CCIE Enterprise Infrastructure Practice Lab 3 Ver - 1


Contents

1. SECTION 1: Layer 2 technologies

1.1 Section 1.1: LAN Access

1.2 Section 1.2: LAN Distribution

1.3 Section 1.3: Spanning Tree

1.4 Section 1.4: WAN Switching

2. SECTION 2 : SDWAN BACKGROUND

2.1 Section 2.1 : SDWAN Installation for Control and Data plane

2.2 Section 2.2 : Prepare VPN and Interfaces for all lab system

2.3 Section 2.3 : Tloc extension for New medion office site

3. SECTION 3 SDWAN advance features and Layer 3 Technologies

3.1 Section 3.1: OSPF in NEW HQ //OSPF for SDWAN and Legacy devices

3.2 Section 3.2: OSPF in NEW DATACENTER //OSPF for SDWAN and Legacy devices

3.3 Section 3.3: B2B connection with Partner#1

3.4 Section 3.4: BGP in NEW DATACENTER Part 1 // BGP in SDWAN and Legacy Devices

3.5 Section 3.5: BGP in NEW DATACENTER #1 Part 2 // BGP in SDWAN and Legacy Devices

3.6 Section 3.6: BGP in Remote Site: Part 1 // BGP in SDWAN and Legacy Devices

3.7 Section 3.7: BGP in Remote Sites: Part 2 // BGP in SDWAN and Legacy Devices

3.8 Section 3.8: Routing Policies //SDWAN Policies and BGP Policies

3.9 Section 3.9: IPv6 Routing // SDWAN IPv6 and Legacy Devices IPv6

3.10 Section 3.10: Multicast in NEW DATACENTER //Multicast for SDWAN

4. SECTION 4 VPN Technology

4.1 Section 4.1: MPLS VPN

4.2 Section 4.2: DMVPN

4.3 Section 4.3: Internet Access

4.4 Section 4.4: LAN to LAN IPsec


5. SECTION 5 Infrastructure Security

5.1 Section 5.1: Device Security

5.2 Section 5.2: Network Security

6. SECTION 6 Infrastructure Services

6.1 Section 6.1: System Management

6.2 Section 6.2: QOS

6.3 Section 6.3: Network Services 1

6.4 Section 6.4: Network Services 2

7. SECTION 7: AUTOMATION

7.1 PYTHON: Use Python to get data from legacy routers and vEdges.

7.2 ANSIBLE: Add an inventory, write basic playbooks to configure OSPF routing, and push the playbooks to the routers.

TOPOLOGY
1. SECTION 1: Layer 2 technologies
1.1 Section 1.1: LAN Access
Question:

The following requirements were pre-configured:

• VTP is turned off in all switches.
• All required VLANs and access-port configuration in all relevant switches are provisioned.
• All required SVI interfaces in all relevant switches (including IP address and subnet mask) are provisioned.

Configure the network in all sites as per the following requirements:

• Access ports must immediately transition to the forwarding state upon link up, as long as they do not receive a BPDU. Use the minimal number of commands per switch to enable this feature.
• If an access port receives a BPDU, it must automatically shut down. Use the minimal number of commands per switch to enable this feature.
• Ports that were shut down must attempt to automatically recover after 10 minutes.
• None of the switches may generate a TC.

SOLUTION:

SW100/SW101/SW110/SW111/SW200/SW201/SW210/SW211/SW300/SW301/SW310/SW400/SW401/SW410/SW500/SW501/SW510/SW600

spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 600
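As an added example (not part of the workbook): with BPDU Guard and a 600-second errdisable recovery configured as above, a port with a BPDU-sending device permanently attached will re-trip every ten minutes, and the automatic recovery hides that unless someone counts the trips. The script below parses constructed IOS syslog lines (the message texts follow the %PM-4-ERR_DISABLE / %PM-4-ERR_RECOVER / %SPANTREE-2-BLOCK_BPDUGUARD formats) and flags ports that trip BPDU Guard repeatedly inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the workbook). The texts follow the
# IOS %SPANTREE-2-BLOCK_BPDUGUARD / %PM-4-ERR_DISABLE / %PM-4-ERR_RECOVER
# messages an access switch logs when BPDU Guard trips and the port recovers.
SAMPLE_LOG = """\
*Mar  1 10:00:01.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/3 with BPDU Guard enabled. Disabling port.
*Mar  1 10:00:01.010: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/3, putting Et0/3 in err-disable state
*Mar  1 10:10:01.020: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Et0/3
*Mar  1 10:10:02.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/3 with BPDU Guard enabled. Disabling port.
*Mar  1 10:10:02.010: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/3, putting Et0/3 in err-disable state
*Mar  1 10:20:02.020: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Et0/3
*Mar  1 10:20:03.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/3 with BPDU Guard enabled. Disabling port.
*Mar  1 10:20:03.010: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/3, putting Et0/3 in err-disable state
*Mar  1 11:30:00.000: %PM-4-ERR_DISABLE: bpduguard error detected on Et1/0, putting Et1/0 in err-disable state
"""

# One err-disable notification per BPDU Guard trip; the port name follows "on".
ERR_DISABLE_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\.\d+: "
    r"%PM-4-ERR_DISABLE: bpduguard error detected on (?P<port>[^,\s]+),"
)


def errdisable_events(log_text):
    """Return [(timestamp, port)] for every BPDU Guard err-disable event in the log."""
    events = []
    for line in log_text.splitlines():
        m = ERR_DISABLE_RE.match(line)
        if not m:
            continue
        # IOS timestamps carry no year; the default (1900) is fine, only deltas are used.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append((ts, m["port"]))
    return events


def repeat_offenders(events, window=timedelta(hours=1), threshold=2):
    """Ports that tripped BPDU Guard at least `threshold` times within any `window`.

    With errdisable recovery at 600 s, a port that keeps re-tripping roughly every
    ten minutes almost certainly has a BPDU-sending device permanently attached.
    """
    by_port = defaultdict(list)
    for ts, port in events:
        by_port[port].append(ts)
    flagged = {}
    for port, stamps in by_port.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[port] = best
    return flagged


if __name__ == "__main__":
    for port, count in repeat_offenders(errdisable_events(SAMPLE_LOG)).items():
        print(f"{port}: {count} BPDU Guard trips inside one hour; check what is plugged in")
```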

1.2 Section 1.2: LAN Distribution


Question:

Configure the Headquarters' network as well as the large and medium office networks as per the following requirements:

• All trunks must use Dot1Q encapsulation.
• Negotiation of the trunking protocol must be disabled in all switches.
• Distribution switches (SW300, SW301, SW400, SW401, SW500, SW501) must initiate EtherChannel negotiation using LACP.
• Access switches (SW310, SW410, SW510) should never initiate EtherChannel negotiation.
• Configure the Layer 2 EtherChannel numbers as shown in Diagram 1: Main Topology and Diagram 5: Layer 2 connections (they use only Po1 and Po2).
• Ensure that all ports included in EtherChannels are effectively in use and bundled in the expected channel.
• Access switches must show output similar to that shown below:

SOLUTION

SW300/SW400/SW501

int range e2/0-1
shut
sw trunk en dot1q
sw mod trunk
sw nonego
channel-group 1 mode active
!
int port-channel 1
sw trunk en dot1q
sw mod trunk
sw nonego

SW301/SW401/SW500

int range e2/2-3
shut
sw trunk en dot1q
sw mod trunk
sw nonego
channel-group 2 mode active
!
int port-channel 2
sw trunk en dot1q
sw mod trunk
sw nonego

SW310/SW410/SW510

int range e2/0-1
shut
sw trunk en dot1q
sw mod trunk
sw nonego
channel-group 1 mode passive
!
int port-channel 1
sw trunk en dot1q
sw mod trunk
sw nonego
!
int range e2/2-3
shut
sw trunk en dot1q
sw mod trunk
sw nonego
channel-group 2 mode passive
!
int port-channel 2
sw trunk en dot1q
sw mod trunk
sw nonego

SW300, SW310, SW400, SW410, SW501, SW510

int range e2/0-1
no shut

SW301, SW310, SW401, SW410, SW500, SW510

int range e2/2-3
no shut

1.3 Section 1.3: Spanning Tree


Question:

Configure the Headquarters' network as per the following requirements:

• SW300 must be the spanning tree root bridge and must maintain a single spanning tree instance for the following VLANs: 2000, 2002, 2004, 2006, 2008 (use instance number 2).
• SW301 must be the spanning tree root bridge and must maintain a single spanning tree instance for the following VLANs: 2001, 2003, 2005, 2007, 2009 (use instance number 1).
• All other VLANs, except 3001, must share the default spanning tree instance.
• Ensure that interface E0/2 of SW300 and SW301 is a Dot1Q trunk and that it switches frames for VLAN 3001 only.
• SW300, SW301, and SW310 must not have any blocked ports for any access VLANs (i.e. 2000-2009).
• SW310 must have the least chance of being elected the root bridge for any VLAN.
• None of the three switches may run more than four instances of spanning tree at any point in time.

Configure all access switches in both DC networks (SW110, SW111, SW210, SW211) as per the following requirements:

• Use 32-bit based values for default port path costs.
• All four switches must use the default value for their interface cost.

Solution:

SW300/301/310

spanning-tree mode mst
spanning-tree mst configuration
inst 1 vlan 2001,2003,2005,2007,2009
inst 2 vlan 2000,2002,2004,2006,2008
inst 3 vlan 3001

SW300

int e0/2
sw trunk allow vlan 3001
sw trunk en do
sw mod trunk
sw nonego
span mst 2 pri 0

SW301

int e0/2
sw trunk all vlan 3001
sw trunk en do
sw mod trunk
sw nonego
span mst 1 pri 0

SW310

span mst 0-3 pri 61440

SW110/SW111/SW210/SW211

span pathcost method long

1.4 Section 1.4: WAN Switching


Question:

Configure the home router R70 as per the following requirements:

• The Ethernet WAN link must rely on a layer 2 protocol that supports authentication and layer 3 protocol negotiation.
• The service provider expects R70 to complete a three-way handshake by providing the expected response to the challenge it receives.
• R70 must use the hostname R70 and the password CCIE.
• R70 must receive an IP address from R8 and must install a default route pointing to 201.99.70.1.
• Ensure that R70 can successfully ping 8.8.8.8, which is located in the ISP#2 cloud.
• You are not allowed to configure any static route on R70 in order to achieve the previous requirements.
• Use the pre-configured Dialer1 interface as appropriate.

R70

int e0/0
no ip add
int dialer 1
ip add nego
ip mtu 1492
en ppp
dia pool 1
ppp chap hostname R70
ppp chap pass 0 CCIE
ppp ipcp route default
!
int e0/0
pppoe enable group global
pppoe-client dial-pool-number 1

2. SECTION 2: SDWAN BACKGROUND


2.1 Section 2.1: SDWAN Installation for Control and Data plane

To install the SD-WAN control plane and data plane, follow this lab: https://user.eve-nglab.com/store/labs/detail?id=15887540878021

Or refer to the CCIE Enterprise Infrastructure practice lab - SDWAN appendix at the end of this workbook.

2.2 Section 2.2: Prepare VPN and Interfaces for all lab systems
(Using vManage templates to configure the vEdges)

Requirements: use vManage templates to configure all vEdges (System, VPN, Interface and Protocol). Make sure all control and data connections still work after you apply the configuration.

3. SECTION 3: SDWAN advance features and Layer 3 Technologies

3.1 Section 3.1: OSPF in NEW HQ // OSPF for SDWAN and Legacy devices

Configure the Headquarters' network (BGP#65003) as per the following requirements:

• Both gateway routers of the Headquarters network must always advertise a default route into the OSPF domain.

Check the output carefully: if between SW300 and SW301 you see the neighbor via VLAN 3001, it means you must enable OSPF for VLAN 3001 on both switches.

SW300

int range e0/0-1
ip os 1 are 0
ip os net point-to-point
!
int vlan 2000
ip os 1 are 0
!
int vlan 2001
ip os 1 are 0
!
int vlan 3001
ip ospf 1 are 0
ip ospf network point-to-point
!
int loopback 0
ip os 1 are 0
!
router ospf 1
router-id 10.3.130.130
passive-inter vlan 2000
passive-inter vlan 2001

SW301

int range e0/0-1
ip os 1 are 0
ip os net point-to-point
!
int vlan 2000
ip ospf 1 are 0
!
int vlan 2001
ip os 1 are 0
!
int l0
ip os 1 are 0
!
int vlan 3001
ip ospf 1 are 0
ip ospf network point-to-point
!
router ospf 1
router-id 10.3.131.131
passive-inter vlan 2000
passive-inter vlan 2001

SW300/SW301

ip domain lookup
ip host SW301 10.3.131.131
ip host SW300 10.3.130.130
ip host R31 10.3.31.31
ip host R30 10.3.30.30
ip ospf name-lookup

R3/R31: follow the guide in the video. The SD-WAN side needs many steps, so following the video is the better option.

3.2 Section 3.2: OSPF in NEW DATACENTER // OSPF for SDWAN and Legacy devices

In order to speed up OSPF convergence in the DC#1 network, limit the number of IP prefixes carried in OSPF LSAs. OSPF is preconfigured on all required devices in DC#1.

Configure DC#1 network as the following requirements:

• All OSPF devices must exclude the IP prefixes of connected networks when advertising their type 1 router LSA, except for prefixes associated with loopbacks or passive interfaces.
• All host loopbacks are the only OSPF intra-area prefixes that may appear in any DC device's routing table.
• Your solution must still apply if any new interface is added to the OSPF domain.
• Do not use any prefix-list or other explicit filter anywhere.
• Do not configure any interface as unnumbered.
• Do not remove any pre-configuration.

SW100
router ospf 1
router-id 10.1.100.100
!
int range e0/0-3, e1/0-2, lo0-1
ip os 1 are 0

SW101
router ospf 1
router-id 10.1.101.101
!
int range e0/0-3, e1/0-2, lo0-1
ip os 1 are 0

SW110
router ospf 1
router-id 10.1.110.110
!
int range e1/0-3, e2/0, lo0, vlan2000
ip os 1 are 0

SW111
router ospf 1
router-id 10.1.111.111
!
int range e1/0-3, e2/0, lo0, vlan2001
ip os 1 are 0

Configuration on the vEdge routers: follow the guide in the video.

3.3 Section 3.3: B2B connection with Partner#1

R100 is located in the Partner#1 network and is connected to R42. It supports OSPF only.

Configure the Large Office network as per the following requirements:

• R42 must run a separate OSPF process with R100.
• As mentioned in item 2.6, the site gateways R40 and R41 are not allowed to redistribute OSPF into BGP and vice versa.
• R42 is allowed to redistribute OSPF into BGP and vice versa.
• At the end of the exam:
o Server2 (located in DC#2) must be able to ping the IP address 100.100.100.100/24 (located in the Partner#1 network).
o R100, the Partner router, must receive the external prefixes shown below and no other prefixes:
R100#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set

10.0.0.0/16 is subnetted, 7 subnets
O E2 10.1.0.0 [110/1] via 172.16.200.2, 04:46:04, Ethernet0/0
O E2 10.2.0.0 [110/1] via 172.16.200.2, 04:46:04, Ethernet0/0
O E2 10.3.0.0 [110/1] via 172.16.200.2, 03:16:50, Ethernet0/0
O E2 10.4.0.0 [110/1] via 172.16.200.2, 04:55:40, Ethernet0/0
O E2 10.5.0.0 [110/1] via 172.16.200.2, 04:03:49, Ethernet0/0
O E2 10.6.0.0 [110/1] via 172.16.200.2, 04:03:49, Ethernet0/0
O E2 10.7.0.0 [110/1] via 172.16.200.2, 00:37:54, Ethernet0/0
100.0.0.0/32 is subnetted, 1 subnets
C 100.100.100.100 is directly connected, Loopback0
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
C 172.16.100.0/24 is directly connected, Loopback100
L 172.16.100.100/32 is directly connected, Loopback100
C 172.16.200.0/30 is directly connected, Ethernet0/0
L 172.16.200.1/32 is directly connected, Ethernet0/0

Solution:

R40
router ospf 1
router-id 10.4.40.40
int range e0/1-3, l0
ip os 1 are 0

R41
router ospf 1
router-id 10.4.41.41
int range e0/1-3, l0
ip os 1 are 0

SW400
router ospf 1
router-id 10.4.0.1
int range e0/0, e1/0-2, l0, vlan 2000-2001
ip os 1 are 0

SW401
router ospf 1
router-id 10.4.0.2
int range e0/0, e1/0-2, l0, vlan 2000-2001
ip os 1 are 0

R42
router ospf 1
router-id 10.4.42.42
int range e0/0-1, lo0
ip os 1 are 0
router ospf 2
int e0/2
ip os 2 are 0

R100
router ospf 2
router-id 10.100.100.100
int range e0/0, lo0, lo1, lo100
ip os 2 are 0

Note:
In your exam, 172.17.100.100 may be the IP address of R100's interface e0/1 instead; in that case you need to move "ip ospf 1 are 0" from Lo1 to e0/1. Be careful.

R42
ip prefix-list FILTERING se 1 deny 10.0.0.0/16
ip prefix-list FILTERING se 5 permit 10.0.0.0/13 ge 16 le 16
route-map FILTERING per 10
mat ip address prefix-list FILTERING
!
router ospf 2
redis bgp 65004 subnets route-map FILTERING
router bgp 65004
bgp redistribute-internal
redis ospf 2
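As an added example (not part of the workbook): the two-line FILTERING prefix-list above is what decides which BGP prefixes R42 leaks into OSPF process 2 towards the partner, so it is worth checking its exact semantics rather than trusting the intent. The script below implements IOS prefix-list matching (first bits must match, mask must fall within ge/le, first match wins, implicit deny) and evaluates R42's list against the seven site aggregates R100 is expected to receive plus constructed prefixes the filter must reject.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# R42's prefix-list as written in the workbook (seq 1 denies 10.0.0.0/16, seq 5
# permits every /16 inside 10.0.0.0/13). Only these two lines are from the page.
R42_FILTERING = """\
ip prefix-list FILTERING se 1 deny 10.0.0.0/16
ip prefix-list FILTERING se 5 permit 10.0.0.0/13 ge 16 le 16
"""

# Constructed candidates: the seven site aggregates R100 is expected to receive,
# plus prefixes the filter must reject.
CANDIDATES = [
    "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16",
    "10.5.0.0/16", "10.6.0.0/16", "10.7.0.0/16",
    "10.0.0.0/16",      # explicitly denied by seq 1
    "10.8.0.0/16",      # outside 10.0.0.0/13
    "10.1.200.0/24",    # inside the /13 but not a /16
    "10.0.0.0/13",      # the aggregate itself, mask too short
]


@dataclass
class PrefixListEntry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, candidate):
        """IOS semantics: the candidate must lie inside the entry's network and its
        mask must fall in [ge, le]; with neither keyword the mask must equal the
        entry's length, with only `ge` the upper bound is 32."""
        if not candidate.subnet_of(self.network):
            return False
        base = self.network.prefixlen
        lo = self.ge if self.ge is not None else base
        hi = self.le if self.le is not None else (32 if self.ge is not None else base)
        return lo <= candidate.prefixlen <= hi


def parse_prefix_lists(config_text):
    """Parse 'ip prefix-list NAME seq N permit|deny A/L [ge G] [le E]' lines.

    Accepts the abbreviated 'se' the workbook uses for 'seq'. Returns {name: [entries]}
    sorted by sequence number, which is the order IOS evaluates them in.
    """
    lists = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:2] != ["ip", "prefix-list"] or not tok[3].startswith("se"):
            continue
        entry = PrefixListEntry(int(tok[4]), tok[5], ipaddress.ip_network(tok[6]))
        rest = tok[7:]
        while rest:
            key, val, rest = rest[0], int(rest[1]), rest[2:]
            if key not in ("ge", "le"):
                raise ValueError(f"unexpected prefix-list keyword {key!r}")
            setattr(entry, key, val)
        lists.setdefault(tok[2], []).append(entry)
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries, prefix):
    """First matching entry decides; no match is the implicit deny (seq None)."""
    candidate = ipaddress.ip_network(prefix)
    for entry in entries:
        if entry.matches(candidate):
            return entry.action, entry.seq
    return "deny", None


def permitted(entries, prefixes):
    """Prefixes that would be redistributed from BGP into OSPF process 2 on R42."""
    return [p for p in prefixes if evaluate(entries, p)[0] == "permit"]


if __name__ == "__main__":
    filtering = parse_prefix_lists(R42_FILTERING)["FILTERING"]
    for p in CANDIDATES:
        action, seq = evaluate(filtering, p)
        print(f"{p:16} {action:6} (seq {seq if seq is not None else 'implicit'})")
```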

3.4 Section 3.4: BGP in NEW DATACENTER Part 1 // BGP in SDWAN and Legacy Devices

Assuming that the network topology will remain unchanged for the foreseeable future, the network architect decided to reduce the amount and complexity of CLI configuration and save CPU and memory usage.

Configure the NEW DATACENTER network as per the following requirements:

• All six routers and four switches must run BGP using the AS number 65001 (including R10, R11, R12, R13, R14, R15, SW100, SW101, SW110, SW111).
• All internal BGP sessions must be established using interface Loopback0 and must be secured with an MD5 hash of the string "cisco" (without quotes).
• R13 must maintain an active peering with all BGP speakers in the autonomous system.
• All BGP speakers except R13 must maintain only one active internal BGP session.
• R13 must be configured in a way that allows BGP to peer with a group of neighbors defined by a range of IP addresses.
• R13 must not require any additional configuration if a new internal BGP peer is added to the network.
• The next hop of any prefix received from any external BGP peer must always be the Loopback interface of the corresponding local BGP router.
Solution

R13
router bgp 65001
bgp router-id 10.1.13.13
bgp listen range 10.1.0.0/16 peer-group IBGP
neighbor IBGP peer-group
neighbor IBGP remote-as 65001
neighbor IBGP password cisco
neighbor IBGP update-source loopback0
neighbor IBGP route-reflector-client

SW100/SW101/SW110/SW111
router bgp 65001
bgp router-id 10.1.x.x (X= Loopback ID)
neighbor 10.1.13.13 remote 65001
neighbor 10.1.13.13 pass cisco
neighbor 10.1.13.13 update-source loopback0

R10/R11/R12/R14/R15: follow the video about SDWAN.

SW111
router bgp 65001
network 10.1.201.0 mask 255.255.255.0

3.5 Section 3.5: BGP in NEW DATACENTER #1 Part 2 // BGP in SDWAN and Legacy Devices

The network architect decided to maximize link utilization in DC#1.

Configure the DC#1 network as per the following requirements:

• All BGP routers in AS#65001 must be configured with the minimum send and/or receive capabilities, in order to ensure multiple paths through the same peering session for the same prefix.
• New paths must not implicitly replace any previous equivalent paths.
• Only the two best paths must be advertised.

R13:
router bgp 65001
bgp additional-paths select best 2
bgp additional-paths send
neighbor IBGP advertise additional-paths best 2
maximum-path ibgp 2

Note: run "clear ip bgp * soft" after you configure BGP additional-paths.

SW100/101/110/111
router bgp 65001
neighbor 10.1.13.13 additional-paths receive
maximum-path ibgp 2

R10/R11/R12/R14/R15: follow the videos.

3.6 Section 3.6: BGP in Remote Site: Part 1 // BGP in SDWAN and Legacy Devices

3.7 Section 3.7: BGP in Remote Sites: Part 2 // BGP in SDWAN and Legacy Devices

3.8 Section 3.8: Routing Policies //SDWAN Policies and BGP Policies

3.9 Section 3.9: IPv6 Routing // SDWAN IPv6 and Legacy Devices IPv6

3.10 Section 3.10: Multicast in NEW DATACENTER //Multicast for SDWAN

4. SECTION 4: VPN Technology

4.1 Section 4.1: MPLS VPN

Question:
Some configuration was already started. It is your responsibility to verify it and ensure that the network is fully operational.

Configure the Global Service Provider#1 network AS#10000 as per the following requirements:

• R1 and R2 are P routers; they must switch packets based on labels and must not run the BGP protocol.
• R3, R4, R5, R6 are PE routers; they must exchange VPNv4 prefixes with each other and peer with their connected VE router using BGP.
• All PE routers must serve the "HollyMaya" VPN as described in the MPLS VPN Topology.
• Do not configure a route-reflector or confederation in AS#10000.
• LDP must be enabled on all the right interfaces and must derive its Router ID from interface Loopback0.
• At the end of the exam, the following output must be seen on all four PE routers (the only difference may be the BGP table (7) version number and the order of paths):

Solution:

R3
router bgp 10000
bgp router-id 100.0.0.3
no bgp default ipv4-unicast
neighbor IBGP peer-group
neighbor IBGP remote-as 10000
neighbor IBGP update-source loopback0
neighbor 100.0.0.4 peer-group IBGP
neighbor 100.0.0.5 peer-group IBGP
neighbor 100.0.0.6 peer-group IBGP
!
address ipv4
neighbor 100.0.0.4 ac
neighbor 100.0.0.5 ac
neighbor 100.0.0.6 ac
!
address vpnv4
neighbor 100.0.0.4 ac
neighbor 100.0.0.5 ac
neighbor 100.0.0.6 ac

R4
router bgp 10000
bgp router-id 100.0.0.4
no bgp default ipv4-unicast
neighbor IBGP peer-group
neighbor IBGP remote-as 10000
neighbor IBGP update-source loopback0
neighbor 100.0.0.3 peer-group IBGP
neighbor 100.0.0.5 peer-group IBGP
neighbor 100.0.0.6 peer-group IBGP
!
add ipv4
neighbor 100.0.0.3 ac
neighbor 100.0.0.5 ac
neighbor 100.0.0.6 ac
!
add vpnv4
neighbor 100.0.0.3 ac
neighbor 100.0.0.5 ac
neighbor 100.0.0.6 ac

R5
router bgp 10000
bgp router-id 100.0.0.5
no bgp default ipv4-unicast
neighbor IBGP peer-group
neighbor IBGP remote-as 10000
neighbor IBGP update-source loopback0
neighbor 100.0.0.3 peer-group IBGP
neighbor 100.0.0.4 peer-group IBGP
neighbor 100.0.0.6 peer-group IBGP
!
add ipv4
neighbor 100.0.0.3 ac
neighbor 100.0.0.4 ac
neighbor 100.0.0.6 ac
!
add vpnv4
neighbor 100.0.0.3 ac
neighbor 100.0.0.4 ac
neighbor 100.0.0.6 ac

R6
router ospf 1
router-id 100.0.0.6
int l0
ip ospf 1 are 0
int e0/1
ip ospf 1 are 0
!
router bgp 10000
bgp router-id 100.0.0.6
no bgp default ipv4-unicast
neighbor IBGP peer-group
neighbor IBGP remote-as 10000
neighbor IBGP update-source loopback0
neighbor 100.0.0.3 peer-group IBGP
neighbor 100.0.0.4 peer-group IBGP
neighbor 100.0.0.5 peer-group IBGP
!
address-fa ipv4
neighbor 100.0.0.3 ac
neighbor 100.0.0.4 ac
neighbor 100.0.0.5 ac
!
add vpnv4
neighbor 100.0.0.3 ac
neighbor 100.0.0.4 ac
neighbor 100.0.0.5 ac

R3
route-map PE-CE permit 10
match interface Ethernet0/0
!
router bgp 10000
address-family ipv4 vrf HollyMaya
neighbor 100.10.0.2 remote-as 65001
neighbor 100.10.0.2 activate
redis connected route-map PE-CE

R4
route-map PE-CE permit 10
match interface Ethernet0/0
!
router bgp 10000
address-family ipv4 vrf HollyMaya
neighbor 100.20.0.2 remote-as 65002
neighbor 100.20.0.2 activate
redis connected route-map PE-CE

R5
route-map PE-CE permit 10
match interface Ethernet0/0
!
router bgp 10000
address-family ipv4 vrf HollyMaya
neighbor 100.50.0.2 remote-as 65005
neighbor 100.50.0.2 activate
redis connected route-map PE-CE

R6
route-map PE-CE permit 10
match interface Ethernet0/0
!
router bgp 10000
address-family ipv4 vrf HollyMaya
neighbor 100.40.0.2 remote-as 65004
neighbor 100.40.0.2 activate
redis connected route-map PE-CE

R3
ip vrf HollyMaya
rd 65001:3
route-target export 65001:3
route-target import 65002:4
route-target import 65005:5
route-target import 65004:6

R4
ip vrf HollyMaya
rd 65002:4
route-target export 65002:4
route-target import 65001:3
route-target import 65005:5
route-target import 65004:6

R5
ip vrf HollyMaya
rd 65005:5
route-target export 65005:5
route-target import 65002:4
route-target import 65001:3
route-target import 65004:6

R6
ip vrf HollyMaya
rd 65004:6
route-target export 65004:6
route-target import 65005:5
route-target import 65002:4
route-target import 65001:3

R1/R2/R3/R4/R5/R6
mpls ldp router-id loopback0 for
router ospf 1
mpls ldp auto
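As an added example (not part of the workbook): the HollyMaya VPN above is any-to-any only if every PE imports the route-target that each other PE exports, and a single mistyped RT silently drops one PE from the VPN without any session going down. The script below parses the four "ip vrf HollyMaya" blocks from the section 4.1 solution, verifies pairwise reachability from the import/export sets, and reports RTs that are imported but exported by nobody; the mistyped R5 variant is constructed to show the failure.

```python
# VRF definitions for the four PE routers as written in the section 4.1 solution.
PE_VRF_CONFIGS = {
    "R3": """ip vrf HollyMaya
 rd 65001:3
 route-target export 65001:3
 route-target import 65002:4
 route-target import 65005:5
 route-target import 65004:6""",
    "R4": """ip vrf HollyMaya
 rd 65002:4
 route-target export 65002:4
 route-target import 65001:3
 route-target import 65005:5
 route-target import 65004:6""",
    "R5": """ip vrf HollyMaya
 rd 65005:5
 route-target export 65005:5
 route-target import 65002:4
 route-target import 65001:3
 route-target import 65004:6""",
    "R6": """ip vrf HollyMaya
 rd 65004:6
 route-target export 65004:6
 route-target import 65005:5
 route-target import 65002:4
 route-target import 65001:3""",
}


def parse_vrf(config_text):
    """Collect the RD and the import/export route-target sets from an 'ip vrf' block."""
    vrf = {"rd": None, "export": set(), "import": set()}
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:1] == ["rd"] and len(tok) >= 2:
            vrf["rd"] = tok[1]
        elif tok[:1] == ["route-target"] and len(tok) >= 3:
            kind, rt = tok[1], tok[2]
            if kind in ("export", "both"):
                vrf["export"].add(rt)
            if kind in ("import", "both"):
                vrf["import"].add(rt)
    return vrf


def reachability(vrfs):
    """{(src, dst): bool}: dst installs src's VPNv4 routes only if it imports an RT src exports."""
    return {
        (src, dst): bool(vrfs[src]["export"] & vrfs[dst]["import"])
        for src in vrfs for dst in vrfs if src != dst
    }


def missing_imports(vrfs):
    """Sorted (src, dst) pairs where dst never learns src's HollyMaya routes."""
    return sorted(pair for pair, ok in reachability(vrfs).items() if not ok)


def unexported_imports(vrfs):
    """Per PE, the RTs it imports that no PE exports: the signature of a typo."""
    exported = set().union(*(v["export"] for v in vrfs.values()))
    return {pe: v["import"] - exported for pe, v in vrfs.items() if v["import"] - exported}


def check(configs):
    """Return (missing pairs, unexported imports) for a {pe: config_text} mapping."""
    vrfs = {pe: parse_vrf(text) for pe, text in configs.items()}
    return missing_imports(vrfs), unexported_imports(vrfs)


# Constructed faulty variant: R5 imports 65001:4 instead of R3's export RT 65001:3,
# so R5 keeps all its sessions up but never installs R3's customer routes.
BROKEN_R5 = PE_VRF_CONFIGS["R5"].replace("route-target import 65001:3",
                                         "route-target import 65001:4")

if __name__ == "__main__":
    print("workbook config:", check(PE_VRF_CONFIGS))
    print("mistyped R5:    ", check({**PE_VRF_CONFIGS, "R5": BROKEN_R5}))
```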

========= CCIE Enterprise Infrastructure practice lab - SDWAN appendix =========

Task 1: Setup vManage web management


- Set up the IP address for vManage web management:

Console to vManage:
config t
vpn 512
interface eth0
ip address 192.168.80.11/24
no shutdown
!
ip route 0.0.0.0/0 192.168.80.1

Click the user icon -> log in to the vManage web UI at IP address 192.168.10.11 with the account admin/admin.

Go to Administration -> Settings


Task 2: Lab configuration
- vManage
vmanage# conf t
Entering configuration mode terminal
vmanage(config)# system
vmanage(config-system)# system-ip 100.1.200.11
vmanage(config-system)# site-id 1000
vmanage(config-system)# organization-name "eve-nglab"
vmanage(config-system)# vbond 10.1.200.12
vmanage(config-system)# !
vmanage(config-system)# vpn 0 int eth1
vmanage(config-interface-eth1)# ip add 10.1.200.11/24
vmanage(config-interface-eth1)# no shut
vmanage(config-interface-eth1)# exit
vmanage(config-vpn-0)# ip route 0.0.0.0/0 10.1.200.254
vmanage(config-vpn-0)# !
vmanage(config-vpn-0)# commit and-quit

- vBond
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# host-name vBond
vedge(config-system)# system-ip 100.1.200.12
vedge(config-system)# site-id 1000
vedge(config-system)# organization-name "eve-nglab"
vedge(config-system)# vbond 10.1.200.12 local vbond-only
vedge(config-system)# !
vedge(config-system)# vpn 512 int eth0
vedge(config-interface-eth0)# ip add 192.168.80.12/24
vedge(config-interface-eth0)# no shut
vedge(config-interface-eth0)# exit
vedge(config-vpn-512)# ip route 0.0.0.0/0 192.168.80.1
vedge(config-vpn-512)# !
vedge(config-vpn-512)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 10.1.200.12/24
vedge(config-interface-ge0/0)# no shut
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# ip route 0.0.0.0/0 10.1.200.254
vedge(config-vpn-0)# commit and-quit

- vSmart 1
vsmart(config-vpn-0)# system
vsmart(config-system)# system-ip 100.1.200.13
vsmart(config-system)# site-id 1000
vsmart(config-system)# organization-name "eve-nglab"
vsmart(config-system)# vbond 10.1.200.12
vsmart(config-system)# !

vsmart(config-system)# vpn 512 int eth0
vsmart(config-interface-eth0)# ip add 192.168.80.13/24
vsmart(config-interface-eth0)# no shut
vsmart(config-interface-eth0)# exit
vsmart(config-vpn-512)# ip route 0.0.0.0/0 192.168.80.1
vsmart(config-vpn-512)# !
vsmart(config-vpn-512)# vpn 0 int eth1
vsmart(config-interface-eth1)# ip add 10.1.200.13/24
vsmart(config-interface-eth1)# no shut
vsmart(config-interface-eth1)# exit
vsmart(config-vpn-0)# ip route 0.0.0.0/0 10.1.200.254
vsmart(config-vpn-0)# !
vsmart(config-vpn-0)# commit and-quit
Commit complete.
vsmart#

- vSmart 2
vsmart(config-vpn-0)# system
vsmart(config-system)# system-ip 10.1.1.4
vsmart(config-system)# site-id 1000
vsmart(config-system)# organization-name "eve-nglab"
vsmart(config-system)# vbond 10.1.1.2
vsmart(config-system)# !
vsmart(config-system)# vpn 512 int eth0
vsmart(config-interface-eth0)# ip add 192.168.80.14/24
vsmart(config-interface-eth0)# no shut
vsmart(config-interface-eth0)# exit
vsmart(config-vpn-512)# ip route 0.0.0.0/0 192.168.80.1
vsmart(config-vpn-512)# !
vsmart(config-vpn-512)# vpn 0 int eth1
vsmart(config-interface-eth1)# no int eth0
vsmart(config-interface-eth1)# ip add 10.1.1.4/24
vsmart(config-interface-eth1)# no shut
vsmart(config-interface-eth1)# exit
vsmart(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vsmart(config-vpn-0)# !
vsmart(config-vpn-0)# commit and-quit
Commit complete.
vsmart#

- vEdge 10
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# system-ip 100.2.6.1
vedge(config-system)# site-id 100
vedge(config-system)# organization-name eve-nglab
vedge(config-system)# vbond 10.1.1.2
vedge(config-system)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 10.2.6.1/24
vedge(config-interface-ge0/0)# no shutdown
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# ip route 0.0.0.0/0 10.2.6.254
vedge(config-vpn-0)# commit and-quit

- vEdge14
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# system-ip 100.1.200.14
vedge(config-system)# site-id 1000
vedge(config-system)# organization-name CCIE_EI
vedge(config-system)# vbond 10.1.200.12
vedge(config-system)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 200.99.14.2/30
vedge(config-interface-ge0/0)# no shutdown
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# int ge0/1
vedge(config-interface-ge0/1)# ip add 10.1.114.1/30
vedge(config-interface-ge0/1)# no shutdown
vedge(config-interface-ge0/1)# exit
vedge(config-vpn-0)# int ge0/2
vedge(config-interface-ge0/2)# ip add 10.1.214.1/30
vedge(config-interface-ge0/2)# no shutdown
vedge(config-interface-ge0/2)# exit
!!! running OSPF
vedge(config-vpn-0)# commit and-quit
Commit complete.

- vEdge60
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# system-ip 100.6.1.1
vedge(config-system)# site-id 65006
vedge(config-system)# organization-name CCIE_EI
vedge(config-system)# vbond 10.1.200.12
vedge(config-system)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 200.99.60.2/30
vedge(config-interface-ge0/0)# no shutdown
vedge(config-interface-ge0/0)# exit

Local AS: 65006, Remote AS: 19999
!!! running BGP

- vEdge50
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# system-ip 100.50.1.1
vedge(config-system)# site-id 65005
vedge(config-system)# organization-name CCIE_EI
vedge(config-system)# vbond 10.1.200.12
vedge(config-system)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 100.50.0.2/30
vedge(config-interface-ge0/0)# no shutdown
vedge(config-interface-ge0/0)# exit

Local AS: 65005, Remote AS: 10000
!!! running BGP

Task 3: Certificate installation

- vManage

Step 1: Create ROOTCA.key

vmanage# vshell
vmanage:~$ openssl genrsa -out ROOTCA.key 2048
Generating RSA private key, 2048 bit long modulus
........................................+++
.............................+++
e is 65537 (0x10001)
vmanage:~$

Step 2: Create ROOTCA.pem from ROOTCA.key

openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
-subj "/C=US/ST=NY/L=NY/O=CCIE_EI/CN=vmanage.lab" \
-out ROOTCA.pem

Step 3: Install ROOTCA.pem

exit
vmanage# request root-cert-chain install /home/admin/ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Successfully installed the root certificate chain

Step 4: Log in to vManage to create the certificate request

Configuration → Certificates → Controllers → vManage → Generate CSR, then copy the CSR text from the popup.

Step 5: In vshell on vManage, use the vim editor to create a file named vmanage.csr containing the CSR text copied above:
vi vmanage.csr
Press i to insert the text, press Esc, then type :wq! to save the file and exit vim.

Step 6: Create vmanage.crt by signing vmanage.csr with ROOTCA.key:

openssl x509 -req -in vmanage.csr \
-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vmanage.crt -days 500 -sha256
Result:
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=vnpro-lab/O=vIPtela Inc/CN=vmanage_07af546c-d136-4f32-9f6d-aa8e598a3410_0.viptela.com/[email protected]
Getting CA Private Key

Step 7: Copy the contents of vmanage.crt (use "cat vmanage.crt"), then install the certificate on vManage:

Configuration → Certificates → Controllers → Install Certificate

- vBond:

Step 1:
vBond# request root-cert-chain install scp://[email protected]:/home/admin/ROOTCA.pem vpn 512
Result:
Uploading root-ca-cert-chain via VPN 512
Copying ... [email protected]:/home/admin/ROOTCA.pem via VPN 512
Warning: Permanently added '192.168.10.11' (ECDSA) to the list of known hosts.
viptela 16.2.11
[email protected]'s password:
ROOTCA.pem 100% 1265 1.2KB/s 00:00
Successfully installed the root certificate chain

Step 2: Add vBond to vManage.

The vBond IP address here is the VPN 0 address, not the VPN 512 address.

Configuration → Certificates → Controllers → Add Controller

Step 3: If adding vBond fails, remove the tunnel-interface as below:

vBond# conf t
Entering configuration mode terminal
vBond(config)# vpn 0
vBond(config-vpn-0)# interface ge0/0
vBond(config-interface-ge0/0)# no tunnel-interface
vBond(config-interface-ge0/0)# commit
Commit complete.
vBond(config-interface-ge0/0)#

Step 4: View the vBond CSR:

Configuration → Certificates → Controllers → vBond → View CSR

Step 5: On vManage, create vbond.csr with the contents above using the vim editor in vshell (vi vbond.csr, press i to insert the text, press Esc, then :wq! to save the file).

Step 6: On vManage (vshell), create vbond.crt by signing vbond.csr with ROOTCA.key:

openssl x509 -req -in vbond.csr \
-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vbond.crt -days 500 -sha256

Result:
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela Inc/CN=vbond_cdb5c222-0188-4384-a5c2-8fa0b76d822f_0.viptela.com/[email protected]
Getting CA Private Key
vmanage:~$

Step 7: Use "cat vbond.crt" to see the file contents, then copy and install the certificate on the vManage web UI:

Configuration → Certificates → Controllers → Install Certificate

Send the certificate to vBond:
Configuration → Certificates → Controllers → Send to vBond

- vSmart:

Step 1:
vsmart# request root-cert-chain install scp://[email protected]:/home/admin/ROOTCA.pem vpn 512
Result:
Uploading root-ca-cert-chain via VPN 512
Copying ... [email protected]:/home/admin/ROOTCA.pem via VPN 512
Warning: Permanently added '192.168.10.11' (ECDSA) to the list of known hosts.
viptela 16.2.11
[email protected]'s password:
ROOTCA.pem 100% 1265 1.2KB/s 00:00
Successfully installed the root certificate chain

Step 2: Add vSmart to vManage on the web UI

Configuration → Devices → Controllers → Add Controller → vSmart

Step 3: View and copy the vSmart CSR

Configuration → Certificates → Controllers → vSmart → View CSR

Step 4: On vManage:

Create the vsmart1.csr file on vManage with the contents viewed above using the vim editor (I have 2 vSmarts for backup).
Sign vsmart1.csr with ROOTCA.key (I have 2 vSmarts):

- vManage:
openssl x509 -req -in vsmart2.csr \
-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vsmart2.crt -days 500 -sha256

openssl x509 -req -in vsmart1.csr \
-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vsmart1.crt -days 500 -sha256

Result:
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela Inc/CN=vsmart_f35d4b87-8322-4f81-a63c-52981f16d5e9_1.viptela.com/[email protected]
Getting CA Private Key

Use "cat vsmart6.crt" to see the contents, copy them, then install the certificate:

Configuration → Certificates → Controllers → Install Certificate

I will do the same for vSmart 7 with the same procedure.

- vEdge:

Step 1: On vManage, use "cat ROOTCA.pem" to see the contents, then create a ROOTCA.pem file on the vEdge with the same contents and install it with:

request root-cert-chain install /home/admin/ROOTCA.pem

Alternatively, SCP ROOTCA.pem from vManage to the vEdge. The interesting point here is that this uses VPN 0:

request root-cert-chain install scp://[email protected]:/home/admin/ROOTCA.pem vpn 0

If we have OAM (VPN 512) access to this vEdge, the following command can be used instead:

request root-cert-chain install scp://[email protected]:/home/admin/ROOTCA.pem vpn 512

vedge# request root-cert-chain install /home/admin/ROOTCA.pem
Result:
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

Step 2: Create the vedge50.csr file on the vEdge using the command below:

request csr upload /home/admin/vedge50.csr

Uploading CSR via VPN 0
Enter organization-unit name : sdwan
Re-enter organization-unit name : sdwan
Generating private/public pair and CSR for this vedge device
Generating CSR for this vedge device ........[DONE]
Copying ... /home/admin/vedge01.csr via VPN 0
CSR upload successful

Step 3: Use "cat vedge50.csr" to copy the contents and create the vedge50.csr file on vManage. Then create vedge50.crt on vManage with the command below:

openssl x509 -req -in vedge50.csr \
-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vedge50.crt -days 500 -sha256
Result:
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela Inc/CN=vedge-368755e1-cfc9-4dbe-984e-9a8d7e3f41f90.viptela.com/[email protected]
Getting CA Private Key

Step 4: On the vEdge, create vedge50.crt with the same contents as the file on vManage, then install it with the command below. Note: run this in normal mode, not vshell mode.

request certificate install scp://[email protected]:/home/admin/vedge50.crt

You can also install from a local file on the box, but I prefer the SCP form:

vedge# request certificate install /home/admin/vedge50.crt
Result:
Installing certificate via VPN 0
Copying ... /home/admin/vedge01.crt via VPN 0
Successfully installed the certificate

Check the serial number:

vedge# show certificate serial
Chassis number: 368755e1-cfc9-4dbe-984e-9a8d7e3f41f9 serial number: BB36DBCE6DF33852

Create a text file with the line: 368755e1-cfc9-4dbe-984e-9a8d7e3f41f9,BB36DBCE6DF33852

Do the same with vedge06: check its serial number and add it to the text file.
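As an added example (not part of the workbook): the "chassis,serial" file above is what vManage and the controllers use to decide which vEdges are allowed to join the overlay, so a hand-typed line with a wrong chassis number or a stale serial from an earlier certificate is worth catching before upload. The script below parses "show certificate serial" output into validated chassis/serial pairs and builds the list; the vedge50 values are from the page, the vedge06 values are constructed.

```python
import re
import uuid

# Output of "show certificate serial" as quoted in the workbook for vedge50, plus a
# constructed second device (vedge06's real values are not given on the page).
SHOW_CERT_SERIAL = {
    "vedge50": "Chassis number: 368755e1-cfc9-4dbe-984e-9a8d7e3f41f9 serial number: BB36DBCE6DF33852",
    "vedge06": "Chassis number: 0f9c1d2e-3a4b-4c5d-8e6f-708192a3b4c5 serial number: 0A1B2C3D4E5F6071",
}

CERT_SERIAL_RE = re.compile(
    r"Chassis number:\s*(?P<chassis>[0-9a-fA-F-]{36})\s+serial number:\s*(?P<serial>[0-9A-Fa-f]+)"
)


def parse_certificate_serial(output):
    """Return (chassis, serial) from 'show certificate serial' output, validated.

    The chassis number must be a well-formed UUID and the serial an even-length hex
    string; anything else means the device has no usable certificate yet or the
    output was mangled when it was copied by hand.
    """
    m = CERT_SERIAL_RE.search(" ".join(output.split()))  # tolerate line wraps in pasted text
    if not m:
        raise ValueError("no chassis/serial pair found in output")
    chassis, serial = m["chassis"].lower(), m["serial"].upper()
    uuid.UUID(chassis)  # raises ValueError if the UUID is malformed
    if len(serial) % 2:
        raise ValueError(f"odd-length serial {serial!r}")
    return chassis, serial


def build_vedge_list(outputs):
    """Build the 'chassis,serial' lines for the vEdge list upload, one per device.

    Duplicate chassis numbers are rejected: two entries for one chassis usually mean a
    stale line from an earlier certificate was left in the file.
    """
    lines, seen = [], {}
    for device, output in outputs.items():
        chassis, serial = parse_certificate_serial(output)
        if chassis in seen:
            raise ValueError(f"chassis {chassis} listed for both {seen[chassis]} and {device}")
        seen[chassis] = device
        lines.append(f"{chassis},{serial}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_vedge_list(SHOW_CERT_SERIAL)))
```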

Task 4: Upload vEdge list

Method 1: For this lab, just upload the vEdge list from your computer to vManage.
Method 2: This works for SDWAN lab 1 by Rakus, who made a PC on EVE.
Upload the vEdge file to vManage.

Send the vEdge list to the controllers:

Configuration → Certificates → vEdge List → Send to Controllers

Validate the vEdges:

Configuration → Certificates → vEdge List → (vEdge) → Valid

Then send to the controllers again after validating all vEdges.

- Configure tunnel
4.1.1 Tunnel Interfaces
The next step is to enable the tunnel interfaces on vManage/vBond/vSmart to bring up the control plane.

vManage/vSmart
vpn 0 interface eth1
tunnel-interface

vBond/vEdges
vpn 0 interface ge0/0
tunnel-interface encapsulation ipsec
