Thursday, August 13, 2015

CCIE Lab1, Section 1


Introduction:

 In this lab, I will introduce you to a CCIE lab configuration consisting of 8 sections:

- Section 1: LAN Switching and Frame Relay.
- Section 2: IPv4 IGP Protocols.
- Section 3: BGP.
- Section 4: IPv6.
- Section 5: QoS.
- Section 6: Security.
- Section 7: Multicast.
- Section 8: IP Services.

Through this lab, you will learn Layer 2 and Layer 3 switching and routing configuration from basic to advanced level. Because this lab covers many topics, it requires a fundamental knowledge of switches and routers.

Network Topology:
Figure 1: Lab Diagram. 


Figure 2: Lab device connectivity.

R1 Lo0 120.100.1.1/24        R6  Lo0 120.100.6.1/24
R2 Lo0 120.100.2.1/24        SW1 Lo0 120.100.7.1/24
R3 Lo0 120.100.3.1/24        SW2 Lo0 120.100.8.1/24
R4 Lo0 120.100.4.1/24        SW3 Lo0 120.100.9.1/24
R5 Lo0 120.100.5.1/24        SW4 Lo0 120.100.10.1/24

Figure 3: Lab topology details.

Equipment List:

- R1, R2, R3, R4, R5, R6: Cisco c7200 routers.
- Sw1, Sw2, Sw3, Sw4: Cisco c3745 routers operating as 3550/3560 switches.


Figure 4: VLAN Assignment.


Figure 5: Frame Relay Logical Connectivity.

Section 1: LAN Switching and Frame Relay


Requirements:

■ Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect only to the core switches.
■ Switch 1 and 2 should run spanning tree in 802.1w mode; Switches 3 and 4 should operate in their default spanning-tree mode.
■ Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges by configuring only Switches 1 and 2.
■ Ensure you fully utilize the available bandwidth between switches by grouping together your interswitch links as trunks. Ensure that only dot1q and EtherChannel are supported.
■ Ensure traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows.
■ Ensure that user interfaces are shut down dynamically by all switches should they toggle excessively; if they remain stable for 35 seconds, they should be reenabled. Configure Fast Ethernet Port 3/7 on each switch so that if multicast traffic is received on this port, the port is automatically disabled.
■ Fast Ethernet Ports 3/8 will be used for future connectivity on each switch. Configure these ports as access ports for VLAN300, which should begin forwarding traffic immediately on connection. Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to Port 3/9 on sw1. For security purposes, this is the only port on the network from which DHCP addresses should be allocated. Ensure the switches intercept the DHCP requests and add the ingress port and VLAN and switch MAC address prior to sending onward to the DHCP server. Limit DHCP requests to 600 packets per minute per user port.
■ For additional security ensure the user ports on Switches 1–4 and 8 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure the only information forwarded upon connection is DHCP request packets, then any traffic that matches the DHCP IP information received from the DHCP binding for additional security.
■ R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Configure R4 with an IP address of 120.100.45.4/24 to communicate with R5, and configure R4 with an IP address of 120.100.46.4/24 to communicate with R6. Configure R4 g1/0 and Switch 2 f3/4 only.
■ Your initial Frame Relay configuration has been supplied for the R1-R2-R3 connectivity and R2-R5. Configure each device per Figure 5 to ensure each device is reachable over the Frame Relay network. Use only the indicated DLCIs.

Configuration:

■ Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect only to the core switches.

This is a simple start to the exercise. The switches are fully meshed to begin with; to create a collapsed backbone topology, the core switches should be connected together, and each access switch should be dual-homed to the core switches. The only switches that should not connect directly to each other are the access switches (Sw3 and Sw4). By shutting down the interfaces between Sw3 and Sw4, you create the required topology. Even though the resulting topology is not looped at this stage, you can verify root bridge assignment with the show spanning-tree root command.

SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int f3/14
SW3(config-if)#shut
SW3(config-if)#int f3/15
SW3(config-if)#shut
SW4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW4(config)#int f3/14
SW4(config-if)#shut
SW4(config-if)#int f3/15
SW4(config-if)#shut

■ Switch 1 and 2 should run spanning tree in 802.1w mode; Switches 3 and 4 should operate in their default spanning-tree mode.

802.1w is rapid spanning tree; it is backward compatible with the switches' default mode (PVST), so by configuring Switches 1 and 2 into rapid spanning tree mode, spanning tree still operates effectively with Switches 3 and 4.

SW1(config)#spanning-tree mode rapid-pvst
SW2(config)#spanning-tree mode rapid-pvst

■ Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges by configuring only Switches 1 and 2.

This is a straightforward question for the core switches. The root bridge priority is set on Switches 1 and 2, and root guard is configured on the ports that connect Switches 1 and 2 to Switches 3 and 4; this ensures that if a superior BPDU is received on these ports, it is ignored.
  
SW1(config)# spanning-tree vlan 1 root primary
SW1(config)# spanning-tree vlan 300 root primary
SW1(config)# interface FastEthernet 3/10
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface FastEthernet 3/11
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface FastEthernet 3/12
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface FastEthernet 3/13
SW1(config-if)# spanning-tree guard root

SW2(config)# spanning-tree vlan 1 root secondary
SW2(config)# spanning-tree vlan 300 root secondary
SW2(config)# interface FastEthernet 3/10
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface FastEthernet 3/11
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface FastEthernet 3/12
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface FastEthernet 3/13
SW2(config-if)# spanning-tree guard root

■ Ensure you fully utilize the available bandwidth between switches by grouping together your interswitch links as trunks. Ensure that only dot1q and EtherChannel are supported.

This is another straightforward question: create EtherChannels between all switches. Using the command channel-group n mode on under the physical interfaces ensures that only static EtherChannel is used, as opposed to PAgP or LACP, and dot1q is the trunking protocol. For Layer 2 EtherChannels, you don't have to create the port-channel interface first with the interface port-channel configuration command before assigning a physical port to a channel group; the channel-group interface configuration command creates the port-channel interface automatically, although a manual port-channel configuration is shown here for clarity. Remember that now that you have EtherChannels between switches, you need to configure root guard on the port-channel interfaces as well to ensure that Switches 3 and 4 cannot become root bridges; this is in addition to the physical interface configuration completed previously.

SW1(config)#  interface  Port-channel1
SW1(config-if)#  switchport trunk encapsulation dot1q
SW1(config-if)#  switchport mode trunk 
SW1(config-if)# spanning-tree  guard  root 
SW1(config-if)# interface Port-channel2
SW1(config-if)#  switchport trunk encapsulation dot1q
SW1(config-if)#  switchport mode trunk 
SW1(config-if)# spanning-tree  guard  root 
SW1(config-if)# interface Port-channel3
SW1(config-if)#  switchport trunk encapsulation dot1q
SW1(config-if)#  switchport mode  trunk
SW1(config-if)#  interface  range FastEthernet3/10-11
SW1(config-if)#  channel-group  1 mode  on
SW1(config-if)#  interface  range FastEthernet3/12-13
SW1(config-if)#  channel-group  2 mode  on
SW1(config-if)#  interface  range FastEthernet3/14-15
SW1(config-if)#  channel-group  3 mode  on

SW2(config)#  interface  Port-channel1
SW2(config-if)#  switchport trunk encapsulation dot1q
SW2(config-if)#  switchport mode  trunk
SW2(config-if)#  interface  Port-channel2
SW2(config-if)#  switchport trunk encapsulation dot1q
SW2(config-if)#  switchport mode  trunk
SW2(config-if)#  interface  Port-channel3
SW2(config-if)#  switchport trunk  encapsulation dot1q
SW2(config-if)#  switchport mode  trunk
SW2(config-if)#  interface  range FastEthernet3/10-11
SW2(config-if)#  channel-group  1 mode  on
SW2(config-if)#  interface  range FastEthernet3/12-13
SW2(config-if)#  channel-group  2 mode  on
SW2(config-if)#  interface  range FastEthernet3/14-15
SW2(config-if)#  channel-group  3 mode  on

SW3(config)#  interface  Port-channel1
SW3(config-if)#  switchport trunk encapsulation dot1q
SW3(config-if)#  switchport mode  trunk
SW3(config-if)#  interface  Port-channel2
SW3(config-if)#  switchport trunk encapsulation dot1q
SW3(config-if)#  switchport mode  trunk
SW3(config-if)#  interface  range FastEthernet3/10-11
SW3(config-if)#  channel-group  1 mode  on
SW3(config-if)#  interface  range FastEthernet3/12-13
SW3(config-if)#  channel-group  2 mode  on

SW4(config)#  interface  Port-channel1
SW4(config-if)#  switchport trunk encapsulation dot1q
SW4(config-if)#  switchport mode  trunk
SW4(config-if)#  interface  Port-channel2
SW4(config-if)#  switchport trunk encapsulation dot1q
SW4(config-if)#  switchport mode  trunk
SW4(config-if)#  interface  range FastEthernet3/10-11
SW4(config-if)#  channel-group  1 mode  on
SW4(config-if)#  interface  range FastEthernet3/12-13
SW4(config-if)#  channel-group  2 mode  on

SW1#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------
1     Po1(SU)     Fa3/10(P)  Fa3/11(P)
2     Po2(SU)     Fa3/12(P)  Fa3/13(P)
3     Po3(SU)     Fa3/14(P)  Fa3/15(P)

SW2#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------
1     Po1(SU)     Fa3/10(P)  Fa3/11(P)
2     Po2(SU)     Fa3/12(P)  Fa3/13(P)
3     Po3(SU)     Fa3/14(P)  Fa3/15(P)

SW3#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------
1     Po1(SU)     Fa3/10(P)  Fa3/11(P)
2     Po2(SU)     Fa3/12(P)  Fa3/13(P)

SW4#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------
1     Po1(SU)     Fa3/10(P)  Fa3/11(P)
2     Po2(SU)     Fa3/12(P)  Fa3/13(P)

■ Ensure traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows.

A common problem with EtherChannels is traffic not being distributed equally among the physical interfaces. Configuring channel load balancing based on the destination MAC address of an individual flow is just one of the available methods of distributing traffic.

SW1(config)#  port-channel load-balance  dst-mac 
SW2(config)#  port-channel  load-balance  dst-mac 
SW3(config)#  port-channel load-balance dst-mac
SW4(config)# port-channel load-balance dst-mac

SW1#sh etherchannel load-balance
 Po1 ---> Destination MAC address
 Po2 ---> Destination MAC address
 Po3 ---> Destination MAC address

■ Ensure that user interfaces are shut down dynamically by all switches should they toggle excessively; if they remain stable for 35 seconds, they should be reenabled. Configure Fast Ethernet Port 3/7 on each switch so that if multicast traffic is received on this port, the port is automatically disabled.

Interfaces that flap can cause problems in a network. Toggling usually indicates a problem such as a faulty NIC or faulty cable; placing the ports into the error-disabled state is a way of stabilizing the environment. To disable a port when multicast traffic is present, configure storm control with the multicast level set to 0.

SW1(config)#  errdisable  recovery cause link-flap
SW1(config)#  errdisable  recovery interval 35
SW1(config)#  interface FastEthernet  3/7
SW1(config-if)#  storm-control multicast  level 0
SW1(config-if)#  storm-control  action shutdown

SW2(config)#  errdisable  recovery cause link-flap
SW2(config)#  errdisable  recovery interval 35
SW2(config)#  interface FastEthernet  3/7
SW2(config-if)#  storm-control multicast  level 0
SW2(config-if)#  storm-control  action shutdown

SW3(config)#  errdisable  recovery cause link-flap
SW3(config)#  errdisable  recovery interval 35
SW3(config)#  interface FastEthernet  3/7
SW3(config-if)#  storm-control multicast  level 0
SW3(config-if)#  storm-control  action shutdown

SW4(config)#  errdisable  recovery cause link-flap
SW4(config)#  errdisable  recovery interval 35
SW4(config)#  interface FastEthernet  3/7
SW4(config-if)#  storm-control multicast  level 0
SW4(config-if)#  storm-control  action shutdown

■ Fast Ethernet Ports 3/8 will be used for future connectivity on each switch. Configure these ports as access ports for VLAN300, which should begin forwarding traffic immediately on connection. Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to Port 3/9 on sw1. For security purposes, this is the only port on the network from which DHCP addresses should be allocated. Ensure the switches intercept the DHCP requests and add the ingress port and VLAN and switch MAC address prior to sending onward to the DHCP server. Limit DHCP requests to 600 packets per minute per user port.

This is a DHCP snooping question. DHCP snooping is a useful security feature that protects the network from rogue DHCP servers. When the DHCP option-82 feature is enabled on the switch with the command ip dhcp snooping information option, a subscriber is identified by the switch port through which it connects to the network and by its MAC address. DHCP snooping also provides a rate-limiting feature for DHCP requests, to prevent a DHCP denial of service by excessive false requests from a host, which would have the "gobbler effect" of requesting numerous leases from the same port. The question includes a couple of points that could easily be overlooked under exam pressure: the ports are required to be configured with switchport host (or with portfast) to set the port mode to access and to forward immediately, and the rate limit is configured in packets per second, not per minute as implied (600 per minute is 10 per second), so you need to pay attention to detail.

SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 300
SW1(config)# ip dhcp snooping information option
SW1(config)# interface fastEthernet 3/9
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# interface fastEthernet 3/8
SW1(config-if)# ip dhcp snooping limit rate 10
SW1(config-if)# interface range fastEthernet 3/8-9
SW1(config-if-range)# switchport host
SW1(config-if-range)# switchport access vlan 300

SW2(config)#  ip dhcp  snooping
SW2(config)#  ip dhcp  snooping vlan 300
SW2(config)#  ip dhcp  snooping  information option
SW2(config)#  interface fastEthernet  3/8
SW2(config-if)#  ip dhcp  snooping  limit rate 10
SW2(config-if)#  switchport host
SW2(config-if)#  switchport  access vlan 300

SW3(config)#  ip dhcp  snooping
SW3(config)#  ip dhcp  snooping vlan 300
SW3(config)#  ip dhcp  snooping  information option
SW3(config)#  interface  fastEthernet  3/8
SW3(config-if)#  ip dhcp  snooping  limit rate 10
SW3(config-if)#  switchport host
SW3(config-if)#  switchport  access vlan 300

SW4(config)#  ip dhcp  snooping
SW4(config)#  ip dhcp  snooping vlan 300
SW4(config)#  ip dhcp  snooping  information option
SW4(config)#  interface  fastEthernet  3/8
SW4(config-if)#  ip dhcp  snooping  limit rate 10
SW4(config-if)#  switchport host
SW4(config-if)#  switchport  access vlan 300
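To see what the ip dhcp snooping information option command actually adds to a relayed request, here is an added example (written for this page, not part of the original lab) that encodes and decodes DHCP option 82 in the default Cisco suboption layout: a circuit-id carrying VLAN, module and port, and a remote-id carrying the switch MAC. The sample values (VLAN 300, module 3, port 8, a made-up switch MAC) are assumed for illustration.

```python
import struct

OPT_RELAY_AGENT_INFO = 82   # DHCP option code for relay agent information
SUBOPT_CIRCUIT_ID = 1       # carries VLAN / module / port of the ingress interface
SUBOPT_REMOTE_ID = 2        # carries the snooping switch's base MAC address


def build_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Encode option 82 in the default Cisco layout.

    circuit-id payload: type 0, length 4, VLAN (2 bytes), module (1), port (1)
    remote-id payload:  type 0, length 6, switch base MAC (6 bytes)
    Returns the complete option: code 82, length, then both suboptions.
    """
    if len(switch_mac) != 6:
        raise ValueError("switch MAC must be 6 bytes")
    if not (0 < vlan < 4096 and 0 <= module < 256 and 0 <= port < 256):
        raise ValueError("VLAN/module/port out of range")
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)   # 6 bytes
    remote = struct.pack("!BB6s", 0, 6, switch_mac)              # 8 bytes
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(option: bytes) -> dict:
    """Decode option 82 back into ingress VLAN/module/port and switch MAC.

    Rejects truncated or non-default layouts instead of guessing, which is
    what a DHCP server or log parser should do with untrusted input.
    """
    if len(option) < 2 or option[0] != OPT_RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    body = option[2:2 + option[1]]
    if len(body) != option[1]:
        raise ValueError("truncated option 82")
    info = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated suboption header")
        code, sublen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + sublen]
        if len(data) != sublen:
            raise ValueError("truncated suboption %d" % code)
        i += 2 + sublen
        if code == SUBOPT_CIRCUIT_ID:
            if sublen != 6 or data[:2] != b"\x00\x04":
                raise ValueError("circuit-id is not in the default Cisco layout")
            info["vlan"], info["module"], info["port"] = struct.unpack("!HBB", data[2:])
        elif code == SUBOPT_REMOTE_ID:
            if sublen != 8 or data[:2] != b"\x00\x06":
                raise ValueError("remote-id is not in the default Cisco layout")
            info["switch_mac"] = ":".join("%02x" % b for b in data[2:])
        # unknown suboptions are skipped rather than treated as an error
    return info


def is_valid_option82(option: bytes) -> bool:
    """True if the option decodes cleanly; False for malformed input."""
    try:
        parse_option82(option)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a DISCOVER arriving on Fa3/8 in VLAN 300 of a switch
    # whose base MAC is 00:11:22:33:44:55 (made-up address).
    opt = build_option82(300, 3, 8, bytes.fromhex("001122334455"))
    print(opt.hex())
    print(parse_option82(opt))
```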

■ For additional security ensure the user ports on Switches 1–4 and 8 can communicate only with the network with IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure the only information forwarded upon connection is DHCP request packets, then any traffic that matches the DHCP IP information received from the DHCP binding for additional security.

A complementary feature to DHCP snooping is IP Source Guard. This feature uses the binding built from the DHCP address that was offered and effectively builds a dynamic VACL on a per-port basis, so that only source traffic matching the DHCP binding can ingress the switch port, for additional security.


SW1(config)#  int f3/8
SW1(config-if)#  ip verify source

SW2(config)#  int f3/8
SW2(config-if)#  ip verify source

SW3(config)#  int f3/8
SW3(config-if)#  ip verify source

SW4(config)#  int f3/8
SW4(config-if)#  ip verify source
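Because the DHCP snooping, IP Source Guard and root guard requirements above all come down to a few per-port lines being present (trust only on the authorised server port, rate limit and ip verify source on the user ports, root guard towards the access switches), here is an added audit script, not from the original lab, that parses a running-config and reports deviations. The embedded config is a constructed sample in the style of the switch dumps on this page, with two planted mistakes so the checks have something to find.

```python
from typing import Dict, List, Tuple

# Constructed sample (not a real dump from the lab): the parts of a core switch's
# running-config that this section's requirements touch. Two mistakes are planted
# on purpose: Fa3/10 is also trusted, and Port-channel2 lacks root guard.
SAMPLE_CONFIG = """\
hostname SW1
!
ip dhcp snooping vlan 300
ip dhcp snooping information option
ip dhcp snooping
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet3/8
 switchport access vlan 300
 switchport mode access
 ip dhcp snooping limit rate 10
 ip verify source
 spanning-tree portfast
!
interface FastEthernet3/9
 switchport access vlan 300
 switchport mode access
 ip dhcp snooping trust
 spanning-tree portfast
!
interface FastEthernet3/10
 switchport mode access
 ip dhcp snooping trust
!
end
"""


def parse_ios(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface commands."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                   # '!' ends an interface stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(config: str, user_ports: List[str], trusted_ports: List[str],
          downlinks: List[str], vlan: int = 300, rate: int = 10) -> List[str]:
    """Return a list of findings; an empty list means the config meets the requirements."""
    global_cmds, ifaces = parse_ios(config)
    findings = []
    for needed in ("ip dhcp snooping", "ip dhcp snooping vlan %d" % vlan,
                   "ip dhcp snooping information option"):
        if needed not in global_cmds:
            findings.append("global: missing '%s'" % needed)
    trusted = {name for name, cmds in ifaces.items() if "ip dhcp snooping trust" in cmds}
    for extra in sorted(trusted - set(trusted_ports)):
        findings.append("%s: trusted for DHCP snooping but not the authorised server port" % extra)
    for missing in sorted(set(trusted_ports) - trusted):
        findings.append("%s: authorised DHCP server port is not trusted" % missing)
    # 'switchport host' shows up in the running-config as mode access + portfast
    user_required = ["switchport access vlan %d" % vlan, "switchport mode access",
                     "spanning-tree portfast", "ip dhcp snooping limit rate %d" % rate,
                     "ip verify source"]
    for port in user_ports:
        for req in user_required:
            if req not in ifaces.get(port, []):
                findings.append("%s: missing '%s'" % (port, req))
    for port in downlinks:
        if "spanning-tree guard root" not in ifaces.get(port, []):
            findings.append("%s: no root guard towards the access switches" % port)
    return findings


def audit_sample() -> List[str]:
    """Run the audit against the constructed SW1 sample."""
    return audit(SAMPLE_CONFIG, user_ports=["FastEthernet3/8"],
                 trusted_ports=["FastEthernet3/9"],
                 downlinks=["Port-channel1", "Port-channel2"])
```

Printing audit_sample() lists the two planted problems; the same function can be pointed at the output of show running-config from any of the four switches.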

■ R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly without using secondary addressing to communicate with R5 and R6. Configure R4 with an IP address of 120.100.45.4/24 to communicate with R5, and configure R4 with an IP address of 120.100.46.4/24 to communicate with R6. Configure R4 g1/0 and Switch 2 f3/4 only.

This is just a simple trunking question on Switch 2 towards R4, to allow R4 to connect to VLAN45 and VLAN46. One point to remember is that Switch 2 does not have VLAN45 and VLAN46 configured locally in the default configuration, so you need to create the VLANs locally before configuring the trunk.


R4(config)#  interface GigabitEthernet1/0.45
R4(config-if)#  encapsulation  dot1Q  45
R4(config-if)#  ip address  120.100.45.4  255.255.255.0
R4(config-if)#  interface GigabitEthernet1/0.46
R4(config-if)#  encapsulation  dot1Q  46
R4(config-if)#  ip address  120.100.46.4  255.255.255.0

SW2#vlan database
SW2(vlan)#  vlan 45
SW2(vlan)#  vlan 46
SW2(vlan)#exit
APPLY completed.
Exiting....
SW2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#  interface FastEthernet3/4
SW2(config-if)#  switchport trunk encapsulation dot1q
SW2(config-if)#  switchport trunk allowed vlan 45,46
SW2(config-if)#  switchport mode  trunk

■ Your initial Frame Relay configuration has been supplied for the R1-R2-R3 connectivity and R2-R5. Configure each device per Figure 5 to ensure each device is reachable over the Frame Relay network. Use only the indicated DLCIs.

Make sure the interface IP addresses have been set on R1, R2, R3 and R5. All you need to add are the Frame Relay maps on R1, R2 and R3, and on the R2 and R5 spokes, to enable them to communicate with each other. Depending on the question, R1 and R2 also need to communicate with each other.

R1#  conf  t
R1(config)#  int s6/0
R1(config-if)#encapsulation frame-relay ietf
R1(config-if)#  frame-relay  map  ip 120.100.123.2 103 broadcast
R1(config-if)#  frame-relay  map  ip 120.100.123.3 103 broadcast

R2#  conf  t
R2(config)#  int s6/0
R2(config-if)#encapsulation frame-relay ietf
R2(config-if)#  frame-relay  map  ip 120.100.123.1 203 broadcast
R2(config-if)#  frame-relay  map  ip 120.100.123.3 203 broadcast
R2(config-if)#exit
R2(config)#  int s6/1
R2(config-if)#encapsulation frame-relay ietf
R2(config-if)#  frame-relay  map  ip 120.100.25.5 215 broadcast

R3#  conf  t
R3(config)#  int s6/0
R3(config-if)#encapsulation frame-relay ietf
R3(config-if)#  frame-relay  map  ip 120.100.123.1 301 broadcast
R3(config-if)#  frame-relay  map  ip 120.100.123.2 302 broadcast

R5#  conf  t
R5(config)#  int s6/1
R5(config-if)#encapsulation frame-relay ietf
R5(config-if)#  frame-relay  map  ip 120.100.25.2 315 broadcast

R1#ping 120.100.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.100.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 780/940/1088 ms
R1#ping 120.100.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.100.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 232/456/580 ms

R2#ping 120.100.25.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.100.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 384/568/800 ms

Wednesday, August 12, 2015

MPLS VPNs and OSPF


Introduction:


 This lab discusses OSPF as the dynamic routing protocol used between CE and PE routers. OSPF is a well-established protocol used by both service providers and enterprises. Moreover, several routing protocols are implemented in this lab: you will learn not only RIPv2 and MP-BGP but also multi-area OSPF and how it is implemented in an MPLS VPN network.

 Overview: 

  - This lab requires a solid understanding of L3 routing protocols: RIPv2, OSPF, MP-BGP, route distinguishers, route targets and virtual routing and forwarding (VRF). It is more beneficial if you have already read the MPLS VPNs and RIP lab before reading this one.
  
 - OSPF Router Type:

Backbone router: in OSPF, Area 0 is the backbone area. Any router that has an interface configured for Area 0 is called a backbone router.
Internal router: any router that has all its interfaces configured for a single area is an internal router.
Area border router (ABR): a router that has interfaces configured for two or more areas. For example, a router with Serial 0/0 in Area 0 and Serial 0/1 in Area 1 is an ABR.
Autonomous system boundary router (ASBR): a router that has at least one interface in the OSPF domain and one interface connecting to an external network. An example of an external network is a connection to another AS running RIP.


R1: Backbone router/ASBR.
R2, R3: Internal router/Backbone router.
R4, R5: Backbone router/ABR.
R5, R6, R7, R8, R9: Internal router.

- Link State Advertisements (LSAs): 

 LSAs are used to exchange routing information between OSPF-enabled routers. There are 5 main types:


- OSPF and standard BGP interaction:


 An OSPF network is separated by the service provider's standard BGP backbone. LSA Type 1 or Type 2 routes from Site 1 are redistributed into BGP by a service provider router (PE1) that appears as an ASBR. PE2, also an ASBR, redistributes the route from Site 1 back into OSPF and advertises it to Site 2 as an LSA Type 5.

- OSPF and OSPF super backbone interaction:


 In the OSPF hierarchy, all areas have to connect directly to the backbone area (Area 0). The MP-IBGP backbone, functioning as the super backbone, replaces the Area 0 requirement, meaning that all areas connect to the super backbone instead of to the Area 0 backbone. Without the super backbone, PE routers appear as ASBRs; with the super backbone, PE routers appear as ABRs. Remember that ASBRs advertise LSA Type 5 routes and ABRs advertise LSA Type 3 routes.

- Why is OSPF super backbone important?


  Site 1 and Site 2 are connected to the service provider. In addition, they have an alternate connection through Frame Relay in case the service provider network is unavailable. The key is that internal (O) routes are always preferred over external (O E2) routes. Let me explain. Site 1 generates an OSPF route for the network 10.1.0.0/16. The OSPF route is redistributed into BGP and arrives at Site 2 as an external route (O E2). In addition, Site 2 learns the route through OSPF across the alternate Frame Relay connection, resulting in an internal route (O) in the routing table. Since the primary connection is through the service provider and the alternate connection is there just in case, it is safe to assume that the service provider connection is the fastest. Which way do you want the traffic to travel? Through the fastest connection, which is the service provider network. However, in this case the traffic always traverses the alternate Frame Relay connection. Now suppose the OSPF super backbone is implemented. From Site 1, network 10.1.0.0/16 is advertised to PE1 and, through the alternate connection, to Site 2. The route received by PE1 will be received by Site 2 as an inter-area route (O IA). The route received from Site 1 across the alternate connection is an internal route (O).

 Now, with OSPF super backbone concepts in mind, can you identify the router types and LSA types in our lab?

- How does service provider handle the routes?

  To prevent routing loops, the down bit is set when routes are redistributed from MP-BGP into OSPF. The down bit prevents routing loops because when a PE router sees the down bit set, it does not redistribute the route back into MP-BGP. If the down bit is removed as it travels through the customer’s network, the tag field, containing the originating BGP AS number, is used to prevent loops. To ensure proper routing, a learned route with the down bit results in the routing bit (only on the PE router) being set. With the routing bit set, the PE router does not use the route, even if it is the best path as dictated by OSPF.
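As an added illustration (not from the original post) of the loop-prevention check just described, the following code builds constructed Type 3 and Type 5 LSAs with and without the DN bit, decodes the LSA header, and applies the PE's decision: do not re-export a route into MP-BGP when its DN bit is set, or when a Type 5 route tag carries the provider AS. It assumes the AS number sits in the low 16 bits of the tag and that the local AS is the lab's 65000; checksums are left at zero because nothing is sent on the wire.

```python
import ipaddress
import struct

LSA_HEADER_LEN = 20
DN_BIT = 0x80            # bit 7 of the LSA Options field (RFC 4576)
LS_TYPE_SUMMARY = 3      # inter-area route (O IA), what a PE acting as ABR sends
LS_TYPE_EXTERNAL = 5     # external route (O E2), what a PE acting as ASBR sends
PROVIDER_AS = 65000      # the lab's BGP AS number


def _ip(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def _header(ls_type: int, ls_id: str, adv_router: str, length: int, dn: bool) -> bytes:
    """OSPFv2 LSA header (RFC 2328 A.4.1). Checksum is left 0 because these
    constructed LSAs are never sent; age 1, initial sequence 0x80000001."""
    options = 0x02 | (DN_BIT if dn else 0)         # E bit plus the optional DN bit
    return struct.pack("!HBBIIIHH", 1, options, ls_type, _ip(ls_id),
                       _ip(adv_router), 0x80000001, 0, length)


def make_summary_lsa(prefix: str, adv_router: str, dn: bool, metric: int = 10) -> bytes:
    """Type 3 LSA body: netmask, then a TOS byte and a 3-byte metric."""
    net = ipaddress.ip_network(prefix)
    body = struct.pack("!I", int(net.netmask)) + b"\x00" + metric.to_bytes(3, "big")
    return _header(LS_TYPE_SUMMARY, str(net.network_address), adv_router,
                   LSA_HEADER_LEN + len(body), dn) + body


def make_external_lsa(prefix: str, adv_router: str, tag: int, dn: bool,
                      metric: int = 10) -> bytes:
    """Type 5 LSA body: netmask, E-bit/metric, forwarding address, route tag."""
    net = ipaddress.ip_network(prefix)
    body = (struct.pack("!I", int(net.netmask)) + b"\x80" + metric.to_bytes(3, "big")
            + struct.pack("!II", 0, tag))          # E bit set = type 2 external
    return _header(LS_TYPE_EXTERNAL, str(net.network_address), adv_router,
                   LSA_HEADER_LEN + len(body), dn) + body


def parse_lsa_header(lsa: bytes) -> dict:
    """Decode the 20-byte header and validate the length field against the buffer."""
    if len(lsa) < LSA_HEADER_LEN:
        raise ValueError("short LSA")
    (age, options, ls_type, ls_id, adv, seq, cksum,
     length) = struct.unpack("!HBBIIIHH", lsa[:LSA_HEADER_LEN])
    if length != len(lsa):
        raise ValueError("LSA length field does not match the buffer")
    return {"type": ls_type, "ls_id": str(ipaddress.ip_address(ls_id)),
            "adv_router": str(ipaddress.ip_address(adv)),
            "dn_bit": bool(options & DN_BIT), "length": length}


def external_tag(lsa: bytes) -> int:
    """The external route tag is the last 4 bytes of a Type 5 LSA body."""
    return struct.unpack("!I", lsa[-4:])[0]


def pe_should_redistribute(lsa: bytes, local_as: int = PROVIDER_AS) -> tuple:
    """The loop-prevention decision a PE makes before exporting an OSPF route
    learned from the CE into MP-BGP. Returns (decision, reason)."""
    hdr = parse_lsa_header(lsa)
    if hdr["dn_bit"]:
        return False, "DN bit set: route already came from MP-BGP"
    if hdr["type"] == LS_TYPE_EXTERNAL and (external_tag(lsa) & 0xFFFF) == local_as:
        # Assumption: the tag carries the originating AS number in its low 16 bits.
        return False, "tag carries our AS: DN bit was lost in the customer network"
    return True, "customer-originated route, eligible for export"


if __name__ == "__main__":
    # Constructed LSAs for the 10.1.0.0/16 prefix discussed above.
    for lsa in (make_summary_lsa("10.1.0.0/16", "10.99.1.1", dn=True),
                make_external_lsa("10.1.0.0/16", "10.99.1.1", tag=PROVIDER_AS, dn=False),
                make_external_lsa("10.1.0.0/16", "10.1.0.1", tag=0, dn=False)):
        print(parse_lsa_header(lsa), pe_should_redistribute(lsa))
```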

Requirements:

1.  Customer sites:
  •  A1, B1, A2, B2 (Non-MPLS-enabled routers): OSPF 1: s0/0-area 0 and L0-area 1.
  •  H/W: A1, B1, A2, B2 are Cisco Routers c3745.
2.  Service Provider sites: 
  • PE1, PE2 (Edge-LSRs): RIPv2; OSPF 101: vrf vpn_a , OSPF 102: vrf vpn_b; BGP AS 65000, MPLS: s0/0 and s0/3.
  • P1, P2, P3, P4 (LSRs): RIPv2, MPLS: s0/0 and s0/1.
  • H/W: PE1, P1, P2, P3, P4, PE2 are Cisco Routers c3745.
Configuration:

1. Customer sites:

- Customers A and B use overlapping address space.
- Customer A: the A1 and A2 networks are connected to each other via the service provider network.
- Customer B: the B1 and B2 networks are connected to each other via the service provider network.

- On A1 router:

A1#show running-config

Building configuration...

Current configuration : 2442 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname A1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7LnD$0qutJY934WdeVsL.wl9q90
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to PE1 router***
 ip address 10.2.0.2 255.255.255.252
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router ospf 1
 log-adjacency-changes
 no auto-cost
 network 10.1.0.1 0.0.0.0 area 1
 network 10.2.0.0 0.0.0.3 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- B1, A2, B2 routers are configured similarly.

2. Service provider sites:

 a. Network edge (PE1, PE2):

-  On PE1 router:

PE1#show running-config

Building configuration...

Current configuration : 3694 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PrDN$pHsT2IKCMZjFBIyF8mAbW1
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
ip vrf vpn_a
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf vpn_b
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to P1 router***
 ip address 192.168.1.10 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description ***Link to customer A1 router***
 ip vrf forwarding vpn_a
 ip address 10.2.0.1 255.255.255.252
 clock rate 2000000
!
interface Serial0/2
 description ***Link to customer B2 router***
 ip vrf forwarding vpn_b
 ip address 10.2.0.1 255.255.255.252
 clock rate 2000000
!
interface Serial0/3
 description ***Link to P3 router***
 ip address 192.168.1.21 255.255.255.252
 mpls ip
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router ospf 101 vrf vpn_a
 router-id 10.99.1.1
 log-adjacency-changes
 redistribute bgp 65000 metric 10 subnets
 network 10.2.0.0 0.0.0.3 area 0
!
router ospf 102 vrf vpn_b
 router-id 10.99.1.2
 log-adjacency-changes
 redistribute bgp 65000 metric 10 subnets
 network 10.2.0.0 0.0.0.3 area 0
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.1.4 remote-as 65000
 neighbor 192.168.1.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 192.168.1.4 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.1.4 activate
  neighbor 192.168.1.4 send-community both
 exit-address-family
 !
 address-family ipv4 vrf vpn_b
  redistribute ospf 102 vrf vpn_b
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf vpn_a
  redistribute ospf 101 vrf vpn_a
  no synchronization
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- PE2 router is configured similarly.

b. Core Network (P1, P2, P3, P4):

- On P1 router:

P1#show running-config

Building configuration...

Current configuration : 2489 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uj6I$Z5BD8vg85xjuAnv4noYA//
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to PE1 router***
 ip address 192.168.1.9 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description ***Link to P2 router***
 ip address 192.168.1.14 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- P2, P3, P4 routers are configured similarly.
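As an added example (my own code, not part of the lab), here is a Python audit of the VRF definitions in a PE running-config. It parses the `ip vrf` blocks and the customer-facing interfaces from the PE1 configuration above and flags the two mistakes that break customer isolation on a PE: a VRF importing a route-target that another VRF exports (one customer's routes then appear in the other's table), and a customer-facing interface without `ip vrf forwarding`, which would put that customer's routes in the global table. The config text is an abridged copy of PE1's; the leaky variant and the function names are constructed for this example.

```python
import re

# Constructed sample: the VRF- and interface-related lines of the PE1
# running-config shown above, reduced to what the audit needs.
PE1_CONFIG = """\
ip vrf vpn_a
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf vpn_b
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
interface Serial0/0
 description ***Link to P1 router***
 ip address 192.168.1.10 255.255.255.252
!
interface Serial0/1
 description ***Link to customer A1 router***
 ip vrf forwarding vpn_a
 ip address 10.2.0.1 255.255.255.252
!
interface Serial0/2
 description ***Link to customer B2 router***
 ip vrf forwarding vpn_b
 ip address 10.2.0.1 255.255.255.252
!
"""

# Constructed mistake for the second run: vpn_b additionally imports the RT
# that vpn_a exports, so customer A's routes would land in customer B's VRF.
LEAKY_CONFIG = PE1_CONFIG.replace(
    " route-target import 65000:2\n",
    " route-target import 65000:2\n route-target import 65000:1\n")


def parse_blocks(config):
    """Split an IOS config into (header, [indented body lines]) blocks."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        header, body = None, []
        if raw.strip() and raw.strip() != "!":
            header = raw.strip()
    if header is not None:
        blocks.append((header, body))
    return blocks


def vrf_definitions(config):
    """Return {vrf_name: {"rd": str, "import": set(RT), "export": set(RT)}}."""
    vrfs = {}
    for header, body in parse_blocks(config):
        m = re.fullmatch(r"ip vrf (\S+)", header)
        if not m:
            continue
        entry = {"rd": None, "import": set(), "export": set()}
        for line in body:
            parts = line.split()
            if parts[0] == "rd":
                entry["rd"] = parts[1]
            elif parts[0] == "route-target":   # route-target {import|export|both} RT
                if parts[1] in ("import", "both"):
                    entry["import"].add(parts[2])
                if parts[1] in ("export", "both"):
                    entry["export"].add(parts[2])
        vrfs[m.group(1)] = entry
    return vrfs


def interface_vrfs(config):
    """Return {interface: vrf-or-None} for every interface that has an IP address."""
    result = {}
    for header, body in parse_blocks(config):
        if header.startswith("interface ") and any(l.startswith("ip address ") for l in body):
            vrf = [l.split()[3] for l in body if l.startswith("ip vrf forwarding ")]
            result[header.split()[1]] = vrf[0] if vrf else None
    return result


def find_leaks(vrfs):
    """(importer, exporter, rt) triples where a VRF imports another VRF's export RT.

    Each triple means the exporter's customer routes get installed in the
    importer's table: cross-VPN leakage unless an extranet was intended.
    """
    return [(imp, exp, rt)
            for imp, a in vrfs.items()
            for exp, b in vrfs.items() if imp != exp
            for rt in sorted(a["import"] & b["export"])]


def unbound_customer_links(config):
    """Customer-facing interfaces (by description) that sit in no VRF at all."""
    descs = {h.split()[1]: " ".join(l for l in b if l.startswith("description "))
             for h, b in parse_blocks(config) if h.startswith("interface ")}
    return sorted(i for i, vrf in interface_vrfs(config).items()
                  if vrf is None and "customer" in descs.get(i, "").lower())


if __name__ == "__main__":
    for name, cfg in (("PE1", PE1_CONFIG), ("PE1-leaky", LEAKY_CONFIG)):
        print(name, "RT leaks:", find_leaks(vrf_definitions(cfg)),
              "unbound customer links:", unbound_customer_links(cfg))
```

The clean PE1 config produces no findings; the leaky variant reports that vpn_b imports 65000:1, which vpn_a exports. Run the same audit against PE2 (and any PE added later) whenever a VRF or route-target is changed, since a single wrong `route-target import` is enough to merge two customers' routing tables.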

Verification:

a. Connectivity:

- On Customer A:

Check the connection between A1 router and A2 router.

A1#ping 10.4.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/11/40 ms

A1#telnet 10.4.0.1

Trying 10.4.0.1 ... Open


User Access Verification

Password:
A2>

A2#ping 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/44 ms

A2#telnet 10.1.0.1

Trying 10.1.0.1 ... Open


User Access Verification

Password:
A1>

- On Customer B:

Check the connection between B1 router and B2 router.

B1#ping 10.4.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/18/72 ms

B1#telnet 10.4.0.1

Trying 10.4.0.1 ... Open


User Access Verification

Password:
B2>

B2#ping 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/52 ms

B2#telnet 10.1.0.1

Trying 10.1.0.1 ... Open


User Access Verification

Password:
B1>

b. Routing table:

    b1. On Customer Network:

- The customer routers are isolated from the service provider network and know none of its details. Notice in the following output that no service provider routes appear in the global routing tables of the A1, B1, A2 and B2 routers. The global routing table of A1 is as follows:

A1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/0
O IA    10.3.0.0/30 [110/1572] via 10.2.0.1, 00:38:35, Serial0/0
C       10.1.0.1/32 is directly connected, Loopback0
O IA    10.4.0.1/32 [110/1572] via 10.2.0.1, 00:38:35, Serial0/0

 b2. On Service Provider Network:

- The VRF routing table is well isolated from the global routing table on a PE router. Therefore, on the PE1 and PE2 POP routers, no customer (A1, B1, A2 and B2) routes show up in the global routing table. The global routing table of the PE1 POP router is as follows:

PE1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 12 subnets, 2 masks
C       192.168.1.8/30 is directly connected, Serial0/0
R       192.168.1.12/30 [120/1] via 192.168.1.9, 00:00:40, Serial0/0
C       192.168.1.1/32 is directly connected, Loopback0
R       192.168.1.3/32 [120/2] via 192.168.1.9, 00:00:40, Serial0/0
R       192.168.1.2/32 [120/1] via 192.168.1.9, 00:00:40, Serial0/0
R       192.168.1.5/32 [120/1] via 192.168.1.22, 00:00:15, Serial0/3
R       192.168.1.4/32 [120/3] via 192.168.1.22, 00:00:15, Serial0/3
                       [120/3] via 192.168.1.9, 00:00:41, Serial0/0
R       192.168.1.6/32 [120/2] via 192.168.1.22, 00:00:16, Serial0/3
R       192.168.1.24/30 [120/1] via 192.168.1.22, 00:00:16, Serial0/3
R       192.168.1.28/30 [120/2] via 192.168.1.22, 00:00:16, Serial0/3
R       192.168.1.16/30 [120/2] via 192.168.1.9, 00:00:41, Serial0/0
C       192.168.1.20/30 is directly connected, Serial0/3

- In addition, none of the customer (A1, B1, A2 and B2) routes show up on the Core routers (P1, P2, P3 and P4). The Core routers are only running the IGP (RIPv2) and know nothing about any of the customer subnets. The global routing table of the P1 router is as follows:

P1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 12 subnets, 2 masks
C       192.168.1.8/30 is directly connected, Serial0/0
C       192.168.1.12/30 is directly connected, Serial0/1
R       192.168.1.1/32 [120/1] via 192.168.1.10, 00:00:06, Serial0/0
R       192.168.1.3/32 [120/1] via 192.168.1.13, 00:00:04, Serial0/1
C       192.168.1.2/32 is directly connected, Loopback0
R       192.168.1.5/32 [120/2] via 192.168.1.10, 00:00:06, Serial0/0
R       192.168.1.4/32 [120/2] via 192.168.1.13, 00:00:04, Serial0/1
R       192.168.1.6/32 [120/3] via 192.168.1.13, 00:00:07, Serial0/1
                       [120/3] via 192.168.1.10, 00:00:09, Serial0/0
R       192.168.1.24/30 [120/2] via 192.168.1.10, 00:00:09, Serial0/0
R       192.168.1.28/30 [120/2] via 192.168.1.13, 00:00:07, Serial0/1
R       192.168.1.16/30 [120/1] via 192.168.1.13, 00:00:07, Serial0/1
R       192.168.1.20/30 [120/1] via 192.168.1.10, 00:00:11, Serial0/0

- VRF routing table:

PE1#sh ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/1
B       10.3.0.0/30 [200/0] via 192.168.1.4, 00:45:18
O IA    10.1.0.1/32 [110/65] via 10.2.0.2, 00:46:18, Serial0/1
B       10.4.0.1/32 [200/65] via 192.168.1.4, 00:45:18

PE1#sh ip route vrf vpn_b

Routing Table: vpn_b
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/2
B       10.3.0.0/30 [200/0] via 192.168.1.4, 00:47:05
O IA    10.1.0.1/32 [110/65] via 10.2.0.2, 00:48:06, Serial0/2
B       10.4.0.1/32 [200/65] via 192.168.1.4, 00:47:05

In the vpn_a routing table on the PE1 POP router there are two BGP routes (B) and one OSPF inter-area route (O IA). The OSPF route was learned from A1 and is A1's loopback. The B routes come from the PE2 POP router (A2's OSPF routes redistributed into MP-BGP and carried across the service provider backbone).
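The isolation described above can be checked mechanically rather than by eye. The following Python is an added example (not from the lab) that parses `show ip route` output into prefixes and next hops, then reports any customer-space prefix (10.0.0.0/8 in this lab) that shows up in a global table, summarizes a VRF table by route source, and lists the next hops of its BGP routes, which should only ever be remote PE loopbacks. The sample outputs are abridged copies of PE1's global and vpn_a tables above; the function names and the choice of 10.0.0.0/8 as the customer range are my assumptions.

```python
import ipaddress
import re

# Constructed samples: abridged copies of the PE1 global table and the
# PE1 vpn_a table shown above (the ECMP continuation line is kept on purpose).
PE1_GLOBAL = """\
Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 12 subnets, 2 masks
C       192.168.1.8/30 is directly connected, Serial0/0
R       192.168.1.12/30 [120/1] via 192.168.1.9, 00:00:40, Serial0/0
C       192.168.1.1/32 is directly connected, Loopback0
R       192.168.1.4/32 [120/3] via 192.168.1.22, 00:00:15, Serial0/3
                       [120/3] via 192.168.1.9, 00:00:41, Serial0/0
"""

PE1_VPN_A = """\
Routing Table: vpn_a
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/1
B       10.3.0.0/30 [200/0] via 192.168.1.4, 00:45:18
O IA    10.1.0.1/32 [110/65] via 10.2.0.2, 00:46:18, Serial0/1
B       10.4.0.1/32 [200/65] via 192.168.1.4, 00:45:18
"""

# A route line starts with a code column ("C", "R", "B", "O IA", ...) followed
# by the prefix; summary, header and continuation lines start with a space.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: [A-Z0-9]{1,2})?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$")
VIA_RE = re.compile(r"via (\d{1,3}(?:\.\d{1,3}){3})")


def parse_routes(output):
    """Return [{"code", "prefix", "next_hops"}] from show ip route text."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"code": " ".join(m.group("code").split()),
                           "prefix": ipaddress.ip_network(m.group("prefix")),
                           "next_hops": VIA_RE.findall(m.group("rest"))})
        elif line.lstrip().startswith("[") and routes:
            # Equal-cost continuation line belongs to the previous prefix.
            routes[-1]["next_hops"] += VIA_RE.findall(line)
    return routes


def customer_leaks(output, customer_space="10.0.0.0/8"):
    """Prefixes inside the customer range present in this table.

    Run against a global table (PE or P router) this must come back empty;
    anything listed is customer reachability that escaped its VRF.
    """
    space = ipaddress.ip_network(customer_space)
    return [str(r["prefix"]) for r in parse_routes(output) if r["prefix"].subnet_of(space)]


def route_summary(output):
    """Count routes per source code, e.g. {'C': 1, 'B': 2, 'O IA': 1}."""
    counts = {}
    for r in parse_routes(output):
        counts[r["code"]] = counts.get(r["code"], 0) + 1
    return counts


def bgp_next_hops(output):
    """Next hops of the BGP routes in a VRF table: expected to be remote PE loopbacks."""
    return sorted({h for r in parse_routes(output) if r["code"] == "B" for h in r["next_hops"]})


if __name__ == "__main__":
    print("PE1 global, customer prefixes:", customer_leaks(PE1_GLOBAL))
    print("PE1 vpn_a summary:", route_summary(PE1_VPN_A), "BGP next hops:", bgp_next_hops(PE1_VPN_A))
```

The same parser can be pointed at P1's table, where `customer_leaks` must also return nothing: a P router that suddenly carries a 10.x prefix is the first sign that a VRF was removed from a PE-CE interface or that a customer protocol was redistributed into the core IGP.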

- Ping and Telnet from PE routers:

 The quickest way to verify that the VRF is up and working is to ping from one customer router to another. However, it is not practical to assume that the service provider will always have access to customer routers. Therefore, the standard ping and telnet commands have been extended with a VRF option.

PE1#ping 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

PE1#ping vrf vpn_a 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/16 ms

PE1#telnet 10.1.0.1

Trying 10.1.0.1 ...
% Destination unreachable; gateway or host down

PE1#telnet 10.1.0.1 /vrf vpn_a

Trying 10.1.0.1 ... Open


User Access Verification

Password:
A1>

 Why can't PE1 ping A1 directly?

Because PE1 keeps the customer routing tables (VRFs) separate from the global routing table, and a plain ping or telnet is resolved in the global table, where A1's address does not exist.

Troubleshooting:

- From A1 to A2:

A1#trace 10.4.0.1

Type escape sequence to abort.
Tracing the route to 10.4.0.1

  1 10.2.0.1 4 msec 24 msec 4 msec
  2 192.168.1.9 [MPLS: Labels 24/26 Exp 0] 84 msec 4 msec 56 msec
  3 192.168.1.13 [MPLS: Labels 18/26 Exp 0] 16 msec 8 msec 4 msec
  4 10.3.0.1 [MPLS: Label 26 Exp 0] 20 msec 0 msec 4 msec
  5 10.3.0.2 52 msec 32 msec 8 msec

- A packet from A1 to A2 traverses 5 hops. The path from A1 to A2 is as follows:

1 10.2.0.1 4 msec 24 msec 4 msec --> The first hop is the PE1 router, which is directly connected to A1 via its s0/1. PE1 pushes VPN label 26 onto the packet from customer A1 to distinguish A1's traffic from that of other customers; this value does not change as the packet traverses the service provider routers. PE1 also pushes MPLS label 24, which is used to switch the packet to P1 via the s0/0 interface. Let's take a look at PE1's VRF routing table and forwarding table.

PE1#sh ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/1
B       10.3.0.0/30 [200/0] via 192.168.1.4, 00:45:18
O IA    10.1.0.1/32 [110/65] via 10.2.0.2, 00:46:18, Serial0/1
B       10.4.0.1/32 [200/65] via 192.168.1.4, 00:45:18

The packet from A1 destined for A2 arrives at the PE1 POP router. Does PE1 have a path to the loopback interface of A2 (10.4.0.1)? Yes: there is a BGP route to 10.4.0.1 with a next-hop address of 192.168.1.4 (PE2).


How does the PE1 router get the packet to the PE2 POP router?

 It sends it as a labeled (tagged) packet. Let's take a look at PE1's forwarding table:

PE1#sh mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.2/32    0          Se0/0      point2point
17     16          192.168.1.3/32    0          Se0/0      point2point
18     Pop tag     192.168.1.12/30   0          Se0/0      point2point
19     17          192.168.1.16/30   0          Se0/0      point2point
20     Pop tag     192.168.1.5/32    0          Se0/3      point2point
21     16          192.168.1.6/32    0          Se0/3      point2point
22     Pop tag     192.168.1.24/30   0          Se0/3      point2point
23     17          192.168.1.28/30   0          Se0/3      point2point
24     24          192.168.1.4/32    0          Se0/3      point2point
         24          192.168.1.4/32    0          Se0/0      point2point
25     Untagged    10.1.0.1/32[V]    0          Se0/1      point2point
26     Aggregate   10.2.0.0/30[V]    1752
27     Untagged    10.1.0.1/32[V]    0          Se0/2      point2point
28     Aggregate   10.2.0.0/30[V]    0

From PE1's standpoint, it receives untagged (unlabeled) traffic on its s0/1 interface from A1, tags the packet with VPN label 26, and switches it out its s0/0 interface with outbound label 24.

  2 192.168.1.9 [MPLS: Labels 24/26 Exp 0] 84 msec 4 msec 56 msec --> The labeled packet is switched from PE1 to P1 with MPLS label 24 and VPN label 26. To see what happens at P1, check P1's forwarding table.


P1#show mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.3/32    0          Se0/1      point2point
17     Pop tag     192.168.1.16/30   0          Se0/1      point2point
18     Pop tag     192.168.1.1/32    9570       Se0/0      point2point
19     20          192.168.1.5/32    0          Se0/0      point2point
20     20          192.168.1.6/32    0          Se0/1      point2point
       21          192.168.1.6/32    0          Se0/0      point2point
21     Pop tag     192.168.1.20/30   0          Se0/0      point2point
22     22          192.168.1.24/30   0          Se0/0      point2point
23     23          192.168.1.28/30   0          Se0/1      point2point
24     18          192.168.1.4/32    5970       Se0/1      point2point

A packet labeled 24 from PE1 router to P1 router will be switched out P1's s0/1 interface with outbound label 18.

  3 192.168.1.13 [MPLS: Labels 18/26 Exp 0] 16 msec 8 msec 4 msec --> The labeled packet is switched from P1 to P2 with MPLS label 18 and VPN label 26. To see what happens at P2, check P2's forwarding table.


P2#show mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.2/32    0          Se0/0      point2point
17     Pop tag     192.168.1.8/30    0          Se0/0      point2point
18     Pop tag     192.168.1.4/32    5739       Se0/1      point2point
19     20          192.168.1.5/32    0          Se0/1      point2point
       19          192.168.1.5/32    0          Se0/0      point2point
20     21          192.168.1.6/32    0          Se0/1      point2point
21     21          192.168.1.20/30   0          Se0/0      point2point
22     23          192.168.1.24/30   0          Se0/1      point2point
23     Pop tag     192.168.1.28/30   0          Se0/1      point2point
24     18          192.168.1.1/32    10499      Se0/0      point2point

What happens to the packet? From the P1 router it arrives with a tag of 18. The output of the show mpls forwarding-table command on P2 shows that an inbound packet labeled 18 has its label popped and is forwarded as unlabeled IP out interface Serial 0/1. So at the P2 router there is no routing, only switching of labeled (tagged) packets. You can think of Pop tag as meaning, "The next-hop router needs to do a L3 lookup on the packet, so don't send this traffic labeled; send it as unlabeled IP traffic instead." Note that when I say "unlabeled IP packet" in this case, I mean an IP packet that still carries the VPN label.

 4 10.3.0.1 [MPLS: Label 26 Exp 0] 20 msec 0 msec 4 msec --> The packet is handed from P2 to PE2. From VPN label 26, the egress router PE2 can tell that this packet belongs to customer A1. Because what remains is an IP packet, let's check PE2's VRF routing table.

PE2#sh ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B       10.2.0.0/30 [200/0] via 192.168.1.1, 01:20:28
C       10.3.0.0/30 is directly connected, Serial0/1
B       10.1.0.1/32 [200/65] via 192.168.1.1, 01:20:28
O IA    10.4.0.1/32 [110/65] via 10.3.0.2, 01:21:14, Serial0/1

PE2 has an OSPF route to 10.4.0.1 via 10.3.0.2 (A2's s0/0), so the packet is delivered to A2.

  5 10.3.0.2 52 msec 32 msec 8 msec --> 10.3.0.2 is the IP address of A2's s0/0 and this is also the last hop. 
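The hop-by-hop analysis above can be reproduced from the forwarding tables alone. The Python below is an added example (my code, not part of the lab): it parses the PE1, P1 and P2 `show mpls forwarding-table` output (abridged copies of the tables above) and walks the A1 to A2 path, pushing the transport label at PE1, swapping it at P1, popping it at P2 (penultimate-hop popping) and leaving only the VPN label for PE2. The adjacency map LINKS is my assumption from the interface descriptions; VPN label 26 is taken from the traceroute rather than from a BGP table (in MP-BGP the egress PE allocates that label and advertises it with the VPNv4 route). The result matches the label annotations in the A1 traceroute.

```python
import re

# Constructed inputs: abridged copies of the three forwarding tables shown
# above (PE1, P1, P2), keeping the rows the A1 -> A2 walk needs.
PE1_LFIB = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.2/32    0          Se0/0      point2point
20     Pop tag     192.168.1.5/32    0          Se0/3      point2point
24     24          192.168.1.4/32    0          Se0/3      point2point
         24          192.168.1.4/32    0          Se0/0      point2point
25     Untagged    10.1.0.1/32[V]    0          Se0/1      point2point
26     Aggregate   10.2.0.0/30[V]    1752
"""
P1_LFIB = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     Pop tag     192.168.1.1/32    9570       Se0/0      point2point
24     18          192.168.1.4/32    5970       Se0/1      point2point
"""
P2_LFIB = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     Pop tag     192.168.1.4/32    5739       Se0/1      point2point
24     18          192.168.1.1/32    10499      Se0/0      point2point
"""

LFIB_RE = re.compile(
    r"^(?P<local>\d+)?\s+(?P<out>Pop tag|Untagged|Aggregate|\d+)\s+"
    r"(?P<prefix>\S+)\s+\d+(?:\s+(?P<iface>\S+)\s+\S+)?\s*$")


def parse_lfib(output):
    """Parse show mpls forwarding-table; ECMP continuation rows inherit the local label."""
    rows, local = [], None
    for line in output.splitlines():
        m = LFIB_RE.match(line)
        if not m:
            continue
        if m.group("local"):
            local = int(m.group("local"))
        rows.append({"local": local, "out": m.group("out"),
                     "prefix": m.group("prefix"), "iface": m.group("iface")})
    return rows


# Assumed adjacency map (who is on the far end of each core-facing interface),
# read from the interface descriptions and the traceroute above. PE1's Se0/3
# leads to P3, whose table the lab does not show, so it is left out.
LINKS = {"PE1": {"Se0/0": "P1"}, "P1": {"Se0/1": "P2"}, "P2": {"Se0/1": "PE2"}}
LFIBS = {"PE1": parse_lfib(PE1_LFIB), "P1": parse_lfib(P1_LFIB), "P2": parse_lfib(P2_LFIB)}


def label_path(ingress, egress_loopback, vpn_label):
    """Follow the transport LSP from the ingress PE toward egress_loopback.

    Returns [(router, stack)] where stack is the label stack leaving that
    router, outer label first, i.e. what traceroute prints as "Labels x/y".
    """
    router = ingress
    # Ingress PE: look up the FEC for the remote PE loopback and push
    # transport label + VPN label. Of the two ECMP entries, prefer the one
    # whose downstream router we have a table for.
    entry = next((e for e in LFIBS[router]
                  if e["prefix"] == egress_loopback and e["iface"] in LINKS[router]), None)
    if entry is None:
        raise LookupError(f"{router} has no labeled path to {egress_loopback}")
    stack = [int(entry["out"]), vpn_label]
    hops = [(router, stack)]
    router = LINKS[router][entry["iface"]]
    # P routers: swap the outer label; "Pop tag" is penultimate-hop popping,
    # after which only the VPN label remains for the egress PE.
    while router in LFIBS:
        entry = next((e for e in LFIBS[router]
                      if e["local"] == stack[0] and e["iface"] in LINKS[router]), None)
        if entry is None:
            raise LookupError(f"{router} has no LFIB entry for label {stack[0]}")
        stack = stack[1:] if entry["out"] == "Pop tag" else [int(entry["out"])] + stack[1:]
        hops.append((router, stack))
        router = LINKS[router][entry["iface"]]
    hops.append((router, []))  # egress PE strips the VPN label and does the VRF lookup
    return hops


if __name__ == "__main__":
    for router, stack in label_path("PE1", "192.168.1.4/32", 26):
        print(f"{router:4} -> labels {'/'.join(map(str, stack)) or 'none (VRF IP lookup)'}")
```

Running it prints PE1 with 24/26, P1 with 18/26, P2 with 26 and PE2 with no label, the same stacks the traceroute reports at hops 2, 3 and 4. Feeding it a fresh set of tables after a change in the core is a quick way to confirm that a customer's traffic still takes the expected LSP.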

  Now, your homework is to analyze the traffic from B1 router to B2 router with the traceroute as below:

B1#trace 10.3.0.2

Type escape sequence to abort.
Tracing the route to 10.3.0.2

  1 10.2.0.1 4 msec 4 msec 28 msec
  2 192.168.1.22 [MPLS: Labels 24/27 Exp 0] 32 msec 0 msec 4 msec
  3 192.168.1.26 [MPLS: Labels 20/27 Exp 0] 24 msec 0 msec 0 msec
  4 10.3.0.1 [MPLS: Label 27 Exp 0] 0 msec 40 msec 4 msec
  5 10.3.0.2 20 msec 28 msec 0 msec

Conclusions

In this lab, you have learned the OSPF router types, the LSA types, the importance of the OSPF super backbone for a survivable network, and how the service provider manipulates the routes. You also learned how to implement multi-area OSPF in MPLS VPNs, including configuration, verification and troubleshooting.