
WORKBOOK CCIE SP v4.

TSHOOT
DIAGRAM

INCIDENT: 1 NetFlow
An INET operations engineer enabled random sampled NetFlow on all three interfaces of the INET
router (GigabitEthernet0/1, GigabitEthernet0/2, and GigabitEthernet0/3) with these policies:

a. Incoming packets sourced from XYZ PE devices should be sampled at one packet out of one
b. Incoming packets sourced from XYZ ASBR devices should be sampled at one packet out of 10
c. Every other incoming packet should be sampled at one packet out of 100

The operations engineer ran the following ping commands from all XYZ routers to verify that
the configured random sampling collects as expected:

1. Ping 100.2.2.2 source loopback0 repeat 1000 command for Cisco IOS XE devices
2. Ping 100.2.2.2 source loopback0 repeat 1000 command for Cisco IOS XR devices

After the pings, the operations engineer ran the show flow-sampler command to check the packets
matched for each sampler type. Surprisingly, the HIGH and MEDIUM samplers did not have any
packets matched.

Your task is to identify the issue and to fix it. After you complete this task, you should see
output similar to this example:
INET#show flow-sampler

Load for five secs: 17%/0%; one minute: 8%; five minutes: 5%

Time source is hardware calendar, *07:09:30.171 UTC Sun Aug 20 2017

Sampler : HIGH, id : 1, packets matched : 1002, mode : random sampling mode sampling
interval is: 1

Sampler : MEDIUM, id : 2, packets matched : 99, mode : random sampling mode sampling
interval is: 10

Sampler : LOW, id : 3, packets matched : 13, mode : random sampling mode sampling
interval is: 100

Solution:

Missing commands on INET

policy-map MY_POLICY
 class HIGH
  netflow-sampler HIGH
 class MEDIUM
  netflow-sampler MEDIUM

INET

1) Create Access-List
access-list 101 permit ip 0.0.1.0 255.255.0.255 any
access-list 102 permit ip 0.0.2.0 255.255.0.255 any

2) Create Class-Map to match access-list
class-map match-all HIGH
 match access-group 102
class-map match-all MEDIUM
 match access-group 101

3) Create Flow-sampler with random
flow-sampler-map HIGH
 mode random one-out-of 1
flow-sampler-map MEDIUM
 mode random one-out-of 10
flow-sampler-map LOW
 mode random one-out-of 100

4) Create Policy-map to match Class-map and Sampler-map
policy-map MY_POLICY
 class HIGH
  netflow-sampler HIGH
 class MEDIUM
  netflow-sampler MEDIUM
 class class-default
  netflow-sampler LOW

5) Apply the Policy-map to interfaces
interface GigabitEthernet0/1
 service-policy input MY_POLICY
interface GigabitEthernet0/2
 service-policy input MY_POLICY
interface GigabitEthernet0/3
 service-policy input MY_POLICY
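
The two access lists use a discontiguous wildcard mask (255.255.0.255), so only the third octet of the source address is compared. The following added example (not part of the workbook) evaluates the ACLs and class-maps from the configuration above in Python, so you can check which sampler a given source lands in before reading the show flow-sampler counters. The source addresses in the demo loop are constructed test values.

```python
import ipaddress

# ACLs and class bindings copied from the INET configuration above.
ACLS = {
    101: ("0.0.1.0", "255.255.0.255"),
    102: ("0.0.2.0", "255.255.0.255"),
}
# policy-map MY_POLICY evaluates classes in order; class-default is the fallback.
CLASSES = [("HIGH", 102, 1), ("MEDIUM", 101, 10)]
DEFAULT = ("LOW", 100)


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_matches(src, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(src) & care) == (to_int(base) & care)


def classify(src):
    """Return (sampler name, one-out-of interval) for a source address."""
    for name, acl, interval in CLASSES:
        if acl_matches(src, *ACLS[acl]):
            return name, interval
    return DEFAULT


def expected_samples(src, packets):
    """Mean number of packets a random one-out-of-N sampler selects."""
    return packets / classify(src)[1]


if __name__ == "__main__":
    # Constructed source addresses, not taken from the lab topology.
    for src in ("10.0.2.11", "10.0.1.21", "10.0.0.1", "172.16.2.9"):
        name, interval = classify(src)
        print(f"{src:<12} -> {name:<6} 1/{interval:<3} "
              f"~{expected_samples(src, 1000):.0f} of 1000 pings")
```

Any source whose third octet is 1 or 2 hits the MEDIUM or HIGH class regardless of the other octets, which matters when deciding how much of the traffic the exported flow records actually cover.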

Verification
INET# sh ip flow interface

GigabitEthernet0/1

ingress MQC netflow-sampler LOW

ingress MQC netflow-sampler HIGH

ingress MQC netflow-sampler MEDIUM

INET#show flow-sampler

Load for five secs: 17%/0%; one minute: 8%; five minutes: 5%

Time source is hardware calendar, *07:09:30.171 UTC Sun Aug 20 2017

Sampler : HIGH, id : 1, packets matched : 1002, mode : random sampling mode sampling
interval is: 1

Sampler : MEDIUM, id : 2, packets matched : 99, mode : random sampling mode sampling
interval is: 10

Sampler : LOW, id : 3, packets matched : 13, mode : random sampling mode sampling
interval is: 100

INCIDENT: 2 Tunnel Backup


XYZ Site 2 implemented the MPLS Traffic Engineering auto-tunnel primary and backup feature to
achieve fast convergence in case a link failure occurs in the core.

a. Primary tunnels use a tunnel number from 50000 to 59999


b. Backup tunnels use a tunnel number from 40000 to 49999

After the implementation of this feature, an operations engineer identified that all routers have
MPLS TE tunnel numbers starting from 50000 (MPLS TE primary tunnels); however, none of the
routers have MPLS TE tunnels starting from 40000 (MPLS TE backup tunnels).

Your task is to identify this issue and to fix it. After you complete this task, you should find MPLS
TE tunnel numbers starting from 40000 in all routers at the XYZ Site 2, as per this example.

XYZ-PE21#show ip int bri | in Tunnel5

Tunnel50000 10.0.1.21 YES TFTP up up

Tunnel50001 10.0.1.21 YES TFTP up up

Solution:

Missing Commands on all XYZ SITE-2 Routers

mpls traffic-eng auto-tunnel backup

mpls traffic-eng auto-tunnel backup
mpls traffic-eng auto-tunnel backup tunnel-num min 40000 max 49999
mpls traffic-eng auto-tunnel primary onehop
mpls traffic-eng auto-tunnel primary tunnel-num min 50000 max 59999

Verification

XYZ-PE22

show ip rsvp fast-reroute

XYZ-PE21

show ip int bri | in Tunnel5

INCIDENT: 3 IPV6 Flap (dampening)

BGP is running between XYZ-ASBR22 and INET.


After the interface flaps, the BGP session for IPv4 takes longer to get established than the
BGP session for IPv6.
Fix the issue so that they both come up at the same time.

Solution
ASBR22
interface GigabitEthernet5
 no dampening 300 1 1 255 5
 dampening
 no shutdown

Verification:
Show ip bgp ipv4 unicast summary
Show ip bgp ipv6 unicast summary
Both BGP neighborships come up at the same time.

INCIDENT: 4 L2VPN_CE

The L2VPN circuit is down between XYZ-PE22 and PE23, so customers are not receiving
IPv6 RIPng prefixes.

Solution:

XYZ-PE22
pseudowire-class SWT12
 encapsulation mpls
!
interface Gi3
 xconnect 10.0.1.23 1000 pw-class SWT12

XYZ-PE23
l2vpn xconnect context ABC
 member GigabitEthernet3
 member 10.0.1.22 1000 encapsulation mpls

Verification:
Show mpls l2 vc

INCIDENT: 5 ISIS adjacency over Port-Channel

ISIS neighbor is down between ASBR22 and ASBR21


Show isis adjacency – should have adjacency over port-channel 21

Solution:

XYZ-ASBR21
Interface port-channel 21
no lacp min-bundle 4

Verification
Show ip int brief
Show isis neighbor

INCIDENT: 6 PE-CE Ipv6 RIPng


ABC site 2 and ABC site 3 are not receiving RIPng prefixes; however, IPv4 connectivity
between them is working fine.
A ping response is required for the IPv6 prefix from ABC site 2 to ABC site 1 and vice versa.

Solution-

XYZ-PE21 & XYZ-PE23

router bgp 65000
 address-family ipv6 vrf ABC
  redistribute connected

PE21
ipv6 rip vrf-mode enable

interface GigabitEthernet3
 vrf forwarding ABC
 ip address 172.20.21.21 255.255.255.0
 ipv6 address 2001:DB8:172:21::21/64
 ipv6 rip NGRIP enable

router bgp 20
 address-family ipv6 vrf ABC
  redistribute connected
  redistribute rip NGRIP metric 1
 exit-address-family

ipv6 router rip NGRIP
 address-family ipv6 vrf ABC
  redistribute connected
  redistribute bgp 20 metric 5
 exit-address-family

PE23
ipv6 rip vrf-mode enable

interface GigabitEthernet3
 vrf forwarding ABC
 ip address 172.20.23.23 255.255.255.0
 ipv6 address 2001:DB8:172:23::23/64
 ipv6 rip NGRIP enable

router bgp 20
 address-family ipv6 vrf ABC
  redistribute connected
  redistribute rip NGRIP metric 1
 exit-address-family

ipv6 router rip NGRIP
 address-family ipv6 vrf ABC
  redistribute connected
  redistribute bgp 20 metric 5
 exit-address-family

Verification

ABC-CE2
ping 2001:db8:168::3
ABC-CE3
ping 2001:db8:168::2

INCIDENT: 7 CSC IPv4 LU


Despite the CSC deployment, ABC site 1 is not able to ping the IPv4 and IPv6 loopback addresses of
ABC site 2 and site 3. Identify the issue and fix it.

Solution-
The wrong address family is applied on CSC-ASBR1, CSC-ASBR2 and XYZ-ASBR11; you need BGP
IPv4+Label.

XYZ-ASBR11
router static
 address-family ipv4 unicast
  10.100.111.1/32 GigabitEthernet 0/0/0/1

CSC-ASBR1
router bgp 222
 neighbor 10.100.111.11
  remote-as 65000
  no address-family ipv4 unicast
  address-family ipv4 labeled-unicast
   route-policy PASS in
   route-policy PASS out
   as-override

router static
 address-family ipv4 unicast
  10.100.111.11/32 GigabitEthernet 0/0/0/1

CSC-ASBR2
router bgp 222
 neighbor 10.100.221.21
  remote-as 65000
  no address-family ipv4 unicast
  address-family ipv4 labeled-unicast
   route-policy PASS in
   route-policy PASS out
   as-override

router static
 address-family ipv4 unicast
  10.100.221.21/32 GigabitEthernet 0/0/0/1

Verification:

ABC-CE1# ping 192.168.2.2

ABC-CE1# ping 2001:db8:168::2

INCIDENT: 8 KLM (6PE)


KLM-RT1 is receiving the IPv6 prefix of INET but is still not able to ping it.
KLM-RT1 is running IPv6 only.

After you fix this task, KLM-RT1 must be able to ping the Lo0 IPv6 address on the INET router.

Solution:
Need 6PE

XYZ-RR1
router bgp 65000
 address-family ipv6 unicast
  neighbor 10.0.1.12 send-label
  neighbor 10.0.2.11 send-label
  neighbor 10.0.2.12 send-label

XYZ-ASBR11 & XYZ-ASBR12 & XYZ-PE12

router bgp 65000
 address-family ipv6 unicast
  allocate-label all
 !
 neighbor 10.0.0.1
  address-family ipv6 labeled-unicast
   next-hop-self

Verification:

KLM-RT1# ping 2001:db8:2001::1

INCIDENT: 9 MVPN profile 0 TE


XYZ-SITE 2 has deployed MVPN Profile 0; everything was working fine before the
deployment of MPLS traffic-engineering tunnels.

ABC-CE2 has added igmp join-group 239.1.1.1 under loopback 0 and ABC-CE3 has
added igmp join-group 239.3.3.3 under loopback 0 to verify connectivity.

Fix the issue and verify the connectivity.

Solution-

All (6) XYZ-SITE-2 Routers

router isis
mpls traffic-eng multicast-intact

Verification:
ABC-CE3# ping 239.1.1.1
ABC-CE2# ping 239.3.3.3

INCIDENT: 10 QoS LLQ

XYZ deployed LLQ with 2 priority queues at XYZ-P-RR21 on the interfaces facing PE devices,
one for VOICE and another for VIDEO.

But neither voice traffic nor video traffic is queued in these priority queues.

Solution:

You need to change match-all to match-any

XYZ-P-RR21
class-map match-any VIDEO
 match ip dscp af32
 match ip dscp cs3
 match mpls exp top 3

class-map match-any VOICE
 match ip dscp ef
 match dscp cs5
 match mpls exp top 5

Verification:

XYZ-RR21# Show run class-map

XYZ-ASBR21# ping mpls ipv4 10.0.1.21/32 exp 5

XYZ-ASBR21# ping mpls ipv4 10.0.1.21/32 exp 3

XYZ-RR21# show policy-map int Gi4

INCIDENT: 11 BGP path selection


XYZ-SITE 1 has two exit points towards INET. An engineer has defined BGP policies for
incoming and outgoing traffic towards INET.

IPv4 outgoing traffic should be via XYZ-ASBR11

IPv4 incoming traffic should be via XYZ-ASBR12

Your task is to identify why the BGP policies are not working and fix it.

Solution:
The policies are preconfigured; you only need to change the BGP session (from BGP+label to BGP)

ASBR11
route-policy LP
 set local-preference 300
 pass
end-policy
!
route-policy MED
 set med 50000
 pass
end-policy

router bgp 65000
 ! To INET
 neighbor 100.1.11.1
  no address-family ipv4 labeled-unicast
  address-family ipv4 unicast
   route-policy LP in
   route-policy MED out

Verification:

RR1# traceroute 100.2.2.2 source loop 0

INET# traceroute 10.0.0.1 source loop 10

DIAGNOSTIC

Task Number | Description | Answer
1 | System Level High Availability | Answer: A4-CRS-R4 does not have a second RP/DRP module
2 | Access and Aggregation - Multicast | For the IPv6 unicast embedded RP address feature to work, the interface-id field of the RP IPv6 address should not be higher than 15 (0xF)
3 | L3 VPN | Evidence - Show vrf detail VPN on A2-ASR1k-R2. Root cause - It shows the leaking from the global table to the VRF, but the leaking from VRF to the global table is missing
4 | Control Plane security | Answer: Another DoS attack has occurred on the network, which affects BGP
5 | Carrier Ethernet | Device responsible for this issue - A4-ASR9K-R1. Root cause of the issue - A4-ASR9K-R1 is using different route-target
6 | MPLS Traffic Engineering | Answer: The P devices have links marked as satellite links and the MPLS TE AutoTunnel Mesh is configured to exclude those links in the path selection.
7 | Interior Gateway Protocol | Answer: No DR election is happening because both routers are configured with priority 0 on a broadcast link
8 | Routing/Fast Convergence | Answer: Px-South-02 is not advertising the loopback 0 address, consequently, Px-South-02 lost the LDP adjacencies.
9 | Core Routing-Multicast | Device responsible for this issue - Px-North-01. Root cause of the issue - MLDP is not enabled
10 | PE-CE Connectivity II | Answer: PE101 Device