT:3:3 Originator: 44.44.44.44, Cluster list: 55.55.55.55, mpls labels in/out nolabel/39 BGP routing table entry for 100:100:2.2.2.0/24, version 58 Paths: (2 available, best #1, table green) Flag: 0x820 Advertised to non peer-group peers: 10.1.1.254 82 10.23.1.1 from 10.23.1.1 (2.2.2.2) Origin IGP, metric 0, localpref 100, valid, external, best Extended Community: SoO:1:13 RT:100:100, mpls labels in/out 46/nolabel 82 10.1.1.2 (metric 20) from 10.1.1.254 (55.55.55.55) Origin IGP, metric 0, localpref 100, valid, internal Extended Community: SoO:1:13 RT:100:100 Originator: 22.22.22.22, Cluster list: 55.55.55.55, mpls labels in/out 46/39 PE3-RACK1#sho ip bgp vpnv4 all 8.8.8.8 BGP routing table entry for 3:3:0.0.0.0/0, version 2 Paths: (1 available, best #1, no table) Not advertised to any peer 3 10.1.1.4 (metric 40) from 10.1.1.254 (55.55.55.55) Origin IGP, metric 0, localpref 100, valid, internal, best Extended Community: RT:1:1 RT:3:3 Originator: 44.44.44.44, Cluster list: 55.55.55.55, mpls labels in/out nolabel/39 BGP routing table entry for 66:66:0.0.0.0/0, version 32 Paths: (1 available, best #1, table mgt) Advertised to non peer-group peers: 192.168.1.1 3, imported path from 3:3:0.0.0.0/0 10.1.1.4 (metric 40) from 10.1.1.254 (55.55.55.55) Origin IGP, metric 0, localpref 100, valid, internal, best Extended Community: RT:1:1 RT:3:3 Originator: 44.44.44.44, Cluster list: 55.55.55.55, mpls labels in/out nolabel/39 BGP routing table entry for 100:100:8.8.8.0/24, version 59 15 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I Paths: (2 available, best #1, table green) Advertised to non peer-group peers: 10.1.1.254 82 10.23.1.1 from 10.23.1.1 (2.2.2.2) Origin IGP, localpref 100, valid, external, best Extended Community: SoO:1:13 RT:100:100, mpls labels in/out 53/nolabel 82 10.1.1.2 (metric 20) from 10.1.1.254 (55.55.55.55) Origin IGP, metric 0, localpref 100, valid, internal Extended Community: SoO:1:13 RT:100:100 Originator: 22.22.22.22, Cluster list: 55.55.55.55, mpls labels in/out 53/43 Task 15.10: ♦ Re-configure VPN Green site 2 to AS8. ♦ Configure PE2 peering with VPN Green site 2 (CE8) in AS8. ♦ Configure PE2 peering with VPN Green site 1 (BB1/CE5) in AS57. ♦ Configure VPN Green site 2 to send a summary address of 8.0.0.0/8, while preserving AS Path. ♦ Configure BB1 such that the LocPrf for 8.8.8.0 is set to 200. ♦ Configure BB1 such that the LocPrf for 88.88.88.0 is set to 300. ♦ All other networks should be blocked on ♦ Verify communication from BB1 to CE8. This task has a few problems. When you summarize 8.0.0.0/8, make sure don’t forget the 8.1.1.0/24 routes coming from BB1. You would need to exclude this from the aggregate list so there is no conflict of a summary. Configure the aggregate first without excluding the 8.1.1.0 route so you can test that behavior, then follow the solution steps to resolve this problem. PE2-RACK1(config)#router bgp 65001 PE2-RACK1(config-router)# no synchronization 16 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I PE2-RACK1(config-router)# bgp log-neighbor-changes PE2-RACK1(config-router)# network 22.22.22.0 mask 255.255.255.0 PE2-RACK1(config-router)# neighbor 10.1.1.254 remote-as 65001 PE2-RACK1(config-router)# neighbor 10.1.1.254 update-source Loopback0 PE2-RACK1(config-router)# no auto-summary PE2-RACK1(config-router)# address-family vpnv4 PE2-RACK1(config-router-af)# neighbor 10.1.1.254 activate PE2-RACK1(config-router-af)# neighbor 10.1.1.254 send-community extended PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config-router)# address-family ipv4 vrf green PE2-RACK1(config-router-af)# redistribute connected PE2-RACK1(config-router-af)# neighbor 10.12.1.1 remote-as 57 PE2-RACK1(config-router-af)# neighbor 10.12.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 remote-as 8 PE2-RACK1(config-router-af)# neighbor 10.82.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 default-originate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 distribute-list 2 out PE2-RACK1(config-router-af)# no auto-summary PE2-RACK1(config-router-af)# no synchronization PE2-RACK1(config-router-af)# aggregate-address 8.0.0.0 255.0.0.0 as-set summary-only suppress-map excludebb3 PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config)#access-list 2 permit 0.0.0.0 log PE2-RACK1(config)#access-list 128 deny ip 8.1.1.0 0.0.0.255 host 255.255.255.0 log PE2-RACK1(config)#access-list 128 deny ip 8.8.8.0 0.0.0.255 host 255.255.255.0 log PE2-RACK1(config)#access-list 128 permit ip any any PE2-RACK1(config)#route-map excludebb3 permit 10 PE2-RACK1(config-route-map)# match ip address 128 PE2-RACK1#sho ip bgp vpnv4 vrf green BGP table version is 56, local router ID is 22.22.22.22 Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 100:100 (default for vrf green) *> 0.0.0.0 10.12.1.1 0 57 i *>i2.2.2.0/24 10.1.1.3 0 100 0 82 i *> 5.5.5.0/24 10.12.1.1 2 0 57 ? *> 8.0.0.0 0.0.0.0 100 32768 {57,8} ? *> 8.1.1.0/24 10.12.1.1 2 0 57 ? *> 8.8.8.0/24 10.82.1.1 0 0 8 i *> 10.12.1.0/24 0.0.0.0 0 32768 ? * 10.12.1.1 0 0 57 i *>i10.23.1.0/24 10.1.1.3 0 100 0 ? *> 10.82.1.0/24 0.0.0.0 0 32768 ? * 10.82.1.1 0 0 8 i *> 12.1.1.0/24 10.12.1.1 2 0 57 ? *> 18.2.1.0/24 10.12.1.1 2 0 57 ? *> 28.3.1.0/24 10.12.1.1 2 0 57 ? 17 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 *> *> *> *> *> *> *> *> *> *> *> *> *> 38.1.1.0/24 88.88.88.0/24 156.46.1.0/24 156.46.2.0/24 156.46.3.0/24 156.46.4.0/24 156.46.100.0/22 209.112.65.0 209.112.66.0 209.112.67.0 209.112.68.0 209.112.69.0 209.112.70.0 10.12.1.1 10.82.1.1 10.12.1.1 10.12.1.1 10.12.1.1 10.12.1.1 10.12.1.1 10.12.1.1 10.12.1.1 10.12.1.1 10.12.1.1 10.12.1.1 10.12.1.1 | Lab15 Solutions: Advanced MPLS I 2 0 2 2 2 2 2 2 2 2 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 57 ? 8 i 57 ? 57 ? 57 ? 57 ? 57 ? 57 ? 57 ? 57 ? 57 ? 57 ? 57 ? BB1-RACK1(config)#router bgp 57 BB1-RACK1(config-router)# no synchronization BB1-RACK1(config-router)# bgp log-neighbor-changes BB1-RACK1(config-router)# network 10.12.1.0 mask 255.255.255.0 BB1-RACK1(config-router)# redistribute connected metric 2 BB1-RACK1(config-router)# redistribute static metric 2 BB1-RACK1(config-router)# neighbor 10.12.1.2 remote-as 65001 BB1-RACK1(config-router)# neighbor 10.12.1.2 description to AS65001-SP1PE2 BB1-RACK1(config-router)# neighbor 10.12.1.2 default-originate BB1-RACK1(config-router)# neighbor 10.12.1.2 route-map Local_Pref in BB1-RACK1(config-router)# no auto-summary BB1-RACK1(config-router)#access-list 8 permit 8.8.8.0 log BB1-RACK1(config)#access-list 88 permit 88.88.88.0 log BB1-RACK1(config)#route-map Local_Pref permit 10 BB1-RACK1(config-route-map)# match ip address 8 BB1-RACK1(config-route-map)# set local-preference 200 BB1-RACK1(config-route-map)#route-map Local_Pref permit 20 BB1-RACK1(config-route-map)# match ip address 88 BB1-RACK1(config-route-map)# set local-preference 300 BB1-RACK1#sho ip route bg 8.0.0.0/24 is subnetted, 2 subnets B 8.8.8.0 [20/0] via 10.12.1.2, 00:47:32 88.0.0.0/24 is subnetted, 1 subnets B 88.88.88.0 [20/0] via 10.12.1.2, 00:47:32 BB1-RACK1#sho ip bgp BGP table version is 21, local router ID is 209.112.70.1 Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete *> *> *> *> 18 Network 5.5.5.0/24 8.1.1.0/24 8.8.8.0/24 10.12.1.0/24 Next Hop 0.0.0.0 0.0.0.0 10.12.1.2 0.0.0.0 Metric LocPrf Weight Path 2 32768 ? 2 32768 ? 200 0 65001 8 i 0 32768 i This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 *> *> *> *> *> *> *> *> *> *> *> *> *> *> *> 12.1.1.0/24 18.2.1.0/24 28.3.1.0/24 38.1.1.0/24 88.88.88.0/24 156.46.1.0/24 156.46.2.0/24 156.46.3.0/24 156.46.4.0/24 156.46.100.0/22 209.112.65.0 209.112.66.0 209.112.67.0 209.112.68.0 209.112.69.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 10.12.1.2 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 | Lab15 Solutions: Advanced MPLS I 2 2 2 2 300 2 2 2 2 2 2 2 2 2 2 32768 32768 32768 32768 0 32768 32768 32768 32768 32768 32768 32768 32768 32768 32768 ? ? ? ? 65001 8 i ? ? ? ? ? ? ? ? ? ? CE8-RACK1(config)#router bgp 8 CE8-RACK1(config-router)# no synchronization CE8-RACK1(config-router)# bgp log-neighbor-changes CE8-RACK1(config-router)# network 8.8.8.0 mask 255.255.255.0 CE8-RACK1(config-router)# network 10.82.1.0 mask 255.255.255.0 CE8-RACK1(config-router)# network 88.88.88.0 mask 255.255.255.0 CE8-RACK1(config-router)# neighbor 10.82.1.2 remote-as 65001 CE8-RACK1(config-router)# no auto-summary CE8-RACK1#sho ip route bg B* 0.0.0.0/0 [20/0] via 10.82.1.2, 00:27:28 CE8-RACK1#sho ip bgp BGP table version is 268, local router ID is 8.8.8.8 Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete *> *> *> *> Network 0.0.0.0 8.8.8.0/24 10.82.1.0/24 88.88.88.0/24 Next Hop 10.82.1.2 0.0.0.0 0.0.0.0 0.0.0.0 Metric LocPrf Weight 0 0 32768 0 32768 0 32768 Path 65001 i i i i BB1-RACK1#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms Task 15.11: Modifying MED’s: ♦ Configure the MED of 8.0.0.0/8 on BB1 to be 2000. 19 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I ♦ Configure the MED of 88.88.88.0/24 on BB1 to be 3000. BB1-RACK1(config)#route-map Local_Pref permit 10 BB1-RACK1(config-route-map)# match ip address 8 BB1-RACK1(config-route-map)# set local-preference 200 BB1-RACK1(config-route-map)# set metric 2000 BB1-RACK1(config-route-map)#route-map Local_Pref permit 20 BB1-RACK1(config-route-map)# match ip address 88 BB1-RACK1(config-route-map)# set metric 3000 BB1-RACK1(config-route-map)# set local-preference 300 BB1-RACK1(config-route-map)#router bgp 57 BB1-RACK1(config-router)# no synchronization BB1-RACK1(config-router)# bgp log-neighbor-changes BB1-RACK1(config-router)# network 10.12.1.0 mask 255.255.255.0 BB1-RACK1(config-router)# redistribute connected metric 2 BB1-RACK1(config-router)# redistribute static metric 2 BB1-RACK1(config-router)# neighbor 10.12.1.2 remote-as 65001 BB1-RACK1(config-router)# neighbor 10.12.1.2 description to AS65001-SP1PE2 BB1-RACK1(config-router)# neighbor 10.12.1.2 default-originate BB1-RACK1(config-router)# neighbor 10.12.1.2 route-map Local_Pref in BB1-RACK1(config-router)# no auto-summary BB1-RACK1#sho ip bgp BGP table version is 21, local router ID is 209.112.70.1 Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete *> *> *> *> *> *> *> *> *> *> *> *> *> *> *> *> *> Network 5.5.5.0/24 8.1.1.0/24 8.8.8.0/24 10.12.1.0/24 12.1.1.0/24 18.2.1.0/24 28.3.1.0/24 38.1.1.0/24 88.88.88.0/24 156.46.1.0/24 156.46.2.0/24 156.46.3.0/24 156.46.4.0/24 156.46.100.0/22 209.112.65.0 209.112.66.0 209.112.67.0 Next Hop 0.0.0.0 0.0.0.0 10.12.1.2 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 10.12.1.2 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Metric LocPrf Weight Path 2 32768 ? 2 32768 ? 2000 200 0 65001 8 i 0 32768 i 2 32768 ? 2 32768 ? 2 32768 ? 2 32768 ? 3000 300 0 65001 8 i 2 32768 ? 2 32768 ? 2 32768 ? 2 32768 ? 2 32768 ? 2 32768 ? 2 32768 ? 2 32768 ? Task 15.12: ♦ Configure PE2 such that you can generate a ping sourced from VPN Green to communicate with 172.16.123.2. 20 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I ♦ Configure PE2 such that BB1 can ping 172.16.123.2. VPN must remain in a VRF mode. ♦ Two static routes are allowed. Make sure to allow 172.16.123.0/24 to BB1 to test this task. Include 172.16.123.0 in your access list. BB1-RACK1(config)#access-list 8 permit 172.16.123.0 log BB1-RACK1(config)#route-map Local_Pref permit 10 BB1-RACK1(config-route-map)# match ip address 8 BB1-RACK1(config-route-map)# set metric 2000 BB1-RACK1(config-route-map)# set local-preference 200 PE2-RACK1(config)#router bgp 65001 PE2-RACK1(config-router)# no synchronization PE2-RACK1(config-router)# bgp log-neighbor-changes PE2-RACK1(config-router)# no auto-summary PE2-RACK1(config-router)# address-family ipv4 vrf green PE2-RACK1(config-router-af)# redistribute connected PE2-RACK1(config-router-af)# redistribute static metric 2 PE2-RACK1(config-router-af)# neighbor 10.12.1.1 remote-as 57 PE2-RACK1(config-router-af)# neighbor 10.12.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 remote-as 8 PE2-RACK1(config-router-af)# neighbor 10.82.1.1 activate PE2-RACK1(config-router-af)# no auto-summary PE2-RACK1(config-router-af)# no synchronization PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config-router)#ip route 10.12.1.0 255.255.255.0 Ethernet0/1 PE2-RACK1(config)#ip route vrf green 172.16.123.2 255.255.255.255 Ethernet0/0.123 172.16.123.3 PE2-RACK1#sho ip bgp vpnv4 vrf green | include 172 *> 172.16.123.0/24 172.16.123.3 2 *> 172.16.123.2/32 0.0.0.0 2 32768 ? 32768 ? BB1-RACK1#ping 172.16.123.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.123.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms 21 This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com. [...]... PE2-RACK1(config-router-af)# neighbor 10.82.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 as-override PE2-RACK1(config-router-af)# no auto-summary PE2-RACK1(config-router-af)# no synchronization PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config-router)# address-family ipv4 vrf green-site1 PE2-RACK1(config-router-af)# redistribute connected PE2-RACK1(config-router-af)# neighbor... remote-as 82 PE2-RACK1(config-router-af)# neighbor 10.82.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 as-override PE2-RACK1(config-router-af)# neighbor 10.82.1.1 route-map SOO in PE2-RACK1(config-router-af)# no auto-summary PE2-RACK1(config-router-af)# no synchronization PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config-router)#access-list 13 permit any log PE2-RACK1(config)#route-map... PE1-RACK1(config-router-af)#exit-address-family PE1-RACK1(config-router)#router bgp 65001 PE1-RACK1(config-router)# address-family vpnv4 PE1-RACK1(config-router-af)# neighbor 10.1.1.254 activate PE1-RACK1(config-router-af)# neighbor 10.1.1.254 send-community extended PE1-RACK1(config-router-af)# exit-address-family PE1-RACK1(config-router)# address-family ipv4 vrf iementor-site1 PE1-RACK1(config-router-af)# redistribute eigrp 10 metric 5... PE2-RACK1(config-router)# address-family vpnv4 PE2-RACK1(config-router-af)# neighbor 10.1.1.254 activate PE2-RACK1(config-router-af)# neighbor 10.1.1.254 send-community extended PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config-router)# address-family ipv4 vrf green-site2 PE2-RACK1(config-router-af)# redistribute connected PE2-RACK1(config-router-af)# neighbor 10.82.1.1 remote-as 57 PE2-RACK1(config-router-af)#... remote-as 57 PE2-RACK1(config-router-af)# neighbor 10.12.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.12.1.1 as-override PE2-RACK1(config-router-af)# no auto-summary 12 This product is individually licensed Copyright® 2005 ieMentor http://www.iementor.com ieMentor CCIE™ Service Provider Workbook v1.0 | Lab1 5 Solutions: Advanced MPLS I PE2-RACK1(config-router-af)# no synchronization PE2-RACK1(config-router-af)#... 13 This product is individually licensed Copyright® 2005 ieMentor http://www.iementor.com ieMentor CCIE™ Service Provider Workbook v1.0 | Lab1 5 Solutions: Advanced MPLS I PE3-RACK1(config-router-af)#neighbor 10.23.1.1 activate PE3-RACK1(config-router-af)#neighbor 10.23.1.1 as-override PE3-RACK1(config-router-af)#neighbor 10.23.1.1 route-map SOO in PE3-RACK1(config-router-af)#no auto-summary PE3-RACK1(config-router-af)#no... PE3-RACK1(config-router-af)#no synchronization PE3-RACK1(config-router-af)#exit-address-family PE3-RACK1(config-router)#route-map SOO permit 10 PE3-RACK1(config-route-map)# match ip address 13 PE3-RACK1(config-route-map)# set extcommunity soo 1:13 PE3-RACK1(config-route-map)#access-list 13 permit any log CE2-RACK1(config)#router bgp 82 CE2-RACK1(config-router)# no synchronization CE2-RACK1(config-router)#... PE2-RACK1(config-router-af)# neighbor 10.82.1.1 distribute-list 2 out PE2-RACK1(config-router-af)# no auto-summary PE2-RACK1(config-router-af)# no synchronization PE2-RACK1(config-router-af)# aggregate-address 8.0.0.0 255.0.0.0 as-set summary-only suppress-map excludebb3 PE2-RACK1(config-router-af)# exit-address-family PE2-RACK1(config)#access-list 2 permit 0.0.0.0 log PE2-RACK1(config)#access-list... PE2-RACK1(config-router)# address-family ipv4 vrf green PE2-RACK1(config-router-af)# redistribute connected PE2-RACK1(config-router-af)# neighbor 10.12.1.1 remote-as 57 PE2-RACK1(config-router-af)# neighbor 10.12.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 remote-as 8 PE2-RACK1(config-router-af)# neighbor 10.82.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 default-originate... PE2-RACK1(config-router-af)# redistribute connected PE2-RACK1(config-router-af)# redistribute static metric 2 PE2-RACK1(config-router-af)# neighbor 10.12.1.1 remote-as 57 PE2-RACK1(config-router-af)# neighbor 10.12.1.1 activate PE2-RACK1(config-router-af)# neighbor 10.82.1.1 remote-as 8 PE2-RACK1(config-router-af)# neighbor 10.82.1.1 activate PE2-RACK1(config-router-af)# no auto-summary PE2-RACK1(config-router-af)# ... product is individually licensed Copyright® 2005 ieMentor http://www.iementor.com ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I no synchronization bgp router-id... synchronization 16 This product is individually licensed Copyright® 2005 ieMentor http://www.iementor.com ieMentor CCIE™ Service Provider Workbook v1.0 | Lab15 Solutions: Advanced MPLS I PE2-RACK1(config-router)#... extended exit-address-family ! address-family ipv4 vrf iementor-site1 redistribute eigrp 10 metric no auto-summary no synchronization exit-address-family PE1-RACK1#sho ip bgp vpnv4 vrf iementor-site1