ieMentor CCIE™ Service Provider Workbook v1.0 | Master Lab 1 Solutions

Section 1: Layer 2 Ethernet / Wan Ports


ASBR2-RACK1(config)#int e 0/0
ASBR2-RACK1(config-if)#duplex half

ASBR2-RACK1(config)#int FastEthernet 0/0
ASBR2-RACK1(config-if)#duplex full

ASBR1-RACK1(config-if)#int ser 0/1
ASBR1-RACK1(config-if)#clock rate 256000
ASBR1-RACK1(config-if)#int ser 0/0
ASBR1-RACK1(config-if)#clock rate 256000
ASBR1-RACK1(config-if)#int ser 0/1
ASBR1-RACK1(config-if)#clock rate 256000

ASBR1-RACK1(config-if)#int ser 0/1
ASBR1-RACK1(config-if)#encapsulation ppp

ASBR1-RACK1(config-if)#int ser 0/0
ASBR1-RACK1(config-if)#encapsulation ppp

ASBR2-RACK1(config-if)#int ser 0/1
ASBR2-RACK1(config-if)#encapsulation ppp

ASBR2-RACK1(config-if)#int ser 0/0
ASBR2-RACK1(config-if)#encapsulation ppp

♦ Connect CE1, CE2, CE3, CE4, CE5, CE6, as well as CE7 and CE8, to
the Catalyst 3550 and 3750-M switches based on the drawing. Please
try to use the same port numbers to reduce complexity when it comes
to troubleshooting.

This section is self-explanatory.

Task 1.2:

1 This product is individually licensed.


Copyright® 2005 ieMentor http://www.iementor.com.

Task 1.3:
Switching Configuration

hostname 3550
!
!
interface Loopback0
ip address 6.6.6.6 255.255.255.0
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/1
switchport mode dynamic desirable
duplex full
speed 100
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode dynamic desirable
!
interface FastEthernet0/3
description to PE3-RACK1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 13,23,24,30,31,66,67,123
switchport mode trunk
!
interface FastEthernet0/4
description TO ASBR2-RACK1 -VLAN 240
switchport access vlan 240
switchport mode access
duplex half
!
interface FastEthernet0/5
description To PE4 - VLAN 240
switchport access vlan 240
switchport mode access
duplex full
speed 100
!
interface FastEthernet0/6
switchport access vlan 672
switchport mode access
!
interface FastEthernet0/7
description to PE4 - Trunk VLAN600/VLAN300
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet0/8
description to CE8 - VLAN 82
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
no switchport
no ip address
spanning-tree portfast disable
!
interface FastEthernet0/12
description to RR
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,30,123
switchport mode trunk
duplex full
speed 10
!
interface FastEthernet0/13
description To 3750-M
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
channel-group 1 mode on
!
interface FastEthernet0/14
description To 3750-M
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
channel-group 1 mode on
!
interface FastEthernet0/15
description to User 1
switchport access vlan 230
switchport mode access
no keepalive
!
interface FastEthernet0/16
description to User 2
switchport access vlan 230
switchport mode access
switchport protected
!
interface FastEthernet0/17
switchport mode dynamic desirable
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/18
switchport mode dynamic desirable
duplex full
speed 10
!
interface FastEthernet0/19
switchport mode dynamic desirable
duplex full
speed 10
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
duplex full
speed 10
!
interface FastEthernet0/23
switchport mode dynamic desirable
duplex full
speed 10
spanning-tree portfast
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable

hostname 3750-M
!
no aaa new-model
ip subnet-zero
ip routing
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet1/0/1
description to CE1 VPN ieMentor Site 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 123
switchport mode trunk
!
interface FastEthernet1/0/2
description to CE2 VPN Solaris Site 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 23,24
switchport mode trunk
!
interface FastEthernet1/0/9
description to BB3 - VLAN 300
switchport access vlan 300
switchport mode access
duplex full
speed 100
!
interface FastEthernet1/0/10
description To PE2
switchport access vlan 21
switchport mode access
duplex full
speed 100
!
interface FastEthernet1/0/11
description to PE1
switchport access vlan 31
switchport mode access
duplex full
speed 100
!
interface FastEthernet1/0/12
description to PE2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,21,82,123
switchport mode trunk
duplex half
speed 10
!
interface FastEthernet1/0/13
description to 3550
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
channel-group 1 mode on
!
interface FastEthernet1/0/14
description to 3550
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
channel-group 1 mode on

BB2-RACK1(config)#interface atm 1/0.100
BB2-RACK1(config-subif)#interface atm 1/0.100 point-to-point
BB2-RACK1(config-subif)#mtu 9216
BB2-RACK1(config-subif)#ip address 140.100.1.1 255.255.255.0
BB2-RACK1(config-subif)#pvc 1/100
BB2-RACK1(config-if-atm-vc)#protocol ip 140.100.1.2 broadcast
BB2-RACK1(config-if-atm-vc)#encapsulation aal5snap

PE1-RACK1(config)#interface atm 1/0.100
PE1-RACK1(config)#interface ATM1/0.100 point-to-point
PE1-RACK1(config-subif)#mtu 9216
PE1-RACK1(config-subif)#ip address 140.100.1.2 255.255.255.0
PE1-RACK1(config-subif)#pvc 1/100
PE1-RACK1(config-if-atm-vc)#protocol ip 140.100.1.1 broadcast
PE1-RACK1(config-if-atm-vc)#encapsulation aal5snap

Section 2: Service Provider Backbone

Task 2.1:

hostname RR1-RACK1
!
!
interface Loopback0
ip address 10.1.1.254 255.255.255.255
!
interface Ethernet0/0
no ip address
full-duplex
!
interface Ethernet0/0.20
description to PE2 -VLAN 20
encapsulation dot1Q 20
ip address 172.16.20.254 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf priority 255
!
interface Ethernet0/0.30
description to PE3 -VLAN 30
encapsulation dot1Q 30
ip address 172.16.30.254 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf priority 255
!
router ospf 100
router-id 10.1.1.254
log-adjacency-changes
area 0 authentication message-digest
redistribute connected metric 2 subnets route-map loopback
network 172.16.20.0 0.0.0.255 area 0
network 172.16.30.0 0.0.0.255 area 0
!
ip classless
!
access-list 1 permit 10.1.1.254 log
route-map loopback permit 10
match ip address 1

hostname PE1-RACK1
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description to PE3 VLAN31
ip address 172.16.13.1 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
speed 100
full-duplex
!
interface Serial0/0
description to Inter-AS ASBR1
no ip address
encapsulation frame-relay
no keepalive
!
interface Serial0/0.101 multipoint
description to Inter-AS ASBR1 ISIS
ip address 172.16.222.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf network point-to-point
tag-switching ip
frame-relay map ip 172.16.222.1 201 broadcast
frame-relay map ip 172.16.222.2 201 broadcast
no frame-relay inverse-arp
!
interface FastEthernet0/1
description to PE2 VLAN21
ip address 172.16.12.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
speed 100
full-duplex
!
interface ATM1/0
no ip address
no atm ilmi-keepalive
!
interface ATM1/0.100 point-to-point
mtu 9216
ip address 140.100.1.2 255.255.255.0
pvc 1/100
protocol ip 140.100.1.1 broadcast
encapsulation aal5snap
!
router ospf 100
router-id 10.1.1.1
log-adjacency-changes detail
area 0 authentication message-digest
area 13 authentication message-digest
area 13 virtual-link 10.1.1.100 message-digest-key 1 md5 iementor
network 10.1.1.1 0.0.0.0 area 0
network 172.16.12.0 0.0.0.255 area 0
network 172.16.13.0 0.0.0.255 area 13
network 172.16.222.0 0.0.0.255 area 13

hostname PE2-RACK1
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
!
interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.20
description to RR - VLAN 20
encapsulation dot1Q 20
ip address 172.16.20.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
!
interface Ethernet0/0.21
description to PE1 - VLAN 21
encapsulation dot1Q 21
ip address 172.16.12.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
!
interface Ethernet0/0.123
description to PE3 - VLAN 123
encapsulation dot1Q 123
ip address 172.16.123.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
!
interface Ethernet0/1
description to BB1-RACK1
no ip address
full-duplex
!
router ospf 100
router-id 172.16.123.2
log-adjacency-changes detail
area 0 authentication message-digest
area 123 authentication message-digest
area 123 virtual-link 172.16.123.3 message-digest-key 1 md5 iementor
redistribute connected subnets route-map connected
network 10.1.1.2 0.0.0.0 area 0
network 172.16.12.0 0.0.0.255 area 0
network 172.16.20.0 0.0.0.255 area 0
network 172.16.123.0 0.0.0.255 area 123

hostname PE3-RACK1
!
interface Loopback0
ip address 10.1.1.3 255.255.255.255
!
interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.30
description to RR - VLAN 30
encapsulation dot1Q 30
ip address 172.16.30.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
!
interface Ethernet0/0.31
description to PE1 - VLAN 31
encapsulation dot1Q 31
ip address 172.16.13.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
!
interface Ethernet0/0.123
description to PE2 - VLAN 123
encapsulation dot1Q 123
ip address 172.16.123.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
!
router ospf 100
router-id 172.16.123.3
log-adjacency-changes detail
area 0 authentication message-digest
area 13 authentication message-digest
area 123 authentication message-digest
area 123 virtual-link 172.16.123.2 message-digest-key 1 md5 iementor
network 10.1.1.3 0.0.0.0 area 0
network 172.16.13.0 0.0.0.255 area 13
network 172.16.30.0 0.0.0.255 area 0
network 172.16.123.0 0.0.0.255 area 123

hostname ASBR1-RACK1
!
interface Loopback0
ip address 10.1.1.100 255.255.255.255
ip ospf network point-to-point
!
interface Ethernet0/0
no ip address
ip accounting output-packets
half-duplex
!
interface Serial0/0
description to ASBR2-RACK1
ip address 172.16.113.1 255.255.255.0
no ip proxy-arp
encapsulation ppp
clock rate 256000
no fair-queue
!
interface Ethernet0/1
no ip address
half-duplex
!
interface Serial0/1
description to ASBR2-RACK1
ip address 172.16.114.1 255.255.255.0
ip pim sparse-dense-mode
encapsulation ppp
!
interface Serial0/2
description to PE1-RACK1 ISIS
ip address 172.16.222.2 255.255.255.0
ip pim sparse-dense-mode
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf network point-to-point
no keepalive
clock rate 8000000
frame-relay map ip 172.16.222.1 201 broadcast
frame-relay map ip 172.16.222.2 201 broadcast
no frame-relay inverse-arp
!
router ospf 100
log-adjacency-changes detail
area 0 authentication message-digest
area 13 authentication message-digest
area 13 virtual-link 10.1.1.1 message-digest-key 1 md5 iementor
network 172.16.222.0 0.0.0.255 area 13

router ospf 100
log-adjacency-changes detail
area 0 authentication message-digest
area 1 authentication message-digest
area 1 stub
area 13 authentication message-digest
area 13 virtual-link 10.1.1.1 message-digest-key 1 md5 iementor
network 10.1.1.100 0.0.0.0 area 1
network 172.16.222.0 0.0.0.255 area 13

PE1-RACK1(config-router)#max-metric router-lsa on-startup wait-for-bgp

ASBR1-RACK1(config)#router ospf 100
ASBR1-RACK1(config-router)#auto-cost reference-bandwidth 10000

ASBR1-RACK1#sho ip ospf interface serial 0/2
Serial0/2 is up, line protocol is up
Internet Address 172.16.222.2/24, Area 13
Process ID 100, Router ID 10.1.1.100, Network Type POINT_TO_POINT, Cost: 6476
Transmit Delay is 1 sec, State POINT_TO_POINT,

ASBR1-RACK1(config)#router ospf 100
ASBR1-RACK1(config-router)#timers throttle spf 7 4000 94000

ASBR1-RACK1#sho ip ospf 100
Routing Process "ospf 100" with ID 10.1.1.100
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
It is an area border router
Initial SPF schedule delay 7 msecs
Minimum hold time between two consecutive SPFs 4000 msecs
Maximum wait time between two consecutive SPFs 94000 msecs

Task 2.2:
ASBR2

router ospf 100
log-adjacency-changes detail
area 1 nssa default-information-originate
redistribute static metric 2 subnets
network 10.1.1.200 0.0.0.0 area 1
network 172.16.240.0 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 Null0

PE4

router ospf 100
router-id 10.1.1.4
log-adjacency-changes detail
area 1 nssa
network 10.1.1.4 0.0.0.0 area 0
network 172.16.240.0 0.0.0.255 area 1

PE4-RACK1#sho ip route os
10.0.0.0/32 is subnetted, 2 subnets
O 10.1.1.200 [110/2] via 172.16.240.1, 00:05:26, FastEthernet0/0
O*N2 0.0.0.0/0 [110/1] via 172.16.240.1, 00:03:53, FastEthernet0/0

ASBR2-RACK1(config-router)#router ospf 100
ASBR2-RACK1(config-router)#timers pacing flood 65

ASBR2-RACK1#sho ip ospf
*Mar 13 01:41:32.421: %SYS-5-CONFIG_I: Configured from console by console
Routing Process "ospf 100" with ID 10.1.1.200
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
It is an autonomous system boundary router
Redistributing External Routes from,
static with metric mapped to 2, includes subnets in redistribution
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
LSA group pacing timer 240 secs
Interface flood pacing timer 65 msecs

PE4-RACK1(config)#no ip ospf name-lookup

Task 2.3: CORRECTION!!! Configure ASBR2 such that if it receives
an LSA Type 6, it suppresses sending the notification to the
Syslog Server. ASBR2 must ignore all LSA Type 6 messages in
AREA 0 and AREA 1.

ASBR2-RACK1(config-router)#ignore lsa mospf

Task 2.4:

ASBR2-RACK1(config)#router ospf 100
ASBR2-RACK1(config-router)# no compatible rfc1583

Task 2.5:

PE1-RACK1(config)#router ospf 100
PE1-RACK1(config-router)# mpls traffic-eng router-id Loopback0
PE1-RACK1(config-router)# mpls traffic-eng area 0
PE1-RACK1(config-router)# mpls traffic-eng interface Loopback0 area 0
PE1-RACK1(config-router)# router-id 10.1.1.1
PE1-RACK1(config-router)# max-metric router-lsa on-startup wait-for-bgp

Task 2.6:

Task 2.7:

PE3-RACK1(config)#mpls ip
PE3-RACK1(config)#mpls label protocol ldp
PE3-RACK1(config)#int ethernet 0/0
PE3-RACK1(config-if)#mpls ip

Task 2.8:

Example for all PEs

PE3-RACK1(config)#mpls ldp router-id loopback 0 force

Task 2.9:

PE3-RACK1(config)#mpls ldp logging neighbor-changes

Section 3: Service Provider Backbone I

Task 3.1:

router bgp 65001
no synchronization
bgp log-neighbor-changes
network 172.16.20.0 mask 255.255.255.0
network 172.16.30.0 mask 255.255.255.0
redistribute connected metric 2 route-map allow55
neighbor ibgp peer-group
neighbor ibgp remote-as 65001
neighbor ibgp update-source Loopback0
neighbor ibgp password iementor
neighbor ibgp route-reflector-client
neighbor 10.1.1.1 peer-group ibgp
neighbor 10.1.1.2 peer-group ibgp
neighbor 10.1.1.3 peer-group ibgp
no auto-summary
!
route-map allow55 permit 10
match ip address 55
!
access-list 55 permit 55.55.55.0 0.0.0.255 log

All PEs in SP1

router bgp 65001
no synchronization
bgp log-neighbor-changes
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
no auto-summary

Task 3.2:
PE1

router bgp 65001
no synchronization
bgp log-neighbor-changes
network 11.11.11.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
neighbor 172.16.222.2 remote-as 100
no auto-summary

PE2

router bgp 65001
no synchronization
bgp log-neighbor-changes
network 22.22.22.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor

PE3

router bgp 65001
no synchronization
bgp log-neighbor-changes
network 33.33.33.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
no auto-summary

ASBR1

router bgp 100
bgp log-neighbor-changes
neighbor 172.16.113.2 remote-as 200
neighbor 172.16.222.1 remote-as 65001
!
address-family ipv4
neighbor 172.16.113.2 activate
neighbor 172.16.113.2 send-label
neighbor 172.16.113.2 route-map prep out
neighbor 172.16.222.1 activate
neighbor 172.16.222.1 next-hop-self
no auto-summary
no synchronization
network 172.16.113.0 mask 255.255.255.0
exit-address-family

ASBR2

router bgp 200
bgp log-neighbor-changes
neighbor 10.1.1.4 remote-as 65002
neighbor 10.1.1.4 ebgp-multihop 2
neighbor 10.1.1.4 password iementor
neighbor 10.1.1.4 update-source Loopback0
neighbor 172.16.113.1 remote-as 100
!
address-family ipv4
neighbor 10.1.1.4 activate
neighbor 172.16.113.1 activate
neighbor 172.16.113.1 send-label
no auto-summary
no synchronization
network 172.16.113.0 mask 255.255.255.0
network 172.16.240.0 mask 255.255.255.0
exit-address-family

PE4

router bgp 65002
no synchronization
bgp log-neighbor-changes
network 44.44.44.0 mask 255.255.255.0
neighbor 10.1.1.200 remote-as 200
neighbor 10.1.1.200 ebgp-multihop 2
neighbor 10.1.1.200 update-source Loopback0
neighbor 10.1.1.200 password iementor
no auto-summary
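
The Python check below is an added example, not part of the original workbook: it pairs up the BGP neighbor statements from Tasks 3.1 and 3.2 and reports whether both ends of each session carry the same neighbor password. The ROUTERS inventory, the address-to-router mapping and the function names are assumptions made for the example; keys are compared as written, and PE3 is given the Task 3.1 stanza to show a one-sided password.

```python
import re

# Constructed inventory: BGP stanzas abridged from the Task 3.1/3.2 configs.
# Each value is (addresses the router owns, config text). Assumptions:
# 172.16.113.2 on ASBR2 is inferred from ASBR1's neighbor line, and PE3 is
# given the Task 3.1 stanza (no password) to show a one-sided key.
ROUTERS = {
    "RR1": (["10.1.1.254"], """
router bgp 65001
 neighbor ibgp peer-group
 neighbor ibgp remote-as 65001
 neighbor ibgp password iementor
 neighbor 10.1.1.1 peer-group ibgp
 neighbor 10.1.1.3 peer-group ibgp
"""),
    "PE1": (["10.1.1.1", "172.16.222.1"], """
router bgp 65001
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 password iementor
 neighbor 172.16.222.2 remote-as 100
"""),
    "PE3": (["10.1.1.3"], """
router bgp 65001
 neighbor 10.1.1.254 remote-as 65001
"""),
    "ASBR1": (["172.16.113.1", "172.16.222.2"], """
router bgp 100
 neighbor 172.16.113.2 remote-as 200
 neighbor 172.16.222.1 remote-as 65001
"""),
    "ASBR2": (["10.1.1.200", "172.16.113.2"], """
router bgp 200
 neighbor 10.1.1.4 remote-as 65002
 neighbor 10.1.1.4 password iementor
 neighbor 172.16.113.1 remote-as 100
"""),
    "PE4": (["10.1.1.4"], """
router bgp 65002
 neighbor 10.1.1.200 remote-as 200
 neighbor 10.1.1.200 password iementor
"""),
}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
NEIGHBOR = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_bgp(config):
    """Return (local_as, {peer_ip: settings}), with peer-group values inherited."""
    local_as, groups, peers, member = None, {}, {}, {}
    for line in config.splitlines():
        m = re.match(r"^\s*router bgp (\d+)", line)
        if m:
            local_as = m.group(1)
            continue
        m = NEIGHBOR.match(line)
        if not m:
            continue
        target, key, arg = m.group(1), m.group(2), m.group(3).strip()
        store = peers if IPV4.match(target) else groups
        entry = store.setdefault(target, {})
        if key == "peer-group" and arg:        # neighbor <ip> peer-group <name>
            member[target] = arg
        elif key in ("remote-as", "password"):
            entry[key] = arg
    # A peer's own settings override what it inherits from its peer-group.
    return local_as, {ip: {**groups.get(member.get(ip), {}), **own}
                      for ip, own in peers.items()}


def audit_sessions(routers):
    """Map each BGP session (router pair) to the state of its TCP MD5 password."""
    owner = {ip: name for name, (ips, _) in routers.items() for ip in ips}
    parsed = {name: parse_bgp(cfg) for name, (_, cfg) in routers.items()}
    report = {}
    for a, (as_a, peers_a) in parsed.items():
        for ip, cfg_a in peers_a.items():
            b = owner.get(ip)
            if b is None:
                report[(a, ip)] = "peer not in inventory"
                continue
            as_b, peers_b = parsed[b]
            # The reverse statement is the one on b that targets an address a owns.
            cfg_b = next((c for p, c in peers_b.items() if owner.get(p) == a), None)
            pw_a = cfg_a.get("password")
            if cfg_b is None:
                status = "configured on one side only"
            elif cfg_a.get("remote-as") != as_b or cfg_b.get("remote-as") != as_a:
                status = "remote-as mismatch"
            elif pw_a is None and cfg_b.get("password") is None:
                status = "unauthenticated"
            elif pw_a == cfg_b.get("password"):
                status = "ok"
            else:
                status = "password mismatch"   # TCP MD5 check fails, session stays down
            report[tuple(sorted((a, b)))] = status
    return report


if __name__ == "__main__":
    for pair, status in sorted(audit_sessions(ROUTERS).items()):
        print(f"{pair[0]:>6} <-> {pair[1]:<6} {status}")
```

With this inventory the two inter-AS sessions through ASBR1 come back as unauthenticated, and the RR1 to PE3 session shows what happens while only the route reflector's peer-group carries the password.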

Section 4: Layer 2 VPN

Task 4.1:

BB1-RACK1(config)#interface ethernet 0/0.112
BB1-RACK1(config-subif)#encapsulation dot1Q 112

Task 4.2:

Task 4.3:

Task 4.4:

Task 4.5:

hostname PE3
!
no aaa new-model
ip cef
!
l2tp-class iementor-class
authentication
password 7 060F0A2C
cookie size 4
!
pseudowire-class PE3-PE2
encapsulation l2tpv3
protocol l2tpv3 iementor-class
ip local interface Loopback0
!
!

crypto isakmp policy 10
hash md5
authentication rsa-sig
crypto isakmp key iem6727 address 10.1.1.2
!
!
crypto ipsec transform-set iem esp-des esp-md5-hmac
!
crypto map combines 10 ipsec-isakmp
description to PE1
set peer 10.1.1.2
set transform-set iem
match address 115
!
interface Loopback0
ip address 10.1.1.3 255.255.255.255
crypto map combines
!
interface Ethernet0/0.31
ip address 172.16.13.1 255.255.255.0
crypto map combines
!
interface Ethernet0/0.112
no ip address
no cdp enable
encapsulation dot1Q 112
xconnect 10.1.1.2 100 pw-class PE3-PE2
!
access-list 115 permit 115 any any log

hostname PE2-RACK1
ip cef
!
l2tp-class iementor-class
authentication
password 7 151B0E01
cookie size 4
!
pseudowire-class PE3-PE2
encapsulation l2tpv3
protocol l2tpv3 iementor-class
ip local interface Loopback0
!
crypto isakmp policy 10
hash md5
authentication rsa-sig
!
crypto isakmp key iem6727 address 10.1.1.3
!
crypto ipsec transform-set iem esp-des esp-md5-hmac
!
crypto map combines 10 ipsec-isakmp
description to PE3
set peer 10.1.1.3
set transform-set iem
match address 115
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
crypto map combines
!
interface ethernet0/0.82
no ip address
no cdp enable
encapsulation dot1Q 112
xconnect 10.1.1.3 100 pw-class PE3-PE2

Section 5: Multicast

Task 5.1:

Task 5.2:

Task 5.3:

Task 5.4:

Task 5.5:

CE2-RACK1(config)#ip access-list standard RP-10.1.1.2-Groups
CE2-RACK1(config-std-nacl)#permit 224.8.8.8
CE2-RACK1(config)#ip pim rp-address 10.1.1.2 RP-10.1.1.2-Groups

CE8-RACK1(config)#ip access-list standard RP-10.1.1.2-Groups
CE8-RACK1(config-std-nacl)#permit 224.8.8.8
CE8-RACK1(config)#ip pim rp-address 10.1.1.2 RP-10.1.1.2-Groups

PE1-RACK1(config)#ip access-list standard RP-10.1.1.2-Groups
PE1-RACK1(config-std-nacl)#permit 224.8.8.8
PE1-RACK1(config)#ip pim rp-address 10.1.1.2 RP-10.1.1.2-Groups

PE2-RACK1(config)#ip access-list standard RP-10.1.1.2-Groups
PE2-RACK1(config-std-nacl)#permit 224.8.8.8
PE2-RACK1(config)#ip pim rp-address 10.1.1.2 RP-10.1.1.2-Groups

PE3-RACK1(config)#ip access-list standard RP-10.1.1.2-Groups
PE3-RACK1(config-std-nacl)#permit 224.8.8.8
PE3-RACK1(config)#ip pim rp-address 10.1.1.2 RP-10.1.1.2-Groups

The above configuration tells every router in the PIM domain that
group 224.8.8.8 has an RP on 10.1.1.2. Therefore, it can run in
sparse mode. Immediately, every router that has receivers for the
224.8.8.8 group (in our case, it’s only CE8) will try to create a
shared Multicast tree with RP PE2 at its root. The shared tree would
be pretty simple in our case:

PE2 (10.1.1.2, RP for 224.8.8.8 group)
|
CE8 (router with 224.8.8.8 receivers)

You should know the difference between the show ip pim rp
mapping and the show ip pim rp commands. The first command
shows you an identical output on all PIM routers in the domain. It is
the direct result of our static RP configuration or it could also be the
result of Auto-RP (or BSR). It doesn’t matter if the 224.8.8.8
receivers exist on any of the routers. If you run the show ip pim
rp mapping command on any PIM router you will get the same
output:

PE3-RACK1#show ip pim rp mapping
PIM Group-to-RP Mappings

Acl: RP-10.1.1.2-Groups, Static
    RP: 10.1.1.2 (?)

This mapping indicates that if PE3 ever hears about the Multicast
group listed in RP-10.1.1.2-Groups ACL (i.e. directly connected
receivers join the group), it will try to build a shared Multicast tree
with RP 10.1.1.2 at its root.

The show ip pim rp output is the result of the shared tree creation.
You will only see output for this command on the routers that are
part of the shared tree: CE8 and PE2.

CE8-RACK1#show ip pim rp
Group: 224.8.8.8, RP: 10.1.1.2, uptime 00:18:13, expires never

PE2-RACK1#sh ip pim rp
Group: 224.8.8.8, RP: 10.1.1.2, next RP-reachable in 00:00:11

Notice the difference in the outputs. The first output is from the
leaf router CE8. It indicates that the RP has been up for 18 minutes
and 13 seconds. The second output is from the RP PE2. It indicates
that it will send the next RP-reachability message for 224.8.8.8 on
Ethernet 1/0 interface in 11 seconds. It does it every 90 seconds.

PE2-RACK1#debug ip pim
04:29:23: PIM(0): Send RP-reachability for 224.8.8.8 on Ethernet0/0.82

Let’s look at how CE8 tries to create the shared tree. We’ll remove
the static RP information from CE8, enable debug, and then
re-enter the static RP command. The process looks like this:

1. There’s a receiver for Multicast group 224.8.8.8 on CE8.

2. Leaf router CE8 knows the IP address of the RP for the
224.8.8.8 group (from the static RP statement). It sends a
(*,G) join for this group towards the RP PE2.

3. This (*,G) Join travels hop-by-hop to the RP (PE2) building a
branch of the Shared tree that extends from the RP (PE2) to
the last-hop router (CE8). In our case this shared tree is
very small consisting of two routers, PE2 and CE8.

4. At this point, group 224.8.8.8’s traffic can flow down the
Shared Tree to the receiver.

CE8-RACK1(config)#no ip pim rp-address 10.1.1.2 RP-10.1.1.2-Groups
CE8-RACK1#debug ip pim
CE8-RACK1(config)#ip pim rp-address 10.1.1.2 RP-10.1.1.2-Groups

04:40:50: PIM(0): Check RP 10.1.1.2 into the (*, 224.8.8.8) entry
04:40:50: PIM(0): Building triggered (*,G) Join / (S,G,RP-bit) Prune message for 224.8.8.8
04:40:50: PIM(0): Insert (*,224.8.8.8) join in nbr 10.82.1.2's queue
04:40:50: PIM(0): Building Join/Prune packet for nbr 10.82.1.2
04:40:50: PIM(0): Adding v2 (10.1.1.2/32, 224.8.8.8), WC-bit, RPT-bit, S-bit Join
04:40:50: PIM(0): Send v2 join/prune to 10.82.1.2 (FastEthernet0/0)
Let’s look at the debug on PE2 when this happens:

PE2-RACK1#debug ip pim
04:43:21: PIM(0): Received v2 Join/Prune on Ethernet0/0.82 from 10.82.1.1, to us
04:43:21: PIM(0): Join-list: (*, 224.8.8.8), RPT-bit set, WC-bit set, S-bit set
04:43:21: PIM(0): Check RP 10.1.1.2 into the (*, 224.8.8.8) entry
04:43:21: PIM(0): Add Ethernet0/0.82/10.82.1.1 to (*, 224.8.8.8), Forward state, by PIM *G Join

The result is the added (*,G) entry to the Multicast routing table on
PE2 and CE8.

CE8-RACK1#show ip mroute 224.8.8.8
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel,
Y - Joined MDT-data group, y - Sending to MDT-data group
V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.8.8.8), 00:02:52/00:02:57, RP 10.1.1.2, flags: SJCL
Incoming interface: FastEthernet0/0, RPF nbr 10.82.1.2
Outgoing interface list:
FastEthernet0/1, Forward/Sparse-Dense, 00:02:52/00:02:57

PE2-RACK1#sh ip mroute 224.8.8.8
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel,
Y - Joined MDT-data group, y - Sending to MDT-data group
V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.8.8.8), 00:02:52/00:03:04, RP 10.1.1.2, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/0.82, Forward/Sparse-Dense, 00:02:52/00:03:04

Pay attention to the Incoming and Outgoing interface lists. They
should make sense to you now.

No other router in the topology knows anything about group
224.8.8.8. Notice, no traffic has been sent yet. Remember that IP
Dense Mode requires the first packet to be sent from the source in
order to start building the Multicast tree. Let’s look at show ip pim
rp and show ip mroute on some other router that doesn’t belong
to the shared tree, for example PE1.

PE1-RACK1#sh ip pim rp
<-- NO OUTPUT
PE1-RACK1#sh ip mroute 224.8.8.8
Group 224.8.8.8 not found

Let’s do a ping test right from RP PE2.

PE2-RACK1#ping 224.8.8.8
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.8.8.8, timeout is 2 seconds:

Reply to request 0 from 10.82.1.1, 8 ms
Reply to request 0 from 10.82.1.1, 48 ms
Reply to request 0 from 10.82.1.1, 20 ms

By the way, you have received three replies, because three ICMP
messages have been sent out. One from each PIM-enabled
interface on PE2:

1. Ethernet0/0.123 connected to PE3

2. Ethernet0/0.82 connected to CE8

3. Ethernet0/0.21 connected to PE1

The ICMP echo sent via the Ethernet0/0.82 directly to CE8 took the
Sparse shared tree that has already been created. We can assume
that the very first reply (8 ms) was for that packet.

Let’s configure PE1 as a static RP for the 224.1.1.1 group. This
command has to be configured on every router running PIM. You
should always configure a group list specifying what Multicast
groups the static RP is for.

CE2-RACK1(config)#ip access-list standard RP-10.1.1.1-Groups
CE2-RACK1(config-std-nacl)#permit 224.1.1.1
CE2-RACK1(config)#ip pim rp-address 10.1.1.1 RP-10.1.1.1-Groups

CE8-RACK1(config)#ip access-list standard RP-10.1.1.1-Groups
CE8-RACK1(config-std-nacl)#permit 224.1.1.1
CE8-RACK1(config)#ip pim rp-address 10.1.1.1 RP-10.1.1.1-Groups

PE1-RACK1(config)#ip access-list standard RP-10.1.1.1-Groups
PE1-RACK1(config-std-nacl)#permit 224.1.1.1
PE1-RACK1(config)#ip pim rp-address 10.1.1.1 RP-10.1.1.1-Groups

PE2-RACK1(config)#ip access-list standard RP-10.1.1.1-Groups
PE2-RACK1(config-std-nacl)#permit 224.1.1.1
PE2-RACK1(config)#ip pim rp-address 10.1.1.1 RP-10.1.1.1-Groups

PE3-RACK1(config)#ip access-list standard RP-10.1.1.1-Groups
PE3-RACK1(config-std-nacl)#permit 224.1.1.1
PE3-RACK1(config)#ip pim rp-address 10.1.1.1 RP-10.1.1.1-Groups

Verify.

CE1-RACK1#show ip pim rp

CE1 has no RP mappings, because it doesn’t participate in PIM. It’s
simply an IGMP host. PE3 is the IGMP router on that segment.

PE3-RACK1#sh ip igmp groups 224.1.1.1
IGMP Connected Group Membership
Group Address    Interface        Uptime    Expires   Last Reporter
224.1.1.1        Ethernet0/0.13   00:18:23  00:02:41  10.13.1.1

PE3-RACK1#show ip pim rp
Group: 224.1.1.1, RP: 10.1.1.1, uptime 00:11:08, expires never

Up the tree, let’s check PE1.

PE1-RACK1#show ip pim rp
Group: 224.1.1.1, RP: 10.1.1.1, next RP-reachable in 00:00:46

Let’s check PE2. It should not know about the RP for this group as
it’s not part of the shared tree.

PE2-RACK1#sh ip pim rp
Group: 224.8.8.8, RP: 10.1.1.2, next RP-reachable in 00:00:44

Everything is OK. PE2 only lists a different group; there’s no entry
for 224.1.1.1.

Let’s configure PE3 as a static RP for the 224.2.2.2 group. This
command has to be configured on every router running PIM. You
should always configure a group list specifying what Multicast
groups the static RP is for.

By default, Auto-RP will always override static RP information. You
have to specify the override keyword to override this behavior and
prefer the static RP.

CE2-RACK1(config)#ip access-list standard RP-10.1.1.3-Groups
CE2-RACK1(config-std-nacl)#permit 224.2.2.2
CE2-RACK1(config)#ip pim rp-address 10.1.1.3 RP-10.1.1.3-Groups override

CE8-RACK1(config)#ip access-list standard RP-10.1.1.3-Groups
CE8-RACK1(config-std-nacl)#permit 224.2.2.2
CE8-RACK1(config)#ip pim rp-address 10.1.1.3 RP-10.1.1.3-Groups override

PE1-RACK1(config)#ip access-list standard RP-10.1.1.3-Groups
PE1-RACK1(config-std-nacl)#permit 224.2.2.2
PE1-RACK1(config)#ip pim rp-address 10.1.1.3 RP-10.1.1.3-Groups override

PE2-RACK1(config)#ip access-list standard RP-10.1.1.3-Groups
PE2-RACK1(config-std-nacl)#permit 224.2.2.2
PE2-RACK1(config)#ip pim rp-address 10.1.1.3 RP-10.1.1.3-Groups override

PE3-RACK1(config)#ip access-list standard RP-10.1.1.3-Groups
PE3-RACK1(config-std-nacl)#permit 224.2.2.2
PE3-RACK1(config)#ip pim rp-address 10.1.1.3 RP-10.1.1.3-Groups override

Verify on PE3:

PE3-RACK1#show ip pim rp mapping
PIM Group-to-RP Mappings

Acl: RP-10.1.1.2-Groups, Static
RP: 10.1.1.2 (?)
Acl: RP-10.1.1.1-Groups, Static
RP: 10.1.1.1 (?)
Acl: RP-10.1.1.3-Groups, Static-Override
RP: 10.1.1.3 (?)

As you can see, each router knows about all three static RP
mappings. The last RP, 10.1.1.3, is static for the group specified in
the RP-10.1.1.3-Groups access-list.

PE3-RACK1#show ip pim rp
Group: 224.2.2.2, RP: 10.1.1.3, next RP-reachable in 00:00:23
Group: 224.1.1.1, RP: 10.1.1.1, uptime 00:19:30, expires never

Not every router knows about each elected RP. For example, PE3
only knows that it is an RP for the 224.2.2.2 group and that it’s
part of the shared tree for group 224.1.1.1 with the 10.1.1.1 RP.

Ping should work from everywhere. Remember that the number of
ICMP echo replies directly correlates to the number of PIM
interfaces on the source router. In the example below, PE3 has four
IP PIM-enabled interfaces. When you ping the group, the router
creates four ICMP echo packets and sends them out. All four will
reach the receiver.

PE3-RACK1#ping 224.2.2.2

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.2.2.2, timeout is 2 seconds:

Reply to request 0 from 10.23.1.1, 8 ms
Reply to request 0 from 10.23.1.1, 28 ms
Reply to request 0 from 10.23.1.1, 28 ms
Reply to request 0 from 10.23.1.1, 28 ms

PE3-RACK1#ping 224.8.8.8
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.8.8.8, timeout is 2 seconds:

Reply to request 0 from 10.82.1.1, 40 ms
Reply to request 0 from 10.82.1.1, 64 ms
Reply to request 0 from 10.82.1.1, 64 ms
Reply to request 0 from 10.82.1.1, 64 ms

The ip pim dm-fallback command was introduced in the 12.3(4)T
version of the IOS® code. The PIM Dense Mode Fallback Prevention
in a Network Following RP Information Loss feature enables you to
prevent Protocol Independent Multicast (PIM) dense mode (DM)
fallback when all rendezvous points (RPs) fail. Preventing the use of
PIM-DM is very important to Multicast networks whose reliability is
critical. The feature provides a mechanism to keep Multicast groups
in sparse mode.

There are three ways to prevent dense mode fallback. The first is
to simply change the ip pim sparse-dense-mode configuration to ip
pim sparse-mode on all PIM interfaces. This prevents PIM dense
mode from ever taking effect when RP information is lost. In
fact, if there’s no static RP available and Auto-RP is not configured
or is misconfigured, Multicast traffic will fail. We can’t use this
method, because we have configured Dense groups, and need to
leave them this way.

The second way is to configure the new command ip pim
dm-fallback in global configuration mode. When the feature is
configured, sparse mode groups operate with an RP address of
0.0.0.0. This task requires that you don’t use this method.

The third way is to configure a sink RP. This method was used
before the ip pim dm-fallback command became available.

To successfully implement Auto-RP and prevent any groups other
than 224.0.1.39 and 224.0.1.40 from operating in dense mode,
you should configure a "sink RP" (also known as RP of last resort).
A sink RP is a statically configured RP that may or may not actually
exist in the network. Configuring a sink RP does not interfere with
Auto-RP operation because, by default, Auto-RP messages
supersede static RP configurations. We recommend configuring a
sink RP for all possible Multicast groups in your network because it
is possible for an unknown or unexpected source to become active.
If no RP is configured to limit source registration, the group may
revert to dense mode operation and be flooded with data.

If you have already configured some static RPs and would like to
keep them that way, you would have to exclude them when
configuring a sink RP.

Let’s configure RP1 as a sink RP for all IGMP groups. Typically, in
an all-Auto-RP environment you would configure this command on
every router:

ip pim rp-address 10.1.1.1

When you don’t specify a group-list in the above command, the
default 224.0.0.0/4 group range is applied. That translates to
“10.1.1.1 is a static RP for all Multicast groups”. But since we
already have some static RPs configured, we have to exclude those
groups. Don’t exclude the 224.1.1.1 group because PE1 was
already configured to be its static RP.

Always exclude 224.0.1.39 and 224.0.1.40 Auto-RP groups,
because they should always operate in PIM Dense Mode.

Apply the following configuration on all routers (CE8, CE2, PE1,
PE2, PE3).

CE8-RACK1(config)#ip access-list standard RP-Sink-Groups
CE8-RACK1(config-std-nacl)#deny 224.0.1.39
CE8-RACK1(config-std-nacl)#deny 224.0.1.40
CE8-RACK1(config-std-nacl)#deny 224.8.8.8
CE8-RACK1(config-std-nacl)#deny 224.2.2.2
CE8-RACK1(config-std-nacl)#permit 224.0.0.0 15.255.255.255
CE8-RACK1(config)#ip pim rp-address 10.1.1.1 RP-Sink-Groups

FYI, ip pim rp-address 10.1.1.1 RP-Sink-Groups overrides the
previously entered ip pim rp-address 10.1.1.1 RP-10.1.1.1-Groups
command. You can’t have more than one group list configured for
a single static RP.

Let’s look at the show ip pim rp on PE3:

PE1-RACK1#sh ip pim rp
Group: 235.235.235.235, RP: 10.1.1.1, next RP-reachable in 00:00:43
Group: 235.5.5.5, RP: 10.1.1.1, next RP-reachable in 00:01:20
Group: 239.255.255.255, RP: 10.1.1.1, next RP-reachable in 00:01:20
Group: 224.2.127.254, RP: 10.1.1.1, next RP-reachable in 00:01:20
Group: 225.8.8.8, RP: 10.1.1.1, next RP-reachable in 00:01:20
Group: 229.0.0.1, RP: 10.1.1.1, next RP-reachable in 00:01:20
Group: 229.0.0.2, RP: 10.1.1.1, next RP-reachable in 00:01:20
Group: 225.2.2.2, RP: 10.1.1.1, next RP-reachable in 00:00:01
Group: 225.1.1.1, RP: 10.1.1.1, next RP-reachable in 00:01:26
Group: 224.1.1.1, RP: 10.1.1.1, next RP-reachable in 00:00:42

By now you should see why some groups show up in the list and
why others don’t. For example, 224.2.2.2 is not in the list because
PE3 is its RP, and PE1 is not part of that shared tree.
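
The decision RP-Sink-Groups makes for each group, modeled in Python as an added example (not part of the workbook; the function names are illustrative). It evaluates the ACL first-match with the implicit deny, checks the groups PE1 lists above, and flags entries shadowed by an earlier line, which is what happens if the permit is entered before the denies.

```python
import ipaddress

# RP-Sink-Groups as entered on CE8 above: (action, address, wildcard).
# A standard ACL entry without a wildcard is a host match (wildcard 0.0.0.0).
RP_SINK_GROUPS = [
    ("deny", "224.0.1.39", "0.0.0.0"),   # Auto-RP group, must stay dense
    ("deny", "224.0.1.40", "0.0.0.0"),   # Auto-RP group, must stay dense
    ("deny", "224.8.8.8", "0.0.0.0"),    # already has its own static RP
    ("deny", "224.2.2.2", "0.0.0.0"),    # already has its own static RP
    ("permit", "224.0.0.0", "15.255.255.255"),
]

# Groups shown by "sh ip pim rp" on PE1 after the sink RP was applied.
PE1_GROUPS = [
    "235.235.235.235", "235.5.5.5", "239.255.255.255", "224.2.127.254",
    "225.8.8.8", "229.0.0.1", "229.0.0.2", "225.2.2.2", "225.1.1.1",
    "224.1.1.1",
]


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def care_bits(wildcard):
    """Bits that must match: the inverse of the IOS wildcard mask."""
    return ~to_int(wildcard) & 0xFFFFFFFF


def acl_action(acl, address):
    """First matching entry wins; no match falls to the implicit deny."""
    target = to_int(address)
    for action, base, wildcard in acl:
        care = care_bits(wildcard)
        if (target & care) == (to_int(base) & care):
            return action
    return "deny"


def sink_rp_report(acl, groups):
    """Map each group to True when the sink RP would serve it."""
    return {g: acl_action(acl, g) == "permit" for g in groups}


def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry
    already matches every address they describe (an ordering mistake)."""
    shadowed = []
    for i, (_, base_i, wild_i) in enumerate(acl):
        inverse_care_i = ~care_bits(wild_i) & 0xFFFFFFFF
        for _, base_j, wild_j in acl[:i]:
            care_j = care_bits(wild_j)
            # Entry j covers entry i when j inspects only bits that i pins
            # down and both entries agree on those bits.
            covers = (care_j & inverse_care_i) == 0
            agrees = (to_int(base_i) & care_j) == (to_int(base_j) & care_j)
            if covers and agrees:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for group, served in sink_rp_report(RP_SINK_GROUPS, PE1_GROUPS).items():
        print(f"{group:16} sink RP: {served}")
    for group in ("224.0.1.39", "224.0.1.40", "224.8.8.8", "224.2.2.2"):
        print(f"{group:16} sink RP: {acl_action(RP_SINK_GROUPS, group) == 'permit'}")
    # Constructed mistake: the broad permit entered first.
    misordered = [RP_SINK_GROUPS[-1]] + RP_SINK_GROUPS[:-1]
    print("shadowed entries when permit comes first:", shadowed_entries(misordered))
```

With the permit first, the Auto-RP groups 224.0.1.39 and 224.0.1.40 would be handed to the sink RP instead of staying in dense mode.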

You will notice two new groups: 239.255.255.255 and
224.2.127.254. If you check all the routers, you will find the IGMP
groups 239.255.255.255 and 224.2.127.254:

CE8-RACK1#sh ip igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
235.235.235.235 FastEthernet0/1 01:39:04 00:01:16 192.168.100.8
235.5.5.5 FastEthernet0/1 01:39:04 stopped 0.0.0.0
239.255.255.255 FastEthernet0/1 00:05:57 00:01:16 192.168.100.8
224.2.127.254 FastEthernet0/1 00:05:57 00:01:16 192.168.100.8
224.8.8.8 FastEthernet0/1 01:39:05 00:01:16 192.168.100.8
225.8.8.8 FastEthernet0/1 01:39:04 00:01:16 192.168.100.8
229.0.0.1 FastEthernet0/1 01:39:04 00:01:16 192.168.100.8
229.0.0.2 FastEthernet0/1 01:39:04 00:01:16 192.168.100.8
224.0.1.40 FastEthernet0/0 01:39:05 00:02:09 10.82.1.1

These two new groups are the result of configuring ip sdr listen.

Section 6: MPLS Layer 3 VPN

Task 6.1:

♦ ADDITION!!! Enable Classical ATM 1/0.100 between PE1 and
BB2

♦ CORRECTION!!! Confirm reachability to BB2 Loopbacks from
PE1.

♦ CORRECTION!!! Suppress as many specific routes as possible
coming from BB2. Configure such that only a summary address
appears in the database on PE1.

hostname PE1-RACK1
!
ip vrf iementor
route-target export 100:100
route-target import 100:100
!
ip cef
mpls label protocol ldp
tag-switching tdp router-id Loopback0 force
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface Loopback11
description BGP Loopback
ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/0
description to PE3 VLAN31
ip address 172.16.13.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
speed 100
full-duplex
mpls label protocol ldp
mpls traffic-eng tunnels
tag-switching ip
!
interface Serial0/0
description to Inter-AS ASBR1
no ip address
encapsulation frame-relay
no keepalive
!
interface Serial0/0.101 multipoint
description to Inter-AS ASBR1 ISIS
ip address 172.16.222.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf network point-to-point
tag-switching ip
frame-relay map ip 172.16.222.1 201 broadcast
frame-relay map ip 172.16.222.2 201 broadcast
no frame-relay inverse-arp
!
interface FastEthernet0/1
description to PE2 VLAN21
ip address 172.16.12.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
!
interface ATM1/0
no ip address
no atm ilmi-keepalive
!
interface ATM1/0.100 point-to-point
ip vrf forwarding iementor
ip address 140.100.1.2 255.255.255.0
pvc 1/100
protocol ip 140.100.1.1 broadcast
encapsulation aal5snap
!
router ospf 100
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
mpls traffic-eng interface Loopback0 area 0
router-id 10.1.1.1
max-metric router-lsa on-startup wait-for-bgp
log-adjacency-changes detail
area 0 authentication message-digest
area 13 authentication message-digest
area 13 virtual-link 10.1.1.100 message-digest-key 1 md5 iementor
network 10.1.1.1 0.0.0.0 area 0
network 172.16.12.0 0.0.0.255 area 0
network 172.16.13.0 0.0.0.255 area 13
network 172.16.222.0 0.0.0.255 area 13
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 11.11.11.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
neighbor 172.16.222.2 remote-as 100
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf iementor
redistribute connected
neighbor 140.100.1.1 remote-as 22
neighbor 140.100.1.1 password iementor
neighbor 140.100.1.1 activate
no auto-summary
no synchronization
exit-address-family

BB2

hostname BB2-RACK1
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Loopback1
ip address 8.2.1.7 255.255.255.0
!
interface Loopback2
ip address 18.2.2.7 255.255.255.0
!
interface Loopback3
ip address 28.3.2.7 255.255.255.0
!
interface Loopback4
ip address 38.2.1.7 255.255.255.0
!
interface Loopback33
ip address 12.2.1.1 255.255.255.0
!
interface Loopback46
ip address 157.46.1.1 255.255.255.0
!
interface Loopback47
ip address 157.46.2.1 255.255.255.0
!
interface Loopback48
ip address 157.46.3.1 255.255.255.0
!
interface Loopback49
ip address 157.46.4.1 255.255.252.0
!
interface Loopback210
ip address 210.112.1.1 255.255.255.0
!
interface Loopback211
ip address 210.112.2.1 255.255.255.0
!
interface Loopback212
ip address 210.112.3.1 255.255.255.0
!
interface Loopback213
ip address 210.112.4.1 255.255.255.0
!
interface ATM1/0
no ip address
atm vc-per-vp 4096
no atm ilmi-keepalive
!
interface ATM1/0.100 point-to-point
ip address 140.100.1.1 255.255.255.0
pvc 1/100
protocol ip 140.100.1.2 broadcast
encapsulation aal5snap
!
router bgp 22
bgp log-neighbor-changes
network 140.100.1.0 mask 255.255.255.0
aggregate-address 210.112.0.0 255.255.0.0 summary-only
redistribute connected metric 2
neighbor 140.100.1.2 remote-as 65001
neighbor 140.100.1.2 password iementor

Task 6.2:

♦ CORRECTION!!! Configure PE3 to accept RIP routes in VPN
mode

interface Ethernet0/0.13
description to PE2 - VLAN 82
encapsulation dot1Q 13
ip address 10.13.1.1 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain iem
no snmp trap link-status
!
router rip
version 2
network 1.0.0.0
network 10.0.0.0
network 22.0.0.0
neighbor 10.13.1.3
no auto-summary

PE3

ip vrf iementor
rd 100:100
route-target export 100:100
route-target import 100:100
!
key chain iem
key 1
key-string 408
!
router rip
version 2
!
address-family ipv4 vrf iementor
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
interface Ethernet0/0.13
description to CE1 - VLAN 13
encapsulation dot1Q 13
ip vrf forwarding iementor
ip address 10.13.1.3 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain iem
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 33.33.33.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf iementor
no auto-summary
no synchronization
exit-address-family

Task 6.3:

♦ CORRECTION!!! Configure PE2 to allow only routes from BB1
with prefix match of 24 with one access-list.

BB1

router bgp 57
no synchronization
bgp log-neighbor-changes
network 10.12.1.0 mask 255.255.255.0
redistribute connected metric 2
redistribute static metric 2
neighbor 10.12.1.2 remote-as 65001
neighbor 10.12.1.2 description to AS65001-SP1-PE2
neighbor 10.12.1.2 default-originate
neighbor 10.12.1.2 password iementor
no auto-summary

PE2

router bgp 65001
no synchronization
bgp log-neighbor-changes
network 22.22.22.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf green
redistribute connected metric 2
neighbor 10.12.1.1 remote-as 57
neighbor 10.12.1.1 password iementor
neighbor 10.12.1.1 activate
neighbor 10.12.1.1 distribute-list 111 in
no auto-summary
no synchronization
exit-address-family
!
access-list 111 permit ip 0.0.0.0 255.255.255.0 host 255.255.255.0 log
access-list 111 permit ip host 0.0.0.0 host 0.0.0.0 log
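
How PE2 reads access-list 111 as a route filter, as an added example that is not part of the workbook: in a BGP distribute-list, IOS matches the source field of an extended ACL against the advertised network and the destination field against its mask. The Python model below, its function names and the sample update are constructed for illustration.

```python
import ipaddress

# access-list 111 from PE2 above:
# (action, src, src_wildcard, dst, dst_wildcard); "host X" is X 0.0.0.0.
ACL_111 = [
    # network: any value with last octet 0; mask: exactly 255.255.255.0
    ("permit", "0.0.0.0", "255.255.255.0", "255.255.255.0", "0.0.0.0"),
    # network 0.0.0.0 with mask 0.0.0.0: the default route only
    ("permit", "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0"),
]

# Constructed inbound update from BB1 (two /24s appear in CE8's route
# table on this page; the remaining prefixes are made up for the test).
SAMPLE_UPDATE = [
    "156.46.1.0/24",
    "209.112.65.0/24",
    "0.0.0.0/0",
    "156.46.4.0/22",
    "10.0.0.0/8",
    "10.12.1.1/32",
    "10.1.1.0/25",
]


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def field_matches(value, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (value & care) == (to_int(base) & care)


def matching_entry(acl, prefix):
    """Index of the first ACL entry that matches the route, or None when
    the route falls through to the implicit deny."""
    net = ipaddress.IPv4Network(prefix)
    network, mask = int(net.network_address), int(net.netmask)
    for idx, (_, src, src_wc, dst, dst_wc) in enumerate(acl):
        # Source field is compared with the network, destination with the mask.
        if field_matches(network, src, src_wc) and field_matches(mask, dst, dst_wc):
            return idx
    return None


def route_accepted(acl, prefix):
    idx = matching_entry(acl, prefix)
    return idx is not None and acl[idx][0] == "permit"


def filter_update(acl, prefixes):
    """Prefixes that survive 'distribute-list 111 in'."""
    return [p for p in prefixes if route_accepted(acl, p)]


if __name__ == "__main__":
    for prefix in SAMPLE_UPDATE:
        verdict = "accept" if route_accepted(ACL_111, prefix) else "drop"
        print(f"{prefix:18} {verdict}")
```

Because both entries carry the log keyword, every route matched by the filter is also logged on PE2.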

Task 6.4:
PE2

router ospf 100
router-id 172.16.123.2
log-adjacency-changes detail
area 0 authentication message-digest
area 123 authentication message-digest
area 123 virtual-link 172.16.123.3 message-digest-key 1 md5 iementor
redistribute connected subnets route-map connected
network 10.1.1.2 0.0.0.0 area 0
network 172.16.12.0 0.0.0.255 area 0
network 172.16.20.0 0.0.0.255 area 0
network 172.16.123.0 0.0.0.255 area 123
!
router ospf 10 vrf green
log-adjacency-changes detail
area 0 authentication message-digest
redistribute bgp 65001 metric 1 metric-type 1 subnets
network 10.82.1.0 0.0.0.255 area 0
default-information originate always
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 22.22.22.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf green
redistribute connected metric 2
redistribute ospf 10 metric 2 match internal external 1 external 2
neighbor 10.12.1.1 remote-as 57
neighbor 10.12.1.1 password iementor
neighbor 10.12.1.1 activate
neighbor 10.12.1.1 distribute-list 111 in
no auto-summary
no synchronization
exit-address-family

CE8

interface FastEthernet0/0.82
description to PE2 - VLAN 82
encapsulation dot1Q 82
ip address 10.82.1.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
!
router ospf 100
router-id 8.8.8.8
log-adjacency-changes detail
area 0 authentication message-digest
network 8.8.8.0 0.0.0.255 area 0
network 10.82.1.0 0.0.0.255 area 0

CE8-RACK1#sho ip route ospf
18.0.0.0/24 is subnetted, 1 subnets
O E1 18.2.1.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
38.0.0.0/24 is subnetted, 1 subnets
O E1 38.1.1.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
5.0.0.0/24 is subnetted, 1 subnets
O E1 5.5.5.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
156.46.0.0/24 is subnetted, 4 subnets
O E1 156.46.2.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
O E1 156.46.3.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
O E1 156.46.1.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
O E1 156.46.4.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
8.0.0.0/24 is subnetted, 2 subnets
O E1 8.1.1.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
O E1 209.112.65.0/24 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
O E1 209.112.66.0/24 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
O E1 209.112.67.0/24 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
11.0.0.0/24 is subnetted, 1 subnets
O E1 11.1.1.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
O E1 209.112.68.0/24 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
12.0.0.0/24 is subnetted, 1 subnets
O E1 12.1.1.0 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
O E1 209.112.69.0/24 [110/2] via 10.82.1.2, 00:13:48, FastEthernet0/0.82
28.0.0.0/24 is subnetted, 1 subnets
O E1 28.3.1.0 [110/2] via 10.82.1.2, 00:13:49, FastEthernet0/0.82
O E1 209.112.70.0/24 [110/2] via 10.82.1.2, 00:13:49, FastEthernet0/0.82
O*E2 0.0.0.0/0 [110/1] via 10.82.1.2, 00:12:37, FastEthernet0/0.82

CE8-RACK1#ping 156.46.22.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 156.46.22.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Task 6.5:

PE3

router eigrp 100
auto-summary
!
address-family ipv4 vrf solaris
redistribute bgp 65001 metric 1500 255 255 255 1500
network 10.23.1.0 0.0.0.255
auto-summary
autonomous-system 100
exit-address-family
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 33.33.33.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf solaris
redistribute connected metric 2
redistribute static metric 10
redistribute eigrp 100 metric 10
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf iementor
no auto-summary
no synchronization
exit-address-family
!
ip http server
ip classless
ip route vrf solaris 0.0.0.0 0.0.0.0 10.23.1.1

CE2

interface Ethernet0/0.23
encapsulation dot1Q 23
ip address 10.23.1.1 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 iementor
no snmp trap link-status
!
interface Ethernet0/0.24
encapsulation dot1Q 24
no snmp trap link-status
!
router eigrp 100
redistribute static metric 1544 255 255 255 1500
network 10.23.1.0 0.0.0.255
no auto-summary
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Null0

Task 6.6:
ASBR1

router bgp 100
no bgp default route-target filter
bgp log-neighbor-changes
neighbor 10.1.1.1 remote-as 65001
neighbor 10.1.1.1 ebgp-multihop 2
neighbor 10.1.1.1 update-source Loopback0
neighbor 172.16.113.2 remote-as 200
neighbor 172.16.114.2 remote-as 200
neighbor 172.16.222.1 remote-as 65001
!
address-family ipv4
neighbor 10.1.1.1 activate
neighbor 172.16.113.2 activate
neighbor 172.16.113.2 send-label
neighbor 172.16.113.2 route-map prep out
neighbor 172.16.114.2 activate
neighbor 172.16.222.1 activate
neighbor 172.16.222.1 next-hop-self
no auto-summary
no synchronization
network 172.16.113.0 mask 255.255.255.0
exit-address-family
!
address-family vpnv4
neighbor 10.1.1.1 activate
neighbor 10.1.1.1 send-community extended
neighbor 172.16.114.2 activate
neighbor 172.16.114.2 send-community extended
exit-address-family

ASBR2

router bgp 200
no bgp default route-target filter
bgp log-neighbor-changes
neighbor 10.1.1.4 remote-as 65002
neighbor 10.1.1.4 ebgp-multihop 2
neighbor 10.1.1.4 password iementor
neighbor 10.1.1.4 update-source Loopback0
neighbor 172.16.113.1 remote-as 100
neighbor 172.16.114.1 remote-as 100
!
address-family ipv4
neighbor 10.1.1.4 activate
neighbor 172.16.113.1 activate
neighbor 172.16.113.1 send-label
neighbor 172.16.114.1 activate
no auto-summary
no synchronization
network 172.16.113.0 mask 255.255.255.0
network 172.16.240.0 mask 255.255.255.0
exit-address-family
!
address-family vpnv4
neighbor 10.1.1.4 activate
neighbor 10.1.1.4 send-community extended
neighbor 172.16.114.1 activate
neighbor 172.16.114.1 send-community extended
exit-address-family

Task 6.7:

hostname RR1-RACK1
!
!
ip cef
no ip domain lookup
mpls label protocol ldp
tag-switching tdp router-id Loopback0 force
!
interface Loopback0
ip address 10.1.1.254 255.255.255.255
!
interface Loopback55
ip address 55.55.55.55 255.255.255.0
!
interface Ethernet0/0
no ip address
full-duplex
!
interface Ethernet0/0.20
description to PE2 -VLAN 20
encapsulation dot1Q 20
ip address 172.16.20.254 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf priority 255
mpls label protocol ldp
mpls traffic-eng tunnels
tag-switching ip
no snmp trap link-status
ip rsvp bandwidth
!
interface Ethernet0/0.30
description to PE3 -VLAN 30
encapsulation dot1Q 30
ip address 172.16.30.254 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf priority 255
mpls label protocol ldp
mpls traffic-eng tunnels
tag-switching ip
no snmp trap link-status
ip rsvp bandwidth
!
router ospf 100
router-id 10.1.1.254
log-adjacency-changes
area 0 authentication message-digest
redistribute connected metric 2 subnets route-map loopback
network 172.16.20.0 0.0.0.255 area 0
network 172.16.30.0 0.0.0.255 area 0
!
router bgp 65001
bgp log-neighbor-changes
neighbor ibgp peer-group
neighbor ibgp remote-as 65001
neighbor ibgp password iementor
neighbor ibgp update-source Loopback0
neighbor 10.1.1.1 peer-group ibgp
neighbor 10.1.1.2 peer-group ibgp
neighbor 10.1.1.3 peer-group ibgp
!
address-family ipv4
redistribute connected route-map allow55
neighbor ibgp route-reflector-client
neighbor 10.1.1.1 activate
neighbor 10.1.1.2 activate
neighbor 10.1.1.3 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor ibgp route-reflector-client
neighbor ibgp send-community extended
neighbor 10.1.1.1 activate
neighbor 10.1.1.2 activate
neighbor 10.1.1.3 activate
exit-address-family
!
ip http server
ip classless
ip flow-aggregation cache as
enabled
!
access-list 1 permit 10.1.1.254 log
access-list 55 permit 55.55.55.0 0.0.0.255 log
route-map loopback permit 10
match ip address 1
!
route-map allow55 permit 10
match ip address 55

hostname PE1-RACK1
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface Loopback11
description BGP Loopback
ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/0
description to PE3 VLAN31
ip address 172.16.13.1 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
speed 100
full-duplex
mpls label protocol ldp
mpls traffic-eng tunnels
tag-switching mtu 9216
tag-switching ip
!
interface Serial0/0
description to Inter-AS ASBR1
no ip address
encapsulation frame-relay
no keepalive
!
interface Serial0/0.101 multipoint
description to Inter-AS ASBR1 ISIS
ip address 172.16.222.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf network point-to-point
tag-switching ip
frame-relay map ip 172.16.222.1 201 broadcast
frame-relay map ip 172.16.222.2 201 broadcast
no frame-relay inverse-arp
!
interface FastEthernet0/1
description to PE2 VLAN21
ip address 172.16.12.1 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
speed 100
full-duplex
mpls label protocol ldp
mpls traffic-eng tunnels
tag-switching mtu 9216
tag-switching ip
!
interface ATM1/0
no ip address
no atm ilmi-keepalive
!
interface ATM1/0.100 point-to-point
ip vrf forwarding iementor
ip address 140.100.1.2 255.255.255.0
pvc 1/100
protocol ip 140.100.1.1 broadcast
encapsulation aal5snap
!
router ospf 100
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
mpls traffic-eng interface Loopback0 area 0
router-id 10.1.1.1
max-metric router-lsa on-startup wait-for-bgp
log-adjacency-changes detail
area 0 authentication message-digest
area 13 authentication message-digest
area 13 virtual-link 10.1.1.100 message-digest-key 1 md5 iementor
network 10.1.1.1 0.0.0.0 area 0
network 172.16.12.0 0.0.0.255 area 0
network 172.16.13.0 0.0.0.255 area 13
network 172.16.222.0 0.0.0.255 area 13
!
router bgp 65001
no synchronization
no bgp default route-target filter
bgp log-neighbor-changes
network 11.11.11.0 mask 255.255.255.0
neighbor 10.1.1.100 remote-as 100
neighbor 10.1.1.100 ebgp-multihop 2
neighbor 10.1.1.100 update-source Loopback0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
neighbor 172.16.222.2 remote-as 100
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.100 activate
neighbor 10.1.1.100 send-community extended
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf iementor
redistribute connected
neighbor 140.100.1.1 remote-as 22
neighbor 140.100.1.1 password iementor
neighbor 140.100.1.1 activate
no auto-summary
no synchronization
exit-address-family

hostname PE2-RACK1
!
ip cef
no ip domain lookup
ip vrf green
rd 200:200
route-target export 200:200
route-target import 200:200
!
ip multicast-routing
mpls label protocol ldp
mpls ldp loop-detection
tag-switching tdp router-id Loopback0
!
!
key chain iementor
key 6727
key-string iementorlab
!
!
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
ip pim sparse-dense-mode
!
interface Loopback22
description BGP Loopback
ip address 22.22.22.22 255.255.255.0
!
interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.20
description to RR - VLAN 20
encapsulation dot1Q 20
ip address 172.16.20.2 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
mpls traffic-eng tunnels
tag-switching ip
no snmp trap link-status
ip rsvp bandwidth
!
interface Ethernet0/0.21
description to PE1 - VLAN 21
encapsulation dot1Q 21
ip address 172.16.12.2 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
mpls traffic-eng tunnels
tag-switching ip
no snmp trap link-status
!
interface Ethernet0/0.82
description to CE8 -VLAN 82 VPN Green Site 2
encapsulation dot1Q 82
ip vrf forwarding green
ip address 10.82.1.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
tag-switching ip
no snmp trap link-status
!
interface Ethernet0/0.123
description to PE3 - VLAN 123
encapsulation dot1Q 123
ip address 172.16.123.2 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
mpls label protocol ldp
mpls traffic-eng tunnels
tag-switching ip
no snmp trap link-status
!
interface Ethernet0/1
description to BB1-RACK1
ip vrf forwarding green
ip address 10.12.1.2 255.255.255.0
full-duplex
!
router ospf 100
router-id 172.16.123.2
log-adjacency-changes detail
area 0 authentication message-digest
area 123 authentication message-digest
area 123 virtual-link 172.16.123.3 message-digest-key 1 md5 iementor
redistribute connected subnets route-map connected
network 10.1.1.2 0.0.0.0 area 0
network 172.16.12.0 0.0.0.255 area 0
network 172.16.20.0 0.0.0.255 area 0
network 172.16.123.0 0.0.0.255 area 123
!
router ospf 10 vrf green
log-adjacency-changes detail
area 0 authentication message-digest
redistribute bgp 65001 metric 1 metric-type 1 subnets
network 10.82.1.0 0.0.0.255 area 0
default-information originate always
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 22.22.22.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf green
redistribute connected metric 2
redistribute ospf 10 metric 2 match internal external 1 external 2
neighbor 10.12.1.1 remote-as 57
neighbor 10.12.1.1 password iementor
neighbor 10.12.1.1 activate
neighbor 10.12.1.1 distribute-list 111 in
no auto-summary
no synchronization
exit-address-family
!
!
ip prefix-list BB3-allowed seq 5 permit 156.46.1.0/24
access-list 111 permit ip 0.0.0.0 255.255.255.0 host 255.255.255.0 log
access-list 111 permit ip host 0.0.0.0 host 0.0.0.0 log

hostname PE3-RACK1
!
!
ip cef
no ip domain lookup
ip vrf iementor
rd 100:100
route-target export 100:100
route-target import 100:100
!
ip vrf solaris
rd 300:300
route-target export 300:300
route-target import 300:300
!
tag-switching tdp router-id Loopback0 force
!
!
key chain iementor
key 1
key-string 408
key 6727
key-string iementorlab
key chain iem
key 1
key-string 408
!
!
!
interface Loopback0
ip address 10.1.1.3 255.255.255.255
ip pim sparse-dense-mode
!
interface Loopback33
ip address 33.33.33.33 255.255.255.0
!
interface Ethernet0/0
no ip address
half-duplex
!
interface Ethernet0/0.1
encapsulation dot1Q 1 native
no snmp trap link-status
!
interface Ethernet0/0.13
description to CE1 - VLAN 13
encapsulation dot1Q 13
ip vrf forwarding iementor
ip address 10.13.1.3 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain iem
no snmp trap link-status
!
interface Ethernet0/0.23
description to CE2 - VLAN 23
encapsulation dot1Q 23
ip vrf forwarding solaris
ip address 10.23.1.3 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 iementor
no snmp trap link-status
!
interface Ethernet0/0.30
description to RR - VLAN 30
encapsulation dot1Q 30
ip address 172.16.30.3 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
mpls label protocol ldp
mpls traffic-eng tunnels
tag-switching ip
no snmp trap link-status
!
interface Ethernet0/0.31
description to PE1 - VLAN 31
encapsulation dot1Q 31
ip address 172.16.13.3 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
mpls traffic-eng tunnels
no snmp trap link-status
!
interface Ethernet0/0.32
tag-switching ip
!
interface Ethernet0/0.66
description to Manage VPN's
encapsulation dot1Q 66
no snmp trap link-status
!
interface Ethernet0/0.67
description to Manage IGP Core
encapsulation dot1Q 67
ip address 192.168.2.3 255.255.255.0
no snmp trap link-status
!
interface Ethernet0/0.123
description to PE2 - VLAN 123
encapsulation dot1Q 123
ip address 172.16.123.3 255.255.255.0
ip pim sparse-dense-mode
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
mpls traffic-eng tunnels
tag-switching ip
no snmp trap link-status
!
interface Ethernet0/1
no ip address
half-duplex
!
router eigrp 100
auto-summary
!
address-family ipv4 vrf solaris
redistribute bgp 65001 metric 1500 255 255 255 1500
network 10.23.1.0 0.0.0.255
auto-summary
autonomous-system 100
exit-address-family
!
router ospf 100
router-id 172.16.123.3
log-adjacency-changes detail
area 0 authentication message-digest
area 13 authentication message-digest
area 123 authentication message-digest
area 123 virtual-link 172.16.123.2 message-digest-key 1 md5 iementor
network 10.1.1.3 0.0.0.0 area 0
network 172.16.13.0 0.0.0.255 area 13
network 172.16.30.0 0.0.0.255 area 0
network 172.16.123.0 0.0.0.255 area 123
!
router rip
version 2
!
address-family ipv4 vrf iementor
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 33.33.33.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf solaris
redistribute connected metric 2
redistribute static metric 10
redistribute eigrp 100 metric 10
default-information originate
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf iementor
no auto-summary
no synchronization
exit-address-family
!
ip http server
ip classless
ip route vrf solaris 0.0.0.0 0.0.0.0 10.23.1.1

hostname PE4-RACK1
!
ip cef
no ip domain lookup
ip vrf solaris
rd 300:300
route-target export 300:300
route-target import 300:300
!
mpls label protocol tdp
tag-switching tdp router-id Loopback0 force
!
interface Loopback0
ip address 10.1.1.4 255.255.255.255
ip ospf network point-to-point
!
interface Loopback44
ip address 44.44.44.44 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.240.4 255.255.255.0
speed 100
full-duplex
mpls label protocol ldp
tag-switching ip
!
interface FastEthernet0/1
description Trunk 3550
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.300
description to BB3 VLAN 300
encapsulation dot1Q 300
no snmp trap link-status
!
interface FastEthernet0/1.600
description TO svi 3550-CE6 VPN SOLARIS SITE 2
encapsulation dot1Q 600
ip vrf forwarding solaris
ip address 172.16.60.4 255.255.255.0
ip ospf message-digest-key 1 md5 iementor
ip ospf network point-to-point
no snmp trap link-status
!
router ospf 100
router-id 10.1.1.4
log-adjacency-changes detail
area 1 nssa
timers pacing flood 65
network 10.1.1.4 0.0.0.0 area 0
network 172.16.240.0 0.0.0.255 area 1
!
router bgp 65002
no synchronization
bgp log-neighbor-changes
network 44.44.44.0 mask 255.255.255.0
neighbor 10.1.1.200 remote-as 200
neighbor 10.1.1.200 ebgp-multihop 2
neighbor 10.1.1.200 update-source Loopback0
neighbor 10.1.1.200 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.200 activate
neighbor 10.1.1.200 send-community extended
exit-address-family
!
address-family ipv4 vrf solaris
redistribute connected metric 2
redistribute static metric 2
no auto-summary
no synchronization
exit-address-family
!
ip http server
ip classless
ip route vrf solaris 6.6.6.0 255.255.255.0 172.16.60.6

hostname ASBR1-RACK1
!
ip cef
no ip domain lookup
mpls label protocol ldp
mpls ldp loop-detection
tag-switching tdp router-id Loopback0 force
tag-switching atm maxhops 10
!
!
key chain iementor
key 6727
key-string iementorlab
!
!
!
interface Loopback0
ip address 10.1.1.100 255.255.255.255
ip ospf network point-to-point
!
interface Ethernet0/0
no ip address
ip accounting output-packets
half-duplex
!
interface Serial0/0
description to ASBR2-RACK1
ip address 172.16.113.1 255.255.255.0
encapsulation ppp
clock rate 256000
no fair-queue
!
interface Ethernet0/1
no ip address
half-duplex
!
interface Serial0/1
description to ASBR2-RACK1
ip address 172.16.114.1 255.255.255.0
ip pim sparse-dense-mode
encapsulation ppp
!
interface Serial0/2
description to PE1-RACK1 ISIS
ip address 172.16.222.2 255.255.255.0
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf network point-to-point
tag-switching ip
no keepalive
clock rate 8000000
frame-relay map ip 172.16.222.1 201 broadcast
frame-relay map ip 172.16.222.2 201 broadcast
no frame-relay inverse-arp
!
interface Serial0/3
no ip address
clock rate 2000000
!
router ospf 100
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
area 0 authentication message-digest
area 1 authentication message-digest
area 1 stub
area 13 authentication message-digest
area 13 virtual-link 10.1.1.1 message-digest-key 1 md5 iementor
timers throttle spf 7 4000 94000
network 10.1.1.100 0.0.0.0 area 1
network 172.16.222.0 0.0.0.255 area 13
!
router bgp 100
no bgp default route-target filter
bgp log-neighbor-changes
neighbor 10.1.1.1 remote-as 65001
neighbor 10.1.1.1 ebgp-multihop 2
neighbor 10.1.1.1 update-source Loopback0
neighbor 172.16.113.2 remote-as 200
neighbor 172.16.114.2 remote-as 200
neighbor 172.16.222.1 remote-as 65001
!
address-family ipv4
neighbor 10.1.1.1 activate
neighbor 172.16.113.2 activate
neighbor 172.16.113.2 send-label
neighbor 172.16.113.2 route-map prep out
neighbor 172.16.114.2 activate
neighbor 172.16.222.1 activate
neighbor 172.16.222.1 next-hop-self
no auto-summary
no synchronization
network 172.16.113.0 mask 255.255.255.0
exit-address-family
!
address-family vpnv4
neighbor 10.1.1.1 activate
neighbor 10.1.1.1 send-community extended
neighbor 172.16.114.2 activate
neighbor 172.16.114.2 send-community extended
exit-address-family


hostname ASBR2-RACK1
!
ip cef
no ip domain lookup
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
key chain iementor
key 6727
key-string iementorlab
!
interface Loopback0
ip address 10.1.1.200 255.255.255.255
!
interface Ethernet0/0
description TO PE4 - VLAN 240
ip address 172.16.240.1 255.255.255.0
half-duplex
mpls label protocol ldp
tag-switching ip
!
interface Serial0/0
description to ASBR1-RACK1
ip address 172.16.113.2 255.255.255.0
encapsulation ppp
no fair-queue
!
interface Serial0/1
description to ASBR1-RACK1
ip address 172.16.114.2 255.255.255.0
encapsulation ppp
clock rate 115200
!
router ospf 100
router-id 10.1.1.200
no compatible rfc1583
ignore lsa mospf
log-adjacency-changes detail
area 1 nssa default-information-originate
timers pacing flood 65
redistribute static metric 2 subnets
network 10.1.1.200 0.0.0.0 area 1
network 172.16.240.0 0.0.0.255 area 1
!
router bgp 200
no bgp default route-target filter
bgp log-neighbor-changes
neighbor 10.1.1.4 remote-as 65002
neighbor 10.1.1.4 ebgp-multihop 2
neighbor 10.1.1.4 password iementor
neighbor 10.1.1.4 update-source Loopback0
neighbor 172.16.113.1 remote-as 100
neighbor 172.16.114.1 remote-as 100
!
address-family ipv4
neighbor 10.1.1.4 activate
neighbor 172.16.113.1 activate
neighbor 172.16.113.1 send-label
neighbor 172.16.114.1 activate
no auto-summary
no synchronization
network 172.16.113.0 mask 255.255.255.0
network 172.16.240.0 mask 255.255.255.0
exit-address-family
!
address-family vpnv4
neighbor 10.1.1.4 activate
neighbor 10.1.1.4 send-community extended
neighbor 172.16.114.1 activate
neighbor 172.16.114.1 send-community extended
exit-address-family


Section 7.0: Advanced MPLS Layer 3 VPN

Task 7.1:
PE4

router bgp 65002
no synchronization
bgp log-neighbor-changes
network 44.44.44.0 mask 255.255.255.0
neighbor 10.1.1.200 remote-as 200
neighbor 10.1.1.200 ebgp-multihop 2
neighbor 10.1.1.200 update-source Loopback0
neighbor 10.1.1.200 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.200 activate
neighbor 10.1.1.200 send-community extended
exit-address-family
!
address-family ipv4 vrf solaris
redistribute connected metric 2
redistribute static metric 2
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf green
redistribute connected metric 2
neighbor 172.16.30.3 remote-as 57
neighbor 172.16.30.3 activate
neighbor 172.16.30.3 as-override
no auto-summary
no synchronization
exit-address-family


PE2

router bgp 65001
no synchronization
bgp log-neighbor-changes
network 22.22.22.0 mask 255.255.255.0
neighbor 10.1.1.254 remote-as 65001
neighbor 10.1.1.254 update-source Loopback0
neighbor 10.1.1.254 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 send-community extended
exit-address-family
!
address-family ipv4 vrf green
redistribute connected metric 2
redistribute ospf 10 metric 2 match internal external 1 external 2
neighbor 10.12.1.1 remote-as 57
neighbor 10.12.1.1 password iementor
neighbor 10.12.1.1 activate
neighbor 10.12.1.1 as-override
neighbor 10.12.1.1 distribute-list 111 in
no auto-summary
no synchronization
exit-address-family


router bgp 65002
no synchronization
bgp log-neighbor-changes
network 44.44.44.0 mask 255.255.255.0
neighbor 10.1.1.200 remote-as 200
neighbor 10.1.1.200 ebgp-multihop 2
neighbor 10.1.1.200 update-source Loopback0
neighbor 10.1.1.200 password iementor
no auto-summary
!
address-family vpnv4
neighbor 10.1.1.200 activate
neighbor 10.1.1.200 send-community extended
exit-address-family
!
address-family ipv4 vrf solaris
redistribute connected metric 2
redistribute static metric 2
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf green
redistribute connected metric 2
neighbor 172.16.30.3 remote-as 57
neighbor 172.16.30.3 activate
neighbor 172.16.30.3 as-override
no auto-summary
no synchronization
aggregate-address 213.112.0.0 255.255.0.0 as-set summary-only suppress-map remove68
exit-address-family
!
ip http server
ip classless
ip route vrf solaris 6.6.6.0 255.255.255.0 172.16.60.6
!
!
access-list 13 deny 213.112.68.0 log
access-list 13 permit any log
route-map remove68 permit 10
match ip address 13


PE4-RACK1#sho ip bgp vpnv4 vrf green
BGP table version is 92, local router ID is 44.44.44.44
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 200:200 (default for vrf green)
*> 0.0.0.0          10.1.1.200                             0 200 100 65001 57 i
*> 5.5.5.0/24       10.1.1.200                             0 200 100 65001 57 ?
*> 7.7.7.0/24       172.16.30.3              2             0 57 ?
*> 8.1.1.0/24       10.1.1.200                             0 200 100 65001 57 ?
*> 8.8.8.8/32       10.1.1.200                             0 200 100 65001 ?
*> 10.12.1.0/24     10.1.1.200                             0 200 100 65001 ?
*> 10.82.1.0/24     10.1.1.200                             0 200 100 65001 ?
*> 11.1.1.0/24      10.1.1.200                             0 200 100 65001 57 ?
*> 12.1.1.0/24      10.1.1.200                             0 200 100 65001 57 ?
*> 13.1.1.0/24      172.16.30.3              2             0 57 ?
*> 18.2.1.0/24      10.1.1.200                             0 200 100 65001 57 ?
*> 28.3.1.0/24      10.1.1.200                             0 200 100 65001 57 ?
*> 38.1.1.0/24      10.1.1.200                             0 200 100 65001 57 ?
*> 38.2.1.0/24      172.16.30.3              2             0 57 ?
*> 38.3.1.0/24      172.16.30.3              2             0 57 ?
*> 138.1.1.0/24     172.16.30.3              2             0 57 ?
*> 153.46.1.0/24    172.16.30.3              2             0 57 ?
*> 153.46.2.0/24    172.16.30.3              2             0 57 ?
*> 153.46.3.0/24    172.16.30.3              2             0 57 ?
*> 153.46.4.0/24    172.16.30.3              2             0 57 ?
*> 153.46.100.0/22  172.16.30.3              2             0 57 ?
*> 156.46.1.0/24    10.1.1.200                             0 200 100 65001 57 ?
*> 156.46.2.0/24    10.1.1.200                             0 200 100 65001 57 ?
*> 156.46.3.0/24    10.1.1.200                             0 200 100 65001 57 ?
*> 156.46.4.0/24    10.1.1.200                             0 200 100 65001 57 ?
*  172.16.30.0/24   172.16.30.3              2             0 57 ?
*>                  0.0.0.0                  2         32768 ?
*> 209.112.65.0     10.1.1.200                             0 200 100 65001 57 ?
*> 209.112.66.0     10.1.1.200                             0 200 100 65001 57 ?
*> 209.112.67.0     10.1.1.200                             0 200 100 65001 57 ?
*> 209.112.68.0     10.1.1.200                             0 200 100 65001 57 ?
*> 209.112.69.0     10.1.1.200                             0 200 100 65001 57 ?
*> 209.112.70.0     10.1.1.200                             0 200 100 65001 57 ?
*> 213.112.0.0/16   0.0.0.0                       100  32768 57 ?
s> 213.112.65.0     172.16.30.3              2             0 57 ?
s> 213.112.66.0     172.16.30.3              2             0 57 ?
s> 213.112.67.0     172.16.30.3              2             0 57 ?
*> 213.112.68.0     172.16.30.3              2             0 57 ?
s> 213.112.69.0     172.16.30.3              2             0 57 ?
s> 213.112.70.0     172.16.30.3              2             0 57 ?

Task 7.2:

PE2-RACK1(config)#router bgp 65001
PE2-RACK1(config-router)#address-family ipv4 vrf green
PE2-RACK1(config-router-af)#neighbor 10.12.1.1 maximum-prefix 15


Task 7.3:

router bgp 65001
no synchronization
no bgp fast-external-fallover

snmp-server enable traps bgp
snmp-server host 10.1.1.212 version 2c iem

router bgp 57
no synchronization
bgp log-neighbor-changes
network 10.12.1.0 mask 255.255.255.0
redistribute connected metric 2
redistribute static metric 2
neighbor 10.12.1.2 remote-as 65001
neighbor 10.12.1.2 description to AS65001-SP1-PE2
neighbor 10.12.1.2 default-originate
neighbor 10.12.1.2 password iementor
no auto-summary
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.255.0.0 Null0
ip route 192.168.1.0 255.255.255.0 Null0


Section 8.0: QoS

Task 8.1:

interface Serial0/2/0
ip address 192.168.11.2 255.255.255.252
encapsulation frame-relay
frame-relay traffic-shaping
frame-relay interface-dlci 111
class FRTS
frame-relay lmi-type ansi

map-class frame-relay FRTS
frame-relay cir 384000
frame-relay bc 3840
frame-relay be 0
frame-relay mincir 384000
! fragment 480 to ensure 10 ms serialization delay
frame-relay fragment 480
frame-relay fair-queue

Task 8.2:


Task 8.3:

interface Loopback999
ip address 9.9.9.9 255.255.255.255
!
interface Serial0/0
description to ASBR2-RACK1
ip address 172.16.113.1 255.255.255.0
clock rate 2000000
no fair-queue
!
interface Serial0/1
description to ASBR2-RACK1
ip address 172.16.114.1 255.255.255.0
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 9.9.9.9 mask 255.255.255.255
network 172.16.113.0 mask 255.255.255.0
network 172.16.114.0 mask 255.255.255.0
redistribute static metric 2
neighbor 8.8.8.8 remote-as 200
neighbor 8.8.8.8 ebgp-multihop 2
neighbor 8.8.8.8 update-source Loopback999
no auto-summary
!
ip http server
ip classless
ip route 8.8.8.8 255.255.255.255 172.16.113.2
ip route 8.8.8.8 255.255.255.255 172.16.114.2


hostname ASBR2-RACK1
!
interface Loopback200
ip address 202.202.202.202 255.255.255.0
!
interface Loopback888
ip address 8.8.8.8 255.255.255.255
!
interface Ethernet0/0
description TO PE4 - VLAN 240
ip address 172.16.240.1 255.255.255.0
half-duplex
!
interface Serial0/0
description to ASBR1-RACK1
ip address 172.16.113.2 255.255.255.0
no fair-queue
!
interface Serial0/1
description to ASBR1-RACK1
ip address 172.16.114.2 255.255.255.0
clock rate 115200
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 8.8.8.8 mask 255.255.255.255
network 172.16.113.0 mask 255.255.255.0
network 172.16.114.0 mask 255.255.255.0
network 202.202.202.0
redistribute static metric 2
neighbor 9.9.9.9 remote-as 100
neighbor 9.9.9.9 ebgp-multihop 2
neighbor 9.9.9.9 update-source Loopback888
no auto-summary
!
ip classless
ip route 9.9.9.9 255.255.255.255 172.16.113.1
ip route 9.9.9.9 255.255.255.255 172.16.114.1

Section 9.0: Security

Task 9.1:

3750-M-CE4(config)#monitor session 1 source vlan 13 , 23
3750-M-CE4(config)#monitor session 1 destination interface fastEthernet 1/0/4


3750-M-CE4#sho monitor detail
Session 1
---------
Type : Local Session
Source Ports :
RX Only : None
TX Only : None
Both : None
Source VLANs :
RX Only : None
TX Only : None
Both : 13,23
Source RSPAN VLAN : None
Destination Ports : Fa1/0/4
Encapsulation : Native
Ingress : Disabled
Filter VLANs : None
Dest RSPAN VLAN : None

Task 9.2:

switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown

3550-CE6(config)#interface fastEthernet 0/15
3550-CE6(config-if)#spanning-tree portfast
3550-CE6(config-if)#spanning-tree bpdufilter enable
3550-CE6(config-if)#spanning-tree bpduguard enable

3550-CE6(config)#no service password-recovery

Task 9.3:

3750-M-CE4(config-if)#switchport mode access
3750-M-CE4(config-if)#switchport port-security
3750-M-CE4(config-if)#switchport port-security maximum 15

Task 9.4:

PE2-RACK1(config)#mpls ldp neighbor 172.16.12.1 password iementor

PE1-RACK1(config)#mpls ldp neighbor 172.16.12.2 password iementor


Section 10.0: ATM/MPLS Cell Base

Task 10.1:

Task 10.2:

Task 10.3:

Task 10.4:

Task 10.5:

Task 10.6:

Task 10.7:

PE1-RACK1

interface ATM1/0.300 tag-switching
ip address 140.101.1.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
ip ospf mtu-ignore
mpls label protocol tdp
tag-switching atm vp-tunnel 3 vci-range 33-65535
tag-switching ip
!
router ospf 100
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
mpls traffic-eng interface Loopback0 area 0
router-id 10.1.1.1
max-metric router-lsa on-startup wait-for-bgp
log-adjacency-changes detail
area 0 authentication message-digest
area 13 authentication message-digest
area 13 virtual-link 10.1.1.100 message-digest-key 1 md5 iementor
network 10.1.1.1 0.0.0.0 area 0
network 140.101.1.0 0.0.0.255 area 0
network 172.16.12.0 0.0.0.255 area 0
network 172.16.13.0 0.0.0.255 area 13
network 172.16.222.0 0.0.0.255 area 13

PE1-RACK1#sho ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
122.46.1.1        0   FULL/ -         00:00:33    140.101.1.2     ATM1/0.300
10.1.1.100        0   FULL/ -            -        172.16.222.2    OSPF_VL2
172.16.123.2      1   FULL/DR         00:00:33    172.16.12.2     FastEthernet0/1
10.1.1.100        0   FULL/ -         00:00:36    172.16.222.2    Serial0/0.101
172.16.123.3      1   FULL/DR         00:00:38    172.16.13.3     FastEthernet0/0

interface Loopback400
ip address 122.46.1.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback401
ip address 122.46.2.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback402
ip address 122.46.3.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback403
ip address 122.46.4.1 255.255.255.0
!
interface ATM1/0
no ip address
atm vc-per-vp 4096
no atm ilmi-keepalive
!
interface ATM1/0.300 tag-switching
mtu 9216
ip address 140.101.1.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 iementor
tag-switching atm vp-tunnel 3 vci-range 33-65535
tag-switching ip
!
router ospf 100
router-id 122.46.1.1
log-adjacency-changes detail
area 0 authentication message-digest
redistribute connected subnets route-map redcon
network 140.101.1.0 0.0.0.255 area 0
!
access-list 23 permit 122.46.4.0 log
access-list 23 permit 122.46.1.0 log
access-list 23 permit 122.46.2.0 log
access-list 23 permit 122.46.3.0 log


BB2-RACK1#sho ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1          1   FULL/ -         00:00:33    140.101.1.1     ATM1/0.300

BB2-RACK1#sho ip route os
     172.16.0.0/24 is subnetted, 6 subnets
O IA    172.16.222.0 [110/67] via 140.101.1.1, 00:03:27, ATM1/0.300
O       172.16.30.0 [110/24] via 140.101.1.1, 00:03:27, ATM1/0.300
O       172.16.20.0 [110/14] via 140.101.1.1, 00:03:27, ATM1/0.300
O       172.16.12.0 [110/4] via 140.101.1.1, 00:03:27, ATM1/0.300
O IA    172.16.13.0 [110/4] via 140.101.1.1, 00:03:27, ATM1/0.300
O IA    172.16.123.0 [110/14] via 140.101.1.1, 00:03:27, ATM1/0.300
     22.0.0.0/24 is subnetted, 1 subnets
O E2    22.22.22.0 [110/20] via 140.101.1.1, 00:03:27, ATM1/0.300
     10.0.0.0/32 is subnetted, 5 subnets
O       10.1.1.2 [110/5] via 140.101.1.1, 00:03:27, ATM1/0.300
O       10.1.1.3 [110/15] via 140.101.1.1, 00:03:27, ATM1/0.300
O       10.1.1.1 [110/4] via 140.101.1.1, 00:03:27, ATM1/0.300
O IA    10.1.1.100 [110/68] via 140.101.1.1, 00:03:27, ATM1/0.300
O E2    10.1.1.254 [110/2] via 140.101.1.1, 00:03:27, ATM1/0.300

BB2-RACK1#sho mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     3/45        172.16.12.0/24    0          AT1/0.300  point2point
17     3/46        172.16.20.0/24    0          AT1/0.300  point2point
18     3/47        172.16.30.0/24    0          AT1/0.300  point2point
19     3/48        10.1.1.1/32       0          AT1/0.300  point2point
20     3/49        10.1.1.2/32       0          AT1/0.300  point2point
21     3/50        10.1.1.3/32       0          AT1/0.300  point2point
22     3/51        10.1.1.100/32     0          AT1/0.300  point2point
23     3/52        172.16.13.0/24    0          AT1/0.300  point2point
24     3/53        172.16.123.0/24   0          AT1/0.300  point2point
25     3/54        172.16.222.0/24   0          AT1/0.300  point2point
26     3/55        10.1.1.254/32     0          AT1/0.300  point2point
27     3/56        22.22.22.0/24     0          AT1/0.300  point2point
