Advanced CCIE Routing & Switching 4.0 www.MicronicsTraining.com Narbik Kocharians CCIE #12410 R&S, Security, SP
VOL-I
CCIE R&S by Narbik Kocharians
Advanced CCIE R&S Work Book 4.0 © 2011 Narbik Kocharians. All rights reserved
Page 1 of 87
Table of Content:

Topology (Vol-I)

3560 Switching (Vol-I)
Lab 1 Basic 3560 configuration I
Lab 2 Basic 3560 configuration II
Lab 3 Configuring Trunks
Lab 4 Configuring EtherChannels
Lab 5 Advanced STP Configuration
Lab 6 Multiple Spanning-tree (802.1s)
Lab 7 Configuring Private VLANs
Lab 8 Q-in-Q Tunneling
Lab 9 Fallback Bridging

Frame-relay (Vol-I)
Lab 1 Hub-n-Spoke Using Frame Map Statements
Lab 2 Hub-n-Spoke Frame-relay Point-to-point
Lab 3 Mixture of P2P and Multipoint
Lab 4 Multipoint Frame-relay W/O Frame maps
Lab 5 Frame-relay and Authentication
Lab 6 Frame-relay End-to-End Keepalives
Lab 7 Tricky Frame-relay Configuration
Lab 8 Frame-relay Multilinking
Lab 9 Back-to-Back Frame-relay connection

ODR (Vol-I)
Lab 1 On Demand Routing

RIPv2 (Vol-I)
Lab 1 RIPv2 and Frame-relay
Lab 2 RIPv2 Authentication
Lab 3 Advanced RIPv2 Mini Mock Lab

EIGRP (Vol-I)
Lab 1 Eigrp configuration
Lab 2 Advanced Eigrp Stub Configuration
Lab 3 Eigrp & Default-information
Lab 4 Eigrp Filtering

OSPF (Vol-I)
Lab 1 Advertising Networks
Lab 2 Optimization of OSPF & Adjusting Timers
Lab 3 OSPF Authentication
Lab 4 OSPF Cost
Lab 5 OSPF Summarization
Lab 6 Virtual-links and GRE Tunnels
Lab 7 OSPF Stub, T/Stub, and NSSAs
Lab 8 OSPF Filtering
Lab 9 Additional OSPF Filtering
Lab 10 Redirecting Traffic in OSPF
Lab 11 Database Overload Protection
Lab 12 OSPF Non-Broadcast Networks
Lab 13 OSPF Broadcast Networks
Lab 14 OSPF Point-to-Point Networks
Lab 15 OSPF Point-to-Multipoint Networks
Lab 16 OSPF Point-to-Multi Network – II
Lab 17 OSPF P-to-M Non-Broadcast Net
Lab 18 OSPF and NBMA
Lab 19 Forward Address Suppression
Lab 20 OSPF NSSA no-redistribution & Injection of default routes

BGP (Vol-I)
Lab 1 Establishing Neighbor Adjacency
Lab 2 Route Reflectors
Lab 3 Conditional Adv & Back door
Lab 4 Route Dampening
Lab 5 Route Aggregation
Lab 6 The community Attribute
Lab 7 BGP Cost Community
Lab 8 BGP & Load Balancing – I
Lab 9 BGP Load Balancing – II
Lab 10 BGP Unequal Cost Load Balancing
Lab 11 BGP Local Preference – I
Lab 12 BGP Local Preference – II
Lab 13 The AS-Path Attribute
Lab 14 The Weight Attribute
Lab 15 MED
Lab 16 Filtering Using ACLs & Prefix-lists
Lab 17 Regular Expressions
Lab 18 Adv BGP Configurations
Lab 19 Administrative Distance
Lab 20 BGP Confederation
Lab 21 BGP Hiding Local AS Number
Lab 22 BGP Allowas-in

Policy Based Routing (Vol-I)
Lab 1 PBR based on Source IP address

Redistribution (Vol-I)
Lab 1 Basics of Redistribution-I
Lab 2 Basics of Redistribution-II
Lab 3 Advanced Redistribution
Lab 4 Routing Loops

IP SLA (Vol-I)
Lab 1 IP SLA
Lab 2 Reliable Static Routing using IP SLA
Lab 3 Reliable Conditional Default Route Injection using IP SLA
Lab 4 Object Tracking in HSRP Using SLA
Lab 5 Object Tracking

GRE Tunnels (Vol-I)
Lab 1 Basic Configuration of GRE Tunnels
Lab 2 Configuration of GRE Tunnels II
Lab 3 Configuration of GRE Tunnels III
Lab 4 GRE & Recursive loops

QOS (Vol-II)
Lab 1 MLS QOS
Lab 2 DSCP Mutation
Lab 3 DSCP-CoS Mapping
Lab 4 CoS-DSCP Mapping
Lab 5 IP-Precedence-DSCP Mapping
Lab 6 Individual rate Policing
Lab 7 Policed DSCP
Lab 8 Aggregate Policer
Lab 9 Priority Queuing
Lab 10 Custom Queuing
Lab 11 WFQ
Lab 12 RSVP
Lab 13 Match Access-group
Lab 14 Match Destination & Source Add MAC
Lab 15 Match Input-Interface
Lab 16 Match FR-de & Packet Length
Lab 17 Match IP Precedence vs. Match Precedence
Lab 18 Match Protocol HTTP URL, MIME & Host
Lab 19 Match Fr-dlci
Lab 20 Frame-relay Traffic Shaping
Lab 21 Frame-relay Traffic-shaping – II
Lab 22 Frame-relay Fragmentation
Lab 23 Frame-relay PIPQ
Lab 24 Frame-relay DE
Lab 25 Frame-relay and Compression
Lab 26 CBWFQ
Lab 27 CBWFQ – II
Lab 28 Converting Custom Queuing to CBWFQ
Lab 29 LLQ
Lab 30 CAR
Lab 31 Class Based Policing – I
Lab 32 CB Policing – II
Lab 33 WRED & CB WRED

NAT (Vol-II)
Lab 1 Static NAT Configuration
Lab 2 Advanced Static NAT Configuration
Lab 3 Configuration of Dynamic NAT – I
Lab 4 Configuration of Dynamic NAT – II
Lab 5 Configuration of Dynamic NAT – III
Lab 6 NAT and Load Balancing
Lab 7 Configuring PAT
Lab 8 Configuring PAR
Lab 9 Configuring Static NAT Redundancy W/HSRP
Lab 10 Stateful Translation Failover With HSRP
Lab 11 Translation of the Outside Source
Lab 12 NAT on a Stick

IP Services (Vol-II)
Lab 1 DHCP Configuration
Lab 2 HSRP Configuration
Lab 3 VRRP Configuration
Lab 4 GLBP Configuration
Lab 5 IRDP Configuration
Lab 6 Configuring DRP
Lab 7 Configuring WCCP
Lab 8 Core Dump Using FTP
Lab 9 HTTP Connection Management
Lab 10 Configuring NTP
Lab 11 More IP Stuff

IP Prefix-List (Vol-II)
Lab 1 Prefix-Lists

IPv6 (Vol-II)
Lab 1 Configuring Basic IPv6
Lab 2 Configuring OSPFv3
Lab 3 Configuring OSPFv3 Multi-Area
Lab 4 Summarization of Internal & External N/W
Lab 5 OSPFv3 Stub, T/Stub and NSSA networks
Lab 6 OSPFv3 Cost and Auto-cost
Lab 7 Tunneling IPv6 Over IPv4
Lab 8 Eigrp and IPv6

Security (Vol-II)
Lab 1 Basic Router Security Configuration
Lab 2 Standard Named Access List
Lab 3 Controlling Telnet Access and SSH
Lab 4 Extended Access List IP and ICMP
Lab 5 Extended Access List OSPF & Eigrp
Lab 6 Using MQC as a Filtering tool
Lab 7 Extended Access List With Established
Lab 8 Dynamic Access List
Lab 9 Reflexive Access-Lists
Lab 10 Access-list & Time Range
Lab 11 Configuring Basic CBAC
Lab 12 Configuring CBAC
Lab 13 Configuring CBAC & Java Blocking
Lab 14 Configuring PAM
Lab 15 Configuring uRPF
Lab 16 Configuring Zone Based Firewall
Lab 17 Control Plane Policing
Lab 18 Configuring IOS IPS
Lab 19 Attacks
Lab 20 AAA Authentication

Multicasting (Vol-II)
Lab 1 Configuring IGMP
Lab 2 Dense Mode
Lab 3 Static RP Configuration
Lab 4 Auto-RP
Lab 5 Auto-RP Filtering & Listener
Lab 6 Configuring BSR
Lab 7 Configuring MSDP
Lab 8 Anycast RP
Lab 9 MSDP/MP-BGP
Lab 10 Configuring SSM
Lab 11 Helper-Map
Lab 12 Bidirectional PIM

MPLS & L3VPNs (Vol-II)
Lab 1 Configuring Label Distribution Protocol
Lab 2 Static & RIPv2 Routing in a VPN
Lab 3 OSPF Routing in a VPN
Lab 4 Backdoor links & OSPF
Lab 5 Eigrp Routing in a VPN
Lab 6 BGP Routing in a VPN
Lab 7 Complex VPNs and Filters
The Serial connection between R1 and R3
The Serial connection between R4 and R5
Frame-relay Switch connections: [diagram not reproduced; routers R1 to R6 connect to the Frame-relay switch over serial interfaces, and the port labels in the diagram are S0/0, S0/1, S0/2, S0/3, S1/0, S1/1 and S1/2]
Frame-relay DLCI connections:

Router   Local DLCI   Connecting to
R1       102          R2
R1       112          R2
R1       103          R3
R1       104          R4
R1       105          R5
R1       106          R6
R2       201          R1
R2       211          R1
R2       203          R3
R2       204          R4
R2       205          R5
R2       206          R6
R3       301          R1
R3       302          R2
R3       304          R4
R3       305          R5
R3       306          R6
R4       401          R1
R4       402          R2
R4       403          R3
R4       405          R5
R4       406          R6
R5       501          R1
R5       502          R2
R5       503          R3
R5       504          R4
R5       506          R6
R6       601          R1
R6       602          R2
R6       603          R3
R6       604          R4
R6       605          R5
Switch connections: [diagram not reproduced; SW1, SW2, SW3 and SW4 are interconnected, and the port labels in the diagram are F0/18, F0/19, F0/20, F0/21, F0/22, F0/23 and F0/24]
Lab 7 Configuring Private VLANs

Task 1
The first switch should be configured with a hostname of SW1 and the second switch should be configured with a hostname of SW2.

On the First Switch
Switch(config)#Hostname SW1

On the Second Switch
Switch(config)#Hostname SW2

Task 2
Shutdown ports F0/21-24 on SW1 and SW2.

On Both Switches:
SWx(config)#int range f0/21-24
SWx(config-if-range)#Shut
Task 3
Configure trunking between SW1 and SW2 using ports F0/19 and F0/20. Use an industry standard trunking protocol for this purpose. Assign a brief meaningful description to these interfaces.

On SW1
SW1(config)#Interface range f0/19-20
SW1(config-if-range)#Switch trunk encap dot1q
SW1(config-if-range)#Switch mode trunk
SW1(config-if-range)#Description Trunk to SW2

On SW2
SW2(config)#Interface range f0/19-20
SW2(config-if-range)#Switch trunk encap dot1q
SW2(config-if-range)#Switch mode trunk
SW2(config-if-range)#Description Trunk to SW1
To verify the configuration:

On SW1
SW1#Show int trunk

Port      Mode   Encapsulation  Status     Native vlan
Fa0/19    on     802.1q         trunking   1
Fa0/20    on     802.1q         trunking   1

Port      Vlans allowed on trunk
Fa0/19    1-4094
Fa0/20    1-4094

Port      Vlans allowed and active in management domain
Fa0/19    1
Fa0/20    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/19    1
Fa0/20    none

On SW2
SW2#Show int trunk

Port      Mode   Encapsulation  Status     Native vlan
Fa0/19    on     802.1q         trunking   1
Fa0/20    on     802.1q         trunking   1

Port      Vlans allowed on trunk
Fa0/19    1-4094
Fa0/20    1-4094

Port      Vlans allowed and active in management domain
Fa0/19    1
Fa0/20    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/19    1
Fa0/20    1
Task 4
Assign IP addressing to the interface of the routers using the following chart and ensure that these routers can ping each other. You should assign a brief meaningful interface description on the switchports.

Router   Interface   IP address and Subnet mask
R1       F0/0        200.1.1.1 /24
R2       F0/0        200.1.1.2 /24
R3       F0/1        200.1.1.3 /24
R4       F0/0        200.1.1.4 /24
R5       F0/1        200.1.1.5 /24
R6       F0/1        200.1.1.6 /24
BB1      F0/1        200.1.1.7 /24
BB2      F0/0        200.1.1.8 /24
BB3      F0/0        200.1.1.9 /24

On R1
R1(config)#Int F0/0
R1(config-if)#Ip address 200.1.1.1 255.255.255.0
R1(config-if)#No shut

On R2
R2(config)#Int F0/0
R2(config-if)#Ip address 200.1.1.2 255.255.255.0
R2(config-if)#No shut

On R3
R3(config)#Int F0/1
R3(config-if)#Ip address 200.1.1.3 255.255.255.0
R3(config-if)#No shut

On R4
R4(config)#Int F0/0
R4(config-if)#Ip address 200.1.1.4 255.255.255.0
R4(config-if)#No shut

On R5
R5(config)#Int F0/1
R5(config-if)#Ip address 200.1.1.5 255.255.255.0
R5(config-if)#No shut

On R6
R6(config)#Int F0/1
R6(config-if)#Ip address 200.1.1.6 255.255.255.0
R6(config-if)#No shut

On BB1
BB1(config)#Int F0/1
BB1(config-if)#Ip address 200.1.1.7 255.255.255.0
BB1(config-if)#No shut

On BB2
BB2(config)#int F0/0
BB2(config-if)#ip address 200.1.1.8 255.255.255.0
BB2(config-if)#No shut

On BB3
BB3(config)#int F0/0
BB3(config-if)#ip address 200.1.1.9 255.255.255.0
BB3(config-if)#No shut
On SW1
SW1(config)#Int F0/1
SW1(config-if)#Description R1’s F0/0
SW1(config)#Int F0/2
SW1(config-if)#Description R2’s F0/0
SW1(config)#Int range F0/3 , F0/5-9 , F0/12-18 , F0/21-24
SW1(config-if-range)#Description
SW1(config)#Int F0/4
SW1(config-if)#Description R4’s F0/0
SW1(config)#Int F0/12
SW1(config-if)#Description BB2’s F0/0
SW1(config)#Int F0/13
SW1(config-if)#Description BB3’s F0/0

On SW2
SW2(config)#Int range F0/1-2 , F0/4 , F0/10-18 , F0/21-24
SW2(config-if-range)#Description
SW2(config)#Int F0/3
SW2(config-if)#Description R3’s F0/1
SW2(config)#Int F0/5
SW2(config-if)#Description R5’s F0/1
SW2(config)#Int F0/6
SW2(config-if)#Description R6’s F0/1
SW2(config)#Int F0/11
SW2(config-if)#Description BB1’s F0/1
To test and verify the configuration:

On R1
R1#Ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 5
Configure the switches such that the ports that are not used are in Administratively down state. Use minimum number of commands for this task.

On SW1
SW1(config)#int range F0/3 , F0/5 , F0/10, F0/14-18 , F0/21-24
SW1(config-if-range)#Shut

To verify the configuration:

On SW1
SW1#Sh int status | Inc Port|connected

Port      Name           Status     Vlan   Duplex  Speed  Type
Fa0/1     R1's F0/0      connected  1      a-full  a-100  10/100BaseTX
Fa0/2     R2's F0/0      connected  1      a-full  a-100  10/100BaseTX
Fa0/4     R4's F0/0      connected  1      a-full  a-100  10/100BaseTX
Fa0/12    BB2's F0/0     connected  1      a-full  a-100  10/100BaseTX
Fa0/13    BB3's F0/0     connected  1      a-full  a-100  10/100BaseTX
Fa0/19    Trunk to SW2   connected  trunk  a-full  a-100  10/100BaseTX
Fa0/20    Trunk to SW2   connected  trunk  a-full  a-100  10/100BaseTX

On SW2
SW2(config)#int range F0/1-2 , F0/4 , F0/8-10, F0/12-18 , F0/21-24
SW2(config-if)#Shut

To verify the configuration:

On SW2
SW2#Sh int status | Inc Port|connected

Port      Name           Status     Vlan   Duplex  Speed  Type
Fa0/3     R3's F0/1      connected  1      a-full  a-100  10/100BaseTX
Fa0/5     R5's F0/1      connected  1      a-full  a-100  10/100BaseTX
Fa0/6     R6's F0/1      connected  1      a-full  a-100  10/100BaseTX
Fa0/11    BB1's F0/1     connected  1      a-full  a-100  10/100BaseTX
Fa0/19    Trunk to SW1   connected  trunk  a-full  a-100  10/100BaseTX
Fa0/20    Trunk to SW1   connected  trunk  a-full  a-100  10/100BaseTX
Note the interface description can be extremely helpful especially if the switches are configured in transparent mode, and/or the task asks for the configuration of allowed VLANs on the trunks.
Task 6
Configure Private VLANs based on the following policy:

Router   Interface   VLAN-Type   VLAN-ID
R1       F0/0        Primary     10
R2       F0/0        Community   20
R3       F0/1        Community   20
R4       F0/0        Community   30
R5       F0/1        Community   30
R6       F0/1        Isolated    40
BB1      F0/1        Isolated    40
BB2      F0/0        Isolated    40
BB3      F0/0        Isolated    40
Private-VLANs are typically seen in service provider networks. This feature addresses two major problems that providers used to face:

1. Number of Clients: If every client was in a VLAN of their own, the provider would be restricted to 4094 clients, which is the maximum number of VLANs on a given switch.
2. Routing between VLANs & IP addressing: Routing between VLANs would be a nightmare, and the number of wasted IP addresses that result from subnetting would be enormous.

Private-VLANs solve these two issues: with Private-VLANs, a VLAN is subdivided into sub VLANs or subdomains. Private-VLANs consist of one primary and one or more secondary VLANs; the secondary VLANs can be either Community VLANs or Isolated VLANs. A Primary VLAN can have many Community VLANs, but it can ONLY have a single Isolated VLAN.

Ports in a Private-VLAN: There are three types of ports in a Private-VLAN, and they are as follows:

1. Promiscuous: A promiscuous port belongs to the primary VLAN; this port can communicate with all ports that are members of the secondary VLAN/s (Community and/or Isolated) associated with the primary VLAN to which it belongs.
2. Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. The host ports that are members of a given Isolated VLAN can NOT communicate with each other. These ports can ONLY communicate with the port configured as the promiscuous port.
3. Community: A community port is a host port that belongs to a community secondary VLAN. Community ports can communicate with ports in the same Community VLAN and with the port that is configured as the promiscuous port. These ports can’t communicate with ports in other Community VLANs.
On Both Switches:
In order to configure private-vlans, the switches must be configured in Transparent mode as follows:

SWx(config)#vtp mode transparent

The following commands configure the primary VLAN:

SWx(config)#vlan 10
SWx(config-vlan)#private-vlan primary
SWx(config-vlan)#Exit

The following two VLANs are defined as the community secondary VLANs; there could be many community VLANs:

SWx(config)#vlan 20
SWx(config-vlan)#private-vlan community
SWx(config)#vlan 30
SWx(config-vlan)#private-vlan community

There can ONLY be one isolated secondary VLAN:

SWx(config)#vlan 40
SWx(config-vlan)#private-vlan isolated

The following command associates the secondary VLANs to the primary:

SWx(config)#vlan 10
SWx(config-vlan)#private-vlan association add 20,30,40

To verify the configuration:

On Both Switches:
SWx#Show vlan private-vlan

Primary  Secondary  Type        Ports
10       20         community
10       30         community
10       40         isolated

The output of the above show command displays the secondary VLANs that are created so far and the primary VLAN to which they are associated.
On SW1
The following command sets F0/1 interface in promiscuous mode, assigns the port to primary VLAN 10 and maps VLANs 20, 30 and 40 to this interface:

SW1(config)#Int F0/1
SW1(config-if)#Switchport mode private-vlan promiscuous
SW1(config-if)#Switchport private-vlan mapping 10 add 20,30,40

The ports that belong to a given secondary VLAN must be configured in host mode. The following command sets F0/2 interface in a host mode, associates this port to VLAN 10 (the primary VLAN) and assigns this port to VLAN 20, which was configured as a community secondary VLAN earlier:

SW1(config-if)#Int F0/2
SW1(config-if)#Switchport mode private-vlan host
SW1(config-if)#Switchport private-vlan host-association 10 20

The following command sets F0/4 interface in a host mode, associates this port to VLAN 10 (the primary VLAN) and assigns this port to VLAN 30, which was configured as a community secondary VLAN earlier:

SW1(config-if)#Int F0/4
SW1(config-if)#Switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 30

The following command sets F0/12 and F0/13 interfaces in a host mode, associates these ports to VLAN 10 (the primary VLAN) and assigns these ports to VLAN 40, which was configured as an isolated secondary VLAN earlier:

SW1(config)#Int range F0/12-13
SW1(config-if)#Switchport mode private-vlan host
SW1(config-if)#Switchport private-vlan host-association 10 40

To verify the configuration:

On SW1
SW1#Sh vlan pri

Primary  Secondary  Type        Ports
10       20         community   Fa0/1, Fa0/2
10       30         community   Fa0/1, Fa0/4
10       40         isolated    Fa0/1, Fa0/12, Fa0/13

On SW2
SW2(config)#Int F0/3
SW2(config-if)#Switchport mode private-vlan host
SW2(config-if)#Switchport private-vlan host-association 10 20
SW2(config)#Int F0/5
SW2(config-if)#Switchport mode private-vlan host
SW2(config-if)#Switchport private-vlan host-association 10 30
SW2(config)#Int range F0/6 , F0/11
SW2(config-if)#Switchport mode private-vlan host
SW2(config-if)#switchport private-vlan host-association 10 40
To verify the configuration:

On SW2
SW2#Show vlan private-vlan

Primary  Secondary  Type        Ports
10       20         community   Fa0/3
10       30         community   Fa0/5
10       40         isolated    Fa0/6, Fa0/11
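
The Task 6 policy and the three port types can be checked mechanically before running the pings. The following Python sketch is an added example, not part of the workbook: it parses the private-VLAN show output listed in this lab, audits it against the Task 6 table, and derives which routers each host should be able to ping. The names POLICY, SHOW, parse_show_pvlan, audit, can_reach and expected_pings are this example's own, and the parser assumes each VLAN's ports fit on one output line, as they do here.

```python
import re

# Task 6 policy from the workbook: host -> (switch, port, role, VLAN).
POLICY = {
    "R1":  ("SW1", "Fa0/1",  "promiscuous", 10),
    "R2":  ("SW1", "Fa0/2",  "community",   20),
    "R3":  ("SW2", "Fa0/3",  "community",   20),
    "R4":  ("SW1", "Fa0/4",  "community",   30),
    "R5":  ("SW2", "Fa0/5",  "community",   30),
    "R6":  ("SW2", "Fa0/6",  "isolated",    40),
    "BB1": ("SW2", "Fa0/11", "isolated",    40),
    "BB2": ("SW1", "Fa0/12", "isolated",    40),
    "BB3": ("SW1", "Fa0/13", "isolated",    40),
}

# Private-VLAN show output per switch, as listed in this lab.
SHOW = {
    "SW1": """Primary Secondary Type              Ports
10      20        community         Fa0/1, Fa0/2
10      30        community         Fa0/1, Fa0/4
10      40        isolated          Fa0/1, Fa0/12, Fa0/13
""",
    "SW2": """Primary Secondary Type              Ports
10      20        community         Fa0/3
10      30        community         Fa0/5
10      40        isolated          Fa0/6, Fa0/11
""",
}

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(community|isolated)\s*(.*)$")


def parse_show_pvlan(text):
    """Return {secondary: (primary, type, set_of_ports)} for one switch."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        primary, secondary, kind, ports = m.groups()
        port_set = {p.strip() for p in ports.split(",") if p.strip()}
        table[int(secondary)] = (int(primary), kind, port_set)
    return table


def audit(policy, outputs):
    """Compare switch output with the policy; return a list of findings."""
    findings = []
    tables = {sw: parse_show_pvlan(text) for sw, text in outputs.items()}
    for sw, table in tables.items():
        # A primary VLAN may carry only one isolated secondary VLAN.
        isolated = {}
        for secondary, (primary, kind, _) in table.items():
            if kind == "isolated":
                isolated.setdefault(primary, []).append(secondary)
        for primary, vlans in isolated.items():
            if len(vlans) > 1:
                findings.append(
                    f"{sw}: primary {primary} has isolated VLANs {sorted(vlans)}")
    for host, (sw, port, role, vlan) in policy.items():
        table = tables.get(sw, {})
        if role == "promiscuous":
            # In this lab the promiscuous port is mapped to all secondaries.
            for secondary, (_, _, ports) in table.items():
                if port not in ports:
                    findings.append(
                        f"{host}: {sw} {port} not mapped to VLAN {secondary}")
            continue
        if vlan not in table:
            findings.append(f"{host}: {sw} has no secondary VLAN {vlan}")
        for secondary, (_, kind, ports) in table.items():
            if secondary == vlan and (kind != role or port not in ports):
                findings.append(
                    f"{host}: {sw} {port} missing from {role} VLAN {vlan}")
            if secondary != vlan and port in ports:
                findings.append(
                    f"{host}: {sw} {port} unexpectedly in VLAN {secondary}")
    return findings


def can_reach(policy, a, b):
    """Port rules from this lab: promiscuous talks to all, community only
    within its own VLAN, isolated only to the promiscuous port."""
    role_a, vlan_a = policy[a][2:]
    role_b, vlan_b = policy[b][2:]
    if "promiscuous" in (role_a, role_b):
        return True
    return role_a == role_b == "community" and vlan_a == vlan_b


def expected_pings(policy, src):
    """Hosts that src should be able to ping under the policy."""
    return sorted(h for h in policy if h != src and can_reach(policy, src, h))


if __name__ == "__main__":
    for problem in audit(POLICY, SHOW):
        print("FINDING", problem)
    for host in POLICY:
        print(host, "->", ", ".join(expected_pings(POLICY, host)))
```
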
To test the configuration:

On R1
R1#Ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R1#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 200.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Note: R1 is able to ping all routers because its switch port is configured in promiscuous mode; this interface can be thought of as the default gateway.

On R2
R2#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R2#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Note: R2 is able to ping R1, which is the port in the primary VLAN, and R3, which is in the same community VLAN. R2 can NOT communicate with the hosts in the other secondary VLANs. The following verifies this information:

R2#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#Ping 200.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#Ping 200.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#Ping 200.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#Ping 200.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
On R3
R3#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R3#Ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Note: R3 is able to ping R1, which is the port in the primary VLAN, and the router in its own community secondary VLAN, which is R2.

R3#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#Ping 200.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#Ping 200.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#Ping 200.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#Ping 200.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Note: R3 can NOT ping the other routers because they are in another secondary VLAN.
On R4
R4#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R4#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Note: R4 is able to ping R1, which is the port in the primary VLAN, and the router in its own community secondary VLAN, which is R5.

R4#Ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4#Ping 200.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4#Ping 200.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4#Ping 200.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4#Ping 200.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Note: R4 can NOT ping the other routers because they are in another secondary VLAN.
On R5
R5#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R5#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Note: R5 is able to ping R1, which is the port in the primary VLAN, and the router in its own community secondary VLAN (R2).

R5#Ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R5#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R5#Ping 200.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R5#Ping 200.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R5#Ping 200.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R5#Ping 200.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Note: R5 can NOT ping the other routers because they are in another secondary VLAN.
On R6
R6#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Note: R6 is able to ping R1, which is the port in the primary VLAN, but it can NOT ping any other router, even though BB1, BB2 and BB3 are in the same VLAN. Remember that the VLAN is defined as isolated; the hosts in an isolated VLAN do NOT have reachability to each other.

R6#Ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6#Ping 200.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6#Ping 200.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6#Ping 200.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
On BB1
BB1#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Note: BB1 is able to ping R1, which is the port in the primary VLAN, but it can NOT ping any other router. R6, BB2 and BB3 are in the same VLAN as BB1, but that VLAN is defined as an isolated secondary VLAN, and the hosts in an isolated VLAN do NOT have reachability to each other.

BB1#Ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB1#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB1#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB1#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB1#Ping 200.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB1#Ping 200.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB1#Ping 200.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
On BB2
BB2#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Note: BB2 is able to ping R1, which is the port in the primary VLAN, but it can NOT ping any other router. R6, BB1 and BB3 are in the same VLAN as BB2, but that VLAN is defined as an isolated secondary VLAN, and the hosts in an isolated VLAN do NOT have reachability to each other.

BB2#Ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB2#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB2#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB2#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB2#Ping 200.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB2#Ping 200.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB2#Ping 200.1.1.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
On BB3
BB3#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Note: BB3 is able to ping R1, which is the port in the primary VLAN, but it can NOT ping any other router. R6, BB1 and BB2 are in the same VLAN as BB3, but that VLAN is defined as an isolated secondary VLAN, and the hosts in an isolated VLAN do NOT have reachability to each other.

BB3#Ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB3#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB3#Ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB3#Ping 200.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB3#Ping 200.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB3#Ping 200.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BB3#Ping 200.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
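
The forwarding rules that the notes in this test describe can be written as a model and used to audit ping results. This is an added example, not part of the workbook: the port roles, the label "promiscuous" for R1's port and the BB1 to BB3 addresses (200.1.1.7 to 200.1.1.9) are assumptions inferred from the ping results above and the VLAN IDs in the Task 7 chart, and the observations are constructed.

```python
"""Private-VLAN reachability model for the lab's hosts (added example)."""

# Assumed roles: (IP address, port role, community VLAN ID or None).
# "isolated" stands for the isolated secondary VLAN; its ID is not shown here.
HOSTS = {
    "R1":  ("200.1.1.1", "promiscuous", None),
    "R2":  ("200.1.1.2", "community", 20),
    "R3":  ("200.1.1.3", "community", 20),
    "R4":  ("200.1.1.4", "community", 30),
    "R5":  ("200.1.1.5", "community", 30),
    "R6":  ("200.1.1.6", "isolated", None),
    "BB1": ("200.1.1.7", "isolated", None),
    "BB2": ("200.1.1.8", "isolated", None),
    "BB3": ("200.1.1.9", "isolated", None),
}


def allowed(src: str, dst: str) -> bool:
    """True if the private-VLAN rules let src and dst exchange frames."""
    _, s_role, s_vlan = HOSTS[src]
    _, d_role, d_vlan = HOSTS[dst]
    if "promiscuous" in (s_role, d_role):
        return True                   # the primary-VLAN port reaches everyone
    if s_role == d_role == "community":
        return s_vlan == d_vlan       # only members of the same community
    return False                      # isolated ports, or mixed secondary VLANs


def expected_reachability(src: str) -> dict:
    """Expected ping result from src to every other host's address."""
    return {HOSTS[d][0]: allowed(src, d) for d in HOSTS if d != src}


def audit(observed: dict) -> list:
    """Compare observed pings {(src, dst_ip): succeeded} with the model.

    Returns (src, dst_ip, kind) tuples: "leak" when a ping succeeded across a
    boundary that should block it, "outage" when an allowed path failed.
    """
    ip_to_host = {ip: name for name, (ip, _, _) in HOSTS.items()}
    findings = []
    for (src, dst_ip), ok in sorted(observed.items()):
        want = allowed(src, ip_to_host[dst_ip])
        if ok and not want:
            findings.append((src, dst_ip, "leak"))
        elif want and not ok:
            findings.append((src, dst_ip, "outage"))
    return findings


# Constructed observations: the first three agree with the model, the last one
# is an invented failure case (two isolated hosts reaching each other).
OBSERVED = {
    ("R5", "200.1.1.1"): True,
    ("R5", "200.1.1.4"): True,
    ("R5", "200.1.1.6"): False,
    ("BB1", "200.1.1.8"): True,
}

if __name__ == "__main__":
    for host in ("R5", "R6"):
        reachable = [ip for ip, ok in expected_reachability(host).items() if ok]
        print(f"{host} should reach only: {', '.join(reachable)}")
    for src, dst_ip, kind in audit(OBSERVED):
        print(f"{kind}: {src} -> {dst_ip}")
```
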
Task 7
Reconfigure the IP addressing of the hosts that belong to the two community secondary VLANs based on the following chart, and provide inter-VLAN routing between them. The hosts in the other secondary VLANs should still be able to reach the host in the primary VLAN. You can use static routes and any IP addressing to accomplish this task.
Routers / Interface    IP address        VLAN-ID
R2 – F0/0              202.1.1.2 /24     20
R3 – F0/1              202.1.1.3 /24     20
R4 – F0/0              203.1.1.4 /24     30
R5 – F0/1              203.1.1.5 /24     30
On R2
R2(config)#int f0/0
R2(config-if)#ip addr 202.1.1.2 255.255.255.0
R2(config)#ip route 0.0.0.0 0.0.0.0 202.1.1.100

On R3
R3(config)#int f0/1
R3(config-if)#ip addr 202.1.1.3 255.255.255.0
R3(config)#ip route 0.0.0.0 0.0.0.0 202.1.1.100

On R4
R4(config)#int f0/0
R4(config-if)#ip addr 203.1.1.4 255.255.255.0
R4(config)#ip route 0.0.0.0 0.0.0.0 203.1.1.100

On R5
R5(config)#int f0/1
R5(config-if)#ip addr 203.1.1.5 255.255.255.0
R5(config)#ip route 0.0.0.0 0.0.0.0 203.1.1.100
On SW1
SW1(config)#IP routing

Note: two IP addresses are configured under interface VLAN 10, a primary and a secondary. The primary IP address is used by the hosts in VLAN 20 and the secondary is used by the hosts in VLAN 30. The “Private-vlan mapping” command maps the secondary VLANs to their layer 3 VLAN interface, in this case VLAN 10, which is the layer 3 interface of the primary VLAN.

SW1(config)#int vlan 10
SW1(config-if)#ip address 202.1.1.100 255.255.255.0
SW1(config-if)#ip address 203.1.1.100 255.255.255.0 sec
SW1(config-if)#private-vlan mapping 20,30

Once the “Private-vlan mapping” interface configuration command is in place, secondary VLANs can be added or removed using the “Private-vlan mapping add” or “Private-vlan mapping remove” interface configuration commands. After the mapping command above is entered, you should get the following messages:

%PV-6-PV_MSG: Created a private vlan mapping, Primary 10, Secondary 20
%PV-6-PV_MSG: Created a private vlan mapping, Primary 10, Secondary 30
To verify the configuration:
On SW1
SW1#Show interfaces private-vlan mapping
Interface    Secondary VLAN    Type
vlan10       20                community
vlan10       30                community
To test the configuration:
On R2
R2#Ping 203.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#Ping 203.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (4/5), round-trip min/avg/max = 1/1/4 ms
On BB1
BB1#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 8 Erase the startup config and reload the routers before proceeding to the next task.
Frame-relay
Lab 1 – Hub-n-Spoke using Frame-relay map statements
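[Figure: hub-and-spoke Frame-relay topology. R1 (S0/0, 10.1.100.1 /24) connects through DLCIs 102, 103 and 104 to R2 (S0/0, 10.1.100.2 /24, DLCI 201), R3 (S0/0, 10.1.100.3 /24, DLCI 301) and R4 (S0/0, 10.1.100.4 /24, DLCI 401).]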
IP addressing and DLCI information chart:

Routers                              IP address        Local DLCI    Connecting to:
R1’s Frame-relay interface S0/0      10.1.100.1 /24    102           R2
                                                       103           R3
                                                       104           R4
R2’s Frame-relay interface S0/0      10.1.100.2 /24    201           R1
R3’s Frame-relay interface S0/0      10.1.100.3 /24    301           R1
R4’s Frame-relay interface S0/0      10.1.100.4 /24    401           R1
Task 1
Configure a Frame-relay hub and spoke using Frame-relay map statements. Use the IP addressing in the above chart. Disable inverse-arp such that the routers do not generate inverse-arp request packets, and ensure that only the assigned DLCIs are used and mapped. These mappings should be as follows:
· On R1: DLCIs 102, 103 and 104 should be mapped to R2, R3 and R4 respectively.
· On R2, R3 and R4: DLCIs 201, 301 and 401 should be used on R2, R3 and R4 respectively for their mapping to R1 (the hub).
In the future the EIGRP routing protocol will be configured on these routers; ensure that the routers can handle the multicast traffic generated by the EIGRP routing protocol. DO NOT configure any subinterface(s) to accomplish this task.
On R1
R1(config)#Int S0/0
R1(config-if)#IP address 10.1.100.1 255.255.255.0
R1(config-if)#Encapsulation frame
R1(config-if)#Frame-relay map ip 10.1.100.2 102 broadcast
R1(config-if)#Frame-relay map ip 10.1.100.3 103 broadcast
R1(config-if)#Frame-relay map ip 10.1.100.4 104 broadcast
R1(config-if)#NO frame-relay inverse-arp
R1(config-if)#NO shut
To verify the configuration:
On R1
R1#Show frame-relay map
Serial0/0 (up): ip 10.1.100.2 dlci 102(0x66,0x1860), static, broadcast, CISCO, status defined, inactive
Serial0/0 (up): ip 10.1.100.3 dlci 103(0x67,0x1870), static, broadcast, CISCO, status defined, inactive
Serial0/0 (up): ip 10.1.100.4 dlci 104(0x68,0x1880), static, broadcast, CISCO, status defined, inactive

Note: you may see DLCIs 105 and 106 mapped to the 0.0.0.0 IP address. These dynamic mappings may not affect unicast traffic, but they will affect multicast and/or broadcast traffic, so they should be removed from the mapping table. The “clear frame-relay inarp” command will NOT have any effect on these entries, whereas saving the configuration and then reloading the routers will definitely clear the 0.0.0.0 mappings. Another way to clear the “0.0.0.0” mapping is to remove the encapsulation and configure it again, but once the encapsulation is removed, the Frame-relay commands configured under the interface are also removed.

The output of the above show command shows that the DLCIs are all in “inactive” status, which means that the problem is on the other side of the VC. In this case the other ends of these VCs are not configured yet; once they are configured, the status should transition to the active state. Let’s configure the spoke routers:
On R2
R2(config)#Int S0/0
R2(config-if)#Ip address 10.1.100.2 255.255.255.0
R2(config-if)#Encapsulation frame
R2(config-if)#Frame-relay map ip 10.1.100.1 201 broadcast
R2(config-if)#NO frame-relay inverse-arp
R2(config-if)#NO shut
To verify the configuration:
On R2
Let’s start with layer one and see if we have a serial cable connected to the Frame-relay switch and, if so, which end of the cable is connected to our router, DTE or DCE. The output of the following show command shows that the DTE end of the cable is connected to our local router, and the “clocks detected” tells us that we are receiving clocking from a DCE device. This should always be the first step in troubleshooting Frame-relay. If the output of the following command showed that we have the DCE end of the cable connected to our router, then the local router has to provide clocking, which means that the “clockrate” command MUST be configured or else the VC will NOT transition into the UP/UP state.

R2#Show controller S0/0 | Inc clocks
DTE V.35 TX and RX clocks detected.

In the next step, we should see if the local router is exchanging LMIs with the Frame-relay switch.

NOTE: Keepalive LMIs are exchanged every 10 seconds, which means that if the Frame-relay switch is configured correctly and the LMI types are also configured correctly (they match on both ends), then you should see the number of status enquiries sent and received increment every 10 seconds.

R2#Show frame-relay lmi | Inc Num
Num Status Enq. Sent 68          Num Status msgs Rcvd 69
Num Update Status Rcvd 0         Num Status Timeouts 0
R2#Show frame-relay lmi | Inc Num
Num Status Enq. Sent 69          Num Status msgs Rcvd 70
Num Update Status Rcvd 0         Num Status Timeouts 0

Next the Frame-relay maps are checked:

R2#Show frame-relay map 201
Serial0/0 (up): ip 10.1.100.1 dlci 201(0xC9,0x3090), static, broadcast, CISCO, status defined, active

NOTE: The output of the above show command reveals that the remote IP address of 10.1.100.1 is mapped to the local DLCI of 201. Make sure you see the correct IP address. In the parentheses, DLCI 201 is presented in hexadecimal and in Q.922 format. If the hexadecimal value of 0xC9 is converted to decimal, the result is 201, which is the local DLCI number. The second hexadecimal value, 0x3090, indicates how the DLCI is split into two sections within the Frame-relay header: a DLCI is a 10-bit number, the first 6 bits (the most significant 6 bits) are in the first byte, and the last 4 bits of the DLCI are found at the beginning of the second byte of the Frame-relay frame, as follows:
[Figure: Frame Relay header structure]

Notice how the 10 bits are divided? 6 bits are in the first byte and the remaining 4 bits are in the second byte. If the DLCI bits of the hex value 0x3090 are converted to decimal, you will once again see a DLCI value of 201, as follows:

Convert 0x3090 to binary:

Hex       3       0       9       0
Binary    0011    0000    1001    0000

Take the most significant 6 bits of the first byte, in this case: 001100
Take the most significant 4 bits of the second byte, in this case: 1001

Note: the most significant 6 bits of the first byte and the most significant 4 bits of the second byte are concatenated into a 10-bit value, as follows: 0011001001

If the above binary number is converted to decimal (1 + 8 + 64 + 128), you should get 201.

In the final step, end-to-end reachability is tested:

R2#Ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
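
The same conversion as code, checked against every DLCI value printed in this lab. This is an added example, not part of the workbook; the function names are hypothetical, and the positions of the C/R, FECN, BECN, DE and EA bits follow the standard Q.922 two-byte address layout, which the workbook does not spell out.

```python
"""Q.922 two-byte Frame Relay address: pack and unpack a 10-bit DLCI."""

# Standard Q.922 layout (assumption: not spelled out in the workbook):
#   byte 1: DLCI high 6 bits | C/R  | EA=0
#   byte 2: DLCI low 4 bits  | FECN | BECN | DE | EA=1


def dlci_to_q922(dlci: int, fecn: int = 0, becn: int = 0, de: int = 0,
                 ea: int = 0) -> int:
    """Return the 16-bit header value for a DLCI.

    ea=0 reproduces the second value in "show frame-relay map" (0x3090 for
    DLCI 201); ea=1 gives the value printed by the packet debug (0x3091),
    where the final address-extension bit is set.
    """
    if not 0 <= dlci <= 1023:
        raise ValueError("a two-byte address carries a 10-bit DLCI (0-1023)")
    byte1 = (dlci >> 4) << 2              # top 6 bits; C/R and EA left at 0
    byte2 = ((dlci & 0xF) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | ea
    return (byte1 << 8) | byte2


def q922_to_fields(header: int) -> dict:
    """Split a 16-bit header value into the DLCI and its flag bits."""
    if not 0 <= header <= 0xFFFF:
        raise ValueError("expected a two-byte header value")
    byte1, byte2 = header >> 8, header & 0xFF
    return {
        "dlci": ((byte1 >> 2) << 4) | (byte2 >> 4),
        "cr": (byte1 >> 1) & 1,
        "fecn": (byte2 >> 3) & 1,
        "becn": (byte2 >> 2) & 1,
        "de": (byte2 >> 1) & 1,
        "ea": byte2 & 1,
    }


def show_steps(header: int) -> tuple:
    """The manual method from the text: (first 6 bits, next 4 bits, joined)."""
    bits = format(header, "016b")
    high6, low4 = bits[:6], bits[8:12]
    return high6, low4, high6 + low4


# Values copied from this lab's "show frame-relay map" and packet debug output.
SHOW_MAP = {102: 0x1860, 103: 0x1870, 104: 0x1880,
            201: 0x3090, 301: 0x48D0, 401: 0x6410, 113: 0x1C10}
DEBUG_PACKET = {0x3091: 201, 0x48D1: 301}

if __name__ == "__main__":
    for dlci, shown in SHOW_MAP.items():
        print(f"DLCI {dlci}: computed 0x{dlci_to_q922(dlci):04X}, shown 0x{shown:04X}")
    for seen, dlci in DEBUG_PACKET.items():
        print(f"debug 0x{seen:04X} ->", q922_to_fields(seen))
    # The first two bytes of the LMI debug's "FR encap = 0x00010308".
    print("0x0001 ->", q922_to_fields(0x0001))
    print(show_steps(0x3090))
```
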
Let’s configure R3:
On R3
R3(config)#Int S0/0
R3(config-if)#Ip address 10.1.100.3 255.255.255.0
R3(config-if)#Encapsulation frame
R3(config-if)#Frame-relay map ip 10.1.100.1 301 broadcast
R3(config-if)#NO frame-relay inverse-arp
R3(config-if)#NO shut

To verify the configuration:
On R3
R3#Ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
R3#Show frame map
Serial0/0 (up): ip 10.1.100.1 dlci 301(0x12D,0x48D0), static, broadcast, CISCO, status defined, active
Let’s configure R4:
On R4
R4(config)#Int S0/0
R4(config-if)#Ip address 10.1.100.4 255.255.255.0
R4(config-if)#Encapsulation frame
R4(config-if)#Frame-relay map ip 10.1.100.1 401 broadcast
R4(config-if)#NO frame-relay inverse-arp
R4(config-if)#NO shut
To verify the configuration:
On R4
R4#Ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/50/52 ms
R4#Show frame-relay map
Serial0/0 (up): ip 10.1.100.1 dlci 401(0x191,0x6410), static, broadcast, CISCO, status defined, active
Task 2
Ensure that every router can ping every IP address connected to the cloud. When configuring this task, ensure that the hub router does NOT receive redundant routing traffic.

NOTE: Every IP address connected to the cloud also includes the local router’s IP address. Let’s test the existing situation:
On R1
R1#Ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping is NOT successful. Let’s enable the “Debug Frame-relay packet” and try the ping again:

R1#Debug Frame-relay packet
Frame Relay packet debugging is on
R1#Ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
Serial0/0:Encaps failed--no map entry link 7(IP).
Serial0/0:Encaps failed--no map entry link 7(IP).
Serial0/0:Encaps failed--no map entry link 7(IP).
Serial0/0:Encaps failed--no map entry link 7(IP).
Serial0/0:Encaps failed--no map entry link 7(IP).
Success rate is 0 percent (0/5)
Let’s disable the debug:
On R1
R1#u all

The output of the above debug states that encapsulation failed because there is NO mapping. Frame-relay can be configured in two different ways: multipoint and point-to-point. There is ONLY one way to configure Frame-relay in a point-to-point manner, and that’s through a point-to-point subinterface configuration, whereas multipoint can be configured in two ways:
· Perform the entire configuration directly under the main interface.
· Configure a subinterface in a multipoint manner.
Since the entire configuration was performed without the use of subinterfaces, this is a multipoint interface. In a multipoint Frame-relay configuration, two conditions must be met before an IP address is reachable:
A. The destination IP address must be in the routing table with a valid next hop.
B. There must be a Frame-relay mapping for that destination.
In this case the destination IP address is in the routing table, but the Frame-relay mapping is missing. When configuring the Frame-relay mapping, you can use any active DLCI:
On R1
R1(config)#Interface S0/0
R1(config-if)#Frame-relay map ip 10.1.100.1 102

NOTE: Since the local router will NOT be sending multicast or broadcast traffic to itself, there is no need to add the “broadcast” keyword for this configuration.

To verify the configuration:
On R1
R1#Ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/101/108 ms

Let’s test R2’s reachability. We already know that it needs a Frame-relay map or else it will not be able to ping its own IP address, so let’s configure one and test:

On R2
R2(config)#Int S0/0
R2(config-if)#Frame-relay map ip 10.1.100.2 201
To test the configuration:
On R2
R2#Ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/100/108 ms

Let’s see if R2 can ping the other spokes:
On R2
R2#Ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#Ping 10.1.100.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.34, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Do we have Frame-relay mappings for these destinations? Let’s check:
On R2
R2#Show frame-relay map
Serial0/0 (up): ip 10.1.100.2 dlci 201(0xC9,0x3090), static, CISCO, status defined, active
Serial0/0 (up): ip 10.1.100.1 dlci 201(0xC9,0x3090), static, broadcast, CISCO, status defined, active

NOTE: There are two Frame-relay mappings, one for the IP address 10.1.100.2 and the second one for 10.1.100.1. Let’s add two more Frame-relay mappings, one for 10.1.100.3 and the second one for 10.1.100.4:
On R2
R2(config)#Int S0/0
R2(config-if)#Frame-relay map ip 10.1.100.3 201
R2(config-if)#Frame-relay map ip 10.1.100.4 201

There are two points that you need to remember:
a. The destination IP address must be in the routing table with a valid next hop.
b. There must be a Frame-relay mapping for that destination.
To test the configuration:
On R2
R2#Ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Let’s turn on the “Debug Frame-relay packet”, ping again and see the result:

On R2
R2#Deb frame pack
Frame Relay packet debugging is on
R2#Ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.
Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.
Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.
Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.
Serial0/0(o): dlci 201(0x3091), pkt type 0x800(IP), datagramsize 104.
Success rate is 0 percent (0/5)

It seems like the local router (R2) is sending the packets out. Let’s enable the same debugging on R3 and see the result:
On R2
R2#Ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
On R3
Serial0/0(i): dlci 301(0x48D1), pkt type 0x800, datagramsize 104
Serial0/0:Encaps failed--no map entry link 7(IP)

It looks like R3 is missing a Frame-relay map back to R2. Let’s configure a Frame-relay map on R3 for R2 and test again:
On R3
R3(config)#Int S0/0
R3(config-if)#Frame-relay map ip 10.1.100.2 301

To verify the configuration:
On R2
R2#Ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/100/100 ms

Perfect. Let’s do the same on R4.

On R4
R4(config)#Int S0/0
R4(config-if)#Frame-relay map ip 10.1.100.2 401
To verify the configuration:
On R2
R2#Ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/100/108 ms

When configuring the Frame-relay mapping from one spoke to another spoke, the “broadcast” keyword should not be used; if this keyword is used, the hub router will receive redundant routing traffic. This can be verified by running RIPv2 and performing a “debug ip rip” command on the hub router.
Task 3
Configure the routers such that the LMI status inquiries are sent every 5 seconds and Full Status LMI requests are sent every 3 cycles instead of 6.

By default Frame-relay routers generate LMI status inquiries every 10 seconds, and a full status inquiry every 6th cycle (every 60 seconds). The interval for status inquiries can be changed using the “Keepalive” command, whereas the “Frame-relay lmi-n391dte” command can be used to change the interval for the complete status inquiries.

NOTE: The output of the following debug command reveals the status inquiries and full status inquiries:
On R1
R1#Debug frame lmi
Serial0/0(out): StEnq, myseq 125, yourseen 124, DTE up
datagramstart = 0x3F401ED4, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 7D 7C
Serial0/0(in): Status, myseq 125, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 125, myseq 125
Serial0/0(out): StEnq, myseq 126, yourseen 125, DTE up
datagramstart = 0x3F6B0294, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 7E 7D
Serial0/0(in): Status, myseq 126, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 126, myseq 126
Serial0/0(out): StEnq, myseq 127, yourseen 126, DTE up
datagramstart = 0x3F400C14, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 7F 7E
Serial0/0(in): Status, myseq 127, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 127, myseq 127
Serial0/0(out): StEnq, myseq 128, yourseen 127, DTE up
datagramstart = 0x3F6AF394, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 80 7F
Serial0/0(in): Status, myseq 128, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 128, myseq 128
Serial0/0(out): StEnq, myseq 129, yourseen 128, DTE up
datagramstart = 0x3F644ED4, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 01 03 02 81 80
Serial0/0(in): Status, myseq 129, pak size 14
RT IE 1, length 1, type 1
KA IE 3, length 2, yourseq 129, myseq 129
Serial0/0(out): StEnq, myseq 130, yourseen 129, DTE up
datagramstart = 0x3F6B03D4, datagramsize = 14
FR encap = 0x00010308
00 75 95 01 01 00 03 02 82 81
Serial0/0(in): Status, myseq 130, pak size 59
RT IE 1, length 1, type 0
KA IE 3, length 2, yourseq 130, myseq 130
PVC IE 0x7 , length 0x3 , dlci 102, status 0x2
PVC IE 0x7 , length 0x3 , dlci 103, status 0x2
PVC IE 0x7 , length 0x3 , dlci 104, status 0x2
PVC IE 0x7 , length 0x3 , dlci 105, status 0x0
PVC IE 0x7 , length 0x3 , dlci 106, status 0x0

Note: the status inquiries are sent every 10 seconds, and these messages are “type 1” messages, whereas the complete status inquiries are generated by the local router every 6th cycle. These messages are “type 0” messages, and when the Frame-relay switch receives them it responds with all the DLCIs that are configured for that given router.
To change these timers:
On all routers
Rx(config)#Interface S0/0
Rx(config-if)#Keepalive 5
Rx(config-if)#Frame-relay lmi-n391dte 3
To test the configuration:
Rx#Debug frame LMI
*Nov 24 20:13:52.411: Serial0/0(out): StEnq, myseq 221, yourseen 220, DTE up
*Nov 24 20:13:52.411: datagramstart = 0x3F6AEFD4, datagramsize = 14
*Nov 24 20:13:52.411: FR encap = 0x00010308
*Nov 24 20:13:52.411: 00 75 95 01 01 01 03 02 DD DC
*Nov 24 20:13:52.415: Serial0/0(in): Status, myseq 221, pak size 14
*Nov 24 20:13:52.415: RT IE 1, length 1, type 1
*Nov 24 20:13:52.415: KA IE 3, length 2, yourseq 221, myseq 221
*Nov 24 20:13:57.411: Serial0/0(out): StEnq, myseq 222, yourseen 221, DTE up
*Nov 24 20:13:57.411: datagramstart = 0x3F400D54, datagramsize = 14
*Nov 24 20:13:57.411: FR encap = 0x00010308
*Nov 24 20:13:57.411: 00 75 95 01 01 01 03 02 DE DD
*Nov 24 20:13:57.415: Serial0/0(in): Status, myseq 222, pak size 14
*Nov 24 20:13:57.415: RT IE 1, length 1, type 1
*Nov 24 20:13:57.415: KA IE 3, length 2, yourseq 222, myseq 222
*Nov 24 20:14:02.411: Serial0/0(out): StEnq, myseq 223, yourseen 222, DTE up
*Nov 24 20:14:02.411: datagramstart = 0x3F6AF394, datagramsize = 14
*Nov 24 20:14:02.411: FR encap = 0x00010308
*Nov 24 20:14:02.411: 00 75 95 01 01 00 03 02 DF DE
*Nov 24 20:14:02.423: Serial0/0(in): Status, myseq 223, pak size 59
*Nov 24 20:14:02.423: RT IE 1, length 1, type 0
*Nov 24 20:14:02.423: KA IE 3, length 2, yourseq 223, myseq 223
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 102, status 0x2
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 103, status 0x2
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 104, status 0x2
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 105, status 0x0
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 106, status 0x0
Note: initially the router and the Frame-relay switch exchange two “type 1” inquiries, and the third message that the local router generates is a “type 0” message, which tells the switch to respond with all the DLCIs.
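
The timers can also be checked mechanically from a saved debug capture instead of by eye. This is an added example, not part of the workbook: the log is constructed (its first three exchanges follow the Task 3 output above, trimmed to the lines the parser reads, and the last three are invented to complete a second cycle), the function names are hypothetical, and the names given to PVC status 0x0, 0x2 and 0x4 are taken from Cisco's debug documentation rather than from this lab.

```python
"""Measure the LMI keepalive interval and full-status cycle from a debug log."""
import re

# Constructed sample (see the lead-in).
LOG = """\
*Nov 24 20:13:52.411: Serial0/0(out): StEnq, myseq 221, yourseen 220, DTE up
*Nov 24 20:13:52.415: RT IE 1, length 1, type 1
*Nov 24 20:13:57.411: Serial0/0(out): StEnq, myseq 222, yourseen 221, DTE up
*Nov 24 20:13:57.415: RT IE 1, length 1, type 1
*Nov 24 20:14:02.411: Serial0/0(out): StEnq, myseq 223, yourseen 222, DTE up
*Nov 24 20:14:02.423: RT IE 1, length 1, type 0
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 102, status 0x2
*Nov 24 20:14:02.423: PVC IE 0x7 , length 0x3 , dlci 105, status 0x0
*Nov 24 20:14:07.411: Serial0/0(out): StEnq, myseq 224, yourseen 223, DTE up
*Nov 24 20:14:07.415: RT IE 1, length 1, type 1
*Nov 24 20:14:12.411: Serial0/0(out): StEnq, myseq 225, yourseen 224, DTE up
*Nov 24 20:14:12.415: RT IE 1, length 1, type 1
*Nov 24 20:14:17.411: Serial0/0(out): StEnq, myseq 226, yourseen 225, DTE up
*Nov 24 20:14:17.423: RT IE 1, length 1, type 0
*Nov 24 20:14:17.423: PVC IE 0x7 , length 0x3 , dlci 102, status 0x2
*Nov 24 20:14:17.423: PVC IE 0x7 , length 0x3 , dlci 105, status 0x0
"""

LINE = re.compile(r"^\*\w{3}\s+\d+\s+(\d+):(\d+):(\d+(?:\.\d+)?):\s+(.*)$")
PVC = re.compile(r"PVC IE \S+\s*, length \S+\s*, dlci (\d+), status (0x[0-9A-Fa-f]+)")
# Assumption: status names as documented by Cisco for this debug output.
PVC_STATUS = {0x0: "inactive", 0x2: "active", 0x4: "deleted"}


def analyse(log: str) -> dict:
    """Return enquiry intervals, the full-status cycle and the PVC states."""
    enquiries = []   # time of day (seconds) of each Status Enquiry sent
    full_at = []     # number of enquiries sent when each full status arrived
    pvcs = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        hours, minutes, seconds, body = m.groups()
        when = int(hours) * 3600 + int(minutes) * 60 + float(seconds)
        if "(out): StEnq" in body:
            enquiries.append(when)
        elif body.startswith("RT IE") and body.endswith("type 0"):
            full_at.append(len(enquiries))
        else:
            p = PVC.search(body)
            if p:
                code = int(p.group(2), 16)
                pvcs[int(p.group(1))] = PVC_STATUS.get(code, p.group(2))
    # Timestamps carry no date, so a capture that crosses midnight is not handled.
    intervals = [round(b - a, 3) for a, b in zip(enquiries, enquiries[1:])]
    cycles = {b - a for a, b in zip(full_at, full_at[1:])}
    n391 = cycles.pop() if len(cycles) == 1 else None
    return {"intervals": intervals, "n391": n391, "pvcs": pvcs}


def deviations(result: dict, keepalive: float = 5, n391: int = 3,
               tolerance: float = 0.5) -> list:
    """List every measured timer that differs from the configured one."""
    found = []
    for i, gap in enumerate(result["intervals"], start=2):
        if abs(gap - keepalive) > tolerance:
            found.append(f"enquiry {i} sent after {gap}s, expected {keepalive}s")
    if result["n391"] != n391:
        found.append(f"full status every {result['n391']} cycles, expected {n391}")
    return found


if __name__ == "__main__":
    measured = analyse(LOG)
    print(measured)
    print(deviations(measured) or "timers match Keepalive 5 / lmi-n391dte 3")
```
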
Task 4 Erase the startup configuration and reload the routers before proceeding to the next lab.
Lab 9 – Back-to-Back Frame-relay connection
IP addressing:

Router    Interface / IP address    DLCI assignment
R1        S0/1 = 200.1.1.1 /24      113
R3        S0/1 = 200.1.1.3 /24      113
Task 1
Configure Frame-relay between R1 and R3. You should use the IP addresses, interfaces and DLCIs provided in the IP addressing table above.
In this scenario we do not have a Frame-relay switch connecting the routers; these routers are connected back to back using a DTE <-> DCE serial cable. The router that is connected to the DCE side should provide the clocking using the “Clock rate” interface configuration command. The DCE side can be determined using the “Show controller S 0/1” command as follows:

R1#Sh controller S 0/1 | Inc clock
DCE V.35, clock rate 64000

In this case, since the Frame-relay switch does NOT exist, the LMIs should be disabled using the “No Keepalive” interface configuration command, and the Frame-relay mapping should be done statically. When configuring the Frame-relay mapping, the DLCIs should be identical on both ends.

On R1
R1(config)#interface Serial0/1
R1(config-if)#ip address 200.1.1.1 255.255.255.0
R1(config-if)#encapsulation frame-relay
R1(config-if)#NO keepalive
R1(config-if)#clock rate 64000
R1(config-if)#frame-relay map ip 200.1.1.3 113
R1(config-if)#NO shut
On R3
R3(config)#interface Serial0/1
R3(config-if)#ip address 200.1.1.3 255.255.255.0
R3(config-if)#encapsulation frame-relay
R3(config-if)#NO keepalive
R3(config-if)#frame-relay map ip 200.1.1.1 113
To verify & test the configuration:
On R1
R1#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
R1#Show frame-relay lmi
R1#

Note: there are no LMIs, because they are disabled.

R1#Show frame-relay pvc
PVC Statistics for interface Serial0/1 (Frame Relay DTE)
              Active     Inactive     Deleted     Static
  Local       1          0            0           0
  Switched    0          0            0           0
  Unused      0          0            0           0
DLCI = 113, DLCI USAGE = LOCAL, PVC STATUS = STATIC, INTERFACE = Serial0/1
  input pkts 5             output pkts 10           in bytes 520
  out bytes 1040           dropped pkts 0           in pkts dropped 0
  out pkts dropped 0       out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 00:03:53, last time pvc status changed 00:02:39
R1#Show frame-relay map
Serial0/1 (up): ip 200.1.1.3 dlci 113(0x71,0x1c10), static, CISCO
Task 2 Configure the routers such that R1 uses DLCI 103 to send and DLCI 301 to receive packets, whereas R3 should use DLCI 301 to send and DLCI 103 to receive packets. You should configure interface S0/1 to accomplish this task.

In this task we are asked to configure these routers to use different DLCIs: 103 connecting R1 to R3 and 301 connecting R3 to R1.

On R1
R1(config)#interface Serial0/1
R1(config-if)#ip address 200.1.1.1 255.255.255.0
R1(config-if)#encapsulation frame-relay
R1(config-if)#NO keepalive
R1(config-if)#clock rate 64000

The following commands remove the frame-relay mapping that was configured in the previous task and add the new mapping:

R1(config-if)#NO frame-relay map ip 200.1.1.3 113
R1(config-if)#frame-relay map ip 200.1.1.3 103

On R3
R3(config)#interface Serial0/1
R3(config-if)#ip address 200.1.1.3 255.255.255.0
R3(config-if)#encapsulation frame-relay
R3(config-if)#NO keepalive
R3(config-if)#NO frame-relay map ip 200.1.1.1 113
R3(config-if)#frame-relay map ip 200.1.1.1 301
To verify and test the configuration:

On Both Routers:
#Debug Frame-relay packet

On R1
R1#Ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

You should see the following debug output on R1 and R3:

On R1
Serial0/1(o): dlci 103(0x1871), pkt type 0x800(IP), datagramsize 104.
Serial0/1(o): dlci 103(0x1871), pkt type 0x800(IP), datagramsize 104.
Serial0/1(o): dlci 103(0x1871), pkt type 0x800(IP), datagramsize 104.
Serial0/1(o): dlci 103(0x1871), pkt type 0x800(IP), datagramsize 104.
Serial0/1(o): dlci 103(0x1871), pkt type 0x800(IP), datagramsize 104.

On R3
Serial0/1: FR invalid/unexpected pak received on DLCI 103
Serial0/1: FR invalid/unexpected pak received on DLCI 103
Serial0/1: FR invalid/unexpected pak received on DLCI 103
Serial0/1: FR invalid/unexpected pak received on DLCI 103
Serial0/1: FR invalid/unexpected pak received on DLCI 103

NOTE: The output of the debug messages on R3 reveals the reason that the ping was NOT successful. It is telling us that R3 received 5 invalid and unexpected packets on DLCI 103. The local router (R3) sees R1’s DLCI because the two routers are directly connected. To fix this problem, R3 can be configured to receive data on DLCI 103 and send on DLCI 301, as follows:

On R3
R3(config)#int S0/1
R3(config-if)#frame-relay interface-dlci 103
To verify and test the configuration:

On R1
R1#Ping 200.1.1.3 repeat 4

On R3
Serial0/1(i): dlci 103(0x1871), pkt type 0x800, datagramsize 104
Serial0/1(o): dlci 301(0x48D1), pkt type 0x800(IP), datagramsize 104
Serial0/1(i): dlci 103(0x1871), pkt type 0x800, datagramsize 104
Serial0/1(o): dlci 301(0x48D1), pkt type 0x800(IP), datagramsize 104
Serial0/1(i): dlci 103(0x1871), pkt type 0x800, datagramsize 104
Serial0/1(o): dlci 301(0x48D1), pkt type 0x800(IP), datagramsize 104
Serial0/1(i): dlci 103(0x1871), pkt type 0x800, datagramsize 104
Serial0/1(o): dlci 301(0x48D1), pkt type 0x800(IP), datagramsize 104

Note the incoming traffic uses DLCI 103, whereas the outgoing traffic uses DLCI 301. Let’s try to ping R1 and see why the pings are unsuccessful:

To test the configuration:

On R3
R3#Ping 200.1.1.1 repeat 4

On R1
Serial0/1: FR invalid/unexpected pak received on DLCI 301
Serial0/1: FR invalid/unexpected pak received on DLCI 301
Serial0/1: FR invalid/unexpected pak received on DLCI 301
Serial0/1: FR invalid/unexpected pak received on DLCI 301

Note we are experiencing the same problem as on R3: the traffic comes in on DLCI 301 and the local router is NOT aware of this DLCI. To fix this problem:

On R1
R1(config)#int S0/1
R1(config-if)#frame-relay interface-dlci 301

To verify and test the configuration:

On R3
R3#Ping 200.1.1.1 repeat 4
Type escape sequence to abort.
Sending 4, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!
Success rate is 100 percent (4/4), round-trip min/avg/max = 28/29/32 ms

On R1
Serial0/1(i): dlci 301(0x48D1), pkt type 0x800, datagramsize 104
Serial0/1(o): dlci 103(0x1871), pkt type 0x800(IP), datagramsize 104
Serial0/1(i): dlci 301(0x48D1), pkt type 0x800, datagramsize 104
Serial0/1(o): dlci 103(0x1871), pkt type 0x800(IP), datagramsize 104
Serial0/1(i): dlci 301(0x48D1), pkt type 0x800, datagramsize 104
Serial0/1(o): dlci 103(0x1871), pkt type 0x800(IP), datagramsize 104
Serial0/1(i): dlci 301(0x48D1), pkt type 0x800, datagramsize 104
Serial0/1(o): dlci 103(0x1871), pkt type 0x800(IP), datagramsize 104

R1#Show frame map
Serial0/1 (up): ip 200.1.1.3 dlci 103(0x67,0x1870), static, CISCO

On R3
R3#Show frame map
Serial0/1 (up): ip 200.1.1.1 dlci 301(0x12D,0x48D0), static, CISCO
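The hex values next to each DLCI in the debug lines of Task 2 are the two-byte Q.922 address field that carries the DLCI on the wire. The following is an added example, not part of the workbook: it packs and unpacks that field and replays the three stages of Task 2. The Router class and all function names are hypothetical, and the model covers only the acceptance check the debug output shows (a frame is accepted when its DLCI is known on the receiving interface).

```python
def q922_header(dlci: int) -> int:
    """Pack a 10-bit DLCI into the 2-byte Q.922 address (C/R, FECN, BECN, DE all 0)."""
    if not 16 <= dlci <= 1007:
        raise ValueError("DLCI outside the user range 16-1007")
    high = (dlci >> 4) & 0x3F   # upper 6 bits go to byte 1, bits 7..2
    low = dlci & 0x0F           # lower 4 bits go to byte 2, bits 7..4
    # EA=1 in the low bit marks the last address byte; "show frame map" on this
    # page prints the same field with that bit clear (0x1870 for DLCI 103).
    return (high << 2) << 8 | (low << 4) | 0x01


def dlci_from_header(header: int) -> int:
    """Recover the DLCI from a 2-byte address field, checking both EA bits."""
    if not header & 0x0001 or header & 0x0100:
        raise ValueError("not a 2-byte Q.922 address (EA bits wrong)")
    return ((header >> 10) & 0x3F) << 4 | ((header >> 4) & 0x0F)


class Router:
    """Hypothetical model of one end of the back-to-back link."""

    def __init__(self, name):
        self.name = name
        self.tx_map = {}          # next-hop IP -> DLCI ("frame-relay map ip")
        self.local_dlcis = set()  # DLCIs known on the interface

    def map_ip(self, ip, dlci):
        self.tx_map[ip] = dlci
        self.local_dlcis.add(dlci)

    def interface_dlci(self, dlci):
        # "frame-relay interface-dlci": makes the DLCI known without a mapping
        self.local_dlcis.add(dlci)

    def send(self, dst_ip):
        return q922_header(self.tx_map[dst_ip])

    def receive(self, header):
        dlci = dlci_from_header(header)
        if dlci not in self.local_dlcis:
            return f"FR invalid/unexpected pak received on DLCI {dlci}"
        return None


def ping(src, dst, src_ip, dst_ip):
    """One echo and its reply; returns 'ok' or the receiver's debug line."""
    for sender, receiver, target in ((src, dst, dst_ip), (dst, src, src_ip)):
        error = receiver.receive(sender.send(target))
        if error:
            return f"{receiver.name}: {error}"
    return "ok"


def task2_walkthrough():
    """Replay Task 2: static maps only, then each interface-dlci fix in turn."""
    r1, r3 = Router("R1"), Router("R3")
    r1.map_ip("200.1.1.3", 103)
    r3.map_ip("200.1.1.1", 301)
    results = [ping(r1, r3, "200.1.1.1", "200.1.1.3")]      # R3 rejects DLCI 103
    r3.interface_dlci(103)
    results.append(ping(r1, r3, "200.1.1.1", "200.1.1.3"))  # reply dies at R1
    r1.interface_dlci(301)
    results.append(ping(r3, r1, "200.1.1.3", "200.1.1.1"))  # both directions pass
    return results


if __name__ == "__main__":
    for line in task2_walkthrough():
        print(line)
```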
Task 3 Reconfigure R1 as a frame-relay switch and a router connecting to R3, whereas R3 should be configured as a router connecting to R1 using S0/1 interface. R1 should use DLCI 103 for its connection to R3 and R3 should use DLCI 301 for its connection to R1. You should NOT disable LMIs to accomplish this task.

On R1
R1(config)#frame switching
R1(config)#int S0/1
R1(config-if)#ip addr 200.1.1.1 255.255.255.0
R1(config-if)#encap frame-relay
R1(config-if)#clock rate 64000
R1(config-if)#frame map ip 200.1.1.3 103
R1(config-if)#frame interface-dlci 301
R1(config-if)#frame-relay intf-type dce

On R3
R3(config-if)#int S0/1
R3(config-if)#ip addr 200.1.1.3 255.255.255.0
R3(config-if)#encap frame-relay
R3(config-if)#frame map ip 200.1.1.1 301

To verify and test the configuration:

On R1
R1#Show frame lmi | B Num
  Num Status Enq. Rcvd 11               Num Status msgs Sent 11
  Num Update Status Sent 0              Num St Enq. Timeouts 0

On R3
R3#Show frame-relay lmi | B Num
  Num Status Enq. Sent 18               Num Status msgs Rcvd 19
  Num Update Status Rcvd 0              Num Status Timeouts 0
  Last Full Status Req 00:00:00         Last Full Status Rcvd 00:00:00

R3#Show frame-relay map
Serial0/1 (up): ip 200.1.1.1 dlci 301(0x12D,0x48D0), static, CISCO, status defined, active

R3#Ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/33 ms
Task 4 Erase the startup configuration and reload the routers before proceeding to the next lab.
Lab 1 – MLS QOS
Lab Setup:
· Configure F0/19 interface of SW1 and SW2 as a Dot1Q trunk.
· Configure SW1 and SW2 in VTP domain called TST
· Configure F0/1 and F0/2 interface of SW1 in VLAN 100.
· Configure F0/3 interface of SW2 as a Dot1Q trunk.
· Configure F0/1 interface of R3 as a Dot1Q trunk for VLAN 100.
You can copy and paste the initial configuration from the init directory

IP addressing:

Router   Interface / IP address       VLAN
R1       F0/0 = 10.1.1.1 /24          100
R2       F0/0 = 10.1.1.2 /24          100
R3       F0/1.100 = 10.1.1.3 /24      100
Task 1 Assign a hostname of SW1 to Switch 1 and a hostname of SW2 to Switch 2. Shutdown all unused ports on these switches.

On Switch 1
Switch(config)#Host SW1
SW1(config)#Int range f0/3-18 , F0/20-24
SW1(config-if-range)#Shut

On Switch 2
Switch(config)#Host SW2
SW2(config)#Int range f0/1-2 , F0/4-18 , F0/20-24
SW2(config-if-range)#Shut
Task 2 Configure SW1’s port F0/2 such that it marks All ingress traffic with a CoS marking of 2. For verification purpose, R3 should be configured to match on CoS values of 0 – 7 ingress on its F0/1.100 subinterface.

In this step R3 is configured to match on incoming CoS values of 0 – 7; this is done so the policy can be tested and verified.

On R3
R3(config)#class-map cos0
R3(config-cmap)#match CoS 0
R3(config)#class-map cos1
R3(config-cmap)#match CoS 1
R3(config)#class-map cos2
R3(config-cmap)#match CoS 2
R3(config)#class-map cos3
R3(config-cmap)#match CoS 3
R3(config)#class-map cos4
R3(config-cmap)#match CoS 4
R3(config)#class-map cos5
R3(config-cmap)#match CoS 5
R3(config)#class-map cos6
R3(config-cmap)#match CoS 6
R3(config)#class-map cos7
R3(config-cmap)#match CoS 7

R3(config)#Policy-map TST
R3(config-pmap)#Class cos0
R3(config-pmap)#Class cos1
R3(config-pmap)#Class cos2
R3(config-pmap)#Class cos3
R3(config-pmap)#Class cos4
R3(config-pmap)#Class cos5
R3(config-pmap)#Class cos6
R3(config-pmap)#Class cos7

R3(config)#Int F0/1.100
R3(config-subif)#Service-policy in TST
On SW1
By default, QOS is disabled and the switch will NOT modify the CoS, IP-Precedence or the DSCP values of received traffic. To verify:

SW1#Show mls qos
QoS is disabled
QoS ip packet dscp rewrite is enabled

The following command enables MLS QOS; to perform any kind of QOS configuration, MLS QOS must be enabled.

SW1(config)#MLS QOS

To verify the configuration:

On SW1
SW1#Show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled
To continue with the configuration:

SW1(config)#int F0/1

The following command assigns a default CoS value of 2 to untagged traffic received through this interface.

SW1(config-if)#mls qos cos 2

To verify the configuration:

On SW1
SW1#Show mls qos inter f0/1
FastEthernet0/1
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 2
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

To test the configuration:

On R1
R1#Ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
To verify the test:

On R3
R3#Show policy-map interface | S cos0
    Class-map: cos0 (match-all)
      4 packets, 472 bytes
      5 minute offered rate 0 bps
      Match: cos 0

R3#Show policy-map interface | S cos2
    Class-map: cos2 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: cos 2

Note: even though the interface is configured with “Mls qos cos 2”, the traffic coming in on that interface is NOT affected. To mark ALL traffic with a CoS marking of 2, which means all traffic regardless of its marking, the port must be configured to override the existing CoS. The “mls qos cos” command on its own does NOTHING; it should be combined with either the “Mls qos cos override” or “Mls qos trust cos”. When it is combined with “MLS qos trust cos”, ONLY the untagged traffic is affected, but if it is combined with “MLS qos cos override”, then all traffic (tagged or untagged) is affected.

The following command configures the switch port to trust the CoS value in ALL incoming traffic through F0/2 interface; the “Mls qos cos override” command will be tested later:

SW1(config)#int F0/1
SW1(config-if)#mls qos trust cos
To verify the configuration:

On SW1
SW1#Sh mls qos interface f0/1
FastEthernet0/1
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 2
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
To test the configuration:

On R3
R3#Clear counters
Clear "show interface" counters on all interfaces [confirm]

Press Enter to allow the counters to be cleared.

On R1
R1#Ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

To verify the test:

On R3
R3#Sh policy-map inter | S cos0
    Class-map: cos0 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: cos 0

R3#Show policy-map interface | S cos2
    Class-map: cos2 (match-all)
      5 packets, 590 bytes
      5 minute offered rate 0 bps
      Match: cos 2

Note the output of the above show command reveals that all traffic sourced from R1 is marked with a CoS value of 0; the reason for this outcome is that SW1 is configured with the “Mls qos” global configuration command, therefore the switch will mark all untagged incoming traffic through its F0/1 interface with a CoS value of 2.
Task 3 Configure SW1 and R1 as follows:
· F0/1 interface of SW1 should be configured as a Dot1q trunk.
· Disable “Mls QOS” and remove the “Mls qos cos 2” command from F0/1 interface of SW1.
· Configure F0/0.100 subinterface on R1; this subinterface should be configured based on the following:
  · R1’s F0/0.100 interface should be configured as trunk for VLAN 100
  · R1’s F0/0.100 should be assigned an IP address of 10.1.1.1 /24
  · R1’s F0/0.100 should be configured to mark all egress traffic with a CoS value of 6.
On SW1
SW1(config)#int F0/1
SW1(config-if)#Default inter f0/1
SW1(config)#int F0/1
SW1(config-if)#swi trunk enc do
SW1(config-if)#swi mode trunk
SW1(config)#NO Mls qos

To verify the configuration:

On SW1
SW1#Show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/19      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094
Fa0/19      1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1,100
Fa0/19      1,100

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       none
Fa0/19      1,100
On R1
R1(config)#Default inter F0/0
R1(config-if)#int F0/0.100
R1(config-subif)#encap dot1 100
R1(config-subif)#ip addr 10.1.1.1 255.255.255.0
R1(config)#Policy-map TST
R1(config-pmap)#class class-default
R1(config-pmap-c)#set cos 6
R1(config-pmap-c)#int F0/0.100
R1(config-subif)#service-policy out TST

To test the configuration:

On R3
R3#Clear counters

On R1
R1#Ping 10.1.1.3 rep 60
Type escape sequence to abort.
Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R3
R3#Sh policy-map inter | S cos6
    Class-map: cos6 (match-all)
      60 packets, 7080 bytes
      5 minute offered rate 0 bps
      Match: cos 6

Note traffic generated by R1 has a CoS marking of 6.
Task 4 SW1 should be configured to trust the CoS marking of any traffic coming through its F0/1 interface.

On SW1
SW1(config)#mls qos
SW1(config)#int F0/1
SW1(config-if)#mls qos trust CoS

To test the configuration:

On R3
R3#Clear counters

On R1
R1#Ping 10.1.1.3 repeat 60
Type escape sequence to abort.
Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

Note the output of the following show command reveals that the traffic retained its CoS marking.

On R3
R3#Show policy-map interface | S cos6
    Class-map: cos6 (match-all)
      60 packets, 7080 bytes
      5 minute offered rate 0 bps
      Match: cos 6
Task 5 Configure R1, R2 & SW1 using the following policy:
1. If the ingress traffic from R2 is NOT marked with a CoS value, SW1 should be configured to mark that traffic with a CoS value of 0.
2. If the ingress traffic from R1 is NOT tagged, SW1 should be configured to rewrite the CoS value to 1; however, if the traffic is tagged, SW1 should NOT rewrite the CoS value of the incoming traffic.

To configure the first policy:
Since the “Mls Qos” command is configured on SW1, when traffic without a CoS marking enters any port on SW1, that traffic is marked with a CoS value of 0; therefore, SW1 does NOT need to be configured for this policy.
To verify and test the first policy:

On R3
R3#Clear counter

On R2
R2#Ping 10.1.1.3 rep 60
Type escape sequence to abort.
Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R3
Since the traffic generated by R2 did not have a CoS marking, the traffic will arrive with a CoS marking of zero.

R3#Show policy-map interface | S cos6
    Class-map: cos6 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: cos 6

R3#Show policy-map interface | S cos0
    Class-map: cos0 (match-all)
      60 packets, 7080 bytes
      5 minute offered rate 0 bps
      Match: cos 0

To configure the second policy:
The “Mls qos trust cos” command that was configured in the previous task will trust the CoS value in the incoming traffic and will NOT rewrite the CoS value. Since the task states that the untagged traffic should be rewritten to a CoS value of 1, whereas the tagged traffic should NOT be affected at all, the following should be configured:
To test the configuration:

On R3
R3#Clear counters

On SW1
SW1(config)#Int F0/1
SW1(config-if)#mls qos cos 1

The above command ONLY affects the untagged traffic; since R1’s F0/1 interface is configured as a trunk link, this configuration should NOT have any effect. The following show command reveals this information:

On R1
R1#Ping 10.1.1.3 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/1/4 ms

On R3
The output of the following show command reveals that the traffic from R1 retained its CoS value of 6:

R3#Sh policy-map inter | s cos6
    Class-map: cos6 (match-all)
      10 packets, 1180 bytes
      5 minute offered rate 0 bps
      Match: cos 6
To test the untagged traffic:

On R1
R1(config)#int F0/0.100
R1(config-subif)#encap dot1 100 native

NOTE: In the above and the following configuration, VLAN 100 is configured to be the Native VLAN so the traffic arrives with NO tagging:

On SW1
SW1(config-if)#int F0/1
SW1(config-if)#swi trunk native vlan 100

To see SW1’s configuration:

On SW1
SW1#Sh run int F0/1 | B interface
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 mls qos cos 1
 mls qos trust cos

To verify the configuration:

On SW1
SW1#Sh interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      100
Fa0/19      on           802.1q         trunking      1
(The rest of the output is omitted)

On R3
R3#Clear counters
On R1
R1#Ping 10.1.1.3 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms

On R3
R3#Show policy-map interface | S cos6
    Class-map: cos6 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: cos 6

R3#Show policy-map interface | S cos0
    Class-map: cos0 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: cos 0

R3#Show policy-map interface | S cos1
    Class-map: cos1 (match-all)
      100 packets, 11800 bytes
      5 minute offered rate 0 bps
      Match: cos 1

The following shows R1’s policy-map configuration:

On R1
R1#Show policy-map TST
  Policy Map TST
    Class class-default
      set cos 6
Task 6 SW2 should be configured such that it marks all traffic from any router/s connected to SW1 (Tagged or Untagged) with a CoS value of 7. DO NOT configure R1, R2 or SW1 to accomplish this task.

On SW2
SW2(config)#MLS QOS

NOTE: This configuration is performed on the trunk link of SW2 so it can affect all traffic coming from SW1; this affects the traffic that has marking, the traffic that does NOT have any marking, tagged or untagged:

SW2(config)#int F0/19
SW2(config-if)#mls qos cos 7
SW2(config-if)#mls qos cos override

To verify the configuration:

On SW2
SW2#Sh mls qos inter f0/19
FastEthernet0/19
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: ena
default COS: 7
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

To test the configuration:

On R3
R3#Clear counter
On R1
R1#Ping 10.1.1.3 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms

On R3
Note the traffic matched to CoS 7:

R3#Show policy-map interface | S cos7
    Class-map: cos7 (match-all)
      100 packets, 11800 bytes
      5 minute offered rate 0 bps
      Match: cos 7

On R2
R2#Ping 10.1.1.3 rep 200
Type escape sequence to abort.
Sending 200, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (200/200), round-trip min/avg/max = 1/1/4 ms

On R3
R3#Show policy-map interface | S cos7
    Class-map: cos7 (match-all)
      300 packets, 35400 bytes
      5 minute offered rate 0 bps
      Match: cos 7

Note all traffic, regardless of its marking, is marked with a CoS value of 7.
Task 7 Erase the startup configuration on R1-3 and SW1 & SW2 and reload these routers and switches before proceeding to the next lab.
Lab 2 – DSCP-Mutation
Lab Setup: The lab topology and setup is based on the previous lab, with the exception of R3’s configuration and the F0/3 interface of SW2; R3’s F0/1 interface should be configured with an IP address of 10.1.1.3 /24 and the F0/3 interface of SW2 should be configured in VLAN 100. You can copy and paste the initial configuration from the init directory

Task 1 Configure an MQC on R1 such that all packets going out of its F0/0 interface are marked with a DSCP value of 1. For verification purpose, R3’s F0/1 interface should be configured to match on DSCP 0-7 for all ingress traffic. Ensure that “Mls qos” is disabled on both switches.
On Both Switches:
SWx#Sh mls qos
QoS is disabled
QoS ip packet dscp rewrite is enabled

The following configuration on R1 marks all egress traffic with a DSCP value of 1:
On R1
R1(config)#Policy-map TST
R1(config-pmap)#class class-default
R1(config-pmap-c)#set ip dscp 1
R1(config)#int F0/0
R1(config-if)#Service-policy out TST

On R3
The following configuration is done for verification and testing purposes:

R3(config)#Class-map DSCP0
R3(config-cmap)#match ip dscp 0
R3(config)#Class-map DSCP1
R3(config-cmap)#match ip dscp 1
R3(config)#Class-map DSCP2
R3(config-cmap)#match ip dscp 2
R3(config)#Class-map DSCP3
R3(config-cmap)#match ip dscp 3
R3(config)#Class-map DSCP4
R3(config-cmap)#match ip dscp 4
R3(config)#Class-map DSCP5
R3(config-cmap)#match ip dscp 5
R3(config)#Class-map DSCP6
R3(config-cmap)#match ip dscp 6
R3(config)#Class-map DSCP7
R3(config-cmap)#match ip dscp 7

R3(config)#policy-map TST
R3(config-pmap)#Class DSCP0
R3(config-pmap)#Class DSCP1
R3(config-pmap)#Class DSCP2
R3(config-pmap)#Class DSCP3
R3(config-pmap)#Class DSCP4
R3(config-pmap)#Class DSCP5
R3(config-pmap)#Class DSCP6
R3(config-pmap)#Class DSCP7

R3(config)#int F0/1
R3(config-if)#service-policy in TST
To test the configuration:

On R1
R1#Ping 10.1.1.3 rep 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 1/1/4 ms

On R3
R3#Sh Policy-map inter | S DSCP1
    Class-map: DSCP1 (match-all)
      9 packets, 1026 bytes
      5 minute offered rate 0 bps
      Match: ip dscp 1

Note since “Mls qos” is disabled on both switches, the packets traversing the switches will retain their marking.
Task 2 Configure SW2 such that if the incoming traffic is marked with DSCP 1, it is overwritten to a DSCP value of 60. DO NOT configure a class-map or Policy-map to accomplish this task. Use R3 to verify the configuration.
DSCP Mutation can be configured to accomplish this task; there are five steps in configuring DSCP mutation, and they are as follows:
Step 1: Mls qos MUST be enabled:

On SW2
SW2(config)#Mls qos

To verify the configuration of this step:

On SW2
SW2#Show mls QoS
QoS is enabled
QoS ip packet dscp rewrite is enabled
Step 2: In this step a custom DSCP-Mutation map is configured. Remember that if this custom mapping is NOT configured, the default DSCP-Mutation map will be used; the default DSCP-Mutation map can NOT be changed and it is configured as one to one, meaning that the incoming DSCP value will always map to the same outgoing DSCP value. In this step a custom DSCP-Mutation map named TST is configured; this custom map maps the incoming DSCP value (in this case 1) to an outgoing DSCP value of 60.

To see the default DSCP-Mutation map:

SW2#Show mls qos map dscp-mutation
   Dscp-dscp mutation map:
   Default DSCP Mutation Map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
      0 :    00 01 02 03 04 05 06 07 08 09
      1 :    10 11 12 13 14 15 16 17 18 19
      2 :    20 21 22 23 24 25 26 27 28 29
      3 :    30 31 32 33 34 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    50 51 52 53 54 55 56 57 58 59
      6 :    60 61 62 63

Note the d1: column specifies the most significant digit of the DSCP value of incoming packets, whereas the d2: row specifies the least significant digit of the DSCP value of incoming packets. The intersection of the d1 and d2 values (this is the body of the output) provides the DSCP value of the outgoing packets.

NOTE: the output of the above show command reveals that the incoming DSCP value of 1 is rewritten to the outgoing DSCP value of 1. Let’s configure a custom DSCP-Mutation map called TST that maps the incoming DSCP value of 1 to an outgoing DSCP value of 60:

SW2(config)#Mls qos map dscp-mutation TST 1 to 60

To verify the configuration:

On SW2
SW2#Show mls qos map dscp-mutation TST
   Dscp-dscp mutation map:
   TST:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
      0 :    00 60 02 03 04 05 06 07 08 09
      1 :    10 11 12 13 14 15 16 17 18 19
      2 :    20 21 22 23 24 25 26 27 28 29
      3 :    30 31 32 33 34 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    50 51 52 53 54 55 56 57 58 59
      6 :    60 61 62 63
Step 3: In this step, the custom DSCP-Mutation map called TST is applied to the F0/19 interface (Trunk interface) of SW2

SW2(config)#int F0/19
SW2(config-if)#mls qos dscp-mutation TST

To verify the configuration:

On SW2
SW2#Show mls qos int F0/19 | Inc DSCP
DSCP Mutation Map: TST
Step 4: Remember, if the “Mls qos trust DSCP” is NOT configured, the configuration will NOT have any effect on the packets.

To see the trust state (what is being trusted) of the F0/19 interface:

On SW2
SW2#Show mls qos int F0/19 | Inc trust state
trust state: not trusted

On SW2
SW2(config)#int F0/19
SW2(config-if)#mls qos trust dscp

To verify the configuration:

On SW2
SW2#Show mls qos int F0/19 | Inc trust state
trust state: trust dscp

NOTE: If CoS was trusted, the output of the above command would have stated “trust state: trust CoS”; since ONLY DSCP is trusted, the trust state is DSCP.
Step 5: Ensure that the DSCP rewrites are enabled; if this is disabled, then the DSCP marking will NOT be rewritten.

To verify if the DSCP rewrites are enabled:

On SW2
SW2#Show mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled

If the DSCP rewrites are disabled, then the DSCP marking in the outgoing packets will NOT be rewritten. There are times that this feature must be disabled; to disable this feature, the “NO mls qos rewrite ip dscp” global command can be used.
To prepare R3 for verification purpose:

On R3
The following configuration is required for testing and verification.

R3(config)#Class-map DSCP60
R3(config-cmap)#match ip dscp 60
R3(config)#policy-map TST
R3(config-pmap)#Class DSCP60

Remember, the policy-map TST is already applied.

To verify the configuration:

On SW2
R3#Show policy-map TST
  Policy Map TST
    Class DSCP0
    Class DSCP1
    Class DSCP2
    Class DSCP3
    Class DSCP4
    Class DSCP5
    Class DSCP6
    Class DSCP7
    Class DSCP60

To test the configuration:

On R3
R3#clear counters
On R1
R1#Ping 10.1.1.3 rep 60
Type escape sequence to abort.
Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R3
R3#Show policy-map interface | S DSCP60
    Class-map: DSCP60 (match-all)
      60 packets, 6840 bytes
      5 minute offered rate 0 bps
      Match: ip dscp 60
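The d1/d2 table from Step 2 and the checks from Steps 1, 3, 4 and 5 can be read mechanically from captured show output. The following is an added example, not part of the workbook: it parses a mutation-map table into an incoming-to-outgoing dictionary, lists the values that differ from the one-to-one default, and reports which of the workbook's steps a set of captures fails. The function names are hypothetical; the map capture is the TST output from Step 2 and the two short captures are constructed from the lines shown in Steps 3 to 5.

```python
import re

# TST map as printed in Step 2 of this lab.
SHOW_MAP_TST = """\
   Dscp-dscp mutation map:
   TST:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
      0 :    00 60 02 03 04 05 06 07 08 09
      1 :    10 11 12 13 14 15 16 17 18 19
      2 :    20 21 22 23 24 25 26 27 28 29
      3 :    30 31 32 33 34 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    50 51 52 53 54 55 56 57 58 59
      6 :    60 61 62 63
"""
# Constructed captures, using the lines the lab shows for SW2 and F0/19.
SHOW_MLS_QOS = "QoS is enabled\nQoS ip packet dscp rewrite is enabled\n"
SHOW_INT_F0_19 = "trust state: trust dscp\nDSCP Mutation Map: TST\n"

# A data row is one digit (d1), a colon, then up to ten two-digit values.
ROW = re.compile(r"^\s*(\d)\s*:\s*(\d{2}(?:\s+\d{2})*)\s*$")


def parse_mutation_map(text):
    """Return {incoming DSCP: outgoing DSCP} from a dscp-mutation table.

    d1 (row label) is the tens digit of the incoming value and d2 (column
    position) the units digit; the cell is the outgoing value.
    """
    mapping = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # title lines and the d1/d2 header row
        d1 = int(match.group(1))
        cells = match.group(2).split()
        if len(cells) > 10:
            raise ValueError(f"row {d1} has more than ten columns")
        for d2, out in enumerate(cells):
            mapping[d1 * 10 + d2] = int(out)
    if sorted(mapping) != list(range(64)):
        raise ValueError("expected exactly one entry for each DSCP 0-63")
    if any(not 0 <= out <= 63 for out in mapping.values()):
        raise ValueError("outgoing DSCP outside 0-63")
    return mapping


def rewrites(mapping):
    """Entries that differ from the one-to-one default map."""
    return {dscp: out for dscp, out in mapping.items() if dscp != out}


def unmet_steps(show_mls_qos, show_interface, map_name):
    """Return the workbook steps whose expected show line is missing."""
    name = re.escape(map_name)
    checks = [
        ("Step 1: mls qos is not enabled",
         r"^\s*QoS is enabled\s*$", show_mls_qos),
        ("Step 3: map is not applied to the interface",
         rf"^\s*DSCP Mutation Map:\s*{name}\s*$", show_interface),
        ("Step 4: port does not trust DSCP",
         r"^\s*trust state:\s*trust dscp\s*$", show_interface),
        ("Step 5: DSCP rewrite is not enabled",
         r"^\s*QoS ip packet dscp rewrite is enabled\s*$", show_mls_qos),
    ]
    flags = re.MULTILINE | re.IGNORECASE
    return [msg for msg, pattern, text in checks
            if not re.search(pattern, text, flags)]


if __name__ == "__main__":
    print(rewrites(parse_mutation_map(SHOW_MAP_TST)))
    print(unmet_steps(SHOW_MLS_QOS, SHOW_INT_F0_19, "TST"))
```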
Task 3 Configure the “Default interface F0/1” command on R3 before proceeding to the next lab.