Saturday, December 25, 2010

Merry Christmas Lab

I wish you all a Merry Christmas,

When you are relaxing in the evening at the PC/rack/dynamips, you may want to try to solve my gift lab:

Topology:



Feel free to use your favorite IGP and IP addressing for all links, but here is also a list of nice tasks:

-All routers will have 3 loopback interfaces:
Lo0: 10.x.x.x/24
Lo192: 192.186.x.x/24
Lo172: 172.61.x.x/32
where x is the router number

-R1 and R4 share the same subnet, provide a redundant gateway for R2 using an appropriate protocol

-R1 and R4 are also NAT gateways using the same pool, provide a solution to ensure maximum availability allowing asymmetric traffic

-R2 and R3 are running IPv6, allow the IPv6 networks to communicate using an appropriate tunneling solution, run EIGRPv6 through the tunnel

-R5 must reach the R3 IPv6 address even though it doesn't run IPv6 at all; configure R2 to obtain this

-R2 is suffering high CPU utilization; use CoPP to limit control plane access. Allow routing protocols and other control traffic up to 100 pps, telnet and ssh up to 20 pps, and limit CEF exceptions to 15 pps.

-R5 is using OER to route traffic to R3 Lo0, using the lowest delay path

-R5 is also using IP SLA to track the Loopback0 of R2, R1 and R4; send SLA traffic every 1 sec with a size of 3000 bytes

-Finally, Loopback 192 belongs to the customer A VRF and Loopback 172 to the customer B VRF. Using NGN services, allow the customer sites to communicate. Customers also need a default route to R3 Lo0 as internet access. Using a single static route and a different VRF, provide the default to the customers

-(Optional/Bonus task) Why not run ZBF on R2?



I hope you will enjoy this Christmas lab. I will start it this evening, and if I survive, maybe I'll post some solutions (or proposals of ...)

Marco


Update 10:30 PM: my "solution"

Assuming you have already done the very basic config (no ip domain-lookup, logging sync...) and you have read ALL the tasks carefully, here is my initial config:


#R1
hostname R1

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.1.1.1 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.1.1 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.1.1 255.255.255.255
int f 0/0
ip add 10.0.124.1 255.255.255.0
no shut
int s 0/0/1
ip add 10.0.13.1 255.255.255.0
no shut



#R2
hostname R2

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.2.2.2 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.2.2 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.2.2 255.255.255.255
int f 0/0
ip add 10.0.124.2 255.255.255.0
no shut
int s 0/0/0
encap frame
no shut
no frame interface-dlci 205
no frame interface-dlci 206
int s 0/0/0.205 point
ip add 10.0.25.2 255.255.255.0
frame interface-dlci 205
int s 0/0/0.206 point
ip add 10.0.26.2 255.255.255.0
frame interface-dlci 206


#R3
hostname R3

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.3.3.3 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.3.3 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.3.3 255.255.255.255
int s 0/1/0
ip add 10.0.13.3 255.255.255.0
no shut
clock rate 128000
int s 0/2/0
ip add 10.0.34.3 255.255.255.0
no shut


#R4
hostname R4

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.4.4.4 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.4.4 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.4.4 255.255.255.255
int f 0/0
ip add 10.0.124.4 255.255.255.0
no shut
int s 0/2/1
ip add 10.0.34.4 255.255.255.0
no shut
clock rate 128000


#R5
hostname R5

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.5.5.5 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.5.5 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.5.5 255.255.255.255
int f 0/0
ip add 10.0.56.5 255.255.255.0
no shut
int s 0/0/0
encap frame
no shut
no frame interface-dlci 502
int s 0/0/0.502 point
ip add 10.0.25.5 255.255.255.0
frame interface-dlci 502


#R6
hostname R6

ip vrf A
rd 1:1
route-target both 1:1
ip vrf B
rd 2:2
route-target both 2:2
int lo 0
ip add 10.6.6.6 255.255.255.0
int lo 192
ip vrf forw A
ip add 192.186.6.6 255.255.255.0
int lo 172
ip vrf forw B
ip add 172.61.6.6 255.255.255.255
int f 0/0
ip add 10.0.56.6 255.255.255.0
no shut
int s 0/0/0
encap frame
no shut
no frame interface-dlci 602
int s 0/0/0.602 point
ip add 10.0.26.6 255.255.255.0
frame interface-dlci 602



And now, all the tasks with comments:
-All routers will have 3 loopback interfaces:
Lo0: 10.x.x.x/24
Lo192: 192.186.x.x/24
Lo172: 172.61.x.x/32
where x is the router number

Already done in the initial config; note that you need to read all the tasks first to know that the VRFs for Loopbacks 192 and 172 must be created. (Note also the IP addresses... 192.186 and 172.61 are there just to catch the common reflex of typing 192.168 and 172.16, ehehehe)

-R1 and R4 share the same subnet, provide a redundant gateway for R2 using an appropriate protocol

This is an FHRP task; we have to choose from 3 protocols: HSRP, VRRP and GLBP. Reading the next task, it should be clear that we are using stateful NAT (to allow asymmetric traffic), so HSRP is our choice, just to keep it "simple".

Here is the HSRP config:

#R1
interface FastEthernet0/0
standby 124 ip 10.0.124.254
standby 124 timers 3 6
standby 124 priority 110
standby 124 preempt
standby 124 authentication md5 key-string XMASLAB
standby 124 name HSRP
standby 124 mac-address 0000.0124.0124
standby 124 track Serial0/0/1 20

#R4
interface FastEthernet0/0
standby 124 ip 10.0.124.254
standby 124 timers 3 6
standby 124 preempt
standby 124 authentication md5 key-string XMASLAB
standby 124 name HSRP
standby 124 mac-address 0000.0124.0124
standby 124 track Serial0/2/1 20



-R1 and R4 are also NAT gateways using the same pool, provide a solution to ensure maximum availability allowing asymmetric traffic

Let's configure stateful NAT. I've added a Loopback 1 to have the same NAT pool on R1 and R4:

#R1
int s 0/0/1
ip nat outside
int f 0/0
ip nat inside
ip nat Stateful id 1
redundancy HSRP
mapping-id 1
protocol udp
interface Loopback1
description Used for NAT Stateful
ip address 10.14.14.14 255.255.255.0
ip nat pool NATPOOL 10.14.14.140 10.14.14.240 prefix-length 24
ip nat inside source route-map INSIDE-TO-NAT pool NATPOOL mapping-id 1 overload
ip access-list extended INSIDE
remark do not nat routing protocols!
deny ospf any any
deny eigrp any any
deny tcp any any eq bgp
deny udp any any eq 646
deny tcp any any eq 646
deny tcp any eq 646 any
permit ip 10.0.0.0 0.255.255.255 any
route-map INSIDE-TO-NAT permit 10
match ip address INSIDE


#R4
int s 0/2/1
ip nat outside
int f 0/0
ip nat inside
ip nat Stateful id 2
redundancy HSRP
mapping-id 1
protocol udp
interface Loopback1
description Used for NAT Stateful
ip address 10.14.14.14 255.255.255.0
ip nat pool NATPOOL 10.14.14.140 10.14.14.240 prefix-length 24
ip nat inside source route-map INSIDE-TO-NAT pool NATPOOL mapping-id 2 overload
ip access-list extended INSIDE
remark do not nat routing protocols!
deny ospf any any
deny eigrp any any
deny tcp any any eq bgp
deny udp any any eq 646
deny tcp any any eq 646
deny tcp any eq 646 any
permit ip 10.0.0.0 0.255.255.255 any
route-map INSIDE-TO-NAT permit 10
match ip address INSIDE


Shortly after the configuration, you should see messages like:

*Dec 25 13:45:35.954: %SNAT-5-PROCESS: Id 2, System starts converging
*Dec 25 13:45:39.390: %SNAT-5-PROCESS: Id 2, System fully converged
*Dec 25 13:45:41.390: %SNAT-5-PROCESS: Id 2, System starts converging
*Dec 25 13:45:41.554: %SNAT-5-PROCESS: Id 2, System fully converged

You can verify the status of SNAT with:

R1#sh ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: ACTIVE
: State READY
: Local Address 10.0.124.1
: Local NAT id 1
: Peer Address 10.0.124.4
: Peer NAT id 2
: Mapping List 1
R1#


Note that HSRP supports stateful NAT, so it's only necessary to specify the redundancy (HSRP group) name. Otherwise, you have to configure the primary and backup router for NAT manually.

Stateful NAT requires the same NAT pool on both routers; in our case I have added Loopback 1 for it.



Now it's time to configure our favorite IGP to proceed, since the lab requirements don't specify any protocol.
I chose OSPF, with two areas, using R2 as ABR: R1-2-3-4 belong to Area 1234, R2-5-6 to Area 0.0.0.0.

#R1
int lo 0
ip ospf net point-to-point
int lo 1
ip ospf net point-to-point
router ospf 1
router-id 10.1.1.1
net 10.1.1.0 0.0.0.255 a 1234
net 10.0.13.0 0.0.0.255 a 1234
net 10.0.124.0 0.0.0.255 a 1234
net 10.14.14.0 0.0.0.255 a 1234
int f 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB


#R2
int lo 0
ip ospf net point-to-point
router ospf 1
router-id 10.2.2.2
net 10.2.2.0 0.0.0.255 a 0.0.0.0
net 10.0.25.0 0.0.0.255 a 0.0.0.0
net 10.0.26.0 0.0.0.255 a 0.0.0.0
net 10.0.124.0 0.0.0.255 a 1234
int fa0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/0.205
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/0.206
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB

#R3
int lo 0
ip ospf net point-to-point
router ospf 1
router-id 10.3.3.3
net 10.3.3.0 0.0.0.255 a 1234
net 10.0.13.0 0.0.0.255 a 1234
net 10.0.34.0 0.0.0.255 a 1234
int ser 0/1/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/2/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB

#R4
int lo 0
ip ospf net point-to-point
int lo 1
ip ospf net point-to-point
router ospf 1
router-id 10.4.4.4
net 10.4.4.0 0.0.0.255 a 1234
net 10.0.34.0 0.0.0.255 a 1234
net 10.0.124.0 0.0.0.255 a 1234
net 10.14.14.0 0.0.0.255 a 1234
int f 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/2/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB

#R5
int lo 0
ip ospf net point-to-point
router ospf 1
router-id 10.5.5.5
net 10.5.5.0 0.0.0.255 a 0.0.0.0
net 10.0.25.0 0.0.0.255 a 0.0.0.0
net 10.0.56.0 0.0.0.255 a 0.0.0.0
int f 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/0.502
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB


#R6
int lo 0
ip ospf net point-to-point
router ospf 1
router-id 10.6.6.6
net 10.6.6.0 0.0.0.255 a 0.0.0.0
net 10.0.26.0 0.0.0.255 a 0.0.0.0
net 10.0.56.0 0.0.0.255 a 0.0.0.0
int f 0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB
int ser 0/0/0.602
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 XMASLAB

OK, now we have all the routing information, and we can also try our stateful NAT: telnet from R5 to R3, then shut a serial interface on R4 or R1. You will see your telnet session freeze for a moment, but after a little while (convergence time) the telnet session is still alive.


-R2 and R3 are running IPv6, allow the IPv6 networks to communicate using an appropriate tunneling solution, run EIGRPv6 through the tunnel

The only thing here is to choose the right type of tunnel; we have: IPv6IP, IPv6IP 6to4, ISATAP, GRE...
We can exclude IPv6IP 6to4 because 6to4 doesn't support any dynamic routing protocol. For our requirement any of the others will fit, but keep in mind that the tunnel traffic must not be NATted, so:


#R2
ipv6 unicast-routing
int lo 0
ipv6 add 2001:cafe:cc13:2::2/64
ipv6 eigrp 23
interface Tunnel6
no ip address
ipv6 address 2001:CAFE:CC13:23::2/64
ipv6 eigrp 23
tunnel source Loopback0
tunnel destination 10.3.3.3
tunnel mode ipv6ip
ipv6 router eigrp 23
no shut


#R3
ipv6 unicast-routing
int lo 0
ipv6 add 2001:cafe:cc13:3::3/64
ipv6 eigrp 23
interface Tunnel6
no ip address
ipv6 address 2001:CAFE:CC13:23::3/64
ipv6 eigrp 23
tunnel source Loopback0
tunnel destination 10.2.2.2
tunnel mode ipv6ip
ipv6 router eigrp 23
no shut

And let's add a deny for protocol 41 (IPv6IP) to the NAT ACL (otherwise the tunnel source/destination will be NATted and the tunnel won't come up):

#R1
ip access-list ext INSIDE
45 deny 41 any any

#R4
ip access-list ext INSIDE
45 deny 41 any any
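To see what the "45 deny 41 any any" entry actually changes, here is a small first-match evaluator for the INSIDE access list that feeds the NAT route-map on R1/R4. This is an added example, not code from the original post: IOS numbers the unnumbered entries 10, 20, 30... so the inserted sequence 45 lands before the "permit ip 10.0.0.0 0.255.255.255 any" line, and the tunnel packets (IP protocol 41 from 10.2.2.2 to 10.3.3.3) are excluded from translation. The packets are constructed, and the helper names (`Ace`, `evaluate`, `nat_decision`, `without`) are hypothetical.

```python
# Added example (not from the original post): first-match evaluation of the
# INSIDE access list used by route-map INSIDE-TO-NAT on R1/R4, including the
# protocol 41 (IPv6IP) deny inserted at sequence 45. Constructed sample packets.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
TEN = ipaddress.ip_network("10.0.0.0/8")   # "10.0.0.0 0.255.255.255" in the ACL


@dataclass
class Packet:
    proto: int            # IP protocol: 6 tcp, 17 udp, 41 ipv6ip, 88 eigrp, 89 ospf
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    seq: int
    action: str                       # "permit" or "deny"
    proto: Optional[int]              # None means "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None       # None means any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto is None or p.proto == self.proto)
            and ipaddress.ip_address(p.src) in self.src
            and ipaddress.ip_address(p.dst) in self.dst
            and (self.sport is None or p.sport == self.sport)
            and (self.dport is None or p.dport == self.dport)
        )


# The ACL as typed in the post; IOS assigns 10, 20, ... to unnumbered entries,
# so "45 deny 41 any any" sorts between the udp 646 and tcp 646 (LDP) lines.
INSIDE_ACL: List[Ace] = sorted([
    Ace(10, "deny", 89, ANY, ANY),               # deny ospf any any
    Ace(20, "deny", 88, ANY, ANY),               # deny eigrp any any
    Ace(30, "deny", 6, ANY, ANY, dport=179),     # deny tcp any any eq bgp
    Ace(40, "deny", 17, ANY, ANY, dport=646),    # deny udp any any eq 646
    Ace(45, "deny", 41, ANY, ANY),               # deny 41 any any (IPv6IP tunnel)
    Ace(50, "deny", 6, ANY, ANY, dport=646),     # deny tcp any any eq 646
    Ace(60, "deny", 6, ANY, ANY, sport=646),     # deny tcp any eq 646 any
    Ace(70, "permit", None, TEN, ANY),           # permit ip 10.0.0.0 0.255.255.255 any
], key=lambda a: a.seq)


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.seq
    return "deny", None


def nat_decision(p: Packet, acl: List[Ace] = INSIDE_ACL) -> str:
    """route-map INSIDE-TO-NAT permit 10 / match ip address INSIDE:
    only packets permitted by the ACL are handed to pool NATPOOL."""
    action, _ = evaluate(acl, p)
    return "translate" if action == "permit" else "bypass"


def without(acl: List[Ace], seq: int) -> List[Ace]:
    """The same ACL minus one entry, to show what sequence 45 buys us."""
    return [a for a in acl if a.seq != seq]


if __name__ == "__main__":
    tunnel = Packet(41, "10.2.2.2", "10.3.3.3")           # R2 Lo0 -> R3 Lo0 IPv6IP
    telnet = Packet(6, "10.5.5.5", "10.3.3.3", 40000, 23)
    print("telnet R5->R3:", nat_decision(telnet))                         # translate
    print("tunnel, with seq 45:", nat_decision(tunnel))                   # bypass
    print("tunnel, without it:", nat_decision(tunnel, without(INSIDE_ACL, 45)))  # translate
```

Without entry 45 the tunnel packet falls through to sequence 70 and is translated, which is exactly why the tunnel would not come up.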

-R5 must reach the R3 IPv6 address even though it doesn't run IPv6 at all; configure R2 to obtain this.

This is a NAT-PT task, assuming that we have to NAT R5 Lo0 and R3 Lo0:

#R2
int tun 6
ipv6 nat
int ser 0/0/0.205
ipv6 nat
int ser 0/0/0.206
ipv6 nat
ipv6 nat prefix 2001:CAFE:CC13:35::/96
ipv6 router eigrp 23
redistribute connected
ipv6 nat v6v4 source 2001:cafe:cc13:3::3 10.2.2.3
ipv6 nat v4v6 source 10.5.5.5 2001:cafe:cc13:35::5


Note that the ipv6 nat prefix must always be a /96, and it must be reachable from the other IPv6 routers, hence the redistribute connected.
The logic used to create the static NAT-PT entries is easy to remember; I usually think "my IPv6 address is seen as this IPv4" for "ipv6 nat v6v4", and vice versa, "my IPv4 address is seen as this IPv6" for "ipv6 nat v4v6".

After a successful ping (remember: source loopback, destination loopback! :-) ) from both sides you will see:

R2(config)#do sh ipv nat tra
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.5.5.5                 2001:CAFE:CC13:35::5

icmp  10.2.2.3,7               2001:CAFE:CC13:3::3,7
      10.5.5.5,7               2001:CAFE:CC13:35::5,7

icmp  10.2.2.3,8079            2001:CAFE:CC13:3::3,8079
      10.5.5.5,8079            2001:CAFE:CC13:35::5,8079

---   10.2.2.3                 2001:CAFE:CC13:3::3
      ---                      ---
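The address logic behind that translation table, as an added example (not code from the original post): the two static entries on R2 are modelled as lookup tables in both directions, and the "/96 only" rule is shown by embedding an IPv4 address in the low 32 bits of the NAT-PT prefix, which is the form an IPv4 host takes on the IPv6 side when no static v4v6 entry exists. The addresses are the lab's; the helper names (`v4_to_v6`, `v6_to_v4`, `embed_v4`, `extract_v4`) are hypothetical and are not IOS commands.

```python
# Added example (not from the original post): the address logic behind the
# static NAT-PT entries configured on R2, modelled with the ipaddress module.
import ipaddress
from typing import Dict, Tuple

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address

# ipv6 nat prefix 2001:CAFE:CC13:35::/96 : the IPv6 side's view of the IPv4 world
NATPT_PREFIX = ipaddress.ip_network("2001:cafe:cc13:35::/96")

# ipv6 nat v6v4 source 2001:cafe:cc13:3::3 10.2.2.3
#   "my IPv6 address (R3 Lo0) is seen as this IPv4 address"
V6V4: Dict[IPv6, IPv4] = {IPv6("2001:cafe:cc13:3::3"): IPv4("10.2.2.3")}

# ipv6 nat v4v6 source 10.5.5.5 2001:cafe:cc13:35::5
#   "my IPv4 address (R5 Lo0) is seen as this IPv6 address"
V4V6: Dict[IPv4, IPv6] = {IPv4("10.5.5.5"): IPv6("2001:cafe:cc13:35::5")}


def check_prefix(prefix: ipaddress.IPv6Network) -> bool:
    """NAT-PT needs exactly 96 prefix bits: the low 32 bits carry an IPv4 address."""
    if prefix.prefixlen != 96:
        raise ValueError(f"NAT-PT prefix must be a /96, got /{prefix.prefixlen}")
    return True


def embed_v4(v4: str, prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> str:
    """Prefix-embedded form of an IPv4 host on the IPv6 side (no static entry)."""
    check_prefix(prefix)
    return str(IPv6(int(prefix.network_address) | int(IPv4(v4))))


def extract_v4(v6: str, prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> str:
    """Inverse of embed_v4: the IPv4 address is the low 32 bits of the address."""
    check_prefix(prefix)
    addr = IPv6(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} is not inside the NAT-PT prefix {prefix}")
    return str(IPv4(int(addr) & 0xFFFFFFFF))


def v6_to_v4(src6: str, dst6: str) -> Tuple[str, str]:
    """Packet from the IPv6 side (the ping sourced from R3 Lo0): the source is
    rewritten through the v6v4 entry, the destination through the v4v6 entry
    in reverse, falling back to the embedded form inside the /96 prefix."""
    src4 = V6V4[IPv6(src6)]
    reverse = {v6: v4 for v4, v6 in V4V6.items()}
    dst4 = reverse.get(IPv6(dst6))
    if dst4 is None:
        dst4 = IPv4(extract_v4(dst6))
    return str(src4), str(dst4)


def v4_to_v6(src4: str, dst4: str) -> Tuple[str, str]:
    """Packet from the IPv4 side (R5 Lo0 pinging 10.2.2.3): the source is
    rewritten through the v4v6 entry, the destination through v6v4 in reverse.
    Only IPv6 hosts with a v6v4 entry are reachable from the IPv4 side."""
    src6 = V4V6.get(IPv4(src4))
    if src6 is None:
        src6 = IPv6(embed_v4(src4))
    reverse = {v4: v6 for v6, v4 in V6V4.items()}
    dst6 = reverse[IPv4(dst4)]
    return str(src6), str(dst6)


if __name__ == "__main__":
    print(v4_to_v6("10.5.5.5", "10.2.2.3"))                          # R5 -> R3
    print(v6_to_v4("2001:cafe:cc13:3::3", "2001:cafe:cc13:35::5"))   # R3 -> R5
    print(embed_v4("10.5.5.5"))                                      # 2001:cafe:cc13:35::a05:505
```

The pairs printed are exactly the source/destination columns of the "sh ipv6 nat translations" output, which is a quick way to check a static mapping before typing it in.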

-R2 is suffering high CPU utilization; use CoPP to limit control plane access. Allow routing protocols and other control traffic up to 100 pps, telnet and ssh up to 20 pps, and limit CEF exceptions to 15 pps.

So far, so good; don't forget about LDP, as per the VPN task.

#R2
ip access-list extended Management
permit tcp any any eq telnet
permit tcp any any eq 22
ip access-list extended Routing+LDP
permit ospf any any
permit tcp any any eq bgp
permit udp any any eq 646
permit tcp any any eq 646
permit tcp any eq 646 any
permit eigrp any any

class-map match-all Routing+LDP
match access-group name Routing+LDP
class-map match-all Management
match access-group name Management
policy-map CoPP
class Routing+LDP
police rate 100 pps
class Management
police rate 20 pps
policy-map CEF-EXCEPT
class class-default
police rate 15 pps

control-plane host
service-policy input CoPP
control-plane cef-exception
service-policy input CEF-EXCEPT

Note that you have to use the control-plane subinterface "host" to police the routing protocols; otherwise you can't apply a policy to cef-exception.
Also note that the cef-exception packet rate is too low: a simple ping through the IPv6/NAT-PT path will result in packet loss, and the drop counter on the control plane will increment.

e.g.:

R3(config-if)#do ping 2001:cafe:cc13:35::5 source lo 0 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2001:CAFE:CC13:35::5, timeout is 2 seconds:
Packet sent with a source address of 2001:CAFE:CC13:3::3
!!!!.!!!!!!.!!!!!!.!!!!!!!.!!!!!.!!!!.!!!!!!!.!!!!!!!.!!!!!!!.!!!!!!!.
!!!!!!!.!!!!!!!.!!!!.!!!!!!!.!
Success rate is 86 percent (86/100), round-trip min/avg/max = 44/44/60 ms
R3(config-if)#

On R2 we see:

R2#sh control-plane counters
Feature Path               Packets processed/dropped/errors
  Aggregate                 352299/0/0
  Host                      250522/0/0
  Transit                   2914/0/0
  Cef-exception             98863/173/0
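Why a 15 pps limit on cef-exception loses part of a ping is easier to see with a packets-per-second token bucket, so here is one run over R2's three CoPP classes. This is an added example, not code from the original post or from IOS: the packet stream is constructed (OSPF hellos, a telnet burst, ICMP to the router, and NAT-PT ping replies punted to the cef-exception path at twice the policed rate), the bucket depth of 2 packets is an assumption rather than the IOS default, and the helper names are hypothetical. It does not reproduce the exact 86/100 result above; it shows the mechanism.

```python
# Added example (not from the original post): a packets-per-second token bucket
# applied to the CoPP classes configured on R2, fed with constructed traffic.
# The burst (bucket depth) is an assumption, not the IOS default for pps policing.
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, List, Optional


@dataclass
class Packet:
    t: Fraction            # arrival time in seconds (exact arithmetic, reproducible)
    path: str              # control-plane sub-interface: "host" or "cef-exception"
    proto: int = 1         # 1 icmp, 6 tcp, 17 udp, 88 eigrp, 89 ospf
    sport: int = 0
    dport: int = 0


@dataclass
class Policer:
    rate_pps: int
    burst: int = 2         # bucket depth in packets (assumption)
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.burst)

    def conform(self, t: Fraction) -> bool:
        """Refill at rate_pps since the previous packet, then try to spend one token."""
        self.tokens = min(Fraction(self.burst), self.tokens + (t - self.last) * self.rate_pps)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify(p: Packet) -> str:
    """Mirror of R2's class-maps; returns '<control-plane path>/<class>'."""
    if p.path == "cef-exception":
        return "cef-exception/class-default"            # policy-map CEF-EXCEPT
    routing = (p.proto in (88, 89)                      # eigrp, ospf
               or (p.proto == 6 and p.dport == 179)     # bgp
               or (p.proto in (6, 17) and p.dport == 646)
               or (p.proto == 6 and p.sport == 646))    # ldp
    if routing:
        return "host/Routing+LDP"
    if p.proto == 6 and p.dport in (22, 23):
        return "host/Management"
    return "host/class-default"                         # no police action in CoPP


def run_copp(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Police every packet with its class's bucket; return per-class counters."""
    policers: Dict[str, Optional[Policer]] = {
        "host/Routing+LDP": Policer(100),
        "host/Management": Policer(20),
        "host/class-default": None,                     # unpoliced
        "cef-exception/class-default": Policer(15),
    }
    counters = {name: {"conformed": 0, "dropped": 0} for name in policers}
    for p in sorted(packets, key=lambda x: x.t):
        cls = classify(p)
        pol = policers[cls]
        ok = True if pol is None else pol.conform(p.t)
        counters[cls]["conformed" if ok else "dropped"] += 1
    return counters


def stream(path: str, pps: int, seconds: int, **fields) -> List[Packet]:
    """Evenly spaced packets at `pps` for `seconds` seconds (constructed input)."""
    return [Packet(Fraction(i, pps), path, **fields) for i in range(pps * seconds)]


def sample_stream() -> List[Packet]:
    """OSPF hellos at 10 pps, a 40 pps telnet burst, ICMP to the router at 5 pps,
    and NAT-PT ping replies punted to cef-exception at 30 pps for 3 seconds."""
    return (stream("host", 10, 3, proto=89)
            + stream("host", 40, 1, proto=6, sport=40000, dport=23)
            + stream("host", 5, 1, proto=1)
            + stream("cef-exception", 30, 3, proto=1))


if __name__ == "__main__":
    for cls, c in run_copp(sample_stream()).items():
        print(f"{cls:30} conformed={c['conformed']:4} dropped={c['dropped']:4}")
```

With the punted stream arriving at twice the policed rate, the bucket settles into dropping every second packet, which is the pattern of dots in the ping above; raising the cef-exception rate, or sizing it from the real punt rate seen in "sh control-plane counters", is the fix.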

-R5 is using OER to route traffic to R3 Lo0, using the lowest delay path

This is an OER master/border config on a single router; the next task has the objective of introducing delay to influence the OER decision...
Well, OER isn't my favorite subject; I did several labs on it, but unsuccessfully most of the time, and today is no exception :-)
Here is my configuration; every suggestion is welcome as usual:

R5#sh run | s oer
oer master
policy-rules MyOerMap
!
border 10.5.5.5 key-chain OER
interface Null0 internal
interface Serial0/0/0.502 external
interface FastEthernet0/0 external
oer border
local Loopback0
master 10.5.5.5 key-chain OER
oer-map MyOerMap 10
match traffic-class prefix-list R3-Lo0
set periodic 90
set mode select-exit best
set backoff 90 90
set holddown 90
set delay threshold 1000
set mode route control
set unreachable relative 250
set active-probe tcp-conn 10.3.3.3 target-port 23
set probe frequency 4
set probe packets 5
R5#sh ip prefix
ip prefix-list R3-Lo0: 1 entries
seq 5 permit 10.3.3.0/24
R5#

With this config my monitored prefix was suddenly stuck in the OutOfPolicy state...

R5#sh oer master prefix
OER Prefix Statistics:
Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
P - Percentage below threshold, Jit - Jitter (ms),
MOS - Mean Opinion Score
Los - Packet Loss (packets-per-million), Un - Unreachable (flows-per-million),
E - Egress, I - Ingress, Bw - Bandwidth (kbps), N - Not applicable
U - unknown, * - uncontrolled, + - control more specific, @ - active probe all
# - Prefix monitor mode is Special, & - Blackholed Prefix
% - Force Next-Hop, ^ - Prefix is denied

Prefix                  State     Time Curr BR         CurrI/F         Protocol
                      PasSDly  PasLDly  PasSUn  PasLUn PasSLos PasLLos
                      ActSDly  ActLDly  ActSUn  ActLUn     EBw     IBw
                      ActSJit  ActPMOS  ActSLos ActLLos
--------------------------------------------------------------------------------
10.3.3.0/24             OOPOLICY   77 10.5.5.5         Se0/0/0.502     RIB-PBR
                            U        U       0       0       0       0
                           28      125       0       0       0       0
                            N        N
R5#



-R5 is also using IP SLA to track the Loopback0 of R2, R1 and R4; send SLA traffic every 1 sec with a size of 3000 bytes

Here I used a group schedule:

R5# sh run | s ip sla
ip sla 1
icmp-echo 10.2.2.2
request-data-size 3000
timeout 1000
threshold 1000
frequency 3
ip sla 2
icmp-echo 10.1.1.1
request-data-size 3000
timeout 1000
threshold 1000
frequency 3
ip sla 3
icmp-echo 10.4.4.4
request-data-size 3000
timeout 1000
threshold 1000
frequency 3
ip sla group schedule 1 1-3 schedule-period 1 frequency range 1-5 start-time now life forever

-Finally, Loopback 192 belongs to the customer A VRF and Loopback 172 to the customer B VRF. Using NGN services, allow the customer sites to communicate. Customers also need a default route to R3 Lo0 as internet access. Using a single static route and a different VRF, provide the default to the customers

Yep, here an MPLS configuration is required, so let's start by enabling LDP and BGP on all routers. The VRFs are ready from the initial config; we must only redistribute connected in every VRF, since there's no CE-PE protocol.

#R1
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 1000 1999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/0/1
mpls ip

#R2
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 2000 2999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/0/0.205
mpls ip
int s 0/0/0.206
mpls ip


#R3
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 3000 3999
mpls ldp explicit-null
mpls ip
int s 0/1/0
mpls ip
int s 0/2/0
mpls ip


#R4
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 4000 4999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/2/1
mpls ip


#R5
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 5000 5999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/0/0.502
mpls ip


#R6
mpls ldp router-id lo 0 for
mpls label proto ldp
mpls label range 6000 6999
mpls ldp explicit-null
mpls ip
int f 0/0
mpls ip
int s 0/0/0.602
mpls ip


Note that stateful NAT uses the same IP address on R1 and R4 (Loopback 1), so LDP sees the same prefix from two different neighbors and logs something like:

*Dec 25 20:49:40.261: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.14.14.14 advertised by peer 10.4.4.4:0 is already bound to 10.1.1.1:0

Now the BGP configuration:

#R1
R1(config-router)#do sh run | s bgp
router bgp 100
bgp router-id 10.1.1.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.13.3 remote-as 300
neighbor 10.0.124.2 remote-as 200
neighbor 10.0.124.4 remote-as 400
!
address-family vpnv4
neighbor 10.0.13.3 activate
neighbor 10.0.13.3 send-community both
neighbor 10.0.124.2 activate
neighbor 10.0.124.2 send-community both
neighbor 10.0.124.4 activate
neighbor 10.0.124.4 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R2
R2(config-router-af)#do sh run | s bgp
router bgp 200
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.25.5 remote-as 500
neighbor 10.0.26.6 remote-as 600
neighbor 10.0.124.1 remote-as 100
neighbor 10.0.124.4 remote-as 400
!
address-family vpnv4
neighbor 10.0.25.5 activate
neighbor 10.0.25.5 send-community both
neighbor 10.0.26.6 activate
neighbor 10.0.26.6 send-community both
neighbor 10.0.124.1 activate
neighbor 10.0.124.1 send-community both
neighbor 10.0.124.4 activate
neighbor 10.0.124.4 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R3
R3(config-router-af)#do sh run | s bgp
router bgp 300
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.13.1 remote-as 100
neighbor 10.0.34.4 remote-as 400
!
address-family vpnv4
neighbor 10.0.13.1 activate
neighbor 10.0.13.1 send-community both
neighbor 10.0.34.4 activate
neighbor 10.0.34.4 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R4
R4(config-router)#do sh run | s bgp
router bgp 400
bgp router-id 10.4.4.4
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.34.3 remote-as 300
neighbor 10.0.124.1 remote-as 100
neighbor 10.0.124.2 remote-as 200
!
address-family vpnv4
neighbor 10.0.34.3 activate
neighbor 10.0.34.3 send-community both
neighbor 10.0.124.1 activate
neighbor 10.0.124.1 send-community both
neighbor 10.0.124.2 activate
neighbor 10.0.124.2 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R5
R5(config-router-af)#do sh run | s bgp
router bgp 500
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.25.2 remote-as 200
neighbor 10.0.56.6 remote-as 600
!
address-family vpnv4
neighbor 10.0.25.2 activate
neighbor 10.0.25.2 send-community both
neighbor 10.0.56.6 activate
neighbor 10.0.56.6 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

#R6
R6(config-router-af)#do sh run | s bgp
router bgp 600
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.26.2 remote-as 200
neighbor 10.0.56.5 remote-as 500
!
address-family vpnv4
neighbor 10.0.26.2 activate
neighbor 10.0.26.2 send-community both
neighbor 10.0.56.5 activate
neighbor 10.0.56.5 send-community both
exit-address-family
!
address-family ipv4 vrf B
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family

On R1 and R4 I have to set the BGP router-id manually; otherwise they would always take the same router-id, due to the stateful NAT configuration.

Now all customers see their respective routes, so it's time to give "internet" to our customers through a default route. The task mentions a single static route on R3 and a different VRF, so:

#R3
ip vrf INTERNET
rd 3:3
route-target export 3:3
route-target import 3:3
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Null0

router bgp 300
address-family ipv4 vrf INTERNET
redistribute static
default-information originate
no synchronization
exit-address-family

Then, on all routers:

ip vrf A
route-target import 3:3
ip vrf B
route-target import 3:3

Let us check:

R6(config-vrf)#do sh ip route vrf A | beg Gate
Gateway of last resort is 10.0.26.2 to network 0.0.0.0

B 192.186.4.0/24 [20/0] via 10.0.26.2, 00:18:07
B 192.186.5.0/24 [20/0] via 10.0.56.5, 00:20:30
C 192.186.6.0/24 is directly connected, Loopback192
B 192.186.1.0/24 [20/0] via 10.0.26.2, 00:17:36
B 192.186.2.0/24 [20/0] via 10.0.26.2, 00:20:30
B 192.186.3.0/24 [20/0] via 10.0.26.2, 00:18:07
B* 0.0.0.0/0 [20/0] via 10.0.26.2, 00:00:28
R6(config-vrf)#do sh ip route vrf B | beg Gate
Gateway of last resort is 10.0.26.2 to network 0.0.0.0

172.61.0.0/32 is subnetted, 6 subnets
C 172.61.6.6 is directly connected, Loopback172
B 172.61.5.5 [20/0] via 10.0.56.5, 00:20:33
B 172.61.4.4 [20/0] via 10.0.26.2, 00:18:10
B 172.61.3.3 [20/0] via 10.0.26.2, 00:18:10
B 172.61.2.2 [20/0] via 10.0.26.2, 00:20:33
B 172.61.1.1 [20/0] via 10.0.26.2, 00:17:39
B* 0.0.0.0/0 [20/0] via 10.0.26.2, 00:00:31
R6(config-vrf)#
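The reason this works with a single "route-target import 3:3" on A and B, and why the INTERNET VRF must not be given "route-target both" on the customer side, comes down to route-target matching. Here is a small model of it, as an added example that is not code from the original post: each VRF exports its prefixes tagged with its export RTs, and installs every VPNv4 route carrying at least one of its import RTs. The prefixes are the lab's loopbacks, and the helper names (`build_tables`, `lab_config`, `leaky_config`, `isolation_ok`) are hypothetical. The second configuration goes beyond the post to show the leak you get if customer A is given "route-target both 3:3" by mistake.

```python
# Added example (not from the original post): a model of route-target import/
# export deciding which VRF tables receive which VPNv4 routes in the last task.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

VpnRoute = Tuple[str, str, FrozenSet[str]]     # (RD, prefix, route-targets)


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]


def export_routes(vrf: Vrf, prefixes: List[str]) -> List[VpnRoute]:
    """Every prefix redistributed into the VRF address-family becomes a VPNv4
    route tagged with the VRF's export route-targets."""
    return [(vrf.rd, p, frozenset(vrf.export_rt)) for p in prefixes]


def import_table(vrf: Vrf, vpnv4: List[VpnRoute]) -> List[str]:
    """A VRF installs every VPNv4 route carrying at least one of its import RTs."""
    return sorted({p for _rd, p, rts in vpnv4 if rts & vrf.import_rt})


def build_tables(vrf_a: Vrf, vrf_b: Vrf, vrf_inet: Vrf) -> Dict[str, List[str]]:
    cust_a = [f"192.186.{x}.0/24" for x in range(1, 7)]    # Loopback192 on R1..R6
    cust_b = [f"172.61.{x}.{x}/32" for x in range(1, 7)]   # Loopback172 on R1..R6
    vpnv4 = (export_routes(vrf_a, cust_a) + export_routes(vrf_b, cust_b)
             + export_routes(vrf_inet, ["0.0.0.0/0"]))     # ip route vrf INTERNET 0/0 Null0
    return {v.name: import_table(v, vpnv4) for v in (vrf_a, vrf_b, vrf_inet)}


def lab_config() -> Dict[str, List[str]]:
    """As configured in the post: 'route-target both 1:1' / 'both 2:2' plus
    'route-target import 3:3' on A and B; INTERNET exports and imports 3:3."""
    return build_tables(Vrf("A", "1:1", {"1:1"}, {"1:1", "3:3"}),
                        Vrf("B", "2:2", {"2:2"}, {"2:2", "3:3"}),
                        Vrf("INTERNET", "3:3", {"3:3"}, {"3:3"}))


def leaky_config() -> Dict[str, List[str]]:
    """The common mistake: 'route-target both 3:3' on customer A instead of import."""
    return build_tables(Vrf("A", "1:1", {"1:1", "3:3"}, {"1:1", "3:3"}),
                        Vrf("B", "2:2", {"2:2"}, {"2:2", "3:3"}),
                        Vrf("INTERNET", "3:3", {"3:3"}, {"3:3"}))


def isolation_ok(tables: Dict[str, List[str]]) -> bool:
    """Customer A must not see B's prefixes and vice versa, and the shared
    INTERNET VRF must hold nothing but the default route."""
    a_leaks = any(p.startswith("172.61.") for p in tables["A"])
    b_leaks = any(p.startswith("192.186.") for p in tables["B"])
    return not a_leaks and not b_leaks and tables["INTERNET"] == ["0.0.0.0/0"]


if __name__ == "__main__":
    for name, routes in lab_config().items():
        print(name, routes)
    print("lab isolation:", isolation_ok(lab_config()))       # True
    print("leaky isolation:", isolation_ok(leaky_config()))   # False
```

In the leaky variant A's loopbacks end up in the INTERNET table and, through INTERNET's shared RT, in customer B's table as well: the one-way import is what keeps the shared-service VRF from becoming a bridge between customers.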



-(Optional/Bonus task) Why not run ZBF on R2?

How many points for this one? :-D

Marco
