INE Vol 1 - Lab 8 - Extranet

Another fairly easy review. Extranets using their own import/export of route-targets.

So far no notes or configs to put down seeing as I'm flying through the last (or first) 8 labs.

INE Vol 1 - Lab 7 - Central Services

Also, pretty straight forward, a manipulation of route-targets, importing only the route target of the CS vrf and exporting your own route-target.

INE Vol 1 - Lab 1 thru 6

Pretty straight forward, covers CE-PE routing protocols and static routes. Was a very easy review and not much to say.

Review of IPX Vol 1 for CCIE SP.

Pros:

This volume is a great first step into studying for the CCIE SP Lab. It touches on a wide range of topics and it also focuses on the main portion of the Lab, MPLS. For a Volume 1, it's right where a candidate should start out, especially for someone who isn't familiar with what happens in the core of an MPLS network. The Volume has 25 labs, comes with initial configs, diagrams, and final configs and solutions.

Cons:

The volume could have had more detailed solutions and explanations, although I guess it's assumed that the candidate has some prior experience with these topics like MPLS VPNS, it should not assume some of the outliers, like frame-relay dlci switching or pppoe. I would have really liked this lab if the solutions were more detailed and the explanations discussed the reasoning for the technology.

Overall:

This is great first workbook, it gives you the first bite or taste of what to expect but is by no means an all encompassing volume.

IPX Vol 1 - Lab 25 - Adv. Routing

Task 25.1 - ISIS on multipoint Frame Relay (main interface)

Notes: CLNS operation is different from other routing protocols. Rather then being encapsulated into IP, it operates on the data link layer. Since IP is being mapped across frame, CLNS needs to be mapped across frame as well. This is not an issue when using point-to-point subinterfaces because the frame-relay interface-dlci command sends ALL traffic out the DLCI. Remember to include the broadcast key word at the end.

Config:

R6#sh run int s1/0

Building configuration...

Current configuration : 243 bytes

!

interface Serial1/0

ip address 150.50.46.6 255.255.255.0

ip router isis

encapsulation frame-relay

serial restart-delay 0

frame-relay map clns 604 broadcast

frame-relay map ip 150.50.46.4 604 broadcast

no frame-relay inverse-arp

end

R6#

* Of the Advance Routing in this lab, the only place I stumbled was 25.1.

I'll review my notes for this workbook for myself and then I'll write up a review of IPX Vol1 in my next post and where I think it fits into the grand scheme.

IPX Vol 1 - Lab 24 - Multicast VPN

[DOC CD REF] ** This is a good review of Multicast VPN

Note: Referring to the Doc CD, in the IOS I'm currently using (12.4(20T)), it's required that under BGP, I have to configure BGP MDT SAFI, activate neighbors and send-community.

Excerpt:

Configuring the MDT Address Family in BGP for Multicast VPN

Perform this task to configure an MDT address family session on PE routers to establish MDT peering sessions for MVPN.

The mdt keyword has been added to the address-family ipv4 command to configure an MDT address-family session. MDT address-family sessions are used to pass the source PE address and MDT group address to PIM using Border Gateway Protocol (BGP) MDT Subaddress Family Identifier (SAFI) updates.

Config:

router bgp 256

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 200.0.0.5 remote-as 256

neighbor 200.0.0.5 update-source Loopback0

neighbor 200.0.0.6 remote-as 256

neighbor 200.0.0.6 update-source Loopback0

!

address-family ipv4 mdt

neighbor 200.0.0.5 activate

neighbor 200.0.0.5 send-community extended

neighbor 200.0.0.6 activate

neighbor 200.0.0.6 send-community extended

exit-address-family

!

address-family vpnv4

neighbor 200.0.0.5 activate

neighbor 200.0.0.5 send-community extended

neighbor 200.0.0.6 activate

neighbor 200.0.0.6 send-community extended

exit-address-family

!

address-family ipv4 vrf VPNA

redistribute ospf 1 vrf VPNA

no synchronization

exit-address-family

!

Task 24.9 - Configure PIM sparse-mode on PE to PE links and loopbacks, configure SSM for multicast range 239.1.1.0 to 239.1.1.255, configure PIM spare-dense on VPN facing interfaces.

Config:

R2#sh run | sec pim|interface

interface Loopback0

ip address 200.0.0.2 255.255.255.255

ip pim sparse-mode

interface Serial1/0

no ip address

encapsulation frame-relay

serial restart-delay 0

no frame-relay inverse-arp

interface Serial1/0.24 point-to-point

ip vrf forwarding VPNA

ip address 150.50.24.2 255.255.255.252

ip pim sparse-dense-mode

snmp trap link-status

frame-relay interface-dlci 104

interface Serial1/0.25 point-to-point

ip address 150.50.25.2 255.255.255.252

ip router isis

ip pim sparse-mode

snmp trap link-status

mpls ip

frame-relay interface-dlci 105

interface Serial1/0.26 point-to-point

ip address 150.50.26.2 255.255.255.252

ip router isis

ip pim sparse-mode

snmp trap link-status

mpls ip

frame-relay interface-dlci 106

ip pim ssm range 1

ip pim vrf VPNA rp-address 200.0.0.4

R2#

R2#sh run | i access-list

access-list 1 permit 239.1.1.0 0.0.0.255

R2#Sh run | i multicast

ip multicast-routing

ip multicast-routing vrf VPNA

R2#

Task 24.10 - Enable VPNA for Multicast Routing... configure a default MDT and configure an RP address

Notes:

Here you have enable multicast for the VRF under multicast and enable MDT (multicast distribution tree) under the VRF. Finally, for a specific VRF you can specify the rp-address.

Config:

R2#Sh run | i multicast

ip multicast-routing

ip multicast-routing vrf VPNA

R2#

ip vrf VPNA

rd 256:1

route-target export 256:1

route-target import 256:1

mdt default 239.1.1.1

R2#sh run | sec rp-address

ip pim vrf VPNA rp-address 200.0.0.4

R2#

Task 24.11 - Configure PIM Sparse-Dense on SP facing interfaces on R1..., configure R1 to be a member of group 239.2.2.1...

Notes:

This is basic Multicast configurations.

Config:

R1#sh run | i multicast|rp-address|interface|pim|igmp

ip multicast-routing

interface Loopback0

interface FastEthernet0/0

interface FastEthernet1/0

ip pim sparse-dense-mode

ip igmp join-group 239.2.2.1

interface FastEthernet1/1

ip pim rp-address 200.0.0.4

R1#

IPX Vol 1 - Lab 23 - Traffic Policing

Note:

Again, another quick and simple lab on using MQC to police traffic. Supports 2 bucket policing.

IPX Vol 1 - Lab 21 & 22 Congestion Avoidance & Traffic Classification

Notes:

Labs 21 and 22 are quick labs focusing on Congestion Avoidance and Traffic Classification.

Congestion Avoidance = WRED, you can configure WRED directly under the interface or you can be more specific and use MQC to apply WRED to a specific set of traffic.

Traffic Classification can be done a number of ways, PBR, CAR (or Rate-limit), or MQC.

There's not much to say about these labs as they are quick and to the point.

IPX Vol1 - Lab 20 - CAR

Notes:

For the most part this is a review from R&S studies. Whenever I see CAR, I equate that to 'rate-limit'.

A good review would be using the equations to find Tc, Bc, and Be.

Also, using different ACLs to classify, ie standard, extended, mac-address, and using extended ACLs for IP Prec classification is a good review.

[Doc CD Ref]

IPX Vol 1 - Lab 19 - Carrier Supporting Carrier

Notes: This lab is similar in format as Lab 18 in that it tells you what to configure. Not much thought is required.

The overall idea of Carrier Supporting Carrier (CsC) is that you are utilizing another carrier as a backbone network, ie, using their footprint.

Task 19.5 - Configure IPv4 eBGP on R5 and R2... advertise its MPLS label

Config:

R5#sh run | sec bgp

mpls bgp forwarding

router bgp 156

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 150.50.25.2 remote-as 2

neighbor 200.0.0.6 remote-as 156

neighbor 200.0.0.6 update-source Loopback0

!

address-family vpnv4

neighbor 200.0.0.6 activate

neighbor 200.0.0.6 send-community extended

exit-address-family

!

address-family ipv4 vrf CSC

neighbor 150.50.25.2 remote-as 2

neighbor 150.50.25.2 activate

neighbor 150.50.25.2 send-label

no synchronization

exit-address-family

The highlighted config shows using IPv4 eBGP to send mpls labels while the next task simply asks you to configure ldp.

Task 19.6 - Configure OSPF... LDP on the link between R6 and R8

Config:

R6#sh run | sec bgp

redistribute bgp 156 subnets

router bgp 156

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 200.0.0.5 remote-as 156

neighbor 200.0.0.5 update-source Loopback0

!

address-family vpnv4

neighbor 200.0.0.5 activate

neighbor 200.0.0.5 send-community extended

exit-address-family

!

address-family ipv4 vrf CSC

redistribute ospf 1 vrf CSC

no synchronization

exit-address-family

alias exec sb sh ip bgp

alias exec cb clear ip bgp *

R6#sh run int f1/1

Building configuration...

Current configuration : 128 bytes

!

interface FastEthernet1/1

ip vrf forwarding CSC

ip address 150.50.68.6 255.255.255.0

duplex auto

speed auto

mpls ip

end

R6#

Notice there's no bgp peer with R8, hence, no send-label. However, looking at interface Fa1/1, you see that it's in a VRF AND it's using LDP with R8 to send the labels.

IPX Vol 1 - Lab 18 - Inter AS VPNs

Notes: Regarding this lab, it's pretty straight forward when you are basically configuring what the task tells you to configure. The problem is, that it's too obvious and doesn't require a lot of thought.

There are 2 different ASes that eBGP peer between the PEs. The important thing to remember here is under ipv4 eBGP neighbor statements to "send-label". Also remember the use of "next-hop-self" for reachability into the other AS and "next-hop-unchanged" when receiving routes from the other AS for the CEs.

One other thing to personally note. Task 18.8 uses EIGRP as the CE-PE protocol, I tend to forget to state the "autonomous-system", if you don't it wont peer.

-- Also, the lab doesn't state that you should import the route-target of the other AS' routes but you can do so to test that the CE in one AS is receiving the routes advertised by the CE in the other AS and vice versa.

IPX Vol1 - Lab 17 - MPLS VPN

Pretty basic configurations, some route-target import and export understanding is required. No issues to report.

IPX Vol 1 - Lab 16 - MP-BGP

Task 16.10 - Using VRF Export maps to change the route-target.

Notes: In order to change the route-target of prefixs coming in, create a route-map setting the extcommunity rt to the new rt. Then under the vrf use "export map ", don't apply the route-map to the neighbor.

Config:

ip vrf RED

rd 100:1

export map RT

route-target export 100:1

route-target import 100:1

!

ip prefix-list 100 seq 5 permit 100.100.100.0/24

!

ip prefix-list 200 seq 5 permit 100.100.200.0/24

logging alarm informational

!

route-map RT permit 20

match ip address prefix-list 100

set extcommunity rt 100:100

!

route-map RT permit 30

match ip address prefix-list 200

set extcommunity rt 100:200

!

route-map RT permit 40

set extcommunity rt 100:1

!

Lab 15 - Review this lab.

Marked as a lab to revisit.

IPX Vol 1 - Lab 15 - L2 VPN

Task 15.2 - Configure Frame-Relay DLCI-to-DLCI switching on R4 and R5...

Notes: Remember that the "ip local interface..." needs to be reachable, ie, make sure it's in OSPF in this case.

Also keep in mind that L2TPv3 is found on the Doc CD under 12.4 WAN.

Config:

R4

R4#sh run | sec pseudo

pseudowire-class MYWIRE

encapsulation l2tpv3

ip local interface Loopback0

R4#sh run int s1/0

Building configuration...

Current configuration : 162 bytes

!

interface Serial1/0

no ip address

encapsulation frame-relay

serial restart-delay 0

frame-relay interface-dlci 402 switched

no frame-relay inverse-arp

end

R4#sh run | sec connect

connect R6_R2 Serial1/0 402 l2transport

xconnect 200.0.0.5 5544 pw-class MYWIRE

!

R4#sh run | sec ospf

router ospf 1

log-adjacency-changes

network 150.50.45.1 0.0.0.0 area 0

network 200.0.0.4 0.0.0.0 area 0

Verification:

R4#show l2tun session brief

L2TP Session Information Total tunnels 1 sessions 1

LocID TunID Peer-address State Username, Intf/

sess/cir Vcid, Circuit

19171 43255 200.0.0.5 est,UP 5544, Se1/0:402

R4#show l2tun session

L2TP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID

Vcid, Circuit

19171 48468 43255 5544, Se1/0:402 est 00:05:20 1

R4#

R5

R5#

R5#sh run | sec pseudo

pseudowire-class MYWIRE

encapsulation l2tpv3

ip local interface Loopback0

R5#sh run int s1/0

Building configuration...

Current configuration : 162 bytes

!

interface Serial1/0

no ip address

encapsulation frame-relay

serial restart-delay 0

frame-relay interface-dlci 506 switched

no frame-relay inverse-arp

end

R5#sh run | sec connect

connect R6_R2 Serial1/0 506 l2transport

xconnect 200.0.0.4 5544 pw-class MYWIRE

!

R5#sh run | sec ospf

router ospf 1

log-adjacency-changes

network 150.50.0.0 0.0.255.255 area 0

network 200.0.0.5 0.0.0.0 area 0

[DOC CD Ref]

[DOC CD Ref 2]

Task 15.3 - Q-in-Q Tunneling on Cat switches

Don't have switches right now.

Task 15.4 - Ethernet L2TPv3 on R1 and R4...

Notes: Same as 15.2, remember to advertise the loopback interface if you're using it in the pseudowire-class. Also, for Ethernet, you can make an xconnect statement right under the FE interface, rather then making a global connect statement

Config:

R1

!

pseudowire-class MYWIRE

encapsulation l2tpv3

ip local interface Loopback0

!

!

!

!

!

interface Loopback0

ip address 200.0.0.1 255.255.255.255

!

interface FastEthernet1/0

no ip address

duplex auto

speed auto

xconnect 200.0.0.4 1144 pw-class MYWIRE

!

[Doc CD Ref]

Task 15.6 PPPoE

Notes: When you configure PPPoE, one side is the PPPoE client and the other side, the server. Configurations are different.

Configs:

R7 - Client Side

!

interface FastEthernet1/0

no ip address

duplex auto

speed auto

pppoe enable

pppoe-client dial-pool-number 1

!

interface Dialer1

ip address negotiated

encapsulation ppp

dialer pool 1

!

R9 - Server Side

!

bba-group pppoe global

virtual-template 1

!

interface FastEthernet1/0

no ip address

duplex auto

speed auto

pppoe enable group global

!

interface Virtual-Template1

ip address 150.50.79.9 255.255.255.0

peer default ip address pool R7

!

ip local pool R7 150.50.79.7

[Can't find Doc CD Ref]

IPX Vol 1 - Lab 14 - HSRP & VRRP

Very simple lab on HSRP and VRRP. There were 2 tasks with a few sub task, took about 10 to 15 minutes to accomplish.

Note to self, can skip this one next time.

IPX Vol 1 - Lab 13 - QoS

This lab focuses on QoS, including MQC, Rate-limit, Multicast Rate-limit, WFQ, and WRED.

Here are some things that I need to watch out for.

Task 13.4 and 13.5 - Generic Traffic Shaping

This task specifically says to configure GTS for Frame Relay. In order to configure GTS for FR, you need ACLs to classify traffic, and then under the interface use the "traffic-shape" command.

And to verify, see below.

Config:

R4#

R4#sh run | sec access-list

access-list 101 permit tcp any any eq telnet

access-list 101 permit tcp any eq telnet any

access-list 101 permit icmp any any

access-list 102 permit tcp any any eq ftp

access-list 102 permit tcp any eq ftp any

access-list 103 permit ip any any

alias exec sa sh access-list

R4#

R4#

R4#sh run int s1/0.24

Building configuration...

Current configuration : 294 bytes

!

interface Serial1/0.24 point-to-point

bandwidth 64

ip address 150.50.24.1 255.255.255.252

snmp trap link-status

traffic-shape group 101 9600 7968 7968 1000

traffic-shape group 102 32000 8000 8000 1000

traffic-shape group 103 22400 7952 7952 1000

frame-relay interface-dlci 401

end

R4#

R4#sh traffic-shape s1/0.24

Interface Se1/0.24

Access Target Byte Sustain Excess Interval Increment Adapt

VC List Rate Limit bits/int bits/int (ms) (bytes) Active

- 101 9600 1992 7968 7968 885 996 -

- 102 32000 2000 8000 8000 250 1000 -

- 103 22400 1988 7952 7952 361 994 -

R4#

Also, in order to configure Adaptive GTS

Config:

R5#

R5#sh run int s1/0.56

Building configuration...

Current configuration : 240 bytes

!

interface Serial1/0.56 point-to-point

ip address 150.50.56.1 255.255.255.252

snmp trap link-status

traffic-shape rate 64000 8000 8000 1000

traffic-shape adaptive 32000

traffic-shape fecn-adapt

frame-relay interface-dlci 506

end

R5#

[Doc CD Reference]

Task 13.7 - CAR

Remember, when a task says CAR, use the rate-limit command. Using ACLs to classify traffic and then combining it with the interface rate-limit command and the direction you can accomplish a single bucket policing.

Task 13.8 - Multicast Rate-limit

This tasks ask you to rate limit the incoming multicast traffic from a range of multicast groups,

226.0.0.1 to 226.0.0.126.

Config:

#sh run int f1/0

Building configuration...

Current configuration : 142 bytes

!

interface FastEthernet1/0

ip address 150.50.12.1 255.255.255.0

ip multicast rate-limit in group-list 25 512

duplex auto

speed auto

end

R1#sh run | sec access-list

access-list 25 deny 226.0.0.127

access-list 25 deny 226.0.0.0

access-list 25 permit 226.0.0.0 0.0.0.127

alias exec sa sh access-list

R1#

[Doc CD Reference]

Passed the SP written.

Took and passed the written.

Now back to doing the labs.

IPX Vol 1 - Lab 12 - Security

Lab 12 deals with Security in a very broad manner. Securing BGP, IGPs, Interfaces, logging, SNMP, NTP, anti-spoofing, Management security, and disabling unnecessary services.

Let's break it down...

12.1 - Accepting a limited amount of BGP prefixes from a neighbor

#neighbor 1.2.3.4 max-prefix 125000

12.2 - Securing BGP, on the destination router, create an ACL to allow the neighbor/source to create a TCP connection on port 179 to the destination router. Allow both sourcing from tcp 179 and destined to 179 on the destination router, then deny any to port 179 and finally permit tcp any and ip any.

12.3 - (a) Advertise a default route to neighbor #nieghbor 1.2.3.4 default-information originate.

Then configure the neighbor to only receive a default route via a prefix-list (0.0.0.0/0).

(b) RFC 1918 prefix-list should look like:

#ip prefix-list RFC1918 permit 10.0.0.0/8 le 32

#ip prefix-list RFC1918 permit 192.168.0.0/16 le 32

#ip prefix-list RFC1918 permit 172.16.0.0/12 le 32

Don't forget the le 32 since subnets of each of these ranges are still RFC1918.

(c) ORF - BGP outbound route filter is used to send a prefix-list upstream so that the filter happens there instead of after getting all the BGP prefixs and then having to filter locally. Saves resources.

#neighbor 1.2.3.4 capability orf prefix-list send

12.4 and 12.5 are OSPF and EIGRP authentication, EIGRP everything is done on the interface while OSPF area authentication is done in the area and then on the interfaces in that area.

12.6 - Anti-Spoofing

(a) to prevent spoofing configure uRPF under an interface.

#ip verify unicast source reachable-via rx allow-default

(b) uRPF in loose mode the router will drop the packet if the route for the source is via a null interface. Configured the same was as (a) plus the routes pointing to null0

(c) using an ACL to block spoofing. Create a standard ACL denying the subnets/hosts in your internal network, then apply inbound on the ingress interface.

(d) redundant

(e) configure ip accounting.

#interface s0/1.26

#ip accounting access-violations

12.7 - Logging - straight forward with the exception of Core dumps. Remember the key work "exception" to configure core dump file name, protocol, and IP addy of the dump server.

12.8 - Interactive Access

(d) SSH server - don't forget to configure a domain-name, crypto key generate rsa, and AAA if necessary.

This section was long and there are definitely some things I knew at one point but have forgotten. Good to review and to deep dive via Narbik's books.

IPX Vol 1 - Lab 11- Traffic Engineering (TE)

This is a straight forward one. TE tunnels are unidirectional, therefore, if you want bidirectional traffic between 2 end points to flow through a certain path, that means 2 tunnels. This task asks the student to prep the topology for MPLS TE, create the TE tunnels (one dynamic path and one explicit path), and verify.

Points to remember:

*prerequisiste: mpls and cef are enabled globally and on the interfaces

1. Must enable TE globally on a router

R1(config)#mpls traffic-eng tunnel

#mpls ldp router-id l0 - This is important as it will be used when creating a TE tunnel as a tunnel destination

2. Must configure TE for the routing protocol (OSPF or ISIS)

R1(config)#router os 1

#mpls traffic-eng router-id l0

#mpls traffic-eng area 0

3. Configure RSVP on the interfaces

R1(config)#interface f1/0

#ip rsvp bandwidth 75000 100 - By default the router will reserve 75% of max-reserveable bandwidth, if not defined

4. Interfaces must support traffice engineering

R1(config)#interface f1/0

#mpls traffic-eng tun

5. If using explicit path

R1(config)#ip explicit-path name ABC

#next-address 1.2.3.4 - the ip is the inbound interface of the next-hop router

#next-address .... - list all the inbound interfaces in order including the destination router

6. Create a tunnel interface

R1(config)#int tun0

#ip unnumber l0

#tun destination 200.0.0.6

#tunn mode mpls traffic-eng

#tun mpls traffic-eng path-option 1 explict name ABC

#tun mpls traffic-eng path-option 2 dynamic

#tun mpls traffic-eng autoroute announce

#tun mpls traffic band 100

There are a few things to remember here, ip addy, tunnel destination, tunnel mode, path options. The autoroute announce is used so that traffic can be forwarded on to the tunnel, it specifies that the IGP (in this case ospf) should use the tunnel when calculating SPF.

7. Specify tunnel priorities for setup and hold (lower is better)

R1(config)#int tun 0

#tunn mpls traffic prio 7 7

IPX Vol 1 - Lab 10 - Multicast

This one was a little jacked up. It started out fine but then towards the end, it went to pieces.

A few things to remember:

- multicast groups 224.0.1.39 and 224.0.1.40 are used for RP announce and discovery respectively.

- ip pim autorp listener used for sparse mode interfaces/routers so that they can receive the rp announce info in dense mode.

- I need to brush up on 10.5 - For BSR, using ip pim bsr-border will ensure dynamic RP announcements from one AS aren't propagated to the neighboring AS. For AutoRP, set up a filter to block traffic e for 224.0.1.39 and .40 and apply the filter with a multicast boundry, ie,

#int s1/0.26

#ip pim sparse-mode

#ip multicast boundary 24

#access-list 24 deny 224.0.1.39

#access-list 24 deny 224.0.1.40

#access-list 24 permit 224.0.0.0 0.15.255.255

IPX Vol 1 - Lab 9 - MPLS

Pretty straight forward for me now, nothing that I stumbled on. Just a few things that can escape you if you don't keep them in the back of your mind.

1. CEF - required to be on the routers to support MPLS
2. #no bgp default ipv4-unicast - used to disable the default behavior of putting "unspecified" commands into the AFI ipv4 unicast. This means, you have to manually go into the AFI and make your configurations.

3. If you don't advertise the WAN link then you have to source your pings from the loopback because there's no route back, since it's not being advertised.

4. BGP Next Hop Self - know when and why you need it.

Most of this is stuff I know but can forget if rushed :)

IPX Vol 1 - Lab 8 - MBGP

Task 8.3 - BGP Dampening.

- Remember that BGP dampening is under the address-family as "bgp dampening route-map ABC" and not a applied to a neighbor.

- To verify, show ip bgp dampening parameters

Restarting... again.

It's been awhile since I've hit the workbooks and it's never good to stop in the middle of something, progress becomes hindered.

I'm back to studying for the CCIE SP lab and this time I'm taking it more seriously.

New Plan!

IPX Vol1 workbook
INE Vol1 workbook

And then assess and make more plans.