Document information: 35 pages, 272.14 KB
ieMentor CCIE™ Service Provider Workbook v1.0 | Lab14 Solutions: MPLS VPN
In this lab IS-IS is configured slightly differently than in the other labs, so please read the questions very carefully.
We are going to extend IS-IS to PE4 across ASBR1 and ASBR2. In this lab the ASBRs become the P routers.
Task 14.1:
♦ Configure IS-IS between RR1, PE1, PE2, and PE3.
♦ IS-IS AREA NET 48.0000
♦ IS-IS RR1 AREA NET 48.0000.0254.0254
♦ IS-IS Level 1 in RR1: Configure IS-IS Level 1 only for both interfaces by using a single command.
♦ RR1: Advertise VLAN20 and VLAN30, including the Loopback in Level 1.
♦ Use best practices to advertise Loopbacks under IS-IS.
♦ Configure RR1 such that all changes in IS-IS are sent to the logging console.
♦ PE1 IS-IS AREA NET 48.0000.0001.0001.00 Level 1
♦ PE2 IS-IS AREA NET 48.0000.0002.0002.00 Level 1
♦ CORRECTION!!! PE3 IS-IS AREA NET 48.0000.0003.0003.00 Level 1
PE1
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description to PE3 VLAN31
ip address 172.16.13.1 255.255.255.0
ip router isis
speed 100
full-duplex
isis circuit-type level-1
!
interface Serial0/0
description to Inter-AS ASBR1
This product is individually licensed.
Copyright® 2005 ieMentor http://www.iementor.com.
encapsulation frame-relay
no keepalive
!
interface Serial0/0.101 multipoint
description to Inter-AS ASBR1 ISIS
ip address 172.16.222.1 255.255.255.0
ip router isis
frame-relay map clns 201 broadcast
frame-relay map ip 172.16.222.1 201 broadcast
frame-relay map ip 172.16.222.2 201 broadcast
no frame-relay inverse-arp
!
interface FastEthernet0/1
description to PE2 VLAN21
ip address 172.16.12.1 255.255.255.0
ip router isis
speed 100
full-duplex
isis circuit-type level-1
!
router isis
net 48.0000.0001.0001.00
log-adjacency-changes all
passive-interface Loopback0
maximum-paths 1
hostname PE2-RACK1
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
!
interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.20
description to RR - VLAN 20
encapsulation dot1Q 20
ip address 172.16.20.2 255.255.255.0
ip router isis
tag-switching ip
isis circuit-type level-1
!
interface Ethernet0/0.21
description to PE1 - VLAN 21
encapsulation dot1Q 21
ip address 172.16.12.2 255.255.255.0
ip router isis
no snmp trap link-status
isis circuit-type level-1
!
interface Ethernet0/0.123
description to PE3 - VLAN 123
encapsulation dot1Q 123
ip address 172.16.123.2 255.255.255.0
ip router isis
!
interface Ethernet0/1
description to BB1-RACK1
ip address 10.12.1.2 255.255.255.0
ip policy route-map unicast-routes
full-duplex
!
router isis
net 48.0000.0002.0002.00
log-adjacency-changes all
passive-interface Loopback0
hostname PE3-RACK1
!
interface Loopback0
ip address 10.1.1.3 255.255.255.255
!
interface Loopback33
ip address 33.33.33.33 255.255.255.0
!
interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.23
description to CE2 - VLAN 23
encapsulation dot1Q 23
no snmp trap link-status
!
interface Ethernet0/0.30
description to RR - VLAN 30
encapsulation dot1Q 30
ip address 172.16.30.3 255.255.255.0
ip router isis
isis circuit-type level-1
!
interface Ethernet0/0.31
description to PE1 - VLAN 31
encapsulation dot1Q 31
ip address 172.16.13.3 255.255.255.0
ip router isis
isis circuit-type level-1
!
interface Ethernet0/0.123
description to PE2 - VLAN 123
encapsulation dot1Q 123
ip address 172.16.123.3 255.255.255.0
ip router isis
!
router isis
net 48.0000.0003.0003.00
is-type level-1
log-adjacency-changes all
passive-interface Loopback0
hostname RR1-RACK1
!
interface Loopback0
ip address 10.1.1.254 255.255.255.255
!
interface Ethernet0/0
no ip address
full-duplex
!
interface Ethernet0/0.20
description to PE2 -VLAN 20
encapsulation dot1Q 20
ip address 172.16.20.254 255.255.255.0
ip router isis
!
interface Ethernet0/0.30
description to PE3 -VLAN 30
encapsulation dot1Q 30
ip address 172.16.30.254 255.255.255.0
ip router isis
!
router isis
net 48.0000.0254.0254.00
is-type level-1
log-adjacency-changes all
passive-interface Loopback0
This task is very similar to Lab 4 and Lab 5, so the solutions are not explained again here to avoid unnecessary repetition. The main focus of this lab is MPLS VPN; IS-IS is just the IGP.
Task 14.2:
Task 14.3:
♦ Establish IS-IS Level 1 adjacencies on the link between PE2 and PE3 over VLAN123.
♦ Use best practices to advertise Loopbacks under IS-IS.
♦ Configure PE1 Serial0/0 to ASBR1 Serial 0/2 interface with frame-relay encapsulation; make sure to use back-to-back serial.
♦ Configure PE1 as sub-interface S0/0.100 multipoint. Use the DLCI number of your choice on both routers.
♦ Configure ASBR1 Serial 0/2 interface to PE1 with encapsulation frame-relay, back-to-back.
♦ On ASBR1, configure using the physical interface instead of a sub-interface.
♦ Configure all necessary frame-relay parameters to establish basic IP connectivity from PE1 to ASBR1 such that you do not depend on Inverse ARP for frame-relay interfaces on PE1 and ASBR1.
♦ Establish Level 2 IS-IS adjacencies on the link between PE1 and ASBR1.
♦ Configure all necessary components to establish IS-IS with PE1 over a multipoint interface.
♦ Make sure you can ping PE1 Loopback0 10.1.1.1 from ASBR1.
♦ ASBR1 IS-IS AREA NET 48.0000.1001.1001.00 Level 2
♦ ASBR2 IS-IS AREA NET 48.0000.2002.2002.00 Level 2
♦ PE4 IS-IS AREA NET 48.0000.4002.4002.00 Level 2
PE4
interface Loopback0
ip address 10.1.1.4 255.255.255.255
!
router isis
net 48.0000.0004.0004.00
is-type level-2-only
log-adjacency-changes all
passive-interface Loopback0
Select your own NET ID number for IS-IS.
interface Loopback0
ip address 10.1.1.200 255.255.255.255
!
router isis
net 48.0000.2002.2002.00
is-type level-2-only
log-adjacency-changes all
passive-interface Loopback0
PE4-RACK1#sho ip route isis
     10.0.0.0/32 is subnetted, 2 subnets
i L2    10.1.1.200 [115/10] via 172.16.240.1, FastEthernet0/0
Task 14.4:
♦ Configure ASBR1 S0/0 and S0/1 and ASBR2 S0/0 and S0/1 in Level 2.
ASBR1-RACK1#sho cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce  Holdtme  Capability  Platform  Port ID
ASBR2-RACK1      Ser 0/0        135      R S         2610      Ser 0/0
ASBR2-RACK1      Ser 0/1        135      R S         2610      Ser 0/1
ASBR1-RACK1(config)#int ser 0/0
ASBR1-RACK1(config-if)#ip router isis
ASBR1-RACK1(config-if)#isis circuit-type level-2-only
ASBR1-RACK1(config-if)#int ser 0/1
ASBR1-RACK1(config-if)#ip router isis
ASBR1-RACK1(config-if)#isis circuit-type level-2-only
ASBR2-RACK1(config)#int ser 0/0
ASBR2-RACK1(config-if)#ip router isis
ASBR2-RACK1(config-if)#isis circuit-type level-2-only
ASBR2-RACK1(config-if)#int ser 0/1
ASBR1-RACK1(config-if)#ip router isis
ASBR2-RACK1(config-if)#isis circuit-type level-2-only
♦ Configure IS-IS such that traffic does not get load-balanced across the two links.
ASBR2-RACK1#sho ip route is
     3.0.0.0/24 is subnetted, 1 subnets
i L2    3.3.3.0 [115/30] via 172.16.114.1, Serial0/1
                [115/30] via 172.16.113.1, Serial0/0
     140.100.0.0/24 is subnetted, 1 subnets
i L2    140.100.2.0 [115/30] via 172.16.114.1, Serial0/1
                    [115/30] via 172.16.113.1, Serial0/0
     172.16.0.0/24 is subnetted, 8 subnets
i L2    172.16.222.0 [115/20] via 172.16.114.1, Serial0/1
                     [115/20] via 172.16.113.1, Serial0/0
i L2    172.16.30.0 [115/40] via 172.16.114.1, Serial0/1
                    [115/40] via 172.16.113.1, Serial0/0
i L2    172.16.20.0 [115/40] via 172.16.114.1, Serial0/1
                    [115/40] via 172.16.113.1, Serial0/0
i L2    172.16.12.0 [115/30] via 172.16.114.1, Serial0/1
                    [115/30] via 172.16.113.1, Serial0/0
i L2    172.16.13.0 [115/30] via 172.16.114.1, Serial0/1
                    [115/30] via 172.16.113.1, Serial0/0
     10.0.0.0/32 is subnetted, 7 subnets
i L2    10.1.1.2 [115/30] via 172.16.114.1, Serial0/1
                 [115/30] via 172.16.113.1, Serial0/0
i L2    10.1.1.3 [115/30] via 172.16.114.1, Serial0/1
                 [115/30] via 172.16.113.1, Serial0/0
i L2    10.1.1.1 [115/20] via 172.16.114.1, Serial0/1
                 [115/20] via 172.16.113.1, Serial0/0
i L2    10.1.1.4 [115/10] via 172.16.240.4, Ethernet0/0
i L2    10.1.1.100 [115/10] via 172.16.114.1, Serial0/1
                   [115/10] via 172.16.113.1, Serial0/0
i L2    10.1.1.254 [115/40] via 172.16.114.1, Serial0/1
                   [115/40] via 172.16.113.1, Serial0/0
ASBR2-RACK1(config)#router isis
ASBR2-RACK1(config-router)#maximum-paths 1
ASBR1-RACK1(config)#router isis
ASBR1-RACK1(config-router)#maximum-paths 1
ASBR1-RACK1#sho ip route isis
     3.0.0.0/24 is subnetted, 1 subnets
i L2    3.3.3.0 [115/20] via 172.16.222.1, Serial0/2
     140.100.0.0/24 is subnetted, 1 subnets
i L2    140.100.2.0 [115/20] via 172.16.222.1, Serial0/2
     172.16.0.0/24 is subnetted, 8 subnets
i L2    172.16.240.0 [115/20] via 172.16.114.2, Serial0/1
i L2    172.16.30.0 [115/30] via 172.16.222.1, Serial0/2
i L2    172.16.20.0 [115/30] via 172.16.222.1, Serial0/2
i L2    172.16.12.0 [115/20] via 172.16.222.1, Serial0/2
i L2    172.16.13.0 [115/20] via 172.16.222.1, Serial0/2
     10.0.0.0/32 is subnetted, 7 subnets
i L2    10.1.1.2 [115/20] via 172.16.222.1, Serial0/2
i L2    10.1.1.3 [115/20] via 172.16.222.1, Serial0/2
i L2    10.1.1.1 [115/10] via 172.16.222.1, Serial0/2
i L2    10.1.1.4 [115/20] via 172.16.114.2, Serial0/1
i L2    10.1.1.200 [115/10] via 172.16.114.2, Serial0/1
i L2    10.1.1.254 [115/30] via 172.16.222.1, Serial0/2
♦ Configure PE4 link to ASBR2 in IS-IS Level 2 only.
♦ Configure SP1 and SP2 to communicate and exchange their IS-IS routing tables.
♦ PE4 must be able to reach RR1.
PE4-RACK1#ping 10.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms
Task 14.5:
♦ Configure RR1 as route-reflector for all backbone routers in AS 65001.
♦ Minimize configuration commands for BGP in SP1 core.
♦ Configure IPv4 session only.
♦ Configure Loopbacks for all PEs as shown in the table below.
PE1-AS65001-SP1   Loopback 11   11.11.11.11/24
PE2-AS65001-SP1   Loopback 22   22.22.22.22/24
PE3-AS65001-SP1   Loopback 33   33.33.33.33/24
PE4-AS65001-SP2   Loopback 44   44.44.44.44/24
RR1-AS65001-SP1   Loopback 55   55.55.55.55/24
♦ Advertise Loopbacks in AS65001.
♦ RR1 should inject Loopback55 without using network commands. Make sure only the 55.55.55.55 Loopback gets injected.
♦ Verify that you can ping all BGP Loopbacks from RR1.
RR1-RACK1
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 172.16.20.0 mask 255.255.255.0
network 172.16.30.0 mask 255.255.255.0
redistribute connected metric 2 route-map allow55
neighbor ibgp peer-group
neighbor ibgp remote-as 65001
neighbor ibgp update-source Loopback0
neighbor ibgp route-reflector-client
neighbor 10.1.1.1 peer-group ibgp
neighbor 10.1.1.2 peer-group ibgp
neighbor 10.1.1.3 peer-group ibgp
no auto-summary
!
route-map allow55 permit 10
match ip address 55
!
access-list 55 permit 55.55.55.0 0.0.0.255 log
This is the template for all PEs to peer with the Route Reflector.
router bgp 65001
no synchronization
bgp log-neighbor-changes
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
no auto-summary
Task 14.6:
♦ SP1 compliant with RFC-3214
This template should be applied to all SP1 routers:
PE1-RACK1(config)#mpls label protocol ldp
PE1-RACK1(config)#mpls ip
PE1-RACK1(config)#int fas 0/0
PE1-RACK1(config-if)#mpls ip
♦ SP2 compliant with RFC-2105
PE4-RACK1(config)#mpls label protocol tdp
PE4-RACK1(config)#mpls ip
PE4-RACK1(config-if)#in fastEthernet 0/0
PE4-RACK1(config-if)#tag-switching ip
For this task make sure that LDP is enabled on all ASBRs, otherwise
the solution will not work.
♦ Configure ASBR1 and ASBR2 as P routers only.
Task 14.7:
The example below applies to all MPLS core routers:
This task will work by default once TDP and LDP are configured.
Task 14.8: Configure BB2 for legacy MPLS TCP/711 tag distribution only.
Task 14.9:
Task 14.10:
Task 14.11:
Task 14.12:
Task 14.13:
In this task, make sure you redistribute IS-IS into EIGRP; otherwise the backbone routes will not match. Based on Task 14.11, this requires redistribution in both directions between IS-IS and EIGRP.
interface ATM1/0.300 tag-switching
ip address 140.100.2.1 255.255.255.0
mpls label protocol tdp
tag-switching atm vp-tunnel 3 vci-range 33-65535
tag-switching ip
!
router eigrp 100
redistribute isis level-1-2 metric 1544 1000 255 255 4460
network 140.100.2.0 0.0.0.255
no auto-summary
!
router isis
net 48.0000.0001.0001.00
area-password iementor
authentication mode md5 level-2
authentication key-chain iementor level-2
log-adjacency-changes all
redistribute eigrp 100 metric 10 metric-type external level-1-2
redistribute isis ip level-2 into level-1 distribute-list 100
passive-interface Loopback0
maximum-paths 1
BB2-RACK1#sho tag-switching interfaces
Interface      IP    Tunnel   Operational
ATM1/0.300     Yes   No       Yes          (ATM tagging)
BB2-RACK1#sho tag-switching forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     3/75        10.1.1.2/32       0          AT1/0.300  point2point
18     3/76        10.1.1.3/32       0          AT1/0.300  point2point
19     3/80        10.1.1.254/32     0          AT1/0.300  point2point
23     3/78        10.1.1.100/32     0          AT1/0.300  point2point
27     3/73        172.16.113.0/24   0          AT1/0.300  point2point
28     3/74        172.16.114.0/24   0          AT1/0.300  point2point
29     3/72        172.16.240.0/24   0          AT1/0.300  point2point
30     3/79        10.1.1.200/32     0          AT1/0.300  point2point
31     3/77        10.1.1.4/32       0          AT1/0.300  point2point
BB2-RACK1#sho tag-switching atm-tdp bindings
 Destination: 140.100.2.0/24
    Tailend Router ATM1/0.300 3/33 Active, VCD=40
 Destination: 172.16.240.0/24
    Headend Router ATM1/0.300 (1 hop) 3/72 Active, VCD=79
 Destination: 172.16.113.0/24
    Headend Router ATM1/0.300 (1 hop) 3/73 Active, VCD=80
 Destination: 172.16.114.0/24
    Headend Router ATM1/0.300 (1 hop) 3/74 Active, VCD=81
 Destination: 10.1.1.2/32
    Headend Router ATM1/0.300 (1 hop) 3/75 Active, VCD=82
 Destination: 10.1.1.3/32
    Headend Router ATM1/0.300 (1 hop) 3/76 Active, VCD=83
 Destination: 10.1.1.4/32
    Headend Router ATM1/0.300 (1 hop) 3/77 Active, VCD=84
 Destination: 10.1.1.100/32
    Headend Router ATM1/0.300 (1 hop) 3/78 Active, VCD=85
 Destination: 10.1.1.200/32
    Headend Router ATM1/0.300 (1 hop) 3/79 Active, VCD=86
 Destination: 10.1.1.254/32
    Headend Router ATM1/0.300 (1 hop) 3/80 Active, VCD=87
BB2-RACK1#sho ip route eigrp
     172.16.0.0/24 is subnetted, 5 subnets
D EX    172.16.240.0 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    172.16.113.0 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    172.16.114.0 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D EX    10.1.1.2/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.3/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.4/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.100/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.200/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
D EX    10.1.1.254/32 [170/1915904] via 140.100.2.1, 00:04:15, ATM1/0.300
BB2
interface ATM1/0.300 tag-switching
ip address 140.100.2.2 255.255.255.0
tag-switching atm vp-tunnel 3 vci-range 33-65535
tag-switching ip
!
router eigrp 100
network 140.100.2.0 0.0.0.255
<-- Include Loopback 0 - 4
auto-summary
VPN               ROUTING   CE
GREEN-SITE1       BGP       CE5
GREEN-SITE2       RIP       CE8
IEMENTOR-SITE1    EIGRP     CE2
IEMENTOR-SITE2    STATIC    CE1
Task 14.14:
♦ Configure BB1 in AS57.
♦ Advertise all interfaces without configuring network statements in BB1.
♦ Configure BB1 BGP session to PE2 using hash-md5.
router bgp 57
no synchronization
bgp log-neighbor-changes
network 10.12.1.0 mask 255.255.255.0
redistribute connected metric 2
neighbor 10.12.1.2 remote-as 65001
neighbor 10.12.1.2 description to AS65001-SP1-PE2
neighbor 10.12.1.2 password iementor
no auto-summary
Task 14.15:
Configure PE2 to support VPN Green site 1.
♦ Make sure VPN routes exchange is bi-directional.
♦ Configure eBGP as the routing protocol for PE-CE communication between PE2 and BB1, with BB1 in AS57.
♦ Verify if you can ping Loopbacks of BB1 from PE2.
PE2-RACK1(config-vrf)#ip vrf green
PE2-RACK1(config-vrf)# rd 100:100
PE2-RACK1(config-vrf)#route-target both 100:100
ip vrf green
rd 100:100
route-target export 100:100
route-target import 100:100
PE2-RACK1#config t
Enter configuration commands, one per line. End with CNTL/Z.
PE2-RACK1(config-vrf)#int e 0/1
PE2-RACK1(config-if)#ip vrf forwarding green
% Policy Based Routing is NOT supported for VRF interfaces
% IP-Policy can be used ONLY for marking (set/clear DF bit) on VRF interfaces
% Interface Ethernet0/1 IP address 10.12.1.2 removed due to enabling VRF green
PE2-RACK1(config)#int e 0/1
PE2-RACK1(config-if)#ip address 10.12.1.2 255.255.255.0
PE2-RACK1#ping vrf green 10.12.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.12.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
PE2-RACK1(config)#router bgp 65001
PE2-RACK1(config-router)# address-family ipv4 vrf green
PE2-RACK1(config-router-af)# redistribute connected
PE2-RACK1(config-router-af)# neighbor 10.12.1.1 remote-as 57
PE2-RACK1(config-router-af)# neighbor 10.12.1.1 activate
PE2-RACK1(config-router-af)# no auto-summary
PE2-RACK1(config-router-af)# no synchronization
PE2-RACK1(config-router-af)# exit-address-family
PE2-RACK1#sho ip bgp vpnv4 all summary
Neighbor    V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.12.1.1   4    57       6       5       37    0    0 00:00:43       18
PE2-RACK1#sho ip route vrf green
Routing Table: green
Gateway of last resort is not set
     18.0.0.0/24 is subnetted, 1 subnets
B       18.2.1.0 [20/2] via 10.12.1.1, 00:00:59
     38.0.0.0/24 is subnetted, 1 subnets
B       38.1.1.0 [20/2] via 10.12.1.1, 00:00:59
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 [20/2] via 10.12.1.1, 00:00:59
     156.46.0.0/16 is variably subnetted, 5 subnets, 2 masks
B       156.46.2.0/24 [20/2] via 10.12.1.1, 00:00:59
B       156.46.3.0/24 [20/2] via 10.12.1.1, 00:00:59
B       156.46.1.0/24 [20/2] via 10.12.1.1, 00:00:59
B       156.46.4.0/24 [20/2] via 10.12.1.1, 00:00:59
B       156.46.100.0/22 [20/2] via 10.12.1.1, 00:01:00
     8.0.0.0/24 is subnetted, 1 subnets
B       8.1.1.0 [20/2] via 10.12.1.1, 00:01:00
B    209.112.65.0/24 [20/2] via 10.12.1.1, 00:01:00
B    209.112.66.0/24 [20/2] via 10.12.1.1, 00:01:00
     10.0.0.0/24 is subnetted, 1 subnets
C       10.12.1.0 is directly connected, Ethernet0/1
B    209.112.67.0/24 [20/2] via 10.12.1.1, 00:01:00
B    209.112.68.0/24 [20/2] via 10.12.1.1, 00:01:00
     12.0.0.0/24 is subnetted, 1 subnets
B       12.1.1.0 [20/2] via 10.12.1.1, 00:01:00
B    209.112.69.0/24 [20/2] via 10.12.1.1, 00:01:00
     28.0.0.0/24 is subnetted, 1 subnets
B       28.3.1.0 [20/2] via 10.12.1.1, 00:01:00
B    209.112.70.0/24 [20/2] via 10.12.1.1, 00:01:00
PE2-RACK1#ping vrf green 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Task 14.16:
CE8 is required to advertise Loopback0 8.8.8.8/24 and Loopback8
88.88.88.1/30 via RIP.
CE8-RACK1(config)#router rip
CE8-RACK1(config-router)# version 2
CE8-RACK1(config-router)# network 8.0.0.0
CE8-RACK1(config-router)# network 88.0.0.0
CE8-RACK1(config-router)# network 10.0.0.0
CE8-RACK1(config-router)# no auto-summary
CE8-RACK1#sho ip rip d
8.0.0.0/8    auto-summary
8.8.8.0/24    directly connected, Loopback0
10.0.0.0/8    auto-summary
10.82.1.0/24    directly connected, FastEthernet0/0
♦ Advertise RIP routes to PE2.
♦ Configure RIP as the routing protocol for PE-CE communication between PE2 and CE8.
PE2-RACK1(config-subif)#ip vrf forwarding green
% Interface Ethernet0/0.82 IP address 10.82.1.2 removed due to enabling VRF green
PE2-RACK1(config-subif)#ip address 10.82.1.2 255.255.255.0
PE2-RACK1#sho ip vrf interfaces
Interface     IP-Address    VRF      Protocol
Et0/1         10.12.1.2     green    up
Et0/0.82      10.82.1.2     green    up
PE2-RACK1#sho ip rip database vrf green
8.0.0.0/8    auto-summary
8.8.8.0/24
    [1] via 10.82.1.1, 00:00:11, Ethernet0/0.82
10.0.0.0/8    auto-summary
10.12.1.0/24    directly connected, Ethernet0/1
10.82.1.0/24    directly connected, Ethernet0/0.82
♦ Verify if you can ping Loopbacks of VPN Green site 2 from PE2.
PE2-RACK1(config)#router rip
PE2-RACK1(config-router)# address-family ipv4 vrf green
PE2-RACK1(config-router-af)# network 10.0.0.0
PE2-RACK1(config-router-af)# no auto-summary
PE2-RACK1(config-router-af)# version 2
PE2-RACK1(config-router-af)# exit-address-family
PE2-RACK1#ping vrf green 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 14.17:
Site 1 should be able to communicate with site 2.
♦ Limit the amount of routes PE2 receives from site 1 to 18 without using an access-list.
CE8-RACK1#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
ip vrf green
rd 101:101
route-target export 101:101
route-target import 101:101
maximum routes 18 100 reinstall 100
!
router rip
!
address-family ipv4 vrf green
redistribute bgp 65001 metric transparent
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 10.12.1.0 mask 255.255.255.0
network 22.22.22.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.12.1.1 remote-as 57
neighbor 10.12.1.1 description Peer to BB1-AS57
no auto-summary
!
address-family ipv4 vrf green
redistribute connected
redistribute rip metric 10
neighbor 10.12.1.1 remote-as 57
neighbor 10.12.1.1 activate
no auto-summary
no synchronization
exit-address-family
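The PE2 configuration above combines two items a reviewer checks before a PE goes into service: the MD5 password on the eBGP session to the customer (Task 14.14) and the `maximum routes` limit on the VRF (Task 14.17), plus the import/export route targets that make the exchange bi-directional (Task 14.15). The Python below is an added example, not the workbook's code; it parses a running-config in plain IOS indentation and reports eBGP neighbors without a password and VRFs missing a route target or a route limit. PE2_BEFORE is a constructed config modeled on the solutions above, and the password in PE2_AFTER is a placeholder.

```python
import re


def parse_blocks(text):
    """Group an IOS running-config into top-level blocks: [(header, [child lines])].
    Nested address-family lines are flattened into their router block, which is
    all this audit needs."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def audit_bgp_and_vrf(text):
    """Return findings: VRFs missing route-target import/export or 'maximum routes',
    and eBGP neighbors (remote-as differs from the local AS) without a password."""
    findings = []
    for header, body in parse_blocks(text):
        parts = header.split()
        if parts[:2] == ["ip", "vrf"]:
            for needed in ("route-target export", "route-target import", "maximum routes"):
                if not any(line.startswith(needed) for line in body):
                    findings.append(f"vrf {parts[2]}: no '{needed}' configured")
        elif parts[:2] == ["router", "bgp"]:
            local_as = parts[2]
            remote_as, protected = {}, set()
            for line in body:
                m = re.match(r"neighbor (\S+) remote-as (\S+)$", line)
                if m:
                    remote_as[m.group(1)] = m.group(2)
                m = re.match(r"neighbor (\S+) password\b", line)
                if m:
                    protected.add(m.group(1))
            # Limitation: a password inherited from a peer-group is not followed here.
            for peer, asn in sorted(remote_as.items()):
                if asn != local_as and peer not in protected:
                    findings.append(f"bgp {local_as}: eBGP neighbor {peer} (AS {asn}) has no password")
    return findings


# Constructed PE2 config modeled on the Task 14.14 / 14.17 solutions.
PE2_BEFORE = """\
ip vrf green
 rd 101:101
 route-target export 101:101
 route-target import 101:101
 maximum routes 18 100 reinstall 100
!
ip vrf iementor
 rd 200:200
 route-target export 200:200
!
router bgp 65001
 no synchronization
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 neighbor 10.12.1.1 remote-as 57
 !
 address-family ipv4 vrf green
  redistribute rip metric 10
  neighbor 10.12.1.1 remote-as 57
  neighbor 10.12.1.1 activate
 exit-address-family
"""
# The same config with the gaps closed; the password value is a placeholder.
PE2_AFTER = PE2_BEFORE.replace(
    " route-target export 200:200\n",
    " route-target export 200:200\n route-target import 200:200\n maximum routes 100 80\n",
).replace(
    " neighbor 10.12.1.1 remote-as 57\n !",
    " neighbor 10.12.1.1 remote-as 57\n neighbor 10.12.1.1 password PLACEHOLDER-SECRET\n !",
)

if __name__ == "__main__":
    print("before:", audit_bgp_and_vrf(PE2_BEFORE))
    print("after: ", audit_bgp_and_vrf(PE2_AFTER))
```

Because the password is matched per neighbor address, a peer that gets its password from a peer-group shows up as a finding; extend `protected` with the group's members if the core uses peer-group passwords.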
Task 14.18:
♦ CE1 is required to advertise Loopback0 1.1.1.1/24.
♦ Customer's remote side does not support any routing protocols, only statics.
♦ Advertise static routes to PE3 from VPN IEMENTOR site 2.
♦ Configure static routing for PE-CE communication between PE3 and CE2.
♦ Verify if you can ping Loopbacks of VPN IEMENTOR site 2 from PE3.
ip vrf iementor
rd 200:200
route-target export 200:200
route-target import 200:200
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 33.33.33.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
no auto-summary
!
address-family ipv4 vrf iementor
redistribute connected
redistribute static metric 2
no auto-summary
no synchronization
exit-address-family
PE3-RACK1(config)#ip route vrf iementor 1.1.1.0 255.255.255.0 10.13.1.1
PE3-RACK1#ping vrf iementor 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
PE3-RACK1#sho ip bgp vpnv4 vrf iementor
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 200:200 (default for vrf iementor)
*> 1.1.1.0/24       10.13.1.1                2         32768 ?
*> 10.13.1.0/24     0.0.0.0                  0         32768 ?
Task 14.19:
♦ PE1 should receive EIGRP routes and place them in IEMENTOR VPN.
♦ Configure PE1 to accept EIGRP as PE-CE routing protocol.
♦ Verify if you can ping Loopbacks of VPN IEMENTOR site 1 from PE1.
router eigrp 100
auto-summary
!
address-family ipv4 vrf iementor
network 140.100.1.0 0.0.0.255
no auto-summary
autonomous-system 10
exit-address-family
PE1-RACK1#sho ip route vrf iementor
     18.0.0.0/24 is subnetted, 1 subnets
D       18.2.2.0 [90/229888] via 140.100.1.1, 00:09:24, ATM1/0.100
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/229888] via 140.100.1.1, 00:09:24, ATM1/0.100
     140.100.0.0/24 is subnetted, 1 subnets
C       140.100.1.0 is directly connected, ATM1/0.100
     8.0.0.0/24 is subnetted, 1 subnets
D       8.2.1.0 [90/229888] via 140.100.1.1, 00:09:24, ATM1/0.100
     28.0.0.0/24 is subnetted, 1 subnets
D       28.3.2.0 [90/229888] via 140.100.1.1, 00:09:24, ATM1/0.100
PE1-RACK1#ping vrf iementor 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Task 14.20:
router bgp 65001
bgp log-neighbor-changes
neighbor ibgp peer-group
neighbor ibgp remote-as 65001
neighbor ibgp update-source Loopback0
neighbor 10.1.1.1 peer-group ibgp
neighbor 10.1.1.2 peer-group ibgp
neighbor 10.1.1.3 peer-group ibgp
neighbor 10.1.1.4 peer-group ibgp
neighbor 10.1.1.100 peer-group ibgp
neighbor 10.1.1.200 peer-group ibgp
!
address-family ipv4
redistribute connected metric 2 route-map allow55
neighbor ibgp route-reflector-client
neighbor 10.1.1.1 activate
neighbor 10.1.1.2 activate
neighbor 10.1.1.3 activate
neighbor 10.1.1.4 activate
neighbor 10.1.1.100 activate
neighbor 10.1.1.200 activate
no auto-summary
no synchronization
network 172.16.20.0 mask 255.255.255.0
network 172.16.30.0 mask 255.255.255.0
exit-address-family
!
address-family vpnv4
neighbor ibgp route-reflector-client
neighbor ibgp send-community extended
neighbor 10.1.1.1 activate
neighbor 10.1.1.2 activate
neighbor 10.1.1.3 activate
neighbor 10.1.1.4 activate
neighbor 10.1.1.100 activate
neighbor 10.1.1.200 activate
exit-address-family
VPN                   ROUTING        CE
VPN Solaris Site 1    BGP-AS2        CE2
VPN Solaris Site 2    OSPF-AREA 0    CE6
Task 14.21:
♦ Configure VPN Solaris on CE2 in AS2.
♦ On CE2, do not advertise Loopback0 2.2.2.2/24 to PE3.
CE2-RACK1(config)#router bgp 2
CE2-RACK1(config-router)# no synchronization
CE2-RACK1(config-router)# bgp log-neighbor-changes
CE2-RACK1(config-router)# network 10.23.1.0 mask 255.255.255.0
CE2-RACK1(config-router)# neighbor 10.23.1.3 remote-as 65001
CE2-RACK1(config-router)# no auto-summary
♦ Configure PE4 to accept OSPF in area 0 as PE-CE routing protocol. Ensure that PE4 receives Loopback 6.6.6.6/24.
PE4-RACK1(config)#router ospf 200 vrf solaris
*Mar 13 06:25:15.634: %OSPF-4-NORTRID: OSPF process 200 cannot start.
There must be at least one "up" IP interface, for OSPF to use as router ID
PE4-RACK1(config)#interface FastEthernet0/1.600
PE4-RACK1(config-subif)#ip vrf forwarding solaris
% Interface FastEthernet0/1.600 IP address 172.16.60.4 removed due to enabling VRF iementor
PE4-RACK1(config-subif)#ip addres 172.16.60.4 255.255.255.0
PE4-RACK1(config)#router ospf 200 vrf solaris
PE4-RACK1(config-router)# log-adjacency-changes detail
PE4-RACK1(config-router)# network 172.16.60.0 0.0.0.255 area 0
♦ Verify if you can ping Loopbacks of VPN Solaris site 2 from PE4.
This task is a little tricky because by default 6.6.6.6 won’t get
advertised on its own, even if you configure it under router ospf.
PE4
router ospf 200 vrf solaris
log-adjacency-changes detail
redistribute connected subnets
network 172.16.60.0 0.0.0.255 area 0
CE6
router ospf 200
router-id 6.6.6.6
log-adjacency-changes detail
network 6.6.6.6 0.0.0.0 area 0
network 172.16.60.0 0.0.0.255 area 0
PE4-RACK1#sho ip route vrf solaris
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.60.0 is directly connected, FastEthernet0/1.600
6.6.6.6 is missing.
PE4-RACK1#sho debugging
IP routing:
OSPF adjacency events debugging is on
OSPF events debugging is on
*Mar 13 07:01:16.246: OSPF: Send hello to 224.0.0.5 area 0 on
FastEthernet0/1.600 from 172.16.60.4
*Mar 13 07:01:19.870: OSPF: Rcv hello from 6.6.6.6 area 0 from
FastEthernet0/1.600 172.16.60.6
*Mar 13 07:01:19.870: OSPF: End of hello processing
*Mar 13 07:01:26.246: OSPF: Send hello to 224.0.0.5 area 0 on
FastEthernet0/1.600 from 172.16.60.4
*Mar 13 07:01:29.870: OSPF: Rcv hello from 6.6.6.6 area 0 from
FastEthernet0/1.600 172.16.60.6
*Mar 13 07:01:29.874: OSPF: End of hello processing
*Mar 13 07:01:36.246: OSPF: Send hello to 224.0.0.5 area 0 on
FastEthernet0/1.600 from 172.16.60.4
*Mar 13 07:01:39.870: OSPF: Rcv hello from 6.6.6.6 area 0 from
FastEthernet0/1.600 172.16.60.6
*Mar 13 07:01:39.870: OSPF: End of hello processing
To resolve this issue a few important steps are required.
PE4-RACK1(config)#int fastEthernet 0/1.600
PE4-RACK1(config-subif)#ip ospf network point-to-point
*Mar 13 07:02:44.558: OSPF: Interface FastEthernet0/1.600 going Down
*Mar 13 07:02:44.562: OSPF: 172.16.60.4 address 172.16.60.4 on FastEthernet0/1.600 is dead, state DOWN
*Mar 13 07:02:44.562: OSPF: Neighbor change Event on interface FastEthernet0/1.600
*Mar 13 07:02:44.562: OSPF: DR/BDR election on FastEthernet0/1.600
*Mar 13 07:02:44.562: OSPF: Elect BDR 6.6.6.6
*Mar 13 07:02:44.562: OSPF: Elect DR 6.6.6.6
*Mar 13 07:02:44.562: OSPF: Elect BDR 6.6.6.6
*Mar 13 07:02:44.562: OSPF: Elect DR 6.6.6.6
*Mar 13 07:02:44.562:        DR: 6.6.6.6 (Id)   BDR: 6.6.6.6 (Id)
*Mar 13 07:02:44.562: OSPF: Flush network LSA immediately
*Mar 13 07:02:44.566: OSPF: Remember old DR 172.16.60.4 (id)
*Mar 13 07:02:44.566: OSPF: 6.6.6.6 address 172.16.60.6 on FastEthernet0/1.600 is dead, state DOWN
*Mar 13 07:02:44.566: %OSPF-5-ADJCHG: Process 200, Nbr 6.6.6.6 on FastEthernet0/1.600 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 13 07:02:44.5nt fastEthernet 0/1.600
*Mar 13 07:02:44.566: OSPF: DR/BDR election on FastEthernet0/1.600
*Mar 13 07:02:44.566: OSPF: Elect BDR 0.0.0.0
*Mar 13 07:02:44.566: OSPF: Elect DR 0.0.0.0
*Mar 13 07:02:44.566:        DR: none   BDR: none
*Mar 13 07:02:44.570: OSPF: Remember old DR 6.6.6.6 (id)
*Mar 13 07:02:44.570: OSPF: No enable interface to build Net Lsa for interface Unknown
*Mar 13 07:02:44.570: OSPF: Build network LSA for Unknown, router ID 172.16.60.4
*Mar 13 07:02:44.570: OSPF: Build network LSA for Unknown, router ID 172.16.60.4
*Mar 13 07:02:44.570: OSPF: Interface FastEthernet0/1.600 going Up
*Mar 13 07:02:44.570: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1.600 from 172.16.60.4
*Mar 13 07:02:45.066: OSPF: Build router LSA for area 0, router ID 172.16.60.4, seq 0x8000000A
PE4-RACK1#sho ip route vrf solaris
     6.0.0.0/24 is subnetted, 1 subnets
O       6.6.6.0 [110/2] via 172.16.60.6, 00:00:45, FastEthernet0/1.600
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.60.0 is directly connected, FastEthernet0/1.600
Also, make sure 3550-CE6 has the following configuration, with ip ospf network point-to-point on both the Loopback and the VLAN interface; otherwise you will experience problems advertising the Loopbacks (OSPF advertises a loopback as a /32 host route unless its network type is point-to-point).
CE6
interface Loopback0
ip address 6.6.6.6 255.255.255.0
ip ospf network point-to-point
!
interface Vlan600
ip address 172.16.60.6 255.255.255.0
ip ospf network point-to-point
!
router ospf 200
router-id 6.6.6.6
log-adjacency-changes detail
network 6.6.6.6 0.0.0.0 area 0
network 172.16.60.0 0.0.0.255 area 0
PE4-RACK1#ping vrf iementor 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
♦ Configure VPN Solaris on CE2 to advertise default route to the
entire VPN Solaris.
♦ Configure such that CE6 can ping the CE2 Loopback without it
showing up in the routing table.
♦ Only one static route is allowed on CE2. No other statics are
permitted, the solution must be dynamic.
This task requires touching every router in the path from PE4 to PE3. In some cases a PE acts as a P router: for the path between PE3 and PE4, PE1 is a P router, and ASBR1 and ASBR2 are P routers as well.
hostname CE2-RACK1
!
ip cef
no ip domain lookup
mpls label protocol ldp
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Null0
no ip unreachables
!
interface Ethernet0/0
description To PE3 E0/0.23
ip address 10.23.1.1 255.255.255.0
half-duplex
!
router bgp 2
no synchronization
bgp log-neighbor-changes
network 10.23.1.0 mask 255.255.255.0
redistribute static metric 2
neighbor 10.23.1.3 remote-as 65001
neighbor 10.23.1.3 default-originate
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Null0
hostname PE3-RACK1
!
ip cef
no ip domain lookup
ip vrf iementor
rd 200:200
route-target export 200:200
route-target import 200:200
!
ip vrf solaris
rd 300:300
route-target export 300:300
route-target import 300:300
!
mpls label protocol ldp
mpls ldp loop-detection
tag-switching tdp router-id Loopback0
!
!
key chain iementor
key 6727
key-string iementorlab
!
interface Loopback0
ip address 10.1.1.3 255.255.255.255
ip ospf network point-to-point
!
interface Loopback33
ip address 33.33.33.33 255.255.255.0
!
interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.13
description to CE1 - VLAN 13
encapsulation dot1Q 13
ip vrf forwarding iementor
ip address 10.13.1.3 255.255.255.0
no snmp trap link-status
!
interface Ethernet0/0.23
description to CE2 - VLAN 23
encapsulation dot1Q 23
ip vrf forwarding solaris
ip address 10.23.1.3 255.255.255.0
no snmp trap link-status
!
interface Ethernet0/0.30
description to RR - VLAN 30
encapsulation dot1Q 30
ip address 172.16.30.3 255.255.255.0
ip router isis
mpls label protocol ldp
tag-switching ip
no snmp trap link-status
isis circuit-type level-1
!
interface Ethernet0/0.31
description to PE1 - VLAN 31
encapsulation dot1Q 31
ip address 172.16.13.3 255.255.255.0
ip router isis
tag-switching ip
no snmp trap link-status
isis circuit-type level-1
!
interface Ethernet0/0.123
description to PE2 - VLAN 123
encapsulation dot1Q 123
ip address 172.16.123.3 255.255.255.0
ip router isis
tag-switching ip
no snmp trap link-status
isis circuit-type level-2-only
isis authentication mode md5 level-2
isis authentication key-chain iementor level-2
!
interface Ethernet0/1
no ip address
half-duplex
!
router isis
net 48.0000.0003.0003.00
is-type level-1
area-password iementor
authentication mode md5 level-2
authentication key-chain iementor level-2
log-adjacency-changes all
redistribute isis ip level-2 into level-1 distribute-list 100
passive-interface Loopback0
maximum-paths 1
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 33.33.33.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf solaris
redistribute connected
neighbor 10.23.1.1 remote-as 2
neighbor 10.23.1.1 activate
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf iementor
redistribute connected metric 2
redistribute static metric 2
no auto-summary
no synchronization
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route vrf iementor 1.1.1.0 255.255.255.0 10.13.1.1
!
access-list 100 permit ip any any log
PE3-RACK1#sho ip route vrf solaris
Routing Table: solaris
Gateway of last resort is 10.23.1.1 to network 0.0.0.0
     6.0.0.0/24 is subnetted, 1 subnets
B       6.6.6.0 [200/10] via 10.1.1.4, 00:07:26
     172.16.0.0/24 is subnetted, 1 subnets
B       172.16.60.0 [200/0] via 10.1.1.4, 00:07:40
     10.0.0.0/24 is subnetted, 1 subnets
C       10.23.1.0 is directly connected, Ethernet0/0.23
B*   0.0.0.0/0 [20/0] via 10.23.1.1, 00:45:57
hostname PE1-RACK1
!
no ip domain lookup
!
ip vrf iementor
rd 200:200
route-target export 200:200
route-target import 200:200
!
mpls label protocol tdp
tag-switching tdp router-id Loopback0
!
key chain iementor
key 6727
key-string iementorlab
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
ip pim sparse-dense-mode
!
interface Loopback9
ip address 9.9.9.9 255.255.255.255
!
interface Loopback11
description BGP Loopback
ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/0
description to PE3 VLAN31
ip address 172.16.13.1 255.255.255.0
ip router isis
speed 100
full-duplex
mpls label protocol ldp
tag-switching mtu 9216
tag-switching ip
isis circuit-type level-1
!
interface Serial0/0
description to Inter-AS ASBR1
mtu 17940
no ip address
encapsulation frame-relay
no keepalive
!
interface Serial0/0.101 multipoint
description to Inter-AS ASBR1 ISIS
ip address 172.16.222.1 255.255.255.0
ip router isis
mpls label protocol ldp
tag-switching ip
clns mtu 9216
isis circuit-type level-2-only
isis authentication mode md5 level-2
isis authentication key-chain iementor level-2
no isis hello padding
frame-relay map clns 201 broadcast
frame-relay map ip 172.16.222.1 201 broadcast
frame-relay map ip 172.16.222.2 201 broadcast
no frame-relay inverse-arp
!
interface FastEthernet0/1
description to PE2 VLAN21
ip address 172.16.12.1 255.255.255.0
ip router isis
speed 100
full-duplex
mpls label protocol ldp
tag-switching mtu 9216
tag-switching ip
isis circuit-type level-1
isis network point-to-point
!
interface ATM1/0
no ip address
no atm ilmi-keepalive
!
interface ATM1/0.100 point-to-point
ip vrf forwarding iementor
ip address 140.100.1.2 255.255.255.0
pvc 1/100
protocol ip 140.100.1.1 broadcast
encapsulation aal5snap
!
!
interface ATM1/0.300 tag-switching
ip address 140.100.2.1 255.255.255.0
ip router isis
mpls label protocol tdp
tag-switching atm vp-tunnel 3 vci-range 33-65535
tag-switching ip
!
router eigrp 100
auto-summary
!
address-family ipv4 vrf iementor
network 140.100.1.0 0.0.0.255
no auto-summary
autonomous-system 10
exit-address-family
!
router isis
net 48.0000.0001.0001.00
area-password iementor
authentication mode md5 level-2
authentication key-chain iementor level-2
lsp-refresh-interval 90
no hello padding point-to-point
log-adjacency-changes all
redistribute isis ip level-2 into level-1 distribute-list 100
passive-interface Loopback0
maximum-paths 1
!
router bgp 65001
no synchronization
bgp router-id 10.1.1.1
bgp log-neighbor-changes
network 11.11.11.0 mask 255.255.255.0
network 140.100.1.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 140.100.1.1 remote-as 1540
neighbor 140.100.1.1 description To BB2
neighbor 140.100.1.1 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf iementor
no auto-summary
no synchronization
exit-address-family
!
ip http server
no ip http secure-server
ip classless
ip route 140.100.2.2 255.255.255.255 ATM1/0.300
PE1-RACK1#sho mpls interfaces
Interface              IP            Tunnel   Operational
FastEthernet0/0        Yes (ldp)     Yes      Yes
FastEthernet0/1        Yes (ldp)     Yes      Yes
Serial0/0.101          Yes (ldp)     No       Yes
ATM1/0.300             Yes (tdp)     No       Yes (ATM labels)
PE1-RACK1#sho mpls ldp discovery
Local LDP Identifier:
10.1.1.1:0
Discovery Sources:
Interfaces:
FastEthernet0/0 (ldp): xmit/recv
LDP Id: 10.1.1.3:0
FastEthernet0/1 (ldp): xmit/recv
LDP Id: 10.1.1.2:0
Serial0/0.101 (ldp): xmit/recv
LDP Id: 10.1.1.100:0
ATM1/0.300 (tdp): xmit/recv
TDP Id: 3.3.3.3:1; IP addr: 140.100.2.2
ASBR1-RACK1#sho mpls interfaces
Interface              IP            Tunnel   Operational
Serial0/0              Yes (ldp)     No       Yes
Serial0/1              Yes (ldp)     No       Yes
Serial0/2              Yes (ldp)     No       Yes
ASBR2-RACK1#sho mpls interfaces
Interface              IP            Tunnel   Operational
Ethernet0/0            Yes (ldp)     No       Yes
Serial0/0              Yes (ldp)     No       Yes
Serial0/1              Yes (ldp)     No       Yes
hostname PE4-RACK1
!
ip cef
no ip domain lookup
ip vrf iementor
rd 200:200
route-target export 200:200
route-target import 200:200
!
ip vrf solaris
rd 300:300
route-target export 300:300
route-target import 300:300
!
mpls label protocol tdp
tag-switching tdp router-id Loopback0
!
!
key chain iementor
key 6727
key-string iementorlab
!
interface Loopback0
ip address 10.1.1.4 255.255.255.255
!
interface Loopback4
ip address 44.44.44.44 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.240.4 255.255.255.0
ip router isis
speed 100
full-duplex
mpls label protocol ldp
tag-switching ip
isis circuit-type level-2-only
isis authentication mode md5 level-2
isis authentication key-chain iementor level-2
!
interface FastEthernet0/1
description Trunk 3550
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.300
description to BB3 VLAN 300
encapsulation dot1Q 300
no snmp trap link-status
!
interface FastEthernet0/1.600
description TO svi 3550-CE6 VPN SOLARIS SITE 2
encapsulation dot1Q 600
ip vrf forwarding solaris
ip address 172.16.60.4 255.255.255.0
ip ospf network point-to-point
no snmp trap link-status
!
router ospf 200 vrf solaris
log-adjacency-changes detail
redistribute connected subnets
redistribute bgp 65001 metric 10 metric-type 1 subnets
network 172.16.60.0 0.0.0.255 area 0
default-information originate always
!
router isis
net 48.0000.4002.4002.00
is-type level-2-only
authentication mode md5 level-2
authentication key-chain iementor level-2
passive-interface Loopback0
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf solaris
redistribute ospf 200 metric 10 match internal external 1 external 2
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf iementor
no auto-summary
no synchronization
exit-address-family
PE4-RACK1#sho ip route vrf solaris
Gateway of last resort is 10.1.1.3 to network 0.0.0.0
     6.0.0.0/24 is subnetted, 1 subnets
O       6.6.6.0 [110/2] via 172.16.60.6, 00:11:41, FastEthernet0/1.600
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.60.0 is directly connected, FastEthernet0/1.600
     10.0.0.0/24 is subnetted, 1 subnets
B       10.23.1.0 [200/0] via 10.1.1.3, 00:11:26
B*   0.0.0.0/0 [200/0] via 10.1.1.3, 00:11:26
PE4-RACK1#traceroute 10.1.1.3
Type escape sequence to abort.
Tracing the route to 10.1.1.3
  1 172.16.240.1 [MPLS: Label 26 Exp 0] 36 msec 36 msec 32 msec
  2 172.16.114.1 [MPLS: Label 22 Exp 0] 24 msec 24 msec 24 msec
  3 172.16.222.1 [MPLS: Label 18 Exp 0] 24 msec 28 msec 24 msec
  4 172.16.13.3 16 msec * 16 msec
CE2-RACK1#ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
Task 14.22:
♦ Configure AAA hosting service for the VPN customers
♦ Configure VPN Green to authenticate for Telnet to
172.16.1.254.
♦ Configure VPN Green to send Network/System and Delay Start
in the VRF mode to 172.16.1.254.
♦ All Telnet sessions from PE1 should authenticate to the VPN
Green AAA server.
aaa group server radius aaa-radius
server 172.16.1.254 auth-port 1645 acct-port 1646
ip vrf forwarding green
ip radius source-interface Loopback172
!
aaa authentication login default group aaa-radius
aaa accounting delay-start vrf green
aaa accounting system default vrf green start-stop group aaa-radius
Task 14.23:
♦ Configure group iementor SNMPv3 noauth.
♦ Configure username for group ccieuser with the map to group
ieMentor.
♦ Configure all traps for BGP and config traps to be sent to host
3.3.3.254 in VPN IEMENTOR.
PE3-RACK1(config)#snmp-server group iementor v3 noauth
PE3-RACK1(config)#snmp-server user ccieuser group1 v3
*Mar 9 00:00:38.736: Configuring snmpv3 USM user, persisting
snmpEngineBoots. Please Wait...
PE3-RACK1(config)#snmp-server host 3.3.3.254 vrf iementor version 3
noauth ccieuser
snmp-server group iementor v3 noauth
snmp-server user ccieuser group1 v3
snmp-server host 3.3.3.254 vrf iementor version 3 noauth ccieuser
snmp-server user ccieuser group1 v3
snmp-server group group1 v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group iementor v3 noauth
snmp-server host 3.3.3.254 vrf iementor version 3 noauth ccieuser
Task 14.24:
♦ Configure PE3 to support Multi-VRF with CE2
♦ Configure PE3 such that CE2 can receive routes from VPN Green
without redistribution and without import-export VRF. BGP can be
used as that routing protocol that accomplishes this on CE-PE.
In this task, you are required to make changes on CE2, the 3750 and the 3550. Remember that one is a VTP server and the other a VTP client. We will introduce the new VLAN24 to accommodate Multi-VRF on CE2. The goal is to make CE2 receive multiple VRFs without redistributing or import/exporting routes through the RD:
hostname PE3-RACK1
!
ip cef
!
ip vrf green
rd 100:100
route-target export 100:100
route-target import 100:100
!
ip vrf iementor
rd 200:200
route-target export 200:200
route-target import 200:200
!
ip vrf solaris
rd 300:300
route-target export 300:300
route-target import 300:300
!
interface Ethernet0/0.23
encapsulation dot1Q 23
ip vrf forwarding solaris
ip address 10.23.1.3 255.255.255.0
no snmp trap link-status
!
interface Ethernet0/0.24
encapsulation dot1Q 24
ip vrf forwarding green
ip address 10.24.1.3 255.255.255.0
no snmp trap link-status
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 33.33.33.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf solaris
redistribute connected
neighbor 10.23.1.1 remote-as 2
neighbor 10.23.1.1 activate
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf green
redistribute connected
neighbor 10.24.1.1 remote-as 2
neighbor 10.24.1.1 activate
no auto-summary
no synchronization
exit-address-family
CE2
ip vrf green
rd 100:100
route-target export 100:100
route-target import 100:100
!
ip vrf solaris
rd 300:300
route-target export 300:300
route-target import 300:300
!
interface Loopback122
ip vrf forwarding green
ip address 22.22.22.22 255.255.255.0
!
interface Loopback123
ip vrf forwarding solaris
ip address 23.23.23.23 255.255.255.0
!
interface Ethernet0/0.23
encapsulation dot1Q 23
ip vrf forwarding solaris
ip address 10.23.1.1 255.255.255.0
no snmp trap link-status
!
interface Ethernet0/0.24
encapsulation dot1Q 24
ip vrf forwarding green
ip address 10.24.1.1 255.255.255.0
no snmp trap link-status
router bgp 2
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf solaris
redistribute connected
neighbor 10.23.1.3 remote-as 65001
neighbor 10.23.1.3 activate
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf green
redistribute connected
neighbor 10.24.1.3 remote-as 65001
neighbor 10.24.1.3 activate
no auto-summary
no synchronization
exit-address-family
CE2-RACK1#sho ip bgp vpnv4 all summary
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.23.1.3       4 65001     524     526       53    0    0 08:39:12
10.24.1.3       4 65001     526     526       53    0    0 08:39:19

VPN                   ROUTING        CE
GREEN-SITE1           BGP            CE5
GREEN-SITE2           RIP            CE8
IEMENTOR-SITE1        EIGRP          CE2
IEMENTOR-SITE2        STATIC         CE1
VPN Solaris Site 1    BGP-AS2        CE2
VPN Solaris Site 2    OSPF-AREA 0    CE6
VPN Green Site 3      BGP-AS3        CE7
Task 14.25: Secure routing protocols:
♦ In VPN Green site 1, secure a protocol session with SP1.
♦ In VPN Green site 2, secure a protocol session with SP1.
♦ In VPN IEMENTOR site 1, secure a protocol session with SP1.
♦ In VPN Solaris site 1, secure a protocol session with PE3.
♦ In VPN Solaris site 2, secure a protocol session with PE4.
Here’s the basic password security template for this task.
router bgp XXX
address-family ipv4 vrf xxx
redistribute connected
neighbor X.X.X.X password iementor
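Added illustration (not from the workbook) of what neighbor X.X.X.X password does on the wire: IOS attaches the RFC 2385 TCP MD5 signature option to every segment of the session, and the peer silently drops any segment whose digest does not match. The Python below computes and verifies that digest for a constructed BGP KEEPALIVE from CE2 (10.23.1.1) to PE3 (10.23.1.3) with the workbook's key iementor; the ports, sequence numbers and window are made up.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19   # TCP option kind assigned to the MD5 signature (RFC 2385)
MD5_OPT_LEN = 18    # kind + length + 16-byte digest


def pseudo_header(src_ip: str, dst_ip: str, segment_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP length (header + data)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, segment_len))


def tcp_fixed_header(src_port: int, dst_port: int, seq: int, ack: int,
                     flags: int, window: int, header_words: int) -> bytes:
    """Fixed 20-byte TCP header; checksum and urgent pointer left at zero.
    header_words is the data offset: header length including options, in 32-bit words."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (header_words << 12) | flags, window, 0, 0)


def tcp_md5_digest(src_ip: str, dst_ip: str, fixed_header: bytes,
                   payload: bytes, key: bytes) -> bytes:
    """RFC 2385 digest over pseudo-header, fixed header (checksum zeroed), data and key.
    Because the pseudo-header is included, the signature also binds both addresses."""
    header_words = fixed_header[12] >> 4
    segment_len = header_words * 4 + len(payload)
    zeroed = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    h = hashlib.md5()
    h.update(pseudo_header(src_ip, dst_ip, segment_len))
    h.update(zeroed)
    h.update(payload)
    h.update(key)
    return h.digest()


def sign_segment(src_ip: str, dst_ip: str, fixed_header: bytes,
                 payload: bytes, key: bytes) -> bytes:
    """Sender side: return the TCP options block carrying the signature, NOP-padded to 4 bytes."""
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key)
    return bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"


def verify_segment(src_ip: str, dst_ip: str, fixed_header: bytes,
                   options: bytes, payload: bytes, key: bytes) -> bool:
    """Receiver side: walk the TCP options, find the MD5 option and recompute the digest.
    A signed session drops segments that carry no signature or a wrong one."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(options):          # truncated option
            break
        length = options[i + 1]
        if length < 2:                     # malformed option, stop parsing
            break
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            received = options[i + 2:i + MD5_OPT_LEN]
            expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key)
            return hmac.compare_digest(received, expected)
        i += length
    return False


# Constructed sample: BGP KEEPALIVE (16-byte marker, length 19, type 4) from CE2 to PE3.
# 40-byte TCP header (10 words) leaves room for the 20-byte option block; flags = PSH+ACK.
KEY = b"iementor"
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
HDR = tcp_fixed_header(src_port=45000, dst_port=179, seq=0x1000, ack=0x2000,
                       flags=0x18, window=16384, header_words=10)

if __name__ == "__main__":
    opts = sign_segment("10.23.1.1", "10.23.1.3", HDR, KEEPALIVE, KEY)
    print("genuine segment accepted:", verify_segment("10.23.1.1", "10.23.1.3", HDR, opts, KEEPALIVE, KEY))
    print("wrong key accepted:", verify_segment("10.23.1.1", "10.23.1.3", HDR, opts, KEEPALIVE, b"other"))
    print("spoofed source accepted:", verify_segment("10.23.1.2", "10.23.1.3", HDR, opts, KEEPALIVE, KEY))
```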
Task 14.26: Controlling Internet routes
♦ Configure BB3 as the Internet backbone router.
♦ Configure IP address 13.1.1.1/24 without advertising to VPN
Green.
♦ Configure BB3 such that the rest of VPN Green can reach
13.1.1.1.
♦ One static route is allowed for making this work.
♦ BB3 session must be password-protected.
Configure RR to accept routes from PE4, and also confirm that the ASBRs are passing LDP labels end to end. As soon as BB3 advertises the default route, every site in VPN Green has reachability to BB3 and uses that default route to reach the 13.1.1.1 Loopback, without 13.1.1.1 itself ever being advertised.
router bgp 3
no synchronization
bgp log-neighbor-changes
network 172.16.30.0 mask 255.255.255.0
redistribute connected metric 2
redistribute static metric 2
neighbor 172.16.30.4 remote-as 65001
neighbor 172.16.30.4 default-originate
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Null0