Advanced Boot camp Day 1 – Day 4 Technology Labs

CCIE Routing and Switching
Boot Camp Day 1 to 4 Lab
Page 1 of 138
©2008 Network Learning, Inc. All Rights reserved Unauthorized duplication is a violation of Federal Law.
Day 1
Switching
In order to properly configure switches for the CCIE Lab examination the subsequent topics
and configurations must be understood. At the time of writing this Technology workbook,
3550s and 3560s were co-resident in the R&S Lab. However by the time of reading this
document, you may have 4 x 3560s in your lab. Thus, 3560s are used in the following section
labs and for explanatory purposes.
MAC Address expiration
All modern Cisco switching platforms store and forward Ethernet frames and need to build a
Content Addressable Memory (CAM) table to understand which source MAC addresses are
connected to which ports. If a switch does not have a CAM table entry for a destination MAC
address, it must forward the frame out every port. Needless to say, forwarding unicast,
multicast, and broadcast traffic to every switch port could cause security as well as bandwidth
issues. In Volume II we discuss the security issues in great detail, but for now we will use the
MAC address expiration to limit the chances of forwarding traffic out every port. Some devices
cannot or will not send gratuitous ARPs at regular intervals; therefore there is a chance their
dynamically learned MAC addresses may be removed from the CAM table. Instead of allowing
the switch to forward traffic destined to this device out every switch port, the MAC address
aging timer can be increased from the default (300 seconds) to a greater value.
Switch(config)# mac address-table aging-time 4000     (increases timer to a little over an hour)
0              This value disables aging. Static address entries are never aged or removed
               from the table.
10-1000000     Aging time in seconds. The range is 10 to 1000000 seconds.
vlan vlan-id   (Optional) Specify the VLAN ID to which to apply the aging time. The range
               is 1 to 4094.
STATIC Mac addresses
Unfortunately, there are some devices that can never send gratuitous ARPs to the switch. For
these devices we can statically configure their MAC Addresses to avoid flooding.
Switch(config)# mac address-table static 1234.1234.1234 vlan 4 interface gigabitethernet0/2
mac-addr                 Destination MAC address (unicast or multicast) to add to the address table.
                         Packets with this destination address received in the specified VLAN are
                         forwarded to the specified interface.
vlan vlan-id             Specify the VLAN for which the packet with the specified MAC address is
                         received. The range is 1 to 4094.
interface interface-id   Interface to which the received packet is forwarded. Valid interfaces include
                         physical ports and port channels.
Another useful variant of the static command is the drop option. By including the keyword
drop, unicast MAC address filtering allows the switch to drop traffic with a specific
source or destination MAC address. Why only unicast, you may ask? This is because multicast
creates a multicast MAC address by using the last 23 bits of the multicast IP address and
starting with 01005E. For example, the multicast address of 239.255.0.1 translates to a MAC
address of 01005E7F0001. Secondly, broadcasts are also exempt because they always
go to a destination MAC address of FFFF.FFFF.FFFF.
To block (filter) a MAC address in a switch we would configure something like this:
Switch(config)# mac address-table static 1111.1111.1111 vlan 2 drop
VLANS
Hey, here is a topic that should be pretty familiar. If not, then please read this brief
explanation. A Virtual Local Area Network (VLAN) is simply a broadcast domain. In other
words, a VLAN is a layer 2 boundary. Typically a VLAN is associated with a Layer 3 subnet,
but in reality they are independent. For example, on an SVI (Switched Virtual Interface), AKA
(interface VLAN), I can configure a primary subnet (IP address) and several secondary IP
addresses. What we do find with VLANs, at least with 3550 or 3560 switches in particular, is
that this broadcast domain is usually mapped to an instance of Spanning Tree or PVST.
To configure VLANs we need to add them to the VLAN database. Depending on the switch
model this is performed from the global configuration or from the VLAN DATABASE prompt
(deprecated). VLAN Trunking Protocol (VTP) adds some automation to this process, but for now
we assume we are in the default Server Mode and can manually add VLANs to the VLAN
database.
The recommended method for adding VLANs, when possible, is from the global configuration
prompt.
switch(config)# vlan 100
switch(config-vlan)# name VOICE
switch(config-vlan)# exit
To assign the new vlans to a switch port you must configure the following:
switch(config)# int fa0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 100
Trunks
With trunks we can then transport the VLANs we have created over a single uplink. Trunks
are said to carry multiple colors or tags. With 802.1Q trunks all VLANs are tagged except for
the Native VLAN. By default the Native VLAN is VLAN 1, but this can be changed. However, use
the same native VLAN on both ends of the trunk. Optionally VLANs can be removed (pruned)
completely from a trunk if they are not required to traverse the switch.
Basic Configuration:
switch(config)# int fa0/1
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport trunk native vlan 999
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk native vlan 100     (replaces native vlan 999; the last value entered is kept)
Static VLAN Blocking:
switch(config-if)# switchport trunk allowed vlan add 2,3,4
switch(config-if)# switchport trunk allowed vlan remove 5
As mentioned earlier, normally a native VLAN is not tagged for traversing a trunk. This allows
the native VLAN to function as a static access VLAN. If for some reason the trunk (on, auto,
or desirable) were not working, then the native VLAN would still pass traffic. Contrary to this
behavior, service providers can tag their customer’s native VLAN so that it can be tunneled
over a provider’s leased Ethernet service.
If we needed to tag native VLAN traffic into a provider’s connection we would configure the
following on the customer edge switch:
Switch# configure terminal
Switch(config)# vlan dot1q tag native
Switch(config)# end
VTP
Cisco provides the VLAN Trunking Protocol (VTP) to automate the configuration of VLANs. If
you recall from the previous VLAN section, in order to add a VLAN to a switch we needed to
add the VLAN to the switch’s VLAN database. This exercise could be daunting if we had 100
switches in a large office building. Instead of configuring each switch to support several
VLANs, with VTP you only have to create the VLANs on a switch configured as a server and
allow the other switches to dynamically learn the VLANs over their trunks. Best practice is to
run these other switches in a read-only client mode. If more than one switch is configured as
a server, then the switch with the highest revision number would control the VLAN database.
Transparent mode is a third option that is used to allow VTP information to pass through a
switch, but that specific switch will ignore the VTP information and refer to its own manually
assigned VLANs.
It is important to remember that all switches, by default, are VTP servers. The VTP server is
where you would create, remove, or modify VLANs. If for some reason you remove a switch
from a lab or spares environment that was configured as a server, and then introduce the
switch into the production network, even if for only a few minutes before you reconfigure it as
a client, if it has a higher revision number it will take control of the VTP database.
This VTP server sends advertisements across the VTP domain, every 5 minutes or whenever a
change is made in the VLAN database. The advertisement contains all the different VLAN
names, VLAN numbers, what switches have ports in what VLANs, and a revision number.
Whenever a switch receives an update with a larger revision number than the last one it
applied, it applies that revision.
VTP switches can operate in three different modes:
• Server – the default where all VLAN adds, changes, and removals are allowed
• Client – where no changes can be made, only new revisions can be received from the
VTP server switches.
• Transparent – where local VLAN information can be changed but that information is
not sent out to other switches. Transparent switches also do not apply VTP
advertisements from other switches but they do forward those advertisements on.
VTP pruning is the process of not sending unnecessary broadcast traffic for VLANs to switches
that do not have any ports assigned to those VLANs. Pruning saves bandwidth because
broadcasts don’t have to be sent to switches that don’t need them. To configure VTP, you use
the vtp global configuration mode command. With this command you can specify the
following:
• VTP domain – the name of the VTP domain. All switches communicating with VTP in
the same domain must have the same VTP domain name.
• VTP mode – either server, client, or transparent
• VTP password – a password to control who can and cannot receive VTP information
• VTP pruning – VTP pruning is either turned on or off
• VTP version – Be aware that most switches do not support V3
*Note: the VTP password is highly recommended to prevent switches from accidentally becoming
a VTP server.
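The revision-number takeover and the effect of the VTP password described above, as an added Python example (a simplified model, not Cisco's implementation and not part of the original workbook). The digest function is a stand-in for the real VTP digest calculation, and the spare switch, its revision 42 and its VLAN 100 are constructed values; the domain, password and revision 19 reuse the lab values on this page.

```python
"""Simplified model of VTP revision handling (added example, not Cisco code)."""
import hashlib
from dataclasses import dataclass, field


def secret_digest(domain: str, password: str) -> str:
    # Stand-in for the digest carried in VTP advertisements; the real
    # calculation differs, this only models "same domain and same password".
    return hashlib.sha256(f"{domain}\x00{password}".encode()).hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict          # vlan-id -> name
    digest: str


@dataclass
class Switch:
    name: str
    domain: str
    mode: str            # "server", "client" or "transparent"
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans),
                             secret_digest(self.domain, self.password))

    def receive(self, adv: Advertisement) -> str:
        """Apply the rules from the text and report what happened."""
        if self.mode == "transparent":
            return "forwarded, not applied"
        if adv.domain != self.domain:
            return "ignored: different domain"
        if adv.digest != secret_digest(self.domain, self.password):
            return "rejected: password mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not higher"
        # A higher revision replaces the whole VLAN database.
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return "applied"


def introduce_spare(production_password: str, spare_password: str):
    """Plug a lab spare (revision 42) into a production domain at revision 19."""
    prod = {1: "default", 3: "Vlan3_trunked", 4: "Vlan4_trunked"}
    switches = [
        Switch("Sw1", "turnkey", "server", production_password, 19, dict(prod)),
        Switch("Sw2", "turnkey", "client", production_password, 19, dict(prod)),
        Switch("Sw3", "turnkey", "transparent", production_password, 0, dict(prod)),
    ]
    # Constructed values: the spare was edited many times in the lab.
    spare = Switch("Spare", "turnkey", "server", spare_password, 42,
                   {1: "default", 100: "VOICE"})
    adv = spare.advertise()
    outcome = {sw.name: sw.receive(adv) for sw in switches}
    surviving = {sw.name: sorted(sw.vlans) for sw in switches}
    return outcome, surviving


if __name__ == "__main__":
    for prod_pw, spare_pw in (("", ""), ("cisco", ""), ("cisco", "cisco")):
        print(repr(prod_pw), repr(spare_pw), introduce_spare(prod_pw, spare_pw))
```

The third case shows the limit of the password: it stops an accidental takeover only while the spare does not carry the same domain name and password.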
Ether-channel
Ether-channel allows a Cisco switch to bond together up to 8 Ethernet ports into a single
channel. An Ether-channel uses a single port for spanning-tree purposes. If a link in the
channel were to fail, then Ethernet frames would simply be forwarded across another port in
the channel without relearning the spanning-tree topology. In addition to failover and
redundancy, Ether-channels can be configured to provide load balancing across each port in
the channel.
Ether-channels spread the traffic load across the links in a channel by converting the binary
pattern of the frame’s source or destination MAC address or IP address into a numeric value
that selects a link. The selected mode, whether it is IP or MAC address, is applied to all
Ether-channels configured on the switch.
If you configured load balancing based on source MAC addresses, then different devices would
be distributed across the ports of the channel, per device, based on their source MAC address.
For example, the first device’s source MAC address would be forwarded on the first port of the
Ether-channel, while the second device would be forwarded out the second port of the
Ether-channel.
While source MAC address load balancing works well for equally distributing traffic across
Ether-channel ports because there are multiple PC devices (sources) going to various
destinations, destination MAC address load balancing works well with multiple servers or
gateways that are accessed by PCs. In other words, traffic destined to each server would use
a separate port in the Ether-channel.
If there is a mixture of end PC devices and servers, then source-and-destination MAC address
forwarding is the best method for load balancing. Of course, MAC address based load
balancing is intended for layer 2 Ether-channels. If we were configuring load balancing for layer
3 Ether-channels we would simply use source IP, destination IP, or source/destination load
balancing depending on the same scenarios as the MAC address load balancing.
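How the choice of load-balancing key changes the spread across member links, as an added Python example that is not part of the original workbook. The hash is an assumed simplification (the low-order 3 bits of the selected address, or of the XOR of both addresses, dealt round-robin to the links), and all MAC addresses are constructed.

```python
"""Toy model of EtherChannel link selection (added example; simplified hash)."""
from collections import Counter


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (0000.0c00.0001), colon or dash notation."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def pick_link(src: str, dst: str, method: str, links: int) -> int:
    """Return the member link (0-based) chosen for one frame."""
    s, d = mac_to_int(src), mac_to_int(dst)
    key = {"src-mac": s, "dst-mac": d, "src-dst-mac": s ^ d}[method]
    bucket = key & 0x7          # assumption: 8 buckets from the low-order 3 bits
    return bucket % links       # assumption: buckets dealt round-robin to links


def distribution(flows, method: str, links: int) -> list:
    """Count frames per member link for a list of (src, dst) MAC pairs."""
    counts = Counter(pick_link(s, d, method, links) for s, d in flows)
    return [counts[i] for i in range(links)]


# Constructed sample: 16 PCs behind an access switch, one gateway in the core.
GATEWAY = "0000.0c07.ac01"
CLIENTS = [f"0000.0c00.{i:04x}" for i in range(1, 17)]
UPSTREAM = [(c, GATEWAY) for c in CLIENTS]      # frames from the PCs to the gateway
DOWNSTREAM = [(GATEWAY, c) for c in CLIENTS]    # frames from the gateway to the PCs


def compare(links: int = 2) -> dict:
    """Frames per link for every direction and load-balancing method."""
    return {
        (direction, method): distribution(flows, method, links)
        for direction, flows in (("up", UPSTREAM), ("down", DOWNSTREAM))
        for method in ("src-mac", "dst-mac", "src-dst-mac")
    }


if __name__ == "__main__":
    for (direction, method), per_link in compare().items():
        print(f"{direction:<5}{method:<12}{per_link}")
```

With many sources and one destination, dst-mac pins every upstream frame to one link and src-mac does the same in the return direction; only src-dst-mac spreads both directions.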
Port Aggregation Protocol
Port Aggregation Protocol (PAgP) is a Cisco proprietary method of automatically creating
Ether-channel links. PAgP packets are sent between Ethernet ports in order to negotiate the
forming of Ethernet-channels. PAgP can not work properly on the following configurations:
• Dynamic VLANs.
• Different speeds or port duplex.
The PAgP modes are explained below.
1. on: PAgP will not run. The channel is forced to come up.
2. off: PAgP will not run. The channel is forced to remain down.
3. auto: PAgP is running passively. The formation of a channel is desired;
however, it is not initiated.
4. desirable: PAgP is running actively. The formation of a channel is desired and initiated.
Link Aggregation Control Protocol (LACP)
LACP is a standards based (IEEE 802.3ad) method for configuring Ether-channels. LACP
supports four modes of operation:
• On: Manual, without any LACP negotiation.
• Off: The link aggregation will not be formed.
• Passive: The switch does not initiate the channel but does understand inbound LACP
packets. The peer (in active state) initiates negotiation (when it sends out an LACP
packet) which we receive and answer, eventually to form the aggregation channel with
the peer.
• Active: The link aggregate will be formed if the other end runs in LACP active or
passive mode. This is similar to the desirable mode of PAgP.
As mentioned previously, both LACP and PAgP are used to dynamically provision Ethernet
ports as Ether-channels. If the Ether-channel is manually provisioned by using the mode “on”
keyword, then neither LACP nor PAgP is used. In any case, load balancing using source MAC
address, destination MAC address, source/destination MAC address or source, destination,
source/destination IP addressing can be used with all methods.
The following global configuration example displays the load balancing choices available to
Ether-channels:
The following is an example of a PAgP Layer 2 Ether-channel configuration:
Layer 2
switch(config)# interface range fastEthernet0/5 - 8
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport access vlan 100
switch(config-if-range)# channel-group 1 mode desirable
The following is an example of a LACP Layer 3 Ether-channel configuration:
Layer 3
switch(config)# int port-channel 1
switch(config-if)# no switchport
switch(config-if)# ip add 10.1.1.1 255.255.255.0
switch(config-if)# interface range fastEthernet 0/2 - 4
switch(config-if-range)# no switchport
switch(config-if-range)# channel-group 1 mode active
Spanning Tree
By default, the Cisco switch uses 802.1d Per VLAN spanning tree for each configured VLAN.
This flavor of Spanning tree is notoriously slow. Typically, 802.1d takes 50 seconds for ports
to complete the 5 states (Disabled, Blocking, Listening, Learning, and Forwarding) and to build
the tree to the root bridge. Because of this slowness, port fast is used to disable the listening
and learning states for ports with end stations connected and uplink fast is used for ports
connected between switches. Even with these improvements 802.1w Rapid Spanning Tree
(RSTP) is the configuration of choice for new deployments.
RSTP only has three port states (Discarding, Learning, and Forwarding) and is able to
converge within a few seconds. RSTP also includes two new port roles (Alternate port and
Backup port).
Now take a step back and allow us to drill down into 802.1d so we can further analyze the
improvements of 802.1w.
In all versions of Spanning Tree we need a root bridge for each VLAN. The following example
provides the available options for setting the Root:
switch(config)# spanning-tree vlan 2 root primary     (macro)
or
switch(config)# spanning-tree vlan 2 priority 4096
The bridge with the lower priority is preferred to become the ROOT.
The switch that is designated as ROOT only has designated ports to other connected switches.
The other switches (non-root) have root ports to the connections that are closest to the ROOT
switch, as well as designated ports connected to other switches with a longer path back to the
ROOT. Because spanning tree must produce a loop-free topology, path costs and port
priorities are used to determine which switch and port need to be blocked. For every VLAN
one port in a redundant path must be blocked.
Spanning tree calculates the longest path from ROOT and determines the switch to be
blocked. This behavior can be overridden by manipulating the path costs and additionally
changing port priorities to manipulate which port (linear) on the longest path is chosen to be
blocked. You will notice in this example the layer 2 path with a longer path cost of 30 is
chosen as the segment to block. By manually configuring a higher port priority on SW3, the
port on SW4 will be blocked.
Spanning Tree Diagram
RSTP must also designate a ROOT as well as calculate path costs and port priorities.
However, instead of optionally enabling uplink fast to reduce the time to fail over to redundant
uplinks, 802.1w has added Alternate and Backup ports. In the next example an additional
path was added between SW3 and SW4. This new uplink can forward frames, and if for some
reason it were to fail, the alternate and backup ports, which are blocking, would then
immediately start forwarding frames. This behavior is very similar to uplink fast in 802.1d.
RSTP Diagram
SPAN/RSPAN
The Switch Port Analyzer (SPAN) is used to monitor traffic from VLANs and/or Ethernet ports
on a switch. A very common application for this configuration is to connect a passive intrusion
detection system (IDS) or packet sniffing application. Ethereal is packet sniffing software that
can be downloaded from: http://www.ethereal.com/download.html. In addition to capturing
traffic from a connected switch, RSPAN can be used to capture traffic from a remote switch
connected to the destination (sniffing port) with a dot1q trunk.
The following example displays how to configure a remote span session:
Switch 1
switch1(config)# vlan 5
switch1(config-vlan)# name remote-span
switch1(config-vlan)# remote-span
switch1(config-vlan)# exit
switch1(config)# monitor session 1 source interface Fa0/1 both
switch1(config)# monitor session 1 destination remote vlan 5
Switch 2
switch2(config)# monitor session 1 source remote vlan 5
switch2(config)# monitor session 1 destination interface fastEthernet 0/12
Controlling Telnet Access
Telnet is controlled from the VTY lines. The following configuration does not require a
password to access the device with privilege 15 access rights but limits access to the VTY line
to only the protocol Telnet from only the 1.1.1.1 IP address.
line vty 0 4
 access-class 1 in
 exec-timeout 20 0
 privilege level 15
 no login
 transport input telnet
access-list 1 permit 1.1.1.1
To hide addresses while trying to establish a Telnet session from the router or switch, use the
service hide-telnet-addresses global command.
To prevent the router from sending information to an idle telnet session, use the service
telnet-zeroidle command. Data transfer is resumed if the logged in VTY user enters the resume
command for the idle session.
Normally telnet only sends one character at a time. The service nagle command can
improve performance by sending multiple characters in each telnet packet.
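A check a reviewer could run over saved configurations to find VTY stanzas like the one above, where the source-address ACL is the only control on a privilege 15 session carried over cleartext Telnet. This is an added Python example, not part of the original workbook; the hardened stanza (login local, transport input ssh) and the finding names are assumptions chosen for the comparison.

```python
"""Audit `line vty` stanzas of an IOS-style config (added example)."""
import re

# The configuration from this section, with IOS indentation.
PAGE_CONFIG = """\
access-list 1 permit 1.1.1.1
line vty 0 4
 access-class 1 in
 exec-timeout 20 0
 privilege level 15
 no login
 transport input telnet
"""

# Constructed comparison: same source restriction, but users authenticate
# against the local user database and only SSH is accepted.
HARDENED_CONFIG = """\
access-list 1 permit 1.1.1.1
line vty 0 4
 access-class 1 in
 exec-timeout 20 0
 login local
 transport input ssh
"""


def vty_stanzas(config: str) -> list:
    """Return [(header, [sub-commands])] for every `line vty` stanza."""
    stanzas, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            stanzas.append(current)
        elif current is not None and raw[:1] == " " and raw.strip():
            current[1].append(raw.strip())
        else:
            current = None          # any other top-level line ends the stanza
    return stanzas


def acl_lines(config: str, number: str) -> list:
    """Return the entries of a numbered standard/extended access list."""
    pattern = rf"^access-list {re.escape(number)} (.+)$"
    return [m.group(1).strip() for m in re.finditer(pattern, config, re.M)]


def audit_vty(config: str) -> list:
    """Return sorted (stanza, finding) tuples; an empty list means no findings."""
    findings = []
    for header, cmds in vty_stanzas(config):
        if "no login" in cmds:
            level15 = "privilege level 15" in cmds
            findings.append((header, "unauthenticated-privilege-15" if level15
                             else "unauthenticated-access"))
        transport = [c.split()[2:] for c in cmds
                     if c.startswith("transport input ")]
        if any("telnet" in t or "all" in t for t in transport):
            findings.append((header, "cleartext-telnet-allowed"))
        acls = [c.split()[1] for c in cmds
                if re.fullmatch(r"access-class \S+ in", c)]
        if not acls:
            findings.append((header, "no-inbound-access-class"))
        for acl in acls:
            entries = acl_lines(config, acl)
            if not entries:
                # An access-class that names a missing ACL filters nothing.
                findings.append((header, f"access-class-{acl}-undefined"))
            elif any(e.startswith("permit any") for e in entries):
                findings.append((header, f"access-class-{acl}-permits-any"))
    return sorted(findings)


if __name__ == "__main__":
    print(audit_vty(PAGE_CONFIG))
    print(audit_vty(HARDENED_CONFIG))
```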
Storm Control
This technique is used to prevent switch ports from being overloaded by broadcast, multicast, or
unicast traffic on a per port basis. Storm control creates a threshold so excessive traffic is
dropped until traffic drops below the threshold. The thresholds are set as a percentage of the
interface. For example, if the traffic is set to 100 it is always permitted and if it were set to 0.0
then that type of traffic is never permitted. The following example illustrates how different
thresholds are set for unicast, broadcast, and multicast traffic.
switch(config-if)# storm-control broadcast level 25
switch(config-if)# storm-control unicast level 25
switch(config-if)# storm-control multicast level 20
Blocking
Blocking prevents unicast or multicast from being flooded into the port when enabled. The default
behavior of a switch is to forward the packets with unknown destination MAC addresses to all its ports.
This might not always be desirable, especially in terms of security. If you configure a port block feature,
then depending on what type of traffic you specified, unicast or multicast packets are not forwarded
from one port to another.
switch(config-if-range)# switchport block ?
  multicast  Block unknown multicast addresses
  unicast    Block unknown unicast addresses
Protected Ports
Private VLANs will be discussed in Volume II. One thing to note about Private VLANs is that
they cannot co-exist with VTP version 2 or lower. A workaround for this limitation is to
configure a switch in Transparent VTP mode. If for some reason the switch must be a VTP
server, then protected ports can be used in a limited manner to provide a subset of the same
isolation.
A protected port feature is used in those environments where no traffic can be forwarded
between two ports on the same switch. This way, one neighbor connected to one port does
not see the traffic that is generated by another neighbor connected to the second port. The
blocking of traffic (unicast, broadcast, or multicast) only works when both ports are
protected. When a protected port is communicating with an unprotected port, the traffic is
forwarded in the usual manner. Once the ports are protected, traffic between them can only
be forwarded by a Layer 3 device.
Sw2(config)# int range f0/10 - 11
Sw2(config-if-range)# switchport protected
802.1X authentication
IEEE 802.1x is simply a standard for passing EAP over a wired or wireless LAN.
EAP (Extensible Authentication Protocol) traffic is used to authenticate wireless devices
using supplicants but also functions over wired media. The 802.1X authentication using EAP
allows for switch level port authentication.
In order to authenticate the actual devices and/or users to an external database, the switch is
required to use RADIUS. RADIUS is the only authentication method supported as of now.
The switch works as a proxy between the client and the RADIUS authentication server. The
switch encapsulates and de-encapsulates the EAP frames from the client into RADIUS packets.
Prior to authentication, the switch ports start in the unauthorized state. This state disallows
ingress and egress traffic except 802.1x packets. When a client gets authenticated, the port
transitions to the authorized state. If the client doesn’t support 802.1x the port stays in the
unauthorized state and no traffic is allowed on the switch.
The following states are supported by Cisco switches:
• Force-authorized: It bypasses the authentication state and all traffic is allowed.
• Force-Unauthorized: The port remains in the unauthorized state regardless of the client’s
attempts to get authenticated.
• Auto: Enables 802.1x authentication, the switch identifies the client by the MAC
address.
This example shows how to enable AAA and 802.1X on Fast Ethernet port 0/1:
switch(config)# aaa new-model
switch(config)# aaa authentication dot1x default group radius local
switch(config)# dot1x system-auth-control
switch(config)# interface fastethernet 0/1
switch(config-if)# dot1x port-control auto
switch(config-if)# end
switch# configure terminal
switch(config)# ip radius source-interface Vlan5
switch(config)# radius-server host 10.1.1.1
switch(config)# radius-server key cisco
switch(config)# end
Macros
Macros can be used to group common switch configurations together. Macros, along with the
interface-range command, help to reduce the amount of effort needed to deploy switches.
Here is a useful macro to be used in the switches for a ping script.
Sw1(config)# macro name PING
Enter macro commands one per line. End with the character '@'.
do ping 142.22.12.1
do ping 142.22.135.1
do ping 144.21.1.1
do ping 10.1.27.2
do ping 142.22.12.2
@
Sw1(config)# macro global apply PING
Switching LAB
Scenario
This is the first Lab in a series of Labs that will build on themselves.
There is no need for initial configurations because this first lab will construct the
Layer 2 topology to be used for all other labs in Volume I of this technology
workbook. Please save your configurations after each lab to avoid any rework when
progressing to other labs.
The point of this Lab is to build a new infrastructure for Turn-Key Inc. This company has hired
you to interconnect (4) branch locations and (2) data centers. In addition to the internal WAN
there are two separate connections, one each to two different ISPs. Turn-key has decided to
connect all internal sites with both frame relay and leased Ethernet. Many Layer 2 issues will
be encountered in Branch (1), which is a large campus site with many PC users. As the
integrator, Turn-key is depending on you to translate their tasks (requirements) into a fully
functional system. Each Lab will include several tasks that build towards a completed project.
The Turn-key network should be fully functional and tested after completion of all labs. The
majority of the Tasks will draw from the Technology section of this workbook and lectures.
However, some questions marked with “Bonus” may not have been covered in the lecture and
are meant to test your search skills on the Cisco web site.
Please refer to: http://www.cisco.com/univercd/home/home.htm. As the labs progress, less
and less support information is provided in the introduction section of the lab.
Topology
As previously mentioned, LAB 1 will build the Layer 2 infrastructure. At Branch 1 we will have
a mixed L2 and L3 environment. This is due to some devices needing to span VLANs across
the campus. In the IDF (Access Layer) some VLANs will be routed and others trunked to the
CORE.
In addition to the campus network at Branch (1) we will also build a VLAN between several of
the routers to imitate a Leased Ethernet service.
This topology is supported in CCBOOTCAMP’s rack rentals, but should also work in other
Rack Rental sites or a home lab with (4) 3560 switches and (8) routers. The next page
provides the physical Ethernet topology. As you progress to Lab 2 and others, the topology
will include Frame-relay and logical IP addressing and Routing information.
Physical Diagram
Switch: Tasks
Task 1 (Basic VLAN): Configure SW1 such that it provides the database for the VLANs in
the following table. All other switches should learn the VLANs from SW1. Use a control
mechanism to prevent new switches from accidentally controlling the VLAN database when
added into the network. Also add the appropriate hostnames and interface descriptions to all
devices based on the diagram.
VLAN   VLAN Name
2      Vlan2_rspan
3      Vlan3_trunked
4      Vlan4_trunked
5      Vlan5_sw1tosw2
6      Vlan6_sw1tor1
7      Vlan7_sw2tor1
8      Vlan8_sw1tosw3
9      Vlan9_sw3tosw4
10     Vlan10_Leased
11     Vlan11_sw2tosw4
Task 2 (Load Balance and Trunks): Vlan 3 and 4 should be trunked on a pair (2) of ports
between every switch. Ensure that this pair of ports is manually configured, not dynamic.
Both VLAN 3 and 4 have several clients in the IDF that connect to the CORE for a single
default gateway. Configure load balancing that would best distribute traffic across all layer 2
ports for Vlan 3 and 4. Vlans 3 and 4 are allowed on every Trunk, however Turn-key would
like to limit unneeded broadcast on the Trunks, as well as only allowing Vlan 3, 4, and the
interconnect VLAN on each trunk. The interconnect VLAN should have a SVI on the switch and
be configured to not be tagged on the trunk. For example, VLAN 9 is the interconnect VLAN
between sw3 and sw4.
Task 3 (Spanning Tree): Configure spanning tree such that Sw1 is the root for Vlan 3,8 and
Sw2 is the root for Vlan 4,11. Bonus: Ensure no other switch besides Sw1 or Sw2 will ever
be able to become root for these VLANs (3, 4, 8, and 11).
Manipulate STP so that ports F0/21, 22 (Po1) on sw3 are blocked for Vlan 3 and 4. In order
to reduce failover times, convert the STP configuration from 802.1d to 802.1w PVST.
Task 4 (Mac Addresses): Turn-key, Inc. desires to prevent unnecessary unicast traffic from
being flooded out switch ports. Configure the switch to best prevent flooding based on the
following table.
Mac Address      Switch    Vlan   Issue
1111.1111.1111   3 f0/11   3      Gratuitous ARP every 30 min
1112.1112.1112   4 f0/11   3      Never sends Gratuitous ARP
1234.1234.1234   All       4      Detected as rogue device and desire to not forward it.
For a server connected to Sw2 f0/16 we want to make sure no unknown unicasts are ever
flooded into this port.
Task 5 (Monitoring): Turn-key would like to connect a packet sniffer to F0/15 on sw3 to
analyze the VLAN10 traffic on R2. Configure a session to allow for these connections.
Task 6 (IP Addresses): Configure IP addresses based on the following table:
*Note, virtual IP addresses will be used later.
VLAN   VLAN Name         Device        IP
2      Vlan2_rspan
3      Vlan3_trunked     Sw1           10.3.3.1/24
                         Sw2           10.3.3.2/24
                         virtual       10.3.3.254/24
4      Vlan4_trunked     Sw1           10.4.4.1/24
                         Sw2           10.4.4.2/24
                         virtual       10.4.4.254/24
5      Vlan5_sw1tosw2    Sw1           10.5.5.1/30
                         Sw2           10.5.5.2/30
6      Vlan6_sw1tor1     Sw1           10.6.6.1/30
                         R1            10.6.6.2/30
7      Vlan7_sw2tor1     Sw2           10.7.7.1/30
                         R1            10.7.7.2/30
8      Vlan8_sw1tosw3    Sw1           10.8.8.1/30
                         Sw3           10.8.8.2/30
9      Vlan9_sw3tosw4    Sw3           10.9.9.1/30
                         Sw4           10.9.9.2/30
10     Vlan10_Leased     Sw1           192.168.10.1/24
                         R2            192.168.10.2/24
                         R3            192.168.10.3/24
                         R4            192.168.10.4/24
                         R5            192.168.10.5/24
                         R6            192.168.10.6/24
                         R9 AKA BB1    192.168.10.9/24
11     Vlan11_sw2tosw4   Sw2           10.11.11.2/30
                         Sw4           10.11.11.1/30
Task 7 (802.1x): Ensure sw3 F0/15 is authenticated with 802.1x. There is no Radius
available so create a local user/pass user/cisco and make it the fallback. For configuration
purposes, point your switch to the radius server at 192.168.2.101. If you are using
CCBOOTCAMP rack rental there is a Radius server connected to SW1 F0/24.
Task 8 (Telnet): On the devices at the Branch location restrict telnet access to only devices
from 10.0.0.0. Bonus: only allow telnet access from 8am to 5pm Monday through Friday and
log it. Configure the VTY lines such that only telnet and SSH are supported. On R1 configure
telnet so that multiple characters are transmitted in each telnet packet. If allowed from the
10.0.0.0 network users should have level 15 privileges without needing to log in.
Switch: Answers (Don’t peek)
Try to complete these labs with minimal looking at the answers. The completed answers will
be provided on a thumb drive.
Task 1 (Basic VLAN):
The VTP and Vlan information was supposed to be configured on SW1:
Sw1(config)#vtp domain turnkey
Sw1(config)#vtp mode server
Sw1(config)#vtp password cisco
Sw1(config)#vlan 2
Sw1(config-vlan)#name Vlan2_rspan (same for other Vlans)
The other switches (Sw2 through Sw4) were supposed to be VTP clients:
Swx(config)#vtp mode client
Swx(config)#vtp domain turnkey
Swx(config)#vtp password cisco
In order to prevent accidental VLAN changes we set the VTP password to cisco.
The names and interface descriptions should be based on the table.
For example:
interface Vlan5
description Vlan5_sw1tosw2
ip address 10.5.5.2 255.255.255.252
To test your configuration issue the following commands:
Sw1#sh vtp status
VTP Version                     : 2
Configuration Revision          : 19
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 23
VTP Operating Mode              : Server
VTP Domain Name                 : turnkey
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x3C 0x91 0x78 0x83 0x24 0x75 0xF4 0xB1
Configuration last modified by 0.0.0.0 at 3-1-93 02:03:42
Local updater ID is 10.5.5.1 on interface Vl5 (lowest numbered VLAN interface f
Sw1#vlan data
Sw1#vlan database
Sw1(vlan)#sh current
VLAN ISL Id: 1
Name: default
Media Type: Ethernet
VLAN 802.10 Id: 100001
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 2
Name: Vlan2_rspan
Media Type: Ethernet
VLAN 802.10 Id: 100002
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 3
Name: Vlan3_trunked
Media Type: Ethernet
VLAN 802.10 Id: 100003
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 4
Name: Vlan4_trunked
Media Type: Ethernet
VLAN 802.10 Id: 100004
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 5
Name: Vlan5_sw1tosw3
Media Type: Ethernet
VLAN 802.10 Id: 100005
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 6
Name: Vlan6_sw1tor1
Media Type: Ethernet
VLAN 802.10 Id: 100006
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 7
Name: Vlan7_sw2tor1
Media Type: Ethernet
VLAN 802.10 Id: 100007
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 8
Name: Vlan8_sw1tosw3
Media Type: Ethernet
VLAN 802.10 Id: 100008
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 9
Name: Vlan9_sw3tosw4
Media Type: Ethernet
VLAN 802.10 Id: 100009
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 10
Name: Vlan10_Leased
Media Type: Ethernet
VLAN 802.10 Id: 100010
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
VLAN ISL Id: 11
Name: Vlan11_sw2tosw4
Media Type: Ethernet
VLAN 802.10 Id: 100011
State: Operational
MTU: 1500
Backup CRF Mode: Disabled
Remote SPAN VLAN: No
Task 2 (Load Balance and Trunks): In this task we were supposed to configure manual
Ether-channels and trunks from the redundant inter-switch connections, as specified on the
following lab diagram.
Sw1:
port-channel load-balance src-dst-mac
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 2-5
switchport mode trunk
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk native vlan 8
switchport trunk allowed vlan 2-4,8
switchport mode trunk
!
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 2-5
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 2-5
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet0/21
switchport trunk encapsulation dot1q
switchport trunk native vlan 8
switchport trunk allowed vlan 2-4,8
switchport mode trunk
channel-group 2 mode on
!
interface FastEthernet0/22
switchport trunk encapsulation dot1q
switchport trunk native vlan 8
switchport trunk allowed vlan 2-4,8
switchport mode trunk
channel-group 2 mode on
interface Vlan1
no ip address
shutdown
!
interface Vlan3
description Vlan3_trunked
ip address 10.3.3.1 255.255.255.0
!
interface Vlan4
description Vlan4_trunked
ip address 10.4.4.1 255.255.255.0
!
interface Vlan5
description Vlan5_sw1tosw2
ip address 10.5.5.1 255.255.255.252
!
interface Vlan8
description Vlan8_sw1tosw3
ip address 10.8.8.1 255.255.255.252
For the load balancing, we needed source Mac-address LB closest to the PC devices so that
each device would be load balanced based on source Mac addresses to equally use each port
in the Ether-channel.
On Sw3 and Sw4:
port-channel load-balance src-mac
The other two switches Sw1 and Sw2 need src-dst-mac because they will be the default
gateways for these devices.
Task 3 (Spanning Tree): The following configurations were needed on the following devices
in order to set the ROOT and Blocked ports per Task 3 specifications:
Sw1:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,3,8 priority 0
Sw2:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 4,11 priority 0
Sw3:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk native vlan 9
switchport trunk allowed vlan 2-4,9
switchport mode trunk
spanning-tree vlan 3 cost 200000000
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk native vlan 8
switchport trunk allowed vlan 2-4,8
switchport mode trunk
Sw4:
spanning-tree mode rapid-pvst
spanning-tree extend system-id
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk native vlan 9
switchport trunk allowed vlan 2-4,9
switchport mode trunk
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk native vlan 11
switchport trunk allowed vlan 2-4,11
switchport mode trunk
To configure the bonus, root guard was needed on Sw3:
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport trunk native vlan 9
switchport trunk allowed vlan 2-4,9
switchport mode trunk
channel-group 1 mode on
spanning-tree guard root
!
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 9
switchport trunk allowed vlan 2-4,9
switchport mode trunk
channel-group 1 mode on
spanning-tree guard root
Task 4 (Mac Addresses): In the first part of this task we are changing the Mac aging timer
to be in synch with how often the server sends gratuitous ARPs.
Sw3:
mac-address-table aging-time 1800 vlan 3
In the next section we must configure a static Mac-address for a device that is unable to send
gratuitous ARPs.
Sw4:
mac-address-table static 1112.1112.1112 vlan 3 interface FastEthernet0/11
The next requirement was to block a Mac-address from all switches:
mac-address-table static 1234.1234.1234 vlan 4 drop
The last requirement was to make sure that unicast traffic going to MAC address destinations
not known in the CAM table was not flooded into Sw2 port f0/16:
interface FastEthernet0/16
switchport block unicast
Task5 (Monitoring): The following configuration would setup a monitoring session on sw3 to
sniff traffic to/from R2 vlan 10
Sw3:
monitor session 1 destination interface Fa0/15
monitor session 1 source remote vlan 2
Sw1:
monitor session 1 source interface Fa0/2
monitor session 1 destination remote vlan 2
Task6 (IP Addresses): Configure IP addresses per specifications.
Task7 (802.1x):
Sw3:
username user password 0 cisco
aaa new-model
aaa authentication dot1x default group radius local
dot1x system-auth-control
int f0/24
switchport access vlan 3
switchport mode access
dot1x pae authenticator
dot1x port-control auto
!
radius-server host 192.168.2.101 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco
Task8 (Telnet): The first part of the Task asks us to restrict telnet or SSH access to 10.0.0.0
and give those administrators privilege level 15 when they log into the devices. In order to
configure the bonus this access must be restricted to Mon-Friday between 9am and 5pm.
The following configuration on each device would satisfy the above requirements:
ip access-list extended telnet
permit ip 10.0.0.0 0.255.255.255 any log time-range weekdays
time-range weekdays
periodic weekdays 8:00 to 17:00
line vty 0 4
access-class telnet in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class telnet in
privilege level 15
transport input telnet ssh
On R1 configure telnet so that multiple characters are transmitted in each telnet packet.
R1:
service nagle
Day 1
Frame Relay
Basic Facts

• Frame Relay is a Layer 2 protocol.
• Serial interfaces use DB-60 connectors.
• Connection-oriented to transport data between a DTE device and a Frame Relay
switch.
• Simple error checking is provided by appending a Frame Check Sequence (FCS) to
each frame (similar to a CRC).
• No error correction (error checking, but no correction; that is left to the host).
• Frame Relay uses HDLC, PPP, or ISDN/LAPD encapsulations.
• Maximum speed of Frame is 45 Mbps.
Data Link Connection Identifier (DLCI)
DLCIs are assigned by the Frame Relay circuit provider, and have local significance only.
They provide an identifier for the connection between the router at your site and the big
Frame Relay switch at the provider. There is often confusion about this, so to make it clear:
the DLCI is used only between your site and the provider’s point-of-presence; it has no
significance beyond that.
DLCI states are:

• Deleted: No LMI signal is being received from switch, or no service is available
from switch.
• Active: Lines are up; connections are active. Routers are exchanging data.
• Inactive: Frame relay switch to local connection is working. The remote routers’
connection to the frame switch is not working.
Local Management Interface (LMI)
LMI provides the control protocol for PVC setup and management. There are three types
available: Cisco, ANSI and q.933a (default is Cisco). The service provider will specify the LMI
in use. LMI messages act as keepalives and verify the data flow. The LMI type must be identical
between the local device (router) and the local Frame Relay switch; it does not have to be
identical for the end devices.
Encapsulation
The encapsulation choices are Cisco and IETF, with Cisco being the default. This designation
can be made through DLCI. The encapsulation type must be identical at both end devices. If
Cisco devices are used across the entire network, Cisco encapsulation will likely be the
encapsulation type; however, since the Cisco encapsulation type is proprietary, if another
manufacturer’s devices are used at the Frame Relay endpoints, then IETF encapsulation type
will be required. Remember, encapsulation can be set per interface or per destination.
Split Horizon and Frame Relay Interfaces
Split horizon dictates that if a router has received a route advertisement from another router,
it will not re-advertise it back out the interface on which it was learned. The default condition
for Frame Relay interfaces is:

• Physical interfaces: split-horizon is disabled by default
• Multipoint sub interfaces: split-horizon is enabled by default
• Point-to-point sub interfaces: split-horizon is enabled by default
Inverse-ARP
Inverse ARP, when enabled, is used to automatically map frame-relay DLCIs, which are
configured in the frame-relay switch, to IP addresses configured on the remote routers. You
may be requested to disable frame-relay inverse ARP on your physical or point-to-multipoint
sub interface; if so, you can use frame-relay map statements after you disable
inverse-ARP. Secondly, it is best practice to make these changes while the interfaces are shut
to avoid rebooting the router later.
Inverse-ARP is not recommended for frame-relay hub-and-spoke topologies because it could
take inverse-ARP up to 60 seconds to converge from a site failure. In a MESH topology this
shortcoming has less impact because every site has an alternate DLCI to every site, but
in hub-and-spoke the spokes must always communicate via the hub.
Mesh
A full mesh requires DLCIs to interconnect PVCs between each router. Total PVCs=2k(k-1)
where k=router. Each router would be configured on a common IP subnet.
With inverse-ARP turned on at the Physical circuit or sub-interface point-to-multipoint level,
no MAP entry is required. However, with inverse-ARP turned off the MAP entries are required.
In fact, a MAP entry pointing a router's own interface IP at one of the DLCIs is required for
a router to even ping itself.
To satisfy the requirement that the destination IP address be in the routing table, there
must be a frame-relay map for the destination IP address. The destination IP address can be
any IP address including yours (you need a map statement to ping your own interface).
For the Multipoint sub interface option, each MAP statement adds a /32 connected interface.
And finally, whenever MAP statements are required, the optional broadcast keyword must be
added to the end of the statement if required for routing protocols or other multicast
functionality to work over the frame relay.
Hub and spoke
Again with Hub-and-spoke, the Routers are configured on a common IP subnet and we have
some differences in configuration depending on if inverse-ARP is enabled.
A hub-and-spoke with inverse-ARP needs to have MAP statements on the hub to avoid
issues with extra DLCIs configured on the frame relay switch. In other words, these frame
relay switches in rack rentals typically have DLCIs pre-configured between each device
(Mesh) and you would need to override this configuration, otherwise you would have a
MESH. The same issue with needing MAPs exists with the spokes too. If this hub-and-spoke
configuration were provisioned on a carrier’s network the spokes would not need to have MAP
entries because the provider would only configure the needed DLCI back to the Hub site.
With Inverse-ARP off, which is the recommended configuration, all routers will have MAP
statements from Hub to all spokes and from spokes to hub. Depending on the neighbor
requirements of the routing protocol we may find ourselves later adding map statements
between spokes or needing to enable the broadcast keyword.
Point-to-point
In this configuration each P2P sub-interface frame relay connection is on a unique subnet
and we must use the frame relay interface-dlci instead of the MAP statement. It doesn’t
matter if inverse-ARP is enabled because P2P will connect to whatever is on the other side of
the PVC, similar to PPP. However, P2P frame relay will listen and respond to inverse-ARP
because it is possible to have a Physical interface on one end with inverse-ARP enabled and a
P2P sub-interface on the other end.
Combination
Any combination of P2P or Multipoint (Partial MESH) can be configured with multiple subnets
and proper Mapping of DLCIs.
#Note, Frame Relay traffic shaping and other QoS related issues will be discussed in Volume
II.
Frame Relay LAB
Scenario
Turn-Key Inc. has purchased frame relay service from a provider. You must configure each
router to connect to the proper DLCI and interface as outlined in the following Lab 2 tasks and
from the following diagram that displays the DLCI numbers that correspond to
CCBOOTCAMP’s R&S rack rentals. If you are using home equipment or another Rack rental
you can simply use different interfaces and DLCIs but try to model this topology as close as
possible. Turn-key is using a combination of Leased Ethernet and Frame Relay to interconnect
all of their sites.
Frame Relay DLCI/PVC and IP addressing (diagram not reproduced)
Frame: Tasks
Task 1 (Mesh): Configure a mesh between R1, R2, and R3. Configure Physical or Multipoint
Sub interfaces based on the above diagram. The diagram contains the subnets for each
frame-relay connection. Simply use the router’s ID for the host octet, with the exception of
BB1 which is (.9). Inverse ARP is allowed for this MESH only on R1, so configure the
frame-relay mappings to be dynamic only on R1 but do not allow DLCIs that are not part of this
MESH connection to be active on R1. Also add descriptions to the interfaces.
Task 2 (Hub and Spoke): Configure a hub and spoke between R3, R5, and R6. R3 is on a
sub interface and R5 and 6 are on physical interfaces. No inverse-ARP is allowed at all
between these routers. Configure the IP addresses from the above diagram using the router
ID as the host octet. Also add descriptions to the interfaces.
Task 3 (Point-to-Points): Configure P2P frame relay connections between the various
routers as per the above diagram. Configure the IP addresses from the above diagram using
the router ID as the host octet. Also add descriptions to the interfaces.
Task 4 (PPP): Configure a PPP connection between R7 and R8. We did not include the basic
configuration explanation for this in the technology section so you are tasked with using the
univerCD at http://www.cisco.com/univercd/home/home.htm and search the 12.4
configuration or command references for PPP examples. (Bonus): configure 2 way
authentications between these two routers but allow R7 to send the username ISP1 instead of
R7. Also add descriptions to the interfaces.
Frame: Answers
Task 1 (Mesh): Remember to keep your interfaces shut until you have configured all of your
frame relay on each interface or sub interface. Sometimes clear frame-relay inarp helps but
usually you will have to either reboot or default interface to fix frame relay issues. These
simple problems can cost you time in the real Lab. Make sure to test each connection with
ping as you no shut the interfaces.
R1:
interface Serial0/0/0
description MESH_to_R2_R3
ip address 172.16.1.1 255.255.255.0
encapsulation frame-relay
no frame-relay inverse-arp IP 104
no frame-relay inverse-arp IP 105
no frame-relay inverse-arp IP 106
no frame-relay inverse-arp IP 107
no frame-relay inverse-arp IP 108
no frame-relay inverse-arp IP 109
no frame-relay inverse-arp IP 110
frame-relay lmi-type ansi
R2:
interface Serial0/0/0
no ip address
encapsulation frame-relay
interface Serial0/0/0.1 multipoint
description MESH_to_R1_R3
ip address 172.16.1.2 255.255.255.0
frame-relay map ip 172.16.1.3 203 broadcast
frame-relay map ip 172.16.1.1 201 broadcast
no frame-relay inverse-arp
R3:
interface Serial0/0/0
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 multipoint
description MESH_to_R1_R2
ip address 172.16.1.3 255.255.255.0
frame-relay map ip 172.16.1.1 301 broadcast
frame-relay map ip 172.16.1.2 302 broadcast
no frame-relay inverse-arp
R1#sh frame-relay map
Serial0/0/0 (up): ip 172.16.1.3 dlci 103(0x67,0x1870), dynamic,
broadcast,
CISCO, status defined, active
Serial0/0/0 (up): ip 172.16.1.2 dlci 102(0x66,0x1860), dynamic,
broadcast,
CISCO, status defined, active
R1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
R1#ping 172.16.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.16.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
R1#
Task 2 (Hub and Spoke): This one simply needs the proper MAP statements.
R3:
interface Serial0/0/0.2 multipoint
description Hub-and-spoke-R5-R6
ip address 172.16.3.3 255.255.255.0
frame-relay map ip 172.16.3.5 305 broadcast
frame-relay map ip 172.16.3.6 306 broadcast
frame-relay map ip 172.16.3.3 305
no frame-relay inverse-arp
R5:
interface Serial0/0/0
description Hub-and-spoke-to-R3-R6
ip address 172.16.3.5 255.255.255.0
encapsulation frame-relay
frame-relay map ip 172.16.3.3 503 broadcast
frame-relay map ip 172.16.3.5 503
frame-relay map ip 172.16.3.6 503 broadcast
no frame-relay inverse-arp
frame-relay lmi-type ansi
R6:
interface Serial0/0/0
description Hub-and-spoke-to-R3-R5
ip address 172.16.3.6 255.255.255.0
encapsulation frame-relay
frame-relay map ip 172.16.3.3 603 broadcast
frame-relay map ip 172.16.3.5 603 broadcast
(This is configured to assist in the Rip section
later)
frame-relay map ip 172.16.3.6 603
no frame-relay inverse-arp
frame-relay lmi-type ansi
Task 3 (Point-to-Points):
BB1:
interface Serial0/0/0.1 point-to-point
description P2P-to-R2
ip address 172.16.2.9 255.255.255.0
frame-relay interface-dlci 902
R7:
interface Serial0/0/0.1 point-to-point
description P2P-to-R2
ip address 172.16.5.7 255.255.255.0
frame-relay interface-dlci 702
R8:
interface Serial0/0/0.1 point-to-point
description P2P-to-R3
ip address 172.16.6.8 255.255.255.0
frame-relay interface-dlci 803
Configure the opposite on R2 or R3 to connect to the P2P FR connections.
Task 4 (PPP): Configure a PPP connection and then enable Chap authentication with
Username user password cisco.
R7:
username R8 password 0 cisco
interface Serial0/0/1
description PPP-to-R8
ip address 172.16.4.7 255.255.255.0
encapsulation ppp
clock rate 2000000
ppp authentication chap
ppp chap hostname user
ppp chap password 0 cisco
R8:
username user password 0 cisco
interface Serial0/0/1
description PPP-to-R7
ip address 172.16.4.8 255.255.255.0
encapsulation ppp
ppp authentication chap
Day 1
RIPv2
There are two versions of RIP, versions 1 and 2, both of which are Distance Vector routing
protocols. RIPv1 (version 1) is classful and must use Fixed Length Subnet Masks (FLSM);
RIPv2 adds additional features such as classless routing, variable length subnet masks (VLSM),
and authentication. Both versions use hop count as their only metric and are limited to 15 hops.
A hop is simply a single pass through a router. By default, RIP routers send their entire routing
table out every interface every 30 seconds.
Both versions of RIP operate on UDP port 520. However, RIPv1 uses a broadcast and RIPv2
uses the multicast address 224.0.0.9. A metric of 1 signifies a network directly connected to
the advertising router, and 16 signifies an unreachable network. The timers for update, invalid,
holddown, and flush can be manually configured. For the purposes of this workbook and for Lab
preparation we will focus on RIPv2.
Updates
Ripv2 is able to send a mask in the updates that are sent out every 30 seconds so we can use
VLSM. If needed the update time can be changed:
For example:
R8(config-router)#timers basic 20
This changes the update interval from 30 to 20 seconds. Keep in mind you will need to
change it on the other connected neighbors.
We can go a step further and set the invalid, hold down, and flush timers:
R8(config-router)#timers basic 20 40 60 120
Tags can also be used in RIPv2 for redistribution.
It is still possible to send or receive RIPv1 updates when configured for RIPv2, from the
interface level:
R8(config-if)#ip rip send version 1
R8(config-if)#ip rip receive version 1
The update timer can be set for just one connected neighbor at the interface level:
R8(config-if)#ip rip advertise 20
And lastly, a RIPv2 router can broadcast instead of multicast from an interface using the
following command:
R8(config-if)#ip rip v2-broadcast
Neighbors
Connected neighbors simply need RIPv2 enabled globally and a connected network entry and
they are ready to exchange updates. Secondly, no auto-summary needs to be configured if
classless summaries are required.
router rip
network 172.16.0.0
no auto-summary
If it is desired to not send updates to interfaces without connected neighbors, then the passive
interface command can be used. There are two different approaches to using this
configuration. The first is to use the <passive-interface default> and then specify which
interfaces will allow the updates:
Router rip
passive-interface default
no passive-interface FastEthernet0/0
The second choice is to just do a passive-interface command to the specific interfaces that
you desire to disable the updates:
Router rip
passive-interface f0/0
There are times when broadcast or multicast updates are permitted or limited because of the
frame-relay map statements. In these cases, the passive interface commands can be used to
suppress the broadcast/multicast, in combination with the neighbor command to send a
unicast update to the neighbor's IP address:
Router rip
neighbor 172.16.6.3
And lastly, it is possible to send updates to a neighbor that is not physically connected. Two
scenarios come to mind: neighbors over PPP with non-connected and different subnets, or a
RSPAN session. The former is an advanced topic so we will leave it for Volume II, but the
latter is something we can configure with our current bag of tricks. In order to receive RIPv2
updates over a RSPAN session we need to configure:
Router rip
no validate-update-source
This command turns off the check that an update's source address is on a directly connected
subnet, so the RIP router doesn’t care who is sending the update.
Loop Protection
The split horizon rule reduces the incidence of routing loops. Split horizon prevents two-node
loops between neighbors (tight loops) by not advertising the routes on the same interface
from which they were learned. Split horizon also eliminates unnecessary updates.
Split horizon with the addition of poison reverse allows the routing protocol to advertise all
routes out an interface, but those learned from earlier updates coming into that interface are
marked with infinite distance metrics. Poison reverse guards against loops spanning multiple
RIP routers.
Unfortunately, there are some issues with Split Horizon in a Hub and Spoke Network.
In a hub and spoke network, routes from remote frame relay sites will not be sent to other
remote locations because of the split horizon enabled by default on the sub interfaces. It is
possible to disable split horizon but then we lose the loop protection. Disabling Split Horizon
will ensure full connectivity between all locations in a hub and spoke topology using RIPv2.
Split horizon can be turned off on a sub-interface on the hub without impacting the other
sub-interfaces. If split horizon is enabled, neither auto-summary nor interface summary
addresses (those configured with the ip summary-address rip command) are advertised. If
summary addresses or a hub router are required, then disable split horizon and use filtering or
discard routes (null) for preventing loops.
Filtering
RIP can filter routes by using a distribute list. A distribute list is used to filter the contents of
inbound or outbound routing protocol updates. Standard IP access lists are used to define a
list against which the contents of the routing updates are matched. Remember that the
access list is applied to the contents of the update, not to the source or destination of the
routing update packets themselves.
The distribute-list command is entered at the global or router configuration levels, and there
is an option to apply the list to specific interfaces. For any given routing protocol, it is possible
to define one interface-specific distribute-list per interface, and one protocol-specific
distribute-list for each process/autonomous-system pair.
Here is an example:
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 172.16.3.0 0.0.0.255
router rip
distribute-list 1 in ethernet 0
distribute-list 2 out
Because distribute-list can use access-list we can have some very complex filtering using
binary. The following example is filtering only the odd prefixes using an access-list based
prefix list:
Allow only odd routes from 1.1.0.0 from R1 to other routers.
Network 1.1.1.0      0.0.254.255
My network = 0       My mask = 1
Binary Octet   128  64  32  16   8   4   2   1
1.1.1.0          0   0   0   0   0   0   0   1
1.1.3.0          0   0   0   0   0   0   1   1
1.1.5.0          0   0   0   0   0   1   0   1
Mask       11111111.11111111.11111110.00000000
Network    00000001.00000001.00000001.00000000
First host 00000001.00000001.00000001.00000000
2nd host   00000001.00000001.00000011.00000000
The 254 in the inverse mask translates to 11111110 which tells the ACL to not care about
anything in that octet except the least significant bit. In this case that position is 1 in the third
octet. Only Odd numbers have a 1 in that bit placement. Thus, we have a match for every
odd network.
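The odd-network match described above, worked through in code as an added example (not part of the original workbook). It also goes one step further and derives the tightest single base/wildcard pair for a given set of networks, which shows how such an entry can match more than intended. Function names and the advertised route list are constructed for illustration.

```python
"""How a standard ACL's wildcard mask selects routes in a distribute-list.
Added example; ADVERTISED is constructed sample data."""
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_match(network, base, wildcard):
    """True when every 'care' bit (wildcard bit 0) of network equals base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(network) & care) == (to_int(base) & care)


def bit_pattern(base, wildcard):
    """Render the entry bit by bit: 'x' = don't care, 0/1 = required value."""
    b, w = to_int(base), to_int(wildcard)
    bits = "".join(
        "x" if (w >> i) & 1 else str((b >> i) & 1) for i in range(31, -1, -1)
    )
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def derive_entry(networks):
    """Tightest single base/wildcard pair that matches all given networks.

    Any bit in which two of the networks differ must become 'don't care'.
    """
    values = [to_int(n) for n in networks]
    wildcard = 0
    for value in values[1:]:
        wildcard |= values[0] ^ value
    base = values[0] & ~wildcard & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


def filter_update(networks, base, wildcard):
    """Networks from a routing update that a 'permit base wildcard' lets through."""
    return [n for n in networks if acl_match(n, base, wildcard)]


# Constructed sample: networks 1.1.0.0 through 1.1.9.0 advertised by R1.
ADVERTISED = [f"1.1.{i}.0" for i in range(10)]

if __name__ == "__main__":
    # The workbook's entry: only the low bit of the third octet is checked.
    print(bit_pattern("1.1.1.0", "0.0.254.255"))
    print(filter_update(ADVERTISED, "1.1.1.0", "0.0.254.255"))

    # Tightest entry for just 1.1.1.0, 1.1.3.0 and 1.1.5.0: it still lets
    # 1.1.7.0 through, because bits 2 and 1 both had to become wildcards.
    base, wildcard = derive_entry(["1.1.1.0", "1.1.3.0", "1.1.5.0"])
    print(base, wildcard, filter_update(ADVERTISED, base, wildcard))
```

Before applying a derived entry in a distribute-list, run the full set of advertised networks through it; any unexpected match needs an explicit deny line ahead of the permit.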
Summary
In RIPv2 summaries are applied to an interface. You can still use auto summary but it will
only summarize to the classful boundary; the summary-address command allows for classless
summarization:
r1lab(config-if)# ip summary-address rip 10.20.0.0 255.255.255.0
In order for summaries to work split horizon must be disabled on the interface. However, the
interface summary does not insert a NULL0 entry into the routing table so beware of routing
loops.
Authentication
RIPv2 uses a key chain on the interface to protect updates with clear text or MD5.
r1lab(config)# interface s0
r1lab(config-if)# ip rip authentication key-chain cisco
r1lab(config-if)# ip rip authentication mode <md5,text>
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string cisco
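What the two authentication modes look like inside a RIPv2 update, as an added Python example (not from the workbook): it classifies constructed packets as unauthenticated, clear text (RFC 2453 authentication type 2) or keyed MD5 (RFC 2082 type 3), the kind of check used to audit a capture for links that still send the key in the clear. The packets, key ID, sequence number and function names are constructed.

```python
import struct

AUTH_AFI = 0xFFFF          # address-family value that marks an authentication entry
AUTH_SIMPLE_PASSWORD = 2   # "mode text": the key string travels in the packet
AUTH_KEYED_MD5 = 3         # "mode md5": key ID and sequence number, digest in a trailer


def classify_rip_auth(packet):
    """Report how a RIP update is authenticated, based on its first entry."""
    if len(packet) < 4:
        raise ValueError("truncated RIP header")
    _command, version, _zero = struct.unpack("!BBH", packet[:4])
    result = {"version": version, "mode": "none"}
    if version != 2 or len(packet) < 24:
        return result                      # RIPv1 or no entries: nothing to inspect
    afi, auth_type = struct.unpack("!HH", packet[4:8])
    if afi != AUTH_AFI:
        return result                      # first entry is an ordinary route
    if auth_type == AUTH_SIMPLE_PASSWORD:
        key = packet[8:24].rstrip(b"\x00")
        result.update(mode="text", cleartext_key=key.decode("ascii", "replace"))
    elif auth_type == AUTH_KEYED_MD5:
        _length, key_id, _auth_len, sequence = struct.unpack("!HBBI", packet[8:16])
        result.update(mode="md5", key_id=key_id, sequence=sequence)
    else:
        result["mode"] = "unknown"
    return result


def needs_attention(packet):
    """True for any update that is not protected by keyed MD5."""
    return classify_rip_auth(packet)["mode"] != "md5"


# --- constructed sample packets (not captured traffic) ---
HEADER = struct.pack("!BBH", 2, 2, 0)                     # response, version 2
ROUTE = struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 3, 3, 0]),
                    bytes([255, 255, 255, 0]), bytes(4), 1)
TEXT_ENTRY = struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE_PASSWORD, b"cisco")
MD5_ENTRY = struct.pack("!HHHBBI8s", AUTH_AFI, AUTH_KEYED_MD5,
                        44, 1, 16, 7, bytes(8))           # length, key 1, seq 7
MD5_TRAILER = struct.pack("!HH16s", AUTH_AFI, 1, bytes(16))  # placeholder digest

UNAUTHENTICATED = HEADER + ROUTE
CLEAR_TEXT = HEADER + TEXT_ENTRY + ROUTE
KEYED_MD5 = HEADER + MD5_ENTRY + ROUTE + MD5_TRAILER

if __name__ == "__main__":
    for name, pkt in [("none", UNAUTHENTICATED), ("text", CLEAR_TEXT),
                      ("md5", KEYED_MD5)]:
        print(name, classify_rip_auth(pkt), "flag:", needs_attention(pkt))
```

In text mode the key-string is readable by anyone who can see the update, while in MD5 mode only the key ID, a sequence number and a digest are sent.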
Default Routes
Default routes can be advertised in RIPv2 in the following ways:
• Redistribute static <ip route 0.0.0.0 0.0.0.0 null0 permanent>
• default-information originate
• <ip default-network 1.0.0.0>
RIPv2 LAB
Scenario
So far, we have set up the basic campus network at Turn-Key Inc’s branch office as well as
the leased Ethernet and Frame Relay WAN connections between the sites. Normally in a
project similar in scope, we would not configure any of the network management or security
features until after we have tested the network stability and performance. In most network
deployments it is also a good idea to enable an easy-to-configure routing protocol so we can
test the infrastructure. In this scenario we will use basic RIP and a few tweaks to test
connectivity. Afterwards, we can enable more complex features and optimize the routing with
other protocols.
RIP: Tasks
Task 1 (Basic RIPv2): Configure every router with RIPv2, including the ISP routers R7 and
R8. Put the existing connected networks into RIPv2 on each router. Use a single network
statement to configure this. After all routers are configured for RIPv2, make any necessary
adjustments for sites having difficulty exchanging updates. Now that basic RIPv2 is
configured, from R1 ping every IP address configured so far to validate and troubleshoot any
connectivity issues. (Hint) Create a TCL script to make the ping testing easier moving
forward. It is OK that R1 cannot ping its own S0/0/0 interface (172.16.1.1).
Task 2 (Route Optimization):
Turn-key would like us to prove that we can utilize the Leased Ethernet to reach the Branch
campus from the ISP and vice versa before they allow us to move forward with implementing
other routing protocols. Test Trace routes to the Branch site IP addresses to ensure traffic
flows in/out of Vlan10 (192.168.10.0).
Task 3 (Authentication):
The connections to/from the ISP are not trusted by Turn-key and the customer desires some
security for the routing protocols between R2-R7 and R3-R8. Use the most secure method
with cisco as the password.
Task 4 (Hub-and-Spoke): Turn-key would like to not have broadcast or multicast from the
routing protocols on this WAN segment between R3-R5-R6.
Task 5 (Filtering): Only allow even networks to be learned in RIP from R7 to R2 and only
allow odd networks to be learned from R8 to R3. Because R7 and R8 have a PPP connection
between each other, you may need some additional filtering to prevent the routes from
passing through the other router. Configure the following loopback and IP addresses on R7
and R8:
R7:
Int lo0
Ip address 130.0.1.1 255.255.255.0
Ip address 130.0.2.1 255.255.255.0 secondary
Ip address 130.0.3.1 255.255.255.0 secondary
Ip address 130.0.4.1 255.255.255.0 secondary
Ip address 130.0.5.1 255.255.255.0 secondary
Ip address 130.0.6.1 255.255.255.0 secondary
R8:
Int lo0
Ip address 131.0.1.1 255.255.255.0
Ip address 131.0.2.1 255.255.255.0 secondary
Ip address 131.0.3.1 255.255.255.0 secondary
Ip address 131.0.4.1 255.255.255.0 secondary
Ip address 131.0.5.1 255.255.255.0 secondary
Ip address 131.0.6.1 255.255.255.0 secondary
(Bonus) On the same connections to/from R7/R2 R8/R3 configure RIP so that only updates
are sent when route changes occur and not every 30 seconds.
RIP: Answers
Task 1 (Basic RIPv2):
To use the least amount of Network statements, on every router configure:
router rip
version 2
network 0.0.0.0
no auto-summary
On the switches we would configure 10.0.0.0 because SVI interfaces (Vlan) do not configure
under 0.0.0.0:
router rip
version 2
network 10.0.0.0
no auto-summary
SW1: also needs 192.168.10.0 for neighbors on the Leased Ethernet Vlan 10
To make sure updates are learned from both R5 and R6 disable split horizon on R3 s0/0/0.2
R3:
interface Serial0/0/0.2 multipoint
description Hub-and-spoke-R5-R6
ip address 172.16.3.3 255.255.255.0
no ip split-horizon
frame-relay map ip 172.16.3.3 305
frame-relay map ip 172.16.3.5 305 broadcast
frame-relay map ip 172.16.3.6 306 broadcast
no frame-relay inverse-arp
To test all the IP address connectivity from R1 use the following TCL script:
tclsh
foreach address {
10.3.3.1
10.3.3.2
10.4.4.1
10.4.4.2
10.5.5.1
10.5.5.2
10.6.6.1
10.6.6.2
10.7.7.1
10.7.7.2
10.8.8.1
10.8.8.2
10.9.9.1
10.9.9.2
192.168.10.1
192.168.10.2
192.168.10.3
192.168.10.5
192.168.10.6
192.168.10.9
172.16.1.2
172.16.1.3
172.16.2.2
172.16.2.9
172.16.3.3
172.16.3.5
172.16.3.6
172.16.5.2
172.16.5.7
172.16.6.3
172.16.6.8
} {ping $address}
Task 2 (Route Optimization):
On R1, R2, R3, R5, and R6 an offset list can be used to manipulate the RIP routing.
R1:
router rip
version 2
offset-list rip in 3 Serial0/0/0
network 0.0.0.0
no auto-summary
ip access-list standard rip
permit 192.168.10.0
permit 172.16.0.0 0.0.255.255
Show ip route
Gateway of last resort is not set
R    192.168.10.0/24 [120/1] via 10.6.6.1, 00:00:15, FastEthernet0/0
     172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
R       172.16.4.8/32 [120/3] via 10.6.6.1, 00:00:15, FastEthernet0/0
R       172.16.4.0/24 [120/3] via 10.6.6.1, 00:00:15, FastEthernet0/0
R       172.16.5.0/24 [120/2] via 10.6.6.1, 00:00:15, FastEthernet0/0
R       172.16.6.0/24 [120/2] via 10.6.6.1, 00:00:15, FastEthernet0/0
C       172.16.1.0/24 is directly connected, Serial0/0/0
R       172.16.2.0/24 [120/2] via 10.6.6.1, 00:00:17, FastEthernet0/0
R       172.16.4.7/32 [120/3] via 10.6.6.1, 00:00:17, FastEthernet0/0
R       172.16.3.0/24 [120/2] via 10.6.6.1, 00:00:17, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
R2:
router rip
version 2
offset-list rip in 2 Serial0/0/0.1
network 0.0.0.0
no auto-summary
ip access-list standard rip
permit 10.0.0.0 0.255.255.255
permit 192.168.10.0
Show ip route
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
R       10.11.11.0/30 [120/2] via 192.168.10.1, 00:00:09, FastEthernet0/0
R       10.9.9.0/30 [120/2] via 192.168.10.1, 00:00:09, FastEthernet0/0
R       10.8.8.0/30 [120/1] via 192.168.10.1, 00:00:09, FastEthernet0/0
R       10.7.7.0/30 [120/2] via 192.168.10.1, 00:00:09, FastEthernet0/0
R       10.6.6.0/30 [120/1] via 192.168.10.1, 00:00:09, FastEthernet0/0
R       10.5.5.0/30 [120/1] via 192.168.10.1, 00:00:09, FastEthernet0/0
R       10.4.4.0/24 [120/1] via 192.168.10.1, 00:00:09, FastEthernet0/0
R       10.3.3.0/24 [120/1] via 192.168.10.1, 00:00:09, FastEthernet0/0
R3:
router rip
version 2
offset-list rip in 2 Serial0/0/0.1
network 0.0.0.0
no auto-summary
ip access-list standard rip
permit 10.0.0.0 0.255.255.255
permit 192.168.10.0
R       10.11.11.0/30 [120/2] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.9.9.0/30 [120/2] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.8.8.0/30 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.7.7.0/30 [120/2] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.6.6.0/30 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.5.5.0/30 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.4.4.0/24 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
R       10.3.3.0/24 [120/1] via 192.168.10.1, 00:00:20, FastEthernet0/0
On R7 and R8 run a TCL script with Trace route:
tclsh
foreach address {
10.3.3.1
10.3.3.2
10.4.4.1
10.4.4.2
10.5.5.1
10.5.5.2
10.6.6.1
10.6.6.2
10.7.7.1
10.7.7.2
10.8.8.1
10.8.8.2
10.9.9.1
10.9.9.2
} {trace $address}
Type escapes sequence to abort.
Tracing the route to 10.3.3.1
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.3.3.2
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec 28 msec
3 10.3.3.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.4.4.1
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.4.4.2
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec 28 msec
3 10.4.4.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.5.5.1
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.5.5.2
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec 28 msec
3 10.5.5.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.6.6.1
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.6.6.2
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec 28 msec
3 10.6.6.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.7.7.1
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec 28 msec
3 10.3.3.2 28 msec 76 msec *
Type escape sequence to abort.
Tracing the route to 10.7.7.2
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec 28 msec
3 10.5.5.2 28 msec 28 msec 28 msec
4 10.7.7.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.8.8.1
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.8.8.2
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec 28 msec
3 10.8.8.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.9.9.1
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec 28 msec
3 10.8.8.2 28 msec 28 msec *
Type escape sequence to abort.
Tracing the route to 10.9.9.2
1 172.16.5.2 28 msec 28 msec 28 msec
2 192.168.10.1 28 msec 28 msec 28 msec
3 10.8.8.2 28 msec 28 msec 28 msec
Task 3 (Authentication): MD5 authentication is the correct answer.
On R7 and 8:
int s0/0/0.3
ip rip authentication mode md5
ip rip authentication key-chain cisco
key chain cisco
key 1
key-string cisco
On R2 and 3:
int s0/0/0.1
ip rip authentication mode md5
ip rip authentication key-chain cisco
key chain cisco
key 1
key-string cisco
Task 4 (Hub-and-Spoke): Passive-interface commands are needed to disable the 224.0.0.9
multicast updates, and neighbor commands allow us to use unicast between RIP routers. Since
we disabled split horizon, we can opt to connect the spokes together on R5 and R6.
R3:
router rip
version 2
timers basic 30 180 0 240
passive-interface Serial0/0/0.2
offset-list rip in 2 Serial0/0/0.1
network 0.0.0.0
neighbor 172.16.3.6
neighbor 172.16.3.5
distribute-list ripin in Serial0/0/0.3
R5:
router rip
version 2
passive-interface Serial0/0/0
network 0.0.0.0
neighbor 172.16.3.6
neighbor 172.16.3.3
no auto-summary
R6:
router rip
version 2
passive-interface Serial0/0/0
network 0.0.0.0
neighbor 172.16.3.5
neighbor 172.16.3.3
no auto-summary
R6:
debug ip rip
Jul 25 19:23:03.615: RIP: received v2 update from 172.16.3.3 on Serial0/0/0
*Jul 25 19:23:03.615:      10.3.3.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.615:      10.4.4.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.615:      10.5.5.0/30 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.615:      10.6.6.0/30 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.615:      10.7.7.0/30 via 0.0.0.0 in 3 hops
*Jul 25 19:23:03.615:      10.8.8.0/30 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.615:      10.9.9.0/30 via 0.0.0.0 in 3 hops
*Jul 25 19:23:03.615:      10.11.11.0/30 via 0.0.0.0 in 3 hops
*Jul 25 19:23:03.615:      130.0.2.0/24 via 0.0.0.0 in 3 hops
*Jul 25 19:23:03.615:      130.0.4.0/24 via 0.0.0.0 in 3 hops
*Jul 25 19:23:03.619:      130.0.6.0/24 via 0.0.0.0 in 3 hops
*Jul 25 19:23:03.619:      131.0.1.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.619:      131.0.3.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.619:      131.0.5.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.619:      172.16.1.0/24 via 0.0.0.0 in 1 hops
*Jul 25 19:23:03.619:      172.16.2.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.619:      172.16.3.0/24 via 0.0.0.0 in 1 hops
*Jul 25 19:23:03.619:      172.16.5.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:03.619:      172.16.6.0/24 via 0.0.0.0 in 1 hops
*Jul 25 19:23:03.619:      192.168.10.0/24 via 0.0.0.0 in 1 hops
*Jul 25 19:23:06.143: RIP: received v2 update from 172.16.3.5 on Serial0/0/0
*Jul 25 19:23:06.143:      10.3.3.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:06.143:      10.4.4.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:06.143:      10.5.5.0/30 via 0.0.0.0 in 2 hops
*Jul 25 19:23:06.143:      10.6.6.0/30 via 0.0.0.0 in 2 hops
*Jul 25 19:23:06.143:      10.7.7.0/30 via 0.0.0.0 in 3 hops
*Jul 25 19:23:06.143:      10.8.8.0/30 via 0.0.0.0 in 2 hops
*Jul 25 19:23:06.143:      10.9.9.0/30 via 0.0.0.0 in 3 hops
*Jul 25 19:23:06.143:      10.11.11.0/30 via 0.0.0.0 in 3 hops
*Jul 25 19:23:06.143:      130.0.2.0/24 via 172.16.3.3 in 4 hops
*Jul 25 19:23:06.143:      130.0.4.0/24 via 172.16.3.3 in 4 hops
*Jul 25 19:23:06.143:      130.0.6.0/24 via 172.16.3.3 in 4 hops
*Jul 25 19:23:06.143:      131.0.1.0/24 via 172.16.3.3 in 3 hops
*Jul 25 19:23:06.147:      131.0.3.0/24 via 172.16.3.3 in 3 hops
*Jul 25 19:23:06.147:      131.0.5.0/24 via 172.16.3.3 in 3 hops
*Jul 25 19:23:06.147:      172.16.1.0/24 via 172.16.3.3 in 2 hops
*Jul 25 19:23:06.147:      172.16.2.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:06.147:      172.16.3.0/24 via 0.0.0.0 in 1 hops
*Jul 25 19:23:06.147:      172.16.5.0/24 via 0.0.0.0 in 2 hops
*Jul 25 19:23:06.147:      172.16.6.0/24 via 172.16.3.3 in 2 hops
*Jul 25 19:23:06.147:      192.168.10.0/24 via 0.0.0.0 in 1 hops
Task 5 (Filtering): A distribute-list is needed to filter these routes. Remember RIP waits for
the FLUSH time to remove routes. Give it a few minutes and then look at the routing tables.
R2:
router rip
version 2
offset-list rip in 2 Serial0/0/0.1
network 0.0.0.0
distribute-list ripin in Serial0/0/0.3
no auto-summary
ip access-list standard ripin
permit 130.0.0.0 0.0.254.255
permit 131.0.1.0 0.0.254.255
                  [120/1] via 172.16.1.3, 00:00:03, Serial0/0/0.1
     130.0.0.0/24 is subnetted, 3 subnets
R       130.0.2.0 [120/1] via 172.16.5.7, 00:00:10, Serial0/0/0.3
R       130.0.6.0 [120/1] via 172.16.5.7, 00:00:12, Serial0/0/0.3
R       130.0.4.0 [120/1] via 172.16.5.7, 00:00:12, Serial0/0/0.3
R       131.0.3.0 [120/2] via 192.168.10.3, 00:00:14, FastEthernet0/0
                  [120/2] via 172.16.1.3, 00:00:05, Serial0/0/0.1
R       131.0.1.0 [120/2] via 192.168.10.3, 00:00:16, FastEthernet0/0
                  [120/2] via 172.16.1.3, 00:00:06, Serial0/0/0.1
R       131.0.5.0 [120/2] via 192.168.10.3, 00:00:16, FastEthernet0/0
                  [120/2] via 172.16.1.3, 00:00:06, Serial0/0/0.1
R3:
router rip
version 2
offset-list rip in 2 Serial0/0/0.1
network 0.0.0.0
distribute-list ripin in Serial0/0/0.3
no auto-summary
ip access-list standard ripin
permit 130.0.0.0 0.0.254.255
permit 131.0.1.0 0.0.254.255
     130.0.0.0/24 is subnetted, 3 subnets
R       130.0.2.0 [120/2] via 192.168.10.2, 00:00:19, FastEthernet0/0
                  [120/2] via 172.16.6.8, 00:00:01, Serial0/0/0.3
                  [120/2] via 172.16.1.2, 00:00:09, Serial0/0/0.1
R       130.0.6.0 [120/2] via 192.168.10.2, 00:00:20, FastEthernet0/0
                  [120/2] via 172.16.6.8, 00:00:03, Serial0/0/0.3
                  [120/2] via 172.16.1.2, 00:00:10, Serial0/0/0.1
R       130.0.4.0 [120/2] via 192.168.10.2, 00:00:20, FastEthernet0/0
                  [120/2] via 172.16.6.8, 00:00:03, Serial0/0/0.3
                  [120/2] via 172.16.1.2, 00:00:10, Serial0/0/0.1
     131.0.0.0/24 is subnetted, 3 subnets
R       131.0.3.0 [120/1] via 172.16.6.8, 00:00:04, Serial0/0/0.3
R       131.0.1.0 [120/1] via 172.16.6.8, 00:00:04, Serial0/0/0.3
R       131.0.5.0 [120/1] via 172.16.6.8, 00:00:04, Serial0/0/0.3
Bonus: On the interfaces of R2, R3, R7, and R8, configure (config-subif)# ip rip triggered to
send updates only when changes occur.
Day 1
EIGRP
Overview
EIGRP is a Cisco proprietary protocol that combines the attributes of a Link State and a
Distance Vector routing protocol. It is considered a ‘hybrid’ routing protocol. EIGRP was
released as an enhancement to Cisco's other proprietary routing protocol, IGRP. EIGRP
supports automatic route summarization, VLSM addressing, multicast updates, non-periodic
updates, unequal-cost load balancing, and independent support for IPX and AppleTalk.
EIGRP added many features to overcome the limitations of IGRP:
• The Diffusing Update Algorithm (DUAL)
• Loop-free networks
• Incremental updates instead of periodic (only send changes as they occur)
• Knowledge about neighbors as opposed to the entire network
• Independent Support for IP, IPX and AppleTalk
• Classless routing
• Efficient summarization of networks
• Efficient use of link bandwidth for routing updates
• Authentication
• EIGRP uses the same metrics as IGRP
Updates
EIGRP sends hello packets every 5 seconds on high-bandwidth links, like PPP and HDLC leased
lines, Ethernet, TR, FDDI, Frame Relay point-to-point and ATM. It sends hellos every 60
seconds on low-bandwidth multipoint links, like FR multipoint and ATM multipoint links.
• EIGRP reliable packets are: Update, Query and Reply.
• EIGRP unreliable packets are: Hello and Ack.
Updates are always transmitted reliably. Updates convey reachability of destinations. On
discovery of a new neighbor, update packets are sent so the neighbor can build its topology
table. These update packets are unicast. In other cases, such as a link cost change, updates
are multicast.
Both queries and replies are transmitted reliably. When destinations go into active state,
queries and replies are sent. Queries are always multicast unless they are sent in response to
a received query. In this case, a reply is unicast back to the successor that originated the
query. Replies are always sent in response to queries to indicate to the originator that it does
not need to go into active state because it has feasible successors. Replies are unicast to the
originator of the query.
Authentication
Authentication in EIGRP is very similar to RIPv2 authentication, except that EIGRP only
supports MD5 authentication. EIGRP uses key chains and interface commands to configure
authentication.
r1lab(config)# interface s0
r1lab(config-if)# ip authentication mode eigrp 222 md5
r1lab(config-if)# ip authentication key-chain eigrp 222 cisco
r1lab(config)# key chain cisco
r1lab(config-keychain)# key 1
r1lab(config-keychain-key)# key-string ccie
Default Routes
Default routes can be configured in EIGRP in three different ways:
• <ip summary-address eigrp 100 0.0.0.0 0.0.0.0>
• <ip default-network>
• <redistribute ip route 0.0.0.0 0.0.0.0 null 0>
– <redistribute static or network 0.0.0.0>
The ip default-network must be a classful network that is used as the candidate default
network in EIGRP. This method is a legacy left over from IGRP.
Summarization
In EIGRP, auto-summary is on by default and is used to summarize to classful boundaries.
No auto-summary allows the router to summarize to bit boundaries. This type of
summarization is configured on the interface and split horizon must be disabled for it to work.
As you can see in the following example, an AD of 5 is assigned to summaries:
r1lab(config-if)# ip summary-address eigrp 222 10.2.0.0 255.255.255.0 5
Also, there is no way to get rid of the NULL0 entry in EIGRP; it is added to avoid loops. You
can set the AD to 255, which removes the summary from the originating router’s route
table while still sending the summary to other routers. Care must be taken to filter the
summary from returning, by implementing a route map etc., since split horizon is disabled and
there would be no Null 0 protection.
Metrics
DUAL selects primary and backup routes using the composite metric and guarantees that the
selected routes are loop free. The primary routes are then moved to a routing table. The rest
(up to 6) are stored in the topology table as feasible successors.
EIGRP uses the same composite metric as IGRP to determine the best path. The default
criteria used are:
• Bandwidth—The smallest bandwidth cost between source and destination
• Delay—Cumulative interface delay along the path
• Reliability—Worst reliability between source and destination depending on
keepalives
• Load—Utilization on a link between source and destination measured in bits per
second on its worst link
• MTU—The smallest Maximum Transmission Unit
The default for EIGRP is to use only bandwidth and delay when calculating the metric. EIGRP
uses the following scaled values to determine the total metric to the network:
EIGRP Metric =
256*((K1*Bw) + (K2*Bw)/(256-Load) + (K3*Delay)*(K5/(Reliability + K4)))
The default values for K are:
K1 = 1
K2 = 0
K3 = 1
K4 = 0
K5 = 0
For the default, you can simplify the formula as: Metric = Bandwidth + Delay
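A worked calculation of the composite metric, as an added Python example (not from the workbook): it scales bandwidth as 10^7 divided by the lowest link bandwidth in kbps and delay as the summed delay in tens of microseconds, applies the K5/(Reliability + K4) factor to the whole sum and skips it when K5 is 0. The interface bandwidth and delay figures are assumed values (a 1544 kbps serial link with 20000 usec delay, a loopback with 5000 usec delay, a LAN hop with 10 usec delay); with them the result equals the 130.0.2.0 [90/2297856] entry in the R2 routing table later in this lab.

```python
DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 defaults listed in the text


def eigrp_metric(min_bandwidth_kbps, total_delay_usec, load=1, reliability=255,
                 k=DEFAULT_K):
    """Classic EIGRP composite metric using integer arithmetic."""
    k1, k2, k3, k4, k5 = k
    if min_bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    if not 1 <= load <= 255:
        raise ValueError("load is a value from 1 to 255")
    bw = 10_000_000 // min_bandwidth_kbps      # scaled inverse bandwidth
    delay = total_delay_usec // 10             # tens of microseconds
    composite = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                                # factor is ignored when K5 = 0
        composite = composite * k5 // (reliability + k4)
    return 256 * composite


def path_metric(links, **kwargs):
    """links: list of (bandwidth_kbps, delay_usec), one tuple per outgoing interface.

    Bandwidth is the minimum along the path, delay is cumulative.
    """
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(delay for _, delay in links)
    return eigrp_metric(min_bw, total_delay, **kwargs)


# Assumed interface values, constructed for this example.
SERIAL = (1544, 20000)          # T1 serial link
LOOPBACK = (8_000_000, 5000)    # loopback interface
LAN_HOP = (100_000, 10)         # LAN hop adding 10 usec of delay

R2_TO_R7_LOOPBACK = [SERIAL, LOOPBACK]              # one serial hop
R2_VIA_LAN_TO_R8_LOOPBACK = [LAN_HOP, SERIAL, LOOPBACK]

if __name__ == "__main__":
    print(path_metric(R2_TO_R7_LOOPBACK))           # 256 * (6476 + 2500)
    print(path_metric(R2_VIA_LAN_TO_R8_LOOPBACK))   # 256 * (6476 + 2501)
```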
After two routers become neighbors, each will send routing updates (and other packets) to
the other using a reliable multicast scheme.
For example, assume that router 1 has a series of packets, such as a routing table update,
which must be transmitted to routers 2, 3, and 4. Router 1 will send the first packet to the
EIGRP multicast address, 224.0.0.10, and then will wait for acknowledgment from each of its
neighbors on its Ethernet interface (in this case, routers 2, 3 and 4).
Assume that routers 2 and 4 answer the multicast packet, but router 3 does not. Router 1 will
wait until the multicast flow timer expires on the Ethernet interface, then send out a special
packet, a sequence TLV, telling router 3 not to listen to any further multicast packets from
router 1. Router 1 will then continue transmitting the remainder of the update packets as
multicast to all other routers on the network. The sequence TLV indicates an out-of-sequence
multicast packet.
Those routers not listed in the packet enter Conditional Receive (CR) mode, and continue
listening to multicast. While there are some routers in this mode, the Conditional Receive bit
will be set in multicast packets. In this case, router 1 will send out a sequence TLV with router
3 listed, so routers 2 and 4 will continue listening to further multicast updates. If a router
receives an update packet with the init flag set it clearly implies that this packet is the first
after a new neighbor relationship has been established. If we clear the IP EIGRP neighbor
relationship it will automatically cause the EIGRP neighbor relationship to be restarted.
Init Flag
There is an 8-bit flag value in the EIGRP header. The rightmost bit is init. When init is set to
0x00000001 the enclosed route entries are treated as the first in a new neighbor relationship.
Note that route entries are carried in update packets not hello packets.
This debug output displays the Init Sequence increasing only with the update packet:
Router# debug eigrp packet
EIGRP: Sending HELLO on Ethernet0/1
AS 666, Flags 0x0, Seq 0, Ack 0
EIGRP: Sending HELLO on Ethernet0/1
AS 666, Flags 0x0, Seq 0, Ack 0
EIGRP: Sending HELLO on Ethernet0/1
AS 666, Flags 0x0, Seq 0, Ack 0
EIGRP: Received UPDATE on Ethernet0/1 from 10.23.23.23,
AS 666, Flags 0x1, Seq 1, Ack 0
EIGRP: Sending HELLO/ACK on Ethernet0/1 to 10.23.23.23,
AS 666, Flags 0x0, Seq 0, Ack 1
EIGRP: Sending HELLO/ACK on Ethernet0/1 to 10.23.23.23,
AS 666, Flags 0x0, Seq 0, Ack 1
EIGRP: Received UPDATE on Ethernet0/1 from 10.23.23.23,
AS 666, Flags 0x0, Seq 2, Ack 0
• Successor—A route selected as the primary route to reach a destination network
specified by the Feasibility Condition. Successors are entries kept in the routing
table.
• Feasible Successor—A backup route to a specified network. Multiple feasible
successors for a destination network can be retained in a topology table. Thus
when a route goes down the entire routing table does not have to be recomputed.
Feasibility Condition
When the receiving router has a Feasible Distance (FD) to a specified network and when it
receives an update from a neighbor with a lower advertised or Reported Distance (RD) to that
network, the Feasibility Condition is met. The neighbor then becomes a Feasible Successor (FS)
for that route because it is one hop closer to the destination network. In a meshed network
environment, there can be a number of Feasible Successors.
The RD for a neighbor to reach a specified network must always be less than the FD for the
local router to reach the network. In this way EIGRP avoids routing loops. This is the reason
why routes that have RD larger than the FD are not entered into the Topology table.
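The feasibility check described above, as an added Python example (not from the workbook): for one destination it picks the successor, lists the neighbors whose Reported Distance is below the Feasible Distance, and shows what happens when the successor is lost. Neighbor names and distances are constructed, and the Feasible Distance is simplified to the current best distance.

```python
def classify_paths(paths):
    """paths maps neighbor -> (reported_distance, distance_via_neighbor)."""
    if not paths:
        raise ValueError("no paths to the destination")
    successor = min(paths, key=lambda n: paths[n][1])
    feasible_distance = paths[successor][1]
    feasible, rejected = [], []
    for neighbor, (reported, _total) in sorted(paths.items()):
        if neighbor == successor:
            continue
        # Feasibility Condition: the neighbor's own distance must be strictly
        # lower than ours, otherwise its path might run back through us.
        (feasible if reported < feasible_distance else rejected).append(neighbor)
    return {"successor": successor,
            "feasible_distance": feasible_distance,
            "feasible_successors": feasible,
            "not_feasible": rejected}


def on_successor_loss(paths):
    """Return (state, new_successor) after the current successor disappears."""
    state = classify_paths(paths)
    backups = {n: paths[n] for n in state["feasible_successors"]}
    if backups:
        # A pre-validated backup exists: switch immediately, stay passive.
        return "passive", min(backups, key=lambda n: backups[n][1])
    # No feasible successor: the route goes active and queries are sent.
    return "active", None


# Constructed topology-table data for one destination.
# C offers a lower total distance than B, but its RD (3500) is not below the
# FD (3000), so only B qualifies as a backup.
TOPOLOGY = {"A": (2000, 3000), "B": (2500, 4000), "C": (3500, 3800)}
NO_BACKUP = {"A": (2000, 3000), "C": (3500, 3800)}

if __name__ == "__main__":
    print(classify_paths(TOPOLOGY))
    print(on_successor_loss(TOPOLOGY))
    print(on_successor_loss(NO_BACKUP))
```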
Load Balancing
Routes with a metric equal to the minimum metric will be installed in the routing table (equal
cost load balancing). Up to six entries in the routing table for the same destination can be
stored but the default is four.
The number of entries is configured with the maximum-paths command.
Unequal cost load balancing will be discussed in Volume II.
Networks and Filtering
Networks are configured from the routing process just like RIPv2. Passive interface and
network commands also work.
As for filtering, offset lists and distribute lists work too.
EIGRP Stub
A stub sets a flag bit in the hello packets and affects what the router will advertise. Typically
it is used to send a reduced routing table, so it reduces processing on the router and controls
what networks are advertised.
Four options exist for what a stub router can send: receive-only, summary, connected, and
static.
EIGRP LAB
Scenario
Disable RIP and configure EIGRP as per the following diagram.
Topology
EIGRP: Tasks
Task 1 (Basic EIGRP):
Configure EIGRP on all routers and switches. Only use a single
network statement on the routers. The switches can be configured as you wish.
R7 and R8 will be configured as a stub with only summaries of 172.16.0.0/16,
192.168.10.0/24, and 10.0.0.0/8 being learned from Turnkey, but do not use the stub
command under the EIGRP routing process to accomplish this.
Task 2 (Summaries): Make sure the Branch site only advertises a 10.0.0.0/8 outbound. R1
can also advertise a longer mask for its loopback. Configure extra filters to make sure Sw1
is always preferred for the 10.0.0.0 networks. Only Sw1 can have a null 0 route in this lab.
Task 3 (Defaults): R2 and R3 should send a default route into EIGRP to reach the ISP
routers. Make sure the ISP routers (R7, R8) do not use this default route.
Task 4 (Routing Table): Verify the routing tables in your equipment and make adjustments
until they look the same as Task 4.
R2:
Gateway of last resort is 172.16.5.7 to network 0.0.0.0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
     172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
D       172.16.4.8/32 [90/258169856] via 172.16.5.7, 00:12:43, Serial0/0/0.3
D       172.16.4.0/24 [90/258169856] via 172.16.5.7, 00:12:43, Serial0/0/0.3
C       172.16.5.0/24 is directly connected, Serial0/0/0.3
D       172.16.6.0/24 [90/2170112] via 192.168.10.3, 00:12:42, FastEthernet0/0
C       172.16.1.0/24 is directly connected, Serial0/0/0.1
C       172.16.2.0/24 is directly connected, Serial0/0/0.2
D       172.16.4.7/32
           [90/258170112] via 192.168.10.3, 00:12:44, FastEthernet0/0
D       172.16.3.0/24 [90/2170112] via 192.168.10.6, 00:12:44, FastEthernet0/0
                      [90/2170112] via 192.168.10.5, 00:12:44, FastEthernet0/0
                      [90/2170112] via 192.168.10.3, 00:12:44, FastEthernet0/0
     130.0.0.0/24 is subnetted, 6 subnets
D       130.0.2.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D       130.0.3.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D       130.0.1.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D       130.0.6.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D       130.0.4.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D       130.0.5.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D       10.13.13.0/24 [90/153856] via 192.168.10.3, 00:13:52, FastEthernet0/0
C       10.12.12.0/24 is directly connected, Loopback1
D       10.10.10.0/24 [90/2174869503] via 172.16.1.1, 00:12:46, Serial0/0/0.1
D       10.0.0.0/8 [90/26112] via 192.168.10.1, 00:12:45, FastEthernet0/0
     131.0.0.0/24 is subnetted, 6 subnets
D       131.0.3.0 [90/2298112] via 192.168.10.3, 00:12:45, FastEthernet0/0
D       131.0.2.0 [90/2298112] via 192.168.10.3, 00:12:45, FastEthernet0/0
D       131.0.1.0 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
D       131.0.6.0 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
D       131.0.5.0 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
D       131.0.4.0 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
     208.1.1.0/32 is subnetted, 2 subnets
D       208.1.1.1 [90/2297856] via 172.16.5.7, 00:12:47, Serial0/0/0.3
D       208.1.1.2 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 172.16.5.7
R3:
Gateway of last resort is 172.16.6.8 to network 0.0.0.0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
     172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
D       172.16.4.8/32
           [90/258170112] via 192.168.10.2, 00:14:31, FastEthernet0/0
D       172.16.4.0/24 [90/258169856] via 172.16.6.8, 00:14:31, Serial0/0/0.3
D       172.16.5.0/24 [90/2170112] via 192.168.10.2, 00:14:31, FastEthernet0/0
C       172.16.6.0/24 is directly connected, Serial0/0/0.3
C       172.16.1.0/24 is directly connected, Serial0/0/0.1
D       172.16.2.0/24 [90/2170112] via 192.168.10.9, 00:14:32, FastEthernet0/0
D       172.16.4.7/32 [90/258169856] via 172.16.6.8, 00:14:31, Serial0/0/0.3
C       172.16.3.0/24 is directly connected, Serial0/0/0.2
     130.0.0.0/24 is subnetted, 6 subnets
D       130.0.2.0 [90/2298112] via 192.168.10.2, 00:14:32, FastEthernet0/0
D       130.0.3.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
D       130.0.1.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
D       130.0.6.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
D       130.0.4.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
D       130.0.5.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.13.13.0/24 is directly connected, Loopback1
D       10.12.12.0/24 [90/153856] via 192.168.10.2, 00:14:39, FastEthernet0/0
D       10.10.10.0/24 [90/2174869503] via 172.16.1.1, 00:14:34, Serial0/0/0.1
D       10.0.0.0/8 [90/26112] via 192.168.10.1, 00:14:33, FastEthernet0/0
     131.0.0.0/24 is subnetted, 6 subnets
D       131.0.3.0 [90/2297856] via 172.16.6.8, 00:14:32, Serial0/0/0.3
D       131.0.2.0 [90/2297856] via 172.16.6.8, 00:14:32, Serial0/0/0.3
D       131.0.1.0 [90/2297856] via 172.16.6.8, 00:14:32, Serial0/0/0.3
D       131.0.6.0 [90/2297856] via 172.16.6.8, 00:14:34, Serial0/0/0.3
D       131.0.5.0 [90/2297856] via 172.16.6.8, 00:14:34, Serial0/0/0.3
D       131.0.4.0 [90/2297856] via 172.16.6.8, 00:14:34, Serial0/0/0.3
     208.1.1.0/32 is subnetted, 2 subnets
D       208.1.1.1 [90/2298112] via 192.168.10.2, 00:14:34, FastEthernet0/0
D       208.1.1.2 [90/2297856] via 172.16.6.8, 00:14:34, Serial0/0/0.3
S*   0.0.0.0/0 [1/0] via 172.16.6.8
R7:
Gateway of last resort is not set
D 192.168.10.0/24 [90/2170112] via 172.16.5.2, 01:07:04, Serial0/0/0.1
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
C 172.16.4.8/32 is directly connected, Serial0/0/1
C 172.16.4.0/24 is directly connected, Serial0/0/1
C 172.16.5.0/24 is directly connected, Serial0/0/0.1
D 172.16.0.0/16 [90/2681856] via 172.16.5.2, 01:07:03, Serial0/0/0.1
130.0.0.0/24 is subnetted, 6 subnets
C 130.0.2.0 is directly connected, Loopback0
C 130.0.3.0 is directly connected, Loopback0
C 130.0.1.0 is directly connected, Loopback0
C 130.0.6.0 is directly connected, Loopback0
C 130.0.4.0 is directly connected, Loopback0
C 130.0.5.0 is directly connected, Loopback0
D 10.0.0.0/8 [90/2170368] via 172.16.5.2, 00:16:06, Serial0/0/0.1
208.1.1.0/32 is subnetted, 1 subnets
C 208.1.1.1 is directly connected, Loopback2
R8:
Gateway of last resort is not set
D 192.168.10.0/24 [90/2170112] via 172.16.6.3, 01:08:33, Serial0/0/0.1
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
C 172.16.4.0/24 is directly connected, Serial0/0/1
C 172.16.6.0/24 is directly connected, Serial0/0/0.1
D 172.16.0.0/16 [90/2681856] via 172.16.6.3, 01:08:33, Serial0/0/0.1
C 172.16.4.7/32 is directly connected, Serial0/0/1
D 10.0.0.0/8 [90/2170368] via 172.16.6.3, 00:17:33, Serial0/0/0.1
131.0.0.0/24 is subnetted, 6 subnets
C 131.0.3.0 is directly connected, Loopback0
C 131.0.2.0 is directly connected, Loopback0
C 131.0.1.0 is directly connected, Loopback0
C 131.0.6.0 is directly connected, Loopback0
C 131.0.5.0 is directly connected, Loopback0
C 131.0.4.0 is directly connected, Loopback0
208.1.1.0/32 is subnetted, 1 subnets
C 208.1.1.2 is directly connected, Loopback2
Task 5 (Testing): Ping test connectivity to every IP address from Sw3.
EIGRP: Answers
Task 1 (Basic EIGRP): Configure EIGRP on all Routers and switches. Only use a single
network statement on the routers. The switches can be configured as you wish.
Only one router and one switch are shown as examples because the remaining configurations are redundant:
R1:
router eigrp 100
network 0.0.0.0
no auto-summary
Sw1:
router eigrp 100
network 10.0.0.0
network 192.168.10.0
no auto-summary
R7 and R8 will be configured as a stub with only summaries of 172.16.0.0/16,
192.168.10.0/24, and 10.0.0.0/8 being learned from Turn-key, but do not use the stub
command under the EIGRP routing process to accomplish this. To make the ISP routers appear
to be a stub we will only send summaries from R2 and R3. The 10.0.0.0/8 was already
summarized by Sw1 and R1, so we just need to summarize 172.16.0.0 and filter it between
R7 and R8.
R2:
router eigrp 100
redistribute static metric 1 1 1 1 1
offset-list zero in 2147483647 Serial0/0/0.1
offset-list zero in 2147483647 Serial0/0/0.2
network 0.0.0.0
no auto-summary (This allows us to use VLSM)
interface Serial0/0/0.3 point-to-point
ip address 172.16.5.2 255.255.255.0
ip rip triggered
ip rip authentication mode md5
ip rip authentication key-chain cisco
ip summary-address eigrp 100 172.16.0.0 255.255.0.0 255 (We are setting the AD to 255 to
remove the Null0)
ip ospf 1 area 6
frame-relay interface-dlci 207
R3:
router eigrp 100
redistribute static metric 1 1 1 1 1
offset-list zero in 2147483647 Serial0/0/0.1
offset-list zero in 2147483647 Serial0/0/0.2
network 0.0.0.0
no auto-summary
interface Serial0/0/0.3 point-to-point
description P2P-to-R6
ip address 172.16.6.3 255.255.255.0
ip rip triggered
ip rip authentication mode md5
ip rip authentication key-chain cisco
ip summary-address eigrp 100 172.16.0.0 255.255.0.0 255
ip ospf 1 area 5
frame-relay interface-dlci 308
R7:
router eigrp 100
network 0.0.0.0
distribute-list prefix null out (Prevent the summaries from going back to Turn-key)
distribute-list prefix default in
no auto-summary
interface Serial0/0/1
description PPP-to-R8
ip address 172.16.4.7 255.255.255.0
encapsulation ppp
ip summary-address eigrp 100 172.16.0.0 255.255.0.0 255 (Only send a summary between R7,
R8 and no Null 0)
delay 1000000
clock rate 2000000
ppp authentication chap
ppp chap hostname user
ppp chap password 0 cisco
ip prefix-list null seq 5 deny 10.0.0.0/8
ip prefix-list null seq 10 deny 172.16.0.0/16
ip prefix-list null seq 15 deny 192.168.10.0/24
ip prefix-list null seq 20 permit 0.0.0.0/0 le 32 (allow the left over networks)
R8: Same configuration as R7 basically
Task 2 (Summaries): Make sure the Branch site only advertises 10.0.0.0/8 outbound. R1
can also advertise a longer mask for its loopback (10.10.10.0/24).
Sw1:
interface Vlan10
description Vlan10_Leased
ip address 192.168.10.1 255.255.255.0
ip summary-address eigrp 100 10.0.0.0 255.0.0.0 5 (This summary adds a Null0 for loop
protection)
!
router eigrp 100
network 10.0.0.0
network 192.168.10.0
no auto-summary
R1:
router eigrp 100
network 0.0.0.0
no auto-summary
interface Serial0/0/0
description MESH_to_R2_R3
ip address 172.16.1.1 255.255.255.0
encapsulation frame-relay
ip summary-address eigrp 100 10.0.0.0 255.0.0.0 255 leak-map leaky (A leak map allows a more
specific mask 10.10.10.0/24 and AD of 255 removes the null0.)
ip ospf 1 area 0
no frame-relay inverse-arp IP 104
no frame-relay inverse-arp IP 105
no frame-relay inverse-arp IP 106
no frame-relay inverse-arp IP 107
no frame-relay inverse-arp IP 108
no frame-relay inverse-arp IP 109
no frame-relay inverse-arp IP 110
frame-relay lmi-type ansi
Configure extra filters to make sure Sw1 is always preferred for the 10.0.0.0 networks. Only
Sw1 can have a null 0 route in this Lab. This is configured on R2 and R3.
R2:
router eigrp 100
redistribute static metric 1 1 1 1 1
offset-list zero in 2147483647 Serial0/0/0.1 (This offset sets a high metric for the summary
learned over the Frame Relay)
offset-list zero in 2147483647 Serial0/0/0.2
network 0.0.0.0
no auto-summary
ip access-list standard zero
permit 10.0.0.0 0.255.255.255 (Only matches the 10.0.0.0 summary)
Same configuration for R3
Task 3 (Defaults): R2 and R3 should send a default route into EIGRP to reach the ISP
routers. Make sure the ISP routers (R7, R8) do not use this default route.
Redistribute a static route to the ISP on both R2 and R3, and filter the default route on R7 and
R8.
R2:
router eigrp 100
redistribute static metric 1 1 1 1 1 (This will redistribute the static default route to R7)
offset-list zero in 2147483647 Serial0/0/0.1
offset-list zero in 2147483647 Serial0/0/0.2
network 0.0.0.0
no auto-summary
ip route 0.0.0.0 0.0.0.0 172.16.5.7
R3: Basically same configuration as R2
R7:
router eigrp 100
network 0.0.0.0
distribute-list prefix null out
distribute-list prefix default in (This will prevent R7 from learning a default route from Turn-key)
no auto-summary
ip prefix-list default seq 5 permit 10.0.0.0/8 (This only allows the summaries that we desire
and prevents the 0.0.0.0)
ip prefix-list default seq 10 permit 172.16.0.0/16
ip prefix-list default seq 15 permit 192.168.10.0/24
We could have denied 0.0.0.0 and allowed everything else too.
R8 has a similar configuration.
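How the two prefix lists on R7 evaluate, as an added example that is not part of the workbook: a small Python model of IOS prefix-list matching (exact mask length unless `ge`/`le` is given, first match by sequence number, implicit deny at the end) applied to the `null` and `default` lists above and to the deny-0.0.0.0 alternative the text mentions. The sample routes, the function names and the sequence numbers of the alternative list are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        base = ipaddress.ip_network(self.prefix)
        # The route must lie inside the entry's prefix ...
        if not route.subnet_of(base):
            return False
        # ... and its mask length must be exact unless ge/le widen the range.
        if self.ge is None and self.le is None:
            return route.prefixlen == base.prefixlen
        low = self.ge if self.ge is not None else base.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def evaluate(plist: List[Entry], route: str) -> Tuple[bool, Optional[int]]:
    """Return (permitted, matching seq). No match at all is the implicit deny."""
    net = ipaddress.ip_network(route)
    for entry in sorted(plist, key=lambda e: e.seq):
        if entry.matches(net):
            return entry.action == "permit", entry.seq
    return False, None


def permitted(plist: List[Entry], routes: List[str]) -> List[str]:
    return [r for r in routes if evaluate(plist, r)[0]]


# "ip prefix-list null ..." applied outbound on R7.
NULL_OUT = [
    Entry(5, "deny", "10.0.0.0/8"),
    Entry(10, "deny", "172.16.0.0/16"),
    Entry(15, "deny", "192.168.10.0/24"),
    Entry(20, "permit", "0.0.0.0/0", le=32),
]

# "ip prefix-list default ..." applied inbound on R7 (allow-list, implicit deny).
DEFAULT_IN = [
    Entry(5, "permit", "10.0.0.0/8"),
    Entry(10, "permit", "172.16.0.0/16"),
    Entry(15, "permit", "192.168.10.0/24"),
]

# The alternative from the text: deny 0.0.0.0 and allow everything else.
# Sequence numbers are assumed.
ALT_IN = [
    Entry(5, "deny", "0.0.0.0/0"),
    Entry(10, "permit", "0.0.0.0/0", le=32),
]

# Constructed samples: prefixes R2 could offer to R7, and prefixes R7 holds.
OFFERED_BY_R2 = ["0.0.0.0/0", "10.0.0.0/8", "172.16.0.0/16",
                 "192.168.10.0/24", "10.10.10.0/24", "172.16.1.0/24"]
R7_LOCAL = ["130.0.1.0/24", "208.1.1.1/32", "172.16.4.0/24",
            "172.16.0.0/16", "10.0.0.0/8", "192.168.10.0/24"]

if __name__ == "__main__":
    print("in, allow-list :", permitted(DEFAULT_IN, OFFERED_BY_R2))
    print("in, deny-list  :", permitted(ALT_IN, OFFERED_BY_R2))
    print("out, null list :", permitted(NULL_OUT, R7_LOCAL))
```

The allow-list form drops anything not named, including a leaked more-specific such as 10.10.10.0/24, while the deny-list form blocks only the default route and accepts every other prefix the neighbor offers.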
Task 4 (Routing Table): Make sure the routing tables for R2, R3, R7, and R8 look the same
in your configuration.
R2:
Gateway of last resort is 172.16.5.7 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
D 172.16.4.8/32 [90/258169856] via 172.16.5.7, 00:12:43, Serial0/0/0.3
D 172.16.4.0/24 [90/258169856] via 172.16.5.7, 00:12:43, Serial0/0/0.3
C 172.16.5.0/24 is directly connected, Serial0/0/0.3
D 172.16.6.0/24 [90/2170112] via 192.168.10.3, 00:12:42, FastEthernet0/0
C 172.16.1.0/24 is directly connected, Serial0/0/0.1
C 172.16.2.0/24 is directly connected, Serial0/0/0.2
D 172.16.4.7/32 [90/258170112] via 192.168.10.3, 00:12:44, FastEthernet0/0
D 172.16.3.0/24 [90/2170112] via 192.168.10.6, 00:12:44, FastEthernet0/0
                [90/2170112] via 192.168.10.5, 00:12:44, FastEthernet0/0
                [90/2170112] via 192.168.10.3, 00:12:44, FastEthernet0/0
130.0.0.0/24 is subnetted, 6 subnets
D 130.0.2.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D 130.0.3.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D 130.0.1.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D 130.0.6.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D 130.0.4.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
D 130.0.5.0 [90/2297856] via 172.16.5.7, 00:12:46, Serial0/0/0.3
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.13.13.0/24 [90/153856] via 192.168.10.3, 00:13:52, FastEthernet0/0
C 10.12.12.0/24 is directly connected, Loopback1
D 10.10.10.0/24 [90/2174869503] via 172.16.1.1, 00:12:46, Serial0/0/0.1
D 10.0.0.0/8 [90/26112] via 192.168.10.1, 00:12:45, FastEthernet0/0
131.0.0.0/24 is subnetted, 6 subnets
D 131.0.3.0 [90/2298112] via 192.168.10.3, 00:12:45, FastEthernet0/0
D 131.0.2.0 [90/2298112] via 192.168.10.3, 00:12:45, FastEthernet0/0
D 131.0.1.0 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
D 131.0.6.0 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
D 131.0.5.0 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
D 131.0.4.0 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
208.1.1.0/32 is subnetted, 2 subnets
D 208.1.1.1 [90/2297856] via 172.16.5.7, 00:12:47, Serial0/0/0.3
D 208.1.1.2 [90/2298112] via 192.168.10.3, 00:12:46, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 172.16.5.7
R3:
Gateway of last resort is 172.16.6.8 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
D 172.16.4.8/32 [90/258170112] via 192.168.10.2, 00:14:31, FastEthernet0/0
D 172.16.4.0/24 [90/258169856] via 172.16.6.8, 00:14:31, Serial0/0/0.3
D 172.16.5.0/24 [90/2170112] via 192.168.10.2, 00:14:31, FastEthernet0/0
C 172.16.6.0/24 is directly connected, Serial0/0/0.3
C 172.16.1.0/24 is directly connected, Serial0/0/0.1
D 172.16.2.0/24 [90/2170112] via 192.168.10.9, 00:14:32, FastEthernet0/0
D 172.16.4.7/32 [90/258169856] via 172.16.6.8, 00:14:31, Serial0/0/0.3
C 172.16.3.0/24 is directly connected, Serial0/0/0.2
130.0.0.0/24 is subnetted, 6 subnets
D 130.0.2.0 [90/2298112] via 192.168.10.2, 00:14:32, FastEthernet0/0
D 130.0.3.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
D 130.0.1.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
D 130.0.6.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
D 130.0.4.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
D 130.0.5.0 [90/2298112] via 192.168.10.2, 00:14:33, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.13.13.0/24 is directly connected, Loopback1
D 10.12.12.0/24 [90/153856] via 192.168.10.2, 00:14:39, FastEthernet0/0
D 10.10.10.0/24 [90/2174869503] via 172.16.1.1, 00:14:34, Serial0/0/0.1
D 10.0.0.0/8 [90/26112] via 192.168.10.1, 00:14:33, FastEthernet0/0
131.0.0.0/24 is subnetted, 6 subnets
D 131.0.3.0 [90/2297856] via 172.16.6.8, 00:14:32, Serial0/0/0.3
D 131.0.2.0 [90/2297856] via 172.16.6.8, 00:14:32, Serial0/0/0.3
D 131.0.1.0 [90/2297856] via 172.16.6.8, 00:14:32, Serial0/0/0.3
D 131.0.6.0 [90/2297856] via 172.16.6.8, 00:14:34, Serial0/0/0.3
D 131.0.5.0 [90/2297856] via 172.16.6.8, 00:14:34, Serial0/0/0.3
D 131.0.4.0 [90/2297856] via 172.16.6.8, 00:14:34, Serial0/0/0.3
208.1.1.0/32 is subnetted, 2 subnets
D 208.1.1.1 [90/2298112] via 192.168.10.2, 00:14:34, FastEthernet0/0
D 208.1.1.2 [90/2297856] via 172.16.6.8, 00:14:34, Serial0/0/0.3
S* 0.0.0.0/0 [1/0] via 172.16.6.8
R7:
Gateway of last resort is not set
D 192.168.10.0/24 [90/2170112] via 172.16.5.2, 01:07:04, Serial0/0/0.1
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
C 172.16.4.8/32 is directly connected, Serial0/0/1
C 172.16.4.0/24 is directly connected, Serial0/0/1
C 172.16.5.0/24 is directly connected, Serial0/0/0.1
D 172.16.0.0/16 [90/2681856] via 172.16.5.2, 01:07:03, Serial0/0/0.1
130.0.0.0/24 is subnetted, 6 subnets
C 130.0.2.0 is directly connected, Loopback0
C 130.0.3.0 is directly connected, Loopback0
C 130.0.1.0 is directly connected, Loopback0
C 130.0.6.0 is directly connected, Loopback0
C 130.0.4.0 is directly connected, Loopback0
C 130.0.5.0 is directly connected, Loopback0
D 10.0.0.0/8 [90/2170368] via 172.16.5.2, 00:16:06, Serial0/0/0.1
208.1.1.0/32 is subnetted, 1 subnets
C 208.1.1.1 is directly connected, Loopback2
R8:
Gateway of last resort is not set
D 192.168.10.0/24 [90/2170112] via 172.16.6.3, 01:08:33, Serial0/0/0.1
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
C 172.16.4.0/24 is directly connected, Serial0/0/1
C 172.16.6.0/24 is directly connected, Serial0/0/0.1
D 172.16.0.0/16 [90/2681856] via 172.16.6.3, 01:08:33, Serial0/0/0.1
C 172.16.4.7/32 is directly connected, Serial0/0/1
D 10.0.0.0/8 [90/2170368] via 172.16.6.3, 00:17:33, Serial0/0/0.1
131.0.0.0/24 is subnetted, 6 subnets
C 131.0.3.0 is directly connected, Loopback0
C 131.0.2.0 is directly connected, Loopback0
C 131.0.1.0 is directly connected, Loopback0
C 131.0.6.0 is directly connected, Loopback0
C 131.0.5.0 is directly connected, Loopback0
C 131.0.4.0 is directly connected, Loopback0
208.1.1.0/32 is subnetted, 1 subnets
C 208.1.1.2 is directly connected, Loopback2
Task 5 (Testing): Ping test connectivity to every IP address from Sw3.
On a switch we need to use a macro:
Step 1: Sw4(config)#macro name PING
Enter macro commands one per line. End with the character '@'.
do ping 10.3.3.1
do ping 10.3.3.2
do ping 10.4.4.1
do ping 10.4.4.2
do ping 10.5.5.1
do ping 10.5.5.2
do ping 10.6.6.1
do ping 10.6.6.2
do ping 10.7.7.1
do ping 10.7.7.2
do ping 10.8.8.1
do ping 10.8.8.2
do ping 10.9.9.1
do ping 10.9.9.2
do ping 192.168.10.1
do ping 192.168.10.2
do ping 192.168.10.3
do ping 192.168.10.5
do ping 192.168.10.6
do ping 192.168.10.9
do ping 172.16.1.2
do ping 172.16.1.3
do ping 172.16.2.2
do ping 172.16.2.9
do ping 172.16.3.3
do ping 172.16.3.5
do ping 172.16.3.6
do ping 172.16.5.2
do ping 172.16.5.7
do ping 172.16.6.3
do ping 172.16.6.8
do ping 10.10.10.1
do ping 10.12.12.1
do ping 10.13.13.1
do ping 208.1.1.1
do ping 208.1.1.2
@
Step 2: Sw4(config)#macro global apply PING
SW1:
Sw1#sh ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(192.168.10.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 0.0.0.0/0, 2 successors, FD is 2560000512
via 192.168.10.2 (2560000512/2560000256), Vlan10, serno 67
via 192.168.10.3 (2560000512/2560000256), Vlan10
P 10.13.13.0/24, 1 successors, FD is 130816
via 192.168.10.3 (130816/128256), Vlan10
P 10.12.12.0/24, 1 successors, FD is 130816
via 192.168.10.2 (130816/128256), Vlan10
P 10.10.10.0/24, 1 successors, FD is 130816
via 10.6.6.2 (130816/128256), Vlan6
P 10.6.6.0/30, 1 successors, FD is 2816
via Connected, Vlan6
P 10.0.0.0/8, 1 successors, FD is 2816
via Summary (2816/0), Null0
P 10.7.7.0/30, 3 successors, FD is 3072
via 10.5.5.2 (3072/2816), Vlan5
via 10.3.3.2 (3072/2816), Vlan3
via 10.4.4.2 (3072/2816), Vlan4
P 10.9.9.0/30, 1 successors, FD is 3072
via 10.8.8.2 (3072/2816), Vlan8
P 10.11.11.0/30, 3 successors, FD is 3072
via 10.3.3.2 (3072/2816), Vlan3
via 10.4.4.2 (3072/2816), Vlan4
via 10.5.5.2 (3072/2816), Vlan5
P 10.8.8.0/30, 1 successors, FD is 2816
via Connected, Vlan8
P 10.5.5.0/30, 1 successors, FD is 2816
via Connected, Vlan5
P 10.3.3.0/24, 1 successors, FD is 2816
via Connected, Vlan3
P 10.4.4.0/24, 1 successors, FD is 2816
via Connected, Vlan4
P 192.168.10.0/24, 1 successors, FD is 2816
via Connected, Vlan10
P 150.2.3.7/32, 1 successors, FD is 2560000512
via 192.168.10.2 (2560000512/2560000256), Vlan10
P 149.3.3.0/24, 0 successors, FD is Inaccessible
via 192.168.10.3 (130816/128256), Vlan10
P 150.3.3.0/24, 1 successors, FD is 130816
via 192.168.10.3 (130816/128256), Vlan10
P 150.2.2.0/24, 0 successors, FD is Inaccessible
via 192.168.10.2 (130816/128256), Vlan10
P 150.1.1.0/24, 1 successors, FD is 130816
via 192.168.10.2 (130816/128256), Vlan10
P 151.3.3.0/24, 0 successors, FD is Inaccessible
via 192.168.10.3 (130816/128256), Vlan10
P 151.2.2.0/24, 0 successors, FD is Inaccessible
via 192.168.10.2 (130816/128256), Vlan10
P 152.3.3.0/24, 0 successors, FD is Inaccessible
via 192.168.10.3 (130816/128256), Vlan10
P 152.2.2.0/24, 0 successors, FD is Inaccessible
via 192.168.10.2 (130816/128256), Vlan10
P 150.8.8.8/32, 1 successors, FD is 2560000512
via 192.168.10.3 (2560000512/2560000256), Vlan10
P 172.16.5.0/24, 1 successors, FD is 2170112
via 192.168.10.2 (2170112/2169856), Vlan10
P 172.16.6.0/24, 1 successors, FD is 2170112
via 192.168.10.3 (2170112/2169856), Vlan10
P 172.16.1.0/24, 1 successors, FD is 2170112
via 10.6.6.2 (2170112/2169856), Vlan6
P 172.16.2.0/24, 1 successors, FD is 2170112
via 192.168.10.9 (2170112/2169856), Vlan10
P 172.16.3.0/24, 3 successors, FD is 2170112
via 192.168.10.6 (2170112/2169856), Vlan10
via 192.168.10.3 (2170112/2169856), Vlan10
Day 1
Redundancy
Hot Standby Router Protocol (HSRP)
Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for
establishing a fault-tolerant default gateway. The protocol establishes a framework between
network routers in order to achieve default gateway failover if the primary gateway should
become inaccessible, in close association with a rapid-converging routing protocol like EIGRP
or OSPF. By multicasting packets, HSRP sends its hello messages to the multicast address
224.0.0.2 (all routers) using UDP port 1985, to other HSRP-enabled routers, defining priority
between the routers. The primary router with the highest configured priority will act as a
virtual router with its own IP and MAC address, which the hosts on the local segment will be
configured to use as a gateway to the destination in question. If the primary router should
fail, or the link to the destination drop, the router with the next-highest priority would take
over communications through alternative routes within seconds, without major interruption to
network connectivity.
HSRP is not a routing protocol as it does not advertise IP routes or affect the routing table in
any way. By using HSRP, a set of routers works in concert to present the illusion of a single
virtual router to the hosts on a LAN. This set is known as an HSRP group or a standby group.
A single router elected from the group is responsible for forwarding the packets that hosts
send to the virtual router. This router is known as the Active router. Another router is elected
as the Standby router. In the event that the Active router fails, the Standby assumes the
packet-forwarding duties of the Active router. Although an arbitrary number of routers may
run HSRP, only the Active router forwards the packets sent to the virtual router. To minimize
network traffic, only the Active and Standby routers send periodic
HSRP messages once the protocol has completed the election process. If the Active router
fails, the Standby router takes over as the Active router. If the Standby router fails or
becomes the Active router, then another router is elected as the Standby router. On a
particular LAN, multiple hot standby groups may coexist and overlap. Each standby group
emulates a single virtual router. The individual routers may participate in multiple groups. In
this case, the router maintains separate state and timers for each group. Each standby group
has a single, well-known MAC address, as well as an IP address.
HSRP is designed for networks that require continuous access to resources off the local
network. The default HSRP priority is 100, and the router with the higher priority
is designated as the primary (active) router.
HSRP routers exchange three types of multicast messages:

• Hello—The hello message passes HSRP priority and state information. It also acts
  as a heartbeat on the primary, making sure the others know it’s alive. By default,
  hello messages are sent at three second intervals.
• Coup—When a standby router takes over the function of an active router, a coup
  message is sent.
• Resign—When the active router is about to shut down, or when a router with a
  higher priority sends its hello message, the active router will send out a resign
  message.
At any time, HSRP-configured routers are in one of the following states:

• Active—The router is doing what it does, route.
• Standby—Waiting, waiting, waiting.
• Speaking and listening—The router is sending and receiving hello messages.
• Listening—The router is receiving hello messages.
The following example configures an SVI to have a virtual IP address of 10.2.2.1,
which would be used as a default gateway for end-devices. This router’s priority is 120, and if
it has the highest priority then after a failure the virtual IP should become active on it after a
delay of 300 seconds. The hello timer has been set to 5 seconds, with a 15-second hold time
causing a standby switchover.
configure terminal
interface vlan 2
standby ip 10.2.2.1
standby priority 120 preempt delay 300
standby timers 5 15
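The hello, coup and resign messages described above, as an added example that is not part of the workbook: a Python parser for the 20-byte HSRP version 1 payload (field layout from RFC 2281) that checks each message against the intended design. The virtual IP 10.2.2.1 and priority 120 come from the configuration above; the speaker addresses 10.2.2.2 and 10.2.2.3, the peer priority of 100, the address 10.2.2.50 and all sample payloads are assumptions constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# HSRP v1 payload (RFC 2281), sent to 224.0.0.2 on UDP port 1985:
# version, opcode, state, hellotime, holdtime, priority, group, reserved,
# 8 bytes of authentication data, 4 bytes of virtual IP address.
HSRP_V1 = struct.Struct("!8B8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


@dataclass(frozen=True)
class HsrpMessage:
    src: str
    opcode: str
    state: str
    hello: int
    hold: int
    priority: int
    group: int
    auth: bytes
    vip: str


def parse_hsrp(src: str, payload: bytes) -> HsrpMessage:
    if len(payload) < HSRP_V1.size:
        raise ValueError("payload shorter than an HSRP v1 message")
    ver, op, state, hello, hold, prio, group, _rsvd, auth, vip = HSRP_V1.unpack(
        payload[:HSRP_V1.size])
    if ver != 0:
        raise ValueError("version field is not 0 (HSRP v1)")
    if op not in OPCODES or state not in STATES:
        raise ValueError("unknown opcode or state value")
    return HsrpMessage(src, OPCODES[op], STATES[state], hello, hold, prio,
                       group, auth.rstrip(b"\x00"), socket.inet_ntoa(vip))


# Intended design: group 0, virtual IP 10.2.2.1. Speaker addresses and the
# peer's priority are assumptions; 120 is the priority configured above.
EXPECTED = {0: {"vip": "10.2.2.1", "speakers": {"10.2.2.2": 120, "10.2.2.3": 100}}}


def audit(msg: HsrpMessage, expected: dict = EXPECTED) -> List[str]:
    """Compare one parsed message with the design and list any deviations."""
    design = expected.get(msg.group)
    if design is None:
        return [f"group {msg.group} is not part of the design"]
    findings = []
    if msg.vip != design["vip"]:
        findings.append(f"virtual IP {msg.vip} differs from designed {design['vip']}")
    configured = design["speakers"].get(msg.src)
    if configured is None:
        findings.append(f"{msg.opcode} from unexpected speaker {msg.src}")
    elif msg.priority > configured:
        # Tracking can only lower a priority, so a higher value is a deviation.
        findings.append(f"priority {msg.priority} exceeds configured {configured} for {msg.src}")
    return findings


def sample_payload(op: int, state: int, prio: int, vip: str = "10.2.2.1") -> bytes:
    """Build a constructed payload: timers 5/15, group 0, RFC default auth 'cisco'."""
    return HSRP_V1.pack(0, op, state, 5, 15, prio, 0, 0, b"cisco", socket.inet_aton(vip))


# Constructed capture: (source address, UDP payload).
CAPTURE: List[Tuple[str, bytes]] = [
    ("10.2.2.2", sample_payload(0, 16, 120)),   # Hello, Active
    ("10.2.2.3", sample_payload(0, 8, 100)),    # Hello, Standby
    ("10.2.2.50", sample_payload(1, 16, 200)),  # Coup from an address not in the design
]


def audit_capture(capture: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    return {src: audit(parse_hsrp(src, payload)) for src, payload in capture}


if __name__ == "__main__":
    for src, findings in audit_capture(CAPTURE).items():
        print(src, findings or "matches design")
```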
Virtual Router Redundancy Protocol (VRRP)
Virtual Router Redundancy Protocol (VRRP) is a non-proprietary (VENDOR NEUTRAL)
redundancy protocol designed to increase the availability of the default gateway servicing
hosts on the same subnet. This increased reliability is achieved by advertising a "virtual
router" (an abstract representation of master and backup routers acting as a group) as a
default gateway to the host(s) instead of one physical router. Two or more physical routers
are then configured to stand for the virtual router, with only one doing the actual routing at
any given time. If the current physical router that is routing the data on behalf of the virtual
router fails, an arrangement is made for another physical router to automatically replace it.
The physical router that is currently forwarding data on behalf of the virtual router is called
the master router. Physical routers standing by to take over from the master router in case
something goes wrong are called backup routers. VRRP can be used over Ethernet, MPLS and
token ring networks. Implementations for IPv6 are in development, but not yet available. The
VRRP protocol is more widely implemented than its competitors. Vendors like Extreme
Networks, Dell, Nokia, Nortel Networks, Cisco Systems, Inc, Allied Telesis, Juniper Networks,
Huawei, Foundry Networks, Radware and 3Com Corporation all offer routers and Layer 3
switches that can use the VRRP protocol. VRRP implementations for Linux and BSD are also
available. VRRP is not a routing protocol as it does not advertise IP routes or affect the
routing table in any way.
The following is an example of a router with an IP address of 10.2.2.2 and using a virtual IP
of 10.2.2.1 as a gateway for end-devices.
interface vlan 2
ip address 10.2.2.2
vrrp 1 ip 10.2.2.1
vrrp 1 priority 150
vrrp 1 timers advertise 4
Gateway Load Balancing Protocol (GLBP)
Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that attempts to
overcome the limitations of existing redundant router protocols by adding basic load
balancing functionality. In addition to being able to set priorities on different gateway routers,
GLBP also allows a weighting parameter to be set. Based on this weighting (compared to
others in the same virtual router group), ARP requests will be answered with MAC addresses
pointing to different routers. Thus, load balancing is not based on traffic load, but rather on
the number of hosts that will use each gateway router.
The Active Virtual Gateway (AVG) maintains a table mapping the Virtual Gateway IP address to the
mac-addresses of the Active Virtual Forwarders (AVF). When an end host ARPs, the
AVG decides which AVF’s mac-address to return in the ARP reply. In other words, devices
will be equally divided between multiple routers with unique mac-addresses but sharing a
common virtual IP address. This way DHCP can hand out a single gateway address while the
AVG provides the load balancing mechanism.
The following shows a basic GLBP configuration:
Router 1
track 30 interface Serial3/0 line-protocol up delay 30
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
duplex full
glbp 1 ip 10.1.1.10
glbp 1 weighting 100 lower 95
glbp 1 weighting track 30
glbp 1 forwarder preempt delay minimum 0
Router 2
track 30 interface Serial3/0 line-protocol up delay 30
!
interface FastEthernet1/0
ip address 10.1.1.2 255.255.255.0
duplex full
glbp 1 ip 10.1.1.10
glbp 1 priority 95
glbp 1 weighting 100 lower 95
glbp 1 weighting track 30
glbp 1 forwarder preempt delay minimum 0
*Note: at the time of writing this workbook, the 3560s do not support the GLBP feature.
HSRP Lab
HSRP: Tasks
Task 1 (HSRP): Configure redundancy, such that Sw1 is the gateway for devices on Vlan 3
and Sw2 is the gateway for devices on Vlan 4. If there is a failover and recovery make the
routers wait 1 minute prior to reverting back to the primary. Both routers must track their
connection to R1.
HSRP: Answers
Task 1 (HSRP): The answer is to make Sw1 the active router for Vlan 3 and Sw2 the active
router for Vlan 4. Both routers need the track command to monitor the status of their connection to R1.
Sw1:
interface Vlan3
description Vlan3_trunked
ip address 10.3.3.1 255.255.255.0
standby ip 10.3.3.254
standby priority 255
standby preempt delay minimum 60
standby name Vlan3
standby track FastEthernet0/1
!
interface Vlan4
description Vlan4_trunked
ip address 10.4.4.1 255.255.255.0
standby 1 ip 10.4.4.254
standby 1 name Vlan4
Sw1#sh standby
Vlan3 - Group 0
State is Active
2 state changes, last state change 01:44:56
Virtual IP address is 10.3.3.254
Active virtual MAC address is 0000.0c07.ac00
Local virtual MAC address is 0000.0c07.ac00 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.935 secs
Preemption enabled, delay min 60 secs
Active router is local
Standby router is 10.3.3.2, priority 100 (expires in 7.207 sec)
Priority 255 (configured 255)
Track interface FastEthernet0/1 state Up decrement 10
IP redundancy name is "Vlan3" (cfgd)
Vlan4 - Group 1
State is Standby
1 state change, last state change 01:44:37
Virtual IP address is 10.4.4.254
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.733 secs
Preemption disabled
Active router is 10.4.4.2, priority 255 (expires in 7.961 sec)
Standby router is local
Priority 100 (default 100)
IP redundancy name is "Vlan4" (cfgd)
Sw1#
Sw2:
interface Vlan4
standby 1 ip 10.4.4.254
standby 1 priority 255
standby 1 preempt delay minimum 60
standby 1 name Vlan4
standby 1 track FastEthernet0/1
!
interface Vlan3
standby ip 10.3.3.254
standby name Vlan3
SW2#sh standby
Vlan3 - Group 0
State is Standby
1 state change, last state change 01:46:08
Virtual IP address is 10.3.3.254
Active virtual MAC address is 0000.0c07.ac00
Local virtual MAC address is 0000.0c07.ac00 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.557 secs
Preemption disabled
Active router is 10.3.3.1, priority 255 (expires in 7.274 sec)
Standby router is local
Priority 100 (default 100)
IP redundancy name is "Vlan3" (cfgd)
Vlan4 - Group 1
State is Active
2 state changes, last state change 01:46:29
Virtual IP address is 10.4.4.254
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.970 secs
Preemption enabled, delay min 60 secs
Active router is local
Standby router is 10.4.4.1, priority 100 (expires in 8.482 sec)
Priority 255 (configured 255)
Track interface FastEthernet0/1 state Up decrement 10
IP redundancy name is "Vlan4" (cfgd)
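The priority arithmetic behind the tracking configuration above, as an added example that is not part of the workbook: a simplified Python model of one HSRP group using the Vlan3 values from the `show standby` output (Sw1 priority 255 with preempt and a track decrement of 10, Sw2 priority 100 without preempt). The `Member` class and the function names are hypothetical, and equal priorities and the preempt delay are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Member:
    name: str
    priority: int              # configured "standby priority"
    preempt: bool = False      # "standby preempt" configured for this group
    track_decrement: int = 0   # "standby track" decrement, 0 = no tracking
    tracked_up: bool = True    # state of the tracked interface
    alive: bool = True         # still sending hellos on the VLAN

    @property
    def effective(self) -> int:
        """Priority advertised in hellos after any tracking decrement."""
        lost = 0 if self.tracked_up else self.track_decrement
        return max(self.priority - lost, 0)


def settle(active: Member, members: List[Member]) -> Member:
    """Return the Active router once the group is stable again."""
    alive = [m for m in members if m.alive]
    if not alive:
        raise ValueError("no HSRP speaker left in the group")
    if not active.alive:
        # Hold time expired: the best remaining router takes over.
        active = max(alive, key=lambda m: m.effective)
    # A live Active router is displaced only by a router that has preempt
    # configured AND advertises a strictly higher priority.
    challengers = [m for m in alive
                   if m is not active and m.preempt and m.effective > active.effective]
    return max(challengers, key=lambda m: m.effective) if challengers else active


def min_decrement(active: Member, standby: Member) -> Optional[int]:
    """Smallest track decrement on `active` that hands the role to `standby`,
    or None when `standby` cannot preempt at all."""
    if not standby.preempt:
        return None
    return max(active.priority - standby.effective + 1, 0)


def vlan3(sw2_preempt: bool = False, decrement: int = 10) -> Tuple[Member, Member]:
    """The Vlan3 group as shown in the show standby output above."""
    sw1 = Member("Sw1", 255, preempt=True, track_decrement=decrement)
    sw2 = Member("Sw2", 100, preempt=sw2_preempt)
    return sw1, sw2


def uplink_failure(sw2_preempt: bool = False, decrement: int = 10) -> Tuple[str, int]:
    """Tracked interface on Sw1 goes down: who is Active, and Sw1's priority."""
    sw1, sw2 = vlan3(sw2_preempt, decrement)
    sw1.tracked_up = False
    return settle(sw1, [sw1, sw2]).name, sw1.effective


def switch_failure_and_return() -> Tuple[str, str]:
    """Sw1 stops sending hellos, then comes back: Active during and after."""
    sw1, sw2 = vlan3()
    sw1.alive = False
    during = settle(sw1, [sw1, sw2])
    sw1.alive = True
    after = settle(during, [sw1, sw2])
    return during.name, after.name


if __name__ == "__main__":
    print("uplink down, as configured     :", uplink_failure())
    print("uplink down, Sw2 preempt       :", uplink_failure(sw2_preempt=True))
    print("uplink down, preempt + dec 156 :", uplink_failure(True, 156))
    print("Sw1 fails, then returns        :", switch_failure_and_return())
```

With the values in the output above, losing FastEthernet0/1 leaves Sw1 at priority 245 and still Active for Vlan3; in this model the role moves only when Sw2 has preempt on the group and the decrement is at least 156.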
Day 2
OSPF
OSPF is a Link State routing protocol that uses Dijkstra’s shortest path first (SPF) algorithm.
OSPF is an open standard (following RFC 1253) and is often used in multi-vendor
environments.
Several of OSPF’s advantages include fast convergence, classless routing, VLSM support,
authentication support, support for much larger inter-networks, the use of areas to minimize
routing protocol traffic, and a hierarchical design.
Other OSPF Features:
• Equal cost load balancing
• Multicast routing updates
• Route tagging for tagging of external routing information
• Classless behavior, which allows the use of discontiguous networks
OSPF Network Types
• Intra-area—Traffic passed between routers within a single area.
• Inter-area—Traffic passed between routers in different areas.
• External—Traffic passed between an OSPF router and a router in another
autonomous system.
– Type 2 Externals use a cost defined at redistribution (default)
– Type 1 Externals calculate the actual cost with OSPF
Networks can be added to OSPF by three different methods:
1. Network command – network 1.1.1.0 0.0.0.255 area 0
2. Redistribute connected
3. Under the interface - ip ospf 1 area 2
RID
The OSPF router ID (RID) identifies an OSPF neighbor. It is a 32-bit identifier written in
dotted decimal, but it does not have to be a routable IP address.
The value 223.255.255.255 is the highest possible router ID. Statically setting the router ID is
preferred to allowing the router to choose the ID. If a RID is not configured, then the router will
do the following after an OSPF process is first started, cleared, or the router is rebooted:
• Uses the highest IP address of all configured loopbacks
• If no loopback is present, it uses the highest IP address of an interface
If interfaces are added later, the router could choose a different RID after a reboot. Since the
RID is used for virtual-link commands, DR election, and must be the same as a BGP RID when
synchronization is enabled, it is recommended to manually control the RID.
Note* Highest Router ID wins DR election – Priority can offset election
To configure a RID under the OSPF process, enter the following:
router-id 1.1.1.1
LSA
There are 4 general LSAs:
• Router LSAs (Type 1 LSAs) describe the routers attached to a network.
• Network LSAs (Type 2 LSAs) describe the networks attached to an OSPF router.
• Summary LSAs (Type 3 and Type 4 LSAs) condense routing information at area
borders.
• External LSAs (Type 5 and Type 7 LSAs) describe routes to external networks.
Type 1 LSAs are router link advertisements that are passed within an area by all OSPF
routers. They describe the router links to the network. Type 1 LSAs are only flooded within a
particular area.
Type 2 LSAs are network link advertisements that are flooded within an area by the
Designated Router. They describe ALL the routers attached to specific networks including the
DR. These LSAs are flooded only in the originating area.
Type 3 LSAs are summary link advertisements that are passed between areas. They describe
the networks within an area.
Type 4 LSAs are summary link advertisements that are passed between areas. They describe
the path to the ASBR. Type 4 LSAs do not get flooded into stub areas.
Type 5 LSAs are passed between and flooded into areas by ASBRs. They describe routes
external to the AS. Stub areas and NSSAs do not receive these LSAs.
Type 7 LSAs are NSSA AS-external routes that are flooded by the ASBR. They are similar to
Type 5 LSAs, but unlike Type 5 LSAs, which are flooded into multiple areas, Type 7 LSAs are
only flooded into NSSAs. Type 7 LSAs are converted to Type 5 LSAs by ABRs before being
flooded into the area backbone.
Area types
Normal Areas: These areas can either be standard areas or transit (backbone) areas.
Standard areas are defined as areas that can accept intra-area, inter-area and external
routes. The backbone area is the central area to which all other areas in OSPF connect.
Note: Intra-area routes refer to updates that are passed within the area. Inter-area routes
refer to updates that are passed between areas. External routes refer to updates passed from
another routing protocol into the OSPF domain by the Autonomous System Border Router
(ASBR).
Stub Areas: These areas do not accept routes belonging to external autonomous systems
(AS); however, these areas have inter-area and intra-area routes. In order to reach the
outside networks, the routers in the stub area use a default route which is injected into the
area by the Area Border Router (ABR). A stub area is typically configured in situations where
the branch office need not know about all the routes to every other office, instead it could use
a default route to the central office and get to other places from there. Hence the memory
requirements of the leaf node routers are reduced, and so is the size of the OSPF database.
To define an area as a stub area, use the OSPF router configuration command, area <area
id> stub
Totally Stub Areas: These areas do not allow routes other than intra-area and the default
routes to be propagated within the area. The ABR injects a default route into the area and all
the routers belonging to this area use the default route to send any traffic outside the area.
To define a totally stub area, use the OSPF router configuration command, area <area id>
stub no-summary, on the ABR.
NSSA: This type of area allows the flexibility of importing a few external routes into the area
while still trying to retain the stub characteristic. Assume that one of the routers in the stub
area is connected to an external AS running a different routing protocol, it now becomes the
ASBR, and hence the area can no more be called a stub area. However, if the area is
configured as a NSSA, then the ASBR generates a NSSA external link-state advertisement
(LSA) (Type-7) which can be flooded throughout the NSSA area. These Type-7 LSAs are
converted into Type-5 LSAs at the NSSA ABR and flooded throughout the OSPF domain.
External network LSAs (type 5), redistributed from other routing protocols into OSPF, are not
permitted to flood into a stub area.
To define a NSSA, use the OSPF router configuration command, area <area id> nssa
If you desire to allow a 0.0.0.0 into the NSSA area in addition to the Type 3 and 4 summaries,
then configure area <area id> nssa default-information-originate
Totally NSSA: This area still can send the Type 7 LSAs to the ABR but only receives a 0.0.0.0
default route from the ABR. To configure a Totally NSSA, configure area <area id> nssa no-summary
Summaries
There are two methods for summarizing networks in OSPF:
– Area range used to summarize between OSPF areas. Always done on an ABR
• area 2 range 208.5.50.0 255.255.255.0
– Summary-address used to summarize external routes redistributed into OSPF.
Always done on an ASBR
• summary-address 208.5.50.0 255.255.255.0
Summaries will inject a NULL0 route into the routing table. If you are required to remove the
NULL0 the following commands can be entered for the OSPF process.
• no discard-route internal – used with area range
• no discard-route external – used with summary-address
OSPF Metrics
Every routing protocol has a metric used to prefer one route over the other. For OSPF, the
metric that is used is cost. With OSPF, the cost is a number that is inversely proportional to
the bandwidth of the link. In other words, the higher the cost, the LESS the link is preferred.
The lower the cost, the MORE the link is preferred. By default, OSPF load balances on up to
four equal cost paths.
The formula that OSPF uses to calculate the cost of a link is:
Cost = 100,000,000 / bandwidth of the link
Or
Cost = 10^8 / bandwidth of the link
For example, a 10Mb 10Base-T Ethernet link’s cost would be calculated as:
Cost = 100,000,000 / 10,000,000 = 10
Or
Cost = 10^8 / 10^7 = 10
With this formula, the cost of a 64k Frame Relay link would be 1562 and the default cost of a
T-1 would be 64.
So you may be asking, “what about a 100Mb Ethernet link or a Gigabit Ethernet link?” The
cost of a 100Mb Ethernet link, or faster, when calculated with this formula, ends up being just
1.
Note that the bandwidth of 10^8 is the same as the bandwidth of 100Mb Ethernet, or
1,0000,0000 (commas are placed to show the 8 zeros, in two sets of 4). This value is the
default “reference bandwidth”. This can be changed, thus causing all OSPF cost values to be
changed on that router, with the ospf auto-cost reference-bandwidth command.
To manually change the cost of a link, you would use the following command on the interface
that you wish to change:
ip ospf cost {new cost}
OSPF prefers Intra Area Path over Inter Area Paths.
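A worked check of the cost formula, added here as an example and not part of the workbook: it applies the integer truncation and the floor of 1, shows which link types collapse to the same cost under the default reference bandwidth, and sums costs along a path. The link table and function names are assumptions; the 1544 kbps serial bandwidth is assumed as the IOS default for a serial interface.

```python
from collections import defaultdict

DEFAULT_REFERENCE_BPS = 10**8   # default reference bandwidth from the text
MAX_COST = 65535                # interface cost is a 16-bit value


def ospf_cost(bandwidth_bps, reference_bps=DEFAULT_REFERENCE_BPS):
    """Reference / bandwidth, truncated to an integer, never below 1."""
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be positive")
    return min(MAX_COST, max(1, reference_bps // bandwidth_bps))


def path_cost(link_bandwidths_bps, reference_bps=DEFAULT_REFERENCE_BPS):
    """OSPF path metric: the sum of the outgoing interface costs along the path."""
    return sum(ospf_cost(bw, reference_bps) for bw in link_bandwidths_bps)


def cost_collisions(links, reference_bps=DEFAULT_REFERENCE_BPS):
    """Return {cost: [link names]} for links of different speed that share a cost."""
    by_cost = defaultdict(list)
    for name, bandwidth in links.items():
        by_cost[ospf_cost(bandwidth, reference_bps)].append(name)
    return {cost: names for cost, names in by_cost.items() if len(names) > 1}


# Constructed table of the link types the text mentions (bandwidth in bits per second).
LINKS = {
    "64k Frame Relay": 64_000,
    "T-1": 1_544_000,
    "10Base-T": 10_000_000,
    "FastEthernet": 100_000_000,
    "GigabitEthernet": 1_000_000_000,
}

if __name__ == "__main__":
    for reference in (DEFAULT_REFERENCE_BPS, 10**9):
        print(f"reference bandwidth {reference} bps")
        for name, bandwidth in LINKS.items():
            print(f"  {name:16} cost {ospf_cost(bandwidth, reference)}")
        print("  collisions:", cost_collisions(LINKS, reference))
    # FastEthernet hop followed by a serial hop at the assumed 1544 kbps.
    print("FastEthernet + serial path cost:", path_cost([100_000_000, 1_544_000]))
```

With the default reference, FastEthernet and GigabitEthernet are indistinguishable at cost 1; raising the reference to 10^9 separates them. The FastEthernet plus serial path sums to 65, the metric R2 shows for 172.16.6.0 in the Task 4 answer.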
Passive OSPF Interface
With a passive-interface no hello packets are sent and therefore an adjacency will never occur
with this interface.
OSPF Multicast Addresses
• 224.0.0.5 is the all-OSPF routers multicast address
• 224.0.0.6 is the Designated Routers multicast address.
Default Routes
An OSPF router will need a default route itself before injecting a default route into an area,
unless the keyword always is used in the configuration. For example, default-information
originate always.
OSPF Timers
• Default timers for a broadcast network (LAN) are: Hello 10 seconds, Dead 40
seconds.
• Default timers for an NBMA network (Frame Relay) are: Hello 30 seconds, Dead
120 seconds.
Changing the Hello-interval:
interface serial 1/0
ip ospf hello-interval 20 – automatically changes the dead-interval to 80, dead = hello x 4
Changing the Dead-interval:
interface serial 1/0
ip ospf dead-interval 50 – does NOT change the hello-interval
If you desire to change the hello timer from the dead interval, then you must first configure the
following on the interface:
ip ospf dead-interval minimal hello-multiplier
For example – to set the hello to 250ms
ip ospf dead-interval minimal hello-multiplier 4
Virtual Links
Virtual links are used to connect a discontiguous OSPF area 0 together without using a GRE
tunnel. VLs should be avoided in the real world. For lab purposes they are used to connect an area
to the backbone through another area – extension of area 0.
A VL is configured with the router-id, so be careful of what number is being used as the
ID. If authentication is configured on area 0 it must also be configured on the virtual link and
the far side router. OSPF authentication will be covered in Volume II.
The following is an example of configuring one side of a virtual link.
r1lab(config)# router ospf 1
r1lab(config-router)# area 1 virtual-link 2.2.2.2
It is important to note that a VL cannot traverse over a stub area and if you are required to
traverse a VL instead of another connected router with area 0 connectivity you must negate
capability transit on the other router.
OSPF LAB
Scenario
Now that we have successfully configured and tested EIGRP for Turn-key Inc., we can move
on to OSPF. Turn-key would like us to keep EIGRP configured but disabled on the routers in
case we need to roll back. Their desire is for us to enable the same networks in OSPF and for
those networks to be seen as OSPF routes in the routing tables. Turn-key believes in
hierarchical designs so we must build a hierarchy into the OSPF design. The OSPF must
support the Leased Ethernet and Frame Relay networks concurrently and act as a back up if
either were to fail. Again Turn-key’s desire is to use the Leased Ethernet to reach the Branch
Office from the Data Centers.
The following Diagram includes the design for the OSPF topology and Area types:
OSPF Topology
OSPF: OSPF Tasks
Vlans 3,4,5,8,9,11
Task 1 (Basic OSPF): Add the following loop backs:
R1:
Lo1
IP address 10.10.10.1 255.255.255.0
R2:
Lo1
IP address 10.12.12.1 255.255.255.0
R3:
Lo1
IP address 10.13.13.2 255.255.255.0
Add the loop backs and existing networks into OSPF (for the loopbacks use any areas of your
choice) but you can not use redistribute connected or network commands from within the
OSPF process. Create RIDs that are not currently being routed and use network commands to
add networks for the switches at the branch site.
On R7 add the even addresses and on R8 add the Odd. This time you must use redistribute
connected for the loop back IPs but make sure the PPP network is not added. You can use
network commands for the S0/0/0.1. Configure Areas based on the above diagram.
Task 2 (Default Route): Add a new loop back to R7 (208.1.1.1/32) and R8 (208.1.2.2/32)
and make sure these networks are not redistributed into OSPF from connected. Configure R7
and R8 to be available as default routes using per router costs to reach them in OSPF from R3
and R2. Make sure your routers can ping 208.1.1.1/32 and 208.1.2.2/32 and there is no
specific routing table entry for either. Redistribute Rip and OSPF at R8 and only allow
208.1.1.1 and 208.1.2.2 to be exchanged between rip and OSPF.
Task 3 (Redundancy): Ensure that if there were any failures to AREA0 that the rest of the OSPF
topology would be operational. The configuration of GRE tunnels is not an acceptable work
around.
Task 4 (Summaries): Summarize the 10.0.0.0 networks in the branch site to the smallest
bit boundaries and advertise them to the other sites not at the branch office. Do not allow any
null routes in the routing tables or /32 advertised to any neighbors. Leave the three new loop
backs with a /24 subnet in the routing tables; do not try to summarize them with the branch
site.
Task 5 (NBMA): Make sure OSPF is NBMA on the Hub and Spoke and that the hello timer is
250 msec for those interfaces. The hello timer command can not be used to accomplish this.
Task 6 (Testing): Ping test connectivity from R1 to every network.
OSPF: OSPF Answers
Task 1 (Basic OSPF):
Deactivating RIPv2 on all routers except R7 and R8
router rip
version 2
network 10.0.0.0
distance 255
no auto-summary
Sw1:
interface Vlan8
description Vlan8_sw1tosw3
ip address 10.8.8.1 255.255.255.252
ip ospf priority 255 (Needed to force DR election)
ip ospf mtu-ignore (MTU mismatch)
router ospf 1
router-id 1.1.1.10 (Manually set the RIDs to avoid problems later)
log-adjacency-changes
no discard-route internal
area 0 range 10.0.0.0 255.0.0.0
area 2 virtual-link 1.1.1.1
area 4 virtual-link 1.1.1.20
area 4 virtual-link 1.1.1.40
network 10.3.3.1 0.0.0.0 area 4
network 10.4.4.1 0.0.0.0 area 4
network 10.5.5.1 0.0.0.0 area 4
network 10.6.6.1 0.0.0.0 area 2
network 10.7.7.1 0.0.0.0 area 1
network 10.8.8.1 0.0.0.0 area 4
network 192.168.10.1 0.0.0.0 area 0
Sw2:
router ospf 1
router-id 1.1.1.20
log-adjacency-changes
no discard-route internal
area 1 virtual-link 1.1.1.1
area 4 range 10.0.0.0 255.0.0.0
area 4 virtual-link 1.1.1.10
area 4 virtual-link 1.1.1.30
area 4 virtual-link 1.1.1.40
network 10.3.3.2 0.0.0.0 area 4
network 10.4.4.2 0.0.0.0 area 4
network 10.5.5.2 0.0.0.0 area 4
network 10.7.7.1 0.0.0.0 area 1
network 10.11.11.1 0.0.0.0 area 4
Sw3:
interface Vlan9
description vlan9_sw3tosw4
ip address 10.9.9.1 255.255.255.252
ip ospf mtu-ignore (mismatched MTU)
!
router ospf 1
router-id 1.1.1.30
log-adjacency-changes
area 4 virtual-link 1.1.1.20
network 10.8.8.2 0.0.0.0 area 4
network 10.9.9.1 0.0.0.0 area 4
Sw4:
interface Vlan9
description Vlan9_sw3tosw4
ip address 10.9.9.2 255.255.255.252
ip ospf mtu-ignore
!
!
router ospf 1
router-id 1.1.1.40
log-adjacency-changes
area 4 range 10.0.0.0 255.0.0.0
area 4 virtual-link 1.1.1.20
area 4 virtual-link 1.1.1.10
network 10.0.0.0 0.255.255.255 area 4
R1:
interface Loopback1
ip address 10.10.10.1 255.255.255.0
ip ospf network point-to-point (removes /32)
ip ospf 1 area 2 (Alternative to using the network command)
!
interface FastEthernet0/0
description Vlan6_sw1tor1
ip address 10.6.6.2 255.255.255.252
ip ospf 1 area 2
duplex auto
speed auto
!
interface FastEthernet0/1
description Vlan7)sw2tor1
ip address 10.7.7.2 255.255.255.252
ip ospf 1 area 1
duplex auto
speed auto
!
interface Serial0/0/0
description MESH_to_R2_R3
ip address 172.16.1.1 255.255.255.0
encapsulation frame-relay
ip ospf 1 area 0
no frame-relay inverse-arp IP 104
no frame-relay inverse-arp IP 105
no frame-relay inverse-arp IP 106
no frame-relay inverse-arp IP 107
no frame-relay inverse-arp IP 108
no frame-relay inverse-arp IP 109
no frame-relay inverse-arp IP 110
frame-relay lmi-type ansi
!
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
area 0 range 10.0.0.0 255.0.0.0
area 1 virtual-link 1.1.1.20
area 2 virtual-link 1.1.1.10
!
R2:
interface Loopback1
ip address 10.12.12.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 6
!
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.2 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
!!
interface Serial0/0/0.1 multipoint
description MESH_to_R1_R3
ip address 172.16.1.2 255.255.255.0
ip ospf 1 area 0
frame-relay map ip 172.16.1.3 203 broadcast (Mesh PVCs to R3 and R1)
frame-relay map ip 172.16.1.1 201 broadcast
no frame-relay inverse-arp
!
interface Serial0/0/0.2 point-to-point
description P2P-to-BB1
ip address 172.16.2.2 255.255.255.0
ip ospf 1 area 7
frame-relay interface-dlci 209
!
interface Serial0/0/0.3 point-to-point
ip address 172.16.5.2 255.255.255.0
ip rip triggered
ip rip authentication mode md5
ip rip authentication key-chain cisco
ip ospf 1 area 6
frame-relay interface-dlci 207
!
router ospf 1
router-id 1.1.1.2
log-adjacency-changes
area 6 nssa no-summary
redistribute static metric-type 1 subnets
default-information originate metric-type 1
distribute-list prefix area0 in
!
R3:
interface Loopback1
ip address 10.13.13.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 3
!
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.3 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 multipoint
description MESH_to_R1_R2
ip address 172.16.1.3 255.255.255.0
ip ospf 1 area 0
frame-relay map ip 172.16.1.1 301 broadcast
frame-relay map ip 172.16.1.2 302 broadcast
no frame-relay inverse-arp
!
interface Serial0/0/0.2 multipoint
description Hub-and-spoke-R5-R6
ip address 172.16.3.3 255.255.255.0
no ip split-horizon
ip ospf dead-interval minimal hello-multiplier 4
ip ospf 1 area 3
frame-relay map ip 172.16.3.3 305
frame-relay map ip 172.16.3.5 305 broadcast
frame-relay map ip 172.16.3.6 306 broadcast
no frame-relay inverse-arp
!
interface Serial0/0/0.3 point-to-point
description P2P-to-R6
ip address 172.16.6.3 255.255.255.0
ip rip triggered
ip rip authentication mode md5
ip rip authentication key-chain cisco
ip ospf 1 area 5
frame-relay interface-dlci 308
router ospf 1
router-id 1.1.1.3
log-adjacency-changes
area 0 range 10.0.0.0 255.0.0.0
area 3 stub
area 5 nssa
redistribute static metric-type 1 subnets
neighbor 172.16.3.5
neighbor 172.16.3.6
default-information originate metric-type 1
distribute-list prefix area0 in
R5:
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.5 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description Hub-and-spoke-to-R3-R6
ip address 172.16.3.5 255.255.255.0
encapsulation frame-relay
ip ospf dead-interval minimal hello-multiplier 4
ip ospf 1 area 3
frame-relay map ip 172.16.3.3 503 broadcast
frame-relay map ip 172.16.3.5 503 broadcast
frame-relay map ip 172.16.3.6 503 broadcast
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0/1
no ip address
clock rate 2000000
!
router ospf 1
router-id 1.1.1.5
log-adjacency-changes
area 3 stub
neighbor 172.16.3.3 priority 100
distribute-list prefix area0 in
R8:
interface Loopback0
ip address 131.0.2.1 255.255.255.0 secondary
ip address 131.0.3.1 255.255.255.0 secondary
ip address 131.0.4.1 255.255.255.0 secondary
ip address 131.0.5.1 255.255.255.0 secondary
ip address 131.0.6.1 255.255.255.0 secondary
ip address 131.0.1.1 255.255.255.0
ip rip advertise 20
!
interface Loopback2
ip address 208.1.1.2 255.255.255.255
ip rip advertise 20
!
interface Serial0/0/0.1 point-to-point
description P2P-to-R3
ip address 172.16.6.8 255.255.255.0
ip rip triggered
ip rip advertise 20
ip rip authentication mode md5
ip rip authentication key-chain cisco
frame-relay interface-dlci 803
!
interface Serial0/0/1
description PPP-to-R7
ip address 172.16.4.8 255.255.255.0
ip rip advertise 20
encapsulation ppp
ppp authentication chap
!
router ospf 1
router-id 1.1.1.8
log-adjacency-changes
area 5 nssa
redistribute connected metric-type 1 subnets route-map ospf
redistribute rip subnets route-map redist
network 172.16.6.8 0.0.0.0 area 5
!
router rip
version 2
timers basic 20 40 0 120
redistribute ospf 1 metric 1 route-map ospf2rip
passive-interface default
no passive-interface Serial0/0/1
network 172.16.0.0
network 0.0.0.0
neighbor 172.16.6.3
no auto-summary
To view the basic OSPF configurations for R7, R6, and BB1, refer to the answers provided on the
thumb drive.
Task 2 (Default Route): Add a new loop back to R7 (208.1.1.1/32) and R8 (208.1.1.2/32)
and make sure these networks are not redistributed into OSPF.
R7:
interface Loopback2
ip address 208.1.1.1 255.255.255.255
router ospf 1
redistribute connected metric-type 1 subnets route-map ospf
ip access-list standard ospfevens (This access-list does not permit 208.1.1.1)
permit 130.0.0.0 0.0.254.255
!
!
route-map ospf permit 10
match ip address ospfevens
R8: same configuration on R8 except:
ip access-list standard ospfodd (This access-list does not permit 208.1.1.2)
permit 131.0.1.0 0.0.254.255
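How the wildcard mask 0.0.254.255 in ospfevens and ospfodd selects networks, as an added example that is not part of the workbook: a 0 bit in the wildcard must match the base address and a 1 bit is ignored, so only the first two octets and the lowest bit of the third octet are compared. The function names and the R7 sample list are assumptions; the R8 list uses the connected networks configured on this page.

```python
import ipaddress


def wildcard_match(address, base, wildcard):
    """Standard-ACL test: wildcard bits set to 0 must equal the base, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(address))
    ref = int(ipaddress.IPv4Address(base))
    return (addr & care) == (ref & care)


# The single permit line of each access list in the Task 2 answer.
ACLS = {
    "ospfevens": ("130.0.0.0", "0.0.254.255"),
    "ospfodd": ("131.0.1.0", "0.0.254.255"),
}


def permitted(acl_name, networks):
    """Networks the ACL permits; everything else falls to the implicit deny."""
    base, wildcard = ACLS[acl_name]
    return [n for n in networks if wildcard_match(n, base, wildcard)]


# Connected networks on R8 as configured on this page: Loopback0, Loopback2,
# the Frame Relay subinterface and the PPP link.
R8_CONNECTED = ["131.0.1.0", "131.0.2.0", "131.0.3.0", "131.0.4.0", "131.0.5.0",
                "131.0.6.0", "208.1.1.2", "172.16.6.0", "172.16.4.0"]

# Constructed sample for R7, whose interface configuration is not shown here:
# 130.0.x.0 networks with x from 1 to 8, plus the Loopback2 address 208.1.1.1.
R7_CONNECTED = [f"130.0.{x}.0" for x in range(1, 9)] + ["208.1.1.1"]

if __name__ == "__main__":
    for name, networks in (("ospfodd", R8_CONNECTED), ("ospfevens", R7_CONNECTED)):
        allowed = permitted(name, networks)
        denied = [n for n in networks if n not in allowed]
        print(f"{name}: redistributed {allowed}")
        print(f"{name}: filtered     {denied}")
```

The new /32 loopbacks and the PPP network never match either entry, so the route-map keeps them out of the redistribution without an explicit deny line.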
Configure R7 and R8 to be available as default routes using per router costs to reach them in
OSPF from R3 and R2. Make sure your routers can ping 208.1.1.1/32 and 208.1.1.2/32 and
there is no specific routing table entry for either.
R2:
redistribute static metric-type 1 subnets (Redistributes the static route into OSPF as Ex 1)
default-information originate metric-type 1 (Sends the 0.0.0.0 to the other OSPF routers with an EX 1)
ip route 0.0.0.0 0.0.0.0 172.16.5.7 (The gateway of last resort is R7)
R3:
router ospf 1
redistribute static metric-type 1 subnets
default-information originate metric-type 1
ip route 0.0.0.0 0.0.0.0 172.16.6.8
Task 3 (Redundancy): Since AREA 0 has several points of failure in this topology, it is
important to configure virtual links on routers that could potentially become Areas separated
from Area 0. The best way to determine where to place the virtual links is to draw out the
failure scenarios from the OSPF topology. The following VLs were configured for this lab:
SW1
router ospf 1
router-id 1.1.1.10
area 2 virtual-link 1.1.1.1 (to R1)
area 4 virtual-link 1.1.1.20 (to Sw2)
area 4 virtual-link 1.1.1.40 (to Sw4)
SW2
router-id 1.1.1.20
area 1 virtual-link 1.1.1.1 (to R1)
area 4 virtual-link 1.1.1.10 (to Sw1)
area 4 virtual-link 1.1.1.30 (to Sw3)
area 4 virtual-link 1.1.1.40 (to Sw4)
SW4
area 4 virtual-link 1.1.1.20 (to Sw2)
area 4 virtual-link 1.1.1.10 (to Sw1)
R1
area 1 virtual-link 1.1.1.20 (to Sw2)
area 2 virtual-link 1.1.1.10 (to Sw1)
Sw3
area 4 virtual-link 1.1.1.20 (to sw2)
Task 4 (Summaries): Summarize the 10.0.0.0 networks in the branch site to the smallest
bit boundaries and do not allow any null routes in the routing tables or /32 advertised to any
neighbors. Leave the three new loop backs with a /24
Area range is used to summarize the 10.0.0.0 networks from the switches. The following sites
were configured with the area range commands and no discard-route internal to remove the
null0 entry from the routing table:
Sw4:
router ospf 1
no discard-route internal
area 4 range 10.0.0.0 255.0.0.0
Sw2:
router ospf 1
no discard-route internal
area 4 range 10.0.0.0 255.0.0.0
Sw1:
router ospf 1
no discard-route internal
area 0 range 10.0.0.0 255.0.0.0
On all of the routers external to the branch site a distribute list in was needed to filter out the
more specific (longer mask) prefixes.
R2,R3,R5,R6, and BB1
router ospf 1
distribute-list prefix area0 in
ip prefix-list area0 seq 1 permit 10.0.0.0/8
ip prefix-list area0 seq 2 permit 0.0.0.0/32
ip prefix-list area0 seq 3 permit 172.16.0.0/16 le 32
ip prefix-list area0 seq 4 permit 130.0.2.0/24
ip prefix-list area0 seq 5 permit 130.0.4.0/24
ip prefix-list area0 seq 6 permit 130.0.6.0/24
ip prefix-list area0 seq 7 permit 130.0.8.0/24
ip prefix-list area0 seq 8 permit 131.0.1.0/24
ip prefix-list area0 seq 9 permit 131.0.3.0/24
ip prefix-list area0 seq 10 permit 131.0.5.0/24
ip prefix-list area0 seq 11 permit 131.0.7.0/24
ip prefix-list area0 seq 12 permit 10.10.10.0/24
ip prefix-list area0 seq 13 permit 10.11.11.0/24
ip prefix-list area0 seq 14 permit 10.12.12.0/24
ip prefix-list area0 seq 15 permit 10.13.13.0/24
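How the area0 prefix list evaluates a route, as an added example that is not part of the workbook: an entry without ge/le matches only its exact prefix length, le widens the allowed length range, the lowest matching sequence number wins, and anything unmatched hits the implicit deny. The function names and the candidate route list (prefixes that appear on this page) are assumptions; which routes a given router actually receives is not modelled.

```python
import ipaddress
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]


# The area0 prefix list as given in the Task 4 answer.
AREA0_TEXT = """\
ip prefix-list area0 seq 1 permit 10.0.0.0/8
ip prefix-list area0 seq 2 permit 0.0.0.0/32
ip prefix-list area0 seq 3 permit 172.16.0.0/16 le 32
ip prefix-list area0 seq 4 permit 130.0.2.0/24
ip prefix-list area0 seq 5 permit 130.0.4.0/24
ip prefix-list area0 seq 6 permit 130.0.6.0/24
ip prefix-list area0 seq 7 permit 130.0.8.0/24
ip prefix-list area0 seq 8 permit 131.0.1.0/24
ip prefix-list area0 seq 9 permit 131.0.3.0/24
ip prefix-list area0 seq 10 permit 131.0.5.0/24
ip prefix-list area0 seq 11 permit 131.0.7.0/24
ip prefix-list area0 seq 12 permit 10.10.10.0/24
ip prefix-list area0 seq 13 permit 10.11.11.0/24
ip prefix-list area0 seq 14 permit 10.12.12.0/24
ip prefix-list area0 seq 15 permit 10.13.13.0/24
"""


def parse_prefix_list(text):
    """Parse 'ip prefix-list NAME seq N permit|deny P/L [ge X] [le Y]' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            continue
        opts = dict(zip(tok[7::2], (int(v) for v in tok[8::2])))
        entries.append(Entry(int(tok[4]), tok[5], ipaddress.IPv4Network(tok[6]),
                             opts.get("ge"), opts.get("le")))
    return sorted(entries, key=lambda e: e.seq)


def entry_matches(entry, route):
    """True when the route lies inside the entry's prefix and its length is allowed."""
    if not route.subnet_of(entry.prefix):
        return False
    if entry.ge is None and entry.le is None:
        return route.prefixlen == entry.prefix.prefixlen   # exact length only
    low = entry.ge if entry.ge is not None else entry.prefix.prefixlen
    high = entry.le if entry.le is not None else 32
    return low <= route.prefixlen <= high


def evaluate(entries, route):
    """Return (action, seq) of the first matching entry, or ('deny', None)."""
    net = ipaddress.IPv4Network(route)
    for entry in entries:
        if entry_matches(entry, net):
            return entry.action, entry.seq
    return "deny", None   # implicit deny at the end of every prefix list


def filter_routes(entries, routes):
    """Routes that a 'distribute-list prefix ... in' using these entries would keep."""
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]


AREA0 = parse_prefix_list(AREA0_TEXT)

# Constructed candidate list built from prefixes that appear on this page.
CANDIDATES = ["10.0.0.0/8", "10.3.3.0/24", "10.8.8.0/30", "10.10.10.0/24",
              "172.16.3.0/24", "130.0.2.0/24", "131.0.2.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    for route in CANDIDATES:
        action, seq = evaluate(AREA0, route)
        print(f"{route:16} {action:6} seq {seq}")
```

The branch-site specifics such as 10.3.3.0/24 are dropped while the 10.0.0.0/8 summary and the three /24 loopbacks pass. As entered, seq 2 (0.0.0.0/32) matches only a host route, so 0.0.0.0/0 is not permitted by this list.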
Show IP route on R2:
Gateway of last resort is 172.16.5.7 to network 0.0.0.0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.5.0 is directly connected, Serial0/0/0.3
O IA    172.16.6.0 [110/65] via 192.168.10.3, 01:46:42, FastEthernet0/0
C       172.16.1.0 is directly connected, Serial0/0/0.1
C       172.16.2.0 is directly connected, Serial0/0/0.2
O IA    172.16.3.0 [110/65] via 192.168.10.6, 01:46:42, FastEthernet0/0
                   [110/65] via 192.168.10.5, 01:46:42, FastEthernet0/0
                   [110/65] via 192.168.10.3, 01:46:43, FastEthernet0/0
     130.0.0.0/24 is subnetted, 3 subnets
O N1    130.0.2.0 [110/84] via 172.16.5.7, 01:46:43, Serial0/0/0.3
O N1    130.0.6.0 [110/84] via 172.16.5.7, 01:46:43, Serial0/0/0.3
O N1    130.0.4.0 [110/84] via 172.16.5.7, 01:46:43, Serial0/0/0.3
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA    10.13.13.0/24 [110/2] via 192.168.10.3, 01:46:51, FastEthernet0/0
C       10.12.12.0/24 is directly connected, Loopback1
O IA    10.10.10.0/24 [110/3] via 192.168.10.1, 01:46:51, FastEthernet0/0
O IA    10.0.0.0/8 [110/3] via 192.168.10.1, 01:44:24, FastEthernet0/0
     131.0.0.0/24 is subnetted, 3 subnets
O E1    131.0.3.0 [110/85] via 192.168.10.3, 01:46:51, FastEthernet0/0
O E1    131.0.1.0 [110/85] via 192.168.10.3, 01:46:51, FastEthernet0/0
O E1    131.0.5.0 [110/85] via 192.168.10.3, 01:46:51, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 172.16.5.7
Task 5 (NBMA): Make sure OSPF is NBMA on the Hub and Spoke and that the hello timer is
250 msec for those interfaces. The hello timer command can not be used to accomplish this.
Neighbor commands giving the HUB a priority 255 were used along with the command
interface Serial0/0/0
description Hub-and-spoke-to-R3-R6
ip address 172.16.3.5 255.255.255.0
encapsulation frame-relay
ip ospf dead-interval minimal hello-multiplier 4 (This command is a multiplier of how many
times in 1 second the device will send an OSPF hello.)
Task 6 (Testing): Ping test connectivity from R1 to every network.
tclsh
foreach address {
10.3.3.1
10.3.3.2
10.4.4.1
10.4.4.2
10.5.5.1
10.5.5.2
10.6.6.1
10.6.6.2
10.7.7.1
10.7.7.2
10.8.8.1
10.8.8.2
10.9.9.1
10.9.9.2
192.168.10.1
192.168.10.2
192.168.10.3
192.168.10.5
192.168.10.6
192.168.10.9
172.16.1.2
172.16.1.3
172.16.2.2
172.16.2.9
172.16.3.3
172.16.3.5
172.16.3.6
172.16.5.2
172.16.5.7
172.16.6.3
172.16.6.8
10.10.10.1
10.12.12.1
10.13.13.1
208.1.1.1
208.1.1.2
} {ping $address}
Sw1:
OSPF Router with ID (1.1.1.10) (Process ID 1)
Router Link States (Area 0)
Link ID
1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.5
1.1.1.6
1.1.1.9
1.1.1.10
1.1.1.20
1.1.1.30
1.1.1.40
ADV Router
1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.5
1.1.1.6
1.1.1.9
1.1.1.10
1.1.1.20
1.1.1.30
1.1.1.40
Age
Seq#
Checksum Link count
5
(DNA) 0x80000004 0x00941A 3
568
0x80000008 0x0026F8 2
604
0x80000008 0x0030EB 2
1760
0x80000009 0x008A9A 1
626
0x80000007 0x008C97 1
533
0x80000007 0x008694 1
528
0x80000009 0x005208 4
1
(DNA) 0x80000004 0x00B741 4
6
(DNA) 0x80000002 0x003385 1
5
(DNA) 0x80000002 0x0081DF 2
Net Link States (Area 0)
Link ID
ADV Router
192.168.10.9 1.1.1.9
Age
534
Seq#
Checksum
0x80000006 0x001750
Summary Net Link States (Area 0)
CCIE Routing and Switching
Boot Camp Day 1 to 4 Lab
Page 84 of 138
©2008 Network Learning, Inc. All Rights reserved Unauthorized duplication is a violation of Federal Law.
Link ID
10.0.0.0
10.0.0.0
10.3.3.0
10.3.3.0
10.4.4.0
10.4.4.0
10.5.5.0
10.5.5.0
10.6.6.0
10.6.6.0
10.7.7.0
10.7.7.0
10.8.8.0
10.8.8.0
10.9.9.0
10.9.9.0
10.10.10.0
10.10.10.0
10.11.11.0
10.11.11.0
10.12.12.0
10.13.13.0
10.13.13.0
172.16.2.0
172.16.2.0
172.16.3.0
172.16.3.0
172.16.5.0
172.16.6.0
ADV Router
Age
Seq#
Checksum
1.1.1.20
17 (DNA) 0x80000001 0x00809A
1.1.1.40
11 (DNA) 0x80000001 0x0008FE
1.1.1.10
532
0x80000006 0x006DAC
1.1.1.30
13 (DNA) 0x80000001 0x000901
1.1.1.10
532
0x80000006 0x0056C1
1.1.1.30
13 (DNA) 0x80000001 0x00F116
1.1.1.10
532
0x80000006 0x002DEB
1.1.1.30
13 (DNA) 0x80000001 0x00C840
1.1.1.1
11 (DNA) 0x80000001 0x0056CE
1.1.1.10
532
0x80000006 0x001601
1.1.1.1
11 (DNA) 0x80000001 0x003FE3
1.1.1.20
1
(DNA) 0x80000003 0x00C845
1.1.1.10
532
0x80000006 0x00E72B
1.1.1.30
13 (DNA) 0x80000001 0x00798A
1.1.1.10
532
0x80000005 0x00DC34
1.1.1.30
13 (DNA) 0x80000001 0x00629F
1.1.1.1
11 (DNA) 0x80000001 0x000C0E
1.1.1.10
533
0x80000004 0x00D933
1.1.1.10
533
0x80000004 0x00B05D
1.1.1.30
13 (DNA) 0x80000001 0x003EBE
1.1.1.2
573
0x80000004 0x00D140
1.1.1.3
609
0x80000004 0x00B45A
1.1.1.6
389
0x80000004 0x0025A6
1.1.1.2
575
0x80000004 0x0046EF
1.1.1.9
540
0x80000004 0x001C13
1.1.1.3
361
0x80000008 0x002D03
1.1.1.6
389
0x80000006 0x001F10
1.1.1.2
575
0x80000004 0x00250E
1.1.1.3
611
0x80000004 0x00141D
Summary ASB Link States (Area 0)
Link ID
1.1.1.2
ADV Router
Age
1.1.1.9
540
Seq#
Checksum
0x80000004 0x007176
Router Link States (Area 1)
Link ID
1.1.1.10
ADV Router
1.1.1.10
Age
535
Seq#
Checksum Link count
0x80000005 0x00BB68 0
Summary Net Link States (Area 1)
Link ID         ADV Router      Age         Seq#       Checksum
10.3.3.0        1.1.1.10        535         0x80000006 0x006DAC
10.4.4.0        1.1.1.10        536         0x80000006 0x0056C1
10.5.5.0        1.1.1.10        537         0x80000006 0x002DEB
10.6.6.0        1.1.1.10        537         0x80000006 0x001601
10.8.8.0        1.1.1.10        537         0x80000006 0x00E72B
10.9.9.0        1.1.1.10        537         0x80000005 0x00DC34
10.10.10.0      1.1.1.10        537         0x80000004 0x00D933
10.11.11.0      1.1.1.10        537         0x80000004 0x00B05D
172.16.1.0      1.1.1.10        537         0x80000004 0x002B03
192.168.10.0    1.1.1.10        537         0x80000006 0x0015A1
Summary ASB Link States (Area 1)
Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.2         1.1.1.10        537         0x80000004 0x00F233
1.1.1.3         1.1.1.10        537         0x80000004 0x00E83C
Router Link States (Area 2)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         551         0x80000009 0x005E61 2
1.1.1.10        1.1.1.10        537         0x80000007 0x00DB04 1
Net Link States (Area 2)
Link ID         ADV Router      Age         Seq#       Checksum
10.6.6.1        1.1.1.10        538         0x80000004 0x00CA3A
Summary Net Link States (Area 2)
Link ID         ADV Router      Age         Seq#       Checksum
10.3.3.0        1.1.1.10        538         0x80000006 0x006DAC
10.4.4.0        1.1.1.10        538         0x80000006 0x0056C1
10.5.5.0        1.1.1.10        538         0x80000006 0x002DEB
10.7.7.0        1.1.1.1         552         0x80000004 0x0039E6
10.8.8.0        1.1.1.10        539         0x80000006 0x00E72B
10.9.9.0        1.1.1.10        539         0x80000005 0x00DC34
10.11.11.0      1.1.1.10        539         0x80000004 0x00B05D
172.16.1.0      1.1.1.1         552         0x80000004 0x0057E0
172.16.1.0      1.1.1.10        1789        0x8000000B 0x001D0A
192.168.10.0    1.1.1.10        539         0x80000006 0x0015A1
Summary ASB Link States (Area 2)
Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.2         1.1.1.1         552         0x80000004 0x0033FA
1.1.1.2         1.1.1.10        539         0x80000004 0x00F233
1.1.1.3         1.1.1.1         553         0x80000004 0x002904
1.1.1.3         1.1.1.10        540         0x80000004 0x00E83C
Router Link States (Area 4)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.10        1.1.1.10        540         0x80000009 0x00111F 4
1.1.1.20        1.1.1.20        534         0x80000009 0x006BA0 4
1.1.1.30        1.1.1.30        561         0x80000009 0x00540D 2
1.1.1.40        1.1.1.40        524         0x8000000A 0x0084B9 2
Net Link States (Area 4)
Link ID         ADV Router      Age         Seq#       Checksum
10.3.3.2        1.1.1.20        535         0x80000004 0x00BE2B
10.4.4.2        1.1.1.20        535         0x80000004 0x00A740
10.5.5.2        1.1.1.20        535         0x80000004 0x007E6A
10.8.8.1        1.1.1.10        541         0x80000004 0x0034AF
10.9.9.2        1.1.1.40        524         0x80000004 0x008B19
10.11.11.2      1.1.1.40        524         0x80000004 0x00D0D9
Summary Net Link States (Area 4)
Link ID         ADV Router      Age         Seq#       Checksum
10.6.6.0        1.1.1.10        541         0x80000006 0x001601
10.7.7.0        1.1.1.20        536         0x80000006 0x00C248
10.10.10.0      1.1.1.10        542         0x80000004 0x00D933
172.16.1.0      1.1.1.10        542         0x80000004 0x002B03
172.16.1.0      1.1.1.20        536         0x80000004 0x00EE35
192.168.10.0    1.1.1.10        542         0x80000004 0x00199F
Summary ASB Link States (Area 4)
Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.2         1.1.1.10        542         0x80000004 0x00F233
1.1.1.2         1.1.1.20        537         0x80000004 0x00C05A
1.1.1.2         1.1.1.30        1558        0x8000000A 0x007892
1.1.1.2         1.1.1.40        527         0x80000004 0x0052B3
1.1.1.3         1.1.1.10        543         0x80000004 0x00E83C
1.1.1.3         1.1.1.20        537         0x80000004 0x00B663
1.1.1.3         1.1.1.30        1558        0x8000000A 0x006E9B
1.1.1.3         1.1.1.40        527         0x80000004 0x0048BC
Type-5 AS External Link States
Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         1.1.1.2         583         0x80000005 0x008B9E 1
0.0.0.0         1.1.1.3         620         0x80000004 0x0087A2 1
150.2.3.7       1.1.1.2         584         0x80000004 0x001561 0
150.8.8.8       1.1.1.3         620         0x80000004 0x0085E3 0
CCBOOTCAMP R&S Advanced Labs
Day 3
BGP
BGP version 4 is a path vector routing protocol used to exchange routing information between
autonomous systems, and can be considered the routing protocol of the Internet. BGP is used
to exchange routing information for the Internet and is the protocol used between Internet
service providers (ISPs). BGP carries information as a sequence of AS numbers, which
indicate the autonomous systems that must be used to get to a destination network. BGP is
defined in RFCs 1163, 1267, and 1771. BGP is considered an Exterior Gateway Protocol
(EGP) (not to be confused with the obsolete routing protocol also called “EGP”). BGP is
designed to prevent loops from forming between systems.
There are both internal and external BGP (IBGP and EBGP) configurations. Organizational
networks, such as universities and corporations, usually employ an Interior Gateway Protocol
(IGP) such as RIP or OSPF for the exchange of routing information within their networks.
These networks connect to ISPs, and ISPs use BGP to exchange customer and ISP routes.
When BGP is used between autonomous systems (AS), the protocol is referred to as External
BGP (EBGP). If a service provider is using BGP to exchange routes within an AS, then the
protocol is referred to as Interior BGP (IBGP).
BGP neighbors are defined in the configuration, not by their physical location in the network.
Even if two routers are physically connected, they are not necessarily neighbors unless they
form a TCP connection, which is configured by the network engineer.
BGP’s effective use of classless inter-domain routing (CIDR) has been a major factor in
slowing the explosive growth of the Internet routing table. CIDR doesn’t rely on classes of IP
networks such as Class A, B, and C. In CIDR, a prefix and a mask, such as 197.32.0.0/14,
represent a network. This would normally be considered an illegal Class C network, but CIDR
handles it just fine. A network is called a super-net when the prefix boundary contains fewer
bits than the network’s natural mask.
Operation
Synchronization/Full Mesh
In order to avoid routing loops inside an AS, BGP doesn’t advertise to internal BGP (IBGP)
peers the routes that are learned via other IBGP peers. Therefore, one must maintain full IBGP
mesh within an AS or utilize other techniques such as route reflectors. BGP routing
information must be in sync with the Interior Gateway Protocol (IGP) such as OSPF, before
advertising transit routes to other ASs. This behavior can be turned off using the Cisco IOS
command no sync. However, this isn’t recommended unless all the routers in your BGP AS
are running BGP and are fully meshed or the AS in question isn’t a transit AS. The careless
use of the no sync command could cause non-BGP routers within an autonomous system to
receive traffic for destinations that they don’t have a route for. With synchronization enabled,
BGP waits until the IGP has propagated routing information across the autonomous system
before advertising transit routes to other ASs. By default, synchronization is enabled on all
BGP routers.
Things to watch out for when synchronization is turned on:
• OSPF and BGP must have the same RID
• The mask lengths must be the same for IGP and BGP
• BGP only redistributes OSPF internals by default
Next-Hop-Self Command
In a non-meshed environment such as confederations or route reflectors where you know that
a path exists from the current router to a specific address the BGP router command neighbor
{ip-address | peer-group-name} next-hop-self can be used to disable next-hop processing.
This will cause the current router to advertise itself as the next hop for the specified neighbor,
simplifying the network. Other BGP neighbors will then forward packets for that destination to
the current router. This would not be useful in a fully meshed environment, since it will result
in unnecessary extra hops where there may be a more direct path.
Private AS numbers
AS numbers from 64512-65535 are private AS numbers. These numbers are very similar in
fashion to the RFC 1918 IP addresses of 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
These AS numbers aren’t used anywhere in the Core BGP route tables. They are used to keep
the AS number requirement down. Smaller BGP users will often use Private AS numbers and
then have them translated to public AS numbers by routers upstream toward the core of the
Internet. Many of the larger ISPs may have multiple public AS numbers. Smaller ISPs will
usually only have one public AS number.
When private AS numbers are used to build a manual confederation, the private AS information
must be stripped in order to prevent those autonomous systems from leaking into the Internet:
neighbor 1.1.1.1 remove-private-as
State
Neighbors in BGP must go through the following states in order to form an adjacency:
• Idle
• Connect
o Active – resets the retry timer and kicks back to Idle
• Open send – version must be 4
• Open confirm
• Established
If there are issues the routers may cycle from Active back to Connect. Some of the issues that
prevent BGP routers from becoming neighbors are:
• Incorrect IP address
• Incorrect AS number
• No route to source address
• TTL too low
Attributes
BGP metrics are called path attributes and are categorized into well-known and optional.
Well-known attributes must be recognized by all compliant implementations and vendors,
whereas optional attributes are only recognized by some implementations (they could be
private) and are not expected to be recognized by everyone.
Well-known attributes are divided into mandatory and discretionary. The Well-known
mandatory attributes must be present in all update messages. The following attributes must
be in every BGP update:
• AS-path: A list of the autonomous system (AS) numbers that a route passes through
to reach the destination. As the update passes through an AS, the AS number is
inserted at the beginning of the list. The AS-path attribute has a reverse-order list of
the ASs passed through to get to the destination.
• Next-hop: The next-hop address that is used to reach the destination.
• Origin: Indicates how BGP learned a particular route. There are three possible types:
IGP (route is internal to the AS), EGP (learned via EBGP), or Incomplete (origin
unknown or learned in a different way).
Well-known discretionary attributes are optional - they could be present in update messages
or not. All well-known attributes are propagated to other BGP neighbors. However, optional
BGP attributes are transitive or non-transitive:
• Optional transitive attributes
o Aggregator: Specifies the router ID and AS of the router that originated an
aggregate prefix. Used in conjunction with the atomic aggregate attribute.
o Community: Used to group routes that share common properties so that
policies can be applied at the group level.
• Optional non-transitive attributes
o Multi-exit-discriminator (MED): Indicates the preferred path into an AS to
external neighbors when multiple paths exist.
• Recognized optional attributes are propagated to other neighbors based on their
meaning (not constrained by transitive bit)
Configuring Attributes
Weight
The weight attribute is a Cisco-defined attribute used for the path selection process. The
weight is configured locally on a router and is not propagated to any other routers.
neighbor 1.1.1.1 weight 100 (The higher the number the more preferred)
Origin
The origin attribute indicates how BGP learned about a particular route. The origin attribute
can have one of three possible values:
– IGP—The route is interior to the originating AS. This value is set when the network
router configuration command is used to inject the route into BGP. [0] i
– EGP—The route is learned via the Exterior Border Gateway Protocol (EGP). [1] e
– Incomplete—The origin of the route is unknown or learned in some other way. An
origin of incomplete occurs when a route is redistributed into BGP. [?]
You can issue the (sh ip bgp) command to view the origin.
AS-Path
The AS-path attribute is empty when a local route is first inserted in the BGP table. The
sender’s AS number is prepended to the AS-path attribute when the routing update crosses
the AS boundary. A BGP receiver of BGP routing information can use the AS-path to
determine through which AS the information has passed. Therefore, an AS that receives
routing information with its own AS number in the AS-path silently ignores the information.
AS-path prepending can be used as a metric to make a path appear less optimal.
route-map prepend permit 10
match ip address 1
set as-path prepend 100 100 100
Next Hop
The Next-hop attribute indicates the next-hop IP address used for packet forwarding and is
usually set to the IP address of the sending BGP router.
Multi-exit discriminator (MED)
The multi-exit discriminator (MED) or metric attribute is used as a suggestion to an external
AS regarding the preferred route into the AS that is advertising the metric.
The MED only works from directly connected AS. It is not transitive so it has to be configured
on every AS in the path. The default MED is 0 which is more preferable if another router
within the AS does not enable a MED value. The lower the value the more preferred. A route
map is applied with the neighbor command:
neighbor 1.1.1.1 route-map med out
route-map med permit 10
set metric 200
Local Preference
The local preference attribute is used to prefer an exit point from the local autonomous
system (AS). Unlike the weight attribute, the local preference attribute is propagated
throughout the local AS. If there are multiple exit points from the AS, the local preference
attribute is used to select the exit point for a specific route. The default Local Preference is
100. The higher the value, the more preferred.
route-map local permit 10
set local-preference 200
Communities
The community attribute has multiple options and will be explained in detail in Volume II.
AS Path Filtering
Several scenarios require BGP route filtering based on AS-path. AS paths are filtered using an
AS-path access list and regular expressions.
The following are examples of regular expressions that are used in AS-path filters:
_100_      Going through AS 100
^100$      Directly connected to AS 100
_100$      Originated in AS 100
^100_.*    Networks behind AS 100
^[0-9]+$   AS paths one AS long
^$         Networks originated in local AS
.*         Matches everything
ip as-path access-list 5 permit .*
neighbor 1.1.1.1 filter-list 5 out
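The expressions above differ from ordinary regular expressions only in the "_" delimiter, and an AS-path access list ends in an implicit deny. The following is an added example, not code from the workbook: it translates the seven expressions to Python, checks them against constructed AS paths, and applies an access list the way filter-list out does. The table contents and the LOCAL_ONLY list are assumptions made for illustration.

```python
import re

# Cisco AS-path regexes use "_" for "any delimiter": start or end of the
# path, a space, a comma, or a brace/parenthesis around an AS set.
_DELIM = r"(?:^|$|[ ,{}()])"


def to_python_regex(cisco_pattern: str) -> str:
    """Translate the "_" metacharacter; the rest is shared with Python."""
    return cisco_pattern.replace("_", _DELIM)


def as_path_matches(cisco_pattern: str, as_path: str) -> bool:
    """as_path is the space-separated AS list as shown by 'sh ip bgp',
    without the origin code. Locally originated routes have an empty path."""
    return re.search(to_python_regex(cisco_pattern), as_path) is not None


def acl_permits(acl, as_path: str) -> bool:
    """Evaluate an 'ip as-path access-list': the first matching entry wins
    and a path that matches no entry is denied (implicit deny)."""
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


def advertised(acl, bgp_table):
    """Prefixes that survive 'neighbor ... filter-list <acl> out'."""
    return [prefix for prefix, path in bgp_table if acl_permits(acl, path)]


# The seven expressions from the list above, each with constructed AS paths
# that must match and must not match.
PAGE_PATTERNS = {
    "_100_":    (["100", "200 100 300", "100 200"], ["1001 200", "2100", ""]),
    "^100$":    (["100"], ["100 200", "200 100"]),
    "_100$":    (["100", "300 200 100"], ["100 200", "300 2100"]),
    "^100_.*":  (["100", "100 200 300"], ["1000 200", "200 100"]),
    "^[0-9]+$": (["65001", "3"], ["3 65001", ""]),
    "^$":       ([""], ["3"]),
    ".*":       (["", "1 2 3"], []),
}


def check_page_patterns():
    """Return every (pattern, path) pair that behaved unexpectedly."""
    wrong = []
    for pattern, (hits, misses) in PAGE_PATTERNS.items():
        wrong += [(pattern, p) for p in hits if not as_path_matches(pattern, p)]
        wrong += [(pattern, p) for p in misses if as_path_matches(pattern, p)]
    return wrong


# Constructed BGP table on an AS 3 border router: (prefix, AS path).
# The prefixes are the lab's; the AS paths are assumed for illustration.
AS3_TABLE = [
    ("150.2.2.0/24", ""),   # originated inside AS 3
    ("209.0.0.0/9", "1"),   # learned from AS 1
    ("190.0.0.0/9", "2"),   # learned from AS 2
]

PERMIT_ALL = [("permit", ".*")]   # access-list 5 as shown above
LOCAL_ONLY = [("permit", "^$")]   # hypothetical list: local routes only

if __name__ == "__main__":
    print("unexpected results:", check_page_patterns())
    print("permit .* advertises:", advertised(PERMIT_ALL, AS3_TABLE))
    print("permit ^$ advertises:", advertised(LOCAL_ONLY, AS3_TABLE))
```

With the ^$ list only the locally originated prefix is sent, so routes learned from one neighbouring AS are never passed on to another.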
Order/Preference
1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by BGP
running on this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest origin type
(where IGP is lower than EGP, and EGP is lower than incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED attribute.
8. If the paths have the same MED, prefer the external path over the internal path.
9. If the paths are still the same, prefer the path through the closest IGP neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
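The ten steps above, written as a sort key so that the step which decides between two candidate paths can be read off. This is an added example, not code from the workbook; the candidate paths are constructed (router IDs borrowed from the lab). It follows the list literally, whereas IOS compares MED only between paths from the same neighbouring AS unless bgp always-compare-med is configured.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP < EGP < incomplete


@dataclass(frozen=True)
class Path:
    label: str
    as_path: tuple = ()
    next_hop_reachable: bool = True
    weight: int = 0
    local_pref: int = 100       # default local preference
    local_origin: bool = False  # originated by BGP on this router
    origin: str = "i"
    med: int = 0                # default MED
    external: bool = True       # learned via EBGP
    igp_metric: int = 0         # IGP cost to the next hop
    router_id: str = "0.0.0.0"


def decision_key(p: Path):
    """Steps 2 to 10 as a tuple; the smallest tuple is the best path."""
    return (
        -p.weight,                      # 2: largest weight
        -p.local_pref,                  # 3: largest local preference
        0 if p.local_origin else 1,     # 4: originated on this router
        len(p.as_path),                 # 5: shortest AS_path
        ORIGIN_RANK[p.origin],          # 6: lowest origin type
        p.med,                          # 7: lowest MED
        0 if p.external else 1,         # 8: external over internal
        p.igp_metric,                   # 9: closest IGP neighbor
        int(IPv4Address(p.router_id)),  # 10: lowest router ID (numeric)
    )


def select_best(paths):
    """Return (best_path, deciding_step). The step is 1 when the only
    competitors were dropped for an inaccessible next hop, and None when
    there was no competition or the candidates tie on every step."""
    usable = [p for p in paths if p.next_hop_reachable]  # step 1
    if not usable:
        return None, None
    ranked = sorted(usable, key=decision_key)
    best = ranked[0]
    if len(ranked) == 1:
        return best, (1 if len(paths) > 1 else None)
    # In lexicographic order the runner-up shares the longest run of tied
    # steps with the winner, so the first difference is the deciding step.
    pairs = zip(decision_key(best), decision_key(ranked[1]))
    for index, (a, b) in enumerate(pairs):
        if a != b:
            return best, index + 2
    return best, None


# Constructed candidates for one prefix originated in AS 1.
R7_PLAIN = Path("via R7", as_path=(1,), med=200, router_id="1.1.1.7")
R7_PREPENDED = Path("via R7", as_path=(1, 1), med=200, router_id="1.1.1.7")
R8 = Path("via R8", as_path=(2, 1), med=10, router_id="1.1.1.8")

if __name__ == "__main__":
    for candidates in ([R7_PLAIN, R8], [R7_PREPENDED, R8]):
        best, step = select_best(candidates)
        print([p.as_path for p in candidates], "->", best.label, "at step", step)
```

Without the prepend the shorter AS_path wins at step 5 and the MED is never consulted; once the AS_path lengths are equal the lower MED decides at step 7.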
Aggregation
Specify the aggregation range that you would like to summarize in the BGP routing process.
The aggregate will be announced if there is at least one network in the specified range in the
BGP table. Individual networks will still be announced in outgoing BGP updates, so another
option must be enabled to suppress the longer masks.
router bgp 1
aggregate-address 172.16.0.0 255.255.0.0
If you want to remove the longer masks, add the summary-only keyword.
router bgp 1
aggregate-address 172.16.0.0 255.255.0.0 summary-only
If you would like to protect against loops, then add as-set to prevent your own AS from
returning.
router bgp 1
aggregate-address 172.16.0.0 255.255.0.0 as-set summary-only
Other options that can be enabled are:
• Attribute maps are used to configure the attributes of the aggregate route, since the
attributes of the original routes are used by default when summarized.
• Advertise maps allow the aggregate to inherit the attributes from the specific
networks identified in the advertise map. It is important to note the attribute map
overrides the advertise map.
• Suppress maps: this command overrides the summary-only keyword and suppresses
only the routes configured in the suppress map.
• Un-suppress maps selectively un-suppress networks suppressed in a suppress map.
• Inject maps are used to inject more specific routes into BGP based on the existence of
an aggregated route, or to originate a default route based on the existence of a certain route.
BGP LAB
Scenario
Turn-key and the two ISP providers have agreed to peer with BGP and to exchange routes.
Turn-key has decided to use EIGRP as the IGP and will connect to the ISP with a new OSPF
Process between the eBGP peers.
AS Topology
BGP: Tasks
Task 1 (Basic BGP): Configure R7 to be in AS 1 and R8 in AS 2. Configure a static route on
R2 and R7 to each other's Lo3 address. Also configure Lo4 but do not add static routes for the
networks. Disable EIGRP 100 with distance and passive interface default commands on R7
and R8 only.
R2:
Lo3
Ip address 150.1.1.2/24
Lo4
Ip address 150.2.2.1/24
Ip address 151.2.2.1/24 secondary
Ip address 152.2.2.1/24 secondary
R7:
Lo3
Ip address 150.2.3.7/24
Lo4
Ip address 209.0.0.1/17
Ip address 220.0.0.1/17 secondary
Configure static routes between R3 and R8 for Lo3 and add the Lo0
networks without static routes.
R3:
Lo3
Ip address 150.3.3.2/24
Lo4
Ip address 149.3.3.1/24
Ip address 151.3.3.1/24 secondary
Ip address 152.3.3.1/24 secondary
R8:
Lo3
Ip address 150.8.8.8/24
Lo4
Ip address 190.0.0.1/17
Ip address 160.0.0.1/17 secondary
Use the new Lo3 interface on each of these (4) routers to peer BGP as defined in the above
AS topology diagram. R7 and R8 can use their PPP interface to peer. Within AS 3 peer all
routers as shown in the diagram and note the bgp confederation identifier can not be used on
any of the routers. Give each router the same Router-id that was used previously for OSPF. If
there is an existing loop back on the router use that as the update source, if not use the
Vlan10 interface when possible. On the connections within AS 65001 make sure you
consolidate your commands to reduce the size of the BGP command line configuration.
Task 2 (Networks): Advertise the New Loopbacks from R7 and R8 in BGP. Make sure Sw4
can ping them. Advertise the new IP addresses in the new loop backs of R2 and R3 as well as
192.168.10.0 and a summary of the 10.0.0.0 network. Make sure your BGP table in R7 looks
like the following:
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0         150.1.1.2                0             0 3 i
*                   172.16.4.8                             0 2 3 i
*> 149.3.3.0/24     150.1.1.2                              0 3 i
*                   172.16.4.8                             0 2 3 i
*> 150.2.2.0/24     150.1.1.2                0             0 3 i
*                   172.16.4.8                             0 2 3 i
*> 151.2.2.0/24     150.1.1.2                0             0 3 i
*                   172.16.4.8                             0 2 3 i
*> 151.3.3.0/24     150.1.1.2                              0 3 i
*                   172.16.4.8                             0 2 3 i
*> 152.2.2.0/24     150.1.1.2                0             0 3 i
*                   172.16.4.8                             0 2 3 i
*> 152.3.3.0/24     150.1.1.2                              0 3 i
*                   172.16.4.8                             0 2 3 i
*  160.0.0.0/9      150.1.1.2                              0 3 2 i
*>                  172.16.4.8               0             0 2 i
*> 172.16.0.0       150.1.1.2                0             0 3 i
*                   172.16.4.8                             0 2 3 i
*  190.0.0.0/9      150.1.1.2                              0 3 2 i
*>                  172.16.4.8               0             0 2 i
*> 209.0.0.0/9      0.0.0.0                  0         32768 i
*> 220.0.0.0/9      0.0.0.0                  0         32768 i
Task 3 (MEDs): Configure meds such that AS 3 will prefer R8 to reach 209.0.0.1 and
220.0.0.1. and R7 will be a better path to 190.0.0.1 and 160.0.0.1. Make sure you configure
R2 and R3 to prevent AS 65001 from being advertised to R7 or R8. Ping the routes from Sw4
and ensure you can still reach them.
Task 4 (AS-filtering): Configure AS 3 so that it can not be a transit AS between AS 1 and
AS 2.
BGP: Answers
Task 1 (Basic BGP): Configure R7 to be in AS 1 and R8 in AS 2. Configure a static route on
R2 and R7 to each other's Lo3 address. Also configure Lo4 but do not add static routes for the
networks. Disable EIGRP 100 on R7 and R8 only. Use the new Lo3 interface on each of these
(4) routers to peer BGP as defined in the above AS topology diagram. R7 and R8 can use
their PPP interface to peer.
R7:
router bgp 1
no synchronization
bgp router-id 1.1.1.7
bgp log-neighbor-changes
neighbor 150.1.1.2 remote-as 3 (This will peer R7 and R2)
neighbor 150.1.1.2 ebgp-multihop 3 (This allows the TCP TTL to exceed 1 hop)
neighbor 150.1.1.2 update-source Loopback3 (This allows R7 to originate BGP TCP 179
connections from the Lo3)
neighbor 172.16.4.8 remote-as 2
no auto-summary
!
ip route 150.1.1.2 255.255.255.255 172.16.5.2 (The static Route I used to reach the R2 loopback)
R2:
router bgp 3
no synchronization
bgp router-id 1.1.1.2
bgp log-neighbor-changes
neighbor 10.13.13.1 remote-as 3
neighbor 10.13.13.1 update-source Loopback1
neighbor 150.2.3.7 remote-as 1
neighbor 150.2.3.7 ebgp-multihop 3
neighbor 150.2.3.7 update-source Loopback3
neighbor 192.168.10.1 remote-as 65001
neighbor 192.168.10.1 ebgp-multihop 2
neighbor 192.168.10.1 update-source Loopback1
neighbor 192.168.10.9 remote-as 3
neighbor 192.168.10.9 update-source Loopback1
no auto-summary
!
ip route 150.2.3.7 255.255.255.255 172.16.5.7
R8:
router bgp 2
no synchronization
bgp router-id 1.1.1.8
bgp log-neighbor-changes
neighbor 150.3.3.2 remote-as 3
neighbor 150.3.3.2 ebgp-multihop 3
neighbor 150.3.3.2 update-source Loopback3
neighbor 172.16.4.7 remote-as 1
no auto-summary
!
ip route 150.3.3.2 255.255.255.255 172.16.6.3
R3:
router bgp 3
no synchronization
bgp router-id 1.1.1.3
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 65001
neighbor 10.10.10.1 ebgp-multihop 3
neighbor 10.10.10.1 update-source Loopback1
neighbor 10.12.12.1 remote-as 3
neighbor 10.12.12.1 update-source Loopback1
neighbor 150.8.8.8 remote-as 2
neighbor 150.8.8.8 ebgp-multihop 3
neighbor 150.8.8.8 update-source Loopback3
neighbor 192.168.10.5 remote-as 3
neighbor 192.168.10.5 update-source Loopback1
neighbor 192.168.10.5 route-reflector-client
neighbor 192.168.10.6 remote-as 3
neighbor 192.168.10.6 update-source Loopback1
neighbor 192.168.10.6 route-reflector-client
no auto-summary
!
ip route 150.8.8.8 255.255.255.255 172.16.6.8
Within AS (3), peer all routers as shown in the diagram and note the bgp confederation
identifier can not be used on any of the routers. Give each router the same Router-id that was
used previously for OSPF. If there is an existing loop back on the router use that as the
update source, if not use the Vlan10 interface when possible. On the connections within AS
65001 make sure you consolidate your commands to reduce the size of the BGP command
line configuration.
AS3
R2:
router bgp 3
no synchronization
bgp router-id 1.1.1.2
bgp log-neighbor-changes
neighbor 10.13.13.1 remote-as 3 (This peers the route reflectors R2 and R3)
neighbor 10.13.13.1 update-source Loopback1
neighbor 150.2.3.7 remote-as 1
neighbor 150.2.3.7 ebgp-multihop 3
neighbor 150.2.3.7 update-source Loopback3
neighbor 192.168.10.1 remote-as 65001 (This connects an eBGP manual confederation to
Sw1)
neighbor 192.168.10.1 ebgp-multihop 2
neighbor 192.168.10.1 update-source Loopback1
neighbor 192.168.10.9 remote-as 3
neighbor 192.168.10.9 update-source Loopback1
neighbor 192.168.10.9 route-reflector-client (Configures BB1 as a route reflector client)
no auto-summary
BB1:
router bgp 3
no synchronization
bgp log-neighbor-changes
neighbor 10.12.12.1 remote-as 3
neighbor 10.12.12.1 update-source FastEthernet0/0
no auto-summary
R3:
router bgp 3
no synchronization
bgp router-id 1.1.1.3
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 65001
neighbor 10.10.10.1 ebgp-multihop 3
neighbor 10.10.10.1 update-source Loopback1
neighbor 10.12.12.1 remote-as 3
neighbor 10.12.12.1 update-source Loopback1
neighbor 150.8.8.8 remote-as 2
neighbor 150.8.8.8 ebgp-multihop 3
neighbor 150.8.8.8 update-source Loopback3
neighbor 192.168.10.5 remote-as 3
neighbor 192.168.10.5 update-source Loopback1
neighbor 192.168.10.5 route-reflector-client
neighbor 192.168.10.6 remote-as 3
neighbor 192.168.10.6 update-source Loopback1
neighbor 192.168.10.6 route-reflector-client
no auto-summary
!
R5:
router bgp 3
no synchronization
bgp router-id 1.1.1.5
bgp log-neighbor-changes
neighbor 10.13.13.1 remote-as 3
neighbor 10.13.13.1 update-source FastEthernet0/0
no auto-summary
R6:
router bgp 3
no synchronization
bgp router-id 1.1.1.6
bgp log-neighbor-changes
neighbor 10.13.13.1 remote-as 3
neighbor 10.13.13.1 update-source FastEthernet0/0
no auto-summary
On the connections within AS 65001 make sure you consolidate your commands to reduce the
size of the BGP command line configuration.
AS 65001
SW1:
router bgp 65001
no synchronization
bgp router-id 1.1.1.10
bgp log-neighbor-changes
neighbor Branch peer-group (Peer Group commands are used to group similar BGP commands
together for neighbors)
neighbor Branch remote-as 65001
neighbor Branch update-source Vlan10
neighbor Branch route-reflector-client (The other switches Sw2,3,and 4 will become route
reflector clients)
neighbor 10.5.5.2 peer-group Branch
neighbor 10.8.8.2 peer-group Branch
neighbor 10.9.9.2 peer-group Branch
neighbor 10.10.10.1 remote-as 65001
neighbor 10.10.10.1 ebgp-multihop 2
neighbor 10.10.10.1 update-source Vlan10
neighbor 10.12.12.1 remote-as 3
neighbor 10.12.12.1 ebgp-multihop 2
neighbor 10.12.12.1 update-source Vlan10
no auto-summary
R1:
router bgp 65001
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor Branch peer-group
neighbor Branch remote-as 65001
neighbor Branch update-source Loopback0
neighbor Branch route-reflector-client
neighbor 10.5.5.2 peer-group Branch
neighbor 10.8.8.2 peer-group Branch
neighbor 10.9.9.2 peer-group Branch
neighbor 10.13.13.1 remote-as 3
neighbor 10.13.13.1 ebgp-multihop 3
neighbor 10.13.13.1 update-source Loopback0
neighbor 192.168.10.1 remote-as 65001
neighbor 192.168.10.1 update-source Loopback0
no auto-summary
Sw2:
router bgp 65001
no synchronization
bgp router-id 1.1.1.20
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 65001
neighbor 10.10.10.1 update-source Vlan5
neighbor 192.168.10.1 remote-as 65001
neighbor 192.168.10.1 update-source Vlan5
no auto-summary
Sw3:
router bgp 65001
no synchronization
bgp router-id 1.1.1.30
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 65001
neighbor 10.10.10.1 update-source Vlan8
neighbor 192.168.10.1 remote-as 65001
neighbor 192.168.10.1 update-source Vlan8
no auto-summary
Sw4:
router bgp 65001
no synchronization
bgp router-id 1.1.1.40
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 65001
neighbor 10.10.10.1 update-source Vlan9
neighbor 192.168.10.1 remote-as 65001
neighbor 192.168.10.1 update-source Vlan9
no auto-summary
Task 2 (Networks): Advertise the New Loopbacks from R7 and R8 in BGP. Make sure Sw4
can ping them. Advertise the new IP addresses in the new loop backs of R2 and R3 as well as
192.168.10.0 and a summary of the 10.0.0.0 network. Make sure your BGP table in R7 looks
like the following:
R7:
router bgp 1
no synchronization
bgp router-id 1.1.1.7
bgp log-neighbor-changes
network 209.0.0.0 mask 255.128.0.0 (This configuration advertises these networks into BGP)
network 220.0.0.0 mask 255.128.0.0
neighbor 150.1.1.2 remote-as 3
neighbor 150.1.1.2 ebgp-multihop 3
neighbor 150.1.1.2 update-source Loopback3
neighbor 172.16.4.8 remote-as 2
no auto-summary
R2:
router bgp 3
no synchronization
bgp router-id 1.1.1.2
bgp log-neighbor-changes
network 10.12.12.0 mask 255.255.255.0
network 150.2.2.0 mask 255.255.255.0
network 151.2.2.0 mask 255.255.255.0
network 152.2.2.0 mask 255.255.255.0
network 172.16.5.0 mask 255.255.255.0
aggregate-address 10.0.0.0 255.0.0.0 summary-only (This command configures a summary only
for the 10/8 network)
aggregate-address 172.16.0.0 255.255.0.0 summary-only
neighbor 10.13.13.1 remote-as 3
neighbor 10.13.13.1 update-source Loopback1
neighbor 150.2.3.7 remote-as 1
neighbor 150.2.3.7 ebgp-multihop 3
neighbor 150.2.3.7 update-source Loopback3
neighbor 192.168.10.1 remote-as 65001
neighbor 192.168.10.1 ebgp-multihop 2
neighbor 192.168.10.1 update-source Loopback1
neighbor 192.168.10.9 remote-as 3
neighbor 192.168.10.9 update-source Loopback1
neighbor 192.168.10.9 route-reflector-client
no auto-summary
R8:
router bgp 2
no synchronization
bgp router-id 1.1.1.8
bgp log-neighbor-changes
network 160.0.0.0 mask 255.128.0.0
network 190.0.0.0 mask 255.128.0.0
neighbor 150.3.3.2 remote-as 3
neighbor 150.3.3.2 ebgp-multihop 3
neighbor 150.3.3.2 update-source Loopback3
neighbor 172.16.4.7 remote-as 1
no auto-summary
R3:
router bgp 3
no synchronization
bgp router-id 1.1.1.3
bgp log-neighbor-changes
network 10.13.13.0 mask 255.255.255.0
network 149.3.3.0 mask 255.255.255.0
network 151.3.3.0 mask 255.255.255.0
network 152.3.3.0 mask 255.255.255.0
network 172.16.6.0 mask 255.255.255.0
aggregate-address 10.0.0.0 255.0.0.0 summary-only
aggregate-address 172.16.0.0 255.255.0.0 summary-only
neighbor 10.10.10.1 remote-as 65001
neighbor 10.10.10.1 ebgp-multihop 3
neighbor 10.10.10.1 update-source Loopback1
neighbor 10.12.12.1 remote-as 3
neighbor 10.12.12.1 update-source Loopback1
neighbor 150.8.8.8 remote-as 2
neighbor 150.8.8.8 ebgp-multihop 3
neighbor 150.8.8.8 update-source Loopback3
neighbor 192.168.10.5 remote-as 3
neighbor 192.168.10.5 update-source Loopback1
neighbor 192.168.10.5 route-reflector-client
neighbor 192.168.10.6 remote-as 3
neighbor 192.168.10.6 update-source Loopback1
neighbor 192.168.10.6 route-reflector-client
no auto-summary
Sw4:
SW4#ping 209.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/57/59 ms
SW4#
SW4#ping 220.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/58/59 ms
SW4#
SW4#ping 160.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 160.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 51/60/75 ms
SW4#
SW4#ping 190.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 190.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/57/59 ms
SW4#
Task 3 (MEDs): Configure MEDs such that AS 3 will prefer R8 to reach 209.0.0.1 and
220.0.0.1, and R7 will be a better path to 190.0.0.1 and 160.0.0.1. Make sure you configure
R2 and R3 to prevent AS 65001 from being advertised to R7 or R8. Ping the routes from Sw4
and ensure you can still reach them.
R7:
router bgp 1
no synchronization
bgp router-id 1.1.1.7
bgp log-neighbor-changes
network 172.16.4.0 mask 255.255.255.0
network 209.0.0.0 mask 255.128.0.0
network 220.0.0.0 mask 255.128.0.0
neighbor 150.1.1.2 remote-as 3
neighbor 150.1.1.2 ebgp-multihop 3
neighbor 150.1.1.2 update-source Loopback3
neighbor 150.1.1.2 route-map med out (This allows us to use a route map to set the med value)
neighbor 172.16.4.8 remote-as 2
no auto-summary
route-map med permit 10
match ip address prefix-list med
set metric 10 (Setting a lower metric for these networks will make them more preferred over R7)
!
route-map med permit 20
match ip address prefix-list med2
set metric 200
set as-path prepend 1 (In BGP the AS-path attribute is preferred over MED, so we need to give
the AS path an equal length so that MED will be used as a tie breaker)
ip prefix-list med seq 5 permit 160.0.0.0/9
ip prefix-list med seq 10 permit 190.0.0.0/9
!
ip prefix-list med2 seq 5 permit 209.0.0.0/9
ip prefix-list med2 seq 10 permit 220.0.0.0/9
R8:
router bgp 2
no synchronization
bgp router-id 1.1.1.8
bgp log-neighbor-changes
network 160.0.0.0 mask 255.128.0.0
network 172.16.4.0 mask 255.255.255.0
network 190.0.0.0 mask 255.128.0.0
neighbor 150.3.3.2 remote-as 3
neighbor 150.3.3.2 ebgp-multihop 3
neighbor 150.3.3.2 update-source Loopback3
neighbor 150.3.3.2 route-map med out
neighbor 172.16.4.7 remote-as 1
no auto-summary
route-map med permit 10
match ip address prefix-list med
set metric 10
!
route-map med permit 20
match ip address prefix-list med2
set metric 200
set as-path prepend 2
ip prefix-list med seq 5 permit 209.0.0.0/9
ip prefix-list med seq 10 permit 220.0.0.0/9
!
ip prefix-list med2 seq 5 permit 160.0.0.0/9
ip prefix-list med2 seq 10 permit 190.0.0.0/9
Task 4 (As-filtering): Configure AS 3 so that it can not be a transit AS between AS1 and
AS2.
To accomplish this task you must use an AS-path ACL to enable a filter list.
Day 3
Multicast
Refer to slides from lecture or UniverCD for assistance.
Multicast Tasks
Task 1 (Multicast): Configure Multicast support for R2, R3, and R1. Configure
multicast routing such that it can automatically find the RPs in a failure. You can not
use Sparse/Dense or Dense mode for this task. Also make sure R1 is configured with
the highest priority for any elections.
Task 2 (IGMP): On R1 configure to join group 224.2.2.2. After doing this R2 and R3
should be able to ping this group.
Task 3 (IGMP): On Sw 4 we are having a problem with Multicast on Vlan 4. For
testing purposes configure SW 4 so that multicast is flooded to every switch port.
Multicast Answers
Task 1 (Multicast): Configure Multicast support for R2, R3, and R1. Configure
multicast routing such that it can automatically find the RPs in a failure. You can not
use Sparse/Dense or Dense mode for this task. Also make sure R1 is configured with
the highest priority for any elections.
R1
hostname R1
ip multicast-routing --This Turns on multicast globally
ip pim bsr-candidate Serial0/0/0 30 255--------This forces R1 to
be the BSR by using the highest priority
ip pim rp-candidate Serial0/0/0 priority 255--------This forces
R1 to be the RP for 224.2.2.2 by using the highest priority
interface FastEthernet0/0
description Vlan6_sw1tor1
ip address 10.6.6.2 255.255.255.252
ip pim sparse-mode------------This enables PIM routing and
control traffic
ip igmp join-group 224.2.2.2-------This Allows Router 1 to join
224.2.2.2
ip ospf 1 area 2
duplex auto
speed auto
interface Serial0/0/0
description MESH_to_R2_R3
ip address 172.16.1.1 255.255.255.0
ip pim sparse-mode ------------This enables PIM routing
R2
ip multicast-routing
ip pim bsr-candidate Serial0/0/0.1 30 100
ip pim rp-candidate Serial0/0/0.1 priority 100
interface Serial0/0/0.1 multipoint
description MESH_to_R1_R3
ip address 172.16.1.2 255.255.255.0
ip pim sparse-mode
R3
interface Serial0/0/0.1 multipoint
description MESH_to_R1_R3
ip address 172.16.1.3 255.255.255.0
ip pim sparse-mode
R3#sh ip pim bsr-router
PIMv2 Bootstrap information
  BSR address: 172.16.1.1 (?)
  Uptime:      00:03:54, BSR Priority: 255, Hash mask length: 30
  Expires:     00:01:15
This system is a candidate BSR
  Candidate BSR address: 172.16.1.3, priority: 100, hash mask length: 30
  Candidate RP: 172.16.1.3(Serial0/0/0.1)
    Holdtime 150 seconds
    Advertisement interval 60 seconds
    Next advertisement in 00:00:16
    Candidate RP priority : 100
R3#ping 224.2.2.2
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.2.2.2, timeout is 2 seconds:
Reply to request 0 from 172.16.1.1, 72 ms
R3#
Task 2 (IGMP): On R1 configure to join group 224.2.2.2 and only this group. After
doing this R2 and R3 should be able to ping this group.
Sw1
interface FastEthernet0/0
description Vlan6_sw1tor1
ip address 10.6.6.2 255.255.255.252
ip igmp join-group 224.2.2.2
ip ospf 1 area 2
duplex auto
speed auto
Task 3 (IGMP): On Sw 4 we are having a problem with Multicast on Vlan 4. For
testing purposes configure SW 4 so that multicast is flooded to every switch port.
SW4(config)#no ip igmp snooping vlan 4
Day 3
QoS
Qos Tasks
Task1 (Switch QoS): Enable Automatic QoS features on SW1 such that an IP
phone can be connected to any of the ports except for the trunk ports or ports
connected between switches or the routers. Also if a PC were to be connected it
should not allow it to send QoS information. On Sw2 configure f0/4 so that it will
only ever send traffic at a maximum of 50megs
Task2 (MLPP): On R1 and R2, first use MQC to match all voice traffic with a DSCP
of 46 and set a priority of 512k. Second match signaling information with a CS3 and
set the bandwidth to 64k. Set Best effort traffic to Fair Queue. Configure MLPP to
provide fragmentation and interleaving with a delay of 10 and 1460000 as the CIR.
Task3 (Congestion Avoidance): Configure congestion avoidance on R5 F0/0. For
DSCP AF11 set the min threshold to 10 and when the queue reaches the max
threshold of 100 packets set the drop probability to drop 1 out of 10 packets.
QoS Answers
Task1 (Switch QoS): Enable Automatic QoS features on SW1 such that an IP
phone can be connected to any of the ports except for the trunk ports or ports
connected between switches or the routers. Also if a PC were to be connected it
should not allow it to send QoS information. On Sw2 configure
Sw1(config)#mls qos
Sw1(config)#interface range f0/4 – (Choose interfaces without
routers or trunks)
Sw1(config-if-range)# auto qos voip cisco-phone ----- This will only trust QoS from an IP Phone
Note the 3560 has 2 input queues and 4 egress queues.
The auto QoS command adds the following global configuration:
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
interface FastEthernet0/4
srr-queue bandwidth limit 50 --- This command will limit traffic to 50% of the actual port bandwidth
Task2 (MLPP): Between BB1 and R2 on the frame, first use MQC to match all voice
traffic with a DSCP of 46 and set a priority of 512k. Second match signaling
information with a CS3 and set the bandwidth to 64k. Set Best effort traffic to Fair
Queue. Configure MLPP to provide fragmentation and interleaving with a delay of 10
and 1460000 as the CIR.
class-map match-all Signal --- Match traffic marked with the requested DSCP
match ip dscp cs3
class-map match-all VOICE
match ip dscp ef
!
!
policy-map BB1toR2 -- This sets LLQ for Voice and CBWFQ for Signalling
class VOICE
priority 512
class Signal
bandwidth 64
class class-default
fair-queue------------ Set Best Effort Queue to fair queue not FIFO
interface Serial0/0/0
frame-relay traffic-shaping
!
!
interface Serial0/0/0.2 point-to-point
description P2P-to-BB1
frame-relay interface-dlci 209 ppp Virtual-Template1 --- sets DLCI to Virtual Template
class BB1toR2
!
interface Virtual-Template1
description P2P-to-R2
bandwidth 1546
ip address 172.16.2.2 255.255.255.0
ip ospf 1 area 7
delay 100000
ppp multilink ----------MLPPP
ppp multilink fragment delay 10 ----Set delay to 10
ppp multilink interleave ---Interleave Voice into larger Data Packets
service-policy output BB1toR2
!
map-class frame-relay BB1toR2 -----------FRTS
frame-relay cir 1460000
frame-relay bc 14600
frame-relay be 0
frame-relay mincir 1460000
!
Task3 (Congestion Avoidance): Configure congestion avoidance on R5 F0/0. For
DSCP AF11 set the min threshold to 10 and when the queue reaches the max
threshold of 100 packets set the drop probability to drop 1 out of 10 packets.
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.5 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
ipv6 address 2000:1:1:1234::5/64
ipv6 address FE80::5 link-local
ipv6 ospf 1 area 0
random-detect dscp-based
random-detect dscp 10 10 100 10 -- AF11 = 10 decimal, min 10, max 100, drop 1 out of 10 packets.
Day 3
Security
Security Tasks
Task1 (DHCP security): Configure a DHCP server on SW2. Create a scope for
network 20.20.20.0/24 with a default gateway of 20.20.20.254 which will be
configured on sw2. Configure Sw2 for DHCP snooping and to examine the DHCP
leases coming from Sw2 to R2. Create Vlan 20 on the VTP server and configure a
vlan 20 to f0/2 interface on SW2 such that R2 learns its IP address from Sw2.
Configure DHCP snooping on Sw2 and save the bindings to flash:. Reset the IP on
Sw2 and ensure DHCP snooping is tracking the DHCP lease.
Task 2 (Prevent Spoofing): On Sw2 enable security features that can use the
DHCP bindings to prevent Spoofing IP addresses already bound to f0/2. On R2 and
R3 prevent IP spoofing from the ISP connections.
Task 3 (DoS): Configure R3 and R2 to protect against TCP DoS. Use 100 for low
and 500 for high threshold of half open connections.
On R2 and R3
ip tcp intercept max-incomplete low 100
ip tcp intercept max-incomplete high 500
!
Security Answers
Task1 (DHCP security): Configure a DHCP server on SW2. Create a scope for
network 20.20.20.0/24 with a default gateway of 20.20.20.254 which will be configured
on sw2. Configure Sw2 for DHCP snooping and to examine the DHCP leases coming
from Sw2 to R2. Create Vlan 20 on the VTP server and configure a vlan 20 to f0/2
interface on SW2 such that R2 learns its IP address from Sw2. Configure DHCP
snooping on Sw2 and save the bindings to flash:. Reset the IP on Sw2 and ensure DHCP
snooping is tracking the DHCP lease.
Sw2
ip dhcp excluded-address 20.20.20.254
!
ip dhcp pool sw2
network 20.20.20.0 255.255.255.0
default-router 20.20.20.254
interface Vlan20
ip address 20.20.20.254 255.255.255.0
R1
R1(config)#ntp master---NTP is required for DHCP snooping
Sw2
ntp server 192.168.10.1----------- NTP is required for DHCP snooping
ip dhcp snooping vlan 20
ip dhcp snooping database flash:file01.txt-------Stores the DHCP lease info
ip dhcp snooping--------Enables DHCP Snooping
Sw2(config)#int f0/2
SW2(config-if)#ip dhcp snooping trust
SW2#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ------------------
00:15:2B:AD:62:D1   20.20.20.1       86333       dhcp-snooping  20    FastEthernet0/2
Total number of bindings: 1
Task 2 (Prevent Spoofing): On Sw2 enable security features that can use the
DHCP bindings to prevent Spoofing IP addresses already bound to f0/2. On R2 and
R3 prevent IP spoofing from the ISP connections.
Sw2
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
ip verify source port-security --------Enables IP source guard
SW2#sh ip verify source interface f0/2
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  --------
Fa0/2      ip-mac       active       20.20.20.1       permit-all         20
R2
R2(config)#int s0/0/0.3
R2(config-subif)#ip verify unicast reverse-path
R3(config)#int s0/0/0.3
R3(config-subif)#ip verify unicast reverse-path
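The Sw2 half of this answer can be modelled offline. The Python below is an added example (not from the workbook and not switch code): it parses the sh ip dhcp snooping binding output shown above and applies the IP source guard decision to a frame arriving on f0/2. The function names, the interface-name normalisation and the mac_filter flag are assumptions of the model; mac_filter=False mirrors the permit-all listed under Mac-address in the sh ip verify source output.

```python
"""Model of the IP source guard decision for Sw2 f0/2 (added example)."""
import ipaddress
import re
from typing import NamedTuple

# Binding table text in the layout of `show ip dhcp snooping binding`.
# The single row carries the values shown on this page.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ------------------
00:15:2B:AD:62:D1   20.20.20.1       86333       dhcp-snooping  20    FastEthernet0/2
Total number of bindings: 1
"""


class Binding(NamedTuple):
    mac: str
    ip: ipaddress.IPv4Address
    lease: int
    vlan: int
    interface: str


ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\d+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<interface>\S+)\s*$"
)


def canon_ifname(name):
    """Expand f0/2 or Fa0/2 to FastEthernet0/2 (hypothetical helper)."""
    m = re.match(r"^f(?:a(?:stethernet)?)?(\d+(?:/\d+)+)$", name, re.IGNORECASE)
    return "FastEthernet" + m.group(1) if m else name


def parse_bindings(text):
    """Return the binding rows; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(Binding(m["mac"].lower(),
                                ipaddress.IPv4Address(m["ip"]),
                                int(m["lease"]), int(m["vlan"]),
                                canon_ifname(m["interface"])))
    return rows


def source_guard(bindings, interface, vlan, src_ip, src_mac, mac_filter=False):
    """Return 'permit' or 'deny' for one frame received on a guarded port.

    Only a source IP bound to this interface and VLAN is permitted. A port
    with no binding at all therefore drops every IP packet, which is what
    happens if the binding table is lost while the filter stays active.
    mac_filter=True additionally requires the bound MAC (model assumption).
    """
    ip = ipaddress.ip_address(src_ip)
    port = canon_ifname(interface)
    for b in bindings:
        if b.interface != port or b.vlan != vlan or b.ip != ip:
            continue
        if not mac_filter or b.mac == src_mac.lower():
            return "permit"
    return "deny"


if __name__ == "__main__":
    table = parse_bindings(BINDING_OUTPUT)
    # Constructed test frames: (source IP, source MAC, mac_filter)
    frames = [
        ("20.20.20.1", "00:15:2B:AD:62:D1", False),    # leased address
        ("20.20.20.254", "00:15:2B:AD:62:D1", False),  # gateway address spoofed
        ("20.20.20.1", "00:11:22:33:44:55", False),    # bound IP, other MAC
        ("20.20.20.1", "00:11:22:33:44:55", True),     # same, MAC also checked
    ]
    for ip, mac, mf in frames:
        print(ip, mac, "mac_filter=%s" % mf,
              source_guard(table, "f0/2", 20, ip, mac, mf))
    print("empty table:", source_guard([], "f0/2", 20, "20.20.20.1",
                                       "00:15:2B:AD:62:D1"))
```
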
Task 3 (DoS): Configure R3 and R2 to protect against TCP DoS. Use 100 for low
and 500 for high threshold of half open connections.
On R2 and R3
ip tcp intercept max-incomplete low 100
ip tcp intercept max-incomplete high 500
!
Day 4
IPv6
The Internet Engineering Task Force (IETF) has developed a suite of protocols and
standards known as IP version 6 (IPv6). This new version, previously called IP-The
Next Generation (IPng), incorporates the concepts of many methods for updating the
IPv4 protocol.
IPv6 Addressing
IPv6 addresses are 128 bits long and are configured in hexadecimal. Consecutive
zeroes can be eliminated (::). In the following example 2001:0:0:A1::1E2A/64 is the
full IPv6 address where 2001:0:0:A1 is the network portion and the interface (host)
portion is 0:0:0:1E2A or ::1E2A.
IPv6 Address Scopes
IPv6 has the following three scopes:
• Link-local Scope
• Unique-local Scope
• Global Scope
Link Local
• Identifies all hosts within a single layer 2 domain
• Unicast addresses within this scope are called link-local addresses
• They are assigned by default when ipv6 is enabled on an interface
• Network address is always FE80::/10
• Host portion derived from MAC address (Modified EUI-64)
• Can be manually added too: R3(config-if)#ipv6 address FE80::3 link-local
• Independent of the global addressing scheme
• Cannot be routed
Unique-local Scope
• Previously referred to as site local
• Identifies all devices within an administrative domain containing multiple distinct links
• Unicast addresses within this scope are called unicast-local addresses
• Have a scope limited to the site
• Network address is always FEC0::/10
• 16 bits in the network address identify the subnet
• Host portion derived from MAC address (Modified EUI-64)
Global
• Addresses for generic use of IPv6
• Identifies all devices reachable across the Internet
• Unicast addresses within this scope are called global unicast addresses
• Have to be globally unique and routable
• Addresses reserved for global scope 2000::/3
• Can have a variable subnet portion
• Last 64 bits for the interface identifier
• IANA assigns /48
Enabling IPv6
On a router in global configuration mode configure:
ipv6 unicast-routing
In interface mode:
ipv6 address 2001:200:1:1::1/64
Link-local addresses are generated by default or use manual configuration to change
them.
ipv6 address FE80::3 link-local
In order for a switch to understand IPv6 addresses configure:
In Global configuration
sdm prefer dual-ipv4-and-ipv6 default
Next you must reboot the switch for the changes to take place.
After a reboot the following global configuration can be entered
ipv6 unicast-routing
RIPng
In RIPng neighbors need not be on the same global subnet since they are on the
same link-local subnet. Hence the router has to advertise its own prefix for the link
on the actual interface. In addition to the frame-relay map ipv6 broadcast to the
Global IPv6 Addresses you also need a map to the link local address. RIP messages
are sent to the all RIP routers link-local multicast address FF02::9/128. And lastly,
RIPng uses the authentication headers present in the IPv6 header for authentication
purposes and does not provide MD5 authentication.
To configure RIPng in interface mode:
ipv6 rip <string> enable
To verify the configuration:
show ipv6 protocol
show ipv6 rip
show ipv6 rip database
Note * Redistribution between separate RIPng processes is configured under the
routing process.
OSPFv3
In comparison with OSPFv2, the basic mechanisms of version 3, such as flooding, DR
election, areas and SPF calculations, remain the same. In contrast, link LSAs
announce link-local addresses and a list of IPv6 prefixes to associate with the
link. Intra-area prefix LSAs carry all IPv6 prefixes to all OSPFv3 routers within an
area (they correspond to router and network LSAs in IPv4). Inter-area prefix LSA
0x2003 replaces the summary or type 3 LSA, and inter-area router LSA 0x2004 replaces
the type 4 LSA. OSPFv3 runs on a link basis rather than on a subnet basis as in
OSPFv2. Authentication is also removed from OSPFv3, which relies on IPv6 for
authentication.
OSPFv3 is configured on the interfaces:
• ipv6 ospf 100 area 0
To verify the configuration:
• show ipv6 ospf
• show ipv6 ospf neighbor
OSPFv3 still uses a 32 bit router id that must be configured under ipv6 router ospf 100.
Summaries can be configured under ipv6 router ospf 100 using the command area 1
range 2001::/48
The LSAs in OSPFv3:
Router-LSA               0x2001
Network-LSA              0x2002
Inter-Area-Prefix-LSA    0x2003
Inter-Area-Router-LSA    0x2004
AS-External-LSA          0x2005
Group-membership-LSA     0x2006
Type-7-LSA               0x2007
Link-LSA                 0x2008
Intra-Area-Prefix-LSA    0x2009
OSPFv3 over NBMA
OSPFv3 over NBMA is very much similar to OSPFv2 over NBMA. The hub interface
priority has to be increased manually to make it the DR. The spokes should be
configured with a priority of 0 so that they never participate in the DR elections.
Moreover neighbors have to be specified manually on the interface. The address for
the neighbor has to be the link local addresses. The neighbors have to be specified
only on the hub not on the spokes.
Frame-relay maps have to be configured pointing to the neighbor’s link local address
on both hub and spokes as well as the global addresses (if configured)
sh ipv6 int s0/1/0 displays the link-local address
The following example displays configuring OSPFv3 on a hub interface:
interface Serial0/1/0
ipv6 ospf priority 100
ipv6 ospf neighbor FE80::20A:B8FF:FE6B:A478
ipv6 ospf neighbor FE80::20A:B8FF:FE2C:7DC8
ipv6 ospf 10 area 0
frame-relay map ipv6 FE80::20A:B8FF:FE6B:A478 106
frame-relay map ipv6 FE80::20A:B8FF:FE2C:7DC8 105
IPv6 over IPv4
IPv6 can be tunneled under IPv4. The 6to4 tunnel mode by default is gre and can
be changed to ipv6ip. The tunnel itself needs an IPv6 address configured manually.
The tunnel source and destination will be IPv4 addresses. Afterwards an IPv6 capable
routing protocol can be enabled over the tunnel.
The following example tunnels IPv6 over IPv4:
interface Tunnel0
no ip address
ipv6 address 2002:100:24:1::2/64
ipv6 ospf 100 area 0
tunnel source 10.86.72.17
tunnel destination 10.86.72.18
In the above example we are using GRE as the default encapsulation; however we
could also opt for ipv6ip with the tunnel mode ipv6ip command.
IPv6 Neighbor Discovery
• Neighbor Discovery determines the link-layer address of a neighbor on the
same link and helps both keep track of and find neighbor routers. Neighbor
discovery is achieved with the ICMP protocol using multicast addresses. This
is also known as the solicited node address. A solicited-node address is a
Multicast address with a link-local scope, which is formed by a prefix and the
right-most 24 bits of the unicast or anycast address. The following diagram
illustrates how a neighbor is discovered in IPv6.
Neighbor Discovery
Afterwards routers send periodic Router Advertisements (RA) to the all-nodes
multicast address. At reboot time the devices send Router Solicitations to promptly
receive Router Advertisements. There is also a notion of a redirect, which is used by
a router to signal the reroute of a packet to a better router.
Duplicate Address Detection
Duplicate Address Detection (DAD) uses Neighbor Solicitation to verify the existence
of an address to be configured to avoid conflicts.
Stateless Auto-configuration
This time end devices or routers are configured to send router solicitations at boot up
to request RAs for configuring their interfaces. An IPv6 router configured to respond
will send the following information in the Router advertisements:
• Default router
• IPv6 network prefix
• Lifetime of advertisement
The IPv6 router would configure an interface with the following parameters:
ipv6 nd prefix <prefix> | default
[ [<valid-lifetime> <preferred-lifetime>] |
[at <valid-date> <preferred-date>]
[off-link] [no-autoconfig] ]
IPv6 LAB
Scenario
Turn-key is doing business with a partner that would like to connect with them over
IPv6 in the future. Turn-key has registered IPv6 address space and would like you to
configure IPv6 as outlined in the following diagram to pilot this capability over their
existing IPv4 infrastructure.
IPv6 Topology
IPv6 Tasks
Task 1 (Enable IPv6): enable on each device identified in the above diagram.
Configure IPv6 addresses based on the following Table:
Interface        Device   IPv6
Vlan3_trunked    Sw1      2000:2:2:1234::2/64
Vlan3_trunked    Sw2      2000:2:2:1234::4/64
Vlan10_Leased    Sw1      2000:1:1:1234::1/64
F0/0             R3       2000:1:1:1234::3/64
S0/0/0.2         R3       2001:1:1:1234::3/64
F0/0             R5       2000:1:1:1234::5/64
S0/0/0           R5       2001:1:1:1234::5/64
F0/0             R6       2000:1:1:1234::6/64
S0/0/0           R6       2001:1:1:1234::6/64
Configure the following loop back addresses:
• R3 – Lo5 = 2000:3:3:3::3/64
• R5 – Lo5 = 2000:5:5:5::5/64
• R6 – Lo5 = 2000:6:6:6::6/64
Task 2 (Link Local): Do a sh ipv6 int on each of the configured addresses and
manually modify the link local address to make it easier to look at.
For example on R3:
R3#sh ipv6 int
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::217:EFF:FE64:B008
Description: Vlan10_Leased
Global unicast address(es):
2000:1:1:1:1234::1, subnet is 2000:1:1:1::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FF64:B008
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
We could shorten the address to FE80::3 by issuing the following interface
command:
R3(config-if)#ipv6 address FE80::3 link-local
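The link-local address and the two FF02::1:FF groups in the R3 output above follow mechanically from the interface MAC and the unicast addresses. The Python below is an added example (not part of the workbook) that reproduces them; the function names are assumptions, and the MAC 0017.0e64.b008 is not printed on the page but recovered from the page's link-local address, which also shows that a Modified EUI-64 address discloses the hardware address while FE80::3 does not.

```python
"""Modified EUI-64 and solicited-node derivation (added example)."""
import ipaddress
import re

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def mac_bytes(mac):
    """Accept 00:17:0e:64:b0:08, 00-17-0E-64-B0-08 or Cisco 0017.0e64.b008."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bytes.fromhex(digits)


def link_local_from_mac(mac):
    """FE80::/64 plus Modified EUI-64: flip the U/L bit, insert FF:FE."""
    o = mac_bytes(mac)
    iid = bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 interface ID, or None if it is not one."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # manually assigned ID such as FE80::3
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


def solicited_node(addr):
    """FF02::1:FF00:0/104 plus the right-most 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


if __name__ == "__main__":
    # Addresses taken from the R3 `sh ipv6 int` output on this page.
    link_local = "FE80::217:EFF:FE64:B008"
    global_addr = "2000:1:1:1:1234::1"
    mac = mac_from_address(link_local)
    print("MAC recovered from link-local:", mac)
    print("link-local rebuilt from MAC:  ", link_local_from_mac(mac))
    print("solicited-node (link-local):  ", solicited_node(link_local))
    print("solicited-node (global):      ", solicited_node(global_addr))
    # After `ipv6 address FE80::3 link-local` the group changes and the
    # interface ID no longer carries the MAC.
    print("solicited-node (FE80::3):     ", solicited_node("FE80::3"))
    print("MAC from FE80::3:             ", mac_from_address("FE80::3"))
```
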
Task 3 (RIPng): Enable RIPng for networks on Sw1 and Sw2
Task 4 (OSPFv3): Enable OSPFv3 area 0 between Sw1, R3, R5, and R6. For
redundancy OSPF should run over the Leased Ethernet and Frame Relay.
Task 5 (Redistribution): Redistribute OSPFv3 and RIPng on Sw1 and ping test
from Sw2 to ensure all IPv6 networks are reachable.
IPv6 Answers
Task 1 (Enable IPv6): enable on each device identified in the above diagram.
In order to allow the Catalyst 3560 switches to support Ipv6 addresses we need to
change the SDM template to dual. Since we have configured so many L2 options in
the previous Lab, we will leave the switch tuned for desktop.
Sw1:
Sw1(config)#sdm ?
prefer Config TCAM and Forwarding RAM sizes. Warning: need to reset switch
for configuration to take effect.
Sw1(config)#sdm prefer ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6
  routing             Unicast bias
  vlan                VLAN bias
Sw1(config)#sdm prefer dual
Sw1(config)#sdm prefer dual-ipv4-and-ipv6 ?
  default  Default bias
  routing  Unicast bias
  vlan     VLAN bias
Sw1(config)#sdm prefer dual-ipv4-and-ipv6 rou
Sw1(config)#sdm prefer dual-ipv4-and-ipv6 routing
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
Sw1(config)#do sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses:                  6K
number of IPv4 IGMP groups + multicast routes:    1K
number of IPv4 unicast routes:                    8K
number of directly-connected IPv4 hosts:          6K
number of indirect IPv4 routes:                   2K
number of IPv4 policy based routing aces:         0
number of IPv4/MAC qos aces:                      512
number of IPv4/MAC security aces:                 1K
On next reload, template will be "desktop IPv4 and IPv6 routing" template.
Sw1(config)#
Sw1(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
Sw1(config)#do sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses:                  6K
number of IPv4 IGMP groups + multicast routes:    1K
number of IPv4 unicast routes:                    8K
number of directly-connected IPv4 hosts:          6K
number of indirect IPv4 routes:                   2K
number of IPv4 policy based routing aces:         0
number of IPv4/MAC qos aces:                      512
number of IPv4/MAC security aces:                 1K
On next reload, template will be "desktop IPv4 and IPv6 default" template.
Sw1(config)#
Sw1#reload
Proceed with reload? [confirm]
Sw1#show sdm prefer
The current template is "desktop IPv4 and IPv6 default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses:                 2K
number of IPv4 IGMP groups + multicast routes:   1K
number of IPv4 unicast routes:                   3K
number of directly-connected IPv4 hosts:         2K
number of indirect IPv4 routes:                  1K
number of IPv6 multicast groups:                 1152
number of directly-connected IPv6 addresses:     2K
number of indirect IPv6 unicast routes:          1K
number of IPv4 policy based routing aces:        0
number of IPv4/MAC qos aces:                     512
number of IPv4/MAC security aces:                1K
number of IPv6 policy based routing aces:        0
number of IPv6 qos aces:                         510
number of IPv6 security aces:                    510
Sw2:
SW2(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SW2(config)#do reload
System configuration has been modified. Save? [yes/no]: y
SW2#sh sdm prefer
The current template is "desktop IPv4 and IPv6 default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses:                 2K
number of IPv4 IGMP groups + multicast routes:   1K
number of IPv4 unicast routes:                   3K
number of directly-connected IPv4 hosts:         2K
number of indirect IPv4 routes:                  1K
number of IPv6 multicast groups:                 1152
number of directly-connected IPv6 addresses:     2K
number of indirect IPv6 unicast routes:          1K
number of IPv4 policy based routing aces:        0
number of IPv4/MAC qos aces:                     512
number of IPv4/MAC security aces:                1K
number of IPv6 policy based routing aces:        0
number of IPv6 qos aces:                         510
number of IPv6 security aces:                    510
Sw3:
SW3(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SW3(config)#do reload
SW3#sh sdm prefer
The current template is "desktop IPv4 and IPv6 default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses:                 2K
number of IPv4 IGMP groups + multicast routes:   1K
number of IPv4 unicast routes:                   3K
number of directly-connected IPv4 hosts:         2K
number of indirect IPv4 routes:                  1K
number of IPv6 multicast groups:                 1152
number of directly-connected IPv6 addresses:     2K
number of indirect IPv6 unicast routes:          1K
number of IPv4 policy based routing aces:        0
number of IPv4/MAC qos aces:                     512
number of IPv4/MAC security aces:                1K
number of IPv6 policy based routing aces:        0
number of IPv6 qos aces:                         510
number of IPv6 security aces:                    510
Sw4:
SW4(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SW4(config)#do reload
SW4#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses:                 6K
number of IPv4 IGMP groups + multicast routes:   1K
number of IPv4 unicast routes:                   8K
number of directly-connected IPv4 hosts:         6K
number of indirect IPv4 routes:                  2K
number of IPv4 policy based routing aces:        0
number of IPv4/MAC qos aces:                     512
number of IPv4/MAC security aces:                1K
On next reload, template will be "desktop IPv4 and IPv6 default" template.
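As an added example (not part of the workbook), the check below parses 'show sdm prefer' text and reports whether the dual-stack template is actually active or only stored for the next reload, which is the state SW4 is still in above. The function names are hypothetical, the two samples are constructed by condensing the outputs shown in this section, and treating K as 1024 is an assumption.

```python
import re

# Constructed sample: a switch that still runs the IPv4-only template while
# the dual-stack template waits for a reload (condensed from the SW4 output).
PENDING = """\
The current template is "desktop default" template.
number of unicast mac addresses:                 6K
number of IPv4 unicast routes:                   8K
number of IPv4/MAC security aces:                1K
On next reload, template will be "desktop IPv4 and IPv6 default" template.
"""

# Constructed sample: the dual-stack template is active (condensed from SW2).
ACTIVE = """\
The current template is "desktop IPv4 and IPv6 default" template.
number of unicast mac addresses:                 2K
number of IPv4 unicast routes:                   3K
number of directly-connected IPv6 addresses:     2K
number of IPv4/MAC security aces:                1K
number of IPv6 security aces:                    510
"""


def _to_int(number, suffix):
    """Convert '2' + 'K' or '510' + '' to an integer (K taken as 1024, an assumption)."""
    return int(float(number) * 1024) if suffix.upper() == "K" else int(number)


def parse_sdm(text):
    """Return the active template, the pending template (or None) and the resource counts."""
    current = re.search(r'The current template is\s+"([^"]+)"', text)
    if current is None:
        raise ValueError("not 'show sdm prefer' output")
    pending = re.search(r'On next reload, template will be\s+"([^"]+)"', text)
    # \s* after the colon also spans a line break, so output whose values were
    # wrapped onto the following line (as in copied or extracted text) still parses.
    rows = re.findall(r"number of ([^:\n]+):\s*(\d+(?:\.\d+)?)(K?)", text)
    resources = {label.strip(): _to_int(num, k) for label, num, k in rows}
    return {
        "current": current.group(1),
        "pending": pending.group(1) if pending else None,
        "resources": resources,
    }


def ipv6_ready(text):
    """Return (ok, reason): ok is True only when IPv6 resources are allocated now."""
    info = parse_sdm(text)
    has_v6 = any("IPv6" in label and count > 0
                 for label, count in info["resources"].items())
    if has_v6 and "IPv6" in info["current"]:
        return True, "active template allocates IPv6 resources"
    if info["pending"] and "IPv6" in info["pending"]:
        return False, "IPv6 template is stored but not active until the next reload"
    return False, "IPv4-only template and no IPv6 template stored"


if __name__ == "__main__":
    for name, sample in (("PENDING", PENDING), ("ACTIVE", ACTIVE)):
        print(name, ipv6_ready(sample))
```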
R3:
R3(config)#ipv6 unicast-routing
R5:
R5(config)#ipv6 unicast-routing
R6:
R6(config)#ipv6 unicast-routing
Note: after the switches reboot, they need the ipv6 unicast-routing command as well.
Configure IPv6 addresses based on the above Table and Task2 Link local
addresses:
R3:
interface Loopback5
no ip address
ipv6 address 2000:3:3:3::3/64 (This is the global IPv6 address)
ipv6 address FE80::3 link-local (This is a modified link-local address that is not routable, so it can be duplicated.)
interface Serial0/0/0.2 multipoint
description Hub-and-spoke-R5-R6
ip address 172.16.3.3 255.255.255.0
no ip split-horizon
ip ospf dead-interval minimal hello-multiplier 4
ip ospf 1 area 3
ipv6 address 2001:1:1:1234::3/64
ipv6 address FE80::3 link-local
frame-relay map ip 172.16.3.3 305
frame-relay map ip 172.16.3.5 305 broadcast
frame-relay map ip 172.16.3.6 306 broadcast
no frame-relay inverse-arp
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.3 255.255.255.0
ip ospf 1 area 0
delay 1
duplex auto
speed auto
ipv6 address 2000:1:1:1234::1/64
ipv6 address FE80::3 link-local
R3#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::3
    2000:1:1:1234::1
FastEthernet0/1            [administratively down/down]
Serial0/0/0                [up/up]
Serial0/0/0.1              [up/up]
Serial0/0/0.2              [up/up]
    FE80::3
    2001:1:1:1234::3
Serial0/0/0.3              [up/up]
Serial0/0/1                [administratively down/down]
Serial0/1/0                [administratively down/down]
Serial0/1/1                [administratively down/down]
Loopback1                  [up/up]
Loopback3                  [up/up]
Loopback4                  [up/up]
Loopback5                  [up/up]
    FE80::3
    2000:3:3:3::3
R5:
interface Loopback5
no ip address
ipv6 address 2000:5:5:5::5/64
ipv6 address FE80::5 link-local
!
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.5 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
ipv6 address 2000:1:1:1234::5/64
ipv6 address FE80::5 link-local
interface Serial0/0/0
description Hub-and-spoke-to-R3-R6
ip address 172.16.3.5 255.255.255.0
encapsulation frame-relay
ip ospf dead-interval minimal hello-multiplier 4
ip ospf 1 area 3
ipv6 address 2001:1:1:1234::5/64
ipv6 address FE80::5 link-local
frame-relay map ip 172.16.3.3 503 broadcast
frame-relay map ip 172.16.3.5 503 broadcast
frame-relay map ip 172.16.3.6 503 broadcast
no frame-relay inverse-arp
frame-relay lmi-type ansi
R5#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::5
    2000:1:1:1234::5
FastEthernet0/1            [administratively down/down]
Serial0/0/0                [up/up]
    FE80::5
    2001:1:1:1234::5
Serial0/0/1                [up/down]
Loopback5                  [up/up]
    FE80::5
    2000:5:5:5::5
R6:
interface Loopback5
no ip address
ipv6 address 2000:6:6:6::6/64
ipv6 address FE80::6 link-local
!
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.6 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
ipv6 address 2000:1:1:1234::6/64
ipv6 address FE80::6 link-local
!
!
interface Serial0/0/0
description Hub-and-spoke-to-R3-R5
ip address 172.16.3.6 255.255.255.0
encapsulation frame-relay
ip ospf dead-interval minimal hello-multiplier 4
ip ospf 1 area 3
ipv6 address 2001:1:1:1234::6/64
ipv6 address FE80::6 link-local
frame-relay map ip 172.16.3.3 603 broadcast
frame-relay map ip 172.16.3.5 603 broadcast
frame-relay map ip 172.16.3.6 603 broadcast
no frame-relay inverse-arp
frame-relay lmi-type ansi
R6#sh ipv6 int brief
FastEthernet0/0            [up/up]
    FE80::6
    2000:1:1:1::6
FastEthernet0/1            [administratively down/down]
Serial0/0/0                [up/up]
    FE80::6
    2001:1:1:1::6
Serial0/0/1                [administratively down/down]
Loopback5                  [up/up]
    FE80::6
    2000:6:6:6::6
You should be able to ping the link-local addresses of interfaces that are directly connected:
R6#ping ipv6 fe80::3
Output Interface: fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::3, timeout is 2 seconds:
Packet sent with a source address of FE80::6
!!!!!
Sw1:
interface Vlan3
description Vlan3_trunked
ip address 10.3.3.1 255.255.255.0
ipv6 address 2000:2:2:1234::1/64
ipv6 address FE80::1 link-local
standby ip 10.3.3.254
standby priority 255
standby preempt delay minimum 60
standby name Vlan3
standby track FastEthernet0/1
interface Vlan10
description Vlan10_Leased
ip address 192.168.10.1 255.255.255.0
ip summary-address eigrp 100 10.0.0.0 255.0.0.0 5
ipv6 address 2000:1:1:1234::1/64
ipv6 address FE80::1 link-local
Sw1#sh ipv6 int brief
Vlan1                      [administratively down/down]
    unassigned
Vlan3                      [up/up]
    FE80::1
    2000:2:2:1234::1
Vlan4                      [up/up]
    unassigned
Vlan5                      [up/up]
    unassigned
Vlan6                      [up/up]
    unassigned
Vlan8                      [up/up]
    unassigned
Vlan10                     [up/up]
    FE80::1
    2000:1:1:1234::1
Sw2:
interface Vlan3
description Vlan3_trunked
ip address 10.3.3.2 255.255.255.0
ipv6 address 2000:2:2:1234::2/64
ipv6 address FE80::2 link-local
standby ip 10.3.3.254
standby name Vlan3
Vlan1                      [administratively down/down]
    unassigned
Vlan3                      [up/up]
    FE80::2
    2000:2:2:2:1234::2
Vlan4                      [up/up]
    Unassigned
Task 3 (RIPng): Enable RIPng for networks on Sw1 and Sw2
Sw1:
interface Vlan3
description Vlan3_trunked
ip address 10.3.3.1 255.255.255.0
ipv6 address 2000:2:2:1234::1/64
ipv6 address FE80::1 link-local
ipv6 rip cisco enable (This enables RIP for this interface)
standby ip 10.3.3.254
standby priority 255
standby preempt delay minimum 60
standby name Vlan3
standby track FastEthernet0/1
interface Vlan10
description Vlan10_Leased
ip address 192.168.10.1 255.255.255.0
ip summary-address eigrp 100 10.0.0.0 255.0.0.0 5
ipv6 address 2000:1:1:1234::1/64
ipv6 address FE80::1 link-local
ipv6 rip cisco enable
Sw1#sh ipv6 rip
RIP process "cisco", port 521, multicast-group FF02::9, pid 234
Administrative distance is 120. Maximum paths is 16
Updates every 30 seconds, expire after 180
Holddown lasts 0 seconds, garbage collect after 120
Split horizon is on; poison reverse is off
Default routes are not generated
Periodic updates 3, trigger updates 1
Interfaces:
Loopback5
Vlan10
Vlan3
Redistribution:
None
Sw1#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2000:1:1:1234::/64 [0/0]
via ::, Vlan10
C 2000:2:2:2::/64 [0/0]
via ::, Vlan3
L 2000:2:2:2:1234::1/128 [0/0]
via ::, Vlan3
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
Sw2:
interface Vlan3
description Vlan3_trunked
ip address 10.3.3.2 255.255.255.0
ipv6 address 2000:2:2:1234::2/64
ipv6 address FE80::2 link-local
ipv6 rip cisco enable
standby ip 10.3.3.254
standby name Vlan3
SW2#sh ipv6 rip
RIP process "cisco", port 521, multicast-group FF02::9, pid 234
Administrative distance is 120. Maximum paths is 16
Updates every 30 seconds, expire after 180
Holddown lasts 0 seconds, garbage collect after 120
Split horizon is on; poison reverse is off
Default routes are not generated
Periodic updates 11, trigger updates 1
Interfaces:
Vlan3
Redistribution:
None
SW2#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R 2000:1:1:1234::/64 [120/2] (This is a network learned via RIP)
via FE80::1, Vlan3
C 2000:2:2::/64 [0/0]
via ::, Vlan3
L 2000:2:2:1234::2/128 [0/0]
via ::, Vlan3
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
SW2#ping 2000:1:1:1234::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:1:1:1234::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
SW2#
Task 4 (OSPFv3): Enable OSPFv3 area 0 between Sw1, R3, R5, and R6. For
redundancy OSPF should run over the Leased Ethernet and Frame Relay.
SW1:
interface Vlan10
description Vlan10_Leased
ip address 192.168.10.1 255.255.255.0
ip summary-address eigrp 100 10.0.0.0 255.0.0.0 5
ipv6 address 2000:1:1:1234::1/64
ipv6 address FE80::1 link-local
ipv6 rip cisco enable
ipv6 ospf 1 area 0 (This enables an OSPF process for IPv6)
Sw1#sh ipv6 ospf database
OSPFv3 Router with ID (192.168.10.1) (Process ID 1)

Router Link States (Area 0)
ADV Router      Age    Seq#         Fragment ID  Link count  Bits
150.3.3.2       282    0x80000015   0            2           None
192.168.10.1    280    0x80000007   0            1           None
192.168.10.5    287    0x8000000A   0            2           None
192.168.10.6    285    0x80000009   0            2           None

Net Link States (Area 0)
ADV Router      Age    Seq#         Link ID  Rtr count
150.3.3.2       461    0x80000004   21       3
192.168.10.1    287    0x80000003   2078     4

Link (Type-8) Link States (Area 0)
ADV Router      Age    Seq#         Link ID  Interface
150.3.3.2       390    0x80000002   4        Vl10
192.168.10.1    622    0x80000002   2078     Vl10
192.168.10.5    295    0x80000001   4        Vl10
192.168.10.6    1372   0x80000001   4        Vl10

Intra Area Prefix Link States (Area 0)
ADV Router      Age    Seq#         Link ID  Ref-lstype  Ref-LSID
150.3.3.2       484    0x80000003   0        0x2001      0
150.3.3.2       479    0x80000003   1021     0x2002      21
192.168.10.1    373    0x80000002   3078     0x2002      2078
192.168.10.5    291    0x80000005   0        0x2001      0
Sw1#
Sw1#sh ipv6 ospf neighbor
Neighbor ID     Pri  State          Dead Time  Interface ID  Interface
192.168.10.5    1    FULL/DROTHER   00:00:35   4             Vlan10
192.168.10.6    1    FULL/DROTHER   00:00:39   4             Vlan10
150.3.3.2       1    FULL/BDR       00:00:33   4             Vlan10
Sw1#
Sw1#sh ipv6 route
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2000:1:1:1234::/64 [0/0]
via ::, Vlan10
L 2000:1:1:1234::1/128 [0/0]
via ::, Vlan10
C 2000:2:2:1234::/64 [0/0]
via ::, Vlan3
L 2000:2:2:1234::1/128 [0/0]
via ::, Vlan3
O 2000:3:3:3::3/128 [110/1]
via FE80::3, Vlan10
O 2000:5:5:5::5/128 [110/1]
via FE80::5, Vlan10
O 2001:1:1:1234::/64 [110/65]
via FE80::6, Vlan10
via FE80::3, Vlan10
via FE80::5, Vlan10
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
Sw1#ping 2000:3:3:3::3 (Pinging some of the remote Loop backs)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:3:3:3::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Sw1#ping 2000:5:5:5::5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:5:5:5::5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/8 ms
Sw1#
R3:
interface Loopback5
no ip address
ipv6 address 2000:3:3:3::3/64
ipv6 address FE80::3 link-local
ipv6 ospf 1 area 0 (Enables this interface in OSPFv3 for IPv6)
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.3 255.255.255.0
ip ospf 1 area 0
delay 1
duplex auto
speed auto
ipv6 address 2000:1:1:1234::3/64
ipv6 address FE80::3 link-local
ipv6 ospf 1 area 0
!
interface Serial0/0/0.2 multipoint
description Hub-and-spoke-R5-R6
ip address 172.16.3.3 255.255.255.0
no ip split-horizon
ip ospf dead-interval minimal hello-multiplier 4
ip ospf 1 area 3
ipv6 address 2001:1:1:1234::3/64
ipv6 address FE80::3 link-local
ipv6 ospf priority 255 (These commands use unicast to connect to the spokes and give them a priority of zero, which disqualifies them from becoming a DR)
ipv6 ospf neighbor FE80::5
ipv6 ospf neighbor FE80::6
ipv6 ospf 1 area 0
frame-relay map ip 172.16.3.3 305
frame-relay map ipv6 FE80::5 305 broadcast
frame-relay map ipv6 FE80::6 306 broadcast
frame-relay map ip 172.16.3.5 305 broadcast
frame-relay map ip 172.16.3.6 306 broadcast
frame-relay map ipv6 2001:1:1:1234::5 305 broadcast
frame-relay map ipv6 2001:1:1:1234::6 306 broadcast
no frame-relay inverse-arp
R3#sh ipv6 ospf database
OSPFv3 Router with ID (150.3.3.2) (Process ID 1)
Router Link States (Area 0)
ADV Router      Age    Seq#         Fragment ID  Link count  Bits
150.3.3.2       511    0x80000015   0            2           None
192.168.10.1    511    0x80000007   0            1           None
192.168.10.5    517    0x8000000A   0            2           None
192.168.10.6    516    0x80000009   0            2           None

Net Link States (Area 0)
ADV Router      Age    Seq#         Link ID  Rtr count
150.3.3.2       691    0x80000004   21       3
192.168.10.1    517    0x80000003   2078     4

Link (Type-8) Link States (Area 0)
ADV Router      Age    Seq#         Link ID  Interface
150.3.3.2       710    0x80000003   21       Se0/0/0.2
192.168.10.5    1868   0x80000003   6        Se0/0/0.2
192.168.10.6    1712   0x80000001   6        Se0/0/0.2
150.3.3.2       618    0x80000002   4        Fa0/0
192.168.10.1    854    0x80000002   2078     Fa0/0
192.168.10.5    527    0x80000001   4        Fa0/0
192.168.10.6    1603   0x80000001   4        Fa0/0

Intra Area Prefix Link States (Area 0)
ADV Router      Age    Seq#         Link ID  Ref-lstype  Ref-LSID
150.3.3.2       712    0x80000003   0        0x2001      0
150.3.3.2       706    0x80000003   1021     0x2002      21
192.168.10.1    602    0x80000002   3078     0x2002      2078
192.168.10.5    519    0x80000005   0        0x2001      0
R3#
R3#sh ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2000:1:1:1234::/64 [0/0]
via ::, FastEthernet0/0
L 2000:1:1:1234::3/128 [0/0]
via ::, FastEthernet0/0
L 2000:1:1:1234::6/128 [0/0]
via ::, FastEthernet0/0
C 2000:3:3:3::/64 [0/0]
via ::, Loopback5
L 2000:3:3:3::3/128 [0/0]
via ::, Loopback5
O 2000:5:5:5::5/128 [110/1]
via FE80::5, FastEthernet0/0
C 2001:1:1:1234::/64 [0/0]
via ::, Serial0/0/0.2
L 2001:1:1:1234::3/128 [0/0]
via ::, Serial0/0/0.2
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
R3#ping 2000:5:5:5::5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:5:5:5::5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
R3#ping 2000:6:6:6::6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:6:6:6::6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
R3#
R5:
interface Loopback5
no ip address
ipv6 address 2000:5:5:5::5/64
ipv6 address FE80::5 link-local
ipv6 ospf 1 area 0
!
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.5 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
ipv6 address 2000:1:1:1234::5/64
ipv6 address FE80::5 link-local
ipv6 ospf 1 area 0
interface Serial0/0/0
description Hub-and-spoke-to-R3-R6
ip address 172.16.3.5 255.255.255.0
encapsulation frame-relay
ip ospf dead-interval minimal hello-multiplier 4
ip ospf 1 area 3
ipv6 address 2001:1:1:1234::5/64
ipv6 address FE80::5 link-local
ipv6 ospf neighbor FE80::3 priority 255 (Normally we do not need neighbors on the spokes, but since we are connecting over Ethernet too, it helps stabilize the Frame Relay neighbor relationship.)
ipv6 ospf 1 area 0
frame-relay map ipv6 FE80::3 503 broadcast
frame-relay map ip 172.16.3.3 503 broadcast
frame-relay map ip 172.16.3.5 503 broadcast
frame-relay map ip 172.16.3.6 503 broadcast
frame-relay map ipv6 2001:1:1:1234::3 503 broadcast
no frame-relay inverse-arp
frame-relay lmi-type ansi
R6:
interface Loopback5
no ip address
ipv6 address 2000:6:6:6::6/64
ipv6 address FE80::6 link-local
ipv6 ospf 1 area 0
!
interface FastEthernet0/0
description Vlan10_Leased
ip address 192.168.10.6 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
ipv6 address 2000:1:1:1234::6/64
ipv6 address FE80::6 link-local
ipv6 ospf 1 area 0
interface Serial0/0/0
description Hub-and-spoke-to-R3-R5
ip address 172.16.3.6 255.255.255.0
encapsulation frame-relay
ip ospf dead-interval minimal hello-multiplier 4
ip ospf 1 area 3
ipv6 address 2001:1:1:1234::6/64
ipv6 address FE80::6 link-local
ipv6 ospf 1 area 0
frame-relay map ipv6 FE80::3 603 broadcast
frame-relay map ip 172.16.3.3 603 broadcast
frame-relay map ip 172.16.3.5 603 broadcast
frame-relay map ip 172.16.3.6 603 broadcast
frame-relay map ipv6 2001:1:1:1234::3 603 broadcast
no frame-relay inverse-arp
frame-relay lmi-type ansi
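OSPFv3 hellos are sourced from link-local addresses, so with inverse ARP disabled every 'ipv6 ospf neighbor' in the stanzas above needs its own 'frame-relay map ipv6' entry. The check below is an added example, not part of the workbook: it audits interface stanzas for a neighbor without a map and for a mapped global address outside the interface prefix. Function names are hypothetical, and both samples are constructed from the Task 4 stanzas, with two deliberate faults in HUB.

```python
import ipaddress
import re

# Constructed sample modelled on the hub's multipoint subinterface. Two faults
# are deliberate: neighbor FE80::7 has no map, and one map is off-prefix.
HUB = """\
interface Serial0/0/0.2 multipoint
ipv6 address 2001:1:1:1234::3/64
ipv6 address FE80::3 link-local
ipv6 ospf priority 255 (annotation in the workbook's inline style)
ipv6 ospf neighbor FE80::5
ipv6 ospf neighbor FE80::6
ipv6 ospf neighbor FE80::7
ipv6 ospf 1 area 0
frame-relay map ipv6 FE80::5 305 broadcast
frame-relay map ipv6 FE80::6 306 broadcast
frame-relay map ipv6 2001:1:1234::6 306 broadcast
no frame-relay inverse-arp
"""

# Constructed sample modelled on a spoke stanza; expected to pass.
SPOKE = """\
interface Serial0/0/0
encapsulation frame-relay
ipv6 address 2001:1:1:1234::5/64
ipv6 address FE80::5 link-local
ipv6 ospf neighbor FE80::3 priority 255
ipv6 ospf 1 area 0
frame-relay map ipv6 FE80::3 503 broadcast
frame-relay map ipv6 2001:1:1:1234::3 503 broadcast
no frame-relay inverse-arp
"""


def parse_interfaces(config):
    """Split config text into {interface name: [commands]}.

    Assumes the text holds interface stanzas only; trailing '(...)' notes,
    as used in this workbook, are stripped before matching.
    """
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = re.sub(r"\s*\(.*$", "", raw).strip()
        if not line or line == "!":
            continue
        if line.lower().startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_nbma(config):
    """Return (interface, finding) tuples for Frame Relay / OSPFv3 mismatches."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        prefixes, maps, neighbors = [], {}, []
        for line in lines:
            m = re.match(r"ipv6 address (\S+)/(\d+)$", line, re.I)
            if m:
                iface = ipaddress.ip_interface(m.group(1) + "/" + m.group(2))
                prefixes.append(iface.network)
            m = re.match(r"frame-relay map ipv6 (\S+) (\d+)", line, re.I)
            if m:
                maps[ipaddress.ip_address(m.group(1))] = int(m.group(2))
            m = re.match(r"ipv6 ospf neighbor (\S+)", line, re.I)
            if m:
                neighbors.append(ipaddress.ip_address(m.group(1)))
        for nbr in neighbors:
            if nbr not in maps:
                findings.append(
                    (name, f"OSPFv3 neighbor {nbr} has no frame-relay map ipv6 entry"))
        for addr in maps:
            if not addr.is_link_local and not any(addr in net for net in prefixes):
                findings.append(
                    (name, f"mapped address {addr} is outside the interface prefixes"))
    return findings


if __name__ == "__main__":
    for finding in audit_nbma(HUB) + audit_nbma(SPOKE):
        print(finding)
```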
Task 5 (Redistribution): Redistribute OSPFv3 and RIPng on Sw1 and ping test
from Sw2 to ensure all IPv6 networks are reachable
SW1:
ipv6 router ospf 1 (Redistribution is done from the IPv6 routing process)
log-adjacency-changes
redistribute rip cisco metric-type 1
!
ipv6 router rip cisco
redistribute ospf 1 metric 2
Sw2:
SW2#sh ipv6 route
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R 2000:1:1:1234::/64 [120/2]
via FE80::1, Vlan3
C 2000:2:2:1234::/64 [0/0]
via ::, Vlan3
L 2000:2:2:1234::2/128 [0/0]
via ::, Vlan3
R 2000:3:3:3::3/128 [120/3]
via FE80::1, Vlan3
R 2000:5:5:5::5/128 [120/3]
via FE80::1, Vlan3
R 2000:6:6:6::6/128 [120/3]
via FE80::1, Vlan3
R 2001:1:1:1234::/64 [120/3]
via FE80::1, Vlan3
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
Day 4
IP Features and Services
IP Tasks
Task1 (Distributed Director):
There will be a Distributed Director server in the future on R6. Configure R6 for this
future implementation on F0/0 to The Director will need to accept the HTTP
connections, appearing to be the requested web server. The Director determines the
host name requested by the client based on the IP address on which the HTTP
request arrives.
Task2 (Web Cache service):
There will be a web-cache service in the future. Configure it so that R6 web users
will be redirected to a web-cache server at 192.168.10.100
IP Answers
Task1 (Distributed Director):
There will be a Distributed Director server in the future on R6. Configure R6 for this
future implementation on F0/0 to The Director will need to accept the HTTP
connections, appearing to be the requested web server. The Director determines the
host name requested by the client based on the IP address on which the HTTP
request arrives.
ip director access-group 1 (The IP users are redirected to this IP)
ip director access-list 1 permit "^WWW." (The interesting traffic being redirected)
ip director access-list 1 deny ANY
ip director enable (Enable Director)
access-list 1 permit 192.168.10.6
access-list 1 deny any
Task2 (Web Cache service):
There will be a web-cache service in the future. Configure it so that R6 web users
will be redirected to a web-cache server at 192.168.10.100
R6(config)#ip wccp web-cache
R6(config)#int f0/0
R6(config-if)#ip wccp web-cache redirect out
R6(config-if)#
Congratulations !!!!!!!!!!!!!!!! Labs completed