Okay, my understanding is that Internetworkexpert are reviewing their SP offering as there are a number of issues with their SP Workbook but anyhow let’s get through their Vol2 Workbook Labs.
I am using their Dynamips Workbook Version and the first thing to note is that the initial configurations require adjusting. Firstly the initial configurations come as one notepad file so you have to cut and paste the relevant router sections to your routers, secondly there are no Backbone Router Configurations supplied so I have to use the original Backbone Configs from the Vol2 Workbook and finally there is tweaking to be done at an interface level on a couple of routers [Ethernet v Fast Ethernet, Serial Numbering]. Just as a side note, IE recommend using the 3640 IOS for their labs which is fair enough but there is a lot of feedback from the dynamips community that the 3725 IOS is easier to configure idle-pc value wise so it’s up to you – of course those with actual routers disregard the above!
10 Sections – L2, IGP, EGP, MPLS, VPN, Multicast, QoS, Security, System Mgt, IP Services.
Section 1 Layer 2 Technologies – No issues here, the dynamips workbook is modified slightly to disable spanning tree and also redundant trunks. A point to note is to ensure full Layer 2 reachability here before moving to the next section so pings and “sh int stat” required. A security question brings in protected ports via the “switchport protected” command, the key to the question is the wording “cannot communicate directly with” leading you to the above command. As per CCO -> Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch. You can configure protected ports on a physical interface (for example, GigabitEthernet 0/1) or an EtherChannel group (for example, port-channel 5). When you enable protected port for a port channel, it is enabled for all ports in the port channel group.
Protected ports have these features: A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all traffic passing between protected ports must be forwarded through a Layer 3 device.
Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
The default is to have no protected ports defined. Verification involves the “sh int Fa1/24 switchport” command looking for the Port Protected: On Entry.
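As an added illustration (not the workbook's solution), the protected-port task above as a pair of access-port configurations plus the verification command. The interface names follow the Fa1/23 and Fa1/24 mentioned in the text; the VLAN number is an assumption.

```cisco
! Constructed example: two customer-facing ports on the same switch that
! must not talk to each other at Layer 2. Both carry "switchport protected";
! the feature only blocks traffic between ports that are BOTH protected,
! so a single protected port still reaches every non-protected port.
interface FastEthernet1/23
 switchport mode access
 switchport access vlan 100
 switchport protected
!
interface FastEthernet1/24
 switchport mode access
 switchport access vlan 100
 switchport protected
!
! Verification: look for the "Protected" line in the switchport output.
! Any host-to-host traffic between Fa1/23 and Fa1/24 now has to be routed
! by a Layer 3 device (and so is visible to its ACLs).
! show interfaces FastEthernet1/24 switchport
```

The point to keep in mind when verifying is that protection is per-port and symmetric: forgetting the command on one of the two ports leaves the pair fully reachable, so check the switchport output on both.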
Note: I believe there is a typo in the provided solutions and Fa0/23 should be Fa1/23!
Frame-Relay: Basically setting up the various PVCs as per the diagrams, nothing to report here, a couple of ways of doing it, specifically says “use point-to-point sub-interfaces” and “do not use inverse-arp or the frame-relay map command” so you are guided to “frame-relay interface-dlci” and “interface serial 2/0.12 point-to-point”, etc. Key here is accuracy and speed!
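The Frame Relay task above as an added example, not the workbook's own solution: one end of a PVC built the way the wording steers you, with a point-to-point sub-interface and a static DLCI assignment, and no inverse-arp or frame-relay map statements. The IP addressing and DLCI number are assumptions.

```cisco
! Constructed example: R1 side of the R1-R2 PVC.
! Physical interface carries the encapsulation only; inverse ARP is
! disabled explicitly so nothing is learned dynamically on the main interface.
interface Serial2/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
 no shutdown
!
! Point-to-point sub-interface: the DLCI binds the whole sub-interface,
! so no Layer 3 to DLCI mapping (frame-relay map) is needed.
interface Serial2/0.12 point-to-point
 ip address 10.1.12.1 255.255.255.0
 frame-relay interface-dlci 102
!
! Verification (run after the far end is configured):
! show frame-relay pvc          -> DLCI 102 ACTIVE
! show frame-relay map         -> the sub-interface shows a point-to-point entry
! ping 10.1.12.2
```

The same pattern repeats per PVC; the only values that change are the sub-interface number, address and DLCI, which is why the text stresses accuracy over anything clever.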
Cell-Mode MPLS: Ok, Cell Mode MPLS indicates of course ATM – the question is longer than the solution and I do think this catches people out – lab candidates might get a 3 pointer and it requires 5 lines of configuration that takes two minutes to configure and they think that can’t be right, they must want more than that? No, configure what is requested, in this case go to the router, go to the ATM interface, assign the IP Address, enable “mpls ip” and configure the VPI/VCI as the control VC thus creating an MPLS sub-interface. Verification includes pings and “sh atm vc”. Nice blog entry on cell-mode MPLS from IE here -> http://blog.internetworkexpert.com/category/ccie-service-provider/mpls/
Layer 2 Complete – 15% Done.
Golden Moment: Full IP Reachability.
IGP – OSPF: Configure OSPF on a number of routers, Area 0, R3 to be the DR, do not use neighbor command. Ok, this is standard, OSPF using 2 network types – Broadcast/non-broadcast, broadcast is the way to go here. How to ensure a particular router is the DR? Configure the “ip ospf priority” on the other routers setting their values to 0. Use the loopback address as the OSPF router-ids, why? To enable tracking in the OSPF domain and to avoid IP duplication. Use the “ip ospf network broadcast” command, why? Because the use of the neighbor statement is explicitly not allowed and we need to define the network type as broadcast. One point to note we will not see the OSPF adjacency for R1/R9 at this time as MPLS has not been configured yet on the ATM network. Verification “sh ip ospf nei” and “sh ip route ospf”. A security question added regarding securing OSPF on a particular VLAN with an MD5 hash. Use of the “ip ospf authentication message-digest” and “ip ospf message-digest-key 1 md5” commands required on the two routers in question. Watch for typos especially spaces when typing in the key values which must match on each neighbor. Verification is “sh ip ospf int e0/1”, watch for the message digest authentication enabled entry in output.
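The OSPF section above as one added worked configuration (not the workbook's solution): R3 forced to be DR by zeroing the priority everywhere else, network type set to broadcast so no neighbor statements are needed, loopback-based router-ids, and MD5 authentication on the VLAN link. Addresses, process number, key id and key string are assumptions; the key shown is a placeholder.

```cisco
! ===== R3 (intended DR) =====
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/1
 ip address 10.0.39.3 255.255.255.0
 ip ospf network broadcast
 ! default priority 1 is kept here; every other router on the segment gets 0,
 ! so R3 is the only DR-eligible router regardless of boot order.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
!
router ospf 1
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 10.0.39.0 0.0.0.255 area 0
!
! ===== R9 (same VLAN, must never become DR) =====
interface Loopback0
 ip address 9.9.9.9 255.255.255.255
!
interface Ethernet0/1
 ip address 10.0.39.9 255.255.255.0
 ip ospf network broadcast
 ip ospf priority 0
 ! key id AND key string must match R3 exactly; a stray trailing space in the
 ! string is enough to keep the adjacency in INIT/EXSTART forever.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
!
router ospf 1
 router-id 9.9.9.9
 network 9.9.9.9 0.0.0.0 area 0
 network 10.0.39.0 0.0.0.255 area 0
!
! Verification:
! show ip ospf interface Ethernet0/1  -> "Message digest authentication enabled",
!                                        "Youngest key id is 1", and DR = 3.3.3.3
! show ip ospf neighbor               -> R9 shows R3 as FULL/DR
! show ip route ospf                  -> the other routers' loopbacks present
```

Two practical checks: if a router-id was already chosen before the loopback existed, "clear ip ospf process" is needed for the new id to take effect; and when authentication is applied on only one side first, the neighbor drops immediately, so configure both ends back to back and only then look at the neighbor table.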
IGP Complete – 8%.
Golden Moment: Ensure full reachability, watch for loopbacks being advertised into OSPF.
EGP: Configure BGP on various routers as per diagram, configure the appropriate peering relationships, use loopbacks for the peering sessions, enable community tagging, use of BGP bestpath selection.
As per IE recommendations ensure full IP reachability for the underlying transit path before beginning to configure BGP – there is one exception, the ATM link which requires MPLS.
An important consideration is the location of the route reflector and looking at the BGP diagram it becomes obvious that in this case R1 will take up this role. The configuration is standard, enable BGP routing process, define the AS number as designated, specify your neighbors with the remote-as statement, and so that prefixes learned from one client are reflected to the other clients configure the “route-reflector-client” statement against each client neighbor on the route reflector, in this case R1. Specifying that the loopback0 interface be used for the peering sessions requires using the “update-source loopback0” command. Sourcing the session from the loopback means the iBGP TCP session is not tied to a single physical interface and stays up as long as any operational path to the loopback exists, which is the basis of a stable BGP adjacency. The use of “next-hop-self” on R4 is there to overcome next-hop reachability issues: without it, routes R4 learns from its eBGP neighbor carry an external next hop that the iBGP peers may not be able to reach. Verification is the “sh ip bgp summ” command and seeing the neighbors listed.
The next section involves the “ip bgp-community new-format” command to ensure BGP updates are tagged with a community value in the format 100:ASN where ASN is the BGP AS number of the EBGP neighbor. This sounds new but was introduced back in IOS 12.0 to conform with RFC 1997. Once set then a route-map is created where you set your value then apply the route-map inbound on the appropriate neighbor statement. Verification is “sh ip bgp” and look for the community value.
For BGP bestpath selection, tracing the path is important and getting the direction correct in your mind is critical. Identify your exit point router, remember that outbound traffic flow can be influenced by changing inbound BGP attributes, in this case local preference. So for this lab R6 is the exit router so we manually specify the local preference value within a route-map statement to a value greater than 100 [which is the default] hence it will be preferred, verification is again “sh ip bgp” and look at the locprf values against the routes.
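The three BGP tasks above (route reflector with loopback peering and next-hop-self, community tagging in 100:ASN form, and local preference on the exit router) as one added configuration set. This is an illustration, not the workbook's solution; the AS numbers of the external neighbors, all addresses and the route-map names are assumptions.

```cisco
! ===== R1: route reflector, AS 100 =====
ip bgp-community new-format
!
router bgp 100
 bgp router-id 1.1.1.1
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 4.4.4.4 route-reflector-client
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loopback0
 neighbor 6.6.6.6 route-reflector-client
 ! send-community is needed or the 100:ASN tag is dropped on reflection
 neighbor 4.4.4.4 send-community
 neighbor 6.6.6.6 send-community
!
! ===== R4: client, eBGP to AS 200 (assumed) =====
ip bgp-community new-format
!
route-map TAG-AS200 permit 10
 set community 100:200 additive
!
router bgp 100
 bgp router-id 4.4.4.4
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 1.1.1.1 next-hop-self
 neighbor 1.1.1.1 send-community
 neighbor 192.168.14.2 remote-as 200
 neighbor 192.168.14.2 route-map TAG-AS200 in
!
! ===== R6: client and preferred exit, eBGP to AS 300 (assumed) =====
ip bgp-community new-format
!
route-map PREFER-EXIT permit 10
 set local-preference 200
 set community 100:300 additive
!
router bgp 100
 bgp router-id 6.6.6.6
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 1.1.1.1 next-hop-self
 neighbor 1.1.1.1 send-community
 neighbor 192.168.67.2 remote-as 300
 neighbor 192.168.67.2 route-map PREFER-EXIT in
!
! Verification:
! show ip bgp summary          -> all loopback peers in Established state
! show ip bgp                  -> LocPrf 200 on paths learned via R6,
!                                 ">" best-path marker on those paths
! show ip bgp 192.168.67.0     -> "Community: 100:300" on the entry (shown
!                                 in new-format; without the global command
!                                 it would print as a single 32-bit number)
```

Direction matters in the last task: the route-map sits inbound on R6's external neighbor, because local preference is a within-AS attribute. Setting it inbound at the exit point makes every iBGP speaker prefer R6 for outbound traffic, whereas applying it outbound would have no effect on the eBGP peer at all. A "clear ip bgp * soft in" after adding a route-map is the quickest way to make the change visible without tearing down the sessions.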
EGP Complete: 12%
Part 2 to follow with MPLS, VPN, Multicast, QoS, Security, IP Services, Systems Management.