CCIE's way

Inter-AS MPLS VPN 2

showbay@vip.qq.com(admin) — Wed,24 Feb 2010 10:15:11 +0800

在《10210030002 Inter-AS MPLS VPN》中我已经写过了关于Inter-AS MPLS VPN的知识，但是发现，其实这个知识点是很不容易理解的。我又翻阅了相关的文档，现在用更加通俗的语言写写此点的关键。
在RFC中定义了三种方案，我们称作Optin A/B/C，如下所示：
Option A：VRF-to-VRF
Option B：MP-EBGP ASBR-to-ASBR
Option C：Multi-hop MP-EBGP
我们在学习的时候，主要应该从这几个方面学习它：
IGP label，VPN label，Next-hop
我们主要明白这三个点就熟知了Inter-AS MPLS VPN的操作流程。接下来我们就按照以上三个方面讨论Option A/B/C.......

更多参阅PDF文档：点击下载此文件

Cisco Announces Service Provider Operations Track

showbay@vip.qq.com(admin) — Tue,26 Jan 2010 08:00:28 +0800

Cisco Announces New Service Provider Operations Track

Built on the growing demand for dedicated professionals who can manage, maintain and troubleshoot complex service provider IP NGN core network infrastructures, Cisco is introducing a new Service Provider (SP) Operations track. This new track is focused on developing associate, professional and expert-level capabilities to operate large, complex SP networks. These new, first of their kind certifications are designed specifically for Cisco Service Provider Customers, Partners and Cisco Networking Engineers.

Over the coming months Cisco will release new CCIE, CCNP, and CCNA SP Operations courses and exams. In addition, the written exam topics for the CCIE SP Operations certification are now available on the Cisco Learning Network. The CCIE SP Operations written exam is scheduled for release in the second quarter of 2010.

CCIE SP Operations Certification
The Cisco CCIE SP Operations certification assesses and validates core IP NGN service provider operations expertise.  Candidates who pass the CCIE SP Operations certification exams demonstrate skills required of a expert-level (Tier III or Tier IV support) operations engineer to troubleshoot and maintain complex service provider IP NGN core (PE-PE and PE-CE) network infrastructures in both IOS and IOS XR operating environments, plus validate broad theoretical knowledge of operations management processes, frameworks, and network management systems.

CCIE SP Operations Certification benefits:

•Certification helps qualify personnel for customer’s Operations (NOC) Centers
•Provides a credential (certification) that a person holds significant knowledge in SP Operations
•Provides expert level certification to network operations (i.e. NOC) personnel to validate they are qualified to support various Build-Operate Transfer operation models

The CCIE SP Operations written exam is scheduled for release in the second quarter of 2010. The practical exam is scheduled for release in the third quarter of 2010.

CCNP SP Operations Certification
The Cisco Certified Network Professional  in Service Provider Operations (CCNP SP Operations) validates knowledge and skills required (of a Tier II or Tier III support engineer) to troubleshoot and maintain service provider IP NGN core (PE-PE and PE-CE) network infrastructures.  With a CCNP SP Operations certification, a network professional demonstrates the knowledge and skills required to isolate network performance problems, implement proactive fault measures using operations management processes, frameworks, and network management systems. The CCNP SP Operations curriculum includes maintaining carrier class routing protocol environments, MPLS VPN and TE deployments, and QoS mechanisms using Cisco IOS and IOS XR.

CCNP SP Operations Certification benefits:

•Certification helps qualify personnel for customers Operations Centers
•Certification classes provide a developmental path for personnel in Operations
•Provides advanced level training and certification to network operations (i.e. NOC) personnel

The Cisco CCNP SP Operations certification will be made available in the third quarter of 2010.

CCNA SP Operations Certification
Cisco Certified Network Associate in Service Provider Operations (CCNA SP Operations) validates basic knowledge and skills (of a Tier I support engineer) in a prescriptive troubleshooting environment within carrier class IP NGN core network infrastructure.  CCNA SP Operations curriculum includes incident (event), fault, configuration, change, and performance management procedures, along with NMS tools and protocols.

CCNA SP Operations Certification benefits:

•Provides students with a foundation of network operations skills for SP NGN environments
•Provides training and certifications around Network Operations job role
•Provides entry level training and certification to entry level network operations (i.e. NOC) personnel

The CCNA SP Operations certification is scheduled to be released in the second quarter of 2010.

开设新的SP Rack也是由市场机制决定的。现在RS增加了MPLS VPN部分。如今的350-029都是SP的基础。看来Cisco想用SPO来取代350-029 lab。这也是一大调整。不过我觉得调整后的SPO更加贴近SP的要求。

Online Help

showbay@vip.qq.com(admin) — Thu,31 Dec 2009 08:17:11 +0800

      如果你有关于网络方面的难题？请提交问题给我，我会尽力为你解答。
    感谢您提交的问题，如果您有任何问题，请提交您的问题。（最好包括以前的问题）
    让我们共同进步！
    If you have problems on the network? Please submit questions to me, I will try to answer for you。
    Thank you for your submission problem, if you have any questions, please resubmit your question. (Preferably including the previous issues).
      Let us make progress together!

E-mail: help@gotoccie.cn

Site of origin(SOO)

showbay@vip.qq.com(admin) — Wed,23 Dec 2009 17:44:42 +0800

      Site-of-Origin(SOO)是PE路由器分发VPNv4路由时分配给路由的一种属性。他主要的作用是防止路由环路的产生。当然你也可以使用其它的策略。
    有时两端的Site使用相同的AS号码，这就在路由的分发时会发生问题。我们要使用as-overwide来解决这个问题。但同时可能会引起相同的路由再转发回来。这时候我们使用SOO就可以很好的解决这个问题。如果PE看到和某个接口使用相同的SOO，那么PE就不会将此路由加入到VRF路由表中，反之亦然。这点和距离矢量路由协议的水平分割有些类似。当然SOO还可以使用在其他的用途，你可以使用route-map来匹配相应的SOO值，然后分给相应的策略。
    .......

更多参阅PDF文档：点击下载此文件

Project Study of MPLS Rack

showbay@vip.qq.com(admin) — Wed,23 Dec 2009 12:33:26 +0800

    本Rack由8台7206vxr组成。可以在其上做与MPLS相关的实验。基本的MPLS,BGP,IGP,MPLS VPN都已经配置完成。下载文件后自己运行即可。

拓扑图如下(在下载包中有):

以下是net文件(在下载包中有):
##################################################
#
#    Welcome to Rack of CCIE Service Provider
#
#                       Project Study
#
#               WWW.GOTOCCIE.CN
#
##################################################
#        CCIE is that go forward ever day
#                    Edit:bay Wei
#                    QQ：3087274
#              Email:showbay@vip.qq.com
#                MSN:jncies@gmail.com
##################################################
# |Define v60  Router as follows:
# |Cisco 7206VXR--->
#   IOS:   c7200-k91p-mz.122-25.S15.bin
#   Ram:   128M
#   NPE:   NPE-400
#   disk0: 128
#   disk1: 0
#   Slot0: PA-C7200-IO-2FE
#   Slot1: PA-2FE-TX
#----------------------------------------------

autostart = False
ghostios = True
sparsemem = True
mmap = true

################################################## |
# |
# |The 1st instance for AS123's Backbone(R1,R2,R3) and R8
# |Backbone use Cisco 7206VXR router
# |Dynamips use prot 9100 and UDP port is 11000
# |Console port is 8000 serial(8001 - 8012)
# |All FastEthernet interface connected to Switch
# |
#################################################

  [127.0.0.1:9100]
    port = 9100
    udp = 11000
    workingdir = ..\tmp\

    [[7200]]
      image = ..\ios\IMAGES\c7200-k91p-mz.122-25.S15.image
      npe = npe-400
      ram = 128
      disk0 = 128
      disk1 = 0
      confreg = 0x2102
      exec_area = 64
      idlepc = 0x6084ab10
      slot0 = PA-C7200-IO-2FE
      slot1 = PA-2FE-TX

   [[ROUTER R1]]
     model = 7200
     console = 8001
     f0/0 = R3 f0/0
     f0/1 = R2 f0/1
     f1/1 = R8 f1/1

   [[ROUTER R2]]
     model = 7200
     console = 8002
     f1/0 = R3 f1/0
     f1/1 = R4 f1/1

   [[ROUTER R3]]
     model = 7200
     console = 8003
     f0/1 = HUB 1

   [[ROUTER R8]]
     model = 7200
     console = 8008

#################################################
# |
# |The 2st instance for AS456's Backbone(R4,R5,R6) R7 and EthernetSwitch
# |Backbone use Cisco 7206VXR router
# |Dynamips use prot 9200 and UDP port is 12000
# |Console port is 8000 serial(8001 - 8012)
# |All FastEthernet interface connected to Switch
# |
#################################################

  [127.0.0.1:9200]
    port = 9200
    udp = 12000
    workingdir = ..\tmp\

    [[7200]]
      image = ..\ios\IMAGES\c7200-k91p-mz.122-25.S15.image
      npe = npe-400
      ram = 128
      disk0 = 128
      disk1 = 0
      confreg = 0x2102
      exec_area = 64
      idlepc = 0x6084ab10
      slot0 = PA-C7200-IO-2FE
      slot1 = PA-2FE-TX

   [[ROUTER R4]]
     model = 7200
     console = 8004
     f0/0 = R5 f0/0
     f0/1 = R6 f0/1

   [[ROUTER R5]]
     model = 7200
     console = 8005
     f1/0 = R6 f1/0
     f0/1 = HUB 1

   [[ROUTER R6]]
     model = 7200
     console = 8006
     f0/0 = R7 f0/0

   [[ROUTER R7]]
     model = 7200
     console = 8007

    [[ethsw HUB]]
     1 = dot1q 1
     2 = dot1q 1
     3 = access 1 NIO_gen_eth:\Device\NPF_{C7A34BF2-7E96-4B2B-97A1-B9CD5D67E0F5}



##################################################
#                   Bay Wei
#                 CCIE's way
#               WWW.GOTOCCIE.CN
#                 2009-12-23
##################################################
我在R3--R5之间桥接了一个本地接口，主要用来抓包，学习包的格式，你下载后需要修改。至于抓包工具你可以自己选择。我使用的是OmniEngines with OmniPeek 。

-----------------------------------
OmniEngines with OmniPeek Download：http://www.wildpackets.com/support/downloads
配置文件包下载：http://www.namipan.com/d/Project%20Study.rar/8a33019368797b8581a0affdb63f6e7ac0c105062402e301

MPLS Knowledge Architectures Clouds

showbay@vip.qq.com(admin) — Tue,22 Dec 2009 12:51:57 +0800

我把和MPLS相关的知识点画到一个云图上了,希望能对大家建立一个MPLS架构图，对于学习MPLS也知道如何下手。如果你懂得了云图的知识点，可以将相关的知识点组合来学习更深入的学习。后面我的学习也是根据这个云图来学习的。以后的文档也基本上都是根据这个图来写。
Note：原图右键保存图片即可

Inter-AS MPLS VPN

showbay@vip.qq.com(admin) — Mon,14 Dec 2009 15:58:27 +0800

对于Inter-AS MPLS VPN 这里有两种标签：
1. VPN标签（由MP-BGP分发而来）。
2. IGP标签（由LDP/TDP根据IGP分发而来）。
在同一个AS中，MPLS VPN可以很好的工作，因为所有的数据包都是使用两个标签，而同一AS中，所有的PE的Loopback地址都是相互保持的。而在Inter-AS 中，由于是两个不同的AS管理着，那么他们之间的策略可能不一致。那么如何保持他们之间能够正常的通讯。这个就对标签的分发，LSP的建立是很重要的。在Inter-AS MPLS VPN中，有两个点是很重要的。
1. 标签的分发
2. 下一跳
只要这两个能够正常的工作，Inter-AS MPLS VPN就可以工作了。
MPLS VPN Inter-AS RFC定义了三种方法：
Option A：Back-to-Back VRF
Option B：ASBR-to-ASBR
Option C：Multi-Hop MP-eBGP Between RR and eBGP Between ASBRs
在CCIE ISP LAB中，Inter-AS VPN也是相当重要的，它会影响到其他的需求，因此对于Inter-AS的学习也是很重要的。

Note：看不清图片请右键另存为即可

更多内容请参与PDF文档：点击下载此文件

Core Knowledge Questions Now on All CCIE Labs

showbay@vip.qq.com(admin) — Wed,09 Dec 2009 20:02:54 +0800

Effective January 4, 2010, the CCIE® Service Provider, Storage, and Wireless Lab Exams will add a new type of question format in a section called Core Knowledge. In this new section, candidates will be asked a series of four open-ended questions which require a short written response be entered into the computer–typically several words. The questions will be randomly drawn from a pool of questions on topics eligible for testing. Candidates can review the topics by visiting the CCIE track information on Cisco.com or Cisco Learning Network. No new topics are being added as a result of this change. Candidates will have up to 30 minutes to complete the Core Knowledge section and may not return to it once they have moved on. A passing score on the Core Knowledge section is required to achieve certification. Core Knowledge questions were implemented on Routing and Switching labs in February 2009, Security labs in June 2009, and Voice labs in July 2009, and allow Cisco to maintain strong exam security and ensure only qualified candidates are awarded CCIE certification. Candidates with exam dates January 4, 2010 or later should expect to see the new question format on their lab exam. To find out more information regarding updates to the CCIE Lab and scoring format, please click here to go to the CCIE Q&A section.

Come on!2010!

CCIE SP Lab Checklist v3 Edition

showbay@vip.qq.com(admin) — Sun,06 Dec 2009 08:11:10 +0800

I have re-compiled my v2 CCIE SP Checklist which I published here before my last attempt back in February. I have added in nuances, new tips and additional information I have come across in other forums which I hope can help not only you but also me!!

Here is the copy in blog format and I have also added a rapidshare link at the bottom of this blog entry for the PDF Version – let me know what you think.



Title:                 CCIE SP Lab Checklist

Author:             Stephen Bowes

Version:           3.0

Date:                November 2009



Abstract:

This is a compilation of notes, gotcha’s, pointers, etc from my research in preparation for my upcoming CCIE SP Lab exam which I have acquired over many years. Please feel free to notify me of more improved ways to those listed below and or errata through my CCIE blog at cciesplab.wordpress.com or by email at cciesp@rocketmail.com.

Points Scoring and Timings:

I am conscious of the number of candidates who have failed due to running out of time. There are a number of reasons for this, here they are and proposed solutions.

Reasons for Failure: Solutions:
Misinterpreting the questions Read the question more slowly, read it again, do not over-engineer the solution, answer what is asked, confirm any doubts with proctor, if proctor answer unacceptable, ask the same question a different way again.
Typing in the right configuration on the wrong interface or router Tread carefully, cross-check and reference, validate before moving on.
Tasks taking too long to configure in the time window available Practise speed drills, type faster, use aliases, notepad for verbose configurations, and use the Doc CD less if possible. Configure technologies router by router rather than interface by interface [explained later]
Lack of Task Verification Failing to fully verify – ensure you use the three way approach [1] Ping, [2] Trace Route & [3] Routing Table

To this end my timing plan is as follows -> Total Time = 8 hours = 480 Minutes. Lab Points Total = 100 Points, allowing 30 minutes for opening moves [see below] and 45 minutes for checking, validation and verification at the end, gives me 400 minutes for configuration

=> 4 Minutes/Point.

Pre-Lab Actions:

1 Month:

Adjust your body to performing 8 hour labs – Stamina will be key – you will be no use to anyone if you get tired after 5 hours of labbing. With 1 month to go ensure you are not doing 4 hour mini-labs rather the longer ones.

1 Week:

Adjust your body clock to the lab time. In my case I work 11am-7pm GMT whereas the Lab Exam in Brussels starts at 0745. This is 0645 GMT so with a week to go I will be up, showered, and had breakfast and sitting at my desk at 0730 to start an 8 hour lab with lunch at 12 for 30 minutes. I need to be fully alert at 0745 on Lab Day.

Lab Exam Day:

Get as much sleep as is feasible the night before, up, showered, breakfast complete and be at Cisco by 0730. I booked into the nearest hotel I could find 250m away so no reliance on transport, etc.
Bring a number of layers of clothes in case the room is cool, bring ear plugs so that the 11 guys/girls typing next to you and also so that the CCIE Voice candidates testing faxes will not interfere with your concentration levels.
Documentation Location is http://www.cisco.com/web/psa/products/index.html
15 Minute Immediate Action: Anyone who has served in the military knows what an Immediate Action is – when something goes wrong a backup plan – in this case I’m going to move on if I cannot get any 3 pointer completed within 15 minutes ensuring I finish the lab!

Lab Action Plan: [Note: All times below are estimates and dependent on points values as per timing plan noted above]

Opening Moves: [30 Minutes: 0800->0830]

After the proctor instructions, take a minute, calm yourself, open the booklet, read the exam end to end, visualise the Bridging/Switching, IGP, EGP, MPLS, etc.
Draw a personalised diagram of the topology – Note: This is a talking point, some do, some don’t, and I think it’s advantageous especially from an IP/Interface perspective.
Ignore the rush of the other candidates typing or the urge to get started.
Create a point checklist on the rough paper provided. Here is my example.
Example Point Checklist:

Task: Section: Points: Time: [Mins] Completed: Total Points: Comments:
Switching 1.1 3 15 Yes 3 Watch security requirement section 7.2
Switching 1.2 2 10 Yes 5 All ok
Switching 1.3 2 10 No, moved on 5 Look up DocCD to confirm solution.

Troubleshooting: [15 Minutes: 0830->0845]

A number of faults may have been entered into the pre-configured devices. Check your SecureCRT software – can you see each of the devices? Reload each device, look for any hardware errors on boot-up, now is the time to spot this, not 11am.

As any issues could have been introduced check everything, IP Addresses matching Interfaces, subnet masks, FR DLCI’s, FR Inverse-Arp, pre-defined VLAN’s, VTP Modes on 3550’s, watch any pre-defined configurations configured on correct interfaces, ATM configurations, NSAP, IP, IP CEF, etc.

I am not an Alias guy but now would be the time to do this, type these into notepad and cut & paste onto the routers ‘show run | b Se’ – Remember for large or repetitive configurations such as BGP, use notepad and then copy and paste but be aware of changing values such as IP’s, subnets, etc as you copy and paste.

Bridging & Switching:

Frame-Relay: [15 Minutes: 0845->0900]

Use your diagram to draw out the FR Topology
A lot of this may be pre-configured so verification doubly important
Use [1] shut [2] enc frame-relay [3] no frame inverse-arp [4] no shut.
Decide to use either frame-relay map or use sub-interfaces
Ping from spoke to spoke if possible to validate.
Extra mapping required if required to ping your own interface
If PPP over FR, then always create VT first, user/password
Save, reload, and then verify all working.
FRTS – Know your CIR=Bc x 1000\Tc; Be=(AR-CIR) x Tc/1000.
DocCD Location => Main URL = http://www.cisco.com/web/psa/products/index.html
– Cisco IOS SW Release 12.4 Family – 12.4 Mainline – Configuration Guides – Cisco IOS Wide-Area Networking Configuration Guide, Release 12.4.

Verification Tools – ping, show frame-relay map, show int virtual-template, show int virtual-access, show traffic-shape, show interfaces serial, show frame-relay lmi, show frame-relay pvc, clear frame-relay inarp, clear interface, debug serial interface, debug frame-relay lmi, debug frame-delay events, debug frame-relay packets
=> Golden Moment: Frame-Relay is the spinal cord of the inter-network, it must be 100% <=

Switching: [15 minutes: 0900->0915]

Check VLAN’s as per instruction
Check VTP Modes
Check Trunking & Access Ports
A lot of pre-configuration completed so use the verification commands below.
Ping vlan by vlan. Select only one device and ping all other on a specific vlan.
If naming something, type it exactly as specified – Ref: Narbik
Specify both Duplex and Speed as Auto-Sense can be troublesome – Ref: IEMentor & Gorito
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS LAN Switching Configuration Guide, Release 12.4
Verification Tools => show interfaces, show interfaces trunk, show vlan brief, show vtp status, clear interface
Cell-Mode MPLS: [15 Minutes: 0915->0930]

Configure any ATM interfaces required – PVC/SVC, NSAP Addressing,
Watch for tag-switching or label-switching.
Security authentication may be required
Use ping to verify
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS Asynchronous Transfer Mode Configuration Guide, Release 12.4
Verification Tools => show interfaces, show atm pvc, show atm svc, show atm map, show atm traffic,
PPP/Ethernet: [15 Minutes: 0930->0945]

Configure PPP/PPPoE as required, PPPoE enable, pppoe-client, interface dialer, etc.
Know security configurations, ping and validate.
Be aware of IOS nuances with these types of features.
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS VPDN Configuration Guide, Release 12.4 & Cisco IOS Broadband Access Aggregation and DSL Configuration Guide, Release 12.4
Verification Tools => show pppoe session
=> Golden Moment – Bridging & Switching Complete – Total Time 1 Hour 45Mins <=

IGP: [Note that probably only one of these will be the core IGP]

OSPF: [30 Minutes: 0945->1015]

While reading the task, use your master diagram to configure OSPF router by router not area by area. Look for the following OSPF characteristics.
Authentication, stub or nssa, virtual link
Refer again to your master diagram, colour in the OSPF areas.
Make a note on redistribution, summary, area-range, DR/BDR, OPSF network type.
Get Area 0 working 100% first.
Ensure Area 0 Contiguous, test, create GRE/Virtual-links, and test again.
Configure other areas.
Leave OSPF Security until last.
From a time perspective, router by router saves you revisiting router and typing in additional commands after the fact.
First Interface and then router ospf
Preferred sequence for configuring interface

1) OPSF network type based,

2) priority,

3) Authentication,

Preferred sequence for configuring OSPF process

1) router-id

2) area authentication,

3) neighbor,

4) Network (copy paste from interface address)

Validate everything is working (show ip os ne, show ip os vir, show ip os interface, show ip route)
Do redistribute summary, area range, filtering [Be Careful!]
Validate and verify prior to moving on.
Save Configurations,
Reload routers and final verification.
Note: Some candidates do not reload, some do – I will.

DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4
Verification Tools => show ip ospf, show ip ospf interfaces, show ip ospf neighbor, show ip ospf database, show ip ospf virtual-links, debug ip ospf events, debug ip ospf hello, debug ip ospf packet
IS-IS: [30 Minutes: 1015->1030] – Same as OSPF – Allowing additional 15 minutes in case both are present.

This has been noted by previous candidates and having quite a bit to do on the SP Exam! Refer again to your master diagram, colour in the ISIS areas.
Configure ISIS on relevant routers
Note what ISIS Levels are required – 1 or 2,
Assign appropriate NET addresses
Remember unlike other IGP’s, ISIS configured at Interface level and is essentially a L2 protocol.
Verify adjacencies
Due to ISIS only knowing two forms of media – LAN or point-to-point -> use the frame-relay map clns command to create maps for protocol to run.
Configure any ISIS filtering/redistribution
Configure Authentication if required.
Configure any additional ISIS nuances/parameters such as metrics/timers, etc we encounter.
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4
Verification Tools => show isis database, show isis topology, show clns protocol, show clns interface, show clns neighbors.
=> Golden Moment – IGP Complete – IGP Time 1 hour – Total Time 3 Hours <=

BGP: [60 Minutes: 1030-1130 – dependent on points]

While reading task, draw BGP topology on master diagram, this is important.
Determine Route Reflector or confederation or both to do full-mesh iBGP.
See if neighbor peer-group is required,
Configure router by router not BGP session-by-session
Configure one AS then another – be AS focussed.
Ascertain required address families & configure – ipv4, vpnv4, ipv4 vrf, etc
Ensure reachability, one AS at a time.
Spend enough time to be absolutely correct on route-filtering (ACL, prefix-list, as-path filer), route-aggregate(w/ as-set, summary-only, supress-map, attribute-map, advertise-map), route-manipulation( w/as-prepending, med, local-pref, weight, next-hop, advertise-map/non/existing-map, origin, community, etc ) route-dampening, etc.
Resolve any next-hop-self issues which are easier to troubleshoot working one AS at a time.
Validate config. Use “clear ip bgp * soft “not”, clear ip bgp *.
Leave BGP Authentication until last.
Save, reload and test.
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4
Verification Tools => show ip bgp, show ip bgp summary, show ip route bgp, show ip bgp neighbors, show ip bgp neighbors neighbor-ip-address, debug ip bgp
=> Golden Moment – EGP Complete – Ensure full Reachability Maintained, Save Configs <=

Reachability Test: [Before lunch if possible followed by reloading routers]

Test full reachability with TCL Script. Check you get an ICMP response from every router to every router. If ping has no response, write down IP address and troubleshoot.

The master diagram will help here. Method involves – show ip alias, Copy to Notepad, Search and Replace to “Massage the Data and toss in the PING Command), Wrap what’s left in a TCL or Macro, Copy and Paste into a Router.

  Run tclsh script

  “foreach addr {

  1.1.1.1 <http://1.1.1.1

  …

  } { ping $ addr}” Just copy past after tclsh – To quit, just type ” tclq”. Also to quote Scott Morris -> I’d leave “debug ip routing” turned on through the rest of the day. It can be a quick indicator to things getting messed up (like when you add ACL’s or play with NAT!)

MPLS: [30 Minutes: 1130->1200]

Tag Switching v Label Switching, when to use which ones – Watch for IOS Bugs here!
Watch any integration with EGP
MPLS might be the final piece of the jigsaw for full lab reachability.
Cell Mode v Frame Mode
MPLS Traffic Engineering – Levels, metric-style wide, ip explicit config, RSVP? etc.
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS Multiprotocol Label Switching Configuration Guide, Release 12.4
Verification Tools => show mpls forwarding-table, show mpls interfaces, show mpls ldp neighbor, show mpls ldp parameters, show mpls traffic-eng autoroute
Golden Moment – Lunch – Reachability, Save Configurations & Reload.

Afternoon Session:

SP Management: [15 Minutes: 1230->1245]

Know SNMP, setting up community strings, traps, RMON, pointing at various devices, etc
Netflow, destination address, port no, version, etc
NTP, master, server, source, etc.
Know about various IP Services available in the IOS
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS NetFlow Configuration Guide, Release 12.4 & Cisco IOS Network Management Configuration Guide, Release 12.4 & Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4
Verification Tools => Multiple Commands.
SP Security: [30 Minutes: 1245->1315]

Be careful not to block or drop any IGP updates; Draw a flow on paper if required

Consider all options for classification – std/ext/reflexive/dynamic ACL, IP Prefix List, IP inspect, tcp intercept, Unicast RFP, ip accounting output packet /access-violation/precedence.
Be aware of various ways to configure MD5 for IGP, some of this may be completed via the IGP\EGP sections, ensure you have read ahead at the start of the lab.
When configuring Switchport port-security mac-address, be careful to include virtual and physical mac if HSRP is running
Know response planning to common security attacks such as DOS, Smurf, etc.
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS Security Configuration Guide, Release 12.4
Verification Tools => Multiple Commands.
MPLS VPN: [75 Minutes: 1315->1445]

So much here: VRF, VRF-Lite, MP-iBGP, MP-eBGP, Important to map out on your master diagram, the flow/direction of the VPN Traffic so that the correct configuration can be applied to the correct interface on the correct router in the correct direction!

MP-BGP filtering, specifying route-targets, etc
PE-CE Routing, RIP – Watch Split-Horizon is off on physical FR and ATM, authentication, version, auto-summary, etc; Other IGP/EGP considerations configure router-by-router, Advanced Options-CSC, Internet Access, Central Services, etc.
Be aware of various backup routes for the VPN traffic in the event of line/router failure, redistribution of PE-CE to Core and vice versa.
Be aware of VPN and Frame Relay specific limitations
GRE/mGRE tunnels, when to use, how to configure.
Be able to provide Internet Access from one portion of the inter-network to another.
Be able to exchange EGP traffic across AS’s, watch next-hop, watch multi-hop, etc
QinQ/PPoE – benefits = reduce no of VLANs, scalability, encap dot1q, pppoe enabled, etc.
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS Multiprotocol Label Switching Configuration Guide, Release 12.4
Verification Tools => show ip vrf, show ip route, show ip route vrf vrf-name [prefix], show ip cef vrf vrf-name [ip-prefix], ping vrf, show ip bgp vpn all summary, show ip vrf detail, ping vrf source , sh ip bgp vpn all summary, sh ip bgp vpn all, sh ip bgp vpn vrf summary, sh ip bgp vpn vrf , sh ip bgp vpn vrf labels, sh mpls forwarding, sh mpls forwarding | inc , sh mpls forwarding vrf , sh mpls forwarding label .

SP Multicast: [30 Minutes: 1445->1515]

Setup PIM Mode as required – Sparse/Sparse-Dense – Use address-family ipv4 multicast were required
Identify PIM RP or Bootstrap requirements
Don’t forget ip multicast-routing and/or ip multicast-routing vrf
Be aware of route filtering
Join any IGMP Groups if required, check with pings,
Check Unicast and multicast traffic work across different AS.
Multicast VPN, default MDT, data MDT, MDT Group Addresses, MSDP, etc
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS IP Multicast Configuration Guide, Release 12.4
Verification Tools =>   show ip igmp groups, show ip pim rp mapping, show ip mroute, show ip interfaces.
SP QoS: [30 Minutes: 1515->1545]

Be careful not to block or drop any IGP updates
Draw a flow on paper
Interpretation of what is required & which QoS Method to use is Key!!
Determine classification method (ACL, NBAR) and direction.
Determine Shaping v Policing
Consider all options for queuing (legacy custom/priority, bandwidth/priority, shape average/peak, FRTS/GTS) – Always Outbound.
Consider all options for policing ( police, rate-limit, ip multicast rate-limit, aggregate police( 3550))
If frame-relay, don’t forget adaptive-shaping.( becn, fecn, foresight)
Consider all dropping mode (random detect, ecn, tail drop, marking, etc)
DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline, Configuration Guides, Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4
Verification Tools => show ip rsvp, show class-map, show ip rsvp reservation, show mls qos, show policy-map, show queueing, show traffic-shape, etc.
Timings & Tips:

According to this schedule this allows me 45 minutes for checking, saving, reloading, troubleshooting, going back to skipped sections, etc.
Remember the pass mark is 80% not 100% – we can allow for 6 sections worth 3 points each not to work out and still pass!!!!
Route Filtering – Know this cold, affects several areas, pass or fail the lab on this alone IMO!
Skipping Difficult Sections – This is a dangerous but potentially rewarding path up the mountain but slippery and easy to fall down on – Risky Approach.
Redistribution – Say no more, need to pass routes, this is it – potential failure point.
Strategy has to be flexible depending on the progress through the day.
Ensure the “gimme” questions are answered 100% – These are key to success.
Ongoing Validation, via show commands and TCL Script, saving and reloading at least twice I believe is essential.
Speed accessing resources on the DOCCD is essential – should be less than 90 seconds lookup per topic.
Authors Note: Please feel free to contact me if you can add value to this 3rd Edition as I would like to think this can help other SP candidates with a lab structure going forward.

PDF Upload Location => http://rapidshare.com/files/304716095/CCIE_SP_Lab_Checklist_v3.pdf

OSPF in MPLS VPN PE-CE capability vrf-lite

showbay@vip.qq.com(admin) — Sat,21 Nov 2009 08:13:42 +0800

We have two features doing the same thing - Down BIT and Route Tag. They both are used to prevent routing loops to occur in case that carrier is cross connected to customer's network (check my ASCI "art" below).

(CE-A) ------- (PE-1)
   |                   |
   |        {AS127 MPLS}
   |                   |
(CE-B) ------- (PE-2)

Okay, but why do we need two options for that you may ask - well it's because of LSA type design. When OSPF advertise link state messages, it encloses them into different types of LSA messages. When we have PE-CE routing, PE1 receives the announces from the CE-A , sets them appropriate extended communities and pass them through the next PE. When the PE-2 receives the mBGP update, it checks the provided information in BGP messages regarding this prefix. There is information such Area, DomainID, RouterID and etc. When the PE-2 inserts those prefixes/routes into the appropriate VRF, it sets the "OSPF Down BIT" in order to prevent routing loops. When the other router (PE-1) receives the LSA with the down bit set, it does not redistribute the route back into MP-BGP. So far so good, but why do we have two different options (Down bit and Router tag) when they both are using for the same thing? It's because of OSPF messages. The LSA type 5 (external routes) doesn't have an option field. Since we don't have it, we can't set it Therefore we need another technique to inform the PE that this LSA has already been redistributed and it doesn't need to turns back again and forming a routing loops. Here it comes the "Router tag". It uses the ospf External Route Tag field which is part of LSA type 5 message. This is a 32 bit value which has four highest bits set to 1101 (according to RFC 1745) and the lowest 16 bits are used to identify (actually to MAP) the BGP AS of the PE router. It looks something like this: External Route Tag: 3489661055 (if you check your OSPF external database). If you turn this into binary, you'll get 11010000000000000000000001111111. Here we have highest bits set to 1101000000000000 and lower bits set to 0000000001111111. Now let turn this back to a decimal value 0000000001111111 = 127. Now we know the AS which has imported this route into the OSPF database. So next-time when the PE router receives an ospf LSA5 update which contains this tag - the message well be ignored and wouldn't be redistributed back to the BGP. There is one more thing. When you're using BGP to carry customer's OSPF traffic, the customer both ends received updates as LSA type3 (Inter-area Summary). There is something else - called the DomainID. It's not used for any preventions, it's used to handle OSPF behavior. When PE routers establish OSPF connectivity between each other (on both sites) the "ospf proccess id" which is used in the provider's network is important to bo equal on both sites. If it differs, the route will be exported into the customer's OSPF as E2 (ospf external) not as Inter area (IA) type. So, to your first question - vrf-lite capability. What this command do, is to tell the router NOT to concern about any of theese techniques, but to proceed redistribution proccess as usual routing-to-routing protocol redistribution.

Here you are an URL address when you can check what you're looking for:
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_osp1.html#wp1012376

The commands which are helpfull for troubleshooting are:

show ip ospf summary - check for the DownBit set in Options field as Downward
show ip ospf database external - check the external route tag if available
show ip bgp vpnv4 all - check the DomainID which is set to the prefix as extended community

Danail Petrov
https://learningnetwork.cisco.com/thread/6097?tstart=0