iNETZERO – JNCIE-SP

Technology focused labs

v1.1

For Juniper Networks, inc - JNCIE-SP Lab Exam 2016

JNCIE-SP workbook:

2 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

General information
Copyright and licensing information

This workbook is developed by iNET ZERO.

All rights reserved. No part of this publication may be reproduced or distributed in any form or by
any means without the prior written permission of iNET ZERO a registered company in the
Netherlands. This product cannot be used by or transferred to any other person. You are not allowed
to rent, lease, loan or sell iNET ZERO training products including this workbook and its configurations.

You are not allowed to modify, copy, upload, email, share, distribute this workbook and supporting
materials in any way. This product may only be used and printed for your own personal use and may
not be used in any commercial way.

Warning: Besides standard anti piracy techniques like document watermarks and password
protection this workbook also contains a steganographyID making this workbook unique and always
traceable to the original buyer.

Juniper (c), Juniper Networks inc, JNCIE, JNCIP, JNCIS, JNCIA, Juniper Networks Certified Internet
Expert, are registered trademarks of Juniper Networks, Inc.

JNCIE-SP workbook:

3 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

About the authors:

Alexey Tolstenok

Alexey has more then 12+ experience in the Telecom/IT industry.He is a triple CCIE (R&S, SP, Sec)
#17405 and JNCIE-SP#313, certified Cisco and Juniper instructor.

Ivan Ivanov

Ivan van lives in East Europe country of Bulgaria. He has more than 10 years experience with IP
technologies, working at several Internet Service Providers, big enterprise companies and
International system integrators. Throughout his career, Ivan gained extensive experience designing,
implementing and supporting IP networks based mostly on Juniper Networks and Cisco Systems
solutions and devices. Ivan worked on various international projects, designing, securing and
implementing MPLS/IP backbone for multinational mobile operators. Ivan has the following
certificates: JNCIE, JNCIP-SEC and various Cisco certificates.

Jörg Buesink

JNCIE-SP workbook:

Jörg lives in the Netherlands near Amsterdam and brings more than 10 years of experience in the IT
and networking industry. He has worked for several large ISPs / service providers in the role of
technical consultant, designer and network architect. He has extensive experience in network
implementation, design and architecture. Jörg is triple JNCIE certified (JNCIE-ENT#21, JNCIE-SP#284
and JNCIE-SEC#30) as well as triple CCIE#15032 (Routing/ Switching, Service provider and Security),
3
Cisco CCDE#20110002 and Huawei HCIE#2188 Routing and Switching certified.





4 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Reviewer:

Said van de Klundert

Netherlands based networking enthusiast and Juniper Networks ambassador. Has spent most of his
career on the service-providers’ side of things. Known to lab up and write about whatever sparked
his interest networking wise. Other than that, he is a father to his son, husband to his wife and he
enjoys long dinners with friends.

JNCIE-SP workbook:

5 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

iNET ZERO Rack rental service

Did you know that this workbook could be used in combination with our premium JNCIE rack rental
service? Take a look on our website for more information www.inetzero.com

Warning:

Please do NOT change the root account password for any of our devices to
prevent unnecessary password recovery. Thank you for your cooperation

Target audience
This workbook is developed for experienced network engineers who are preparing for the Juniper
Networks JNCIE-SP lab exam. Although not required it is highly recommended that you have passed
the JNCIP-SP written exam.

How to use this workbook

We recommend that you start your JNCIE lab preparation by completing the first 7 chapters only.
Always take a note on the time spent for each chapter/ task to see if you improved once you go over
the chapters again. Ensure that at least you perform the first 7 chapters twice before you start with
final chapter (the super lab). You are ready to try the 8-hour super Lab if you are able to configure
the chapter’s tasks without the need to look at the answers presented in the appendix. The superlab
must be completed within 8 hours as it simulates a full day JNCIE lab experience.Good luck!

iNET ZERO support

Always feel free to ask us questions regarding the workbook or JNCIE rack rental. You can reach us at
[email protected]. We love to hear from you regarding your preparation progress. Your feedback
regarding our products is also very appreciated! JNCIE-SP workbook:

6 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Table of contents
General information . .......................................................................................................... 2
Copyright and licensing information . ............................................................................................. 2
About the authors: ......................................................................................................................... 3
Target audience . ............................................................................................................................. 5
How to use this workbook . ............................................................................................................ 5
iNET ZERO support . ......................................................................................................................... 5

Table of contents . ............................................................................................................... 6

Chapter 1: System Features . ............................................................................................. 14
Task 1.1:Primary hostname and user configuration ....................................................................... 16
Task 1.2: Aggregated interface configuration . ................................................................................ 16
Task 1.3: Advanced aggregated interface configuration . ................................................................ 16
Task 1.4: Network integration - NTP . .............................................................................................. 16
Task 1.5: Network Integration - Configuration archival .................................................................. 17
Task 1.6: Network Integration - Syslog . ........................................................................................... 17
Task 1.7: Static routing and jumbo frames support . ...................................................................... 17
Task 1.8: SNMPv2 Configuration . ................................................................................................... 17
Task 1.9: Basic RE Protection . .......................................................................................................... 17
Task 1.10: Advanced RE Protection . ............................................................................................... 17

Chapter 2: IGP . ................................................................................................................. 19

Part 1: IS-IS Troubleshooting . ....................................................................................................... 21
Part 2: Single-area OSPFv2 . .......................................................................................................... 24
Task 2.1 Single-area OSPFv2 baseline . ............................................................................................ 25
Task 2.2 OSPFv2 Network Types . .................................................................................................... 25
Task 2.3 OSPFv2: DR/BDR election . ................................................................................................. 25
Task 2.4 OSPFv2: Authentication . ................................................................................................... 25
Task 2.5 OSPFv2: Timers . .................................................................................................................. 25
Task 2.6 OSPFv2: BFD ....................................................................................................................... 25
Task 2.7 OSPFv2: Passive interfaces . ............................................................................................... 25
Task 2.8 OSPFv2: Load-balancing . ................................................................................................... 26
JNCIE-SP workbook: Table of contents

Task 2.9 OSPFv2: Cost tuning ........................................................................................................... 26

Task 2.10: OSPFv2: Miscellaneous features . ................................................................................... 26
Part 3: Multi-area OSPFv2 . .......................................................................................................... 27
Task 2.11 OSPFv2: Multi-area baseline . .......................................................................................... 27
Task 2.12 OSPFv2: Redistribution . ................................................................................................... 27
Task 2.13 OSPFv2: NSSA ................................................................................................................... 27
Task 2.14 OSPFv2: Summarization . ................................................................................................. 28
Part 4: Multi-level IS-IS . .............................................................................................................. 29
Task 2.15: IS-IS Baseline ................................................................................................................... 29
Task 2.16: IS-IS Authentication ......................................................................................................... 29
Task 2.17: IS-IS Timers . ..................................................................................................................... 29
Task 2.18: IS-IS Route Leaking .......................................................................................................... 29 6
Part 5: OSPFv3 and IS-IS (IPv6) . ................................................................................................... 30




7 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.19 . ......................................................................................................................................... 30

Task 2.20 . ......................................................................................................................................... 30
Task 2.21 . ......................................................................................................................................... 30
Task 2.22 . ......................................................................................................................................... 30

Chapter 3: MPLS . .............................................................................................................. 31

Part 1. RSVP . ................................................................................................................................. 34
Task 3.1: MPLS and RSVP baseline . ................................................................................................. 35
Task 3.2: RSVP Refresh Reduction and Authentication ................................................................... 35
Task 3.3: RSVP LSP without CSPF . .................................................................................................... 35
Task 3.4: RSVP ERO . .......................................................................................................................... 35
Task 3.5. RSVP Load-Balancing ......................................................................................................... 35
Task 3.6: RSVP LSP Policy Selection . ................................................................................................ 35
Task 3.7: RSVP LSP Primary and Secondary Paths . .......................................................................... 35
Task 3.8: RSVP LSP Policing and Timers . .......................................................................................... 36
Task 3.9: RSVP LSP Usage for Internal Traffic . ................................................................................. 36
Task 3.10: RSVP LSP Optimization. . ................................................................................................. 36
Task 3.11: RSVP Node/Link Protection . .......................................................................................... 36
Task 3.12: Fast Reroute for RSVP LSP . ............................................................................................. 36
Task 3.13: RSVP Link Coloring . .......................................................................................................... 36
Task 3.14: RSVP Link Coloring (cont.) . ............................................................................................. 36
Task 3.15: RSVP LSP Auto-Bandwidth . ............................................................................................ 36
Task 3.16:RSVP LSP TTL Handling . ................................................................................................... 37
Part 2. LDP . ................................................................................................................................... 38
Task 3.17: LDP Baseline .................................................................................................................... 39
Task 3.18: LDP Tunneling . ................................................................................................................. 39
Task 3.19: LDP Policies ..................................................................................................................... 39

Chapter 4: BGP . ................................................................................................................ 40

Part 1. Basic BGP .......................................................................................................................... 43
Task 4.1: iBGP Full Mesh .................................................................................................................. 44
Task 4.2: eBGP Neighborship and Authentication. . ......................................................................... 44
Task 4.3: Enabling BFD for BGP. ....................................................................................................... 44 JNCIE-SP workbook: Table of contents
Task 4.4: BGP Route Injection and AS Path Manipulation. . ............................................................. 44
Task 4.5: Destination-based Remote-Triggered Blackhole (RTBH) Filtering . .................................. 44
Task 4.6: Source-based RTBH Filtering . ........................................................................................... 44
Part 2. BGP Policies . ...................................................................................................................... 45
Task 4.8: BGP Prefix Propagation and BGP Multipath. . ................................................................... 46
Task 4.9: BGP Prefix Filtering. . .......................................................................................................... 46
Task 4.10: BGP Prefix Origination and Filtering . .............................................................................. 46
Task 4.11: BGP Conditional Route Advertising . ............................................................................... 46
Task 4.12: BGP Attributes Manipulation . ........................................................................................ 46
Task 4.13: BGP Scaling . ..................................................................................................................... 46
Part 3. IPv6 Tunneling Initial configurations: Part 3 . ..................................................................... 47
Task 4.14: IPv6 Tunneling through IPv4/MPLS Cloud . ..................................................................... 47
7

8 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Chapter 5: VPNs . .............................................................................................................. 48

Part 1. L3VPN . .............................................................................................................................. 50
Task 5.1: L3VPN with BGP as PE-CE protocol . ................................................................................. 51
Task 5.2: L3VPN transparency. ........................................................................................................ 51
Task 5.3: Hub and Spoke VPN (BGP-based) . ................................................................................... 51
Task 5.4: VPN Route Leaking ............................................................................................................ 51
Task 5.5: VPN Internet Access .......................................................................................................... 51
Part 2. L3VPN PE-CE OSPF . ........................................................................................................... 52
Task 5.6: OSPF Sham Link ................................................................................................................. 53
Task 5.7: Hub and Spoke L3VPN (OSPF) . ......................................................................................... 53
Part 3. L3VPN . ............................................................................................................................... 54
5.8: BGP based Hub and spoke VPN with 1 interface . ..................................................................... 55
5.9: BGP based MPLS VPN and 6VPE . .............................................................................................. 55
5.10: Inter provider VPN option B . .................................................................................................. 55
Chapter 6: Layer 2 VPN . .................................................................................................... 56
Task 6.1: Kompella L2VPN (VC Type 5) . ........................................................................................... 59
Task 6.2: Martini L2VPN ................................................................................................................... 59
Task 6.3: Kompella L2VPN (VC Type 4) . ........................................................................................... 59
Task 6.4: Basic LDP-based VPLS ........................................................................................................ 59
Task 6.5: LDP-based VPLS and multihoming . .................................................................................. 59
Task 6.6: Basic BGP signaled VPLS . .................................................................................................. 59
Task 6.7: BGP signaled VPLS with a multihomed site . ..................................................................... 60
Task 6.8: BGP signaled VPLS features . ............................................................................................. 60
Task 6.9: BGP signaled VPLS and VLAN normalization .................................................................... 60
Task 6.10:BGP signaled VPLS and VLAN normalization ................................................................... 60
Task 6.11: BGP signaled VPLS feature . ............................................................................................ 60
Task 6.12: Stitching together an L2VPN and a VPLS . ....................................................................... 61
Task 6.13: VPLS and BUM replication with P2MP LSP . .................................................................... 61

Chapter 7: Multicast VPN . ................................................................................................ 62

Part 1: . .......................................................................................................................................... 64
Task 7.1: Configuring PIM with auto-rp . .......................................................................................... 66
Task 7.2: PIM filtering . ...................................................................................................................... 66
JNCIE-SP workbook: Table of contents

Task 7.3: Configuring PIM with BSR . ................................................................................................ 66

Task 7.4: Configuring PIM with a static RP . ..................................................................................... 66
Task 7.5: Configuring PIM with any-cast RP . ................................................................................... 66
Task 7.6: Configuring PIM with any-cast RP . ................................................................................... 66
Part 2: . .......................................................................................................................................... 67
Task 7.7: Configure an MVPN part 1: configuring P-PIM . ................................................................ 67
Task 7.8: Configure an MVPN part 2: configuring C-PIM . ................................................................ 67
Task 7.9: Configure an NG MVPN part 1 . ........................................................................................ 67
Task 7.10: Configure an NG MVPN part 2 . ...................................................................................... 67
Task 7.11: Configure an NG MVPN part 3 . ...................................................................................... 67

Chapter 8: Class of Service . ............................................................................................... 69

8

9 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.1: Multi-field classification . .................................................................................................. 73

Task 8.2: BA classification . ................................................................................................................ 73
Task 8.3: Policing . ............................................................................................................................. 73
Task 8.4: Scheduling . ........................................................................................................................ 73
Task 8.5: WRED drop profiles ........................................................................................................... 74
Task 8.6: Rewrite rules ..................................................................................................................... 74
Task 8.7: Class-based forwarding (CBF) . .......................................................................................... 74
Task 8.8: LSP policing . ....................................................................................................................... 74

Full day lab challenge . ...................................................................................................... 75

Part 1: System Features . .............................................................................................................. 79
Task 1.1: Services configuration ....................................................................................................... 79
Task 1.2:Centralized authentication management . ........................................................................ 79
Task 1.3: Local user configuration . .................................................................................................. 79
Task 1.4: Active configuration archival . ........................................................................................... 79
Task 1.5: Interface configuration . ................................................................................................... 80
Task 1.6: RE Protection . ................................................................................................................... 80
Task 1.7: Advanced prefix matching . ............................................................................................... 80
Task 1.8: Advanced RE protection . .................................................................................................. 80
Part 2: IGP ................................................................................................................................... 81
Task 2.1: Troubleshooting ............................................................................................................... 81
Task 2.2: Multiple IP addresses on OSPF interface . ........................................................................ 81
Task 2.3: RIP . ................................................................................................................................... 81
Task 2.4: IS-IS authentication .......................................................................................................... 81
Task 2.5: IS-IS and OSPF Redistribution . ......................................................................................... 82
Task 2.6: IPv6 routing ...................................................................................................................... 82
Task 2.7 General requirements ........................................................................................................ 82
Task 3.1: MPLS and RSVP configuration . ......................................................................................... 83
Task 3.2: LSPs between SRX2 and SRX7 . .......................................................................................... 83
Task 3.3: LSPs between SRX1 and SRX6 . .......................................................................................... 83
Task 3.4: LSP protection ................................................................................................................... 84
Task 3.5: LSPs between SRX6 to SRX3 . ............................................................................................ 84 JNCIE-SP workbook: Table of contents
Task 3.6: LDP configuration .............................................................................................................. 84
Task 3.7: LSP forwarding based on CoS . .......................................................................................... 84
Part 4: BGP ................................................................................................................................... 85
Task 4.1: iBGP configuration ............................................................................................................ 85
Task 4.2: eBGP configuration ........................................................................................................... 85
Task 4.3: Customer BGP policy ........................................................................................................ 85
Task 4.4: Upstream BGP policy ........................................................................................................ 86
Task 4.5: Partner BGP policy . ........................................................................................................... 86
Task 4.6: IPv6 tunneling ................................................................................................................... 86
Task 4.7: BGP general requirements . ............................................................................................. 86
Part 5: VPN .................................................................................................................................. 87
Task 5.1: VPN Infrastructure ............................................................................................................ 87 9
Task 5.2: OSPF-based L3VPN ............................................................................................................ 87





10 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.3: BGP-based L3VPN . ............................................................................................................. 87

Task 5.4: L2circuit VPN configuration . ............................................................................................. 87
Task 5.5: BGP VPLS configuration . ................................................................................................... 88
Task 5.6: VPLS transport . .................................................................................................................. 88

Appendix Chapter 1: System Features . ............................................................................. 89

Task 1.1: Primary hostname and user configuration . ...................................................................... 90
Task 1.2: Aggregated interface configuration . ................................................................................ 91
Task 1.3: Advanced aggregated interface configuration . ................................................................ 92
Task 1.4: Network integration - NTP . .............................................................................................. 95
Task 1.5: Network Integration - Configuration archival .................................................................. 96
Task 1.6: Network Integration - Syslog . ........................................................................................... 97
Task 1.7: Static routing and jumbo frames support . ...................................................................... 98
Task 1.8: SNMPv2 Configuration . ................................................................................................... 99
Task 1.9: Basic RE Protection ......................................................................................................... 100
Task 1.10: Advanced RE Protection . ............................................................................................. 103

Appendix: Chapter 2 - IGP . ............................................................................................. 107

Part 1: IS-IS Troubleshooting . ..................................................................................................... 107
Part 2: Single-area OSPFv2 . ........................................................................................................ 118
Task 2.1 Single-area OSPFv2 baseline . .......................................................................................... 119
Task 2.2 OSPFv2 Network Types . .................................................................................................. 121
Task 2.3 OSPFv2: DR/BDR election . ............................................................................................... 122
Task 2.4 OSPFv2: Authentication . ................................................................................................. 123
Task 2.5 OSPFv2: Timers . ................................................................................................................ 124
Task 2.6 OSPFv2: BFD ..................................................................................................................... 125
Task 2.7 OSPFv2: Passive interfaces . ............................................................................................. 126
Task 2.8 OSPFv2: Load-balancing . ................................................................................................. 127
Task 2.9 OSPFv2: Cost tuning ......................................................................................................... 128
Task 2.10: OSPFv2: Miscellaneous features . ................................................................................. 129
Part 3: Multi-area OSPFv2 . ........................................................................................................ 131
Task 2.11 OSPFv2: Multi-area baseline . ........................................................................................ 132
Task 2.12 OSPFv2: Redistribution . ................................................................................................. 134
JNCIE-SP workbook: Table of contents

Task 2.13 OSPFv2: NSSA ................................................................................................................. 136

Task 2.14 OSPFv2: Summarization . ............................................................................................... 138
Part 4: Multi-level IS-IS . ............................................................................................................ 140
Task 2.15: IS-IS Baseline ................................................................................................................. 141
Task 2.16: IS-IS Authentication ....................................................................................................... 143
Task 2.17: IS-IS Timers . ................................................................................................................... 145
Task 2.18: IS-IS Route Leaking ........................................................................................................ 147
Part 5: OSPFv3 and IS-IS (IPv6) . ................................................................................................. 149
Task 2.19 . ....................................................................................................................................... 150
Task 2.20 . ....................................................................................................................................... 152
Task 2.21 . ....................................................................................................................................... 153
Task 2.22 . ....................................................................................................................................... 155 10





11 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix: Chapter 3 - MPLS . .......................................................................................... 156

Part 1. RSVP . ............................................................................................................................... 156
Task 3.1: MPLS and RSVP baseline . ............................................................................................... 157
Task 3.2: RSVP Refresh Reduction and Authentication ................................................................. 160
Task 3.3: RSVP LSP without CSPF . .................................................................................................. 162
Task 3.4: RSVP ERO . ........................................................................................................................ 164
Task 3.5. RSVP Load-Balancing ....................................................................................................... 166
Task 3.6: RSVP LSP Policy Selection . .............................................................................................. 167
Task 3.7: RSVP LSP Primary and Secondary Paths . ........................................................................ 169
Task 3.8: RSVP LSP Policing and Timers . ........................................................................................ 170
Task 3.9: RSVP LSP Usage for Internal Traffic . ............................................................................... 172
Task 3.10: RSVP LSP Optimization. . ............................................................................................... 173
Task 3.11: RSVP Node/Link Protection . ........................................................................................ 176
Task 3.12: Fast Reroute for RSVP LSP . ........................................................................................... 179
Task 3.13: RSVP Link Coloring ......................................................................................................... 181
Task 3.14: RSVP Link Coloring (cont.) . ........................................................................................... 183
Task 3.15: RSVP LSP Auto-Bandwidth . .......................................................................................... 185
Task 3.16: RSVP LSP TTL Handling . ................................................................................................ 187
Part 2. LDP . ................................................................................................................................. 189
Task 3.17: LDP Baseline .................................................................................................................. 190
Task 3.18: LDP Tunneling . ............................................................................................................... 192
Task 3.19: LDP Policies ................................................................................................................... 195

Appendix: Chapter 4 - BGP . ............................................................................................ 197

Part 1. Basic BGP ........................................................................................................................ 197
Task 4.1: iBGP full mesh ................................................................................................................. 198
Task 4.2: eBGP Neighborship and Authentication. . ....................................................................... 200
Task 4.3: Enabling BFD for BGP. . ................................................................................................... 202
Task 4.4: BGP Route Injection and AS Path Manipulation. . ........................................................... 204
Task 4.5: Destination-based Remote-Triggered Blackhole (RTBH) Filtering . ................................ 206
Task 4.6: Source-based RTBH Filtering . ......................................................................................... 209
Part 2. BGP Policies ..................................................................................................................... 211
Task 4.8: BGP Prefix Propagation and BGP Multipath. . ................................................................. 212
JNCIE-SP workbook: Table of contents
Task 4.9: BGP Prefix Filtering. ......................................................................................................... 216
Task 4.10: BGP Prefix Origination and Filtering . ............................................................................ 218
Task 4.11: BGP Conditional Route Advertising . ............................................................................. 221
Task 4.12: BGP Attributes Manipulation . ...................................................................................... 224
Task 4.13: BGP Scaling . ................................................................................................................... 227
Part 3. IPv6 Tunneling . ............................................................................................................... 229
Task 4.14: IPv6 Tunneling through IPv4/MPLS Cloud . ................................................................... 230

Appendix: Chapter 5 - VPN . ............................................................................................ 234

Part 1. L3VPN . ............................................................................................................................ 234
Task 5.1: L3VPN with BGP as PE-CE protocol . ............................................................................... 235
Task 5.2: L3VPN transparency. . .................................................................................................... 239
11
Task 5.3: Hub and Spoke VPN (BGP-based) . ................................................................................. 241





12 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.4: VPN Route Leaking .......................................................................................................... 245

Task 5.5: VPN Internet Access ........................................................................................................ 248
Part 2. L3VPN PE-CE OSPF . ......................................................................................................... 250
Task 5.6: OSPF Sham Link ............................................................................................................... 251
Task 5.7: Hub and Spoke L3VPN (OSPF) . ....................................................................................... 255
Part 3. L3VPN . ............................................................................................................................. 259
5.8: BGP based Hub and spoke VPN with 1 interface . ................................................................... 260
5.9: BGP based MPLS VPN and 6VPE . ............................................................................................ 269
5.10: Inter provider VPN option B . ................................................................................................ 282

Appendix: Chapter 6 - Layer 2 VPN . ................................................................................ 287

Task 6.1: Kompella L2VPN (VC Type 5) . ......................................................................................... 288
Task 6.3: Kompella L2VPN (VC Type 4) . ......................................................................................... 294
Task 6.4: Basic LDP-based VPLS . .................................................................................................... 296
Task 6.5: LDP-based VPLS and multihoming . ................................................................................ 300
Task 6.6: Basic BGP signaled VPLS . ................................................................................................ 305
Task 6.7: BGP signaled VPLS with a multihomed site . ................................................................... 309
Task 6.8: BGP signaled VPLS features . ........................................................................................... 315
Task 6.9: BGP signaled VPLS and VLAN normalization .................................................................. 320
Task 6.10: BGP signaled VPLS and VLAN normalization ................................................................ 322
Task 6.11: BGP signaled VPLS feature . .......................................................................................... 325
Task 6.12: Stitching together an L2VPN and a VPLS . ..................................................................... 327
Task 6.13: VPLS and BUM replication with P2MP LSP . .................................................................. 333

Appendix: Chapter 7 - Multicast . .................................................................................... 337

Part 1: . ........................................................................................................................................ 337
Task 7.1: Configuring PIM with auto-rp . ........................................................................................ 339
Task 7.2: PIM filtering . .................................................................................................................... 343
Task 7.3: Configuring PIM with BSR . .............................................................................................. 345
Task 7.4: Configuring PIM with a static RP . ................................................................................... 349
Task 7.5: Configuring PIM with any-cast RP . ................................................................................. 351
Task 7.6: Configuring PIM with any-cast RP . ................................................................................. 354
Part 2: . ........................................................................................................................................ 357
Task 7.7: Configure an MVPN part 1: configuring P-PIM . .............................................................. 360
JNCIE-SP workbook: Table of contents

Task 7.8: Configure an MVPN part 2: configuring C-PIM . .............................................................. 363

Task 7.9: Configure an NG MVPN part 1 . ...................................................................................... 370
Task 7.10: Configure an NG MVPN part 2 . .................................................................................... 372
Task 7.11: Configure an NG MVPN part 3 . .................................................................................... 379

Appendix: Chapter 8 - Class of Service . ........................................................................... 382

Task 8.1: Multi-field classification . ................................................................................................ 383
Task 8.2: BA classification . ............................................................................................................. 386
Task 8.3: Policing . .......................................................................................................................... 389
Task 8.4: Scheduling ...................................................................................................................... 395
Task 8.5: WRED drop profiles ........................................................................................................ 400
Task 8.6: Rewrite rules .................................................................................................................. 402
12

13 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.7: Class-based forwarding (CBF) . ....................................................................................... 405

Task 8.8: LSP policing . .................................................................................................................... 408

Appendix – Full day lab challenge . .................................................................................. 410

Part 1: System Features . ............................................................................................................ 410
Task 1.1: Services configuration . ................................................................................................... 410
Task 1.2:Centralized authentication management . ...................................................................... 411
Task 1.3: Local user configuration . ................................................................................................ 412
Task 1.4: Active configuration archival . ......................................................................................... 413
Task 1.5: Interface configuration . ................................................................................................. 413
Task 1.6: RE Protection . ................................................................................................................. 416
Task 1.7: Advanced prefix matching . ............................................................................................. 418
Task 1.8: Advanced RE protection . ................................................................................................ 419
Part 2: IGP ................................................................................................................................. 420
Task 2.1: Troubleshooting ............................................................................................................. 420
Task 2.2: Multiple IP addresses on OSPF interface . ...................................................................... 424
Task 2.3: RIP . ................................................................................................................................. 425
Task 2.4: IS-IS authentication ........................................................................................................ 431
Task 2.5: IS-IS and OSPF Redistribution . ....................................................................................... 431
Task 2.6: IPv6 routing .................................................................................................................... 436
Task 2.7 General requirements . .................................................................................................... 440
Part 3: MPLS ............................................................................................................................... 442
Task 3.1: MPLS and RSVP configuration . ...................................................................................... 442
Task 3.2: LSPs between SRX2 and SRX7 . ....................................................................................... 446
Task 3.3: LSPs between SRX1 and SRX6 . ....................................................................................... 449
Task 3.4: LSP protection ................................................................................................................. 452
Task 3.5: LSPs between SRX6 to SRX3 . .......................................................................................... 454
Task 3.6: LDP configuration ............................................................................................................ 455
Task 3.7: LSP forwarding based on CoS . ........................................................................................ 457
Part 4: BGP ................................................................................................................................. 459
Task 4.1: iBGP configuration .......................................................................................................... 459
Task 4.2: eBGP configuration ........................................................................................................ 464
Task 4.3: Customer BGP policy . .................................................................................................... 470
Task 4.4: Upstream BGP policy . .................................................................................................... 472
Task 4.5: Partner BGP policy . ......................................................................................................... 477
JNCIE-SP workbook: Table of contents

Task 4.6: IPv6 tunneling . ................................................................................................................ 479

Task 4.7: BGP general requirements . ........................................................................................... 481
Part 5: VPN ................................................................................................................................ 483
Task 5.1: VPN Infrastructure .......................................................................................................... 483
Task 5.2: OSPF-based L3VPN .......................................................................................................... 483
Task 5.3: BGP-based L3VPN . ........................................................................................................... 494
Task 5.4: L2circuit VPN configuration . ........................................................................................... 499
Task 5.5: BGP VPLS configuration . ................................................................................................. 502
Task 5.6: VPLS transport . ................................................................................................................ 508

13

14 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Chapter 1: System Features

Introduction:

JUNOS offers support for many features commonly used within networks. The supported
features are (mostly) consistent across the different device types that Juniper has to offer.

By default, there is one super user in the system, this is the “root” user. Any additional users
and passwords have to be added manually. In JUNOS, every user has to belong to a class. A
class can contain multiple users and these classes define what privileges are granted to every
user that is a member of the class. Administrators can define their own custom classes. By
default, there are four pre-defined classes.

Inside every JUNOS class, so-called permission-flags can be set. These permission flags
indicate what commands are available to the users belonging to the class. There are
permissions granting the users access to operational mode commands and there are
permissions granting the users access to configuration commands.

Apart from local password authentication, JUNOS also supports remote authentication
methods such as TACACs+ and RADIUS. Remote authentication methods can be combined
with local password authentication. Local password authentication usually serves as a last
resort, authenticating locally configured users only when IP connectivity with the remote
authentication system is lost.

JNCIE-SP workbook: Chapter 1: System Features

JUNOS also supports physical interface bundling, or link aggregation. This enables the
grouping of multiple physical interfaces with the same properties (media, speed, duplex
mode) into one logical interface called an aggregated interface, or AE. The use of link
aggregation allows for increased redundancy and throughput. In general, AE interfaces can
be used in the same way regular interfaces are used (as a Layer 3 interface, as an interface in
an L2VPNs, etc.). The members of the AE interface can be a statically configured to
participate in the LAG or they can use the LACP protocol . The LACP protocol allows for the
automatic detection and deletion of member links. In addition to his, LACP also has certain
link monitoring capabilities that can check whether both ends of the link belong to the same
AE bundle. The LACP protocol can be configured to operate in different modes and send
messages at different intervals.

JUNOS also offers a plethora of general logging features that can help track events and 14
provide insights into what is happening on the network. NTP is supported up to version 4. By




15 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

configuring the same NTP server(s) on all JUNOS devices, troubleshooting can become a lot
easier. JUNOS also offers a standard UNIX syslog service, which supports eight levels of
message severities. These messages can be stored locally, sent to a remote syslog server
and/or to all users that are currently logged in. On JUNOS systems, the SNMP agent is
disabled by default. All existing SNMP versions up to version 3 are supported.

Another integral part of JUNOS images are basic security features such as stateless firewall
filters, control plane protection mechanisms and anti-spoofing mechanisms.

A standard firewall filter can be applied to JUNOS device’s loopback interface and by doing
so, all traffic to and from the routing-engine can be controlled. This helps to provide basic
protection from potentially malicious traffic that is aimed at the routing-engine.

The uRPF feature works by comparing the source IP of each incoming IP packet against the
routing table. The route towards the source IP of the packet has to correspond to the
interface on which the packet was received. If this is not the case, the packet is dropped. In
general, uRPF is enabled on interfaces facing to the “outside” of the AS and the feature can
eliminate the need to configure long and error-prone anti-spoofing firewall filters.

Do’s and Dont’s

• When listing separate allowed/denied commands in the user class configuration,
always enclose them in double quotes “…”
• By default, the number of supported AE interfaces is 0. Don’t forget to enable the
‘aggregated-devices’ in the [ chassis ] configuration hierarchy.
• If the NTP ‘show ntp associations’ command does not show an NTP server selected
for synchronization (indicated by the “*”), try running the operational mode
command “set date ntp <NTP server IP>”. This runs the BSD ntpdate utility, which

JNCIE-SP workbook: Chapter 1: System Features

queries the NTP server and sets the local time.

15

16 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Initial configuration: sys-start

Task 1.1:Primary hostname and user configuration

• Apply the new hostnames R1 and R2 to the srx1 and srx2 routers respectively.
• Create a custom login class “supervisor” and assign all permissions to it except for the
ability to start a BSD shell from CLI.
• Configure a local user “inetzero” with password “InetZero” as a member of this class.

Task 1.2: Aggregated interface configuration

• Create an aggregated Ethernet interface and statically assign ge-0/0/1 and ge-0/0/2
on R1 and R2 to this bundle.
• Assign IP addresses on both ends according to diagram.

Task 1.3: Advanced aggregated interface configuration

• Enable LACP on both sides of bundle. Only R1 should initiate exchange of LACP PDUs.

JNCIE-SP workbook: Chapter 1: System Features

• Tune the bundle so that the aggregated interface is operational only when both links
are in the “up” state.
• Adjust the configuration so that R2 sends LACP PDUs every 30 seconds.

Task 1.4: Network integration - NTP

• Configure an NTPv3 client on R1 and R2. Configure the routers to synchronize with
the server IP address 10.10.1.100.
• Modify the R1 and R2 configuration so that initial NTP sync with this server is
performed at boot time.
All NTP messages should be authenticated using MD5 authentication. Use the
password “workbook”.

16

17 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.5: Network Integration - Configuration archival

• Make sure the active configuration is transferred to and FTP server with IP address
10.10.1.100 every 15 minutes.
• Specify “lab” as username and “lab123” as the password to access the FTP server.
Task 1.6: Network Integration - Syslog
• Log all messages from any facility and for all levelsto host 10.10.1.100.
• Configure local logging and have all ‘error’ messages saved to a file called “error-
messages”. Set the maximum file size to 1Mb and increase the number of files to 20.
All users should be able to see the content of these log files. Also make sure that
priority information is included in the messages.
• Make sure messages with a critical severity are logged to all users currently logged in.
• Remove all other default syslog settings.
Task 1.7: Static routing and jumbo frames support
• Establish IP connectivity between the R1 and R2 loopbacks by configuring static
routes.
• Make sure that R1 and R2 are able to exchange jumbo frames of up to 9192 bytes.
Task 1.8: SNMPv2 Configuration
• Enable an SNMP agent on R1 and limit access to host 10.10.1.100. Use the
community string “inetzero” and allow read/write NMS access.
• Configure R2 to send traps to 10.10.1.100 in case of environment, link transition
events and authentication failures.

Task 1.9: Basic RE Protection

• Configure a firewall filter for R1 and apply it in the input direction of the loopback
interface.

JNCIE-SP workbook: Chapter 1: System Features

• Make sure that previously configured services (NTP, FTP and SNMP) keep on working
as before.
• Restrict telnet access to packets originating from the 10.10.1.0/24 network.
• Accept only ICMP types required for the ping utility to function properly.
• Discard and count all other traffic.

Task 1.10: Advanced RE Protection

• Configure a BFD protected iBGP session between the loopback IP addresses of both
R1 and R2. Use AS65000.
• Enable OSPF for the AE interface on both routers.
• Alter the firewall filter in such a way that BGP, BFD and OSPF can function.
• Permit OSPF in the firewall filter for locally configured subnets. Make sure that all the
addresses configured on the router are automatically added to the list.
17
• Make sure that all configured BGP peers are automatically added to the firewall filter.





18 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

• Change the end-term to not only discard and count, but to log and syslog as well.

JNCIE-SP workbook: Chapter 1: System Features

18

19 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Chapter 2: IGP

Introduction:

The IGP is one of the most important parts in any SP network design. All other protocols
required by any of the SP services rely either directly or indirectly on the IGP. Some of the
IGPs most critical tasks are the fast and correct distribution of internal prefix information.
The IGPs most commonly deployed by SPs are IS-IS and OSPF.

Both of these IGPs use a link-state database (LSDB) to store routing information and both
OSPF and IS-IS use the Dijkstra algorithm to calculate the best paths. Each protocol uses
specific packets to distribute the routing information stored in the LSDB. In OSPF, these
packets are called LSAs. In IS-IS, these packets are called LSPs.

One of the main differences between OSPF LSAs and IS-IS LSPs is the way in which IS-IS LSPs
use TLV tuples to describe prefix information. New TLV tuples are easily added to carry
additional or different information. So even though IS-IS was not initially developed for IP,
this concept has made it possible to extend IS-IS and rely on only 1 instance of the protocol
to distribute information for both IPv4 and IPv6.

OSPF is transported in IP (protocol number 89) and has 2 versions. OSPFv2 was designed for
IPv4 and, later on, OSPFv3 was developed to support IPv6. Since both versions work
independently from each other, IS-IS is generally considered the most attractive IGP for SP
environments.

Both IGPs establish and maintain neighbor adjacencies. These neighbor adjacencies are a
pre-requisite for the exchange of routing-information. Neighbor adjacencies are built
automatically by having routers exchange Hello packets. These same Hello packets are also
used to maintain the neighbor adjacency.

Even though both IGPs need the MTU size to match on both sides of the link for successful
adjacency formation, there is a difference in MTU mismatch discovery. IS-IS uses hello
packets while OSPF can discover an MTU mismatch only during the exchange of database
JNCIE-SP workbook: Chapter 2: IGP

description packets. Both IGPs also handle fragmentation in a different way. OSPF routers
rely on IP to handle fragmentation. IS-IS routers don’t rely on IP, but have packets
fragmented at the originating router instead.

Both protocols organize the network into areas. However, there are some differences in the
way OSPF and IS-IS do this. In OSPF, all areas must to be connected to area 0 (the backbone
area). The reason for this is that OSPF behaves as a distant vector protocol for inter-area
routing. In OSPF, all the routers within an area have an identical LSDB.

IS-IS does not share the concept of a backbone area. Instead, it requires a logical topology of
19
contiguously connected Level 2 routers with (possible) branches of Level 1-2 and Level 1





20 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

routers. Another difference is that in IS-IS, the entire router resides within a single area while
in OSPF, the individual links of a router can be placed into different areas. In IS-IS, routers
have a per level LSDB. In OSPF, routers have a per area LSDB.

Do’s and Dont’s

OSPF:

• Always pay attention to which logical interface number should be put into an area. In
case you omit a unit number, unit 0 will be added automatically.
• Don’t forget to add loopback interface lo0.x to the OSPF configuration because other
protocols like internal BGP rely on loopback IP reachability.
• Check that IP addresses on both sieds of the link belong to the same subnet and that
they are using the same subnet. Also make sure that the following parameters are
identical: OSPF interface network type, area number, area type, hello and dead
intervals, MTU, authentication type and passwords (if any).
• Don’t forget to write and add an export policy to the forwarding table if you’re asked
to enable load-balancing across several equal-cost paths.

IS-IS:

• Take care when you are deciding on which level logical interfaces need to operate. In
case you omit a unit number, unit 0 will be added automatically.
• Make sure that the ISO protocol family is on every logical interface that should run IS-
IS.
• Add at least one NET address to the interface configuration under the “family iso”
hierarchy (generally it is configured on the loopback interface).
• By default, levels 1 and 2 are enabled on the IS-IS interface. Disable the unwanted
level to prevent undesirable level adjacencies to be established.
• Make sure that IP addresses are from the same subnet on both ends of the link. Also
make sure that the following parameters are identical: IS-IS interface network type,
MTU, area IDs (for level-1 only adjacencies), authentication parameters (if any).
JNCIE-SP workbook: Chapter 2: IGP

20

21 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 1: IS-IS Troubleshooting

Initial configs: IS-IS-TShoot

Objective:Troubleshoot IS-IS adjacencies in the following topology. They should form
across logical connections between the routers according to the diagram. All neighbors
should have no more than one adjacency across each logical interface.

JNCIE-SP workbook: Chapter 2: IGP

21

22 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

JNCIE-SP workbook: Chapter 2: IGP

22

23 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

JNCIE-SP workbook: Chapter 2: IGP

23

24 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2: Single-area OSPFv2

Initial configs: IPv4-basic

JNCIE-SP workbook: Chapter 2: IGP

24

25 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.1 Single-area OSPFv2 baseline

• Configure OSPFv2 area 0 on the interface of every router according to the diagram.

Task 2.2 OSPFv2 Network Types

• Reconfigure R3 and R4 so that there will be no DR/BDR election on the links between
R3 and R4.

Task 2.3 OSPFv2: DR/BDR election

• Reconfigure the R1-R3 and the R2-R4 OSPF adjacencies so that R3 and R4 will always
be the DRs on their respective segments.
• You are allowed to configure the R1 and R2 routers only.

Task 2.4 OSPFv2: Authentication

• Configure clear text authentication between R1 and R3 using password "R1R3CLR"
• Configure MD5 authentication between R2 and R4 using password "R2R4MD5"

Task 2.5 OSPFv2: Timers

• Adjust OSPF hello and dead timers on R1-R3 and R2-R4 links to the values 1 and 4
seconds respectively.
• Modify the amount of time during which the local device waits for acknowledgement
from a neighboring device before retransmitting a previously sent LSA. Do this on all
routers.

Task 2.6 OSPFv2: BFD

• Enable the BFD protocol on the upper R3-R4 link connecting the G0/0/1 interfaces.
Specify a minimum transmit and receive interval of 400 ms.
• Make sure that the detection time is 2 seconds.
• Make sure that BFD is enabled only for those OSPF neighbors which are in the "Full"
state.

Task 2.7 OSPFv2: Passive interfaces

• Assign the addresses 11.11.11.11/24 and 22.22.22.22/24 on the G0/0/1 interfaces of
R1 and R2 respectively.
JNCIE-SP workbook: Chapter 2: IGP

• Advertise these interface addresses to OSPF without actually running OSPF on them.
Do not use a policy to perform this task.

25

26 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.8 OSPFv2: Load-balancing

• Make sure that both equal cost OSPF paths between R3 and R4 are installed into
their respective forwarding tables.

Task 2.9 OSPFv2: Cost tuning

• By changing the OSPF costs make sure that traffic between R1 and R2 in both
directions prefers the link connecting R3 and R4 G0/0/1 interfaces.

Task 2.10: OSPFv2: Miscellaneous features

• Change the automatically calculated OSPF metric to a value of 10 on GigabitEthernet
interfaces on all routers.
• Make sure that the LSAs routers orignate have the DoNotAge bit set.
• Configure OSPF database protection for all routers so that only a warning message is
generated when the maximum number of LSAs generated by other routers exceeds
500. Generate the first warning after exceeding a value of 400.

JNCIE-SP workbook: Chapter 2: IGP

26

27 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 3: Multi-area OSPFv2

Initial configs: IPv4-basic

Task 2.11 OSPFv2: Multi-area baseline

• Configure OSPF area 0 between R3 and R4. Advertise the loopbacks of R3 and R4 to
this area.
• Configure OSPF area 13 between R1 and R3 and OSPF area 24 between R2 and R4.
Advertise the loopbacks of R1 and R2 to OSPF.

Task 2.12 OSPFv2: Redistribution

• Configure static routes 172.16.0.0/24 through 172.16.3.0/24 on R1 and
172.16.4.0/24 through 172.16.7.0/24 on R2 respectively. Enable generation of ICMP
unreachables when traffic is send to these destinations.
JNCIE-SP workbook: Chapter 2: IGP

• Redistribute these static routes into OSPF on R1 and R2.

• Make sure these routes appear in routing tables marked as Type 1 externals.
• Limit the number of the prefixes that can be exported to OSPF to 10 both on R1 and
R2.

Task 2.13 OSPFv2: NSSA

• Convert regular areas 13 and 24 into NSSAs. Do not allow OSPF inter-area LSAs to
leak into areas 13 and 24.
• Make sure you still have IP reachability between prefixes originated at R1 and R2.
27

28 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.14 OSPFv2: Summarization

• Summarize the redistributed static routes from task 2.12 so that each range appears
as a single prefix in area 0 and specific prefixes are suppressed.

JNCIE-SP workbook: Chapter 2: IGP

28

29 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 4: Multi-level IS-IS

Initial configs: IPv6-basic

Task 2.15: IS-IS Baseline
• Configure a multi-level IS-IS basline according to the diagram.
• Use xxxx.xxxx.xxxx as system-id, where x is the router number.
Task 2.16: IS-IS Authentication
• Enable hello authentication only within L1 areas. Use MD5 as the authentication type
and R1R3 as a password for the R1-R3 connection and R2R4 for the R2-R4 one.
• Disable the DIS election on the links as shown in the diagram.
• Enable both hello and LSP authentication between R3 and R4. Use MD5 and
password R3R4.

Task 2.17: IS-IS Timers

JNCIE-SP workbook: Chapter 2: IGP

• Change the CSNP interval on the R3-R4 links to the value of 5 seconds.
• Change the transmission frequency to 1 LSP per second on the links R1-R3 and R2-R4.

Task 2.18: IS-IS Route Leaking

• Disable the installation of a default route on R1 and R2
• Change the configuration so that there still is full IPv6 reachability after that.

29

30 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 5: OSPFv3 and IS-IS (IPv6)

Initial configs: OSPFv3-IS-IS-IPv6

Task 2.19
• Configure the IS-IS and OSPFv3 baseline according to the diagram.

Task 2.20
• Configure 4 static IPv6 routes on R1 according to the diagram.
Use “reject” keyword as a next-hop value.
• Redistribute these routes to IS-IS.

Task 2.21
JNCIE-SP workbook: Chapter 2: IGP

• Enable redistribution between OSPFv3 and IS-IS on R3 and R5.

• Make sure you have full IP reachability between all existing prefixes.
• Make sure that there are no routing loops and that there is no suboptimal routing.

Task 2.22
• Enable OSPFv3 authentication between R3 and R4.
• Use protocol esp, spi 256, the hmac-sha1-96 algorithm and key ' inetzero-jncie-inet0'

30

31 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Chapter 3: MPLS

Introduction:

MPLS is a technology that is playing an invaluable role in any modern SP network. MPLS is
not just another way of switching packets across a SP network, but it’s a different approach
to building a scalable universal infrastructure that can support a variety of services.

In MPLS, Label Switched Paths (LSPs) are signaled between MPLS nodes, called LSRs. These
LSPs are unidirectional and they are used by LSRs to switch traffic across the network. LSRs
perform an exact-match label lookup to determine which interface is to be used as an
outgoing interface. This as opposed to the traditional longest-match lookup of the
destination IP address against the routing table.

Labels are pushed onto IP packets between its Layer 2 and Layer 3 header on the edge of the
MPLS network by edge routers. These router are commonly referred to as PE (Provider Edge)
routers. The operation wherein a label is added to the stack is called a “push” operation. This
operation is mostly performed on ingress. On intermediate MPLS nodes, the MPLS label is
changed. This is called a “swap” operation. On egress, the MPLS label is removed from the
packet in an operation referred to as “pop”. This can be performed by an egress PE or, as is
the case most often, the penultimate hop MPLS node. The scenario wherein the
penultimate hop pops the label is called Penultimate Hop Popping (PHP). PHP behavior
optimizes label operations by avoiding a double lookup on the egress PE. By popping the
label, the egress PE only has to do an IP lookup. If the label were not popped, the egress PE
would have to examine both a label and an IP address.

Label distribution can be provided by means of the label distribution protocols LDP and
RSVP. The main difference between them is the traffic engineering (TE) capabilities offered
by RSVP. LDP relies upon the underlying IGP and LDP signaled LSPs always follow the best
paths chosen by the IGP. RSVP allows for administrators to define what path an LSP should
take, offering a more equal and efficient utilization of network resources. RSVP was
JNCIE-SP workbook: Chapter 3: MPLS

originally designed as a signaling protocol for resource reservations between hosts. By

creating extensions for RSVP, it was made suitable to serve as a label distribution protocol.
Through these extensions, support for labels, hello packets, path protection and other
features were made possible.

RSVP can also track the amount of currently used and available bandwidth together with
other TE specific parameters inside a database called the TED (traffic engineering database).
This is a more detailed version of the link-state LSDB and both IS-IS and OSPF support TED
and TE capabilities.

31

32 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

One of the things the TED can contain is information about link colors. These can offer
additional flexibility for the creation of LSPs. Link colors make it possible to easily include or
exclude colored links from path computation.

CSPF is an advanced version of SPF algorithm used in link-state protocols. Its additional
capabilities include taking user-defined constraints (such as link colors) into consideration
when creating an ERO (explicit route object) – a list of hops that should be visited during the
creation of an LSP. This ERO list is used by RSVP for LSP signaling.

An ERO list can be defined by explicitly specifying hop sequences from the ingress LSR to the
egress LSR. Two types of hops can be defined in these ordered sequences; strict hops and
loose hops. A strict hop has to be an IP address of a directly connected neighbor interface. A
loose hop can be anywhere between the ingress and egress point of the LSP. The actual
path between the local node and the loose hop is calculated by the IGP.

By default, only the loopback IP addresses for routers will be present in the inet.3 table. This
is because with RSVP signaled LSPs, only the /32 that corresponds to the egress point of the
LSP is placed into the inet.3 table. And with LDP, only the label binding for the loopback IP is
advertised to other routers.

Furthermore, by default, the routing information in the inet.3 table is usable only by the BGP
protocol. If for some prefix the BGP next-hop can be resolved in this table, then the
corresponding LSP will be used to forward traffic. This default behavior can be changed and
LSPs can also be used to forward to non BGP destinations.

JNCIE-SP workbook: Chapter 3: MPLS

32

33 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Do’s and Don’ts

• Enable MPLS processing by adding “family mpls” on all core-facing logical interfaces
on every PE and P router. Also configure the same logical interfaces in the “protocols
mpls” stanza. Verify that all the necessary interfaces are MPLS enabled by analyzing
the output of the “show mpls interfaces” operational mode command.
• Enable RSVP and/or LDP on every logical interface that any MPLS LSP might cross.
Generally, these are core-facing interfaces. Be careful with logical interface numbers
and always double-check them to prevent troubleshooting due to typos.
• Always use the “show mpls lsp extensive” command when troubleshooting
unsuccessful LSP setup. This is because the output of this command contains the
LSP’s recent events. The reasons for any LSP setup failure can be found there as well.
• Be aware that, by default, only BGP uses the inet.3 table for route resolution. The
options under “set protocols mpls traffic-engineering” can change this behavior.
• When using link colors, take into account that links with no color assigned are not
considered. They are purged from calculation when “include” is used and considered
when “exclude” is used.
• When working with ERO lists, be careful to visit nodes only once and avoid loops
when defining a path.

JNCIE-SP workbook: Chapter 3: MPLS

33

34 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 1. RSVP
Initial configurations: OSPFv2-baseline

JNCIE-SP workbook: Chapter 3: MPLS

34

35 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.1: MPLS and RSVP baseline

• Enable MPLS processing and RSVP signaling on all interfaces from the diagram on all
routers.

Task 3.2: RSVP Refresh Reduction and Authentication
• Enable RSVP message bundling features on the R3-R4 sessions.
• Enable reliable message delivery and RSVP message ID on the R1-R3 and R2-R4
sessions.
• Authenticate R3-R5 and R4-R5 RSVP sessions with the key "RsvP".

Task 3.3: RSVP LSP without CSPF
• Create 2 RSVP LSPs from R1 to R2 named Red and Blue respectively.
• Request 1Mb of bandwidth for Red and 2Mb for Blue and turn the CSPF off on both
LSPs.

Task 3.4: RSVP ERO
• Create primary explicit paths for the LSPs from previous task.
• Red LSP should go strictly through the upper physical path between R3 and R4, Blue
LSP - through the lower one.
• Don’t use loose hops in ERO list.

Task 3.5. RSVP Load-Balancing

• On R1, enable traffic distribution between Red and Blue LSP proportionally to
theirbandwidth assigned.

Task 3.6: RSVP LSP Policy Selection
• Create 2 RSVP LSPs from R2 to R1 named Orange and Green and disable CSPF for
both LSPs.
• Make both LSPs visible for internal traffic going to the R1 loopback address. At the
same time, the OSPF route to 1.1.1.1/32 should be active.
JNCIE-SP workbook: Chapter 3: MPLS

• Make sure that the Orange LSP is preferred for internal traffic going to 1.1.1.1/32.
Use a policy for performing this task.

Task 3.7: RSVP LSP Primary and Secondary Paths
• Create an RSVP LSP from R1 to R2 named Brown and turn off CSPF for the LSP.
• Enable a primary path that visits R5 and don’t use more than one ERO.
• Enable the use of a secondary path which is fully calculated by the IGP and have this
path ready to accept traffic in case of primary path failure.

35

36 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.8: RSVP LSP Policing and Timers

• Assign 40K of RSVP bandwidth to LSP Brown and enable the policing of traffic going
through this LSP equal to the configured value.
• Change the time between the attempts of bringing up a failed primary path of LSP
Brown to 10 seconds and number of these attempts to 10. Also configure a hold-
down window for switching traffic back to the restored primary to 30 seconds.

Task 3.9: RSVP LSP Usage for Internal Traffic
• Enable the use of LSP Brown for traffic from R1 to IP address 22.22.22.22 on R2.

Task 3.10: RSVP LSP Optimization.
• Change the configuration of your routers so that each router can report the current
bandwidth reservations to OSPF.
• Within Brown LSP configuration, turn the LSP optimization on with the optimize-
timer set to 60 seconds.

Task 3.11: RSVP Node/Link Protection
• Protect both Red and Blue LSPs with the link protection mechanism.
• Protect LSP Brown from the whole failure of R5.

Task 3.12: Fast Reroute for RSVP LSP
• Reconfigure Orange LSP so that it visits R5 and order Fast Reroute for this LSP.

Task 3.13: RSVP Link Coloring
• Assign link colors Red, Blue and Green to R4 ge-0/0/1.0, R4 ge-0/0/2.0 and R4 ge-
0/0/4.45 interfaces respectively.
• Also assign Green color to R2 ge-0/0/4.24, R5 ge-0/0/4.35 and R3 ge-0/0/4.13

Task 3.14: RSVP Link Coloring (cont.)
JNCIE-SP workbook: Chapter 3: MPLS

• Create an LSP from R2 to R1 named “AG1” which includes links only with Green color
while building LSP.
• Create another LSP to the same direction named “AG2” which excludes links with
colors Red or Blue.
Task 3.15: RSVP LSP Auto-Bandwidth
• Enable auto-bandwidth on LSP Orange with the bandwidth reallocation interval set to
300 seconds.
• Adjust the auto-bandwidth statistics interval to 30 seconds and use the name “mpls-
stat” for the statistics file.

36

37 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.16:RSVP LSP TTL Handling

• On the Orange LSP, enable the Juniper proprietary mechanism that disables normal
TTL decrementing.

JNCIE-SP workbook: Chapter 3: MPLS

37

38 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2. LDP
Initial configurations: OSPFv2-baseline

JNCIE-SP workbook: Chapter 3: MPLS

38

39 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.17: LDP Baseline

• Enable LDP on the R1-R3 and R2-R4 links and on the loopback interfaces of the
routers involved.
• LDP sessions should be extended and authenticated with MD5 hashes using the R1R3
and R2R4 passwords respectively.
• On both pairs enable, the mode that prevents LDP sessions from being established
with non-configured LDP peers.

Task 3.18: LDP Tunneling
• Configure 2 RSVP LSPs between R3 and R4 and have them transit R5.
• Enable the RSVP signaled LSPs for LDP LSPs.
• Make sure that internal traffic between the R1 and R2 loopback addresses make use
of the LDP LSPs and make sure that the LDP metric on both R1 and R2 is derived from
the IGP.

Task 3.19: LDP Policies
• In addition to the loopback interface, have R2 announce prefix 22.22.22.0/24 into
LDP.
• Make sure that only /32 prefixes are installed in the inet.3 table of R1 and R3.
Configure only the R3 router to achieve this.

JNCIE-SP workbook: Chapter 3: MPLS

39

40 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Chapter 4: BGP

Introduction:

BGP is a protocol that performs different tasks in a SP environment. One of the primary tasks
is to allow for the exchange of prefix information between different autonomous systems.
Apart from that, BGP can also play an important role in the signaling of other services. This is
made possible by using the modified version of BGP, called MP-BGP. This version of BGP is
capable of carrying more than just IPv4 prefixes. It allows for the distribution of routing-
information for a number of different address families, such as the ‘inet-vpn’ and ‘l2vpn
signaling’ address families for example. These last two enable services such as BGP signaled
MPLS Layer 3 and Layer 2 VPNs.

Unlike other routing-protocols, there is no auto-discovery procedure defined for BGP. All
BGP neighbors need to be configured explicitly. Another factor that sets BGP apart from
other routing-protocols is the use of TCP as a (reliable) transport protocol.

We can distinguish two types of BGP sessions: iBGP (used within an AS) and eBGP (used
between different ASes). In general, iBGP sessions are sourced from the loopback addresses
of peering routers while eBGP sessions are sourced using the address configured on the
physical interface that connects the peering routers to each other.

BGP relies on the AS path for loop prevention. The AS path is prepended to prefixes when
they are advertised across an eBGP session. Since the AS path is not prepended to prefixes
exchanged across an iBGP session, this mechanism would not work for iBGP. Therefore, iBGP
learned prefixes are never forwarded across an iBGP session. This leads to the requirement
of a full-mesh of iBGP sessions within an AS.

Since the full-mesh requirement does not scale well, 2 different scaling mechanisms were
developed for BGP: BGP confederation and route-reflection. The BGP confederation
JNCIE-SP workbook: Chapter 4: BGP

mechanism allows for the AS to be broken up into smaller sub-ASes called confederations.
Only within these sub-ASes is a full mesh of iBGP sessions required. Prefix exchange between
sub-AS’es is provided by eBGP-like sessions called confederation BGP sessions.

The other BGP scaling mechanism is called Route-Reflection. The Route-Reflection approach
relaxes the iBGP rule which states that iBGP learned routing information cannot be
advertised to other iBGP peers across an iBGP session. This applies to routers that serve as a
Route-Reflector (RR). Instead of a full mesh, all BGP speaking routers have an iBGP session
with one or more RRs. These RRs can reflect iBGP learned routes between the different RR-
clients. For very large networks, it is even possible to define a hierarchy of RR-clusters that
serve different parts of the network or specific address-families. 40

41 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Another point worth mentioning is that the two BGP scaling mechanisms are not mutually
exclusive. A RR can be configured to relax the iBGP full-mesh requirement within a BGP sub-
AS.

All prefix information carried by BGP has so-called PATH attributes attached to it. These
PATH attributes make BGP the most flexible routing-protocol to date. In combination with
routing-policies, these PATH attributes can be used to manipulate routing-information in an
endless number of ways.

For example, the local preference attribute can be used to manipulate the exit point for
outgoing traffic towards another AS while attributes AS-PATH and MED can be used to
manipulate entry points for incoming traffic into the AS.

Another BGP attribute worth mentioning is the BGP community. Communities are often
used to tag or mark traffic at a certain point in the network. The administrator of the AS can
easily identify these routes anywhere in the AS by referencing these communities in policies.
By doing so, it becomes possible to manipulatie traffic and routing information in a very
concise way.

JNCIE-SP workbook: Chapter 4: BGP

41

42 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Do’s and Dont’s:

• Make sure there is IP reachability between BGP speakers before setting up the BGP
sessions. You can use the ping utility with the ‘source’ option for this.
• To prevent BGP routes from being marked as hidden, make sure that the next-hop of
the route (by default the IP address of the last eBGP peer) can be resolved in the
inet.0 table on every BGP peer. This can be done by injecting the eBGP peer facing
interface into the IGP or through the use of a routing policy that rewrites the next-
hop.
• The first step in configuring RTBH is to configure a static route for an unused prefix
that has it’s next-hop set to discard on every iBGP router within the AS. Then, on a
signaling router, an export policy should be configured to redistribute static routes
into BGP. A policy that takes care of the redistribution should set the next-hop of the
route to match the discard route. This will make all iBGP speaking peers install the
route into the forwarding table with a next-hop that corresponds to a discard route.
Furthermore, the policy on the signaling router should also set the local preference
to the highest value within the AS and attach the no-export community. This way the
route will be active and it will never be (accidentally) advertised towards any other
AS. Another good idea is to make the signaling router trigger RTBH only for static
routes configured with a specific tag or community.
• While configuring IPv6 tunneling, don’t forget to enable “family inet6” support not
only on PE interfaces connected to CE but also on core-facing interfaces.

JNCIE-SP workbook: Chapter 4: BGP

42

43 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 1. Basic BGP

Initial configurations: Part 1

JNCIE-SP workbook: Chapter 4: BGP

43

44 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.1: iBGP Full Mesh

• Configure a full-mesh of iBGP sessions between R3, R4 and R5 according to the
diagram.
• Use the asdot notation format when configuring the AS number.

Task 4.2: eBGP Neighborship and Authentication.

• Configure the eBGP sessions between R1,R3 and R2,R4.
• AS65565 should be configured as though it is connected to AS 65444
which was recently assimilated by AS 65555.
• Authenticate these sessions with the MD5-hashed passwords ‘R1R3’ and ‘R2R4’
respectively.

Task 4.3: Enabling BFD for BGP.

• Enable BFD on the iBGP session between R3 and R4.
• Specify 1 second as the minimum transmit and receive interval for failure detection
and 5 lost consecutive hellos before declaring down the session.

Task 4.4: BGP Route Injection and AS Path Manipulation.

• Inject prefixes 11.11.11.0/24 and 22.22.22.0/24 into BGP within their respective AS
according to the diagram.
• Make sure AS 65560 and AS 65565 see each other’s prefixes through BGP. Don’t
enable OSPF on the links connecting the ASes.
• Tune R4 to prevent the 65555 AS number from being added to the AS path when
prefixes are sent to AS 65565.
• Tune R4 to prevent the 65444 AS number from being added to the AS path of
prefixes sent to AS 65560.

Task 4.5: Destination-based Remote-Triggered Blackhole (RTBH) Filtering

• Setup destination-based RTBH filtering in AS 65555.
• The protected resource is the R1 address 11.11.11.11/24 and the attack is coming
JNCIE-SP workbook: Chapter 4: BGP

from subnet 22.22.22.22/24, a subnet that is configured on the R2 router.

• Use R5 as a signaling router and 6.6.6.0/24 as a prefix that is not used in the network.

Task 4.6: Source-based RTBH Filtering

• Setup source-based RTBH filtering in AS 65555.
• The protected resource is the R1 address 11.11.11.11/24 and the attack is coming
from subnet 22.22.22.22/24, a subnet that is configured on the R2 router.
• Use R5 as a signaling router and 6.6.6.0/24 as a prefix that is not used in the network.
Activate strict uRPF on the R4 interface that connect the router to R2.

44

45 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2. BGP Policies

Initial configuration: Part 2

JNCIE-SP workbook: Chapter 4: BGP

45

46 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.8: BGP Prefix Propagation and BGP Multipath.

• Configure eBGP sessions between AS65555 and its uplink ISP routers: R1 and R2.
• Configure eBGP sessions between AS65555 and its customers: R6 and R7. Also make
sure that customer prefixes from the diagram are propagated to AS65666.
• In AS 65007, enable load-balancing across its two external eBGP connections.

Task 4.9: BGP Prefix Filtering.

• In AS65555, do not accept prefixes from customers R6 and R7 with a mask length
greater than /24.
• Clear any communities that may be attached to customer prefixes received from
AS65006 and AS65007.
• Prevent the announcement of specific customer prefixes to any other AS. Achieve
this through the use of communities.

Task 4.10: BGP Prefix Origination and Filtering

• In AS 65555, configure and advertise 1 prefix that summarizes all customer prefixes
(from AS 65006 and 65007) and advertise that prefix to AS 65666.
• As an additional security measure, configure AS65666 so that it only accepts prefixes
originated in AS65555.

Task 4.11: BGP Conditional Route Advertising

• Have the AS 65666 routers announce their loopback IP addresses to AS65555
• Make AS 65555 announce a default route to AS 65006 and 65007.
• To prevent traffic black holing, modify the configuration so that the default route will
not be announced when the two /32 routes that originated in AS65666 disappear
from the routing tables.

Task 4.12: BGP Attributes Manipulation

• Fix the configuration of AS65555 so that R1 and R2 announce their /32 prefixes
through both iBGP and eBGP.
JNCIE-SP workbook: Chapter 4: BGP

• Configure AS 65555 so that outgoing traffic to AS 65666 is sent via R3 and all
incoming traffic from AS 65666 enters the AS via R4.
• Don’t use AS Path manipulation for this task.

Task 4.13: BGP Scaling

• Reconfigure AS 65555 from a full-mesh iBGP to a setup wherein R5 serves as a route
reflector and R3 and R4 are its clients.

46

47 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 3. IPv6 Tunneling

Initial configurations: Part 3

Task 4.14: IPv6 Tunneling through IPv4/MPLS Cloud

• Setup BGP sessions across the IPv6 links between R1-R3 and R2-R4.
• Enable the exchange of IPv6 traffic between R1 and R2 (IPv6-only routers) across the
IPv4 MPLS infrastructure (R3, R4, R5).
• You should be able to send pings between the R1 and R2 loopbacks.
JNCIE-SP workbook: Chapter 4: BGP

47

48 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Chapter 5: VPNs

Introduction:

By leveraging their MPLS infrastructure, most of today’s SP networks are able to support
different types of VPNs. VPN traffic for different customers and services is switched across a
common MPLS infrastructure by making use of 2 labels, a bottom label and a top label.

The bottom (or inner) label is sometimes called the VRF label. This label defines the VPN
membership of the packet. An ingress PE pushes this label onto packets on ingress so that an
egress PE router knows what VPN to associate the traffic with.

Another label, the top (or outer) label, is also pushed onto packets by an ingress PE. This
label is used by MPLS routers to forward traffic towards the correct MPLS router. For VPN
traffic, this means that the top label corresponds to the egress PE router.

The routers in between the PE routers, if any, are the P routers. These routers only look at
the top label, switching traffic towards the destination PE router. The P routers have no
knowledge of any VPN or customer routing information. Exchanging routing information
with the customer and propagating customer routing information across the SP network is
strictly the PE routers’ responsibility.

To exchange this customer routing information across the SP network, a modified version of
the BGP protocol is used. This Multi-Protocol BGP (MP-BGP) is used to exchange customer
prefix information for L3VPNs across the SP network. The two most important concepts that
are added in this MP-BGP prefix exchange are the Route-Distinguisher (RD) and the Route-
Target (RT).

The SP network can serve as a common infrastructure to many L3VPNs and all of the
customers using an L3VPN can use their own IP space. This is possible because routing
information for every customer is made unique. This is done by prepending a RD to every
customer prefix. To exchange these routes, the “inet-vpn unicast” address family has to be
enabled for BGP sessions between the PE routers.

JNCIE-SP workbook: Chapter 5: VPNs

The second important concept in L3VPNs is the RT. The RT is an extended BGP community
that defines VPN membership. PE routers attach these RT communities when routing-
information is exported to other PE routers. On import, the remote PE router uses the RT to
determine in which VPN routing table the received prefixes should be installed.

In L3VPNs, the PE routers are involved in customer routing. Between the PE and the CE, the
following routing protocols are supported: OSPF, RIP and BGP. It is also possible to use static
routes on the PE routers involved in with VPN.

Different routing-protocols come with different caveats. For example, with BGP, a customer
may be inclined to use the same AS everywhere. In this case, it is mandatory for the SP to
change the default BGP loop prevention mechanism. This can be done by modifying the AS- 48
path and/or by looping the SP AS several times.




49 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

The most interesting L3VPN scenario is a hub-and-spoke VPN. In this scenario, any inter-
spoke traffic must be forwarded through the hub site first. This is achieved by using different
RTs for the hub and spoke sites and by selectively importing and exporting these RTs. The
hub sites imports routes with the spoke RT and exports routes with the hub RT. The spoke
sites only import routes with the hub RT and export routes with the spoke RT.


Do’s and Dont’s

• If there are no restrictions, use an IP-address-based route distinguisher value. This
can save time during troubleshooting.
• In hub-and-spoke scenarios, consider the default loop-prevention mechanisms and
modify them as needed.
• When using VPN route reflectors that are placed out of the forwarding path, make
sure that the BGP next-hops are resolved in inet.3, else the RR will not accept the
routes.
• To make an OSPF sham link more preferable over a legacy OSPF backbone, it may be
necessary to tune OSPF metrics on the interfaces of the CE devices.

JNCIE-SP workbook: Chapter 5: VPNs

49

50 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 1. L3VPN
Initial configuration: Part 1

JNCIE-SP workbook: Chapter 5: VPNs

50

51 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.1: L3VPN with BGP as PE-CE protocol

• Configure VPN B using the interfaces and addresses from the diagram.
• Use BGP as PE-CE routing protocol.
• Modify configuration so that PE routers receive only the VPNv4 prefixes that have
locally configured route-targets.
• RDs and RTs can be any values of your choice.

Task 5.2: L3VPN transparency.
• Reconfigure VPN B from the previous task in such a way so that AS 65555 is not
added to the AS Path after prefix exchange between sites.

Task 5.3: Hub and Spoke VPN (BGP-based)

• Configure VPN A as a hub and spoke VPN using the interfaces and addresses from the
diagram.
• Use BGP as PE-CE routing protocol.
• Make sure CE spokes (R1 and R2) communicate through central hub (R6) only.
• RDs and RTs can be any values of your choice.

Task 5.4: VPN Route Leaking
• Enable remote and local leaking of routes between VPN A and VPN B on R3. Perform
local leaking using the auto-export feature.
• Enable local leaking of routes between VPN A and VPN B on R4 using the RIB groups
approach.

Task 5.5: VPN Internet Access
• Provide Internet access for Site 1 of VPN B. Use the same interface for VPN and
Internet traffic and assume that the VPN B addresses are public.
• Restrict internet access for the IP address of the R7 loopback only. Don’t use firewall
filters for this. JNCIE-SP workbook: Chapter 5: VPNs

51

52 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2. L3VPN PE-CE OSPF

Initial configurations: Part 2

JNCIE-SP workbook: Chapter 5: VPNs

52

53 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.6: OSPF Sham Link

• Configure VPN B between R7 and R8 using OSPF as PE-CE protocol.
• Make sure that the L3VPN is the primary path between R7 and R8 and that the legacy
OSPF backbone is used for backup purposes only.

Task 5.7: Hub and Spoke L3VPN (OSPF)
• Configure VPN A as a hub and spoke VPN using OSPF as PE-CE protocol.
• Make sure that the CE spokes (R1 and R2) can communicate through the central site
only.
• RDs and RTs can be any values of your choice.

JNCIE-SP workbook: Chapter 5: VPNs

53

54 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 3. L3VPN

Initial configurations: L3VPN part3

JNCIE-SP workbook: Chapter 5: VPNs

54

55 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

5.8: BGP based Hub and spoke VPN with 1 interface

• Configure VPNA in AS65001, use BGP as a routing protocol.
• Make VPNA-S1 act as the hub site and connect it to the SP network using only 1
interface.
• Spoke sites should receive a default route, not the routes towards the other spokes.
• Make the PE routers peer with the out-of-path route-reflector and do not enable the
route-reflector for MPLS.

5.9: BGP based MPLS VPN and 6VPE

• Configure VPNB in AS65500, use BGP as a routing protocol.
• Use IPv4 BGP sessions between the CE and PE and use that session to exchange IPv4
and IPv6 prefix information.
• Make sure all sites can reach both the IPv4 and IPv6 addresses that are advertised by
the CEs.
• Make sure that VPNB-S1 is the preferred link for IPv4 traffic and that VPNB-S2 is the
preferred link for IPv6 traffic.
• On R3, configure one set of LSPs that carry only IPv4 traffic and another set of LSPs
that carry only IPv6 traffic towards R1, R2 and R4.

5.10: Inter provider VPN option B

• Configure an EBGP session with the ISP router and connect both VPNA as well as
VPNB to AS64098 on R4.
• For VPNA, the other ISP is using target:64098:1 and for VPNB, the other ISP is using
target:64098:2.



JNCIE-SP workbook: Chapter 5: VPNs

55

56 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Chapter 6: Layer 2 VPN

Introduction:

Same as with MPLS layer 3 VPNs, an MPLS layer 2 VPN uses 2 labels. The bottom or inner
label (VRF label) encapsulates the packet that is send from one site to another. This label
defines the VPN membership. The second label is the outer or top label. This label is used to
tunnel the VPN traffic across the backbone to the egress PE. The JNCIE-SP exam covers four
types of layer 2 VPNs. These are the following:


LDP based layer 2 circuit:

Covered in RFC 4447, the LDP Layer 2 Circuit allows for connectivity between dissimilar
media. An LDP layer 2 circuit is always a point-to-point connection between two devices and
both of these devices have to be configured manually. The LDP based layer 2 circuit is the
only layer 2 VPN that is not configured within a routing-instance. Martini style encapsulation
is used, this goes for the other three layer 2 VPNs as well.

BGP signaled L2VPN:

The BGP Layer 2 VPN (L2VPN) is also referred to as the Kompella-draft. It can be used to
provide for connectivity between dissimilar media. The L2VPN connections are always point-
to-point. L2VPN connections are signaled by the PE routers using MP-BGP.The fact that PE
routers use BGP to signal VPN membership is a quality often described as auto-discovery.
Similar mechanics used in MPLS L3VPNs (route-target, route-distinguisher, vrf) are used for
L2VPN as well.

JNCIE-SP workbook: Chapter 6: Layer 2 VPN

56

57 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

BGP signaled VPLS:

Defined in RFC 4761, VPLS connections are signaled using MP-BGP. VPLS uses the same
address family as an L2VPN. This allows for auto-discovery of PE VPN membership. Similar
mechanics used in MPLS L3VPNs (route-target, route-distinguisher, vrf) are used for BGP
signaled VPLS as well.

There are two key differences between a VPLS and an L2VPN. The first is that a VPLS is an
Ethernet-only VPN and an L2VPN is not. The second is that a VPLS allows for point-to-
multipoint connections and an L2VPN does not. A VPLS connects CE devices together in a
way a common L2 switch would.

LDP signaled VPLS:

Defined in RFC 4762, the VachKompella VPLS uses LDP to signal connections. As opposed to
the BGP signaled VPLS, an LDP signaled VPLS does not offer any auto-discovery. This means
that each VPN member has to be specified on every PE involved in the VPLS. The LDP
signaled VPLS is configured in a routing-instance. Since BGP is not used to signal the VPLS,
there is no need for a route-distinguisher or a route-target. A unique VPLS ID has to be
defined for each VPLS.

Do’s and don’ts:

- When LDP is used as a signaling protocol, make sure that the loopback interface is
configured in the [protocols ldp] stanza
- some encapsulations (vlan-ccc, vlan-vpls) only work for a certain vlan-range
- the forwarding behavior is configured on the interfaces. Be sure to specify the proper
encapsulation on the physical interface level as well as on the logical unit level. JNCIE-SP workbook: Chapter 6: Layer 2 VPN
- BGP signaled L2VPNs and both flavors of VPLS require a routing-instance
- route-reflectors will only reflect the routes that it can resolve
- IP-address-based route-distinguisher values can save time during configuration and
troubleshooting

57

58 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Initial configuration: L2VPN start

JNCIE-SP workbook: Chapter 6: Layer 2 VPN

58

59 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.1: Kompella L2VPN (VC Type 5)

• Configure a Kompella L2VPN (VC Type 5) between R1 and R7.
• Use interface ge-0/0/1 on all PE routers.

Task 6.2: Martini L2VPN

• Remove the VPN configuration from the previous task.
• Configure a VPN for VLAN 10 between R1 and R7.
• Use interface ge-0/0/1 on all PE routers.
• Use LDP as a signaling protocol.

Task 6.3: Kompella L2VPN (VC Type 4)

• Configure vpn ‘circuit-b’ for VLAN 11 between R1 and R7.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.
• Use VC-type 4.

Task 6.4: Basic LDP-based VPLS

• Configure VPLS ‘vpn-a’ on all PE routers for vlan 50.
• Use interface ge-0/0/1 on all PE routers.
• Use LDP as a signaling protocol.

Task 6.5: LDP-based VPLS and multihoming

• Configure VPLS ‘vpn-b’ on all PE routers for vlan 60.
• Use interface ge-0/0/1 on all PE routers.
• Use LDP as a signaling protocol.
JNCIE-SP workbook: Chapter 6: Layer 2 VPN
• One of the locations is multihomed to R5 and R7.
• Make sure that R7 is the backup connection and R5 is the primary connection.

Task 6.6: Basic BGP signaled VPLS

• Configure VPLS ‘vpn-c’ on all PE routers for VLAN 70.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.

59

60 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.7: BGP signaled VPLS with a multihomed site

• Configure VPLS ‘vpn-d’ on all PE routers for VLAN 80.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.
• The site connected to R5 and R7 is multihomed.
• The R5 connection to the VPLS should be the primary connection.

Task 6.8: BGP signaled VPLS features

• Configure VPLS ‘vpn-e’ on all PE routers for VLAN 90.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.
• Make sure that all BUM traffic is subjected to a 10K policer.
• Configure the lowest MAC limit possible on all sites except for the site connected to
R7. There, the MAC limit should be 100.
• If a MAC limit is crossed anywhere, the packet should be dropped.

Task 6.9: BGP signaled VPLS and VLAN normalization

• Configure VPLS ‘vpn-f’ on R1 and on R5.
• Use interface ge-0/0/2 on all PE routers.
• Use BGP as a signaling protocol.
• On R1, the customer is using VLAN 513.
• On R5, the customer is using VLAN 514.
• Normalize the VLAN through routing-instance configuration.

Task 6.10:BGP signaled VPLS and VLAN normalization

• Configure VPLS ‘vpn-g’ on R1 and R5.
• Use interface ge-0/0/2 on all PE routers. JNCIE-SP workbook: Chapter 6: Layer 2 VPN

• Use BGP as a signaling protocol.

• On R1, the customer is using VLAN 700.
• On R5, the customer is using VLAN 600.
• Normalize the VLAN to 520 through interface configuration.

Task 6.11: BGP signaled VPLS feature

• Configure an additional interface in 'vpn-g' on R1.
• On R1, use interface ge-0/0/1 and VLAN 520.
• Make sure that only the newly configured interface is active.
60






61 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.12: Stitching together an L2VPN and a VPLS

• Configure VPLS ‘vpn-h’ on R1, R3 and R5.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.
• Also configure a BGP based L2VPN, ‘vpn-h-stitched-l2vpn’ between R5 and R7.
• Stitch these Layer 2 VPNs together into a single layer 2 broadcast domain.

Task 6.13: VPLS and BUM replication with P2MP LSP

• Make sure that the R5 PE distributes BUM traffic towards the other PE routers for
‘vpn-h’.
• Do this by using an RSVP-signaled P2MP tunnel.

JNCIE-SP workbook: Chapter 6: Layer 2 VPN

61

62 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Chapter 7: Multicast VPN

Introduction:

There are two implementations that enable multicast transmission for MPLS VPNs; these are
the draft-Rosen and the Next-Generation Multicast VPNs (NG MVPN) implementations.

In the draft-Rosen model, a PE router has to be a part of the customer PIM domain and a
separate instance of PIM must be run in the SP network. Any PIM signaling or customer
multicast traffic traversing the backbone is encapsulated in multicast GRE tunnels. The main
drawback of this traditional approach is the limited scalability. Draft-Rosen used to be the
only possibility until P2MP LSPs were adopted for transport purposes.

The NG MVPN approach replaces PIM in the core. The approach uses MP-BGP for signaling
and the MPLS infrastructure for forwarding. This removes the need to use multicast GRE
tunnels that are used in draft Rosen. Seven new NLRI types were introduced to support NG
MVPN. These new NLRIs carry the information and attributes needed to build and support
the "tunnels" across the MPLS infrastructure. As with draft-Rosen, the PE routers still need
to be part of the customer PIM domains. The PE routers can also, optionally, serve as the
customer RP(s).

Like other MPLS VPN services, packet transmission occurs by using two labels: the top label
is used as the packet traverses the core, the bottom label is used to define VPN membership.
NG MVPN uses a special type of LSP called Point-To-Multipoint LSP (P2MP), which is an LSP
that is suitable for multicast packet delivery. Both LDP and RSVP can be used to create P2MP
LSPs. Traffic protection mechanisms like FRR and Link Protection can be used for RSVP
signaled LSPs as well as for RSVP signaled P2MP LSPs.

In NG MVPN, two different provider tunnels can be used for multicast traffic delivery. The
simplest one is the Inclusive P-tunnel. With this tunnel, an inclusive tree (I-PMSI) is built once
on a per-MVPN basis. Using I-PMSI, multicast traffic from the ingress PE will be send to all
JNCIE-SP workbook: Chapter 7: Multicast VPN
the other PEs. This is regardless of whether or not there are any receivers requesting
multicast traffic (similar to the default MDT in draft Rosen).

This can be undesirable if only a few PEs in the MVPN have subscribers that are interested in
the multicast traffic. In such cases, the other type of provider tunnel called Selective P-
tunnel (S-PMSI) can be used. With this approach, a selective tree is build and the PE will be
able to send multicast traffic to interested receivers only. In other words, only those
receivers that specifically send IGMP joins will receive multicast traffic (more or less similar
to the DATA MDT in Draft Rosen).

62

63 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

PE routers work as converters for signaling multicast state between PIM and MP-BGP in both
directions. When the source starts broadcasting to a multicast group, it sends PIM register
messages to the RP (often, this role is performed by a PE router). This PE then announces the
active source, using a Type 5 MVPN NLRI, to all other PEs. PIM register messages on remote
PEs are converted to Type 7 NLRIs and sent towards the PE with an active source. After
building the multicast forwarding tree, multicast traffic will start to flow from the source to
the receivers.

Do’s and Dont’s

• Make sure that MP-BGP sessions support and negotiate the additional MVPN address
family.
• Don’t forget to enable PIM on CE-facing interfaces within the L3VPN routing-instance
and specify the customer RP address when using PIM sparse-mode.
• Make sure that multiple operations (MPLS pop, RPF check etc.) can be performed on
egress packets. This can be achieved by activating the “vrf-table-label” VPN option.
• Pay attention to the task requirements for MVPN sites (sender/receiver only)
because by default, a site is enabled as a sender and a receiver site.

JNCIE-SP workbook: Chapter 7: Multicast VPN

63

64 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 1:

Initial configuration: MULTICAST part 1

JNCIE-SP workbook: Chapter 7: Multicast VPN

64

65 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Lab introduction:

The R6 router is functioning as a multicast source in this lab. No multicast configuration has
to be performed on this router in any of the tasks. At the end of each task, you can verify the
lab by having the R6 router send multicast traffic to the multicast group address 239.0.0.1.

R1 and R5 are configured to send join messages for group 239.0.0.1. Additionally, they will
also reply to multicast traffic, making it easy for you to test your configuration.

At the end of each task, you can verify the configuration by sending a multicast ping from R6
to the multicast addresses that R1 and R5 are willing to join. To verify the configuration
tasks, you can issue the following command on the R6 router:

ping bypass-routing interface ge-0/0/4.14 ttl 10 239.0.0.1

All routers are using the ge-0/0/0 interface as their out-of-band management interface.
Treat these interfaces as though they are the management, or fxp0 interfaces, of the routers
in the lab.

The lab exercises may require configuration on any of the routers except for R6.

JNCIE-SP workbook: Chapter 7: Multicast VPN

65

66 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.1: Configuring PIM with auto-rp

• Configure all routers for PIM.
• Configure R3 to be the RP, use the 10.0.0.255 address.
• Use the auto-rp mechanism.

Task 7.2: PIM filtering

• Filter incoming join messages for group 224.2.127.254 on R2.
• Filter outgoing join messages for group 224.2.127.254 on R5.

Task 7.3: Configuring PIM with BSR

• Reconfigure R3 and have the router announce the RP using the BSR mechanism.
• Configure R8 to announce itself as an RP as well. Use the 10.0.0.254 address and the
BSR mechanism.
• Make sure R3 will be the active RP.
• Use PIM SM everywhere.

Task 7.4: Configuring PIM with a static RP

• Configure R3 to be the RP using the 10.0.0.255 address.
• Use static RP configuration.

Task 7.5: Configuring PIM with any-cast RP

• Configure R3 and R8 to be the RP.
• Use the any-cast RP mechanism.
• Use the MSDP protocol.
• Use 10.0.0.255 as the RP address.

JNCIE-SP workbook: Chapter 7: Multicast VPN

Task 7.6: Configuring PIM with any-cast RP

• Change the any-cast RP mechanism into the PIM any-cast mechanism.

66

67 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2:

Initial configuration: MULTICAST part 2

Task 7.7: Configure an MVPN part 1: configuring P-PIM

• Configure PIM for the core.
• Use the PIM anycast RP mechanism.
• Configure R7 and R8 to be the RP, use 172.16.1.254 as the RP address.

Task 7.8: Configure an MVPN part 2: configuring C-PIM

JNCIE-SP workbook: Chapter 7: Multicast VPN

• Configure PIM for the customer using VPN c1.
• Use the PIM BSR RP mechanism.
• Configure R4 to be the RP for the customer, using address 10.4.4.4.

Task 7.9: Configure an NG MVPN part 1

• Enable PIM-SM on al CE-facing interfaces for VPN c2.
• Configure R4 to be the RP using address 10.4.4.4.

Task 7.10: Configure an NG MVPN part 2

• Configure a NG MVPN for customer 2.
• For the NG MVPN, use a P2MP LDP inclusive provider tunnel.
• Setup the MVPN to operate in RPT-SPT mode.

Task 7.11: Configure an NG MVPN part 3

67
• Reconfigure the provider tunnel to be RSVP-based.





68 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

• Set the bandwidth of the P2MP LSP to 10m.

• Specify the R2 and R6 sites as receivers and the R4 site as sender only.

JNCIE-SP workbook: Chapter 7: Multicast VPN

68

69 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Chapter 8: Class of Service

Introduction:

In today’s SP environment, numerous applications are using the same packet switched
network. These applications and/or protocols are very different in nature and they have to
share a common SP IP/MPLS infrastructure.

Applications can be very severely impacted by packet loss, delay and/or jitter. Because of
this, QoS can be very important to an SP. A set of QoS mechanisms can be used to give
preferential treatment to sensitive applications and/or protocols. To be able to use the
different QoS mechanisms on Juniper devices, we use the class of service configuration.

The first CoS processing task that is performed on every router in the network is input traffic
classification. By distributing packets in different virtual containers called Forwarding Classes
(FC), we define the order in which packets leave the router at a later stage. Packet
classification is performed by means of a BA classifier or multi-field (MF) classifier which is
applied on an input interface. A BA classifier examines the headers of incoming packet and
defines the Forwarding Class of a packet. This can be based on the value of any of the
following fields: DSCP, EXP, IP Precedence and 802.1p. You can also define one more locally
significant parameter called Packet Loss Priority (PLP) for a packet. There are 4 possible
values: high, medium-high, medium-low and low. PLP only comes into play during times of
congestion. The PLP defines which packets will be dropped first – these are packets with high
PLP and so on.

By default, a BA classifier called ipprec-compatibility, is applied to every logical interface
configured. This can be changed by configuring another BA classifier. MF classifiers can use
numerous firewall filter parameters as match criteria. These MF classifiers are commonly
used on edge devices or on customer-facing interfaces. They can also perform the
assignment of packets into different Forwarding Classes and they can also set PLP values. MF

JNCIE-SP workbook: Chapter 8: Class of Service

classifiers are processed after BA classifiers, and can be used to overwrite any previous
classifications.

Policing is a mechanism that can be used to limit the amount of traffic (mostly incoming) for
a configured bandwidth value. Policing uses a token bucket algorithm which allows for traffic
bursts as long as there are enough tokens in the bucket. Tokens are accumulated during
physical interface silence and spent when the interface transmits packets at wire speed.
Policers can be set to a hard-limit, which means that out-of-profile traffic is dropped. You
can also configure soft-limit Policers. When a soft-limit Policer is used, out-of-profile traffic is
assigned to a different (or worse) forwarding class and it is given a higher PLP.

69

70 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Before transit traffic is sent through the fabric, it can be subjected to class-based forwarding.
This mechanism changes the way in which the outgoing interface is identified. Instead of a
traditional destination IP lookup, the router uses class-to-next-hop mappings to forward
traffic destined to a configured prefix. By using this approach, you can push traffic across a
more "reliable" and "faster" path.

Schedulers define how outgoing interface queues will be serviced. Every physical interface
has 4 or 8 hardware queues that are mapped to forwarding classes. Every scheduler has a
priority, interface bandwidth and buffer size configured. Each queue is serviced on a round-
robin basis (from the highest priority to the lowest) according to its configured weight. That
means that every Forwarding Class has a guaranteed rate (CIR) while unallocated bandwidth
can be shared equally between other queues. You can also reference drop profiles in the
JUNOS scheduler configuration, which can be used to enable the TCP congestion avoidance
mechanism called WRED.

As packets leave the interface of the device, the rewrite rule is the last mechanism applied
during CoS processing. The rewrite rule can be used to set/ change different CoS field values
according to the packet’s forwarding class and PLP. By default, only an MPLS EXP rewrite-
rule is applied to MPLS-enabled interfaces while logical IP interfaces don’t have any.

JNCIE-SP workbook: Chapter 8: Class of Service

70

71 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Do’s and Dont’s

• Keep in mind that forwarding class and/or loss priority can be set at several places:
BA classifiers, ingress policer, MF classifier (and they are processed in this order).
This makes it possible to overwrite values in different stages.
• Don’t forget to add last a term to a firewall filter when using it for MF classification,
otherwise any unmatched traffic will be dropped (implicit discard rule).
• To provide end-to-end QoS, apply input MF classifiers on all input or CE-facing
interfaces on every PE.
• When configuring custom BA classifiers and/or rewrite-rules, which differ from the
JUNOS defaults, it’s common to use the default values as template with the keyword
“import” and then override only corresponding entries that need to be changed.
• Checking the result of your CoS configuration can be done by examining the interface
counters. These can be shown by issuing commands such as “show interfaces
extensive” or “show interfaces queue”. Another method can be the use of counters
in firewall filters. During your testing, consider the use of the “rapid” option for the
“ping” command when sending ICMP echoes.
• If you plan to invoke a policer several times in the configuration and want it to have a
“shared” limitation, use the appropriate keywords. The options are: physical-
interface-policer, logical-interface-policer and filter-specific. By using them in the
policer configuration, only one policer instance per specified entity will be created.
• When appropriate, use the “rate-limit” option or “transmit-rate” command while
configuring schedulers with strict-high priority. This prevents the highest priority
queue from starving other queues. This is because by default, there is no upper limit
on the bandwidth that can be used by this queue.
• When configuring CBF with L3VPN, keep in mind that you have to match against
records in the bgp.l3vpn.0 table. This is why it's important to use specific match
criteria like protocol bgp, family inet-vpn and/or community value with CBF
configurations.
• By default, traffic which is flowing across LSPs is not policed. Configure and apply a

JNCIE-SP workbook: Chapter 8: Class of Service

firewall filter with a policer attached to it or consider using the auto-policing feature
for this.

71

72 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Initial configuration: CoS-start

JNCIE-SP workbook: Chapter 8: Class of Service

72

73 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.1: Multi-field classification

• Configure R3 so that ICMP packets originated from R1 lo0 and ge-0/0/4.13 interface
IP addresses are assigned to the forwarding classes “gold” and “silver”.
• Configure R4 so that ICMP packets originated from R2 lo0 and the ge-0/0/4.24
interface IP addresses are assigned to the forwarding classes “gold” and “silver”.
• Use queue 1 and queue 2 to process traffic of these forwarding classes.

Task 8.2: BA classification
• Configure a custom MPLS EXP-based BA classifier using a default classifier as a
template.
• Assign forwarding classes “gold” and “silver” and also “low” and “high” PLP to
packets with EXP values of 101 and 010 respectively.
• Apply this BA on the appropriate router interfaces.

Task 8.3: Policing
• Configure a single-rate soft policer on R3 and invoke it twice in the firewall filter that
is already applied to interface ge-0/0/4.13.
• Use the lowest bandwidth-limit and burst size possible. Make sure that this is a total
limit for both gold and silver classes.
• Out-of-profile traffic should be mapped to the “best-effort” forwarding class.

Task 8.4: Scheduling

• Assign the following priorities to the schedulers: scheduler for best-effort traffic –
low, gold traffic – high, silver – medium-high, network-control – medium-low.
• Assign 20% of the interface bandwidth to the scheduler that processes “gold” traffic.

JNCIE-SP workbook: Chapter 8: Class of Service

Assign 10% to the “silver” and 10% to the “network-control” scheduler. Assign the
remaining bandwidth to best-effort traffic. Use the same values for the buffer-size
parameter.
• Configure the scheduler map and apply it to the appropriate interfaces.

73

74 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.5: WRED drop profiles

• Configure an interpolated aggressive drop profile. When the buffer is at 50%
utilization, the drop probability should be 75%. When the buffer utilization is 75%,
the drop probability should be 95%.
• Configure an interpolated non-aggressive drop profile. When the buffer is at 50%
utilization, the drop probability should be 30%. When the buffer utilization is 75%,
the drop probability should be 50%.
• Apply these profiles to the “silver” scheduler. Apply the drop profiles to any traffic
with high and low PLPs respectively.

Task 8.6: Rewrite rules

• Configure a custom EXP-based rewrite rule using the default one as a template.
• Assign EXP values 101 and 010 to packets from forwarding classes “gold” with low
PLP and “silver” with “high” PLP.
• Apply this rewrite rule on the appropriate router interfaces to support end-to-end
QoS for customer transit traffic.

Task 8.7: Class-based forwarding (CBF)

• Configure R3 so that “gold” traffic is forwarded across the RSVP LSP named “R3-R4”.
The “silver” traffic should be forwarded across the RSVP LSP named “R3-R5-R4”.
• This CBF should only be valid for traffic that is destined to IP address 2.2.2.2.

Task 8.8: LSP policing

• Configure a hard-limit policer on R3 with a bandwidth-limit of 50Kb/s and burst-size
of 15Kbytes. Apply it on ingress for the RSVP LSPs “R3-R4” and “R3-R5-R4”.

JNCIE-SP workbook: Chapter 8: Class of Service

74

75 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Full day lab challenge

AS 5678

VPLS-2 BGP
VPNA-S1 AS 1516 BGP
AS?
VPNC-S1 VPNA-H
BGP U1 U2
GE-0/0/4.532
GE

AS 3456
GE C2

GE-0/0/4.601

GE-0/0/4.602
-0/

-0/

GE

2
0/4
0/4

. 52
.46

-0/
0
.6

0 23

0/4
P1

0/4
/4.
03

0/0

-0/
GE

.45
-0/0 -
GE

E
/4.4

G
0 0
VPNB-1
GE-0/0/4.200 SRX1 GE-0/0/4.13 SRX3 GE-0/0/4.37 SRX7
GE
OSPF Area 0 -0/
GE 0 /5. IS-IS L1 GE-0/0/4.822
G -0/
E- 0/4 .57 78
0/ 0/4
.35 -0/

GE-0/0/4.67
0/
GE
GE-0/0/2
GE-0/0/1

4.
14 IS-IS L2 SRX8
RIP RIP SRX5
5 GE
23 4.4 -0/
4. /0/ 0/4 68 GE-0/0/4.220
0/ -0 .56 4.
-0/ GE / 0/
E -0
G GE

GE
C1
SRX2 GE-0/0/4.24 SRX4 GE-0/0/4.46 SRX6

-0/
GE-0/0/4.200

0/4
BGP

.53
GE
GE 69
GE-0/0/4.604

GE-0/0/4.320
GE-0/0/4.310
-0/
2

AS 65020
/4.

2
2

-0/ 0/4
.5

0 0/0 .54
E-
/3

/4.
E-
/0

2
0/

49
0

0/

G
E-

4.
G

RR
83

VPLS-1
3

VPNC-S2 VPNA-S2 VPNB-2 U3

BGP
AS 43.356

Physical topology diagram

JNCIE-SP workbook: Full day lab challenge

75

76 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

AS 5678

VPLS-2 BGP
VPNA-S1 AS 1516 BGP
AS?
VPNC-S1 VPNA-H IPv4
BGP .2 U1 U2
.1
19

AS 3456
VLAN 532

.2 .2
2.1

C2
IPv4

192.168.61.0/30

192.168.62.0/30
68

.1 17 .2
17

2.1
.63

IPv6 6.4
2.1

2
52
6 0
.0

.0/ 3
P1 .0/
6
/30

30

AN
.45

30
172 6.2
. 0/

VL
.1 .16 .1
.40 72
30

.0/3 .1 .1 .1 1
0 .2
.2 .1
.2
.1 172.30.0.0/29 .2 .25 172.30.0.24/30 .26 VPNB-1
SRX1 SRX3 SRX7
.1 .9 /30
.29 .46 17 2.0 .2
.9 .14 OSPF Area 0 2 .30 6 8.8
17 0 .1. IS-IS L1 2 .1
/3 .2 8 19
17 .21 2.3 .44 /30
2. 0.0 0.0
30 .28 .45 2.3
172.30.0.20/30

.30 .1
172.30.80.0/24

/30 17
172.30.1.0/30
.0 .10
. 8/
3 0 IS-IS L2 SRX8
RIP RIP SRX5 17
.6 2.1
30 17 .1 6. 2
2/ /30 2.3 20
.0
.1 .32 .34 .41 0 .0. 30 .0/
30 0 .0 40 . 4/ 30
. .22 2.3 /30 .1 .1
.13 72 17 30
1 .5 2.
.10 17 .2
.33 .42
.2 .17 .18 VL C1
SRX2 SRX4 SRX6
172.30.0.16/30 .37 172.30.0.36/30 .38 IPv4
AN

0 .53
53

.1 .49 17
2.3 5 2/3 .1 .1 BGP
2

.1 0.0 .0. VL
192.168.64.0/30

172.16.232.0/30
172.16.231.0/30

fd17:172:16:232::/64

AS 65020
fd17:172:16:231::/64

0 AN
.48 2.3
2
52

/30 17 54
19

2
N

2.
A
VL

16
8.

.50 RR .54
83
.0

VPLS-1
/3
0

.2 .2 .2
.2
IPv4
VPNC-S2 VPNA-S2 VPNB-2 IPv6 U3

lo0.0
172.30.30.6/32 BGP
::172.30.30.6/128
AS 43.356

JNCIE-SP workbook: Full day lab challenge

76

77 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

L3 address topology diagram

JNCIE-SP workbook: Full day lab challenge

77

78 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Lab introduction:

Load the initial configuration on all devices using the files provided with this INETZERO
workbook. You are allowed to perform configuration changes only on devices SRX1 to SRX8
and the RR. To verify the results of your work, you can use operational commands on the VR
device.

You can use username lab with password lab123 to access all the devices. Please, do not
change the password for users lab and root!

To load the initial configuration on all the devices, issue the ‘load override terminal’
command

[edit]
lab@srx1# load override terminal
[Type ^D at a new line to end input]

JNCIE-SP workbook: Full day lab challenge

78

79 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 1: System Features

Task 1.1: Services configuration
• Make sure that only SSH and Telnet service are enabled for remote management.
Configure only SSHv2 to be accepted and don’t allow the user root to login remotely.
• Make sure that console sessions will logout automatically when the console cable is
disconnected.
• Ensure that 10.10.10.1 is resolved by name S1.inetzero.com.

Task 1.2:Centralized authentication management
• Configure a static route for 10.10.10/24 with a next-hop value of 10.10.1.254. Make
sure that the static route is not redistributed to any routing protocol.
• Configure primary user authentication through a RADIUS server reachable at S1. Use
“workbook” as a shared secret.
• Authentication should only be performed against a local database when the Radius
server times out.

Task 1.3: Local user configuration
• Configure the user “ops” with password “ops123” and an idle timeout which is no
more than 5 minutes. Ensure that this user can access network tools like ping,
traceroute and SSH, but not Telnet. Make sure that the user can view the
configuration, including the secret part.
• Make sure that RADIUS authenticated users have all permissions without having
access to the shell and make sure current alarms are shown to these users on login.

Task 1.4: Active configuration archival
• Enable the transfer of the active configuration to FTP server 10.10.10.1 after each
successful commit.
• Use “ftp” and “ftp123” as username/password to access the FTP server. JNCIE-SP workbook: Full day lab challenge

79

80 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.5: Interface configuration

• Enable support for MPLS packets on all logical interface units of every device under
your administration except the RR. The management interface must be excluded. Do
not configure each unit explicitly.
• The connection between SRX3 and SRX4 needs more bandwidth. Configure an
Aggregated Ethernet interface bundle using the ge-0/0/1 and ge-0/0/2 physical
interfaces. Make sure that if one of the links is down, the Aggregated interface is
declared down. Adjust the configuration to reflect the change.

Task 1.6: RE Protection
• Create a firewall filter that only permits services and protocols that are used in this
lab. For IPv4, include – RADIUS, BFD, SSH, Telnet, BGP, OSPF, RIP, LDP, RSVP, ping and
traceroute. For IPv6, include – OSPFv3, BGP, ping and traceroute.
• Perform this task on all routers.
• Apply this firewall filter to the loopback interface in the input direction.
• All other traffic should be denied and logged.

Task 1.7: Advanced prefix matching
• Add a rule to the firewall filter from task 1.6 that permits telnet traffic only from the
odd subnets of the 3rd octet within the 192.168/16 address range.
• Use a single-line source address matching criteria to list these subnets.

Task 1.8: Advanced RE protection
• On all routers that use BGP, modify the firewall filter from task 1.6 so that all
configured BGP peers (including the one from the routing-instances) are
automatically put in the compiled firewall filter.

JNCIE-SP workbook: Full day lab challenge

80

81 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2: IGP


Task 2.1: Troubleshooting
• Make sure that all OSPF and IS-IS adjacencies are established according to the
diagram.
• All OSPF routers should be represented with their 172.30.30.x IP address in the
neighbor table. You are not allowed to use the ‘router-id’ command.
• Ensure that SRX3 never sends Type 2 LSAs.

Task 2.2: Multiple IP addresses on OSPF interface

• All IPv4 Loopback addresses should be reachable. Make sure that only the
172.30.30.3 IP address of SRX3’s loopback is put into the OSPF database as OSPF
internal.
• IP address 3.3.3.3 should be advertised as external.

Task 2.3: RIP

• Enable RIP on SRX1 and SRX2 according to the diagram. Perform mutual
redistribution between RIP and OSPF on SRX1 and SRX2.
• The RIP router should receive all routes from both SRX1 and SRX2. Make sure there
are no routing loops after redistribution and make sure that the network has full IP
reachability. You are not allowed to use route tags or change the routing preference
on SRX1 and SRX2.
• All RIP prefixes must be reachable from all OSPF routers and their metrics should be
cumulative.

Task 2.4: IS-IS authentication

• Configure MD5 authentication for all levels of IS-IS hello and LSP packets. To
accomplish this task, don’t configure authentication directly under ‘protocols isis
interface’. Use inetzero as the password. JNCIE-SP workbook: Full day lab challenge

81

82 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.5: IS-IS and OSPF Redistribution

• Advertise an IPv4 default route to the SRX8 router from SRX6 and SRX7. Redistribute
all IPv4 routes from the IS-IS area into OSPF.
• Ensure that traffic is not black holed when SRX6 or SRX7 lose their connection to the
OSPF area. Make sure there are no routing loops after redistribution and make sure
that the network has full IP reachability.

Task 2.6: IPv6 routing

• Enable IPv6 routing on all routers in the OSPF area. Use a separate OSPF instance to
accomplish this.
• Redistribute all IPv6 routes from IS-IS to OSPF. Advertise an IPv6 default route from
SRX6 and SRX7 to IS-IS. Make sure there are no routing loops after redistribution and
make sure that the network has full IPv6 reachability.
• Make sure that SRX7 is the preferred router to and from IS-IS area for the rest of the
network. Ensure that this is valid only for IPv6 routes and accomplish this without a
policy change.

Task 2.7 General requirements
• Configure equal cost load balancing only for OSPF routes.
• Full and optimal IP reachability should be accomplished in the network.

No static routes are allowed if not explicitly permitted by the particular task.

JNCIE-SP workbook: Full day lab challenge

82

83 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 3: MPLS

Task 3.1: MPLS and RSVP configuration
• Enable the MPLS and RSVP protocols on the routers that are part of the OSPF
domain.
• Ensure that a syslog message is generated when an LSP state is changed.
• Configure traffic-engineering information exchange for all OSPF links. Make sure that
traffic-engineering information is not exchanged between ISIS routers.
• Configure the interface between SRX2 and SRX3 to allow only half of the bandwidth
to be reserved for RSVP.
• Configure link coloring the way that it is shown in the topology below.

yellow (4) green (3)

SRX1 SRX3 SRX7

red
(1) (1)
red
gr

)
(1

(2)
ee

e
blue (2)
n

blu
re
(3
)

SRX5
)

(4) gre
gr
(2

ee

en
low
ue

l (3)
n

ye blu
bl

(3

e(
)

2)
SRX2 SRX4 SRX6
yellow (4) blue (2)

Task 3.2: LSPs between SRX2 and SRX7
• Configure an LSP from SRX2 to SRX7. This LSP should pass through SRX4 and SRX5.
• You are not allowed to use explicit path or coloring.
• Configure an LSP from SRX7 to SRX2 with a primary path that only crosses red links.
Configure a secondary path for this LSP that only crosses blue links. Both paths
should have a bandwidth reservation of 400m. The secondary path should be pre-
JNCIE-SP workbook: Full day lab challenge
signaled and ready for use.

Task 3.3: LSPs between SRX1 and SRX6

• Configure bi-directional LSPs from SRX1 to SRX6 that have two paths through the
network. The primary path should be limited to 3 hops. The secondary path should
not use CSPF and it should pass via SRX3 and SRX5.
• Make sure that if traffic is switched to secondary path, it is never automatically
switched back to the primary path.

83

84 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.4: LSP protection

• Make sure that the LSP from SRX7 to SRX2 is protected with fast reroute detours.
Those detours should reserve at least 25% of the LSP bandwidth.
• Configure node protection for the LSP from SRX2 to SRX7. Make sure that the bypass
LSPs are explicitly configured to bypass SRX4 and SRX5.

Task 3.5: LSPs between SRX6 to SRX3
• Configure two distinct LSPs from SRX6 to SRX3.
• One LSP named srx6-to-srx3-1 should egress to 172.30.30.3 where another LSP
named srx6-to-srx3-2 should egress to 3.3.3.3.

Task 3.6: LDP configuration
• Configure LDP for the links in the ISIS domain.
• Make sure that SRX8 can send and receive MPLS packets to and from SRX1 and SRX2
in a redundant way through SRX6 and SRX7.
• You can configure additional RSVP LSPs if needed.

Task 3.7: LSP forwarding based on CoS
• Make sure that on SRX7, traffic to RIP prefixes marked with expedited-forwarding
bits will use the LSP to SRX1.
• Traffic to RIP prefixes marked with best-effort bits should use the LSP to SRX2.
• You can configure additional RSVP LSPs if needed.

JNCIE-SP workbook: Full day lab challenge

84

85 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 4: BGP

Task 4.1: iBGP configuration
• Configure iBGP sessions between the RR device and the SRX routers. Use AS 5678
and, on the RR, create two clusters with no more than 4 clients.
• Failure of any physical interface should not cause for any iBGP session loss. Configure
BFD monitoring of all iBGP connections with 900ms between the keepalives. If 4
keepalives are lost, the neighbor should be declared down.
• Ensure that all iBGP sessions state changes are logged to syslog.
• Use SRX4 and SRX5 as the only routers where internal routes are advertised to BGP.
Advertise a single summarized route 172.30/16 for all internal routes. Advertise all
RIP routes without summarization.

Task 4.2: eBGP configuration

• Configure eBGP sessions with customers C1 and C2 according to the diagram. The
configuration used by C1 to peer with AS 8765 is wrong. Make sure that AS 8765 is
not shown in the AS path of the prefixes advertised by C1. The AS number of C2 is not
known. You have to receive 16 prefixes from C1 and C2. Make sure that if more than
20 prefixes are received from each neighbor, a syslog message is generated.
• Configure eBGP sessions with U1 and U2. Configure an eBGP session with U3 and
load balance across the two physical links. Make sure that you receive IPv6 routes
over single IPv4 session. You are allowed to use a single static route for each address
family. Make sure that you receive IPv6 prefixes from U3 and that they are active in
the RIB. Assume that SRX6 does not support 4-byte AS.
• Configure an eBGP session with P1. Use a single session for both IPv4 and IPv6. Make
sure that you receive IPv6 prefixes and they are active in the RIB.

Task 4.3: Customer BGP policy
• From C1 and C2, accept only prefixes that originated from within their ASes. Ensure
that the prefixes received from C1 and C2 can be distinguished from the prefixes JNCIE-SP workbook: Full day lab challenge
received from other eBGP neighbors.
• Make sure that both customers receive only a default IPv4 route that is advertised
through BGP. Communication between customers C1 and C2 should not be
restricted.
• There is an agreement with C1 that traffic for prefixes advertised with community
65020:666 should be black holed in AS 5678. Make sure that this is accomplished.

85

86 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.4: Upstream BGP policy

• Accept all prefixes from all Upstream neighbors except any IPv4 or IPv6 default
routes or any IPv4 RFC1918 routes.
• Make sure that hidden routes are not kept in memory on the SRX3, SRX6 and SRX7 to
preserve resources on those routers.
• Ensure that the prefixes received from U1, U2 and U3 can be distinguished from the
prefixes received from other eBGP neighbors.
• Advertise local and RIP prefixes to Upstream neighbors using the iBGP prefixes
advertised from SRX4 and SRX5. You are not allowed to create additional aggregate
routes.
• Configure SRX3 to be the preferred egress and ingress point to and from Upstream
prefixes. You are not allowed to use as-path prepend.
• Ensure that prefixes originated from U3 are directly accessible from SRX6. Make SRX6
less preferred compared to SRX3 and SRX7 for prefixes from and to Upstream. Again,
you are not allowed to use as-path prepend.
• Make sure that AS 5678 is not used as a transit AS between Upstream neighbors and
Customer neighbors.
• For routing information received from SRX3, ensure that SRX6 maps prefixes with a
length between /8 and /16 to LSP srx6-to-srx3-2. All other prefixes received from
SRX3 should be mapped to LSP srx6-to-srx3-1. You are not allowed to use or change a
forwarding-table policy to accomplish this.

Task 4.5: Partner BGP policy
• Except for any IPv4 or IPv6 default routes or RFC1918 routes, accept all prefixes from
the Partner neighbor.
• Ensure that the prefixes received from P1 can be distinguished from the prefixes
received from other eBGP neighbors.
• Advertise local and RIP prefixes to P1 neighbor using the iBGP prefixes advertised
from SRX4 and SRX5. You are not allowed to create additional aggregate routes.
JNCIE-SP workbook: Full day lab challenge
Task 4.6: IPv6 tunneling
• Provide IPv6 connectivity between P1 and U3 across LSPs. Create additional LSPs if
needed.
• Use SRX7 to advertise AS 5678 IPv6 prefixes for MPLS core. Make sure those prefixes
are advertised to P1 and U3.
• You are allowed to use one static route if needed.

Task 4.7: BGP general requirements
• Assume that all routers in the AS 5678 domain do not support 4byte AS.
• No hidden or unresolved routes should be present in AS 5678.
• No static routes are allowed if not explicitly permitted by particular task.
• Ensure optimal routing in the network. 86

87 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 5: VPN

Task 5.1: VPN Infrastructure
• To resolve the hidden iBGP routes on the RR, do not use rib-groups, static routes or
any solution that requires enabling family mpls on the RR interfaces.

Task 5.2: OSPF-based L3VPN

• Configure a hub-and-spoke VPN between SRX1, SRX2 and SRX7.
• The CE router behind SRX7 is a VPN hub and all communication between the spokes
should run through it via its two logical interfaces.
• Make sure that a traceroute between the spokes display all hops.
• Setup missing RSVP LSPs where appropriate.
• PE-CE protocol is OSPF. Make sure that the OSPF interface-type used is point-to-
point.
• Route-distinguisher and route-target values can be any of your choice. Make sure
that every prefix advertised by a spoke is easily recognized.

Task 5.3: BGP-based L3VPN
• Configure VPN-B between SRX2 and SRX8.
• Use eBGP as a PE-CE routing protocol, the CE devices are configured with AS64512.
• Route-distinguisher and route-target values can be any of your choice.
• Make sure that all Upstream, Partner and Customer routes are reachable in VPN-B
and the other way around. Designate SRX8 as a point where route leaking is done.
• Make sure that leaked routes are only available in the RIB of the VPN-B VRF. This will
allow th CE attached to SRX8 to have all routes received in BGP without putting an
additional load on the forwarding engine of the SRX.
• You can use single static route to provide routing in the forwarding engine. Advertise
that static to the CE attached behind SRX2. JNCIE-SP workbook: Full day lab challenge

Task 5.4: L2circuit VPN configuration
• Configure a Martini-based L2VPN VPN-C between SRX2 and SRX7.
• Create a new bi-directional CSFP LSP. Make sure it crosses routers SRX4 and SRX5.
• Ensure that VPN-C is using that particular LSP for transport through MPLS network.
• Vlan numbers must match logical interface numbers.

87

88 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.5: BGP VPLS configuration
• Configure site 1 of the VPLS behind SRX6 and SRX7. Make sure VLAN numbers match
the logical interface numbers.
• Make sure that SRX6 is a designated forwarder for this site and SRX7 is the backup PE
router in case there is a failure on SRX6.
• The logical interface connecting SRX6 to the CE was mistakenly placed in VLAN 542.
Make sure that traffic in the VPLS is transported with VLAN 532.
• Configure site 2 of the VPLS behind SRX1. Make sure Vlan numbers match the logical
interface numbers.
• Prepare the VPLS configuration to expand with 2 more sites without changing the
configuration for the existing sites.
• Setup RSVP LSPs where appropriate.

Task 5.6: VPLS transport
• To conserve bandwidth, make sure that for ingress replication over the VPLS, ingress
PEs are sending only one packet for each broadcast, unknown or multicast frame.
Replication should be done downstream to the egress.

JNCIE-SP workbook: Full day lab challenge

88

89 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix Chapter 1: System Features

Initial configuration: sys-start

JNCIE-SP workbook: Appendix Chapter 1: System Features

89

90 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.1: Primary hostname and user configuration

• Apply the new hostnames R1 and R2 to the srx1 and srx2 routers respectively.
• Create a custom login class “supervisor” and assign all permissions to it except for the
ability to start a BSD shell from CLI.
• Configure a local user “inetzero” with password “InetZero” as a member of this class.

Configuration:

R1:

set system host-name R1
set system login class supervisor permissions all
set system login class supervisor deny-commands “start shell”
set system login user inetzero class supervisor authentication
plain-text-password

R2:

set system host-name R2
set system login class supervisor permissions all
set system login class supervisor deny-commands “start shell”
set system login user inetzero class supervisor authentication
plain-text-password

Verification:

JNCIE-SP workbook: Appendix Chapter 1: System Features

R1 (ttyu0)

login: inetzero
Password:

--- JUNOS 11.4R5.5 built 2012-08-25 08:22:02 UTC

inetzero@R1>start shell
^
syntax error, expecting <command>.

inetzero@R1>configure
Entering configuration mode
[edit]
inetzero@R1#

90

91 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.2: Aggregated interface configuration

• Create an aggregated Ethernet interface and statically assign ge-0/0/1 and ge-0/0/2
on R1 and R2 to this bundle.
• Assign IP addresses on both ends according to diagram.

Configuration:

R1:

set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/2 gigether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.1.12.1/24

R2:

set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/2 gigether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.1.12.2/24

Verification:

lab@R1# run show interfaces ge-0/0/1 terse

Interface Admin Link Proto Local Remote
ge-0/0/1 up up

JNCIE-SP workbook: Appendix Chapter 1: System Features

ge-0/0/1.0 up up aenet -->ae0.0

lab@R1# run show interfaces ge-0/0/2 terse

Interface Admin Link Proto Local Remote
ge-0/0/2 up up
ge-0/0/2.0 up up aenet -->ae0.0

lab@R1# run show interfaces ae0 terse

Interface Admin Link Proto Local Remote
ae0 up up
ae0.0 up up inet 10.1.12.1/24

lab@R1# run ping 10.1.12.2 count 1

PING 10.1.12.2 (10.1.12.2): 56 data bytes
64 bytes from 10.1.12.2: icmp_seq=0 ttl=64 time=1.577 ms
--- 10.1.12.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.577/1.577/1.577/0.000 ms 91

92 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.3: Advanced aggregated interface configuration

• Enable LACP on both sides of bundle. Only R1 should initiate exchange of LACP PDUs.
• Tune the bundle so that the aggregated interface is operational only when both links
are in the “up” state.
• Adjust the configuration so that R2 sends LACP PDUs every 30 seconds.

Configuration:

R1:

set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options minimum-links 2
set interfaces ae0 aggregated-ether-options lacp periodic slow

R2:

set interfaces ae0 aggregated-ether-options lacp passive
set interfaces ae0 aggregated-ether-options minimum-links 2

JNCIE-SP workbook: Appendix Chapter 1: System Features

92

93 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R1# run show lacp interfaces

Aggregated interface: ae0
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
ge-0/0/1 Actor No No Yes Yes Yes Yes Slow Active
ge-0/0/1 Partner No No Yes Yes Yes Yes Fast Passive
ge-0/0/2 Actor No No Yes Yes Yes Yes Slow Active
ge-0/0/2 Partner No No Yes Yes Yes Yes Fast Passive
LACP protocol: Receive State Transmit State Mux State
ge-0/0/1 Current Fast periodic Collecting distributing
ge-0/0/2 Current Fast periodic Collecting distributing

lab@R2# run show lacp interfaces

Aggregated interface: ae0
LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity
ge-0/0/1 Actor No No Yes Yes Yes Yes Fast Passive
ge-0/0/1 Partner No No Yes Yes Yes Yes Slow Active
ge-0/0/2 Actor No No Yes Yes Yes Yes Fast Passive
ge-0/0/2 Partner No No Yes Yes Yes Yes Slow Active
LACP protocol: Receive State Transmit State Mux State
ge-0/0/1 Current Slow periodic Collecting distributing
ge-0/0/2 Current Slow periodic Collecting distributing

If we wanted to make the R1 router send lacp messages every 30 seconds, we would have to
configure the R2 router with ‘lacp periodic slow’ as well.

JNCIE-SP workbook: Appendix Chapter 1: System Features

93

94 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R1# run show interfaces ae0 media

Physical interface: ae0, Enabled, Physical link is Up

Interface index: 156, SNMP ifIndex: 558
Link-level type: Ethernet, MTU: 1514, Speed: 2Gbps, BPDU Error: None,
MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
Flow control: Disabled, Minimum links needed: 2, Minimum bandwidth needed: 0
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x0
Current address: 00:26:88:ef:76:00, Hardware address: 00:26:88:ef:76:00
Last flapped : 2013-11-15 16:52:31 UTC (00:03:01 ago)
Input rate : 0 bps (0 pps)
Output rate : 1976 bps (1 pps)

lab@R1# run ping 10.1.12.2 count 1

PING 10.1.12.2 (10.1.12.2): 56 data bytes
64 bytes from 10.1.12.2: icmp_seq=0 ttl=64 time=1.308 ms

--- 10.1.12.2 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.308/1.308/1.308/0.000 ms

JNCIE-SP workbook: Appendix Chapter 1: System Features

94

95 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.4: Network integration - NTP

• Configure an NTPv3 client on R1 and R2. Configure the routers to synchronize with
the server IP address 10.10.1.100.
• Modify the R1 and R2 configuration so that initial NTP sync with this server is
performed at boot time.
• All NTP messages should be authenticated using MD5 authentication. Use the
password “workbook”.

Configuration:

R1 and R2:

set system ntp server 10.10.1.100 key 1 version 3 prefer
set system ntp authentication-key 1 type md5 value workbook
set system ntp boot-server 10.10.1.100
set system ntp trusted-key 1

Verification:

lab@R1# run show ntp associations

remote refid st t when poll reach delay offset jitter

==============================================================================

JNCIE-SP workbook: Appendix Chapter 1: System Features

*10.10.1.100 46.19.35.158 3 - 2 64 1 1.225 0.052 1.619

lab@R2# run show ntp associations

remote refid st t when poll reach delay offset jitter

==============================================================================

*10.10.1.100 46.19.35.158 3 - 20 64 1 1.272 0.136 1.226

95

96 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.5: Network Integration - Configuration archival

• Make sure the active configuration is transferred to an FTP server with IP address
10.10.1.100 every 15 minutes.
• Specify “lab” as username and “lab123” as the password to access the FTP server.

Configuration:

R1 and R2:

set system archival configuration transfer-interval 15
set system archival configuration archive-sites
ftp://lab:[email protected]

JNCIE-SP workbook: Appendix Chapter 1: System Features

96

97 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.6: Network Integration - Syslog

• Log all messages from any facility and for all levels to host 10.10.1.100.
• Configure local logging and have all ‘error’ messages saved to a file called “error-
messages”. Set the maximum file size to 1Mb and increase the number of files to 20.
All users should be able to see the content of these log files. Also make sure that
priority information is included in the messages.
• Make sure messages with a critical severity are logged to all users currently logged in.
• Remove all other default syslog settings.

Configuration:

R1 and R2:

delete system syslog
set system syslog host 10.10.1.100 any any
set system syslog file error-messages any error
set system syslog file error-messages archive size 1M files 20
world-readable
set system syslog file error-messages explicit-priority
set system syslog user * any critical


Verification:

JNCIE-SP workbook: Appendix Chapter 1: System Features

lab@R1# show system syslog

user * {
any critical;
}
host 10.10.1.100 {
any any;
}
file error-messages {
any error;
archive size 1m files 20 world-readable;
explicit-priority;
}

lab@R1# run show log error-messages

Nov 15 17:08:16 R1 init: %AUTH-1: l2cpd-service is thrashing, not restarted

97

98 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.7: Static routing and jumbo frames support

• Establish IP connectivity between the R1 and R2 loopbacks by configuring static
routes.
• Make sure that R1 and R2 are able to exchange jumbo frames of up to 9192 bytes.

Configuration:

R1:

set routing-options static route 2.2.2.2 next-hop 10.1.12.2
set interfaces ae0 mtu 9192

R2:

set routing-options static route 1.1.1.1 next-hop 10.1.12.1
set interfaces ae0 mtu 9192


Verification:

lab@R1# run ping 2.2.2.2 source 1.1.1.1 count 1 size 9184

PING 2.2.2.2 (2.2.2.2): 9184 data bytes

JNCIE-SP workbook: Appendix Chapter 1: System Features

9192 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=3.465 ms

--- 2.2.2.2 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss

round-trip min/avg/max/stddev = 3.465/3.465/3.465/0.000 ms

98

99 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.8: SNMPv2 Configuration

• Enable an SNMP agent on R1 and limit access to host 10.10.1.100. Use the
community string “inetzero” and allow read/write NMS access.
• Configure R2 to send traps to 10.10.1.100 in case of environment, link transition
events and authentication failures.

Configuration:

R1:

set snmp community inetzero clients 10.10.1.100/32
set snmp community inetzero authorization read-write

R2:

set snmp trap-group tg version v2
set snmp trap-group tg categories chassis link authentication
set snmp trap-group tg targets 10.10.1.100

JNCIE-SP workbook: Appendix Chapter 1: System Features

99

100 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.9: Basic RE Protection

• Configure a firewall filter for R1 and apply it in the input direction of the loopback
interface.
• Make sure that previously configured services (NTP, FTP and SNMP) keep on working
as before.
• Restrict telnet access to packets originating from the 10.10.1.0/24 network.
• Accept only ICMP types required for the ping utility to function properly.
• Discard and count all other traffic.

Configuration:

R1:

set firewall family inet filter re-protect term 1 from protocol tcp
set firewall family inet filter re-protect term 1 from port [ftp
ftp-data]
set firewall family inet filter re-protect term 1 then accept

set firewall family inet filter re-protect term 2 from protocol udp
set firewall family inet filter re-protect term 2 from port [ntp
snmp]
set firewall family inet filter re-protect term 2 then accept

set firewall family inet filter re-protect term 3 from source-

address 10.10.1.0/24

JNCIE-SP workbook: Appendix Chapter 1: System Features

set firewall family inet filter re-protect term 3 from protocol tcp
set firewall family inet filter re-protect term 3 from port telnet
set firewall family inet filter re-protect term 3 then accept

set firewall family inet filter re-protect term 4 from protocol icmp
set firewall family inet filter re-protect term 4 from icmp-type
[echo-request echo-reply]
set firewall family inet filter re-protect term 4 then accept

set firewall family inet filter re-protect term 5 then count dropped
discard

set interfaces lo0 unit 0 family inet filter input re-protect

10
0





101 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

R2:

set firewall family inet filter re-protect term 1 from protocol tcp
set firewall family inet filter re-protect term 1 from port [ftp
ftp-data]
set firewall family inet filter re-protect term 1 then accept

set firewall family inet filter re-protect term 2 from protocol udp
set firewall family inet filter re-protect term 2 from port [ntp
snmptrap]
set firewall family inet filter re-protect term 2 then accept

set firewall family inet filter re-protect term 3 from source-

address 10.10.1.0/24
set firewall family inet filter re-protect term 3 from protocol tcp
set firewall family inet filter re-protect term 3 from port telnet
set firewall family inet filter re-protect term 3 then accept

set firewall family inet filter re-protect term 4 from protocol icmp
set firewall family inet filter re-protect term 4 from icmp-type
[echo-request echo-reply]
set firewall family inet filter re-protect term 4 then accept

set firewall family inet filter re-protect term 5 then count dropped
discard

set interfaces lo0 unit 0 family inet filter input re-protect

JNCIE-SP workbook: Appendix Chapter 1: System Features

Verification:
lab@R1# run show ntp associations

remote refid st t when poll reach delay offset jitter

==============================================================================

*10.10.1.100 46.19.35.158 3 - 19 64 177 1.267 0.147 1.189

lab@R1# run ftp 10.10.1.100

Connected to 10.10.1.100.
220 (vsFTPd 2.0.5)
Name (10.10.1.100:lab):

lab@R1# run ping 2.2.2.2 source 1.1.1.1 count 1

PING 2.2.2.2 (2.2.2.2): 56 data bytes
10
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.413 ms
1





102 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

--- 2.2.2.2 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.413/1.413/1.413/0.000 ms

lab@R1# run show firewall

Filter: __default_bpdu_filter__

Filter: re-protect
Counters:
Name Bytes Packets
dropped 6739 78

JNCIE-SP workbook: Appendix Chapter 1: System Features

10
2





103 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.10: Advanced RE Protection

• Configure a BFD protected iBGP session between the loopback IP addresses of both
R1 and R2. Use AS65000.
• Enable OSPF for the AE interface on both routers.
• Alter the firewall filter in such a way that BGP, BFD and OSPF can function.
• Permit OSPF in the firewall filter for locally configured subnets. Make sure that all the
addresses configured on the router are automatically added to the list.
• Make sure that all configured BGP peers are automatically added to the firewall filter.
• Change the end-term to not only discard and count, but to log and syslog as well.

Configuration:

R1:

set protocols bgp group ibgp type internal
set protocols bgp group ibgp bfd-liveness-detection minimum-interval
100
set protocols bgp group ibgp neighbor 2.2.2.2 local-address 1.1.1.1
set routing-options autonomous-system 65000

set protocols ospf area 0.0.0.0 interface ae0.0

set policy-options prefix-list bgp apply-path "protocols bgp group

JNCIE-SP workbook: Appendix Chapter 1: System Features

<*> neighbor <*>"
set policy-options prefix-list self apply-path "interfaces <*> unit
<*> family inet address <*>"

rename firewall family inet filter re-protect term 5 to term end

set firewall family inet filter re-protect term 5 from source-

prefix-list self
set firewall family inet filter re-protect term 5 from source-
prefix-list bgp
set firewall family inet filter re-protect term 5 from destination-
prefix-list bgp
set firewall family inet filter re-protect term 5 from destination-
prefix-list self
set firewall family inet filter re-protect term 5 from protocol tcp
set firewall family inet filter re-protect term 5 from port bgp
set firewall family inet filter re-protect term 5 then accept
insert firewall family inet filter re-protect term 5 before term end

set firewall family inet filter re-protect term 6 from source- 10

3
prefix-list bgp





104 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set firewall family inet filter re-protect term 6 from protocol udp
set firewall family inet filter re-protect term 6 from destination-
port 4784
set firewall family inet filter re-protect term 6 then accept
insert firewall family inet filter re-protect term 6 before term end

set policy-options prefix-list ospf 224.0.0.5/32

set policy-options prefix-list ospf 224.0.0.6/32

set firewall family inet filter re-protect term 7 from source-

prefix-list self
set firewall family inet filter re-protect term 7 from destination-
prefix-list ospf
set firewall family inet filter re-protect term 7 from protocol ospf
set firewall family inet filter re-protect term 7 then accept
insert firewall family inet filter re-protect term 7 before term end

set firewall family inet filter re-protect term end then log
set firewall family inet filter re-protect term end then syslog

R2:

set protocols bgp group ibgp type internal
set protocols bgp group ibgp bfd-liveness-detection minimum-interval
100
set protocols bgp group ibgp neighbor 1.1.1.1 local-address 2.2.2.2
set routing-options autonomous-system 65000

JNCIE-SP workbook: Appendix Chapter 1: System Features

set protocols ospf area 0.0.0.0 interface ae0.0

set policy-options prefix-list bgp apply-path "protocols bgp group

<*> neighbor <*>"
set policy-options prefix-list self apply-path "interfaces <*> unit
<*> family inet address <*>"

rename firewall family inet filter re-protect term 5 to term end

set firewall family inet filter re-protect term 5 from source-

prefix-list self
set firewall family inet filter re-protect term 5 from source-
prefix-list bgp
set firewall family inet filter re-protect term 5 from destination-
prefix-list bgp
set firewall family inet filter re-protect term 5 from destination-
prefix-list self
set firewall family inet filter re-protect term 5 from protocol tcp
set firewall family inet filter re-protect term 5 from port bgp
set firewall family inet filter re-protect term 5 then accept 10
4
insert firewall family inet filter re-protect term 5 before term end




105 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set firewall family inet filter re-protect term 6 from source-

prefix-list bgp
set firewall family inet filter re-protect term 6 from protocol udp
set firewall family inet filter re-protect term 6 from destination-
port 4784
set firewall family inet filter re-protect term 6 then accept
insert firewall family inet filter re-protect term 6 before term end

set policy-options prefix-list ospf 224.0.0.5/32

set policy-options prefix-list ospf 224.0.0.6/32

set firewall family inet filter re-protect term 7 from source-

prefix-list self
set firewall family inet filter re-protect term 7 from destination-
prefix-list ospf
set firewall family inet filter re-protect term 7 from protocol ospf
set firewall family inet filter re-protect term 7 then accept
insert firewall family inet filter re-protect term 7 before term end

set firewall family inet filter re-protect term end then log
set firewall family inet filter re-protect term end then syslog

JNCIE-SP workbook: Appendix Chapter 1: System Features

10
5





106 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:
lab@R1> show configuration policy-options prefix-list self | display inheritance
##
## apply-path was expanded to:
## 10.10.1.0/24;
## 10.1.12.0/24;
## 1.1.1.1/32;
##
apply-path "interfaces <*> unit <*> family inet address <*>";

lab@R1> show configuration policy-options prefix-list bgp | display inheritance

##
## apply-path was expanded to:
## 2.2.2.2/32;
##
apply-path "protocols bgp group <*> neighbor <*>";

lab@R1> show ospf neighbor

Address Interface State ID Pri Dead
10.1.12.2 ae0.0 Full 2.2.2.2 128 37

lab@R1> show bgp summary

Groups: 1 Peers: 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
2.2.2.2 65000 27 29 0 0 11:47 0/0/0/0
0/0/0/0

lab@R1> show bfd session

JNCIE-SP workbook: Appendix Chapter 1: System Features

Detect Transmit
Address State Interface Time Interval Multiplier
2.2.2.2 Up 0.300 0.100 3

1 sessions, 1 clients
Cumulative transmit rate 10.0 pps, cumulative receive rate 10.0 pps

10
6





107 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix: Chapter 2 - IGP

Part 1: IS-IS Troubleshooting

Initial configs: IS-IS-TShoot

Objective:Troubleshoot IS-IS adjacencies in the rack. They should be established across
logical connections between routers according to the diagram.All neighbors should have no
more than one adjacency across each logical interface.

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

10
7





108 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Configuration:

R1:

set protocols isis interface ge-0/0/4.15 level 2hello-authentication-key

R1R5CLR

R2:

delete protocols isis interface ge-0/0/4.324

set protocols isis interface ge-0/0/4.234 level 1 disable

R3:

set interfaces ge-0/0/4 unit 36 family iso

delete interfaces lo0 unit 0 family iso address 49.0002.1111.1111.1111.00
set interfaces lo0 unit 0 family iso address 49.0002.3333.3333.3333.00

R4:

set protocols isis interface ge-0/0/4.46 point-to-point

rename interfaces ae0 unit 0 family inet address 10.1.43.4/24 to address
10.1.34.4/24

R5:

set interfaces lo0 unit 0 family iso address 49.0002.5555.5555.5555.00

R6:

delete interfaces ge-0/0/4 unit 68 family iso mtu

R7:

set interfaces ge-0/0/4 unit 67 family iso

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

R8:

delete interfaces lo0 unit 0 family iso address 49.0001.8888.8888.8888.00

set interfaces lo0 unit 0 family iso address 49.0003.8888.8888.8888.00

10
8





109 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Breakdown:

There are many possible reasons for IS-IS neighbor adjacency formation to fail. Here is the
full list of all of them together with the way to discover them during the real lab exam:

Reason 1:
Absence of IS-IS PDUs processing on the interface .

The logical interface which is pointing to IS-IS neighbor should be explicitly allowed to
receive/transmit IS-IS packets. Technically, it should have “family iso” configured within its
definition.

user@host# set interfaces type-fpc/pic/port unit number family iso

How to discover:

Run the “show isis interface” command and compare the list of logical interfaces enabled
for IS-IS processing in its output with the list of the logical interfaces from the network
diagram. Correct the logical interface configuration with the command mentioned earlier.

Reason 2:
IS-IS interface type mismatch.

There are 3 types of IS-IS hello PDUs:

• Point-to-point
• Level 1 broadcast
• Level 2 broadcast

By default, when enabling IS-IS on multi-access interfaces (such as Ethernet) routers will use
the broadcast IS-IS interface type and generate the appropriate L1 or L2 broadcast hello

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

packets. You can change this default behavior and configure the Ethernet interfaces to be
point-to-point. This can be a good idea, especially in case there are only 2 routers on the
Ethernet segment that need to establish IS-IS adjacency.

The rule is that for IS-IS adjacency to be established successfully, both ends should have the
same IS-IS interface type (broadcast or point-to-point)

How to discover:

Run “show isis interface” command on both ends and check whether the interfaces on both
ends do have the same type. Correct logical interface configuration where applicable.

10
9





110 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Example:

root@R1> show isis interface

IS-IS interface database:
Interface L CirID Level 1 DR Level 2 DR L1/L2 Metric
ge0/0/1.0 1 0x1 Point to Point Disabled 10/10
lo0.0 0 0x1 Passive Passive 0/0

root@R2> show isis interface

IS-IS interface database:
InterfaceL CirID Level 1 DR Level 2 DR L1/L2 Metric
ge0/0/1.0 1 0x1 R2.02 Disabled 10/10
lo0.0 0 0x1 Passive Passive 0/0

To change between types:

root@R1# delete protocols isis interface ge-0/0/1.0 point-to-point

OR

root@R2# set protocols isis interface ge0/0/1.0 point-to-point

Reason 3:
Interface MTU issue.

Each IS-IS interface in the system must support an MTU of at least 1492 bytes. There is a
mechanism called “IS-IS hello padding”. When generating hello packet IS-IS router pads it to
this value. If there is no support for this MTU value on the remote side, the adjacency is not
formed.

How to discover:

Run the “show interfaces x.y | match iso” command to verify the value of MTU supported by JNCIE-SP workbook: Appendix: Chapter 2 - IGP
ISO address family. For MTUs lower than 1492 bytes, make the proper configuration
adjustments using the command:

set interfaces x.y family iso mtu 1492

OR

change it back to default value (which is calculated automatically) by removing mtu stanza
from interface configuration within ISO address family

delete interfaces x.y family iso mtu

Reason 4:
Adjacent routers are configured with different values of area IDs 11
0
(Level-1 routers only)




111 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

In IS-IS, level-1 routers determine that the neighbor is in the same L1 area by comparing
values called “area ID”. L1 adjacencies can establish only between routers that have the
same area ID configured. L2 adjacencies form independently of the area ID value.

Each router in IS-IS should have at least one special address in the configuration called the
NET address. Usually, the NET address is assigned to the loopback interface. The address
consists of several parts: Authority and Format Identifier (AFI), a domain ID(optional), an
area ID, a system identifier and a selector. For example, the NET
address 49.0001.1921.6800.1001.00 can be divided into the following parts:

§ 49—AFI
§ 0001—Area ID
§ 1921.6800.1001—System Identifier (System ID)
§ 00—Selector

Example:
R1 has the 49.0001.1921.6800.1001.00 NET address configured
R2 has the 49.0002.1921.6800.1002.00 NET address configured

Result:

A Level-1 adjacency will NOT be established, Level-2 will be.

How to discover:

• Enable IS-IS traceoptions and set the error flag:

set protocols isis traceoptions flag error detail
set protocols isis traceoptions file isis
• Turn on the monitoring of the file content in real-time:
monitor start isis

When there is an area ID mismatch, you will see something similar to the following output: JNCIE-SP workbook: Appendix: Chapter 2 - IGP

ERROR: IIH from R1 with no matching areas, interface x.y

local area 49.0002
remote area 49.0001 (3 bytes)

where x.y is the logical interface behind which another IS-IS router is found.

Reason 5:
Duplicate System IDs in the NET addresses.

According to the protocol rules, the System Identifier (System ID) MUST BE UNIQUE in the IS-
IS network. Commonly, the NET address (which contains Sys ID) is assigned to the most 11
1
stable system interface: logical loopback interface.




112 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Example:

R1 has the 49.0001.1921.6800.1001.00 NET address configured

R2 has the 49.0002.1921.6800.1001.00 NET address configured

Result:

No IS-IS adjacency is established (even on Level-2)

How to discover:

• Enable IS-IS traceoptions and set the error flag:

set protocols isis traceoptions flag error detail

set protocols isis traceoptions file isis

• Turn on the monitoring of the file content in real-time:

monitor start isis

In case of a duplicate System ID, you will see something similar to the following output:

ERROR: ISIS ignored a bad packet: IIH with duplicate sysid on interface x.y

where x.y is the logical interface behind which another IS-IS router is found.

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

11
2





113 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Reason 6:
Absence of NET address in the configuration of IS.

Every router in an IS-IS network must have at least one NET address configured. Routers that
participate in multiple areas can have multiple NET addresses.

Example:

R1 has the 49.0001.1921.6800.1001.00 NET address configured

R2 does not have any NET address configured

How to discover:

• Enable IS-IS traceoptions with the error flag set:

set protocols isis traceoptions flag error detail
set protocols isis traceoptions file isis

• Turn on the monitoring of file content in real-time:

monitor start isis

When the local router does not have any NET address configured, you will see something
similar to the following output:

ERROR: received IIH but have no local sysid

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

11
3





114 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Reason 7:
IP addresses from different subnets on both ends of connection

During adjacency formation between IPv4/v6-enabled neighbors, IS-IS checks that IP

addresses on both ends of the link are from the same subnet. When they are not, the
adjacency is not established.

Example:

R1 has the 10.1.0.1/30 IPv4-address configured on the interface pointing to R2.

R2 has the 10.1.0.6/30 IPv4-address configured on the interface pointing to R1.

How to discover:

• Enable IS-IS traceoptions with the error flag set:

set protocols isis traceoptions flag error detail
set protocols isis traceoptions file isis

• Turn on the monitoring of file content in real-time:

monitor start isis

In case of an IP-addresses mismatch, you will see something similar to the following output:

ERROR: IIH from R1 without matching addresses, interface x.y

where x.y is the logical interface behind which another IS-IS router is found.

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

11
4





115 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Reason 8:
Hello packets authentication parameters mismatch

IS-IS hello packets can be authenticated by their originators. There are 3 possible options:

• No authentication
• Clear text authentication
• MD5-based authentication

For the adjacency to be established, both routers should have the same authentication
type/password configured.

Example:

R1 has IS-IS hello authentication configured on the interface pointing to R2.
R2 does not have IS-IS hello authentication configured on the interface pointing to R1.

OR

R1 and R2 have a different IS-IS hello authentication type and/or password configured on
the interface pointing towards each other.

Result:

In both cases IS-IS adjacency will not be established.

How to discover:

• Enable IS-IS traceoptions with the error flag set:

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

set protocols isis traceoptions flag error detail
set protocols isis traceoptions file isis

• Turn on the monitoring of file content in real-time:

monitor start isis

When one-side has authentication enabled (local side only), you will see something similar
to the following output:

ERROR: IIH from R2 on x.y without authentication

That means that appropriate hello authentication parameters should be enabled on the
remote neighbor configuration.
11
5





116 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

In case of authentication type mismatch and/or different passwords on both ends, you will
see something similar to the following output:

ERROR: IIH authentication failure

ERROR: IIH from R2 on x.y failed authentication

where x.y is the logical interface behind which another IS-IS router is found.

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

11
6





117 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Reason 9:
Wrong logical interface put into the IS-IS configuration

Example:

R1 has the ge-0/0/1.0 interface pointing to R2 which is configured for ISO processing (family
iso enabled for it) but a different logical interface is reference in the IS-IS configuration
stanza.

set interface ge-0/0/1.10

How to discover:

• Enable IS-IS traceoptions with the error flag set:

set protocols isis traceoptions flag error detail
set protocols isis traceoptions file isis

• Turn on the monitoring of file content in real-time:

monitor start isis

In that case you will see the similar output:

ISIS packet ignored: no matching interface

Conclusion:

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

When troubleshooting IS-IS adjacencies, quickly exclude reasons 1-3 by analyzing output of
the “show isis interface” command and by checking the MTU value for the ISO address
family (should be no less than 1492 bytes on both ends).

All other possible reason can be identified by enabling traceoptions for IS-IS. Set the “error”
flag and analyze the content of the created trace file in real-time (using “monitor start
filename”) or offline (with the “show log filename” command).

11
7





118 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2: Single-area OSPFv2

Initial configs: IPv4-basic

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

11
8





119 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.1 Single-area OSPFv2 baseline

• Configure OSPFv2 area 0 on the interface of every router according to the diagram.

Configuration:

R1:

set protocols ospf area 0.0.0.0 interface ge-0/0/4.13

set protocols ospf area 0.0.0.0 interface lo0.0

R2:

set protocols ospf area 0.0.0.0 interface ge-0/0/4.24

set protocols ospf area 0.0.0.0 interface lo0.0

R3:

set protocols ospf area 0.0.0.0 interface ge-0/0/1.0

set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface ge-0/0/4.13
set protocols ospf area 0.0.0.0 interface lo0.0

R4:

set protocols ospf area 0.0.0.0 interface ge-0/0/1.0

set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface ge-0/0/4.24
set protocols ospf area 0.0.0.0 interface lo0.0

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

11
9





120 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

Routers R3 and R4 should have 3 OSPF neighbors according to the diagram:

root@R3> show ospf neighbor

Address Interface State ID Pri Dead
10.1.34.4 ge-0/0/1.0 Full 4.4.4.4 128 33
10.1.43.4 ge-0/0/2.0 Full 4.4.4.4 128 39
10.1.13.1 ge-0/0/4.13 Full 1.1.1.1 128 35

root@R4> show ospf neighbor

Address Interface State ID Pri Dead
10.1.34.3 ge-0/0/1.0 Full 3.3.3.3 128 38
10.1.43.3 ge-0/0/2.0 Full 3.3.3.3 128 37
10.1.24.2 ge-0/0/4.24 Full 2.2.2.2 128 35

To verify that we have routes to all other loopback addresses and subnets between the
routers, we can issue the following command:

root@R1> show route protocol ospf

inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
2.2.2.2/32 *[OSPF/10] 02:39:19, metric 3
> to 10.1.13.3 via ge-0/0/4.13
3.3.3.3/32 *[OSPF/10] 02:39:14, metric 1
> to 10.1.13.3 via ge-0/0/4.13
4.4.4.4/32 *[OSPF/10] 02:39:10, metric 2
> to 10.1.13.3 via ge-0/0/4.13
10.1.24.0/24 *[OSPF/10] 03:15:00, metric 3
> to 10.1.13.3 via ge-0/0/4.13
10.1.34.0/24 *[OSPF/10] 03:18:05, metric 2
> to 10.1.13.3 via ge-0/0/4.13
10.1.43.0/24 *[OSPF/10] 03:18:05, metric 2
> to 10.1.13.3 via ge-0/0/4.13

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

224.0.0.5/32 *[OSPF/10] 03:21:16, metric 1
MultiRecv

To verify connectivity between the far ends of the topology:

root@R1> traceroute 2.2.2.2 source 1.1.1.1

traceroute to 2.2.2.2 (2.2.2.2) from 1.1.1.1, 30 hops max, 40 byte packets

1 10.1.13.3 (10.1.13.3) 8.024 ms 7.431 ms 6.912 ms

2 10.1.43.4 (10.1.43.4) 7.606 ms 8.296 ms 7.918 ms
3 2.2.2.2 (2.2.2.2) 8.259 ms 2.562 ms 2.314 ms

root@R2> traceroute 1.1.1.1 source 2.2.2.2

traceroute to 1.1.1.1 (1.1.1.1) from 2.2.2.2, 30 hops max, 40 byte packets
1 10.1.24.4 (10.1.24.4) 8.055 ms 7.305 ms 8.158 ms
2 10.1.34.3 (10.1.34.3) 8.231 ms 8.587 ms 7.237 ms
3 1.1.1.1 (1.1.1.1) 9.157 ms 2.363 ms 2.340 ms 12
0





121 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.2 OSPFv2 Network Types

• Reconfigure R3 and R4 so that there will be no DR/BDR election on the links between
R3 and R4.

Configuration:

R3 and R4:

set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 interface-type p2p

set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 interface-type p2p

Verification:

Make sure you still have 2 OSPF adjacencies between R3 and R4 after altering the
configuration:

root@R3> show ospf neighbor

Address Interface State ID Pri Dead
10.1.34.4 ge-0/0/1.0 Full 4.4.4.4 128 30
10.1.43.4 ge-0/0/2.0 Full 4.4.4.4 128 39
10.1.13.1 ge-0/0/4.13 Full 1.1.1.1 128 37

Now check the OSPF interface type:

root@R3> show ospf interface

Interface State Area DR ID BDR ID Nbrs
ge-0/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ge-0/0/2.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ge-0/0/4.13 BDR 0.0.0.0 1.1.1.1 3.3.3.3 1
lo0.0 DR 0.0.0.0 3.3.3.3 0.0.0.0 0

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

12
1





122 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.3 OSPFv2: DR/BDR election

• Reconfigure the R1-R3 and the R2-R4 OSPF adjacencies so that R3 and R4 will always
be the DRs on their respective segments.
• You are allowed to configure the R1 and R2 routers only.

Configuration:

R1 and R2:

set protocols ospf area 0 interface ge-0/0/4.24 priority 0

Verification:
lab@R1# run show ospf neighbor extensive

Address Interface State ID Pri Dead

10.1.13.3 ge-0/0/4.13 Full 3.3.3.3 128 34
Area 0.0.0.0, opt 0x52, DR 10.1.13.3, BDR 0.0.0.0
Up 00:01:06, adjacent 00:01:06
Topology default (ID 0) -> Bidirectional

lab@R2# run show ospf neighbor extensive

Address Interface State ID Pri Dead
10.1.24.4 ge-0/0/4.24 Full 4.4.4.4 128 36
Area 0.0.0.0, opt 0x52, DR 10.1.24.4, BDR 0.0.0.0
Up 00:01:03, adjacent 00:01:03
Topology default (ID 0) -> Bidirectional

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

12
2





123 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.4 OSPFv2: Authentication

• Configure clear text authentication between R1 and R3 using password "R1R3CLR"
• Configure MD5 authentication between R2 and R4 using password "R2R4MD5"

Configuration:

R1 and R3:

set protocols ospf area 0.0.0.0 interface ge-0/0/4.13 authentication

simple-password R1R3CLR

R2 and R4:

set protocols ospf area 0.0.0.0 interface ge-0/0/4.24 authentication md5 1

key R2R4MD5

Verification:

R1:

lab@R1# run show ospf neighbor

Address Interface State ID Pri Dead
10.1.13.3 ge-0/0/4.13 Full 3.3.3.3 128 32

lab@R1# run show ospf interface ge-0/0/4.13 extensive | match Auth

Auth type: Password

lab@R2# run show ospf neighbor

Address Interface State ID Pri Dead
10.1.24.4 ge-0/0/4.24 Full 4.4.4.4 128 38

lab@R2# run show ospf interface ge-0/0/4.24 extensive | match Auth

Auth type: MD5, Active key ID: 1, Start time: 1970 Jan 1 00:00:00 UTC

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

12
3





124 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.5 OSPFv2: Timers

• Adjust OSPF hello and dead timers on R1-R3 and R2-R4 links to the values 1 and 4
seconds respectively.
• Modify the amount of time during which the local device waits for acknowledgement
from a neighboring device before retransmitting a previously sent LSA. Do this on all
routers.

Configuration:

R1 and R3:

set protocols ospf area 0.0.0.0 interface ge-0/0/4.13 hello-interval 1

set protocols ospf area 0.0.0.0 interface ge-0/0/4.13 dead-interval 4
set protocols ospf area 0.0.0.0 interface ge-0/0/4.13 retransmit-interval
10

R2 and R4:

set protocols ospf area 0.0.0.0 interface ge-0/0/4.24 hello-interval 1

set protocols ospf area 0.0.0.0 interface ge-0/0/4.24 dead-interval 4
set protocols ospf area 0.0.0.0 interface ge-0/0/4.24 retransmit-interval
10

Verification:
lab@R1# run show ospf interface ge-0/0/4.13 extensive | match Hello

Hello: 1, Dead: 4, ReXmit: 10, Not Stub

lab@R2# run show ospf interface ge-0/0/4.24 extensive | match Hello

Hello: 1, Dead: 4, ReXmit: 10, Not Stub

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

lab@R3# run show ospf interface ge-0/0/4.13 extensive | match Hello

Hello: 1, Dead: 4, ReXmit: 10, Not Stub

lab@R4# run show ospf interface ge-0/0/4.24 extensive | match Hello

Hello: 1, Dead: 4, ReXmit: 10, Not Stub

12
4





125 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.6 OSPFv2: BFD

• Enable the BFD protocol on the upper R3-R4 link connecting the G0/0/1 interfaces.
Specify a minimum transmit and receive interval of 400 ms.
• Make sure that the detection time is 2 seconds.
• Make sure that BFD is enabled only for those OSPF neighbors which are in the "Full"
state.

Configuration:

R3 and R4:

set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 bfd-liveness-detection

minimum-interval 400
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 bfd-liveness-detection
multiplier 5
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 bfd-liveness-detection
full-neighbors-only

Verification:

lab@R3# run show bfd session

Detect Transmit
Address State Interface Time Interval Multiplier
10.1.34.4 Up ge-0/0/1.0 2.000 0.400 5

1 sessions, 1 clients
Cumulative transmit rate 2.5 pps, cumulative receive rate 2.5 pps

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

12
5





126 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.7 OSPFv2: Passive interfaces

• Assign the addresses 11.11.11.11/24 and 22.22.22.22/24 on the G0/0/1 interfaces of
R1 and R2 respectively.
• Advertise these interface addresses to OSPF without actually running OSPF on them.
Do not use a policy to perform this task.

Configuration:

R1:

set interfaces ge-0/0/1 unit 0 family inet address 11.11.11.11/24

set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive

R2:

set interfaces ge-0/0/1 unit 0 family inet address 22.22.22.22/24

set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive

Verification:

lab@R1# run show ospf interface ge-0/0/1.0 extensive | match Passive

Adj count: 0, Passive
Topology default (ID 0) -> Passive, Cost: 1

lab@R2# run show ospf interface ge-0/0/1.0 extensive | match Passive

Adj count: 0, Passive
Topology default (ID 0) -> Passive, Cost: 1

lab@R1# run show route protocol ospf exact 22.22.22.0/24

inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

22.22.22.0/24 *[OSPF/10] 00:00:38, metric 4 JNCIE-SP workbook: Appendix: Chapter 2 - IGP

> to 10.1.13.3 via ge-0/0/4.13

lab@R2# run show route protocol ospf exact 11.11.11.0/24

inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

11.11.11.0/24 *[OSPF/10] 00:03:46, metric 4

> to 10.1.24.4 via ge-0/0/4.24

12
6





127 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.8 OSPFv2: Load-balancing

• Make sure that both equal cost OSPF paths between R3 and R4 are installed into
their respective forwarding tables.

Configuration:

R3 and R4:

set policy-options policy-statement lb then load-balance per-packet

set routing-options forwarding-table export lb

Verification:
Before commit:

lab@R3# run show route protocol ospf exact 2.2.2.2

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
2.2.2.2/32 *[OSPF/10] 01:41:52, metric 2
to 10.1.34.4 via ge-0/0/1.0
>to 10.1.43.4 via ge-0/0/2.0

lab@R3# run show route forwarding-table destination 2.2.2.2

Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
2.2.2.2/32 user 0 10.1.43.4 ucst 567 5 ge-0/0/2.0

After commiting the configuration:

lab@R3# run show route forwarding-table destination 2.2.2.2

Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

2.2.2.2/32 user 0 ulst 262142 5
10.1.34.4 ucst 568 2 ge-0/0/1.0
10.1.43.4 ucst 567 2 ge-0/0/2.0

12
7





128 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.9 OSPFv2: Cost tuning

• By changing OSPF costs make sure that traffic between R1 and R2 in both directions
prefers the link connecting R3 and R4 G0/0/1 interfaces.

Configuration:

R3 and R4:

set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 metric 100

Verification:
Before applying the configuration:

lab@R1# run traceroute 2.2.2.2

traceroute to 2.2.2.2 (2.2.2.2), 30 hops max, 40 byte packets
1 10.1.13.3 (10.1.13.3) 7.940 ms 11.644 ms 32.993 ms
2 10.1.43.4 (10.1.43.4) 7.725 ms 8.057 ms 7.712 ms
3 2.2.2.2 (2.2.2.2) 8.216 ms 7.954 ms 7.792 ms

lab@R3# run show route protocol ospf exact 2.2.2.2

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

2.2.2.2/32 *[OSPF/10] 00:00:07, metric 2

>to 10.1.34.4 via ge-0/0/1.0
to 10.1.43.4 via ge-0/0/2.0

After commit:

lab@R1# run traceroute 2.2.2.2

traceroute to 2.2.2.2 (2.2.2.2), 30 hops max, 40 byte packets
1 10.1.13.3 (10.1.13.3) 7.792 ms 5.497 ms 10.570 ms

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

2 10.1.34.4 (10.1.34.4) 8.122 ms 8.575 ms 7.368 ms
3 2.2.2.2 (2.2.2.2) 7.972 ms 9.121 ms 2.322 ms

lab@R3# run show route protocol ospf exact 2.2.2.2

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

2.2.2.2/32 *[OSPF/10] 00:03:12, metric 2

>to 10.1.34.4 via ge-0/0/1.0

12
8





129 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.10: OSPFv2: Miscellaneous features

• Change the automatically calculated OSPF metric to a value of 10 on GigabitEthernet
interfaces on all routers.
• Make sure that the LSAs routers orignate have the DoNotAge bit set.
• Configure OSPF database protection for all routers so that only a warning message is
generated when the maximum number of LSAs generated by other routers exceeds
500. Generate the first warning after exceeding a value of 400.

Configuration:

On all routers:

set protocols ospf reference-bandwidth 10g

set protocols ospf database-protection maximum-lsa 500
set protocols ospf database-protection warning-only
set protocols ospf database-protection warning-threshold 80

R1:

set protocols ospf area 0 interface ge-0/0/4.13 flood-reduction

R2:

set protocols ospf reference-bandwidth 10g

set protocols ospf area 0 interface ge-0/0/4.24 flood-reduction

R3:

set protocols ospf reference-bandwidth 10g

set protocols ospf area 0 interface ge-0/0/4.13 flood-reduction
set protocols ospf area 0 interface ge-0/0/1.0 flood-reduction
set protocols ospf area 0 interface ge-0/0/2.0 flood-reduction

R4: JNCIE-SP workbook: Appendix: Chapter 2 - IGP

set protocols ospf reference-bandwidth 10g

set protocols ospf area 0 interface ge-0/0/4.24 flood-reduction
set protocols ospf area 0 interface ge-0/0/1.0 flood-reduction
set protocols ospf area 0 interface ge-0/0/2.0 flood-reduction

Verification:

lab@R1# run show ospf interface ge-0/0/4.13 detail | match Cost

Type: LAN, Address: 10.1.13.1, Mask: 255.255.255.0, MTU: 1500, Cost: 10
Topology default (ID 0) ->Cost: 10

lab@R1# run show ospf interface ge-0/0/4.13 extensive | match Flood

Adj count: 1, Flood Reduction
12
9

lab@R1# run show ospf overview

130 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Instance: master
Router ID: 1.1.1.1
Route table index: 0
LSA refresh time: 50 minutes
Database protection state: Normal
Warning threshold: 80 percent, Warning only
Non self-generated LSAs: Current 5, Warning 400, Allowed 500
Ignore time: 300, Reset time: 600
Ignore count: Current 0, Allowed 5
Area: 0.0.0.0
Stub type: Not Stub
Authentication Type: None
Area border routers: 0, AS boundary routers: 0
Neighbors
Up (in full state): 1
Topology: default (ID 0)
Prefix export count: 0
Full SPF runs: 25
SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
Backup SPF: Not Needed

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

13
0





131 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 3: Multi-area OSPFv2

Initial configs: IPv4-basic

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

13
1





132 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.11 OSPFv2: Multi-area baseline

• Configure OSPF area 0 between R3 and R4. Advertise the loopbacks of R3 and R4 to
this area.
• Configure OSPF area 13 between R1 and R3 and OSPF area 24 between R2 and R4.
Advertise the loopbacks of R1 and R2 to OSPF.

Configuration:

R1:

set protocols ospf area 13 interface ge-0/0/4.13

set protocols ospf area 13 interface lo0.0

R2:

set protocols ospf area 24 interface ge-0/0/4.24

set protocols ospf area 24 interface lo0.0

R3:

set protocols ospf area 0 interface ge-0/0/1.0

set protocols ospf area 0 interface ge-0/0/2.0
set protocols ospf area 13 interface ge-0/0/4.13
set protocols ospf area 0 interface lo0.0

R4:

set protocols ospf area 0 interface ge-0/0/1.0

set protocols ospf area 0 interface ge-0/0/2.0
set protocols ospf area 24 interface ge-0/0/4.24
set protocols ospf area 0 interface lo0.0

Verification:

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

lab@R3# run show ospf neighbor
Address Interface State ID Pri Dead
10.1.34.4 ge-0/0/1.0 Full 4.4.4.4 128 36
10.1.43.4 ge-0/0/2.0 Full 4.4.4.4 128 34
10.1.13.1 ge-0/0/4.13 Full 1.1.1.1 128 37

lab@R4# run show ospf neighbor

Address Interface State ID Pri Dead
10.1.34.3 ge-0/0/1.0 Full 3.3.3.3 128 37
10.1.43.3 ge-0/0/2.0 Full 3.3.3.3 128 35
10.1.24.2 ge-0/0/4.24 Full 2.2.2.2 128 36

lab@R1# run show route protocol ospf 2.2.2.2 exact

13
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
2
+ = Active Route, - = Last Active, * = Both




133 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

2.2.2.2/32 *[OSPF/10] 00:04:03, metric 3

> to 10.1.13.3 via ge-0/0/4.13

lab@R1# run traceroute 2.2.2.2

traceroute to 2.2.2.2 (2.2.2.2), 30 hops max, 40 byte packets
1 10.1.13.3 (10.1.13.3) 7.471 ms 7.236 ms 7.734 ms
2 10.1.43.4 (10.1.43.4) 7.656 ms 14.420 ms 10.566 ms
3 2.2.2.2 (2.2.2.2) 22.647 ms 8.219 ms 7.828 ms

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

13
3





134 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.12 OSPFv2: Redistribution

• Configure static routes 172.16.0.0/24 through 172.16.3.0/24 on R1 and
172.16.4.0/24 through 172.16.7.0/24 on R2 respectively. Enable generation of ICMP
unreachables when traffic is send to these destinations.
• Redistribute these static routes into OSPF on R1 and R2.
• Make sure these routes appear in routing tables marked as Type 1 externals.
• Limit the number of the prefixes that can be exported to OSPF to 10 both on R1 and
R2.

Configuration:

R1:

set routing-options static route 172.16.0.0/24 reject

set routing-options static route 172.16.1.0/24 reject
set routing-options static route 172.16.2.0/24 reject
set routing-options static route 172.16.3.0/24 reject

set policy-options policy-statement static-ospf term 1 from protocol static

set policy-options policy-statement static-ospf term 1 then external type 1
set policy-options policy-statement static-ospf term 1 then accept

set protocols ospf export static-ospf

set protocols ospf prefix-export-limit 10

R2:

set routing-options static route 172.16.4.0/24 reject

set routing-options static route 172.16.5.0/24 reject
set routing-options static route 172.16.6.0/24 reject
set routing-options static route 172.16.7.0/24 reject

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

set policy-options policy-statement static-ospf term 1 from protocol static
set policy-options policy-statement static-ospf term 1 then external type 1
set policy-options policy-statement static-ospf term 1 then accept

set protocols ospf export static-ospf

set protocols ospf prefix-export-limit 10

13
4





135 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R1# run show ospf database external

OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern *172.16.0.0 1.1.1.1 0x80000001 255 0x22 0xd998 36
Extern *172.16.1.0 1.1.1.1 0x80000001 255 0x22 0xcea2 36
Extern *172.16.2.0 1.1.1.1 0x80000001 255 0x22 0xc3ac 36
Extern *172.16.3.0 1.1.1.1 0x80000001 255 0x22 0xb8b6 36
Extern 172.16.4.0 2.2.2.2 0x80000001 263 0x22 0x8fda 36
Extern 172.16.5.0 2.2.2.2 0x80000001 263 0x22 0x84e4 36
Extern 172.16.6.0 2.2.2.2 0x80000001 263 0x22 0x79ee 36
Extern 172.16.7.0 2.2.2.2 0x80000001 263 0x22 0x6ef8 36

lab@R1# run show ospf database external lsa-id 172.16.4.0 extensive

OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 172.16.4.0 2.2.2.2 0x80000001 297 0x22 0x8fda 36
mask 255.255.255.0
Topology default (ID 0)
Type: 1, Metric: 0, Fwd addr: 0.0.0.0, Tag: 0.0.0.0
Aging timer 00:55:03
Installed 00:04:54 ago, expires in 00:55:03
Last changed 00:04:54 ago, Change count: 1

lab@R2# run show ospf database external lsa-id 172.16.0.0 extensive

OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 172.16.0.0 1.1.1.1 0x80000001 317 0x22 0xd998 36
mask 255.255.255.0
Topology default (ID 0)
Type: 1, Metric: 0, Fwd addr: 0.0.0.0, Tag: 0.0.0.0
Aging timer 00:54:43
Installed 00:05:14 ago, expires in 00:54:43

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

Last changed 00:05:14 ago, Change count: 1

lab@R1# run show ospf overview | match Prefix

Prefix export count: 4, Prefix export limit: 10

lab@R2# run show ospf overview | match Prefix

Prefix export count: 4, Prefix export limit: 10

lab@R1# run traceroute 172.16.4.1

traceroute to 172.16.4.1 (172.16.4.1), 30 hops max, 40 byte packets
1 10.1.13.3 (10.1.13.3) 8.285 ms 8.195 ms 6.868 ms
2 10.1.43.4 (10.1.43.4) 7.368 ms 7.654 ms 7.904 ms
3 10.1.24.2 (10.1.24.2) 8.206 ms !N 7.968 ms !N 8.064 ms !N

13
5





136 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.13 OSPFv2: NSSA

• Convert regular areas 13 and 24 into NSSAs. Do not allow OSPF inter-area LSAs to
leak into areas 13 and 24.
• Make sure you still have IP reachability between prefixes originated at R1 and R2

Configuration:

R1:

set protocols ospf area 13 nssa

R2:

set protocols ospf area 24 nssa

R3:

set protocols ospf area 13 nssa default-lsa default-metric 1

set protocols ospf area 13 nssa no-summaries

R4:

set protocols ospf area 24 nssa default-lsa default-metric 1

set protocols ospf area 24 nssa no-summaries

Verification:

lab@R1# run show ospf neighbor

Address Interface State ID Pri Dead
10.1.13.3 ge-0/0/4.13 Full 3.3.3.3 128 35

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

lab@R2# run show ospf neighbor
Address Interface State ID Pri Dead
10.1.24.4 ge-0/0/4.24 Full 4.4.4.4 128 33

lab@R1# run show ospf overview | match "Stub type"

Stub type: Stub NSSA

lab@R2# run show ospf overview | match "Stub type"

Stub type: Stub NSSA

lab@R1# run show route protocol ospf

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[OSPF/10] 00:06:10, metric 2
> to 10.1.13.3 via ge-0/0/4.13
224.0.0.5/32 *[OSPF/10] 02:32:43, metric 1 13
6
MultiRecv





137 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R2# run show route protocol ospf

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[OSPF/10] 00:00:11, metric 2

> to 10.1.24.4 via ge-0/0/4.24
224.0.0.5/32 *[OSPF/10] 02:38:26, metric 1
MultiRecv

lab@R1# run ping 2.2.2.2 source 1.1.1.1 count 1

PING 2.2.2.2 (2.2.2.2): 56 data bytes

64 bytes from 2.2.2.2: icmp_seq=0 ttl=62 time=1.700 ms
--- 2.2.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.700/1.700/1.700/0.000 ms

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

13
7





138 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.14 OSPFv2: Summarization

• Summarize redistributed static routes from task 2.12 so that each range appears as a
single prefix in area 0 and specific prefixes are suppressed.

Configuration:

R3:

set protocols ospf area 0.0.0.13 nssa area-range 172.16.0.0/22

R4:

set protocols ospf area 0.0.0.24 nssa area-range 172.16.4.0/22

Verification:
lab@R3# run show route protocol ospf 172.16.4.0/22

inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.16.4.0/24 *[OSPF/150] 00:00:03, metric 2, tag 0

to 10.1.34.4 via ge-0/0/1.0
> to 10.1.43.4 via ge-0/0/2.0
172.16.5.0/24 *[OSPF/150] 00:00:03, metric 2, tag 0
> to 10.1.34.4 via ge-0/0/1.0
to 10.1.43.4 via ge-0/0/2.0
172.16.6.0/24 *[OSPF/150] 00:00:03, metric 2, tag 0
to 10.1.34.4 via ge-0/0/1.0
> to 10.1.43.4 via ge-0/0/2.0
172.16.7.0/24 *[OSPF/150] 00:00:03, metric 2, tag 0
to 10.1.34.4 via ge-0/0/1.0
> to 10.1.43.4 via ge-0/0/2.0

lab@R4# run show route protocol ospf 172.16.0.0/22

inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden) JNCIE-SP workbook: Appendix: Chapter 2 - IGP
+ = Active Route, - = Last Active, * = Both

172.16.0.0/24 *[OSPF/150] 00:11:27, metric 2, tag 0

to 10.1.34.3 via ge-0/0/1.0
> to 10.1.43.3 via ge-0/0/2.0
172.16.1.0/24 *[OSPF/150] 00:11:27, metric 2, tag 0
> to 10.1.34.3 via ge-0/0/1.0
to 10.1.43.3 via ge-0/0/2.0
172.16.2.0/24 *[OSPF/150] 00:11:27, metric 2, tag 0
to 10.1.34.3 via ge-0/0/1.0
> to 10.1.43.3 via ge-0/0/2.0
172.16.3.0/24 *[OSPF/150] 00:11:27, metric 2, tag 0
to 10.1.34.3 via ge-0/0/1.0
> to 10.1.43.3 via ge-0/0/2.0
13
8





139 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R3# run show route protocol ospf 172.16.4.0/22

inet.0: 21 destinations, 21 routes (21 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.16.4.0/22 *[OSPF/150] 00:00:02, metric 2, tag 0

> to 10.1.34.4 via ge-0/0/1.0
to 10.1.43.4 via ge-0/0/2.0

lab@R4# run show route protocol ospf 172.16.0.0/22

inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.16.0.0/22 *[OSPF/150] 00:00:02, metric 2, tag 0

to 10.1.34.3 via ge-0/0/1.0
> to 10.1.43.3 via ge-0/0/2.0

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

13
9





140 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 4: Multi-level IS-IS

Initial configs: IPv6-basic

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

14
0





141 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.15: IS-IS Baseline

• Configure a multi-level IS-IS basline according to the diagram.
• Use xxxx.xxxx.xxxx as system-id, where x is the router number.

Configuration:

R1:

set interfaces ge-0/0/4 unit 13 family iso

set interfaces lo0 unit 0 family isoaddress 49.0001.1111.1111.1111.00
set protocols isis level 2 disable
set protocols isis interface ge-0/0/4.13
set protocols isis interface lo0.0

R2:

set interfaces ge-0/0/4 unit 24 family iso

set interfaces lo0.0 family iso address 49.0002.2222.2222.2222.00
set protocols isis level 2 disable
set protocols isis interface ge-0/0/4.24
set protocols isis interface lo0.0

R3:

set interfaces ge-0/0/4 unit 13 family iso

set interface ge-0/0/1.0 family iso
set interface ge-0/0/2.0 family iso
set interfaces lo0.0 family iso address 49.0001.3333.3333.3333.00

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

set protocols isis interface ge-0/0/4.13 level 2 disable
set protocols isis interface ge-0/0/1.0 level 1 disable
set protocols isis interface ge-0/0/2.0 level 1 disable
set protocols isis interface lo0.0

R4:

set interfaces ge-0/0/4 unit 24 family iso

set interface ge-0/0/1.0 family iso
set interface ge-0/0/2.0 family iso
set interfaces lo0.0 family iso address 49.0002.4444.4444.4444.00
set protocols isis interface ge-0/0/4.24 level 2 disable
set protocols isis interface ge-0/0/1.0 level 1 disable
set protocols isis interface ge-0/0/2.0 level 1 disable
set protocols isis interface lo0.0 14
1
Verification:





142 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R3> show isis adjacency

Interface System L State Hold (secs) SNPA
ge-0/0/1.0 R4 2 Up 8 f8:c0:1:dc:31:81
ge-0/0/2.0 R4 2 Up 7 f8:c0:1:dc:31:82
ge-0/0/4.13 R1 1 Up 19 0:26:88:ef:75:84

lab@R4> show isis adjacency

Interface System L State Hold (secs) SNPA
ge-0/0/1.0 R3 2 Up 21 2c:21:72:cd:26:81
ge-0/0/2.0 R3 2 Up 26 2c:21:72:cd:26:82
ge-0/0/4.24 R2 1 Up 8 f8:c0:1:dd:2:4

lab@R1> show route protocol isis

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
inet6.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

::/0 *[IS-IS/15] 00:02:37, metric 10

> to fe80::2e21:7200:dcd:2684 via ge-0/0/4.13

2001:d00::/24 *[IS-IS/15] 00:10:41, metric 20

> to fe80::2e21:7200:dcd:2684 via ge-0/0/4.13

2001:db8::3/128 *[IS-IS/15] 00:06:40, metric 10

> to fe80::2e21:7200:dcd:2684 via ge-0/0/4.13

lab@R1> ping 2001:db8::2 count 2

PING6(56=40+8+8 bytes) 2001:db8:0:d::1 --> 2001:db8::2
16 bytes from 2001:db8::2, icmp_seq=0 hlim=62 time=3.747 ms

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

16 bytes from 2001:db8::2, icmp_seq=1 hlim=62 time=2.609 ms
--- 2001:db8::2 ping6 statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 2.609/3.178/3.747/0.569 ms

lab@R1> traceroute 2001:db8::2

traceroute6 to 2001:db8::2 (2001:db8::2) from 2001:db8:0:d::1, 64 hops max, 12
byte packets

1 2001:db8:0:d::3 (2001:db8:0:d::3) 14.044 ms 15.007 ms 7.639 ms

2 2001:db8:0:2b::4 (2001:db8:0:2b::4) 15.279 ms 7.481 ms 7.993 ms
3 2001:db8::2 (2001:db8::2) 8.341 ms 8.809 ms 2.960 ms

14
2





143 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.16: IS-IS Authentication

• Enable hello authentication only within L1 areas. Use MD5 as the authentication type
and R1R3 as a password for the R1-R3 connection and R2R4 for the R2-R4 one.
• Disable the DIS election on the links as shown in the diagram.
• Enable both hello and LSP authentication between R3 and R4. Use MD5 and
password R3R4.

Configuration:

R1:

set protocols isis interface ge-0/0/4.13 level 1 hello-authentication-type

md5
set protocols isis interface ge-0/0/4.13 level 1 hello-authentication-key
R1R3
set protocols isis interface ge-0/0/4.13 point-to-point

R2:

set protocols isis interface ge-0/0/4.24 level 1 hello-authentication-type

md5
set protocols isis interface ge-0/0/4.24 level 1 hello-authentication-key
R2R4
set protocols isis interface ge-0/0/4.24 point-to-point

R3:

set protocols isis interface ge-0/0/4.13 level 1 hello-authentication-type

md5
set protocols isis interface ge-0/0/4.13 level 1 hello-authentication-key

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

R1R3
set protocols isis interface ge-0/0/4.13 point-to-point

set protocols isis level 2 authentication-type md5

set protocols isis level 2 authentication-key R3R4

R4:

set protocols isis interface ge-0/0/4.24 level 1 hello-authentication-type

md5
set protocols isis interface ge-0/0/4.24 level 1 hello-authentication-key
R2R4
set protocols isis interface ge-0/0/4.24 point-to-point

14
3





144 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set protocols isis level 2 authentication-type md5

set protocols isis level 2 authentication-key R3R4

Verification:

lab@R3# run show isis authentication

Interface Level IIH Auth CSN Auth PSN Auth
ge-0/0/1.0 2 MD5 MD5 MD5
ge-0/0/2.0 2 MD5 MD5 MD5
ge-0/0/4.13 1 MD5 None None

L1 LSP Authentication: None

L2 LSP Authentication: MD5

lab@R4# run show isis authentication

Interface Level IIH Auth CSN Auth PSN Auth
ge-0/0/1.0 2 MD5 MD5 MD5
ge-0/0/2.0 2 MD5 MD5 MD5
ge-0/0/4.24 1 MD5 None None

L1 LSP Authentication: None

L2 LSP Authentication: MD5

lab@R3# run show isis adjacency

Interface System L State Hold (secs) SNPA
ge-0/0/1.0 R4 2 Up 7 f8:c0:1:dc:31:81
ge-0/0/2.0 R4 2 Up 8 f8:c0:1:dc:31:82
ge-0/0/4.13 R1 1 Up 24

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

14
4





145 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.17: IS-IS Timers

• Change the CSNP interval on the R3-R4 links to the value of 5 seconds.
• Change the transmission frequency to 1 LSP per second on the links R1-R3 and R2-R4.

Configuration:

R1:

set protocols isis interface ge-0/0/4.13 lsp-interval 1000

R2:

set protocols isis interface ge-0/0/4.24 lsp-interval 1000

R3:

set protocols isis interface ge-0/0/4.13 lsp-interval 1000

set protocols isis interface ge-0/0/1.0 csnp-interval 5
set protocols isis interface ge-0/0/2.0 csnp-interval 5

R4:

set protocols isis interface ge-0/0/4.24 lsp-interval 1000

set protocols isis interface ge-0/0/1.0 csnp-interval 5
set protocols isis interface ge-0/0/2.0 csnp-interval 5

Verification:

lab@R3# run show isis interface detail

IS-IS interface database:
ge-0/0/1.0
Index: 70, State: 0x6, Circuit id: 0x1, Circuit type: 2
LSP interval: 100 ms, CSNP interval: 5 s
Adjacency advertisement: Advertise

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
2 1 64 10 9.000 27 R4.02 (not us)

ge-0/0/2.0
Index: 71, State: 0x6, Circuit id: 0x1, Circuit type: 2
LSP interval: 100 ms, CSNP interval: 5 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
2 1 64 10 9.000 27 R4.03 (not us)

ge-0/0/4.13
Index: 72, State: 0x6, Circuit id: 0x1, Circuit type: 1
LSP interval: 1000 ms, CSNP interval: 5 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 9.000 27
14
5





146 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R4# run show isis interface detail

IS-IS interface database:
ge-0/0/1.0
Index: 70, State: 0x6, Circuit id: 0x2, Circuit type: 2
LSP interval: 100 ms, CSNP interval: 5 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
2 1 64 10 3.000 9 R4.02 (us)

ge-0/0/2.0
Index: 71, State: 0x6, Circuit id: 0x3, Circuit type: 2
LSP interval: 100 ms, CSNP interval: 5 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
2 1 64 10 3.000 9 R4.03 (us)

ge-0/0/4.24
Index: 72, State: 0x6, Circuit id: 0x1, Circuit type: 1
LSP interval: 1000 ms, CSNP interval: 5 s
Adjacency advertisement: Advertise
Level Adjacencies Priority Metric Hello (s) Hold (s) Designated Router
1 1 64 10 9.000 27

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

14
6





147 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.18: IS-IS Route Leaking

• Disable the installation of a default route on R1 and R2
• Change the configuration so that there still is full IPv6 reachability after that.

Configuration:

R1 and R2:

set protocols isis ignore-attached-bit

R3 and R4:

set policy-options policy-statement l2-l1 term 1 from protocol isis

set policy-options policy-statement l2-l1 term 1 from level 2
set policy-options policy-statement l2-l1 term 1 to level 1
set policy-options policy-statement l2-l1 term 1 then accept
set protocols isis export l2-l1

Verification:
lab@R1# run show route protocol isis
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
inet6.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:d00::/24 *[IS-IS/15] 00:43:23, metric 20

> to fe80::2e21:7200:dcd:2684 via ge-0/0/4.13
2001:db8::2/128 *[IS-IS/18] 00:12:42, metric 30
> to fe80::2e21:7200:dcd:2684 via ge-0/0/4.13
2001:db8::3/128 *[IS-IS/15] 00:43:23, metric 10
> to fe80::2e21:7200:dcd:2684 via ge-0/0/4.13
2001:db8::4/128 *[IS-IS/18] 00:12:42, metric 20

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

> to fe80::2e21:7200:dcd:2684 via ge-0/0/4.13
2001:db8:0:18::/64 *[IS-IS/18] 00:12:42, metric 30
> to fe80::2e21:7200:dcd:2684 via ge-0/0/4.13

lab@R2# run show route protocol isis

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
inet6.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
2001:d00::/24 *[IS-IS/18] 00:10:21, metric 30
> to fe80::fac0:100:18dc:3184 via ge-0/0/4.24
2001:db8::1/128 *[IS-IS/18] 00:10:21, metric 30
> to fe80::fac0:100:18dc:3184 via ge-0/0/4.24
2001:db8::3/128 *[IS-IS/18] 00:10:21, metric 20
> to fe80::fac0:100:18dc:3184 via ge-0/0/4.24
2001:db8::4/128 *[IS-IS/15] 00:42:48, metric 10
> to fe80::fac0:100:18dc:3184 via ge-0/0/4.24 14
7
2001:db8:0:d::/64 *[IS-IS/18] 00:10:21, metric 40





148 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

> to fe80::fac0:100:18dc:3184 via ge-0/0/4.24

lab@R1> traceroute 2001:db8::2

traceroute6 to 2001:db8::2 (2001:db8::2) from 2001:db8:0:d::1, 64 hops max, 12
byte packets
1 2001:db8:0:d::3 (2001:db8:0:d::3) 7.897 ms 13.699 ms 13.011 ms
2 2001:db8:0:22::4 (2001:db8:0:22::4) 8.170 ms 7.531 ms 8.648 ms
3 2001:db8::2 (2001:db8::2) 2.521 ms 2.450 ms 7.998 ms

lab@R1> ping 2001:db8:0:18::2 count 2

PING6(56=40+8+8 bytes) 2001:db8:0:d::1 --> 2001:db8:0:18::2
16 bytes from 2001:db8:0:18::2, icmp_seq=0 hlim=62 time=5.746 ms
16 bytes from 2001:db8:0:18::2, icmp_seq=1 hlim=62 time=8.248 ms

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

14
8





149 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 5: OSPFv3 and IS-IS (IPv6)

Initial configs: OSPFv3-IS-IS-IPv6

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

14
9





150 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.19
• Configure the IS-IS and OSPFv3 baseline according to the diagram.

Configuration:

R1:

set interfaces ge-0/0/4 unit 13 family iso

set interfaces ge-0/0/4 unit 15 family iso
set interfaces lo0.0 family iso address 49.0001.1111.1111.1111.00
set protocols isis level 1 disable
set protocols isis interface ge-0/0/4.13
set protocols isis interface ge-0/0/4.15
set protocols isis interface lo0.0

R2:

set protocols ospf3 area 0 interface lo0.0 passive

set protocols ospf3 area 0 interface ge-0/0/4.24
set protocols ospf3 area 0 interface ge-0/0/4.25

R3:

set interfaces ge-0/0/4 unit 13 family iso

set interfaces ge-0/0/4 unit 35 family iso
set interfaces lo0.0 family iso address 49.0001.3333.3333.3333.00
set protocols isis level 1 disable
set protocols isis interface ge-0/0/4.13
set protocols isis interface ge-0/0/4.35
set protocols isis interface lo0.0
set protocols ospf3 area 0 interface ge-0/0/1.0

R4: JNCIE-SP workbook: Appendix: Chapter 2 - IGP
set protocols ospf3 area 0 interface lo0.0 passive
set protocols ospf3 area 0 interface ge-0/0/4.24
set protocols ospf3 area 0 interface ge-0/0/1.0

R5:

set interfaces ge-0/0/4 unit 15 family iso

set interfaces ge-0/0/4 unit 35 family iso
set interfaces lo0.0 family iso address 49.0001.5555.5555.5555.00
set protocols isis level 1 disable
set protocols isis interface ge-0/0/4.15
set protocols isis interface ge-0/0/4.35
set protocols isis interface lo0.0 15
0
set protocols ospf3 area 0 interface ge-0/0/4.25




151 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R1# run show isis adjacency

Interface System L State Hold (secs) SNPA
ge-0/0/4.13 R3 2 Up 6 2c:21:72:cd:26:84
ge-0/0/4.15 R5 2 Up 7 f8:c0:1:dd:3:84

lab@R3# run show isis adjacency

Interface System L State Hold (secs) SNPA
ge-0/0/4.13 R1 2 Up 26 0:26:88:ef:75:84
ge-0/0/4.35 R5 2 Up 8 f8:c0:1:dd:3:84

lab@R2# run show ospf3 neighbor

ID Interface State Pri Dead
10.10.1.4 ge-0/0/4.24 Full 128 32
Neighbor-address fe80::fac0:100:18dc:3184
10.10.1.5 ge-0/0/4.25 Full 128 36
Neighbor-address fe80::fac0:100:19dd:384

lab@R4# run show ospf3 neighbor

ID Interface State Pri Dead
10.10.1.3 ge-0/0/1.0 Full 128 36
Neighbor-address fe80::2e21:72ff:fecd:2681
10.10.1.2 ge-0/0/4.24 Full 128 35
Neighbor-address fe80::fac0:100:18dd:204

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

15
1





152 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.20
• Configure 4 static IPv6 routes on R1 according to the diagram.
Use “reject” keyword as a next-hop value.
• Redistribute these routes to IS-IS.

Configuration:

R1:

set routing-options rib inet6.0 static route 2000:db8:0:1::/64 reject

set routing-options rib inet6.0 static route 2000:db8::/64 reject
set routing-options rib inet6.0 static route 2000:db8:0:2::/64 reject
set routing-options rib inet6.0 static route 2000:db8:0:3::/64 reject
set policy-options policy-statement statics term 1 from protocol static
set policy-options policy-statement statics term 1 from rib inet6.0
set policy-options policy-statement statics term 1 then accept
set protocols isis export statics

Verification:

lab@R3# run show route protocol isis 2000:db8::/62

inet6.0: 24 destinations, 26 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2000:db8::/64 *[IS-IS/165] 00:11:36, metric 10

> to fe80::226:8800:def:7584 via ge-0/0/4.13
2000:db8:0:1::/64 *[IS-IS/165] 00:11:36, metric 10
> to fe80::226:8800:def:7584 via ge-0/0/4.13
2000:db8:0:2::/64 *[IS-IS/165] 00:11:36, metric 10
> to fe80::226:8800:def:7584 via ge-0/0/4.13
2000:db8:0:3::/64 *[IS-IS/165] 00:11:36, metric 10
> to fe80::226:8800:def:7584 via ge-0/0/4.13

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

15
2





153 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.21
• Enable redistribution between OSPFv3 and IS-IS on R3 and R5.
• Make sure you have full IP reachability between all existing prefixes.
• Make sure that there are no routing loops and that there is no suboptimal routing.

Configuration:

R3 and R5:

set policy-options policy-statement isis-ospf term 1 from protocol isis

set policy-options policy-statement isis-ospf term 1 then accept
set protocols ospf3 export isis-ospf
set policy-options policy-statement ospf-isis term 1 from protocol ospf3
set policy-options policy-statement ospf-isis term 1 then accept
set protocols isis export ospf-isis
set protocols isis level 2 external-preference 149

Verification:

After enabling mutual redistribution on R3 and R5:

lab@R5# run show route 2000:db8::1

inet6.0: 24 destinations, 37 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2000:db8::/64 *[OSPF3/150] 00:05:08, metric 10, tag 0

> to fe80::fac0:100:19dd:204 via ge-0/0/4.25
[IS-IS/165] 00:24:53, metric 10
> to fe80::226:8800:fef:7584 via ge-0/0/4.15

lab@R5# run traceroute 2000:db8::1

traceroute6 to 2000:db8::1 (2000:db8::1) from 2001:db8:0:19::5, 64 hops max, 12
byte packets

1 2001:db8:0:19::2 (2001:db8:0:19::2) 9.990 ms 3.696 ms 4.775 ms JNCIE-SP workbook: Appendix: Chapter 2 - IGP
2 2001:db8:0:18::4 (2001:db8:0:18::4) 8.211 ms 8.387 ms 7.661 ms
3 2001:db8:0:22::3 (2001:db8:0:22::3) 7.506 ms 7.619 ms 8.077 ms
4 2001:db8:0:d::1 (2001:db8:0:d::1) 8.149 ms !A 2.576 ms !A 7.983 ms !A

We see suboptimal routing to the prefix originated at R1. The path that the packets take is
R5->R2->R4->R3->R1. Instead of going directly over to R1, packets take a longer path due to
a better external preference of OSPFv3 (150) in comparison to IS-IS L2 external preference
(165).

lab@R5# run show route 2000:db8::1

inet6.0: 24 destinations, 37 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both 15
3





154 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

2000:db8::/64 *[OSPF3/150] 00:05:08, metric 10, tag 0

> to fe80::fac0:100:19dd:204 via ge-0/0/4.25
[IS-IS/165] 00:24:53, metric 10
> to fe80::226:8800:fef:7584 via ge-0/0/4.15

To resolve this, IS-IS L2 external preference should be “better” than OSPFv3 one. This can be
achieved in 2 ways: by increasing the OSPFv3 external preference or by decreasing the IS-IS
L2 external perference on both R3 and R5.

After changing L2 external preference:

lab@R5# run show route 2000:db8::1

inet6.0: 24 destinations, 34 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2000:db8::/64 *[IS-IS/149] 00:10:59, metric 10

> to fe80::226:8800:fef:7584 via ge-0/0/4.15
[OSPF3/150] 00:45:28, metric 10, tag 0
> to fe80::fac0:100:19dd:204 via ge-0/0/4.25

lab@R5# run traceroute 2000:db8::1

traceroute6 to 2000:db8::1 (2000:db8::1) from 2001:db8:0:f::5, 64 hops max, 12
byte packets

1 2001:db8:0:f::1 (2001:db8:0:f::1) 7.623 ms !A 3.332 ms !A 7.466 ms !A

Now, everything works as expected.

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

15
4





155 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.22
• Enable OSPFv3 authentication between R3 and R4.
• Use protocol esp, spi 256, the hmac-sha1-96 algorithm and key ' inetzero-jncie-inet0'

Configuration:

R3 and R4:

set security ipsec security-association inet0 mode transport

set security ipsec security-association inet0 manual direction
bidirectional protocol esp
set security ipsec security-association inet0 manual direction
bidirectional spi 256
set security ipsec security-association inet0 manual direction
bidirectional authentication algorithm hmac-sha1-96
set security ipsec security-association inet0 manual direction
bidirectional authentication key ascii-text inetzero-jncie-inet0

set protocols ospf3 area 0.0.0.0 interface ge-0/0/1.0 ipsec-sa inet0

Verification:

lab@R4> show ospf3 interface ge-0/0/1.0 extensive

Interface State Area DR ID BDR ID Nbrs
ge-0/0/1.0 DR 0.0.0.0 10.10.1.4 10.10.1.3 1
Address fe80::3e61:4ff:fe8d:be81, Prefix-length 64
OSPF3-Intf-index 2, Type LAN, MTU 1500, Cost 1, Priority 128
Adj count: 1, Router LSA ID: 0
DR addr fe80::3e61:4ff:fe8d:be81, BDR addr fe80::3e8a:b0ff:fe5c:7aa1
Hello 10, Dead 40, ReXmit 5, Not Stub

JNCIE-SP workbook: Appendix: Chapter 2 - IGP

IPSec SA name: inet0
Protection type: None

15
5





156 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix: Chapter 3 - MPLS

Part 1. RSVP
Initial configurations: OSPFv2-baseline

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

15
6





157 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.1: MPLS and RSVP baseline

• Enable MPLS processing and RSVP signalling on all interfaces from the diagram on all
routers

Configuration:

R1:

set interfaces ge-0/0/4.13 family mpls

set protocols mpls interface all
set protocols rsvp interface ge-0/0/4.13

R2:

set interfaces ge-0/0/4.24 family mpls

set protocols mpls interface all
set protocols rsvp interface ge-0/0/4.24

R3:

set interfaces ge-0/0/1.0 family mpls

set interfaces ge-0/0/2.0 family mpls
set interfaces ge-0/0/4.13 family mpls
set interfaces ge-0/0/4.35 family mpls
set protocols mpls interface all
set protocols rsvp interface ge-0/0/1.0
set protocols rsvp interface ge-0/0/2.0
set protocols rsvp interface ge-0/0/4.13
set protocols rsvp interface ge-0/0/4.35

R4:

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

set interfaces ge-0/0/1.0 family mpls
set interfaces ge-0/0/2.0 family mpls
set interfaces ge-0/0/4.24 family mpls
set interfaces ge-0/0/4.45 family mpls
set protocols mpls interface all
set protocols rsvp interface ge-0/0/1.0
set protocols rsvp interface ge-0/0/2.0
set protocols rsvp interface ge-0/0/4.24
set protocols rsvp interface ge-0/0/4.45

R5:

set interfaces ge-0/0/4.35 family mpls

set interfaces ge-0/0/4.45 family mpls
set protocols mpls interface all
set protocols rsvp interface ge-0/0/4.35 15
7
set protocols rsvp interface ge-0/0/4.45




158 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

The ‘show mpls interface’ command will display an interface when the MPLS address family
is configured for that interface AND when the interface is configured under the [ protocols
mpls ] stanza.

lab@R1>show mpls interface
Interface State Administrative groups (x: extended)
ge-0/0/4.13 Up <none>

lab@R1>show rsvp interface

RSVP interface: 1 active
Active Subscr- Static Available Reserved Highwater
Interface State resv iption BW BW BW mark
ge-0/0/4.13 Up 1 100% 1000Mbps 1000Mbps 0bps 0bps

lab@R2>show mpls interface

Interface State Administrative groups (x: extended)
ge-0/0/4.24 Up <none>

lab@R2>show rsvp interface

RSVP interface: 1 active
Active Subscr- Static Available Reserved Highwater
Interface State resv iption BW BW BW mark
ge-0/0/4.24 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps

lab@R3>show mpls interface

Interface State Administrative groups (x: extended)
ge-0/0/1.0 Up <none>
ge-0/0/2.0 Up <none>
ge-0/0/4.13 Up <none>
ge-0/0/4.35 Up <none>

lab@R3>show rsvp interface

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

RSVP interface: 4 active
Active Subscr- Static Available Reserved Highwater
Interface State resv iption BW BW BW mark
ge-0/0/1.0 Up 1 100% 1000Mbps 1000Mbps 0bps 0bps
ge-0/0/2.0 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps
ge-0/0/4.13 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps
ge-0/0/4.35 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps

lab@R4>show mpls interface

Interface State Administrative groups (x: extended)
ge-0/0/1.0 Up <none>
ge-0/0/2.0 Up <none>
ge-0/0/4.24 Up <none>
ge-0/0/4.45 Up <none>

lab@R4>show rsvp interface

RSVP interface: 4 active
Active Subscr- Static Available Reserved Highwater
Interface State resv iption BW BW BW mark 15
ge-0/0/1.0 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps 8
ge-0/0/2.0 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps




159 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

ge-0/0/4.24 Up 1 100% 1000Mbps 1000Mbps 0bps 0bps

ge-0/0/4.45 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps

lab@R5>show mpls interface

Interface State Administrative groups (x: extended)
ge-0/0/4.35 Up <none>
ge-0/0/4.45 Up <none>

lab@R5>show rsvp interface

RSVP interface: 2 active
Active Subscr- Static Available Reserved Highwater
Interface State resv iption BW BW BW mark
ge-0/0/4.35 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps
ge-0/0/4.45 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

15
9





160 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.2: RSVP Refresh Reduction and Authentication

• Enable RSVP message bundling features on the R3-R4 sessions.
• Enable reliable message delivery and RSVP message ID on the R1-R3 and R2-R4
sessions.
• Authenticate R3-R5 and R4-R5 RSVP sessions with the key "RsvP".


Configuration:

R1:

set protocols rsvp interface ge-0/0/4.13 reliable

R2:

set protocols rsvp interface ge-0/0/4.24 reliable

R3:

set protocols rsvp interface ge-0/0/4.13 reliable

set protocols rsvp interface ge-0/0/1.0 aggregate
set protocols rsvp interface ge-0/0/2.0 aggregate
set protocols rsvp interface ge-0/0/4.35 authentication-key RsvP

R4:

set protocols rsvp interface ge-0/0/4.24 reliable

set protocols rsvp interface ge-0/0/1.0 aggregate
set protocols rsvp interface ge-0/0/2.0 aggregate
set protocols rsvp interface ge-0/0/4.45 authentication-key RsvP

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

R5:

set protocols rsvp interface ge-0/0/4.35 authentication-key RsvP

set protocols rsvp interface ge-0/0/4.45 authentication-key RsvP

16
0





161 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:


lab@R5# run show rsvp interface ge-0/0/4.35 extensive
ge-0/0/4.35 Index 70, State Ena/Up
Authentication, NoAggregate, NoReliable, NoLinkProtection
HelloInterval 9(second)
Address 10.1.35.5

[…skipped…]

lab@R5# run show rsvp interface ge-0/0/4.45 extensive

ge-0/0/4.45 Index 71, State Ena/Up
Authentication, NoAggregate, NoReliable, NoLinkProtection
HelloInterval 9(second)
Address 10.1.45.5

[…skipped…]

The “aggregate” statement will enable message bundling on an interface:

lab@R3>show rsvp interface ge-0/0/1.0 extensive
ge-0/0/1.0 Index 70, State Ena/Up
NoAuthentication, Aggregate, NoReliable, NoLinkProtection
HelloInterval 9(second)
Address 10.1.34.3

lab@R3>show rsvp interface ge-0/0/2.0 extensive

ge-0/0/2.0 Index 71, State Ena/Up
NoAuthentication, Aggregate, NoReliable, NoLinkProtection
HelloInterval 9(second)
Address 10.1.43.3

[…skipped…]

The “reliable” statement enables RSVP message ID as well as reliable message delivery:

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

lab@R3>show rsvp interface ge-0/0/4.13 extensive
ge-0/0/4.13 Index 72, State Ena/Up
NoAuthentication, NoAggregate, Reliable, NoLinkProtection
HelloInterval 9(second)
Address 10.1.13.3
[…skipped…]

lab@R4>show rsvp interface ge-0/0/4.24 extensive

ge-0/0/4.24 Index 72, State Ena/Up
NoAuthentication, NoAggregate, Reliable, NoLinkProtection
HelloInterval 9(second)
Address 10.1.24.4
[…skipped…]

16
1





162 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.3: RSVP LSP without CSPF

• Create 2 RSVP LSPs from R1 to R2 named Red and Blue respectively.
• Request 1Mb of bandwidth for Red and 2Mb for Blue and turn the CSPF off on both
LSPs.

Configuration:

R1:

set protocols mpls label-switched-path Red to 2.2.2.2

set protocols mpls label-switched-path Red bandwidth 1m
set protocols mpls label-switched-path Red no-cspf

set protocols mpls label-switched-path Blue to 2.2.2.2

set protocols mpls label-switched-path Blue bandwidth 2m
set protocols mpls label-switched-path Blue no-cspf

Verification:

lab@R1# run show mpls lsp ingress detail
Ingress LSP: 2 sessions

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Red
ActivePath: (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
Bandwidth: 1000kbps
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

10.1.13.3 10.1.43.4 10.1.24.2

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Blue
ActivePath: (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
Bandwidth: 2Mbps
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.13.3 10.1.43.4 10.1.24.2
Total 2 displayed, Up 2, Down 0

16
2





163 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R1# run show route table inet.3

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

2.2.2.2/32 *[RSVP/7/1] 00:04:26, metric 3

to 10.1.13.3 via ge-0/0/4.13, label-switched-path Red
> to 10.1.13.3 via ge-0/0/4.13, label-switched-path Blue

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

16
3





164 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.4: RSVP ERO

• Create primary explicit paths for the LSPs from previous task.
• Red LSP should go strictly through the upper physical path between R3 and R4, Blue
LSP - through the lower one.
• Don’t use loose hops in ERO list.

Configuration:

R1:

set protocols mpls path Red-Primary 10.1.13.3 strict

set protocols mpls path Red-Primary 10.1.34.4 strict
set protocols mpls path Red-Primary 10.1.24.2 strict
set protocols mpls label-switched-path Red primary Red-Primary

set protocols mpls path Blue-Primary 10.1.13.3 strict

set protocols mpls path Blue-Primary 10.1.43.4 strict
set protocols mpls path Blue-Primary 10.1.24.2 strict
set protocols mpls label-switched-path Blue primary Blue-Primary

Verification:

When a path has a ‘loose’ ERO, the route towards the router IP specified does not need to
be a direct path and can include other intermediate routers as well. When a path has a
‘strict’ ERO, the route from the previous router to the router IP specified must be a direct
path. Strict ERO is the default.

lab@R1# runshow mpls lsp ingress detail

Ingress LSP: 2 sessions

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Blue

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

ActivePath: Blue-Primary (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary Blue-Primary State: Up
Priorities: 7 0
Bandwidth: 2Mbps
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.13.3 10.1.43.4 10.1.24.2

16
4





165 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Red
ActivePath: Red-Primary (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary Red-Primary State: Up
Priorities: 7 0
Bandwidth: 1000kbps
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.13.3 10.1.34.4 10.1.24.2
Total 2 displayed, Up 2, Down 0

Another thing worth mentioning is that with either ‘strict’ or ‘loose’ ERO, you are allowed to
configure an interface address or a loopback address. This is can make things easier and it
can save time.

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

16
5





166 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.5. RSVP Load-Balancing

• On R1, enable traffic distribution between Red and Blue LSP proportionally to
theirbandwidth assigned.

Configuration:

R1:

set policy-options policy-statement load-balance then load-balance

per-packet
set routing-options forwarding-table export load-balance
set protocols rsvp load-balance bandwidth

Verification:

lab@R1# run show route table inet.3 detail

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

2.2.2.2/32 (1 entry, 0 announced)
State: <FlashAll>
*RSVP Preference: 7/1
Next hop type: Router
Address: 0x15f4010
Next-hop reference count: 1
Next hop: 10.1.13.3 via ge-0/0/4.13 weight 0x1 balance 67%
Label-switched-path Blue
Label operation: Push 299840
Label TTL action: prop-ttl
Next hop: 10.1.13.3 via ge-0/0/4.13 weight 0x1 balance 33%
Label-switched-path Red
Label operation: Push 299856
Label TTL action: prop-ttl
State: <Active Int>
Age: 18:34 Metric: 3

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

Task: RSVP
AS path: I

16
6





167 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.6: RSVP LSP Policy Selection

• Create 2 RSVP LSPs from R2 to R1 named Orange and Green and disable CSPF for
both LSPs.
• Make both LSPs visible for internal traffic going to the R1 loopback address. At the
same time, the OSPF route to 1.1.1.1/32 should be active.
• Make sure that the Orange LSP is preferred for internal traffic going to 1.1.1.1/32.
Use a policy for performing this task.

Configuration:

R2:

set protocols mpls label-switched-path Orange to 1.1.1.1

set protocols mpls label-switched-path Orange no-cspf
set protocols mpls label-switched-path Green to 1.1.1.1
set protocols mpls label-switched-path Green no-cspf
set protocols mpls traffic-engineering mpls-forwarding
set policy-options policy-statement Prefer-Orange term 1 from route-
filter 1.1.1.1/32 exact
set policy-options policy-statement Prefer-Orange term 1 then
install-nexthop lsp Orange
set routing-options forwarding-table export Prefer-Orange

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

16
7





168 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R2# runshow mpls lsp ingress brief
Ingress LSP: 2 sessions
To From State Rt P ActivePath LSPname
1.1.1.1 2.2.2.2 Up 0 * Green
1.1.1.1 2.2.2.2 Up 0 * Orange
Total 2 displayed, Up 2, Down 0

lab@R2# run show route table inet.0 1.1.1.1/32 exact

inet.0: 16 destinations, 17 routes (16 active, 0 holddown, 0 hidden)

@ = Routing Use Only, # = Forwarding Use Only
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32 @[OSPF/10] 00:32:35, metric 3

> to 10.1.24.4 via ge-0/0/4.24
#[RSVP/7/1] 00:32:31, metric 3
to 10.1.24.4 via ge-0/0/4.24, label-switched-path Green
> to 10.1.24.4 via ge-0/0/4.24, label-switched-path Orange

lab@R2# run show rsvp session ingress name Orange detail

Ingress RSVP: 2 sessions

1.1.1.1
From: 2.2.2.2, LSPstate: Up, ActiveRoute: 0
LSPname: Orange, LSPpath: Primary
LSPtype: Static Configured
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 299968
Resv style: 1 FF, Label in: -, Label out: 299968
Time left: -, Since: Fri Jul 19 10:26:15 2013
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
Port number: sender 2 receiver 18972 protocol 0
PATH rcvfrom: localclient
Adspec: sent MTU 1500
Path MTU: received 1500

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

PATH sentto: 10.1.24.4 (ge-0/0/4.24) 50 pkts
RESV rcvfrom: 10.1.24.4 (ge-0/0/4.24) 1 pkts
Record route: <self> 10.1.24.4 10.1.34.3 10.1.13.1
Total 1 displayed, Up 1, Down 0

lab@R2# run show route forwarding-table destination 1.1.1.1

Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
1.1.1.1/32 user 0 10.1.24.4 Push 299968 560 2 ge-0/0/4.24

lab@R2# run traceroute 1.1.1.1

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets
1 10.1.24.4 (10.1.24.4) 2.301 ms 2.061 ms 1.916 ms
MPLS Label=299968 CoS=0 TTL=1 S=1
2 10.1.34.3 (10.1.34.3) 2.261 ms 2.157 ms 2.038 ms
MPLS Label=299968 CoS=0 TTL=1 S=1
3 1.1.1.1 (1.1.1.1) 8.094 ms 2.533 ms 8.451 ms

16
8





169 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.7: RSVP LSP Primary and Secondary Paths

• Create an RSVP LSP from R1 to R2 named Brown and turn off CSPF for the LSP.
• Enable a primary path that visits R5 and don’t use more than one ERO.
• Enable the use of a secondary path which is fully calculated by the IGP and have this
path ready to accept traffic in case of primary path failure.

Configuration:

R1:

set protocols mpls label-switched-path Brown to 2.2.2.2

set protocols mpls label-switched-path Brown no-cspf
set protocols mpls label-switched-path Brown primary Brown-Primary
set protocols mpls label-switched-path Brown secondary Brown-
Secondary standby
set protocols mpls path Brown-Primary 5.5.5.5 loose
set protocols mpls path Brown-Secondary

Verification:

lab@R1# runshow mpls lsp ingress name Brown detail
Ingress LSP: 3 sessions

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Brown
ActivePath: Brown-Primary (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary Brown-Primary State: Up
Priorities: 7 0
SmartOptimizeTimer: 180

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node
10=SoftPreempt 20=Node-ID):
10.1.13.3 10.1.35.5 10.1.45.4 10.1.24.2

Standby Brown-Secondary State: Up

Priorities: 7 0
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node
10=SoftPreempt 20=Node-ID):
10.1.13.3 10.1.43.4 10.1.24.2
Total 1 displayed, Up 1, Down 0

16
9





170 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.8: RSVP LSP Policing and Timers

• Assign 40K of RSVP bandwidth to LSP Brown and enable the policing of traffic going
through this LSP equal to the configured value.
• Change the time between the attempts of bringing up a failed primary path of LSP
Brown to 10 seconds and number of these attempts to 10. Also configure a hold-
down window for switching traffic back to the restored primary to 30 seconds.

Configuration:

R1:

set protocols mpls label-switched-path Brown bandwidth 40k

set firewall family any filter Filter-Brown term 1 then policer
Police-Brown
set firewall family any filter Filter-Brown term 1 then accept
set firewall policer Police-Brown if-exceeding bandwidth-limit 40k
set firewall policer Police-Brown if-exceeding burst-size-limit 1500
set firewall policer Police-Brown then discard
set protocols mpls label-switched-path Brown policing filter Filter-
Brown

set protocols mpls label-switched-path Brown retry-timer 10

set protocols mpls label-switched-path Brown retry-limit 10
set protocols mpls label-switched-path Brown revert-timer 30

Verification:

lab@R1# run show mpls lsp ingress name Brown extensive

Ingress LSP: 3 sessions

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Brown
ActivePath: Brown-Primary (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
Revert timer: 30
*Primary Brown-Primary State: Up
Priorities: 7 0
Bandwidth: 40kbps
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.13.3 10.1.35.5 10.1.45.4 10.1.24.2
4 Jul 19 11:30:40.770 Selected as active path
3 Jul 19 11:30:40.769 Record Route: 10.1.13.3 10.1.35.5 10.1.45.4 10.1.24.2
2 Jul 19 11:30:40.769 Up
1 Jul 19 11:30:40.654 Originate Call
Standby Brown-Secondary State: Up 17
Priorities: 7 0 0
Bandwidth: 40kbps




171 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.13.3 10.1.34.4 10.1.24.2
3 Jul 19 11:31:09.957 Record Route: 10.1.13.3 10.1.34.4 10.1.24.2
2 Jul 19 11:31:09.956 Up
1 Jul 19 11:31:09.724 Originate Call
Created: Fri Jul 19 11:30:41 2013
Retrytimer: 10
Retrylimit: 10
Total 1 displayed, Up 1, Down 0

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

17
1





172 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.9: RSVP LSP Usage for Internal Traffic

• Enable the use of LSP Brown for traffic from R1 to IP address 22.22.22.22 on R2.

Configuration:

R2:

set protocols mpls label-switched-path Brown install 22.22.22.22/32

active

Verification:

Before applying configuration in LSP section:

lab@R1# run traceroute 22.22.22.22

traceroute to 22.22.22.22 (22.22.22.22), 30 hops max, 40 byte packets
1 10.1.13.3 (10.1.13.3) 14.157 ms 8.403 ms 8.175 ms
2 10.1.34.4 (10.1.34.4) 8.810 ms 7.694 ms 8.226 ms
3 22.22.22.22 (22.22.22.22) 2.364 ms 2.395 ms 2.278 ms

After:

lab@R1# run traceroute 22.22.22.22

traceroute to 22.22.22.22 (22.22.22.22), 30 hops max, 40 byte packets
1 10.1.13.3 (10.1.13.3) 2.740 ms 1.986 ms 8.299 ms
MPLS Label=300000 CoS=0 TTL=1 S=1
2 10.1.35.5 (10.1.35.5) 2.889 ms 2.749 ms 2.288 ms
MPLS Label=299792 CoS=0 TTL=1 S=1
3 10.1.45.4 (10.1.45.4) 2.394 ms 8.120 ms 7.746 ms
MPLS Label=300000 CoS=0 TTL=1 S=1
4 22.22.22.22 (22.22.22.22) 2.507 ms 15.354 ms 2.816 ms

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

17
2





173 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.10: RSVP LSP Optimization.

• Change the configuration of your routers so that each router can report the current
bandwidth reservations to OSPF.
• Within Brown LSP configuration, turn the LSP optimization on with the optimize-
timer set to 60 seconds.

Configuration:

On all routers:

set protocols ospf traffic-engineering

R1:

delete protocols mpls label-switched-path Brown no-cspf

set protocols mpls label-switched-path Brown optimize-timer 60

Verification:

Let’s disable R3 ge-0/0/4.35 interface to break the primary path and let the secondary path
become active:

R3:

set interfaces ge-0/0/4.35 disable

lab@R1# run show mpls lsp name Brown extensive

Ingress LSP: 3 sessions

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Brown
ActivePath: Brown-Secondary (secondary)

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
Revert timer: 30
Primary Brown-Primary State: Dn
Priorities: 7 0
Bandwidth: 40kbps
OptimizeTimer: 60
SmartOptimizeTimer: 180
RetryCount: 10
RetryLimit: 10
No computed ERO.
23 Jul 22 08:34:54.382 Retry limit exceeded
22 Jul 22 08:34:44.551 CSPF failed: no route toward 2.2.2.2[11 times]
21 Jul 22 08:33:09.062 Clear Call: CSPF computation failed
20 Jul 22 08:33:09.061 CSPF: link down/deleted: 10.1.35.3(3.3.3.3:73)(3.3.3.3)-
>10.1.35.5(5.5.5.5:0)(5.5.5.5)
19 Jul 22 08:33:09.038 Deselected as active
18 Jul 22 08:33:09.038 ResvTear received
17 Jul 22 08:33:09.037 10.1.13.1: Down 17
16 Jul 22 08:33:09.037 CSPF failed: no route toward 2.2.2.2 3
15 Jul 22 08:33:09.036 10.1.13.3: No Route toward dest




174 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

14 Jul 22 08:28:12.961 CSPF: computation result ignored, new path no benefit

13 Jul 22 08:27:15.810 Selected as active path
12 Jul 22 08:27:15.810 Record Route: 10.1.13.3 10.1.35.5 10.1.45.4 10.1.24.2
11 Jul 22 08:27:15.810 Up
10 Jul 22 08:27:15.697 Originate Call

[…skipped…]

Now LSP Brown uses the following ERO: 10.1.13.3 10.1.34.4 10.1.24.2

lab@R1# run show mpls lsp name Brown extensive

[…skipped…]

*Standby Brown-Secondary State: Up

Priorities: 7 0
Bandwidth: 40kbps
OptimizeTimer: 60
SmartOptimizeTimer: 180
Reoptimization in 7 second(s).
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 4278967308)
10.1.13.3 S 10.1.34.4 S 10.1.24.2 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.13.3 10.1.34.4 10.1.24.2
17 Jul 22 08:34:17.844 CSPF: computation result ignored, new path no benefit[2
times]
16 Jul 22 08:33:09.038 Selected as active path

Let’s make some temporary changes to let the optimization algorithm choose the lower path
(going through ge-0/0/2 interface of R3) for the LSP:

R1:

set protocols mpls label-switched-path Brown bandwidth 2k

R3:

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

set protocols ospf area 0 interface ge-0/0/1.0 metric 10

Soon after the changes, we can see the effect of the reoptimization by issuing the following
command:

lab@R1# run show mpls lsp ingress name Brown extensive

[…skipped…]

*Standby Brown-Secondary State: Up

Priorities: 7 0
Bandwidth: 40kbps
OptimizeTimer: 60
SmartOptimizeTimer: 180
Reoptimization in 31 second(s).
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 4278967299)
10.1.13.3 S 10.1.43.4 S 10.1.24.2 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID): 17
4
10.1.13.3 10.1.43.4 10.1.24.2





175 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

67 Jul 22 09:13:18.120 Record Route: 10.1.13.3 10.1.43.4 10.1.24.2

66 Jul 22 09:13:18.119 Up
65 Jul 22 09:13:17.877 Originate Call
64 Jul 22 09:13:17.876 Clear Call
63 Jul 22 09:13:17.876 CSPF: computation result accepted 10.1.13.3 10.1.43.4
10.1.24.2
62 Jul 22 09:13:17.876 CSPF: Reroute due to re-optimization

After verification, don’t forget to rollback temporary changes.

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

17
5





176 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.11: RSVP Node/Link Protection

• Protect both Red and Blue LSPs with the link protection mechanism.
• Protect LSP Brown from the whole failure of R5.

Configuration:

R1:

set protocols mpls label-switched-path Red link-protection

set protocols mpls label-switched-path Blue link-protection
set protocols mpls label-switched-path Brown node-link-protection

R3:

set protocols rsvp interface ge-0/0/1.0 link-protection

set protocols rsvp interface ge-0/0/2.0 link-protection

Verification:

lab@R1# run show mpls lsp ingress name Red detail
Ingress LSP: 3 sessions

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Red
ActivePath: Red-Primary (primary)
Link protection desired
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary Red-Primary State: Up
Priorities: 7 0
Bandwidth: 1000kbps
SmartOptimizeTimer: 180

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
3.3.3.3(flag=0x21) 10.1.13.3(flag=1 Label=300496) 4.4.4.4(flag=0x20)
10.1.34.4(Label=300496) 2.2.2.2(flag=0x20) 10.1.24.2(Label=3)
Total 1 displayed, Up 1, Down 0

lab@R1# run show mpls lsp ingress name Blue detail

Ingress LSP: 3 sessions

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Blue
ActivePath: Blue-Primary (primary)
Link protection desired
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary Blue-Primary State: Up
Priorities: 7 0
Bandwidth: 2Mbps
SmartOptimizeTimer: 180 17
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 6
20=Node-ID):




177 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

3.3.3.3(flag=0x21) 10.1.13.3(flag=1 Label=300480) 4.4.4.4(flag=0x20)

10.1.43.4(Label=300480) 2.2.2.2(flag=0x20) 10.1.24.2(Label=3)
Total 1 displayed, Up 1, Down 0

lab@R3# run show rsvp session ingress bypass detail

Ingress RSVP: 2 sessions

4.4.4.4
From: 3.3.3.3, LSPstate: Up, ActiveRoute: 0
LSPname: Bypass->10.1.43.4
LSPtype: Static Configured
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 299888
Resv style: 1 SE, Label in: -, Label out: 299888
Time left: -, Since: Mon Jul 22 12:03:31 2013
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
Port number: sender 1 receiver 57949 protocol 0
Type: Bypass LSP
Number of data route tunnel through: 1
Number of RSVP session tunnel through: 0
PATH rcvfrom: localclient
Adspec: sent MTU 1500
Path MTU: received 1500
PATH sentto: 10.1.35.5 (ge-0/0/4.35) 6 pkts
RESV rcvfrom: 10.1.35.5 (ge-0/0/4.35) 6 pkts
Explct route: 10.1.35.5 10.1.45.4
Record route: <self> 10.1.35.5 10.1.45.4

4.4.4.4
From: 3.3.3.3, LSPstate: Up, ActiveRoute: 0
LSPname: Bypass->10.1.34.4
LSPtype: Static Configured
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 3
Resv style: 1 SE, Label in: -, Label out: 3
Time left: -, Since: Mon Jul 22 12:03:35 2013
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
Port number: sender 1 receiver 57950 protocol 0

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

Type: Bypass LSP
Number of data route tunnel through: 1
Number of RSVP session tunnel through: 0
PATH rcvfrom: localclient
Adspec: sent MTU 1500
Path MTU: received 1500
PATH sentto: 10.1.43.4 (ge-0/0/2.0) 1 pkts
RESV rcvfrom: 10.1.43.4 (ge-0/0/2.0) 1 pkts
Explct route: 10.1.43.4
Record route: <self> 10.1.43.4
Total 2 displayed, Up 2, Down 0

lab@R1# run show mpls lsp ingress name Brown detail

Ingress LSP: 3 sessions

2.2.2.2
From: 1.1.1.1, State: Up, ActiveRoute: 0, LSPname: Brown
ActivePath: Brown-Primary (primary)
Node/Link protection desired
17
LSPtype: Static Configured
7
LoadBalance: Random




178 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Encoding type: Packet, Switching type: Packet, GPID: IPv4

Revert timer: 30
*Primary Brown-Primary State: Up
Priorities: 7 0
Bandwidth: 40kbps
OptimizeTimer: 60
SmartOptimizeTimer: 180
Reoptimization in 34 second(s).
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 4)
10.1.13.3 S 10.1.35.5 S 10.1.45.4 S 10.1.24.2 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
3.3.3.3(flag=0x29) 10.1.13.3(flag=9 Label=300512) 5.5.5.5(flag=0x20)
10.1.35.5(Label=299904) 4.4.4.4(flag=0x20) 10.1.45.4(Label=300512)
2.2.2.2(flag=0x20) 10.1.24.2(Label=3)

lab@R3# run show rsvp session ingress bypass

Ingress RSVP: 3 sessions
To From State Rt Style Labelin Labelout LSPname
4.4.4.4 3.3.3.3 Up 0 1 SE - 299888 Bypass->10.1.43.4
4.4.4.4 3.3.3.3 Up 0 1 SE - 3 Bypass->10.1.34.4
4.4.4.4 3.3.3.3 Up 0 1 SE - 3 Bypass->10.1.35.5-
>10.1.45.4
Total 3 displayed, Up 3, Down 0

lab@R3# run show rsvp session ingress bypass name Bypass->10.1.35.5->10.1.45.4

extensive
Ingress RSVP: 3 sessions

4.4.4.4
From: 3.3.3.3, LSPstate: Up, ActiveRoute: 0
LSPname: Bypass->10.1.35.5->10.1.45.4
LSPtype: Static Configured
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 3
Resv style: 1 SE, Label in: -, Label out: 3
Time left: -, Since: Mon Jul 22 12:10:37 2013
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

Port number: sender 1 receiver 57951 protocol 0
Type: Bypass LSP
Number of data route tunnel through: 1
Number of RSVP session tunnel through: 0
PATH rcvfrom: localclient
Adspec: sent MTU 1500
Path MTU: received 1500
PATH sentto: 10.1.43.4 (ge-0/0/2.0) 1 pkts
RESV rcvfrom: 10.1.43.4 (ge-0/0/2.0) 1 pkts
Explct route: 10.1.43.4
Record route: <self> 10.1.43.4
Total 1 displayed, Up 1, Down 0

17
8





179 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.12: Fast Reroute for RSVP LSP

• Reconfigure the Orange LSP so that it visits R5 and request Fast Reroute for this LSP.

Configuration:

R2:

set protocols mpls path Orange-Primary 5.5.5.5 loose

set protocols mpls label-switched-path Orange primary Orange-Primary
set protocols mpls label-switched-path Orange fast-reroute

Verification:

lab@R2# run show mpls lsp ingress name Orange extensive
Ingress LSP: 2 sessions

1.1.1.1
From: 2.2.2.2, State: Up, ActiveRoute: 0, LSPname: Orange
ActivePath: (primary)
FastReroute desired
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.24.4(flag=1) 10.1.43.3 10.1.13.1
16 Jul 22 12:16:19.589 Record Route: 10.1.24.4(flag=1) 10.1.43.3 10.1.13.1
15 Jul 22 12:16:17.596 Make-before-break: Switched to new instance
14 Jul 22 12:16:16.594 Record Route: 10.1.24.4 10.1.43.3 10.1.13.1
13 Jul 22 12:16:16.594 Up
12 Jul 22 12:16:16.356 Originate make-before-break call

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

[…skipped…]

lab@R4# run show mpls lsp name Orange transit extensive

Transit LSP: 6 sessions, 1 detours

1.1.1.1
From: 2.2.2.2, LSPstate: Up, ActiveRoute: 0
LSPname: Orange, LSPpath: Primary
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 299920
Resv style: 1 FF, Label in: 300592, Label out: 299920
Time left: 158, Since: Mon Jul 22 12:32:09 2013
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
Port number: sender 1 receiver 50967 protocol 0
FastReroute desired
PATH rcvfrom: 10.1.24.2 (ge-0/0/4.24) 6 pkts
Adspec: received MTU 1500 sent MTU 1500
PATH sentto: 10.1.45.5 (ge-0/0/4.45) 10 pkts
RESV rcvfrom: 10.1.45.5 (ge-0/0/4.45) 8 pkts
17
Explct route: 10.1.45.5 5.5.5.5
9
Record route: 10.1.24.2 <self> 10.1.45.5 10.1.35.3 10.1.13.1




180 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Detour is Up
Detour Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
Detour adspec: received MTU 1500 sent MTU 1500
Path MTU: received 1500
Detour PATH sentto: 10.1.34.3 (ge-0/0/1.0) 4 pkts
Detour RESV rcvfrom: 10.1.34.3 (ge-0/0/1.0) 2 pkts
Detour Explct route: 10.1.34.3 10.1.13.1
Detour Record route: 10.1.24.2 <self> 10.1.34.3 10.1.13.1
Detour Label out: 300640
Detour branch from 10.1.45.5, to skip 3.3.3.3, Up
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
Adspec: received MTU 1500
Path MTU: received 0
PATH rcvfrom: 10.1.45.5 (ge-0/0/4.45) 8 pkts
Adspec: received MTU 1500
PATH sentto: 10.1.34.3 (ge-0/0/1.0) 0 pkts
RESV rcvfrom: 10.1.34.3 (ge-0/0/1.0) 0 pkts
Explct route: 10.1.34.3 10.1.13.1
Record route: 10.1.24.2 10.1.45.4 10.1.45.5 <self> 10.1.34.3 10.1.13.1
Label in: 300608, Label out: 300640
Total 1 displayed, Up 1, Down 0

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

18
0





181 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.13: RSVP Link Coloring

• Assign link colors Red, Blue and Green to R4 ge-0/0/1.0, R4 ge-0/0/2.0 and R4 ge-
0/0/4.45 interfaces respectively.
• Also assign Green color to R2 ge-0/0/4.24, R5 ge-0/0/4.35 and R3 ge-0/0/4.13

Configuration:

R2-R5:

set protocols mpls admin-groups Red 1

set protocols mpls admin-groups Blue 2
set protocols mpls admin-groups Green 3

R2:

set protocols mpls interface ge-0/0/4.24 admin-group Green

R3:

set protocols mpls interface ge-0/0/4.13 admin-group Green

R4:

set protocols mpls interface ge-0/0/1.0 admin-group Red

set protocols mpls interface ge-0/0/2.0 admin-group Blue
set protocols mpls interface ge-0/0/4.45 admin-group Green

R5:

set protocols mpls interface ge-0/0/4.35 admin-group Green

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

18
1





182 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R2# run show mpls interface
Interface State Administrative groups (x: extended)
ge-0/0/4.24 Up Green

lab@R3# run show mpls interface

Interface State Administrative groups (x: extended)
ge-0/0/1.0 Up <none>
ge-0/0/2.0 Up <none>
ge-0/0/4.13 Up Green
ge-0/0/4.35 Up <none>

lab@R4# run show mpls interface

Interface State Administrative groups (x: extended)
ge-0/0/1.0 Up Red
ge-0/0/2.0 Up Blue
ge-0/0/4.24 Up <none>
ge-0/0/4.45 Up Green

lab@R5# run show mpls interface

Interface State Administrative groups (x: extended)
ge-0/0/4.35 Up Green
ge-0/0/4.45 Up <none>

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

18
2





183 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.14: RSVP Link Coloring (cont.)

• Create an LSP from R2 to R1 named “AG1” which includes links only with Green color
while building LSP.
• Create another LSP to the same direction named “AG2” which excludes links with
colors Red or Blue.

Configuration:

R2:

set protocols mpls label-switched-path AG1 to 1.1.1.1 admin-group

include-any Green
set protocols mpls label-switched-path AG2 to 1.1.1.1 admin-group
exclude [Red Blue]

Verification:

In the case of the ‘AG1’ path, we are only working with one color. Because of this, the
‘include-any’ or ‘include-all’ both would have worked the same in this task. The ‘include-any’
functions as an OR when multiple colors are assigned to the LSP. The ‘include-all’ functions
as an AND when multiple colors are assigned to the LSP.

When using the ‘exclude’ option, you are telling the router to perform an OR on the
configured colors. The ‘exclude’ option will ony exclude links if that link contains one of the
colors that it should exclude. Links without any administrative group assigned to them can
still become part of the LSP path when ‘exclude’ is used .

When both include and exclude options are used, the LSP will perform an AND on these
configuration statements.

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

lab@R2# run show mpls lsp ingress name AG1 extensive
Ingress LSP: 4 sessions

1.1.1.1
From: 2.2.2.2, State: Up, ActiveRoute: 0, LSPname: AG1
ActivePath: (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Include Any: Green
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 4)
10.1.24.4 S 10.1.45.5 S 10.1.35.3 S 10.1.13.1 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.24.4 10.1.45.5 10.1.35.3 10.1.13.1 18
3

6 Jul 22 12:55:46.370 Selected as active path

184 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

5 Jul 22 12:55:46.369 Record Route: 10.1.24.4 10.1.45.5 10.1.35.3 10.1.13.1

4 Jul 22 12:55:46.369 Up
3 Jul 22 12:55:46.279 Originate Call
2 Jul 22 12:55:46.279 CSPF: computation result accepted 10.1.24.4 10.1.45.5
10.1.35.3 10.1.13.1
Created: Mon Jul 22 12:49:07 2013
Total 1 displayed, Up 1, Down 0

lab@R2# run show mpls lsp ingress name AG2 extensive

Ingress LSP: 4 sessions

1.1.1.1
From: 2.2.2.2, State: Up, ActiveRoute: 0, LSPname: AG2
ActivePath: (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Exclude: Blue Red
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 4)
10.1.24.4 S 10.1.45.5 S 10.1.35.3 S 10.1.13.1 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.24.4 10.1.45.5 10.1.35.3 10.1.13.1
5 Jul 22 13:02:49.319 Selected as active path
4 Jul 22 13:02:49.318 Record Route: 10.1.24.4 10.1.45.5 10.1.35.3 10.1.13.1
3 Jul 22 13:02:49.318 Up
2 Jul 22 13:02:49.222 Originate Call
1 Jul 22 13:02:49.222 CSPF: computation result accepted 10.1.24.4 10.1.45.5
10.1.35.3 10.1.13.1
Created: Mon Jul 22 13:02:49 2013
Total 1 displayed, Up 1, Down 0

Also keep in mind that when you assign link-colors, the change is not immediately reflected

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

in the LSPs that are are already signaled. The change wil only applies to new LSPs. You can
run the ‘clear mpls lsp’ or a ‘clear rsvp session’ command on the node you are working on to
force the (transit) LSPs to take into consideration any colors that you’ve assigned or
removed.

A final thing worth mentioning is that the link-color assigned to a link is evaluated as packets
make their way to the destination. For instance, if the link on the R1 router towards the R3
router would have been configured with the color ‘blue’, this color would not have been
taken into consideration by either of the LSPs. So even though LSP ‘AG2’ specifically excludes
this color, the LSP would have been able to cross this link anyway.

18
4





185 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.15: RSVP LSP Auto-Bandwidth

• Enable auto-bandwidth on LSP Orange with the bandwidth reallocation interval set to
300 seconds.
• Adjust the auto-bandwidth statistics interval to 30 seconds and use the name “mpls-
stat” for the statistics file.

Configuration:

R2:

set protocols mpls statistics file mpls-stat

set protocols mpls statistics interval 30
set protocols mpls statistics auto-bandwidth

set protocols mpls label-switched-path Orange auto-bandwidth adjust-

interval 300
delete protocols mpls label-switched-path Orange no-cspf

Verification:

lab@R2# run ping 1.1.1.1 rapid count 10000

[…skipped…]

lab@R2# run file show /var/log/mpls-stat | last 10

Jul 22 13:26:48 Total 8 sessions: 4 success, 0 fail, 4 ignored
Green (LSP ID 5, Tunnel ID 50965) 1 pkt 84 Byte
0 pps 0 Bps Reserved Bw 0 Bps
AG2 (LSP ID 1, Tunnel ID 50969) 14 pkt 648 Byte
0 pps 0 Bps Reserved Bw 0 Bps
AG1 (LSP ID 1, Tunnel ID 50973) 0 pkt 0 Byte
0 pps 0 Bps Reserved Bw 0 Bps
Orange (LSP ID 1, Tunnel ID 50974) 10005 pkt839892 Byte 0 pps

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

0 Bps Reserved Bw 0 Bps
Jul 22 13:27:18 Total 8 sessions: 4 success, 0 fail, 4 ignored

lab@R2# run show mpls lsp ingress name Orange extensive

Ingress LSP: 4 sessions

1.1.1.1
From: 2.2.2.2, State: Up, ActiveRoute: 0, LSPname: Orange
ActivePath: Orange-Primary (primary)
FastReroute desired
LSPtype: Static Configured
LoadBalance: Random
Autobandwidth
AdjustTimer: 300 secs
Max AvgBW util: 0bps, Bandwidth Adjustment in 296 second(s).
Overflow limit: 0, Overflow sample count: 0
Underflow limit: 0, Underflow sample count: 1, Underflow Max AvgBW: 0bps
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary Orange-Primary State: Up
Priorities: 7 0 18
5

Bandwidth: 112.215kbps

186 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 4)
10.1.24.4 S 10.1.45.5 S 10.1.35.3 S 10.1.13.1 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.24.4 10.1.45.5 10.1.35.3 10.1.13.1
13 Jul 22 13:28:19.520 Make-before-break: Switched to new instance
12 Jul 22 13:28:18.519 Record Route: 10.1.24.4 10.1.45.5 10.1.35.3 10.1.13.1
11 Jul 22 13:28:18.519 Up
10 Jul 22 13:28:18.518 Automatic Autobw adjustment succeeded: BW changes from 0
bps to 112215 bps
9 Jul 22 13:28:18.417 Originate make-before-break call

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

18
6





187 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.16: RSVP LSP TTL Handling

• On the Orange LSP, enable the Juniper proprietary mechanism that disables normal
TTL decrementing.

Configuration:

R2:

set protocols mpls label-switched-path Orange no-decrement-ttl

Verification:
lab@R2# run show mpls lsp ingress name Orange extensive
Ingress LSP: 4 sessions

1.1.1.1
From: 2.2.2.2, State: Up, ActiveRoute: 0, LSPname: Orange
ActivePath: Orange-Primary (primary)
FastReroute desired
LSPtype: Static Configured
LoadBalance: Random
Autobandwidth
AdjustTimer: 300 secs
Max AvgBW util: 0bps, Bandwidth Adjustment in 255 second(s).
Overflow limit: 0, Overflow sample count: 0
Underflow limit: 0, Underflow sample count: 0, Underflow Max AvgBW: 0bps
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary Orange-Primary State: Up, No-decrement-ttl
Priorities: 7 0
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 4)
10.1.24.4 S 10.1.45.5 S 10.1.35.3 S 10.1.13.1 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.24.4(flag=9) 10.1.45.5(flag=1) 10.1.35.3 10.1.13.1

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

7 Jul 22 13:32:23.383 Record Route: 10.1.24.4(flag=9) 10.1.45.5(flag=1)
10.1.35.3 10.1.13.1
6 Jul 22 13:32:23.364 Record Route: 10.1.24.4(flag=9) 10.1.45.5 10.1.35.3
10.1.13.1
5 Jul 22 13:32:20.231 Selected as active path
4 Jul 22 13:32:20.230 Record Route: 10.1.24.4 10.1.45.5 10.1.35.3 10.1.13.1
3 Jul 22 13:32:20.230 Up
2 Jul 22 13:32:20.126 Originate Call
1 Jul 22 13:32:20.126 CSPF: computation result accepted 10.1.24.4 10.1.45.5
10.1.35.3 10.1.13.1
Created: Mon Jul 22 13:32:20 2013
Total 1 displayed, Up 1, Down 0

The ‘no-decrement-ttl’ is the Juniper proprietary solution for disabling the normal TTL. It is
configured per LSP and when it is successful, the whole LSP will start to behave as one hop to
any transit IP traffic.
The non-proprietary alternative to this would be the ‘no-propagate-ttl’ configuration
statement. This statement can be configured under the [protocols mpls] stanza. The 2 18
7





188 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

differences with this way of disabling the TTL is that it affects all LSPs (RSVP and LDP
signaled) and that it has to be configured on every router.

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

18
8





189 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2. LDP
Initial configurations: OSPFv2-baseline

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

18
9





190 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.17: LDP Baseline

• Enable LDP on the R1-R3 and R2-R4 links and on the loopback interfaces of the
routers involved.
• LDP sessions should be extended and authenticated with MD5 hashes using the R1R3
and R2R4 passwords respectively.
• On both pairs enable, the mode that prevents LDP sessions from being established
with non-configured LDP peers.

Configuration:

R1:

set interfaces ge-0/0/4.13 family mpls

set protocols mpls interface all
set protocols ldp interface ge-0/0/4.13
set protocols ldp interface lo0.0
set protocols ldp session 3.3.3.3 authentication-key R1R3
set protocols ldp strict-targeted-hellos

R3:

set interfaces ge-0/0/4.13 family mpls

set protocols mpls interface all
set protocols ldp interface ge-0/0/4.13
set protocols ldp interface lo0.0
set protocols ldp session 1.1.1.1 authentication-key R1R3
set protocols ldp strict-targeted-hellos

R2:

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

set interfaces ge-0/0/4.24 family mpls
set protocols mpls interface all
set protocols ldp interface ge-0/0/4.24
set protocols ldp interface lo0.0
set protocols ldp session 4.4.4.4 authentication-key R2R4
set protocols ldp strict-targeted-hellos

R4:

set interfaces ge-0/0/4.24 family mpls

set protocols mpls interface all
set protocols ldp interface ge-0/0/4.24
set protocols ldp interface lo0.0
set protocols ldp session 2.2.2.2 authentication-key R2R4
set protocols ldp strict-targeted-hellos
19
0





191 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

To authenticate the TCP session that LDP neighbors setup, we configured the
‘authentication-key’ under the corresponding LDP session. By enabling ‘strict-targeted-
hellos’, we prevent session-establishtment with neighbors that are not specifically
configured.


lab@R1# run show ldp session
Address State Connection Hold time
3.3.3.3 Operational Open 28

lab@R2# run show ldp session

Address State Connection Hold time
4.4.4.4 Operational Open 25

lab@R1# run show ldp overview

Instance: master
Router ID: 1.1.1.1
Message id: 302
Configuration sequence: 7
Deaggregate: disabled
Explicit null: disabled
IPv6 tunneling: disabled
Strict targeted hellos: enabled
Loopback if added: yes

lab@R2# run show ldp overview

Instance: master
Router ID: 2.2.2.2
Message id: 196
Configuration sequence: 1
Deaggregate: disabled

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

Explicit null: disabled
IPv6 tunneling: disabled
Strict targeted hellos: enabled
Loopback if added: yes

lab@R1# run show ldp session detail | match Auth

Authentication type: MD5

lab@R2# run show ldp session detail | match Auth

Authentication type: MD5

19
1





192 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.18: LDP Tunneling

• Configure 2 RSVP LSPs between R3 and R4 and have them transit R5.
• Enable the RSVP signaled LSPs for LDP LSPs.
• Make sure that internal traffic between the R1 and R2 loopback addresses make use
of the LDP LSPs and make sure that the LDP metric on both R1 and R2 is derived from
the IGP.

Configuration:

On R1 and R2:

set protocols mpls traffic-engineering mpls-forwarding

set protocols ldp track-igp-metric

R3:

set interfaces ge-0/0/4.35 family mpls

set protocols rsvp interface ge-0/0/4.35
set protocols mpls label-switched-path R3-R4 to 4.4.4.4
set protocols mpls label-switched-path R3-R4 no-cspf
set protocols mpls label-switched-path R3-R4 primary R3-R5-R4
set protocols mpls path R3-R5-R4 5.5.5.5 loose
set protocols mpls label-switched-path R3-R4 ldp-tunneling

R4:

set interfaces ge-0/0/4.45 family mpls

set protocols rsvp interface ge-0/0/4.45
set protocols mpls label-switched-path R4-R3 to 3.3.3.3
set protocols mpls label-switched-path R4-R3 no-cspf

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

set protocols mpls label-switched-path R4-R3 primary R4-R5-R3
set protocols mpls path R4-R5-R3 5.5.5.5 loose
set protocols mpls label-switched-path R4-R3 ldp-tunneling

R5:

set interfaces ge-0/0/4.35 family mpls

set interfaces ge-0/0/4.45 family mpls
set protocols mpls interface all
set protocols rsvp interface ge-0/0/4.35
set protocols rsvp interface ge-0/0/4.45

19
2





193 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

Because we configured the LSPs between R3 and R4 to tunnel LDP, we do not need to
explicitly configure an LDP session. This is despite of the fact that we have enabled ‘strict-
targeted-hellos’.

lab@R3# run show mpls lsp ingress detail
Ingress LSP: 1 sessions

4.4.4.4
From: 3.3.3.3, State: Up, ActiveRoute: 0, LSPname: R3-R4
ActivePath: R3-R5-R4 (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary R3-R5-R4 State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.1.35.5 10.1.45.4
Total 1 displayed, Up 1, Down 0

lab@R4# run show mpls lsp ingress detail

Ingress LSP: 1 sessions

3.3.3.3
From: 4.4.4.4, State: Up, ActiveRoute: 0, LSPname: R4-R3
ActivePath: R4-R5-R3 (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary R4-R5-R3 State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

20=Node-ID):
10.1.45.5 10.1.35.3
Total 1 displayed, Up 1, Down 0

lab@R1# run show route table inet.0 2.2.2.2 exact

inet.0: 17 destinations, 20 routes (17 active, 0 holddown, 0 hidden)

@ = Routing Use Only, # = Forwarding Use Only
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32 @[OSPF/10] 00:30:23, metric 3

> to 10.1.13.3 via ge-0/0/4.13
#[LDP/9] 00:29:47, metric 3
> to 10.1.13.3 via ge-0/0/4.13, Push 299840

lab@R1# run traceroute 2.2.2.2

traceroute to 2.2.2.2 (2.2.2.2), 30 hops max, 40 byte packets
1 10.1.13.3 (10.1.13.3) 13.937 ms 2.239 ms 7.913 ms
MPLS Label=299840 CoS=0 TTL=1 S=1
2 10.1.35.5 (10.1.35.5) 2.483 ms 2.502 ms 2.447 ms 19
3

MPLS Label=299776 CoS=0 TTL=1 S=0

194 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

MPLS Label=299776 CoS=0 TTL=1 S=1

3 10.1.45.4 (10.1.45.4) 2.433 ms 8.261 ms 8.019 ms
MPLS Label=299776 CoS=0 TTL=1 S=1
4 2.2.2.2 (2.2.2.2) 9.092 ms 2.466 ms 7.687 ms

lab@R2# run show route table inet.0 1.1.1.1 exact

inet.0: 18 destinations, 21 routes (18 active, 0 holddown, 0 hidden)

@ = Routing Use Only, # = Forwarding Use Only
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32 @[OSPF/10] 00:17:04, metric 3

> to 10.1.24.4 via ge-0/0/4.24
#[LDP/9] 00:17:04, metric 3
> to 10.1.24.4 via ge-0/0/4.24, Push 299808

lab@R2# run traceroute 1.1.1.1

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets
1 10.1.24.4 (10.1.24.4) 2.248 ms 2.254 ms 1.751 ms
MPLS Label=299808 CoS=0 TTL=1 S=1
2 10.1.45.5 (10.1.45.5) 2.326 ms 2.371 ms 8.020 ms
MPLS Label=299792 CoS=0 TTL=1 S=0
MPLS Label=299808 CoS=0 TTL=1 S=1
3 10.1.35.3 (10.1.35.3) 2.309 ms 8.398 ms 2.197 ms
MPLS Label=299808 CoS=0 TTL=1 S=1
4 1.1.1.1 (1.1.1.1) 3.361 ms 2.403 ms 7.863 ms

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

19
4





195 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 3.19: LDP Policies
• In addition to the loopback interface, have R2 announce prefix 22.22.22.0/24 into
LDP.
• Make sure that only /32 prefixes are installed in the inet.3 table of R1 and R3.
Configure only the R3 router to achieve this.

Configuration:

R2:

set policy-options policy-statement direct-ldp term 1 from protocol

direct
set policy-options policy-statement direct-ldp term 1 from route-
filter 2.2.2.2/32 exact
set policy-options policy-statement direct-ldp term 1 from route-
filter 22.22.22.0/24 exact
set policy-options policy-statement direct-ldp term 1 then accept

set protocols ldp egress-policy direct-ldp

R3:

set policy-options policy-statement ldp-import-filter term 1 from

route-filter 0.0.0.0/0 upto /31
set policy-options policy-statement ldp-import-filter term 1 then
reject
set policy-options policy-statement ldp-import-filter term 2 then
accept

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

set protocols ldp import ldp-import-filter

19
5





196 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

Under the LDP protocol configuration stanza, you can configure an import policy, an export
policy and an egress policy.
The import and export policy can be used to filter label bindings. The egress policy is what
puts you in control of what it is that LDP should advertise. By configuring an egress policy,
you can advertise additional label bindings that are derived from other interfaces or
protocols.

By default, Juniper devices only advertise a label binding for the loopback IP address

lab@R4>show route table inet.3 22.22.22.0/24 exact

inet.3: 6 destinations, 9 routes (4 active, 0 holddown, 4 hidden)

+ = Active Route, - = Last Active, * = Both

22.22.22.0/24 *[LDP/9] 00:08:35, metric 1

> to 10.1.24.2 via ge-0/0/4.24

lab@R3# run show route table inet.3 22.22.22.0/24 exact

inet.3: 6 destinations, 9 routes (3 active, 0 holddown, 5 hidden)

lab@R3# run show route table inet.3 22.22.22.0/24 exact hidden

inet.3: 6 destinations, 9 routes (3 active, 0 holddown, 5 hidden)
+ = Active Route, - = Last Active, * = Both

22.22.22.0/24 [OSPF] 00:26:07, metric 3

> to 10.1.35.5 via ge-0/0/4.35, label-switched-path R3-R4

lab@R1# run show route table inet.3 22.22.22.0/24 hidden

[edit]

lab@R3# run show ldp database session 4.4.4.4

JNCIE-SP workbook: Appendix: Chapter 3 - MPLS

Input label database, 3.3.3.3:0--4.4.4.4:0
Label Prefix
299808 1.1.1.1/32
299776 2.2.2.2/32
299792 3.3.3.3/32
3 4.4.4.4/32
299776 22.22.22.0/24 (Filtered)

Output label database, 3.3.3.3:0--4.4.4.4:0

Label Prefix
299776 1.1.1.1/32
299808 2.2.2.2/32
3 3.3.3.3/32
299792 4.4.4.4/32

19
6





197 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix: Chapter 4 - BGP

Part 1. Basic BGP

Initial configurations: Part 1

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

19
7





198 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.1: iBGP full mesh

• Configure a full-mesh of iBGP sessions between R3, R4 and R5 according to the
diagram.
• Use the asdot notation format when configuring the AS number.

Configuration:

R3:

set protocols bgp group internal local-address 3.3.3.3

set protocols bgp group internal peer-as 1.19
set protocols bgp group internal neighbor 4.4.4.4
set protocols bgp group internal neighbor 5.5.5.5
set routing-options autonomous-system 1.19

R4:

set protocols bgp group internal local-address 4.4.4.4

set protocols bgp group internal peer-as 1.19
set protocols bgp group internal neighbor 3.3.3.3
set protocols bgp group internal neighbor 5.5.5.5
set routing-options autonomous-system 1.19

R5:

set protocols bgp group internal local-address 5.5.5.5

set protocols bgp group internal peer-as 1.19
set protocols bgp group internal neighbor 3.3.3.3
set protocols bgp group internal neighbor 4.4.4.4
set routing-options autonomous-system 1.19

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

19
8





199 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show bgp summary

Groups: 1 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
4.4.4.4 65555 12 12 0 0 4:21
0/0/0/0 0/0/0/0
5.5.5.5 65555 12 11 0 0 4:09
0/0/0/0 0/0/0/0

lab@R4# run show bgp summary

Groups: 1 Peers: 2 Down peers: 0

Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
3.3.3.3 65555 14 15 0 0 5:44
0/0/0/0 0/0/0/0
5.5.5.5 65555 14 14 0 0 5:29
0/0/0/0 0/0/0/0

With asdot notation, all the AS numbers in the 2-byte range of 0-65535 are written in
asplain. Any AS that is above that range is written in asdot+. In asdot+, AS numbers are
represented by two integer values joined by a period character. The first integer represents
the high order 16-bit value in decimal and the second integer represents the low order 16-
bit value in decimal.

In our case, the AS 65555 number exceeds 65535 and converts to AS 1.19. The ‘show bgp

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

summary’ command displays the asplain format, so this is a good check to see whether or
not the configuration (and the conversion) is done correctly.

There is also a Juniper configuration command to have AS numbers displayed in asdot-

notation. This is the ‘set routing-options autonomous-system asdot-notation’ configuration
command. When you configure this, any asplain configured AS will be displayed in asdot-
notation. You could have configured autonomous-system 65555 together with the asdot-
notation configuration command, and the ‘show bgp summary’ command would have
outputted AS 1.19 for you.

19
9





200 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.2: eBGP Neighborship and Authentication.

• Configure the eBGP sessions between R1,R3 and R2,R4.
• AS65565 should be configured as if it is connected to AS 65444
which was recently assimilated by AS 65555.
• Authenticate these sessions with the MD5-hashed passwords ‘R1R3’ and ‘R2R4’
respectively.

Configuration:

R1:

set protocols bgp group external neighbor 10.1.13.3 authentication-

key R1R3
set protocols bgp group external neighbor 10.1.13.3 peer-as 65555
set routing-options autonomous-system 65560

R2:

set protocols bgp group external neighbor 10.1.24.4 authentication-

key R2R4
set protocols bgp group external neighbor 10.1.24.4 peer-as 65444
set routing-options autonomous-system 65565

R3:

set protocols bgp group external neighbor 10.1.13.1 authentication-

key R1R3
set protocols bgp group external neighbor 10.1.13.1 peer-as 65560

R4:

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

set protocols bgp group external neighbor 10.1.24.2 authentication-
key R2R4
set protocols bgp group external neighbor 10.1.24.2 peer-as 65565
set protocols bgp group external neighbor 10.1.24.2 local-as 65444

20
0





201 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R1# run show bgp summary

Groups: 1 Peers: 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
10.1.13.3 65555 4 5 0 0 1:07
0/0/0/0 0/0/0/0

lab@R1# run show bgp neighbor 10.1.13.3 | match Auth

Options: <Preference AuthKey PeerAS Refresh>
Authentication key is configured

lab@R2# run show bgp summary

Groups: 1 Peers: 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
10.1.24.4 65444 21 21 0 0 8:19
0/0/0/0 0/0/0/0

lab@R2# run show bgp neighbor 10.1.24.4 | match Auth

Options: <Preference AuthKey PeerAS Refresh>
Authentication key is configured

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

20
1





202 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.3: Enabling BFD for BGP.

• Enable BFD on the iBGP session between R3 and R4.
• Specify 1 second as the minimum transmit and receive interval for failure detection
and 5 lost consecutive hellos before declaring down the session.

Configuration:

R3:

set protocols bgp group internal neighbor 4.4.4.4 bfd-liveness-

detection minimum-interval 1000
set protocols bgp group internal neighbor 4.4.4.4 bfd-liveness-
detection multiplier 5

R4:

set protocols bgp group internal neighbor 3.3.3.3 bfd-liveness-

detection minimum-interval 1000
set protocols bgp group internal neighbor 3.3.3.3 bfd-liveness-
detection multiplier 5

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

20
2





203 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show bfd session detail

Detect Transmit
Address State Interface Time Interval Multiplier
4.4.4.4 Up 5.000 1.000 5
Client BGP, TX interval 1.000, RX interval 1.000
Session up time 00:02:15
Local diagnostic NbrSignal, remote diagnostic None
Remote state Up, version 1

1 sessions, 1 clients
Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps

lab@R3# run show bgp neighbor 4.4.4.4 | match bfd

Options: <BfdEnabled>
BFD: enabled, up

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

20
3





204 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.4: BGP Route Injection and AS Path Manipulation.

• Inject prefixes 11.11.11.0/24 and 22.22.22.0/24 into BGP within their respective AS
according to the diagram.
• Make sure AS 65560 and AS 65565 see each other’s prefixes through BGP. Don’t
enable OSPF on the links connecting the ASes.
• Tune R4 to prevent the 65555 AS number from being added to the AS path when
prefixes are sent to AS 65565.
• Tune R4 to prevent the 65444 AS number from being added to the AS path of
prefixes sent to AS 65560.

Configuration:

R1:

set policy-options policy-statement static-bgp term 1 from protocol

direct
set policy-options policy-statement static-bgp term 1 from route-
filter 11.11.11.0/24 exact
set policy-options policy-statement static-bgp term 1 then accept
set protocols bgp group external export static-bgp

R2:

set policy-options policy-statement static-bgp term 1 from protocol

direct
set policy-options policy-statement static-bgp term 1 from route-
filter 22.22.22.0/24 exact
set policy-options policy-statement static-bgp term 1 then accept
set protocols bgp group external export static-bgp

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

R3:

set policy-options policy-statement nh then next-hop self

set protocols bgp group internal export nh

R4:

set policy-options policy-statement nh then next-hop self

set protocols bgp group internal export nh

set protocols bgp group external neighbor 10.1.24.2 local-as no-

prepend-global-as

set protocols bgp group external neighbor 10.1.24.2 local-as private

20

4





205 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

Before adding the “local-as private” option on R4, we can see that the AS configured as
‘local-as’ was added to the AS path:

lab@R1# run show route protocol bgp

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

22.22.22.0/24 *[BGP/170] 00:00:05, localpref 100

AS path: 65555 65444 65565 I
> to 10.1.13.3 via ge-0/0/4.13

After adding the “local-as private” option to the configuration on R4, we can see that the AS
is no longer added to the AS path:

lab@R1# run show route protocol bgp

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

22.22.22.0/24 *[BGP/170] 00:00:02, localpref 100

AS path: 65555 65565 I
> to 10.1.13.3 via ge-0/0/4.13

Before adding the “local-as no-prepend-global-as” configuration command on R4, we can

see that R4 prepends the AS that is configured under the routing-options as well as the AS
that it uses in as the local AS in the BGP session with R2:

lab@R2# run show route protocol bgp

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

11.11.11.0/24 *[BGP/170] 00:00:28, localpref 100

AS path: 65444 65555 65560 I
> to 10.1.24.4 via ge-0/0/4.24

After adding the “local-as no-prepend-global-as” configuration command, we can see that
R4 no longer prepends AS 65555. Instead, only the AS 65444 is prepended:

lab@R2# run show route protocol bgp

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

11.11.11.0/24 *[BGP/170] 00:00:27, localpref 100

AS path: 65444 65560 I 20
5
> to 10.1.24.4 via ge-0/0/4.24




206 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.5: Destination-based Remote-Triggered Blackhole (RTBH) Filtering

• Setup destination-based RTBH filtering in AS 65555.
• The protected resource is the R1 address 11.11.11.11/24 and the attack is coming
from subnet 22.22.22.22/24, a subnet that is configured on the R2 router.
• Use R5 as a signaling router and 6.6.6.0/24 as a prefix that is not used in the network.

Configuration:

R3:

set routing-options static route 6.6.6.0/24 reject

R5:

set routing-options static route 6.6.6.0/24 reject

set policy-options policy-statement RTBH term 1 from protocol
static
set policy-options policy-statement RTBH term 1 from tag 666
set policy-options policy-statement RTBH term 1 then local-
preference 1000
set policy-options policy-statement RTBH term 1 then community add
no-export
set policy-options policy-statement RTBH term 1 then next-hop
6.6.6.6
set policy-options policy-statement RTBH term 1 then accept
set policy-options community no-export members no-export
set protocols bgp group internal export RTBH

set routing-options static route 11.11.11.0/24 reject tag 666

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

20
6





207 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

First we verify the IP connectivity between the 11.11.11.11 and 22.22.22.22 IP addresses:

lab@R2>ping 11.11.11.11 source 22.22.22.22 count 1

PING 11.11.11.11 (11.11.11.11): 56 data bytes
64 bytes from 11.11.11.11: icmp_seq=0 ttl=62 time=3.282 ms

--- 11.11.11.11 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.282/3.282/3.282/0.000 ms

Before the DDOS starts, the signaling router does not advertise any routing information
towards other routers:
lab@R5# run show route advertising-protocol bgp 4.4.4.4

[edit]
lab@R5#

The R3 router will have the following entry in it’s routing-table:

lab@R3# run show route 11.11.11.0/24 exact

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

11.11.11.0/24 *[BGP/170] 01:04:27, localpref 100

AS path: 65560 I
> to 10.1.13.1 via ge-0/0/4.13

After discovering an ongoing DDoS attack, we can activate a static route on our signaling
router. Since the objective here is ‘Destination-based’ RTBH, we signal for the attacked
subnet to be redirected to the discard interface on all iBGP routers. We do this by adding
a static route on R5:

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

set routing-options static route 11.11.11.0/24 reject tag 666

After adding the route on R5, we can observe the following:

lab@R5# run show route advertising-protocol bgp 4.4.4.4

inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 11.11.11.0/24 6.6.6.6 1000 I

20
7





208 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R3# run show route 11.11.11.0/24 exact extensive

inet.0: 19 destinations, 20 routes (19 active, 0 holddown, 0 hidden)

11.11.11.0/24 (2 entries, 1 announced)
TSI:
KRT in-kernel 11.11.11.0/24 -> {indirect(262144)}
*BGP Preference: 170/-1001
Next hop type: Indirect
Address: 0x155ca28
Next-hop reference count: 3
Source: 5.5.5.5
Next hop type: Reject
Protocol next hop: 6.6.6.6
Indirect next hop: 15f83a0 262144
State: <Active Int Ext>
Local AS: 65555 Peer AS: 65555
Age: 21 Metric2: 0
Task: BGP_65555.5.5.5.5+179
Announcement bits (2): 0-KRT 5-Resolve tree 1
AS path: I
Communities: no-export
Accepted
Localpref: 1000
Router ID: 5.5.5.5
Indirect next hops: 1
Protocol next hop: 6.6.6.6 Metric: 0
Indirect next hop: 15f83a0 262144
Indirect path forwarding next hops: 0
Next hop type: Reject
6.6.6.0/24 Originating RIB: inet.0
Metric: 0 Node path count: 1
Forwarding nexthops: 0
Next hop type: Reject

lab@R2> ping 11.11.11.11 source 22.22.22.22 count 1

PING 11.11.11.11 (11.11.11.11): 56 data bytes
ping: sendto: No route to host

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

lab@R3> ping 11.11.11.11 count 1
PING 11.11.11.11 (11.11.11.11): 56 data bytes
ping: sendto: No route to host

By blocking all traffic towards the victim IP, we limit can limit the effect of the attack on
the networks of both the customer and the SP. The ‘no-export’ community prevents all
BGP speaking routers in the AS to advertise the subnet to neighboring ASes and the high
local preference makes sure that the route signaled by R5 will win andy election and
become the active.

20
8





209 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.6: Source-based RTBH Filtering

• Setup source-based RTBH filtering in AS 65555.
• The protected resource is the R1 address 11.11.11.11/24 and the attack is coming
from subnet 22.22.22.22/24, a subnet that is configured on the R2 router.
• Use R5 as a signaling router and 6.6.6.0/24 as a prefix that is not used in the network.
Activate strict uRPF on the R4 interface that connect the router to R2.

Configuration:

R4:

set routing-options static route 6.6.6.0/24 reject

set interfaces ge-0/0/4 unit 24 family inet rpf-check

R5:

delete routing-options static route 11.11.11.0/24 (from previous

task)
set routing-options static route 22.22.22.0/24 reject tag 666 (<--
attacker subnet)

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

20
9





210 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R4# run show route 22.22.22.0/24 exact

inet.0: 19 destinations, 20 routes (19 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

22.22.22.0/24 *[BGP/170] 00:00:00, localpref 1000, from 5.5.5.5

AS path: I

to Reject

[BGP/170] 01:27:10, localpref 100

AS path: 65565 I

> to 10.1.24.2 via ge-0/0/4.24

lab@R2> ping 11.11.11.11 source 22.22.22.22 count 1

PING 11.11.11.11 (11.11.11.11): 56 data bytes

--- 11.11.11.11 ping statistics ---

1 packets transmitted, 0 packets received, 100% packet loss

In this case uRPF doesn’t allow packets from the attacker to pass while at the same time
having the customer addresses that are under attack remain available in the ISP network.
This makes it a more appropriate solution when the source address of the attacker is
known.

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

lab@R3# run ping 11.11.11.11 count 1

PING 11.11.11.11 (11.11.11.11): 56 data bytes

64 bytes from 11.11.11.11: icmp_seq=0 ttl=64 time=1.236 ms

21
0





211 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2. BGP Policies

Initial configuration: Part 2

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

21
1





212 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.8: BGP Prefix Propagation and BGP Multipath.

• Configure eBGP sessions between AS65555 and its uplink ISP routers: R1 and R2.
• Configure eBGP sessions between AS65555 and its customers: R6 and R7. Also make
sure that customer prefixes from the diagram are propagated to AS65666.
• In AS 65007, enable load-balancing across its two external eBGP connections.

Configuration:

R1:

set protocols bgp group ebgp neighbor 10.1.13.3 peer-as 65555

R2:

set protocols bgp group ebgp neighbor 10.1.24.4 peer-as 65555

R3:

set protocols bgp group ebgp neighbor 10.1.13.1 peer-as 65666

R4:

set protocols bgp group ebgp neighbor 10.1.24.2 peer-as 65666

set protocols bgp group ebgp neighbor 10.1.47.7 peer-as 65007
set policy-options policy-statement nhs then next-hop self
set protocols bgp group ibgp export nhs

R5:

set protocols bgp group ebgp neighbor 10.1.57.7 peer-as 65007

set protocols bgp group ebgp neighbor 10.1.56.6 peer-as 65006

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

set policy-options policy-statement nhs then next-hop self
set protocols bgp group ibgp export nhs

21
2





213 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

R6:

set policy-options policy-statement static-bgp term 1 from protocol

static
set policy-options policy-statement static-bgp term 1 from route-
filter 172.16.4.0/22 prefix-length-range /24-/24
set policy-options policy-statement static-bgp term 1 then accept

set policy-options policy-statement static-bgp term 2 from protocol

direct
set policy-options policy-statement static-bgp term 2 from route-
filter 6.6.6.6/32 exact
set policy-options policy-statement static-bgp term 2 then accept

set protocols bgp group ebgp neighbor 10.1.56.5 peer-as 65555

set protocols bgp group ebgp export static-bgp
set routing-options autonomous-system 65006

R7:

set policy-options policy-statement static-bgp term 1 from protocol

static
set policy-options policy-statement static-bgp term 1 from route-
filter 172.16.0.0/22 prefix-length-range /24-/24
set policy-options policy-statement static-bgp term 1 then accept

set policy-options policy-statement static-bgp term 2 from protocol

direct
set policy-options policy-statement static-bgp term 2 from route-
filter 7.7.7.7/32 exact
set policy-options policy-statement static-bgp term 2 then accept

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

set protocols bgp group ebgp export static-bgp
set protocols bgp group ebgp neighbor 10.1.47.4 peer-as 65555
set protocols bgp group ebgp neighbor 10.1.57.5 peer-as 65555
set protocols bgp group ebgp multipath
set routing-options autonomous-system 65007

21
3





214 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R5# run show bgp summary

Groups: 2 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
15 10 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
3.3.3.3 65555 475 485 0 0 3:34:53
0/0/0/0 0/0/0/0
4.4.4.4 65555 477 483 0 0 3:34:53
0/5/5/0 0/0/0/0
10.1.56.6 65006 478 474 0 0 3:32:17
5/5/5/0 0/0/0/0
10.1.57.7 65007 342 340 0 0 2:32:14
5/5/5/0 0/0/0/0

lab@R4# run show bgp summary

Groups: 2 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
15 10 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
3.3.3.3 65555 479 480 0 0 3:35:53
0/0/0/0 0/0/0/0
5.5.5.5 65555 484 479 0 0 3:35:49
5/10/10/0 0/0/0/0
10.1.24.2 65666 481 483 0 0 3:36:18
0/0/0/0 0/0/0/0
10.1.47.7 65007 346 341 0 0 2:33:14
5/5/5/0 0/0/0/0

lab@R3# run show bgp summary

Groups: 2 Peers: 3 Down peers: 0

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
15 10 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
4.4.4.4 65555 480 480 0 0 3:36:18
5/5/5/0 0/0/0/0
5.5.5.5 65555 487 478 0 0 3:36:14
5/10/10/0 0/0/0/0
10.1.13.1 65666 485 487 0 0 3:37:13
0/0/0/0 0/0/0/0

21
4





215 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R1# run show route protocol bgp terse

inet.0: 20 destinations, 30 routes (20 active, 0 holddown, 10 hidden)

+ = Active Route, - = Last Active, * = Both

A Destination P Prf Metric 1 Metric 2 Next hop AS path

* 6.6.6.6/32 B 170 100 >10.1.13.3 65555 65006 I
* 7.7.7.7/32 B 170 100 >10.1.13.3 65555 65007 I
* 172.16.0.0/24 B 170 100 >10.1.13.3 65555 65007 I
* 172.16.1.0/24 B 170 100 >10.1.13.3 65555 65007 I
* 172.16.2.0/24 B 170 100 >10.1.13.3 65555 65007 I
* 172.16.3.0/24 B 170 100 >10.1.13.3 65555 65007 I
* 172.16.4.0/24 B 170 100 >10.1.13.3 65555 65006 I
* 172.16.5.0/24 B 170 100 >10.1.13.3 65555 65006 I
* 172.16.6.0/24 B 170 100 >10.1.13.3 65555 65006 I
* 172.16.7.0/24 B 170 100 >10.1.13.3 65555 65006 I

lab@R2# run show route protocol bgp terse

inet.0: 22 destinations, 32 routes (22 active, 0 holddown, 10 hidden)

+ = Active Route, - = Last Active, * = Both

A Destination P Prf Metric 1 Metric 2 Next hop AS path

* 6.6.6.6/32 B 170 100 >10.1.24.4 65555 65006 I
* 7.7.7.7/32 B 170 100 >10.1.24.4 65555 65007 I
* 172.16.0.0/24 B 170 100 >10.1.24.4 65555 65007 I
* 172.16.1.0/24 B 170 100 >10.1.24.4 65555 65007 I
* 172.16.2.0/24 B 170 100 >10.1.24.4 65555 65007 I
* 172.16.3.0/24 B 170 100 >10.1.24.4 65555 65007 I
* 172.16.4.0/24 B 170 100 >10.1.24.4 65555 65006 I
* 172.16.5.0/24 B 170 100 >10.1.24.4 65555 65006 I
* 172.16.6.0/24 B 170 100 >10.1.24.4 65555 65006 I
* 172.16.7.0/24 B 170 100 >10.1.24.4 65555 65006 I

lab@R7# run show route protocol bgp terse

inet.0: 17 destinations, 22 routes (17 active, 0 holddown, 0 hidden)

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

+ = Active Route, - = Last Active, * = Both

A Destination P Prf Metric 1 Metric 2 Next hop AS path

* 6.6.6.6/32 B 170 100 >10.1.47.4 65555 65006 I
10.1.57.5
B 170 100 >10.1.47.4 65555 65006 I
* 172.16.4.0/24 B 170 100 10.1.47.4 65555 65006 I
>10.1.57.5
B 170 100 >10.1.47.4 65555 65006 I
* 172.16.5.0/24 B 170 100 >10.1.47.4 65555 65006 I
10.1.57.5
B 170 100 >10.1.47.4 65555 65006 I
* 172.16.6.0/24 B 170 100 >10.1.47.4 65555 65006 I
10.1.57.5
B 170 100 >10.1.47.4 65555 65006 I
* 172.16.7.0/24 B 170 100 10.1.47.4 65555 65006 I
>10.1.57.5
B 170 100 >10.1.47.4 65555 65006 I
21
5





216 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.9: BGP Prefix Filtering.

• In AS65555, do not accept prefixes from customers R6 and R7 with a mask length
greater than /24.
• Clear any communities that may be attached to customer prefixes received from
AS65006 and AS65007.
• Prevent the announcement of specific customer prefixes to any other AS. Achieve
this through the use of communities.

Configuration:

R4:

set policy-options policy-statement ebgp-import term 1 from protocol

bgp
set policy-options policy-statement ebgp-import term 1 from route-
filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement ebgp-import term 1 then reject
set policy-options policy-statement ebgp-import term 2 then
community set no-export
set policy-options policy-statement ebgp-import term 2 then accept
set policy-options community no-export members no-export

set protocols bgp group ebgp neighbor 10.1.47.7 import ebgp-import

R5:

set policy-options policy-statement ebgp-import term 1 from protocol

bgp
set policy-options policy-statement ebgp-import term 1 from route-
filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement ebgp-import term 1 then reject

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

set policy-options policy-statement ebgp-import term 2 then
community set no-export
set policy-options policy-statement ebgp-import term 2 then accept
set policy-options community no-export members no-export

set protocols bgp group ebgp import ebgp-import

21
6





217 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

After applying the BGP import policy, you will see how the /32 routes disappear from RIB-IN
table.

lab@R5# run show route receive-protocol bgp 10.1.57.7

inet.0: 28 destinations, 32 routes (25 active, 0 holddown, 3 hidden)

Prefix Nexthop MED Lclpref AS path
* 172.16.0.0/24 10.1.57.7 65007 I
* 172.16.1.0/24 10.1.57.7 65007 I
* 172.16.2.0/24 10.1.57.7 65007 I
* 172.16.3.0/24 10.1.57.7 65007 I

lab@R5# run show route receive-protocol bgp 10.1.56.6

inet.0: 28 destinations, 32 routes (25 active, 0 holddown, 3 hidden)

Prefix Nexthop MED Lclpref AS path
* 172.16.4.0/24 10.1.56.6 65006 I
* 172.16.5.0/24 10.1.56.6 65006 I
* 172.16.6.0/24 10.1.56.6 65006 I
* 172.16.7.0/24 10.1.56.6 65006 I

By using “community set” in the policy, we apply that community and we clear any existing
communities.

lab@R5# run show route advertising-protocol bgp 3.3.3.3 172.16.0.0/24 extensive

inet.0: 28 destinations, 32 routes (25 active, 0 holddown, 3 hidden)

* 172.16.0.0/24 (2 entries, 1 announced)
BGP group ibgp type Internal
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65555] 65007 I
Communities: no-export

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

To verify that AS 65555 is no longer advertising any routes to other AS, we can issue the
following commands:
lab@R3# run show route advertising-protocol bgp 10.1.13.1

[edit]
lab@R4# run show route advertising-protocol bgp 10.1.24.2

[edit]
lab@R5# run show route advertising-protocol bgp 10.1.56.6

[edit]
lab@R5# run show route advertising-protocol bgp 10.1.57.7

[edit]

21
7





218 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.10: BGP Prefix Origination and Filtering

• In AS 65555, configure and advertise 1 prefix that summarizes all customer prefixes
(from AS 65006 and 65007) and advertise that prefix to AS 65666.
• As an additional security measure, configure AS65666 so that it only accepts prefixes
originated in AS65555.

Configuration:

R1 and R2:

set policy-options as-path as65007-orig "65555 65007"

set policy-options as-path as65006-orig "65555 65006"

set policy-options policy-statement bgp-import term 1 from protocol

bgp
set policy-options policy-statement bgp-import term 1 from as-path
[as65006-orig as65007-orig]
set policy-options policy-statement bgp-import term 1 then reject

set protocols bgp group ebgp import bgp-import

R3:

set routing-options aggregate route 172.16.0.0/20 discard

set policy-options policy-statement agg-announce term 1 from

protocol aggregate
set policy-options policy-statement agg-announce term 1 from route-
filter 172.16.0.0/20 exact
set policy-options policy-statement agg-announce term 1 then accept

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

set protocols bgp group ebgp export agg-announce

R4:

set routing-options aggregate route 172.16.0.0/20 discard

set policy-options policy-statement agg-announce term 1 from

protocol aggregate
set policy-options policy-statement agg-announce term 1 from route-
filter 172.16.0.0/20 exact
set policy-options policy-statement agg-announce term 1 then accept

set protocols bgp group ebgp neighbor 10.1.24.2 export agg-announce

21
8





219 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show route advertising-protocol bgp 10.1.13.1

inet.0: 27 destinations, 31 routes (27 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 172.16.0.0/20 Self {65006 65007} I

lab@R4# run show route advertising-protocol bgp 10.1.24.2

inet.0: 30 destinations, 34 routes (28 active, 0 holddown, 2 hidden)

Prefix Nexthop MED Lclpref AS path
* 172.16.0.0/20 Self {65006 65007} I

Let’s check if the AS Path filter works as expected by temporarily deactivating the import
BGP filter on R4:

lab@R4# deactivate protocols bgp group ebgp neighbor 10.1.47.7 import

Now, since the no-export community is no longer applied to the prefixes received from R7,
R4 starts announcing those routes to AS 65666:

lab@R4# run show route advertising-protocol bgp 10.1.24.2

inet.0: 30 destinations, 34 routes (29 active, 0 holddown, 1 hidden)

Prefix Nexthop MED Lclpref AS path
* 7.7.7.7/32 Self 65007 I
* 172.16.0.0/20 Self {65006 65007} I
* 172.16.0.0/24 Self 65007 I
* 172.16.1.0/24 Self 65007 I
* 172.16.2.0/24 Self 65007 I
* 172.16.3.0/24 Self 65007 I

On R2, we can see that these routes are filtered because of the applied as-path filter:

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

lab@R2# run show route receive-protocol bgp 10.1.24.4

inet.0: 18 destinations, 24 routes (18 active, 0 holddown, 5 hidden)

Prefix Nexthop MED Lclpref AS path
* 172.16.0.0/20 10.1.24.4 65555 {65006
65007} I

21
9





220 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R2# run show route receive-protocol bgp 10.1.24.4 hidden brief

inet.0: 18 destinations, 24 routes (18 active, 0 holddown, 5 hidden)

Prefix Nexthop MED Lclpref AS path
7.7.7.7/32 10.1.24.4 65555 65007 I
172.16.0.0/24 10.1.24.4 65555 65007 I
172.16.1.0/24 10.1.24.4 65555 65007 I
172.16.2.0/24 10.1.24.4 65555 65007 I
172.16.3.0/24 10.1.24.4 65555 65007 I

Don’t forget to reactivate the import BGP policy on R4!

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

22
0





221 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.11: BGP Conditional Route Advertising

• Have the AS 65666 routers announce their loopback IP addresses to AS65555
• Make AS 65555 announce a default route to AS 65006 and 65007.
• To prevent traffic black holing, modify the configuration so that the default route will
not be announced when the two /32 routes that originated in AS65666 disappear
from the routing tables.

Configuration:

R1:

set policy-options policy-statement direct-bgp term 1 from protocol

direct
set policy-options policy-statement direct-bgp term 1 from route-
filter 1.1.1.1/32 exact
set policy-options policy-statement direct-bgp term 1 then accept

set protocols bgp group ebgp export direct-bgp

R2:

set policy-options policy-statement direct-bgp term 1 from protocol

direct
set policy-options policy-statement direct-bgp term 1 from route-
filter 2.2.2.2/32 exact
set policy-options policy-statement direct-bgp term 1 then accept

set protocols bgp group ebgp export direct-bgp

R3:

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

set policy-options policy-statement nhs then next-hop self
set protocols bgp group ibgp export nhs

R4:

set policy-options policy-statement announce-default term 1 from

protocol aggregate
set policy-options policy-statement announce-default term 1 from
route-filter 0.0.0.0/0 exact
set policy-options policy-statement announce-default term 1 then
accept
set policy-options policy-statement announce-default term 2 then
reject

set policy-options policy-statement as65666-routes term 1 from

protocol bgp 22
1





222 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set policy-options policy-statement as65666-routes term 1 from

route-filter 1.1.1.1/32 exact
set policy-options policy-statement as65666-routes term 1 from
route-filter 2.2.2.2/32 exact
set policy-options policy-statement as65666-routes term 1 then
accept
set policy-options policy-statement as65666-routes term 2 then
reject

set routing-options generate route 0.0.0.0/0 policy as65666-routes

set protocols bgp group ebgp neighbor 10.1.47.7 export announce-

default

R5:

set policy-options policy-statement announce-default term 1 from

protocol aggregate
set policy-options policy-statement announce-default term 1 from
route-filter 0.0.0.0/0 exact
set policy-options policy-statement announce-default term 1 then
accept
set policy-options policy-statement announce-default term 2 then
reject

set policy-options policy-statement as65666-routes term 1 from

protocol bgp
set policy-options policy-statement as65666-routes term 1 from
route-filter 1.1.1.1/32 exact
set policy-options policy-statement as65666-routes term 1 from
route-filter 2.2.2.2/32 exact

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

set policy-options policy-statement as65666-routes term 1 then
accept
set policy-options policy-statement as65666-routes term 2 then
reject

set routing-options generate route 0.0.0.0/0 policy as65666-routes

set protocols bgp group ebgp export announce-default

22
2





223 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

Normally, both 1.1.1.1/32 and 2.2.2.2/32 are present in the inet.0 table on R4 and R5:

lab@R4# run show route advertising-protocol bgp 10.1.47.7

inet.0: 31 destinations, 35 routes (30 active, 0 holddown, 1 hidden)

Prefix Nexthop MED Lclpref AS path
* 0.0.0.0/0 Self I

lab@R5# run show route advertising-protocol bgp 10.1.56.6

inet.0: 30 destinations, 34 routes (28 active, 0 holddown, 2 hidden)

Prefix Nexthop MED Lclpref AS path
* 0.0.0.0/0 Self I

lab@R5# run show route advertising-protocol bgp 10.1.57.7

inet.0: 30 destinations, 34 routes (28 active, 0 holddown, 2 hidden)

Prefix Nexthop MED Lclpref AS path
* 0.0.0.0/0 Self I

A quick way to check if the conditional route advertisement works as intended is by

deactivating the BGP export policies on R1 and R2:

lab@R1# deactivate protocols bgp group ebgp export

lab@R2# deactivate protocols bgp group ebgp export

After deactivating the export policies, R1 and R2 no longer advertise their loopback IP
addresses. Because of this, the default route will no longer be announced to R6 and R7:

lab@R5# run show route advertising-protocol bgp 10.1.56.6

[edit]

lab@R5# run show route advertising-protocol bgp 10.1.57.7

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

[edit]

lab@R4# run show route advertising-protocol bgp 10.1.47.7

[edit]

22
3





224 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.12: BGP Attributes Manipulation

• Fix the configuration of AS65666 so that R1 and R2 announce their /32 prefixes
through both iBGP and eBGP.
• Configure AS 65555 so that outgoing traffic to AS 65666 is sent via R3 and all
incoming traffic from AS 65666 enters the AS via R4.
• Don’t use AS Path manipulation for this task.

Configuration:

R1 and R2:

set protocols bgp group ibgp export [direct-bgp nhs]

set protocols bgp advertise-inactive

set policy-options policy-statement nhs then next-hop self

R3:

set policy-options policy-statement agg-announce term 1 then metric

100

set policy-options policy-statement out-traffic term 1 then local-

preference 200
set policy-options policy-statement out-traffic term 1 then accept

set protocols bgp group ebgp import out-traffic

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

22
4





225 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show route receive-protocol bgp 10.1.13.1

inet.0: 27 destinations, 31 routes (27 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 1.1.1.1/32 10.1.13.1 65666 I
* 2.2.2.2/32 10.1.13.1 65666 I

lab@R4# run show route receive-protocol bgp 10.1.24.2

inet.0: 31 destinations, 37 routes (30 active, 0 holddown, 1 hidden)

Prefix Nexthop MED Lclpref AS path
1.1.1.1/32 10.1.24.2 65666 I
2.2.2.2/32 10.1.24.2 65666 I

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

22
5





226 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R3# run show route 2.2.2.2 exact

inet.0: 27 destinations, 31 routes (27 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

2.2.2.2/32 *[BGP/170] 01:28:44, localpref 200

AS path: 65666 I
> to 10.1.13.1 via ge-0/0/4.13

lab@R4# run show route 1.1.1.1 exact

inet.0: 31 destinations, 37 routes (30 active, 0 holddown, 1 hidden)

+ = Active Route, - = Last Active, * = Both

1.1.1.1/32 *[BGP/170] 00:05:55, localpref 200, from 3.3.3.3

AS path: 65666 I
> to 10.1.34.3 via ge-0/0/1.0
to 10.1.43.3 via ge-0/0/2.0
[BGP/170] 01:26:40, localpref 100
AS path: 65666 I
> to 10.1.24.2 via ge-0/0/4.24

lab@R1# run show route 172.16.0.0/20 exact

inet.0: 11 destinations, 13 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.16.0.0/20 *[BGP/170] 03:50:31, localpref 100, from 2.2.2.2

AS path: 65555 {65006 65007} I
> to 10.1.12.2 via ge-0/0/1.0
[BGP/170] 00:16:37, MED 100, localpref 100
AS path: 65555 {65006 65007} I
> to 10.1.13.3 via ge-0/0/4.13

lab@R2# run show route 172.16.0.0/20 exact

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.0.0/20 *[BGP/170] 03:51:09, localpref 100

AS path: 65555 {65006 65007} I
> to 10.1.24.4 via ge-0/0/4.24

22
6





227 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.13: BGP Scaling

• Reconfigure AS 65555 from a full-mesh iBGP to a setup wherein R5 serves as a route
reflector and R3 and R4 are its clients.

Configuration:

R3:

delete protocols bgp group ibgp neighbor 4.4.4.4

R4:

delete protocols bgp group ibgp neighbor 3.3.3.3

R5:

set protocols bgp group ibgp cluster 5.5.5.5

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

22
7





228 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R5# run show bgp group ibgp brief

Group Type: Internal AS: 65555 Local AS: 65555
Name: ibgp Index: 2 Flags: <>
Export: [ nhs ]
Options: <Cluster>
Holdtime: 0
Total peers: 2 Established: 2
4.4.4.4+179
3.3.3.3+179
inet.0: 2/6/6/0

lab@R3# run show route protocol bgp terse

inet.0: 27 destinations, 27 routes (27 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

A Destination P Prf Metric 1 Metric 2 Next hop AS path

* 1.1.1.1/32 B 170 200 >10.1.13.1 65666 I
* 2.2.2.2/32 B 170 200 >10.1.13.1 65666 I
* 172.16.0.0/24 B 170 100 >10.1.35.5 65007 I
* 172.16.1.0/24 B 170 100 >10.1.35.5 65007 I
* 172.16.2.0/24 B 170 100 >10.1.35.5 65007 I
* 172.16.3.0/24 B 170 100 >10.1.35.5 65007 I
* 172.16.4.0/24 B 170 100 >10.1.35.5 65006 I
* 172.16.5.0/24 B 170 100 >10.1.35.5 65006 I
* 172.16.6.0/24 B 170 100 >10.1.35.5 65006 I
* 172.16.7.0/24 B 170 100 >10.1.35.5 65006 I

lab@R4# run show route protocol bgp terse

inet.0: 31 destinations, 37 routes (30 active, 0 holddown, 1 hidden)

+ = Active Route, - = Last Active, * = Both

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

A Destination P Prf Metric 1 Metric 2 Next hop AS path
* 1.1.1.1/32 B 170 200 >10.1.45.5 65666 I
B 170 100 >10.1.24.2 65666 I
* 2.2.2.2/32 B 170 200 >10.1.45.5 65666 I
B 170 100 >10.1.24.2 65666 I
* 172.16.0.0/24 B 170 100 >10.1.47.7 65007 I
B 170 100 >10.1.45.5 65007 I
* 172.16.1.0/24 B 170 100 >10.1.47.7 65007 I
B 170 100 >10.1.45.5 65007 I
* 172.16.2.0/24 B 170 100 >10.1.47.7 65007 I
B 170 100 >10.1.45.5 65007 I
* 172.16.3.0/24 B 170 100 >10.1.47.7 65007 I
B 170 100 >10.1.45.5 65007 I
* 172.16.4.0/24 B 170 100 >10.1.45.5 65006 I
* 172.16.5.0/24 B 170 100 >10.1.45.5 65006 I
* 172.16.6.0/24 B 170 100 >10.1.45.5 65006 I
* 172.16.7.0/24 B 170 100 >10.1.45.5 65006 I

22
8





229 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 3. IPv6 Tunneling

Initial configurations: Part 3

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

22
9





230 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.14: IPv6 Tunneling through IPv4/MPLS Cloud

• Setup BGP sessions across the IPv6 links between R1-R3 and R2-R4.
• Enable the exchange of IPv6 traffic between R1 and R2 (IPv6-only routers) across the
IPv4 MPLS infrastructure (R3, R4, R5).
• You should be able to send pings between the R1 and R2 loopbacks.

Configuration:

R3:

set interfaces ge-0/0/4.35 family inet6

set routing-options autonomous-system 65555

set protocols bgp group ebgp neighbor 2001:db8:0:d::1 peer-as 65560

set protocols bgp group ebgp as-override

set protocols bgp group ibgp local-address 3.3.3.3

set protocols bgp group ibgp neighbor 4.4.4.4 family inet6 labeled-
unicast explicit-null
set protocols bgp group ibgp neighbor 4.4.4.4 peer-as 65555

set protocols mpls ipv6-tunneling

R4:

set interfaces ge-0/0/4.45 family inet6

set routing-options autonomous-system 65555

set protocols bgp group ebgp neighbor 2001:db8:0:18::2 peer-as 65560

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

set protocols bgp group ebgp as-override

set protocols bgp group ibgp local-address 4.4.4.4

set protocols bgp group ibgp neighbor 3.3.3.3 family inet6 labeled-
unicast explicit-null
set protocols bgp group ibgp neighbor 3.3.3.3 peer-as 65555

set protocols mpls ipv6-tunneling

23
0





231 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show bgp summary

Groups: 2 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet6.0
2 2 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
4.4.4.4 65555 93 93 0 0 39:22
Establ
inet6.0: 1/1/1/0
2001:db8:0:d::1 65560 31 36 0 0 12:58
Establ
inet6.0: 1/1/1/0

lab@R1# run show route protocol bgp

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

inet6.0: 7 destinations, 8 routes (7 active, 0 holddown, 1 hidden)

+ = Active Route, - = Last Active, * = Both

2001:db8::2/128 *[BGP/170] 00:15:00, localpref 100

AS path: 65555 65555 I
> to 2001:db8:0:d::3 via ge-0/0/4.13

lab@R2# run show route protocol bgp

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

inet6.0: 7 destinations, 8 routes (7 active, 0 holddown, 1 hidden)

+ = Active Route, - = Last Active, * = Both

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

2001:db8::1/128 *[BGP/170] 00:26:55, localpref 100
AS path: 65555 65555 I
> to 2001:db8:0:18::4 via ge-0/0/4.24

23
1





232 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R3# run show route protocol bgp 2001:db8::2 extensive

inet6.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)

2001:db8::2/128 (1 entry, 1 announced)
TSI:
KRT in-kernel 2001:db8::2/128 -> {indirect(262142)}
Page 0 idx 1 Type 1 val 1545014
Nexthop: Self
AS path: [65555] 65555 I
Communities:
Path 2001:db8::2 from 4.4.4.4 Vector len 4. Val: 1
*BGP Preference: 170/-101
Next hop type: Indirect
Address: 0x15a8990
Next-hop reference count: 3
Source: 4.4.4.4
Next hop type: Router, Next hop index: 551
Next hop: 10.1.35.5 via ge-0/0/4.35 weight 0x1, selected
Label-switched-path R3-R4
Label operation: Push 2, Push 299808(top)
Label TTL action: prop-ttl, prop-ttl(top)
Protocol next hop: ::ffff:4.4.4.4
Push 2
Indirect next hop: 16bc000 262142
State: <Active Int Ext>
Local AS: 65555 Peer AS: 65555
Age: 28:03 Metric2: 2
Task: BGP_65555.4.4.4.4+50571
AS path: 65560 I
Accepted
Route Label: 2
Localpref: 100
Router ID: 4.4.4.4
Indirect next hops: 1
Protocol next hop: ::ffff:4.4.4.4 Metric: 2
Push 2
Indirect next hop: 16bc000 262142
Indirect path forwarding next hops: 1

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

Next hop type: Router
Next hop: 10.1.35.5 via ge-0/0/4.35 weight 0x1
::ffff:4.4.4.4/128 Originating RIB: inet6.3
Metric: 2 Node path count: 1
Forwarding nexthops: 1
Nexthop: 10.1.35.5 via ge-0/0/4.35

23
2





233 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R1# run ping 2001:db8::2 source 2001:db8::1 count 3

PING6(56=40+8+8 bytes) 2001:db8::1 --> 2001:db8::2
16 bytes from 2001:db8::2, icmp_seq=0 hlim=62 time=3.031 ms
16 bytes from 2001:db8::2, icmp_seq=1 hlim=62 time=2.414 ms
16 bytes from 2001:db8::2, icmp_seq=2 hlim=62 time=2.919 ms

lab@R1# run traceroute 2001:db8::2 source 2001:db8::1

traceroute6 to 2001:db8::2 (2001:db8::2) from 2001:db8::1, 64 hops max, 12 byte
packets
1 2001:db8:0:d::3 (2001:db8:0:d::3) 7.432 ms 7.333 ms 8.019 ms
2 * * *
3 2001:db8:0:18::4 (2001:db8:0:18::4) 3.262 ms 7.042 ms 2.315 ms
4 2001:db8::2 (2001:db8::2) 8.315 ms 8.516 ms 2.717 ms

JNCIE-SP workbook: Appendix: Chapter 4 - BGP

23
3





234 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix: Chapter 5 - VPN

Part 1. L3VPN
Initial configuration: Part 1

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

23
4





235 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.1: L3VPN with BGP as PE-CE protocol

Configure VPN B using the interfaces and addresses from the diagram.
•
Use BGP as PE-CE routing protocol.
•
Modify configuration so that PE routers receive only the VPNv4 prefixes that have
•
locally configured route-targets.
• RDs and RTs can be any values of your choice.


Configuration:

R3:

set protocols bgp group ibgp family inet-vpn unicast

set protocols bgp group ibgp family route-target

set routing-instances vpn-b instance-type vrf

set routing-instances vpn-b
set routing-instances vpn-b
set routing-instances vpn-b
set routing-instances vpn-b
10.1.37.7 peer-as 65570
set routing-instances vpn-b
10.1.37.7 as-override
interface ge-0/0/4.37
route-distinguisher 3.3.3.3:1
vrf-target target:65555L:1
protocols bgp group pe-ce neighbor
protocols bgp group pe-ce neighbor

R4:

set protocols bgp group ibgp family inet-vpn unicast

set protocols bgp group ibgp family route-target

set routing-instances vpn-b instance-type vrf

set routing-instances vpn-b interface ge-0/0/4.48

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set routing-instances vpn-b
set routing-instances vpn-b
set routing-instances vpn-b
10.1.48.8 peer-as 65570
set routing-instances vpn-b
10.1.48.8 as-override
route-distinguisher 4.4.4.4:1
vrf-target target:65555L:1
protocols bgp group pe-ce neighbor
protocols bgp group pe-ce neighbor

R5:

set protocols bgp group ibgp family inet-vpn unicast

set protocols bgp group ibgp family route-target

23
5





236 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R5# run show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
0 0 0 0 0 0
bgp.l3vpn.0
8 8 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
3.3.3.3 65555 19 17 0 0 4:59
Establ
bgp.l3vpn.0: 4/4/4/0
bgp.rtarget.0: 1/1/1/0
4.4.4.4 65555 17 15 0 0 4:47
Establ
bgp.l3vpn.0: 4/4/4/0
bgp.rtarget.0: 0/1/1/0

lab@R3# run show route receive-protocol bgp 5.5.5.5

inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
vpn-b.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 8.8.8.8/32 5.5.5.5 100 65570 I
* 10.1.48.0/24 5.5.5.5 100 I
* 172.17.2.0/24 5.5.5.5 100 65570 I

* 172.17.3.0/24 5.5.5.5 100 65570 I

mpls.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)

bgp.l3vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

Prefix Nexthop MED Lclpref AS path
4.4.4.4:1:8.8.8.8/32
* 5.5.5.5 100 65570 I
4.4.4.4:1:10.1.48.0/24
* 5.5.5.5 100 I
4.4.4.4:1:172.17.2.0/24
* 5.5.5.5 100 65570 I
4.4.4.4:1:172.17.3.0/24
* 5.5.5.5 100 65570 I

bgp.rtarget.0: 1 destinations, 2 routes (1 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
65555:33685505L:#0001/96
5.5.5.5 100 I

23
6





237 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R4# run show route receive-protocol bgp 5.5.5.5

inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
vpn-b.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 7.7.7.7/32 5.5.5.5 100 65570 I
* 10.1.37.0/24 5.5.5.5 100 I
* 172.17.0.0/24 5.5.5.5 100 65570 I
* 172.17.1.0/24 5.5.5.5 100 65570 I
mpls.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
bgp.l3vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
3.3.3.3:1:7.7.7.7/32
* 5.5.5.5 100 65570 I
3.3.3.3:1:10.1.37.0/24
* 5.5.5.5 100 I
3.3.3.3:1:172.17.0.0/24
* 5.5.5.5 100 65570 I
3.3.3.3:1:172.17.1.0/24
* 5.5.5.5 100 65570 I

bgp.rtarget.0: 1 destinations, 2 routes (1 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
65555:33685505L:#0001/96
5.5.5.5 100 I

lab@R7# run show route protocol bgp

inet.0: 12 destinations, 15 routes (12 active, 0 holddown, 3 hidden)

+ = Active Route, - = Last Active, * = Both
8.8.8.8/32 *[BGP/170] 00:25:06, localpref 100
AS path: 65555 65555 I
> to 10.1.37.3 via ge-0/0/4.37
10.1.48.0/24 *[BGP/170] 00:25:06, localpref 100

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

AS path: 65555 I
> to 10.1.37.3 via ge-0/0/4.37
172.17.2.0/24 *[BGP/170] 00:25:06, localpref 100
AS path: 65555 65555 I
> to 10.1.37.3 via ge-0/0/4.37
172.17.3.0/24 *[BGP/170] 00:25:06, localpref 100
AS path: 65555 65555 I
> to 10.1.37.3 via ge-0/0/4.37

23
7





238 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R8# run show route protocol bgp

inet.0: 12 destinations, 15 routes (12 active, 0 holddown, 3 hidden)

+ = Active Route, - = Last Active, * = Both

7.7.7.7/32 *[BGP/170] 00:25:51, localpref 100

AS path: 65555 65555 I
> to 10.1.48.4 via ge-0/0/4.48
10.1.37.0/24 *[BGP/170] 00:25:51, localpref 100
AS path: 65555 I
> to 10.1.48.4 via ge-0/0/4.48
172.17.0.0/24 *[BGP/170] 00:25:51, localpref 100
AS path: 65555 65555 I
> to 10.1.48.4 via ge-0/0/4.48
172.17.1.0/24 *[BGP/170] 00:25:51, localpref 100
AS path: 65555 65555 I
> to 10.1.48.4 via ge-0/0/4.48

lab@R7# run ping 8.8.8.8 source 7.7.7.7 count 1

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=61 time=1.854 ms

--- 8.8.8.8 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.854/1.854/1.854/0.000 ms

lab@R7# run traceroute 8.8.8.8 source 7.7.7.7

traceroute to 8.8.8.8 (8.8.8.8) from 7.7.7.7, 30 hops max, 40 byte packets

1 10.1.37.3 (10.1.37.3) 8.287 ms 13.923 ms 7.254 ms

2 * * *
3 10.1.45.4 (10.1.45.4) 8.600 ms 8.145 ms 7.970 ms
MPLS Label=299808 CoS=0 TTL=1 S=1
4 8.8.8.8 (8.8.8.8) 2.677 ms 3.065 ms 2.562 ms

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

23
8





239 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.2: L3VPN transparency.

• Reconfigure VPN B from the previous task in such a way so that AS 65555 is not
added to the AS Path after prefix exchange between sites.

Configuration:

R3:

delete routing-instances vpn-b protocols bgp group pe-ce neighbor

10.1.37.7 as-override

R4:

delete routing-instances vpn-b protocols bgp group pe-ce neighbor

10.1.48.8 as-override

R3 and R4:

set routing-instances vpn-b routing-options autonomous-system 65570

independent-domain

R7:

set protocols bgp group ebgp neighbor 10.1.37.3 peer-as 65570

R8:

set protocols bgp group ebgp neighbor 10.1.48.4 peer-as 65570

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

23
9





240 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:
lab@R7# run show route protocol bgp

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both
8.8.8.8/32 *[BGP/170] 00:00:18, localpref 100
AS path: I
> to 10.1.37.3 via ge-0/0/4.37
10.1.48.0/24 *[BGP/170] 00:00:18, localpref 100
AS path: I
> to 10.1.37.3 via ge-0/0/4.37
172.17.2.0/24 *[BGP/170] 00:00:18, localpref 100
AS path: I
> to 10.1.37.3 via ge-0/0/4.37
172.17.3.0/24 *[BGP/170] 00:00:18, localpref 100
AS path: I
> to 10.1.37.3 via ge-0/0/4.37

lab@R8# run show route protocol bgp

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32 *[BGP/170] 00:05:17, localpref 100

AS path: I
> to 10.1.48.4 via ge-0/0/4.48
10.1.37.0/24 *[BGP/170] 00:05:17, localpref 100
AS path: I
> to 10.1.48.4 via ge-0/0/4.48
172.17.0.0/24 *[BGP/170] 00:05:17, localpref 100
AS path: I
> to 10.1.48.4 via ge-0/0/4.48

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

172.17.1.0/24 *[BGP/170] 00:05:17, localpref 100
AS path: I
> to 10.1.48.4 via ge-0/0/4.48

lab@R7# run ping 8.8.8.8 source 7.7.7.7 count 1

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=61 time=2.042 ms

--- 8.8.8.8 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.042/2.042/2.042/0.000 ms

24
0





241 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.3: Hub and Spoke VPN (BGP-based)

• Configure VPN A as a hub and spoke VPN using the interfaces and addresses from the
diagram.
• Use BGP as PE-CE routing protocol.
• Make sure CE spokes (R1 and R2) communicate through central hub (R6) only.
• RDs and RTs can be any values of your choice.

Configuration:

R3:

set routing-instances vpn-a instance-type vrf

set routing-instances vpn-a
set routing-instances vpn-a
set routing-instances vpn-a
set routing-instances vpn-a
set routing-instances vpn-a
10.1.13.1 peer-as 65560
set routing-instances vpn-a
10.1.13.1 as-override
interface ge-0/0/4.13
route-distinguisher 3.3.3.3:2
vrf-import hub-routes
vrf-export spoke-routes
protocols bgp group pe-ce neighbor
protocols bgp group pe-ce neighbor

set policy-options policy-statement hub-routes term 1 from protocol

bgp
set policy-options policy-statement hub-routes term 1 from community
hub
set policy-options policy-statement hub-routes term 1 then accept
set policy-options policy-statement hub-routes term 2 then reject

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set policy-options policy-statement
protocol bgp
set policy-options policy-statement
community add spoke
set policy-options policy-statement
set policy-options policy-statement
spoke-routes term 1 from
spoke-routes term 1 then
spoke-routes term 1 then accept
spoke-routes term 2 then reject

set policy-options community spoke members target:65555L:2

set policy-options community hub members target:65555L:3

set routing-options autonomous-system loops 3

R4:

set routing-instances vpn-a instance-type vrf

set routing-instances vpn-a interface ge-0/0/4.24
24
set routing-instances vpn-a route-distinguisher 4.4.4.4:2 1
set routing-instances vpn-a vrf-import hub-routes




242 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set routing-instances vpn-a vrf-export spoke-routes

set routing-instances vpn-a protocols bgp group pe-ce neighbor
10.1.24.2 peer-as 65560
set routing-instances vpn-a protocols bgp group pe-ce neighbor
10.1.24.2 as-override

set policy-options policy-statement hub-routes term 1 from protocol

bgp
set policy-options policy-statement hub-routes term 1 from community
hub
set policy-options policy-statement hub-routes term 1 then accept
set policy-options policy-statement hub-routes term 2 then reject

set policy-options policy-statement spoke-routes term 1 from

protocol bgp
set policy-options policy-statement
community add spoke
set policy-options policy-statement
set policy-options policy-statement
spoke-routes term 1 then
spoke-routes term 1 then accept
spoke-routes term 2 then reject

set policy-options community spoke members target:65555L:2

set policy-options community hub members target:65555L:3

set routing-options autonomous-system loops 3

R5:

set routing-instances vpn-a-hub instance-type vrf

set routing-instances vpn-a-hub interface ge-0/0/1.0
set routing-instances vpn-a-hub route-distinguisher 5.5.5.5:1
set routing-instances vpn-a-hub vrf-import reject-all
set routing-instances vpn-a-hub vrf-export hub-routes

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set routing-instances vpn-a-hub protocols bgp group pe-ce neighbor
10.1.56.6 peer-as 65560

set routing-instances vpn-a-spoke instance-type vrf

set routing-instances vpn-a-spoke
set routing-instances vpn-a-spoke
set routing-instances vpn-a-spoke
set routing-instances vpn-a-spoke
set routing-instances vpn-a-spoke
10.1.65.6 peer-as 65560
set routing-instances vpn-a-spoke
10.1.65.6 as-override
interface ge-0/0/2.0
route-distinguisher 5.5.5.5:2
vrf-import spoke-routes
vrf-export reject-all
protocols bgp group pe-ce neighbor
protocols bgp group pe-ce neighbor

set policy-options policy-statement spoke-routes term 1 from

protocol bgp
set policy-options policy-statement spoke-routes term 1 from 24
2
community spoke





243 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set policy-options policy-statement spoke-routes term 1 then accept

set policy-options policy-statement spoke-routes term 2 then reject

set policy-options policy-statement hub-routes term 1 from protocol

bgp
set policy-options policy-statement hub-routes term 1 then community
add hub
set policy-options policy-statement hub-routes term 1 then accept
set policy-options policy-statement hub-routes term 2 then reject

set policy-options policy-statement reject-all then reject

set policy-options community spoke members target:65555L:2

set policy-options community hub members target:65555L:3

set routing-options autonomous-system loops 3

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

24
3





244 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R1# run show route receive-protocol bgp 10.1.13.3

inet.0: 20 destinations, 23 routes (20 active, 0 holddown, 3 hidden)

Prefix Nexthop MED Lclpref AS path
* 2.2.2.2/32 10.1.13.3 65555 65555 65555 65555 I
* 6.6.6.6/32 10.1.13.3 65555 65555 I
* 172.16.2.0/24 10.1.13.3 65555 65555 65555 65555 I
* 172.16.3.0/24 10.1.13.3 65555 65555 65555 65555 I
* 192.168.0.0/16 10.1.13.3 65555 65555 I

lab@R2# run show route receive-protocol bgp 10.1.24.4

inet.0: 16 destinations, 19 routes (16 active, 0 holddown, 3 hidden)

Prefix Nexthop MED Lclpref AS path
* 1.1.1.1/32 10.1.24.4 65555 65555 65555 65555 I
* 6.6.6.6/32 10.1.24.4 65555 65555 I
* 172.16.0.0/24 10.1.24.4 65555 65555 65555 65555 I
* 172.16.1.0/24 10.1.24.4 65555 65555 65555 65555 I
* 192.168.0.0/16 10.1.24.4 65555 65555 I

lab@R1# run ping 2.2.2.2 source 1.1.1.1 count 1

PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=59 time=8.222 ms

--- 2.2.2.2 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.222/8.222/8.222/0.000 ms

lab@R1# run traceroute 2.2.2.2 source 1.1.1.1

traceroute to 2.2.2.2 (2.2.2.2) from 1.1.1.1, 30 hops max, 40 byte packets
1 10.1.13.3 (10.1.13.3) 8.096 ms 14.055 ms 6.821 ms
2 10.1.35.5 (10.1.35.5) 2.536 ms 2.694 ms 8.217 ms
MPLS Label=299984 CoS=0 TTL=1 S=1
3 10.1.56.6 (10.1.56.6) 7.935 ms 7.979 ms 7.790 ms
4 10.1.65.5 (10.1.65.5) 43.725 ms 8.236 ms 7.991 ms
5 10.1.45.4 (10.1.45.4) 2.641 ms 3.202 ms 2.602 ms

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

MPLS Label=299840 CoS=0 TTL=1 S=1
6 2.2.2.2 (2.2.2.2) 8.805 ms 8.455 ms 8.947 ms

24
4





245 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.4: VPN Route Leaking

• Enable remote and local leaking of routes between VPN A and VPN B on R3. Perform
local leaking using the auto-export feature.
• Enable local leaking of routes between VPN A and VPN B on R4 using the RIB groups
approach.

Configuration:

R3:

set routing-instances vpn-a routing-options auto-export

set routing-instances vpn-b routing-options auto-export

delete routing-instances vpn-b vrf-target

set routing-instances vpn-b vrf-import vpn-b-import
set routing-instances vpn-b vrf-export vpn-b-export

set policy-options policy-statement vpn-b-import term 1 from

protocol bgp
set policy-options policy-statement
community [vpn-b hub spoke]
set policy-options policy-statement
set policy-options policy-statement
vpn-b-import term 1 from
vpn-b-import term 1 then accept
vpn-b-import term 2 then reject

set policy-options policy-statement vpn-b-export term 1 from

protocol bgp
set policy-options policy-statement
community add vpn-b
set policy-options policy-statement
set policy-options policy-statement
vpn-b-export term 1 then
vpn-b-export term 1 then accept
vpn-b-export term 2 then reject

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set policy-options community vpn-b members target:65555L:1

set policy-options policy-statement vpn-b-routes term 1 from

protocol bgp
set policy-options policy-statement vpn-b-routes term 1 from
community vpn-b
set policy-options policy-statement vpn-b-routes term 1 then accept

delete routing-instances vpn-a vrf-import

set routing-instances vpn-a vrf-import [vpn-b-routes hub-routes]

24
5





246 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

R4:

set routing-options rib-groups vpn-a-vpn-b import-rib [vpn-a.inet.0

vpn-b.inet.0]
set routing-options rib-groups vpn-b-vpn-a import–rib [vpn-b.inet.0
vpn-a.inet.0]

set routing-instances vpn-b protocols bgp group pe-ce family inet

unicast rib-group vpn-b-vpn-a
set routing-instances vpn-a protocols bgp group pe-ce family inet
unicast rib-group vpn-a-vpn-b

Verification:

lab@R1# run show route receive-protocol bgp 10.1.13.3

inet.0: 20 destinations, 23 routes (20 active, 0 holddown, 3 hidden)

Prefix Nexthop MED Lclpref AS path
* 2.2.2.2/32 10.1.13.3 65555 65555 65555 65555 I
* 6.6.6.6/32 10.1.13.3 65555 65555 I
* 7.7.7.7/32 10.1.13.3 65555 65570 I
* 8.8.8.8/32 10.1.13.3 65555 65570 I
* 10.1.48.0/24 10.1.13.3 65555 65570 I
* 172.16.2.0/24 10.1.13.3 65555 65555 65555 65555 I
* 172.16.3.0/24 10.1.13.3 65555 65555 65555 65555 I
* 172.17.0.0/24 10.1.13.3 65555 65570 I
* 172.17.1.0/24 10.1.13.3 65555 65570 I
* 172.17.2.0/24 10.1.13.3 65555 65570 I
* 172.17.3.0/24 10.1.13.3 65555 65570 I
* 192.168.0.0/16 10.1.13.3 65555 65555 I

lab@R7# run show route receive-protocol bgp 10.1.37.3

inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

Prefix Nexthop MED Lclpref AS path
* 1.1.1.1/32 10.1.37.3 100 65555 65560 I
* 2.2.2.2/32 10.1.37.3 100 65555 65560 I
* 6.6.6.6/32 10.1.37.3 100 65555 65560 I
* 8.8.8.8/32 10.1.37.3 100 I
* 10.1.48.0/24 10.1.37.3 100 I
* 172.16.0.0/24 10.1.37.3 100 65555 65560 I
* 172.16.1.0/24 10.1.37.3 100 65555 65560 I
* 172.16.2.0/24 10.1.37.3 100 65555 65560 I
* 172.16.3.0/24 10.1.37.3 100 65555 65560 I
* 172.17.2.0/24 10.1.37.3 100 I
* 172.17.3.0/24 10.1.37.3 100 I
* 192.168.0.0/16 10.1.37.3 100 65555 65560 I

24
6





247 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R7# run ping 1.1.1.1 source 7.7.7.7 count 1

PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=63 time=1.420 ms
--- 1.1.1.1 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss

round-trip min/avg/max/stddev = 1.420/1.420/1.420/0.000 ms

lab@R7# run ping 8.8.8.8 source 7.7.7.7 count 1

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=61 time=1.896 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.896/1.896/1.896/0.000 ms

lab@R2# run show route receive-protocol bgp 10.1.24.4

inet.0: 16 destinations, 19 routes (16 active, 0 holddown, 3 hidden)

Prefix Nexthop MED Lclpref AS path
* 1.1.1.1/32 10.1.24.4 65555 65555 65555 65555 I
* 6.6.6.6/32 10.1.24.4 65555 65555 I
* 8.8.8.8/32 10.1.24.4 65555 65570 I
* 172.16.0.0/24 10.1.24.4 65555 65555 65555 65555 I
* 172.16.1.0/24 10.1.24.4 65555 65555 65555 65555 I
* 172.17.2.0/24 10.1.24.4 65555 65570 I
* 172.17.3.0/24 10.1.24.4 65555 65570 I
* 192.168.0.0/16 10.1.24.4 65555 65555 I

lab@R8# run show route receive-protocol bgp 10.1.48.4

inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 2.2.2.2/32 10.1.48.4 100 65555 65560 I
* 7.7.7.7/32 10.1.48.4 100 I
* 172.16.2.0/24 10.1.48.4 100 65555 65560 I

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

* 172.16.3.0/24 10.1.48.4 100 65555 65560 I
* 172.17.0.0/24 10.1.48.4 100 I
* 172.17.1.0/24 10.1.48.4 100 I

lab@R8# run ping 2.2.2.2 source 8.8.8.8 count 1

PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=63 time=1.592 ms

--- 2.2.2.2 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.592/1.592/1.592/0.000 ms

24
7





248 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.5: VPN Internet Access

• Provide Internet access for Site 1 of VPN B. Use the same interface for VPN and
Internet traffic and assume that the VPN B addresses are public.
• Restrict internet access for the IP address of the R7 loopback only. Don’t use firewall
filters for this.

Configuration:

R3:

set routing-instances vpn-b routing-options static route 0.0.0.0/0

next-table inet.0

set routing-options rib-groups vpn-b-to-inet import-rib [vpn-

b.inet.0 inet.0]
set routing-options rib-groups vpn-b-to-inet import-policy r7-
loopback-only

set routing-instances vpn-b protocols bgp group pe-ce family inet

unicast rib-group vpn-b-to-inet

set policy-options policy-statement r7-loopback-only term 1 from

protocol bgp
set policy-options policy-statement r7-loopback-only term 1 from
route-filter 7.7.7.7/32 exact
set policy-options policy-statement r7-loopback-only term 1 to rib
inet.0
set policy-options policy-statement r7-loopback-only term 1 the
accept
set policy-options policy-statement r7-loopback-only term 2 then

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

reject

set policy-options policy-statement def-bgp term 1 from protocol

static
set policy-options policy-statement def-bgp term 1 from route-filter
0.0.0.0/0 exact
set policy-options policy-statement def-bgp term 1 then accept

set routing-instances vpn-b protocols bgp group pe-ce neighbor

10.1.37.7 export def-bgp

24
8





249 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show route table inet.0 7.7.7.7 exact

inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32 *[BGP/170] 00:02:56, localpref 100

AS path: 65570 I
> to 10.1.37.7 via ge-0/0/4.37

lab@R7# run show route 3.3.3.3

inet.0: 21 destinations, 21 routes (21 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[BGP/170] 00:09:34, localpref 100

AS path: I
> to 10.1.37.3 via ge-0/0/4.37

To check “Internet connection” is up we ping lo0 address of R3 from R7 lo0 address which is
the only allowed IP:
lab@R7# run ping 3.3.3.3 source 7.7.7.7 count 1
PING 3.3.3.3 (3.3.3.3): 56 data bytes
64 bytes from 3.3.3.3: icmp_seq=0 ttl=64 time=1.572 ms

--- 3.3.3.3 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.572/1.572/1.572/0.000 ms

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

24
9





250 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2. L3VPN PE-CE OSPF

Initial configurations: Part 2

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

25
0





251 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.6: OSPF Sham Link

• Configure VPN B between R7 and R8 using OSPF as PE-CE protocol.
• Make sure that the L3VPN is the primary path between R7 and R8 and that the legacy
OSPF backbone is used for backup purposes only.

Configuration:

R3:
set protocols bgp group ibgp family inet-vpn unicast
set routing-instances vpn-b instance-type vrf
set routing-instances vpn-b interface ge-0/0/4.37
set routing-instances vpn-b route-distinguisher 3.3.3.3:1
set routing-instances vpn-b vrf-target target:65555L:1
set routing-instances vpn-b protocols ospf area 0 interface ge-
0/0/4.37
set routing-instances vpn-b protocols ospf export bgp-ospf
set policy-options policy-statement bgp-ospf term 1 from protocol
bgp
set policy-options policy-statement bgp-ospf term 1 the accept
set interfaces lo0 unit 1 family inet address 33.33.33.33/32
set routing-instances vpn-b interface lo0.1
set routing-instances vpn-b protocols ospf sham-link local
33.33.33.33
set routing-instances vpn-b protocols ospf area 0 sham-link-remote
44.44.44.44 metric 1

R4:
set protocols bgp group ibgp family inet-vpn unicast
set routing-instances vpn-b instance-type vrf
set routing-instances vpn-b interface ge-0/0/4.48

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set routing-instances vpn-b route-distinguisher 4.4.4.4:1
set routing-instances vpn-b vrf-target target:65555L:1
set routing-instances vpn-b protocols ospf area 0 interface ge-
0/0/4.48
set routing-instances vpn-b protocols ospf export bgp-ospf
set policy-options policy-statement bgp-ospf term 1 from protocol
bgp
set policy-options policy-statement bgp-ospf term 1 the accept
set interfaces lo0 unit 1 family inet address 44.44.44.44/32
set routing-instances vpn-b interface lo0.1
set routing-instances vpn-b protocols ospf sham-link local
44.44.44.44
set routing-instances vpn-b protocols ospf area 0 sham-link-remote
33.33.33.33 metric 1

R5:
25
set protocols bgp group ibgp family inet-vpn unicast 1





252 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show ospf neighbor instance vpn-b
Address Interface State ID Pri Dead
10.1.37.7 ge-0/0/4.37 Full 7.7.7.7 128 33
44.44.44.44 shamlink.0 Full 44.44.44.44 0 32

lab@R3# run show ospf database instance vpn-b

OSPF database, Area 0.0.0.0

Type ID Adv Rtr Seq Age Opt Cksum Len
Router 7.7.7.7 7.7.7.7 0x80000011 1192 0x22 0x4ccd 60
Router 8.8.8.8 8.8.8.8 0x8000000b 617 0x22 0x7189 60
Router *33.33.33.33 33.33.33.33 0x8000000d 197 0x22 0x92dc 48
Router 44.44.44.44 44.44.44.44 0x80000007 609 0x22 0xd858 48
Network 10.1.37.7 7.7.7.7 0x80000004 592 0x22 0xc082 32
Network 10.1.48.8 8.8.8.8 0x80000004 635 0x22 0x6999 32
Network 10.1.78.7 7.7.7.7 0x80000007 1792 0x22 0xf6c 32
OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 33.33.33.33 44.44.44.44 0x80000004 618 0xa2 0xe530 36
Extern *44.44.44.44 33.33.33.33 0x80000004 617 0xa2 0x35e0 36
Extern 172.17.0.0 7.7.7.7 0x80000007 2992 0x22 0x9042 36
Extern 172.17.1.0 7.7.7.7 0x80000007 2392 0x22 0x854c 36
Extern 172.17.2.0 8.8.8.8 0x80000007 2883 0x22 0x5c70 36
Extern 172.17.3.0 8.8.8.8 0x80000007 2134 0x22 0x517a 36

lab@R7# run show route protocol ospf

inet.0: 17 destinations, 18 routes (17 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

8.8.8.8/32 *[OSPF/10] 02:23:19, metric 3

> to 10.1.37.3 via ge-0/0/4.37
10.1.48.0/24 *[OSPF/10] 02:23:19, metric 3
> to 10.1.37.3 via ge-0/0/4.37
10.1.78.0/24 [OSPF/10] 02:23:19, metric 4
> to 10.1.37.3 via ge-0/0/4.37

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

33.33.33.33/32 *[OSPF/150] 02:23:19, metric 0, tag 3489660947
> to 10.1.37.3 via ge-0/0/4.37
44.44.44.44/32 *[OSPF/150] 02:23:19, metric 0, tag 3489660947
> to 10.1.37.3 via ge-0/0/4.37
172.17.2.0/24 *[OSPF/150] 02:23:19, metric 0, tag 0
> to 10.1.37.3 via ge-0/0/4.37
172.17.3.0/24 *[OSPF/150] 02:23:19, metric 0, tag 0
> to 10.1.37.3 via ge-0/0/4.37
224.0.0.5/32 *[OSPF/10] 04:53:50, metric 1
MultiRecv

25
2





253 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R8# run show route protocol ospf

inet.0: 17 destinations, 18 routes (17 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

7.7.7.7/32 *[OSPF/10] 04:52:00, metric 1

> to 10.1.78.7 via ge-0/0/1.0
10.1.37.0/24 *[OSPF/10] 04:52:00, metric 2
> to 10.1.78.7 via ge-0/0/1.0
10.1.48.0/24 [OSPF/10] 00:00:09, metric 4
> to 10.1.78.7 via ge-0/0/1.0
33.33.33.33/32 *[OSPF/150] 00:00:09, metric 0, tag 3489660947
> to 10.1.78.7 via ge-0/0/1.0
44.44.44.44/32 *[OSPF/150] 00:00:09, metric 0, tag 3489660947
> to 10.1.78.7 via ge-0/0/1.0
172.17.0.0/24 *[OSPF/150] 04:52:00, metric 0, tag 0
> to 10.1.78.7 via ge-0/0/1.0
172.17.1.0/24 *[OSPF/150] 04:52:00, metric 0, tag 0
> to 10.1.78.7 via ge-0/0/1.0
224.0.0.5/32 *[OSPF/10] 04:52:10, metric 1
MultiRecv

lab@R7# run ping 8.8.8.8 source 7.7.7.7 count 1

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=64 time=1.784 ms

--- 8.8.8.8 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.784/1.784/1.784/0.000 ms

lab@R7# run traceroute 8.8.8.8 source 7.7.7.7

traceroute to 8.8.8.8 (8.8.8.8) from 7.7.7.7, 30 hops max, 40 byte packets
1 10.1.37.3 (10.1.37.3) 59.709 ms 5.479 ms 2.184 ms
2 * * *
3 10.1.45.4 (10.1.45.4) 14.577 ms 2.917 ms 7.877 ms
MPLS Label=299888 CoS=0 TTL=1 S=1
4 8.8.8.8 (8.8.8.8) 2.302 ms 2.863 ms 2.200 ms

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

To check if legacy OSPF backbone works as a backup in case of L3VPN failure let’s disable PE-
CE link on R3:
lab@R3# set interfaces ge-0/0/4 unit 37 disable
lab@R3# commit

lab@R7# run show route protocol ospf

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

8.8.8.8/32 *[OSPF/10] 00:00:25, metric 100

> to 10.1.78.8 via ge-0/0/1.0
10.1.48.0/24 *[OSPF/10] 00:00:25, metric 200
> to 10.1.78.8 via ge-0/0/1.0
33.33.33.33/32 *[OSPF/150] 00:00:25, metric 0, tag 3489660947
> to 10.1.78.8 via ge-0/0/1.0
44.44.44.44/32 *[OSPF/150] 00:00:25, metric 0, tag 3489660947 25
3

> to 10.1.78.8 via ge-0/0/1.0

254 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

172.17.2.0/24 *[OSPF/150] 00:00:25, metric 0, tag 0

> to 10.1.78.8 via ge-0/0/1.0
172.17.3.0/24 *[OSPF/150] 00:00:25, metric 0, tag 0
> to 10.1.78.8 via ge-0/0/1.0
224.0.0.5/32 *[OSPF/10] 05:06:35, metric 1
MultiRecv

lab@R7# run ping 8.8.8.8 source 7.7.7.7 count 1

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=64 time=1.354 ms

lab@R7# run traceroute 8.8.8.8 source 7.7.7.7

traceroute to 8.8.8.8 (8.8.8.8) from 7.7.7.7, 30 hops max, 40 byte packets
1 8.8.8.8 (8.8.8.8) 2.379 ms 7.924 ms 7.601 ms

Don’t forget to re-enable PE-CE link!

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

25
4





255 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.7: Hub and Spoke L3VPN (OSPF)

• Configure VPN A as a hub and spoke VPN using OSPF as PE-CE protocol.
• Make sure that the CE spokes (R1 and R2) can communicate through the central site
only.
• RDs and RTs can be any values of your choice.


Configuration:

R3:

set routing-instances vpn-a instance-type vrf
set routing-instances vpn-a interface ge-0/0/4.13
set routing-instances vpn-a route-distinguisher 3.3.3.3:2
set routing-instances vpn-a vrf-import hub-routes
set routing-instances vpn-a vrf-export spoke-routes
set routing-instances vpn-a protocols ospf area 0 interface ge-
0/0/4.13
set routing-instances vpn-a protocols ospf export bgp-ospf
set policy-options policy-statement hub-routes term 1 from protocol
bgp
set policy-options policy-statement hub-routes term 1 from community
hub
set policy-options policy-statement hub-routes term 1 then accept
set policy-options policy-statement hub-routes term 2 then reject
set policy-options policy-statement spoke-routes term 1 from
protocol ospf
set policy-options policy-statement spoke-routes term 1 then
community add spoke
set policy-options policy-statement spoke-routes term 1 then accept
set policy-options policy-statement spoke-routes term 2 then reject

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set policy-options community spoke members target:65555L:2
set policy-options community hub members target:65555L:3

R4:

set routing-instances vpn-a instance-type vrf
set routing-instances vpn-a interface ge-0/0/4.24
set routing-instances vpn-a route-distinguisher 4.4.4.4:2
set routing-instances vpn-a vrf-import hub-routes
set routing-instances vpn-a vrf-export spoke-routes
set routing-instances vpn-a protocols ospf area 0 interface ge-
0/0/4.24
set policy-options policy-statement hub-routes term 1 from protocol
bgp
set policy-options policy-statement hub-routes term 1 from community
hub 25
5
set policy-options policy-statement hub-routes term 1 then accept




256 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set policy-options policy-statement hub-routes term 2 then reject

set policy-options policy-statement spoke-routes term 1 from

protocol ospf
set policy-options policy-statement
community add spoke
set policy-options policy-statement
set policy-options policy-statement
spoke-routes term 1 then
spoke-routes term 1 then accept
spoke-routes term 2 then reject

set policy-options community spoke members target:65555L:2

set policy-options community hub members target:65555L:3

R5:

set routing-instances vpn-a-hub instance-type vrf

set routing-instances
set routing-instances
set routing-instances
set routing-instances
set routing-instances
0/0/1.0
set routing-instances
vpn-a-hub interface ge-0/0/1.0
vpn-a-hub route-distinguisher 5.5.5.5:1
vpn-a-hub vrf-import reject-all
vpn-a-hub vrf-export hub-routes
vpn-a-hub protocols ospf area 0 interface ge-
vpn-a-hub protocols ospf domain-vpn-tag 0

set routing-instances vpn-a-spoke instance-type vrf

set routing-instances
set routing-instances
set routing-instances
set routing-instances
set routing-instances
ge-0/0/2.0
set routing-instances
set routing-instances
vpn-a-spoke interface ge-0/0/2.0
vpn-a-spoke route-distinguisher 5.5.5.5:2
vpn-a-spoke vrf-import spoke-routes
vpn-a-spoke vrf-export reject-all
vpn-a-spoke protocols ospf area 0 interface
vpn-a-spoke protocols ospf domain-vpn-tag 0
vpn-a-spoke protocols ospf domain-id disable

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set routing-instances vpn-a-spoke protocols ospf export bgp-ospf

set policy-options policy-statement spoke-routes term 1 from

protocol bgp
set policy-options policy-statement spoke-routes term 1 from
community spoke
set policy-options policy-statement spoke-routes term 1 then accept
set policy-options policy-statement spoke-routes term 2 then reject

set policy-options policy-statement hub-routes term 1 from protocol

ospf
set policy-options policy-statement hub-routes term 1 then community
add hub
set policy-options policy-statement hub-routes term 1 then accept
set policy-options policy-statement hub-routes term 2 then reject
25
6
set policy-options policy-statement reject-all then reject





257 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set policy-options policy-statement bgp-ospf term 1 from protocol

bgp
set policy-options policy-statement bgp-ospf term 1 then accept

set policy-options community spoke members target:65555L:2

set policy-options community hub members target:65555L:3

Verification:

lab@R3# run show ospf neighbor instance vpn-a

Address Interface State ID Pri Dead
10.1.13.1 ge-0/0/4.13 Full 1.1.1.1 128 30

lab@R4# run show ospf neighbor instance vpn-a

Address Interface State ID Pri Dead
10.1.24.2 ge-0/0/4.24 Full 2.2.2.2 128 38

lab@R5# run show ospf neighbor instance vpn-a-hub

Address Interface State ID Pri Dead
10.1.56.6 ge-0/0/1.0 Full 6.6.6.6 128 39

lab@R5# run show ospf neighbor instance vpn-a-spoke

Address Interface State ID Pri Dead
10.1.65.6 ge-0/0/2.0 Full 6.6.6.6 128 36

lab@R1# run show route protocol ospf

inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

2.2.2.2/32 *[OSPF/150] 00:08:26, metric 1, tag 3489660947

> to 10.1.13.3 via ge-0/0/4.13

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

6.6.6.6/32 *[OSPF/10] 00:39:12, metric 2
> to 10.1.13.3 via ge-0/0/4.13
10.1.65.0/24 *[OSPF/10] 00:39:12, metric 3
> to 10.1.13.3 via ge-0/0/4.13
172.16.2.0/24 *[OSPF/150] 00:10:44, metric 0, tag 3489660947
> to 10.1.13.3 via ge-0/0/4.13
172.16.3.0/24 *[OSPF/150] 00:10:44, metric 0, tag 3489660947
> to 10.1.13.3 via ge-0/0/4.13
192.168.0.0/16 *[OSPF/150] 00:39:12, metric 0, tag 3489660947
> to 10.1.13.3 via ge-0/0/4.13
224.0.0.5/32 *[OSPF/10] 07:55:00, metric 1
MultiRecv

25
7





258 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R1# run ping 2.2.2.2 source 1.1.1.1 count 1

PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=59 time=2.236 ms

--- 2.2.2.2 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.236/2.236/2.236/0.000 ms

lab@R1# run traceroute 2.2.2.2 source 1.1.1.1

traceroute to 2.2.2.2 (2.2.2.2) from 1.1.1.1, 30 hops max, 40 byte packets
1 10.1.13.3 (10.1.13.3) 9.215 ms 7.687 ms 8.462 ms
2 10.1.35.5 (10.1.35.5) 2.654 ms 2.592 ms 2.306 ms
MPLS Label=300448 CoS=0 TTL=1 S=1
3 10.1.56.6 (10.1.56.6) 8.232 ms 14.013 ms 8.016 ms
4 10.1.65.5 (10.1.65.5) 8.699 ms 7.908 ms 7.785 ms
5 10.1.45.4 (10.1.45.4) 2.715 ms 3.069 ms 8.991 ms
MPLS Label=299968 CoS=0 TTL=1 S=1
6 2.2.2.2 (2.2.2.2) 8.860 ms 3.062 ms 2.850 ms

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

25
8





259 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 3. L3VPN

Initial configurations: L3VPN part3

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

25
9





260 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

5.8: BGP based Hub and spoke VPN with 1 interface

• Configure VPNA in AS65001, use BGP as a routing protocol.
• Make VPNA-S1 act as the hub site and connect it to the SP network using only 1
interface.
• Spoke sites should receive a default route, not the routes towards the other spokes.
• Make the PE routers peer with the out-of-path route-reflector and do not enable the
route-reflector for MPLS.

Configuration:

R1:

set protocols bgp log-updown

set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 172.16.1.1
set protocols bgp group ibgp family inet-vpn unicast
set protocols bgp group ibgp neighbor 172.16.1.9

set routing-instances VPNA-ADVERTISE instance-type vrf

set routing-instances VPNA-ADVERTISE vrf-target target:6500:100
set routing-instances VPNA-ADVERTISE vrf-table-label
set routing-instances VPNA-ADVERTISE routing-options auto-export

set routing-instances VPNA-HUB instance-type vrf

set routing-instances VPNA-HUB interface ge-0/0/4.100
set routing-instances VPNA-HUB vrf-import spoke-import

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set routing-instances VPNA-HUB vrf-export hub-export
set routing-instances VPNA-HUB no-vrf-advertise
set routing-instances VPNA-HUB routing-options auto-export
set routing-instances VPNA-HUB protocols bgp group ce peer-as 65001
set routing-instances VPNA-HUB protocols bgp group ce as-override
set routing-instances VPNA-HUB protocols bgp group ce neighbor
10.0.0.2

set policy-options policy-statement hub-export term hub from

protocol direct
set policy-options policy-statement hub-export term hub from
protocol bgp
set policy-options policy-statement hub-export term hub then
community add vpna-hub 26
0
set policy-options policy-statement hub-export term hub then accept





261 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set policy-options policy-statement spoke-import term spokes from

protocol bgp
set policy-options policy-statement spoke-import term spokes from
community vpna-spoke
set policy-options policy-statement spoke-import term spokes then
accept

set policy-options community vpna-hub members target:6500:100

set policy-options community vpna-spoke members target:6500:101

set routing-options route-distinguisher-id 172.16.1.1

set routing-options autonomous-system 65000

R2:

set protocols bgp log-updown

set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 172.16.1.2
set protocols bgp group ibgp family inet-vpn unicast
set protocols bgp group ibgp neighbor 172.16.1.9

set routing-instances VPNA-S2 instance-type vrf

set routing-instances VPNA-S2 interface ge-0/0/4.101
set routing-instances VPNA-S2 vrf-import hub-import
set routing-instances VPNA-S2 vrf-export spoke-export
set routing-instances VPNA-S2 protocols bgp group ce peer-as 65001

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set routing-instances VPNA-S2 protocols bgp group ce as-override
set routing-instances VPNA-S2 protocols bgp group ce neighbor
10.0.0.6

set policy-options policy-statement hub-import term spokes from

protocol bgp
set policy-options policy-statement hub-import term spokes from
community vpna-hub
set policy-options policy-statement hub-import term spokes then
accept

set policy-options policy-statement spoke-export term hub from

protocol direct
set policy-options policy-statement spoke-export term hub from 26
1
protocol bgp





262 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set policy-options policy-statement spoke-export term hub then

community add vpna-spoke
set policy-options policy-statement spoke-export term hub then
accept

set policy-options community vpna-hub members target:6500:100

set policy-options community vpna-spoke members target:6500:101

set routing-options route-distinguisher-id 172.16.1.2

set routing-options autonomous-system 65000

R3:

set protocols bgp log-updown

set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 172.16.1.3
set protocols bgp group ibgp family inet-vpn unicast
set protocols bgp group ibgp neighbor 172.16.1.9

set routing-instances VPNA-S3 instance-type vrf

set routing-instances VPNA-S3 interface ge-0/0/4.102
set routing-instances VPNA-S3 vrf-import hub-import
set routing-instances VPNA-S3 vrf-export spoke-export
set routing-instances VPNA-S3 protocols bgp group ce peer-as 65001
set routing-instances VPNA-S3 protocols bgp group ce as-override
set routing-instances VPNA-S3 protocols bgp group ce neighbor
10.0.0.10

set policy-options policy-statement hub-import term spokes from JNCIE-SP workbook: Appendix: Chapter 5 - VPN
protocol bgp
set policy-options policy-statement hub-import term spokes from
community vpna-hub
set policy-options policy-statement hub-import term spokes then
accept

set policy-options policy-statement spoke-export term hub from

protocol direct
set policy-options policy-statement spoke-export term hub from
protocol bgp
set policy-options policy-statement spoke-export term hub then
community add vpna-spoke 26
2





263 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set policy-options policy-statement spoke-export term hub then

accept

set policy-options community vpna-hub members target:6500:100

set policy-options community vpna-spoke members target:6500:101

set routing-options route-distinguisher-id 172.16.1.3

set routing-options autonomous-system 65000

RR:

set protocols bgp log-updown

set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 172.16.1.9
set protocols bgp group ibgp family inet-vpn unicast
set protocols bgp group ibgp cluster 0.0.0.1
set protocols bgp group ibgp neighbor 172.16.1.1
set protocols bgp group ibgp neighbor 172.16.1.2
set protocols bgp group ibgp neighbor 172.16.1.3
set routing-options resolution rib bgp.l3vpn.0 resolution-ribs
inet.0
set routing-options autonomous-system 65000

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

26
3





264 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

From the route-reflector, we can quickly check to see if all sessions are up and we can verify
if the inet-vpn address family has been negotiated successfully:

lab@route-reflector> show bgp summary
Groups: 1 Peers: 3 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
bgp.l3vpn.0 26 26 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Damped...
172.16.1.1 65000 7 10 0 0 1:24 Establ
bgp.l3vpn.0: 3/3/0
172.16.1.2 65000 6 8 0 0 1:20 Establ
bgp.l3vpn.0: 11/11/0
172.16.1.3 65000 7 9 0 0 1:19 Establ
bgp.l3vpn.0: 12/12/0

We can see that received routes are active even though the route-reflector does not have
any routing-information in its inet.3 table. Because of the resolution configuration under the
routing-options stanza, this is not necessary. Through this configuration, we have instructed
the route-reflector to resolve the next-hop for all routes in the bgp.l3vpn.0 table in the inet.0
table. This one BGP command also immediately informs us that we are learning routes from
all PE routers involved in the hub and spoke VPN.

Let’s move on to the verification of the VPN. When a hub site only has one interface, it still
requires two route-targets. These are a hub and a spoke route-target. The hub site will also
require two routing-instances on the PE that it is attached to. The two instances each have
their own purpose.

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

Let’s first examine the ‘VPNA-HUB’ instance. The interface towards the CE is place in this
VPN. Across this interface, a BGP session is configured with the CE device:

lab@R1> show bgp summary instance VPNA-HUB

Groups: 1 Peers: 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
VPNA-HUB.inet.0
25 25 0 0 0 0
VPNA-HUB.mdt.0
0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
10.0.0.2 65001 6 11 0 0 1:23
Establ
VPNA-HUB.inet.0: 2/2/2/0
26
lab@R1> show route receive-protocol bgp 10.0.0.2 table VPNA-HUB 4





265 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

VPNA-HUB.inet.0: 27 destinations, 27 routes (27 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 0.0.0.0/0 10.0.0.2 65001 I
* 1.1.1.1/32 10.0.0.2 65001 I

We can see that we are learning two prefixes from the CE device. The routing-instance is
also configured to import all routes with the spoke route-target. To verify this, we first check
what routes we are receiving on R2 and R3:

lab@R2> show route receive-protocol bgp 10.0.0.6 table VPNA-S2.inet.0

VPNA-S2.inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 1.1.1.2/32 10.0.0.6 65001 I
* 1.1.2.0/24 10.0.0.6 65001 I
* 1.1.3.0/24 10.0.0.6 65001 I
* 1.1.4.0/24 10.0.0.6 65001 I
* 1.1.5.0/24 10.0.0.6 65001 I
* 1.1.6.0/24 10.0.0.6 65001 I
* 1.1.7.0/24 10.0.0.6 65001 I
* 1.1.8.0/24 10.0.0.6 65001 I
* 1.1.9.0/24 10.0.0.6 65001 I
* 1.1.10.0/24 10.0.0.6 65001 I

lab@R3> show route receive-protocol bgp 10.0.0.10 table VPNA-S3.inet.0

VPNA-S3.inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 1.1.1.3/32 10.0.0.10 65001 I
* 1.1.11.0/24 10.0.0.10 65001 I
* 1.1.12.0/24 10.0.0.10 65001 I
* 1.1.13.0/24 10.0.0.10 65001 I

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

* 1.1.14.0/24 10.0.0.10 65001 I
* 1.1.15.0/24 10.0.0.10 65001 I
* 1.1.16.0/24 10.0.0.10 65001 I
* 1.1.17.0/24 10.0.0.10 65001 I
* 1.1.18.0/24 10.0.0.10 65001 I
* 1.1.19.0/24 10.0.0.10 65001 I
* 1.1.20.0/24 10.0.0.10 65001 I

To verify that these routes are being advertised to the hub CE device, we can issue the
following command:

lab@R1> show route advertising-protocol bgp 10.0.0.2 table VPNA-HUB 1.1.1.2

VPNA-HUB.inet.0: 27 destinations, 27 routes (27 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path 26
5
* 1.1.1.2/32 Self 65000 I





266 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R1> show route advertising-protocol bgp 10.0.0.2 table VPNA-HUB 1.1.1.3

VPNA-HUB.inet.0: 27 destinations, 27 routes (27 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 1.1.1.3/32 Self 65000 I

The PE is advertising the spoke routes towards the hub CE. This means that the hub CE has
full knowledge of all the spoke routes. We also added two extra knobs to the configuration
of this routing-instance. These are ‘no-vrf-advertise’ and the ‘auto-export’ knob.

The ‘no-vrf-advertise’ configuration prevents the hub learned prefixes from being advertised
to the route-reflector. Instead of advertising the routes to the route-reflector, the ‘auto-
export’ knob makes the routes eligible for local route-leaking.

This is where the second routing-instance comes in. The VPNA-ADVERTISE routing-instance is
configured without any interfaces. It’s also configured with ‘auto-export’ and the ‘vrf-target
target:6500:100’, which is the hub route-target. Because of the 'auto-export' configuration,
the routes learned from the hub CE are leaked from VPNA-HUB to VPNA-ADVERTISE. And
because VPNA-ADVERTISE is not configured with the ‘no-vrf-advertise’ knob, this routing-
instance will advertise the hub CE prefixes to the route-reflector. Packets that are send from
one spoke site to the other will arrive in this routing-instance. When they do, a lookup is
done and packets will be routed towards the hub CE:

lab@R1> show route table VPNA-ADVERTISE

VPNA-ADVERTISE.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[BGP/170] 00:02:11, localpref 100 JNCIE-SP workbook: Appendix: Chapter 5 - VPN
AS path: 65001 I
> to 10.0.0.2 via ge-0/0/4.100
1.1.1.1/32 *[BGP/170] 00:02:11, localpref 100
AS path: 65001 I
> to 10.0.0.2 via ge-0/0/4.100
10.0.0.0/30 *[Direct/0] 00:06:07
> via ge-0/0/4.100

Packets send by a spoke can only be routed towards hub CE and when they arrive at the hub
CE , that device will do a route-lookup. As we saw earlier, the hub CE has all the spoke
routes, so the lookup by the hub CE will point the packets back at the PE. This will make the
packets arrive in the VPNA-HUB routing instance. This routing-instance does contain all
spoke routes, so packets can be routed towards a spoke site: 26
6





267 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R1> show route table VPNA-HUB terse

VPNA-HUB.inet.0: 27 destinations, 27 routes (27 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

A Destination P Prf Metric 1 Metric 2 Next hop AS path

* 0.0.0.0/0 B 170 100 >10.0.0.2 65001 I
* 1.1.1.1/32 B 170 100 >10.0.0.2 65001 I
* 1.1.1.2/32 B 170 100 >192.168.1.6 65001 I
* 1.1.1.3/32 B 170 100 >192.168.1.6 65001 I
* 1.1.2.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.3.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.4.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.5.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.6.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.7.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.8.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.9.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.10.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.11.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.12.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.13.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.14.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.15.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.16.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.17.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.18.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.19.0/24 B 170 100 >192.168.1.6 65001 I
* 1.1.20.0/24 B 170 100 >192.168.1.6 65001 I
* 10.0.0.0/30 D 0 >ge-0/0/4.100
* 10.0.0.1/32 L 0 Local
* 10.0.0.4/30 B 170 100 >192.168.1.6 I
* 10.0.0.8/30 B 170 100 >192.168.1.6 I

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

We can do a final check to verify that the hub and spoke topology we have just created
works as intended by performing a traceroute from S3 to S2:

lab@vr-device> traceroute routing-instance vpna-s3 1.1.1.2 source 1.1.1.3 wait 1

traceroute to 1.1.1.2 (1.1.1.2) from 1.1.1.3, 30 hops max, 40 byte packets
1 10.0.0.9 (10.0.0.9) 2.348 ms 3.841 ms 2.739 ms
2 * * *
3 10.0.0.2 (10.0.0.2) 5.967 ms 5.517 ms 5.861 ms
4 10.0.0.1 (10.0.0.1) 9.081 ms 9.605 ms 8.905 ms
5 * * *
6 192.168.1.21 (192.168.1.21) 4.641 ms 3.780 ms 4.034 ms
MPLS Label=299776 CoS=0 TTL=1 S=1
7 1.1.1.2 (1.1.1.2) 5.337 ms 6.422 ms 5.141 ms
lab@vr-device>
26
lab@vr-device> traceroute routing-instance vpna-s2 1.1.1.3 source 1.1.1.2 wait 1 7
traceroute to 1.1.1.3 (1.1.1.3) from 1.1.1.2, 30 hops max, 40 byte packets




268 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

1
10.0.0.5 (10.0.0.5) 8.076 ms 7.724 ms 3.879 ms
2
* * *
3
10.0.0.2 (10.0.0.2) 8.156 ms 7.550 ms 5.514 ms
4
10.0.0.1 (10.0.0.1) 11.056 ms 10.971 ms 8.827 ms
5
* * *
6
* * *
7
192.168.1.29 (192.168.1.29) 12.342 ms 9.812 ms 11.312 ms
MPLS Label=299776 CoS=0 TTL=1 S=1
8 1.1.1.3 (1.1.1.3) 20.463 ms 27.710 ms 11.933 ms
lab@vr-device>

Packets sourced from s3 can make it to s2 and vice versa. From the traceroute output, we
can conclude that packets are send through the hub site.

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

26
8





269 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

5.9: BGP based MPLS VPN and 6VPE

• Configure VPNB in AS65000, use BGP as a routing protocol.
• Use IPv4 BGP sessions between the CE and PE and use that session to exchange IPv4
and IPv6 prefix information.
• Make sure all sites can reach both the IPv4 and IPv6 addresses that are advertised by
the CEs.
• Make sure that VPNB-S1 is the preferred link for IPv4 traffic and that VPNB-S2 is the
preferred link for IPv6 traffic.
• Give R3 one set of LSPs that carry only IPv4 traffic and another set of LSPs that carry
only IPv6 traffic towards R1, R2 and R4.

Configuration:

R1:

set protocols bgp group ibgp family inet6-vpn unicast

set protocols mpls ipv6-tunneling

set interfaces ge-0/0/4 unit 103 family inet6 address

::ffff:10.0.1.1/126

set routing-instances VPNB instance-type vrf

set routing-instances VPNB interface ge-0/0/4.103
set routing-instances VPNB vrf-target target:65000:2
set routing-instances VPNB protocols bgp group ce import vpnb-import
set routing-instances VPNB protocols bgp group ce family inet

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

unicast
set routing-instances VPNB protocols bgp group ce family inet6
unicast
set routing-instances VPNB protocols bgp group ce export vpnb-export
set routing-instances VPNB protocols bgp group ce peer-as 65500
set routing-instances VPNB protocols bgp group ce as-override
set routing-instances VPNB protocols bgp group ce neighbor 10.0.1.2

set policy-options policy-statement vpnb-export term ipv6 from

family inet6
set policy-options policy-statement vpnb-export term ipv6 then as-
path-prepend 65000
set policy-options policy-statement vpnb-export term ipv6 then
accept
26
9





270 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set policy-options policy-statement vpnb-import term ipv4 from

family inet
set policy-options policy-statement vpnb-import term ipv4 then
local-preference 110
set policy-options policy-statement vpnb-import term ipv4 then
accept

R2:

set protocols bgp group ibgp family inet6-vpn unicast

set protocols mpls ipv6-tunneling

set interfaces ge-0/0/4 unit 104 family inet6 address
::ffff:10.0.1.5/126

set routing-instances VPNB instance-type vrf

set routing-instances VPNB interface ge-0/0/4.104
set routing-instances VPNB vrf-target target:65000:2
set routing-instances VPNB protocols bgp group ce import vpnb-import
set routing-instances VPNB protocols bgp group ce family inet
unicast
set routing-instances VPNB protocols bgp group ce family inet6
unicast
set routing-instances VPNB protocols bgp group ce export vpnb-export
set routing-instances VPNB protocols bgp group ce peer-as 65500
set routing-instances VPNB protocols bgp group ce as-override
set routing-instances VPNB protocols bgp group ce neighbor 10.0.1.6

set policy-options policy-statement vpnb-export term ipv4 from JNCIE-SP workbook: Appendix: Chapter 5 - VPN
family inet
set policy-options policy-statement vpnb-export term ipv4 then as-
path-prepend 65000
set policy-options policy-statement vpnb-export term ipv4 then
accept
set policy-options policy-statement vpnb-import term ipv6 from next-
hop ::ffff:10.0.1.6
set policy-options policy-statement vpnb-import term ipv6 then
local-preference 110
set policy-options policy-statement vpnb-import term ipv6 then
accept
27
0
R3:





271 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set protocols bgp group ibgp family inet6-vpn unicast

set protocols mpls label-switched-path R3_to_R1_ipv6 no-install-to-

address
set protocols mpls label-switched-path R3_to_R1_ipv6 to 172.16.1.1
set protocols mpls label-switched-path R3_to_R1_ipv6 install
::ffff:172.16.1.1/128
set protocols mpls label-switched-path R3_to_R2_ipv6 no-install-to-
address
set protocols mpls label-switched-path R3_to_R2_ipv6 to 172.16.1.2
set protocols mpls label-switched-path R3_to_R2_ipv6 install
::ffff:172.16.1.2/128
set protocols mpls label-switched-path R3_to_R4_ipv6 no-install-to-
address
set protocols mpls label-switched-path R3_to_R4_ipv6 to 172.16.1.4
set protocols mpls label-switched-path R3_to_R4_ipv6 install
::ffff:172.16.1.4/128

set interfaces ge-0/0/4 unit 105 family inet6 address

::ffff:10.0.1.9/126

set routing-instances VPNB instance-type vrf

set routing-instances VPNB interface ge-0/0/4.105
set routing-instances VPNB vrf-target target:65000:2
set routing-instances VPNB protocols bgp group ce family inet
unicast

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

set routing-instances
unicast
set routing-instances
set routing-instances
set routing-instances
VPNB protocols bgp group ce family inet6
VPNB protocols bgp group ce peer-as 65500
VPNB protocols bgp group ce as-override
VPNB protocols bgp group ce neighbor 10.0.1.10

R4:

set protocols bgp log-updown

set protocols bgp group ibgp type internal
set protocols bgp group ibgp local-address 172.16.1.4
set protocols bgp group ibgp family inet-vpn unicast
set protocols bgp group ibgp family inet6-vpn unicast
set protocols bgp group ibgp neighbor 172.16.1.9 27
1





272 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set protocols mpls ipv6-tunneling

set interfaces ge-0/0/4 unit 106 family inet6 address

::ffff:10.0.1.13/126

set routing-instances VPNB instance-type vrf

set routing-instances
set routing-instances
set routing-instances
unicast
set routing-instances
unicast
set routing-instances
set routing-instances
set routing-instances
VPNB interface ge-0/0/4.106
VPNB vrf-target target:65000:2
VPNB protocols bgp group ce family inet
VPNB protocols bgp group ce family inet6
VPNB protocols bgp group ce peer-as 65500
VPNB protocols bgp group ce as-override
VPNB protocols bgp group ce neighbor 10.0.1.14

set routing-options route-distinguisher-id 172.16.1.4

set routing-options autonomous-system 65000

RR:

set protocols bgp group ibgp neighbor 172.16.1.4

set protocols bgp group ibgp family inet6-vpn unicast
set routing-options rib inet6.3 static route 0:0:0:0:0:ffff::/96
discard

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

27
2





273 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

We have configured several things. The highlights are the following:
• enabled PE-CE communication and configured a routing-instance on all PE routers
• manipulated the preference for IPv4 and IPv6 routes
• enabled the distribution of the additional inet6-vpn address family between the PE
routers
• installed IPv4 mapped IPv6 routes in the inet6.3 table to be able to resolve the IPv6
routes

The routing instance was configured on PE routers R1, R2, R3 and R4. To verify that the PE-
CE peering session supports both IPv4 and IPv6 prefixes, we can issue the following
command:

lab@R1> show bgp neighbor 10.0.1.2 | match NLRI.*session
NLRI for this session: inet-unicast inet6-unicast

The CE devices send the IPv6 prefixes with a next-hop attribute that contains an IPv4
mapped IPv6 address. To be able to resolve these routes, we configured an IPv4 mapped
IPv6 address on the PE’s CE facing interface. This was done on all PE routers. To verify the
receipt of the IPv6 prefixes:

lab@R1> show route receive-protocol bgp 10.0.1.2

inet.0: 29 destinations, 29 routes (29 active, 0 holddown, 0 hidden)

inet.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

VPNA-ADVERTISE.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

VPNA-HUB.inet.0: 27 destinations, 27 routes (27 active, 0 holddown, 0 hidden)

VPNB.inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 2.0.1.0/24 10.0.1.2 65500 I
* 2.0.2.0/24 10.0.1.2 65500 I
* 2.0.3.0/24 10.0.1.2 65500 I
* 2.0.4.0/24 10.0.1.2 65500 I
* 2.2.2.1/32 10.0.1.2 65500 I
* 2.2.2.2/32 10.0.1.2 65500 I

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

mpls.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)

27
bgp.l3vpn.0: 35 destinations, 35 routes (35 active, 0 holddown, 0 hidden) 3





274 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

inet6.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

VPNB.inet6.0: 20 destinations, 26 routes (20 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
2001:db8:2222::1/128
::ffff:10.0.1.2 65500 I
2001:db8:2222::2/128
::ffff:10.0.1.2 65500 I
2001:db8:aaaa:2:1::/80
::ffff:10.0.1.2 65500 I
2001:db8:aaaa:2:2::/80
::ffff:10.0.1.2 65500 I
2001:db8:aaaa:2:3::/80
::ffff:10.0.1.2 65500 I
2001:db8:aaaa:2:4::/80
::ffff:10.0.1.2 65500 I

bgp.l3vpn-inet6.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)

To verify that R1 is used primarily for IPv4 traffic and that R2 is used primarily for IPv6 traffic,
we first check the routes that were advertised to the CE devices.

lab@R1> show route advertising-protocol bgp 10.0.1.2

VPNB.inet.0: 21 destinations, 21 routes (21 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 2.0.1.0/24 10.0.1.2 65000 I
* 2.0.2.0/24 10.0.1.2 65000 I
* 2.0.3.0/24 10.0.1.2 65000 I
* 2.0.4.0/24 10.0.1.2 65000 I
* 2.0.5.0/24 Self 65000 I

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

* 2.0.6.0/24 Self 65000 I
* 2.0.7.0/24 Self 65000 I
* 2.0.8.0/24 Self 65000 I
* 2.0.9.0/24 Self 65000 I
* 2.0.10.0/24 Self 65000 I
* 2.0.11.0/24 Self 65000 I
* 2.0.12.0/24 Self 65000 I
* 2.2.2.1/32 10.0.1.2 65000 I
* 2.2.2.2/32 Self 65000 I
* 2.2.2.3/32 Self 65000 I
* 2.2.2.4/32 Self 65000 I
* 10.0.1.4/30 Self I
* 10.0.1.8/30 Self I
* 10.0.1.12/30 Self I

VPNB.inet6.0: 20 destinations, 24 routes (20 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path 27
4
* ::ffff:10.0.1.0/126 Self 65000 [65000] I





275 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

2001:db8:2222::1/128
* ::ffff:10.0.1.2 65000 [65000]
65000 I
2001:db8:2222::2/128
* Self 65000 [65000]
65000 I
2001:db8:2222::3/128
* Self 65000 [65000]
65000 I
2001:db8:2222::4/128
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:1::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:2::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:3::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:4::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:5::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:6::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:7::/80
* Self 65000 [65000]
65000 I

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

2001:db8:aaaa:2:8::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:9::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:10::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:11::/80
* Self 65000 [65000]
65000 I
2001:db8:aaaa:2:12::/80
* Self 65000 [65000]
65000 I

lab@R2> show route advertising-protocol bgp 10.0.1.6 27
5





276 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

VPNB.inet.0: 21 destinations, 25 routes (21 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 2.0.1.0/24 Self 65000 [65000]
65000 I
* 2.0.2.0/24 Self 65000 [65000]
65000 I
* 2.0.3.0/24 Self 65000 [65000]
65000 I
* 2.0.4.0/24 Self 65000 [65000]
65000 I
* 2.0.5.0/24 Self 65000 [65000]
65000 I
* 2.0.6.0/24 Self 65000 [65000]
65000 I
* 2.0.7.0/24 Self 65000 [65000]
65000 I
* 2.0.8.0/24 Self 65000 [65000]
65000 I
* 2.0.9.0/24 Self 65000 [65000]
65000 I
* 2.0.10.0/24 Self 65000 [65000]
65000 I
* 2.0.11.0/24 Self 65000 [65000]
65000 I
* 2.0.12.0/24 Self 65000 [65000]
65000 I
* 2.2.2.1/32 Self 65000 [65000]
65000 I
* 2.2.2.2/32 10.0.1.6 65000 [65000]
65000 I
* 2.2.2.3/32 Self 65000 [65000]
65000 I
* 2.2.2.4/32 Self 65000 [65000]

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

65000 I
* 10.0.1.0/30 Self 65000 [65000] I
* 10.0.1.4/30 Self 65000 [65000] I
* 10.0.1.8/30 Self 65000 [65000] I
* 10.0.1.12/30 Self 65000 [65000] I

VPNB.inet6.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
2001:db8:2222::1/128
* Self 65000 I
2001:db8:2222::2/128
* ::ffff:10.0.1.6 65000 I
2001:db8:2222::3/128
* Self 65000 I
2001:db8:2222::4/128
* Self 65000 I
2001:db8:aaaa:2:1::/80 27
6

* ::ffff:10.0.1.6 65000 I

277 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

2001:db8:aaaa:2:2::/80
* ::ffff:10.0.1.6 65000 I
2001:db8:aaaa:2:3::/80
* ::ffff:10.0.1.6 65000 I
2001:db8:aaaa:2:4::/80
* ::ffff:10.0.1.6 65000 I
2001:db8:aaaa:2:5::/80
* Self 65000 I
2001:db8:aaaa:2:6::/80
* Self 65000 I
2001:db8:aaaa:2:7::/80
* Self 65000 I
2001:db8:aaaa:2:8::/80
* Self 65000 I
2001:db8:aaaa:2:9::/80
* Self 65000 I
2001:db8:aaaa:2:10::/80
* Self 65000 I
2001:db8:aaaa:2:11::/80
* Self 65000 I
2001:db8:aaaa:2:12::/80
* Self 65000 I

Both PE routers are advertising IPv4 and IPv6 prefixes. On R1, the IPv6 prefixes are being
prepended and on R2, the IPv4 prefixes are being prepended.

To verify that traffic from the MPLS VPN towards the CE devices is following the desired
path, we can examine the route towards CE1 in the routing-table of the VPN on both R1 and
R2:

lab@R1> show route table VPNB 2.2.2.1

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

VPNB.inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.1/32 *[BGP/170] 00:17:05, localpref 110

AS path: 65500 I
> to 10.0.1.2 via ge-0/0/4.103

lab@R1> show route table VPNB 2001:db8:2222::1/128

VPNB.inet6.0: 20 destinations, 26 routes (20 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

2001:db8:2222::1/128
*[BGP/170] 00:03:34, localpref 110, from 172.16.1.9
AS path: 65500 I
> to 192.168.1.6 via ge-0/0/4.3, label-switched-path R1_to_R2
27
[BGP/170] 00:17:07, localpref 100, from 10.0.1.2
7
AS path: 65500 I




278 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

> to ::ffff:10.0.1.2 via ge-0/0/4.103

lab@R2> show route table VPNB 2.2.2.1

VPNB.inet.0: 21 destinations, 27 routes (21 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

2.2.2.1/32 *[BGP/170] 00:17:34, localpref 110, from 172.16.1.9

AS path: 65500 I
> to 192.168.1.22 via ge-0/0/4.7, label-switched-path R2_to_R1
[BGP/170] 00:04:02, localpref 100
AS path: 65500 I
> to 10.0.1.6 via ge-0/0/4.104

lab@R2> show route 2001:db8:2222::1/128

VPNB.inet6.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

2001:db8:2222::1/128
*[BGP/170] 00:04:08, localpref 110, from 10.0.1.6
AS path: 65500 I
> to ::ffff:10.0.1.6 via ge-0/0/4.104

In the output, the local preference of the route that was advertised by the attached CE
device was highlighted. On R1, the IPv4 route has the highest local preference and on R2 the
IPv6 route has the highest local preference.

All PE routers and the RR had their BGP sessions configured with the inet6-vpn address
family. To verify what address families are currently active on a BGP session:

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

lab@route-reflector> show bgp neighbor | match NLRI.*session
NLRI for this session: inet-vpn-unicast inet6-vpn-unicast
NLRI for this session: inet-vpn-unicast inet6-vpn-unicast
NLRI for this session: inet-vpn-unicast inet6-vpn-unicast
NLRI for this session: inet-vpn-unicast inet6-vpn-unicast

This enables the distribution of the IPv6 VPN prefix information throughout the core
network. To make sure that the IPv6 prefixes will be reflected by the RR, we configured a
static default route for the inet6.3 table.

On several PE routers, we configured ‘ipv6-tunneling’ under the MPLS stanza. This
configuration knob copies the IPv4 LDP and RSVP routes as IPv4 mapped IPv6 addresses in
the inet6.3 table: 27
8






279 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R1> show route table inet.3

inet.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.16.1.2/32 *[RSVP/7/1] 00:21:00, metric 20

> to 192.168.1.6 via ge-0/0/4.3, label-switched-path R1_to_R2
172.16.1.3/32 *[RSVP/7/1] 00:21:00, metric 20
> to 192.168.1.6 via ge-0/0/4.3, label-switched-path R1_to_R3
172.16.1.4/32 *[RSVP/7/1] 00:21:00, metric 30
> to 192.168.1.6 via ge-0/0/4.3, label-switched-path R1_to_R4

lab@R1> show route table inet6.3

inet6.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

::ffff:172.16.1.2/128
*[RSVP/7/1] 00:21:02, metric 20
> to 192.168.1.6 via ge-0/0/4.3, label-switched-path R1_to_R2
::ffff:172.16.1.3/128
*[RSVP/7/1] 00:21:02, metric 20
> to 192.168.1.6 via ge-0/0/4.3, label-switched-path R1_to_R3
::ffff:172.16.1.4/128
*[RSVP/7/1] 00:21:02, metric 30
> to 192.168.1.6 via ge-0/0/4.3, label-switched-path R1_to_R4

Because of this, the PE routers can both resolve the IPv6 prefixes and use the RSVP-signaled
LSPs to forward IPv6 traffic.

On the R3 router, we forced IPv6 traffic across separate LSPSs by configuring the IPv4
mapped IPv6 address in the LSP configuration. Additionally, we configured the LSP with the

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

‘no-install-to-address’ knob. Because of this, the LSP endpoint will not be installed for the
LSP. To verify the LSPs, we can issue the following command:

lab@R3> show route table inet.3

inet.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.16.1.1/32 *[RSVP/7/1] 00:56:49, metric 20

> to 192.168.1.34 via ge-0/0/4.10, label-switched-path
R3_to_R1
172.16.1.2/32 *[RSVP/7/1] 00:56:50, metric 20
> to 192.168.1.30 via ge-0/0/4.9, label-switched-path R3_to_R2
172.16.1.4/32 *[RSVP/7/1] 00:56:54, metric 20
> to 192.168.1.30 via ge-0/0/4.9, label-switched-path R3_to_R4
27
9
lab@R3> show route table inet6.3




280 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

inet6.3: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

::ffff:172.16.1.1/128
*[RSVP/7/1] 00:15:00, metric 20
> to 192.168.1.34 via ge-0/0/4.10, label-switched-path
R3_to_R1_ipv6
::ffff:172.16.1.2/128
*[RSVP/7/1] 00:15:00, metric 20
> to 192.168.1.34 via ge-0/0/4.10, label-switched-path
R3_to_R2_ipv6
::ffff:172.16.1.4/128
*[RSVP/7/1] 00:15:00, metric 20
> to 192.168.1.30 via ge-0/0/4.9, label-switched-path
R3_to_R4_ipv6

Finally, we can verify IP connectivity from the VR.

lab@vr-device> ping rapid routing-instance vpnb-s4 source 2.2.2.4 2.2.2.1

PING 2.2.2.1 (2.2.2.1): 56 data bytes
!!!!!
--- 2.2.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.823/3.294/3.872/0.418 ms

lab@vr-device> ping rapid routing-instance vpnb-s4 source 2.2.2.4 2.2.2.2

PING 2.2.2.2 (2.2.2.2): 56 data bytes
!!!!!
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.792/3.123/3.919/0.412 ms

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

lab@vr-device> ping rapid routing-instance vpnb-s4 source 2.2.2.4 2.2.2.3
PING 2.2.2.3 (2.2.2.3): 56 data bytes
!!!!!

lab@vr-device> ping rapid routing-instance vpnb-s4 source 2001:db8:2222::4

2001:db8:2222::1

PING6(56=40+8+8 bytes) 2001:db8:2222::4 --> 2001:db8:2222::1

!!!!!
--- 2001:db8:2222::1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 4.096/4.939/6.118/0.655 ms

lab@vr-device> ping rapid routing-instance vpnb-s4 source 2001:db8:2222::4

2001:db8:2222::2

PING6(56=40+8+8 bytes) 2001:db8:2222::4 --> 2001:db8:2222::2 28

0
!!!!!





281 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

--- 2001:db8:2222::2 ping6 statistics ---

5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 4.615/5.729/6.302/0.593 ms

lab@vr-device> ping rapid routing-instance vpnb-s4 source 2001:db8:2222::4

2001:db8:2222::3

PING6(56=40+8+8 bytes) 2001:db8:2222::4 --> 2001:db8:2222::3

!!!!!
--- 2001:db8:2222::3 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 3.896/5.310/6.958/1.199 ms

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

28
1





282 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

5.10: Inter provider VPN option B

• Configure an EBGP session with the ISP router and connect both VPNA as well as
VPNB to AS64098 on R4.
• For VPNA, the other ISP is using target:64098:1 and for VPNB, the other ISP is using
target:64098:2.


Configuration:

R4:

set interfaces ge-0/0/4 unit 107 family mpls

set protocols bgp group ebgp import import-isp

set protocols bgp group ebgp family inet-vpn unicast
set protocols bgp group ebgp export export-isp
set protocols bgp group ebgp neighbor 192.168.1.58 peer-as 64098

set policy-options policy-statement export-isp term vpna from community

vpna-spoke
set policy-options policy-statement export-isp term vpna from community
vpna-hub
set policy-options policy-statement export-isp term vpna then community set
vpna-remote
set policy-options policy-statement export-isp term vpna then accept
set policy-options policy-statement export-isp term vpnb from community
vpnb
set policy-options policy-statement export-isp term vpnb then community set

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

vpnb-remote
set policy-options policy-statement export-isp term vpnb then accept

set policy-options policy-statement import-isp term vpna from community

vpna-remote
set policy-options policy-statement import-isp term vpna then community set
vpna-spoke
set policy-options policy-statement import-isp term vpna then accept
set policy-options policy-statement import-isp term vpnb from community
vpnb-remote
set policy-options policy-statement import-isp term vpnb then community set
vpnb
set policy-options policy-statement import-isp term vpnb then accept

28
set policy-options community vpna-hub members target:6500:100 2





283 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set policy-options community vpna-remote members target:64098:1

set policy-options community vpna-spoke members target:6500:101
set policy-options community vpnb members target:65000:2
set policy-options community vpnb-remote members target:64098:2

Verification:

Interprovider VPN option B is described in RFC4364. The option is titled ‘EBGP redistribution
of labeled VPN-IPv4 routes from AS to neighboring AS’.

First, the BGP session with the neighboring AS needs to support the correct address family:

lab@R4> show bgp neighbor 192.168.1.58 | match NLRI.*session
NLRI for this session: inet-vpn-unicast

The R4 router also needs to be able to forward MPLS traffic across the interface towards the
neighboring AS. For this reason, the interface is configured for MPLS forwarding:

lab@R4> show mpls interface
Interface State Administrative groups (x: extended)
ge-0/0/4.12 Up <none>
ge-0/0/4.13 Up <none>
ge-0/0/4.107 Up <none>

The RTs need to be normalized. This means that through import and export policies, R4 will
be translating the advertised and received RTs to make them correspond with the different
numbering schemes deployed in both ASes.

To verify that the RTs have been translated correctly, we first check the RTs attached to the

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

8.8.8.1 and 8.8.8.2 route:

lab@R4> show route receive-protocol bgp 192.168.1.58 rd-prefix
10.250.1.1:1:8.8.8.1 detail

bgp.l3vpn.0: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden)

* 10.250.1.1:1:8.8.8.1/32 (1 entry, 1 announced)
Accepted
Route Distinguisher: 10.250.1.1:1
VPN Label: 299808
Nexthop: 192.168.1.58
AS path: 64098 I
Communities: target:64098:1

lab@R4> show route receive-protocol bgp 192.168.1.58 rd-prefix

10.250.1.1:2:8.8.8.2 detail 28
3





284 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

bgp.l3vpn.0: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden)

* 10.250.1.1:2:8.8.8.2/32 (1 entry, 1 announced)
Import Accepted
Route Distinguisher: 10.250.1.1:2
VPN Label: 299824
Nexthop: 192.168.1.58
AS path: 64098 I
Communities: target:64098:2

Then we check how they are advertised to the RR:

lab@R4> show route advertising-protocol bgp 172.16.1.9 rd-prefix

10.250.1.1:1:8.8.8.1 detail

bgp.l3vpn.0: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden)

* 10.250.1.1:1:8.8.8.1/32 (1 entry, 1 announced)
BGP group ibgp type Internal
Route Distinguisher: 10.250.1.1:1
VPN Label: 299856
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65000] 64098 I
Communities: target:6500:101

lab@R4> show route advertising-protocol bgp 172.16.1.9 rd-prefix

10.250.1.1:2:8.8.8.2 detail

bgp.l3vpn.0: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden)

* 10.250.1.1:2:8.8.8.2/32 (1 entry, 1 announced)
BGP group ibgp type Internal
Route Distinguisher: 10.250.1.1:2
VPN Label: 299872

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65000] 64098 I
Communities: target:65000:2

The route that is destined to be imported into VPNA had the spoke RT attached to it. To
verify that it was imported correctly, we can issue the following command on R1:

lab@R1> show route table VPNA-HUB.inet.0 8.8.8.1

VPNA-HUB.inet.0: 39 destinations, 39 routes (39 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

8.8.8.1/32 *[BGP/170] 00:03:35, localpref 100, from 172.16.1.9

AS path: 64098 I 28
4
> to 192.168.1.6 via ge-0/0/4.3, label-switched-path R1_to_R4





285 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

To verify that the route for VPNB was imported correctly:

lab@R1> show route table VPNB.inet.0 8.8.8.2

VPNB.inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

8.8.8.2/32 *[BGP/170] 00:05:48, localpref 100, from 172.16.1.9

AS path: 64098 I
> to 192.168.1.6 via ge-0/0/4.3, label-switched-path R1_to_R4


We also need to verify that the routes we are sending into AS64098 have the correct RT
attached:

lab@R4> show route advertising-protocol bgp 192.168.1.58 1.1.1.1/32 detail

bgp.l3vpn.0: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden)

* 172.16.1.1:4:1.1.1.1/32 (1 entry, 1 announced)
BGP group ebgp type External
Route Distinguisher: 172.16.1.1:4
VPN Label: 299904
Nexthop: Self
Flags: Nexthop Change
AS path: [65000] 65001 I
Communities: target:64098:1

lab@R4> show route advertising-protocol bgp 192.168.1.58 2.2.2.1/32 detail

bgp.l3vpn.0: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden)

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

* 172.16.1.1:6:2.2.2.1/32 (1 entry, 1 announced)
BGP group ebgp type External
Route Distinguisher: 172.16.1.1:6
VPN Label: 299936
Nexthop: Self
Flags: Nexthop Change
AS path: [65000] 65500 I
Communities: target:64098:2

The last thing we can do to verify the configuration is verifying IP connectivity between the
remote sites and the sites in AS65000:

lab@vr-device> ping routing-instance vpna-s1 8.8.8.1 rapid

PING 8.8.8.1 (8.8.8.1): 56 data bytes
28
!!!!!
5
--- 8.8.8.1 ping statistics ---




286 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max/stddev = 3.824/4.399/5.118/0.588 ms

lab@vr-device> ping routing-instance vpnb-s1 8.8.8.2 rapid

PING 8.8.8.2 (8.8.8.2): 56 data bytes
!!!!!
--- 8.8.8.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.829/4.599/6.073/0.821 ms

For the route in VPNA, we also want to make sure that traffic passes through the hub site. To
verify this, we can issue the following command:

lab@vr-device> traceroute routing-instance vpna-s2 8.8.8.1 source 1.1.1.2
traceroute to 8.8.8.1 (8.8.8.1) from 1.1.1.2, 30 hops max, 40 byte packets
1 10.0.0.5 (10.0.0.5) 9.949 ms 14.805 ms 8.891 ms
2 * * *
3 10.0.0.2 (10.0.0.2) 5.905 ms 5.767 ms 6.843 ms
4 10.0.0.1 (10.0.0.1) 8.959 ms 9.700 ms 9.934 ms
5 * * *
6 * * *
7 * * *
8 192.168.1.58 (192.168.1.58) 4.933 ms 4.649 ms 4.873 ms
MPLS Label=299808 CoS=0 TTL=1 S=1
9 8.8.8.1 (8.8.8.1) 4.733 ms 4.770 ms 5.749 ms

JNCIE-SP workbook: Appendix: Chapter 5 - VPN

28
6





287 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix: Chapter 6 - Layer 2 VPN

Initial configuration: L2VPN start

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

28
7





288 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.1: Kompella L2VPN (VC Type 5)

• Configure a Kompella L2VPN (VC Type 5) between R1 and R7.
• Use interface ge-0/0/1 on all PE routers.

VC Type 5 is an indication that the encapsulation type is to be set to Ethernet. By using this
encapsulation type, the entire Ethernet frame (except for the preamble or FCS) is
transported as a single packet.

Configuration:

R1:

set interfaces ge-0/0/1 encapsulation ethernet-ccc
set interfaces ge-0/0/1 unit 0 family ccc

set routing-options route-distinguisher-id 1.1.1.1

set protocols bgp group ibgp family l2vpn signaling

set routing-instances l2vpn instance-type l2vpn

set routing-instances l2vpn interface ge-0/0/1.0
set routing-instances l2vpn vrf-target target:65555L:1
set routing-instances l2vpn protocols l2vpn encapsulation-type
ethernet
set routing-instances l2vpn protocols l2vpnsite 1 site-identifier 1

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set routing-instances l2vpn protocols l2vpnsite 1 interface ge-
0/0/1.0

R7:

set interfaces ge-0/0/1 encapsulation ethernet-ccc
set interfaces ge-0/0/1 unit 0 family ccc

set routing-options route-distinguisher-id 7.7.7.7

set protocols bgp group ibgp family l2vpn signaling

set routing-instances l2vpn instance-type l2vpn

set routing-instances l2vpn interface ge-0/0/1.0
set routing-instances l2vpn vrf-target target:65555L:1
set routing-instances l2vpn protocols l2vpn encapsulation-type 28
ethernet 8





289 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set routing-instances l2vpn protocols l2vpnsite 2 site-identifier 2

set routing-instances l2vpn protocols l2vpnsite 2 interface ge-
0/0/1.0

Verification:

Before an L2VPN (or a VPLS) connection can be signaled, the BGP session between R1 and R7
has to be able to support the 'l2vpn' address family:

lab@R7> show bgp neighbor 1.1.1.1 | match NLRI
NLRI for restart configured on peer: l2vpn
NLRI advertised by peer: l2vpn
NLRI for this session: l2vpn
NLRI that restart is negotiated for: l2vpn
NLRI of received end-of-rib markers: l2vpn
NLRI of all end-of-rib markers sent: l2vpn

Checking the L2VPN status can be done by issuing the following command:

lab@R7> show l2vpn connections extensive
Layer-2 VPN connections:

Legend for connection status (St)

EI -- encapsulation invalid NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down NP -- interface hardware not present
CM -- control-word mismatch -> -- only outbound connection is up
CN -- circuit not provisioned <- -- only inbound connection is up

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

OR -- out of range Up -- operational
OL -- no outgoing label Dn -- down
LD -- local site signaled down CF -- call admission control failure
RD -- remote site signaled down SC -- local and remote site ID collision
LN -- local site not designated LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status IL -- no incoming label
MM -- MTU mismatch MI -- Mesh-Group ID not available
BK -- Backup connection ST -- Standby connection
PF -- Profile parse failure PB -- Profile busy
RS -- remote site standby SN -- Static Neighbor
VM -- VLAN ID mismatch

Legend for interface status

Up -- operational
Dn -- down

Instance: l2vpn
Local site: 2 (2)
28
Number of local interfaces: 1 9
Number of local interfaces up: 1




290 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

ge-0/0/1.0 1
Label-base Offset Size Range Preference
800000 1 2 1 100
status-vector: 0
connection-site Type St Time last up # Up trans
1 rmt Up Mar 13 08:05:53 2016 1
Remote PE: 1.1.1.1, Negotiated control-word: Yes (Null)
Incoming label: 800000, Outgoing label: 800003
Local interface: ge-0/0/1.0, Status: Up, Encapsulation: ETHERNET
Connection History:
Mar 13 08:05:53 2016 status update timer
Mar 13 08:05:53 2016 PE route changed
Mar 13 08:05:53 2016 Out lbl Update 800003
Mar 13 08:05:53 2016 In lbl Update 800000
Mar 13 08:05:53 2016 loc intf up ge-0/0/1.0

The highlighted parts inform us about the following:
• the state of the L2VPN (Up)
• the remote PE router involved in this L2VPN (1.1.1.1)
• the local interface that is connected to that remote PE (ge-0/0/1.0)
• the Encapsulation type (Ethernet)
• the connection history

On R1, the L2VPN route that is advertised towards R7 can be observed by issuing the
following command:

lab@R1> show route advertising-protocol bgp 7.7.7.7 detail

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

l2vpn.l2vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
* 1.1.1.1:65533:1:1/96 (1 entry, 1 announced)
BGP group ibgp type Internal
Route Distinguisher: 1.1.1.1:65533
Label-base: 800002, range: 2, status-vector: 0x0
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65555] I
Communities: target:65555L:1 Layer2-info: encaps:ETHERNET, control
flags:Control-Word, mtu: 0, site preference: 100

Some key items in this printout are the route-distinguisher, the extended route-target
community and the encapsulation used for this VPN.

Since the entire interface is configured as part of the L2VPN, all OSPF neighbor relationships
between R8 and R1 should form as soon as the L2VPN is up. We can verify this on the R8
router like this: 29
0






291 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R8> show ospf neighbor instance all

Instance: vpn-a
Address Interface State ID Pri Dead
192.168.1.1 ge-0/0/1.50 Full 192.168.1.1 255 36

Instance: vpn-b
Address Interface State ID Pri Dead
192.168.1.1 ge-0/0/1.60 Full 192.168.1.1 255 35

Instance: vpn-c
Address Interface State ID Pri Dead
192.168.1.1 ge-0/0/1.70 Full 192.168.1.1 255 39

Instance: vpn-d
Address Interface State ID Pri Dead
192.168.1.1 ge-0/0/1.80 Full 192.168.1.1 255 39

Instance: vpn-e
Address Interface State ID Pri Dead
192.168.1.1 ge-0/0/1.90 Full 192.168.1.1 255 38

Instance: l2circuit
Address Interface State ID Pri Dead
192.168.1.1 ge-0/0/1.10 Full 192.168.1.1 255 38

Instance: circuit-b
Address Interface State ID Pri Dead
192.168.1.1 ge-0/0/1.11 Full 192.168.1.1 255 35

Instance: vpn-h

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

29
1





292 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.2: Martini L2VPN

• Remove the VPN configuration from the previous task.

• Configure a VPN for VLAN 10 between R1 and R7.
• Use interface ge-0/0/1 on all PE routers.
• Use LDP as a signaling protocol.

Configuration:

R1:

delete interfaces ge-0/0/1 encapsulation ethernet-ccc
delete interfaces ge-0/0/1 unit 0
delete routing-instances l2vpn

set interfaces ge-0/0/1 vlan-tagging

set interfaces ge-0/0/1 encapsulation flexible-ethernet-services
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 encapsulation vlan-ccc

set protocols ldp interface lo0.0

set protocols l2circuit neighbor 7.7.7.7 interface ge-0/0/1.10
virtual-circuit-id 10

R7:

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

delete interfaces ge-0/0/1 encapsulation ethernet-ccc
delete interfaces ge-0/0/1 unit 0
delete routing-instances l2vpn

set interfaces ge-0/0/1 vlan-tagging

set interfaces ge-0/0/1 encapsulation flexible-ethernet-services
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 encapsulation vlan-ccc

set protocols ldp interface lo0.0

set protocols l2circuit neighbor 1.1.1.1 interface ge-0/0/1.10
virtual-circuit-id 10

29
2





293 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

We can verify the status of the layer 2 circuit itself by issuing the following command:

lab@R1> show l2circuit connections extensive

Layer-2 Circuit Connections:

[…skipped…]

Neighbor: 7.7.7.7
Interface Type St Time last up # Up trans
ge-0/0/1.10(vc 10) rmt Up Mar 13 08:25:14 2016 1
Remote PE: 7.7.7.7, Negotiated control-word: Yes (Null)
Incoming label: 299824, Outgoing label: 299824
Negotiated PW status TLV: No
Local interface: ge-0/0/1.10, Status: Up, Encapsulation: VLAN
Connection History:
Mar 13 08:25:14 2016 status update timer
Mar 13 08:25:14 2016 PE route changed
Mar 13 08:25:14 2016 Out lbl Update 299824
Mar 13 08:25:14 2016 In lbl Update 299824
Mar 13 08:25:14 2016 loc intf up ge-0/0/1.10

On the R8 router, we can verify whether or not an OSPF adjacency was able to form:

lab@R8> show ospf neighbor instance l2circuit
Address Interface State ID Pri Dead
192.168.1.1 ge-0/0/1.10 Full 192.168.1.1 255 34

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

29
3





294 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.3: Kompella L2VPN (VC Type 4)

• Configure vpn ‘circuit-b’ for VLAN 11 between R1 and R7.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.
• Use VC-type 4.

Configuration:

R1:

set interfaces ge-0/0/1 unit 11 encapsulation vlan-ccc
set interfaces ge-0/0/1 unit 11 vlan-id 11

set routing-instances circuit-b instance-type l2vpn

set routing-instances circuit-b interface ge-0/0/1.11
set routing-instances circuit-b vrf-target target:65555L:11
set routing-instances circuit-b protocols l2vpn encapsulation-type
ethernet-vlan
set routing-instances circuit-b protocols l2vpnsite 1 site-
identifier 1
set routing-instances circuit-b protocols l2vpnsite 1 interface ge-
0/0/1.11

R7:

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set interfaces ge-0/0/1 unit 11 encapsulation vlan-ccc
set interfaces ge-0/0/1 unit 11 vlan-id 11

set routing-instances circuit-b instance-type l2vpn

set routing-instances
set routing-instances
set routing-instances
ethernet-vlan
set routing-instances
identifier 2
set routing-instances
0/0/1.11
circuit-b interface ge-0/0/1.11
circuit-b vrf-target target:65555L:11
circuit-b protocols l2vpn encapsulation-type
circuit-b protocols l2vpnsite 2 site-
circuit-b protocols l2vpnsite 2 interface ge-

29
4





295 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R1> show l2vpn connections
Layer-2 VPN connections:

[…skipped…]

Instance: circuit-b
Local site: 1 (1)
connection-site Type St Time last up # Up trans
2 rmt Up Mar 13 08:36:54 2016 1
Remote PE: 7.7.7.7, Negotiated control-word: Yes (Null)
Incoming label: 800003, Outgoing label: 800002
Local interface: ge-0/0/1.11, Status: Up, Encapsulation: VLAN

On the R2 router, we can verify whether or not an OSPF adjacency was able to form across
the configured circuit:

lab@R2> show ospf neighbor instance circuit-b
Address Interface State ID Pri Dead
192.168.1.4 ge-0/0/1.11 Full 192.168.1.4 128 38

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

29
5





296 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.4: Basic LDP-based VPLS

• Configure VPLS ‘vpn-a’ on all PE routers for vlan 50.
• Use interface ge-0/0/1 on all PE routers.
• Use LDP as a signaling protocol.

Configuration:

R1:

set interfaces ge-0/0/1 unit 50 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 50 vlan-id 50

set routing-instances vpn-a instance-type vpls

set routing-instances vpn-a vlan-id 50
set routing-instances vpn-a interface ge-0/0/1.50
set routing-instances vpn-a protocols vpls interface ge-0/0/1.50
set routing-instances vpn-a protocols vpls no-tunnel-services
set routing-instances vpn-a protocols vpls vpls-id 50
set routing-instances vpn-a protocols vpls neighbor 5.5.5.5
set routing-instances vpn-a protocols vpls neighbor 3.3.3.3
set routing-instances vpn-a protocols vpls neighbor 7.7.7.7

R3:

set interfaces ge-0/0/1 vlan-tagging

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set interfaces ge-0/0/1 encapsulation flexible-ethernet-services
set interfaces ge-0/0/1 unit 50 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 50 vlan-id 50

set protocols ldp interface lo0.0

set routing-instances vpn-a instance-type vpls

set routing-instances vpn-a vlan-id 50
set routing-instances vpn-a interface ge-0/0/1.50
set routing-instances vpn-a protocols vpls interface ge-0/0/1.50
set routing-instances vpn-a protocols vpls no-tunnel-services
set routing-instances vpn-a protocols vpls vpls-id 50
set routing-instances vpn-a protocols vpls neighbor 1.1.1.1
set routing-instances vpn-a protocols vpls neighbor 5.5.5.5
set routing-instances vpn-a protocols vpls neighbor 7.7.7.7

R5: 29
6





297 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set interfaces ge-0/0/1 vlan-tagging

set interfaces ge-0/0/1 encapsulation flexible-ethernet-services
set interfaces ge-0/0/1 unit 50 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 50 vlan-id 50

set protocols ldp interface lo0.0

set routing-instances vpn-a instance-type vpls

set routing-instances vpn-a vlan-id 50
set routing-instances vpn-a interface ge-0/0/1.50
set routing-instances vpn-a protocols vpls interface ge-0/0/1.50
set routing-instances vpn-a protocols vpls no-tunnel-services
set routing-instances vpn-a protocols vpls vpls-id 50
set routing-instances vpn-a protocols vpls neighbor 1.1.1.1
set routing-instances vpn-a protocols vpls neighbor 3.3.3.3
set routing-instances vpn-a protocols vpls neighbor 7.7.7.7

R7:

set interfaces ge-0/0/1 unit 50 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 50 vlan-id 50

set routing-instances vpn-a instance-type vpls

set routing-instances vpn-a vlan-id 50
set routing-instances vpn-a interface ge-0/0/1.50
set routing-instances vpn-a protocols vpls interface ge-0/0/1.50

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set routing-instances vpn-a protocols vpls no-tunnel-services
set routing-instances vpn-a protocols vpls vpls-id 50
set routing-instances vpn-a protocols vpls neighbor 1.1.1.1
set routing-instances vpn-a protocols vpls neighbor 3.3.3.3
set routing-instances vpn-a protocols vpls neighbor 5.5.5.5

29
7





298 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

Issuing the following command gives us an overview of all the VPLS connection that have
been able to form:

lab@R1> show vpls connections extensive
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-a
VPLS-id: 50
Number of local interfaces: 1
Number of local interfaces up: 1
ge-0/0/1.50
lsi.1048577 Intf - vpls vpn-a neighbor 3.3.3.3 vpls-id 50
lsi.1048576 Intf - vpls vpn-a neighbor 5.5.5.5 vpls-id 50
lsi.1048578 Intf - vpls vpn-a neighbor 7.7.7.7 vpls-id 50
Neighbor Type St Time last up # Up trans
3.3.3.3(vpls-id 50) rmt Up Mar 13 08:44:03 2016 1
Remote PE: 3.3.3.3, Negotiated control-word: No
Incoming label: 262146, Outgoing label: 262145
Negotiated PW status TLV: No
Local interface: lsi.1048577, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-a neighbor 3.3.3.3 vpls-id 50
Connection History:
Mar 13 08:44:03 2016 status update timer
Mar 13 08:44:03 2016 PE route changed
Mar 13 08:44:03 2016 Out lbl Update 262145
Mar 13 08:44:03 2016 In lbl Update 262146

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

Mar 13 08:44:03 2016 loc intf up lsi.1048577
5.5.5.5(vpls-id 50) rmt Up Mar 13 08:43:58 2016 1
Remote PE: 5.5.5.5, Negotiated control-word: No
Incoming label: 262145, Outgoing label: 262145
Negotiated PW status TLV: No
Local interface: lsi.1048576, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-a neighbor 5.5.5.5 vpls-id 50
Connection History:
Mar 13 08:43:58 2016 status update timer
Mar 13 08:43:58 2016 PE route changed
Mar 13 08:43:58 2016 Out lbl Update 262145
Mar 13 08:43:58 2016 In lbl Update 262145
Mar 13 08:43:58 2016 loc intf up lsi.1048576
7.7.7.7(vpls-id 50) rmt Up Mar 13 08:44:08 2016 1
Remote PE: 7.7.7.7, Negotiated control-word: No
Incoming label: 262147, Outgoing label: 262145
Negotiated PW status TLV: No
Local interface: lsi.1048578, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-a neighbor 7.7.7.7 vpls-id 50 29
8

Connection History:

299 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Mar 13 08:44:08 2016 status update timer

Mar 13 08:44:08 2016 PE route changed
Mar 13 08:44:08 2016 Out lbl Update 262145
Mar 13 08:44:08 2016 In lbl Update 262147
Mar 13 08:44:08 2016 loc intf up lsi.1048578

On the R2 router, we can verify whether or not an OSPF adjacency was able to form across
the configured VPLS by issuing the following command:

lab@R2> show ospf neighbor instance vpn-a

Address Interface State ID Pri Dead
192.168.1.4 ge-0/0/1.50 Full 192.168.1.4 128 32
192.168.1.2 ge-0/0/1.50 Full 192.168.1.2 128 31
192.168.1.3 ge-0/0/1.50 Full 192.168.1.3 128 31

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

29
9





300 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.5: LDP-based VPLS and multihoming

• Configure VPLS ‘vpn-b’ on all PE routers for vlan 60.
• Use interface ge-0/0/1 on all PE routers.
• Use LDP as a signaling protocol.
• One of the locations is multihomed to R5 and R7.
• Make sure that R7 is the backup connection and R5 is the primary connection.

Configuration:

R1:

set interfaces ge-0/0/1 unit 60 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 60 vlan-id 60

set routing-instances vpn-b instance-type vpls

set routing-instances vpn-b vlan-id 60
set routing-instances vpn-b interface ge-0/0/1.60
set routing-instances vpn-b protocols vpls interface ge-0/0/1.60
set routing-instances vpn-b protocols vpls no-tunnel-services
set routing-instances vpn-b protocols vpls vpls-id 60
set routing-instances vpn-b protocols vpls neighbor 5.5.5.5 backup-
neighbor 7.7.7.7
set routing-instances vpn-b protocols vpls neighbor 3.3.3.3

R3:

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set interfaces ge-0/0/1 unit 60 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 60 vlan-id 60

set routing-instances vpn-b instance-type vpls

set routing-instances vpn-b vlan-id 60
set routing-instances vpn-b interface ge-0/0/1.60
set routing-instances vpn-b protocols vpls interface ge-0/0/1.60
set routing-instances vpn-b protocols vpls no-tunnel-services
set routing-instances vpn-b protocols vpls vpls-id 60
set routing-instances vpn-b protocols vpls neighbor 1.1.1.1
set routing-instances vpn-b protocols vpls neighbor 5.5.5.5 backup-
neighbor 7.7.7.7

R5:

30
set interfaces ge-0/0/1 unit 60 encapsulation vlan-vpls 0





301 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set interfaces ge-0/0/1 unit 60 vlan-id 60

set routing-instances vpn-b instance-type vpls

set routing-instances vpn-b vlan-id 60
set routing-instances vpn-b interface ge-0/0/1.60
set routing-instances vpn-b protocols vpls interface ge-0/0/1.60
set routing-instances vpn-b protocols vpls no-tunnel-services
set routing-instances vpn-b protocols vpls vpls-id 60
set routing-instances vpn-b protocols vpls neighbor 1.1.1.1
set routing-instances vpn-b protocols vpls neighbor 3.3.3.3

R7:

set interfaces ge-0/0/1 unit 60 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 60 vlan-id 60

set routing-instances vpn-b instance-type vpls

set routing-instances vpn-b vlan-id 50
set routing-instances vpn-b interface ge-0/0/1.60
set routing-instances vpn-b protocols vpls interface ge-0/0/1.60
set routing-instances vpn-b protocols vpls no-tunnel-services
set routing-instances vpn-b protocols vpls vpls-id 60
set routing-instances vpn-b protocols vpls neighbor 1.1.1.1
set routing-instances vpn-b protocols vpls neighbor 3.3.3.3

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

30
1





302 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

In this scenario, only R1 and R3 are configured to treat R7 as a backup connection to the R5
VPLS connection. On bot R5 and R7, only R1 and R3 are configured as VPLS neighbors:

lab@R1> show vpls connections instance vpn-b
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-b
VPLS-id: 60
Neighbor Type St Time last up # Up trans
3.3.3.3(vpls-id 60) rmt Up Mar 13 08:50:37 2016 1
Remote PE: 3.3.3.3, Negotiated control-word: No
Incoming label: 262149, Outgoing label: 262148
Negotiated PW status TLV: No
Local interface: lsi.1048579, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-b neighbor 3.3.3.3 vpls-id 60
5.5.5.5(vpls-id 60) rmt Up Mar 13 08:50:38 2016 1
Remote PE: 5.5.5.5, Negotiated control-word: No
Incoming label: 262148, Outgoing label: 262148
Negotiated PW status TLV: No
Local interface: lsi.1048580, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-b neighbor 5.5.5.5 vpls-id 60
7.7.7.7(vpls-id 60) rmt BK

The above printout verifies that the VPLS connections towards R3 and R5 are up. The R7
connection is in a backup state.

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

When we move over to the R5 router, we can see that the connections towards both R1 and
R3 are up:

lab@R5> show vpls connections instance vpn-b

Layer-2 VPN connections:

[…skipped…]

Instance: vpn-b
VPLS-id: 60
Neighbor Type St Time last up # Up trans
1.1.1.1(vpls-id 60) rmt Up Mar 13 08:50:38 2016 1
Remote PE: 1.1.1.1, Negotiated control-word: No
Incoming label: 262148, Outgoing label: 262148
Negotiated PW status TLV: No
Local interface: lsi.1048579, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-b neighbor 1.1.1.1 vpls-id 60
3.3.3.3(vpls-id 60) rmt Up Mar 13 08:50:38 2016 1 30
2
Remote PE: 3.3.3.3, Negotiated control-word: No





303 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Incoming label: 262149, Outgoing label: 262149

Negotiated PW status TLV: No
Local interface: lsi.1048580, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-b neighbor 3.3.3.3 vpls-id 60

On the R7 router, for as long as R1 and R3 have a connection with R5, the status is OL (no
outgoing label):

lab@R7> show vpls connections instance vpn-b

Layer-2 VPN connections:

[…skipped…]

Instance: vpn-b
VPLS-id: 60
Neighbor Type St Time last up # Up trans
1.1.1.1(vpls-id 60) rmt OL
3.3.3.3(vpls-id 60) rmt OL

On the R2 router, we can verify that an OSPF adjacency was able to form across the
configured VPLS by issuing the following command:

lab@R2> show ospf neighbor instance vpn-b
Address Interface State ID Pri Dead
192.168.1.2 ge-0/0/1.60 Full 192.168.1.2 128 39
192.168.1.3 ge-0/0/1.60 Full 192.168.1.3 128 34

To verify whether or not the redundancy works, we can temporarily deactivate the routing-
instance on the R5 router:

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

R5:

deactivate routing-instances vpn-b

After this, the configured connection on R7 should come up:

lab@R7> show vpls connections instance vpn-b
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-b
VPLS-id: 60
Neighbor Type St Time last up # Up trans
1.1.1.1(vpls-id 60) rmt Up Mar 13 08:57:54 2016 1
Remote PE: 1.1.1.1, Negotiated control-word: No
Incoming label: 262148, Outgoing label: 262150 30
3

Negotiated PW status TLV: No

304 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Local interface: lsi.1048580, Status: Up, Encapsulation: ETHERNET

Description: Intf - vpls vpn-b neighbor 1.1.1.1 vpls-id 60
3.3.3.3(vpls-id 60) rmt Up Mar 13 08:57:53 2016 1
Remote PE: 3.3.3.3, Negotiated control-word: No
Incoming label: 262149, Outgoing label: 262150
Negotiated PW status TLV: No
Local interface: lsi.1048579, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-b neighbor 3.3.3.3 vpls-id 60

lab@R1> show vpls connections instance vpn-b

Layer-2 VPN connections:

[…skipped…]

Instance: vpn-b
VPLS-id: 60
Neighbor Type St Time last up # Up trans
3.3.3.3(vpls-id 60) rmt Up Mar 13 08:56:40 2016 1
Remote PE: 3.3.3.3, Negotiated control-word: No
Incoming label: 262148, Outgoing label: 262148
Negotiated PW status TLV: No
Local interface: lsi.1048576, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-b neighbor 3.3.3.3 vpls-id 60
7.7.7.7(vpls-id 60) rmt Up Mar 13 08:58:02 2016 1
Remote PE: 7.7.7.7, Negotiated control-word: No
Incoming label: 262150, Outgoing label: 262148
Negotiated PW status TLV: No
Local interface: lsi.1048581, Status: Up, Encapsulation: ETHERNET
Description: Intf - vpls vpn-b neighbor 7.7.7.7 vpls-id 60
5.5.5.5(vpls-id 60) rmt OL

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

The OSPF neighbor relationships across vpn-b changed as well. We can verify this from the
R2 router and compare it to the printouts gathered earlier:

lab@R2> show ospf neighbor instance vpn-b
Address Interface State ID Pri Dead
192.168.1.4 ge-0/0/1.60 Full 192.168.1.4 128 31
192.168.1.2 ge-0/0/1.60 Full 192.168.1.2 128 37

Before moving on, let's restore the VPLS by reactivating the configuration on R5:

R5:

activate routing-instances vpn-b

30
4





305 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.6: Basic BGP signaled VPLS

• Configure VPLS ‘vpn-c’ on all PE routers for VLAN 70.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.

Configuration:

R1:

set interfaces ge-0/0/1 unit 70 encapsulation vlan-vpls

set interfaces ge-0/0/1 unit 70 vlan-id 70

set routing-instances vpn-c instance-type vpls

set routing-instances vpn-c vlan-id 70
set routing-instances vpn-c interface ge-0/0/1.70
set routing-instances vpn-c vrf-target target:65555L:70
set routing-instances vpn-c protocols vpls no-tunnel-services
set routing-instances vpn-c protocols vpls site 1 site-identifier 1
set routing-instances vpn-c protocols vpls site 1 interface ge-
0/0/1.70

R3:

set interfaces ge-0/0/1 unit 70 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 70 vlan-id 70

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set protocols bgp group ibgp family l2vpn signaling

set routing-options route-distinguisher-id 3.3.3.3

set routing-instances vpn-c instance-type vpls

set routing-instances vpn-c vlan-id 70
set routing-instances vpn-c interface ge-0/0/1.70
set routing-instances vpn-c vrf-target target:65555L:70
set routing-instances vpn-c protocols vpls no-tunnel-services
set routing-instances vpn-c protocols vpls site 2 site-identifier 2
set routing-instances vpn-c protocols vpls site 2 interface ge-
0/0/1.70

R5:

set interfaces ge-0/0/1 unit 70 encapsulation vlan-vpls 30
5
set interfaces ge-0/0/1 unit 70 vlan-id 70




306 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set protocols bgp group ibgp family l2vpn signaling

set routing-options route-distinguisher-id 5.5.5.5

set routing-instances vpn-c instance-type vpls

set routing-instances vpn-c vlan-id 70
set routing-instances vpn-c interface ge-0/0/1.70
set routing-instances vpn-c vrf-target target:65555L:70
set routing-instances vpn-c protocols vpls no-tunnel-services
set routing-instances vpn-c protocols vpls site 3 site-identifier 3
set routing-instances vpn-c protocols vpls site 3 interface ge-
0/0/1.70

R7:

set interfaces ge-0/0/1 unit 70 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 70 vlan-id 70

set routing-instances vpn-c instance-type vpls

set routing-instances vpn-c vlan-id 70
set routing-instances vpn-c interface ge-0/0/1.70
set routing-instances vpn-c vrf-target target:65555L:70
set routing-instances vpn-c protocols vpls no-tunnel-services
set routing-instances vpn-c protocols vpls site 4 site-identifier 4
set routing-instances vpn-c protocols vpls site 4 interface ge-

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

0/0/1.70

30
6





307 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

The verification of the VPLS can be done by issuing the following command:

lab@R3> show vpls connections instance vpn-c
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-c
Local site: 2 (2)
connection-site Type St Time last up # Up trans
1 rmt Up Mar 13 09:11:27 2016 1
Remote PE: 1.1.1.1, Negotiated control-word: No
Incoming label: 262401, Outgoing label: 262402
Local interface: lsi.1048581, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-c local site 2 remote site 1
3 rmt Up Mar 13 09:11:31 2016 1
Remote PE: 5.5.5.5, Negotiated control-word: No
Incoming label: 262403, Outgoing label: 262402
Local interface: lsi.1048583, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-c local site 2 remote site 3
4 rmt Up Mar 13 09:11:28 2016 1
Remote PE: 7.7.7.7, Negotiated control-word: No
Incoming label: 262404, Outgoing label: 262402
Local interface: lsi.1048582, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-c local site 2 remote site 4

For troubleshooting purposes, another useful suggestion is to verify the BGP routes
advertised and received for this VPLS. This routing information can be acquired by issuing

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

the following command:

lab@R3> show route advertising-protocol bgp 7.7.7.7 table vpn-c.l2vpn.0 detail

vpn-c.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

* 3.3.3.3:7:2:1/96 (1 entry, 1 announced)
BGP group ibgp type Internal
Route Distinguisher: 3.3.3.3:7
Label-base: 262401, range: 8
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65555] I
Communities: target:65555L:70 Layer2-info: encaps:VPLS, control flags:, mtu:
0, site preference: 100

lab@R3> show route receive-protocol bgp 7.7.7.7 table vpn-c.l2vpn.0 detail

vpn-c.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) 30

7
* 1.1.1.1:6:1:1/96 (1 entry, 1 announced)




308 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Import Accepted
Route Distinguisher: 1.1.1.1:6
Label-base: 262401, range: 8
Nexthop: 1.1.1.1
Localpref: 100
AS path: I (Originator) Cluster list: 0.0.0.1
AS path: Originator ID: 1.1.1.1
Communities: target:65555L:70 Layer2-info: encaps:VPLS, control flags:, mtu:
0, site preference: 100

* 5.5.5.5:6:3:1/96 (1 entry, 1 announced)

Import Accepted
Route Distinguisher: 5.5.5.5:6
Label-base: 262401, range: 8
Nexthop: 5.5.5.5
Localpref: 100
AS path: I (Originator) Cluster list: 0.0.0.1
AS path: Originator ID: 5.5.5.5
Communities: target:65555L:70 Layer2-info: encaps:VPLS, control flags:, mtu:
0, site preference: 100

* 7.7.7.7:6:4:1/96 (1 entry, 1 announced)

Import Accepted
Route Distinguisher: 7.7.7.7:6
Label-base: 262401, range: 8
Nexthop: 7.7.7.7
Localpref: 100
AS path: I
Communities: target:65555L:70 Layer2-info: encaps:VPLS, control flags:, mtu:
0, site preference: 100

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

On the R2 router, we can verify whether or not an OSPF adjacency was able to form across
the configured VPLS by issuing the following command:

lab@R2> show ospf neighbor instance vpn-c
Address Interface State ID Pri Dead
192.168.1.3 ge-0/0/1.70 Full 192.168.1.3 128 35
192.168.1.4 ge-0/0/1.70 Full 192.168.1.4 128 32
192.168.1.2 ge-0/0/1.70 Full 192.168.1.2 128 36

30
8





309 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.7: BGP signaled VPLS with a multihomed site

• Configure VPLS ‘vpn-d’ on all PE routers for VLAN 80.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.
• The site connected to R5 and R7 is multihomed.
• The R5 connection to the VPLS should be the primary connection.

Configuration:

R1:

set interfaces ge-0/0/1 unit 80 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 80 vlan-id 80

set routing-instances vpn-d instance-type vpls

set routing-instances vpn-d vlan-id 80
set routing-instances vpn-d interface ge-0/0/1.80
set routing-instances vpn-d vrf-target target:65555L:80
set routing-instances vpn-d protocols vpls no-tunnel-services
set routing-instances vpn-d protocols vpls site 1 site-identifier 1
set routing-instances vpn-d protocols vpls site 1 interface ge-
0/0/1.80

R3:

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set interfaces ge-0/0/1 unit 80 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 80 vlan-id 80

set routing-instances vpn-d instance-type vpls

set routing-instances vpn-d vlan-id 80
set routing-instances vpn-d interface ge-0/0/1.80
set routing-instances vpn-d vrf-target target:65555L:80
set routing-instances vpn-d protocols vpls no-tunnel-services
set routing-instances vpn-d protocols vpls site 2 site-identifier 2
set routing-instances vpn-d protocols vpls site 2 interface ge-
0/0/1.80

R5:

set interfaces ge-0/0/1 unit 80 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 80 vlan-id 80
30
9





310 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set routing-instances vpn-d instance-type vpls

set routing-instances vpn-d vlan-id 80
set routing-instances vpn-d interface ge-0/0/1.80
set routing-instances vpn-d vrf-target target:65555L:80
set routing-instances vpn-d protocols vpls no-tunnel-services
set routing-instances vpn-d protocols vpls site 3 site-identifier 3
set routing-instances vpn-d protocols vpls site 3 multi-homing
set routing-instances vpn-d protocols vpls site 3 site-preference
primary
set routing-instances vpn-d protocols vpls site 3 interface ge-
0/0/1.80

R7:

set interfaces ge-0/0/1 unit 80 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 80 vlan-id 80

set routing-instances vpn-d instance-type vpls

set routing-instances vpn-d vlan-id 80
set routing-instances vpn-d interface ge-0/0/1.80
set routing-instances vpn-d vrf-target target:65555L:80
set routing-instances vpn-d protocols vpls no-tunnel-services
set routing-instances vpn-d protocols vpls site 3 site-identifier 3
set routing-instances vpn-d protocols vpls site 3 multi-homing
set routing-instances vpn-d protocols vpls site 3 site-preference
backup

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set routing-instances vpn-d protocols vpls site 3 interface ge-
0/0/1.80

31
0





311 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

We can verify the status of the VPLS connection on R1 by issuing the following command:

lab@R1> show vpls connections instance vpn-d

[…skipped…]

Instance: vpn-d
Local site: 1 (1)
connection-site Type St Time last up # Up trans
2 rmt Up Mar 13 09:30:09 2016 1
Remote PE: 3.3.3.3, Negotiated control-word: No
Incoming label: 262410, Outgoing label: 262409
Local interface: lsi.1048584, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-d local site 1 remote site 2
3 rmt Up Mar 13 09:30:13 2016 1
Remote PE: 5.5.5.5, Negotiated control-word: No
Incoming label: 262411, Outgoing label: 262409
Local interface: lsi.1048585, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-d local site 1 remote site 3

As we can see from the R1 router, connections to the other sites of the VPLS are up. The
primary PE for site 3, R5, is currently handling traffic for that site. By examining the BGP
routing information, we can discover how this works:

lab@R1> show route table vpn-d.l2vpn.0 detail

vpn-d.l2vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

1.1.1.1:7:1:1/96 (1 entry, 1 announced)
*L2VPN Preference: 170/-101
Next hop type: Indirect
Address: 0x155c2bc
Next-hop reference count: 6
Protocol next hop: 1.1.1.1
Indirect next hop: 0 -
State: <Active Int Ext>
Age: 12:50 Metric2: 1
Task: vpn-d-l2vpn
Announcement bits (1): 1-BGP_RT_Background
AS path: I
Communities: Layer2-info: encaps:VPLS, control flags:, mtu: 0,
site preference: 100
Label-base: 262409, range: 8, status-vector: 0x1F

3.3.3.3:8:2:1/96 (1 entry, 1 announced)

*BGP Preference: 170/-101
Route Distinguisher: 3.3.3.3:8 31
Next hop type: Indirect 1





312 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Address: 0x155dbac
Next-hop reference count: 10
Source: 7.7.7.7
Protocol next hop: 3.3.3.3
Indirect next hop: 2 no-forward
State: <Secondary Active Int Ext>
Local AS: 65555 Peer AS: 65555
Age: 2:32 Metric2: 1
Task: BGP_65555.7.7.7.7+59397
Announcement bits (1): 0-vpn-d-l2vpn
AS path: I (Originator)
Cluster list: 0.0.0.1
Originator ID: 3.3.3.3
Communities: target:65555L:80 Layer2-info: encaps:VPLS, control
flags:, mtu: 0, site preference: 100
Import Accepted
Label-base: 262409, range: 8
Localpref: 100
Router ID: 7.7.7.7
Primary Routing Table bgp.l2vpn.0

5.5.5.5:7:3:1/96 (1 entry, 1 announced)

*BGP Preference: 170/-65536
Route Distinguisher: 5.5.5.5:7
Next hop type: Indirect
Address: 0x155de58
Next-hop reference count: 10
Source: 7.7.7.7
Protocol next hop: 5.5.5.5
Indirect next hop: 2 no-forward
State: <Secondary Active Int Ext>

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

Local AS: 65555 Peer AS: 65555
Age: 2:28 Metric2: 1
Task: BGP_65555.7.7.7.7+59397
Announcement bits (1): 0-vpn-d-l2vpn
AS path: I (Originator)
Cluster list: 0.0.0.1
Originator ID: 5.5.5.5
Communities: target:65555L:80 Layer2-info: encaps:VPLS, control
flags:, mtu: 0, site preference: 65535
Import Accepted
Label-base: 262409, range: 8
Localpref: 65535
Router ID: 7.7.7.7
Primary Routing Table bgp.l2vpn.0

7.7.7.7:7:3:1/96 (1 entry, 1 announced)

*BGP Preference: 170/-2
Route Distinguisher: 7.7.7.7:7
Next hop type: Indirect 31
2

Address: 0x155d738

313 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Next-hop reference count: 13

Source: 7.7.7.7
Protocol next hop: 7.7.7.7
Indirect next hop: 2 no-forward
State: <Secondary Active Int Ext>
Local AS: 65555 Peer AS: 65555
Age: 2:20 Metric2: 1
Task: BGP_65555.7.7.7.7+59397
Announcement bits (1): 0-vpn-d-l2vpn
AS path: I
Communities: target:65555L:80 Layer2-info: encaps:VPLS, control
flags:, mtu: 0, site preference: 1
Import Accepted
Label-base: 262409, range: 8
Localpref: 1
Router ID: 7.7.7.7
Primary Routing Table bgp.l2vpn.0

The route generated by R7 has a lower local preference and a lower site preference. As long
as the R5 router remains active for this VPLS connection, the R7 router will display the
following VPLS connection status:

lab@R7> show vpls connections instance vpn-d
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-d
Local site: 3 (3)
connection-site Type St Time last up # Up trans

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

1 rmt LN
2 rmt LN
3 rmt LN


On the R2 router, we can verify whether or not an OSPF adjacency was able to form across
the configured VPLS by issuing the following command:

lab@R2> show ospf neighbor instance vpn-d
Address Interface State ID Pri Dead
192.168.1.3 ge-0/0/1.80 Full 192.168.1.3 128 32
192.168.1.2 ge-0/0/1.80 Full 192.168.1.2 128 35

To verify the redundancy, we can temporarily deactivate the routing-instance on R5:

R5:
31
3

deactivate routing-instances vpn-d

314 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

On R1, we should see the VPLS connection to site 3 form with R7:

lab@R1> show vpls connections instance vpn-d
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-d
Local site: 1 (1)
connection-site Type St Time last up # Up trans
2 rmt Up Mar 13 09:30:09 2016 1
Remote PE: 3.3.3.3, Negotiated control-word: No
Incoming label: 262410, Outgoing label: 262409
Local interface: lsi.1048584, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-d local site 1 remote site 2
3 rmt Up Mar 13 09:30:13 2016 1
Remote PE: 7.7.7.7, Negotiated control-word: No
Incoming label: 262411, Outgoing label: 262409
Local interface: lsi.1048585, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-d local site 1 remote site 3

On R7, the connection towards the other PE routers will be in the status up:

lab@R7> show vpls connections instance vpn-d | no-more
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-d

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

Local site: 3 (3)
connection-site Type St Time last up # Up trans
1 rmt Up Mar 13 09:35:45 2016 1
Remote PE: 1.1.1.1, Negotiated control-word: No
Incoming label: 262409, Outgoing label: 262411
Local interface: lsi.1048582, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-d local site 3 remote site 1
2 rmt Up Mar 13 09:35:45 2016 1
Remote PE: 3.3.3.3, Negotiated control-word: No
Incoming label: 262410, Outgoing label: 262411
Local interface: lsi.1048583, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-d local site 3 remote site 2

Before moving on, we active the routing instance on R5 again.

R5:

activate routing-instances vpn-d 31
4





315 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.8: BGP signaled VPLS features

• Configure VPLS ‘vpn-e’ on all PE routers for VLAN 90.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.
• Make sure that all BUM traffic is subjected to a 10K policer.
• Configure the lowest MAC limit possible on all sites except for the site connected to
R7. There, the MAC limit should be 100.
• If a MAC limit is crossed anywhere, the packet should be dropped.

Configuration:

R1:

set interfaces ge-0/0/1 unit 90 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 90 vlan-id 90

set firewall family vpls filter BUM-LIMIT term 1 then policer BUM
set firewall family vpls filter BUM-LIMIT term 1 then accept
set firewall policer BUM if-exceeding bandwidth-limit 32k
set firewall policer BUM if-exceeding burst-size-limit 15k
set firewall policer BUM then discard

set routing-instances vpn-e instance-type vpls

set routing-instances vpn-e vlan-id 90
set routing-instances vpn-e interface ge-0/0/1.90

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set routing-instances vpn-e vrf-target target:65555L:90
set routing-instances vpn-e forwarding-options family vpls flood
input BUM-LIMIT
set routing-instances vpn-e protocols vpls mac-table-size 16
set routing-instances vpn-e protocols vpls mac-table-size packet-
action drop
set routing-instances vpn-e protocols vpls no-tunnel-services
set routing-instances vpn-e protocols vpls site 1 site-identifier 1
set routing-instances vpn-e protocols vpls site 1 interface ge-
0/0/1.90

R3:

set interfaces ge-0/0/1 unit 90 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 90 vlan-id 90
31
set firewall family vpls filter BUM-LIMIT term 1 then policer BUM 5





316 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set firewall family vpls filter BUM-LIMIT term 1 then accept

set firewall policer BUM if-exceeding bandwidth-limit 32k
set firewall policer BUM if-exceeding burst-size-limit 15k
set firewall policer BUM then discard

set routing-instances vpn-e instance-type vpls

set routing-instances vpn-e vlan-id 90
set routing-instances vpn-e interface ge-0/0/1.90
set routing-instances vpn-e vrf-target target:65555L:90
set routing-instances vpn-e forwarding-options family vpls flood
input BUM-LIMIT
set routing-instances vpn-e protocols vpls mac-table-size 16
set routing-instances vpn-e protocols vpls mac-table-size packet-
action drop
set routing-instances vpn-e protocols vpls no-tunnel-services
set routing-instances vpn-e protocols vpls site 2 site-identifier 2
set routing-instances vpn-e protocols vpls site 2 interface ge-
0/0/1.90

R5:

set interfaces ge-0/0/1 unit 90 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 90 vlan-id 90

set firewall family vpls filter BUM-LIMIT term 1 then policer BUM
set firewall family vpls filter BUM-LIMIT term 1 then accept

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set firewall policer BUM if-exceeding bandwidth-limit 32k
set firewall policer BUM if-exceeding burst-size-limit 15k
set firewall policer BUM then discard

set routing-instances vpn-e instance-type vpls

set routing-instances
set routing-instances
set routing-instances
set routing-instances
input BUM-LIMIT
set routing-instances
set routing-instances
action drop
set routing-instances
set routing-instances
set routing-instances
0/0/1.90
vpn-e vlan-id 90
vpn-e interface ge-0/0/1.90
vpn-e vrf-target target:65555L:90
vpn-e forwarding-options family vpls flood
vpn-e protocols vpls mac-table-size 16
vpn-e protocols vpls mac-table-size packet-
vpn-e protocols vpls no-tunnel-services
vpn-e protocols vpls site 3 site-identifier 3
vpn-e protocols vpls site 3 interface ge- 31
6
317 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

R7:

set interfaces ge-0/0/1 unit 90 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 90 vlan-id 90

set firewall family vpls filter BUM-LIMIT term 1 then policer BUM
set firewall family vpls filter BUM-LIMIT term 1 then accept
set firewall policer BUM if-exceeding bandwidth-limit 32k
set firewall policer BUM if-exceeding burst-size-limit 15k
set firewall policer BUM then discard

set routing-instances vpn-e instance-type vpls

set routing-instances
set routing-instances
set routing-instances
set routing-instances
input BUM-LIMIT
set routing-instances
set routing-instances
action drop
set routing-instances
set routing-instances
set routing-instances
0/0/1.90
vpn-e vlan-id 90
vpn-e interface ge-0/0/1.90
vpn-e vrf-target target:65555L:90
vpn-e forwarding-options family vpls flood
vpn-e protocols vpls mac-table-size 100
vpn-e protocols vpls mac-table-size packet-
vpn-e protocols vpls no-tunnel-services
vpn-e protocols vpls site 4 site-identifier 4
vpn-e protocols vpls site 4 interface ge-

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

31
7





318 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

First, we check the R1 router to see if the VPLS connections towards the other PE routers are
up:

lab@R1> show vpls connections instance vpn-e

Layer-2 VPN connections:

[…skipped…]

Instance: vpn-e
Local site: 1 (1)
connection-site Type St Time last up # Up trans
2 rmt Up Mar 13 09:39:03 2016 1
Remote PE: 3.3.3.3, Negotiated control-word: No
Incoming label: 262418, Outgoing label: 262417
Local interface: lsi.1048586, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-e local site 1 remote site 2
3 rmt Up Mar 13 09:39:09 2016 1
Remote PE: 5.5.5.5, Negotiated control-word: No
Incoming label: 262419, Outgoing label: 262425
Local interface: lsi.1048587, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-e local site 1 remote site 3
4 rmt Up Mar 13 09:39:20 2016 1
Remote PE: 7.7.7.7, Negotiated control-word: No
Incoming label: 262420, Outgoing label: 262417
Local interface: lsi.1048588, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-e local site 1 remote site 4

On the R2 router, we can verify whether or not an OSPF adjacency was able to form across

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

the configured VPLS by issuing the following command:

lab@R2> show ospf neighbor instance vpn-e

Address Interface State ID Pri Dead
192.168.1.4 ge-0/0/1.90 Full 192.168.1.4 128 39
192.168.1.3 ge-0/0/1.90 Full 192.168.1.3 128 31
192.168.1.2 ge-0/0/1.90 Full 192.168.1.2 128 38

A quick way to verify that a configured firewall filter is matching any packets can be to
configure a counter for it:

R1:

set firewall family vpls filter BUM-LIMIT term 1 then count bum

Since we are running OSPF across this VPLS, and since OSPF uses a multicast address, we
should be able to observe the following after a brief period of time: 31
8





319 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R1> show firewall

Filter: __default_bpdu_filter__

Filter: BUM-LIMIT
Counters:
Name Bytes Packets
bum 3074 29
Policers:
Name Bytes Packets
BUM-1 0

Before moving on, we remove the counter from R1:

R1:

delete firewall family vpls filter BUM-LIMIT term 1 then count bum

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

31
9





320 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.9: BGP signaled VPLS and VLAN normalization

• Configure VPLS ‘vpn-f’ on R1 and on R5.
• Use interface ge-0/0/2 on all PE routers.
• Use BGP as a signaling protocol.
• On R1, the customer is using VLAN 513.
• On R5, the customer is using VLAN 514.
• Normalize the VLAN through routing-instance configuration.

Configuration:

R1:

set interfaces ge-0/0/2 flexible-vlan-tagging

set interfaces ge-0/0/2 encapsulation vlan-vpls
set interfaces ge-0/0/2 unit 512 encapsulation vlan-vpls
set interfaces ge-0/0/2 unit 512 vlan-id 513

set routing-instances vpn-f instance-type vpls

set routing-instances vpn-f vlan-id 512
set routing-instances vpn-f interface ge-0/0/2.512
set routing-instances vpn-f vrf-target target:65555L:512
set routing-instances vpn-f protocols vpls no-tunnel-services
set routing-instances vpn-f protocols vpls site 1 site-identifier 1
set routing-instances vpn-f protocols vpls site 1 interface ge-
0/0/2.512

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

R5:

set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 encapsulation vlan-vpls
set interfaces ge-0/0/2 unit 512 encapsulation vlan-vpls
set interfaces ge-0/0/2 unit 512 vlan-id 512

set routing-instances vpn-f instance-type vpls

set routing-instances vpn-f vlan-id 512
set routing-instances vpn-f interface ge-0/0/2.512
set routing-instances vpn-f vrf-target target:65555L:512
set routing-instances vpn-f protocols vpls no-tunnel-services
set routing-instances vpn-f protocols vpls site 3 site-identifier 3
set routing-instances vpn-f protocols vpls site 3 interface ge-
0/0/2.512 32
0






321 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

As mentioned previously, when normalizing the VLAN through routing-instance
configuration, traffic is not able to transit the VPLS on the hardware used in this lab. The
configuration supplied here will work on an MX router.

To verify VLAN normalization through routing-instance configuration, we could check the
‘show interfaces’ command. The interface locally involved with the VPLS should list
something like this:

Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.600 ] In(swap .512) Out(swap .600)
Encapsulation: VLAN-VPLS

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

32
1





322 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.10: BGP signaled VPLS and VLAN normalization

• Configure VPLS ‘vpn-g’ on R1 and R5.
• Use interface ge-0/0/2 on all PE routers.
• Use BGP as a signaling protocol.
• On R1, the customer is using VLAN 700.
• On R5, the customer is using VLAN 600.
• Normalize the VLAN to 520 through interface configuration.

Configuration:

R1:

set interfaces ge-0/0/2 unit 520 encapsulation vlan-vpls
set interfaces ge-0/0/2 unit 520 vlan-id 700
set interfaces ge-0/0/2 unit 520 input-vlan-map swap
set interfaces ge-0/0/2 unit 520 input-vlan-map vlan-id 520
set interfaces ge-0/0/2 unit 520 output-vlan-map swap

set routing-instances vpn-g instance-type vpls

set routing-instances vpn-g interface ge-0/0/2.520
set routing-instances vpn-g vrf-target target:65555L:520
set routing-instances vpn-g protocols vpls no-tunnel-services
set routing-instances vpn-g protocols vpls site 1 site-identifier 1
set routing-instances vpn-g protocols vpls site 1 interface ge-
0/0/2.520

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

R5:

set interfaces ge-0/0/2 unit 520 encapsulation vlan-vpls
set interfaces ge-0/0/2 unit 520 vlan-id 600
set interfaces ge-0/0/2 unit 520 input-vlan-map swap
set interfaces ge-0/0/2 unit 520 input-vlan-map vlan-id 520
set interfaces ge-0/0/2 unit 520 output-vlan-map swap

set routing-instances vpn-g instance-type vpls

set routing-instances vpn-g interface ge-0/0/2.520
set routing-instances vpn-g vrf-target target:65555L:520
set routing-instances vpn-g protocols vpls no-tunnel-services
set routing-instances vpn-g protocols vpls site 3 site-identifier 3
set routing-instances vpn-g protocols vpls site 3 interface ge-
0/0/2.520
32
2





323 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

First, we verify whether or not the VPLS connection is up:

lab@R1> show vpls connections instance vpn-g
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-g
Local site: 1 (1)
connection-site Type St Time last up # Up trans
3 rmt Up Mar 13 10:00:50 2016 1
Remote PE: 5.5.5.5, Negotiated control-word: No
Incoming label: 262435, Outgoing label: 262441
Local interface: lsi.1048590, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-g local site 1 remote site 3

After that, we verify what rewrite rules are applied to the interfaces by issuing the following
command:

lab@R1> show interfaces ge-0/0/2.520

Logical interface ge-0/0/2.520 (Index 113) (SNMP ifIndex 757)
Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.700 ] In(swap .520) Out(swap .700)
Encapsulation: VLAN-VPLS
Input packets : 22
Output packets: 18
Security: Zone: Null
Protocol vpls, MTU: 1522

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

Flags: Is-Primary

Incoming packets are swapped to VLAN 520 and outgoing packets are swapped to VLAN 700.
On the R5 router, we can observe the following

lab@R5> show interfaces ge-0/0/2.520
Logical interface ge-0/0/2.520 (Index 127) (SNMP ifIndex 791)
Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.600 ] In(swap .520) Out(swap .600)
Encapsulation: VLAN-VPLS
Input packets : 21
Output packets: 24
Security: Zone: Null
Protocol vpls, MTU: 1522
Flags: Is-Primary


Here, the incoming packets are swapped to VLAN 520 and the outgoing packets are swapped
to VLAN 600. 32
3






324 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

On the R2 router, we can verify whether or not an OSPF adjacency was able to form across
the configured VPLS by issuing the following command:

lab@R2> show ospf neighbor instance vpn-g
Address Interface State ID Pri Dead
192.168.1.4 ge-0/0/2.700 Full 192.168.1.4 128 39

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

32
4





325 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.11: BGP signaled VPLS feature

• Configure an additional interface in 'vpn-g' on R1.
• On R1, use interface ge-0/0/1 and VLAN 520.
• Make sure that only the newly configured interface is active.

Configuration:

R1:

set interfaces ge-0/0/1 unit 520 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 520 vlan-id 520

set routing-instances vpn-g interface ge-0/0/1.520

set routing-instances vpn-g protocols vpls site 1 active-interface
primary ge-0/0/1.520
set routing-instances vpn-g protocols vpls site 1 interface ge-
0/0/1.520

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

32
5





326 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

R6:

lab@R6> show ospf neighbor instance vpn-g

Address Interface State ID Pri Dead
192.168.1.11 ge-0/0/2.600 Full 192.168.1.1 255 30

R1:

lab@R1> show vpls connections instance vpn-g extensive

Layer-2 VPN connections:

[…skipped…]

Instance: vpn-g
Local site: 1 (1)
Number of local interfaces: 2
Number of local interfaces up: 2
IRB interface present: no
ge-0/0/2.520
Interface flags: VC-Down
ge-0/0/1.520
lsi.1048602 3 Intf - vpls vpn-g local site 1 remote site 3
Label-base Offset Size Range Preference
262473 1 8 8 100
connection-site Type St Time last up # Up trans
3 rmt Up Mar 13 10:31:57 2016 1
Remote PE: 5.5.5.5, Negotiated control-word: No

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

Incoming label: 262475, Outgoing label: 262489
Local interface: lsi.1048602, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-g local site 1 remote site 3
Connection History:
Mar 13 10:31:57 2016 status update timer
Mar 13 10:31:57 2016 loc intf up lsi.1048602
Mar 13 10:31:57 2016 PE route changed
Mar 13 10:31:57 2016 Out lbl Update 262489
Mar 13 10:31:57 2016 In lbl Update 262475
Mar 13 10:31:57 2016 loc intf down

Since the ge-0/0/1.520 interface was configured as the active interface, the ge-0/0/2.520
interface is reported as ‘VC-Down’. The ‘ge-0/0/2.520’ interface will be made active as soon
as the ‘ge-0/0/1’ interface goes down.

32
6





327 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.12: Stitching together an L2VPN and a VPLS

• Configure VPLS ‘vpn-h’ on R1, R3 and R5.
• Use interface ge-0/0/1 on all PE routers.
• Use BGP as a signaling protocol.
• Also configure a BGP based L2VPN, ‘vpn-h-stitched-l2vpn’ between R5 and R7.
• Stitch these Layer 2 VPNs together into a single layer 2 broadcast domain.

Configuration:

R1:

set interfaces ge-0/0/1 unit 100 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 100 vlan-id 100

set routing-instances vpn-h instance-type vpls

set routing-instances vpn-h vlan-id 100
set routing-instances vpn-h interface ge-0/0/1.100
set routing-instances vpn-h vrf-target target:65555L:100
set routing-instances vpn-h protocols vpls no-tunnel-services
set routing-instances vpn-h protocols vpls site 1 site-identifier 1
set routing-instances vpn-h protocols vpls site 1 interface ge-
0/0/1.100

R3:

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set interfaces ge-0/0/1 unit 100 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 100 vlan-id 100

set routing-instances vpn-h instance-type vpls

set routing-instances vpn-h vlan-id 100
set routing-instances vpn-h interface ge-0/0/1.100
set routing-instances vpn-h vrf-target target:65555L:100
set routing-instances vpn-h protocols vpls no-tunnel-services
set routing-instances vpn-h protocols vpls site 2 site-identifier 2
set routing-instances vpn-h protocols vpls site 2 interface ge-
0/0/1.100

32
7





328 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

R5:

set interfaces ge-0/0/1 unit 100 encapsulation vlan-vpls
set interfaces ge-0/0/1 unit 100 vlan-id 100

set interfaces lt-0/0/0 unit 0 encapsulation vlan-ccc

set interfaces lt-0/0/0 unit 0 vlan-id 100
set interfaces lt-0/0/0 unit 0 peer-unit 1

set interfaces lt-0/0/0 unit 1 encapsulation vlan-vpls

set interfaces lt-0/0/0 unit 1 vlan-id 100
set interfaces lt-0/0/0 unit 1 peer-unit 0

set routing-instances vpn-h instance-type vpls

set routing-instances vpn-h vlan-id 100
set routing-instances vpn-h interface lt-0/0/0.1
set routing-instances vpn-h interface ge-0/0/1.100
set routing-instances vpn-h vrf-target target:65555L:100
set routing-instances vpn-h protocols vpls no-tunnel-services
set routing-instances vpn-h protocols vpls site 3 site-identifier 3
set routing-instances vpn-h protocols vpls site 3 interface ge-
0/0/1.100
set routing-instances vpn-h protocols vpls site 3 interface lt-
0/0/0.1

set routing-instances vpn-h-stitched-l2vpn instance-type l2vpn

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

set routing-instances vpn-h-stitched-l2vpn interface lt-0/0/0.0
set routing-instances vpn-h-stitched-l2vpn vrf-target
target:65555L:1001
set routing-instances vpn-h-stitched-l2vpn protocols l2vpn
encapsulation-type ethernet-vlan
set routing-instances vpn-h-stitched-l2vpn protocols l2vpn site 1
site-identifier 1
set routing-instances vpn-h-stitched-l2vpn protocols l2vpn site 1
interface lt-0/0/0.0

32
8





329 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

R7:

set interfaces ge-0/0/1 unit 100 encapsulation vlan-ccc
set interfaces ge-0/0/1 unit 100 vlan-id 100

set routing-instances vpn-h-stitched-l2vpn instance-type l2vpn

set routing-instances vpn-h-stitched-l2vpn interface ge-0/0/1.100
set routing-instances vpn-h-stitched-l2vpn vrf-target
target:65555L:1001
set routing-instances vpn-h-stitched-l2vpn protocols l2vpn
encapsulation-type ethernet-vlan
set routing-instances vpn-h-stitched-l2vpn protocols l2vpn site 2
site-identifier 2
set routing-instances vpn-h-stitched-l2vpn protocols l2vpn site 2
interface ge-0/0/1.100

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

32
9





330 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

We verify the solution from R5 since this router is involved with the VPLS and with the
L2VPN. First, we check the VPLS connections:

lab@R5> show vpls connections instance vpn-h extensive
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-h
Local site: 3 (3)
Number of local interfaces: 2
Number of local interfaces up: 2
IRB interface present: no
ge-0/0/1.100
lt-0/0/0.1
lsi.1048608 1 Intf - vpls vpn-h local site 3 remote site 1
lsi.1048609 2 Intf - vpls vpn-h local site 3 remote site 2
Label-base Offset Size Range Preference
262497 1 8 8 100
connection-site Type St Time last up # Up trans
1 rmt Up Mar 13 10:41:05 2016 1
Remote PE: 1.1.1.1, Negotiated control-word: No
Incoming label: 262497, Outgoing label: 262483
Local interface: lsi.1048608, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-h local site 3 remote site 1
Connection History:
Mar 13 10:41:05 2016 status update timer
Mar 13 10:41:05 2016 loc intf up lsi.1048608

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

Mar 13 10:41:05 2016 PE route changed
Mar 13 10:41:05 2016 Out lbl Update 262483
Mar 13 10:41:05 2016 In lbl Update 262497
Mar 13 10:41:05 2016 loc intf down
2 rmt Up Mar 13 10:41:05 2016 1
Remote PE: 3.3.3.3, Negotiated control-word: No
Incoming label: 262498, Outgoing label: 262427
Local interface: lsi.1048609, Status: Up, Encapsulation: VPLS
Description: Intf - vpls vpn-h local site 3 remote site 2
Connection History:
Mar 13 10:41:05 2016 status update timer
Mar 13 10:41:05 2016 loc intf up lsi.1048609
Mar 13 10:41:05 2016 PE route changed
Mar 13 10:41:05 2016 Out lbl Update 262427
Mar 13 10:41:05 2016 In lbl Update 262498
Mar 13 10:41:05 2016 loc intf down

From the previous output, we can see that the R5 router has an active VPLS connection
towards R3 and R1. We can also see that two local interfaces are participating in this VPLS. 33
0
These are interfaces ge-0/0/1.100 and lt-0/0/0.1.




331 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

The ge-0/0/1.100 interface is used to connect the CPE to the VPLS. The lt-0/0/0.1 interface is
used to connect the L2VPN into this VPLS. This is done by peering the interface with
interface lt-0/0/0.0 and by placing that interface into an L2VPN.
We can verify the status of the L2VPN by issuing the following command:

lab@R5> show l2vpn connections instance vpn-h-stitched-l2vpn extensive

Layer-2 VPN connections:

[…skipped…]

Instance: vpn-h-stitched-l2vpn
Local site: 1 (1)
Number of local interfaces: 1
Number of local interfaces up: 1
lt-0/0/0.0 2
Label-base Offset Size Range Preference
800000 1 2 2 100
status-vector: 0
connection-site Type St Time last up # Up trans
2 rmt Up Mar 13 10:54:57 2016 1
Remote PE: 7.7.7.7, Negotiated control-word: Yes (Null)
Incoming label: 800001, Outgoing label: 800002
Local interface: lt-0/0/0.0, Status: Up, Encapsulation: VLAN
Connection History:
Mar 13 10:54:57 2016 status update timer
Mar 13 10:54:57 2016 PE route changed
Mar 13 10:54:57 2016 Out lbl Update 800002
Mar 13 10:54:57 2016 In lbl Update 800001
Mar 13 10:54:57 2016 loc intf up lt-0/0/0.0

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

The printout above tells us that the L2VPN connection between R5 and R7 is up. We can also
see that the only active interface for the L2VPN is the lt-0/0/0.0 interface. On R7, we can
observe the following:

lab@R7> show l2vpn connections instance vpn-h-stitched-l2vpn
Layer-2 VPN connections:

[…skipped…]

Instance: vpn-h-stitched-l2vpn
Local site: 2 (2)
connection-site Type St Time last up # Up trans
1 rmt Up Mar 13 10:54:41 2016 1
Remote PE: 5.5.5.5, Negotiated control-word: Yes (Null)
Incoming label: 800002, Outgoing label: 800001
Local interface: ge-0/0/1.100, Status: Up, Encapsulation: VLAN

What we did was create a VPLS on R1, R3 and R5. On R5, we placed two interfaces in the 33
1
VPLS. One CE facing interface and one tunnel interface. The tunnel interface was peered




332 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

with another tunnel interface that was then placed inside an L2VPN. The L2VPN connection
was setup towards R7.

We can verify that there is layer 2 connectivity between all CPE routers by issuing the
following command on R2:


lab@R2> show ospf neighbor instance vpn-h
Address Interface State ID Pri Dead
192.168.1.4 ge-0/0/1.100 Full 192.168.1.4 128 31
192.168.1.2 ge-0/0/1.100 Full 192.168.1.2 128 33
192.168.1.3 ge-0/0/1.100 Full 192.168.1.3 128 35

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

33
2





333 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 6.13: VPLS and BUM replication with P2MP LSP

• Make sure that the R5 PE distributes BUM traffic towards the other PE routers for
‘vpn-h’.
• Do this by using an RSVP-signaled P2MP tunnel.

Configuration:

R1:

set protocols rsvp interface ge-0/0/4.31
set protocols rsvp interface ge-0/0/4.71
set protocols ospf traffic-engineering

R3:

set protocols rsvp interface ge-0/0/4.31
set protocols rsvp interface ge-0/0/4.35
set protocols ospf traffic-engineering

R5:

set protocols rsvp interface ge-0/0/4.35
set protocols rsvp interface ge-0/0/4.75
set protocols ospf traffic-engineering
set routing-instances vpn-h provider-tunnel rsvp-te label-switched-
path-template default-template

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

R7:

set protocols rsvp interface ge-0/0/4.71
set protocols rsvp interface ge-0/0/4.75
set protocols ospf traffic-engineering

33
3





334 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

The RSVP signaled point-to-multipoint tunnel needs no explicit configuration under the [
protocols mpls stanza ]. Activating the routers for RSVP and specifying the provider-tunnel
rsvp-te label-switched-path-template default-template for the routing-instance is
enough.

lab@R5> show mpls lsp extensive
Ingress LSP: 2 sessions

1.1.1.1
From: 5.5.5.5, State: Up, ActiveRoute: 0, LSPname: 1.1.1.1:5.5.5.5:11:vpls:vpn-h
ActivePath: (primary)
P2MP name: 5.5.5.5:11:vpls:vpn-h
PathDomain: Inter-domain
LSPtype: Dynamic Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 2)
10.0.75.7 S 10.0.71.1 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
10.0.75.7 10.0.71.1
5 Mar 13 11:34:30.223 Selected as active path
4 Mar 13 11:34:30.217 Record Route: 10.0.75.7 10.0.71.1
3 Mar 13 11:34:30.217 Up

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

2 Mar 13 11:34:30.198 Originate Call
1 Mar 13 11:34:30.198 CSPF: computation result accepted 10.0.75.7 10.0.71.1
Created: Sun Mar 13 11:32:03 2016

3.3.3.3
From: 5.5.5.5, State: Up, ActiveRoute: 0, LSPname: 3.3.3.3:5.5.5.5:11:vpls:vpn-h
ActivePath: (primary)
P2MP name: 5.5.5.5:11:vpls:vpn-h
PathDomain: Inter-domain
LSPtype: Dynamic Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 1)
10.0.35.3 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
33
10.0.35.3
4
5 Mar 13 11:34:30.205 Selected as active path




335 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

4 Mar 13 11:34:30.205 Record Route: 10.0.35.3

3 Mar 13 11:34:30.205 Up
2 Mar 13 11:34:30.198 Originate Call
1 Mar 13 11:34:30.198 CSPF: computation result accepted 10.0.35.3
Created: Sun Mar 13 11:32:03 2016
Total 2 displayed, Up 2, Down 0

Egress LSP: 0 sessions

Total 0 displayed, Up 0, Down 0

Transit LSP: 0 sessions

Total 0 displayed, Up 0, Down 0

lab@R5> show rsvp session extensive

Ingress RSVP: 2 sessions

3.3.3.3
From: 5.5.5.5, LSPstate: Up, ActiveRoute: 0
LSPname: 3.3.3.3:5.5.5.5:11:vpls:vpn-h, LSPpath: Primary
LSPtype: Dynamic Configured
P2MP LSPname: 5.5.5.5:11:vpls:vpn-h, Re-merge: None
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 262427
Resv style: 1 SE, Label in: -, Label out: 262427
Time left: -, Since: Sun Mar 13 11:34:30 2016
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
Port number: sender 1 receiver 22905 protocol 0
PATH rcvfrom: localclient
Adspec: sent MTU 1500
Path MTU: received 1500
PATH sentto: 10.0.35.3 (ge-0/0/4.35) 3 pkts

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

RESV rcvfrom: 10.0.35.3 (ge-0/0/4.35) 3 pkts
Explct route: 10.0.35.3
Record route: <self> 10.0.35.3

1.1.1.1
From: 5.5.5.5, LSPstate: Up, ActiveRoute: 0
LSPname: 1.1.1.1:5.5.5.5:11:vpls:vpn-h, LSPpath: Primary
LSPtype: Dynamic Configured
P2MP LSPname: 5.5.5.5:11:vpls:vpn-h, Re-merge: None
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 299840
Resv style: 1 SE, Label in: -, Label out: 299840
Time left: -, Since: Sun Mar 13 11:34:30 2016
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
Port number: sender 1 receiver 22905 protocol 0
PATH rcvfrom: localclient
Adspec: sent MTU 1500
Path MTU: received 1500
PATH sentto: 10.0.75.7 (ge-0/0/4.75) 3 pkts 33
5

RESV rcvfrom: 10.0.75.7 (ge-0/0/4.75) 3 pkts

336 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Explct route: 10.0.75.7 10.0.71.1

Record route: <self> 10.0.75.7 10.0.71.1
Total 2 displayed, Up 2, Down 0

Egress RSVP: 0 sessions

Total 0 displayed, Up 0, Down 0

Transit RSVP: 0 sessions

Total 0 displayed, Up 0, Down 0

JNCIE-SP workbook: Appendix: Chapter 6 - Layer 2 VPN

33
6





337 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix: Chapter 7 - Multicast

Part 1:

Initial configuration: MULTICAST part 1

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

33
7





338 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Lab introduction:

The R6 router is functioning as a multicast source in this lab. No multicast configuration has
to be performed on this router in any of the tasks. At the end of each task, you can verify the
lab by having the R6 router send multicast traffic to the multicast group address 239.0.0.1.

R1 and R5 are configured to send join messages for group 239.0.0.1. Additionally, they will
also reply to multicast traffic, making it easy for you to test your configuration.

At the end of each task, you can verify the configuration by sending a multicast ping from R6
to the multicast addresses that R1 and R5 are willing to join. To verify the configuration
tasks, you can issue the following command on the R6 router:

ping bypass-routing interface ge-0/0/4.14 ttl 10 239.0.0.1

All routers are using the ge-0/0/0 interface as their out-of-band management interface.
Treat these interfaces as though they are the management, or fxp0 interfaces, of the routers
in the lab.

The lab exercises may require configuration on any of the routers except for R6.

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

33
8





339 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.1: Configuring PIM with auto-rp

• Configure all routers for PIM.
• Configure R3 to be the RP, use the 10.0.0.255 address.
• Use the auto-rp mechanism.

Configuration:

On all routers but R3:

set protocols pim dense-groups 224.0.1.39/32

set protocols pim dense-groups 224.0.1.40/32
set protocols pim rp auto-rp discovery
set protocols pim interface all mode sparse-dense
set protocols pim interface ge-0/0/0.0 disable

R3:

set protocols pim dense-groups 224.0.1.39/32
set protocols pim dense-groups 224.0.1.40/32
set protocols pim rp local address 10.0.0.255
set protocols pim rp auto-rp mapping
set protocols pim interface all mode sparse-dense
set protocols pim interface ge-0/0/0.0 disable
set interfaces lo0 unit 0 family inet address 10.0.0.255/32

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

33
9





340 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

To display information about PIM neighbors, we can issue the following command:

lab@R3> show pim neighbors

B = Bidirectional Capable, G = Generation Identifier
H = Hello Option Holdtime, L = Hello Option LAN Prune Delay,
P = Hello Option DR Priority, T = Tracking Bit

Instance: PIM.master
Interface IP V Mode Option Uptime Neighbor addr
ge-0/0/4.3 4 2 HPLGT 00:04:52 192.168.1.6
ge-0/0/4.6 4 2 HPLGT 00:04:52 192.168.1.18
ge-0/0/4.9 4 2 HPLGT 00:04:52 192.168.1.29


The auto-rp mechanism enables routers to learn the about the RP. The configuration of two
dense mode group addresses is required on every router. This is because the auto-rp
mechanism relies on the dense mode group addresses 224.0.1.39 (to advertise auto-rp
messages) and 224.0.1.40 (to discover).

In this task, all routers except for R3 are configured to discover, or listen for auto-rp
messages. Since the R3 router is configured to be an RP, it is configured with the 'mapping'
keyword. This makes the router send and listen for auto-rp messages. Be patient because it
can take a while for all routers to learn about the RP.

To verify that the auto-rp mechanism was successful, we can issue the following command:

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

lab@R4> show pim rps
Instance: PIM.master

Address family INET

RP address Type Mode Holdtime Timeout Groups Group prefixes
10.0.0.255 auto-rp sparse 150 115 0 224.0.0.0/4

Address family INET6

All routers need to know the RP address, so a thorough investigation would require a similar
check on every router.

To verify that multicast traffic can make its way to the receivers, we can make R6 generate
some multicast traffic:

lab@R6> ping bypass-routing interface ge-0/0/4.14 ttl 10 239.0.0.1 34
0

PING 239.0.0.1 (239.0.0.1): 56 data bytes

341 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

64 bytes from 192.168.1.1: icmp_seq=0 ttl=61 time=7.817 ms

64 bytes from 192.168.1.45: icmp_seq=0 ttl=62 time=8.349 ms (DUP!)
64 bytes from 192.168.1.45: icmp_seq=1 ttl=62 time=2.251 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=61 time=2.535 ms (DUP!)
64 bytes from 192.168.1.1: icmp_seq=2 ttl=61 time=2.421 ms
64 bytes from 192.168.1.45: icmp_seq=2 ttl=62 time=7.420 ms (DUP!)
....

We should start to see replies from both routers that were configured as receivers. The
192.168.1.1 address belongs to R1 and the 192.168.1.45 address belongs to R5.

Shortly after initiating the multicast stream, we can see that on R4, two interfaces have
joined the 'Downstream interface list':

lab@R4> show multicast route group 239.0.0.1
extensive Instance: master Family: INET

Group: 239.0.0.1
Source: 192.168.1.50/32
Upstream interface: ge-0/0/4.14
Downstream interface list:
ge-0/0/4.5 ge-0/0/4.4
Session description: Organisational Local Scope
Statistics: 0 kBps, 1 pps, 105 packets
Next-hop ID: 262142
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Uptime: 00:02:11

In our small topology, this is the only place where we can see two interfaces in the
downstream interface list. R4 is a member of the shortest path tree for both R1 and R5:

lab@R4> show pim join 239.0.0.1 extensive
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard

Group: 239.0.0.1
Source: 192.168.1.50
Flags: sparse,spt
Upstream interface: ge-0/0/4.14
Upstream neighbor: Direct
Upstream state: Local Source
Keepalive timeout: 346
Uptime: 00:01:30
Downstream neighbors: 34
1
Interface: ge-0/0/4.4





342 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

192.168.1.10 State: Join Flags: S Timeout: 180

Uptime: 00:01:29 Time since last Join: 00:00:29
Downstream neighbors:
Interface: ge-0/0/4.5
192.168.1.13 State: Join Flags: S Timeout: 180
Uptime: 00:01:30 Time since last Join: 00:00:30


On R8, we will see only one downstream interface listing:

lab@R8> show multicast route group 239.0.0.1 extensive

Instance: master Family: INET

Group: 239.0.0.1
Source: 192.168.1.50/32
Upstream interface: ge-0/0/4.5
Downstream interface list:
ge-0/0/4.13
Session description: Organisational Local Scope
Statistics: 0 kBps, 1 pps, 205 packets
Next-hop ID: 262150
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 00:03:52

This is the multicast traffic destined to R5. On R7 and R2, we could see multicast traffic
destined to R1.

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

34
2





343 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.2: PIM filtering

• Filter incoming join messages for group 224.2.127.254 on R2.
• Filter outgoing join messages for group 224.2.127.254 on R5.

Configuration:

R2:

set policy-options policy-statement pim-filter term reject-sap from
route-filter 224.2.127.254/32 exact
set policy-options policy-statement pim-filter term reject-sap then
reject
set policy-options policy-statement pim-filter term accept-rest then
accept

set protocols pim import pim-filter

R5:

set policy-options policy-statement pim-filter term reject-sap from
route-filter 224.2.127.254/32 exact
set policy-options policy-statement pim-filter term reject-sap then
reject
set policy-options policy-statement pim-filter term accept-rest then
accept

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

set protocols pim export pim-filter

34
3





344 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

PIM allows for both export and import filters. Import filters can be used to filter inbound
joins for a multicast group. To verify that Rx Joins are being filtered:

lab@R2> show pim statistics | match filtered
RP Filtered Source 0
Rx Joins/Prunes filtered 7
Tx Joins/Prunes filtered 0

And export filters can be used to limit, or filter, outbound joins for a multicast group. To
verify that Tx Joins are being filtered:

lab@R5> show pim statistics | match filtered

RP Filtered Source 0
Rx Joins/Prunes filtered 0
Tx Joins/Prunes filtered 3

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

34
4





345 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.3: Configuring PIM with BSR

• Reconfigure R3 and have the router announce the RP using the BSR mechanism.
• Configure R8 to announce itself as an RP as well. Use the 10.0.0.254 address and the
BSR mechanism.
• Make sure R3 will be the active RP.
• Use PIM SM everywhere.


Configuration:


On all routers:

delete protocols pim rp auto-rp
delete protocols pim dense-groups
set protocols pim interface all mode sparse


R3:

set protocols pim rp bootstrap family inet priority 200

R8:

set protocols pim rp local address 10.0.0.254

set protocols pim rp bootstrap family inet priority 175
set interface lo0.0 family inet address 10.0.0.254/32

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

34
5





346 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

Since multicast routing protocols are not the fastest routing protocols there are, a 'run
restart routing' can speed things up in a lab.

In this task, the routers must learn about the RP using the bootstrap mechanism instead of
the auto-rp mechanism. Since we no longer need the two dense-groups, we use PIM SM, or
PIM sparse mode. PIM SM neighbors are indicated by an 'S' as opposed to an 'SD' for sparse
dense which we saw in our previous tasks:

lab@R4> show pim interfaces
Instance: PIM.master

Stat = Status, V = Version, NbrCnt = Neighbor Count,

S = Sparse, D = Dense, B = Bidirectional, DR = Designated Router
P2P = Point-to-point link, P2MP = Point-to-Multipoint
Active = Bidirectional is active, NotCap = Not Bidirectional Capable

Name Stat Mode IP V State NbrCnt JoinCnt(sg/*g) DR address

ge-0/0/4.14 Up S 4 2 DR,NotCap 0 0/0 192.168.1.49
ge-0/0/4.4 Up S 4 2 NotDR,NotCap 1 0/0 192.168.1.10
ge-0/0/4.5 Up S 4 2 DR,NotCap 1 0/0 192.168.1.14
lo0.0 Up S 4 2 DR,NotCap 0 0/0 10.0.0.4

In PM SM, all routers in the domain collect bootstrap messages by default. All routers will
have a default BSR priority of 0, making them ineligible to become the BSR. In this case, you
only need to configure the routers that need to advertise themselves as candidate RP. For
this reason, we only configured R3 and R8. Since we wanted R3 to win the election, we

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

configured the R3 router with a higher priority:

lab@R3> show pim bootstrap
Instance: PIM.master

BSR Pri Local address Pri State Timeout

10.0.0.3 200 10.0.0.3 200 Elected 50
None 0 (null) 0 0

The above shows R3 has been elected and the next printout tells us that R8 sees itself as a
candidate:

lab@R8> show pim bootstrap

Instance: PIM.master

BSR Pri Local address Pri State Timeout

10.0.0.3 200 10.0.0.8 175 Candidate 123
None 0 (null) 0 0 34
6





347 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

After while, the other routers will learn about the BSR routers and they will display that they
have learned about the RP:

lab@R4> show pim rps

Instance: PIM.master

Address family INET

RP address Type Mode Holdtime Timeout Groups Group prefixes
10.0.0.254 bootstrap sparse 150 113 0 224.0.0.0/4
10.0.0.255 bootstrap sparse 150 113 0 224.0.0.0/4

Address family INET6

A final check on R6 shows us that multicast traffic can make its way across the network:

lab@R6> ping bypass-routing interface ge-0/0/4.14 ttl 10 239.0.0.1

PING 239.0.0.1 (239.0.0.1): 56 data bytes
64 bytes from 192.168.1.45: icmp_seq=0 ttl=62 time=117.292 ms
64 bytes from 192.168.1.1: icmp_seq=0 ttl=61 time=183.321 ms (DUP!)
64 bytes from 192.168.1.45: icmp_seq=2 ttl=62 time=7.980 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=61 time=9.226 ms (DUP!)
64 bytes from 192.168.1.1: icmp_seq=3 ttl=61 time=2.291 ms
64 bytes from 192.168.1.45: icmp_seq=3 ttl=62 time=7.948 ms (DUP!)
....

lab@R4> show multicast route extensive
Instance: master Family: INET

Group: 239.0.0.1

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Source: 192.168.1.50/32
Upstream interface: ge-0/0/4.14
Downstream interface list:
ge-0/0/4.5 ge-0/0/4.4
Session description: Organisational Local Scope
Statistics: 0 kBps, 1 pps, 40 packets
Next-hop ID: 262142
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 00:00:41

Instance: master Family: INET6

To verify that the packets keep flowing, we can issue the same command a few seconds
later: 34
7





348 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R4> show multicast route extensive

Instance: master Family: INET

Group: 239.0.0.1
Source: 192.168.1.50/32
Upstream interface: ge-0/0/4.14
Downstream interface list:
ge-0/0/4.5 ge-0/0/4.4
Session description: Organisational Local Scope
Statistics: 0 kBps, 1 pps, 41 packets
Next-hop ID: 262142
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 00:00:43

Instance: master Family: INET6

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

34
8





349 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.4: Configuring PIM with a static RP

• Configure R3 to be the RP using the 10.0.0.255 address.
• Use static RP configuration.


Configuration:

On all routers except for R3 and R8:

set protocols pim rp static address 10.0.0.255

R3:

delete protocols pim rp bootstrap

R8:

delete interfaces lo0 unit 0 family inet address 10.0.0.254/32
delete protocols pim rp local
delete protocols pim rp bootstrap
set protocols pim rp static address 10.0.0.255

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

34
9





350 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:


lab@R4> show pim rps
Instance: PIM.master

Address family INET

RP address Type Mode Holdtime Timeout Groups Group prefixes
10.0.0.255 static sparse 0 None 0 224.0.0.0/4

lab@R3> show pim rps

Instance: PIM.master

Address family INET

RP address Type Mode Holdtime Timeout Groups Group prefixes
10.0.0.255 static sparse 150 None 2 224.0.0.0/4

Address family INET6

lab@R6> ping bypass-routing interface ge-0/0/4.14 ttl 10 239.0.0.1

PING 239.0.0.1 (239.0.0.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=61 time=2.436 ms
64 bytes from 192.168.1.45: icmp_seq=0 ttl=62 time=3.018 ms (DUP!)
64 bytes from 192.168.1.45: icmp_seq=1 ttl=62 time=2.505 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=61 time=2.802 ms (DUP!)
.....

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

35
0





351 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.5: Configuring PIM with any-cast RP

• Configure R3 and R8 to be the RP.
• Use the any-cast RP mechanism.
• Use the MSDP protocol.
• Use 10.0.0.255 as the RP address.


Configuration:


R3:

set protocols msdp group any-cast peer 10.0.0.8
set protocols msdp group any-cast local-address 10.0.0.3
set protocols msdp group any-cast mode mesh-group

R8:

delete protocols pim rp static
set protocols pim rp local address 10.0.0.255
set protocols msdp group any-cast peer 10.0.0.3
set protocols msdp group any-cast local-address 10.0.0.8
set protocols msdp group any-cast mode mesh-group

set interfaces lo0.0 family inet address 10.0.0.255/32

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

35
1





352 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

With anycast-RPs, we can achieve load sharing per multicast group and fast failover times.
Anycast RP routers need to be configured with a shared address that they both inject into
the network. Typically, this is done through an IGP. Receivers interested in multicast traffic
use the nearest available RP. This RP might not be the closest RP towards the source of the
traffic. The two redundant RPs must be able to communicate with each other and make sure
they both know about all the sources and receivers. The anycast RP configuration needs a
way to handle this exchange of information between the two RP routers. This can be
achieved by using either PIM or MSDP. For this task, we are using MSDP.

Apart from being able to connect together multiple PIM-SM domains, MSDP can also be
used to enable anycast RP within a PIM-SM domain allowing the redundant RPs to share
information. An anycast RP setup can be configured together with different RP selection
methods, though in this case, a static RP is all that is required.

To see if the configured MSDP peering is up, issue the following command:

lab@R3> show msdp
Peer address Local address State Last up/down Peer-Group SA Count
10.0.0.8 10.0.0.3 Established 00:02:09 any-cast 1/1

Activity (or lack thereof) is easily spotted by using the following command:

lab@R3> show msdp statistics

Global active source limit exceeded: 0

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Peer: 10.0.0.8
Last State Change: 8:42:33 (00:02:25)
Last message received from peer: 8:44:09 (00:00:49)
RPF Failures: 0
Remote Closes: 0
Peer Timeouts: 0
SA messages sent: 0
SA messages received: 1
SA request messages sent: 0
SA request messages received: 0
SA response messages sent: 0
SA response messages received: 0
Active source exceeded: 0
Keepalive messages sent: 2
Keepalive messages received: 1
Unknown messages received: 0
Error messages received: 0

35
Both R3 and R8 will function as an RP and both will display they are a static RP:
2





353 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R8> show pim rps extensive

Instance: PIM.master
Address family INET

RP: 10.0.0.255
Learned via: static configuration
Time Active: 00:03:33
Holdtime: 0
Device Index: 131
Subunit: 32769
Interface: ppd0.32769
Static RP Override: Off
Group Ranges:
224.0.0.0/4
Register State for RP:
Group Source FirstHop RP Address State Timeout
239.0.0.1 192.168.1.50 10.0.0.4 10.0.0.255 Receive 148
Anycast PIM local address used: 10.0.0.8

Address family INET6

Always double-check the addresses used in the configuration. The peer and source address
are the addresses that will be used to setup the TCP session between the two routers.

A final check to end the verification of the MSDP anycast RP configuration:

lab@R6> ping bypass-routing interface ge-0/0/4.14 ttl 10 239.0.0.1

PING 239.0.0.1 (239.0.0.1): 56 data bytes
64 bytes from 192.168.1.45: icmp_seq=0 ttl=62 time=96.797 ms
64 bytes from 192.168.1.1: icmp_seq=0 ttl=61 time=132.349 ms

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

(DUP!) 64 bytes from 192.168.1.45: icmp_seq=2 ttl=62 time=2.458 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=61 time=2.742 ms (DUP!)

....

35
3





354 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.6: Configuring PIM with any-cast RP

• Change the any-cast RP mechanism into the PIM any-cast mechanism.



Configuration:

R3:

delete protocols msdp
delete protocols pim rp local
set protocols pim rp local family inet address 10.0.0.255
set protocols pim rp local family inet anycast-pim local-address
10.0.0.3
set protocols pim rp local family inet anycast-pim rp-set address
10.0.0.8

R8:

delete protocols msdp
delete protocols pim rp local
set protocols pim rp local family inet address 10.0.0.255
set protocols pim rp local family inet anycast-pim local-address
10.0.0.8
set protocols pim rp local family inet anycast-pim rp-set address
10.0.0.3

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

35
4





355 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

Instead of MSDP, this time we use the PIM protocol to provide for a working anycast-RP
solution inside the PIM SM domain. Instead of introducing a new protocol, this flavor of
anycast RP re-uses the PIM register messages between the RPs to have them synchronize
with each other.

Same as with the MSDP anycast-RP configuration, mind the addresses you are using in the
configuration. With PIM anycast-RP, the 'anycast-pim rp-set address' is the remote loopback
of the other anycast-RP router. The 'anycast-pim local-address' is the local loopback address.

lab@R3> show pim rps extensive
Instance: PIM.master

Address family INET

RP: 10.0.0.255
Learned via: static configuration
Mode: Sparse
Time Active: 00:00:38
Holdtime: 150
Device Index: 131
Subunit: 32769
Interface: ppd0.32769
Static RP Override: Off
Group Ranges:
224.0.0.0/4
Anycast PIM rpset:
10.0.0.8

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Anycast PIM local address used: 10.0.0.3

Address family INET6

lab@R8> show pim rps extensive

Instance: PIM.master
Address family INET

RP: 10.0.0.255
Learned via: static configuration
Time Active: 00:00:51
Holdtime: 0
Device Index: 131
Subunit: 32769
Interface: ppd0.32769
Static RP Override: Off
Group Ranges:
224.0.0.0/4
35
Anycast PIM rpset:
5
10.0.0.3




356 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Anycast PIM local address used: 10.0.0.8

Address family INET6

Before sending any multicast traffic:

lab@R3> show pim statistics | match Anycast

Anycast Register 0 0 0
Anycast Register Stop 0 0 0

lab@R8> show pim statistics | match Anycast

Anycast Register 0 0 0
Anycast Register Stop 0 0 0

lab@R6> ping bypass-routing interface ge-0/0/4.14 ttl 10 239.0.0.1

PING 239.0.0.1 (239.0.0.1): 56 data bytes
64 bytes from 192.168.1.45: icmp_seq=0 ttl=62 time=96.394 ms
64 bytes from 192.168.1.1: icmp_seq=0 ttl=61 time=122.258 ms (DUP!)
64 bytes from 192.168.1.45: icmp_seq=2 ttl=62 time=2.352 ms

After sending some multicast traffic:

lab@R3> show pim statistics | match Anycast

Anycast Register 2 0 0
Anycast Register Stop 0 2 0

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

lab@R8> show pim statistics | match Anycast
Anycast Register 0 2 0
Anycast Register Stop 2 0 0

35
6





357 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2:

Initial configuration: MULTICAST part 2

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

35
7





358 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

35
8





359 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

35
9





360 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.7: Configure an MVPN part 1: configuring P-PIM

• Configure PIM for the core.
• Use the PIM anycast RP mechanism.
• Configure R7 and R8 to be the RP, use 172.16.1.254 as the RP address.

Configuration:

All routers except for R7 and R8:

set protocols pim interface all mode sparse
set protocols pim interface ge-0/0/0.0 disable
set protocols pim rp static address 172.16.1.254

R7:

set interfaces lo0.0 family inet address 172.16.1.254/32
set protocols pim interface all mode sparse
set protocols pim interface ge-0/0/0.0 disable
set protocols pim rp local family inet address 172.16.1.254
set protocols pim rp local family inet anycast-pim rp-set address
172.16.1.8
set protocols pim rp local family inet anycast-pim local-address
172.16.1.7

R8:

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

set interfaces lo0.0 family inet address 172.16.1.254/32
set protocols pim interface all mode sparse
set protocols pim interface ge-0/0/0.0 disable
set protocols pim rp local family inet address 172.16.1.254
set protocols pim rp local family inet anycast-pim rp-set address
172.16.1.7
set protocols pim rp local family inet anycast-pim local-address
172.16.1.8

36
0





361 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

In draft Rosen, which is described in historic RFC 6037, a distinction is made between two
instances of PIM.

The first instance is the PIM P-instance, where the P stands for Provider. This instance of PIM
is the provider wide instance that runs on the backbone of the service provider. The PIM P-
instance of PIM provides for adjacencies between service provider routers, P and PE alike.

The second is the PIM C-instance, where the C stands for customer. This instance of PIM
runs on the edges, is VPN specific and runs between the PE and CE routers.

For this task, we start with the configuration of the P-instance of PIM. It will be a PIM-SM
domain using the PIM anycast RP mechanism.

To verify the neighbor PIM neighbor establishment:

lab@R2> show pim neighbors

Instance: PIM.master
B = Bidirectional Capable, G = Generation Identifier,
H = Hello Option Holdtime, L = Hello Option LAN Prune Delay,
P = Hello Option DR Priority, T = Tracking Bit

Interface IP V Mode Option Uptime Neighbor addr

ge-0/0/4.2 4 2 HPLGT 00:00:20 192.168.1.1
ge-0/0/4.3 4 2 HPLGT 00:00:24 192.168.1.5

To verify the mode and to see if the correct interfaces are enabled for PIM:

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

lab@R2> show pim interfaces
Instance: PIM.master

Name Stat Mode IP V State NbrCnt JoinCnt(sg) JoinCnt(*g) DR

address
ge-0/0/4.2 Up Sparse 4 2 DR 1 0 0
192.168.1.2
ge-0/0/4.3 Up Sparse 4 2 DR 1 0 0
192.168.1.6
lo0.0 Up Sparse 4 2 DR 0 0 0
172.16.1.2
ppe0.32769 Up Sparse 4 2 P2P 0 0 0
sp-0/0/0.0 Up Sparse 4 2 P2P 0 0 0

We can verify the configuration of the RP on all routers as follows:

lab@R2> show pim rps 36

1
Instance: PIM.master





362 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Address family INET

RP address Type Holdtime Timeout Groups Group prefixes
172.16.1.254 static 0 None 0 224.0.0.0/4

Address family INET6

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

36
2





363 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.8: Configure an MVPN part 2: configuring C-PIM

• Configure PIM for the customer using VPN c1.
• Use the PIM BSR RP mechanism.
• Configure R4 to be the RP for the customer, using address 10.4.4.4.

Configuration:

R2:

set routing-instances c1 protocols pim vpn-group-address 239.1.1.1
set routing-instances c1 protocols pim interface all mode sparse

R4:
set routing-instances
set routing-instances
priority 200
set routing-instances
set routing-instances
set routing-instances
c1 protocols pim vpn-group-address 239.1.1.1
c1 protocols pim rp bootstrap family inet
c1 protocols pim rp local address 10.4.4.4
c1 protocols pim interface all mode sparse
c1 protocols bgp export export-lo0

set policy-options policy-statement export-lo0 from route-filter

10.4.4.4/32 exact
set policy-options policy-statement export-lo0 then accept

R6:

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

set routing-instances c1 protocols pim vpn-group-address 239.1.1.1
set routing-instances c1 protocols pim interface all mode sparse

36
3





364 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:


If the PIM P-instance is configured correctly, we should be able to see that all the customer
sites have learned the RP:

lab@R1> show pim rps instance c1-1
Instance: PIM.c1-1
Address family INET
RP address Type Holdtime Timeout Groups Group prefixes
10.4.4.4 bootstrap 150 117 1 224.0.0.0/4

Address family INET6

lab@R1> show pim rps instance c1-2

Instance: PIM.c1-2
Address family INET
RP address Type Holdtime Timeout Groups Group prefixes
10.4.4.4 bootstrap 150 115 1 224.0.0.0/4

Address family INET6

lab@R1> show pim rps instance c1-3

Instance: PIM.c1-3
Address family INET
RP address Type Holdtime Timeout Groups Group prefixes
10.4.4.4 bootstrap 150 114 1 224.0.0.0/4

Address family INET6

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

We can also check this on the provider side by checking the RP inside the VPN of the customer:

lab@R2> show pim rps instance c1
Instance: PIM.c1
Address family INET
RP address Type Holdtime Timeout Groups Group prefixes
10.4.4.4 bootstrap 150 108 1 224.0.0.0/4

Address family INET6

lab@R4> show pim rps instance c1

Instance: PIM.c1

Address family INET

RP address Type Mode Holdtime Timeout Groups Group prefixes
10.4.4.4 bootstrap sparse 150 None 3 224.0.0.0/4
10.4.4.4 static sparse 150 None 3 224.0.0.0/4

36
Address family INET6
4





365 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R6> show pim rps instance c1

Instance: PIM.c1
Address family INET
RP address Type Holdtime Timeout Groups Group prefixes
10.4.4.4 bootstrap 150 144 1 224.0.0.0/4

Address family INET6

Let's check and see what happens when we initiate a multicast stream. As an example, we'll
send some traffic from the R1 router in the c1-1 instance. Let's send some multicast traffic
towards 224.2.2.2 like this:

lab@R1> ping routing-instance c1-1 224.2.2.2 ttl 10 bypass-routing interface ge-
0/0/4.99
PING 224.2.2.2 (224.2.2.2): 56 data bytes

The multicast traffic first arrives at PE R6, where we can see the upstream interface ge-
0/0/4.99 (the interface closest to the source of the multicast traffic) and the downstream
interface mt-0/0/0.32768:

lab@R6> show multicast route instance c1 detail
Instance: c1 Family: INET

Group: 224.2.2.2
Source: 10.0.0.5/32
Upstream interface: ge-0/0/4.99
Downstream interface list:
mt-0/0/0.32768
Session description: Multimedia Conference Calls

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Statistics: 0 kBps, 1 pps, 31 packets
Next-hop ID: 262160
Upstream protocol: PIM

Instance: c1 Family: INET6

The traffic arrives at R2. In this case, the upstream interface is multicast tunnel interface.
Another command that can give a quick overview is the following command:

36
5





366 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R6> show pim interfaces instance c1

Instance: PIM.c1

Name Stat Mode IP V State NbrCnt JoinCnt(sg) JoinCnt(*g) DR

address
ge-0/0/4.99 Up Sparse 4 2 DR 1 1 0
10.0.0.6
lo0.60 Up Sparse 4 2 DR 0 0 0
10.6.6.6
mt-0/0/0.1081344 Up SparseDense 4 2 P2P 0 0 0
mt-0/0/0.32768 Up SparseDense 4 2 P2P 2 0 1
ppe0.32771 Up Sparse 4 2 P2P 0 0 0

In the above printout, we can see that there is one neighbor on the ge-0/0/4.99 interface.
This is the CE. There are 2 neighbors behind the mt-0/0/0.32768 interface. These are the
other PE routers. As you can see, there are two dynamically created mt-interfaces. One
interface (the highlighted one) is used to encapsulate multicast traffic over the GRE tunnel.
The other interface is used to de-encapsulate the received multicast traffic.

We can also verify or see which PIM neighbors are active by issuing the 'show pim
neighbors instance c1' command:

lab@R6> show pim neighbors instance c1
Instance: PIM.c1
B = Bidirectional Capable, G = Generation Identifier,
H = Hello Option Holdtime, L = Hello Option LAN Prune Delay,
P = Hello Option DR Priority, T = Tracking Bit

Interface IP V Mode Option Uptime Neighbor addr

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

ge-0/0/4.99 4 2 HPLGT 00:05:40 10.0.0.5
mt-0/0/0.32768 4 2 HPLGT 00:04:18 10.2.2.2
mt-0/0/0.32768 4 2 HPLGT 00:03:14 10.4.4.4

lab@R2> show pim neighbors instance c1

Instance: PIM.c1
B = Bidirectional Capable, G = Generation Identifier,
H = Hello Option Holdtime, L = Hello Option LAN Prune Delay,
P = Hello Option DR Priority, T = Tracking Bit

Interface IP V Mode Option Uptime Neighbor addr

ge-0/0/4.98 4 2 HPLGT 00:07:18 10.0.0.9
mt-0/0/0.32768 4 2 HPLGT 00:04:29 10.4.4.4
mt-0/0/0.32768 4 2 HPLGT 00:05:05 10.6.6.6

36
6





367 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R4> show pim neighbors instance c1

B = Bidirectional Capable, G = Generation Identifier
H = Hello Option Holdtime, L = Hello Option LAN Prune Delay,
P = Hello Option DR Priority, T = Tracking Bit

Instance: PIM.c1
Interface IP V Mode Option Uptime Neighbor addr
ge-0/0/4.100 4 2 HPLGT 00:05:24 10.0.0.1
mt-0/0/0.32768 4 2 HPLGT 00:04:52 10.2.2.2
mt-0/0/0.32768 4 2 HPLGT 00:04:24 10.6.6.6

The multicast traffic is actually send across the multicast tunnel interface to both PE routers.
However, since the R2 PE does not have any interested receivers, the forwarding state is
pruned:

lab@R2> show multicast route instance c1 extensive

Instance: c1 Family: INET

Group: 224.2.2.2
Source: 10.0.0.5/32
Upstream interface: mt-0/0/0.1081344
Session description: Multimedia Conference Calls
Statistics: 0 kBps, 2 pps, 133 packets
Next-hop ID: 0
Upstream protocol: PIM
Route state: Active
Forwarding state: Pruned
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 00:02:13

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Instance: c1 Family: INET6

On the R4 PE, we can see traffic received over the multicast tunnel interface. Only in this
case, there is an interested receiver. The interface towards the CE was added to the
downstream interface list, and the traffic is flowing towards the interested receiver:

lab@R4> show multicast route instance c1 extensive

Instance: c1 Family: INET

Group: 224.2.2.2
Source: 10.0.0.5/32
Upstream interface: mt-0/0/0.1081344
Downstream interface list:
ge-0/0/4.100
Session description: Multimedia Conference Calls
Statistics: 0 kBps, 1 pps, 128 packets
Next-hop ID: 262154
36
Upstream protocol: PIM
7
Route state: Active




368 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Forwarding state: Forwarding

Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 1
Uptime: 00:02:10

Instance: c1 Family: INET6

Different sites listen to different receivers. Let's try and see what happens when we send
traffic towards another multicast destination from R1 c1-1, like this:
lab@R1> ping routing-instance c1-1 224.3.3.3 ttl 10 bypass-routing interface ge-
0/0/4.99

The traffic enters the same PE as in the previous example:

lab@R6> show multicast route instance c1 extensive group 224.3.3.3

Instance: c1 Family: INET

Group: 224.3.3.3
Source: 10.0.0.5/32
Upstream interface: ge-0/0/4.99
Downstream interface list:
mt-0/0/0.32768
Session description: Unknown
Statistics: 0 kBps, 0 pps, 15 packets
Next-hop ID: 262160
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 1
Uptime: 00:01:16

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

But this time, the interested receiver sits behind R2:

lab@R2> show multicast route instance c1 extensive group 224.3.3.3

Instance: c1 Family: INET

Group: 224.3.3.3
Source: 10.0.0.5/32
Upstream interface: mt-0/0/0.1081344
Downstream interface list:
ge-0/0/4.98
Session description: Unknown
Statistics: 0 kBps, 1 pps, 74 packets
Next-hop ID: 262159
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
36
Cache lifetime/timeout: 360 seconds
8
Wrong incoming interface notifications: 0




369 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Uptime: 00:01:15

And so we will see R4 prune the traffic:

lab@R4> show multicast route instance c1 extensive group 224.3.3.3
Instance: c1 Family: INET

Group: 224.3.3.3
Source: 10.0.0.5/32
Upstream interface: mt-0/0/0.1081344
Session description: Unknown
Statistics: 0 kBps, 1 pps, 73 packets
Next-hop ID: 0
Upstream protocol: PIM
Route state: Active
Forwarding state: Pruned
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 1
Uptime: 00:01:16

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

36
9





370 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.9: Configure an NG MVPN part 1

• Enable PIM-SM on al CE-facing interfaces for VPN c2.
• Configure R4 to be the RP using address 10.4.4.4.

Configuration:

R2:

set routing-instances c2 protocols pim interface all mode sparse
set routing-instances c2 protocols pim rp static address 10.4.4.4

R4:

set routing-instances c2 protocols pim interface all mode sparse
set routing-instances c2 protocols pim rp local address 10.4.4.4
set routing-instances c2 protocols bgp group cpe export export-lo0

R6:

set routing-instances c2 protocols pim interface all mode sparse
set routing-instances c2 protocols pim rp static address 10.4.4.4

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

37
0





371 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R2> show pim neighbors instance c2
Instance: PIM.c2
B = Bidirectional Capable, G = Generation Identifier,
H = Hello Option Holdtime, L = Hello Option LAN Prune Delay,
P = Hello Option DR Priority, T = Tracking Bit

Interface IP V Mode Option Uptime Neighbor addr

ge-0/0/4.95 4 2 HPLGT 00:00:24 10.0.0.9

lab@R4> show pim neighbors instance c2

B = Bidirectional Capable, G = Generation Identifier
H = Hello Option Holdtime, L = Hello Option LAN Prune Delay,
P = Hello Option DR Priority, T = Tracking Bit

Instance: PIM.c2
Interface IP V Mode Option Uptime Neighbor addr
ge-0/0/4.97 4 2 HPLGT 00:00:22 10.0.0.1

lab@R6> show pim neighbors instance c2

Instance: PIM.c2
B = Bidirectional Capable, G = Generation Identifier,
H = Hello Option Holdtime, L = Hello Option LAN Prune Delay,
P = Hello Option DR Priority, T = Tracking Bit

Interface IP V Mode Option Uptime Neighbor addr

ge-0/0/4.96 4 2 HPLGT 00:00:30 10.0.0.5

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

37
1





372 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.10: Configure an NG MVPN part 2

• Configure a NG MVPN for customer 2.
• For the NG MVPN, use a P2MP LDP inclusive provider tunnel.
• Setup the MVPN to operate in RPT-SPT mode.

Configuration:

R2:

set protocols ldp p2mp
set protocols bgp group ibgp family inet-mvpn signaling

set routing-instances c2 vrf-table-label

set routing-instances c2 protocols mvpn mvpn-mode rpt-spt

R4:

set protocols ldp p2mp
set protocols bgp group ibgp family inet-mvpn signaling

set routing-instances c2 vrf-table-label

set routing-instances c2 provider-tunnel ldp-p2mp
set routing-instances c2 protocols mvpn mvpn-mode rpt-spt

R6:

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

set protocols ldp p2mp
set protocols bgp group ibgp family inet-mvpn signaling

set routing-instances c2 vrf-table-label

set routing-instances c2 protocols mvpn mvpn-mode rpt-spt

Other P routers:

set protocols ldp p2mp

37
2





373 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

In NG MVPN, the forwarding and the signaling operations have been separated. The
signaling is something that is taken care of by a BGP address family called 'inet-mvpn ',
which we'll check later on. First, we'll examine the forwarding part of the NG MVPN by
looking into LDP.

The routing-instances on the R4 PE is configured with a 'provider-tunnel'. R4 will use BGP
to signal the other routers to setup a p2mp LDP signaled LSP. For R2 and R6 to succeed in
this, all the other P/PE routers need to have the p2mp capability enabled. To verify this, we
can check the following on every router:

lab@R2> show ldp overview | match Cap
Capabilities enabled: p2mp

On R4, we should see the following:

lab@R4> show ldp database p2mp extensive
Input label database, 172.16.1.4:0--172.16.1.3:0
Label Prefix
300096 P2MP root-addr 172.16.1.4, lsp-id 16777217
State: Active
Age: 4:37

Output label database, 172.16.1.4:0--172.16.1.3:0

Input label database, 172.16.1.4:0--172.16.1.5:0

Label Prefix

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

300080 P2MP root-addr 172.16.1.4, lsp-id 16777217
State: Active
Age: 4:37

Output label database, 172.16.1.4:0--172.16.1.5:0

The other routers in the network should have the P2MP LSP in the LDP database:

lab@R6> show ldp database
Input label database, 172.16.1.6:0--172.16.1.5:0
Label Prefix
300032 172.16.1.2/32
299984 172.16.1.3/32
300064 172.16.1.4/32
3 172.16.1.5/32
300048 172.16.1.6/32
300016 172.16.1.7/32
300000 172.16.1.8/32 37
3





374 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Output label database, 172.16.1.6:0--172.16.1.5:0

Label Prefix
300096 172.16.1.2/32
300112 172.16.1.3/32
300080 172.16.1.4/32
300064 172.16.1.5/32
3 172.16.1.6/32
300128 172.16.1.7/32
300144 172.16.1.8/32
16 P2MP root-addr 172.16.1.4, lsp-id 16777217

Input label database, 172.16.1.6:0--172.16.1.7:0

Label Prefix
300000 172.16.1.2/32
299984 172.16.1.3/32
300048 172.16.1.4/32
300016 172.16.1.5/32
300032 172.16.1.6/32
3 172.16.1.7/32
299968 172.16.1.8/32

Output label database, 172.16.1.6:0--172.16.1.7:0

Label Prefix
300096 172.16.1.2/32
300112 172.16.1.3/32
300080 172.16.1.4/32
300064 172.16.1.5/32
3 172.16.1.6/32
300128 172.16.1.7/32
300144 172.16.1.8/32

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

You should note that the LDP p2mp paths are signaled on demand. So, for instance, if the
BGP configuration would not have been correct, you might have seen the following output:

lab@R4> show ldp overview | match Cap
Capabilities enabled: p2mp

lab@R4> show ldp p2mp path

lab@R4>

37
4





375 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

To verify BGP, we should check and make sure that all the BGP sessions support the two
required address families. The required address families are 'inet-vpn-unicast' (for the
MPLS VPN) and 'inet-mvpn' (for the multicast VPN part).

lab@R4> show bgp neighbor 172.16.1.2 | match NLRI.*session
NLRI for this session: inet-vpn-unicast inet-mvpn

lab@R4> show bgp neighbor 172.16.1.6 | match NLRI.*session

NLRI for this session: inet-vpn-unicast inet-mvpn

To verify that we are advertising prefix information from R4 to R6:

lab@R4> show route advertising-protocol bgp 172.16.1.6

c1.inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 10.0.0.0/30 Self 100 I
* 10.0.20.4/30 Self 100 65010 I
* 10.1.0.2/32 Self 100 65010 I
* 10.4.4.4/32 Self 100 I

c2.inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 10.0.0.0/30 Self 100 I
* 10.0.20.4/30 Self 100 65010 I
* 10.2.0.2/32 Self 100 65010 I
* 10.4.4.4/32 Self 100 I

c2.mvpn.0: 5 destinations, 8 routes (5 active, 2 holddown, 0 hidden)

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Prefix Nexthop MED Lclpref AS path
1:172.16.1.4:8:172.16.1.4/240
* Self 100 I

The 'c2.inet.0' table contains the IPv4 prefix information for this customers. The 'c2.mvpn.0'
table is the multicast virtual private network route advertised by R4. The R4 router is
announcing the exact same c2.mvpn route towards both of the other PE routers:

lab@R4> show route advertising-protocol bgp 172.16.1.6 table c2.mvpn.0 extensive

c2.mvpn.0: 5 destinations, 8 routes (5 active, 2 holddown, 0 hidden)

* 1:172.16.1.4:8:172.16.1.4/240 (1 entry, 1 announced)
BGP group ibgp type Internal
Route Distinguisher: 172.16.1.4:8
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65000] I 37
5
Communities: target:65000:2





376 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

PMSI: Flags 0x0: Label[0:0:0]: LDP-P2MP: Root 172.16.1.4, lsp-id 16777217

lab@R4> show route advertising-protocol bgp 172.16.1.2 table c2.mvpn.0 extensive

c2.mvpn.0: 5 destinations, 8 routes (5 active, 2 holddown, 0 hidden)

* 1:172.16.1.4:8:172.16.1.4/240 (1 entry, 1 announced)
BGP group ibgp type Internal
Route Distinguisher: 172.16.1.4:8
Nexthop: Self
Flags: Nexthop Change
Localpref: 100
AS path: [65000] I
Communities: target:65000:2
PMSI: Flags 0x0: Label[0:0:0]: LDP-P2MP: Root 172.16.1.4, lsp-id 16777217

Notice that this is a type 1 intra-AS I-PMSI autodiscovery route. This route is generated by all
PE routers. On R4, the route also contains the PMSI attribute. It is through this attribute that
R4 can tell it's MVPN neighbors that the provider tunnel is LDP based. In this case, the PMSI
attribute signals the root of the LSP and an opaque value. It's based on this attribute value
that both R2 and R6 will begin to signal an LSP to the root.
On the R4 PE, we are also receiving routes. Let's examine what we are receiving from the R6
router:
lab@R4> show route receive-protocol bgp 172.16.1.6 table c2.mvpn.0 detail

c2.mvpn.0: 5 destinations, 8 routes (5 active, 2 holddown, 0 hidden)

* 1:172.16.1.6:7:172.16.1.6/240 (1 entry, 1 announced)
Import Accepted
Route Distinguisher: 172.16.1.6:7
Nexthop: 172.16.1.6
Localpref: 100

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

AS path: I
Communities: target:65000:2

6:172.16.1.4:8:65000:32:10.4.4.4:32:224.4.4.4/240 (3 entries, 3 announced)

Import Accepted
Route Distinguisher: 172.16.1.4:8
Nexthop: 172.16.1.6
Localpref: 100
AS path: I
Communities: target:172.16.1.4:7

We received a type 1 intra-AS route, but we have also received a type 6 shared tree join
route.

In Draft Rosen, if the PE receives a PIM join from a CE, this join would have been tunneled
through a multicast interface towards all the other routers participating in the VPN. In the
37
6





377 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

NG MVPN, the PIM join that a PE receives from the customer is encoded in a BGP route
update. The format of this route is as follows:

{type}{active sender PE}{source AS}{C-S mask}{C-RP}{C-G mask}{C-G}

Now, let's look at the route that was send by R6 to R4 again:

6:172.16.1.4:8:65000:32:10.4.4.4:32:224.4.4.4

Type: 6
Active sender PE: 172.16.1.4:8
Source AS: 65000
C-S mask: 32
C-RP: 10.4.4.4
C-G mask: 32
C-G: 224.4.4.4

We can also examine the PIM join by issuing the following command:

lab@R6# show pim join instance c2 extensive

Instance: PIM.c2 Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard

Group: 224.4.4.4
Source: *
RP: 10.4.4.4
Flags: sparse,rptree,wildcard
Upstream protocol: BGP
Upstream interface: Through BGP

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Upstream neighbor: Through MVPN
Upstream state: Join to RP
Uptime: 00:31:03
Downstream neighbors:
Interface: ge-0/0/4.96
10.0.0.5 State: Join Flags: SRW Timeout: 207
Uptime: 00:31:03 Time since last Join: 00:00:03

Instance: PIM.c2 Family: INET6

R = Rendezvous Point Tree, S = Sparse, W = Wildcard

37
7





378 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Another interesting verification command is the following command:

lab@R4# show mvpn instance c2 extensive

MVPN instance:
Legend for provider tunnel
I-P-tnl -- inclusive provider tunnel S-P-tnl -- selective provider tunnel
Legend for c-multicast routes properties (Pr)
DS -- derived from (*, c-g) RM -- remote VPN route
Family : INET

Instance : c2
MVPN Mode : RPT-SPT
Provider tunnel: I-P-tnl:LDP-P2MP:172.16.1.4, lsp-id 16777218
Neighbor I-P-tnl
172.16.1.2
172.16.1.6
C-mcast IPv4 (S:G) Ptnl St
0.0.0.0/0:224.3.3.3/32 LDP-P2MP:172.16.1.4, lsp-id 16777218 RM
0.0.0.0/0:224.4.4.4/32 LDP-P2MP:172.16.1.4, lsp-id 16777218 RM

MVPN instance:
Legend for provider tunnel
I-P-tnl -- inclusive provider tunnel S-P-tnl -- selective provider tunnel
Legend for c-multicast routes properties (Pr)
DS -- derived from (*, c-g) RM -- remote VPN route
Family : INET6

Instance : c2
MVPN Mode : RPT-SPT
Provider tunnel: I-P-tnl:LDP-P2MP:172.16.1.4, lsp-id 16777218

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

The above printout shows us the following:
• The MVPN mode is RPT-SPT (which is the default).
• An inclusive p2mp LDP signaled tunnel is setup.
• The p2mp tunnel is rooted at R4.
• R4 has two neighbors routers active in this MVPN. These are R2 (172.16.1.2) and R6
(172.16.1.6).
• There are interested receivers for two multicast groups.

Another thing we configured was vrf-table-label. As a consequence of this configuration

command, the entire VRF is allocated a single label (as opposed to the default per prefix
label). A further consequence is that because there is a single label allocated to the VPN, a
second lookup is made possible.
An alternative to the vrf-table label would be the installation of a tunnel PIC.
37
8





379 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 7.11: Configure an NG MVPN part 3

• Reconfigure the provider tunnel to be RSVP-based.
• Set the bandwidth of the P2MP LSP to 10m.
• Specify the R2 and R6 sites as receivers and the R4 site as sender only.


Configuration:

R4:

set protocols mpls label-switched-path ng-mvpn-p2mp template
set protocols mpls label-switched-path ng-mvpn-p2mp bandwidth 10m
set protocols mpls label-switched-path ng-mvpn-p2mp p2mp
delete routing-instances c2 provider-tunnel ldp-p2mp
set routing-instances c2 provider-tunnel rsvp-te label-switched-
path-template ng-mvpn-p2mp
set routing-instances c2 protocols mvpn sender-site

R6:

set routing-instances c2 protocols mvpn receiver-site

R2:

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

set routing-instances c2 protocols mvpn receiver-site

37
9





380 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

The LSP was changed from LDP signaled to RSVP signaled:

lab@R4> show rsvp session

Ingress RSVP: 2 sessions
To From State Rt Style Labelin Labelout LSPname
172.16.1.2 172.16.1.4 Up 0 1 SE - 300272
172.16.1.2:172.16.1.4:6:mvpn:c2
172.16.1.6 172.16.1.4 Up 0 1 SE - 300240
172.16.1.6:172.16.1.4:6:mvpn:c2
Total 2 displayed, Up 2, Down 0

lab@R4> show mpls lsp ingress extensive

Ingress LSP: 2 sessions

172.16.1.2
From: 172.16.1.4, State: Up, ActiveRoute: 0, LSPname:
172.16.1.2:172.16.1.4:6:mvpn:c2
ActivePath: (primary)
P2MP name: 172.16.1.4:6:mvpn:c2
LSPtype: Dynamic Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
Bandwidth: 10Mbps
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 20)
192.168.1.17 S 192.168.1.2 S

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
192.168.1.17 192.168.1.2
7 Apr 12 10:21:53.361 Selected as active path
6 Apr 12 10:21:53.339 Up
5 Apr 12 10:21:53.330 192.168.1.18: Down
4 Apr 12 10:21:53.329 Record Route: 192.168.1.17 192.168.1.2
3 Apr 12 10:21:53.322 Up
2 Apr 12 10:21:53.294 Originate Call
1 Apr 12 10:21:53.294 CSPF: computation result accepted 192.168.1.17
192.168.1.2
Created: Tue Apr 12 10:21:53 2016

172.16.1.6
From: 172.16.1.4, State: Up, ActiveRoute: 0, LSPname:
172.16.1.6:172.16.1.4:6:mvpn:c2
ActivePath: (primary)
P2MP name: 172.16.1.4:6:mvpn:c2
38
LSPtype: Dynamic Configured
0
LoadBalance: Random




381 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Encoding type: Packet, Switching type: Packet, GPID: IPv4

*Primary State: Up
Priorities: 7 0
Bandwidth: 10Mbps
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 20)
192.168.1.21 S 192.168.1.34 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
192.168.1.21 192.168.1.34
5 Apr 12 10:21:53.365 Selected as active path
4 Apr 12 10:21:53.359 Record Route: 192.168.1.21 192.168.1.34
3 Apr 12 10:21:53.355 Up
2 Apr 12 10:21:53.295 Originate Call
1 Apr 12 10:21:53.295 CSPF: computation result accepted 192.168.1.21
192.168.1.34
Created: Tue Apr 12 10:21:52 2016
Total 2 displayed, Up 2, Down 0

In the previous task, we saw that the R4 router used BGP to signal the other routers that an
LDP p2mp LSP would be used to forward traffic. In this case, the R4 router is updating R2 and
R6 that an RSVP signaled p2mp LSP will be used:

lab@R4> show route advertising-protocol bgp 172.16.1.2 table c2.mvpn.0 extensive

c2.mvpn.0: 5 destinations, 8 routes (5 active, 2 holddown, 0 hidden)

* 1:172.16.1.4:6:172.16.1.4/240 (1 entry, 1 announced)
BGP group ibgp type Internal
Route Distinguisher: 172.16.1.4:6
Nexthop: Self
Flags: Nexthop Change

JNCIE-SP workbook: Appendix: Chapter 7 - Multicast

Localpref: 100
AS path: [65000] I
Communities: target:65000:2
PMSI: Flags 0x0: Label[0:0:0]: RSVP-TE:
Session_13[172.16.1.4:0:30235:172.16.1.4]

No additional RSVP configuration is required on any of the other routers.

38
1





382 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix: Chapter 8 - Class of Service

Initial configuration: CoS-start

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

38
2





383 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.1: Multi-field classification

• Configure R3 so that ICMP packets originated from R1 lo0 and the ge-0/0/4.13
interface IP addresses are assigned to forwarding classes “gold” and “silver.
• Configure R4 so that ICMP packets originated from R2 lo0 and the ge-0/0/4.24
interface IP addresses are assigned to forwarding classes “gold” and “silver”.
• Use queue 1 and queue 2 to process traffic of these forwarding classes.

Configuration:

R3:

set firewall family inet filter mfc term 1 from protocol icmp
set firewall family inet filter mfc term 1 from source-address
1.1.1.1/32
set firewall family inet filter mfc term 1 then forwarding-class
gold
set firewall family inet filter mfc term 1 then count gold
set firewall family inet filter mfc term 1 then accept

set firewall family inet filter mfc term 2 from protocol icmp
set firewall family inet filter mfc term 2 from source-address
10.1.13.1/32
set firewall family inet filter mfc term 2 then forwarding-class
silver

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

set firewall family inet filter mfc term 2 then count silver
set firewall family inet filter mfc term 2 then accept
set firewall family inet filter mfc term 3 then accept

set interfaces ge-0/0/4 unit 13 family inet filter input mfc

set class-of-service forwarding-classes queue 1 gold

set class-of-service forwarding-classes queue 2 silver

R4:

set firewall family inet filter mfc term 1 from protocol icmp
set firewall family inet filter mfc term 1 from source-address
2.2.2.2/32
set firewall family inet filter mfc term 1 then forwarding-class
gold

set firewall family inet filter mfc term 1 then count gold
38
set firewall family inet filter mfc term 1 then accept 3





384 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set firewall family inet filter mfc term 2 from protocol icmp
set firewall family inet filter mfc term 2 from source-address
10.1.24.2/32
set firewall family inet filter mfc term 2 then forwarding-class
silver
set firewall family inet filter mfc term 2 then count silver
set firewall family inet filter mfc term 2 then accept
set firewall family inet filter mfc term 3 then accept

set interfaces ge-0/0/4 unit 24 family inet filter input mfc

set class-of-service forwarding-classes queue 1 gold

set class-of-service forwarding-classes queue 2 silver

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

38
4





385 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

root@R1# run ping 2.2.2.2 source 1.1.1.1 count 1

PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=61 time=1.907 ms

--- 2.2.2.2 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.907/1.907/1.907/0.000 ms

root@R1# run ping 2.2.2.2 source 10.1.13.1 count 1

PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=61 time=2.101 ms

--- 2.2.2.2 ping statistics ---

1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.101/2.101/2.101/0.000 ms

root@R3# run show firewall filter mfc

Counters:
Name Bytes Packets
gold 84 1
silver 84 1

root@R3# run show class-of-service forwarding-class

Forwarding class ID Queue Policing priority SPU

priority

best-effort 0 0 normal low

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

gold 1 1 normal low
silver 2 2 normal low
network-control 3 3 normal low

38
5





386 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.2: BA classification

• Configure a custom MPLS EXP-based BA classifier using a default classifier as a
template.
• Assign forwarding classes “gold” and “silver” and also “low” and “high” PLP to
packets with EXP values of 101 and 010 respectively.
• Apply this BA on the appropriate router interfaces.

Configuration:

R3:

set class-of-service classifiers exp custom-exp import default

set class-of-service classifiers exp custom-exp forwarding-class
gold loss-priority low code-points 101
set class-of-service classifiers exp custom-exp forwarding-class
silver loss-priority high code-points 010
set class-of-service interfaces ge-0/0/1 unit 0 classifiers exp
custom-exp
set class-of-service interfaces ge-0/0/4 unit 35 classifiers exp
custom-exp

R4:

set class-of-service classifiers exp custom-exp import default

set class-of-service classifiers exp custom-exp forwarding-class

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

gold loss-priority low code-points 101
set class-of-service classifiers exp custom-exp forwarding-class
silver loss-priority high code-points 010
set class-of-service interfaces ge-0/0/1 unit 0 classifiers exp
custom-exp
set class-of-service interfaces ge-0/0/4 unit 45 classifiers exp
custom-exp

R5:

set class-of-service classifiers exp custom-exp import default

set class-of-service classifiers exp custom-exp forwarding-class
gold loss-priority low code-points 101
set class-of-service classifiers exp custom-exp forwarding-class
silver loss-priority high code-points 010
set class-of-service interfaces ge-0/0/4 unit 35 classifiers exp
custom-exp
38
set class-of-service interfaces ge-0/0/4 unit 45 classifiers exp
6





387 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

custom-exp
set class-of-service forwarding-classes queue 1 gold
set class-of-service forwarding-classes queue 2 silver

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

38
7





388 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R4# run show class-of-service interface ge-0/0/1.0

Logical interface: ge-0/0/1.0, Index: 66
Object Name Type Index
Rewrite exp-default exp (mpls-any) 33
Classifier custom-exp exp 46412
Classifier ipprec-compatibility ip 13

[edit]
lab@R4# run show class-of-service interface ge-0/0/4.45
Logical interface: ge-0/0/4.45, Index: 74
Object Name Type Index
Rewrite exp-default exp (mpls-any) 33
Classifier custom-exp exp 46412
Classifier ipprec-compatibility ip 13

[edit]
lab@R4# run show class-of-service classifier name custom-exp
Classifier: custom-exp, Code point type: exp, Index: 46412
Code point Forwarding class Loss priority
000 best-effort low
001 best-effort high
010 silver high
011 gold high
100 silver low
101 gold low
110 network-control low
111 network-control high

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

38
8





389 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.3: Policing

• Configure a single-rate soft policer on R3 and invoke it twice in the firewall filter that
is already applied to interface ge-0/0/4.13.
• Use the lowest bandwidth-limit and burst size possible. Make sure that this is a total
limit for both gold and silver classes.
• Out-of-profile traffic should be mapped to the “best-effort” forwarding class.

Configuration:

R3:

set firewall policer soft-limit filter-specific
set firewall policer soft-limit if-exceeding bandwidth-limit 32k
set firewall policer soft-limit if-exceeding burst-size-limit 1500
set firewall policer soft-limit then forwarding-class best-effort
set firewall family inet filter mfc term 1 then policer soft-limit
set firewall family inet filter mfc term 2 then policer soft-limit

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

38
9





390 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

root@R3# run clear firewall all

lab@R1# run ping 2.2.2.2 source 1.1.1.1 rapid count 1000

PING 2.2.2.2 (2.2.2.2): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

39
0





391 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!
--- 2.2.2.2 ping statistics ---
1000 packets transmitted, 1000 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.323/2.646/22.828/2.210 ms

[edit]
lab@R1# run ping 2.2.2.2 rapid count 1000
PING 2.2.2.2 (2.2.2.2): 56 data bytes

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

39
1





392 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

39
2





393 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!
--- 2.2.2.2 ping statistics ---
1000 packets transmitted, 1000 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.307/2.474/28.111/2.280 ms

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

39
3





394 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R3# run show firewall filter mfc

Filter: mfc
Counters:
Name Bytes Packets
gold 84000 1000
silver 84000 1000
Policers:
Name Bytes Packets
soft-limit 1702

If we would not have used the filter-specific knob, and we would have performed the exact
same test, the output would have looked like this:

lab@R3# run show firewall filter mfc

Filter: mfc
Counters:
Name Bytes Packets
gold 84000 1000
silver 84000 1000
Policers:
Name Bytes Packets
soft-limit-1 851
soft-limit-2 856

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

39
4





395 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.4: Scheduling

• Assign the following priorities to the schedulers: scheduler for best-effort traffic –
low, gold traffic – high, silver – medium-high, network-control – medium-low.
• Assign 20% of the interface bandwidth to the scheduler that processes “gold” traffic.
Assign 10% to the “silver” and 10% to the “network-control” scheduler. Assign the
remaining bandwidth to best-effort traffic. Use the same values for the buffer-size
parameter.
• Configure the scheduler map and apply it to the appropriate interfaces.

Configuration:

R3, R4, R5:

set class-of-service schedulers gold transmit-rate percent 20

set class-of-service schedulers gold buffer-size percent 20
set class-of-service schedulers gold priority high
set class-of-service schedulers silver transmit-rate percent 10
set class-of-service schedulers silver buffer-size percent 10
set class-of-service schedulers silver priority medium-high
set class-of-service schedulers nc transmit-rate percent 10
set class-of-service schedulers nc buffer-size percent 10
set class-of-service schedulers nc priority medium-low

set class-of-service schedulers be transmit-rate remainder

set class-of-service schedulers be buffer-size remainder

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

set class-of-service schedulers be priority low

set class-of-service scheduler-maps sm forwarding-class gold

scheduler gold
set class-of-service scheduler-maps sm forwarding-class silver
scheduler silver
set class-of-service scheduler-maps sm forwarding-class network-
control scheduler nc
set class-of-service scheduler-maps sm forwarding-class best-effort
scheduler be

set interfaces ge-0/0/4 per-unit-scheduler

R3 and R4:

set class-of-service interfaces ge-0/0/4 unit * scheduler-map sm

set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map sm
set interfaces ge-0/0/1 per-unit-scheduler
39
5
R5:




396 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

set class-of-service interfaces ge-0/0/4 unit * scheduler-map sm

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

39
6





397 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show class-of-service scheduler-map sm

Scheduler map: sm, Index: 3597

Scheduler: be, Forwarding class: best-effort, Index: 3109
Transmit rate: remainder, Rate Limit: none, Buffer size: remainder,
Buffer Limit: none, Priority: low
Excess Priority: unspecified
Drop profiles:
Loss priority Protocol Index Name
Low any 1 <default-drop-profile>
Medium low any 1 <default-drop-profile>
Medium high any 1 <default-drop-profile>
High any 1 <default-drop-profile>

Scheduler: gold, Forwarding class: gold, Index: 12758

Transmit rate: 20 percent, Rate Limit: none, Buffer size: 20 percent,
Buffer Limit: none, Priority: high
Excess Priority: unspecified
Drop profiles:
Loss priority Protocol Index Name
Low any 1 <default-drop-profile>
Medium low any 1 <default-drop-profile>
Medium high any 1 <default-drop-profile>
High any 1 <default-drop-profile>

Scheduler: silver, Forwarding class: silver, Index: 13429

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
Buffer Limit: none, Priority: medium-high
Excess Priority: unspecified
Drop profiles:
Loss priority Protocol Index Name
Low any 1 <default-drop-profile>
Medium low any 1 <default-drop-profile>
Medium high any 1 <default-drop-profile>
High any 1 <default-drop-profile>

Scheduler: nc, Forwarding class: network-control, Index: 3491

Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent,
Buffer Limit: none, Priority: medium-low
Excess Priority: unspecified
Drop profiles:
Loss priority Protocol Index Name
Low any 1 <default-drop-profile>
Medium low any 1 <default-drop-profile>
Medium high any 1 <default-drop-profile>
High any 1 <default-drop-profile>
39
lab@R3# run show class-of-service interface ge-0/0/1.0
7





398 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Logical interface: ge-0/0/1.0, Index: 78

Object Name Type Index
Scheduler-map sm Output 3597
Rewrite exp-default exp (mpls-any) 33
Classifier custom-exp exp 46412
Classifier ipprec-compatibility ip 13

lab@R1> ping 2.2.2.2 source 1.1.1.1 count 100 rapid

PING 2.2.2.2 (2.2.2.2): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!

--- 2.2.2.2 ping statistics ---

100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.594/3.181/14.484/2.648 ms

lab@R3# run show interfaces queue ge-0/0/4.35

Logical interface ge-0/0/4.35 (Index 79) (SNMP ifIndex 645)

Forwarding classes: 8 supported, 4 in use
Egress queues: 8 supported, 4 in use
Burst size: 0
Queue: 0, Forwarding classes: best-effort
Queued:
Packets : 66 0 pps
Bytes : 6996 0 bps
Transmitted:
Packets : 66 0 pps
Bytes : 6996 0 bps

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

[…skipped…]

Queue: 1, Forwarding classes: gold

Queued:
Packets : 34 0 pps
Bytes : 3604 0 bps
Transmitted:

Packets : 34 0 pps
Bytes : 3604 0 bps

[…skipped…]

lab@R1> ping 2.2.2.2 source 10.1.13.1 count 100 rapid

39
PING 2.2.2.2 (2.2.2.2): 56 data bytes
8





399 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
--- 2.2.2.2 ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.619/2.556/8.104/1.907 ms

lab@R3# run show interfaces queue ge-0/0/4.35

Logical interface ge-0/0/4.35 (Index 79) (SNMP ifIndex 645)
Forwarding classes: 8 supported, 4 in use
Egress queues: 8 supported, 4 in use
Burst size: 0
Queue: 0, Forwarding classes: best-effort
Queued:

Packets : 135 0 pps

Bytes : 14310 0 bps
Transmitted:
Packets : 135 0 pps
Bytes : 14310 0 bps

[…skipped…]

Queue: 2, Forwarding classes: silver

Queued:
Packets : 31 0 pps
Bytes : 3286 0 bps
Transmitted:

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

Packets : 31 0 pps
Bytes : 3286 0 bps

39
9





400 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.5: WRED drop profiles

• Configure an interpolated aggressive drop profile. When the buffer is at 50%
utilization, the drop probability should be 75%. When the buffer utilization is 75%,
the drop probability should be 95%.
• Configure an interpolated non-aggressive drop profile. When the buffer is at 50%
utilization, the drop probability should be 30%. When the buffer utilization is 75%,
the drop probability should be 50%.
• Apply these profiles to the “silver” scheduler. Apply the drop profiles to any traffic
with high and low PLPs respectively.

Configuration:

R3, R4 and R5:

set class-of-service drop-profiles drop-aggr interpolate fill-level

[50 75]

set class-of-service drop-profiles drop-aggr interpolate drop-

probability [75 95]

set class-of-service drop-profiles drop-non-aggr interpolate fill-

level [50 75]

set class-of-service drop-profiles drop-non-aggr interpolate drop-

probability [30 50]

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

set class-of-service schedulers silver drop-profile-map loss-
priority low protocol any drop-profile drop-non-aggr

set class-of-service schedulers silver drop-profile-map loss-

priority high protocol any drop-profile drop-aggr

40
0





401 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show class-of-service scheduler-map sm

Scheduler map: sm, Index: 3597

Scheduler: be, Forwarding class: best-effort, Index: 3109

Transmit rate: remainder, Rate Limit: none, Buffer size: remainder, Buffer
Limit: none, Priority: low
Excess Priority: unspecified
Drop profiles:
Loss priority Protocol Index Name
Low any 1 <default-drop-profile>
Medium low any 1 <default-drop-profile>
Medium high any 1 <default-drop-profile>
High any 1 <default-drop-profile>

Scheduler: gold, Forwarding class: gold, Index: 12758

Transmit rate: 20 percent, Rate Limit: none, Buffer size: 20 percent, Buffer
Limit: none, Priority: high
Excess Priority: unspecified
Drop profiles:
Loss priority Protocol Index Name
Low any 1 <default-drop-profile>
Medium low any 1 <default-drop-profile>
Medium high any 1 <default-drop-profile>
High any 1 <default-drop-profile>

Scheduler: silver, Forwarding class: silver, Index: 13429

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent, Buffer
Limit: none, Priority: medium-high
Excess Priority: unspecified
Drop profiles:
Loss priority Protocol Index Name
Low any 22700 drop-non-aggr
Medium low any 1 <default-drop-profile>
Medium high any 1 <default-drop-profile>
High any 22008 drop-aggr

Scheduler: nc, Forwarding class: network-control, Index: 3491

Transmit rate: 10 percent, Rate Limit: none, Buffer size: 10 percent, Buffer
Limit: none, Priority: medium-low
Excess Priority: unspecified
Drop profiles:
Loss priority Protocol Index Name
Low any 1 <default-drop-profile>
Medium low any 1 <default-drop-profile>
Medium high any 1 <default-drop-profile>
High any 1 <default-drop-profile> 40
1





402 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.6: Rewrite rules

• Configure a custom EXP-based rewrite rule using the default one as a template.
• Assign EXP values 101 and 010 to packets from forwarding classes “gold” with low
PLP and “silver” with “high” PLP.
• Apply this rewrite rule on the appropriate router interfaces to support end-to-end
QoS for customer transit traffic.

Configuration:

R3:

set class-of-service rewrite-rules exp custom-exp import default

set class-of-service rewrite-rules exp custom-exp forwarding-class
gold loss-priority low code-point 101
set class-of-service rewrite-rules exp custom-exp forwarding-class
silver loss-priority high code-point 010
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules exp
custom-exp
set class-of-service interfaces ge-0/0/4 unit 35 rewrite-rules exp
custom-exp

R4:

set class-of-service rewrite-rules exp custom-exp import default

set class-of-service rewrite-rules exp custom-exp forwarding-class

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

gold loss-priority low code-point 101
set class-of-service rewrite-rules exp custom-exp forwarding-class
silver loss-priority high code-point 010
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules exp
custom-exp
set class-of-service interfaces ge-0/0/4 unit 45 rewrite-rules exp
custom-exp

R5:

set class-of-service rewrite-rules exp custom-exp import default

set class-of-service rewrite-rules exp custom-exp forwarding-class
gold loss-priority low code-point 101
set class-of-service rewrite-rules exp custom-exp forwarding-class
silver loss-priority high code-point 010
set class-of-service interfaces ge-0/0/4 unit 35 rewrite-rules exp
custom-exp
set class-of-service interfaces ge-0/0/4 unit 45 rewrite-rules exp 40
2
custom-exp





403 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

40
3





404 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3# run show class-of-service rewrite-rule name custom-exp

Rewrite rule: custom-exp, Code point type: exp, Index: 46413
Forwarding class Loss priority Code point
best-effort low 000
best-effort high 001
gold low 101
gold high 011
silver low 100
silver high 010
network-control low 110
network-control high 111

lab@R3# run show class-of-service interface ge-0/0/4.35

Logical interface: ge-0/0/4.35, Index: 79
Object Name Type Index
Scheduler-map <default> Output 2
Rewrite custom-exp exp (mpls-any) 46413
Classifier custom-exp exp 46412
Classifier ipprec-compatibility ip 13

lab@R3# run show class-of-service interface ge-0/0/1.0

Logical interface: ge-0/0/1.0, Index: 72
Object Name Type Index

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

Scheduler-map sm Output 3597
Rewrite custom-exp exp (mpls-any) 46413
Classifier custom-exp exp 46412
Classifier ipprec-compatibility ip 13

40
4





405 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.7: Class-based forwarding (CBF)

• Configure R3 so that “gold” traffic is forwarded across the RSVP LSP named “R3-R4”.
The “silver” traffic should be forwarded across the RSVP LSP named “R3-R5-R4”.
• This CBF should only be valid for traffic that is destined to IP address 2.2.2.2.

Configuration:

R3:

set policy-options policy-statement cbf from family inet-vpn

set policy-options policy-statement cbf from protocol bgp
set policy-options policy-statement cbf from community vpn-a
set policy-options policy-statement cbf then cos-next-hop-map cbf-
map

set policy-options community vpn-a members target:65555L:1

set class-of-service forwarding-policy next-hop-map cbf-map
forwarding-class gold lsp-next-hop R3-R4
set class-of-service forwarding-policy next-hop-map cbf-map
forwarding-class silver lsp-next-hop R3-R5-R4

set routing-options forwarding-table export cbf

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

40
5





406 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

lab@R3> clear mpls lsp statistics

lab@R1> ping 2.2.2.2 source 1.1.1.1 count 20 interval .5

PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=62 time=7.243 ms
…
64 bytes from 2.2.2.2: icmp_seq=19 ttl=61 time=1.901 ms

--- 2.2.2.2 ping statistics ---

20 packets transmitted, 20 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.460/2.327/7.267/1.650 ms

lab@R3> show mpls lsp statistics

Ingress LSP: 2 sessions
To From State Packets Bytes LSPname
4.4.4.4 3.3.3.3 Up 20 1760 R3-R4
4.4.4.4 3.3.3.3 Up 0 0 R3-R5-R4
Total 2 displayed, Up 2, Down 0

Egress LSP: 3 sessions

To From State Packets Bytes LSPname
3.3.3.3 5.5.5.5 Up NA NA R5-R3
3.3.3.3 4.4.4.4 Up NA NA R4-R3
3.3.3.3 4.4.4.4 Up NA NA R4-R5-R3
Total 3 displayed, Up 3, Down 0

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

Transit LSP: 0 sessions
Total 0 displayed, Up 0, Down 0

lab@R3> clear mpls lsp statistics

lab@R1> ping 2.2.2.2 source 10.1.13.1 count 20 interval .5

PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=61 time=2.432 ms
…
64 bytes from 2.2.2.2: icmp_seq=19 ttl=62 time=1.762 ms

--- 2.2.2.2 ping statistics ---

20 packets transmitted, 20 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.555/1.896/2.432/0.220 ms

40
6





407 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@R3> show mpls lsp statistics

Ingress LSP: 2 sessions
To From State Packets Bytes LSPname
4.4.4.4 3.3.3.3 Up 0 0 R3-R4
4.4.4.4 3.3.3.3 Up 20 1840 R3-R5-R4
Total 2 displayed, Up 2, Down 0

Egress LSP: 3 sessions

To From State Packets Bytes LSPname
3.3.3.3 5.5.5.5 Up NA NA R5-R3
3.3.3.3 4.4.4.4 Up NA NA R4-R3
3.3.3.3 4.4.4.4 Up NA NA R4-R5-R3
Total 3 displayed, Up 3, Down 0

Transit LSP: 0 sessions

Total 0 displayed, Up 0, Down 0

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

40
7





408 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 8.8: LSP policing

• Configure a hard-limit policer on R3 with a bandwidth-limit of 50Kb/s and burst-size
of 15Kbytes. Apply it on ingress for the RSVP LSPs “R3-R4” and “R3-R5-R4”.

Configuration:

R3:

set firewall policer hard-limit if-exceeding bandwidth-limit 50k

set firewall policer hard-limit if-exceeding burst-size-limit 15k
set firewall policer hard-limit then discard

set firewall family any filter hard-limit-filter term 1 then policer

hard-limit
set firewall family any filter hard-limit-filter term 1 then count
lsp-drops

set firewall family any filter hard-limit-filter term 1 then accept

set protocols mpls label-switched-path R3-R4 policing filter hard-

limit-filter

set protocols mpls label-switched-path R3-R5-R4 policing filter

hard-limit-filter

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

40
8





409 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:
lab@R1> ping 2.2.2.2 source 1.1.1.1 count 1000 rapid

PING 2.2.2.2 (2.2.2.2): 56 data bytes

[…skipped…]

1000 packets transmitted, 985 packets received, 1% packet loss

round-trip min/avg/max/stddev = 1.147/2.587/13.345/2.244 ms

lab@R3# run show firewall filter hard-limit-filter-R3-R4

Filter: hard-limit-filter-R3-R4
Counters:
Name Bytes Packets
lsp-drops-R3-R4 97020 1155

Policers:
Name Bytes Packets
hard-limit-1-R3-R4 15

JNCIE-SP workbook: Appendix: Chapter 8 - Class of Service

40
9





410 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Appendix – Full day lab challenge

Lab introduction:

Load the initial configuration on all devices using the files provided with this INETZERO
workbook. You are allowed to perform configuration changes only on devices SRX1 to SRX8
and the RR. To verify the results of your work, you can use operational commands on the VR
device.

You can use username lab with password lab123 to access all the devices. Please, do not
change the password for users lab and root!

To load the initial configuration on all the devices, issue the ‘load override terminal’
command

[edit]
lab@srx1# load override terminal
[Type ^D at a new line to end input]

Part 1: System Features

Task 1.1: Services configuration

JNCIE-SP workbook: Appendix – Full day lab challenge

• Make sure that only SSH and Telnet service are enabled for remote management.
Configure only SSHv2 to be accepted and don’t allow the user root to login remotely.

On all devices:

[edit]
lab@srx1# show system services
ssh {
root-login deny;
}
telnet;

• Make sure that console sessions will logout automatically when the console cable is
disconnected.

On all devices:

[edit]
lab@srx1# show system
host-name srx1; 41
0
authentication-order radius;





411 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

ports {
console log-out-on-disconnect;
}

• Ensure that 10.10.10.1 is resolved by name S1.inetzero.com.

On all devices:

[edit]
lab@srx1# show system
static-host-mapping {
S1.inetzero.com inet 10.10.10.1;
}

Verification:

[edit]
lab@srx1# run ping S1.inetzero.com
PING S1.inetzero.com (10.10.10.1): 56 data bytes
^C

Task 1.2:Centralized authentication management

• Configure a static route for 10.10.10/24 with a next-hop value of 10.10.1.254. Make
sure that the static route is not redistributed to any routing protocol.

On all devices:

[edit]
lab@srx1# show routing-options

JNCIE-SP workbook: Appendix – Full day lab challenge

static {
route 10.10.10.0/24 {
next-hop 10.10.1.254;
no-readvertise;
}
}

• Configure primary user authentication through a RADIUS server reachable at S1. Use
“workbook” as a shared secret.

On all devices:

[edit]
lab@srx1# show system
radius-server {
10.10.10.1 secret "$9$n5yoCORx7VsgJvWX-wgUDn/CuBE"; ## SECRET-DATA
}

• Authentication should only be performed against a local database when the Radius 41
server times out. 1





412 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

On all devices:

[edit]
lab@srx1# show system
authentication-order radius;

Verification:

login as: lab
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Local password:
--- JUNOS 12.1X46-D10 built 2013-12-05 15:04:51 UTC
lab@srx1>

Task 1.3: Local user configuration

• Configure the user “ops” with password “ops123” and an idle timeout which is no
more than 5 minutes. Ensure that this user can access network tools like ping,
traceroute and SSH, but not Telnet. Make sure that the user can view the
configuration, including the secret part.

On all devices:

[edit]
lab@srx1# show system login
class operations {
idle-timeout 5;
permissions [ network secret view view-configuration ];

JNCIE-SP workbook: Appendix – Full day lab challenge

deny-commands telnet;
}
user lab {
uid 2001;
class super-user;
authentication {
encrypted-password "$1$1t7KVYGt$z35GDmJHus7aSER2uwvwc1"; ## SECRET-DATA
}
}
user ops {
uid 2002;
class operations;
authentication {
encrypted-password "$1$8vVm1P3n$EnzAMqcrzRr0secJD9ub30"; ## SECRET-DATA
}
}

• Make sure that RADIUS authenticated users have all permissions without having
access to the shell and make sure current alarms are shown to these users on login.

On all devices: 41
2





413 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx1# show system login
class super-remote {
permissions all;
deny-commands "start shell";
}
user remote {
uid 2003;
class super-remote;
}

Task 1.4: Active configuration archival

• Enable the transfer of the active configuration to FTP server 10.10.10.1 after each
successful commit.

On all devices:

[edit]
lab@srx1# show system
archival {
configuration {
transfer-on-commit;
}
}

• Use “ftp” and “ftp123” as username/password to access the FTP server.

On all devices:

[edit]
lab@srx1# show system

JNCIE-SP workbook: Appendix – Full day lab challenge

archival {
configuration {
archive-sites {
"ftp://[email protected]" password "$9$qP5F9A0OIc/9evLX-d"; ## SECRET-
DATA
}
}
}

Task 1.5: Interface configuration

• Enable support for MPLS packets on all logical interface units of every device under
your administration except the RR. The management interface must be excluded. Do
not configure each unit explicitly.

On all devices:

[edit]
lab@srx1# show groups 41
family_mpls { 3
interfaces {




414 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

<*> {
unit <*> {
family mpls;
}
}
}
}

[edit]
lab@srx1# set interfaces apply-groups family_mpls

[edit]
lab@srx1# show interfaces
ge-0/0/0 {
unit 0 {
apply-groups-except family_mpls;
description "=== management connection ===";
family inet {
address 10.10.1.1/24;
}
}
}

Verification:

[edit]
lab@srx1# show interfaces | display inheritance
ge-0/0/0 {
unit 0 {
apply-groups-except family_mpls;
description "=== management connection ===";
family inet {
address 10.10.1.1/24;
}
}

JNCIE-SP workbook: Appendix – Full day lab challenge

}
ge-0/0/4 {
vlan-tagging;
unit 13 {
description "=== connection to SRX3 ===";
vlan-id 13;
family inet {
address 172.30.0.1/29;
}
##
## 'mpls' was inherited from group 'family_mpls'
##
family mpls;
}
unit 14 {
description "=== connection to SRX4 ===";
vlan-id 14;
family inet {
address 172.30.0.9/30;
}
##
## 'mpls' was inherited from group 'family_mpls' 41
## 4
family mpls;




415 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

}
}

• The connection between SRX3 and SRX4 needs more bandwidth. Configure an
Aggregated Ethernet interface bundle using the ge-0/0/1 and ge-0/0/2 physical
interfaces. Make sure that if one of the links is down, the Aggregated interface is
declared down. Adjust the configuration to reflect the change.

On SRX3 and SRX4 devices:

[edit]
lab@srx3# set chassis aggregated-devices ethernet device-count 1

[edit]
lab@srx3# copy interfaces ge-0/0/1 to ae0

[edit]
lab@srx3# delete interfaces ge-0/0/1 unit 0

[edit]
lab@srx3# set interfaces ge-0/0/1 gigether-options 802.3ad ae0

[edit]
lab@srx3# set interfaces ge-0/0/1 description "=== Link 1 to SRX4 ==="

[edit]
lab@srx3# set interfaces ge-0/0/2 gigether-options 802.3ad ae0

[edit]
lab@srx3# set interfaces ge-0/0/2 description "=== Link 2 to SRX4 ==="

[edit]
lab@srx3# set interfaces ae0 aggregated-ether-options lacp active

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx3# set interfaces ae0 aggregated-ether-options minimum-links 2

[edit]
lab@srx3# rename protocols ospf area 0 interface ge-0/0/4.34 to interface ae0.0

Verification:

[edit]
lab@srx4# set interfaces ge-0/0/1 disable

[edit]
lab@srx4# commit
commit complete

[edit]
lab@srx4# run show interfaces terse ae0
Interface Admin Link Proto Local Remote
ae0 up down
ae0.0 up down inet 172.30.0.22/30
41
5





416 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 1.6: RE Protection

• Create a firewall filter that only permits services and protocols that are used in this
lab. For IPv4, include – RADIUS, BFD, SSH, Telnet, BGP, OSPF, RIP, LDP, RSVP, ping and
traceroute. For IPv6, include – OSPFv3, BGP, ping and traceroute.
• Perform this task on all routers.

On all devices:

[edit]
lab@srx1# show firewall
family inet {
filter protect.RE {
term accept.ssh {
from {
port ssh;
}
then accept;
}
term accept.telnet {
from {
port telnet;
}
then accept;
}
term accept.rip {
from {
protocol udp;
port rip;
}
then accept;
}
term accept.bgp {

JNCIE-SP workbook: Appendix – Full day lab challenge

from {
port bgp;
}
then accept;
}
term accept.ospf {
from {
protocol ospf;
}
then accept;
}
term accept.radius {
from {
protocol udp;
port radius;
}
then accept;
}
term accept.bfd {
from {
protocol udp;
port [ 3784 ]; 41
} 6
then accept;




417 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

}
term accept.rsvp {
from {
protocol rsvp;
}
then accept;
}
term accept.ldp {
from {
port ldp;
}
then accept;
}
term accept.traceroute {
from {
protocol udp;
port 33434-33464;
}
then accept;
}
term accept.icmp {
from {
protocol icmp;
}
then accept;
}
}
}
family inet6 {
filter protect.ipv6.RE {
term accept.ospf3 {
from {
next-header ospf;
}
then accept;
}

JNCIE-SP workbook: Appendix – Full day lab challenge

term accept.bgp {
from {
port bgp;
}
then accept;
}
term accept.icmp {
from {
next-header icmp6;
}
then accept;
}
term accept.traceroute {
from {
next-header udp;
port 33434-33464;
}
then accept;
}
}
}
41
7





418 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

• Apply this firewall filter to the loopback interface in the input direction.

On all devices

[edit]
lab@srx1# show interfaces lo0
apply-groups-except family_mpls;
unit 0 {
family inet {
filter {
input protect.RE;
}
address 172.30.30.1/32;
}
family inet6 {
filter {
input protect.ipv6.RE;
}
}
}
• All other traffic should be denied and logged.

On all devices:

[edit]
lab@srx1# show firewall family inet filter protect.RE
term discard.all {
then {
log;
syslog;
discard;
}
}

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx1# show firewall family inet6 filter protect.ipv6.RE
term discard.all {
then {
log;
syslog;
discard;
}
}

Task 1.7: Advanced prefix matching
• Add a rule to the firewall filter from task 1.6 that permits telnet traffic only from the
odd subnets of the 3rd octet within the 192.168/16 address range.
• Use a single-line source address matching criteria to list these subnets.

On all devices:
41
[edit] 8
lab@srx1# show firewall family inet filter protect.RE term accept.telnet




419 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

from {
source-address {
192.168.1.0/255.255.1.0;
}
port telnet;
}
then accept;

Task 1.8: Advanced RE protection
• On all routers that use BGP, modify the firewall filter from task 1.6 so that all
configured BGP peers (including the one from the routing-instances) are
automatically put in the compiled firewall filter.

On all devices:

[edit]
lab@srx1# show policy-options
prefix-list bgp.neighbors {
apply-path "protocols bgp group <*> neighbor <*>";
}
prefix-list bgp.neighbors.routing.instance {
apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>";
}

[edit]
lab@srx1# show firewall family inet filter protect.RE term accept.bgp
from {
source-prefix-list {
bgp.neighbors;
bgp.neighbors.routing.instance;
}
port bgp;

JNCIE-SP workbook: Appendix – Full day lab challenge

}
then accept;

41
9





420 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 2: IGP

Task 2.1: Troubleshooting
• Make sure that all OSPF and IS-IS adjacencies are established according to the
diagram.
• Ensure that SRX3 never sends Type 2 LSAs.

Troubleshooting SRX1 OSPF neighbors:

[edit]
lab@srx1# run show ospf neighbor
Address Interface State ID Pri Dead
172.30.0.2 ge-0/0/4.13 2Way 3.3.3.3 0 35
172.30.0.10 ge-0/0/4.14 Full 172.30.30.4 128 39

[edit]
lab@srx1# show protocols ospf
area 0.0.0.0 {
interface ge-0/0/4.13 {
priority 0;
}
interface ge-0/0/4.14 {
interface-type p2p;
}
}

[edit]
lab@srx3# show protocols
ospf {
area 0.0.0.0 {
interface ge-0/0/4.13 {

JNCIE-SP workbook: Appendix – Full day lab challenge

priority 0;
}
interface ae0.0 {
interface-type p2p;
}
interface ge-0/0/4.23 {
interface-type p2p;
}
interface ge-0/0/4.35 {
interface-type p2p;
}
interface ge-0/0/4.37 {
interface-type p2p;
authentication {
md5 1 key "$9$naaj/A0vMXVb2LxPQFnpu8X7VYo"; ## SECRET-DATA
}
}
}
}

Fixing the problems:
42

0
[edit]




421 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx1# delete protocols ospf area 0 interface ge-0/0/4.13 priority 0

[edit]
lab@srx1# commit
commit complete

[edit]
lab@srx1# run show ospf neighbor
Address Interface State ID Pri Dead
172.30.0.2 ge-0/0/4.13 Full 3.3.3.3 0 38
172.30.0.10 ge-0/0/4.14 Full 172.30.30.4 128 33

Troubleshooting SRX5 OSPF neighbors:

[edit]
lab@srx5# run show ospf neighbor
Address Interface State ID Pri Dead
172.30.0.29 ge-0/0/4.35 Full 3.3.3.3 128 33
172.30.0.42 ge-0/0/4.56 Full 172.30.30.6 128 31

[edit]
lab@srx5# show protocols ospf
area 0.0.0.0 {
interface ge-0/0/4.35 {
interface-type p2p;
}
interface ge-0/0/4.45 {
interface-type p2p;
}
interface ge-0/0/4.56 {
interface-type p2p;
}
interface ge-0/0/4.57 {
interface-type p2p;
authentication {

JNCIE-SP workbook: Appendix – Full day lab challenge

md5 10 key "$9$mfQnEhrW87ylUHqmF3SreWxd"; ## SECRET-DATA
}
}
}

Fixing the problems:

[edit]
lab@srx5# show interfaces lo0
unit 0 {
family inet {
address 172.30.30.4/32;
}
}

[edit]
lab@srx5# rename interfaces lo0.0 family inet address 172.30.30.4/32 to address
172.30.30.5/32

[edit]
lab@srx5# run show ospf neighbor
Address Interface State ID Pri Dead 42
1
172.30.0.29 ge-0/0/4.35 Full 3.3.3.3 128 37





422 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

172.30.0.33 ge-0/0/4.45 Full 172.30.30.4 128 37

172.30.0.42 ge-0/0/4.56 Full 172.30.30.6 128 38

[edit]
lab@srx5# set protocols ospf traceoptions file OSPF_log

[edit]
lab@srx5# set protocols ospf traceoptions file size 10m

[edit]
lab@srx5# set protocols ospf traceoptions flag all

[edit]
lab@srx5# commit
commit complete

[edit]
lab@srx5# run show log OSPF_log | match authentication
Nov 21 13:52:54.863670 OSPF authentication key with key-id 10 active (gen_time :
0, now : 1416577974)
Nov 21 13:52:56.786645 OSPF packet ignored: authentication failure (missing key-
id).
Nov 21 13:52:56.786781 OSPF packet ignored: authentication failure from
172.30.0.46
Nov 21 13:53:05.480469 OSPF packet ignored: authentication failure (missing key-
id).
Nov 21 13:53:05.480605 OSPF packet ignored: authentication failure from
172.30.0.46
Nov 21 13:53:15.269870 OSPF packet ignored: authentication failure (missing key-
id).
Nov 21 13:53:15.270006 OSPF packet ignored: authentication failure from
172.30.0.46
Nov 21 13:53:23.714098 OSPF packet ignored: authentication failure (missing key-
id).
Nov 21 13:53:23.714234 OSPF packet ignored: authentication failure from
172.30.0.46

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx5# rename protocols ospf area 0 interface ge-0/0/4.57 authentication md5 10
to md5 1

[edit]
lab@srx5# commit
commit complete

[edit]
lab@srx5# run show ospf neighbor
Address Interface State ID Pri Dead
172.30.0.29 ge-0/0/4.35 Full 3.3.3.3 128 37
172.30.0.33 ge-0/0/4.45 Full 172.30.30.4 128 37
172.30.0.42 ge-0/0/4.56 Full 172.30.30.6 128 38
172.30.0.46 ge-0/0/4.57 Full 172.30.30.7 128 33

Troubleshooting SRX7 IS-IS adjacencies:

[edit]
lab@srx7# run show isis adjacency 42
2

Interface System L State Hold (secs) SNPA

423 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

ge-0/0/5.78 srx8 1 Up 7 0:c:29:b1:d0:75

Fixing the problems:

[edit]
lab@srx7# show interfaces ge-0/0/4.67
description "=== connection to SRX6 ===";
vlan-id 67;
family inet {
address 172.30.1.2/30;
}
family inet6;

[edit]
lab@srx7# set interfaces ge-0/0/4.67 family iso

[edit]
lab@srx7# commit
commit complete

[edit]
lab@srx7# run show isis adjacency
Interface System L State Hold (secs) SNPA
ge-0/0/4.67 srx6 2 Up 25 0:c:29:84:c5:5c
ge-0/0/5.78 srx8 1 Up 8 0:c:29:b1:d0:75


Troubleshooting SRX8 IS-ISadjacencies:

[edit]
lab@srx8# run show isis adjacency
Interface System L State Hold (secs) SNPA
ge-0/0/4.68 0172.3030.0006 1 Initializing 24 0:c:29:84:c5:5c
ge-0/0/5.78 srx7 1 Up 26 0:c:29:99:d8:93

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx8# show interfaces
ge-0/0/4 {
vlan-tagging;
mtu 1255;
unit 68 {
description "=== connection to SRX6 ===";
vlan-id 68;
family inet {
address 172.30.1.6/30;
}
family iso;
family inet6;
}
}

Fixing the problems:

[edit]
lab@srx8# delete interfaces ge-0/0/4 mtu 42
3
[edit]




424 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx8# commit
commit complete

[edit]
lab@srx8# run show isis adjacency
Interface System L State Hold (secs) SNPA
ge-0/0/4.68 srx6 1 Up 22 0:c:29:84:c5:5c
ge-0/0/5.78 srx7 1 Up 22 0:c:29:99:d8:93

• All OSPF routers should be represented with their 172.30.30.x IP address in the
neighbor table. You are not allowed to use the ‘router-id’ command.

[edit]
lab@srx3# show interfaces lo0.0
family inet {
address 172.30.30.3/32;
address 3.3.3.3/32;
}

[edit]
lab@srx3# set interfaces lo0.0 family inet address 172.30.30.3/32 primary

[edit]
lab@srx3# commit
commit complete

Verification:

[edit]
lab@srx2# run show ospf neighbor
Address Interface State ID Pri Dead
172.30.0.14 ge-0/0/4.23 Full 172.30.30.3 128 39
172.30.0.18 ge-0/0/4.24 Full 172.30.30.4 128 32

JNCIE-SP workbook: Appendix – Full day lab challenge

Task 2.2: Multiple IP addresses on OSPF interface

• All IPv4 Loopback addresses should be reachable. Make sure that only the
172.30.30.3 IP address of SRX3’s loopback is put into the OSPF database as OSPF
internal.

On All devices:

[edit]
lab@srx1# set protocols ospf area 0 interface lo0.0 passive

[edit]
lab@srx1# commit
commit complete

On SRX3 devices:

[edit]
lab@srx3# delete protocols ospf area 0 interface lo0.0 42
4





425 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx3# set protocols ospf area 0 interface 172.30.30.3 passive

[edit]
lab@srx3# commit
commit complete

Verification:

[edit]
lab@srx4# run show route 172.30.30.3

inet.0: 571 destinations, 572 routes (570 active, 0 holddown, 1 hidden)

+ = Active Route, - = Last Active, * = Both

172.30.30.3/32 *[OSPF/10] 2w0d 12:59:59, metric 1

> to 172.30.0.21 via ge-0/0/4.34

• IP address 3.3.3.3 should be advertised as external.

On SRX3 devices:

[edit]
lab@srx3# show policy-options
policy-statement adv.to.ospf {
term adv.loopback {
from {
route-filter 3.3.3.3/32 exact;
}
then accept;
}
}

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx3# set protocols ospf export adv.to.ospf

[edit]
lab@srx3# commit
commit complete

Verification:

[edit]
lab@srx4# run show route 3.3.3.3

inet.0: 571 destinations, 572 routes (570 active, 0 holddown, 1 hidden)

+ = Active Route, - = Last Active, * = Both

3.3.3.3/32 *[OSPF/150] 2w0d 13:00:06, metric 0, tag 0

> to 172.30.0.21 via ge-0/0/4.34

Task 2.3: RIP

• Enable RIP on SRX1 and SRX2 according to the diagram. Perform mutual 42
5
redistribution between RIP and OSPF on SRX1 and SRX2.




426 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

On SRX1 and SRX2 devices:

[edit]
lab@srx1# set interfaces ge-0/0/4.200 vlan-id 200 family inet address
172.30.80.1/24

[edit]
lab@srx1# set protocols rip group RIP neighbor ge-0/0/4.200

[edit]
lab@srx1# set policy-options policy-statement adv.to.rip term 1 from protocol ospf

[edit]
lab@srx1# set policy-options policy-statement adv.to.rip term 1 from protocol
direct

[edit]
lab@srx1# set policy-options policy-statement adv.to.rip term 1 then accept

[edit]
lab@srx1# set protocols rip group RIP export adv.to.rip

[edit]
lab@srx1# set policy-options policy-statement adv.to.ospf term 1 from protocol rip

[edit]
lab@srx1# set policy-options policy-statement adv.to.ospf term 1 from protocol
direct

[edit]
lab@srx1# set policy-options policy-statement adv.to.ospf term 1 then accept

[edit]
lab@srx1# set protocols ospf export adv.to.ospf

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx1# commit
commit complete

[edit]
lab@srx2# set interfaces ge-0/0/4.200 vlan-id 200 family inet address
172.30.80.2/24

[edit]
lab@srx2# set protocols rip group RIP neighbor ge-0/0/4.200

[edit]
lab@srx2# set policy-options policy-statement adv.to.rip term 1 from protocol ospf

[edit]
lab@srx2# set policy-options policy-statement adv.to.rip term 1 from protocol
direct

[edit]
lab@srx2# set policy-options policy-statement adv.to.rip term 1 then accept

[edit] 42
lab@srx2# set protocols rip group RIP export adv.to.rip 6





427 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx2# set policy-options policy-statement adv.to.ospf term 1 from protocol rip

[edit]
lab@srx2# set policy-options policy-statement adv.to.ospf term 1 from protocol
direct

[edit]
lab@srx2# set policy-options policy-statement adv.to.ospf term 1 then accept

[edit]
lab@srx2# set protocols ospf export adv.to.ospf

[edit]
lab@srx2# commit
commit complete

Verification:

[edit]
lab@srx1# run show rip neighbor
Local Source Destination Send Receive In
Neighbor State Address Address Mode Mode Met
-------- ----- ------- ----------- ---- ------- ---
ge-0/0/4.200 Up 172.30.80.1 224.0.0.9 mcast both 1

[edit]
lab@srx2# run show rip neighbor
Local Source Destination Send Receive In
Neighbor State Address Address Mode Mode Met
-------- ----- ------- ----------- ---- ------- ---
ge-0/0/4.200 Up 172.30.80.2 224.0.0.9 mcast both 1

[edit]
lab@srx1# run show route protocol rip terse

JNCIE-SP workbook: Appendix – Full day lab challenge

inet.0: 569 destinations, 603 routes (569 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination P Prf Metric 1 Metric 2 Next hop AS path

* 172.31.0.0/24 R 100 2 >172.30.80.100
* 172.31.1.0/24 R 100 2 >172.30.80.100
* 172.31.2.0/24 R 100 2 >172.30.80.100
* 172.31.3.0/24 R 100 2 >172.30.80.100
* 172.31.4.0/24 R 100 2 >172.30.80.100
* 172.31.5.0/24 R 100 2 >172.30.80.100
* 172.31.6.0/24 R 100 2 >172.30.80.100
* 172.31.7.0/24 R 100 2 >172.30.80.100
* 172.31.8.0/24 R 100 2 >172.30.80.100
* 172.31.9.0/24 R 100 2 >172.30.80.100
* 172.31.10.0/24 R 100 2 >172.30.80.100
* 172.31.11.0/24 R 100 2 >172.30.80.100
* 172.31.12.0/24 R 100 2 >172.30.80.100
* 172.31.13.0/24 R 100 2 >172.30.80.100
* 172.31.14.0/24 R 100 2 >172.30.80.100
* 172.31.15.0/24 R 100 2 >172.30.80.100
* 224.0.0.9/32 R 100 1 MultiRecv 42
7





428 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx1# run show route advertising-protocol rip 172.30.80.1 terse

inet.0: 569 destinations, 603 routes (569 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

A Destination P Prf Metric 1 Metric 2 Next hop AS path

* 3.3.3.3/32 O 150 0 >172.30.0.2
* 10.10.1.0/24 D 0 >ge-0/0/0.0
O 150 2 >172.30.0.2
172.30.0.10
* 172.16.40.0/30 D 0 >ge-0/0/3.400
* 172.16.46.0/30 O 150 0 >172.30.0.2
* 172.16.230.0/30 O 150 0 >172.30.0.2
* 172.16.231.0/30 O 150 0 >172.30.0.10
* 172.16.232.0/30 O 150 0 >172.30.0.10
* 172.30.0.0/29 D 0 >ge-0/0/4.13
* 172.30.0.8/30 D 0 >ge-0/0/4.14
* 172.30.0.12/30 O 10 2 >172.30.0.2
* 172.30.0.16/30 O 10 2 >172.30.0.10
* 172.30.0.20/30 O 10 2 >172.30.0.2
172.30.0.10
* 172.30.0.24/30 O 10 2 >172.30.0.2
* 172.30.0.28/30 O 10 2 >172.30.0.2
* 172.30.0.32/30 O 10 2 >172.30.0.10
* 172.30.0.36/30 O 10 2 >172.30.0.10
* 172.30.0.40/30 O 10 3 172.30.0.2
>172.30.0.10
* 172.30.0.44/30 O 10 3 >172.30.0.2
172.30.0.10
* 172.30.0.48/30 O 10 2 >172.30.0.10
* 172.30.0.52/30 O 10 3 >172.30.0.10
* 172.30.1.0/30 O 150 0 172.30.0.2
>172.30.0.10
* 172.30.1.4/30 O 150 0 >172.30.0.10
* 172.30.1.8/30 O 150 0 >172.30.0.2

JNCIE-SP workbook: Appendix – Full day lab challenge

* 172.30.30.1/32 D 0 >lo0.0
* 172.30.30.2/32 O 10 2 172.30.0.2
>172.30.0.10
* 172.30.30.3/32 O 10 1 >172.30.0.2
* 172.30.30.4/32 O 10 1 >172.30.0.10
* 172.30.30.5/32 O 10 2 172.30.0.2
>172.30.0.10
* 172.30.30.6/32 O 10 2 >172.30.0.10
* 172.30.30.7/32 O 10 2 >172.30.0.2
* 172.30.30.8/32 O 150 10 172.30.0.2
>172.30.0.10
* 172.30.30.19/32 O 10 2 >172.30.0.10

• The RIP router should receive all routes from both SRX1 and SRX2. Make sure there
are no routing loops after redistribution and make sure that the network has full IP
reachability. You are not allowed to use route tags or change the routing preference
on SRX1 and SRX2.

On SRX1 and SRX2 devices:

42

8
[edit]




429 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx1# set policy-options policy-statement adv.from.rip term 1 from next-hop

172.30.80.2

[edit]
lab@srx1# set policy-options policy-statement adv.from.rip term 1 then reject

[edit]
lab@srx1# set policy-options policy-statement adv.from.rip term 2 then accept

[edit]
lab@srx1# set protocols rip group RIP neighbor ge-0/0/4.200 import adv.from.rip

[edit]
lab@srx1# commit
commit complete

[edit]
lab@srx2# set policy-options policy-statement adv.from.rip term 1 from next-hop
172.30.80.1

[edit]
lab@srx2# set policy-options policy-statement adv.from.rip term 1 then reject

[edit]
lab@srx2# set policy-options policy-statement adv.from.rip term 2 then accept

[edit]
lab@srx2# set protocols rip group RIP neighbor ge-0/0/4.200 import adv.from.rip

[edit]
lab@srx2# commit
commit complete

Verification:

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx1# run show route protocol rip

inet.0: 569 destinations, 603 routes (569 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.31.0.0/24 *[RIP/100] 3w0d 14:32:25, metric 2, tag 520

> to 172.30.80.100 via ge-0/0/4.200
172.31.1.0/24 *[RIP/100] 3w0d 14:32:25, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200
172.31.2.0/24 *[RIP/100] 3w0d 14:32:25, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200
172.31.3.0/24 *[RIP/100] 3w0d 14:32:25, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200
172.31.4.0/24 *[RIP/100] 3w0d 14:32:25, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200
172.31.5.0/24 *[RIP/100] 3w0d 14:32:25, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200

[edit]
lab@srx2# run show route protocol rip
42
9
inet.0: 569 destinations, 603 routes (568 active, 0 holddown, 1 hidden)





430 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

+ = Active Route, - = Last Active, * = Both

172.31.0.0/24 *[RIP/100] 3w0d 14:35:20, metric 2, tag 520

> to 172.30.80.100 via ge-0/0/4.200
172.31.1.0/24 *[RIP/100] 3w0d 14:35:20, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200
172.31.2.0/24 *[RIP/100] 3w0d 14:35:20, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200
172.31.3.0/24 *[RIP/100] 3w0d 14:35:20, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200
172.31.4.0/24 *[RIP/100] 3w0d 14:35:20, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200
172.31.5.0/24 *[RIP/100] 3w0d 14:35:20, metric 2, tag 520
> to 172.30.80.100 via ge-0/0/4.200

• All RIP prefixes must be reachable from all OSPF routers and their metrics should be
cumulative.

On SRX1 and SRX2 devices:

[edit]
lab@srx1# set policy-options policy-statement adv.to.ospf term 1 then external
type 1

[edit]
lab@srx1# commit
commit complete

[edit]
lab@srx2# set policy-options policy-statement adv.to.ospf term 1 then external
type 1

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx2# commit
commit complete

Verification:

[edit]
lab@srx5# run show route 172.31.0.0/20

inet.0: 48 destinations, 49 routes (48 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.31.0.0/24 *[OSPF/150] 00:00:28, metric 4, tag 0

> to 172.30.0.29 via ge-0/0/4.35
to 172.30.0.33 via ge-0/0/4.45
172.31.1.0/24 *[OSPF/150] 00:00:28, metric 4, tag 0
> to 172.30.0.29 via ge-0/0/4.35
to 172.30.0.33 via ge-0/0/4.45
172.31.2.0/24 *[OSPF/150] 00:00:28, metric 4, tag 0
> to 172.30.0.29 via ge-0/0/4.35
to 172.30.0.33 via ge-0/0/4.45
172.31.3.0/24 *[OSPF/150] 00:00:28, metric 4, tag 0
> to 172.30.0.29 via ge-0/0/4.35 43
0
to 172.30.0.33 via ge-0/0/4.45





431 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 2.4: IS-IS authentication

• Configure MD5 authentication for all levels of IS-IS hello and LSP packets. To
accomplish this task, don’t configure authentication directly under ‘protocols isis
interface’. Use inetzero as the password.

On SRX6, SRX7 and SRX8 devices:

[edit]
lab@srx6# set protocols isis level 1 authentication-type md5

[edit]
lab@srx6# set protocols isis level 1 authentication-key inetzero

[edit]
lab@srx6# set protocols isis level 2 authentication-type md5

[edit]
lab@srx6# set protocols isis level 2 authentication-key inetzero

[edit]
lab@srx6# set protocols isis level 1 no-csnp-authentication

[edit]
lab@srx6# set protocols isis level 1 no-psnp-authentication

[edit]
lab@srx6# set protocols isis level 2 no-csnp-authentication

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx6# set protocols isis level 2 no-psnp-authentication

[edit]
lab@srx6# commit
commit complete

Verification:

[edit]
lab@srx6# run show isis authentication
Interface Level IIH Auth CSN Auth PSN Auth
ge-0/0/4.67 2 MD5 None None
ge-0/0/4.68 1 MD5 None None

L1 LSP Authentication: MD5

L2 LSP Authentication: MD5

Task 2.5: IS-IS and OSPF Redistribution

• Advertise an IPv4 default route to the SRX8 router from SRX6 and SRX7. Redistribute
all IPv4 routes from the IS-IS area into OSPF. 43
1





432 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

• Ensure that traffic is not black holed when SRX6 or SRX7 lose their connection to the
OSPF area. Make sure there are no routing loops after redistribution and make sure
that the network has full IP reachability.

On SRX6 device:

[edit]
lab@srx6# set policy-options policy-statement condition.default term 1 from
protocol ospf

[edit]
lab@srx6# set policy-options policy-statement condition.default term 1 from route-
filter 172.30.30.5/32 exact

[edit]
lab@srx6# set policy-options policy-statement condition.default term 1 then accept

[edit]
lab@srx6# set policy-options policy-statement condition.default term 2 from
protocol ospf

[edit]
lab@srx6# set policy-options policy-statement condition.default term 2 from route-
filter 172.30.0.4/32 exact

[edit]
lab@srx6# set policy-options policy-statement condition.default term 2 then accept

[edit]
lab@srx6# set policy-options policy-statement condition.default term 3 from
protocol ospf

[edit]
lab@srx6# set policy-options policy-statement condition.default term 3 from route-

JNCIE-SP workbook: Appendix – Full day lab challenge

filter 172.30.30.19/32 exact

[edit]
lab@srx6# set policy-options policy-statement condition.default term 3 then accept

[edit]
lab@srx6# set policy-options policy-statement condition.default term last then
reject

[edit]
lab@srx6# set routing-options generate route 0.0.0.0/0 policy condition.default

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf term reject.tag.200 from
protocol isis

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf term reject.tag.200 from
tag 200

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf term reject.tag.200 then 43
2

reject

433 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf term 1 from protocol
isis

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf term 1 from protocol
direct

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf term 1 then tag 100

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf term 1 then accept

[edit]
lab@srx6# set policy-options policy-statement adv.to.isis term reject.tag.100 from
protocol ospf

[edit]
lab@srx6# set policy-options policy-statement adv.to.isis term reject.tag.100 from
tag 100

[edit]
lab@srx6# set policy-options policy-statement adv.to.isis term reject.tag.100 then
reject

[edit]
lab@srx6# set policy-options policy-statement adv.to.isis term 2 from route-filter
0.0.0.0/0 exact

[edit]
lab@srx6# set policy-options policy-statement adv.to.isis term 2 then tag 200

[edit]
lab@srx6# set protocols ospf export adv.to.ospf

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx6# set protocols isis export adv.to.isis

[edit]
lab@srx6# commit
commit complete

On SRX7 device:

[edit]
lab@srx7# set policy-options policy-statement condition.default term 1 from
protocol ospf

[edit]
lab@srx7# set policy-options policy-statement condition.default term 1 from route-
filter 172.30.30.5/32 exact

[edit]
lab@srx7# set policy-options policy-statement condition.default term 1 then accept
43
3

[edit]

434 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx7# set policy-options policy-statement condition.default term 2 from

protocol ospf

[edit]
lab@srx7# set policy-options policy-statement condition.default term 2 from route-
filter 172.30.0.3/32 exact

[edit]
lab@srx7# set policy-options policy-statement condition.default term 2 then accept

[edit]
lab@srx7# set policy-options policy-statement condition.default term last then
reject

[edit]
lab@srx7# set routing-options generate route 0.0.0.0/0 policy condition.default

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf term reject.tag from
protocol isis

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf term reject.tag from tag
200

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf term reject.tag then
reject

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf term 1 from protocol
isis

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf term 1 from protocol
direct

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf term 1 then tag 100

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf term 1 then accept

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term reject.tag.100 from
protocol ospf

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term reject.tag.100 from
tag 100

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term reject.tag.100 then
reject

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term 2 from route-filter
43
0.0.0.0/0 exact
4





435 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term 2 then tag 200

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term 2 then accept

[edit]
lab@srx7# set protocols ospf export adv.to.ospf

[edit]
lab@srx7# set protocols isis export adv.to.isis

[edit]
lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx8# run show route 0.0.0.0/0 exact

inet.0: 545 destinations, 545 routes (545 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[IS-IS/160] 23:25:21, metric 20

to 172.30.1.5 via ge-0/0/4.68
> to 172.30.1.9 via ge-0/0/5.78

[edit]
lab@srx5# run show route 172.30.30.8/32

inet.0: 568 destinations, 586 routes (568 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.30.30.8/32 *[OSPF/150] 23:28:39, metric 10, tag 100

JNCIE-SP workbook: Appendix – Full day lab challenge

> to 172.30.0.42 via ge-0/0/4.56
to 172.30.0.46 via ge-0/0/4.57

Simulating a loss of connection to the OSFP domain on SRX7:

[edit]
lab@srx7# deactivate interfaces ge-0/0/4.37

[edit]
lab@srx7# deactivate interfaces ge-0/0/4.57

[edit]
lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx8# run show route 0.0.0.0/0 exact

inet.0: 529 destinations, 529 routes (529 active, 0 holddown, 0 hidden) 43

5
+ = Active Route, - = Last Active, * = Both





436 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

0.0.0.0/0 *[IS-IS/160] 00:00:04, metric 20

> to 172.30.1.5 via ge-0/0/4.68

Task 2.6: IPv6 routing

• Enable IPv6 routing on all routers in the OSPF area. Use a separate OSPF instance to
accomplish this.

On All devices in OSPF area:

[edit]
lab@srx1# set interfaces ge-0/0/4 unit 13 family inet6

[edit]
lab@srx1# set interfaces ge-0/0/4 unit 14 family inet6

[edit]
lab@srx1# set protocols ospf3 area 0 interface ge-0/0/4.13 interface-type p2p

[edit]
lab@srx1# set protocols ospf3 area 0 interface ge-0/0/4.14 interface-type p2p

[edit]
lab@srx1# commit
commit complete

Verification:

[edit]
lab@srx1# run show ospf3 neighbor
ID Interface State Pri Dead
172.30.30.3 ge-0/0/4.13 Full 128 32
Neighbor-address fe80::20c:2900:dbd:ff4c

JNCIE-SP workbook: Appendix – Full day lab challenge

172.30.30.4 ge-0/0/4.14 Full 128 39
Neighbor-address fe80::20c:2900:e3a:e4d7

• Redistribute all IPv6 routes from IS-IS to OSPF. Advertise an IPv6 default route from
SRX6 and SRX7 to IS-IS. Make sure there are no routing loops after redistribution and
make sure that the network has full IPv6 reachability.

On SRX6 device:

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf3 term reject.tag.200
from protocol isis tag 200

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf3 term reject.tag.200
then reject

[edit]
lab@srx6# set policy-options policy-statement adv.to.ospf3 term 1 from protocol
isis 43
6
[edit]




437 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx6# set policy-options policy-statement adv.to.ospf3 term 1 then accept tag

100

[edit]
lab@srx6# set protocols ospf3 export adv.to.ospf3

[edit]
lab@srx6# set policy-options policy-statement adv.to.isis term 3 from route-filter
::/0 exact

[edit]
lab@srx6# set policy-options policy-statement adv.to.isis term 3 then accept tag
200

[edit]
lab@srx6# set routing-options rib inet6.0 aggregate route ::/0

[edit]
lab@srx6# commit
commit complete


On SRX7 device:

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf3 term reject.tag.200
from protocol isis tag 200

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf3 term reject.tag.200
then reject

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf3 term 1 from protocol
isis

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx7# set policy-options policy-statement adv.to.ospf3 term 1 then accept tag
100

[edit]
lab@srx7# set protocols ospf3 export adv.to.ospf3

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term 3 from route-filter
::/0 exact

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term 3 then accept tag
200

[edit]
lab@srx7# set routing-options rib inet6.0 aggregate route ::/0

[edit]
lab@srx7# commit
commit complete 43
7






438 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

[edit]
lab@srx5# run show route fd17:f0f4:fe:f:0::/64

inet6.0: 127 destinations, 146 routes (24 active, 0 holddown, 119 hidden)
+ = Active Route, - = Last Active, * = Both

fd17:f0f4:fe:f::/80*[OSPF3/150] 02:58:13, metric 50, tag 100

> to fe80::20c:2900:3884:c55c via ge-0/0/4.56
fd17:f0f4:fe:f:1::/80
*[OSPF3/150] 02:58:13, metric 50, tag 100
> to fe80::20c:2900:3884:c55c via ge-0/0/4.56
fd17:f0f4:fe:f:2::/80
*[OSPF3/150] 02:58:13, metric 50, tag 100
> to fe80::20c:2900:3884:c55c via ge-0/0/4.56
fd17:f0f4:fe:f:3::/80
*[OSPF3/150] 02:58:13, metric 50, tag 100
> to fe80::20c:2900:3884:c55c via ge-0/0/4.56
fd17:f0f4:fe:f:4::/80
*[OSPF3/150] 02:58:13, metric 50, tag 100
> to fe80::20c:2900:3884:c55c via ge-0/0/4.56
fd17:f0f4:fe:f:5::/80
*[OSPF3/150] 02:58:13, metric 50, tag 100
> to fe80::20c:2900:3884:c55c via ge-0/0/4.56

[edit]
lab@srx8# run show route table inet6.0

inet6.0: 20 destinations, 21 routes (20 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

::/0 *[IS-IS/160] 00:00:08, metric 20, tag 200

> to fe80::20c:2900:4484:c55c via ge-0/0/4.68
to fe80::20c:2900:4e99:d893 via ge-0/0/5.78

JNCIE-SP workbook: Appendix – Full day lab challenge

• Make sure that SRX7 is the preferred router to and from IS-IS area for the rest of the
network. Ensure that this is valid only for IPv6 routes and accomplish this without a
policy change.

On SRX6 device:

[edit]
lab@srx6# set protocols isis topologies ipv6-unicast

[edit]
lab@srx6# set protocols isis interface ge-0/0/4.68 level 1 ipv6-unicast-metric 50

[edit]
lab@srx6# commit
commit complete

On SRX7 device:
43
8
[edit]





439 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx7# set protocols isis topologies ipv6-unicast

[edit]
lab@srx7# delete protocols isis overload

[edit]
lab@srx7# commit
commit complete

On SRX8 device:

[edit]
lab@srx8# set protocols isis topologies ipv6-unicast

[edit]
lab@srx8# set protocols isis interface ge-0/0/4.68 level 1 ipv6-unicast-metric 50

[edit]
lab@srx8# commit
commit complete

Verification:

When R7 is unavailable:

lab@srx8# run show route table inet6.0 protocol isis

inet6.0: 22 destinations, 23 routes (22 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

::/0 *[IS-IS/160] 00:00:24, metric 60, tag 200

> to fe80::120e:7e00:4443:d904 via ge-0/0/4.68
::172.30.30.6/128 *[IS-IS/15] 00:00:24, metric 50
> to fe80::120e:7e00:4443:d904 via ge-0/0/4.68

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx8#

When the IS-IS adjacency with R7 is restored:

[edit]
lab@srx8# run show route table inet6.0 protocol isis

inet6.0: 22 destinations, 23 routes (22 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

::/0 *[IS-IS/160] 00:00:01, metric 20, tag 200

> to fe80::7a19:f700:4e18:4285 via ge-0/0/5.78
::172.30.30.6/128 *[IS-IS/15] 00:00:26, metric 50
> to fe80::120e:7e00:4443:d904 via ge-0/0/4.68



lab@srx7> show route table inet6.0 fd17:f0f4:fe:f:0::/80 protocol isis
43
inet6.0: 128 destinations, 147 routes (128 active, 0 holddown, 0 hidden) 9





440 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

+ = Active Route, - = Last Active, * = Both

fd17:f0f4:fe:f::/80 [IS-IS/160] 00:01:21, metric 10
> to fe80::120e:7e00:4e43:da05 via ge-0/0/5.78

lab@srx6> show route table inet6.0 fd17:f0f4:fe:f:0::/80 protocol isis

inet6.0: 135 destinations, 157 routes (135 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

fd17:f0f4:fe:f::/80*[IS-IS/160] 00:04:32, metric 50
> to fe80::120e:7e00:4443:da04 via ge-0/0/4.68

Task 2.7 General requirements

• Configure equal cost load balancing only for OSPF routes.
• Full and optimal IP reachability should be accomplished in the network.

No static routes are allowed if not explicitly permitted by the particular task.

On All OSPF enabled devices:

[edit]
lab@srx1# set policy-options policy-statement load.balance term 1 from protocol
ospf

[edit]
lab@srx1# set policy-options policy-statement load.balance term 1 then load-
balance per-packet

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx1# set routing-options forwarding-table export load.balance

[edit]
lab@srx1# commit
commit complete

Verification:

[edit]
lab@srx5# run show route forwarding-table destination 172.16.40.0/30
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
172.16.40.0/30 user 0 ulst 262153 23
172.30.0.29 ucst 594 12 ge-0/0/4.35
172.30.0.33 ucst 597 8 ge-0/0/4.45

Routing table: __master.anon__.inet

Internet: 44
0
Destination Type RtRef Next hop Type Index NhRef Netif





441 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

default perm 0 rjct 525 1

JNCIE-SP workbook: Appendix – Full day lab challenge

44
1





442 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 3: MPLS

Task 3.1: MPLS and RSVP configuration

• Enable the MPLS and RSVP protocols on the routers that are part of the OSPF
domain.
• Ensure that a syslog message is generated when an LSP state is changed.

On All devices:

[edit]
lab@srx1# set protocols mpls interface all

[edit]
lab@srx1# set protocols mpls interface ge-0/0/0.0 disable

[edit]
lab@srx1# set protocols mpls log-updown syslog

[edit]
lab@srx1# set protocols rsvp interface all

[edit]
lab@srx1# set protocols rsvp interface ge-0/0/0.0 disable

[edit]
lab@srx1# commit
commit complete

Verification:

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx1# run show rsvp interface
RSVP interface: 4 active
Active Subscr- Static Available Reserved Highwater
Interface State resv iption BW BW BW mark
ge-0/0/4.200Up 0 100% 1000Mbps 1000Mbps 0bps 0bps
ge-0/0/4.13 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps
ge-0/0/4.14 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps
sp-0/0/0.0 Up 0 100% 800Mbps 800Mbps 0bps 0bps

• Configure traffic-engineering information exchange for all OSPF links. Make sure that
traffic-engineering information is not exchanged between ISIS routers.

On All OSFP enabled devices:

[edit]
lab@srx1# set protocols ospf traffic-engineering

[edit]
lab@srx1# commit 44
2
commit complete





443 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

On SRX6, SRX7 and SRX8 devices:

[edit]
lab@srx6# set protocols isis traffic-engineering disable

[edit]
lab@srx6# commit
commit complete

• Configure the interface between SRX2 and SRX3 to allow only half of the bandwidth
to be reserved for RSVP.

On SRX2 and SRX3 devices:

[edit]
lab@srx2# set protocols rsvp interface ge-0/0/4.23 subscription 50

[edit]
lab@srx2# commit
commit complete

Verification:

[edit]
lab@srx2# run show rsvp interface
RSVP interface: 4 active
Active Subscr- Static Available Reserved Highwater
Interface State resv iption BW BW BW mark
ge-0/0/4.200Up 0 100% 1000Mbps 1000Mbps 0bps 0bps
ge-0/0/4.23 Up 0 50% 1000Mbps 500Mbps 0bps 0bps
ge-0/0/4.24 Up 0 100% 1000Mbps 1000Mbps 0bps 0bps
sp-0/0/0.0 Up 0 100% 800Mbps 800Mbps 0bps 0bps

JNCIE-SP workbook: Appendix – Full day lab challenge

• Configure link coloring the way that it is shown in the topology below.

On All devices:

[edit]
lab@srx1# set protocols mpls admin-groups red 1

[edit]
lab@srx1# set protocols mpls admin-groups blue 2

[edit]
lab@srx1# set protocols mpls admin-groups green 3

[edit]
lab@srx1# set protocols mpls admin-groups yellow 4


On SRX1 device:

[edit] 44
3

lab@srx1# set protocols mpls interface ge-0/0/4.13 admin-group yellow

444 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx1# set protocols mpls interface ge-0/0/4.14 admin-group green

[edit]
lab@srx1# commit
commit complete

On SRX2 device:

[edit]
lab@srx2# set protocols mpls interface ge-0/0/4.23 admin-group red

[edit]
lab@srx2# set protocols mpls interface ge-0/0/4.23 admin-group blue

[edit]
lab@srx2# set protocols mpls interface ge-0/0/4.24 admin-group yellow

[edit]
lab@srx2# commit
commit complete

On SRX3 device:

[edit]
lab@srx3# set protocols mpls interface ae0.0 admin-group blue

[edit]
lab@srx3# set protocols mpls interface ge-0/0/4.13 admin-group yellow

[edit]
lab@srx3# set protocols mpls interface ge-0/0/4.23 admin-group red

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx3# set protocols mpls interface ge-0/0/4.23 admin-group blue

[edit]
lab@srx3# set protocols mpls interface ge-0/0/4.35 admin-group red

[edit]
lab@srx3# set protocols mpls interface ge-0/0/4.37 admin-group green

[edit]
lab@srx3# commit
commit complete

On SRX4 device:

[edit]
lab@srx4# set protocols mpls interface ge-0/0/4.14 admin-group green

[edit]
lab@srx4# set protocols mpls interface ae0.0 admin-group blue

[edit] 44
lab@srx4# set protocols mpls interface ge-0/0/4.24 admin-group yellow 4





445 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx4# set protocols mpls interface ge-0/0/4.45 admin-group yellow

[edit]
lab@srx4# set protocols mpls interface ge-0/0/4.46 admin-group blue

[edit]
lab@srx4# commit
commit complete

On SRX5 device:

[edit]
lab@srx5# set protocols mpls interface ge-0/0/4.35 admin-group red

[edit]
lab@srx5# set protocols mpls interface ge-0/0/4.45 admin-group yellow

[edit]
lab@srx5# set protocols mpls interface ge-0/0/4.57 admin-group red

[edit]
lab@srx5# set protocols mpls interface ge-0/0/4.56 admin-group green

[edit]
lab@srx5# commit
commit complete

On SRX6 device:

[edit]
lab@srx6# set protocols mpls interface ge-0/0/4.46 admin-group blue

[edit]
lab@srx6# set protocols mpls interface ge-0/0/4.56 admin-group green

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx6# set protocols mpls interface ge-0/0/4.67 admin-group blue

[edit]
lab@srx6# commit
commit complete

On SRX7 device:

[edit]
lab@srx7# set protocols mpls interface ge-0/0/4.57 admin-group red

[edit]
lab@srx7# set protocols mpls interface ge-0/0/4.57 admin-group blue

[edit]
lab@srx7# set protocols mpls interface ge-0/0/4.37 admin-group green

[edit]
lab@srx7# commit 44
commit complete 5





446 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

[edit]
lab@srx1# run show mpls interface
Interface State Administrative groups (x: extended)
ge-0/0/4.200 Up <none>
ge-0/0/4.400 Up <none>
ge-0/0/4.13 Up yellow
ge-0/0/4.14 Up green

Task 3.2: LSPs between SRX2 and SRX7

• Configure an LSP from SRX2 to SRX7. This LSP should pass through SRX4 and SRX5.
• You are not allowed to use explicit path or coloring.

On SRX2 device:

[edit]
lab@srx2# set protocols mpls label-switched-path srx2-to-srx7 to 172.30.30.7

[edit]
lab@srx2# set protocols ospf area 0.0.0.0 interface ge-0/0/4.23 te-metric 100

[edit]
lab@srx2# commit
commit complete

On SRX3 device:

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx3# set protocols ospf area 0.0.0.0 interface ge-0/0/4.23 te-metric 100

[edit]
lab@srx3# set protocols ospf area 0.0.0.0 interface ge-0/0/4.37 te-metric 100

[edit]
lab@srx3# commit
commit complete

On SRX4 device:

[edit]
lab@srx4# set protocols ospf area 0.0.0.0 interface ge-0/0/4.46 te-metric 100

[edit]
lab@srx4# commit
commit complete

Verification:
[edit] 44
lab@srx2# run show mpls lsp name srx2-to-srx7 extensive 6
Ingress LSP: 3 sessions




447 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

172.30.30.7
From: 172.30.30.2, State: Up, ActiveRoute: 0, LSPname: srx2-to-srx7
ActivePath: (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 3)
172.30.0.18 S 172.30.0.34 S 172.30.0.46 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
172.30.30.4(flag=0x29) 172.30.0.18(flag=9 Label=301312) 172.30.30.5(flag=0x20)
172.30.0.34(Label=300256) 172.30.30.7(flag=0x20) 172.30.0.46(Label=3)
117 Jan 1 07:12:47.792 Record Route: 172.30.30.4(flag=0x29) 172.30.0.18(flag=9
Label=301312) 172.30.30.5(flag=0x20) 172.30.0.34(Label=300256)
172.30.30.7(flag=0x20) 172.30.0.46(Label=3)
116 Jan 1 07:12:44.919 Selected as active path
115 Jan 1 07:12:44.918 Record Route: 172.30.30.4(flag=0x20)
172.30.0.18(Label=301312) 172.30.30.5(flag=0x20) 172.30.0.34(Label=300256)
172.30.30.7(flag=0x20) 172.30.0.46(Label=3)
114 Jan 1 07:12:44.918 Up
113 Jan 1 07:12:44.755 Originate Call
112 Jan 1 07:12:44.755 CSPF: computation result accepted 172.30.0.18
172.30.0.34 172.30.0.46

• Configure an LSP from SRX7 to SRX2 with a primary path that only crosses red links.
Configure a secondary path for this LSP that only crosses blue links. Both paths
should have a bandwidth reservation of 400m. The secondary path should be pre-
signaled and ready for use.

JNCIE-SP workbook: Appendix – Full day lab challenge

On SRX7 device:

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 to 172.30.30.2

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 adaptive

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 primary srx7-srx2-
primary bandwidth 400m

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 primary srx7-srx2-
primary admin-group include-all red

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 secondary srx7-srx2-
secondary bandwidth 400m
44
7
[edit]





448 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 secondary srx7-srx2-

secondary standby

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 secondary srx7-srx2-
secondary admin-group include-all blue

[edit]
lab@srx7# set protocols mpls path srx7-srx2-primary

[edit]
lab@srx7# set protocols mpls path srx7-srx2-secondary

[edit]
lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx7# run show mpls lsp name srx7-to-srx2 extensive
Ingress LSP: 6 sessions

172.30.30.2
From: 172.30.30.7, State: Up, ActiveRoute: 0, LSPname: srx7-to-srx2
ActivePath: srx7-srx2-primary (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary srx7-srx2-primary State: Up
Priorities: 7 0
Bandwidth: 400Mbps
SmartOptimizeTimer: 180
Include All: red
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 102)

JNCIE-SP workbook: Appendix – Full day lab challenge

172.30.0.45 S 172.30.0.29 S 172.30.0.13 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
172.30.0.45(flag=0xd) 172.30.0.29(flag=5) 172.30.0.13
86 Jan 1 06:46:19.522 Record Route: 172.30.0.45(flag=0xd) 172.30.0.29(flag=5)
172.30.0.13
85 Jan 1 06:46:16.524 Selected as active path
84 Jan 1 06:46:16.514 Record Route: 172.30.0.45 172.30.0.29 172.30.0.13
83 Jan 1 06:46:16.514 Up
82 Jan 1 06:46:16.379 Originate Call
81 Jan 1 06:46:16.379 CSPF: computation result accepted 172.30.0.45
172.30.0.29 172.30.0.13

Standby srx7-srx2-secondary State: Up

Priorities: 7 0
Bandwidth: 400Mbps
SmartOptimizeTimer: 180
Include All: blue
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 104)
172.30.0.45 S 172.30.0.42 S 172.30.0.37 S 172.30.0.21 S 172.30.0.13 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID): 44
8





449 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

172.30.0.45(flag=0xd) 172.30.0.42(flag=0xd) 172.30.0.37(flag=0xd)

172.30.0.21(flag=5) 172.30.0.13
66 Jan 1 06:46:48.826 Record Route: 172.30.0.45(flag=0xd)
172.30.0.42(flag=0xd) 172.30.0.37(flag=0xd) 172.30.0.21(flag=5) 172.30.0.13
65 Jan 1 06:46:48.776 Record Route: 172.30.0.45(flag=0xd) 172.30.0.42
172.30.0.37(flag=0xd) 172.30.0.21 172.30.0.13
64 Jan 1 06:46:48.751 Record Route: 172.30.0.45(flag=0xd) 172.30.0.42
172.30.0.37 172.30.0.21 172.30.0.13
63 Jan 1 06:46:45.866 Record Route: 172.30.0.45 172.30.0.42 172.30.0.37
172.30.0.21 172.30.0.13
62 Jan 1 06:46:45.866 Up
61 Jan 1 06:46:45.643 Originate Call
60 Jan 1 06:46:45.643 CSPF: computation result accepted 172.30.0.45
172.30.0.42 172.30.0.37 172.30.0.21 172.30.0.13

Task 3.3: LSPs between SRX1 and SRX6

• Configure bi-directional LSPs from SRX1 to SRX6 that have two paths through the
network. The primary path should be limited to 3 hops. The secondary path should
not use CSPF and it should pass via SRX3 and SRX5.
• Make sure that if traffic is switched to secondary path, it is never automatically
switched back to the primary path.

On SRX1 device:

[edit]
lab@srx1# set protocols mpls label-switched-path srx1-to-srx6 to 172.30.30.6

[edit]
lab@srx1# set protocols mpls label-switched-path srx1-to-srx6 primary to-srx6-1
hop-limit 3

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx1# set protocols mpls label-switched-path srx1-to-srx6 secondary to-srx6-2
no-cspf

[edit]
lab@srx1# set protocols mpls path to-srx6-1

[edit]
lab@srx1# set protocols mpls path to-srx6-2 172.30.30.3 loose

[edit]
lab@srx1# set protocols mpls path to-srx6-2 172.30.30.5 loose

[edit]
lab@srx1# commit
commit complete

Verification:

[edit]
lab@srx1# run show mpls lsp name srx1-to-srx6 extensive 44
9
Ingress LSP: 3 sessions





450 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

172.30.30.6
From: 172.30.30.1, State: Up, ActiveRoute: 0, LSPname: srx1-to-srx6
ActivePath: to-srx6-1 (primary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary to-srx6-1 State: Up
Priorities: 7 0
Hoplimit: 3
SmartOptimizeTimer: 180
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 101)
172.30.0.10 S 172.30.0.38 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
172.30.0.10 172.30.0.38
5 Dec 31 07:34:06.597 Selected as active path
4 Dec 31 07:34:06.587 Record Route: 172.30.0.10 172.30.0.38
3 Dec 31 07:34:06.587 Up
2 Dec 31 07:34:06.507 Originate Call
1 Dec 31 07:34:06.507 CSPF: computation result accepted 172.30.0.10
172.30.0.38
Secondary to-srx6-2 State: Dn
Priorities: 7 0
SmartOptimizeTimer: 180
Created: Wed Dec 31 07:33:36 2014

[edit]
lab@srx1# deactivate protocols mpls label-switched-path srx1-to-srx6 primary to-
srx6-1

Verification:

[edit]
lab@srx1# run show mpls lsp name srx1-to-srx6 extensive

JNCIE-SP workbook: Appendix – Full day lab challenge

Ingress LSP: 3 sessions

172.30.30.6
From: 172.30.30.1, State: Up, ActiveRoute: 0, LSPname: srx1-to-srx6
ActivePath: to-srx6-2 (secondary)
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Secondary to-srx6-2 State: Up
Priorities: 7 0
SmartOptimizeTimer: 180
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
172.30.0.2 172.30.0.30 172.30.0.42
4 Jan 3 07:44:22.834 Selected as active path
3 Jan 3 07:44:22.833 Record Route: 172.30.0.2 172.30.0.30 172.30.0.42
2 Jan 3 07:44:22.833 Up
1 Jan 3 07:44:22.715 Originate Call
Created: Wed Dec 31 07:33:37 2014
Total 1 displayed, Up 1, Down 0

[edit] 45
0
lab@srx1# rollback 1





451 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

load complete

On SRX6 device:

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx1 to 172.30.30.1

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx1 primary to-srx1-1
hop-limit 3

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx1 secondary to-srx1-2
no-cspf

[edit]
lab@srx6# set protocols mpls path to-srx1-1

[edit]
lab@srx6# set protocols mpls path to-srx1-2 172.30.30.5 loose

[edit]
lab@srx6# set protocols mpls path to-srx1-2 172.30.30.3 loose

[edit]
lab@srx6# commit
commit complete

Verification:

[edit]
lab@srx6# run show mpls lsp name srx6-to-srx1
Ingress LSP: 6 sessions
To From State Rt P ActivePath LSPname
172.30.30.1 172.30.30.6 Up 0 * to-srx1-1 srx6-to-srx1

JNCIE-SP workbook: Appendix – Full day lab challenge

Total 1 displayed, Up 1, Down 0

• Make sure that if traffic is switched to secondary path, it is never automatically
switched back to the primary path.

On SRX1 device:

[edit]
lab@srx1# set protocols mpls label-switched-path srx1-to-srx6 revert-timer 0

[edit]
lab@srx6# commit
commit complete

On SRX6 device:

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx1 revert-timer 0
45
1
[edit]




452 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx6# commit
commit complete

lab@srx6> show mpls lsp name srx6-to-srx1 detail | match Revert

Revert timer: 0

Task 3.4: LSP protection

• Make sure that the LSP from SRX7 to SRX2 is protected with fast reroute detours.
Those detours should reserve at least 25% of the LSP bandwidth.

On SRX7 device:

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 fast-reroute
bandwidth-percent 25

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 fast-reroute no-
include-all

[edit]
lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx7# run show mpls lsp name srx7-to-srx2 extensive
Ingress LSP: 6 sessions

172.30.30.2
From: 172.30.30.7, State: Up, ActiveRoute: 0, LSPname: srx7-to-srx2

JNCIE-SP workbook: Appendix – Full day lab challenge

ActivePath: srx7-srx2-primary (primary)
FastReroute desired
LSPtype: Static Configured
LoadBalance: Random
Encoding type: Packet, Switching type: Packet, GPID: IPv4
*Primary srx7-srx2-primary State: Up
Priorities: 7 0
Bandwidth: 400Mbps
SmartOptimizeTimer: 180
Include All: red
Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 102)
172.30.0.45 S 172.30.0.29 S 172.30.0.13 S
Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt
20=Node-ID):
172.30.0.45(flag=0xd) 172.30.0.29(flag=5) 172.30.0.13
87 Jan 1 06:46:25.442 Fast-reroute Detour Up
86 Jan 1 06:46:19.522 Record Route: 172.30.0.45(flag=0xd) 172.30.0.29(flag=5)
172.30.0.13
85 Jan 1 06:46:16.524 Selected as active path
84 Jan 1 06:46:16.514 Record Route: 172.30.0.45 172.30.0.29 172.30.0.13
83 Jan 1 06:46:16.514 Up
82 Jan 1 06:46:16.379 Originate Call 45
81 Jan 1 06:46:16.379 CSPF: computation result accepted 172.30.0.45 2
172.30.0.29 172.30.0.13




453 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

• Configure node protection for the LSP from SRX2 to SRX7. Make sure that the bypass
LSPs are explicitly configured to bypass SRX4 and SRX5.

On SRX2 device:

[edit]
lab@srx2# set protocols mpls label-switched-path srx2-to-srx7 node-link-protection

[edit]
lab@srx2# set protocols rsvp interface ge-0/0/4.23 link-protection path
172.30.30.3 loose

[edit]
lab@srx2# set protocols rsvp interface ge-0/0/4.23 link-protection path
172.30.30.5 loose

[edit]
lab@srx2# set protocols rsvp interface ge-0/0/4.24 link-protection

[edit]
lab@srx2# commit
commit complete

On SRX4 device:

[edit]
lab@srx4# set protocols rsvp interface ae0.0 link-protection path 172.30.30.3
loose

[edit]
lab@srx4# set protocols rsvp interface ae0.0 link-protection path 172.30.30.7
loose

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx4# set protocols rsvp interface ge-0/0/4.45 link-protection

[edit]
lab@srx4# commit
commit complete

Verification:

[edit]
lab@srx2# run show rsvp session name Bypass->172.30.0.18->172.30.0.34 extensive
Ingress RSVP: 4 sessions

172.30.30.5
From: 172.30.30.2, LSPstate: Up, ActiveRoute: 0
LSPname: Bypass->172.30.0.18->172.30.0.34
LSPtype: Static Configured
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 301616
Resv style: 1 SE, Label in: -, Label out: 301616
Time left: -, Since: Thu Jan 1 07:12:55 2015
45
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
3
Port number: sender 1 receiver 21233 protocol 0




454 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Type: Bypass LSP

Number of data route tunnel through: 1
Number of RSVP session tunnel through: 0
PATH rcvfrom: localclient
Adspec: sent MTU 1500
Path MTU: received 1500
PATH sentto: 172.30.0.14 (ge-0/0/4.23) 4200 pkts
RESV rcvfrom: 172.30.0.14 (ge-0/0/4.23) 4201 pkts
Explct route: 172.30.0.14 172.30.0.30
Record route: <self> 172.30.0.14 172.30.0.30
Total 1 displayed, Up 1, Down 0

[edit]
lab@srx4# run show rsvp session name Bypass->172.30.0.34->172.30.0.46 extensive
Ingress RSVP: 1 sessions

172.30.30.7
From: 172.30.30.4, LSPstate: Up, ActiveRoute: 0
LSPname: Bypass->172.30.0.34->172.30.0.46
LSPtype: Static Configured
Suggested label received: -, Suggested label sent: -
Recovery label received: -, Recovery label sent: 301568
Resv style: 1 SE, Label in: -, Label out: 301568
Time left: -, Since: Thu Jan 1 07:11:56 2015
Tspec: rate 0bps size 0bps peak Infbps m 20 M 1500
Port number: sender 1 receiver 30718 protocol 0
Type: Bypass LSP
Number of data route tunnel through: 1
Number of RSVP session tunnel through: 0
PATH rcvfrom: localclient
Adspec: sent MTU 1500
Path MTU: received 1500
PATH sentto: 172.30.0.21 (ge-0/0/4.34) 4202 pkts
RESV rcvfrom: 172.30.0.21 (ge-0/0/4.34) 4201 pkts
Explct route: 172.30.0.21 172.30.0.26
Record route: <self> 172.30.0.21 172.30.0.26

JNCIE-SP workbook: Appendix – Full day lab challenge

Total 1 displayed, Up 1, Down 0

Task 3.5: LSPs between SRX6 to SRX3

• Configure two distinct LSPs from SRX6 to SRX3.
• One LSP named srx6-to-srx3-1 should egress to 172.30.30.3 where another LSP
named srx6-to-srx3-2 should egress to 3.3.3.3.

On SRX6 device:

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx3-1 to 172.30.30.3

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx3-1 no-cspf

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx3-2 to 3.3.3.3

[edit] 45
4
lab@srx6# set protocols mpls label-switched-path srx6-to-srx3-2 no-cspf





455 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx6# commit
commit complete

Verification:

[edit]
lab@srx6# run show mpls lsp
Ingress LSP: 6 sessions
To From State Rt P ActivePath LSPname
3.3.3.3 172.30.30.6 Up 0 * srx6-to-srx3-2
172.30.30.1 172.30.30.6 Up 0 * to-srx1-1 srx6-to-srx1
172.30.30.2 172.30.30.6 Up 0 * srx6-to-srx2
172.30.30.3 172.30.30.6 Up 0 * srx6-to-srx3-1
172.30.30.7 172.30.30.6 Up 0 * srx6-to-srx7
Total 5 displayed, Up 5, Down 0

Task 3.6: LDP configuration

• Configure LDP for the links in the ISIS domain.

On SRX6, SRX7 and SRX8 devices:

[edit]
lab@srx6# set protocols ldp interface ge-0/0/4.67

[edit]
lab@srx6# set protocols ldp interface ge-0/0/4.68

[edit]
lab@srx6# commit
commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

Verification:

[edit]
lab@srx6# run show ldp session
Address State Connection Hold time
172.30.30.7 Operational Open 27
172.30.30.8 Operational Open 27

• Make sure that SRX8 can send and receive MPLS packets to and from SRX1 and SRX2
in a redundant way through SRX6 and SRX7.
• You can configure additional RSVP LSPs if needed.

On SRX1 device:

[edit]
lab@srx1# set protocols mpls label-switched-path srx1-to-srx6 ldp-tunneling

[edit]
45
lab@srx1# set protocols mpls label-switched-path srx1-to-srx7 to 172.30.30.7
5





456 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx1# set protocols mpls label-switched-path srx1-to-srx7 ldp-tunneling

[edit]
lab@srx1# set protocols ldp interface lo0.0

[edit]
lab@srx1# commit
commit complete

On SRX2 device:

[edit]
lab@srx2# set protocols mpls label-switched-path srx2-to-srx7 ldp-tunneling

[edit]
lab@srx2# set protocols mpls label-switched-path srx2-to-srx6 to 172.30.30.6

[edit]
lab@srx2# set protocols mpls label-switched-path srx2-to-srx6 ldp-tunneling

[edit]
lab@srx2# set protocols ldp interface lo0.0

[edit]
lab@srx2# commit
commit complete

On SRX6 device:

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx1 ldp-tunneling

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx2 to 172.30.30.2

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx2 ldp-tunneling

[edit]
lab@srx6# set policy-options policy-statement adv.to.isis term 4 from route-filter
172.30.30.1/32 exact accept

[edit]
lab@srx6# set policy-options policy-statement adv.to.isis term 4 from route-filter
172.30.30.2/32 exact accept

[edit]
lab@srx6# set protocols ldp interface lo0.0

[edit]
lab@srx6# commit
commit complete

On SRX7 device:
45
[edit] 6
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2 ldp-tunneling




457 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx1 to 172.30.30.1

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx1 ldp-tunneling

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term 4 from route-filter
172.30.30.1/32 exact accept

[edit]
lab@srx7# set policy-options policy-statement adv.to.isis term 4 from route-filter
172.30.30.2/32 exact accept

[edit]
lab@srx7# set protocols ldp interface lo0.0

[edit]
lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx6# run show ldp session
Address State Connection Hold time
172.30.30.1 Operational Open 27
172.30.30.2 Operational Open 27
172.30.30.7 Operational Open 27
172.30.30.8 Operational Open 27

[edit]
lab@srx8# run show route 172.30.30.1 table inet.3

JNCIE-SP workbook: Appendix – Full day lab challenge

inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.30.30.1/32 *[LDP/9] 2d 06:23:40, metric 1

> to 172.30.1.5 via ge-0/0/4.68, Push 299952
to 172.30.1.9 via ge-0/0/5.78, Push 300112

[edit]
lab@srx8# run show route 172.30.30.2 table inet.3

inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.30.30.2/32 *[LDP/9] 2d 06:23:51, metric 1

> to 172.30.1.5 via ge-0/0/4.68, Push 299888
to 172.30.1.9 via ge-0/0/5.78, Push 300128

Task 3.7: LSP forwarding based on CoS

• Make sure that on SRX7, traffic to RIP prefixes marked with expedited-forwarding
bits will use the LSP to SRX1. 45
7
• Traffic to RIP prefixes marked with best-effort bits should use the LSP to SRX2.




458 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

• You can configure additional RSVP LSPs if needed.

On SRX7 device:

[edit]
lab@srx7# set class-of-service forwarding-policy next-hop-map rip.routes
forwarding-class best-effort lsp-next-hop srx7-to-srx2

[edit]
lab@srx7# set class-of-service forwarding-policy next-hop-map rip.routes
forwarding-class expedited-forwarding lsp-next-hop srx7-to-srx1

[edit]
lab@srx7# set policy-options policy-statement cos.forwarding term 1 from route-
filter 172.31.0.0/20 orlonger

[edit]
lab@srx7# set policy-options policy-statement cos.forwarding term 1 then cos-next-
hop-map rip.routes

[edit]
lab@srx7# set routing-options forwarding-table export cos.forwarding

[edit]
lab@srx7# commit
commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

45
8





459 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 4: BGP

Task 4.1: iBGP configuration

• Configure iBGP sessions between the RR device and the SRX routers. Use AS 5678
and, on the RR, create two clusters with no more than 4 clients.
• Failure of any physical interface should not cause for any iBGP session loss. Configure
BFD monitoring of all iBGP connections with 900ms between the keepalives. If 4
keepalives are lost, the neighbor should be declared down.

On SRX1 device:

[edit]
lab@srx1# set routing-options autonomous-system 5678

[edit]
lab@srx1# set protocols bgp group cluster-1 type internal

[edit]
lab@srx1# set protocols bgp group cluster-1 local-address 172.30.30.1

[edit]
lab@srx1# set protocols bgp group cluster-1 bfd-liveness-detection minimum-
interval 900

[edit]
lab@srx1# set protocols bgp group cluster-1 bfd-liveness-detection multiplier 4

[edit]
lab@srx1# set protocols bgp group cluster-1 neighbor 172.30.30.19

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx1# commit
commit complete

On RR device:

[edit]
lab@route-reflector# set routing-options autonomous-system 5678

[edit]
lab@route-reflector# set protocols bgp group cluster-1 type internal

[edit]
lab@route-reflector# set protocols bgp group cluster-1 local-address 172.30.30.19

[edit]
lab@route-reflector# set protocols bgp group cluster-1 cluster 1.1.1.1

[edit]
lab@route-reflector# set protocols bgp group cluster-1 bfd-liveness-detection
minimum-interval 900
45
9
[edit]





460 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@route-reflector# set protocols bgp group cluster-1 bfd-liveness-detection

multiplier 4

[edit]
lab@route-reflector# set protocols bgp group cluster-1 neighbor 172.30.30.1

[edit]
lab@route-reflector# set protocols bgp group cluster-1 neighbor 172.30.30.2

[edit]
lab@route-reflector# set protocols bgp group cluster-1 neighbor 172.30.30.3

[edit]
lab@route-reflector# set protocols bgp group cluster-1 neighbor 172.30.30.4

[edit]
lab@route-reflector# set protocols bgp group cluster-2 type internal

[edit]
lab@route-reflector# set protocols bgp group cluster-2 local-address 172.30.30.19

[edit]
lab@route-reflector# set protocols bgp group cluster-2 cluster 2.2.2.2

[edit]
lab@route-reflector# set protocols bgp group cluster-2 bfd-liveness-detection
minimum-interval 900

[edit]
lab@route-reflector# set protocols bgp group cluster-2 bfd-liveness-detection
multiplier 4

[edit]
lab@route-reflector# set protocols bgp group cluster-2 neighbor 172.30.30.5

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@route-reflector# set protocols bgp group cluster-2 neighbor 172.30.30.6

[edit]
lab@route-reflector# set protocols bgp group cluster-2 neighbor 172.30.30.7

[edit]
lab@route-reflector# set protocols bgp group cluster-2 neighbor 172.30.30.8

[edit]
lab@route-reflector# commit
commit complete

Verification:

[edit]
lab@srx1# run show bfd session
Detect Transmit
Address State Interface Time Interval Multiplier
172.30.30.19 Down 0.000 0.900 4

1 sessions, 1 clients 46
0
Cumulative transmit rate 1.0 pps, cumulative receive rate 0.0 pps





461 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx1# run show firewall log detail
Time of Log: 2015-01-04 05:51:39 UTC, Filter: pfe, Filter action: discard, Name of
interface: ge-0/0/4.14
Name of protocol: UDP, Packet Length: 13312, Source address: 172.30.30.19:49152,
Destination address: 172.30.30.1:4784
Time of Log: 2015-01-04 05:51:38 UTC, Filter: pfe, Filter action: discard, Name of
interface: ge-0/0/4.14
Name of protocol: UDP, Packet Length: 13312, Source address: 172.30.30.19:49152,
Destination address: 172.30.30.1:4784

Fixing the problem:

[edit]
lab@srx1# set firewall family inet filter protect.RE term accept.bfd from port
4784

lab@srx1# commit
commit complete

Verification:

[edit]
lab@srx1# run show bfd session
Detect Transmit
Address State Interface Time Interval Multiplier
172.30.30.19 Up 3.600 0.900 4

1 sessions, 1 clients
Cumulative transmit rate 1.1 pps, cumulative receive rate 1.1 pps

[edit]
lab@srx1# run show bgp summary

JNCIE-SP workbook: Appendix – Full day lab challenge

Groups: 1 Peers: 1 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.30.30.19 5678 531 44 0 2 16:18
0/0/0/0 0/0/0/0

[edit]
lab@route-reflector# run show bgp summary
Groups: 2 Peers: 8 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.30.30.1 5678 11 12 0 0 4:17
0/0/0/0 0/0/0/0
172.30.30.2 5678 11 11 0 0 4:12
0/0/0/0 0/0/0/0
172.30.30.3 5678 10 10 0 0 4:04
0/0/0/0 0/0/0/0
172.30.30.4 5678 10 10 0 0 4:00 46
1

0/0/0/0 0/0/0/0

462 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

172.30.30.5 5678 10 10 0 0 3:56

0/0/0/0 0/0/0/0
172.30.30.6 5678 10 10 0 0 3:52
0/0/0/0 0/0/0/0
172.30.30.7 5678 12 12 0 0 4:20
0/0/0/0 0/0/0/0
172.30.30.8 5678 12 11 0 0 4:18
0/0/0/0 0/0/0/0

[edit]
lab@route-reflector# run show bfd session
Detect Transmit
Address State Interface Time Interval Multiplier
172.30.30.1 Up 3.600 0.900 4
172.30.30.2 Up 3.600 0.900 4
172.30.30.3 Up 3.600 0.900 4
172.30.30.4 Up 3.600 0.900 4
172.30.30.5 Up 3.600 0.900 4
172.30.30.6 Up 3.600 0.900 4
172.30.30.7 Up 3.600 0.900 4
172.30.30.8 Up 3.600 0.900 4

8 sessions, 8 clients
Cumulative transmit rate 8.9 pps, cumulative receive rate 8.9 pps

• Ensure that all iBGP sessions state changes are logged to syslog.

On All devices:

[edit]
lab@srx1# set protocols bgp log-updown

[edit]
lab@srx1# commit
commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

• Use SRX4 and SRX5 as the only routers where internal routes are advertised to BGP.
Advertise a single summarized route 172.30/16 for all internal routes. Advertise all
RIP routes without summarization.

On SRX1 and SRX2 devices:

[edit]
lab@srx1# set policy-options policy-statement adv.from.rip term 2 then tag 520

[edit]
lab@srx1# commit
commit complete

On SRX4 and SRX5 devices:

[edit]
lab@srx4# set routing-options aggregate route 172.30.0.0/16

[edit] 46
2





463 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx4# set policy-options policy-statement adv.to.ibgp term 1 from protocol

aggregate

[edit]
lab@srx4# set policy-options policy-statement adv.to.ibgp term 1 from route-filter
172.30.0.0/16 exact

[edit]
lab@srx4# set policy-options policy-statement adv.to.ibgp term 1 then accept

[edit]
lab@srx4# set policy-options policy-statement adv.to.ibgp term 2 from tag 520

[edit]
lab@srx4# set policy-options policy-statement adv.to.ibgp term 2 then next-hop
self

[edit]
lab@srx4# set policy-options policy-statement adv.to.ibgp term 2 then accept

[edit]
lab@srx4# set protocols bgp group cluster-1 export adv.to.ibgp

[edit]
lab@srx4# commit
commit complete

On RR device:

[edit]
lab@route-reflector# set protocols bgp advertise-inactive

[edit]
lab@route-reflector# commit
commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

Verification:

[edit]
lab@srx8# run show route 172.30/16

inet.0: 545 destinations, 545 routes (545 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.30.0.0/16 *[BGP/170] 3d 19:54:41, localpref 100, from 172.30.30.19

AS path: I
> to 172.30.1.5 via ge-0/0/4.68

[edit]
lab@srx8# run show route 172.31/16

inet.0: 545 destinations, 545 routes (545 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

172.31.0.0/24 *[BGP/170] 3d 19:54:51, MED 3, localpref 100, from 172.30.30.19

AS path: I
46
> to 172.30.1.5 via ge-0/0/4.68
3
172.31.1.0/24 *[BGP/170] 3d 19:54:51, MED 3, localpref 100, from 172.30.30.19




464 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

AS path: I
> to 172.30.1.5 via ge-0/0/4.68

Task 4.2: eBGP configuration

• Configure eBGP sessions with customers C1 and C2 according to the diagram. The
configuration used by C1 to peer with AS 8765 is wrong. Make sure that AS 8765 is
not shown in the AS path of the prefixes advertised by C1. The AS number of C2 is not
known. You have to receive 16 prefixes from C1 and C2. Make sure that if more than
20 prefixes are received from each neighbor, a syslog message is generated.

On SRX8 device:

[edit]
lab@srx8# set interfaces ge-0/0/4.220 description "=== connection to C1 ==="

[edit]
lab@srx8# set interfaces ge-0/0/4.220 vlan-id 220 family inet address
172.16.220.1/30

[edit]
lab@srx8# set protocols bgp group C1 peer-as 65020

[edit]
lab@srx8# set protocols bgp group C1 local-as 8765

[edit]
lab@srx8# set protocols bgp group C1 local-as private

[edit]
lab@srx8# set protocols bgp group C1 neighbor 172.16.220.2 family inet unicast
prefix-limit maximum 20

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx8# commit
commit complete

Verification:

[edit]
lab@srx8# run show bgp summary
Groups: 3 Peers: 3 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 527 527 0 0 0 0
bgp.l3vpn.0 2 2 0 0 0 0
inet6.0 119 103 0 0 0 0
bgp.l2vpn.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.16.220.2 65020 80047 81585 0 0 3w4d16h
Establ
inet.0: 16/16/16/0

[edit]
lab@srx8# run show route receive-protocol bgp 172.16.220.2 46
4





465 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

inet.0: 545 destinations, 545 routes (545 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 10.10.32.0/24 172.16.220.2 65020 I
* 10.10.33.0/24 172.16.220.2 65020 I
* 10.10.34.0/24 172.16.220.2 65020 I
* 10.10.35.0/24 172.16.220.2 65020 I
* 10.10.36.0/24 172.16.220.2 65020 I
* 10.10.37.0/24 172.16.220.2 65020 I
* 10.10.38.0/24 172.16.220.2 65020 I
* 10.10.39.0/24 172.16.220.2 65020 I
* 10.10.40.0/24 172.16.220.2 65020 I
* 10.10.41.0/24 172.16.220.2 65020 I
* 10.10.42.0/24 172.16.220.2 65020 I
* 10.10.43.0/24 172.16.220.2 65020 I
* 10.10.44.0/24 172.16.220.2 65020 I
* 10.10.45.0/24 172.16.220.2 65020 I
* 10.10.46.0/24 172.16.220.2 65020 I
* 10.10.47.0/24 172.16.220.2 65020 I

On SRX7 device:

[edit]
lab@srx7# set interfaces ge-0/0/4.230 description "=== connection to C1 ==="

[edit]
lab@srx7# set interfaces ge-0/0/4.230 vlan-id 320 family inet address
172.16.230.1/30

[edit]
lab@srx7# set protocols bgp group C2 neighbor 172.16.230.2 family inet unicast
prefix-limit maximum 20

[edit]
lab@srx7# set protocols bgp group C2 peer-as 64512

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx7# set protocols bgp group C2 traceoptions file BGP.log

[edit]
lab@srx7# set protocols bgp group C2 traceoptions flag open

[edit]
lab@srx7# set protocols bgp group C2 traceoptions flag general

[edit]
lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx7# run show log BGP.log
Dec 2 12:16:46.796357 bgp_process_open:2789: NOTIFICATION sent to 172.16.230.2
(External AS 64512): code 2 (Open Message Error) subcode 2 (bad peer AS number),
Reason: peer 172.16.230.2 (External AS 64512) claims 65100, 64512 configured
46
[edit]
5
lab@srx7# set protocols bgp group C2 neighbor 172.16.230.2 peer-as 65100




466 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx7# run show bgp summary
Groups: 2 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 499 499 0 0 0 0
bgp.l3vpn.0 0 0 0 0 0 0
inet6.0 0 0 0 0 0 0
bgp.l2vpn.0 2 2 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.16.230.2 65100 3 417 0 0 9
Establ
inet.0: 16/16/16/0

• Configure eBGP sessions with U1 and U2. Configure an eBGP session with U3 and
load balance across the two physical links. Make sure that you receive IPv6 routes
over single IPv4 session. You are allowed to use a single static route for each address
family. Make sure that you receive IPv6 prefixes from U3 and that they are active in
the RIB. Assume that SRX6 does not support 4-byte AS.

On SRX3 device:

[edit]
lab@srx3# set interfaces ge-0/0/4 unit 450 description "=== connection to upstream
==="

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx3# set interfaces ge-0/0/4 unit 450 vlan-id 450 family inet address
172.16.45.2/30

[edit]
lab@srx3# set protocols bgp group U1 peer-as 1516

[edit]
lab@srx3# set protocols bgp group U1 neighbor 172.16.45.1

[edit]
lab@srx3# commit
commit complete

Verification:

[edit]
lab@srx3# run show bgp summary
Groups: 2 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 533 512 0 0 0 0
46
bgp.l3vpn.0 0 0 0 0 0 0
6
inet6.0 119 0 0 0 0 0




467 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

bgp.l2vpn.0 0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.16.45.1 1516 81860 82923 0 2 3w4d21h
Establ
inet.0: 457/462/462/0

On SRX7 device:

[edit]
lab@srx7# set interfaces ge-0/0/4 unit 460 description "=== connection to upstream
==="

[edit]
lab@srx7# set interfaces ge-0/0/4 unit 460 vlan-id 460 family inet address
172.16.46.2/30

[edit]
lab@srx7# set protocols bgp group U2 peer-as 1516

[edit]
lab@srx7# set protocols bgp group U2 neighbor 172.16.46.1

[edit]
lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx7# run show bgp summary
Groups: 3 Peers: 3 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 990 512 0 0 0 0
bgp.l3vpn.0 6 6 0 0 0 0

JNCIE-SP workbook: Appendix – Full day lab challenge

inet6.0 103 103 0 0 0 0
bgp.l2vpn.0 3 3 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.16.46.1 1516 81894 82727 0 1 3w5d0h
Establ
inet.0: 0/462/462/0

On SRX6 device:

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 310 vlan-id 310 family inet address
172.16.231.1/30

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 310 family inet6 address
fd17:172:16:231::1/64

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 320 vlan-id 320 family inet address
172.16.232.1/30 46
7





468 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 320 family inet6 address
fd17:172:16:232::1/64

[edit]
lab@srx6# set interfaces lo0 unit 0 family inet6 address ::172.30.30.6/128

[edit]
lab@srx6# set routing-options rib inet6.0 static route ::192.168.50.1/128 next-hop
fd17:172:16:231::2

[edit]
lab@srx6# set routing-options rib inet6.0 static route ::192.168.50.1/128 next-hop
fd17:172:16:232::2

[edit]
lab@srx6# set routing-options static route 192.168.50.1/32 next-hop 172.16.231.2

[edit]
lab@srx6# set routing-options static route 192.168.50.1/32 next-hop 172.16.232.2

[edit]
lab@srx6# set protocols bgp group U3 multihop

[edit]
lab@srx6# set protocols bgp group U3 local-address 172.30.30.6

[edit]
lab@srx6# set protocols bgp group U3 family inet unicast

[edit]
lab@srx6# set protocols bgp group U3 family inet6 unicast

[edit]
lab@srx6# set protocols bgp group U3 peer-as 23456

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx6# set protocols bgp group U3 neighbor 192.168.50.1

[edit]
lab@srx6# set protocols bgp group U3 import adv.from.U3

[edit]
lab@srx6# set policy-options policy-statement adv.from.U3 term 3 from family inet6

[edit]
lab@srx6# set policy-options policy-statement adv.from.U3 term 3 then next-hop
::192.168.50.1

[edit]
lab@srx6# commit
commit complete

Verification:

[edit]
lab@srx6# run show bgp summary 46
8
Groups: 2 Peers: 2 Down peers: 0





469 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 985 512 0 0 0 0
bgp.l3vpn.0 0 0 0 0 0 0
inet6.0 119 103 0 0 0 0
bgp.l2vpn.0 2 2 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
192.168.50.1 23456 82093 86979 0 1 3w5d0h
Establ
inet.0: 5/462/462/0
inet6.0: 87/87/87/0

• Configure an eBGP session with P1. Use a single session for both IPv4 and IPv6. Make
sure that you receive IPv6 prefixes and they are active in the RIB.

On SRX1 device:

[edit]
lab@srx1# set interfaces ge-0/0/4 unit 400 vlan-id 400 family inet address
172.16.40.2/30

[edit]
lab@srx1# set interfaces ge-0/0/4 unit 400 family inet6 address
::ffff:172.16.40.2/96

[edit]
lab@srx1# set protocols bgp group P1 peer-as 3456

[edit]
lab@srx1# set protocols bgp group P1 neighbor 172.16.40.1 family inet unicast

[edit]
lab@srx1# set protocols bgp group P1 neighbor 172.16.40.1 family inet6 unicast

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx1# commit
commit complete

Verification:

[edit]
lab@srx1# run show bgp summary
Groups: 2 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 528 512 0 0 0 0
bgp.l3vpn.0 10 10 0 0 0 0
inet6.0 119 103 0 0 0 0
bgp.l2vpn.0 2 2 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.16.40.1 3456 13827 15641 0 0 4d 10:34:23
Establ
inet.0: 16/16/16/0
inet6.0: 16/16/16/0
46

9





470 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 4.3: Customer BGP policy

• From C1 and C2, accept only prefixes that originated from within their ASes. Ensure
that the prefixes received from C1 and C2 can be distinguished from the prefixes
received from other eBGP neighbors.
• Make sure that both customers receive only a default IPv4 route that is advertised
through BGP. Communication between customers C1 and C2 should not be
restricted.

On All devices:

[edit]
lab@srx1# set policy-options community customer members 5678:2000

[edit]
lab@srx1# set policy-options community partner members 5678:3000

[edit]
lab@srx1# set policy-options community upstream members 5678:1000

On SRX8 device:

[edit]
lab@srx8# set policy-options policy-statement adv.from.C1 term 2 from as-path
C1.as.path

[edit]
lab@srx8# set policy-options policy-statement adv.from.C1 term 2 then community
add customer

[edit]
lab@srx8# set policy-options policy-statement adv.from.C1 term 2 then accept

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx8# set policy-options policy-statement adv.from.C1 term 3 then reject

[edit]
lab@srx8# set policy-options policy-statement adv.to.C1 term 1 from route-filter
0.0.0.0/0 exact

[edit]
lab@srx8# set policy-options policy-statement adv.to.C1 term 1 then accept

[edit]
lab@srx8# set policy-options policy-statement adv.to.C1 term 2 then reject

[edit]
lab@srx8# set policy-options as-path C1.as.path "^65020$"

[edit]
lab@srx8# set protocols bgp group C1 import adv.from.C1

[edit]
lab@srx8# set protocols bgp group C1 export adv.to.C1
47
[edit] 0
lab@srx8# commit




471 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

commit complete

On SRX7 device:

[edit]
lab@srx7# set policy-options policy-statement adv.to.C2 term 1 from route-filter
0.0.0.0/0 exact

[edit]
lab@srx7# set policy-options policy-statement adv.to.C2 term 1 then accept

[edit]
lab@srx7# set policy-options policy-statement adv.to.C2 term 2 then reject

[edit]
lab@srx7# set policy-options policy-statement adv.from.C2 term 1 from as-path
C2.as.path

[edit]
lab@srx7# set policy-options policy-statement adv.from.C2 term 1 then community
add customer

[edit]
lab@srx7# set policy-options policy-statement adv.from.C2 term 1 then accept

[edit]
lab@srx7# set policy-options policy-statement adv.from.C2 term 2 then reject

[edit]
lab@srx7# set policy-options as-path C2.as.path "^65100$"

[edit]
lab@srx7# set protocols bgp group C2 import adv.from.C2

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx7# set protocols bgp group C2 export adv.to.C2

[edit]
lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx8# run show route community-name customer terse

inet.0: 545 destinations, 545 routes (545 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

A Destination P Prf Metric 1 Metric 2 Next hop AS path

* 10.10.32.0/24 B 170 100 >172.16.220.2 65020 I
* 10.10.33.0/24 B 170 100 >172.16.220.2 65020 I
* 10.10.34.0/24 B 170 100 >172.16.220.2 65020 I
* 10.10.35.0/24 B 170 100 >172.16.220.2 65020 I
* 10.10.36.0/24 B 170 100 >172.16.220.2 65020 I
* 10.10.37.0/24 B 170 100 >172.16.220.2 65020 I
47
* 10.10.38.0/24 B 170 100 >172.16.220.2 65020 I
1
* 10.10.39.0/24 B 170 100 >172.16.220.2 65020 I




472 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

* 10.10.40.0/24 B 170 100 >172.16.220.2 65020 I

* 10.10.41.0/24 B 170 100 >172.16.220.2 65020 I
* 10.10.42.0/24 B 170 100 >172.16.220.2 65020 I
* 10.10.43.0/24 B 170 100 >172.16.220.2 65020 I

[edit]
lab@srx8# run show route advertising-protocol bgp 172.16.220.2

inet.0: 545 destinations, 545 routes (545 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
* 0.0.0.0/0 Self 20 I

• There is an agreement with C1 that traffic for prefixes advertised with community
65020:666 should be black holed in AS 5678. Make sure that this is accomplished.

On SRX8 device:

[edit]
lab@srx8# set policy-options policy-statement adv.from.C1 term 1 from community
blackhole

[edit]
lab@srx8# set policy-options policy-statement adv.from.C1 term 1 then next-hop
discard

[edit]
lab@srx8# insert policy-options policy-statement adv.from.C1 term 1 before term 2

[edit]
lab@srx8# set policy-options community blackhole members 65020:666

[edit]
lab@srx8# commit
commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

Verification:

[edit]
lab@srx8# run show route community-name blackhole

inet.0: 545 destinations, 545 routes (545 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.10.44.0/24 *[BGP/170] 01:09:57, localpref 100, from 172.16.220.2

AS path: 65020 I
Discard

Task 4.4: Upstream BGP policy

• Accept all prefixes from all Upstream neighbors except any IPv4 or IPv6 default
routes or any IPv4 RFC1918 routes.
• Make sure that hidden routes are not kept in memory on the SRX3, SRX6 and SRX7 to
preserve resources on those routers. 47
2





473 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

• Ensure that the prefixes received from U1, U2 and U3 can be distinguished from the
prefixes received from other eBGP neighbors.

On SRX3, SRX7 and SRX6 devices:

[edit]
lab@srx3# set policy-options policy-statement adv.from.U1 term 1 from route-filter
10.0.0.0/8 orlonger reject

[edit]
lab@srx3# set policy-options policy-statement adv.from.U1 term 1 from route-filter
172.16.0.0/12 orlonger reject

[edit]
lab@srx3# set policy-options policy-statement adv.from.U1 term 1 from route-filter
182.168.0.0/16 orlonger reject

[edit]
lab@srx3# set policy-options policy-statement adv.from.U1 term 1 from route-filter
0.0.0.0/0 through 0.0.0.0/32 reject

[edit]
lab@srx3# set policy-options policy-statement adv.from.U1 term 2 then community
add upstream

[edit]
lab@srx3# set protocols bgp group U1 import adv.from.U1

[edit]
lab@srx3# set protocols bgp keep none

[edit]
lab@srx3# commit
commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

On SRX6 device:

[edit]
lab@srx6# set policy-options policy-statement adv.from.U3 term 2 from route-filter
::/0 through ::/128 reject

[edit]
lab@srx6# commit
commit complete

Verification:

[edit]
lab@srx3# run show route community-name upstream

inet.0: 571 destinations, 593 routes (571 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

1.64.0.0/10 *[BGP/170] 01:17:39, localpref 200

AS path: 1516 1620 61671 I 47
> to 172.16.45.1 via ge-0/0/3.450 3
1.84.160.0/20 *[BGP/170] 01:17:39, localpref 200




474 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

AS path: 1516 1620 33112 I

> to 172.16.45.1 via ge-0/0/3.450
1.96.0.0/11 *[BGP/170] 01:17:39, localpref 200
AS path: 1516 1620 33112 63164 40776 51777 I
> to 172.16.45.1 via ge-0/0/3.450
1.161.192.0/21 *[BGP/170] 01:17:39, localpref 200
AS path: 1516 1620 33112 30404 32138 45045 I
> to 172.16.45.1 via ge-0/0/3.450

• Advertise local and RIP prefixes to Upstream neighbors using the iBGP prefixes
advertised from SRX4 and SRX5. You are not allowed to create additional aggregate
routes.

On SRX3, SRX7 and SRX6 devices:

[edit]
lab@srx3# set protocols bgp advertise-inactive

[edit]
lab@srx3# commit
commit complete

Verification:

[edit]
lab@srx3# run show route advertising-protocol bgp 172.16.45.1 172.31/16

inet.0: 571 destinations, 593 routes (571 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
172.31.0.0/24 Self I
172.31.1.0/24 Self I
172.31.2.0/24 Self I
172.31.3.0/24 Self I

JNCIE-SP workbook: Appendix – Full day lab challenge

172.31.4.0/24 Self I
172.31.5.0/24 Self I
172.31.6.0/24 Self I
172.31.7.0/24 Self I
172.31.8.0/24 Self I
172.31.9.0/24 Self I
172.31.10.0/24 Self I
172.31.11.0/24 Self I
172.31.12.0/24 Self I
172.31.13.0/24 Self I
172.31.14.0/24 Self I
172.31.15.0/24 Self I

• Configure SRX3 to be the preferred egress and ingress point to and from Upstream
prefixes. You are not allowed to use as-path prepend.

On SRX3 device:

[edit]
lab@srx3# set policy-options policy-statement adv.from.U1 term 2 then local-
preference 200 47
4





475 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx3# commit
commit complete

On SRX7 device:

[edit]
lab@srx7# set policy-options policy-statement adv.to.U2 term 2 then origin egp

[edit]
lab@srx7# set protocols bgp group U2 export adv.to.U2

[edit]
lab@srx7# commit
commit complete

• Ensure that prefixes originated from U3 are directly accessible from SRX6. Make SRX6
less preferred compared to SRX3 and SRX7 for prefixes from and to Upstream. Again,
you are not allowed to use as-path prepend.

On SRX6 device:

[edit]
lab@srx6# set policy-options policy-statement adv.from.U3 term 4 from as-path
U3.as.path

[edit]
lab@srx6# set policy-options policy-statement adv.from.U3 term 4 then local-
preference 250

[edit]
lab@srx6# set policy-options policy-statement adv.from.U3 term 4 from as-path

JNCIE-SP workbook: Appendix – Full day lab challenge

U3.as.path

[edit]
lab@srx6# set policy-options policy-statement adv.from.U3 term 4 then local-
preference 250

[edit]
lab@srx6# set policy-options policy-statement adv.to.U3 term 2 then origin
incomplete

[edit]
lab@srx6# commit
commit complete

Verification:

[edit]
lab@srx6# run show route aspath-regex "^43\.356$"

inet.0: 573 destinations, 1052 routes (573 active, 16 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both
47
5
14.9.9.0/24 *[BGP/170] 01:55:05, localpref 250, from 192.168.50.1




476 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

AS path: 2818404 I
to 172.16.231.2 via ge-0/0/3.310
> to 172.16.232.2 via ge-0/0/3.320
45.26.0.0/16 *[BGP/170] 01:55:05, localpref 250, from 192.168.50.1
AS path: 2818404 I
> to 172.16.231.2 via ge-0/0/3.310
to 172.16.232.2 via ge-0/0/3.320
120.128.0.0/20 *[BGP/170] 01:55:04, localpref 250, from 192.168.50.1
AS path: 2818404 I
to 172.16.231.2 via ge-0/0/3.310
> to 172.16.232.2 via ge-0/0/3.320
160.34.192.0/24 *[BGP/170] 01:55:03, localpref 250, from 192.168.50.1
AS path: 2818404 I
> to 172.16.231.2 via ge-0/0/3.310
to 172.16.232.2 via ge-0/0/3.320
193.35.40.0/22 *[BGP/170] 01:55:03, localpref 250, from 192.168.50.1
AS path: 2818404 I
to 172.16.231.2 via ge-0/0/3.310
> to 172.16.232.2 via ge-0/0/3.320

• Make sure that AS 5678 is not used as a transit AS between Upstream neighbors and
Customer neighbors.


[edit]
lab@srx3# set policy-options policy-statement adv.to.U1 term 1 from community
customer

[edit]
lab@srx3# set policy-options policy-statement adv.to.U1 term 1 then reject

[edit]
lab@srx3# commit
commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

• For routing information received from SRX3, ensure that SRX6 maps prefixes with a
length between /8 and /16 to LSP srx6-to-srx3-2. All other prefixes received from
SRX3 should be mapped to LSP srx6-to-srx3-1. You are not allowed to use or change a
forwarding-table policy to accomplish this.

[edit]
lab@srx3# set policy-options policy-statement adv.to.ibgp term 1 from route-filter
0.0.0.0/0 prefix-length-range /8-/16

[edit]
lab@srx3# set policy-options policy-statement adv.to.ibgp term 1 then next-hop
3.3.3.3

[edit]
lab@srx3# set policy-options policy-statement adv.to.ibgp term 1 then accept

[edit]
lab@srx3# set policy-options policy-statement adv.to.ibgp term 2 then next-hop
self
47
[edit] 6
lab@srx3# commit




477 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

commit complete

Verification:

[edit]
lab@srx6# run show route 3.189.0.0/16

inet.0: 573 destinations, 1052 routes (573 active, 16 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

3.189.0.0/16 *[BGP/170] 02:09:56, localpref 200, from 172.30.30.19

AS path: 1516 1620 33112 41164 7136 6370 35389 39823 16965 I
> to 172.30.0.41 via ge-0/0/4.56, label-switched-path srx6-to-
srx3-2
[BGP/170] 02:10:17, localpref 100, from 192.168.50.1
AS path: 2818404 1620 33112 41164 7136 6370 35389 39823
16965 I
to 172.16.231.2 via ge-0/0/3.310
> to 172.16.232.2 via ge-0/0/3.320

Task 4.5: Partner BGP policy

Except for any IPv4 or IPv6 default routes or RFC1918 routes, accept all prefixes from
•
the Partner neighbor.
• Ensure that the prefixes received from P1 can be distinguished from the prefixes
received from other eBGP neighbors.

On SRX1 device:

[edit]
lab@srx1# set policy-options policy-statement adv.from.P1 term 1 from route-filter
10.0.0.0/8 orlonger reject

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx1# set policy-options policy-statement adv.from.P1 term 1 from route-filter
172.16.0.0/12 orlonger reject

[edit]
lab@srx1# set policy-options policy-statement adv.from.P1 term 1 from route-filter
182.168.0.0/16 orlonger reject

[edit]
lab@srx1# set policy-options policy-statement adv.from.P1 term 1 from route-filter
0.0.0.0/0 through 0.0.0.0/32 reject

[edit]
lab@srx1# set policy-options policy-statement adv.from.P1 term 2 then community
add partner

[edit]
lab@srx1# set protocols bgp group P1 import adv.from.P1

[edit]
lab@srx1# commit
commit complete 47
7





478 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Verification:

[edit]
lab@srx1# run show route community-name partner terse

inet.0: 569 destinations, 603 routes (569 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

A Destination P Prf Metric 1 Metric 2 Next hop AS path

* 195.24.32.0/24 B 170 100 >172.16.40.1 3456 I
* 195.25.33.0/24 B 170 100 >172.16.40.1 3456 I
* 195.26.34.0/24 B 170 100 >172.16.40.1 3456 I
* 195.27.35.0/24 B 170 100 >172.16.40.1 3456 I
* 195.28.36.0/24 B 170 100 >172.16.40.1 3456 I
* 195.29.37.0/24 B 170 100 >172.16.40.1 3456 I
* 195.30.38.0/24 B 170 100 >172.16.40.1 3456 I
* 195.31.39.0/24 B 170 100 >172.16.40.1 3456 I
* 195.32.40.0/24 B 170 100 >172.16.40.1 3456 I
* 195.33.41.0/24 B 170 100 >172.16.40.1 3456 I
* 195.34.42.0/24 B 170 100 >172.16.40.1 3456 I
* 195.35.43.0/24 B 170 100 >172.16.40.1 3456 I
* 195.36.44.0/24 B 170 100 >172.16.40.1 3456 I
* 195.36.45.0/24 B 170 100 >172.16.40.1 3456 I
* 195.36.46.0/24 B 170 100 >172.16.40.1 3456 I
* 195.36.47.0/24 B 170 100 >172.16.40.1 3456 I

• Advertise local and RIP prefixes to P1 neighbor using the iBGP prefixes advertised
from SRX4 and SRX5. You are not allowed to create additional aggregate routes.

On SRX1 device:

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx1# set protocols bgp advertise-inactive

[edit]
lab@srx1# commit
commit complete

Verification:

[edit]
lab@srx1# run show route advertising-protocol bgp 172.16.40.1 172.31/16

inet.0: 569 destinations, 603 routes (569 active, 0 holddown, 0 hidden)

Prefix Nexthop MED Lclpref AS path
172.31.0.0/24 Self I
172.31.1.0/24 Self I
172.31.2.0/24 Self I
172.31.3.0/24 Self I
172.31.4.0/24 Self I
172.31.5.0/24 Self I
172.31.6.0/24 Self I
172.31.7.0/24 Self I 47
8
172.31.8.0/24 Self I





479 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

172.31.9.0/24 Self I
172.31.10.0/24 Self I
172.31.11.0/24 Self I
172.31.12.0/24 Self I
172.31.13.0/24 Self I
172.31.14.0/24 Self I
172.31.15.0/24 Self I

Task 4.6: IPv6 tunneling

• Provide IPv6 connectivity between P1 and U3 across LSPs. Create additional LSPs if
needed.

On All devices and RR device:

[edit]
lab@srx1# set protocols bgp group cluster-1 family inet6 labeled-unicast explicit-
null

On SRX1 andSRX6 device:

[edit]
lab@srx1# set protocols mpls ipv6-tunneling

[edit]
lab@srx1# commit
commit complete

[edit]
lab@route-reflector# set routing-options rib inet6.3 static route
0:0:0:0:0:ffff::/96 receive

lab@route-reflector# commit
commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

Verification:

[edit]
lab@srx6# run show route fd17:f0f4:f691:d::/64

inet6.0: 135 destinations, 173 routes (135 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

fd17:f0f4:f691:d::/80
*[BGP/170] 02:27:51, localpref 100, from 172.30.30.19
AS path: 3456 I
> to 172.30.0.37 via ge-0/0/4.46, label-switched-path srx6-to-
srx1
fd17:f0f4:f691:d:1::/80
*[BGP/170] 02:27:51, localpref 100, from 172.30.30.19
AS path: 3456 I
> to 172.30.0.37 via ge-0/0/4.46, label-switched-path srx6-to-
srx1
fd17:f0f4:f691:d:2::/80 47
9

*[BGP/170] 02:27:51, localpref 100, from 172.30.30.19

480 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

AS path: 3456 I
> to 172.30.0.37 via ge-0/0/4.46, label-switched-path srx6-to-
srx1
fd17:f0f4:f691:d:3::/80
*[BGP/170] 02:27:51, localpref 100, from 172.30.30.19
AS path: 3456 I
> to 172.30.0.37 via ge-0/0/4.46, label-switched-path srx6-to-
srx1
fd17:f0f4:f691:d:4::/80
*[BGP/170] 02:27:51, localpref 100, from 172.30.30.19
AS path: 3456 I
> to 172.30.0.37 via ge-0/0/4.46, label-switched-path srx6-to-
srx1
fd17:f0f4:f691:d:5::/80
*[BGP/170] 02:27:51, localpref 100, from 172.30.30.19
AS path: 3456 I
> to 172.30.0.37 via ge-0/0/4.46, label-switched-path srx6-to-
srx1
fd17:f0f4:f691:d:6::/80
*[BGP/170] 02:27:51, localpref 100, from 172.30.30.19
AS path: 3456 I
> to 172.30.0.37 via ge-0/0/4.46, label-switched-path srx6-to-
srx1
fd17:f0f4:f691:d:7::/80
*[BGP/170] 02:27:51, localpref 100, from 172.30.30.19
AS path: 3456 I
> to 172.30.0.37 via ge-0/0/4.46, label-switched-path srx6-to-
srx1
fd17:f0f4:f691:d:8::/80
*[BGP/170] 02:27:51, localpref 100, from 172.30.30.19
AS path: 3456 I
> to 172.30.0.37 via ge-0/0/4.46, label-switched-path srx6-to-
srx1

Use SRX7 to advertise AS 5678 IPv6 prefixes for MPLS core. Make sure those prefixes

JNCIE-SP workbook: Appendix – Full day lab challenge

•
are advertised to P1 and U3.
• You are allowed to use one static route if needed.

On SRX6 device:

[edit]
lab@srx6# set protocols mpls label-switched-path srx6-to-srx7 to 172.30.30.7

lab@srx6# commit
commit complete

On SRX7 device:

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx6 to 172.30.30.6

[edit]
lab@srx7# set policy-options policy-statement adv.to.ibgp term 1 from rib inet6.0
48
[edit]
0





481 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx7# set policy-options policy-statement adv.to.ibgp term 1 from route-filter

fd17:f0f4:fe:f::/64 orlonger

[edit]
lab@srx7# set policy-options policy-statement adv.to.ibgp term 1 then accept

[edit]
lab@srx7# set protocols bgp group cluster-2 export adv.to.ibgp

lab@srx7# commit
commit complete

Verification:

[edit]
lab@srx6# run show route fd17:f0f4:fe:f::/64

inet6.0: 135 destinations, 173 routes (135 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

fd17:f0f4:fe:f::/80*[OSPF3/150] 02:48:05, metric 10, tag 100

> to fe80::20c:2900:3886:eee0 via ge-0/0/4.56
[IS-IS/160] 02:47:40, metric 50
> to fe80::20c:2900:44b1:d06b via ge-0/0/4.68
[BGP/170] 02:46:26, MED 10, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.41 via ge-0/0/4.56, label-switched-path srx6-to-
srx7
fd17:f0f4:fe:f:1::/80
*[OSPF3/150] 02:48:05, metric 10, tag 100
> to fe80::20c:2900:3886:eee0 via ge-0/0/4.56
[IS-IS/160] 02:47:40, metric 50
> to fe80::20c:2900:44b1:d06b via ge-0/0/4.68
[BGP/170] 02:46:26, MED 10, localpref 100, from 172.30.30.19
AS path: I

JNCIE-SP workbook: Appendix – Full day lab challenge

> to 172.30.0.41 via ge-0/0/4.56, label-switched-path srx6-to-
srx7

[edit]

Task 4.7: BGP general requirements

• Assume that all routers in the AS 5678 domain do not support 4byte AS.
• No hidden or unresolved routes should be present in AS 5678.
• No static routes are allowed if not explicitly permitted by particular task.
• Ensure optimal routing in the network.

On All devices:

[edit]
lab@srx6# set policy-options policy-statement nhs term 1 then next-hop self

[edit]
lab@srx6# set protocols bgp group cluster-2 export nhs
48
1
lab@srx6# commit




482 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

48
2





483 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Part 5: VPN

Task 5.1: VPN Infrastructure
• To resolve the hidden iBGP routes on the RR, do not use rib-groups, static routes or
any solution that requires enabling family mpls on the RR interfaces.

On All devices and RR device:

[edit]
lab@srx1# set protocols bgp group cluster-1 family inet unicast

[edit]
lab@srx1# set protocols bgp group cluster-1 family inet-vpn unicast

[edit]
lab@srx1# set protocols bgp group cluster-1 family l2vpn signaling

On RR device:

[edit]
lab@route-reflector# set routing-options resolution rib bgp.l3vpn.0 resolution-
ribs inet.0

[edit]
lab@route-reflector# set routing-options resolution rib bgp.l2vpn.0 resolution-
ribs inet.0

[edit]
lab@route-reflector# commit
commit complete

Verification:

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@route-reflector# run show route resolution unresolved
Tree Index 1
Tree Index 2
Tree Index 3

Task 5.2: OSPF-based L3VPN

• Configure a hub-and-spoke VPN between SRX1, SRX2 and SRX7.
• The CE router behind SRX7 is a VPN hub and all communication between the spokes
should run through it via its two logical interfaces.
• Make sure that a traceroute between the spokes display all hops.
• Setup missing RSVP LSPs where appropriate.
• PE-CE protocol is OSPF. Make sure that the OSPF interface-type used is point-to-
point.
• Route-distinguisher and route-target values can be any of your choice. Make sure 48
that every prefix advertised by a spoke is easily recognized. 3





484 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

On SRX7 device:

[edit]
lab@srx7# set routing-options route-distinguisher-id 172.30.30.7

[edit]
lab@srx7# set interfaces ge-0/0/4 unit 601 vlan-id 601 family inet address
192.168.61.1/30

[edit]
lab@srx7# set interfaces ge-0/0/4 unit 602 vlan-id 602 family inet address
192.168.62.1/30

[edit]
lab@srx7# set routing-instances VPNA-HUB instance-type vrf

[edit]
lab@srx7# set routing-instances VPNA-HUB interface ge-0/0/4.601

[edit]
lab@srx7# set routing-instances VPNA-HUB vrf-import vpna.null

[edit]
lab@srx7# set routing-instances VPNA-HUB vrf-export vpna.hub.export

[edit]
lab@srx7# set routing-instances VPNA-HUB vrf-table-label

[edit]
lab@srx7# set routing-instances VPNA-HUB protocols ospf area 0.0.0.0 interface ge-
0/0/4.601 interface-type p2p

[edit]
lab@srx7# set routing-instances VPNA-SPOKE instance-type vrf

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx7# set routing-instances VPNA-SPOKE interface ge-0/0/4.602

[edit]
lab@srx7# set routing-instances VPNA-SPOKE vrf-import vpna.spoke.import

[edit]
lab@srx7# set routing-instances VPNA-SPOKE vrf-export vpna.null

[edit]
lab@srx7# set routing-instances VPNA-SPOKE vrf-table-label

[edit]
lab@srx7# set routing-instances VPNA-SPOKE protocols ospf domain-id disable

[edit]
lab@srx7# set routing-instances VPNA-SPOKE protocols ospf domain-vpn-tag 0

[edit]
lab@srx7# set routing-instances VPNA-SPOKE protocols ospf export vpna.ospf.export
48
[edit] 4





485 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx7# set routing-instances VPNA-SPOKE protocols ospf area 0.0.0.0 interface

ge-0/0/4.602 interface-type p2p

[edit]
lab@srx7# set policy-options community VPNA-HUB members target:5678:601

[edit]
lab@srx7# set policy-options community VPNA-SPOKE members target:5678:602

[edit]
lab@srx7# set policy-options policy-statement vpna.hub.export term 1 from protocol
ospf

[edit]
lab@srx7# set policy-options policy-statement vpna.hub.export term 1 from protocol
direct

[edit]
lab@srx7# set policy-options policy-statement vpna.hub.export term 1 then
community add VPNA-HUB

[edit]
lab@srx7# set policy-options policy-statement vpna.hub.export term 1 then accept

[edit]
lab@srx7# set policy-options policy-statement vpna.null term 1 then reject

[edit]
lab@srx7# set policy-options policy-statement vpna.ospf.export term 1 from
protocol bgp

[edit]
lab@srx7# set policy-options policy-statement vpna.ospf.export term 1 then accept

[edit]
lab@srx7# set policy-options policy-statement vpna.spoke.import term 1 from

JNCIE-SP workbook: Appendix – Full day lab challenge

protocol bgp

[edit]
lab@srx7# set policy-options policy-statement vpna.spoke.import term 1 from
community VPNA-SPOKE

[edit]
lab@srx7# set policy-options policy-statement vpna.spoke.import term 1 then accept

[edit]
lab@srx7# set policy-options policy-statement vpna.spoke.import term 2 then reject

[edit]
lab@srx7# set protocols mpls icmp-tunneling

lab@srx7# commit
commit complete

On SRX1 device:

[edit] 48
5
lab@srx1# set routing-options route-distinguisher-id 172.30.30.1





486 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx1# set interfaces ge-0/0/4 unit 603 vlan-id 603 family inet address
192.168.63.1/30

[edit]
lab@srx1# set routing-instances VPNA-SPOKE1 instance-type vrf

[edit]
lab@srx1# set routing-instances VPNA-SPOKE1 interface ge-0/0/4.603

[edit]
lab@srx1# set routing-instances VPNA-SPOKE1 vrf-import vpna.import

[edit]
lab@srx1# set routing-instances VPNA-SPOKE1 vrf-export vpna.export

[edit]
lab@srx1# set routing-instances VPNA-SPOKE1 vrf-table-label

[edit]
lab@srx1# set routing-instances VPNA-SPOKE1 protocols ospf export vpna.ospf.export

[edit]
lab@srx1# set routing-instances VPNA-SPOKE1 protocols ospf area 0.0.0.0 interface
ge-0/0/4.603 interface-type p2p

[edit]
lab@srx1# set policy-options policy-statement vpna.export term 1 from protocol
ospf

[edit]
lab@srx1# set policy-options policy-statement vpna.export term 1 from protocol
direct

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx1# set policy-options policy-statement vpna.export term 1 then community
add VPNA-SPOKE

[edit]
lab@srx1# set policy-options policy-statement vpna.export term 1 then community
add SPOKE-1

[edit]
lab@srx1# set policy-options policy-statement vpna.export term 1 then accept

[edit]
lab@srx1# set policy-options policy-statement vpna.export term 2 then reject

[edit]
lab@srx1# set policy-options policy-statement vpna.import term 1 from protocol bgp

[edit]
lab@srx1# set policy-options policy-statement vpna.import term 1 from community
VPNA-HUB

[edit]
48
lab@srx1# set policy-options policy-statement vpna.import term 1 then accept
6





487 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx1# set policy-options policy-statement vpna.import term 2 then reject

[edit]
lab@srx1# set policy-options policy-statement vpna.ospf.export term 1 from
protocol bgp

[edit]
lab@srx1# set policy-options policy-statement vpna.ospf.export term 1 then accept

[edit]
lab@srx1# set policy-options community SPOKE-1 members origin:172.30.30.1:602

[edit]
lab@srx1# set policy-options community VPNA-HUB members target:5678:601

[edit]
lab@srx1# set policy-options community VPNA-SPOKE members target:5678:602

[edit]
lab@srx1# set protocols mpls icmp-tunneling

lab@srx1# commit
commit complete

On SRX2 device:

[edit]
lab@srx2# set routing-options route-distinguisher-id 172.30.30.2

[edit]
lab@srx2# set interfaces ge-0/0/3 unit 604 vlan-id 604 family inet address
192.168.64.1/30

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx2# set routing-instances VPNA-SPOKE2 instance-type vrf

[edit]
lab@srx2# set routing-instances VPNA-SPOKE2 interface ge-0/0/4.604

[edit]
lab@srx2# set routing-instances VPNA-SPOKE2 vrf-import vpna.import

[edit]
lab@srx2# set routing-instances VPNA-SPOKE2 vrf-export vpna.export

[edit]
lab@srx2# set routing-instances VPNA-SPOKE2 vrf-table-label

[edit]
lab@srx2# set routing-instances VPNA-SPOKE2 protocols ospf export vpna.ospf.export

[edit]
lab@srx2# set routing-instances VPNA-SPOKE2 protocols ospf area 0.0.0.0 interface
ge-0/0/4.604 interface-type p2p

[edit] 48
7
lab@srx2# set routing-instances VPNB-2 instance-type vrf





488 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx2# set routing-instances VPNB-2 interface ge-0/0/3.833

[edit]
lab@srx2# set routing-instances VPNB-2 vrf-target target:5678:500

[edit]
lab@srx2# set routing-instances VPNB-2 vrf-table-label

[edit]
lab@srx2# set routing-instances VPNB-2 protocols bgp group site-2 advertise-peer-
as

[edit]
lab@srx2# set routing-instances VPNB-2 protocols bgp group site-2 peer-as 64512

[edit]
lab@srx2# set routing-instances VPNB-2 protocols bgp group site-2 neighbor
192.168.83.2

[edit]
lab@srx2# set policy-options policy-statement vpna.export term 1 from protocol
ospf

[edit]
lab@srx2# set policy-options policy-statement vpna.export term 1 from protocol
direct

[edit]
lab@srx2# set policy-options policy-statement vpna.export term 1 then community
add VPNA-SPOKE

[edit]
lab@srx2# set policy-options policy-statement vpna.export term 1 then community
add SPOKE-2

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx2# set policy-options policy-statement vpna.export term 1 then accept

[edit]
lab@srx2# set policy-options policy-statement vpna.export term 2 then reject

[edit]
lab@srx2# set policy-options policy-statement vpna.import term 1 from protocol bgp

[edit]
lab@srx2# set policy-options policy-statement vpna.import term 1 from community
VPNA-HUB

[edit]
lab@srx2# set policy-options policy-statement vpna.import term 1 then accept

[edit]
lab@srx2# set policy-options policy-statement vpna.import term 2 then reject

[edit]
48
lab@srx2# set policy-options policy-statement vpna.ospf.export term 1 from
8
protocol bgp




489 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx2# set policy-options policy-statement vpna.ospf.export term 1 then accept

[edit]
lab@srx2# set protocols mpls icmp-tunneling

lab@srx2# commit
commit complete

Verification:

lab@srx7# run show route table VPNA-HUB.inet.0

VPNA-HUB.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.10.60.0/24 *[OSPF/10] 03:59:03, metric 1

> to 192.168.61.2 via ge-0/0/4.601
10.10.60.1/32 *[OSPF/10] 03:59:03, metric 1
> to 192.168.61.2 via ge-0/0/4.601
10.10.63.0/24 *[OSPF/150] 03:02:47, metric 1, tag 0
> to 192.168.61.2 via ge-0/0/4.601
10.10.63.1/32 *[OSPF/150] 03:02:47, metric 1, tag 0
> to 192.168.61.2 via ge-0/0/4.601
10.10.64.0/24 *[OSPF/150] 02:29:53, metric 1, tag 0
> to 192.168.61.2 via ge-0/0/4.601
10.10.64.1/32 *[OSPF/150] 02:29:53, metric 1, tag 0
> to 192.168.61.2 via ge-0/0/4.601
192.168.61.0/30 *[Direct/0] 04:00:05
> via ge-0/0/4.601
192.168.61.1/32 *[Local/0] 04:00:05
Local via ge-0/0/4.601
192.168.62.0/30 *[OSPF/10] 03:59:03, metric 2
> to 192.168.61.2 via ge-0/0/4.601

JNCIE-SP workbook: Appendix – Full day lab challenge

192.168.63.0/30 *[OSPF/150] 03:02:47, metric 0, tag 0
> to 192.168.61.2 via ge-0/0/4.601
192.168.64.0/30 *[OSPF/150] 02:29:53, metric 0, tag 0
> to 192.168.61.2 via ge-0/0/4.601
224.0.0.5/32 *[OSPF/10] 04:00:09, metric 1
MultiRecv

[edit]
lab@srx7# run show route table VPNA-SPOKE.inet.0

VPNA-SPOKE.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.10.60.0/24 *[OSPF/10] 03:59:20, metric 1

> to 192.168.62.2 via ge-0/0/4.602
10.10.60.1/32 *[OSPF/10] 03:59:20, metric 1
> to 192.168.62.2 via ge-0/0/4.602
10.10.63.0/24 *[BGP/170] 03:03:00, MED 1, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-
srx1
10.10.63.1/32 *[BGP/170] 03:03:00, MED 1, localpref 100, from 172.30.30.19 48
9
AS path: I





490 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

> to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-

srx1
10.10.64.0/24 *[BGP/170] 02:30:18, MED 1, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.45 via ge-0/0/4.57, label-switched-path srx7-to-
srx2
to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-
srx2-l2circuit
to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-
srx2
10.10.64.1/32 *[BGP/170] 02:30:18, MED 1, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.45 via ge-0/0/4.57, label-switched-path srx7-to-
srx2
to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-
srx2-l2circuit
to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-
srx2
192.168.61.0/30 *[OSPF/10] 03:59:20, metric 2
> to 192.168.62.2 via ge-0/0/4.602
192.168.62.0/30 *[Direct/0] 04:00:29
> via ge-0/0/4.602
192.168.62.1/32 *[Local/0] 04:00:29
Local via ge-0/0/4.602
192.168.63.0/30 *[BGP/170] 03:03:00, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-
srx1
192.168.64.0/30 *[BGP/170] 02:30:18, localpref 100, from 172.30.30.19
AS path: I
to 172.30.0.45 via ge-0/0/4.57, label-switched-path srx7-to-
srx2
> to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-
srx2-l2circuit
to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-
srx2

JNCIE-SP workbook: Appendix – Full day lab challenge

224.0.0.5/32 *[OSPF/10] 04:00:33, metric 1
MultiRecv

lab@srx1# run show route table VPNA-SPOKE1.inet.0

VPNA-SPOKE1.inet.0: 12 destinations, 15 routes (12 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.10.60.0/24 *[BGP/170] 03:07:51, MED 1, localpref 100, from 172.30.30.19

AS path: I
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
srx7
10.10.60.1/32 *[BGP/170] 03:07:51, MED 1, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
srx7
10.10.63.0/24 *[OSPF/10] 04:04:16, metric 1
> to 192.168.63.2 via ge-0/0/4.603
[BGP/170] 03:07:51, MED 1, localpref 100, from 172.30.30.19
AS path: I
49
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
0
srx7




491 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

10.10.63.1/32 *[OSPF/10] 04:04:16, metric 1

> to 192.168.63.2 via ge-0/0/4.603
[BGP/170] 03:07:51, MED 1, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
srx7
10.10.64.0/24 *[BGP/170] 02:35:07, MED 1, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
srx7
10.10.64.1/32 *[BGP/170] 02:35:07, MED 1, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
srx7
192.168.61.0/30 *[BGP/170] 03:07:51, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
srx7
192.168.62.0/30 *[BGP/170] 03:07:51, MED 2, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
srx7
192.168.63.0/30 *[Direct/0] 04:04:54
> via ge-0/0/4.603
[BGP/170] 03:07:51, MED 0, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
srx7
192.168.63.1/32 *[Local/0] 04:04:54
Local via ge-0/0/4.603
192.168.64.0/30 *[BGP/170] 02:35:07, MED 0, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.2 via ge-0/0/4.13, label-switched-path srx1-to-
srx7
224.0.0.5/32 *[OSPF/10] 04:04:57, metric 1
MultiRecv

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]

lab@srx2# run show route table VPNA-SPOKE2.inet.0

VPNA-SPOKE2.inet.0: 12 destinations, 15 routes (12 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.10.60.0/24 *[BGP/170] 02:35:24, MED 1, localpref 100, from 172.30.30.19

AS path: I
to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
> to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-
srx7-l2circuit
to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-
>172.30.0.18->172.30.0.34
10.10.60.1/32 *[BGP/170] 02:35:24, MED 1, localpref 100, from 172.30.30.19
AS path: I
to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
> to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-
49
srx7-l2circuit
1





492 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-

>172.30.0.18->172.30.0.34
10.10.63.0/24 *[BGP/170] 02:35:24, MED 1, localpref 100, from 172.30.30.19
AS path: I
to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
> to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-
srx7-l2circuit
to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-
>172.30.0.18->172.30.0.34
10.10.63.1/32 *[BGP/170] 02:35:24, MED 1, localpref 100, from 172.30.30.19
AS path: I
to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
> to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-
srx7-l2circuit
to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-
>172.30.0.18->172.30.0.34
10.10.64.0/24 *[OSPF/10] 02:35:33, metric 1
> to 192.168.64.2 via ge-0/0/4.604
[BGP/170] 02:35:22, MED 1, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-
srx7-l2circuit
to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-
>172.30.0.18->172.30.0.34
10.10.64.1/32 *[OSPF/10] 02:35:33, metric 1
> to 192.168.64.2 via ge-0/0/4.604
[BGP/170] 02:35:22, MED 1, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-
srx7-l2circuit

JNCIE-SP workbook: Appendix – Full day lab challenge

to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-
>172.30.0.18->172.30.0.34
192.168.61.0/30 *[BGP/170] 02:35:24, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-
srx7-l2circuit
to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-
>172.30.0.18->172.30.0.34
192.168.62.0/30 *[BGP/170] 02:35:24, MED 2, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-
srx7-l2circuit
to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-
>172.30.0.18->172.30.0.34
192.168.63.0/30 *[BGP/170] 02:35:24, MED 0, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
49
srx7
2





493 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-

srx7-l2circuit
to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-
>172.30.0.18->172.30.0.34
192.168.64.0/30 *[Direct/0] 02:35:53
> via ge-0/0/4.604
[BGP/170] 02:35:23, MED 0, localpref 100, from 172.30.30.19
AS path: I
to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
> to 172.30.0.14 via ge-0/0/4.23, label-switched-path srx2-to-
srx7-l2circuit
to 172.30.0.14 via ge-0/0/4.23, label-switched-path Bypass-
>172.30.0.18->172.30.0.34
192.168.64.1/32 *[Local/0] 02:35:53
Local via ge-0/0/4.604
224.0.0.5/32 *[OSPF/10] 02:35:54, metric 1
MultiRecv

[edit]
lab@srx2#

lab@vrdevice> traceroute routing-instance VPNA-S2 192.168.63.2 source 192.168.64.2

traceroute to 192.168.63.2 (192.168.63.2) from 192.168.64.2, 30 hops max, 40 byte
packets
1 192.168.64.1 (192.168.64.1) 8.417 ms 9.965 ms 7.812 ms
2 172.30.0.14 (172.30.0.14) 3.971 ms 4.462 ms 3.294 ms
MPLS Label=300528 CoS=0 TTL=1 S=0
MPLS Label=16 CoS=0 TTL=1 S=1
3 192.168.61.2 (192.168.61.2) 27.531 ms 25.945 ms 26.916 ms
4 192.168.62.1 (192.168.62.1) 9.649 ms 9.271 ms 9.608 ms
5 172.30.0.25 (172.30.0.25) 4.437 ms 4.483 ms 5.775 ms
MPLS Label=300176 CoS=0 TTL=1 S=0
MPLS Label=16 CoS=0 TTL=1 S=1

JNCIE-SP workbook: Appendix – Full day lab challenge

6 192.168.63.2 (192.168.63.2) 6.726 ms 6.943 ms 7.729 ms

49
3





494 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.3: BGP-based L3VPN

• Configure VPN-B between SRX2 and SRX8.
• Use eBGP as a PE-CE routing protocol, the CE devices are configured with AS64512.
• Route-distinguisher and route-target values can be any of your choice.
• Make sure that all Upstream, Partner and Customer routes are reachable in VPN-B
and the other way around. Designate SRX8 as a point where route leaking is done.
• Make sure that leaked routes are only available in the RIB of the VPN-B VRF. This will
allow th CE attached to SRX8 to have all routes received in BGP without putting an
additional load on the forwarding engine of the SRX.
• You can use single static route to provide routing in the forwarding engine. Advertise
that static to the CE attached behind SRX2.

On SRX8 device:

[edit]
lab@srx8# set routing-options route-distinguisher-id 172.30.30.8

[edit]
lab@srx8# set routing-instances VPNB-1 instance-type vrf

[edit]
lab@srx8# set routing-instances VPNB-1 interface ge-0/0/4.822

[edit]
lab@srx8# set routing-instances VPNB-1 vrf-export VPNB.export

[edit]

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx8# set routing-instances VPNB-1 vrf-target target:5678:500

[edit]
lab@srx8# set routing-instances VPNB-1 vrf-table-label

[edit]
lab@srx8# set routing-instances VPNB-1 routing-options static route 0.0.0.0/0
next-table inet.0

[edit]
lab@srx8# set routing-instances VPNB-1 protocols bgp group site-1 advertise-peer-
as

[edit]
lab@srx8# set routing-instances VPNB-1 protocols bgp group site-1 family inet
unicast rib-group vpnb.inet.to.master

[edit]
lab@srx8# set routing-instances VPNB-1 protocols bgp group site-1 peer-as 64512

[edit]
lab@srx8# set routing-instances VPNB-1 protocols bgp group site-1 neighbor 49
192.168.82.2 4





495 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx8# set policy-options policy-statement VPNB.export term 1 from protocol
static

[edit]
lab@srx8# set policy-options policy-statement VPNB.export term 1 from route-filter
0.0.0.0/0 exact

[edit]
lab@srx8# set policy-options policy-statement VPNB.export term 1 then community
add VPNB

[edit]
lab@srx8# set policy-options policy-statement VPNB.export term 1 then accept

[edit]
lab@srx8# set routing-options interface-routes rib-group inet master.inet.to.vpnb

[edit]
lab@srx8# set routing-options rib-groups master.inet.to.vpnb import-rib inet.0

[edit]
lab@srx8# set routing-options rib-groups master.inet.to.vpnb import-rib VPNB-
1.inet.0

[edit]
lab@srx8# set routing-options rib-groups vpnb.inet.to.master import-rib VPNB-
1.inet.0

[edit]
lab@srx8# set routing-options rib-groups vpnb.inet.to.master import-rib inet.0

[edit]
lab@srx8# set protocols bgp group cluster-2 family inet unicast rib-group
master.inet.to.vpnb

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx8# set policy-options policy-statement no.vpnb.forwarding term 1 from rib
VPNB-1.inet.0

[edit]
lab@srx8# set policy-options policy-statement no.vpnb.forwarding term 1 from
community upstream

[edit]
lab@srx8# set policy-options policy-statement no.vpnb.forwarding term 1 from
community customer

[edit]
lab@srx8# set policy-options policy-statement no.vpnb.forwarding term 1 from
community partner

[edit]
lab@srx8# set policy-options policy-statement no.vpnb.forwarding term 1 then
reject

[edit]
49
lab@srx8# set routing-options forwarding-table export no.vpnb.forwarding
5





496 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx8# commit
commit complete

On SRX2 device:

[edit]
lab@srx2# set routing-options route-distinguisher-id 172.30.30.2

[edit]
lab@srx2# set routing-instances VPNB-2 instance-type vrf

[edit]
lab@srx2# set routing-instances VPNB-2 interface ge-0/0/4.833

[edit]
lab@srx2# set routing-instances VPNB-2 vrf-target target:5678:500

[edit]
lab@srx2# set routing-instances VPNB-2 vrf-table-label

[edit]
lab@srx2# set routing-instances VPNB-2 protocols bgp group site-2 advertise-peer-
as

[edit]
lab@srx2# set routing-instances VPNB-2 protocols bgp group site-2 peer-as 64512

[edit]
lab@srx2# set routing-instances VPNB-2 protocols bgp group site-2 neighbor
192.168.83.2

[edit]
lab@srx2# commit
commit complete

JNCIE-SP workbook: Appendix – Full day lab challenge

Verification:

lab@srx8# run show route table VPNB-1.inet.0 | count
Count: 1571 lines

[edit]
lab@srx8# run show route table VPNB-1.inet.0

VPNB-1.inet.0: 525 destinations, 526 routes (525 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 03:17:34

to table inet.0
1.64.0.0/10 *[BGP/170] 02:29:02, localpref 200, from 172.30.30.19
AS path: 1516 1620 61671 I
> to 172.30.1.5 via ge-0/0/4.68
1.84.160.0/20 *[BGP/170] 02:29:02, localpref 200, from 172.30.30.19
AS path: 1516 1620 33112 I
> to 172.30.1.5 via ge-0/0/4.68
1.96.0.0/11 *[BGP/170] 02:29:02, localpref 200, from 172.30.30.19 49
AS path: 1516 1620 33112 63164 40776 51777 I
6
> to 172.30.1.5 via ge-0/0/4.68




497 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

1.161.192.0/21 *[BGP/170] 02:29:02, localpref 200, from 172.30.30.19

AS path: 1516 1620 33112 30404 32138 45045 I
> to 172.30.1.5 via ge-0/0/4.68
1.176.0.0/12 *[BGP/170] 02:29:02, localpref 200, from 172.30.30.19
AS path: 1516 1620 33112 49129 16320 52954 I
> to 172.30.1.5 via ge-0/0/4.68
2.0.0.0/7 *[BGP/170] 02:29:02, localpref 200, from 172.30.30.19
AS path: 1516 1620 61671 60177 3091 5721 1770 35283 6098
41407 I

[edit]
lab@srx8# run show route forwarding-table table VPNB-1
Routing table: VPNB-1.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default user 0 rtbl 1 7
default perm 0 rjct 606 1
0.0.0.0/32 perm 0 dscd 604 1
10.10.1.0/24 user 0 rtbl 1 7
10.10.1.8/32 user 0 10.10.1.8 locl 543 3
10.10.82.0/24 user 0 192.168.82.2 ucst 557 5 ge-0/0/4.822
172.16.220.0/30 user 0 rtbl 1 7
172.16.220.1/32 user 0 172.16.220.1 locl 588 3
172.30.0.0/16 user 0 indr 262145 36
10:e:7e:43:d9:4 ucst 513 16 ge-0/0/4.68
172.30.1.4/30 user 0 rtbl 1 7
172.30.1.6/32 user 0 172.30.1.6 locl 547 3
172.30.1.8/30 user 0 rtbl 1 7
172.30.1.10/32 user 0 172.30.1.10 locl 592 3
172.30.30.8/32 user 0 rtbl 1 7
172.31.0.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.1.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.2.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68

JNCIE-SP workbook: Appendix – Full day lab challenge

172.31.3.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.4.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.5.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.6.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.7.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.8.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.9.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.10.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.11.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.12.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
172.31.13.0/24 user 0 indr 262145 36
49
172.30.1.5 ucst 513 16 ge-0/0/4.68
7
172.31.14.0/24 user 0 indr 262145 36




498 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

172.30.1.5 ucst 513 16 ge-0/0/4.68

172.31.15.0/24 user 0 indr 262145 36
172.30.1.5 ucst 513 16 ge-0/0/4.68
192.168.82.0/30 intf 0 rslv 613 1 ge-0/0/4.822
192.168.82.0/32 dest 0 192.168.82.0 recv 611 1 ge-0/0/4.822
192.168.82.1/32 intf 0 192.168.82.1 locl 612 2
192.168.82.1/32 dest 0 192.168.82.1 locl 612 2
192.168.82.2/32 dest 1 0:1f:12:2e:6f:81 ucst 557 5 ge-0/0/4.822
192.168.82.3/32 dest 0 192.168.82.3 bcst 610 1 ge-0/0/4.822
192.168.83.0/30 user 0 indr 262150 2
172.30.1.9 Push 17, Push 300000(top) 563
1 ge-0/0/5.78
224.0.0.0/4 perm 0 mdsc 605 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 601 1
255.255.255.255/32 perm 0 bcst 602 1

Routing table: VPNB-1.iso

ISO:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 616 1

Routing table: VPNB-1.inet6

Internet6:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 622 1
::/128 perm 0 dscd 620 1
ff00::/8 perm 0 mdsc 621 1
ff02::1/128 perm 0 ff02::1 mcst 618 1

[edit]
lab@srx8#

lab@srx2# run show route table VPNB-2.inet.0

VPNB-2.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

JNCIE-SP workbook: Appendix – Full day lab challenge

0.0.0.0/0 *[BGP/170] 02:29:51, localpref 100, from 172.30.30.19
AS path: I
> to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx7
to 172.30.0.18 via ge-0/0/4.24, label-switched-path srx2-to-
srx6
10.10.82.0/24 *[BGP/170] 02:59:34, localpref 100
AS path: 64512 I
> to 192.168.83.2 via ge-0/0/4.833
192.168.83.0/30 *[Direct/0] 02:59:42
> via ge-0/0/4.833
192.168.83.1/32 *[Local/0] 02:59:42
Local via ge-0/0/4.833

49
8





499 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.4: L2circuit VPN configuration

• Configure a Martini-based L2VPN VPN-C between SRX2 and SRX7.
• Create a new bi-directional CSFP LSP. Make sure it crosses routers SRX4 and SRX5.
• Ensure that VPN-C is using that particular LSP for transport through MPLS network.
• Vlan numbers must match logical interface numbers.

On SRX2 device:

[edit]
lab@srx2# set interfaces ge-0/0/3 encapsulation flexible-ethernet-services

[edit]
lab@srx2# set interfaces ge-0/0/3.522 vlan-id 522

[edit]
lab@srx2# set interfaces ge-0/0/3.522 encapsulation vlan-ccc

[edit]
lab@srx2# set interfaces ge-0/0/3.522 apply-groups-except family_mpls

[edit]
lab@srx2# set l2circuit neighbor 172.30.30.7 interface ge-0/0/3.522 virtual-
circuit-id 522

[edit]
lab@srx2# set l2circuit neighbor 172.30.30.7 interface ge-0/0/3.522 community
l2mapped

[edit]
lab@srx2# set policy-options policy-statement l2circuit.mapping term 1 from
community l2mapped

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx2# set policy-options policy-statement l2circuit.mapping term 1 then
install-nexthop lsp srx2-to-srx7-l2circuit

[edit]
lab@srx2# set policy-options community l2mapped members 5678:2

[edit]
lab@srx2# set routing-options forwarding-table export l2circuit.mapping

[edit]
lab@srx2# set protocols mpls label-switched-path srx2-to-srx7-l2circuit to
172.30.30.7

[edit]
lab@srx2# set protocols mpls label-switched-path srx2-to-srx7-l2circuit primary
to-srx7-via-srx3

[edit]
lab@srx2# set protocols mpls path to-srx7-via-srx3 172.30.0.14 strict

[edit] 49
9
lab@srx2# set protocols mpls path to-srx7-via-srx3 172.30.0.26 strict





500 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx2# commit
commit complete

On SRX7 device:

[edit]
lab@srx7# set interfaces ge-0/0/4 encapsulation flexible-ethernet-services

[edit]
lab@srx7# set interfaces ge-0/0/4.522 vlan-id 522

[edit]
lab@srx7# set interfaces ge-0/0/4.522 encapsulation vlan-ccc

[edit]
lab@srx7# set interfaces ge-0/0/4.522 apply-groups-except family_mpls

[edit]
lab@srx7# set l2circuit neighbor 172.30.30.2 interface ge-0/0/4.522 virtual-
circuit-id 522

[edit]
lab@srx7# set l2circuit neighbor 172.30.30.2 interface ge-0/0/4.522 community
l2mapped

[edit]
lab@srx7# set policy-options policy-statement l2circuit.mapping term 1 from
community l2mapped

[edit]
lab@srx7# set policy-options policy-statement l2circuit.mapping term 1 then
install-nexthop lsp srx7-to-srx2-l2circuit

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx7# set policy-options community l2mapped members 5678:2

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2-l2circuit to
172.30.30.2

[edit]
lab@srx7# set protocols mpls label-switched-path srx7-to-srx2-l2circuit primary
to-srx2-via-srx3

[edit]
lab@srx7# set protocols mpls path to-srx2-via-srx3 172.30.0.25 strict

[edit]
lab@srx7# set protocols mpls path to-srx2-via-srx3 172.30.0.13 strict

[edit]
lab@srx7# commit
commit complete

Verification: 50
0





501 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx7# run show l2circuit connections
Layer-2 Circuit Connections:

Legend for connection status (St)

EI -- encapsulation invalid NP -- interface h/w not present
MM -- mtu mismatch Dn -- down
EM -- encapsulation mismatch VC-Dn -- Virtual circuit Down
CM -- control-word mismatch Up -- operational
VM -- vlan id mismatch CF -- Call admission control failure
OL -- no outgoing label IB -- TDM incompatible bitrate
NC -- intf encaps not CCC/TCC TM -- TDM misconfiguration
BK -- Backup Connection ST -- Standby Connection
CB -- rcvd cell-bundle size bad SP -- Static Pseudowire
LD -- local site signaled down RS -- remote site standby
RD -- remote site signaled down XX -- unknown

Legend for interface status

Up -- operational
Dn -- down
Neighbor: 172.30.30.1
Interface Type St Time last up # Up trans
ge-0/0/4.522(vc 522) rmt Up Nov 30 16:10:14 2014 1
Remote PE: 172.30.30.1, Negotiated control-word: Yes (Null)
Incoming label: 299856, Outgoing label: 299824
Negotiated PW status TLV: No
Local interface: ge-0/0/4.522, Status: Up, Encapsulation: VLAN

lab@srx7> show route community-name l2mapped

inet.0: 571 destinations, 1055 routes (571 active, 0 holddown, 0 hidden)

inet.3: 33 destinations, 39 routes (4 active, 0 holddown, 33 hidden)

VPNA-HUB.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)

JNCIE-SP workbook: Appendix – Full day lab challenge

VPNA-SPOKE.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

mpls.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

ge-0/0/4.522 *[L2CKT/7] 00:29:10, metric2 2

to 172.30.0.25 via ge-0/0/4.37, label-switched-path srx7-to-
srx2-l2circuit

50
1





502 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.5: BGP VPLS configuration

• Configure site 1 of the VPLS behind SRX6 and SRX7. Make sure VLAN numbers match
the logical interface numbers.
• Make sure that SRX6 is a designated forwarder for this site and SRX7 is the backup PE
router in case there is a failure on SRX6.
• The logical interface connecting SRX6 to the CE was mistakenly placed in VLAN 542.
Make sure that traffic in the VPLS is transported with VLAN 532.
• Configure site 2 of the VPLS behind SRX1. Make sure Vlan numbers match the logical
interface numbers.
• Prepare the VPLS configuration to expand with 2 more sites without changing the
configuration for the existing sites.
• Setup RSVP LSPs where appropriate.

On SRX6 device:

[edit]
lab@srx6# set interfaces ge-0/0/4 encapsulation flexible-ethernet-services

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 542 apply-groups-except family_mpls

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 542 encapsulation vlan-vpls

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 542 vlan-id 542

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 542 input-vlan-map swap

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 542 input-vlan-map vlan-id 532

[edit]
lab@srx6# set interfaces ge-0/0/4 unit 542 output-vlan-map swap

[edit]
lab@srx6# set routing-instances VPLS-2 instance-type vpls

[edit]
lab@srx6# set routing-instances VPLS-2 interface ge-0/0/4.542

[edit]
lab@srx6# set routing-instances VPLS-2 vrf-target target:5678:200

[edit]
lab@srx6# set routing-instances VPLS-2 protocols vpls site-range 4

[edit] 50
2
lab@srx6# set routing-instances VPLS-2 protocols vpls no-tunnel-services





503 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

[edit]
lab@srx6# set routing-instances VPLS-2 protocols vpls site 1 site-identifier 1

[edit]
lab@srx6# set routing-instances VPLS-2 protocols vpls site 1 multi-homing

[edit]
lab@srx6# set routing-instances VPLS-2 protocols vpls site 1 site-preference
primary

[edit]
lab@srx6# commit
commit complete

On SRX7 device:

[edit]
lab@srx7# set interfaces ge-0/0/4 unit 532 apply-groups-except family_mpls

[edit]
lab@srx7# set interfaces ge-0/0/4 unit 532 encapsulation vlan-vpls

[edit]
lab@srx7# set interfaces ge-0/0/4 unit 532 vlan-id 532

[edit]
lab@srx7# set routing-instances VPLS-2 instance-type vpls

[edit]
lab@srx7# set routing-instances VPLS-2 interface ge-0/0/4.532

[edit]
lab@srx7# set routing-instances VPLS-2 vrf-target target:5678:200

JNCIE-SP workbook: Appendix – Full day lab challenge

[edit]
lab@srx7# set routing-instances VPLS-2 protocols vpls site-range 4

[edit]
lab@srx7# set routing-instances VPLS-2 protocols vpls no-tunnel-services

[edit]
lab@srx7# set routing-instances VPLS-2 protocols vpls site 1 site-identifier 1

[edit]
lab@srx7# set routing-instances VPLS-2 protocols vpls site 1 multi-homing

[edit]
lab@srx7# set routing-instances VPLS-2 protocols vpls site 1 site-preference
backup

[edit]
lab@srx7# commit
commit complete

On SRX1 device:
50

3
[edit]




504 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

lab@srx1# set interfaces ge-0/0/4 encapsulation flexible-ethernet-services

[edit]
lab@srx1# set interfaces ge-0/0/4 unit 532 apply-groups-except family_mpls

[edit]
lab@srx1# set interfaces ge-0/0/4 unit 532 encapsulation vlan-vpls

[edit]
lab@srx1# set interfaces ge-0/0/4 unit 532 vlan-id 532

[edit]
lab@srx1# set routing-instances VPLS-1 instance-type vpls

[edit]
lab@srx1# set routing-instances VPLS-1 interface ge-0/0/4.532

[edit]
lab@srx1# set routing-instances VPLS-1 vrf-target target:5678:200

[edit]
lab@srx1# set routing-instances VPLS-1 protocols vpls site-range 4

[edit]
lab@srx1# set routing-instances VPLS-1 protocols vpls no-tunnel-services

[edit]
lab@srx1# set routing-instances VPLS-1 protocols vpls site 2 site-identifier 2

[edit]
lab@srx1# commit
commit complete

Verification:

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx6# run show interfaces ge-0/0/4.542
Logical interface ge-0/0/4.542 (Index 87) (SNMP ifIndex 696)
Description: === connectioin to VPLS-1 ===
Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.542 ] In(swap .532) Out(swap .542)
Encapsulation: VLAN-VPLS
Input packets : 0
Output packets: 0
Security: Zone: Null
Protocol vpls, MTU: 1518
Flags: Is-Primary

[edit]
lab@srx6# run show vpls connections
Layer-2 VPN connections:

Legend for connection status (St)

EI -- encapsulation invalid NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down NP -- interface hardware not present
CM -- control-word mismatch -> -- only outbound connection is up
CN -- circuit not provisioned <- -- only inbound connection is up
OR -- out of range Up -- operational 50
4
OL -- no outgoing label Dn -- down





505 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

LD -- local site signaled down CF -- call admission control failure

RD -- remote site signaled down SC -- local and remote site ID collision
LN -- local site not designated LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status IL -- no incoming label
MM -- MTU mismatch MI -- Mesh-Group ID not available
BK -- Backup connection ST -- Standby connection
PF -- Profile parse failure PB -- Profile busy
RS -- remote site standby SN -- Static Neighbor
VM -- VLAN ID mismatch

Legend for interface status

Up -- operational
Dn -- down

Instance: VPLS-2
Local site: 1 (1)
connection-site Type St Time last up # Up trans
1 rmt RN
2 rmt Up Jan 11 09:46:51 2015 1
Remote PE: 172.30.30.1, Negotiated control-word: No
Incoming label: 262146, Outgoing label: 262145
Local interface: lsi.1048576, Status: Up, Encapsulation: VPLS
Description: Intf - vpls VPLS-2 local site 1 remote site 2

[edit]
lab@srx1# run show vpls connections
Layer-2 VPN connections:

Legend for connection status (St)

EI -- encapsulation invalid NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down NP -- interface hardware not present
CM -- control-word mismatch -> -- only outbound connection is up
CN -- circuit not provisioned <- -- only inbound connection is up
OR -- out of range Up -- operational

JNCIE-SP workbook: Appendix – Full day lab challenge

OL -- no outgoing label Dn -- down
LD -- local site signaled down CF -- call admission control failure
RD -- remote site signaled down SC -- local and remote site ID collision
LN -- local site not designated LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status IL -- no incoming label
MM -- MTU mismatch MI -- Mesh-Group ID not available
BK -- Backup connection ST -- Standby connection
PF -- Profile parse failure PB -- Profile busy
RS -- remote site standby SN -- Static Neighbor
VM -- VLAN ID mismatch

Legend for interface status

Up -- operational
Dn -- down

Instance: VPLS-1
Local site: 2 (2)
connection-site Type St Time last up # Up trans
1 rmt Up Jan 5 03:59:17 2015 1
Remote PE: 172.30.30.6, Negotiated control-word: No
50
Incoming label: 262145, Outgoing label: 262146
5
Local interface: lsi.1048832, Status: Up, Encapsulation: VPLS




506 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Description: Intf - vpls VPLS-1 local site 2 remote site 1

[edit]
lab@srx7# run show vpls connections
Layer-2 VPN connections:

Legend for connection status (St)

EI -- encapsulation invalid NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down NP -- interface hardware not present
CM -- control-word mismatch -> -- only outbound connection is up
CN -- circuit not provisioned <- -- only inbound connection is up
OR -- out of range Up -- operational
OL -- no outgoing label Dn -- down
LD -- local site signaled down CF -- call admission control failure
RD -- remote site signaled down SC -- local and remote site ID collision
LN -- local site not designated LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status IL -- no incoming label
MM -- MTU mismatch MI -- Mesh-Group ID not available
BK -- Backup connection ST -- Standby connection
PF -- Profile parse failure PB -- Profile busy
RS -- remote site standby SN -- Static Neighbor
VM -- VLAN ID mismatch

Legend for interface status

Up -- operational
Dn -- down

Instance: VPLS-2
Local site: 1 (1)
connection-site Type St Time last up # Up trans
1 rmt LN
2 rmt LN

JNCIE-SP workbook: Appendix – Full day lab challenge

lab@srx6# run show route advertising-protocol bgp 172.30.30.19 table VPLS-
2.l2vpn.0 detail

VPLS-2.l2vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

* 172.30.30.6:4:1:1/96 (1 entry, 1 announced)
BGP group cluster-2 type Internal
Route Distinguisher: 172.30.30.6:4
Label-base: 262145, range: 8
Nexthop: Self
Flags: Nexthop Change
Localpref: 65535
AS path: [5678] I
Communities: target:5678:200 Layer2-info: encaps:VPLS, control flags:, mtu:
0, site preference: 65535

lab@srx7# run show route advertising-protocol bgp 172.30.30.19 table VPLS-

2.l2vpn.0 detail

VPLS-2.l2vpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

* 172.30.30.7:6:1:1/96 (1 entry, 1 announced)
BGP group cluster-2 type Internal
Route Distinguisher: 172.30.30.7:6 50
Label-base: 262145, range: 8 6
Nexthop: Self




507 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Flags: Nexthop Change

Localpref: 1
AS path: [5678] I
Communities: target:5678:200 Layer2-info: encaps:VPLS, control flags:, mtu:
0, site preference: 1

JNCIE-SP workbook: Appendix – Full day lab challenge

50
7





508 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

Task 5.6: VPLS transport

• To conserve bandwidth, make sure that for ingress replication over the VPLS, ingress
PEs are sending only one packet for each broadcast, unknown or multicast frame.
Replication should be done downstream to the egress.

On SRX1, SRX6 and SRX7 devices:

[edit]
lab@srx1# set protocols mpls label-switched-path vpls-p2mp-dynamic template

[edit]
lab@srx1# set protocols mpls label-switched-path vpls-p2mp-dynamic optimize-timer
450

[edit]
lab@srx1# set protocols mpls label-switched-path vpls-p2mp-dynamic p2mp

[edit]
lab@srx1# set routing-instances VPLS-1 provider-tunnel rsvp-te label-switched-
path-template vpls-p2mp-dynamic

[edit]
lab@srx1# commit
commit complete

Verification:

[edit]
lab@srx1# run show mpls lsp p2mp
Ingress LSP: 1 sessions
P2MP name: 172.30.30.1:6:vpls:VPLS-1, P2MP branch count: 1

JNCIE-SP workbook: Appendix – Full day lab challenge

To From State Rt P ActivePath LSPname
172.30.30.6 172.30.30.1 Up 0 *
172.30.30.6:172.30.30.1:6:vpls:VPLS-1
Total 1 displayed, Up 1, Down 0

Egress LSP: 4 sessions

P2MP name: 172.30.30.6:5:vpls:VPLS-2, P2MP branch count: 1
To From State Rt Style Labelin Labelout LSPname
172.30.30.1 172.30.30.6 Up 0 1 SE 262145 -
172.30.30.1:172.30.30.6:5:vpls:VPLS-2
P2MP name: 172.30.30.7:7:vpls:VPLS-2, P2MP branch count: 1
To From State Rt Style Labelin Labelout LSPname
172.30.30.1 172.30.30.7 Up 0 1 SE 3 -
172.30.30.1:172.30.30.7:7:vpls:VPLS-2
Total 2 displayed, Up 2, Down 0

Transit LSP: 0 sessions

Total 0 displayed, Up 0, Down 0

[edit]
lab@srx6# run show mpls lsp p2mp
Ingress LSP: 1 sessions 50
8

P2MP name: 172.30.30.6:5:vpls:VPLS-2, P2MP branch count: 1

509 iNET ZERO – JNCIE-SP TECHNOLOGY LABS WORKBOOK – version 1.1 (2016)

To From State Rt P ActivePath LSPname

172.30.30.1 172.30.30.6 Up 0 *
172.30.30.1:172.30.30.6:5:vpls:VPLS-2
Total 1 displayed, Up 1, Down 0

Egress LSP: 5 sessions

P2MP name: 172.30.30.1:6:vpls:VPLS-1, P2MP branch count: 1
To From State Rt Style Labelin Labelout LSPname
172.30.30.6 172.30.30.1 Up 0 1 SE 262146 -
172.30.30.6:172.30.30.1:6:vpls:VPLS-1
P2MP name: 172.30.30.7:7:vpls:VPLS-2, P2MP branch count: 1
To From State Rt Style Labelin Labelout LSPname
172.30.30.6 172.30.30.7 Up 0 1 SE 3 -
172.30.30.6:172.30.30.7:7:vpls:VPLS-2
Total 2 displayed, Up 2, Down 0

lab@srx6# run show mpls lsp p2mp extensive | match OptimizeTimer

OptimizeTimer: 450

END

JNCIE-SP workbook: Appendix – Full day lab challenge

50
9