CCNA Lab - Solution Rev1.0 MPLS VPN


ieMentor CCIE™ Service Provider Workbook v1.0 | Lab14 Solutions: MPLS VPN
This product is individually licensed. Copyright® 2005 ieMentor http://www.iementor.com.

In this lab IS-IS is slightly different than in other labs so please read the questions very carefully. We are going to extend IS-IS to PE4 across ASBR1 and ASBR2. In this lab ASBRs will become the P routers.

Task 14.1:
♦ Configure IS-IS between RR1, PE1, PE2, and PE3.
♦ IS-IS AREA NET 48.0000
♦ IS-IS RR1 AREA NET 48.0000.0254.0254
♦ IS-IS Level 1 in RR1: Configure IS-IS Level 1 only for both interfaces by using a single command.
♦ RR1: Advertise VLAN20 and VLAN30, including the Loopback in Level 1.
♦ Use best practices to advertise Loopbacks under IS-IS.
♦ Configure RR1 such that all changes in IS-IS are sent to logging console
♦ PE1 IS-IS AREA NET 48.0000.0001.0001.00 Level 1
♦ PE2 IS-IS AREA NET 48.0000.0002.0002.00 Level 1
♦ CORRECTION!!! PE3 IS-IS AREA NET 48.0000.0003.0003.00 Level 1

PE1
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 description to PE3 VLAN31
 ip address 172.16.13.1 255.255.255.0
 ip router isis
 speed 100
 full-duplex
 isis circuit-type level-1
!
interface Serial0/0
 description to Inter-AS ASBR1
 encapsulation frame-relay
 no keepalive
!
interface Serial0/0.101 multipoint
 description to Inter-AS ASBR1 ISIS
 ip address 172.16.222.1 255.255.255.0
 ip router isis
 frame-relay map clns 201 broadcast
 frame-relay map ip 172.16.222.1 201 broadcast
 frame-relay map ip 172.16.222.2 201 broadcast
 no frame-relay inverse-arp
!
interface FastEthernet0/1
 description to PE2 VLAN21
 ip address 172.16.12.1 255.255.255.0
 ip router isis
 speed 100
 full-duplex
 isis circuit-type level-1
!
router isis
 net 48.0000.0001.0001.00
 log-adjacency-changes all
 passive-interface Loopback0
 maximum-paths 1

hostname PE2-RACK1
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
interface Ethernet0/0
 no ip address
 half-duplex
!
interface Ethernet0/0.20
 description to RR - VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.2 255.255.255.0
 ip router isis
 tag-switching ip
 isis circuit-type level-1
!
interface Ethernet0/0.21
 description to PE1 - VLAN 21
 encapsulation dot1Q 21
 ip address 172.16.12.2 255.255.255.0
 ip router isis
 no snmp trap link-status
 isis circuit-type level-1
!
interface Ethernet0/0.123
 description to PE3 - VLAN 123
 encapsulation dot1Q 123
 ip address 172.16.123.2 255.255.255.0
 ip router isis
!
interface Ethernet0/1
 description to BB1-RACK1
 ip address 10.12.1.2 255.255.255.0
 ip policy route-map unicast-routes
 full-duplex
!
router isis
 net 48.0000.0002.0002.00
 log-adjacency-changes all
 passive-interface Loopback0

hostname PE3-RACK1
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
!
interface Loopback33
 ip address 33.33.33.33 255.255.255.0
!
interface Ethernet0/0
 no ip address
 half-duplex
!
interface Ethernet0/0.23
 description to CE2 - VLAN 23
 encapsulation dot1Q 23
 no snmp trap link-status
!
interface Ethernet0/0.30
 description to RR - VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.3 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Ethernet0/0.31
 description to PE1 - VLAN 31
 encapsulation dot1Q 31
 ip address 172.16.13.3 255.255.255.0
 ip router isis
 isis circuit-type level-1
!
interface Ethernet0/0.123
 description to PE2 - VLAN 123
 encapsulation dot1Q 123
 ip address 172.16.123.3 255.255.255.0
 ip router isis
!
router isis
 net 48.0000.0003.0003.00
 is-type level-1
 log-adjacency-changes all
 passive-interface Loopback0

hostname RR1-RACK1
!
interface Loopback0
 ip address 10.1.1.254 255.255.255.255
!
interface Ethernet0/0
 no ip address
 full-duplex
!
interface Ethernet0/0.20
 description to PE2 -VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.254 255.255.255.0
 ip router isis
!
interface Ethernet0/0.30
 description to PE3 -VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.254 255.255.255.0
 ip router isis
!
router isis
 net 48.0000.0254.0254.00
 is-type level-1
 log-adjacency-changes all
 passive-interface Loopback0

This task is very similar to Lab 4 and Lab 5, so the solutions are not explained again here to avoid unnecessary repetition. The main focus of this task is MPLS VPN; IS-IS is just the IGP.

Task 14.2:

Task 14.3:
♦ Establish IS-IS Level 1 adjacencies on the link between PE2 and PE3 over VLAN123
♦ Use best practices to advertise Loopbacks under IS-IS.
♦ Configure PE1 Serial0/0 to ASBR1 Serial 0/2 interface with frame-relay encapsulation; make sure to use back-to-back serial.
♦ Configure PE1 as sub-interface S0/0.100 multipoint. Use the DLCI number of your choice on both routers.
♦ Configure ASBR1 Serial 0/2 interface to PE1 with encapsulation frame-relay, back-to-back.
♦ On ASBR1, configure using the physical interface instead of a sub-interface.
♦ Configure all necessary frame-relay parameters to establish basic IP connectivity from PE1 to ASBR1 such that you do not depend on Inverse ARP for frame-relay interfaces on PE1 and ASBR1.
♦ Establish Level 2 IS-IS adjacencies on the link between PE1 and ASBR1.
♦ Configure all necessary components to establish IS-IS with PE1 over a multipoint interface.
♦ Make sure you can ping PE1 Loopback0 10.1.1.1 from ASBR1.
♦ ASBR1 IS-IS AREA NET 48.0000.1001.1001.00 Level 2
♦ ASBR2 IS-IS AREA NET 48.0000.2002.2002.00 Level 2
♦ PE4 IS-IS AREA NET 48.0000.4002.4002.00 Level 2

PE4
interface Loopback0
 ip address 10.1.1.4 255.255.255.255
!
router isis
 net 48.0000.0004.0004.00
 is-type level-2-only
 log-adjacency-changes all
 passive-interface Loopback0

Select your own NET ID number for IS-IS.

ASBR2
interface Loopback0
 ip address 10.1.1.200 255.255.255.255
!
router isis
 net 48.0000.2002.2002.00
 is-type level-2-only
 log-adjacency-changes all
 passive-interface Loopback0

PE4-RACK1#sho ip route isis
     10.0.0.0/32 is subnetted, 2 subnets
i L2    10.1.1.200 [115/10] via 172.16.240.1, FastEthernet0/0

Task 14.4:
♦ Configure ASBR1 S0/0 and S0/1 and ASBR2 S0/0 and S0/1 in Level 2.

ASBR1-RACK1#sho cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
ASBR2-RACK1      Ser 0/0            135         R S        2610      Ser 0/0
ASBR2-RACK1      Ser 0/1            135         R S        2610      Ser 0/1

ASBR1-RACK1(config)#int ser 0/0
ASBR1-RACK1(config-if)#ip router isis
ASBR1-RACK1(config-if)#isis circuit-type level-2-only
ASBR1-RACK1(config-if)#int ser 0/1
ASBR1-RACK1(config-if)#ip router isis
ASBR1-RACK1(config-if)#isis circuit-type level-2-only

ASBR2-RACK1(config)#int ser 0/0
ASBR2-RACK1(config-if)#ip router isis
ASBR2-RACK1(config-if)#isis circuit-type level-2-only
ASBR2-RACK1(config-if)#int ser 0/1
ASBR2-RACK1(config-if)#ip router isis
ASBR2-RACK1(config-if)#isis circuit-type level-2-only

♦ Configure IS-IS such that traffic does not get load-balanced across the two links.
ASBR2-RACK1#sho ip route is
     3.0.0.0/24 is subnetted, 1 subnets
i L2    3.3.3.0 [115/30] via 172.16.114.1, Serial0/1
                [115/30] via 172.16.113.1, Serial0/0
     140.100.0.0/24 is subnetted, 1 subnets
i L2    140.100.2.0 [115/30] via 172.16.114.1, Serial0/1
                    [115/30] via 172.16.113.1, Serial0/0
     172.16.0.0/24 is subnetted, 8 subnets
i L2    172.16.222.0 [115/20] via 172.16.114.1, Serial0/1
                     [115/20] via 172.16.113.1, Serial0/0
i L2    172.16.30.0 [115/40] via 172.16.114.1, Serial0/1
                    [115/40] via 172.16.113.1, Serial0/0
i L2    172.16.20.0 [115/40] via 172.16.114.1, Serial0/1
                    [115/40] via 172.16.113.1, Serial0/0
i L2    172.16.12.0 [115/30] via 172.16.114.1, Serial0/1
                    [115/30] via 172.16.113.1, Serial0/0
i L2    172.16.13.0 [115/30] via 172.16.114.1, Serial0/1
                    [115/30] via 172.16.113.1, Serial0/0
     10.0.0.0/32 is subnetted, 7 subnets
i L2    10.1.1.2 [115/30] via 172.16.114.1, Serial0/1
                 [115/30] via 172.16.113.1, Serial0/0
i L2    10.1.1.3 [115/30] via 172.16.114.1, Serial0/1
                 [115/30] via 172.16.113.1, Serial0/0
i L2    10.1.1.1 [115/20] via 172.16.114.1, Serial0/1
                 [115/20] via 172.16.113.1, Serial0/0
i L2    10.1.1.4 [115/10] via 172.16.240.4, Ethernet0/0
i L2    10.1.1.100 [115/10] via 172.16.114.1, Serial0/1
                   [115/10] via 172.16.113.1, Serial0/0
i L2    10.1.1.254 [115/40] via 172.16.114.1, Serial0/1
                   [115/40] via 172.16.113.1, Serial0/0

ASBR2-RACK1(config)#router isis
ASBR2-RACK1(config-router)#maximum-paths 1

ASBR1-RACK1(config)#router isis
ASBR1-RACK1(config-router)#maximum-paths 1

ASBR1-RACK1#sho ip route isis
     3.0.0.0/24 is subnetted, 1 subnets
i L2    3.3.3.0 [115/20] via 172.16.222.1, Serial0/2
     140.100.0.0/24 is subnetted, 1 subnets
i L2    140.100.2.0 [115/20] via 172.16.222.1, Serial0/2
     172.16.0.0/24 is subnetted, 8 subnets
i L2    172.16.240.0 [115/20] via 172.16.114.2, Serial0/1
i L2    172.16.30.0 [115/30] via 172.16.222.1, Serial0/2
i L2    172.16.20.0 [115/30] via 172.16.222.1, Serial0/2
i L2    172.16.12.0 [115/20] via 172.16.222.1, Serial0/2
i L2    172.16.13.0 [115/20] via 172.16.222.1, Serial0/2
     10.0.0.0/32 is subnetted, 7 subnets
i L2    10.1.1.2 [115/20] via 172.16.222.1, Serial0/2
i L2    10.1.1.3 [115/20] via 172.16.222.1, Serial0/2
i L2    10.1.1.1 [115/10] via 172.16.222.1, Serial0/2
i L2    10.1.1.4 [115/20] via 172.16.114.2, Serial0/1
i L2    10.1.1.200 [115/10] via 172.16.114.2, Serial0/1
i L2    10.1.1.254 [115/30] via 172.16.222.1, Serial0/2

♦ Configure PE4 link to ASBR2 in IS-IS Level 2 only.
♦ Configure SP1 and SP2 to communicate and exchange IS-IS routing table.
♦ PE4 must be able to reach RR1.

PE4-RACK1#ping 10.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

Task 14.5:
♦ Configure RR1 as route-reflector for all backbone routers in AS 65001
♦ Minimize configuration commands for BGP in SP1 core
♦ Configure IPv4 session only
♦ Configure Loopbacks for all PEs as shown in table below.

Router              Interface     Address
PE1-AS65001-SP1     Loopback 11   11.11.11.11/24
PE2-AS65001-SP1     Loopback 22   22.22.22.22/24
PE3-AS65001-SP1     Loopback 33   33.33.33.33/24
PE4-AS65001-SP2     Loopback 44   44.44.44.44/24
RR1-AS65001-SP1     Loopback 55   55.55.55.55/24

♦ Advertise Loopbacks in AS65001
♦ RR1 should inject Loopback55 without using network commands. Make sure only the 55.55.55.55 Loopback gets injected.
♦ Verify that you can ping all BGP Loopbacks from RR1.
RR1-RACK1
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 172.16.20.0 mask 255.255.255.0
 network 172.16.30.0 mask 255.255.255.0
 redistribute connected metric 2 route-map allow55
 neighbor ibgp peer-group
 neighbor ibgp remote-as 65001
 neighbor ibgp update-source Loopback0
 neighbor ibgp route-reflector-client
 neighbor 10.1.1.1 peer-group ibgp
 neighbor 10.1.1.2 peer-group ibgp
 neighbor 10.1.1.3 peer-group ibgp
 no auto-summary
!
route-map allow55 permit 10
 match ip address 55
!
access-list 55 permit 55.55.55.0 0.0.0.255 log

This is the template for all PEs to peer with the Route Reflector.

router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 no auto-summary

Task 14.6:
♦ SP1 compliant with RFC-3214

This template should be applied to all SP1 routers:
PE1-RACK1(config)#mpls label protocol ldp
PE1-RACK1(config)#mpls ip
PE1-RACK1(config)#int fas 0/0
PE1-RACK1(config-if)#mpls ip

♦ SP2 compliant with RFC-2105
PE4-RACK1(config)#mpls label protocol tdp
PE4-RACK1(config)#mpls ip
PE4-RACK1(config)#int fastEthernet 0/0
PE4-RACK1(config-if)#tag-switching ip

For this task make sure that LDP is enabled on all ASBRs, otherwise the solution will not work.

♦ Configure ASBR1 and ASBR2 as P routers only.

Task 14.7:
The example below applies to all MPLS core routers:
This task works by default once TDP and LDP are configured.

Task 14.8:
Configure BB2 for legacy MPLS TCP/711 tag distribution only.

Task 14.9:

Task 14.10:

Task 14.11:

Task 14.12:
Task 14.13:
In this task make sure you redistribute IS-IS into EIGRP; otherwise the backbone routes will not match. Based on Task 14.11 this requires redistributing between IS-IS and EIGRP.

interface ATM1/0.300 tag-switching
 ip address 140.100.2.1 255.255.255.0
 mpls label protocol tdp
 tag-switching atm vp-tunnel 3 vci-range 33-65535
 tag-switching ip
!
router eigrp 100
 redistribute isis level-1-2 metric 1544 1000 255 255 4460
 network 140.100.2.0 0.0.0.255
 no auto-summary
!
router isis
 net 48.0000.0001.0001.00
 area-password iementor
 authentication mode md5 level-2
 authentication key-chain iementor level-2
 log-adjacency-changes all
 redistribute eigrp 100 metric 10 metric-type external level-1-2
 redistribute isis ip level-2 into level-1 distribute-list 100
 passive-interface Loopback0
 maximum-paths 1

BB2-RACK1#sho tag-switching interfaces
Interface          IP            Tunnel   Operational
ATM1/0.300         Yes           No       Yes (ATM tagging)

BB2-RACK1#sho tag-switching forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     3/75        10.1.1.2/32       0          AT1/0.300  point2point
18     3/76        10.1.1.3/32       0          AT1/0.300  point2point
19     3/80        10.1.1.254/32     0          AT1/0.300  point2point
23     3/78        10.1.1.100/32     0          AT1/0.300  point2point
27     3/73        172.16.113.0/24   0          AT1/0.300  point2point
28     3/74        172.16.114.0/24   0          AT1/0.300  point2point
29     3/72        172.16.240.0/24   0          AT1/0.300  point2point
30     3/79        10.1.1.200/32     0          AT1/0.300  point2point
31     3/77        10.1.1.4/32       0          AT1/0.300  point2point

BB2-RACK1#sho tag-switching atm-tdp bindings
 Destination: 140.100.2.0/24
    Tailend Router ATM1/0.300 3/33 Active, VCD=40
 Destination: 172.16.240.0/24
    Headend Router ATM1/0.300 (1 hop) 3/72 Active, VCD=79
 Destination: 172.16.113.0/24
    Headend Router ATM1/0.300 (1 hop) 3/73 Active, VCD=80
 Destination: 172.16.114.0/24
    Headend Router ATM1/0.300 (1 hop) 3/74 Active, VCD=81
 Destination: 10.1.1.2/32
    Headend Router ATM1/0.300 (1 hop) 3/75 Active, VCD=82
 Destination: 10.1.1.3/32
    Headend Router ATM1/0.300 (1 hop) 3/76 Active, VCD=83
 Destination: 10.1.1.4/32
    Headend Router ATM1/0.300 (1 hop) 3/77 Active, VCD=84
 Destination: 10.1.1.100/32
    Headend Router ATM1/0.300 (1 hop) 3/78 Active, VCD=85
 Destination: 10.1.1.200/32
    Headend Router ATM1/0.300 (1 hop) 3/79 Active, VCD=86
 Destination: 10.1.1.254/32
    Headend Router ATM1/0.300 (1 hop) 3/80 Active, VCD=87

BB2-RACK1#sho ip route eigrp
     172.16.0.0/24 is subnetted, 5 subnets
D EX    172.16.240.0 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    172.16.113.0 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    172.16.114.0 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D EX    10.1.1.2/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.3/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.4/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.100/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.200/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.254/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300

BB2
interface ATM1/0.300 tag-switching
 ip address 140.100.2.2 255.255.255.0
 tag-switching atm vp-tunnel 3 vci-range 33-65535
 tag-switching ip
!
router eigrp 100
 network 140.100.2.0 0.0.0.255     <-- Include Loopback 0 - 4
 auto-summary

VPN               ROUTING   CE
GREEN-SITE1       BGP       CE5
GREEN-SITE2       RIP       CE8
IEMENTOR-SITE1    EIGRP     CE2
IEMENTOR-SITE2    STATIC    CE1

Task 14.14:
♦ Configure BB1 in AS57.
♦ Advertise all interfaces without configuring network statements in BB1.
♦ Configure BB1 BGP session to PE2 using hash-md5.

router bgp 57
 no synchronization
 bgp log-neighbor-changes
 network 10.12.1.0 mask 255.255.255.0
 redistribute connected metric 2
 neighbor 10.12.1.2 remote-as 65001
 neighbor 10.12.1.2 description to AS65001-SP1-PE2
 neighbor 10.12.1.2 password iementor
 no auto-summary

Task 14.15:
Configure PE2 to support VPN Green site 1.
♦ Make sure VPN routes exchange is bi-directional.
♦ Configure eBGP as the routing protocol for PE-CE communication between PE2 and BB1, with BB1 in AS57.
♦ Verify if you can ping Loopbacks of BB1 from PE2.

PE2-RACK1(config-vrf)#ip vrf green
PE2-RACK1(config-vrf)# rd 100:100
PE2-RACK1(config-vrf)#route-target both 100:100

ip vrf green
 rd 100:100
 route-target export 100:100
 route-target import 100:100

PE2-RACK1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
PE2-RACK1(config-vrf)#int e 0/1
PE2-RACK1(config-if)#ip vrf forwarding green
% Policy Based Routing is NOT supported for VRF interfaces
% IP-Policy can be used ONLY for marking (set/clear DF bit) on VRF interfaces
% Interface Ethernet0/1 IP address 10.12.1.2 removed due to enabling VRF green
PE2-RACK1(config)#int e 0/1
PE2-RACK1(config-if)#ip address 10.12.1.2 255.255.255.0

PE2-RACK1#ping vrf green 10.12.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.12.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

PE2-RACK1(config)#router bgp 65001
PE2-RACK1(config-router)# address-family ipv4 vrf green
PE2-RACK1(config-router-af)# redistribute connected
PE2-RACK1(config-router-af)# neighbor 10.12.1.1 remote-as 57
PE2-RACK1(config-router-af)# neighbor 10.12.1.1 activate
PE2-RACK1(config-router-af)# no auto-summary
PE2-RACK1(config-router-af)# no synchronization
PE2-RACK1(config-router-af)# exit-address-family

PE2-RACK1#sho ip bgp vpnv4 all summary
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.12.1.1       4    57       6       5       37    0    0 00:00:43       18

PE2-RACK1#sho ip route vrf green
Routing Table: green
Gateway of last resort is not set

     18.0.0.0/24 is subnetted, 1 subnets
B       18.2.1.0 [20/2] via 10.12.1.1, 00:00:59
     38.0.0.0/24 is subnetted, 1 subnets
B       38.1.1.0 [20/2] via 10.12.1.1, 00:00:59
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 [20/2] via 10.12.1.1, 00:00:59
     156.46.0.0/16 is variably subnetted, 5 subnets, 2 masks
B       156.46.2.0/24 [20/2] via 10.12.1.1, 00:00:59
B       156.46.3.0/24 [20/2] via 10.12.1.1, 00:00:59
B       156.46.1.0/24 [20/2] via 10.12.1.1, 00:00:59
B       156.46.4.0/24 [20/2] via 10.12.1.1, 00:00:59
B       156.46.100.0/22 [20/2] via 10.12.1.1, 00:01:00
     8.0.0.0/24 is subnetted, 1 subnets
B       8.1.1.0 [20/2] via 10.12.1.1, 00:01:00
B    209.112.65.0/24 [20/2] via 10.12.1.1, 00:01:00
B    209.112.66.0/24 [20/2] via 10.12.1.1, 00:01:00
     10.0.0.0/24 is subnetted, 1 subnets
C       10.12.1.0 is directly connected, Ethernet0/1
B    209.112.67.0/24 [20/2] via 10.12.1.1, 00:01:00
B    209.112.68.0/24 [20/2] via 10.12.1.1, 00:01:00
     12.0.0.0/24 is subnetted, 1 subnets
B       12.1.1.0 [20/2] via 10.12.1.1, 00:01:00
B    209.112.69.0/24 [20/2] via 10.12.1.1, 00:01:00
     28.0.0.0/24 is subnetted, 1 subnets
B       28.3.1.0 [20/2] via 10.12.1.1, 00:01:00
B    209.112.70.0/24 [20/2] via 10.12.1.1, 00:01:00

PE2-RACK1#ping vrf green 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Task 14.16:
CE8 is required to advertise Loopback0 8.8.8.8/24 and Loopback8 88.88.88.1/30 via RIP.

CE8-RACK1(config)#router rip
CE8-RACK1(config-router)# version 2
CE8-RACK1(config-router)# network 8.0.0.0
CE8-RACK1(config-router)# network 88.0.0.0
CE8-RACK1(config-router)# network 10.0.0.0
CE8-RACK1(config-router)# no auto-summary

CE8-RACK1#sho ip rip d
8.0.0.0/8    auto-summary
8.8.8.0/24    directly connected, Loopback0
10.0.0.0/8    auto-summary
10.82.1.0/24    directly connected, FastEthernet0/0

♦ Advertise RIP routes to PE2.
♦ Configure RIP as the routing protocol for PE-CE communication between PE2 and CE8.

PE2-RACK1(config-subif)#ip vrf forwarding green
% Interface Ethernet0/0.82 IP address 10.82.1.2 removed due to enabling VRF green
PE2-RACK1(config-subif)#ip address 10.82.1.2 255.255.255.0

PE2-RACK1#sho ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Et0/1                  10.12.1.2       green                            up
Et0/0.82               10.82.1.2       green                            up

PE2-RACK1#sho ip rip database vrf green
8.0.0.0/8    auto-summary
8.8.8.0/24
    [1] via 10.82.1.1, 00:00:11, Ethernet0/0.82
10.0.0.0/8    auto-summary
10.12.1.0/24    directly connected, Ethernet0/1
10.82.1.0/24    directly connected, Ethernet0/0.82

♦ Verify if you can ping Loopbacks of VPN Green site 2 from PE2.

PE2-RACK1(config)#router rip
PE2-RACK1(config-router)# address-family ipv4 vrf green
PE2-RACK1(config-router-af)# network 10.0.0.0
PE2-RACK1(config-router-af)# no auto-summary
PE2-RACK1(config-router-af)# version 2
PE2-RACK1(config-router-af)# exit-address-family

PE2-RACK1#ping vrf green 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Task 14.17:
Site 1 should be able to communicate with site 2.
♦ Limit the amount of routes PE2 receives from site 1 to 18 without using an access-list.

CE8-RACK1#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

ip vrf green
 rd 101:101
 route-target export 101:101
 route-target import 101:101
 maximum routes 18 100 reinstall 100
!
router rip
 !
 address-family ipv4 vrf green
  redistribute bgp 65001 metric transparent
  network 10.0.0.0
  no auto-summary
  version 2
 exit-address-family
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 10.12.1.0 mask 255.255.255.0
 network 22.22.22.0 mask 255.255.255.0
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 neighbor 10.12.1.1 remote-as 57
 neighbor 10.12.1.1 description Peer to BB1-AS57
 no auto-summary
 !
 address-family ipv4 vrf green
  redistribute connected
  redistribute rip metric 10
  neighbor 10.12.1.1 remote-as 57
  neighbor 10.12.1.1 activate
  no auto-summary
  no synchronization
 exit-address-family

Task 14.18:
♦ CE1 is required to advertise Loopback0 1.1.1.1/24.
♦ Customer's remote side does not support any routing protocols, only statics.
♦ Advertise static routes to PE3 from VPN IEMENTOR site 2.
♦ Configure static routing for PE-CE communication between PE3 and CE2.
♦ Verify if you can ping Loopbacks of VPN IEMENTOR site 2 from PE3.

ip vrf iementor
 rd 200:200
 route-target export 200:200
 route-target import 200:200
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 33.33.33.0 mask 255.255.255.0
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf iementor
  redistribute connected
  redistribute static metric 2
  no auto-summary
  no synchronization
 exit-address-family

PE3-RACK1(config)#ip route vrf iementor 1.1.1.0 255.255.255.0 10.13.1.1

PE3-RACK1#ping vrf iementor 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

PE3-RACK1#sho ip bgp vpnv4 vrf iementor
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 200:200 (default for vrf iementor)
*> 1.1.1.0/24       10.13.1.1                2         32768 ?
*> 10.13.1.0/24     0.0.0.0                  0         32768 ?

Task 14.19:
♦ PE1 should receive EIGRP routes and place them in IEMENTOR VPN.
♦ Configure PE1 to accept EIGRP as PE-CE routing protocol.
♦ Verify if you can ping Loopbacks of VPN IEMENTOR site 1 from PE1.

router eigrp 100
 auto-summary
 !
 address-family ipv4 vrf iementor
  network 140.100.1.0 0.0.0.255
  no auto-summary
  autonomous-system 10
 exit-address-family

PE1-RACK1#sho ip route vrf iementor
     18.0.0.0/24 is subnetted, 1 subnets
D       18.2.2.0 [90/229888] via 140.100.1.1, 00:09:24, ATM1/0.100
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/229888] via 140.100.1.1, 00:09:24, ATM1/0.100
     140.100.0.0/24 is subnetted, 1 subnets
C       140.100.1.0 is directly connected, ATM1/0.100
     8.0.0.0/24 is subnetted, 1 subnets
D       8.2.1.0 [90/229888] via 140.100.1.1, 00:09:24, ATM1/0.100
     28.0.0.0/24 is subnetted, 1 subnets
D       28.3.2.0 [90/229888] via 140.100.1.1, 00:09:24, ATM1/0.100

PE1-RACK1#ping vrf iementor 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Task 14.20:
router bgp 65001
 bgp log-neighbor-changes
 neighbor ibgp peer-group
 neighbor ibgp remote-as 65001
 neighbor ibgp update-source Loopback0
 neighbor 10.1.1.1 peer-group ibgp
 neighbor 10.1.1.2 peer-group ibgp
 neighbor 10.1.1.3 peer-group ibgp
 neighbor 10.1.1.4 peer-group ibgp
 neighbor 10.1.1.100 peer-group ibgp
 neighbor 10.1.1.200 peer-group ibgp
 !
 address-family ipv4
  redistribute connected metric 2 route-map allow55
  neighbor ibgp route-reflector-client
  neighbor 10.1.1.1 activate
  neighbor 10.1.1.2 activate
  neighbor 10.1.1.3 activate
  neighbor 10.1.1.4 activate
  neighbor 10.1.1.100 activate
  neighbor 10.1.1.200 activate
  no auto-summary
  no synchronization
  network 172.16.20.0 mask 255.255.255.0
  network 172.16.30.0 mask 255.255.255.0
 exit-address-family
 !
 address-family vpnv4
  neighbor ibgp route-reflector-client
  neighbor ibgp send-community extended
  neighbor 10.1.1.1 activate
  neighbor 10.1.1.2 activate
  neighbor 10.1.1.3 activate
  neighbor 10.1.1.4 activate
  neighbor 10.1.1.100 activate
  neighbor 10.1.1.200 activate
 exit-address-family

VPN                   ROUTING        CE
VPN Solaris Site 1    BGP-AS2        CE2
VPN Solaris Site 2    OSPF-AREA 0    CE6

Task 14.21:
♦ Configure VPN Solaris on CE2 in AS2.
♦ On CE2, do not advertise Loopback0 2.2.2.2/24 to PE3.

CE2-RACK1(config)#router bgp 2
CE2-RACK1(config-router)# no synchronization
CE2-RACK1(config-router)# bgp log-neighbor-changes
CE2-RACK1(config-router)# network 10.23.1.0 mask 255.255.255.0
CE2-RACK1(config-router)# neighbor 10.23.1.3 remote-as 65001
CE2-RACK1(config-router)# no auto-summary

♦ Configure PE4 to accept OSPF in area 0 as PE-CE routing protocol. Ensure that PE4 receives Loopback 6.6.6.6/24.
PE4-RACK1(config)#router ospf 200 vrf solaris
*Mar 13 06:25:15.634: %OSPF-4-NORTRID: OSPF process 200 cannot start. There must be at least one "up" IP interface, for OSPF to use as router ID
PE4-RACK1(config)#interface FastEthernet0/1.600
PE4-RACK1(config-subif)#ip vrf forwarding solaris
% Interface FastEthernet0/1.600 IP address 172.16.60.4 removed due to enabling VRF iementor
PE4-RACK1(config-subif)#ip addres 172.16.60.4 255.255.255.0
PE4-RACK1(config)#router ospf 200 vrf solaris
PE4-RACK1(config-router)# log-adjacency-changes detail
PE4-RACK1(config-router)# network 172.16.60.0 0.0.0.255 area 0

♦ Verify if you can ping Loopbacks of VPN Solaris site 2 from PE4.

This task is a little tricky because by default 6.6.6.6 won't get advertised on its own, even if you configure it under router ospf.

PE4
router ospf 200 vrf solaris
 log-adjacency-changes detail
 redistribute connected subnets
 network 172.16.60.0 0.0.0.255 area 0

CE6
router ospf 200
 router-id 6.6.6.6
 log-adjacency-changes detail
 network 6.6.6.6 0.0.0.0 area 0
 network 172.16.60.0 0.0.0.255 area 0

PE4-RACK1#sho ip route vrf solaris
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.60.0 is directly connected, FastEthernet0/1.600

6.6.6.6 is missing.

PE4-RACK1#sho debugging
IP routing:
  OSPF adjacency events debugging is on
  OSPF events debugging is on
*Mar 13 07:01:16.246: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1.600 from 172.16.60.4
*Mar 13 07:01:19.870: OSPF: Rcv hello from 6.6.6.6 area 0 from FastEthernet0/1.600 172.16.60.6
*Mar 13 07:01:19.870: OSPF: End of hello processing
*Mar 13 07:01:26.246: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1.600 from 172.16.60.4
*Mar 13 07:01:29.870: OSPF: Rcv hello from 6.6.6.6 area 0 from FastEthernet0/1.600 172.16.60.6
*Mar 13 07:01:29.874: OSPF: End of hello processing
*Mar 13 07:01:36.246: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1.600 from 172.16.60.4
*Mar 13 07:01:39.870: OSPF: Rcv hello from 6.6.6.6 area 0 from FastEthernet0/1.600 172.16.60.6
*Mar 13 07:01:39.870: OSPF: End of hello processing

To resolve this issue a few important steps are required.

PE4-RACK1(config)#int fastEthernet 0/1.600
PE4-RACK1(config-subif)#ip ospf network point-to-point
*Mar 13 07:02:44.558: OSPF: Interface FastEthernet0/1.600 going Down
*Mar 13 07:02:44.562: OSPF: 172.16.60.4 address 172.16.60.4 on FastEthernet0/1.600 is dead, state DOWN
*Mar 13 07:02:44.562: OSPF: Neighbor change Event on interface FastEthernet0/1.600
*Mar 13 07:02:44.562: OSPF: DR/BDR election on FastEthernet0/1.600
*Mar 13 07:02:44.562: OSPF: Elect BDR 6.6.6.6
*Mar 13 07:02:44.562: OSPF: Elect DR 6.6.6.6
*Mar 13 07:02:44.562: OSPF: Elect BDR 6.6.6.6
*Mar 13 07:02:44.562: OSPF: Elect DR 6.6.6.6
*Mar 13 07:02:44.562:        DR: 6.6.6.6 (Id)   BDR: 6.6.6.6 (Id)
*Mar 13 07:02:44.562: OSPF: Flush network LSA immediately
*Mar 13 07:02:44.566: OSPF: Remember old DR 172.16.60.4 (id)
*Mar 13 07:02:44.566: OSPF: 6.6.6.6 address 172.16.60.6 on FastEthernet0/1.600 is dead, state DOWN
*Mar 13 07:02:44.566: %OSPF-5-ADJCHG: Process 200, Nbr 6.6.6.6 on FastEthernet0/1.600 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 13 07:02:44.5nt fastEthernet 0/1.600
*Mar 13 07:02:44.566: OSPF: DR/BDR election on FastEthernet0/1.600
*Mar 13 07:02:44.566: OSPF: Elect BDR 0.0.0.0
*Mar 13 07:02:44.566: OSPF: Elect DR 0.0.0.0
*Mar 13 07:02:44.566:        DR: none    BDR: none
*Mar 13 07:02:44.570: OSPF: Remember old DR 6.6.6.6 (id)
*Mar 13 07:02:44.570: OSPF: No enable interface to build Net Lsa for interface Unknown
*Mar 13 07:02:44.570: OSPF: Build network LSA for Unknown, router ID 172.16.60.4
*Mar 13 07:02:44.570: OSPF: Build network LSA for Unknown, router ID 172.16.60.4
*Mar 13 07:02:44.570: OSPF: Interface FastEthernet0/1.600 going Up
*Mar 13 07:02:44.570: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1.600 from 172.16.60.4
*Mar 13 07:02:45.066: OSPF: Build router LSA for area 0, router ID 172.16.60.4, seq 0x8000000A

PE4-RACK1#sho ip route vrf solaris
     6.0.0.0/24 is subnetted, 1 subnets
O       6.6.6.0 [110/2] via 172.16.60.6, 00:00:45, FastEthernet0/1.600
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.60.0 is directly connected, FastEthernet0/1.600

Also, make sure 3550-CE6 has the following configuration with point-to-point, otherwise you will experience problems advertising Loopbacks.

CE6
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
 ip ospf network point-to-point
!
interface Vlan600
 ip address 172.16.60.6 255.255.255.0
 ip ospf network point-to-point
!
router ospf 200
 router-id 6.6.6.6
 log-adjacency-changes detail
 network 6.6.6.6 0.0.0.0 area 0
 network 172.16.60.0 0.0.0.255 area 0

PE4-RACK1#ping vrf iementor 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

♦ Configure VPN Solaris on CE2 to advertise default route to the entire VPN Solaris.
♦ Configure such that CE6 can ping the CE2 Loopback without it showing up in the routing table.
♦ Only one static route is allowed on CE2. No other statics are permitted, the solution must be dynamic.
This task requires touching every router in the path from PE4 to PE3. In some cases a PE acts as a P router: between PE3 and PE4, PE1 is a P router, and ASBR1 and ASBR2 are P routers as well.

hostname CE2-RACK1
!
ip cef
no ip domain lookup
mpls label protocol ldp
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Null0
 no ip unreachables
!
interface Ethernet0/0
 description To PE3 E0/0.23
 ip address 10.23.1.1 255.255.255.0
 half-duplex
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 10.23.1.0 mask 255.255.255.0
 redistribute static metric 2
 neighbor 10.23.1.3 remote-as 65001
 neighbor 10.23.1.3 default-originate
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Null0

hostname PE3-RACK1
!
ip cef
no ip domain lookup
ip vrf iementor
 rd 200:200
 route-target export 200:200
 route-target import 200:200
!
ip vrf solaris
 rd 300:300
 route-target export 300:300
 route-target import 300:300
!
mpls label protocol ldp
mpls ldp loop-detection
tag-switching tdp router-id Loopback0
!
!
key chain iementor
 key 6727
  key-string iementorlab
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
 ip ospf network point-to-point
!
interface Loopback33
 ip address 33.33.33.33 255.255.255.0
!
interface Ethernet0/0
 no ip address
 half-duplex
!
interface Ethernet0/0.13
 description to CE1 - VLAN 13
 encapsulation dot1Q 13
 ip vrf forwarding iementor
 ip address 10.13.1.3 255.255.255.0
 no snmp trap link-status
!
interface Ethernet0/0.23
 description to CE2 - VLAN 23
 encapsulation dot1Q 23
 ip vrf forwarding solaris
 ip address 10.23.1.3 255.255.255.0
 no snmp trap link-status
!
interface Ethernet0/0.30
 description to RR - VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.3 255.255.255.0
 ip router isis
 mpls label protocol ldp
 tag-switching ip
 no snmp trap link-status
 isis circuit-type level-1
!
interface Ethernet0/0.31
 description to PE1 - VLAN 31
 encapsulation dot1Q 31
 ip address 172.16.13.3 255.255.255.0
 ip router isis
 tag-switching ip
 no snmp trap link-status
 isis circuit-type level-1
!
interface Ethernet0/0.123
 description to PE2 - VLAN 123
 encapsulation dot1Q 123
 ip address 172.16.123.3 255.255.255.0
 ip router isis
 tag-switching ip
 no snmp trap link-status
 isis circuit-type level-2-only
 isis authentication mode md5 level-2
 isis authentication key-chain iementor level-2
!
interface Ethernet0/1
 no ip address
 half-duplex
!
router isis
 net 48.0000.0003.0003.00
 is-type level-1
 area-password iementor
 authentication mode md5 level-2
 authentication key-chain iementor level-2
 log-adjacency-changes all
 redistribute isis ip level-2 into level-1 distribute-list 100
 passive-interface Loopback0
 maximum-paths 1
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 33.33.33.0 mask 255.255.255.0
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.1.1.254 activate
 neighbor 10.1.1.254 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf solaris
 redistribute connected
 neighbor 10.23.1.1 remote-as 2
 neighbor 10.23.1.1 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf iementor
 redistribute connected metric 2
 redistribute static metric 2
 no auto-summary
 no synchronization
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route vrf iementor 1.1.1.0 255.255.255.0 10.13.1.1
!
access-list 100 permit ip any any log

PE3-RACK1#sho ip route vrf solaris
Routing Table: solaris
Gateway of last resort is 10.23.1.1 to network 0.0.0.0

     6.0.0.0/24 is subnetted, 1 subnets
B       6.6.6.0 [200/10] via 10.1.1.4, 00:07:26
     172.16.0.0/24 is subnetted, 1 subnets
B       172.16.60.0 [200/0] via 10.1.1.4, 00:07:40
     10.0.0.0/24 is subnetted, 1 subnets
C       10.23.1.0 is directly connected, Ethernet0/0.23
B*   0.0.0.0/0 [20/0] via 10.23.1.1, 00:45:57

hostname PE1-RACK1
!
no ip domain lookup
!
ip vrf iementor
 rd 200:200
 route-target export 200:200
 route-target import 200:200
!
mpls label protocol tdp
tag-switching tdp router-id Loopback0
!
key chain iementor
 key 6727
  key-string iementorlab
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
 ip pim sparse-dense-mode
!
interface Loopback9
 ip address 9.9.9.9 255.255.255.255
!
interface Loopback11
 description BGP Loopback
 ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/0
 description to PE3 VLAN31
 ip address 172.16.13.1 255.255.255.0
 ip router isis
 speed 100
 full-duplex
 mpls label protocol ldp
 tag-switching mtu 9216
 tag-switching ip
 isis circuit-type level-1
!
interface Serial0/0
 description to Inter-AS ASBR1
 mtu 17940
 no ip address
 encapsulation frame-relay
 no keepalive
!
interface Serial0/0.101 multipoint
 description to Inter-AS ASBR1 ISIS
 ip address 172.16.222.1 255.255.255.0
 ip router isis
 mpls label protocol ldp
 tag-switching ip
 clns mtu 9216
 isis circuit-type level-2-only
 isis authentication mode md5 level-2
 isis authentication key-chain iementor level-2
 no isis hello padding
 frame-relay map clns 201 broadcast
 frame-relay map ip 172.16.222.1 201 broadcast
 frame-relay map ip 172.16.222.2 201 broadcast
 no frame-relay inverse-arp
!
interface FastEthernet0/1
 description to PE2 VLAN21
 ip address 172.16.12.1 255.255.255.0
 ip router isis
 speed 100
 full-duplex
 mpls label protocol ldp
 tag-switching mtu 9216
 tag-switching ip
 isis circuit-type level-1
 isis network point-to-point
!
interface ATM1/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM1/0.100 point-to-point
 ip vrf forwarding iementor
 ip address 140.100.1.2 255.255.255.0
 pvc 1/100
  protocol ip 140.100.1.1 broadcast
  encapsulation aal5snap
 !
!
interface ATM1/0.300 tag-switching
 ip address 140.100.2.1 255.255.255.0
 ip router isis
 mpls label protocol tdp
 tag-switching atm vp-tunnel 3 vci-range 33-65535
 tag-switching ip
!
router eigrp 100
 auto-summary
 !
 address-family ipv4 vrf iementor
 network 140.100.1.0 0.0.0.255
 no auto-summary
 autonomous-system 10
 exit-address-family
!
router isis
 net 48.0000.0001.0001.00
 area-password iementor
 authentication mode md5 level-2
 authentication key-chain iementor level-2
 lsp-refresh-interval 90
 no hello padding point-to-point
 log-adjacency-changes all
 redistribute isis ip level-2 into level-1 distribute-list 100
 passive-interface Loopback0
 maximum-paths 1
!
router bgp 65001
 no synchronization
 bgp router-id 10.1.1.1
 bgp log-neighbor-changes
 network 11.11.11.0 mask 255.255.255.0
 network 140.100.1.0 mask 255.255.255.0
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 neighbor 140.100.1.1 remote-as 1540
 neighbor 140.100.1.1 description To BB2
 neighbor 140.100.1.1 password iementor
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.1.1.254 activate
 neighbor 10.1.1.254 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf iementor
 no auto-summary
 no synchronization
 exit-address-family
!
ip http server
no ip http secure-server
ip classless
ip route 140.100.2.2 255.255.255.255 ATM1/0.300

PE1-RACK1#sho mpls interfaces
Interface              IP            Tunnel   Operational
FastEthernet0/0        Yes (ldp)     Yes      Yes
FastEthernet0/1        Yes (ldp)     Yes      Yes
Serial0/0.101          Yes (ldp)     No       Yes
ATM1/0.300             Yes (tdp)     No       Yes (ATM labels)

PE1-RACK1#sho mpls ldp discovery
 Local LDP Identifier:
    10.1.1.1:0
    Discovery Sources:
    Interfaces:
        FastEthernet0/0 (ldp): xmit/recv
            LDP Id: 10.1.1.3:0
        FastEthernet0/1 (ldp): xmit/recv
            LDP Id: 10.1.1.2:0
        Serial0/0.101 (ldp): xmit/recv
            LDP Id: 10.1.1.100:0
        ATM1/0.300 (tdp): xmit/recv
            TDP Id: 3.3.3.3:1; IP addr: 140.100.2.2

ASBR1-RACK1#sho mpls interfaces
Interface              IP            Tunnel   Operational
Serial0/0              Yes (ldp)     No       Yes
Serial0/1              Yes (ldp)     No       Yes
Serial0/2              Yes (ldp)     No       Yes

ASBR2-RACK1#sho mpls interfaces
Interface              IP            Tunnel   Operational
Ethernet0/0            Yes (ldp)     No       Yes
Serial0/0              Yes (ldp)     No       Yes
Serial0/1              Yes (ldp)     No       Yes

hostname PE4-RACK1
!
ip cef
no ip domain lookup
ip vrf iementor
 rd 200:200
 route-target export 200:200
 route-target import 200:200
!
ip vrf solaris
 rd 300:300
 route-target export 300:300
 route-target import 300:300
!
mpls label protocol tdp
tag-switching tdp router-id Loopback0
!
!
key chain iementor
 key 6727
  key-string iementorlab
!
interface Loopback0
 ip address 10.1.1.4 255.255.255.255
!
interface Loopback4
 ip address 44.44.44.44 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.240.4 255.255.255.0
 ip router isis
 speed 100
 full-duplex
 mpls label protocol ldp
 tag-switching ip
 isis circuit-type level-2-only
 isis authentication mode md5 level-2
 isis authentication key-chain iementor level-2
!
interface FastEthernet0/1
 description Trunk 3550
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.300
 description to BB3 VLAN 300
 encapsulation dot1Q 300
 no snmp trap link-status
!
interface FastEthernet0/1.600
 description TO svi 3550-CE6 VPN SOLARIS SITE 2
 encapsulation dot1Q 600
 ip vrf forwarding solaris
 ip address 172.16.60.4 255.255.255.0
 ip ospf network point-to-point
 no snmp trap link-status
!
router ospf 200 vrf solaris
 log-adjacency-changes detail
 redistribute connected subnets
 redistribute bgp 65001 metric 10 metric-type 1 subnets
 network 172.16.60.0 0.0.0.255 area 0
 default-information originate always
!
router isis
 net 48.0000.4002.4002.00
 is-type level-2-only
 authentication mode md5 level-2
 authentication key-chain iementor level-2
 passive-interface Loopback0
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.1.1.254 activate
 neighbor 10.1.1.254 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf solaris
 redistribute ospf 200 metric 10 match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf iementor
 no auto-summary
 no synchronization
 exit-address-family

PE4-RACK1#sho ip route vrf solaris
Gateway of last resort is 10.1.1.3 to network 0.0.0.0
     6.0.0.0/24 is subnetted, 1 subnets
O       6.6.6.0 [110/2] via 172.16.60.6, 00:11:41, FastEthernet0/1.600
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.60.0 is directly connected, FastEthernet0/1.600
     10.0.0.0/24 is subnetted, 1 subnets
B       10.23.1.0 [200/0] via 10.1.1.3, 00:11:26
B*   0.0.0.0/0 [200/0] via 10.1.1.3, 00:11:26

PE4-RACK1#traceroute 10.1.1.3
Type escape sequence to abort.
Tracing the route to 10.1.1.3

  1 172.16.240.1 [MPLS: Label 26 Exp 0] 36 msec 36 msec 32 msec
  2 172.16.114.1 [MPLS: Label 22 Exp 0] 24 msec 24 msec 24 msec
  3 172.16.222.1 [MPLS: Label 18 Exp 0] 24 msec 28 msec 24 msec
  4 172.16.13.3 16 msec * 16 msec

CE2-RACK1#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms

Task 14.22:
♦ Configure an AAA hosting service for the VPN customers.
♦ Configure VPN Green to authenticate Telnet logins against 172.16.1.254.
♦ Configure VPN Green to send network/system accounting with delay-start, in VRF mode, to 172.16.1.254.
♦ All Telnet sessions from PE1 should authenticate to the VPN Green AAA server.

aaa group server radius aaa-radius
 server 172.16.1.254 auth-port 1645 acct-port 1646
 ip vrf forwarding green
 ip radius source-interface Loopback172
!
aaa authentication login default group aaa-radius
aaa accounting delay-start vrf green
aaa accounting system default vrf green start-stop group aaa-radius

Task 14.23:
♦ Configure group iementor for SNMPv3 noauth.
♦ Configure username ccieuser mapped to group ieMentor.
♦ Configure all BGP traps and config traps to be sent to host 3.3.3.254 in VPN IEMENTOR.
PE3-RACK1(config)#snmp-server group iementor v3 noauth
PE3-RACK1(config)#snmp-server user ccieuser group1 v3
*Mar 9 00:00:38.736: Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...
PE3-RACK1(config)#snmp-server host 3.3.3.254 vrf iementor version 3 noauth ccieuser

snmp-server group iementor v3 noauth
snmp-server user ccieuser group1 v3
snmp-server host 3.3.3.254 vrf iementor version 3 noauth ccieuser

The running configuration afterwards (the group1 line with the *tv notify view is generated by the router, not typed):

snmp-server user ccieuser group1 v3
snmp-server group group1 v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group iementor v3 noauth
snmp-server host 3.3.3.254 vrf iementor version 3 noauth ccieuser

Task 14.24:
♦ Configure PE3 to support Multi-VRF with CE2.
♦ Configure PE3 such that CE2 can receive routes from VPN Green without redistribution and without VRF import/export. BGP can be used as the CE-PE routing protocol that accomplishes this.

In this task you are required to make changes on CE2, on the 3750 and on the 3550. Remember that one is a VTP server and the other a VTP client. We will introduce the new VLAN24 to accommodate Multi-VRF on CE2. The goal is to make CE2 receive multiple VRFs without redistributing routes and without importing/exporting them through the RD:

hostname PE3-RACK1
!
ip cef
!
ip vrf green
 rd 100:100
 route-target export 100:100
 route-target import 100:100
!
ip vrf iementor
 rd 200:200
 route-target export 200:200
 route-target import 200:200
!
ip vrf solaris
 rd 300:300
 route-target export 300:300
 route-target import 300:300
!
interface Ethernet0/0.23
 encapsulation dot1Q 23
 ip vrf forwarding solaris
 ip address 10.23.1.3 255.255.255.0
 no snmp trap link-status
!
interface Ethernet0/0.24
 encapsulation dot1Q 24
 ip vrf forwarding green
 ip address 10.24.1.3 255.255.255.0
 no snmp trap link-status
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 33.33.33.0 mask 255.255.255.0
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.1.1.254 activate
 neighbor 10.1.1.254 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf solaris
 redistribute connected
 neighbor 10.23.1.1 remote-as 2
 neighbor 10.23.1.1 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf green
 redistribute connected
 neighbor 10.24.1.1 remote-as 2
 neighbor 10.24.1.1 activate
 no auto-summary
 no synchronization
 exit-address-family

CE2
ip vrf green
 rd 100:100
 route-target export 100:100
 route-target import 100:100
!
ip vrf solaris
 rd 300:300
 route-target export 300:300
 route-target import 300:300
!
interface Loopback122
 ip vrf forwarding green
 ip address 22.22.22.22 255.255.255.0
!
interface Loopback123
 ip vrf forwarding solaris
 ip address 23.23.23.23 255.255.255.0
!
interface Ethernet0/0.23
 encapsulation dot1Q 23
 ip vrf forwarding solaris
 ip address 10.23.1.1 255.255.255.0
 no snmp trap link-status
!
interface Ethernet0/0.24
 encapsulation dot1Q 24
 ip vrf forwarding green
 ip address 10.24.1.1 255.255.255.0
 no snmp trap link-status
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf solaris
 redistribute connected
 neighbor 10.23.1.3 remote-as 65001
 neighbor 10.23.1.3 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf green
 redistribute connected
 neighbor 10.24.1.3 remote-as 65001
 neighbor 10.24.1.3 activate
 no auto-summary
 no synchronization
 exit-address-family

CE2-RACK1#sho ip bgp vpnv4 all summary
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.23.1.3       4 65001     524     526       53    0    0 08:39:12
10.24.1.3       4 65001     526     526       53    0    0 08:39:19

VPN                  ROUTING       CE
GREEN-SITE1          BGP           CE5
GREEN-SITE2          RIP           CE8
IEMENTOR-SITE1       EIGRP         CE2
IEMENTOR-SITE2       STATIC        CE1
VPN Solaris Site 1   BGP-AS2       CE2
VPN Solaris Site 2   OSPF-AREA 0   CE6
VPN Green Site 3     BGP-AS3       CE7

Task 14.25: Secure routing protocols
♦ In VPN Green site 1, secure the protocol session with SP1.
♦ In VPN Green site 2, secure the protocol session with SP1.
♦ In VPN IEMENTOR site 1, secure the protocol session with SP1.
♦ In VPN Solaris site 1, secure the protocol session with PE3.
♦ In VPN Solaris site 2, secure the protocol session with PE4.

Here's the basic password security template for this task (the same password must be configured on both ends of the session):

router bgp XXX
 address-family ipv4 vrf xxx
 redistribute connected
 neighbor X.X.X.X password iementor

Task 14.26: Controlling Internet routes
♦ Configure BB3 as the Internet backbone router.
♦ Configure IP address 13.1.1.1/24 without advertising it to VPN Green.
♦ Configure BB3 such that the rest of VPN Green can reach 13.1.1.1.
♦ One static route is allowed for making this work.
♦ The BB3 session must be password-protected.

Configure RR to accept routes from PE4 and also confirm that the ASBRs are passing LDP labels end to end. As soon as BB3 advertises the default route, every site in VPN Green reaches BB3's Loopback 13.1.1.1 through that default route, without 13.1.1.1 itself being advertised.

router bgp 3
 no synchronization
 bgp log-neighbor-changes
 network 172.16.30.0 mask 255.255.255.0
 redistribute connected metric 2
 redistribute static metric 2
 neighbor 172.16.30.4 remote-as 65001
 neighbor 172.16.30.4 default-originate
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Null0
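An added audit script for the checks behind Task 14.23 and Task 14.25 (my code, not the workbook's): it parses a constructed IOS-style configuration, flags every eBGP neighbor that lacks a `neighbor ... password` line, and flags snmp-server groups or hosts configured at the noauth security level. The configuration text and the addresses in it are constructed from the lab's values for illustration only.

```python
import re

# Constructed sample IOS-style configuration (mine, not the workbook's): the
# solaris neighbour follows the Task 14.25 template (neighbor ... password),
# the green neighbour does not, and the snmp-server lines use the noauth
# security level seen in the Task 14.23 solution.
SAMPLE_CONFIG = """\
snmp-server group iementor v3 noauth
snmp-server user ccieuser group1 v3
snmp-server host 3.3.3.254 vrf iementor version 3 noauth ccieuser
!
router bgp 65001
 neighbor 10.1.1.254 remote-as 65001
 !
 address-family ipv4 vrf solaris
  neighbor 10.23.1.1 remote-as 2
  neighbor 10.23.1.1 password iementor
  neighbor 10.23.1.1 activate
 exit-address-family
 !
 address-family ipv4 vrf green
  neighbor 10.24.1.1 remote-as 2
  neighbor 10.24.1.1 activate
 exit-address-family
!
"""

BGP_RE = re.compile(r"^\s*router bgp\s+(\d+)\s*$")
AF_RE = re.compile(r"^\s*address-family\s+(.+?)\s*$")
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_bgp_neighbors(config):
    """Map (address-family, neighbor IP) -> remote-as, password flag, local AS."""
    neighbors = {}
    in_bgp, local_as, af = False, None, "global"
    for line in config.splitlines():
        m = BGP_RE.match(line)
        if m:
            in_bgp, local_as, af = True, m.group(1), "global"
            continue
        if not in_bgp:
            continue
        if line.startswith("router ") or line.strip() == "end":
            in_bgp = False  # left the router bgp block
            continue
        m = AF_RE.match(line)
        if m:  # neighbours under 'address-family ipv4 vrf X' are kept per VRF
            af = m.group(1)
            continue
        if line.strip() == "exit-address-family":
            af = "global"
            continue
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        ip, keyword, rest = m.group(1), m.group(2), (m.group(3) or "").strip()
        entry = neighbors.setdefault(
            (af, ip), {"remote-as": None, "password": False, "local-as": local_as})
        if keyword == "remote-as":
            entry["remote-as"] = rest
        elif keyword == "password":
            entry["password"] = True  # only presence is recorded, never the value
    return neighbors


def audit(config):
    """Return findings: eBGP sessions without a password and SNMPv3 noauth use."""
    findings = []
    for (af, ip), entry in sorted(parse_bgp_neighbors(config).items()):
        external = entry["remote-as"] not in (None, entry["local-as"])
        if external and not entry["password"]:
            findings.append(f"bgp: eBGP neighbor {ip} in {af} has no password")
    for line in config.splitlines():
        if line.startswith("snmp-server") and (
                " v3 noauth" in line or " version 3 noauth" in line):
            findings.append(f"snmp: SNMPv3 without authentication: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

iBGP neighbors (remote-as equal to the local AS, such as the RR session to 10.1.1.254) are deliberately not flagged, since the task template only covers the CE-PE sessions.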

Date posted: 23/10/2015, 18:09
