Professional Documents
Culture Documents
R1 (BSR1) R2 (BSR2)
RADIUS
Video Server
Server R3 (BSR3) R4 (BSR4)
R7 (BSA3) R8 (BSA4)
R12 (BSAN4)
R11 (BSAN4)
Pod3 Pod4
The focus of Lab 1 is to create the Lab topology that will be used in this course. OSPF will be used for
the IGP and RSVP will be used to signal the MPLS LSPs..
Configuration
Verification
1. Verify that the ports, OSPF adjacencies, LSPs, and SDPs are operationally up.
Notes
The focus of this lab is to use a “Bridged CO” triple play solution. This lab will focus on unicast traffic.
Each pod has a BSAN that is simulated with a Service Router that uses a VPLS to connect each PC to the
BSA with correct SAP encapsulation. The PC will simulate a Residential Gateway (RG) in the Home
Network.
In order to route traffic from the RGs, IES services have to be configured on the BSRs. A unicast VPLS
BSR1 will install a Local DHCP Server and distribute it into OSPF to provide the IP address allocation for
all pods.
Configuration
Use the diagram given by the instructor that reflects the physical topology of the lab setup for all
service names and IP addresses not specifically mentioned in the steps below:
1. On BSR1 only, a local DHCP Server has been configured as shown below. All BSRs in the pod will
relay DHCP messages to this DHCP server which is responsible for IP address allocation for all pods.
Verify that subnet pools are defined for all pods. For example, Pod1 has the subnet of
192.168.215.0/24, specify a default router of 192.168.215.2 which belongs to BSR1. This default
router will need to be changed in the VRRP lab. Bind the DHCP server to a loopback interface with
an address of 10.99.99.1/32
router
dhcp
local-dhcp-server "srcDhcpServer" create
use-gi-address
pool "srcDhcpPool1" create
subnet 192.168.215.0/24 create
options
default-router 192.168.215.2
exit
address-range 192.168.215.5 192.168.215.10
exit
subnet 192.168.219.0/24 create
options
default-router 192.168.219.3
exit
address-range 192.168.219.5 192.168.219.10
exit
subnet 192.168.223.0/24 create
options
default-router 192.168.223.2
exit
address-range 192.168.223.5 192.168.223.10
exit
subnet 192.168.227.0/24 create
options
default-router 192.168.227.3
exit
address-range 192.168.227.5 192.168.227.10
exit
exit
no shutdown
exit
ospf
traffic-engineering
area 0.0.0.0
interface "localDhcpLoop1"
exit
exit
exit
Verification
1. Verify that all services, SDP bindings, and SAPs are operationally up on the BSAN, BSA, and BSR of
each pod.
2. On each BSR, verify that the IES interfaces are in the OSPF routing table.
3. Initiate a DHCP request by releasing and then renewing the Windows PC lab connection. The PCs
have two network interface cards, one connected to the BSAN and one connected to the mgmt
network. Be careful not to release the mgmt NIC otherwise access to the PC may be lost!
4. Debug the DHCP requests on the BSR using “debug router ip dhcp”. What kinds of packets appear?
Notes
The focus of this lab is to configure multicast traffic on the Bridged CO Architecture used in Lab 2. The
SRs that are simulating a BSAN in the network will use an MVR VPLS (see Appendix B) to deliver and
receive multicast traffic to the BSAs on a separate VLAN.
Configuration
2. On the BSAN, point the existing VPLS that was used for unicast traffic toward the MVR VPLS. This
will cause all multicast traffic to be filtered to the MVR VPLS and vice versa. Do this for both
unicast VPLS (VPLS 100 and VPLS 200) on each BSAN.
4. Create a new interface in the BSR IES with an IP address from the diagram and a terminating spoke
SDP towards the BSA.
5. Add this interface to your IGP, IGMP (this is the first hop from the receivers perspective – an IGMP
Querier will be elected between the two BSRs) and PIM (a PIM DR will be elected on this subnet).
6. On BSR1, create a routed interface towards the VLC server and add this interface to PIM. BSR1 will
provide the video server for all BSRs and will also be the PIM Rendezvous Point.
7. On all BSRs, add all core interfaces and system interfaces into PIM. Select a static RP for
239.0.0.0/8, preferably the system address of the router connected to the multicast source (BSR1).
8. On the video server, enable a VLC source stream towards 239.1.1.1 (add a static route to the PCs
own interface on the Windows machine) and let the receivers listen to this address (using VLC).
Verification
1. Ensure that all the services (IES and VPLS) are up on the BSR and BSA nodes. Use the “show
service service-using” command on the respective nodes to verify that the services are up. If any
of the services are not operational, use the command:
3. On BSA 1 and BSA 2, Verify that the Access PC has registered its multicast groups with the VPLS.
a. show service id <service-id> mfib
4. What port is the router port? Make sure the PIM DR receives the joins by using the mrouter-port
feature.
Notes
The focus of this lab is on the Routed CO architecture where a BSA is not used for aggregation. In a
Routed CO architecture the BSAN is connected directly to the BSR. In this lab the Bridged CO setup
from the previous lab exercises will be converted to a Routed CO setup by adding an e-pipe on the BSA
to transparently connect the BSAN and BSR together. It is important to change as little configuration as
possible, as subsequent labs will switch between the Bridged CO and Routed CO setup.
1. Configure an e-pipe on the BSA to transparently connect the BSAN and BSR together, simulating a
Routed CO solution. On the BSA, remove the SAPs from the unicast VPLS. The multicast VPLS can
be deleted as it is no longer required. Add a default SAP to the e-pipe. The interface facing the BSR
will need to be changed to an access port. Change as little configuration on the BSA as possible as a
Bridged CO configuration will be required in subsequent labs:
1. On the PCs initiate a new DHCP request. Ping the other PCs. Is the traffic going directly over the
VPLS or does it pass the BSR?
2. Execute a “show service id <service-id> subscriber-hosts detail”. This will list all the active
subscribers.
3. Check the detailed information on the BSR (“info detail”) for the Routed CO IES. Ensure that
“local-proxy-arp” is enabled by default and ensure that under each sap “antispoof ip-mac” is
enabled by default. Why?
Notes
The objective of this lab is to use DHCP to implement security on a Bridged CO architecture. This lab
requires switching back to the Bridged CO configuration.
Anti-spoofing tables can be constructed to prevent a malicious subscriber from using an IP address not
provided by the ISP. Anti-spoof is explicitly configured on the individual SAPs that require anti-
spoofing. In this lab the anti-spoof table is built dynamically using DHCP messages which requires which
requires DHCP snooping and DHCP lease state table construction to be enabled.
Configuration
1. In this lab, anti-spoof filters are built from DHCP lease state tables for valid RG customers,
simulated by two PCs per pod. This ensures that only traffic from the PC matching the IP-mac
combination of the anti-spoof filter is allowed into the corresponding VPLS. The spoofing PC will
attempt to send its traffic with an IP address not obtained from the ISP. This traffic will be
dropped.
2. The first step is to revert back to the Bridged CO configuration. On the BSA, remove the SAPs from
the e-pipe. Add the correct SAP back to the unicast VPLS, change the port facing the BSR back to a
network port and add it to the appropriate interface. Add the Unicast IES interface back into OSPF.
Again keep as much Routed CO configuration in tact as possible as Routed CO will be used again in
subsequent labs.
3. On the BSR, remove the gi-address from the group-interface and remove the IP address from the
subscriber-interface. If there are active DHCP leases for the PCs, either release the IP addresses
on the PCs or use the command “clear service id 214 dhcp lease-state”. The SAPs need to be
removed from the group interface. Also convert the port facing the BSA to a network port and add
it to the appropriate interface.
ies 214 customer 1 create
interface "toUC10" create
4. Verify that both PC’s can get an IP address via DHCP and that all PCs can ping all other PCs.
5. Execute a “show router arp” on the BSRs to see the MAC-IP combinations.
Verification
1. Verify that the anti-spoof filter is now built, use the command to display the contents of the anti-
spoof table. Verify that there are two entries per VPLS (two PCs)
a. show service id 10 subscriber-hosts
2. Observe the dependency between the anti-spoof filter and DHCP snooping, i.e. shut down DHCP on
any SAP and observe the DHCP lease state table.
3. Restore the DHCP configuration on the PCs.
4. Verify that the anti-spoof table is constructed after DHCP messaging and that traffic from the valid
RG is now accepted.
Notes
Objective
Up to now; all subscribers were able to communicate with each other and discover each other’s MAC
addresses in their broadcast domain. This exercise examines the advantages of using split horizon
groups to block subscriber to subscriber communication, and then uses the local proxy ARP feature on
the router to control subscriber to subscriber communication
Configuration
1. Configure both SAPs on the unicast VPLS to be in a residential split horizon group. For this the SAPS
have to be removed and reconfigured as part of the newly created residential split horizon group.
2. Initiate a new DHCP request.
Verification
1. Ensure that all PCs can ping the gateway address and their IES interface gateway addresses and
vice versa.
2. Can you ping the other PC in your pod now?
3. Configure local-proxy-arp on the unicast IES interfaces of each BSR.
4. Can you ping the other PC in your pod now? Why can they ping each other now?
5. Execute an “arp –a” command on your PC. What is the MAC address and IP address of the other PC
in your pod?
6. Clear the BSR ARP cache. Can you ping the PC from the IES interface? Why is this possible?
Shouldn’t the residential split horizon group SAPs block the downstream broadcast packets (such as
ARP)?
Objective
When configuring a SAP for residential split horizon, the ARP Reply Agent feature is automatically
enabled. The feature allows the IES to ping the home RGs provided a DHCP lease state and anti-spoof
tables are constructed for the RGs on the BSA. By enabling ARP-reply agent on the SAPs, downstream
ARPs from the RGs are answered by the VPLS that contains the appropriate residential SAPS. The
exercise investigates the behavior of this feature.
Configuration
1. The last step of the previous lab indicated that the downstream ARP requests initiated from the IES
interfaces towards the PCs are answered by the ARP Reply Agent, which is by default enabled on
residential split horizon group SAPs.
2. Now disable arp-reply agent on the SAPs and clear the BSR ARP cache.
Verification
1. Initiate a ping to a PC. Does the ping work now? Why not?
Notes
To construct redundancy between the BSR IES interfaces for the BSA unicast aggregation VPLS. This will
ensure that only one physical gateway IES is ever used for all the home RG traffic. The RG default
router address will be the logical VRRP address. In case of a gateway failure, the backup gateway IES
will take over. The home RG will be oblivious to the change. The local DHCP Server will need to be
changed to provide the new logical VRRP address as the default gateway to the home network.
1. Before starting this lab, make sure to activate the redundant SDP bindings between the BSAs and
the BSRs. Each BSA needs to be dual homed to two BSRs. Use the lab supplement given by the
instructor as reference.
2. On the BSR, create a non-owner VRRP instance for each BSAs unicast VPLS. Create a VRRP master
and slave using different priority values. Set the priority so that BSAx will use BSRx as the master
when both BSRs are available. Enable ping-reply and telnet-reply on the VRRP instances. For the
VRRP logical (backup) IP address, use the existing IP address on the IES interface with a “1” for the
last octet.
3. Configure a VRRP policy 999 on both the BSR pod nodes making sure the slave will become master
after the port between the BSRs went down.
vrrp
policy 999
priority-event
port-down 1/1/2
priority 1 explicit
exit
exit
exit
Verification
1. From each PC, release and renew the IP address. Make sure the default gateway is the new VRRP
logical IP address (VRRP backup) and ensure the default gateway is reachable using ping.
2. Execute the following commands and observe the output
a. show router vrrp instance <vrrp-id> interface <interface>
Notes
The objective of this lab is to construct redundancy for a Routed CO architecture between the
subscriber interfaces. A BSAN device is dual homed to two subscriber interfaces on the BSRs. Using
SRRP, only one BSR will be the master and receive and send traffic to the BSAN device. In case of a
failure in the path to the master BSR, the redundant BSR will transition from standby to master and
receive/transmit traffic. The home RG will be oblivious to the change.
1. SRRP requires MCS to be configured between the BSR pair. MCS allows subscriber information to be
synchronized between the master and the standby such that in the event of a failover, the standby
BSR can resume the function of the master. Applications that can be synchronized between the
master and standby include IGMP, local DHCP server and SRRP.
2. In this lab, each pair of BSRs (BSR1 and BSR2) will dual home into both BSAN 1 via BSA1 and BSAN2
via BSA2. Similarly BSR3 and BSR4 will dual home into BSAN3 via BSA3 and BSAN4 via BSA4.
3. Separate subscriber interface pairs will be configured on the BSRs to serve their respective BSANs.
For eg: BSR1 and BSR2 will have one subscriber interface each connected to BSAN1 and will have
another subscriber interface each connected to BSAN2 (four in total).
4. The BSAs in this lab are simple layer 2 bridges. Remove any L3 interfaces between BSA1, BSA2 and
BSR1 and BSR2. Re-configure those ports as access ports. Repeat for BSR3/4 and BSA3/4.
5. Configure a simple VPLS on each BSA with 3 SAPS (the first to the connected BSAN devices, the
second and third to each of the BSRs).
6. Configure a redundant subscriber interface on the redundant BSR dual homing into the BSAN. For
BSAN1, a subscriber interface will be created on BSR2 with ingress port of 1/1/6 (Check the
topology). Similarly for BSAN4 a subscriber interface will be created on BSR3 with ingress port of
1/1/6. Observe the following configuration:
SRRP Configuration
Configuring MCS
1. For SRRP to effectively work, MCS must be configured between BSR1 and BSR2 and between BSR3
and BSR4. Observe the following configuration on BSR1
Verification
1. Verify that the multi-chassis synchronization is working. What is the MCS state?
a. show redundancy multi-chassis all
b. show redundancy multi-chassis sync peer <peer ip address>
2. Verify that the SRRP instance on both PE BSRs indicate the master and backup. Verify that on the
backup IES/BSR, the master priority is indicated in the show output
a. show srrp <instance> detail
3. Verify that the redundant interface is shown in the above output. Observe the state of the backup
IES/BSR. What does the state indicate?
4. On any group interface on any BSR, remove the redundant interface. Verify the SRRP instance that
governs the particular group interface on both the master and the backup. Is there a difference in
the state on the backup BSR? What does this indicate?
5. Obtain IP addresses on the PCs by issuing a DHCP request. Once the IP addresses are obtained.
Verify that the DHCP lease states are maintained across both BSRs for that particular SRRP
instance. What does the MCS standby field indicate
a. show service id <svc id> dhcp lease-state
6. On R5, disable the SAP towards BSR1 on the local VPLS. On R6, disable the SAP towards BSR2. On
R7 disable the SAP towards BSR3 and on R8 disable the SAP towards BSR4. Note: All BSRs here must
be the master BSR towards their routed CO instances. This will break communication between the
SRRP instances. Execute the above show command again on both BSRs. What do you observe?
Ensure that the client PC can still ping the gateway. Why are both BSRs SRRP masters?
a. show service id <svc id> dhcp lease-state
Notes
In this exercise a SAP per service model is used on a Bridged CO architecture. Since a 1-1 relationship
does not exist between SAP’s and subscribers, ESM is required for subscriber separation. In this
example each pod will use two PCs to simulate two subscriber hosts of the same subscriber as well and
then two distinct subscribers by modifying Option 82 and port information on the VPLS of the edge
devices.
Configuration
1. Convert the lab setup from aRouted CO to Bridged CO. In a addition to the usual steps required to
change from Bridged CO to Routed CO, remove all SRRP and MCS configuration.
2. Since a VLAN per service model is in use, configure the BSA unicast VPLS with three SAPs for voice,
video, and data. Use VLAN 100 for VoIP, VLAN 200 for video, and VLAN 300 for data. Make sure
the DHCP lease populate value is set to accommodate a larger number then before since now each
SAP will have traffic from many end users (recall that the previous labs had a one to one
relationship between SAPs and subscribers):
sap 1/1/3:100 split-horizon-group "RSHG" create
description "VoIP SAP"
dhcp
snoop
lease-populate 100
no shutdown
exit
anti-spoof ip-mac
exit
sap 1/1/3:200 split-horizon-group "RSHG" create
description "Video SAP"
dhcp
snoop
lease-populate 100
no shutdown
exit
anti-spoof ip-mac
exit
sap 1/1/3:300 split-horizon-group "RSHG" create
description "Data SAP"
dhcp
snoop
lease-populate 100
no shutdown
exit
anti-spoof ip-mac
exit
qos
scheduler-policy "Downstream Policy" create
tier 1
scheduler "Downstream" create
rate 512
exit
exit
exit
scheduler-policy "Upstream Policy" create
tier 1
scheduler "Upstream" create
rate 512
exit
qos
sap-ingress 100 create
description "VOIP upstream"
queue 1 create
parent "Upstream" cir-level 8
rate 128 cir 128
exit
default-fc "ef"
subscriber-mgmt
sla-profile "Basic_DATA" create
host-limit 100
ingress
qos 300
7. Create a basic subscriber profile using the predefined upstream and downstream schedulers. Also
create a premium subscriber profile overwriting the rate of the schedulers.
subscriber-mgmt
sub-profile "Basic_SCHED" create
8. Create the subscriber identity policy with an SLA and subscriber profile map that maps the numbers
retrieved from the Python script to the strings “basic” and “premium” used in the configuration of
the BSR. Also install the Python script.
subscriber-mgmt
sub-ident-policy "SRCdev" create
sub-profile-map
entry key "basic" sub-profile "Basic_SCHED"
entry key "premium" sub-profile "Prem_SCHED"
exit
primary
script-url "cf3:\SRCDEV_3P.py"
no shutdown
exit
exit
exit
9. Finally apply sub-ident-policy to the VPLS SAPs of the BSA. Add a basic sub-profile and basic sla-
profile as the SAP defaults.
10. Configure the IES interface as trusted so that DHCP packets with Option 82 info will not be dropped
(note the VRRP config from lab 6 is shown below however it is not required to make this lab work).
Verification
1. Verify the script is valid on the BSA.
Notes
Configuration
1. Configure a RADIUS policy on the BSA. Make sure the user-name format sent to the RADIUS server is
circuit-id. Also make sure to include the remote-id in the RADIUS access request messages as it is
required to provide the correct ESM strings. Make sure to specify the management router as the
subscriber-mgmt
authentication-policy "knock-knock" create
description "RADIUS Policy"
password "src"
radius-authentication-server
router "management"
server 1 address 192.168.183.89 secret "src"
exit
user-name-format circuit-id
include-radius-attribute
2. Bind the authentication policy to the SAP. Keep the existing sub-ident-policy and default sub-sla-
mgmt parameters. Disable the python script to ensure we are getting the subscriber parameters
from RADIUS.
sub-ident-policy "SRCdev"
Verification
Notes
The objective of this lab is to use Enhanced Subscriber Management on a Routed CO architecture that
uses a SAP per Subscriber model with PPPoE clients. As in the previous lab RADIUS will be used to
provide the required ESM attributes. Since PPPoE clients are used the pod PCs will need to be
configured as described in “Annex B – Setting Up a PPPoE Session on a Windows PC”. The RADIUS server
Configuration
1. Convert the setup back to a Routed CO architecture which will be used for the remaining labs.
2. In this lab, a SAP per Subscriber model is being used with PPPoE clients using PAP/CHAP
authentication. The PAP/CHAP username is enough for the RADIUS server to uniquely identify each
subscriber and provide the correct ESM attributes. The BSAN still needs to provide the correct VLAN
encapsulation to be used by the BSR. Use a VLAN tag of 100 for PC1 and 200 for PC2. Since we are
using PPPoE clients, DHCP option 82 information no longer needs to be inserted by the BSAN.
3. On the BSR create an upstream and downstream Scheduler with a rate of 512 (these may be pre-
provisioned).
qos
scheduler-policy "Downstream_1" create
tier 1
scheduler "Downstream" create
rate 512
exit
exit
exit
scheduler-policy "Upstream_1" create
tier 1
4. On the BSR, create a SAP ingress policy with 3 queues (one for each stream) that are each
equivalent children of the Upstream parent. Use an IP-criteria Policy to put the correct streams in
the correct queues. Note that the qos policies may be pre-provisioned.
qos
5. Create a SAP egress policy with 3 queues (1 per traffic stream) that are equivalent children of the
downstream scheduler. Note that the QoS policies may be pre-provisioned.
qos
sap-egress 100 create
queue 1 create
parent “Downstream”
exit
queue 2 create
parent “Downstream”
exit
queue 3 create
parent “Downstream”
exit
fc be create
6. Create a basic SLA profile using the SAP ingress and egress policies .
7. Create a premium SLA profile using the SAP ingress and egress policies.
subscriber-mgmt
sla-profile "Prem" create
host-limit 1
ingress
qos 100
queue 1
rate 1024
exit
queue 2
rate 1024
exit
queue 3
rate 1024
exit
exit
exit
egress
qos 100
queue 1
rate 1024
exit
queue 2
rate 1024
exit
queue 3
rate 1024
exit
exit
exit
exit
8. Create a basic subscriber profile using the predefined upstream and downstream schedulers. Also
create a premium subscriber profile overwriting the rate of the schedulers to 8Mbps.
subscriber-mgmt
9. Create the subscriber identification policy. As in the previous ESM lab, the RADIUS server is
configured with sub-profile and sla-profile names rather then key values so use the keyword “use-
direct-map-as-default”.
subscriber-mgmt
sub-ident-policy "SRCDEV" create
sub-profile-map
use-direct-map-as-default
exit
sla-profile-map
use-direct-map-as-default
exit
10. Since the RADIUS server is being used an authentication policy needs to be configured as in the
previous lab. In addition, since the BSR needs to relay PPPoE PAP/CHAP authentication parameters
towards the BSR, the command pppoe-access-method pap-chap has to be configured.
subscriber-mgmt
authentication-policy "knock-knock" create
description "RADIUS Policy"
password "src"
radius-authentication-server
router "management"
server 1 address 192.168.183.89 secret "src"
exit
pppoe-access-method pap-chap
11. Configure the IES used on the BSR for the Routed CO model. Apply the authentication policy to the
group interface and the subscriber identification policy to each SAP. Also enable pppoe on the
group interface with a session limit of 100.
12. If not already done , use the “Appendix B – Setting up a PPPoE Session from a Windows PC” to
setup the PCs in each pod to act as PPPoE clients. For the PPPoE username password use
subX@domain1 / subX, where X is the last octet of the management IP address of your PC. For
example PC 192.168.183.80 would be configured to use sub80@domain1 / sub80. This is important
as it will have to match the RADIUS entries in the RADIUS users file.
Verification
1. On the PCs, use the SRC ISP connection start a PPPoE session
2. Verify the subscriber hosts, queues, subscriber profiles and sla profiles on the BSR.
a. show service id 1 pppoe session
b. show service id 1 pppoe summary
c. show service id 1 pppoe statistics
d. show service id 1 pppoe session detail
e. show service active-subscribers
f. show service active-subscribers detail
g. show service active-subscribers hierarchy
3. If the PCs were switched back to DHCP clients, would there be a need to do Option 82 insertion for
Circuit-Id on the BSAN? For Remote-Id?
Notes
In the previous Lab ESM was done on a Routed CO with a SAP per subscriber model. However the SAPs
were provisioned manually. In this Lab we will reuse the configuration of the previous lab but use a
managed SAP model. Managed SAP is a feature on the SR to that will automatically provision SAPs. The
RADIUS server will provide the same ESM attributes (sub-identity, sub-profile, sla-profile) as it provided
in the previous lab, additionally it will also provide three managed SAP attributes required on Routed
CO (msap-policy, msap-service-id, msap-groupInterface). The RADIUS server will also provide the IP
Configuration
3. Create a managed SAP policy with default SAP parameters and the Subscriber Identity policy to be
used. Note the managed SAP policy name is returned by RADIUS and contains information that is
configured directly on the SAP in the provisioned SAP model. Note that the default subscriber-id
string is used to signal that RADIUS did not return one.
subscriber-mgmt
msap-policy "routedCoMsapPolicy" create
sub-sla-mgmt
def-sub-id string "noRadiusSubId"
def-sub-profile "Basic_SCHED"
def-sla-profile "Basic"
sub-ident-policy "SRCDEV"
exit
Verification
Notes
BSA 1
1
Access 1 Pod2-PC1
BSA 2
2
Pod2-PC2
Click on Connect. You will be connected to the remote PC and prompted to log in.
The logon credentials will be supplied by the instructor. A username and password will be required.
Once you have entered them, you should be connected to the remote PCs desktop.
Verify the IP addresses of the both remote PC ‘Inside Lab’ Ethernet interface is as shown in Table 1-5,
PC IP addresses.
Ping the default gateway address from the command prompt of the PC to verify connectivity.
Capture some Lab traffic by clicking on the ‘Prepare’ button for the adapter bound to the IP address of
the Lab network connection interface. In the resulting dialog box, check the ‘Update list of packets in
real time’ and ‘Automatic Scrolling in live capture’ checkboxes under ‘Display Options’, as shown in
Figure 1-5. Click on ‘Start’ to begin the packet capture. There will be a minimal amount of traffic at
his time. Close the capture and the application once you are comfortable with the operation of
Ethereal. It is not required to save the captured packets.
To select a file to stream, click on File – Open File. Click on Browse and select the file to stream as
shown below. If you are not sure of the file to use, consult with the instructor.
Log off from the remote PC Windows session once you are familiar with the operation of the commands
shown above.
2. Bind the Local DHCP Server to an Interface, preferably a loopback interface that will always be up
*A:BSR1>config>router# interface localDhcpLoop1
*A:BSR1>config>router>if# info
----------------------------------------------
address 10.99.99.1/32
loopback
local-dhcp-server "srcDhcpServer"
----------------------------------------------
*A:BSR1>config>router>if#
4. The following command may be required at some points in the lab to clear the leases from the
local DHCP server:
Lab 1 Solution
#--------------------------------------------------
echo "IP Configuration"
#--------------------------------------------------
interface "system"
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
router
interface "system"
address 10.10.10.215/32
exit
interface "toBSR1"
address 10.214.215.215/24
port 1/1/2
exit
interface "toBSR2"
address 10.215.218.215/24
port 1/1/4
exit
#--------------------------------------------------
echo "OSPFv2 Configuration"
#--------------------------------------------------
ospf
traffic-engineering
area 0.0.0.0
interface "system"
exit
interface "toBSR2"
interface-type point-to-point
exit
interface "toBSR1"
interface-type point-to-point
exit
exit
exit
#--------------------------------------------------
#--------------------------------------------------
echo "MPLS Configuration"
#--------------------------------------------------
mpls
interface "system"
exit
interface "toBSR2"
exit
interface "toBSR1"
exit
path "loose"
no shutdown
exit
lsp "toBSR2"
to 10.10.10.218
primary "loose"
exit
no shutdown
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
service
customer 1 create
description "Default customer"
exit
sdp 214 mpls create
far-end 10.10.10.214
lsp "toBSR1"
keep-alive
shutdown
exit
no shutdown
exit
sdp 218 mpls create
far-end 10.10.10.218
lsp "toBSR2"
keep-alive
shutdown
exit
no shutdown
exit
exit
#--------------------------------------------------
Lab 2 Solution
Lab 2 BSR1
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
router
dhcp
local-dhcp-server "aminDhcpServer" create
exit
exit
interface "localDhcpLoop1"
address 10.99.99.1/32
loopback
local-dhcp-server "aminDhcpServer"
exit
interface "system"
address 10.10.10.214/32
exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
service
customer 1 create
description "Default customer"
exit
sdp 215 mpls create
far-end 10.10.10.215
lsp "toBSA1"
keep-alive
shutdown
exit
no shutdown
exit
ies 214 customer 1 create
interface "toUC10" create
address 192.168.215.2/24
dhcp
server 10.99.99.1
gi-address 192.168.215.2
no shutdown
exit
ip-mtu 1500
spoke-sdp 215:10 create
exit
exit
no shutdown
exit
exit
#--------------------------------------------------
#--------------------------------------------------
echo "Local DHCP Server (Base Router) Configuration"
#--------------------------------------------------
router
dhcp
local-dhcp-server "srcDhcpServer" create
use-gi-address
pool "srcDhcpPool1" create
subnet 192.168.215.0/24 create
options
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
service
ies 218 customer 1 create
interface "ToUC10" create
address 192.168.215.3/24
dhcp
server 192.168.20.1
no shutdown
exit
ip-mtu 1500
spoke-sdp 215:10 create
exit
exit
interface "ToUC20" create
address 192.168.219.3/24
dhcp
server 192.168.20.1
no shutdown
exit
ip-mtu 1500
spoke-sdp 219:20 create
exit
exit
no shutdown
exit
#--------------------------------------------------
echo "Router (Service Side) Configuration"
#--------------------------------------------------
router
#--------------------------------------------------
echo "OSPFv2 Configuration"
#--------------------------------------------------
ospf
area 0.0.0.0
interface "ToUC10"
exit
interface "ToUC20"
1. The packets that appear are: DHCP DISCOVER, OFFER, REQUEST and ACK.
1. There should be three entries. Two for the PC’s and one for the IES interface (chassis MAC).
#--------------------------------------------------
echo "IGMP Configuration"
#--------------------------------------------------
igmp
interface "toMC100"
exit
exit
#--------------------------------------------------
echo "PIM Configuration"
#--------------------------------------------------
pim
interface "system"
exit
interface "toMC100"
exit
interface "toVideoServer"
exit
rp
static
address 10.10.10.214
group-prefix 239.0.0.0/8
exit
exit
bsr-candidate
shutdown
exit
rp-candidate
shutdown
exit
exit
exit
#--------------------------------------------------
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
service
customer 1 create
description "Default customer"
exit
ies 214 customer 1 create
interface "toUC10" create
address 192.168.215.2/24
dhcp
server 10.99.99.1
gi-address 192.168.215.2
no shutdown
exit
ip-mtu 1500
spoke-sdp 215:10 create
exit
exit
interface "toMC100" create
address 192.168.100.214/24
ip-mtu 1500
spoke-sdp 215:100 create
exit
exit
no shutdown
exit
exit
#--------------------------------------------------
1. The router port is the port that has a (*,*) entry in the IGMP Snooping database.
2. Using an IGMP Querier reduces the number of Queries sent out on a LAN. The IGMP Querier is
responsible for the Queries to be sent out.
3. Using a PIM DR makes sure only one router connected to a LAN will issue the PIM Join messages,
making sure only one path per LAN is created in stead of many. The PIM DR is responsible for
the PIM Joins to be sent to the RP or the Source.
Lab 4 Solution
Lab 4 BSR Configuration (note Interface toUC10 is not used in this Routed CO Lab)
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
ies 214 customer 1 create
interface "toUC10" create
dhcp
server 10.99.99.1
no shutdown
exit
ip-mtu 1500
spoke-sdp 215:10 create
exit
exit
subscriber-interface "toRoutedCo10" create
address 192.168.215.2/24
group-interface "toBSAN1" create
arp-populate
dhcp
server 10.99.99.1
trusted
Lab 5 Solution
DHCP Snooping must be installed on the BSA SAPs and Spoke SDPs
DHCP Lease Populate must be installed on the BSA SAPs and BSR IES Interfaces.
Anti Spoof must be installed on the BSA SAPs.
Local Proxy Arp must be installed on the IES Interfaces
Residential Split Horizon groups must be installed on the VPLS and SAPs in that VPLS.
Arp Reply Agent must be enabled on the BSA SAPs and is enabled by default on Residential Split
Horizon Group SAPs.
DHCP Snooping enables a VPLS SAP or Spoke SDP to read the DHCP messages passing through a
Layer 2 domain. Normally DHCP messages are only read by Layer 3 and higher.
DHCP Lease Populate creates the DHCP lease state tables, which are necessary for the Anti
Spoofing tables (and other features).
Anti Spoofing creates a table that links the SAP with the IP/MAC addresses given by the DHCP lease
state table.
Local Proxy Arp makes sure the IES Interface or VRRP interface answers the ARP request from the
PCs requesting the MAC addresses of other PCs in that LAN.
Residential Split Horizon groups bind SAPs in a VPLS together and block direct traffic between
them.
ARP Reply Agent answers the downstream ARP requests initiated from the BSR towards the PCs
instead of forwarding the ARP Request towards the PC.
Lab 6 Solution
vrrp
policy 999
priority-event
port-down 1/1/2
priority 1 explicit
exit
exit
exit
exit
Lab 7 Solution
Lab 7 BSAN1
Lab 7 BSA1
vpls 500 customer 1 create
stp
shutdown
exit
sap 1/1/1 create
description "sap to BSR1"
exit
sap 1/1/3:* create
description "sap to BSAN1"
exit
sap 1/1/6 create
description "sap to BSR2"
exit
no shutdown
exit
redundancy
multi-chassis
peer 10.10.10.218 create
sync
srrp
sub-mgmt
port 1/1/1 create
range 0-1000 sync-tag "SRRP10"
exit
no shutdown
exit
no shutdown
exit
exit
exit
Lab 8 Solution
qos
scheduler-policy "Downstream Policy" create
tier 1
scheduler "Downstream" create
rate 512
exit
exit
exit
scheduler-policy "Upstream Policy" create
tier 1
scheduler "Upstream" create
rate 512
exit
exit
exit
exit
qos
sap-ingress 100 create
description "VOIP upstream"
queue 1 create
parent "Upstream" cir-level 8
rate 128 cir 128
exit
queue 11 multipoint create
exit
default-fc "ef"
exit
sap-ingress 200 create
description "Video Upstream"
queue 1 create
parent "Upstream" cir-level 6
rate 128 cir 128
exit
queue 11 multipoint create
exit
default-fc "h1"
exit
sap-ingress 300 create
description "Data Upstream"
queue 1 create
parent "Upstream"
rate 256
exit
queue 11 multipoint create
exit
exit
sap-egress 100 create
description "VOIP downstream"
queue 1 create
subscriber-mgmt
sla-profile "Basic_DATA" create
host-limit 100
ingress
qos 300
exit
exit
egress
qos 300
exit
exit
exit
sla-profile "Basic_VIDEO" create
host-limit 100
ingress
qos 200
exit
exit
egress
qos 200
exit
exit
exit
sla-profile "Basic_VOIP" create
host-limit 100
ingress
qos 100
exit
exit
egress
qos 100
exit
exit
exit
sla-profile "Prem_Data" create
host-limit 50
ingress
qos 300
queue 1
rate 1024
exit
exit
subscriber-mgmt
authentication-policy "knock-knock" create
description "RADIUS Policy"
password "QIbMUnDKWUzEyR9iryzXIfHvxHvn9NHR" hash2
radius-authentication-server
router "management"
server 1 address 192.168.183.89 secret "WaeD9WV82akVUOYo0VImlk" hash2
exit
user-name-format circuit-id
include-radius-attribute
circuit-id
remote-id
exit
exit
Lab 9 BSAN1
Lab 10 Solution