CCIE SP Practice Lab
Lizabete Cacic, Technical Leader
Lukasz Bromirski, System Engineering Manager
LTRCCIE-3401
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Sun Tzu – The Art of War
“If you know the enemy and yourself,
you need no fear the results of a hundred battles”
Agenda
• CCIE SP Lab Format
• LabTorial Overview
• Hands-on Lab
• Troubleshoot Lab
• Diagnostic Lab
• Configuration Lab
• Lab Review
• Questions & Answers
CCIE SP Lab Format
CCIE SP v4.1 – Unified Exam Topics
Domains                                                    Written   Lab
1. Core Routing                                            25%       30%
2. Service Provider Architecture and Services              21%       22%
3. Access and Aggregation                                  18%       21%
4. High Availability and Fast Convergence                  14%       15%
5. Service Provider Security, Operation, and Management    12%       12%
6. Evolving Technologies                                   10%       n/a
https://learningnetwork.cisco.com/community/certifications/ccie_service_provider/written_exam_v4/exam-topics
CCIE Passing Criteria
• 120 min • Optional +30 min
• Independent incidents • Console access to the devices
• Topology specific for TS scenarios
• 60 min • No optional time
• Independent tickets • No console access to the devices
• Multiple sources of information (like diagrams, emails, and logs)
• 300 min (5h) • Optional - 30 min (if used in TS)
• Dependent items • Console access to the devices
• Topology specific for configuration scenario
LabTorial Overview
Login Page
CCIE SP Lab Exam Format
[Figure: CCIE SP lab exam format, web-based delivery. Module labels: (2h) Optional + 30 min; (60 min); (5h) Optional - 30 min. Per-question averages shown: about 10 to 12 minutes; 6 minutes; about 10 to 12 minutes.]
Hands-on Lab
Troubleshooting Module
CCIE SP Troubleshoot – CiscoLive! Barcelona 2018
• LDP – 2 points
• mLDP – 2 points
• L2VPN – 1 point
• L3VPN – 2 points
• QoS – 2 points
• BGP PIC – 2 points
• Control Plane Security – 2 points
Duration: 60m / Total points: 13
Lab topology: Troubleshooting
[Figure: lab topology diagram. AS labels: AS 43, AS 44, AS 45, AS 46, AS 100, AS 200, AS 300, AS 4142. Router labels: CE41, CE42, CE43, CE44, CE45, CE46, PE11, PE12, PE13, P14, P15, PE16, RR17, PE21, PE22, PE23, PE24, RR25, PE31.]
Loopback0: 10.0.0.x/32, where x is the Router No.
XR interfaces begin with G0/0/0/x
The last octet of an IP address is the Router No. + mask /24
Trouble Ticket 1: LDP
An AS100 operations engineer notices that the LDP sessions on PE11 are down. Your task is to fix this issue.
Score: 2 points
TS – Ticket 1: LDP
RP/0/0/CPU0:PE11#sh mpls ldp neighbor
[empty]
RP/0/0/CPU0:PE11#sh mpls ldp discovery
Local LDP Identifier: 10.0.0.11:0
Discovery Sources:
Interfaces:
GigabitEthernet0/0/0/0 : xmit
VRF: 'default' (0x60000000)
GigabitEthernet0/0/0/1 : xmit/recv
VRF: 'default' (0x60000000)
LDP Id: 10.0.0.13:0, Transport address: 10.0.0.13
Hold time: 15 sec (local:15 sec, peer:15 sec)
Established: Jan 08 03:14:14.935 (00:18:15 ago)
[..]
Ticket 1: Solution: TCP process is down
RP/0/0/CPU0:PE11(admin)#sh process tcp
Mon Jan 01 20:36:11.962 UTC
Job Id: 399
PID: 1241295
Executable path: /disk0/iosxr-fwding-6.1.3/bin/tcp
Instance #: 1
Version ID: 00.00.0000
Respawn: ON
Respawn count: 4
Last started: Sat Jan 13 13:03:46 2018
Process state: Killed (last exit status : 94)
Package state: Normal
Process group: dlrsc
core: MAINMEM
Max. core: 0
Level: 181
Placement: None
startup_path: /pkg/startup/tcp.startup
Ready: 0.119s
RP/0/0/CPU0:PE11#sh tcp brief
tcp_show_list_bag_generic: TCP process not running or invalid tuple on this node
Ticket 1: Solution: Restart the crashed TCP process
RP/0/0/CPU0:PE11#admin
RP/0/0/CPU0:PE11(admin)#process start tcp location all
Open a TAC case immediately!
Ticket 1: Verification
RP/0/0/CPU0:PE11#sh mpls ldp neighbor
Peer LDP Identifier: 10.0.0.14:0
TCP connection: 10.0.0.14:54446 - 10.0.0.11:646
Graceful Restart: No
Session Holdtime: 180 sec
State: Oper; Msgs sent/rcvd: 13/28; Downstream-Unsolicited
Up time: 00:03:13
[..]
Peer LDP Identifier: 10.0.0.13:0
TCP connection: 10.0.0.13:15524 - 10.0.0.11:646
Graceful Restart: No
Session Holdtime: 180 sec
State: Oper; Msgs sent/rcvd: 10/10; Downstream-Unsolicited
Up time: 00:00:44
[..]
Trouble Ticket 2: mLDP
ISP AS200 is preparing its core for migration to mLDP. There is an issue with transmission between a simulated source on PE22 and CE45. Your task is to fix this issue. The expected result is shown below.
Score: 2 points
RP/0/0/CPU0:PE22#ping vrf cust45 233.2.2.2 sou 10.3.0.22 tim 1 repeat 2
Reply to request 0 from 10.0.0.45, 1 ms
Reply to request 1 from 10.0.0.45, 9 ms
TS – Ticket 2: mLDP
RP/0/0/CPU0:PE22#sh mpls mldp bindings
No entries in the table to display
RP/0/0/CPU0:PE23#sh mrib vrf cust45 route 233.2.2.2
[..]
(10.3.0.22,233.2.2.2) RPF nbr: 0.0.0.0 Flags: RPF
Up: 00:06:39
Outgoing Interface List
GigabitEthernet0/0/0/3 Flags: F NS, Up: 00:06:39
RP/0/0/CPU0:PE22#sh mrib vrf cust45 route 233.2.2.2
No matching routes in MRIB route-DB
Ticket 2: Solution: Configure the inband mode.
PE22, PE23:
route-policy mldp1
  set core-tree mldp-inband
end-policy
Ticket 2: Verification
RP/0/0/CPU0:PE22#sh mpls mldp bindings
Sun Jan 03 06:26:11.372 UTC
mLDP MPLS Bindings database
LSP-ID: 0x00001 Paths: 2 Flags:
0x00001 P2MP 10.0.0.22 [vpnv4 1:45 10.3.0.22 233.2.2.2]
Local Label: 24014
Remote Label: 24009 NH: 192.168.3.23 Inft: GigabitEthernet0/0/0/3
RP/0/0/CPU0:PE23#sh mpls mldp bind
Sun Jan 03 06:26:46.628 UTC
mLDP MPLS Bindings database
LSP-ID: 0x00001 Paths: 2 Flags:
0x00001 P2MP 10.0.0.22 [vpnv4 1:45 10.3.0.22 233.2.2.2]
Local Label: 24009 Active
Remote Label: 1048577 Inft: Imdtcust45 RPF-ID: 6 TIDv4/v6: 0xE0000011/0x0
RP/0/0/CPU0:PE22#ping vrf cust45 233.2.2.2 sou 10.3.0.22 tim 1 repeat 2
Reply to request 0 from 10.0.0.45, 1 ms
Reply to request 1 from 10.0.0.45, 9 ms
Trouble Ticket 3: L2VPN
AS100 and AS200 offer L2VPN service to CE44 and CE46. There is no communication between CE44 and CE46 because the pseudowire is down. Your task is to identify the issue and fix it.
After this task is completed, CE44 and CE46 should be able to learn each other's loopback IPv4 addresses via RIP.
Notes
• You are not allowed to run LDP between ASs.
• Because of the virtualization environment, CE46 is not able to ping CE44 and vice versa.
Score: 1 point
TS – Ticket 3: L2VPN
PE15#sh mpls l2transport vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
Gi5.10 Eth VLAN 10 10.1.0.24 44 DOWN
CE44#ping 10.4.4.46
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.46, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
TS – Ticket 3: L2VPN
PE15#sh mpls l2 vc det
Local interface: Gi5.10 up, line protocol up, Eth VLAN 10 up
Interworking type is Ethernet
Destination address: 10.1.0.24, VC ID: 44, VC status: down
Last error: Local access circuit is not ready for label advertise
Output interface: none, imposed label stack {}
Preferred path: not configured
Default path: no route
No adjacency
Create time: 06:18:27, last status change time: 04:46:07
Last label FSM state change time: 04:46:07
Signaling protocol: LDP, peer unknown
Targeted Hello: 10.1.0.15(LDP Id) -> 10.1.0.24, LDP is DOWN, no binding
[..]
TS – Ticket 3: L2VPN
PE15#sh ip route 10.1.0.24
Routing entry for 10.1.0.24/32
Known via "bgp 100", distance 200, metric 0
Tag 200, type internal
Last update from 10.0.0.16 00:28:02 ago
Routing Descriptor Blocks:
* 10.0.0.16, from 10.0.0.17, 00:28:02 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 200
MPLS label: 24008
TS – Ticket 3: L2VPN
RP/0/0/CPU0:PE16#sh cef 10.1.0.24
10.1.0.24/32, version 799, drop adjacency, internal 0x1000001 0x0 (ptr 0xa1422e74) [1],
0x0 (0xa13edb00), 0x808 (0xa1583280)
Updated Jan 02 02:28:04.722
Prefix Len 32, traffic index 0, precedence n/a, priority 4
via 172.16.3.22/32, 0 dependencies, recursive, bgp-ext [flags 0x6020]
path-idx 0 NHID 0x0 [0xa0db7294 0x0]
recursion-via-/32
unresolved
local label 24008
labels imposed {24006}
Ticket 3: Solution: Configure static routes to resolve NH
PE16:
!
router static
 address-family ipv4 unicast
  172.16.3.22/32 GigabitEthernet0/0/0/3
!
PE22:
!
router static
 address-family ipv4 unicast
  172.16.3.16/32 GigabitEthernet0/0/0/0
!
Ticket 3: Verification
RP/0/0/CPU0:PE16#sh cef 10.1.0.24/32
[..]
Prefix Len 32, traffic index 0, precedence n/a, priority 4
via 172.16.3.22/32, 5 dependencies, recursive, bgp-ext [flags 0x6020]
path-idx 0 NHID 0x0 [0xa15ebff4 0x0]
recursion-via-/32
next hop 172.16.3.22/32 via 24011/0/21
local label 24008
next hop 172.16.3.22/32 Gi0/0/0/3 labels imposed {ImplNull 24006}
RP/0/0/CPU0:PE22#sh cef 10.1.0.15/32
[..]
Prefix Len 32, traffic index 0, precedence n/a, priority 4
via 172.16.3.16/32, 3 dependencies, recursive, bgp-ext [flags 0x6020]
path-idx 0 NHID 0x0 [0xa15eb7f4 0x0]
recursion-via-/32
next hop 172.16.3.16/32 via 24008/0/21
local label 24007
next hop 172.16.3.16/32 Gi0/0/0/0 labels imposed {ImplNull 24009}
Ticket 3: Verification
PE15#sh mpls l2transport vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
Gi5.10 Eth VLAN 10 10.1.0.24 44 UP
CE44#ping 10.4.4.46
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.46, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 7/8/11 ms
Trouble Ticket 4: L3VPN
There is no communication between CE45 and CE42. This customer uses L3VPN services offered by AS100 and AS200. Your task is to fix this issue.
Score: 2 points
CE45#sh ip route 10.0.0.42
% Subnet not in table
TS – Ticket 4: L3VPN
PE23#sh bgp vrf cust45 summ
[..]
Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
192.168.7.45 0 45 179 163 0 0 0 08:19:10 Idle
RP/0/0/CPU0:PE23#sh cef vrf cust45 10.0.0.42
10.0.0.42/32, version 37, internal 0x1000001 0x0 (ptr 0xa1408874) [1], 0x0 (0x0), 0x208
(0xa1583140)
Updated Jan 02 23:25:19.750
Prefix Len 32, traffic index 0, precedence n/a, priority 3
via 10.0.0.21/32, 0 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0xa0f92294 0x0]
recursion-via-/32
next hop VRF - 'default', table - 0xe0000000
unresolved
labels imposed {34}
Ticket 4: Solution: Fix eBGP session and LSP
PE23:
!
interface GigabitEthernet0/0/0/3
 ipv6 add 2001:0:45::23/64
!
PE11:
!
interface Loopback0
 ip address 10.0.0.21 255.255.255.255
!
Ticket 4: Verification
RP/0/0/CPU0:PE23#sh cef vrf cust45 10.0.0.42
10.0.0.42/32, version 7, internal 0x1000001 0x0 (ptr 0xa1408874) [1], 0x0 (0x0), 0x208
(0xa1583140)
Updated Jan 04 17:49:31.931
Prefix Len 32, traffic index 0, precedence n/a, priority 3
via 10.0.0.21/32, 3 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0xa15eb7f4 0x0]
recursion-via-/32
next hop VRF - 'default', table - 0xe0000000
next hop 10.0.0.21/32 via 24003/0/21
next hop 192.168.1.21/32 Gi0/0/0/0 labels imposed {ImplNull 29}
Ticket 4: Verification
CE45#sh ip route 10.0.0.42
Routing entry for 10.0.0.42/32
Known via "bgp 45", distance 20, metric 0
Tag 200, type external
Last update from 192.168.7.23 00:12:34 ago
Routing Descriptor Blocks:
* 192.168.7.23, from 192.168.7.23, 00:12:34 ago
Route metric is 0, traffic share count is 1
AS Hops 3
Route tag 200
MPLS label: none
CE45#ping 10.0.0.42 sou 10.0.0.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.42, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.45
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/12/35 ms
Trouble Ticket 5: QoS
CE42 implemented QoS recently; since then, the BFD session goes down whenever congestion occurs. Your task is to fix this issue.
Note: You do not need to fix the BFD session.
Score: 2 points
TS – Ticket 5: QoS
CE42#sh policy-map int g2
GigabitEthernet2
Service-policy output: as4142-out
Class-map: bfd (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip dscp cs7 (56)
Queueing
queue limit 416 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 100000 kbps
[..]
Ticket 5: Solution: Match correct markings
CE42(config)#class-map match-any bfd
CE42(config-cmap)#no match ip dscp cs7
CE42(config-cmap)# match ip dscp cs6
Ticket 5: Verification
CE42#sh policy-map int g2
GigabitEthernet2
Service-policy output: as4142-out
Class-map: bfd (match-any)
117 packets, 7949 bytes
5 minute offered rate 1000 bps, drop rate 0000 bps
Match: ip dscp cs6 (48)
Queueing
queue limit 416 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 60/4187
bandwidth 100000 kbps
[..]
Trouble Ticket 6: BGP PIC
An AS100 operations engineer notices that there is no backup entry in the FIB on PE12 for the 10.0.0.43/32 prefix even though BGP PIC is configured. Your task is to fix this issue.
Note: Do not change the BGP sessions.
Score: 2 points
TS – Ticket 6: BGP PIC
PE12#sh bgp vpnv4 unicast all | i 10.0.0.43/32|Disti
Route Distinguisher: 1:1 (default for vrf cust1)
*>i 10.0.0.43/32 10.0.0.11 0 100 0 43 i
Route Distinguisher: 1:43
*>i 10.0.0.43/32 10.0.0.11 0 100 0 43 i
PE12#sh ip cef vrf cust1 10.0.0.43/32 detail
10.0.0.43/32, epoch 0, flags [rib defined all labels]
recursive via 10.0.0.11 label 24007
nexthop 10.1.5.13 GigabitEthernet5 label 24000-(local:20)
nexthop 10.1.9.14 GigabitEthernet3 label 19-(local:20)
Ticket 6: Solution: Change the RD on one of the PEs
PE15:
!
ip vrf cust43
 no rd 1:43
CTRL+Z
ip vrf cust43
 rd 43:43
 route-target export 1:43
 route-target import 1:43
!
router bgp 100
 add ipv4 unicast vrf cust43
  nei 10.3.43.43 remote-as 43
!
Ticket 6: Verification
PE12#sh ip cef vrf cust1 10.0.0.43/32 det
10.0.0.43/32, epoch 0, flags [rib defined all labels]
recursive via 10.0.0.11 label 24007
nexthop 10.1.5.13 GigabitEthernet5 label 24000-(local:20)
nexthop 10.1.9.14 GigabitEthernet3 label 19-(local:20)
recursive via 10.0.0.15 label 36, repair
nexthop 10.1.5.13 GigabitEthernet5 label 24002-(local:21)
Trouble Ticket 7: Control Plane Security
PE16 must be protected so that BGP sessions initiated from AS300 are blocked; however, a BGP session with PE31 must still be established. Your task is to fix the configuration so that it meets this requirement.
Score: 2 points
TS – Ticket 7: Control Plane Security
RP/0/0/CPU0:PE16#sh tcp brief
PCB VRF-ID Recv-Q Send-Q Local Address Foreign Address State
[..]
0x1216c7e8 0x60000000 0 0 172.16.4.16:179 172.16.4.31:36188 ESTAB
[..]
RP/0/0/CPU0:PE31#sh tcp brief
[..]
0x1215b26c 0x60000000 0 0 172.16.5.31:60068 172.16.3.16:179 SYNSENT
0x1216c7e8 0x60000000 0 0 172.16.4.31:179 172.16.4.16:36188 ESTAB
[..]
Ticket 7: Solution: Correct ACL configurations
PE16:
!
ipv4 access-list as300-in
 10 deny tcp any any eq bgp
 20 permit ipv4 any any
!
PE31:
!
ipv4 access-list as100-in
 10 deny tcp any eq bgp any
 20 permit ipv4 any any
!
Ticket 7: Verification
RP/0/0/CPU0:PE16#sh tcp brief
PCB VRF-ID Recv-Q Send-Q Local Address Foreign Address State
[..]
0x1216992c 0x60000000 0 0 172.16.4.16:36028 172.16.4.31:179 ESTAB
[..]
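The effect of the two corrected ACLs on each direction of session setup, as an added example that is not part of the original slides: it evaluates the access lists first-match against the TCP handshake for a BGP session opened by PE16 and one opened by PE31. That each ACL is applied inbound on the PE16-PE31 link is an assumption (the slides do not show the interface configuration); the addresses and ports are the ones in the sh tcp brief output above.

```python
"""First-match evaluation of the Ticket 7 ACLs against BGP session setup."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BGP = 179  # TCP port matched by the "bgp" keyword


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", or "ipv4" to match any IP protocol
    src_port: Optional[int] = None   # None means "any"
    dst_port: Optional[int] = None   # None means "any"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# The two ACLs from the solution slide, entry for entry.
AS300_IN = [Ace("deny", "tcp", dst_port=BGP), Ace("permit", "ipv4")]  # PE16
AS100_IN = [Ace("deny", "tcp", src_port=BGP), Ace("permit", "ipv4")]  # PE31
# Constructed for comparison only; not a configuration from the slides.
PERMIT_ALL = [Ace("permit", "ipv4")]

# Link addresses as seen in the "sh tcp brief" output.
ADDR = {"PE16": "172.16.4.16", "PE31": "172.16.4.31"}


def evaluate(acl: List[Ace], seg: Segment) -> str:
    """Return the action of the first matching entry (implicit deny at the end)."""
    for ace in acl:
        if ace.proto not in ("ipv4", seg.proto):
            continue
        if ace.src_port is not None and ace.src_port != seg.sport:
            continue
        if ace.dst_port is not None and ace.dst_port != seg.dport:
            continue
        return ace.action
    return "deny"


def open_bgp(initiator: str, responder: str,
             inbound: Dict[str, List[Ace]], sport: int) -> Tuple[bool, str]:
    """Walk the handshake; each segment is checked by the receiver's inbound ACL.

    Assumption: the ACLs are attached inbound on the inter-AS interfaces.
    Later segments reuse the same two port pairs, so SYN and SYN-ACK decide
    whether the session can exist at all.
    """
    syn = Segment(ADDR[initiator], sport, ADDR[responder], BGP)
    syn_ack = Segment(ADDR[responder], BGP, ADDR[initiator], sport)
    for name, receiver, seg in (("SYN", responder, syn),
                                ("SYN-ACK", initiator, syn_ack)):
        if evaluate(inbound[receiver], seg) == "deny":
            return False, f"{name} dropped inbound on {receiver}"
    return True, "established"


FIXED = {"PE16": AS300_IN, "PE31": AS100_IN}
ONLY_PE31_ACL = {"PE16": PERMIT_ALL, "PE31": AS100_IN}

if __name__ == "__main__":
    # PE16 opens the session (source port 36028 in the verification output).
    print("PE16 -> PE31:", open_bgp("PE16", "PE31", FIXED, 36028))
    # PE31 opens the session (source port 36188 in the pre-fix output).
    print("PE31 -> PE16:", open_bgp("PE31", "PE16", FIXED, 36188))
    # Same attempt if PE16 had no filter: PE31's own ACL drops the reply.
    print("PE31 -> PE16, PE16 unfiltered:",
          open_bgp("PE31", "PE16", ONLY_PE31_ACL, 36188))
```

Matching on the destination port at PE16 and on the source port at PE31 is what makes the filters directional: only segments that belong to a session whose listening side is PE16 are dropped.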
Diagnostics Module
CCIE SP Diagnostics – CiscoLive! Barcelona 2018
• IGP – 1 point
• MPLS-TE – 1 point
• LISP – 1 point
• PE-CE – 1 point
• Failure Detection – 1 point
Duration: 30m / Total points: 5
Lab topology: Diagnostics
[Figure: lab topology diagram. AS labels: AS 43, AS 44, AS 45, AS 46, AS 100, AS 200, AS 300, AS 4142. Router labels: CE41, CE42, CE43, CE44, CE45, CE46, PE11, PE12, PE13, P14, P15, PE16, RR17, PE21, PE22, PE23, PE24, RR25, PE31.]
Loopback0: 10.0.0.x/32, where x is the Router No.
XR interfaces begin with G0/0/0/x
The last octet of an IP address is the Router No. + mask /24
Task 1: IGP
CE46 (10.0.0.46) can't communicate with CE45 (10.0.0.45). An operations engineer found that an LSP between PE23 and PE24 is broken. What is the root cause of this issue?
a) The MP-BGP next hop 10.0.0.23 is advertised as an OSPF type external route instead of intra- or inter-area.
b) There is a conflict of advertised prefixes in the network between PE23 and another router.
c) PE23 does not assign a label to 10.0.0.0/24.
d) The LSP is broken as the MP-BGP next hop 10.0.0.23 is not advertised as the /32 prefix but with the /24 mask.
e) PE23 breaks an LSP by the aggregation of prefixes to 10.0.0.0/24.
Score: 1 point
Task 1: Email
From: Chris (Support) <[email protected]>
Date: Thu, Jun 15, 2017 at 1:34 PM
To: Brad Whooley <[email protected]>
Subject: No ip reachability
Brad,
We migrated OSPF areas on a couple of our devices. As far as I can see something is wrong with the data plane. Prefixes are advertised correctly. I am waiting for a guy to compare an old config with the current one. Meanwhile I will nail down this issue.
Regards,
Chris
=========================================================
From: Brad Whooley <[email protected]>
Date: Thu, Jun 15, 2017 at 1:12 PM
To: Support <[email protected]>
Subject: No ip reachability
Hi,
We lost connectivity between CE45 and CE46 last night. Did you do anything? Can you check what may be an issue?
Kind regards,
Brad
Task 1: Output
PE24#sh ip route 10.1.0.23
Routing entry for 10.1.0.23/32
Known via "ospf 1", distance 110, metric 3, type intra area
Last update from 192.168.5.22 on GigabitEthernet2, 1w4d ago
Routing Descriptor Blocks:
* 192.168.5.22, from 10.0.0.23, 1w4d ago, via GigabitEthernet2
Route metric is 3, traffic share count is 1
PE24#sh ip route | i 10.0.0.0/24
O E2 10.0.0.0/24 [110/20] via 192.168.5.22, 1w4d, GigabitEthernet2
PE24#sh mpls for 10.1.0.23
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
20 24004 10.1.0.23/32 0 Gi2 192.168.5.22
PE24#traceroute 10.1.0.23
Type escape sequence to abort.
Tracing the route to 10.1.0.23
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.5.22 [MPLS: Label 24004 Exp 0] 4 msec 3 msec 3 msec
2 192.168.3.23 3 msec * 3 msec
Task 1: Output
PE24#sh ip cef vrf cust46 10.0.0.45 det
10.0.0.45/32, epoch 0, flags [rib defined all labels]
recursive via 10.0.0.23 label 24005
recursive via 10.0.0.0/24
nexthop 192.168.5.22 GigabitEthernet2 label 24018-(local:30)
RP/0/0/CPU0:PE22#sh mpls for | i 24018
24018 Unlabelled 10.0.0.0/24 Gi0/0/0/3 192.168.3.23 39070
RP/0/0/CPU0:PE22#sh route 10.1.0.23
Routing entry for 10.1.0.23/32
Known via "ospf 1", distance 110, metric 2, type intra area
Installed Jan 14 08:47:58.026 for 1w4d
Routing Descriptor Blocks
192.168.3.23, from 10.0.0.23, via GigabitEthernet0/0/0/3
Route metric is 2 No advertising protos.
Task 1: Output
RP/0/0/CPU0:PE22#sh mpls ldp bindings 10.0.0.23/24
10.0.0.0/24, rev 54
Local binding: label: 24018
Remote bindings: (1 peers)
Peer Label
----------------- ---------
10.1.0.24:0 30
RP/0/0/CPU0:PE23#sh mpls ldp bindings 10.0.0.23/24
10.0.0.0/24, rev 0 (no route)
No local binding
Remote bindings: (1 peers)
Peer Label
----------------- ---------
10.0.0.22:0 24018
Task 1: Output
RP/0/0/CPU0:PE22#sh mpls ldp bindings 10.0.0.23/32
10.0.0.23/32, rev 0 (no route)
No local binding
Remote bindings: (1 peers)
Peer Label
----------------- ---------
10.0.0.23:0 ExpNullv4
RP/0/0/CPU0:PE23#sh mpls ldp bindings 10.0.0.23/32
10.0.0.23/32, rev 22
Local binding: label: ImpNull
No remote bindings
Task 2: MPLS-TE
The traffic from CE41 10.0.0.46 to CE44 10.0.0.44 should go via P14. The MPLS-TE tunnel 111 is configured on PE11 to PE15, but it is not working as expected. What is the root cause of this issue?
Device:
Issue:
Path Error
No route to destination
Failed link P14-P16
Loose object in a path
Wrong explicit-path
Task 2: Email
From: NOC-global <[email protected]>
Date: Wed, Aug 9, 2017 at 7:51 PM
To: Provisioning <[email protected]>
Subject: Core network down [SR12436343]
Here are outputs. It does not look like an issue with routing or labels. Traffic via T111 is not going through. Shall I shut down this interface or will you verify a cfg? Please let me know asap. Some customers are becoming edgy.
=========================================================
From: Provisioning <[email protected]>
Date: Wed, Aug 9, 2017 at 7:11 PM
To: NOC-global <[email protected]>
Subject: Core network down [SR12436343]
Hi
Derek who configured TE tunnels is out of the office after his shift. I can have a look within an hour. Send us outputs from sh mpls traffic-eng tunnels det, sh route and sh mpls for.
Regards,
Paul
=========================================================
From: NOC-global <[email protected]>
Date: Wed, Aug 9, 2017 at 2:09 PM
To: Provisioning <[email protected]>
Subject: Core network down [SR12436343]
Team,
The core of the network is broken with your recent changes. Please have a look at this case and rollback to the previous configuration.
Regards
Task 2: Output
RP/0/0/CPU0:PE11#sh mpls traffic-eng tunnels det
Tue Jan 16 22:15:53.024 UTC
Name: tunnel-te111 Destination: 10.1.6.15 Ifhandle:0xd0
Signalled-Name: PE11_t111
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 10, type dynamic (Basis for Setup, path weight 20)
path option 5, type explicit divert2
Last PCALC Error: Tue Jan 16 22:15:51 2018
Info: Path-option is skipped because it is held down
Last Signalled Error : Tue Jan 16 22:15:51 2018
Info: [23] PathErr(23,769)-(system) at 10.1.3.13
G-PID: 0x0800 (derived from egress interface properties)
[..]
RP/0/0/CPU0:PE11#sh explicit-paths n divert2
Path divert2 status enabled
10: next-address strict 10.0.0.13
20: next-address loose 10.0.0.14
15: next-address strict 10.1.5.12
30: next-address strict 10.1.3.13
40: next-address strict 10.0.0.15
Task 2: Output
RP/0/0/CPU0:PE11#sh route 10.1.6.15
Routing entry for 10.1.6.0/24
Known via "isis AS100", distance 115, metric 11, type level-2
Installed Jan 16 22:15:51.334 for 1w2d
Routing Descriptor Blocks
10.1.6.15, from 10.0.0.15, via tunnel-te111
Route metric is 11
No advertising protos.
P14#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 10.255.0.121 YES TFTP up up
GigabitEthernet2 10.1.3.14 YES TFTP up up
GigabitEthernet3 10.1.9.14 YES TFTP up up
GigabitEthernet4 10.1.2.14 YES TFTP up up
GigabitEthernet5 10.1.8.14 YES TFTP administratively down down
GigabitEthernet6 unassigned YES unset administratively down down
GigabitEthernet7 10.1.11.14 YES TFTP up up
Loopback0 10.0.0.14 YES TFTP up up
Task 2: Output
RP/0/0/CPU0:P13#sh mpls traffic-eng tunnels det
LSP Tunnel 10.0.0.11 111 [24] is signalled, Signaling State: up
Tunnel Name: PE11_t111 Tunnel Role: Mid
InLabel: GigabitEthernet0/0/0/1, 24007
OutLabel: GigabitEthernet0/0/0/4, implicit-null
Signalling Info:
Src 10.0.0.11 Dst 10.1.6.15, Tun ID 111, Tun Inst 24, Ext ID 10.0.0.11
Router-IDs: upstream 10.0.0.11
local 10.0.0.13
downstream 10.0.0.15
Bandwidth: 10000 kbps (CT0) Priority: 7 7 DSTE-class: 0
Soft Preemption: None
SRLGs: not collected
Path Info:
Incoming Address: 10.1.1.13
Incoming:
Explicit Route:
Strict, 10.1.1.13
Strict, 10.1.6.15
Strict, 10.0.0.15
Outgoing:
Explicit Route:
Strict, 10.1.6.15
Strict, 10.0.0.15
[..]
Task 2: Output
PE12#sh mpls traffic-eng tunnels det
P2P TUNNELS/LSPs:
P2MP TUNNELS:
P2MP SUB-LSPS:
P14#sh mpls traffic-eng tunnels det
P2P TUNNELS/LSPs:
P2MP TUNNELS:
P2MP SUB-LSPS:
Task 3: LISP
Customer XYZ opened a case regarding LISP. Apparently there is no reachability to the subnet 10.4.42.0/24 in AS4142 from the WAN. Which show command helps you identify the root cause, and on which device would you run it?
Device:
CE42
CE41
CE44
PE15
Show command:
sh lisp site 10.4.42.0/24
sh lisp instance-id 0 ipv4 database
sh lisp instance-id 0 ipv4 map-cache
sh lisp platform
Task 3: Email
From: Benjamin <[email protected]>
Date: Mon, Sep 18, 2017 at 6:57 AM
To: Michael <[email protected]>
Subject: LISP site down
Mike,
What about the LISP database? Do you have all entries there?
Regards
=========================================================
From: Michael <[email protected]>
Date: Mon, Sep 18, 2017 at 6:53 AM
To: Benjamin <[email protected]>
Subject: LISP site down
Hi Ben
Find the outputs attached. We did not change anything, I suppose. We had a switchover to CE41 from CE42. Maybe this router never has been tested.
Regards,
Paul
=========================================================
From: Benjamin <[email protected]>
Date: Mon, Sep 18, 2017 at 6:34 AM
To: Michael <[email protected]>
Subject: LISP site down
Hi,
As discussed over the phone, please send us the outputs of your CE devices. Did you change your settings?
Regards
Ben
Task 3: Output
CE44#sh lisp site 10.4.42.0/24
LISP Site Registration Information
Site name: AS4142
Allowed configured locators:
10.2.41.41
10.2.42.42
Requested EID-prefix:
EID-prefix: 10.4.42.0/24
[..]
State: complete
Registration errors:
Authentication failures: 0
Allowed locators mismatch: 2
ETR 10.2.41.41, last registered 1w2d, no proxy-reply, map-notify
TTL 1d00h, no merge, hash-function sha1, nonce 0x2491A8B9-0xE0F8DEA0
state complete, no security-capability
xTR-ID 0x26E07475-0x467BADA9-0x52A6B114-0x4D12CBE7
site-ID unspecified
sourced by reliable transport
Locator Local State Pri/Wgt Scope
10.2.41.41 yes admin-down 255/10 IPv4 none
Task 3: Output
CE41#sh lisp instance-id 0 ipv4 database
LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 2, no-route 1, inactive 0
10.2.42.0/24
Locator Pri/Wgt Source State
10.2.41.41 1/10 cfg-intf site-self, reachable
10.4.42.0/24 *** NO ROUTE TO EID PREFIX ***
Locator Pri/Wgt Source State
10.2.41.41 1/10 cfg-intf site-self, reachable
CE42#sh lisp instance-id 0 ipv4 database
LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 1, no-route 0, inactive 0
10.2.42.0/24
Locator Pri/Wgt Source State
10.2.42.42 1/10 cfg-intf site-self, reachable
PE15#sh lisp instance-id 0 ipv4 database
% LISP is not running.
Task 3: Output
CE41#sh lisp instance-id 0 ipv4 map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries
0.0.0.0/0, uptime: 1w3d, expires: never, via static-send-map-request
Negative cache entry, action: send-map-request
10.4.42.0/24, uptime: 1w3d, expires: never, via away, self, send-map-request
Negative cache entry, action: send-map-request
CE42#sh lisp instance-id 0 ipv4 map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 1 entries
0.0.0.0/0, uptime: 1w3d, expires: never, via static-send-map-request
Negative cache entry, action: send-map-request
CE44#sh lisp platform
Parallel LISP instance limit: 2000
RLOC forwarding support:
IPv4 RLOC, local: OK
IPv6 RLOC, local: OK
MAC RLOC, local: Unsupported
IPv4 RLOC, remote: OK
IPv6 RLOC, remote: OK
MAC RLOC, remote: Unsupported
Latest supported config style: Service and instance
Current config style: implied instance 0
Task 4: PE-CE
To prefer the backbone network over a backdoor link, the AS100 engineers configured a sham-link between PE11 and PE12, but this sham-link (SL) adjacency does not come up. What is the reason for that?
a) There is a domain-id mismatch.
b) There is a domain-tag mismatch.
c) Router-id of PE11 is not visible on PE12.
d) PE12 is not an ASBR.
e) The IP endpoint of a sham-link 10.3.0.12 is not reachable.
Task 4: Email
From: level2 <[email protected]>
Date: Fri, Jun 16, 2017 at 8:20 PM
To: level1 <[email protected]>
Subject: Cust1 traffic optimization [SR46455234]
Hi Lora,
Did you redistribute those endpoints to OSPF? You cannot do this. Just advertise them to BGP and that's all. Other prefixes can be redistributed from BGP to OSPF. Send us the latest configs. Did you use additional settings in OSPF like domain-id? This should not be relevant but to have intra-area routes it is better to set the same id.
Regards,
Jason
=========================================================
From: level1 <[email protected]>
Date: Fri, Jun 16, 2017 at 6:18 PM
To: level2 <[email protected]>
Subject: Cust1 traffic optimization [SR46455234]
Hi Team,
We want to escalate the ticket SR46455234. A customer wants to send the traffic over our backbone not a backdoor link. Engineering team prepared a configuration of a sham-link but it does not go up. Strange. IP addresses of endpoints are advertised to BGP, we can ping them. Please support.
Kind regards,
Lora
Task 4: Output
RP/0/0/CPU0:PE11#sh ospf vrf cust1 int brief
* Indicates MADJ interface, (P)Indicates fast detect hold down state
Interfaces for OSPF 2, VRF cust1
Interface PID Area IP Address/Mask Cost State Nbrs F/C
OSPF_SL0 2 0 - 1 DOWN 0/0
Gi0/0/0/4 2 0 10.2.41.11/24 1 DR 1/1
PE12#sh ip ospf int brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
SL1 2 0 0.0.0.0/0 1 P2P 0/0
Gi6 2 0 10.2.42.12/24 1 BDR 1/1
PE12#sh ip ospf database
OSPF Router with ID (0.0.0.12) (Process ID 2)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
0.0.0.12 0.0.0.12 1395 0x800001D8 0x004658 1
10.0.0.11 10.0.0.11 1094 0x800001C1 0x004C79 1
10.0.0.41 10.0.0.41 1680 0x800001B9 0x00AEA7 4
10.0.0.42 10.0.0.42 679 0x800001CC 0x005DBE 4
Task 4: Output
PE12#sh ip route vrf cust1 10.3.0.11
Routing Table: cust1
Routing entry for 10.3.0.11/32
Known via "bgp 100", distance 200, metric 0, type internal
Last update from 10.0.0.11 1w3d ago
Routing Descriptor Blocks:
* 10.0.0.11 (default), from 10.0.0.17, 1w3d ago, recursive-via-host
Route metric is 0, traffic share count is 1
AS Hops 0
MPLS label: 24009
MPLS Flags: MPLS Required
RP/0/0/CPU0:PE11#sh route vrf cust1 10.3.0.12
Routing entry for 10.3.0.12/32
Known via "bgp 100", distance 200, metric 0, type internal
Installed Jan 16 00:15:37.530 for 1w3d
Routing Descriptor Blocks
10.0.0.12, from 10.0.0.17
Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
Route metric is 0 No advertising protos.
Task 4: Output
PE12#sh ip ospf border-routers det
OSPF Router with ID (0.0.0.12) (Process ID 2)
Base Topology (MTID 0)
Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 10.0.0.11 [3] via 10.2.42.42, GigabitEthernet6, ABR, Area 0, SPF 47
Source 10.0.0.11, PDB SPF 59, path flag: none
Flags: PathList
RP/0/0/CPU0:PE11#sh ospf 2 vrf cust1
VRF cust1 in Routing Process "ospf 2" with ID 10.0.0.11
Role: Primary Active
NSR (Non-stop routing) is Enabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
It is an area border router
Primary Domain ID: 0x5:0x000000650200
[..]
PE12#sh ip ospf
Routing Process "ospf 2" with ID 0.0.0.12
Domain ID type 0x0005, value 0x000000640200
[..]
Task 5: Failure Detection
What is the BFD detection time between CE42 and PE12?
a) It is more than 3 seconds.
b) It is 3 seconds or more.
c) It is between 2 and 3 seconds.
d) It is subsecond.
Score: 1 point
Task 5: Email
From: Niki (Support) <[email protected]>
Date: Thu, Jun 15, 2017 at 1:34 PM
To: Matthias (Support) <[email protected]>
Subject: BFD detection time
Hi Matt,
Yes, I think so. Let's check the current setting. What is the interval time?
Regards,
Niki
=========================================================
From: Matthias (Support) <[email protected]>
Date: Thu, Jun 15, 2017 at 1:12 PM
To: Niki (Support) <[email protected]>
Subject: BFD detection time
Niki,
The customer wants to confirm what will be the current detection time with BFD? Is it just interval * multiplier? They had slow convergence and complained to our service massively.
Kind regards,
Matt
Task 5: Output
PE12#sh bfd nei det
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
10.2.42.42 4097/4097 Up Up Gi6
Session state is UP and using echo function with 1000 ms interval.
Session Host: Software
OurAddr: 10.2.42.12
Handle: 1
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holddown (hits): 0(0), Hello (hits): 1000(62152)
Rx Count: 62161, Rx Interval (ms) min/max/avg: 1/1046/875 last: 830 ms ago
Tx Count: 62164, Tx Interval (ms) min/max/avg: 1/1022/875 last: 488 ms ago
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: CEF BGP
Uptime: 00:19:08
Last packet: Version: 1 - Diagnostic: 0
State bit: Up - Demand bit: 0
Poll bit: 0 - Final bit: 0
C bit: 0
Multiplier: 3 - Length: 24
My Discr.: 4097 - Your Discr.: 4097
Min tx interval: 1000000 - Min rx interval: 1000000
Min Echo interval: 1000000
CCIE SP Diagnostics Answers
Task 1: Output
PE24#sh ip cef vrf cust46 10.0.0.45 det
10.0.0.45/32, epoch 0, flags [rib defined all labels]
recursive via 10.0.0.23 label 24005
recursive via 10.0.0.0/24
nexthop 192.168.5.22 GigabitEthernet2 label 24018-(local:30)
RP/0/0/CPU0:PE22#sh mpls for | i 24018
24018 Unlabelled 10.0.0.0/24 Gi0/0/0/3 192.168.3.23 39070
RP/0/0/CPU0:PE23#sh mpls ldp bindings 10.0.0.23/24
10.0.0.0/24, rev 0 (no route)
No local binding
Remote bindings: (1 peers)
Peer Label
----------------- ---------
10.0.0.22:0 24018
Task 1: Answer
ANSWER: PE23 does not allocate a label to 10.0.0.0/24.
Key:
a) The external route can be a next hop for an MP-BGP session.
b) No conflicts or duplications.
c) PE23 does not assign a label to 10.0.0.0/24 and this is a root cause.
d) The LSP is broken but not because of lack of a host route.
e) A /24 aggregate does not break an LSP.
CONCLUSION: A /24 prefix can be a BGP next-hop for L3VPN sessions.
Task 2: Output
RP/0/0/CPU0:PE11#sh mpls traffic-eng tunnels det
Tue Jan 16 22:15:53.024 UTC
Name: tunnel-te111 Destination: 10.1.6.15 Ifhandle:0xd0
Signalled-Name: PE11_t111
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 10, type dynamic (Basis for Setup, path weight 20)
path option 5, type explicit divert2
Last PCALC Error: Tue Jan 16 22:15:51 2018
Info: Path-option is skipped because it is held down
Last Signalled Error : Tue Jan 16 22:15:51 2018
Info: [23] PathErr(23,769)-(system) at 10.1.3.13
G-PID: 0x0800 (derived from egress interface properties)
[..]
RP/0/0/CPU0:PE11#sh explicit-paths n divert2
Path divert2 status enabled
10: next-address strict 10.0.0.13
20: next-address loose 10.0.0.14
15: next-address strict 10.1.5.12
30: next-address strict 10.1.3.13
40: next-address strict 10.0.0.15
Task 2: Answer
ANSWER: Wrong explicit path on PE11
Clue:
The explicit path divert2 is going through PE13, PE12, PE14 and back to PE13.
Task 3: Output
CE41#sh lisp instance-id 0 ipv4 database
LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 2, no-route 1, inactive 0
10.2.42.0/24
Locator Pri/Wgt Source State
10.2.41.41 1/10 cfg-intf site-self, reachable
10.4.42.0/24 *** NO ROUTE TO EID PREFIX ***
Locator Pri/Wgt Source State
10.2.41.41 1/10 cfg-intf site-self, reachable
Task 3: Answer
ANSWER: The command "sh lisp instance-id 0 ipv4 database" on CE41.
Clue:
The prefix 10.4.42.0/24 is not reachable on CE41.
Task 4: Output
PE12#sh ip ospf border-routers det
OSPF Router with ID (0.0.0.12) (Process ID 2)
Base Topology (MTID 0)
Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 10.0.0.11 [3] via 10.2.42.42, GigabitEthernet6, ABR, Area 0, SPF 47
Source 10.0.0.11, PDB SPF 59, path flag: none
Flags: PathList
After adding "redistribute bgp" on PE11
PE12#*Jan 02 23:26:40.005: %OSPF-5-ADJCHG: Process 2, Nbr 10.0.0.11 on OSPF_SL1 from LOADING to FULL, Loading Done
PE12#sh ip ospf border-routers det
OSPF Router with ID (0.0.0.12) (Process ID 2)
Base Topology (MTID 0)
Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 10.0.0.11 [1] via 10.3.0.11, OSPF_SL1, ABR/ASBR, Area 0, SPF 48
Source 10.0.0.11, PDB SPF 61, path flag: none
Flags: PathList
Task 4: Answer
ANSWER: PE12 is not an ASBR.
Clue:
Note that XR has to be an ASBR. To make PE12 the XE does not have to be an ASBR.
Task 5: Output
PE12#sh bfd nei det
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
10.2.42.42 4097/4097 Up Up Gi6
Session state is UP and using echo function with 1000 ms interval.
Session Host: Software
OurAddr: 10.2.42.12
Handle: 1
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holddown (hits): 0(0), Hello (hits): 1000(62152)
Rx Count: 62161, Rx Interval (ms) min/max/avg: 1/1046/875 last: 830 ms ago
Tx Count: 62164, Tx Interval (ms) min/max/avg: 1/1022/875 last: 488 ms ago
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: CEF BGP
Uptime: 00:19:08
Last packet: Version: 1 - Diagnostic: 0
State bit: Up - Demand bit: 0
Poll bit: 0 - Final bit: 0
C bit: 0
Multiplier: 3 - Length: 24
My Discr.: 4097 - Your Discr.: 4097
Min tx interval: 1000000 - Min rx interval: 1000000
Min Echo interval: 1000000
Task 5: Answer
ANSWER: It is between 2 and 3 seconds.
[Figure: 2 examples of failures on a time axis (t) with BFD packets sent every 1000 ms. Example 1: lost 3 packets, detection > 2 sec. Example 2: lost 3 packets, detection < 3 sec.]
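The 2 to 3 second window in the answer can be reproduced from the timers in the `sh bfd nei det` output. The following is an added example, not part of the original lab material; it assumes the session is declared down once `Multiplier` consecutive packets are missed, and all function names are hypothetical.

```python
import re

# Excerpt of the PE12 "sh bfd nei det" output shown on the Task 5 slide.
SHOW_BFD_PE12 = """\
NeighAddr LD/RD RH/RS State Int
10.2.42.42 4097/4097 Up Up Gi6
Session state is UP and using echo function with 1000 ms interval.
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
"""


def parse_bfd_timers(text):
    """Return (interval_ms, multiplier) from 'show bfd neighbors details' text."""
    timers = re.search(
        r"^\s*MinTxInt: (\d+), MinRxInt: (\d+), Multiplier: (\d+)",
        text,
        re.MULTILINE,
    )
    if timers is None:
        raise ValueError("no 'MinTxInt/MinRxInt/Multiplier' line in the output")
    _min_tx_us, min_rx_us, multiplier = (int(v) for v in timers.groups())
    echo = re.search(r"using echo function with (\d+) ms interval", text)
    if echo:
        interval_ms = int(echo.group(1))
    else:
        # Simplification (assumption): without echo, use the local MinRxInt
        # (microseconds) and ignore negotiation with the peer's transmit interval.
        interval_ms = min_rx_us // 1000
    return interval_ms, multiplier


def detection_delay_ms(interval_ms, multiplier, failure_offset_ms):
    """Time from the failure until the session is declared down.

    The last packet that got through arrived at t = 0 and the path breaks
    failure_offset_ms later, somewhere inside the following interval.
    """
    if not 0 < failure_offset_ms < interval_ms:
        raise ValueError("failure must fall strictly inside one interval")
    t = 0
    missed = 0
    while missed < multiplier:
        t += interval_ms               # the next packet is due now
        if t > failure_offset_ms:      # path already broken: packet is lost
            missed += 1
    return t - failure_offset_ms


def detection_window(interval_ms, multiplier):
    """(shortest, longest) detection delay over every 1 ms failure offset."""
    delays = [
        detection_delay_ms(interval_ms, multiplier, offset)
        for offset in range(1, interval_ms)
    ]
    return min(delays), max(delays)


if __name__ == "__main__":
    interval, mult = parse_bfd_timers(SHOW_BFD_PE12)
    shortest, longest = detection_window(interval, mult)
    print(f"interval={interval} ms multiplier={mult}")
    print(f"detection takes between {shortest} and {longest} ms")
```

The delay is never exactly interval * multiplier because the failure lands at an arbitrary point between two packets: a failure right after a received packet is detected in just under 3 seconds, one right before the next packet in just over 2 seconds.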
Configuration Module
CCIE SP Configuration – CiscoLive! Barcelona 2018
Duration: 2h30m / Total points: 23
• Domain 1
• IGP – 2 points
• BGP – 2 points
• MPLS LDP – 3 points
• MPLS/TE – 3 points
• Domain 2
• L2VPN – 2 points
• L3VPN – 3 points
• IPv6 transition – 2 points
• Domain 3
• PE-CE connectivity – 3 points
• QoS – 2 points
• Multicast – 2 points
• Domain 4
• System HA (LDP protection/sync) – 2 points
• FC (IP FRR or MPLS TE/FRR) – 2 points
• Domain 5
• Control Plane security – 2 points
• Infrastructure security – 2 points
Lab topology (Configuration)
[Figure: lab topology diagram. Routers: PE11, PE12, PE13, P14, PE15, P16, PE21, PE22, PE23, P24, P25, PE301. CE routers: CE21, CE22, CE23, CE24, CE101, CE102, CE110, CE111. AS labels: AS 19, AS 24, AS 42, AS 64, AS 78, AS 91, AS 109, AS 901. Diagram notes: PE12 is IPv4/IPv6 RR; P16 is VPNv4 RR; PE22 is IPv4/IPv6/VPNv4 RR. Address blocks: 10.100/16 and 2001:10:100::/48; 20.200/16 and 2001:20:200::/48. Link subnets: 1.9.13.X/24, 1.9.55.X/24, 172.16.10.X, 172.16.11.X, 172.16.101.X, 172.16.102.X, 192.168.21.X, 192.168.22.X, 192.168.23.X, 192.168.24.X. Protocol labels: IS-IS Level-1, IS-IS Level-2, OSPF Area 0, OSPFv2, EIGRP (IPv4 and IPv6), RIPv2, MP-BGP. Sites: SP-300; Customer24, Customer42, Customer64 and Customer78, each with Site 1 and Site 2.]
D1 Task 1: IGP for AS109
IS-IS Level-1 and Level-2 areas are configured on SP-109 as depicted on the diagram. Your tasks are:
• Advertise the IPv4 and IPv6 addresses only for the Loopback 0 interface.
• Loopback 0 interface of PE12 and P16 must be in both Level-1 and Level-2 areas.
• IS-IS metrics of IPv6 prefixes must be independently calculated from IPv4 prefixes.
Note: You cannot leak Level-2 prefixes into the Level-1 area.
Score: 2 points
D1 Task 1: Configuration
PE12, PE13:
!
router isis 109
 address-family ipv4 unicast
  advertise passive-only
 !
 address-family ipv6 unicast
  advertise passive-only
  no single-topology
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
 !
 interface GigabitEthernet0/0/0/x
  circuit-type [level-1|level-2-only]
 !
PE11, P16, P14, PE15:
!
router isis 109
 is-type [level-1|level-2-only]
 advertise passive-only
 passive-interface Loopback0
 !
 address-family ipv6
  advertise passive-only
  multi-topology
!
interface GigabitEthernetx
 isis circuit-type [level-1|level-2-only]
!
D1 Task 1: Verification
PE15#sh isis nei
Tag 109:
System Id Type Interface IP Address State Holdtime Circuit Id
PE12 L1 Gi4 10.100.25.2 UP 26 00
P14 L1 Gi2 10.100.45.4 UP 26 03
P16 L1 Gi3 10.100.56.6 UP 25 05
PE15#sh ip route isis
[..]
10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
i L1 10.100.0.2/32 [115/20] via 10.100.45.4, 00:20:39, GigabitEthernet2
i L1 10.100.0.4/32 [115/10] via 10.100.45.4, 00:20:39, GigabitEthernet2
i L1 10.100.0.6/32 [115/10] via 10.100.56.6, 00:20:39, GigabitEthernet3
PE15#sh ipv6 route isis
[..]
I1 2001:10:100::2/128 [115/20] via FE80::F816:3EFF:FE13:3C52, GigabitEthernet2
I1 2001:10:100::4/128 [115/10] via FE80::F816:3EFF:FE13:3C52, GigabitEthernet2
I1 2001:10:100::6/128 [115/10] via FE80::F816:3EFF:FEA0:DB36, GigabitEthernet3
D1 Task 2: TE for AS109 and AS901
Apply the BGP traffic engineering that meets the following recommendations:
• SP-109 must prefer SP-300 path when sending traffic towards SP-901.
• The next preferred path from SP-109 towards SP-901 must be PE13 and PE21 link.
• SP-901 must prefer P25 and PE15 link when sending traffic towards SP-109 and also
towards SP-300.
• Only if P25 and PE15 link fails, SP-901 can follow the shortest path to reach
SP-109 and also to reach SP-300.
Score: 2 points
D1 Task 2: TE for AS109 – PE13 configuration
RP/0/0/CPU0:PE13#sh rpl route-policy AS19
route-policy AS19
set local-preference 3000
done
end-policy
!
RP/0/0/CPU0:PE13#sh rpl route-policy AS901
route-policy AS901
set local-preference 2000
done
end-policy
!
D1 Task 2: TE for AS109 – PE13 configuration
RP/0/0/CPU0:PE13#sh running-config router bgp | utility egrep "neigh|route-pol"
neighbor 19.3.0.1
route-policy AS19 in
neighbor 1.9.13.21
route-policy AS901 in
neighbor 2001:19:3::1
route-policy AS19 in
neighbor 2001:1:9:13::21
route-policy AS901 in
D1 Task 2: TE for AS109 – PE25 configuration
P25#sh running-config | s ^route-map
route-map AS901 permit 10
set local-preference 1000
P25#sh running-config | s router bgp
router bgp 901
[...]
address-family ipv4
neighbor 1.9.55.15 route-map AS901 in
address-family ipv6
neighbor 2001:1:9:55::15 route-map AS901 in
D1 Task 3: LDP for AS109 and AS901
Configure LSR in SP-901 to customize the label range assignments. Each router must use
label range calculated using the following formula:
• 2X00-2X99 (where X is the router number (the last digit of the router ID))
• Cisco IOS XRv nodes must use the following formula:
• 16X00-16X99
• example: for PE21, the router ID is 1, for PE22 the router ID is 2, and so on.
Configure LSR in SP-901 to rely on IGP to enable LDP.
Score: 3 points
D1 Task 3: Label range for AS901
PE21#sh run | i range
mpls label range 2100 2199
RP/0/0/CPU0:PE22#sh running-config | i range
mpls label range table 0 16200 16299
D1 Task 3: MPLS LDP autoconfiguration for AS901 – IOS/IOS-XE
PE21#sh running-config | s router ospf 901
router ospf 901
mpls ldp autoconfig
passive-interface Loopback0
PE21#sh mpls interfaces detail
Interface GigabitEthernet0/2:
Type Unknown
IP labeling enabled (ldp):
IGP config
D1 Task 3: MPLS LDP autoconfiguration for AS901 – IOS-XR
RP/0/0/CPU0:PE22#sh running-config router ospf
router ospf 901
area 0
mpls ldp auto-config
interface Loopback0
passive enable
RP/0/0/CPU0:PE22#sh mpls ldp interface
Sun Jan 21 21:27:04.211 UTC
Interface GigabitEthernet0/0/0/0 (0x40)
VRF: 'default' (0x60000000)
Enabled via config: IGP Auto-config
Interface GigabitEthernet0/0/0/1 (0x60)
VRF: 'default' (0x60000000)
Enabled via config: IGP Auto-config
D1 Task 4: Tunnel in AS109
Create MPLS Traffic Engineering tunnels that meet the following requirements:
• Build a Tunnel from PE11 to PE15 via PE13, P16, and P14. This MPLS TE tunnel must be
used to carry the Layer 3 VPN traffic of the Customer64 (CE101 and CE102).
• Traffic from CE102 towards CE101 must be guaranteed as well, and it must follow this
path: P16 P14 PE12 PE13.
Note: Manipulation of IGP metrics is not treated as a guarantee of the path.
Score: 3 points
D1 Task 4: MPLS TE
PE11:
!
interface Tunnel1365
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 10.100.0.5
 tunnel mpls traffic-eng autoroute destination
 tunnel mpls traffic-eng path-option 10 explicit name T1365
!
ip explicit-path name T1365 enable
 index 10 next-address 10.100.0.3
 index 20 next-address loose 10.100.0.6
 index 30 next-address 10.100.0.4
!
PE11#sh ip route 10.100.0.5
Routing entry for 10.100.0.5/32
 Known via "static", distance 1, metric 0 (connected)
 Routing Descriptor Blocks:
 * directly connected, via Tunnel1365
 Route metric is 0, traffic share count is 1
Inter-Area TE
Loose hop required pointing at ABR
D1 Task 4: MPLS TE
Traceroute after a L3VPN task.
Without MPLS TE:
CE101#trace 13.101.13.2 sou 13.101.13.1
[..]
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.101.1 3 msec 5 msec 2 msec
2 10.100.12.2 [MPLS: Labels 16205/509 Exp 0] 12 msec 6 msec 31 msec
3 10.100.24.4 [MPLS: Labels 400/509 Exp 0] 11 msec 6 msec 6 msec
4 172.16.102.1 [MPLS: Label 509 Exp 0] 9 msec 8 msec 7 msec
5 172.16.102.254 6 msec * 7 msec
With tunnel T1365:
CE101#trace 13.101.13.2 sou 13.101.13.1
[..]
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.101.1 1 msec 1 msec 2 msec
2 10.100.13.3 [MPLS: Labels 16300/509 Exp 0] 7 msec 8 msec 8 msec
3 10.100.36.6 [MPLS: Labels 613/509 Exp 0] 6 msec 17 msec 8 msec
4 10.100.46.4 [MPLS: Labels 405/509 Exp 0] 26 msec 11 msec 17 msec
5 172.16.102.1 [MPLS: Label 509 Exp 0] 12 msec 6 msec 5 msec
6 172.16.102.254 16 msec * 11 msec
D1 Task 4: MPLS TE
PE15:
!
interface Tunnel5642
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 10.100.0.2
 tunnel mpls traffic-eng autoroute destination
 tunnel mpls traffic-eng path-option 10 explicit name T5642
!
ip explicit-path name T5642 enable
 index 10 next-address 10.100.0.6
 index 20 next-address 10.100.0.4
 index 30 next-address 10.100.0.2
!
PE12:
!
interface tunnel-te231
 ipv4 unnumbered Loopback0
 autoroute announce
 destination 10.100.0.1
 path-option 10 explicit name T231
!
explicit-path name T231
 index 10 next-address strict ipv4 unicast 10.100.0.3
 index 20 next-address strict ipv4 unicast 10.100.0.1
!
2 Tunnels as 10.100.0.1 is not reachable from Level-1
D1 Task 4: MPLS TE
Traceroute after a L3VPN task.
Without MPLS TE:
CE102#trace 13.101.13.1 sou 13.101.13.2
[..]
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.102.1 2 msec 1 msec 5 msec
2 10.100.45.4 [MPLS: Labels 404/16209/101 Exp 0] 9 msec 9 msec 10 msec
3 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 8 msec 10 msec 5 msec
4 172.16.101.1 [MPLS: Label 101 Exp 0] 9 msec 6 msec 7 msec
5 172.16.101.254 7 msec * 8 msec
With 2 tunnels: T5642 + T231:
CE102#trace 13.101.13.1 sou 13.101.13.2
[..]
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.102.1 1 msec 2 msec 4 msec
2 10.100.56.6 [MPLS: Labels 610/16209/101 Exp 0] 12 msec 10 msec 6 msec
3 10.100.46.4 [MPLS: Labels 402/16209/101 Exp 0] 11 msec 8 msec 14 msec
4 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 8 msec 8 msec 11 msec
5 10.100.23.3 [MPLS: Labels 16301/101 Exp 0] 9 msec 11 msec 12 msec
6 172.16.101.1 [MPLS: Label 101 Exp 0] 8 msec 11 msec 8 msec
7 172.16.101.254 10 msec * 11 msec
D2 Task 1: CE21 and CE22 service
SP-901 must provide an IP-transparent connection to be used by Customer42 (CE21 and CE22).
• CE21 and CE22 must use Gig0/1.66 interface for this connection.
• The service must use control word.
CE21 must assign an IPv6 address to CE22 (Gig 0/1.66), automatically.
• CE21 must use IPv6 only on GigabitEthernet 0/1.66 sub-interface.
• CE22 must be able to reach CE21 directly using the assigned IPv6 address over the service provided
by SP-901.
• Use the 2001:192:168:21::/64 network for this configuration.
Score: 2 points
D2 Task 1: xconnect for AS901
RP/0/0/CPU0:PE22#sh running-config router ospf
PE21#sh running-config interface gigabitEthernet 0/5.66
!
interface GigabitEthernet0/5.66
encapsulation dot1Q 66
no cdp enable
xconnect 20.200.0.3 66 encapsulation mpls pw-class AS901
end
PE21#sh running-config | s pseudowire
pseudowire-class AS901
encapsulation mpls
control-word
D2 Task 1: IPv6 autoconfiguration for CE21
CE21#sh run int gi0/1.66
interface GigabitEthernet0/1.66
encapsulation dot1Q 66
ipv6 address 2001:192:168:21::1/64
no cdp enable
end
CE21#sh ipv6 int gi0/1.66 prefix
IPv6 Prefix Advertisements GigabitEthernet0/1.66
PD default [LA] Valid lifetime 2592000, preferred lifetime 604800
AD 2001:192:168:21::/64 [LA] Valid lifetime 2592000, preferred lifetime 604800
D2 Task 1: IPv6 autoconfiguration for CE22
CE22#sh run int gi0/1.66
Building configuration...
Current configuration : 103 bytes
!
interface GigabitEthernet0/1.66
encapsulation dot1Q 66
ipv6 address autoconfig
no cdp enable
end
CE22#sh ipv6 int gi0/1.66
GigabitEthernet0/1.66 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::F816:3EFF:FE50:6FFE
No Virtual link-local address(es):
Stateless address autoconfig enabled
Global unicast address(es):
2001:192:168:21:F816:3EFF:FE50:6FFE, subnet is 2001:192:168:21::/64 [EUI/CAL/PRE]
valid lifetime 2591867 preferred lifetime 604667
D2 Task 2: L3VPN for AS109 and AS901
MP-iBGP VPNv4 and VPNv6 peering have been configured on both SP-109 and SP-901. Your task is to complete the L3VPN configuration on both service providers to allow communication between sites of Customer24, Customer42, Customer64, and Customer78.
Note: Traffic cannot be leaked between customers.
Score: 3 points
D3 Task 1: Example for AS_64
PE11#sh vrf AS_64
Name Default RD Protocols Interfaces
AS_64 64:64 ipv4,ipv6 Gi5
PE11#sh ip route vrf AS_64
13.0.0.0/32 is subnetted, 2 subnets
D 13.101.13.1 [90/10880] via 172.16.101.254, 3d08h, GigabitEthernet5
B 13.101.13.2 [200/100] via 10.100.0.5, 09:24:56
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.101.0/24 is directly connected, GigabitEthernet5
L 172.16.101.1/32 is directly connected, GigabitEthernet5
B 172.16.102.0/24 [200/0] via 10.100.0.5, 09:24:56
PE11#sh running-config | s router bgp
router bgp 109
[…]
 neighbor 10.100.0.2 remote-as 109
 neighbor 10.100.0.2 update-source Loopback0
 neighbor 10.100.0.6 remote-as 109
 neighbor 10.100.0.6 update-source Loopback0
 neighbor 2001:10:100::2 remote-as 109
 neighbor 2001:10:100::2 update-source Loopback0
 neighbor 2001:10:100::6 remote-as 109
 neighbor 2001:10:100::6 update-source Loopback0
D3 Task 1: Example for AS_64 (continued)
 address-family ipv4
  network 10.100.0.0 mask 255.255.0.0
  network 10.100.0.1 mask 255.255.255.255
  aggregate-address 10.100.0.0 255.255.0.0
  neighbor 10.100.0.2 activate
  neighbor 10.100.0.2 next-hop-self
  neighbor 10.100.0.2 send-label
 exit-address-family
 address-family vpnv4
  neighbor 10.100.0.6 activate
  neighbor 10.100.0.6 send-community extended
 exit-address-family
 address-family vpnv6
  neighbor 2001:10:100::6 activate
  neighbor 2001:10:100::6 send-community extended
 exit-address-family
 address-family ipv4 vrf AS_64
  redistribute connected
  redistribute eigrp 64 metric 100
 exit-address-family
 address-family ipv6 vrf AS_64
  redistribute connected
  redistribute eigrp 64 metric 100
 exit-address-family
D2 Task 2: L3VPN
PE11:
!
router bgp 109
 neighbor 10.100.0.2 remote-as 109
 neighbor 10.100.0.2 update-source Lo0
 address-family ipv4 unicast
  network 10.100.0.1 mask 255.255.255.255
  neighbor 10.100.0.2 activate
  neighbor 10.100.0.2 next-hop-self
  neighbor 10.100.0.2 send-label
!
PE12:
!
router bgp 109
 ibgp policy out enforce-modifications
 address-family ipv4 unicast
  network 10.100.0.2/32
  allocate-label all
 !
 neighbor 10.100.0.1
  address-family ipv4 labeled-unicast
   route-reflector-client
   next-hop-self
!
PE15 is in the Level-1 area and there is no 10.100.0.1/32 advertised via IS-IS. Thus RFC3107 is needed.
PE12 acts as an inline RR, assigns a BGP label for 10.100.0.1/32.
Additional cfg to the required in L3VPN.
D2 Task 2: L3VPN
PE12:
!
router bgp 109
 neighbor 10.100.0.5
  remote-as 109
  update-source Loopback0
  address-family ipv4 labeled-unicast
   route-reflector-client
   next-hop-self
!
PE15:
!
router bgp 109
 neighbor 10.100.0.2 remote-as 109
 neighbor 10.100.0.2 update-source Loopback0
 !
 address-family ipv4
  network 10.100.0.5 mask 255.255.255.255
  neighbor 10.100.0.2 activate
  neighbor 10.100.0.2 next-hop-self
  neighbor 10.100.0.2 send-label
!
PE15 receives 10.100.0.1/32 with a BGP label allocated by PE12.
Additional cfg to the required in L3VPN.
D2 Task 2: Verification
PE12#sh bgp ipv4 labeled-unicast labels | utility egrep "Label|10.100.0.1/32"
Network Next Hop Rcvd Label Local Label
*>i10.100.0.1/32 10.100.0.1 3 16209
PE15#sh ip cef vrf AS_64 13.101.13.1 det
13.101.13.1/32, epoch 0, flags [rib defined all labels]
 recursive via 10.100.0.1 label 101
 recursive via 10.100.0.2 label 16209
 nexthop 10.100.45.4 GigabitEthernet2 label [404|implicit-null]-(local:503)
 repair: attached-nexthop 10.100.25.2 GigabitEthernet4
CE102#trace 13.101.13.1 sou 13.101.13.2
Type escape sequence to abort.
Tracing the route to 13.101.13.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.102.1 4 msec 3 msec 3 msec
2 10.100.45.4 [MPLS: Labels 404/16209/101 Exp 0] 6 msec 6 msec 5 msec
3 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 6 msec 5 msec 5 msec
4 172.16.101.1 [MPLS: Label 101 Exp 0] 5 msec 5 msec 7 msec
5 172.16.101.254 7 msec * 6 msec
Additional cfg to the required in L3VPN.
RFC3107 in action
Label 16209 is to 10.100.0.1/32
D2 Task 3: IPv6 Transition
Configure AS-901 to provide IPv6-to-IPv4 translation, so that the IPv6 address of Loopback 0 on PE23 is translated to IPv4. PE23 should be able to connect to 30.3.1.1 on PE301.
Notes:
• You can choose any IPv4/IPv6 address required to complete this task.
• Use PE21 as a translator.
Score: 2 points
D2 Task 3: IPv6 Transition
PE21:
!
interface GigabitEthernet0/2
 nat64 enable
!
interface GigabitEthernet0/3
 nat64 enable
!
interface GigabitEthernet0/6
 nat64 enable
!
nat64 prefix stateful 2006:BEEF::/96
nat64 v4v6 static 30.3.1.1 2006:BEEF::1E03:101
nat64 v6v4 static 2001:20:200::3 93.3.0.3
!
router ospfv3 901
 address-family ipv6 unicast
  redistribute static
!
router bgp 901
 address-family ipv4
  redistribute static
!
2006:BEEF::/96 and 93.3.0.3 are arbitrarily chosen addresses.
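The static mapping on PE21 pairs 30.3.1.1 with 2006:BEEF::1E03:101, which is the address obtained by embedding the IPv4 address in the /96 prefix the way RFC 6052 defines. The Python below is an added example, not part of the original slides; it goes beyond the /96 case and covers every RFC 6052 prefix length, and the names embed and extract are chosen here.

```python
import ipaddress

# Prefix lengths RFC 6052 allows for an IPv4-embedded IPv6 address.
ALLOWED_LENGTHS = (32, 40, 48, 56, 64, 96)
U_OCTET = 8  # byte index of bits 64..71, reserved and always zero


def _v4_positions(prefix_len):
    """Byte indexes that carry the four IPv4 octets for this prefix length."""
    positions, pos = [], prefix_len // 8
    while len(positions) < 4:
        if pos != U_OCTET:  # the IPv4 bits are split around the u octet
            positions.append(pos)
        pos += 1
    return positions


def _checked_network(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in ALLOWED_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    if net.network_address.packed[U_OCTET] != 0:
        raise ValueError("bits 64..71 of the prefix must be zero")
    return net


def embed(prefix, ipv4):
    """Return the IPv6 address that represents ipv4 inside prefix."""
    net = _checked_network(prefix)
    raw = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(ipv4).packed
    for pos, octet in zip(_v4_positions(net.prefixlen), octets):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(prefix, ipv6):
    """Recover the IPv4 address from an address built by embed()."""
    net = _checked_network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is outside {net}")
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[p] for p in _v4_positions(net.prefixlen)))


if __name__ == "__main__":
    # Values from the PE21 configuration on the slide.
    print(embed("2006:BEEF::/96", "30.3.1.1"))
    print(extract("2006:BEEF::/96", "2006:BEEF::1E03:101"))
```

The other static entry, 2001:20:200::3 to 93.3.0.3, is a plain one-to-one choice and does not follow this embedding.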
D2 Task 3: Verification
PE23#sh ipv6 route 2006:BEEF::1E03:101
Routing entry for 2006:BEEF::/96
  Known via "ospf 901", distance 110, metric 20, type extern 2
  Route count is 1/1, share count 0
  Routing paths:
    FE80::F816:3EFF:FE79:3161, GigabitEthernet0/2
      From FE80::F816:3EFF:FE79:3161
      Last updated 00:21:33 ago
PE21#sh ipv6 route 2006:BEEF::1E03:101
Routing entry for 2006:BEEF::/96
  Known via "static", distance 1, metric 0
  Redistributing via ospf 901
  Route count is 1/1, share count 0
  Routing paths:
    ::100.0.0.1, NVI1
PE21#sh ip route 93.3.0.3
Routing entry for 93.3.0.3/32
  Known via "static", distance 0, metric 0
  Redistributing via bgp 901
  Advertised by bgp 901
  Routing Descriptor Blocks:
  * directly connected, via NVI1
D2 Task 3: Verification
PE23#telnet 2006:BEEF::1E03:101 /source-interface lo0 /ipv6
Trying 2006:BEEF::1E03:101 ... Open
User Access Verification
Username: cisco
Password:
PE301#sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:02
*  1 vty 0     cisco      idle                 00:00:00   93.3.0.3
  Interface    User               Mode         Idle     Peer Address
PE21#sh nat64 trans
Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
-----------------------------------------------------------
---    ---
       30.3.1.1              2006:BEEF::1E03:101
tcp    30.3.1.1:23           [2006:BEEF::1E03:101]:23
       93.3.0.3:48577        [2001:20:200::3]:48577
---    ---                   ---
       93.3.0.3              2001:20:200::3
Total number of translations: 3
D3 Task 1: Routing protocols on PE-CE edge
Enable the PE-CE routing protocol as per the following requirements:
• Configure EIGRP for both IPv4 and IPv6 for Customer64 (CE101 and CE102).
• Configure RIPv2 for Customer78 (CE111 and CE110).
• Make sure metric for routes exchanged over service provider backbone is adjusted by SP-109 by 10.
• Configure OSPFv2 for Customer42 (CE21 and CE22).
• Configure BGP for Customer24.
• Make sure both IPv4 and IPv6 networks are exchanged.
• There is a full reachability between both sites.
• SP-901 must use AS number 500 for this peering.
Score: 3 points
D3 Task 1: Verification for AS64
CE101#sh running-config | s router eigrp
router eigrp AS64
 address-family ipv4 unicast autonomous-system 64
  af-interface Loopback0
   passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 13.0.0.0
  network 172.16.0.0
 exit-address-family
 address-family ipv6 unicast autonomous-system 64
  af-interface Loopback0
   passive-interface
  exit-af-interface
  topology base
  exit-af-topology
 exit-address-family
D3 Task 1: Verification for AS64 (continued)
CE101#sh ip route eigrp | b ^D
D        13.101.13.2 [90/16000] via 172.16.101.1, 00:09:36, GigabitEthernet0/1
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.102.0/24
           [90/15360] via 172.16.101.1, 00:09:36, GigabitEthernet0/1
CE101#sh ipv6 route eigrp | b ^D
D   2001:13:101:13::2/128 [90/16000]
     via FE80::F816:3EFF:FE6B:3ED5, GigabitEthernet0/1
EX  2001:172:16:102::/64 [170/51205120]
     via FE80::F816:3EFF:FE6B:3ED5, GigabitEthernet0/1
CE101#ping 2001:13:101:13::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:13:101:13::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/13/23 ms
CE101#ping 2001:172:16:102::254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:172:16:102::254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/27 ms
D3 Task 1: Verification for AS78
CE23#sh running-config | s router bgp
router bgp 24
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2001:192:168:23::1 remote-as 500
 neighbor 192.168.23.1 remote-as 500
 !
 address-family ipv4
  network 23.23.0.3 mask 255.255.255.255
  neighbor 192.168.23.1 activate
  neighbor 192.168.23.1 allowas-in 1
 exit-address-family
 !
 address-family ipv6
  network 2001:23:23::3/128
  neighbor 2001:192:168:23::1 activate
  neighbor 2001:192:168:23::1 allowas-in 1
 exit-address-family
D3 Task 1: Verification for AS78 (continued)
CE23#sh ip route | b ^B
B        23.23.0.4 [20/0] via 192.168.23.1, 1d16h
      192.168.23.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.23.0/24 is directly connected, GigabitEthernet0/1
L        192.168.23.254/32 is directly connected, GigabitEthernet0/1
B     192.168.24.0/24 [20/0] via 192.168.23.1, 1d16h
CE23#sh ipv6 route | b ^B
[…]
B   2001:23:23::4/128 [20/0]
     via FE80::F816:3EFF:FE88:DC3E, GigabitEthernet0/1
[…]
B   2001:192:168:24::/64 [20/0]
     via FE80::F816:3EFF:FE88:DC3E, GigabitEthernet0/1
CE23#traceroute 23.23.0.4 source lo0
Type escape sequence to abort.
Tracing the route to 23.23.0.4
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.23.1 [AS 901] 3 msec 3 msec 5 msec
  2 20.200.12.2 [MPLS: Label 16210 Exp 0] 7 msec 6 msec 7 msec
  3 192.168.24.254 [AS 901] 9 msec * 6 msec
D3 Task 2: QoS
Configure a policy to remark IPP=5 to EXP=3 for the traffic using a PW from PE23 to PE21. Reserve 10Mbps for the traffic with EXP=3 going out of this PW from PE21 to CE21.
Note: No reservation is needed through the core at this moment.
Score: 2 points
D3 Task 2: QoS
PE23:
!
class-map match-all ipv6
 match precedence 5
!
policy-map pw1
 class ipv6
  set mpls experimental imposition 3
!
interface GigabitEthernet0/3.66
 service-policy input pw1
!
D3 Task 2: QoS
PE21:
!
class-map match-all exp3
 match mpls experimental topmost 3
class-map match-all qos3
 match qos-group 3
!
policy-map pw1-out
 class qos3
  bandwidth 10000
policy-map pw1
 class exp3
  set qos-group 3
!
interface GigabitEthernet0/2
 service-policy input pw1
!
interface GigabitEthernet0/5
 service-policy output pw1-out
!
D3 Task 2: Verification
CE22#ping ipv6
Target IPv6 address: 2001:192:168:21::1
Repeat count [5]: 3
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [no]: y
Source address or interface: g0/1.66
UDP protocol? [no]:
Verbose? [no]:
Precedence [0]: 5
Include hop by hop option? [no]:
Include destination option? [no]:
Sweep range of sizes? [no]:
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 2001:192:168:21::1, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 6/7/8 ms
D3 Task 2: Verification
PE23#sh policy-map int g0/3.66
GigabitEthernet0/3.66
  Service-policy input: pw1
    Class-map: ipv6 (match-all)
      5 packets, 590 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: precedence 5
      QoS Set
        mpls experimental imposition 5
          Packets marked 5
    Class-map: class-default (match-any)
      11 packets, 1042 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
D3 Task 2: Verification
PE21#sh policy-map int g0/2
GigabitEthernet0/2
  Service-policy input: pw1
    Class-map: exp3 (match-all)
      5 packets, 680 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: mpls experimental topmost 3
      QoS Set
        qos-group 3
          Packets marked 5
[..]
PE21#sh policy-map int g0/5
GigabitEthernet0/5
  Service-policy output: pw1-out
    Class-map: qos3 (match-all)
      5 packets, 590 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: qos-group 3
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 5/590
      bandwidth 10000 kbps
[..]
D3 Task 3: Multicast
Enable multicast traffic on Customer78 that meets the following requirements:
• SP-109 must use mLDP as the core MDT.
• SP-109 must use PIM SM in the VRF.
• CE110 must be the source of the multicast traffic.
• CE111 must be the receiver.
• PE12 must be the RP.
Note: You can choose PIM SM or SSM in the core.
Score: 2 points
D3 Task 3: Multicast
PE12, PE13:
!
ipv4 access-list ssm1
 10 permit ipv4 host 233.1.1.1 any
!
route-policy mldp1
  set core-tree mldp-inband
end-policy
!
mpls ldp
 mldp
  logging notifications
  address-family ipv4
!
multicast-routing
 address-family ipv4
  interface Loopback0
   enable
  !
  mdt source Loopback0
 !
PE12, PE13:
[cont. multicast-routing]
 !
 vrf AS_78
  address-family ipv4
   mdt source Loopback0
   interface all enable
   mdt mldp in-band-signaling ipv4
!
multicast-routing
!
router pim
 vrf AS_78
  address-family ipv4
   rp-address 172.16.10.1
   rpf topology route-policy mldp1
   interface GigabitEthernet0/0/0/[5|3]
    enable
   !
   ssm range ssm1
!
D3 Task 3: Verification
CE110#ping 225.1.1.1 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 225.1.1.1, timeout is 2 seconds:
Reply to request 0 from 13.13.13.11, 46 ms
Reply to request 0 from 13.13.13.11, 52 ms
Reply to request 0 from 13.13.13.11, 46 ms
Reply to request 1 from 13.13.13.11, 13 ms
[..]
PE13#sh mpls mldp bind
mLDP MPLS Bindings database
LSP-ID: 0x00001 Paths: 2 Flags:
 0x00001 P2MP 10.100.0.2 [vpnv4 78:78 * 225.1.1.1]
   Local Label: 16302 Active
   Remote Label: 1048577 Inft: ImdtAS/78 RPF-ID: 3 TIDv4/v6: 0xE0000011/0x0
LSP-ID: 0x00002 Paths: 2 Flags:
 0x00002 P2MP 10.100.0.2 [vpnv4 78:78 13.13.13.10 225.1.1.1]
   Local Label: 16303 Active
   Remote Label: 1048577 Inft: ImdtAS/78 RPF-ID: 4 TIDv4/v6: 0xE0000011/0x0
LSP-ID: 0x00003 Paths: 2 Flags:
 0x00003 P2MP 10.100.0.2 [vpnv4 78:78 172.16.10.254 225.1.1.1]
   Local Label: 16304 Active
   Remote Label: 1048577 Inft: ImdtAS/78 RPF-ID: 5 TIDv4/v6: 0xE0000011/0x0
D3 Task 3: Verification
PE12#sh mrib vrf AS_78 route 225.1.1.1
(*,225.1.1.1) RPF nbr: 172.16.10.1 Flags: C RPF
  Up: 00:06:08
  Incoming Interface List
    Decapstunnel0 Flags: A, Up: 00:06:08
  Outgoing Interface List
    GImdtAS/78 Flags: F LMI, Up: 00:06:08
(13.13.13.10,225.1.1.1) RPF nbr: 172.16.10.254 Flags: L RPF
  Up: 00:00:46
  Incoming Interface List
    GigabitEthernet0/0/0/5 Flags: A, Up: 00:00:46
  Outgoing Interface List
    ImdtAS/78 Flags: F LMI, Up: 00:00:44
    GImdtAS/78 Flags: F LMI, Up: 00:00:46
(172.16.10.254,225.1.1.1) RPF nbr: 172.16.10.254 Flags: L RPF
  Up: 00:00:46
  Incoming Interface List
    GigabitEthernet0/0/0/5 Flags: A, Up: 00:00:46
  Outgoing Interface List
    GImdtAS/78 Flags: F LMI, Up: 00:00:46
D4 Task 1: LSP protection
Configure SP-901 in such a way that the routers establish additional direct LDP sessions in case the link between them goes down.
Score: 2 points
D4 Task 1: LSP protection in AS901 – IOS/IOS-XE
PE21#sh running-config | i ^mpls ldp
mpls ldp session protection
mpls ldp discovery targeted-hello accept
PE21#sh mpls ldp neighbor
Peer LDP Ident: 20.200.0.4:0; Local LDP Ident 20.200.0.1:0
TCP connection: 20.200.0.4.25218 - 20.200.0.1.646
State: Oper; Msgs sent/rcvd: 1621/1626; Downstream
Up time: 23:23:37
LDP discovery sources:
GigabitEthernet0/2, Src IP addr: 20.200.14.4
Targeted Hello 20.200.0.1 -> 20.200.0.4, active, passive
Peer LDP Ident: 20.200.0.3:0; Local LDP Ident 20.200.0.1:0
[...]
LDP discovery sources:
Targeted Hello 20.200.0.1 -> 20.200.0.3, active, passive
D4 Task 1: LSP protection in AS901 – IOS/IOS-XE and IOS-XR
RP/0/0/CPU0:PE22#sh running-config mpls ldp
mpls ldp
 router-id 20.200.0.2
 session protection
 address-family ipv4
 !
!
RP/0/0/CPU0:PE22#sh mpls ldp neighbor | utility egrep "Peer LDP|Targeted"
Sun Jan 21 22:42:43.980 UTC
Peer LDP Identifier: 20.200.0.5:0
Targeted Hello (20.200.0.2 -> 20.200.0.5, active)
Peer LDP Identifier: 20.200.0.4:0
Targeted Hello (20.200.0.2 -> 20.200.0.4, active)
Peer LDP Identifier: 20.200.0.1:0
Targeted Hello (20.200.0.2 -> 20.200.0.1, active)
D4 Task 2: IS-IS optimization
Enable IP FRR in SP-109 for all prefixes in the IGP database.
Score: 2 points
D4 Task 2: IS-IS IP FRR – IOS/IOS-XE
P14#sh running-config | s ^router isis
router isis 109
net 49.0109.0000.0004.00
fast-reroute per-prefix level-2 all
P14#sh ip route repair-paths
[...]
10.0.0.0/8 is variably subnetted, 21 subnets, 3 masks
S 10.100.0.0/16 is directly connected, Null0
i L2 10.100.0.1/32 [115/11] via 10.100.24.2, 23:31:59, GigabitEthernet2
Repair Path: 10.100.45.5, via GigabitEthernet3
[RPR][115/20] via 10.100.45.5, 23:31:59, GigabitEthernet3
D4 Task 2: IS-IS IP FRR – IOS-XR
RP/0/0/CPU0:PE13#sh running-config router isis | utility egrep "interface|fast-"
interface GigabitEthernet0/0/0/0
fast-reroute per-prefix
interface GigabitEthernet0/0/0/1
fast-reroute per-prefix
[...]
RP/0/0/CPU0:PE13#sh route isis
Sun Jan 21 22:48:44.425 UTC
i L2 10.100.0.1/32 [115/101] via 10.100.23.2, 23:29:53, GigabitEthernet0/0/0/2 (!)
[115/1] via 10.100.13.1, 23:29:53, GigabitEthernet0/0/0/0
D5 Task 1: Peering security
Service providers must increase network security. Your tasks are:
• Make sure PE13 and PE301 establish eBGP peering using maximum TTL value and discard any TCP request with lower TTL values.
• Configure PE21 for receiving up to 1000 prefixes from PE301.
• At 75% mark, router must send a warning message.
• If the limit is breached, the session must be reset.
• PE21 must wait 3 minutes before initiating or accepting a new session in this case.
Score: 2 points
D5 Task 1: PE13 and PE301 eBGP peering protection
RP/0/0/CPU0:PE13#sh running-config router bgp
[...]
router bgp 109
neighbor 19.3.0.1
remote-as 19
ttl-security
[...]
PE301#sh running-config | s router bgp
router bgp 300
[...]
neighbor 19.3.0.13 remote-as 109
neighbor 19.3.0.13 ttl-security hops 1
D5 Task 1: PE21 eBGP peering protection
PE21#sh running-config | s router bgp
router bgp 901
[...]
address-family ipv4
neighbor 91.3.0.1 maximum-prefix 1000 restart 3
address-family ipv6
neighbor 2001:91:3::1 maximum-prefix 1000 restart 3
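How the single maximum-prefix line covers the task's three requirements, as an added Python model that is not part of the original slides: the 75% warning is not typed in the configuration because it is the IOS default threshold. The class and function names, the sample prefix counts and the exact boundary comparisons are assumptions of this model.

```python
from dataclasses import dataclass, field


@dataclass
class MaxPrefixSession:
    limit: int = 1000        # maximum-prefix 1000
    restart_min: int = 3     # restart 3 (minutes)
    threshold_pct: int = 75  # not on the slide: IOS default warning threshold
    state: str = "Established"
    idle_until: float = 0.0
    warned: bool = False
    events: list = field(default_factory=list)

    def receive(self, minute, prefixes):
        """Feed the prefix count seen from the peer at time `minute`."""
        if self.state == "Idle":
            if minute < self.idle_until:
                # Hold-down: the router neither initiates nor accepts a session.
                self.events.append((minute, "refused"))
                return "refused"
            self.state, self.warned = "Established", False
            self.events.append((minute, "re-established"))
        if prefixes > self.limit:
            # Limit breached: the session is torn down, restart timer starts.
            self.state = "Idle"
            self.idle_until = minute + self.restart_min
            self.events.append((minute, "reset"))
            return "reset"
        if prefixes * 100 > self.limit * self.threshold_pct:
            if not self.warned:  # log once per crossing (model assumption)
                self.warned = True
                self.events.append((minute, "warning"))
                return "warning"
        else:
            self.warned = False
        return "ok"


def replay(samples, **settings):
    """Run (minute, prefix_count) samples through a fresh session."""
    session = MaxPrefixSession(**settings)
    return [session.receive(minute, count) for minute, count in samples]


# Constructed samples: a peer that leaks routes twice.
SAMPLES = [(0, 700), (1, 760), (2, 800), (3, 1001), (4, 500),
           (5.5, 500), (6, 500), (7, 1200), (9, 10), (10, 10)]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, replay(SAMPLES)):
        print(sample, result)
```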
D5 Task 2: VPN traffic control
On PE21 and PE23, make sure the routers check for spoofed source addresses. If such activity is detected, the spoofed traffic must be dropped and a message must be logged that identifies both the IP addressing information and the Layer 4 information, as in the following example:
denied tcp 16.16.14.1(5403) -> 21.200.0.1(23), 1 packet
Score: 2 points
D5 Task 2: PE21 and PE23 uRPF configuration
PE21#sh run int gi0/5 | i interf|verify
interface GigabitEthernet0/5
ip verify unicast source reachable-via rx 2699
[...]
PE21#sh ip access-lists 2699
Extended IP access list 2699
10 deny ip any any log
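One way to turn the ACL 2699 log messages into a per-source view of dropped spoofed traffic, as an added Python example that is not part of the original slides. It assumes the messages arrive in the IOS %SEC-6-IPACCESSLOGP syslog format; the sample lines are constructed around the message quoted in the task, and the function names are chosen here.

```python
import ipaddress
import re

# Constructed sample. The first message is the one quoted in the task; the
# other lines are invented to exercise the parser.
SAMPLE_LOG = """\
Jan 21 22:51:02: %SEC-6-IPACCESSLOGP: list 2699 denied tcp 16.16.14.1(5403) -> 21.200.0.1(23), 1 packet
Jan 21 22:51:09: %SEC-6-IPACCESSLOGP: list 2699 denied tcp 16.16.14.1(5404) -> 21.200.0.1(22), 1 packet
Jan 21 22:56:02: %SEC-6-IPACCESSLOGP: list 2699 denied tcp 16.16.14.1(5403) -> 21.200.0.1(23), 4 packets
Jan 21 22:57:40: %SEC-6-IPACCESSLOGP: list 2699 denied udp 16.16.99.7(53) -> 21.200.0.1(4500), 1 packet
Jan 21 22:58:11: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(40000) -> 21.200.0.1(80), 1 packet
Jan 21 22:58:30: %SEC-6-IPACCESSLOGP: list 2699 denied tcp 16.16.300.1(1) -> 21.200.0.1(23), 1 packet
Jan 21 22:59:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[0-9.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[0-9.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return one ACL log record as a dict, or None if the line does not fit."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    try:
        src = ipaddress.IPv4Address(m["src"])
        dst = ipaddress.IPv4Address(m["dst"])
    except ValueError:
        return None  # looks like an address but is not a valid one
    return {"acl": m["acl"], "action": m["action"], "proto": m["proto"],
            "src": str(src), "sport": int(m["sport"]),
            "dst": str(dst), "dport": int(m["dport"]), "count": int(m["count"])}


def urpf_drops(log_text, acl="2699"):
    """Sum packets dropped by the uRPF ACL per source, with the targets hit."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["acl"] != acl or rec["action"] != "denied":
            continue
        entry = summary.setdefault(rec["src"], {"packets": 0, "targets": set()})
        entry["packets"] += rec["count"]  # later messages carry aggregate counts
        entry["targets"].add((rec["proto"], rec["dst"], rec["dport"]))
    return summary


def top_sources(summary):
    """Sources ordered by dropped packet count, highest first."""
    return sorted(summary, key=lambda src: summary[src]["packets"], reverse=True)


if __name__ == "__main__":
    drops = urpf_drops(SAMPLE_LOG)
    for src in top_sources(drops):
        print(src, drops[src]["packets"], sorted(drops[src]["targets"]))
```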
Questions & Answers
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• LABCCIE-3007: CCIE SP – Troubleshoot MPLS
• LABCCIE-3008: CCIE SP – DIAG module
• LABCCIE-3009: CCIE SP – Troubleshooting IGP
• LABCCIE-3010: CCIE SP – Multicast VPN
• LABCCIE-3011: CCIE SP – Fast Convergence
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• CCIE SP workbook on CLN
• https://learningnetworkstore.cisco.com/cisco-ccie-expert-training/level-for-service-provider-v4-1-lab-workbook-360-sp-04-wkb-core-020997
• CCIE SP study group
• https://learningnetwork.cisco.com/groups/ccie-sp-study-group
Become a Cisco Subject Matter Expert
• Do you consider yourself a Subject Matter Expert?
• Would you like to lend your expertise to the Cisco Certification Exam?
http://www.cisco.com/go/certsme
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Thank you
References
Preparation Materials
• Configuration Guide, Products, Technology
• Cisco Tools, Cisco Press, Whitepapers
• Cisco Learning Network (CLN)
• Design Zone, Cisco Forums
• Cisco Training Program
• External Resources
https://supportforums.cisco.com
http://docwiki.cisco.com
www.cisco.com/go/documentation
www.cisco.com/go/tools
Service Provider Cisco Education Offerings

Course: Deploying Cisco Service Provider Network Routing (SPROUTE) & Advanced (SPADVROUTE); Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE), Edge Network Services (SPEDGE)
Description: SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), route manipulations, and HA routing features; SPADVROUTE covers advanced routing topics in BGP, multicast services including PIM-SM, and IPv6; SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering, QoS mechanisms, and transport technologies; SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services; all within SP IP NGN environments.
Cisco Certification: CCNP Service Provider®

Course: Building Cisco Service Provider Next-Generation Networks, Part 1&2 (SPNGN1), (SPNGN2)
Description: The two courses introduce networking technologies and solutions, including OSI and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network management, and Cisco OS (IOS and IOS XR).
Cisco Certification: CCNA Service Provider®

Course: Implementing Cisco Service Provider Mobility UMTS Networks (SPUMTS); Implementing Cisco Service Provider Mobility CDMA Networks (SPCDMA); Implementing Cisco Service Provider Mobility LTE Networks (SPLTE)
Description: The three courses (SPUMTS, SPCDMA, SPLTE) cover knowledge and skills required to understand products, technologies, and architectures that are found in Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Access (CDMA) packet core networks, plus their migration to Long-Term Evolution (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and Radio Access Networks (RANs).
Cisco Certification: Cisco Service Provider Mobility CDMA to LTE Specialist; Cisco Service Provider Mobility UMTS to LTE Specialist

Course: Implementing and Maintaining Cisco Technologies Using IOS XR (IMTXR)
Description: Service Provider/Enterprise engineers to implement, verification-test, and optimize core/edge technologies in a Cisco IOS XR environment.
Cisco Certification: Cisco IOS XR Specialist

For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth