*******************************************************
Lab 1 - Configuring Flex VPN - P2P - S-VTI - S-VTI
*******************************************************

------
R1
------
! 1A. Phase I - IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha256
 group 2 5
! 1B. Phase I - IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1
! 1C. Phase I - IKEv2 Keyring
crypto ikev2 keyring KR1
 peer R2
  address 192.1.20.2
  pre-shared-key local Cisco111
  pre-shared-key remote Cisco222
! 1D. Phase I - IKEv2 Profile
crypto ikev2 profile IKEv2-PROF
 match identity remote address 192.1.20.2
 authentication local pre-share
 authentication remote pre-share
 keyring local KR1
! 2. Configure Phase II - IPSec Transform Set
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. Configure IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile IKEv2-PROF
! 4. Tunnel Interface
Interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E 0/0
 tunnel destination 192.1.20.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF
! 5. Routing Protocol
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

------
R2
------
! 1A. Phase I - IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha256
 group 2 5
! 1B. Phase I - IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1
! 1C. Phase I - IKEv2 Keyring
crypto ikev2 keyring KR1
 peer R1
  address 192.1.10.1
  pre-shared-key remote Cisco111
  pre-shared-key local Cisco222
! 1D. Phase I - IKEv2 Profile
crypto ikev2 profile IKEv2-PROF
 match identity remote address 192.1.10.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR1
! 2. Configure Phase II - IPSec Transform Set
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. Configure IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile IKEv2-PROF
! 4. Tunnel Interface
Interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E 0/0
 tunnel destination 192.1.10.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF
! 5. Routing Protocol
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

*******************************************************
Lab 2 - Configuring Flex VPN - P2P -
*******************************************************

------
R4
------
! 1A. Phase I - IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha256
 group 2 5
! 1B. Phase I - IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1
! 1C. Phase I - IKEv2 Keyring
crypto ikev2 keyring KR1
 peer R3
  address 192.1.30.3
  pre-shared-key Cisco123
! 1D. Phase I - IKEv2 Profile
crypto ikev2 profile IKEv2-PROF
 match identity remote address 192.1.30.3
 authentication local pre-share
 authentication remote pre-share
 keyring local KR1
! 2. Configure Phase II - IPSec Transform Set
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. Configure IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile IKEv2-PROF
! 4. Tunnel Interface
Interface Tunnel1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E 0/0
 tunnel destination 192.1.30.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF
! 5. Routing Protocol
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

------
R3
------
! 1A. Phase I - IKEv2 Proposal
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha256
 group 2 5
! 1B. Phase I - IKEv2 Policy
crypto ikev2 policy POL1
 proposal PROP1
! 1C. Phase I - IKEv2 Keyring
crypto ikev2 keyring KR1
 peer R4
  address 0.0.0.0
  pre-shared-key Cisco123
! 1D. Phase I - IKEv2 Profile
crypto ikev2 profile IKEv2-PROF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR1
! 2. Configure Phase II - IPSec Transform Set
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. Configure IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
 set ikev2-profile IKEv2-PROF
! 4. Virtual Template Tunnel Interface - D-VTI
Interface loopback 101
 ip address 192.168.1.3 255.255.255.0
!
Interface virtual-template 1 type Tunnel
 ip unnumbered Loopback101
 tunnel source E 0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF
!
crypto ikev2 profile IKEv2-PROF
 virtual-template 1
! 5. Routing Protocol
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

********************************************
MPLS - Unicast Routing - Tables
********************************************

************************************
RIB/FIB Creation - Based on an IGP
************************************

----
R1
----
C 1 Loop0
X 2 via R2
X 3 via R2
X 4 via R2

----
R2
----
X 1 via R1
C 2 Loop0
X 3 via R3
X 4 via R3

----
R3
----
X 1 via R2
X 2 via R2
C 3 Loop0
X 4 via R4

----
R4
----
X 1 via R3
X 2 via R3
X 3 via R3
C 4 Loop0

*********************************************************************************
Configure LDP to Generate and Exchange Labels with directly connected neighbors
*********************************************************************************

++++++++++++++++++++++++++++++++
LIB - Label Information Base
++++++++++++++++++++++++++++++++

----
R1
----
C 1 Loop0
    LOCAL LABEL: POP [Implicit-Null]
    REMOTE LABEL: 18 - R2
X 2 via R2
    LOCAL LABEL: 22
    REMOTE LABEL: POP - R2
X 3 via R2
    LOCAL LABEL: 23
    REMOTE LABEL: 20 - R2
X 4 via R2
    LOCAL LABEL: 24
    REMOTE LABEL: 21 - R2

----
R2
----
X 1 via R1
    LOCAL LABEL: 18
    REMOTE LABEL: POP - R1
    REMOTE LABEL: 20 - R3
C 2 Loop0
    LOCAL LABEL: POP [Implicit-Null]
    REMOTE LABEL: 22 - R1
    REMOTE LABEL: 21 - R3
X 3 via R3
    LOCAL LABEL: 20
    REMOTE LABEL: 23 - R1
    REMOTE LABEL: POP - R3
X 4 via R3
    LOCAL LABEL: 21
    REMOTE LABEL: 24 - R1
    REMOTE LABEL: 23 - R3

----
R3
----
X 1 via R2
    LOCAL LABEL: 20
    REMOTE LABEL: 20 - R2
    REMOTE LABEL: 19 - R4
X 2 via R2
    LOCAL LABEL: 21
    REMOTE LABEL: POP - R2
    REMOTE LABEL: 20 - R4
C 3 Loop0
    LOCAL LABEL: POP [Implicit-Null]
    REMOTE LABEL: 20 - R2
    REMOTE LABEL: 21 - R4
X 4 via R4
    LOCAL LABEL: 23
    REMOTE LABEL: 21 - R2
    REMOTE LABEL: POP - R4

----
R4
----
X 1 via R3
    LOCAL LABEL: 19
    REMOTE LABEL: 20 - R3
X 2 via R3
    LOCAL LABEL: 20
    REMOTE LABEL: 21 - R3
X 3 via R3
    LOCAL LABEL: 21
    REMOTE LABEL: POP - R3
C 4 Loop0
    LOCAL LABEL: POP [Implicit-Null]
    REMOTE LABEL: 23 - R3

*********************************************************************************
Creating the LFIB based on the FIB and the LIB
*********************************************************************************

++++++++++++++++++++++++++++++++++++++++++
LFIB - Label Forwarding Information Base
++++++++++++++++++++++++++++++++++++++++++

----
R1
----
--------  ---------------------------  --------  -----------
Network   Local Label/Outgoing Label   Next-hop  Interface
--------  ---------------------------  --------  -----------
2         22 /POP                      R2        E 0/0
3         23 /20                       R2        E 0/0
4         24 /21                       R2        E 0/0

----
R2
----
--------  ---------------------------  --------  -----------
Network   Local Label/Outgoing Label   Next-hop  Interface
--------  ---------------------------  --------  -----------
1         18 /POP                      R1        E 0/0
3         20 /POP                      R3        E 0/1
4         21 /23                       R3        E 0/1

----
R3
----
--------  ---------------------------  --------  -----------
Network   Local Label/Outgoing Label   Next-hop  Interface
--------  ---------------------------  --------  -----------
1         20 /20                       R2        E 0/0
2         21 /POP                      R2        E 0/0
4         23 /POP                      R4        E 0/1

----
R4
----
--------  ---------------------------  --------  -----------
Network   Local Label/Outgoing Label   Next-hop  Interface
--------  ---------------------------  --------  -----------
1         19 /20                       R3        E 0/0
2         20 /21                       R3        E 0/0
3         21 /POP                      R3        E 0/0

*******************************************************
Lab 3 - Configuring LDP on a Routed Network
*******************************************************

++++++++++++++++++++++++++++++++++++++++++++++++
FIB entry for network 4.0.0.0/8 prior to LDP
++++++++++++++++++++++++++++++++++++++++++++++++

R1#sh ip cef 4.0.0.0
4.0.0.0/8
  nexthop 192.1.12.2 Ethernet0/0

=================================================================
1. Configure a label range for labels on this router (Optional)
=================================================================

-----
R1
-----
mpls label range 1001 1999

-----
R2
-----
mpls label range 2001 2999

-----
R3
-----
mpls label range 3001 3999

-----
R4
-----
mpls label range 4001 4999

======================================================================
2. Configure a routable Router-id for LDP (Recommended, not required)
======================================================================

-----
R1
-----
mpls ldp router-id Loopback0

-----
R2
-----
mpls ldp router-id Loopback0

-----
R3
-----
mpls ldp router-id Loopback0

-----
R4
-----
mpls ldp router-id Loopback0

======================================================================
3. Enable LDP on all the Router-2-Router Interfaces
======================================================================

-----
R1
-----
Interface E 0/0
 mpls ip

-----
R2
-----
Interface E 0/0
 mpls ip
!
Interface E 0/1
 mpls ip

-----
R3
-----
Interface E 0/0
 mpls ip
!
Interface E 0/1
 mpls ip

-----
R4
-----
Interface E 0/0
 mpls ip

Verification:
----------------
Verifying the LIB - show mpls ldp binding
Verifying the LFIB - show mpls forwarding
Verifying the FIB with Labels - show ip cef 4.0.0.0

R1(config-if)#do show ip cef 4.0.0.0
4.0.0.0/8
  nexthop 192.1.12.2 Ethernet0/0 label 2003

*******************************************************
Lab 4 - Authenticating LDP Peers
*******************************************************

-----
R1
-----
mpls ldp password required
mpls ldp neighbor 2.2.2.2 password Cisco123

-----
R2
-----
mpls ldp password required
mpls ldp neighbor 1.1.1.1 password Cisco123
mpls ldp neighbor 3.3.3.3 password Cisco123

-----
R3
-----
mpls ldp password required
mpls ldp neighbor 2.2.2.2 password Cisco123
mpls ldp neighbor 4.4.4.4 password Cisco123

-----
R4
-----
mpls ldp password required
mpls ldp neighbor 3.3.3.3 password Cisco123

*******************************************************
Lab 5 - Configuring a BGP-FREE Core
*******************************************************

=============================================
1. Configure eBGP between AS 1000 & AS 500
=============================================

-----
R1
-----
Interface E 0/1
 ip address 192.1.15.1 255.255.255.0
 no shut
!
router bgp 1000
 neighbor 192.1.15.5 remote-as 500

-----
R5
-----
Interface E 0/0
 ip address 192.1.15.5 255.255.255.0
 no shut
!
Interface Loopback 0
 ip address 5.1.1.1 255.255.255.0
!
Interface loopback 1
 ip address 5.1.2.1 255.255.255.0
!
router bgp 500
 neighbor 192.1.15.1 remote-as 1000
 network 5.1.1.0 mask 255.255.255.0
 network 5.1.2.0 mask 255.255.255.0

=============================================
2. Configure eBGP between AS 1000 & AS 800
=============================================

-----
R4
-----
Interface E 0/2
 ip address 192.1.48.4 255.255.255.0
 no shut
!
router bgp 1000
 neighbor 192.1.48.8 remote-as 800

-----
R8
-----
Interface E 0/0
 ip address 192.1.48.8 255.255.255.0
 no shut
!
Interface Loopback 0
 ip address 8.1.1.1 255.255.255.0
!
Interface loopback 1
 ip address 8.1.2.1 255.255.255.0
!
router bgp 800
 neighbor 192.1.48.4 remote-as 1000
 network 8.1.1.0 mask 255.255.255.0
 network 8.1.2.0 mask 255.255.255.0

=============================================
3. Configure iBGP between R1 & R4 in AS 1000
=============================================

-----
R1
-----
router bgp 1000
 neighbor 4.4.4.4 remote-as 1000
 neighbor 4.4.4.4 update-source loopback0
 neighbor 4.4.4.4 next-hop-self

-----
R4
-----
router bgp 1000
 neighbor 1.1.1.1 remote-as 1000
 neighbor 1.1.1.1 update-source loopback0
 neighbor 1.1.1.1 next-hop-self

Sunday - 23rd - MPLS VPN
Sunday - 30th - QoS/Multicast Routing
7th & 14th - Break
21st Python

-----------------------
EI - SD-WAN, SDA etc
SP - Inter-AS MPLS VPNs, Segment Routing, IOS-XR etc
-----------------------
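
Added example (not part of the original lab notes): a Python audit of the IKEv2 proposal and IPsec transform set used in Labs 1 and 2. A proposal may list several values per transform type and any listed value can be negotiated, so the script reports which listed values fall under a legacy policy. The policy table, the name audit and the SAMPLE text are assumptions of this example.

```python
import re

# Assumed audit policy for this example (not taken from the lab notes).
LEGACY = {
    "encryption": {"des", "3des"},
    "integrity": {"md5"},
    "group": {"1", "2", "5"},
    "transform-set": {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"},
}

# Constructed sample: the R1 crypto commands from Lab 1, one per line.
SAMPLE = """\
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-192
 integrity md5 sha256
 group 2 5
!
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
"""


def audit(config):
    """Return (object, keyword, legacy values, other values) per offending line."""
    findings, proposal = [], None
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if not words:
            continue
        if m := re.match(r"crypto ikev2 proposal (\S+)$", line):
            proposal = m.group(1)
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            proposal = None
            name, keyword, offered = m.group(1), "transform-set", m.group(2).split()
        elif proposal and words[0] in LEGACY:
            name, keyword, offered = proposal, words[0], words[1:]
        else:
            proposal = None  # any other command closes the proposal block
            continue
        legacy = [v for v in offered if v in LEGACY[keyword]]
        if legacy:
            others = [v for v in offered if v not in LEGACY[keyword]]
            findings.append((name, keyword, legacy, others))
    return findings


if __name__ == "__main__":
    for name, keyword, legacy, others in audit(SAMPLE):
        print(f"{name}: {keyword} lists legacy {legacy}; also lists {others}")
```

An empty "also lists" column, as for the group line here, means no listed alternative is outside the legacy set.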
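
Added example (not part of the original lab notes): the "LFIB based on the FIB and the LIB" step from the MPLS tables section, in Python, using R2's FIB and LIB as printed in those tables. It goes beyond the tables to show two further cases: a changed FIB next hop reusing a label already held in the LIB, and a next hop that has advertised no binding. The function names, the dictionary layout, the changed next hop and the "No Label" marker are assumptions of this example.

```python
POP = "POP"  # implicit-null, as written in the tables

# Constructed from the R2 tables: FIB as network -> next hop (connected
# network 2 omitted), LIB as network -> local label and per-neighbor labels.
R2_FIB = {1: "R1", 3: "R3", 4: "R3"}
R2_LIB = {
    1: {"local": 18, "remote": {"R1": POP, "R3": 20}},
    2: {"local": POP, "remote": {"R1": 22, "R3": 21}},
    3: {"local": 20, "remote": {"R1": 23, "R3": POP}},
    4: {"local": 21, "remote": {"R1": 24, "R3": 23}},
}


def build_lfib(fib, lib):
    """Return network -> (local label, outgoing label, next hop)."""
    lfib = {}
    for network, next_hop in sorted(fib.items()):
        binding = lib.get(network)
        if binding is None:
            continue  # no label allocated for this prefix
        # Only the label advertised by the FIB next hop is installed; labels
        # from other neighbors stay in the LIB. A next hop with no binding
        # leaves the entry unlabeled ("No Label" is this example's marker).
        outgoing = binding["remote"].get(next_hop, "No Label")
        lfib[network] = (binding["local"], outgoing, next_hop)
    return lfib


def reroute(fib, network, new_next_hop):
    """Hypothetical IGP change: same FIB with one next hop replaced."""
    return {**fib, network: new_next_hop}


def drop_neighbor(lib, neighbor):
    """LIB after losing every binding learned from one LDP neighbor."""
    return {
        net: {"local": b["local"],
              "remote": {n: l for n, l in b["remote"].items() if n != neighbor}}
        for net, b in lib.items()
    }


if __name__ == "__main__":
    print(build_lfib(R2_FIB, R2_LIB))
    print(build_lfib(reroute(R2_FIB, 4, "R1"), R2_LIB)[4])
    print(build_lfib(R2_FIB, drop_neighbor(R2_LIB, "R3")))
```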