Thursday, January 28, 2016

L3VPN task #3. CE-PE routing using ISIS and BGP.

Topology:



Use configuration from L3VPN task #2 as initial configuration for this task.

Requirements: 

1. Customer A.
         1.1 Remove static routing configuration from the previous task.
         1.2 Use ISIS as routing protocol on routers R6 & R7, and between Customer A and SP routers.
         1.3 Configure ISIS protocol to only create Level-2 databases.

2. Customer B.
         2.1 Remove OSPF routing configuration from the previous task.
         2.2 Use BGP as routing protocol between Customer B and SP routers. Both customer routers should use AS #48. Each router should advertise its /24 range into eBGP.
         2.3 Customer routers should see the BGP route towards the other site with the "correct" AS-PATH of "17 48 i".
         

Solution:


This task requires understanding of how ISIS and eBGP are used for CE-PE routing.

Requirement #1 - configure "is-type level-2-only" on routers R6, R7, R5 and R2 so that only Level-2 databases are created. Redistribute between ISIS and BGP on the PE routers, and make sure the redistribute command covers the correct ISIS level (the VRF instances here are Level-2 only, so "level-1-2" or "level-2" both pick up the customer routes).

Requirement #2 - The challenge in this task is that routers R4 and R8 are using the same AS number, so each CE would normally drop the other site's prefix as an AS-PATH loop. In order to keep the AS-PATH as required, configure "allowas-in" on the eBGP session towards the PE router. Note that this relaxes the only loop protection on that session, so keep the count as low as possible and filter the prefixes accepted from the PE.
Note that IOS-XR has an additional loop prevention feature which does not exist in IOS: router R3 will not advertise the prefix 10.10.4.0/24 to R8 unless "as-path-loopcheck" is disabled in the VRF configuration.
Also note that IOS-XR requires an explicit inbound and outbound route-policy for eBGP peers; otherwise no prefixes will be advertised to or accepted from the neighbor.
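To make the two loop checks above concrete, here is a small model (an added example, not configuration or code from the original post) of what R2, R3, R4 and R8 do with the AS_PATH of 10.10.4.0/24. It encodes only the rules the post relies on: a receiver drops an eBGP route whose AS_PATH already contains its own AS unless allowas-in permits up to N occurrences, and an IOS-XR PE with as-path-loopcheck enabled does not send a route to a peer whose AS is already in the path. The VPNv4 hop between R2 and R3 is modeled as carrying the path unchanged.

```python
"""Model of the two AS-path loop checks hit when both CE sites use AS 48:
the receiver's standard check (relaxed by 'allowas-in N') and IOS-XR's
outbound 'as-path-loopcheck'.  Added example, not from the post; the AS
numbers and the R4 -> R2 -> R3 -> R8 path are the post's."""
from typing import List, Optional


def accept_inbound(local_as: int, as_path: List[int], allowas_in: int = 0) -> bool:
    """RFC 4271 loop detection: an eBGP UPDATE whose AS_PATH already contains
    the receiver's own AS is dropped.  Cisco's 'allowas-in N' relaxes this to
    'drop only if my AS appears more than N times'."""
    return as_path.count(local_as) <= allowas_in


def advertise_ebgp(local_as: int, peer_as: int, as_path: List[int],
                   outbound_loopcheck: bool = True) -> Optional[List[int]]:
    """What a router sends over an eBGP session: its own AS is prepended.
    With IOS-XR's outbound as-path-loopcheck enabled, a route whose path
    already contains the peer's AS is not sent at all (the PE predicts the
    peer would reject it).  IOS has no such outbound check."""
    if outbound_loopcheck and peer_as in as_path:
        return None
    return [local_as] + as_path


def cust_b_path(allowas_in_on_ce: int, xr_outbound_loopcheck: bool) -> Optional[List[int]]:
    """End-to-end walk of 10.10.4.0/24 from R4 (AS 48) to R8 (AS 48):
    R4 -> R2 (IOS PE, AS 17) -> VPNv4 -> R3 (XR PE, AS 17) -> R8.
    Returns the AS_PATH R8 installs, or None if the prefix never gets there."""
    path_at_r2 = advertise_ebgp(48, 17, [])            # R4 originates: AS_PATH [48]
    assert accept_inbound(17, path_at_r2)              # R2 (AS 17) sees no loop
    path_at_r3 = path_at_r2                            # iBGP/VPNv4 keeps the path as-is
    sent_to_r8 = advertise_ebgp(17, 48, path_at_r3,
                                outbound_loopcheck=xr_outbound_loopcheck)
    if sent_to_r8 is None:
        return None                                    # R3 suppressed it
    if not accept_inbound(48, sent_to_r8, allowas_in=allowas_in_on_ce):
        return None                                    # R8 dropped it as a loop
    return sent_to_r8


def format_path(path: List[int]) -> str:
    """Render the way 'show bgp' prints it, with origin IGP."""
    return " ".join(str(asn) for asn in path) + " i"


if __name__ == "__main__":
    for allow, xr_check in ((0, True), (2, True), (2, False)):
        got = cust_b_path(allow, xr_check)
        print(f"allowas-in {allow}, XR loopcheck {'on' if xr_check else 'off'}: "
              f"{format_path(got) if got else 'not installed'}")
```

Running it shows that with the defaults the prefix never reaches R8, that allowas-in on the CE alone is not enough while R3's outbound check is on, and that with both knobs R8 installs "17 48 i" as required. Because allowas-in removes the only loop protection on that session, allowas-in 1 is already sufficient here (the local AS appears once), and outside a lab the CE should accept only the remote site's prefixes from the PE instead of the route-policy ANY used above.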


R2:


!
interface Ethernet1/1
 vrf forwarding CUST_A
 ip address 17.0.27.2 255.255.255.0
 ip router isis CUST_A
!
router isis CUST_A
 vrf CUST_A
 net 49.0007.0000.0000.0002.00
 is-type level-2-only
 redistribute bgp 17
!
router bgp 17
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 17.0.1.1 remote-as 17
 neighbor 17.0.1.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 17.0.1.1 activate
  neighbor 17.0.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CUST_A
  redistribute connected
  redistribute isis CUST_A level-1-2
 exit-address-family
 !
 address-family ipv4 vrf CUST_B
  redistribute connected
  neighbor 17.0.24.4 remote-as 48
  neighbor 17.0.24.4 activate
 exit-address-family
!


R3:


router bgp 17
 address-family vpnv4 unicast
 !
 neighbor 17.0.1.1
  remote-as 17
  update-source Loopback0
  address-family vpnv4 unicast
  !
 !
 vrf CUST_B
  rd 48:1
  address-family ipv4 unicast
   as-path-loopcheck out disable
   redistribute connected
  !
  neighbor 17.0.38.8
   remote-as 48
   address-family ipv4 unicast
    route-policy ANY in
    route-policy ANY out
   !
  !
 !
!

R4:


router bgp 48
 address-family ipv4 unicast
  network 10.10.4.0/24
 !
 neighbor 17.0.24.2
  remote-as 17
  address-family ipv4 unicast
   route-policy ANY in
   allowas-in 2
   route-policy ANY out
  !
 !
!


R5:


!
interface Ethernet1/0
 vrf forwarding CUST_A
 ip address 17.0.56.5 255.255.255.0
 ip router isis CUST_A
!
!
router isis CUST_A
 vrf CUST_A
 net 49.0006.0000.0000.0005.00
 is-type level-2-only
 redistribute bgp 17
!
router bgp 17
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 17.0.1.1 remote-as 17
 neighbor 17.0.1.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 17.0.1.1 activate
  neighbor 17.0.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CUST_A
  redistribute connected
  redistribute isis CUST_A level-1-2
 exit-address-family
!

R6:


!
interface Loopback0
 ip address 192.168.6.6 255.255.255.255
 ip router isis CCIE
!
interface Ethernet0/0
 ip address 17.0.56.6 255.255.255.0
 ip router isis CCIE
!
router isis CCIE
 net 49.0006.0000.0000.0006.00
 is-type level-2-only
!

R7:


!
interface Loopback0
 ip address 192.168.7.7 255.255.255.255
 ip router isis CCIE
!
interface Ethernet0/0
 ip address 17.0.27.7 255.255.255.0
 ip router isis CCIE
!
router isis CCIE
 net 49.0007.0000.0000.0007.00
 is-type level-2-only


R8:

!
router bgp 48
 bgp log-neighbor-changes
 network 10.10.8.0 mask 255.255.255.0
 neighbor 17.0.38.3 remote-as 17
 neighbor 17.0.38.3 allowas-in 2
!


Verification:

Customer B: 

RP/0/0/CPU0:R4#sho bgp
Wed Jan  6 22:03:31.296 UTC
BGP router identifier 10.10.4.4, local AS number 48
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0xe0000000   RD version: 26
BGP main routing table version 26
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*> 10.10.4.0/24       0.0.0.0                  0         32768 i
*> 10.10.8.0/24       17.0.24.2                              0 17 48 i
*> 17.0.24.0/24       17.0.24.2                0             0 17 ?
*> 17.0.38.0/24       17.0.24.2                              0 17 ?

Processed 4 prefixes, 4 paths

RP/0/0/CPU0:R4#sh route
Wed Jan  6 22:03:32.876 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR
       A - access/subscriber, a - Application route, (!) - FRR Backup path

Gateway of last resort is not set

S    10.10.4.0/24 is directly connected, 16:56:46, Null0
L    10.10.4.4/32 is directly connected, 1d19h, Loopback0
B    10.10.8.0/24 [20/0] via 17.0.24.2, 16:46:35
C    17.0.24.0/24 is directly connected, 1d19h, GigabitEthernet0/0/0/0
L    17.0.24.4/32 is directly connected, 1d19h, GigabitEthernet0/0/0/0
B    17.0.38.0/24 [20/0] via 17.0.24.2, 16:46:35


RP/0/0/CPU0:R4#traceroute 10.10.8.8 source 10.10.4.4
Wed Jan  6 22:03:52.455 UTC

Type escape sequence to abort.
Tracing the route to 10.10.8.8

 1  17.0.24.2 0 msec  0 msec  0 msec
 2  17.0.13.3 [MPLS: Label 16007 Exp 0] 0 msec  0 msec  0 msec
 3  17.0.38.8 0 msec  0 msec  0 msec

R8#show bgp
BGP table version is 15, local router ID is 10.10.8.8
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.4.0/24     17.0.38.3                              0 17 48 i
 *>  10.10.8.0/24     0.0.0.0                  0         32768 i
 *>  17.0.24.0/24     17.0.38.3                              0 17 ?
 r>  17.0.38.0/24     17.0.38.3                0             0 17 ?

Customer A: 

R7#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      17.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        17.0.27.0/24 is directly connected, Ethernet0/0
L        17.0.27.7/32 is directly connected, Ethernet0/0
i L2     17.0.56.0/24 [115/10] via 17.0.27.2, 19:40:41, Ethernet0/0
      192.168.6.0/32 is subnetted, 1 subnets
i L2     192.168.6.6 [115/10] via 17.0.27.2, 19:33:51, Ethernet0/0
      192.168.7.0/32 is subnetted, 1 subnets
C        192.168.7.7 is directly connected, Loopback0
R7#traceroute 192.168.6.6 source lo0
Type escape sequence to abort.
Tracing the route to 192.168.6.6
VRF info: (vrf in name/id, vrf out name/id)
  1 17.0.27.2 5 msec 4 msec 5 msec
  2 17.0.56.5 [MPLS: Label 22 Exp 0] 4 msec 5 msec 5 msec
  3 17.0.56.6 5 msec 5 msec 5 msec

R7#show isis database

Tag CCIE:
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R2.00-00              0x00000060   0xBF2F        1167              0/0/0
R2.01-00              0x0000005B   0xEF89        1139              0/0/0
R7.00-00            * 0x00000065   0x1EC5        884               0/0/0


R6#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      17.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
i L2     17.0.27.0/24 [115/10] via 17.0.56.5, 19:40:58, Ethernet0/0
C        17.0.56.0/24 is directly connected, Ethernet0/0
L        17.0.56.6/32 is directly connected, Ethernet0/0
      192.168.6.0/32 is subnetted, 1 subnets
C        192.168.6.6 is directly connected, Loopback0
      192.168.7.0/32 is subnetted, 1 subnets
i L2     192.168.7.7 [115/10] via 17.0.56.5, 19:40:58, Ethernet0/0


Tuesday, January 26, 2016

L3VPN task #2. CE-PE routing using OSPF - part 2.

Topology:



Use configuration from L3VPN task #1 as initial configuration for this task.

Requirements: 

1. Change the configuration so the SP network structure won't be visible to customer users when running the traceroute command from one site to another.
2. Add a link between routers R4 and R8. Include this link in OSPF area 0.
3. Configure the network so traffic between routers R4 and R8 uses the SP cloud when available, and the direct R4-R8 link as backup only.

Solution:


This task requires understanding of the following technologies and features: 
MPLS TTL propagation
OSPF Sham links

Requirement #1 - disable MPLS TTL propagation on the SP routers to "hide" the SP network topology. Note that this is cosmetic: it keeps P hops out of the customer's traceroute, it does not stop the customer from seeing that the path is label-switched (the label stack still shows on hops that do answer).
Requirement #2 & 3 - a sham link is required in order to prefer the L3VPN path over the backdoor link between the sites. Note that you also need to increase the cost of the backdoor link to make it the less preferred path.

R1 & R5: 


!
no mpls ip propagate-ttl
!


R2: 



!
no mpls ip propagate-ttl
!
interface Loopback1
 vrf forwarding CUST_B
 ip address 17.0.2.4 255.255.255.255
!
router ospf 1 vrf CUST_B
 router-id 2.2.2.2
 domain-id type 0005 value 000000000001
 area 0 sham-link 17.0.2.4 17.0.3.8
 redistribute bgp 17 subnets
!

R3:


interface Loopback1
 vrf CUST_B
 ipv4 address 17.0.3.8 255.255.255.255
!
router ospf CUST_B
 vrf CUST_B
  router-id 3.3.3.3
  domain-id type 0005 value 000000000001
  redistribute bgp 17
  area 0
   sham-link 17.0.3.8 17.0.2.4
    cost 1
   !
   interface GigabitEthernet0/0/0/1
   !
  !
 !
!
mpls ip-ttl-propagate disable
!

R4:

!
interface GigabitEthernet0/0/0/1
 bandwidth 1000
 ipv4 address 10.10.48.4 255.255.255.0
!
router ospf 1
 router-id 10.10.4.4
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0
  !
  interface GigabitEthernet0/0/0/1
  !
 !
!

R8: 

!
interface Ethernet0/1
 bandwidth 1000
 ip address 10.10.48.8 255.255.255.0
 ip ospf 1 area 0
!


Verification:

TTL propagation disable: 

Before: 

R8#traceroute 10.10.4.4 source lo0
Type escape sequence to abort.
Tracing the route to 10.10.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 17.0.38.3 1 msec 1 msec 1 msec
  2 17.0.13.1 [MPLS: Labels 16/25 Exp 0] 3 msec 3 msec 3 msec
  3 17.0.24.2 [MPLS: Label 25 Exp 0] 2 msec 1 msec 1 msec
  4 17.0.24.4 3 msec *  2 msec

After: 

R8#traceroute 10.10.4.4 source lo0 numeric
Type escape sequence to abort.
Tracing the route to 10.10.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 17.0.38.3 7 msec 1 msec 1 msec
  2 17.0.13.1 [MPLS: Labels 16/25 Exp 0] 3 msec 3 msec 2 msec
  3 17.0.24.4 2 msec *  2 msec


Backdoor link R4-R8: 

R8#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.10.4.4/32 [110/22] via 17.0.38.3, 11:25:37, Ethernet0/0
C        10.10.8.8/32 is directly connected, Loopback0
C        10.10.48.0/24 is directly connected, Ethernet0/1
L        10.10.48.8/32 is directly connected, Ethernet0/1
      17.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O E2     17.0.2.4/32 [110/1] via 17.0.38.3, 11:36:30, Ethernet0/0
O E2     17.0.3.8/32 [110/1] via 17.0.38.3, 11:32:26, Ethernet0/0
O        17.0.24.0/24 [110/21] via 17.0.38.3, 11:25:37, Ethernet0/0
C        17.0.38.0/24 is directly connected, Ethernet0/0
L        17.0.38.8/32 is directly connected, Ethernet0/0


RP/0/0/CPU0:R4#show route
Tue Jan  5 20:08:27.798 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR
       A - access/subscriber, a - Application route, (!) - FRR Backup path

Gateway of last resort is not set

L    10.10.4.4/32 is directly connected, 17:42:48, Loopback0
O    10.10.8.8/32 [110/13] via 17.0.24.2, 11:26:24, GigabitEthernet0/0/0/0
C    10.10.48.0/24 is directly connected, 11:41:55, GigabitEthernet0/0/0/1
L    10.10.48.4/32 is directly connected, 11:41:55, GigabitEthernet0/0/0/1
O E2 17.0.2.4/32 [110/1] via 17.0.24.2, 11:32:57, GigabitEthernet0/0/0/0
O E2 17.0.3.8/32 [110/1] via 17.0.24.2, 11:34:18, GigabitEthernet0/0/0/0
C    17.0.24.0/24 is directly connected, 17:42:48, GigabitEthernet0/0/0/0
L    17.0.24.4/32 is directly connected, 17:42:48, GigabitEthernet0/0/0/0
O    17.0.38.0/24 [110/12] via 17.0.24.2, 11:27:31, GigabitEthernet0/0/0/0


R2#show ip ospf sham-links
Sham Link OSPF_SL0 to address 17.0.3.8 is up
Area 0 source address 17.0.2.4
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:04
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -           -        17.0.3.8        OSPF_SL0
10.10.4.4         1   FULL/DR         00:00:36    17.0.24.4       Ethernet1/0


RP/0/0/CPU0:R3#show ospf vrf CUST_B neighbor
Tue Jan  5 20:10:22.499 UTC

* Indicates MADJ interface

Neighbors for OSPF CUST_B, VRF CUST_B

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2         1     FULL/  -           -        17.0.2.4        OSPF_SL0
    Neighbor is up for 11:34:53
10.10.8.8       1     FULL/BDR        00:00:32    17.0.38.8       GigabitEthernet0/0/0/1
    Neighbor is up for 17:23:05

RP/0/0/CPU0:R3#show ospf vrf CUST_B sham-links
Tue Jan  5 20:10:32.229 UTC

Sham Links for OSPF CUST_B, VRF CUST_B

Sham Link OSPF_SL0 to address 17.0.2.4 is up
Area 0, source address 17.0.3.8
IfIndex = 2
  Run as demand circuit
  DoNotAge LSA allowed., Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
    Adjacency State FULL (Hello suppressed)
    Number of DBD retrans during last exchange 0
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0(0)/0(0) Next 0(0)/0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

Sunday, January 24, 2016

L3VPN task #1. CE-PE routing using static routing and OSPF.

Topology:



Routers R3 and R4 are IOS-XR routers, the rest are IOS routers.
Service Provider routers are R1, R2, R3 & R5.
Customer A routers are R6 and R7.
Customer B routers are R4 and R8.
Links between PE and CE routers are numbered from the SP address space.
Example: link R2-R4 is allocated prefix 17.0.24.0/24.
Configure loopback0 interfaces and links between all routers for initial configuration.

Requirements: 


1. Configure ISIS as SP IGP. 
2. Minimize the number of iBGP sessions in SP network. 
3. In iBGP, only exchange address-families required for this task. 
4. Provide connectivity between the routers of Customer A - R6 and R7. Do not use any dynamic routing protocols. Customer A routers do not have any other links except those depicted in this topology.
5. Provide connectivity between the routers of Customer B - R4 and R8. Customer B uses OSPF as IGP, with all interfaces configured in area 0. Customer B routers should see each other's prefixes as OSPF IA routes.

Solution:


This task requires understanding of the following technologies:
ISIS
OSPF
MP-BGP
MPLS L3VPN

Requirement #2 - configure R1 as route-reflector to minimize the number of iBGP sessions in the SP network.
Requirement #3 - disable the ipv4 address family in SP BGP ("no bgp default ipv4-unicast"); only the vpnv4 address family is required for this task.
Requirement #4 - configure static default routes on the Customer A routers. On the PE routers, redistribute static and connected.

Requirement #5 - configure OSPF on the PE-CE links. In order for routes to appear as OSPF IA, the OSPF domain-id should match between the PE routers R2 and R3. In this solution, the domain-id from IOS-XR R3 was manually configured on the IOS R2 router.
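Because the separation between Customer A and Customer B rests entirely on the route-target values in the VRF definitions below, here is a small model (an added example, not part of the original post) of how the three PEs' VRF tables are populated from the VPNv4 routes reflected by R1. It uses the post's RDs, RTs, PE loopbacks and customer prefixes; the route reflector is modeled as a plain union of everything the PEs export. The last function shows the failure mode worth checking for in any VRF review: one extra import RT on R3's CUST_B pulls Customer A's prefixes into Customer B's routing table, with no error logged anywhere.

```python
"""Model of MPLS L3VPN route-target import/export: which VRF a VPNv4
prefix lands in.  Added example, not part of the original post; the RDs,
RTs, loopbacks and prefixes are the ones the post configures for CUST_A
(67:1) and CUST_B (48:1)."""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    local_prefixes: set = field(default_factory=set)


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    next_hop: str          # the advertising PE's loopback
    rts: frozenset


def export_vpnv4(pe_loopback: str, vrfs: list) -> set:
    """Each PE prepends its VRF's RD to every local prefix and tags the
    route with the VRF's export RTs ('route-target export')."""
    table = set()
    for vrf in vrfs:
        for prefix in vrf.local_prefixes:
            table.add(VpnRoute(vrf.rd, prefix, pe_loopback, frozenset(vrf.export_rt)))
    return table


def import_vpnv4(vpnv4_table: set, vrf: Vrf, local_pe: str) -> set:
    """A receiving PE installs a VPNv4 route into a VRF only if at least one
    RT on the route matches the VRF's import list.  The RD plays no part in
    this decision; it only keeps overlapping customer prefixes distinct."""
    installed = set()
    for route in vpnv4_table:
        if route.next_hop == local_pe:
            continue                      # own routes are already local
        if route.rts & vrf.import_rt:
            installed.add((route.prefix, route.next_hop))
    return installed


def build_network():
    """PE layout from the post: R2 holds both VRFs, R3 only CUST_B, R5 only CUST_A."""
    r2 = [Vrf("CUST_A", "67:1", {"67:1"}, {"67:1"}, {"17.0.27.0/24", "192.168.7.0/24"}),
          Vrf("CUST_B", "48:1", {"48:1"}, {"48:1"}, {"17.0.24.0/24", "10.10.4.4/32"})]
    r3 = [Vrf("CUST_B", "48:1", {"48:1"}, {"48:1"}, {"17.0.38.0/24", "10.10.8.8/32"})]
    r5 = [Vrf("CUST_A", "67:1", {"67:1"}, {"67:1"}, {"17.0.56.0/24", "192.168.6.0/24"})]
    pes = {"17.0.2.2": r2, "17.0.3.3": r3, "17.0.5.5": r5}
    reflected = set()                     # route reflector R1: union of all exports
    for loopback, vrfs in pes.items():
        reflected |= export_vpnv4(loopback, vrfs)
    return pes, reflected


def vrf_routes(pe_loopback: str, vrf_name: str) -> set:
    """(prefix, next_hop) pairs a given PE installs into a given VRF."""
    pes, reflected = build_network()
    vrf = next(v for v in pes[pe_loopback] if v.name == vrf_name)
    return import_vpnv4(reflected, vrf, pe_loopback)


def leaked_by_misconfig() -> set:
    """Failure mode: CUST_B on R3 mistakenly also imports 67:1.  Returns the
    Customer A (192.168.x) prefixes that now appear in Customer B's VRF."""
    pes, reflected = build_network()
    bad = pes["17.0.3.3"][0]
    bad.import_rt = {"48:1", "67:1"}      # the one-line typo
    return {r for r in import_vpnv4(reflected, bad, "17.0.3.3")
            if r[0].startswith("192.168")}


if __name__ == "__main__":
    for pe, vrf in (("17.0.2.2", "CUST_A"), ("17.0.2.2", "CUST_B"), ("17.0.3.3", "CUST_B")):
        print(pe, vrf, sorted(vrf_routes(pe, vrf)))
    print("leaked into CUST_B on R3:", sorted(leaked_by_misconfig()))
```

For R3's CUST_B the model yields exactly the two remote entries in the "show bgp all all" verification on this page (10.10.4.4/32 and 17.0.24.0/24 via 17.0.2.2), and nothing from 67:1. The leak check is the one to automate: diff each VRF's import RT list against the RTs that VRF is supposed to receive before every change.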

R1:


!
interface Loopback0
 ip address 17.0.1.1 255.255.255.255
 ip router isis CCIE
!
interface Ethernet0/0
 ip address 17.0.12.1 255.255.255.0
 ip router isis CCIE
!
interface Ethernet0/1
 ip address 17.0.13.1 255.255.255.0
 ip router isis CCIE
!
interface Ethernet0/2
 ip address 17.0.15.1 255.255.255.0
 ip router isis CCIE
!
!
router isis CCIE
 mpls ldp autoconfig
 net 49.0017.0000.0000.0001.00
 is-type level-2-only
!
router bgp 17
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor CLIENTS peer-group
 neighbor CLIENTS remote-as 17
 neighbor CLIENTS update-source Loopback0
 neighbor 17.0.2.2 peer-group CLIENTS
 neighbor 17.0.3.3 peer-group CLIENTS
 neighbor 17.0.5.5 peer-group CLIENTS
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor CLIENTS send-community both
  neighbor CLIENTS route-reflector-client
  neighbor 17.0.2.2 activate
  neighbor 17.0.3.3 activate
  neighbor 17.0.5.5 activate
 exit-address-family
!

R2:


!
vrf definition CUST_A
 rd 67:1
 route-target export 67:1
 route-target import 67:1
 !
 address-family ipv4
 exit-address-family
!
vrf definition CUST_B
 rd 48:1
 route-target export 48:1
 route-target import 48:1
 !
 address-family ipv4
 exit-address-family
!
!
interface Loopback0
 ip address 17.0.2.2 255.255.255.255
 ip router isis CCIE
!
interface Ethernet0/0
 ip address 17.0.12.2 255.255.255.0
 ip router isis CCIE
!
!
interface Ethernet1/0
 vrf forwarding CUST_B
 ip address 17.0.24.2 255.255.255.0
 ip ospf 1 area 0
!
interface Ethernet1/1
 vrf forwarding CUST_A
 ip address 17.0.27.2 255.255.255.0
!
!
router ospf 1 vrf CUST_B
 router-id 2.2.2.2
 domain-id type 0005 value 000000000001
 redistribute bgp 17 subnets
!
router isis CCIE
 mpls ldp autoconfig
 net 49.0017.0000.0000.0002.00
 is-type level-2-only
!
router bgp 17
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 17.0.1.1 remote-as 17
 neighbor 17.0.1.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 17.0.1.1 activate
  neighbor 17.0.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CUST_A
  redistribute connected
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf CUST_B
  redistribute connected
  redistribute ospf 1
 exit-address-family
!
ip route vrf CUST_A 192.168.7.0 255.255.255.0 17.0.27.7
!

R3:


vrf CUST_B
 address-family ipv4 unicast
  import route-target
   48:1
  !
  export route-target
   48:1
  !
 !
!
!
interface Loopback0
 ipv4 address 17.0.3.3 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 17.0.13.3 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 vrf CUST_B
 ipv4 address 17.0.38.3 255.255.255.0
!
router isis CCIE
 is-type level-2-only
 net 49.0017.0000.0000.0003.00
 interface Loopback0
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  address-family ipv4 unicast
  !
 !
!
router ospf CUST_B
 vrf CUST_B
  router-id 3.3.3.3
  domain-id type 0005 value 000000000001
  redistribute bgp 17
  area 0
   interface GigabitEthernet0/0/0/1
   !
  !
 !
!
router bgp 17
 address-family vpnv4 unicast
 !
 neighbor 17.0.1.1
  remote-as 17
  update-source Loopback0
  address-family vpnv4 unicast
  !
 !
 vrf CUST_B
  rd 48:1
  address-family ipv4 unicast
   redistribute ospf CUST_B
  !
 !
!
!
mpls ldp
 interface GigabitEthernet0/0/0/0
 !
!

R4:

!
interface Loopback0
 ipv4 address 10.10.4.4 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 17.0.24.4 255.255.255.0
!
router ospf 1
 router-id 10.10.4.4
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0
  !
 !
!

R5:


!
vrf definition CUST_A
 rd 67:1
 route-target export 67:1
 route-target import 67:1
 !
 address-family ipv4
 exit-address-family
!
!
interface Loopback0
 ip address 17.0.5.5 255.255.255.255
 ip router isis CCIE
!
interface Ethernet0/0
 ip address 17.0.15.5 255.255.255.0
 ip router isis CCIE
!
!
interface Ethernet1/0
 vrf forwarding CUST_A
 ip address 17.0.56.5 255.255.255.0
!
!
router isis CCIE
 mpls ldp autoconfig
 net 49.0017.0000.0000.0005.00
 is-type level-2-only
!
router bgp 17
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 17.0.1.1 remote-as 17
 neighbor 17.0.1.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 17.0.1.1 activate
  neighbor 17.0.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CUST_A
  redistribute connected
  redistribute static
 exit-address-family
!
ip route vrf CUST_A 192.168.6.0 255.255.255.0 17.0.56.6
!

R6:

!
interface Loopback0
 ip address 192.168.6.6 255.255.255.255
!
interface Ethernet0/0
 ip address 17.0.56.6 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 17.0.56.5
!

R7:

!
interface Loopback0
 ip address 192.168.7.7 255.255.255.255
!
interface Ethernet0/0
 ip address 17.0.27.7 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 17.0.27.2
!


R8:


!
interface Loopback0
 ip address 10.10.8.8 255.255.255.255
 ip ospf 1 area 0
!
interface Ethernet0/0
 ip address 17.0.38.8 255.255.255.0
 ip ospf 1 area 0
!
router ospf 1
 router-id 10.10.8.8
!



Verification:



R1#show bgp all
For address family: IPv4 Unicast


For address family: VPNv4 Unicast

BGP table version is 19, local router ID is 17.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 48:1
 *>i 10.10.4.4/32     17.0.2.2                11    100      0 ?
 *>i 10.10.8.8/32     17.0.3.3                 2    100      0 ?
 *>i 17.0.24.0/24     17.0.2.2                 0    100      0 ?
 *>i 17.0.38.0/24     17.0.3.3                 0    100      0 ?
Route Distinguisher: 67:1
 *>i 17.0.27.0/24     17.0.2.2                 0    100      0 ?
 *>i 17.0.56.0/24     17.0.5.5                 0    100      0 ?
 *>i 192.168.6.0      17.0.5.5                 0    100      0 ?
 *>i 192.168.7.0      17.0.2.2                 0    100      0 ?
     Network          Next Hop            Metric LocPrf Weight Path

For address family: IPv4 Multicast

R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      17.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
C        17.0.1.1/32 is directly connected, Loopback0
i L2     17.0.2.2/32 [115/20] via 17.0.12.2, 10:12:16, Ethernet0/0
i L2     17.0.3.3/32 [115/20] via 17.0.13.3, 10:09:16, Ethernet0/1
i L2     17.0.5.5/32 [115/20] via 17.0.15.5, 10:12:06, Ethernet0/2
C        17.0.12.0/24 is directly connected, Ethernet0/0
L        17.0.12.1/32 is directly connected, Ethernet0/0
C        17.0.13.0/24 is directly connected, Ethernet0/1
L        17.0.13.1/32 is directly connected, Ethernet0/1
C        17.0.15.0/24 is directly connected, Ethernet0/2
L        17.0.15.1/32 is directly connected, Ethernet0/2


R2# show bgp all
For address family: IPv4 Unicast


For address family: VPNv4 Unicast

BGP table version is 25, local router ID is 17.0.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 48:1 (default for vrf CUST_B)
 *>  10.10.4.4/32     17.0.24.4               11         32768 ?
 *>i 10.10.8.8/32     17.0.3.3                 2    100      0 ?
 *>  17.0.24.0/24     0.0.0.0                  0         32768 ?
 *>i 17.0.38.0/24     17.0.3.3                 0    100      0 ?
Route Distinguisher: 67:1 (default for vrf CUST_A)
 *>  17.0.27.0/24     0.0.0.0                  0         32768 ?
 *>i 17.0.56.0/24     17.0.5.5                 0    100      0 ?
 *>i 192.168.6.0      17.0.5.5                 0    100      0 ?
 *>  192.168.7.0      17.0.27.7                0         32768 ?
     Network          Next Hop            Metric LocPrf Weight Path

For address family: IPv4 Multicast

RP/0/0/CPU0:R3#show bgp all all
Tue Jan  5 08:01:07.307 UTC

Address Family: VPNv4 Unicast
-----------------------------

BGP router identifier 17.0.3.3, local AS number 17
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0   RD version: 0
BGP main routing table version 20
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 48:1 (default for vrf CUST_B)
*>i10.10.4.4/32       17.0.2.2                11    100      0 ?
*> 10.10.8.8/32       17.0.38.8                2         32768 ?
*>i17.0.24.0/24       17.0.2.2                 0    100      0 ?
*> 17.0.38.0/24       0.0.0.0                  0         32768 ?

Processed 4 prefixes, 4 paths


RP/0/0/CPU0:R4#show route ipv4
Tue Jan  5 08:01:36.885 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR
       A - access/subscriber, a - Application route, (!) - FRR Backup path

Gateway of last resort is not set

L    10.10.4.4/32 is directly connected, 05:35:58, Loopback0
O IA 10.10.8.8/32 [110/3] via 17.0.24.2, 05:14:04, GigabitEthernet0/0/0/0
C    17.0.24.0/24 is directly connected, 05:35:58, GigabitEthernet0/0/0/0
L    17.0.24.4/32 is directly connected, 05:35:58, GigabitEthernet0/0/0/0
O IA 17.0.38.0/24 [110/2] via 17.0.24.2, 05:14:04, GigabitEthernet0/0/0/0

R8# sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 2 subnets
O IA     10.10.4.4 [110/21] via 17.0.38.3, 05:15:04, Ethernet0/0
C        10.10.8.8 is directly connected, Loopback0
      17.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O IA     17.0.24.0/24 [110/11] via 17.0.38.3, 05:15:06, Ethernet0/0
C        17.0.38.0/24 is directly connected, Ethernet0/0
L        17.0.38.8/32 is directly connected, Ethernet0/0


R8#traceroute 10.10.4.4 source 10.10.8.8 numeric
Type escape sequence to abort.
Tracing the route to 10.10.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 17.0.38.3 1 msec 0 msec 0 msec
  2 17.0.13.1 [MPLS: Labels 16/25 Exp 0] 2 msec 2 msec 2 msec
  3 17.0.24.2 [MPLS: Label 25 Exp 0] 2 msec 1 msec 1 msec
  4 17.0.24.4 3 msec *  3 msec


R6#traceroute 192.168.7.7 source 192.168.6.6 numeric
Type escape sequence to abort.
Tracing the route to 192.168.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 17.0.56.5 5 msec 6 msec 4 msec
  2 17.0.15.1 [MPLS: Labels 16/22 Exp 0] 6 msec 5 msec 7 msec
  3 17.0.27.2 [MPLS: Label 22 Exp 0] 5 msec 5 msec 5 msec
  4 17.0.27.7 5 msec 6 msec 6 msec



Thursday, January 21, 2016

MPLS task #3. Tuning and security.

Topology:

Use configuration from MPLS task #2 as initial configuration for this task.

Requirements: 

1. All routers shall retain the LDP bindings received from the neighbor peer in the event of an interface failure between the routers. 
2. Routers R1, R2, R6 and R3 shall include the Fault Tolerant (FT) TLV in the LDP Initialization message. 
3. Authenticate the LDP sessions between the routers. 
       3.1 Use password "WEAK" for sessions R1-R2, R1-R6, R4-R3, R4-R5. 
       3.2 Use password "STRONG" for all other sessions. 
       3.3 Use the minimal possible number of commands to configure the authentication. 

Solution:

Highlight the text below to reveal the solution.

This task requires understanding of MPLS LDP authentication configuration options, MPLS LDP graceful-restart and MPLS LDP session protection.

Requirement #1 - configure MPLS LDP session protection on all routers. 
Requirement #2 - configure routers R1, R2, R6 and R3 for MPLS LDP graceful-restart. Graceful restart is negotiated by including the Fault Tolerant (FT) Session TLV in the LDP Initialization message; a peer without the TLV simply does not get graceful restart on that session. 

Requirement #3 - configure authentication for LDP neighbors. To minimize the number of commands required, use the fallback password feature: the password shared by most of a router's sessions becomes the fallback, and only the neighbors that need a different password get an explicit "mpls ldp neighbor ... password" line, which takes precedence over the fallback. 


R1: 


!
mpls ldp password fallback WEAK
mpls ldp graceful-restart
mpls ldp session protection
!

R2:

!
mpls ldp password fallback STRONG
mpls ldp neighbor 16.0.1.1 password WEAK
mpls ldp explicit-null
mpls ldp graceful-restart
mpls ldp session protection
!

R3:

!
mpls ldp
 graceful-restart
 router-id 16.0.3.3
 neighbor
  password encrypted 13362320242223
  16.0.4.4:0 password encrypted 15252E2D2F
 !
 session protection
 address-family ipv4
  label
   local
    advertise
     explicit-null
    !
   !
  !
 !
 interface GigabitEthernet0/0/0/0
  address-family ipv4
  !
 !
 interface GigabitEthernet0/0/0/1
 !
 interface GigabitEthernet0/0/0/2
 !
!

R4:


!
mpls ldp
 router-id 16.0.4.4
 neighbor
  password encrypted 113E3C243C
 !
 session protection
 address-family ipv4
 !
!

R5:


!
mpls ldp password fallback STRONG
mpls ldp neighbor 16.0.4.4 password WEAK
mpls ldp session protection
!


R6:

!
mpls ldp password fallback STRONG
mpls ldp neighbor 16.0.1.1 password WEAK
mpls ldp graceful-restart
mpls ldp session protection
!

R7:

!
mpls ldp password fallback STRONG
mpls ldp session protection
!
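
The fallback-password reasoning from the solution above, as an added example that is not part of the original post: a small Python helper that derives the minimal IOS authentication lines per router (one fallback plus explicit neighbor overrides) and audits a set of configs for sessions whose two ends would not offer the same password. The session list is constructed from what the page shows, and the R5/R6 router IDs are assumed.

```python
from collections import Counter

# Constructed sample: LDP sessions visible on the page (R2's bound addresses show
# peers R1, R3, R5, R6) plus the four sessions the task marks WEAK. Router IDs for
# R5 and R6 (16.0.5.5, 16.0.6.6) are assumed, not taken from the page.
ROUTER_ID = {"R1": "16.0.1.1", "R2": "16.0.2.2", "R3": "16.0.3.3",
             "R4": "16.0.4.4", "R5": "16.0.5.5", "R6": "16.0.6.6"}
SESSIONS = {("R1", "R2"): "WEAK", ("R1", "R6"): "WEAK", ("R4", "R3"): "WEAK",
            ("R4", "R5"): "WEAK", ("R2", "R3"): "STRONG", ("R2", "R5"): "STRONG", ("R2", "R6"): "STRONG"}

def neighbor_passwords(router, sessions=SESSIONS):
    """Map each LDP peer of `router` to the password that session must use."""
    peers = {}
    for (a, b), password in sessions.items():
        if router in (a, b):
            peers[b if router == a else a] = password
    return peers

def minimal_ldp_auth(router, sessions=SESSIONS):
    """IOS lines: the password most sessions share becomes the fallback; only peers
    needing another one get an explicit neighbor line. Ties break alphabetically."""
    peers = neighbor_passwords(router, sessions)
    if not peers:
        return []
    counts = Counter(peers.values())
    fallback = min(counts, key=lambda pw: (-counts[pw], pw))
    lines = [f"mpls ldp password fallback {fallback}"]
    for peer in sorted(peers, key=ROUTER_ID.get):
        if peers[peer] != fallback:
            lines.append(f"mpls ldp neighbor {ROUTER_ID[peer]} password {peers[peer]}")
    return lines

def effective_password(config_lines, peer_id):
    """Password a router with these IOS lines offers to LDP peer `peer_id`:
    explicit neighbor line, else fallback, else None (session unauthenticated)."""
    fallback, explicit = None, {}
    for line in config_lines:
        w = line.split()
        if w[:4] == ["mpls", "ldp", "password", "fallback"]:
            fallback = w[4]
        elif w[:3] == ["mpls", "ldp", "neighbor"] and "password" in w:
            explicit[w[3]] = w[w.index("password") + 1]
    return explicit.get(peer_id, fallback)

def broken_sessions(configs, sessions=SESSIONS):
    """Sessions with no or differing MD5 passwords at the two ends (TCP never forms)."""
    return [(a, b) for a, b in sessions
            if effective_password(configs[a], ROUTER_ID[b]) is None
            or effective_password(configs[a], ROUTER_ID[b])
            != effective_password(configs[b], ROUTER_ID[a])]
```

For R2 the helper yields the same two lines as the config above (fallback STRONG plus an explicit WEAK line for 16.0.1.1), and the audit reports R1-R2 and R1-R6 as broken if R1's fallback is changed to STRONG.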

Verification:


R1#show mpls ldp neighbor 16.0.2.2 detail
    Peer LDP Ident: 16.0.2.2:0; Local LDP Ident 16.0.1.1:0
        TCP connection: 16.0.2.2.22140 - 16.0.1.1.646; MD5 on
        Password: not required, fallback, in use
        State: Oper; Msgs sent/rcvd: 54/54; Downstream; Last TIB rev sent 69
        Up time: 00:29:14; UID: 13; Peer Id 0;
        LDP discovery sources:
          Ethernet0/0; Src IP addr: 16.0.12.2
            holdtime: 15000 ms, hello interval: 5000 ms
          Targeted Hello 16.0.1.1 -> 16.0.2.2, active, passive;
            holdtime: infinite, hello interval: 10000 ms
        Addresses bound to peer LDP Ident:
          16.0.12.2       16.0.26.2       16.0.25.2       16.0.23.2
          16.0.2.2
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
        Clients: Dir Adj Client
        LDP Session Protection enabled, state: Ready
            duration: 86400 seconds
        Capabilities Sent:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
        Capabilities Received:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]


RP/0/0/CPU0:R3#show mpls ldp neighbor 16.0.2.2:0 detail
Mon Jan  4 15:17:56.091 UTC

Peer LDP Identifier: 16.0.2.2:0
  TCP connection: 16.0.2.2:646 - 16.0.3.3:26985; MD5 on
  Graceful Restart: Yes (Reconnect Timeout: 120 sec, Recovery: 0 sec)
  Session Holdtime: 180 sec
  State: Oper; Msgs sent/rcvd: 52/52; Downstream-Unsolicited
  Up time: 00:27:33
  LDP Discovery Sources:
      GigabitEthernet0/0/0/0
      Targeted Hello (16.0.3.3 -> 16.0.2.2, active)
  Addresses bound to this peer:
      16.0.2.2       16.0.12.2      16.0.23.2      16.0.25.2
      16.0.26.2
  Peer holdtime: 180 sec; KA interval: 60 sec; Peer state: Estab
  NSR: Disabled
  Clients: Session Protection
  Session Protection:
    Enabled, state: Ready
    Duration: 86400 sec
  Capabilities:
    Sent:
      0x508  (MP: Point-to-Multipoint (P2MP))
      0x509  (MP: Multipoint-to-Multipoint (MP2MP))
      0x50b  (Typed Wildcard FEC)
    Received:
      0x50b  (Typed Wildcard FEC)