R&S_Volume_1_DSG_v11.0_Lab2


IPexpert’s Detailed Solution Guide for the Cisco® CCIE™ v4 Routing & Switching Lab Exam

Volume 1


IPexpert CCIE R&S Detailed Solutions Guide Volume 1 – Introduction

V1500 Copyright © 2010 by IPexpert, Inc. All Rights Reserved. 1

IPexpert CCIE R&S Detailed Solutions Guide – Volume One

Before We Begin

This product is part of the IPexpert "Blended Learning Solution™" that provides CCIE candidates with a comprehensive training program. For information about the full solution, contact an IPexpert Training Advisor today. Telephone: +1.810.326.1444 Email: [email protected]

Congratulations! You now possess one of the ULTIMATE CCIE™ Routing & Switching Lab preparation resources available today! This resource was produced by senior engineers, technical instructors and authors, boasting decades of internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIE™ Routing & Switching Lab exam, we feel VERY confident that your chances of passing the Lab will improve dramatically after completing this industry-recognized Workbook!

At the beginning of each section, you will be referred to a diagram of the network topology. All sections utilize the same physical topology, which can be rented at www.ProctorLabs.com.

Technical Support from IPexpert and your CCIE community!

IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our online communities have attracted a membership of nearly 20,000 of your peers from around the world! At EverythingIE.com you may social-network with your peers all focused on attaining the same goal as you – the CCIE Lab. At CCIEBlog.com you can keep up to date with everything IPExpert does, as well as start your own CCIE-focused blog or simply add your existing blog to our directory so your peers can find you. At OnlineStudyList.com, you may subscribe to multiple “SPAM-free”, CCIE-focused email lists.


Feedback

Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert, we look to you – our valued clients – for the real world, frontline evaluation that we believe is necessary to improve continually. Please send an email with your thoughts to [email protected] or call 1.866.225.8064 (international callers dial +1.810.326.1444). In addition, when you pass the CCIE™ Lab exam, we want to hear about it! Email your CCIE™ number to [email protected] and let us know how IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.

Additional CCIE™ Preparation Material

IPexpert, Inc. is committed to developing the most effective Cisco CCIE™ R&S, Security, Service Provider, and Voice Lab certification preparation tools available. Our team of certified networking professionals develops the most up-to-date and comprehensive materials for networking certification, including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance learning) instructor-led training, audio products, and video training materials. Unlike other certification-training providers, we employ the most experienced and accomplished team of experts to create, maintain, and constantly update our products. At IPexpert, we are focused on making your CCIE™ Lab preparation more effective.

A message from the Author(s): The scenarios covered in this workbook were developed by Routing & Switching CCIEs to help you prepare for the Cisco CCIE Routing & Switching laboratory. It is strongly recommended that you use other reading materials in addition to this workbook. Training is not the objective of this workbook; the intent of these labs is to test your knowledge of, and ability to implement, Cisco Enterprise Routing & Switching solutions. Time management is very important: if you get stuck on a lab scenario, be sure to write it down. Formulate a checklist of skipped sections and return to them once you have gone through the entire lab. Be sure to revisit the questions that you do not understand.

For more information on the CCIE Routing & Switching lab, please visit http://www.cisco.com/go/ccie and click on the link for Routing & Switching at the top-right of the page.

Helpful Hints

Keep It Simple, try to avoid any extra work (example: adding descriptions)

Always reference everything from the Documentation Website: http://www.cisco.com/web/psa/products/index.html

Save your router configurations often (wr is the quickest command)


IPEXPERT END-USER LICENSE AGREEMENT

END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,

DO NOT OPEN OR USE THE TRAINING MATERIALS.

This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions. The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License.

Copyright and Proprietary Rights

The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT.

The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT.

You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.

Exclusions of Warranties

THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state.

Choice of Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect.

Limitation of Claims and Liability

ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR'S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.

Entire Agreement

This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights

The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.


IPexpert CCIE R&S Detailed Solutions Guide – Volume 1

NOTE

You are encouraged to take advantage of the knowledge and support from your peers around the globe. Join ccieblog.com to journal your progress. And join onlinestudylist.com to get more community support and also official support from IPexpert.

Contents

IPexpert CCIE R&S Detailed Solutions Guide – Volume One
IPEXPERT END-USER LICENSE AGREEMENT
  END USER LICENSE FOR ONE (1) PERSON ONLY
  U.S. Government - Restricted Rights
Lab 1 - General Setup
  Lab 1 Detailed Solutions
Lab 2 – Switching: Per-VLAN Spanning Tree +
  Lab 2 Detailed Solutions
Lab 3 – Switching: Multiple Spanning Tree
  Lab 3 Detailed Solutions
Lab 4 – Switching: Rapid Per-VLAN Spanning Tree+
  Lab 4 Detailed Solutions
Lab 5 - Layer 2 Tunneling
  Lab 5 Detailed Solutions
Lab 6 - Frame Relay
  Lab 6 Detailed Solutions
Lab 7 - Bridging and Frame Relay
  Lab 7 Detailed Solutions
Lab 8 – RIPv2
  Lab 8 Detailed Solutions
Lab 9 – EIGRP
  Lab 9 Detailed Solutions
Lab 10 – OSPF
  Lab 10 Detailed Solutions
Lab 11 – OSPF
  Lab 11 Detailed Solutions
Lab 12 - GRE and Routing Protocols
  Lab 12 Detailed Solutions
Lab 13 - Border Gateway Protocol
  Lab 13 Detailed Solutions
Lab 14 - Multiprotocol BGP
  Lab 14 Detailed Solutions
Lab 15 - Routing Protocol Redistribution
  Lab 15 Detailed Solutions
Lab 16 - ACLs and Filters for IPv4
  Lab 16 Detailed Solutions
Lab 17 - Router Security
  Lab 17 Detailed Solutions
Lab 18 - Router Security
  Lab 18 Detailed Solutions
Lab 19 - Router Redundancy and Network Services
  Lab 19 Detailed Solutions
Lab 20 - Advanced Router Management
  Lab 20 Detailed Solutions
Lab 21 - Quality of Service
  Lab 21 Detailed Solutions
Lab 22 - Legacy QoS to MQC Conversion
  Lab 22 Detailed Solutions
Lab 23 - Quality of Service
  Lab 23 Detailed Solutions
Lab 24 - Multicast
  Lab 24 Detailed Solutions
Lab 25 - Multicast
  Lab 25 Detailed Solutions
Lab 26 - Multi-Protocol Label Switching
  Lab 26 Detailed Solutions
Lab 27 - Multiprotocol BGP
  Lab 27 Detailed Solutions
Lab 28 - MPLS VPN
  Lab 28 Detailed Solutions
Lab 29 - Inter-AS MPLS VPN
  Lab 29 Detailed Solutions
Lab 30 - Multicast VPN
  Lab 30 Detailed Solutions
Lab 31 - Layer 2 VPN
  Lab 31 Detailed Solutions
Lab 32 - RIPng and EIGRPv6
  Lab 32 Detailed Solutions
Lab 33 - OSPFv3 and MBGP
  Lab 33 Detailed Solutions
Lab 34 - Cisco IOS Firewalls
  Lab 34 Detailed Solutions



Lab 2 – Switching: Per-VLAN Spanning Tree +

Technologies Covered

Etherchannel

VLAN Trunking

VTP

802.1x

Spanning-Tree

Port-security

RSPAN

Private VLANs

VLAN Maps

Overview

With four switches on the CCIE R&S lab (a combination of Catalyst 3550 and Catalyst 3560 switches with the v3.0 blueprint and four Catalyst 3560 switches on the v4.0 blueprint), there is the potential for a lot of detailed challenges in the "Switching" portion of the Routing & Switching exam. This lab is part of a series that will help prepare you for the types of scenarios you may be presented with.

Estimated Time to Complete: 3-4 Hours


Lab 2 Detailed Solutions

2.1 Configure Cat3 so that you can create, modify and delete VLANs locally. The VLANs created on this switch should be propagated through the network. Use a domain name of “ipexpert”.

Cat3

vtp mode server

Cat1, Cat2, Cat4

vtp mode client

Arguably, VTP server mode on the other switches would work as well; the task didn't say that ONLY Cat3 can manipulate VLANs locally. But setting them to client mode is simple enough and keeps a single point of entry for VLAN changes.

Always verify everything! We should first check that our VLANs are present on Cat3, and that they have been propagated to Cat1, Cat2 and Cat4. Checking only your server switch isn't good enough, as there could have been issues with VLAN propagation. Make sure you check all four of your switches!

Cat3550-3(config)#do sh vl br

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/3, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/12, Fa0/13

Fa0/14, Fa0/15, Fa0/16, Fa0/17

Fa0/18, Gi0/1, Gi0/2

12 VLANB active Fa0/1, Gi0/2

40 VLANC active Fa0/4

100 VLANA active Fa0/11

300 VLANF active

567 VLAND active Fa0/5

1002 fddi-default act/unsup

1003 trcrf-default act/unsup

1004 fddinet-default act/unsup

1005 trbrf-default act/unsup

Cat3560-1#sh vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi0/2, Fa0/3, Fa0/4, Fa0/5

Fa0/8, Fa0/10, Fa0/11, Fa0/12

Fa0/14, Fa0/15, Fa0/16, Fa0/17

Fa0/18, Gi0/2

12 VLANB active

40 VLANC active

100 VLANA active Fa0/1

200 VLANE active

300 VLANF active Fa0/9, Fa0/13

567 VLAND active Fa0/6, Fa0/7

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

Cat3560-2(config)#do sh vlan brief

VLAN Name Status Ports


---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Gi0/1, Gi0/2

12 VLANB active

40 VLANC active

100 VLANA active

200 VLANE active

240 VLAN0240 active

300 VLANF active

567 VLAND active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

Cat3560-4(config)#do sh vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Gi0/1, Gi0/2

12 VLANB active

40 VLANC active

100 VLANA active

200 VLANE active

240 VLAN0240 active

300 VLANF active

567 VLAND active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

OK, everything looks good on all of our switches as far as VLAN propagation goes.

You can also use "debug sw-vlan vtp events" or "debug sw-vlan vtp packets" if there are other concerns.

If you need to add VLANs later on, make sure to add them AFTER VTP is set up; otherwise the configuration revision won't be incremented and the new VLANs won't be propagated.

Next, make sure your VTP status looks as you would expect on all four switches.

Cat3550-1#sh vtp status

VTP Version : running VTP1 (VTP2 capable)

Configuration Revision : 2

Maximum VLANs supported locally : 1005

Number of existing VLANs : 11

VTP Operating Mode : Client

VTP Domain Name : ipexpert

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC

Configuration last modified by 0.0.0.0 at 3-1-93 00:17:34

Local updater ID is 0.0.0.0 (no valid interface found)

Cat3560-2#sh vtp status

VTP Version : running VTP1 (VTP2 capable)


Configuration Revision : 2

Maximum VLANs supported locally : 1005

Number of existing VLANs : 11

VTP Operating Mode : Client

VTP Domain Name : ipexpert

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC

Configuration last modified by 0.0.0.0 at 3-1-93 00:17:34

Cat3560-3(config)#do sh vtp status

VTP Version : running VTP1 (VTP2 capable)

Configuration Revision : 2

Maximum VLANs supported locally : 1005

Number of existing VLANs : 11

VTP Operating Mode : Server

VTP Domain Name : ipexpert

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC

Configuration last modified by 0.0.0.0 at 3-1-93 00:22:38

Cat3560-4(config)#do sh vtp status

VTP Version : running VTP1 (VTP2 capable)

Configuration Revision : 2

Maximum VLANs supported locally : 1005

Number of existing VLANs : 11

VTP Operating Mode : Client

VTP Domain Name : ipexpert

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC

Configuration last modified by 0.0.0.0 at 3-1-93 00:22:38

Great, we have a VTP server, three VTP clients, our revision numbers match, and our MD5 digest matches. We are good to go!

2.2 Cat1 should send VLAN updates with an MD5 one-way hash value. Other switches should not be able to process these updates unless they have the same MD5 value. Use a password of “1p3xp3rt#”. DO NOT use VLAN database commands to accomplish this task. Run VTP version 2.

VTP passwords are always hashed with MD5, and the resulting digests must match on every switch for them to exchange information properly. Normally you can configure the password either in VLAN database mode or in config mode, but the task rules out the former. In config mode (recommended), use "vtp ?" to help find the right command.

Cat3

Cat3550-1(config)#vtp password 1p3xp3rt#

Setting device VLAN database password to 1p3xp3rt#

Check it out, our config revision increments to 3…

Cat3550-3(config)#do sh vtp status

VTP Version : running VTP2

Configuration Revision : 3

Maximum VLANs supported locally : 1005

Number of existing VLANs : 11

VTP Operating Mode : Server


VTP Domain Name : ipexpert

VTP Pruning Mode : Disabled

VTP V2 Mode : Enabled

VTP Traps Generation : Disabled

MD5 digest : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7

Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39

Local updater ID is 0.0.0.0 (no valid interface found)

Cat1, Cat2, Cat4

vtp password 1p3xp3rt#

All we have done is update the password on the clients to match the server, yet they have also automatically switched to running VTP version 2. Excellent! Also notice that the client revision number has incremented, because the clients received an update from the server telling them to run VTP version 2.

Cat3560-1(config)#do sh vtp status

VTP Version : running VTP2

Configuration Revision : 3

Maximum VLANs supported locally : 1005

Number of existing VLANs : 11

VTP Operating Mode : Client

VTP Domain Name : ipexpert

VTP Pruning Mode : Disabled

VTP V2 Mode : Enabled

VTP Traps Generation : Disabled

MD5 digest : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7

Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39

Cat3560-2(config)#do sh vtp status

VTP Version : running VTP2

Configuration Revision : 3

Maximum VLANs supported locally : 1005

Number of existing VLANs : 11

VTP Operating Mode : Client

VTP Domain Name : ipexpert

VTP Pruning Mode : Disabled

VTP V2 Mode : Enabled

VTP Traps Generation : Disabled

MD5 digest : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7

Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39


Cat3560-4(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39

If we had tried to manually set the VTP version to 2 on the client switches, we would have received an error telling us the VTP version cannot be changed in client mode. This is good, as it lets the server do all the work for us.

This task does say that Cat1 will have the capability of sending things out, so we should probably put Cat1 into server mode. This does not violate the previous task since we were not REQUIRED to put everyone else in Client mode.

Cat1
vtp mode server

2.3 If a downstream switch does not possess a port in a VLAN that Cat1 is advertising, make sure that Cat1 does not propagate broadcast traffic for those VLANs.

VTP Pruning is the obvious (and simple) solution here. It's the only mechanism by which switches can dynamically stop flooding traffic for VLANs a neighbor has no ports in. Since Cat3 is our VTP server, we only need to enable this on Cat3. The setting will be propagated down to our other client switches.

Cat3550-3(config)#vtp pruning
Pruning switched on
Cat3550-3(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32
Local updater ID is 0.0.0.0 (no valid interface found)


Just like the VTP version, VTP pruning is a feature that will be propagated down to all our client switches as well. Run “show vtp status” to verify.

Cat3560-1(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32

Cat3560-2(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32
Local updater ID is 0.0.0.0 (no valid interface found)

Cat3560-4(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32
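As an added example (not from the IPexpert guide), here is a Python check that parses "show vtp status" from several switches and reports any switch whose domain, revision, MD5 digest, V2 mode or pruning mode disagrees with the single server. The sample outputs are constructed from the lab values, plus one made-up client ("Cat2-stale") that never took the pruning update.

```python
import re

# Constructed sample: the lab's server output after "vtp pruning" (revision 4),
# a client that took the update, and a made-up client still on revision 3.
VTP_STATUS = {
    "Cat3": """\
VTP Version : running VTP2
Configuration Revision : 4
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
""",
    "Cat4": """\
VTP Version : running VTP2
Configuration Revision : 4
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
""",
    "Cat2-stale": """\
VTP Version : running VTP2
Configuration Revision : 3
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
MD5 digest : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
""",
}

# Fields that must agree on every switch in one VTP domain.
FIELDS = {
    "domain":   r"^VTP Domain Name\s*:\s*(\S+)",
    "mode":     r"^VTP Operating Mode\s*:\s*(\w+)",
    "revision": r"^Configuration Revision\s*:\s*(\d+)",
    "v2":       r"^VTP V2 Mode\s*:\s*(\w+)",
    "pruning":  r"^VTP Pruning Mode\s*:\s*(\w+)",
    "md5":      r"^MD5 digest\s*:\s*(.+?)\s*$",
}


def parse_vtp_status(text):
    """Extract the domain-wide fields from one 'show vtp status' output."""
    status = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError(f"'{name}' not found in show vtp status output")
        status[name] = m.group(1)
    status["revision"] = int(status["revision"])
    return status


def audit_vtp_domain(outputs):
    """Compare every switch against the single server; return mismatch strings."""
    parsed = {sw: parse_vtp_status(text) for sw, text in outputs.items()}
    servers = [sw for sw, s in parsed.items() if s["mode"] == "Server"]
    if len(servers) != 1:
        # Several servers means any of them can overwrite the VLAN database.
        return [f"expected exactly one VTP server, found: {servers}"]
    ref = parsed[servers[0]]
    findings = []
    for sw, s in parsed.items():
        for field in ("domain", "revision", "md5", "v2", "pruning"):
            if s[field] != ref[field]:
                findings.append(f"{sw}: {field} is {s[field]!r}, server has {ref[field]!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_vtp_domain(VTP_STATUS):
        print(finding)
```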

2.4 Configure any interfaces connecting the switches together to appear as one link to STP per neighbor. If either of the interfaces is damaged, the switches should manage one-way links. Do not use industry standards, but make sure these links can negotiate their setup.

Consult the diagram here for assistance on this. For an etherchannel to be set up, the member links must be identical. On the ProctorLabs racks, at least, there are also some GigabitEthernet links between some switches. These cannot be added to the etherchannel configuration, so go ahead and shut those down.

Plan your etherchannel as well. In some versions of IOS on many switches, the etherchannel number must match on both sides in order to come up properly. Rather than needing to think about whether you are using one of those releases or not, it's recommended just to use the correct pairing of etherchannel numbers.


If you have concerns about which switch is connected where, just check out the CDP table.

Cat1(config)#do sh cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Router Gig 0/2 133 R S I 3825 Gig 0/0
Cat3 Fas 0/22 127 S I WS-C3560-2Fas 0/22
Cat3 Fas 0/21 127 S I WS-C3560-2Fas 0/21
Cat2 Gig 0/2 121 S I WS-C3550-2Gig 0/2
Cat2 Fas 0/24 121 S I WS-C3550-2Fas 0/24
Cat2 Fas 0/23 121 S I WS-C3550-2Fas 0/23
Cat4 Fas 0/20 126 S I WS-C3560-2Fas 0/20
Cat4 Fas 0/19 126 S I WS-C3560-2Fas 0/19
Cat1(config)#

In order to negotiate the trunk coming up, it's important to set the modes properly. 3550's default to "dynamic desirable", 3560's default to "dynamic auto". Auto-auto does not generate a trunk.

Cat1-Cat4
int range Fa0/19 - 24
switchport mode dynamic desir

Cat4(config-if-range)#do sh int Fa0/19 switch
Name: Fa0/19
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-VLAN host-association: none
Administrative private-VLAN mapping: none
Administrative private-VLAN trunk native VLAN: none
Administrative private-VLAN trunk Native VLAN tagging: enabled
Administrative private-VLAN trunk encapsulation: dot1q
Administrative private-VLAN trunk normal VLANs: none
Administrative private-VLAN trunk associations: none
Administrative private-VLAN trunk mappings: none
Operational private-VLAN: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none


We should also shut them down for now. When building trunks and etherchannel groups, it's a good idea to shut the links down until you have them all built. This will prevent your switches from becoming upset about mismatches and placing any interfaces in an errdisabled state.

Cat1-Cat4
int range Fa0/19 - 24
shut

For the channel-group, we are not to use industry standards (LACP), so we'll end up either using PAgP or just mode on.

Cat1
int gi0/1
shut
int gi0/2
shut
int range Fa0/19 - 20
Description Connection to Cat4
channel-group 14 mode on
int range Fa0/21 - 22
Description Connection to Cat3
channel-group 13 mode on
int range Fa0/23 - 24
Description Connection to Cat2
channel-group 12 mode on

Cat2
int gi0/1
shut
int range Fa0/19 - 20
Description Connection to Cat3
channel-group 23 mode on
int range Fa0/21 - 22
Description Connection to Cat4
channel-group 24 mode on
int range Fa0/23 - 24
Description Connection to Cat1
channel-group 12 mode on

Cat3
int gi0/1
shut
int range Fa0/19 - 20
Description Connection to Cat2
channel-group 23 mode on
int range Fa0/21 - 22
Description Connection to Cat1
channel-group 13 mode on
int range Fa0/23 - 24
Description Connection to Cat4
channel-group 34 mode on


Cat4
int range Fa0/19 - 20
Description Connection to Cat1
channel-group 14 mode on
int range Fa0/21 - 22
Description Connection to Cat2
channel-group 24 mode on
int range Fa0/23 - 24
Description Connection to Cat3
channel-group 34 mode on

Finally, turn on UDLD to manage the one-way link detection. There's no mention about anything requiring aggressive mode, so that part is up to you. There are global commands for UDLD as well, so be careful with that. Global commands are for fiber ports. Interface commands are for copper ports.

Cat1, Cat2, Cat3 and Cat4
int range Fa0/19 - 24
udld port

Now, let's verify everything we have done here. First, we'll want to make sure all our etherchannels came up properly. Run "sh etherchannel summary" for a good overview. What we expect to see here is that each group has a status of "SU", meaning the channel is a L2 port-channel and it is "In Use". For the individual ports, make sure you see the (P), meaning the port is bundled in the port-channel.

Cat3550-1#sh etherchan sum
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) - Fa0/23(P) Fa0/24(P)
13 Po13(SU) - Fa0/21(P) Fa0/22(P)
14 Po14(SU) - Fa0/19(P) Fa0/20(P)


Cat3560-2#show etherchan sum
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) - Fa0/23(P) Fa0/24(P)
23 Po23(SU) - Fa0/19(P) Fa0/20(P)
24 Po24(SU) - Fa0/21(P) Fa0/22(P)

Cat3560-3#sh etherchan sum
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
13 Po13(SU) - Fa0/21(P) Fa0/22(P)
23 Po23(SU) - Fa0/19(P) Fa0/20(P)
34 Po34(SU) - Fa0/23(P) Fa0/24(P)

Cat3560-4#sh etherchan sum
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
14 Po14(SU) - Fa0/19(P) Fa0/20(P)
24 Po24(SU) - Fa0/21(P) Fa0/22(P)
34 Po34(SU) - Fa0/23(P) Fa0/24(P)


Great, everything came up as expected on all four switches. Now, to verify UDLD you can check out "sh udld <int>". For brevity we will just take a look at Fa0/19 on Cat1 so you can get an idea. Notice the "Enabled" status, and that it even tells us which switch is on the other end of the link (Cat4 in this case).

Cat3550-1#sh udld Fa0/19
Interface Fa0/19
---
Port enable administrative configuration setting: Enabled
Port enable operational state: Enabled
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
---
Expiration time: 40
Cache Device index: 1
Current neighbor state: Bidirectional
Device ID: FDO1117Y22M
Port ID: Fa0/19
Neighbor echo 1 device: CAT0652X00L
Neighbor echo 1 port: Fa0/19
Message interval: 15
Time out interval: 5
CDP Device name: Cat3560-4

2.5 These links should allow all VLANs to travel across with their VLAN ID intact. You cannot use the Cisco proprietary protocol to achieve this. Every packet that traverses the link must have the VLAN ID, no exceptions.

Gotta go back and change a few things now... If we had done these ahead of time to the physical interfaces, they would have automatically propagated to the PortChannel interface. If you have to go back and change a trunk, especially one that is tied to a Portchannel, it is best to shut everything down, make your changes, then bring everything back up. Otherwise, you may run into issues with ports going err-disable.

Cat1 – Cat4
int range Fa0/19 - 24
shutdown
switch trunk encap dot1q
exit

The other part about the VLAN-ID is a little trickier. You may change the native VLAN to something other than the default (something unused). Or there's a specific command for 802.1Q that allows the tagging of the native VLAN. Those are good keywords to search for in case you had to look it up not knowing the answer. The “vlan dot1q tag native” command is run from global config mode.

vlan dot1q tag native


OK, now that we have made the necessary changes, let's bring all the links back up on all the switches. The best thing to do here is copy/paste from Notepad, because you will want to do this fairly quickly to avoid any issues.

Cat1 – Cat4
int range Fa0/19 - 24
no shutdown

Now, let's make sure our trunks came up as expected, and that our native VLAN is indeed being tagged as configured. The output of this command has been reduced to show only the relevant information.

Cat3550-1(config)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Po14 desirable 802.1q trunking 1
Po13 desirable 802.1q trunking 1
Po12 desirable 802.1q trunking 1
Cat3550-1(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled

Cat3560-2(config-if-range)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Po12 desirable 802.1q trunking 1
Po23 desirable 802.1q trunking 1
Po24 desirable 802.1q trunking 1
Cat3550-2(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled

Cat3560-3(config-if-range)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Po13 desirable 802.1q trunking 1
Po23 desirable 802.1q trunking 1
Po34 desirable 802.1q trunking 1
Cat3550-3(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled

Cat3560-4(config-if-range)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Po14 desirable 802.1q trunking 1
Po24 desirable 802.1q trunking 1
Po34 desirable 802.1q trunking 1
Cat3550-4(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled

As we can see, all the trunks are running 802.1q encapsulation and have the native VLAN being tagged as expected!


2.6 Only allow the defined VLANs across the link.

Now it's time to add a little security into our mix. The "switchport trunk allowed" command will help us decide which VLANs are or are not allowed on the link.

Cat1 - Cat4
int range Fa0/19 - 24
switchport trunk allowed vlan 1,12,40,100,300,567

Cat1
int range po12 , po13 , po14
switchport trunk allowed vlan 1,12,40,100,300,567

Cat2
int range po12 , po23 , po24
switchport trunk allowed vlan 1,12,40,100,300,567

Cat3
int range po13 , po23 , po34
switchport trunk allowed vlan 1,12,40,100,300,567

Cat4
int range po14 , po24 , po34
switchport trunk allowed vlan 1,12,40,100,300,567

Why do it on the physical links and etherchannel? In case something doesn't work? It's an easy cut/paste if nothing else.

You'll start to get inconsistent messages. Cutting and pasting will help speed things up here.

Cat1(config-if-range)#
9w4d: %EC-5-CANNOT_BUNDLE2: Fa0/19 is not compatible with Fa0/20 and will be suspended (VLAN mask is different)
9w4d: %EC-5-COMPATIBLE: Fa0/19 is compatible with port-channel members
9w4d: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be suspended (VLAN mask is different)
9w4d: %EC-5-COMPATIBLE: Fa0/21 is compatible with port-channel members
9w4d: %EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Fa0/24 and will be suspended (VLAN mask is different)
9w4d: %EC-5-COMPATIBLE: Fa0/23 is compatible with port-channel members
Cat1(config-if-range)#

Check and make sure we didn't wait too long.

Cat1(config-if-range)#do sh int | in errd
Cat1(config-if-range)#
Cat2(config-if-range)#do sh int | in errd
Cat2(config-if-range)#
Cat3(config-if-range)#do sh int | in errd
Cat3(config-if-range)#
Cat4(config-if-range)#do sh int | in errd
Cat4(config-if-range)#


Looks good so far. Now let's verify that only the VLANs we specified are indeed allowed on the trunks.

Cat3550-1(config)#do sh int trunk | beg allowed
Port Vlans allowed on trunk
Po14 1-4094
Po13 1-4094
Po12 1-4094
Port Vlans allowed and active in management domain
Po14 1,12,40,100,200,300,567
Po13 1,12,40,100,200,300,567
Po12 1,12,40,100,200,300,567
Port Vlans in spanning tree forwarding state and not pruned
Po14 1
Po13 1
Po12 1,100,300,567

Cat3560-2(config-if-range)#do sh int trunk | beg allowed
Port Vlans allowed on trunk
Po12 1-4094
Po23 1-4094
Po24 1-4094
Port Vlans allowed and active in management domain
Po12 1,12,40,100,200,300,567
Po23 1,12,40,100,200,300,567
Po24 1,12,40,100,200,300,567
Port Vlans in spanning tree forwarding state and not pruned
Po12 12,40,100,567
Po23 1
Po24 none

Cat3560-3(config-if-range)#do sh int trunk | beg allowed
Port Vlans allowed on trunk
Po13 1-4094
Po23 1-4094
Po34 1-4094
Port Vlans allowed and active in management domain
Po13 1,12,40,100,200,300,567
Po23 1,12,40,100,200,300,567
Po34 1,12,40,100,200,300,567
Port Vlans in spanning tree forwarding state and not pruned
Po13 1,12,40,100,300,567
Po23 1
Po34 1

Cat3560-4(config-if-range)#do sh int trunk | beg allowed
Port Vlans allowed on trunk
Po14 1-4094
Po24 1-4094
Po34 1-4094
Port Vlans allowed and active in management domain
Po14 1,12,40,100,200,300,567
Po24 1,12,40,100,200,300,567
Po34 1,12,40,100,200,300,567
Port Vlans in spanning tree forwarding state and not pruned
Po14 12,40,100,300,567
Po24 1
Po34 1

Nicely done.


As the switches exchange information about which active VLANs they have (and prune some) and as spanning tree takes place and blocks links, you'll find different results in the last section of that command. This is where we MAY need to pay attention though to watch our traffic flows.
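Added example, not from the guide: a Python audit of "show interfaces trunk" and "show vlan dot1q tag native" output that checks every trunk for 802.1q encapsulation, native VLAN tagging, and an allowed list that matches the intended VLAN set exactly (the "Vlans allowed on trunk" table is the one that reflects the configured restriction). The sample output is constructed; Po13 is made up as a trunk left at the default allowed list.

```python
import re

# Constructed sample in the layout of "show interfaces trunk": Po12 carries only the
# intended VLANs, while Po13 (made up) was left at the default of all VLANs.
SHOW_INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Po12        desirable    802.1q         trunking      1
Po13        desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Po12        1,12,40,100,300,567
Po13        1-4094

Port        Vlans allowed and active in management domain
Po12        1,12,40,100,300,567
Po13        1,12,40,100,200,300,567
"""
TAG_NATIVE_OUTPUT = "dot1q native vlan tagging is enabled"
POLICY_VLANS = {1, 12, 40, 100, 300, 567}


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,12,40-42,567' (or 'none') into a set of ints."""
    spec = spec.strip().lower()
    vlans = set()
    if spec in ("", "none"):
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_int_trunk(text):
    """Return {port: {mode, encap, status, native, allowed}} from the show output."""
    trunks, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Port"):
            if "Encapsulation" in line:
                section = "header"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None        # active / not-pruned tables are not policy
            continue
        parts = line.split()
        if section == "header" and len(parts) == 5:
            trunks[parts[0]] = {"mode": parts[1], "encap": parts[2],
                                "status": parts[3], "native": int(parts[4]),
                                "allowed": set()}
        elif section == "allowed" and len(parts) == 2 and parts[0] in trunks:
            trunks[parts[0]]["allowed"] = expand_vlans(parts[1])
    return trunks


def audit_trunks(trunk_output, tag_native_output, policy):
    """Check encapsulation, native VLAN tagging and the allowed list on every trunk."""
    findings = []
    if not re.search(r"tagging is enabled", tag_native_output):
        findings.append("native VLAN is not tagged (vlan dot1q tag native is missing)")
    for port, t in parse_show_int_trunk(trunk_output).items():
        if t["encap"] != "802.1q":
            findings.append(f"{port}: encapsulation {t['encap']} is not 802.1q")
        if t["status"] != "trunking":
            findings.append(f"{port}: status is {t['status']}")
        extra = t["allowed"] - policy
        missing = policy - t["allowed"]
        if extra:
            findings.append(f"{port}: {len(extra)} VLAN(s) allowed beyond policy (e.g. {min(extra)})")
        if missing:
            findings.append(f"{port}: policy VLAN(s) not allowed: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit_trunks(SHOW_INT_TRUNK, TAG_NATIVE_OUTPUT, POLICY_VLANS):
        print(finding)
```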

2.7 Make sure that any unused ports do not remain in “auto” mode.

This is a time to do some tedious work. You could do a "show interface switchport" on all interfaces, but you'd get lots of extra stuff. Let's pare it down a little.

Cat1 - Cat4
do sh int switch | in Name|Administrative Mode|Operational Mode

Cat4(config-if-range)#$ Name|Administrative Mode|Operational Mode
Name: Fa0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/2
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/3
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/4
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/5
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/6
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/7
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/8
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/9
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/10
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/11
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/12
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/13
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/14
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/15
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/16
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/17
Administrative Mode: dynamic auto
Operational Mode: down


Name: Fa0/18
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/19
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/20
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/21
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/22
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/23
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Fa0/24
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Gi0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Gi0/2
Administrative Mode: dynamic auto
Operational Mode: down
Name: Po14
Administrative Mode: trunk
Operational Mode: trunk
Name: Po24
Administrative Mode: trunk
Operational Mode: trunk
Name: Po34
Administrative Mode: trunk
Operational Mode: trunk
Cat4(config-if-range)#

That's still a little long-winded, but it tells us what mode these ports are in. 3560's default to "dynamic auto"; 3550's default to "dynamic desirable". So it's the Cat2, Cat3 and Cat4 ports we need to change. It may be worthwhile to ask the proctor whether "auto" just meant dynamic in general, or specifically the word "auto". You may need to change them on all switches.

Cat1
int range Fa0/2-4 , Fa0/6-10 , Fa0/12-18 , gi0/1
switchport mode access

Cat2
int range Fa0/2-5 , Fa0/8, Fa0/10-12 , Fa0/14-18 , gi0/1-2
switchport mode access

Cat3
int range Fa0/1-4 , Fa0/5-18 , gi0/1-2
switchport mode access

Cat4
int range Fa0/1-18 , gi0/1-2
switchport mode access


We should see a difference now.

Cat4(config-if-range)#$ Name|Administrative Mode|Operational Mode
Name: Fa0/1
Administrative Mode: static access
Operational Mode: down
Name: Fa0/2
Administrative Mode: static access
Operational Mode: down
Name: Fa0/3
Administrative Mode: static access
Operational Mode: down
Name: Fa0/4
Administrative Mode: static access
Operational Mode: down
Name: Fa0/5
Administrative Mode: static access
Operational Mode: down
Name: Fa0/6
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/7
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/8
Administrative Mode: static access
Operational Mode: down
Name: Fa0/9
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/10
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/11
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/12
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/13
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/14
Administrative Mode: static access
Operational Mode: down
Name: Fa0/15
Administrative Mode: static access
Operational Mode: down
Name: Fa0/16
Administrative Mode: static access
Operational Mode: down
Name: Fa0/17
Administrative Mode: static access
Operational Mode: down
Name: Fa0/18
Administrative Mode: static access
Operational Mode: down
Name: Fa0/19
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/20
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/21
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/22
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/23


Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Fa0/24
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Gi0/1
Administrative Mode: static access
Operational Mode: down
Name: Gi0/2
Administrative Mode: static access
Operational Mode: down
Name: Po14
Administrative Mode: trunk
Operational Mode: trunk
Name: Po24
Administrative Mode: trunk
Operational Mode: trunk
Name: Po34
Administrative Mode: trunk
Operational Mode: trunk

2.8 Any unused ports should be placed in VLAN567.

At least we can keep the same ranges. We just need to change the VLAN now.

Cat1
int range Fa0/2-3 , Fa0/6-10 , Fa0/12-18 , gi0/1
switchport access vlan 567

Cat2
int range Fa0/2-5 , Fa0/8, Fa0/10-12 , Fa0/14-18 , gi0/1-2
switchport access vlan 567

Cat3
int range Fa0/1-4 , Fa0/5-18 , gi0/1-2
switchport access vlan 567

Cat4
int range Fa0/1-18 , gi0/1-2
switchport access vlan 567

Cat4(config-if)#do sh vl br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
12 VLANB active
40 VLANC active
100 VLANA active
300 VLANF active
567 VLAND active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Gi0/1, Gi0/2
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
Cat4(config-if)#


You can check them on all switches to be sure, but the important parts are that nothing is in VLAN 1, and that these ports are in VLAN 567.
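Added example (not the guide's own code): a Python helper that reads the filtered "show interfaces switchport" output from tasks 2.7 and 2.8, picks out the physical ports still in a dynamic DTP mode, and emits the interface range plus the access-mode and VLAN 567 commands. Which ports are actually in use cannot be read from that output, so they are passed in explicitly; the sample output is a constructed excerpt of the Cat4 listing.

```python
import re

# Constructed excerpt in the shape of:
#   show int switchport | in Name|Administrative Mode|Operational Mode
SWITCHPORT_MODES = """\
Name: Fa0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/2
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/3
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/4
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/5
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/6
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/19
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Gi0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Po14
Administrative Mode: trunk
Operational Mode: trunk
"""

RECORD = re.compile(
    r"^Name: (\S+)\s*\nAdministrative Mode: (.+?)\s*\nOperational Mode: (.+?)\s*$",
    re.MULTILINE,
)


def parse_switchport_modes(text):
    """Return {port: (administrative_mode, operational_mode)}."""
    return {m.group(1): (m.group(2), m.group(3)) for m in RECORD.finditer(text)}


def port_key(name):
    """Sort key ('Fa', 0, 19) for Fa0/19 so ranges come out in port order."""
    m = re.fullmatch(r"([A-Za-z]+)(\d+)/(\d+)", name)
    return (m.group(1), int(m.group(2)), int(m.group(3)))


def negotiating_ports(modes, in_use=()):
    """Physical ports still in a dynamic (DTP) mode that the engineer has not marked in use."""
    return sorted(
        (p for p, (admin, _oper) in modes.items()
         if "/" in p and admin.startswith("dynamic") and p not in in_use),
        key=port_key,
    )


def interface_range(ports):
    """Collapse consecutive ports into the 'Fa0/2-4 , Fa0/6' form the lab uses."""
    keys = [port_key(p) for p in sorted(ports, key=port_key)]
    chunks, i = [], 0
    while i < len(keys):
        prefix, slot, lo = keys[i]
        j = i
        while j + 1 < len(keys) and keys[j + 1] == (prefix, slot, keys[j][2] + 1):
            j += 1
        hi = keys[j][2]
        chunks.append(f"{prefix}{slot}/{lo}" if lo == hi else f"{prefix}{slot}/{lo}-{hi}")
        i = j + 1
    return " , ".join(chunks)


def quarantine_config(show_output, in_use=(), vlan=567):
    """Config lines that hard-code the unused ports as access ports in the parking VLAN."""
    ports = negotiating_ports(parse_switchport_modes(show_output), in_use)
    if not ports:
        return []
    return [
        f"interface range {interface_range(ports)}",
        " switchport mode access",
        f" switchport access vlan {vlan}",
    ]


if __name__ == "__main__":
    # Fa0/6 is marked in use (a host sits on it), everything else dynamic gets parked.
    print("\n".join(quarantine_config(SWITCHPORT_MODES, in_use=("Fa0/6",))))
```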

2.9 Enable Cat2 to authenticate 802.1x clients. The server IP address to use is 150.100.220.100 with a key of ipexpert.

Plain and simple here. 802.1X must use RADIUS in order to do authentication. That is the spec, there is no grey area for interpretation.

Dot1x needs to be turned on.

Cat2
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
radius-server host 150.100.220.100 key ipexpert

To avoid further complications with any port using "login" you'll want to create a workaround.

Cat2
aaa authentication login default line

This will use the line password that the Telnet task asked for. Otherwise you may find yourself locked out of the device. Not good.

Don't forget the console as well. Even though there's no "login" there, it will still lock you out. You'll get:

--------------
Cat2 con0 is now available
Press RETURN to get started.
% Authentication failed.
---------------

The proctor will NOT do password recovery for grading you. So let's change the above:

no aaa authentication login default
aaa authentication login MyVTY line
aaa authentication login MyCon none
line con 0
login authentication MyCon
line vty 0 4
login authentication MyVTY

The bottom line is that while it is very irritating to lock yourself out of a switch it is MUCH better than locking the proctor out.


Another thing you may do is "reload in 10" on the switch. If you haven't validated your config and cancelled the reload, then at least you will fix things yourself.

(Do NOT save unvalidated configurations...)
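Added example, not from the guide: a Python linter for the lockout described above. Given a config that contains aaa new-model, it checks each line stanza's login method list for at least one method that can succeed without a reachable AAA server (none, a line password that actually exists on that line, local users, or an enable secret). The two configs are constructed from the first attempt and the corrected version; the VTY password is a sample value.

```python
import re

# Constructed: the first attempt (default login list "line", console has no password)
# and the corrected version with named method lists. "cisco" is a sample VTY password.
FIRST_ATTEMPT = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default line
radius-server host 150.100.220.100 key ipexpert
line con 0
line vty 0 4
 password cisco
"""

CORRECTED = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login MyVTY line
aaa authentication login MyCon none
radius-server host 150.100.220.100 key ipexpert
line con 0
 login authentication MyCon
line vty 0 4
 login authentication MyVTY
 password cisco
"""


def parse_aaa_config(config):
    """Collect login method lists, local usernames and each line stanza's list/password."""
    lists, usernames, lines, current = {}, set(), {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        if re.match(r"line (con|aux|vty) ", text):
            current = text
            lines[current] = {"list": "default", "password": False}
            continue
        if not raw.startswith(" "):
            current = None                  # back at global config, stanza is over
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            # "group radius local" -> ["group:radius", "local"]
            lists[m.group(1)] = m.group(2).replace("group ", "group:").split()
        elif text.startswith("username "):
            usernames.add(text.split()[1])
        elif current and text.startswith("login authentication "):
            lines[current]["list"] = text.split()[2]
        elif current and text.startswith("password "):
            lines[current]["password"] = True
    return lists, usernames, lines


def method_can_succeed(method, line_info, usernames, has_enable):
    """Heuristic: can this method admit an admin when no AAA server answers?"""
    if method == "none":
        return True
    if method == "line":
        return line_info["password"]        # "line" with no line password just fails
    if method in ("local", "local-case"):
        return bool(usernames)
    if method == "enable":
        return has_enable
    return False                            # group:radius / group:tacacs+ need the server


def lockout_findings(config):
    """Return the line stanzas that would lock an admin out with this config."""
    if not re.search(r"^aaa new-model", config, re.MULTILINE):
        return []                           # classic line login, outside this check
    lists, usernames, lines = parse_aaa_config(config)
    has_enable = bool(re.search(r"^enable (secret|password) ", config, re.MULTILINE))
    findings = []
    for line, info in lines.items():
        name = info["list"]
        if name in lists:
            methods = lists[name]
        elif name == "default":
            methods = ["local"]             # aaa new-model with no default list means local
        else:
            findings.append(f"{line}: method list {name!r} is not defined")
            continue
        if not any(method_can_succeed(m, info, usernames, has_enable) for m in methods):
            findings.append(f"{line}: no method in {name!r} ({' '.join(methods)}) can succeed")
    return findings


if __name__ == "__main__":
    print("first attempt:", lockout_findings(FIRST_ATTEMPT))
    print("corrected:    ", lockout_findings(CORRECTED))
```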

Check things out:

Cat2(config-line)#do sh aaa server
RADIUS: id 1, priority 1, host 150.100.220.100, auth-port 1645, acct-port 1646
State: current UP, duration 2562s, previous duration 0s
Dead: total time 0s, count 0
Authen: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 4d2h17m
Cat2(config-line)#

Given that there is no real server or hosts to trigger anything, I would be surprised if the numbers were anything other than 0 right now. But it's good to see that the configuration is up and operational.

2.10 Verify that Fa0/6 connected to R6 is always in an authorized state.

There are three modes: force-authorized, force-unauthorized, and auto, which requires authentication. The only mode that actually sends the EAP beacon is "auto". The others are forced, manual actions.

Cat2
int Fa0/6
switchport mode access
dot1x port-control force-authorized

As a note, the dot1x command does not even appear until the port is put into access mode. This may be a pain to troubleshoot.


A quick check:

Cat2(config)#do sh dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Critical Recovery Delay 100
Critical EAPOL Disabled
Dot1x Info for FastEthernet0/6
-----------------------------------
PAE = AUTHENTICATOR
PortControl = FORCE_AUTHORIZED
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0

2.11 Configure Fa0/18 on Cat2 to check to see if the client connected is capable of 802.1x authentications.

Just like we looked at above, there are three modes, but now we are asked to "see" whether the host is capable. While there is no query option, if we send out an EAP beacon and there is no response, that's a simple way to determine they weren't capable and not let them on. (More to come in other labs with some additional security steps or details to add in here, but for now, keep things simple.)

Cat2
int Fa0/18
switchport mode access
dot1x port-control auto


Cat2(config-if)#do sh dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Critical Recovery Delay 100
Critical EAPOL Disabled
Dot1x Info for FastEthernet0/6
-----------------------------------
PAE = AUTHENTICATOR
PortControl = FORCE_AUTHORIZED
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x Info for FastEthernet0/18
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0

2.12 Cat1 Fa0/5 should temporarily bypass the listening and learning stage to transition directly into a forwarding mode.

This should be a relatively simple question, at least once you get beyond the initial confusion of a vague question.

Cat1

int Fa0/5

spanning-tree portfast

You'll need to look at the diagrams and note which switch and port are involved. The word "temporarily" throws some confusion at you, although if a BPDU is received, the port will no longer be forwarding. But the only way to "bypass" any of the stages of spanning tree is to use portfast or to disable spanning-tree completely.

Cat1(config-if)#do sh spann int Fa0/5

VLAN             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0567         Desg FWD 19        128.5    P2p Edge

This doesn't verify the portfast state, but it will at least verify you are in a forwarding state, and not seen as a spanning-tree peer.


2.13 Assure that Cat2 becomes the root switch for VLAN100 with one command.

So when we start at this, is Cat2 root at all?

Cat2(config-if)#do sh spanning-tree | in root|VLAN

VLAN0001

VLAN0012

VLAN0040

VLAN0100

VLAN0300

VLAN0567

Nope, doesn't look like it. Sometimes it's difficult to tell because of the typical spanning-tree election process: we may simply end up with the lowest MACs on Cat2, in which case this task would appear moot. But at least in my rack, this isn't the case.

One simple command. Note that it's "becomes" so we'd expect things to change. Right now, we have several VLANs but no root status.

Cat2

spanning-tree vlan 100 root primary

Now, check it out again....

Cat2(config)#do sh spanning-tree | in root|VLAN

VLAN0001

VLAN0012

VLAN0040

VLAN0100

This bridge is the root

VLAN0300

VLAN0567

Cat2(config)#

Good stuff. Keep paying attention through the labs on the various GREP manipulations that we do in order to make the show commands focus on exactly what you want/need.

We may find some additional things/changes that are needed based on later requirements, but we'll get there later. It is good to be able to see this ahead of time though.

2.14 Configure Fa0/5 that R5 connects to so that the switch will only allow this learned MAC address to communicate through this port. If any other MAC addresses are learned on this port Cat2 should shut it down for a period of three hours.

Wording here is a little vague. Basically, we are talking about Port Security. The hard part is interpreting the words about "learned MAC address". Typically this refers to dynamically learned things, but how do we determine what is correct?

In this instance, we know R5's MAC because we can either go look at it, or we can enable port-security and look first.


Cat1

int Fa0/5

switchport mode access

switchport port-security

switchport port-security maximum 1 (default)

switchport port-security violation shutdown (default)

Ask the proctor whether it should be hard-coded for the R5 MAC that's already there, or whether dynamic is OK. The port-security address table won't survive a reload unless you use the "sticky" parameter. Do a "show interface Fa0/0" on R5 to get the MAC.

switchport port-security mac-address sticky

switchport port-security mac-address 0012.80b6.4cd8

Obviously, substitute the MAC address from your R5 there.

Verify to see things are good...

R5(config)#do sh int Fa0/0 | in bia

Hardware is MV96340 Ethernet, address is 0012.80b6.4cd8 (bia 0012.80b6.4cd8)

R5(config)#

Cat1(config-if)#do sh port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  0         Shutdown
---------------------------------------------------------------------------

Total Addresses in System (excluding one mac per port) : 0

Max Addresses limit in System (excluding one mac per port) : 5120

Cat1(config-if)#do sh port-security int Fa0/5

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 1

Last Source Address:VLAN : 0012.80b6.4cd8:567

Security Violation Count : 0

The next part of this is a little harder though. The scenario says that it should shutdown for a period of three hours. There's nothing in the port security commands dealing with this. We can set an aging time, but that's only good for idle settings. Our statically defined MAC with a "sticky" command kind of defeats that purpose.

This is where we need to know HOW something works to identify it. The "shutdown" violation will put the port into an errdisabled state which is forever. Or until you do a "shut" and "no shut" on the interface.

We can, however make that recovery an automated process.


Cat1

errdisable recovery cause psecure-violation

errdisable recovery interval 10800

The interval is measured in seconds: 3600 seconds in an hour, times three, is 10,800.

Cat1(config)#do sh errdisable recovery

ErrDisable Reason Timer Status

----------------- --------------

arp-inspection Disabled

bpduguard Disabled

channel-misconfig Disabled

dhcp-rate-limit Disabled

dtp-flap Disabled

gbic-invalid Disabled

l2ptguard Disabled

link-flap Disabled

mac-limit Disabled

link-monitor-fail Disabled

loopback Disabled

oam-remote-failur Disabled

pagp-flap Disabled

port-mode-failure Disabled

psecure-violation Enabled

security-violatio Disabled

sfp-config-mismat Disabled

storm-control Disabled

udld Disabled

unicast-flood Disabled

vmps Disabled

Timer interval: 10800 seconds

Interfaces that will be enabled at the next timeout:

Looks good.
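As an added illustration (not code from the IPexpert guide), here is a small Python model of how the pieces of task 2.14 fit together: port security limits Fa0/5 to one secure MAC and err-disables it on a violation, errdisable recovery (cause psecure-violation, interval 10800 seconds) is what brings the port back after three hours, and only sticky or static entries survive a reload. The class and method names are hypothetical; the MAC address, defaults and timer value are the ones on the page.

```python
# Added example, not from the IPexpert guide: a model of port security plus
# errdisable recovery on Cat1 Fa0/5 (task 2.14).  Hypothetical class/method
# names; the MAC, defaults and 10800 s interval come from the page.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RECOVERY_INTERVAL = 10800  # errdisable recovery interval 10800 (3 x 3600 s)


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' enabled."""
    name: str
    maximum: int = 1                  # switchport port-security maximum 1 (default)
    violation: str = "shutdown"       # switchport port-security violation shutdown (default)
    secure: Dict[str, str] = field(default_factory=dict)  # mac -> "sticky" | "dynamic"
    errdisabled_at: Optional[int] = None   # simulated time of the violation, None = up
    violation_count: int = 0

    def is_up(self) -> bool:
        return self.errdisabled_at is None

    def ingress(self, mac: str, now: int, sticky: bool) -> str:
        """Handle a frame with source MAC `mac` arriving at time `now` (seconds)."""
        if not self.is_up():
            return "err-disabled"          # nothing passes while the port is down
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = "sticky" if sticky else "dynamic"
            return "forward"
        # maximum reached and an unknown source MAC appeared: a violation
        self.violation_count += 1
        if self.violation == "shutdown":
            self.errdisabled_at = now      # port enters errdisable (psecure-violation)
            return "err-disabled"
        return "dropped"                   # restrict/protect only drop the frame

    def tick(self, now: int, recovery_enabled: bool) -> bool:
        """Timer check for 'errdisable recovery cause psecure-violation'."""
        if (self.errdisabled_at is not None and recovery_enabled
                and now - self.errdisabled_at >= RECOVERY_INTERVAL):
            self.errdisabled_at = None
        return self.is_up()

    def reload(self) -> None:
        """A reload clears errdisable and forgets dynamically learned secure MACs."""
        self.errdisabled_at = None
        self.secure = {m: k for m, k in self.secure.items() if k != "dynamic"}


def run_scenario(sticky: bool, recovery_enabled: bool) -> List:
    """R5 connects, then a second MAC shows up; returns the observed timeline."""
    port = SecurePort("Fa0/5")
    r5 = "0012.80b6.4cd8"        # R5 Fa0/0 MAC shown on the page
    intruder = "0000.0000.0001"  # constructed second MAC
    timeline = [
        port.ingress(r5, 0, sticky),            # "forward": learned as the one secure MAC
        port.ingress(intruder, 10, sticky),     # "err-disabled": violation, port shut
        port.ingress(r5, 20, sticky),           # "err-disabled": R5 is locked out too
        port.tick(10 + RECOVERY_INTERVAL - 1, recovery_enabled),  # still down
        port.tick(10 + RECOVERY_INTERVAL, recovery_enabled),      # up only with recovery
    ]
    port.reload()
    timeline.append(len(port.secure))           # 1 if the sticky entry survived, else 0
    return timeline


if __name__ == "__main__":
    print("sticky + recovery:   ", run_scenario(True, True))
    print("dynamic, no recovery:", run_scenario(False, False))
```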

2.15 You have installed a Cisco® Intrusion Protection System on Fa0/7 of Cat1 and you would like to test out its functionality. Configure the Switch to take traffic that is received on VLAN300 and send a copy to your IPS.

This will involve a few different pieces here. VLAN 300 is not really part of Cat1. Which means we need to be thinking not about Span Sessions, but REMOTE Span Sessions.

First, create a VLAN that we will use for the Remote Span sessions

Cat1

VLAN 666

name IDS-VLAN

remote-span

exit

Next, set up the span sessions where VLAN 300 exists.


Cat2

monitor session 1 source vlan 300 rx

monitor session 1 destination remote VLAN 666

Cat3560-2#sh monitor session 1 det

Session 1

---------

Type : Remote Source Session

Source Ports :

RX Only : None

TX Only : None

Both : None

Source VLANs :

RX Only : 300

TX Only : None

Both : None

Source RSPAN VLAN : None

Destination Ports : None

Filter VLANs : None

Dest RSPAN VLAN : 666

3550s require a reflector port for RSPAN because of their ASICs; 3560s do not. Cat2 in our case is a 3560, so there is nothing to worry about here.

Then set up our new destination on Cat1

monitor session 1 source remote VLAN 666

monitor session 1 destination interface Fa0/7

Cat1(config)#do sh monitor detail

Session 1

---------

Type : Remote Destination Session

Description : -

Source Ports :

RX Only : None

TX Only : None

Both : None

Source VLANs :

RX Only : None

TX Only : None

Both : None

Source RSPAN VLAN : 666

Destination Ports : Fa0/7

Encapsulation : Native

Ingress : Disabled

Reflector Port : None

Filter VLANs : None

Dest RSPAN VLAN : None

Oh yeah... Don't forget to go back and add VLAN 666 into your list of allowed VLANs over your trunks. This is one of those implied things to do.

Cat1

int range Fa0/19 - 24 , po12 , po13 , po 14

switchport trunk allowed vlan 1,12,40,100,300,567,666

Change the PortChannel numbers as you enter the command on the other switches.


Cat2

int range Fa0/19 - 24 , po12 , po23 , po 24

switchport trunk allowed vlan 1,12,40,100,300,567,666

Cat3

int range Fa0/19 - 24 , po13 , po23 , po 34

switchport trunk allowed vlan 1,12,40,100,300,567,666

Cat4

int range Fa0/19 - 24 , po14 , po24 , po 34

switchport trunk allowed vlan 1,12,40,100,300,567,666

As another important note, we probably want to be sure that this VLAN will not get pruned as it's only an occasional thing.

Cat1

int range Fa0/19 - 24 , po12 , po13 , po 14

switchport trunk pruning vlan remove 666

Cat2

int range Fa0/19 - 24 , po12 , po23 , po 24

switchport trunk pruning vlan remove 666

Cat3

int range Fa0/19 - 24 , po13 , po23 , po 34

switchport trunk pruning vlan remove 666

Cat4

int range Fa0/19 - 24 , po14 , po24 , po 34

switchport trunk pruning vlan remove 666


2.16 Configure VLAN567 to be in the IP subnet 150.100.220.0/28. IP traffic should be routed. All switches will have an IP in VLAN567. Use .11, .12, .13, and .14 respectively.

Configuring an IP address isn't incredibly difficult. However, if we consult the diagram or startup configs, we'll find that this instruction is contradictory to what we already have. We have a /24 on that network already.

Any time you receive conflicting instructions, it's good to involve the proctor to clarify. In this case, he'll just smile and say the lab tells you what to do (i.e., you need to change things).

R5

int Fa0/0

ip address 150.100.220.5 255.255.255.240

R6

int Fa0/0

ip address 150.100.220.6 255.255.255.240

R7

int Fa0/0

ip address 150.100.220.7 255.255.255.240

Cat1

ip routing

int VLAN 567

ip address 150.100.220.11 255.255.255.240

Cat2

ip routing

int vlan 567

ip address 150.100.220.12 255.255.255.240

Cat3

ip routing

int vlan 567

ip address 150.100.220.13 255.255.255.240

Cat4

ip routing

int vlan 567

ip address 150.100.220.14 255.255.255.240


Ping is a good test.

R5(config-if)#do ping 150.100.220.6 re 2 ti 1

Type escape sequence to abort.

Sending 2, 100-byte ICMP Echos to 150.100.220.6, timeout is 1 seconds:

!!

Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms

R5(config-if)#do ping 150.100.220.7 re 2 ti 1

Type escape sequence to abort.

Sending 2, 100-byte ICMP Echos to 150.100.220.7, timeout is 1 seconds:

!!

Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms

R5(config-if)#do ping 150.100.220.11 re 2 ti 1

Type escape sequence to abort.

Sending 2, 100-byte ICMP Echos to 150.100.220.11, timeout is 1 seconds:

!!

Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms

R5(config-if)#do ping 150.100.220.12 re 2 ti 1

Type escape sequence to abort.

Sending 2, 100-byte ICMP Echos to 150.100.220.12, timeout is 1 seconds:

!!

Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms

R5(config-if)#do ping 150.100.220.13 re 2 ti 1

Type escape sequence to abort.

Sending 2, 100-byte ICMP Echos to 150.100.220.13, timeout is 1 seconds:

!!

Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms

R5(config-if)#do ping 150.100.220.14 re 2 ti 1

Type escape sequence to abort.

Sending 2, 100-byte ICMP Echos to 150.100.220.14, timeout is 1 seconds:

!!

Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms

2.17 Configure all switches to be optimized for unicast routing.

This is all about memory allocation. Whenever we look at things that talk about memory, or optimization or things like that, there's only one command. "sdm prefer" will get us working.

Cat1, Cat2, Cat3, Cat4

sdm prefer routing


Check it out:

Cat1(config)#do sh sdm p

The current template is the default template.

The selected template optimizes the resources in

the switch to support this level of features for

8 routed interfaces and 1K VLANs.

number of unicast mac addresses: 5K

number of igmp groups: 1K

number of qos aces: 1K

number of security aces: 1K

number of unicast routes: 8K

number of multicast routes: 1K

The template stored for use after the next reload

is the routing template.

The selected template optimizes the resources in

the switch to support this level of features for

8 routed interfaces and 1K VLANs.

number of unicast mac addresses: 5K

number of igmp groups: 1K

number of qos aces: 512

number of security aces: 512

number of unicast routes: 16K

number of multicast routes: 1K

Notice the difference there. What MAY happen on the next reload is not graded as ALREADY being functional. Don't forget to reload...

2.18 Configure OSPF between R5, R6, R7 and all four of your switches. Place VLAN 567, 100, 40, and 300 into the OSPF routing process. You may use Area 0 everywhere. Add interfaces on the switches for each of these VLANs. Use .11, .12, .13, and .14 respectively.

Now it's time to actually do some routing... Interestingly enough, though, we had not been told to place our switches into those extra VLANs with IP addresses.

I suppose we'll need to look at that a little, and configure that part as well. Otherwise, we won't be sharing anything anyway.

Cat1

int vlan 40

ip address 150.100.40.11 255.255.255.0

int vlan 100

ip address 100.100.100.11 255.255.255.0

int vlan 300

ip address 100.100.250.11 255.255.255.0

Cat2

int vlan 40

ip address 150.100.40.12 255.255.255.0

int vlan 100

ip address 100.100.100.12 255.255.255.0

int vlan 300

ip address 100.100.250.12 255.255.255.0


Cat3

int vlan 40

ip address 150.100.40.13 255.255.255.0

int vlan 100

ip address 100.100.100.13 255.255.255.0

int vlan 300

ip address 100.100.250.13 255.255.255.0

Cat4

int vlan 40

ip address 150.100.40.14 255.255.255.0

int vlan 100

ip address 100.100.100.14 255.255.255.0

int vlan 300

ip address 100.100.250.14 255.255.255.0

Next comes the routing part. Realistically, we don't need to peer over every single VLAN, and we weren't given any instructions on this either. Asking for clarification is good, but likely only one peering set is necessary.

Cat1, Cat2, Cat3, Cat4

router ospf 1

passive-interface default

network 150.100.40.0 0.0.0.255 area 0

network 100.100.100.0 0.0.0.255 area 0

network 100.100.250.0 0.0.0.255 area 0

network 150.100.220.0 0.0.0.15 area 0

no passive-interface Vlan567

Keep in mind, you will not have pingability between routers per se. If you want to actually have this, you'll need to put a default route into each of your routers to the local SVI port in order to work. We weren't asked to, so why bother?

We'll start to see that things aren't working very well, because we have switches not peering the way they should be. They'll alternate from DOWN to INIT to EXSTART and seem to cycle in that order. Try looking at "debug ip ospf adjacency" and see what's happening.

Cat3(config-router)#

10w1d: OSPF: Send DBD to 150.100.220.12 on VLAN567 seq 0x1CD1 opt 0x52 flag 0x7 len 32
10w1d: OSPF: Retransmitting DBD to 150.100.220.12 on VLAN567 [8]
10w1d: OSPF: Rcv DBD from 150.100.220.12 on VLAN567 seq 0x1CD1 opt 0x52 flag 0x2 len 132 mtu 1504 state EXSTART
10w1d: OSPF: Nbr 150.100.220.12 has larger interface MTU

Cat3(config-router)#

This is an MTU mismatch. Switches will have different base MTU sizes depending on what's happening and what has been previously configured.

On a 3560, you can use "system mtu routing 1500" if you'd like. 3550s don't have that option.


Or we can go to each switch and simply tell it to ignore the MTU size.

Cat1, Cat2, Cat3, Cat4

int VLAN 567

ip ospf mtu-ignore

Once that is done, you should see all peers come up. Will we see any routes? Nope, not the way we did things here. Why not? Because all routes will be connected routes since we put all switches in all VLANs.
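To make the ExStart failure above concrete, here is an added Python model (not code from the guide) of the Database Description exchange between Cat3 and Cat2. The first DBD carries the sender's interface MTU; a router that sees an MTU larger than its own rejects the DBD and never leaves EXSTART, which is what "Nbr ... has larger interface MTU" reports, while "ip ospf mtu-ignore" skips that comparison. The class names are hypothetical; the neighbor addresses, sequence number and MTUs (1500 vs 1504) are the ones in the debug output.

```python
# Added example, not from the IPexpert guide: the ExStart MTU check that kept
# Cat3 cycling in task 2.18 (RFC 2328 section 10.6).  Hypothetical class
# names; addresses, seq number and MTUs are taken from the page's debug lines.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DBD:
    """Minimal Database Description packet: sender, its interface MTU, seq."""
    sender: str
    mtu: int
    seq: int = 0x1CD1      # sequence number seen in the page's debug output


@dataclass
class OspfInterface:
    router_id: str
    mtu: int
    mtu_ignore: bool = False      # 'ip ospf mtu-ignore' on the interface
    state: str = "EXSTART"        # hello exchange already done; now trading DBDs
    log: List[str] = field(default_factory=list)

    def send_dbd(self) -> DBD:
        self.log.append(f"OSPF: Send DBD seq 0x{0x1CD1:X} mtu {self.mtu}")
        return DBD(self.router_id, self.mtu)

    def receive_dbd(self, dbd: DBD) -> str:
        """Apply the ExStart MTU check to an incoming DBD; return the new state."""
        if self.state != "EXSTART":
            return self.state
        self.log.append(f"OSPF: Rcv DBD from {dbd.sender} mtu {dbd.mtu} state {self.state}")
        if dbd.mtu > self.mtu and not self.mtu_ignore:
            self.log.append(f"OSPF: Nbr {dbd.sender} has larger interface MTU")
            return self.state              # DBD rejected: stuck in EXSTART
        self.state = "EXCHANGE"            # accepted: proceed to database exchange
        return self.state


def form_adjacency(a: OspfInterface, b: OspfInterface, rounds: int = 3) -> Tuple[str, str]:
    """Trade initial DBDs both ways and return each side's resulting state.

    Only the side with the smaller MTU rejects; the other side moves to
    EXCHANGE and, on a real box, then times out waiting for its peer, which is
    the DOWN/INIT/EXSTART cycling described on the page.
    """
    for _ in range(rounds):
        b.receive_dbd(a.send_dbd())
        a.receive_dbd(b.send_dbd())
    return a.state, b.state


if __name__ == "__main__":
    cat3 = OspfInterface("150.100.220.13", mtu=1500)
    cat2 = OspfInterface("150.100.220.12", mtu=1504)
    print(form_adjacency(cat3, cat2))   # ('EXSTART', 'EXCHANGE')
    print(*cat3.log, sep="\n")
```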

There weren't any instructions in this lab about reachability or doing much with the actual routers, so it's not a great worry. The multiprotocol labs will make us thoroughly familiar with this method of thinking. So just wait.

2.19 Configure R5, R6, Cat1, and Cat2 to receive their time from R7. All of the devices should be in CST (-6) and adjust for Daylight Saving Time as well.

So now it's a matter of clocking on the devices. The switches don't have a built-in clock mechanism (ISR routers do), so at least we'll see the difference.

Cat4(config-if)#do sh clock

*18:59:37.634 UTC Tue May 11 1993

Cat4(config-if)#

R5, R6, R7, Cat1, Cat2, Cat3, Cat4

clock timezone CST -6

clock summer-time CDT recurring

While loopbacks may be a great way to give a resilient interface to base time on, we don't have any routing established on R5, R6 or R7 in order to find R7's loopback. So for simplicity here, I'd go with the Fa0/0 interface that is connected to everyone.

R7

ntp source Fa0/0

ntp master

Check the time to see if we need to change the clock (exec command "clock set") or not.

R7(config)#do sh clock

13:30:33.440 CST Wed Jan 23 2008

R7(config)#


Looks good. Now let's activate it.

R5, R6, Cat1, Cat2, Cat3, Cat4

ntp server 150.100.220.7

Cat4(config)#do sh ntp assoc

      address         ref clock     st  when  poll reach  delay  offset    disp
*~150.100.220.7       127.127.7.1    8     0    64   377     1.7    0.17     0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Cat4(config)#do sh ntp status

Clock is synchronized, stratum 9, reference is 150.100.220.7

nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**18

reference time is CB4214C9.550914DE (13:32:25.332 CST Wed Jan 23 2008)

clock offset is 0.1737 msec, root delay is 1.72 msec

root dispersion is 0.34 msec, peer dispersion is 0.14 msec

And most importantly:

Cat4(config)#do sh clock

13:32:48.272 CST Wed Jan 23 2008

Cat4(config)#

Excellent.

2.20 Configure Cat1 to age out MAC addresses 50 seconds longer than the default value for devices in VLAN 567.

This is one of those things to look at the DocCD for. The command reference guide will always contain default values as well.

Cat1

mac address-table aging-time 350 VLAN 567

2.21 On Cat1, create VLAN 86, assign ports Fa0/14, 15, 16, and 17 to this VLAN. This VLAN belongs to the IT department, make sure that these ports bypass listening and learning state, DO NOT use VLAN database to create the VLAN. A Smart Port macro should be used to create the VLAN and assign the ports and the configuration to the VLAN.

Using global configuration (and execution) we can create the macro and apply it nicely. Each of the interfaces will need to be listed out. Macros and interface ranges do not play nicely with one another.


Cat1

macro name IT-VLAN

VLAN 86

name IT-Dept

exit

interface Fa0/14

switchport access VLAN 86

spanning-tree portfast

interface Fa0/15

switchport access VLAN 86

spanning-tree portfast

interface Fa0/16

switchport access VLAN 86

spanning-tree portfast

interface Fa0/17

switchport access VLAN 86

spanning-tree portfast

exit

@

Then actually engage the macro. Check things out before:

Cat1(config)#do sh run int Fa0/14

Building configuration...

Current configuration : 86 bytes

.

interface FastEthernet0/14

switchport access VLAN 567

switchport mode access

end

Cat1

macro global apply IT-VLAN

And check out after:

Cat1(config)#do sh run int Fa0/14

Building configuration...

Current configuration : 109 bytes

.

interface FastEthernet0/14

switchport access VLAN 86

switchport mode access

spanning-tree portfast

end

2.22 Configure Cat1 such that if port Fa0/14 receives BPDU packets it should transition into down/down err-disable state.

This should actually be a simple command. Very few commands have anything to do with BPDUs. Even fewer will shut a port down. This can be a method of searching the DocCD Command Reference guide if you aren't familiar with it.

Cat1

int Fa0/14

spanning-tree bpduguard enable


Even though we've enabled portfast on these ports, BPDU Guard is not enabled by default unless you have entered the global command (spanning-tree portfast bpduguard default).

2.23 Configure Cat3 & Cat4 such that if ports Fa0/15 and/or Fa0/16 receive BPDU packets they should transition into down/down err-disable state, and they should stay in that state for a period of 380 seconds. After 380 seconds they should automatically recover and transition into UP/UP state; however, if these ports receive BPDU packets again, the cycle should be repeated.

Now we're manipulating Cat3 and Cat4. A similar line of thinking, but in the last step we were happy that ports were forced to be errdisabled. Here, we want automatic recovery. We've worked with this before.

Cat3, Cat4

int range Fa0/15 - 16

spanning-tree bpduguard enable

exit

errdisable recovery cause bpduguard

errdisable recovery interval 380

2.24 You would like to monitor the activity on port Fa0/18 of Cat2 as clients connect their laptops to this port. Configure the switch such that when it learns/removes a MAC address an SNMP notification is generated and sent to the Network Management Server at 150.100.40.40. Since this is a very busy network, set up a trap interval so these messages are sent every 120 seconds with up to 50 entries, in order to reduce the bandwidth consumption. Use a read-only SNMP community of "Port18".

This is going to get us involved with the wonderful world of SNMP servers as well. The words "trap" or "Network Management Server" should certainly have tilted us in this direction.

So the SNMP portion is easy to do. We can set up a community for polling if we want (this also helps with restricting which traps we send to which NMS server).

Cat2

snmp-server community Port18 RO

snmp-server enable traps MAC-Notification

snmp-server host 150.100.40.40 Port18 MAC-Notification

Then the part about how many notifications to batch gets a little more confusing. We can do this with snmp-server commands, but the drawback is that those commands would influence any and all SNMP traps we were sending. This may or may not be important to us (here it is not, but in the real lab it may be).

Cat2

mac-address-table notification interval 120

mac-address-table notification history-size 50


And then finally trigger the traps on the interface in question. They are not enabled by default.

Cat2

int Fa0/18

snmp trap mac-notification added

snmp trap mac-notification removed

2.25 On Cat3 and Cat4, ensure that ports Fa0/12 and Fa0/13 are in VLAN 90. DO NOT use the VLAN database or any global configuration mode command to create this VLAN. Ensure that these ports cannot communicate with each other even though they are in the same VLAN. An SVI should be created so hosts can reach the outside world. Use 150.100.90.0/24 as the network and .13 and .14 respectively.

We can do this the simple way or the hard way. In the lab, this choice is often determined by how many points we get for the solution. :)

The hard way would entail private VLANs to ensure complete isolation from one another. But we're only given one VLAN to work with, and private VLANs require at least two VLANs to work.

So first, let's start with the VLAN. VLAN 90 doesn't exist.

Cat3(config-if)#do sh vl br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
12   VLANB                            active
40   VLANC                            active
80   IT-Dept                          active
100  VLANA                            active
300  VLANF                            active
567  VLAND                            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/11, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Gi0/1
                                                Gi0/2
666  IDS-VLAN                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

Cat3(config-if)#

So we can create it. But, the lab says we can't do anything in global config mode or in VLAN database to create the VLAN. Anyone know VLAN-Making Voodoo Magic?


Actually, if you assign a port to a VLAN that doesn't exist, it will get created for you.

Cat3, Cat4

int range Fa0/12 - 13

switchport access VLAN 90

% Access VLAN does not exist. Creating VLAN 90

Cat3(config-if-range)#

So that's another way to create a VLAN without typing the command in.

Cat3 & Cat4

int range Fa0/12 - 13

switchport protected

Cat4(config-if-range)#do sh int Fa0/13 switchport

Name: Fa0/13

Switchport: Enabled

Administrative Mode: static access

Operational Mode: static access

Administrative Trunking Encapsulation: negotiate

Operational Trunking Encapsulation: native

Negotiation of Trunking: Off

Access Mode VLAN: 90 (VLAN0090)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-VLAN host-association: none

Administrative private-VLAN mapping: none

Administrative private-VLAN trunk native VLAN: none

Administrative private-VLAN trunk Native VLAN tagging: enabled

Administrative private-VLAN trunk encapsulation: dot1q

Administrative private-VLAN trunk normal VLANs: none

Administrative private-VLAN trunk associations: none

Administrative private-VLAN trunk mappings: none

Operational private-VLAN: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: true

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

Cat4(config-if-range)#

Note the protected state there. Next, create the SVI on Cat3 and Cat4.

Cat3

interface Vlan90

ip address 150.100.90.13 255.255.255.0

Cat4

interface Vlan90

ip address 150.100.90.14 255.255.255.0


The devices connected to the ports cannot technically communicate with anything else in VLAN90 without going through the SVI first, so we don't need to add the VLAN to the trunks. But as there is nothing physically connected to these ports, we will go ahead and add VLAN 90 to the trunk between Cat3 and Cat4 to get the SVI to come up.

Cat3 & Cat4

interface port-channel 34

switchport trunk allowed vlan add 90

2.26 Ensure that only the following traffic is allowed to pass through VLAN 12:

All non-IP frames sourced from MAC-address 000b.cd96.cc4f destined to any host

OSPF traffic and ICMP traffic

All other frames should be denied

VACLs or VLAN Filter Maps are the only things able to filter intra-VLAN traffic. So we need to look at setting up various filters. One thing to note is that MAC access-lists cannot be applied to IP traffic due to the ASIC and hardware architecture of the switches.

VLAN 12 only exists on Cat1, or at least that's the only switch with ports in it. So that'll make our configuration a little easier.

Cat1

mac access-list extended FilterMe

permit host 000b.cd96.cc4f any

access-list 101 permit ospf any any

access-list 101 permit icmp any any

vlan access-map Filter-VL12 10

action forward

match mac address FilterMe

vlan access-map Filter-VL12 20

action forward

match ip address 101

vlan access-map Filter-VL12 30

action drop

vlan filter Filter-VL12 vlan-list 12

And a quick test should let us know how we're doing.

R1(config)#do ping 150.100.12.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.100.12.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R1(config)#


Uh, that's not very good. Time to debug.

R1(config)#do deb ip pack

IP packet debugging is on

R1(config)#do ping 150.100.12.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.100.12.2, timeout is 2 seconds:

*Jan 24 04:34:43.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:43.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:43.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:45.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:45.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:45.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:47.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:47.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:47.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:49.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:49.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:49.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:51.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:51.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:51.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.

Success rate is 0 percent (0/5)

R1(config)#

Encapsulation failed isn't good either. This is a simple Ethernet link, how can this be?

R1(config)#do sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 100.100.100.1 - 0018.b921.9279 ARPA FastEthernet0/1

Internet 150.100.12.2 0 Incomplete ARPA

Internet 150.100.12.1 - 0018.b921.9278 ARPA FastEthernet0/0

R1(config)#

Ahhhh.... No ARP. ARP is not an IP packet, so it is subject to our MAC access-list, which is denying everything other than that one particular host. In addition, if we don't want traffic looping through our network, we need to allow spanning-tree in the ACL, or we are going to see all sorts of strange things start to happen.

Cat1

mac access-list extended FilterMe

permit any any 0x0806 0x0000

permit any any lsap 0xAAAA 0x0000

Cat1(config-ext-macl)#do sh access-list

Extended IP access list 101

10 permit ospf any any

20 permit icmp any any

Extended MAC access list FilterMe

permit host 000b.cd96.cc4f any

permit any any 0x806 0x0

permit any any lsap 0xAAAA 0x0

Cat1(config-ext-macl)#

R1(config)#do ping 150.100.12.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.100.12.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

R1(config)#

PVST+ uses LLC SNAP encapsulation equal to lsap 0xAAAA. STP and PVST use lsap 0x4242. Be sure to know what protocol you are working with when applying MAC access-lists.

THERE we go. Little things like this are important to note. ARP caches are cleared after 4 hours of inactivity or on reload, so you may not notice something like this until much later in the day (and you are no longer thinking about Layer 2 stuff at that point).

2.27 Make sure that VLAN 40 will only carry IPv6 traffic. All other traffic should be discarded.

IPv6. Why do we have to deal with that here? Well, think about it. The restriction is that IPv6 is the ONLY type of traffic allowed to traverse VLAN 40. Everything else will be discarded. Who else better to monitor this than the switch?

We already have a little experience with MAC access-lists and matching an ethertype value (the 0x0806 above). So now we just need to find the ethertype value for IPv6.

The question is, how are we going to find that? Likely it will be supplied.

The ethertype for IPv6 is 0x86DD

Cat1

mac access-list extended IPv6-Only

permit any any 0x86dd 0x0000

vlan access-map IPv6 10

action forward

match mac address IPv6-Only

vlan access-map IPv6 20

action drop

vlan filter IPv6 vlan-list 40

Without having IPv6 hosts set up and/or configured, it is difficult to test this one out, but we applied the same logic that we did in the last task, so we should be good to go on this.
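As an added example (not code from the IPexpert guide), the following Python models how a MAC ACL classifies frames by EtherType (Ethernet II) or LSAP (802.3/LLC) and evaluates the FilterMe ACL before and after the fix in the last task, plus the IPv6-Only ACL above, against constructed sample frames. It assumes untagged frames and ignores the real switch's split between IP and MAC ACLs; the MACs other than R1's and the permitted host's, and the frames themselves, are constructed for the example.

```python
# Added example, not from the IPexpert guide: simplified model of a Catalyst MAC ACL
# matching frames by EtherType or LSAP, run over constructed frames.
import struct

def parse_frame(frame: bytes) -> dict:
    """Untagged frame -> dst, src and an 'ethertype' or an 'lsap' (DSAP<<8 | SSAP)."""
    dst, src, tl = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if tl >= 0x0600:                     # Ethernet II: the field is an EtherType
        return {"dst": dst, "src": src, "ethertype": tl, "lsap": None}
    return {"dst": dst, "src": src, "ethertype": None,   # 802.3: LLC follows the length
            "lsap": (frame[14] << 8) | frame[15]}

def acl_permits(acl: list, frame: bytes) -> bool:
    """Top-down evaluation of (src_mac|None, value|None, is_lsap, mask) entries.
    IOS mask bits set to 1 are don't-care; no match at all means implicit deny."""
    f = parse_frame(frame)
    for src, value, is_lsap, mask in acl:
        if src is not None and f["src"] != src:
            continue
        if value is None:                # 'permit host X any' with no protocol given
            return True
        field = f["lsap"] if is_lsap else f["ethertype"]
        if field is not None and (field & ~mask) == (value & ~mask):
            return True
    return False

def eth2(dst, src, ethertype, payload=b"\x00" * 46):
    return dst + src + struct.pack("!H", ethertype) + payload

def llc(dst, src, dsap, ssap, payload=b"\x00" * 43):
    body = bytes([dsap, ssap, 0x03]) + payload     # LLC control 0x03 = UI frame
    return dst + src + struct.pack("!H", len(body)) + body

R1_MAC, HOST_MAC = bytes.fromhex("0018b9219278"), bytes.fromhex("000bcd96cc4f")
OTHER = bytes.fromhex("0200deadbeef")              # constructed locally-administered MAC
BCAST, PVST_MC, STP_MC = b"\xff" * 6, bytes.fromhex("01000ccccccd"), bytes.fromhex("0180c2000000")
FRAMES = {   # constructed sample frames
    "arp_from_r1":     eth2(BCAST, R1_MAC, 0x0806),
    "pvst_bpdu":       llc(PVST_MC, OTHER, 0xAA, 0xAA, bytes.fromhex("00000c010b") + b"\x00" * 38),
    "ieee_bpdu":       llc(STP_MC, OTHER, 0x42, 0x42),   # plain 802.1D, LSAP 0x4242
    "ipv6_from_r1":    eth2(BCAST, R1_MAC, 0x86DD),
    "ipv4_from_host":  eth2(R1_MAC, HOST_MAC, 0x0800),
    "ipv4_from_other": eth2(R1_MAC, OTHER, 0x0800),
}
# (src, value, is_lsap, mask) tuples mirror the ACEs shown on the page
FILTERME_BEFORE = [(HOST_MAC, None, False, 0x0000)]
FILTERME_AFTER = FILTERME_BEFORE + [(None, 0x0806, False, 0x0000), (None, 0xAAAA, True, 0x0000)]
IPV6_ONLY = [(None, 0x86DD, False, 0x0000)]

def evaluate(acl: list) -> dict:
    return {name: acl_permits(acl, frame) for name, frame in FRAMES.items()}
```

Note that the IEEE 802.1D BPDU (LSAP 0x4242) is still dropped by FilterMe after the fix, which is the point of the warning about knowing which spanning-tree flavour you are filtering.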

You will notice the OSPF neighbor relationships on Vlan40 go down. As we are just testing the functionality of the configuration in this section, don't worry about this. But if this same thing happened in the actual lab, this would be a good time to speak with the proctor.

01:37:55: %OSPF-5-ADJCHG: Process 1, Nbr 150.100.220.12 on Vlan40 from 2WAY to DOWN, Neighbor Down: Dead timer expired

Cat1(config)#

01:37:58: %OSPF-5-ADJCHG: Process 1, Nbr 150.100.220.13 on Vlan40 from FULL to DOWN, Neighbor Down: Dead timer expired

Cat1(config)#

01:38:00: %OSPF-5-ADJCHG: Process 1, Nbr 150.100.220.14 on Vlan40 from FULL to DOWN, Neighbor Down: Dead timer expired

2.28 On Cat3, ports Fa0/6 through Fa0/10 will utilize the 200.200.200.0/24 subnet. Allow ports Fa0/6 and Fa0/7 to talk to each other, but no other devices in this subnet should be allowed to speak intra-VLAN to each other. Create a VLAN interface to be used as the gateway out for this subnet as 200.200.200.200/24. Additional VLANs may be created.

Finally we have a chance to play with Private VLANs on our 3560 switches. There are three different types to consider: Isolated, Community and Promiscuous.

Fa0/6 and Fa0/7 will be in a Community VLAN since they are allowed to talk to each other. Fa0/8, Fa0/9 and Fa0/10 will be in an isolated VLAN.

As soon as we start to enter things, we will notice that none of our VLAN commands work, since VTP mode must be transparent first. When a later task in a lab changes something you were forced to do earlier, it can get rather frustrating.

In real life, we would likely want to select another vtp server switch, but here in the lab we aren't asked to. Talking to the proctor about this certainly won't hurt. Cat1 is still in server mode.

Cat3

vtp mode transparent

vlan 2000

private-vlan primary

exit

vlan 2001

private-vlan isolated

exit

vlan 2002

private-vlan community

exit

vlan 2000

private-vlan association add 2001-2002

int range Fa0/6 - 7

switchport mode private-vlan host

switchport private-vlan host-association 2000 2002

int range Fa0/8 - 10

switchport mode private-vlan host

switchport private-vlan host-association 2000 2001

int vlan 2000

ip address 200.200.200.200 255.255.255.0

private-vlan mapping add 2001-2002

Cat3(config-if)#do sh vl pr

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

2000 2001 isolated Fa0/8, Fa0/9, Fa0/10

2000 2002 community Fa0/6, Fa0/7

Cat3(config-if)#

Cat3(config-if)#do sh int vl2000 private-vlan mapping

Interface Secondary VLANs

--------- --------------------------------------------------------------------

vlan2000 2001, 2002

This is exactly the way we should see things. While it looks like a lot of work to do to get this working, it's really not all that bad. Check out the "Configuring Private VLANs" part of the Configuration Guide and look at the sample configs. Cut 'n' Paste is your friend.

2.29 Except in VLAN 100, Cat3 should not have any ports blocked by spanning tree.

This is another task that looks like it's messing with an earlier requirement. When we see mention of the word "blocking" we should associate this with spanning tree. We had an earlier requirement to make Cat2 the root of VLAN 100.

One of the only ways to assure that ALL ports are in a forwarding state is to become the root bridge. Or start rearranging your physical topology. :)

So for everything other than VLAN 100, we could become root. And looking at "show spanning-tree" we probably need it.

Cat3(config-if)#do sh spanning-tree | in VLAN|BLK

VLAN0001

Po23 Altn BLK 12 128.232 P2p

Po34 Altn BLK 12 128.320 P2p

VLAN0012

Po23 Altn BLK 12 128.232 P2p

Po34 Altn BLK 12 128.320 P2p

VLAN0040

Po23 Altn BLK 12 128.232 P2p

Po34 Altn BLK 12 128.320 P2p

VLAN0090

VLAN0100

Po13 Altn BLK 12 128.152 P2p

Po34 Altn BLK 12 128.320 P2p

VLAN0300

Po23 Altn BLK 12 128.232 P2p

Po34 Altn BLK 12 128.320 P2p

VLAN0567

Po23 Altn BLK 12 128.232 P2p

Po34 Altn BLK 12 128.320 P2p

VLAN0666

Po23 Altn BLK 12 128.232 P2p

Po34 Altn BLK 12 128.320 P2p

Cat3(config-if)#

We have lots of different things blocking there.

Cat3

spanning-tree vlan 1,12,40,90,300,567,666 root primary

Now what do things look like?

Cat3(config)#do sh spanning-tree | in VLAN|BLK

VLAN0001

VLAN0012

VLAN0040

VLAN0090

VLAN0100

Po13 Altn BLK 12 128.152 P2p

Po34 Altn BLK 12 128.320 P2p

VLAN0300

VLAN0567

VLAN0666

Cat3(config)#

MUCH better. Or, just to verify, run the show command a little differently.

Cat3(config)#do sh spanning-tree | in VLAN|BLK|is the root

VLAN0001

This bridge is the root

VLAN0012

This bridge is the root

VLAN0040

This bridge is the root

VLAN0090

This bridge is the root

VLAN0100

Po13 Altn BLK 12 128.152 P2p

Po34 Altn BLK 12 128.320 P2p

VLAN0300

This bridge is the root

VLAN0567

This bridge is the root

VLAN0666

This bridge is the root

Very nice.

Can we adjust VLAN 100 without becoming the root? Sure, make it a preferred path to go through. Adjust the spanning-tree cost to something less than alternate paths.

Cat3

int po13

spanning-tree VLAN 100 cost 2

int po34

spanning-tree VLAN 100 cost 2

Are they still blocking?

Cat3(config-if)#do sh spanning-tree | in VLAN|BLK|is the root

VLAN0001

This bridge is the root

VLAN0012

This bridge is the root

VLAN0040

This bridge is the root

VLAN0090

This bridge is the root

VLAN0100

Po13 Altn BLK 2 128.152 P2p

Po34 Altn BLK 2 128.320 P2p

VLAN0300

This bridge is the root

VLAN0567

This bridge is the root

VLAN0666

This bridge is the root

Cat3(config-if)#

Yes. Why? The cost is much lower than it was before. But remember that every switch is interconnected with every other switch. The spanning-tree cost is cumulative, meaning that no matter how small we make the cost, the path through another switch will still cost more than the directly connected link.

We can always go manipulate things in multiple places to affect the total path cost, but that isn't asked for in this lab task anyway.

2.30 In the event that Cat2 loses its link to Cat3, the path to the root bridge should go through Cat4 as quickly as possible. Do not use any “cost” or “priority” type commands on Cat2 to make this happen.

Time for some more spanning-tree manipulations. In order to change paths, we need to verify where we're going now. Right off, we go to Cat3 (since it's the root for most things).

Cat2(config-if)#do sh span | in VLAN|Root

VLAN0001

Root ID Priority 24577

Po23 Root FWD 12 128.248 P2p

VLAN0012

Root ID Priority 24588

Po23 Root FWD 12 128.248 P2p

VLAN0040

Root ID Priority 24616

Po23 Root FWD 12 128.248 P2p

VLAN0100

Root ID Priority 24676

VLAN0300

Root ID Priority 24776

Po23 Root FWD 12 128.248 P2p

VLAN0567

Root ID Priority 25143

Po23 Root FWD 12 128.248 P2p

VLAN0666

Root ID Priority 25242

Po23 Root FWD 12 128.248 P2p

Cat2(config-if)#

In the event of failure, it's all about recalculation of SPT costs. So the Cost can be changed (we're not allowed to), or if that's a tie, then a port-priority is looked at (not allowed either).

In MST and Rapid-PVST, we have Alternate or Backup ports to maintain fast failover. Prior to that, in PVST operations, we didn't have those. We did, however, have two manual methods: Uplinkfast and Backbonefast. One was for Designated Ports, the other for Root Ports. Which to use?

Cisco Documentation. :) We'll find that Backbonefast was for Designated Ports (and the root bridge) and Uplinkfast was for Root ports. That's what we want. But this is a two-stage thing. Uplinkfast just says that the switch will converge faster. We have to make sure that the path to Cat4 is the next best choice. It says not to use "priority" or "cost" commands on Cat2, but says nothing about other switches.

Cat3

int po34

spanning-tree cost 5

Remember that cost is cumulative. You add the cost of a local link yourself (e.g., setting this on Cat4 would accomplish nothing).

Cat2

spanning-tree uplinkfast

Cat2(config)#do sh span sum

Switch is in pvst mode

Root bridge for: VLAN0100

Extended system ID is enabled

Portfast Default is disabled

PortFast BPDU Guard Default is disabled

Portfast BPDU Filter Default is disabled

Loopguard Default is disabled

EtherChannel misconfig guard is enabled

UplinkFast is enabled

BackboneFast is disabled

Configured Pathcost method used is short

Name Blocking Listening Learning Forwarding STP Active

---------------------- -------- --------- -------- ---------- ----------

VLAN0001 2 0 0 1 3

VLAN0012 1 0 0 2 3

VLAN0040 1 0 0 2 3

VLAN0100 0 0 0 4 4

VLAN0300 2 0 0 3 5

VLAN0567 2 0 0 6 8

VLAN0666 2 0 0 1 3

Name Blocking Listening Learning Forwarding STP Active

---------------------- -------- --------- -------- ---------- ----------

---------------------- -------- --------- -------- ---------- ----------

9 VLANs 14 0 0 23 37

Station update rate set to 150 packets/sec.

UplinkFast statistics

-----------------------

Number of transitions via uplinkFast (all VLANs) : 0

Number of proxy multicast addresses transmitted (all VLANs) : 0

Technical Verification and Support

To verify your router and switch configurations please ensure that you have downloaded the latest configurations from your www.IPexpert.com account.

You may also verify your configurations within the Volume One Proctor Guide that you received along with this Workbook. You can find this document in the eBook section of your www.IPexpert.com account.

Support is also available in the following ways:

Mailing List: http://www.OnlineStudyList.com

Email: [email protected]