CCIE SP Practice Lab - clnv.s3.amazonaws.com · CCIE SP Practice Lab Lizabete Cacic, Technical...


CCIE SP Practice Lab

Lizabete Cacic, Technical Leader

Lukasz Bromirski, System Engineering Manager

LTRCCIE-3401


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session.

How:

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

cs.co/ciscolivebot#LTRCCIE-3401

“If you know the enemy and yourself, you need not fear the results of a hundred battles”

Sun Tzu – The Art of War

Agenda

• CCIE SP Lab Format

• LabTorial Overview

• Hands-on Lab

• Troubleshoot Lab

• Diagnostic Lab

• Configuration Lab

• Lab Review

• Questions & Answers


CCIE SP Lab Format

CCIE SP v4.1 – Unified Exam Topics

Domains                                                    Written   Lab
1. Core Routing                                            25%       30%
2. Service Provider Architecture and Services              21%       22%
3. Access and Aggregation                                  18%       21%
4. High Availability and Fast Convergence                  14%       15%
5. Service Provider Security, Operation, and Management    12%       12%
6. Evolving Technologies                                   10%       n/a

https://learningnetwork.cisco.com/community/certifications/ccie_service_provider/written_exam_v4/exam-topics

CCIE Passing Criteria

• 120 min • Optional +30min

• Independent incidents • Console access to the devices

• Topology specific for TS scenarios

• 60 min • No Optional time

• Independent tickets • No Console access to the devices

• Multiple sources of information (like diagrams, emails, and logs)

• 300 min (5h) • Optional - 30min (if used in TS)

• Dependent items • Console access to the devices

• Topology specific for configuration scenario


LabTorial Overview


Login Page


CCIE SP Lab Exam Format

Web-based delivery

[Figure: exam timeline. Durations shown: (2h) with optional +30 min, (60 min), and (5h) with optional -30 min. Time per question shown: about 10 to 12 minutes on average, 6 minutes on average, and about 10 to 12 minutes on average.]


Hands-on Lab

Troubleshooting Module

CCIE SP Troubleshoot – CiscoLive! Barcelona 2018

• LDP – 2 points

• mLDP – 2 points

• L2VPN – 1 point

• L3VPN – 2 points

• QoS – 2 points

• BGP PIC – 2 points

• Control Plane Security – 2 points

Duration: 60m / Total points: 13

Lab topology: Troubleshooting

[Figure: lab topology diagram. Devices shown: CE41, CE42, CE43, CE44, CE45, CE46, PE11, PE12, PE13, P14, P15, PE16, RR17, PE21, PE22, PE23, PE24, RR25, PE31. Autonomous systems shown: AS 100, AS 200, AS 300, AS 4142, AS 43, AS 44, AS 45, AS 46. Per-link interface numbers and subnets are not recoverable from the extracted text.]

Loopback0: 10.0.0.x/32, where x is the Router No.

XR interfaces begin with G0/0/0/x

The last octet of an IP address is the Router No. + mask /24


Trouble Ticket 1: LDP

An AS100 operations engineer notices that the LDP sessions on PE11 are down. Your task is to fix this issue.

Score: 2 points


TS – Ticket 1: LDP

RP/0/0/CPU0:PE11#sh mpls ldp neighbor

[empty]

RP/0/0/CPU0:PE11#sh mpls ldp discovery

Local LDP Identifier: 10.0.0.11:0

Discovery Sources:

Interfaces:

GigabitEthernet0/0/0/0 : xmit

VRF: 'default' (0x60000000)

GigabitEthernet0/0/0/1 : xmit/recv

VRF: 'default' (0x60000000)

LDP Id: 10.0.0.13:0, Transport address: 10.0.0.13

Hold time: 15 sec (local:15 sec, peer:15 sec)

Established: Jan 08 03:14:14.935 (00:18:15 ago)

[..]


Ticket 1: Solution: TCP process is down

RP/0/0/CPU0:PE11(admin)#sh process tcp

Mon Jan 01 20:36:11.962 UTC

Job Id: 399

PID: 1241295

Executable path: /disk0/iosxr-fwding-6.1.3/bin/tcp

Instance #: 1

Version ID: 00.00.0000

Respawn: ON

Respawn count: 4

Last started: Sat Jan 13 13:03:46 2018

Process state: Killed (last exit status : 94)

Package state: Normal

Process group: dlrsc

core: MAINMEM

Max. core: 0

Level: 181

Placement: None

startup_path: /pkg/startup/tcp.startup

Ready: 0.119s

RP/0/0/CPU0:PE11#sh tcp brief

tcp_show_list_bag_generic: TCP process not running or invalid tuple on this node


Ticket 1: Solution: Start the TCP process that crashed.

RP/0/0/CPU0:PE11#admin

RP/0/0/CPU0:PE11(admin)#process start tcp location all


Open a TAC case immediately!


Ticket 1: Verification

RP/0/0/CPU0:PE11#sh mpls ldp neighbor

Peer LDP Identifier: 10.0.0.14:0

TCP connection: 10.0.0.14:54446 - 10.0.0.11:646

Graceful Restart: No

Session Holdtime: 180 sec

State: Oper; Msgs sent/rcvd: 13/28; Downstream-Unsolicited

Up time: 00:03:13

[..]

Peer LDP Identifier: 10.0.0.13:0

TCP connection: 10.0.0.13:15524 - 10.0.0.11:646

Graceful Restart: No

Session Holdtime: 180 sec

State: Oper; Msgs sent/rcvd: 10/10; Downstream-Unsolicited

Up time: 00:00:44

[..]


Trouble Ticket 2: mLDP

ISP AS200 is preparing its core for migration to mLDP. There is an issue with transmission between a simulated source on PE22 and CE45. Your task is to fix this issue. The expected result is shown in the following output.

Score: 2 points

RP/0/0/CPU0:PE22#ping vrf cust45 233.2.2.2 sou 10.3.0.22 tim 1 repeat 2

Reply to request 0 from 10.0.0.45, 1 ms

Reply to request 1 from 10.0.0.45, 9 ms


TS – Ticket 2: mLDP

RP/0/0/CPU0:PE22#sh mpls mldp bindings

No entries in the table to display

RP/0/0/CPU0:PE23#sh mrib vrf cust45 route 233.2.2.2

[..]

(10.3.0.22,233.2.2.2) RPF nbr: 0.0.0.0 Flags: RPF

Up: 00:06:39

Outgoing Interface List

GigabitEthernet0/0/0/3 Flags: F NS, Up: 00:06:39

RP/0/0/CPU0:PE22#sh mrib vrf cust45 route 233.2.2.2

No matching routes in MRIB route-DB


Ticket 2: Solution: Configure the inband mode.

PE22, PE23:

route-policy mldp1

set core-tree mldp-inband

end-policy


Ticket 2: Verification

RP/0/0/CPU0:PE22#sh mpls mldp bindings

Sun Jan 03 06:26:11.372 UTC

mLDP MPLS Bindings database

LSP-ID: 0x00001 Paths: 2 Flags:

0x00001 P2MP 10.0.0.22 [vpnv4 1:45 10.3.0.22 233.2.2.2]

Local Label: 24014

Remote Label: 24009 NH: 192.168.3.23 Inft: GigabitEthernet0/0/0/3

RP/0/0/CPU0:PE23#sh mpls mldp bind

Sun Jan 03 06:26:46.628 UTC

mLDP MPLS Bindings database

LSP-ID: 0x00001 Paths: 2 Flags:

0x00001 P2MP 10.0.0.22 [vpnv4 1:45 10.3.0.22 233.2.2.2]

Local Label: 24009 Active

Remote Label: 1048577 Inft: Imdtcust45 RPF-ID: 6 TIDv4/v6: 0xE0000011/0x0

RP/0/0/CPU0:PE22#ping vrf cust45 233.2.2.2 sou 10.3.0.22 tim 1 repeat 2

Reply to request 0 from 10.0.0.45, 1 ms

Reply to request 1 from 10.0.0.45, 9 ms


Trouble Ticket 3: L2VPN

AS100 and AS200 offer L2VPN service to CE44 and CE46. There is no communication between CE44 and CE46 because the pseudowire is down. Your task is to identify the issue and fix it.

After this task is completed, CE44 and CE46 should be able to learn each other's loopback IPv4 addresses via RIP.

Notes

• You are not allowed to run LDP between ASs.

• Because of the virtualization environment, CE46 is not able to ping CE44 and vice versa.

Score: 1 point


TS – Ticket 3: L2VPN


PE15#sh mpls l2transport vc

Local intf Local circuit Dest address VC ID Status

------------- -------------------------- --------------- ---------- ----------

Gi5.10 Eth VLAN 10 10.1.0.24 44 DOWN

CE44#ping 10.4.4.46

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.4.4.46, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)


TS – Ticket 3: L2VPN


PE15#sh mpls l2 vc det

Local interface: Gi5.10 up, line protocol up, Eth VLAN 10 up

Interworking type is Ethernet

Destination address: 10.1.0.24, VC ID: 44, VC status: down

Last error: Local access circuit is not ready for label advertise

Output interface: none, imposed label stack {}

Preferred path: not configured

Default path: no route

No adjacency

Create time: 06:18:27, last status change time: 04:46:07

Last label FSM state change time: 04:46:07

Signaling protocol: LDP, peer unknown

Targeted Hello: 10.1.0.15(LDP Id) -> 10.1.0.24, LDP is DOWN, no binding

[..]


TS – Ticket 3: L2VPN


PE15#sh ip route 10.1.0.24

Routing entry for 10.1.0.24/32

Known via "bgp 100", distance 200, metric 0

Tag 200, type internal

Last update from 10.0.0.16 00:28:02 ago

Routing Descriptor Blocks:

* 10.0.0.16, from 10.0.0.17, 00:28:02 ago

Route metric is 0, traffic share count is 1

AS Hops 1

Route tag 200

MPLS label: 24008


TS – Ticket 3: L2VPN


RP/0/0/CPU0:PE16#sh cef 10.1.0.24

10.1.0.24/32, version 799, drop adjacency, internal 0x1000001 0x0 (ptr 0xa1422e74) [1],

0x0 (0xa13edb00), 0x808 (0xa1583280)

Updated Jan 02 02:28:04.722

Prefix Len 32, traffic index 0, precedence n/a, priority 4

via 172.16.3.22/32, 0 dependencies, recursive, bgp-ext [flags 0x6020]

path-idx 0 NHID 0x0 [0xa0db7294 0x0]

recursion-via-/32

unresolved

local label 24008

labels imposed {24006}


Ticket 3: Solution: Configure static routes to resolve NH

PE16:

!

router static

address-family ipv4 unicast

172.16.3.22/32 GigabitEthernet0/0/0/3

!

PE22:

!

router static

address-family ipv4 unicast

172.16.3.16/32 GigabitEthernet0/0/0/0

!


Ticket 3: Verification

RP/0/0/CPU0:PE16#sh cef 10.1.0.24/32

[..]

Prefix Len 32, traffic index 0, precedence n/a, priority 4

via 172.16.3.22/32, 5 dependencies, recursive, bgp-ext [flags 0x6020]

path-idx 0 NHID 0x0 [0xa15ebff4 0x0]

recursion-via-/32

next hop 172.16.3.22/32 via 24011/0/21

local label 24008

next hop 172.16.3.22/32 Gi0/0/0/3 labels imposed {ImplNull 24006}

RP/0/0/CPU0:PE22#sh cef 10.1.0.15/32

[..]

Prefix Len 32, traffic index 0, precedence n/a, priority 4

via 172.16.3.16/32, 3 dependencies, recursive, bgp-ext [flags 0x6020]

path-idx 0 NHID 0x0 [0xa15eb7f4 0x0]

recursion-via-/32

next hop 172.16.3.16/32 via 24008/0/21

local label 24007

next hop 172.16.3.16/32 Gi0/0/0/0 labels imposed {ImplNull 24009}


Ticket 3: Verification

PE15#sh mpls l2transport vc

Local intf Local circuit Dest address VC ID Status

------------- -------------------------- --------------- ---------- ----------

Gi5.10 Eth VLAN 10 10.1.0.24 44 UP

CE44#ping 10.4.4.46

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.4.4.46, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 7/8/11 ms


Trouble Ticket 4: L3VPN

There is no communication between CE45 and CE42. This customer uses L3VPN services offered by AS100 and AS200. Your task is to fix this issue.

Score: 2 points

CE45#sh ip route 10.0.0.42

% Subnet not in table


TS – Ticket 4: L3VPN


PE23#sh bgp vrf cust45 summ

[..]

Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd

192.168.7.45 0 45 179 163 0 0 0 08:19:10 Idle

RP/0/0/CPU0:PE23#sh cef vrf cust45 10.0.0.42

10.0.0.42/32, version 37, internal 0x1000001 0x0 (ptr 0xa1408874) [1], 0x0 (0x0), 0x208

(0xa1583140)

Updated Jan 02 23:25:19.750

Prefix Len 32, traffic index 0, precedence n/a, priority 3

via 10.0.0.21/32, 0 dependencies, recursive [flags 0x6000]

path-idx 0 NHID 0x0 [0xa0f92294 0x0]

recursion-via-/32

next hop VRF - 'default', table - 0xe0000000

unresolved

labels imposed {34}


Ticket 4: Solution: Fix eBGP session and LSP

PE23:

!

interface GigabitEthernet0/0/0/3

ipv6 add 2001:0:45::23/64

!

PE11:

!

interface Loopback0

ip address 10.0.0.21 255.255.255.255

!


Ticket 4: Verification

RP/0/0/CPU0:PE23#sh cef vrf cust45 10.0.0.42

10.0.0.42/32, version 7, internal 0x1000001 0x0 (ptr 0xa1408874) [1], 0x0 (0x0), 0x208

(0xa1583140)

Updated Jan 04 17:49:31.931

Prefix Len 32, traffic index 0, precedence n/a, priority 3

via 10.0.0.21/32, 3 dependencies, recursive [flags 0x6000]

path-idx 0 NHID 0x0 [0xa15eb7f4 0x0]

recursion-via-/32

next hop VRF - 'default', table - 0xe0000000

next hop 10.0.0.21/32 via 24003/0/21

next hop 192.168.1.21/32 Gi0/0/0/0 labels imposed {ImplNull 29}


Ticket 4: Verification

CE45#sh ip route 10.0.0.42

Routing entry for 10.0.0.42/32

Known via "bgp 45", distance 20, metric 0

Tag 200, type external

Last update from 192.168.7.23 00:12:34 ago

Routing Descriptor Blocks:

* 192.168.7.23, from 192.168.7.23, 00:12:34 ago

Route metric is 0, traffic share count is 1

AS Hops 3

Route tag 200

MPLS label: none

CE45#ping 10.0.0.42 sou 10.0.0.45

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.42, timeout is 2 seconds:

Packet sent with a source address of 10.0.0.45

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 6/12/35 ms


Trouble Ticket 5: QoS

CE42 implemented QoS recently; since then, when congestion occurs, the BFD session goes down. Your task is to fix this issue.

Note: You do not need to fix the BFD session.

Score: 2 points


TS – Ticket 5: QoS

CE42#sh policy-map int g2

GigabitEthernet2

Service-policy output: as4142-out

Class-map: bfd (match-any)

0 packets, 0 bytes

5 minute offered rate 0000 bps, drop rate 0000 bps

Match: ip dscp cs7 (56)

Queueing

queue limit 416 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 0/0

bandwidth 100000 kbps

[..]


Ticket 5: Solution: Match correct markings

CE42(config)#class-map match-any bfd

CE42(config-cmap)#no match ip dscp cs7

CE42(config-cmap)# match ip dscp cs6


Ticket 5: Verification

CE42#sh policy-map int g2

GigabitEthernet2

Service-policy output: as4142-out

Class-map: bfd (match-any)

117 packets, 7949 bytes

5 minute offered rate 1000 bps, drop rate 0000 bps

Match: ip dscp cs6 (48)

Queueing

queue limit 416 packets

(queue depth/total drops/no-buffer drops) 0/0/0

(pkts output/bytes output) 60/4187

bandwidth 100000 kbps

[..]


Trouble Ticket 6: BGP PIC

An AS100 operations engineer notices that there is no backup entry in the FIB on PE12 for the 10.0.0.43/32 prefix even though BGP PIC is configured. Your task is to fix this issue.

Note: Do not change the BGP sessions.

Score: 2 points


TS – Ticket 6: BGP PIC

PE12#sh bgp vpnv4 unicast all | i 10.0.0.43/32|Disti

Route Distinguisher: 1:1 (default for vrf cust1)

*>i 10.0.0.43/32 10.0.0.11 0 100 0 43 i

Route Distinguisher: 1:43

*>i 10.0.0.43/32 10.0.0.11 0 100 0 43 i

PE12#sh ip cef vrf cust1 10.0.0.43/32 detail

10.0.0.43/32, epoch 0, flags [rib defined all labels]

recursive via 10.0.0.11 label 24007

nexthop 10.1.5.13 GigabitEthernet5 label 24000-(local:20)

nexthop 10.1.9.14 GigabitEthernet3 label 19-(local:20)


Ticket 6: Solution: Change the RD on one of the PEs

PE15:

!

ip vrf cust43

no rd 1:43

CTRL+Z

ip vrf cust43

rd 43:43

route-target export 1:43

route-target import 1:43

!

router bgp 100

add ipv4 unicast vrf cust43

nei 10.3.43.43 remote-as 43

!


Ticket 6: Verification


PE12#sh ip cef vrf cust1 10.0.0.43/32 det

10.0.0.43/32, epoch 0, flags [rib defined all labels]

recursive via 10.0.0.11 label 24007

nexthop 10.1.5.13 GigabitEthernet5 label 24000-(local:20)

nexthop 10.1.9.14 GigabitEthernet3 label 19-(local:20)

recursive via 10.0.0.15 label 36, repair

nexthop 10.1.5.13 GigabitEthernet5 label 24002-(local:21)


Trouble Ticket 7: Control Plane Security

PE16 must be protected so that BGP sessions initiated from AS300 are blocked; however, a BGP session with PE31 must still be established. Your task is to fix the configuration so that it meets this requirement.

Score: 2 points


TS – Ticket 7: Control Plane Security

RP/0/0/CPU0:PE16#sh tcp brief

PCB VRF-ID Recv-Q Send-Q Local Address Foreign Address State

[..]

0x1216c7e8 0x60000000 0 0 172.16.4.16:179 172.16.4.31:36188 ESTAB

[..]

RP/0/0/CPU0:PE31#sh tcp brief

[..]

0x1215b26c 0x60000000 0 0 172.16.5.31:60068 172.16.3.16:179 SYNSENT

0x1216c7e8 0x60000000 0 0 172.16.4.31:179 172.16.4.16:36188 ESTAB

[..]


Ticket 7: Solution: Correct ACL configurations

PE16:

!

ipv4 access-list as300-in

10 deny tcp any any eq bgp

20 permit ipv4 any any

!

PE31:

!

ipv4 access-list as100-in

10 deny tcp any eq bgp any

20 permit ipv4 any any

!


Ticket 7: Verification


RP/0/0/CPU0:PE16#sh tcp brief

PCB VRF-ID Recv-Q Send-Q Local Address Foreign Address State

[..]

0x1216992c 0x60000000 0 0 172.16.4.16:36028 172.16.4.31:179 ESTAB

[..]
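The direction-sensitive filtering in Ticket 7, as an added example that is not part of the original slides: a first-match evaluation of the two ACLs against the TCP three-way handshake in each direction. It assumes each ACL is applied inbound on the PE16–PE31 link (the slides do not show the attachment point) and reuses the addresses and ephemeral ports from the sh tcp brief output; the function and class names are hypothetical.

```python
"""Model of the Ticket 7 ACLs: who may open the BGP session on the PE16-PE31 link."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BGP_PORT = 179
# Link addresses taken from the 'sh tcp brief' output on the slides.
ADDR = {"PE16": "172.16.4.16", "PE31": "172.16.4.31"}


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp" or "ipv4"
    sport: Optional[int] = None  # None means "any"
    dport: Optional[int] = None

    def matches(self, seg: Segment) -> bool:
        if self.proto == "ipv4":  # 'permit ipv4 any any' matches everything
            return True
        return self.sport in (None, seg.sport) and self.dport in (None, seg.dport)


# ipv4 access-list as300-in (PE16): 10 deny tcp any any eq bgp / 20 permit ipv4 any any
AS300_IN = [Ace(10, "deny", "tcp", dport=BGP_PORT), Ace(20, "permit", "ipv4")]
# ipv4 access-list as100-in (PE31): 10 deny tcp any eq bgp any / 20 permit ipv4 any any
AS100_IN = [Ace(10, "deny", "tcp", sport=BGP_PORT), Ace(20, "permit", "ipv4")]

# Assumption: each ACL filters traffic arriving at its router from the peer.
INGRESS_ACL = {
    ADDR["PE16"]: ("PE16 as300-in", AS300_IN),
    ADDR["PE31"]: ("PE31 as100-in", AS100_IN),
}


def evaluate(acl: List[Ace], seg: Segment) -> Tuple[str, Optional[int]]:
    """First matching entry wins; fall through to the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(seg):
            return ace.action, ace.seq
    return "deny", None


def handshake(initiator: str, responder: str, eph_port: int) -> List[Segment]:
    """The three segments of a TCP open towards the responder's port 179."""
    a, b = ADDR[initiator], ADDR[responder]
    return [
        Segment(a, eph_port, b, BGP_PORT, "SYN"),
        Segment(b, BGP_PORT, a, eph_port, "SYN-ACK"),
        Segment(a, eph_port, b, BGP_PORT, "ACK"),
    ]


def session_outcome(initiator: str, responder: str, eph_port: int) -> Tuple[str, Optional[str]]:
    """Run the handshake through the receiving router's ingress ACL, segment by segment."""
    for seg in handshake(initiator, responder, eph_port):
        name, acl = INGRESS_ACL[seg.dst]
        action, seq = evaluate(acl, seg)
        if action == "deny":
            return "BLOCKED", f"{seg.flags} dropped by {name} seq {seq}"
    return "ESTAB", None


if __name__ == "__main__":
    # PE16 opens the session (port 36028, as in the verification output).
    print("PE16 -> PE31:", session_outcome("PE16", "PE31", 36028))
    # PE31 opens the session (port 36188, as in the pre-fix output).
    print("PE31 -> PE16:", session_outcome("PE31", "PE16", 36188))
```

The two ACLs enforce the same rule from both ends: as300-in drops the SYN that AS300 sends to port 179, and as100-in would drop the SYN-ACK that PE16 returns from port 179 if that SYN ever got through.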


Diagnostics Module


CCIE SP Diagnostics – CiscoLive! Barcelona 2018

• IGP – 1 point

• MPLS-TE – 1 point

• LISP – 1 point

• PE-CE – 1 point

• Failure Detection – 1 point

Duration: 30m / Total points: 5

Lab topology: Diagnostics

[Figure: lab topology diagram. Devices shown: CE41, CE42, CE43, CE44, CE45, CE46, PE11, PE12, PE13, P14, P15, PE16, RR17, PE21, PE22, PE23, PE24, RR25, PE31. Autonomous systems shown: AS 100, AS 200, AS 300, AS 4142, AS 43, AS 44, AS 45, AS 46. Per-link interface numbers and subnets are not recoverable from the extracted text.]

Loopback0: 10.0.0.x/32, where x is the Router No.

XR interfaces begin with G0/0/0/x

The last octet of an IP address is the Router No. + mask /24


Task 1: IGP

CE46 10.0.0.46 can't communicate with CE45 10.0.0.45. An operations engineer found that an LSP between PE23 and PE24 is broken. Indicate the root cause of this issue.

a) The MP-BGP next hop 10.0.0.23 is advertised as an OSPF type external route instead of intra- or inter-area.

b) There is a conflict of advertised prefixes in the network between PE23 and another router.

c) PE23 does not assign a label to 10.0.0.0/24.

d) The LSP is broken as the MP-BGP next hop 10.0.0.23 is not advertised as the /32 prefix but with the /24 mask.

e) PE23 breaks an LSP by the aggregation of prefixes to 10.0.0.0/24.

Score: 1 point


Task 1: Email

From: Chris (Support) <[email protected]>
Date: Thu, Jun 15, 2017 at 1:34 PM
To: Brad Whooley <[email protected]>
Subject: No ip reachability

Brad,

We migrated OSPF areas on a couple of our devices. As far as I can see something is wrong with the data plane. Prefixes are advertised correctly. I am waiting for a guy to compare an old config with the current one. Meanwhile I will nail down this issue.

Regards,

Chris

=========================================================

From: Brad Whooley <[email protected]>
Date: Thu, Jun 15, 2017 at 1:12 PM
To: Support <[email protected]>
Subject: No ip reachability

Hi,

We lost connectivity between CE45 and CE46 last night. Did you do anything? Can you check what may be an issue?

Kind regards,

Brad


Task 1: Output

PE24#sh ip route 10.1.0.23

Routing entry for 10.1.0.23/32

Known via "ospf 1", distance 110, metric 3, type intra area

Last update from 192.168.5.22 on GigabitEthernet2, 1w4d ago

Routing Descriptor Blocks:

* 192.168.5.22, from 10.0.0.23, 1w4d ago, via GigabitEthernet2

Route metric is 3, traffic share count is 1

PE24#sh ip route | i 10.0.0.0/24

O E2 10.0.0.0/24 [110/20] via 192.168.5.22, 1w4d, GigabitEthernet2

PE24#sh mpls for 10.1.0.23

Local Outgoing Prefix Bytes Label Outgoing Next Hop

Label Label or Tunnel Id Switched interface

20 24004 10.1.0.23/32 0 Gi2 192.168.5.22

PE24#traceroute 10.1.0.23

Type escape sequence to abort.

Tracing the route to 10.1.0.23

VRF info: (vrf in name/id, vrf out name/id)

1 192.168.5.22 [MPLS: Label 24004 Exp 0] 4 msec 3 msec 3 msec

2 192.168.3.23 3 msec * 3 msec


Task 1: Output

PE24#sh ip cef vrf cust46 10.0.0.45 det

10.0.0.45/32, epoch 0, flags [rib defined all labels]

recursive via 10.0.0.23 label 24005

recursive via 10.0.0.0/24

nexthop 192.168.5.22 GigabitEthernet2 label 24018-(local:30)

RP/0/0/CPU0:PE22#sh mpls for | i 24018

24018 Unlabelled 10.0.0.0/24 Gi0/0/0/3 192.168.3.23 39070

RP/0/0/CPU0:PE22#sh route 10.1.0.23

Routing entry for 10.1.0.23/32

Known via "ospf 1", distance 110, metric 2, type intra area

Installed Jan 14 08:47:58.026 for 1w4d

Routing Descriptor Blocks

192.168.3.23, from 10.0.0.23, via GigabitEthernet0/0/0/3

Route metric is 2 No advertising protos.


Task 1: Output

RP/0/0/CPU0:PE22#sh mpls ldp bindings 10.0.0.23/24

10.0.0.0/24, rev 54

Local binding: label: 24018

Remote bindings: (1 peers)

Peer Label

----------------- ---------

10.1.0.24:0 30

RP/0/0/CPU0:PE23#sh mpls ldp bindings 10.0.0.23/24

10.0.0.0/24, rev 0 (no route)

No local binding

Remote bindings: (1 peers)

Peer Label

----------------- ---------

10.0.0.22:0 24018


Task 1: Output

RP/0/0/CPU0:PE22#sh mpls ldp bindings 10.0.0.23/32

10.0.0.23/32, rev 0 (no route)

No local binding

Remote bindings: (1 peers)

Peer Label

----------------- ---------

10.0.0.23:0 ExpNullv4

RP/0/0/CPU0:PE23#sh mpls ldp bindings 10.0.0.23/32

10.0.0.23/32, rev 22

Local binding: label: ImpNull

No remote bindings


Task 2: MPLS-TE

The traffic from CE41 10.0.0.46 to CE44 10.0.0.44 should go via P14. The MPLS-TE tunnel 111 is configured on PE11 to PE15 but it is not working as expected. What is the root cause of this issue?

Device:

Issue:

Path Error

No route to destination

Failed link P14-P16

Loose object in a path

Wrong explicit-path


Task 2: Email

From: NOC-global <[email protected]>

Date: Wed, Aug 9, 2017 at 7:51 PM

To: Provisioning <[email protected]>

Subject: Core network down [SR12436343]

Here are outputs. It does not look like an issue with routing or labels. Traffic via T111 is not going through. Shall I shut down this interface or will you verify a cfg? Please let me know asap. Some customers are becoming edgy.

=========================================================

From: Provisioning <[email protected]>

Date: Wed, Aug 9, 2017 at 7:11 PM

To: NOC-global <[email protected]>

Subject: Core network down [SR12436343]

Hi

Derek who configured TE tunnels is out of the office after his shift. I can have a look within an hour. Send us outputs from sh mpls traffic-eng tunnels det, sh route and sh mpls for.

Regards,

Paul

=========================================================

From: NOC-global <[email protected]>

Date: Wed, Aug 9, 2017 at 2:09 PM

To: Provisioning <[email protected]>

Subject: Core network down [SR12436343]

Team,

The core of the network is broken with your recent changes. Please have a look at this case and rollback to the previous configuration.

Regards


Task 2: Output


RP/0/0/CPU0:PE11#sh mpls traffic-eng tunnels det

Tue Jan 16 22:15:53.024 UTC

Name: tunnel-te111 Destination: 10.1.6.15 Ifhandle:0xd0

Signalled-Name: PE11_t111

Status:

Admin: up Oper: up Path: valid Signalling: connected

path option 10, type dynamic (Basis for Setup, path weight 20)

path option 5, type explicit divert2

Last PCALC Error: Tue Jan 16 22:15:51 2018

Info: Path-option is skipped because it is held down

Last Signalled Error : Tue Jan 16 22:15:51 2018

Info: [23] PathErr(23,769)-(system) at 10.1.3.13

G-PID: 0x0800 (derived from egress interface properties)

[..]

RP/0/0/CPU0:PE11#sh explicit-paths n divert2

Path divert2 status enabled

10: next-address strict 10.0.0.13

20: next-address loose 10.0.0.14

15: next-address strict 10.1.5.12

30: next-address strict 10.1.3.13

40: next-address strict 10.0.0.15


Task 2: Output


RP/0/0/CPU0:PE11#sh route 10.1.6.15

Routing entry for 10.1.6.0/24

Known via "isis AS100", distance 115, metric 11, type level-2

Installed Jan 16 22:15:51.334 for 1w2d

Routing Descriptor Blocks

10.1.6.15, from 10.0.0.15, via tunnel-te111

Route metric is 11

No advertising protos.

P14#sh ip int brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1 10.255.0.121 YES TFTP up up

GigabitEthernet2 10.1.3.14 YES TFTP up up

GigabitEthernet3 10.1.9.14 YES TFTP up up

GigabitEthernet4 10.1.2.14 YES TFTP up up

GigabitEthernet5 10.1.8.14 YES TFTP administratively down down

GigabitEthernet6 unassigned YES unset administratively down down

GigabitEthernet7 10.1.11.14 YES TFTP up up

Loopback0 10.0.0.14 YES TFTP up up


Task 2: Output


RP/0/0/CPU0:P13#sh mpls traffic-eng tunnels det

LSP Tunnel 10.0.0.11 111 [24] is signalled, Signaling State: up

Tunnel Name: PE11_t111 Tunnel Role: Mid

InLabel: GigabitEthernet0/0/0/1, 24007

OutLabel: GigabitEthernet0/0/0/4, implicit-null

Signalling Info:

Src 10.0.0.11 Dst 10.1.6.15, Tun ID 111, Tun Inst 24, Ext ID 10.0.0.11

Router-IDs: upstream 10.0.0.11

local 10.0.0.13

downstream 10.0.0.15

Bandwidth: 10000 kbps (CT0) Priority: 7 7 DSTE-class: 0

Soft Preemption: None

SRLGs: not collected

Path Info:

Incoming Address: 10.1.1.13

Incoming:

Explicit Route:

Strict, 10.1.1.13

Strict, 10.1.6.15

Strict, 10.0.0.15

Outgoing:

Explicit Route:

Strict, 10.1.6.15

Strict, 10.0.0.15

[..]


Task 2: Output


PE12#sh mpls traffic-eng tunnels det

P2P TUNNELS/LSPs:

P2MP TUNNELS:

P2MP SUB-LSPS:

P14#sh mpls traffic-eng tunnels det

P2P TUNNELS/LSPs:

P2MP TUNNELS:

P2MP SUB-LSPS:


Task 3: LISP

Customer XYZ opened a case regarding LISP. Apparently there is no reachability to the subnet 10.4.42.0/24 in AS4142 from the WAN. Indicate which show command helps you identify the root cause, and on which device you would apply this command.

Device:

CE42

CE41

CE44

PE15

Show command:

sh lisp site 10.4.42.0/24

sh lisp instance-id 0 ipv4 database

sh lisp instance-id 0 ipv4 map-cache

sh lisp platform


Task 3: Email

From: Benjamin <[email protected]>

Date: Mon, Sep 18, 2017 at 6:57 AM

To: Michael <[email protected]>

Subject: LISP site down

Mike,

What about the LISP database? Do you have all entries there?

Regards

=========================================================

From: Michael <[email protected]>

Date: Mon, Sep 18, 2017 at 6:53 AM

To: Benjamin <[email protected]>

Subject: LISP site down

Hi Ben

Find the outputs attached. We did not change anything, I suppose. We had a switchover to CE41 from CE42. Maybe this router never has been tested.

Regards,

Paul

=========================================================

From: Benjamin <[email protected]>

Date: Mon, Sep 18, 2017 at 6:34 AM

To: Michael <[email protected]>

Subject: LISP site down

Hi,

As discussed over the phone, please send us the outputs of your CE devices. Did you change your settings?

Regards

Ben


Task 3: Output


CE44#sh lisp site 10.4.42.0/24

LISP Site Registration Information

Site name: AS4142

Allowed configured locators:

10.2.41.41

10.2.42.42

Requested EID-prefix:

EID-prefix: 10.4.42.0/24

[..]

State: complete

Registration errors:

Authentication failures: 0

Allowed locators mismatch: 2

ETR 10.2.41.41, last registered 1w2d, no proxy-reply, map-notify

TTL 1d00h, no merge, hash-function sha1, nonce 0x2491A8B9-0xE0F8DEA0

state complete, no security-capability

xTR-ID 0x26E07475-0x467BADA9-0x52A6B114-0x4D12CBE7

site-ID unspecified

sourced by reliable transport

Locator Local State Pri/Wgt Scope

10.2.41.41 yes admin-down 255/10 IPv4 none


Task 3: Output


CE41#sh lisp instance-id 0 ipv4 database

LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1

Entries total 2, no-route 1, inactive 0

10.2.42.0/24

Locator Pri/Wgt Source State

10.2.41.41 1/10 cfg-intf site-self, reachable

10.4.42.0/24 *** NO ROUTE TO EID PREFIX ***

Locator Pri/Wgt Source State

10.2.41.41 1/10 cfg-intf site-self, reachable

CE42#sh lisp instance-id 0 ipv4 database

LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1

Entries total 1, no-route 0, inactive 0

10.2.42.0/24

Locator Pri/Wgt Source State

10.2.42.42 1/10 cfg-intf site-self, reachable

PE15#sh lisp instance-id 0 ipv4 database

% LISP is not running.


Task 3: Output


CE41#sh lisp instance-id 0 ipv4 map-cache

LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries

0.0.0.0/0, uptime: 1w3d, expires: never, via static-send-map-request

Negative cache entry, action: send-map-request

10.4.42.0/24, uptime: 1w3d, expires: never, via away, self, send-map-request

Negative cache entry, action: send-map-request

CE42#sh lisp instance-id 0 ipv4 map-cache

LISP IPv4 Mapping Cache for EID-table default (IID 0), 1 entries

0.0.0.0/0, uptime: 1w3d, expires: never, via static-send-map-request

Negative cache entry, action: send-map-request

CE44#sh lisp platform

Parallel LISP instance limit: 2000

RLOC forwarding support:

IPv4 RLOC, local: OK

IPv6 RLOC, local: OK

MAC RLOC, local: Unsupported

IPv4 RLOC, remote: OK

IPv6 RLOC, remote: OK

MAC RLOC, remote: Unsupported

Latest supported config style: Service and instance

Current config style: implied instance 0


Task 4: PE-CE

To prefer the backbone network over a backdoor link, the AS100 engineers configured a sham-link between PE11 and PE12, but this sham-link (SL) adjacency does not come up. What is the reason for that?

a) There is a domain-id mismatch.

b) There is a domain-tag mismatch.

c) Router-id of PE11 is not visible on PE12.

d) PE12 is not an ASBR.

e) The IP endpoint of a sham-link 10.3.0.12 is not reachable.


Task 4: Email

From: level2 <[email protected]>

Date: Fri, Jun 16, 2017 at 8:20 PM

To: level1 <[email protected]>

Subject: Cust1 traffic optimization [SR46455234]

Hi Lora,

Did you redistribute those endpoints to OSPF? You cannot do this. Just advertise them to BGP and that's all. Other prefixes can be redistributed from BGP to OSPF. Send us the latest configs. Did you use additional settings in OSPF like domain-id? This should not be relevant but to have intra-area routes it is better to set the same id.

Regards,

Jason

=========================================================

From: level1 <[email protected]>

Date: Fri, Jun 16, 2017 at 6:18 PM

To: level2 <[email protected]>

Subject: Cust1 traffic optimization [SR46455234]

Hi Team,

We want to escalate the ticket SR46455234. A customer wants to send the traffic over our backbone not a backdoor link. Engineering team prepared a configuration of a sham-link but it does not go up. Strange. IP addresses of endpoints are advertised to BGP, we can ping them. Please support.

Kind regards,

Lora


Task 4: Output


RP/0/0/CPU0:PE11#sh ospf vrf cust1 int brief

* Indicates MADJ interface, (P)Indicates fast detect hold down state

Interfaces for OSPF 2, VRF cust1

Interface PID Area IP Address/Mask Cost State Nbrs F/C

OSPF_SL0 2 0 - 1 DOWN 0/0

Gi0/0/0/4 2 0 10.2.41.11/24 1 DR 1/1

PE12#sh ip ospf int brief

Interface PID Area IP Address/Mask Cost State Nbrs F/C

SL1 2 0 0.0.0.0/0 1 P2P 0/0

Gi6 2 0 10.2.42.12/24 1 BDR 1/1

PE12#sh ip ospf database

OSPF Router with ID (0.0.0.12) (Process ID 2)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count

0.0.0.12 0.0.0.12 1395 0x800001D8 0x004658 1

10.0.0.11 10.0.0.11 1094 0x800001C1 0x004C79 1

10.0.0.41 10.0.0.41 1680 0x800001B9 0x00AEA7 4

10.0.0.42 10.0.0.42 679 0x800001CC 0x005DBE 4


Task 4: Output


PE12#sh ip route vrf cust1 10.3.0.11

Routing Table: cust1

Routing entry for 10.3.0.11/32

Known via "bgp 100", distance 200, metric 0, type internal

Last update from 10.0.0.11 1w3d ago

Routing Descriptor Blocks:

* 10.0.0.11 (default), from 10.0.0.17, 1w3d ago, recursive-via-host

Route metric is 0, traffic share count is 1

AS Hops 0

MPLS label: 24009

MPLS Flags: MPLS Required

RP/0/0/CPU0:PE11#sh route vrf cust1 10.3.0.12

Routing entry for 10.3.0.12/32

Known via "bgp 100", distance 200, metric 0, type internal

Installed Jan 16 00:15:37.530 for 1w3d

Routing Descriptor Blocks

10.0.0.12, from 10.0.0.17

Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000

Route metric is 0 No advertising protos.


Task 4: Output


PE12#sh ip ospf border-routers det

OSPF Router with ID (0.0.0.12) (Process ID 2)

Base Topology (MTID 0)

Internal Router Routing Table

Codes: i - Intra-area route, I - Inter-area route

i 10.0.0.11 [3] via 10.2.42.42, GigabitEthernet6, ABR, Area 0, SPF 47

Source 10.0.0.11, PDB SPF 59, path flag: none

Flags: PathList

RP/0/0/CPU0:PE11#sh ospf 2 vrf cust1

VRF cust1 in Routing Process "ospf 2" with ID 10.0.0.11

Role: Primary Active

NSR (Non-stop routing) is Enabled

Supports only single TOS(TOS0) routes

Supports opaque LSA

It is an area border router

Primary Domain ID: 0x5:0x000000650200

[..]

PE12#sh ip ospf

Routing Process "ospf 2" with ID 0.0.0.12

Domain ID type 0x0005, value 0x000000640200

[..]


Task 5: Failure Detection

What is the BFD detection time between CE42 and PE12?

a) It is more than 3 seconds.

b) It is 3 seconds or more.

c) It is between 2 and 3 seconds.

d) It is subsecond.


Score: 1 point


Task 5: Email

From: Niki (Support) <[email protected]>

Date: Thu, Jun 15, 2017 at 1:34 PM

To: Matthias (Support) <[email protected]>

Subject: BFD detection time

Hi Matt,

Yes, I think so. Let's check the current setting. What is the interval time?

Regards,

Niki

=========================================================

From: Matthias (Support) <[email protected]>

Date: Thu, Jun 15, 2017 at 1:12 PM

To: Niki (Support) <[email protected]>

Subject: BFD detection time

Niki,

The customer wants to confirm what will be the current detection time with BFD? Is it just interval * multiplier? They had slow convergence and complained to our service massively.

Kind regards,

Matt


Task 5: Output

PE12#sh bfd nei det

IPv4 Sessions

NeighAddr LD/RD RH/RS State Int

10.2.42.42 4097/4097 Up Up Gi6

Session state is UP and using echo function with 1000 ms interval.

Session Host: Software

OurAddr: 10.2.42.12

Handle: 1

Local Diag: 0, Demand mode: 0, Poll bit: 0

MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3

Received MinRxInt: 1000000, Received Multiplier: 3

Holddown (hits): 0(0), Hello (hits): 1000(62152)

Rx Count: 62161, Rx Interval (ms) min/max/avg: 1/1046/875 last: 830 ms ago

Tx Count: 62164, Tx Interval (ms) min/max/avg: 1/1022/875 last: 488 ms ago

Elapsed time watermarks: 0 0 (last: 0)

Registered protocols: CEF BGP

Uptime: 00:19:08

Last packet: Version: 1 - Diagnostic: 0

State bit: Up - Demand bit: 0

Poll bit: 0 - Final bit: 0

C bit: 0

Multiplier: 3 - Length: 24

My Discr.: 4097 - Your Discr.: 4097

Min tx interval: 1000000 - Min rx interval: 1000000

Min Echo interval: 1000000


CCIE SP Diagnostics Answers


Task 1: Output

PE24#sh ip cef vrf cust46 10.0.0.45 det

10.0.0.45/32, epoch 0, flags [rib defined all labels]

recursive via 10.0.0.23 label 24005

recursive via 10.0.0.0/24

nexthop 192.168.5.22 GigabitEthernet2 label 24018-(local:30)

RP/0/0/CPU0:PE22#sh mpls for | i 24018

24018 Unlabelled 10.0.0.0/24 Gi0/0/0/3 192.168.3.23 39070

RP/0/0/CPU0:PE23#sh mpls ldp bindings 10.0.0.23/24

10.0.0.0/24, rev 0 (no route)

No local binding

Remote bindings: (1 peers)

Peer Label

----------------- ---------

10.0.0.22:0 24018


Task 1: Answer

ANSWER: PE23 does not allocate a label to 10.0.0.0/24.

Key:

a) The external route can be a next hop for an MP-BGP session.

b) No conflicts or duplications.

c) PE23 does not assign a label to 10.0.0.0/24 and this is a root cause.

d) The LSP is broken but not because of lack of a host route.

e) A /24 aggregate does not break an LSP.

CONCLUSION: A /24 prefix can be a BGP next-hop for L3VPN sessions.
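The check behind this answer can be run mechanically over the collected outputs. The following is an added example, not part of the original lab material: it follows the transport label that PE24 pushes (24018) through the LFIB rows shown above and, where the label is lost, looks at the downstream router's LDP binding for the same prefix. The mapping of 192.168.3.23 to PE23 is an assumption, and the `HEALTHY` row is constructed for comparison.

```python
import re

# IOS XR `sh mpls forwarding` row: local, outgoing, prefix, interface, next hop, bytes.
LFIB_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)$"
)


def parse_lfib(text):
    """Return {local_label: entry} for every row that matches LFIB_ROW."""
    table = {}
    for line in text.splitlines():
        m = LFIB_ROW.match(line.strip())
        if m:
            local, out, prefix, intf, next_hop, _ = m.groups()
            table[int(local)] = {"out": out, "prefix": prefix,
                                 "intf": intf, "next_hop": next_hop}
    return table


def local_binding(text):
    """Local label from `sh mpls ldp bindings <fec>` output, or None if absent."""
    m = re.search(r"^\s*Local binding: label:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def trace_lsp(router, label, lfibs, bindings, owner_of, max_hops=32):
    """Follow a transport label downstream; return (verdict, router, detail)."""
    for _ in range(max_hops):
        entry = lfibs.get(router, {}).get(label)
        if entry is None:
            return ("broken", router, f"no LFIB entry for label {label}")
        downstream = owner_of.get(entry["next_hop"], entry["next_hop"])
        out = entry["out"]
        if out == "Unlabelled":
            # The transport LSP ends here: this router has no downstream label
            # to swap to, so the packet cannot reach the egress PE label-switched.
            text = bindings.get(downstream)
            if text is None:
                cause = f"no LDP binding output collected from {downstream}"
            elif local_binding(text) is None:
                cause = f"{downstream} has no local binding for {entry['prefix']}"
            else:
                cause = (f"{downstream} has a binding; "
                         f"check LDP between {router} and {downstream}")
            return ("broken", router, cause)
        if out == "Pop":
            return ("ok", router, f"penultimate-hop pop towards {downstream}")
        if not out.isdigit():
            return ("unknown", router, f"unhandled outgoing label {out}")
        router, label = downstream, int(out)
    return ("broken", router, "hop limit reached (possible loop)")


# Rows copied from the outputs on this page.
LFIBS = {"PE22": parse_lfib("24018 Unlabelled 10.0.0.0/24 Gi0/0/0/3 192.168.3.23 39070")}
BINDINGS = {
    "PE22": "10.0.0.0/24, rev 54\nLocal binding: label: 24018\n",
    "PE23": "10.0.0.0/24, rev 0 (no route)\nNo local binding\n",
}
# ASSUMPTION: 192.168.3.23 is PE23's side of the PE22-PE23 link.
OWNER_OF = {"192.168.3.23": "PE23"}

# Constructed healthy case: the row PE22 would hold if PE23 advertised implicit-null.
HEALTHY = {"PE22": parse_lfib("24018 Pop 10.0.0.0/24 Gi0/0/0/3 192.168.3.23 39070")}

if __name__ == "__main__":
    # PE24's CEF entry pushes transport label 24018 towards PE22.
    print(trace_lsp("PE22", 24018, LFIBS, BINDINGS, OWNER_OF))
    print(trace_lsp("PE22", 24018, HEALTHY, BINDINGS, OWNER_OF))
```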


Task 2: Output


RP/0/0/CPU0:PE11#sh mpls traffic-eng tunnels det

Tue Jan 16 22:15:53.024 UTC

Name: tunnel-te111 Destination: 10.1.6.15 Ifhandle:0xd0

Signalled-Name: PE11_t111

Status:

Admin: up Oper: up Path: valid Signalling: connected

path option 10, type dynamic (Basis for Setup, path weight 20)

path option 5, type explicit divert2

Last PCALC Error: Tue Jan 16 22:15:51 2018

Info: Path-option is skipped because it is held down

Last Signalled Error : Tue Jan 16 22:15:51 2018

Info: [23] PathErr(23,769)-(system) at 10.1.3.13

G-PID: 0x0800 (derived from egress interface properties)

[..]

RP/0/0/CPU0:PE11#sh explicit-paths n divert2

Path divert2 status enabled

10: next-address strict 10.0.0.13

20: next-address loose 10.0.0.14

15: next-address strict 10.1.5.12

30: next-address strict 10.1.3.13

40: next-address strict 10.0.0.15


Task 2: Answer

ANSWER: Wrong explicit path on PE11

Clue:

The explicit path divert2 is going through PE13, PE12, PE14 and back to PE13.
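The loop named in the clue can be found mechanically. The following is an added example, not part of the original lab material: it parses the `sh explicit-paths` output above, orders the entries by index (the display order differs) and reports any router the path enters a second time. Mapping an address to a router by its last octet is an assumption based on the lab's addressing, and `LOOP_FREE` is a constructed sample, not the lab's solution.

```python
import re
from collections import namedtuple

Hop = namedtuple("Hop", "index mode address node")

# Output of `sh explicit-paths n divert2` as shown on this page.
DIVERT2 = """\
Path divert2 status enabled
10: next-address strict 10.0.0.13
20: next-address loose 10.0.0.14
15: next-address strict 10.1.5.12
30: next-address strict 10.1.3.13
40: next-address strict 10.0.0.15
"""

# Constructed sample used only to show a path with no revisit.
LOOP_FREE = """\
Path sample status enabled
10: next-address strict 10.0.0.14
20: next-address strict 10.0.0.15
"""

HOP_RE = re.compile(
    r"^\s*(\d+):\s+next-address\s+(strict|loose)\s+(\d+(?:\.\d+){3})\s*$"
)


def node_of(address):
    """ASSUMPTION: the last octet of a loopback or link address is the router number."""
    return int(address.rsplit(".", 1)[1])


def parse_explicit_path(text):
    """Return the path entries ordered by index, which is the order they are evaluated in."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            index, mode, address = int(m.group(1)), m.group(2), m.group(3)
            hops.append(Hop(index, mode, address, node_of(address)))
    return sorted(hops, key=lambda h: h.index)


def find_revisits(hops):
    """Return (node, first_index, revisit_index) for every router entered twice."""
    first_seen = {}
    revisits = []
    previous = None
    for hop in hops:
        if hop.node == previous:
            # Interface address followed by the loopback of the same router.
            continue
        if hop.node in first_seen:
            revisits.append((hop.node, first_seen[hop.node], hop.index))
        else:
            first_seen[hop.node] = hop.index
        previous = hop.node
    return revisits


if __name__ == "__main__":
    path = parse_explicit_path(DIVERT2)
    print("evaluation order:", [h.node for h in path])
    for node, first, again in find_revisits(path):
        print(f"router {node} entered at index {first} and again at index {again}")
```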


Task 3: Output


CE41#sh lisp instance-id 0 ipv4 database

LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1

Entries total 2, no-route 1, inactive 0

10.2.42.0/24

Locator Pri/Wgt Source State

10.2.41.41 1/10 cfg-intf site-self, reachable

10.4.42.0/24 *** NO ROUTE TO EID PREFIX ***

Locator Pri/Wgt Source State

10.2.41.41 1/10 cfg-intf site-self, reachable


Task 3: Answer

ANSWER: The command "sh lisp instance-id 0 ipv4 database" on CE41.

Clue:

The prefix 10.4.42.0/24 is not reachable on CE41.


Task 4: Output


PE12#sh ip ospf border-routers det

OSPF Router with ID (0.0.0.12) (Process ID 2)

Base Topology (MTID 0)

Internal Router Routing Table

Codes: i - Intra-area route, I - Inter-area route

i 10.0.0.11 [3] via 10.2.42.42, GigabitEthernet6, ABR, Area 0, SPF 47

Source 10.0.0.11, PDB SPF 59, path flag: none

Flags: PathList

After adding "redistribute bgp" on PE11

PE12#*Jan 02 23:26:40.005: %OSPF-5-ADJCHG: Process 2, Nbr 10.0.0.11 on OSPF_SL1 from LOADING to FULL, Loading Done

PE12#sh ip ospf border-routers det

OSPF Router with ID (0.0.0.12) (Process ID 2)

Base Topology (MTID 0)

Internal Router Routing Table

Codes: i - Intra-area route, I - Inter-area route

i 10.0.0.11 [1] via 10.3.0.11, OSPF_SL1, ABR/ASBR, Area 0, SPF 48

Source 10.0.0.11, PDB SPF 61, path flag: none

Flags: PathList


Task 4: Answer

ANSWER: PE12 is not an ASBR.

Clue:

Note that XR has to be an ASBR. To make PE12 the XE does not have to be an ASBR.


Task 5: Output

PE12#sh bfd nei det

IPv4 Sessions

NeighAddr LD/RD RH/RS State Int

10.2.42.42 4097/4097 Up Up Gi6

Session state is UP and using echo function with 1000 ms interval.

Session Host: Software

OurAddr: 10.2.42.12

Handle: 1

Local Diag: 0, Demand mode: 0, Poll bit: 0

MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3

Received MinRxInt: 1000000, Received Multiplier: 3

Holddown (hits): 0(0), Hello (hits): 1000(62152)

Rx Count: 62161, Rx Interval (ms) min/max/avg: 1/1046/875 last: 830 ms ago

Tx Count: 62164, Tx Interval (ms) min/max/avg: 1/1022/875 last: 488 ms ago

Elapsed time watermarks: 0 0 (last: 0)

Registered protocols: CEF BGP

Uptime: 00:19:08

Last packet: Version: 1 - Diagnostic: 0

State bit: Up - Demand bit: 0

Poll bit: 0 - Final bit: 0

C bit: 0

Multiplier: 3 - Length: 24

My Discr.: 4097 - Your Discr.: 4097

Min tx interval: 1000000 - Min rx interval: 1000000

Min Echo interval: 1000000


Task 5: Answer

ANSWER: It is between 2 and 3 seconds.

[Figure: timeline (t) of BFD packets sent every 1000 ms, with 2 examples of failures. In each example 3 packets are lost; one is labelled "detection > 2 sec", the other "detection < 3 sec".]


Configuration Module


CCIE SP Configuration – CiscoLive! Barcelona 2018

• Domain 1

• IGP – 2 points

• BGP – 2 points

• MPLS LDP – 3 points

• MPLS/TE – 3 points

• Domain 2

• L2VPN – 2 points

• L3VPN – 3 points

• IPv6 transition – 2 points

Duration: 2h30m / Total points: 23

• Domain 3

• PE-CE connectivity – 3 points

• QoS – 2 points

• Multicast – 2 points

• Domain 4

• System HA (LDP protection/sync) – 2 points

• FC (IP FRR or MPLS TE/FRR) – 2 points

• Domain 5

• Control Plane security – 2 points

• Infrastructure security – 2 points


Lab topology (Configuration)

[Figure: lab topology diagram. Recoverable labels: provider routers PE11, PE12, PE13, P14, PE15, P16, PE21, PE22, PE23, P24, P25 and PE301 (SP-300); customer routers CE21, CE22, CE23, CE24, CE101, CE102, CE110, CE111; autonomous systems AS 109, AS 901, AS 19, AS 91, AS 24, AS 42, AS 64 and AS 78; customer sites Customer24, Customer42, Customer64 and Customer78 (Site 1 and Site 2 each). Notes on the diagram: "PE12 is IPv4/IPv6 RR", "P16 is VPNv4 RR", "PE22 is IPv4/IPv6/VPNv4 RR". Address blocks: 10.100/16 with 2001:10:100::/48, and 20.200/16 with 2001:20:200::/48; link subnets 1.9.13.X/24, 1.9.55.X/24, 172.16.10.X, 172.16.11.X, 172.16.101.X, 172.16.102.X and 192.168.21.X to 192.168.24.X. Protocols shown: IS-IS Level-1, IS-IS Level-2, OSPF Area 0, OSPFv2, EIGRP (IPv4 and IPv6), RIPv2, MP-BGP.]


D1 Task 1: IGP for AS109

IS-IS Level-1 and Level-2 areas are configured on SP-109 as depicted on the diagram. Your tasks are:

• Advertise the IPv4 and IPv6 addresses only for the Loopback 0 interface.

• Loopback 0 interface of PE12 and P16 must be in both Level-1 and Level-2 areas.

• IS-IS metrics of IPv6 prefixes must be independently calculated from IPv4 prefixes.

Note: You cannot leak Level-2 prefixes into the Level-1 area.

Score: 2 points



D1 Task 1: Configuration

PE12, PE13:

!
router isis 109
 address-family ipv4 unicast
  advertise passive-only
 !
 address-family ipv6 unicast
  advertise passive-only
  no single-topology
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
  address-family ipv6 unicast
  !
 !
 interface GigabitEthernet0/0/0/x
  circuit-type [level-1|level-2-only]
 !

PE11, P16, P14, PE15:

!
router isis 109
 is-type [level-1|level-2-only]
 advertise passive-only
 passive-interface Loopback0
 !
 address-family ipv6
  advertise passive-only
  multi-topology
!
interface GigabitEthernetx
 isis circuit-type [level-1|level-2-only]
!


D1 Task 1: Verification

PE15#sh isis nei
Tag 109:
System Id       Type Interface     IP Address      State Holdtime Circuit Id
PE12            L1   Gi4           10.100.25.2     UP    26       00
P14             L1   Gi2           10.100.45.4     UP    26       03
P16             L1   Gi3           10.100.56.6     UP    25       05

PE15#sh ip route isis
[..]
      10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
i L1     10.100.0.2/32 [115/20] via 10.100.45.4, 00:20:39, GigabitEthernet2
i L1     10.100.0.4/32 [115/10] via 10.100.45.4, 00:20:39, GigabitEthernet2
i L1     10.100.0.6/32 [115/10] via 10.100.56.6, 00:20:39, GigabitEthernet3

PE15#sh ipv6 route isis
[..]
I1  2001:10:100::2/128 [115/20] via FE80::F816:3EFF:FE13:3C52, GigabitEthernet2
I1  2001:10:100::4/128 [115/10] via FE80::F816:3EFF:FE13:3C52, GigabitEthernet2
I1  2001:10:100::6/128 [115/10] via FE80::F816:3EFF:FEA0:DB36, GigabitEthernet3


D1 Task 2: TE for AS109 and AS901

Apply BGP traffic engineering that meets the following recommendations:

• SP-109 must prefer the SP-300 path when sending traffic towards SP-901.

• The next preferred path from SP-109 towards SP-901 must be the PE13 and PE21 link.

• SP-901 must prefer the P25 and PE15 link when sending traffic towards SP-109 and also towards SP-300.

• Only if the P25 and PE15 link fails can SP-901 follow the shortest path to reach SP-109 and also to reach SP-300.

Score: 2 points


D1 Task 2: TE for AS109 – PE13 configuration

RP/0/0/CPU0:PE13#sh rpl route-policy AS19

route-policy AS19

set local-preference 3000

done

end-policy

!

RP/0/0/CPU0:PE13#sh rpl route-policy AS901

route-policy AS901

set local-preference 2000

done

end-policy

!


D1 Task 2: TE for AS109 – PE13 configuration

RP/0/0/CPU0:PE13#sh running-config router bgp | utility egrep "neigh|route-pol"

neighbor 19.3.0.1

route-policy AS19 in

neighbor 1.9.13.21

route-policy AS901 in

neighbor 2001:19:3::1

route-policy AS19 in

neighbor 2001:1:9:13::21

route-policy AS901 in


D1 Task 2: TE for AS109 – P25 configuration

P25#sh running-config | s ^route-map

route-map AS901 permit 10

set local-preference 1000

P25#sh running-config | s router bgp

router bgp 901

[...]

address-family ipv4

neighbor 1.9.55.15 route-map AS901 in

address-family ipv6

neighbor 2001:1:9:55::15 route-map AS901 in


D1 Task 3: LDP for AS109 and AS901

Configure the LSRs in SP-901 to customize the label range assignments. Each router must use a label range calculated using the following formula:

• 2X00-2X99, where X is the router number (the last digit of the router ID).

• Cisco IOS XRv nodes must use the following formula: 16X00-16X99.

• Example: for PE21, the router ID is 1, for PE22 the router ID is 2, and so on.

Configure the LSRs in SP-901 to rely on the IGP to enable LDP.

Score: 3 points


D1 Task 3: Label range for AS901

PE21#sh run | i range

mpls label range 2100 2199

RP/0/0/CPU0:PE22#sh running-config | i range

mpls label range table 0 16200 16299


D1 Task 3: MPLS LDP autoconfiguration for AS901 – IOS/IOS-XE

PE21#sh running-config | s router ospf 901

router ospf 901

mpls ldp autoconfig

passive-interface Loopback0

PE21#sh mpls interfaces detail

Interface GigabitEthernet0/2:

Type Unknown

IP labeling enabled (ldp):

IGP config


D1 Task 3: MPLS LDP autoconfiguration for AS901 – IOS-XR

RP/0/0/CPU0:PE22#sh running-config router ospf

router ospf 901

area 0

mpls ldp auto-config

interface Loopback0

passive enable

RP/0/0/CPU0:PE22#sh mpls ldp interface

Sun Jan 21 21:27:04.211 UTC

Interface GigabitEthernet0/0/0/0 (0x40)

VRF: 'default' (0x60000000)

Enabled via config: IGP Auto-config

Interface GigabitEthernet0/0/0/1 (0x60)

VRF: 'default' (0x60000000)

Enabled via config: IGP Auto-config


D1 Task 4: Tunnel in AS109

Create MPLS Traffic Engineering tunnels that meet the following requirements:

• Build a tunnel from PE11 to PE15 via PE13, P16, and P14. This MPLS TE tunnel must be used to carry the Layer 3 VPN traffic of Customer64 (CE101 and CE102).

• Traffic from CE102 towards CE101 must be guaranteed as well, and it must follow this path: P16 P14 PE12 PE13.

Note: Manipulation of IGP metrics is not treated as a guarantee of the path.

Score: 3 points


D1 Task 4: MPLS TE

PE11:

!
interface Tunnel1365
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 10.100.0.5
 tunnel mpls traffic-eng autoroute destination
 tunnel mpls traffic-eng path-option 10 explicit name T1365
!
ip explicit-path name T1365 enable
 index 10 next-address 10.100.0.3
 index 20 next-address loose 10.100.0.6
 index 30 next-address 10.100.0.4
!

PE11#sh ip route 10.100.0.5
Routing entry for 10.100.0.5/32
  Known via "static", distance 1, metric 0 (connected)
  Routing Descriptor Blocks:
  * directly connected, via Tunnel1365
      Route metric is 0, traffic share count is 1

Note: Inter-Area TE. Loose hop required, pointing at ABR.


D1 Task 4: MPLS TE

Without MPLS TE:

CE101#trace 13.101.13.2 sou 13.101.13.1
[..]
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.101.1 3 msec 5 msec 2 msec
  2 10.100.12.2 [MPLS: Labels 16205/509 Exp 0] 12 msec 6 msec 31 msec
  3 10.100.24.4 [MPLS: Labels 400/509 Exp 0] 11 msec 6 msec 6 msec
  4 172.16.102.1 [MPLS: Label 509 Exp 0] 9 msec 8 msec 7 msec
  5 172.16.102.254 6 msec * 7 msec

With tunnel T1365:

CE101#trace 13.101.13.2 sou 13.101.13.1
[..]
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.101.1 1 msec 1 msec 2 msec
  2 10.100.13.3 [MPLS: Labels 16300/509 Exp 0] 7 msec 8 msec 8 msec
  3 10.100.36.6 [MPLS: Labels 613/509 Exp 0] 6 msec 17 msec 8 msec
  4 10.100.46.4 [MPLS: Labels 405/509 Exp 0] 26 msec 11 msec 17 msec
  5 172.16.102.1 [MPLS: Label 509 Exp 0] 12 msec 6 msec 5 msec
  6 172.16.102.254 16 msec * 11 msec

Note: Traceroute taken after the L3VPN task.


D1 Task 4: MPLS TE

PE15:

!
interface Tunnel5642
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 10.100.0.2
 tunnel mpls traffic-eng autoroute destination
 tunnel mpls traffic-eng path-option 10 explicit name T5642
!
ip explicit-path name T5642 enable
 index 10 next-address 10.100.0.6
 index 20 next-address 10.100.0.4
 index 30 next-address 10.100.0.2
!

PE12:

!
interface tunnel-te231
 ipv4 unnumbered Loopback0
 autoroute announce
 destination 10.100.0.1
 path-option 10 explicit name T231
!
explicit-path name T231
 index 10 next-address strict ipv4 unicast 10.100.0.3
 index 20 next-address strict ipv4 unicast 10.100.0.1
!

Note: 2 tunnels, as 10.100.0.1 is not reachable from Level-1.


D1 Task 4: MPLS TE

Without MPLS TE:

CE102#trace 13.101.13.1 sou 13.101.13.2
[..]
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.102.1 2 msec 1 msec 5 msec
  2 10.100.45.4 [MPLS: Labels 404/16209/101 Exp 0] 9 msec 9 msec 10 msec
  3 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 8 msec 10 msec 5 msec
  4 172.16.101.1 [MPLS: Label 101 Exp 0] 9 msec 6 msec 7 msec
  5 172.16.101.254 7 msec * 8 msec

With 2 tunnels (T5642 + T231):

CE102#trace 13.101.13.1 sou 13.101.13.2
[..]
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.102.1 1 msec 2 msec 4 msec
  2 10.100.56.6 [MPLS: Labels 610/16209/101 Exp 0] 12 msec 10 msec 6 msec
  3 10.100.46.4 [MPLS: Labels 402/16209/101 Exp 0] 11 msec 8 msec 14 msec
  4 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 8 msec 8 msec 11 msec
  5 10.100.23.3 [MPLS: Labels 16301/101 Exp 0] 9 msec 11 msec 12 msec
  6 172.16.101.1 [MPLS: Label 101 Exp 0] 8 msec 11 msec 8 msec
  7 172.16.101.254 10 msec * 11 msec

Note: Traceroute taken after the L3VPN task.
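The two CE102 traceroutes can be checked against the required path (P16 P14 PE12 PE13) mechanically. The following is an added example, not part of the original slides: it parses the traceroute output copied from this slide, extracts the label stack per hop, and compares the core hop order with the requirement. It assumes that the last octet of each 10.100.x.x hop address is the router number, as with the Loopback0 addresses 10.100.0.X in the configurations; all function names are hypothetical.

```python
import re

# Hop lines copied from the slide: without MPLS TE, then with T5642 + T231.
TRACE_NO_TE = """\
  1 172.16.102.1 2 msec 1 msec 5 msec
  2 10.100.45.4 [MPLS: Labels 404/16209/101 Exp 0] 9 msec 9 msec 10 msec
  3 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 8 msec 10 msec 5 msec
  4 172.16.101.1 [MPLS: Label 101 Exp 0] 9 msec 6 msec 7 msec
  5 172.16.101.254 7 msec * 8 msec
"""
TRACE_TE = """\
  1 172.16.102.1 1 msec 2 msec 4 msec
  2 10.100.56.6 [MPLS: Labels 610/16209/101 Exp 0] 12 msec 10 msec 6 msec
  3 10.100.46.4 [MPLS: Labels 402/16209/101 Exp 0] 11 msec 8 msec 14 msec
  4 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 8 msec 8 msec 11 msec
  5 10.100.23.3 [MPLS: Labels 16301/101 Exp 0] 9 msec 11 msec 12 msec
  6 172.16.101.1 [MPLS: Label 101 Exp 0] 8 msec 11 msec 8 msec
  7 172.16.101.254 10 msec * 11 msec
"""

# "<ttl> <ip> [MPLS: Label(s) a/b/c Exp n] ..." with the MPLS part optional.
HOP_RE = re.compile(
    r"^\s*(?P<ttl>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\[MPLS: Labels? (?P<labels>\d+(?:/\d+)*) Exp \d+\])?"
)


def parse_trace(text):
    """Return one dict per hop: ttl, responding address, label stack (outer first)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        stack = m.group("labels")
        hops.append({
            "ttl": int(m.group("ttl")),
            "ip": m.group("ip"),
            "labels": [int(x) for x in stack.split("/")] if stack else [],
        })
    return hops


def core_path(hops, core_prefix="10.100."):
    """Router numbers of the core hops, in order.

    Assumption: last octet of a 10.100.x.x link address = router number.
    """
    return [int(h["ip"].rsplit(".", 1)[1])
            for h in hops if h["ip"].startswith(core_prefix)]


def check_path(text, required):
    """Return a list of problems; an empty list means the trace is as required."""
    hops = parse_trace(text)
    problems = []
    path = core_path(hops)
    if path != required:
        problems.append(f"core path {path} differs from required {required}")
    # The innermost label is the VPN label; it must not change along the path.
    vpn_labels = {h["labels"][-1] for h in hops if h["labels"]}
    if len(vpn_labels) > 1:
        problems.append(f"VPN label changes along the path: {sorted(vpn_labels)}")
    return problems


if __name__ == "__main__":
    required = [6, 4, 2, 3]          # P16, P14, PE12, PE13
    print("without TE:", check_path(TRACE_NO_TE, required))
    print("with TE   :", check_path(TRACE_TE, required))
```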


D2 Task 1: CE21 and CE22 service

SP-901 must provide an IP-transparent connection to be used by Customer42 (CE21 and CE22).

• CE21 and CE22 must use Gig0/1.66 interface for this connection.

• The service must use control word.

CE21 must assign an IPv6 address to CE22 (Gig 0/1.66), automatically.

• CE21 must use IPv6 only on GigabitEthernet 0/1.66 sub-interface.

• CE22 must be able to reach CE21 directly using the assigned IPv6 address over the service provided by SP-901.

• Use the 2001:192:168:21::/64 network for this configuration.

Score: 2 points


D2 Task 1: xconnect for AS901

RP/0/0/CPU0:PE22#sh running-config router ospf

PE21#sh running-config interface gigabitEthernet 0/5.66

!

interface GigabitEthernet0/5.66

encapsulation dot1Q 66

no cdp enable

xconnect 20.200.0.3 66 encapsulation mpls pw-class AS901

end

PE21#sh running-config | s pseudowire

pseudowire-class AS901

encapsulation mpls

control-word


D2 Task 1: IPv6 autoconfiguration for CE21

CE21#sh run int gi0/1.66

interface GigabitEthernet0/1.66

encapsulation dot1Q 66

ipv6 address 2001:192:168:21::1/64

no cdp enable

end

CE21#sh ipv6 int gi0/1.66 prefix

IPv6 Prefix Advertisements GigabitEthernet0/1.66

PD default [LA] Valid lifetime 2592000, preferred lifetime 604800

AD 2001:192:168:21::/64 [LA] Valid lifetime 2592000, preferred lifetime 604800


D2 Task 1: IPv6 autoconfiguration for CE22

CE22#sh run int gi0/1.66

Building configuration...

Current configuration : 103 bytes

!

interface GigabitEthernet0/1.66

encapsulation dot1Q 66

ipv6 address autoconfig

no cdp enable

end

CE22#sh ipv6 int gi0/1.66

GigabitEthernet0/1.66 is up, line protocol is up

IPv6 is enabled, link-local address is FE80::F816:3EFF:FE50:6FFE

No Virtual link-local address(es):

Stateless address autoconfig enabled

Global unicast address(es):

2001:192:168:21:F816:3EFF:FE50:6FFE, subnet is 2001:192:168:21::/64 [EUI/CAL/PRE]

valid lifetime 2591867 preferred lifetime 604667


D2 Task 2: L3VPN for AS109 and AS901

MP-iBGP VPNv4 and VPNv6 peering have been configured on both SP-109 and SP-901. Your task is to complete the L3VPN configuration on both service providers to allow communication between sites of Customer24, Customer42, Customer64, and Customer78.

Note: Traffic cannot be leaked between customers.

Score: 3 points


D3 Task 1: Example for AS_64

PE11#sh vrf AS_64
  Name       Default RD     Protocols    Interfaces
  AS_64      64:64          ipv4,ipv6    Gi5

PE11#sh ip route vrf AS_64
      13.0.0.0/32 is subnetted, 2 subnets
D        13.101.13.1 [90/10880] via 172.16.101.254, 3d08h, GigabitEthernet5
B        13.101.13.2 [200/100] via 10.100.0.5, 09:24:56
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.101.0/24 is directly connected, GigabitEthernet5
L        172.16.101.1/32 is directly connected, GigabitEthernet5
B        172.16.102.0/24 [200/0] via 10.100.0.5, 09:24:56

PE11#sh running-config | s router bgp
router bgp 109
 […]
 neighbor 10.100.0.2 remote-as 109
 neighbor 10.100.0.2 update-source Loopback0
 neighbor 10.100.0.6 remote-as 109
 neighbor 10.100.0.6 update-source Loopback0
 neighbor 2001:10:100::2 remote-as 109
 neighbor 2001:10:100::2 update-source Loopback0
 neighbor 2001:10:100::6 remote-as 109
 neighbor 2001:10:100::6 update-source Loopback0


D3 Task 1: Example for AS_64 (continued)

 address-family ipv4
  network 10.100.0.0 mask 255.255.0.0
  network 10.100.0.1 mask 255.255.255.255
  aggregate-address 10.100.0.0 255.255.0.0
  neighbor 10.100.0.2 activate
  neighbor 10.100.0.2 next-hop-self
  neighbor 10.100.0.2 send-label
 exit-address-family
 address-family vpnv4
  neighbor 10.100.0.6 activate
  neighbor 10.100.0.6 send-community extended
 exit-address-family
 address-family vpnv6
  neighbor 2001:10:100::6 activate
  neighbor 2001:10:100::6 send-community extended
 exit-address-family
 address-family ipv4 vrf AS_64
  redistribute connected
  redistribute eigrp 64 metric 100
 exit-address-family
 address-family ipv6 vrf AS_64
  redistribute connected
  redistribute eigrp 64 metric 100
 exit-address-family


D2 Task 2: L3VPN

PE11:

!
router bgp 109
 neighbor 10.100.0.2 remote-as 109
 neighbor 10.100.0.2 update-source Lo0
 address-family ipv4 unicast
  network 10.100.0.1 mask 255.255.255.255
  neighbor 10.100.0.2 activate
  neighbor 10.100.0.2 next-hop-self
  neighbor 10.100.0.2 send-label
!

PE12:

!
router bgp 109
 ibgp policy out enforce-modifications
 address-family ipv4 unicast
  network 10.100.0.2/32
  allocate-label all
 !
 neighbor 10.100.0.1
  address-family ipv4 labeled-unicast
   route-reflector-client
   next-hop-self
!

Notes:

• PE15 is in the Level-1 area and there is no 10.100.0.1/32 advertised via IS-IS. Thus RFC3107 is needed.

• PE12 acts as an inline RR and assigns a BGP label for 10.100.0.1/32.

• This configuration is in addition to what the L3VPN itself requires.


D2 Task 2: L3VPN

PE12:

!
router bgp 109
 neighbor 10.100.0.5
  remote-as 109
  update-source Loopback0
  address-family ipv4 labeled-unicast
   route-reflector-client
   next-hop-self
!

PE15:

!
router bgp 109
 neighbor 10.100.0.2 remote-as 109
 neighbor 10.100.0.2 update-source Loopback0
 !
 address-family ipv4
  network 10.100.0.5 mask 255.255.255.255
  neighbor 10.100.0.2 activate
  neighbor 10.100.0.2 next-hop-self
  neighbor 10.100.0.2 send-label
!

Notes:

• PE15 receives 10.100.0.1/32 with a BGP label allocated by PE12.

• This configuration is in addition to what the L3VPN itself requires.


D2 Task 2: Verification

PE12#sh bgp ipv4 labeled-unicast labels | utility egrep "Label|10.100.0.1/32"
   Network            Next Hop        Rcvd Label      Local Label
*>i10.100.0.1/32      10.100.0.1      3               16209

PE15#sh ip cef vrf AS_64 13.101.13.1 det
13.101.13.1/32, epoch 0, flags [rib defined all labels]
  recursive via 10.100.0.1 label 101
    recursive via 10.100.0.2 label 16209
      nexthop 10.100.45.4 GigabitEthernet2 label [404|implicit-null]-(local:503)
        repair: attached-nexthop 10.100.25.2 GigabitEthernet4

CE102#trace 13.101.13.1 sou 13.101.13.2
Type escape sequence to abort.
Tracing the route to 13.101.13.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.102.1 4 msec 3 msec 3 msec
  2 10.100.45.4 [MPLS: Labels 404/16209/101 Exp 0] 6 msec 6 msec 5 msec
  3 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 6 msec 5 msec 5 msec
  4 172.16.101.1 [MPLS: Label 101 Exp 0] 5 msec 5 msec 7 msec
  5 172.16.101.254 7 msec * 6 msec

Notes:

• This configuration is in addition to what the L3VPN itself requires.

• RFC3107 in action: label 16209 is to 10.100.0.1/32.


D2 Task 3: IPv6 Transition

Configure AS-901 to provide IPv6-to-IPv4 translation, so that the IPv6 address of Loopback 0 on PE23 is translated to IPv4. PE23 should be able to connect to 30.3.1.1 on PE301.

Notes:

• You can choose any IPv4/IPv6 address required to complete this task.

• Use PE21 as a translator.

Score: 2 points


D2 Task 3: IPv6 Transition

PE21:

!
interface GigabitEthernet0/2
 nat64 enable
!
interface GigabitEthernet0/3
 nat64 enable
!
interface GigabitEthernet0/6
 nat64 enable
!
nat64 prefix stateful 2006:BEEF::/96
nat64 v4v6 static 30.3.1.1 2006:BEEF::1E03:101
nat64 v6v4 static 2001:20:200::3 93.3.0.3
!
router ospfv3 901
 address-family ipv6 unicast
  redistribute static
!
router bgp 901
 address-family ipv4
  redistribute static
!

Note: 2006:BEEF::/96 and 93.3.0.3 are arbitrarily chosen addresses.
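The static entry `nat64 v4v6 static 30.3.1.1 2006:BEEF::1E03:101` places the IPv4 address in the low 32 bits of the /96 prefix, which is the RFC 6052 address layout. The following is an added example, not part of the original slides, that computes and checks such mappings; it goes beyond the /96 case on the slide to the other RFC 6052 prefix lengths, and all function names are hypothetical.

```python
import ipaddress
import re

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

# NAT64 lines copied from the PE21 configuration on the slide.
CONFIG = """\
nat64 prefix stateful 2006:BEEF::/96
nat64 v4v6 static 30.3.1.1 2006:BEEF::1E03:101
nat64 v6v4 static 2001:20:200::3 93.3.0.3
"""


def embed(prefix, ipv4):
    """Return the IPv6 address that embeds `ipv4` under `prefix` (RFC 6052)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    head = net.network_address.packed
    if head[8] != 0:
        raise ValueError("bits 64-71 of the prefix must be zero")
    out = bytearray(head[: net.prefixlen // 8])
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if len(out) == 8:          # byte 8 is the reserved "u" octet: stays zero
            out.append(0)
        out.append(octet)
    out.extend(bytes(16 - len(out)))   # zero suffix
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, ipv6):
    """Recover the embedded IPv4 address from `ipv6` under `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw = addr.packed
    # Take the four bytes after the prefix, skipping the "u" octet (byte 8).
    octets = [raw[i] for i in range(net.prefixlen // 8, 16) if i != 8][:4]
    return ipaddress.IPv4Address(bytes(octets))


def audit_v4v6(config):
    """For each 'nat64 v4v6 static' line, report whether the IPv6 side equals
    the RFC 6052 embedding of the IPv4 side under the stateful prefix."""
    m = re.search(r"^nat64 prefix stateful (\S+)", config, re.M)
    if not m:
        raise ValueError("no 'nat64 prefix stateful' line found")
    prefix = m.group(1)
    results = []
    for v4, v6 in re.findall(r"^nat64 v4v6 static (\S+) (\S+)", config, re.M):
        matches = ipaddress.IPv6Address(v6) == embed(prefix, v4)
        results.append((v4, v6, matches))
    return results


if __name__ == "__main__":
    print(embed("2006:BEEF::/96", "30.3.1.1"))
    print(extract("2006:BEEF::/96", "2006:BEEF::1E03:101"))
    print(audit_v4v6(CONFIG))
```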


D2 Task 3: Verification

PE23#sh ipv6 route 2006:BEEF::1E03:101
Routing entry for 2006:BEEF::/96
  Known via "ospf 901", distance 110, metric 20, type extern 2
  Route count is 1/1, share count 0
  Routing paths:
    FE80::F816:3EFF:FE79:3161, GigabitEthernet0/2
      From FE80::F816:3EFF:FE79:3161
      Last updated 00:21:33 ago

PE21#sh ipv6 route 2006:BEEF::1E03:101
Routing entry for 2006:BEEF::/96
  Known via "static", distance 1, metric 0
  Redistributing via ospf 901
  Route count is 1/1, share count 0
  Routing paths:
    ::100.0.0.1, NVI1

PE21#sh ip route 93.3.0.3
Routing entry for 93.3.0.3/32
  Known via "static", distance 0, metric 0
  Redistributing via bgp 901
  Advertised by bgp 901
  Routing Descriptor Blocks:
  * directly connected, via NVI1


D2 Task 3: Verification

PE23#telnet 2006:BEEF::1E03:101 /source-interface lo0 /ipv6
Trying 2006:BEEF::1E03:101 ... Open
User Access Verification
Username: cisco
Password:
PE301#sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:02
*  1 vty 0     cisco      idle                 00:00:00 93.3.0.3
  Interface    User               Mode         Idle     Peer Address

PE21#sh nat64 trans
Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
--------------------------------------------------------
---    30.3.1.1              2006:BEEF::1E03:101
       ---                   ---
tcp    30.3.1.1:23           [2006:BEEF::1E03:101]:23
       93.3.0.3:48577        [2001:20:200::3]:48577
---    ---                   ---
       93.3.0.3              2001:20:200::3
Total number of translations: 3


D3 Task 1: Routing protocols on PE-CE edge

Enable the PE-CE routing protocol as per the following requirements:

• Configure EIGRP for both IPv4 and IPv6 for Customer64 (CE101 and CE102).

• Configure RIPv2 for Customer78 (CE111 and CE110).

• Make sure the metric for routes exchanged over the service provider backbone is adjusted by SP-109 by 10.

• Configure OSPFv2 for Customer42 (CE21 and CE22).

• Configure BGP for Customer24.

• Make sure both IPv4 and IPv6 networks are exchanged.

• There is full reachability between both sites.

• SP-901 must use AS number 500 for this peering.

Score: 3 points


D3 Task 1: Verification for AS64

CE101#sh running-config | s router eigrp
router eigrp AS64
 address-family ipv4 unicast autonomous-system 64
  af-interface Loopback0
   passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 13.0.0.0
  network 172.16.0.0
 exit-address-family
 address-family ipv6 unicast autonomous-system 64
  af-interface Loopback0
   passive-interface
  exit-af-interface
  topology base
  exit-af-topology
 exit-address-family


D3 Task 1: Verification for AS64 (continued)

CE101#sh ip route eigrp | b ^D
D        13.101.13.2 [90/16000] via 172.16.101.1, 00:09:36, GigabitEthernet0/1
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.102.0/24
           [90/15360] via 172.16.101.1, 00:09:36, GigabitEthernet0/1

CE101#sh ipv6 route eigrp | b ^D
D   2001:13:101:13::2/128 [90/16000]
     via FE80::F816:3EFF:FE6B:3ED5, GigabitEthernet0/1
EX  2001:172:16:102::/64 [170/51205120]
     via FE80::F816:3EFF:FE6B:3ED5, GigabitEthernet0/1

CE101#ping 2001:13:101:13::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:13:101:13::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/13/23 ms

CE101#ping 2001:172:16:102::254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:172:16:102::254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/27 ms


D3 Task 1: Verification for AS78

CE23#sh running-config | s router bgp
router bgp 24
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2001:192:168:23::1 remote-as 500
 neighbor 192.168.23.1 remote-as 500
 !
 address-family ipv4
  network 23.23.0.3 mask 255.255.255.255
  neighbor 192.168.23.1 activate
  neighbor 192.168.23.1 allowas-in 1
 exit-address-family
 !
 address-family ipv6
  network 2001:23:23::3/128
  neighbor 2001:192:168:23::1 activate
  neighbor 2001:192:168:23::1 allowas-in 1
 exit-address-family


D3 Task 1: Verification for AS78 (continued)

CE23#sh ip route | b ^B
B        23.23.0.4 [20/0] via 192.168.23.1, 1d16h
      192.168.23.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.23.0/24 is directly connected, GigabitEthernet0/1
L        192.168.23.254/32 is directly connected, GigabitEthernet0/1
B     192.168.24.0/24 [20/0] via 192.168.23.1, 1d16h

CE23#sh ipv6 route | b ^B
[…]
B   2001:23:23::4/128 [20/0]
     via FE80::F816:3EFF:FE88:DC3E, GigabitEthernet0/1
[…]
B   2001:192:168:24::/64 [20/0]
     via FE80::F816:3EFF:FE88:DC3E, GigabitEthernet0/1

CE23#traceroute 23.23.0.4 source lo0
Type escape sequence to abort.
Tracing the route to 23.23.0.4
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.23.1 [AS 901] 3 msec 3 msec 5 msec
  2 20.200.12.2 [MPLS: Label 16210 Exp 0] 7 msec 6 msec 7 msec
  3 192.168.24.254 [AS 901] 9 msec * 6 msec


D3 Task 2: QoS

Configure a policy to remark IPP=5 to EXP=3 for the traffic using a PW from PE23 to PE21. Reserve 10Mbps for the traffic with EXP=3 going out of this PW from PE21 to CE21.

Note: No reservation is needed through the core at this moment.

Score: 2 points


D3 Task 2: QoS

PE23:

!
class-map match-all ipv6
 match precedence 5
!
policy-map pw1
 class ipv6
  set mpls experimental imposition 3
!
interface GigabitEthernet0/3.66
 service-policy input pw1
!


D3 Task 2: QoS

PE21:

!
class-map match-all exp3
 match mpls experimental topmost 3
class-map match-all qos3
 match qos-group 3
!
policy-map pw1-out
 class qos3
  bandwidth 10000
policy-map pw1
 class exp3
  set qos-group 3
!
interface GigabitEthernet0/2
 service-policy input pw1
!
interface GigabitEthernet0/5
 service-policy output pw1-out
!


D3 Task 2: Verification

CE22#ping ipv6
Target IPv6 address: 2001:192:168:21::1
Repeat count [5]: 3
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [no]: y
Source address or interface: g0/1.66
UDP protocol? [no]:
Verbose? [no]:
Precedence [0]: 5
Include hop by hop option? [no]:
Include destination option? [no]:
Sweep range of sizes? [no]:
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 2001:192:168:21::1, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 6/7/8 ms


D3 Task 2: Verification

PE23#sh policy-map int g0/3.66
 GigabitEthernet0/3.66

  Service-policy input: pw1

    Class-map: ipv6 (match-all)
      5 packets, 590 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: precedence 5
      QoS Set
        mpls experimental imposition 5
          Packets marked 5

    Class-map: class-default (match-any)
      11 packets, 1042 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any


D3 Task 2: Verification

PE21#sh policy-map int g0/2
GigabitEthernet0/2
  Service-policy input: pw1
    Class-map: exp3 (match-all)
      5 packets, 680 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: mpls experimental topmost 3
      QoS Set
        qos-group 3
          Packets marked 5
[..]

PE21#sh policy-map int g0/5
GigabitEthernet0/5
  Service-policy output: pw1-out
    Class-map: qos3 (match-all)
      5 packets, 590 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: qos-group 3
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 5/590
      bandwidth 10000 kbps
[..]


D3 Task 3: Multicast

Enable multicast traffic on Customer78 that meets the following requirements:

• SP-109 must use mLDP as the core MDT.

• SP-109 must use PIM SM in the VRF.

• CE110 must be the source of the multicast traffic.

• CE111 must be the receiver.

• PE12 must be the RP.

Note: You can choose PIM SM or SSM in the core.

Score: 2 points


D3 Task 3: Multicast

PE12, PE13:
!
ipv4 access-list ssm1
 10 permit ipv4 host 233.1.1.1 any
!
route-policy mldp1
  set core-tree mldp-inband
end-policy
!
mpls ldp
 mldp
  logging notifications
  address-family ipv4
!
multicast-routing
 address-family ipv4
  interface Loopback0
   enable
  !
  mdt source Loopback0
 !

PE12, PE13:
[cont. multicast-routing]
!
 vrf AS_78
  address-family ipv4
   mdt source Loopback0
   interface all enable
   mdt mldp in-band-signaling ipv4
!
multicast-routing
!
router pim
 vrf AS_78
  address-family ipv4
   rp-address 172.16.10.1
   rpf topology route-policy mldp1
   interface GigabitEthernet0/0/0/[5|3]
    enable
   !
   ssm range ssm1
  !


D3 Task 3: Verification

CE110#ping 225.1.1.1 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 225.1.1.1, timeout is 2 seconds:
Reply to request 0 from 13.13.13.11, 46 ms
Reply to request 0 from 13.13.13.11, 52 ms
Reply to request 0 from 13.13.13.11, 46 ms
Reply to request 1 from 13.13.13.11, 13 ms
[..]

PE13#sh mpls mldp bind
mLDP MPLS Bindings database

LSP-ID: 0x00001 Paths: 2 Flags:
 0x00001 P2MP 10.100.0.2 [vpnv4 78:78 * 225.1.1.1]
   Local Label: 16302 Active
   Remote Label: 1048577 Inft: ImdtAS/78 RPF-ID: 3 TIDv4/v6: 0xE0000011/0x0

LSP-ID: 0x00002 Paths: 2 Flags:
 0x00002 P2MP 10.100.0.2 [vpnv4 78:78 13.13.13.10 225.1.1.1]
   Local Label: 16303 Active
   Remote Label: 1048577 Inft: ImdtAS/78 RPF-ID: 4 TIDv4/v6: 0xE0000011/0x0

LSP-ID: 0x00003 Paths: 2 Flags:
 0x00003 P2MP 10.100.0.2 [vpnv4 78:78 172.16.10.254 225.1.1.1]
   Local Label: 16304 Active
   Remote Label: 1048577 Inft: ImdtAS/78 RPF-ID: 5 TIDv4/v6: 0xE0000011/0x0


D3 Task 3: Verification

PE12#sh mrib vrf AS_78 route 225.1.1.1

(*,225.1.1.1) RPF nbr: 172.16.10.1 Flags: C RPF
  Up: 00:06:08
  Incoming Interface List
    Decapstunnel0 Flags: A, Up: 00:06:08
  Outgoing Interface List
    GImdtAS/78 Flags: F LMI, Up: 00:06:08

(13.13.13.10,225.1.1.1) RPF nbr: 172.16.10.254 Flags: L RPF
  Up: 00:00:46
  Incoming Interface List
    GigabitEthernet0/0/0/5 Flags: A, Up: 00:00:46
  Outgoing Interface List
    ImdtAS/78 Flags: F LMI, Up: 00:00:44
    GImdtAS/78 Flags: F LMI, Up: 00:00:46

(172.16.10.254,225.1.1.1) RPF nbr: 172.16.10.254 Flags: L RPF
  Up: 00:00:46
  Incoming Interface List
    GigabitEthernet0/0/0/5 Flags: A, Up: 00:00:46
  Outgoing Interface List
    GImdtAS/78 Flags: F LMI, Up: 00:00:46


D4 Task 1: LSP protection

Configure SP-901 in such a way that routers establish additional direct LDP sessions in case the link between them goes down.

Score: 2 points


D4 Task 1: LSP protection in AS901 – IOS/IOS-XE

PE21#sh running-config | i ^mpls ldp

mpls ldp session protection

mpls ldp discovery targeted-hello accept

PE21#sh mpls ldp neighbor

Peer LDP Ident: 20.200.0.4:0; Local LDP Ident 20.200.0.1:0

TCP connection: 20.200.0.4.25218 - 20.200.0.1.646

State: Oper; Msgs sent/rcvd: 1621/1626; Downstream

Up time: 23:23:37

LDP discovery sources:

GigabitEthernet0/2, Src IP addr: 20.200.14.4

Targeted Hello 20.200.0.1 -> 20.200.0.4, active, passive

Peer LDP Ident: 20.200.0.3:0; Local LDP Ident 20.200.0.1:0

[...]

LDP discovery sources:

Targeted Hello 20.200.0.1 -> 20.200.0.3, active, passive


D4 Task 1: LSP protection in AS901 – IOS/IOS-XE and IOS-XR

RP/0/0/CPU0:PE22#sh running-config mpls ldp

mpls ldp router-id 20.200.0.2

session protection

address-family ipv4

!

!

RP/0/0/CPU0:PE22#sh mpls ldp neighbor | utility egrep "Peer LDP|Targeted"

Sun Jan 21 22:42:43.980 UTC

Peer LDP Identifier: 20.200.0.5:0

Targeted Hello (20.200.0.2 -> 20.200.0.5, active)

Peer LDP Identifier: 20.200.0.4:0

Targeted Hello (20.200.0.2 -> 20.200.0.4, active)

Peer LDP Identifier: 20.200.0.1:0

Targeted Hello (20.200.0.2 -> 20.200.0.1, active)


D4 Task 2: IS-IS optimization

Enable IP FRR in SP-109 for all prefixes in the IGP database.

Score: 2 points


D4 Task 2: IS-IS IP FRR – IOS/IOS-XE

P14#sh running-config | s ^router isis

router isis 109

net 49.0109.0000.0004.00

fast-reroute per-prefix level-2 all

P14#sh ip route repair-paths

[...]

10.0.0.0/8 is variably subnetted, 21 subnets, 3 masks

S 10.100.0.0/16 is directly connected, Null0

i L2 10.100.0.1/32 [115/11] via 10.100.24.2, 23:31:59, GigabitEthernet2

Repair Path: 10.100.45.5, via GigabitEthernet3

[RPR][115/20] via 10.100.45.5, 23:31:59, GigabitEthernet3


D4 Task 2: IS-IS IP FRR – IOS-XR

RP/0/0/CPU0:PE13#sh running-config router isis | utility egrep "interface|fast-"

interface GigabitEthernet0/0/0/0

fast-reroute per-prefix

interface GigabitEthernet0/0/0/1

fast-reroute per-prefix

[...]

RP/0/0/CPU0:PE13#sh route isis

Sun Jan 21 22:48:44.425 UTC

i L2 10.100.0.1/32 [115/101] via 10.100.23.2, 23:29:53, GigabitEthernet0/0/0/2 (!)

[115/1] via 10.100.13.1, 23:29:53, GigabitEthernet0/0/0/0


D5 Task 1: Peering security

Service providers must increase network security. Your tasks are:

• Make sure PE13 and PE301 establish eBGP peering using the maximum TTL value and discard any TCP request with a lower TTL value.

• Configure PE21 to receive up to 1000 prefixes from PE301.

• At the 75% mark, the router must send a warning message.

• If the limit is breached, the session must be reset.

• PE21 must wait 3 minutes before initiating or accepting a new session in this case.

Score: 2 points


D5 Task 1: PE13 and PE301 eBGP peering protection

RP/0/0/CPU0:PE13#sh running-config router bgp

[...]

router bgp 109

neighbor 19.3.0.1

remote-as 19

ttl-security

[...]

PE301#sh running-config | s router bgp

router bgp 300

[...]

neighbor 19.3.0.13 remote-as 109

neighbor 19.3.0.13 ttl-security hops 1


D5 Task 1: PE21 eBGP peering protection

PE21#sh running-config | s router bgp

router bgp 901

[...]

address-family ipv4

neighbor 91.3.0.1 maximum-prefix 1000 restart 3

address-family ipv6

neighbor 2001:91:3::1 maximum-prefix 1000 restart 3
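An added example, not part of the original slides: a Python check that reads the `maximum-prefix` and `ttl-security hops` lines shown above, compares PE21 against the task requirements, and models when the router warns or resets the session. It assumes the IOS default warning threshold of 75 percent and the IOS rule that `ttl-security hops N` accepts a TTL of 255 minus N or higher; the function names are hypothetical.

```python
import re

# Constructed inputs: the PE21 and PE301 lines from the slides above.
PE21_CFG = """\
router bgp 901
 address-family ipv4
  neighbor 91.3.0.1 maximum-prefix 1000 restart 3
 address-family ipv6
  neighbor 2001:91:3::1 maximum-prefix 1000 restart 3
"""
PE301_CFG = """\
router bgp 300
 neighbor 19.3.0.13 remote-as 109
 neighbor 19.3.0.13 ttl-security hops 1
"""

IOS_DEFAULT_THRESHOLD = 75  # percent; IOS applies it when no threshold is typed

# neighbor <addr> maximum-prefix <max> [threshold] [restart <min>] [warning-only]
MAXPFX = re.compile(
    r"^[ \t]*neighbor (\S+) maximum-prefix (\d+)(?: (\d+))?"
    r"(?: restart (\d+))?( warning-only)?[ \t]*$", re.M)
GTSM = re.compile(r"^[ \t]*neighbor (\S+) ttl-security hops (\d+)[ \t]*$", re.M)


def max_prefix_policies(cfg):
    """Return {neighbor: policy} for every maximum-prefix line in an IOS config."""
    out = {}
    for nbr, limit, thr, restart, warn in MAXPFX.findall(cfg):
        out[nbr] = {
            "limit": int(limit),
            "threshold_pct": int(thr) if thr else IOS_DEFAULT_THRESHOLD,
            "restart_min": int(restart) if restart else None,  # None: no automatic restart
            "warning_only": bool(warn),
        }
    return out


def session_action(policy, received):
    """Model the router's reaction once `received` prefixes have arrived."""
    if received > policy["limit"]:
        return "log" if policy["warning_only"] else "reset"
    if received * 100 > policy["limit"] * policy["threshold_pct"]:
        return "warn"
    return "ok"


def audit_max_prefix(cfg, limit=1000, threshold_pct=75, restart_min=3):
    """List neighbors whose policy deviates from the D5 Task 1 requirements."""
    want = {"limit": limit, "threshold_pct": threshold_pct,
            "restart_min": restart_min, "warning_only": False}
    return [n for n, p in max_prefix_policies(cfg).items() if p != want]


def gtsm_min_ttl(cfg):
    """Return {neighbor: lowest TTL accepted} from 'ttl-security hops N' lines."""
    return {nbr: 255 - int(hops) for nbr, hops in GTSM.findall(cfg)}
```
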


D5 Task 2: VPN traffic control

On PE21 and PE23, make sure routers check for spoofing of source addresses. Should such activity be detected, spoofed traffic must be dropped, and a message must be logged identifying both the IP addressing information and the Layer 4 information, as in the following example:

denied tcp 16.16.14.1(5403) -> 21.200.0.1(23), 1 packet

Score: 2 points


D5 Task 2: PE21 and PE23 uRPF configuration

PE21#sh run int gi0/5 | i interf|verify

interface GigabitEthernet0/5

ip verify unicast source reachable-via rx 2699

[...]

PE21#sh ip access-lists 2699

Extended IP access list 2699

10 deny ip any any log
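An added example, not part of the original slides: a Python parser for the log messages produced by the uRPF drop ACL 2699, totalling dropped packets per source and listing the services that were targeted. The syslog lines are constructed for illustration (only the first message body comes from the task text); the `%SEC-6-IPACCESSLOGP` prefix, the timestamps and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines; the first carries the message from the task text.
SAMPLE_LOG = """\
Jan 21 22:51:02: %SEC-6-IPACCESSLOGP: list 2699 denied tcp 16.16.14.1(5403) -> 21.200.0.1(23), 1 packet
Jan 21 22:51:09: %SEC-6-IPACCESSLOGP: list 2699 denied udp 16.16.14.1(40000) -> 21.200.0.1(161), 4 packets
Jan 21 22:52:30: %SEC-6-IPACCESSLOGP: list 2699 denied tcp 16.16.14.9(5511) -> 21.200.0.1(179), 2 packets
Jan 21 22:53:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to up
Jan 21 22:54:10: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(1025) -> 21.200.0.1(22), 1 packet
"""

# Matches the "denied <proto> src(port) -> dst(port), N packet(s)" body.
DENY = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[0-9.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[0-9.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def parse_urpf_drops(log_text, acl="2699"):
    """Return one record per 'denied' message logged by the uRPF ACL."""
    drops = []
    for line in log_text.splitlines():
        m = DENY.search(line)
        if m and m["acl"] == acl:       # ignore other ACLs and unrelated syslog
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            drops.append(rec)
    return drops


def packets_by_source(drops):
    """Total dropped packets per spoofed source address."""
    totals = Counter()
    for d in drops:
        totals[d["src"]] += d["count"]
    return dict(totals)


def targeted_services(drops):
    """Sorted unique (protocol, destination, port) tuples the spoofed traffic aimed at."""
    return sorted({(d["proto"], d["dst"], d["dport"]) for d in drops})
```
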


Questions & Answers


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• LABCCIE-3007: CCIE SP – Troubleshoot MPLS

• LABCCIE-3008: CCIE SP – DIAG module

• LABCCIE-3009: CCIE SP – Troubleshooting IGP

• LABCCIE-3010: CCIE SP – Multicast VPN

• LABCCIE-3011: CCIE SP – Fast Convergence

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• CCIE SP workbook on CLN

• https://learningnetworkstore.cisco.com/cisco-ccie-expert-training/level-for-service-provider-v4-1-lab-workbook-360-sp-04-wkb-core-020997

• CCIE SP study group

• https://learningnetwork.cisco.com/groups/ccie-sp-study-group


Become a Cisco Subject Matter Expert

• Do you consider yourself a Subject Matter Expert?

• Would you like to lend your expertise to the Cisco Certification Exam?

http://www.cisco.com/go/certsme


References


Preparation Materials

• Configuration Guide, Products, Technology

• Cisco Tools, Cisco Press, Whitepapers

• Cisco Learning Network (CLN)

• Design Zone, Cisco Forums

• Cisco Training Program

• External Resources

https://supportforums.cisco.com

http://docwiki.cisco.com

www.cisco.com/go/documentation

www.cisco.com/go/tools


Recommended Reading


Service Provider Cisco Education Offerings

Course: Deploying Cisco Service Provider Network Routing (SPROUTE) & Advanced (SPADVROUTE); Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE), Edge Network Services (SPEDGE)
Description: SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), route manipulations, and HA routing features; SPADVROUTE covers advanced routing topics in BGP, multicast services including PIM-SM, and IPv6; SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering, QoS mechanisms, and transport technologies; SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services; all within SP IP NGN environments.
Cisco Certification: CCNP Service Provider®

Course: Building Cisco Service Provider Next-Generation Networks, Part 1&2 (SPNGN1), (SPNGN2)
Description: The two courses introduce networking technologies and solutions, including OSI and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network management, and Cisco OS (IOS and IOS XR).
Cisco Certification: CCNA Service Provider®

Course: Implementing Cisco Service Provider Mobility UMTS Networks (SPUMTS); Implementing Cisco Service Provider Mobility CDMA Networks (SPCDMA); Implementing Cisco Service Provider Mobility LTE Networks (SPLTE)
Description: The three courses (SPUMTS, SPCDMA, SPLTE) cover knowledge and skills required to understand products, technologies, and architectures that are found in Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Access (CDMA) packet core networks, plus their migration to Long-Term Evolution (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and Radio Access Networks (RANs).
Cisco Certification: Cisco Service Provider Mobility CDMA to LTE Specialist; Cisco Service Provider Mobility UMTS to LTE Specialist

Course: Implementing and Maintaining Cisco Technologies Using IOS XR (IMTXR)
Description: Service Provider/Enterprise engineers to implement, verification-test, and optimize core/edge technologies in a Cisco IOS XR environment.
Cisco Certification: Cisco IOS XR Specialist

For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth
