Hi,

 After watching the video I build the lab my self-according to the same diagram used in the video with the exact same setup. I tried to follow the movie as much as possible to learn the technology. I started with the configuration where the traffic still flows over the route reflector so the ebgp peers still are changing the next-hop vaue. That is where my issueis. The control plane is correct I received all routes in all VRF’s The dataplane for VRF B and C is also correct because I can reach the loopback addresses within the VRF. However the dataplane of VRF A is not working. I cannot reach the loopback address. I have researched the issue and found out where the problem is and how I can resolve it. However I failed to figure out exactly why this behavior is like this so maybe you can help me out here.

 I have enable: debug mpls packet on all IOS routers and found out that the path from R10 to R8 is okay the ICMP packets arrived at R8

R10#ping 8.8.8.8 source lo 1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.10.10.10

.....

Success rate is 0 percent (0/5)

R8#

*May 15 08:38:12.787: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0

R8#

*May 15 08:38:14.787: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0

R8#

*May 15 08:38:16.789: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0

R8#

*May 15 08:38:18.794: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0

R8#

*May 15 08:38:20.793: ICMP: echo reply sent, src 8.8.8.8, dst 10.10.10.10, topology BASE, dscp 0 topoid 0

R8#

At the debug mpls packet on R6 I can see the traffic returning from R8, XR2 did not send a transport label

R6#

*May 15 08:40:33.025: MPLS les: Et0/0.196: rx: Len 1514 Stack {16 0 251} {16001 0 254} - ipv4 data s:10.10.10.10 d:8.8.8.8 ttl:254 tos:0 prot:1

*May 15 08:40:33.025: MPLS les: Et0/0.206: tx: Len 1510 Stack {16001 0 250} - ipv4 data s:10.10.10.10 d:8.8.8.8 ttl:254 tos:0 prot:1

*May 15 08:40:33.027: MPLS les: Et0/0.206: rx: Len 1514 Stack {25 0 254} - ipv4 data s:8.8.8.8 d:10.10.10.10 ttl:254 tos:0 prot:1

R6#

*May 15 08:40:35.027: MPLS les: Et0/0.196: rx: Len 1514 Stack {16 0 251} {16001 0 254} - ipv4 data s:10.10.10.10 d:8.8.8.8 ttl:254 tos:0 prot:1

*May 15 08:40:35.027: MPLS les: Et0/0.206: tx: Len 1510 Stack {16001 0 250} - ipv4 data s:10.10.10.10 d:8.8.8.8 ttl:254 tos:0 prot:1

*May 15 08:40:35.029: MPLS les: Et0/0.206: rx: Len 1514 Stack {25 0 254} - ipv4 data s:8.8.8.8 d:10.10.10.10 ttl:254 tos:0 prot:1

When I look into the vpnv4 table on XR2 I can see it is using a VPN label 25 with a next-hop of 2.2.2.2

RP/0/0/CPU0:XR2#sh bgp vpnv4 unicast vrf A 10.10.10.10

BGP routing table entry for 10.10.10.10/32, Route Distinguisher: 100:1

Versions:

  Process           bRIB/RIB  SendTblVer

  Speaker                337         337

    Local Label: 16009

Last Modified: May 14 07:23:21.885 for 00:03:37

Paths: (1 available, best #1)

  Advertised to peers (in unique update groups):

    5.5.5.5

  Path #1: Received by speaker 0

  Advertised to peers (in unique update groups):

    5.5.5.5

  1

    2.2.2.2 (metric 1) from 2.2.2.2 (2.2.2.2)

      Received Label 25

      Origin incomplete, localpref 100, valid, external, best, group-best, import-candidate, imported

      Received Path ID 0, Local Path ID 1, version 337

      Extended community: OSPF domain-id:0x5:0x000000020200 OSPF route-type:0:2:0x0 OSPF router-id:10.10.104.4 RT:100:1

      Source VRF: A, Source Route Distinguisher: 100:1

RP/0/0/CPU0:XR2#

When I look into the forwarding table I noticed that destination 2.2.2.2 has  pop as outgoing label to 6.6.6.6 so it indeed does not send a transport label. This is what I cannot figure out why this is

RP/0/0/CPU0:XR2#sh mpls forwarding

Wed May 14 07:29:50.367 UTC

Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes

Label  Label       or ID              Interface                    Switched

------ ----------- ------------------ ------------ --------------- ------------

16000  Aggregate   A: Per-VRF Aggr[V] A                            0

16001  Unlabelled  8.8.8.8/32[V]      Gi0/0/0/0.208 10.10.208.8     81840

16002  Pop         6.6.6.6/32         Gi0/0/0/0.206 10.10.206.6     6830

16003  Pop         10.10.56.0/24      Gi0/0/0/0.206 10.10.206.6     0

16004  Pop         10.10.196.0/24     Gi0/0/0/0.206 10.10.206.6     0

16005  18          5.5.5.5/32         Gi0/0/0/0.206 10.10.206.6     7370

16006  17          19.19.19.19/32     Gi0/0/0/0.206 10.10.206.6     0

16007  Pop         2.2.2.2/32         Gi0/0/0/0.206 10.10.206.6     3215

16008  20          4.4.4.4/32         Gi0/0/0/0.206 10.10.206.6     4860

16009  25          10.10.10.10/32[V]               2.2.2.2         1040

16010  26          10.10.104.0/24[V]               2.2.2.2         0

16011  21          100:2:10.10.115.0/24   \

                                                   5.5.5.5         0

16012  22          100:2:11.11.11.11/32   \

                                                  5.5.5.5         0

16013  23          100:3:10.10.125.0/24   \

                                                   5.5.5.5         0

16014  24          100:3:12.12.12.12/32   \

                                                   5.5.5.5         0

When I look into R6 MPLS forwarding table it does not say it is local but has a local label of 19 (so why is XR2 not have label 19 into its forwarding table)

R6#sh mpls forwarding-table

Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop   

Label      Label      or Tunnel Id     Switched      interface             

16         Pop Label  20.20.20.20/32   96772         Et0/0.206  10.10.206.20

17         Pop Label  19.19.19.19/32   0             Et0/0.196  10.10.196.19

18         Pop Label  5.5.5.5/32       9229          Et0/0.56   10.10.56.5 

19         16000      2.2.2.2/32       36336         Et0/0.196  10.10.196.19

20         16001      4.4.4.4/32       68130         Et0/0.196  10.10.196.19

I have cleared all process even reloaded all routers but this did not help

After that I decided to configure the next-hop unchanged command on the route reflectors and somehow this fixed the issue for VRF A to make it work for the other VRF’s I needed to redistribute the other PE loopbacks into the core IGP so they would also receive labels. This change also changed the MPLS forwarding table on XR2 in such way that it had a label for R2. I cannot related the next-hop unchanged feature to changing the LDP behavior it only ensures it does not change the next hop to its own address. Below is the BGP configuration of XR2

RP/0/0/CPU0:XR2#sh runn router bgp

Wed May 14 07:36:07.721 UTC

router bgp 2

address-family ipv4 unicast

!

address-family vpnv4 unicast

!

neighbor 2.2.2.2

  remote-as 1

  ebgp-multihop 255

  update-source Loopback1

  address-family vpnv4 unicast

   route-policy PASS in

   route-policy PASS out

  !

!

neighbor 5.5.5.5

  remote-as 2

  update-source Loopback1

  address-family vpnv4 unicast

   route-policy PASS in

   route-reflector-client

   route-policy PASS out

  !

!

vrf A

  rd 100:1

  address-family ipv4 unicast

   redistribute ospf main

  !

!

!

 When at the XR2 MPLS forwarding table it is different then the mpls ldp forwarding table. I caanot indetify where the pop label comes from in the mpls forwarding table. The mpls LDP forwarding table and binding table shows the correct label. The router however installes a pop label into the mpls forwarding table.

RP/0/0/CPU0:XR2#sh mpls ldp forwarding
Wed May 14 12:58:52.225 UTC

Codes:
  - = GR label recovering, (!) = LFA FRR pure backup path
  {} = Label stack with multi-line output for a routing path
  G = GR, S = Stale, R = Remote LFA FRR backup

Prefix          Label   Label(s)       Outgoing     Next Hop            Flags
                In      Out            Interface                        G S R
--------------- ------- -------------- ------------ ------------------- -----
2.2.2.2/32      16007   19             Gi0/0/0/0.206 10.10.206.6
4.4.4.4/32      16008   20             Gi0/0/0/0.206 10.10.206.6
5.5.5.5/32      16005   18             Gi0/0/0/0.206 10.10.206.6
6.6.6.6/32      16002   ImpNull        Gi0/0/0/0.206 10.10.206.6
10.10.56.0/24   16003   ImpNull        Gi0/0/0/0.206 10.10.206.6
10.10.196.0/24  16004   ImpNull        Gi0/0/0/0.206 10.10.206.6
19.19.19.19/32  16006   17             Gi0/0/0/0.206 10.10.206.6

Can you please help me clear this up.Thanks in advance

Maarten Vervoorn

Hi Guys,

I need your advise on two point here.

Point 1: I can see from the INE LAB topology diagram that there is MDS3 and MDS4 but I am not really sure how to connect to these MDS (3&4) and if we really need them?

From the telnet option, I can get access to MDS1 and MDS2 which connects to the FC-SAN one way and connects to the UCS-FI the other way.

Has anyone actually used the MDS3 and MDS4? Can you point me to what session on the LAB guide that refers to it?

Just getting confused with this and needs some help understanding how its setup from the MDS point of view.

Point 2: I enabled the port (fc2/3) connecting MDS1 and MDS2 to the FC-SAN and could only see one device in the flogi database. I have configued the interface as mode FL and was hoping I will see multiple flogi from the different disks. Is this not the case?

Please your input from you experience with the lab will be most helpful

Thanks

MDS1

MDS1(config-if)# sh flogi database
--------------------------------------------------------------------------------
INTERFACE        VSAN    FCID           PORT NAME               NODE NAME      
--------------------------------------------------------------------------------
fc2/3            1     0x6102ef  21:00:00:1b:32:07:32:23 20:00:00:1b:32:07:32:23
Total number of flogi = 1.
MDS1(config-if)#

MDS1(config-if)# sh run int fc2/3
interface fc2/3
  switchport mode FL
  no shutdown
MDS1(config-if)#

MDS2

MDS2(config-if)# sh flogi database
--------------------------------------------------------------------------------
INTERFACE        VSAN    FCID           PORT NAME               NODE NAME      
--------------------------------------------------------------------------------
fc2/3            1     0x6402ef  21:01:00:1b:32:27:32:23 20:01:00:1b:32:27:32:23
Total number of flogi = 1.
MDS2(config-if)#

MDS2(config-if)# sh run int fc2/3
interface fc2/3
  switchport mode FL
  no shutdown
MDS2(config-if)#

Topology Diagram showing MDS3 and MDS4

Thanks

Luke

Hey INE guys,

just want to ask - I went through the new workbook and have observed that there is new topology that is Layer3 based (maybe some L2/L3 switch for creating the links between routers). Then, was waiting for physical topology diagram because I have got a plenty of HW sorted in the racks (c2811, c3560).

1) if there is pure Layer3 topo only, how will the LAN switching part be done? Another topology/part of topo?

2) I don't see any serial connections (ETH only) - so what about the HDLC/PPP from the new LAB blueprint?

Maybe it was answered somewhere else or I missed some points - so sorry in that case, thanks anyway for any response.

Tom

Task 5.1
5. Multicast
Some of the multicast settings have been pre-configured for you. You need to
discover the active multicast topology using the show commands.

5.1 PIM Filtering
 - A media server located on VLAN 32 will be streaming a video feed to
clients located on VLAN 5.
 - The network administrator has requested that the Frame Relay connection
between R1 and R5 be used as sparingly as possible for multicast traffic.
 - To help avoid excess multicast flooding and pruning behavior over this
Frame Relay connection, R1 should not allow R5 to become a PIM
neighbor. However, R5 should still allow clients on VLAN 5 to receive
multicast traffic for this group.
 - Configure your network to support this arrangement.
 
 
 This task was a tough one for me.  
 I could get the solution as perscribed in the solution guide
 but it would not vlaidate.
 
 We were to discover the MPLS topology but not change the topology.
 R2 S0/0 did not have PIM enabled so RPF path needed to go from r3 to r1
 through subnet 191.1.13.0.  This took a while to figure out that an OSPF
 virtual link was required for area 13 so the routing went from r3 -> r1 ->r5
 so it followed the PIM interface path.  Also adjusted an ospf cost value.
 
 Config
    R1
    router ospf 1
     area 13 virtual-link 150.1.3.3
 
    R3
    router ospf 1
     area 13 virtual-link 150.1.1.1
 
 Path
    Rack1R3#trace 191.1.5.5
      1 191.1.13.1 16 msec 16 msec 16 msec
      2 191.1.125.5 40 msec *  40 msec
    Rack1R3#
 
    Rack1R5#trace 192.10.1.3
       1 191.1.125.1 28 msec 28 msec 28 msec
       2 191.1.13.3 40 msec *  40 msec
    Rack1R5#

Now the route and the PIM interface path match. 

The validation still fails.
The client is Vlan 5 so R5 int f0/0 must do the join.

   interface FastEthernet0/0
    ip address 191.1.5.5 255.255.255.0
    ip pim dense-mode
    ip igmp helper-address 191.1.125.1
    ip igmp join-group 225.5.5.5

The server is Vlan 32 so the ping needs to originate from R3 int F0/0.
   Rack1R3#ping 225.5.5.5 source f0/0 r 99

   Type escape sequence to abort.
   Sending 99, 100-byte ICMP Echos to 225.5.5.5, timeout is 2 seconds:
   Packet sent with a source address of 192.10.1.3

   Reply to request 0 from 191.1.125.5, 109 ms...........
   Rack1R3#
  The first ping after "clear mr *" works and all others fail. 

The ping from r1 is sucessful:
   Rack1R1#ping 225.5.5.5 r 99

   Type escape sequence to abort.
   Sending 99, 100-byte ICMP Echos to 225.5.5.5, timeout is 2 seconds:

   Reply to request 0 from 191.1.125.5, 116 ms
   Reply to request 1 from 191.1.125.5, 124 ms
   Reply to request 2 from 191.1.125.5, 124 ms
   Reply to request 3 from 191.1.125.5, 124 ms
   Reply to request 4 from 191.1.125.5, 125 ms
   Reply to request 5 from 191.1.125.5, 128 ms
   Reply to request 6 from 191.1.125.5, 128 ms
   Rack1R1#
  
So there is something with PIM dense mode and the frame configuration
that is not happy.   I even tried ip pim NBMA which i know should not be used with dense mode but it did help so I turned it off.

In an attempt to debug the problem I did a "no ip mroute-cache" on R1 s0/0.
   Rack1R1(config)#  interface Serial0/0
   Rack1R1(config-if)#no ip mroute-cache
  
Now everything is validating.

   Rack1R3#ping 225.5.5.5 source f0/0 r 99

   Type escape sequence to abort.
   Sending 99, 100-byte ICMP Echos to 225.5.5.5, timeout is 2 seconds:
   Packet sent with a source address of 192.10.1.3

   Reply to request 0 from 191.1.125.5, 108 ms
   Reply to request 1 from 191.1.125.5, 105 ms
   Reply to request 2 from 191.1.125.5, 104 ms
   Reply to request 3 from 191.1.125.5, 104 ms
   Reply to request 4 from 191.1.125.5, 104 ms
   Reply to request 5 from 191.1.125.5, 104 ms
   Reply to request 6 from 191.1.125.5, 104 ms
   Reply to request 7 from 191.1.125.5, 104 ms
   Reply to request 8 from 191.1.125.5, 105 ms
   Rack1R3#
  
 So to get multicast dense mode to work with this frame-relay configuration
 requires the following commands:
 
   Rack1R1(config)#  interface Serial0/0
   Rack1R1(config-if)#no ip mroute-cache

I am running real routers and switches with the perscribed IOS.

I dont like turning off mroute-cache so
if anyone has found another way to get this task to
validate, I welcome a response.

I am curious to how some of your guys are building your INE topology LAB,

are you using gns3 with XR routers in virtual box?

Are you using the new gns3 with IOU?

What are you using for the ME switches

SG output is:

SW3 and SW4:
mac access-list extended DEC-SPANNING
permit any any dec-spanning
!
vlan access-map NO_DEC-SPANNING 10
action drop
match mac address DEC-SPANNING
!
vlan access-map NO_DEC-SPANNING 20
action forward
!
vlan filter NO_DEC-SPANNING vlan-list 363

Can anyone explain why this wouldnt work? (the SG seems a bit long winded, but I dont know whether it needs to be?)

mac access-list extended VL363
 deny   any any dec-spanning
 permit any any

vlan filter VL363 vlan-list 363

PE-CE config on BB1...

I've taken a look at BB1 but there is no PE configuration on it relating to this PE-CE relationship.  Am I missing something?

How am I meant to get a eigrp peering to work over a VRF?

Hi Experts,

I have network connected like this: R1(Fa0/0) - (Fa0/0)R2

R1 Fa0/0 interface is configured for ip mtu 1498.

Now sending a ping with packet size of 1500 from R1 to R2.

The packet from R1 to R2 will be fragmented into 2 packets because of the ip MTU.

How will be reply packet from R2 to R1. How R2 comes to know that R1 has a lesser mtu size than its default value 1500 bytes?

Will the return reply packet be fragmented?

There are some Topics missing in CCIE Security V4 ATC like NAT on ASA 8.4/8.6,IKEV2,VRF aware VPN,GETVPN etc so Brain or Cristian i would be really thankful to you if you Guys can update us that when these topics will be available i tried to understand these topics from one other vendor but all went over my head there is no comparsion of Brain the way he explains the technology and then implementation and troubleshooting its really awsome Brain is not a trainer HE is instrctor who is career builder you are penta time BEST Sir Brain

Hi everyone,

Just wanted to let you know that INE has just released CCNP Routing & Switching 10-Day Bootcamps! 

Both live on-site and online interactive Bootcamp formats are available for purchase. As an added bonus, if you purchase the CCNP Routing 10-Day Bootcamp, you'll receive a complimentary 1-Year All Access Pass!

On a budget? No problem! INE offers a variety of payment plan options to choose from at checkout. 

Visit INE's website for course dates/locations, and outlines of the CCNP Routing & Switching Bootcamps. Be sure to reserve your seat today! http://www.ine.com/instructor-led/ccnp-bootcamps.htm

Happy Studying,

Kristen Hansen
Technical Marketing | INE, Inc. 

Dears,

I have a question in the above task. I understood that the burst_rate is calculated by the formula (1/30)*rate_interval.
Rate_interval=7200 seconds. Then the Burst_rate will be 240. Why in the solution it is 24000?

Please advise.

Support, we're doing security full lab 4 section 3.4 using your solution, the result show crypto show that packet

is encrypted got increase but 0 packet decrypted, and cannot ping no reply.... any idea what's wrong? please advice?

Hi experts,

according to my testing, this SG statement is not true:

"Matching is case-sensitive and you can use patterns like [aA] to match both cases."


This also contradicts what is said in 11.12 Using NBAR for Content-Based Filtering,
where it is stated:

"All matching is case insensitive. The pattern "text" matches "TEXT" as well."


Any clarification would be highly appreciated!


tom

Hi

I was wondering if anyone has tried a full dual-stack deployment on the new v5Racks? I was running into an ND error where the Routers could not resolve or communicate with ipv6. I tested my config on my home lab gear and no issue, and i also tested by using the ipv4 address on each link and static ipv6 neighbor setting with no luck. 

hi we are seeing Copp violation packet in CoPP is that fine. should we need to increase the bandwidth set. we dont see CPU high though.

thanks in advance

class-map copp-system-class-important (match-any)
match access-group name copp-system-acl-cts
match access-group name copp-system-acl-glbp
match access-group name copp-system-acl-hsrp
match access-group name copp-system-acl-vrrp
match access-group name copp-system-acl-wccp
match access-group name copp-system-acl-hsrp6
match access-group name copp-system-acl-pim-reg
match access-group name copp-system-acl-icmp6-msgs
police cir 1060 kbps , bc 1000 ms
module 1 :
conformed 24434164305 bytes; action: transmit
violated 40636 bytes; action: drop

module 2 :
conformed 2579677277 bytes; action: transmit
violated 0 bytes; action: drop

module 7 :
conformed 10818979339 bytes; action: transmit
violated 28644319360 bytes; action: drop

Support, we follow your detail solution for Lab 5, but the R3 Sub-Ca not working, has below error, what's wrong? Please advice............

Failed troubleshooting, passed configuration.

I got smoked on the troubleshooting section.  My suggestion is like people say regarding config, read all the tickets before starting, there are interdependencies and you can break multiple tickets by messing up another which is what I did.

I also was really nervous and could hardly think or type for the first 20 minutes, and that hurt me.  Bottom line though is I'm weak at troubleshooting, I should have been able to jam through those tickets with plenty of time to verify, but I did not have time to verify anything and that cost me.

I thought maybe I had I had squeaked it out on troubleshooting, but realized the big mistake just as I was beginning config.  I felt sick to my stomach.  Ironically it caused me to settle down and I tore through the config section like I was doing an easy vol 2 lab back at home.  I spent the last hour verifying and I never felt pressed for time.  I put a lot of time into speed drills and base config in the final 3 weeks of my prep and that was obviously effective.

I've learned a lot prepping for this attempt and I'd like to thank INE for their wonderful products, it was the heart of my preperation.  Now it's on to v5 and I'm pissed and determined.  Bring it on.

Hi,

A few days ago I have set up the new v5 topology using 10 CSR1000v (03.11.00.S) and started labbing. It worked great, but today I ran into issue when trying to debug some GRE tunnels.

I found that "debug ip packet" does not show incoming packets. No matter if it's ICMP or routing protocols.

It only shows locally generated packets. I tried to do the same on IOU and it worked like a charm.

Anyone experienced the same thing with CSR1000v and know how to fix this?

Version 03.11.00.S is dated November 2013, but this was the last one with virtual machine version 8, the newer ones will need vSphere Web Client which I've heard is not so good.

Guys,

The task says "Configure the network in such a way that hosts must first authenticate to R2 before they are allowed to telnet to SW1". Doesn't it mean that we need to use the "host" keyword in "access-enable" command? Otherwise, one host can punch a hole in the access-list and other hosts can pass-through without authenticating with R2.

SG solution: (version 5.10.019)
username TELNET autocommand access-enable timeout 5

In my opinion, it shoulde be:
username TELNET autocommand access-enable host timeout 5

Please let me know your opinion.
Thanks

• Configure SW2 to respond to UDP echoes from a network management station with a yet unknown IP address.
• SW2 should not respond to packets sent to the UDP discard and chargen ports from this network management station

Rather than enable the service udp-small-servers and then creating an ACL to filter, how about just:

access-list 101 permit udp any any eq echo

?