(@SHZ - 0) - MTL-Lab-1

The document describes the configuration tasks for an enterprise lab topology using Cisco devices. The tasks include configuring core layer switches with IPv4 addressing, enabling MPLS LDP session protection, configuring OSPF and MPLS, and securing device access with usernames and passwords. Technologies used in the lab include OSPF, MPLS, LDP, EtherChannel, route maps, access lists, and firewalls.


ORHAN ERGUN LLC CCIE ENTERPRISE INFRASTRUCTURE V1.0 PRACTICAL BOOK

MTL-Lab-1: Enterprise Lab

Topology:

Technologies:
• Service Provider Simulation for Internet access and MPLS L3VPN service
• Multi-Area OSPF, MPLS enabled enterprise
• STP: IEEE, Rapid-PVST, MST
• VTP: Version 2 and 3
• FHRP: HSRP, VRRP, GLBP
• IP SLA and Track
• Port-Security
• DHCP Server, DHCP Relay Agent, DHCP Snooping
• Dynamic ARP Inspection
• Ether-Channel
• IGP: OSPF, IS-IS, EIGRP, RIP


• BGP Route-Reflectors
• NAT
• Zone-Based Firewall
• Route-Map
• Prefix-List
• Access-List
• Redistribution
• Private VLAN
• DMVPN

Tasks:
Task-1 (Can be done in any order):
• Configure the Core layer node IPv4 addresses according to the diagram below
• Enable MPLS LDP Session Protection
• All interfaces between Core nodes should be L3 Ether-Channels using LACP
• Loopback 0 interfaces IP Addressing scheme should be 10.255.255.R#/32
• Every Inter-Switch connection must use this IP Addressing Scheme: 10.x.x.R#/24
• Configure OSPF and enable OSPF Prefix-Suppression on Core nodes
• Enable MPLS and LDP and secure LDP sessions using password “OrhanErgunLLC”
• Change OSPF Cost reference bandwidth to 10 Gb/s
• OSPF process should not generate Syslog messages for MOSPF Type 6 LSA
• Enable Incremental SPF calculation on OSPF process
• Enable OSPF TTL Security Check
• Set OSPF and LDP router-id on each router to be the IP address of the Loopback 0 interface
• No DR/BDR election should be on any Link
• Secure OSPF per interface using MD5 with key-id 1 and password: “OrhanErgunLLC”
• CEF Load sharing should be set to Per Micro-Flow (Including Src, Dst Ports)
• Enable SSH version 2 on each node, then test the configuration by doing SSH to every node
• Set Enable Secret of “OrhanErgunLLC”, Algorithm type should be sha256
• Create a username: “ccie” and secret: “OrhanErgunLLC” and also set algorithm type: sha256

Solution:

Core-SW-1:
interface Loopback0
ip address 10.255.255.1 255.255.255.255
!
default interface range e0/0-3, e1/0-1
interface range e0/0-1
shutdown
no switchport
channel-protocol lacp
channel-group 12 mode active
no shutdown
!
interface range e0/2-3
shutdown
no switchport
channel-protocol lacp
channel-group 13 mode active
no shutdown
!
interface range e1/0-1
shutdown
no switchport
channel-protocol lacp
channel-group 14 mode active
no shutdown
!

It is recommended to reset the interface configuration to factory default with the default interface range command and to shut the interfaces down before creating any Port-channel, so that no leftover settings cause a member mismatch.
The command no switchport changes the interface from L2 to L3 (on some high-end switches interfaces default to L3 already).


The command channel-protocol lacp does not by itself select LACP as the Ether-channel negotiation protocol; it only restricts the channel-group command on that interface to the LACP modes (active or passive), so a PAgP mode such as desirable is rejected:

Core-SW-1(config-if)#channel-protocol lacp
Core-SW-1(config-if)#channel-group 12 mode desirable
Command rejected (Channel protocol mismatch for interface Et0/0 in group 12): the interface can not be added to the channel group
Core-SW-1(config-if)#channel-group 12 mode active

Core-SW-1:
interface Port-channel12
no switchport
ip address 10.0.21.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
no shutdown
!
interface Port-channel13
ip address 10.0.31.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
no shutdown
!
interface Port-channel14
ip address 10.0.41.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
no shutdown
!

The task requires the OSPF network type point-to-point on these interfaces and MPLS/LDP enabled on them. This switch platform does not support the mpls ldp autoconfig command under the OSPF process, so mpls ip has to be configured on each interface instead.

Core-SW-1:
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls label range 10000 19999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 OrhanErgunLLC
mpls ldp session protection
mpls ldp router-id Loopback0

The mpls label range command is optional for this task, but giving each node its own label range makes LSP troubleshooting in the lab easier: the label value alone tells you which router allocated it.


In order to enable LDP authentication for all neighbors, an access list matches every neighbor’s Loopback 0 address (the LDP transport address), and mpls ldp password required forces the router to form only MD5-authenticated LDP sessions: a peer for which no password is configured is refused. LDP authentication is not an LDP-level mechanism; it is the TCP MD5 signature option (RFC 2385) applied to the LDP TCP session on port 646.
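As an added example (not code from the workbook), the following Python models what the TCP MD5 signature option protects on the LDP session: the digest covers the IPv4 pseudo-header, the fixed TCP header with the checksum zeroed, the payload and the shared secret, and is carried in TCP option kind 19. The loopback addresses and port 646 are the lab’s; the payload is a constructed placeholder, not a real LDP PDU, and the TCP checksum is left at zero because only the signature is being shown.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2385 TCP MD5 Signature Option: kind 19, length 18 (2 header bytes + 16-byte digest)
MD5_OPT_KIND = 19
MD5_OPT_LEN = 18
LDP_TCP_PORT = 646          # LDP session transport (TCP); LDP hellos use UDP 646


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol 6, TCP length (header + options + data)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def tcp_fixed_header(sport, dport, seq, ack, data_offset_words, flags, window) -> bytes:
    """20-byte TCP header; checksum and urgent pointer are zero (checksum not computed here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def rfc2385_digest(src_ip, dst_ip, fixed_hdr: bytes, payload: bytes, key: bytes) -> bytes:
    """MD5 over pseudo-header + fixed TCP header (checksum zeroed, options excluded) + data + key."""
    tcp_len = (fixed_hdr[12] >> 4) * 4 + len(payload)   # data offset already counts the options
    hdr_zero_csum = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    m = hashlib.md5()
    m.update(pseudo_header(src_ip, dst_ip, tcp_len))
    m.update(hdr_zero_csum)
    m.update(payload)
    m.update(key)                   # the password itself never appears on the wire
    return m.digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                 payload: bytes, key: bytes) -> bytes:
    """Build fixed header + MD5 option (padded with two NOPs to 20 bytes) + payload."""
    data_offset_words = (20 + 20) // 4
    hdr = tcp_fixed_header(sport, dport, seq, ack, data_offset_words, flags, window)
    digest = rfc2385_digest(src_ip, dst_ip, hdr, payload, key)
    option = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"   # kind 1 = NOP padding
    return hdr + option + payload


def extract_md5_option(options: bytes):
    """Walk the TCP option list; return the 16-byte digest of a kind-19 option, else None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:               # end of option list
            return None
        if kind == 1:               # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment: bytes, key: bytes) -> bool:
    """What a receiver with 'mpls ldp password required' must do: missing or bad signature -> drop."""
    if len(segment) < 20:
        return False
    hdr = segment[:20]
    data_offset = (hdr[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    received = extract_md5_option(segment[20:data_offset])
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, hdr, segment[data_offset:], key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"OrhanErgunLLC"
    seg = sign_segment("10.255.255.1", "10.255.255.2", 11000, LDP_TCP_PORT, 1000, 2000,
                       0x18, 4096, b"constructed-ldp-pdu-placeholder", key)
    print(verify_segment("10.255.255.1", "10.255.255.2", seg, key))       # True
    print(verify_segment("10.255.255.1", "10.255.255.2", seg, b"wrong"))  # False
```

Because the pseudo-header is inside the digest, a segment replayed from a different address pair fails verification just as a wrong key does. RFC 2385 is key-appended MD5 rather than an HMAC, has no key rotation and gives no confidentiality; it authenticates the peer and protects each segment’s integrity, which is what the LDP session needs. TCP-AO (RFC 5925) is its successor on platforms that support it.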

Core-SW-1:
router ospf 1000
router-id 10.255.255.1
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
prefix-suppression
passive-interface default
no passive-interface Port-channel12
no passive-interface Port-channel13
no passive-interface Port-channel14
!

Cisco’s OSPF implementation on IOS/IOS-XR does not support LSA Type 6 (the MOSPF LSA), so whenever the router receives a Type 6 LSA it generates a syslog message. It is best practice to suppress that message with ignore lsa mospf: think of an attacker flooding Type 6 LSAs in LSUs towards your router simply to fill its log.
OSPF TTL Security Check is a mechanism that protects OSPF against remote attacks. OSPF can be attacked by remote hosts because its PDUs are encapsulated directly in IP (protocol 89), so a forged packet can be routed across several hops to reach the router.

Remotely attacking IS-IS is far harder, because it does not use any L3 routed protocol for its operation: IS-IS PDUs are carried directly in Layer 2 frames, so an attacker has to be on the same link.


When the OSPF TTL Security Check is enabled, OSPF sends its packets with an IP TTL of 255 and rejects any received packet whose TTL is below the threshold derived from the configured hop count.
With the default hop count of 1 the process accepts only packets from directly connected (link-local) neighbors, because a packet that has crossed a router arrives with a decremented TTL. The full form of the command is ttl-security all-interfaces hops 1.
OSPF runs the SPF algorithm to calculate the Shortest Path Tree, that is, to find how this node reaches each destination with minimum cost using the link costs derived from interface bandwidth.
All OSPF routers in one area hold the same topological information (the same Type 1 and Type 2 LSAs), so they build the same SPT, and every single change in the area forces all routers in that area to re-run SPF.
Running SPF is the right reaction to a topology change, but what if only a leaf node was added to or removed from the topology?
There is no need to run a full SPF every time, because a full SPF run is a resource-intensive task, especially for the CPU. OSPF supports a method that recalculates only the part of the SPT that has changed; it is called iSPF (Incremental SPF).
Be aware that iSPF increases memory usage, so as usual there is a design trade-off to understand: iSPF lowers CPU usage at the cost of more memory.
It is best practice to use the passive-interface default command and then exclude only the interfaces on which neighbors are expected. A passive interface still has its prefix advertised, but no multicast Hello messages (destination 224.0.0.5) are generated on it, so no adjacency can form there.

Core-SW-1:
hostname Core-SW-1
ip domain-name orhanergun.net
enable algorithm-type sha256 secret OrhanErgunLLC
username ccie algorithm-type sha256 secret OrhanErgunLLC
crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
line vty 0 4
login local
transport input ssh
!

To enable SSH, an RSA key pair must be generated, and that requires a hostname and ip domain-name to be configured first, since the key is named hostname.domain-name. Note that a 1024-bit modulus is below current minimum recommendations; the 2048-bit key generated below is the one to keep.


Core-SW-1#show crypto key mypubkey rsa
% Key pair was generated at: 21:33:35 +0330 Apr 7 2020
Key name: Core-SW-1.orhanergun.net
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable. Redundancy enabled.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00CD5C18
67DE74D1 A31E5AFB F129F480 2C927447 F7DDEDC0 1A746BA2 20E7171B DA053480
F097F5A4 6DC9E571 7F0BBC69 DC82E31D 119F083F CA22FC6A F5F2251D 18AC54B3
6B7CF20D 58CE4F2F C162D4ED CF71FD59 54918BE1 3C75B97A 4B820E3B ACEABD9B


Let’s generate another key using modulus 2048 (crypto key generate rsa modulus 2048 replaces the existing general-purpose pair) and look at it again with show crypto key mypubkey rsa:

% Key pair was generated at: 21:37:49 +0330 Apr 7 2020


Key name: Core-SW-1.orhanergun.net
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable. Redundancy enabled.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C4FAF7 76CC2DE3 257B1A2B C89BBFA3 B0C4AABA 8ECA43E7 CE342FA2 F805EEB2
6B7C321C 94ED5EB7 22FF980C 45C494B1 A4B07709 0A4BF051 32FDE5B8 A25811F0
D0AE3907 FD32555E 9C2B7C91 696CAE73 1A554BDE 3293C96B 0575F31B 6BE37023
AB768796 8345CF6E 8427E8BD 59B9E916 1A3B2C6F 88A0F493 8A1C51F5 EC2009EF
6FD9C178 166961AD A476EDD4 B64C866D 5D53E71A B81A309A 95F9843D DA52C6A4
F8A51B07 AC183767 DAC79E24 AD95479C B19AB73D EA69F3C9 2800C06E FB4D97C2
E0A24C2D 1B221A24 612E31BF 7721B85F 35C9D0A4 E2C20CA7 60153EF0 41BEAA7A
532E7780 47EDF974 1CABBA38 E1436B9C FC92CBC3 67FACC66 57F083B8 8B9C9076
5D020301 0001

The higher the modulus, the longer the key, the longer it takes to generate, and the stronger the key.
By default IOS advertises SSH version 1.99 once an RSA key is generated, meaning it accepts both version 1 and version 2 clients. It is good practice to restrict it to version 2 only with the ip ssh version 2 command, since SSHv1 has known protocol weaknesses.
The ip ssh authentication-retries 2 command makes the server close the session once the user has exhausted the configured number of failed authentication attempts (2 here instead of the default 3).
ip ssh time-out 60 sets to 60 seconds the time the SSH server waits for a response from the client while negotiating the session key and encryption method.
The task also asks us to change the CEF load-sharing algorithm to per-microflow, which means the hash must consider the source and destination port numbers as well as the source and destination IP addresses.

Core-SW-1:
ip cef load-sharing algorithm include-ports source destination
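To show why the port numbers matter, here is an added Python model (not from the workbook, and not IOS’s real hash, whose function is not public) of CEF path selection over equal-cost paths. It hashes either the IP pair alone or the IP pair plus ports onto n paths, with a per-router seed standing in for the unique ID that the universal algorithm mixes in to avoid polarization. The sample flows are constructed: many TCP sessions between one host pair that differ only by source port, the case where address-only hashing pins everything to a single path.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int


def _hash_bucket(fields, n_paths: int, router_seed: bytes) -> int:
    """Stable hash of the selected header fields, folded onto n equal-cost paths.
    router_seed models the per-box unique ID of CEF's universal algorithm, so that
    routers at successive hops do not all make the same choice (polarization).
    sha256 is only a convenient stable hash for this simulation."""
    material = router_seed + b"|".join(str(f).encode() for f in fields)
    return int.from_bytes(hashlib.sha256(material).digest()[:4], "big") % n_paths


def choose_path(flow: Flow, n_paths: int, include_ports: bool,
                router_seed: bytes = b"core-sw-1") -> int:
    """Per-destination-pair hashing by default; with include_ports the L4 fields are
    folded in, which is what 'ip cef load-sharing algorithm include-ports source destination' does."""
    fields = (flow.src_ip, flow.dst_ip)
    if include_ports:
        fields += (flow.proto, flow.sport, flow.dport)
    return _hash_bucket(fields, n_paths, router_seed)


def distribution(flows, n_paths: int, include_ports: bool) -> Counter:
    """How many of the flows land on each of the n equal-cost paths."""
    return Counter(choose_path(f, n_paths, include_ports) for f in flows)


def many_sessions(src: str, dst: str, dport: int, count: int):
    """Constructed sample: TCP sessions between one host pair differing only by source port."""
    return [Flow(src, dst, 6, 49152 + i, dport) for i in range(count)]


if __name__ == "__main__":
    flows = many_sessions("10.10.10.100", "10.255.255.4", 443, 64)
    print(distribution(flows, 2, include_ports=False))   # every session on one path
    print(distribution(flows, 2, include_ports=True))    # sessions spread over both paths
```

The same flow always hashes to the same path in both modes, so packet ordering within a session is preserved; the difference is only in how many distinct flows the hash can tell apart.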

Configure the other Core Switches the same way:


Core-SW-2:
hostname Core-SW-2
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
clock timezone +0330 3 30
ip domain-name orhanergun.net
ip cef load-sharing algorithm include-ports source destination
mpls label range 20000 29999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
interface Loopback0
ip address 10.255.255.2 255.255.255.255
ip ospf 1000 area 0
!
interface Port-channel21
no switchport
ip address 10.0.21.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Port-channel23
no switchport
ip address 10.0.32.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Port-channel24
no switchport
ip address 10.0.42.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet0/0
no switchport
no ip address
channel-protocol lacp
channel-group 21 mode active
!
interface Ethernet0/1
no switchport
no ip address
channel-protocol lacp
channel-group 21 mode active
!
interface Ethernet0/2
no switchport
no ip address
channel-protocol lacp
channel-group 24 mode active
!
interface Ethernet0/3
no switchport
no ip address
channel-protocol lacp
channel-group 24 mode active
!
interface Ethernet1/0
no switchport
no ip address
channel-protocol lacp
channel-group 23 mode active
!
interface Ethernet1/1
no switchport
no ip address
channel-protocol lacp
channel-group 23 mode active
!
router ospf 1000
router-id 10.255.255.2
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
prefix-suppression
passive-interface default
no passive-interface Port-channel21
no passive-interface Port-channel23
no passive-interface Port-channel24
!
crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0

line vty 0 4
login local
transport input ssh
!
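The running-config above stores the enable and user secrets as type 8 (PBKDF2 with SHA-256, the result of algorithm-type sha256), which is a one-way hash, but the LDP password is stored as type 7, which is only a reversible XOR with a fixed, publicly known key. As an added example (not from the workbook), the following Python recovers the plaintext from the type 7 strings shown in the Core-SW-2, Core-SW-4 and Agg-SW-6 configs and scans a constructed config excerpt for them; the key constant and the seed range are Cisco’s documented type 7 behaviour, the regular expression is an assumption tuned to the line forms used in this lab.

```python
import re

# Cisco's fixed type 7 XOR key; being public is exactly why type 7 is obfuscation, not encryption
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit decimal seed, then hex bytes XORed with the rolling key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 0) -> str:
    """Forward direction, showing the transform is a symmetric XOR (same key, same seed)."""
    if not 0 <= seed <= 15:              # IOS-generated strings use a seed in 0-15
        raise ValueError("seed must be 0-15")
    raw = bytes(ord(c) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(plain))
    return "%02d%s" % (seed, raw.hex().upper())


# Assumed line shape: '... 7 <hex>' at end of line, as in the LDP and OSPF key lines of this lab
_TYPE7_LINE = re.compile(r"(?:^|\s)7\s+([0-9A-Fa-f]{4,})\s*$")


def find_type7_secrets(config_text: str):
    """Scan a running-config and return [(line, recovered secret)] for every type 7 value."""
    hits = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            hits.append((line.strip(), decode_type7(m.group(1))))
    return hits


# Constructed sample built from the type 7 strings that appear in this lab's configs
SAMPLE_CONFIG = """\
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp password option 1 for SUBNET_10 7 072033444F073C17100705202809
 ip ospf message-digest-key 1 md5 7 032B49030701045E491C17293B31
"""

if __name__ == "__main__":
    for line, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(secret, "<-", line)
```

Running the scanner over every switch’s running-config is also a quick way to confirm that all neighbors really carry the same LDP and OSPF key. The practical consequence is that a config backup, a show run pasted into a ticket, or a TFTP server holding these files exposes the routing-protocol passwords outright; protect those artefacts as secrets, and use key chains with rotation where the platform offers them.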


Core-SW-3:
hostname Core-SW-3
enable secret 8 $8$lLlQ1l7EZREZah$/SyYyvuuyvhuxiLkoGqUZXSUpGKPImOxlTPEmcSWitM
username ccie secret 8 $8$ij8b2/D6/by62B$rwG5EOIEKQEmFyd0KWFcnQV318Ns/HvxHO0Ki4ZoOig
ip domain-name orhanergun.net
ip cef load-sharing algorithm include-ports source destination
mpls label range 30000 39999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
interface Loopback0
ip address 10.255.255.3 255.255.255.255
ip ospf 1000 area 0
!
interface Port-channel31
no switchport
ip address 10.0.31.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Port-channel32
no switchport
ip address 10.0.32.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Port-channel34
no switchport
ip address 10.0.43.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet0/0
no switchport
no ip address
channel-protocol lacp
channel-group 34 mode active
!
interface Ethernet0/1
no switchport
no ip address
channel-protocol lacp
channel-group 34 mode active
!
interface Ethernet0/2
no switchport
no ip address
channel-protocol lacp
channel-group 31 mode active
!
interface Ethernet0/3
no switchport
no ip address
channel-protocol lacp
channel-group 31 mode active
!
interface Ethernet1/0
no switchport
no ip address
channel-protocol lacp
channel-group 32 mode active
!
interface Ethernet1/1
no switchport
no ip address
channel-protocol lacp
channel-group 32 mode active
!
router ospf 1000
router-id 10.255.255.3
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
prefix-suppression
passive-interface default
no passive-interface Port-channel31
no passive-interface Port-channel32
no passive-interface Port-channel34
!
crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
!
line vty 0 4
login local
transport input ssh
!


Core-SW-4:
hostname Core-SW-4
enable secret 8 $8$D9Plgorbii99Hx$4PJH6CpxKTb1X.flsIn.2cDikKd51wXDQgU9/T1M4oI
username ccie secret 8 $8$KEosyCvZTBtf7x$hYUAnOFF1J7rGXwaIsDgj7CW4aC8fPMgpW1t0j9X8QM
!
ip domain-name orhanergun.net
ip cef load-sharing algorithm include-ports source destination
mpls label range 40000 49999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 072033444F073C17100705202809
mpls ldp session protection
!
interface Loopback0
ip address 10.255.255.4 255.255.255.255
ip ospf 1000 area 0
!
interface Port-channel41
no switchport
ip address 10.0.41.4 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Port-channel42
no switchport
ip address 10.0.42.4 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Port-channel43
no switchport
ip address 10.0.43.4 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet0/0
no switchport
no ip address
channel-protocol lacp
channel-group 43 mode active
!
interface Ethernet0/1
no switchport
no ip address
channel-protocol lacp
channel-group 43 mode active
!
interface Ethernet0/2
no switchport
no ip address
channel-protocol lacp
channel-group 42 mode active
!
interface Ethernet0/3
no switchport
no ip address
channel-protocol lacp
channel-group 42 mode active
!
interface Ethernet1/0
no switchport
no ip address
channel-protocol lacp
channel-group 41 mode active
!
interface Ethernet1/1
no switchport
no ip address
channel-protocol lacp
channel-group 41 mode active
!
router ospf 1000
router-id 10.255.255.4
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
prefix-suppression
passive-interface default
no passive-interface Port-channel41
no passive-interface Port-channel42
no passive-interface Port-channel43
!
crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
line vty 0 4
login local
transport input ssh
!


Verification:

Core-SW-1#show ip route ospf | begin Gateway


Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks


O 10.255.255.2/32 [110/501] via 10.0.21.2, 18:07:33, Port-channel12
O 10.255.255.3/32 [110/501] via 10.0.31.3, 18:37:38, Port-channel13
O 10.255.255.4/32 [110/501] via 10.0.41.4, 18:37:38, Port-channel14

Core-SW-2#show ip route ospf | begin Gateway


Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks


O 10.255.255.1/32 [110/501] via 10.0.21.1, 18:26:31, Port-channel21
O 10.255.255.3/32 [110/501] via 10.0.32.3, 19:32:16, Port-channel23
O 10.255.255.4/32 [110/501] via 10.0.42.4, 19:32:16, Port-channel24

Core-SW-3#show ip route ospf | begin Gateway


Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks


O 10.255.255.1/32 [110/501] via 10.0.31.1, 18:26:31, Port-channel31
O 10.255.255.2/32 [110/501] via 10.0.32.2, 19:32:26, Port-channel32
O 10.255.255.4/32 [110/501] via 10.0.43.4, 19:32:16, Port-channel34

Core-SW-4#show ip route ospf | begin Gateway


Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks


O 10.255.255.1/32 [110/501] via 10.0.41.1, 18:26:31, Port-channel41
O 10.255.255.2/32 [110/501] via 10.0.42.2, 19:32:33, Port-channel42
O 10.255.255.3/32 [110/501] via 10.0.43.3, 19:32:19, Port-channel43

Only /32 host routes appear, because the prefix-suppression command stops the transit link prefixes from being advertised into OSPF.

Core-SW-1#show mpls forwarding-table


Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
10007 Pop Label 10.255.255.3/32 0 Po13 10.0.31.3
10008 Pop Label 10.255.255.4/32 0 Po14 10.0.41.4
10023 Pop Label 10.255.255.2/32 0 Po12 10.0.21.2

Core-SW-1#show mpls ldp neighbor | include Peer


Peer LDP Ident: 10.255.255.3:0; Local LDP Ident 10.255.255.1:0
Peer LDP Ident: 10.255.255.2:0; Local LDP Ident 10.255.255.1:0
Peer LDP Ident: 10.255.255.4:0; Local LDP Ident 10.255.255.1:0

Core-SW-4#show mpls forwarding-table


Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
40000 Pop Label 10.255.255.3/32 0 Po43 10.0.43.3
40001 Pop Label 10.255.255.2/32 0 Po42 10.0.42.2
40016 Pop Label 10.255.255.1/32 0 Po41 10.0.41.1

Core-SW-4#show mpls ldp neighbor | include Peer


Peer LDP Ident: 10.255.255.2:0; Local LDP Ident 10.255.255.4:0
Peer LDP Ident: 10.255.255.3:0; Local LDP Ident 10.255.255.4:0
Peer LDP Ident: 10.255.255.1:0; Local LDP Ident 10.255.255.4:0

LDP forms its TCP session between the Loopback 0 addresses: Cisco IOS/IOS-XR uses the LDP router-id as the transport address by default, and mpls ldp router-id Loopback0 set that router-id on every node.


Core-SW-1#show etherchannel summary | begin Group


Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(RU) LACP Et0/0(P) Et0/1(P)
13 Po13(RU) LACP Et0/2(P) Et0/3(P)
14 Po14(RU) LACP Et1/0(P) Et1/1(P)

Core-SW-2#show etherchannel summary | begin Group


Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
21 Po21(RU) LACP Et0/0(P) Et0/1(P)
23 Po23(RU) LACP Et1/0(P) Et1/1(P)
24 Po24(RU) LACP Et0/2(P) Et0/3(P)

Core-SW-3#show etherchannel summary | begin Group


Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
31 Po31(RU) LACP Et0/2(P) Et0/3(P)
32 Po32(RU) LACP Et1/0(P) Et1/1(P)
34 Po34(RU) LACP Et0/0(P) Et0/1(P)

Core-SW-4#show etherchannel summary | begin Group


Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
41 Po41(RU) LACP Et1/0(P) Et1/1(P)
42 Po42(RU) LACP Et0/2(P) Et0/3(P)
43 Po43(RU) LACP Et0/0(P) Et0/1(P)

RU means the port-channel is Layer 3 (R) and in use (U).
P means the port is bundled in the port-channel.
The negotiation protocol is LACP (IEEE 802.3ad).

Core-SW-1#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


10.255.255.4 0 FULL/ - 00:00:33 10.0.41.4 Port-channel14
10.255.255.3 0 FULL/ - 00:00:39 10.0.31.3 Port-channel13
10.255.255.2 0 FULL/ - 00:00:31 10.0.21.2 Port-channel12

Core-SW-2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


10.255.255.4 0 FULL/ - 00:00:36 10.0.42.4 Port-channel24
10.255.255.3 0 FULL/ - 00:00:36 10.0.32.3 Port-channel23
10.255.255.1 0 FULL/ - 00:00:36 10.0.21.1 Port-channel21

Core-SW-3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


10.255.255.4 0 FULL/ - 00:00:39 10.0.43.4 Port-channel34
10.255.255.2 0 FULL/ - 00:00:34 10.0.32.2 Port-channel32
10.255.255.1 0 FULL/ - 00:00:33 10.0.31.1 Port-channel31

Core-SW-4#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


10.255.255.3 0 FULL/ - 00:00:36 10.0.43.3 Port-channel43
10.255.255.2 0 FULL/ - 00:00:33 10.0.42.2 Port-channel42
10.255.255.1 0 FULL/ - 00:00:38 10.0.41.1 Port-channel41


There is no DR/BDR election on the Ethernet segments because of the ip ospf network point-to-point command on the Port-channel interfaces.

Core-SW-1#show ip ospf interface po 12


Port-channel12 is up, line protocol is up (connected)
Internet Address 10.0.21.1/24, Area 0, Attached via Interface Enable
Process ID 1000, Router ID 10.255.255.1, Network Type POINT_TO_POINT, Cost: 500
Topology-MTID Cost Disabled Shutdown Topology Name
0 500 no no Base
Enabled by interface config, including secondary ip addresses
Prefix-suppression is enabled
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:07
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Strict TTL checking enabled
Index 1/3/3, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 3
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.255.255.2
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Youngest key id is 1

Attached via Interface Enable means the interface was placed into area 0 of the OSPF process with the interface-level ip ospf 1000 area 0 command rather than a network statement. Strict TTL checking enabled and Cryptographic authentication enabled confirm the TTL security and MD5 requirements on this interface.
Neighbor Count shows all neighbors that have reached at least 2WAY, while Adjacent neighbor count shows only those in FULL state, i.e. the neighbors with which the full link-state database has been exchanged. Here both values are 1: only two routers can exist on a point-to-point link, the adjacency goes straight to FULL, and there is no DR/BDR election.

Core-SW-1#show ip ospf | begin Increme


Incremental-SPF enabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Reference bandwidth unit is 10000 mbps
Strict TTL checking enabled
Prefix-suppression is enabled


Core-SW-1#ssh -l ccie 10.255.255.3


Password:

Core-SW-3>en
Password:
Core-SW-3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Core-SW-3(config)#
Core-SW-3(config)#do sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-ctr hmac-sha1 Session started ccie
0 2.0 OUT aes128-ctr hmac-sha1 Session started ccie
Core-SW-3(config)#
Core-SW-3(config)#do sh user
Line User Host(s) Idle Location
0 con 0 idle 00:22:14
* 2 vty 0 ccie idle 00:00:00 10.0.31.1

Core-SW-1(config)#ip ssh source-interface lo0


Core-SW-1(config)#do ssh -l ccie 10.255.255.4
Password:

Core-SW-4>en
Password:
Core-SW-4#show user
Line User Host(s) Idle Location
0 con 0 idle 00:21:41
* 2 vty 0 ccie idle 00:00:00 10.255.255.1
Core-SW-4#show ip ssh | include SSH|version|timeout
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 2


Task-2 (Can be done in any order):

• Configure the Core to Distribution (Building 1) nodes IPv4 addresses according to the diagram below
• All interfaces between Core and Distribution Layer nodes should be L3.
• Create VLAN 10 and VLAN 20
• Loopback 0 interfaces IP Addressing scheme should be 10.255.255.R#/32
• Every Inter-Switch connection must use this IP Addressing Scheme: 10.x.x.R#/24
• Configure OSPF between Core and Distribution L3 Links
• Enable MPLS and LDP and secure LDP sessions using password “OrhanErgunLLC”
• Change OSPF Cost reference bandwidth to 10 Gb/s
• OSPF process should not generate Syslog messages for MOSPF Type 6 LSA
• Enable Incremental SPF calculation on OSPF process
• Enable OSPF TTL Security Check
• Set OSPF and LDP router-id on each router to be the IP address of the Loopback 0 interface
• No DR/BDR election should be on any Link
• Secure OSPF per interface using MD5 with key-id 1 and password: “OrhanErgunLLC”
• Summarize Area Subnets to 10.10.0.0/16
• CEF Load sharing should be set to Per Micro-Flow (Including Src, Dst Ports)
• Enable SSH version 2 on each node, then test the configuration by doing SSH to every node
• Set Enable Secret of “OrhanErgunLLC”, Algorithm type should be sha256
• Create a username: “ccie” and secret: “OrhanErgunLLC” and also set algorithm type: sha256
• This Switch-Block should use VTP version 2; both Distribution switches must act as VTP Server and Access Layer switches must be VTP Client. VTP must be secured using Password “OrhanErgunLLC” and the domain name set to “ccie”
• All Switch-Block interfaces should be Trunks with Native VLAN 999 and only VLANs 10 and 20 allowed on the trunk link; the trunking encapsulation must be standards-based, and DTP must be disabled
• Agg-SW-5 should be root bridge for VLAN 10 and Agg-SW-6 root bridge for VLAN 20 (use PVST+) with diameter 3; also enable the UplinkFast, BackboneFast and LoopGuard features
• Configure HSRP on the aggregation switches and track the Loopback 0 interfaces of the Core switches; if one of those interfaces becomes unreachable, the HSRP priority should be decremented by 50
• Configure access ports and enable portfast and port-security with sticky MAC learning, with violation mode set to restrict


Solution:

Core-SW-3:
interface Ethernet1/2
no switchport
ip address 10.0.53.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet1/3
no switchport
ip address 10.0.63.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
router ospf 1000
no passive-interface Ethernet1/2
no passive-interface Ethernet1/3
!
Core-SW-4:
interface Ethernet1/2
no switchport
ip address 10.0.64.4 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 000A1E071C52
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet1/3
no switchport
ip address 10.0.54.4 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 000A1E071C52
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
router ospf 1000
no passive-interface Ethernet1/2
no passive-interface Ethernet1/3
!


Agg-SW-5:
interface Loopback0
ip address 10.255.255.5 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet1/2
no switchport
ip address 10.0.53.5 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet1/3
no switchport
ip address 10.0.54.5 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls label range 50000 59999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 OrhanErgunLLC
mpls ldp session protection
mpls ldp router-id Loopback0
!
router ospf 1000
router-id 10.255.255.5
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 1 range 10.10.0.0 255.255.0.0
passive-interface default
no passive-interface Ethernet1/2
no passive-interface Ethernet1/3
!

Agg-SW-6:
interface Loopback0
ip address 10.255.255.6 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet1/2
no switchport
ip address 10.0.64.6 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 022916530A082A334B5B07352934
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet1/3
no switchport
ip address 10.0.63.6 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 032B49030701045E491C17293B31
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
router ospf 1000
router-id 10.255.255.6
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 1 range 10.10.0.0 255.255.0.0
passive-interface default
no passive-interface Ethernet1/2
no passive-interface Ethernet1/3
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls label range 60000 69999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
mpls ldp router-id Loopback0


Agg-SW-5:
enable algorithm-type sha256 secret OrhanErgunLLC
username ccie algorithm-type sha256 secret OrhanErgunLLC
ip domain-name orhanergun.net
hostname Agg-SW-5
crypto key generate rsa modu 1024
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
line vty 0 4
login local
transport input ssh
!

Agg-SW-6:
enable algorithm-type sha256 secret OrhanErgunLLC
username ccie algorithm-type sha256 secret OrhanErgunLLC
ip domain-name orhanergun.net
hostname Agg-SW-6
crypto key generate rsa modu 1024
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
line vty 0 4
login local
transport input ssh
!

Almost the same configuration steps as the previous task so far.

The only difference is the area 1 range 10.10.0.0 255.255.0.0 command: both Aggregation
switches are ABRs, so summarization should be done on them.

Agg-SW-5:
vlan 10,20
exit
vlan 999
name DUMMY-VLAN
exit
!
interface range e0/0-2
switchport trunk allowed vlan 10,20
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
vtp version 2
vtp domain ccie
vtp password OrhanErgunLLC

Agg-SW-6:
vtp version 2
vtp domain ccie
vtp password OrhanErgunLLC
!
interface range e0/0-2
switchport trunk allowed vlan 10,20
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!

We just created VLAN 999; what is the purpose of this VLAN? We named it DUMMY-VLAN:
it is not going to be used anywhere, it is just a dummy VLAN. It is a best practice to
change a trunk link’s native VLAN to something unused other than the default VLAN 1.

It helps prevent VLAN-hopping attacks. On top of that, we don’t even allow that VLAN to be
functional on the trunk link, by using the switchport trunk allowed vlan 10,20 command,
which is more secure still.
The task asks us to disable DTP (Dynamic Trunking Protocol) on the interfaces; the
switchport nonegotiate command disables DTP on the link. It is also a best practice to
make inter-switch connections static trunk ports rather than DTP-negotiated ports: an
attacker may try to form a trunk port using his/her machine (like Kali Linux) and get all
your VLAN data!
VTP version 2 does not support encrypted passwords; the password is saved in plain text:
Agg-SW-5(config)#vtp password OrhanErgunLLC hidden
Device is operating in VTP version 2. hidden option is allowed from VTP version 3 only.
Agg-SW-5(config)#vtp password OrhanErgunLLC
Agg-SW-5(config)#do sh vtp password
VTP Password: OrhanErgunLLC
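As an added example (not from the lab book), the following Python script audits trunk stanzas in a constructed running-config excerpt for the points just discussed: a static trunk, DTP disabled, encapsulation pinned to 802.1Q, a non-default native VLAN, and the native VLAN absent from the allowed list. The interface names and stanzas are constructed sample input.

```python
"""Audit Cisco IOS trunk stanzas for the hardening this task asks for.

Added example, not from the original lab book. It checks constructed
interface stanzas against the rules discussed above.
"""
import re

# Constructed running-config excerpt: one compliant trunk and two weak ones.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,20,999
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per interface stanza."""
    stanzas = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.strip():
            stanzas[current].append(line.strip())
    return stanzas


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,100-102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_trunk(lines):
    """Return the list of findings for one trunk stanza (empty = compliant)."""
    findings = []
    native = 1        # IOS default native VLAN
    allowed = None    # None means every VLAN is allowed (IOS default)
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            allowed = expand_vlan_list(m.group(1))
    if "switchport mode trunk" not in lines:
        findings.append("trunk mode not static (DTP may negotiate it)")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP not disabled (missing switchport nonegotiate)")
    if "switchport trunk encapsulation dot1q" not in lines:
        findings.append("encapsulation not pinned to standard 802.1Q")
    if native == 1:
        findings.append("native VLAN left at default 1")
    if allowed is None:
        findings.append("all VLANs allowed on trunk (allowed list not restricted)")
    elif native in allowed:
        findings.append(f"native VLAN {native} is carried on the trunk")
    return findings


def audit_config(config):
    """Audit every stanza that carries trunk configuration; returns {name: findings}."""
    results = {}
    for name, lines in parse_interfaces(config).items():
        if any(l.startswith("switchport trunk") or l == "switchport mode trunk"
               for l in lines):
            results[name] = audit_trunk(lines)
    return results


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```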

Let’s configure Access-Layer Switches:

Acc-SW-19:
vtp version 2
vtp domain ccie
vtp mode client
vtp password OrhanErgunLLC
!
interface range e0/0-1
switchport trunk allowed vlan 10,20
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!

Acc-SW-20:
vtp version 2
vtp domain ccie
vtp mode client
vtp password OrhanErgunLLC
!
interface range e0/0-1
switchport trunk allowed vlan 10,20
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!

The other three switches get their VLAN information from Agg-SW-5 via VTP, so we only
configured VLANs 10, 20 and 999 on that switch:

Acc-SW-19(config)#do sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et1/1, Et1/2, Et1/3, Et2/0
                                                Et2/1, Et2/2, Et2/3, Et3/0
                                                Et3/1, Et3/2, Et3/3, Et4/0
                                                Et4/1, Et4/2, Et4/3, Et5/0
                                                Et5/1, Et5/2, Et5/3
10   VLAN0010                         active    Et0/2, Et0/3
20   VLAN0020                         active    Et1/0
999  DUMMY-VLAN                       active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup


Verification:

Acc-SW-19(config)#do sh interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Et0/0       on               802.1q         trunking      999
Et0/1       on               802.1q         trunking      999

Port        Vlans allowed on trunk
Et0/0       10,20
Et0/1       10,20

Port        Vlans allowed and active in management domain
Et0/0       10,20
Et0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Et0/0       10
Et0/1       20

Acc-SW-19(config)#do sh int status | exclude disabled

Port      Name               Status       Vlan       Duplex  Speed Type
Et0/0                        connected    trunk      a-full   auto RJ45
Et0/1                        connected    trunk      a-full   auto RJ45

Acc-SW-19(config)#do sh vtp status

VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : ccie
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.1100
Configuration last modified by 10.10.10.5 at 4-8-20 15:17:25

Feature VLAN:
--------------
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
Configuration Revision : 5
MD5 digest : 0xAC 0x1A 0xB9 0x0A 0xBA 0x11 0x87 0xD6
0x18 0x76 0x51 0x50 0xDB 0xEF 0x25 0x76
Acc-SW-19(config)#do sh vtp password
VTP Password: OrhanErgunLLC

Agg-SW-6(config)#do sh vtp status


VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : ccie
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.0400
Configuration last modified by 10.10.10.5 at 4-8-20 15:17:25
Local updater ID is 10.10.10.6 on interface Vl10 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
Configuration Revision : 5
MD5 digest : 0xAC 0x1A 0xB9 0x0A 0xBA 0x11 0x87 0xD6
0x18 0x76 0x51 0x50 0xDB 0xEF 0x25 0x76

Look at the show int trunk command output:

Mode: “on” means we have configured the trunk statically using the switchport mode trunk
command.
Encapsulation: “802.1q” means we have forced the trunk port to use dot1q using the
switchport trunk encapsulation dot1q command.


The VTP mode is Client on the Access switches and Server on the Distribution switches.

You may not see the line Configuration last modified by 10.10.10.5 because I have
already configured SVIs. We will get to that point soon.

Agg-SW-5(config)#do sh spann | include protocol|VLAN


VLAN0010
Spanning tree enabled protocol ieee
VLAN0020
Spanning tree enabled protocol ieee

Agg-SW-5:
spanning-tree vlan 10 root primary diameter 2
spanning-tree vlan 20 root secondary diameter 2
spanning-tree backbonefast
!

Agg-SW-6:
spanning-tree vlan 20 root primary diameter 2
spanning-tree vlan 10 root secondary diameter 2
spanning-tree backbonefast
!

Agg-SW-5(config)#do sh run | sec spann


spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree backbonefast
spanning-tree vlan 10 priority 24576
spanning-tree vlan 20 priority 28672
spanning-tree vlan 10,20 forward-time 7
spanning-tree vlan 10,20 max-age 10

Agg-SW-6(config)#do sh run | sec spann


spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree backbonefast
spanning-tree vlan 10 priority 28672
spanning-tree vlan 20 priority 24576
spanning-tree vlan 10,20 forward-time 7
spanning-tree vlan 10,20 max-age 10

The default STP mode is ieee, i.e. PVST+ (the Cisco proprietary edition of 802.1D that is
VLAN aware and generates BPDUs per VLAN).
spanning-tree vlan [vlan_number] root is a macro that looks at the current root bridge
priority and lowers the local value depending on it. In this scenario all bridge priorities
are at the default 32768, so the macro lowers the STP priority to 24576 for the primary root
bridge and 28672 for the secondary root bridge.
The diameter argument tunes the timer values. In this scenario we only have Distribution
and Access Layer switches, which means every switch is at most 2 hops away from the root
bridge, thus we set a diameter value of 2. The macro then automatically adds forward-time 7
and max-age 10 to the running-config. The default values were 15 and 20 respectively.


Verification:

Agg-SW-5(config)#do sh spann

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address aabb.cc00.0300
This bridge is the root
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Bridge ID Priority 24586 (priority 24576 sys-id-ext 10)


Address aabb.cc00.0300
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p
Et0/2 Desg FWD 100 128.3 P2p

VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 24596
Address aabb.cc00.0400
Cost 100
Port 3 (Ethernet0/2)
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Bridge ID Priority 28692 (priority 28672 sys-id-ext 20)


Address aabb.cc00.0300
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p
Et0/2 Root FWD 100 128.3 P2p

Agg-SW-6#show spann

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address aabb.cc00.0300
Cost 100
Port 3 (Ethernet0/2)
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Bridge ID Priority 28682 (priority 28672 sys-id-ext 10)


Address aabb.cc00.0400
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p
Et0/2 Root FWD 100 128.3 P2p

VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 24596
Address aabb.cc00.0400
This bridge is the root
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Bridge ID Priority 24596 (priority 24576 sys-id-ext 20)


Address aabb.cc00.0400
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p
Et0/2 Desg FWD 100 128.3 P2p


Acc-SW-19(config)#do sh spann

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address aabb.cc00.0300
Cost 100
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)


Address aabb.cc00.1100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 100 128.1 P2p
Et0/1 Altn BLK 100 128.2 P2p

VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 24596
Address aabb.cc00.0400
Cost 100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)


Address aabb.cc00.1100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/0 Altn BLK 100 128.1 P2p
Et0/1 Root FWD 100 128.2 P2p

Acc-SW-20(config)#do sh spann

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address aabb.cc00.0300
Cost 100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)


Address aabb.cc00.1200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/0 Altn BLK 100 128.1 P2p
Et0/1 Root FWD 100 128.2 P2p

VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 24596
Address aabb.cc00.0400
Cost 100
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)


Address aabb.cc00.1200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type


------------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 100 128.1 P2p
Et0/1 Altn BLK 100 128.2 P2p


Both Access Switch L2 uplinks are in forwarding state, but each of them for a specific
VLAN. This is the power of Per-VLAN STP. The other link stays in blocking state until
the main link fails.
The other design point here is that there should be an L2 link between the Distribution
switches, because the VLANs span both access switches.

The Distribution switches must act as the router for inter-VLAN traffic; this job is
done using SVIs on those switches, and the VLAN10 and VLAN20 subnets should be
advertised into OSPF:

Agg-SW-5:
ip routing
interface Vlan10
ip address 10.10.10.5 255.255.255.0
ip ospf 1000 area 1
!
interface Vlan20
ip address 10.10.20.5 255.255.255.0
ip ospf 1000 area 1
!

Agg-SW-6:
ip routing
interface Vlan10
ip address 10.10.10.6 255.255.255.0
ip ospf 1000 area 1
!
interface Vlan20
ip address 10.10.20.6 255.255.255.0
ip ospf 1000 area 1
!

The task asks us to configure HSRP as the FHRP, so hosts can set a virtual IP address as
their default gateway; this provides redundancy for the first-hop gateway. The task also
asks us to use IP SLA and tracks for the HSRP priority decrement.


Agg-SW-5:
ip sla 10
icmp-echo 10.255.255.1 source-interface Ethernet1/2
verify-data
frequency 5
ip sla schedule 10 life forever start-time now
ip sla 11
icmp-echo 10.255.255.2 source-interface Ethernet1/3
frequency 5
ip sla schedule 11 life forever start-time now
!
track 10 list boolean and
object 11
object 12
!
track 11 ip sla 10 reachability
!
track 12 ip sla 11 reachability
!
interface Vlan10
standby 10 ip 10.10.10.254
standby 10 priority 110
standby 10 preempt
standby 10 track 10 decrement 50
!
interface Vlan20
standby 20 ip 10.10.20.254
standby 20 preempt
standby 20 track 10 decrement 50
!

Agg-SW-6:
ip sla 20
icmp-echo 10.255.255.3 source-interface Ethernet1/2
verify-data
frequency 5
ip sla schedule 20 life forever start-time now
ip sla 21
icmp-echo 10.255.255.4 source-interface Ethernet1/3
frequency 5
ip sla schedule 21 life forever start-time now
!
track 20 list boolean and
object 21
object 22
!
track 21 ip sla 20 reachability
!
track 22 ip sla 21 reachability
!
interface Vlan10
standby 10 ip 10.10.10.254
standby 10 preempt
standby 10 track 20 decrement 50
!
interface Vlan20
standby 20 ip 10.10.20.254
standby 20 priority 110
standby 20 preempt
standby 20 track 20 decrement 50
!

We defined 2 IP SLA objects on both Distribution switches to check the reachability of the
Core switches’ Loopback 0 addresses. Then we used tracks to track the reachability state of
those IP SLA objects. The tricky thing we have done here is using a boolean track list that
in turn tracks both track objects we created before. If any of those tracks fails, the state
of the boolean track becomes DOWN, thus the HSRP priority is decremented by 50 and the other
Distribution switch becomes the Active router for that VLAN.
Preemption is not enabled by default in HSRP; we must enable it explicitly so the standby
router can become Active as soon as the Active router’s priority drops by 50.
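To make the priority arithmetic concrete, here is an added Python model (not the book’s code) of the boolean-AND track list feeding the HSRP decrement and the preempt election, using the priorities, track numbers and decrement from the configurations above. The simulate_vlan10 function and the peer tie-break on interface IP are assumptions of this example.

```python
"""Model the IP SLA -> boolean track -> HSRP priority chain on Agg-SW-5/6.

Added example, not from the original lab book. It reproduces the arithmetic
behind 'Priority 60 (configured 110)': the boolean-AND list goes Down as soon
as any member SLA fails, HSRP subtracts the decrement, and with preemption the
peer with the higher effective priority becomes Active.
"""


def boolean_and_track(member_states):
    """State of 'track N list boolean and': Up only if every member object is Up."""
    return all(member_states.values())


def effective_priority(configured, track_up, decrement):
    """HSRP priority after 'standby track <obj> decrement <n>' is applied.

    Assumption of this model: the priority is floored at 1, never 0.
    """
    return configured if track_up else max(configured - decrement, 1)


def elect_active(routers):
    """Pick the Active router among peers that all have preemption enabled.

    routers: {name: {"priority": int, "ip": str}}. Highest priority wins;
    ties are broken by the highest interface IP address.
    """
    def key(item):
        _, r = item
        return (r["priority"], tuple(int(o) for o in r["ip"].split(".")))
    return max(routers.items(), key=key)[0]


def simulate_vlan10(sla10_up, sla11_up, sla20_up, sla21_up):
    """Return (active router, Agg-SW-5 priority, Agg-SW-6 priority) for VLAN 10.

    Mirrors the page: Agg-SW-5 priority 110 tracking list 10 (objects 11, 12),
    Agg-SW-6 default 100 tracking list 20 (objects 21, 22), decrement 50, preempt.
    """
    track10 = boolean_and_track({"11": sla10_up, "12": sla11_up})
    track20 = boolean_and_track({"21": sla20_up, "22": sla21_up})
    p5 = effective_priority(110, track10, 50)
    p6 = effective_priority(100, track20, 50)
    active = elect_active({
        "Agg-SW-5": {"priority": p5, "ip": "10.10.10.5"},
        "Agg-SW-6": {"priority": p6, "ip": "10.10.10.6"},
    })
    return active, p5, p6


if __name__ == "__main__":
    # Healthy: Agg-SW-5 (110) is Active, as in the first show standby output.
    print(simulate_vlan10(True, True, True, True))
    # Agg-SW-5 loses one uplink: 110 - 50 = 60 < 100, Agg-SW-6 preempts.
    print(simulate_vlan10(False, True, True, True))
    # Both lose an uplink: 60 vs 50, Agg-SW-5 stays Active.
    print(simulate_vlan10(False, True, False, True))
```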


Verification:

Agg-SW-5(config)#do sh ip int br | ex unas


Interface IP-Address OK? Method Status Protocol
Ethernet1/2 10.0.53.5 YES TFTP up up
Ethernet1/3 10.0.54.5 YES TFTP up up
Loopback0 10.255.255.5 YES TFTP up up
Vlan10 10.10.10.5 YES TFTP up up
Vlan20 10.10.20.5 YES TFTP up up

Agg-SW-6(config)#do sh ip int br | ex unas


Interface IP-Address OK? Method Status Protocol
Ethernet1/2 10.0.64.6 YES TFTP up up
Ethernet1/3 10.0.63.6 YES TFTP up up
Loopback0 10.255.255.6 YES TFTP up up
Vlan10 10.10.10.6 YES TFTP up up
Vlan20 10.10.20.6 YES TFTP up up

Agg-SW-5(config)#do sh standby
Vlan10 - Group 10
State is Active
2 state changes, last state change 1d04h
Virtual IP address is 10.10.10.254
Active virtual MAC address is 0000.0c07.ac0a (MAC In Use)
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.336 secs
Preemption enabled
Active router is local
Standby router is 10.10.10.6, priority 100 (expires in 9.392 sec)
Priority 110 (configured 110)
Track object 10 state Up decrement 50
Group name is "hsrp-Vl10-10" (default)
Vlan20 - Group 20
State is Standby
1 state change, last state change 1d04h
Virtual IP address is 10.10.20.254
Active virtual MAC address is 0000.0c07.ac14 (MAC Not In Use)
Local virtual MAC address is 0000.0c07.ac14 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.272 secs
Preemption enabled
Active router is 10.10.20.6, priority 110 (expires in 7.744 sec)
Standby router is local
Priority 100 (default 100)
Track object 10 state Up decrement 50
Group name is "hsrp-Vl20-20" (default)

Agg-SW-6(config)#do sh standby
Vlan10 - Group 10
State is Standby
1 state change, last state change 1d04h
Virtual IP address is 10.10.10.254
Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.272 secs
Preemption enabled
Active router is 10.10.10.5, priority 110 (expires in 9.312 sec)
Standby router is local
Priority 100 (default 100)
Track object 20 state Up decrement 50
Group name is "hsrp-Vl10-10" (default)
Vlan20 - Group 20
State is Active
2 state changes, last state change 1d04h
Virtual IP address is 10.10.20.254
Active virtual MAC address is 0000.0c07.ac14 (MAC In Use)
Local virtual MAC address is 0000.0c07.ac14 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.960 secs
Preemption enabled
Active router is local
Standby router is 10.10.20.5, priority 100 (expires in 10.192 sec)
Priority 110 (configured 110)
Track object 20 state Up decrement 50
Group name is "hsrp-Vl20-20" (default)


Agg-SW-5(config)#do sh ip sla statistics


IPSLAs Latest Operation Statistics

IPSLA operation id: 10


Latest RTT: 2 milliseconds
Latest operation start time: 23:32:27 +0330 Thu Apr 9 2020
Latest operation return code: OK
Number of successes: 120
Number of failures: 0
Operation time to live: Forever

IPSLA operation id: 11


Latest RTT: 2 milliseconds
Latest operation start time: 23:32:27 +0330 Thu Apr 9 2020
Latest operation return code: OK
Number of successes: 120
Number of failures: 0
Operation time to live: Forever

Agg-SW-6(config)#do sh ip sla statistics


IPSLAs Latest Operation Statistics

IPSLA operation id: 20


Latest RTT: 1 milliseconds
Latest operation start time: 23:32:44 +0330 Thu Apr 9 2020
Latest operation return code: OK
Number of successes: 123
Number of failures: 0
Operation time to live: Forever

IPSLA operation id: 21


Latest RTT: 2 milliseconds
Latest operation start time: 23:32:44 +0330 Thu Apr 9 2020
Latest operation return code: OK
Number of successes: 123
Number of failures: 0
Operation time to live: Forever

Agg-SW-5(config)#do sh track
Track 10
List boolean and
Boolean AND is Up
4 changes, last change 1d05h
object 11 Up
object 12 Up
Tracked by:
HSRP Vlan10 10
HSRP Vlan20 20
Track 11
IP SLA 10 reachability
Reachability is Up
4 changes, last change 1d05h
Latest operation return code: OK
Latest RTT (millisecs) 2
Track 12
IP SLA 11 reachability
Reachability is Up
4 changes, last change 1d05h
Latest operation return code: OK
Latest RTT (millisecs) 1

Agg-SW-6(config)#do sh track
Track 20
List boolean and
Boolean AND is Up
4 changes, last change 1d05h
object 21 Up
object 22 Up
Tracked by:
HSRP Vlan10 10
HSRP Vlan20 20
Track 21
IP SLA 20 reachability
Reachability is Up
4 changes, last change 1d05h
Latest operation return code: OK
Latest RTT (millisecs) 1
Track 22
IP SLA 21 reachability
Reachability is Up
4 changes, last change 1d05h
Latest operation return code: OK
Latest RTT (millisecs) 2


Let’s shutdown one interface of an Aggregation Switch and see what happens:

Agg-SW-5(config)#int e1/2
Agg-SW-5(config-if)#shutdown
Agg-SW-5(config-if)#
*Apr 9 20:07:49.273: %LDP-5-SP: 10.255.255.3:0: session hold up initiated
*Apr 9 20:07:49.274: %OSPF-5-ADJCHG: Process 1000, Nbr 10.255.255.3 on Ethernet1/2 from FULL to DOWN, Neighbor
Down: Interface down or detached
Agg-SW-5(config-if)#
*Apr 9 20:07:51.267: %LINK-5-CHANGED: Interface Ethernet1/2, changed state to administratively down
*Apr 9 20:07:52.268: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/2, changed state to down
Agg-SW-5(config-if)#
*Apr 9 20:07:57.037: %TRACK-6-STATE: 11 ip sla 10 reachability Up -> Down
*Apr 9 20:07:57.596: %TRACK-6-STATE: 10 list boolean and Up -> Down
Agg-SW-5(config-if)#
*Apr 9 20:07:59.724: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Active -> Speak
Agg-SW-5(config-if)#
*Apr 9 20:08:02.041: %TRACK-6-STATE: 12 ip sla 11 reachability Up -> Down
Agg-SW-5(config-if)#
*Apr 9 20:08:10.317: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby

Agg-SW-5(config-if)#do sh standby
Vlan10 - Group 10
State is Standby
4 state changes, last state change 00:00:43
Virtual IP address is 10.10.10.254
Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.160 secs
Preemption enabled
Active router is 10.10.10.6, priority 100 (expires in 8.848 sec)
Standby router is local
Priority 60 (configured 110)
Track object 10 state Down decrement 50
Group name is "hsrp-Vl10-10" (default)
Vlan20 - Group 20
State is Standby
1 state change, last state change 1d04h
Virtual IP address is 10.10.20.254
Active virtual MAC address is 0000.0c07.ac14 (MAC Not In Use)
Local virtual MAC address is 0000.0c07.ac14 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.056 secs
Preemption enabled
Active router is 10.10.20.6, priority 110 (expires in 8.960 sec)
Standby router is local
Priority 50 (default 100)
Track object 10 state Down decrement 50
Group name is "hsrp-Vl20-20" (default)

Agg-SW-5(config-if)#do sh track
Track 10
List boolean and
Boolean AND is Down
7 changes, last change 00:00:28
object 11 Down
object 12 Up
Tracked by:
HSRP Vlan10 10
HSRP Vlan20 20
Track 11
IP SLA 10 reachability
Reachability is Down
7 changes, last change 00:00:29
Latest operation return code: Timeout
Track 12
IP SLA 11 reachability
Reachability is Up
6 changes, last change 00:03:29
Latest operation return code: OK

If we shut down one uplink interface, the Distribution Layer switch loses its connection
to the core over that interface, so the IP SLA operation returns a failure code to its
track object; because of the AND operation of the boolean list, the state of the boolean
object becomes Down, and this results in the HSRP priority being decremented.


Let’s configure host facing interfaces of the Access switches:

Acc-SW-19:
interface range Ethernet0/2-3
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security
spanning-tree portfast edge
!
interface Ethernet1/0
switchport access vlan 20
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security
spanning-tree portfast edge
!

Acc-SW-20:
interface Ethernet0/2
switchport access vlan 20
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security
spanning-tree portfast edge
!
interface Ethernet0/3
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security
spanning-tree portfast edge
!

Port-security is a feature with which we can apply security limitations to a port. By
enabling this feature, the port limits the number of learned MAC addresses to 1; if more
MAC addresses appear on the port it is shut down by default. We changed this default
behavior using the switchport port-security violation restrict command. Restrict mode does
not shut the port down in the case of a violation; instead it prevents all hosts other
than the current one from communicating through this port, dropping all incoming frames
from those hosts.

Acc-SW-19#show port-security interface e0/2


Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : aabb.cc00.2c00:10
Security Violation Count : 0

PC44(config-if)#mac-address 0000.4444.4444

Acc-SW-19#
*Apr 11 15:26:16.638: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
0000.4444.4444 on port Ethernet0/2.


When we change the MAC address of the PC44 e0/0 interface, syslog messages are generated
due to the violation. The protect option does not generate syslog messages.
Acc-SW-19#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Et0/2 1 1 61 Restrict
Et0/3 1 1 0 Restrict
Et1/0 1 1 0 Restrict
---------------------------------------------------------------------------

If we change the violation action to shutdown, the port is going to be error-disabled as
soon as a violation occurs:

Acc-SW-19(config-if)#swi port-security violation shutdown


Acc-SW-19(config-if)#
*Apr 11 15:33:36.638: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
0000.4444.4444 on port Ethernet0/2.
Acc-SW-19(config-if)#
*Apr 11 15:33:41.421: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable
state
*Apr 11 15:33:42.422: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
Acc-SW-19(config-if)#
*Apr 11 15:33:43.422: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down

Acc-SW-19(config-if)#do sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Et0/2 1 1 79 Shutdown
Et0/3 1 1 0 Restrict
Et1/0 1 1 0 Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096

Acc-SW-19(config-if)#do sh port-security interface e0/2


Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.4444.4444:10
Security Violation Count : 79

Acc-SW-19#show interfaces e0/2 | include disabled


Ethernet0/2 is down, line protocol is down (err-disabled)

Acc-SW-19#show interfaces e0/2 status

Port Name Status Vlan Duplex Speed Type


Et0/2 err-disabled 10 auto auto RJ45

We can do shutdown/no shutdown on that interface then it becomes up again:

Acc-SW-19(config-if)#int e0/2
Acc-SW-19(config-if)#shutdown
Acc-SW-19(config-if)#no shutdown
Acc-SW-19(config-if)#
*Apr 11 15:39:34.273: %LINK-5-CHANGED: Interface Ethernet0/2, changed state to administratively down
Acc-SW-19(config-if)#
*Apr 11 15:39:36.638: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
Acc-SW-19(config-if)#
*Apr 11 15:39:36.638: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
0000.4444.4444 on port Ethernet0/2.
Acc-SW-19(config-if)#
*Apr 11 15:39:36.855: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down

As soon as the port comes up, it goes down again, because the host is still violating with
the static MAC address we configured on the node.


There is a better solution, indeed an automatic way to bring the port up again:

Acc-SW-19(config)#errdisable recovery cause psecure-violation


Acc-SW-19(config)#errdisable recovery interval 30
Acc-SW-19(config)#int e0/2
Acc-SW-19(config-if)#shut
Acc-SW-19(config-if)#no shut
Acc-SW-19(config-if)#
*Apr 11 15:49:24.475: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to up
*Apr 11 15:49:25.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to up
Acc-SW-19(config-if)#
*Apr 11 15:49:26.638: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
Acc-SW-19(config-if)#
*Apr 11 15:49:26.638: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
0000.4444.4444 on port Ethernet0/2.
*Apr 11 15:49:27.642: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
Acc-SW-19(config-if)#
*Apr 11 15:49:28.642: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down
Acc-SW-19(config-if)#
*Apr 11 15:49:56.634: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Et0/2
*Apr 11 15:49:56.638: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
Acc-SW-19(config-if)#
*Apr 11 15:49:56.638: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
0000.4444.4444 on port Ethernet0/2.
Acc-SW-19(config-if)#
*Apr 11 15:50:26.637: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Et0/2
Acc-SW-19(config-if)#
*Apr 11 15:50:28.642: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to up
*Apr 11 15:50:29.642: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to up

We enabled errdisable recovery for port-security violations: the switch tracks the
error-disabled interface and brings it back up after 30 seconds. Recovery does not remove
the cause, though; as the log shows, the port is re-disabled the moment the offending host
sends another frame, so the timer only helps once the host has been fixed or unplugged.
MAC addresses learned by the switch time out after a while, by default 5 minutes
(300 seconds):
Acc-SW-19#show mac address-table aging-time | include Global
Global Aging Time: 300

After 5 minutes of silence the host can resume communication using its new MAC address
as the frame's source MAC. Port-security keeps its own timer for secure addresses
(Aging Time : 0 mins in the output above, i.e. no aging), and dynamically learned secure
addresses, unlike sticky ones, do not survive a link flap, so a dynamically secured port
alone does not pin the host to one address.
We can bind a MAC address statically to the port; then even if it ages out of the MAC
address table, the host cannot communicate with any MAC address other than the static
one:

Acc-SW-19(config-if)#switchport port-security mac-address 0000.4444.4444

Acc-SW-19(config-if)#do sh port-security inter e0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.4444.4444:10
Security Violation Count : 94

PC44(config-if)#mac-address 0000.6666.6666

Acc-SW-19(config-if)#
*Apr 11 16:31:16.638: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
Acc-SW-19(config-if)#
*Apr 11 16:31:16.638: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
0000.6666.6666 on port Ethernet0/2.
*Apr 11 16:31:17.642: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
Acc-SW-19(config-if)#
*Apr 11 16:31:18.642: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down
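The violation, err-disable and recovery messages above are what a security operations team sees first, and the pattern matters more than any single line: a violation that re-fires seconds after an ERR_RECOVER attempt means the offending host is still attached and errdisable recovery is just reopening the port, while a port that keeps reporting new source MACs is a host changing its address. As an added example that is not part of the book, the following Python script parses a batch of such syslog lines (the sample is constructed from the message formats shown above, with an extra port Ethernet0/5 added so the per-port grouping is visible), counts violations and recoveries per port, collects the offending MACs, and flags re-triggered ports. The function names and the 5-second re-trigger window are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the Acc-SW-19 messages shown above
# (Ethernet0/5 is added here so the per-port grouping is visible)
SAMPLE_LOG = """\
*Apr 11 15:49:26.638: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
*Apr 11 15:49:26.638: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.4444.4444 on port Ethernet0/2.
*Apr 11 15:49:56.634: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Et0/2
*Apr 11 15:49:56.638: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disable state
*Apr 11 15:49:56.638: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.4444.4444 on port Ethernet0/2.
*Apr 11 15:50:26.637: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Et0/2
*Apr 11 16:31:16.638: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.6666.6666 on port Ethernet0/2.
*Apr 11 16:40:00.000: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.cc00.1234 on port Ethernet0/5.
"""

# IOS timestamp: "*Apr 11 15:49:26.638" (no year); the leading '*' is optional
TS = r"\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+)"
VIOLATION = re.compile(
    TS + r": %PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")
RECOVER = re.compile(TS + r": %PM-4-ERR_RECOVER: .*err-disable state on (?P<port>\S+)")


def parse_ts(raw):
    # Year is absent from IOS timestamps; deltas within one day are all we need here
    return datetime.strptime(raw, "%b %d %H:%M:%S.%f")


def short_port(name):
    # IOS mixes "Ethernet0/2" and "Et0/2" for the same port; normalise to the short form
    m = re.match(r"([A-Za-z]+)(.*)", name)
    return m.group(1)[:2] + m.group(2)


def triage(log_text, recovery_window=5.0):
    """Per port: violation count, distinct offending MACs, recovery attempts and
    the number of violations that fired within recovery_window seconds of a
    recovery attempt (offending host still attached)."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(),
                                 "recoveries": 0, "retriggered": 0})
    last_recover = {}
    for line in log_text.splitlines():
        m = RECOVER.search(line)
        if m:
            port = short_port(m.group("port"))
            ports[port]["recoveries"] += 1
            last_recover[port] = parse_ts(m.group("ts"))
            continue
        m = VIOLATION.search(line)
        if m:
            port = short_port(m.group("port"))
            entry = ports[port]
            entry["violations"] += 1
            entry["macs"].add(m.group("mac"))
            when = parse_ts(m.group("ts"))
            if port in last_recover and \
                    (when - last_recover[port]).total_seconds() <= recovery_window:
                entry["retriggered"] += 1
    return {p: {**e, "macs": sorted(e["macs"])} for p, e in ports.items()}


def verdicts(summary):
    """Turn the counters into the one-line call an analyst wants per port."""
    out = {}
    for port, e in summary.items():
        if e["retriggered"]:
            out[port] = "offending host still attached: errdisable recovery just reopens the port"
        elif len(e["macs"]) > 1:
            out[port] = "multiple source MACs seen: host is changing its address"
        else:
            out[port] = "single violation source"
    return out


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for port, text in verdicts(summary).items():
        print(port, summary[port], "->", text)
```

Feeding the script a syslog export from the whole access layer turns hundreds of individual PSECURE_VIOLATION lines into a short per-port list, and the "retriggered" counter is the one that tells you the 30-second recovery timer configured above is cycling a port that should simply stay down until someone visits it.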


There is another way to add static MAC addresses, learned dynamically rather than typed in: sticky addresses.

Acc-SW-19(config-if)#do sh run int e0/2
Building configuration...

Current configuration : 159 bytes
!
interface Ethernet0/2
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport port-security
spanning-tree portfast edge
end

Acc-SW-19(config-if)#int e0/2
Acc-SW-19(config-if)#switchport port-security mac sticky
Acc-SW-19(config-if)#do sh run int e0/2
Building configuration...

Current configuration : 264 bytes
!
interface Ethernet0/2
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.2c00
switchport port-security
spanning-tree portfast edge

All sticky-learned MAC addresses are added to the running-config, not the startup-config;
you must save the running-config to the startup-config to keep them across a reboot.
This feature is very useful during the initial bring-up of the enterprise network. Once
design, implementation and configuration are done, the network engineer can collect the
MAC addresses of the hosts connected to the access layer switches and turn them into
static entries with this feature.
We also enabled the PortFast feature of STP on host-facing ports. With PortFast the port
goes to forwarding immediately instead of passing through the listening and learning
states:

Acc-SW-19(config-if)#int e0/2
Acc-SW-19(config-if)#no spanning-tree portfast edge
Acc-SW-19(config-if)#do debug spann event
Spanning Tree event debugging is on
Acc-SW-19(config-if)#shutdown
Acc-SW-19(config-if)#
*Apr 11 16:59:45.002: STP: VLAN0010 sent Topology Change Notice on Et0/0
*Apr 11 16:59:45.002: STP[10]: Generating TC trap for port Ethernet0/2
Acc-SW-19(config-if)#
*Apr 11 16:59:47.004: %LINK-5-CHANGED: Interface Ethernet0/2, changed state to administratively down
*Apr 11 16:59:48.005: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
Acc-SW-19(config-if)#spanning-tree portfast edge
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on Ethernet0/2 but will only
have effect when the interface is in a non-trunking mode.
Acc-SW-19(config-if)#no shutdown
Acc-SW-19(config-if)#
*Apr 11 17:00:05.360: set portid: VLAN0010 Et0/2: new port id 8003
*Apr 11 17:00:05.360: STP: VLAN0010 Et0/2 ->jump to forwarding from blocking


As soon as we enable PortFast on the interface, IOS prints a warning: only enable this
feature on host-facing interfaces such as servers and PCs. The feature is active only while
the port is in access mode. If you connect a server to the switch over a trunk port, you
must enable PortFast explicitly for trunk ports:
Acc-SW-19(config-if)#spanning-tree portfast edge ?
trunk Enable portfast edge on the interface even in trunk mode
<cr>

Acc-SW-19(config-if)#spanning-tree portfast edge trunk

Enabling PortFast does not suppress STP BPDUs; the switch still generates BPDUs on those
interfaces:
Acc-SW-19#show spanning-tree interface e0/2 portfast
VLAN0010 enabled
Acc-SW-19#show spanning-tree interface e0/2

Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0010 Desg FWD 3100 128.3 P2p Edge

So the switch keeps talking STP even on PortFast-enabled access ports, and anything
plugged into such a port can talk STP back. We use BPDUGuard to detect a device speaking
STP on a PortFast-enabled interface:

Acc-SW-19(config)#int e0/2
Acc-SW-19(config-if)#spanning-tree bpduguard enable

PC44(config-if)#bridge irb
PC44(config)#bridge 1 protocol ieee
PC44(config)#int e0/0
PC44(config-if)#bridge-group 1
PC44(config-if)#shutdown
PC44(config-if)#no sh
PC44(config-if)#no shutdown

Acc-SW-19(config-if)#
*Apr 11 17:24:11.837: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/2 with BPDU Guard enabled. Disabling port.
Acc-SW-19(config-if)#
*Apr 11 17:24:11.837: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/2, putting Et0/2 in err-disable state
*Apr 11 17:24:12.837: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
Acc-SW-19(config-if)#
*Apr 11 17:24:13.837: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down

After enabling BPDUGuard on e0/2 of the access switch and bridging e0/0 of PC44 (PC44 is
actually a router, but we use it as an end host without its routing capabilities), PC44
starts generating STP BPDUs and sends them towards the access switch. BPDUGuard detects
the BPDU on the host-facing interface and puts the port into the err-disabled state:
Acc-SW-19#show interfaces e0/2 status err-disabled

Port Name Status Reason Err-disabled Vlans
Et0/2 err-disabled bpduguard

Generating STP BPDUs on end-host-facing interfaces is a waste of resources: with
hundreds of host-facing ports, the switch spends CPU time producing BPDUs nobody reads.
BPDUFilter suppresses BPDU generation and also reception; the switch ignores even the
BPDUs it receives, which on its own is dangerous because a looped cable or a rogue switch
on such a port is never detected. There is, however, a configuration that gives us both
BPDUFilter and BPDUGuard on host-facing ports.
If we enable both BPDUFilter and BPDUGuard on the interface itself, the interface-level
BPDUFilter takes precedence and discards received BPDUs before BPDUGuard ever sees them,
so BPDUGuard never fires. In effect the two cannot usefully be combined per interface.
Enabling BPDUFilter globally behaves differently: the switch sends a handful of initial
BPDUs (11 in this lab) on PortFast-enabled edge ports. If any BPDU is received in
response, BPDUFilter is disabled on that port and it resumes normal STP operation. If no
BPDU arrives, the switch stops sending BPDUs on that port but keeps listening; as soon as
a BPDU is received (even after a long silence) BPDUFilter is disabled and the port
generates BPDUs normally again.
Acc-SW-19(config)#spanning-tree portfast edge bpdufilter default

Globally enabled BPDUFilter can be used with interface enabled BPDUGuard as well as
Globally enabled BPDUGuard:
Acc-SW-19(config)#spanning-tree portfast edge bpdufilter default
Acc-SW-19(config)#spanning-tree portfast edge bpduguard default

Note: the global BPDUFilter and BPDUGuard defaults only affect PortFast-configured ports.
When both are enabled globally, BPDUFilter is switched off on a port as soon as it
receives a BPDU and BPDUGuard then comes into play:


Acc-SW-19(config)#spanning-tree portfast edge bpdufilter default
Acc-SW-19(config)#spanning-tree portfast edge bpduguard default
Acc-SW-19(config)#
*Apr 11 18:00:33.638: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Ethernet0/2 with BPDU Guard enabled.
Disabling port.
Acc-SW-19(config)#
*Apr 11 18:00:33.638: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/2, putting Et0/2 in err-disable state
*Apr 11 18:00:34.642: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
Acc-SW-19(config)#
*Apr 11 18:00:35.642: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down

Acc-SW-19(config)#do sh spann summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
Portfast Edge BPDU Guard Default is enabled
Portfast Edge BPDU Filter Default is enabled
Loopguard Default is enabled
PVST Simulation Default is enabled but inactive in pvst mode
Bridge Assurance is enabled but inactive in pvst mode
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast is enabled
BackboneFast is disabled

Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0010 1 0 0 2 3
VLAN0020 1 0 0 2 3
---------------------- -------- --------- -------- ---------- ----------
2 vlans 2 0 0 4 6

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs) : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0
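The edge-port interactions described above (PortFast without any BPDUGuard, an interface-level BPDUFilter that hides BPDUs from BPDUGuard, access ports with no port-security, DTP still enabled on an access port) are easy to get wrong across hundreds of ports, and a running-config is the only place they all show up together. As an added example that is not part of the book, the following Python audit parses an IOS running-config and reports those gaps per access port, honouring the global `spanning-tree portfast edge bpduguard default` the way the switch does (it only covers PortFast ports). The sample config is constructed and modelled on Acc-SW-19's e0/2; the finding codes and function names are this example's own, and the older `spanning-tree portfast` / `spanning-tree portfast bpduguard default` syntax is accepted alongside the `edge` form.

```python
# Constructed sample config, modelled on Acc-SW-19 (not the book's full config)
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast edge bpdufilter default
!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface Ethernet0/3
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast edge
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface Ethernet0/4
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast edge
!
end
"""

# Both spellings of the global BPDUGuard default (newer "edge" form and older form)
GLOBAL_GUARD = ("spanning-tree portfast edge bpduguard default",
                "spanning-tree portfast bpduguard default")


def parse_config(text):
    """Split an IOS running-config into global lines and per-interface lines.
    Interface bodies are the indented lines that follow 'interface X'; a '!'
    or any other top-level line ends the block."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = set()
        elif raw.startswith(" ") and current is not None:
            interfaces[current].add(raw.strip())
        else:
            current = None
            if raw.strip() and raw.strip() != "!":
                global_lines.add(raw.strip())
    return global_lines, interfaces


def audit(text):
    """Return {interface: sorted finding codes} for every access-mode port.
    Trunk and routed ports are skipped; they need a different checklist."""
    global_lines, interfaces = parse_config(text)
    guard_default = any(g in global_lines for g in GLOBAL_GUARD)
    findings = {}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue
        portfast = any(l.startswith("spanning-tree portfast") and "disable" not in l
                       for l in lines)
        guard_if = "spanning-tree bpduguard enable" in lines
        filter_if = "spanning-tree bpdufilter enable" in lines
        found = []
        if portfast and not (guard_if or guard_default):
            found.append("NO_BPDUGUARD")        # a rogue switch on this port is never detected
        if filter_if and guard_if:
            found.append("BPDUFILTER_MASKS_BPDUGUARD")  # interface filter wins, guard never fires
        if not any(l.startswith("switchport port-security") for l in lines):
            found.append("NO_PORT_SECURITY")
        if "switchport nonegotiate" not in lines:
            found.append("DTP_NEGOTIATION")     # DTP frames are still sent on an access port
        findings[name] = sorted(found)
    return findings


if __name__ == "__main__":
    for port, codes in audit(SAMPLE_CONFIG).items():
        print(port, codes or "ok")
```

Run it over `show running-config` output collected from every access switch and the only ports that should come back empty are the ones configured like e0/2 above; Ethernet0/3 in the sample is the per-interface filter-plus-guard trap the text warns about, and Ethernet0/4 is PortFast with nothing behind it.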

The task also asked us to configure UplinkFast on Access switches:

Acc-SW-19:
spanning-tree uplinkfast

Acc-SW-20:
spanning-tree uplinkfast

Let’s analyze the results of entering this command:

Acc-SW-19(config)#do sh spann vlan 10

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address aabb.cc00.0300
Cost 3100
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Bridge ID Priority 49162 (priority 49152 sys-id-ext 10)
Address aabb.cc00.1100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Uplinkfast enabled

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 3100 128.1 P2p
Et0/1 Altn BLK 3100 128.2 P2p
Et0/3 Desg FWD 3100 128.4 P2p Edge


Acc-SW-19(config)#do sh spann vlan 10 inter e0/0 detail
Port 1 (Ethernet0/0) of VLAN0010 is root forwarding
Port path cost 3100, Port priority 128, Port Identifier 128.1.
Designated root has priority 24586, address aabb.cc00.0300
Designated bridge has priority 24586, address aabb.cc00.0300
Designated port id is 128.1, designated path cost 0
Timers: message age 1, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Loop guard is enabled by default on the port
BPDU: sent 3, received 5930

Acc-SW-20#show spann vlan 20 inter e0/0 detail
Port 1 (Ethernet0/0) of VLAN0020 is root forwarding
Port path cost 3100, Port priority 128, Port Identifier 128.1.
Designated root has priority 24596, address aabb.cc00.0400
Designated bridge has priority 24596, address aabb.cc00.0400
Designated port id is 128.1, designated path cost 0
Timers: message age 2, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Loop guard is enabled by default on the port
BPDU: sent 2, received 5967

Acc-SW-19(config)#do debug spann events
Spanning Tree event debugging is on
Acc-SW-19(config)#int e0/0
Acc-SW-19(config-if)#shutdown
Acc-SW-19(config-if)#
*Apr 11 18:10:31.494: STP: VLAN0010 new root port Et0/1, cost 3200
*Apr 11 18:10:31.494: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0010 Ethernet0/1 moved to Forwarding (UplinkFast).
Acc-SW-19(config-if)#no shutdown
Acc-SW-19(config-if)#
*Apr 11 18:13:19.999: set portid: VLAN0010 Et0/0: new port id 8001
*Apr 11 18:13:19.999: STP: VLAN0010 Et0/0 -> listening
*Apr 11 18:13:19.999: set portid: VLAN0020 Et0/0: new port id 8001
*Apr 11 18:13:19.999: STP: VLAN0020 Et0/0 -> listening
*Apr 11 18:13:20.178: STP: VLAN0020 Et0/0: root port delay timer active
*Apr 11 18:13:20.178: STP: VLAN0020 Et0/0 -> blocking
*Apr 11 18:13:20.301: STP: VLAN0010 Et0/0: root port delay timer active
*Apr 11 18:13:20.301: STP: VLAN0010 Et0/0 -> blocking
Acc-SW-19(config-if)#
*Apr 11 18:13:21.996: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Apr 11 18:13:22.996: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Acc-SW-19(config-if)#
*Apr 11 18:13:39.305: STP: VLAN0010 new root port Et0/0, cost 3100
*Apr 11 18:13:39.305: STP: VLAN0010 Et0/1 -> blocking (uplinkfast)
*Apr 11 18:13:39.305: STP[10]: Generating TC trap for port Ethernet0/1
*Apr 11 18:13:39.305: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0010 Ethernet0/0 moved to Forwarding (UplinkFast).

Enabling UplinkFast automatically raises the STP port costs by 3000 (to 3100 here) and the
bridge priority from 32768 to 49152. Why does the switch increase those values? So that it
never becomes a transit switch between the distribution layer switches and stays a pure
leaf of the tree. When the switch loses its uplink, the backup link takes over and goes
straight to forwarding, as the debug shows.
The other feature the task asks us to configure is BackboneFast, but before configuring
it let's look at the default IEEE STP behaviour. We enable STP event debugging on
Acc-SW-20 and suspend the link between the distribution switches (e0/2):


Acc-SW-20(config)#do sh spann

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address aabb.cc00.0300
Cost 3100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 10 sec Forward Delay 7 sec

Acc-SW-20(config)#do debug spann event
Spanning Tree event debugging is on
Acc-SW-20(config)#
*Apr 12 13:01:48.680: STP: VLAN0010 heard root 28682-aabb.cc00.0400 on Et0/0
*Apr 12 13:01:49.258: STP: VLAN0020 heard root 28692-aabb.cc00.0300 on Et0/1
Acc-SW-20(config)#
*Apr 12 13:01:50.314: STP: VLAN0020 heard root 28692-aabb.cc00.0300 on Et0/1
*Apr 12 13:01:50.680: STP: VLAN0010 heard root 28682-aabb.cc00.0400 on Et0/0
Acc-SW-20(config)#
*Apr 12 13:01:52.315: STP: VLAN0020 heard root 28692-aabb.cc00.0300 on Et0/1
*Apr 12 13:01:52.681: STP: VLAN0010 heard root 28682-aabb.cc00.0400 on Et0/0
Acc-SW-20(config)#
*Apr 12 13:01:54.315: STP: VLAN0020 heard root 28692-aabb.cc00.0300 on Et0/1
*Apr 12 13:01:54.682: STP: VLAN0010 heard root 28682-aabb.cc00.0400 on Et0/0
Acc-SW-20(config)#
*Apr 12 13:01:56.315: STP: VLAN0020 heard root 28692-aabb.cc00.0300 on Et0/1
*Apr 12 13:01:56.604: STP: VLAN0010 Et0/0 -> listening
*Apr 12 13:01:56.682: STP: VLAN0010 heard root 28682-aabb.cc00.0400 on Et0/0
*Apr 12 13:01:57.254: STP: VLAN0020 Et0/1 -> listening
Acc-SW-20(config)#
*Apr 12 13:01:58.259: STP: VLAN0020 Topology Change rcvd on Et0/1
*Apr 12 13:01:58.259: STP: VLAN0020 sent Topology Change Notice on Et0/0
Acc-SW-20(config)#
*Apr 12 13:02:03.604: STP: VLAN0010 Et0/0 -> learning
*Apr 12 13:02:04.254: STP: VLAN0020 Et0/1 -> learning
Acc-SW-20(config)#
*Apr 12 13:02:10.604: STP[10]: Generating TC trap for port Ethernet0/0
*Apr 12 13:02:10.604: STP: VLAN0010 sent Topology Change Notice on Et0/1
*Apr 12 13:02:10.604: STP: VLAN0010 Et0/0 -> forwarding
*Apr 12 13:02:11.254: STP[20]: Generating TC trap for port Ethernet0/1
*Apr 12 13:02:11.255: STP: VLAN0020 sent Topology Change Notice on Et0/0
*Apr 12 13:02:11.255: STP: VLAN0020 Et0/1 -> forwarding

When an indirect failure happens in the bridge domain (from Acc-SW-20's point of view,
suspending e0/2 on the aggregation switches is an indirect failure), STP by default
ignores the new BPDUs arriving on e0/0 and e0/1 of Acc-SW-20 for MaxAge seconds: each
port keeps (caches) the last superior BPDU it received from the root for MaxAge (10
seconds here) and treats the inferior BPDUs now arriving as noise until that timer
expires. Only then does the bridge accept the new BPDUs and walk the port through
listening, learning and forwarding. The repeated "heard root" lines and the gap before
"-> listening" in the debug are that wait.

We enable BackboneFast feature to see what happens:

Agg-SW-5:
spanning-tree backbonefast
Agg-SW-6:
spanning-tree backbonefast
Acc-SW-19:
spanning-tree backbonefast
Acc-SW-20:
spanning-tree backbonefast

BackboneFast is a Cisco proprietary feature that must be enabled on every switch in the
bridged network; it can save up to MaxAge (20 seconds by default) when a switch recovers
from an indirect link failure. In our case MaxAge is 10 seconds:


Acc-SW-20(config)#
*Apr 12 13:22:22.685: STP: VLAN0020 heard root 28692-aabb.cc00.0300 on Et0/1
*Apr 12 13:22:22.686: STP: VLAN0020 Et0/1 -> listening
*Apr 12 13:22:22.733: STP: VLAN0020 Topology Change rcvd on Et0/1
*Apr 12 13:22:22.733: STP: VLAN0020 sent Topology Change Notice on Et0/0
*Apr 12 13:22:23.030: STP: VLAN0010 heard root 28682-aabb.cc00.0400 on Et0/0
*Apr 12 13:22:23.031: STP: VLAN0010 Et0/0 -> listening
Acc-SW-20(config)#
*Apr 12 13:22:23.850: STP: VLAN0010 Topology Change rcvd on Et0/0
*Apr 12 13:22:23.850: STP: VLAN0010 sent Topology Change Notice on Et0/1
Acc-SW-20(config)#
*Apr 12 13:22:29.688: STP: VLAN0020 Et0/1 -> learning
*Apr 12 13:22:30.033: STP: VLAN0010 Et0/0 -> learning
Acc-SW-20(config)#
*Apr 12 13:22:36.691: STP[20]: Generating TC trap for port Ethernet0/1
*Apr 12 13:22:36.692: STP: VLAN0020 sent Topology Change Notice on Et0/0
*Apr 12 13:22:36.692: STP: VLAN0020 Et0/1 -> forwarding
*Apr 12 13:22:37.033: STP[10]: Generating TC trap for port Ethernet0/0
*Apr 12 13:22:37.033: STP: VLAN0010 sent Topology Change Notice on Et0/1
*Apr 12 13:22:37.033: STP: VLAN0010 Et0/0 -> forwarding

Acc-SW-20(config)#do sh spann summ | include Backbone
BackboneFast is enabled

This time we see only one heard root message per VLAN: as soon as the bridge receives the
inferior BPDU it uses the Root Link Query mechanism to confirm that the root is still
reachable and immediately expires the cached superior BPDU instead of waiting for MaxAge.
Note that BackboneFast only removes the MaxAge wait; the port still goes through
listening and learning (14 seconds with Forward Delay 7 here, 13:22:22.686 to
13:22:36.692 in the debug).
Now let's configure the hosts and verify connectivity:

PC44(config)#no ip routing
PC44(config)#int e0/0
PC44(config-if)#ip add 10.10.10.44 255.255.255.0
PC44(config-if)#no shutdown
PC44(config-if)#ip default-gateway 10.10.10.254
PC44(config)#do trace 10.255.255.1
Type escape sequence to abort.
Tracing the route to 10.255.255.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.10.6 2 msec 1 msec 2 msec
2 10.0.63.3 [MPLS: Label 30007 Exp 0] 2 msec 2 msec 2 msec
3 10.0.31.1 2 msec * 3 msec

PC46(config)#no ip routing
PC46(config)#int e0/0
PC46(config-if)#ip add 10.10.10.46 255.255.255.0
PC46(config-if)#no shutdown
PC46(config-if)#ip default-gateway 10.10.10.254
PC46(config)#do ping 10.10.10.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.44, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
PC46(config)#do trace 10.255.255.3
Type escape sequence to abort.
Tracing the route to 10.255.255.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.10.6 1005 msec 2 msec 2 msec
2 10.0.63.3 2 msec * 3 msec

PC70(config)#no ip routing
PC70(config)#int e0/0
PC70(config-if)#ip add 10.10.20.70 255.255.255.0
PC70(config-if)#no shutdown
PC70(config-if)#ip default-gateway 10.10.20.254
PC70(config)#do trace 10.10.10.44
Type escape sequence to abort.
Tracing the route to 10.10.10.44
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.20.6 1003 msec 2 msec 1 msec
2 10.10.10.44 3 msec 2 msec 3 msec
PC70(config)#do trace 10.10.10.46
Type escape sequence to abort.
Tracing the route to 10.10.10.46
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.20.6 2 msec 1 msec 1 msec
2 10.10.10.46 3 msec 3 msec 2 msec
PC70(config)#do trace 10.255.255.4
Type escape sequence to abort.
Tracing the route to 10.255.255.4
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.20.6 2 msec 1 msec 1 msec
2 10.0.63.3 [MPLS: Label 30003 Exp 0] 2 msec 1 msec 2 msec
3 10.0.43.4 2 msec * 4 msec


PC71(config)#no ip routing
PC71(config)#int e0/0
PC71(config-if)#ip add 10.10.20.71 255.255.255.0
PC71(config-if)#no shutdown
PC71(config-if)#ip default-gateway 10.10.20.254
PC71(config)#do trace
PC71(config)#do trace 10.10.10.44
Type escape sequence to abort.
Tracing the route to 10.10.10.44
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.20.6 1003 msec 2 msec 1 msec
2 10.10.10.44 3 msec 3 msec 3 msec
PC71(config)#do trace 10.10.10.46
Type escape sequence to abort.
Tracing the route to 10.10.10.46
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.20.6 2 msec 1 msec 1 msec
2 10.10.10.46 3 msec 3 msec 2 msec

The no ip routing command disables the routing function of these routers so that they
behave like ordinary PCs (for our ping and traceroute purposes only). With IPv4 routing
disabled a Cisco router can no longer use static routes such as a default route
(ip route 0.0.0.0 0.0.0.0 ...); instead the host gets a default gateway with the
ip default-gateway command.
All PCs have full connectivity and inter-VLAN routing works, but something is wrong: only
Agg-SW-6 forwards the traffic for both VLAN 10 and VLAN 20. Let's troubleshoot:

Agg-SW-5(config)#do sh standby
Vlan10 - Group 10
State is Standby
19 state changes, last state change 00:21:54
Virtual IP address is 10.10.10.254
Active virtual MAC address is 0000.0c07.ac0a (MAC Not In Use)
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.224 secs
Preemption enabled
Active router is 10.10.10.6, priority 100 (expires in 9.968 sec)
Standby router is local
Priority 60 (configured 110)
Track object 10 state Down decrement 50
Group name is "hsrp-Vl10-10" (default)
Vlan20 - Group 20
State is Standby
19 state changes, last state change 00:21:53
Virtual IP address is 10.10.20.254
Active virtual MAC address is 0000.0c07.ac14 (MAC Not In Use)
Local virtual MAC address is 0000.0c07.ac14 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.096 secs
Preemption enabled
Active router is 10.10.20.6, priority 110 (expires in 10.752 sec)
Standby router is local
Priority 50 (default 100)
Track object 10 state Down decrement 50
Group name is "hsrp-Vl20-20" (default)

Agg-SW-5(config)#do sh ip int br | ex unas
Interface IP-Address OK? Method Status Protocol
Ethernet1/2 10.0.53.5 YES NVRAM administratively down down
Ethernet1/3 10.0.54.5 YES NVRAM up up
Loopback0 10.255.255.5 YES NVRAM up up
Vlan10 10.10.10.5 YES NVRAM up up
Vlan20 10.10.20.5 YES NVRAM up up

Agg-SW-5(config)#int e1/2
Agg-SW-5(config-if)#no shutdown
*Apr 12 13:54:01.594: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to up
*Apr 12 13:54:14.353: %TRACK-6-STATE: 11 ip sla 10 reachability Down -> Up
*Apr 12 13:54:14.736: %TRACK-6-STATE: 10 list boolean and Down -> Up
Agg-SW-5(config)#
*Apr 12 13:54:16.829: %HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active

Interface e1/2 of Agg-SW-5 was administratively down, so IP SLA 10 (track 11) and the
boolean-and track list 10 were down and the track decremented the HSRP priority by 50,
from the configured 110 to 60, below Agg-SW-6's 100. Bringing the interface up restores
the priority and, with preemption enabled, Agg-SW-5 reclaims the active role for VLAN 10
(VLAN 20 is meant to stay active on Agg-SW-6, which has priority 110 there).


PC44(config)#do trace 10.255.255.1
Type escape sequence to abort.
Tracing the route to 10.255.255.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.10.5 2 msec 1 msec 1 msec
2 10.0.53.3 [MPLS: Label 30007 Exp 0] 2 msec 2 msec 2 msec
3 10.0.31.1 2 msec
10.0.41.1 2 msec *

PC46(config)#do trace 10.255.255.3
Type escape sequence to abort.
Tracing the route to 10.255.255.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.10.5 2 msec 3 msec 1 msec
2 10.0.53.3 2 msec * 3 msec

PC70(config)#do trace 10.255.255.4
Type escape sequence to abort.
Tracing the route to 10.255.255.4
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.20.6 1 msec 1 msec 1 msec
2 10.0.63.3 [MPLS: Label 30003 Exp 0] 2 msec 1 msec 1 msec
3 10.0.43.4 3 msec * 3 msec

There is still another problem, this time suboptimal routing. When PC70 traces to
10.255.255.4 the packet travels through Core-SW-3 and only then reaches Core-SW-4,
although Agg-SW-6 has a direct redundant link to Core-SW-4 (e1/2) that is not being used.
The OSPF neighbour table is the first thing to check, since the direct link should carry
an adjacency:

Agg-SW-6(config)#do sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.255.255.3 0 FULL/ - 00:00:39 10.0.63.3 Ethernet1/3

Agg-SW-6(config)#do sh run int e1/2
interface Ethernet1/2
no switchport
ip address 10.0.64.6 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 022916530A082A334B5B07352934
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip

Core-SW-4(config)#do sh run int e1/2
interface Ethernet1/2
no switchport
ip address 10.0.64.4 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 000A1E071C52
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip


We have found the problem: the key ID matches, but the MD5 key strings on the aggregation
and core switches differ (the type 7 strings are different, and of different length, so
the underlying keys cannot be the same):

Agg-SW-6(config)#do sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.255.255.3 0 FULL/ - 00:00:39 10.0.63.3 Ethernet1/3

Core-SW-4(config)#int e1/2
Core-SW-4(config-if)#no ip ospf message-digest-key 1 md5 7 000A1E071C52
Core-SW-4(config-if)#ip ospf message-digest-key 1 md5 7 022916530A082A334B5B07352934
*Apr 12 14:14:55.815: %OSPF-5-ADJCHG: Process 1000, Nbr 10.255.255.6 on Ethernet1/2 from DOWN to INIT, Received Hello
Core-SW-4(config-if)#
*Apr 12 14:15:03.089: %OSPF-5-ADJCHG: Process 1000, Nbr 10.255.255.6 on Ethernet1/2 from INIT to 2WAY, 2-Way Received
*Apr 12 14:15:03.089: %OSPF-5-ADJCHG: Process 1000, Nbr 10.255.255.6 on Ethernet1/2 from 2WAY to EXSTART, AdjOK?
*Apr 12 14:15:03.089: %OSPF-5-ADJCHG: Process 1000, Nbr 10.255.255.6 on Ethernet1/2 from EXSTART to EXCHANGE, Negotiation Done
*Apr 12 14:15:03.090: %OSPF-5-ADJCHG: Process 1000, Nbr 10.255.255.6 on Ethernet1/2 from EXCHANGE to LOADING, Exchange Done
*Apr 12 14:15:03.090: %OSPF-5-ADJCHG: Process 1000, Nbr 10.255.255.6 on Ethernet1/2 from LOADING to FULL, Loading Done

PC70(config)#do trace 10.255.255.4
Type escape sequence to abort.
Tracing the route to 10.255.255.4
VRF info: (vrf in name/id, vrf out name/id)
1 10.10.20.6 1 msec 1 msec 1 msec
2 10.0.64.4 1 msec * 2 msec
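The two key strings compared above are stored as type 7, which is reversible obfuscation rather than encryption (it appears in the output because service password-encryption is assumed to be enabled on the lab switches). Anyone who can read the configuration recovers the OSPF MD5 key, so a mismatch like this one can be checked in plaintext, and so can an attacker who obtains a config backup. As an added example that is not part of the book, the following Python decoder reverses both type 7 strings with the well-known XOR table, extracts every OSPF MD5 key from an interface snippet and reports which key IDs differ between two sides, which is the comparison we just did by eye. The config snippets are the ones shown above; the function names are this example's own.

```python
import re

# Standard XOR table behind IOS type 7 "encryption"; the first two digits of a
# type 7 string are the starting offset into it, each following hex pair is one byte
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# The two interface snippets shown in the book (Agg-SW-6 and Core-SW-4, e1/2)
AGG_SW_6_E1_2 = """\
interface Ethernet1/2
 no switchport
 ip address 10.0.64.6 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 022916530A082A334B5B07352934
 ip ospf network point-to-point
 ip ospf 1000 area 0
 mpls ip
"""
CORE_SW_4_E1_2 = """\
interface Ethernet1/2
 no switchport
 ip address 10.0.64.4 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 000A1E071C52
 ip ospf network point-to-point
 ip ospf 1000 area 0
 mpls ip
"""

KEY_RE = re.compile(r"ip ospf message-digest-key (\d+) md5 7 ([0-9A-Fa-f]+)")


def decode_type7(encoded):
    """Reverse a type 7 string: seed = first two decimal digits, then every hex
    pair XORed with XLAT[(seed + position) % len(XLAT)]."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    plain = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        plain.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(plain)


def ospf_md5_keys(config_text):
    """Map key-id -> plaintext key for every type 7 OSPF MD5 key in the snippet."""
    return {int(kid): decode_type7(enc) for kid, enc in KEY_RE.findall(config_text)}


def mismatched_keys(cfg_a, cfg_b):
    """Key IDs whose plaintext differs between the two sides, including IDs that
    exist on one side only; any entry here breaks the adjacency."""
    a, b = ospf_md5_keys(cfg_a), ospf_md5_keys(cfg_b)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


if __name__ == "__main__":
    for name, cfg in (("Agg-SW-6", AGG_SW_6_E1_2), ("Core-SW-4", CORE_SW_4_E1_2)):
        print(name, "key IDs:", sorted(ospf_md5_keys(cfg)))
    print("mismatched key IDs:", mismatched_keys(AGG_SW_6_E1_2, CORE_SW_4_E1_2))
```

Treat type 7 strings in configuration backups, TFTP shares and ticket attachments as plaintext when deciding who may read them. Where the IOS release supports it, keep OSPF keys in a key chain with cryptographic-algorithm hmac-sha-256 and apply it with ip ospf authentication key-chain, and store the key chain with type 6 (AES) encryption (key config-key password-encrypt plus password encryption aes) so that the config no longer carries a reversible copy of the key.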

Let's verify that HSRP fails over: we shut down Agg-SW-5 while PC44 pings the Loopback 0
of Core-SW-3:


PC44(config)#do ping 10.255.255.3 re 10000 size 1500
Type escape sequence to abort.
Sending 10000, 1500-byte ICMP Echos to 10.255.255.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!...........!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

It took about 22 seconds (eleven lost 2-second probes) for the standby router to take
over the active role. What happens if we tune the HSRP timers?
Agg-SW-6(config-if)#int vlan 10
Agg-SW-6(config-if)#standby 10 timers msec 250 msec 750
Agg-SW-6(config-if)#int vlan 20
Agg-SW-6(config-if)#standby 20 timers msec 250 msec 750

Agg-SW-5(config)#int vlan 10
Agg-SW-5(config-if)#standby 10 timers msec 250 msec 750
Agg-SW-5(config-if)#int vlan 20
Agg-SW-5(config-if)#standby 20 timers msec 250 msec 750

We have now almost minimised HSRP convergence time, but what about STP? It can be tuned,
but it remains slow to converge.

Agg-SW-6(config-if)#int vlan 10
Agg-SW-6(config-if)#standby 10 timers msec 250 msec 750
Agg-SW-6(config-if)#int vlan 20
Agg-SW-6(config-if)#standby 20 timers msec 250 msec 750

Agg-SW-5(config)#int vlan 10
Agg-SW-5(config-if)#standby 10 timers msec 250 msec 750
Agg-SW-5(config-if)#int vlan 20
Agg-SW-5(config-if)#standby 20 timers msec 250 msec 750

PC44(config)#do ping 10.255.255.3 re 10000 size 1500


Type escape sequence to abort.
Sending 10000, 1500-byte ICMP Echos to 10.255.255.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
..........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The result is the same: no matter whether you configure the HSRP Hello and Hold timers in
milliseconds, IEEE STP (802.1D) is still slow and prevents a fast HSRP switchover.
We are therefore also enabling the UplinkFast and LoopGuard features on the Access switches;
those features are explained in detail in the L2 Technologies Lab.

Acc-SW-19:
spanning-tree loopguard default
spanning-tree uplinkfast
Acc-SW-20:
spanning-tree loopguard default
spanning-tree uplinkfast

Acc-SW-19#show spann summary

Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
Portfast Edge BPDU Guard Default is enabled
Portfast Edge BPDU Filter Default is enabled
Loopguard Default is enabled
PVST Simulation Default is enabled but inactive in pvst mode
Bridge Assurance is enabled but inactive in pvst mode
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast is enabled
BackboneFast is enabled

Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0010 1 0 0 3 4
VLAN0020 1 0 0 2 3
---------------------- -------- --------- -------- ---------- ----------
2 vlans 2 0 0 5 7

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs) : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

BackboneFast statistics
-----------------------
Number of transition via backboneFast (all VLANs) : 0
Number of inferior BPDUs received (all VLANs) : 0
Number of RLQ request PDUs received (all VLANs) : 0
Number of RLQ response PDUs received (all VLANs) : 0
Number of RLQ request PDUs sent (all VLANs) : 0
Number of RLQ response PDUs sent (all VLANs) : 0

Task-3 (Can be done in any order):

• Configure the Core to Distribution (Building 2) nodes IPv4 addresses according to the diagram
• All interfaces between Core to Distribution Layer nodes should be L3.
• Create VLAN 30 and VLAN 40
• Loopback 0 interfaces IP Addressing scheme should be 10.255.255.R#/32
• Every Inter-Switch connection must use this IP Addressing Scheme: 10.x.x.R#/24
• Configure OSPF between Core to Distribution L3 Links
• Enable MPLS and LDP and secure LDP sessions using password “OrhanErgunLLC”
• Change OSPF Cost reference bandwidth to 10 Gb/s
• OSPF process should not generate Syslog messages for MOSPF Type 6 LSA
• Enable Incremental SPF calculation on OSPF process
• Enable OSPF TTL Security Check
• Set OSPF and LDP router-id on each router to be the IP address of the Loopback 0 interface
• No DR/BDR election should be on any Link
• Secure the OSPF per interface using MD5 with key-id 1 and password: “OrhanErgunLLC”
• Summarize Area Subnets to 10.30.0.0/16
• CEF Load sharing should be set to Per Micro-Flow (Including Src, Dst Ports)
• Enable SSH version 2 on each node then Test configuration by doing SSH to every node
• Set Enable Secret of “OrhanErgunLLC”, Algorithm type should be sha256
• Create a username: “ccie” and secret: “OrhanErgunLLC” and also set algorithm type: sha256
• This Switch-Block should use VTP version 3 and both Distribution switches must act as VTP Server and Access Layer switches must be VTP Client, it must be secured using Password (Hidden) “OrhanErgunLLC” and set domain name to “ccie”
• All Switch-Block interfaces should be Trunk with Native VLAN of 999 and only 30, 40 VLANs should be allowed on the trunk link, trunking encapsulation must be standard based, also disable DTP
• Agg-SW-14 should be root bridge for VLAN 30 (Instance 30) and Agg-SW-15 being root bridge for VLAN 40 (Instance 40)
• Configure VRRP on aggregation switches and track Loopback 0 interfaces of Core Switches, if one of those interfaces becomes unreachable, VRRP priority should be decremented by 50
• Configure access ports (edge ports) and also port-security with sticky mac learning, and set violation mode to restrict

All of the above technologies have been explained in detail in three labs (L2 Technologies,
OSPF and MPLS Labs); if you want more information, please refer to those labs. It is
recommended to do those three labs before doing this task.

Agg-SW-14:
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname Agg-SW-14
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
clock timezone +0330 3 30
!
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination
mpls label range 140000 149999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name AREA2
revision 10
instance 30 vlan 30
instance 40 vlan 40
!
spanning-tree mst 30 priority 24576
spanning-tree mst 40 priority 28672
!
vlan dot1q tag native
!
track 1 ip sla 1 reachability
delay down 3 up 3
!
track 3 ip sla 3 reachability
delay down 3 up 3
!
track 13 list boolean and
object 1
object 3
!
interface Loopback0
ip address 10.255.255.14 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/1
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/2
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet1/3
no switchport
ip address 10.0.141.14 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 002B010E05552E1408344262253A
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/0
no switchport
ip address 10.0.143.14 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0474190E0E2F695C0E0C0B3B3E28
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Vlan30
ip address 10.30.30.14 255.255.255.0
ip helper-address 10.50.50.99
ip ospf 1000 area 2
vrrp 30 ip 10.30.30.254
vrrp 30 priority 110
vrrp 30 track 13 decrement 50
!
interface Vlan40
ip address 10.30.40.14 255.255.255.0
ip helper-address 10.50.50.99
ip ospf 1000 area 2
vrrp 40 ip 10.30.40.254
vrrp 40 track 13 decrement 50
!
router ospf 1000
router-id 10.255.255.14
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 2 stub
area 2 range 10.30.0.0 255.255.0.0
passive-interface default
no passive-interface Ethernet1/3
no passive-interface Ethernet2/0
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
!
ip sla 1
icmp-echo 10.255.255.1 source-interface Ethernet1/3
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 3
icmp-echo 10.255.255.3 source-interface Ethernet2/0
frequency 5
ip sla schedule 3 life forever start-time now
!
mpls ldp router-id Loopback0
!
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login local
transport input ssh
!
vtp mode server
vtp mode server mst

In VTP version 3 a server device must be promoted to primary server; otherwise it cannot
overwrite the VTP database of the other devices in the VTP domain:
Agg-SW-14(config)#do vtp primary force
This system is becoming primary server for feature vlan
Enter VTP Password:
*Jul 23 17:04:16.372: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: aabb.cc80.0700 has become the primary server for the VLAN VTP feature
Agg-SW-14(config)#do vtp primary mst force
This system is becoming primary server for feature mst
Enter VTP Password:
*Jul 23 17:04:30.747: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: aabb.cc80.0700 has become the primary server for the MST VTP feature

Agg-SW-15:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname Agg-SW-15
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
no aaa new-model
clock timezone +0330 3 30
!
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination
mpls label range 150000 159999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name AREA2
revision 10
instance 30 vlan 30
instance 40 vlan 40
!
spanning-tree mst 30 priority 28672
spanning-tree mst 40 priority 24576
!
vlan dot1q tag native
!
track 2 ip sla 2 reachability
delay down 3 up 3
!
track 4 ip sla 4 reachability
delay down 3 up 3
!
track 24 list boolean and
object 2
object 4
!
interface Loopback0
ip address 10.255.255.15 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/1
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/2
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet1/2
no switchport
ip address 10.0.151.15 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 132A051A0A0221382C31261F1901
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/3
no switchport
ip address 10.0.153.15 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 06291D294D402C0B02021C272027
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Vlan30
ip address 10.30.30.15 255.255.255.0
ip helper-address 10.50.50.99
ip ospf 1000 area 2
vrrp 30 ip 10.30.30.254
vrrp 30 track 24 decrement 50
!
interface Vlan40
ip address 10.30.40.15 255.255.255.0
ip helper-address 10.50.50.99
ip ospf 1000 area 2
vrrp 40 ip 10.30.40.254
vrrp 40 priority 110
vrrp 40 track 24 decrement 50
!
router ospf 1000
router-id 10.255.255.15
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 2 stub
area 2 range 10.30.0.0 255.255.0.0
passive-interface default
no passive-interface Ethernet1/2
no passive-interface Ethernet2/3
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
!
ip sla 2
icmp-echo 10.255.255.2 source-interface Ethernet1/2
frequency 5
ip sla schedule 2 life forever start-time now
ip sla 4
icmp-echo 10.255.255.4 source-interface Ethernet2/3
frequency 5
ip sla schedule 4 life forever start-time now
!
mpls ldp router-id Loopback0
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login local
transport input ssh
!
vtp mode server
vtp mode server mst

We have configured the Distribution (Aggregation) Layer MLS devices; now it is time to
configure the Access Layer ones.

Acc-SW-26:
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname Acc-SW-26
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
no aaa new-model
clock timezone +0330 3 30
!
no ip routing
!
!
no ip domain-lookup
!
spanning-tree mode mst
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
spanning-tree portfast edge bpdufilter default
spanning-tree extend system-id
!
interface Ethernet0/0
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/1
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/2
switchport access vlan 40
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.4b00
switchport port-security
!
interface Ethernet0/3
switchport access vlan 30
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.4f00
switchport port-security
!
interface Ethernet1/0
switchport access vlan 40
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.4e00
switchport port-security
!
interface Ethernet1/1
switchport access vlan 30
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.2d00
switchport port-security
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
vtp mode client
vtp mode client mst

Acc-SW-25:
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname Acc-SW-25
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
clock timezone +0330 3 30
!
no ip routing
!
no ip domain-lookup
!
spanning-tree mode mst
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
spanning-tree portfast edge bpdufilter default
spanning-tree extend system-id
!
interface Ethernet0/0
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/1
switchport trunk allowed vlan 30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
!
interface Ethernet0/2
switchport access vlan 30
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.4900
switchport port-security
!
interface Ethernet0/3
switchport access vlan 40
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.4a00
switchport port-security
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
vtp mode client
vtp mode client mst
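
Before the CLI verification, here is an added Python script (not part of the workbook) that audits a switch-block configuration against the Task-3 trunk, access-port and SSH requirements; the sample configuration embedded in it is constructed, modelled on Acc-SW-26, and deliberately contains two non-compliant interfaces so the audit has something to report.

```python
"""Audit an IOS switch-block config against the Task-3 requirements.

Added example, not from the workbook. Checks: trunks use dot1q, native VLAN 999,
allowed VLANs 30,40 and DTP off; access ports run sticky port-security with
violation mode restrict; SSH version 2 is enabled globally.
"""

# Constructed sample modelled on Acc-SW-26; Ethernet0/1 and Ethernet0/3 are
# deliberately non-compliant so the audit has something to report.
SAMPLE_CONFIG = """\
hostname Acc-SW-26
!
ip ssh version 2
!
interface Ethernet0/0
 switchport trunk allowed vlan 30,40
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface Ethernet0/1
 switchport trunk allowed vlan 30,40
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 40
 switchport mode access
 switchport nonegotiate
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security
!
interface Ethernet0/3
 switchport access vlan 30
 switchport mode access
 switchport port-security violation shutdown
 switchport port-security
!
vtp mode client
"""

TRUNK_REQUIRED = (
    "switchport trunk encapsulation dot1q",   # standards-based encapsulation
    "switchport trunk native vlan 999",       # untagged frames land in an unused VLAN
    "switchport trunk allowed vlan 30,40",    # prune everything else off the trunk
    "switchport nonegotiate",                 # DTP disabled
)
ACCESS_REQUIRED = (
    "switchport port-security",
    "switchport port-security mac-address sticky",
    "switchport port-security violation restrict",
)
GLOBAL_REQUIRED = ("ip ssh version 2",)


def parse_interfaces(config):
    """Return {interface name: set of stripped sub-commands} for every interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].add(line)
    return interfaces


def audit(config):
    """Return a list of (scope, missing command) findings; an empty list means compliant."""
    findings = []
    global_lines = {line.strip() for line in config.splitlines()}
    for cmd in GLOBAL_REQUIRED:
        if cmd not in global_lines:
            findings.append(("global", cmd))
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" in cmds:
            required = TRUNK_REQUIRED
        elif "switchport mode access" in cmds:
            required = ACCESS_REQUIRED
        else:
            continue  # routed or unconfigured port: outside this audit's scope
        findings.extend((name, cmd) for cmd in required if cmd not in cmds)
    return findings


def is_compliant(config):
    return not audit(config)


if __name__ == "__main__":
    for scope, cmd in audit(SAMPLE_CONFIG):
        print(f"{scope}: missing '{cmd}'")
```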

This block has been configured successfully. Let’s verify the configuration:
Agg-SW-14(config)#do sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.255.255.3 0 FULL/ - 00:00:35 10.0.143.3 Ethernet2/0
10.255.255.1 0 FULL/ - 00:00:35 10.0.141.1 Ethernet1/3

Agg-SW-15(config)#do sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.255.255.3 0 FULL/ - 00:00:34 10.0.153.3 Ethernet2/3
10.255.255.1 0 FULL/ - 00:00:37 10.0.151.1 Ethernet1/2

Agg-SW-14(config)#do sh vtp status

VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : ccie
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : aabb.cc80.0700

Feature VLAN:
--------------
VTP Operating Mode : Primary Server
Number of existing VLANs : 7
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 4096
Configuration Revision : 2
Primary ID : aabb.cc80.0700
Primary Description : Agg-SW-14
MD5 digest : 0xF0 0x57 0x25 0x68 0x02 0x49 0x8E 0x07
0x6C 0xAA 0xA1 0x85 0x7A 0x69 0xE5 0xD4

Feature MST:
--------------
VTP Operating Mode : Primary Server
Configuration Revision : 1
Primary ID : aabb.cc80.0700
Primary Description : Agg-SW-14
MD5 digest : 0xBC 0x53 0x70 0xA7 0xE3 0x1E 0xB4 0xC4
0x34 0x27 0x51 0x47 0x81 0x55 0x30 0xAD

Feature UNKNOWN:
--------------
VTP Operating Mode : Transparent

Agg-SW-14(config)#do sh spann | begin MST30

MST30
Spanning tree enabled protocol mstp
Root ID Priority 24606
Address aabb.cc00.0700
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24606 (priority 24576 sys-id-ext 30)
Address aabb.cc00.0700
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 2000000 128.1 P2p
Et0/1 Desg FWD 2000000 128.2 P2p
Et0/2 Desg FWD 2000000 128.3 P2p

MST40
Spanning tree enabled protocol mstp
Root ID Priority 24616
Address aabb.cc00.0800
Cost 2000000
Port 3 (Ethernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 28712 (priority 28672 sys-id-ext 40)
Address aabb.cc00.0700
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 2000000 128.1 P2p
Et0/1 Desg FWD 2000000 128.2 P2p
Et0/2 Root FWD 2000000 128.3 P2p

Agg-SW-14(config)#do sh mpls interfaces

Interface IP Tunnel BGP Static Operational
Ethernet1/3 Yes (ldp) No No No Yes
Ethernet2/0 Yes (ldp) No No No Yes

Agg-SW-14(config)#do sh vrrp
Vlan30 - Group 30
State is Master
Virtual IP address is 10.30.30.254
Virtual MAC address is 0000.5e00.011e
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Track object 13 state Up decrement 50
Master Router is 10.30.30.14 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec

Vlan40 - Group 40
State is Backup
Virtual IP address is 10.30.40.254
Virtual MAC address is 0000.5e00.0128
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Track object 13 state Up decrement 50
Master Router is 10.30.40.15, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.331 sec)
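
As an added worked example (not from the workbook), the timers and priorities in the output above follow directly from the VRRP rules: the Python below reproduces the 3.570 s and 3.609 s Master Down intervals from the advertisement interval and priority, and shows why a decrement of 50 is enough to hand Vlan30 over to Agg-SW-15 when track 13 (the boolean AND of IP SLA 1 and 3) goes down.

```python
"""VRRP timer and tracking arithmetic behind the 'show vrrp' output above.

Added example, not from the workbook. Values come from the page: advertisement
interval 1 s, priorities 110 (Agg-SW-14) and 100 (Agg-SW-15, the default) on Vlan30,
track 13 decrement 50, and track 13 = 'list boolean and' of objects 1 and 3.
"""


def master_down_interval(advertisement_sec, priority):
    """RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
    with Skew_Time = (256 - Priority) / 256. A higher priority gives a shorter
    skew, so the best backup is the first to declare the master dead."""
    return 3 * advertisement_sec + (256 - priority) / 256


def track_list_boolean_and(object_states):
    """State of a 'track N list boolean and' object: up only if every member is up."""
    return all(object_states.values())


def effective_priority(configured, decrement, track_up):
    """Priority the router advertises; the decrement applies once the tracked
    object is down (VRRP never goes below 1, 0 is reserved for releasing mastership)."""
    return configured if track_up else max(configured - decrement, 1)


def backup_takes_over(master_priority, decrement, backup_priority):
    """True when the backup's priority beats the master's decremented priority,
    so that with preemption (the VRRP default) the backup becomes master."""
    return backup_priority > effective_priority(master_priority, decrement, False)


def vlan30_scenario(sla1_up, sla3_up):
    """Vlan30: Agg-SW-14 (priority 110, track 13 decrement 50) vs Agg-SW-15 (100).
    Returns the router that ends up master for the given IP SLA 1 / IP SLA 3 states."""
    track13 = track_list_boolean_and({1: sla1_up, 3: sla3_up})
    sw14 = effective_priority(110, 50, track13)
    return "Agg-SW-14" if sw14 > 100 else "Agg-SW-15"


if __name__ == "__main__":
    print(f"Master Down interval at priority 110: {master_down_interval(1.0, 110):.3f} s")
    print(f"Master Down interval at priority 100: {master_down_interval(1.0, 100):.3f} s")
    for sla1, sla3 in [(True, True), (True, False), (False, True)]:
        print(f"IP SLA 1 up={sla1}, IP SLA 3 up={sla3} -> master {vlan30_scenario(sla1, sla3)}")
```

Note that the decrement has to exceed the gap between the two configured priorities: with a decrement of only 5, Agg-SW-14 would still advertise 105 and keep mastership even with both core loopbacks unreachable.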

Acc-SW-26(config)#do sh interface trunk

Port Mode Encapsulation Status Native vlan
Et0/0 on 802.1q trunking 999
Et0/1 on 802.1q trunking 999

Port Vlans allowed on trunk
Et0/0 30,40
Et0/1 30,40

Port Vlans allowed and active in management domain
Et0/0 30,40
Et0/1 30,40

Port Vlans in spanning tree forwarding state and not pruned
Et0/0 40
Et0/1 30

Acc-SW-26(config)#do sh vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et1/2, Et1/3, Et2/0, Et2/1
Et2/2, Et2/3, Et3/0, Et3/1
Et3/2, Et3/3, Et4/0, Et4/1
Et4/2, Et4/3, Et5/0, Et5/1
Et5/2, Et5/3
30 VLAN0030 active Et0/3, Et1/1
40 VLAN0040 active Et0/2, Et1/0
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

Acc-SW-26(config)#do sh spann mst config

Name [AREA2]
Revision 10 Instances configured 3

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-29,31-39,41-4094
30 30
40 40
-------------------------------------------------------------------------------

Acc-SW-26#show int status | ex disabled

Port Name Status Vlan Duplex Speed Type
Et0/0 connected trunk a-full auto RJ45
Et0/1 connected trunk a-full auto RJ45
Et0/2 connected 40 a-full auto RJ45
Et0/3 connected 30 a-full auto RJ45
Et1/0 connected 40 a-full auto RJ45
Et1/1 connected 30 a-full auto RJ45

Task-4 (Can be done in any order):

• Configure the Core to Distribution (DC Building 3) nodes IPv4 addresses according to the diagram
• All interfaces between Core to Distribution Layer nodes should be L3.
• Create VLAN 50
• Loopback 0 interfaces IP Addressing scheme should be 10.255.255.R#/32
• Every Inter-Switch connection must use this IP Addressing Scheme: 10.x.x.R#/24
• Configure OSPF between Core to Distribution and also Distribution to Distribution L3 Links
• Enable MPLS and LDP and secure LDP sessions using password “OrhanErgunLLC”
• Change OSPF Cost reference bandwidth to 10 Gb/s
• OSPF process should not generate Syslog messages for MOSPF Type 6 LSA
• Enable Incremental SPF calculation on OSPF process
• Enable OSPF TTL Security Check
• Set OSPF and LDP router-id on each router to be the IP address of the Loopback 0 interface
• No DR/BDR election should be on any Link
• Secure the OSPF per interface using MD5 with key-id 1 and password: “OrhanErgunLLC”
• Summarize Area Subnets to 10.30.0.0/16
• CEF Load sharing should be set to Per Micro-Flow (Including Src, Dst Ports)
• Enable SSH version 2 on each node then Test configuration by doing SSH to every node
• Set Enable Secret of “OrhanErgunLLC”, Algorithm type should be sha256
• Create a username: “ccie” and secret: “OrhanErgunLLC” and also set algorithm type: sha256
• This Switch-Block should not use VTP
• All Switch-Block interfaces should be Trunk with Native VLAN of 999 and only VLAN 50 should be allowed on the trunk links, trunking encapsulation must be standard based, also disable DTP
• Agg-SW-9 should be root bridge for VLAN 50
• Configure GLBP on aggregation switches and secure it using the MD5 key-string of “OrhanErgunLLC”
• Configure access ports (edge ports) and also port-security with sticky mac learning, and set violation mode to restrict
• Configure Bridge-Assurance on the DC building switches

In this section of the lab we have used a loop-free L2 design: as you may have noticed, the
link between Agg-SW-9 and Agg-SW-10 is a routed L3 link over which the two switches form an
OSPF adjacency.
In the previous sections (Building 1 and 2) the link between the two aggregation switches was
a trunk. This topology is not completely loop free, because VLAN 50 exists on both access
switches; we could use one VLAN per access switch to make it completely loop free. In this
case we still have an L2 loop that STP has to deal with by blocking one link:

Because GLBP is used here to take advantage of gateway load balancing for all Data Center
servers, this part has to be done this way; by default GLBP uses a round-robin algorithm
for first-hop load balancing. GLBP is explained in the L2 Technologies lab part of the
workbook, so we avoid over-explaining it here and just configure the devices.
It is also worth mentioning that GLBP packets are sent over the Inter-Switch trunk links, so
the Aggregation switches can talk GLBP to each other using the links that are connected to
the Access switches.
The Aggregation switches can also summarize that area's subnets and send only a
summarized prefix/length (10.50.0.0/16) into the backbone area.
We also need to mention that this building is our Data Center block, and as an example the
DHCP server (which is the remote DHCP server for our campus) is placed in this block. The
aggregation switch (distribution switch) of the other areas, and even remote sites, can use
the ip helper-address command to relay the DHCP messages as unicast to this DHCP server.

Agg-SW-9:
hostname Agg-SW-9
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
vtp mode off
!
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination
mpls label range 90000 99999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 50 priority 24576
!
vlan dot1q tag native
!
vlan 50,999
!
interface Loopback0
ip address 10.255.255.9 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
switchport trunk allowed vlan 50
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
spanning-tree portfast network
!
interface Ethernet0/1
switchport trunk allowed vlan 50
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
spanning-tree portfast network
!
interface Ethernet0/2
no switchport
ip address 10.9.10.9 255.255.255.0
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 3
spanning-tree portfast network
!
interface Ethernet1/2
no switchport
ip address 10.0.92.9 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 002B010E05552E1408344262253A
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/0
no switchport
ip address 10.0.91.9 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Vlan50
ip address 10.50.50.9 255.255.255.0
ip ospf 1000 area 3
glbp 50 ip 10.50.50.254
glbp 50 authentication md5 key-string 7 1236171F130529162D3E2A041F16
!
router ospf 1000
router-id 10.255.255.9
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 3 range 10.50.0.0 255.255.0.0
passive-interface default
no passive-interface Ethernet0/2
no passive-interface Ethernet1/2
no passive-interface Ethernet2/0
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
!

Agg-SW-10:
hostname Agg-SW-10
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
no aaa new-model
clock timezone +0330 3 30
!
vtp mode off
!
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination
mpls label range 10000 19999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 50 priority 28672
!
vlan dot1q tag native
!
vlan 50,999
!
interface Loopback0
ip address 10.255.255.10 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
switchport trunk allowed vlan 50
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
spanning-tree portfast network
!
interface Ethernet0/1
switchport trunk allowed vlan 50
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
spanning-tree portfast network
!
interface Ethernet0/2
no switchport
ip address 10.9.10.10 255.255.255.0
ip ospf message-digest-key 1 md5 7 002B010E05552E1408344262253A
ip ospf network point-to-point
ip ospf 1000 area 3
spanning-tree portfast network
!
interface Ethernet1/3
no switchport
ip address 10.0.102.10 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0474190E0E2F695C0E0C0B3B3E28
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/1
no switchport
ip address 10.0.101.10 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 080E5E4608172005151E02280608
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Vlan50
ip address 10.50.50.10 255.255.255.0
ip ospf 1000 area 3
glbp 50 ip 10.50.50.254
glbp 50 authentication md5 key-string 7 0524140720426B1B1E10193E272F
!
router ospf 1000
router-id 10.255.255.10
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 3 range 10.50.0.0 255.255.0.0
passive-interface default
no passive-interface Ethernet0/2
no passive-interface Ethernet1/3
no passive-interface Ethernet2/1
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
!
mpls ldp router-id Loopback0
!

Acc-SW-21:
hostname Acc-SW-21
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
clock timezone +0330 3 30
!
vtp mode off
no ip routing
!
!
!
no ip domain-lookup
no ip cef
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree extend system-id
!
vlan 50,999
!
interface Ethernet0/0
switchport trunk allowed vlan 50
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
spanning-tree portfast network
!
interface Ethernet0/1
switchport trunk allowed vlan 50

switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
spanning-tree portfast network
!
interface Ethernet0/2
switchport access vlan 50
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.7966.6841
switchport port-security
!
interface Ethernet0/3
switchport access vlan 50
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.7966.6842
switchport port-security
!
interface Ethernet1/0
switchport access vlan 50
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.4500
switchport port-security
!
interface Ethernet1/1
switchport access vlan 50
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 5000.002f.0000
switchport port-security
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!

Acc-SW-22:
hostname Acc-SW-22
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
clock timezone +0330 3 30
!
vtp mode off
no ip routing
!
no ip domain-lookup
no ip cef
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree extend system-id
!
vlan 50,999
!
interface Ethernet0/0
switchport trunk allowed vlan 50
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
spanning-tree portfast network
!
interface Ethernet0/1
switchport trunk allowed vlan 50
switchport trunk encapsulation dot1q

switchport trunk native vlan 999
switchport mode trunk
switchport nonegotiate
spanning-tree portfast network
!
interface Ethernet0/2
switchport access vlan 50
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security
!
interface Ethernet0/3
switchport access vlan 50
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security
!
interface Ethernet1/0
switchport access vlan 50
switchport mode access
switchport nonegotiate
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 5000.0030.0000
switchport port-security
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!

DC Block is fully configured, let’s verify the configuration:

Agg-SW-9(config)#do sh vtp status | include Operating
VTP Operating Mode : Off

Agg-SW-9(config)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Et0/0 on 802.1q trunking 999
Et0/1 on 802.1q trunking 999

Port Vlans allowed on trunk
Et0/0 50
Et0/1 50

Port Vlans allowed and active in management domain
Et0/0 50
Et0/1 50

Port Vlans in spanning tree forwarding state and not pruned
Et0/0 50
Et0/1 none

Agg-SW-9(config)#do sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.255.255.1 0 FULL/ - 00:00:35 10.0.91.1 Ethernet2/0
10.255.255.2 0 FULL/ - 00:00:35 10.0.92.2 Ethernet1/2
10.255.255.10 0 FULL/ - 00:00:39 10.9.10.10 Ethernet0/2

Agg-SW-9(config)#do sh ip route | include 10.50.0.0/16
O 10.50.0.0/16 is a summary, 05:05:01, Null0

Acc-SW-21(config)#do sh vlan brief | include VLAN0050|VLAN0999
50 VLAN0050 active Et0/2, Et0/3, Et1/0, Et1/1
999 VLAN0999 active

Acc-SW-21(config)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Et0/0 on 802.1q trunking 999
Et0/1 on 802.1q trunking 999

Port Vlans allowed on trunk
Et0/0 50
Et0/1 50

Port Vlans allowed and active in management domain
Et0/0 50
Et0/1 50

Port Vlans in spanning tree forwarding state and not pruned
Et0/0 50
Et0/1 50

Acc-SW-21(config)#do sh spann

VLAN0050
Spanning tree enabled protocol rstp
Root ID Priority 20530
Address aabb.cc00.0c00
Cost 100
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32818 (priority 32768 sys-id-ext 50)
Address aabb.cc00.1700
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p Network
Et0/1 Root FWD 100 128.2 P2p Network
Et0/2 Desg FWD 100 128.3 P2p Edge
Et0/3 Desg FWD 100 128.4 P2p Edge
Et1/0 Desg FWD 100 128.5 P2p Edge
Et1/1 Desg FWD 100 128.6 P2p Edge

DCHP-Server-99#trace 10.255.255.6
Type escape sequence to abort.
Tracing the route to 10.255.255.6
VRF info: (vrf in name/id, vrf out name/id)
1 10.50.50.9 2 msec 1 msec 1 msec
2 10.0.91.1 [MPLS: Label 10030 Exp 0] 2 msec 2 msec 2 msec
3 10.0.41.4 [MPLS: Label 40008 Exp 0] 2 msec 2 msec 1 msec
4 10.0.64.6 2 msec
10.0.63.6 1 msec *

SRV66> trace 10.255.255.6
trace to 10.255.255.6, 8 hops max, press Ctrl+C to stop
1 10.50.50.10 0.939 ms 0.669 ms 0.934 ms
2 10.0.102.2 1.883 ms 1.734 ms 1.571 ms
3 10.0.32.3 2.434 ms 2.014 ms 2.060 ms
4 *10.0.63.6 2.847 ms (ICMP type:3, code:3, Destination port unreachable) *

In the spanning-tree output of the switches you can see that some interfaces are in
Network mode; that is because we have enabled Bridge Assurance on the DC block
switches. Bridge Assurance is explained in the L2 Technologies Lab of the workbook.
Note: It is good practice NOT to span a VLAN across two access switches, so that the
L2 topology stays loop free.
For example, create VLAN 50 on Access-SW-21 and VLAN 55 on Access-SW-22.


Task-5 (Can be done in any order):


 Configure the Core to Distribution (Building 4) nodes IPv4 addresses according to the diagram
 All interfaces between Core to Distribution and Distribution to Access Layer nodes should be L3.
 Create VLAN 60 and 70
 Loopback 0 interfaces IP Addressing scheme should be 10.255.255.R#/32
 Every inter-switch connection must use this IP Addressing Scheme: 10.x.x.R#/24
 Configure OSPF between Core to Distribution, Distribution to Distribution and also Distribution to Access L3 Links
 Enable MPLS and LDP and secure LDP sessions using password “OrhanErgunLLC”
 Change OSPF Cost reference bandwidth to 10 Gb/s
 OSPF process should not generate Syslog messages for MOSPF Type 6 LSA
 Enable Incremental SPF calculation on OSPF process
 Enable OSPF TTL Security Check
 Set OSPF and LDP router-id on each router to be the IP address of the Loopback 0 interface
 No DR/BDR election should be on any Link
 Secure the OSPF per interface using MD5 with key-id 1 and password: “OrhanErgunLLC”
 Summarize Area Subnets to 10.60.0.0/16
 CEF Load sharing should be set to Per Micro-Flow (Including Src, Dst Ports)
 Enable SSH version 2 on each node then Test configuration by doing SSH to every node
 Set Enable Secret of “OrhanErgunLLC”, Algorithm type should be sha256
 Create a username: “ccie” and secret: “OrhanErgunLLC” and also set algorithm type: sha256
 Configure access ports (edge ports) and also port-security with sticky mac learning, and set violation mode to restrict

In this task we are going to implement the Routed Access design. In this kind of design
there are no L2 links between distribution and access switches, so we don’t need to
deal with L2 loops or rely on STP to prevent permanent L2 loops.
VLANs exist only on the access switches, and those switches are the first-hop router
(default gateway) for the end nodes.
This is also Cisco’s recommended design when it comes to SD-Access technology.
All switches in this building form OSPF neighborships with each other, and the access
switches advertise the VLAN subnets into the OSPF domain.
The distribution switches are still ABRs (Area Border Routers) and can summarize those
subnets into an aggregated route (in this example 10.60.0.0/16).
The access switches also do not need the full routing information, so we can make this
area a totally stubby one (the access switches then receive only a default route). As you
may have noticed, there is no ASBR inside this area, so a Totally Stub area is a safe
choice.
If you want to learn more about OSPF stub areas, please refer to the OSPF Topology 1
section of the workbook.
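As an added check (example code, not from the workbook and not a Cisco tool), the following Python audits a running-config against the Task-5 rules: per-interface OSPF MD5 with key-id 1, point-to-point network type, TTL security, SSH version 2, the LDP password requirement, and sticky port-security with violation mode restrict. The sample config is constructed and abridged from the Agg-SW-10 and Acc-SW-23 configurations in this lab.

```python
"""Audit an IOS running-config against the Task-5 hardening rules.
Added example, not part of the workbook and not a Cisco tool."""
from typing import Dict, List, Tuple

# Constructed, abridged config modelled on Agg-SW-10 and Acc-SW-23 from this
# lab: Ethernet0/2 carries an MD5 key but never enables authentication, and
# Ethernet0/3 lacks the 'violation restrict' setting the task asks for.
SAMPLE_CONFIG = """\
ip ssh version 2
mpls ldp password required
!
interface Loopback0
 ip address 10.255.255.10 255.255.255.255
 ip ospf 1000 area 0
!
interface Ethernet0/2
 ip address 10.9.10.10 255.255.255.0
 ip ospf message-digest-key 1 md5 7 002B010E05552E1408344262253A
 ip ospf network point-to-point
 ip ospf 1000 area 3
!
interface Ethernet1/3
 ip address 10.0.102.10 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 0474190E0E2F695C0E0C0B3B3E28
 ip ospf network point-to-point
 ip ospf 1000 area 0
!
interface Ethernet0/3
 switchport access vlan 60
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security
!
router ospf 1000
 ttl-security all-interfaces
 passive-interface default
 no passive-interface Ethernet0/2
 no passive-interface Ethernet1/3
!
mpls ldp router-id Loopback0
"""
REQUIRED_GLOBAL = ("ip ssh version 2", "mpls ldp password required",
                   "mpls ldp router-id Loopback0")
OSPF_IF_RULES = ("ip ospf authentication message-digest",
                 "ip ospf message-digest-key 1 md5",
                 "ip ospf network point-to-point")   # no DR/BDR election
ACCESS_RULES = ("switchport port-security",
                "switchport port-security mac-address sticky",
                "switchport port-security violation restrict")


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and {section: [sub-commands]}.
    IOS indents sub-commands by one space; a column-0 line is either a section
    header ('interface ...', 'router ospf ...') or a global command."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "router ospf ")):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit_config(text: str) -> List[str]:
    """Return one string per deviation from the task's rules (empty means clean)."""
    global_cmds, sections = parse_ios_config(text)
    findings = [f"global: '{c}' missing" for c in REQUIRED_GLOBAL if c not in global_cmds]
    ospf = next((v for k, v in sections.items() if k.startswith("router ospf")), [])
    if "ttl-security all-interfaces" not in ospf:
        findings.append("router ospf: 'ttl-security all-interfaces' missing")
    # Passive interfaces send no Hellos, so the per-link rules do not apply to them.
    passive_default = "passive-interface default" in ospf
    active = {ln.split()[-1] for ln in ospf if ln.startswith("no passive-interface ")}
    passive = {ln.split()[-1] for ln in ospf
               if ln.startswith("passive-interface ") and ln != "passive-interface default"}
    for header, lines in sections.items():
        if not header.startswith("interface "):
            continue
        ifname = header.split(maxsplit=1)[1]
        runs_ospf = any(ln.startswith("ip ospf ") and " area " in ln for ln in lines)
        is_passive = (passive_default and ifname not in active) or ifname in passive
        if runs_ospf and not is_passive:
            findings += [f"{ifname}: '{r}' missing" for r in OSPF_IF_RULES
                         if not any(ln.startswith(r) for ln in lines)]
        if "switchport mode access" in lines:
            findings += [f"{ifname}: '{r}' missing" for r in ACCESS_RULES if r not in lines]
    return findings
```

Running `audit_config` over a real `show running-config` capture reports, for example, an interface that holds an MD5 key but never turns authentication on, which the OSPF adjacency check alone would not reveal if the neighbor is configured the same way.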

Agg-SW-12:
hostname Agg-SW-12
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
no aaa new-model
clock timezone +0330 3 30
!
vtp mode off
!
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination 012ABBAC
mpls label range 120000 129999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
interface Loopback0
ip address 10.255.255.12 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
no switchport
ip address 10.12.23.12 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 4
mpls ip
!
interface Ethernet0/1
no switchport
ip address 10.12.24.12 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 4
mpls ip
!
interface Ethernet0/2
no switchport

ip address 10.0.213.12 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 072033444F073C17100705202809
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/0
no switchport
ip address 10.0.122.12 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 09635C01180B32000C190A060707
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/2
no switchport
ip address 10.0.121.12 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
router ospf 1000
router-id 10.255.255.12
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 4 stub no-summary
area 4 range 10.60.0.0 255.255.0.0
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1
no passive-interface Ethernet0/2
no passive-interface Ethernet2/0
no passive-interface Ethernet2/2
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
!

Agg-SW-13:
hostname Agg-SW-13
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
clock timezone +0330 3 30
!
vtp mode off
!
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination 012ABDAC
mpls label range 130000 139999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
interface Loopback0
ip address 10.255.255.13 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
no switchport
ip address 10.13.24.13 255.255.255.0
ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 4
mpls ip
!
interface Ethernet0/1
no switchport
ip address 10.13.23.13 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 4
mpls ip
!
interface Ethernet0/2
no switchport
ip address 10.0.213.13 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 072033444F073C17100705202809
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/1
no switchport
ip address 10.0.132.13 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 143800030D0A0F39233D3D190E30
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/3
no switchport
ip address 10.0.131.13 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0474190E0E2F695C0E0C0B3B3E28
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
router ospf 1000
router-id 10.255.255.13
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 4 stub no-summary
area 4 range 10.60.0.0 255.255.0.0
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1
no passive-interface Ethernet0/2
no passive-interface Ethernet2/1
no passive-interface Ethernet2/3
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
!

The configuration is straightforward, just like the previous tasks, but this time the
Distribution to Access links are also L3 links instead of L2 trunks.
Note: on the ABRs (Aggregation/Distribution switches) we entered the area 4 stub
no-summary command. On the access switches there is no need to add the no-summary
argument at the end of the area 4 stub command, because those switches are not ABRs
and no-summary would have no effect there.

Acc-SW-23:
hostname Acc-SW-23
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
!
vtp mode off
!
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination 001265AC
mpls label range 23000 23999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
spanning-tree portfast edge bpdufilter default
spanning-tree extend system-id
!
!
vlan 60
!
interface Loopback0
ip address 10.255.255.23 255.255.255.255
ip ospf 1000 area 4
!
interface Ethernet0/0
no switchport
ip address 10.12.23.23 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 4
mpls ip
!
interface Ethernet0/1
no switchport
ip address 10.13.23.23 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 4
mpls ip
!
interface Ethernet0/2
switchport access vlan 60
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.4c00
switchport port-security
!
interface Ethernet0/3
switchport access vlan 60
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.4d00
switchport port-security
!
interface Vlan60
ip address 10.60.60.254 255.255.255.0
ip helper-address 10.50.50.99
ip ospf 1000 area 4
!
router ospf 1000
router-id 10.255.255.23
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 4 stub
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2

ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
!

Acc-SW-24:
hostname Acc-SW-24
!
enable secret 8 $8$zWf.NNsCB54aSR$Xsj/n2M1nCDR/F9nPVzk3vt6FKrSPn/bH4Soi49uPA2
!
username ccie secret 8 $8$aZ3dK2AYDs2Jdx$2YvycjcBRKktJ/V8hPas/jdpRJW6bc18mdU7gPa.XqI
clock timezone +0330 3 30
!
vtp mode off
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination 00143ABC
mpls label range 24000 24999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
spanning-tree portfast edge bpdufilter default
spanning-tree extend system-id
!
vlan 70
!
interface Loopback0
ip address 10.255.255.24 255.255.255.255
ip ospf 1000 area 4
!
interface Ethernet0/0
no switchport
ip address 10.13.24.24 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 4
mpls ip
!
interface Ethernet0/1
no switchport
ip address 10.12.24.24 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 4
mpls ip
!
interface Ethernet0/2
switchport access vlan 70
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.5000
switchport port-security
!
interface Ethernet0/3
switchport access vlan 70
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.5100
switchport port-security
!
interface Ethernet1/0
switchport access vlan 70
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky aabb.cc00.5200
switchport port-security
!

interface Vlan70
ip address 10.60.70.254 255.255.255.0
ip helper-address 10.50.50.99
ip ospf 1000 area 4
!
router ospf 1000
router-id 10.255.255.24
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 4 stub
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
!

Verification:

Acc-SW-24(config)# do sh ip route ospf | begin Gate
Gateway of last resort is 10.13.24.13 to network 0.0.0.0

O*IA 0.0.0.0/0 [110/1001] via 10.13.24.13, 00:19:55, Ethernet0/0
[110/1001] via 10.12.24.12, 00:19:55, Ethernet0/1
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O 10.12.23.0/24 [110/2000] via 10.12.24.12, 00:19:55, Ethernet0/1
O 10.13.23.0/24 [110/2000] via 10.13.24.13, 00:19:55, Ethernet0/0
O 10.60.60.0/24 [110/2010] via 10.13.24.13, 00:19:55, Ethernet0/0
[110/2010] via 10.12.24.12, 00:19:55, Ethernet0/1
O 10.255.255.23/32 [110/2001] via 10.13.24.13, 00:19:55, Ethernet0/0
[110/2001] via 10.12.24.12, 00:19:55, Ethernet0/1

Acc-SW-24(config)#do sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.255.255.12 0 FULL/ - 00:00:33 10.12.24.12 Ethernet0/1
10.255.255.13 0 FULL/ - 00:00:38 10.13.24.13 Ethernet0/0

Acc-SW-24(config)#do trace 10.255.255.10
Type escape sequence to abort.
Tracing the route to 10.255.255.10
VRF info: (vrf in name/id, vrf out name/id)
1 10.12.24.12 1 msec
10.13.24.13 1 msec
10.12.24.12 0 msec
2 10.0.132.2 [MPLS: Label 20003 Exp 0] 1 msec
10.0.122.2 [MPLS: Label 20003 Exp 0] 0 msec
10.0.131.1 [MPLS: Label 10004 Exp 0] 1 msec
3 10.0.101.10 2 msec
10.0.102.10 1 msec *

Acc-SW-24(config)#do sh vlan br | ex uns

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et1/1, Et1/2, Et1/3, Et2/0
Et2/1, Et2/2, Et2/3, Et3/0
Et3/1, Et3/2, Et3/3, Et4/0
Et4/1, Et4/2, Et4/3, Et5/0
Et5/1, Et5/2, Et5/3
70 VLAN0070 active Et0/2, Et0/3, Et1/0

Task-6:
 Configure DHCP-Server-99 to give IP address, default-gateway information for VLAN 10, 20, 30, 40, 60, 70
 Configure DHCP Snooping for those VLANs
 Configure Dynamic ARP Inspection for those VLANs
 All end nodes in those VLANs must get the IP address from DHCP Server

Solution:
First of all we need to configure the DHCP server in the Data Center. This server is going to
be the remote DHCP server for our campus, so the first-hop routers (the Distribution
switches in Building 1 and 2, and the Access switches in Building 4) must be configured
with the ip helper-address command on their SVIs.

DHCP-Server-99:
ip dhcp excluded-address 10.10.10.1 10.10.10.100
ip dhcp excluded-address 10.10.20.1 10.10.20.100
ip dhcp excluded-address 10.10.10.254
ip dhcp excluded-address 10.10.20.254
ip dhcp excluded-address 10.30.30.1 10.30.30.100
ip dhcp excluded-address 10.30.40.1 10.30.40.100
ip dhcp excluded-address 10.30.30.254
ip dhcp excluded-address 10.30.40.254
ip dhcp excluded-address 10.60.60.1 10.60.60.100
ip dhcp excluded-address 10.60.70.1 10.60.70.100
ip dhcp excluded-address 10.60.60.254
ip dhcp excluded-address 10.60.70.254
ip dhcp pool VLAN10
network 10.10.10.0 255.255.255.0
default-router 10.10.10.254
domain-name orhan.local
dns-server 8.8.8.8
ip dhcp pool VLAN60
network 10.60.60.0 255.255.255.0
default-router 10.60.60.254
domain-name orhan.local
dns-server 8.8.8.8
ip dhcp pool VLAN30
network 10.30.30.0 255.255.255.0
default-router 10.30.30.254
domain-name orhan.local
dns-server 8.8.8.8
ip dhcp pool VLAN20
network 10.10.20.0 255.255.255.0
default-router 10.10.20.254
domain-name orhan.local
dns-server 8.8.8.8
ip dhcp pool VLAN40
network 10.30.40.0 255.255.255.0
default-router 10.30.40.254
domain-name orhan.local
dns-server 8.8.8.8
ip dhcp pool VLAN70
network 10.60.70.0 255.255.255.0
default-router 10.60.70.254
domain-name orhan.local
dns-server 8.8.8.8

Note: The task did not ask for a DNS server; we configured 8.8.8.8 as an extra command.
DO NOT put extra commands in the CCIE Lab exam, or you may lose the task points!

Now, let’s configure DHCP Snooping, Dynamic ARP Inspection and also DHCP Relay
agent:

Agg-SW-5 and Agg-SW-6:
int range vlan 10, vlan 20
ip helper-address 10.50.50.99
!
Agg-SW-14 and Agg-SW-15:
int range vlan 30, vlan 40
ip helper-address 10.50.50.99
!
Acc-SW-23:
int vlan 60
ip helper-address 10.50.50.99
!
ip dhcp snooping
ip dhcp snooping vlan 60
no ip dhcp snooping information option
ip arp inspection vlan 60

Acc-SW-24:
int vlan 70
ip helper-address 10.50.50.99
!
ip dhcp snooping
ip dhcp snooping vlan 70
no ip dhcp snooping information option
ip arp inspection vlan 70
Acc-SW-19 and Acc-SW-20:
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
interface range e0/0-1
ip arp inspection trust
ip dhcp snooping trust
!
no ip dhcp snooping information option

Acc-SW-25 and Acc-SW-26:
ip dhcp snooping
ip dhcp snooping vlan 30,40
ip arp inspection vlan 30,40
interface range e0/0-1
ip arp inspection trust
ip dhcp snooping trust
!
no ip dhcp snooping information option

Verification:

PC80(config)#int e0/0
PC80(config-if)#ip add dhcp
PC80(config-if)#
*Jul 23 23:31:47.218: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.60.70.106, mask
255.255.255.0, hostname PC80

PC81(config)#int e0/0
PC81(config-if)#ip address dhcp
PC81(config-if)#
*Jul 23 23:32:13.481: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.60.70.107, mask
255.255.255.0, hostname PC81

PC82(config)#int e0/0
PC82(config-if)#ip add dhcp
PC82(config-if)#
*Jul 23 23:32:23.222: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.60.70.108, mask
255.255.255.0, hostname PC82

Acc-SW-24(config)#do sh ip dhcp snooping binding

MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
AA:BB:CC:00:51:00 10.60.70.107 86324 dhcp-snooping 70 Ethernet0/3
AA:BB:CC:00:50:00 10.60.70.106 86297 dhcp-snooping 70 Ethernet0/2
AA:BB:CC:00:52:00 10.60.70.108 86333 dhcp-snooping 70 Ethernet1/0

PC70(config)#int e0/0
PC70(config-if)#ip add dhcp
PC70(config-if)#
*Jul 23 23:34:36.471: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.10.20.103, mask
255.255.255.0, hostname PC70

PC71(config)#int e0/0
PC71(config-if)#ip add dhcp
PC71(config-if)#
*Jul 23 23:34:50.964: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.10.20.104, mask
255.255.255.0, hostname PC71

PC44(config)#int e0/0
PC44(config-if)#ip add dhcp
PC44(config-if)#
*Jul 23 23:35:19.024: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.10.10.103, mask
255.255.255.0, hostname PC44

PC46(config)#int e0/0
PC46(config-if)#ip address dhcp
PC46(config-if)#
*Jul 23 23:36:46.249: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.10.10.104, mask
255.255.255.0, hostname PC46

Acc-SW-19(config)#do sh ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10,20
DHCP snooping is operational on following VLANs:
10,20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.1100 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
Ethernet0/0 yes yes unlimited
Custom circuit-ids:
Ethernet0/1 yes yes unlimited

Acc-SW-19(config)#do sh ip dhcp snooping binding

MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
AA:BB:CC:00:2E:00 10.10.10.104 86349 dhcp-snooping 10 Ethernet0/3
AA:BB:CC:00:2C:00 10.10.10.103 86262 dhcp-snooping 10 Ethernet0/2
AA:BB:CC:00:46:00 10.10.20.103 86219 dhcp-snooping 20 Ethernet1/0

Acc-SW-19(config)#do sh ip arp inspec

Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
10 Enabled Active
20 Enabled Active

Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
10 Deny Deny Off
20 Deny Deny Off

Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
10 104 0 0 0
20 49 0 0 0

Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
10 13 0 4 0
20 9 0 3 0

Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
10 0 0 0
20 0 0 0

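The DHCP snooping binding table is what DAI consults for ARP packets arriving on untrusted ports. As an added illustration (example code, not from the workbook and not Cisco IOS), the model below replays constructed ARP packets through a switch configured like Acc-SW-19 (DAI on VLANs 10 and 20, uplinks e0/0-1 trusted) using the page's binding table, and keeps per-VLAN Forwarded/Dropped counters like the output above; the gateway MAC seen on the uplink is a constructed value.

```python
"""Model of Dynamic ARP Inspection (DAI) driven by the DHCP snooping binding table.
Added example, not part of the workbook and not Cisco IOS code."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Constructed sample: the 'show ip dhcp snooping binding' output of Acc-SW-19
# shown in this lab; DAI on VLANs 10 and 20 uses it as its source of truth.
BINDING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:BB:CC:00:2E:00   10.10.10.104     86349       dhcp-snooping  10    Ethernet0/3
AA:BB:CC:00:2C:00   10.10.10.103     86262       dhcp-snooping  10    Ethernet0/2
AA:BB:CC:00:46:00   10.10.20.103     86219       dhcp-snooping  20    Ethernet1/0
"""

Binding = Tuple[str, str, int]  # (sender MAC, sender IP, VLAN)


def parse_binding_table(text: str) -> Set[Binding]:
    """Extract (mac, ip, vlan) tuples from the show output, skipping header rows."""
    bindings: Set[Binding] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[4].isdigit():
            bindings.add((fields[0].lower(), fields[1], int(fields[4])))
    return bindings


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    ingress: str      # port the ARP packet arrived on
    sender_mac: str   # sender hardware address in the ARP payload
    sender_ip: str    # sender protocol address in the ARP payload


class DaiSwitch:
    """DAI decision logic of one switch: inspected VLANs, trusted ports and a
    binding table. The optional 'ip arp inspection validate' checks are shown
    as Disabled on the page and are not modelled; the binding's port column
    is likewise not compared (a simplification of this model)."""

    def __init__(self, inspected_vlans: Iterable[int], trusted_ports: Iterable[str],
                 bindings: Iterable[Binding]) -> None:
        self.inspected = set(inspected_vlans)
        self.trusted = set(trusted_ports)
        self.bindings = set(bindings)
        # Per-VLAN counters in the spirit of the 'show ip arp inspection' statistics.
        self.stats: Dict[int, Dict[str, int]] = {}

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one ARP packet and update the counters."""
        if pkt.vlan not in self.inspected or pkt.ingress in self.trusted:
            return "forward"  # bypasses DAI: no binding lookup, no counter (as modelled)
        key = (pkt.sender_mac.lower(), pkt.sender_ip, pkt.vlan)
        verdict = "forward" if key in self.bindings else "drop"
        counters = self.stats.setdefault(pkt.vlan, {"forwarded": 0, "dropped": 0})
        counters["forwarded" if verdict == "forward" else "dropped"] += 1
        return verdict


def run_sample() -> Tuple[Dict[str, str], Dict[int, Dict[str, int]]]:
    """Replay a few constructed ARP packets through an Acc-SW-19-style switch."""
    sw = DaiSwitch({10, 20}, {"Ethernet0/0", "Ethernet0/1"},
                   parse_binding_table(BINDING_TABLE))
    cases = {
        # PC46 answering with its own leased address: matches its binding.
        "pc46_own_address": ArpPacket(10, "Ethernet0/3", "aa:bb:cc:00:2e:00", "10.10.10.104"),
        # The same host answering for the VLAN 10 gateway address: no such binding.
        "pc46_claims_gateway": ArpPacket(10, "Ethernet0/3", "aa:bb:cc:00:2e:00", "10.10.10.254"),
        # The gateway's reply arriving on a trusted uplink (constructed MAC).
        "gateway_via_uplink": ArpPacket(10, "Ethernet0/0", "aa:bb:cc:00:99:00", "10.10.10.254"),
        # A VLAN 10 binding presented on VLAN 20: bindings are per VLAN.
        "binding_from_other_vlan": ArpPacket(20, "Ethernet1/0", "aa:bb:cc:00:2c:00", "10.10.10.103"),
    }
    return {name: sw.inspect(p) for name, p in cases.items()}, sw.stats
```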
Task-7:
 Configure the Internet Aggregation block according to the topology
 Edge routers (Edge-R-31 and Edge-R-32) must form eBGP to the ISP and also iBGP with each other
 All BGP neighbors must be authenticated using password “OrhanErgunLLC”
 Both standard and extended communities should be sent to the neighbors
 Edge routers should originate a default route into the OSPF domain when they receive a default route from the ISP (the Edge-R-31 originated default route should be preferred over Edge-R-32)
 MPLS/LDP should be enabled just like previous tasks (The same rules)
 OSPF should be enabled just like previous tasks (but edge router’s VLAN 80 and VLAN 90 facing interfaces should be configured with the OSPF Network type Broadcast)
 Bogon/Martian networks should not be leaked to the ISP and vice versa (Use Prefix-Lists)
 Unicast Reverse Path Forwarding (uRPF) should be enabled on internal facing interfaces
 Edge routers must give internet access to the internal network using NAT (Use this NAT Pool: 150.101.101.0/24 on Edge-R-31 and 150.102.102.0/24 on Edge-R-32)
 Enable SSH version 2 on all devices
 Configure Zone-Based Firewall on Edge routers:
- SSH and ICMP traffic should be inspected for internal network subnet 10.0.0.0/8
- ICMP, GRE, ESP, ISAKMP traffic from WAN-Aggregation routers should be inspected (WAN-Aggregation routers IP addresses: 200.105.29.29 and 200.105.30.30)

Solution:
Let’s configure the Distribution and Access Layer switches:

Agg-SW-16:
hostname Agg-SW-16
!
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
!
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
clock timezone +0330 3 30
!
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination
mpls label range 160000 169999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
interface Loopback0
ip address 10.255.255.16 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
no switchport
ip address 10.201.80.16 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 143800030D0A0F39233D3D190E30
ip ospf 1000 area 200
mpls ip
!
interface Ethernet0/1
no switchport
ip address 10.201.90.16 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 153D190405240E362F263B0E3F24
ip ospf 1000 area 200
mpls ip
!
interface Ethernet2/2
no switchport
ip address 10.0.162.16 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 06291D294D402C0B02021C272027
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/3
no switchport
ip address 10.0.164.16 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 072033444F073C17100705202809
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
router ospf 1000
router-id 10.255.255.16
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1
no passive-interface Ethernet2/2
no passive-interface Ethernet2/3
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
!


Agg-SW-17:
hostname Agg-SW-17
!
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
!
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
clock timezone +0330 3 30
!
no ip domain-lookup
ip cef
ip cef load-sharing algorithm include-ports source destination
mpls label range 170000 179999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
interface Loopback0
ip address 10.255.255.17 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
no switchport
ip address 10.201.90.17 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 022916530A082A334B5B07352934
ip ospf 1000 area 200
mpls ip
!
interface Ethernet0/1
no switchport
ip address 10.201.80.17 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 022916530A082A334B5B07352934
ip ospf 1000 area 200
mpls ip
!
interface Ethernet2/2
no switchport
ip address 10.0.174.17 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 032B49030701045E491C17293B31
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/3
no switchport
ip address 10.0.172.17 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 OrhanErgunLLC
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
router ospf 1000
router-id 10.255.255.17
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1
no passive-interface Ethernet2/2
no passive-interface Ethernet2/3
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
!

Just like previous tasks, the distribution layer switch configuration is very easy and
straightforward.


Acc-SW-27:
hostname Acc-SW-27
!
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
!
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
!
vtp mode off
no ip routing
!
vlan 80
!
interface Loopback0
ip address 10.255.255.27 255.255.255.255
no ip route-cache
!
interface Ethernet0/0
switchport access vlan 80
switchport mode access
switchport nonegotiate
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/1
switchport access vlan 80
switchport mode access
switchport nonegotiate
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/2
switchport access vlan 80
switchport mode access
switchport nonegotiate
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/3
switchport access vlan 80
switchport mode access
switchport nonegotiate
spanning-tree portfast edge
spanning-tree bpduguard enable
!

Acc-SW-28:
hostname Acc-SW-28
!
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
!
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
vtp mode off
no ip routing
!
no ip domain-lookup
!
vlan 90
!
interface Loopback0
ip address 10.255.255.28 255.255.255.255
no ip route-cache
!
interface Ethernet0/0
switchport access vlan 90
switchport mode access
switchport nonegotiate
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/1
switchport access vlan 90
switchport mode access
switchport nonegotiate
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/2
switchport access vlan 90
switchport mode access
switchport nonegotiate
spanning-tree portfast edge
spanning-tree bpduguard enable
!
interface Ethernet0/3
switchport access vlan 90
switchport mode access
switchport nonegotiate
spanning-tree portfast edge
spanning-tree bpduguard enable
!


Now, it is time to configure the Edge routers:

Edge-R-31:
mpls label range 310000 319999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
router ospf 1000
mpls ldp sync
mpls ldp autoconfig
router-id 10.255.255.31
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/2
no passive-interface Ethernet0/3
default-information originate metric 1000
!
mpls ldp router-id Loopback0
!
interface Loopback0
ip address 10.255.255.31 255.255.255.255
ip ospf 1000 area 200
!
interface Ethernet0/0
ip address 10.200.12.31 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 013C140C5A05231D265940253526
ip ospf network point-to-point
ip ospf 1000 area 200
!
interface Ethernet0/2
ip address 10.201.80.31 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 11260B0D161C2E1E033F25080410
ip ospf 1000 area 200
!
interface Ethernet0/3
ip address 10.201.90.31 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 032B49030701045E491C17293B31
ip ospf 1000 area 200
!
Edge-R-32:
mpls label range 320000 329999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
router ospf 1000
mpls ldp sync
mpls ldp autoconfig
router-id 10.255.255.32
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/2
no passive-interface Ethernet0/3
default-information originate metric 2000
!
mpls ldp router-id Loopback0
!
interface Loopback0
ip address 10.255.255.32 255.255.255.255
ip ospf 1000 area 200
!
interface Ethernet0/0
ip address 10.200.12.32 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 013C140C5A05231D265940253526
ip ospf network point-to-point
ip ospf 1000 area 200

!
interface Ethernet0/2
ip address 10.201.90.32 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 072033444F073C17100705202809
ip ospf 1000 area 200
!
interface Ethernet0/3
ip address 10.201.80.32 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0524140720426B1B1E10193E272F
ip ospf 1000 area 200
!

Verification:

Edge-R-31(config)#do sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.255.16     1   FULL/DROTHER    00:00:31    10.201.90.16    Ethernet0/3
10.255.255.17     1   FULL/DROTHER    00:00:38    10.201.90.17    Ethernet0/3
10.255.255.32     1   FULL/DR         00:00:31    10.201.90.32    Ethernet0/3
10.255.255.16     1   FULL/DROTHER    00:00:37    10.201.80.16    Ethernet0/2
10.255.255.17     1   FULL/DROTHER    00:00:39    10.201.80.17    Ethernet0/2
10.255.255.32     1   FULL/DR         00:00:36    10.201.80.32    Ethernet0/2
10.255.255.32     0   FULL/  -        00:00:38    10.200.12.32    Ethernet0/0

Edge-R-32(config)#do sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.255.16     1   FULL/DROTHER    00:00:32    10.201.80.16    Ethernet0/3
10.255.255.17     1   FULL/DROTHER    00:00:35    10.201.80.17    Ethernet0/3
10.255.255.31     1   FULL/BDR        00:00:37    10.201.80.31    Ethernet0/3
10.255.255.16     1   FULL/DROTHER    00:00:37    10.201.90.16    Ethernet0/2
10.255.255.17     1   FULL/DROTHER    00:00:33    10.201.90.17    Ethernet0/2
10.255.255.31     1   FULL/BDR        00:00:30    10.201.90.31    Ethernet0/2
10.255.255.31     0   FULL/  -        00:00:39    10.200.12.31    Ethernet0/0

Agg-SW-16(config)#do sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.255.4      0   FULL/  -        00:00:36    10.0.164.4      Ethernet2/3
10.255.255.17     1   2WAY/DROTHER    00:00:36    10.201.90.17    Ethernet0/1
10.255.255.31     1   FULL/BDR        00:00:33    10.201.90.31    Ethernet0/1
10.255.255.32     1   FULL/DR         00:00:30    10.201.90.32    Ethernet0/1
10.255.255.17     1   2WAY/DROTHER    00:00:38    10.201.80.17    Ethernet0/0
10.255.255.31     1   FULL/BDR        00:00:31    10.201.80.31    Ethernet0/0
10.255.255.32     1   FULL/DR         00:00:35    10.201.80.32    Ethernet0/0

Agg-SW-17(config)#do sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.255.255.4      0   FULL/  -        00:00:35    10.0.174.4      Ethernet2/2
10.255.255.16     1   2WAY/DROTHER    00:00:38    10.201.80.16    Ethernet0/1
10.255.255.31     1   FULL/BDR        00:00:34    10.201.80.31    Ethernet0/1
10.255.255.32     1   FULL/DR         00:00:39    10.201.80.32    Ethernet0/1
10.255.255.16     1   2WAY/DROTHER    00:00:33    10.201.90.16    Ethernet0/0
10.255.255.31     1   FULL/BDR        00:00:38    10.201.90.31    Ethernet0/0
10.255.255.32     1   FULL/DR         00:00:33    10.201.90.32    Ethernet0/0

OSPF and LDP neighborships are up in the Internet Aggregation block.

Next, we are going to configure the BGP neighborships.
In the BGP configuration we use a prefix-list to match the Bogon/Martian prefixes and
prefix lengths, in order to prevent those illegal networks from leaking into our network
and into the global internet. Bogon networks (such as the RFC 1918 networks) should not
appear in the global internet.


Edge-R-31 and Edge-R-32:

ip prefix-list MARTIAN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list MARTIAN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list MARTIAN seq 15 deny 172.16.0.0/12 le 32
ip prefix-list MARTIAN seq 20 deny 192.168.0.0/16 le 32
ip prefix-list MARTIAN seq 25 deny 127.0.0.0/8 le 32
ip prefix-list MARTIAN seq 30 deny 169.254.0.0/16 le 32
ip prefix-list MARTIAN seq 35 deny 192.0.2.0/24 le 32
ip prefix-list MARTIAN seq 40 deny 224.0.0.0/4 le 32
ip prefix-list MARTIAN seq 45 deny 240.0.0.0/4 le 32
ip prefix-list MARTIAN seq 50 permit 0.0.0.0/0 le 32
!
Edge-R-31:
router bgp 10000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 200.105.31.105 remote-as 5000
neighbor 200.105.31.105 password 7 11260B0D161C2E1E033F25080410
neighbor 200.106.31.106 remote-as 5000
neighbor 200.106.31.106 password 7 080E5E4608172005151E02280608
!
address-family ipv4
neighbor 200.105.31.105 activate
neighbor 200.105.31.105 send-community both
neighbor 200.105.31.105 prefix-list MARTIAN in
neighbor 200.105.31.105 prefix-list MARTIAN out
neighbor 200.106.31.106 activate
neighbor 200.106.31.106 send-community both
neighbor 200.106.31.106 prefix-list MARTIAN in
neighbor 200.106.31.106 prefix-list MARTIAN out
exit-address-family
!

Edge-R-32:
router bgp 10000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 200.105.32.105 remote-as 5000
neighbor 200.105.32.105 password 7 022916530A082A334B5B07352934
neighbor 200.106.32.106 remote-as 5000
neighbor 200.106.32.106 password 7 10611B11041937190B112407080B
!
address-family ipv4
neighbor 200.105.32.105 activate
neighbor 200.105.32.105 send-community both
neighbor 200.105.32.105 prefix-list MARTIAN in
neighbor 200.105.32.105 prefix-list MARTIAN out
neighbor 200.106.32.106 activate
neighbor 200.106.32.106 send-community both
neighbor 200.106.32.106 prefix-list MARTIAN in
neighbor 200.106.32.106 prefix-list MARTIAN out
exit-address-family
!

Verification:

Edge-R-31(config-router)#do sh bgp ipv4 uni summ | begin Neigh

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.255.32   4 10000     145     147       71    0    0 02:07:41       11
200.105.31.105  4  5000     152     158       71    0    0 02:06:50       10
200.106.31.106  4  5000     154     157       71    0    0 02:06:44       10

Edge-R-32(config)#do sh bgp ipv4 uni summ | begin Neigh

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.255.31   4 10000     147     145       71    0    0 02:08:02       11
200.105.32.105  4  5000     153     158       71    0    0 02:07:14       10
200.106.32.106  4  5000     155     158       71    0    0 02:07:10       10
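As an added example (not from the workbook), the following Python models how IOS evaluates a prefix-list, first match in sequence order with the ge/le length bounds and an implicit deny at the end, and applies it to the MARTIAN list configured above. The candidate prefixes are constructed; they include the campus range, both NAT pools and the default route the edge routers expect from the ISP.

```python
"""Model IOS prefix-list matching and apply it to this task's MARTIAN list.

Added example, not part of the workbook. An entry matches a candidate prefix
when the candidate lies inside the entry's network and its length is within
[ge, le]; entries are tried in sequence order, the first match wins, and a
list with no matching entry denies (implicit deny).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    network: IPv4Network
    ge: int                # smallest prefix length that matches
    le: int                # largest prefix length that matches


def parse_prefix_list(config):
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]' lines."""
    entries = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:2] != ["ip", "prefix-list"]:
            continue
        net = IPv4Network(tok[6], strict=False)
        opts = dict(zip(tok[7::2], tok[8::2]))        # {"ge": "X", "le": "Y"}
        ge = int(opts.get("ge", net.prefixlen))
        # IOS: 'ge' without 'le' means up to /32; neither keyword means an
        # exact-length match on the entry's own prefix length.
        le = int(opts.get("le", 32 if "ge" in opts else ge))
        entries.append(Entry(int(tok[4]), tok[5], net, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries, prefix):
    """Return (action, seq) of the first matching entry, or ("deny", None)."""
    cand = IPv4Network(prefix, strict=False)
    for e in entries:
        if cand.subnet_of(e.network) and e.ge <= cand.prefixlen <= e.le:
            return e.action, e.seq
    return "deny", None


# The MARTIAN list exactly as configured on Edge-R-31 and Edge-R-32 in this task.
MARTIAN_CONFIG = """
ip prefix-list MARTIAN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list MARTIAN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list MARTIAN seq 15 deny 172.16.0.0/12 le 32
ip prefix-list MARTIAN seq 20 deny 192.168.0.0/16 le 32
ip prefix-list MARTIAN seq 25 deny 127.0.0.0/8 le 32
ip prefix-list MARTIAN seq 30 deny 169.254.0.0/16 le 32
ip prefix-list MARTIAN seq 35 deny 192.0.2.0/24 le 32
ip prefix-list MARTIAN seq 40 deny 224.0.0.0/4 le 32
ip prefix-list MARTIAN seq 45 deny 240.0.0.0/4 le 32
ip prefix-list MARTIAN seq 50 permit 0.0.0.0/0 le 32
"""
MARTIAN = parse_prefix_list(MARTIAN_CONFIG)

# Constructed candidates: the campus range, the NAT pools, the ISP default
# route and two special-use blocks that the list above does not mention.
CANDIDATES = [
    "10.30.40.0/24",       # campus subnet: denied by seq 10
    "150.101.101.0/24",    # Edge-R-31 NAT pool: permitted by seq 50
    "150.102.102.0/24",    # Edge-R-32 NAT pool: permitted by seq 50
    "0.0.0.0/0",           # ISP default route: a /0 is shorter than /8, so
                           # seq 5 does not match and seq 50 permits it
    "192.168.1.1/32",      # RFC 1918 host route: denied by seq 20
    "198.51.100.0/24",     # RFC 5737 TEST-NET-2: not in the list, permitted
    "100.64.0.0/10",       # RFC 6598 shared space: not in the list, permitted
]


def audit(entries=MARTIAN, candidates=CANDIDATES):
    """Map each candidate prefix to the (action, seq) the list returns for it."""
    return {p: evaluate(entries, p) for p in candidates}


if __name__ == "__main__":
    for prefix, (action, seq) in audit().items():
        print(f"{prefix:<20} {action:<6} seq {seq}")
```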

We are going to configure NAT on the edge routers to give internet access to the internal
devices.
First we need to match the source IP addresses using an ACL, and then define a NAT pool
to translate the source addresses to public ones:


Edge-R-31:
interface Ethernet0/0
ip nat inside
!
interface Ethernet0/2
ip nat inside
!
interface Ethernet0/3
ip nat inside
!
interface Ethernet2/0
ip nat outside
!
interface Ethernet2/1
ip nat outside
!
ip access-list standard LOCAL_RANGE
permit 10.0.0.0 0.255.255.255
!
ip nat pool NAT_POOL1 150.101.101.1 150.101.101.254 prefix-length 24
ip nat inside source list LOCAL_RANGE pool NAT_POOL1
Edge-R-32:
interface Ethernet0/0
ip nat inside
!
interface Ethernet0/2
ip nat inside
!
interface Ethernet0/3
ip nat inside
!
interface Ethernet2/0
ip nat outside
!
interface Ethernet2/1
ip nat outside
!
ip access-list standard LOCAL_RANGE
permit 10.0.0.0 0.255.255.255
!
ip nat pool NAT_POOL2 150.102.102.1 150.102.102.254 prefix-length 24
ip nat inside source list LOCAL_RANGE pool NAT_POOL2

NAT is configured, but the ISP is not aware of those public outside ranges yet, so we need
to advertise those subnets to the ISP:

Edge-R-31:
router bgp 10000
!
address-family ipv4
network 150.101.101.0 mask 255.255.255.0
!
!
Edge-R-32:
router bgp 10000
!
address-family ipv4
network 150.102.102.0 mask 255.255.255.0
!
!

Verification:

PC74#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/63/78 ms

Edge-R-31(config)#do sh ip nat trans

Pro  Inside global        Inside local         Outside local        Outside global
icmp 150.101.101.2:4      10.30.40.102:4       8.8.8.8:4            8.8.8.8:4
---  150.101.101.2        10.30.40.102         ---                  ---


We should enable uRPF on the internal interfaces. By default the router does not look at
the source IP address of a packet; it forwards the packet based on the destination IP
address only, so a packet carrying any source IP address is forwarded to its destination
according to the RIB/FIB information.
By enabling uRPF (Unicast Reverse Path Forwarding) we force the router to also check the
source IP address of the incoming packets.
For example, by entering the ip verify unicast source reachable-via rx command under an
interface, the router checks the routing table to see whether it has a specific route
towards that source IP address in the RIB, and that source IP address must also be
reachable via the interface the packet was received on.
As an example, if Edge-R-31 receives an IP packet from PC74 (10.30.40.102) on
interface e0/2, the edge router checks the routing table to see whether it has reachability
information towards that source IP address with an outgoing interface of e0/2:

Edge-R-31(config)#do sh ip cef 10.30.40.102
10.30.0.0/16
  nexthop 10.201.80.16 Ethernet0/2 label 160033
  nexthop 10.201.80.17 Ethernet0/2 label 170033
  nexthop 10.201.90.16 Ethernet0/3 label 160033
  nexthop 10.201.90.17 Ethernet0/3 label 170033

Edge-R-31(config)#do sh ip route 10.30.0.0
Routing entry for 10.30.0.0/16
  Known via "ospf 1000", distance 110, metric 3510, type inter area
  Last update from 10.201.90.16 on Ethernet0/3, 00:26:02 ago
  Routing Descriptor Blocks:
    10.201.90.17, from 10.255.255.17, 00:26:02 ago, via Ethernet0/3
      Route metric is 3510, traffic share count is 1
    10.201.90.16, from 10.255.255.16, 00:26:02 ago, via Ethernet0/3
      Route metric is 3510, traffic share count is 1
  * 10.201.80.17, from 10.255.255.17, 00:26:02 ago, via Ethernet0/2
      Route metric is 3510, traffic share count is 1
    10.201.80.16, from 10.255.255.16, 00:26:02 ago, via Ethernet0/2
      Route metric is 3510, traffic share count is 1
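As an added example (not from the workbook), this Python replays the uRPF decision described above against a FIB built from Edge-R-31's "sh ip cef" and "sh ip route" output: strict mode (reachable-via rx) passes PC74's address on e0/2 or e0/3 because the route has equal-cost paths out of both, and drops the same address arriving on e0/0. The default route towards the ISP and the test packets are constructed.

```python
"""Emulate the uRPF check on Edge-R-31 for a few constructed packets.

Added example, not part of the workbook. The FIB is taken from the
workbook's "sh ip cef" / "sh ip route" output and the interface addresses;
the default route towards the ISP is assumed. Mode "rx" is strict uRPF
(ip verify unicast source reachable-via rx): the best route to the source
must point back out the ingress interface. Mode "any" is loose uRPF: any
route to the source is enough. Without allow-default a default route never
satisfies either mode.
"""
from ipaddress import IPv4Address, IPv4Network

EDGE_R31_FIB = [
    (IPv4Network("10.30.0.0/16"), {"Ethernet0/2", "Ethernet0/3"}),  # from sh ip cef
    (IPv4Network("10.201.80.0/24"), {"Ethernet0/2"}),               # connected
    (IPv4Network("10.201.90.0/24"), {"Ethernet0/3"}),               # connected
    (IPv4Network("10.200.12.0/24"), {"Ethernet0/0"}),               # connected
    (IPv4Network("0.0.0.0/0"), {"Ethernet2/0"}),                    # assumed ISP default
]


def longest_match(fib, address):
    """Return the (network, outgoing interfaces) entry with the longest prefix covering address."""
    addr = IPv4Address(address)
    best = None
    for net, ifaces in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def urpf_passes(fib, source, ingress, mode="rx", allow_default=False):
    """True if a packet with this source arriving on ingress survives the uRPF check."""
    hit = longest_match(fib, source)
    if hit is None:
        return False                      # no route to the source at all
    net, ifaces = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers the source
    if mode == "rx":
        return ingress in ifaces          # strict: a best path must use the ingress interface
    if mode == "any":
        return True                       # loose: having a route is enough
    raise ValueError("mode must be 'rx' or 'any'")


# Constructed packets: PC74's address arriving where it should, the same
# address arriving on the wrong internal interface, and an outside address
# spoofed on an inside interface.
PACKETS = [
    ("10.30.40.102", "Ethernet0/2"),
    ("10.30.40.102", "Ethernet0/3"),
    ("10.30.40.102", "Ethernet0/0"),
    ("198.51.100.7", "Ethernet0/2"),
]


def audit(fib=EDGE_R31_FIB, packets=PACKETS, mode="rx", allow_default=False):
    """Return {(source, ingress): passes} for every packet."""
    return {(src, ifc): urpf_passes(fib, src, ifc, mode, allow_default)
            for src, ifc in packets}


if __name__ == "__main__":
    for (src, ifc), ok in audit().items():
        print(f"{src:<15} on {ifc:<12} strict uRPF: {'pass' if ok else 'DROP'}")
```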

Note: uRPF can be enabled on any campus MLS (Core, Distribution) device; in this lab we
simply chose to practise uRPF on the perimeter routers.
The last step is to configure Zone-Based Firewall on the edge routers. This feature inspects
the interesting traffic: we match the traffic using class-maps and enable inspection using
policy-maps. Zones and zone-pairs must also be defined:

Edge-R-31:
zone security INSIDE
zone security OUTSIDE
interface Ethernet0/2
zone-member security INSIDE
!
interface Ethernet0/3
zone-member security INSIDE
!
interface Ethernet0/0
zone-member security INSIDE
!
interface Ethernet2/0
zone-member security OUTSIDE
!
interface Ethernet2/1
zone-member security OUTSIDE
!


ip access-list extended ESP-ISAKMP
permit esp any any
permit udp any eq isakmp any eq isakmp
permit udp any eq non500-isakmp any
permit udp any any eq non500-isakmp
ip access-list extended INSIDE-TO-OUTSIDE
permit icmp 10.0.0.0 0.255.255.255 any
permit tcp 10.0.0.0 0.255.255.255 any eq 22
permit gre host 201.105.30.30 any
permit gre host 201.105.29.29 any
permit icmp host 200.105.29.29 any
permit icmp host 200.105.30.30 any
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 10.0.0.0 0.255.255.255
permit gre any host 201.105.30.30
permit gre any host 201.105.29.29
permit tcp any eq 22 10.0.0.0 0.255.255.255
permit tcp any 10.0.0.0 0.255.255.255 eq 22
permit icmp any host 200.105.29.29
permit icmp any host 200.105.30.30
!
class-map type inspect match-all ESP-ISAKMP-CLASS
match access-group name ESP-ISAKMP
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class type inspect ESP-ISAKMP-CLASS
pass
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
inspect
class type inspect ESP-ISAKMP-CLASS
pass
class class-default
drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
Edge-R-31:
zone security INSIDE
zone security OUTSIDE
interface Ethernet0/2
zone-member security INSIDE
!
interface Ethernet0/3
zone-member security INSIDE
!
interface Ethernet0/0
zone-member security INSIDE
!
interface Ethernet2/0
zone-member security OUTSIDE
!
interface Ethernet2/1
zone-member security OUTSIDE
!
ip access-list extended ESP-ISAKMP
permit esp any any
permit udp any eq isakmp any eq isakmp
permit udp any eq non500-isakmp any
permit udp any any eq non500-isakmp
ip access-list extended INSIDE-TO-OUTSIDE
permit icmp 10.0.0.0 0.255.255.255 any
permit tcp 10.0.0.0 0.255.255.255 any eq 22
permit gre host 201.105.30.30 any
permit gre host 201.105.29.29 any
permit icmp host 200.105.29.29 any
permit icmp host 200.105.30.30 any
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 10.0.0.0 0.255.255.255
permit gre any host 201.105.30.30
permit gre any host 201.105.29.29
permit tcp any eq 22 10.0.0.0 0.255.255.255
permit tcp any 10.0.0.0 0.255.255.255 eq 22
permit icmp any host 200.105.29.29
permit icmp any host 200.105.30.30


class-map type inspect match-all ESP-ISAKMP-CLASS
match access-group name ESP-ISAKMP
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class type inspect ESP-ISAKMP-CLASS
pass
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
inspect
class type inspect ESP-ISAKMP-CLASS
pass
class class-default
drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!

Verification:

Edge-R-31(config)#do sh policy-map type inspect

  Policy Map type inspect INSIDE-TO-OUTSIDE-POLICY
    Class INSIDE-TO-OUTSIDE-CLASS
      Inspect
    Class ESP-ISAKMP-CLASS
      Pass
    Class class-default
      Drop log

  Policy Map type inspect OUTSIDE-TO-INSIDE-POLICY
    Class OUTSIDE-TO-INSIDE-CLASS
      Inspect
    Class ESP-ISAKMP-CLASS
      Pass
    Class class-default
      Drop log

PC74#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 53/67/92 ms
PC74#telnet 8.8.8.8
Trying 8.8.8.8 ...

Edge-R-31(config)#
*Jul 24 23:26:11.419: %FW-6-DROP_PKT: Dropping tcp session 10.30.40.102:44884 8.8.8.8:23 on zone-pair IN-TO-OUT
class class-default due to DROP action found in policy-map with ip ident 44431

Edge-R-31(config)#do sh policy-map type inspect zone-pair

policy exists on zp IN-TO-OUT
 Zone-pair: IN-TO-OUT

  Service-policy inspect : INSIDE-TO-OUTSIDE-POLICY

    Class-map: INSIDE-TO-OUTSIDE-CLASS (match-all)
      Match: access-group name INSIDE-TO-OUTSIDE

      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [0:4]
        icmp packets: [0:43]
--More--
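As an added example (not from the workbook), this Python replays Edge-R-31's zone membership, zone-pair, class-map and policy-map logic over the ACLs configured above and reproduces the verdicts seen in the verification: the ICMP flow from PC74 is inspected, while the telnet session to 8.8.8.8:23 matches no class and falls into class-default, which drops it. The packets are constructed and the model covers only the first packet of a flow.

```python
"""Offline model of the Edge-R-31 Zone-Based Firewall policy in this task.

Added example, not part of the workbook. It parses the workbook's extended
ACLs and applies zone membership, zone-pairs, class-maps (match-all on one
access-group) and policy-maps to the first packet of a flow. Return traffic
of an inspected session is allowed by session state on the router, which
this model does not track.
"""
from ipaddress import IPv4Address, IPv4Network

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}   # port names used in the ACLs

def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tok[i]; return (network, next i)."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1]), i + 2
    wildcard = int(IPv4Address(tok[i + 1]))            # contiguous wildcard masks only
    return IPv4Network((tok[i], 32 - wildcard.bit_length()), strict=False), i + 2

def _port(tok, i):
    """Parse an optional 'eq PORT' at tok[i]; return (port or None, next i)."""
    if i < len(tok) and tok[i] == "eq":
        return int(PORT_NAMES.get(tok[i + 1], tok[i + 1])), i + 2
    return None, i

def parse_acl(body):
    """Turn 'permit PROTO SRC [eq P] DST [eq P]' lines into (proto, src, sport, dst, dport)."""
    aces = []
    for line in body.strip().splitlines():
        tok = line.split()
        if tok[0] != "permit":
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        aces.append((tok[1], src, sport, dst, dport))
    return aces

def acl_permits(aces, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port); ports are None for icmp/esp/gre."""
    proto, src, sport, dst, dport = pkt
    for aproto, anet, aport, bnet, bport in aces:
        if (aproto == proto and IPv4Address(src) in anet and IPv4Address(dst) in bnet
                and aport in (None, sport) and bport in (None, dport)):
            return True
    return False

# ACLs transcribed from the Edge-R-31 configuration above.
ACLS = {
    "ESP-ISAKMP": parse_acl("""
        permit esp any any
        permit udp any eq isakmp any eq isakmp
        permit udp any eq non500-isakmp any
        permit udp any any eq non500-isakmp"""),
    "INSIDE-TO-OUTSIDE": parse_acl("""
        permit icmp 10.0.0.0 0.255.255.255 any
        permit tcp 10.0.0.0 0.255.255.255 any eq 22
        permit gre host 201.105.30.30 any
        permit gre host 201.105.29.29 any
        permit icmp host 200.105.29.29 any
        permit icmp host 200.105.30.30 any"""),
    "OUTSIDE-TO-INSIDE": parse_acl("""
        permit icmp any 10.0.0.0 0.255.255.255
        permit gre any host 201.105.30.30
        permit gre any host 201.105.29.29
        permit tcp any eq 22 10.0.0.0 0.255.255.255
        permit tcp any 10.0.0.0 0.255.255.255 eq 22
        permit icmp any host 200.105.29.29
        permit icmp any host 200.105.30.30"""),
}
CLASS_ACL = {"ESP-ISAKMP-CLASS": "ESP-ISAKMP", "INSIDE-TO-OUTSIDE-CLASS": "INSIDE-TO-OUTSIDE",
             "OUTSIDE-TO-INSIDE-CLASS": "OUTSIDE-TO-INSIDE"}
POLICIES = {  # classes are tried in order; the first match decides the action
    "INSIDE-TO-OUTSIDE-POLICY": [("INSIDE-TO-OUTSIDE-CLASS", "inspect"),
                                 ("ESP-ISAKMP-CLASS", "pass"), ("class-default", "drop")],
    "OUTSIDE-TO-INSIDE-POLICY": [("OUTSIDE-TO-INSIDE-CLASS", "inspect"),
                                 ("ESP-ISAKMP-CLASS", "pass"), ("class-default", "drop")],
}
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): "INSIDE-TO-OUTSIDE-POLICY",
              ("OUTSIDE", "INSIDE"): "OUTSIDE-TO-INSIDE-POLICY"}
ZONE_OF = {"Ethernet0/0": "INSIDE", "Ethernet0/2": "INSIDE", "Ethernet0/3": "INSIDE",
           "Ethernet2/0": "OUTSIDE", "Ethernet2/1": "OUTSIDE"}

def zbf_action(ingress, egress, pkt):
    """Return 'inspect', 'pass' or 'drop' for the first packet of a transit flow."""
    src_zone, dst_zone = ZONE_OF.get(ingress), ZONE_OF.get(egress)
    if src_zone == dst_zone:
        return "pass"          # traffic between interfaces of the same zone is not policed
    if src_zone is None or dst_zone is None:
        return "drop"          # a zone member cannot exchange transit traffic with a non-member
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:
        return "drop"          # no zone-pair between the two zones: default deny
    for cls, action in POLICIES[policy]:
        if cls == "class-default" or acl_permits(ACLS[CLASS_ACL[cls]], pkt):
            return action
    return "drop"
```

Calling zbf_action("Ethernet0/2", "Ethernet2/0", ("tcp", "10.30.40.102", 44884, "8.8.8.8", 23)) reproduces the %FW-6-DROP_PKT verdict from the log above; swapping port 23 for 22 returns "inspect".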


We also need to tune BGP. Zone-Based Firewall in IOS is not active-active and the two
firewalls do not synchronise their session state with each other, so we need to force the
return traffic to come back to the same device (if Edge-R-31 forwards a flow to the ISP,
the same edge device must receive the return traffic from the ISP; otherwise the other edge
router drops the incoming flow because it has no session for it).

Edge-R-31:
ip prefix-list NAT-RANGE2 seq 5 permit 150.102.102.0/24
ip prefix-list DMVPN-RANGE seq 5 permit 200.105.30.0/24
ip prefix-list DMVPN-RANGE seq 10 permit 200.105.29.0/24
!
route-map TO-ISP permit 40
match ip address prefix-list NAT-RANGE2
set as-path prepend 10000
route-map TO-ISP permit 50
match ip address prefix-list DMVPN-RANGE
set as-path prepend 10000
route-map TO-ISP permit 60
!
router bgp 10000
!
address-family ipv4
neighbor 200.105.31.105 route-map TO-ISP out
neighbor 200.106.31.106 route-map TO-ISP out
exit-address-family
!
Edge-R-32:
ip prefix-list DMVPN-RANGE seq 5 permit 200.105.30.0/24
ip prefix-list DMVPN-RANGE seq 10 permit 200.105.29.0/24
ip prefix-list NAT-RANGE1 seq 5 permit 150.101.101.0/24
!
route-map TO-ISP permit 40
match ip address prefix-list NAT-RANGE1
set as-path prepend 10000 10000
route-map TO-ISP permit 50
match ip address prefix-list DMVPN-RANGE
set as-path prepend 10000 10000
route-map TO-ISP permit 60
!
router bgp 10000
!
address-family ipv4
neighbor 200.105.32.105 route-map TO-ISP out
neighbor 200.106.32.106 route-map TO-ISP out
exit-address-family
!

Verification:

SP-PE-R-105(config)#do sh bgp ipv4 uni | begin 150.

* 150.101.101.0/24 200.105.29.29 0 10000 i
* 200.105.30.30 0 10000 i
* i 200.106.31.31 0 100 0 10000 i
* 200.105.32.32 0 10000 10000 i
*> 200.105.31.31 0 0 10000 i
* 150.102.102.0/24 200.105.29.29 0 10000 i
* 200.105.30.30 0 10000 i
* i 200.106.32.32 0 100 0 10000 i
* 200.105.31.31 0 10000 10000 i
*> 200.105.32.32 0 0 10000 i
r 200.105.29.0 200.105.32.32 0 10000 10000 10000 i
r 200.105.31.31 0 10000 10000 i
r 200.105.30.30 0 10000 i
r> 200.105.29.29 0 0 10000 i
r 200.105.30.0 200.105.32.32 0 10000 10000 10000 i
r 200.105.31.31 0 10000 10000 i
r 200.105.29.29 0 10000 i
r> 200.105.30.30 0 0 10000 i
*> 200.105.31.0 0.0.0.0 0 32768 i
*> 200.105.32.0 0.0.0.0 0 32768 i
* i 200.106.31.0 10.254.254.106 0 100 0 i
*>i 10.254.254.106 0 100 0 i
* i 200.106.32.0 10.254.254.106 0 100 0 i
--More--


Task-8:
• Configure the WAN Aggregation block according to the topology
• OSPF, MPLS/LDP should be configured just like previous tasks
• Edge routers (Edge-R29 and Edge-R30) must form eBGP to the ISP and also iBGP with each other (also with Edge-R-31 and Edge-R-32)
• All BGP neighbors must be authenticated using password “OrhanErgunLLC”
• Block Bogon/Martian networks (To/From ISP)
• Both standard and extended communities should be sent to the neighbors
• WAN Aggregation routers must use BGP Multipath for IPv4 AF
• Edge-R29 and Edge-R30 should be Hub for DMVPN (Phase 3)
• Use EIGRP as the Dynamic Routing Protocol for DMVPN
• DMVPN remote sites should be able to reach all campus networks

Solution:
Just like previous tasks, we need to configure OSPF and MPLS/LDP in this block. One
difference is that there is no Access Layer in this part: the Aggregation routers are directly
connected to the Distribution Layer switches.
We could have designed the Internet Aggregation block the same way, but for labbing
purposes we used access layer devices in that block.
This OSPF area is going to be configured as an NSSA. We do not need external prefixes on
the Aggregation edge devices, because they form iBGP with the Internet Aggregation edge
devices and receive the external routes from BGP. The area cannot be configured as a Stub
area, because the edge routers are going to redistribute EIGRP and BGP learned routes into
the OSPF domain.

Agg-SW-7:
hostname Agg-SW-7
!
enable secret 8 $8$lLlQ1l7EZREZah$/SyYyvuuyvhuxiLkoGqUZXSUpGKPImOxlTPEmcSWitM
!
username ccie secret 8 $8$ij8b2/D6/by62B$rwG5EOIEKQEmFyd0KWFcnQV318Ns/HvxHO0Ki4ZoOig
no aaa new-model
clock timezone +0330 3 30
!
no ip domain-lookup
ip domain-name orhan.local
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
mpls label range 70000 79999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 072033444F073C17100705202809
mpls ldp session protection
!
interface Loopback0
ip address 10.255.255.7 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
no switchport
ip address 10.0.87.7 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet0/1
no switchport
ip address 10.129.7.7 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 032B49030701045E491C17293B31
ip ospf network point-to-point
ip ospf 1000 area 100
mpls ip
!
interface Ethernet0/2
no switchport
ip address 10.130.7.7 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 11260B0D161C2E1E033F25080410
ip ospf network point-to-point
ip ospf 1000 area 100
mpls ip
!
interface Ethernet2/0
no switchport
ip address 10.0.74.7 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 013C140C5A05231D265940253526
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/1
no switchport
ip address 10.0.73.7 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 022916530A082A334B5B07352934
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
router ospf 1000
router-id 10.255.255.7
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 100 nssa
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1


no passive-interface Ethernet0/2
no passive-interface Ethernet2/0
no passive-interface Ethernet2/1
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0

Agg-SW-8:
hostname Agg-SW-8
!
enable secret 8 $8$lLlQ1l7EZREZah$/SyYyvuuyvhuxiLkoGqUZXSUpGKPImOxlTPEmcSWitM
!
username ccie secret 8 $8$ij8b2/D6/by62B$rwG5EOIEKQEmFyd0KWFcnQV318Ns/HvxHO0Ki4ZoOig
no aaa new-model
clock timezone +0330 3 30
!
no ip domain-lookup
ip domain-name orhan.local
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
mpls label range 80000 89999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 072033444F073C17100705202809
mpls ldp session protection
!
interface Loopback0
ip address 10.255.255.8 255.255.255.255
ip ospf 1000 area 0
!
interface Ethernet0/0
no switchport
ip address 10.0.87.8 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 1236171F130529162D3E2A041F16
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet0/1
no switchport
ip address 10.130.8.8 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 072033444F073C17100705202809
ip ospf network point-to-point
ip ospf 1000 area 100
mpls ip
!
interface Ethernet0/2
no switchport
ip address 10.129.8.8 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 132A051A0A0221382C31261F1901
ip ospf network point-to-point
ip ospf 1000 area 100
mpls ip
!
interface Ethernet2/1
no switchport
ip address 10.0.84.8 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0524140720426B1B1E10193E272F
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
interface Ethernet2/2
no switchport
ip address 10.0.83.8 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 132A051A0A0221382C31261F1901
ip ospf network point-to-point
ip ospf 1000 area 0
mpls ip
!
router ospf 1000
router-id 10.255.255.8
ignore lsa mospf
ispf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 100 nssa
passive-interface default
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1
no passive-interface Ethernet0/2
no passive-interface Ethernet2/1
no passive-interface Ethernet2/2
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard SUBNET_10
permit 10.0.0.0 0.255.255.255
!
mpls ldp router-id Loopback0
!

The distribution routers' configuration is straightforward; we configured them just like in the previous tasks.
Now let's configure BGP, DMVPN, EIGRP and the IPsec profile for DMVPN on the edge routers:

Edge-R29:
crypto isakmp policy 10000
encryption aes 256
hash sha256
authentication pre-share
group 24
crypto isakmp key orhan address 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec profile DMVPN-PF
set transform-set DMVPN-TS
interface Tunnel10000
ip address 192.168.255.29 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Orhan
ip nhrp network-id 2930
ip nhrp holdtime 60
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet5
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile DMVPN-PF
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 10000
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10000
no passive-interface
summary-address 10.0.0.0 255.0.0.0
summary-address 192.168.0.0 255.255.0.0
exit-af-interface
!
topology base
default-metric 10000 100 255 1 1500
exit-af-topology
network 192.168.255.0
exit-address-family

ip prefix-list MARTIAN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list MARTIAN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list MARTIAN seq 15 deny 172.16.0.0/12 le 32
ip prefix-list MARTIAN seq 20 deny 192.168.0.0/16 le 32
ip prefix-list MARTIAN seq 25 deny 127.0.0.0/8 le 32
ip prefix-list MARTIAN seq 30 deny 169.254.0.0/16 le 32
ip prefix-list MARTIAN seq 35 deny 192.0.2.0/24 le 32
ip prefix-list MARTIAN seq 40 deny 224.0.0.0/4 le 32
ip prefix-list MARTIAN seq 45 deny 240.0.0.0/4 le 32
ip prefix-list MARTIAN seq 50 permit 0.0.0.0/0 le 32
ip prefix-list REMOTE-SITE-SUBNETS seq 5 permit 192.168.3.0/24
ip prefix-list REMOTE-SITE-SUBNETS seq 10 permit 192.168.4.0/24
router bgp 10000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.103.29.103 remote-as 5000
neighbor 10.104.29.104 remote-as 5000
neighbor 10.255.255.30 remote-as 10000
neighbor 10.255.255.30 password 7 06291D294D402C0B02021C272027
neighbor 10.255.255.30 update-source Loopback0
neighbor 10.255.255.31 remote-as 10000
neighbor 10.255.255.31 password 7 0474190E0E2F695C0E0C0B3B3E28
neighbor 10.255.255.31 update-source Loopback0
neighbor 10.255.255.32 remote-as 10000
neighbor 10.255.255.32 password 7 153D190405240E362F263B0E3F24
neighbor 10.255.255.32 update-source Loopback0
neighbor 200.105.29.105 remote-as 5000
neighbor 200.105.29.105 password 7 0474190E0E2F695C0E0C0B3B3E28
!
address-family ipv4
network 192.168.0.0 mask 255.255.0.0
network 200.105.29.0
redistribute eigrp 10000
neighbor 10.103.29.103 activate
neighbor 10.104.29.104 activate
neighbor 10.255.255.30 activate
neighbor 10.255.255.30 send-community both
neighbor 10.255.255.30 next-hop-self
neighbor 10.255.255.31 activate
neighbor 10.255.255.31 send-community both
neighbor 10.255.255.31 next-hop-self
neighbor 10.255.255.32 activate
neighbor 10.255.255.32 send-community both
neighbor 10.255.255.32 next-hop-self
neighbor 200.105.29.105 activate
neighbor 200.105.29.105 send-community both
neighbor 200.105.29.105 prefix-list MARTIAN in
neighbor 200.105.29.105 prefix-list MARTIAN out
maximum-paths ibgp 2
exit-address-family

We have configured two summary addresses under the EIGRP process for interface Tunnel10000. One of them (192.168.0.0/16) serves DMVPN Phase 3: by advertising a summary route to the spokes, the hub sends them only a single prefix. This reduces the RIB size on the spoke routers, and they can still learn more specific routes through NHRP redirect messages when needed.
The other summary address (10.0.0.0/8) gives the remote sites reachability to the HQ devices.
We also redistributed the EIGRP-learned routes into BGP, so the Internet aggregation edge routers can learn those prefixes.
Now it is time to configure OSPF, enable MPLS/LDP and redistribute the BGP-learned routes into OSPF. Only the routes the edge routers learn from the MPLS WAN must be redistributed, not the routes learned from the Internet. That is why we use a route-map that allows only a limited set of prefixes to be redistributed into OSPF; otherwise we would put OSPF, and the whole enterprise's connectivity, in danger by redistributing the full Internet BGP table into an IGP.
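
The two filters described above (the MARTIAN prefix-list applied on the Internet peer and the REMOTE-SITE-SUBNETS route-map that gates BGP-to-OSPF redistribution) can be checked offline before they are pushed to a router. The following Python script is an added example, not part of the workbook and not Cisco tooling: it re-implements IOS prefix-list matching as we understand it (entries evaluated in sequence order, first match wins, `ge`/`le` length ranges, implicit deny at the end) and runs the two lists from the Edge-R29 configuration over a constructed sample BGP table. The sample prefixes, the function names and the use of RFC 5737 documentation ranges as stand-ins for Internet prefixes are our own assumptions.

```python
"""IOS prefix-list matching, re-implemented to check the edge-router filters.
Added example (not from the workbook): the MARTIAN and REMOTE-SITE-SUBNETS lists
are copied from the configuration above; the matching rules are our model of IOS
behaviour, and the sample BGP table at the bottom is constructed.
"""
from ipaddress import IPv4Network
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    seq: int
    action: str           # "permit" or "deny"
    prefix: IPv4Network   # prefix/length written in the entry
    ge: Optional[int]     # minimum prefix length, None if absent
    le: Optional[int]     # maximum prefix length, None if absent


# Copied verbatim from the Edge-R29 configuration.
PREFIX_LIST_CONFIG = """
ip prefix-list MARTIAN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list MARTIAN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list MARTIAN seq 15 deny 172.16.0.0/12 le 32
ip prefix-list MARTIAN seq 20 deny 192.168.0.0/16 le 32
ip prefix-list MARTIAN seq 25 deny 127.0.0.0/8 le 32
ip prefix-list MARTIAN seq 30 deny 169.254.0.0/16 le 32
ip prefix-list MARTIAN seq 35 deny 192.0.2.0/24 le 32
ip prefix-list MARTIAN seq 40 deny 224.0.0.0/4 le 32
ip prefix-list MARTIAN seq 45 deny 240.0.0.0/4 le 32
ip prefix-list MARTIAN seq 50 permit 0.0.0.0/0 le 32
ip prefix-list REMOTE-SITE-SUBNETS seq 5 permit 192.168.3.0/24
ip prefix-list REMOTE-SITE-SUBNETS seq 10 permit 192.168.4.0/24
""".strip().splitlines()


def parse_prefix_list(lines: List[str], name: str) -> List[Entry]:
    """Collect the entries of one named list, in sequence-number order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[:2] != ["ip", "prefix-list"] or t[2] != name:
            continue
        seq, action, net = int(t[4]), t[5], IPv4Network(t[6], strict=False)
        ge = le = None
        rest = t[7:]                      # optional 'ge N' / 'le N' pairs
        while rest:
            key, val = rest[0], int(rest[1])
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
            rest = rest[2:]
        entries.append(Entry(seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def entry_matches(e: Entry, route: IPv4Network) -> bool:
    """The route must lie inside the entry's prefix, and its length must equal
    the entry's length unless ge/le widen the range: only 'le' -> [len, le],
    only 'ge' -> [ge, 32], both -> [ge, le]."""
    if not route.subnet_of(e.prefix):
        return False
    lo = e.prefix.prefixlen if e.ge is None else e.ge
    if e.le is not None:
        hi = e.le
    elif e.ge is not None:
        hi = 32
    else:
        hi = e.prefix.prefixlen
    return lo <= route.prefixlen <= hi


def evaluate(name: str, route: str) -> str:
    """First matching entry decides; an unmatched route hits the implicit deny."""
    net = IPv4Network(route)
    for e in parse_prefix_list(PREFIX_LIST_CONFIG, name):
        if entry_matches(e, net):
            return e.action
    return "deny"


def redistributed_into_ospf(bgp_routes: List[str]) -> List[str]:
    """route-map REDIST-BGP-TO-OSPF: one 'permit 10' clause matching
    REMOTE-SITE-SUBNETS; everything else hits the route-map's implicit deny."""
    return [r for r in bgp_routes if evaluate("REMOTE-SITE-SUBNETS", r) == "permit"]


def accepted_from_internet_peer(received: List[str]) -> List[str]:
    """'neighbor 200.105.29.105 prefix-list MARTIAN in' applied to an update."""
    return [r for r in received if evaluate("MARTIAN", r) == "permit"]


# Constructed sample BGP table: remote-site prefixes from the MPLS WAN, Internet
# prefixes (RFC 5737 ranges stand in for real ones), RFC 1918 space, multicast
# and a default route.
SAMPLE_BGP_TABLE = [
    "192.168.3.0/24", "192.168.4.0/24",    # remote sites via MPLS WAN
    "203.0.113.0/24", "198.51.100.0/24",   # "Internet" prefixes
    "192.168.0.0/16", "10.255.255.36/32",  # RFC 1918 space
    "224.0.0.1/32", "0.0.0.0/0",           # multicast, default route
]

if __name__ == "__main__":
    print("into OSPF:", redistributed_into_ospf(SAMPLE_BGP_TABLE))
    print("from peer:", accepted_from_internet_peer(SAMPLE_BGP_TABLE))
```

Run against the sample table, only the two remote-site /24s survive the route-map, so neither the Internet prefixes nor the 192.168.0.0/16 aggregate reach OSPF. One detail worth noticing while reading the MARTIAN list this way: a default route (0.0.0.0/0) is not inside 0.0.0.0/8, so it is not caught by sequence 5 and is permitted by sequence 50; if accepting a default from the Internet peer is not intended, it needs its own deny entry.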

Edge-R29:
ip access-list standard SUBNET_10
10 permit 10.0.0.0 0.255.255.255
!
mpls label range 290000 299999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 080E5E4608172005151E02280608
mpls ldp session protection
mpls ldp router-id Loopback0
!
ip prefix-list REMOTE-SITE-SUBNETS seq 5 permit 192.168.3.0/24
ip prefix-list REMOTE-SITE-SUBNETS seq 10 permit 192.168.4.0/24
!
route-map REDIST-BGP-TO-OSPF permit 10
match ip address prefix-list REMOTE-SITE-SUBNETS
set metric 3000
!
router ospf 1000
router-id 10.255.255.29
ignore lsa mospf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 100 nssa
redistribute eigrp 10000
redistribute bgp 10000 route-map REDIST-BGP-TO-OSPF
passive-interface default
no passive-interface GigabitEthernet1
no passive-interface GigabitEthernet2
mpls ldp autoconfig
!

The other edge router can be configured in the same way:

Edge-R30:
ip cef load-sharing algorithm include-ports source destination
!
mpls label range 30000 39999
mpls label protocol ldp
mpls ldp password required
mpls ldp password option 1 for SUBNET_10 7 022916530A082A334B5B07352934
mpls ldp session protection
!
crypto isakmp policy 10000
encryption aes 256
hash sha256
authentication pre-share
group 24
crypto isakmp key nmaxi address 0.0.0.0
!
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PF
set transform-set DMVPN-TS
!
interface Loopback0
ip address 10.255.255.30 255.255.255.255
ip ospf 1000 area 100
!
interface Tunnel10000
ip address 192.168.255.30 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Orhan
ip nhrp network-id 2930
ip nhrp holdtime 60
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet6
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile DMVPN-PF
!
interface GigabitEthernet1
ip address 10.130.8.30 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 002B010E05552E1408344262253A
ip ospf network point-to-point
ip ospf 1000 area 100
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.130.7.30 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 06291D294D402C0B02021C272027
ip ospf network point-to-point
ip ospf 1000 area 100
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address 10.104.30.30 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
ip address 10.103.30.30 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet6
ip address 200.105.30.30 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 10000
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10000
no passive-interface
summary-address 10.0.0.0 255.0.0.0
summary-address 192.168.0.0 255.255.0.0
exit-af-interface
!
topology base
default-metric 10000 100 255 1 1500
exit-af-topology
network 192.168.255.0
exit-address-family
!
router ospf 1000
router-id 10.255.255.30
ignore lsa mospf
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
ttl-security all-interfaces
area 100 nssa
redistribute eigrp 10000
redistribute bgp 10000 route-map REDIST-BGP-TO-OSPF
passive-interface default
no passive-interface GigabitEthernet1
no passive-interface GigabitEthernet2
mpls ldp autoconfig
!
router bgp 10000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.103.30.103 remote-as 5000
neighbor 10.104.30.104 remote-as 5000
neighbor 10.255.255.29 remote-as 10000
neighbor 10.255.255.29 password 7 002B010E05552E1408344262253A
neighbor 10.255.255.29 update-source Loopback0
neighbor 10.255.255.31 remote-as 10000
neighbor 10.255.255.31 password 7 022916530A082A334B5B07352934
neighbor 10.255.255.31 update-source Loopback0
neighbor 10.255.255.32 remote-as 10000
neighbor 10.255.255.32 password 7 022916530A082A334B5B07352934
neighbor 10.255.255.32 update-source Loopback0
neighbor 200.105.30.105 remote-as 5000
neighbor 200.105.30.105 password 7 06291D294D402C0B02021C272027
!
address-family ipv4
network 192.168.0.0 mask 255.255.0.0
network 200.105.30.0
redistribute eigrp 10000
neighbor 10.103.30.103 activate
neighbor 10.104.30.104 activate
neighbor 10.255.255.29 activate
neighbor 10.255.255.29 send-community both
neighbor 10.255.255.29 next-hop-self
neighbor 10.255.255.31 activate
neighbor 10.255.255.31 send-community both
neighbor 10.255.255.31 next-hop-self
neighbor 10.255.255.32 activate
neighbor 10.255.255.32 send-community both
neighbor 10.255.255.32 next-hop-self
neighbor 200.105.30.105 activate
neighbor 200.105.30.105 send-community both
neighbor 200.105.30.105 prefix-list MARTIAN in
neighbor 200.105.30.105 prefix-list MARTIAN out
maximum-paths ibgp 2
exit-address-family
!
!
ip access-list standard SUBNET_10
10 permit 10.0.0.0 0.255.255.255
!
ip prefix-list MARTIAN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list MARTIAN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list MARTIAN seq 15 deny 172.16.0.0/12 le 32
ip prefix-list MARTIAN seq 20 deny 192.168.0.0/16 le 32
ip prefix-list MARTIAN seq 25 deny 127.0.0.0/8 le 32
ip prefix-list MARTIAN seq 30 deny 169.254.0.0/16 le 32
ip prefix-list MARTIAN seq 35 deny 192.0.2.0/24 le 32
ip prefix-list MARTIAN seq 40 deny 224.0.0.0/4 le 32
ip prefix-list MARTIAN seq 45 deny 240.0.0.0/4 le 32
ip prefix-list MARTIAN seq 50 permit 0.0.0.0/0 le 32
!
ip prefix-list REMOTE-SITE-SUBNETS seq 5 permit 192.168.3.0/24
ip prefix-list REMOTE-SITE-SUBNETS seq 10 permit 192.168.4.0/24
!
!
route-map REDIST-BGP-TO-OSPF permit 10
match ip address prefix-list REMOTE-SITE-SUBNETS
set metric 3000
!

Also, the Internet aggregation edge routers need to form iBGP sessions with these two edge routers:

Edge-R-31:
router bgp 10000
neighbor 10.255.255.29 remote-as 10000
neighbor 10.255.255.29 password 7 143800030D0A0F39233D3D190E30
neighbor 10.255.255.29 update-source Loopback0
neighbor 10.255.255.30 remote-as 10000
neighbor 10.255.255.30 password 7 013C140C5A05231D265940253526
neighbor 10.255.255.30 update-source Loopback0
!
address-family ipv4
neighbor 10.255.255.29 activate
neighbor 10.255.255.29 send-community both
neighbor 10.255.255.29 next-hop-self
neighbor 10.255.255.30 activate
neighbor 10.255.255.30 send-community both
neighbor 10.255.255.30 next-hop-self
exit-address-family

Edge-R-32:
router bgp 10000
neighbor 10.255.255.29 remote-as 10000
neighbor 10.255.255.29 password 7 1236171F130529162D3E2A041F16
neighbor 10.255.255.29 update-source Loopback0
neighbor 10.255.255.30 remote-as 10000
neighbor 10.255.255.30 password 7 153D190405240E362F263B0E3F24
neighbor 10.255.255.30 update-source Loopback0
!
address-family ipv4
neighbor 10.255.255.29 activate
neighbor 10.255.255.29 send-community both
neighbor 10.255.255.29 next-hop-self
neighbor 10.255.255.29 route-map TO-DMVPN-PEERS out
neighbor 10.255.255.30 activate
neighbor 10.255.255.30 next-hop-self
neighbor 10.255.255.30 route-map TO-DMVPN-PEERS out
exit-address-family

Verification:

Edge-R29(config)#do sh ip ospf ne
Neighbor ID Pri State Dead Time Address Interface
10.255.255.8 0 FULL/ - 00:00:33 10.129.8.8 GigabitEthernet2
10.255.255.7 0 FULL/ - 00:00:32 10.129.7.7 GigabitEthernet1
Edge-R29(config)#do sh bgp ipv4 uni summ | begin Neighbor
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.103.29.103 4 5000 49 57 42 0 0 00:36:40 12
10.104.29.104 4 5000 50 58 42 0 0 00:36:47 12
10.255.255.30 4 10000 59 60 42 0 0 00:36:36 34
10.255.255.31 4 10000 49 59 42 0 0 00:36:41 12
10.255.255.32 4 10000 49 60 42 0 0 00:36:36 12
200.105.29.105 4 5000 51 46 42 0 0 00:36:41 11

Edge-R30(config)#do sh ip ospf ne
Neighbor ID Pri State Dead Time Address Interface
10.255.255.7 0 FULL/ - 00:00:31 10.130.7.7 GigabitEthernet2
10.255.255.8 0 FULL/ - 00:00:31 10.130.8.8 GigabitEthernet1
Edge-R30(config)#do sh bgp ipv4 uni summ | begin Neighbor
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.103.30.103 4 5000 49 60 64 0 0 00:38:05 12
10.104.30.104 4 5000 49 59 64 0 0 00:38:04 12
10.255.255.29 4 10000 61 60 64 0 0 00:37:13 35
10.255.255.31 4 10000 50 60 64 0 0 00:38:01 12
10.255.255.32 4 10000 48 60 64 0 0 00:38:00 12
200.105.30.105 4 5000 49 47 64 0 0 00:37:59 11

Task-9:
• Configure Remote Site edge routers (eBGP as the PE-CE routing protocol for MPLS sites, static default route for DMVPN sites)
• iVRF should be configured on DMVPN Site 5; the second tunnel interface, with e0/2 as the tunnel source, should be a backup for the first (primary) tunnel interface
• DMVPN Site 1 FHRP should be GLBP.
• Configure Private VLANs according to the diagram in DMVPN Site 1

Solution:
We are not going to explain the DMVPN configuration steps here because they are discussed in depth in the VPN Technologies lab of this workbook.
Let's configure all remote-site edge routers other than DMVPN Site 5:

Remote-Site-1-Edge-R34:
hostname R-Site1-Edge-R34
!
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
!
no aaa new-model
clock timezone +0330 3 30
no ip domain lookup
ip domain name orhan.local
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto isakmp policy 10000
encr aes 256
hash sha256
authentication pre-share
group 24
crypto isakmp key orhan address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PF
set transform-set DMVPN-TS
!
interface Loopback0
ip address 10.255.255.34 255.255.255.255
!
interface Tunnel10000
ip address 192.168.255.34 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Orhan
ip nhrp network-id 34
ip nhrp holdtime 60
ip nhrp nhs 192.168.255.30 nbma 200.105.30.30 multicast
ip nhrp nhs 192.168.255.29 nbma 200.105.29.29 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile DMVPN-PF
!
interface Ethernet0/3
ip address 192.168.1.34 255.255.255.0
glbp 1 ip 192.168.1.254
glbp 1 authentication md5 key-string 7 104004181D1E
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 10000
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10000
no passive-interface
exit-af-interface
!
af-interface Ethernet0/1
no passive-interface
exit-af-interface
!
af-interface Ethernet0/3
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.255.255.34 0.0.0.0
network 192.168.1.0
network 192.168.34.0
network 192.168.255.0
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 201.106.34.106
!

Remote-Site-1-Edge-R33:
hostname R-Site1-Edge-R33
!
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
clock timezone +0330 3 30
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip domain name orhan.local
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto isakmp policy 10000
encr aes 256
hash sha256
authentication pre-share
group 24
crypto isakmp key nmaxi address 0.0.0.0
!
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PF
set transform-set DMVPN-TS
!
interface Loopback0
ip address 10.255.255.33 255.255.255.255
!
interface Tunnel10000
ip address 192.168.255.33 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Orhan
ip nhrp network-id 33
ip nhrp holdtime 60
ip nhrp nhs 192.168.255.30 nbma 200.105.30.30 multicast
ip nhrp nhs 192.168.255.29 nbma 200.105.29.29 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile DMVPN-PF
!
interface Ethernet0/0
ip address 201.105.33.33 255.255.255.0
!
interface Ethernet0/1
ip address 192.168.34.33 255.255.255.0
!
interface Ethernet0/2
ip address 192.168.1.33 255.255.255.0
glbp 1 ip 192.168.1.254
glbp 1 authentication md5 key-string 7 060802205447
!
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 10000
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10000
no passive-interface
exit-af-interface
!
af-interface Ethernet0/1
no passive-interface
exit-af-interface
!
af-interface Ethernet0/2
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.255.255.33 0.0.0.0
network 192.168.1.0
network 192.168.34.0
network 192.168.255.0
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 201.105.33.105
!

Remote-Site-2-Edge-R35:
hostname R-Site2-Edge-R35
!
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
!
no aaa new-model
clock timezone +0330 3 30
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip domain name nmaxi.local
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto isakmp policy 10000
encr aes 256
hash sha256
authentication pre-share
group 24
crypto isakmp key orhan address 0.0.0.0
!
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PF
set transform-set DMVPN-TS
!
interface Loopback0
ip address 10.255.255.35 255.255.255.255
!
interface Tunnel10000
ip address 192.168.255.35 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Orhan
ip nhrp network-id 35
ip nhrp holdtime 60
ip nhrp nhs 192.168.255.30 nbma 200.105.30.30 multicast
ip nhrp nhs 192.168.255.29 nbma 200.105.29.29 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 123456
tunnel protection ipsec profile DMVPN-PF
!
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 10000
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10000
no passive-interface
exit-af-interface
!
af-interface Ethernet0/0
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 10.255.255.35 0.0.0.0
network 192.168.2.0
network 192.168.255.0
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 201.106.35.106
!

Remote-Site-3-Edge-R36:
hostname R-Site3-Edge-R36
!
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
!
no aaa new-model
clock timezone +0330 3 30
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip domain name orhan.local
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
interface Loopback0
ip address 10.255.255.36 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.3.36 255.255.255.0
!
interface Ethernet0/1
ip address 10.107.36.36 255.255.255.0
!
interface Ethernet0/3
ip address 10.106.36.36 255.255.255.0
!
router bgp 10000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.106.36.106 remote-as 5000
neighbor 10.107.36.107 remote-as 5000
!
address-family ipv4
network 10.255.255.36 mask 255.255.255.255
network 192.168.3.0
neighbor 10.106.36.106 activate
neighbor 10.107.36.107 activate
exit-address-family
!

Remote-Site-4-Edge-R37:
hostname R-Site4-Edge-R37
!
enable secret 8 $8$qrvK7qOfUAK8cR$AyzNf8DV1Ifjl28oSLtuH4OLJpYdYsaRYbAvCytvXFw
!
no aaa new-model
clock timezone +0330 3 30
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip domain name orhan.local
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
username ccie secret 8 $8$BbZoIfDWgfpL.h$MOXoPRFZbiuVqm6Yae98rKkg.r.U81o1Wy.5hEzaStk
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
interface Loopback0
ip address 10.255.255.37 255.255.255.255
!
interface Ethernet0/0
ip address 10.103.37.37 255.255.255.0
!
interface Ethernet0/1
ip address 192.168.4.37 255.255.255.0
!
interface Ethernet0/2
ip address 10.104.37.37 255.255.255.0
!
router bgp 10000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.103.37.103 remote-as 5000
neighbor 10.104.37.104 remote-as 5000
!
address-family ipv4
network 10.255.255.37 mask 255.255.255.255
network 192.168.4.0
neighbor 10.103.37.103 activate
neighbor 10.104.37.104 activate
maximum-paths eibgp 2
exit-address-family
!

All remote sites are now configured (other than Site 5).

Let's discuss Site 5 and iVRF.
In this remote site we don't have any eBGP neighborship with the service provider, so edge router 38 can only use default routes in order to reach the public Internet.
We want to make one WAN link (e0/2) a backup for the primary one while its physical interface stays up. This is easily possible using iVRF.
Two VRFs can be configured, so we can have two default routes in separate VRFs, each pointing to a service provider edge router as its gateway.
Also, IKEv1 is configured on the DMVPN hubs; how can we make the ISAKMP policy VRF-aware? And how can we put the routes received over the two tunnels (via EIGRP) into the global routing table while using interfaces in two separate VRFs as the tunnel sources?
This means e0/1 is part of VRF WAN1 and e0/2 is part of VRF WAN2; the two tunnels we create are sourced from those two VRFs, but the DMVPN-learned routes (EIGRP-learned routes) are placed into the global routing table.

Remote-Site-5-Edge-R38:
vrf definition WAN1
!
address-family ipv4
exit-address-family
!
!
interface Ethernet0/1
vrf forwarding WAN1
ip address 201.107.38.38 255.255.255.0
!
ip route vrf WAN1 0.0.0.0 0.0.0.0 201.107.38.107
vrf definition WAN2
!
address-family ipv4
exit-address-family
!
!
interface Ethernet0/2
vrf forwarding WAN2
ip address 201.103.38.38 255.255.255.0
!
ip route vrf WAN2 0.0.0.0 0.0.0.0 201.103.38.103
crypto keyring WAN1 vrf WAN1
pre-shared-key address 0.0.0.0 0.0.0.0 key orhan
crypto keyring WAN2 vrf WAN2
pre-shared-key address 0.0.0.0 0.0.0.0 key orhan
crypto isakmp policy 10000
encr aes 256
hash sha256
authentication pre-share
group 24
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec profile DMVPN-PF
set transform-set DMVPN-TS
interface Tunnel10001
backup interface Tunnel10002
ip address 192.168.255.38 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Orhan
ip nhrp network-id 138
ip nhrp holdtime 60
ip nhrp nhs 192.168.255.30 nbma 200.105.30.30 multicast
ip nhrp nhs 192.168.255.29 nbma 200.105.29.29 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 123456
tunnel vrf WAN1
tunnel protection ipsec profile DMVPN-PF
!
interface Tunnel10002
ip address 192.168.255.38 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Orhan
ip nhrp network-id 238
ip nhrp holdtime 60
ip nhrp nhs 192.168.255.30 nbma 200.105.30.30 multicast
ip nhrp nhs 192.168.255.29 nbma 200.105.29.29 multicast
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source Ethernet0/2
tunnel mode gre multipoint
tunnel key 123456
tunnel vrf WAN2
tunnel protection ipsec profile DMVPN-PF
!
router eigrp DMVPN
!
address-family ipv4 unicast autonomous-system 10000
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel10001
no passive-interface
exit-af-interface
!
af-interface Tunnel10002
no passive-interface
exit-af-interface
!
topology base
redistribute rip metric 10000 1000 255 1 1500
exit-af-topology
network 10.255.255.38 0.0.0.0
network 192.168.255.0
exit-address-family
!
interface Ethernet0/0
ip address 192.168.5.38 255.255.255.0
!

Verification:
Edge-R29(config)#do sh ip eigrp ne
EIGRP-IPv4 VR(DMVPN) Address-Family Neighbors for AS(10000)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
3 192.168.255.38 Tu10000 12 01:38:54 13 1476 0 4
2 192.168.255.33 Tu10000 10 01:38:57 37 1362 0 17
1 192.168.255.34 Tu10000 13 01:38:58 15 1362 0 16
0 192.168.255.35 Tu10000 10 01:39:00 32 1398 0 3

Edge-R30(config)#do sh ip eigrp ne
EIGRP-IPv4 VR(DMVPN) Address-Family Neighbors for AS(10000)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
3 192.168.255.38 Tu10000 10 01:39:06 74 1398 0 5
2 192.168.255.33 Tu10000 12 01:39:09 43 1398 0 17
1 192.168.255.34 Tu10000 11 01:39:09 26 1362 0 16
0 192.168.255.35 Tu10000 12 01:39:12 31 1362 0 5

R-Site1-Edge-R33#show ip eigrp neighbors
EIGRP-IPv4 VR(DMVPN) Address-Family Neighbors for AS(10000)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
3 192.168.1.34 Et0/2 14 00:51:06 5 100 0 15
2 192.168.255.30 Tu10000 11 01:40:00 1078 5000 0 11
1 192.168.255.29 Tu10000 14 01:40:03 12 1398 0 8
0 192.168.34.34 Et0/1 14 01:45:24 419 2514 0 17

R-Site1-Edge-R34#show ip eigrp neighbors
EIGRP-IPv4 VR(DMVPN) Address-Family Neighbors for AS(10000)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
3 192.168.1.33 Et0/3 13 00:51:30 2 100 0 19
2 192.168.255.30 Tu10000 14 01:40:27 20 1398 0 5
1 192.168.255.29 Tu10000 12 01:40:27 19 1398 0 6
0 192.168.34.33 Et0/1 12 01:45:48 2 100 0 18

R-Site5-Edge-R38(config)#do sh ip eigrp neighbors
EIGRP-IPv4 VR(DMVPN) Address-Family Neighbors for AS(10000)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 192.168.255.30 Tu10001 12 01:41:03 22 1362 0 9
0 192.168.255.29 Tu10001 10 01:41:03 9 1362 0 11
R-Site5-Edge-R38(config)#do sh ip route eigrp | begin Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.0.0.0/8 [90/102400640] via 192.168.255.30, 01:41:08, Tunnel10001
[90/102400640] via 192.168.255.29, 01:41:08, Tunnel10001
D 192.168.0.0/16 [90/102400000] via 192.168.255.30, 01:41:08, Tunnel10001
[90/102400000] via 192.168.255.29, 01:41:08, Tunnel10001
R-Site5-Edge-R38(config)#int e0/1
R-Site5-Edge-R38(config-if)#shutdown
R-Site5-Edge-R38(config-if)#
*Aug 4 21:38:08.448: %LINK-5-CHANGED: Interface Ethernet0/1, changed state to administratively down
*Aug 4 21:38:09.449: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down
R-Site5-Edge-R38(config-if)#
*Aug 4 21:38:12.369: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10001, changed state to down
*Aug 4 21:38:12.370: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10000: Neighbor 192.168.255.30 (Tunnel10001) is down: interface down
*Aug 4 21:38:12.372: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10000: Neighbor 192.168.255.29 (Tunnel10001) is down: interface down
*Aug 4 21:38:13.382: %NHRP-3-PAKREPLY: Receive Registration Reply packet with error - unique address registered already(14)
R-Site5-Edge-R38(config-if)#
*Aug 4 21:38:14.378: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10002, changed state to up
R-Site5-Edge-R38(config-if)#
*Aug 4 21:38:14.378: %LINK-3-UPDOWN: Interface Tunnel10002, changed state to up
R-Site5-Edge-R38(config-if)#
*Aug 4 21:38:34.382: %NHRP-3-PAKREPLY: Receive Registration Reply packet with error - unique address registered already(14)
R-Site5-Edge-R38(config-if)#
*Aug 4 21:38:54.391: %NHRP-3-PAKREPLY: Receive Registration Reply packet with error - unique address registered already(14)
R-Site5-Edge-R38(config-if)#
*Aug 4 21:39:18.235: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10000: Neighbor 192.168.255.29 (Tunnel10002) is up: new adjacency
*Aug 4 21:39:18.933: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10000: Neighbor 192.168.255.30 (Tunnel10002) is up: new adjacency
R-Site5-Edge-R38(config-if)#do sh ip route eigrp | begin Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.0.0.0/8 [90/102400640] via 192.168.255.30, 00:00:08, Tunnel10002
[90/102400640] via 192.168.255.29, 00:00:08, Tunnel10002
D 192.168.0.0/16 [90/102400000] via 192.168.255.30, 00:00:08, Tunnel10002
[90/102400000] via 192.168.255.29, 00:00:08, Tunnel10002
R-Site5-Edge-R38(config-if)#do sh ip eigrp neighbors
EIGRP-IPv4 VR(DMVPN) Address-Family Neighbors for AS(10000)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 192.168.255.30 Tu10002 11 00:00:14 16 1362 0 16
0 192.168.255.29 Tu10002 14 00:00:15 23 1362 0 15

R-Site5-Edge-R38(config)#do ping 10.255.255.9 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.9, timeout is 2 seconds:
Packet sent with a source address of 10.255.255.38
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/20 ms

R-Site5-Edge-R38(config)#do trace 10.255.255.9 source lo 0
Type escape sequence to abort.
Tracing the route to 10.255.255.9
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.255.29 10 msec
192.168.255.30 7 msec
192.168.255.29 7 msec
2 10.130.8.8 [MPLS: Label 80007 Exp 0] 10 msec
10.129.7.7 [MPLS: Label 70007 Exp 0] 10 msec
10.130.8.8 [MPLS: Label 80007 Exp 0] 8 msec
3 10.0.83.3 [MPLS: Label 30009 Exp 0] 9 msec 6 msec 8 msec
4 10.0.31.1 [MPLS: Label 10011 Exp 0] 8 msec 8 msec
10.0.32.2 [MPLS: Label 20011 Exp 0] 8 msec
5 10.0.91.9 9 msec * 9 msec
R-Site5-Edge-R38(config)#do trace 10.255.255.36 source lo 0
Type escape sequence to abort.
Tracing the route to 10.255.255.36
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.255.30 11 msec
192.168.255.29 9 msec
192.168.255.30 7 msec
2 10.103.29.103 9 msec
10.103.30.103 8 msec
10.103.29.103 8 msec
3 10.103.101.101 [MPLS: Labels 10004/60007 Exp 0] 10 msec 9 msec
10.103.102.102 [MPLS: Labels 20004/60007 Exp 0] 8 msec
4 10.106.36.106 [MPLS: Label 60007 Exp 0] 9 msec 9 msec 8 msec
5 10.106.36.36 9 msec 10 msec 9 msec

R-Site5-Edge-R38(config)#do trace 10.255.255.35 source lo 0


Type escape sequence to abort.
Tracing the route to 10.255.255.35
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.255.29 16 msec
192.168.255.30 9 msec
192.168.255.29 6 msec
2 192.168.255.35 9 msec 8 msec 7 msec
R-Site5-Edge-R38(config)#do trace 10.255.255.35 source lo 0
Type escape sequence to abort.
Tracing the route to 10.255.255.35
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.255.35 8 msec 6 msec 7 msec

Everything works fine.


Now, let’s configure Private VLANs on DMVPN Site 1:
Using Private VLANs we can divide one VLAN (the Primary) into sub-VLANs (Secondary VLANs).
There are two types of secondary VLAN: Isolated and Community.
The primary VLAN acts as the parent of the secondary ones.
Hosts in both Isolated and Community VLANs can reach the nodes that are part of the primary VLAN (attached to its promiscuous ports).
For example, in our topology Primary VLAN 95 is the parent, so VLAN 16 and VLAN 15 are sub-VLANs of VLAN 95.
Ports that are part of Community VLAN 16 can talk to each other (they are in the same broadcast domain) and to Primary VLAN 95.
Ports that are part of Isolated VLAN 15 can only talk to Primary VLAN 95.


Site1-SW:
vlan 15
 private-vlan isolated
vlan 16
 private-vlan community
vlan 95
 private-vlan primary
 private-vlan association 15-16
!
interface Ethernet0/0
 switchport private-vlan host-association 95 16
 switchport mode private-vlan host
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface Ethernet0/1
 switchport private-vlan host-association 95 15
 switchport mode private-vlan host
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface Ethernet0/2
 switchport private-vlan mapping 95 15-16
 switchport mode private-vlan promiscuous
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface Ethernet0/3
 switchport private-vlan mapping 95 15-16
 switchport mode private-vlan promiscuous
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface Ethernet1/0
 switchport private-vlan host-association 95 15
 switchport mode private-vlan host
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface Ethernet1/1
 switchport private-vlan host-association 95 15
 switchport mode private-vlan host
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface Ethernet1/2
 switchport private-vlan host-association 95 16
 switchport mode private-vlan host
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!

Verification:

Site1-SW#show vlan private type

Vlan Type
---- -----------------
15   isolated
16   community
95   primary

Site1-SW#show vlan private

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
95      15        isolated          Et0/1, Et0/2, Et0/3, Et1/0, Et1/1
95      16        community         Et0/0, Et0/2, Et0/3, Et1/2

PC87#ping 192.168.1.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.1.255, timeout is 2 seconds:

Reply to request 0 from 192.168.1.34, 2 ms
Reply to request 0 from 192.168.1.33, 3 ms
PC84#ping 192.168.1.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.1.255, timeout is 2 seconds:

Reply to request 0 from 192.168.1.34, 2 ms
Reply to request 0 from 192.168.1.33, 2 ms


PC85#ping 192.168.1.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.1.255, timeout is 2 seconds:

Reply to request 0 from 192.168.1.34, 2 ms
Reply to request 0 from 192.168.1.86, 2 ms
Reply to request 0 from 192.168.1.33, 2 ms

PC85#trace 10.255.255.9
Type escape sequence to abort.
Tracing the route to 10.255.255.9
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.33 1 msec 1 msec 1 msec
  2 192.168.255.29 15 msec
    192.168.255.30 3 msec 2 msec
  3 10.130.7.7 [MPLS: Label 70007 Exp 0] 7 msec 4 msec 4 msec
  4 10.0.74.4 [MPLS: Label 40009 Exp 0] 4 msec 6 msec 4 msec
  5 10.0.41.1 [MPLS: Label 10011 Exp 0] 5 msec 4 msec
    10.0.31.1 [MPLS: Label 10011 Exp 0] 4 msec
  6 10.0.91.9 5 msec * 24 msec
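The broadcast pings above are the empirical check of the Private VLAN rules: the isolated hosts (PC87, PC84) only hear the two gateways behind the promiscuous ports, while the community host PC85 also hears its community peer 192.168.1.86. The following Python script is an added example, not part of the lab book and not a Cisco tool; it parses a copy of the Site1-SW configuration from the text (spanning-tree lines dropped, since they do not affect PVLAN forwarding) and computes which port pairs can exchange frames, so the same check can be run against a configuration before it is deployed. The parser only understands the `vlan`, `private-vlan`, `switchport private-vlan` and `switchport mode private-vlan` commands seen here; that scope is an assumption of the example.

```python
"""Private VLAN reachability from an IOS-style configuration.

Added example (not from the lab book). Applies the rules the text describes:
  - a host port in an isolated secondary VLAN reaches only promiscuous ports;
  - host ports in the same community VLAN reach each other and promiscuous ports;
  - a promiscuous port reaches every port in the secondary VLANs mapped to it.
"""
import re
from itertools import combinations

# Constructed copy of the Site1-SW configuration shown in the text
# (spanning-tree lines omitted; they do not change PVLAN forwarding).
SITE1_SW_CONFIG = """\
vlan 15
 private-vlan isolated
vlan 16
 private-vlan community
vlan 95
 private-vlan primary
 private-vlan association 15-16
!
interface Ethernet0/0
 switchport private-vlan host-association 95 16
 switchport mode private-vlan host
!
interface Ethernet0/1
 switchport private-vlan host-association 95 15
 switchport mode private-vlan host
!
interface Ethernet0/2
 switchport private-vlan mapping 95 15-16
 switchport mode private-vlan promiscuous
!
interface Ethernet1/0
 switchport private-vlan host-association 95 15
 switchport mode private-vlan host
!
interface Ethernet1/2
 switchport private-vlan host-association 95 16
 switchport mode private-vlan host
"""


def expand_range(spec):
    """'15-16,20' -> {15, 16, 20} (IOS VLAN list syntax)."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def parse_pvlan(config):
    """Return (vlan_types, ports): vlan id -> type, port -> mode/primary/secondary set."""
    vlan_types, ports = {}, {}
    section = None  # ("vlan", id) or ("intf", name)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vlan "):
            section = ("vlan", int(line.split()[1]))
        elif line.startswith("interface "):
            section = ("intf", line.split()[1])
            ports[section[1]] = {"mode": None, "primary": None, "secondary": set()}
        elif section and section[0] == "vlan" and line.startswith("private-vlan ") \
                and "association" not in line:
            vlan_types[section[1]] = line.split()[1]  # isolated / community / primary
        elif section and section[0] == "intf":
            m = re.match(r"switchport private-vlan (host-association|mapping) (\d+) (\S+)", line)
            if m:
                ports[section[1]]["primary"] = int(m.group(2))
                ports[section[1]]["secondary"] = expand_range(m.group(3))
            elif line.startswith("switchport mode private-vlan "):
                ports[section[1]]["mode"] = line.split()[-1]  # host / promiscuous
    return vlan_types, ports


def can_talk(vlan_types, ports, a, b):
    """True if ports a and b share a forwarding path under the PVLAN rules (symmetric)."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False
    if pa["mode"] == "promiscuous" and pb["mode"] == "promiscuous":
        return True
    if pa["mode"] == "promiscuous":
        return bool(pa["secondary"] & pb["secondary"])
    if pb["mode"] == "promiscuous":
        return bool(pb["secondary"] & pa["secondary"])
    # Two host ports: only a shared *community* VLAN connects them; isolated never does.
    shared = pa["secondary"] & pb["secondary"]
    return any(vlan_types.get(v) == "community" for v in shared)


def reachability(config):
    """{(port_a, port_b): allowed} for every unordered port pair in the config."""
    vlan_types, ports = parse_pvlan(config)
    return {(a, b): can_talk(vlan_types, ports, a, b)
            for a, b in combinations(sorted(ports), 2)}


if __name__ == "__main__":
    for (a, b), ok in reachability(SITE1_SW_CONFIG).items():
        print(f"{a:<14} <-> {b:<14} {'allowed' if ok else 'blocked'}")
```

The two isolated ports Ethernet0/1 and Ethernet1/0 come out blocked from each other even though both carry VLAN 15, and the community ports Ethernet0/0 and Ethernet1/2 come out allowed, matching the extra reply PC85 received.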


Task-10:
• Enable Device Admin service on ISE
• Configure AAA on Edge-R-31
• VTY lines should be configured in a way that users get Authenticated, Authorized and Accounted
Solution:
By enabling the Device Admin service on Cisco ISE, the TACACS+ service is enabled. Using a TACACS+ server we can authenticate users, authorize them (check whether they are allowed to enter particular commands) and also account for their activity.

The basic configuration steps are very straightforward.

We are going to create two users and give one of them full command execution access, and the other one access to show commands only:


Now the ISE Device Administration configuration is done.

Next, we configure AAA on the edge router:


Edge-R-31:
aaa new-model
tacacs server ISE1
 address ipv4 10.50.50.98
 key Test123
aaa group server tacacs+ ISE_SERVERS
 server name ISE1
aaa authentication login AAA group ISE_SERVERS local
aaa authentication enable default group ISE_SERVERS enable
aaa authorization exec AAA group ISE_SERVERS local
aaa authorization commands 0 AAA group ISE_SERVERS local
aaa authorization commands 1 AAA group ISE_SERVERS local
aaa authorization commands 15 AAA group ISE_SERVERS local
aaa authorization config-commands
line vty 0 4
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 authorization exec AAA
 login authentication AAA
 transport input ssh
!
ip tacacs source-interface loopback 0
!

Verification:

Agg-SW-14#ssh -l orhan 10.255.255.31
Password:
Edge-R-31#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Edge-R-31(config)#int e2/3
Edge-R-31(config-if)#shutdown
Edge-R-31(config-if)#end
Edge-R-31#exit

[Connection to 10.255.255.31 closed by foreign host]

Agg-SW-14#ssh -l navid 10.255.255.31
Password:
Edge-R-31#conf t
Command authorization failed.

Edge-R-31#show ip int br | ex unas
Interface      IP-Address       OK? Method Status   Protocol
Ethernet0/0    10.200.12.31     YES NVRAM  up       up
Ethernet0/2    10.201.80.31     YES NVRAM  up       up
Ethernet0/3    10.201.90.31     YES NVRAM  up       up
Ethernet2/0    200.106.31.31    YES NVRAM  up       up
Ethernet2/1    200.105.31.31    YES NVRAM  up       up
Loopback0      10.255.255.31    YES NVRAM  up       up
NVI0           10.200.12.31     YES unset  up       up
