CCIE Challenge 3: MPLS L3VPN

This challenge is split up in four parts. Make sure you achieve the desired goals, even after multiple reboots of the routers in your topology.


The initial config files can be downloaded here.

General restrictions:

  • You are not allowed to modify any IP address on any interface
  • You are not allowed to introduce any new interfaces

Part 1: IGP.

  • Configure OSPF area 0 on the links between R7, R8, R11 and R12
    • Lo0 is part of OSPF area 0
  • Configure EIGRP as 100 on the links between R8, R9, R10, R13 and R12
    • Make sure the EIGRP process supports delay measured in picoseconds
    • Lo0 on R10 and R13 should be D EX routes
    • Lo0 on R9 should be part of EIGRP as 100 as a native EIGRP route
  • Configure RIP on the links between R7, R5, R6, R8 and R9
  • Redistribute between all processes on all possible routers

Part 2: iBGP.

  • Configure BGP as 65000 on all routers in the core network
    • R8 and R12 should be Route Reflectors
    • You’re not allowed to manually define any neighbor on R8 and R12
    • You should use the loopback addresses for the BGP connections
    • All routers should run the minimum required amount of address families

Part 3: MPLS.

  • Set up an MPLS network in the core
  • R1, R2, R3 and R4 should be members of AS1234
    • Originate the loopback addresses into BGP
    • R3 and R4 should not get each other’s routes
    • R3 and R4 should be able to reach each other, but their traffic should traverse HQ
  • Match the following outputs:
R1#trace so lo0
Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 3 msec 2 msec 1 msec
[SNIP (other hops not relevant)]

R2#trace so lo0
Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 1 msec 1 msec 4 msec
[SNIP (other hops not relevant)]

Part 4: Traffic Engineering.

  • Match the following outputs:
R3#trace so lo0
Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 4 msec 1 msec 7 msec
  2 [MPLS: Labels 18/36 Exp 0] 11 msec 7 msec 14 msec
  3 [MPLS: Label 36 Exp 0] 8 msec 5 msec 8 msec
  4 16 msec 14 msec 12 msec
  5 17 msec 14 msec 13 msec
  6 [MPLS: Labels 25/33 Exp 0] 49 msec 55 msec 39 msec
  7 [MPLS: Label 33 Exp 0] 41 msec 20 msec 24 msec
  8 39 msec *  42 msec
R4#trace so lo0
Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 8 msec 1 msec 5 msec
  2 [MPLS: Labels 24/39 Exp 0] 11 msec 16 msec 8 msec
  3 [MPLS: Labels 17/39 Exp 0] 15 msec 22 msec 18 msec
  4 [MPLS: Label 39 Exp 0] 12 msec 14 msec 15 msec
  5 22 msec 14 msec 23 msec
  6 22 msec 13 msec 19 msec
  7 [MPLS: Labels 25/34 Exp 0] 30 msec 22 msec 35 msec
  8 [MPLS: Label 34 Exp 0] 30 msec 21 msec 32 msec
  9 31 msec *  37 msec


There are a lot of tasks in this lab. I’ve grouped them conveniently for you in four parts.

The first part handles IGP’s. In this topology three IGP’s exist, RIP, OSPF and EIGRP. All configuration in regard to the IGP’s is fairly straightforward. However. The assignment does require you to redistribute between all protocols at all possible locations. This means that there is a big risk for routing loops. Especially for the loopback addresses of R10 and R13. The exercise in this part of the lab isn’t so much configuring the IGP’s as it is recognizing possible problems.

The lab doesn’t say anything about allowed or prohibited ways to ensure that loops don’t occur. Because of that you’re free to use the method of your liking. My personal preference is using route tags. But distribute lists and summarization would also be possible.

In regards to EIGRP the picosecond requirement ensures we use named mode.

The BGP task requires us to disable the ipv4 unicast address family since we’ll only need the vpnv4 address family. At least on all routers not connected to the ‘customer’ routers of R1, R2, R3 and R4. This can be done using no bgp default ipv4-unicast. Furthermore the assignment requires R8 and R12 to be the route reflectors, but they are not allowed to have any manually configured peer. This means they need to use BGP listen groups.

The MPLS part should be easy. Just take care of R11’s loopback. This is a /24 whereas most MPLS networks use /32’s. If you don’t set the ospf network type to something that actually advertises the correct subnet (ip ospf network point-to-point for example) your MPLS might not work.

Since R1, R2, R3 and R4 are all members of AS1234 you need to do something with the AS number. This can either be as-override on the PE side, or allowas-in on the CE side. Both are fine.

Part four of the assignment is where the real difficulty begins. This part requires you to perform some traffic engineering. Depending on waht you’ve done in part one this might be easy or difficult. The requirement at the beginning states that your network must match all outputs even after multiple reboots of your topology. This is because R7 and R8 are in a race condition to determine which one will advertise the RIP routes into OSPF. If R8 advertises into OSPF, R7 will never become the route toward R5 (as required in the traceroute from R3 to R4)

The traceroute from R4 to R3 should traverse R10. It does not do this by default because R8, R9 and R12 will advertise R6’s loopback address. R13 will pick R8 and R12 as next-hop because of the delay towards those addresses (just 1 hop, all delay being equal versus 2 hops to R9 via R10). The easiest way to fix this is to increase the delay toward R8 and R12. Another way to do it would be to use offset lists. The advantage of offset lists is that it gives you the possibility to modify only this specific route, which is why I chose that solution in this case. However, there were no restrictions, so delay would have been fine too.

Below are the relevant configs. The complete final configs can be found here.