
CCNA Lab - Solution Rev1.0 Advanced MPLS I


Task 15.1:

♦ Configure VPN Green site 1 so as to prevent communication to site 2
♦ Configure VPN Green site 1 to talk to site 3

This task requires you to reconfigure the VPNs, splitting them into multiple VPNs by using different RDs, which will allow you to control routes from one site to another.

PE2

ip vrf green-site1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf green-site2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
interface Ethernet0/0.82
 description to CE8 -VLAN 82 VPN Green Site 2
 encapsulation dot1Q 82
 ip vrf forwarding green-site2
 ip address 10.82.1.2 255.255.255.0
 ip rip send version 2
 ip rip receive version 2
!
interface Ethernet0/1
 description to BB1-RACK1
 ip vrf forwarding green-site1
 ip address 10.12.1.2 255.255.255.0
!
router rip
 version 2
 network 10.0.0.0
 !
 address-family ipv4 vrf green-site2
 redistribute bgp 65001 metric transparent
 network 10.0.0.0
 no auto-summary
 version 2
 exit-address-family
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 22.22.22.0 mask 255.255.255.0
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 neighbor 10.12.1.1 remote-as 57
 neighbor 10.12.1.1 description Peer to BB1-AS57
 neighbor 10.12.1.1 password iementor
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.1.1.254 activate
 neighbor 10.1.1.254 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf green-site2
 redistribute connected
 redistribute rip metric 5
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf green-site1
 redistribute connected
 neighbor 10.12.1.1 remote-as 57
 neighbor 10.12.1.1 activate
 no auto-summary
 no synchronization
 exit-address-family

In PE4 you need to inject RD 1:1 to allow PE4 to receive routes directionally from green-site1. Otherwise, you won't be able to communicate between the two VPNs. You can import/export on green-site3, or you can use export 1:1 on green-site3 and export 3:3 on green-site1, or import/export on PE4. The solutions will work in both cases.

PE4

ip vrf green-site3
 rd 3:3
 route-target export 3:3
 route-target export 1:1
 route-target import 3:3
 route-target import 1:1
!
interface FastEthernet0/1.300
 description to BB3 VLAN 300
 encapsulation dot1Q 300
 ip vrf forwarding green-site3
 ip address 172.16.30.4 255.255.255.0
 no snmp trap link-status
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.1.1.254 remote-as 65001
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.1.1.254 activate
 neighbor 10.1.1.254 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf green-site3
 neighbor 172.16.30.3 remote-as 3
 neighbor 172.16.30.3 activate
 no auto-summary
 no synchronization
 exit-address-family

PE4-RACK1#sho ip route vrf green-site3
Gateway of last resort is 172.16.30.3 to network 0.0.0.0
     153.46.0.0/16 is variably subnetted, 5 subnets, 2 masks
B       138.1.1.0 [20/2] via 172.16.30.3, 12:18:05
     18.0.0.0/24 is subnetted, 1 subnets
B       18.2.1.0 [200/2] via 10.1.1.2, 12:18:47
     38.0.0.0/24 is subnetted, 3 subnets
B       38.3.1.0 [20/2] via 172.16.30.3, 12:18:06
B       38.2.1.0 [20/2] via 172.16.30.3, 12:18:06
B       38.1.1.0 [200/2] via 10.1.1.2, 12:18:48
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 [200/2] via 10.1.1.2, 12:18:48
     156.46.0.0/16 is variably subnetted, 5 subnets, 2 masks
C       172.16.30.0 is directly connected, FastEthernet0/1.300
     7.0.0.0/24 is subnetted, 1 subnets
B       7.7.7.0 [20/2] via 172.16.30.3, 12:18:06
B    213.112.68.0/24 [20/2] via 172.16.30.3, 12:18:06
     8.0.0.0/24 is subnetted, 1 subnets
B       10.12.1.0 [200/0] via 10.1.1.2, 12:18:48
B    209.112.67.0/24 [200/2] via 10.1.1.2, 12:18:48
B    209.112.68.0/24 [200/2] via 10.1.1.2, 12:18:48
     12.0.0.0/24 is subnetted, 1 subnets
B       12.1.1.0 [200/2] via 10.1.1.2, 12:18:48
B    213.112.65.0/24 [20/2] via 172.16.30.3, 12:18:06
B    209.112.69.0/24 [200/2] via 10.1.1.2, 12:18:48
     28.0.0.0/24 is subnetted, 1 subnets
B       28.3.1.0 [200/2] via 10.1.1.2, 12:18:48
     13.0.0.0/24 is subnetted, 1 subnets
B       13.1.1.0 [20/2] via 172.16.30.3, 12:18:06
B    213.112.66.0/24 [20/2] via 172.16.30.3, 12:18:06
B    209.112.70.0/24 [200/2] via 10.1.1.2, 12:18:48
B    213.112.67.0/24 [20/2] via 172.16.30.3, 12:18:06
B*   0.0.0.0/0 [20/0] via 172.16.30.3, 12:18:06

BB3-RACK1#ping 5.5.5.5
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:

!
interface ATM1/0.100 point-to-point
 ip vrf forwarding iementor-site1
 ip address 140.100.1.2 255.255.255.0
 pvc 1/100
  protocol ip 140.100.1.1 broadcast
  encapsulation aal5snap
!
router eigrp 100
 redistribute isis level-1-2 metric 1544 1000 255 255 4460
 network 140.100.2.0 0.0.0.255
 auto-summary
 !
 address-family ipv4 vrf iementor-site1
 redistribute bgp 65001 metric 1544 100 255 255 1500
 network 140.100.1.0 0.0.0.255
 no auto-summary
 autonomous-system 10
 exit-address-family
!
router bgp 65001
 no synchronization
 bgp router-id 10.1.1.1
 bgp log-neighbor-changes
 network 11.11.11.0 mask 255.255.255.0
 network 140.100.1.0 mask 255.255.255.0
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 neighbor 140.100.1.1 remote-as 1540
 neighbor 140.100.1.1 description To BB2
 neighbor 140.100.1.1 password iementor
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.1.1.254 activate
 neighbor 10.1.1.254 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf iementor-site1
 redistribute eigrp 10 metric 5
 no auto-summary
 no synchronization
 exit-address-family

PE1-RACK1#sho ip bgp vpnv4 vrf iementor-site1
BGP table version is 15, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 33:33 (default for vrf iementor-site1)

R       3.3.3.0 [120/6] via 10.82.1.2, 00:00:00, FastEthernet0/0.82
     140.100.0.0/24 is subnetted, 1 subnets
R       140.100.1.0 [120/1] via 10.82.1.2, 00:00:00, FastEthernet0/0.82
     8.0.0.0/24 is subnetted, 2 subnets
R       8.2.1.0 [120/6] via 10.82.1.2, 00:00:00, FastEthernet0/0.82
     28.0.0.0/24 is subnetted, 1 subnets
R       28.3.2.0 [120/6] via 10.82.1.2, 00:00:00, FastEthernet0/0.82

CE8-RACK1#ping 3.3.3.3
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Your goal here is to exchange routes from CE8 and BB2.

3550-CE6(config)#int fastEthernet 0/3
3550-CE6(config-if)#switchport trunk allowed vlan add 66,67

PE3-RACK1(config)#interface Ethernet0/0.66
PE3-RACK1(config-subif)# encapsulation dot1Q 66
PE3-RACK1(config-subif)# description to Manage VPN's
PE3-RACK1(config-subif)# ip vrf forwarding mgt
PE3-RACK1(config-subif)# ip address 192.168.1.3 255.255.255.0
PE3-RACK1(config-subif)# no snmp trap link-status
PE3-RACK1(config-subif)#interface Ethernet0/0.67
PE3-RACK1(config-subif)# encapsulation dot1Q 67
PE3-RACK1(config-subif)# description to Manage IGP Core
PE3-RACK1(config-subif)# ip address 192.168.2.3 255.255.255.0
PE3-RACK1(config-subif)# ip router isis
PE3-RACK1(config-subif)# no snmp trap link-status
PE3-RACK1(config-subif)# isis circuit-type level-1   <-- For IGP to be sent to the MGT Switch

3750-M-CE4(config)#interface Vlan66
3750-M-CE4(config-if)# description Managment for VPN's
3750-M-CE4(config-if)# ip address 192.168.1.1 255.255.255.0
3750-M-CE4(config-if)#interface Vlan67
3750-M-CE4(config-if)# description to Manage IGP Routers
3750-M-CE4(config-if)# ip address 192.168.2.1 255.255.255.0

3750-M-CE4(config)#router isis
3750-M-CE4(config-router)# net 48.0000.0067.0067.00
3750-M-CE4(config-router)# is-type level-1
3750-M-CE4(config-router)# area-password iementor
3750-M-CE4(config-router)# metric-style wide
3750-M-CE4(config-router)# log-adjacency-changes all

3750-M-CE4#sho ip route isis
     140.100.0.0/16 is variably subnetted, 3 subnets, 2 masks
i L1    140.100.2.2/32 [115/30] via 192.168.2.3, Vlan67
i L1    140.100.2.0/24 [115/30] via 192.168.2.3, Vlan67
     157.46.0.0/16 is variably subnetted, 4 subnets, 2 masks
i L1    157.46.3.0/24 [115/30] via 192.168.2.3, Vlan67
i L1    157.46.2.0/24 [115/30] via 192.168.2.3, Vlan67
i L1    157.46.1.0/24 [115/30] via 192.168.2.3, Vlan67
i L1    157.46.4.0/22 [115/30] via 192.168.2.3, Vlan67
     172.16.0.0/24 is subnetted, 9 subnets
i L1    12.2.1.0 [115/30] via 192.168.2.3, Vlan67
i L1 210.112.2.0/24 [115/30] via 192.168.2.3, Vlan67
i L1 210.112.1.0/24 [115/30] via 192.168.2.3, Vlan67

This confirms that the 3750 can now reach the IGP routers.

3750-M-CE4#ping 10.1.1.254
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:

PE3-RACK1(config-router)# address-family ipv4 vrf mgt
PE3-RACK1(config-router-af)# neighbor 192.168.1.1 remote-as 66
PE3-RACK1(config-router-af)# neighbor 192.168.1.1 activate
PE3-RACK1(config-router-af)#redistribute connected   <-- don't forget!
PE3-RACK1(config-router-af)# no auto-summary
PE3-RACK1(config-router-af)# no synchronization

3750-M-CE4#sho ip bgp summary
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.3     4 65001      13       5       44    0    0 00:01:00       43

This confirms that the 3750 can now reach the VPNs' routes.

3750-M-CE4#ping 3.3.3.3
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

3750-M-CE4#ping 5.5.5.5
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

3750-M-CE4(config)#interface loopback 64
3750-M-CE4(config-if)#ip address 67.67.67.67 255.255.255.0
3750-M-CE4(config-if)#ip telnet source-interface loopback 64
3750-M-CE4(config)#access-list 67 permit 67.67.67.0 0.0.0.255 log
3750-M-CE4(config)#router bgp 66
3750-M-CE4(config-router)#neighbor 192.168.1.3 distribute-list 67 out

1d11h: %BGP-5-ADJCHANGE: neighbor 192.168.1.3 Up
1d11h: %SEC-6-IPACCESSLOGS: list 67 permitted 67.67.67.0 1 packet
sho ip bgp summary

Task 15.4: Configure VPN Green site 1 to send default-route to all VPN Green sites

BB1-RACK1(config-router)#router bgp 57
BB1-RACK1(config-router)#neighbor 10.12.1.2 default-originate
BB1-RACK1(config-router)#redistribute static metric 2
BB1-RACK1(config)#ip route 0.0.0.0 0.0.0.0 Null0

PE2-RACK1#sho ip route vrf green-site1 | include 0.0.0.0/0
B*   0.0.0.0/0 [20/0] via 10.12.1.1, 00:01:24

This task is very tricky because it asks you to send a default route to all VPN Green sites, while by default the default gateway is propagated in vpn-green site1 only. In the next step we need to advertise only the default route from vpn-green site 1 to vpn-green site 2 and site 3.

PE2-RACK1(config)#route-map default permit 10
PE2-RACK1(config-route-map)# match ip address 17
PE2-RACK1(config-route-map)#access-list 17 permit 0.0.0.0 log
PE2-RACK1(config)#ip vrf green-site1
PE2-RACK1(config-vrf)# rd 1:1
PE2-RACK1(config-vrf)# route-target export 1:1
PE2-RACK1(config-vrf)# route-target export 2:2
PE2-RACK1(config-vrf)# route-target import 1:1
PE2-RACK1(config-vrf)#ip vrf green-site2
PE2-RACK1(config-vrf)# rd 2:2
PE2-RACK1(config-vrf)# import map default
PE2-RACK1(config-vrf)# route-target export 2:2
PE2-RACK1(config-vrf)# route-target import 2:2

Routing Table: green-site2
Gateway of last resort is 10.12.1.1 to network 0.0.0.0
     8.0.0.0/24 is subnetted, 1 subnets
R       8.8.8.0 [120/1] via 10.82.1.1, 00:00:23, Ethernet0/0.82
     10.0.0.0/24 is subnetted, 1 subnets
C       10.82.1.0 is directly connected, Ethernet0/0.82
B*   0.0.0.0/0 [20/0] via 10.12.1.1 (green-site1), 00:15:39

*Mar 3 14:38:02.772: %SEC-6-IPACCESSLOGS: list 17 permitted 0.0.0.0 2 packets
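The route-target and import-map logic of Tasks 15.1 and 15.4, as an added example that is not part of the original lab solution: this Python sketch parses the VRF stanzas shown above and reports which prefixes each VRF would install from the others, the kind of check used to audit VRF isolation. The CONFIG text, the ROUTES sample and the modelling of an import map as a set of permitted prefixes are assumptions constructed for illustration.

```python
import re
# Constructed input: the page's VRF stanzas on PE2 and PE4 as they stand after Task 15.4.
CONFIG = """\
ip vrf green-site1
 rd 1:1
 route-target export 1:1
 route-target export 2:2
 route-target import 1:1
ip vrf green-site2
 rd 2:2
 import map default
 route-target export 2:2
 route-target import 2:2
ip vrf green-site3
 rd 3:3
 route-target export 3:3
 route-target export 1:1
 route-target import 3:3
 route-target import 1:1
"""
# Assumption: an import map is modelled as the set of prefixes it permits.
IMPORT_MAPS = {"default": {"0.0.0.0/0"}}  # route-map default -> access-list 17
ROUTES = {"green-site1": {"0.0.0.0/0", "209.112.69.0/24"},  # constructed sample
          "green-site2": {"8.8.8.0/24"}, "green-site3": {"7.7.7.0/24"}}

def parse_vrfs(text):
    """Return {vrf: {"export": set, "import": set, "map": name or None}}; rd is ignored."""
    vrfs, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault(m[1], {"export": set(), "import": set(), "map": None})
        elif cur and (m := re.fullmatch(r"route-target (export|import) (\S+)", line)):
            cur[m[1]].add(m[2])
        elif cur and (m := re.fullmatch(r"import map (\S+)", line)):
            cur["map"] = m[1]
    return vrfs

def imported(vrfs, routes, maps):
    """Return {dst: {src: prefixes dst installs from src}} for pairs sharing a route-target."""
    out = {}
    for dst, d in vrfs.items():
        for src, s in vrfs.items():
            if src == dst or not (s["export"] & d["import"]):
                continue  # no exported RT is imported by dst: nothing crosses
            got = set(routes.get(src, ()))
            if d["map"]:  # the import map filters whatever the RT match admits
                got &= maps.get(d["map"], set())
            out.setdefault(dst, {})[src] = got
    return out
```

Calling `imported(parse_vrfs(CONFIG), ROUTES, IMPORT_MAPS)` shows green-site2 receiving only the default route from green-site1, while green-site1 and green-site3 exchange all their routes.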

Task 15.5:

♦ BB1 is sending 209.112.0.0/24 to VPN Green
♦ Configure VRF Green such that only 209.112.69.0 does not get suppressed; everything else is suppressed

This task requires denying 209.112.69.0 from being suppressed. The only show output related to this task is of the database, not the routing table. Let's take a look at the database before the solutions are shown.

PE2-RACK1(config)#router bgp 65001
PE2-RACK1(config-router)#address-family ipv4 vrf green-site1
PE2-RACK1(config-router-af)#aggregate-address 209.112.0.0 255.255.0.0 summary-only

PE2-RACK1#sho ip bgp vpnv4 vrf green-site1 | include 209
*> 209.112.0.0/16   0.0.0.0                  32768 i
s> 209.112.65.0     10.12.1.1       2            0 57 ?
s> 209.112.66.0     10.12.1.1       2            0 57 ?
s> 209.112.67.0     10.12.1.1       2            0 57 ?
s> 209.112.68.0     10.12.1.1       2            0 57 ?
s> 209.112.69.0     10.12.1.1       2            0 57 ?   <-- we need to exclude 69
s> 209.112.70.0     10.12.1.1       2            0 57 ?

Let's exclude 69 from the suppress table.

PE2-RACK1(config)#router bgp 65001
PE2-RACK1(config-router)#address-family ipv4 vrf green-site1
PE2-RACK1(config-router-af)#redistribute connected
PE2-RACK1(config-router-af)#neighbor 10.12.1.1 remote-as 57
PE2-RACK1(config-router-af)#neighbor 10.12.1.1 activate
PE2-RACK1(config-router-af)#aggregate-address 209.112.0.0 255.255.0.0 suppress-map suppress69
PE2-RACK1(config)#access-list 69 deny 209.112.69.0 log
PE2-RACK1(config)#access-list 69 permit any log
PE2-RACK1(config)#route-map suppress69 permit 10
PE2-RACK1(config-route-map)#match ip address 69

PE2-RACK1#sho ip bgp vpnv4 vrf green-site1 | include 209
*> 209.112.0.0/16   0.0.0.0                  32768 i
s> 209.112.65.0     10.12.1.1       2            0 57 ?
s> 209.112.66.0     10.12.1.1       2            0 57 ?
s> 209.112.67.0     10.12.1.1       2            0 57 ?
s> 209.112.68.0     10.12.1.1       2            0 57 ?
*> 209.112.69.0     10.12.1.1       2            0 57 ?
s> 209.112.70.0     10.12.1.1       2            0 57 ?

♦ Summarization/suppressing from BB2 are not allowed

♦ You are permitted to use one access-list only

PE1-RACK1(config)#router eigrp 100
PE1-RACK1(config-router)#address-family ipv4 vrf iementor-site1
PE1-RACK1(config-router-af)#redistribute bgp 65001 metric 1544 100 255 255 1500 route-map allow157
PE1-RACK1(config-router-af)#network 140.100.1.0 0.0.0.255
PE1-RACK1(config-router-af)#no auto-summary
PE1-RACK1(config-router-af)#autonomous-system 10
PE1-RACK1(config-router-af)#exit-address-family
PE1-RACK1(config-router)#router bgp 65001
PE1-RACK1(config-router)# address-family vpnv4
PE1-RACK1(config-router-af)# neighbor 10.1.1.254 activate
PE1-RACK1(config-router-af)# neighbor 10.1.1.254 send-community extended
PE1-RACK1(config-router-af)# exit-address-family
PE1-RACK1(config-router)# address-family ipv4 vrf iementor-site1
PE1-RACK1(config-router-af)# redistribute eigrp 10 metric 5
PE1-RACK1(config-router-af)# no auto-summary
PE1-RACK1(config-router-af)# no synchronization
PE1-RACK1(config-router-af)# aggregate-address 157.46.0.0 255.255.0.0 as-set summary-only
PE1-RACK1(config-router-af)# exit-address-family
PE1-RACK1(config-router)#route-map allow157 permit 10
PE1-RACK1(config-route-map)# match ip address 157
PE1-RACK1(config)#access-list 157 permit ip 157.46.0.0 0.0.255.255 host 255.255.0.0

RR1-RACK1#sho ip bgp vpnv4 all | include 157
*>i157.46.0.0       10.1.1.1        0    100     0 ?

Task 15.7: VPN Details

http://www.faqs.org/rfcs/rfc2685.html

PE2-RACK1(config)#ip vrf green-site1
PE2-RACK1(config-vrf)#rd 1:1

Date posted: 23/10/2015, 18:09
