Advanced CCIE Routing & Switching v5.0
www.MicronicsTraining.com
Narbik Kocharians CCSI, CCIE #12410 R&S, Security, SP
VOL-II

Table of contents

IPv6
  Lab 1   Acquiring an IPv6 Address
IP Prefix-lists
  Lab 1   Prefix-lists
NAT
  Lab 1   Static NAT Configuration
  Lab 2   Static NAT Configuration & the "Alias" Keyword
  Lab 3   NAT Reversible
  Lab 4   Advanced Static NAT Configuration
  Lab 5   Configuration of Dynamic NAT - I
  Lab 6   Configuration of Dynamic NAT - II
  Lab 7   Configuration of Dynamic NAT - III
  Lab 8   NAT and TCP Load Balancing
  Lab 9   Configuring PAT
  Lab 10  Configuring PAR
  Lab 11  Configuring Static NAT Redundancy With HSRP
  Lab 12  Stateful Translation Failover With HSRP
  Lab 13  Translation of the Outside Source - I
  Lab 14  Translation of the Outside Source - II
  Lab 15  NAT on a Stick
  Lab 16  NAT Virtual Interface
HSRP
  Lab 1   HSRP Configuration
VRRP
  Lab 2   VRRP Configuration
GLBP
  Lab 3   GLBP Configuration
NTP
  Lab 1   Configuring NTP

CCIE R&S by Narbik Kocharians, Advanced CCIE R&S Work Book v5.0. © 2014 Narbik Kocharians. All rights reserved.

IPv6

Lab 1  Acquiring an IPv6 Address

Task 1
Configure the Ethernet segment connecting R1 to R3. Do not assign an IPv6 address to R3; R3 should acquire the network portion of its IPv6 address from R1 through the SLAAC process. Use the following MAC addresses for the two routers:
R1 - 0000.1111.1111
R3 - 0000.3333.3333

Let's configure the F0/0 interfaces of both routers in VLAN 13 (any VLAN ID can be used).

On SW1:
SW1(config)#int range f0/1,f0/3
SW1(config-if-range)#swi mode acc
SW1(config-if-range)#swi acc v 13
SW1(config-if-range)#No shut

Stateless Address Auto-Configuration (SLAAC) is one method for IPv6 clients to obtain the network portion of their IPv6 address. SLAAC is a very simple process in which the client assigns itself an IPv6 address based on an advertised prefix. It works as follows:

• The host sends a Router Solicitation (RS) message to the all-routers multicast address FF02::2.
• A router with IPv6 unicast routing enabled replies with a Router Advertisement (RA) message.
• The host takes the 64-bit prefix carried in the RA and combines it with its own 64-bit EUI-64 interface identifier to form a global unicast address.
• The host also installs the source IPv6 address of the RA (the router's link-local address) as its default gateway.
• Duplicate Address Detection (DAD) is performed for each new address to ensure it is unique on the link.

Note that the host trusts whichever router advertises on the segment: any device that sends RAs becomes a candidate default gateway and can hand out a prefix. That is the reason features such as RA Guard exist on access ports; in this lab the segment is trusted.

On R1:
In IPv6, unicast routing is disabled by default. For R1 to answer Router Solicitation messages, unicast routing MUST be enabled:

R1(config)#ipv6 unicast-routing
R1(config)#int f0/0
R1(config-if)#mac-address 0000.1111.1111
R1(config-if)#ipv6 enable
R1(config-if)#ipv6 address 13::1/64
R1(config-if)#No shut

To verify the configuration:

On R1:
R1#Show ipv6 interface F0/0 | Inc FF
  IPv6 is enabled, link-local address is FE80::200:11FF:FE11:1111
    FF02::1             -> all hosts within the local segment
    FF02::2             -> all routers within the local segment
    FF02::1:FF00:1      -> the solicited-node multicast group for the global unicast address 13::1
    FF02::1:FF11:1111   -> the solicited-node multicast group for the link-local address

In the output of the above show command we can see that the local router has auto-generated a link-local address based on the EUI-64 format.
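The link-local and solicited-node addresses in the output above follow mechanically from the MAC address. The Python below is an added example, not the workbook's own code: it performs the EUI-64 derivation, builds the SLAAC global address from an advertised /64, computes the solicited-node group a node joins for DAD, and reverses the process to show which MAC address an EUI-64 interface identifier exposes. The MAC addresses and prefixes are the ones used in this lab; everything else is standard library.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """64-bit modified EUI-64 interface identifier from a 48-bit MAC
    (RFC 4291, appendix A): split the MAC into two 24-bit halves, insert
    FF:FE between them, then invert the universal/local bit (0x02 in the
    first byte)."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    oui, nic = bytes.fromhex(digits[:6]), bytes.fromhex(digits[6:])
    iid = bytearray(oui + b"\xff\xfe" + nic)
    iid[0] ^= 0x02
    return bytes(iid)


def link_local(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 plus the EUI-64 interface ID, as 'ipv6 enable' produces."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address a SLAAC host forms from the RA's /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(address: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, the group a node joins for DAD and Neighbor
    Solicitation (RFC 4291 section 2.7.1): low 24 bits of the address."""
    low24 = ipaddress.IPv6Address(address).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def mac_from_address(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 interface ID; None if the ID does not
    carry the FF:FE marker (e.g. a DHCPv6-assigned or random address)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


if __name__ == "__main__":
    print(link_local("0000.1111.1111"))                    # R1's link-local address
    print(slaac_address("13::1/64", "0000.3333.3333"))     # R3's SLAAC address
    print(solicited_node("FE80::200:11FF:FE11:1111"))      # group joined for DAD
    print(mac_from_address("13::200:33FF:FE33:3333"))      # MAC leaked by EUI-64
```

The last function is the reason privacy (temporary) addresses exist: an EUI-64 address such as the ones in this lab reveals the interface's hardware address to every peer, so the same host can be recognised on any network it joins.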
The following shows how the EUI-64 interface identifier is generated from the MAC address 0000.1111.1111:

MAC address:                                  0000.1111.1111
Split into two halves and insert FFFE:        0000:11FF:FE11:1111
Invert the 7th most significant bit (the universal/local bit) of the first byte:
                                              0000 0000 -> 0000 0010 (0x00 -> 0x02)
Interface identifier:                         0200:11FF:FE11:1111
New link-local address:                       FE80::200:11FF:FE11:1111

The host portion of the IPv6 address is taken from the MAC address of the interface (on Ethernet only). The MAC address is 48 bits but the interface identifier is 64 bits, so the 16 bits "FFFE" are inserted in the middle of the MAC address, the 7th most significant bit is flipped, and "FE80::" is placed in front of the result. Because the MAC address is embedded in the address unchanged, an EUI-64 address identifies the hardware to every peer it talks to.

On R3:
Before R3 is configured, let's enable "debug ipv6 nd" and watch the exchange of packets:

R3#Debug ipv6 nd
ICMP Neighbor Discovery events debugging is on

R3(config)#int f0/0
R3(config-if)#mac-address 0000.3333.3333
R3(config-if)#ipv6 enable
R3(config-if)#ipv6 address autoconfig default
R3(config-if)#No shut

Once the "ipv6 enable" and "no shut" commands were entered, the local router auto-generated its link-local address and, to ensure it is unique on the segment, sent a Neighbor Solicitation (NS) for its link-local address FE80::200:33FF:FE33:3333:

IPv6-Addrmgr-ND: DAD request for FE80::200:33FF:FE33:3333 on FastEthernet0/0
ICMPv6-ND: Sending NS for FE80::200:33FF:FE33:3333 on FastEthernet0/0

The local router also generates a Router Solicitation to learn the network portion of its IPv6 address; this is done because of the "ipv6 address autoconfig default" command configured under the F0/0 interface:

ICMPv6-ND: Sending RS on FastEthernet0/0

The local router received a Router Advertisement (RA) in response to the RS sent earlier. The source link-layer address option in the RA lets R3 learn R1's MAC address without a separate Neighbor Solicitation:

ICMPv6-ND: Received RA from FE80::200:11FF:FE11:1111 on FastEthernet0/0
ICMPv6-ND: Glean FE80::200:11FF:FE11:1111 on FastEthernet0/0
ICMPv6-ND: Neighbour FE80::200:11FF:FE11:1111 on FastEthernet0/0 : LLA 0000.1111.1111

A neighbor cache entry created from an RA's link-layer address option has not had its reachability confirmed by an NS/NA exchange, so the entry goes from INCOMPLETE straight to STALE; it becomes REACHABLE the first time R3 actually exchanges traffic with R1:

ICMPv6-ND: INCMP -> STALE: FE80::200:11FF:FE11:1111

R3's default route is set to R1's link-local address:

ICMPv6-ND: Selected new default router FE80::200:11FF:FE11:1111 on FastEthernet0/0
ICMPv6-ND: Installed default to FE80::200:11FF:FE11:1111 on FastEthernet0/0

R3 forms its global unicast IPv6 address from the advertised prefix and its EUI-64 identifier:

ICMPv6-ND: Autoconfiguring 13::200:33FF:FE33:3333 on FastEthernet0/0

Duplicate Address Detection (DAD) concludes that the link-local address is unique because R3 did not receive a Neighbor Advertisement (NA) in response to the NS it sent earlier:

IPv6-Addrmgr-ND: DAD: FE80::200:33FF:FE33:3333 is unique.

The local router then sends an unsolicited NA for its link-local address to announce it on the link:

ICMPv6-ND: Sending NA for FE80::200:33FF:FE33:3333 on FastEthernet0/0
Layer three comes up on R3's F0/0 interface:

ICMPv6-ND: L3 came up on FastEthernet0/0

The local router sends an NS for the global unicast address (DAD for the second address):

IPv6-Addrmgr-ND: DAD request for 13::200:33FF:FE33:3333 on FastEthernet0/0
ICMPv6-ND: Sending NS for 13::200:33FF:FE33:3333 on FastEthernet0/0

The link-local address is up and available:

ICMPv6-ND: Linklocal FE80::200:33FF:FE33:3333 on FastEthernet0/0, Up

Another RS is sent (a host may send a few RS messages), and DAD determines that the global unicast address is unique:

ICMPv6-ND: Sending RS on FastEthernet0/0
IPv6-Addrmgr-ND: DAD: 13::200:33FF:FE33:3333 is unique.

The local router sends an unsolicited NA for its global unicast address:

ICMPv6-ND: Sending NA for 13::200:33FF:FE33:3333 on FastEthernet0/0

R1 sends RAs periodically, and each one re-confirms the autoconfigured address:

ICMPv6-ND: Received RA from FE80::200:11FF:FE11:1111 on FastEthernet0/0
ICMPv6-ND: Autoconfiguring 13::200:33FF:FE33:3333 on FastEthernet0/0

On R3:
R3#Show ipv6 interface brief F0/0
FastEthernet0/0            [up/up]
    FE80::200:33FF:FE33:3333
    13::200:33FF:FE33:3333

Task 2
Configure the serial link connecting R4 to R5. Do not assign an IPv6 address to the S1/4 interface of R5; R5 should be configured as a DHCP client acquiring an IPv6 address from R4. R5 should also get its domain name "MicronicsTraining.com" and the DNS server's IPv6 address 2001:1:1111::1 from R4.

Let's configure R4's S1/5 interface and also configure the local router as a DHCP server:

On R4:
To work as a DHCP server, unicast routing MUST be enabled:

R4(config)#ipv6 unicast-routing

R4(config)#ipv6 dhcp pool TST

The following specifies the address range the pool hands out:

R4(config-dhcpv6)#address prefix 45::/64

The following provides the DNS server and the domain name options to DHCP clients:

R4(config-dhcpv6)#dns-server 2001:1:1111::1
R4(config-dhcpv6)#domain-name MicronicsTraining.com

R4(config)#int s1/5
R4(config-if)#ipv6 enable
R4(config-if)#clock rate 64000
R4(config-if)#ipv6 address 45::4/64

The following command enables the DHCP server (pool TST) on the interface:

R4(config-if)#ipv6 dhcp server TST

The following command sets the "M" bit in the Router Advertisements sent on this interface, telling hosts to use DHCP for address configuration:

R4(config-if)#ipv6 nd managed-config-flag
R4(config-if)#No shut

There are two bits in the RA that we must know, the "M" and the "O" bits (RFC 4861):

The "M" bit is the "Managed address configuration" flag. When set, it indicates that addresses are available via DHCPv6; clients SHOULD use DHCP to obtain their IPv6 addresses. If the M bit is set, the O bit is redundant.

The "O" bit is the "Other configuration" flag. When set, it indicates that OTHER (non-address) configuration information, such as DNS servers and the domain name, is available via DHCPv6.

On R5:
R5(config)#int s1/4
R5(config-if)#ipv6 enable
R5(config-if)#ipv6 address dhcp
R5(config-if)#No shut

To verify the configuration:

On R5:
R5#Show ipv6 int br S1/4
Serial1/4                  [up/up]
    FE80::21B:D4FF:FE3E:E9D0
    45::6892:1A8F:3F80:7784

We can see that the local router acquired an IPv6 address from the DHCP server. How do we display the DHCP options that the local router acquired from the DHCP server?

R5#Show ipv6 dhcp interface
Serial1/4 is in client mode
  Prefix State is IDLE
  Address State is OPEN
  Renew for address will be sent in 11:58:13
  List of known servers:
    Reachable via address: FE80::217:59FF:FECE:2B8
    DUID: 00030001001759CE02B8
    Preference: 0
    Configuration parameters:
      IA NA: IA ID 0x00090001, T1 43200, T2 69120
        Address: 45::6892:1A8F:3F80:7784/128
                preferred lifetime 86400, valid lifetime 172800
                expires at Jun 13 2014 11:12 PM (172693 seconds)
      DNS server: 2001:1:1111::1
      Domain name: MicronicsTraining.com
      Information refresh time: 0
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled

On R4:
R4#Show ipv6 dhcp binding
Client: FE80::21B:D4FF:FE3E:E9D0
  DUID: 00030001001BD43EE9D0
  Username : unassigned
  IA NA: IA ID 0x00090001, T1 43200, T2 69120
    Address: 45::6892:1A8F:3F80:7784
            preferred lifetime 86400, valid lifetime 172800
            expires at Jun 13 2014 11:05 PM (171405 seconds)

Task 3
Configure the serial link connecting R1 to R4 based on the diagram at the beginning of this lab. Configure the serial link connecting R1 to R2. DO NOT configure an IPv6 address on R2's S1/1 interface; this router should be configured to acquire an IPv6 address from the DHCP server (R4). R1 should be configured as a DHCP relay agent.

Let's configure the serial interfaces first:

On R1:
R1(config)#ipv6 unicast-routing

R1(config)#int s1/2
R1(config-if)#clock rate 64000
R1(config-if)#ipv6 address 12::1/64
R1(config-if)#ipv6 enable
R1(config-if)#No shut

R1(config)#int s1/4
R1(config-if)#clock rate 64000
R1(config-if)#ipv6 enable
R1(config-if)#ipv6 address 14::1/64
R1(config-if)#No shut

On R4:
R4(config)#int s1/1
R4(config-if)#ipv6 enable
R4(config-if)#ipv6 address 14::4/64
R4(config-if)#No shut

To test the configuration:

On R4:
R4#Ping 14::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

In this case R2 is the DHCP client. Once configured, R2 sends a DHCPv6 Solicit to the All_DHCP_Relay_Agents_and_Servers multicast address FF02::1:2, which is link-scoped and never leaves the R1-R2 link. R1 receives it and wraps it in a Relay-Forward message whose "link-address" field carries R1's address on the link facing R2 (12::1), then sends it to R4. R4 uses the link-address to select the pool whose prefix matches the 12::/64 network and leases an address from that pool; its Reply comes back to R1 inside a Relay-Reply message, R1 removes the relay encapsulation and delivers the Reply to R2. This is how R2 acquires an IPv6 address through a relay; the link-address plays the same role as the giaddr field in an IPv4 DHCP relay.
A very simple process that is very similar to IPv4. Let's configure another scope for the 12::/64 network:

On R4:
R4(config)#ipv6 dhcp pool TST-R2
R4(config-dhcpv6)#address prefix 12::/64
R4(config-dhcpv6)#dns-server 2001:12:12:12:
R4(config-dhcpv6)#domain-name MicronicsTraining.com

Let's apply the pool to the S1/1 interface, the one facing the relay agent (R1):

R4(config-dhcpv6)#int s1/1
R4(config-if)#ipv6 dhcp server TST-R2

NOTE: If "address prefix 12::/64" is added to the previous pool (TST) instead of a separate pool, R2 gets two IPv6 addresses, one from the 12::/64 network and a second one from the 45::/64 network.

Let's configure R1, the DHCP relay agent:

On R1:
R1(config)#int s1/2

The following command configures the IPv6 address of the DHCP server with the "destination" keyword. The outgoing interface is optional in this scenario; it has to be specified ONLY if the "destination" references the link-local IPv6 address of R4 (a link-local address is meaningless without the interface it belongs to):

R1(config-if)#ipv6 dhcp relay destination 14::4

The "M" bit is set so that R2 knows to use DHCP for its address:

R1(config-if)#ipv6 nd managed-config-flag

The "ipv6 unicast-routing" command MUST be configured on the relay agent; it was already enabled on R1 in Task 1 and in the serial configuration above, so it does not have to be configured again.

Finally the DHCP client is configured.
On R2:
R2(config)#int s1/1
R2(config-if)#ipv6 enable
R2(config-if)#ipv6 address dhcp
R2(config-if)#No shut

To verify the configuration:

On R2:
R2#Show ipv6 interface brief S1/1
Serial1/1                  [up/up]
    FE80::200:22FF:FE22:2222
    12::A0B1:AAB2:4AC0:CEBB

R2#Show ipv6 dhcp interface
Serial1/1 is in client mode
  Prefix State is IDLE
  Address State is OPEN
  Renew for address will be sent in 11:59:14
  List of known servers:
    Reachable via address: FE80::200:11FF:FE11:1111
    DUID: 00030001001759CE02B8
    Preference: 0
    Configuration parameters:
      IA NA: IA ID 0x00060001, T1 43200, T2 69120
        Address: 12::A0B1:AAB2:4AC0:CEBB/128
                preferred lifetime 86400, valid lifetime 172800
                expires at Jun 14 2014 06:57 PM (172754 seconds)
      Information refresh time: 0
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled

Note that the server is "reachable via" R1's link-local address: the client only ever talks to the relay, and the DUID identifies the real server (R4) behind it.

Task 4
Configure R3 to get the DNS server and its domain name "MicronicsTraining.com" from the DHCP server, but it should continue to use SLAAC for its IPv6 address.

We saw the configuration of the "M" bit, where the DHCP server handed out an IPv6 address plus the optional DHCP parameters such as the DNS server and the domain name. With the "O" bit set, the DHCP server ONLY hands out the optional DHCP parameters (stateless DHCPv6); the client does NOT get an IPv6 address from the DHCP server.

R3 has already used the SLAAC process to get the network portion of its IPv6 address, so let's configure R1 to accommodate this request. First let's look at R3's F0/0 configuration:

On R3:
R3#Show run int f0/0 | b interface
interface FastEthernet0/0
 mac-address 0000.3333.3333
 no ip address
 duplex auto
 speed auto
 ipv6 enable
 ipv6 address autoconfig default
end

All we need to do is set the "O" bit and configure the relay on the F0/0 interface of R1:
On R1:
R1(config)#int f0/0
R1(config-if)#ipv6 dhcp relay destination 14::4
R1(config-if)#ipv6 nd other-config-flag

To verify the configuration:

On R3:
R3#Show ipv6 interface brief F0/0
FastEthernet0/0            [up/up]
    FE80::200:33FF:FE33:3333
    13::200:33FF:FE33:3333

R3#Show ipv6 dhcp interface
FastEthernet0/0 is in client mode
  Prefix State is IDLE (0)
  Information refresh timer expires in 23:58:07
  Address State is IDLE
  List of known servers:
    Reachable via address: FE80::200:11FF:FE11:1111
    DUID: 00030001001759CE02B8
    Preference: 0
    Configuration parameters:
      DNS server: 2001:12:12:12:
      Domain name: MicronicsTraining.com
      Information refresh time: 0
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled

We can see that R3 received its DNS and domain name information from the DHCP server (the Address State stays IDLE, so no address was requested), while the network portion of its IPv6 address still comes from R1 through the SLAAC process.

Task 5
Re-configure R5 to acquire its IPv6 address from R4 (the DHCP server) using two messages instead of four.

The DHCPv6 client can acquire its IPv6 address and optional parameters from a DHCP server in two ways:

Rapid-commit: ONLY two messages are exchanged, a Solicit from the client to the server and a Reply from the server to the client. The client advertises the Rapid Commit option in its Solicit and the server, if configured for it, answers with a committed lease immediately.

The default: the DHCP client and the DHCP server exchange four DHCP messages: Solicit, Advertise, Request, and Reply. The Advertise/Request pair lets the client choose among several servers before a lease is committed.
Before the task is configured, let's enable "debug ipv6 dhcp" and "default interface S1/4" on R5 and re-run the regular (default) four-message exchange:

On R5:
R5(config)#default inter s1/4
Interface Serial1/4 set to default configuration

R5#Debug ipv6 dhcp
IPv6 DHCP debugging is on

R5(config)#int s1/4
R5(config-if)#shut
R5(config-if)#ipv6 enable
R5(config-if)#ipv6 address dhcp
R5(config-if)#No shut

R5 exchanges four messages before it acquires an IPv6 address and the optional parameters from the DHCP server, R4. After the Solicit and the Advertise, the client sends a Request and receives the Reply:

IPv6 DHCP: Sending REQUEST to FF02::1:2 on Serial1/4
IPv6 DHCP: DHCPv6 address changes state from SOLICIT to REQUEST (ADDR_ADVERTISE_RECEIVED) on Serial1/4
IPv6 DHCP: Processing options
IPv6 DHCP: Adding address 45::DC06:2D13:9C93:FF4B/128 to Serial1/4
IPv6 DHCP: T1 set to expire in 43200 seconds
IPv6 DHCP: T2 set to expire in 69120 seconds
IPv6 DHCP: Configuring DNS server 2001:1:1111::1
IPv6 DHCP: Configuring domain name MicronicsTraining.com
IPv6 DHCP: DHCPv6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on Serial1/4

The "rapid-commit" option MUST be configured on both the DHCP client and the DHCP server; if only the client asks for it, the server simply answers with an Advertise and the four-message exchange takes place. To configure the DHCP server for "rapid-commit":

On R4:
R4(config)#int s1/5
R4(config-if)#ipv6 dhcp server TST rapid-commit

Let's "default interface S1/4" on R5 again, configure the client with the "rapid-commit" option and see the difference:

On R5:
R5(config)#int s1/4
R5(config-if)#ipv6 enable
R5(config-if)#ipv6 address dhcp rapid-commit
R5(config-if)#No shut

IPv6 DHCP: Sending SOLICIT to FF02::1:2 on Serial1/4
IPv6 DHCP: Received REPLY from FE80::217:59FF:FECE:2B8 on Serial1/4
IPv6 DHCP: Adding server FE80::217:59FF:FECE:2B8
IPv6 DHCP: Processing options
IPv6 DHCP: Adding address 45::DC06:2D13:9C93:FF4B/128 to Serial1/4
IPv6 DHCP: T1 set to expire in 43200 seconds
IPv6 DHCP: T2 set to expire in 69120 seconds
IPv6 DHCP: Configuring DNS server 2001:1:1111::1
IPv6 DHCP: Configuring domain name MicronicsTraining.com

As we can see, only two messages were exchanged.
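The "M" and "O" bits used in Tasks 2 and 4 travel in the flags byte of the Router Advertisement, and the two-message versus four-message DHCPv6 exchange just seen is decided by whether both sides carry the Rapid Commit option. The following Python is an added example, not code from the workbook: it builds and parses a minimal RA to show which mechanisms its flags enable, then models a DHCPv6 server and client (no transport; messages are passed as bytes) so the message sequence for each combination of client and server rapid-commit settings can be compared. The DUIDs are the ones shown in the lab output; the transaction ID is constructed, and the IA_NA payload is carried through unchanged rather than populated with a real address.

```python
import struct
from typing import Dict, List, Tuple

# ICMPv6 Router Advertisement header (RFC 4861 4.2): type, code, checksum,
# cur hop limit, flags byte (M=0x80, O=0x40), router lifetime, reachable, retrans.
RA_HDR = struct.Struct("!BBHBBHII")
RA_TYPE, FLAG_M, FLAG_O = 134, 0x80, 0x40
PIO_TYPE, PIO_L, PIO_A = 3, 0x80, 0x40              # prefix information option and its flags
PREFIX_13 = bytes.fromhex("0013" + "00" * 14)       # 13::/64 (Task 1)
PREFIX_45 = bytes.fromhex("0045" + "00" * 14)       # 45::/64 (Task 2)


def build_ra(m: bool, o: bool, prefixes: List[Tuple[bytes, int, bool]]) -> bytes:
    """Constructed RA; prefixes are (16-byte prefix, length, A flag). Checksum left 0."""
    flags = (FLAG_M if m else 0) | (FLAG_O if o else 0)
    pkt = RA_HDR.pack(RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    for prefix, plen, a in prefixes:
        pflags = PIO_L | (PIO_A if a else 0)
        pkt += struct.pack("!BBBBIII", PIO_TYPE, 4, plen, pflags, 2592000, 604800, 0) + prefix
    return pkt


def parse_ra(pkt: bytes) -> dict:
    typ, code, _, _, flags, _, _, _ = RA_HDR.unpack_from(pkt)
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(flags & FLAG_M), "O": bool(flags & FLAG_O), "slaac_prefixes": []}
    off = RA_HDR.size
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):          # RFC 4861 6.1.2: discard malformed RAs
            raise ValueError("malformed ND option")
        if otype == PIO_TYPE and olen == 32 and pkt[off + 3] & PIO_A:
            ra["slaac_prefixes"].append((pkt[off + 16:off + 32], pkt[off + 2]))
        off += olen
    return ra


def address_mechanisms(ra: dict) -> List[str]:
    """Mechanisms the RA enables. A host such as R5 with only 'ipv6 address dhcp'
    uses DHCPv6 and ignores the SLAAC prefix even when both are offered."""
    mech = ["SLAAC"] if ra["slaac_prefixes"] else []
    if ra["M"]:
        mech.append("DHCPv6 address")             # O is redundant when M is set
    elif ra["O"]:
        mech.append("DHCPv6 other-config")
    return mech


# DHCPv6 (RFC 8415): msg-type(1) transaction-id(3) then options (code 2, len 2, data).
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
NAME = {SOLICIT: "SOLICIT", ADVERTISE: "ADVERTISE", REQUEST: "REQUEST", REPLY: "REPLY"}
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_RAPID_COMMIT = 1, 2, 3, 14
SERVER_DUID = bytes.fromhex("00030001001759ce02b8")  # R4's DUID from the lab output
CLIENT_DUID = bytes.fromhex("00030001001bd43ee9d0")  # R5's DUID from the lab output


def dhcp6_build(mtype: int, xid: int, opts: Dict[int, bytes]) -> bytes:
    msg = bytes([mtype]) + xid.to_bytes(3, "big")
    for code, data in opts.items():
        msg += struct.pack("!HH", code, len(data)) + data
    return msg


def dhcp6_parse(msg: bytes) -> Tuple[int, int, Dict[int, bytes]]:
    mtype, xid, opts, off = msg[0], int.from_bytes(msg[1:4], "big"), {}, 4
    while off + 4 <= len(msg):
        code, ln = struct.unpack_from("!HH", msg, off)
        opts[code] = msg[off + 4:off + 4 + ln]
        off += 4 + ln
    return mtype, xid, opts


class Dhcp6Server:
    """Mirrors 'ipv6 dhcp server TST [rapid-commit]' on R4 (no real lease is built)."""
    def __init__(self, rapid_commit: bool):
        self.rapid_commit = rapid_commit

    def handle(self, msg: bytes) -> bytes:
        mtype, xid, opts = dhcp6_parse(msg)
        lease = {OPT_CLIENTID: opts[OPT_CLIENTID], OPT_SERVERID: SERVER_DUID,
                 OPT_IA_NA: opts[OPT_IA_NA]}
        if mtype == SOLICIT and self.rapid_commit and OPT_RAPID_COMMIT in opts:
            return dhcp6_build(REPLY, xid, {**lease, OPT_RAPID_COMMIT: b""})
        if mtype == SOLICIT:
            return dhcp6_build(ADVERTISE, xid, lease)
        if mtype == REQUEST and opts.get(OPT_SERVERID) == SERVER_DUID:
            return dhcp6_build(REPLY, xid, lease)
        raise ValueError(f"unexpected {NAME.get(mtype, mtype)}")


def dhcp6_client(server: Dhcp6Server, rapid_commit: bool) -> List[str]:
    """Mirrors 'ipv6 address dhcp [rapid-commit]' on R5; returns the message sequence."""
    xid = 0x3D1EA5                                      # constructed transaction id
    opts = {OPT_CLIENTID: CLIENT_DUID, OPT_IA_NA: bytes.fromhex("00090001") + b"\x00" * 8}
    if rapid_commit:
        opts[OPT_RAPID_COMMIT] = b""
    trace = ["SOLICIT"]
    mtype, rxid, ropts = dhcp6_parse(server.handle(dhcp6_build(SOLICIT, xid, opts)))
    if rxid != xid:
        raise ValueError("transaction id mismatch")
    trace.append(NAME[mtype])
    if mtype == REPLY:                                  # two-message exchange
        if not (rapid_commit and OPT_RAPID_COMMIT in ropts):
            raise ValueError("Reply without the Rapid Commit we asked for")
        return trace
    opts.pop(OPT_RAPID_COMMIT, None)                    # server did not commit: four messages
    opts[OPT_SERVERID] = ropts[OPT_SERVERID]
    trace.append("REQUEST")
    mtype, _, _ = dhcp6_parse(server.handle(dhcp6_build(REQUEST, xid, opts)))
    trace.append(NAME[mtype])
    return trace
```

Running dhcp6_client against a server with rapid_commit=False returns the four-message sequence whichever way the client is configured, which is the point of "MUST be configured on both"; only when both sides agree does the trace collapse to SOLICIT, REPLY. The RA parser rejects a zero-length option rather than looping on it, which RFC 4861 requires and which is the kind of check that distinguishes a parser from a packet dump.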
Task 6
Configure R4, R6, R7 and R8 based on the following:

DO NOT assign an IPv6 address to R6, R7 or R8.
Configure R6 and R7 in VLAN 67.
Configure R6 and R8 in VLAN 68.
Configure the S1/6 interface of R4 with the IPv6 address 46:2::4/64.

On R4:
R4(config)#int s1/6
R4(config-if)#ipv6 addr 46:2::4/64
R4(config-if)#clock rate 64000
R4(config-if)#No shut

On SW2:
The trunk has to be configured because the F0/1 interface of R6 is connected to SW2 while the G0/0 interface of R7 is connected to SW3, so VLAN 67 must be carried between the two switches.

SW2(config)#int f0/23
SW2(config-if)#swi trun enc dot
SW2(config-if)#swi mode trun
SW2(config-if)#No shut

SW2(config)#int f0/6
SW2(config-if)#swi mode acc
SW2(config-if)#swi acc v 67
SW2(config-if)#No shut

On SW3:
SW3(config)#int f0/7
SW3(config-if)#swi mode acc
SW3(config-if)#swi acc v 67
SW3(config-if)#No shut

SW3(config)#int f0/23
SW3(config-if)#swi trun enc dot
SW3(config-if)#swi mode trun
SW3(config-if)#No shut

On SW1:
SW1(config)#int range f0/6,f0/8
SW1(config-if-range)#swi mode acc
SW1(config-if-range)#swi acc v 68
SW1(config-if-range)#No shut

Task 7
ISP-A has the IPv6 prefix 46:1:1::/48 and needs to subnet this prefix into /56 subnets. Company-A (R6) has two sites, connected through its F0/0 and F0/1 interfaces, but soon this company will grow to 12 sites. Company-A (R6) should acquire a network prefix from ISP-A (R4) and subnet this prefix into a minimum of 12 subnets. The first subnet should be automatically assigned to its F0/0 interface with the host portion of its IPv6 address set to "::10"; R8 should use R6 as its default gateway. R6's F0/1 interface should be automatically assigned the third subnet with the host portion "::1".
R7 should use R6 as its default gateway. R7 and R8 should automatically acquire the network portion of their IPv6 addresses from R6 and auto-generate the host portion. Both R7 and R8 should have reachability to R4's S1/6 IPv6 address. DO NOT configure any static routes or any static IPv6 addresses to accomplish this task.

[Diagram: the 8 bits between /48 and /56 are the subnet bits used by the ISP to generate /56 subnets; one of these subnets is given to the customer.]

[Diagram: the 4 bits between /56 and /60 are given to the customer; the customer can use these 4 bits to generate 16 /64 networks.]

To accomplish this task we need to configure prefix delegation (DHCPv6-PD). The purpose of the prefix delegation mechanism is to delegate prefixes to the CE routers automatically; the delegated prefix lengths are typically between /48 and /64. In this topology R4 is the delegating router.

On R4:
The following configures a local pool that instructs the router to hand out /60 prefixes whose first 56 bits are 46:1:1:100::/56:

R4(config)#ipv6 local pool TST 46:1:1:100::/56 60

A regular DHCPv6 pool is configured; it references the local pool and assigns a lifetime of infinity:

R4(config)#ipv6 dhcp pool ISP
R4(config-dhcpv6)#prefix-delegation pool TST lifetime infinite infinite

The pool is referenced on the S1/6 interface of R4:

R4(config)#int s1/6
R4(config-if)#ipv6 dhcp server ISP

On R6:
R6(config)#ipv6 unicast-routing

This router is the CE router. It acquires the network portion of its S1/4 IPv6 address from the PE router (R4) through SLAAC and auto-generates the host portion using EUI-64.
R6(config)#int s1/4
R6(config-if)#ipv6 enable
R6(config-if)#ipv6 address autoconfig default

The "ipv6 dhcp client pd" command enables prefix delegation requests on the interface on which it is configured. If this command is not configured, the local router will NOT send a PD request. The prefix received by the local router is stored under the general prefix name given here, "TST-ISP":

R6(config-if)#ipv6 dhcp client pd TST-ISP
R6(config-if)#No shut

R6(config)#int f0/0
R6(config-if)#ipv6 enable

The following enables IPv6 processing on the interface and configures an address based on the general prefix "TST-ISP". The "::1" selects the first subnet, meaning that you are assigning the first subnet of the delegated block to this interface; to assign the second subnet, "::2" would be used. The "::10" is the host portion of the IPv6 address that you want the local interface to have:

R6(config-if)#ipv6 address TST-ISP ::1:0:0:0:10/64
R6(config-if)#No shut

R6(config)#int f0/1
R6(config-if)#ipv6 enable
R6(config-if)#ipv6 address TST-ISP ::3:0:0:0:1/64
R6(config-if)#No shut

R6#Show ipv6 inter bri S1/4
Serial1/4                  [up/up]
    FE80::217:5AFF:FEAD:52AA
    46:2::217:5AFF:FEAD:52AA

R6#Ping 46:2::4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 46:2::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms

R6#Show ipv6 inter bri F0/0
FastEthernet0/0            [up/up]
    FE80::217:5AFF:FEAD:52AA
    46:1:1:101::10

R6#Show ipv6 inter bri F0/1
FastEthernet0/1            [up/up]
    FE80::217:5AFF:FEAD:52AB
    46:1:1:103::1

R6#Show ipv6 route
IPv6 Routing Table - default - 9 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       l - LISP
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
ND  ::/0 [2/0]
     via FE80::217:59FF:FECE:2B8, Serial1/4
C   46:1:1:101::/64 [0/0]
     via FastEthernet0/0, directly connected
C   46:1:1:103::/64 [0/0]
     via FastEthernet0/1, directly connected
C   46:2::/64 [0/0]
     via Serial1/4, directly connected
L   46:2::217:5AFF:FEAD:52AA/128 [0/0]
     via Serial1/4, receive
L   FF00::/8 [0/0]
     via Null0, receive

The default route points at R4's link-local address (learned from R4's RA through "autoconfig default"), and the two LAN subnets carved out of the delegated /60 are connected routes; no static configuration was needed.

On R7:
R7(config)#int g0/0
R7(config-if)#ipv6 enable
R7(config-if)#ipv6 address autoconfig default
R7(config-if)#No shut

On R8:
R8(config)#int g0/1
R8(config-if)#ipv6 enable
R8(config-if)#ipv6 address autoconfig default
R8(config-if)#No shut

To verify the configuration:

On R7:
R7#Show ipv6 inter bri g0/0
GigabitEthernet0/0         [up/up]
    FE80::26E9:B3FF:FEAB:4820
    46:1:1:103:26E9:B3FF:FEAB:4820

R7#Show ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, ls - LISP site
       ld - LISP dyn-EID, a - Application
ND  ::/0 [2/0]
     via FE80::217:5AFF:FEAD:52AB, GigabitEthernet0/0
NDp 46:1:1:103::/64 [2/0]
     via GigabitEthernet0/0, directly connected
L   46:1:1:103:26E9:B3FF:FEAB:4820/128 [0/0]
     via GigabitEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

R7#Ping 46:1:1:101::10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 46:1:1:101::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/12 ms

R7#Ping 46:2::4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 46:2::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

On R8:
R8#Show ipv6 inter br g0/1
GigabitEthernet0/1         [up/up]
    FE80::3E08:F6FF:FEA2:BC81
    46:1:1:101:3E08:F6FF:FEA2:BC81

R8#Show ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, ls - LISP site
       ld - LISP dyn-EID, a - Application
ND  ::/0 [2/0]
     via FE80::217:5AFF:FEAD:52AA, GigabitEthernet0/1
NDp 46:1:1:101::/64 [2/0]
     via GigabitEthernet0/1, directly connected
L   46:1:1:101:3E08:F6FF:FEA2:BC81/128 [0/0]
     via GigabitEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive

R8#Ping 46:1:1:101::10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 46:1:1:101::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

R8#Ping 46:2::4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 46:2::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

On R4:
R4#Show ipv6 local pool
Pool                  Prefix                                       Free  In use
TST                   46:1:1:100::/56                               15       1

NOTE: The local pool carves 46:1:1:100::/56 into 2^4 = 16 /60 prefixes; one of them (46:1:1:100::/60) has been delegated to R6 and 15 are still free, which is what the "Free" column counts. Within its own /60 the customer in turn has 2^4 = 16 /64 subnets, of which it has used two so far (46:1:1:101::/64 and 46:1:1:103::/64).
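The prefix arithmetic behind this task (a /48 carved into /56 site blocks, a /60 delegated to the customer, and the general-prefix notation "::1:0:0:0:10/64" that produced 46:1:1:101::10) is worth making explicit. The Python below is an added example, not the workbook's code or IOS itself; it reproduces the pool accounting of "show ipv6 local pool" and the address IOS derives from a general prefix, using the prefixes of this lab. The IOS behaviour modelled by general_prefix_address (high bits from the delegated prefix, the rest from the literal typed after the prefix name) is an assumption stated from the results shown above.

```python
import ipaddress
from typing import List, Tuple


def delegation_length(min_subnets: int, per_link: int = 64) -> int:
    """Longest (most economical) prefix that still yields min_subnets /64 links."""
    if min_subnets < 1:
        raise ValueError("need at least one subnet")
    return per_link - (min_subnets - 1).bit_length()


def carve(parent: str, new_len: int) -> List[ipaddress.IPv6Network]:
    """All new_len subnets of parent in address order (what the ISP pool hands out)."""
    net = ipaddress.IPv6Network(parent)
    if not net.prefixlen <= new_len <= 64:
        raise ValueError(f"/{new_len} is not between /{net.prefixlen} and /64")
    return list(net.subnets(new_prefix=new_len))


def pool_status(parent: str, delegation_len: int, delegated: List[str]) -> Tuple[int, int]:
    """(free, in use) as 'show ipv6 local pool' reports it for a pool of parent/delegation_len."""
    blocks = set(carve(parent, delegation_len))
    used = {ipaddress.IPv6Network(d) for d in delegated}
    if not used <= blocks:
        raise ValueError("a delegated prefix is not a block of this pool")
    return len(blocks) - len(used), len(used)


def general_prefix_address(delegated: str, subnet_index: int, host: str) -> ipaddress.IPv6Interface:
    """Model of 'ipv6 address <general-prefix> ::<index>:0:0:0:<host>/64':
    the delegated prefix supplies the high bits, the subnet index fills the
    remaining bits up to /64 and the host literal the low 64 bits."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    index_bits = 64 - net.prefixlen
    if not 0 <= subnet_index < 2 ** index_bits:
        raise ValueError(f"only {2 ** index_bits} /64 subnets in {delegated}")
    host_part = int(ipaddress.IPv6Address(host))
    if host_part >> 64:
        raise ValueError("host part must fit in the low 64 bits")
    addr = int(net.network_address) | (subnet_index << 64) | host_part
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(addr)}/64")


if __name__ == "__main__":
    print(delegation_length(12))                        # 12 sites fit in a /60
    print(len(carve("46:1:1::/48", 56)))                # ISP site blocks
    print(pool_status("46:1:1:100::/56", 60, ["46:1:1:100::/60"]))
    print(general_prefix_address("46:1:1:100::/60", 1, "::10"))   # R6 F0/0
    print(general_prefix_address("46:1:1:100::/60", 3, "::1"))    # R6 F0/1
```

Subnet index 0 (46:1:1:100::/64) is a valid /64 of the block as well; the workbook simply starts counting at "::1". The bound check in general_prefix_address is the one IOS enforces implicitly: a subnet index of 16 would spill into the ISP's bits and address a network that was never delegated.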
Erase the startup configuration of the routers and reload them before proceeding to the next lab.

IP Prefix-lists

Lab Setup:
To copy and paste the initial configurations, go to http://micronies.nI -> "Advanced-init" -> "Prefix-lists" -> "Prefix-List-Init.docx".

Task 1
Configure R1 to filter 192.1.1.32/27 using a prefix-list.

Some important facts about prefix-lists:

• Prefix-lists were introduced in IOS 12.0(3)T.
• Prefix-lists match on the actual prefix AND the prefix length.
• Prefix-lists are processed from the top to the bottom, or to be more accurate, from the lowest sequence number to the highest.
• Because sequence numbers are used, entries can be added or removed at any time. An entry added without a sequence number is appended after the existing ones, so it is evaluated last.
• Prefix-lists have an implicit deny all statement at the end, just like access-lists.
• Just like access-lists, prefix-lists can be used to identify or filter prefixes.

Let's first configure an access-list to filter the 192.1.1.32/27 network and see how it differs from a prefix-list:

On R1:
R1#Sh ip route ospf | b Gate
Gateway of last resort is not set

      172.16.0.0/24 is subnetted, 4 subnets
O        172.16.0.0 [110/2] via 12.1.1.2, 00:01:34, FastEthernet0/0
O        172.16.1.0 [110/2] via 12.1.1.2, 00:01:34, FastEthernet0/0
O        172.16.2.0 [110/2] via 12.1.1.2, 00:01:34, FastEthernet0/0
O        172.16.3.0 [110/2] via 12.1.1.2, 00:01:34, FastEthernet0/0
      192.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
O        192.1.1.1/32 [110/2] via 12.1.1.2, 00:10:35, FastEthernet0/0
O        192.1.1.32/27 [110/2] via 12.1.1.2, 00:01:51, FastEthernet0/0

R1(config)#access-list 1 deny 192.1.1.0 0.0.0.255
R1(config)#access-list 1 permit any
R1(config)#router ospf 1
R1(config-router)#distribute-list 1 in f0/0

To verify the configuration:

On R1:
R1#Show ip route ospf | B Gate
Gateway of last resort is not set

      172.16.0.0/24 is subnetted, 4 subnets
O        172.16.0.0 [110/2] via 12.1.1.2, 00:02:32, FastEthernet0/0
O        172.16.1.0 [110/2] via 12.1.1.2, 00:02:32, FastEthernet0/0
O        172.16.2.0 [110/2] via 12.1.1.2, 00:02:32, FastEthernet0/0
O        172.16.3.0 [110/2] via 12.1.1.2, 00:02:32, FastEthernet0/0

We can see that the access-list filtered both 192.1.1.x networks: the wildcard 0.0.0.255 makes the 4th octet "don't care", and a standard access-list never looks at the prefix length, so 192.1.1.1/32 and 192.1.1.32/27 both match "192.1.1.0 0.0.0.255". This is the difference between an access-list and a prefix-list: a prefix-list configured with 192.1.1.0/24 would not have affected either of these networks, because it also compares the prefix length. Note also that with OSPF a "distribute-list in" only keeps the prefix out of the local routing table; the LSAs remain in the database and are still flooded to other routers. Let's test:

R1(config)#No access-list 1

R1#Show ip route ospf | B Gate
Gateway of last resort is not set

      172.16.0.0/24 is subnetted, 4 subnets
O        172.16.0.0 [110/2] via 12.1.1.2, 00:00:26, FastEthernet0/0
O        172.16.1.0 [110/2] via 12.1.1.2, 00:00:26, FastEthernet0/0
O        172.16.2.0 [110/2] via 12.1.1.2, 00:00:26, FastEthernet0/0
O        172.16.3.0 [110/2] via 12.1.1.2, 00:00:26, FastEthernet0/0
      192.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
O        192.1.1.1/32 [110/2] via 12.1.1.2, 00:00:26, FastEthernet0/0
O        192.1.1.32/27 [110/2] via 12.1.1.2, 00:00:26, FastEthernet0/0

Let's configure a prefix-list that denies network 192.1.1.0/24 and permits everything else. The second statement ("permit 0.0.0.0/0 le 32" matches any prefix of any length) will be discussed in detail in later tasks.
Ri (config) #4p prefix-list NET deny 192.1.1.0/24 Ri (config) #ip prefix-list NET permit 0.0.0.0/0 LE 32 Rl (config) #router ospf 1 Rl (config-router) #No distribute-list 1 in FO/0 Rl (config-router) #distribute-list prefix NET in F0/0 To verify the configuration | OnR1: R1#Show ip route ospf | B Gate Gateway of last resort is not set 172.16.0.0/24 is subnetted, 4 subnets 172.16.0.0 [110/2] via 12.1.1.2, 00:01:25, FastEthernet0/0 172.16.1.0 [110/2] via 12.1.1.2, 00:01:25, FastBthernet0/0 172.16.2.0 [110/2] via 12.1.1.2, 00:01:25, FastBthernet0/0 172.16.3.0 [110/2] via 12.1.1.2, 00:01:25, FastBthernet0/0 192.1.1.0/24 is variably subnetted, 2 subnets, 2 masks ° 192.1.1.1/32 [110/2] via 12.1.1.2, 00:01:25, FastEthernet0/0 ° 192.1.1.32/27 [110/2] via 12.1.1.2, 00:01:25, FastEthernet0/0 o000 ‘As we can see, none of the networks were affected betause with prefix-lists the prefix and the prefix- length is matched, in the above example, since network 192.1.1.0/24 does NOT exist, none of the networks were affected. Let’s configure a prefix to filter 192.1.1.32/27 and permit the other prefixes. Ri (config) #ip prefix-list NET deny 192.1.1.32/27 Ri (config) #ip prefix-list NET permit 0.0.0.0/0 LE 32 CCIE RGS by Narbik Kocharians Advanced CCIE R&S Work Book v5.0 Puge 29 of 222 1 2014 Narbik Roetariaus. AU righ reserved OnR1: R1#Show ip route ospf | B Gate Gateway of last resort is not set 172.16.0.0/24 is subnetted, 4 subnets ° 172.16.0.0 [110/2] via 12.1.1.2, 00: FastEthernet0/0 ° 172.16.1.0 [110/2] via 12.1.1.2, 00 FastBthernet0/0 ° 172.16.2.0 [110/2] via 12.1.1.2, 00:00:32, FastEthernet0/0 ° 172.16.3.0 [110/2] via 12.1.1.2, 00:00:32, FastEthernet0/0 192.1.1.0/32 is subnetted, 1 subnets ° 192.1.1.1 [110/2] via 12.1.1.2, 00:00:32, FastBthernet0/0 ‘As we can see ONLY 192.1.1.32/27 was filtered. When configuring prefix-lists, the prefix and the prefix-length MUST be configured to exactly match the prefix and the prefix-length that we are trying to deny, permit, or identify. 
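As an added example (our own Python model, not IOS code and not from the workbook), here are the two matching rules side by side, run over R1's routes shown above: a standard access-list used in a distribute-list compares only the route's network address against address/wildcard, while a prefix-list requires the leading bits to agree and the route's prefix-length to fall in the entry's range. It also applies the ge/le form that the class A task below introduces, on the RIP table from that task, so the effect of "0.0.0.0/1 ge 8 le 8" can be checked before it is configured. The function names and the tuple layouts of the filters are ours.

```python
"""Added example: how a distribute-list with a standard ACL and one with an
ip prefix-list decide which routes to accept. Routes and filters are the ones
shown on this page for Task 1 (R1's OSPF table) and Task 2 (R1's RIP table);
the model is ours, not IOS code."""
import ipaddress

# R1's OSPF routes from Task 1 (copied from the page's show output).
OSPF_ROUTES = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24",
               "172.16.3.0/24", "192.1.1.1/32", "192.1.1.32/27"]

# R1's RIP routes from Task 2.
RIP_ROUTES = ["1.0.0.0/8", "10.1.1.0/24", "11.1.0.0/16", "22.1.2.0/24",
              "29.0.0.0/8", "33.0.0.0/24", "44.0.0.0/8", "201.1.3.0/24"]

ANY = "255.255.255.255"   # wildcard that matches every address ('permit any')


def _int(ip):
    return int(ipaddress.ip_address(ip))


def acl_permits(acl, route):
    """Standard ACL in a distribute-list: only the route's network address is
    compared against 'address wildcard'; the prefix-length plays no part."""
    net = int(ipaddress.ip_network(route).network_address)
    for action, address, wildcard in acl:
        care = ~_int(wildcard) & 0xFFFFFFFF        # bits the entry cares about
        if net & care == _int(address) & care:
            return action == "permit"
    return False                                   # implicit deny at the end


def prefix_list_permits(plist, route):
    """ip prefix-list: entries are tried from the lowest sequence number; an
    entry matches when the first LEN bits agree AND the route's prefix-length
    falls in the allowed range (exactly LEN unless ge/le widen it)."""
    net = ipaddress.ip_network(route)
    rlen = net.prefixlen
    for _seq, action, prefix, ge, le in sorted(plist, key=lambda e: e[0]):
        entry = ipaddress.ip_network(prefix)
        plen = entry.prefixlen
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if int(net.network_address) & mask != int(entry.network_address) & mask:
            continue
        low = ge if ge is not None else plen
        high = le if le is not None else (32 if ge is not None else plen)
        if low <= rlen <= high:
            return action == "permit"
    return False                                   # implicit deny at the end


def apply_filter(routes, permits, flt):
    """Routes that survive an inbound distribute-list using the given filter."""
    return [r for r in routes if permits(flt, r)]


# access-list 1 deny 192.1.1.0 0.0.0.255 / permit any: both 192.1.1.x routes go,
# because the 4th octet is "don't care" and the length is never looked at.
ACL_1 = [("deny", "192.1.1.0", "0.0.0.255"), ("permit", "0.0.0.0", ANY)]

# ip prefix-list NET deny 192.1.1.0/24 + permit 0.0.0.0/0 le 32: filters
# nothing, because no route is exactly 192.1.1.0/24.
PL_DENY_24 = [(5, "deny", "192.1.1.0/24", None, None),
              (10, "permit", "0.0.0.0/0", None, 32)]

# ip prefix-list NET deny 192.1.1.32/27 + permit 0.0.0.0/0 le 32: exact match.
PL_DENY_27 = [(5, "deny", "192.1.1.32/27", None, None),
              (10, "permit", "0.0.0.0/0", None, 32)]

# ip prefix-list Class-A permit 0.0.0.0/1 ge 8 le 8 (Task 2): first bit 0, /8 only.
PL_CLASS_A = [(5, "permit", "0.0.0.0/1", 8, 8)]

if __name__ == "__main__":
    print(apply_filter(OSPF_ROUTES, acl_permits, ACL_1))
    print(apply_filter(OSPF_ROUTES, prefix_list_permits, PL_DENY_24))
    print(apply_filter(OSPF_ROUTES, prefix_list_permits, PL_DENY_27))
    print(apply_filter(RIP_ROUTES, prefix_list_permits, PL_CLASS_A))
```

The range rule in prefix_list_permits is the part worth remembering: with neither ge nor le the route must have exactly the entry's length, "ge N" alone extends the upper bound to 32, and "le N" alone keeps the entry's own length as the lower bound, which is why "0.0.0.0/0 le 32" is the prefix-list spelling of "permit any".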
Task 2
Configure R1 such that it only allows class A networks that are not subnetted.

Before we configure the prefix-list, let's verify the routing table of R1:

On R1:

R1#Show ip route rip | B Gate
Gateway of last resort is not set
R    1.0.0.0/8 [120/1] via 13.1.1.3, 00:00:20, Serial1/3
     10.0.0.0/24 is subnetted, 1 subnets
R       10.1.1.0 [120/1] via 13.1.1.3, 00:00:20, Serial1/3
     11.0.0.0/16 is subnetted, 1 subnets
R       11.1.0.0 [120/1] via 13.1.1.3, 00:00:20, Serial1/3
     22.0.0.0/24 is subnetted, 1 subnets
R       22.1.2.0 [120/1] via 13.1.1.3, 00:00:20, Serial1/3
R    29.0.0.0/8 [120/1] via 13.1.1.3, 00:00:20, Serial1/3
     33.0.0.0/24 is subnetted, 1 subnets
R       33.0.0.0 [120/1] via 13.1.1.3, 00:00:20, Serial1/3
R    44.0.0.0/8 [120/1] via 13.1.1.3, 00:00:20, Serial1/3
R    201.1.3.0/24 [120/1] via 13.1.1.3, 00:00:20, Serial1/3

The highlighted networks above (1.0.0.0/8, 29.0.0.0/8 and 44.0.0.0/8) are NOT subnetted; therefore, they should be allowed in. In this case the task states that ONLY class A networks that are NOT subnetted should be allowed, or, put differently, that the subnetted class A networks should be filtered. This means the prefix-list can be configured either to allow the class A networks that are NOT subnetted or to filter the class A networks that are subnetted. Let's test both scenarios.

Class A networks are identified based on the following. In the following example the letter "n" identifies the network bits and "h" identifies the host bits:

0nnnnnnn.hhhhhhhh.hhhhhhhh.hhhhhhhh

• The first bit is set to 0; therefore, there are 7 network bits followed by 24 host bits
• Initial byte: 0 - 127
• 126 Class As exist (0 and 127 are reserved)
• 16,777,214 hosts on each Class A network

Note: The most significant bit of the first octet is set to a binary "0"; the rest of the bits in the first octet can be zeros or ones. If the most significant bit of the first octet is "0", it must be a class A network.

The prefix-list matches on the first bit by using a "/1" prefix-length:

On R1:

R1(config)#ip prefix-list Class-A seq 5 permit 0.0.0.0/1 ge 8 le 8
R1(config)#router rip
R1(config-router)#distribute-list prefix Class-A in S1/3
R1#Clear ip route *

To verify the configuration:

R1#Sh ip route rip | B Gate
Gateway of last resort is not set
R    1.0.0.0/8 [120/1] via 13.1.1.3, 00:00:16, Serial1/3
R    29.0.0.0/8 [120/1] via 13.1.1.3, 00:00:16, Serial1/3
R    44.0.0.0/8 [120/1] via 13.1.1.3, 00:00:16, Serial1/3

The same prefix-list could have been written to deny all subnetted class A networks and permit all class A networks that are not subnetted. Let's configure and test:

On R1:

R1(config)#No ip prefix-list Class-A

The following line denies all class A networks that have a prefix-length of "/9" or greater; the only way a class A network will have a prefix-length of 9 or greater is when it is subnetted. So the line below states that any prefix whose first bit is zero (the "/1") and whose prefix-length is "/9" or greater should be denied:

R1(config)#ip prefix-list Class-A deny 0.0.0.0/1 ge 9

The following line states that any class A network with a mask of "/8" should be allowed. This covers all class A networks:

R1(config)#ip prefix-list Class-A permit 0.0.0.0/1 ge 8 le 8
R1#Clear ip route *

R1#Sh ip route rip | B Gate
Gateway of last resort is not set
R    1.0.0.0/8 [120/1] via 13.1.1.3, 00:00:06, Serial1/3
R    29.0.0.0/8 [120/1] via 13.1.1.3, 00:00:06, Serial1/3
R    44.0.0.0/8 [120/1] via 13.1.1.3, 00:00:06, Serial1/3

Task 3
Configure R4 such that it only allows class B networks that are not subnetted.

Before the filter is configured and applied, let's check the routing table of R4:

On R4:

R4#Show ip route ospf | B Gate
Gateway of last resort is not set
O    128.1.0.0/16 [110/782] via 14.1.1.1, Serial1/1
O    131.1.0.0/16 [110/782] via 14.1.1.1, Serial1/1
     180.1.0.0/24 is subnetted, 3 subnets
O       180.1.4.0 [110/782] via 14.1.1.1, Serial1/1
O       180.1.5.0 [110/782] via 14.1.1.1, Serial1/1
O       180.1.6.0 [110/782] via 14.1.1.1, Serial1/1
O    191.1.0.0/16 [110/782] via 14.1.1.1, Serial1/1
O    192.1.1.0/24 [110/782] via 14.1.1.1, Serial1/1

The highlighted networks (128.1.0.0/16, 131.1.0.0/16 and 191.1.0.0/16) should be allowed, since they are NOT subnetted.

Class B networks are identified based on the following. In the following example the letter "n" identifies the network bits and "h" identifies the host bits:

10nnnnnn.nnnnnnnn.hhhhhhhh.hhhhhhhh

• The first two bits are set to "10"; therefore, there are 14 network bits left to identify the networks and the remaining 16 bits identify the host bits.
• Initial byte: 128 - 191
• 16,384 Class Bs exist
• 65,532 hosts on each Class B

If the most significant two bits of the first octet are set to "10", it is a class B network. The prefix-list matches on the most significant two bits of the first octet by using a "/2" prefix-length with a network address of 128.0.0.0. Since the task states that it should only allow class B networks that are not subnetted, the prefix-length specifies GE 16 and LE 16.

R4(config)#ip prefix-list NET permit 128.0.0.0/2 ge 16 le 16
R4(config)#Router ospf 1
R4(config-router)#distribute-list prefix NET in S1/1

To verify the configuration:

On R4:

R4#Show ip route ospf | B Gate
Gateway of last resort is not set
O    128.1.0.0/16 [110/782] via 14.1.1.1, 00:01:11, Serial1/1
O    131.1.0.0/16 [110/782] via 14.1.1.1, 00:01:11, Serial1/1
O    191.1.0.0/16 [110/782] via 14.1.1.1, 00:01:11, Serial1/1

Just like the previous task, we can deny all class B networks that are subnetted and permit only the class B networks that are NOT subnetted. Let's test and verify:

R4(config)#No ip prefix-list NET

The first line of the following prefix-list denies any class B network that has a prefix-length of 17 or higher, which means all the subnetted class B networks:

R4(config)#ip prefix-list NET deny 128.0.0.0/2 ge 17

The second and last line of this prefix-list permits any class B network that is NOT subnetted; this is identified by "ge 16", which means that the prefix-length must be greater than or equal to 16, combined with "le 16", which means less than or equal to 16:

R4(config)#ip prefix-list NET permit 128.0.0.0/2 ge 16 le 16

To verify the configuration:

On R4:

R4#Show ip route ospf | B Gate
Gateway of last resort is not set
O    128.1.0.0/16 [110/782] via 14.1.1.1, Serial1/1
O    131.1.0.0/16 [110/782] via 14.1.1.1, Serial1/1
O    191.1.0.0/16 [110/782] via 14.1.1.1, Serial1/1

Task 4
Configure R5 such that it only allows class C networks that are not subnetted.

Before this task is configured, we should verify the routing table on R5:

On R5:

R5#Show ip route eigrp | B Gate
Gateway of last resort is not set
D    198.1.1.0/24 [90/156160] via 45.1.1.4, FastEthernet0/0
D    199.1.1.0/24 [90/156160] via 45.1.1.4, FastEthernet0/0
D    200.1.1.0/24 [90/156160] via 45.1.1.4, FastEthernet0/0
     200.1.4.0/29 is subnetted, 1 subnets
D       200.1.4.8 [90/156160] via 45.1.1.4, FastEthernet0/0
     200.1.5.0/30 is subnetted, 1 subnets
D       200.1.5.4 [90/156160] via 45.1.1.4, FastEthernet0/0
D    223.1.1.0/24 [90/156160] via 45.1.1.4, FastEthernet0/0

As we can see, only the highlighted networks (198.1.1.0/24, 199.1.1.0/24, 200.1.1.0/24 and 223.1.1.0/24) should be permitted.

Class C networks are identified based on the following. In the following example the letter "n" identifies the network bits and "h" identifies the host bits:

110nnnnn.nnnnnnnn.nnnnnnnn.hhhhhhhh

• The first three bits of the first octet are reserved as "110"; since the first three octets belong to the network, there are 21 network bits left to identify the networks, and the remaining 8 bits identify the host bits
• Initial byte: 192 - 223
• 2,097,152 Class Cs exist
• Each class C network can handle 254 hosts

R5(config)#ip prefix-list NET permit 192.0.0.0/3 ge 24 le 24
R5(config)#router eigrp 1
R5(config-router)#distribute-list prefix NET in F0/0

To verify the configuration:

On R5:

R5#Show ip route eigrp | B Gate
Gateway of last resort is not set
D    198.1.1.0/24 [90/156160] via 45.1.1.4, FastEthernet0/0
D    199.1.1.0/24 [90/156160] via 45.1.1.4, FastEthernet0/0
D    200.1.1.0/24 [90/156160] via 45.1.1.4, FastEthernet0/0
D    223.1.1.0/24 [90/156160] via 45.1.1.4, FastEthernet0/0

Let's remove the prefix-list and configure a new one that denies all subnetted class C networks and only permits the class C networks that are not subnetted:

On R5:

R5(config)#No ip prefix-list NET
R5(config)#ip prefix-list NET deny 192.0.0.0/3 ge 25
R5(config)#ip prefix-list NET permit 192.0.0.0/3 ge 24 le 24

To verify the configuration:

On R5:

R5#Show ip route eigrp | B Gate
Gateway of last resort is not set
D    198.1.1.0/24 [90/156160] via 45.1.1.4, 00:00:44, FastEthernet0/0
D    199.1.1.0/24 [90/156160] via 45.1.1.4, 00:00:44, FastEthernet0/0
D    200.1.1.0/24 [90/156160] via 45.1.1.4, 00:00:44, FastEthernet0/0
D    223.1.1.0/24 [90/156160] via 45.1.1.4, 00:00:44, FastEthernet0/0

Task 5
Configure R4 such that it only allows prefixes 10.4.4.33/27 and 10.4.5.65/26 and filters the rest of the prefixes. You should configure the minimum number of lines in the prefix-list to accomplish this task. (Note that the prefix-list configured below denies these two prefixes and permits the rest, which is what the verification output shows.)
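The task asks for the fewest prefix-list lines, and the solution below finds them by converting the third and fourth octets to binary and counting the leading bits the two networks share. As an added example (our own script, not from the workbook), here is that derivation in Python, also applied to the 146.1.x.x and 6.1.x.x groups of Task 10 further on. The function names (covering_entry, binary_octets, entry_covers) are ours. It reports the tightest length range (ge 26 le 27 for Task 5, where the page uses ge 24 le 27) and the longest shared prefix (6.1.4.0/23 for the two 6.1.x.x prefixes, where the page uses 6.1.0.0/21); each of these entries matches the same routes in the routing tables shown on this page.

```python
"""Added example: derive the single covering prefix and the ge/le range that
Task 5 (and later Task 10) work out by hand from the binary form of the
addresses. Inputs are the prefixes named in those tasks; the helpers are ours."""
import ipaddress


def covering_entry(prefixes):
    """Return (covering_prefix, ge, le) for a list of prefixes.

    The covering prefix keeps only the leading bits on which every network
    address agrees (capped at the shortest prefix-length, since bits beyond it
    are not significant); ge/le are the shortest and longest lengths seen."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    first = int(nets[0].network_address)
    differing = 0
    for n in nets[1:]:
        differing |= first ^ int(n.network_address)   # 1 = some address differs
    common = 32 - differing.bit_length()              # leading bits all agree on
    shortest = min(n.prefixlen for n in nets)
    longest = max(n.prefixlen for n in nets)
    common = min(common, shortest)
    cover = ipaddress.ip_network(f"{nets[0].network_address}/{common}",
                                 strict=False)
    return str(cover), shortest, longest


def binary_octets(prefix):
    """Third and fourth octet of the network address in binary, as the page's
    table shows them, e.g. '00000100 00100000' for 10.4.4.32/27."""
    net = ipaddress.ip_network(prefix, strict=False)
    o = net.network_address.packed
    return f"{o[2]:08b} {o[3]:08b}"


def entry_covers(cover, ge, le, prefix):
    """Check: a prefix matches the entry when it lies inside the covering prefix
    and its length falls in [ge, le] (the ip prefix-list matching rule)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.subnet_of(ipaddress.ip_network(cover)) and ge <= net.prefixlen <= le


# Prefixes from Task 5 and Task 10 (host addresses, as the workbook lists them).
TASK5 = ["10.4.4.33/27", "10.4.5.65/26"]
TASK10_146 = ["146.1.2.125/25", "146.1.3.193/26", "146.1.4.225/27"]
TASK10_6 = ["6.1.4.225/27", "6.1.5.241/28"]

if __name__ == "__main__":
    for group in (TASK5, TASK10_146, TASK10_6):
        cover, ge, le = covering_entry(group)
        for p in group:
            print(f"{p:>16}  {binary_octets(p)}")
        print(f"ip prefix-list X deny {cover} ge {ge} le {le}\n")
```

The cap at the shortest prefix-length is the edge case worth noting: for 10.0.0.0/8 and 10.0.0.0/16 every address bit agrees, but the covering entry must still be 10.0.0.0/8 ge 8 le 16, not a /32.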
Before the prefix-list is configured, we should verify the existing routing table on R4:

On R4:

R4#Show ip route rip | B Gate
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
R       10.4.4.32/27 [120/1] via 45.1.1.5, 00:00:05, FastEthernet0/0
R       10.4.5.64/26 [120/1] via 45.1.1.5, 00:00:05, FastEthernet0/0
     211.4.4.0/27 is subnetted, 1 subnets
R       211.4.4.32 [120/1] via 45.1.1.5, 00:00:05, FastEthernet0/0

Let's configure the task. To figure out how we are going to use the minimum number of lines, we should focus on the third and the fourth octets. Let's convert the third and the fourth octets of these two prefixes to binary:

Prefix       Third octet   Fourth octet
10.4.4.32    0000 0100     0010 0000
10.4.5.64    0000 0101     0100 0000

Once the third and the fourth octets of these two networks are converted to binary, we identify the contiguous identical binary digits:

10.4.4.32    0000 010|0    0010 0000
10.4.5.64    0000 010|1    0100 0000

We can see that the first 23 bits are identical; this includes the first two octets (16 bits) plus the most significant 7 bits of the third octet, which adds up to 23 bits. This defines the network 10.4.4.0, so we need the first 23 bits to be exactly those of 10.4.4.0; therefore, it is written as 10.4.4.0/23. Now, for the mask, it needs to be GE 23 and LE 27; this will cover the two prefixes. Let's configure the prefix-list and verify:

On R4:

R4(config)#ip prefix-list Task-5 deny 10.4.4.0/23 ge 24 le 27
R4(config)#ip prefix-list Task-5 permit 0.0.0.0/0 le 32
R4(config)#Router rip
R4(config-router)#distribute-list prefix Task-5 in F0/0
R4#Clear ip route *

To verify the configuration:

On R4:

R4#Show ip route rip | B Gate
Gateway of last resort is not set
     211.4.4.0/27 is subnetted, 1 subnets
R       211.4.4.32 [120/1] via 45.1.1.5, 00:00:01, FastEthernet0/0

Task 6
Configure R5 to inject a default route into the RIP routing domain. If this configuration is successful, R4 should see the default route in its routing table.

On R5:

R5(config)#router rip
R5(config-router)#default-information originate

To verify the configuration:

On R4:

R4#Show ip route rip | B Gate
Gateway of last resort is 45.1.1.5 to network 0.0.0.0
R*   0.0.0.0/0 [120/1] via 45.1.1.5, 00:00:02, FastEthernet0/0
     211.4.4.0/27 is subnetted, 1 subnets
R       211.4.4.32 [120/1] via 45.1.1.5, 00:00:02, FastEthernet0/0

Task 7
R4 should be configured to filter the default route injected in the previous step.

On R4:

R4#Show run | s router rip
router rip
 version 2
 network 45.0.0.0
 distribute-list prefix Task-5 in FastEthernet0/0
 no auto-summary

We can see the prefix-list "Task-5" applied to the F0/0 interface inbound; therefore, we can only add to the existing prefix-list. Let's look at the existing prefix-list:

R4#Show run | i ip prefix-list Task-5
ip prefix-list Task-5 seq 5 deny 10.4.4.0/23 ge 24 le 27
ip prefix-list Task-5 seq 10 permit 0.0.0.0/0 le 32

We should add sequence 7 (before the permit-any statement) to deny the default route:

R4(config)#ip prefix-list Task-5 seq 7 deny 0.0.0.0/0

To verify the configuration:

On R4:

R4#Clear ip route *
R4#Show ip route rip | B Gate
Gateway of last resort is not set
     211.4.4.0/27 is subnetted, 1 subnets
R       211.4.4.32 [120/1] via 45.1.1.5, 00:00:17, FastEthernet0/0

Task 8
Configure R6 to filter any networks with a prefix-length of 26 or less.

Let's verify the routing table of R6 before configuring any prefix-list:

On R6:

R6#Show ip route ospf | B Gate
Gateway of last resort is not set
O    99.0.0.0/8 [110/782] via 56.1.1.5, 00:00:08, Serial1/5
O    185.1.0.0/16 [110/782] via 56.1.1.5, 00:00:09, Serial1/5
     186.1.0.0/17 is subnetted, 1 subnets
O       186.1.128.0 [110/782] via 56.1.1.5, 00:00:09, Serial1/5
     189.1.0.0/24 is subnetted, 1 subnets
O       189.1.1.0 [110/782] via 56.1.1.5, 00:00:09, Serial1/5
     205.1.1.0/28 is subnetted, 1 subnets
O       205.1.1.240 [110/782] via 56.1.1.5, 00:00:09, Serial1/5
     206.1.1.0/30 is subnetted, 1 subnets
O       206.1.1.248 [110/782] via 56.1.1.5, 00:00:09, Serial1/5
     207.1.1.0/26 is subnetted, 1 subnets
O       207.1.1.192 [110/782] via 56.1.1.5, 00:00:09, Serial1/5
     208.1.1.0/25 is subnetted, 1 subnets
O       208.1.1.128 [110/782] via 56.1.1.5, 00:00:09, Serial1/5
     211.4.4.0/27 is subnetted, 1 subnets
O       211.4.4.32 [110/782] via 56.1.1.5, 00:00:09, Serial1/5

We can see prefixes with prefix-lengths of /8, /16, /17, /24, /25, /26, /27, /28 and /30. In this task we are going to filter any prefix with a prefix-length of 26 or less; this should leave us with the following networks: 205.1.1.240/28, 206.1.1.248/30 and 211.4.4.32/27.

To configure this task and verify:

On R6:

The following prefix-list denies any prefix as long as its prefix-length is greater than or equal to 8 and less than or equal to 26:

R6(config)#ip prefix-list Task-8 deny 0.0.0.0/0 ge 8 le 26
R6(config)#ip prefix-list Task-8 permit 0.0.0.0/0 le 32
R6(config)#router ospf 1
R6(config-router)#distribute-list prefix Task-8 in

To verify the configuration:

R6#Show ip route ospf | B Gate
Gateway of last resort is not set
     205.1.1.0/28 is subnetted, 1 subnets
O       205.1.1.240 [110/782] via 56.1.1.5, 00:01:15, Serial1/5
     206.1.1.0/30 is subnetted, 1 subnets
O       206.1.1.248 [110/782] via 56.1.1.5, 00:01:15, Serial1/5
     211.4.4.0/27 is subnetted, 1 subnets
O       211.4.4.32 [110/782] via 56.1.1.5, 00:01:15, Serial1/5

Task 9
Re-configure R6 to filter any networks with a prefix-length of 26 or greater.
Before we configure any filtering task, we should always verify the routing table:

On R6:

R6(config)#No ip prefix-list Task-8

R6#Show ip route ospf | B Gate
Gateway of last resort is not set
O    99.0.0.0/8 [110/782] via 56.1.1.5, 00:02:00, Serial1/5
O    185.1.0.0/16 [110/782] via 56.1.1.5, 00:02:00, Serial1/5
     186.1.0.0/17 is subnetted, 1 subnets
O       186.1.128.0 [110/782] via 56.1.1.5, 00:02:00, Serial1/5
     189.1.0.0/24 is subnetted, 1 subnets
O       189.1.1.0 [110/782] via 56.1.1.5, 00:02:00, Serial1/5
     205.1.1.0/28 is subnetted, 1 subnets
O       205.1.1.240 [110/782] via 56.1.1.5, 00:02:00, Serial1/5
     206.1.1.0/30 is subnetted, 1 subnets
O       206.1.1.248 [110/782] via 56.1.1.5, 00:02:00, Serial1/5
     207.1.1.0/26 is subnetted, 1 subnets
O       207.1.1.192 [110/782] via 56.1.1.5, 00:02:00, Serial1/5
     208.1.1.0/25 is subnetted, 1 subnets
O       208.1.1.128 [110/782] via 56.1.1.5, 00:02:00, Serial1/5
     211.4.4.0/27 is subnetted, 1 subnets
O       211.4.4.32 [110/782] via 56.1.1.5, 00:02:00, Serial1/5

Let's configure the prefix-list. The following prefix-list denies any network/prefix that has a prefix-length of 26 or greater (26, 27, 28, 29, 30, 31 and 32) and permits everything else:

R6(config)#ip prefix-list Task-8 deny 0.0.0.0/0 ge 26
R6(config)#ip prefix-list Task-8 permit 0.0.0.0/0 le 32

To verify the configuration:

On R6:

R6#Show ip route ospf | B Gate
Gateway of last resort is not set
O    99.0.0.0/8 [110/782] via 56.1.1.5, 00:00:10, Serial1/5
O    185.1.0.0/16 [110/782] via 56.1.1.5, 00:00:10, Serial1/5
     186.1.0.0/17 is subnetted, 1 subnets
O       186.1.128.0 [110/782] via 56.1.1.5, 00:00:10, Serial1/5
     189.1.0.0/24 is subnetted, 1 subnets
O       189.1.1.0 [110/782] via 56.1.1.5, 00:00:10, Serial1/5
     208.1.1.0/25 is subnetted, 1 subnets
O       208.1.1.128 [110/782] via 56.1.1.5, 00:00:10, Serial1/5

Task 10
Configure R7 to filter the following networks; you should be as specific as possible, using only two prefix-list statements.
146.1.2.125/25     6.1.4.225/27
146.1.3.193/26     6.1.5.241/28
146.1.4.225/27

Let's check the routing table of R7:

On R7:

R7#Show ip route eigrp | B Gate
Gateway of last resort is not set
     6.0.0.0/8 is variably subnetted, 5 subnets, 5 masks
D       6.1.1.0/24 [90/156160] via 67.1.1.6, 00:00:17, GigabitEthernet0/0
D       6.1.2.128/25 [90/156160] via 67.1.1.6, 00:00:17, GigabitEthernet0/0
D       6.1.3.192/26 [90/156160] via 67.1.1.6, 00:00:17, GigabitEthernet0/0
D       6.1.4.224/27 [90/156160] via 67.1.1.6, 00:00:17, GigabitEthernet0/0
D       6.1.5.240/28 [90/156160] via 67.1.1.6, 00:00:17, GigabitEthernet0/0
     146.1.0.0/16 is variably subnetted, 5 subnets, 5 masks
D       146.1.1.0/24 [90/156160] via 67.1.1.6, 00:03:38, GigabitEthernet0/0
D       146.1.2.128/25 [90/156160] via 67.1.1.6, 00:03:38, GigabitEthernet0/0
D       146.1.3.192/26 [90/156160] via 67.1.1.6, 00:03:38, GigabitEthernet0/0
D       146.1.4.224/27 [90/156160] via 67.1.1.6, 00:03:38, GigabitEthernet0/0
D       146.1.5.240/28 [90/156160] via 67.1.1.6, 00:03:38, GigabitEthernet0/0

The task states that we should only configure two prefix-list statements and be as accurate as possible. In the third octet of the 146.1.x.x prefixes, the most significant 5 bits are identical, and since the first two octets are also identical, the prefix-list should filter the following prefix: 146.1.0.0/21, meaning that the first 21 bits should match. Now for the mask: it should say greater than or equal to 25 and less than or equal to 27. It should look like the following:

ip prefix-list TST deny 146.1.0.0/21 ge 25 le 27

After applying the above prefix-list, we should only see the following two networks in the routing table of R7: 146.1.1.0/24 and 146.1.5.240/28.

Now let's resolve the requirement for the 6.1.x.x networks. The task states that the 6.1.4.225/27 and 6.1.5.241/28 prefixes should also be filtered; the prefix-list for these networks should look like the following:

ip prefix-list TST deny 6.1.0.0/21 ge 27 le 28

To configure and test this task:

On R7:

R7(config)#ip prefix-list TST deny 146.1.0.0/21 ge 25 le 27
R7(config)#ip prefix-list TST deny 6.1.0.0/21 ge 27 le 28
R7(config)#ip prefix-list TST permit 0.0.0.0/0 le 32
R7(config)#Router eigrp 100
R7(config-router)#distribute-list prefix TST in g0/0

R7#Show ip route eigrp | B Gate
Gateway of last resort is not set
     6.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
D       6.1.1.0/24 [90/156160] via 67.1.1.6, 00:43:03, GigabitEthernet0/0
D       6.1.2.128/25 [90/156160] via 67.1.1.6, 00:43:03, GigabitEthernet0/0
D       6.1.3.192/26 [90/156160] via 67.1.1.6, 00:43:03, GigabitEthernet0/0
     146.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       146.1.1.0/24 [90/156160] via 67.1.1.6, 00:46:24, GigabitEthernet0/0
D       146.1.5.240/28 [90/156160] via 67.1.1.6, 00:46:24, GigabitEthernet0/0

Task 11
Erase the startup configuration and reload the routers before proceeding to the next lab.

IP Services

NAT

Lab 1 - Static NAT Configuration

Topology: R1 and R2 are connected over 131.1.12.0/24.

Lab Setup:
To copy and paste the initial configurations, go to "http://micronics.nl" -> "Advanced-init" -> "NAT" -> "Lab-1".

Task 1
Configure a default route on R2 pointing to its S1/1 interface.

On R2:

R2(config)#ip route 0.0.0.0 0.0.0.0 S1/1

This is configured for the initial traffic.
Task 2
Configure a static NAT; ensure that the primary IP address of R2's loopback0 interface is translated to an IP address of your choice such that a ping sourced from this loopback interface destined to the lo0 interface of R1 is successful. You should NOT configure R1 to accomplish this task.

On R2:

R2(config)#int lo0
R2(config-if)#ip nat inside
R2(config)#int S1/1
R2(config-if)#ip nat outside
R2(config)#ip nat inside source static 10.2.2.1 131.1.12.3

The above command statically translates the inside local IP address of 10.2.2.1 to the inside global IP address of 131.1.12.3. Since 131.1.12.3 is in the same IP address space as R1's S1/2 interface, there is nothing to configure on R1 to accomplish this task.

To verify the configuration:

On R2:

R2#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  131.1.12.3         10.2.2.1           ---                ---

Inside Local: the inside local address is the private IP address of a host on your network (e.g., a PC's IP address).
Inside Global: the inside global address is the public/registered IP address that the outside network sees as the IP address of your local host.
Outside Local: the outside local address is the IP address from the private network which your local host sees as the IP address of the remote host.
Outside Global: the outside global address is the public IP address of the remote host (e.g., the IP address of the remote web server that a workstation is connecting to).

Let's turn on debugging and perform a ping so we can see the translation:

On R2:

R2#Debug ip nat

The following will disable the timestamp for debug messages:

R2(config)#No service timestamps debug

R2#Ping 1.1.1.1 source 10.2.2.1 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms
NAT: s=10.2.2.1->131.1.12.3, d=1.1.1.1 [0]
NAT*: s=1.1.1.1, d=131.1.12.3->10.2.2.1 [0]

NOTE: The source IP address of the ICMP echo packet is 10.2.2.1, which is translated to 131.1.12.3 on its way to destination 1.1.1.1.

R2#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 131.1.12.3:1      10.2.2.1:1         1.1.1.1:1          1.1.1.1:1
---  131.1.12.3         10.2.2.1           ---                ---

We can see that the outside local and outside global IP addresses are the same, because the outside address is not translated to some other IP address. In the output of the above show command we can also see the protocol used in this communication, in this case ICMP. Let's try Telnet and verify:

R2#Telnet 1.1.1.1 /source Lo0
Trying 1.1.1.1 ... Open
Password required, but none set
[Connection to 1.1.1.1 closed by foreign host]

R2#Sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
tcp  131.1.12.3:41737   10.2.2.1:41737     1.1.1.1:23         1.1.1.1:23
---  131.1.12.3         10.2.2.1           ---                ---

We can see that after a while the entry times out of the NAT table; this timeout value can be changed using the "ip nat translation" global configuration command. Let's configure the timeout for ICMP to be 60 seconds:

R2(config)#ip nat translation icmp-timeout 60

To verify the configuration:

On R2:

R2(config)#Service timestamps debug

R2#Ping 1.1.1.1 source 10.2.2.1 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 32/32/32 ms
01:24:42: NAT: s=10.2.2.1->131.1.12.3, d=1.1.1.1 [8]
01:24:42: NAT*: s=1.1.1.1, d=131.1.12.3->10.2.2.1 [8]

You should see the following debug output one minute later:

01:25:42: NAT: expiring 131.1.12.3 (10.2.2.1) icmp 4 (4)

NOTE: One minute later the entry was removed. Let's disable the debug:

R2#Undebug all
All possible debugging has been turned off

Task 3
Remove the "ip nat inside source" command from R2 that was configured in Task 2. Accomplish the previous task using another static method.

On R2:

To remove the command entered in the previous task:

R2(config)#NO ip nat inside source static 10.2.2.1 131.1.12.3

The following command translates the inside local address of 10.2.2.1 to the inside global address of 131.1.12.2 (the IP address of the S1/1 interface):

R2(config)#ip nat inside source static 10.2.2.1 interface S1/1

To verify the configuration:

On R2:

R2#Debug ip nat
R2#Ping 1.1.1.1 source 10.2.2.1 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms
NAT: s=10.2.2.1->131.1.12.2, d=1.1.1.1 [9]
NAT*: s=1.1.1.1, d=131.1.12.2->10.2.2.1 [9]

Note: The source is translated to the IP address of R2's S1/1 interface. The IP address of R2's S1/1 could also have been used instead of the "interface S1/1" keyword. To see the translation table used by R2:

R2#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 131.1.12.2:2      10.2.2.1:2         1.1.1.1:2          1.1.1.1:2
---  131.1.12.2         10.2.2.1           ---                ---

Task 4
On R2, remove the static NAT command before proceeding to the next task.
On R2:

R2#Clear ip nat translation *

If the translation table is not cleared, you will receive an error message telling you that the static entry

R2(config)#NO ip nat inside source static 10.2.2.1 interface S1/1

Task 5
Configure static NAT on R2 such that the entire private network (10.2.2.0/24) is translated to 200.2.2.0/24. Ensure that the host portion of the inside global IP addresses matches the host portion of the inside local addresses. You must use a static NAT to accomplish this task. You are allowed to configure a single static route on R1.

The following static route is needed since the source IP address of all packets from the 10.2.2.0/24 network will be translated to an IP address from the 200.2.2.0/24 network. If this is NOT configured, R1 will NOT be able to return the traffic.

On R1:

R1(config)#ip route 200.2.2.0 255.255.255.0 131.1.12.2

On R2:

R2(config)#ip nat inside source static network 10.2.2.0 200.2.2.0 /24

To verify the configuration:

On R2:

R2#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  200.2.2.0          10.2.2.0           ---                ---

To test the configuration:

R2#Debug ip nat
IP NAT debugging is on
R2#Ping 1.1.1.1 source 10.2.2.3 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.3
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms
NAT: s=10.2.2.3->200.2.2.3, d=1.1.1.1 [7]
NAT*: s=1.1.1.1, d=200.2.2.3->10.2.2.3 [7]

R2#Ping 1.1.1.1 source 10.2.2.5 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.5
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms
NAT: s=10.2.2.5->200.2.2.5, d=1.1.1.1 [21]
NAT*: s=1.1.1.1, d=200.2.2.5->10.2.2.5 [21]

R2#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 200.2.2.3:6       10.2.2.3:6         1.1.1.1:6          1.1.1.1:6
---  200.2.2.3          10.2.2.3           ---                ---
icmp 200.2.2.5:10      10.2.2.5:10        1.1.1.1:10         1.1.1.1:10
---  200.2.2.5          10.2.2.5           ---                ---
---  200.2.2.0          10.2.2.0           ---                ---

NOTE: When 10.2.2.3 pings 1.1.1.1, the source IP address is translated to 200.2.2.3, and when 10.2.2.5 pings 1.1.1.1, the source IP address is translated to 200.2.2.5.

Task 6
Erase the startup config and reload the routers before proceeding to the next lab.

Lab 2 - Static NAT Configuration & the "Alias" Keyword

Lab Setup:
To copy and paste the initial configurations, go to "http://micronics.nl" -> "Advanced-init" -> "NAT" -> "Lab-2".

Task 1
Configure static NAT on R1 to translate the inside local IP address of 1.1.1.1 to the inside global address of 12.1.1.11. Do not configure R2 to accomplish this task.

In the first step of this configuration, the Inside and the Outside domains are defined:

On R1:

R1(config)#Int Lo0
R1(config-if)#IP NAT Inside
R1(config)#Int F0/0
R1(config-if)#IP NAT Outside

In the second and last step the actual NAT statement is configured:

R1(config)#IP NAT Inside source static 1.1.1.1 12.1.1.11

To verify the configuration:

On R1:

R1#Ping 12.1.1.2 Source Lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

NOW, let's see what happened: R1 pinged 12.1.1.2 using the 1.1.1.1 IP address as the source.
Since going from Inside to Outside, routing is consulted before NATing, and 12.1.1.0/24 is connected to the F0/0 interface of R1, the routing part of this process is satisfied; therefore, NAT is processed and the source IP address of 1.1.1.1 is translated to 12.1.1.11. A packet with a source IP address of 12.1.1.11 and a destination IP address of 12.1.1.2 must be sent to 12.1.1.2. An ARP request has to be sent for the MAC address of 12.1.1.2; R2 responds with its MAC address and the ICMP packet is received by R2.

On R2, the received packet has a source IP address of 12.1.1.11 and a destination address of 12.1.1.2. R2 has to perform an ARP request for 12.1.1.11. R1 has created an entry for 12.1.1.11 in its ARP table, because this is the default behavior on multiaccess interfaces. This default can be changed, but if it is changed, meaning that R1 does not create an ARP entry for the 12.1.1.11 IP address, R2 won't be able to reply. Let's verify:

On R1:
Before we change the default behavior, let's check the ARP table on R1:

R1#Show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.1.1.1                -   0000.1111.1111  ARPA   FastEthernet0/0
Internet  12.1.1.11               -   0000.1111.1111  ARPA   FastEthernet0/0

We can see an entry that was created automatically by R1 so it can respond to R2's ARP requests.

R1(config)#ip nat inside source static 1.1.1.1 12.1.1.11 no-alias

R1#Show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.1.1.1                -   0000.1111.1111  ARPA   FastEthernet0/0

As we can see, the ARP entry for the IP address 12.1.1.11 was removed. Let's originate a ping sourced from the Lo0 interface of R1 destined to 12.1.1.2:

On R1:
Let's enable "Debug ip nat", "Debug ip packet" and "Debug arp" on R1 and "Debug arp" on R2:

R1#Debug ip nat
IP NAT debugging is on
R1#Debug arp
ARP packet debugging is on
R1#Debug ip packet
IP packet debugging is on

On R2:
R2#Debug arp
ARP packet debugging is on

Let's check R2's ARP cache:

R2#Show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.1.1.1                9   0000.1111.1111  ARPA   FastEthernet0/0
Internet  12.1.1.2                -   0000.2222.2222  ARPA   FastEthernet0/0
Internet  12.1.1.11               9   0000.1111.1111  ARPA   FastEthernet0/0

We can see that R2 still has an entry for the 12.1.1.11 IP address. Let's clear this entry and test:

R2#Clear ip arp 12.1.1.11

R2#Sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.1.1.1               10   0000.1111.1111  ARPA   FastEthernet0/0
Internet  12.1.1.2                -   0000.2222.2222  ARPA   FastEthernet0/0

On R1:
R1#Ping 12.1.1.2 sou lo0 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

R1 originated an ICMP packet with a source IP address of 1.1.1.1 destined to 12.1.1.2; the routing table was consulted and a directly connected interface was found:

IP: tableid=0, s=1.1.1.1 (local), d=12.1.1.2 (FastEthernet0/0), routed via RIB
IP: s=1.1.1.1 (local), d=12.1.1.2 (FastEthernet0/0), len 100, sending
    ICMP type=8, code=0

NATing occurred and the source IP address of 1.1.1.1 was translated to 12.1.1.11:

NAT: s=1.1.1.1->12.1.1.11, d=12.1.1.2 [58]

Since R1 does not have an ARP entry for the IP address of 12.1.1.2, an ARP request was sent for the IP address of 12.1.1.2.

NOTE: You may NOT see the following output because your router may already have an ARP entry.
IP ARP: creating incomplete entry for IP address: 12.1.1.2 interface FastEthernet0/0
IP ARP: sent req src 12.1.1.1 0000.1111.1111, dst 12.1.1.2 0000.0000.0000 FastEthernet0/0
IP: s=12.1.1.11 (local), d=12.1.1.2 (FastEthernet0/0), len 100, encapsulation failed
    ICMP type=8, code=0

R2 responds with its MAC address:

IP ARP: rcvd rep src 12.1.1.2 0000.2222.2222, dst 12.1.1.1 FastEthernet0/0

The ICMP packet is sent:

IP: tableid=0, s=1.1.1.1 (local), d=12.1.1.2 (FastEthernet0/0), routed via FIB
IP: s=1.1.1.1 (local), d=12.1.1.2 (FastEthernet0/0), len 100, sending
    ICMP type=8, code=0
NAT: s=1.1.1.1->12.1.1.11, d=12.1.1.2 [59]

R2 received the packet, and since R2 did NOT have an entry for 12.1.1.11 in its ARP table, it originated an ARP request:

IP ARP: rcvd req src 12.1.1.2 0000.2222.2222, dst 12.1.1.11 FastEthernet0/0

The following process is repeated five times:

IP: tableid=0, s=1.1.1.1 (local), d=12.1.1.2 (FastEthernet0/0), routed via FIB
IP: s=1.1.1.1 (local), d=12.1.1.2 (FastEthernet0/0), len 100, sending
    ICMP type=8, code=0
NAT: s=1.1.1.1->12.1.1.11, d=12.1.1.2 [60]
IP ARP: rcvd req src 12.1.1.2 0000.2222.2222, dst 12.1.1.11 FastEthernet0/0
Let's check the output of the debug command on R2:

On R2:
This is what happened when R2 received the ICMP packet from R1; R2 sees that it has no entry for the MAC address of 12.1.1.11, so it sent an ARP request for the MAC address of 12.1.1.11:

IP ARP: creating incomplete entry for IP address: 12.1.1.11 interface FastEthernet0/0
IP ARP: sent req src 12.1.1.2 0000.2222.2222, dst 12.1.1.11 0000.0000.0000 FastEthernet0/0

As we can see, R2 does NOT receive any ARP replies for the MAC address of 12.1.1.11, so the ping fails. The following debug output is repeated five times:

IP ARP: sent req src 12.1.1.2 0000.2222.2222, dst 12.1.1.11 0000.0000.0000 FastEthernet0/0

Therefore, by default, the static NAT statement has the "alias" keyword at the end, which instructs R1 to create an ARP entry using its F0/0 interface's MAC address. But what if the statement has the "no-alias" keyword at the end, and the task states that the NAT statement can NOT be changed? How can we resolve this issue?

Let's disable the debugging on both routers:

On R1 and R2:
Rx#Undebug all
All possible debugging has been turned off

Solution #1
Create a static ARP entry for 12.1.1.11 on R2 pointing to the MAC address of R1's F0/0:

On R2:
R2(config)#arp 12.1.1.11 0000.1111.1111 arpa

On R1:
R1#Ping 12.1.1.2 source Lo0 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms

Let's remove the static ARP entry from R2:

On R2:
R2(config)#no arp 12.1.1.11 0000.1111.1111 arpa

Solution #2
Enable "ip local-proxy-arp" on the F0/0 interface of R1:

R1(config)#int F0/0
R1(config-if)#ip local-proxy-arp

To verify the configuration:

On R1:
R1#Ping 12.1.1.2 source Lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/1/1 ms

R1#Sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.1.1.1                -   0000.1111.1111  ARPA   FastEthernet0/0
Internet  12.1.1.2                0   0000.2222.2222  ARPA   FastEthernet0/0

Let's see the ARP table on R2:

On R2:
R2#Sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.1.1.1                0   0000.1111.1111  ARPA   FastEthernet0/0
Internet  12.1.1.2                -   0000.2222.2222  ARPA   FastEthernet0/0
Internet  12.1.1.11               0   0000.1111.1111  ARPA   FastEthernet0/0

For "ip local-proxy-arp" to work, "ip proxy-arp" must also be enabled. "ip local-proxy-arp" allows the local router (in this case R1) to respond to ARP requests for IP addresses within a subnet where typically no routing is required (same network). This command is typically used when hosts within the same subnet/VLAN are intentionally prevented from communicating directly with each other.

Task 2
Erase the startup config and reload the routers before proceeding to the next lab.

Lab 3 - NAT Reversible

Lab Setup:
To copy and paste the initial configurations, go to "http://micronics.nl" > "Advanced-init" > "NAT" > "Lab-3".

Task 1
Configure RIPv2 on all directly connected interfaces of R1 and the F0/0 interface of R2. R2 should redistribute network 23.1.1.0/24 into the RIP routing protocol so R1 can have access to the network.
R3 should be configured with a static default route pointing to R2.

On R1:
R1(config)#router rip
R1(config-router)#no au
R1(config-router)#ver 2
R1(config-router)#netw 1.0.0.0
R1(config-router)#netw 11.0.0.0
R1(config-router)#netw 12.0.0.0

On R2:
R2(config)#router rip
R2(config-router)#no au
R2(config-router)#ver 2
R2(config-router)#netw 12.0.0.0
R2(config-router)#redistribute connected metric 2

On R3:
R3(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2

To verify the configuration:

On R1:
R1#Show ip route rip | inc R
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
R        23.1.1.0 [120/2] via 12.1.1.2, 00:00:14, FastEthernet0/0

On R2:
R2#Show ip route rip | inc R
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
R        1.1.1.0 [120/1] via 12.1.1.1, 00:00:25, FastEthernet0/0
R        11.1.1.0 [120/1] via 12.1.1.1, 00:00:25, FastEthernet0/0

On R3:
R3#Show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
  * 23.1.1.2
      Route metric is 0, traffic share count is 1

R3#Ping 12.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/32 ms

Task 2
Configure R2 to translate the Loopback0 and Loopback1 interfaces of R1 to 100.1.1.1 and 100.1.1.2/24 respectively.
This translation should be configured such that once a host from the Inside establishes a connection with a host on the Outside, a static entry in the translation table is created so the hosts from the Outside can contact the hosts from the Inside domain. You MUST configure a NAT pool and a route-map to accomplish this task.

When configuring NAT using route-maps, the external hosts can NOT have a reverse connection back to the hosts on the Inside domain, because the translation table does NOT include a one-to-one mapping. Reversible NAT creates the extendable entries plus the one-to-one mapping, so the external hosts have the ability to connect to the Inside hosts.

The following configuration defines the Inside and the Outside domain:

On R2:
R2(config)#int S1/3
R2(config-if)#ip nat outside
R2(config-if)#int F0/0
R2(config-if)#ip nat inside

A pool of inside global IP addresses is defined:

R2(config)#ip nat pool NAT-POOL 100.1.1.1 100.1.1.2 prefix-length 24

An access-list is configured to identify the inside local IP addresses that need to be translated:

R2(config)#ip access-list standard HOSTS
R2(config-std-nacl)#permit host 1.1.1.1
R2(config-std-nacl)#permit host 11.1.1.1

The following route-map references the access-list configured above:

R2(config)#route-map tst permit 10
R2(config-route-map)#match ip addr HOSTS

The following NAT statement states that inside source IP addresses that are referenced by a route-map called "tst" should be translated into one of the IP addresses in a NAT pool called "NAT-POOL":

R2(config)#ip nat inside source route-map tst pool NAT-POOL reversible

Let's test and verify the configuration:

On R1:
R1#Ping 23.1.1.3 source Lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 23.1.1.3 source Lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 11.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

On R2:
R2#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 100.1.1.1:0        1.1.1.1:0          23.1.1.3:0         23.1.1.3:0
icmp 100.1.1.2:1        11.1.1.1:1         23.1.1.3:1         23.1.1.3:1
---  100.1.1.1          1.1.1.1            ---                ---
---  100.1.1.2          11.1.1.1           ---                ---

We can see both extendable and one-to-one entries. The extendable entries will time out, and once the extendable entries time out, the one-to-one entries will remain in the table unless the table is cleared manually. Let's repeat the "Show ip nat translations" command; you should see that the extendable entries have timed out:

R2#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  100.1.1.1          1.1.1.1            ---                ---
---  100.1.1.2          11.1.1.1           ---                ---

We can see that the one-to-one entries remained in the translation table, and it is because of this behavior that the hosts on the Outside can communicate with the hosts on the Inside. Let's verify:

On R3:
R3#Ping 100.1.1.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms

R3#Telnet 100.1.1.2
Trying 100.1.1.2 ... Open

Password required, but none set

[Connection to 100.1.1.2 closed by foreign host]

On R2:
R2#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global

Task 3
Erase the startup config and reload the routers before proceeding to the next lab.
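To make the difference between the two entry kinds concrete, here is an added Python model of the translation-table behaviour this lab describes. It is example code, not the workbook's configuration or router output: an inside-initiated flow creates a short-lived extendable entry, and only with "reversible" does a persistent one-to-one entry appear, which is what still matches when R3 later opens a connection to 100.1.1.2. The addresses are those of Lab 3; the 60-second timeout, the `Entry` record and the `ReversibleNat` and `run_lab3` names are the example's own assumptions, not IOS internals.

```python
"""Model of 'reversible' route-map NAT (Lab 3): an inside-initiated flow
creates a short-lived extendable entry and, when 'reversible' is set, a
persistent one-to-one entry that lets an outside host reach the inside host
after the flow entry has aged out.  Added example, not the workbook's own
output; addresses are those of Lab 3, the timeout value is constructed."""
from dataclasses import dataclass
from typing import Optional

ICMP_TIMEOUT = 60  # seconds; constructed value, IOS uses its own timers


@dataclass
class Entry:
    proto: Optional[str]        # "icmp"/"tcp"/..., or None for a one-to-one entry
    inside_global: str          # "100.1.1.1:0" or "100.1.1.1" (one-to-one)
    inside_local: str
    outside: Optional[str]      # outside global "host:id"; None for one-to-one
    expires_at: Optional[int]   # None: never ages out (one-to-one entry)


class ReversibleNat:
    def __init__(self, pool, permitted, reversible=True):
        self.pool = list(pool)            # inside global addresses (NAT-POOL)
        self.permitted = set(permitted)   # hosts matched by route-map "tst"
        self.reversible = reversible
        self.table = []                   # list of Entry, in creation order
        self.bindings = {}                # inside local -> inside global

    def _allocate(self, inside_local):
        """Return the global address bound to this host, taking the first
        free pool address on first use; None when the pool is exhausted."""
        if inside_local in self.bindings:
            return self.bindings[inside_local]
        used = set(self.bindings.values())
        for addr in self.pool:
            if addr not in used:
                self.bindings[inside_local] = addr
                return addr
        return None

    def inside_to_outside(self, src, dst, proto, ident, now):
        """Inside-originated packet: returns the translated source, or None
        when the route-map does not match or the pool is empty."""
        if src not in self.permitted:
            return None
        glob = self._allocate(src)
        if glob is None:
            return None
        self.table.append(Entry(proto, f"{glob}:{ident}", f"{src}:{ident}",
                                f"{dst}:{ident}", now + ICMP_TIMEOUT))
        if self.reversible and not any(
                e.proto is None and e.inside_global == glob for e in self.table):
            # The one-to-one mapping that plain route-map NAT never creates.
            self.table.append(Entry(None, glob, src, None, None))
        return glob

    def age(self, now):
        """Drop timed-out extendable entries; one-to-one entries persist."""
        self.table = [e for e in self.table
                      if e.expires_at is None or e.expires_at > now]
        live = {e.inside_local.split(":")[0] for e in self.table}
        self.bindings = {l: g for l, g in self.bindings.items() if l in live}

    def outside_to_inside(self, dst_global):
        """Outside-originated packet to an inside global address: returns the
        inside local address it is delivered to, or None (no translation)."""
        for e in self.table:
            if e.proto is None and e.inside_global == dst_global:
                return e.inside_local
        return None

    def show(self):
        """Rows in the shape of 'show ip nat translations'."""
        return [(e.proto or "---", e.inside_global, e.inside_local,
                 e.outside or "---", e.outside or "---") for e in self.table]


def run_lab3(reversible=True):
    """Two pings from R1 (Lo0 = 1.1.1.1, Lo1 = 11.1.1.1) to R3 (23.1.1.3),
    then the flow entries age out, then R3 tries to reach 100.1.1.2."""
    nat = ReversibleNat(["100.1.1.1", "100.1.1.2"], ["1.1.1.1", "11.1.1.1"],
                        reversible)
    nat.inside_to_outside("1.1.1.1", "23.1.1.3", "icmp", 0, now=0)
    nat.inside_to_outside("11.1.1.1", "23.1.1.3", "icmp", 1, now=0)
    rows_before = len(nat.table)
    nat.age(now=ICMP_TIMEOUT + 1)
    rows_after = len(nat.table)
    reached = nat.outside_to_inside("100.1.1.2")
    return rows_before, rows_after, reached


if __name__ == "__main__":
    print("reversible:    ", run_lab3(True))    # (4, 2, '11.1.1.1')
    print("not reversible:", run_lab3(False))   # (2, 0, None)
```

Running it with `reversible=False` models the plain route-map NAT case from the task text: the two flow entries age out, nothing is left in the table, and the outside-initiated packet finds no translation.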
Lab 4 - Advanced Static NAT Configuration

Lab Setup:
To copy and paste the initial configurations, go to "http://micronics.nl" > "Advanced-init" > "NAT" > "Lab-4".

Task 1
Your company has two connections to the Internet, one through ISP-1 and the other through ISP-2 for redundancy. You have acquired an IP address of 200.2.2.2 /24 from ISP-1 and an IP address of 200.3.3.3 /24 from ISP-2. These ISPs ONLY support their assigned IP addresses; they do not support the addresses from the other ISP. Your company has an internal WEB server with an IP address of 10.1.1.1 /24 (the IP address of R1's Lo0 interface). Using static translation, ensure that if the traffic comes through ISP-1, the NAT device (R1) translates 10.1.1.1 to an IP address that is supported by ISP-1, but if the traffic comes through ISP-2, R1 should translate 10.1.1.1 to an IP address that is supported by ISP-2. Do not use PAT, PBR, or dynamic NAT to accomplish this task.

On R1:
R1(config)#ip nat inside source static 10.1.1.1 200.2.2.2 extendable
R1(config)#ip nat inside source static 10.1.1.1 200.3.3.3 extendable
R1(config)#int Lo0
R1(config-if)#ip nat inside
R1(config-if)#int S1/2
R1(config-subif)#ip nat outside
R1(config-subif)#int S1/3
R1(config-subif)#ip nat outside

To verify the configuration:

On R1:
R1#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  200.2.2.2          10.1.1.1           ---                ---
---  200.3.3.3          10.1.1.1           ---                ---

You can see that 10.1.1.1 is translated to 200.2.2.2 and 200.3.3.3. Without the "extendable" keyword at the end of these statements, you could NOT have the same IP address translated to more than one IP address; therefore, without it this solution would not work.
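The following added Python model (example code, not the workbook's configuration or router output) shows the two things this task relies on: the second static mapping for 10.1.1.1 is refused unless both statements carry "extendable", and a request that arrived on one ISP's address is answered from that same address rather than from the other mapping. `StaticNat` and `run_lab4` are the example's own names; R2's address 131.1.12.2 is taken from the debug output shown in this lab, and the ISP-2 side address 131.1.13.3 is a constructed placeholder.

```python
"""Model of what the 'extendable' keyword changes for static NAT (Lab 4):
without it a second mapping for the same inside local address is refused;
with it one inside host can own one inside global address per ISP, and a
reply leaves with whichever global address the request arrived on.
Added example, not workbook output.  Addresses other than the lab's
10.1.1.1, 200.2.2.2, 200.3.3.3 and 131.1.12.2 are constructed."""


class StaticNat:
    def __init__(self):
        self.mappings = []   # (inside_local, inside_global, extendable)
        self.sessions = {}   # (inside_local, outside_host) -> inside_global

    def add_static(self, inside_local, inside_global, extendable=False):
        """Mimic 'ip nat inside source static A B [extendable]'; returns the
        console error text on refusal, None on success."""
        for local, glob, ext in self.mappings:
            if local == inside_local and not (ext and extendable):
                return f"% {inside_local} already mapped ({local} -> {glob})"
        self.mappings.append((inside_local, inside_global, extendable))
        return None

    def outside_in(self, src_outside, dst_global):
        """Packet arriving from an ISP for one of the public addresses: the
        destination is translated and the session remembers which global
        address was used, so the reply does not pick the other one."""
        for local, glob, _ in self.mappings:
            if glob == dst_global:
                self.sessions[(local, src_outside)] = glob
                return local
        return None   # not a translated address: forwarded untouched

    def inside_out(self, src_local, dst_outside):
        """Reply from the web server: translate the source using the
        session created by the request, else the first static mapping."""
        glob = self.sessions.get((src_local, dst_outside))
        if glob is None:
            for local, candidate, _ in self.mappings:
                if local == src_local:
                    glob = candidate
                    break
        return glob


def run_lab4():
    """Lab 4 sequence: the refused non-extendable attempt, then the two
    extendable mappings and one ping arriving from each ISP side."""
    plain = StaticNat()
    plain.add_static("10.1.1.1", "200.2.2.2")
    error = plain.add_static("10.1.1.1", "200.3.3.3")   # refused

    r1 = StaticNat()
    r1.add_static("10.1.1.1", "200.2.2.2", extendable=True)
    r1.add_static("10.1.1.1", "200.3.3.3", extendable=True)
    isp1_host = "131.1.12.2"   # R2, as seen in the lab's debug output
    isp2_host = "131.1.13.3"   # R3; constructed, the page does not show it

    results = {"error": error, "mappings": len(r1.mappings)}
    results["isp1_in"] = r1.outside_in(isp1_host, "200.2.2.2")
    results["isp1_reply"] = r1.inside_out("10.1.1.1", isp1_host)
    results["isp2_in"] = r1.outside_in(isp2_host, "200.3.3.3")
    results["isp2_reply"] = r1.inside_out("10.1.1.1", isp2_host)
    return results


if __name__ == "__main__":
    for key, value in run_lab4().items():
        print(f"{key:11} {value}")
```

The session lookup in `inside_out` is the part to notice: it is what keeps a reply to ISP-2 from leaving with ISP-1's address, which the task says ISP-2 would not carry.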
If you try to configure and NAT a single IP address to multiple IP addresses without the "extendable" keyword, you will get the following console error:

% 10.1.1.1 already mapped (10.1.1.1 -> 200.2.2.2)

To test the configuration:

On R1:
R1#Debug ip nat
IP NAT debugging is on
R1(config)#no service timestamps debug

On R2:
R2#Ping 200.2.2.2 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.2.2.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

On R3:
R3#Ping 200.3.3.3 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.3.3.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 48/48/48 ms

On R1:
You should see the following debug output:

NAT*: s=131.1.12.2, d=200.2.2.2->10.1.1.1 [3]
NAT: s=10.1.1.1->200.2.2.2, d=131.1.12.2 [3]

When the traffic is sourced from R2, the destination 200.2.2.2 is translated to 10.1.1.1, and when the traffic is sourced from R3, the destination 200.3.3.3 is translated to 10.1.1.1.

R1#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  200.2.2.2          10.1.1.1           ---                ---
---  200.3.3.3          10.1.1.1           ---                ---

Note: If the "extendable" keyword was not used, the IOS would not allow you to have two NAT entries for the same source IP address. The "extendable" keyword creates an extended entry in the translation table.

Task 2
Erase the startup configuration and reload the routers before proceeding to the next lab.

Lab 5 - Configuration of Dynamic NAT - I

Lab Setup:
To copy and paste the initial configurations, go to "http://micronics.nl" > "Advanced-init" > "NAT" > "Lab-5".

Task 1
Configure a dynamic NAT on R2 using a pool of IP addresses for inside global such that ONLY hosts on network 10.2.2.0 /24 have the ability to ping R1's loopback0 interface.
You are allowed a single static route on R2, but you should not configure R1 to accomplish this task.

Step 1
Identify the internal hosts that are allowed to get translated to inside global addresses:

R2(config)#access-list 1 permit host 10.2.2.1
R2(config)#access-list 1 permit host 10.2.2.2
R2(config)#access-list 1 permit host 10.2.2.3
R2(config)#access-list 1 permit host 10.2.2.4
R2(config)#access-list 1 permit host 10.2.2.5

Step 2
Create a pool of inside global addresses:

R2(config)#ip nat pool TEST 12.1.1.3 12.1.1.8 prefix-length 24

Since this task has not assigned a pool of inside global IP addresses, we must use the address space that is assigned to the link that connects the two routers, so R1 can have NLRI to the source addresses.

Step 3
Assign the allowed hosts (access-list 1) to use a pool (TEST) of inside global addresses:

R2(config)#ip nat inside source list 1 pool TEST

Step 4
Specify the inside and the outside interface:

R2(config)#int Lo0
R2(config-if)#ip nat inside
R2(config-if)#int S1/1
R2(config-subif)#ip nat outside

Step 5
The following configures a static route for network 10.1.1.0 /24 on R2 pointing to 12.1.1.1; this is created so the router has NLRI for that network.

R2(config)#ip route 10.1.1.0 255.255.255.0 12.1.1.1

To verify the configuration:

On R2:
R2#Debug ip nat
IP NAT debugging is on
R2(config)#no service timestamps debug

R2#Ping 10.1.1.1 source 10.2.2.5 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.5
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

You should see the following debug output:

NAT: s=10.2.2.5->131.1.12.3, d=10.1.1.1 [11]
NAT*: s=10.1.1.1, d=131.1.12.3->10.2.2.5 [11]

R2#Sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 12.1.1.3:0         10.2.2.5:0         10.1.1.1:0         10.1.1.1:0
---  12.1.1.3           10.2.2.5           ---                ---

NOTE: When host 10.2.2.5 pings host 10.1.1.1, the first available global IP address from the pool is used for the translation; therefore, the host portion of the IP addresses might not match.

Task 2
Erase the startup configuration and reload the routers before proceeding to the next lab.

Lab 6 - Configuration of Dynamic NAT - II

Lab Setup:
To copy and paste the initial configurations, go to "http://micronics.nl" > "Advanced-init" > "NAT" > "Lab-6".

Task 1
You were given the inside global IP address range of 200.2.2.1 - 200.2.2.5 /24 by your ISP. Ensure that the IP addresses in network 10.2.2.0 /24 can be translated to these IP addresses. You must configure R2 using dynamic NAT such that the host portion of the inside local IP addresses matches the host portion of the inside global addresses. You are allowed to configure a single static route on each router to accomplish this task.

On R1:
The following static route is configured on R1 for the return traffic.

R1(config)#ip route 200.2.2.0 255.255.255.0 12.1.1.2

On R2:
The following static route is required for R2 to initiate traffic from the 10.2.2.0 /24 network.

R2(config)#ip route 10.1.1.0 255.255.255.0 12.1.1.1

On R2:
R2(config)#int Lo0
R2(config-if)#ip nat inside
R2(config-if)#int S1/1
R2(config-subif)#ip nat outside

The following access-list identifies the hosts that are allowed to be translated.
R2(config)#access-list 1 permit host 10.2.2.1
R2(config)#access-list 1 permit host 10.2.2.2
R2(config)#access-list 1 permit host 10.2.2.3
R2(config)#access-list 1 permit host 10.2.2.4
R2(config)#access-list 1 permit host 10.2.2.5

Note: The "type match-host" keyword tells the IOS to match the host portion of the inside local to the host portion of the inside global IP addresses.

R2(config)#ip nat pool TEST 200.2.2.1 200.2.2.5 prefix-length 24 type match-host
R2(config)#ip nat inside source list 1 pool TEST

To verify the configuration:

On R2:
R2#Debug ip nat
IP NAT debugging is on
R2(config)#no service timestamps debug

R2#Ping 10.1.1.1 source 10.2.2.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

NAT: s=10.2.2.1->200.2.2.1, d=10.1.1.1 [22]
NAT*: s=10.1.1.1, d=200.2.2.1->10.2.2.1 [22]

R2#Ping 10.1.1.1 source 10.2.2.3 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.3
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

NAT: s=10.2.2.3->200.2.2.3, d=10.1.1.1 [23]
NAT*: s=10.1.1.1, d=200.2.2.3->10.2.2.3 [23]

R2#Ping 10.1.1.1 source 10.2.2.5 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.5
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 48/48/48 ms

NAT: s=10.2.2.5->200.2.2.5, d=10.1.1.1 [24]
NAT*: s=10.1.1.1, d=200.2.2.5->10.2.2.5 [24]

R2#Show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 200.2.2.1:0        10.2.2.1:0         10.1.1.1:0         10.1.1.1:0
---  200.2.2.1          10.2.2.1           ---                ---
icmp 200.2.2.3:1        10.2.2.3:1         10.1.1.1:1         10.1.1.1:1
---  200.2.2.3          10.2.2.3           ---                ---
icmp 200.2.2.5:2        10.2.2.5:2         10.1.1.1:2         10.1.1.1:2
---  200.2.2.5          10.2.2.5           ---                ---

Note: The translation is performed such that the host portion of the inside local IP addresses is translated to the host portion of the inside global IP addresses.

Task 2
Erase the startup config and reload the routers before proceeding to the next lab.

Lab 7 - Configuration of Dynamic NAT - III

Lab Setup:
To copy and paste the initial configurations, go to "http://micronics.nl" > "Advanced-init" > "NAT" > "Lab-7".

Task 1
Your company (R1) has two connections to the Internet, one through ISP-1 (R2) and the other through ISP-2 (R3). You have acquired an IP address of 192.2.2.2 /24 from ISP-1 and an IP address of 193.3.3.3 /24 from ISP-2. These ISPs only support their assigned IP addresses. Your company has an internal WEB server with an IP address of 10.1.1.1 /24. Using dynamic translation, ensure that when host 10.1.1.1 communicates with host 200.2.2.2 from ISP-1, the traffic goes to ISP-1 and the NAT device (R1) translates 10.1.1.1 to an IP address that is supported and given to the company by ISP-1. When host 10.1.1.1 communicates with 200.3.3.3, the traffic should go to ISP-2 and R1 should translate 10.1.1.1 to the IP address that is supported and given to the company by ISP-2. Do not use PAT or static NAT, and you should not use the "extendable" keyword to accomplish this task.

On R1:
The following configuration defines the inside and outside interfaces:

R1(config)#int S1/2
R1(config-subif)#ip nat outside
R1(config-subif)#int S1/3
R1(config-subif)#ip nat outside
R1(config-subif)#int Lo0
R1(config-if)#ip nat inside

Two pools are defined.
These are the IP addresses that were acquired from the two ISPs:

R1(config)#ip nat pool isp1-pool 192.2.2.2 192.2.2.2 prefix-length 24
R1(config)#ip nat pool isp2-pool 193.3.3.3 193.3.3.3 prefix-length 24

The following two access-lists identify the communication between the hosts:

R1(config)#ip access-list extended isp1-acl
R1(config-ext-nacl)#permit ip host 10.1.1.1 host 200.2.2.2
R1(config)#ip access-list extended isp2-acl
R1(config-ext-nacl)#permit ip host 10.1.1.1 host 200.3.3.3

The following two route-maps reference the access-lists configured in the previous step:

R1(config)#route-map isp1 permit 10
R1(config-route-map)#match ip address isp1-acl
R1(config)#route-map isp2 permit 10
R1(config-route-map)#match ip address isp2-acl

Finally, the route-maps are tied to the pools:

R1(config)#ip nat inside source route-map isp1 pool isp1-pool
R1(config)#ip nat inside source route-map isp2 pool isp2-pool

To verify the configuration:

On R1:
R1#Debug ip nat
IP NAT debugging is on
R1(config)#no service timestamps debug

R1#Ping 200.2.2.2 source 10.1.1.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

You should see the following debug output:

NAT: s=10.1.1.1->192.2.2.2, d=200.2.2.2 [0]
NAT*: s=200.2.2.2, d=192.2.2.2->10.1.1.1 [0]

To see the translation table:

On R1:
R1#Sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 192.2.2.2:0        10.1.1.1:0         200.2.2.2:0        200.2.2.2:0

R1#Ping 200.3.3.3 source 10.1.1.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 48/48/48 ms

You should see the following debug output:

NAT: s=10.1.1.1->193.3.3.3, d=200.3.3.3 [11]
NAT*: s=200.3.3.3, d=193.3.3.3->10.1.1.1 [11]

To see the translation table:

On R1:
R1#Sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 193.3.3.3:7        10.1.1.1:7         200.3.3.3:7        200.3.3.3:7
icmp 192.2.2.2:3        10.1.1.1:3         200.2.2.2:3        200.2.2.2:3

Task 2
Erase the startup configuration and reload the routers before proceeding to the next lab.

Lab 8 - NAT and TCP Load Balancing

Lab Setup:
To copy and paste the initial configurations, go to "http://micronics.nl" > "Advanced-init" > "NAT" > "Lab-8".

Task 1
R2 has five telnet servers; the inside local IP addresses of these servers are 10.2.2.1 - 10.2.2.5 /24 (loopback0 interface). The administrator of this router created an entry in the DNS server that points to the inside global IP address of 200.2.2.2 /24 for the telnet service offered by these five servers. Configure R2 such that it evenly distributes the TCP load between the five servers. You are allowed to configure a single static route on R1 to accomplish this task. The solution implemented in this scenario MUST be done through the NAT configuration.

On R2:
The following command creates a pool that contains the inside local IP addresses of the 5 servers offering the identical service; the "type rotary" keyword tells the router to evenly distribute the TCP load amongst the IP addresses specified in the pool.

Note: This is a little different from the pool of IP addresses that we have used in the previous labs.
These are the inside local IP addresses, whereas in the previous labs we used a pool of inside global IP addresses.

R2(config)#ip nat pool TEST 10.2.2.1 10.2.2.5 prefix-length 24 type rotary

The following access-list identifies the virtual IP address (inside global). This is the address that is configured on the DNS for the server/s.

R2(config)#access-list 1 permit host 200.2.2.2

The following command tells the router that if the incoming traffic is destined for the IP address that is specified in access-list 1, it should use the pool called TEST.

R2(config)#ip nat inside destination list 1 pool TEST

The following commands define the inside and outside interfaces:

R2(config)#interface Lo0
R2(config-if)#ip nat inside
R2(config)#interface S1/1
R2(config-if)#ip nat outside

Finally, the static route on R1 that provides NLRI to R1 for the 200.2.2.2 /32 IP address.

On R1:
R1(config)#ip route 200.2.2.2 255.255.255.255 12.1.1.2

To verify and test the configuration:
In this process, R1 telnets to 200.2.2.2 five times, so we can see how the traffic is load shared amongst the five IP addresses.

On R1:
R1#Telnet 200.2.2.2
Trying 200.2.2.2 ... Open

Password required, but none set

[Connection to 200.2.2.2 closed by foreign host]

R1#Telnet 200.2.2.2
Trying 200.2.2.2 ... Open

Password required, but none set

[Connection to 200.2.2.2 closed by foreign host]

R1#Telnet 200.2.2.2
Trying 200.2.2.2 ... Open

Password required, but none set

[Connection to 200.2.2.2 closed by foreign host]

R1#Telnet 200.2.2.2
Trying 200.2.2.2 ... Open

Password required, but none set

[Connection to 200.2.2.2 closed by foreign host]

R1#Telnet 200.2.2.2
Trying 200.2.2.2 ... Open

Password required, but none set

[Connection to 200.2.2.2 closed by foreign host]

The telnet sessions will not be successful because telnet is not set up; this is not important, since the idea of this exercise is to generate TCP-based traffic.

On R2:
R2#Show ip nat translations
Pro  Inside global      Inside local       Outside local        Outside global
tcp  200.2.2.2:23       10.2.2.1:23        131.1.12.1:58503     131.1.12.1:58503
tcp  200.2.2.2:23       10.2.2.2:23        131.1.12.1:59050     131.1.12.1:59050
tcp  200.2.2.2:23       10.2.2.3:23        131.1.12.1:61609     131.1.12.1:61609
tcp  200.2.2.2:23       10.2.2.4:23        131.1.12.1:13630     131.1.12.1:13630
tcp  200.2.2.2:23       10.2.2.5:23        131.1.12.1:26428     131.1.12.1:26428

Note: The same inside global IP address is used for all 5 inside local IP addresses.

Task 2
Erase the startup config and reload the routers before proceeding to the next lab.

Lab 9 - Configuring PAT

Lab Setup:
To copy and paste the initial configurations, go to "http://micronics.nl" > "Advanced-init" > "NAT" > "Lab-9".

Task 1
Create a static route for network 10.1.1.0 /24 on R2 pointing to its S1/1 interface:

On R2:
The following static route is configured on R2 so it can initiate traffic destined for network 10.1.1.0.

R2(config)#ip route 10.1.1.0 255.255.255.0 S1/1

Task 2
Ensure that R2 uses PAT for all 5 IP addresses connected to its loopback0 interface such that they can ping the loopback0 interface of R1. You should not perform additional configuration on R1, or use an additional IP address on R2, to accomplish this task.

You can conserve addresses in the inside global address pool by allowing the router to use one global address for many local addresses. This is called PAT (port address translation).
When this is configured, the router assigns unused TCP and UDP ports to the source IP address of the host that gets translated. The router then maintains enough information from the TCP and UDP port numbers to translate the global address/es back to the correct local address.

PAT can be configured in a few ways; the following shows two ways to configure PAT:

The first way:

Step 1: Identify the inside and outside interfaces on R2:

On R2:
R2(config)#int Lo0
R2(config-if)#ip nat inside
R2(config)#int S1/1
R2(config-if)#ip nat outside

Step 2: Identify the IP addresses that should get translated:

On R2:
R2(config)#access-list 1 permit host 10.2.2.1
R2(config)#access-list 1 permit host 10.2.2.2
R2(config)#access-list 1 permit host 10.2.2.3
R2(config)#access-list 1 permit host 10.2.2.4
R2(config)#access-list 1 permit host 10.2.2.5

Step 3: Configure PAT to point to the interface of R2:

R2(config)#ip nat inside source list 1 interface S1/1

When this command is entered, the IOS will automatically add the "overload" keyword to the end of the command. A "show run" command will reveal this behavior:

R2#Show run | inc ip nat inside source
ip nat inside source list 1 interface Serial0/0.21 overload

The system added the "overload" keyword.

To verify the configuration:

On R2:
R2#Debug ip nat
R2(config)#no service timestamps debug

R2#Ping 10.1.1.1 source 10.2.2.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

NAT: s=10.2.2.1->12.1.1.2, d=10.1.1.1 [0]
NAT*: s=10.1.1.1, d=12.1.1.2->10.2.2.1 [0]

Let's check the translation table:

R2#Show ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
icmp  12.1.1.2:0      10.2.2.1:0     10.1.1.1:0      10.1.1.1:0

R2#Ping 10.1.1.1 source 10.2.2.2 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

NAT: s=10.2.2.2->12.1.1.2, d=10.1.1.1 [1]
NAT*: s=10.1.1.1, d=12.1.1.2->10.2.2.2 [1]

R2#Ping 10.1.1.1 source 10.2.2.3

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.3
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

NAT: s=10.2.2.3->12.1.1.2, d=10.1.1.1 [2]
NAT*: s=10.1.1.1, d=12.1.1.2->10.2.2.3 [2]

Note: The ICMP translation entries time out very quickly, but if you conduct the three pings again you should see the following translation table:

R2#Show ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
icmp  12.1.1.2:0      10.2.2.1:0     10.1.1.1:0      10.1.1.1:0
icmp  12.1.1.2:1      10.2.2.2:1     10.1.1.1:1      10.1.1.1:1
icmp  12.1.1.2:2      10.2.2.3:2     10.1.1.1:2      10.1.1.1:2

The second way to configure PAT:

Remove the NAT statement from the previous task:

R2(config)#No ip nat inside source list 1 interface S1/1

Create a pool of inside global IP address(es); this IP address could be any IP address within the same scope of the IP address space from the link connecting the two routers:

R2(config)#ip nat pool TEST 12.1.1.3 12.1.1.3 prefix-length 24
R2(config)#ip nat inside source list 1 pool TEST overload

Note: Like dynamic NAT, first a pool of IP addresses is created; in this case there is only a single IP address in the pool (a pool of more than one IP address can also be created for PAT). Then, the "ip nat inside source" command allows the IP addresses identified in access-list 1 to use the pool. The "overload" argument here is the key keyword.

Note: If the overload keyword is not configured, you will receive the following result:

R2(config)#ip nat inside source list 1 pool TEST

Note: The first ping sourced from 10.2.2.1 works, and the source IP address of 10.2.2.1 is translated to 12.1.1.3:

R2#Ping 10.1.1.1 source 10.2.2.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

NAT: s=10.2.2.1->12.1.1.3, d=10.1.1.1 [6]
NAT*: s=10.1.1.1, d=12.1.1.3->10.2.2.1 [6]

The second ping, originated from 10.2.2.2, fails because the overload keyword is not automatically added:

R2#Ping 10.1.1.1 source 10.2.2.2 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
.
Success rate is 0 percent (0/1)

You should see the following debug output; the translation failed because there was only a single inside global IP address:

NAT: translation failed (E), dropping packet s=10.2.2.2 d=10.1.1.1

R2#Show run | inc ip nat inside source
ip nat inside source list 1 pool TEST

Note: The overload keyword is NOT added automatically.

Task 3

Erase the startup configuration and reload the routers before proceeding to the next lab.

Lab 10 — Configuring PAR

Lab Setup:

To copy and paste the initial configurations, go to "http://micronics.nI" > "Advanced-init" > "NAT" > "Lab-10".

Task 1

R2 is configured as a telnet server; configure R1 such that when it receives a packet that is destined for the IP address of its S1/4 interface for port 23, the traffic is redirected to the telnet server (R2).

The following command redirects any traffic destined to R1's S1/4 for port 23 to the host with an address of 10.1.123.2, port 23. Sometimes this command should be read backwards to make sense.

On R1:

R1(config)#ip nat inside source static tcp 10.1.123.2 23 int S1/4 23
R1(config)#interface F0/0
R1(config-if)#ip nat inside
R1(config)#interface S1/4
R1(config-if)#ip nat outside

To verify the configuration:

On R1:

Note: 14.1.1.1 port 23 is mapped to 10.1.123.2 port 23 for the TCP protocol:

R1#Show ip nat translations
Pro  Inside global   Inside local     Outside local   Outside global
tcp  14.1.1.1:23     10.1.123.2:23    ---             ---

To test the configuration:

On R1:

R1#Debug ip nat
IP NAT debugging is on
R1(config)#No service timestamp debug

On R4:

R4#Telnet 14.1.1.1
Trying 14.1.1.1 ...
Open
Password required, but none set

[Connection to 14.1.1.1 closed by foreign host]

You should see the following debug output:

On R1:

NAT*: s=14.1.1.4, d=14.1.1.1->10.1.123.2 [38152]
NAT*: s=10.1.123.2->14.1.1.1, d=14.1.1.4 [61481]
(The rest of the output is omitted)

Note: R4 performed a "Telnet 14.1.1.1" command, but R1 redirected the call to R2 for port 23.

To verify the configuration:

On R1:

R1#Show ip nat translations
Pro  Inside global   Inside local     Outside local     Outside global
tcp  14.1.1.1:23     10.1.123.2:23    ---               ---
tcp  14.1.1.1:23     10.1.123.2:23    14.1.1.4:12439    14.1.1.4:12439

Task 2

Configure R1 such that when it receives any traffic destined for the IP address of its S1/4 interface for ports 80 and/or 8080, the traffic is redirected to R3.

On R1:

R1(config)#ip nat inside sour static tcp 10.1.123.3 80 int S1/4 80
R1(config)#ip nat inside sour static tcp 10.1.123.3 8080 int S1/4 8080

To test and verify the configuration:

On R1:

R1#Show ip nat translations
Pro  Inside global   Inside local       Outside local   Outside global
tcp  14.1.1.1:23     10.1.123.2:23      ---             ---
tcp  14.1.1.1:80     10.1.123.3:80      ---             ---
tcp  14.1.1.1:8080   10.1.123.3:8080    ---             ---

R1#Debug ip nat
IP NAT debugging is on
R1(config)#No service timestamp debug

On R4:

R4#Telnet 14.1.1.1 80
Trying 14.1.1.1, 80 ...
% Connection refused by remote host

On R1:

NAT*: s=14.1.1.4, d=14.1.1.1->10.1.123.3 [52156]
NAT*: s=10.1.123.3->14.1.1.1, d=14.1.1.4 [1861]

Note: R1 redirected the traffic to R3.

On R1:

R1#Show ip nat trans
Pro  Inside global   Inside local       Outside local     Outside global
tcp  14.1.1.1:23     10.1.123.2:23      ---               ---
tcp  14.1.1.1:80     10.1.123.3:80      ---               ---
tcp  14.1.1.1:80     10.1.123.3:80      14.1.1.4:15762    14.1.1.4:15762
tcp  14.1.1.1:8080   10.1.123.3:8080    ---               ---

Task 3

Erase the startup configuration and reload the routers before proceeding to the next lab.
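As an added illustration (it is not part of the workbook and not IOS code), the following Python model shows the bookkeeping behind the behaviour seen in Lab 9 and Lab 10: with "overload" one inside global address is shared and the router only changes a host's source port (for ICMP, the echo identifier) when it collides with another host's; without "overload" a one-address pool is taken by the first host and the second translation fails, which is the "translation failed" case of Lab 9; and static port redirection (PAR) entries are consulted for inbound traffic before any dynamic state, as in Lab 10. The addresses and ports come from the two labs; the class and function names and the port-allocation start of 1024 are assumptions of this model, not IOS behaviour taken from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# An endpoint is (protocol, ip, port). For ICMP the "port" is the echo
# identifier, which is what IOS shows in the port column of
# "show ip nat translations".
Endpoint = Tuple[str, str, int]


@dataclass
class NatBox:
    pool: List[str]                 # inside global addresses (the "ip nat pool")
    overload: bool                  # the "overload" keyword
    # static port redirection (PAR): (proto, global ip, port) -> (local ip, port)
    par: Dict[Endpoint, Tuple[str, int]] = field(default_factory=dict)
    # dynamic state: inside local endpoint -> inside global endpoint, plus the
    # reverse map that return traffic is matched against
    dyn: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    used: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    # without overload, each inside local host owns a whole pool address
    host_map: Dict[str, str] = field(default_factory=dict)
    next_port: int = 1024           # assumed start for re-assigned ports

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Inside -> outside. Returns the inside global endpoint, or None when
        no translation is possible (the "translation failed" case)."""
        local = (proto, src_ip, src_port)
        if local in self.dyn:
            return self.dyn[local]
        if not self.overload:
            # one-to-one: the host takes a pool address, nothing is shared
            gip = self.host_map.get(src_ip)
            if gip is None:
                free = [a for a in self.pool if a not in self.host_map.values()]
                if not free:
                    return None
                gip = free[0]
                self.host_map[src_ip] = gip
            glob = (proto, gip, src_port)
        else:
            gip = self.pool[0]
            glob = (proto, gip, src_port)
            # keep the original port unless another host already holds it
            if glob in self.used:
                while (proto, gip, self.next_port) in self.used:
                    self.next_port += 1
                glob = (proto, gip, self.next_port)
                self.next_port += 1
        self.dyn[local] = glob
        self.used[glob] = local
        return glob

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside. Static PAR entries win; otherwise the packet must
        match dynamic state created by an earlier outbound packet."""
        key = (proto, dst_ip, dst_port)
        if key in self.par:
            return self.par[key]
        local = self.used.get(key)
        return (local[1], local[2]) if local else None


def lab9_pool_without_overload():
    """Pool of one address, no overload: the second host cannot be translated."""
    box = NatBox(pool=["12.1.1.3"], overload=False)
    return box.outbound("icmp", "10.2.2.1", 6), box.outbound("icmp", "10.2.2.2", 7)


def lab9_overload():
    """Five hosts share 12.1.1.2; all use ICMP id 0, so four get new ids."""
    box = NatBox(pool=["12.1.1.2"], overload=True)
    globs = [box.outbound("icmp", f"10.2.2.{i}", 0) for i in range(1, 6)]
    # return traffic for the second host is matched on its re-assigned id
    return globs, box.inbound("icmp", "12.1.1.2", 1024)


def lab10_par():
    """Static port redirection as on R1: ports 23, 80 and 8080 of 14.1.1.1."""
    box = NatBox(pool=["14.1.1.1"], overload=True, par={
        ("tcp", "14.1.1.1", 23): ("10.1.123.2", 23),
        ("tcp", "14.1.1.1", 80): ("10.1.123.3", 80),
        ("tcp", "14.1.1.1", 8080): ("10.1.123.3", 8080),
    })
    return (box.inbound("tcp", "14.1.1.1", 23),
            box.inbound("tcp", "14.1.1.1", 8080),
            box.inbound("tcp", "14.1.1.1", 443))   # no entry: dropped


if __name__ == "__main__":
    print(lab9_pool_without_overload())
    print(lab9_overload())
    print(lab10_par())
```

The point worth keeping from the model: with overload, an inbound packet is only accepted when it matches state created by an earlier outbound packet or an explicit PAR entry, so anything else arriving at 14.1.1.1 (port 443 above) has nowhere to go and is dropped.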
Lab 11 — Configuring Static NAT Redundancy With HSRP

Lab Setup:

To copy and paste the initial configurations, go to "http://micronics.nI" > "Advanced-init" > "NAT" > "Lab-11".

Task 1

Configure R2 and R3 as the default gateway for R1 and R4. Ensure that R1's F0/0 interface (100.1.1.1 /24) is translated to 192.1.1.1 /24 when communicating with any host behind R2 and R3. R2 should be the primary default gateway, whereas R3 should be configured as the backup default gateway for R1 and R4. However, if R2 is down, R3 should assume the active role, and if R2 is fixed and is up again, R2 should assume the active role again. The active router should be the only router performing the translation.

You can use IP addressing of your choice and two static default routes to accomplish this task. Assign the names HSRP-1 and HSRP-2 when configuring R2 and R3.

The following configures HSRP and sets the default gateway of R1 and R4 to point to the active router within their network. In this configuration, 100.1.1.100 and 200.1.1.100 are chosen as the virtual IP addresses, but any IP address from the appropriate subnet can be chosen:

On R2:

R2(config)#interface FastEthernet0/0
R2(config-if)#standby 1 ip 100.1.1.100
R2(config-if)#standby 1 priority 110
R2(config-if)#standby 1 preempt
R2(config-if)#standby 1 name HSRP-1
R2(config-if)#standby 1 track FastEthernet0/1 50
R2(config)#interface FastEthernet0/1
R2(config-if)#standby 2 ip 200.1.1.100
R2(config-if)#standby 2 priority 110
R2(config-if)#standby 2 preempt
R2(config-if)#standby 2 name HSRP-2
R2(config-if)#standby 2 track FastEthernet0/0 50

On R1:

R1(config)#ip route 0.0.0.0 0.0.0.0 100.1.1.100

On R3:

R3(config)#interface FastEthernet0/0
R3(config-if)#standby 1 ip 100.1.1.100
R3(config-if)#standby 1 preempt
R3(config-if)#standby 1 name HSRP-1
R3(config)#interface FastEthernet0/1
R3(config-if)#standby 2 ip 200.1.1.100
R3(config-if)#standby 2 priority 100
R3(config-if)#standby 2 preempt
R3(config-if)#standby 2 name HSRP-2

On R4:

R4(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.100

To verify the configuration:

On R2:

R2#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State    Active   Standby      Virtual IP
Fa0/0       1    110 P Active   local    100.1.1.3    100.1.1.100
Fa0/1       2    110 P Active   local    200.1.1.3    200.1.1.100

R2#Show standby | inc name
  Group name is "HSRP-1" (cfgd)
  Group name is "HSRP-2" (cfgd)

On R3:

R3#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State    Active       Standby   Virtual IP
Fa0/0       1    100 P Standby  100.1.1.2    local     100.1.1.100
Fa0/1       2    100 P Standby  200.1.1.2    local     200.1.1.100

R3#Show standby | inc name
  Group name is "HSRP-1" (cfgd)
  Group name is "HSRP-2" (cfgd)

Step 2: Configure NAT and integrate it with HSRP:

On R2 and R3:

Rx(config)#int F0/0
Rx(config-if)#ip nat inside
Rx(config)#int F0/1
Rx(config-if)#ip nat outside
Rx(config)#ip nat insi sour static 100.1.1.1 192.1.1.1 redundancy HSRP-1

To test and verify the configuration:

On R2 and R3:

Rx#Debug ip nat
IP NAT debugging is on

On R1:

R1#Ping 200.1.1.4 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

You should see the following only on R2 (the active router):

NAT*: s=100.1.1.1->192.1.1.1, d=200.1.1.4 [1]
Jan 19 00:05:05.267: NAT*: s=200.1.1.4, d=192.1.1.1->100.1.1.1 [1]

Note: The output of the above debug reveals that when 100.1.1.1 pings 200.1.1.4, it is translated to 192.1.1.1, and the return traffic from 200.1.1.4 to 192.1.1.1 is translated back to 100.1.1.1.

If the F0/0 interface of R2 goes down, then R3 will be the active router; the following tests this condition:

On R2:

R2(config)#int F0/0
R2(config-if)#Shut

You should receive the following messages stating that the local router is no longer the active router:

%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Init
%HSRP-5-STATECHANGE: FastEthernet0/1 Grp 2 state Active -> Speak
%HSRP-5-STATECHANGE: FastEthernet0/1 Grp 2 state Speak -> Standby

On R1:

R1#Ping 200.1.1.4 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms

You should see the following only on R3 (the active router):

NAT*: s=100.1.1.1->192.1.1.1, d=200.1.1.4 [2]
NAT*: s=200.1.1.4, d=192.1.1.1->100.1.1.1 [2]

Task 2

Erase the startup config and reload the routers before proceeding to the next lab.

Lab 12 — Stateful Translation Failover With HSRP

Lab Setup:

To copy and paste the initial configurations, go to "http://micronics.nI" > "Advanced-init" > "NAT" > "Lab-12".

Task 1

Configure R2 and R3 as the default gateway for R1 and R4. Ensure that R1's F0/0 interface (100.1.1.1 /24) is translated to 192.1.1.1 /24 when communicating with any host behind R2 and R3. R2 should be the primary default gateway, whereas R3 should be configured as the backup default gateway for R1 and R4. The active router should be the only router performing the translation; this could be R2 or R3. The standby router should also know about the translations; the standby router should receive its translation(s) from the active router. Use "HSRP-1" and "HSRP-2". You should configure dynamic NAT using the following IP addresses: 192.1.1.1-192.1.1.2.

Step #1 Configure HSRP:

On R2:

R2(config)#interface F0/0
R2(config-if)#standby 1 ip 100.1.1.100
R2(config-if)#standby 1 priority 110
R2(config-if)#standby 1 preempt
R2(config-if)#standby 1 name HSRP-1
R2(config-if)#standby 1 track FastEthernet0/1 50
R2(config)#interface F0/1
R2(config-if)#standby 2 ip 200.1.1.100
R2(config-if)#standby 2 priority 110
R2(config-if)#standby 2 preempt
R2(config-if)#standby 2 name HSRP-2
R2(config-if)#standby 2 track FastEthernet0/0 50

On R3:

R3(config)#interface F0/0
R3(config-if)#standby 1 ip 100.1.1.100
R3(config-if)#standby 1 preempt
R3(config-if)#standby 1 name HSRP-1
R3(config)#interface F0/1
R3(config-if)#standby 2 ip 200.1.1.100
R3(config-if)#standby 2 preempt
R3(config-if)#standby 2 name HSRP-2

Configuring static routes on R1 and R4:

On R1:

R1(config)#ip route 0.0.0.0 0.0.0.0 100.1.1.100

On R4:

R4(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.100

To verify the configuration:

On R2:

R2#Show standby brief
            P indicates configured to preempt.
            |
Interface   State    Active   Standby      Virtual IP
Fa0/0       Active   local    100.1.1.3    100.1.1.100
Fa0/1       Active   local    200.1.1.3    200.1.1.100

On R3:

R3#Show standby brief
            P indicates configured to preempt.
            |
Interface   State    Active       Standby   Virtual IP
Fa0/0       Standby  100.1.1.2    local     100.1.1.100
Fa0/1       Standby  200.1.1.2    local     200.1.1.100

Step 2: Configure stateful failover:

On R2:

R2(config)#ip nat stateful id 1
R2(config-ipnat-snat)#redundancy HSRP-1
R2(config-ipnat-snat-red)#mapping-id 100

The first line in the configuration, "ip nat stateful id 1", identifies the router in the SNAT group; each router should have a unique identifier. The second line, "redundancy HSRP-1", specifies the HSRP group name. The third line, "mapping-id 100", uniquely identifies the translation(s) that the active HSRP router sends to the standby router(s); this identifier must be identical on all routers.

The following command creates a pool of registered or global inside IP addresses:

R2(config)#ip nat pool TST-POOL 192.1.1.1 192.1.1.2 prefix-length 24

The following configuration identifies the communication between 100.1.1.1 and 200.1.1.4:

R2(config)#access-list 100 permit ip host 100.1.1.1 host 200.1.1.4
R2(config)#route-map TST permit 10
R2(config-route-map)#match ip address 100
R2(config)#interface F0/0
R2(config-if)#ip nat inside
R2(config)#interface F0/1
R2(config-if)#ip nat outside

The following configuration ties the route-map that references access-list 100 to the pool of IP addresses defined in "TST-POOL" and to the mapping-id.
R2(config)#ip nat inside source route-map TST pool TST-POOL mapping-id 100

On R3:

R3(config)#ip nat stateful id 2
R3(config-ipnat-snat)#redundancy HSRP-1
R3(config-ipnat-snat-red)#mapping-id 100
R3(config)#ip nat pool TST-POOL 192.1.1.1 192.1.1.2 prefix-length 24
R3(config)#access-list 100 permit ip host 100.1.1.1 host 200.1.1.4
R3(config)#route-map TST permit 10
R3(config-route-map)#match ip address 100
R3(config)#interface F0/0
R3(config-if)#ip nat inside
R3(config)#interface F0/1
R3(config-if)#ip nat outside
R3(config)#ip nat inside source route-map TST pool TST-POOL mapping-id 100

To test and verify the configuration:

On R2 and R3:

Rx#Debug ip nat
IP NAT debugging is on

On R1:

R1#Ping 200.1.1.4 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

On R2:

You should see the following debug output on R2:

SNAT (Add_node): Allocate Node for nat-id 2, Router-id 1
NAT*: s=100.1.1.1->192.1.1.1, d=200.1.1.4 [15]
NAT*: s=200.1.1.4, d=192.1.1.1->100.1.1.1 [15]

R2#Show ip nat trans
Pro   Inside global   Inside local   Outside local   Outside global
icmp  192.1.1.1:0     100.1.1.1:0    200.1.1.4:0     200.1.1.4:0

On R3:

You should see the following debug output on R3:

SNAT (Add_node): Allocate Node for nat-id 2, Router-id 1

R3#Sh ip nat trans
Pro   Inside global   Inside local   Outside local   Outside global
icmp  192.1.1.1:0     100.1.1.1:0    200.1.1.4:0     200.1.1.4:0

On R2:

R2#Show ip snat distributed
Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: ACTIVE
    : State READY
    : Local Address 100.1.1.2
    : Local NAT id 1
    : Peer Address 100.1.1.3
    : Peer NAT id 2
    : Mapping List 100

On R3:

R3#Show ip snat distributed
Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: STANDBY
    : State READY
    : Local Address 100.1.1.3
    : Local NAT id 2
    : Peer Address 100.1.1.2
    : Peer NAT id 1
    : Mapping List 100

Note: The following was given to R3 by R2:

R3#Show ip snat peer 100.1.1.2
Show NAT Entries created by peer: 100.1.1.2
Pro   Inside global   Inside local   Outside local   Outside global
icmp  192.1.1.1:1     100.1.1.1:1    200.1.1.4:1     200.1.1.4:1

One way to test the stateful nature of this configuration is to disable the debug on R2 and R3 and configure R1 to ping 200.1.1.4 with a high count; while the ping is running successfully, shut down the F0/1 interface of R2 (the active router) and check the number of dropped packets. Let's test this:

On R2 and R3:

Rx#Undebug all
All possible debugging has been turned off

On R1:

R1#Ping 200.1.1.4 rep 100000

Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

On R2:

R2(config)#int F0/1
R2(config-if)#Shut

On R1:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(the ping output continues with "!" for every echo)

We can see that R1 did not miss a single ping. If this test is conducted over and over again, you may see one missing ping, and the output on R1 will resemble the following:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Task 2

Erase the startup configuration and reload the routers before proceeding to the next lab.
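The difference between Lab 11 (HSRP-aware static NAT) and Lab 12 (stateful NAT) is what the standby router knows when it takes over. The following Python model, added here as an illustration and not taken from the workbook or from IOS, makes that visible: the active router allocates a pool address for a flow and pushes the entry to every peer whose mapping-id matches, so after a failover the new active router can still match the return traffic of a flow it never saw; without replication the same return packet finds no entry and is dropped. The pool and the host 100.1.1.1 are those of Lab 12; the second inside host 100.1.1.5, the use of a mismatched mapping-id to stand in for "no replication", and all class and function names are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SnatRouter:
    """One member of an HSRP/SNAT pair. Names are this model's, not IOS's."""
    nat_id: int                  # "ip nat stateful id N"
    mapping_id: int              # "mapping-id N" under the redundancy group
    pool: List[str]              # the inside global pool (TST-POOL)
    active: bool = False         # HSRP state of the group named in "redundancy"
    table: Dict[str, str] = field(default_factory=dict)   # inside local -> inside global
    peers: List["SnatRouter"] = field(default_factory=list)

    def translate_outbound(self, inside_local: str) -> Optional[str]:
        """Only the active router translates. A new entry is pushed to every
        peer that shares the mapping-id; that push is the replication step
        behind the "SNAT (Add_node)" line in the debug output."""
        if not self.active:
            return None
        glob = self.table.get(inside_local)
        if glob is None:
            in_use = set(self.table.values())
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None                       # pool exhausted
            glob = free[0]
            self.table[inside_local] = glob
            for peer in self.peers:
                if peer.mapping_id == self.mapping_id:
                    peer.table[inside_local] = glob
        return glob

    def lookup_inbound(self, inside_global: str) -> Optional[str]:
        """Return traffic: find the inside local host behind an inside global
        address. Without an entry the packet is dropped (None)."""
        if not self.active:
            return None
        for local, glob in self.table.items():
            if glob == inside_global:
                return local
        return None


def failover(old_active: SnatRouter, new_active: SnatRouter) -> None:
    """HSRP state change, e.g. after the tracked interface on R2 goes down."""
    old_active.active = False
    new_active.active = True


def run_failover(replicated: bool):
    """Two inside hosts start flows through R2, then R2 fails over to R3.
    Returns the inside local host R3 finds for traffic returning to
    192.1.1.2, and the number of entries R3 holds after the failover."""
    pool = ["192.1.1.1", "192.1.1.2"]
    r2 = SnatRouter(nat_id=1, mapping_id=100, pool=pool, active=True)
    # a mismatched mapping-id stands in for "no stateful replication"
    r3 = SnatRouter(nat_id=2, mapping_id=100 if replicated else 999, pool=pool)
    r2.peers.append(r3)
    r3.peers.append(r2)
    r2.translate_outbound("100.1.1.1")     # gets 192.1.1.1
    r2.translate_outbound("100.1.1.5")     # gets 192.1.1.2 (assumed second host)
    failover(r2, r3)
    return r3.lookup_inbound("192.1.1.2"), len(r3.table)


if __name__ == "__main__":
    print("stateful  :", run_failover(True))
    print("stateless :", run_failover(False))
```

This is also why the workbook's long ping loses at most one echo across the failover: the entry for the flow already exists on R3 when it becomes active, so there is no gap during which return packets have no translation to match.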
Lab 13 — Translation of the Outside Source - I

[Topology diagram: R1 and R2 connected over the 12.1.1.0/24 link]

Lab Setup:

To copy and paste the initial configurations, go to "http://micronics.nI" > "Advanced-init" > "NAT" > "Lab-13".

Task 1

Configure R1 such that when it receives any packet with a source IP address of 2.2.2.2, it translates that IP address to 200.2.2.2.

R1(config)#int Lo0
R1(config-if)#ip nat inside
R1(config)#int F0/0
R1(config-if)#ip nat outside
R1(config)#ip nat outside source static 2.2.2.2 200.2.2.2

To test and verify the configuration:

On R1:

R1#Debug ip nat
IP NAT debugging is on
R1(config)#No service timestamp debug

On R2:

R2#Ping 1.1.1.1 source 2.2.2.2 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.!
Success rate is 50 percent (1/2), round-trip min/avg/max = 1/1/1 ms

On R1:

You should see the following debug output:

NAT: s=2.2.2.2->200.2.2.2, d=1.1.1.1 [5]
NAT: s=1.1.1.1, d=200.2.2.2->2.2.2.2 [5]

Note: When a packet with a source IP address of 2.2.2.2 comes in through R1's F0/0 interface, the source IP address (2.2.2.2) of the incoming traffic is translated to 200.2.2.2. When R1 replies back to 200.2.2.2, the NAT process translates the destination IP address of 200.2.2.2 to 2.2.2.2. This is an important concept that will be very useful for the next lab.

R1#Ping 200.2.2.2 source 1.1.1.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms

You should see the following debug output:

NAT: s=1.1.1.1, d=200.2.2.2->2.2.2.2 [5]
NAT*: s=2.2.2.2->200.2.2.2, d=1.1.1.1 [5]

Note: The static NAT configuration performs translation in both directions; this is a very important concept that will help you understand the next lab.

R1#Show ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
---   ---             ---            200.2.2.2       2.2.2.2
icmp  1.1.1.1:0       1.1.1.1:0      200.2.2.2:0     2.2.2.2:0

The first line states that any ingress traffic with a source IP address of 2.2.2.2 (Outside Global) should be translated to 200.2.2.2 (Outside Local), which means an outside IP address that can be accessed locally.

The second line reveals what happened when the local host with an IP address of 1.1.1.1 (Inside local) tried to communicate with an IP address of 200.2.2.2 (Outside local) on the outside network: the outside local IP address was translated to an outside global IP address of 2.2.2.2.

Task 2

Erase the startup configuration and reload the routers before proceeding to the next lab.

Lab 14 — Translation of the Outside Source - II

[Topology diagram: 12.1.1.0/24 link between R1 and R2; 23.1.1.0/24 link between R2 and R3]

Lab Setup:

To copy and paste the initial configurations, go to "http://micronics.nI" > "Advanced-init" > "NAT" > "Lab-14".

Task 1

R2 is the NAT router; R2's S1/1 interface should be configured as the Inside domain and R2's S1/3 interface should be configured as the Outside domain. Configure R2 such that R3 can ping 12.1.1.1. You should configure Static NAT on R2 to accomplish this task.
DO NOT configure any static or dynamic routing, PBR, or PAT on R2.

Before we configure the static NAT, let's define the NAT domains:

On R2:

R2(config)#Int S1/1
R2(config-if)#IP NAT Inside
R2(config)#Int S1/3
R2(config-if)#IP NAT Outside

Since R3 is in the Outside NAT domain, the following Static NAT is configured to translate the source IP address of 23.1.1.3 for ingress traffic to 12.1.1.3:

R2(config)#ip nat outside source static 23.1.1.3 12.1.1.3

To verify the configuration:

On R2:

R2#Show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  ---             ---            12.1.1.3        23.1.1.3

To test the configuration:

On R3:

R3#Ping 12.1.1.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)

What happened? Let's check the translation table of R2:

On R2:

R2#Show ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
---   ---             ---            12.1.1.3        23.1.1.3
icmp  12.1.1.1:8      12.1.1.1:8     12.1.1.3:8      23.1.1.3:8

The NAT translation table reveals that when the NAT router (R2) received a packet on its Outside interface (S1/3) with a source IP address of 23.1.1.3, it translated the source IP address of 23.1.1.3 to 12.1.1.3; then R2 consulted its routing table and sent the packet to R1.

R2#Show ip route 12.1.1.1
Routing entry for 12.1.1.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Serial1/1
      Route metric is 0, traffic share count is 1

Let's verify that the traffic actually made it to R1. To reveal this fact, let's enable "Debug ip packet detail" on R1, ping 12.1.1.1 from R3, and examine the output of the debug on R1:

On R1:

R1(config)#No service time debug
R1#Debug ip packet detail
IP packet debugging is on (detailed)

On R3:

R3#Ping 12.1.1.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)

Let's check R1's console for the debug output:

On R1:

IP: s=12.1.1.3 (Serial1/2), d=12.1.1.1, len 100, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=12.1.1.3 (Serial1/2), d=12.1.1.1 (Serial1/2), routed via RIB
IP: s=12.1.1.3 (Serial1/2), d=12.1.1.1 (Serial1/2), len 100, rcvd 3
IP: s=12.1.1.3 (Serial1/2), d=12.1.1.1, len 100, stop process pak for forus packet

We can see that R1 received the ICMP packet generated by R3: R1 received the packet with a source IP address of 12.1.1.3 (the translated source IP address of R3), and it replied back with a source IP address of 12.1.1.1 destined to 12.1.1.3. So the problem must be on R2. Why didn't R2 send the packet back to R3? Remember the following important facts:

* When traffic is received on the Outside interface, NAT occurs before routing.
* When traffic is received on the Inside interface, routing occurs before NAT.

When R2 received the traffic from R1 on its Inside interface, it looked for a route for the 12.1.1.3 destination, and since it did not see a route for that destination, the packet was dropped. Let's add a static route for the 12.1.1.3 destination and verify the result:

On R2:

R2(config)#IP route 12.1.1.3 255.255.255.255 23.1.1.3

To test the configuration:

On R3:

R3#Ping 12.1.1.1 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 60/60/60 ms

Let's check the NAT translation table:

On R2:

R2#Show ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
---   ---             ---            12.1.1.3        23.1.1.3
icmp  12.1.1.1:12     12.1.1.1:12    12.1.1.3:12     23.1.1.3:12

But the task stated that static or dynamic routing and PBR are prohibited, so how are we going to accomplish this task?

The task can be resolved by adding the "add-route" keyword at the end of the "ip nat outside source static" statement. Let's configure the keyword, remove the static route, and test and verify:

On R2:

R2(config)#ip nat outside source static 23.1.1.3 12.1.1.3 add-route
R2(config)#No ip route 12.1.1.3 255.255.255.255 23.1.1.3

To verify the configuration:

On R2:

R2#Show ip route
Gateway of last resort is not set

      12.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        12.1.1.0/24 is directly connected, Serial1/1
L        12.1.1.2/32 is directly connected, Serial1/1
S        12.1.1.3/32 [1/0] via 23.1.1.3
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/24 is directly connected, Serial1/3
L        23.1.1.2/32 is directly connected, Serial1/3

We can see that the "add-route" keyword added the static route for us (the "S 12.1.1.3/32" entry above).

To test the configuration:

On R3:

R3#Ping 12.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/81/84 ms

On R2:

R2#Show ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
---   ---             ---            12.1.1.3        23.1.1.3
icmp  12.1.1.1:18     12.1.1.1:18    12.1.1.3:18     23.1.1.3:18

Erase the startup configuration and reload the routers before proceeding to the next lab.
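The two facts above (NAT before routing on the Outside interface, routing before NAT on the Inside interface) are what the following Python model encodes. It is an added illustration, not the workbook's or IOS's code. Fed R2's interfaces, connected routes and the outside-source static entry of Lab 14, it shows R3's request being translated and then routed to R1, and R1's reply being routed by the connected 12.1.1.0/24 entry back towards the inside domain, so it never reaches the outside domain and is never translated back to 23.1.1.3 (the failure the lab observes); with "add-route" the /32 host route wins the longest match, the reply leaves S1/3, and its destination is rewritten. It also covers the bidirectional behaviour of Lab 13, since the same static entry is applied as a source rewrite inbound and a destination rewrite outbound. The interface names and addresses are R2's from the lab; the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Packet = Tuple[str, str, str]   # (egress interface, source, destination)


@dataclass
class NatRouter:
    """Order-of-operations model of an IOS-style NAT router (this example's
    own names). Routes map a prefix to the egress interface."""
    domain: Dict[str, str]                         # iface -> "inside" | "outside"
    routes: Dict[str, str]                         # prefix -> egress iface
    outside_static: Dict[str, str] = field(default_factory=dict)  # outside global -> outside local

    def enable_add_route(self) -> None:
        """The "add-route" keyword: a host route for each outside local
        address, pointing the way the outside global address is reached."""
        for glob, local in self.outside_static.items():
            self.routes[f"{local}/32"] = self.route(glob)

    def route(self, ip: str) -> Optional[str]:
        """Longest-prefix match; None when no route exists."""
        addr = ipaddress.ip_address(ip)
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, ingress: str, src: str, dst: str) -> Optional[Packet]:
        """Returns the packet as it leaves the router, or None if dropped."""
        if self.domain[ingress] == "outside":
            # outside -> inside: translate the source first, then route
            src = self.outside_static.get(src, src)
            egress = self.route(dst)
            return None if egress is None else (egress, src, dst)
        # inside -> outside: route first; the reverse translation is only
        # applied to traffic that actually leaves towards the outside domain
        egress = self.route(dst)
        if egress is None:
            return None
        if self.domain[egress] == "outside":
            reverse = {local: glob for glob, local in self.outside_static.items()}
            dst = reverse.get(dst, dst)
        return (egress, src, dst)


def build_r2(add_route: bool) -> NatRouter:
    """R2 of Lab 14: S1/1 inside, S1/3 outside, one outside-source static."""
    r2 = NatRouter(domain={"S1/1": "inside", "S1/3": "outside"},
                   routes={"12.1.1.0/24": "S1/1", "23.1.1.0/24": "S1/3"},
                   outside_static={"23.1.1.3": "12.1.1.3"})
    if add_route:
        r2.enable_add_route()
    return r2


def lab14_request(add_route: bool = False) -> Optional[Packet]:
    """R3's echo request arriving on the outside interface S1/3."""
    return build_r2(add_route).forward("S1/3", "23.1.1.3", "12.1.1.1")


def lab14_reply(add_route: bool) -> Optional[Packet]:
    """R1's echo reply arriving on the inside interface S1/1."""
    return build_r2(add_route).forward("S1/1", "12.1.1.1", "12.1.1.3")


if __name__ == "__main__":
    print("request            :", lab14_request())
    print("reply, no add-route:", lab14_reply(False))
    print("reply, add-route   :", lab14_reply(True))
```

Reading the three results together shows why the lab needs a route at all: the translation entry exists the whole time, but for inside-to-outside traffic it is only consulted after the routing decision, so the reply has to be routed towards the outside domain before 12.1.1.3 can become 23.1.1.3 again.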
Lab 15 — NAT on a Stick

[Topology diagram: R1, R2 and R3 on the 123.1.1.0/24 segment; R2's F0/0 is .2 and its Lo0 is 10.2.2.2/24]

Lab Setup:

To copy and paste the initial configurations, go to "http://micronics.nI" > "Advanced-init" > "NAT" > "Lab-15".

Task 1

The traffic between the loopback0 interfaces of R1 and R2 should traverse through R3; R3 should be configured such that it translates 10.1.1.1 to 100.1.1.1 and 10.2.2.2 to 200.2.2.2.

Note: This situation is probably one of the few scenarios where a "NAT on a stick" configuration comes in handy. The tricky part is that the NAT router has one interface; in a normal scenario, you need two interfaces. One interface should be configured as outside and the second interface should be configured as inside. In this scenario, since there is one physical interface and a loopback interface, PBR is utilized to accomplish this task.

On R3:

The loopback 0 interface is set as the inside:

R3(config)#int Lo0
R3(config-if)#ip nat inside

In the following configuration, the F0/0 interface is set as the NAT outside interface. The route-map called "TST" is also applied to this interface and, lastly, IP redirects are disabled so packets originated from R1 are not redirected to R2.

R3(config)#int F0/0
R3(config-if)#ip nat outside
R3(config-if)#ip policy route-map TST
R3(config-if)#no ip redirects

The following access-list identifies the communication between the Lo0 of R1 and the globally unique IP address of R2's Lo0 interface:

R3(config)#access-list 100 permit ip host 10.1.1.1 host 200.2.2.2

The following route-map called "TST" references the above access-list and sets the interface to the Lo0 interface of the local router (R3), which is configured as "ip nat inside"; so if 10.1.1.1 tries to communicate with 200.2.2.2, the following PBR will send the traffic to the Loopback0 interface of R3:

R3(config)#route-map TST permit 10
R3(config-route-map)#match ip addr 100
R3(config-route-map)#set interface Lo0

In the following Static NAT configuration, traffic received on the inside interface with a source IP address of 10.1.1.1 will have its source IP address translated to 100.1.1.1:

R3(config)#ip nat inside source static 10.1.1.1 100.1.1.1

In the following static NAT configuration, traffic received on the outside interface with a source IP address of 10.2.2.2 will have its source address translated to 200.2.2.2:

R3(config)#ip nat outside source static 10.2.2.2 200.2.2.2

The following three static routes are needed for this communication to occur; these static routes will be explained in detail when the scenario is tested:

R3(config)#ip route 10.1.1.0 255.255.255.0 123.1.1.1
R3(config)#ip route 10.2.2.0 255.255.255.0 123.1.1.2
R3(config)#ip route 200.2.2.0 255.255.255.0 123.1.1.2

To verify the configuration:

On R3:

R3#Show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  ---             ---            200.2.2.2       10.2.2.2

To test and verify the configuration:

On R3:

Before testing and explaining the scenario, let's see if the traffic from the Loopback0 interface of R1 destined to R3's global IP address is policy routed:

R3#Debug ip policy
Policy routing debugging is on

On R1:

R1#Ping 200.2.2.2 Source 10.1.1.1 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms

Well, we can see that the test worked, but let's focus on the output of the debug command and verify that the traffic from the loopback0 interface of R1 destined to the global IP address of R3 is PBRed:

On R3:

We should see the following debug output. The output reveals that the traffic sourced from 10.1.1.1 and destined to 200.2.2.2 matches item 10 of our route-map called "TST", which sets the interface to the Loopback0 interface of R3. The last line reveals that the communication sourced from 200.2.2.2 destined to 10.1.1.1 is NOT policy routed, because it was NOT referenced in the route-map:

IP: s=10.1.1.1 (FastEthernet0/0), d=200.2.2.2, len 100, FIB policy match
IP: s=10.1.1.1 (FastEthernet0/0), d=200.2.2.2, len 100, policy match
IP: route map TST, item 10, permit
IP: s=10.1.1.1 (FastEthernet0/0), d=200.2.2.2 (Loopback0), len 100, policy routed
IP: FastEthernet0/0 to Loopback0 131.1.123.2
IP: s=200.2.2.2 (FastEthernet0/0), d=10.1.1.1, len 100, FIB policy rejected(no match) - normal forwarding

Let's disable the "Debug ip policy" on R3:

On R3:

R3#Undebug all
All possible debugging has been turned off

Now, let's see what happens in detail; to accomplish this, "Debug ip nat" is enabled on R3:

On R3:

R3#Debug ip nat
IP NAT debugging is on

On R1:

R1#Ping 200.2.2.2 source 10.1.1.1 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 200.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

On R3:

You should see the following debugging output on R3:

NAT: s=10.1.1.1->100.1.1.1, d=200.2.2.2 [27]
NAT: s=100.1.1.1, d=200.2.2.2->10.2.2.2 [27]
NAT*: s=10.2.2.2->200.2.2.2, d=100.1.1.1 [27]
NAT*: s=200.2.2.2, d=100.1.1.1->10.1.1.1 [27]

R1 sources a ping from its Lo0 interface to 200.2.2.2; it uses a local route to reach that network. Let's check the route in R1's routing table:

R1#Show ip route 200.2.2.2
Routing entry for 200.2.2.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 123.1.1.3
      Route metric is 0, traffic share count is 1

The packet is sent to 123.1.1.3 (R3). R3 is configured with PBR, and this packet matches the policy because of the access-list that is configured on R3:

R3(config)#access-list 100 permit ip host 10.1.1.1 host 200.2.2.2

so the packet is sent to the Lo0 interface of R3. The loopback 0 interface of R3 is configured as "IP Nat Inside"; therefore, routing is checked before NATting can occur. There is a static route for network 200.2.2.0/24 pointing to 123.1.1.2, so the route is there; therefore, the source IP address of the packet is NATted from 10.1.1.1 to 100.1.1.1 and sent to 200.2.2.2 with a next-hop IP address of 123.1.1.2.

NAT: s=10.1.1.1->100.1.1.1, d=200.2.2.2 [20]

R3#Show ip route 200.2.2.2
Routing entry for 200.2.2.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 123.1.1.2
      Route metric is 0, traffic share count is 1

NAT: s=100.1.1.1, d=200.2.2.2->10.2.2.2 [26]

Before the packet is sent to 123.1.1.2, the destination of the packet (200.2.2.2) is translated to 10.2.2.2; this is done because of the "ip nat outside source static 10.2.2.2 200.2.2.2" command. The reason R3 routes the packet to the 10.2.2.0/24 network is that a static route is configured for that network:

R3#Show ip route 10.2.2.2
Routing entry for 10.2.2.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 123.1.1.2
      Route metric is 0, traffic share count is 1

R2 receives a packet with a source IP address of 100.1.1.1 destined to its 10.2.2.2; it consults its routing table and forwards the packet to its Loopback0 interface:

R2#Show ip route 10.2.2.2
Routing entry for 10.2.2.2/32
  Known via "connected", distance 0, metric 0 (connected)
  Routing Descriptor Blocks:
  * directly connected, via Loopback0
      Route metric is 0, traffic share count is 1

R2 responds back using 10.2.2.2 as the source and 100.1.1.1 as the destination. This process is successful because of a static route that was configured on R2 (part of the initial configuration):

R2#Show ip route 100.1.1.1
Routing entry for 100.1.1.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 123.1.1.3
      Route metric is 0, traffic share count is 1

The packet is forwarded to R3 (123.1.1.3). R3 receives a packet which is destined to 100.1.1.1 from 10.2.2.2; this packet is received on the F0/0 interface of R3, which is configured as "IP Nat Outside". When a packet is received on an interface that is configured as "IP Nat Outside", NATting happens before routing, so the packet is NATted:

NAT*: s=10.2.2.2->200.2.2.2, d=100.1.1.1 [26]

The above debug output reveals that the source IP address of 10.2.2.2 is translated to 200.2.2.2, with the packet still destined to 100.1.1.1.
Because of the “IP Nat inside source 10.1.1.1 100.1.1.1” command, the destination IP address of 100.1.1.1 is translated to 10.1.1.1: CCIE R&S by Narbik Kocharians Advanced CTE R&S Work Rook Page 117 of 22 ‘22014 Nac: Kocbarins I eights served R3 (config) #ip nat inside source static 10.1.1.1 100.1.1.1 3 consults its routing table for network 10.1.1.0 /24: R34Show ip route 10.1.1.1 Routing entry for 10.1.1.0/24 Known ‘via "static", distance 1, metric 0 Routing Descriptor Blocks: #2123... Route metric is 0, traffic share count is 1 The packet is forwarded to 123.1.1.1. R3#Show ip nat translations Pro Inside global Inside local Outside local Outside global 200.2.2.2 10.2.2.2 domp 100.2.1. 1. 200.2.2.2:15 10.2.2.2:15 Erase the startup configuration and reload the routers before proceeding to the next lab, CCIE RAS by Narbik Kocharians Advanced CCTE R&S Work Book v5.0 Page 118 of 222 {© 014 Rack Kocharlan. Al righ reserved Lab 16 - NAT Virtual Interface Lab Setup: To copy and paste the initial configurations, go to “http://micronics.nI” >7Advanced-init”> “NAT” >"Lab-16". Task 1 Configure RIPV2 on the FO/0 interfaces of R1 and R2, disable auto summarization. On Ri and R2: Rx (config) #Router rip Rx (config-router) #No au Rx (config-router) #ver 2 Rx (config-router) Network 12.0.0.0 Task 2 Configure a default route on R3 pointing to R2’s FO/1 interface's IP address. CCIE RAS by Narbik Kocharians Advanced CCTE R&S Work Book ¥5.0 Page 119 of 222 {© 1014 Narbik Kocharkns, A right reserved On R3: R3 (config) #IP route 0.0.0.0 0.0.0.0 23.1.1.2 3 Configure R2 such that when R1 communicates with R3, R1’s FO/0 interface’s IP address is translated to 100.1.1.1/24. You should configure NAT, DO NOT configure the “IP NAT Inside” or “IP NAT Outside” interface configuration, PBR, or static route/s to accomplish this task. 
On R2:

R2(config)#Int F0/0
R2(config-if)#Ip nat enable
R2(config)#Int F0/1
R2(config-if)#Ip nat enable
R2(config)#Ip access-list standard TST
R2(config-std-nacl)#Permit host 12.1.1.1
R2(config)#Ip nat pool TST-POOL 100.1.1.1 100.1.1.1 prefix-length 24 add-route
R2(config)#Ip nat source list TST pool TST-POOL

To verify the routing table:

On R2:

R2#Show ip route | B Gateway
Gateway of last resort is not set

      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/24 is directly connected, FastEthernet0/0
L        12.1.1.2/32 is directly connected, FastEthernet0/0
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/24 is directly connected, FastEthernet0/1
L        23.1.1.2/32 is directly connected, FastEthernet0/1
      100.0.0.0/24 is subnetted, 1 subnets
S        100.1.1.0 [0/0] via 0.0.0.0, NVI0

In order for R1 to communicate with R3 using R3's F0/1 interface's IP address, R2 should "redistribute connected" into the RIP routing domain so R1 can see network 23.1.1.0/24 in its routing table.

On R2:

R2(config)#Router rip
R2(config-router)#Redistribute connected metric 5

To verify the configuration:

On R1:

R1#Show ip route rip | B Gate
Gateway of last resort is not set

      23.0.0.0/24 is subnetted, 1 subnets
R        23.1.1.0 [120/5] via 12.1.1.2, 00:00:03, FastEthernet0/0

To test the configuration:

On R1:

R1#Ping 23.1.1.3 rep 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms

On R2:

R2#Show ip nat nvi translations
Pro  Source global      Source local       Destin local       Destin global
icmp 100.1.1.1:3       12.1.1.1:3         23.1.1.3:3         23.1.1.3:3
---  100.1.1.1          12.1.1.1           ---                ---

Let's explain the process:

R1 pings 23.1.1.3. Because R2 is redistributing connected, R1 knows how to reach that network and forwards the packet to R2. R2 translates the source IP address of 12.1.1.1 to 100.1.1.1 and sends it to its destination IP address of 23.1.1.3. R3 receives the packet and uses its default route to forward the reply to R2. In an NVI configuration, routing occurs before NATting; therefore, if the static route to NVI0 for network 100.1.1.0/24 is not in R2's routing table, the reply will be dropped. The "add-route" keyword installed that route, so the condition is satisfied, the packet is NATted back to 12.1.1.1, and it is forwarded to R1.

Task 4
Remove the following commands from R2:

• The standard access-list called "TST"
• The NAT pool called "TST-POOL"
• The "ip nat source" statement
• The "redistribute connected" from the RIP routing protocol

On R2:

R2#Clear ip nat nvi trans *
R2(config)#No ip access-list standard TST
R2(config)#No ip nat pool TST-POOL
R2(config)#No ip nat source list TST pool TST-POOL
R2(config)#Router rip
R2(config-router)#No redistribute connected

Task 5
Configure R2 such that when R1 originates any kind of communication with R3, R1's F0/0 interface's IP address is translated to 100.1.1.1/24, and when R3 originates any kind of communication with R1, its source IP address (23.1.1.3) is translated to 200.1.1.3. DO NOT configure the "ip nat inside" or "ip nat outside" interface configuration, PBR, or static route/s to accomplish this task.

In this case we have to configure two NAT pools, one for 100.1.1.1 and the second one for 200.1.1.3.

On R2:

R2(config)#Ip nat pool R3 200.1.1.3 200.1.1.3 prefix-length 24 add-route
R2(config)#Ip nat pool R1 100.1.1.1 100.1.1.1 prefix-length 24 add-route

Two access-lists are configured, one that references R1's source IP address (12.1.1.1) and the second one that references R3's source IP address (23.1.1.3):

R2(config)#Ip access-list standard R1-ACL
R2(config-std-nacl)#Permit host 12.1.1.1
R2(config)#Ip access-list standard R3-ACL
R2(config-std-nacl)#Permit host 23.1.1.3

In the final step, we have to configure two NAT statements, one for R1's source and the second one for R3's source:

R2(config)#Ip nat source list R1-ACL pool R1
R2(config)#Ip nat source list R3-ACL pool R3

Let's test and verify the configuration:

On R2:

R2#Show ip route | b Gateway
Gateway of last resort is not set

      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/24 is directly connected, FastEthernet0/0
L        12.1.1.2/32 is directly connected, FastEthernet0/0
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/24 is directly connected, FastEthernet0/1
L        23.1.1.2/32 is directly connected, FastEthernet0/1
      100.0.0.0/24 is subnetted, 1 subnets
S        100.1.1.0 [0/0] via 0.0.0.0, NVI0
S     200.1.1.0/24 [0/0] via 0.0.0.0, NVI0

The following two redistributions must be configured or else this will not work. The first redistribution (redistribute connected) is needed so R1 has reachability to 23.1.1.3; if this is not configured, a static default route on R1 can also do the trick. The second one (redistribute static) is needed so R1 can reply back to 200.1.1.3 when the ping is issued on R3.

R2(config)#Router rip
R2(config-router)#Redistribute connected metric 5
R2(config-router)#Redistribute static metric 5

To verify the configuration:

On R1:

R1#Show ip route rip | B Gate
Gateway of last resort is not set

      23.0.0.0/24 is subnetted, 1 subnets
R        23.1.1.0 [120/5] via 12.1.1.2, 00:00:03, FastEthernet0/0
      100.0.0.0/24 is subnetted, 1 subnets
R        100.1.1.0 [120/5] via 12.1.1.2, 00:00:03, FastEthernet0/0
R     200.1.1.0/24 [120/5] via 12.1.1.2, 00:00:03, FastEthernet0/0

On R2:

R2#Debug ip nat
IP NAT debugging is on

On R1:

R1#Ping 23.1.1.3 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

On R2:

R2#Show ip nat nvi translations
Pro  Source global      Source local       Destin local       Destin global
icmp 100.1.1.1:7       12.1.1.1:7         23.1.1.3:7         23.1.1.3:7
---  100.1.1.1          12.1.1.1           ---                ---

NOW, let's generate the ping from R3:

On R3:

R3#Ping 12.1.1.1 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

On R2:

On R3:

R3#Ping 100.1.1.1 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

On R2:

NAT*: s=23.1.1.3->200.1.1.3, d=100.1.1.1 [8]
NAT*: s=200.1.1.3, d=100.1.1.1->12.1.1.1 [8]
NAT*: s=12.1.1.1->100.1.1.1, d=200.1.1.3 [8]
NAT*: s=100.1.1.1, d=200.1.1.3->23.1.1.3 [8]

Task 6
Erase the startup configuration and reload the routers before proceeding to the next lab.
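The order of operations that Lab 15 and Lab 16 depend on (outside interface: NAT before PBR and routing; inside interface and NVI: routing before NAT, which is why the pool's "add-route" must exist) can be replayed in a small model. The following Python example is added here and is not the workbook's code; it encodes R3's Lab 15 configuration and R2's Lab 16 Task 5 configuration, produces the same "debug ip nat" lines, and shows the NVI reply being dropped when the route to 100.1.1.0/24 is missing.

```python
"""Order-of-operations model for the Lab 15 "NAT on a stick" flow on R3 and the
Lab 16 NVI flow on R2 (added example, not the workbook's code). It reproduces
the 'debug ip nat' lines the labs show from each lab's routes and NAT entries."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Router:
    routes: dict                      # prefix -> next hop or egress interface
    nat_role: dict                    # interface -> "inside" | "outside" | "nvi"
    inside_static: dict = field(default_factory=dict)   # inside local -> inside global
    outside_static: dict = field(default_factory=dict)  # outside local -> outside global
    nvi_source: dict = field(default_factory=dict)      # 'ip nat source list': local -> global
    pbr: list = field(default_factory=list)             # (src, dst, set interface)
    log: list = field(default_factory=list)             # emulated 'debug ip nat' output

    def lookup(self, dst):
        """Longest-prefix match over the routing table; None means no route."""
        best = None
        for prefix, nh in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def inverse(mapping):
    return {glob: loc for loc, glob in mapping.items()}


def translate(pkt, src_map, dst_map, tag, log):
    """Rewrite the source via src_map and the destination via dst_map."""
    src, dst = pkt.src, pkt.dst
    if src in src_map:
        log.append(f"{tag}: s={src}->{src_map[src]}, d={dst}")
        src = src_map[src]
    if dst in dst_map:
        log.append(f"{tag}: s={src}, d={dst}->{dst_map[dst]}")
        dst = dst_map[dst]
    return Packet(src, dst)


def forward(r, pkt, in_if):
    """Apply the IOS order of operations to a packet arriving on in_if.
    Returns (egress packet, next hop); (None, None) means the packet is dropped."""
    role = r.nat_role[in_if]
    if role == "outside":
        # Outside interface: NAT (outside-to-inside) happens BEFORE PBR and routing.
        pkt = translate(pkt, r.outside_static, inverse(r.inside_static), "NAT*", r.log)
        for src, dst, iface in r.pbr:
            if (pkt.src, pkt.dst) == (src, dst):
                return forward(r, pkt, iface)   # policy-routed to Lo0, re-enters as inside
        return pkt, r.lookup(pkt.dst)
    nh = r.lookup(pkt.dst)
    if nh is None:
        return None, None                        # inside and NVI: no route -> dropped before NAT
    if role == "inside":
        pkt = translate(pkt, r.inside_static, inverse(r.outside_static), "NAT", r.log)
        return pkt, nh
    # NVI: routed to NVI0 first, translated, then routed again on the new destination
    pkt = translate(pkt, r.nvi_source, inverse(r.nvi_source), "NAT*", r.log)
    return pkt, r.lookup(pkt.dst)


def lab15_round_trip():
    """R1's Lo0 (10.1.1.1) pings 200.2.2.2 through R3; R2's reply comes back."""
    r3 = Router(
        routes={"10.1.1.0/24": "123.1.1.1", "10.2.2.0/24": "123.1.1.2",
                "200.2.2.0/24": "123.1.1.2"},
        nat_role={"FastEthernet0/0": "outside", "Loopback0": "inside"},
        inside_static={"10.1.1.1": "100.1.1.1"},
        outside_static={"10.2.2.2": "200.2.2.2"},
        pbr=[("10.1.1.1", "200.2.2.2", "Loopback0")],
    )
    echo = forward(r3, Packet("10.1.1.1", "200.2.2.2"), "FastEthernet0/0")
    reply = forward(r3, Packet("10.2.2.2", "100.1.1.1"), "FastEthernet0/0")
    return echo, reply, r3.log


def lab16_reply(add_route=True):
    """R3 (23.1.1.3) answers R1 through R2's NVI. Without the pool's 'add-route'
    there is no route to 100.1.1.0/24, so the reply is dropped before translation."""
    routes = {"12.1.1.0/24": "FastEthernet0/0", "23.1.1.0/24": "FastEthernet0/1"}
    if add_route:
        routes.update({"100.1.1.0/24": "NVI0", "200.1.1.0/24": "NVI0"})
    r2 = Router(routes=routes,
                nat_role={"FastEthernet0/0": "nvi", "FastEthernet0/1": "nvi"},
                nvi_source={"12.1.1.1": "100.1.1.1", "23.1.1.3": "200.1.1.3"})
    return forward(r2, Packet("23.1.1.3", "100.1.1.1"), "FastEthernet0/1"), r2.log
```

Calling lab15_round_trip() yields the four NAT lines of Lab 15 in the order the debug shows them, and lab16_reply(add_route=False) returns (None, None) with an empty log.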
Task 1
Configure the routers based on the following policy:

Configure DMVPN Phase 1 such that R1 is configured as the hub, and routers R7 and R8 are configured as the spokes.

In the above diagram, SW1 should be configured to represent the Internet and provide routing to R1's F0/0 and R7's and R8's G0/0 interfaces for the DMVPN network. Configure 192.1.1.10/24, 192.1.7.10/24, and 192.1.8.10/24 on SW1 for ports F0/1, F0/7 and F0/8 respectively.

R1, R7 and R8 should be configured with static routes to reach the IP addresses of the routers connected to this DMVPN network; these routers should use the IP address of the switchport to which they are connected as their gateway. The static routes should be configured for each IP address; DO NOT configure a static default route to accomplish this task. R1 should NOT be configured with static mappings for the DMVPN endpoints; provide multicast capability.

Configure R7's and R8's G0/1 interfaces and R4's F0/1 interface in VLAN 478.

On SW2:

SW2(config)#Int F0/23
SW2(config-if)#Switchport trunk encap dot1q
SW2(config-if)#Switchport mode trunk
SW2(config-if)#No shut
SW2(config)#Int range F0/4, F0/7
SW2(config-if-range)#Switchport mode access
SW2(config-if-range)#Switchport access vlan 478
SW2(config-if-range)#No shut

On SW3:

SW3(config)#int f0/23
SW3(config-if)#Swi trunk enc dot
SW3(config-if)#Swi mode trunk
SW3(config-if)#No shut
SW3(config)#int f0/8
SW3(config-if)#Swi mode access
SW3(config-if)#Swi access vlan 478
SW3(config-if)#No shut

On R7:

R7(config)#int G0/1
R7(config-if)#ip addr 10.1.1.7 255.255.255.0
R7(config-if)#No shut
R7(config)#Int lo0
R7(config-if)#ip addr 1.1.1.7 255.255.255.255

On R8:

R8(config)#int G0/1
R8(config-if)#ip addr 10.1.1.8 255.255.255.0
R8(config-if)#No shut
R8(config-if)#Int lo0
R8(config-if)#Ip addr 1.1.1.8 255.255.255.255

On R4:

R4(config)#int f0/1
R4(config-if)#ip addr 10.1.1.4 255.255.255.0
R4(config-if)#No shut
R4(config)#Int lo0
R4(config-if)#ip addr 1.1.1.4 255.255.255.255

To verify and test the configuration:

On R4:

R4#Ping 10.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

R4#Ping 10.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Let's configure DMVPN Phase 1; before the tunnel is configured, the switch is configured to represent the Internet:

On SW1:

SW1(config)#ip routing
SW1(config)#int f0/1
SW1(config-if)#No swi
SW1(config-if)#ip addr 192.1.1.10 255.255.255.0
SW1(config-if)#No shut
SW1(config)#int f0/7
SW1(config-if)#No swi
SW1(config-if)#ip addr 192.1.7.10 255.255.255.0
SW1(config-if)#No shut
SW1(config)#int f0/8
SW1(config-if)#No swi
SW1(config-if)#ip addr 192.1.8.10 255.255.255.0
SW1(config-if)#No shut

On R1:

R1(config)#Int lo0
R1(config-if)#Ip addr 1.1.1.1 255.255.255.255
R1(config)#Int F0/0
R1(config-if)#Ip addr 192.1.1.1 255.255.255.0
R1(config-if)#No shut
R1(config)#ip route 192.1.7.7 255.255.255.255 192.1.1.10
R1(config)#ip route 192.1.8.8 255.255.255.255 192.1.1.10

On R7:

R7(config)#Int G0/0
R7(config-if)#Ip addr 192.1.7.7 255.255.255.0
R7(config-if)#No shut
R7(config)#ip route 192.1.1.1 255.255.255.255 192.1.7.10
R7(config)#ip route 192.1.8.8 255.255.255.255 192.1.7.10

On R8:

R8(config)#Int G0/0
R8(config-if)#Ip addr 192.1.8.8 255.255.255.0
R8(config-if)#No shut
R8(config)#ip route 192.1.1.1 255.255.255.255 192.1.8.10
R8(config)#ip route 192.1.7.7 255.255.255.255 192.1.8.10

To verify the configuration:

On R1:

R1#Ping 192.1.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.7.7, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 192.1.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.8.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Let's configure the tunnel interfaces:

On R1:

R1(config)#Int tunnel 178
R1(config-if)#Ip addr 178.1.1.1 255.255.255.0
R1(config-if)#Tunnel source F0/0
R1(config-if)#Tunnel mode gre multipoint
R1(config-if)#Ip nhrp network-id 111
R1(config-if)#Ip nhrp map multicast dynamic

On R7:

R7(config)#Int tunnel 178
R7(config-if)#Ip addr 178.1.1.7 255.255.255.0
R7(config-if)#Tunnel source G0/0
R7(config-if)#Tunnel destination 192.1.1.1
R7(config-if)#Ip nhrp network-id 777
R7(config-if)#Ip nhrp map 178.1.1.1 192.1.1.1
R7(config-if)#Ip nhrp nhs 178.1.1.1

On R8:

R8(config)#int tunnel 178
R8(config-if)#ip addr 178.1.1.8 255.255.255.0
R8(config-if)#Tunnel source G0/0
R8(config-if)#Tunnel destination 192.1.1.1
R8(config-if)#Ip nhrp network-id 888
R8(config-if)#Ip nhrp map 178.1.1.1 192.1.1.1
R8(config-if)#Ip nhrp nhs 178.1.1.1

To verify and test the configuration:

On R1:

R1#Show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel178, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.1.7.7           178.1.1.7    UP              D
     1 192.1.8.8           178.1.1.8    UP 00:00:18     D

R1#Show ip nhrp
178.1.1.7/32 via 178.1.1.7
   Tunnel178 created 00:03:08, expire 01:56:51
   Type: dynamic, Flags: unique registered
   NBMA address: 192.1.7.7
178.1.1.8/32 via 178.1.1.8
   Tunnel178 created 00:01:43, expire 01:58:16
   Type: dynamic, Flags: unique registered
   NBMA address: 192.1.8.8

R1#Ping 178.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 178.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R1#Ping 178.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 178.1.1.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

On R7:

R7#Show dmvpn | B Interface
Interface: Tunnel178, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.1.1.1           178.1.1.1    UP 00:04:31     S

R7#Show ip nhrp
178.1.1.1/32 via 178.1.1.1
   Tunnel178 created 00:05:07, never expire
   Type: static, Flags:
   NBMA address: 192.1.1.1

R7#Ping 178.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 178.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R7#Ping 178.1.1.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 178.1.1.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R7#Traceroute 178.1.1.8 Numeric
Type escape sequence to abort.
Tracing the route to 178.1.1.8
VRF info: (vrf in name/id, vrf out name/id)
  1 178.1.1.1 4 msec 0 msec 4 msec
  2 178.1.1.8 0 msec * 0 msec

On R8:

R8#Show dmvpn | B Interface
Interface: Tunnel178, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.1.1.1           178.1.1.1    UP 00:05:35     S

R8#Show ip nhrp
178.1.1.1/32 via 178.1.1.1
   Tunnel178 created 00:06:26, never expire
   Type: static, Flags:
   NBMA address: 192.1.1.1

R8#Ping 178.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 178.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R8#Ping 178.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 178.1.1.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R8#Traceroute 178.1.1.7 Numeric
Type escape sequence to abort.
Tracing the route to 178.1.1.7
VRF info: (vrf in name/id, vrf out name/id)
  1 178.1.1.1 0 msec 4 msec 0 msec
  2 178.1.1.7 0 msec * 0 msec

Task 2
Configure RIPv2 on R1, R7 and R8. Advertise their Loopback0 and their tunnel interfaces in this routing domain. Disable auto-summarization. R7 and R8 should be configured to redistribute network 10.1.1.0/24 into the RIP routing domain.

On R1:

R1(config)#Router rip
R1(config-router)#No au
R1(config-router)#Ver 2
R1(config-router)#Netw 1.0.0.0
R1(config-router)#Netw 178.1.0.0
R1(config)#int tunnel 178
R1(config-if)#No ip split-horizon

On R7:

R7(config)#Router rip
R7(config-router)#No au
R7(config-router)#Ver 2
R7(config-router)#Netw 1.0.0.0
R7(config-router)#Netw 178.1.0.0

On R8:

R8(config)#Router rip
R8(config-router)#No au
R8(config-router)#Ver 2
R8(config-router)#Netw 1.0.0.0
R8(config-router)#Netw 178.1.0.0

To verify the configuration:

On R7:

R7#Show ip route rip | B Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 3 subnets
R        1.1.1.1 [120/1] via 178.1.1.1, 00:00:23, Tunnel178
R        1.1.1.8 [120/2] via 178.1.1.8, 00:00:01, Tunnel178

On R8:

R8#Show ip route rip | B Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 3 subnets
R        1.1.1.1 [120/1] via 178.1.1.1, 00:00:03, Tunnel178
R        1.1.1.7 [120/2] via 178.1.1.7, 00:00:03, Tunnel178

R8#Traceroute 1.1.1.7 Numeric
Type escape sequence to abort.
Tracing the route to 1.1.1.7
VRF info: (vrf in name/id, vrf out name/id)
  1 178.1.1.1 4 msec 0 msec 4 msec
  2 178.1.1.7 0 msec * 0 msec

R8#Ping 1.1.1.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.7, timeout is 2 seconds: rae Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms On R7 and R8: The following redistributes the G0/1 interfaces of R7 and R8 into the RIP routing domain. The purpose of this configuration Is for the return traffic back to Rd. In the later tasks R4 will Ping 1.1.1.1/32 prefix, and if Ri does NOT have a return path back to that 10.1.1.0/24 segment, the test will fail. CCIE RAS by Narbik Kocharians Advanced CCIE R&S Work Book v5.0 Page 135 of 222 1 2014 Narbis Kochrians, AU ight reserved Rx (config) #Route-map tst permit 10 Rx (config-route-map) #match inter G0/1 Rx (config) #Router rip Rx (config-router) #redistribute connected route-map tst To verify the configuratior OnR1 R1#Show ip route rip | B Gate Gateway st resort is not set 1.0.0.0/32 is subnetted, 3 subnets 1.1.1.7 [120/1] via 178.1.1.7, 0 1.1.1.8 [120/1] via 178.1.1.8, 0} 10.0.0.0/24 is subnetted, 1 subnets 10:2, 1071120/2] via! 17e-1.128), 00%01 [120/41] via 178.1.1.7 13, Tunnel178 Task 3 Configure VLAN 478 such that the host/s (In this case RA) in this VLAN use R8 as the primary and R7 as the backup default gateway. Use the following policy to accomplish this tas . You must use 10.1.1.78 IP address as the gateway. ONLY R4 should be configured with a single static route, the other routers should NOT be configtued with any static route/s. DO NOT change the IP address of any router. Use HSRP. ‘The Hot Standby Router Protocol or HSRP is designed to allow for transparent failover of the First-Hop IP router (The default gateways). With HSRP, HSRP’s virtual IP address (VIP) is configured as the default gateway on the hosts, and the primary router is the responsible router for this VIP. 
‘Once HSRP is configured on a network segment, it provides a VIP and a Virtual MAC Address (VMAC) that CCIE RAS by Narbik Kocharians Advanced CCME R&S Work Book v5.0 Page 136 of 222 (©2014 Narbik Kocharians All nghts reserved is shared among a group of routers running HSRP. Only one of the routers within the group is chosen as the primary or the active router. The active/Primary router receives and routes packets destined for the MAC address of the group, this is the VMAC. HSRP detects when the active/Primary router fails and selects another router from the HSRP Group as the active/primary router. The active and Standby (The Backup) election is based on the configured priority. By default, all routers within the group have a priority of 100, and the router with a higher priority value will be elected as the active/primary. ‘The routers running HSRP use a hello mechanism to detect router failure; this mechanism uses UDP-based ‘Multicast. When the active/primary router fails to send a hello message within a configured period of ‘time, the standby router with the highest priority or next highest priority will transition into active/primary router. This process is completely transparent to the hosts on that given segment. 
Let's configure HSRP on R7 and R&: On R7 and R8: Rx (config) #Int G0/1 Rx (config-if) #Standby 1 ip 10.1.1.78 You should see the following console message: ‘SHSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 1 state Speak -> Standby Let’s verify HSRP On R’ On R’ R7#Show standby GigabitEthernet0/1 - Group 1 State is Standby 1 state change, last state change 00:00:15 Virtual IP address is 10.1.1.78 Active virtual MAC address is 0000.0c07.ac01 Local virtual MAC address is 0000.0c07.ac0l (vi default) Hello time 3 sec, hold time 10 sec Next hello sent in 0.256 secs Preemption disabled Active router is 10.1.1.8, priority 100 (expires in 9.344 sec) CCTE RAS hy Narbik Kocharians Advanced CCIE R&S Work Book v5.0 Page 137 of 222 {©1014 Nari Kocharane Alright reserved Standby router is local Priority 100 (default 100) Group name is “hsrp-Gi0/1-1" (default) The output of the above show command reveals the following: HSRP group is 1 ‘The state of the local router is Standby VIP address is 10.1.1.78 MAC address id 0000.0¢07.ac01 Hellos are set to 3 seconds, and the Hold time is set to three times as much as the hello interval Preemption is disable The IP address of the active/primary router is 10.1.1.8 The local router is in standby mode ‘The name of the HSRP group is “hsrp-Gi0/1-1”. The (default) at the end of this line means that the default name is being used, meaning that we have not configured the name for this group. In HSRP we can have multiple groups; this will be configured and discussed in later tasks. The local router is in Standby mode. In this case, the of these two routers were not configured, why did R3 become the active router? If the priority of the routers within a group is identical, the router with the highest IP address will transition into Active/Primary state. ‘When HSRP is configured, the group number is specified, the VMAC address is derived from the configured ‘group number. The VMAC address is “0000.0c07.acxx”, where xx is the group number. 
If a group number is not specified in the configuration, the 10S will assign “group 0” automatically, in which case the VMAC address will be 0000.0c07.ac00”. By default, the hello intervals are set to 3 seconds and the Hold time is set to 10 seconds. ‘The preemption is disabled by default; this feature will be discussed and configured in later tasks. The IP address of the active/Primary. ‘The Group-name, the group name of the configured HSRP On R7: R2#Show standby brief P indicates configured to preempt. I Interface Grp Pri P State Active Standby Virtual IP Gi0/1 1 100 Standby 10.1.1.8 local 10.1.1.78 ‘The above show command reveals the important aspects of the configured HSRP. CCIE RAS by Narbik Kocharians Advanced CCIE RAS Work Book v5.0 Page 138 of 222 ‘© 2014 Narbik Kocharaus. AU rights reserved To complete the configuration, Ra's default gateway MUST be configured to point to the VIP address, in this case 10.1.1.23. On R4: R4 (config) #Ip route 0.0.0.0 0.0.0.0 10.1.1.78 To clear the ARP table: R4 (config) #Int FO/1 R4 (config-if) #Shut. wi for the interface to go down, then: R4 (config-if) #No shut R4#Traceroute 1.1.1.1 Numeric Type escape sequence to abort. Tracing the route to 1.1.1.1 vRF info: (vrf in name/id, vrf out name/id) 110:1.458 0 nsec 4 msec 0 msec 2178.1.1.1 4 msec * 0 msec ‘The output of the above traceroute shows that RB is the next-hop to reach the 1.1.1.1/32 prefix. R4#Ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1 Haey Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms , timeout is 2 seconds: R4#Show arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.1.1.4 = 0017,59ce.02b9 ARPA FastBthernet0/1 Internet 10.1.1.78 {gf 0" Y!00000c07 ac0l* ARPA”! Fastethernet0/i You can see that the VMAC (The Virtual MAC) address is used instead of the real MAC address of R8. 
CCTE RAS hy Narbik Kocharians Page 139 of 222 1 20)4 Nari: Kocarians, all eight reserved R4#Ping 10.1.1.78 |Type escape sequence to abort. | Sending 5, 100-byte ICMP Echos to 10.1.1.23, timeout is 2 seconds: re Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms Let's test by shutting down the G0/1 interface of the active router (RB), and check if the failover occurs: On R8: R8 (config) #Int GO/1 R8 (config-if) #Shut You should see the following console message: @HSRE“S-1STATECHANGE! “FastetherAeto/i!Gxpii!'state Active)/Ss THE QLINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down SLINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down Let's Traceroute to 1.1.1.1 IP address on R4 again and verify the output: On R4: R4#Traceroute 1.1.1.1 Numeric Type escape sequence to abort. Tracing the route to 1.1.1.1 vRF info: (vrf in name/id, vrf out name/id) 240247 4 msec 0 msec 0 msec 2°178.1.1.1 4 msec * 0 msec R4#Show arp Protocol address Age (min) Hardware Addr Interface ‘We can see that the failover worked, but the default gateway of R4 was not changed and the ARP table ies that R4 is still using 10.1.1.78 with a MAC address of 0000.0c07.ac01. CCIE RES by Navbik Kocharians Advanced CCIE R&S Work Book v5.0 Page 140 of 222 {© 2014 Narbik Kocarians. AM ight reserved Let's “No shut” the G0/1 interface of R8: On R8: R8 (config) #Int GO/1 R8 (config-if) #No shut You should see the following console message: SHSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Standby -> Active To verify the configuration: On R8: You should see the following console message: SHSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 1 state Speak -> Standby R8#Show standby brief P indicates configured to preempt. Interface Grp Pri P State Active Standby Virtual IP Gio/1 1 100 Standby 10.1.1.7 10.1.1.78 Why didn’t R8 become the active router? 
Because preemption is NOT enabled by default, let's verify this:

On R8:

R8#Show standby | Inc Pree
  Preemption disabled

Task 4

Configure the appropriate router/s such that as long as R7 is up, it is the active router. If R7 goes down, R8 should take over and become the active router, but when R7 comes back up, R7 should become the active router again and R8 should transition into the Standby state.

Let's test and verify the result before configuring the routers:

On R7:

R7#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    100   Active  local           10.1.1.8        10.1.1.78

On R8:

R8#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    100   Standby 10.1.1.7        local           10.1.1.78

Let's verify the configuration of HSRP:

On R7:

R7#Show run int g0/1 | B interface
interface GigabitEthernet0/1
 ip address 10.1.1.7 255.255.255.0
 standby 1 ip 10.1.1.78
 duplex auto
 speed auto
end

R7#Show standby
GigabitEthernet0/1 - Group 1
  State is Active
    2 state changes, last state change 02:10:21
  Virtual IP address is 10.1.1.78
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.992 secs
  Preemption disabled
  Active router is local
  Standby router is 10.1.1.8, priority 100 (expires in 8.448 sec)
  Priority 100 (default 100)
  Group name is "hsrp-Gi0/1-1" (default)

On R8:

R8#Show run int g0/1 | B interface
interface GigabitEthernet0/1
 ip address 10.1.1.8 255.255.255.0
 standby 1 ip 10.1.1.78
 duplex auto
 speed auto
end

R8#Show standby
GigabitEthernet0/1 - Group 1
  State is Standby
    4 state changes, last state change 02:10:04
  Virtual IP address is 10.1.1.78
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.256 secs
  Preemption disabled
  Active router is 10.1.1.7, priority 100 (expires in 7.968 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Gi0/1-1" (default)

To configure this task, preemption must be configured. Preemption allows the HSRP router with the highest priority to take over the active role immediately, instead of waiting for the current active router to fail. The active router is chosen first by the configured priority value (the router with the highest priority becomes active); if the priorities tie, the router with the highest IP address wins.

On R7:

R7(config)#Int G0/1
R7(config-if)#Standby 1 priority 101

NOTE: R7 was already the active router, and it simply remains active. To verify this:

R7(config-if)#Do Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    101   Active  local           10.1.1.8        10.1.1.78

NOW....let's configure the "Standby preempt" command so that as long as the local router (R7) is up, it is the active router, and verify the result:

On R7:

R7(config)#Int G0/1
R7(config-if)#Standby 1 preempt

To test the configuration:

On R7:

R7(config)#Int G0/1
R7(config-if)#Shut

On R8:

R8#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    100   Active  local           unknown         10.1.1.78

NOTE: The Standby router is "unknown" because the G0/1 interface of R7 is shut down. Let's enable the G0/1 interface of R7:

On R7:

R7(config)#Int G0/1
R7(config-if)#No shut

You should see the following console message:

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

It may take a few seconds to see the following console message:

%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 1 state Listen -> Active

To verify the configuration:

On R7:

R7#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    101 P Active  local           10.1.1.8        10.1.1.78

Task 5

Configure the appropriate router/s such that if R7's connection to R1 goes down, R8 will become the active router.

If R7's connection to R1 goes down, R7 should not remain the active router, because it would black-hole traffic to every destination behind R1. Therefore, let's configure R8 to become the active router whenever R7's connection to R1 is down.

On R7:

R7(config)#Track 10 interface g0/0 line-protocol
R7(config)#Int G0/1
R7(config-if)#Standby 1 track 10 decrement 2

On R8:

R8(config)#Int G0/1
R8(config-if)#Standby 1 preempt

The "Standby 1 track 10 decrement 2" command configures object tracking for HSRP group 1. It instructs the HSRP process of group 1 to watch tracked object 10 (the line protocol of interface G0/0, R7's link to R1); if the tracked object goes down, the process reduces the priority of this router by 2, which means:

101 (the configured priority) minus 2 (the decrement from the "Standby track" command) = 99

Since R8 has the default priority of 100, and R8 is configured with the "Standby 1 preempt" command, R8 will preempt and become the active router. Note that tracking only lowers the priority; without preemption on R8, R7 would stay active at priority 99 and the traffic would still be black-holed, so the decrement and the preempt on the other router go together.
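The rules applied in Tasks 4 and 5 (highest priority wins, highest IP address breaks a tie, an active router is only displaced by a router that is configured to preempt, and a tracked object that is down subtracts its decrement) are easy to misjudge under exam pressure. The following Python model is an added example and is not part of the workbook or of IOS: the class and function names are made up for illustration, the priorities and decrements are the values from this lab, and the simplified rule that a tie at start-up goes to the highest IP address ignores the timing effect that let R7 (the lower IP) become active first in this lab because its group came up before R8's and R8 does not preempt.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    """One member of an HSRP group (hypothetical model, not IOS code)."""
    name: str
    ip: str
    priority: int = 100            # "standby <grp> priority" (default 100)
    preempt: bool = False          # "standby <grp> preempt" (off by default)
    up: bool = True                # interface carrying the group is up
    # tracked objects: track_id -> (object_is_up, decrement)
    tracks: dict = field(default_factory=dict)

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked object that is down."""
        pri = self.priority
        for is_up, decrement in self.tracks.values():
            if not is_up:
                pri -= decrement
        return max(pri, 0)

    def rank(self):
        """Election key: highest effective priority, then highest IP address."""
        return (self.effective_priority(), IPv4Address(self.ip))


def elect(routers, current_active):
    """Return the name of the router that is Active after an event.

    current_active is the router that held the Active role before the event
    (None when the group first comes up).  A router whose interface is down
    cannot hold the role.
    """
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    best = max(alive, key=HsrpRouter.rank)
    incumbent = next((r for r in alive if r.name == current_active), None)
    if incumbent is None:
        return best.name                       # role is vacant: best ranked wins
    # An Active router is only displaced by a router that is configured to
    # preempt AND ranks strictly higher; otherwise the incumbent keeps the role.
    if best is not incumbent and best.preempt and best.rank() > incumbent.rank():
        return best.name
    return incumbent.name


def task4(preempt_on_r7: bool):
    """R7 at priority 101 fails and recovers; R8 keeps the defaults."""
    r7 = HsrpRouter("R7", "10.1.1.7", priority=101, preempt=preempt_on_r7)
    r8 = HsrpRouter("R8", "10.1.1.8")
    group = [r7, r8]
    initial = elect(group, None)
    r7.up = False
    after_failure = elect(group, initial)
    r7.up = True
    after_recovery = elect(group, after_failure)
    return initial, after_failure, after_recovery


def task5():
    """R7 tracks object 10 with decrement 2; R8 is configured to preempt."""
    r7 = HsrpRouter("R7", "10.1.1.7", priority=101, preempt=True,
                    tracks={10: (True, 2)})
    r8 = HsrpRouter("R8", "10.1.1.8", preempt=True)
    group = [r7, r8]
    initial = elect(group, None)
    r7.tracks[10] = (False, 2)                 # R7's link to R1 goes down
    while_down = (elect(group, initial), r7.effective_priority())
    r7.tracks[10] = (True, 2)                  # the link comes back
    after = elect(group, while_down[0])
    return initial, while_down, after


if __name__ == "__main__":
    print("Task 4, no preempt on R7:", task4(False))  # R8 keeps the role after R7 returns
    print("Task 4, preempt on R7:   ", task4(True))   # R7 takes the role back
    print("Task 5:", task5())                         # R8 takes over while R7 is at 99
```

Running it shows the three outcomes the lab verifies on the console: without "standby preempt" R8 stays active after R7 recovers, with it R7 returns to Active, and in Task 5 R8 takes over only while R7's effective priority is 99.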
To test the configuration:

On R7:

R7(config)#Int G0/0
R7(config-if)#Shut

You should see the following console messages:

%TRACK-6-STATE: 10 interface Gi0/0 line-protocol Up -> Down
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 1 state Active -> Speak
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 1 state Speak -> Standby

R7#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    99  P Standby 10.1.1.8        local           10.1.1.78

To test the configuration further:

On R7:

R7(config)#Int G0/0
R7(config-if)#No shut

%TRACK-6-STATE: 10 interface Gi0/0 line-protocol Down -> Up
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 1 state Standby -> Active
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel178, changed state to up

R7#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    101 P Active  local           10.1.1.8        10.1.1.78

Task 6

Configure the hello and hold timers of group 1 to 5 and 15 seconds respectively.

A "Show standby" command reveals that the default hello and hold timers are set to 3 and 10 seconds respectively. To change these timers, perform the following:

On R7 and R8:

Rx#Show standby | Inc Hello
  Hello time 3 sec, hold time 10 sec

To change the timers:

Rx(config)#Int G0/1
Rx(config-if)#Standby 1 timers 5 15

To verify the configuration:

On R8:

R8#Show standby | Inc Hello
  Hello time 5 sec, hold time 15 sec

Task 7

Configure the name of HSRP group 1 to "R7-8-HSRP-G1".

On R7 and R8:

Rx(config)#Int g0/1
Rx(config-if)#Standby 1 name R7-8-HSRP-G1

To verify the configuration:

On R8:

R8#Show standby | Inc name
  Group name is "R7-8-HSRP-G1" (cfgd)

NOTE: The "(default)" is replaced with "(cfgd)".

Task 8

Ensure that the routers send SNMP traps for HSRP to the NMS located at 1.2.3.4.

On both routers:

Rx(config)#snmp-server enable traps hsrp
Rx(config)#snmp-server host 1.2.3.4 public hsrp

The first command enables the router to generate HSRP SNMP notifications (traps or informs). The second command specifies the recipient of the notifications, so that HSRP notifications are sent to the host with IP address 1.2.3.4, using the community string "public". Note that "public" is the well-known default community and that a host entry without a version keyword sends SNMPv1 traps, so the notifications go out in clear text; in a production network use a non-default community or, better, an SNMPv3 user.

Task 9

Configure VLAN 478 such that half of the users use R7 as the primary default gateway and R8 as the backup, and the other half use R8 as the primary and R7 as the backup default gateway. Use the following IP addresses to accomplish this task: 10.1.1.77 and 10.1.1.88.

Multiple HSRP groups enable load sharing within a given network while still providing full redundancy. With this feature R7 can be the active router for group 1 and the standby router for group 2, whereas R8 can be the active router for group 2 and the standby router for group 1. This feature can be used for multiple VLANs or a single VLAN.
On R7:

R7(config)#Int G0/1
R7(config-if)#Standby 1 ip 10.1.1.77
R7(config-if)#Standby 2 ip 10.1.1.88

On R8:

R8(config)#Int G0/1
R8(config-if)#Standby 1 ip 10.1.1.77
R8(config-if)#Standby 2 priority 101
R8(config-if)#Standby 2 preempt
R8(config-if)#Standby 2 ip 10.1.1.88

NOTE: The "Standby 1 ip 10.1.1.77" command replaces the virtual IP address of group 1 (previously 10.1.1.78); a group has a single primary virtual IP address.

To see the configuration of these routers:

On R7:

R7#Show run int g0/1 | B interface
interface GigabitEthernet0/1
 ip address 10.1.1.7 255.255.255.0
 standby 1 ip 10.1.1.77
 standby 1 timers 5 15
 standby 1 priority 101
 standby 1 preempt
 standby 1 name R7-8-HSRP-G1
 standby 1 track 10 decrement 2
 standby 2 ip 10.1.1.88
end

On R8:

R8#Show run int g0/1 | B interface
interface GigabitEthernet0/1
 ip address 10.1.1.8 255.255.255.0
 standby 1 ip 10.1.1.77
 standby 1 timers 5 15
 standby 1 preempt
 standby 1 name R7-8-HSRP-G1
 standby 2 ip 10.1.1.88
 standby 2 priority 101
 standby 2 preempt
end

To verify the configuration:

On R8:

R8#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    100 P Standby 10.1.1.7        local           10.1.1.77
Gi0/1       2    101 P Active  local           10.1.1.7        10.1.1.88

On R7:

R7#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    101 P Active  local           10.1.1.8        10.1.1.77
Gi0/1       2    100   Standby 10.1.1.8        local           10.1.1.88

Task 10

Configure HSRP group 1 to use plain text authentication with "Cisco" as the password.

HSRP ignores HSRP protocol messages that fail authentication. The default authentication type is text authentication, and the default string is "cisco". Both ends MUST use the same string; because "cisco" is the default, a router with no authentication configured at all interoperates with a router that is explicitly configured with "cisco", and with nothing else.

HSRP authentication is meant to protect against forged HSRP hello packets, which can cause a DoS: a host on the segment can send HSRP hellos with a higher priority than the routers, become the active router, and then drop or intercept the traffic of every host that uses the virtual IP address as its default gateway. HSRP offers two kinds of authentication:

+ Plain text
+ MD5

With plain text authentication the string is carried unencrypted in every hello packet, so anyone who can capture traffic on the segment learns it, and the default string "cisco" is public knowledge. MD5 authentication, which carries a keyed hash instead of the string itself, therefore provides far greater security than the plain text scheme.
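To see why the plain text scheme protects so little and what a forged hello looks like, the following Python code builds and parses HSRP version 1 hello packets (the 20-byte UDP/1985 payload defined in RFC 2281, which is what the "standby" commands in this lab use) and checks each hello against the expected configuration of the group. It is an added example, not code from the workbook or from IOS: the packets are constructed here for illustration, the policy dictionary and the function names are assumptions, and the checks mirror what a router or a monitoring sensor can notice: an authentication string that does not match (the %HSRP-4-BADAUTH condition), a hello from an address that is not one of the group members, and a priority higher than anything legitimately configured.

```python
import struct
from ipaddress import IPv4Address

# RFC 2281 HSRPv1 packet: version, opcode, state, hello, hold, priority, group,
# reserved, 8-byte authentication data (plain text, zero padded), virtual IP.
HSRP_V1_FMT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)          # 20 bytes
OP_HELLO, OP_COUP, OP_RESIGN = 0, 1, 2
STATE_NAMES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak",
               8: "Standby", 16: "Active"}
DEFAULT_AUTH = "cisco"                                # the IOS default string


def build_hello(group, priority, vip, auth=DEFAULT_AUTH, hello=3, hold=10,
                state=16):
    """Return the UDP payload of an HSRPv1 hello (sender state Active by default).
    IOS limits the text string to 8 characters; the 8-byte field forces the
    same truncation here."""
    auth_field = auth.encode("ascii")[:8].ljust(8, b"\x00")
    return struct.pack(HSRP_V1_FMT, 1, OP_HELLO, state, hello, hold, priority,
                       group, 0, auth_field, IPv4Address(vip).packed)


def parse_hsrp(payload):
    """Decode an HSRPv1 payload into a dict; raises ValueError if malformed."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("HSRP payload too short")
    (version, opcode, state, hello, hold, priority, group, _reserved,
     auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    if version != 1:
        raise ValueError(f"not an HSRPv1 packet (version {version})")
    return {
        "opcode": {OP_HELLO: "hello", OP_COUP: "coup", OP_RESIGN: "resign"}.get(opcode, opcode),
        "state": STATE_NAMES.get(state, state),
        "hello": hello, "hold": hold, "priority": priority, "group": group,
        # The authentication string is readable by anyone on the segment.
        "auth": auth.rstrip(b"\x00").decode("ascii", errors="replace"),
        "vip": str(IPv4Address(vip)),
    }


def check_hello(src_ip, payload, policy):
    """Compare one hello with the expected-group policy; return a list of findings
    (an empty list means the hello is consistent with the configuration)."""
    h = parse_hsrp(payload)
    expected = policy.get(h["group"])
    if expected is None:
        return [f"hello for unconfigured group {h['group']} from {src_ip}"]
    findings = []
    if h["auth"] != expected["auth"]:           # what IOS logs as %HSRP-4-BADAUTH
        findings.append(f"bad authentication from {src_ip}, group {h['group']}")
    if src_ip not in expected["members"]:
        findings.append(f"hello from non-member {src_ip} for group {h['group']}")
    if h["priority"] > expected["max_priority"]:
        findings.append(f"priority {h['priority']} from {src_ip} exceeds the "
                        f"highest configured priority {expected['max_priority']}")
    if h["vip"] != expected["vip"]:
        findings.append(f"virtual IP {h['vip']} from {src_ip} is not {expected['vip']}")
    return findings


# Expected state of group 1 after Task 10 (values from the lab; the dict shape is an assumption).
POLICY = {1: {"auth": "Cisco", "members": {"10.1.1.7", "10.1.1.8"},
              "max_priority": 101, "vip": "10.1.1.77"}}

# Constructed sample hellos, not captured traffic.
R7_HELLO = build_hello(1, 101, "10.1.1.77", auth="Cisco")          # legitimate
R8_DEFAULT_AUTH = build_hello(1, 100, "10.1.1.77", state=8)        # R8 still on "cisco"
ROGUE_HELLO = build_hello(1, 255, "10.1.1.77")                      # host trying to win


def demo():
    return {
        "r7": check_hello("10.1.1.7", R7_HELLO, POLICY),
        "r8": check_hello("10.1.1.8", R8_DEFAULT_AUTH, POLICY),
        "rogue": check_hello("10.1.1.50", ROGUE_HELLO, POLICY),
    }


if __name__ == "__main__":
    for who, findings in demo().items():
        print(who, "->", findings or "ok")
```

The "r8" case reproduces the mismatch this task provokes on purpose (R7 on "Cisco", R8 still on the default "cisco"), and the "rogue" case shows that a host using the default string needs no knowledge of the network at all to send a priority-255 hello; only an MD5 key chain, or filtering of UDP/1985 from non-router ports, stops that.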
Authentication is configured per group, so different groups can have different authentication strings.

In order to test the default string, let's configure authentication on R7 and use "cisco" as the string:

On R7:

R7(config)#Int G0/1
R7(config-if)#Standby 1 authentication cisco

Nothing happened. Let's check the status of the HSRP groups:

R7#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    101 P Active  local           10.1.1.8        10.1.1.77
Gi0/1       2    100   Standby 10.1.1.8        local           10.1.1.88

On R8:

R8#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    100 P Standby 10.1.1.7        local           10.1.1.77
Gi0/1       2    101 P Active  local           10.1.1.7        10.1.1.88

Let's verify the configuration in detail:

On R7:

R7#Show standby | Inc Authentication
R7#

The reason we do not see authentication in the output of any show command is that the "cisco" string is the default. To verify this, let's configure the string to be "Cisco", as the task stated.

NOTE: The letter "C" in "Cisco" is now upper case.

On R7:

R7(config)#Int G0/1
R7(config-if)#Standby 1 authentication Cisco

You should see the following console message:

%HSRP-4-BADAUTH: Bad authentication from 10.1.1.8, group 1, Standby

To verify the configuration:

On R7:

R7#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    101 P Active  local           unknown         10.1.1.77
Gi0/1       2    100   Standby 10.1.1.8        local           10.1.1.88

On R8:

R8#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    100 P Active  local           unknown         10.1.1.77
Gi0/1       2    101 P Active  local           10.1.1.7        10.1.1.88

NOTE: Because each router discards the other's hellos for group 1, both R7 and R8 now consider themselves the active router for group 1 and both answer for 10.1.1.77. A mismatched authentication string does not keep a router from going active; it only stops the two routers from seeing each other, which is exactly the split-brain condition a rogue or misconfigured peer produces.

Let's verify the configuration in detail:

On R7:

R7#Show standby | Inc Authentication
  Authentication text "Cisco"

Let's configure R8 to authenticate using "Cisco" as the string:

On R8:

R8(config)#Int G0/1
R8(config-if)#Standby 1 authentication Cisco

You should see the following console messages:

%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 1 state Active -> Speak
%HSRP-5-STATECHANGE: GigabitEthernet0/1 Grp 1 state Speak -> Standby

To verify the configuration:

On R8:

R8#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    100 P Standby 10.1.1.7        local           10.1.1.77
Gi0/1       2    101 P Active  local           10.1.1.7        10.1.1.88

On R7:

R7#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    101 P Active  local           10.1.1.8        10.1.1.77
Gi0/1       2    100   Standby 10.1.1.8        local           10.1.1.88

Task 11

Configure HSRP group 2 to be MD5 authenticated using "HSRP" as the password.

On R7 and R8:

Rx(config)#Key chain tst
Rx(config-keychain)#Key 1
Rx(config-keychain-key)#Key-string HSRP
Rx(config)#Int G0/1
Rx(config-if)#Standby 2 authentication md5 key-chain tst

To verify the configuration:

On R8:

R8#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    100 P Standby 10.1.1.7        local           10.1.1.77
Gi0/1       2    101 P Active  local           10.1.1.7        10.1.1.88

On R7:

R7#Show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/1       1    101 P Active  local           10.1.1.8        10.1.1.77
Gi0/1       2    100   Standby 10.1.1.8        local           10.1.1.88

On R8:

R8#Show standby | Inc Authentication
  Authentication text "Cisco"
  Authentication MD5, key-chain "tst"

Task 12

The G0/1 interfaces of R7 and R8 are connected to SW2's port F0/7 and SW3's port F0/8 respectively. Configure SW2's F0/7 and SW3's F0/8 interfaces with "Port-Security" using the default parameters. Configure HSRP to accommodate this request.

The default parameters of "Port-Security" allow only a single MAC address on the port. How are we going to accomplish this task, since HSRP also uses a virtual MAC address on the same port? Let's look at the MAC address table of SW2:

On SW2:

SW2#Show mac-address-table dynamic vlan 478
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 478    0000.0c07.ac01    DYNAMIC     Fa0/7     > The VMAC for Group 1
 478    0000.0c07.ac02    DYNAMIC     Fa0/23
 478    000c.858b.7a17    DYNAMIC     Fa0/23
 478    0017.59ce.02b9    DYNAMIC     Fa0/4
 478    24e9.b3ab.4b21    DYNAMIC     Fa0/7     > R7's G0/1 MAC address
 (sixth entry on Fa0/23 not legible in the source)
Total Mac Addresses for this criterion: 6

On SW3:

SW3#Show mac address-table dynamic vlan 478
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 478    0000.0c07.ac01    DYNAMIC     Fa0/23
 478    0000.0c07.ac02    DYNAMIC     Fa0/8     > The VMAC for Group 2
 478    0017.59ce.02b9    DYNAMIC     Fa0/23
 478    24e9.b3ab.4b21    DYNAMIC     Fa0/23
 478    3c08.f6a2.????    DYNAMIC     Fa0/8     > R8's G0/1 MAC address (last digits not legible in the source)
Total Mac Addresses for this criterion: 5

You can see that the switch port facing each router has learned two MAC addresses: the HSRP virtual MAC address of the group for which that router is active, and the router's own (burned-in) MAC address. Therefore, if "Port-Security" is enabled with its defaults (maximum of one MAC address, violation mode shutdown) on the F0/7 interface of SW2 and the F0/8 interface of SW3, the ports will transition into the "err-disabled" state as soon as the second address is seen.
On R7 and R8:

Rx(config)#Int G0/1
Rx(config-if)#Standby use-bia
Rx(config-if)#Shut
Rx(config-if)#No shut

To verify the configuration:

On SW2:

SW2#Show mac-address-table dynamic vlan 478
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 478    0000.0c07.ac01    DYNAMIC     Fa0/23
 478    0000.0c07.ac02    DYNAMIC     Fa0/23
 478    000c.858b.7a17    DYNAMIC     Fa0/23
 478    0017.59ce.02b9    DYNAMIC     Fa0/4
 478    24e9.b3ab.4b21    DYNAMIC     Fa0/7
 (sixth entry on Fa0/23 not legible in the source)
Total Mac Addresses for this criterion: 6

R7#Show int g0/1 | Inc bia
  Hardware is CN Gigabit Ethernet, address is 24e9.b3ab.4b21 (bia 24e9.b3ab.4b21)

NOTE: With "Standby use-bia", HSRP answers for the virtual IP address with the burned-in MAC address of the router's interface instead of the well-known HSRP virtual MAC address (0000.0c07.acxx), so only one MAC address is now learned on Fa0/7. The price is that the MAC address behind the virtual IP changes on every failover, so the new active router has to refresh the hosts' ARP caches with gratuitous ARP, and hosts that ignore gratuitous ARP keep a stale entry until it ages out. The alternative that keeps the standard virtual MAC is to raise the limit on the switch port with "switchport port-security maximum 2".

Let's enable port-security on the F0/7 interface of SW2 and the F0/8 interface of SW3:

On SW2:

SW2(config)#Int F0/7
SW2(config-if)#Switchport port-security

To verify the configuration:

On SW2:

SW2#Show port-security interface F0/7
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 24e9.b3ab.4b21:478    > The MAC address of R7's G0/1 interface, and the VLAN ID
Security Violation Count   : 0

On SW3:

SW3(config)#Int F0/8
SW3(config-if)#Switchport port-security

SW3#Show port-security interface F0/8
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : (R8's G0/1 MAC address, not legible in the source):478
Security Violation Count   : 0

To test this feature properly, let's remove the "Standby use-bia" command from R7 and verify the result:

On R7:

R7(config)#Int G0/1
R7(config-if)#No Standby use-bia
R7(config-if)#Shut
R7(config-if)#No shut

You should see the following console message:

%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down

NOTE: The interface came up, went down and stayed down. Let's see why:

On SW2:

SW2#Show port-security interface F0/7
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0c07.ac01:478
Security Violation Count   : 1

SW2#Show interface F0/7 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/7                        err-disabled 478        auto    auto  10/100BaseTX

That's exactly what we expected to see: as soon as R7 went active for group 1 again, the HSRP virtual MAC 0000.0c07.ac01 appeared on the port as a second source address, port-security counted a violation and err-disabled the port. Let's re-configure the "Standby use-bia" command.
On R7:

R7(config)#Int G0/1
R7(config-if)#Standby use-bia
R7(config-if)#Shut
R7(config-if)#No shut

The switch port must also be recovered from the err-disabled state:

On SW2:

SW2(config)#Int F0/7
SW2(config-if)#Shut
SW2(config-if)#No shut

To verify the configuration:

On SW2:

SW2#Show port-security interface F0/7
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 24e9.b3ab.4b21:478
Security Violation Count   : 0

Task 13

Erase the startup config and reload the routers before proceeding to the next lab.

Lab 2 - VRRP Configuration

(Diagram: R1 connects to R2, R3 and R4 over point-to-point serial links on 12.1.1.0/24, 13.1.1.0/24 and 14.1.1.0/24; R2 through R6 share one Ethernet segment, VLAN 100, 10.1.1.0/24.)

Task 1

Configure the routers based on the above diagram and the following policy:

+ Assign the MAC addresses 0000.2222.2222, 0000.3333.3333 and 0000.4444.4444 to R2, R3 and R4 respectively.

On SW1:

SW1(config)#int range F0/2-6
SW1(config-if-range)#Switchport mode access
SW1(config-if-range)#Switchport access vlan 100
SW1(config-if-range)#No shut

On R1:

R1(config)#int s1/2
R1(config-if)#clock rate 64000
R1(config-if)#ip addr 12.1.1.1 255.255.255.0
R1(config-if)#No shut

R1(config)#Int s1/3
R1(config-if)#clock rate 64000
R1(config-if)#ip addr 13.1.1.1 255.255.255.0
R1(config-if)#No shut

R1(config)#int s1/4
R1(config-if)#clock rate 64000
R1(config-if)#ip addr 14.1.1.1 255.255.255.0
R1(config-if)#No shut
R1(config)#Int Lo0
R1(config-if)#Ip addr 1.1.1.1 255.255.255.255

On R2:

R2(config)#int s1/1
R2(config-if)#ip addr 12.1.1.2 255.255.255.0
R2(config-if)#No shut

R2(config)#Int F0/0
R2(config-if)#Ip addr 10.1.1.2 255.255.255.0
R2(config-if)#mac-address 0000.2222.2222
R2(config-if)#No shut

R2(config)#Int Lo0
R2(config-if)#Ip addr 2.2.2.2 255.255.255.255

On R3:

R3(config)#Int S1/1
R3(config-if)#Ip addr 13.1.1.3 255.255.255.0
R3(config-if)#No shut

R3(config)#int F0/0
R3(config-if)#Ip addr 10.1.1.3 255.255.255.0
R3(config-if)#mac-address 0000.3333.3333
R3(config-if)#No shut

R3(config)#Int Lo0
R3(config-if)#Ip addr 3.3.3.3 255.255.255.255

On R4:

R4(config)#Int S1/1
R4(config-if)#Ip addr 14.1.1.4 255.255.255.0
R4(config-if)#No shut

R4(config)#int F0/0
R4(config-if)#Ip addr 10.1.1.4 255.255.255.0
R4(config-if)#mac-address 0000.4444.4444
R4(config-if)#No shut

R4(config)#Int Lo0
R4(config-if)#Ip addr 4.4.4.4 255.255.255.255

On R5:

R5(config)#Int F0/0
R5(config-if)#Ip addr 10.1.1.5 255.255.255.0
R5(config-if)#No shut

On R6:

R6(config)#Int F0/0
R6(config-if)#Ip addr 10.1.1.6 255.255.255.0
R6(config-if)#No shut

To verify the configuration:

On R1:

R1#Ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/52/56 ms

R1#Ping 13.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/53/56 ms

R1#Ping 14.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/53/56 ms

On R2:

R2#Ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R2#Ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R2#Ping 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

NOTE: The first echo to each neighbor on the Ethernet segment is lost while the ARP entry is being resolved, hence the 80 percent success rate.

Task 2

Configure RIPv2 on R1, R2, R3 and R4. Advertise their Loopback 0 and their serial interfaces in this routing domain. Disable auto-summarization. R2, R3 and R4 should be configured to redistribute network 10.1.1.0/24 into the RIP routing domain.

On R1:

R1(config)#Router rip
R1(config-router)#No auto-summary
R1(config-router)#version 2
R1(config-router)#Network 1.0.0.0
R1(config-router)#Network 12.0.0.0
R1(config-router)#Network 13.0.0.0
R1(config-router)#Network 14.0.0.0

On R2:

R2(config)#Route-map tst permit 10
R2(config-route-map)#match interface f0/0

R2(config)#Router rip
R2(config-router)#No auto-summary
R2(config-router)#version 2
R2(config-router)#Network 2.0.0.0
R2(config-router)#Network 12.0.0.0
R2(config-router)#redistribute connected route-map tst

On R3:

R3(config)#Route-map tst permit 10
R3(config-route-map)#match interface f0/0

R3(config)#Router rip
R3(config-router)#No auto-summary
R3(config-router)#version 2
R3(config-router)#Network 3.0.0.0
R3(config-router)#Network 13.0.0.0
R3(config-router)#redistribute connected route-map tst

On R4:

R4(config)#Route-map tst permit 10
R4(config-route-map)#match interface f0/0

R4(config)#Router rip
R4(config-router)#No auto-summary
R4(config-router)#version 2
R4(config-router)#Network 4.0.0.0
R4(config-router)#Network 14.0.0.0
R4(config-router)#redistribute connected route-map tst

NOTE: The route-map restricts "redistribute connected" to the F0/0 subnet (10.1.1.0/24); without it every connected network of the router would be redistributed into RIP.

To verify the configuration:

On R3:

R3#Show ip route rip | B Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 13.1.1.1, 00:00:25, Serial1/1
      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/2] via 13.1.1.1, 00:00:25, Serial1/1
      4.0.0.0/32 is subnetted, 1 subnets
R        4.4.4.4 [120/2] via 13.1.1.1, 00:00:25, Serial1/1
      12.0.0.0/24 is subnetted, 1 subnets
R        12.1.1.0 [120/1] via 13.1.1.1, 00:00:25, Serial1/1
      14.0.0.0/24 is subnetted, 1 subnets
R        14.1.1.0 [120/1] via 13.1.1.1, 00:00:25, Serial1/1

On R3:

R3#Ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/53/56 ms

R3#Ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/105/108 ms

R3#Ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/105/108 ms

Task 3

Configure VLAN 100 such that the hosts (R2 - R6) in this VLAN use R2 as the VR (Virtual Router) Master, and R3 and R4 as the VR Backup default gateways. Use the following policy to accomplish this task:

+ R2 should be configured as the VR Master.
+ R3 and R4 should be configured as the VR Backup routers.
+ R3 should be the first backup, and R4 should be the second backup.
+ DO NOT change the IP address of any router.

VRRP enables a group of routers to form a single virtual router. The hosts on that segment can then be configured with the IP address of the Virtual Router (VR) as their default gateway. VRRP is very flexible because it is supported on Ethernet, Fast Ethernet, BVI, Gigabit Ethernet and MPLS VPN interfaces.

Let's say there are three routers in the VR group, R1 (1.1.1.1), R2 (1.1.1.2) and R3 (1.1.1.3). The IP address of the VR is the same as the one configured on the Ethernet interface of R1 (1.1.1.1). Because the IP address of R1's Ethernet interface is used, R1 is the owner of that address and assumes the role of VR Master; R1, the VR Master, is responsible for forwarding packets sent to this IP address. Hosts H1 - H3 are configured with the IP address of R1's Ethernet interface as their default gateway. R2 and R3 function as the VR Backups. If the VR Master fails, the Backup router configured with the higher priority becomes the VR Master and provides uninterrupted service for the hosts on that LAN.
The priority determines which VR Backup will assume the role of VR Master. The priority is configured using the "vrrp <group> priority" command and the range is 1 - 254; the higher value is preferred, and 255 is reserved for the router that owns the virtual IP address. When R1 recovers, it becomes the VR Master again, because in VRRP preemption is on by default.

You can also configure two groups on the same two routers. In VR1, R1 is the owner of the IP address 1.1.1.1 and therefore the VR Master, and R2 is the VR Backup; hosts H1 and H2 use that IP address as their default gateway. In VR2, R2 is the owner of the IP address 1.1.1.2 and therefore the VR Master, and R1 is the VR Backup to R2; hosts H3 and H4 use that IP address as their default gateway.

VRRP supports up to 255 VRRP groups on a physical interface. This gives granular scalability, redundancy and load sharing; it also allows the use of secondary IP addresses, preemption, authentication and object tracking. VRRP sends its advertisements to the registered multicast address 224.0.0.18 using IP protocol number 112.

On R2:

R2(config)#Int F0/0
R2(config-if)#vrrp 1 ip 10.1.1.2

You should see the following console message:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Master

The console message announces R2 as the VR Master, NOT because it is the only router configured so far; R2 is chosen as the VR Master because its own Ethernet IP address is used as the VIP (Virtual IP address).

R2(config-if)#vrrp 1 priority 250
% Priority change will have no effect whilst interface is VRRP address owner

NOTE: Because the virtual IP address is one of the IP addresses configured on R2, R2 is said to be the owner of that IP address, and because of that R2 will be the VR Master and its priority will be fixed at 255 regardless of the configured value. We will see later in this lab how the configured priority plays a major role.
On R3:

R3(config)#Int F0/0
R3(config-if)#vrrp 1 ip 10.1.1.2

You can see that the local router is now set as the VR Backup:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Backup

R3(config-if)#vrrp 1 priority 200

On R4:

R4(config)#Int F0/0
R4(config-if)#vrrp 1 ip 10.1.1.2

Based on the following console message, R4 is also a VR Backup router:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Backup

R4(config-if)#vrrp 1 priority 150

To verify the configuration:

On R2:

R2#Show vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.1.1.2
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 255 (cfgd 250)
  Master Router is 10.1.1.2 (local), priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.003 sec

You can see that the local router is the VR Master, the VIP is 10.1.1.2 and the VMAC is 0000.5e00.01xx, where xx is the group ID in hexadecimal (01 for group 1).

One major difference between VRRP and HSRP is preemption: in HSRP preemption is disabled by default and must be enabled manually, whereas in VRRP preemption is enabled by default and can be disabled manually.

Since the local router owns the virtual IP address, its priority is 255 even though it is configured to be 250. The above output also displays the IP address of the master router and some timers, which will be discussed and configured later.
On R3:

R3#Show vrrp
FastEthernet0/0 - Group 1
  State is Backup
  Virtual IP address is 10.1.1.2
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 200
  Master Router is 10.1.1.2, priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.218 sec (expires in 2.430 sec)

The output of the above show command reveals the following:

+ The local router is a VR Backup
+ VIP is 10.1.1.2
+ VMAC is 0000.5e00.0101
+ Advertisement interval is set to 1 second
+ Preemption is enabled; unlike HSRP, preemption is always enabled by default in VRRP
+ The configured priority is 200
+ The next three lines identify the VR Master router's IP address and priority (255, the owner's priority) and the timers learned from the Master

On R4:

R4#Show vrrp
FastEthernet0/0 - Group 1
  State is Backup
  Virtual IP address is 10.1.1.2
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150
  Master Router is 10.1.1.2, priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec (expires in 3.022 sec)

The output of the above show command reveals the following:

+ The local router is a VR Backup
+ VIP is 10.1.1.2
+ VMAC is 0000.5e00.0101
+ Advertisement interval is set to 1 second
+ Preemption is enabled
+ The configured priority is 150. The priority configured on the other VR Backup router (R3) is 200, which means that R3 is the first backup and R4 is the second backup, because R4's priority is lower than R3's
+ The next three lines identify the VR Master router's IP address and priority and the timers learned from the Master

NOTE: The Master Down interval is not the same on the two Backups. Per RFC 3768 it is 3 x Advertisement interval + Skew time, where Skew time = (256 - priority) / 256 seconds, so a higher-priority Backup times out the Master sooner: 3 + 56/256 = 3.218 sec on R3 (priority 200) and 3 + 106/256 = 3.414 sec on R4 (priority 150). This skew is what makes R3, not R4, take over first when the Master disappears.
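The timers in the two outputs above follow directly from the VRRP specification, and the advertisement itself is simple enough to decode by hand. The Python below is an added example, not code from the workbook or from IOS: it builds and parses a VRRPv2 advertisement (RFC 3768: IP protocol 112 to 224.0.0.18, virtual MAC 0000.5e00.01xx), verifies its Internet checksum, and computes the Master Down interval for the three priorities used in this lab. The packets are constructed for illustration, the function names are assumptions, and the "ios_display" helper assumes that "show vrrp" truncates rather than rounds the interval to three decimals, which is what matches the 3.003, 3.218 and 3.414 figures on this page.

```python
import struct
from fractions import Fraction
from ipaddress import IPv4Address

VRRP_GROUP_ADDR = "224.0.0.18"       # all-VRRP-routers multicast group
VRRP_PROTOCOL = 112
VRRP_HDR_FMT = "!BBBBBBH"           # ver/type, VRID, priority, count, auth type, adver int, checksum


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def virtual_mac(vrid: int) -> str:
    """VRRP virtual MAC in Cisco dotted notation: 0000.5e00.01xx, xx = VRID in hex."""
    return "0000.5e00.01%02x" % vrid


def build_advert(vrid, priority, ips, adver_int=1, auth_type=0, auth=b""):
    """Assemble a VRRPv2 advertisement with a correct checksum."""
    header = struct.pack(VRRP_HDR_FMT, (2 << 4) | 1, vrid, priority, len(ips),
                         auth_type, adver_int, 0)
    body = b"".join(IPv4Address(ip).packed for ip in ips) + auth[:8].ljust(8, b"\x00")
    csum = internet_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body


def parse_advert(pkt: bytes) -> dict:
    """Decode a VRRPv2 advertisement; 'checksum_ok' is False if the packet was altered."""
    vt, vrid, priority, count, auth_type, adver_int, _csum = struct.unpack(VRRP_HDR_FMT, pkt[:8])
    ips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {
        "version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": priority,
        "owner": priority == 255,                  # 255 is reserved for the address owner
        "adver_int": adver_int, "auth_type": auth_type, "ips": ips,
        "virtual_mac": virtual_mac(vrid),
        "checksum_ok": internet_checksum(pkt[:8 + 4 * count + 8]) == 0,
    }


def master_down_interval(priority: int, adver_int: int = 1) -> Fraction:
    """RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
    Skew_Time = (256 - Priority) / 256 seconds.  Higher priority -> shorter wait."""
    return 3 * adver_int + Fraction(256 - priority, 256)


def ios_display(interval: Fraction) -> str:
    """Three-decimal figure as printed by 'show vrrp' (assumed to truncate)."""
    thousandths = (interval.numerator * 1000) // interval.denominator
    return "%d.%03d" % (thousandths // 1000, thousandths % 1000)


def lab_timers():
    """Master Down interval seen on R2 (owner, 255), R3 (200) and R4 (150)."""
    return {name: ios_display(master_down_interval(pri))
            for name, pri in (("R2", 255), ("R3", 200), ("R4", 150))}


# Constructed sample: R2's advertisement for group 1, then a copy altered in flight.
R2_ADVERT = build_advert(1, 255, ["10.1.1.2"])
TAMPERED = R2_ADVERT[:2] + bytes([200]) + R2_ADVERT[3:]   # priority byte changed

if __name__ == "__main__":
    print(parse_advert(R2_ADVERT))
    print("tampered checksum ok?", parse_advert(TAMPERED)["checksum_ok"])
    print(lab_timers())
```

The checksum only detects corruption, not forgery: anyone on VLAN 100 can send a valid advertisement for VRID 1 with priority 255 and win the election, which is why the lab's later authentication and the switch-side filtering matter as much for VRRP as for HSRP.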
To test the configuration, R5 is configured with a default gateway pointing to the VIP address (10.1.1.2):

On R5:

R5(config)#IP route 0.0.0.0 0.0.0.0 10.1.1.2

To verify the configuration:

Since Traceroute will be used in this lab to verify the configuration, and ICMP unreachable packets are rate-limited, let's disable the rate-limiting so we get a quicker response:

On all routers:

Rx(config)#No ip icmp rate-limit unreachable

On R5:

R5#Traceroute 1.1.1.1 Numeric
Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 4 msec 0 msec 0 msec
  2 12.1.1.1 16 msec *  12 msec

R5#Show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                0   0000.5e00.0101  ARPA   FastEthernet0/0
Internet  10.1.1.3                0   0000.3333.3333  ARPA   FastEthernet0/0
Internet  10.1.1.5                -   001b.d4be.69d0  ARPA   FastEthernet0/0

We can see that R5 took the path through R2, its default gateway, to reach the 1.1.1.1/32 prefix, and that the ARP entry for 10.1.1.2 resolves to the VRRP virtual MAC address rather than to R2's own MAC address (0000.2222.2222). Let's shut down the F0/0 interface of R2 and test again:

On R2:

R2(config)#Int F0/0
R2(config-if)#Shut

You should see the following console messages:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Init
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

Let's Traceroute to the 1.1.1.1/32 prefix again:

On R5:

R5#Traceroute 1.1.1.1 Numeric
Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.3 0 msec 4 msec 0 msec
  2 13.1.1.1 20 msec *  12 msec

R5#Show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                0   0000.5e00.0101  ARPA   FastEthernet0/0
Internet  10.1.1.3                0   0000.3333.3333  ARPA   FastEthernet0/0
Internet  10.1.1.4                0   0000.4444.4444  ARPA   FastEthernet0/0
Internet  10.1.1.5                -   001b.d4be.69d0  ARPA   FastEthernet0/0

We can clearly see that R5 is now going through R3, even though its ARP entry for 10.1.1.2 did not change: the new Master answers to the same virtual MAC address, so the hosts need no ARP update.
To clear the ARP table and repeat the traceroute on R5:

On R5:

R5(config)#Int F0/0
R5(config-if)#Shut

Wait for the link to go down before issuing the "No shut" command.

R5(config-if)#No shut

On R5:

R5#Traceroute 1.1.1.1 numeric

Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.3 0 msec 0 msec 0 msec
  2 13.1.1.1 16 msec *  12 msec

R5#Show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                0   0000.5e00.0101  ARPA   FastEthernet0/0
Internet  10.1.1.5                -   001b.d4be.69d0  ARPA   FastEthernet0/0

R5#Ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/52/52 ms

R5#Show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                1   0000.5e00.0101  ARPA   FastEthernet0/0
Internet  10.1.1.5                -   001b.d4be.69d0  ARPA   FastEthernet0/0

With the stale entries gone, R5 resolves only the VIP, and the VIP still maps to the virtual MAC address 0000.5e00.0101. The switch now learns that MAC on R3's port, because R3 sent a gratuitous ARP for the VIP when it became master.

On R3:

R3#Show vrrp

FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.1.1.2
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 200
  Master Router is 10.1.1.3 (local), priority is 200
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.218 sec

Sure enough, R3 is the VR Master. Let's check R4:

On R4:

R4#Show vrrp

FastEthernet0/0 - Group 1
  State is Backup
  Virtual IP address is 10.1.1.2
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150
  Master Router is 10.1.1.3, priority is 200
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec (expires in 3.366 sec)

R4 is the VR Backup because it has a lower VRRP priority than R3; R3's priority is 200 and R4's priority is 150.

Let's see what happened to R2:

On R2:

R2#Show vrrp

FastEthernet0/0 - Group 1
  State is Init
  Virtual IP address is 10.1.1.2
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 255 (cfgd 250)
  Master Router is unknown, priority is unknown
  Master Advertisement interval is unknown
  Master Down interval is unknown

Since the former VR Master's F0/0 interface is down, it is stuck in the Init state. Note the priority line: R2 was configured with 250, but because it owns the virtual IP address IOS forces its priority to 255.

Let's shut down the F0/0 interface of R3; if VRRP works as advertised, R4 should transition into the new VR Master:

On R3:

R3(config)#Int F0/0
R3(config-if)#Shut

We can see from the console messages on R3 that it is now also stuck in the Init state:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Init

Let's verify VRRP on R4:

On R4:

You should see the following console message stating that the local router is the Master:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master

R4#Show vrrp

FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.1.1.2
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150
  Master Router is 10.1.1.4 (local), priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec

Let's configure a static default route on R6 and point it to the VR's IP address.

On R6:

R6(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2

R6#Traceroute 1.1.1.1 numeric

Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.4 0 msec 0 msec 0 msec
  2 14.1.1.1 16 msec *  16 msec

R6#Show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                0   0000.5e00.0101  ARPA   FastEthernet0/0
Internet  10.1.1.4                0   0000.4444.4444  ARPA   FastEthernet0/0
Internet  10.1.1.6                -   0017.5aad.52aa  ARPA   FastEthernet0/0

Let's test preemption, which is enabled by default, by bringing the F0/0 interface of R3 back up:

On R3:

R3(config)#Int F0/0
R3(config-if)#No shut

You should see the following console messages:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Backup
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master

Yes, as predicted, R3 is the VR Master. If R4's console messages are checked, we should see that it has transitioned into VR Backup:

On R4:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup

To verify and test the configuration:

On R6:

R6(config)#Int F0/0
R6(config-if)#Shut

Wait for the link to go down before issuing the "No shut" command.

R6(config-if)#No shut

R6#Traceroute 1.1.1.1 numeric

Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.3 0 msec 0 msec 0 msec
  2 13.1.1.1 16 msec *  12 msec

R6#Show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                0   0000.5e00.0101  ARPA   FastEthernet0/0
Internet  10.1.1.6                -   0017.5aad.52aa  ARPA   FastEthernet0/0

Finally, let's "No shut" the F0/0 interface of R2:

On R2:

R2(config)#Int F0/0
R2(config-if)#No shut

You should see the following console messages on R2:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Master
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

R2 goes straight from Init to Master without passing through Backup: as the IP address owner (priority 255) it takes the VIP back the moment its interface comes up, since preemption cannot be disabled for the owner.

IMPORTANT: if no priority were configured on the VR Backup routers (R3 and R4), both would run with the default priority of 100 and the tie would be broken by the highest IP address on the segment; in this case R4 (10.1.1.4) would become the first backup.
Task 4

Configure the appropriate router/s such that if R2's connection to R1 goes down, the first backup router (R3) will become the active router.

On R2:

R2(config)#Track 21 interface Serial1/1 line-protocol
R2(config)#Int F0/0
R2(config-if)#Vrrp 1 track 21 decrement 55
% tracking not supported on IP address owner

WOW... this didn't work. How do we accomplish this task? The error message states that tracking is NOT supported on the IP address owner: because R2's interface address is the VIP, its priority is fixed at 255 and cannot be decremented. The way around it is to use an unused IP address from the same subnet as the VIP, so that no router owns it and every router, R2 included, runs with a configurable priority. Let's configure and verify:

R2(config)#Int F0/0
R2(config-if)#No vrrp 1
R2(config-if)#Vrrp 1 ip 10.1.1.100
R2(config-if)#Vrrp 1 priority 254
R2(config-if)#Vrrp 1 track 21 decrement 55

On R3:

R3(config)#Int F0/0
R3(config-if)#No vrrp 1
R3(config-if)#Vrrp 1 ip 10.1.1.100
R3(config-if)#Vrrp 1 priority 200

You should see the following console message:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Backup

On R4:

R4(config)#Int F0/0
R4(config-if)#No vrrp 1
R4(config-if)#Vrrp 1 ip 10.1.1.100
R4(config-if)#Vrrp 1 priority 150

You should see the following console message:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Init -> Backup

On R5 and R6:

We should remove the previous static route on R5 and R6 that was pointing to 10.1.1.2 and configure a new one that points to the new default gateway IP address (10.1.1.100):

Rx(config)#No ip route 0.0.0.0 0.0.0.0
Rx(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.100

To verify and test the configuration:

On R2:

R2#Show vrrp

FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.1.1.100
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 254
    Track object 21 state Up decrement 55
  Master Router is 10.1.1.2 (local), priority is 254
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.007 sec

On R2:

R2(config)#Int S1/1
R2(config-if)#Shut

You should see the following console messages:

%TRACKING-5-STATE: 21 interface Se1/1 line-protocol Up->Down
%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup

To verify the configuration:

On R2:

R2#Show vrrp brief

Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0         1 199 3007      Y   Backup  10.1.1.3        10.1.1.100

We can see that the priority was decremented by 55 (254 - 55 = 199), the local router transitioned to VR Backup, and R3 (10.1.1.3), with its priority of 200, became the VR Master.

To test the configuration:

On R5:

To clear the ARP table:

R5(config)#Int F0/0
R5(config-if)#Shut

Wait for the link to go down, and then:

R5(config-if)#No shut

R5#Traceroute 1.1.1.1 numeric

Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.3 0 msec 0 msec 4 msec
  2 13.1.1.1 16 msec *  12 msec

R5#Show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.5                -   001b.d4be.69d0  ARPA   FastEthernet0/0
Internet  10.1.1.100              0   0000.5e00.0101  ARPA   FastEthernet0/0

What will happen if the F0/0 interface of R3 goes down? Let's test this:

On R3:

R3(config)#Int F0/0
R3(config-if)#Shut

You should see the following console message:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Init

Who is the VR Master? Let's check:

On R4:

R4#Show vrrp brief

Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0         1 150 3414      Y   Backup  10.1.1.2        10.1.1.100

R4 is the backup. If R4 is the VR Backup, then what is the state of R2? Let's check:

On R2:

Yes, we can see the following console message:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master

Let's verify:

R2#Show vrrp brief

Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0         1 199 3007      Y   Master  10.1.1.2        10.1.1.100

Sure enough, R2 is the master, even though its uplink to R1 is still down.

To test the configuration:

On R5:

R5#Traceroute 1.1.1.1 numeric

Type escape sequence to abort.
Tracing the route to 1.1.1.1
  1 10.1.1.2 0 msec 4 msec 0 msec
  2 10.1.1.2 !H !H !H

R5#Ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

What does the letter "H" mean?

Character   Description
*           The probe timed out
A           Administratively prohibited (example: access-list)
Q           Source quench (the destination is busy)
I           User interrupted test
U           Port unreachable
H           Host unreachable
N           Network unreachable
P           Protocol unreachable
T           Timeout
?           Unknown packet type

So this means that none of the hosts on the 10.1.1.0/24 segment have reachability to any network outside of this segment: R2 is the VR Master again, because its decremented priority of 199 still beats R4's 150, but its S1/1 link to R1 is down, so it answers every packet with ICMP host unreachable instead of forwarding it. This is the classic object-tracking trap. Tracking only changes the priority; unless the decrement is large enough to put the impaired router behind every backup that still has a working uplink, the failover silently black-holes traffic.

How can we fix this problem? Why did this happen? When R2 was configured with object tracking, it should have decremented its priority to something below R4's priority (150), so that R4 takes over the role of VR Master when R3 is down. Let's reconfigure and test again:

On R3:

R3(config)#Int F0/0
R3(config-if)#No shut

On R2:

R2(config)#Int S1/1
R2(config-if)#No shut

The priority should be decremented by 105, because 254 - 149 = 105. The 254 in this simple math is the existing priority of R2, and the priority of R4 is 150; for R4 to be preferred over R2 when the tracked interface is down, R2's priority must end up lower than R4's, and 149 is the highest value that satisfies this. (254 is also the highest priority a non-owner can be configured with; 255 is reserved for the IP address owner.) Re-entering the track command for the same object replaces the earlier decrement of 55:

R2(config)#Int F0/0
R2(config-if)#Vrrp 1 track 21 decrement 105

Let's test again:

On R5:

R5#Traceroute 1.1.1.1 numeric

Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 0 msec 0 msec 4 msec
  2 12.1.1.1 16 msec *  12 msec

R5#Show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.3                0   0000.3333.3333  ARPA   FastEthernet0/0
Internet  10.1.1.5                -   001b.d4be.69d0  ARPA   FastEthernet0/0
Internet  10.1.1.100              2   0000.5e00.0101  ARPA   FastEthernet0/0

On R2:

R2(config)#Int S1/1
R2(config-if)#Shut

You should see the following console messages:

%TRACKING-5-STATE: 21 interface Se1/1 line-protocol Up->Down
%LINK-5-CHANGED: Interface Serial1/1, changed state to administratively down
%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down

R3 should be the master; let's verify:

On R2:

R2#Show vrrp brief

Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0         1 149 3007      Y   Backup  10.1.1.3        10.1.1.100

On R3:

R3#Show vrrp brief

Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0         1 200 3218      Y   Master  10.1.1.3        10.1.1.100

To test the configuration:

On R5:

To clear the ARP table:

R5(config)#Int F0/0
R5(config-if)#Shut

Wait for the link to go down, and then:

R5(config-if)#No shut

R5#Traceroute 1.1.1.1 numeric

Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.3 0 msec 0 msec 4 msec
  2 13.1.1.1 16 msec *  12 msec

R5#Show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.5                -   001b.d4be.69d0  ARPA   FastEthernet0/0
Internet  10.1.1.100              0   0000.5e00.0101  ARPA   FastEthernet0/0

Let's shut down the F0/0 interface of R3 and see if R4 takes over as the VR Master:

On R3:

R3(config)#Int F0/0
R3(config-if)#Shut

You should see the following console messages:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Init
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

Let's verify that R4 is the VR Master:

On R4:

Sure enough, we see the console message stating that the local router transitioned from VR Backup to VR Master:

%VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master

R4#Show vrrp brief

Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0         1 150 3414      Y   Master  10.1.1.4        10.1.1.100

R2, now at priority 149, stays in Backup, which is exactly what the larger decrement was meant to achieve.

Let's test the configuration:

On R6:

R6#Traceroute 1.1.1.1 numeric

Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.4 0 msec 0 msec 0 msec
  2 14.1.1.1 16 msec *  12 msec

R6#Show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2               22   0000.5e00.0101  ARPA   FastEthernet0/0
Internet  10.1.1.6                -   0017.5aad.52aa  ARPA   FastEthernet0/0
Internet  10.1.1.100              2   0000.5e00.0101  ARPA   FastEthernet0/0

The 10.1.1.2 entry is a stale one (22 minutes old) left over from when that address was the VIP; it still maps to the virtual MAC and will age out on its own.

Let's bring up the S1/1 interface of R2 and the F0/0 interface of R3 before proceeding further:

On R2:

R2(config)#Int S1/1
R2(config-if)#No shut

On R3:

R3(config)#Int F0/0
R3(config-if)#No shut

To verify the configuration:

On R2:

Once we console into R2 we should see the following console message stating that the local router has
