CCIE Lab Workbook

Cisco Certified Internetwork Expert

Service Provider version 4

Luke Bibby, CCIEx2 #45527

Disclaimer

This workbook is intended to be used as a study tool for the Cisco Certified Internetwork Expert (CCIE) Service Provider (SP) exam. It is designed to cover as many topics as possible in a single lab, but with an emphasis on building up the topology from the ground up. Each lab will have a specific focus and I have tried to incorporate as many different variations in it as I can while still keeping it practical. Through repeated configuration of, for example, MPLS-TE Auto-tunnels, the configuration should become second nature and will save you time in the real exam.

The topology and requirements in the workbook were created by me and are not intended to reflect the actual CCIE SP lab exam; any similarities are accidental and purely coincidental.

This workbook is provided with absolutely no Service Level Agreements (SLAs). I will always try my best to release content on a regular basis, but this will be dependent on several factors including project workload, personal commitments, etc. Any help with typos or errata is greatly appreciated and can be sent directly to me at

This document is currently in DRAFT status.

More Information

The topology in this workbook was originally created with a mix of SDRs, ASR1000, and virtual routing platforms such as XRv and CSR1000v. I have recreated it entirely to work in Virtual Internet Routing Lab (VIRL) or Unified Networking Lab (UNL) using a mix of IOS on Linux (IOL), CSR1000v, and XRv instances.

UNL:

VIRL:

Some features do not work well or at all in a virtual platform so I have adapted the workbook where required by purposely using one platform over another at certain “choke points” or by steering traffic away from certain routers.

Accompanying Files

Please download any Initial configuration archives required for the lab

Table of Contents

Disclaimer

More Information

Accompanying Files

Table of Contents

Lab 1 – Inter-Autonomous System Virtual Private Network

Lab 1 Topology

Lab 1 Interface Addressing

Internal Addressing

AS4 Site 1

AS4 Site 2

AS100

AS200

AS100 to AS200

AS100 to AS4

AS200 to AS4

Lab 1.1 – Inter-AS Layer 3 Unicast VPN – Option A

IGP Routing

AS100

AS200

Intra-AS Label Switched Paths

AS100

AS200

Internal BGP

AS100

AS200

Inter-AS L3 Unicast VPN

AS100 to AS200

PE-CE Routing

AS100 to AS4

AS200 to AS4

Local Protection

AS100

AS200

OAM

AS100

Lab 1.2 – Inter-AS Layer 3 Unicast VPN – Option B

Inter-AS L3 Unicast VPN

AS100 to AS200

Lab 1.3 – Inter-AS Layer 3 Unicast VPN – Option C (both variants)

Inter-AS L3 Unicast VPN

AS100 to AS200

PE-CE Routing

AS4

Lab 2 – Hierarchical Virtual Private Network

Lab 2 Topology

Lab 2 Interface Addressing

Internal Addressing

AS4 Site 1

AS4 Site 2

AS577 Site 1

AS577 Site 2

AS100 Site 1

AS100 Site 2

AS300

Global Addressing

AS100 Site 1 to AS300

AS300 to AS100 Site 2

AS100 Site 1 to AS4 Site 1

AS100 Site 1 to AS577 Site 1

AS100 Site 2 to AS4 Site 2

AS100 Site 2 to AS577 Site 2

Lab 2.1 – Carrier Supporting Carrier Layer 3 Unicast and Multi-VRF CE

IGP Routing

AS100 Site 2

Intra-AS Label Switched Paths

AS100 Site 1

AS100 Site 2

AS300

Internal BGP

AS100 Site 1

AS100 Site 1 to AS100 Site 2

Lab 3 – Multicast Virtual Private Network

Lab 3 – Topology

Lab 3.1 – MVPN Profile 0 – PIM/GRE Default MDT

IGP Routing

AS100

Intra-AS Label Switched Paths

AS100

Internal BGP

AS100

Layer 3 Unicast VPN and PE-CE Routing

Multicast VPN

AS100

Security

Management Plane Protection

User database security

Lab 1 – Inter-Autonomous System Virtual Private Network

Lab 1 Topology

Lab 1 Interface Addressing

Internal Addressing

AS4 Site 1

Link / Prefix / Device 1 / Device 2
AS 4 Site 1 Transit Links
as4ce1-as4ce2 / 4.1.188.0/30, 2004:1:188::/64 / as100ce1:e0/0 / as100ce2:g0/0/0/0
AS 4 Site 1 Loopbacks
a4ce1 / 4.1.0.1/32, 2004:1::1/128 / as4ce1:loop0 / -
a4ce2 / 4.1.0.1/32, 2004:1::1/128 / as4ce2:loop0 / -

AS4 Site 2

Link / Prefix / Device 1 / Device 2
AS 4 Site 2 Transit Links
- / - / - / -
AS 4 Site 2 Loopbacks
a4ce3 / 4.1.0.3/32, 2004:1::3/128 / as4ce3:loop0 / -

AS100

Link / Prefix / Device 1 / Device 2
AS 100 Transit Links
as100pe1-as100p1 / 204.44.1.0/30 / as100pe1:g0/0/0/2 / as100p1:g0/0/0/0
as100pe1-as100pe2 / 204.44.1.4/30 / as100pe1:g0/0/0/1 / as100p1:gig1
as100pe2-as100p2 / 204.44.1.8/30 / as100pe2:g3 / as100p2:e0/0
as100pe2-as100rr1 / 204.44.1.12/30 / as100pe2:g4 / as100rr1:g0/0/0/0
as100p1-as100p2 / 204.44.1.16/30 / as100p1:g0/0/0/1 / as100p1:e0/1
as100p1-as100pe3 / 204.44.1.20/30 / as100pe1:g0/0/0/2 / as100p1:g1
as100p2-as100rr1 / 204.44.1.28/30 / as100p2:e0/2 / as100p1:g0/0/0/1
as100p2-as100rr2 / 204.44.1.32/30 / as100p2:e0/3 / as100p1:e0/0
as100p2-as100pe4 / 204.44.1.36/30 / as100p2:e1/1 / as100p1:gig1
as100pe3-as100pe4 / 204.44.1.40/30 / as100pe3:gig2 / as100pe4:gig3
as100pe3-as100pe4 / 204.44.1.44/30 / as100pe3:gig2 / as100pe4:gig3
AS 100 Loopbacks
as100pe1 / 204.44.0.1/32 / as100pe1:loop0 / -
as100pe2 / 204.44.0.2/32 / as100pe2:loop0 / -
as100pe3 / 204.44.0.3/32 / as100pe3:loop0 / -
as100pe4 / 204.44.0.4/32 / as100pe4:loop0 / -
as100p1 / 204.44.0.5/32 / as100p1:loop0 / -
as100p2 / 204.44.0.6/32 / as100p2:loop0 / -
as100rr1 / 204.44.0.7/32 / as100rr1:loop0 / -
as100rr2 / 204.44.0.8/32 / as100rr2:loop0 / -

AS200

Link / Prefix / Device 1 / Device 2
AS 200 Transit Links
as100pe3-as200pe1 / 10.198.1.0/30 / as200pe1:g0/0/0/2 / as200rr1:g0/0/0/0
as200pe1-as200pe2 / 10.198.1.4/30 / as200pe1:g0/0/0/1 / as200pe2:gig2
as200rr1-as200pe3 / 204.44.1.8/30 / as200rr1:g0/0/0/1 / as100pe3:g1
as200rr1-as200pe3 / 204.44.1.12/30 / as200rr1:g0/0/0/2 / as100pe3:g2
as200pe2-as200rr2 / 204.44.1.16/30 / as200pe2:g3 / as200rr2:e0/0
as200rr1-as200rr2 / 204.44.1.20/30 / as200rr1:g0/0/0/3 / as200rr2:e0/1
as200rr2-as200pe4 / 204.44.1.24/30 / as200rr2:e0/2 / as200pe4:gig2
as200pe3-as200pe4 / 204.44.1.32/30 / as200pe3:e0/2 / as200pe4:gig1
AS 200 Loopbacks
as200pe1 / 10.198.0.1/32 / as200pe1:loop0 / -
as200pe2 / 10.198.0.2/32 / as200pe2:loop0 / -
as200pe3 / 10.198.0.3/32 / as200pe3:loop0 / -
as200pe4 / 10.198.0.4/32 / as200pe4:loop0 / -
as200rr1 / 10.198.0.5/32 / as200rr1:loop0 / -
as200rr1 / 10.198.0.6/32 / as200rr2:loop0 / -

AS100 to AS200

Link / Prefix / Device 1 / Device 2
AS 100 to AS200 Peering Links
as100pe3-as200pe1 / 204.44.50.0/31, 2204:44.55::0/127 / as100pe1:g3 / as200pe1:g0/0/0/0
as100pe4-as200pe2 / 2204.44.50.2/31, 2204:44.55::2/127 / as100pe3:g4 / as200pe2:gig1

AS100 to AS4

Link / Prefix / Device 1 / Device 2
AS 100 to AS200 Peering Links
as100pe1-as4ce1 / 204.44.100.0/31, 2204:44:100:1::/64 / as100pe1:g0/0/0/0 / as4pe1:e0/1
as100pe2-as4ce2 / 204.44.100.2/31, 2204:44:100:2::/64 / as100pe3:g4 / as4pe2:gig0/0/0/1

AS200 to AS4

Link / Prefix / Device 1 / Device 2
AS 100 to AS200 Peering Links
as200pe3-as4ce3 / 197.200.42.0/31, 2197:200:42:1::/127 / as200pe3:g4 / as4ce3:e0/0

Lab 1.1 – Inter-AS Layer 3 Unicast VPN – Option A

IGP Routing

AS100

  • Use IS-IS process “as100-isis” as the IGP
  • Use the NET area 49.0001
  • Ensure that all routers establish only L2 adjacencies, using the fewest commands possible
  • Hello messages must use MD5 authentication with the key “cisco123hello” and LSPs with the key “cisco123lsp”
  • At the end of the configuration for this section, the LSDB should look as follows:

as100p2#show isis database

Tag as100-isis:
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
as100pe1.00-00        0x00000004   0x44EB        1032          0/0/0
as100pe2.00-00        0x00000004   0x1F10        1082          0/0/0
as100pe3.00-00        0x00000219   0x3559        1093          0/0/0
as100pe4.00-00        0x00000007   0x070E        1106          0/0/0
as100p1.00-00         0x00000006   0xDF8A        668           0/0/0
as100p2.00-00       * 0x00000008   0xED26        1039          0/0/0
as100rr1.00-00        0x00000007   0xE3FC        1189          0/0/1
as100rr2.00-00        0x00000004   0x9340        1174          0/0/1

  • At the end of the configuration for this section, the RIB should look as follows:

as100p2#show ip route isis | begin Gateway
Gateway of last resort is not set

      204.44.0.0/32 is subnetted, 8 subnets
i L2     204.44.0.1 [115/20] via 204.44.1.9, 00:05:38, Ethernet0/0
i L2     204.44.0.2 [115/10] via 204.44.1.9, 00:04:56, Ethernet0/0
i L2     204.44.0.3 [115/20] via 204.44.1.38, 00:04:43, Ethernet1/1
i L2     204.44.0.4 [115/10] via 204.44.1.38, 00:04:32, Ethernet1/1
i L2     204.44.0.5 [115/30] via 204.44.1.38, 00:05:38, Ethernet1/1
                    [115/30] via 204.44.1.9, 00:05:38, Ethernet0/0
i L2     204.44.0.7 [115/10] via 204.44.1.30, 00:09:15, Ethernet0/2
i L2     204.44.0.8 [115/10] via 204.44.1.34, 00:06:50, Ethernet0/3
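
An added example, not part of the workbook: a small Python check that audits an IOS-style configuration against the AS100 IS-IS requirements above (level-2-only, MD5 on hellos with one key, MD5 on LSPs with another). The sample configuration is constructed; the key-chain names, the NET system ID and the cleartext key-strings are assumptions, and Ethernet0/1 is deliberately left without hello authentication so the audit has something to report.

```python
import re

# Constructed IOS-style configuration (not from the workbook). The NET system ID
# and key-chain names are assumptions; Ethernet0/1 deliberately lacks hello auth.
SAMPLE_CONFIG = """\
key chain ISIS-HELLO
 key 1
  key-string cisco123hello
key chain ISIS-LSP
 key 1
  key-string cisco123lsp
!
interface Ethernet0/0
 ip router isis as100-isis
 isis authentication mode md5
 isis authentication key-chain ISIS-HELLO
!
interface Ethernet0/1
 ip router isis as100-isis
!
router isis as100-isis
 net 49.0001.0000.0000.0006.00
 is-type level-2-only
 authentication mode md5
 authentication key-chain ISIS-LSP
"""


def sections(config):
    """Map each top-level config line to its (flattened) indented child lines."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out


def key_strings(secs, chain):
    """Return the key-strings configured under 'key chain <chain>' (cleartext assumed)."""
    body = secs.get(f"key chain {chain}", [])
    return [c.split(None, 1)[1] for c in body if c.startswith("key-string ")]


def check_auth(secs, where, body, prefix, expected_key):
    """Check MD5 mode and key chain; prefix is 'isis ' on interfaces, '' on the router."""
    level = r"( level-[12])?"
    problems = []
    if not any(re.fullmatch(prefix + "authentication mode md5" + level, c) for c in body):
        problems.append(f"{where}: MD5 authentication mode not set")
    chains = [m.group(1) for c in body
              if (m := re.fullmatch(prefix + r"authentication key-chain (\S+)" + level, c))]
    if not chains:
        problems.append(f"{where}: no authentication key-chain")
    elif expected_key not in key_strings(secs, chains[0]):
        problems.append(f"{where}: key chain {chains[0]} lacks the required key")
    return problems


def audit_isis(config, tag, hello_key, lsp_key):
    """Return findings for the IS-IS process <tag>; an empty list means compliant."""
    secs = sections(config)
    router = secs.get(f"router isis {tag}")
    if router is None:
        return [f"router isis {tag}: process not configured"]
    findings = []
    if "is-type level-2-only" not in router:
        findings.append("router: adjacencies not limited to level-2-only")
    # Router-level authentication covers LSPs, CSNPs and PSNPs.
    findings += check_auth(secs, "router", router, "", lsp_key)
    # Interface-level authentication covers IS-IS hellos.
    for name, body in secs.items():
        if name.startswith("interface ") and f"ip router isis {tag}" in body:
            findings += check_auth(secs, name, body, "isis ", hello_key)
    return findings


if __name__ == "__main__":
    for finding in audit_isis(SAMPLE_CONFIG, "as100-isis", "cisco123hello", "cisco123lsp"):
        print(finding)
```

An interface that runs IS-IS without hello authentication is the gap this catches: the LSDB output can still look correct on routers whose neighbours are configured, so the check is made against the configuration rather than the adjacency table.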

AS200

  • Use OSPFv2 process “200” as the IGP
  • All routers should have all interfaces in area 0.0.0.0
  • Statically configure the Router IDs to the Loopback0 interface IPv4 address
  • Configure MD5 authentication at the area level using the key “cisco123ospf”
  • At the end of the configuration for this section, the RIB should look as follows:

as200pe4#show ip route ospf | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O E1     10.198.0.1/32 [110/23] via 10.198.1.33, 00:02:41, GigabitEthernet1
O E1     10.198.0.2/32 [110/24] via 10.198.1.33, 00:02:41, GigabitEthernet1
O E1     10.198.0.3/32 [110/21] via 10.198.1.33, 00:02:41, GigabitEthernet1
O E1     10.198.0.5/32 [110/22] via 10.198.1.33, 00:02:41, GigabitEthernet1
O E1     10.198.0.6/32 [110/21] via 10.198.1.25, 00:02:41, GigabitEthernet2

  • Ensure that no transit link requires the generation of a Network LSA

Intra-AS Label Switched Paths

AS100

  • Create a full mesh of RSVP-TE LSPs between the PE routers using a dynamic method for creating RSVP-TE LSPs
  • Ensure that new tunnel instantiations use the tunnel number range 1500-1600
  • The signaled bandwidth of the TE tunnel should be 500Kbps
  • Ensure that the as100pe1-as100p1 link is excluded from the CSPF run by manipulating the link attribute flags and the tunnel affinity
  • Ensure that 75% of link bandwidth can be reserved by RSVP

AS200

  • Create a full mesh of MP2P LSPs using LDP
  • Authenticate LDP sessions using the key “cisco123ldp”
  • Use the minimum number of commands to enable LDP on internal transit interfaces

Internal BGP

AS100

  • Configure as100rr1 and as100rr2 as VPNv4 and VPNv6 route reflectors in the cluster “100”
  • Establish IBGP peerings from each PE router to the RRs
  • Statically configure the Router IDs to the Loopback0 interface IPv4 address
  • Authenticate the sessions using the key “cisco123ibgp”
  • Ensure that peer templates are used in IOS and session-groups and af-groups in IOS-XR
  • On the RR as100rr1 (IOS-XR), ensure that the neighbor config blocks have no more configuration than shown below

RP/0/0/CPU0:as100rr1#show run router bgp
Sat Mar 19 12:18:02.341 UTC
router bgp 100
 !
 <omitted>
 !
 neighbor 204.44.0.1
  use neighbor-group ibgp-peers-afgroup
 !
 neighbor 204.44.0.2
  use neighbor-group ibgp-peers-afgroup
 !
 <omitted>

  • No AFI/SAFIs should be enabled by default unless explicitly configured

AS200

  • Configure as200rr1 and as200rr2 as VPNv4 and VPNv6 route reflectors in the cluster “200”
  • Establish IBGP peerings from each PE router to the RRs
  • Statically configure the Router IDs to the Loopback0 interface IPv4 address
  • Authenticate the sessions using the key “cisco123ibgp”
  • Ensure that peer templates are used in IOS and session-groups and af-groups in IOS-XR
  • No AFI/SAFIs should be enabled by default unless explicitly configured

Inter-AS L3 Unicast VPN

AS100 to AS200

  • Configure an RFC2547/4364 Option A MPLS/BGP VPN to provide connectivity between the HQ site of AS4 (attached to AS100) and the spoke site of AS4 (attached to AS200)
  • Ensure that the primary path for IPv4 traffic is through the as100pe4-as200pe2 link and IPv6 traffic is through the as100pe3-as200pe1 link
  • Use the VRFs defined on the PE routers
  • Use whatever VRF naming and VLAN number(s) that you want on the ASBRs; re-use the addressing from the global routing table on the ASBR-ASBR link
  • For any new BGP sessions created, the BGP transport must be IPv4 only
  • At the end of the configuration, the VRF routing table on as100pe1 should look something like this (note the next hops):

RP/0/0/CPU0:as100pe1#show route vrf as4s1-vrf ipv6 2004:1::3
Sun Mar 20 01:34:53.466 UTC

Routing entry for 2004:1::3/128
  Known via "bgp 100", distance 200, metric 0
  Tag 200, type internal
  Installed Mar 20 01:34:51.866 for 00:00:01
  Routing Descriptor Blocks
    ::ffff:204.44.0.3, from ::ffff:204.44.0.7
      Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
      Route metric is 0
  No advertising protos.

RP/0/0/CPU0:as100pe1#show route vrf as4s1-vrf 4.1.0.3
Sun Mar 20 01:34:58.995 UTC

Routing entry for 4.1.0.3/32
  Known via "bgp 100", distance 200, metric 0
  Tag 200, type internal
  Installed Mar 20 01:29:56.116 for 00:05:02
  Routing Descriptor Blocks
    204.44.0.4, from 204.44.0.7
      Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
      Route metric is 0
  No advertising protos.

PE-CE Routing

AS100 to AS4

  • Configure OSPFv2 and OSPFv3 as the PE-CE routing protocol for IPv4 and IPv6
  • Consider the as4ce1-as4ce2 link as a backdoor link and ensure that traffic between the loopback interface IP addresses traverses the MPLS network rather than the backdoor link
  • Ensure that the routes show up as intra-area (O) routes
  • Ensure that any new links created as part of this configuration are only present on the minimum number of routers necessary to get the configuration to work

AS200 to AS4

  • Configure OSPFv2 and OSPFv3 as the PE-CE routing protocol for IPv4 and IPv6

Local Protection

AS100

  • Use the autotunnel backup feature to create one-hop tunnels to protect against link failure
  • Ignore tunnel affinities when establishing backup tunnels

AS200

  • Enable the LFA per-prefix feature on the PE routers to facilitate repair paths for loopback addresses

OAM

AS100

  • Ensure that the traceroute mpls tool can be used end to end between the PE routers

Lab 1.2 – Inter-AS Layer 3 Unicast VPN – Option B

Inter-AS L3 Unicast VPN

AS100 to AS200

  • Configure an RFC2547/4364 Option B MPLS/BGP VPN to provide connectivity between the HQ site of AS4 (attached to AS100) and the spoke site of AS4 (attached to AS200)
  • Ensure that the primary path for IPv4 traffic is through the as100pe4-as200pe2 link and IPv6 traffic is through the as100pe3-as200pe1 link
  • Use the VRFs defined on the PE routers; the ASBRs should not have any VRFs defined
  • Neither AS should expose its Route Target addressing schema to the other
  • For the VPN service route exchange from AS100 to AS200, use RT 1009:2009
  • For the VPN service route exchange from AS200 to AS100, use RT 2009:1009
  • Ensure that only the ASBRs see these temporary RTs
  • All new BGP sessions should use MD5 authentication with the key “cisco123ebgp”
  • Once the configuration is completed, the routing table on as4ce1 should look as follows for networks received from the spoke AS4 site:

as4ce1#show ip route 4.1.0.3
Routing entry for 4.1.0.3/32
  Known via "ospf 4", distance 110, metric 11, type inter area
  Last update from 204.44.100.0 on Ethernet0/1, 00:00:33 ago
  Routing Descriptor Blocks:
  * 204.44.100.0, from 204.44.0.1, 00:00:33 ago, via Ethernet0/1
      Route metric is 11, traffic share count is 1

  • At the end of the configuration, the VRF routing table on as100pe1 should look something like this (note the next hops):

RP/0/0/CPU0:as100pe1#show route vrf as4s1-vrf ipv4 bgp
Sun Mar 20 21:59:46.033 UTC

B    4.1.0.2/32 [200/2] via 204.44.0.2 (nexthop in vrf default), 00:22:25
B    4.1.0.3/32 [200/0] via 204.44.0.4 (nexthop in vrf default), 00:15:35
B    197.200.42.0/31 [200/0] via 204.44.0.4 (nexthop in vrf default), 00:15:35
B    204.44.100.2/31 [200/0] via 204.44.0.2 (nexthop in vrf default), 00:22:25
B    204.44.100.5/32 [200/0] via 204.44.0.2 (nexthop in vrf default), 09:51:09

RP/0/0/CPU0:as100pe1#show route vrf as4s1-vrf ipv6 bgp
Sun Mar 20 21:59:48.923 UTC

B    2004:1::2/128
      [200/1] via ::ffff:204.44.0.2 (nexthop in vrf default), 00:06:28
B    2004:1::3/128
      [200/0] via ::ffff:204.44.0.3 (nexthop in vrf default), 00:06:00
B    2004:1:188::/64
      [200/2] via ::ffff:204.44.0.2 (nexthop in vrf default), 00:06:28
B    2197:200:42:1::/127
      [200/0] via ::ffff:204.44.0.3 (nexthop in vrf default), 00:06:00
B    2204:44:100::5/128
      [200/0] via ::ffff:204.44.0.2 (nexthop in vrf default), 09:51:12

Lab 1.3 – Inter-AS Layer 3 Unicast VPN – Option C (both variants)

Inter-AS L3 Unicast VPN

AS100 to AS200

  • Configure an RFC2547/4364 Option C MPLS/BGP VPN to provide connectivity between the HQ site of AS4 (attached to AS100) and the spoke site of AS4 (attached to AS200)
  • Use the VRFs defined on the PE routers; the ASBRs should not have any VRFs defined
  • Neither AS should expose its Route Target addressing schema to the other
  • For the VPN service route exchange from AS100 to AS200, use RT 1009:2009
  • For the VPN service route exchange from AS200 to AS100, use RT 2009:1009
  • Ensure that only the RRs in each AS see these temporary RTs
  • In AS100, the ASBR must not redistribute the labelled unicast route to the RRs or PE routers in AS200
  • For existing IBGP sessions, you are only allowed to activate new AFI/SAFIs in AS100
  • The RRs must establish the multihop EBGP VPN sessions between each other
  • All new EBGP sessions should use MD5 authentication with the key “cisco123ebgp”
  • All new EBGP sessions on the ASBRs must use route maps to filter incoming and outgoing updates
  • Do NOT remove the overload bit on the RRs
  • At the end of the configuration, a traceroute from AS4 site 1 to AS4 site 2 should look similar to below (the hint here is about the path from as200pe1 to as200pe3 or as200pe4; not specifically which exit point the traffic leaves on):

as4ce1#traceroute 4.1.0.3 source loop0 numeric
Type escape sequence to abort.
Tracing the route to 4.1.0.3
VRF info: (vrf in name/id, vrf out name/id)
  1 204.44.100.0 1 msec 1 msec 1 msec
  2 204.44.1.6 [MPLS: Labels 25/33/21 Exp 0] 18 msec 15 msec 13 msec
  3 204.44.1.10 [MPLS: Labels 27/33/21 Exp 0] 21 msec 31 msec 31 msec
  4 204.44.1.38 [MPLS: Labels 33/21 Exp 0] 31 msec 30 msec 30 msec
  5 204.44.50.3 [MPLS: Labels 22/21 Exp 0] 31 msec 31 msec 31 msec
  6 10.198.1.5 [MPLS: Labels 24006/21 Exp 0] 31 msec 30 msec 31 msec
  7 10.198.1.2 [MPLS: Labels 24005/21 Exp 0] 30 msec 32 msec 30 msec
  8 197.200.42.0 [MPLS: Label 21 Exp 0] 16 msec 16 msec 72 msec
  9 197.200.42.1 15 msec * 14 msec

PE-CE Routing

AS4

  • Configure EBGP as the PE-CE routing protocol for IPv4 and IPv6 unicast
  • Configure an IBGP session between the CE routers for IPv4 and IPv6 unicast
  • Protect against control plane loops in the customer network using a BGP feature on the PE routers

Lab 2 – Hierarchical Virtual Private Network

Lab 2 Topology

Lab 2 Interface Addressing

Internal Addressing

AS4 Site 1

Link / Prefix / Device 1 / Device 2
AS 4 Site 1 Loopbacks
a4s1ce1 / 4.1.0.1/32, 2004:1::1/128 / as4s1ce1:loop0 / -
a4s1ce3 / 4.1.0.3/32, 2004:1::3/128 / as4s1ce1:loop0 / -

AS4 Site 2

Link / Prefix / Device 1 / Device 2
AS 4 Site 2 Loopbacks
a4s2ce2 / 4.1.0.2/32, 2004:1::2/128 / as4ce2:loop0 / -

AS577 Site 1

Link / Prefix / Device 1 / Device 2
AS 4 Site 1 Loopbacks
a577s1ce1 / 57.7.243.1/32, 2057:57:243::1/128 / as577ce1:loop0 / -

AS577 Site 2

Link / Prefix / Device 1 / Device 2
AS 4 Site 2 Loopbacks
a577s1ce2 / 57.7.243.2/32, 2057:57:243::1/128 / as577ce2:loop0 / -

AS100 Site 1

Link / Prefix / Device 1 / Device 2
AS 100 Transit Links
as100s1pe1-as100p1 / 204.44.1.0/30 / as100s1pe1:g0/0/0/2 / as100s1p1:g0/0/0/0
as100s1pe1-as100s1pe2 / 204.44.1.4/30 / as100s1pe1:g0/0/0/1 / as100s1p1:gig1
as100s1pe2-as100s1p2 / 204.44.1.8/30 / as100s1pe2:g3 / as100s1p2:e0/0
as100s1pe2-as100s1rr1 / 204.44.1.12/30 / as100s1pe2:g4 / as100s1rr1:g0/0/0/0
as100s1p1-as100s1p2 / 204.44.1.16/30 / as100s1p1:g0/0/0/1 / as100s1p1:e0/1
as100s1p1-as100s1pe3 / 204.44.1.20/30 / as100s1pe1:g0/0/0/2 / as100s1p1:g1
as100s1p2-as100s1rr1 / 204.44.1.28/30 / as100s1p2:e0/2 / as100s1p1:g0/0/0/1
as100s1p2-as100s1rr2 / 204.44.1.32/30 / as100s1p2:e0/3 / as100s1p1:e0/0
as100s1p2-as100s1pe4 / 204.44.1.36/30 / as100s1p2:e1/1 / as100s1p1:gig1
as100s1pe3-as100s1pe4 / 204.44.1.40/30 / as100s1pe3:gig2 / as100s1pe4:gig3
as100s1pe3-as100s1pe4 / 204.44.1.44/30 / as100s1pe3:gig2 / as100s1pe4:gig3
AS 100 Loopbacks
as100s1pe1 / 204.44.0.1/32 / as100s1pe1:loop0 / -
as100s1pe2 / 204.44.0.2/32 / as100s1pe2:loop0 / -
as100s1pe3 / 204.44.0.3/32 / as100s1pe3:loop0 / -
as100s1pe4 / 204.44.0.4/32 / as100s1pe4:loop0 / -
as100s1p1 / 204.44.0.5/32 / as100s1p1:loop0 / -
as100s1p2 / 204.44.0.6/32 / as100s1p2:loop0 / -
as100s1rr1 / 204.44.0.7/32 / as100s1rr1:loop0 / -
as100s1rr2 / 204.44.0.8/32 / as100s1rr2:loop0 / -

AS100 Site 2

Link / Prefix / Device 1 / Device 2
AS 200 Transit Links
as100s2rr1-as100s2p1 / 10.198.1.0/30 / as100s2rr1:g0/0/0/1 / as100s2p1:e0/0
as100s2rr1-as100s2p2 / 10.198.1.4/30 / as100s2rr1:g0/0/0/2 / as100s2p1:e0/1
as100s2rr1-as100s2rr2 / 10.198.1.8/30 / as100s2rr1:g0/0/0/3 / as100s2rr2:e0/1
as100s2rr2-as100s2pe3 / 10.198.1.12/30 / as100s2rr2:e0/1 / as100s2pe3:e0/1
as100s2p1-as100s2pe3 / 10.198.1.16/30 / as100s2p1:e0/2 / as100s2pe3:e0/2
as100s2pe3-as100s2mce1 / 200.198.100.0/31, 2200:198:100::/127 / as100s2pe3:e0/0 / as100s2mce1:g0/0/0/0
AS 200 Loopbacks
as100s2rr1 / 10.198.0.1/32 / as100s2rr1:loop0 / -
as100s2rr2 / 10.198.0.2/32 / as100s2rr2:loop0 / -
as100s2pe3 / 10.198.0.3/32 / as100s2pe3:loop0 / -
as100s2p1 / 10.198.0.4/32 / as100s2pe4:loop0 / -
as100s2mce1 / 10.198.0.5/32 / as100s2mce1:loop0 / -

AS300

Link / Prefix / Device 1 / Device 2
AS 300 Transit Links
as300pe1-as300p1 / 10.144.129.0/30 / as300pe1:g3 / as300p1:e0/1
as300p1-as300pe2 / 10.144.129.4/30 / as300p1:e0/0 / as300pe2:gig0/0/0/0
AS 300 Loopbacks
as300pe1 / 10.144.130.1/32 / as300pe1:loop0 / -
as300pe2 / 10.144.130.2/32 / as300pe3:loop0 / -
as300p1 / 10.144.130.3/32 / as300p2:loop0 / -

Global Addressing

AS100 Site 1 to AS300

Link / Prefix / Device 1 / Device 2
AS 100 to AS200 Peering Links
as100s1pe3-as300pe1 / 111.79.231.0/31 / as100s1pe3:g3 / as300pe1:g4
as100s1pe4-as300pe1 / 111.79.231.2/31 / as100s1pe4:g4 / as300pe1:g1

AS300 to AS100 Site 2

Link / Prefix / Device 1 / Device 2
AS 100 to AS200 Peering Links
as100s2rr1-as300pe2 / 111.79.231.4/31 / as100s2rr1:g0/0/0/0 / as300pe2:g0/0/0/2
as100s2rr2-as300pe2 / 111.79.231.4/31 / as100s2rr1:g0/0/0/1 / as300pe2:g0/0/0/1

AS100 Site 1 to AS4 Site 1

Link / Prefix / Device 1 / Device 2
AS 100 to AS200 Peering Links
as100s1pe1-as4s1ce1 / 204.44.100.0/31, 2204:44:100:1::/64 / as100s1pe1:g0/0/0/0 / as4s1ce1:e0/1
as100s1pe1-as4s1ce3 / 204.44.100.4/31, 2204:44:100:4::/64 / as100s1pe1:g0/0/0/3 / as4s1ce3:e0/0

AS100 Site 1 to AS577 Site 1

Link / Prefix / Device 1 / Device 2
AS 100 to AS200 Peering Links
as100s1pe2-as577s1ce1 / 204.44.100.2/31, 2204:44:100:2::/64 / as100s1pe2:g2 / as577s1ce1:e0/0

AS100 Site 2 to AS4 Site 2

Link / Prefix / Device 1 / Device 2
AS 100 to AS200 Peering Links
as100s2mce1-as4ce2 / 200.198.100.2/31, 2200:198:100::2/127 / as100s2mce1:g0/0/0/1 / as4s2ce2:e0/0

AS100 Site 2 to AS577 Site 2

Link / Prefix / Device 1 / Device 2
AS 100 to AS200 Peering Links
as100s2mce1-as577s2ce2 / 197.200.42.2/31, 2200:198:100::2/127 / as100s2mce1:g0/0/0/2 / as577s2ce2:e0/0

Lab 2.1 – Carrier Supporting Carrier Layer 3 Unicast and Multi-VRF CE

IGP Routing

AS100 Site 2

  • Configure the router(s) in AS100S2 such that their routing tables only contain host routes for internal routers.
  • Do not use the OSPF prefix suppression feature
  • Below is an example of the routing table for as100s2pe3

as100s2pe3#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O E2     10.198.0.1/32 [110/20] via 10.198.1.17, 00:00:01, Ethernet0/2
                       [110/20] via 10.198.1.13, 00:00:11, Ethernet0/1
O E2     10.198.0.2/32 [110/20] via 10.198.1.13, 00:00:11, Ethernet0/1
O E2     10.198.0.4/32 [110/20] via 10.198.1.17, 00:00:01, Ethernet0/2

Intra-AS Label Switched Paths

AS100 Site 1

  • Create a full mesh of RSVP-TE LSPs between the PE routers using a static method for creating RSVP-TE LSPs
  • The signaled bandwidth of the TE tunnel should be 100kbps
  • The as100s1pe1-as100s1p1 and as100s1p1-as100s1pe3 are considered legacy links and should be avoided unless there is no other valid path
  • Do not use explicit paths
  • Do not use affinity and attribute sets
  • Do not change the IGP metric
  • The as100s1pe2-as100s1pe4 RSVP-TE tunnel must be set up using explicit paths and must traverse as100s1rr1 without modifying pre-existing configuration on as100s1rr1
  • Ensure that 500Kbps of link bandwidth can be reserved by RSVP

AS100 Site 2

  • Create a full mesh of MP2P LSPs using LDP
  • Authenticate LDP sessions using the key “cisco123ldp”
  • Use the minimum number of commands to enable LDP on internal transit interfaces

AS300

  • Create a full mesh of MP2P LSPs using LDP
  • Authenticate LDP sessions using the key “cisco123ldp”; do not use per-neighbor statements to do this
  • Use the minimum number of commands to enable LDP on internal transit interfaces

Internal BGP

AS100 Site 1

  • Configure as100s1rr1 and as100s1rr2 as VPNv4 and VPNv6 route reflectors in the cluster “100”
  • Establish IBGP peerings from each PE router to the RRs
  • Statically configure the Router IDs to the Loopback0 interface IPv4 address
  • Authenticate the sessions using the key “cisco123ibgp”
  • Ensure that peer templates are used in IOS and session-groups and af-groups in IOS-XR
  • On the RR as100s1rr2 (IOS), the BGP neighbor table should look similar to below at the end of this section

as100rr2#show bgp vpnv4 unicast all summary
BGP router identifier 204.44.0.8, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
*204.44.0.1     4   100      17      19        1    0    0 00:13:49        0
*204.44.0.2     4   100       4       4        1    0    0 00:02:40        0
*204.44.0.3     4   100       2       2        1    0    0 00:00:34        0
*204.44.0.4     4   100       2       2        1    0    0 00:00:23        0
*204.44.0.7     4   100      12      11        1    0    0 00:08:54        0
* Dynamically created based on a listen range command
Dynamically created neighbors: 5, Subnet ranges: 1

BGP peergroup ibgp-peers-grp listen range group members:
  204.44.0.0/24

Total dynamically created neighbors: 5/(10 max), Subnet ranges: 1

  • No AFI/SAFIs should be enabled by default unless explicitly configured

AS100 Site 1 to AS100 Site 2

  • Configure a full mesh of VPNv4 and VPNv6 unicast IBGP sessions between the PE routers in AS100 Site 2 and the VPN route reflectors in AS100 Site 1
  • Statically configure the Router IDs to the Loopback0 interface IPv4 address
  • Authenticate the sessions using the key “cisco123ibgp”

Lab 3 – Multicast Virtual Private Network

Lab 3 – Topology

Lab 3.1 – MVPN Profile 0 – PIM/GRE Default MDT