
L3VPN task #4. Internet access.

Topology:




Use configuration from L3VPN task #3 as initial configuration for this task.
For this task, a new router R9 is added to the topology.
Router R9 represents the Internet from the perspective of AS17 and its clients. 

Requirements: 

1. Configure the following interfaces on R9 to represent the "Internet":
          Loopback1, ipv4 address 11.11.11.11/8.
          Loopback2, ipv4 address 22.22.22.22/8.
          Loopback3, ipv4 address 33.33.33.33/8. 
2. Configure eBGP session between R1 and R9. 
3. Configure AS17 so that all routers have access to AS9 and to the prefixes representing Internet access.
4. Customer A has been allocated an IPv4 address block 67.0/16 and assigned AS number 67.
    Each site is allocated a /24 prefix from this block - 67.0.6/24 for R6 & 67.0.7/24 for R7.
    Router R6 represents the head office, and router R7 represents the branch.
    Customer A should be able to access the Internet from its routable address space.
    Customer A site R7 should access the Internet via the head office site (R6).
    On the link between head office (R6) and its service provider (R5), separate Internet-bound and site-to-site traffic.
    Customer should be responsible for advertising its public prefix upstream.
    You are allowed to use an additional prefix 17.0.65.0/24 for this requirement.
5. Customer B has been allocated an IPv4 address block 48.0/16.
    Each site is allocated a /24 prefix from this block.
    Each site should have independent access to the Internet, from its routable address space, via the service provider (assume Customer B has no additional connections, and AS17 is its only upstream provider).
    Service provider is responsible for advertising the 67.0/16 prefix.

Solution:



This task requires an understanding of Internet access options for L3VPN solutions.





Requirement #3 - Enable the ipv4 address-family on iBGP peerings inside AS17. Also, advertise AS17 prefix 17.0/16 to R9 via eBGP. On R1, either advertise the network 9.0.19/24 into ISIS, or set "next-hop-self" on iBGP sessions to neighbors. The first method is recommended for faster convergence.


Requirement #4 - For Customer A, Internet traffic is separated from site-to-site traffic using two logical interfaces.
    One interface connects the CE to the PE VRF and carries site-to-site traffic.
    Add a second interface between the CE and the PE global routing table to provide Internet access.
    The branch site should have a default route towards the head office site.
    Keep the specific routes in the branch routing table, so that branch-to-branch traffic takes the optimal route and does not have to traverse the head office.
    This type of solution allows separation of Internet and site-to-site traffic.

Requirement #5 - For Customer B, Internet access is configured using static routing on the PE router only. The PE router has a default route from the VRF to the global routing table (towards the Internet) and a route from the global routing table to the VRF. The only configuration change required on the CE router is to add a default route towards the PE.




Note: A default route cannot be redistributed into the ISIS protocol. On R2, in order to advertise a default route into the CUST_A VRF, use the default-information originate command.

R1:


!
interface Ethernet1/0
 ip address 9.0.19.1 255.255.255.0
!
router bgp 17
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor CLIENTS peer-group
 neighbor CLIENTS remote-as 17
 neighbor CLIENTS update-source Loopback0
 neighbor 9.0.19.9 remote-as 9
 neighbor 17.0.2.2 peer-group CLIENTS
 neighbor 17.0.3.3 peer-group CLIENTS
 neighbor 17.0.5.5 peer-group CLIENTS
 !
 address-family ipv4
  network 17.0.0.0 mask 255.255.0.0
  neighbor 9.0.19.9 activate
  neighbor 17.0.2.2 activate
  neighbor 17.0.3.3 activate
  neighbor 17.0.5.5 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor CLIENTS send-community both
  neighbor CLIENTS route-reflector-client
  neighbor 17.0.2.2 activate
  neighbor 17.0.3.3 activate
  neighbor 17.0.5.5 activate
 exit-address-family
!
ip route 17.0.0.0 255.255.0.0 Null0
!

R2: 

!
router isis CUST_A
 vrf CUST_A
 net 49.0007.0000.0000.0002.00
 is-type level-2-only
 redistribute bgp 17
 default-information originate
!
router bgp 17
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 17.0.1.1 remote-as 17
 neighbor 17.0.1.1 update-source Loopback0
 !
 address-family ipv4
  network 48.0.4.0 mask 255.255.255.0
  neighbor 17.0.1.1 activate
  neighbor 17.0.1.1 next-hop-self
 exit-address-family
 !
 address-family vpnv4
  neighbor 17.0.1.1 activate
  neighbor 17.0.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CUST_A
  redistribute connected
  redistribute static
  redistribute isis CUST_A level-1-2
 exit-address-family
 !
 address-family ipv4 vrf CUST_B
  redistribute connected
  neighbor 17.0.24.4 remote-as 48
  neighbor 17.0.24.4 activate
 exit-address-family
!
ip route 48.0.4.0 255.255.255.0 Ethernet1/0 17.0.24.4
ip route vrf CUST_B 0.0.0.0 0.0.0.0 Ethernet0/0 9.0.19.1 global
!


R3:


router bgp 17
 address-family ipv4 unicast
  network 48.0.0.0/16
 !
 address-family vpnv4 unicast
 !
 neighbor 17.0.1.1
  remote-as 17
  update-source Loopback0
  address-family ipv4 unicast
  !
  address-family vpnv4 unicast
  !
 !
 vrf CUST_B
  rd 48:1
  address-family ipv4 unicast
   as-path-loopcheck out disable
   redistribute connected
  !
  neighbor 17.0.38.8
   remote-as 48
   address-family ipv4 unicast
    route-policy ANY in
    route-policy ANY out
   !
  !
 !
!
router static
 address-family ipv4 unicast
  48.0.0.0/16 Null0
  48.0.8.0/24 vrf CUST_B 17.0.38.8
 !
 vrf CUST_B
  address-family ipv4 unicast
   0.0.0.0/0 vrf default GigabitEthernet0/0/0/0 9.0.19.1
  !
 !
!

R4:


router static
 address-family ipv4 unicast
  0.0.0.0/0 17.0.24.2
  10.10.4.0/24 Null0
 !
!

R5:


!
interface Ethernet1/0.56
 encapsulation dot1Q 56
 vrf forwarding CUST_A
 ip address 17.0.56.5 255.255.255.0
 ip router isis CUST_A
!
interface Ethernet1/0.65
 encapsulation dot1Q 65
 ip address 17.0.65.5 255.255.255.0
 ip router isis CCIE
!
ip route vrf CUST_A 0.0.0.0 0.0.0.0 17.0.56.6
!
!
router bgp 17
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 17.0.1.1 remote-as 17
 neighbor 17.0.1.1 update-source Loopback0
 neighbor 17.0.65.6 remote-as 67
 !
 address-family ipv4
  neighbor 17.0.1.1 activate
  neighbor 17.0.65.6 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 17.0.1.1 activate
  neighbor 17.0.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CUST_A
  redistribute connected
  redistribute static
  redistribute isis CUST_A level-1-2
  default-information originate
 exit-address-family
!

R6: 


!
interface Ethernet0/0.56
 encapsulation dot1Q 56
 ip address 17.0.56.6 255.255.255.0
 ip router isis CCIE
!
interface Ethernet0/0.65
 encapsulation dot1Q 65
 ip address 17.0.65.6 255.255.255.0
!
!
router bgp 67
 bgp log-neighbor-changes
 network 67.0.0.0 mask 255.255.0.0
 neighbor 17.0.65.5 remote-as 17
!
ip route 67.0.0.0 255.255.0.0 Null0
!

R8:


!
ip route 0.0.0.0 0.0.0.0 17.0.38.3
!

Verification:


Customer A: 

R6#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      9.0.0.0/16 is subnetted, 1 subnets
B        9.0.0.0 [20/0] via 17.0.65.5, 13:24:10
B     11.0.0.0/8 [20/0] via 17.0.65.5, 13:24:10
      17.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
B        17.0.0.0/16 [20/0] via 17.0.65.5, 13:24:10
i L2     17.0.27.0/24 [115/10] via 17.0.56.5, 13:27:37, Ethernet0/0.56
C        17.0.56.0/24 is directly connected, Ethernet0/0.56
L        17.0.56.6/32 is directly connected, Ethernet0/0.56
C        17.0.65.0/24 is directly connected, Ethernet0/0.65
L        17.0.65.6/32 is directly connected, Ethernet0/0.65
B     22.0.0.0/8 [20/0] via 17.0.65.5, 13:24:10
B     33.0.0.0/8 [20/0] via 17.0.65.5, 13:24:10
      67.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S        67.0.0.0/16 is directly connected, Null0
C        67.0.6.6/32 is directly connected, Loopback1
i L2     67.0.7.7/32 [115/10] via 17.0.56.5, 12:28:00, Ethernet0/0.56
      192.168.6.0/32 is subnetted, 1 subnets
C        192.168.6.6 is directly connected, Loopback0
      192.168.7.0/32 is subnetted, 1 subnets
i L2     192.168.7.7 [115/10] via 17.0.56.5, 13:27:37, Ethernet0/0.56


R7#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 17.0.27.2 to network 0.0.0.0

i*L2  0.0.0.0/0 [115/10] via 17.0.27.2, 12:29:29, Ethernet0/0
      17.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        17.0.27.0/24 is directly connected, Ethernet0/0
L        17.0.27.7/32 is directly connected, Ethernet0/0
i L2     17.0.56.0/24 [115/10] via 17.0.27.2, 13:29:32, Ethernet0/0
      67.0.0.0/32 is subnetted, 1 subnets
C        67.0.7.7 is directly connected, Loopback1
      192.168.6.0/32 is subnetted, 1 subnets
i L2     192.168.6.6 [115/10] via 17.0.27.2, 13:28:33, Ethernet0/0
      192.168.7.0/32 is subnetted, 1 subnets
C        192.168.7.7 is directly connected, Loopback0



R7#traceroute 11.11.11.11 sou
R7#traceroute 11.11.11.11 source 67.0.7.7
Type escape sequence to abort.
Tracing the route to 11.11.11.11
VRF info: (vrf in name/id, vrf out name/id)
  1 17.0.27.2 5 msec 5 msec 4 msec
  2 17.0.56.5 [MPLS: Label 21 Exp 0] 5 msec 5 msec 5 msec
  3 17.0.56.6 5 msec 6 msec 6 msec
  4 17.0.65.5 6 msec 6 msec 6 msec
  5 17.0.15.1 6 msec 5 msec 5 msec
  6 9.0.19.9 7 msec 5 msec 6 msec

R6#traceroute 11.11.11.11 source 67.0.6.6
Type escape sequence to abort.
Tracing the route to 11.11.11.11
VRF info: (vrf in name/id, vrf out name/id)
  1 17.0.65.5 [AS 17] 6 msec 5 msec 5 msec
  2 17.0.15.1 [AS 17] 6 msec 5 msec 5 msec
  3 9.0.19.9 [AS 9] 5 msec 6 msec 5 msec


Customer B:



RP/0/0/CPU0:R4#sh ip route
Thu Jan  7 21:30:51.221 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR
       A - access/subscriber, a - Application route, (!) - FRR Backup path

Gateway of last resort is 17.0.24.2 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 17.0.24.2, 00:20:18
S    10.10.4.0/24 is directly connected, 1d16h, Null0
L    10.10.4.4/32 is directly connected, 2d19h, Loopback0
B    10.10.8.0/24 [20/0] via 17.0.24.2, 22:33:05
C    17.0.24.0/24 is directly connected, 2d19h, GigabitEthernet0/0/0/0
L    17.0.24.4/32 is directly connected, 2d19h, GigabitEthernet0/0/0/0
B    17.0.38.0/24 [20/0] via 17.0.24.2, 22:33:05
C    48.0.4.0/24 is directly connected, 18:38:31, Loopback1
L    48.0.4.4/32 is directly connected, 18:38:31, Loopback1


R8#               sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 17.0.38.3 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 17.0.38.3
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        10.10.4.0/24 [20/0] via 17.0.38.3, 22:37:25
S        10.10.8.0/24 is directly connected, Null0
C        10.10.8.8/32 is directly connected, Loopback0
      17.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        17.0.24.0/24 [20/0] via 17.0.38.3, 22:37:25
C        17.0.38.0/24 is directly connected, Ethernet0/0
L        17.0.38.8/32 is directly connected, Ethernet0/0
      48.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        48.0.4.0/24 [20/0] via 17.0.38.3, 18:42:22
C        48.0.8.0/24 is directly connected, Loopback1
L        48.0.8.8/32 is directly connected, Loopback1


R8#traceroute 11.11.11.11 source lo1
Type escape sequence to abort.
Tracing the route to 11.11.11.11
VRF info: (vrf in name/id, vrf out name/id)
  1 17.0.38.3 [AS 17] 1 msec 1 msec 2 msec
  2 17.0.13.1 2 msec 1 msec 1 msec
  3 9.0.19.9 2 msec 2 msec 2 msec


RP/0/0/CPU0:R4#traceroute 22.22.22.22 source 48.0.4.4
Thu Jan  7 21:35:43.091 UTC

Type escape sequence to abort.
Tracing the route to 22.22.22.22

 1  17.0.24.2 0 msec  0 msec  0 msec
 2  17.0.12.1 0 msec  0 msec  0 msec
 3  9.0.19.9 0 msec  0 msec  0 msec
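
An automated version of the traceroute checks above, as an added example that is not part of the original post: it parses the hop lines (copied from the R7 and R8 traces on this page) and tests that Customer A's branch traffic crosses the head office links in order (17.0.56.6, then 17.0.65.5) while Customer B's path never touches them. The function names are hypothetical.

```python
import re

# Hop lines copied from the Verification output on this page.
R7_TRACE = """\
  1 17.0.27.2 5 msec 5 msec 4 msec
  2 17.0.56.5 [MPLS: Label 21 Exp 0] 5 msec 5 msec 5 msec
  3 17.0.56.6 5 msec 6 msec 6 msec
  4 17.0.65.5 6 msec 6 msec 6 msec
  5 17.0.15.1 6 msec 5 msec 5 msec
  6 9.0.19.9 7 msec 5 msec 6 msec
"""
R8_TRACE = """\
  1 17.0.38.3 [AS 17] 1 msec 1 msec 2 msec
  2 17.0.13.1 2 msec 1 msec 1 msec
  3 9.0.19.9 2 msec 2 msec 2 msec
"""

# "<hop number> <IPv4 address> <rest>"; banner lines and "* * *" timeouts
# do not match and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b(.*)$")


def parse_hops(text):
    """Return [(hop_number, ip, has_mpls_label)] for each responding hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), "MPLS:" in m.group(3)))
    return hops


def follows_waypoints(hops, waypoints):
    """True if every waypoint appears in the path, in the given order."""
    path = iter(ip for _, ip, _ in hops)
    # The shared iterator is consumed as waypoints are found, which
    # enforces ordering: a later waypoint must come after an earlier one.
    return all(any(ip == wp for ip in path) for wp in waypoints)


if __name__ == "__main__":
    branch = parse_hops(R7_TRACE)
    # Customer A branch: VRF side of R6, back into R5's global table, then R9.
    print(follows_waypoints(branch, ["17.0.56.6", "17.0.65.5", "9.0.19.9"]))
    # Customer B: must not hairpin through Customer A's head office.
    print(follows_waypoints(parse_hops(R8_TRACE), ["17.0.56.6"]))
```
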





This post first appeared on CCIE Service Provider Workbook, please read the original post: here
