I had a rack rental spot this evening on InterNetworkExperts SP Racks – 5 1/2 hours worth – Had a go at labbing up Lab2 from the Vol2 Workbook.
Lab Prep:
No issues whatsoever with connecting to the routers, opened each router in a different SecureCRT Tab and renamed the tabs at top to R1, R2, etc. Copied/pasted the initial configurations, couple of different interfaces that are a pain but so be it. Time taken = 15 Minutes.
Layer 2 Technologies:
Switching – VLAN, VTP, Trunking, pinging on the 2 3550’s – No issues – Time Taken = 18 mins.
Frame-Relay – 1st mistake – right configuration on the wrong interface – common issue, too eager to get FR up and running – had to redo – the command no encap frame-relay is great. Also a number of interfaces are down in the initial configs, caught me slightly, Time Taken = 23 Mins.
Redundancy – Ensuring FR Circuit active – use either IP SLA feature or end-to-end keepalives, not allowed use SLA! Create map-class, define end-to-end keepalive parameters, and apply class to FR sub-interface. Time Taken = 8 Mins.
ATM – Different interface on rack to lab – also had to delete additional non-required ATM config from initial configs, otherwise ok. Time Taken = 12 mins.
PPPoE – No issues, identify client\server – enable VPDN on server, create Virtual-Template, reference VT in VPDN, enable pppoe on physical interface & setup security. Create dialer interface on client, encap ppp, create dialer pool, reference dialer pool on physical interface & setup security. Time Taken = 15 Mins.
IGP:
ISIS – Lots of config – had to change AS Numbers and Loopbacks into HEX to be used in NET addresses, initial configs were an issue with wrong loopbacks [ref: R5] also the Serial link between R2 & R3 required clocking. Standard ISIS configs, don’t forget the additional clns mapping for the ATM links under the PVC’s, also sh clns nei, sh ip ro isis. Time Taken = 17 Minutes.
OSPF – All looked fine, standard OSPF config, ip routing, network statements under OSPF processes, 1st gotcha, the unmentioned routers/interfaces that require OSPF config but are not explicitly mentioned – aka R1/R2. Instructions in the lab didn’t match up with the diagrams. sh ip ro os, sh ip os int, Time Taken = 15 Minutes.
EGP:
BGP – Not bad – standard BGP configuration – long time typing – key here is not to miss a config on a router – hence people recommend router by router – easier said than done – various neighbor commands remote-as, update-source, etc parameters, advertising prefixes with network commands, I am not good at regular expressions so did not use them during verification as advertised by IE. Awkward CIDR query requiring creating an ip prefix-list, creating a route-map referencing the prefix list, applying the route-map in the BGP process and then using a static route to null. The VPNv4 exchange was ok but long. Congestion Management I struggled in – definite use of the solutions required! Time Taken = 70 Minutes.
MPLS:
Label Distribution – No problem, quick, remember LDP = TCP Port 646 and TDP = TCP Port 711, sh mpls ldp nei, Time Taken = 10 Mins.
Label Filtering – create access list, apply ACL to interface, enable MPLS ldp discovery, sh mpls forw table, Time Taken = 15 Minutes.
Label Security – authenticate MPLS adjacencies? -> mpls ldp nei x.x.x.x password cisco on relevant routers – quick – 3 Minutes.
VPN:
VRF – This is tricky and got my 1st blow in the lab – steps taken were to initialise VRF, define RD, define route-target export, enable ip vrf forwarding on interface – remember this kills the configured IP Address on the router – normally you just type it back in but on R4 when the IP died so did my OSPF adjacency – even after typing the IP back in – no joy, deleting the config and tried again – no joy – I had to park that as time was slipping – Time Taken = 28 Minutes [Ouch!!!]
PE-CE Routing – Another blow to the trooper – trying to configure the PE routers for OSPF gave me the following output ->
Rack1R1(config)#ip vrf CCIE_SITE_1
Rack1R1(config-vrf)#rd 1000:1
Rack1R1(config-vrf)#route-target export 200:1
Rack1R1(config-vrf)#!
Rack1R1(config-vrf)#interface FastEthernet1/0
Rack1R1(config-if)#ip vrf forwarding CCIE_SITE_1
Rack1R1(config-if)#ip address 10.1.18.1 255.255.255.0
Rack1R1(config-if)#exit
Rack1R1(config)#ip vrf CCIE_SITE_1
Rack1R1(config-vrf)#route-target import 200:2
Rack1R1(config-vrf)#!
Rack1R1(config-vrf)#interface FastEthernet1/0
Rack1R1(config-if)#ip ospf dead-interval minimal hello-multiplier 3
Rack1R1(config-if)#!
Rack1R1(config-if)#router ospf 1 vrf CCIE_SITE_1
%VRF specified does not match existing router
Rack1R4(config)#ip vrf CCIE_SITE_2
Rack1R4(config-vrf)#rd 1000:1
Rack1R4(config-vrf)#route-target export 200:2
Rack1R4(config-vrf)#!
Rack1R4(config-vrf)#interface Ethernet0/0
Rack1R4(config-if)#ip vrf forwarding CCIE_SITE_2
Rack1R4(config-if)#ip address 10.1.47.4 255.255.255.0
Rack1R4(config-if)#exit
Rack1R4(config)#ip vrf CCIE_SITE_2
Rack1R4(config-vrf)#route-target import 100:1
Rack1R4(config-vrf)#route-target import 200:1
Rack1R4(config-vrf)#!
Rack1R4(config-vrf)#router ospf 1 vrf CCIE_SITE_2
OSPF process 1 already exists and is attached to Default-IP-Routing-Table
Rack1R4(config)#exit
No amount of deleting/re-configuring/reloading helped – researching on the web [Not allowed in the Lab!] yielded this URL – http://www.cisco.com/en/US/docs/net_mgmt/vpn_solutions_center/2.1.1/release/notes/relnotes.html
But this did not help – issues had to be parked due to time and section 5.3 Internet Access & 5.4 Management VPN’s had to be skipped. Time taken = 20 Minutes.
Multicast:
PIM – okay this should be fine – right? Wrong – Big Time! – Whilst configuring up basic PIM dense-mode I lost my tunnel-interface ->
Rack1R8#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R8(config)#ip mult
Rack1R8(config)#ip multicast-rou
Rack1R8(config)#ip multicast-routing
Rack1R8(config)#int
Rack1R8(config)#interface tunn
Rack1R8(config)#interface tunnel 78
Rack1R8(config-if)#tu
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel78, changed state to down
Rack1R8(config-if)#tunn
Rack1R8(config-if)#tunnel sour
Rack1R8(config-if)#tunnel source loo
Rack1R8(config-if)#tunnel source loopback 0
Rack1R8(config-if)#tunn
Rack1R8(config-if)#tunnel dest
Rack1R8(config-if)#tunnel destination 10.1.7.7
Rack1R8(config-if)#ip pim den
Rack1R8(config-if)#ip pim dense-mode
Rack1R8(config-if)#ip add 10.1.78.8 255.255.255.0
Rack1R8(config-if)#exit
Rack1R8(config)#int vl
Rack1R8(config)#int vlan 18
Rack1R8(config-if)#ip pim
Rack1R8(config-if)#ip pim dens
Rack1R8(config-if)#ip pim dense-mode
Rack1R8(config-if)#exit
Rack1R8(config)#int vlan 28
Rack1R8(config-if)#ip pim dense-mode
Rack1R8(config-if)#exit
Rack1R8(config)#exit
Rack1R8#sh int tunnel 78
Tunnel78 is up, line protocol is down
Hardware is Tunnel
Internet address is 10.1.78.8/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.1.8.8 (Loopback0), destination 10.1.7.7, fastswitch TTL 15
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Tunnel TTL 255
Checksumming of packets disabled
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
I initially thought about keepalives but that wasn’t the issue – At this stage I had just over 25 minutes to go – so QoS was skipped which was Section 7 and worth 12 points.
IP Services:
MPLS Priority – 20 Minutes to grab the low lying fruit – configure specific LDP hello packets to be prioritised? – mpls ldp tcp pak-priority – Time Taken = 2 Mins.
NetFlow – Enable on specified inter and pass to given mgt Station on this port and this version – ip route-cache flow, ip flow-export version/destination & sh ip cache flow – Time Taken = 5 Minutes.
Systems Management:
Syslog – service timestamps, logging commands a little tricky but ok – Time Taken = 6 Minutes.
NTP – source, server, stratum, authentication, master, etc – ok – Time Taken 5 Minutes.
SNMP – Last bit I got done – 2 ACL’s required, several snmp-server….. commands, cut & paste with notepad after configuring the 1st router to apply to the 2nd Router – Time Taken = 10 Minutes.
Saved routers configurations – Time Up! – What score did I achieve – Well assuming what I configured was correct and that’s a big assumption – then I got 60 points – however in reality I also lost the Syslog & SNMP points as although I configured them correctly I had no visibility to the management station which was defined on a VPN address configured under Section 5.4 which I skipped so 54\100!
I will be reviewing DocCD and IEOC, etc during the week to figure out the VRF and Tunnel Issues – Finally for a laugh I put the final solutions through Cisco Output Interpreter and as stated by the various Guru’s a CCIE Lab is very badly designed – 90 errors encountered on each of the routers!!!
I had the same problem as you experienced in the PE/CE routing section.
When configuring OSPF on a VRF I saw:
R4(config)#router ospf 1 vrf R4_VRF_42
%VRF specified does not match existing router
Turns out I was already running an OSPF 1 process in the global routing table.
R4(config)#router ospf 2 vrf R4_VRF_42
worked ok.
What if I told you that I have only one OSPF process running (router ospf 1), and when I tried (router ospf 2 vrf ddd) I still get the (VRF specified does not match existing route)….
I know there should be a reason for this, but it looks like no one has come across this problem except me and the post owner.
I got the same error, but when I changed the OSPF process ID it was fixed. Please try to use a unique OSPF process ID on the router for each process running, whether in global mode or VRF mode.
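Added example, not part of the original post or its comments: a small Python pre-check for two pitfalls discussed above, an OSPF process ID reused between the global table and a VRF, and an interface whose ip address is entered before ip vrf forwarding (which removes the address). The function name lint_vrf_ospf and the sample configuration are constructed for illustration and are not taken from the rack.

```python
import re

# Constructed sample config (not from the rack): process 1 is already global,
# and FastEthernet1/0 has its address entered before the VRF binding.
SAMPLE = """\
ip vrf CCIE_SITE_2
 rd 1000:1
!
interface Ethernet0/0
 ip vrf forwarding CCIE_SITE_2
 ip address 10.1.47.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 10.1.18.1 255.255.255.0
 ip vrf forwarding CCIE_SITE_2
!
router ospf 1
 network 10.1.4.4 0.0.0.0 area 0
!
router ospf 1 vrf CCIE_SITE_2
 network 10.1.47.4 0.0.0.0 area 0
"""

def lint_vrf_ospf(config):
    """Return a list of (kind, detail) findings for a planned IOS config."""
    findings = []
    ospf_owner = {}          # process id -> VRF name, or None for the global table
    iface, has_addr = None, False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"router ospf (\d+)(?: vrf (\S+))?$", line)
        if m:
            pid, vrf = m.group(1), m.group(2)
            if pid in ospf_owner and ospf_owner[pid] != vrf:
                findings.append(("ospf-pid-reuse",
                    f"process {pid} already bound to {ospf_owner[pid] or 'global'}, "
                    f"cannot bind to {vrf or 'global'}"))
            ospf_owner.setdefault(pid, vrf)
        if not raw.startswith(" "):          # a new top-level block starts
            iface = line.split(None, 1)[1] if line.startswith("interface ") else None
            has_addr = False
        elif iface and line.startswith("ip address "):
            has_addr = True
        elif iface and line.startswith("ip vrf forwarding ") and has_addr:
            findings.append(("addr-before-vrf",
                f"{iface}: ip address precedes ip vrf forwarding and will be removed"))
            has_addr = False
    return findings
```

Running lint_vrf_ospf(SAMPLE) reports both findings; changing the VRF process to router ospf 2 clears the process-ID finding.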