IPexpert's CCIE R&S (v5) Mock Lab Workbook (Vol. 2) Lab 5 DSG

July 29, 2017 | Author: veracespedes | Category: Ip Address, License, Router (Computing), Implied Warranty, Copyright

CCIE Routing & Switching Volume 2 Detailed Solution Guide Lab 5 Version 5.1B

iPexpert's Detailed Solution Guide for Cisco's CCIE Routing and Switching Lab Exam, Volume 2, Lab 5

Table of Contents

Lab 5: Troubleshooting Section :: Detailed Solutions
    Detailed Solution Guide
    General Rules
    Pre-Setup
    Incident 1
    Incident 2
    Incident 3
    Incident 4
    Incident 5
    Incident 6
    Incident 7
    Incident 8
    Incident 9
    Incident 10
Lab 5: Diagnostic Section :: Detailed Solutions
    Detailed Solution Guide
    General Rules
    Ticket 1
    Ticket 2
    Ticket 3
Lab 5: Configuration Section :: Detailed Solutions
    Detailed Solution Guide
    General Rules
    Pre-Setup
    Section 1.0: Layer 2 Technologies
    Section 2.0: IP Routing
    Section 3.0: IPv4 VPN Technology
    Section 4.0: IP Security
    Section 5.0: Infrastructure Services
Technical Verification and Support


iPexpert's End-User License Agreement END USER LICENSE FOR ONE (1) PERSON ONLY IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS. This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions. The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License. Copyright and Proprietary Rights The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT. The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. 
You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT. You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity. Exclusions of Warranties THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state. Choice of Law and Jurisdiction This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect. 
Limitation of Claims and Liability ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR’S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER. Entire Agreement This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement. IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.


Welcome, and Thank You! On behalf of the entire iPexpert team, I'd personally like to thank you for putting your greatest certification journey in our hands, and trusting us to deliver cutting-edge training to help you accomplish this goal. Although there is no way to guarantee a 100% pass rate on the CCIE Lab, my team and I feel extremely confident that your chances of passing will improve dramatically with the use of our training materials. -Respectfully, Wayne A. Lawson II, CCIE #5244 (Emeritus) / Founder & CEO - iPexpert, Inc.

Feedback At iPexpert, we value the feedback (both positive and constructive) offered by our clientele. Our dedication to offering the best tools and content to help students succeed could not be possible without your comments and suggestions. Your feedback is what continually keeps us enhancing our product portfolio, and it is greatly appreciated. If there is anything you'd like us to know, please do so via the [email protected] alias. In addition, when you pass your CCIE Lab exam, we want to hear about it! Please email your Full Name (used in the CCIE Verification Tool), CCIE number and the track to [email protected] and let us know how iPexpert played a role in your success. We would like to be sure you're welcomed into the "CCIE Club" appropriately, by sending you a gift for your accomplishment.

Technical Support and Freebies To conclude, we are also proud to lead the industry with multiple support options at your disposal, free of charge. Our online support community has attracted a membership of your peers from around the world, and is monitored on a daily basis by our instructors and our students. We also consistently publish technical articles / papers on our blog. You can also follow up on Facebook, Twitter, LinkedIn, Google+ and YouTube for more in-depth discussion on current industry trends and CCIE preparation tips. Lastly, referrals are very important to us. It tells us that 1) you like, value, and approve of our training and 2) it helps us to continue to grow as a company. If you have any of your peers who you feel will value the use of any of our training materials, please send us their name, email address, telephone number and what certification and track you feel that they're interested in. If your referral makes a purchase, we will provide you with in-house credit that can be used at any time. If your referrals exceed a certain threshold, we will also include a gift card of your choice (either an American Express or Amazon gift card).

How to Use This Lab Preparation Workbook In 2014 Cisco announced a new CCIE Routing and Switching blueprint for their V5 version of the Lab exam. This change was one of the biggest changes we've seen over the 14 years since we've been delivering cutting-edge CCIE training materials. The changes consisted of a modification of the lab structure to now include:

• A restructure of the way the lab is delivered. You will first have to complete a Troubleshooting section where you'll have access to the rack that Cisco provides you to do so. The next section consists of the Diagnostics section, which is done without access to your rack. The third section is the Configuration section, which is the actual "lab" that most people focus on, and have been primarily concerned about in the past. With this new lab structure, it's VERY IMPORTANT that you are well prepared for all three Sections of the lab exam. At any point, you could fail the lab exam if you don't receive enough points in 1 of the 3 sections.

• Cisco has also made a drastic change in the topology that you'll be given. It's common knowledge at the time of this book's publication that the topology you're given has gone from their previous 6 to 8 router / 4 switch topology (seen in the labs previous to V4), to a topology that could potentially consist of up to 40 routers and 8 switches. It's imperative that you work through practice scenarios on a large topology so you're familiar with the intricacies and technological specifics that can be introduced with a topology that large.

• Cisco has also changed their retake policy, which now requires their CCIE candidates to wait longer durations before their next attempt(s). Below we have listed Cisco's new policy.

• And, finally, Cisco has created this impressive blueprint and broken it into sections. Cisco provides you with the 5 section titles and the number of points so you're able to understand how their grading works and how much focus and attention is placed on that various section. The primary section outline is provided below; however, we have not provided all of the topics and subtopics that Cisco has provided. We recommend that you reference Cisco's website URL which provides these details for the Routing and Switching V5 Lab - which will require you to have a CCO and Cisco Learning Network login prior to being given access. That URL was found here at the date of this book's publication.


Cisco's New Retake Policy

Cisco R&S V5 Blueprint (Primary Sections w/ Assigned Point Values)

• Layer 2 Technologies: 20%
• Layer 3 Technologies: 40%
• VPN Technologies: 20%
• Infrastructure Security: 5%
• Infrastructure Services: 15%

How to Use This Lab Preparation Workbook Throughout this workbook, you'll be asked to reference various diagrams and to pre-load configurations. These pre-loaded configurations will be automatically loaded when you're utilizing our online rack rental solution. All diagrams are provided in a .zip file that's accessed when you're logged into your iPexpert's Member's Area. If you're asked to reference a table, it will be located within this actual workbook, unless otherwise noted.

Additional Information Pertaining to Cisco's CCIE R&S Lab Exam NOTE The following information has been obtained from Cisco's Learning Network. We are not affiliated with, or endorsed in any way by Cisco.

About the CCIE Lab Exam The CCIE Lab Exam is an eight-hour, hands-on exam, which requires you to configure and troubleshoot a series of complex networks to given specifications. Knowledge of troubleshooting is an important skill and candidates are expected to diagnose and solve issues as part of the CCIE lab exam. You will not configure end-user systems, but are responsible for all devices residing in the network (hubs, etc.). Point values and testing criteria are provided. More detail is found on the Routing and Switching Lab Exam Blueprint and the list of Lab Equipment and IOS Versions.

Cost The Lab Exam cost does not include travel and lodging expenses. Costs may vary due to exchange rates and local taxes (VAT, GST). You are responsible for any fees your financial institution charges to complete the payment transaction. Price not confirmed and is subject to change until full payment is made. For more information on the Lab Exam Registration please reference the Take Your Lab Exam tab.

Lab Environment The Cisco documentation is available in the lab room, but the exam assumes knowledge of the more common protocols and technologies. The documentation can be navigated using the index. No outside reference materials are permitted in the lab room. You must report any suspected equipment issues to the proctor during the exam; adjustments cannot be made once the exam is over.

Lab Exam Grading The labs are graded by proctors, who ensure that all the criteria have been met. They will use automatic tools to gather data from the routers in order to perform preliminary evaluations. Candidates must reach a minimum threshold in all three sections and achieve an overall passing score.

Lab Format The CCIE Routing and Switching Lab exam consists of a 2-hour Troubleshooting section, a 30-minute Diagnostic section, and a 5 hour Configuration section. Candidates may choose to borrow up to 30 minutes from the Configuration section and use it in the Troubleshooting section.

Results You can review your lab exam results online (login required), usually within 48 hours. Results are Pass/Fail and failing score reports indicate major topic areas where additional study and preparation may be useful.

Reevaluation of Lab Results A Reread involves having a second proctor load your configurations into a rack to re-create the test and re-score the entire exam. Rereads are available for the Routing and Switching, and Service Provider technology tracks. A Review involves having a second proctor verify your answers and any applicable system-generated debug data saved from your exam. Reviews are available for all other tracks.

Payment Terms Make your request within 14 days following your exam date by using the "Request for Reread" link next to your lab record. A Reread costs $1000.00 USD and a Review costs $400.00 USD. Payment is made online via credit card and your Reread or Review will be initiated upon successful payment. You may not cancel the appeal request once the process has been initiated. Refunds are given only when results change from fail to pass.

Troubleshooting The CCIE Routing and Switching Lab exam features a 2-hour troubleshooting section. Candidates will be presented with a series of trouble tickets for preconfigured networks and need to diagnose and resolve the network fault or faults. As with the configuration section, the network must be up and running for a candidate to receive credit. Candidates who finish the troubleshooting section early may proceed on to the diagnostic section, but they will not be allowed to go back to troubleshooting.

NOTE This concludes any referenced content seen or found on Cisco's Learning Network.


Lab 5: Troubleshooting Section :: Detailed Solutions Detailed Solution Guide This part of the material is designed to provide our students with the exact commands to use, when to use them, and also the various show commands that will allow you to understand what you're looking for. In addition, the instructor has provided some detail as to why the various solutions have been used versus another potential command set that would have accomplished the same outcome.

General Rules

• You may modify, but not delete or remove any prefix-lists, route-maps, or access-lists.
• Do not modify any IP addressing on any interfaces.
• The BB routers are not accessible.
• All routers have an interface loopback 0 with the address 10.x.x.x, where x is the router number. ISP routers have a loopback address of 10.10x.10x.10x. BB routers have a loopback address of 100.x.x.x. Switches have loopback addresses of 172.xx.xx.xx.
• MPLS routers have a loopback address of 10.x.x.x /32.
• Static/default routes are NOT allowed unless otherwise stated in the task.
• Save your configurations often.


Pre-Setup Please login to your vRack and load the initial Configuration. This lab is intended to be used with online rack access. Connect to the terminal server and complete the troubleshooting tasks as detailed below.


Diagram 5.1


Diagram 5.2


Diagram 5.3


Diagram 5.4


Incident 1

(3 points)

• Users from remote branch-1 have lost connectivity to the IPexpert HQ office.
• The users mentioned that they can still reach the other remote branches.
• Fix the issues so that remote branch-1 can reach the HQ and all the remote branches, the outputs should match the output below:


R24

R24#sh ip route eigrp
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D EX     10.4.4.0/24 [170/542771200] via 192.168.24.6, 03:11:05, Serial2/0
D        10.13.13.0/24 [90/27008000] via 40.40.40.13, 00:00:16, Tunnel66
D        10.15.15.0/24 [90/27033600] via 40.40.40.13, 00:00:16, Tunnel66
D EX     10.23.23.0/24 [170/28288000] via 40.40.40.23, 00:00:09, Tunnel66
D EX     10.25.25.0/24 [170/28288000] via 40.40.40.25, 00:00:09, Tunnel66
      172.5.0.0/24 is subnetted, 1 subnets
D        172.5.5.0 [90/27033600] via 40.40.40.13, 00:00:16, Tunnel66
      172.16.0.0/24 is subnetted, 4 subnets
D        172.16.200.0 [90/26905856] via 40.40.40.13, 00:00:16, Tunnel66
D        172.16.214.0 [90/26905600] via 40.40.40.13, 00:00:16, Tunnel66
D        172.16.215.0 [90/26905600] via 40.40.40.13, 00:00:16, Tunnel66
D        172.16.216.0 [90/26931200] via 40.40.40.13, 00:00:16, Tunnel66
D EX  192.168.0.0/16 [170/542771200] via 192.168.24.6, 03:11:05, Serial2/0
D     192.168.13.0/24 [90/34036062] via 192.168.24.6, 03:11:05, Serial2/0
D     192.168.15.0/24 [90/27417600] via 40.40.40.13, 00:00:16, Tunnel66
D     192.168.23.0/24 [90/44276062] via 192.168.24.6, 03:11:05, Serial2/0
D     192.168.25.0/24 [90/23796062] via 192.168.24.6, 03:11:05, Serial2/0
D     192.168.74.0/24 [90/34036062] via 192.168.24.6, 03:11:05, Serial2/0
D     192.168.76.0/24 [90/23796062] via 192.168.24.6, 03:11:05, Serial2/0

R24#traceroute 10.23.23.23
Type escape sequence to abort.
Tracing the route to 10.23.23.23
VRF info: (vrf in name/id, vrf out name/id)
  1 40.40.40.23 37 msec 37 msec *


Solution First, start out by going to R24 and looking at the routing table:

R24

R24#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.24.24.0/24 is directly connected, Loopback0
L        10.24.24.24/32 is directly connected, Loopback0
      40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        40.40.40.0/24 is directly connected, Tunnel66
L        40.40.40.24/32 is directly connected, Tunnel66
D EX  192.168.0.0/16 [170/542771200] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.13.0/24 [90/34036062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.15.0/24 [90/34036062] via 192.168.24.6, 5d22h, Serial2/0
D     192.168.23.0/24 [90/44276062] via 192.168.24.6, 2w0d, Serial2/0
      192.168.24.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.24.0/24 is directly connected, Serial2/0
L        192.168.24.24/32 is directly connected, Serial2/0
D     192.168.25.0/24 [90/23796062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.74.0/24 [90/34036062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.76.0/24 [90/23796062] via 192.168.24.6, 2w0d, Serial2/0

At this point, we can see that there are no routes being learned via EIGRP pointing to the tunnel interface. Next we will go and verify the DMVPN tunnel status:

R24

R24#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
========================================================================

Interface: Tunnel66, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.13.13       40.40.40.13   IKE 00:00:30     S

At this point, the issue in the incident has been identified: it seems we are having an IKE issue. This leads us to verify the ISAKMP (IKE Phase 1) status:

R24

R24#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.13.13   192.168.24.24   MM_NO_STATE          0 ACTIVE
192.168.13.13   192.168.24.24   MM_NO_STATE          0 ACTIVE (deleted)

The ISAKMP status of "MM_NO_STATE" indicates that the ISAKMP SA has been created but nothing else has happened yet, indicating we might have some sort of connectivity issue. Let's verify basic connectivity between R24 and the HUB router R13:

R24

R24#ping 192.168.13.13 source s2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.13, timeout is 2 seconds:
Packet sent with a source address of 192.168.24.24
.....
Success rate is 0 percent (0/5)

R24#traceroute 192.168.13.13 numeric source s2/0
Type escape sequence to abort.
Tracing the route to 192.168.13.13
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.24.6 9 msec 9 msec 9 msec
  2  *  *  *
  3  *  *  *

We have successfully identified a connectivity issue: the trace stops at the ISP6 router, so there may be an issue on ISP6. We shall now go over to ISP6 and verify the configurations, starting with the NAT configurations, since the diagram indicates NAT is enabled on the ISP6 router.

ISP6

ISP6#show ip nat statistics
Total active translations: 8 (2 static, 6 dynamic; 8 extended)
Peak translations: 30, occurred 00:01:27 ago
Outside interfaces:
  Serial4/0
Inside interfaces:
  Serial2/1
Hits: 305173  Misses: 0
CEF Translated packets: 304516, CEF Punted packets: 480
Expired translations: 59
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 interface Serial4/0 refcount 6

ISP6#sh ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
icmp 192.168.76.6:4      192.168.24.24:4     192.168.13.13:4     192.168.13.13:4
udp  192.168.76.6:500    192.168.24.24:500   192.168.13.13:500   192.168.13.13:500
udp  192.168.76.6:500    192.168.24.24:500   192.168.13.13:500   192.168.13.13:500
udp  192.168.76.6:500    192.168.24.24:500   192.168.13.13:500   192.168.13.13:500
udp  192.168.76.6:500    192.168.24.24:500   192.168.13.13:500   192.168.13.13:500
udp  192.168.76.6:500    192.168.24.24:500   192.168.13.13:500   192.168.13.13:500
udp  192.168.24.24:500   192.168.76.6:500    ---                 ---
udp  192.168.24.24:4500  192.168.76.6:4500   ---                 ---

We now see that there are 2 static and 6 dynamic translations. Looking at the active sessions, we can immediately notice that the last two lines indicate that we might have a wrong NAT mapping.

ISP6

ISP6#sh run | include nat|interface
interface Loopback0
…
interface Ethernet1/0
interface Ethernet1/1
interface Ethernet1/2
interface Ethernet1/3
interface Serial2/0
interface Serial2/1
 ip nat inside
interface Serial4/0
 ip nat outside
ip nat inside source list 100 interface Serial4/0 overload
ip nat inside source static udp 192.168.76.6 500 192.168.24.24 500 extendable
ip nat inside source static udp 192.168.76.6 4500 192.168.24.24 4500 extendable

At this point, we can clearly see that the mapping is reversed: 192.168.24.24 should be the inside local and 192.168.76.6 should be the inside global. Modify the NAT configuration and verify again:


ISP6
ISP6(config)#no ip nat inside source static udp 192.168.76.6 500 192.168.24.24 500 extendable
ISP6(config)#no ip nat inside source static udp 192.168.76.6 4500 192.168.24.24 4500 extendable
ISP6(config)#ip nat inside source static udp 192.168.24.24 500 192.168.76.6 500 extendable
ISP6(config)#ip nat inside source static udp 192.168.24.24 4500 192.168.76.6 4500 extendable
ISP6(config)#do sh ip nat translations
Pro Inside global       Inside local        Outside local       Outside global
udp 192.168.76.6:500    192.168.24.24:500   192.168.13.13:500   192.168.13.13:500
udp 192.168.76.6:500    192.168.24.24:500   ---                 ---
udp 192.168.76.6:4500   192.168.24.24:4500  192.168.13.13:4500  192.168.13.13:4500
udp 192.168.76.6:4500   192.168.24.24:4500  ---                 ---
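The reversed-mapping check done by eye above can be automated. The following is an added example, not part of the original guide: it parses "show ip nat translations" output and flags static entries whose inside local/inside global pair is the mirror image of a pair seen in live dynamic sessions. The function names are hypothetical and the sample table is constructed from rows of the first output above.

```python
# Constructed sample: one dynamic session plus the two static entries, as seen
# in the first "show ip nat translations" output (before the fix).
SAMPLE_TABLE = """\
Pro Inside global       Inside local        Outside local       Outside global
udp 192.168.76.6:500    192.168.24.24:500   192.168.13.13:500   192.168.13.13:500
udp 192.168.24.24:500   192.168.76.6:500    ---                 ---
udp 192.168.24.24:4500  192.168.76.6:4500   ---                 ---
"""


def split_endpoint(value):
    """Split 'a.b.c.d:port' into (ip, port). Port is None when absent."""
    ip, _, port = value.partition(":")
    return ip, (int(port) if port else None)


def parse_translations(text):
    """Return one dict per translation row; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].lower() == "pro":
            continue
        proto, in_global, in_local, out_local, out_global = fields
        rows.append({
            "proto": proto,
            "inside_global": split_endpoint(in_global),
            "inside_local": split_endpoint(in_local),
            # Static entries carry no outside addresses.
            "static": out_local == "---" and out_global == "---",
        })
    return rows


def find_reversed_statics(rows):
    """Static rows whose (local, global) IPs are swapped relative to a
    (local, global) pair that dynamic sessions are actually using."""
    live_pairs = {
        (r["inside_local"][0], r["inside_global"][0])
        for r in rows if not r["static"]
    }
    flagged = []
    for r in rows:
        if not r["static"]:
            continue
        local_ip, global_ip = r["inside_local"][0], r["inside_global"][0]
        if (global_ip, local_ip) in live_pairs:
            flagged.append(r)
    return flagged


def corrected_commands(flagged):
    """Build the IOS static NAT lines with local and global swapped back."""
    commands = []
    for r in flagged:
        (local_ip, local_port) = r["inside_local"]
        (global_ip, global_port) = r["inside_global"]
        commands.append(
            f"no ip nat inside source static {r['proto']} "
            f"{local_ip} {local_port} {global_ip} {global_port} extendable"
        )
        commands.append(
            f"ip nat inside source static {r['proto']} "
            f"{global_ip} {global_port} {local_ip} {local_port} extendable"
        )
    return commands


if __name__ == "__main__":
    for cmd in corrected_commands(find_reversed_statics(parse_translations(SAMPLE_TABLE))):
        print(cmd)
```
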

R24
R24#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.13.13   192.168.24.24   MM_KEY_EXCH       1017 ACTIVE
192.168.13.13   192.168.24.24   MM_NO_STATE       1016 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

The last output indicates that we still have an issue with ISAKMP (IKE Phase 1), and the state message of "MM_KEY_EXCH" tells us that there's an ISAKMP authentication issue. We will go over to R24 and R13 and verify that the pre-shared keys match exactly:

R24
R24#sh run | sec crypto
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key &IPX address 0.0.0.0
crypto ipsec transform-set DMVPN-IPX-SET esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-IPX
 set transform-set DMVPN-IPX-SET


R13
R13#sh run | sec crypto
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key $IPX address 0.0.0.0
crypto ipsec transform-set DMVPN-IPX-SET esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-IPX
 set transform-set DMVPN-IPX-SET

At this point, we have identified the second fault - incorrect pre-shared key configured on the remote spoke (R24). Modify the pre-shared key and verify again:

NOTE Always modify according to the Hub configurations, and not the other way around.

R24
R24#conf t
R24(config)#no crypto isakmp key &IPX address 0.0.0.0
R24(config)#crypto isakmp key $IPX address 0.0.0.0

R24(config)#do show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel66, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.13.13       40.40.40.13    UP 00:00:24     S

R24#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.13.13   192.168.24.24   QM_IDLE           1032 ACTIVE
192.168.13.13   192.168.24.24   MM_NO_STATE       1031 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

The state message of "QM_IDLE" indicates that the ISAKMP negotiations are complete. Phase 1 successfully completed. It remains authenticated with its peer and may be used for subsequent Quick Mode exchanges. Now we will reverify the route table output for R24:

R24
R24#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.13.13.0/24 [90/27008000] via 40.40.40.13, 00:08:15, Tunnel66
D        10.15.15.0/24 [90/27033600] via 40.40.40.13, 00:08:15, Tunnel66
      172.5.0.0/24 is subnetted, 1 subnets
D        172.5.5.0 [90/27033600] via 40.40.40.13, 00:08:15, Tunnel66
      172.6.0.0/24 is subnetted, 1 subnets
D        172.6.6.0 [90/27059200] via 40.40.40.13, 00:08:15, Tunnel66
      172.16.0.0/24 is subnetted, 6 subnets
D        172.16.56.0 [90/26905856] via 40.40.40.13, 00:08:15, Tunnel66
D        172.16.100.0 [90/26931456] via 40.40.40.13, 00:08:15, Tunnel66
D        172.16.200.0 [90/26905856] via 40.40.40.13, 00:08:15, Tunnel66
D        172.16.214.0 [90/26905600] via 40.40.40.13, 00:08:15, Tunnel66
D        172.16.215.0 [90/26905600] via 40.40.40.13, 00:08:15, Tunnel66
D        172.16.216.0 [90/26931200] via 40.40.40.13, 00:08:15, Tunnel66
D EX  192.168.0.0/16 [170/542771200] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.13.0/24 [90/34036062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.15.0/24 [90/27417600] via 40.40.40.13, 00:08:15, Tunnel66
D     192.168.23.0/24 [90/44276062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.25.0/24 [90/23796062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.74.0/24 [90/34036062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.76.0/24 [90/23796062] via 192.168.24.6, 2w0d, Serial2/0


If we look closely, we can see that we are still missing the remote branches' routes. Remember, we must match the given output exactly! Go back to the Hub (R13) and check for the remote branches' routes; notice the highlighted routes that we are missing at the far end:

R13
R13#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D        10.15.15.0/24 [90/409600] via 172.16.214.2, 2w0d, Ethernet0/1
D EX     10.23.23.0/24 [170/27008000] via 40.40.40.23, 6d01h, Tunnel66
D EX     10.24.24.0/24 [170/27008000] via 40.40.40.24, 00:17:20, Tunnel66
D EX     10.25.25.0/24 [170/27008000] via 40.40.40.25, 6d01h, Tunnel66

R13#show run interface tun66
Building configuration...

Current configuration : 355 bytes
!
interface Tunnel66
 ip address 40.40.40.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 300
 ip nhrp authentication IPX-CCIE
 ip nhrp map multicast dynamic
 ip nhrp network-id 54321
 ip tcp adjust-mss 1360
 tunnel source Serial5/0
 tunnel mode gre multipoint
 tunnel key 1234567
 tunnel protection ipsec profile DMVPN-IPX
!

Take a closer look at the tunnel interface. Recall that we have a point-to-multipoint tunnel interface, and for EIGRP split-horizon is turned on by default. Modify the EIGRP configuration and check the output on R24 again:

R13
R13(config)#interface tunnel66
R13(config-if)#no ip split-horizon eigrp 300

R24
R24#show ip route eigrp
…
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D        10.13.13.0/24 [90/27008000] via 40.40.40.13, 00:22:25, Tunnel66
D        10.15.15.0/24 [90/27033600] via 40.40.40.13, 00:22:25, Tunnel66
D EX     10.23.23.0/24 [170/28288000] via 40.40.40.23, 00:00:30, Tunnel66
D EX     10.25.25.0/24 [170/28288000] via 40.40.40.25, 00:00:30, Tunnel66
      172.5.0.0/24 is subnetted, 1 subnets
D        172.5.5.0 [90/27033600] via 40.40.40.13, 00:22:25, Tunnel66
      172.6.0.0/24 is subnetted, 1 subnets
D        172.6.6.0 [90/27059200] via 40.40.40.13, 00:22:25, Tunnel66
      172.16.0.0/24 is subnetted, 6 subnets
D        172.16.56.0 [90/26905856] via 40.40.40.13, 00:22:25, Tunnel66
D        172.16.100.0 [90/26931456] via 40.40.40.13, 00:22:25, Tunnel66
D        172.16.200.0 [90/26905856] via 40.40.40.13, 00:22:25, Tunnel66
D        172.16.214.0 [90/26905600] via 40.40.40.13, 00:22:25, Tunnel66
D        172.16.215.0 [90/26905600] via 40.40.40.13, 00:22:25, Tunnel66
D        172.16.216.0 [90/26931200] via 40.40.40.13, 00:22:25, Tunnel66
D EX  192.168.0.0/16 [170/542771200] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.13.0/24 [90/34036062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.15.0/24 [90/27417600] via 40.40.40.13, 00:22:25, Tunnel66
D     192.168.23.0/24 [90/44276062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.25.0/24 [90/23796062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.74.0/24 [90/34036062] via 192.168.24.6, 2w0d, Serial2/0
D     192.168.76.0/24 [90/23796062] via 192.168.24.6, 2w0d, Serial2/0


Summary of Changes

R24
conf t
no crypto isakmp key &IPX address 0.0.0.0
crypto isakmp key $IPX address 0.0.0.0
end

R13
conf t
interface tunnel66
no ip split-horizon eigrp 300
end

ISP6
conf t
no ip nat inside source static udp 192.168.76.6 500 192.168.24.24 500 extendable
no ip nat inside source static udp 192.168.76.6 4500 192.168.24.24 4500 extendable
ip nat inside source static udp 192.168.24.24 500 192.168.76.6 500 extendable
ip nat inside source static udp 192.168.24.24 4500 192.168.76.6 4500 extendable
end


Incident 2

(1 point)

• Users that are located in VLAN100 of the IPexpert HQ office have lost access to the Server which is located in VLAN200.

• Isolate and fix the issues so R10 is reachable from R14. The outputs should match the below:


R14
R14#ping 172.16.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R14#traceroute 172.16.200.2 num
Type escape sequence to abort.
Tracing the route to 172.16.200.2
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.100.1 1 msec 0 msec 0 msec
  2 172.16.56.5 0 msec 0 msec 1 msec
  3 172.16.200.2 0 msec *  0 msec

Solution

The incident states that we should be able to reach the server in VLAN200. We will start by checking for connectivity.

R14
R14#sh ip route
…
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.14.14.0/24 is directly connected, Loopback0
L        10.14.14.14/32 is directly connected, Loopback0
      172.16.0.0/32 is subnetted, 1 subnets

R14#sh ip interface br | e ass
Interface                  IP-Address      OK? Method Status                Protocol
Loopback0                  10.14.14.14     YES manual up                    up

Next we will want to identify R14's interface, in order to verify the configuration on that port.

R14
R14#sh cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW6              Eth 0/1           157              R S             Eth 1/2

Total cdp entries displayed : 1

R14#sh run interface e0/1
Building configuration...

Current configuration : 81 bytes
!
interface Ethernet0/1
 ip address dhcp client-id Ethernet0/1 hostname R14
end

We can see that R14 is supposed to be assigned an IP address via DHCP. Now we need to check the SW6 interface configuration and follow the trail of DHCP-related configs.

SW6
SW6#sh run interface e1/2
Building configuration...

Current configuration : 142 bytes
!
interface Ethernet1/2
 switchport access vlan 100
 switchport mode access
 duplex auto
 spanning-tree portfast
 ip dhcp snooping trust
end

SW6#sh run interface vlan100
Building configuration...

Current configuration : 126 bytes
!
interface Vlan100
 ip address 172.16.100.1 255.255.255.0
 ip helper-address 10.13.13.13
 ip helper-address 10.15.15.15

The DHCP configurations on SW6 seem to be correct. We can also see that we are doing DHCP relay towards R13 and R15, so next we will have to check their configurations.

R13
R13#sh run | sec dhcp
ip dhcp excluded-address 172.16.200.1
ip dhcp excluded-address 172.16.100.1 172.16.100.99
ip dhcp excluded-address 172.16.100.101 172.16.100.254
ip dhcp pool VLAN200
 network 172.16.200.0 255.255.255.0
 default-router 172.16.200.1
 dns-server 172.16.200.1
 domain-name ipexpert.com
ip dhcp pool VLAN100
 network 172.16.100.0 255.255.255.0
 default-router 172.16.100.1
 dns-server 172.16.100.1
 domain-name ipexpert.com
ip dhcp pool VLAN200-HOST
 host 172.16.200.2 255.255.255.0
 client-identifier 01aa.bbcc.000a.00
 default-router 172.16.200.1
 dns-server 172.16.200.1
 domain-name ipexpert.com
ip dhcp pool VLAN100-HOST
 host 172.16.100.100 255.255.255.0
 client-identifier 01aa.bbcc.000a.10
 default-router 172.16.100.1
 dns-server 172.16.100.1
 domain-name ipexpert.com


R15
R15#sh run | sec dhcp
ip dhcp excluded-address 172.16.200.1
ip dhcp excluded-address 172.16.100.1 172.16.100.99
ip dhcp excluded-address 172.16.100.101 172.16.100.254
ip dhcp pool VLAN200
 network 172.16.200.0 255.255.255.0
 default-router 172.16.200.1
 dns-server 172.16.200.1
 domain-name ipexpert.com
ip dhcp pool VLAN100
 network 172.16.100.0 255.255.255.0
 default-router 172.16.100.1
 dns-server 172.16.100.1
 domain-name ipexpert.com
ip dhcp pool VLAN200-HOST
 host 172.16.200.2 255.255.255.0
 client-identifier 01aa.bbcc.000a.00
 default-router 172.16.200.1
 dns-server 172.16.200.1
 domain-name ipexpert.com
ip dhcp pool VLAN100-HOST
 host 172.16.100.100 255.255.255.0
 client-identifier 01aa.bbcc.000a.10
 default-router 172.16.100.1
 dns-server 172.16.100.1
 domain-name ipexpert.com


R14
R14#sh interface e0/1
Ethernet0/1 is up, line protocol is up
  Hardware is AmdP2, address is aabb.cc00.0e10 (bia aabb.cc00.0e10)
  Internetwork address will be negotiated using DHCP
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     871067 packets input, 62888524 bytes, 0 no buffer
     Received 750287 broadcasts (106 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     174722 packets output, 21433219 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     6 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

At this point, we will make sure that the DHCP pool settings for VLAN100 are correct: default-router, dns-server, subnet, host IP address and client-identifier. All of these need to match the diagram given to us. We want to quickly obtain the correct MAC address to be used as the client-identifier (according to the previous output, the MAC address seems to be different).

NOTE Notice that we have logging turned off on all devices. To quickly identify faults, it is advised to turn it on.


R13 / R15
conf t
logging monitor 7
logging buffered 7
logging console 7
end
debug dhcp det
debug ip dhcp server events

We will want to quickly trigger a DHCP discover packet to be sent from R14 towards the DHCP server routers:

R14
conf t
interface e0/1
shutdown
no shutdown
end

R13 / R15
*Mar 28 03:49:34.199: DHCPD: client's VPN is .
*Mar 28 03:49:34.199: DHCPD: No option 125
*Mar 28 03:49:34.199: DHCPD: Sending notification of DISCOVER:
*Mar 28 03:49:34.199:   DHCPD: htype 1 chaddr aabb.cc00.0e10
*Mar 28 03:49:34.199:   DHCPD: remote id 020a0000ac10d80201000000
*Mar 28 03:49:34.199:   DHCPD: circuit id 00000000
*Mar 28 03:49:34.199: DHCPD: DHCPDISCOVER received from client 01aa.bbcc.000e.10 through relay 172.16.100.1.
*Mar 28 03:49:34.199: DHCPD: Seeing if there is an internally specified pool class:
*Mar 28 03:49:34.199:   DHCPD: htype 1 chaddr aabb.cc00.0e10
*Mar 28 03:49:34.199:   DHCPD: remote id 020a0000ac10d80201000000
*Mar 28 03:49:34.199:   DHCPD: circuit id 00000000
*Mar 28 03:49:34.199: DHCPD: Allocate an address without class information (172.16.100.0)
*Mar 28 03:49:34.199: DHCPD: subnetwork [172.16.100.1,172.16.100.254] in address pool VLAN100 is empty.
*Mar 28 03:49:34.199: DHCPD: Sending notification of ASSIGNMENT FAILURE:
*Mar 28 03:49:34.199:   DHCPD: htype 1 chaddr aabb.cc00.0e10
*Mar 28 03:49:34.199:   DHCPD: remote id 020a0000ac10d80201000000
*Mar 28 03:49:34.199:   DHCPD: circuit id 00000000
*Mar 28 03:49:34.199: DHCPD: Sending notification of ASSIGNMENT_FAILURE:
*Mar 28 03:49:34.199:   DHCPD: due to: POOL EXHAUSTED
*Mar 28 03:49:34.199:   DHCPD: htype 1 chaddr aabb.cc00.0e10

The pool says it is exhausted, and we can also see that the client-identifier is different. Let's modify this:

R13 / R15
RX(config)#ip dhcp pool VLAN100-HOST
RX(dhcp-config)#no client-identifier 01aa.bbcc.000a.10
RX(dhcp-config)#client-identifier 01aa.bbcc.000e.10

R14
R14(config)#interface e0/1
R14(config-if)#shutdown
R14(config-if)#no shutdown
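The two symptoms in the debug (POOL EXHAUSTED and a client-identifier that matches no host pool) can be derived from the configuration itself. The following is an added example, not part of the original guide: it builds the IOS client-identifier from a MAC address (hardware type 01 followed by the MAC), counts the addresses left in the dynamic pool after exclusions and reservations, and reports DISCOVERs that match no manual binding. Function names are hypothetical; the sample config and debug line are constructed from the VLAN100 lines shown above.

```python
import ipaddress
import re

# Constructed sample: VLAN100 lines of the R13/R15 DHCP config (before the fix)
# and the DHCPDISCOVER line from the debug output.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 172.16.100.1 172.16.100.99
ip dhcp excluded-address 172.16.100.101 172.16.100.254
ip dhcp pool VLAN100
 network 172.16.100.0 255.255.255.0
ip dhcp pool VLAN100-HOST
 host 172.16.100.100 255.255.255.0
 client-identifier 01aa.bbcc.000a.10
"""
SAMPLE_DEBUG = (
    "*Mar 28 03:49:34.199: DHCPD: DHCPDISCOVER received from client "
    "01aa.bbcc.000e.10 through relay 172.16.100.1.\n"
)
DISCOVER_RE = re.compile(
    r"DHCPDISCOVER received from client (\S+) through relay (\d+\.\d+\.\d+\.\d+)"
)


def cisco_client_id(mac):
    """aabb.cc00.0e10 -> 01aa.bbcc.000e.10 (htype 01 prepended, regrouped)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = "01" + digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def parse_dhcp_config(text):
    """Return (excluded ranges, network pools, host pools) from IOS config."""
    excluded, networks, hosts = [], {}, {}
    pool = None
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.ip_address(words[3])
            high = ipaddress.ip_address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
        elif words[:3] == ["ip", "dhcp", "pool"]:
            pool = words[3]
        elif pool and words[:1] == ["network"]:
            networks[pool] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif pool and words[:1] == ["host"]:
            hosts.setdefault(pool, {})["ip"] = ipaddress.ip_address(words[1])
        elif pool and words[:1] == ["client-identifier"]:
            hosts.setdefault(pool, {})["client_id"] = words[1].lower()
    return excluded, networks, hosts


def free_dynamic_addresses(network, excluded, hosts):
    """Addresses a dynamic client could still get from this network pool."""
    reserved = {h["ip"] for h in hosts.values() if "ip" in h}
    return [
        addr for addr in network.hosts()
        if addr not in reserved
        and not any(low <= addr <= high for low, high in excluded)
    ]


def audit(config, debug):
    """One finding per DISCOVER whose client-id matches no host pool."""
    excluded, networks, hosts = parse_dhcp_config(config)
    findings = []
    for client_id, relay in DISCOVER_RE.findall(debug):
        client_id = client_id.lower()
        if any(h.get("client_id") == client_id for h in hosts.values()):
            continue  # a manual binding exists for this client
        relay_ip = ipaddress.ip_address(relay)
        for name, net in networks.items():
            if relay_ip not in net:
                continue
            findings.append({
                "client_id": client_id,
                "network_pool": name,
                "free_dynamic": len(free_dynamic_addresses(net, excluded, hosts)),
                "unmatched_host_pools": {
                    pool: h.get("client_id") for pool, h in hosts.items()
                    if "ip" in h and h["ip"] in net
                },
            })
    return findings


if __name__ == "__main__":
    print(cisco_client_id("aabb.cc00.0e10"))
    print(audit(SAMPLE_CONFIG, SAMPLE_DEBUG))
```
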

Let us now recheck the connectivity towards VLAN200 server:

R14
R14#sh ip route
…
Gateway of last resort is 172.16.100.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 172.16.100.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.14.14.0/24 is directly connected, Loopback0
L        10.14.14.14/32 is directly connected, Loopback0
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.100.0/24 is directly connected, Ethernet0/1
L        172.16.100.100/32 is directly connected, Ethernet0/1
S        172.16.216.2/32 [254/0] via 172.16.100.1, Ethernet0/1

R14#ping 172.16.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R14#

Summary of Changes

R13 / R15
conf t
ip dhcp pool VLAN100-HOST
no client-identifier 01aa.bbcc.000a.10
client-identifier 01aa.bbcc.000e.10
end


Incident 3

(2 points)

• ISP3 is trying to reach ISP2 network of 10.102.102.0/24 but is unsuccessful.

• Isolate and fix the issues so that it is reachable from ISP3. The outputs should match the below:

ISP3#ping 10.102.102.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.102.102.102, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/16/20 ms


Solution

First, verify that ISP3 has no connectivity to ISP2 network 10.102.102.0/24:

ISP3
ISP3#traceroute 10.102.102.102
Type escape sequence to abort.
Tracing the route to 10.102.102.102
VRF info: (vrf in name/id, vrf out name/id)
  1 132.56.78.10 8 msec 9 msec 8 msec
  2 132.56.78.10 !H  *  !H

With the above traceroute command, we have established that there might be an issue from ISP1 towards ISP2. Let's take a look at the ISP1 config:

ISP1
ISP1#sh cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
ISP3.global.com  Ser 3/0           161              R B             Ser 3/0
R2               Ser 2/0           169              R B             Ser 2/2
ISP2             Ser 2/2           154              R B             Ser 2/2

Total cdp entries displayed : 3

ISP1#sh ppp all
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- --------------------
Se2/2        LCP+ CHAP+ IPCP+ IPV> LocalT   0.0.0.0         ISP2
Se2/0        LCP+ CHAP+ IPCP+ IPV> LocalT   132.56.78.2     R2
Se3/0        LCP+ CHAP+ IPCP+ IPV> LocalT   132.56.78.9     ISP3

With the above output, we identified that ISP2 has no peer address for its PPP link. The reasons for that can be:

• wrong ppp credentials
• wrong encapsulation
• wrong ppp method of authentication
• missing local credentials for identifying the remote side (or vice versa)

Let's look closer at the configuration of the ISP1-ISP2 connection:

ISP1
ISP1#sh run | sec 2/2|username|pool
ip dhcp pool PPP-POOL
 network 132.56.78.4 255.255.255.252
username R2 password 0 CC1E
username ISP3 password 0 CC1E
username ISP2 password 0 CC1E
interface Serial2/2
 ip address 132.56.78.6 255.255.255.252
 encapsulation ppp
 no peer neighbor-route
 peer default ip address pool PPP-P00L
 ipv6 address 2001:CC1E:112::1/64
 ipv6 ospf 1 area 0
 ppp max-failure 3
 ppp authentication chap
 ppp chap hostname ISP1
 ppp chap password 0 CC1E

ISP2
ISP2#sh run | sec 2/2|username
username ISP1 password 0 CC1E
interface Serial2/2
 ip address negotiated
 encapsulation ppp
 ipv6 address 2001:CC1E:112::2/64
 ipv6 ospf 1 area 0
 ppp authentication chap
 ppp chap hostname ISP2
 ppp chap password 0 CC1E
 serial restart-delay 0


NOTE Notice that we have logging turned off on all devices. To quickly identify faults it is advised to turn these on.

ISP1 / ISP2
conf t
logging monitor 7
logging buffered 7
logging console 7
end
debug ppp authentication
debug ppp negotiation

ISP1
…
*Mar 28 04:27:18.313: Se2/2 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 28 04:27:18.313: Se2/2 LCP:    MagicNumber 0x098CF2A3 (0x0506098CF2A3)
*Mar 28 04:27:18.313: Se2/2 LCP: O CONFACK [REQsent] id 1 len 15
*Mar 28 04:27:18.313: Se2/2 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 28 04:27:18.313: Se2/2 LCP:    MagicNumber 0x098CF2A3 (0x0506098CF2A3)
*Mar 28 04:27:18.313: Se2/2 LCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
*Mar 28 04:27:18.314: Se2/2 LCP: I CONFACK [ACKsent] id 1 len 15
*Mar 28 04:27:18.314: Se2/2 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 28 04:27:18.314: Se2/2 LCP:    MagicNumber 0xFC64C302 (0x0506FC64C302)
*Mar 28 04:27:18.314: Se2/2 LCP: Event[Receive ConfAck] State[ACKsent to Open]
*Mar 28 04:27:18.323: Se2/2 PPP: Phase is AUTHENTICATING, by both
*Mar 28 04:27:18.323: Se2/2 CHAP: O CHALLENGE id 1 len 25 from "ISP1"
*Mar 28 04:27:18.323: Se2/2 LCP: State is Open
*Mar 28 04:27:18.327: Se2/2 CHAP: I CHALLENGE id 1 len 25 from "ISP2"
*Mar 28 04:27:18.327: Se2/2 PPP: Sent CHAP SENDAUTH Request
*Mar 28 04:27:18.327: Se2/2 PPP: Received SENDAUTH Response PASS
*Mar 28 04:27:18.327: Se2/2 CHAP: Using hostname from interface CHAP
*Mar 28 04:27:18.328: Se2/2 CHAP: Using password from AAA
*Mar 28 04:27:18.328: Se2/2 CHAP: O RESPONSE id 1 len 25 from "ISP1"
*Mar 28 04:27:18.332: Se2/2 CHAP: I RESPONSE id 1 len 25 from "ISP2"
*Mar 28 04:27:18.332: Se2/2 PPP: Phase is FORWARDING, Attempting Forward
*Mar 28 04:27:18.332: Se2/2 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 28 04:27:18.332: Se2/2 PPP: Sent CHAP LOGIN Request
*Mar 28 04:27:18.333: Se2/2 PPP: Received LOGIN Response PASS
*Mar 28 04:27:18.333: Se2/2 IPCP: Authorizing CP
*Mar 28 04:27:18.337: Se2/2 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar 28 04:27:18.337: Se2/2 CHAP: O SUCCESS id 1 len 4
*Mar 28 04:27:18.337: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/2, changed state to up
*Mar 28 04:27:18.337: Se2/2 PPP: Outbound cdp packet dropped, line protocol not up
*Mar 28 04:27:18.337: Se2/2 PPP: Phase is UP
*Mar 28 04:27:18.339: Se2/2 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar 28 04:27:18.339: Se2/2 IPCP:    Address 0.0.0.0 (0x030600000000)
*Mar 28 04:27:18.339: Se2/2 IPCP AUTHOR: Start.  Her address 0.0.0.0, we want 0.0.0.0
*Mar 28 04:27:18.339: Se2/2 IPCP AUTHOR: Done.  Her address 0.0.0.0, we want 0.0.0.0
*Mar 28 04:27:18.339: Se2/2 IPCP: Cannot satisfy pool request
*Mar 28 04:27:18.340: Se2/2 IPCP: Neither side knows remote address
*Mar 28 04:27:18.340: Se2/2 IPCP: O CONFREJ [REQsent] id 1 len 10
*Mar 28 04:27:18.340: Se2/2 IPCP:    Address 0.0.0.0 (0x030600000000)
*Mar 28 04:27:18.340: Se2/2 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]

The debug output leaves no doubt that an address cannot be assigned due to a pool issue, while the authentication passed successfully. If we go beyond the debug output and look into the actual configs, we can identify 2 of the faults:

• The "peer default ip address pool xxx" syntax is incorrect.
• The pool name is wrong, should be PPP-POOL instead of PPP-P00L.
• mistyped "0" instead of "O".

Let's correct these and check for reachability from ISP3.

ISP1
ISP1(config)#no ip dhcp pool PPP-POOL
ISP1(config)#ip local pool PPP-POOL 132.56.78.5 132.56.78.5
ISP1(config)#interface serial2/2
ISP1(config-if)#shutdown
ISP1(config-if)#no peer default ip address pool PPP-P00L
ISP1(config-if)#peer default ip address pool PPP-POOL
ISP1(config-if)#no shutdown
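A "0" typed for an "O" is hard to spot by eye but easy to catch mechanically. The following is an added example, not part of the original guide: it lints a configuration for "peer default ip address pool" references that do not resolve to an "ip local pool" (the pool type used in the fix above) and lists defined pools whose names differ only by visually confusable characters. The function names and the confusable-character table are assumptions; the two samples are constructed from the ISP1 configuration before and after the fix.

```python
import re

# Constructed samples: pool-related lines of the ISP1 config before and after
# the fix shown above.
SAMPLE_BEFORE = """\
ip dhcp pool PPP-POOL
 network 132.56.78.4 255.255.255.252
interface Serial2/2
 ip address 132.56.78.6 255.255.255.252
 encapsulation ppp
 peer default ip address pool PPP-P00L
"""
SAMPLE_AFTER = """\
ip local pool PPP-POOL 132.56.78.5 132.56.78.5
interface Serial2/2
 ip address 132.56.78.6 255.255.255.252
 encapsulation ppp
 peer default ip address pool PPP-POOL
"""

# Assumption: a minimal confusable set (zero/letter O, one/letter l/letter i).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l"})


def skeleton(name):
    """Fold case and confusable characters so look-alike names compare equal."""
    return name.lower().translate(CONFUSABLE)


def parse_pools(config):
    """Collect local pool names, DHCP pool names and per-interface references."""
    local, dhcp, refs = set(), set(), []
    interface = None
    for line in config.splitlines():
        match = re.match(r"ip local pool (\S+)", line)
        if match:
            local.add(match.group(1))
            continue
        match = re.match(r"ip dhcp pool (\S+)", line)
        if match:
            dhcp.add(match.group(1))
            continue
        match = re.match(r"interface (\S+)", line)
        if match:
            interface = match.group(1)
            continue
        match = re.match(r"\s+peer default ip address pool (\S+)", line)
        if match:
            refs.append((interface, match.group(1)))
    return local, dhcp, refs


def lint_peer_pools(config):
    """Report pool references that no 'ip local pool' definition satisfies."""
    local, dhcp, refs = parse_pools(config)
    findings = []
    for interface, name in refs:
        if name in local:
            continue
        lookalikes = sorted(
            (pool, "local" if pool in local else "dhcp")
            for pool in local | dhcp
            if pool != name and skeleton(pool) == skeleton(name)
        )
        findings.append({
            "interface": interface,
            "pool": name,
            "defined_as_dhcp_pool": name in dhcp,
            "lookalikes": lookalikes,
        })
    return findings


if __name__ == "__main__":
    for finding in lint_peer_pools(SAMPLE_BEFORE):
        print(finding)
```
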


ISP3
ISP3#traceroute 10.102.102.102 num
Type escape sequence to abort.
Tracing the route to 10.102.102.102
VRF info: (vrf in name/id, vrf out name/id)
  1 132.56.78.10 8 msec 8 msec 8 msec
  2 132.56.78.10 !H  *  !H

Seems as if we still have an issue; let's go to ISP2 and verify some configs:

ISP2
ISP2#sh ip aliases
Address Type             IP Address      Port
Interface                10.102.102.102

ISP2#sh ppp all
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- --------------------
Se2/2        LCP+ CHAP+ IPCP+ IPV> LocalT   132.56.78.6     ISP1

We can see that the ppp negotiation is successful and we have an ip address assigned to our interface, but it seems that we have no route to get back to ISP3. Since we are forbidden to use static routes or remove configs, we shall modify the configs while respecting these restrictions:


ISP2
ISP2(config)#interface serial2/2
ISP2(config-if)#shutdown
ISP2(config-if)#ppp ipcp route default
ISP2(config-if)#no shutdown

ISP2#sh ip route
Gateway of last resort is not set

S*    0.0.0.0/0 [1/0] via 132.56.78.6
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.102.102.0/24 is directly connected, Loopback0
L        10.102.102.102/32 is directly connected, Loopback0
      132.56.0.0/16 is variably subnetted, 6 subnets, 2 masks
R        132.56.78.0/30 [120/1] via 132.56.78.6, 00:00:24
R        132.56.78.2/32 [120/1] via 132.56.78.6, 00:00:24
C        132.56.78.5/32 is directly connected, Serial2/2
C        132.56.78.6/32 is directly connected, Serial2/2
R        132.56.78.8/30 [120/1] via 132.56.78.6, 00:00:24
R        132.56.78.9/32 [120/1] via 132.56.78.6, 00:00:24

ISP3
ISP3#traceroute 10.102.102.102
Type escape sequence to abort.
Tracing the route to 10.102.102.102
VRF info: (vrf in name/id, vrf out name/id)
  1 132.56.78.10 9 msec 9 msec 9 msec
  2 132.56.78.5 17 msec *  17 msec

ISP3#ping 10.102.102.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.102.102.102, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/17/18 ms

As you can see from the ping results above, network 10.102.102.0/24 is now reachable from ISP3 as the incident requested.

Summary of Changes

ISP1
conf t
no ip dhcp pool PPP-POOL
ip local pool PPP-POOL 132.56.78.5 132.56.78.5
interface serial2/2
no peer default ip address pool PPP-P00L
peer default ip address pool PPP-POOL

ISP2
conf t
interface serial2/2
ppp ipcp route default


Incident 4

(2 points)

• Starbucks Coffee branch-1 cannot communicate with Starbucks branch-2.

• Troubleshoot and fix the issues so that both sites have reachability.

• The outputs should match the below:

R16#ping 10.20.20.20 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 10.16.16.16
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R20#ping 10.16.16.16 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.16.16.16, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Solution

Let’s first look at the output from the specified command in the incident to determine where to focus our efforts. We will start by testing the reachability:

R16
R16#ping 10.20.20.20 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 10.16.16.16
..
Success rate is 0 percent (0/2)

R20
R20#ping 10.16.16.16 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.16.16.16, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.20
.....
Success rate is 0 percent (0/5)

The connectivity check is unsuccessful. We will now review configs of the central router according to the diagram and see if full reachability is available from there.

R18
R18#sh ip route
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        10.16.16.0/24 [20/0] via 132.56.16.16, 2w1d
C        10.18.18.0/24 is directly connected, Loopback0
L        10.18.18.18/32 is directly connected, Loopback0
      132.56.0.0/16 is variably subnetted, 7 subnets, 3 masks
C        132.56.16.0/24 is directly connected, Ethernet0/0
L        132.56.16.18/32 is directly connected, Ethernet0/0
C        132.56.20.0/24 is directly connected, Ethernet0/1
L        132.56.20.18/32 is directly connected, Ethernet0/1
C        132.56.78.12/30 is directly connected, Serial2/0
L        132.56.78.13/32 is directly connected, Serial2/0
C        132.56.78.14/32 is directly connected, Serial2/0

The given output reveals to us that we are missing a route towards network 10.20.20.0/24. We will now try and investigate why R18 doesn't learn any routes from R20.

R18
R18#sh ip bgp summary
BGP router identifier 10.18.18.18, local AS number 62566
BGP table version is 5, main routing table version 5
…
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
132.56.16.16    4        65501   24090   24089        5    0    0 2w1d            1
132.56.20.20    4        65502       0       0        1    0    0 00:09:22 Active

R18#ping 132.56.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 132.56.20.20, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Obviously something is wrong between these two routers (R18 and R20): we can't even ping from one to the other, and the BGP neighborship is down as well. The issue might be at Layer 1 or Layer 2. According to the diagram, VLAN1820 is the L2 VLAN used to connect these two, so we should check the switch.

R18
R18#sh cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
ISP3.global.com  Ser 2/0           129              R B             Ser 3/3
SW7              Eth 0/0           169              R S             Eth 0/3
SW8              Eth 0/1           176              R S             Eth 0/2

SW8 SW8#sh run interface e0/2 Building configuration... interface Ethernet0/2 switchport access vlan 1820 switchport mode access duplex auto spanning-tree portfast end

SW8#sh interface status Port

Name

Status

Vlan

Duplex

Et0/0

connected

1618

auto

auto unknown

Et0/1

connected

1

auto

auto unknown

Et0/2

connected

1820

auto

auto unknown

Et0/3

connected

1

auto

auto unknown

Et1/0

connected

1

auto

auto unknown

Et1/1

err-disabled 1802

auto

auto unknown

Et1/2

connected

auto

auto unknown

1

Speed Type



We can immediately see that one interface is in the "err-disabled" state. Looking further, we can see that the err-disable is caused by the port-security violation policy and that the secured MAC address is incorrect. The second fault seen here is a mistyped VLAN ID: 1802 instead of 1820.

NOTE The err-disabled port can also be identified by enabling logging on the switch and flapping the interface down and up.

SW8

SW8#sh run interface e1/1
Building configuration...

Current configuration : 274 bytes
!
interface Ethernet1/1
 switchport access vlan 1802
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky aabb.cc00.1410
 duplex auto
 spanning-tree portfast
 ip dhcp snooping trust

SW8#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Et1/1              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Let's fix these two faults and see if the problem is solved:

SW8

conf t
logging monitor 7
logging buffered 7
logging console 7
interface e1/1
 shutdown
 no shutdown
end

SW8(config-if)#
*Mar 28 08:46:38.435: %PM-4-ERR_DISABLE: psecure-violation error detected on Et1/1, putting Et1/1 in err-disable state
SW8(config-if)#
*Mar 28 08:46:38.436: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.c000.1410 on port Ethernet1/1.

SW8(config)#interface e1/1
SW8(config-if)#shutdown
SW8(config-if)#switchport access vlan 1820
SW8(config-if)#no switchport port-security mac-address sticky
SW8(config-if)#switchport port-security mac-address sticky
SW8(config-if)#no shutdown

Since the switch interface is configured with the "sticky" feature, removing and re-enabling it allows the switch to learn a new MAC address and save it into its configuration for future use. Once this is done, the switch immediately brings the interface to the "up" state, and we can re-test reachability between the branches.

R16

R16#ping 10.20.20.20 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 10.16.16.16
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R20

R20#ping 10.16.16.16 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.16.16.16, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms

Summary of Changes

SW8

conf t
interface e1/1
 shutdown
 switchport access vlan 1820
 no switchport port-security mac-address sticky
 switchport port-security mac-address sticky
 no shutdown

Incident 5

(1 point)

• The Global Provider network engineer is having IPv6 connectivity issues between the Data Center and their DR site and cannot reach one of their IPv6 Management web sites.

• Fix the issue so that the following sequence of commands produces the same relevant result:

ISP3#ping www.global.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:50:50::50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/28/30 ms

ISP3#telnet www.global.com 80
Translating "www.global.com"...domain server (255.255.255.255)
Trying 2001:50:50::50, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Wed, 04 Feb 2015 11:01:43 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to www.global.com closed by foreign host]

Solution

The incident states that we should be able to access the web site. We will start by checking whether DNS resolution works properly:

ISP3

ISP3#ping www.global.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:50:50::50, timeout is 2 seconds:
AAAAA
Success rate is 0 percent (0/5)

The hostname www.global.com resolves to an IPv6 address, but the ping is not successful; instead we receive an "AAAAA" ping response, which indicates "Administrative unreachable". Administrative unreachable usually happens when an ACL is blocking the traffic. To isolate the cause and quickly identify all the faults, we will also check whether the web site is reachable via HTTP on port 80.

ISP3

ISP3#telnet www.global.com 80
Translating "www.global.com"...domain server (255.255.255.255)
Trying 2001:50:50::50, 80 ...
% Destination unreachable; gateway or host down

No success. At this point we should check for an IPv6 access-list along the path to our destination of 2001:50:50::50, which exists on R50.

R2

R2#sh ipv6 access-list

ISP1

ISP1#sh ipv6 access-list

R50

R50#sh ipv6 access-list
IPv6 access list IPv6-WEB
    permit tcp host 2001:50:50::50 eq www host 2001:CC1E:113::2 sequence 5
    permit icmp host 2001:50:50::50 host 2001:CC1E:113::2 sequence 10
    deny tcp any host 2001:50:50::50 eq www (1 match) sequence 15
    deny icmp any any (5 matches) sequence 20
    permit ipv6 any any (66197 matches) sequence 25

R50#sh ipv6 interface | inc line|access
Serial2/0 is up, line protocol is up
  Inbound access list IPv6-WEB
Serial2/1 is up, line protocol is up
  Inbound access list IPv6-WEB
Loopback0 is up, line protocol is up

The IPv6 access-list is misconfigured. Since the ACL is applied inbound on R50, the source and destination in sequences 5 and 10 should be reversed so that these entries allow the traffic instead of blocking it; notice also that these two lines have no hit counts. Let's modify this and see what happens.

R50

R50(config)#no ipv6 access-list IPv6-WEB
R50(config)#ipv6 access-list IPv6-WEB
R50(config-ipv6-acl)#sequence 5 permit tcp host 2001:CC1E:113::2 host 2001:50:50::50 eq 80
R50(config-ipv6-acl)#sequence 10 permit icmp host 2001:CC1E:113::2 host 2001:50:50::50
R50(config-ipv6-acl)#sequence 15 deny tcp any host 2001:50:50::50 eq 80
R50(config-ipv6-acl)#sequence 20 deny icmp any any
R50(config-ipv6-acl)#sequence 25 permit ipv6 any any

ISP3

ISP3#ping www.global.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:50:50::50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/25/26 ms

ISP3#telnet www.global.com 80
Translating "www.global.com"...domain server (255.255.255.255)
Trying 2001:50:50::50, 80 ...
% Destination unreachable; gateway or host down

We still can't access the web site. At this point we should verify the modified ACL and look for hit counts, and also check that the HTTP service is actually enabled on the router.

R50

R50#sh ipv6 access-list
IPv6 access list IPv6-WEB
    permit tcp host 2001:CC1E:113::2 host 2001:50:50::50 eq www (1 match) sequence 5
    permit icmp host 2001:CC1E:113::2 host 2001:50:50::50 (5 matches) sequence 10
    deny tcp any host 2001:50:50::50 eq www sequence 15
    deny icmp any any sequence 20
    permit ipv6 any any (18 matches) sequence 25

R50#sh ip http server status
HTTP server status: Disabled
HTTP server port: 80
…

The output above shows that the HTTP service is disabled on the router. We should enable it and see if the problem is solved.

R50

R50(config)#ip http server

ISP3

ISP3#telnet www.global.com 80
Translating "www.global.com"...domain server (255.255.255.255)
Trying 2001:50:50::50, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Sat, 28 Mar 2015 09:37:34 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to www.global.com closed by foreign host]

Everything seems to be operational and matches the output given in the incident. As one final verification, we will examine the HTTP server connection history on R50.

R50

R50#sh ip http server history
HTTP server history:
local-ipaddress:port     remote-ipaddress:port        in-bytes  out-bytes  end-time
[2001:50:50::50]:80    \ [2001:CC1E:113::2]:19931   \ 5         122        10:50:44 03/20
[2001:50:50::50]:80    \ [2001:CC1E:113::2]:56720   \ 13        122        10:54:09 03/20

Summary of Changes

R50

no ipv6 access-list IPv6-WEB
ipv6 access-list IPv6-WEB
 sequence 5 permit tcp host 2001:CC1E:113::2 host 2001:50:50::50 eq 80
 sequence 10 permit icmp host 2001:CC1E:113::2 host 2001:50:50::50
 sequence 15 deny tcp any host 2001:50:50::50 eq 80
 sequence 20 deny icmp any any
 sequence 25 permit ipv6 any any
exit
ip http server
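The first-match behaviour behind Incident 5 can be replayed offline. The following is an added example, not part of the workbook: a small Python evaluator (its parser, function names and the constructed TCP source port are assumptions of this example) that runs ISP3's five echoes and one HTTP connection through the original and the corrected IPv6-WEB entries and reproduces the hit counters shown in the outputs above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL entries transcribed from the two `sh ipv6 access-list` outputs in Incident 5
# (hit counters dropped, sequence number moved to the front for parsing).
ORIGINAL = """
5 permit tcp host 2001:50:50::50 eq www host 2001:CC1E:113::2
10 permit icmp host 2001:50:50::50 host 2001:CC1E:113::2
15 deny tcp any host 2001:50:50::50 eq www
20 deny icmp any any
25 permit ipv6 any any
"""
FIXED = """
5 permit tcp host 2001:CC1E:113::2 host 2001:50:50::50 eq 80
10 permit icmp host 2001:CC1E:113::2 host 2001:50:50::50
15 deny tcp any host 2001:50:50::50 eq 80
20 deny icmp any any
25 permit ipv6 any any
"""
ISP3, WEB = "2001:CC1E:113::2", "2001:50:50::50"  # client and web server from the page
PORT_NAMES = {"www": 80}                           # IOS displays port 80 as "www"


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: Optional[ipaddress.IPv6Address]   # None means "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv6Address]
    dport: Optional[int]
    hits: int = 0


def _endpoint(tok):
    """Consume `any` or `host X`, plus an optional `eq PORT`, from the token list."""
    kind = tok.pop(0)
    if kind not in ("any", "host"):
        raise ValueError(f"unsupported address form: {kind!r}")
    addr = ipaddress.IPv6Address(tok.pop(0)) if kind == "host" else None
    port = None
    if tok[:1] == ["eq"]:
        name = tok[1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        del tok[:2]
    return addr, port


def parse_acl(text):
    """Parse the subset of ACL syntax used on this page into ordered entries."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        rest = tok[3:]
        src, sport = _endpoint(rest)
        dst, dport = _endpoint(rest)
        acl.append(Entry(int(tok[0]), tok[1], tok[2], src, sport, dst, dport))
    return sorted(acl, key=lambda e: e.seq)


def first_match(acl, proto, src, dst, sport=None, dport=None):
    """Return (sequence, action) of the first entry matching an inbound packet."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for e in acl:
        if e.proto not in ("ipv6", proto):
            continue
        wanted = ((e.src, src), (e.dst, dst), (e.sport, sport), (e.dport, dport))
        if all(rule is None or rule == value for rule, value in wanted):
            e.hits += 1
            return e.seq, e.action
    return None, "deny"  # implicit deny; not reached here because of sequence 25


def replay(acl_text):
    """Replay ISP3's ping (5 echoes) and one HTTP connection; return hits per sequence."""
    acl = parse_acl(acl_text)
    for _ in range(5):
        first_match(acl, "icmp", ISP3, WEB)
    first_match(acl, "tcp", ISP3, WEB, sport=19931, dport=80)  # constructed SYN
    return {e.seq: e.hits for e in acl if e.hits}


if __name__ == "__main__":
    print("original:", replay(ORIGINAL))
    print("fixed:   ", replay(FIXED))
```

The original sequences 5 and 10 describe the return direction (server to client), which is why they only match when source and destination are swapped and never collect hits inbound.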


Incident 6

(2 points)

• The NOC team has identified it has lost connectivity to the Global Provider DR Site.

• Isolate and fix the configuration such that the traffic can reach its destination as shown in the output:

R2

R2#sh ip route vrf ISP 221.50.0.50
Routing Table: ISP
Routing entry for 221.0.0.0/8, supernet
  Known via "bgp 7200", distance 20, metric 0
  Tag 20001, type external
  Last update from 123.10.1.6 00:07:20 ago
  Routing Descriptor Blocks:
  * 123.10.1.6, from 123.10.1.6, 00:07:20 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 20001
      MPLS label: none

R2#traceroute vrf ISP 221.50.0.50 num
Type escape sequence to abort.
Tracing the route to 221.50.0.50
VRF info: (vrf in name/id, vrf out name/id)
  1 123.10.1.6 9 msec

Solution

The first thing to notice is that the incident output refers to BGP routes, so that is our starting point and we will focus on it.

R2

R2#sh ip route vrf ISP 221.50.0.50
Routing Table: ISP
% Network not in table

From the output above we can conclude that the route is not being received or learned from our BGP peers, so we will check the BGP peering status:

R2

R2#sh bgp vpnv4 unicast all summary
BGP router identifier 10.2.2.2, local AS number 7200
BGP table version is 12, main routing table version 12
…
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.7.7.7        4         7200    4882     452       12    0    0 06:44:22        3
10.8.8.8        4         7200    4299     450       12    0    0 06:44:23        3
123.10.1.6      4        20001       0       0        1    0    0 1w0d     Idle
132.56.78.1     4        10100   10843   10841       12    0    0 6d20h           2

Let's turn on logging on the router to help us identify the root cause of this.

R2

logging monitor 7
logging buffered 7
logging console 7

*Mar 28 09:52:38.335: %TCP-6-BADAUTH: Invalid MD5 digest from 123.10.1.6(62888) to 123.10.1.5(179) tableid - 1
R2#
*Mar 28 09:52:42.335: %TCP-6-BADAUTH: Invalid MD5 digest from 123.10.1.6(62888) to 123.10.1.5(179) tableid - 1

The logs immediately reveal an authentication issue between our two BGP peers. Let's compare the configurations of both routers, then fix the issue and verify again.

R2

R2#sh run | sec bgp
router bgp 7200
 bgp router-id 10.2.2.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 …
 !
 address-family ipv4 vrf ISP
  network 132.56.78.0 mask 255.255.255.252
  neighbor 123.10.1.6 remote-as 20001
  neighbor 123.10.1.6 password ipx$S
  neighbor 123.10.1.6 activate
  neighbor 123.10.1.6 send-community both
  neighbor 123.10.1.6 route-map BGP-COMM-CLEAR in
  neighbor 132.56.78.1 remote-as 10100
  neighbor 132.56.78.1 activate
  maximum-paths 2
 exit-address-family

R50

R50#sh run | sec bgp
router bgp 20001
 bgp router-id 10.50.50.50
 bgp log-neighbor-changes
 network 10.50.50.0 mask 255.255.255.0
 redistribute connected
 neighbor 123.10.1.5 remote-as 72000
 neighbor 123.10.1.5 password ipx$2
 neighbor 123.10.1.5 send-community both
 neighbor 123.10.1.5 default-originate
 neighbor 123.10.1.5 route-map BGP-PREPEND out

R2

R2(config)#router bgp 7200
R2(config-router)#address-family ipv4 vrf ISP
R2(config-router-af)#no neighbor 123.10.1.6 password ipx$S
R2(config-router-af)#neighbor 123.10.1.6 password ipx$2

At this point we immediately receive several new log messages that indicate another issue: the message states that our peer is not using the correct AS of 1C20 (in hex). Looking at the diagram, we can see that the correct ASN is 7200.

NOTE The hex value 1C20 converted to decimal gives us 7200.

R2

*Mar 28 09:58:52.941: %BGP-3-NOTIFICATION: received from neighbor 123.10.1.6 active 2/2 (peer in wrong AS) 2 bytes 1C20
R2#
*Mar 28 09:58:52.941: %BGP-5-NBR_RESET: Neighbor 123.10.1.6 active reset (BGP Notification received)
*Mar 28 09:58:52.942: %BGP-5-ADJCHANGE: neighbor 123.10.1.6 active vpn vrf ISP Down BGP Notification received
*Mar 28 09:58:52.942: %BGP_SESSION-5-ADJCHANGE: neighbor 123.10.1.6 IPv4 Unicast vpn vrf ISP topology base removed from session BGP Notification received

We now know that the opposite router (R50) is trying to peer using the wrong ASN. We will fix that and see if it gets us to the final solution.

R50

R50(config-router)#router bgp 20001
R50(config-router)#no neighbor 123.10.1.5 remote-as 72000
R50(config-router)#neighbor 123.10.1.5 remote-as 7200
R50(config-router)#neighbor 123.10.1.5 password ipx$2
R50(config-router)#neighbor 123.10.1.5 send-community both
R50(config-router)#neighbor 123.10.1.5 default-originate
R50(config-router)#neighbor 123.10.1.5 route-map BGP-PREPEND out

R2

*Mar 28 10:06:38.622: %BGP-5-ADJCHANGE: neighbor 123.10.1.6 vpn vrf ISP Up

Notice the "neighbor x.x.x.x Up" message on R2, which indicates that the peering between R2 and R50 is up and that we should be receiving routes now. Let's make sure of this and display the output we were asked for in the incident.

R2

R2#sh bgp vpnv4 unicast all sum
BGP router identifier 10.2.2.2, local AS number 7200
BGP table version is 84, main routing table version 84
…
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.7.7.7        4         7200    5206     477       84    0    0 07:03:57        3
10.8.8.8        4         7200    4581     475       84    0    0 07:03:59        3
123.10.1.6      4        20001       9       8       84    0    0 00:00:50       73
132.56.78.1     4        10100   10865   10867       84    0    0 6d20h           2

R2#sh ip route vrf ISP 221.0.0.0
Routing Table: ISP
Routing entry for 221.0.0.0/8, supernet
  Known via "bgp 7200", distance 20, metric 0
  Tag 20001, type external
  Last update from 123.10.1.6 00:04:36 ago
  Routing Descriptor Blocks:
  * 123.10.1.6, from 123.10.1.6, 00:04:36 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 20001
      MPLS label: none

R2#traceroute vrf ISP 221.50.0.50 numeric
Type escape sequence to abort.
Tracing the route to 221.50.0.50
VRF info: (vrf in name/id, vrf out name/id)
  1 123.10.1.6 9 msec * 9 msec

Summary of Changes

R2

conf t
router bgp 7200
 address-family ipv4 vrf ISP
  no neighbor 123.10.1.6 password ipx$S
  neighbor 123.10.1.6 password ipx$2
end

R50

conf t
router bgp 20001
 no neighbor 123.10.1.5 remote-as 72000
 neighbor 123.10.1.5 remote-as 7200
 neighbor 123.10.1.5 password ipx$2
 neighbor 123.10.1.5 send-community both
 neighbor 123.10.1.5 default-originate
 neighbor 123.10.1.5 route-map BGP-PREPEND out
end
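The console messages that pointed to the root causes in Incident 4 (port-security violation) and Incident 6 (TCP MD5 mismatch, BGP notification 2/2) can be triaged automatically. The following is an added example, not part of the workbook: a Python parser (the regexes, field names and the small error table are assumptions of this example) that runs over the log lines copied from this page and decodes the notification data 1C20 to 7200.

```python
import re
from collections import Counter

# Console messages copied from Incidents 4 and 6 on this page.
SAMPLE_LOG = """\
*Mar 28 08:46:38.435: %PM-4-ERR_DISABLE: psecure-violation error detected on Et1/1, putting Et1/1 in err-disable state
*Mar 28 08:46:38.436: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.c000.1410 on port Ethernet1/1.
*Mar 28 09:52:38.335: %TCP-6-BADAUTH: Invalid MD5 digest from 123.10.1.6(62888) to 123.10.1.5(179) tableid - 1
*Mar 28 09:52:42.335: %TCP-6-BADAUTH: Invalid MD5 digest from 123.10.1.6(62888) to 123.10.1.5(179) tableid - 1
*Mar 28 09:58:52.941: %BGP-3-NOTIFICATION: received from neighbor 123.10.1.6 active 2/2 (peer in wrong AS) 2 bytes 1C20
*Mar 28 10:06:38.622: %BGP-5-ADJCHANGE: neighbor 123.10.1.6 vpn vrf ISP Up
"""

SYSLOG = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)")
PSECURE = re.compile(r"MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>[\w/]+)")
BADAUTH = re.compile(r"from (?P<src>[\d.]+)\(\d+\) to (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
NOTIFY = re.compile(
    r"(?P<dir>received from|sent to) neighbor (?P<peer>\S+).*?"
    r"(?P<code>\d+)/(?P<sub>\d+) \((?P<text>[^)]*)\) \d+ bytes (?P<data>[0-9A-F ]+)"
)

# (error code, subcode) pairs from RFC 4271 that this example knows how to name.
BGP_ERRORS = {(2, 2): "OPEN message error: bad peer AS", (4, 0): "hold timer expired"}


def triage(log_text):
    """Turn raw console lines into a short list of findings with a next check."""
    findings, md5 = [], Counter()
    for line in log_text.splitlines():
        m = SYSLOG.search(line)
        if not m:
            continue
        mnem, msg = m["mnem"], m["msg"]
        if mnem == "PSECURE_VIOLATION" and (p := PSECURE.search(msg)):
            findings.append({"kind": "port-security", "port": p["port"], "mac": p["mac"],
                             "check": "compare with the sticky MAC in the port config"})
        elif mnem == "BADAUTH" and (p := BADAUTH.search(msg)):
            # Repeats every few seconds while the peer retries, so count per flow.
            md5[(p["src"], p["dst"], int(p["dport"]))] += 1
        elif mnem == "NOTIFICATION" and (p := NOTIFY.search(msg)):
            code = (int(p["code"]), int(p["sub"]))
            item = {"kind": "bgp-notification", "peer": p["peer"], "direction": p["dir"],
                    "code": code, "meaning": BGP_ERRORS.get(code, p["text"])}
            if code == (2, 2):
                # The data bytes carry an AS number, big-endian (1C20 on this page).
                item["asn"] = int(p["data"].replace(" ", ""), 16)
                item["check"] = "compare remote-as on both peers with the diagram"
            findings.append(item)
    for (src, dst, dport), count in md5.items():
        findings.append({"kind": "tcp-md5", "src": src, "dst": dst, "dport": dport,
                         "count": count,
                         "check": "compare the neighbor password on both peers"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```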


Incident 7

(3 points)

• ISP4 is trying to reach the internet ip address of 8.8.8.8 but is unsuccessful.

• Fix the issue so that the following sequence of commands produces the same relevant result:

R50

R50#traceroute 192.168.44.1 source loopback1
Type escape sequence to abort.
Tracing the route to 192.168.44.1
VRF info: (vrf in name/id, vrf out name/id)
  1 123.10.1.5 8 msec 9 msec 9 msec
  2 123.10.82.8 [AS 10100] [MPLS: Labels 21/18 Exp 0] 26 msec 26 msec 26 msec
  3 * 194.45.67.1 [AS 10100] [MPLS: Labels 17/18 Exp 0] 27 msec *
  4 192.168.44.2 [AS 65505] [MPLS: Label 18 Exp 0] 17 msec 17 msec 17 msec
  5 192.168.44.1 [AS 65505] 26 msec 26 msec *

ISP4

ISP4#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 27/28/30 ms

NOTE This incident is dependent on Incident 6.

The first step here is to test the commands given in the output and see what exactly doesn't work. This will give us a direction as to what we should be focusing on. Let's observe the results of the required traceroute and ping. Also remember that this incident is dependent on Incident 6.

R50

R50#traceroute 192.168.44.1
Type escape sequence to abort.
Tracing the route to 192.168.44.1
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2  *  *  *

ISP4

ISP4#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)

ISP4#sh ip route
…
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.104.104.0/24 is directly connected, Loopback0
L        10.104.104.104/32 is directly connected, Loopback0
B     192.168.0.0/16 [200/0] via 0.0.0.0, 2w1d, Null0
D     192.168.13.0/24 [90/23796062] via 192.168.74.7, 2w1d, Serial4/0
L        192.168.74.4/32 is directly connected, Serial4/0
D     192.168.76.0/24 [90/23796062] via 192.168.74.7, 2w1d, Serial4/0

We have now confirmed that we cannot reach our destination and cannot get further than ISP4: we have no default route and no specific routes toward our destination. Let's try to identify the problem from R4's side by looking further into the BGP and VRF configurations (implied by the diagram).

R4

R4#sh bgp vpnv4 unicast all summary
BGP router identifier 10.4.4.4, local AS number 7200
BGP table version is 2, main routing table version 2
…
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.7.7.7        4         7200   16696   10986        2    0    0 6d22h           0
10.8.8.8        4         7200   16029   10977        2    0    0 6d22h           0
192.168.44.1    4        65505   10988   10977        2    0    0 6d22h           1

R4#sh ip vrf
  Name                             Default RD          Interfaces
  Customer_B                       245:10              Se2/0

R4#sh ip route vrf Customer_B
Routing Table: Customer_B
…
Gateway of last resort is not set

B     192.168.0.0/16 [20/0] via 192.168.44.1, 6d22h
      192.168.44.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.44.0/24 is directly connected, Serial2/0
C        192.168.44.1/32 is directly connected, Serial2/0
L        192.168.44.2/32 is directly connected, Serial2/0

Notice that we are not receiving any routes from neighbors R7 and R8, which according to the diagram are the route reflectors. That seems odd, and we will have to investigate it further. Let's see if the VRF configuration on R4 is correct. We can also use the MPLS diagram provided to compare the VRF settings.

R4

R4#sh run | section vrf
ip vrf Customer_B
 rd 245:10
 route-target export 245:100
 route-target import 10100:10
 ip vrf forwarding Customer_B
 address-family ipv4 vrf Customer_B
  network 10.4.4.0 mask 255.255.255.0
  neighbor 192.168.44.1 remote-as 65505
  neighbor 192.168.44.1 activate

R2

R2#sh run | section vrf
ip vrf ISP
 rd 10100:10
 export map RMAP-EXPORT
 route-target import 10100:100
 route-target import 245:100
 route-target import 400:101
…

R2#sh route-map RMAP-EXPORT
route-map RMAP-EXPORT, permit, sequence 10
  Match clauses:
    ip address prefix-lists: EXPORT
  Set clauses:
    extended community RT:10100:101
  Policy routing matches: 0 packets, 0 bytes
route-map RMAP-EXPORT, permit, sequence 20
  Match clauses:
  Set clauses:
    extended community RT:10100:100
  Policy routing matches: 0 packets, 0 bytes

R2#sh ip prefix-li detail
Prefix-list with the last deletion/insertion: EXPORT
ip prefix-list EXPORT:
   count: 1, range entries: 0, sequences: 5 - 5, refcount: 3
   seq 5 permit 8.8.4.4/32 (hit count: 3, refcount: 1)

If we look closely, we can clearly see that the export route-target used on R2 is different from the one we are using on R4 as the import route-target (it is a mistyped RT). Let's fix that and see what happens.

R4

R4(config)#ip vrf Customer_B
R4(config-vrf)#no route-target import 10100:10
R4(config-vrf)#route-target import 10100:100

R4#sh ip bgp vpnv4 all sum
BGP router identifier 10.4.4.4, local AS number 7200
BGP table version is 2, main routing table version 2
…
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.7.7.7        4         7200      49       6        2    0    0 00:01:57       74
10.8.8.8        4         7200      49       6        2    0    0 00:01:57       74
192.168.44.1    4        65505       7       5        2    0    0 00:01:57        1

R4

undebug all

As we can see, we are now receiving 74 routes from each of our RRs. Let's run the sequence of commands asked for at the beginning of the incident.

R50

R50#traceroute 192.168.44.1 source loopback1
Type escape sequence to abort.
Tracing the route to 192.168.44.1
VRF info: (vrf in name/id, vrf out name/id)
  1 123.10.1.5 8 msec 9 msec 9 msec
  2 123.10.82.8 [AS 10100] [MPLS: Labels 21/18 Exp 0] 26 msec 26 msec 26 msec
  3 * 194.45.67.1 [AS 10100] [MPLS: Labels 17/18 Exp 0] 27 msec *
  4 192.168.44.2 [AS 65505] [MPLS: Label 18 Exp 0] 17 msec 17 msec 17 msec
  5 192.168.44.1 [AS 65505] 26 msec 26 msec *

ISP4

ISP4#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!

Summary of Changes

R4

conf t
ip vrf Customer_B
 no route-target import 10100:10
 route-target import 10100:100
end
clear ip bgp *
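The route-target mismatch in Incident 7 can be checked mechanically before touching the routers. The following is an added example, not part of the workbook: a Python model of the two VRFs shown above (the dictionary layout, function names and sample prefixes are assumptions of this example, as is treating the export map's set clause as the only RT on a route) that shows what R4 imports before and after the fix and flags an import RT that nothing exports.

```python
import ipaddress

# Transcribed from the `sh run | section vrf`, `sh route-map` and `sh ip prefix-li`
# outputs in Incident 7. Each export-map clause is (prefix-list entries or None, RT set).
R2_ISP = {
    "name": "R2/ISP",
    "rd": "10100:10",
    "import": {"10100:100", "245:100", "400:101"},
    "export_map": [
        (["8.8.4.4/32"], "10100:101"),  # sequence 10, prefix-list EXPORT
        (None, "10100:100"),            # sequence 20, no match clause: everything else
    ],
}

# Sample routes assumed to sit in R2's vrf ISP (both prefixes appear on this page).
SAMPLE_PREFIXES = ["8.8.4.4/32", "221.0.0.0/8"]


def r4_customer_b(import_rt):
    """R4's vrf Customer_B with the import RT under test."""
    return {"name": "R4/Customer_B", "rd": "245:10",
            "import": {import_rt}, "export": {"245:100"}}


def export_rts(vrf, prefix):
    """RTs attached to `prefix` when `vrf` exports it into VPNv4."""
    net = ipaddress.ip_network(prefix)
    for plist, rt in vrf.get("export_map", []):
        if plist is None or any(net == ipaddress.ip_network(p) for p in plist):
            return {rt}  # first matching clause wins (assumed to be the only RT set)
    return set(vrf.get("export", ()))


def imported(importer, exporter, prefixes):
    """Prefixes from `exporter` that `importer` accepts: one shared RT is enough."""
    return [p for p in prefixes if export_rts(exporter, p) & importer["import"]]


def lint_imports(importer, exporters, prefixes):
    """Import RTs that no exporter attaches, with a hint when the value is an RD."""
    seen = set()
    for vrf in exporters:
        for p in prefixes:
            seen |= export_rts(vrf, p)
    report = {}
    for rt in sorted(importer["import"] - seen):
        rds = [v["name"] for v in exporters if v["rd"] == rt]
        report[rt] = (f"matches the RD of {rds[0]}, not an RT" if rds
                      else "exported by no VRF")
    return report


if __name__ == "__main__":
    for rt in ("10100:10", "10100:100"):
        vrf = r4_customer_b(rt)
        print(rt, "imports", imported(vrf, R2_ISP, SAMPLE_PREFIXES),
              "lint", lint_imports(vrf, [R2_ISP], SAMPLE_PREFIXES))
```

Under this model the mistyped import value 10100:10 is R2's route distinguisher rather than any route-target R2 exports, which is the kind of RD/RT mix-up the lint hint is meant to surface.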


Incident 8

(2 points)

• Administrator users that are connected to the R5 router are not able to use tftp to download the configuration backup from BB1, which is located at the remote Office.

• Fix the problem so that the following tftp session is successful:

R5#copy tftp://192.1.1.2/startup-config null:
Accessing tftp://192.1.1.2/startup-config...
Loading startup-config from 192.1.1.2 (via Tunnel1): !
[OK - 2364 bytes]

2364 bytes copied in 0.110 secs (21491 bytes/sec)

NOTE While resolving this issue, you are not allowed to create any new interface.

Solution

Start by verifying whether we have reachability to BB1 from R5.

R5

R5#ping 192.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

According to this result we have no connectivity, so we first need to get this fixed. Let's turn on logging on the router and see if that helps us identify the cause.

R5

conf t
logging monitor 7
logging buffered 7
logging console 7

*Mar 28 12:26:38.924: %DUAL-5-NBRCHANGE: EIGRP-IPv4 400: Neighbor 172.20.0.1 (Tunnel1) is down: retry limit exceeded
*Mar 28 12:26:39.154: %DUAL-5-NBRCHANGE: EIGRP-IPv4 400: Neighbor 172.20.0.1 (Tunnel1) is up: new adjacency

R1

R1#ping 194.45.67.17 so e0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 194.45.67.17, timeout is 2 seconds:
Packet sent with a source address of 136.78.90.1
..

From the logs we can see that an EIGRP neighbor is flapping. We need to investigate this further, since it looks as if it affects the DMVPN tunnel that we need to traverse in order to reach our destination of 192.1.1.1 (as per the diagram).

R1

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 194.45.67.17         172.20.0.5  NHRP 00:01:44     S

R1#ping 194.45.67.17 source e0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 194.45.67.17, timeout is 2 seconds:
Packet sent with a source address of 136.78.90.1
.....
Success rate is 0 percent (0/5)

R5

R5#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 136.78.90.1          172.20.0.1    UP 00:05:07     D

R5#ping 136.78.90.1 source s4/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.78.90.1, timeout is 2 seconds:
Packet sent with a source address of 194.45.67.17
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 9/9/10 ms

R5#sh ip route 136.78.90.0
% Network not in table

There is a definite connectivity issue from R5 to R1 and we need it fixed. Let's check R3's routing table for the routes to the tunnel sources.

R3

R3#sh ip route vrf Customer_A
Routing Table: Customer_A
…
Gateway of last resort is not set
      8.0.0.0/32 is subnetted, 1 subnets
B        8.8.4.4 [20/0] via 194.45.67.17 (Customer_C), 00:12:32, Serial4/0
      136.78.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        136.78.90.0/30 is directly connected, Ethernet0/1
L        136.78.90.2/32 is directly connected, Ethernet0/1
      172.9.0.0/32 is subnetted, 1 subnets
B        172.9.9.9 [20/0] via 194.45.67.17 (Customer_C), 00:12:31, Serial4/0
      172.17.0.0/24 is subnetted, 4 subnets
…
B        194.45.67.4/30 [20/0] via 194.45.67.17 (Customer_C), 00:12:31, Serial4/0
B        194.45.67.16/30 is directly connected (Customer_C), 00:12:31, Serial4/0
L        194.45.67.18/32 is directly connected, Serial4/0

R3#sh ip route vrf Customer_A 136.78.90.0
Routing Table: Customer_A
Routing entry for 136.78.90.0/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Ethernet0/1
      Route metric is 0, traffic share count is 1

We are not advertising network 136.78.90.0/30 into BGP, and that is the fault. Let's fix that on R3.

R3

R3(config)#router bgp 7200
R3(config-router)#address-family ipv4 vrf Customer_A
R3(config-router-af)#network 136.78.90.0 mask 255.255.255.252

R5

R5#sh ip route
…
Gateway of last resort is not set

      8.0.0.0/32 is subnetted, 1 subnets
D EX     8.8.4.4 [170/62003200] via 172.17.219.1, 00:21:03, Ethernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.5.5.0/24 is directly connected, Loopback0
L        10.5.5.5/32 is directly connected, Loopback0
      136.78.0.0/30 is subnetted, 1 subnets
D EX     136.78.90.0 [170/61491200] via 194.45.67.18, 00:00:34, Serial4/0
      172.9.0.0/32 is subnetted, 1 subnets



NOTE We might be required to shut / no shut both tunnel ends to get this up and running.

We are now receiving the correct route of 136.78.90.0 and the tunnel interfaces come up. Let's double check this as well:

R1

R1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 194.45.67.17         172.20.0.5    UP 00:02:30     S

R5

R5#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 136.78.90.1          172.20.0.1    UP 00:19:05     D

At this point the DMVPN tunnel is stable but our EIGRP neighbor keeps flapping, and we are also receiving new error messages in our logs:

R1

*Mar 28 11:57:09.276: %DUAL-5-NBRCHANGE: EIGRP-IPv4 400: Neighbor 172.20.0.5 (Tunnel1) is down: Interface PEER-TERMINATION received
*Mar 28 11:57:09.434: %DUAL-5-NBRCHANGE: EIGRP-IPv4 400: Neighbor 172.20.0.5 (Tunnel1) is up: new adjacency
*Mar 28 11:57:09.462: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel1, addr 172.20.0.5 - looped chain attempting to stack

Error messages of this type ("looped chain attempting to stack") are usually caused by route recursion, meaning that we are advertising the source of the tunnel over the tunnel itself. Let's review the EIGRP configuration on R5.

R5
R5#sh run | sec eigrp
router eigrp CCIE
 !
 address-family ipv4 unicast autonomous-system 400
  !
  topology base
  exit-af-topology
  network 172.17.218.2 0.0.0.0
  network 172.17.219.2 0.0.0.0
  network 172.20.0.5 0.0.0.0
  network 194.45.67.17 0.0.0.0
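A check for the condition described above, written as an added example (not from the workbook): it reads R5's EIGRP network statements and reports any statement that also enables EIGRP on the hub's NBMA address while the same process runs over the tunnel. The two addresses come from the sh dmvpn output above; the function names are hypothetical, and a hit is a candidate for recursion, not proof of it.

```python
import ipaddress
import re

# R5's EIGRP section as shown in `sh run | sec eigrp` above.
R5_EIGRP = """\
router eigrp CCIE
 !
 address-family ipv4 unicast autonomous-system 400
  !
  topology base
  exit-af-topology
  network 172.17.218.2 0.0.0.0
  network 172.17.219.2 0.0.0.0
  network 172.20.0.5 0.0.0.0
  network 194.45.67.17 0.0.0.0
"""

# From R1's `sh dmvpn`: the hub's tunnel address and its NBMA address.
HUB_TUNNEL_ADDR = "172.20.0.5"
HUB_NBMA_ADDR = "194.45.67.17"

# Matches EIGRP-style statements only; BGP "network x mask y" does not match.
NETWORK_RE = re.compile(
    r"^\s*network\s+(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+\.\d+\.\d+\.\d+))?\s*$"
)


def classful_wildcard(addr):
    """Wildcard implied when a network statement carries no mask."""
    first_octet = addr >> 24
    if first_octet < 128:
        return 0x00FFFFFF  # class A
    if first_octet < 192:
        return 0x0000FFFF  # class B
    return 0x000000FF      # class C


def parse_network_statements(config):
    """Return (text, address, wildcard) for every EIGRP network statement."""
    statements = []
    for line in config.splitlines():
        match = NETWORK_RE.match(line)
        if not match:
            continue
        addr = int(ipaddress.IPv4Address(match.group(1)))
        if match.group(2):
            wildcard = int(ipaddress.IPv4Address(match.group(2)))
        else:
            wildcard = classful_wildcard(addr)
        statements.append((line.strip(), addr, wildcard))
    return statements


def covers(addr, wildcard, ip):
    """True when ip equals addr on every bit the wildcard does not ignore."""
    care_bits = ~wildcard & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & care_bits) == 0


def recursion_candidates(config, tunnel_addr, nbma_addr):
    """Statements that put the tunnel source into the process running over the tunnel."""
    statements = parse_network_statements(config)
    runs_over_tunnel = any(covers(a, w, tunnel_addr) for _, a, w in statements)
    if not runs_over_tunnel:
        return []
    return [text for text, a, w in statements if covers(a, w, nbma_addr)]


if __name__ == "__main__":
    for statement in recursion_candidates(R5_EIGRP, HUB_TUNNEL_ADDR, HUB_NBMA_ADDR):
        print("tunnel source advertised into the tunnel's EIGRP process:", statement)
```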

best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 9999:50 (default for vrf INET)
 *>  10.0.0.0         10.50.29.1               0             0 64520 i
 *>  172.0.0.0/8      10.50.29.1               0             0 64520 i
Route Distinguisher: 64520:10 (default for vrf GREEN)
 *>  0.0.0.0          10.10.29.1                             0 64520 i
 *>  10.0.0.0         10.10.29.1               0             0 64520 i
 *>  172.0.0.0/8      10.10.29.1               0             0 64520 i
Route Distinguisher: 64520:20 (default for vrf BLUE)
 *>  0.0.0.0          10.20.29.1                             0 64520 i
 *>  10.0.0.0         10.20.29.1               0             0 64520 i
 *>  172.0.0.0/8      10.20.29.1               0             0 64520 i
Route Distinguisher: 64520:30 (default for vrf RED)
 *>  0.0.0.0          10.30.29.1                             0 64520 i
 *>  10.0.0.0         10.30.29.1               0             0 64520 i
     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.0.0.0/8      10.30.29.1               0             0 64520 i
Route Distinguisher: 65423:40 (default for vrf YELLOW)
 *>  0.0.0.0          10.40.29.1                             0 64520 i
 *>  10.0.0.0         10.40.29.1               0             0 64520 i
 *>  172.0.0.0/8      10.40.29.1               0             0 64520 i

[… Omitted…]

Now, let’s do a connectivity test between RTP and New York. We can use a TCL script for this. The example is performed from R9.

R9
tclsh
foreach i {
10.10.29.2
10.10.39.3
10.20.29.2
10.20.39.3
10.30.29.2
10.30.39.3
10.40.29.2
10.40.39.3
10.50.29.2
10.50.39.3
} { ping $i repeat 1 }

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.10.29.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.10.39.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.20.29.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 8/8/8 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.20.39.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.30.29.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 5/5/5 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.30.39.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.40.29.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.40.39.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 5/5/5 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.50.29.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.50.39.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 5/5/5 ms

Task 2.6: BGP in AS 65444 (4 points)

• Use loopback 0 as the BGP router-id on all routers.
• IPv4 must be disabled by default.
• Configure a full mesh iBGP peering between all three routers using any configuration method.
• Configure the eBGP peerings to AS 3333, AS 7777.
• R11 must be selected as the preferred exit point for traffic destined to remote-ASes.
• R13 must be selected as the next preferred exit point in case R11 fails.
• No BGP speaker should use the network command.
• Ensure that BGP next-hop is never marked as unreachable as long as loopback 0 interface of the remote peer are known via the IGP.
• Redistribute EIGRP into BGP on R11.

Solution
Configure BGP as outlined in the task. First, we need to use Loopback0 as the BGP router-id for all routers. Second, we have to disable IPv4 for BGP by default. Third, we can use any method to create the iBGP peerings; we will use Loopback0. Fourth, we need to prefer R11 as the exit point to the Service Providers (remember we have two, one through AS 3333 and one through AS 7777), and make sure that R13 is the next preferred exit. Fifth, make sure that the BGP next-hop is never marked as unreachable as long as Loopback0 of the peers is known; basically, we need to use “next-hop-self” to accomplish this. Finally, redistribute EIGRP into BGP on R11.

R11
R11(config)#route-map RMAP-PREF permit 10
R11(config-route-map)#set local-pref 200
R11(config-route-map)#!
R11(config-route-map)#router bgp 65444
R11(config-router)#bgp router-id 172.17.11.11
R11(config-router)#no bgp default ipv4-unicast
R11(config-router)#neighbor 188.166.153.3 remote-as 3333
R11(config-router)#neighbor 172.17.13.13 remote-as 65444
R11(config-router)#neighbor 172.17.12.12 remote-as 65444
R11(config-router)#neighbor 172.17.13.13 update-source loopback0
R11(config-router)#neighbor 172.17.12.12 update-source loopback0
R11(config-router)#address-family ipv4
R11(config-router-af)#redistribute eigrp 23456
R11(config-router-af)#neighbor 188.166.153.3 activate
R11(config-router-af)#neighbor 188.166.153.3 route-map RMAP-PREF in
R11(config-router-af)#neighbor 172.17.13.13 activate
R11(config-router-af)#neighbor 172.17.12.12 activate
R11(config-router-af)#neighbor 172.17.13.13 next-hop-self
R11(config-router-af)#neighbor 172.17.12.12 next-hop-self

R12
R12(config)#router bgp 65444
R12(config-router)#bgp router-id 172.17.12.12
R12(config-router)#no bgp default ipv4-unicast
R12(config-router)#neighbor 172.17.11.11 remote-as 65444
R12(config-router)#neighbor 172.17.13.13 remote-as 65444
R12(config-router)#neighbor 172.17.11.11 update-source loopback0
R12(config-router)#neighbor 172.17.13.13 update-source loopback0
R12(config-router)#address-family ipv4
R12(config-router-af)#neighbor 172.17.13.13 activate
R12(config-router-af)#neighbor 172.17.11.11 activate
R12(config-router-af)#neighbor 172.17.11.11 next-hop-self
R12(config-router-af)#neighbor 172.17.13.13 next-hop-self

R13
R13(config)#route-map RMAP-PREF permit 10
R13(config-route-map)#set local-pref 150
R13(config-route-map)#!
R13(config-route-map)#router bgp 65444
R13(config-router)#bgp router-id 172.17.13.13
R13(config-router)#no bgp default ipv4-unicast
R13(config-router)#neighbor 188.166.137.2 remote-as 7777
R13(config-router)#neighbor 172.17.11.11 remote-as 65444
R13(config-router)#neighbor 172.17.12.12 remote-as 65444
R13(config-router)#neighbor 172.17.11.11 up lo0
R13(config-router)#neighbor 172.17.12.12 up lo0
R13(config-router)#address-family ipv4
R13(config-router-af)#neighbor 188.166.137.2 activate
R13(config-router-af)#neighbor 188.166.137.2 route-map RMAP-PREF in
R13(config-router-af)#neighbor 172.17.11.11 activate
R13(config-router-af)#neighbor 172.17.12.12 activate
R13(config-router-af)#neighbor 172.17.11.11 next-hop-self
R13(config-router-af)#neighbor 172.17.12.12 next-hop-self

Verification
Let’s verify that R11 is the preferred exit point to other ASes by looking at the BGP table of R12. On R13, we can also see that we have two paths for external destinations: one with a local-preference of 200 (R11) and the other with 150 (ISP7). Remember that the default local-preference value is 100.

R11
R11#sh ip bgp summary
BGP router identifier 172.17.11.11, local AS number 65444
BGP table version is 276, main routing table version 276
92 network entries using 12880 bytes of memory
92 path entries using 7360 bytes of memory
20/15 BGP path/bestpath attribute entries using 2880 bytes of memory
5 BGP AS-PATH entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 23240 total bytes of memory
BGP activity 178/86 prefixes, 263/171 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.17.12.12    4        65444      32      53      276    0    0 00:20:49        0
172.17.13.13    4        65444      29      33      276    0    0 00:11:10        1
188.166.153.3   4         3333      33      36      276    0    0 00:16:26       80

R12
R12#sh ip bgp summary
BGP router identifier 172.17.12.12, local AS number 65444
BGP table version is 523, main routing table version 523
92 network entries using 12880 bytes of memory
92 path entries using 7360 bytes of memory
15/15 BGP path/bestpath attribute entries using 2160 bytes of memory
5 BGP AS-PATH entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 22520 total bytes of memory
BGP activity 178/86 prefixes, 263/171 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.17.11.11    4        65444      53      32      523    0    0 00:21:02       91
172.17.13.13    4        65444      27      21      523    0    0 00:11:39        1

R13
R13#sh ip bgp summary
BGP router identifier 172.17.13.13, local AS number 65444
BGP table version is 348, main routing table version 348
92 network entries using 12880 bytes of memory
172 path entries using 13760 bytes of memory
26/15 BGP path/bestpath attribute entries using 3744 bytes of memory
8 BGP AS-PATH entries using 208 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 30592 total bytes of memory
BGP activity 179/87 prefixes, 259/87 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.17.11.11    4        65444      33      29      348    0    0 00:11:38       91
172.17.12.12    4        65444      22      27      348    0    0 00:11:53        0
188.166.137.2   4         7777      29      36      348    0    0 00:16:47       81

R12
R12#sh ip bgp
BGP table version is 523, local router ID is 172.17.12.12
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 0.0.0.0          172.17.13.13             0    150      0 7777 i
 *>i 5.5.5.5/32       172.17.11.11             0    200      0 3333 7777 ?
 *>i 13.13.1.0/24     172.17.11.11             0    200      0 3333 ?
 *>i 13.13.1.1/32     172.17.11.11             0    200      0 3333 ?
 *>i 13.13.1.3/32     172.17.11.11             0    200      0 3333 1111 ?
 *>i 20.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *>i 21.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *>i 22.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *>i 23.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *>i 24.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *>i 25.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *>i 26.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *>i 27.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *>i 28.0.0.0         172.17.11.11             0    200      0 3333 7777 ?

[… Omitted …]

R13
R13#sh ip bgp
BGP table version is 348, local router ID is 172.17.13.13
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          188.166.137.2                 150      0 7777 i
 *>i 5.5.5.5/32       172.17.11.11             0    200      0 3333 7777 ?
 *                    188.166.137.2            0    150      0 7777 ?
 *>i 13.13.1.0/24     172.17.11.11             0    200      0 3333 ?
 *                    188.166.137.2                 150      0 7777 3333 ?
 *>i 13.13.1.1/32     172.17.11.11             0    200      0 3333 ?
 *                    188.166.137.2                 150      0 7777 3333 ?
 *>i 13.13.1.3/32     172.17.11.11             0    200      0 3333 1111 ?
 *                    188.166.137.2                 150      0 7777 3333 1111 ?
 *>i 20.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *                    188.166.137.2            0    150      0 7777 ?
 *>i 21.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *                    188.166.137.2            0    150      0 7777 ?
 *>i 22.0.0.0         172.17.11.11             0    200      0 3333 7777 ?
 *                    188.166.137.2            0    150      0 7777 ?

[… Omitted …]

Task 2.7: BGP in AS 65423 and AS 65420 (3 points)

• Use loopback 0 as the BGP router-id on all routers.
• R18 must establish an eBGP peering with AS 3333.
• It must receive a default route and all other prefixes from AS 3333.
• R18 must advertise a summary route to AS 3333 for 101.33.20.0/24 and suppress all other routes.
• R18 must redistribute BGP into EIGRP and vice versa.
• R20, R24, and R25 must establish an eBGP peering with AS 6666 in vrf GW.
  o They must not advertise any prefixes at all to AS 6666.
  o They must receive a default route and all other prefixes from AS 6666.
• Use directly connected interfaces for the peering addresses.

Solution
This configuration is rather simple: we need to configure BGP peerings between AS 6666 and AS 65423, and also AS 65420, to achieve connectivity between the Hub and Spoke routers. The task specifically calls for us not to advertise any routes back into AS 6666, but to receive a default route and all other prefixes. This is relevant due to the VRF configuration. Thus we will create some filters and apply them to the BGP neighbors.

R20
R20(config)#route-map DENY deny 10
R20(config-route-map)#router bgp 65423
R20(config-router)#bgp router-id 172.17.20.20
R20(config-router)#address-family ipv4 unicast vrf GW
R20(config-router-af)#neighbor 195.13.206.2 remote-as 6666
R20(config-router-af)#neighbor 195.13.206.2 route-map DENY out

R24
R24(config)#route-map DENY deny 10
R24(config-route-map)#router bgp 65420
R24(config-router)#bgp router-id 172.17.24.24
R24(config-router)#address-family ipv4 unicast vrf GW
R24(config-router-af)#neighbor 193.190.24.1 remote-as 6666
R24(config-router-af)#neighbor 193.190.24.1 route-map DENY out

R25
R25(config)#route-map DENY deny 10
R25(config-route-map)#router bgp 65420
R25(config-router)#bgp router-id 172.17.25.25
R25(config-router)#address-family ipv4 unicast vrf GW
R25(config-router-af)#neighbor 193.190.25.1 remote-as 6666
R25(config-router-af)#neighbor 193.190.25.1 route-map DENY out

Next, we are asked to peer with AS 3333 and must advertise a summary route for 101.33.20.0/24 and suppress all other routes. R18 should also do mutual redistribution between EIGRP and BGP.

R18
R18(config)#router bgp 65423
R18(config-router)#no auto-summary
R18(config-router)#aggregate-address 101.33.20.0 255.255.255.0 summary-only
R18(config-router)#neighbor 195.13.183.2 remote-as 3333
R18(config-router)#redistribute eigrp 34567
R18(config-router)#!
R18(config-router)#router eigrp CCIE
R18(config-router)#address-family ipv4 unicast autonomous-system 34567
R18(config-router-af)#topology base
R18(config-router-af-topology)#redistribute bgp 65423 metric 100 10 1 1 1

NOTE Don't forget to set the k metrics for proper redistribution.

Verification
We should now be learning routes on R20, R24, and R25 from BGP, and we shouldn’t advertise any routes back to the Local Service Provider.

R20
R20#sh bgp vpnv4 unicast vrf GW
BGP table version is 125, local router ID is 172.17.20.20
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65423:20 (default for vrf GW)
 *>  0.0.0.0          195.13.206.2                           0 6666 i
 *>  5.5.5.5/32       195.13.206.2                           0 6666 7777 ?
 *>  13.13.1.0/24     195.13.206.2                           0 6666 7777 3333 ?

[Results Deprecated…]

R24
R24#sh bgp vpnv4 unicast vrf GW
BGP table version is 125, local router ID is 172.17.24.24
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65423:20 (default for vrf GW)
 *>  0.0.0.0          193.190.24.1                           0 6666 i
 *>  5.5.5.5/32       193.190.24.1                           0 6666 7777 ?
 *>  13.13.1.0/24     193.190.24.1                           0 6666 7777 3333

[Results Deprecated…]

R25
R25#sh bgp vpnv4 unicast vrf GW
BGP table version is 125, local router ID is 172.17.25.25
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65423:20 (default for vrf GW)
 *>  0.0.0.0          193.190.25.1                           0 6666 i
 *>  5.5.5.5/32       193.190.25.1                           0 6666 7777 ?
 *>  13.13.1.0/24     193.190.25.1                           0 6666 7777 3333 ?

[Results Deprecated…]

Next, let's verify we aren't advertising anything to AS 6666:

R20
R20#sh bgp vpnv4 unicast vrf GW neighbors 195.13.206.2 advertised-routes
Total number of prefixes 0

R24
R24#sh bgp vpnv4 unicast vrf GW neighbors 193.190.24.1 advertised-routes
Total number of prefixes 0

R25
R25#sh bgp vpnv4 unicast vrf GW neighbors 193.190.25.1 advertised-routes
Total number of prefixes 0

Don’t forget to verify R18’s part:

R18
R18#sh ip ro bgp | be Gate
Gateway of last resort is 195.13.183.2 to network 0.0.0.0

B*    0.0.0.0/0 [20/0] via 195.13.183.2, 00:03:45
B     10.0.0.0/8 [20/0] via 195.13.183.2, 00:03:45
      101.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
B        101.33.20.0/24 [200/0] via 0.0.0.0, 00:02:52, Null0
B     172.0.0.0/8 [20/0] via 195.13.183.2, 00:03:45

R18#sh ip bgp | in 101
 s>  101.33.20.0/29   0.0.0.0                  0         32768 ?
 *>  101.33.20.0/24   0.0.0.0                            32768 i
 s>  101.33.20.8/29   0.0.0.0                  0         32768 ?
 s>  101.33.20.16/29  101.33.20.2        1536000         32768 ?
 *>  172.17.19.0/24   101.33.20.2        1024640         32768 ?
 *>  172.17.20.0/24   101.33.20.10       1024640         32768 ?
 *>  172.17.117.0/24  101.33.20.3        3584000         32768 ?
 *>  172.17.118.0/24  101.33.20.11       3584000         32768 ?

R18#sh ip bgp neighbors 195.13.183.2 advertised-routes
BGP table version is 16, local router ID is 172.17.18.18
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  101.33.20.0/24   0.0.0.0                            32768 i
 *>  172.17.18.0/24   0.0.0.0                  0         32768 ?
 *>  172.17.19.0/24   101.33.20.2        1024640         32768 ?
 *>  172.17.20.0/24   101.33.20.10       1024640         32768 ?
 *>  172.17.117.0/24  101.33.20.3        3584000         32768 ?
 *>  172.17.118.0/24  101.33.20.11       3584000         32768 ?

Total number of prefixes 6

Task 2.8: BGP in ASes: 65521, 65522, 65523 (3 points)

• Create the eBGP peerings from ASes 65521, 65522, and 65523 to AS 4444.
• Create the eBGP peering from AS 65522 to AS 7777.
• Use the directly connected serial interfaces to make these peerings.
• Do not perform any redistribution in these ASes.
• R22 should not be sending 172.16.22.0/24 and 172.0.0.0/8 to ISP7.
• R22 should prefer AS 4444 as the preferred exit point for traffic destined to remote-ASes.
  o Accomplish this by a means other than local-preference.

Solution
First, we are asked to peer ASN 4444 with ASNs 65521-23. Second, we should use the directly connected IP addresses to complete the BGP peerings. Third, ASN 65522 should also peer with ASN 7777 but prefer ASN 4444 as the exit point for traffic destined to remote ASes. This is easily accomplished by using the "weight" attribute (the highest value is preferred); there are other ways to accomplish this, but this is the fastest method (a single command).

R21
R21(config)#router bgp 65521
R21(config-router)#bgp router-id 172.17.21.21
R21(config-router)#neighbor 92.82.21.1 remote-as 4444
R21(config-router)#network 172.16.21.0 mask 255.255.255.0

R22
R22(config)#ip prefix-list NO22 seq 5 permit 172.16.22.0/24
R22(config)#ip prefix-list NO22 seq 7 permit 172.0.0.0/8
R22(config)#route-map NO22 deny 10
R22(config-route-map)# match ip address prefix-list NO22
R22(config-route-map)#route-map NO22 permit 20
R22(config)#router bgp 65522
R22(config-router)#bgp router-id 172.17.22.22
R22(config-router)#neighbor 92.82.22.1 remote-as 4444
R22(config-router)#neighbor 92.83.22.21 remote-as 7777
R22(config-router)#neighbor 92.82.22.1 weight 100
R22(config-router)#network 172.16.22.0 mask 255.255.255.0
R22(config-router)#neighbor 92.83.22.21 route-map NO22 out

R23
R23(config)#router bgp 65523
R23(config-router)#bgp router-id 172.17.23.23
R23(config-router)#neighbor 92.82.23.1 remote-as 4444
R23(config-router)#network 172.16.23.0 mask 255.255.255.0

Verification
Let's verify that all three routers have successfully peered with the SP ASes. Also notice that at this point we won't be learning any routes at all, since the MPLS VPNv4 tasks have not yet been completed.

R21
R21#sh ip bgp summary
BGP router identifier 172.17.21.21, local AS number 65521

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
92.82.21.1      4         4444    8900    8900        5    0    0 5d14h           1

R22
R22#sh ip bgp summary
BGP router identifier 172.17.22.22, local AS number 65522

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
92.82.22.1      4         4444    8897    8905        5    0    0 5d14h           1
92.83.22.21     4         7777    8896    8896        5    0    0 5d14h           1

R23
R23#sh ip bgp summary
BGP router identifier 172.17.23.23, local AS number 65523

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
92.82.23.1      4         4444    8889    8899        6    0    0 5d14h           2

Let’s also make sure our weight attribute is working (note that right now we don’t receive any prefixes from AS 4444 other than the connected subnet):

R22
R22#sh ip bgp
BGP table version is 4, local router ID is 172.17.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          92.83.22.21                            0 7777 i
 r>  92.82.22.0/24    92.82.22.1               0           100 4444 ?
 *>  172.16.22.0/24   0.0.0.0                  0         32768 i

R22#sh ip bgp neigh 92.83.22.21 adve
BGP table version is 22, local router ID is 172.17.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 r>  92.82.22.0/24    92.82.22.1               0           100 4444 ?

Total number of prefixes 1
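The first steps of BGP best-path selection that Tasks 2.6 and 2.8 rely on (weight, then local-preference, then AS-path length), as an added example rather than workbook material. The R13 paths are copied from the R13 table in Task 2.6; the R22 paths toward a common prefix are constructed, since R22 learns no such prefix yet, and every later tie-breaker is left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str
    as_path: tuple
    local_pref: int = 100  # default local-preference, as noted in Task 2.6
    weight: int = 0        # default weight for a learned path


# Each step maps a path to a sort key where the smallest value wins.
STEPS = (
    ("weight", lambda p: -p.weight),                # highest weight wins
    ("local-preference", lambda p: -p.local_pref),  # highest local-pref wins
    ("AS-path length", lambda p: len(p.as_path)),   # shortest AS path wins
)


def best_path(paths):
    """Return (best path, name of the step that decided).

    The step is None when only one path was offered or when the paths
    are still tied after the three steps modelled here.
    """
    candidates = list(paths)
    decided_by = None
    for name, key in STEPS:
        if len(candidates) == 1:
            break
        top = min(key(p) for p in candidates)
        survivors = [p for p in candidates if key(p) == top]
        if len(survivors) < len(candidates):
            decided_by = name
        candidates = survivors
    return candidates[0], decided_by


# R13's two paths to 5.5.5.5/32, from the `sh ip bgp` output in Task 2.6.
R13_PATHS = [
    Path("172.17.11.11", (3333, 7777), local_pref=200),
    Path("188.166.137.2", (7777,), local_pref=150),
]

# Constructed: R22 hearing one prefix from both providers, with and
# without `neighbor 92.82.22.1 weight 100`. The AS paths are made up.
R22_WITH_WEIGHT = [
    Path("92.82.22.1", (4444, 3333), weight=100),
    Path("92.83.22.21", (7777,)),
]
R22_WITHOUT_WEIGHT = [
    Path("92.82.22.1", (4444, 3333)),
    Path("92.83.22.21", (7777,)),
]

if __name__ == "__main__":
    for label, paths in (
        ("R13 5.5.5.5/32", R13_PATHS),
        ("R22 with weight", R22_WITH_WEIGHT),
        ("R22 without weight", R22_WITHOUT_WEIGHT),
    ):
        best, step = best_path(paths)
        print(f"{label}: via {best.next_hop}, decided by {step}")
```

On R13 the longer AS path through R11 still wins because local-preference is compared before AS-path length; on R22 the weight is what keeps the shorter path through AS 7777 from being chosen.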

Task 2.9: BGP Routing Policies (3 points)

• All routers in AS 65333 must filter the BGP prefixes which are advertised to their Service Providers - they must allow the 172.0.0.0/8 prefix and a default route. All other VRFs must propagate all prefixes.
• All routers in AS 65444 must filter the BGP prefixes that are advertised to their Service Providers and must allow only prefixes that belong to the 172.0.0.0/8 network.
• Do not use any route-map or access-list to accomplish the above requirements.
• ASes 65521 and 65523 must be reachable from Australia and Mexico; you should be able to ping their interface loopbacks 21 and 23. Traceroute must reveal the exact same path as shown in the following output:

R24#trace 172.16.21.254 so l24 num
Type escape sequence to abort.
Tracing the route to 172.16.21.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.20 18 msec 20 msec 21 msec
  2 101.33.20.9 26 msec 21 msec 24 msec
  3 195.13.183.2 30 msec 29 msec 29 msec
  4 13.13.1.1 [MPLS: Label 25 Exp 0] 43 msec 46 msec 38 msec
  5 10.40.29.2 [MPLS: Label 49 Exp 0] 46 msec 46 msec 45 msec
  6 10.10.29.2 47 msec 45 msec 48 msec
  7 92.82.21.1 [MPLS: Label 24 Exp 0] 58 msec 56 msec 56 msec
  8 92.82.21.21 64 msec *  65 msec

R24#trace 172.16.23.254 so l24 num
Type escape sequence to abort.
Tracing the route to 172.16.23.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.20 21 msec 21 msec 21 msec
  2 101.33.20.9 22 msec 21 msec 22 msec
  3 195.13.183.2 30 msec 26 msec 29 msec
  4 13.13.1.1 [MPLS: Label 25 Exp 0] 46 msec 50 msec 43 msec
  5 10.40.29.2 [MPLS: Label 49 Exp 0] 43 msec 46 msec 46 msec
  6 10.30.29.2 47 msec 47 msec 47 msec
  7 92.82.23.1 [MPLS: Label 27 Exp 0] 57 msec 57 msec 57 msec
  8 92.82.23.23 65 msec *  64 msec

R25
R25#trace 172.16.21.254 so l25 num
Type escape sequence to abort.
Tracing the route to 172.16.21.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.20 43 msec 19 msec 21 msec
  2 101.33.20.9 21 msec 21 msec 21 msec
  3 195.13.183.2 29 msec 21 msec 30 msec
  4 13.13.1.1 [MPLS: Label 25 Exp 0] 47 msec 41 msec 47 msec
  5 10.40.29.2 [MPLS: Label 49 Exp 0] 46 msec 46 msec 48 msec
  6 10.10.29.2 48 msec 48 msec 47 msec
  7 92.82.21.1 [MPLS: Label 24 Exp 0] 58 msec 57 msec 57 msec
  8 92.82.21.21 64 msec *  64 msec

R25#trace 172.16.23.254 so l25 num
Type escape sequence to abort.
Tracing the route to 172.16.23.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.20 21 msec 21 msec 21 msec
  2 101.33.20.9 21 msec 21 msec 22 msec
  3 195.13.183.2 23 msec 29 msec 30 msec
  4 13.13.1.1 [MPLS: Label 25 Exp 0] 45 msec 46 msec 47 msec
  5 10.40.29.2 [MPLS: Label 49 Exp 0] 48 msec 46 msec 46 msec
  6 10.30.29.2 47 msec 45 msec 47 msec
  7 92.82.23.1 [MPLS: Label 27 Exp 0] 50 msec 56 msec 52 msec
  8 92.82.23.23 63 msec *  65 msec

R21
R21#ping 172.16.25.254 so lo021
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.21.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 57/59/63 ms

R21#ping 172.16.24.254 so lo021
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.24.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.21.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 55/59/61 ms

R23
R23#ping 172.16.24.254 so l23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.24.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.23.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/60/61 ms

R23#ping 172.16.25.254 so l23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.23.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/60/62 ms

Solution
This task needs to be done precisely. For all routers in ASN 65333, we need to filter the advertised prefixes and allow only the Class A 172.0.0.0/8 prefix and a default route. The routers in ASN 65444 should also filter prefixes to their Service Providers and allow all prefixes belonging to Class A 172.0.0.0/8. Further, all of this filtering must be done without route-maps or access-lists, so we will use prefix-lists to achieve the desired result. Finally, we will verify connectivity from the Australia and Mexico branches to these three ASes.

R2
R2(config)#ip prefix-list BGP-OUT permit 172.0.0.0/8
R2(config)#ip prefix-list BGP-OUT permit 0.0.0.0/0
R2(config)#router bgp 65333
R2(config-router)#address-family vpnv4
R2(config-router-af)#neighbor 92.82.12.1 prefix-list BGP-OUT out

R3
R3(config)#ip prefix-list BGP-OUT permit 172.0.0.0/8
R3(config)#ip prefix-list BGP-OUT permit 0.0.0.0/0
R3(config)#router bgp 65333
R3(config-router)#address-family vpnv4
R3(config-router-af)#neighbor 92.82.32.2 prefix-list BGP-OUT out

R4
R4(config)#ip prefix-list BGP-OUT permit 172.0.0.0/8
R4(config)#ip prefix-list BGP-OUT permit 0.0.0.0/0
R4(config)#router bgp 65333
R4(config-router)#address-family vpnv4
R4(config-router-af)#neighbor 92.82.44.2 prefix-list BGP-OUT out

R11
R11(config)#ip prefix-list BGP-OUT permit 172.0.0.0/8 le 32
R11(config)#router bgp 65444
R11(config-router)#address-family ipv4
R11(config-router-af)#neighbor 188.166.153.3 prefix-list BGP-OUT out

R13
R13(config)#ip prefix-list BGP-OUT permit 172.0.0.0/8 le 32
R13(config)#router bgp 65444
R13(config-router)#address-family ipv4
R13(config-router-af)#neighbor 188.166.137.2 prefix-list BGP-OUT out
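How the two BGP-OUT lists above differ, as an added example (not workbook code): a prefix-list entry without ge/le matches only that exact prefix and length, while "le 32" also admits every more-specific prefix inside it, and anything unmatched hits the implicit deny. The candidate prefixes are a constructed sample drawn from the outputs in this lab, and the function names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? "
    r"(?P<action>permit|deny) (?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def length_range(self):
        """Prefix lengths this entry accepts."""
        if self.ge is None and self.le is None:
            return self.network.prefixlen, self.network.prefixlen  # exact match
        low = self.ge if self.ge is not None else self.network.prefixlen
        high = self.le if self.le is not None else 32
        return low, high

    def matches(self, route):
        low, high = self.length_range()
        return route.subnet_of(self.network) and low <= route.prefixlen <= high


def parse_prefix_lists(config):
    """Return {list name: entries sorted by sequence number}."""
    lists = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries = lists.setdefault(m["name"], [])
        if m["seq"]:
            seq = int(m["seq"])
        else:  # no seq given: next number is five above the highest so far
            seq = max((e.seq for e in entries), default=0) + 5
        entries.append(Entry(
            seq, m["action"], ipaddress.ip_network(m["prefix"], strict=False),
            int(m["ge"]) if m["ge"] else None,
            int(m["le"]) if m["le"] else None,
        ))
    return {name: sorted(es, key=lambda e: e.seq) for name, es in lists.items()}


def evaluate(entries, prefix):
    """First matching entry decides; no match means the implicit deny."""
    route = ipaddress.ip_network(prefix)
    for entry in entries:
        if entry.matches(route):
            return entry.action
    return "deny"


def permitted(entries, prefixes):
    return [p for p in prefixes if evaluate(entries, p) == "permit"]


# The lists as configured above on R2/R3/R4 and on R11/R13.
R2_CONFIG = """\
ip prefix-list BGP-OUT permit 172.0.0.0/8
ip prefix-list BGP-OUT permit 0.0.0.0/0
"""
R11_CONFIG = "ip prefix-list BGP-OUT permit 172.0.0.0/8 le 32\n"

# Constructed sample of prefixes that appear in this lab's outputs.
CANDIDATES = [
    "0.0.0.0/0", "10.0.0.0/8", "172.0.0.0/8", "172.17.11.0/24",
    "172.17.115.0/24", "5.5.5.5/32", "13.13.1.0/24",
]

if __name__ == "__main__":
    r2 = parse_prefix_lists(R2_CONFIG)["BGP-OUT"]
    r11 = parse_prefix_lists(R11_CONFIG)["BGP-OUT"]
    print("R2 advertises: ", permitted(r2, CANDIDATES))
    print("R11 advertises:", permitted(r11, CANDIDATES))
```

Note that "permit 0.0.0.0/0" passes only the default route; it is "0.0.0.0/0 le 32" that would match every prefix.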

Verification
Let's start by verifying that we are advertising the filtered prefixes according to the task's instructions.

NOTE This verification output is dependent on later tasks; you will need to return to this task at the end of the workbook to re-verify the desired output.

R2, R3, R4
R2#sh bgp all neighbors 92.82.12.1 advertised-routes

[Output omitted…]

For address family: VPNv4 Unicast
BGP table version is 54, local router ID is 172.17.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 9999:50 (default for vrf INET)
 *>  172.0.0.0/8      10.50.29.1               0             0 64520 i
Route Distinguisher: 64520:10 (default for vrf GREEN)
 *>  0.0.0.0          10.10.29.1                             0 64520 i
 *>  172.0.0.0/8      10.10.29.1               0             0 64520 i
Route Distinguisher: 64520:20 (default for vrf BLUE)
 *>  0.0.0.0          10.20.29.1                             0 64520 i
 *>  172.0.0.0/8      10.20.29.1               0             0 64520 i
Route Distinguisher: 64520:30 (default for vrf RED)
 *>  0.0.0.0          10.30.29.1                             0 64520 i
 *>  172.0.0.0/8      10.30.29.1               0             0 64520 i
Route Distinguisher: 65423:40 (default for vrf YELLOW)
 *>  0.0.0.0          10.40.29.1                             0 64520 i
 *>  172.0.0.0/8      10.40.29.1               0             0 64520 i
     Network          Next Hop            Metric LocPrf Weight Path

Total number of prefixes 9

Repeat the same command for R3 and R4 to verify the filtering – just don’t forget to replace the neighbor IP address. Do the same verification for ASN 65444 to see that we met the requirements.

R11 & R13
R11#sh bgp all neighbors 188.166.153.3 advertised-routes
For address family: IPv4 Unicast
BGP table version is 103, local router ID is 172.17.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  172.17.11.0/24   0.0.0.0                  0         32768 ?
 *>  172.17.12.0/24   101.33.10.10       1029760         32768 ?
 *>  172.17.13.0/24   101.33.10.6        1045120         32768 ?
 *>  172.17.115.0/24  101.33.10.6        3599360         32768 ?
 *>  172.17.116.0/24  101.33.10.10       3584000         32768 ?

Total number of prefixes 5

Repeat the same command for R13 to verify the filtering, replacing the neighbor IP address. Lastly, notice that we can't yet verify connectivity to the Australia and Mexico offices, because it depends on almost all of the topology and the remaining tasks. We will have to verify this after we complete all tasks. These are the outputs you should receive; make sure to match them exactly.


R25
R25#trace 172.16.21.254 so l25 num
Type escape sequence to abort.
Tracing the route to 172.16.21.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.20 43 msec 19 msec 21 msec
  2 101.33.20.9 21 msec 21 msec 21 msec
  3 195.13.183.2 29 msec 21 msec 30 msec
  4 13.13.1.1 [MPLS: Label 25 Exp 0] 47 msec 41 msec 47 msec
  5 10.40.29.2 [MPLS: Label 49 Exp 0] 46 msec 46 msec 48 msec
  6 10.10.29.2 48 msec 48 msec 47 msec
  7 92.82.21.1 [MPLS: Label 24 Exp 0] 58 msec 57 msec 57 msec
  8 92.82.21.21 64 msec *  64 msec

R25#trace 172.16.23.254 so l25 num
Type escape sequence to abort.
Tracing the route to 172.16.23.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.20 21 msec 21 msec 21 msec
  2 101.33.20.9 21 msec 21 msec 22 msec
  3 195.13.183.2 23 msec 29 msec 30 msec
  4 13.13.1.1 [MPLS: Label 25 Exp 0] 45 msec 46 msec 47 msec
  5 10.40.29.2 [MPLS: Label 49 Exp 0] 48 msec 46 msec 46 msec
  6 10.30.29.2 47 msec 45 msec 47 msec
  7 92.82.23.1 [MPLS: Label 27 Exp 0] 50 msec 56 msec 52 msec
  8 92.82.23.23 63 msec *  65 msec

R24
R24#trace 172.16.21.254 so l24 num
Type escape sequence to abort.
Tracing the route to 172.16.21.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.20 18 msec 20 msec 21 msec
  2 101.33.20.9 26 msec 21 msec 24 msec
  3 195.13.183.2 30 msec 29 msec 29 msec
  4 13.13.1.1 [MPLS: Label 25 Exp 0] 43 msec 46 msec 38 msec
  5 10.40.29.2 [MPLS: Label 49 Exp 0] 46 msec 46 msec 45 msec
  6 10.10.29.2 47 msec 45 msec 48 msec
  7 92.82.21.1 [MPLS: Label 24 Exp 0] 58 msec 56 msec 56 msec
  8 92.82.21.21 64 msec *  65 msec

R24#trace 172.16.23.254 so l24 num
Type escape sequence to abort.
Tracing the route to 172.16.23.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.20 21 msec 21 msec 21 msec
  2 101.33.20.9 22 msec 21 msec 22 msec
  3 195.13.183.2 30 msec 26 msec 29 msec
  4 13.13.1.1 [MPLS: Label 25 Exp 0] 46 msec 50 msec 43 msec
  5 10.40.29.2 [MPLS: Label 49 Exp 0] 43 msec 46 msec 46 msec
  6 10.30.29.2 47 msec 47 msec 47 msec
  7 92.82.23.1 [MPLS: Label 27 Exp 0] 57 msec 57 msec 57 msec
  8 92.82.23.23 65 msec *  64 msec


R21
R21#ping 172.16.25.254 so lo021
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.21.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 57/58/60 ms

R21#ping 172.16.24.254 so lo021
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.24.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.21.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 57/59/64 ms

R23
R23#ping 172.16.25.254 so lo023
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.23.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 57/60/64 ms

R23#ping 172.16.24.254 so lo023
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.24.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.23.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/58/59 ms


Task 2.10: IPv6 OSPF

(3 points)

• Assign IPv6 addresses according to the IPv6 diagram and table below:

Table 5.12

Device   Interface   IPv6 Address
R2       e0/0        2004::23:1/112
         e0/1.26     2004::26:5/112
R3       e0/0        2004::23:2/112
         e0/1.37     2004::37:9/112
R6       e0/1.26     2004::26:6/112
         e0/1.64     2004::64:13/112
R7       e0/1.37     2004::37:10/112
         e0/1.75     2004::75:17/112
R4       e0/1        2004::64:14/112
R5       e0/1        2004::75:18/112

• Also advertise loopbacks0 of the above mentioned routers.
• Configure the OSPF process ID 12345.
• All routers should support Multi-AF OSPF.
• Do not enable OSPF on any interfaces that are not referenced in the IPv6 diagram/table.
• R2 must be elected as the DR on VLAN23, R3 must be selected as the backup DR on VLAN23 and should take over if R2 is down.
• Configure OSPF Areas: 0,10,20,30,40.

Solution

The first step, configuring IPv6 addresses, was already done for us: the addresses are already configured on the interfaces. The second step is to configure OSPF process ID 12345 and make sure it supports multiple address families (IPv4, IPv6, etc.), so we will use OSPFv3, which is the only one that supports this (neither OSPFv2 nor IPv6 OSPFv2 supports multiple address families). Third, enable OSPFv3 only on the required interfaces by issuing one command at the interface level. Fourth, make R2 the elected OSPF designated router on VLAN23, while also making sure that R3 takes over if R2 goes down.

NOTE Remember that the ipv6 unicast-routing command globally enables IPv6 Routing and must be the first IPv6 command executed on the router.

R2
R2(config)#ipv6 unicast-routing
R2(config)#router ospfv3 12345
R2(config-router)#address-family ipv6 unicast
R2(config-router-af)#router-id 172.17.2.2
R2(config-router-af)#interface e0/1.26
R2(config-subif)#ospfv3 12345 ipv6 area 10
R2(config-subif)#interface e0/0
R2(config-if)#ospfv3 12345 ipv6 area 0
R2(config-if)#ospfv3 12345 ipv6 priority 255
R2(config-if)#interface lo0
R2(config-if)#ospfv3 12345 ipv6 area 0

R3
R3(config)#ipv6 unicast-routing
R3(config)#router ospfv3 12345
R3(config-router)#address-family ipv6 unicast
R3(config-router-af)#router-id 172.17.3.3
R3(config-router-af)#interface e0/1.37
R3(config-subif)#ospfv3 12345 ipv6 area 20
R3(config-subif)#interface e0/0
R3(config-if)#ospfv3 12345 ipv6 area 0
R3(config-if)#ospfv3 12345 ipv6 priority 254
R3(config-if)#interface lo0
R3(config-if)#ospfv3 12345 ipv6 area 0

R6
R6(config)#ipv6 unicast-routing
R6(config)#router ospfv3 12345
R6(config-router)#address-family ipv6 unicast
R6(config-router-af)#router-id 172.17.6.6
R6(config-router-af)#interface e0/1.64
R6(config-subif)#ospfv3 12345 ipv6 area 30
R6(config-subif)#interface e0/1.26
R6(config-subif)#ospfv3 12345 ipv6 area 10
R6(config-subif)#interface lo0
R6(config-if)#ospfv3 12345 ipv6 area 10

R7
R7(config)#ipv6 unicast-routing
R7(config)#router ospfv3 12345
R7(config-router)#address-family ipv6 unicast
R7(config-router-af)#router-id 172.17.7.7
R7(config-router-af)#interface e0/1.75
R7(config-subif)#ospfv3 12345 ipv6 area 40
R7(config-subif)#interface e0/1.37
R7(config-subif)#ospfv3 12345 ipv6 area 20
R7(config-subif)#interface lo0
R7(config-if)#ospfv3 12345 ipv6 area 20

The next step is to configure OSPFv3 Area 30 and Area 40. The process is very similar to the EIGRP process; however, you do not need to enable it globally. Once OSPFv3 is enabled on an interface, the router enables the process globally. Now the tricky part: we need reachability to Areas 30 and 40, but if we look closely we can see that these areas don't have a direct connection to the backbone Area 0. We will overcome this obstacle by configuring "virtual-link" connections for each area.


Diagram 5.13


R2
R2(config)#router ospfv3 12345
R2(config-router)#address-family ipv6 unicast
R2(config-router-af)#area 10 virtual-link 172.17.6.6

R3
R3(config)#router ospfv3 12345
R3(config-router)#address-family ipv6 unicast
R3(config-router-af)#area 20 virtual-link 172.17.7.7

R6
R6(config)#router ospfv3 12345
R6(config-router)#address-family ipv6 unicast
R6(config-router-af)#area 10 virtual-link 172.17.2.2

R7
R7(config)#router ospfv3 12345
R7(config-router)#address-family ipv6 unicast
R7(config-router-af)#area 20 virtual-link 172.17.3.3

R4
R4(config)#router ospfv3 12345
R4(config-router)#address-family ipv6 unicast
R4(config-router-af)#router-id 172.17.4.4
R4(config-router-af)#interface e0/1
R4(config-if)#ospfv3 12345 ipv6 area 30
R4(config-if)#interface lo0
R4(config-if)#ospfv3 12345 ipv6 area 30

R5
R5(config)#router ospfv3 12345
R5(config-router)#address-family ipv6 unicast
R5(config-router-af)#router-id 172.17.5.5
R5(config-router-af)#interface e0/1
R5(config-if)#ospfv3 12345 ipv6 area 40
R5(config-if)#interface lo0
R5(config-if)#ospfv3 12345 ipv6 area 40

Verification

We can verify the requirements of this task by first looking at the routing table of R2 and R3. It should hold OSPF inter-area and intra-area routes.

R2
R2#sh ipv6 route ospf
IPv6 Routing Table - default - 20 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, ls - LISP site
       ld - LISP dyn-EID, a - Application
O   2001::3/128 [110/10]
     via FE80::A8BB:CCFF:FE00:300, Ethernet0/0
OI  2001::4/128 [110/20]
     via FE80::A8BB:CCFF:FE00:610, Ethernet0/1.26
OI  2001::5/128 [110/30]
     via FE80::A8BB:CCFF:FE00:300, Ethernet0/0
O   2001::6/128 [110/10]
     via FE80::A8BB:CCFF:FE00:610, Ethernet0/1.26
OI  2001::7/128 [110/20]
     via FE80::A8BB:CCFF:FE00:300, Ethernet0/0
OI  2004::37:0/112 [110/20]
     via FE80::A8BB:CCFF:FE00:300, Ethernet0/0
OI  2004::37:9/128 [110/10]
     via FE80::A8BB:CCFF:FE00:300, Ethernet0/0
OI  2004::64:0/112 [110/20]
     via FE80::A8BB:CCFF:FE00:610, Ethernet0/1.26
OI  2004::75:0/112 [110/30]
     via FE80::A8BB:CCFF:FE00:300, Ethernet0/0

R3
R3#sh ipv6 route ospf
IPv6 Routing Table - default - 20 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, ls - LISP site
       ld - LISP dyn-EID, a - Application
O   2001::2/128 [110/10]
     via FE80::A8BB:CCFF:FE00:200, Ethernet0/0
OI  2001::4/128 [110/30]
     via FE80::A8BB:CCFF:FE00:200, Ethernet0/0
OI  2001::5/128 [110/20]
     via FE80::A8BB:CCFF:FE00:710, Ethernet0/1.37
OI  2001::6/128 [110/20]
     via FE80::A8BB:CCFF:FE00:200, Ethernet0/0
O   2001::7/128 [110/10]
     via FE80::A8BB:CCFF:FE00:710, Ethernet0/1.37
OI  2004::26:0/112 [110/20]
     via FE80::A8BB:CCFF:FE00:200, Ethernet0/0
OI  2004::26:5/128 [110/10]
     via FE80::A8BB:CCFF:FE00:200, Ethernet0/0
OI  2004::64:0/112 [110/30]
     via FE80::A8BB:CCFF:FE00:200, Ethernet0/0
OI  2004::75:0/112 [110/20]
     via FE80::A8BB:CCFF:FE00:710, Ethernet0/1.37

Next, check which routers are the designated router and the backup designated router for VLAN 23.

R2
R2#sh ospfv3 int ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:200, Interface ID 3
  Area 0, Process ID 12345, Instance ID 0, Router ID 172.17.2.2
  Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 255
  Designated Router (ID) 172.17.2.2, local address FE80::A8BB:CCFF:FE00:200
  Backup Designated router (ID) 172.17.3.3, local address FE80::A8BB:CCFF:FE00:300
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
  Graceful restart helper support enabled
  Index 1/2/3, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 8
  Last flood scan time is 0 msec, maximum is 1 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.17.3.3  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)

Next, although we should already have seen the Area 30 and Area 40 prefixes in our routing table, we will verify the virtual-link status.

R6
R6#sh ospfv3 virtual-links
OSPFv3 12345 address-family ipv6 (router-id 172.17.6.6)
Virtual Link OSPFv3_VL0 to router 172.17.2.2 is up
  Interface ID 33, IPv6 address 2004::26:5
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 10, via interface Ethernet0/1.26, Cost of using 10
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Adjacency State FULL (Hello suppressed)
    Index 1/1/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

R7
R7#sh ospfv3 virtual-links
OSPFv3 12345 address-family ipv6 (router-id 172.17.7.7)
Virtual Link OSPFv3_VL0 to router 172.17.3.3 is up
  Interface ID 33, IPv6 address 2004::37:9
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 20, via interface Ethernet0/1.37, Cost of using 10
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Adjacency State FULL (Hello suppressed)
    Index 1/1/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

We indeed see each of these routes. Now, let’s verify full connectivity of the IPv6 topology using a TCL script.

R2 & R3
tclsh
foreach address {
2001::2
2001::3
2001::4
2001::5
2001::6
2001::7
} { ping $address repeat 1 source lo0 }


Task 2.11: IPv6 BGP

(3 points)

• Assign the IPv6 addressing according to the following table:

Table 5.14

Device   Interface   IPv6 Address
R4       s2/0        2004::44:1/112
R5       s2/0        2004::54:5/112
R21      s2/0        2004::21:21/112
R23      s2/0        2004::23:23/112

• Configure IPv6 eBGP peerings between ASes 65521, 65523 and 65333 with AS 4444.
  o Only add the interfaces that are in the IPv6 diagram.
• Redistribute OSPF into BGP on R4.
• Perform mutual redistribution between OSPF and BGP on R5.
• No BGP speaker should use the network command.
• Do not use any static route or default route anywhere.
• Verify that loopback 21 of R21 and loopback23 of R23 have full connectivity to R2's, and R3's loopback addresses; also the following outputs should match:

R21#ping 2001::2 source Lo21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::2, timeout is 2 seconds:
Packet sent with a source address of 2021::21
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/17 ms

R21#ping 2001::3 source Lo21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::3, timeout is 2 seconds:
Packet sent with a source address of 2021::21
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/16/18 ms

R21#traceroute ipv6 2001::2
Type escape sequence to abort.
Tracing the route to 2001::2

  1 2004::21:1 8 msec 9 msec 8 msec
  2 2004::44:1 [AS 4444] 16 msec 16 msec 17 msec
  3 2004::64:13 [AS 65333] 17 msec 16 msec 17 msec
  4 2004::26:5 [AS 65333] 17 msec 17 msec 17 msec

R21#traceroute ipv6 2001::3
Type escape sequence to abort.
Tracing the route to 2001::3

  1 2004::21:1 9 msec 8 msec 8 msec
  2 2004::54:5 [AS 4444] 18 msec 17 msec 18 msec
  3 2004::75:17 [AS 65333] 17 msec 17 msec 17 msec
  4 2004::37:9 [AS 65333] 18 msec 16 msec 17 msec

R23
R23#ping ipv6 2001::2 source lo23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::2, timeout is 2 seconds:
Packet sent with a source address of 2023::23
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/18 ms

R23#ping ipv6 2001::3 source lo23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::3, timeout is 2 seconds:
Packet sent with a source address of 2023::23
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/16/18 ms

Solution

The first step (IPv6 addresses) is pre-configured. Always look at the initial configs so you don't waste time configuring things that are already in place. The second step is to configure the eBGP peerings for ASN 65521 and 65523 with ASN 4444 without using any network statements. Third, we need to peer ASN 65333 with ASN 4444 and properly configure mutual redistribution between IPv6 BGP and OSPFv3.

R4
R4(config)#ipv6 unicast-routing
R4(config)#router bgp 65333
R4(config-router)#neighbor 2004::44:2 remote-as 4444
R4(config-router)#address-family ipv6 unicast
R4(config-router-af)#redistribute ospf 12345 match internal external include-connected
R4(config-router-af)#neighbor 2004::44:2 activate

R5
R5(config)#ipv6 unicast-routing
R5(config)#router bgp 65333
R5(config-router)#neighbor 2004::54:4 remote-as 4444
R5(config-router)#address-family ipv6 unicast
R5(config-router-af)#redistribute ospf 12345 match internal external include-connected
R5(config-router-af)#neighbor 2004::54:4 activate
R5(config-router-af)#router ospfv3 12345
R5(config-router)#address-family ipv6 unicast
R5(config-router-af)#redistribute bgp 65333

R21
R21(config)#ipv6 unicast-routing
R21(config)#router bgp 65521
R21(config-router)#neighbor 2004::21:1 remote-as 4444
R21(config-router)#address-family ipv6 unicast
R21(config-router-af)#redistribute connected
R21(config-router-af)#neighbor 2004::21:1 activate

R23
R23(config)#ipv6 unicast-routing
R23(config)#router bgp 65523
R23(config-router)#neighbor 2004::23:1 remote-as 4444
R23(config-router)#address-family ipv6 unicast
R23(config-router-af)#redistribute connected
R23(config-router-af)#neighbor 2004::23:1 activate

Verification

Let's verify that we meet all the task requirements by pinging from R21 and R23 towards R2 and R3. We should also match the exact traceroute command output given in the task. We should have full reachability from R21 and R22 towards R2 and R3, as well as all the rest.

R21
R21#ping 2001::2 source Lo21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::2, timeout is 2 seconds:
Packet sent with a source address of 2021::21
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/17 ms

R21#ping 2001::3 source Lo21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::3, timeout is 2 seconds:
Packet sent with a source address of 2021::21
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/16/18 ms

R21#traceroute ipv6 2001::2
Type escape sequence to abort.
Tracing the route to 2001::2
  1 2004::21:1 8 msec 9 msec 8 msec
  2 2004::44:1 [AS 4444] 16 msec 16 msec 17 msec
  3 2004::64:13 [AS 65333] 17 msec 16 msec 17 msec
  4 2004::26:5 [AS 65333] 17 msec 17 msec 17 msec

R21#traceroute ipv6 2001::3
Type escape sequence to abort.
Tracing the route to 2001::3
  1 2004::21:1 9 msec 8 msec 8 msec
  2 2004::54:5 [AS 4444] 18 msec 17 msec 18 msec
  3 2004::75:17 [AS 65333] 17 msec 17 msec 17 msec
  4 2004::37:9 [AS 65333] 18 msec 16 msec 17 msec

R23
R23#ping ipv6 2001::2 source lo23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::2, timeout is 2 seconds:
Packet sent with a source address of 2023::23
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/18 ms

R23#ping ipv6 2001::3 source lo23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::3, timeout is 2 seconds:
Packet sent with a source address of 2023::23
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/16/18 ms

OK, this is our final reachability test. And of course, we are going to use our favorite testing mechanism, a TCL script to accomplish this.

R21
tclsh
foreach address {
2001::2
2001::3
2001::4
2001::5
2001::6
2001::7
} { ping ipv6 $address repeat 1 so loop21 }

R23
tclsh
foreach address {
2001::2
2001::3
2001::4
2001::5
2001::6
2001::7
2021::21
2001::21
2023::23
2001::23
} { ping ipv6 $address repeat 1 source l23 }

Task 2.12: IPv4 Multicast

(3 points)

• SW8 is a multicast server on interface Loopback 0.
• The rendezvous point must be dynamically discovered using standard methods.
• R18's loopback 0 interface must be the elected RP.
• To test, configure R19, R24, and R25 loopback0 to join group 232.8.8.8 as multicast receivers.
• All devices in ASN 65423 and ASN 65420 must participate in multicast routing.
• A ping to 232.8.8.8 must result in a response from the R19, R24, and R25 loopback 0 interfaces, as displayed in the following output:

SW8#ping 232.8.8.8 source lo0
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 232.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.17.118.118

Reply to request 0 from 172.17.19.19, 1 ms
Reply to request 0 from 172.17.25.25, 22 ms
Reply to request 0 from 172.17.24.24, 18 ms

Solution

There are several things to notice before we start. First, the task asks us to configure a Rendezvous Point (RP) that must be discovered using standard methods, so we need to use sparse-mode and a BSR candidate. The RP should be R18's loopback 0 interface. Also, we are explicitly told that all devices must participate, although R20, R18, and SW7 have no receivers. There is also no requirement to enable multicast ONLY on the interfaces needed, but it is still good practice. To simulate multicast receivers, R19, R24, and R25 should join multicast group 232.8.8.8.

NOTE Remember the ip multicast-routing command globally enables IP multicast routing and must be the first multicast command executed on the router.

R18
R18(config)#ip multicast-routing
R18(config)#interface e0/0
R18(config-if)#ip pim sparse-mode
R18(config-if)#interface e0/1
R18(config-if)#ip pim sparse-mode
R18(config-if)#int lo0
R18(config-if)#ip pim sparse-mode
R18(config-if)#ip pim rp-candidate loopback0
R18(config)#ip pim bsr-candidate loopback0

R19
R19(config)#ip multicast-routing
R19(config)#interface e0/0
R19(config-if)#ip pim sparse-mode
R19(config-if)#interface e0/1
R19(config-if)#ip pim sparse-mode
R19(config-if)#int lo0
R19(config-if)#ip pim sparse-mode
R19(config-if)#ip igmp join-group 232.8.8.8

Configure PIM sparse-mode on R20, R24, and R25. Specifically, don't forget about the tunnel interfaces of these routers.

R20
R20(config)#ip multicast-routing
R20(config)#interface e0/0
R20(config-if)#ip pim sparse-mode
R20(config-if)#interface e0/1
R20(config-if)#ip pim sparse-mode
R20(config-if)#int tun0
R20(config-if)#ip pim sparse-mode

Also, we need to configure the multicast receivers using igmp-join.

R24
R24(config)#ip multicast-routing
R24(config)#int tun0
R24(config-if)#ip pim sparse-mode
R24(config-if)#int lo0
R24(config-if)#ip pim sparse-mode
R24(config-if)#ip igmp join-group 232.8.8.8

R25
R25(config)#ip multicast-routing
R25(config)#int tun0
R25(config-if)#ip pim sparse-mode
R25(config-if)#int lo0
R25(config-if)#ip pim sparse-mode
R25(config-if)#ip igmp join-group 232.8.8.8

Verification

NOTE You will not be able to verify this task until DMVPN is up and running.

To verify this task we will ping 232.8.8.8 from SW8 (the multicast server); this must result in a response from R19, R24, and R25, which are the multicast receivers.

SW8
SW8#ping 232.8.8.8 source lo0
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 232.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.17.118.118

Reply to request 0 from 172.17.19.19, 1 ms
Reply to request 0 from 172.17.25.25, 22 ms
Reply to request 0 from 172.17.24.24, 18 ms

If something is not functioning properly, we should start by methodically verifying the PIM neighborships between the devices, then proceed to identify if there are any routing issues which might be affecting our RPF check.


Section 3.0: IPv4 VPN Technology

(16 points)

Task 3.1: MPLS VPN

(3 points)

• Refer to the BGP diagram and VPN topology.
• The global and regional Service providers have agreed to transport the iPexpert VPNs via PE to PE eBGP peering that are already fully configured.
• Complete the configuration of mpls L3VPN in the iPexpert network according to the following requirements:
  o Enable LDP only on required interfaces on all seven routers in AS 65333.
  o Use the interface Lo0 to establish LDP Peerings.
  o R2, R3, R4 and R5 must be configured as PE routers.
  o R6, R7 and R1 must be configured as P routers.
  o Use only one command to achieve this.
  o Ensure that no MPLS interface that belongs to any router in AS 65333 is visible on a traceroute that originates outside of the AS.

Solution

There is a lot going on in this task. Not to mention, it requires the configuration of the next task as well to work properly. Let’s take it step by step. First, let’s enable MPLS throughout the MPLS Core network. Second, use the loopback0 interface to establish the LDP peerings.

R2
R2(config)#ip cef
R2(config)#mpls ldp router-id lo0 force
R2(config)#interface range e0/0,e0/1.26
R2(config-if-range)#mpls ip
R2(config-if-range)#interface s2/2
R2(config-if)#mpls ip

R3
R3(config)#ip cef
R3(config)#mpls ldp router-id lo0 force
R3(config)#interface range e0/0,e0/1.37
R3(config-if-range)#mpls ip
R3(config-if-range)#interface s2/3
R3(config-if)#mpls ip

R4
R4(config)#ip cef
R4(config)#mpls ldp router-id lo0 force
R4(config)#interface range e0/0,e0/1
R4(config-if-range)#mpls ip
R4(config-if-range)#interface s2/0
R4(config-if)#mpls ip

R5
R5(config)#ip cef
R5(config)#mpls ldp router-id lo0 force
R5(config)#interface range e0/0,e0/1
R5(config-if-range)#mpls ip

Next, we were asked to enable LDP on R6, R7, and R1 using only one command.

R1, R6, R7
RX(config)#ip cef
RX(config)#mpls ldp router-id lo0 force
RX(config)#router ospf 12345
RX(config-router)#mpls ldp autoconfig area 0

Last, we need to ensure that the routers in the MPLS domain are not visible on a traceroute that originates from outside of the AS. The command below controls how the time-to-live (TTL) field in the MPLS header is generated when labels are first added to an IP packet; it is used in global configuration mode.

R1-R7
RX(config-router)#no mpls ip propagate-ttl forwarded
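To see why this command hides the core from an outside traceroute, the following Python model (an added example, not part of the workbook) walks traceroute probes along a constructed label-switched path and reports which router answers each TTL. The router names PE1, P1, P2, PE2 and CE2 are hypothetical, and the model assumes penultimate-hop popping and an initial label TTL of 255 when propagation is off.

```python
# Constructed path as seen by a probe source outside the AS (names hypothetical).
PATH = [("PE1", "ingress"), ("P1", "core"), ("P2", "core"),
        ("PE2", "egress"), ("CE2", "dest")]
LABEL_TTL_DEFAULT = 255   # label TTL used when the IP TTL is not propagated


def answering_hop(path, ttl, propagate_forwarded=True, propagate_local=True,
                  from_ingress_pe=False):
    """Return the router that answers a probe sent with IP TTL `ttl`.

    propagate_forwarded=False models 'no mpls ip propagate-ttl forwarded';
    propagate_local=False additionally models the 'local' keyword, which
    covers packets generated on the ingress PE itself.
    """
    ip_ttl, label_ttl, hops = ttl, None, path
    if from_ingress_pe:
        # Locally generated packet: no decrement, label pushed immediately.
        label_ttl = ip_ttl if propagate_local else LABEL_TTL_DEFAULT
        hops = path[1:]
    for i, (name, role) in enumerate(hops):
        if role == "dest":
            return name                       # destination reached
        if label_ttl is None:                 # plain IP forwarding
            ip_ttl -= 1
            if ip_ttl == 0:
                return name                   # TTL expired here
            if role == "ingress":             # label imposition
                label_ttl = ip_ttl if propagate_forwarded else LABEL_TTL_DEFAULT
        else:                                 # label switching
            label_ttl -= 1
            if label_ttl == 0:
                return name                   # label TTL expired here
            if hops[i + 1][1] == "egress":    # penultimate hop pops the label
                ip_ttl = min(ip_ttl, label_ttl)   # copy back only if smaller
                label_ttl = None
    return None


def trace(path, max_ttl=30, **mode):
    """Hops a traceroute would list, one probe per TTL, until the destination."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        hop = answering_hop(path, ttl, **mode)
        seen.append(hop)
        if hop == path[-1][0]:
            break
    return seen


if __name__ == "__main__":
    print("default              :", trace(PATH))
    print("no propagate forwarded:", trace(PATH, propagate_forwarded=False))
    print("same, traced from PE1 :", trace(PATH, propagate_forwarded=False,
                                           from_ingress_pe=True))
```

In this model the P routers drop out of a trace that starts outside the AS, while a trace started on the ingress PE still lists them because the forwarded keyword leaves locally generated packets untouched.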

Verification

At this point, the only thing we can verify is the LDP relationships. We can glean the status of LDP by looking at R1, which should have a peering with all the MPLS routers. We expect only 2 LDP neighbors.

R1
R1#show mpls ldp neighbor | include Peer|State
    Peer LDP Ident: 172.17.6.6:0; Local LDP Ident 172.17.1.1:0
        State: Oper; Msgs sent/rcvd: 9050/9060; Downstream
    Peer LDP Ident: 172.17.7.7:0; Local LDP Ident 172.17.1.1:0
        State: Oper; Msgs sent/rcvd: 9070/9066; Downstream

Next, we can also take a peek at R1's MPLS forwarding table to see whether we have the LDP ID addresses of all the router peers we are expecting.

R1
R1#sh mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         16         101.33.1.0/30    0             Et0/0      101.33.1.25
           16         101.33.1.0/30    0             Et0/1      101.33.1.30
17         Pop Label  101.33.1.4/30    0             Et0/0      101.33.1.25
18         Pop Label  101.33.1.8/30    0             Et0/1      101.33.1.30
19         Pop Label  101.33.1.12/30   0             Et0/0      101.33.1.25
20         Pop Label  101.33.1.16/30   0             Et0/1      101.33.1.30
21         19         101.33.1.20/30   0             Et0/0      101.33.1.25
           19         101.33.1.20/30   0             Et0/1      101.33.1.30
22         22         172.17.2.0/24    0             Et0/0      101.33.1.25
23         23         172.17.3.0/24    0             Et0/1      101.33.1.30
24         24         172.17.4.0/24    0             Et0/0      101.33.1.25
25         25         172.17.5.0/24    0             Et0/1      101.33.1.30
26         Pop Label  172.17.6.0/24    0             Et0/0      101.33.1.25
27         Pop Label  172.17.7.0/24    0             Et0/1      101.33.1.30

We will do the full verification of the MPLS VRF VPNs after the next section.

Task 3.2: MPLS VPN Connectivity (5 points)

• R1 must reflect VPNv4 prefixes from any PE to any other PE in AS 65333.
• R2 and R3 must establish an eBGP peering with both Service Providers (AS 1111 and AS 2222) for the following VRFs:
  o GREEN
  o BLUE
  o RED
  o YELLOW
  o INET
• R4 must establish an eBGP peering with the Service Provider AS 4444 for the following VRFs:
  o GREEN
  o BLUE
  o RED
• No BGP speaker in AS 65333 may use the “network” statement under any address-family of the BGP router configuration.
• Peer between ASN 65333 (R2, R3) and ASN 64520 (R9). Each sub-interface should have its own BGP peering in its respective VRF.

Solution

First, let's configure the VRFs that are to be used for the MPLS VPNs on all P/PE devices that are missing this configuration. This is a requirement to get the MPLS VPNs to work correctly. The VRFs are listed in the BGP diagram.

R1, R5
RX(config)#ip vrf BLUE
RX(config-vrf)# rd 64520:20
RX(config-vrf)# route-target export 20:20
RX(config-vrf)# route-target import 20:20
RX(config-vrf)#!
RX(config-vrf)#ip vrf GREEN
RX(config-vrf)# rd 64520:10
RX(config-vrf)# route-target export 10:10
RX(config-vrf)# route-target import 10:10
RX(config-vrf)#!
RX(config-vrf)#ip vrf INET
RX(config-vrf)# rd 9999:50
RX(config-vrf)# route-target export 50:50
RX(config-vrf)# route-target import 50:50
RX(config-vrf)#!
RX(config-vrf)#ip vrf RED
RX(config-vrf)# rd 64520:30
RX(config-vrf)# route-target export 30:30
RX(config-vrf)# route-target import 30:30
RX(config-vrf)#!
RX(config-vrf)#ip vrf YELLOW
RX(config-vrf)# rd 65423:40
RX(config-vrf)# route-target export 40:40
RX(config-vrf)# route-target import 40:40

R4 will only peer for BLUE, GREEN and RED (read the next task):

R4
R4(config)#ip vrf BLUE
R4(config-vrf)# rd 64520:20
R4(config-vrf)# route-target export 20:20
R4(config-vrf)# route-target import 20:20
R4(config-vrf)#!
R4(config-vrf)#ip vrf GREEN
R4(config-vrf)# rd 64520:10
R4(config-vrf)# route-target export 10:10
R4(config-vrf)# route-target import 10:10
R4(config-vrf)#!
R4(config-vrf)#ip vrf RED
R4(config-vrf)# rd 64520:30
R4(config-vrf)# route-target export 30:30
R4(config-vrf)# route-target import 30:30

Next, we need to configure R1 as the VPNv4 route-reflector for ASN 65333. The restriction to pay attention to: we cannot use any “network” statement under the address-family of the BGP configuration.

R1
R1(config)#router bgp 65333
R1(config-router)#address-family vpnv4
R1(config-router-af)#neighbor IBGP route-reflector-client
R1(config-router-af)#neighbor 172.17.2.2 activate
R1(config-router-af)#neighbor 172.17.3.3 activate
R1(config-router-af)#neighbor 172.17.4.4 activate
R1(config-router-af)#neighbor 172.17.5.5 activate

R2-R5
RX(config)#router bgp 65333
RX(config-router)#address-family vpnv4
RX(config-router-af)#neighbor 172.17.1.1 activate
RX(config-router-af)#neighbor 172.17.1.1 next-hop-self


NOTE
The remaining part of this task was configured earlier (peerings with ASes 1111, 2222, 4444 and 64520).

Verification

R1
R1#sh bgp all summary | be VPNv4
For address family: VPNv4 Unicast
BGP router identifier 172.17.1.1, local AS number 65333
BGP table version is 55, main routing table version 55
27 network entries using 4104 bytes of memory
47 path entries using 3760 bytes of memory
19/17 BGP path/bestpath attribute entries using 2888 bytes of memory
19 BGP AS-PATH entries using 520 bytes of memory
5 BGP extended community entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 11392 total bytes of memory
BGP activity 213/93 prefixes, 805/585 paths, scan interval 60 secs

Neighbor        V     AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
172.17.2.2      4  65333      31      40      55    0    0 00:01:53       20
172.17.3.3      4  65333      29      41      55    0    0 00:01:50       20
172.17.4.4      4  65333      16      38      55    0    0 00:01:48        7
172.17.5.5      4  65333       7      37      55    0    0 00:01:46        0

R2
R2#sh bgp all summary | be VPNv4
For address family: VPNv4 Unicast
BGP router identifier 172.17.2.2, local AS number 65333
BGP table version is 60, main routing table version 60
27 network entries using 4104 bytes of memory
27 path entries using 2160 bytes of memory
19/17 BGP path/bestpath attribute entries using 2888 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
14 BGP AS-PATH entries using 368 bytes of memory
5 BGP extended community entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 9688 total bytes of memory
BGP activity 219/99 prefixes, 605/480 paths, scan interval 60 secs

Neighbor        V     AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.29.1      4  64520     442     435      60    0    0 06:32:11        3
10.20.29.1      4  64520     441     435      60    0    0 06:32:09        3
10.30.29.1      4  64520     442     435      60    0    0 06:32:11        3
10.40.29.1      4  64520     422     419      60    0    0 06:13:37        3
Neighbor        V     AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
10.50.29.1      4  64520     420     414      60    0    0 06:13:36        2
92.82.12.1      4   1111     453     470      60    0    0 06:21:36        6
172.17.1.1      4  65333      59      51      60    0    0 00:19:32        7

R3
R3#sh bgp all summary | be VPNv4
For address family: VPNv4 Unicast
BGP router identifier 172.17.3.3, local AS number 65333
BGP table version is 51, main routing table version 51
27 network entries using 4104 bytes of memory
47 path entries using 3760 bytes of memory
30/17 BGP path/bestpath attribute entries using 4560 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
20 BGP AS-PATH entries using 544 bytes of memory
5 BGP extended community entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 13136 total bytes of memory
BGP activity 217/97 prefixes, 689/464 paths, scan interval 60 secs

Neighbor        V     AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.39.1      4  64520     442     437      51    0    0 06:33:03        3
10.20.39.1      4  64520     445     436      51    0    0 06:33:06        3
10.30.39.1      4  64520     442     439      51    0    0 06:33:03        3
10.40.39.1      4  64520     423     419      51    0    0 06:14:04        3
Neighbor        V     AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
10.50.39.1      4  64520     422     417      51    0    0 06:14:37        2
92.82.32.2      4   2222     293     302      51    0    0 03:57:20        6
172.17.1.1      4  65333      62      49      51    0    0 00:20:23       27

R4
R4#sh bgp all su | be VPNv4
For address family: VPNv4 Unicast
BGP router identifier 172.17.4.4, local AS number 65333
BGP table version is 67, main routing table version 67
16 network entries using 2432 bytes of memory
17 path entries using 1360 bytes of memory
13/12 BGP path/bestpath attribute entries using 1976 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
13 BGP AS-PATH entries using 344 bytes of memory
3 BGP extended community entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 6232 total bytes of memory
BGP activity 234/104 prefixes, 441/310 paths, scan interval 60 secs

Neighbor        V     AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
92.82.44.2      4   4444     490     518      67    0    0 06:31:22        8
172.17.1.1      4  65333     124      58      67    0    0 00:29:21        9

Task 3.3: DMVPN (4 points)

• Configure DMVPN in ASN 34567 as per the following requirements:
  o Use the preconfigured interface tunnel0 on R20, R24, and R25 in order to accomplish this task.
  o R20 must be configured as DMVPN hub.
  o Use interface s2/0 as the source address of the tunnel on each device, except for R20 which uses interface s2/2.
  o R24 and R25 must be the spokes and must participate in the NHRP information exchange.
  o Place the tunnel source interfaces in VRF GW.
  o Disable sending of ICMP redirect messages on all three tunnel interfaces.
• Configure the following parameters on all three tunnel interfaces:
  o Bandwidth: 1000 kbps
  o Delay: 10000 msec
  o IP MTU: 1400 Bytes
  o TCP MSS: 1380 Bytes
  o NHRP Authentication: "DMVPNk6y"
  o NHRP network-id: 34567
  o NHRP hold time: 10 min
  o Tunnel Key: 34567
• Ensure that spoke-to-spoke traffic does not transit via the hub.

Solution

This task is a little tricky. First of all, we notice that the tunnel needs to be VRF aware, which affects the way we configure the DMVPN and, later on, its encryption. We are also asked to make sure the spoke routers R24 and R25 participate in the NHRP information exchange, and spoke-to-spoke traffic should not transit via the hub, which makes this a Phase-3 DMVPN deployment.

Let's configure the DMVPN hub on R20. Assign all the parameters outlined in the task, such as bandwidth, delay and tcp-mss adjust. Configure ip nhrp redirect so that the spokes can connect to each other without going through the hub (phase 3). Lastly, disable EIGRP split-horizon.

R20
R20(config)#interface tunnel0
R20(config-if)#no ip redirects
R20(config-if)#tunnel vrf GW
R20(config-if)#ip nhrp map multicast dynamic
R20(config-if)#ip nhrp network-id 34567
R20(config-if)#ip nhrp holdtime 600
R20(config-if)#ip nhrp auth DMVPNk6y
R20(config-if)#ip nhrp redirect
R20(config-if)#bandwidth 1000
R20(config-if)#delay 1000
R20(config-if)#ip mtu 1400
R20(config-if)#ip tcp adjust-mss 1380
R20(config-if)#tunnel key 34567
R20(config-if)#tunnel source s2/2
R20(config-if)#tunnel destination dynamic
R20(config-if)#tunnel mode gre multipoint
R20(config-if)#!
R20(config-if)#router eigrp CCIE
R20(config-router)#address-family ipv4 unicast autonomous-system 34567
R20(config-router-af)#af-interface tun0
R20(config-router-af-interface)#no split-horizon
R20(config-router-af-interface)#no next-hop-self

Now, let's configure the DMVPN spokes.

R24
R24(config)#interface tunnel0
R24(config-if)#no ip redirects
R24(config-if)#tunnel vrf GW
R24(config-if)#ip nhrp map 192.168.20.20 195.13.206.1
R24(config-if)#ip nhrp map multicast 195.13.206.1
R24(config-if)#ip nhrp nhs 192.168.20.20
R24(config-if)#ip nhrp network-id 34567
R24(config-if)#ip nhrp holdtime 600
R24(config-if)#ip nhrp auth DMVPNk6y
R24(config-if)#ip nhrp shortcut
R24(config-if)#bandwidth 1000
R24(config-if)#delay 1000
R24(config-if)#ip mtu 1400
R24(config-if)#ip tcp adjust-mss 1380
R24(config-if)#tunnel key 34567
R24(config-if)#tunnel source s2/0
R24(config-if)#tunnel mode gre multipoint

R25
R25(config)#interface tunnel0
R25(config-if)#no ip redirects
R25(config-if)#tunnel vrf GW
R25(config-if)#ip nhrp map 192.168.20.20 195.13.206.1
R25(config-if)#ip nhrp map multicast 195.13.206.1
R25(config-if)#ip nhrp nhs 192.168.20.20
R25(config-if)#ip nhrp network-id 34567
R25(config-if)#ip nhrp holdtime 600
R25(config-if)#ip nhrp auth DMVPNk6y
R25(config-if)#ip nhrp shortcut
R25(config-if)#bandwidth 1000
R25(config-if)#delay 1000
R25(config-if)#ip mtu 1400
R25(config-if)#ip tcp adjust-mss 1380
R25(config-if)#tunnel key 34567
R25(config-if)#tunnel source s2/0
R25(config-if)#tunnel mode gre multipoint
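A mismatched NHRP authentication string or tunnel key, or a spoke without ip nhrp shortcut, is easy to miss across three routers. The following Python check is an added example, not part of the workbook: it audits tunnel0 command lines against the Task 3.3 values and the Phase 3 hub and spoke roles. The function name, the sample strings and the faulty spoke are constructed for illustration.

```python
import re

# Values required by Task 3.3; the auth pattern also accepts the full "authentication" keyword.
REQUIRED = [
    ("tunnel vrf", r"tunnel vrf (\S+)", "GW"),
    ("NHRP network-id", r"ip nhrp network-id (\S+)", "34567"),
    ("NHRP holdtime", r"ip nhrp holdtime (\S+)", "600"),
    ("NHRP authentication", r"ip nhrp auth\S* (\S+)", "DMVPNk6y"),
    ("tunnel key", r"tunnel key (\S+)", "34567"),
    ("IP MTU", r"ip mtu (\S+)", "1400"),
    ("TCP MSS", r"ip tcp adjust-mss (\S+)", "1380"),
]
# Phase 3 roles: the hub sends NHRP redirects; spokes register to an NHS and install shortcuts.
ROLE_LINES = {"hub": ["ip nhrp redirect"], "spoke": ["ip nhrp nhs ", "ip nhrp shortcut"]}
COMMON_LINES = ["no ip redirects", "tunnel mode gre multipoint"]

def audit_tunnel(name, role, config):
    """Return findings for one router's tunnel0 lines (prompts already stripped)."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []
    for label, pattern, want in REQUIRED:
        got = [m.group(1) for line in lines if (m := re.fullmatch(pattern, line))]
        if got != [want]:
            findings.append(f"{name}: {label} is {got or 'missing'}, expected {want}")
    for needed in ROLE_LINES[role] + COMMON_LINES:
        if not any(line.startswith(needed) for line in lines):
            findings.append(f"{name}: missing '{needed.strip()}'")
    return findings

# Constructed sample input: tunnel0 commands taken from the solution, one per line.
SHARED = """no ip redirects
tunnel vrf GW
ip nhrp network-id 34567
ip nhrp holdtime 600
ip nhrp auth DMVPNk6y
ip mtu 1400
ip tcp adjust-mss 1380
tunnel key 34567
tunnel mode gre multipoint
"""
HUB = SHARED + "ip nhrp map multicast dynamic\nip nhrp redirect\n"
SPOKE = SHARED + "ip nhrp nhs 192.168.20.20\nip nhrp shortcut\n"
# Constructed faulty spoke: wrong NHRP string and no shortcut switching.
BAD_SPOKE = SPOKE.replace("DMVPNk6y", "dmvpnkey").replace("ip nhrp shortcut\n", "")

if __name__ == "__main__":
    for name, role, cfg in [("R20", "hub", HUB), ("R24", "spoke", SPOKE),
                            ("R25", "spoke", BAD_SPOKE)]:
        print(name, audit_tunnel(name, role, cfg) or "OK")
```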

Verification

Let's verify this. First, we will go to the hub router (R20) and check whether all spokes are properly registered.

R20
R20#sh ip nhrp
192.168.20.24/32 via 192.168.20.24
   Tunnel0 created 5d13h, expire 00:08:10
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 193.190.24.24
192.168.20.25/32 via 192.168.20.25
   Tunnel0 created 5d13h, expire 00:08:17
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 193.190.25.25
R20#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
=======================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 193.190.24.24     192.168.20.24    UP    5d13h     D
     1 193.190.25.25     192.168.20.25    UP    5d13h     D

Next, let's see the NHRP mapping on the spokes side.

R24
R24#sh ip nhrp
192.168.20.20/32 via 192.168.20.20
   Tunnel0 created 5d14h, never expire
   Type: static, Flags: used
   NBMA address: 195.13.206.1

R25
R25#sh ip nhrp
192.168.20.20/32 via 192.168.20.20
   Tunnel0 created 5d14h, never expire
   Type: static, Flags: used
   NBMA address: 195.13.206.1

Last, we need to confirm that we successfully configured DMVPN phase 3. We will ping the other remote site; the first ping initiates the dynamic tunnel creation, and the next packets should flow directly through the dynamic tunnel. We will take a traceroute before and after to identify this behavior.

NOTE
To see outputs matching those below, you should now go back to Task 2.4 and configure EIGRP between the routers so they can start exchanging prefixes over the Cloud. Once you are done with Task 2.4, Task 2.12 (multicasting) should also be working.

R24
R24#traceroute 172.16.25.254 source lo24
Type escape sequence to abort.
Tracing the route to 172.16.25.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.20 21 msec 192.168.20.25 21 msec
R24#sh ip nhrp
192.168.20.20/32 via 192.168.20.20
   Tunnel0 created 5d14h, never expire
   Type: static, Flags: used
   NBMA address: 195.13.206.1
192.168.20.25/32 via 192.168.20.25
   Tunnel0 created 00:00:52, expire 00:09:07
   Type: dynamic, Flags: router used nhop
   NBMA address: 193.190.25.25
R24#traceroute 172.16.25.254 source lo24
Type escape sequence to abort.
Tracing the route to 172.16.25.254
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.20.25 21 msec * 22 msec

Task 3.4:
