Stephen Bowes CCIE SP Lab Blog

CCIE Service Provider Study Plan

IEWB-SP Vol2 Lab1 Analysis – MPLS & VPN Sections

Guys, flat out in work with various production issues that are robbing me of study and blogging time, which is annoying, but at least this week's issues were OSPF/BGP/Route Filtering related so I suppose a form of education!

MPLS: [Before starting, what needs to be running? - CEF!]

Q: Frame Mode Label Distribution:- Configure MPLS on a number of routers on two frame relay segments and an ethernet segment – use a standards based label distribution method.

Solution: A standards based label distribution method indicates the use of LDP, or Label Distribution Protocol, the IETF standard. So enabling MPLS requires the “mpls label protocol ldp” command on the routers in question followed by the “mpls ip” command on the relevant interfaces. Note that if you issue a sh run you may see tag-switching shown, which is the equivalent of the mpls ip command. Also keep an eye on IOS versions in this section as some default to TDP! Once complete, verification is via the sh mpls int, sh mpls ldp disc and sh mpls ldp nei commands. For the ldp neighbor command you are looking for the peer LDP IDs showing the loopback addresses of the peers. Running the sh mpls forwarding-table command shows the local tag, outgoing tag, prefix or tunnel id, outgoing interface, next hop, etc. If you see “Pop tag” in the outgoing tag field this means that the next hop advertised an implicit null label for the destination, thus making this router ‘pop’ the top label (penultimate hop popping). If the same field has a value of “Untagged” this means that there is no label for the destination from the next hop, or that label switching is not enabled on the outgoing interface. Finally ping and traceroute complete the verification.

Q: Cell Mode Label Distribution:- Configure MPLS on the routers connected to the ATM cloud and use a Cisco proprietary label distribution.

Solution: Cell mode is ATM; Cisco proprietary label distribution indicates TDP or Tag Distribution Protocol. Configuration requires the use of the ‘mpls label protocol tdp’ command coupled with the ‘mpls ip’ command under the ATM interface created with the keyword ‘mpls’. What is key to this section is that finally OSPF adjacencies will establish between the routers connecting to the ATM cloud, thus completing the OSPF IGP section – another example of a later section having a bearing on an earlier section of the lab. Verification is ping, traceroute, sh mpls ldp nei and sh mpls forwarding-table. Watch out for any ‘Untagged’ outgoing labels.

Q. MPLS Security:- Enable authentication using an MD5 hash between two routers.

Solution: First of all ensure full reachability and adjacencies have been established prior to beginning this section – Why? Because implementing security can break configurations – if you do not check this and an issue arises then there are two questions: was it the implementation of the security, or was there an underlying issue beforehand? Implement the security with the mpls ldp neighbor <ip address> password CISCO command combined with mpls ldp router-id loopback0. Watch for spaces in the password, and if you get this question then it will be the easiest 3 points in history. The lab is difficult but this is a gimme. PS: Those commands go on the two routers in question, each referencing the other's LDP router-id (the loopback), and the password must match on both ends or the LDP session will not come up.
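Added example (not the workbook's or the blog's own configuration) showing the frame-mode LDP enablement from the first question together with the MD5 neighbor password from this one, on one side of a Frame Relay link. Router names, Loopback0/Serial0/0.12 interface names, DLCI 102 and the 10.0.0.x / 10.1.12.x addresses are constructed; R2 mirrors the configuration with the addresses swapped.

```cisco
! R1 -- constructed addresses; CEF must be running before anything MPLS
ip cef
!
! Standards-based label distribution: LDP (some IOS versions default to TDP)
mpls label protocol ldp
! Pin the LDP router-id to the loopback so the neighbor password matches a stable ID
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Serial0/0.12 point-to-point
 ip address 10.1.12.1 255.255.255.0
 frame-relay interface-dlci 102
 ! "mpls ip" shows up as "tag-switching ip" in older sh run output
 mpls ip
!
! MD5 authentication of the LDP TCP session with R2 (R2's LDP router-id is 10.0.0.2);
! R2 needs the matching line "mpls ldp neighbor 10.0.0.1 password CISCO"
mpls ldp neighbor 10.0.0.2 password CISCO
!
! Verification on R1, in the order the post walks through them:
!   show mpls interfaces            -> Serial0/0.12 listed, IP Yes, Operational Yes
!   show mpls ldp discovery         -> local and peer LDP IDs seen on the link
!   show mpls ldp neighbor          -> Peer LDP Ident 10.0.0.2:0, State: Oper
!   show mpls forwarding-table      -> look for "Pop tag" (implicit null from next hop)
!                                      and chase down any "Untagged" entries
!   ping 10.0.0.2 / traceroute 10.0.0.2
```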

Q. MPLS Traffic Engineering: [aka the "Fun Stuff"] – Will probably get some spiel in the exam with a scenario I guess, but sticking with the facts for this – Configure an MPLS TE tunnel with 10Mbps guaranteed between two routers – Configure the path from one router to another through various network segments – if a link should fail, dynamically re-route the tunnel through another path, and assume all FR links are DS3. I am obviously being cryptic with the questions here to ensure the integrity of the two Brians' material!

Solution: Okay, take the 40000 ft view here, step back from the diagram, draw your own, look at the path, note the IP addressing, visualise the routing path, ‘become the packet’ as Scott Morris would say. Once clear in your mind – Begin. Ensure full IGP reachability – check, ok – enable mpls traffic-eng tunnels on the relevant routers and also on the interfaces; under the interface issue the bandwidth command with a value of 45000 to reflect DS3; configure ip rsvp bandwidth on each interface in the transit path; under the OSPF routing process enable mpls traffic-eng area 0 (plus mpls traffic-eng router-id), which is required for OSPF to exchange MPLS TE information. For the defined path, create the tunnel interface with interface tunnel0, define an ip explicit-path with the relevant next-address commands in the sequence the route is to take, referencing the IP addresses of the interfaces encountered in order! – apply the tunnel destination and tunnel mode mpls traffic-eng commands, then finally add the various tunnel mpls traffic-eng parameters, referencing the ip explicit-path previously defined.

We then repeat this process on the destination router, but in reverse order for the interface addresses, and we do not forget the keyword dynamic for the 2nd path-option. Some other notes: we give the tunnel an IP address through the ip unnumbered command because it represents a unidirectional link, and we use the autoroute announce parameter to allow the IGP to use the tunnel. And the verification? Traceroute naturally – if the hops match the requirements in both directions -> Bingo! as Cousin Eddie would say!
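Added example (not from the workbook or the blog) of the head-end side of the TE tunnel described above: explicit primary path, dynamic fallback, 10 Mbps reservation, DS3 bandwidth on the Frame Relay links. Router-ids, interface names, the R1-TO-R5 path name and all 10.x addresses are constructed; the tail-end router R5 gets the same tunnel configuration with destination 10.0.0.1 and the next-address list reversed.

```cisco
! --- On every router in the TE domain (constructed R1..R5 topology) ---
ip cef
mpls traffic-eng tunnels
!
router ospf 1
 router-id 10.0.0.1
 ! lets OSPF flood TE link attributes (bandwidth, admin groups) into area 0
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
!
! --- Every transit interface; FR links are DS3, so 45000 kbps ---
interface Serial0/0.12 point-to-point
 ip address 10.1.12.1 255.255.255.0
 bandwidth 45000
 mpls traffic-eng tunnels
 ip rsvp bandwidth 45000
!
! --- Head-end R1 only: the path the task defines, hop by hop ---
! each next-address is the far-end interface address met in order
ip explicit-path name R1-TO-R5 enable
 next-address 10.1.12.2
 next-address 10.1.23.3
 next-address 10.1.35.5
!
interface Tunnel0
 ! unidirectional LSP, so borrow the loopback rather than burn a subnet
 ip unnumbered Loopback0
 tunnel destination 10.0.0.5
 tunnel mode mpls traffic-eng
 ! let the IGP route traffic for 10.0.0.5 (and behind it) into the tunnel
 tunnel mpls traffic-eng autoroute announce
 ! 10 Mbps guaranteed, in kbps
 tunnel mpls traffic-eng bandwidth 10000
 ! option 1 = the defined path; option 2 = CSPF computes a path if option 1 fails
 tunnel mpls traffic-eng path-option 1 explicit name R1-TO-R5
 tunnel mpls traffic-eng path-option 2 dynamic
!
! Verification:
!   show mpls traffic-eng tunnels Tunnel0   -> Admin: up, Oper: up, path option 1 in use
!   traceroute 10.0.0.5                     -> hops match the explicit path
!   shut a transit link, then repeat: tunnel should re-signal over path option 2
```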

MPLS Complete -> 12 Points.

VPN

Q. VRF Configuration:- Configure a VRF on two routers using a particular RD [Route Distinguisher], Routes coming from one router to use route-target 100:xx and routes from a different router to have route target 100:yy.

Solution: Pretty straightforward. Copy run start, take note of the IP addressing! -> then issue the ip vrf <name> command to enter VRF configuration mode, use the rd 100:1 command to define the RD and create the routing and forwarding table, define your two route-targets with the route-target export and route-target import commands referencing the values in the question above, and under the appropriate interface define the VRF with the ip vrf forwarding <name> command. Then what? Re-apply your IP addressing, as this command removes it – hence the save and take note at the start of the solution. You will not forget this as you will be prompted that the IP address has been removed due to VRF enabling! Remember that the import and export values will be reversed on the two routers. Verification is sh ip vrf detail.

Q. PE-CE Routing:- Configure RIPv2 inside the new VRF to exchange IPv4 prefixes, and ensure the RIPv2 updates are MD5 authenticated.

Solution: Two parts to this – you will need to issue the address-family ipv4 vrf <name> command under router rip to place the router in address-family configuration mode, then it’s standard RIPv2 configuration: router rip, version 2, network statement, and configure your key chain RIP, key 1 and key-string value on all the relevant routers. Again note any spacing in the password, and enable ip rip authentication mode md5 and ip rip authentication key-chain on the relevant interfaces. Verification is sh ip route vrf <name> and debug ip rip if required.

Q. VPNv4 Exchange:- [Nice way of saying Redistribution!] – redistribute between RIPv2 and BGP on the two PE routers for the VRF, with the VPNv4 routes to be advertised first to a given router. From what I have read/been told the lab will not say redistribute!

Solution: Okay, three routers in question. Under the address-family vpnv4 issue the neighbor <ip add> activate command to enable the advertisement of address information in the form of IP prefixes, otherwise known as NLRI or Network Layer Reachability Information, with the BGP neighbors. The redistribution is mutual and lives in two places: under the RIP routing process, in address-family ipv4 vrf mode, use the redistribute bgp 100 metric transparent command (BGP-learned VPN routes out to the CE); under the BGP routing process, again in address-family ipv4 vrf mode, simply redistribute rip (CE routes into VPNv4). Verification? sh ip route vrf <name> rip and traceroute.
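Added example (not the workbook's or the blog's own configuration) pulling the last three sections together on one PE: the VRF with RD and asymmetric route-targets, RIPv2 with MD5 towards the CE, VPNv4 activation towards the route reflector, and mutual redistribution. The VRF name CUST, the 100:11 / 100:22 route-target values, the key-string, the RR address 10.0.0.9 and the 192.168.1.0/24 CE subnet are constructed; PE2 is the mirror image with export 100:22 and import 100:11.

```cisco
! PE1 -- constructed values throughout
ip vrf CUST
 rd 100:1
 route-target export 100:11
 route-target import 100:22
!
key chain RIP
 key 1
  key-string value
!
interface FastEthernet0/0
 ! setting the VRF strips the IP address, so the address line must come AFTER it
 ip vrf forwarding CUST
 ip address 192.168.1.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP
!
router rip
 version 2
 address-family ipv4 vrf CUST
  network 192.168.1.0
  ! BGP -> RIP: carry the original RIP metric instead of a fixed hop count
  redistribute bgp 100 metric transparent
  no auto-summary
!
router bgp 100
 neighbor 10.0.0.9 remote-as 100
 neighbor 10.0.0.9 update-source Loopback0
 address-family vpnv4
  ! without "activate" no VPNv4 NLRI is exchanged with the RR
  neighbor 10.0.0.9 activate
  neighbor 10.0.0.9 send-community extended
 address-family ipv4 vrf CUST
  ! RIP -> BGP: CE prefixes become VPNv4 routes tagged with RT 100:11
  redistribute rip
!
! Verification:
!   show ip vrf detail              -> RD 100:1, export 100:11, import 100:22, Fa0/0 bound
!   show ip route vrf CUST rip      -> CE prefixes learned over authenticated RIP
!   show ip bgp vpnv4 vrf CUST      -> same prefixes, now with RD 100:1
!   debug ip rip                    -> "invalid authentication" if the key-string differs
```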

Q. Internet Access from MPLS VPNs:- If this were a lab, tiredness might be beginning to creep in as we would probably be in the early afternoon stages following lunch! That’s the plan – the schedule, not the tiredness!! – Devices in the VRF need access to the internet already connected to one of the routers; make it so, and you are allowed to use one static route – hmmm, using a static route?

Solution: Okay, to get to the router in question we need to traverse a router that is not in play VPN-wise, so we have to add it -> How? Activate the traversing router under the BGP routing process on the route reflector – then on that router, activate the VRF configuration as per the previous section with the ip vrf, route-target and address-family commands, define the static route with the ip route vrf <name> <source subnet> <next hop> global command (the global keyword makes the next hop be resolved in the global routing table rather than in the VRF), then redistribute static into BGP under the VRF address-family. Verification is sh ip route vrf <name>.
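Added example (not from the workbook or the blog) of the one static route this section allows, on the PE that holds the Internet-facing link. VRF name CUST, the 203.0.113.1 Internet next hop and the BGP AS are constructed; the VRF definition itself is the same as in the previous sections and is not repeated here.

```cisco
! Default route inside VRF CUST whose next hop lives in the GLOBAL table
! (the Internet-facing interface is not in the VRF)
ip route vrf CUST 0.0.0.0 0.0.0.0 203.0.113.1 global
!
router bgp 100
 address-family ipv4 vrf CUST
  ! hands the default to the other PEs as a VPNv4 route so their CEs also reach it
  redistribute static
!
! Verification:
!   show ip route vrf CUST           -> "S* 0.0.0.0/0 ... via 203.0.113.1" marked global
!   show ip bgp vpnv4 vrf CUST 0.0.0.0
!   ping vrf CUST 203.0.113.1        -> proves the global next hop is reachable from the VRF
```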

Q. VRF Aware NAT:- Configure a router such that traffic attached to a different router is translated to the loopback of that router and all other traffic from the VRF translated to the 191.xx.yy.zz address.

Note: NAT can really mess things up so be aware!!!

Solution: Generic solution – create an ip access-list for the traffic you wish to translate, create a route-map matching on that access-list, issue the ip nat inside source command referencing the route-map and the translation target (interface or pool) with the vrf <name> overload parameters, and finally issue the ip nat inside and ip nat outside commands on the interfaces themselves. Complete this twice for the two requirements outlined in the question. Verification includes pings, sh ip nat translations and sh ip route. Require more detail? Buy the IEWB-SP Vol2 Book & Solutions or look at this nice free example -> http://www.tech-recipes.com/rx/713/cisco_how_to_configure_nat_network_address_translation/
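Added example (not the workbook's or the blog's own configuration) of the two VRF-aware NAT statements described above: one route-map for the traffic headed to the other router's loopback, translated to this router's own loopback, and a second for everything else from the VRF, translated to a pool. VRF CUST, the 192.168.1.0/24 inside subnet, the 10.0.0.9 remote loopback, the interface names and the pool address (a placeholder standing in for the task's 191.xx.yy.zz address) are constructed.

```cisco
! Which traffic goes to which translation -- order matters: the second ACL
! explicitly denies what the first one matched so the two route-maps never overlap
ip access-list extended VRF-TO-LOOP
 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.9
ip access-list extended VRF-TO-INET
 deny   ip 192.168.1.0 0.0.0.255 host 10.0.0.9
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT-LOOP permit 10
 match ip address VRF-TO-LOOP
route-map NAT-INET permit 10
 match ip address VRF-TO-INET
!
! Placeholder for the 191.xx.yy.zz address given in the task
ip nat pool INET 191.0.2.1 191.0.2.1 netmask 255.255.255.0
!
! Requirement 1: traffic towards the other router -> this router's Loopback0 address
ip nat inside source route-map NAT-LOOP interface Loopback0 vrf CUST overload
! Requirement 2: all other VRF traffic -> the 191.x address
ip nat inside source route-map NAT-INET pool INET vrf CUST overload
!
interface FastEthernet0/0
 ip vrf forwarding CUST
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/1
 ! global-table side; nothing in the VRF here
 ip nat outside
!
! Verification:
!   ping vrf CUST 10.0.0.9 source 192.168.1.1
!   show ip nat translations        -> entries for both route-maps, with the VRF column set
!   show ip route vrf CUST          -> return routes for the translated addresses exist
```

Take a snapshot of sh ip route vrf CUST before applying this: NAT rarely breaks routing, but a wrong inside/outside placement does, and the author's warning that NAT "can really mess things up" is the most common reason a previously green section turns red.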

Q. VRF Configuration:- Configure VRF <name> on a VLAN with the specified RD, limit connectivity to the VLAN, do not use export-map or import-map, configure a loopback on a router, and configure the network such that this router has full reachability in the VRF with the loopback.

Solution: The configuration of the VRF is the same as in previous sections with ip vrf <name>, rd 100:xx and the route-targets defined; enable ip vrf forwarding on the ethernet interface [watch the IP addressing!!] and issue redistribute connected under the BGP address-family ipv4 vrf configuration mode. Create the loopback, put ip vrf forwarding under that interface, add the new router to the BGP route reflector as a neighbor, and finally configure ip vrf on the router itself and redistribute connected under its BGP address-family configuration mode.

VPN Complete -> 20 Points.

Conclusion – This is the SP exam so a long section; plenty of typing, and easy mistakes can lose points, and we have Multicast and QoS to come – oh, and there are maybe only 2-3 hours left in the lab – Crap! Might be worth hitting the Systems Management, IP Services and finally Security sections before QoS?

December 5, 2008 - Posted by cciesplab | SP Labs
