
LTRCCIE-3401

CCIE SP Practice Lab

Lizabete Cacic, Technical Leader


Lukasz Bromirski, System Engineering Manager

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
“If you know the enemy and yourself,
you need not fear the results of a hundred battles”

Sun Tzu – The Art of War

Agenda

• CCIE SP Lab Format


• LabTorial Overview
• Hands-on Lab
• Troubleshoot Lab
• Diagnostic Lab
• Configuration Lab

• Lab Review
• Questions & Answers
CCIE SP Lab Format
CCIE SP v4.1 – Unified Exam Topics
| Domains | Written | Lab |
|---|---|---|
| 1. Core Routing | 25% | 30% |
| 2. Service Provider Architecture and Services | 21% | 22% |
| 3. Access and Aggregation | 18% | 21% |
| 4. High Availability and Fast Convergence | 14% | 15% |
| 5. Service Provider Security, Operation, and Management | 12% | 12% |
| 6. Evolving Technologies | 10% | n/a |

https://learningnetwork.cisco.com/community/certifications/ccie_service_provider/written_exam_v4/exam-topics

CCIE Passing Criteria

Troubleshooting module
• 120 min
• Optional +30 min
• Independent incidents
• Console access to the devices
• Topology specific for TS scenarios

Diagnostic module
• 60 min
• No optional time
• Independent tickets
• No console access to the devices
• Multiple sources of information (like diagrams, emails, and logs)

Configuration module
• 300 min (5h)
• Optional -30 min (if used in TS)
• Dependent items
• Console access to the devices
• Topology specific for configuration scenario

LabTorial Overview
Login Page

CCIE SP Lab Exam Format
Web-based delivery

• Troubleshooting: 2h, optional +30 min; about 10 to 12 minutes on average per question
• Diagnostic: 60 min; 6 minutes per question on average
• Configuration: 5h, optional -30 min; about 10 to 12 minutes on average per question

Hands-on Lab
Troubleshooting
Module
CCIE SP Troubleshoot – CiscoLive! Barcelona 2018
Duration: 60m / Total points: 13
• LDP – 2 points
• mLDP – 2 points
• L2VPN – 1 point
• L3VPN – 2 points
• QoS – 2 points
• BGP PIC – 2 points
• Control Plane Security – 2 points

Lab topology (Troubleshooting)

• Loopback0: 10.0.0.x/32, where x is the Router No.
• XR interfaces begin with G0/0/0/x
• The last octet of an IP address is the Router No. + mask /24

[Topology diagram: AS 43, AS 44, AS 45, AS 46, AS 4142, AS 100, AS 200 and AS 300, with devices CE41, CE42, CE43, CE44, CE45, CE46, PE11, PE12, PE13, P14, P15, PE16, RR17, PE21, PE22, PE23, PE24, RR25 and PE31]
Trouble Ticket 1: LDP
An AS100 operations engineer notices that the LDP sessions on PE11 are down.
Your task is to fix this issue.

Score: 2 points

TS – Ticket 1: LDP
RP/0/0/CPU0:PE11#sh mpls ldp neighbor
[empty]

RP/0/0/CPU0:PE11#sh mpls ldp discovery


Local LDP Identifier: 10.0.0.11:0
Discovery Sources:
Interfaces:
GigabitEthernet0/0/0/0 : xmit
VRF: 'default' (0x60000000)

GigabitEthernet0/0/0/1 : xmit/recv
VRF: 'default' (0x60000000)
LDP Id: 10.0.0.13:0, Transport address: 10.0.0.13
Hold time: 15 sec (local:15 sec, peer:15 sec)
Established: Jan 08 03:14:14.935 (00:18:15 ago)
[..]

Ticket 1: Solution: TCP process is down
RP/0/0/CPU0:PE11(admin)#sh process tcp
Mon Jan 01 20:36:11.962 UTC
Job Id: 399
PID: 1241295
Executable path: /disk0/iosxr-fwding-6.1.3/bin/tcp
Instance #: 1
Version ID: 00.00.0000
Respawn: ON
Respawn count: 4
Last started: Sat Jan 13 13:03:46 2018
Process state: Killed (last exit status : 94)
Package state: Normal
Process group: dlrsc
core: MAINMEM
Max. core: 0
Level: 181
Placement: None
startup_path: /pkg/startup/tcp.startup
Ready: 0.119s

RP/0/0/CPU0:PE11#sh tcp brief


tcp_show_list_bag_generic: TCP process not running or invalid tuple on this node

Ticket 1: Solution: Restart the crashed TCP process
RP/0/0/CPU0:PE11#admin
RP/0/0/CPU0:PE11(admin)#process start tcp location all

Open a TAC case immediately!

Ticket 1: Verification
RP/0/0/CPU0:PE11#sh mpls ldp neighbor
Peer LDP Identifier: 10.0.0.14:0
TCP connection: 10.0.0.14:54446 - 10.0.0.11:646
Graceful Restart: No
Session Holdtime: 180 sec
State: Oper; Msgs sent/rcvd: 13/28; Downstream-Unsolicited
Up time: 00:03:13
[..]
Peer LDP Identifier: 10.0.0.13:0
TCP connection: 10.0.0.13:15524 - 10.0.0.11:646
Graceful Restart: No
Session Holdtime: 180 sec
State: Oper; Msgs sent/rcvd: 10/10; Downstream-Unsolicited
Up time: 00:00:44
[..]

Trouble Ticket 2: mLDP
ISP AS200 is preparing its core for migration to mLDP. There is an issue with
transmission between a simulated source on PE22 and CE45. Your task is to fix
this issue. The expected result is shown below.
RP/0/0/CPU0:PE22#ping vrf cust45 233.2.2.2 sou 10.3.0.22 tim 1 repeat 2
Reply to request 0 from 10.0.0.45, 1 ms
Reply to request 1 from 10.0.0.45, 9 ms

Score: 2 points

TS – Ticket 2: mLDP
RP/0/0/CPU0:PE22#sh mpls mldp bindings
No entries in the table to display

RP/0/0/CPU0:PE23#sh mrib vrf cust45 route 233.2.2.2


[..]
(10.3.0.22,233.2.2.2) RPF nbr: 0.0.0.0 Flags: RPF
Up: 00:06:39
Outgoing Interface List
GigabitEthernet0/0/0/3 Flags: F NS, Up: 00:06:39

RP/0/0/CPU0:PE22#sh mrib vrf cust45 route 233.2.2.2


No matching routes in MRIB route-DB

Ticket 2: Solution: Configure the inband mode.
PE22, PE23:
route-policy mldp1
set core-tree mldp-inband
end-policy

Ticket 2: Verification
RP/0/0/CPU0:PE22#sh mpls mldp bindings
Sun Jan 03 06:26:11.372 UTC
mLDP MPLS Bindings database
LSP-ID: 0x00001 Paths: 2 Flags:
0x00001 P2MP 10.0.0.22 [vpnv4 1:45 10.3.0.22 233.2.2.2]
Local Label: 24014
Remote Label: 24009 NH: 192.168.3.23 Inft: GigabitEthernet0/0/0/3

RP/0/0/CPU0:PE23#sh mpls mldp bind


Sun Jan 03 06:26:46.628 UTC
mLDP MPLS Bindings database
LSP-ID: 0x00001 Paths: 2 Flags:
0x00001 P2MP 10.0.0.22 [vpnv4 1:45 10.3.0.22 233.2.2.2]
Local Label: 24009 Active
Remote Label: 1048577 Inft: Imdtcust45 RPF-ID: 6 TIDv4/v6: 0xE0000011/0x0

RP/0/0/CPU0:PE22#ping vrf cust45 233.2.2.2 sou 10.3.0.22 tim 1 repeat 2


Reply to request 0 from 10.0.0.45, 1 ms
Reply to request 1 from 10.0.0.45, 9 ms

Trouble Ticket 3: L2VPN
AS100 and AS200 offer an L2VPN service to CE44 and CE46. There is no communication
between CE44 and CE46 because the pseudowire is down. Your task is to identify the issue
and fix it.
After this task is completed, CE44 and CE46 should be able to learn each other's loopback
IPv4 address via RIP.
Notes
• You are not allowed to run LDP between ASs.
• Because of the virtualization environment, CE46 is not able to ping CE44 and vice versa.
Score: 1 point

TS – Ticket 3: L2VPN
PE15#sh mpls l2transport vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
Gi5.10 Eth VLAN 10 10.1.0.24 44 DOWN

CE44#ping 10.4.4.46
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.46, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

TS – Ticket 3: L2VPN
PE15#sh mpls l2 vc det
Local interface: Gi5.10 up, line protocol up, Eth VLAN 10 up
Interworking type is Ethernet
Destination address: 10.1.0.24, VC ID: 44, VC status: down
Last error: Local access circuit is not ready for label advertise
Output interface: none, imposed label stack {}
Preferred path: not configured
Default path: no route
No adjacency
Create time: 06:18:27, last status change time: 04:46:07
Last label FSM state change time: 04:46:07
Signaling protocol: LDP, peer unknown
Targeted Hello: 10.1.0.15(LDP Id) -> 10.1.0.24, LDP is DOWN, no binding
[..]

TS – Ticket 3: L2VPN
PE15#sh ip route 10.1.0.24
Routing entry for 10.1.0.24/32
Known via "bgp 100", distance 200, metric 0
Tag 200, type internal
Last update from 10.0.0.16 00:28:02 ago
Routing Descriptor Blocks:
* 10.0.0.16, from 10.0.0.17, 00:28:02 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 200
MPLS label: 24008

TS – Ticket 3: L2VPN
RP/0/0/CPU0:PE16#sh cef 10.1.0.24
10.1.0.24/32, version 799, drop adjacency, internal 0x1000001 0x0 (ptr 0xa1422e74) [1],
0x0 (0xa13edb00), 0x808 (0xa1583280)
Updated Jan 02 02:28:04.722
Prefix Len 32, traffic index 0, precedence n/a, priority 4
via 172.16.3.22/32, 0 dependencies, recursive, bgp-ext [flags 0x6020]
path-idx 0 NHID 0x0 [0xa0db7294 0x0]
recursion-via-/32
unresolved
local label 24008
labels imposed {24006}

Ticket 3: Solution: Configure static routes to resolve NH
PE16:
!
router static
address-family ipv4 unicast
172.16.3.22/32 GigabitEthernet0/0/0/3
!

PE22:
!
router static
address-family ipv4 unicast
172.16.3.16/32 GigabitEthernet0/0/0/0
!

Ticket 3: Verification
RP/0/0/CPU0:PE16#sh cef 10.1.0.24/32
[..]
Prefix Len 32, traffic index 0, precedence n/a, priority 4
via 172.16.3.22/32, 5 dependencies, recursive, bgp-ext [flags 0x6020]
path-idx 0 NHID 0x0 [0xa15ebff4 0x0]
recursion-via-/32
next hop 172.16.3.22/32 via 24011/0/21
local label 24008
next hop 172.16.3.22/32 Gi0/0/0/3 labels imposed {ImplNull 24006}

RP/0/0/CPU0:PE22#sh cef 10.1.0.15/32


[..]
Prefix Len 32, traffic index 0, precedence n/a, priority 4
via 172.16.3.16/32, 3 dependencies, recursive, bgp-ext [flags 0x6020]
path-idx 0 NHID 0x0 [0xa15eb7f4 0x0]
recursion-via-/32
next hop 172.16.3.16/32 via 24008/0/21
local label 24007
next hop 172.16.3.16/32 Gi0/0/0/0 labels imposed {ImplNull 24009}

Ticket 3: Verification
PE15#sh mpls l2transport vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
Gi5.10 Eth VLAN 10 10.1.0.24 44 UP

CE44#ping 10.4.4.46
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.46, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 7/8/11 ms

Trouble Ticket 4: L3VPN
There is no communication between CE45 and CE42. This customer uses L3VPN
services offered by AS100 and AS200. Your task is to fix this issue.
CE45#sh ip route 10.0.0.42
% Subnet not in table

Score: 2 points

TS – Ticket 4: L3VPN
PE23#sh bgp vrf cust45 summ
[..]
Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
192.168.7.45 0 45 179 163 0 0 0 08:19:10 Idle

RP/0/0/CPU0:PE23#sh cef vrf cust45 10.0.0.42


10.0.0.42/32, version 37, internal 0x1000001 0x0 (ptr 0xa1408874) [1], 0x0 (0x0), 0x208
(0xa1583140)
Updated Jan 02 23:25:19.750
Prefix Len 32, traffic index 0, precedence n/a, priority 3
via 10.0.0.21/32, 0 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0xa0f92294 0x0]
recursion-via-/32
next hop VRF - 'default', table - 0xe0000000
unresolved
labels imposed {34}

Ticket 4: Solution: Fix eBGP session and LSP
PE23:
!
interface GigabitEthernet0/0/0/3
ipv6 add 2001:0:45::23/64
!

PE11:
!
interface Loopback0
ip address 10.0.0.21 255.255.255.255
!

Ticket 4: Verification
RP/0/0/CPU0:PE23#sh cef vrf cust45 10.0.0.42
10.0.0.42/32, version 7, internal 0x1000001 0x0 (ptr 0xa1408874) [1], 0x0 (0x0), 0x208
(0xa1583140)
Updated Jan 04 17:49:31.931
Prefix Len 32, traffic index 0, precedence n/a, priority 3
via 10.0.0.21/32, 3 dependencies, recursive [flags 0x6000]
path-idx 0 NHID 0x0 [0xa15eb7f4 0x0]
recursion-via-/32
next hop VRF - 'default', table - 0xe0000000
next hop 10.0.0.21/32 via 24003/0/21
next hop 192.168.1.21/32 Gi0/0/0/0 labels imposed {ImplNull 29}

Ticket 4: Verification
CE45#sh ip route 10.0.0.42
Routing entry for 10.0.0.42/32
Known via "bgp 45", distance 20, metric 0
Tag 200, type external
Last update from 192.168.7.23 00:12:34 ago
Routing Descriptor Blocks:
* 192.168.7.23, from 192.168.7.23, 00:12:34 ago
Route metric is 0, traffic share count is 1
AS Hops 3
Route tag 200
MPLS label: none

CE45#ping 10.0.0.42 sou 10.0.0.45


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.42, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.45
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/12/35 ms

Trouble Ticket 5: QoS
Since CE42 recently implemented QoS, the BFD session goes down whenever congestion
occurs. Your task is to fix this issue.

Note: You do not need to fix the BFD session.


Score: 2 points

TS – Ticket 5: QoS
CE42#sh policy-map int g2
GigabitEthernet2
Service-policy output: as4142-out
Class-map: bfd (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip dscp cs7 (56)
Queueing
queue limit 416 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 100000 kbps
[..]

Ticket 5: Solution: Match correct markings
CE42(config)#class-map match-any bfd
CE42(config-cmap)#no match ip dscp cs7
CE42(config-cmap)# match ip dscp cs6

Ticket 5: Verification
CE42#sh policy-map int g2
GigabitEthernet2
Service-policy output: as4142-out
Class-map: bfd (match-any)
117 packets, 7949 bytes
5 minute offered rate 1000 bps, drop rate 0000 bps
Match: ip dscp cs6 (48)
Queueing
queue limit 416 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 60/4187
bandwidth 100000 kbps
[..]

Trouble Ticket 6: BGP PIC
An AS100 operations engineer notices that there is no backup entry in the FIB on PE12 for
the 10.0.0.43/32 prefix even though BGP PIC is configured. Your task is to fix this issue.

Note: Do not change the BGP sessions.


Score: 2 points

TS – Ticket 6: BGP PIC
PE12#sh bgp vpnv4 unicast all | i 10.0.0.43/32|Disti
Route Distinguisher: 1:1 (default for vrf cust1)
*>i 10.0.0.43/32 10.0.0.11 0 100 0 43 i
Route Distinguisher: 1:43
*>i 10.0.0.43/32 10.0.0.11 0 100 0 43 i

PE12#sh ip cef vrf cust1 10.0.0.43/32 detail


10.0.0.43/32, epoch 0, flags [rib defined all labels]
recursive via 10.0.0.11 label 24007
nexthop 10.1.5.13 GigabitEthernet5 label 24000-(local:20)
nexthop 10.1.9.14 GigabitEthernet3 label 19-(local:20)

Ticket 6: Solution: Change RD on one of PEs
PE15:
!
ip vrf cust43
no rd 1:43

CTRL+Z

ip vrf cust43
rd 43:43
route-target export 1:43
route-target import 1:43
!
router bgp 100
add ipv4 unicast vrf cust43
nei 10.3.43.43 remote-as 43
!

Ticket 6: Verification
PE12#sh ip cef vrf cust1 10.0.0.43/32 det
10.0.0.43/32, epoch 0, flags [rib defined all labels]
recursive via 10.0.0.11 label 24007
nexthop 10.1.5.13 GigabitEthernet5 label 24000-(local:20)
nexthop 10.1.9.14 GigabitEthernet3 label 19-(local:20)
recursive via 10.0.0.15 label 36, repair
nexthop 10.1.5.13 GigabitEthernet5 label 24002-(local:21)
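
Why the RD change in Ticket 6 makes the repair path appear, as an added example (not part of the original slides). It assumes PE12 learns VPNv4 routes through a route reflector that forwards only its best path per VPNv4 NLRI (RD:prefix), without add-path, and that vrf cust1 on PE12 imports route-target 1:43; neither is shown in the outputs. Best-path selection is reduced to "lowest next hop" for the sketch.

```python
import ipaddress
from collections import namedtuple

# One VPNv4 path as advertised by an egress PE (values taken from the ticket).
Path = namedtuple("Path", "rd prefix next_hop export_rt")

PREFIX = "10.0.0.43/32"
IMPORT_RT = "1:43"          # assumption: imported by vrf cust1 on PE12


def reflect(paths):
    """Model a route reflector without add-path.

    The reflector keeps ONE best path per VPNv4 NLRI, and the NLRI is the
    pair (RD, prefix). Tie-break is simplified to the lowest next hop.
    """
    best = {}
    for p in paths:
        key = (p.rd, p.prefix)
        cur = best.get(key)
        if cur is None or (ipaddress.ip_address(p.next_hop)
                           < ipaddress.ip_address(cur.next_hop)):
            best[key] = p
    return list(best.values())


def import_into_vrf(reflected, import_rt, prefix):
    """Import by route-target; the second distinct next hop becomes the repair path."""
    next_hops = sorted(
        {p.next_hop for p in reflected
         if p.prefix == prefix and import_rt in p.export_rt},
        key=ipaddress.ip_address,
    )
    return {
        "primary": next_hops[0] if next_hops else None,
        "repair": next_hops[1] if len(next_hops) > 1 else None,
    }


def pic_paths(pe11_rd, pe15_rd):
    """What PE12 can install for 10.0.0.43/32 given the RDs used on both egress PEs."""
    advertised = [
        Path(pe11_rd, PREFIX, "10.0.0.11", ("1:43",)),
        Path(pe15_rd, PREFIX, "10.0.0.15", ("1:43",)),
    ]
    return import_into_vrf(reflect(advertised), IMPORT_RT, PREFIX)


if __name__ == "__main__":
    # Same RD on both PEs: the reflector sees one NLRI and hides the second path.
    print("before:", pic_paths("1:43", "1:43"))
    # Unique RD on PE15 (43:43): two NLRIs, both reflected, repair path available.
    print("after: ", pic_paths("1:43", "43:43"))
```
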

Trouble Ticket 7: Control Plane Security
PE16 must be protected so that BGP sessions initiated from AS300 are blocked;
however, a BGP session with PE31 must still be established. Your task is to fix the
configuration so that it meets this requirement.

Score: 2 points

TS – Ticket 7: Control Plane Security
RP/0/0/CPU0:PE16#sh tcp brief
PCB VRF-ID Recv-Q Send-Q Local Address Foreign Address State
[..]
0x1216c7e8 0x60000000 0 0 172.16.4.16:179 172.16.4.31:36188 ESTAB
[..]

RP/0/0/CPU0:PE31#sh tcp brief


[..]
0x1215b26c 0x60000000 0 0 172.16.5.31:60068 172.16.3.16:179 SYNSENT
0x1216c7e8 0x60000000 0 0 172.16.4.31:179 172.16.4.16:36188 ESTAB
[..]

Ticket 7: Solution: Correct ACL configurations
PE16:
!
ipv4 access-list as300-in
10 deny tcp any any eq bgp
20 permit ipv4 any any
!

PE31:
!
ipv4 access-list as100-in
10 deny tcp any eq bgp any
20 permit ipv4 any any
!

Ticket 7: Verification
RP/0/0/CPU0:PE16#sh tcp brief
PCB VRF-ID Recv-Q Send-Q Local Address Foreign Address State
[..]
0x1216992c 0x60000000 0 0 172.16.4.16:36028 172.16.4.31:179 ESTAB
[..]
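
The direction logic behind the two Ticket 7 ACLs, as an added example (not part of the original slides): a first-match ACL evaluator applied to the SYN and SYN-ACK of a BGP handshake. It assumes both ACLs are applied inbound on the inter-AS interfaces, which the slides do not show; `SWAPPED_ON_PE16` is a hypothetical mistake used for contrast, not the lab's initial configuration.

```python
from dataclasses import dataclass
from typing import List, Optional

BGP_PORT = 179


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", or "ipv4" for any IP protocol
    src_port: Optional[int] = None   # None means "any"
    dst_port: Optional[int] = None   # None means "any"


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    proto: str = "tcp"


def permits(acl: List[Rule], seg: Segment) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for rule in acl:
        if rule.proto not in ("ipv4", seg.proto):
            continue
        if rule.src_port is not None and rule.src_port != seg.src_port:
            continue
        if rule.dst_port is not None and rule.dst_port != seg.dst_port:
            continue
        return rule.action == "permit"
    return False


def session_result(initiator_in: List[Rule], responder_in: List[Rule],
                   eph_port: int) -> str:
    """Walk the first two handshake segments through the inbound ACLs.

    The SYN (ephemeral -> 179) is filtered by the responder's inbound ACL,
    the SYN-ACK (179 -> ephemeral) by the initiator's inbound ACL.
    """
    syn = Segment(src_port=eph_port, dst_port=BGP_PORT)
    syn_ack = Segment(src_port=BGP_PORT, dst_port=eph_port)
    if not permits(responder_in, syn):
        return "SYN dropped at responder"
    if not permits(initiator_in, syn_ack):
        return "SYN-ACK dropped at initiator"
    return "established"


# ACLs from the ticket solution.
AS300_IN = [  # PE16: "10 deny tcp any any eq bgp" / "20 permit ipv4 any any"
    Rule("deny", "tcp", dst_port=BGP_PORT),
    Rule("permit", "ipv4"),
]
AS100_IN = [  # PE31: "10 deny tcp any eq bgp any" / "20 permit ipv4 any any"
    Rule("deny", "tcp", src_port=BGP_PORT),
    Rule("permit", "ipv4"),
]
# Hypothetical mistake on PE16: "eq bgp" placed on the source side.
SWAPPED_ON_PE16 = [
    Rule("deny", "tcp", src_port=BGP_PORT),
    Rule("permit", "ipv4"),
]

if __name__ == "__main__":
    # Ephemeral ports are the ones visible in the "sh tcp brief" outputs.
    print("PE16 -> PE31:", session_result(AS300_IN, AS100_IN, 36028))
    print("PE31 -> PE16:", session_result(AS100_IN, AS300_IN, 60068))
    print("PE16 -> PE31 with swapped ACL on PE16:",
          session_result(SWAPPED_ON_PE16, AS100_IN, 36028))
```

With the source-port match on PE16, the returning SYN-ACK from PE31 is dropped, so even the session PE16 is supposed to open never completes.
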

Diagnostics
Module
CCIE SP Diagnostics – CiscoLive! Barcelona 2018
Duration: 30m / Total points: 5
• IGP – 1 point
• MPLS-TE – 1 point
• LISP – 1 point
• PE-CE – 1 point
• Failure Detection – 1 point

Lab topology (Diagnostics)

• Loopback0: 10.0.0.x/32, where x is the Router No.
• XR interfaces begin with G0/0/0/x
• The last octet of an IP address is the Router No. + mask /24

[Topology diagram: AS 43, AS 44, AS 45, AS 46, AS 4142, AS 100, AS 200 and AS 300, with devices CE41, CE42, CE43, CE44, CE45, CE46, PE11, PE12, PE13, P14, P15, PE16, RR17, PE21, PE22, PE23, PE24, RR25 and PE31]
Task 1: IGP
CE46 10.0.0.46 can't communicate with CE45 10.0.0.45. An operations engineer
found that an LSP between PE23 and PE24 is broken. What is the root
cause of this issue?
a) The MP-BGP next hop 10.0.0.23 is advertised as an OSPF type external route instead of intra- or
inter-area.
b) There is a conflict of advertised prefixes in the network between PE23 and another router.
c) PE23 does not assign a label to 10.0.0.0/24.
d) The LSP is broken as the MP-BGP next hop 10.0.0.23 is not advertised as the /32 prefix but with the
/24 mask.
e) PE23 breaks an LSP by the aggregation of prefixes to 10.0.0.0/24.

Score: 1 point

Task 1: Email
From: Chris (Support) <chris@isp2.com>
Date: Thu, Jun 15, 2017 at 1:34 PM
To: Brad Whooley<bradwhooley@cust2.com>
Subject: No ip reachability

Brad,

We migrated OSPF areas on a couple of our devices. As far as I can see, something is wrong with the data plane. Prefixes are advertised correctly. I am waiting for a guy to compare an
old config with the current one. Meanwhile I will nail down this issue.

Regards,

Chris

=========================================================

From: Brad Whooley<bradwhooley@cust2.com>


Date: Thu, Jun 15, 2017 at 1:12 PM
To: Support <support@isp2.com>
Subject: No ip reachability

Hi,

We lost connectivity between CE45 and CE46 last night. Did you do anything? Can you check what may be an issue?

Kind regards,

Brad

Task 1: Output
PE24#sh ip route 10.1.0.23
Routing entry for 10.1.0.23/32
Known via "ospf 1", distance 110, metric 3, type intra area
Last update from 192.168.5.22 on GigabitEthernet2, 1w4d ago
Routing Descriptor Blocks:
* 192.168.5.22, from 10.0.0.23, 1w4d ago, via GigabitEthernet2
Route metric is 3, traffic share count is 1

PE24#sh ip route | i 10.0.0.0/24


O E2 10.0.0.0/24 [110/20] via 192.168.5.22, 1w4d, GigabitEthernet2

PE24#sh mpls for 10.1.0.23


Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
20 24004 10.1.0.23/32 0 Gi2 192.168.5.22

PE24#traceroute 10.1.0.23
Type escape sequence to abort.
Tracing the route to 10.1.0.23
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.5.22 [MPLS: Label 24004 Exp 0] 4 msec 3 msec 3 msec
2 192.168.3.23 3 msec * 3 msec

Task 1: Output
PE24#sh ip cef vrf cust46 10.0.0.45 det
10.0.0.45/32, epoch 0, flags [rib defined all labels]
recursive via 10.0.0.23 label 24005
recursive via 10.0.0.0/24
nexthop 192.168.5.22 GigabitEthernet2 label 24018-(local:30)

RP/0/0/CPU0:PE22#sh mpls for | i 24018


24018 Unlabelled 10.0.0.0/24 Gi0/0/0/3 192.168.3.23 39070

RP/0/0/CPU0:PE22#sh route 10.1.0.23


Routing entry for 10.1.0.23/32
Known via "ospf 1", distance 110, metric 2, type intra area
Installed Jan 14 08:47:58.026 for 1w4d
Routing Descriptor Blocks
192.168.3.23, from 10.0.0.23, via GigabitEthernet0/0/0/3
Route metric is 2 No advertising protos.

Task 1: Output
RP/0/0/CPU0:PE22#sh mpls ldp bindings 10.0.0.23/24
10.0.0.0/24, rev 54
Local binding: label: 24018
Remote bindings: (1 peers)
Peer Label
----------------- ---------
10.1.0.24:0 30

RP/0/0/CPU0:PE23#sh mpls ldp bindings 10.0.0.23/24


10.0.0.0/24, rev 0 (no route)
No local binding
Remote bindings: (1 peers)
Peer Label
----------------- ---------
10.0.0.22:0 24018

Task 1: Output
RP/0/0/CPU0:PE22#sh mpls ldp bindings 10.0.0.23/32
10.0.0.23/32, rev 0 (no route)
No local binding
Remote bindings: (1 peers)
Peer Label
----------------- ---------
10.0.0.23:0 ExpNullv4

RP/0/0/CPU0:PE23#sh mpls ldp bindings 10.0.0.23/32


10.0.0.23/32, rev 22
Local binding: label: ImpNull
No remote bindings

Task 2: MPLS-TE
The traffic from CE41 10.0.0.46 to CE44 10.0.0.44 should go via P14. The MPLS-TE
tunnel 111 is configured on PE11 to PE15 but it is not working as expected.
What is the root cause of this issue?

Failed link P14-P16 device

No route to destination
issue
Path Error
Loose object in a path

Wrong explicit-path

Task 2: Email
From: NOC-global <noc@isp1.com>
Date: Wed, Aug 9, 2017 at 7:51 PM
To: Provisioning <prov@isp1.com>
Subject: Core network down [SR12436343]

Here are outputs. It does not look like an issue with routing or labels. Traffic via T111 is not going through. Shall I shut down this
interface or will you verify a cfg? Please let me know asap. Some customers are becoming edgy.

=========================================================

From: Provisioning <prov@isp1.com>


Date: Wed, Aug 9, 2017 at 7:11 PM
To: NOC-global <noc@isp1.com>
Subject: Core network down [SR12436343]

Hi

Derek who configured TE tunnels is out of the office after his shift. I can have a look within an hour. Send us outputs from sh mpls
traffic-eng tunnels det, sh route and sh mpls for.

Regards,

Paul

=========================================================

From: NOC-global <noc@isp1.com>


Date: Wed, Aug 9, 2017 at 2:09 PM
To: Provisioning <prov@isp1.com>
Subject: Core network down [SR12436343]

Team,

The core of the network is broken with your recent changes. Please have a look at this case and rollback to the previous configuration.

Regards

Task 2: Output
RP/0/0/CPU0:PE11#sh mpls traffic-eng tunnels det
Tue Jan 16 22:15:53.024 UTC
Name: tunnel-te111 Destination: 10.1.6.15 Ifhandle:0xd0
Signalled-Name: PE11_t111
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 10, type dynamic (Basis for Setup, path weight 20)
path option 5, type explicit divert2
Last PCALC Error: Tue Jan 16 22:15:51 2018
Info: Path-option is skipped because it is held down
Last Signalled Error : Tue Jan 16 22:15:51 2018
Info: [23] PathErr(23,769)-(system) at 10.1.3.13
G-PID: 0x0800 (derived from egress interface properties)
[..]

RP/0/0/CPU0:PE11#sh explicit-paths n divert2


Path divert2 status enabled
10: next-address strict 10.0.0.13
20: next-address loose 10.0.0.14
15: next-address strict 10.1.5.12
30: next-address strict 10.1.3.13
40: next-address strict 10.0.0.15

Task 2: Output
RP/0/0/CPU0:PE11#sh route 10.1.6.15
Routing entry for 10.1.6.0/24
Known via "isis AS100", distance 115, metric 11, type level-2
Installed Jan 16 22:15:51.334 for 1w2d
Routing Descriptor Blocks
10.1.6.15, from 10.0.0.15, via tunnel-te111
Route metric is 11
No advertising protos.

P14#sh ip int brief


Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 10.255.0.121 YES TFTP up up
GigabitEthernet2 10.1.3.14 YES TFTP up up
GigabitEthernet3 10.1.9.14 YES TFTP up up
GigabitEthernet4 10.1.2.14 YES TFTP up up
GigabitEthernet5 10.1.8.14 YES TFTP administratively down down
GigabitEthernet6 unassigned YES unset administratively down down
GigabitEthernet7 10.1.11.14 YES TFTP up up
Loopback0 10.0.0.14 YES TFTP up up

Task 2: Output
RP/0/0/CPU0:P13#sh mpls traffic-eng tunnels det
LSP Tunnel 10.0.0.11 111 [24] is signalled, Signaling State: up
Tunnel Name: PE11_t111 Tunnel Role: Mid
InLabel: GigabitEthernet0/0/0/1, 24007
OutLabel: GigabitEthernet0/0/0/4, implicit-null
Signalling Info:
Src 10.0.0.11 Dst 10.1.6.15, Tun ID 111, Tun Inst 24, Ext ID 10.0.0.11
Router-IDs: upstream 10.0.0.11
local 10.0.0.13
downstream 10.0.0.15
Bandwidth: 10000 kbps (CT0) Priority: 7 7 DSTE-class: 0
Soft Preemption: None
SRLGs: not collected
Path Info:
Incoming Address: 10.1.1.13
Incoming:
Explicit Route:
Strict, 10.1.1.13
Strict, 10.1.6.15
Strict, 10.0.0.15
Outgoing:
Explicit Route:
Strict, 10.1.6.15
Strict, 10.0.0.15
[..]

Task 2: Output
PE12#sh mpls traffic-eng tunnels det

P2P TUNNELS/LSPs:

P2MP TUNNELS:

P2MP SUB-LSPS:

P14#sh mpls traffic-eng tunnels det

P2P TUNNELS/LSPs:

P2MP TUNNELS:

P2MP SUB-LSPS:

Task 3: LISP
Customer XYZ opened a case regarding LISP. Apparently there is no reachability
to the subnet 10.4.42.0/24 in AS4142 from the WAN. Indicate which show
command helps you identify the root cause, and on which device you would apply
this command.

Device: Show command:


CE42 sh lisp site 10.4.42.0/24
CE41 sh lisp instance-id 0 ipv4 database
CE44 sh lisp instance-id 0 ipv4 map-cache
PE15 sh lisp platform

Task 3: Email
From: Benjamin <noc@isp1.com>
Date: Mon, Sep 18, 2017 at 6:57 AM
To: Michael <mike@site.com>
Subject: LISP site down

Mike,

What about the LISP database? Do you have all entries there?

Regards

=========================================================

From: Michael <mike@site.com>


Date: Mon, Sep 18, 2017 at 6:53 AM
To: Benjamin <noc@isp1.com>
Subject: LISP site down

Hi Ben

Find the outputs attached. We did not change anything, I suppose. We had a switchover to CE41 from CE42. Maybe this router never
has been tested.

Regards,

Paul

=========================================================

From: Benjamin <noc@isp1.com>


Date: Mon, Sep 18, 2017 at 6:34 AM
To: Michael <mike@site.com>
Subject: LISP site down

Hi,

As discussed over the phone, please send us the outputs of your CE devices. Did you change your settings?

Regards
Task 3: Output
CE44#sh lisp site 10.4.42.0/24
LISP Site Registration Information
Site name: AS4142
Allowed configured locators:
10.2.41.41
10.2.42.42
Requested EID-prefix:

EID-prefix: 10.4.42.0/24
[..]
State: complete
Registration errors:
Authentication failures: 0
Allowed locators mismatch: 2
ETR 10.2.41.41, last registered 1w2d, no proxy-reply, map-notify
TTL 1d00h, no merge, hash-function sha1, nonce 0x2491A8B9-0xE0F8DEA0
state complete, no security-capability
xTR-ID 0x26E07475-0x467BADA9-0x52A6B114-0x4D12CBE7
site-ID unspecified
sourced by reliable transport
Locator Local State Pri/Wgt Scope
10.2.41.41 yes admin-down 255/10 IPv4 none

Task 3: Output
CE41#sh lisp instance-id 0 ipv4 database
LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 2, no-route 1, inactive 0
10.2.42.0/24
Locator Pri/Wgt Source State
10.2.41.41 1/10 cfg-intf site-self, reachable
10.4.42.0/24 *** NO ROUTE TO EID PREFIX ***
Locator Pri/Wgt Source State
10.2.41.41 1/10 cfg-intf site-self, reachable

CE42#sh lisp instance-id 0 ipv4 database


LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 1, no-route 0, inactive 0
10.2.42.0/24
Locator Pri/Wgt Source State
10.2.42.42 1/10 cfg-intf site-self, reachable

PE15#sh lisp instance-id 0 ipv4 database


% LISP is not running.

Task 3: Output
CE41#sh lisp instance-id 0 ipv4 map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries
0.0.0.0/0, uptime: 1w3d, expires: never, via static-send-map-request
Negative cache entry, action: send-map-request
10.4.42.0/24, uptime: 1w3d, expires: never, via away, self, send-map-request
Negative cache entry, action: send-map-request

CE42#sh lisp instance-id 0 ipv4 map-cache


LISP IPv4 Mapping Cache for EID-table default (IID 0), 1 entries
0.0.0.0/0, uptime: 1w3d, expires: never, via static-send-map-request
Negative cache entry, action: send-map-request

CE44#sh lisp platform
Parallel LISP instance limit: 2000
RLOC forwarding support:
IPv4 RLOC, local: OK
IPv6 RLOC, local: OK
MAC RLOC, local: Unsupported
IPv4 RLOC, remote: OK
IPv6 RLOC, remote: OK
MAC RLOC, remote: Unsupported
Latest supported config style: Service and instance
Current config style: implied instance 0

Task 4: PE-CE
To prefer the backbone network over a backdoor link, the AS100 engineers
configured a sham-link between PE11 and PE12, but this sham-link adjacency does
not come up. What is the reason for that?
a) There is a domain-id mismatch.
b) There is a domain-tag mismatch.
c) Router-id of PE11 is not visible on PE12.
d) PE12 is not an ASBR.
e) The IP endpoint of a sham-link 10.3.0.12 is not reachable.

Task 4: Email
From: level2 <level2@isp2.com>
Date: Fri, Jun 16, 2017 at 8:20 PM
To: level1 <level1@isp2.com>
Subject: Cust1 traffic optimization [SR46455234]

Hi Lora,

Did you redistribute those endpoints to OSPF? You cannot do this. Just advertise them to BGP and that's all. Other prefixes can be redistributed from BGP to OSPF. Send us the latest configs. Did you use additional settings in OSPF like domain-id? This should not be relevant but to have intra-area routes it is better to set the same id.

Regards,

Jason

=========================================================

From: level1 <level1@isp2.com>
Date: Fri, Jun 16, 2017 at 6:18 PM
To: level2 <level2@isp2.com>
Subject: Cust1 traffic optimization [SR46455234]

Hi Team,

We want to escalate the ticket SR46455234. A customer wants to send the traffic over our backbone not a backdoor link. Engineering team prepared a configuration of a sham-link but it does not go up. Strange. IP addresses of endpoints are advertised to BGP, we can ping them. Please support.

Kind regards,

Lora

Task 4: Output
RP/0/0/CPU0:PE11#sh ospf vrf cust1 int brief
* Indicates MADJ interface, (P)Indicates fast detect hold down state
Interfaces for OSPF 2, VRF cust1
Interface PID Area IP Address/Mask Cost State Nbrs F/C
OSPF_SL0 2 0 - 1 DOWN 0/0
Gi0/0/0/4 2 0 10.2.41.11/24 1 DR 1/1

PE12#sh ip ospf int brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
SL1 2 0 0.0.0.0/0 1 P2P 0/0
Gi6 2 0 10.2.42.12/24 1 BDR 1/1

PE12#sh ip ospf database
OSPF Router with ID (0.0.0.12) (Process ID 2)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
0.0.0.12 0.0.0.12 1395 0x800001D8 0x004658 1
10.0.0.11 10.0.0.11 1094 0x800001C1 0x004C79 1
10.0.0.41 10.0.0.41 1680 0x800001B9 0x00AEA7 4
10.0.0.42 10.0.0.42 679 0x800001CC 0x005DBE 4

Task 4: Output
PE12#sh ip route vrf cust1 10.3.0.11
Routing Table: cust1
Routing entry for 10.3.0.11/32
Known via "bgp 100", distance 200, metric 0, type internal
Last update from 10.0.0.11 1w3d ago
Routing Descriptor Blocks:
* 10.0.0.11 (default), from 10.0.0.17, 1w3d ago, recursive-via-host
Route metric is 0, traffic share count is 1
AS Hops 0
MPLS label: 24009
MPLS Flags: MPLS Required

RP/0/0/CPU0:PE11#sh route vrf cust1 10.3.0.12
Routing entry for 10.3.0.12/32
Known via "bgp 100", distance 200, metric 0, type internal
Installed Jan 16 00:15:37.530 for 1w3d
Routing Descriptor Blocks
10.0.0.12, from 10.0.0.17
Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
Route metric is 0 No advertising protos.

Task 4: Output
PE12#sh ip ospf border-routers det
OSPF Router with ID (0.0.0.12) (Process ID 2)
Base Topology (MTID 0)
Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route

i 10.0.0.11 [3] via 10.2.42.42, GigabitEthernet6, ABR, Area 0, SPF 47
Source 10.0.0.11, PDB SPF 59, path flag: none
Flags: PathList

RP/0/0/CPU0:PE11#sh ospf 2 vrf cust1
VRF cust1 in Routing Process "ospf 2" with ID 10.0.0.11
Role: Primary Active
NSR (Non-stop routing) is Enabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
It is an area border router
Primary Domain ID: 0x5:0x000000650200
[..]

PE12#sh ip ospf
Routing Process "ospf 2" with ID 0.0.0.12
Domain ID type 0x0005, value 0x000000640200
[..]

Task 5: Failure Detection
What is the BFD detection time between CE42 and PE12?
a) It is more than 3 seconds.
b) It is 3 seconds or more.
c) It is between 2 and 3 seconds.
d) It is subsecond.

Score: 1 point

Task 5: Email
From: Niki (Support) <niki@isp2.com>
Date: Thu, Jun 15, 2017 at 1:34 PM
To: Matthias (Support) <matt@isp2.com>
Subject: BFD detection time

Hi Matt,

Yes, I think so. Let's check the current setting. What is the interval time?

Regards,

Niki

=========================================================

From: Matthias (Support) <matt@isp2.com>
Date: Thu, Jun 15, 2017 at 1:12 PM
To: Niki (Support) <niki@isp2.com>
Subject: BFD detection time

Niki,

The customer wants to confirm what will be the current detection time with BFD? Is it just interval * multiplier? They had slow convergence and complained to our service massively.

Kind regards,

Matt

Task 5: Output
PE12#sh bfd nei det
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
10.2.42.42 4097/4097 Up Up Gi6
Session state is UP and using echo function with 1000 ms interval.
Session Host: Software
OurAddr: 10.2.42.12
Handle: 1
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holddown (hits): 0(0), Hello (hits): 1000(62152)
Rx Count: 62161, Rx Interval (ms) min/max/avg: 1/1046/875 last: 830 ms ago
Tx Count: 62164, Tx Interval (ms) min/max/avg: 1/1022/875 last: 488 ms ago
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: CEF BGP
Uptime: 00:19:08
Last packet: Version: 1 - Diagnostic: 0
State bit: Up - Demand bit: 0
Poll bit: 0 - Final bit: 0
C bit: 0
Multiplier: 3 - Length: 24
My Discr.: 4097 - Your Discr.: 4097
Min tx interval: 1000000 - Min rx interval: 1000000
Min Echo interval: 1000000

CCIE SP Diagnostics
Answers
Task 1: Output
PE24#sh ip cef vrf cust46 10.0.0.45 det
10.0.0.45/32, epoch 0, flags [rib defined all labels]
recursive via 10.0.0.23 label 24005
recursive via 10.0.0.0/24
nexthop 192.168.5.22 GigabitEthernet2 label 24018-(local:30)

RP/0/0/CPU0:PE22#sh mpls for | i 24018
24018 Unlabelled 10.0.0.0/24 Gi0/0/0/3 192.168.3.23 39070

RP/0/0/CPU0:PE23#sh mpls ldp bindings 10.0.0.23/24
10.0.0.0/24, rev 0 (no route)
No local binding
Remote bindings: (1 peers)
Peer Label
----------------- ---------
10.0.0.22:0 24018

Task 1: Answer
ANSWER: PE23 does not allocate a label to 10.0.0.0/24.
Key:
a) The external route can be a next hop for an MP-BGP session.
b) No conflicts or duplications.
c) PE23 does not assign a label to 10.0.0.0/24 and this is a root cause.
d) The LSP is broken but not because of lack of a host route.
e) A /24 aggregate does not break an LSP.

CONCLUSION: A /24 prefix can be a BGP next-hop for L3VPN sessions.

Task 2: Output
RP/0/0/CPU0:PE11#sh mpls traffic-eng tunnels det
Tue Jan 16 22:15:53.024 UTC
Name: tunnel-te111 Destination: 10.1.6.15 Ifhandle:0xd0
Signalled-Name: PE11_t111
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 10, type dynamic (Basis for Setup, path weight 20)
path option 5, type explicit divert2
Last PCALC Error: Tue Jan 16 22:15:51 2018
Info: Path-option is skipped because it is held down
Last Signalled Error : Tue Jan 16 22:15:51 2018
Info: [23] PathErr(23,769)-(system) at 10.1.3.13
G-PID: 0x0800 (derived from egress interface properties)
[..]

RP/0/0/CPU0:PE11#sh explicit-paths n divert2
Path divert2 status enabled
10: next-address strict 10.0.0.13
20: next-address loose 10.0.0.14
15: next-address strict 10.1.5.12
30: next-address strict 10.1.3.13
40: next-address strict 10.0.0.15

Task 2: Answer
ANSWER: Wrong explicit path on PE11
Clue:
The explicit path divert2 is going through PE13, PE12, PE14 and back to PE13.

Task 3: Output
CE41#sh lisp instance-id 0 ipv4 database
LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 2, no-route 1, inactive 0
10.2.42.0/24
Locator Pri/Wgt Source State
10.2.41.41 1/10 cfg-intf site-self, reachable
10.4.42.0/24 *** NO ROUTE TO EID PREFIX ***
Locator Pri/Wgt Source State
10.2.41.41 1/10 cfg-intf site-self, reachable

Task 3: Answer
ANSWER: The command "sh lisp instance-id 0 ipv4 database" on CE41.
Clue:
The prefix 10.4.42.0/24 is not reachable on CE41.

Task 4: Output
PE12#sh ip ospf border-routers det
OSPF Router with ID (0.0.0.12) (Process ID 2)
Base Topology (MTID 0)
Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route

i 10.0.0.11 [3] via 10.2.42.42, GigabitEthernet6, ABR, Area 0, SPF 47
Source 10.0.0.11, PDB SPF 59, path flag: none
Flags: PathList

After adding "redistribute bgp" on PE11:
PE12#*Jan 02 23:26:40.005: %OSPF-5-ADJCHG: Process 2, Nbr 10.0.0.11 on OSPF_SL1 from LOADING to FULL, Loading Done

PE12#sh ip ospf border-routers det
OSPF Router with ID (0.0.0.12) (Process ID 2)
Base Topology (MTID 0)
Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 10.0.0.11 [1] via 10.3.0.11, OSPF_SL1, ABR/ASBR, Area 0, SPF 48
Source 10.0.0.11, PDB SPF 61, path flag: none
Flags: PathList

Task 4: Answer
ANSWER: PE12 is not an ASBR.
Clue:
Note that XR has to be an ASBR. To make PE12 the XE does not have to be an ASBR.

Task 5: Output
PE12#sh bfd nei det
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
10.2.42.42 4097/4097 Up Up Gi6
Session state is UP and using echo function with 1000 ms interval.
Session Host: Software
OurAddr: 10.2.42.12
Handle: 1
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holddown (hits): 0(0), Hello (hits): 1000(62152)
Rx Count: 62161, Rx Interval (ms) min/max/avg: 1/1046/875 last: 830 ms ago
Tx Count: 62164, Tx Interval (ms) min/max/avg: 1/1022/875 last: 488 ms ago
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: CEF BGP
Uptime: 00:19:08
Last packet: Version: 1 - Diagnostic: 0
State bit: Up - Demand bit: 0
Poll bit: 0 - Final bit: 0
C bit: 0
Multiplier: 3 - Length: 24
My Discr.: 4097 - Your Discr.: 4097
Min tx interval: 1000000 - Min rx interval: 1000000
Min Echo interval: 1000000

Task 5: Answer
ANSWER: It is between 2 and 3 seconds.

[Figure: timeline (t) of BFD packets sent every 1000 ms, with 2 examples of failures. In one, 3 packets are lost and detection takes < 3 sec; in the other, 3 packets are lost and detection takes > 2 sec.]
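An added example (not from the slides) that works the Task 5 answer through: it reads the timers from the "sh bfd nei det" output and computes how long after a failure the session is declared down, depending on where between two packets the path breaks. The function names are hypothetical, and applying the local multiplier to the echo interval is a modelling assumption.

```python
import re

# Constructed sample: the timer lines copied from the "sh bfd nei det" output on this page.
SAMPLE = """\
Session state is UP and using echo function with 1000 ms interval.
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Min tx interval: 1000000 - Min rx interval: 1000000
"""


def _ints(pattern, text):
    """Return the integer capture groups of the first match, or fail loudly."""
    match = re.search(pattern, text, re.MULTILINE)
    if match is None:
        raise ValueError(f"field not found: {pattern!r}")
    return [int(group) for group in match.groups()]


def parse_timers(text):
    """Extract the BFD timers (microseconds) and multipliers from the CLI text."""
    _, local_rx, local_mult = _ints(
        r"^\s*MinTxInt: (\d+), MinRxInt: (\d+), Multiplier: (\d+)", text)
    _, peer_mult = _ints(
        r"^\s*Received MinRxInt: (\d+), Received Multiplier: (\d+)", text)
    (peer_tx,) = _ints(r"^\s*Min tx interval: (\d+)", text)
    echo = re.search(r"using echo function with (\d+) ms interval", text)
    return {
        "local_rx_us": local_rx,
        "local_mult": local_mult,
        "peer_tx_us": peer_tx,
        "peer_mult": peer_mult,
        "echo_ms": int(echo.group(1)) if echo else None,
    }


def effective_interval_and_multiplier(timers):
    """Return (interval_ms, multiplier) that drive the local detection timer."""
    if timers["echo_ms"] is not None:
        # Assumption: with echo in use, the local multiplier applies to the echo interval.
        return timers["echo_ms"], timers["local_mult"]
    # RFC 5880 asynchronous mode: the peer's multiplier times the larger of our
    # required receive interval and the peer's transmit interval.
    agreed_us = max(timers["local_rx_us"], timers["peer_tx_us"])
    return agreed_us // 1000, timers["peer_mult"]


def detection_window_ms(text):
    """Bounds (exclusive lower, inclusive upper) on failure-to-detection time."""
    interval, mult = effective_interval_and_multiplier(parse_timers(text))
    return (mult - 1) * interval, mult * interval


def time_to_detect_ms(text, offset_ms):
    """Time from the failure to session-down when the path breaks `offset_ms`
    after the last packet that was still received."""
    interval, mult = effective_interval_and_multiplier(parse_timers(text))
    if not 0 <= offset_ms < interval:
        raise ValueError("the failure must fall between two consecutive packets")
    # The detection timer restarted at the last received packet, not at the failure.
    return mult * interval - offset_ms


if __name__ == "__main__":
    low, high = detection_window_ms(SAMPLE)
    print(f"detection takes more than {low} ms and at most {high} ms")
    for offset in (10, 500, 990):
        print(f"failure {offset} ms after the last packet: "
              f"{time_to_detect_ms(SAMPLE, offset)} ms to detect")
```

The timer counts from the last packet received, so interval * multiplier is the upper bound and a failure just before the next expected packet is detected roughly one interval sooner.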

Configuration Module
CCIE SP Configuration – CiscoLive! Barcelona 2018
Duration: 2h30m / Total points: 23
• Domain 1
• IGP – 2 points
• BGP – 2 points
• MPLS LDP – 3 points
• MPLS/TE – 3 points
• Domain 2
• L2VPN – 2 points
• L3VPN – 3 points
• IPv6 transition – 2 points
• Domain 3
• PE-CE connectivity – 3 points
• QoS – 2 points
• Multicast – 2 points
• Domain 4
• System HA (LDP protection/sync) – 2 points
• FC (IP FRR or MPLS TE/FRR) – 2 points
• Domain 5
• Control Plane security – 2 points
• Infrastructure security – 2 points

[Figure: Lab topology, Configuration module. Service providers SP-109 (AS 109, IS-IS Level-1 and Level-2 areas), SP-901 (AS 901, OSPF Area 0) and SP-300; customers Customer24 (AS 24, MP-BGP), Customer42 (AS 42, OSPFv2), Customer64 (AS 64, EIGRP for IPv4 and IPv6) and Customer78 (AS 78, RIPv2). Diagram notes: PE12 is IPv4/IPv6 RR; P16 is VPNv4 RR; PE22 is IPv4/IPv6/VPNv4 RR. Address blocks shown: 10.100/16, 2001:10:100::/48, 20.200/16, 2001:20:200::/48.]
D1 Task 1: IGP for AS109
IS-IS Level-1 and Level-2 areas are configured on SP-109 as depicted on the diagram. Your
tasks are:
• Advertise the IPv4 and IPv6 addresses only for the Loopback 0 interface.
• Loopback 0 interface of PE12 and P16 must be in both Level-1 and Level-2 areas.
• IS-IS metrics of IPv6 prefixes must be independently calculated from IPv4 prefixes.
Note: You cannot leak Level-2 prefixes into the Level-1 area.
Score: 2 points

D1 Task 1: Configuration
PE12, PE13:
!
router isis 109
address-family ipv4 unicast
advertise passive-only
!
address-family ipv6 unicast
advertise passive-only
no single-topology
!
interface Loopback0
passive
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
interface GigabitEthernet0/0/0/x
circuit-type [level-1|level-2-only]
!

PE11, P16, P14, PE15:
!
router isis 109
is-type [level-1|level-2-only]
advertise passive-only
passive-interface Loopback0
!
address-family ipv6
advertise passive-only
multi-topology
!
interface GigabitEthernetx
isis circuit-type [level-1|level-2-only]
!

D1 Task 1: Verification
PE15#sh isis nei
Tag 109:
System Id Type Interface IP Address State Holdtime Circuit Id
PE12 L1 Gi4 10.100.25.2 UP 26 00
P14 L1 Gi2 10.100.45.4 UP 26 03
P16 L1 Gi3 10.100.56.6 UP 25 05
PE15#sh ip route isis
[..]
10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
i L1 10.100.0.2/32 [115/20] via 10.100.45.4, 00:20:39, GigabitEthernet2
i L1 10.100.0.4/32 [115/10] via 10.100.45.4, 00:20:39, GigabitEthernet2
i L1 10.100.0.6/32 [115/10] via 10.100.56.6, 00:20:39, GigabitEthernet3
PE15#sh ipv6 route isis
[..]
I1 2001:10:100::2/128 [115/20] via FE80::F816:3EFF:FE13:3C52, GigabitEthernet2
I1 2001:10:100::4/128 [115/10] via FE80::F816:3EFF:FE13:3C52, GigabitEthernet2
I1 2001:10:100::6/128 [115/10] via FE80::F816:3EFF:FEA0:DB36, GigabitEthernet3

D1 Task 2: TE for AS109 and AS901
Apply the BGP traffic engineering that meets the following recommendations:
• SP-109 must prefer SP-300 path when sending traffic towards SP-901.
• The next preferred path from SP-109 towards SP-901 must be PE13 and PE21 link.
• SP-901 must prefer P25 and PE15 link when sending traffic towards SP-109 and also
towards SP-300.
• Only if P25 and PE15 link fails, SP-901 can follow the shortest path to reach
SP-109 and also to reach SP-300.
Score: 2 points

D1 Task 2: TE for AS109 – PE13 configuration
RP/0/0/CPU0:PE13#sh rpl route-policy AS19
route-policy AS19
set local-preference 3000
done
end-policy
!
RP/0/0/CPU0:PE13#sh rpl route-policy AS901
route-policy AS901
set local-preference 2000
done
end-policy
!

D1 Task 2: TE for AS109 – PE13 configuration
RP/0/0/CPU0:PE13#sh running-config router bgp | utility egrep "neigh|route-pol"
neighbor 19.3.0.1
route-policy AS19 in
neighbor 1.9.13.21
route-policy AS901 in
neighbor 2001:19:3::1
route-policy AS19 in
neighbor 2001:1:9:13::21
route-policy AS901 in

D1 Task 2: TE for AS109 – PE25 configuration
P25#sh running-config | s ^route-map
route-map AS901 permit 10
set local-preference 1000

P25#sh running-config | s router bgp
router bgp 901
[...]
address-family ipv4
neighbor 1.9.55.15 route-map AS901 in
address-family ipv6
neighbor 2001:1:9:55::15 route-map AS901 in

D1 Task 3: LDP for AS109 and AS901
Configure LSR in SP-901 to customize the label range assignments. Each router must use
label range calculated using the following formula:
• 2X00-2X99 (where X is the router number (the last digit of the router ID))
• Cisco IOS XRv nodes must use the following formula:
• 16X00-16X99
• example: for PE21, the router ID is 1, for PE22 the router ID is 2, and so on.
Configure LSR in SP-901 to rely on IGP to enable LDP.
Score: 3 points

D1 Task 3: Label range for AS901
PE21#sh run | i range
mpls label range 2100 2199

RP/0/0/CPU0:PE22#sh running-config | i range
mpls label range table 0 16200 16299

D1 Task 3: MPLS LDP autoconfiguration for AS901 – IOS/IOS-XE
PE21#sh running-config | s router ospf 901
router ospf 901
mpls ldp autoconfig
passive-interface Loopback0

PE21#sh mpls interfaces detail
Interface GigabitEthernet0/2:
Type Unknown
IP labeling enabled (ldp):
IGP config

D1 Task 3: MPLS LDP autoconfiguration for AS901 – IOS-XR
RP/0/0/CPU0:PE22#sh running-config router ospf
router ospf 901
area 0
mpls ldp auto-config
interface Loopback0
passive enable

RP/0/0/CPU0:PE22#sh mpls ldp interface
Sun Jan 21 21:27:04.211 UTC
Interface GigabitEthernet0/0/0/0 (0x40)
VRF: 'default' (0x60000000)
Enabled via config: IGP Auto-config
Interface GigabitEthernet0/0/0/1 (0x60)
VRF: 'default' (0x60000000)
Enabled via config: IGP Auto-config

D1 Task 4: Tunnel in AS109
Create MPLS Traffic Engineering tunnels that meet the following requirements:
• Build a Tunnel from PE11 to PE15 via PE13, P16, and P14. This MPLS TE tunnel must be
used to carry the Layer 3 VPN traffic of the Customer64 (CE101 and CE102).
• Traffic from CE102 towards CE101 must be guaranteed as well, and it must follow this
path: P16 → P14 → PE12 → PE13.
Note: Manipulation of IGP metrics is not treated as a guarantee of the path.
Score: 3 points

D1 Task 4: MPLS TE
PE11:
!
interface Tunnel1365
ip unnumbered Loopback0
tunnel mode mpls traffic-eng
tunnel destination 10.100.0.5
tunnel mpls traffic-eng autoroute destination
tunnel mpls traffic-eng path-option 10 explicit name T1365
!
ip explicit-path name T1365 enable
index 10 next-address 10.100.0.3
index 20 next-address loose 10.100.0.6
index 30 next-address 10.100.0.4
!
Note: Inter-Area TE. Loose hop required pointing at ABR.
PE11#sh ip route 10.100.0.5
Routing entry for 10.100.0.5/32
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Tunnel1365
Route metric is 0, traffic share count is 1

D1 Task 4: MPLS TE
Traceroute after an L3VPN task.
Without MPLS TE:
CE101#trace 13.101.13.2 sou 13.101.13.1
[..]
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.101.1 3 msec 5 msec 2 msec
2 10.100.12.2 [MPLS: Labels 16205/509 Exp 0] 12 msec 6 msec 31 msec
3 10.100.24.4 [MPLS: Labels 400/509 Exp 0] 11 msec 6 msec 6 msec
4 172.16.102.1 [MPLS: Label 509 Exp 0] 9 msec 8 msec 7 msec
5 172.16.102.254 6 msec * 7 msec
With tunnel T1365:
CE101#trace 13.101.13.2 sou 13.101.13.1
[..]
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.101.1 1 msec 1 msec 2 msec
2 10.100.13.3 [MPLS: Labels 16300/509 Exp 0] 7 msec 8 msec 8 msec
3 10.100.36.6 [MPLS: Labels 613/509 Exp 0] 6 msec 17 msec 8 msec
4 10.100.46.4 [MPLS: Labels 405/509 Exp 0] 26 msec 11 msec 17 msec
5 172.16.102.1 [MPLS: Label 509 Exp 0] 12 msec 6 msec 5 msec
6 172.16.102.254 16 msec * 11 msec

D1 Task 4: MPLS TE
PE15:
!
interface Tunnel5642
ip unnumbered Loopback0
tunnel mode mpls traffic-eng
tunnel destination 10.100.0.2
tunnel mpls traffic-eng autoroute destination
tunnel mpls traffic-eng path-option 10 explicit name T5642
!
ip explicit-path name T5642 enable
index 10 next-address 10.100.0.6
index 20 next-address 10.100.0.4
index 30 next-address 10.100.0.2
!
Note: 2 tunnels, as 10.100.0.1 is not reachable from Level-1.
PE12:
!
interface tunnel-te231
ipv4 unnumbered Loopback0
autoroute announce
destination 10.100.0.1
path-option 10 explicit name T231
!
explicit-path name T231
index 10 next-address strict ipv4 unicast 10.100.0.3
index 20 next-address strict ipv4 unicast 10.100.0.1
!
D1 Task 4: MPLS TE
Traceroute after an L3VPN task.
Without MPLS TE:
CE102#trace 13.101.13.1 sou 13.101.13.2
[..]
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.102.1 2 msec 1 msec 5 msec
2 10.100.45.4 [MPLS: Labels 404/16209/101 Exp 0] 9 msec 9 msec 10 msec
3 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 8 msec 10 msec 5 msec
4 172.16.101.1 [MPLS: Label 101 Exp 0] 9 msec 6 msec 7 msec
5 172.16.101.254 7 msec * 8 msec
With 2 tunnels (T5642 + T231):
CE102#trace 13.101.13.1 sou 13.101.13.2
[..]
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.102.1 1 msec 2 msec 4 msec
2 10.100.56.6 [MPLS: Labels 610/16209/101 Exp 0] 12 msec 10 msec 6 msec
3 10.100.46.4 [MPLS: Labels 402/16209/101 Exp 0] 11 msec 8 msec 14 msec
4 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 8 msec 8 msec 11 msec
5 10.100.23.3 [MPLS: Labels 16301/101 Exp 0] 9 msec 11 msec 12 msec
6 172.16.101.1 [MPLS: Label 101 Exp 0] 8 msec 11 msec 8 msec
7 172.16.101.254 10 msec * 11 msec

D2 Task 1: CE21 and CE22 service
SP-901 must provide an IP-transparent connection to be used by Customer42 (CE21 and
CE22).
• CE21 and CE22 must use Gig0/1.66 interface for this connection.
• The service must use control word.

CE21 must assign an IPv6 address to CE22 (Gig 0/1.66), automatically.


• CE21 must use IPv6 only on GigabitEthernet 0/1.66 sub-interface.
• CE22 must be able to reach CE21 directly using the assigned IPv6 address over the service provided
by SP-901.
• Use the 2001:192:168:21::/64 network for this configuration.

Score: 2 points

D2 Task 1: xconnect for AS901
RP/0/0/CPU0:PE22#sh running-config router ospf
PE21#sh running-config interface gigabitEthernet 0/5.66
!
interface GigabitEthernet0/5.66
encapsulation dot1Q 66
no cdp enable
xconnect 20.200.0.3 66 encapsulation mpls pw-class AS901
end

PE21#sh running-config | s pseudowire
pseudowire-class AS901
encapsulation mpls
control-word

D2 Task 1: IPv6 autoconfiguration for CE21
CE21#sh run int gi0/1.66
interface GigabitEthernet0/1.66
encapsulation dot1Q 66
ipv6 address 2001:192:168:21::1/64
no cdp enable
end

CE21#sh ipv6 int gi0/1.66 prefix
IPv6 Prefix Advertisements GigabitEthernet0/1.66
PD default [LA] Valid lifetime 2592000, preferred lifetime 604800
AD 2001:192:168:21::/64 [LA] Valid lifetime 2592000, preferred lifetime 604800

D2 Task 1: IPv6 autoconfiguration for CE22
CE22#sh run int gi0/1.66
Building configuration...
Current configuration : 103 bytes
!
interface GigabitEthernet0/1.66
encapsulation dot1Q 66
ipv6 address autoconfig
no cdp enable
end

CE22#sh ipv6 int gi0/1.66
GigabitEthernet0/1.66 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::F816:3EFF:FE50:6FFE
No Virtual link-local address(es):
Stateless address autoconfig enabled
Global unicast address(es):
2001:192:168:21:F816:3EFF:FE50:6FFE, subnet is 2001:192:168:21::/64 [EUI/CAL/PRE]
valid lifetime 2591867 preferred lifetime 604667

D2 Task 2: L3VPN for AS109 and AS901
MP-iBGP VPNv4 and VPNv6 peering have been configured on both SP-109 and SP-901.
Your task is to complete the L3VPN configuration on both service providers to allow
communication between sites of Customer24, Customer42, Customer64, and Customer78.

Note: Traffic cannot be leaked between customers.


Score: 3 points

D3 Task 1: Example for AS_64
PE11#sh vrf AS_64
Name Default RD Protocols Interfaces
AS_64 64:64 ipv4,ipv6 Gi5
PE11#sh ip route vrf AS_64
13.0.0.0/32 is subnetted, 2 subnets
D 13.101.13.1 [90/10880] via 172.16.101.254, 3d08h, GigabitEthernet5
B 13.101.13.2 [200/100] via 10.100.0.5, 09:24:56
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.101.0/24 is directly connected, GigabitEthernet5
L 172.16.101.1/32 is directly connected, GigabitEthernet5
B 172.16.102.0/24 [200/0] via 10.100.0.5, 09:24:56
PE11#sh running-config | s router bgp
router bgp 109
[…]
neighbor 10.100.0.2 remote-as 109
neighbor 10.100.0.2 update-source Loopback0
neighbor 10.100.0.6 remote-as 109
neighbor 10.100.0.6 update-source Loopback0
neighbor 2001:10:100::2 remote-as 109
neighbor 2001:10:100::2 update-source Loopback0
neighbor 2001:10:100::6 remote-as 109
neighbor 2001:10:100::6 update-source Loopback0

D3 Task 1: Example for AS_64 (continued)
address-family ipv4
network 10.100.0.0 mask 255.255.0.0
network 10.100.0.1 mask 255.255.255.255
aggregate-address 10.100.0.0 255.255.0.0
neighbor 10.100.0.2 activate
neighbor 10.100.0.2 next-hop-self
neighbor 10.100.0.2 send-label
exit-address-family
address-family vpnv4
neighbor 10.100.0.6 activate
neighbor 10.100.0.6 send-community extended
exit-address-family
address-family vpnv6
neighbor 2001:10:100::6 activate
neighbor 2001:10:100::6 send-community extended
exit-address-family
address-family ipv4 vrf AS_64
redistribute connected
redistribute eigrp 64 metric 100
exit-address-family
address-family ipv6 vrf AS_64
redistribute connected
redistribute eigrp 64 metric 100
exit-address-family

D2 Task 2: L3VPN
Additional configuration to that required for L3VPN.
PE11:
!
router bgp 109
neighbor 10.100.0.2 remote-as 109
neighbor 10.100.0.2 update-source Lo0
address-family ipv4 unicast
network 10.100.0.1 mask 255.255.255.255
neighbor 10.100.0.2 activate
neighbor 10.100.0.2 next-hop-self
neighbor 10.100.0.2 send-label
!
Note: PE15 is in the Level-1 area and there is no 10.100.0.1/32 advertised via IS-IS. Thus RFC3107 is needed.
PE12:
!
router bgp 109
ibgp policy out enforce-modifications
address-family ipv4 unicast
network 10.100.0.2/32
allocate-label all
!
neighbor 10.100.0.1
address-family ipv4 labeled-unicast
route-reflector-client
next-hop-self
!
Note: PE12 acts as an inline RR and assigns a BGP label for 10.100.0.1/32.

D2 Task 2: L3VPN
Additional configuration to that required for L3VPN.
PE12:
!
router bgp 109
neighbor 10.100.0.5
remote-as 109
update-source Loopback0
address-family ipv4 labeled-unicast
route-reflector-client
next-hop-self
!
PE15:
!
router bgp 109
neighbor 10.100.0.2 remote-as 109
neighbor 10.100.0.2 update-source Loopback0
!
address-family ipv4
network 10.100.0.5 mask 255.255.255.255
neighbor 10.100.0.2 activate
neighbor 10.100.0.2 next-hop-self
neighbor 10.100.0.2 send-label
!
Note: PE15 receives 10.100.0.1/32 with a BGP label allocated by PE12.

D2 Task 2: Verification
Additional configuration to that required for L3VPN.
PE12#sh bgp ipv4 labeled-unicast labels | utility egrep "Label|10.100.0.1/32"
Network Next Hop Rcvd Label Local Label
*>i10.100.0.1/32 10.100.0.1 3 16209
PE15#sh ip cef vrf AS_64 13.101.13.1 det
13.101.13.1/32, epoch 0, flags [rib defined all labels]
recursive via 10.100.0.1 label 101
recursive via 10.100.0.2 label 16209
nexthop 10.100.45.4 GigabitEthernet2 label [404|implicit-null]-(local:503)
repair: attached-nexthop 10.100.25.2 GigabitEthernet4
RFC3107 in action: label 16209 is for 10.100.0.1/32.
CE102#trace 13.101.13.1 sou 13.101.13.2
Type escape sequence to abort.
Tracing the route to 13.101.13.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.102.1 4 msec 3 msec 3 msec
2 10.100.45.4 [MPLS: Labels 404/16209/101 Exp 0] 6 msec 6 msec 5 msec
3 10.100.24.2 [MPLS: Labels 16209/101 Exp 0] 6 msec 5 msec 5 msec
4 172.16.101.1 [MPLS: Label 101 Exp 0] 5 msec 5 msec 7 msec
5 172.16.101.254 7 msec * 6 msec

D2 Task 3: IPv6 Transition
Configure AS-901 to provide IPv6-to-IPv4 translation, so that the IPv6 address of
Loopback 0 on PE23 is translated to IPv4. PE23 should be able to connect to 30.3.1.1 on
PE301.
Notes:
• You can choose any IPv4/IPv6 address required to complete this task.
• Use PE21 as a translator.
Score: 2 points

D2 Task 3: IPv6 Transition
PE21:
!
interface GigabitEthernet0/2
nat64 enable
!
interface GigabitEthernet0/3
nat64 enable
!
interface GigabitEthernet0/6
nat64 enable
!
nat64 prefix stateful 2006:BEEF::/96
nat64 v4v6 static 30.3.1.1 2006:BEEF::1E03:101
nat64 v6v4 static 2001:20:200::3 93.3.0.3
!
router ospfv3 901
address-family ipv6 unicast
redistribute static
!
router bgp 901
address-family ipv4
redistribute static
!
Note: 2006:BEEF::/96 and 93.3.0.3 are arbitrarily chosen addresses.

D2 Task 3: Verification
PE23#sh ipv6 route 2006:BEEF::1E03:101
Routing entry for 2006:BEEF::/96
Known via "ospf 901", distance 110, metric 20, type extern 2
Route count is 1/1, share count 0
Routing paths:
FE80::F816:3EFF:FE79:3161, GigabitEthernet0/2
From FE80::F816:3EFF:FE79:3161
Last updated 00:21:33 ago
PE21#sh ipv6 route 2006:BEEF::1E03:101
Routing entry for 2006:BEEF::/96
Known via "static", distance 1, metric 0
Redistributing via ospf 901
Route count is 1/1, share count 0
Routing paths:
::100.0.0.1, NVI1
PE21#sh ip route 93.3.0.3
Routing entry for 93.3.0.3/32
Known via "static", distance 0, metric 0
Redistributing via bgp 901
Advertised by bgp 901
Routing Descriptor Blocks:
* directly connected, via NVI1

D2 Task 3: Verification
PE23#telnet 2006:BEEF::1E03:101 /source-interface lo0 /ipv6
Trying 2006:BEEF::1E03:101 ... Open
User Access Verification
Username: cisco
Password:
PE301#sh users
Line User Host(s) Idle Location
0 con 0 idle 00:01:02
* 1 vty 0 cisco idle 00:00:00 93.3.0.3
Interface User Mode Idle Peer Address
PE21#sh nat64 trans
Proto Original IPv4 Translated IPv4
Translated IPv6 Original IPv6
--------------------------------------------------------
--- 30.3.1.1 2006:BEEF::1E03:101
--- ---
tcp 30.3.1.1:23 [2006:BEEF::1E03:101]:23
93.3.0.3:48577 [2001:20:200::3]:48577
--- --- ---
93.3.0.3 2001:20:200::3
Total number of translations: 3

D3 Task 1: Routing protocols on PE-CE edge
Enable the PE-CE routing protocol as per the following requirements:
• Configure EIGRP for both IPv4 and IPv6 for Customer64 (CE101 and CE102).
• Configure RIPv2 for Customer78 (CE111 and CE110).
  • Make sure the metric for routes exchanged over the service provider backbone is adjusted by 10 by SP-109.
• Configure OSPFv2 for Customer42 (CE21 and CE22).
• Configure BGP for Customer24.
  • Make sure both IPv4 and IPv6 networks are exchanged.
  • There must be full reachability between both sites.
  • SP-901 must use AS number 500 for this peering.

Score: 3 points

D3 Task 1: Verification for AS64
CE101#sh running-config | s router eigrp
router eigrp AS64
address-family ipv4 unicast autonomous-system 64
af-interface Loopback0
passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 13.0.0.0
network 172.16.0.0
exit-address-family
address-family ipv6 unicast autonomous-system 64
af-interface Loopback0
passive-interface
exit-af-interface
topology base
exit-af-topology
exit-address-family

D3 Task 1: Verification for AS64 (continued)
CE101#sh ip route eigrp | b ^D
D 13.101.13.2 [90/16000] via 172.16.101.1, 00:09:36, GigabitEthernet0/1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.102.0/24
[90/15360] via 172.16.101.1, 00:09:36, GigabitEthernet0/1
CE101#sh ipv6 route eigrp | b ^D
D 2001:13:101:13::2/128 [90/16000]
via FE80::F816:3EFF:FE6B:3ED5, GigabitEthernet0/1
EX 2001:172:16:102::/64 [170/51205120]
via FE80::F816:3EFF:FE6B:3ED5, GigabitEthernet0/1
CE101#ping 2001:13:101:13::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:13:101:13::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/13/23 ms
CE101#ping 2001:172:16:102::254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:172:16:102::254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/27 ms

D3 Task 1: Verification for AS78
CE23#sh running-config | s router bgp
router bgp 24
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 2001:192:168:23::1 remote-as 500
neighbor 192.168.23.1 remote-as 500
!
address-family ipv4
network 23.23.0.3 mask 255.255.255.255
neighbor 192.168.23.1 activate
neighbor 192.168.23.1 allowas-in 1
exit-address-family
!
address-family ipv6
network 2001:23:23::3/128
neighbor 2001:192:168:23::1 activate
neighbor 2001:192:168:23::1 allowas-in 1
exit-address-family

D3 Task 1: Verification for AS78 (continued)
CE23#sh ip route | b ^B
B 23.23.0.4 [20/0] via 192.168.23.1, 1d16h
192.168.23.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.23.0/24 is directly connected, GigabitEthernet0/1
L 192.168.23.254/32 is directly connected, GigabitEthernet0/1
B 192.168.24.0/24 [20/0] via 192.168.23.1, 1d16h
CE23#sh ipv6 route | b ^B
[…]
B 2001:23:23::4/128 [20/0]
via FE80::F816:3EFF:FE88:DC3E, GigabitEthernet0/1
[…]
B 2001:192:168:24::/64 [20/0]
via FE80::F816:3EFF:FE88:DC3E, GigabitEthernet0/1
CE23#traceroute 23.23.0.4 source lo0
Type escape sequence to abort.
Tracing the route to 23.23.0.4
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.23.1 [AS 901] 3 msec 3 msec 5 msec
2 20.200.12.2 [MPLS: Label 16210 Exp 0] 7 msec 6 msec 7 msec
3 192.168.24.254 [AS 901] 9 msec * 6 msec

D3 Task 2: QoS
Configure a policy to remark IPP=5 to EXP=3 for the traffic using a PW from PE23 to PE21.
Reserve 10Mbps for the traffic with EXP=3 going out of this PW from PE21 to CE21.

Note: No reservation is needed through the core at this moment.

Score: 2 points

D3 Task 2: QoS
PE23:
!
class-map match-all ipv6
match precedence 5
!
policy-map pw1
class ipv6
set mpls experimental imposition 3
!
interface GigabitEthernet0/3.66
service-policy input pw1
!

D3 Task 2: QoS
PE21:
!
class-map match-all exp3
match mpls experimental topmost 3
class-map match-all qos3
match qos-group 3
!
policy-map pw1-out
class qos3
bandwidth 10000
policy-map pw1
class exp3
set qos-group 3
!
interface GigabitEthernet0/2
service-policy input pw1
!
interface GigabitEthernet0/5
service-policy output pw1-out
!

D3 Task 2: Verification
CE22#ping ipv6
Target IPv6 address: 2001:192:168:21::1
Repeat count [5]: 3
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [no]: y
Source address or interface: g0/1.66
UDP protocol? [no]:
Verbose? [no]:
Precedence [0]: 5
Include hop by hop option? [no]:
Include destination option? [no]:
Sweep range of sizes? [no]:
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 2001:192:168:21::1, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 6/7/8 ms

D3 Task 2: Verification
PE23#sh policy-map int g0/3.66
GigabitEthernet0/3.66
Service-policy input: pw1
Class-map: ipv6 (match-all)
5 packets, 590 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: precedence 5
QoS Set
mpls experimental imposition 5
Packets marked 5
Class-map: class-default (match-any)
11 packets, 1042 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

D3 Task 2: Verification
PE21#sh policy-map int g0/2
GigabitEthernet0/2
Service-policy input: pw1
Class-map: exp3 (match-all)
5 packets, 680 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: mpls experimental topmost 3
QoS Set
qos-group 3
Packets marked 5
[..]
PE21#sh policy-map int g0/5
GigabitEthernet0/5
Service-policy output: pw1-out
Class-map: qos3 (match-all)
5 packets, 590 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: qos-group 3
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 5/590
bandwidth 10000 kbps
[..]

D3 Task 3: Multicast
Enable multicast traffic on Customer78 that meets the following requirements:
• SP-109 must use mLDP as the core MDT.
• SP-109 must use PIM SM in the VRF.
• CE110 must be the source of the multicast traffic.
• CE111 must be the receiver.
• PE12 must be the RP.
Note: You can choose PIM SM or SSM in the core.
Score: 2 points

D3 Task 3: Multicast
PE12, PE13:
!
ipv4 access-list ssm1
10 permit ipv4 host 233.1.1.1 any
!
route-policy mldp1
set core-tree mldp-inband
end-policy
!
mpls ldp
mldp
logging notifications
address-family ipv4
!
multicast-routing
address-family ipv4
interface Loopback0
enable
!
mdt source Loopback0
!
PE12, PE13: [cont. multicast-routing]
!
vrf AS_78
address-family ipv4
mdt source Loopback0
interface all enable
mdt mldp in-band-signaling ipv4
!
multicast-routing
!
router pim
vrf AS_78
address-family ipv4
rp-address 172.16.10.1
rpf topology route-policy mldp1
interface GigabitEthernet0/0/0/[5|3]
enable
!
ssm range ssm1
!

D3 Task 3: Verification
CE110#ping 225.1.1.1 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 225.1.1.1, timeout is 2 seconds:
Reply to request 0 from 13.13.13.11, 46 ms
Reply to request 0 from 13.13.13.11, 52 ms
Reply to request 0 from 13.13.13.11, 46 ms
Reply to request 1 from 13.13.13.11, 13 ms
[..]
PE13#sh mpls mldp bind
mLDP MPLS Bindings database
LSP-ID: 0x00001 Paths: 2 Flags:
0x00001 P2MP 10.100.0.2 [vpnv4 78:78 * 225.1.1.1]
Local Label: 16302 Active
Remote Label: 1048577 Inft: ImdtAS/78 RPF-ID: 3 TIDv4/v6: 0xE0000011/0x0
LSP-ID: 0x00002 Paths: 2 Flags:
0x00002 P2MP 10.100.0.2 [vpnv4 78:78 13.13.13.10 225.1.1.1]
Local Label: 16303 Active
Remote Label: 1048577 Inft: ImdtAS/78 RPF-ID: 4 TIDv4/v6: 0xE0000011/0x0
LSP-ID: 0x00003 Paths: 2 Flags:
0x00003 P2MP 10.100.0.2 [vpnv4 78:78 172.16.10.254 225.1.1.1]
Local Label: 16304 Active
Remote Label: 1048577 Inft: ImdtAS/78 RPF-ID: 5 TIDv4/v6: 0xE0000011/0x0

D3 Task 3: Verification
PE12#sh mrib vrf AS_78 route 225.1.1.1
(*,225.1.1.1) RPF nbr: 172.16.10.1 Flags: C RPF
Up: 00:06:08
Incoming Interface List
Decapstunnel0 Flags: A, Up: 00:06:08
Outgoing Interface List
GImdtAS/78 Flags: F LMI, Up: 00:06:08
(13.13.13.10,225.1.1.1) RPF nbr: 172.16.10.254 Flags: L RPF
Up: 00:00:46
Incoming Interface List
GigabitEthernet0/0/0/5 Flags: A, Up: 00:00:46
Outgoing Interface List
ImdtAS/78 Flags: F LMI, Up: 00:00:44
GImdtAS/78 Flags: F LMI, Up: 00:00:46
(172.16.10.254,225.1.1.1) RPF nbr: 172.16.10.254 Flags: L RPF
Up: 00:00:46
Incoming Interface List
GigabitEthernet0/0/0/5 Flags: A, Up: 00:00:46
Outgoing Interface List
GImdtAS/78 Flags: F LMI, Up: 00:00:46

D4 Task 1: LSP protection
Configure SP-901 in such a way that routers establish additional
direct sessions for LDP in case the link between them goes down.
Score: 2 points

D4 Task 1: LSP protection in AS901 – IOS/IOS-XE
PE21#sh running-config | i ^mpls ldp
mpls ldp session protection
mpls ldp discovery targeted-hello accept

PE21#sh mpls ldp neighbor


Peer LDP Ident: 20.200.0.4:0; Local LDP Ident 20.200.0.1:0
TCP connection: 20.200.0.4.25218 - 20.200.0.1.646
State: Oper; Msgs sent/rcvd: 1621/1626; Downstream
Up time: 23:23:37
LDP discovery sources:
GigabitEthernet0/2, Src IP addr: 20.200.14.4
Targeted Hello 20.200.0.1 -> 20.200.0.4, active, passive
Peer LDP Ident: 20.200.0.3:0; Local LDP Ident 20.200.0.1:0
[...]
LDP discovery sources:
Targeted Hello 20.200.0.1 -> 20.200.0.3, active, passive

D4 Task 1: LSP protection in AS901 – IOS/IOS-XE and IOS-XR
RP/0/0/CPU0:PE22#sh running-config mpls ldp
mpls ldp router-id 20.200.0.2
session protection
address-family ipv4
!
!
RP/0/0/CPU0:PE22#sh mpls ldp neighbor | utility egrep "Peer LDP|Targeted"
Sun Jan 21 22:42:43.980 UTC
Peer LDP Identifier: 20.200.0.5:0
Targeted Hello (20.200.0.2 -> 20.200.0.5, active)
Peer LDP Identifier: 20.200.0.4:0
Targeted Hello (20.200.0.2 -> 20.200.0.4, active)
Peer LDP Identifier: 20.200.0.1:0
Targeted Hello (20.200.0.2 -> 20.200.0.1, active)

D4 Task 2: IS-IS optimization
Enable IP FRR in SP-109 for all prefixes in the IGP database.
Score: 2 points

D4 Task 2: IS-IS IP FRR – IOS/IOS-XE
P14#sh running-config | s ^router isis
router isis 109
net 49.0109.0000.0004.00
fast-reroute per-prefix level-2 all

P14#sh ip route repair-paths


[...]
10.0.0.0/8 is variably subnetted, 21 subnets, 3 masks
S 10.100.0.0/16 is directly connected, Null0
i L2 10.100.0.1/32 [115/11] via 10.100.24.2, 23:31:59, GigabitEthernet2
Repair Path: 10.100.45.5, via GigabitEthernet3
[RPR][115/20] via 10.100.45.5, 23:31:59, GigabitEthernet3

D4 Task 2: IS-IS IP FRR – IOS-XR
RP/0/0/CPU0:PE13#sh running-config router isis | utility egrep "interface|fast-"
interface GigabitEthernet0/0/0/0
fast-reroute per-prefix
interface GigabitEthernet0/0/0/1
fast-reroute per-prefix
[...]

RP/0/0/CPU0:PE13#sh route isis


Sun Jan 21 22:48:44.425 UTC
i L2 10.100.0.1/32 [115/101] via 10.100.23.2, 23:29:53, GigabitEthernet0/0/0/2 (!)
[115/1] via 10.100.13.1, 23:29:53, GigabitEthernet0/0/0/0

D5 Task 1: Peering security
Service providers must increase network security. Your tasks are:
• Make sure PE13 and PE301 establish eBGP peering using the maximum TTL value and
discard any TCP request with lower TTL values.
• Configure PE21 for receiving up to 1000 prefixes from PE301.
• At the 75% mark, the router must send a warning message.
• If the limit is breached, the session must be reset.
• PE21 must wait 3 minutes before initiating or accepting a new session in this case.

Score: 2 points

D5 Task 1: PE13 and PE301 eBGP peering protection
RP/0/0/CPU0:PE13#sh running-config router bgp
[...]
router bgp 109
neighbor 19.3.0.1
remote-as 19
ttl-security
[...]

PE301#sh running-config | s router bgp


router bgp 300
[...]
neighbor 19.3.0.13 remote-as 109
neighbor 19.3.0.13 ttl-security hops 1

D5 Task 1: PE21 eBGP peering protection
PE21#sh running-config | s router bgp
router bgp 901
[...]
address-family ipv4
neighbor 91.3.0.1 maximum-prefix 1000 restart 3
address-family ipv6
neighbor 2001:91:3::1 maximum-prefix 1000 restart 3
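
Added example (not part of the original slides): the task asks for a warning at 75%, yet the PE21 lines carry no threshold argument, because IOS applies 75 percent when the threshold is omitted. The Python below parses `neighbor ... maximum-prefix` lines, fills in that default, and checks each peer against the task's requirements; the function names and the two 192.0.2.x lines are constructed for illustration.

```python
import re

IOS_DEFAULT_THRESHOLD_PCT = 75  # applied by IOS when no threshold is given

MAX_PREFIX = re.compile(
    r"^\s*neighbor\s+(?P<peer>\S+)\s+maximum-prefix\s+(?P<limit>\d+)"
    r"(?:\s+(?P<threshold>\d+))?"
    r"(?:\s+restart\s+(?P<restart>\d+))?"
    r"(?P<warning_only>\s+warning-only)?\s*$"
)

# The two maximum-prefix lines shown for PE21 on this page.
PE21_CONFIG = """
router bgp 901
 address-family ipv4
  neighbor 91.3.0.1 maximum-prefix 1000 restart 3
 address-family ipv6
  neighbor 2001:91:3::1 maximum-prefix 1000 restart 3
"""

# Constructed counter-examples (peers use documentation addresses).
WEAK_CONFIG = """
 neighbor 192.0.2.1 maximum-prefix 1000 warning-only
 neighbor 192.0.2.2 maximum-prefix 1000 90
"""


def parse_max_prefix(config):
    """Return {peer: settings} for every maximum-prefix line, defaults filled in."""
    peers = {}
    for line in config.splitlines():
        m = MAX_PREFIX.match(line)
        if not m:
            continue
        limit = int(m["limit"])
        pct = int(m["threshold"]) if m["threshold"] else IOS_DEFAULT_THRESHOLD_PCT
        peers[m["peer"]] = {
            "limit": limit,
            "threshold_pct": pct,
            "warn_at": limit * pct // 100,  # prefix count that triggers the warning
            "restart_min": int(m["restart"]) if m["restart"] else None,
            "warning_only": m["warning_only"] is not None,
        }
    return peers


def audit(s, limit=1000, threshold_pct=75, restart_min=3):
    """List the ways one peer's settings miss the task's requirements."""
    findings = []
    if s["limit"] != limit:
        findings.append(f"limit is {s['limit']}, expected {limit}")
    if s["threshold_pct"] != threshold_pct:
        findings.append(f"warning at {s['threshold_pct']}%, expected {threshold_pct}%")
    if s["warning_only"]:
        findings.append("warning-only: the session is never reset on breach")
    elif s["restart_min"] is None:
        findings.append("no restart timer: session stays down until cleared manually")
    elif s["restart_min"] != restart_min:
        findings.append(f"restart after {s['restart_min']} min, expected {restart_min}")
    return findings


if __name__ == "__main__":
    for cfg in (PE21_CONFIG, WEAK_CONFIG):
        for peer, s in parse_max_prefix(cfg).items():
            print(peer, f"warn_at={s['warn_at']}", audit(s) or "OK")
```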

D5 Task 2: VPN traffic control
On PE21 and PE23, make sure the routers check for spoofing of source addresses. Should
such activity be detected, spoofed traffic must be dropped, and a message must be logged
identifying both the IP addressing information and the Layer 4 information, as in the
following example:
denied tcp 16.16.14.1(5403) -> 21.200.0.1(23), 1 packet

Score: 2 points

D5 Task 2: PE21 and PE23 uRPF configuration
PE21#sh run int gi0/5 | i interf|verify
interface GigabitEthernet0/5
ip verify unicast source reachable-via rx 2699
[...]
PE21#sh ip access-lists 2699
Extended IP access list 2699
10 deny ip any any log
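
Added example (not part of the original slides): once uRPF drops are logged in the format the task shows, the log can be summarized per source. The Python below parses that message body, totals dropped packets per source address, and separates out "denied" lines that carry no port numbers; every log line other than the task's own example is constructed, and the function names are assumptions.

```python
import re
from collections import Counter

# Matches the message body given in the task, e.g.
#   denied tcp 16.16.14.1(5403) -> 21.200.0.1(23), 1 packet
L4_DENY = re.compile(
    r"denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample; the first message body is the example from the task.
SAMPLE_LOG = [
    "%SEC-6-IPACCESSLOGP: list 2699 denied tcp 16.16.14.1(5403) -> 21.200.0.1(23), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 2699 denied tcp 16.16.14.1(5404) -> 21.200.0.1(23), 4 packets",
    "%SEC-6-IPACCESSLOGP: list 2699 denied udp 16.16.14.7(53) -> 21.200.0.1(33434), 2 packets",
    "%SEC-6-IPACCESSLOGNP: list 2699 denied 47 16.16.14.9 -> 21.200.0.1, 1 packet",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up",
]


def parse_denies(lines):
    """Split log lines into parsed L4 drops and 'denied' lines without ports."""
    drops, no_l4 = [], []
    for line in lines:
        m = L4_DENY.search(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "count"):
                d[key] = int(d[key])
            drops.append(d)
        elif "denied" in line:
            # Dropped, but the record lacks the Layer 4 detail the task requires.
            no_l4.append(line)
    return drops, no_l4


def top_spoofed_sources(drops):
    """Total dropped packets per source address, highest first."""
    per_src = Counter()
    for d in drops:
        per_src[d["src"]] += d["count"]
    return per_src.most_common()


if __name__ == "__main__":
    drops, no_l4 = parse_denies(SAMPLE_LOG)
    for src, packets in top_spoofed_sources(drops):
        print(f"{src}: {packets} packets dropped")
    print(f"{len(no_l4)} denied line(s) without Layer 4 information")
```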

Questions & Answers
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
  • LABCCIE-3007: CCIE SP – Troubleshoot MPLS
  • LABCCIE-3008: CCIE SP – DIAG module
  • LABCCIE-3009: CCIE SP – Troubleshooting IGP
  • LABCCIE-3010: CCIE SP – Multicast VPN
  • LABCCIE-3011: CCIE SP – Fast Convergence
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• CCIE SP workbook on CLN
  • https://learningnetworkstore.cisco.com/cisco-ccie-expert-training/level-for-service-provider-v4-1-lab-workbook-360-sp-04-wkb-core-020997
• CCIE SP study group
  • https://learningnetwork.cisco.com/groups/ccie-sp-study-group

Become a Cisco Subject Matter Expert
• Do you consider yourself a Subject Matter Expert?
• Would you like to lend your expertise to the Cisco Certification Exam?
http://www.cisco.com/go/certsme

Thank you
References
Preparation Materials
• Configuration Guide, Products, Technology
• Cisco Tools, Cisco Press, Whitepapers
• Cisco Learning Network (CLN)
• Design Zone, Cisco Forums
• Cisco Training Program
• External Resources
https://supportforums.cisco.com
http://docwiki.cisco.com
www.cisco.com/go/documentation
www.cisco.com/go/tools

Service Provider Cisco Education Offerings
• Cisco Certification: CCNP Service Provider®
  Courses: Deploying Cisco Service Provider Network Routing (SPROUTE) & Advanced (SPADVROUTE); Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE), Edge Network Services (SPEDGE)
  Description: SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), route manipulations, and HA routing features; SPADVROUTE covers advanced routing topics in BGP, multicast services including PIM-SM, and IPv6; SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering, QoS mechanisms, and transport technologies; SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services; all within SP IP NGN environments.

• Cisco Certification: CCNA Service Provider®
  Courses: Building Cisco Service Provider Next-Generation Networks, Part 1&2 (SPNGN1), (SPNGN2)
  Description: The two courses introduce networking technologies and solutions, including OSI and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network management, and Cisco OS (IOS and IOS XR).

• Cisco Certification: Cisco Service Provider Mobility CDMA to LTE Specialist; Cisco Service Provider Mobility UMTS to LTE Specialist
  Courses: Implementing Cisco Service Provider Mobility UMTS Networks (SPUMTS); Implementing Cisco Service Provider Mobility CDMA Networks (SPCDMA); Implementing Cisco Service Provider Mobility LTE Networks (SPLTE)
  Description: The three courses (SPUMTS, SPCDMA, SPLTE) cover knowledge and skills required to understand products, technologies, and architectures that are found in Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Access (CDMA) packet core networks, plus their migration to Long-Term Evolution (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and Radio Access Networks (RANs).

• Cisco Certification: Cisco IOS XR Specialist
  Courses: Implementing and Maintaining Cisco Technologies Using IOS XR (IMTXR)
  Description: Service Provider/Enterprise engineers to implement, verification-test, and optimize core/edge technologies in a Cisco IOS XR environment.

For more details, please visit: http://learningnetwork.cisco.com


Questions? Visit the Learning@Cisco Booth
