Tuesday, April 28, 2009

Mpls Lab #5: Frame-mode MPLS TE

Hi all,

Here is another MPLS lab, the one I used to troubleshoot the TE problems of lab #4 (see the previous post: Mpls Lab #4: using Mpls with cell-mode ATM).
The main goal here is to configure PE-to-PE traffic engineering tunnels with explicit paths.

First, read the "Implementing an MPLS VPN over TE Tunnels" document on Ciscowiki.



It is a simple MPLS VPN topology with a single VRF, "custA".
P-R1 does not need MP-BGP; it acts only as an LSR.
Let's take a look at the TE part:



There are three preferred paths, each with a reserved bandwidth of 10 Mbps.
Remember that TE tunnels are UNIDIRECTIONAL, so you need to configure two tunnels on each PE router, for a total of six tunnels.

Some configuration parts:
hostname PE-R2
!
ip vrf custA
rd 100:99
route-target export 100:99
route-target import 100:99
!
!-- IGP routing with the CE, single-area OSPF
router ospf 20 vrf custA
router-id 172.16.0.1
log-adjacency-changes
redistribute bgp 65000 subnets
network 172.16.0.1 0.0.0.0 area 0
!
!-- IGP routing of the ISP core
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
router-id 10.10.0.2
log-adjacency-changes
network 10.0.0.2 0.0.0.0 area 0
network 10.0.0.9 0.0.0.0 area 0
network 10.10.0.2 0.0.0.0 area 0
!
!-- MP-BGP
router bgp 65000
bgp log-neighbor-changes
neighbor ISP peer-group
neighbor ISP remote-as 65000
neighbor ISP update-source Loopback0
neighbor ISP next-hop-self
neighbor 10.10.0.3 peer-group ISP
neighbor 10.10.0.5 peer-group ISP
!
address-family vpnv4
neighbor ISP send-community both
neighbor 10.10.0.3 activate
neighbor 10.10.0.5 activate
exit-address-family
!
address-family ipv4 vrf custA
redistribute ospf 20 vrf custA
no synchronization
exit-address-family


Here are the most relevant parts of the MPLS TE configuration, with some comments:
hostname PE-R2
!
mpls traffic-eng tunnels !-- enable MPLS TE (RSVP-TE signalling) globally
!
interface FastEthernet1/1
description PE-R2 <-> PE-R3
ip address 10.0.0.9 255.255.255.252
mpls ip
mpls traffic-eng tunnels !-- enable MPLS TE / RSVP on the interface
ip rsvp bandwidth 100000 !-- how much bandwidth RSVP may reserve on this link (kbps)
!
interface FastEthernet2/0
description PE-R2 <-> P-R1
ip address 10.0.0.2 255.255.255.252
mpls ip
mpls traffic-eng tunnels
ip rsvp bandwidth 100000
!
router ospf 1
mpls traffic-eng router-id Loopback0 !-- it's a GOOD IDEA to use the same loopback as the MP-BGP update-source
mpls traffic-eng area 0
!
ip explicit-path name R2-R3-R1-R5 enable
next-address 10.0.0.10
next-address 10.0.0.6
next-address 10.0.0.14
!
ip explicit-path name R2-R1-R3 enable
next-address 10.0.0.1
next-address 10.0.0.5
!
interface Tunnel0
description R2 ->> R3 !-- tunnels are unidirectional (hence the ->> )
ip unnumbered Loopback0 !-- same loopback as the TE router-id, to avoid problems
tunnel destination 10.10.0.3 !-- the destination is the remote PE's TE router-id
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 4 4 !-- mid-priority ,-)
tunnel mpls traffic-eng bandwidth 10000 !-- 10 Mbps reserved (value in kbps)
tunnel mpls traffic-eng path-option 10 explicit name R2-R1-R3
tunnel mpls traffic-eng path-option 20 dynamic !-- fall back to a dynamic (CSPF) path if the explicit one fails
no routing dynamic
!
interface Tunnel1
description R2 ->> R5 !-- you'll see this as "tunnel name" with "sh mpls traffic-eng tunnels brief"
ip unnumbered Loopback0
tunnel destination 10.10.0.5
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 4 4
tunnel mpls traffic-eng bandwidth 10000
tunnel mpls traffic-eng path-option 10 explicit name R2-R3-R1-R5
tunnel mpls traffic-eng path-option 20 dynamic
no routing dynamic
!
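As an added example (not code from the original post), here is a small Python linter that applies the checks just described to an IOS running-config: the TE router-id, the BGP update-source and the tunnels' ip unnumbered must all name the same loopback, the peer-group must carry next-hop-self, every explicit path referenced by a path-option must be defined, every TE tunnel should keep a dynamic fallback, and every TE-enabled link needs an ip rsvp bandwidth pool. GOOD_CONFIG is PE-R2's configuration from this post, re-indented the way IOS prints it; BAD_CONFIG and the set of remote TE router-ids are constructed for the example.

```python
import re

# PE-R2's TE-relevant configuration from this post, indented as IOS prints it.
GOOD_CONFIG = """
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
router bgp 65000
 neighbor ISP peer-group
 neighbor ISP update-source Loopback0
 neighbor ISP next-hop-self
interface FastEthernet1/1
 mpls ip
 mpls traffic-eng tunnels
 ip rsvp bandwidth 100000
ip explicit-path name R2-R1-R3 enable
 next-address 10.0.0.1
 next-address 10.0.0.5
interface Tunnel0
 ip unnumbered Loopback0
 tunnel destination 10.10.0.3
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 10 explicit name R2-R1-R3
 tunnel mpls traffic-eng path-option 20 dynamic
"""

# Constructed counter-example: the Loopback10 mistake described in the post plus
# a few other slips (no next-hop-self, undefined path, no RSVP pool, no fallback).
BAD_CONFIG = """
router ospf 1
 mpls traffic-eng router-id Loopback10
router bgp 65000
 neighbor ISP peer-group
 neighbor ISP update-source Loopback0
interface FastEthernet2/0
 mpls ip
 mpls traffic-eng tunnels
interface Tunnel1
 ip unnumbered Loopback0
 tunnel destination 10.10.0.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 10 explicit name R2-R3-R1-R5
"""

REMOTE_TE_IDS = {"10.10.0.3", "10.10.0.5"}  # assumed TE router-ids of PE-R3 and PE-R5


def parse_ios(config):
    """Split a running-config into {block header: [indented child lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def first(lines, prefix):
    """Value following the first line that starts with prefix, or None."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def lint_te(config, remote_te_ids):
    """Return a list of findings; an empty list means the TE/VPN glue is consistent."""
    b, findings = parse_ios(config), []
    te_rid = None
    for h in b:
        if h.startswith("router ospf"):
            te_rid = first(b[h], "mpls traffic-eng router-id") or te_rid
    if te_rid is None:
        findings.append("no 'mpls traffic-eng router-id' under router ospf")
    for h in b:
        if not h.startswith("router bgp"):
            continue
        upd = {l.split()[1]: l.split()[3] for l in b[h] if " update-source " in l}
        nhs = {l.split()[1] for l in b[h] if l.endswith("next-hop-self")}
        for peer, intf in upd.items():
            if te_rid and intf != te_rid:
                findings.append(f"bgp {peer}: update-source {intf} != TE router-id {te_rid}")
            if peer not in nhs:
                findings.append(f"bgp {peer}: lacks next-hop-self")
    paths = {h.split()[3] for h in b if h.startswith("ip explicit-path name")}
    for h, lines in b.items():
        if not h.startswith("interface "):
            continue
        name = h.split(None, 1)[1]
        if "tunnel mode mpls traffic-eng" in lines:
            src = first(lines, "ip unnumbered")
            if src != te_rid:
                findings.append(f"{name}: ip unnumbered {src} != TE router-id {te_rid}")
            dst = first(lines, "tunnel destination")
            if dst not in remote_te_ids:
                findings.append(f"{name}: destination {dst} is not a known TE router-id")
            opts = [l for l in lines if l.startswith("tunnel mpls traffic-eng path-option")]
            for opt in opts:
                m = re.search(r"explicit name (\S+)", opt)
                if m and m.group(1) not in paths:
                    findings.append(f"{name}: explicit path {m.group(1)} is not defined")
            if not any(opt.endswith(" dynamic") for opt in opts):
                findings.append(f"{name}: no dynamic path-option fallback")
        elif "mpls traffic-eng tunnels" in lines and not first(lines, "ip rsvp bandwidth"):
            findings.append(f"{name}: TE enabled but no 'ip rsvp bandwidth' pool")
    return findings
```

Run lint_te(GOOD_CONFIG, REMOTE_TE_IDS) and it returns an empty list; the constructed BAD_CONFIG yields six findings, including the update-source / TE router-id mismatch that causes the CEF problem described next.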

Note that "mpls traffic-eng router-id Loopback0" under router ospf 1, combined with the BGP next-hop-self, is important for traffic to actually flow into the TE tunnel: the VPNv4 next hop advertised by the remote PE (its update-source loopback) must be the very address the tunnel points at, so that CEF can resolve the VPN route straight onto the tunnel adjacency and impose both the tunnel label and the VPN label.
In fact, if you use other loopbacks as TE router-id or as tunnel sources/destinations, you can experience CEF failures (CEF drops). [that's why my Mpls Lab #4 failed to work for 15 evenings ;-) ]
e.g. when Loopback10 is used as TE router-id and tunnel source/destination and MP-BGP next-hop-self is not configured, you see:
PE-R2#sh ip cef vrf custA 192.168.50.1 detail
192.168.50.1/32, version 17, epoch 0
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with
Recursive rewrite via 10.10.0.5/32, tags imposed {26}
via 10.10.0.5, 0 dependencies, recursive
next hop 10.10.0.5, Tunnel1 via 10.10.0.5/32
valid adjacency
tag rewrite with
Recursive rewrite via 10.10.0.5/32, tags imposed {26} !-- the rewrite recurses on itself with no outgoing interface: a sort of l00p?
PE-R2#

Here CEF tries to resolve the next hop recursively but never gets an outgoing interface: only the VPN label (26) is imposed and there is no tunnel label, so packets are dropped.
Let's look at the correct CEF entry:
PE-R2#sh ip cef vrf custA 192.168.50.1 detail
192.168.50.1/32, version 20, epoch 0
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Tu1, point2point, tags imposed: {25 23}
via 10.10.0.5, 0 dependencies, recursive
next hop 10.10.0.5, Tunnel1 via 10.10.0.5/32
valid adjacency
tag rewrite with Tu1, point2point, tags imposed: {25 23}
PE-R2#

Here the next hop is resolved through Tunnel1 and both labels are imposed correctly: 25 is the tunnel (TE) label, 23 the VPN label.
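Added example (not from the original post): a Python classifier for "show ip cef vrf ... detail" entries that tells the two states apart automatically, which is handy when polling many VPN prefixes after a tunnel change. It looks at the "fast tag rewrite with" line: an outgoing interface plus a label stack means the route is forwarding; a bare "Recursive rewrite via ..." with no adjacency means the drop case above. The two sample entries are the outputs shown in the post, minus the prompt line.

```python
import re

# The broken and the working entries from the post (prompt line dropped).
BROKEN_ENTRY = """\
192.168.50.1/32, version 17, epoch 0
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with
      Recursive rewrite via 10.10.0.5/32, tags imposed {26}
  via 10.10.0.5, 0 dependencies, recursive
    next hop 10.10.0.5, Tunnel1 via 10.10.0.5/32
    valid adjacency
    tag rewrite with
      Recursive rewrite via 10.10.0.5/32, tags imposed {26}
"""

WORKING_ENTRY = """\
192.168.50.1/32, version 20, epoch 0
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Tu1, point2point, tags imposed: {25 23}
  via 10.10.0.5, 0 dependencies, recursive
    next hop 10.10.0.5, Tunnel1 via 10.10.0.5/32
    valid adjacency
    tag rewrite with Tu1, point2point, tags imposed: {25 23}
"""

PREFIX = re.compile(r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)", re.M)
# "fast tag rewrite with Tu1, point2point, tags imposed: {25 23}"
FAST_IFACE = re.compile(
    r"fast tag rewrite with\s+(?P<iface>[A-Za-z][\w/.-]*),\s*(?P<adj>[\w-]+),"
    r"\s*tags imposed:?\s*\{(?P<labels>[\d ]*)\}")
# "fast tag rewrite with" / "Recursive rewrite via 10.10.0.5/32, tags imposed {26}"
FAST_RECURSIVE = re.compile(
    r"fast tag rewrite with\s*\n\s*Recursive rewrite via (?P<via>\S+?),"
    r"\s*tags imposed:?\s*\{(?P<labels>[\d ]*)\}")


def cef_vpn_status(show_output):
    """Classify one 'show ip cef vrf <vrf> <prefix> detail' entry."""
    prefix = PREFIX.search(show_output)
    status = {"prefix": prefix.group("prefix") if prefix else None,
              "resolved": False, "interface": None, "labels": [], "reason": ""}
    m = FAST_IFACE.search(show_output)
    if m:
        status.update(resolved=True, interface=m.group("iface"),
                      labels=[int(x) for x in m.group("labels").split()],
                      reason="rewrite has an outgoing interface and a label stack")
        return status
    m = FAST_RECURSIVE.search(show_output)
    if m:
        status.update(labels=[int(x) for x in m.group("labels").split()],
                      reason=f"rewrite recurses on {m.group('via')} without an adjacency")
        return status
    status["reason"] = "no 'fast tag rewrite' line found"
    return status


def forwarding_ok(show_output):
    """True only when the entry has an adjacency and at least one label to impose."""
    s = cef_vpn_status(show_output)
    return s["resolved"] and len(s["labels"]) > 0
```

With the working entry the function reports interface Tu1 and the label stack [25, 23]; with the broken one it reports no interface, a single label 26, and the recursion on 10.10.0.5/32 as the reason.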

If you traceroute CE-R6's prefixes from CE-R0:
CE-R0#traceroute 192.168.50.1

Type escape sequence to abort.
Tracing the route to 192.168.50.1

1 172.16.0.1 12 msec 4 msec 8 msec
2 10.0.0.10 [MPLS: Labels 25/23 Exp 0] 28 msec 28 msec 32 msec
3 10.0.0.6 [MPLS: Labels 21/23 Exp 0] 44 msec 24 msec 36 msec
4 172.16.0.9 [MPLS: Label 23 Exp 0] 20 msec 32 msec 24 msec
5 172.16.0.10 32 msec * 48 msec

Note also that "autoroute announce" does not let you select which traffic flows into the tunnel, which can be a problem when several CEs in different VRFs are attached to the same PE. With this tunnel configuration all traffic destined to the other PE flows into the TE tunnel; steering only some VRFs would take static routes or policy-based routing pointing at the tunnel instead of autoroute.

Wednesday, April 22, 2009

Configuring multiple PPTP dialin on vrfs

Hi all, I spent a lot of time this week trying to change our unstable PPTP "servers" (3 x PIII Linux black boxes), merging them into a single Cisco 2811.

First, as usual, I read some docs:

- Shivlu's great post "IP Dialing From PC To LNS"

- Cisco IOS Dial Technologies Configuration Guide

Then I made a configuration like this, using VRFs to keep the different services isolated:





ip vrf vpn-1
rd 1:1
vpn id 0:1
route-target export 1:1
route-target import 1:1
!
aaa new-model
!
aaa group server radius radius-vpn-1
server-private 192.168.10.10 auth-port 1812 acct-port 1813 non-standard retransmit 1 key abcd
ip vrf forwarding vpn-1
ip radius source-interface FastEthernet0/0.10
!
aaa authentication ppp authentication-vpn-1 group radius-vpn-1
aaa authorization exec authorization-vpn-1 group radius-vpn-1 if-authenticated
aaa authorization network authorization-vpn-1 group radius-vpn-1 if-authenticated
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting network accounting-vpn-1
action-type stop-only
group radius-vpn-1
!
ip address-pool local
!
vpdn enable
!
vpdn-group 1
description vpdn for vpn-1
accept-dialin
protocol pptp
virtual-template 1
vpn vrf vpn-1
source-ip A.B.C.D
local name vpn-1
!
class-map match-any peer-2-peer
match protocol bittorrent
match protocol gnutella
match protocol winmx
match protocol edonkey
match protocol kazaa2
match protocol fasttrack
!
policy-map QoS-vpn-1
class peer-2-peer
police 8000 conform-action drop exceed-action drop violate-action drop
class class-default
bandwidth 10240
policy-map PARENT-QoS-vpn-1
class class-default
shape average percent 100
service-policy QoS-vpn-1
!
!
interface FastEthernet0/0
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding vpn-1
ip address A.B.C.D 255.255.255.0
service-policy output PARENT-QoS-vpn-1
!
interface FastEthernet0/0.101
encapsulation dot1Q 101
ip vrf forwarding vpn-1
ip address 10.1.6.3 255.255.255.0
service-policy output PARENT-QoS-vpn-1
!
interface Virtual-Template1
ip vrf forwarding vpn-1
ip unnumbered FastEthernet0/0.10
peer default ip address pool PPTPPool
ppp pfc local forbid
ppp pfc remote reject
ppp encrypt mppe auto
ppp authentication ms-chap-v2 authentication-vpn-1
ppp authorization authorization-vpn-1
ppp accounting accounting-vpn-1
!
ip local pool PPTPPool 10.1.6.50 10.1.6.200
!
ip route vrf vpn-1 0.0.0.0 0.0.0.0 10.1.6.1


Let's go through the various config sections, in a sort of "operational" order:

1) Create the VRF for this PPTP VPN. For multiple PPTP dial-in services use multiple VRFs; I have configured three VRFs on the same 2811.
ip vrf vpn-1
rd 1:1
vpn id 0:1
route-target export 1:1
route-target import 1:1


2) Configure the subinterfaces (here I did not use loopbacks). Obviously the service-policy can only be applied after the class-map and policy-map have been created.
A.B.C.D is the public address of this VPN.

interface FastEthernet0/0
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding vpn-1
ip address A.B.C.D 255.255.255.0
service-policy output PARENT-QoS-vpn-1
!
interface FastEthernet0/0.101
encapsulation dot1Q 101
ip vrf forwarding vpn-1
ip address 10.1.6.3 255.255.255.0
service-policy output PARENT-QoS-vpn-1


3) Configure routing for the VRF. Here I used a simple static default route for each VRF:
ip route vrf vpn-1 0.0.0.0 0.0.0.0 10.1.6.1

Before proceeding, it's a good idea to check the VRF routing table and RADIUS reachability with "show ip route vrf vpn-1" and "ping vrf vpn-1 x.y.z.w" ;-)

4) Configure per-VRF AAA using server groups.
aaa new-model
!
aaa group server radius radius-vpn-1
server-private 192.168.10.10 auth-port 1812 acct-port 1813 non-standard retransmit 1 key abcd
ip vrf forwarding vpn-1
ip radius source-interface FastEthernet0/0.10
!
aaa authentication ppp authentication-vpn-1 group radius-vpn-1
aaa authorization exec authorization-vpn-1 group radius-vpn-1 if-authenticated
aaa authorization network authorization-vpn-1 group radius-vpn-1 if-authenticated
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting network accounting-vpn-1
action-type stop-only
group radius-vpn-1

I use FreeRADIUS; 1812/1813 are the standard RADIUS ports for authentication and accounting (they have to be stated explicitly because IOS defaults to the old 1645/1646).
The "ip radius source-interface" sets the source address of the RADIUS packets and the value of the NAS-IP-Address attribute; it is useful when a single RADIUS server must tell the different VPNs apart.
Read the "Understanding IOS Local AAA" post on the Internetwork Expert blog if you want "more spice" when playing with VRFs on PPP interfaces ;-)

5) Configure the IP address pool for PPTP users

ip address-pool local
!
ip local pool PPTPPool 10.1.6.50 10.1.6.200

You need a pool for each VPN/VRF; see the virtual-template configuration below.
Note: I have reserved the addresses above .200 (the pool stops at .200) for administrative use. The simplest way to do this is to add entries like the following to the FreeRADIUS "users" file; the NAS-IP-Address check item ties the entry to this VPN's NAS address, so the same username on another VPN does not receive it:
marco.rizzi     NAS-IP-Address == "A.B.C.D"      
Framed-IP-Address = 10.1.6.228,
Reply-Message = "Hello, %u"
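Added example (not from the original post): a Python audit of a FreeRADIUS "users" file against one VRF's subnet and pool. For every entry whose NAS-IP-Address matches this VPN it checks that the static Framed-IP-Address is a usable host address in the VRF subnet, that it lies outside the dynamic pool (otherwise the router may hand the same address to a pool user), and that no two users share it. The users file below is constructed for the example: the first entry is the one from the post, the other usernames, the E.F.G.H placeholder and the deliberate mistakes are made up.

```python
import ipaddress
import re

# Constructed users file: entry 1 is from the post, the rest are made up to
# exercise the checks (a pool collision, a duplicate, a broadcast address,
# and an entry that belongs to another VPN on the same RADIUS server).
USERS_FILE = """\
marco.rizzi     NAS-IP-Address == "A.B.C.D"
        Framed-IP-Address = 10.1.6.228,
        Reply-Message = "Hello, %u"

backup.admin    NAS-IP-Address == "A.B.C.D"
        Framed-IP-Address = 10.1.6.120,
        Reply-Message = "Hello, %u"

dup.user        NAS-IP-Address == "A.B.C.D"
        Framed-IP-Address = 10.1.6.228

bad.host        NAS-IP-Address == "A.B.C.D"
        Framed-IP-Address = 10.1.6.255

other.vpn       NAS-IP-Address == "E.F.G.H"
        Framed-IP-Address = 10.1.7.210
"""

# attribute, operator, then either a quoted value or a bare token (trailing comma ignored)
ITEM = re.compile(r'([\w-]+)\s*(?:==|:=|=)\s*(?:"([^"]*)"|([^,\s]+))')


def _items(text):
    """Attribute/value pairs found on one users-file line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ITEM.finditer(text)}


def parse_users(text):
    """Parse 'name  check-items' lines followed by indented reply-item lines."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            name, _, check = line.partition(" ")
            cur = {"user": name, "check": _items(check), "reply": {}}
            entries.append(cur)
        elif cur is not None:
            cur["reply"].update(_items(line))
    return entries


def audit_static_ips(entries, nas_ip, subnet, pool_first, pool_last):
    """Problems with the static addresses handed out for the VPN identified by nas_ip."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    seen, problems = {}, []
    for e in entries:
        if e["check"].get("NAS-IP-Address") != nas_ip:
            continue                      # entry belongs to another VPN/VRF
        ip_s = e["reply"].get("Framed-IP-Address")
        if not ip_s:
            continue                      # no static address, pool user
        ip = ipaddress.ip_address(ip_s)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{e['user']}: {ip} is not a usable host address in {net}")
        elif lo <= ip <= hi:
            problems.append(f"{e['user']}: {ip} collides with the dynamic pool {lo}-{hi}")
        if ip in seen:
            problems.append(f"{e['user']}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, e["user"])
    return problems
```

For vpn-1 (subnet 10.1.6.0/24, pool 10.1.6.50-10.1.6.200, NAS address A.B.C.D) the audit flags backup.admin (inside the pool), dup.user (same address as marco.rizzi) and bad.host (broadcast address), and ignores other.vpn because its NAS-IP-Address belongs to another VPN.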


6) Create the virtual template for PPTP users
interface Virtual-Template1
ip vrf forwarding vpn-1
ip unnumbered FastEthernet0/0.10
peer default ip address pool PPTPPool
ppp pfc local forbid
ppp pfc remote reject
ppp encrypt mppe auto
ppp authentication ms-chap-v2 authentication-vpn-1
ppp authorization authorization-vpn-1
ppp accounting accounting-vpn-1

Note the pool reference and the AAA method lists that point at the per-VRF server group. A caveat on the encryption line: "ppp encrypt mppe auto" accepts whatever key length the client negotiates (40- or 128-bit) and, without the "required" keyword, lets a client that does not negotiate MPPE come up unencrypted; use "ppp encrypt mppe 128 required" if every session must be encrypted. Remember also that the MPPE keys are derived from the MS-CHAPv2 exchange, so the tunnel is only as strong as the user's password.

7) Configure the vpdn-group
vpdn enable
!
vpdn-group 1
description vpdn for vpn-1
accept-dialin
protocol pptp
virtual-template 1
vpn vrf vpn-1
source-ip A.B.C.D
local name vpn-1

The "source-ip" is the local address on which this vpdn-group accepts PPTP tunnels (TCP 1723 for the control connection, GRE for the data); with several VRFs each vpdn-group is bound to its own public address, so the address the client connects to selects the virtual-template and the VRF.

8) [optional] Configure some QoS.

class-map match-any peer-2-peer
match protocol bittorrent
match protocol gnutella
match protocol winmx
match protocol edonkey
match protocol kazaa2
match protocol fasttrack
!
policy-map QoS-vpn-1
class peer-2-peer
police 8000 conform-action drop exceed-action drop violate-action drop
class class-default
bandwidth 10240
policy-map PARENT-QoS-vpn-1
class class-default
shape average percent 100
service-policy QoS-vpn-1

(don't forget to apply it under the interfaces with "service-policy")
One of my PPTP VPN services lets users on internal (private) addresses get a public IP address; hence the need to drop peer-to-peer traffic completely, at least the unencrypted part that NBAR can classify, just to avoid wasting the 2811's CPU cycles ,-)
The maximum available bandwidth is also limited to 10 Mbps, more than enough for my users' requirements.
(with 20 users connected and 2Mbps traffic, cpu reaches 40%...)
See Ardeen Packeer's post "QOS: Applying CBWFQ to a sub-interface" to understand why a nested policy with shaping is needed.


Finally, Cisco Document ID 42887, "PPP Troubleshooting Flowchart", was more than useful for debugging the configuration.

Monday, April 6, 2009

Mpls Lab #4: using Mpls with cell-mode ATM

Hi all, I built this lab with GNS3 to try MPLS over LC-ATM (so-called "cell mode").

In real life you will never find routers with ATM interfaces connected back-to-back; usually routers are connected through ATM switches. It is the only way to test LC-ATM with GNS3, though, so this lab does not represent a real scenario.



Note that all "red" links are ATM connections.
The main goals of this lab are:

1) configure and verify mpls on LC-ATM links (use session protection for all ldp neighbors)
2) configure mpls vpn for custA (CE-R9 and CE-R10) using eigrp as PE-CE protocol
3) configure mpls vpn for custB (CE-R5, CE-R6 and CE-R7) using ospf as PE-CE protocol
4) configure traffic engineering tunnels: configure a 5 Mbps tunnel for CE-R5 <-> CE-R6 using R4-3-2-0-1 path (it's senseless... I agree ;-) )
5) configure traffic engineering tunnels: configure a 2 Mbps tunnel for CE-R9 <-> CE-R10 using R2-3-4-0-1-8 path


First of all, read the great "Cell-Mode MPLS" post on the InterNetworkExpert blog.

Second: configure GNS3 with the "right" IOS for this lab... I tried "c7200-adventerprisek9-mz.124-22.T" but it doesn't support ATM MPLS subinterfaces... the great "c7200-adventerprisek9-mz.124-11.T" version worked instead; note that it requires 256 MB of RAM for each router, so don't try this lab without 2.6 GB of free RAM ;-)

Then you can proceed with the tasks:

1) configure and verify mpls on LC-ATM links (use session protection for all ldp neighbors)
Enable MPLS, LDP and TE globally with:
ip cef
mpls ldp neighbor 10.0.0.3 password cisco  !-- TCP MD5 authentication (RFC 2385) of the LDP session, shown as "MD5 on" below
mpls ldp neighbor 10.0.0.1 password cisco
mpls ldp loop-detection   !-- very important with ATM interfaces... read below
mpls ldp session protection  !-- enables session protection for all neighbors
mpls traffic-eng tunnels  !-- enables MPLS TE (RSVP-TE signalling) globally
mpls ldp router-id Loopback0 force  !-- configure Lo0 first ;-)

Session protection is useless in this lab: if I shut an ATM interface the LDP session is "closed", so no session protection will happen, but it is nice to know how to configure it.

Configure your interfaces as follows (with ip unnumbered, multiple ATM subinterfaces can share the same loopback address):
R4#sh run int lo 0
!
interface Loopback0
ip address 10.0.0.4 255.255.255.255
end

R4#sh run int lo 10   !-- let's add some loopbacks for ospf and TE
!
interface Loopback10
description Used as Ospf router-id and TE
ip address 172.18.0.4 255.255.255.255
end

R4#sh run int atm 1/0
!
interface ATM1/0      !--- no configuration for atm interfaces, only a description ,-)
description R4 <-> R3
no ip address
no atm ilmi-keepalive
end

R4#sh run int atm 1/0.10
!
interface ATM1/0.10 mpls   !--- not all IOS versions support ATM MPLS subinterfaces..
ip unnumbered Loopback0    !--- don't waste labels (and vpi/vcis) for point2point links
no snmp trap link-status
mpls ip
mpls atm control-vc 10 1   !--- the control VC (VPI/VCI) carrying the LDP session and other non-labelled traffic
mpls traffic-eng tunnels   !--- enables TE on the subinterface
ip rsvp bandwidth 155000   !--- optional, bandwidth (kbps) RSVP may reserve for TE
end

Don't forget to enable LDP loop detection! Remember that on LC-ATM interfaces label distribution is DoD (Downstream-on-Demand) with ordered control: each LSR explicitly requests a label for a prefix from its downstream neighbour, and that neighbour forwards the request to its own downstream neighbour if it does not have a label yet. Here the topology is a ring, so a request can circle back to its originator. LDP loop detection adds a path vector (the list of LSR IDs the message has traversed) and a hop count to each Label Request and Label Mapping; an LSR that finds its own ID in the vector, or sees the vector exceed the configured limit, drops the message and answers with a Loop Detected notification instead of forwarding it. ,-)
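An added example to illustrate the mechanism (not code from the post, and it does not speak LDP on the wire): a Python model of a Label Request travelling downstream hop by hop around the lab's ring with the path vector carried along. The ring and the per-LSR next hops are constructed from the lab's Loopback0 addresses; the "looped" variant makes R1 point the FEC back at R4 to stand in for a transient routing loop.

```python
FEC = "172.18.0.1/32"   # R1's Loopback10, the prefix the request is for

# Constructed DoD next-hop tables for the ring R4-R3-R2-R0-R1 (Loopback0 LDP ids);
# None means "this LSR is the egress for the FEC and answers with a Label Mapping".
RING = {
    "10.0.0.4":   {FEC: "10.0.0.3"},
    "10.0.0.3":   {FEC: "10.0.0.2"},
    "10.0.0.2":   {FEC: "10.0.0.100"},
    "10.0.0.100": {FEC: "10.0.0.1"},
    "10.0.0.1":   {FEC: None},
}


def with_loop(network):
    """Copy of the network where R1 (wrongly) points the FEC back at R4."""
    broken = {lsr: dict(table) for lsr, table in network.items()}
    broken["10.0.0.1"][FEC] = "10.0.0.4"
    return broken


def label_request(network, ingress, fec, loop_detection=True, pv_limit=255, max_steps=50):
    """Forward a Label Request downstream hop by hop (DoD, ordered control).

    With loop detection on, every LSR appends its LDP id to the path vector before
    forwarding; an LSR that finds itself in the vector, or sees the vector reach the
    limit, drops the request and answers with a Loop Detected notification.
    Returns (outcome, list of LSRs that handled the request).
    """
    path_vector, trace, lsr = [], [], ingress
    for _ in range(max_steps):
        trace.append(lsr)
        if loop_detection and (lsr in path_vector or len(path_vector) >= pv_limit):
            return "loop-detected", trace
        next_hop = network[lsr][fec]
        if next_hop is None:
            return "mapping", trace           # egress reached: Label Mapping flows back upstream
        if loop_detection:
            path_vector.append(lsr)
        lsr = next_hop
    return "request-still-circulating", trace  # a ring without loop detection never stops
```

On the healthy ring the request reaches R1 after five hops and a mapping comes back; on the looped ring with detection on, R4 sees its own id in the path vector when the request comes round and drops it; with detection off the same request is still circulating when the model gives up. The pv_limit argument corresponds to the "Path Vector Limit 255" shown by "sh mpls ldp neighbor detail" below.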

Let's verify that the LDP sessions are established and labels are exchanged.
R4#sh mpls ldp neighbor detail
Peer LDP Ident: 10.0.0.1:1; Local LDP Ident 10.0.0.4:2
TCP connection: 10.0.0.1.646 - 10.0.0.4.19294; MD5 on
State: Oper; Msgs sent/rcvd: 27/28; Downstream on demand
Up time: 00:11:41; UID: 1; Peer Id 0;
LDP discovery sources:
ATM2/0.10; Src IP addr: 10.0.0.1
holdtime: 15000 ms, hello interval: 5000 ms
Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
Clients: TC ATM
Path Vector Loop Detection Peer/Local: On/On
Path Vector Limit Peer/Local: 255/255
Peer LDP Ident: 10.0.0.3:2; Local LDP Ident 10.0.0.4:1
TCP connection: 10.0.0.3.646 - 10.0.0.4.16280; MD5 on
State: Oper; Msgs sent/rcvd: 22/25; Downstream on demand
Up time: 00:11:40; UID: 2; Peer Id 1;
LDP discovery sources:
ATM1/0.10; Src IP addr: 10.0.0.3
holdtime: 15000 ms, hello interval: 5000 ms
Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
Clients: TC ATM
Path Vector Loop Detection Peer/Local: On/On
Path Vector Limit Peer/Local: 255/255

Well done. Let's check the ATM-LDP bindings (here you see only the prefixes this router has requested from its neighbours; the path is displayed only if LDP loop detection is enabled):
R4#sh mpls atm-ldp bindings path
Destination: 10.0.0.1/32
Tailend Router ATM1/0.10 1/34 Active, VCD=4, CoS=available
Path:    10.0.0.3        10.0.0.4*
Destination: 172.18.0.1/32
Tailend Router ATM1/0.10 1/36 Active, VCD=6, CoS=available
Path:    10.0.0.3        10.0.0.4*
Destination: 10.0.0.2/32
Headend Router ATM1/0.10 (1 hop) 1/33  Active, VCD=3, CoS=available
Path:    10.0.0.4*       10.0.0.3
Destination: 10.0.0.3/32
Headend Router ATM1/0.10 (1 hop) 1/34  Active, VCD=4, CoS=available
Path:    10.0.0.4*       10.0.0.3
Destination: 10.0.0.4/32
Tailend Router ATM1/0.10 1/35 Active, VCD=5, CoS=available
Path:    10.0.0.3        10.0.0.4*


Configure the ISP core IGP with a simple single-area OSPF and use Loopback10 as the TE router-id (the same loopback configured as update-source in BGP):
R4#sh run | sec inc router ospf
router ospf 1
mpls traffic-eng router-id Loopback10  !-- assign a TE router id
mpls traffic-eng area 0  !-- flood the TE (opaque) LSAs in area 0
router-id 172.18.0.4
log-adjacency-changes
network 10.0.0.4 0.0.0.0 area 0
network 172.18.0.4 0.0.0.0 area 0
!

...and finally let's prepare the MP-BGP VPNv4 sessions before starting the next task:
R4#sh run | sec inc router bgp
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor ISP peer-group
neighbor ISP remote-as 65000
neighbor ISP update-source Loopback10
neighbor ISP send-community both
neighbor ISP next-hop-self
neighbor 172.18.0.1 peer-group ISP
neighbor 172.18.0.2 peer-group ISP
neighbor 172.18.0.3 peer-group ISP
neighbor 172.18.0.8 peer-group ISP
neighbor 172.18.0.100 peer-group ISP
no auto-summary
!
address-family vpnv4      !-- don't forget to activate the neighbors under the vpnv4 address family! ,-)
neighbor ISP send-community both
neighbor 172.18.0.1 activate
neighbor 172.18.0.2 activate
neighbor 172.18.0.3 activate
neighbor 172.18.0.8 activate
neighbor 172.18.0.100 activate
exit-address-family

Here a route reflector could replace the full mesh of iBGP sessions to improve scalability.

2) configure mpls vpn for custA (CE-R9 and CE-R10) using eigrp as PE-CE protocol
Nothing special on the CE side:
CE-R9#sh run | sec inc router
router eigrp 1
network 172.16.0.4 0.0.0.3
network 172.17.0.9 0.0.0.0
network 192.168.30.0
network 192.168.40.0
no auto-summary
CE-R9#

On the PE:
ip vrf custA
rd 65000:10
route-target export 65000:10
route-target import 65000:10
!
interface Ethernet3/0
description R2 <-> CE-R9
ip vrf forwarding custA
ip address 172.16.0.5 255.255.255.252
duplex half
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf custA
redistribute bgp 65000 metric 10000 1000 255 1 1516
network 172.16.0.4 0.0.0.3
no auto-summary
autonomous-system 1  !-- don't forget it!
exit-address-family
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor ISP peer-group
neighbor ISP remote-as 65000
neighbor ISP update-source Loopback10
neighbor ISP send-community both
neighbor ISP next-hop-self
neighbor 172.18.0.1 peer-group ISP
neighbor 172.18.0.3 peer-group ISP
neighbor 172.18.0.4 peer-group ISP
neighbor 172.18.0.8 peer-group ISP
neighbor 172.18.0.100 peer-group ISP
no auto-summary
!
address-family vpnv4
neighbor ISP send-community both
neighbor 172.18.0.1 activate
neighbor 172.18.0.3 activate
neighbor 172.18.0.4 activate
neighbor 172.18.0.8 activate
neighbor 172.18.0.100 activate
exit-address-family
!
address-family ipv4 vrf custA
redistribute eigrp 1
no synchronization
exit-address-family


3) configure mpls vpn for custB (CE-R5, CE-R6 and CE-R7) using ospf as PE-CE protocol
You have to use an OSPF sham-link between R1 and R4. Without it, routes learned across the MPLS backbone are redistributed from BGP as inter-area (or external) routes, while the backdoor link between the custB sites carries intra-area routes, and OSPF always prefers intra-area regardless of cost; the sham-link makes the backbone path intra-area too, so the cost comparison decides:
ip vrf custB
rd 65000:20
route-target export 65000:20
route-target import 65000:20
!
interface Loopback10
description Used for mpls TE
ip address 172.18.0.4 255.255.255.255
!
interface Loopback100
description used for sham link vrf custB (must be a /32 and assigned to the vrf)
ip vrf forwarding custB
ip address 172.16.1.4 255.255.255.255
!
interface Ethernet3/0
description R4 <-> CE-R5
ip vrf forwarding custB
ip address 172.16.0.17 255.255.255.252
duplex half
!
router ospf 20 vrf custB
router-id 172.16.0.17
log-adjacency-changes
area 0 sham-link 172.16.1.4 172.16.1.1 cost 5  !-- the backup "direct" link must have a higher OSPF cost than the sham-link path; 20-40 worked here
redistribute bgp 65000 metric 5 subnets
network 172.16.0.17 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor ISP peer-group
neighbor ISP remote-as 65000
neighbor ISP update-source Loopback10
neighbor ISP send-community both
neighbor ISP next-hop-self
neighbor 172.18.0.1 peer-group ISP
neighbor 172.18.0.2 peer-group ISP
neighbor 172.18.0.3 peer-group ISP
neighbor 172.18.0.8 peer-group ISP
neighbor 172.18.0.100 peer-group ISP
no auto-summary
!
address-family vpnv4
neighbor ISP send-community both
neighbor 172.18.0.1 activate
neighbor 172.18.0.2 activate
neighbor 172.18.0.3 activate
neighbor 172.18.0.8 activate
neighbor 172.18.0.100 activate
exit-address-family
!
address-family ipv4 vrf custB
redistribute ospf 20 vrf custB
no synchronization
network 172.16.1.4 mask 255.255.255.255  !-- advertise the sham-link endpoint in BGP only; it must not be reachable through the VRF's OSPF
exit-address-family
!

Pay attention to the cost of the sham-link, and assign a proportionally "bigger" cost to the backup link; in this lab everything worked well with a cost of 5 on the sham-link and a cost of 40 on the backup.

4) configure traffic engineering tunnels: configure a 5 Mbps tunnel for CE-R5 <-> CE-R6 using R4-3-2-0-1 path (it's senseless... I agree ;-) )

R4#sh run int lo 10
!
interface Loopback10
description Used for mpls TE
ip address 172.18.0.4 255.255.255.255
end

R4#sh run int tun 0
!
interface Tunnel0
ip unnumbered Loopback10
tunnel destination 172.18.0.1
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 5 5
tunnel mpls traffic-eng bandwidth  5000
tunnel mpls traffic-eng path-option 1 explicit identifier 1
tunnel mpls traffic-eng path-option 2 dynamic
no routing dynamic
end

R4#sh ip explicit-paths
PATH 1 (strict source route, path complete, generation 6)
1: next-address 10.0.0.3
2: next-address 10.0.0.2
3: next-address 10.0.0.100
4: next-address 10.0.0.1

...and on R1:
R1#sh run int lo 10
!
interface Loopback10
ip address 172.18.0.1 255.255.255.255
end

R1#sh run int tun 0
!
interface Tunnel0
ip unnumbered Loopback10
tunnel destination 172.18.0.4
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 5 5
tunnel mpls traffic-eng bandwidth  5000
tunnel mpls traffic-eng path-option 1 explicit identifier 1
tunnel mpls traffic-eng path-option 2 dynamic
no routing dynamic
end

R1#sh ip explicit-paths
PATH 1 (strict source route, path complete, generation 6)
1: next-address 10.0.0.100
2: next-address 10.0.0.2
3: next-address 10.0.0.3
4: next-address 10.0.0.4
R1#


(I went mad over the interaction between the tunnel and the sham-link, until I realized that LDP loop detection was missing from my config! ;-) )
Note the use of Loopback10 as tunnel destination and ip unnumbered address: Loopback0 is already used on the ATM links, so the TE LSP fails if you try to use it for the tunnels too.
Let's verify that traffic is flowing through the tunnel with a traceroute from CE-R5 to the CE-R6 subnets:
CE-R5#traceroute 192.168.70.1

Type escape sequence to abort.
Tracing the route to 192.168.70.1

1 172.16.0.17 88 msec 12 msec 8 msec
2 10.0.0.3 [MPLS: Labels 28/34 Exp 0] 48 msec 32 msec 28 msec
3 10.0.0.2 [MPLS: Labels 30/34 Exp 0] 52 msec 32 msec 32 msec
4 10.0.0.100 [MPLS: Labels 32/34 Exp 0] 24 msec 32 msec 44 msec
5 172.16.0.13 [MPLS: Labels 0/34 Exp 0] 32 msec 20 msec 20 msec
6 172.16.0.14 36 msec *  40 msec
CE-R5#


5) configure traffic engineering tunnels: configure a 2 Mbps tunnel for CE-R9 <-> CE-R10 using R2-3-4-0-1-8 path
Same story as Task #4...
R8#sh run int lo 10
!
interface Loopback10
ip address 172.18.0.8 255.255.255.255
end

R8#sh run int tun 0
!
interface Tunnel0
ip unnumbered Loopback10
tunnel destination 172.18.0.2
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 5 5
tunnel mpls traffic-eng bandwidth  2000
tunnel mpls traffic-eng path-option 1 explicit identifier 1
tunnel mpls traffic-eng path-option 2 dynamic
no routing dynamic
end

R8#sh ip explicit-paths
PATH 1 (strict source route, path complete, generation 7)
1: next-address 10.0.0.100
2: next-address 10.0.0.1
3: next-address 10.0.0.4
4: next-address 10.0.0.3
5: next-address 10.0.0.2
R8#


And verify with a traceroute:
CE-R10#traceroute 192.168.30.1

Type escape sequence to abort.
Tracing the route to 192.168.30.1

1 172.16.0.1 20 msec 4 msec 8 msec
2 10.0.0.100 [MPLS: Labels 26/28 Exp 0] 68 msec 56 msec 36 msec
3 10.0.0.1 [MPLS: Labels 26/28 Exp 0] 56 msec 64 msec 36 msec
4 10.0.0.4 [MPLS: Labels 26/28 Exp 0] 68 msec 60 msec 48 msec
5 10.0.0.3 [MPLS: Labels 26/28 Exp 0] 60 msec 52 msec 56 msec
6 172.16.0.5 [MPLS: Labels 0/28 Exp 0] 52 msec 40 msec 52 msec
7 172.16.0.6 60 msec *  36 msec
CE-R10#
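As an added example (not code from either post), here is a Python checker for the IOS traceroute outputs shown in tasks 4 and 5 above and in Mpls Lab #5: it parses each hop's address and MPLS label stack, verifies that the bottom (VPN) label is the same at every labelled hop, and compares the transit hops with the explicit path configured on the head-end. It assumes what the three outputs show: the ingress PE answers as hop 1 from its VRF-facing interface without labels, and the egress PE (the second-to-last hop) also answers from its VRF-facing address, so hops 2..n-2 are matched against the explicit path minus its final entry. The sample traces are the three outputs from the posts; the explicit-path lists are taken from the corresponding configurations.

```python
import re
from dataclasses import dataclass, field

HOP_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)"                    # hop number, responder
    r"(?:\s+\[MPLS:\s+Labels?\s+([\d/]+)\s+Exp\s+\d+\])?"  # optional label stack
)

# Traceroute outputs copied from the posts (Mpls Lab #5, then tasks 4 and 5 here).
LAB5_TRACE = """\
Tracing the route to 192.168.50.1

  1 172.16.0.1 12 msec 4 msec 8 msec
  2 10.0.0.10 [MPLS: Labels 25/23 Exp 0] 28 msec 28 msec 32 msec
  3 10.0.0.6 [MPLS: Labels 21/23 Exp 0] 44 msec 24 msec 36 msec
  4 172.16.0.9 [MPLS: Label 23 Exp 0] 20 msec 32 msec 24 msec
  5 172.16.0.10 32 msec * 48 msec
"""
LAB5_PATH = ["10.0.0.10", "10.0.0.6", "10.0.0.14"]                  # explicit path R2-R3-R1-R5

TASK4_TRACE = """\
  1 172.16.0.17 88 msec 12 msec 8 msec
  2 10.0.0.3 [MPLS: Labels 28/34 Exp 0] 48 msec 32 msec 28 msec
  3 10.0.0.2 [MPLS: Labels 30/34 Exp 0] 52 msec 32 msec 32 msec
  4 10.0.0.100 [MPLS: Labels 32/34 Exp 0] 24 msec 32 msec 44 msec
  5 172.16.0.13 [MPLS: Labels 0/34 Exp 0] 32 msec 20 msec 20 msec
  6 172.16.0.14 36 msec *  40 msec
"""
TASK4_PATH = ["10.0.0.3", "10.0.0.2", "10.0.0.100", "10.0.0.1"]     # R4's PATH 1

TASK5_TRACE = """\
  1 172.16.0.1 20 msec 4 msec 8 msec
  2 10.0.0.100 [MPLS: Labels 26/28 Exp 0] 68 msec 56 msec 36 msec
  3 10.0.0.1 [MPLS: Labels 26/28 Exp 0] 56 msec 64 msec 36 msec
  4 10.0.0.4 [MPLS: Labels 26/28 Exp 0] 68 msec 60 msec 48 msec
  5 10.0.0.3 [MPLS: Labels 26/28 Exp 0] 60 msec 52 msec 56 msec
  6 172.16.0.5 [MPLS: Labels 0/28 Exp 0] 52 msec 40 msec 52 msec
  7 172.16.0.6 60 msec *  36 msec
"""
TASK5_PATH = ["10.0.0.100", "10.0.0.1", "10.0.0.4", "10.0.0.3", "10.0.0.2"]  # R8's PATH 1


@dataclass
class Hop:
    number: int
    address: str
    labels: list = field(default_factory=list)  # top label first; [] = unlabelled hop


def parse_traceroute(text):
    """Parse IOS traceroute lines into Hop objects (label 0 is IPv4 explicit-null)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            labels = [int(x) for x in m.group(3).split("/")] if m.group(3) else []
            hops.append(Hop(int(m.group(1)), m.group(2), labels))
    return hops


def check_te_path(trace_text, explicit_path):
    """Compare a CE-to-CE traceroute with the head-end's explicit path."""
    hops = parse_traceroute(trace_text)
    bottoms = {h.labels[-1] for h in hops if h.labels}
    # Hop 1 is the ingress PE answering from its VRF interface; the last two hops
    # are the egress PE (also answering from its VRF side) and the remote CE, so
    # the hops in between must match the explicit path minus the tail-end itself.
    transit = [h.address for h in hops[1:-2]]
    expected = list(explicit_path[:-1])
    return {
        "hops": len(hops),
        "vpn_label": bottoms.pop() if len(bottoms) == 1 else None,  # None: VPN label changed
        "transit": transit,
        "path_ok": transit == expected,
    }
```

All three traces pass: the VPN label is 23, 34 and 28 respectively and the transit hops follow the configured explicit path. Feeding the Lab #5 trace the other explicit path (R2-R1-R3) makes path_ok false, which is what you would see if the tunnel had fallen back to its dynamic path-option.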


CONCLUSION: it is possible to study the obsolete, deprecated LC-ATM technology with GNS3! And it will help you study for the CCIP MPLS exam ;-)