Tuesday, 5 October 2010

Disjointed Area 0 MPLS



The purpose is:
- Make R1 use MPLS to reach area 2 (R3 included)
- Make R3 use the backdoor link to reach area 2, and backdoor + MPLS to reach area 1
- Serial interfaces are unnumbered.

The clue:
- Area 0 needs to be extended via a virtual link to PE4, otherwise the summary LSAs from area 0 are rejected
- A virtual link between R3 and PE5 cannot be established, because the interface is unnumbered
- Without this second virtual link, R3 would prefer R2 to reach R1-R2-R4: the summary of area 1 received via R6 is a summary from a non-backbone area, and since R3 is connected to the backbone it must ignore it. The summary of area 1 received from the backbone is valid and is installed on R3
- We need the summary received from PE5 to also come from the backbone: we use a GRE tunnel between PE5 and R3 to extend area 0 there as well
- Then we create a sham-link between both PEs, so that routes from area 0 appear as intra-area and are preferred
- Finally, the serial interface between R2 and R3 should be configured with a low bandwidth so that the tunnel becomes the preferred path

Some tips:
- To prevent recursive routing through the GRE tunnel, the tunnel source and destination should be in area 2, since the tunnel itself is in area 0: this guarantees the source and destination are preferred outside the tunnel, where they appear as intra-area routes
- On R3, use a physical link as the GRE source so that if the backdoor link goes down, the tunnel also goes down

Monday, 4 October 2010

IP SLA

Some notes regarding SLA:


On the responder side:

ip sla responder

A control message from the sender side automatically asks the responder to activate the requested responders (UDP ports, TCP ports, ...).
If control is disabled, a permanent responder can be configured by specifying the UDP or TCP ports.


On the sender side:

Configuration of the monitoring with ip sla for udp-echo, tcp-connect, jitter, ...
Scheduling of the task
Configuration of the alarms: they are based on syslog, so for SNMP traps it is necessary to enable traps for syslog messages:

ip sla reaction-configuration ...
ip sla logging traps
snmp-server enable traps syslog
snmp-server host

Optionally, if the reaction type is also of trigger type, you can fire up another SLA when a certain threshold is crossed.

MPPPoFR + LFI

Principle
- A dual FIFO is created on the physical interface to interleave priority packets with fragmented packets

Prerequisites:
- Needs a service-policy with LLQ
- Needs FRTS on the serial interface
- Configure a virtual-template with ppp multilink interleave and ppp multilink fragment
- Optionally, ppp multilink multiclass should be activated if there are multiple links

To know:
- The configured delay is used by IOS to calculate the fragment size (in this case 128/8 = 16kb)
- The serialization delay is calculated according to the physical link speed (in this case 16/2000 = 8ms)
- In the multilink case, multiclass is needed to force priority packets to also carry the MPPP header and be reordered

interface Virtual-Template1
bandwidth 128
ip unnumbered Loopback1
ppp multilink
ppp multilink interleave
ppp multilink fragment delay 125
service-policy output QOS

interface Serial0/0
no ip address
encapsulation frame-relay
no keepalive
clock rate 2000000
frame-relay traffic-shaping
frame-relay interface-dlci 102 ppp Virtual-Template1

sh ppp multi

With a single link:

Virtual-Access3
Bundle name: Router
Remote Endpoint Discriminator: [1] Router
Local Endpoint Discriminator: [1] Router
Bundle up for 00:34:33, total bandwidth 256, load 3/255
Receive buffer limit 24384 bytes, frag timeout 1000 ms
Interleaving enabled
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0x6C8 received sequence, 0x891E sent sequence
Member links: 1 (max not set, min not set)
Vi1, since 00:34:33, 2048 weight, 1496 frag size
No inactive multilink interfaces


Router(config-if)#do sh int s0/0
Serial0/0 is up, line protocol is up
Hardware is GT96K Serial
MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY, loopback not set
Keepalive not set
CRC checking enabled
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
Last input 04:04:29, output 00:00:04, output hang never
Last clearing of "show interface" counters 04:04:27
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: dual fifo
Output queue: high size/max/dropped 0/256/0




With multilink multiclass:

interface Serial0/0
no ip address
encapsulation frame-relay
no keepalive
clock rate 2000000
frame-relay traffic-shaping
frame-relay interface-dlci 102 ppp Virtual-Template1
frame-relay interface-dlci 103 ppp Virtual-Template1
no shut


interface multilink1
ppp multi multiclass
band 128
ip unnumbered Loopback1
ppp multilink interleave
ppp multilink fragment delay 125
service-policy output QOS

int virtual-template 1
ppp multilink group 1

Virtual-Access4
Bundle name: Router
Remote Endpoint Discriminator: [1] Router
Local Endpoint Discriminator: [1] Router
Bundle up for 00:02:59, total bandwidth 256, load 1/255, 2 receive classes, 2 transmit classes
Receive buffer limit 24384 bytes per class, frag timeout 1000 ms
Interleaving enabled
Receive Class 0:
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0x40 received sequence
Receive Class 1:
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0xBBB received sequence
Transmit Class 0:
0x37 sent sequence
Transmit Class 1:
0x6D sent sequence
Member links: 2 (max not set, min not set)
Vi1, since 00:03:01, 2048 weight, 1496 frag size
Vi3, since 00:03:00, 2048 weight, 1496 frag size
No inactive multilink interfaces



http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_frque_frag_if_ps6350_TSD_Products_Configuration_Guide_Chapter.html

http://blog.ine.com/2008/01/26/ppp-multilink-interleaving-over-frame-relay/

Monday, 20 September 2010

IPEXPERT Vol3 Lab 10

Troubleshooting

Ticket 4: VRF leaking

The purpose was to interconnect 2 OSPF area 0s through another router that shouldn't be aware of those routes, without GRE.
The solution is VRF. I used one VRF on the middle router, put the interfaces interconnecting the domains in the VRF, and an OSPF process. The routes then appeared as intra-area whereas it was asked to be inter-area. The solution for it:

- 1 VRF per domain
- 1 OSPF process per domain, redistributing BGP
- VRF leaking between both VRFs with import/export route-targets
- Redistribution of BGP<->OSPF in each VRF


Configuration
Task 2.5

Use of the community local-as: used in a confederation, it permits advertising only inside the local AS, and neither to eBGP peers nor to eBGP peers inside the confederation.

Task 5.1

AAA authentication.
Usually, the list of authentication methods is used in order: if the first fails, the second is used. "Fails" means no answer, not an authentication failure due to a missing user or a wrong password.
It seems there is an exception with local. If local is put first, it is tried first; if the password is wrong, the process stops. But if the user doesn't exist in the local database, it goes on to the next method:

username ccie password ipexpert
aaa authentication login default local group radius

This will authenticate ccie locally, and use RADIUS for other users.
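To make the fall-through rule explicit, here is a small model of the method-list evaluation described above. This is an added example, not code from the original post or from IOS; it assumes exactly the behaviour the note describes (a method is skipped only when it returns an error, a rejected password stops the list) and uses constructed sample user databases. The `Result` values, the `local` / `make_radius` functions and the `authenticate` walker are all hypothetical names chosen for this illustration.

```python
"""Model of an IOS-style AAA method list (added example, not IOS code).

Assumption taken from the note above: a method is skipped only when it
returns ERROR (no answer from the server, or user unknown to the local
database); a FAIL (known user, wrong password) ends the process at once.
"""
from enum import Enum
import hmac


class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected
    ERROR = "error"  # method could not decide: try the next one


# Constructed sample data: a local user (as in "username ccie password
# ipexpert") and a user known only to the RADIUS server.
LOCAL_USERS = {"ccie": "ipexpert"}
RADIUS_USERS = {"alice": "wonderland"}


def local(user, password):
    """Local database: unknown user -> ERROR (fall through),
    known user with wrong password -> FAIL (stop)."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    ok = hmac.compare_digest(LOCAL_USERS[user], password)
    return Result.PASS if ok else Result.FAIL


def make_radius(reachable=True):
    """Build a RADIUS method; an unreachable server answers ERROR."""
    def radius(user, password):
        if not reachable:
            return Result.ERROR  # timeout: the next method is tried
        ok = hmac.compare_digest(RADIUS_USERS.get(user, ""), password)
        return Result.PASS if ok else Result.FAIL
    return radius


def authenticate(method_list, user, password):
    """Walk the list in order; return (final result, method that decided).
    If every method errors, nothing decided and the login is not granted."""
    for name, method in method_list:
        res = method(user, password)
        if res is not Result.ERROR:
            return res, name
    return Result.ERROR, None


# Equivalent of "aaa authentication login default local group radius"
DEFAULT_LIST = [("local", local), ("radius", make_radius())]

if __name__ == "__main__":
    for u, p in [("ccie", "ipexpert"), ("ccie", "wrong"),
                 ("alice", "wonderland"), ("alice", "wrong")]:
        print(u, p, "->", authenticate(DEFAULT_LIST, u, p))
```

The two cases worth noticing are "ccie / wrong", which stops at local and is never sent to RADIUS, and "alice / wonderland", which is unknown locally and therefore reaches RADIUS; a RADIUS outage only affects users that local cannot decide on.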

Monday, 13 September 2010

IPExpert V3 Lab9

1.1 VTP pruning in transparent mode

A sh vtp status output shows transparent mode with VTP pruning enabled.
You need to configure pruning in server mode, then switch to transparent. Be careful if extended VLANs are configured!

1.2 Load Balancing method over etherchannel

By default, source MAC.
The question was about making sure one host will not saturate one link. Load balancing on source and destination IP was the key (or on the MAC).

1.4 Layer 2 protection Task

The task asked about making part of the topology unknown to the CE routers. It should be implemented in 2 manners:
- 2 devices should interconnect on 1 VLAN that should not be propagated on the network -> QinQ.
A new VLAN is attributed to encapsulate the forbidden network on the trunk links.
- R4 should be connected to Cat4 on VLAN X; there is a switch between R4 & Cat4, and that switch should not know VLAN X. Easy, just with access ports:

R4 vlanX ------- vlan Y Cat vlanY ------ vlanX Cat4

1.7 Load-Sharing

By default, equal-cost IP load-balancing is done by CEF on a per-destination basis.
It can be configured per-packet:

int C
ip load-sharing per-packet

2.7 BGP redistribution as-path

When redistributing local routes, if you want them to appear as coming from an AS:

set origin egp <as-number>

3.3 L2VPN AToM

The purpose was L2VPN over MPLS.
- Use xconnect with encapsulation mpls. The destination is the remote PE device, and the circuit is identified by an identical id on both sides.
- Needs LDP
- Can be done under subinterfaces

4.0 Multicast VPN

Steps for multicast VPN:
- Configure the provider network with PIM
- If PIM-SSM is used, the address-family mdt should be activated between PEs to share the PE sources of the MDT tunnels
- Configure multicast for each VRF: activate it, and choose a unique MDT group address for each multicast domain
- Activate PIM on the client-side interface of the PE
- Configure the multicast domain on the client side as usual

The provider network is seen as a LAN.

5.0 Parser view

- enable secret
- aaa new-model
- Go into the root view with enable view
- Configure authentication login and authorization exec
- Configure the view:
parser view XXX
commands exec include ping

6.3 VRF Aware NAT

Performing NAT between a VRF and the global outside table is pretty much the same as normal NAT, except:
- ip nat inside source ... should use the vrf keyword, specifying that the VRF is inside
- A route leak should be configured from the VRF to the global routing table

ip route vrf VPNA 0.0.0.0 0.0.0.0 10.0.0.1 global

This tells the VRF that to go out it should use 10.0.0.1, which is in the global RIB.

Wednesday, 8 September 2010

IPExpert V2 Lab20

1.2 IRB

The IP is the same on both VLANs -> consider IRB.
Don't forget to activate both commands to make the BVI come up:

bridge 1 protocol ieee
bridge 1 route ip

3.4 Default-Route in NSSA

NSSA -> the default route is a Type 7, with area 40 nssa default-information-originate
Totally NSSA -> the default route is a Type 3

In the first case the metric can be defined by adding the metric keyword after default-information-originate.
In the second case the metric used is the configured default-cost for stub/NSSA defaults: 1.
It can be changed with:

area 40 default-cost X


6.2 Redistribution

The task was to redistribute all loopbacks into the relevant protocols. As redistribution is not transitive, we have to redistribute the loopbacks into all the protocols used on a given router.

Don't forget that when a route-map is used on redistribute connected to only redistribute loopbacks, it prevents any connected interface enabled for protocol A from being redistributed into protocol B. The route-map should be modified to also accept this interface.

7.3 BGP AS filtering

AS50 permits only directly connected customers of 102 to transit:
Understood as: AS102 can use AS50 as transit, and other routes learned from 102 can be learned but must not use AS50 as transit. Match all routes other than those coming from 102 and tag them no-export.

The proctor solution was to accept 102, or 102 + 1 AS, and filter all the others. The regexp to match 102 + the ASes directly connected to 102:

^102(_[0-9]+)?$
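Checking the regexp offline is a good habit before putting it in a route-map, because IOS's `_` is not a standard regex character: it matches a space, a comma, an AS_SET brace, or the beginning or end of the path. The following is an added example, not from the original post: it translates the IOS shorthand into a Python regex and runs the proctor's pattern, plus a looser `^102_` for comparison, over a few constructed AS paths written as show ip bgp prints them. The function names are hypothetical.

```python
"""Evaluate IOS-style AS-path regexps offline (added example, not IOS code).

Assumption: IOS's '_' matches a space, a comma, an AS_SET brace '{' or '}',
or the beginning/end of the AS path; everything else is ordinary regex, and
an IOS as-path match is a search, not a full-string match, unless anchored.
"""
import re

# Constructed sample AS paths, as displayed by "show ip bgp":
#   ""                 locally originated route
#   "102"              originated by AS102 itself
#   "102 65001"        a direct customer of 102 (should transit)
#   "102 65001 65002"  a customer's customer (should NOT transit)
#   "65001 102"        102 is not the neighbour, 65001 is
#   "1020"             a different AS that merely starts with 102
SAMPLE_PATHS = ["", "102", "102 65001", "102 65001 65002", "65001 102", "1020"]


def ios_aspath_to_python(pattern):
    """Expand the IOS '_' shorthand into an equivalent Python alternation."""
    return pattern.replace("_", r"(?:^|$|[ ,{}])")


def matches_aspath(pattern, as_path):
    """True when the IOS-style pattern matches the displayed AS path."""
    return re.search(ios_aspath_to_python(pattern), as_path) is not None


def permitted_paths(pattern, paths=SAMPLE_PATHS):
    """Return the sample paths an as-path access-list with this pattern
    would permit (routes allowed to use AS50 as transit)."""
    return [p for p in paths if matches_aspath(pattern, p)]


if __name__ == "__main__":
    for pat in ["^102(_[0-9]+)?$", "^102_"]:
        print(pat, "->", permitted_paths(pat))
```

The comparison shows why the `?$` part matters: `^102_` alone would also let "102 65001 65002" through, giving AS50 transit for customers of customers, which is exactly what the task forbids.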

8.4 PBR + Tunnel

The task asks for certain traffic between 2 BBs to transit transparently:

- Create a GRE tunnel between the ingress and egress routers
- Match the traffic
- PBR it to the tunnel interface

9.2 Modifying COS to DSCP value.

The default values are found on the DocCD:

mls qos map cos-dscp ....

11.2 Prevent telnet access to R2 except from R6, with no configuration on R2

I configured ACLs on the neighbor routers.
The solution guide configured a VLAN ACL, which is wrong as R2 has 2 serials.
Anyway, a VACL is a good way to think of it in other cases.

Monday, 6 September 2010

IPExpert V2 Lab18

5.3 EIGRP Timer

The task was to make EIGRP detect a neighbor going down in half the default time.
That means a hold-time of 7.5 s, but don't forget to change the hello time as well, because the default of 5 s can cause instability.

Important: in EIGRP, the hold-time can be different on each side, because what we configure on R1, for example, means "Hello, I'm R1; if you don't hear from me in X seconds, I'm dead".

In OSPF the timers must be the same, and changing the hello will automatically change the dead time to 4x.


6.1 OSPF Loopback

Bonehead error: forgot about what the guidelines asked, "the prefix should appear in the RIB with the original mask". I dumbly advertised the loopback as a /32:
- change the ip ospf network type of lo0
- redistribute connected
- put lo0 in another area and summarize to the regular mask

7.3 BGP Prefix length route filtering

The task was about filtering all prefixes with a /24 or longer mask.
I've done the longer ones but let the /24 itself go. As all routes were /24, I missed the point: find a way to summarize to /23 to let them enter!!

8.1 Time to wait before timing out an outbound telnet session

Play with the SYN timeout:

ip tcp synwait-time 5

8.2 default NTP stratum

It is 8, not 16. So 2 less than the default is 6. Stupid error.

10.2 Policing on subinterface

MQC policing on a subinterface is permitted. The other way, chosen by the design guide, is to apply it on the main interface and match the subinterface VLAN.

A simple reminder: it's the queueing techniques that are not allowed on subinterfaces (LLQ and CBWFQ). To make this work you need to apply shaping in the default class and nest an LLQ or CBWFQ policy-map under it.

11.3 Rate-limit Mcast

I configured it with MQC. One can also use ip multicast rate-limit.