Tag Archives: CCIE-SP

CLEUR Barcelona 2018 Day 2

Configit was quite challenging for me specially the config on the IOS-XR, because i do not touch on this for a long time. To me it looks much more structured in a sense of the config than the IOS family

Special tank you to Lizabete Cacic, Lukasz Bromirski and team

I If you want the LAB/docs let me know

L2TPv3 Tunneling

There are different L2VPN technologies like L2TPv3, VPLS, H-VPLS, AToM. Except L2TPv3, the others require a MPLS backbone. L2TP uses IP protocol 115



  • Layer 2 Tunneling Protocol v3 (L2TPv3)
  • Any transport over MPLS (AToM)


  • Virtual Private LAN Service (VPLS)
  • Hierarchical Virtual Private LAN Service (H-VPLS)

Payload agnostic

  • supports Ethernet, Frame-Relay, ATM, HDLC, PPP over IP
  • supports interworking (between different encap)

Note: Encapsulating means an extra MTU overhead, so we need to be careful to not fragmentation along the way.


The objective here is establish a Pseudowire (PW) between two routers (R2/R4) extending the Layer 2 between R1 and R5 for VLAN 156.

Assuming here we have connectivity for R2/R4 loopback’s, since we will use that as source for PW.

Configuration steps

  1. Define PW
    1. define local interface as the source of tunnel
  2. Define xconnect
    1. define peer, vcid and associate with PW recently created

vcid needs to be unique, in this case i choose the same as VLAN ID

R2(config)#pseudowire-class PW_156_L2TPV3
R2(config-pw-class)# encapsulation l2tpv3
R2(config-pw-class)# ip local interface Loopback0
R2(config-pw-class)# ip tos reflect

R2(config)#interface GigabitEthernet1.156
R2(config-subif)# encapsulation dot1Q 156
R2(config-subif)# no cdp enable
R2(config-subif)# xconnect 156 pw-class PW_156_L2TPV3

R4(config)#pseudowire-class PW_156_L2TPV3
R4(config-pw-class)# encapsulation l2tpv3
R4(config-pw-class)# ip local interface Loopback0
R4(config-pw-class)# ip tos reflect

R4(config)#interface GigabitEthernet1.156
R4(config-subif)# encapsulation dot1Q 156
R4(config-subif)# no cdp enable
R4(config-subif)# xconnect 156 pw-class PW_156_L2TPV3

R2#sh l2tun session all

L2TP Session Information Total tunnels 1 sessions 1

Session id 1881450243 is up, logical session id 32790, tunnel id 1984298019
Remote session id is 4260556922, remote tunnel id 82213150
Locally initiated session
Unique ID is 0
Session Layer 2 circuit, type is Ethernet Vlan, name is GigabitEthernet1.156:156
Session vcid is 156
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
Call serial number is 4100100002
Remote tunnel name is R4
Internet address is
Local tunnel name is R2
Internet address is
IP protocol 115
Session is L2TP signaled
Session state is established, time since change 00:00:06
2 Packets sent, 2 received
136 Bytes sent, 136 received
Last clearing of counters never
Counters, ignoring last clear:
2 Packets sent, 2 received
136 Bytes sent, 136 received
Receive packets dropped:
out-of-order:             0
other:                    0
total:                    0
Send packets dropped:
exceeded session MTU:     0
other:                    0
total:                    0
DF bit off, ToS reflect enabled, ToS value 0, TTL value 255
Sending UDP checksums are disabled
Received UDP checksums are verified
No session cookie information available
FS cached header information:
encap size = 24 bytes
45000014 00000000 ff73a16b 0a020202
0a040404 fdf2f07a
Sequencing is off
Conditional debugging is disabled
SSM switch id is 8212, SSM segment id is 4121

R2#sh l2tun tunnel all  

L2TP Tunnel Information Total tunnels 1 sessions 1

Tunnel id 1984298019 is up, remote id is 82213150, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 00:00:30
Tunnel transport is IP  (115)
Remote tunnel name is R4
Internet Address, port 0
Local tunnel name is R2
Internet Address, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
70908 packets sent, 70725 received
5142824 bytes sent, 5127872 received
Last clearing of counters never
Counters, ignoring last clear:
70908 packets sent, 70725 received
5142824 bytes sent, 5127872 received
Control Ns 1925, Nr 56
Local RWS 1024 (default), Remote RWS 1024
Control channel Congestion Control is disabled
Tunnel PMTU checking disabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 3
Total resends 0, ZLB ACKs sent 51
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled

Configuring OSPF

R1(config)#router ospf 1
R1(config-router)# log-adjacency-changes
R1(config-router)# network area 0
R5(config)#router ospf 1
R5(config-router)# log-adjacency-changes
R5(config-router)# network area 0

Confirm we have OSPF neighbouring across the L2VPN

R1#show ip ospf neighborNeighbor ID     Pri   State           Dead Time   Address         Interface        1   FULL/BDR        00:00:32      GigabitEthernet1.156


Do you like dissect packets? You can do it here


https://tools.ietf.org/html/rfc3931 – Layer Two Tunneling Protocol – Version 3 (L2TPv3)

IOS-XR Secure Domain Router (SDR)

Before we start with SDR concept, we need an introduction about virtualization techniques for creating virtualized router entities. A Hardware-Isolated Virtual Router (HVR) has hardware-based resource isolation between routing entities, whereas a Software-Isolated Virtual Router (SVR) comprises software-based resource isolation between routing entities.

Within SVRs, there are several models for achieving virtualization. One model allows for multiple guest operating systems to overlay on a host operating system.This approach tends to have a detrimental impact on scale because it introduces significant contention of resources.
In contrast, the HVR approach dedicates both control plane and data plane resources on a per-module boundary to individual virtual entities, so there is no sharing of either control plane or data plane resources.

Secure Domain Routers

Cisco routers (running IOS XR) can be partitioned into multiple, independent routers known as secure domain routers (SDRs), not VRFs’. With SDRs we can split a single physical system into multiple logically separated routers, with their own routing functions, but they share resources with the rest of the system. For example, the software, configurations, protocols, and routing tables assigned to an SDR belong to that SDR only, but other functions, such as chassis-control and switch fabric, are shared with the rest of the system.
To accommodate the high bandwidth and control plane needs in provider networks, especially POPs, Cisco IOS XR Software includes support for an HVR technology known as Secure Domain Routers (SDRs). SDRs provide full isolation between virtualized routing instances through the use of Distributed Route Processors (DRPs) for extra control plane resources. SDRs are defined on per-slot boundaries, with entire Route Processors (RPs) and Modular Services Cards (MSCs) dedicated to an SDR.


Comparison of Virtualization Technologies with Cisco IOS XR Software-Supported Secure Domain Router


Cisco nV Technology

Cisco nV allows you to simplify operations and deployment of new services across different boundaries in a Service Provider network. But what is exactly this technology? It’s a single logical switch/router built by interconnecting an ASR9K and one or more smaller satellite switches. This switches act as a remote line cards, they are provisioned in ASR9K (called Host).



nV Edge Overview



nV System Overview


  • Control plane extension: Active RSP and standby RSP are on the different chassis,
    they sync up via external EOBC links “AS IF” they are in the same physical chassis
  • Data plane extension: bundle regular data links into special “nV fabric link” to simulate
    switch fabric function between two physical chassis to data packet across
  • No dedicated fabric chassis -> flexible co-located or different location deployment (No distance limitation)

nV Satellite


  • All Satellite Configuration is done on the Host (zero touch)
  • nV Satellite can greatly simplify access and aggregation networks
  • Support flexible access and agg network topologies
  • Satellite is a remote line card: Access ports have feature parity with ASR9K local ports
  • nV Satellite interface naming follows the same local interface naming convention:sat-ID / sat-slot / sat-bay / sat-port

Control Plane

Discovery Phase

  • CDP like protocol to discover Satellites
  • Heartbeat sent every second to detect failures

Control Phase

  • Inter-process Communication Channel (TCP socket)


On Satellite

  • Add nV-Tag to frames before forward to Edge

On the Host

  • Receive Frames with nV-Tag identifies Satellite Virtual Interface

Satellite Deployment Models

Mode 1: Static pinning (Any access ports could be mapped to any single fabric port.)

Mode 2:Fabric bundle (access ports are mapped to a fabric bundle)

Satellite Types: asr9000v, asr901, asr903


nV Satellite L2fabric, Ring Topologies

Since XR 5.1.1

  • Extending satellite connection across a Layer 2 network
  • A native 802.1Q tag is added to the Satellite-Host control and data plane protocol
  • Expanding to support ring, & cascaded topologies
  • Maintains the same plug & play operationalsimplicity
  • CFM/CCM used for fast failure detection*

* CFM/CCM for simple ring and cascading will be in future releases



BRKARC-2024 – Cisco ASR 9000 nV Technology and Deployment (2014 San Francisco)

Cisco IOS-XR Basics

IOS-XR code is really new for me, so i will write a few posts about it. So i will start with the basics. You can see this Operating System on CRS generations, ASR 9000 and NCS Box’s.

Configure Username and Group

The root-system means priviledge 15 in normal IOS

RP/0/0/CPU0:XR-4(config)#username cocheno
RP/0/0/CPU0:XR-4(config-un)# group root-system
RP/0/0/CPU0:XR-4(config-un)# password cocheno

The predefined groups are as follows:

  • cisco-support: This group is used by the Cisco support team.
  • netadmin: Has the ability to control and monitor all system and network parameters.
  • operator: A demonstration group with basic privileges.
  • root-lr: Has the ability to control and monitor the specific secure domain router.
  • root-system: Has the ability to control and monitor the entire system.
  • sysadmin: Has the ability to control and monitor all system parameters but cannot configure network protocols.
  • serviceadmin: Service administration tasks, for example, Session Border Controller (SBC).

Configure Hostname

RP/0/0/CPU0:XR(config)#hostname XR-4

Assigning IP Addresses

IOS-XR has some alias configured, it will interpret correctly if you not use ipv4 in this case

RP/0/0/CPU0:XR-4(config)#int gigabitEthernet 0/0/0/0.201
RP/0/0/CPU0:XR-4(config-subif)#encapsulation dot1q 201
ipv4 ipv6
RP/0/0/CPU0:XR-4(config-subif)#ip add

Check where your are in config hierarchy

RP/0/0/CPU0:XR-4(config-subif)#pwdSun Mar 6 17:37:05.948 UTC
interface GigabitEthernet0/0/0/0.201

Save Config

Saving the Config is a 2 step, you work on a candidate config instead of running-config protecting you from misconfig.

Showing config before commit it in running-config

RP/0/0/CPU0:XR-4(config)#show configuration
Sun Mar 6 16:03:23.913 UTC
Building configuration…
!! IOS XR Configuration 5.2.2
interface GigabitEthernet0/0/0/0.201
ipv4 address
encapsulation dot1q 201
Sun Mar 6 16:05:19.315 UTC

we can also assign a label to the commit, and rollback based on it as well

RP/0/0/CPU0:XR-4(config)#commit label IPV4_v201

Rolling back change we did previously

RP/0/0/CPU0:XR-4#rollback configuration last 1
Sun Mar 6 16:10:35.003 UTC
Loading Rollback Changes.
Loaded Rollback Changes in 1 sec
4 items committed in 1 sec (3)items/sec
Updated Commit database in 1 sec
Configuration successfully rolled back 1 commits.

You can use a time based commit, you need to accept the commit in 120 seconds, or it will rollback the changes

RP/0/0/CPU0:XR-4(config)#commit confirmed 120

Check the last system commits

RP/0/0/CPU0:XR-4(config)#show config commit list detail
Sun Mar 6 16:21:30.499 UTC1) CommitId: 1000000004 Label: IPV4_v201
UserId: cisco Line: con0_0_CPU0
Client: CLI Time: Sun Mar 6 16:21:28 2016
Comment: NONE2) CommitId: 1000000003 Label: NONE
UserId: cisco Line: con0_0_CPU0
Client: Rollback Time: Sun Mar 6 16:10:36 2016
Comment: NONE


RP/0/0/CPU0:XR-4#show configuration rollback changes last 1
Sun Mar 6 16:24:50.435 UTC
Building configuration…
!! IOS XR Configuration 5.2.2
no interface GigabitEthernet0/0/0/0.201

Configure Telnet/SSH

RP/0/0/CPU0:XR-4(config)#telnet vrf default ipv4 server max-servers 5
RP/0/0/CPU0:XR-4#crypto key generate dsa
Sun Mar 6 17:52:29.135 UTC
The name for the keys will be: the_default
Choose the size of your DSA key modulus. Modulus size can be 512, 768, or 1024 bits. Choosing a key modulus
How many bits in the modulus [1024]:
Generating DSA keys …
Done w/ crypto generate keypair
[OK]RP/0/0/CPU0:XR-4#conf t
Sun Mar 6 17:52:44.114 UTC
RP/0/0/CPU0:XR-4(config)#domain name cocheno.com
RP/0/0/CPU0:XR-4(config)#ssh server v2

Check SSH Sessions

RP/0/0/CPU0:XR-5#show ssh
Sun Mar 6 17:55:15.633 UTC
SSH version : Cisco-2.0id pty location state userid host ver authentication
Incoming sessions
0 vty0 0/0/CPU0 SESSION_OPEN cisco v2 password

Check commit failures

RP/0/0/CPU0:XR-4(config)#show configuration failed

After you change candidate config, you can abort without commit it


Replace the entire config by the candidate, if your candidate is empty will you have factory default

RP/0/0/CPU0:XR-4(config)#commit replace
Sun Mar 6 16:47:46.101 UTCThis commit will replace or remove the entire running configuration. This
operation can be service affecting.
Do you wish to proceed? [no]:

Revision CCIE Service Provider Exam Topic Updates from v3.0 to v4.0

Cisco announced a new Exam for CCIE SP v4, this new exam will follow a new structure like the newest one CCIE R&S v5.

The last day to test for both the Written Exam v3.0 (350-029) and the Lab Exam v3.0 will be May 21, 2015.  Beginning May 22, 2015, the Written Exam v4.0 (400-201) and the Lab Exam v4.0 will be available for testing.



CCIE Service Provider Written Exam Version 4.0 (400-201)








**Clique para expandir/colapsar os objectivos em detalhe**

CCIE Service Provider Lab Exam Version 4.0


**Clique para expandir/colapsar os objectivos em detalhe**


  • P and PE role: ASR 9000 series running IOS-XR 5.2 Release
  • RR and CE role: ASR 1000 series running IOS-XE 3.13 (15.4S) Release
  • PE and CE role: Cisco 7600 series running IOS 15.4S Release
  • Access and Aggregation: ME 3600 series running IOS 15.4S Release

CCIE Service Provider Exam Topic Updates from v3.0 to v4.0

Written Exam Topics v4.0

Lab Exam Topics v4.0

Equipment List v4.0

O CCIE em V’s

A tabela das versões dos Labs (CCIE) em que se tornaram activas. Supostamente a Cisco informa com 6 meses de antecedência a nova versão. Algumas não foi possível constatar qual a versão pelo que considerei como sendo a v1.

Track v1 v2 v3 v4 v5
Routing & Switching  ?  ? ? 18 Out 2009 3 Jun 2014
25 Jul 2016 (Written)
Security  ? ? Abr 2009 19 Nov 2012
25 Jul 2016 (Written)
Service Provider ? ? 18 Abril 2011 22 Maio 2015
25 Jul 2016 (Written)
Collaboration 14 Fev 2014
25 Jul 2016 (Written)
 ?  ? ? ?
Data Center Dez 2012  25 Jul 2016
25 Jul 2016 (Written)
?  ?  ?
SP Operations 2010 Retired
Wireless  ?  18 Nov 2011 14 Set 2015
25 Jul 2016 (Written)
? ?
Voice (Retired)
Storage Networking (Retired)

Service Provider Operations Retired [email protected]