Sometimes its so hard to simply find the time to do what I promised. I hope this will spur up some conversation. I still stress that you should always try to do the lab without my help first. This will ensure you learn how to do it properly. Also remember that there are always multiple ways to do certain labs, so don’t take my solution as gospel.
This solution is for the lab I posted here: http://mellowd.co.uk/ccie/?p=527
- CPE1 and CPE5 belong to Customer1
- CPE2 and CPE6 belong to Customer2
- Both customers are running OSPF as their IGP’s
- The loopbacks as shown in the topology must be advertised into OSPF. Cutomer1 should be able to ping all loopbacks in their networks and Customer2 should be able to ping everything in theirs.
- Both customers are now running a project together, and need 2 of their offices connected. CPE1 from Customer1 should be able to communicate with CPE6 from Customer2 and vice-versa
- It’s essential that CPE2 and CPE5 are NOT able to get to all loopbacks. ONLY CPE1 and CPE6 should be able to communicate with each other. This new configuration should not break the previous VPN’s in place
- Do this without using any ACL’s, Prefix-lists, Route-maps or the like
We start by doing a regular MPLS VPN config – The same for which we did for the first MPLS VPN lab. All the MPLS-specific config is here:
CPE1
interface Loopback0 ip address 192.168.1.1 255.255.255.0 ! interface FastEthernet0/0 ip address 10.1.1.1 255.255.255.0 duplex auto speed auto ! router ospf 1 log-adjacency-changes network 10.1.1.0 0.0.0.255 area 0 network 192.168.1.0 0.0.0.255 area 0
CPE2:
interface Loopback0 ip address 172.16.1.1 255.255.255.0 ! interface FastEthernet0/0 ip address 10.1.2.1 255.255.255.0 duplex auto speed auto ! router ospf 1 log-adjacency-changes network 10.1.2.0 0.0.0.255 area 0 network 172.16.1.0 0.0.0.255 area 0
CPE5:
interface Loopback0 ip address 192.168.2.1 255.255.255.0 ! interface FastEthernet0/0 ip address 10.1.3.1 255.255.255.0 duplex auto speed auto ! router ospf 1 log-adjacency-changes network 10.1.3.0 0.0.0.255 area 0 network 192.168.2.0 0.0.0.255 area 0
CPE6:
interface Loopback0 ip address 172.16.2.1 255.255.255.0 ! interface FastEthernet0/0 ip address 10.1.4.1 255.255.255.0 duplex auto speed auto ! router ospf 1 log-adjacency-changes network 10.1.4.0 0.0.0.255 area 0 network 172.16.2.0 0.0.0.255 area 0
Now for the 2 AR Routers:
ip cef ip vrf CUS1 rd 400:1 route-target export 400:1 route-target import 400:1 ip vrf CUS2 rd 400:2 route-target export 400:2 route-target import 400:2 interface FastEthernet0/0 ip vrf forwarding CUS1 ip address 10.1.1.2 255.255.255.0 interface FastEthernet2/0 ip vrf forwarding CUS2 ip address 10.1.2.2 255.255.255.0 router ospf 2 vrf CUS1 redistribute bgp 400 metric 10 subnets network 10.1.1.0 0.0.0.255 area 0 router ospf 3 vrf CUS2 redistribute bgp 400 metric 10 subnets network 10.1.2.0 0.0.0.255 area 0 router bgp 400 bgp log-neighbor-changes neighbor 10.255.255.7 remote-as 400 neighbor 10.255.255.7 update-source Loopback0 address-family vpnv4 neighbor 10.255.255.7 activate neighbor 10.255.255.7 send-community extended address-family ipv4 vrf CUS2 redistribute ospf 3 vrf CUS2 metric 10 no synchronization address-family ipv4 vrf CUS1 redistribute ospf 2 vrf CUS1 metric 10 no synchronization
A similar config is on AR3. (I’m not going to post it here otherwise this post will just get to big)
Let’s now concentrate on CPE1. The initial requirements were to allow CPE1 and CPE5 to speak to each other. Currently CPE1 has the following routing table:
CPE1#sh ip route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.1.3.0 [110/11] via 10.1.1.2, 00:01:20, FastEthernet0/0
C 10.1.1.0 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback0
192.168.2.0/32 is subnetted, 1 subnets
O IA 192.168.2.1 [110/11] via 10.1.1.2, 00:01:20, FastEthernet0/0
Can CPE1 ping the loopback subnet on CPE5? It sure can!
CPE1#ping 192.168.2.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 80/112/156 ms
Can CPE1 ping CPE6? No it can’t (as expected at this point)
CPE1#ping 172.16.2.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
We are now told that we need CPE1 and CPE6 to be able to speak to each other for a project. CPE2 and CPE5 need to be left out of this completely. We need to do this without using any ACL’s or the like.
There is a simple way of doing this. It’s called Extranet MPLS VPN. In the configuration above, each customer is given a route target. We can create a third route-target and have both CPE1 and CPE6 join that third route-target. We then simply don’t add CPE2 and CPE6 to that same route-target.
Let’s add it on AR1 and AR3:
AR1(config)#ip vrf CUS1 AR1(config-vrf)#route-target both 400:100
AR3(config)#ip vrf CUS2 AR3(config-vrf)#route-target both 400:100
If I now check the routing table on CPE1 I see the following:
CPE1#sh ip route
Gateway of last resort is not set
172.16.0.0/32 is subnetted, 1 subnets
O E2 172.16.2.1 [110/10] via 10.1.1.2, 00:00:21, FastEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
O IA 10.1.3.0 [110/11] via 10.1.1.2, 00:08:41, FastEthernet0/0
C 10.1.1.0 is directly connected, FastEthernet0/0
O E2 10.1.4.0 [110/10] via 10.1.1.2, 00:00:21, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback0
192.168.2.0/32 is subnetted, 1 subnets
O IA 192.168.2.1 [110/11] via 10.1.1.2, 00:08:41, FastEthernet0/0
Can CPE1 now ping CPE6′s loopback subnet?
CPE1#ping 172.16.2.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/69/92 ms
It works :) – We now need to be sure that CPE2 and CPE5 still cannot see any of this.
CPE2#sh ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Loopback0
O IA 172.16.2.1/32 [110/11] via 10.1.2.2, 22:04:42, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.2.0 is directly connected, FastEthernet0/0
O IA 10.1.4.0 [110/11] via 10.1.2.2, 22:05:56, FastEthernet0/0
As expected, it cannot ping anywhere in Customer1′s network:
CPE2#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) CPE2#ping 192.168.2.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
Job done. :D
Right, it’s really time I get cracking on with my JNCIA. I’m going to do the EX track first, then maybe ER as well.
I’ve set up an Olive quickly and connected it to a 1721 via dynamips. I want to start off with the basics of getting around the cli of JunOS. Yes it’s different to IOS, but it’s really not that difficult.
When the Olive first boots up, it’ll be a blank slate. If you logged in as root, you’ll need to enter cli to actually get to the cli:
root@O%cli root@O>
Right, now we are at the CLI. Let’s start configuring!
First go into configure mode:
root@O> configure Entering configuration mode [edit] root@O#
Let’s start with a few basics. These few are all intuitive:
#set system host-name Olive #set system time-zone Europe/London #set system domain-name test.com #set system name-server 4.2.2.1
Note that JunOS won’t make these changes live straight away. All changes go into a ‘candidate configuration’ – Only when you actually commit the changes will they actually happen. You can commit straight away or do a syntax check beforehand:
#commit check configuration check succeeds
This means all looks good, so let’s commit the changes!
#commit commit complete [edit] root@Olive#
There is something to note here. JunOS’s config mode is hierarchical. This means that if I was going to do a lot of commands in the same sub-section – I could go into that sub-section first.
For example, the above 4 commands were all in the system sub-section. Instead of the above, I could’ve done this:
root@O> configure Entering configuration mode [edit] root@O#edit system [edit system] root@O#set host-name Olive #set time-zone Europe/London #set domain-name test.com #set name-server 4.2.2.1
This would give me exactly the same configuration as the above. If I need to get out of a sub-section I just type ‘up’
#up [edit] root@O#
If I’m in pretty deep, you can type ‘top’ to get right to the top of the tree
Now we need to set up an IP address on an interface. To see what interfaces you have, you can type:
Olive> show interfaces terse
This command is similar to show ip int brief on a Cisco
I want to configure the em1 interface and I do so like this:
Olive# set interfaces em1 unit 0 family inet address 10.1.1.1/28
So quite a bit longer than on a Cisco, but it’s really not that difficult. There is an important note here. When you assign an IP address to a Cisco, it becomes the ‘first’ IP. You can add secondary addresses on that interface but you need to specify secondary when entering the IP address. The same thing happens on JunOS, but you HAVE to specify a logical unit at all times, even if it is only EVER going to have 1 IP. Therefore Unit 0 is the first IP, unit 1 the second, unit 2 the third and so on. If I wanted to add a second IP to this interface, I’d do it like so:
Olive# set interfaces em1 unit 1 family inet address 10.2.2.2/28
To set up a default route, we do it like so:
Olive# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.2
There’ll be plenty more JunOS stuff coming very shortly!
Rule #1 – Just because Host 1 can get to Host 2, does NOT mean that Host 2 can get back to Host 1!
I can’t tell you how many times I’ve seen this out in the field. Here is a prime example.
This is quite a simply common topology. OfficeA and OfficeB have a WAN connection running between them. RouterA and RouterB are under control of the ISP and are running OSPF. RouterC is a customer-owned router, and so doesn’t run any OSPF with RouterA or RouterB.
OfficeB has an internet connection, and RouterB is injecting a default route to OfficeA via OSPF.
RouterB has a default route to RouterC. So let’s think about traffic flow now. A host connected to RouterA needs to send traffic to the internet. It will send it’s traffic to it’s default gateway, RouterA. RouterA has a default route injected into OSPF from RouterB and so sends traffic to RouterB.
RouterB has a default route and hence sends that traffic out to RouterC. Which then goes out to the internet.
Traffic then flows back from the internet to RouterC. The return address will be an IP that belongs in RouterA and RouterB’s routing table, however RouterC has no knowledge of that subnet (as it’s not participating in OSPF). RouterC will just use it’s default route and send that packet back out to the internet. Eventually the TTL will kill that packet.
This can be fixed by putting a static route on RouterC to let it know that RouterA’s ip range needs to be sent off to RouterB instead.
A similar thing will happen if we add a server to SwitchA. That server’s default gateway will most likely be RouterC. If a host in OfficeA send a PING to that server, that server will then send traffic off to RouterC. If RouterC does not have the static route added above, it’ll send it out to the internet.
I’m well aware that the design in the picture is pretty bad, but I used it to illustrate a point. That point being that just because router’s know how to get from A to B, it does NOT mean they know how to route that traffic back. Make sure you understand this!
Traceroute is a powerful tool. Extremely useful when checking the path of a packet through the network. But how does it ACTUALLY work? What is REALLY going on?
Layer3 packets all have a TTL. A Time To Live. If a router receives a packet with a TTL of 1 (and the packet is addresses to a host not directly connected to this router) it will drop the packet. It will also then create an ICMP error packet and send it back to the original source of the packet to let it know that the address was unreachable this time.
If you ping another machine, the OS will generally create a TTL of 255 for sent packets, though it doesn’t HAVE to be 255.
Traceroute will force an ICMP error message so it can get more information from each hop in the path.
As an example, let’s run a quick traceroute to 4.2.2.1 and see what it gives us:
C:\Users\Darren>tracert 4.2.2.1 Tracing route to vnsc-pri.sys.gtei.net [4.2.2.1] over a maximum of 30 hops: 1 1 ms <1 ms <1 ms DD-WRT [10.50.80.1] 2 8 ms 9 ms 8 ms 10.3.280.1 3 8 ms 9 ms 26 ms walt-cam-1a-ge96.network.virginmedia.net [80.1.170.69] 4 18 ms 7 ms 8 ms popl-core-1a-ae2-0.network.virginmedia.net [195.182.175.229] 5 8 ms 6 ms 16 ms popl-bb-1a-as2-0.network.virginmedia.net [213.105.174.234] 6 31 ms 15 ms 15 ms 195.50.91.69 7 12 ms 13 ms 31 ms ae-11-51.car1.London1.Level3.net [4.69.139.66] 8 14 ms 16 ms 22 ms vnsc-pri.sys.gtei.net [4.2.2.1] Trace complete.
I’ve loaded up Wireshark to tell me exactly what’s going on. The very first packet sent from my PC was sent with a destination IP of 4.2.2.1 – but with a TTL of only 1.
When my router (10.50.80.1) received that packet, it noticed that the TTL was 1, but also that 4.2.2.1 was not directly connected to it. It responded to my PC with an ICMP code 11 – Time-to-live exceeded. It also responded with it’s own source address.
Traceroute now knows that the very first hop to 4.2.2.1 happens to be my local router. It also knows that the routers IP is 10.50.80.1 – It send 3 ECHO reply requests with a TTL of 1. This is the reason you see the 3 values in the traceroute output
It doesn’t stop there though. As soon as traceroute knows that 10.50.80.1 is the first hop, it’ll ask 10.50.80.1 what it’s hostname is via a DNS PTR request. The router will respond to my PC with a DNS PTR response letting it know the hostname. Now traceroute knows what the IP address and hostname is for the first hop. Note that not ALL devices on the internet will respond with a PTR record and so you won’t ALWAYS get a hostname.
Traceroute will now start again and send 3 more packets with a TTL of 2. Exactly the same will happen as above, but for the second hop in the path. This will continue to happen until we eventually get to the host, or we run into the maximum hop count.
When we finally get ICMP echo replies from 4.2.2.1 – traceroute knows it’s job is complete.
btw, traceroute attempts to get PTR records from the devices in the path only when it gets a TTL time exceeded reply. The actual host you are trying to get to is different though. As soon as I ran traceroute 4.2.2.1 it immediately tried to get the PTR record of 4.2.2.1 first. Once it had that it started with all of the above.
As promised, I’ll now start writing up solutions to my previously posted labs. I hope this will spur up some conversation. I still stress that you should always try to do the lab without my help first. This will ensure you learn how to do it properly. Also remember that there are always multiple ways to do certain labs, so don’t take my solution as gospel.
I’ll be walking through my first MPLS lab which was originally posted over here: http://mellowd.co.uk/ccie/?p=518
- Use RIP as the routing protocol on CPE devices
- CPE1 and CPE5 belong to Company_A
- CPE2 and CPE6 belong to Company_B
- Each site has a /24 that is advertised via the loopback
- CPE1 should be able to ping CPE5’s loopback and vice-versa
- CPE2 should be able to ping CPE6’s loopback and vice-versa
- Different companies should NOT be able to ping each other. They must stay completely separate
- Now remove RIP and configure it so that both companies are using OSPF
- Once complete, remove the OSPF config and use EIGRP
The first part is very easy. As far as the config on the CPE goes, it’s standard. The CPE devices don’t know, or care, that the ISP is running MPLS. As an example, I’ve posted the relevent config from CPE6:
interface Loopback0 ip address 172.16.2.1 255.255.255.0 ! interface FastEthernet0/0 ip address 10.1.4.1 255.255.255.0 duplex auto speed auto ! router rip version 2 network 10.0.0.0 network 172.16.0.0 no auto-summary
The actual core routers also have a very simple configuration. This has already been setup in my provided configuration files. All thats needed is a IGP running correctly; CEF to be enabled; and then MPLS IP to be enabled on all links going to MPLS routers. As an example, I’ll show a bit of the configuration on CR1:
ip cef ! interface FastEthernet0/0 ip address 10.0.0.5 255.255.255.252 duplex auto speed auto mpls ip ! interface Serial1/0 ip address 10.3.0.1 255.255.255.252 mpls ip serial restart-delay 0 ! router ospf 1 log-adjacency-changes network 10.0.0.0 0.0.0.3 area 0 network 10.0.0.4 0.0.0.3 area 0 network 10.2.0.0 0.0.0.3 area 0 network 10.3.0.0 0.0.0.3 area 0 network 10.255.255.2 0.0.0.0 area 0
The real meat of the configuration comes in on the AR routers. i.e. the edge MPLS routers that the CPE devices connect to. These are the routers which needs to hold the customer routing tables, as well as keeping customer networks separate from each other.
The first thing that needs to be done is to configure the VRF’s on each AR router that will connect. I’ll use the vrf name of CUS1 for the first customer and CUS2 for the second.
For the first customer:
AR1#(config)ip vrf CUS1 AR1#(config)rd 400:1 AR1#(config)route-target both 400:1
And now the second:
AR1#(config)ip vrf CUS2 AR1#(config)rd 400:2 AR1#(config)route-target both 400:2
We now need to setup the interfaces that the CPE devices will connect to:
AR1#interface FastEthernet0/0 AR1#ip vrf forwarding CUS1 AR1#ip address 10.1.1.2 255.255.255.0 AR1#interface FastEthernet2/0 AR1#ip vrf forwarding CUS2 AR1#ip address 10.1.2.2 255.255.255.0
Now it’s time to set up the routing protocol between the ISP vrf and the customer device. We are using RIP for this lab, so the configuration will be as follows for both customers:
AR1#router rip AR1#version 2 AR1#no auto-summary AR1#address-family ipv4 vrf CUS2 AR1#redistribute bgp 400 metric 10 AR1#network 10.0.0.0 AR1#no auto-summary AR1#version 2 AR1#address-family ipv4 vrf CUS1 AR1#redistribute bgp 400 metric 10 AR1#network 10.0.0.0 AR1#no auto-summary AR1#version 2
You can see in the above commands that we are redistributing BGP even though we haven’t configured BGP yet. Don’t worry, that step is next.
MPLS used MP-BGP for the MPLS VPN feature. i.e. it uses MP-BGP to distribute routes via each customers VRF, through the core, and then out the other side.
The first part of the MP-BGP configuration is a simple iBGP config. AR1′s configuration is below:
AR1#router bgp 400 AR1#neighbor 10.255.255.7 remote-as 400 AR1#neighbor 10.255.255.7 update-source Loopback0 AR1#no auto-summary
The second part of the MP-BGP configuration is to enable the vpnv4 part of BGP:
AR1#address-family vpnv4 AR1#neighbor 10.255.255.7 activate AR1#neighbor 10.255.255.7 send-community extended
The final part is to set up the actual VRF part for each customer, and enable redistribution of RIP routes learned earlier:
AR1#address-family ipv4 vrf CUS2 AR1#redistribute rip metric 10 ! AR1#address-family ipv4 vrf CUS1 AR1#redistribute rip metric 10
To have a quick recap, this is the MPLS specific configuration now on AR1:
ip cef ! ip vrf CUS1 rd 400:1 route-target export 400:1 route-target import 400:1 ! ip vrf CUS2 rd 400:2 route-target export 400:2 route-target import 400:2 ! ! interface FastEthernet0/0 ip vrf forwarding CUS1 ip address 10.1.1.2 255.255.255.0 duplex auto speed auto ! interface FastEthernet2/0 ip vrf forwarding CUS2 ip address 10.1.2.2 255.255.255.0 duplex auto speed auto ! router rip version 2 no auto-summary ! address-family ipv4 vrf CUS2 redistribute bgp 400 metric 10 network 10.0.0.0 no auto-summary version 2 exit-address-family ! address-family ipv4 vrf CUS1 redistribute bgp 400 metric 10 network 10.0.0.0 no auto-summary version 2 exit-address-family ! router bgp 400 no synchronization bgp log-neighbor-changes neighbor 10.255.255.7 remote-as 400 neighbor 10.255.255.7 update-source Loopback0 no auto-summary ! address-family vpnv4 neighbor 10.255.255.7 activate neighbor 10.255.255.7 send-community extended exit-address-family ! address-family ipv4 vrf CUS2 redistribute rip metric 10 no synchronization exit-address-family ! address-family ipv4 vrf CUS1 redistribute rip metric 10 no synchronization exit-address-family
A similar configuration will of course need to be done on AR3.
Once done, we should be able to log onto CPE6 and ensure that it has CPE2′s networks. We should also see that it has NO access to CPE1 and CPE5′s networks. This is exactly what we see:
CPE6#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
R 172.16.1.0 [120/10] via 10.1.4.2, 00:00:19, FastEthernet0/0
C 172.16.2.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 2 subnets
R 10.1.2.0 [120/10] via 10.1.4.2, 00:00:19, FastEthernet0/0
C 10.1.4.0 is directly connected, FastEthernet0/0
Can we ping CPE2′s loopback? We sure can:
CPE6#ping 172.16.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 12/60/92 ms
Can we ping CPE1′s loopback? No we cannot!
CPE6#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
If we run a traceroute to CPE2′s loopback, we can see it going through the MPLS core:
CPE6#trace 172.16.1.1 Type escape sequence to abort. Tracing the route to 172.16.1.1 1 10.1.4.2 8 msec 0 msec 20 msec 2 10.8.0.1 [MPLS: Labels 28/38 Exp 0] 44 msec 68 msec 84 msec 3 10.1.2.2 [MPLS: Label 38 Exp 0] 60 msec 48 msec 28 msec 4 10.1.2.1 112 msec * 44 msec CPE6#
Lab done. If there are any questions, please let me know! :)
The diagram is the same as my last VPN Lab. Also it uses my MPLs topology found over here: http://mellowd.co.uk/ccie/?p=522
This is the topology for this lab (click for a bigger image):
- Customer1 and Customer 2 both have MPLS vpn’s through the ISP core.
- Customer1 is using OSPF and Customer2 is using EIGRP
- Customers should have no access to each others networks
- Customers should be able to reach all their sites from all their sites
- The ISP wants to monitor the CPE routers via their monitoring server. Create another loopback on each CPE router and give them all a /32 loopback in the 172.16.1.1/24 range – i.e. 172.16.1.1/32 for CPE1, 172.16.1.2/32 for CPE2 and so on
- Ensure the monitoring router can get to all these /32 routes (and ONLY these /32 routes) – It should not know about any customer routes – CPE routers should only see their OWN loopbacks in the routing table
- Now enable CPE3 and CPE6 to see each others subnets. All other CPE routers should see no change in their routing tables
This lab will test a Central Services MPLS VPN.
The diagram is the same as my last VPN Lab. Also it uses my MPLs topology found over here: http://mellowd.co.uk/ccie/?p=522
This is the topology for this lab (click for a bigger image):
- Customer1 and Customer 2 both have MPLS vpn’s through the ISP core.
- Customer1 is using OSPF and Customer2 is using EIGRP
- Customers should have no access to each others networks
- Customers should be able to reach all their sites from all their sites
- The ISP is now providing a mail relay for it’s customers to use. Ensure that all customers can get to the 10.200.1.1/24 subnet through their vpn’s, but they must still be seperated from each other.
This VPN lab will test intranet and extranet MPLS VPN’s.
The diagram is the same as my last VPN Lab. Also it uses my MPLs topology found over here: http://mellowd.co.uk/ccie/?p=522
This is the lab topology again:
- CPE1 and CPE5 belong to Customer1
- CPE2 and CPE6 belong to Customer2
- Both customers are running OSPF as their IGP’s
- The loopbacks as shown in the topology must be advertised into OSPF. Cutomer1 should be able to ping all loopbacks in their networks and Customer2 should be able to ping everything in theirs.
- Both customers are now running a project together, and need 2 of their offices connected. CPE1 from Customer1 should be able to communicate with CPE6 from Customer2 and vice-versa
- It’s essential that CPE2 and CPE5 are NOT able to get to all loopbacks. ONLY CPE1 and CPE6 should be able to communicate with each other. This new configuration should not break the previous VPN’s in place
- Do this without using any ACL’s, Prefix-lists, Route-maps or the like
Hopefully this will be my final tweak. This time I’ve added base configs to the CPE devices. It just gives them a hostname and ensures there is no timeout. This prevents you from having to keep logging back in.
Image-wise, it’s the same. Click for the larger image:
This is the .net file contents:
#MPLS 1.0 Topology created by Darren O'Connor 22/02/10 #MPLS 1.1 created 23/02/10 #MPLS 1.2 created 24/02/10 #www.mellowd.co.uk/ccie #Feel free to use and change as you see fit. However if you do use please leave my details here at the top [localhost:7200] workingdir = /data/dynamips/working [[3640]] image = /data/dynamips/IOS_Images/3640/c3640-js-mz.124-25c.UNCOMPRESSED.bin ram = 128 disk0 = 0 disk1 = 0 mmap = true ghostios = true ########################### # # # Mpls Topology 1.2 # # # ########################### [[Router CR1]] model = 3640 console = 2001 autostart = true idlepc = 0x605105b8 slot0 = NM-1FE-TX slot1 = NM-4T slot2 = NM-1FE-TX s1/0 = AR1 s1/0 s1/2 = AR3 s1/2 Fa0/0 = CR3 Fa0/0 Fa2/0 = CR2 Fa2/0 cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR1.cfg [[Router CR2]] model = 3640 console = 2002 autostart = true idlepc = 0x605105b8 slot0 = NM-1FE-TX slot1 = NM-4T slot2 = NM-1FE-TX s1/0 = AR2 s1/0 s1/2 = AR1 s1/2 Fa0/0 = CR4 Fa0/0 cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR2.cfg [[Router CR3]] model = 3640 console = 2003 autostart = true idlepc = 0x605105b8 slot0 = NM-1FE-TX slot1 = NM-4T slot2 = NM-1FE-TX Fa2/0 = CR4 Fa2/0 s1/0 = AR3 s1/0 s1/1 = GR1 s1/1 s1/2 = AR4 s1/2 cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR3.cfg [[Router CR4]] model = 3640 console = 2004 autostart = true idlepc = 0x605105b8 slot0 = NM-1FE-TX slot1 = NM-4T slot2 = NM-1FE-TX s1/0 = AR4 s1/0 s1/2 = AR2 s1/2 cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR4.cfg [[Router AR1]] model = 3640 console = 2005 autostart = true idlepc = 0x605105b8 slot0 = NM-1FE-TX slot1 = NM-4T slot2 = NM-1FE-TX Fa0/0 = CPE1 Fa0/0 Fa2/0 = CPE2 Fa0/0 cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR1.cfg [[Router AR2]] model = 3640 console = 2006 autostart = true idlepc = 0x605105b8 slot0 = NM-1FE-TX slot1 = NM-4T slot2 = NM-1FE-TX Fa0/0 = CPE4 Fa0/0 Fa2/0 = CPE3 Fa0/0 cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR2.cfg [[Router AR3]] model = 3640 console = 2007 autostart = true idlepc = 0x605105b8 slot0 = NM-1FE-TX slot1 = NM-4T slot2 = NM-1FE-TX Fa0/0 = CPE5 Fa0/0 Fa2/0 = CPE6 Fa0/0 cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR3.cfg [[Router AR4]] model = 3640 console = 2008 autostart = true idlepc = 0x605105b8 slot0 = NM-1FE-TX slot1 = NM-4T slot2 = NM-1FE-TX Fa0/0 = CPE8 Fa0/0 Fa2/0 = CPE7 Fa0/0 cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR4.cfg [[Router CPE1]] model = 3640 console = 2009 autostart = false idlepc = 0x605105b8 slot0 = NM-1FE-TX cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE1.cfg [[Router CPE2]] model = 3640 console = 2010 autostart = false idlepc = 0x605105b8 slot0 = NM-1FE-TX cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE2.cfg [[Router CPE3]] model = 3640 console = 2011 autostart = false idlepc = 0x605105b8 slot0 = NM-1FE-TX cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE3.cfg [[Router CPE4]] model = 3640 console = 2012 autostart = false idlepc = 0x605105b8 slot0 = NM-1FE-TX cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE4.cfg [[Router CPE5]] model = 3640 console = 2013 autostart = false idlepc = 0x605105b8 slot0 = NM-1FE-TX cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE5.cfg [[Router CPE6]] model = 3640 console = 2014 autostart = false idlepc = 0x605105b8 slot0 = NM-1FE-TX cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE6.cfg [[Router CPE7]] model = 3640 console = 2021 autostart = false idlepc = 0x605105b8 slot0 = NM-1FE-TX cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE7.cfg [[Router CPE8]] model = 3640 console = 2022 autostart = false idlepc = 0x605105b8 slot0 = NM-1FE-TX cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE8.cfg [[Router GR1]] model = 3640 console = 2023 autostart = true idlepc = 0x605105b8 slot0 = NM-1FE-TX slot1 = NM-4T Fa0/0 = ISP2 Fa0/0 cnfg = /data/dynamips/Topology/Topology_Config/mpls/GR1.cfg [[Router ISP2]] model = 3640 console = 2024 autostart = false idlepc = 0x605105b8 slot0 = NM-1FE-TX cnfg = /data/dynamips/Topology/Topology_Config/mpls/ISP2.cfg
And here are the updated config files: http://mellowd.co.uk/ccie/wp-content/uploads/2010/02/mpls.tar2.gz
Topology used is over here: http://mellowd.co.uk/ccie/?p=243
BGP Lab 12:
- AS7, AS9 and AS11 are all customers of ISP1
- AS7 has it’s own address space – 77.48.16.0/24 advertised via a loopback
- ISP1 owns the address space 180.16.0.0/16
- AS9 has been assigned 180.16.9.0/24 from ISP1 – insert via loopback
- AS11 has been assigned 180.16.11.0/24 from ISP1 – insert via loopback
- Ensure that AS7′s address space is advertised to AS9 and AS11
- ISP1 needs to advertise the entire 180.16.0.0/16 range and not the more specific routes. Ensure AS7 sees only 180.16.0.0/16 HOWEVER it must still know that some routes have come from AS9 and AS11
- On AS9, configure an attribute so that ISP1 does not advertise the more specific 180.16.9.0/24 address to anyone.
- You should notice that ISP1 is now not advertising the aggregate because it has inherited the no-export community from above
- Now on ISP1, ensure that the community is changed so that the aggregate can be advertised again
Click on the thumbnail for the full size topology:
Comments