Advanced CCIE Routing & Switching v5.0 www.MicronicsTraining.com Narbik Kocharians CCSI, CCIE #12410 R&S, Security, SP VOL-II CCTE RAS by Narbik Kocharians Page 1 of 222Table of content Subject Page IPv6 Lab 1 Acquiring an IPv6 Address 4 IP Prefix-lists Lab 4 Prefix-lists 27 NAT Lab 4 Static NAT Configuration 7 Lab 2 Static NAT Configuration & the “Alias” Keyword 4 Lab 3 NAT Reversible oO Lab 4 Advanced Static NAT Configuration 66 Lab 5 Configuration of Dynamic NAT -1 8 Lab 6 Configuration of Dynamic NAT - II R Lab 7 Configuration of Dynamic NAT - 11 5 Lab 8 NAT and TCP Load Balancing 3 Lab 9 Configuring PAT a Lab 10 Configuring PAR 88 Lab 114 Configuring Static NAT Redundancy With HSRP 2 Lab 42 Stateful Translation Failover With HSRP 7 Lab 13 Translation of the Outside Source - I 104 Lab 14 Translation of the Outside Source - IT 107 Lab 15 NAT ona Stick 112 Lab 16 NAT Virtual INterface 119 HSRP Lab 4 HSRP Configuration 126 VRRP Lab 2 VRRP Configuration 160 GLBP Lab 3 GLBP Configuration 194 NTP Lab 4 Configuring NTP 23 CCIE RAS by Narbil 1d. CCW R&S Work Book v5.0 14 Nar Kacieane llrghe reserved Kocharians Page 2 of 222Advanced CCIE Routing & Switching 5.0 www.MicronicsTraining.com Narbik Kocharians CCSI, CCIE #12410 R&S, Security, SP IPv6 CCTE RAS by Narbik:Nocharians A Page 3 of 222Lab1 Acquiring an IPv6 Address Task 1 Configure the Ethernet segment connecting R1 to R3, do not assign an IPv6 address to R3, R3 should acquire the network portion of its IPv6 address through SLAAC process from R1. Use the following mac-addresses for these two routers: R1—0000.1111.1111 R3 ~0000.3333.3333, Let's configure both F0/0 interfaces of these two routers in VLAN 13 (Any VLAN ID can be used). On SW1: Swi (config) #int range £0/1,£0/3 SWi (config-if-range) #swi mode acc SW (config-if-range) #swi acc v 13 Sil (config-if-range) #No. shu Stateless Address Auto-Configuration (SLAAC) is one method for the IPv6 clients to get the network CCIE RAS by Narbik Kochariane Advanced CCIE R&S Work Book ¥5.0 Page 4 of 222 {© 2014 Norbie Koharians. All igh reservedportion of their IPv6 address. SLAAC provides a very simple process where the clients self-assign an IPv6 address based on the IPv6 prefix. ‘This process is achieved based on the following: Host sends a Router Solicitation (RS) message. Arouter with IPv6 unicast routing enabled will reply with a Router Advertisement (RA) message. ‘The Host takes the first 64 bits of the IPV6 prefix from the Router Advertisement message and com it with the 64 bit EUI-64 address to create a global unicast message. The host also uses the source IPv6 address, in the IPv6 header, of the Router Advertisement message, as its default gateway. Duplicate Address Detection is performed by IPv6 clients to ensure the uniqueness of the new IPV6 address. OnRi: In IPv6, unicast routing is disabled by default and in order for R1 to respond to the Router Solicitation (RS) messages the unicast routing MUST be enabled: Rl (config) #IPv6 unicast-routing 1 (config) #int £0/0 Ri (config-if) #mac-address 0000.1111.1111 Rl (config-if) #ipv6 enable Rl (config-if) #ipv6 address 13::1/64 Rl (config-if) #No shut To verify the configuration: OnR R1#Show ipvé interface F0/0 | Inc FF Ipv6 is enabled, link-local address is FE80::200:11FF:FE1| > Allhosts within the local segment > Allrouters within the local segment F00:1 > The Solicited Node Multicast based on the Global unicast IPv6 address F11:1111 > The Solicited Node Multicast based on the Link Local IPv6 address In the output of the above show command we can see that the local router has auto generated a link local address based on the EUI-64 format. The following shows how the EUI-64 format is generated: CCTE R&S by Narbik Kocharians Advanced CCIE R&S Work Book v5.0 Page 5 of 222 (64914 Nar Kocbarlan, Al rights reserved0000.1111.1111 FFFE 0000:11FF:FE11:1111 Then, the 7" bit in inverte 0000:11F| IN 0000 0000 1234 5678 E11:1111 ‘The 7" bit s inverted, in this case its 1 0000 0010 ‘The new Link Local Address Is: 0200:11FF:FE11:1111 OR 200:11FF:FE11:1111 The host portion of the IPv6 address is taken from the MAC-address of that interface (In Ethernet ONLY), but the MAC address is 48 bits and the node portion of the IPv6 address is 64 bits, so they decided to add “EFFE” which is 16 bits in the middle of the MAC address, then, the flip the most significant 7" bit and add “FE80::" in front of it. On R3: Before R2 is configured, let's enable “Debug ipv6 nd” and see the exchange of the packets: R3#Debug ipvé nd ICMP Neighbor Discovery events debugging is on R3 (config) #int £0/0 R3 (config-if) ¢mac-address 0000.3333.3333 R3 (config-if) #ipv6 enable R3(config-if) #ipv6 address autoconfig default R3(config-if) #No shut Once the “IPv6 enable” and the “No shut” commands were entered, the local router auto generated its CCHE RAS by Narbik Kocharians Advanced CCIE R&S W. (© 1014 Nari Kocharian. A Book 5.0 Page 6 of 222Link Local address and it wanted to ensure that it was unique within the segment, therefore, a Neighbor Solicitation (NS) was sent for its LL address of “FE80::200:33FF:FE33:3333”: IPv6-Addemgr-ND: DAD request for FE80::200:33FF:FE33:3333 on FastEthernet0/0 ICMPv6-ND: Sending NS for FE80::200:33EF:FE33:3333 on Fastithernet0/0 The local router also generates a Router Solicitation to find out the network portion of its IPv6 address; this is performed because of the “IPv6 address autoconfig default” command configured under the F0/0 interface of the local router: ICMPv6-ND: Sending RS on FastEthernet0/0 The local router received a Router Advertisement (RA) in response to the RS message sent earlier: ICMPv6-ND: Received RA from FE80::200:11FF:FE11:1111 on FastEthernet0/0 ICMPv6-ND: Glean FE8O 00:11FF:FE11:1111 on FastEthernet0/0 ICMPV6-ND: Neighbour FE80::200:11FF:FE11:1111 on FastEthernet0/O : LLA 0000.1111.1111 Since the local router did not receive any messages from R1 within the reachable timeout period, the state transitioned into stale: > ICMPV6-ND: INCMP -> STALE: FE8O::200:11FF:FE11:1111 R3's default route is set to R1’s link local address: ICMPV6-ND: Selected new default router FE80::200:11FF:FE11:1111 on FastEthernet0/0 ICMPV6-ND: Installed default to FEO: :200:11FF:FE11:1111 on FastEthernet0/0 It received its global unicast IPv6 address: ICMPV6-ND: Autoconfiguring 13::200:33FF:FH33:3333 on FastEthernet0/0 Duplicate Address Detection (DAD) process determined that the link local IPv6 address in unique because R3 did not receive an NA in response to the NS that it sent earlier: IPv6-Addrmgr-ND: DAD: FE80::200:33FF:FE33:3333 is unique. The local router sends one more NA for its LL address one last time: ICMPv6-ND: Sending NA for FE80::200:33EF:FE33:3333 on Fast@thernet0/0 CCIE R&S by Narbike Kocharians Advanced CCTE R&S Work Book 5.0 Page 7 of 222 2014 Nar: Koctarans. AI ighLayer three comes up on R3’s F0/0 interface: ICMPv6-ND: L3 came up on FastEthernet0/0 ‘The local router sends an NS for the global unicast address: IPv6-Addrmgr-ND: DAD request for 13: :200:33FF:FE33:3333 on FastEthernet0/0 ICMPV6-ND: Sending NS for 13::200:33FF:FE33:3333 on FastEthernet0/0 LLIPv6 address is up and available: ICMPV6-ND: Linklocel FEO: :200:33FF:FE33:3333 on FastEthernet0/0, Up DAD determines that the global unicast IPv6 address is unique: ICMPV6-ND: Sending RS on FastEthernet0/0 IPv6~Addemgr-ND: DAD: 13: :200:33FF:FE33:3333 is unique. ‘The local router sends one more NA for its global unicast IPv6 address one last ti ICMPv6-ND: Sending NA for 13::200:33FF:FE33:3333 on FastEthernet0/0 Ri sends RA periodically: ICMPV6-ND: Received RA from FE0::200:11FF:FE11:1111 on FastEthernet0/0 ICMPV6-ND: Autoconfiguring 13::200:33FF:FE33:3333 on FastEthernet0/0 On R3 R3#Show ipv6 interface brief F0/0 FastEthernet0/0 [up/up] FEGO: :200:33FF:FE33:3333 13: :200:33FF:FE33:3333 CCTE RAS by Narbik:Kocharlans Advanced CCIE R&S Work Book v5.0 Page & of 222 {©2014 Wark Kocharane AI xghs reservedTask 2 Configure the serial link connecting R4 to RS, do not assign an IPv6 address to the S1/4 interface of R5; R5 should be configured as a DHCP Client acquiring an IPv6 address from 4, RS should also get its domain name “MicronicsTraining.com” and the ONS server's IPv6 address of 2001:1111::1 from RA. Let's configure R4’s $1/5 interface and also configure the local router as a DHCP server: On R4: To work as a DHCP server, unicast-routing MUST be enabled: R4 (config) #IPV6 unicast-routing R4 (config) #IPv6 dhep pool TST Specifies the address range to provide in the pool. R4 (config-dhcpvé6) address prefix 45::/64 Provides the DNS server and the domain name option to DHCP clients. 4 (config-dhcpvé) #dns~server 2001:1:1111::1 R4 (config-dhepv6) #domain-name MicronicsTraining. com RA (config) #int $1/5 ) #IPv6 enable £)4Clock rate 64000 )#IPV6 address 45::4/64 Rd (config: ‘The following command configures the DHCP server on the interface. Rd (config-if) #IPv6 dhcp server TST ‘The following command configures IPv6 interface’s neighbor discovery to allow the hosts to uses DHCP for address configuration. This is also known as the “I” )#IPv6 nd managed-config-flag £)#No shut RA (config R4 (config: There are two bits that we must know, the “M” and the “O” bits: CCTE R&S by Narbik Kocharfans Advanced CCIE R&S Work Book v5.0 Page 9 of 222 © 2014 Narbtk Kocarans. ll eights servedThe “M" bi The When set, information. On RS: RS (config) On RS: Seriall/4 Or: 45 Seriall/4 Address DNS RS (config- 6892: 1A8F:3F8 The "Managed address configuration" flag. When set, it indicates that addresses are available via Dynamic Host Configuration Protocol [DHCPv6]. Clients SHOULD use DHCP to obtain IPv6 addresses. available for autoconfiguration of OTHER (non-address) #int 51/4 if) fipv6 enable RS (config-if) #1Pv6 address dhcp if) #No shut To verify the configuration: R5#Show ipvé int br S1/4 (up/up] 'EBE : 69D0 784 21B:D4EF: We can see that the local router acquired an IPv6 address from the DHCP server. How do we display the DHCP optional items that the local router acquired from the DHCP server? RS#Show ipvé dhcp interface is in client mode Prefix State is IDLE State is OPEN Renew for address will be sent in 11:58:13 List of known servers Reachable via address: FE8Q::217:59FF:FECE:2B8 DUID: 00030001001759Cz02B8 Preference: 0 Configuration parameters: IA NA: IA ID 0x00090001, T1 43200, 72 69120 Addres: 5: 6892: 1NBF:3F80!7784/128 preferred lifetime 86400, valid lifetime 172800 expires at Jun 13 2014 11:12 PM (172693 seconds) sexvee!! 200222:121172 CCIE R&S by Narbik Kocharlans — Adyanced CCTE R&S Work Book ¥5.0 Page 10 of 222 {2014 Nae Kectarian. Al igh reservedDomain’ Wane’ Micronies'trainingseom Information refresh time: 0 Prefix Rapid-Commit: disabled Address Rapid-Commit: disabled On R4: R4#Show ipvé dhcp binding Si EB DEED. D0030 001 00TBD¢BEESDO Username : unassigned TA NAL IA 1D 000090001, 11 43200, T2 69120 preferred lifetine 86400, valid expires at Jun 13 2014 11:05 PM (171405 seconds) Task 3 Configure the serial link connecting R1 to R4 based on the diagram in the beginning of this lab. Configure the serial link connecting R1 to R2. DO NOT configure an IPv6 address on R2's $1/1 interface, this router should be configured to acquire an IPv6 address from the DHCP Server (Rd], Ri should be configured as a DHCP relay agent. Let's configure the serial interfaces first: On Ri: Rl (config) #ipvé unicast-routing RI (config) #int 51/2 Rl (config-if) #Clock rate 64000 Rl (config-if) #ipv6 address 12::1/64 Rl (config-if) #ipvé enable Ri (config-if)#No shut Ri (config) #int s1/4 Rl (config-if) #elock rate 64000 Rl (config-if) #ipvé enable Ri (config-if) #ipv6 address 14::1/64 CCH RSS by Narbik Kocharians Advanced! CCIE R&S Wark Book v5.0 Page 17 of 222R1(config-if} #No shut On R4: R4 (config) #int s1/1 R4 (config-if) #ipvé enable R4 (config-if) fipv6 address 1 R4 (config-if) #No shut To test the configuration: On R4: R4gPing 14::1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 14: tere 1, timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms In this case R2 is going to be the DHCP-Client, once configured, R2 will send a RS, Ri will receive this request and it will relay that request to R4 the DHCP Server. This request will have the “Link address” field that will have the IPv6 address of R1’s link facing R2; R4 will go through its scopes and it will find one that matches the same network, and it will lease out an IPv6 address from that scope. R1 will receive the RA and it will relay it down to R2, and this is how R2 acquires an IPv6 address. A very simple process that is very similar to IPv4. Let’s configure another scope for the 12::/64 network: OnR4: R4 (config) #ipv6 dhcp pool TST-R2 R4 (config-dhcpv6) taddress prefix 12::/64 R4 (config-dhcpv6) #dns-server 2001:12:12:12: Rd (config-dhepv6) #domain-name MicronicsTraining.com Let’s apply the poo! to the $1/1 interface: RA (config-dhepvé) #int s1/1 R4(config-if) #ipv6 dhcp server TST-R2 NOTE: IF the “address prefix 12::/64” is configured in the previous pool (TST), R2 will get two IPv6 address one from the 12::/64 network and the second one from the 45::/64 network, CCIE R&S by Narbik Kocharians Advanced CCTE R&S Work Book v5.0 Page 12 of 222 (©2015 Narbik Keckariams. Al igh reservedLet's configure R1, the DHCP relay agent: On Ri: R1 (config) #int s1/2 The following command configures the IPv6 address of the DHCP server by using the “detination” keyword; the $1/4 interface configuration is optional in this scenario. The serial1/4 interface has to be configured ONLY if the “destination” keyword references the Link Local ipv6 address of R4. Serial 1/4 Rl (config-if) fipv6 dhep relay destination 14 Rl (config-if) fipw6 nd managed-config-flag The “IPV6 unicast-routing” command MUST be configured, since this was cor have to configure it again. sured in Task-1, we don’t Finally the DHCP client is configured. On R2: R2 (config) #int s1/1 R2(config-if) #ipv6 enable R2(config-if) #ipv6é address dhcp R2(config-it) #No shut To verify the configurati On R2: R2#Show ipv6 interface bri si/1 Seriall/1 (up/up] FEG0: :200:22FF:FE22:2222 12::A0B1:AAB2:4ACO:CEBB R2#Show ipvé dhcp interface |Serial1/1 is in client mode Prefix State is IDLE Address State is OPEN Renew for address will be sent in 11:59:14 List of known servers: Reachable via address: FE80 DUID: 00030001001759CE0288 200:11FF:FE11:1111 CCIE R&S by Narbik Koch: Advanced CCIE R&S Work Book ¥5.0 Page 13 of 222 ‘© 2014 Narbtk Kochariane AlleghtsreeevedPreference: 0 Configuration parameters: 1D 0x00060001, 71 43200, T2 69120 preferred lifetime 86400, valid lifetime 172800 expires at Jun 14 2014 06:57 PM (172754 seconds) Information refresh time: Rapid-Commit: disabled Address Rapid-Conmit: disabled Task 4 Configure R3 to get the DNS and its domain name of “MicroncisTraining.com” from the DHCP server but it should continue to use SLAAC for its IPv6 address. ‘We saw the configuration of the “M” bit which the DHCP server gave an IPv6 address plus the optional DHCP parameters such as the DNS and the domain name. With the “O” bit set the DHCP server will ONLY give out the optional DHCP parameters only, the client will NOT get an IPv6 address from the DHCP server. 3 has already used the SLAAC process to get the network portion of its IPv6 address, let’s configure Ri to accommodate this request. Let's see R3’s FO/0 configuration: On R3: R34Show run int £0/0 | B interface interface FastEthernet0/0 mac-address 0000.3333.3333 no ip address duplex auto d_auto ipvé enable end All we need to do is enable the “O” bit and configure the relay configuration on the FO/0 interface of R1: ‘Sby Narbik Kocharians Ad CIE R&S 5. Page 14 of 222 1 2014 Nari Rocarians AM igh reservedOn Rt: Rl (config) #int £0/0 Rl (config-if) fipvé dhcp relay destination 14 Ri (config-if) fipvé nd other-config-flag To verify the configuration: | OnR3: | R3¢Show ipv6 interface brief F0/0 FastEthernet0/0 (up/up] 200: 33FF:FE33:3333 00: 33¥F:FE33:3333 R34Show ipvé dhcp interface FastEthernet0/0 is in client mode Prefix State is IDLE (0) | Information refresh timer expires in 23:58:07 Address State is IDLE List of known servers: Reachable via addres: DUID: 00030001001759CE02B8 Preference: 0 Configuration parameters DNS server: 2001 :12:12: Domain name! MicroniceTraining/éon Information refresh time: 0 Prefix Rapid-Commit: disabled Address Rapid-Commit: disabled F:FE11:1111 We can see that R3 received its DNS and domain name information from the DHCP server but it received the network portion of its IPv6 address from Ri through the SLAAC process. Task 5 Re-configure R5 to acquire its IPv6 address from Rd (The DHCP Server) using two messages instead of four. CCIE RES by Narbik Kochariavs Adyanced CCIE R&S Work Book v5.0 Page 15 of. 182014 Narbtk Kashar. A ght eserved‘The DHCPvé client can acquire its IPv6 address and optional parameters from a DHCP server in two ways: Rapid-commit: In this process ONLY two messages are exchanged, a Solicit from the client to the server and a reply from the server to the client. ‘The default: The normal way which is the default the DHCP client and the DHCP server exchange four DHCP | messages and they are: Solicit, Advertise, Request, and Reply. Before the task is configured, let’s enable “Debug ipv6 dhcp” and “Default interface S1/4” on R5 and reconfigure a regular or the default four message exchange: On RS: R5 (config) #default inter s1/4 Interface Seriall/4 set to default configuration R5#Debug ipvé dhcp IBv6 DHCP debugging is on R5 (config) #int s1/4 RS (config-if) #shut R5 (config-if) #ipv6 enable R5 (config-if) #ipv6 address dhcp R5 (config-if) #No shut Now, let’s configure RS as a DHCP client to exchange four messages before it acquires an IPv6 address and the optional parameters from the DHCP server, Ra. Sending REQUEST to FFO2/:1:2 DHCPv6 address changes state from SOLICIT to REQUEST (ADDR ADVERTISE. RECERVE| ) on Seriall/4 Processing options 1 Adding address 45: :DC06:2D13:9C93:FF4B/128 to Seriall/4 1 TL set to expire in 43200 seconds 72 set to expire in 69120 seconds Configuring DNS server 2001:1:1111 Configuring domain name MicronicsTraining.com DHCP: DACPV6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on Seriali/4 CCIE R&S by Narbik Kocharlans Advanced CCIE R&S Work Book v5.0 Page 16 of ‘2 a014 Wari Keckarians, AM rights reveredThe “Rapid-commit” option MUST be configured on the DHCP client and the DHCP server. To configure the DHCP server for “rapid-commit”: OnR4: R4 (config) #int s1/5 Ré (config-if) #ipvé dhep server TST EESSG=SSHRE Let’s “Default interface S1/4” on RS and reconfigure the “Rapid-commit” option and see the difference: On RS: RS (config) #int s1/4 RS (config-it) fipvé enable | RS (config-if) #ipv6 address dhcp RS (config-if) #No shut rIpv6 sending’ sotitcrr to! rro2z: ni Seriati7a | TPv6 keceiived REELY 288i 6 IPv6 : Adding server F580: IPv6 Processing options Pv6 Adding address 45 IPvé : Tl set to expire in 43200 seconds IPv6 12 set to expire in 69120 seconds PVv6 Configuring DNS server 2001:1:1111 IPV6 DHCP: Configuring domain name MicronicsTraining.com ‘As we can see only two messages were exchanged. Task 6 Configure R4, R6, R7 and R8 based on the following: DO NOT assign an IPV6 address to R6, R7 or RB. Configure R6 and R7 in VLAN 67. Configure R6 and R8 in VLAN 68. Configure the $1/6 interface of Rd with 46:2::4/64 IPv6 address. CCTE R&S by Narbik Kocharians Advanced CCIE R&S Work: Book v5.0 Page 17 of ? ‘© 2014 Narbik Rocharians, A nights reservedR4 (config) #int 1/6 R4 (config-if) #mac-address 0000.4444.4444 RA (config-if) #ipv6 addr 46:2::4/64 R4(config-if) #clock rate 64000 R4(config-if)#No shut On SW2: This trunk has to be configured because the FO/1 interface of R6 is connected to SW2 and the GO/1 interface of R7 is connected to SW3. 812 (config) #int £0/23 Si12 (config-if) #swi tru enc dot 8812 (config-if)4swi mode trun 82 (config-if)#No shut W2 (config) #int £0/6 Sii2 (config-if) #swi mode acc SW2(config-if) #swi acc v 67 SW2(config-if) #No shut On SW3: SW3 (config) #int £0/7 SW3 (config-if) #swi mode acc SW3 (config-if) #swi acc v 67 SW3 (config-if)#No shut SW3 (config) #int £0/23 SW3(config-if) #swi trun enc do S8i3 (config-if)#swi mode trun 883 (config-if) #No shut Ons Sil (config) #int range £0/6,£0/8 SW1 (config-if-range) #swi mode acc SW1 (config-: range) #swi acc v 68 Sill (config-if-range) #No shut CCIE R&S by Narbik Kocharians Adyanced CCIE R&S Work Book v5. Page 18 af (© 2014 Narbtk Kochariane Alleighs reservedTask 6 ISP-A has an IPv6 prefix of 46:1:1::/48 and it needs to subnet this prefix to /56 subnets. Comipany-A (R6) has two sites that are connected through its FO/0 and FO/1 interfaces, but soon this company will grow to 12 sites. Company-A (R6) should acquire a network address from the ISP-A (Rd) and subnet this prefix to a minimum of 12 subnets; the first subnet should be automatically assigned to its FO/0 interface with the host portion of its IPv6 address as “::10"; RB should use R6-as its default gateway, R6's FO/1 interface should be automatically assigned the third subnet with the host portion of “::1”. R7 should use R6 as its default gateway. R7 and R8 should automatically acquire the network portion of their IPv6 address from RG, they should auto generate their host portion of their IPvé address. Both R7 and RB should have reachability to R4’s 1/6 IPv6 address. DO NOT configure any static route or configure static IPv6 address/es to accomplish this task. ‘The following diagram shows the bits used by the provider to generate more /56 subnets. One of these subnets is given to the customer. eT Bite subnetied Subnet bits used by 18? the’ a! CCIE R&S by Narbik Kacharlans Advanced CCIE R&S Work Book v5.0 Page 19 of 222 ‘©2014 Narbik Recharane, A rights reservedThe following diagram shows the 4 bits that are given to the customer; the customer can use these 4 bits to generate 16 networks: Bits NOT ‘Subnat bits used by I en = 00898989595 Ooo To resolve this task, we need to configure prefix-delegation. The purpose of the prefix delegation mechanism is to delegate prefixes to the CEs automatically. The prefix delegation mechanism typically delegate prefix lengths between /48 to /64. In this topology R4 is the delegating router. On R4: ‘The following configures a local pool that instructs the router to hand out /60 addresses but the first 56 bits of the addresses must be 46: R4 (config) #ipv6 local pool f A regular DHCPV6 pool is configured and it references the local pool and assigns a life time of infinity. R4 (config) #ipvé dhep pool ISP R4 (conf ig-dhepv6) $prefix-delegation pool ESE lifetime infinite infinite The pool is referenced on the $1/6 interface of RA: R4 (config) #int s1/6 R4(config-if) #ipvé dhcp server ISP CCIE R&S by Narbik Kochari Advanced CCIE R&S Work Book v5.0 Page 20 af 2: ‘© MLE Narbic Roebariase All ighs reservedOn R6: RG (config) #ipv6 unicast-routing This router is typically the CE router, it is acquiring the network portion of its IPv6 address from the PE router (Rd), and it auto generates the host portion using EUI-64. R6 (config) #int 51/4 R6(config-if) #ipv6 enable R6(config-if) #ipv6 address autoconfig default ‘The “ipv6 dhcp client pd” command enables request for prefix delegation through the interface on which this command is configured. If this command is not configured, the local router will NOT generate a PD. request. The pool of IPv6 addresses that are received by the local router will be placed in the general cache, R6(config-if) #ipv6 dhcp client pd R6(config-if) #No shut R6 (config) #int £0/0 R6(config-if) fipvé enable ‘The following example shows how to enable IPv6 processing on the interface and configure an address based on the general prefix called “TST-ISP”. The “::1” is the first subnet, meaning that you are assigning the first subnet to this interface; so if you wish to assign the second subnet, then, “::2” should be used. ‘The “40” is the host potion of the IPvé address that you wish the local interface to have. R6(config-if) fipvé address [ig :0:0:0:10/64 R6(config-if) #No shut R6 (config) #int £0/1 R6 (config-if) #ipvé enable R6(config-if) #ipv6 address R6(config-if) #No shut R6#Show ipvé inter bri $1/4 Serial1/4 (up/up] FE8Q::217:SAEF:FEAD:52AA 46:2::217:SAFF:FEAD:52AR CCHE R&S by Narbik Koch Advanced CCIE R&S Work Book v5.0 Puge 21 of: 1 204 Narbik Kcharian. Aight roserved.R6#Ping 46: Type escape sequence to abort. |sending 5, 100-byte ICMP Echos to 46:2::4, timeout is 2 second: renee Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms R6#Show ipvé inter bri F0/0 FastBthernet0/0 [up/up] FE80::217:5AFF:FEAD: S2AA 46:1:1:101::10 R6#Show ipv6 inter bri FO/1 Fast&thernet0/1 [up/up] E80: :217: 5AFF:FEAD:52AB 46:1:1:103::1 R6#Show ipv6 route IBV6 Routing Table - default - 9 entries Codes: C - Connected, L - Local, $ ~ Static, U - Per-user Static route B - BGP, HA - Home Agent, MR - Mobile Router, R ~ RIP Il - Iss Li, 12 - ISIS L2, TA ~ ISIS interarea, IS - ISTS summary D - BIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery 1 - LISP 0 - OSPF Intra, OI - OSPF Intex, OE1 - OSPF ext 1, O£2 - OSPF ext 2 ONL - OSPF NSSA ext 1, ON2 ~ OSPF NSSA ext 2 217:59FF:FECE:2B8, Serial1/4 —_ 0/0} FastEthernet0/0, directly connected 2/64 [0/0] FastEthernet0/1, directly connected 764 (0/0) Seriall/4, directly connected 217:5ARF:FEAD:52AA/128 [0/0] Seriall/4, receive /8 10/0) CCIE R&S by Narbik Kocharians Advanced CCIE R&S Work Book v5.0 ‘© 014 Naehik Kocharlaos,Allrighs reservedvia Null0, receive On R7: R7 (config) #int g0/0 R7 (config-if) #ipvé enable R7 (config-if) #ipvé address autoconfig default R7(config-if) #No shut On R8 R8 (config) #int g0/1 R8 (config-if) #ipvé enable R8 (config-if) #ipvé address autoconfig default R8(config-if) #No shut To verify the configurat On R7. R7#Show ipv6 inter bri g0/0 GigabitEthernet0/0 (up/up] FE80: :26E9:B3FF:FEAB: 4820 46:1:1:103:2689:B31 R7#Show ipvé route IPv6 Routing Table - default - 4 entries Codes: C = Connected, L - Local, § - Static, U - Per-user Static route B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP H- NHRP, Il - ISIS L1, 12 - ISIS L2, IA - ISIS interarea Ig - ISIS summary, D ~ EIGRE, EX - EIGRP external, NM - NEMO ND ~ ND Default, NDp - ND Prefix, DCE - Destination, NDr ~ Redirect 0 ~ OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, O52 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, 1s - LISP site ld - LISP dyn-EID, a ~ Application ‘217:5ARF:FEAD!52AB, Gigabitethernet0/0 3/64 (2/0) via GigabitBthernet0/0, directly connected 1:103:26E9:B3FF:FEAB:4820/128 [0/0] gabitEthernet0/0, receive 8 [0/0} via Null0, receive CCTE R&S by Narbik Kocharians Advanced! CCIE R&S Work Book v5 Page 23 of 2 {©2014 Narbik Kocharians Allright resersedRI#Ping 46: ‘Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 4 10, timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/12 ms RI#Ping 46: 4 ‘Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 46:2::4, timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms On R8: R8#Show ipvé inter br g0/1 GigabitEthernet0/1 (up/up] FESO: :3E08:F6FF:FEA2:BC81 46:1 ‘SEF R8#Show ipvé route IPv6 Routing Table - default - 4 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B- BGP, HA - Home Agent, MR - Mobile Router, R - RIP H- NARP, Il - ISIS Ll, 12 - ISIS 12, TA - ISIS interarea IS - ISIS summary, D - EIGRP, EX - BIGRP external, NM - NEMO ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect © - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 ~ OSPF NSSA ext 2, 1s - LISP site ld ~ LISP dyn-EID, a - Application (0) 12703 via FEO: /217:SARF!PEADS2AA) {Gigabitetherneto/1 NDp 46:1:1:101 64 (2/0: via GigabitBthernet0/1, directly connected L 46:1:1:101:3508:F6FF:FEA2:BC81/128 [0/0] via GigabitEthernet0/1, receive L FFOO 8B [0/0] via Null0, receive R@#Ping 46:1:1:101::10 Type escape sequence to abort. CCTE R&S by Narbik Kocharians Advanced CCIE R&S Work Book v8 Page 24 of 2 {©2014 Nach Karan. At rights reservedSending 5, 100-byte ICMP Echos to 46:1 , timeout is 2 seconds: rere Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms RO#Ping 46:2: :4 Type escape sequence to aboz Sending 5, 100-byte ICMP Echos to 46:2::4, timeout is 2 seconds: ryene Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms On R4: R4#Show ipv6 local pool Pool Prefix Free In use test 46:1:1:10 1 136 15 1 60 the customer can have 244 or 16 possible subnets, and NOTE: Since the customer received 46:1:1:10¢ since we have used one we still have 15 free. Erase the startup configuration of the routers and reload them before proceeding to the next lab, CCIE R&S by Narbik Kocharians Adyanced CCIE R&S Work Book Page 25 of 222 ‘© a14 Nari Kocarlane AM ight reveAdvanced CCIE Routing & Switching v5.0 www.MicronicsTraining.com Narbik Kocharians CCSI, CCIE #12410 R&S, Security, SP IP Prefix-listsLab Setup: To copy and paste the initial configurations, go to http://micronies.nI”-> "Advanced- init”> “Prefix-lists”-> “Prefix-List-Init.docx”. Task 1 Configure R1 to filter 192.1.1.32/27 using a prefix-list. ‘Some important facts about prefix-lists: ‘+ Prefix lists were introduced in 10S 12.0(3)T. + Prefix-lists are configured to match on the actual prefix and the prefix length. + Prefix-lists are parsed and processed from the top to bottom, or to be more accurate, from the lowest sequence number to the highest sequence number. ‘+ Because sequence numbers are used, entries can be added or removed at any time. + _Prefix-lists have an implicit deny all statement at the end just like access-lists. Kochatians Advanced CCIE R&S Wark Book v5.0 {© 2014 Narbik Kechacane A rights reserved CCTE R&S by Nai+. Just like access-lists, preficlists can be used to identify, or filter prefixes. Let's configure an access-list to filter 192.1.1.32/27 network: On RI: R1#Sh ip route ospf | b Gate Gateway of last resort is not set 172.16.0.0/24 is subnetted, 4 subnets ° 172.16.0.0 [110/2] via 12.1.1.2, 00:01:34, FastEthernet0/0 ° 172.16.1.0 [110/2] via 12.1.1.2, FastEthernet0/0 ° 72.16.2.0. (110/2) via 12.1.1.2, 00:01:34, FastEthernet0/0 ° 172.16.3.0 [110/2] via 12.1.1.2, 00:01:34, FastEthernet0/0 192.1.1.0/24 is variably subnetted, 2 subnets, 2 masks ° 192.1.1.1/32 [110/2] via 12.1.1.2, 00:10:35, FastEthernet0/0 ° 192.1.1.32/27 [110/2] via 12.1.1.2, 00:01:51, FastEthernet0/0 Ri (config) #access-list 1 deny 192.1.1.0 0.0.0.255 Ri (config) #access-list 1 permit any Rl (config) #router ospf 1 Rl (config-router) #distribute-list 1 in £0/0 ‘To verify the configuratior OnRI: R1#Show ip route ospf | B Gate Gateway of last resort is not set 172.16.0.0/24 is subnetted, 4 subnets 172.16.0.0 [110/2] via 12.1.1.2, 00:02:32, FastEthernet0/0 172.16.1.0 [110/2] via 12.1.1.2, 00:02:32, FastEthernet0/0 172.16.2.0 [110/2] via 12.1.1.2, 00:02:32, FastEthernet0/0 172.16.3.0 [110/2] via 12.1.1.2, 00:02:32, FastEthernet0/0 000 We can see that the access-list filtered both networks, because in the above example, the access-list is denying any IP address in the 4" octet, meaning the 4" octet can be any number. This is the difference between an access-list and a prefix-list, if a prefix-list is configured with the same prefix-length, none of the networks would have been affected. Let's test: Rl (config) #No access-list 1 CCIE R&S by Narbik Kochariany Advanced CCTE R&S Work Book v5.0 Page 28 of 222 ‘Ba0ld Narbik Kocharins, A sghts reservedRi#Show ip route ospf | B Gate Gateway of last resort is not set 172.16.0.0/24 is subnetted, 4 subnets ° 172.16.0.0 [110/2] via 12.1.1.2, 00:00:26, ° 172.16.1.0 [1210/2] via 12.1.1.2, ° 172.16.2.0 [110/2] via 12.1.1.2, ° 172.16.3.0 [110/2] via 12.1.1.2, 00:00:26, FastBthernet0/0 192.1.1.0/24 is variably subnetted, 2 subnets, 2 masks ° 192.1.1.1/32 [110/2] via 12.1.1.2, 00:00:26, FastEthernet0/0 ° 192.1.1.32/27 [110/2] via 12.1.1.2, 00:00:26, FastBthernet0/0 Let's configure a prefir-list to deny network 192.1.1.0/24 and permit any. The second statement will be discussed in detail in later tasks. Ri (config) #4p prefix-list NET deny 192.1.1.0/24 Ri (config) #ip prefix-list NET permit 0.0.0.0/0 LE 32 Rl (config) #router ospf 1 Rl (config-router) #No distribute-list 1 in FO/0 Rl (config-router) #distribute-list prefix NET in F0/0 To verify the configuration | OnR1: R1#Show ip route ospf | B Gate Gateway of last resort is not set 172.16.0.0/24 is subnetted, 4 subnets 172.16.0.0 [110/2] via 12.1.1.2, 00:01:25, FastEthernet0/0 172.16.1.0 [110/2] via 12.1.1.2, 00:01:25, FastBthernet0/0 172.16.2.0 [110/2] via 12.1.1.2, 00:01:25, FastBthernet0/0 172.16.3.0 [110/2] via 12.1.1.2, 00:01:25, FastBthernet0/0 192.1.1.0/24 is variably subnetted, 2 subnets, 2 masks ° 192.1.1.1/32 [110/2] via 12.1.1.2, 00:01:25, FastEthernet0/0 ° 192.1.1.32/27 [110/2] via 12.1.1.2, 00:01:25, FastEthernet0/0 o000 ‘As we can see, none of the networks were affected betause with prefix-lists the prefix and the prefix- length is matched, in the above example, since network 192.1.1.0/24 does NOT exist, none of the networks were affected. Let’s configure a prefix to filter 192.1.1.32/27 and permit the other prefixes. Ri (config) #ip prefix-list NET deny 192.1.1.32/27 Ri (config) #ip prefix-list NET permit 0.0.0.0/0 LE 32 CCIE RGS by Narbik Kocharians Advanced CCIE R&S Work Book v5.0 Puge 29 of 222 1 2014 Narbik Roetariaus. AU righ reservedOnR1: R1#Show ip route ospf | B Gate Gateway of last resort is not set 172.16.0.0/24 is subnetted, 4 subnets ° 172.16.0.0 [110/2] via 12.1.1.2, 00: FastEthernet0/0 ° 172.16.1.0 [110/2] via 12.1.1.2, 00 FastBthernet0/0 ° 172.16.2.0 [110/2] via 12.1.1.2, 00:00:32, FastEthernet0/0 ° 172.16.3.0 [110/2] via 12.1.1.2, 00:00:32, FastEthernet0/0 192.1.1.0/32 is subnetted, 1 subnets ° 192.1.1.1 [110/2] via 12.1.1.2, 00:00:32, FastBthernet0/0 ‘As we can see ONLY 192.1.1.32/27 was filtered. When configuring prefix-lists, the prefix and the prefix-length MUST be configured to exactly match the prefix and the prefix-length that we are trying to deny, permit, or identify. Task 2 Configure R1 such that it only allows class A networks that are not subnetted. Before we configure the prefix-list, let’s verify the routing table of Ri: OnRI: R1#Show ip route rip | B Gate Gateway of last resort is not set RUMP MVOPOLOVE [120/1] via 13.1.1.3, 00:00:20, Serial1/3 10.0.0.0/24 is subnetted, 1 subnets R 10.1.1.0 [120/1] via 13.1.1.3, 00:00:20, Serial1/3 11.0.0.0/16 is subnetted, 1 subnets R 11.1.0.0 [120/1] via 13.1.1.3, 00:00:20, Serial1/3 22.0.0.0/24 is subnetted, 1 subnet: 22.1.2.0 (120/1] via 13.1.1.3, 00:00:20, Serial1/3 *$2990!0)0/8 [120/1] via 13.1.1.3, 00:00:20, Serial1/3 33.0.0.0/24 is subnetted, 1 subnets Book v5. jarbik Kocharians Advanced CCIE R&S W ‘©2014 Nari Kocbarlas. AU Page 30 of 222 R&S byR 33.0.0.0 [120/1] via 13.1.1.3, 00:00:20, Serial1/3 R 443020 )0/8 [120/1] via 13.1.1.3, 00:00:20, Serial1/3 R 201.1.3.0/24 [120/1] via 13.1.1.3, 00:00:20, Seriali/3 ‘The above highlighted networks are NOT subnetted, therefore, they should be allowed in. In this case the task states that ONLY Class A networks that are NOT subnetted should be allowed, or, the subnetted Class A networks should be filtered; this means that the prefix-list can be configured to | allow Class A networks that are NOT subnetted, or filter Class A networks that are subnetted. Let’s | test both scenarios. Class A network are identified based on the following: In the following example the letter “n” identifies the network bits and “h” identifies the host bits. ore EEPEEPEE EPP eet TTT + The first bit is set to 0; therefore, there are 7 network bits followed by 24 host bits | + Initial byte: 0 - 127 | + 126 Class As exist (0 and 127 are reserved) + 16,777,214 hosts on each Class A network | Note: The most significant bit of the first octet is set to a binary “Q”, the rest of the bits in the first | octet can be zeros or ones. If the most significant bit of the first octet is “O” it must be a class A network. The prefi-list matches on the first bit by using a “/1” prefix-length. On Ri config) #ip prefix-list Class-A seq 5 permit 0.0.0.0/1 ge 8 le 8 config) #router zip ‘config-router) #distribute-list prefix Class-A in S1/3 R1gClear ip route * To verify the configuratic R1#Sh ip route rip | B Gate Gateway of last resort is not set CCIE R&S by Narbik Kocharians Advanced CCHE R&S Work Book v5.0 Page 31 of 222 ‘© 2014 Nari Keckarians, AM rights reversedR 1.0.0.0/8 (120/1} via 13.1.1.3, 00:00:16, Serial1/3 R 29.0.0.0/8 [120/1] via 13.1.1.3, 00:00:16, Seriall/3 R 44.0.0.0/8 [120/1] via 13.1.1.3, 00:00:16, Seriall/3 ‘The same prefix-list could have been written to deny all subnetted Class A networks and permit all class A networks that are not subnetted. Let's configure and test: Onk Rl (config) #No ip prefix-list Class-A The following line denies all class A networks that have a subnet mask of “/9"; the only way a class A network will have a prefix-length of 9 or greater, is when they are subnetted. So the line below states, that starting with /1, meaning that the first bit MUST be zero, with a prefix-length of “/9" or greater, should be denied. Rl (config) #ip prefix-list Class-A deny 0.0.0.0/1 ge 9 The following line states that any class A network with a mask of “/8” should be allowed. This covers all class A networks. Rl (config) #ip prefix-list Class-A permit 0.0.0.0/1 ge 8 le 8 |R1#Clear ip route * R1fSh ip route rip | B Gate Gateway of last resort is not set R 1.0.0.0/8 [120/1] via 13.1,1.3, 00:00:06, Serial1/3 R 29.0.0.0/8 [120/1] via 13.1.1.3, 01 6, Seriall/3 R 44.0.0.0/8 [120/1] via 13.1.1.3, 01 6, Seriall/3 Task 3 Configure Ra such that it only allows class B networks that are not subnetted, Before the filter is configured and applied let’s check the routing table of R4: | | Onk CCIE R&S by Narbik Kocharians Advanced CCIE R&S Work Page 32 of 222R4¥Show ip route ospf | B Gate Gateway of last resort is not set Seriali/1 6 12BV1V0L0/16 [110/782] via 14.1. O-.131.4.0.0/16 [110/782] via 14.1 180.1.0.0/24 is subnetted, ° 180.1.4.0 [110/782] via ° 180.1.5.0 [110/782] via ° 180.1.6.0 [110/782] via ° 61925 1.0.0/26 [110/782] via 192.1.1.0/24 [110/782] via The highlighted networks should be allowed since they are NOT subnetted. Class B network are identified based on the following: In the following example the letter “n” identifies the network bits and “h” identifies the host bits. weL EEE PT aor + First two bits are set to “10”; therefore, there are 14 network bits left to identify the | networks and the remaining 16 bits identify the host its. + Initial byte: 128 - 191 + 16,384 Class Bs exist * 65,532 hosts on each Class B If the most significant two bits of the first octet is set to “1 O” itis a class B network. The prefix-list matches on the most significant two bit of the first octet by using a “/2” prefix-length. The prefixlist matches on the first two bits by using a “/2” prefixength, with a network address of 128.0.0.0. Since the task states that it should only allow class 8 networks that are not subnetted, the | prefix-ength specifies GE 16 and LE 16. R4 (config) #ip prefix-list NET permit 128.0.0.0/2 ge 16 le 16 R4 (config) #Router ospf 1 R4 (config-router) #distribute-list prefix NET in S1/1 To verify the configuratio On R4: R4#Show ip route ospf | B Gate CCTE R&S by Narbik Kocharians Advanced CCIE R&S Work Book v8.0 Page 33 of 222 ‘© 2014 Nacbik Kechariane Allegis reservedGateway of last resort is not set ° 128.1.0.0/16 [110/782] via 14.1.1.1, 00:01:11, Seriali/2 ° 131.1.0.0/16 [110/782] via 14.1.1.1, 00:01:11, Seriali/1 ° 191.1.0.0/16 [110/782] via 14.1.1.1, 00:01:11, Serial1/1 Just ike the previous task we can deny all class B networks that are subnetted and permit only the class B networks that are NOT subnetted. Let’s test and verify: R4 (config) #No ip prefix-list NET | The first line of the following prefix-list denies any class B network that has a pr higher, which means all the subnetted class 8 networks. R4 (config) #ip prefix-list NET deny 128.0.0.0/2 ge 17 ‘The following and the last line of this prefix-list permits any class B network that is NOT subnetted, this is identified by the “ge 16” which means that the prefix-length could be greater than or equal to 16, and less than of equal 16 using the “le 16” keyword. R4 (config) #ip prefix-list NET permit 128.0.0.0/2 ge 16 le 16 To verify the configuration: On R4: R4gShow ip route ospf | B Gate Gateway of last resort is not set ° 128.1.0.0/16 [110/782] via 14.1.1. Seriali/1 ° 131.1.0.0/16 [110/782] via 14.1.1. ° 191.1.0.0/16 [110/782] via 14.1.1.1 Task 4 Configure RS such that it only allows class C networks that are not subnetted. Before this task is configured, we should verify the routing table on R5: On RS: CCIE RES by Narbik Kocharians Advanced CCIE R&S Work Book v5.0 Page 34 of 222 ‘6014 Rar Kchariane, AU righ reservedR5#Show ip route eigrp | B Gate Gateway of last resort is not set vesiart 0/24 (90/156160] via 199.1.1,0/24 [90/156160] via 200.1.1.0/24 [90/156160] via 200.1.4.0/29 is subnetted, 1 200.1.4.8 [90/156160] via 200.1.5.0/30 is subnetted, 1 200.1.5.4 [90/156160] via 223-110/24 [90/156160] via 00:0 00:01: 00:01: 00:02: 00:01: ‘As we can see only the highlighted networks should be permitted. FastBthernet0/0 FastEthernet0/0 FastEthernet0/0 FastEthernet0/0 FastEthernet0/0 FastEthernet0/0 In the following example the letter “N” identifies the network bits and “H” identifies the host bits. aol | Class C network are identified based on the following: 8 bits identify the host bits Initial byte: 192 - 223 2,097,152 Class Cs exist Each class C network can handle 254 hosts R5 (config) #router eigrp 1 To verify the configuration: On RS: R54Show ip route eigrp | B Gate Gateway of last resort is not set three bits of the first octet is reserved as “410; Since the networks, there are 21 network bits left to identify the networks; g)#ip prefix-list NET permit 192.0.0.0/3 ge 24 R5 (config-router) #distribute-list prefix NET in FO/0 t three actets belong to therefore, the remaining by Narbik Kochatians Advanced CCIE R&S Work Book v5. Page 35 of 222FastEth: FastEthern FastEthernet0/0 FastEthernet0/0 198.1.1,0/24 [90/156160] via 45.1.1.4, 199.1.1.0/24 [90/156160] via 45.1.1.4, 200.1.1,0/24 [90/156160] via 45.1.1.4, 228.1.1.0/24 [90/156160] via 45.1.1.4, vou" Let's remove the prefix-list and configure a new one that denies all subnetted class C networks and only permits the class C networks that are not subnetted: On RS; R5 (config) #No ip prefix-list NET R5 (config) ip prefix-list NET deny 192.0.0.0/3 ge 25 R5 (config) #ip prefix-list NET permit 192.0.0.0/3 ge 24 le 24 To verify the configuration: On RS: R5#Show ip route eigrp | B Gate Gateway of last resort is not set D 198.1.1.0/24 [90/156160] via 45.1.1.4, 00: FastEthernet0/0 D 199.1.1.0/24 [90/156160) via 45.1.1.4, 00: FastEthernet0/0 D 200.1.1.0/24 [90/156160] via 45.1.1.4, 00:00:44, FastEthernet0/0 D 223.1.1.0/24 [90/156160] via 45.1.1.4, 00:00:44, FastEthernet0/0 Task 5 Configure R4 such that it only allows prefixes 10.4.4.33/27 and 10.4.5.65/26 and filters +the rest of the prefixes. You should configure minimum number lines in the prefix-list to accomplish this task. Before the prefix-list is configured we should verify the existing routing table on RA: On R4: R4gShow ip route rip | B Gate Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks CCTE R&S by Narbik Kocharlans Advanced CCIE R&S Work Book v5.0 Page 36 of 222 rights reserved4.32/27 [120/1] via 45.1.1.5, 0 5, FastEthernet0/0 R 10.4.5.64/26 [120/1] via 45.1.1.5, 0 5, FastEthernet0/0 211.4.4.0/27 is subnetted, 1 subnets | R 211.4.4,32 [120/1] via 45.1.1.5, 00:00:05, FastEthernet0/0 | Let's configure the task: To figure out how we are going to use the minimum number of lines, we should focus.on the third and the forth octet, let’s convert the third and the forth octet of these two prefixes to binary: — | 10.44.32 SS [eas] eels) woascs [ololo)ofolsjola]- ‘Once the third and the forth octet of these two networks are converted to binary we will identify the contiguous identical binary digi vane [°]°]* 99] 4] l wasea [o]olo|olo|4 We can see that the first 23 bits are identical, this includes the first two octets (16 bits) plus the most significant 7 bits of the third octet which adds up to 23 bits, this defines the network, 10.4.4.0; so we needc the first 23 bits to be exactly 10.4.4.0, therefore, it’s written as 10.4.4.0/23, now, for the mask, needs to be GE 23, and LE 27, this will cover the two prefixes. Let’s configure the prefix-list and verify: On R4: R4 (config) #ip prefix-list Task-5 deny 10.4.4.0/23 ge 24 le 27 R4 (config) #ip prefix-list Task-5 permit 0.0.0.0/0 le 32 R4 (config) #Router rip R4 (config-router) #distribute-list prefix Task-5 in F0/0 R4#Clear ip route * To verify the configuration: CCIE R&S by Narbik Kocharians Ad mnced CCIE R&S Work Book ¥5.0 Page 37On R4: R4#Show ip route rip | B Gate Gateway of last resort is not set 211.4.4.0/27 is subnetted, 1 subnets 211.4.4.32 [120/1] via 45.1.1.5, 00:00:01, FastBthernet0/0 Task 6 Configure RS to inject a default route in the RIP routing domain. If this configuration is, successful, R4 should see the default route in its routing table. On RS: RS (config) router rip R5 (config-router) #default-information originate To verify the configuration: On R4: R4#Show ip route rip | B Gate Gateway of last resort is 45.1.1.5 to network 0.0.0.0 Re/ I /[OOOI0/01Z07T7 Waid! as;412)/5; "00: 00702, FastEthexnato/o 211.4.4.0/27 is subnetted, 1 subnets R 211.4.4.32 [120/1] via 45.1.1.5, 00:00:02, FastEthernet0/0 Task 7 4 should be configured to filter the default route injected in the previos step. On R4: CCIE R&S by Narbik Kocharians Advanced CCIE R&S Werk Book v5.0 Page 38 of 222 (© 2014 Narbik Kocharians. A right reservedR4#Show run | s router rip router rip version 2 network 45.0.0.0 distribute-list' prefix [SERE9 ai rastetnerneto/o no auto-summary We can see the prefix-list “Task-5” applied to the F0/0 interface inbound, therefore, we can only add to the existing prefix-list; let’s look at the existing pref R4#Show run | 4 ip prefix-list Task-5 ip prefix-list Task-5 seq 5 deny 10.4.4.0/23 ge 24 le 27 ip prefix-list Task-5 seq 10 permit 0.0.0.0/0 le 32 We should add sequence 7 (Before the permit any statement) to deny the default route. R4 (config) #ip prefix-list Task-5 seq 7 deny 0.0.0.0/0 To verify the configuration: On R4: R4#Clear ip route * R4#Show ip route rip | B Gate Gateway of last resort is not set 4.4.0/27 is subnetted, 1 subnets 211.4.4.32 (120/1] via 45.1.1.5, 00:00:17, FastBthernet0/0 Task 8 Configure R6 to filter any networks with a prefix-length of 26 or less. Let's verify the routing table of R6 before configuring any prefix: On R6: R6#Show ip route ospf | B Gate CCIE RES by NarbikKocharians Advanced CCIE R&S Work: Book v5.0 Page 39 of 222 ‘© 014 Narbik Kosharane, Allright reversed|Gateway of last resort is not set 99.0.0.0/8 [110/782] via 56.1.1.5, 00:00:08, Seriali/5 185.1.0.0/16 [110/782] via 56.1.1.5, 00:00:09, Serial1/5 186.1.0.0/17 is subnetted, 1-subnets 186.1.128.0. [110/782] via 56.1.1.5, 00:00:09, Seriall/5 189.1.0.0/24 is subnetted, 1 subn 189.1.1.0 [110/782] via 56,1.1.5, 00:00:09, Serial1/5 205.1.1.0/28 is subnetted, 1 subnets 205.1.1.240 [110/782] via 56.1.1.5, 00:00:09, Serial1/5 206.1.1.0/30 is subnetted, 1 subnets 206.1.1.248 [110/782] via 56.1.1.5, 00:00:09, Seriall/5 207.1.1.0/26 is subnetted, 1 subnets 207.1.1.192 [110/782] via 56-1.1.5, 00:00:09, Serial1/5 208.1.1.0/25 is subnetted, 1 subnets 208.1.1.128 [110/782] via 56.1.1.5, 00:00:09, Seriali/5 211.4.4.0/27 is subnetted, 1 subnets ° 211.4:4.32 [110/782] via 56.1.1.5, 00:00:09, Seriall/5 We can see prefixes with prefix-lengths of /8, /16, /17, /24, /25, /26, /27, /28, /30. in this task we are going to filter any prefix/es with a prefix-lengths of 26 or less, this should leave us with the following networks: 205.1.1.0/28 To configure this task and verify: On R6: The following prefix denies any prefix as long as the prefix-lengths are greater than or equal to 8, and less than or equal to 26. R6 (config) #ip prefix-list Task-8 deny 0.0.0.0/0 ge 8 le 26 R6 (config) #ip prefix-list Task-8 permit 0.0.0.0/0 le 32 R6 (config) #router ospf 1 R6 (config-router) #distribute-list prefix Task-8 in To verify the configuration: CCTE RES by Narbik Kochariaus Advanced CCIE R&S Work Book v8.0 Page 40 of 2 ‘©2014 Narbit Kecharane Aight reservedR6#Show ip route ospf | B Gate Gateway of last resort is not set 205.1.1.0/28 is subnetted, 1 subnets 205.1.1.240. [110/782] via 56.1.1.5, 00:01:15, Seriall/S 206.1.1.0/30 is subnetted, 1 subnets 206.1.1.248 (110/782) via 56.1.1.5, 00:01:15, Seriall/5 211.4.4.0/27 is subnetted, 1 subnets 211.4.4.32 [110/782] via 56.1.1.5, 00:01:15, Seriall/5 Task 9 Re-configure R6 to filter any networks with a prefix-length of 26 or greater. Before we configure any filtering task, we should always verify the routing table: On R6: R6 (config) #No ip prefix-list Task-8 R64Show ip route ospf | B Gate Gateway of last resort is not set 99.0.0.0/8 [110/782] via 56.1.1.5, 00:02:00, Seriall/S 185.1.0.0/16 [110/782] via 56.1.1.5, 00:02:00, Seriali/s 186.1.0.0/17 is subnetted, 1 subnets 186.1.128.0 [110/782] via 56.1.1.5, 00:02:00, Seriall/S 189.1.0.0/24 is subnetted, 1 subnets 189.1.1.0 [110/782] via 56.1.1.5, 00:02:00, Serial1/5 205.1.1.0/28 is subnetted, 1 subnets 205.1.1.240 [110/782] via 56.1.1.5, 00:02:00, Seriall/5 206.1.1.0/30 is subnetted, 1 subnets 206.1.1.248 [110/782] via 56.1.1.5, 00:02:00, Seriall/5 207.1.1.0/26 is subnetted, 1 subnets 207.1.1.192 [110/782] via 56.1.1.5, 00:02:00, Seriall/S 208.1.1.0/25 is subnetted, 1 subnets 208.1.1.128 [110/782] via 56.1.1.5, 00:02:00, Seriall/5 211.4.4.0/27 is subnetted, 1 subnets 211.4.4.32 [110/782] via 56.1.1.5, 00:02:00, Seriali/S figure the prefix-list: CCIE R&S by Narbik Kocharlans Adyanced CCIE R&S Work Book v5.0 Page 49 of 222 ‘52014 arbi Kocharians. Al igh reserved‘The following prefix-list denies any network/prefix that has a prefix-length of 26 or greater, this means 27,28,29,30,31, and 32, and permits everything else. R6 (config) #ip prefix-list Task-8 deny 0.0.0.0/0 ge 26 R6(config)#ip prefix-list Task-8 permit 0.0.0.0/0 le 32 To verify the configuration: On R6: R6#Show ip route ospf | B Gate Gateway of last resort is not set ° 99.0.0.0/8 [110/782] via 56.1.1.5, 00:00:10, Seriall/5 ° 185.1.0.0/16 [110/782] via 56.1.1.5, 00:00:10, Seriali/5 186.1.0.0/17 is subnetted, 1 subnets ° 186.1.128.0 [110/782] via 56.1.1.5, 00:00:10, Serial1/5 189.1.0.0/24 is subnetted, 1 subnets ° 189.1.1.0 [110/782] via 56.1.1.5, 00:00: 208.1.1.0/25 is subnetted, 1 subnets ° 208.1.1.128 [110/782] via 56.1.1 0, Seriali/5 5, 00:00:10, Seriall/5 Task 10 Configure R7 to filter the following networks, you should be as specific as possible using only two prefix-list statements. 146.1.2.125/25 | 614225727 146.1.3.193/26 | 6.1.5.241/28 | 146.1.4.225/27 J Let’s check the routing table of R7: OnR’ R7#Show ip route eigrp | B Gate Gateway of last resort is not set 6.0.0.0/8 is variably subnetted, 5 subnets, 5 masks CCIE R&S by Narbik Kocharians Advanced CCIE R&S Werk Book v8.0 Page 42 of {@ A014 Nari Kecbarkane. Allright reer1.0/24 [90/156160] via 67.1.1.6, 00:00:17, GigabitEthernet0/0 2.128/25 [90/156160} via 67.1.1.6, 00:00:17, GigabitEthernet0/0 3.192/26 [90/156160] via 67.1.1.6, 00:00:17, Gigabituthernet0/0 4 5 2224/27 [90/156160] via 67.1.1.6, 00:00:17, GigabitEthernet0/0 :1.5.240/28 (90/156160] via 67.1.1.6, 00:00:17, Gigabitzthernet0/0 146.1.0.0/16 is variably subnetted, 5 subnets, 5 masks 146.1.1.0/24 [90/156160] via 67.1.1.6, 00:03:38, Gigabitmthernet0/0 146.1.2.128/25 [90/156160] via 67.1.1.6, 3:38, Gigabitethernet0/0 :192/26 [90/156160) via 67.1,1.6, 00:03:38, GigabitEthernet0/0 224/27 [90/186160] via 67.1.1.6, 00:03:38, GigabitEthernet0/0 1240/28 [90/156160) via 67.1.1.6, 00:03:38, Gigabitethernet0/0 veoo0 ‘The task states that we should only configure two prefix-list statements and be as accurate as possible. In the third octet, the most significant 5 bits are identical, and since the first two octets are also identical, the prefix-list should filter the following prefi 146.1,0.0/21 meaning that the first 21 bits should match, now for the mask: Ht should say greater or equal to 25 and less than or equal 27, it should look like the following: Ip prefix-list TST deny 146.1.0.0/21 ge 25 le 27 After applying the above prefix-list, we should only see the following two networks in the routering table of Ri 146.1.1.0/24 and 146.1.5.240/28 Now, let’s resolve the requirement for the 6.1.x.x networks. The task states that 6.1.4.225/27 and 6.1.5.241/28 prefixes should also be filtered, the prefix-list for these networks should look like the CCIE R&S by Narbik Kocharians Advanced CCIE R&S Work Book v5.0 Page 43 of 162014 Nari Rechacians. A ghts reservedfollowing: Ip prefix-list TST deny 6.1.0.0/21 ge 27 le 28 To configure and test this task: OnR’ | | R7 (config) #ip prefix-list TST deny 146.1.0.0/21 ge 25 le 27 Ri (config) #ip prefix-list TST deny 6.1.0.0/21 ge 27 le 28 R7 (config) #ip prefix-list TST permit 0.0.0.0/0 le 32 R7 (config) #Router eigrp 100 R17 (config-router) #distribute-list prefix TST in g0/0 | R7#Show ip route eigrp | B Gate Gateway of last resort is not set 6.0.0.0/8 is variably subnetted, 3 subnets, 3 masks 6.1.1.0/24 [90/156160] via 67.1.1.6, 00:43:03, Gigabitethernet0/0 6.1.2.128/25 (90/156160] via 67.1.1.6, 00:43:03, GigabitEthernet0/0 6.1.3.192/26 [90/156160] via 67.1.1.6, 00:43:03, GigabitEthernet0/0 146.1.0.0/16 is variably subnetted, 2 subnets, 2 masks D 146.1.1.0/24 [90/156160] via 67.1.1.6, 00:46:24, GigabitEthernet0/0 D 146.1.5.240/28 [90/156160] via 67.1.1.6, 00:46:24, GigabitEthernet0/0 v09 Task 11 Erase the startup configuration and reload the routers before proceeding to the next lab. R&S by Narbik Kock Advanced CCIE R&S Work Book v5.0 Page 44 of 222 1 2014 Narbik Rocharans AMleighs reservedAdvanced CCIE Routing & Switching v5.0 www.MicronicsTraining.com Narbik Kocharians CCSI, CCIE #12410 R&S, Security, SP IP Services CCIE R&S by Narbik KochariAdvanced CCIE Routing & Switching v5.0 www.MicronicsTraining.com Narbik Kocharians CCSI, CCIE #12410 R&S, Security, SP NAT CCTE R&S by Narbik KochariansLab 1 — Static NAT Configuration —— 131.1.12.0/24 ib Setup: ‘To copy and paste the initial configurations, go to “http://micronics.nI” >”Advanced-init”> “NAT” >"Lab-1". Task 1 Configure a default route on R2 pointing to its $1/1 interface. yn R2: R2 (config) #ip route 0.0.0.0 0.0.0.0 Si/1 This is configured for the initial traffic. CCIE R&S by Narbik Kocharians Advanced CCIE R&S Work Book v5.0 (© 014 Nace Rocuarians Allright reserved Page 47 of 222Task 2 Configuring a static NAT; ensure that the primary IP address of R2's loopback0 interface is translated to an IP address of your choice such that a ping sourced from this Loopback interface destined to the lo0 interface of R1.is successful. You should NOT configure Ri to accomplish this task. On R2: R2 (config) #int 100 R2(config-if)#ip nat inside R2 (config) #int S1/1 R2(config-subif) #ip nat outside R2(config)#4p nat inside source static 10.2.2.1 131.1.12.3 ‘The above command statically translates the inside local IP address of 10.2.2.1 to the inside global IP 12.3. Since 131.1.12.3 is on the same IP address space as R1’s $1/2 interface, there is no ing on R1 to accomplish this task. To verify the configuration On R2: R2#show ip nat translations ‘0 Inside global side local outside local = 131.1.12.3 10.2.2.1 = Inside Local — inside local is the local private IP address of a host on your network (e.g, a PC's IP address), Inside Global— inside global is the public/registered IP address that the outside network sees as the IP address of your local host. ‘Outside Local— outside local is the local IP address from the private network, which your local host sees as the IP address of the remote host. Outside Global— outside global is the public IP address of the remote host (e.g,, the IP address of the remote Web server that a workstation is connecting to). Let’s turn on debugging and perform a ping so we can see the transl On R2: CCIE R&S by Narbik Kochar Advanced CCIE R&S Wark Book v5.0 Page 48 of 222 1 2014 Narbik Rocharians. AM sighs reersedR2#Debug ip nat The following will disable the timestamp for debug messages. R2 (config) #No service timestamps debug R2#Ping 1.1.1.1 source 10.2.2.1 rep 1 Type escape sequence to abort. Sending 1, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: Packet sent with a source address of 10.2.2.1 Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms NAT: 2.1->131.1.12.3, de1.1.1.1 [0] 0.2. WAT*: s=1.1.1.1, d=131.1,12.3->10.2.2.1 [0] NOTE: The source IP address of the ICMP echo packet is 10.2.2.1 which is translated to 131,1.12.3 to destination 1.1.1.1. R2#Show ip nat translations Pro Inside global Inside local outside local Outside global Romp 131.1.12.3:1 10.2.2 ee wo=-131.1.12.3 10.2.2 We can see that the local and the global outside IP addresses are the same because it is not translated to some other IP address, In the output of the above show command as can also see the protocol used in this ‘communication, in this case ICMP. Let’s try Telnet and verify: R2#Pelnet 1.1.1.1 /source Lod Trying 1 Open Password required, but none set [Connection to 1.1.1.1 closed by foreign host] R2#Sh ip nat translations Pro Inside global Inside local Outside local Outside global 10.2.2.1:41737 5 4.1.1.1:23 10.2.2.1 ‘We can see that after a while the entry is timed out of the NAT table, this timeout value can be changed using the “IP NAT translation” global configuration mode command. Let's configure the timeout for ICMP to be 60 seconds: R2 (config) #Ip nat translation icmp-timeout 60 CCIE R&S by Narbik Kocharisus — Adyanced CCIE R&S Work Book v5.0 Page 49 of 222 {© 2014 Nar Kocuariane. AUlighs reserved