Jul
27

Time is a valuable resource in the lab. In a lab task, if asked to configure a policy-map named "BOB", it doesn't get the same point value if we happen to accidentally name it "bob", especially if they are looking to see if you configured what they asked for.

The challenge is that when we review a lab task and discover that we need to change a name, it can be a hassle: we need to remove the policy-map, recreate it, and then put it in place again.

So if you are down to the last minute, here is a time-saving solution that can assist with that process.

IOS allows us to rename a policy-map, and the IOS will swap out the name in other areas of the configuration that reference that policy map.

Here is an example of a policy map from Volume 2, lab 5.

Rack1R5#show run policy-map
Building configuration...

Current configuration : 352 bytes
!
policy-map TRANSIT_RATE_LIMIT
class FRAGMENTS
police rate 1000000 pps burst 200000 packets
policy-map type port-filter HOST_PORT_FILTER
class CLOSED_PORTS
drop
policy-map CEF_EXCEPTION_RATE_LIMIT
class class-default
police rate 100 pps burst 20 packets
policy-map HOST_RATE_LIMIT
class ICMP
police rate 10 pps burst 5 packets
!
end

Rack1R5#show run | begin control
control-plane host
service-policy input HOST_RATE_LIMIT
service-policy type port-filter input HOST_PORT_FILTER
!
control-plane transit
service-policy input TRANSIT_RATE_LIMIT
!
control-plane cef-exception
service-policy input CEF_EXCEPTION_RATE_LIMIT

Let's say that after reviewing our configuration, we discovered that the policy-map for the cef-exception subinterface of the control plane should have been named "NEW-NAME-CEF".

To change it everywhere in the configuration, instead of creating it new, and replacing it, we could simply do this:

Rack1R5(config)#policy-map CEF_EXCEPTION_RATE_LIMIT
Rack1R5(config-pmap)#rename NEW-NAME-CEF

Now, when we look at the configuration, we can see that not only the name has changed for the policy-map, but it also updated our control-plane configuration to reflect the new name there as well:

Rack1R5#show run policy-map
Building configuration...

Current configuration : 340 bytes
!
policy-map TRANSIT_RATE_LIMIT
class FRAGMENTS
police rate 1000000 pps burst 200000 packets
policy-map type port-filter HOST_PORT_FILTER
class CLOSED_PORTS
drop
policy-map NEW-NAME-CEF
class class-default
police rate 100 pps burst 20 packets
policy-map HOST_RATE_LIMIT
class ICMP
police rate 10 pps burst 5 packets
!
end

Rack1R5#show run | begin control
control-plane host
service-policy input HOST_RATE_LIMIT
service-policy type port-filter input HOST_PORT_FILTER
!
control-plane transit
service-policy input TRANSIT_RATE_LIMIT
!
control-plane cef-exception
service-policy input NEW-NAME-CEF
!
!
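When the name is changed by hand instead (remove, recreate, reapply), a reference can be left pointing at the old name or at the wrong case. The following added example, which is not part of the original post, checks a candidate configuration text offline for both mistakes; the function name and the sample text (the post's policy-maps with two errors deliberately introduced) are constructed for illustration.

```python
import re

# Constructed candidate config: the post's policy-maps after the rename, plus two
# deliberate mistakes of the kind the post describes (wrong case, stale old name).
CANDIDATE_CONFIG = """\
policy-map TRANSIT_RATE_LIMIT
 class FRAGMENTS
  police rate 1000000 pps burst 200000 packets
policy-map type port-filter HOST_PORT_FILTER
 class CLOSED_PORTS
  drop
policy-map NEW-NAME-CEF
 class class-default
  police rate 100 pps burst 20 packets
policy-map HOST_RATE_LIMIT
 class ICMP
  police rate 10 pps burst 5 packets
!
control-plane host
 service-policy input host_rate_limit
 service-policy type port-filter input HOST_PORT_FILTER
!
control-plane transit
 service-policy input TRANSIT_RATE_LIMIT
!
control-plane cef-exception
 service-policy input CEF_EXCEPTION_RATE_LIMIT
"""

# "policy-map [type <type>] <NAME>" at the top level of the config.
DEFINE_RE = re.compile(r"^policy-map\s+(?:type\s+(\S+)\s+)?(\S+)\s*$")
# "service-policy [type <type>] {input|output} <NAME>" under an attach point.
# A nested "service-policy <NAME>" inside a class has no direction and is not tracked.
APPLY_RE = re.compile(
    r"^\s*service-policy\s+(?:type\s+(\S+)\s+)?(input|output)\s+(\S+)\s*$")
ATTACH_POINTS = ("control-plane", "interface ")


def audit_policy_references(config_text):
    """Return (findings, unused) for the policy-map names in a config text.

    findings: (attach point, applied name, reason) for every service-policy
              whose name has no exactly matching policy-map of the same type.
    unused:   names of policy-maps that are defined but never applied.
    """
    defined = set()    # {(type, name)}
    applied = []       # [(attach point, type, name)]
    attach_point = None
    for line in config_text.splitlines():
        if line.startswith(ATTACH_POINTS):
            attach_point = line.strip()
            continue
        m = DEFINE_RE.match(line)
        if m:
            defined.add((m.group(1) or "default", m.group(2)))
            continue
        m = APPLY_RE.match(line)
        if m:
            applied.append((attach_point, m.group(1) or "default", m.group(3)))

    findings = []
    for attach_point, ptype, name in applied:
        if (ptype, name) in defined:
            continue
        # Same spelling, different case: the "BOB" versus "bob" mistake.
        near = sorted(n for t, n in defined
                      if t == ptype and n.lower() == name.lower())
        reason = f"case differs from {near[0]}" if near else "no such policy-map"
        findings.append((attach_point, name, reason))

    used = {(t, n) for _, t, n in applied}
    unused = sorted(n for t, n in defined if (t, n) not in used)
    return findings, unused


if __name__ == "__main__":
    findings, unused = audit_policy_references(CANDIDATE_CONFIG)
    for attach_point, name, reason in findings:
        print(f"{attach_point}: service-policy {name}: {reason}")
    print("defined but not applied:", ", ".join(unused))
```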

Best wishes on your studies, and may your policy-maps be named correctly the first time around. :)

 

Jul
19

The author and poet Maya Angelou said "Words mean more than what is set down on paper. It takes the human voice to infuse them with deeper meaning." Well, that is certainly what we have attempted to do with the CCIE Voice Deep Dive self-paced Class on Demand series - that is, to bring the human instructional voice element to infuse deeper meaning to what is already fantastic Cisco Documentation. Anyone that has set out and determined to undertake the task of studying for and ultimately passing any CCIE Lab exam knows that at some point during your studies, the words on paper (Cisco Docs, RFCs, books) - while an absolutely phenomenal source of information - can at times seem to lose their impact. Perhaps you have been studying too long, read one too many docs, have the time pressure of your family and friends waiting for you to return to be a part of their life, or perhaps you are just starting out on your adventure and don't know where to begin. Whatever stage you are at or whatever the case may be, it is certainly helpful to have a tutor and mentor there beside you at times, assisting you in understanding what each complex technology's documentation is trying to teach you, in possibly a deeper and more insightful way than you can manage on your own.

Wait no longer for such help to arrive! INE is happy to announce that each Live-Online Deep Dive course that we have taught has been recorded, and you have the ability to access these extensive repositories of knowledge at any time.

Here are a couple of great demos of just a portion of the latest Deep Dive session we held on Globalization & Localization in order to whet your appetite:

Demo 1: Globalization Prezi - Theory and Reasons

Demo 2: Inbound Calling Party Localization

For each complex topic we have held -- or will soon hold (listings to follow below) -- a separate online class where we dive down deep and explore all the concepts, practical application and troubleshooting associated with each technology topic. We then allow you to purchase each module individually (if you like) so that you can either try small sections of the product, or so that those who only need to plug in small gaps of knowledge can do so at a very deep, intense level - either one without committing to purchase the entire product series.

The general format for each Class-on-Demand Deep Dive module spends between 4-7 hours on the given topic for that day, and during that time follows this outlined training methodology:

  • Collectively discuss and teach all concepts involved in the technology
  • Whiteboard concepts to further deepen every participant's understanding
  • Define a specific set of tasks to be accomplished
  • Demonstrate how the tasks and concepts are implemented and properly configured
  • Test the configuration thoroughly
  • Vary the configuration to understand how different permutations affect the outcome
  • Debug and trace the working configuration to understand what should be seen
  • Break the configuration and troubleshoot with debugs and traces to contrast from the working set

Thus far, we have held 10 online sessions - each with a median recorded runtime of 6 hours. We have almost 60 hours of Class on Demand content, and we've only just begun! We conservatively estimate that by the time we complete our more than 30 planned modules, we will have over 200 hours of Deep Dive recordings.

Below is a detailed index from the 10 currently available sessions:

Module 1 :: Network Infrastructure with LAN Quality of Service

  • Catalyst 3560/3750 Classification and Marking
  • Catalyst 3560/3750 Conditional Trust
  • Catalyst 3560/3750 Ingress Interface Mapping
  • Catalyst 3560/3750 Ingress Interface Queuing
  • Catalyst 3560/3750 Ingress Interface Expedite Queue
  • Catalyst 3560/3750 L2 CoS to L3 DSCP Mapping
  • Catalyst 3560/3750 Egress Interface Mapping
  • Catalyst 3560/3750 Egress Interface Queuing
  • Catalyst 3560/3750 Interface Queue Memory Allocation
  • Catalyst 3560/3750 Egress Queue-Set Templates
  • Catalyst 3560/3750 Weighted Tail Drop (WTD) Buffer Allocation
  • Catalyst 3560/3750 Egress Interface Expedite Queue
  • Catalyst 3560/3750 Egress Interface Sharing
  • Catalyst 3560/3750 Egress Interface Shaping
  • Catalyst 3560/3750 Scavenger Traffic Policing

Module 02 :: CUOS GUI and CLI Admin

  • CUCM WebUI: Service Activation and Stop/Start/Reset
  • CUCM WebUI: Bulk Administration Tool (Import/Export, Phone Reports, etc)
  • CUCM WebUI: DB Replication Status
  • CUCM WebUI: Trace Files
  • CUOS CLI: TFTP Files Management
  • CUOS CLI: Status and Hostname
  • CUOS CLI: DB Replication Assurance
  • CUOS CLI: DB Replication Repair and Cluster Reset
  • CUOS CLI: Trace Files
  • CUOS CLI: RIS DB Search
  • CUOS CLI: Performance Monitor (PerfMon)
  • RTMT: Trace Files
  • RTMT: Performance Monitor (PerfMon)

Module 03 :: CUCM System and Phone - SCCP and SIP Fundamentals

  • CUCM Services
  • UC Servers and Groups
  • Date/Time with NTP Reference
  • Regions and Codecs
  • Location-Based Call Admission Control
  • SRST References
  • Device Pools
  • System Parameters
  • Enterprise Parameters
  • Phone Button Templates
  • Softkey Templates
  • SCCP Phone Basics
  • SIP Phone Basics

Module 04 :: Users, Credentials, Multi-Level Roles and LDAP Internetworking

  • CUCM User Credentials and Policies
  • LDAP Synchronization for CUCM and Unity Connection
  • LDAP Authentication for CUCM and Unity Connection
  • CUCM End Users
  • CUCM User Roles
  • CUCM Multi-Level Administration
  • CUCM Device/Phone/Line User Association
  • UCCX and CUP Basic Users

Module 05 :: Call Features - In-Depth

  • SCCP and SIP Phone Display
  • Phone Firmware
  • Phone Logging
  • Ring Settings
  • Basic and Advanced Call Forwarding Display
  • Auto-Answer Options
  • CallBack (Camp-On)
  • Intercom
  • Advanced Call Hold Options
  • Call Park
  • Directed Call Park
  • Advanced Call Park Settings
  • Call Pickup
  • Group Call Pickup
  • Other Call Pickup
  • Directed Call Pickup
  • Call Pickup Attributes
  • Shared Line
  • Barge and cBarge (Conference Barge)
  • Privacy
  • Built-In IP Phone Bridge

Module 06 :: Media Resources - MTPs, Conf Bridges, Annunciator and Music on Hold

  • IOS Software MTP
  • IOS Conference Bridge
  • IOS Transcoding
  • Media Preference and Redundancy
  • Meet-Me Conferencing
  • Ad-Hoc Conferencing
  • Annunciator
  • Unicast Music on Hold
  • Traditional Multicast Music on Hold
  • Alternate Multicast Music on Hold

Module 07 :: Expert Gateways & Trunks

  • ISDN Switch Types and Advanced CNAM options
  • ISDN Information Elements
  • SIP Trunks - Fundamental and Advanced Options
  • H.323 Gateways - Fundamental and Advanced Options
  • MGCP Gateways - Fundamental and Advanced Options

Module 08 :: Expert H.323 Gatekeeper

  • Provisioning IOS H.323 Gatekeeper
  • Registering CUCM with H.323 Gatekeeper
  • Registering CUCME with H.323 Gatekeeper
  • Routing Calls from CUCME to CUCM via Gatekeeper in Multiple Zones with Dynamic E.164 Aliases
  • Routing Calls from CUCM to CUCME via Gatekeeper in Multiple Zones with Multiple Tech Prefixes
  • Routing Calls from CUCME to CUCM via Gatekeeper in Multiple Zones with Multiple Tech Prefixes
  • Routing Calls from CUCME to CUCM via Gatekeeper in Multiple Zones with Static E.164 Aliases
  • Routing Calls from CUCM to CUCME and Back via Gatekeeper in One Zone with One Tech Prefix
  • Gatekeeper Call Admission Control
  • Routing Calls from CUCM to CUCME and Back via Alternate Gatekeeper Clustering in Multiple Zones with Multiple Tech Prefixes using GUP

Module 09 :: Dial Plan - Line Device Approach and the Not-So-Basic Fundamentals

  • Class of Service: Calling Search Spaces and Partitions
  • Gateways, Route Groups, Local Route Groups/Device Pools
  • Route Lists and Standard Local Route Groups
  • Route Patterns and Translation Patterns
  • Digit Manipulation: Calling & Called Party Transformations and IOS Dial Peers
  • Private Line Automatic Ringdown (PLAR)

Module 10 :: Dial Plan - Globalization & Localization of both the Calling and the Called Numbers, and with Mapping the Global Number to the Local Variant

  • Inbound PSTN Calls (Ingress from PSTN, Egress to Phones): Calling Party Globalization :: GW Incoming Calling Party Settings
  • Inbound PSTN Calls (Ingress from PSTN, Egress to Phones): Calling Party Localization :: Phone Calling Party Transformations
  • Outbound PSTN Calls (Ingress from Phones, Egress to PSTN): Called Party Globalization :: PSTN Patterns - a.k.a. "Translation Patterns are the *New* Route Patterns"
  • Outbound PSTN Calls (Ingress from Phones, Egress to PSTN): Called Party Localization :: Digit Manipulation: Calling & Called Party Transformations and IOS Voice Translation Rules & Dial Peers
  • Mapping the Global Number to the Local Variant :: + Dialing and One-Button Missed Call DialBack

So stay tuned to this blog as we will shortly post the upcoming modules soon to be held online and recorded.

Apr
16

Thank you to all those who have submitted questions and comments to our blog.  We will be taking time each week to post answers to your questions and to post some of these comments.  If you have a question for one of our CCIE Instructors please email them to blog@ine.com.

Question #1

Can anyone please advise what is the recommended laptop hardware configuration for CCIE R&S Lab prep? I have read many blogs, posts and advice but am unable to figure out the appropriate answer. While advising, please consider that GNS3 is the only option I have.
Many thanks in advance,
Asif Irfan

If you are looking for appropriate hardware to run the complete IEWB-RS topology (6 routers, 4 switches, 3 backbone routers), then your minimum would be a Core 2 Duo 2.5 GHz with 2 GB of RAM. That's the bare minimum, and you should look toward expanding memory to at least 3-4 GB to have more room for other applications (if you have any). The largest benefit of this solution is its low cost, as Core 2 Duo processors are now "past generation". If you could, you may get two Core 2 Duo laptops, each with 2 GB of RAM, and run Dynamips on both systems in distributed fashion. This is still a budget solution.

If you are not restricted by your budget, look for quad-core processors, such as the i7, and a memory base of at least 4 GB. This is enough to run the whole IEWB-RS topology, provided that you are using optimal IdlePC values.

Here are some hints to improve Dynamips performance (aside from tuning IdlePC):

1) Shut down all currently unused routers, e.g. backbones, if you are working through IGP. Only bring them up for testing temporarily.
2) When you're done with layer 2 scenarios, reconfigure your switches in a hub-and-spoke topology (star), say with SW1 being the center switch. After this, disable STP for all VLANs. This will save you a lot of CPU cycles "wasted" on Spanning-Tree processing.
3) Like I said before, try using distributed systems, running Dynamips on multiple "less powerful" laptops.

Answered by: Petr Lapukhov CCIE #16379

Question #2

Hi,
I would like to know the difference between maximum-path ibgp and maximum-path ibgp import command under an address-family.
Thanks
naman

Hello Naman.

Both commands are used for equal or unequal cost load sharing for iBGP sessions.

The import keyword is used when you are configuring the command under a VRF. Here are examples of usage from the Cisco Command Reference.

The following example configuration installs three parallel iBGP paths in a non-MPLS topology:
Router(config)# router bgp 100
Router(config-router)# maximum-paths ibgp 3

The following example configuration installs two parallel routes in the VRF table:
Router(config)# router bgp 100
Router(config-router)# address-family ipv4 vrf vrf-B
Router(config-router-af)# maximum-paths ibgp 2 import 2
Router(config-router-af)# end

Thanks so much for using blog.ine.com!

Question #3

Dear Valuable Technical Teachers and Friends,

First of all, I wish and thank you for your great support to those who are
all preparing Network studies. I completed my CCNA two years back. Now I am
preparing for the next step. At this point, I have a bit of confusion in deciding
whether I can do CCNP or CCIE (R&S). I would like to reach a top level in
Cisco Networking technology. So I am requesting your suggestions, which is best
for me.

Also can you suggest any good simulators to improve my practical skills.

--
Thanks,
K.Saleem Jaffer

Thanks for the question. Having the CCIE certification makes for an excellent stepping stone in a technical career. An important aspect of successfully passing the CCIE lab exam is a very solid understanding of all the technologies involved. A great way to prepare for this is through the CCNP level of studies. If a person chooses that path, they would do well to take time to learn the technologies while studying CCNP, and not have the feeling of just learning enough to pass a CCNP written exam. By truly learning the core technologies in CCNP, it will serve as a springboard into the CCIE studies. Many candidates waste large amounts of time in complex configurations, because they are lacking the basic understanding of the protocols and technologies that make up the scenario. I would recommend a 1-2 yr plan that begins with CCNP, carries into CCIE studies, and ends with you attaining your CCIE. Best wishes in your studies and journey.

Keith Barker CCIE #6783

Comment:

INE,

I absolutely love your version 4 COD videos for the R&S track. I love them
so much that I am dying to get more. When do you believe the videos will
get posted? Been stuck at EIGRP for over 2 weeks now. Would like to see
these added at a quicker pace.

My current study plan is to read about a technology, watch the videos for
that technology and then do the volume 1 labs for that technology. This is
working very well for me and want to continue without having to watch
previous versions of the COD.

The reason I like the version 4 COD classes is they seem more scripted. I
am watching the MPLS videos from the 10 day bootcamp and I see the
instructor looking around for the right command to show something. I find
this confusing and distracting from learning the material. The scriptedness
and complete mastery of what we are doing and what you are trying to show in
version 4 is great and want more of it.

Also, from a technology viewpoint I find it much easier to pause the v4
videos and write down the configurations or configure the dynamips session I
am using to follow along, than with the v3 technology. The v4 seems like it
downloads the entire video and you can pause, move forwards and backwards
and the screen doesn't "refresh". The v3 technology blanks the screen and
then kind of fastforwards the screen for a little bit while the audio is
normal pace when you move around. Another reason I want more v4!

Also, one tiny suggestion. I like being able to forecast how much time I
need to spend watching the videos. I don't see any time counter on the v4
or listing of how long the video is. Would love to see a time value in
parentheses after the title of each video to be able to know how much time
to allot to each video.

Keep up the good work, my CCIE journey would be perilous without you guys.

Thanks,

Thomas Holincheck

Keep submitting your questions and comments!

Mar
27

In a word, "Way to GO" (without the spaces, that would be one word :) ). I am impressed at all the feedback and ideas we received regarding the IKE phase 1 riddle we posed last week. You can read the original post here. Ideas were creative and varied.

As one of our INE Instructors says, "If there are 2 different ways to configure something, as a CCIE candidate, you had better be prepared to know all 3." If you would like to see "a solution", read on.

Ideas sent in included unique identities, isakmp profiles, DMVPN, GETVPN, virtual tunnel interfaces, key-rings, and a few even included full configurations regarding their ideas.  Excellent work and effort to all!

So a huge thanks goes out to Nick, Igor, Fedia, Jeff, AJN, MG, Paul A and Paul S!  Read below to find out which one of you won the tokens!

There is more than one way of solving this IKE challenge. My intention was to assist those getting ready for the lab with the absolute best preparation, and that preparation is practicing it. My feeling is that unless we have gone through the debugs for IKE phase 1 and IKE phase 2, and pushed through the CA authentication and enrollment process, we aren't ready to face the lab. When we are at the point that we can look at the debugs and say, "Yup, that's the problem, and here's why", that is a good indication we are getting close to ready for that topic.

Here is the solution I put together for this task. I chose what I felt would be a fairly straightforward solution, separating the termination points, logically, for the different sets of traffic, and placing keys and IKE phase 1 policies strategically. One of the items that I failed to remember while putting this solution together was to match the EasyVPN group name on the server with the OU name in the client certificate. I appreciate the opportunity to "remember" and to sharpen my skills too!

Here is the diagram again. Below it, the final solutions and verifications.

[Diagram: IKE several different ways]

Here are the configurations for the routers, beginning with R1, which is the EasyVPN server. Both R1 and R2 authenticated and enrolled with R3 who acted as a CA server for this IPSec "get-together".

R1#show run brief
version 12.4
hostname R1
!
aaa new-model
!
aaa authentication login Method-2 local
aaa authorization network Method-1 local
clock timezone PST -8
clock summer-time PDT recurring
ip cef
!
no ip domain lookup
ip domain name ine.com
!
crypto pki trustpoint CA-R3
enrollment url http://3.3.3.3:80
fqdn R1.ine.com
subject-name O=ine, OU=vpn_group, CN=R1, C=us, ST=nv
revocation-check none
!
username admin privilege 15 password 0 cisco
!
crypto isakmp policy 1
encr 3des
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 2.2.2.2
!
crypto isakmp client configuration group vpn_group
pool MyPOOL
acl 100
save-password
netmask 255.255.255.0
!
crypto isakmp profile IKE-PROF-1
match identity group vpn_group
client authentication list Method-2
isakmp authorization list Method-1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSec-PROF-1
set transform-set ESP-3DES-SHA
set isakmp-profile IKE-PROF-1
!
crypto map MYMAP 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
match address 101
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback4
ip address 4.0.0.1 255.255.255.0
!
interface Loopback5
ip address 5.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.12.0.1 255.255.255.0
crypto map MYMAP
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSec-PROF-1
!
router rip
version 2
network 1.0.0.0
network 4.0.0.0
network 5.0.0.0
network 10.0.0.0
no auto-summary
!
ip local pool MyPOOL 4.0.0.51 4.0.0.100
!
!
access-list 100 permit ip 4.0.0.0 0.0.0.255 any
access-list 101 permit ip 5.0.0.0 0.0.0.255 7.0.0.0 0.0.0.255

line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
privilege level 15
!
ntp authentication-key 1 md5 0822455D0A16 7
! Note: the trusted-key statement isn't needed on the server, but there is a bug
! that on some IOS versions causes to not function if it is not there.
ntp trusted-key 1
ntp source Loopback0
ntp master 5
!
end

R1#

What a fun read that was. Now for R2.

R2#show run brief
version 12.4
hostname R2
clock timezone PST -8
clock summer-time PDT recurring
ip cef
!
no ip domain lookup
ip domain name ine.com
!
crypto pki trustpoint CA-R3
enrollment url http://3.3.3.3:80
fqdn R2.ine.com
subject-name O=ine, OU=vpn_group, CN=R2, C=us, ST=nv
revocation-check none
!
username admin privilege 15 password 0 cisco
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 10.12.0.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn EZVPN_CLIENT
connect auto
mode network-extension
peer 1.1.1.1
virtual-interface 1
username admin password cisco
xauth userid mode local
!
crypto map MYMAP local-address Loopback0
crypto map MYMAP 1 ipsec-isakmp
set peer 10.12.0.1
set transform-set ESP-3DES-SHA
match address 100
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Loopback6
ip address 6.0.0.2 255.255.255.0
crypto ipsec client ezvpn EZVPN_CLIENT inside
!
interface Loopback7
ip address 7.0.0.2 255.255.255.0
!
interface FastEthernet0/0
ip address 10.12.0.2 255.255.255.0
crypto map MYMAP
crypto ipsec client ezvpn EZVPN_CLIENT
!
interface Serial0/1
no ip address
encapsulation frame-relay
no frame-relay inverse-arp
!
interface Serial0/1.23 point-to-point
ip address 10.23.0.2 255.255.255.0
frame-relay interface-dlci 203
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
router rip
version 2
network 2.0.0.0
network 6.0.0.0
network 7.0.0.0
network 10.0.0.0
no auto-summary
!
access-list 100 permit ip 7.0.0.0 0.0.0.255 5.0.0.0 0.0.0.255
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
privilege level 15
no login
!
ntp authentication-key 1 md5 05080F1C2243 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179982
ntp server 1.1.1.1
!
end

R2#
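The item the author mentions forgetting, that the EasyVPN group name on the server must match the OU in the client certificate, can be checked from the two configurations before any debug is needed. This is an added example, not part of the original post; the function names are hypothetical, the excerpts are copied from the R1 and R2 configurations above, and the comparison is assumed to be exact and case-sensitive.

```python
import re

# Excerpts copied from the R1 (EasyVPN server) and R2 (client) configurations above.
R1_SERVER = """\
crypto isakmp client configuration group vpn_group
 pool MyPOOL
 acl 100
crypto isakmp profile IKE-PROF-1
 match identity group vpn_group
 client authentication list Method-2
 isakmp authorization list Method-1
 virtual-template 1
"""
R2_CLIENT = """\
crypto pki trustpoint CA-R3
 enrollment url http://3.3.3.3:80
 fqdn R2.ine.com
 subject-name O=ine, OU=vpn_group, CN=R2, C=us, ST=nv
 revocation-check none
"""

TRUSTPOINT_RE = re.compile(r"^crypto pki trustpoint (\S+)")
OU_RE = re.compile(r"\bOU=([^,\s]+)")
GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)")
PROFILE_RE = re.compile(r"^crypto isakmp profile (\S+)")
MATCH_RE = re.compile(r"^\s*match identity group (\S+)")


def client_ous(client_cfg):
    """Return {trustpoint name: OU value or None} from 'subject-name' lines."""
    ous, trustpoint = {}, None
    for line in client_cfg.splitlines():
        m = TRUSTPOINT_RE.match(line)
        if m:
            trustpoint = m.group(1)
        elif trustpoint and line.strip().startswith("subject-name"):
            ou = OU_RE.search(line)
            ous[trustpoint] = ou.group(1) if ou else None
    return ous


def server_groups(server_cfg):
    """Return (client configuration group names, {isakmp profile: matched groups})."""
    groups, matches, profile = set(), {}, None
    for line in server_cfg.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups.add(m.group(1))
            continue
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            matches[profile] = []
            continue
        m = MATCH_RE.match(line)
        if m and profile:
            matches[profile].append(m.group(1))
    return groups, matches


def check_group_ou(server_cfg, client_cfg):
    """List the mismatches between client certificate OUs and server group names."""
    groups, matches = server_groups(server_cfg)
    matched = {g for names in matches.values() for g in names}
    problems = []
    for trustpoint, ou in client_ous(client_cfg).items():
        if ou is None:
            problems.append(f"{trustpoint}: subject-name has no OU")
            continue
        if ou not in groups:
            near = sorted(g for g in groups if g.lower() == ou.lower())
            hint = f" (case differs from {near[0]})" if near else ""
            problems.append(
                f"{trustpoint}: OU={ou} has no client configuration group{hint}")
        # This solution binds the client to its virtual-template through the
        # profile's 'match identity group', so that name has to agree as well.
        if matches and ou not in matched:
            problems.append(f"{trustpoint}: OU={ou} is not matched by any isakmp profile")
    return problems


if __name__ == "__main__":
    print(check_group_ou(R1_SERVER, R2_CLIENT) or "OU and group names agree")
```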

Let's start the verification process on R1. We will clear the tunnels, and initiate traffic from R2 from network 4 to 6, and then from network 5 to 7. Because R2 is an EasyVPN remote, it will be initiating the tunnel back for the network 6 to 4 encryption with EasyVPN (nothing to do with IPv6 tunnels). :)

R1#clear crypto isakmp
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
R1#clear crypto sa
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1#ping 6.0.0.2 source 4.0.0.1 repeat 15

Type escape sequence to abort.
Sending 15, 100-byte ICMP Echos to 6.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 4.0.0.1
!!!!!!!!!!!!!!!
Success rate is 100 percent (15/15), round-trip min/avg/max = 72/179/252 ms
R1#ping 7.0.0.2 source 5.0.0.1 repeat 75

Type escape sequence to abort.
Sending 75, 100-byte ICMP Echos to 7.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 5.0.0.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!
Success rate is 98 percent (74/75), round-trip min/avg/max = 28/154/292 ms
R1#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 10.12.0.1

protected vrf: (none)
local ident (addr/mask/prot/port): (5.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (7.0.0.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 74, #pkts encrypt: 74, #pkts digest: 74
#pkts decaps: 74, #pkts decrypt: 74, #pkts verify: 74
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 10.12.0.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xEB4512D2(3947172562)

inbound esp sas:
spi: 0xE00894E5(3758658789)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 37, flow_id: SW:37, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4398286/3579)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xEB4512D2(3947172562)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 38, flow_id: SW:38, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4398286/3579)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.12.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 10.12.0.2
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xB923167D(3106084477)

inbound esp sas:
spi: 0x44649B73(1147444083)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 35, flow_id: SW:35, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4575108/3520)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB923167D(3106084477)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 36, flow_id: SW:36, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4575107/3520)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         10.12.0.2       QM_IDLE           1015    0 ACTIVE
2.2.2.2         10.12.0.1       QM_IDLE           1016    0 ACTIVE

R1#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1015  1.1.1.1         10.12.0.2                ACTIVE 3des sha  rsig 2  23:58:18 CX
       Engine-id:Conn-id =  SW:15

1016  10.12.0.1       2.2.2.2                  ACTIVE 3des sha  psk  2  23:59:24
       Engine-id:Conn-id =  SW:16
R1#
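The point of the R1 output above is that the two phase 1 SAs between the same pair of routers use different authentication methods. As an added example that is not part of the original post, the script below parses the detail rows and confirms that each SA came up with the method the solution intends; the function names and the EXPECTED table are hypothetical, and the sample rows are the ones shown above.

```python
# 'show crypto isakmp sa detail' rows from R1 above (column spacing reconstructed).
R1_SA_DETAIL = """\
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1015  1.1.1.1         10.12.0.2                ACTIVE 3des sha  rsig 2  23:58:18 CX
       Engine-id:Conn-id =  SW:15

1016  10.12.0.1       2.2.2.2                  ACTIVE 3des sha  psk  2  23:59:24
       Engine-id:Conn-id =  SW:16
"""

AUTH_METHODS = {"psk", "rsig", "renc"}   # values from the legend IOS prints

# Expected per the solution: the EasyVPN session terminating on R1's Loopback0
# uses certificates plus config mode (C) and XAUTH (X); the crypto-map tunnel
# to 2.2.2.2 uses the pre-shared key and carries no capability flags.
EXPECTED = {
    ("1.1.1.1", "10.12.0.2"): {"auth": "rsig", "cap": {"C", "X"}},
    ("10.12.0.1", "2.2.2.2"): {"auth": "psk", "cap": set()},
}


def parse_isakmp_sa_detail(text):
    """Parse the SA rows of 'show crypto isakmp sa detail' into dicts."""
    sas = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or not tok[0].isdigit():
            continue   # legend, header, blank and Engine-id lines
        # I-VRF and Cap. can be blank, so find the Auth column and index from it:
        # position 6 when I-VRF is blank, position 7 when it is filled in.
        auth_at = next((i for i in (6, 7)
                        if i + 2 < len(tok) and tok[i] in AUTH_METHODS), None)
        if auth_at is None:
            continue
        sas.append({
            "conn_id": int(tok[0]),
            "local": tok[1],
            "remote": tok[2],
            "ivrf": tok[3] if auth_at == 7 else "",
            "status": tok[auth_at - 3],
            "encr": tok[auth_at - 2],
            "hash": tok[auth_at - 1],
            "auth": tok[auth_at],
            "dh": int(tok[auth_at + 1]),
            "lifetime": tok[auth_at + 2],
            "cap": tok[auth_at + 3] if len(tok) > auth_at + 3 else "",
        })
    return sas


def verify_phase1(sas, expected):
    """Compare parsed SAs with the expected auth method and capabilities."""
    by_pair = {(sa["local"], sa["remote"]): sa for sa in sas}
    problems = []
    for (local, remote), want in expected.items():
        sa = by_pair.get((local, remote))
        if sa is None:
            problems.append(f"{local} -> {remote}: no ISAKMP SA")
            continue
        if sa["status"] != "ACTIVE":
            problems.append(f"{local} -> {remote}: status {sa['status']}")
        if sa["auth"] != want["auth"]:
            problems.append(
                f"{local} -> {remote}: auth {sa['auth']}, expected {want['auth']}")
        if set(sa["cap"]) != want["cap"]:
            problems.append(f"{local} -> {remote}: capabilities '{sa['cap']}'")
    return problems


if __name__ == "__main__":
    parsed = parse_isakmp_sa_detail(R1_SA_DETAIL)
    for sa in parsed:
        print(sa["conn_id"], sa["local"], sa["remote"], sa["auth"], sa["cap"] or "-")
    print(verify_phase1(parsed, EXPECTED) or "both phase 1 SAs are as intended")
```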

Now we will look at R2, using the same process. Clear the SAs, then send interesting traffic.

R2#clear crypto isakmp
%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=admin Group= Server_public_addr=1.1.1.1 c
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
R2#clear crypto sa
R2#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
R2#
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=admin Group= Server_public_addr=1.1.1.1
R2#
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R2#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2#ping 4.0.0.1 source 6.0.0.2 repeat 32

Type escape sequence to abort.
Sending 32, 100-byte ICMP Echos to 4.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 6.0.0.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (32/32), round-trip min/avg/max = 128/171/256 ms
R2#ping 5.0.0.1 source 7.0.0.2 repeat 99

Type escape sequence to abort.
Sending 99, 100-byte ICMP Echos to 5.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 7.0.0.2
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (98/99), round-trip min/avg/max = 16/133/352 ms
R2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : SDM_EZVPN_CLIENT_1
Inside interface list: Loopback6
Outside interface: Virtual-Access1 (bound to FastEthernet0/0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Split Tunnel List: 1
Address : 4.0.0.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 1.1.1.1

R2#show crypto ipsec sa

interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 10.12.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.12.0.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xB7873D1E(3079093534)

inbound esp sas:
spi: 0xE8738BE2(3899886562)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 39, flow_id: SW:39, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4595984/3495)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB7873D1E(3079093534)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 40, flow_id: SW:40, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4595985/3495)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 2.2.2.2

protected vrf: (none)
local ident (addr/mask/prot/port): (7.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.0.0.0/255.255.255.0/0/0)
current_peer 10.12.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 98, #pkts encrypt: 98, #pkts digest: 98
#pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 10.12.0.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x419146C7(1100039879)

inbound esp sas:
spi: 0xEFAA9897(4020934807)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 41, flow_id: SW:41, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4378766/3562)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x419146C7(1100039879)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 42, flow_id: SW:42, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4378766/3562)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 10.12.0.2 QM_IDLE 1017 0 ACTIVE
10.12.0.1 2.2.2.2 QM_IDLE 1018 0 ACTIVE

R2# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1017 10.12.0.2 1.1.1.1 ACTIVE 3des sha rsig 2 23:57:32 CX
Engine-id:Conn-id = SW:17

1018 2.2.2.2 10.12.0.1 ACTIVE 3des sha psk 2 23:59:12
Engine-id:Conn-id = SW:18

Thanks again to all who posted ideas.

I did a drawing from all the people who contributed, and the winner of the 50 rack tokens to our preferred rack vendor Graded Labs goes to Nick! Congratulations Nick, please email me privately and send me the email address that you use for your INE account, and I will have the tokens credited to your account. Again, thanks to all for all your contributions!

Keep up the great studies, hang in there, and never surrender.

P.S.  Bob says "thank you"  ;)

Best wishes.

Jan
20

Hello everyone,

We are excited to announce that our CCIE Voice Core Knowledge Simulator has been released! You can try out a sample here. So far, the first 100 questions have been released, and will be followed shortly by additional updates.

The simulation is designed to help prepare candidates for the newly added "open ended" section of the 3.0 Voice CCIE Lab Exam. This new section of the exam consists of four computer based, short-answer questions which candidates have 30 minutes to complete.

The simulator is designed to:

* Pinpoint your areas of weakness on Core Knowledge
* Provide study documents to improve in these weak areas
* Practice with question interpretation and your short-answer responses

Enjoy the questions, and as always, good luck with your studies!

Jan
12

The new Core Knowledge Simulator Testing Engine is coming along nicely thanks to our partner, Graded Labs. We are behind schedule, however. We are attempting to incorporate all of the desired features and more. I will be blogging about a new expected date of release for that custom engine soon.

In the meantime, I have added a node to the R&S and Security simulators called More Questions. Our instructors will be working daily to add new and improved Core Knowledge questions to these simulators often.

Of course, new questions are also being added to the latest Service Provider Core Knowledge Simulation.

Many of you have been asking about a Voice Core Knowledge Simulation product and we will be sure to announce a date of release soon.

Enjoy the new questions everyone, and remember the goals of these products:

  • Pinpoint your areas of weakness on Core Knowledge
  • Provide study documents to improve in these weak areas
  • Practice with question interpretation and your short-answer responses

Dec
21

Yes - our partner Graded Labs is still working on a new engine for all of our Core Knowledge Simulation products. The new expected release date is somewhere around Jan 15, 2010. In the meantime, here are four more for you to enjoy. Answer these questions in the comments. On Thursday, December 24th, 2009, we will randomly draw from the pool of students that had the answers correct. One lucky winner will receive the new CCIE Routing and Switching Certification Guide, Fourth Edition.


1.40 Implement Ethernet Technologies

In which component of a modern (non-legacy) PPPoE configuration do we typically assign the TCP/IP address?

2.80 Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)

What command do you issue on a Cisco router in order to enter OER-managed border router configuration mode to establish communication with a border router during a Performance Routing configuration?

5.60 Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)

What version of MLD is required in order for IPv6 to implement Source Specific Multicast?

6.02 Implement Zone Based Firewall

What zone controls access for packets that are destined for the router acting as a Zone Based Firewall?

Dec
18

Beginning January 4, 2010, Cisco is featuring a Core Knowledge section for all active CCIE labs. To assist in your assessment of your own Tier 1 knowledge of the Service Provider Lab Exam Blueprint topics, INE has released its Service Provider Core Knowledge Simulation.

As of this post, the simulation features 90 questions spanning all major blueprint topics. Over the next week, the product will be updated daily to feature over 200 questions, and will cover EVERY major and minor blueprint topic.

In January, this product will be re-released in a new and improved, custom question engine created by our partner, Graded Labs. This new engine will allow you to create custom exams based on select topics.

Enjoy the new training aid!

Dec
17

Using an IPS Sensor, we can dynamically apply rate limiting/policing on a router interface, based on a signature match or an event action override, which is generated on the sensor appliance. OK, I know there is no Sensor Appliance in the RS lab, but what if we need to trigger a rate limit of specific traffic, destined to a router, based on current conditions on that router, such as transmit or receive loads on an interface?

This is a job for, da dada dahhh: Embedded Event Manager (EEM). In this example we will create a service policy which we will apply to the control plane based on an interface threshold being exceeded. Full labs on Embedded Event Manager can be found in our RS v5 Vol1 workbook in "System Management". Let's break down the individual steps, first for the control plane policing policy, and then the EEM to apply it.

We will first create a policy map, which calls on a class map, which calls on an ACL. In this class map, we are going to identify ICMP, by referencing an access list. So first we create the access list, and we will name it ICMP.

ip access-list extended ICMP
permit icmp any any

Now that the access list is created, we will create the class map called ICMP which will be referencing the access list of the same name.

class-map match-all ICMP
match access-group name ICMP
exit

Next we will create the policy map, and for convenience we will name it ICMP (as well). This policy map will reference the class map, and specify policing at 8000 bits per second with a burst size of 1000 bytes.

policy-map ICMP
class ICMP
police 8000 1000

OK, so now for the EEM part of the configuration. First, we will create our event manager applet. In this applet we will be referencing serial 0/0, and we will be looking for the received load to be greater than 25. The 25 refers to 25 out of a possible 255 as reported by the interface. Once the ~10% is exceeded, the CLI commands implemented in our applet will be executed. The CLI commands will simply apply the service policy to the logical control plane host interface on the router. By doing this, any ICMP traffic destined TO the router will be policed, regardless of which interface the traffic is received on. The EEM policy will also generate a syslog message. There are additional options which we could include, such as sending SNMP traps, e-mail messages and so forth.

event manager applet LOAD
event interface name Serial0/0 parameter rxload entry-val 25 entry-op gt entry-val-is-increment false poll-interval 60
action 0.0 cli command "enable"
action 1.0 cli command "configure terminal"
action 2.0 cli command "control-plane host"
action 3.0 cli command "service-policy input ICMP"
action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"
exit

At the interface level we will specify a bandwidth statement of 64, which will allow us to trigger the 25/255 much quicker. We will also set the load interval to a lower value than the default of five minutes so that the average will increase faster.

interface ser 0/0
bandwidth 64
load-interval 30
end

The following debug will give us the Howard Cosell play-by-play of exactly what's happening.

R2#debug event manager action cli
Debug EEM action cli debugging is on

To view the details of the interfaces that are registered with an event manager policy, we would use the following show command.

R2#show event manager policy registered event-type interface
No. Class Type Event Type Trap Time Registered Name
1 applet user interface Off Thu Feb 28 18:51:41 2002 LOAD
name {Serial0/0} parameter {rxload} entry_op gt entry_val 25 entry_val_is_increment FALSE poll_interval 60.000
maxrun 20.000
action 0.0 cli command "enable"
action 1.0 cli command "configure terminal"
action 2.0 cli command "control-plane host"
action 3.0 cli command "service-policy input ICMP"
action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"

To verify what the current load is on the interface, we can use the command below.

R2#show int ser 0/0 | inc rxload
reliability 255/255, txload 1/255, rxload 1/255

Once the control plane policy has been applied, the actual details of how many packets have been permitted and denied by that policy will be shown by the command below.

R2#show policy-map control-plane host
R2#

From the commands above, you'll notice that the current load is at one, and there is no policy currently applied to the control plane. Let's go to the neighboring router and generate some traffic to trigger event manager and the applet that we just created.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 1000 timeout 0

Type escape sequence to abort.
Sending 1000, 500-byte ICMP Echos to 150.1.2.2, timeout is 0 seconds:
......................................................................
......................................................................
......................................................................
.......................................................!.!............
......................................................................
.............................................!........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................
Success rate is 0 percent (3/1000), round-trip min/avg/max = 4/6/8 ms
Neighbor-R3#

Cool, we got 3 back, even with a timeout of 0 seconds. Now let's go back to R2, and look at some results.

R2#show int ser 0/0 | inc rxload
reliability 255/255, txload 58/255, rxload 58/255
R2#
! Note: It may take a few moments for the policy to be applied, as polling occurs every 60 seconds
! Patience is a virtue, and I want mine NOW ;-)

%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2#enable
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2#configure terminal
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2(config)#control-plane host
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2(config-cp-host)#service-policy input ICMP
%CP-5-FEATURE: Control-plane Policing feature enabled on Control plane host path

%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD: Just Applied Control Plane Policy to Limit ICMP
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_close called.
R2#
%SYS-5-CONFIG_I: Configured from console by vty0
R2#

Back to the neighbor router, R3, to see how the policing of ICMP looks from the outside.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 20         

Type escape sequence to abort.
Sending 20, 500-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
!!.!!.!!.!!.!!.!!.!.
Success rate is 65 percent (13/20), round-trip min/avg/max = 4/12/24 ms
Neighbor-R3#

Back to R2 to view the output of the service policy.

R2#show policy-map control-plane host
Control Plane Host

Service-policy input: ICMP

Class-map: ICMP (match-all)
20 packets, 10080 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: access-group name ICMP
police:
cir 8000 bps, bc 1000 bytes
conformed 13 packets, 6552 bytes; actions:
transmit
exceeded 7 packets, 3528 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
3 packets, 268 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2#

Based on the results, the service policy is now applied to the control-plane host sub-interface, and is limiting ICMP. This example of EEM is like a single ice-cube, compared to a titanic sized iceberg of possibilities. My intention is to introduce the topic, and encourage you to study it further.

I configured this demonstration using IOS Version 12.4(15)T10
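To see why the policed ping settles into a repeating `!!.` pattern, here is an added example (not part of the original post) that models `police 8000 1000` as a single-rate token bucket and replays the 20-echo test. Assumptions: the bucket starts full, each echo counts as 504 bytes (10080 bytes / 20 packets in the counters above), the next echo is sent on reply or after the 2-second timeout, and the per-echo RTT values are constructed from the min/avg figures in the ping output.

```python
"""Token-bucket model of `police 8000 1000` applied to the ping test above."""

CIR_BPS = 8000        # from the page: police 8000 1000
BC_BYTES = 1000       # from the page: bc 1000 bytes
PACKET_BYTES = 504    # from the page counters: 10080 bytes / 20 packets


class TokenBucketPolicer:
    """Single-rate, two-colour policer: conform = transmit, exceed = drop."""

    def __init__(self, cir_bps, bc_bytes):
        self.bytes_per_ms = cir_bps / 8 / 1000   # 8000 bps -> 1 byte per ms
        self.bc_bytes = bc_bytes
        self.tokens = float(bc_bytes)            # assumption: bucket starts full
        self.last_ms = 0.0
        self.conformed = [0, 0]                  # [packets, bytes]
        self.exceeded = [0, 0]                   # [packets, bytes]

    def offer(self, now_ms, size_bytes):
        """Refill for the elapsed time, then test the packet against the bucket."""
        refill = (now_ms - self.last_ms) * self.bytes_per_ms
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            counter, ok = self.conformed, True
        else:
            counter, ok = self.exceeded, False   # a dropped packet uses no tokens
        counter[0] += 1
        counter[1] += size_bytes
        return ok


def simulate_ping(policer, rtts_ms, size_bytes=PACKET_BYTES, timeout_ms=2000):
    """Replay a ping: next echo goes out after the reply (RTT) or the timeout."""
    now, marks = 0.0, []
    for rtt in rtts_ms:
        if policer.offer(now, size_bytes):
            marks.append("!")
            now += rtt          # reply received, next echo sent immediately
        else:
            marks.append(".")
            now += timeout_ms   # echo policed, sender waits out the timeout
    return "".join(marks)


def rxload_threshold_bps(bandwidth_kbps, entry_val):
    """Receive rate at which rxload reaches entry_val/255 of the bandwidth."""
    return bandwidth_kbps * 1000 * entry_val // 255


def page_scenario():
    """Constructed RTTs: 12 ms (page average), one 4 ms reply (page minimum)."""
    rtts = [12] * 20
    rtts[18] = 4                # a fast 19th reply leaves 500 tokens, under 504
    policer = TokenBucketPolicer(CIR_BPS, BC_BYTES)
    return simulate_ping(policer, rtts), policer


if __name__ == "__main__":
    pattern, policer = page_scenario()
    print(pattern)
    print("conformed", policer.conformed, "exceeded", policer.exceeded)
    print("EEM trigger at about", rxload_threshold_bps(64, 25), "bps")
```

The 1000-byte bucket holds just under two 504-byte echoes and refills at 1 byte per millisecond, so the third back-to-back echo is always dropped and the 2-second timeout refills the bucket completely.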

Enjoy your studies, and have fun exploring the world of EEM.

Dec
07

Cheers from London! I learned this week that a "Christmas Cracker" is not a food item, OR a person.  ;-)    There is so much to know.  I am grateful for students willing to show me the ropes here in the UK.   Thank you all.    Now on to the topic at hand.

MPLS is an important part of the RS Bootcamp, including troubleshooting MPLS.

Here is an MPLS troubleshooting scenario that has 1 (one,одну,un,uno) configuration issue. Can you spot it? Let's get to it! Here is the diagram.

[Diagram: mpls-ine-blog]

Problem: Clients on the 5.5.5.0 network are not able to ping the server, or any other devices, on the 1.1.1.0 network. Your challenge, based on the provided IOS show commands only, is to identify the 1 configuration problem that is causing the network failure.

For this scenario, the PC and Server configurations are correct, as well as all the layer 2 switching infrastructure on the Catalyst switches. R1 and R5 are CE routers, R2 and R4 are PE routers, and R3 is a P router.

We will work from the diagram, using the show commands from right to left, starting with R5.    (I have grouped the show commands together, then the individual commands and their output.   This way, the post may be used as a study/reference tool.)

R5
show ip int brief | ex una
show ip route
show ip protocols
ping 136.1.45.255

R5#show ip int brief | ex una
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 5.5.5.5 YES manual up up
FastEthernet0/1 136.1.45.5 YES NVRAM up up
Loopback0 150.1.5.5 YES NVRAM up up
R5#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

136.1.0.0/24 is subnetted, 2 subnets
R 136.1.12.0 [120/1] via 136.1.45.4, 00:00:08, FastEthernet0/1
C 136.1.45.0 is directly connected, FastEthernet0/1
1.0.0.0/24 is subnetted, 1 subnets
R 1.1.1.0 [120/1] via 136.1.45.4, 00:00:08, FastEthernet0/1
5.0.0.0/24 is subnetted, 1 subnets
C 5.5.5.0 is directly connected, FastEthernet0/0
150.1.0.0/24 is subnetted, 1 subnets
C 150.1.5.0 is directly connected, Loopback0
R5#show ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 11 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
FastEthernet0/1 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
5.0.0.0
136.1.0.0
Routing Information Sources:
Gateway Distance Last Update
136.1.45.4 120 00:00:08
Distance: (default is 120)

R5#ping 136.1.45.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.45.255, timeout is 2 seconds:

Reply to request 0 from 136.1.45.4, 8 ms
Reply to request 1 from 136.1.45.4, 32 ms
Reply to request 2 from 136.1.45.4, 16 ms
Reply to request 3 from 136.1.45.4, 4 ms
Reply to request 4 from 136.1.45.4, 24 ms
R5#

R4
show ip route
show ip route vrf Vrf1
show ip protocols
show mpls interface
show mpls ldp neighbor
show mpls forwarding-table
show ip bgp summary
show ip bgp vpnv4 all
ping vrf Vrf1 136.1.45.255
ping 136.1.34.255

R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

136.1.0.0/24 is subnetted, 2 subnets
O 136.1.23.0 [110/65] via 136.1.34.3, 00:04:28, FastEthernet0/0
C 136.1.34.0 is directly connected, FastEthernet0/0
150.1.0.0/32 is subnetted, 2 subnets
C 150.1.4.4 is directly connected, Loopback0
O 150.1.2.2 [110/66] via 136.1.34.3, 00:04:28, FastEthernet0/0
R4#show ip route vrf Vrf1

Routing Table: Vrf1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

136.1.0.0/24 is subnetted, 2 subnets
B 136.1.12.0 [200/0] via 150.1.2.2, 00:04:23
C 136.1.45.0 is directly connected, FastEthernet0/1
1.0.0.0/24 is subnetted, 1 subnets
B 1.1.1.0 [200/2] via 150.1.2.2, 00:04:23
5.0.0.0/24 is subnetted, 1 subnets
R 5.5.5.0 [120/1] via 136.1.45.5, 00:00:01, FastEthernet0/1
R4#show ip protocols
Routing Protocol is "ospf 234"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 150.1.4.4
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Routing on Interfaces Configured Explicitly (Area 0):
FastEthernet0/0
Loopback0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
150.1.2.2 110 00:04:28
150.1.3.3 110 00:04:28
Distance: (default is 110)

Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 0 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 1, receive any version
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)

Routing Protocol is "bgp 24"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
150.1.2.2
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
Distance: external 20 internal 200 local 200

R4#show mpls interface
Interface IP Tunnel Operational
FastEthernet0/0 Yes (ldp) No Yes
R4#show mpls ldp neighbor

R4#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Untagged 150.1.2.2/32 0 Fa0/0 136.1.34.3
18 Untagged 136.1.23.0/24 0 Fa0/0 136.1.34.3
19 Untagged 5.5.5.0/24[V] 19950 Fa0/1 136.1.45.5
20 Aggregate 136.1.45.0/24[V] 1684
R4#show ip bgp summary
BGP router identifier 150.1.4.4, local AS number 24
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
150.1.2.2 4 24 148 149 1 0 0 02:08:57 0
R4#show ip bgp vpnv4 all
BGP table version is 22, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf Vrf1)
*>i1.1.1.0/24 150.1.2.2 2 100 0 ?
*> 5.5.5.0/24 136.1.45.5 1 32768 ?
*>i136.1.12.0/24 150.1.2.2 0 100 0 ?
*> 136.1.45.0/24 0.0.0.0 0 32768 ?
R4#ping vrf Vrf1 136.1.45.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.45.255, timeout is 2 seconds:

Reply to request 0 from 136.1.45.5, 4 ms
Reply to request 1 from 136.1.45.5, 28 ms
Reply to request 2 from 136.1.45.5, 16 ms
Reply to request 3 from 136.1.45.5, 32 ms
Reply to request 4 from 136.1.45.5, 8 ms
R4#ping 136.1.34.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.34.255, timeout is 2 seconds:

Reply to request 0 from 136.1.34.3, 8 ms
Reply to request 1 from 136.1.34.3, 4 ms
Reply to request 2 from 136.1.34.3, 16 ms
Reply to request 3 from 136.1.34.3, 8 ms
Reply to request 4 from 136.1.34.3, 4 ms
R4#

R3
show ip route
show ip protocols
show mpls interface
show mpls ldp neighbor
show mpls forwarding-table

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

136.1.0.0/24 is subnetted, 2 subnets
C 136.1.23.0 is directly connected, Serial0/0.23
C 136.1.34.0 is directly connected, FastEthernet0/0
150.1.0.0/32 is subnetted, 3 subnets
O 150.1.4.4 [110/2] via 136.1.34.4, 00:05:16, FastEthernet0/0
C 150.1.3.3 is directly connected, Loopback0
O 150.1.2.2 [110/65] via 136.1.23.2, 00:05:26, Serial0/0.23
R3#show ip protocols
Routing Protocol is "ospf 234"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 150.1.3.3
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Routing on Interfaces Configured Explicitly (Area 0):
FastEthernet0/0
Serial0/0.23
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
150.1.4.4 110 00:05:16
150.1.2.2 110 00:05:26
Distance: (default is 110)

R3#show mpls interface
Interface IP Tunnel Operational
FastEthernet0/0 Yes (ldp) No Yes
Serial0/0.23 Yes (ldp) No Yes
R3#show mpls ldp neighbor

R3#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Untagged 150.1.2.2/32 0 Se0/0.23 point2point
17 Untagged 150.1.4.4/32 0 Fa0/0 136.1.34.4

R2
show ip route
show ip route vrf Vrf1
show ip protocols
show mpls interface
show mpls ldp neighbor
show mpls forwarding-table
show ip bgp summary
show ip bgp vpnv4 all
ping 136.1.23.255
ping vrf Vrf1 136.1.12.255

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

136.1.0.0/24 is subnetted, 2 subnets
C 136.1.23.0 is directly connected, Serial0/0.23
O 136.1.34.0 [110/65] via 136.1.23.3, 00:05:41, Serial0/0.23
150.1.0.0/32 is subnetted, 2 subnets
O 150.1.4.4 [110/66] via 136.1.23.3, 00:05:41, Serial0/0.23
C 150.1.2.2 is directly connected, Loopback0
R2#show ip route vrf Vrf1

Routing Table: Vrf1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

136.1.0.0/24 is subnetted, 2 subnets
C 136.1.12.0 is directly connected, FastEthernet0/0
B 136.1.45.0 [200/0] via 150.1.4.4, 00:05:18
1.0.0.0/24 is subnetted, 1 subnets
O 1.1.1.0 [110/2] via 136.1.12.1, 02:18:47, FastEthernet0/0
5.0.0.0/24 is subnetted, 1 subnets
B 5.5.5.0 [200/1] via 150.1.4.4, 00:05:18
R2#show ip protocols
Routing Protocol is "ospf 234"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 150.1.2.2
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Routing on Interfaces Configured Explicitly (Area 0):
Serial0/0.23
Loopback0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
150.1.4.4 110 00:05:41
150.1.3.3 110 00:05:51
Distance: (default is 110)

Routing Protocol is "bgp 24"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
IGP synchronization is disabled
Automatic route summarization is disabled
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
150.1.4.4
Maximum path: 1
Routing Information Sources:
Gateway Distance Last Update
Distance: external 20 internal 200 local 200

R2#show mpls interface
Interface IP Tunnel Operational
Serial0/0.23 Yes (ldp) No Yes
R2#show mpls ldp neighbor

R2#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Untagged 136.1.34.0/24 0 Se0/0.23 point2point
18 Untagged 150.1.4.4/32 0 Se0/0.23 point2point
21 Aggregate 136.1.12.0/24[V] 1040
22 Untagged 1.1.1.0/24[V] 18240 Fa0/0 136.1.12.1
R2#show ip bgp summary
BGP router identifier 150.1.2.2, local AS number 24
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
150.1.4.4 4 24 151 150 1 0 0 02:10:15 0
R2#show ip bgp vpnv4 all
BGP table version is 13, local router ID is 150.1.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf Vrf1)
*> 1.1.1.0/24 136.1.12.1 2 32768 ?
*>i5.5.5.0/24 150.1.4.4 1 100 0 ?
*> 136.1.12.0/24 0.0.0.0 0 32768 ?
*>i136.1.45.0/24 150.1.4.4 0 100 0 ?
R2#ping 136.1.23.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.23.255, timeout is 2 seconds:

Reply to request 0 from 136.1.23.3, 12 ms
Reply to request 1 from 136.1.23.3, 16 ms
Reply to request 2 from 136.1.23.3, 32 ms
Reply to request 3 from 136.1.23.3, 28 ms
Reply to request 4 from 136.1.23.3, 28 ms
R2#ping vrf Vrf1 136.1.12.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.12.255, timeout is 2 seconds:

Reply to request 0 from 136.1.12.1, 4 ms
Reply to request 1 from 136.1.12.1, 28 ms
Reply to request 2 from 136.1.12.1, 16 ms
Reply to request 3 from 136.1.12.1, 28 ms
Reply to request 4 from 136.1.12.1, 12 ms
R2#

R1
show ip int brief | ex una
show ip route
show ip protocols
ping 136.1.12.255

R1#show ip int brief | ex una
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 136.1.12.1 YES NVRAM up up
FastEthernet0/1 1.1.1.1 YES manual up up
Loopback0 150.1.1.1 YES NVRAM up up
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

136.1.0.0/24 is subnetted, 2 subnets
C 136.1.12.0 is directly connected, FastEthernet0/0
O E2 136.1.45.0 [110/1] via 136.1.12.2, 00:06:20, FastEthernet0/0
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/1
5.0.0.0/24 is subnetted, 1 subnets
O E2 5.5.5.0 [110/1] via 136.1.12.2, 00:06:20, FastEthernet0/0
150.1.0.0/24 is subnetted, 1 subnets
C 150.1.1.0 is directly connected, Loopback0
R1#show ip protocols
Routing Protocol is "ospf 12"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 150.1.1.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
1.1.1.0 0.0.0.255 area 0
136.1.12.1 0.0.0.0 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
136.1.12.2 110 00:06:20
Distance: (default is 110)

R1#ping 136.1.12.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.12.255, timeout is 2 seconds:

Reply to request 0 from 136.1.12.2, 8 ms
Reply to request 1 from 136.1.12.2, 20 ms
Reply to request 2 from 136.1.12.2, 12 ms
Reply to request 3 from 136.1.12.2, 24 ms
Reply to request 4 from 136.1.12.2, 8 ms
R1#

What do you see as the problem, and what may be done to correct it?

Good luck!
