MPLS Tutorial – including verifications

This Cisco MPLS Tutorial will guide you through building the simple MPLS topology below. It consists of a three-router MPLS core and two remote sites in the same VRF, running OSPF as the PE-CE routing protocol. This will be quite a long post, as I will be taking you through every single verification along the way to ensure you understand how each section works. I will be using GNS3 and building the routers as we go so you can follow along.

Cisco MPLS Tutorial Topology

cisco mpls tutorial topology

Step 1 – IP addressing of MPLS Core and OSPF

First bring three routers into your topology (R1, R2 and R3) and position them as below. We are going to address the routers and configure OSPF to ensure loopback-to-loopback connectivity between R1 and R3.

cisco mpls tutorial step 1 ip addressing

R1
hostname R1
! Loopback0 is the router ID used later for LDP and BGP
int lo0
 ip add 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
int f0/0
 ip add 10.0.0.1 255.255.255.0
 no shut
 ip ospf 1 area 0

R2
hostname R2
int lo0
 ip add 2.2.2.2 255.255.255.255
 ip ospf 1 area 0
! Link to R1
int f0/0
 ip add 10.0.0.2 255.255.255.0
 no shut
 ip ospf 1 area 0
! Link to R3
int f0/1
 ip add 10.0.1.2 255.255.255.0
 no shut
 ip ospf 1 area 0

R3
hostname R3
! /32 mask, matching the other loopbacks
int lo0
 ip add 3.3.3.3 255.255.255.255
 ip ospf 1 area 0
int f0/0
 ip add 10.0.1.3 255.255.255.0
 no shut
 ip ospf 1 area 0

You should now have full IP connectivity between R1, R2 and R3. To verify this, check that you can ping between the loopbacks of R1 and R3.

R1#ping 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/52/64 ms
R1#

You could show the routing table here, but the fact that you can ping between the loopbacks is verification enough and it is safe to move on.

Step 2 – Configure LDP on all the interfaces in the MPLS Core

To run MPLS you need to enable it. There are two ways to do this:

  • At each interface enter the mpls ip command
  • Under the OSPF process use the mpls ldp autoconfig command

For this tutorial we will be using the second option, so go into the OSPF process and enter mpls ldp autoconfig. This enables the MPLS Label Distribution Protocol (LDP) on every interface running OSPF under that specific process.

R1(config)#router ospf 1
R1(config-router)#mpls ldp autoconfig
R2(config)#router ospf 1
R2(config-router)#mpls ldp autoconfig
R3(config)#router ospf 1
R3(config-router)#mpls ldp autoconfig

You should see log messages coming up showing the LDP neighbors are up.

R2#
*Mar  1 00:31:53.643: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:31:54.423: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UP
R2#
*Mar  1 00:36:09.951: %LDP-5-NBRCHG: LDP Neighbor 3.3.3.3:0 (2) is UP

To verify the MPLS interfaces, the command is very simple: sh mpls interface.
This is done on R2, and you can see that both interfaces are running MPLS and using LDP.

R2#sh mpls interface
Interface              IP            Tunnel   Operational
FastEthernet0/0        Yes (ldp)     No       Yes
FastEthernet0/1        Yes (ldp)     No       Yes

You can also verify the LDP neighbors with the sh mpls ldp neighbor command.

R2#sh mpls ldp neigh
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.37909
        State: Oper; Msgs sent/rcvd: 16/17; Downstream
        Up time: 00:07:46
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 10.0.0.1
        Addresses bound to peer LDP Ident:
          10.0.0.1        1.1.1.1
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 3.3.3.3.22155 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 12/11; Downstream
        Up time: 00:03:30
        LDP discovery sources:
          FastEthernet0/1, Src IP addr: 10.0.1.3
        Addresses bound to peer LDP Ident:
          10.0.1.3        3.3.3.3

One more verification to confirm LDP is running OK is to do a trace between R1 and R3 and check that MPLS labels show up in the trace.

R1#trace 3.3.3.3
Type escape sequence to abort.
Tracing the route to 3.3.3.3
  1 10.0.0.2 [MPLS: Label 17 Exp 0] 84 msec 72 msec 44 msec
  2 10.0.1.3 68 msec 60 msec *

As you can see, the hop through R2 used an MPLS label. Because this is a very small MPLS core, only one label was used, as R3 was the final hop.
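Because mpls ldp autoconfig turns LDP on for every OSPF interface, it is worth checking that the neighbors you get are only the ones you expect. The following is an added example, not part of the original tutorial: it parses the sh mpls ldp neigh output shown above and compares it with an allowlist. The allowlist and the extra 4.4.4.4 stanza are constructed assumptions for illustration.

```python
import re

# "sh mpls ldp neigh" output from R2, copied from the tutorial text above.
R2_OUTPUT = """\
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.37909
        State: Oper; Msgs sent/rcvd: 16/17; Downstream
        Up time: 00:07:46
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 10.0.0.1
        Addresses bound to peer LDP Ident:
          10.0.0.1        1.1.1.1
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 3.3.3.3.22155 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 12/11; Downstream
        Up time: 00:03:30
        LDP discovery sources:
          FastEthernet0/1, Src IP addr: 10.0.1.3
        Addresses bound to peer LDP Ident:
          10.0.1.3        3.3.3.3
"""
# Constructed stanza (not from the tutorial): a peer seen on another OSPF
# interface that autoconfig would also have enabled for LDP.
EXTRA_PEER = """\
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
        State: Oper; Msgs sent/rcvd: 9/9; Downstream
          FastEthernet1/0, Src IP addr: 10.0.9.4
"""
# Assumed allowlist for R2: LDP router ID -> interface it may be discovered on.
EXPECTED_R2 = {"1.1.1.1": "FastEthernet0/0", "3.3.3.3": "FastEthernet0/1"}

PEER_RE = re.compile(r"Peer LDP Ident: (\d+(?:\.\d+){3}):\d+;")
STATE_RE = re.compile(r"State: (\w+);")
SRC_RE = re.compile(r"^\s+(\S+), Src IP addr: (\d+(?:\.\d+){3})")

def parse_ldp_neighbors(text):
    """Return one dict per peer: router ID, session state, discovery sources."""
    peers, cur = [], None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            cur = {"peer": m.group(1), "state": None, "sources": []}
            peers.append(cur)
        elif cur and (m := STATE_RE.search(line)):
            cur["state"] = m.group(1)
        elif cur and (m := SRC_RE.match(line)):
            cur["sources"].append((m.group(1), m.group(2)))
    return peers

def audit_ldp_peers(peers, expected):
    """Compare parsed peers with the allowlist and return a list of findings."""
    findings = []
    for p in peers:
        ifaces = ", ".join(i for i, _ in p["sources"]) or "unknown interface"
        if p["peer"] not in expected:
            findings.append(f"unexpected LDP peer {p['peer']} on {ifaces}")
            continue
        if p["state"] != "Oper":
            findings.append(f"peer {p['peer']} state is {p['state']}, not Oper")
        for iface, src in p["sources"]:
            if iface != expected[p["peer"]]:
                findings.append(f"peer {p['peer']} discovered on {iface} ({src})")
    seen = {p["peer"] for p in peers}
    findings += [f"expected LDP peer {r} is missing" for r in sorted(set(expected) - seen)]
    return findings

if __name__ == "__main__":
    for f in audit_ldp_peers(parse_ldp_neighbors(R2_OUTPUT + EXTRA_PEER), EXPECTED_R2):
        print(f)
```
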

So to review: we have configured IP addresses on the MPLS core, enabled OSPF and confirmed full IP connectivity between all routers, and finally enabled MPLS on all the interfaces in the core and established LDP neighbors between all routers.

The next step is to configure MP-BGP between R1 and R3.

Step 3 – Configure MP-BGP between R1 and R3

We need to establish a Multiprotocol BGP session between R1 and R3. This is done by configuring the vpnv4 address family as below.

R1#
router bgp 1
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
R3#
router bgp 1
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
You should see log messages showing the BGP sessions coming up.

*Mar  1 00:45:01.047: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

To verify the BGP session between R1 and R3, issue the command sh bgp vpnv4 unicast all summary.

R1#sh bgp vpnv4 unicast all summary
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 1, main routing table version 1
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4     1     218     218        1    0    0 03:17:48        0

You can see here that we do have a BGP vpnv4 peering to R3. Looking at PfxRcd you can see it says 0; this is because we have not got any routes in BGP yet. We are now going to add two more routers to the topology. These will be the customer sites connected to R1 and R3. We will then create a VRF on each router and put the interfaces connected to each site router into that VRF.

Step 4 – Add two more routers, create VRFs

We will add two more routers into the topology so it now looks like the final topology.

cisco mpls tutorial topology

How to build CCIE V5 Lab – with CSR 1000V

How to build CCIE V5 Lab using ESXi and CSR 1000v

The basis of this topology is centered around the INE Hardware build which is detailed here – INE CCIE V5 Hardware Topology

This post will detail how to build a CCIE v5 lab using VMware and CSR 1000v routers, and the issues I faced, which should hopefully help you make this build a lot easier.

In simple terms you are going to build a VMWare ESXi server and run multiple instances of the Cisco CSR 1000v router – this can be connected to some physical switches and you can have a 20 router / 4 switch topology that will provide for all your labbing needs. This post is focussed on the router build only and a later post will focus on the switch build and connecting them together.

Virtual Rack – Shopping List

To build your virtual ccie rack you will need:

  • 1 x server or high power desktop with at least 16GB ram for 10 routers and 32GB ram for 20 routers
  • 1 x Cisco CSR1000v
  • 1 x VMWare ESXi 5.1

Server or High Power Desktop

I have built this out twice now: once on a high-end DL360 G8 server and the second time on a Dell Optiplex 790 desktop. Once they are built and up and running there is no performance difference between the two boxes. So unless you have access to some big servers, I would recommend a good desktop PC, which is more than suitable.

Which ESXi version to use for ccie lab setup?

For the purpose of this tutorial and my home lab setup I am using ESXi 5.1. This is based on the fact that I have tested this and it works. I tried to use ESXi 5.5 but got hung up with the web client, so I went back to 5.1 and the install and setup worked without a problem. As they say, if it ain’t broke, don’t fix it!

Cisco CSR 1000v

You will need a copy of the Cisco CSR 1000v virtual router. This can be downloaded from the Cisco website.

Information about the CSR Router – www.cisco.com/c/en/us/products/routers/cloud-services-router-1000v-series

CSR 1000v download link – Cisco CSR 1000v download

You will want to download the OVA file.

cisco csr 1000v download ova

A few people have asked me about the Cisco CSR 1000v price. For lab use you can download and use the router for free. It will run with limited bandwidth, but that is fine for just labbing. If you want to use it in production then you need to purchase a license, which will increase the throughput of the cloud services router.

1 x VMWare ESXi 5.1

You can use VMWare ESXi 5.5 (I have not tested it), but for the purpose of this document I am using 5.1.

Download a copy of the VMWare ESXi 5.1 Hypervisor from here.

You will need to create an account to download.

Installing VMWare ESXi

Now you have everything you need to install the hypervisor onto your chosen platform. I am not going to detail installing the hypervisor, but if you want a tutorial there are many good ones out there. In simple terms, make a bootable USB stick, copy the ISO file onto your USB stick, put it into your server / desktop and boot the hardware from the USB.

The only two pieces of information you are going to need to provide are a password and an IP address.

For the purpose of this build my IP is 192.168.1.1.

So you should now have your VMWare ESXi hypervisor up and running and once logged in should be looking at a screen like this.

vmware esxi client

Yours will be empty so we will now go through the installation of the Cisco CSR 1000v router.

Installing the Cisco Cloud Services Router – CSR 1000v

From the VMWare client click on File / Deploy OVF template.

Browse to the location where you saved your CSR1000v installation package.

Click Next.

deploy ovf template csr 1000v

Notice the Size on disk: if you deploy this router as Thick Provision it will require 8.3GB of disk space. Most of this space is unused. If you deploy as Thin Provisioned it will only take the disk space required, but it will grow. This is selected later on. Click Next.

give your router a name

Now give your router a name. This is used to identify all your routers, so make them unique, e.g. CSR-1, CSR-2. Click Next.

cisco csr 1000v hardware profile small

For the purpose of a virtual CCIE rack you have two choices, Small or Medium:

  • Small – 1vCPU, 2.5GB RAM
  • Medium – 2vCPUs, 4GB RAM

Again, this is all dependent on your hardware platform. On the server I selected Medium and on my PC install I selected Small.

Once the router is running it actually uses <1GB of RAM, but it does need a bit more to get started.

Select your configuration and click Next.

cisco csr 1000v thin thick provisioned

This screen is where you select Thick or Thin Provisioned:

  • Use Thick Provision if you have lots of disk space
  • Use Thin Provision if you don’t
  • I used Thick provision on the big server install where I had lots of disk space
  • I used Thin provision on my PC install
  • Both work

Basically, Thick provisioned allocates a larger chunk of disk space which will not grow, and Thin provisioned allocates a smaller amount of disk space which can grow. For a typical 20 router CCIE virtual rack you should be fine with a 128GB drive. SSD is better if you can. Select your choice and click Next, Next again and then Finish.

Your router will now be deployed.

deploy csr 1000v - virtual ccie rack build

Virtual Serial

On your vSphere Client you should now see your newly deployed router. It will not have a green arrow beside it because it is not powered on.

Before you power the router on we are going to add a Virtual Serial Port.

Right click on your router and select Edit Settings, then click Add.

vmware cisco csr 1000v edit settings

add virtual serial port cisco csr 1000v

Click on Serial Port and click Next.

virtual serial port

Select Connect via Network and click Next.

ccie virtual rack serial port configuration

You need to change Network Backing to Server.

In the Port URI add telnet://server-ip:port

In my case I would configure telnet://192.168.1.1:2013

Ensure Connect at power on and Yield CPU on poll are ticked, then click Next and Finish.

Enable Serial port over Network in ESXi firewall

By default the ESXi server will block access to the VM serial port over the network. You need to enable this in the Security Profile.

Click on your server, then click the Configuration tab and then Properties.

vmware esxi firewall

Scroll the window down a bit until you see VM serial port connected over network. It will be un-ticked. Tick this box and click OK.

VM Serial port over network

You can now power on the first Virtual router in your ccie virtual rack.
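The serial port settings entered above end up in each VM's .vmx file, and with 20 routers it helps to check them in one pass. The following is an added example, not part of the original post: it lists every telnet console listener and flags two routers given the same port. The serialN.* key names are VMware's standard .vmx keys for network-backed serial ports; the sample file contents and the CSR-3 port clash are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

def sample_vmx(port):
    """Constructed .vmx lines for one router's network-backed serial port."""
    return (
        'serial0.present = "TRUE"\n'
        'serial0.fileType = "network"\n'
        f'serial0.fileName = "telnet://192.168.1.1:{port}"\n'
        'serial0.network.endPoint = "server"\n'
    )

# Constructed inventory: CSR-3 reuses CSR-1's port by mistake.
VMX_BY_VM = {
    "CSR-1": sample_vmx(2013),
    "CSR-2": sample_vmx(2014),
    "CSR-3": sample_vmx(2013),
}

KEY_RE = re.compile(r'^(serial\d+)\.(\S+)\s*=\s*"(.*)"\s*$')

def serial_ports(vmx_text):
    """Return the network-backed serial ports defined in one .vmx file."""
    devices = {}
    for line in vmx_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            devices.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    ports = []
    for dev, kv in sorted(devices.items()):
        if kv.get("fileType") != "network":
            continue  # file- or pipe-backed ports are not network listeners
        url = urlsplit(kv.get("fileName", ""))
        ports.append({
            "dev": dev,
            "scheme": url.scheme,
            "host": url.hostname,
            "port": url.port,
            "endpoint": kv.get("network.endPoint"),
        })
    return ports

def audit_serial_consoles(vmx_by_vm):
    """Return (exposed, conflicts) for the whole rack.

    exposed:   (vm, host, port) for every cleartext telnet console listener
    conflicts: (vm, other_vm, port) where two VMs claim the same listener
    """
    exposed, conflicts, owners = [], [], {}
    for vm, text in sorted(vmx_by_vm.items()):
        for sp in serial_ports(text):
            if sp["scheme"] != "telnet" or sp["endpoint"] != "server":
                continue
            exposed.append((vm, sp["host"], sp["port"]))
            key = (sp["host"], sp["port"])
            if key in owners:
                conflicts.append((vm, owners[key], sp["port"]))
            else:
                owners[key] = vm
    return exposed, conflicts

if __name__ == "__main__":
    exposed, conflicts = audit_serial_consoles(VMX_BY_VM)
    for vm, host, port in exposed:
        print(f"{vm}: console listens on telnet://{host}:{port}")
    for vm, other, port in conflicts:
        print(f"{vm}: port {port} is already used by {other}")
```

These listeners are not authenticated by the hypervisor, so anyone who can reach the port gets the router console. The VM serial port connected over network firewall rule enabled above can be limited to specific source addresses in the same Security Profile dialog.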

Powering on the Cisco CSR 1000v

Right click on your router and select power on. You should now be able to connect to your router using your chosen terminal client and see it boot up.

Be patient as the first time you boot the router it will take quite a few minutes to start.

I hope you enjoyed the first post on how to build a CCIE v5 lab.

The next post will deal with troubleshooting the Cisco CSR 1000v router.

Mastering Switching topics in CCIE Version 5

With the new version 5 blueprint there are a lot of version 4 students who are trying to work out what has changed, what is new and what has gone. For new students to Version 5 it is probably just as confusing.

One of the changes is the jump to 15 code and the use of virtual switches in the lab.

This certainly left me with a few questions. If there are no physical switches in the lab, then what should you be focussing your studies on?

For version 4 I previously just read through the 3560 switch configuration guide.

This is pretty much the same for version 5. To master all the switching topics, just read through the 15.0SE documentation for the 3750X and 3560X. The virtual switches used in the lab are an equivalent compile of this code.

You can find the 3750X / 3560X documentation here.

I am planning on reading through this again to pick up on any new features. It's only 1552 pages!

There is more info on the changes here CCIE R&S 4 to 5 updates
www.cisco.com/web/learning/certifications/expert/ccie_rs/docs/ccieRS_examUpdates4-5.pdf

The part relevant to this post is:

Candidates who want to prepare using hardware based labs can use the following equipment and Cisco IOS Software Releases

  • Cisco ISR 2900 Series routers running IOS version 15.3T (I am using the CSR 1000v routers)
  • Catalyst 3560X Series switches running IOS version 15.0SE

Personally I am running 4 x 3560 switches running the latest 12 code. This will allow me to lab the majority of topics; for anything relevant to 15 code I will just rent some rack time.

Roger

CCIE Video – from Alexandre Vasseur

I do not know anything about Alexandre Vasseur except for the fact that he has passed his CCIE Lab exam and has made this amazing video to celebrate that fact.

We all need small things to keep us motivated along the journey and this video is one of those.

Watch the video and feel empowered to study more and get your digits.

Nice work Alexandre – I particularly like the diagrams at the start of the video – I am not sure if that was his actual study notes because my topology diagrams were not as neat and colour coded as that!

 

CCIE Version 5 here I come

Well I am sad to say that I did not get my digits at my last attempt at the CCIE Lab exam.

Everything was in place and I had prepared well. I went to the NH Airport Hotel a day early so had an extra night's sleep. But on the day the TS got me again and I got buried in one big ticket which I could not resolve, and I also dropped marks on the tickets I did fix, so I must have broken a restriction. I also dropped some big points in my Layer 2, and I am still not sure what happened there.

Positive points

  • I was so nearly there. I felt on top of everything, I had full reachability early in the day, all my TCL scripts were working, and there were no topics that really fazed me. I felt good.
  • I arrived a day early at the NH Airport hotel, which I can highly recommend. I have not slept well before my previous attempts and my first night was very restless. However, after a day of gentle labbing in the hotel I went to bed at 10:30, had a great night's sleep and was up at 6 feeling ready for the day.
  • I had a lot more support from friends and fellow CCIE candidates. This I now realise is very important, as trying to pass this exam on your own is a very lonely journey. I have met some great people along the way, and just bouncing ideas about troubleshooting off each other has really helped me focus on my approach.
  • The version 5 blueprint looks very good – and I am enjoying now studying DMVPN and I think the format of the exam is going to be better.
  • I now know that I need to aim to complete TS in 90 minutes max and to also complete the config section in 280 minutes max.

Negative points

  • I failed! After all the time / money / preparation and mental pressure it all came to an email from Cisco which said fail. This is the hardest part of the CCIE journey and I know a lot of other candidates will empathise with me. On the way home on the train you feel positive, and then start to remember things you may have missed. After the result comes in you are crushed but still positive, saying I am going to pass this thing and want to get straight back into it. After you have given yourself a few days off the study you start to feel very low about it all and just want to give up. It is at this point which a lot of people do – or you just get back on the horse and keep going.
  • The version 4 to version 5 change – for me passing the CCIE Lab exam this is a negative point, as if I could go back for Version 4 in 30 days I think I could have passed it. This is also a positive point (see above).
  • Having to explain to my wife that there will be more weekends where I will be studying. Another of the hardest parts about failing is knowing that you are going to have to detach yourself from life again for a while in the lead up to your next attempt.
  • I did not have enough time to verify my lab at the end of the day, which I was very annoyed about. I went a bit slower than I should have done at the start of the lab to ensure the foundations were solid. However, on reflection I needed to go a lot faster and just get it built and then verify at the end of the day. There is a fine balance between going slow and steady and verifying as you go, and going faster, seeing things working and verifying at the end of the day.
  • The cost, each attempt costs me about £1500 and I have also sacrificed a lot of family holiday time. This is something that any CCIE candidate just has to swallow or get someone else to pay for it!

My schedule for the next few months.

I have already built my virtual CCIE rack using a baremetal ESXi install – currently running 20 x CSR1000v routers, I will be connecting up the switches next week and I will be doing a few posts about this build. Although it is very well documented, there are a few tweaks I had to make which did take me a few hours to overcome – mainly the virtual console access.

I am reading through the DMVPN design guides and looking forward to the new ATC class from INE to cover the new topics.

I need to improve on basic speed: typing out basic configs in a solid and concise manner. My typing speed has always been good, as I learned to touch type when I was 16 and I can easily type at 40 words per minute with my eyes shut. What I need to improve on is interpretation of questions and finding quicker ways of doing everything.

The troubleshooting section needs some work. I was doing very well but did get caught in the lights a few times and just did not know where to go. I had checked everything but the ticket was still not working, and I then ended up pecking around for the problem. As a CCIE your troubleshooting strategy needs to be 2 or 3 show and debug commands to isolate the fault, and then, once the fault is located, determining the best way to fix it without breaking any restrictions.

I call it a laser approach, you need to find and isolate the problem efficiently.

  1. Look at the fault and verify that it is as the question says
  2. Determine your first TS step – ping / trace / sh ip route etc
  3. Make your first educated move to the next step – do you repeat the ping / trace / sh ip route etc from a different device
  4. You should now be narrowing in to the fault and need to use the most effective debug command to show the problem.
  5. The debug should tell you what the fault is, now you need to locate it.
  6. Once on the problem device and you can see the fault, how do you fix it without breaking restrictions.

I need to do some more work around show commands for specific areas of the config.

Instead of doing a sh run and looking, being able to do sh run | sec router bgp and going straight to the right bit of config is essential.

I did on a few occasions copy the config to Notepad and do a search to find something quickly.

I also need to do some more work on the documentation, as there were a few topics where I probably spent more time studying them than I needed to, when all the information is there for you in the exam. Familiarise yourself with the technology, lab it a few times and then know where the documentation is. This worked well for me on one particular technology: I had not labbed it for months, but a quick look at the documentation brought it all back, and the question was asking for a particular change to timers, for which I was easily able to take the configuration example and adjust it to the requirements of the question.

Conclusion

I am disappointed that I did not pass this time, but I am not going to give up!

There are areas that I know can be improved on and I will be working on those over the next few months.

I need to make sure that every day I improve on something. I will be blogging a lot more over the next few months and if you are in the same boat and are transitioning from Version 4 to Version 5 and would like to get together and form a study group I am always looking to meet other CCIE candidates from around the world.

Roger