R&S_Volume_1_DSG_v11.0_Lab2
IPexpert’s Detailed Solution Guide for the Cisco® CCIE™ v4 Routing & Switching Lab Exam
Volume 1
IPexpert CCIE R&S Detailed Solutions Guide Volume 1 – Introduction
V1500 Copyright © 2010 by IPexpert, Inc. All Rights Reserved. 1
IPexpert CCIE R&S Detailed Solutions Guide – Volume One

Before We Begin

This product is part of the IPexpert "Blended Learning Solution™" that provides CCIE candidates with a comprehensive training program. For information about the full solution, contact an IPexpert Training Advisor today. Telephone: +1.810.326.1444 Email: [email protected]

Congratulations! You now possess one of the ULTIMATE CCIE™ Routing & Switching Lab preparation resources available today! This resource was produced by senior engineers, technical instructors and authors, boasting decades of internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIE™ Routing & Switching Lab exam, we feel VERY confident that your chances of passing the Lab will improve dramatically after completing this industry-recognized Workbook!

At the beginning of each section, you will be referred to a diagram of the network topology. All sections utilize the same physical topology, which can be rented at www.ProctorLabs.com.
Technical Support from IPexpert and your CCIE community!
IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our online communities have attracted a membership of nearly 20,000 of your peers from around the world! At EverythingIE.com you may social-network with your peers, all focused on attaining the same goal as you – the CCIE Lab. At CCIEBlog.com you can keep up to date with everything IPexpert does, as well as start your own CCIE-focused blog or simply add your existing blog to our directory so your peers can find you. At OnlineStudyList.com, you may subscribe to multiple "SPAM-free", CCIE-focused email lists.
Feedback

Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert, we look to you – our valued clients – for the real-world, frontline evaluation that we believe is necessary to improve continually. Please send an email with your thoughts to [email protected] or call 1.866.225.8064 (international callers dial +1.810.326.1444). In addition, when you pass the CCIE™ Lab exam, we want to hear about it! Email your CCIE™ number to [email protected] and let us know how IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.
Additional CCIE™ Preparation Material

IPexpert, Inc. is committed to developing the most effective Cisco CCIE™ R&S, Security, Service Provider, and Voice Lab certification preparation tools available. Our team of certified networking professionals develops the most up-to-date and comprehensive materials for networking certification, including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance learning) instructor-led training, audio products, and video training materials. Unlike other certification-training providers, we employ the most experienced and accomplished team of experts to create, maintain, and constantly update our products. At IPexpert, we are focused on making your CCIE™ Lab preparation more effective.
A message from the Author(s): The scenarios covered in this workbook were developed by Routing & Switching CCIEs to help you prepare for the Cisco CCIE Routing & Switching laboratory exam. It is strongly recommended that you use other reading materials in addition to this workbook: training is not the objective of this workbook. The intent of these labs is to test your knowledge of, and ability to implement, Cisco enterprise Routing & Switching solutions. Time management is very important. If you get stuck on a lab scenario, write it down, keep a checklist of skipped sections, and return to them once you have gone through the entire lab. Be sure to revisit the questions that you do not understand.

For more information on the CCIE Routing & Switching lab, please visit http://www.cisco.com/go/ccie and click on the link for Routing & Switching at the top right of the page.

Helpful Hints
Keep It Simple, try to avoid any extra work (example: adding descriptions)
Always reference everything from the Documentation Website: http://www.cisco.com/web/psa/products/index.html
Save your router configurations often (wr is the quickest command)
IPEXPERT END-USER LICENSE AGREEMENT
END USER LICENSE FOR ONE (1) PERSON ONLY
IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,
DO NOT OPEN OR USE THE TRAINING MATERIALS.
This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions. The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License.
Copyright and Proprietary Rights
The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT.
The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT.
You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.
Exclusions of Warranties
THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state.
Choice of Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect.
Limitation of Claims and Liability
ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR'S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.
Entire Agreement
This is the entire agreement between the parties and may not be modified except in writing signed by both parties.
U.S. Government - Restricted Rights
The Training Materials and accompanying documentation are "commercial computer Training Materials" and "commercial computer Training Materials documentation," respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.
IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.
IPexpert CCIE R&S Detailed Solutions Guide – Volume 1
NOTE
You are encouraged to take advantage of the knowledge and support from your peers around the globe. Join ccieblog.com to journal your progress. And join onlinestudylist.com to get more community support and also official support from IPexpert.
Contents

IPexpert CCIE R&S Detailed Solutions Guide - Volume One ... 1
  IPEXPERT END-USER LICENSE AGREEMENT ... 3
    END USER LICENSE FOR ONE (1) PERSON ONLY ... 3
    U.S. Government - Restricted Rights ... 4
Lab 1 - General Setup ... 9
  Lab 1 Detailed Solutions ... 10
Lab 2 - Switching: Per-VLAN Spanning Tree + ... 35
  Lab 2 Detailed Solutions ... 36
Lab 3 - Switching: Multiple Spanning Tree ... 83
  Lab 3 Detailed Solutions ... 84
Lab 4 - Switching: Rapid Per-VLAN Spanning Tree+ ... 115
  Lab 4 Detailed Solutions ... 116
Lab 5 - Layer 2 Tunneling ... 137
  Lab 5 Detailed Solutions ... 138
Lab 6 - Frame Relay ... 157
  Lab 6 Detailed Solutions ... 158
Lab 7 - Bridging and Frame Relay ... 189
  Lab 7 Detailed Solutions ... 190
Lab 8 - RIPv2 ... 201
  Lab 8 Detailed Solutions ... 202
Lab 9 - EIGRP ... 225
  Lab 9 Detailed Solutions ... 226
Lab 10 - OSPF ... 253
  Lab 10 Detailed Solutions ... 254
Lab 11 - OSPF ... 287
  Lab 11 Detailed Solutions ... 288
Lab 12 - GRE and Routing Protocols ... 295
  Lab 12 Detailed Solutions ... 296
Lab 13 - Border Gateway Protocol ... 315
  Lab 13 Detailed Solutions ... 316
Lab 14 - Multiprotocol BGP ... 361
  Lab 14 Detailed Solutions ... 362
Lab 15 - Routing Protocol Redistribution ... 371
  Lab 15 Detailed Solutions ... 372
Lab 16 - ACLs and Filters for IPv4 ... 417
  Lab 16 Detailed Solutions ... 418
Lab 17 - Router Security ... 447
  Lab 17 Detailed Solutions ... 448
Lab 18 - Router Security ... 471
  Lab 18 Detailed Solutions ... 472
Lab 19 - Router Redundancy and Network Services ... 485
  Lab 19 Detailed Solutions ... 486
Lab 20 - Advanced Router Management ... 509
  Lab 20 Detailed Solutions ... 510
Lab 21 - Quality of Service ... 539
  Lab 21 Detailed Solutions ... 540
Lab 22 - Legacy QoS to MQC Conversion ... 563
  Lab 22 Detailed Solutions ... 564
Lab 23 - Quality of Service ... 585
  Lab 23 Detailed Solutions ... 586
Lab 24 - Multicast ... 597
  Lab 24 Detailed Solutions ... 598
Lab 25 - Multicast ... 615
  Lab 25 Detailed Solutions ... 616
Lab 26 - Multi-Protocol Label Switching ... 625
  Lab 26 Detailed Solutions ... 626
Lab 27 - Multiprotocol BGP ... 637
  Lab 27 Detailed Solutions ... 638
Lab 28 - MPLS VPN ... 647
  Lab 28 Detailed Solutions ... 648
Lab 29 - Inter-AS MPLS VPN ... 655
  Lab 29 Detailed Solutions ... 656
Lab 30 - Multicast VPN ... 665
  Lab 30 Detailed Solutions ... 666
Lab 31 - Layer 2 VPN ... 677
  Lab 31 Detailed Solutions ... 678
Lab 32 - RIPng and EIGRPv6 ... 685
  Lab 32 Detailed Solutions ... 686
Lab 33 - OSPFv3 and MBGP ... 703
  Lab 33 Detailed Solutions ... 704
Lab 34 - Cisco IOS Firewalls ... 725
  Lab 34 Detailed Solutions ... 726
Lab 2 – Switching: Per-VLAN Spanning Tree +
Technologies Covered
Etherchannel
VLAN Trunking
VTP
802.1x
Spanning-Tree
Port-security
RSPAN
Private VLANs
VLAN Maps
Overview
With four switches in the CCIE R&S lab (a mix of Catalyst 3550 and Catalyst 3560 switches under the v3.0 blueprint, and four Catalyst 3560 switches under the v4.0 blueprint), there is the potential for a lot of detailed challenges in the "Switching" portion of the Routing & Switching exam. This lab is part of a series that will help prepare you for the types of scenarios you may be presented with.
Estimated Time to Complete: 3-4 Hours
Lab 2 Detailed Solutions
2.1 Configure Cat3 so that you can create, modify and delete VLANs locally. The VLANs created on this switch should be propagated through the network. Use a domain name of "ipexpert".

Cat3
vtp domain ipexpert
vtp mode server

Cat1, Cat2, Cat4
vtp mode client

Arguably, leaving the other switches in VTP server mode would satisfy the task as well: it does not say that ONLY Cat3 may manipulate VLANs locally. Client mode is simple to set, though, and keeps a single point of entry for VLAN changes. The domain name only has to be typed on Cat3; a switch whose VTP domain is still unset adopts the first domain name it hears in an advertisement over a trunk, so the clients inherit "ipexpert" once the trunks come up.

One caveat worth remembering: client mode is not a security boundary. VTP compares configuration revision numbers, not operating modes, so a switch attached to the domain with a higher revision number, client or server, has its VLAN database accepted by every other switch in the domain. Before cabling a switch into a live domain, reset its revision number to 0 (change its domain name to something else and back, or set it to transparent mode and back) and give it the VTP password from task 2.2.

Always verify everything! First check that the VLANs are present on Cat3, then that they have been propagated to Cat1, Cat2 and Cat4. Checking just the server switch isn't good enough, as there could have been issues with VLAN propagation. Make sure you check all four of your switches!
Cat3550-3(config)#do sh vl br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Gi0/1, Gi0/2
12 VLANB active Fa0/1, Gi0/2
40 VLANC active Fa0/4
100 VLANA active Fa0/11
300 VLANF active
567 VLAND active Fa0/5
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
Cat3560-1#sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/8, Fa0/10, Fa0/11, Fa0/12
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Gi0/2
12 VLANB active
40 VLANC active
100 VLANA active Fa0/1
200 VLANE active
300 VLANF active Fa0/9, Fa0/13
567 VLAND active Fa0/6, Fa0/7
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Cat3560-2(config)#do sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Gi0/1, Gi0/2
12 VLANB active
40 VLANC active
100 VLANA active
200 VLANE active
240 VLAN0240 active
300 VLANF active
567 VLAND active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Cat3560-4(config)#do sh vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Gi0/1, Gi0/2
12 VLANB active
40 VLANC active
100 VLANA active
200 VLANE active
240 VLAN0240 active
300 VLANF active
567 VLAND active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Before declaring victory, compare the four lists rather than just spotting the VLANs you created: in the captures above Cat3 lists VLANs 12, 40, 100, 300 and 567, Cat1 also has 200, and Cat2 and Cat4 also have 200 and 240. Switches in one VTP domain with the same revision number should not hold different VLAN databases, and the matching MD5 digests in the "show vtp status" output that follows confirm the databases were identical by then, so these snapshots were evidently taken at different moments. The rule stands either way: propagation is verified only when every switch lists exactly the server's VLANs, so repeat the command on all four switches after each change. VTP advertisements travel only over trunk links, so if one switch lags behind, check "show interfaces trunk" on it first.

You can also use "debug sw-vlan vtp events" or "debug sw-vlan vtp packets" if there are other concerns.

If you need to add VLANs later on, make sure to add them AFTER VTP (domain, mode and password) is set up; otherwise the database won't be "revised" in a way the other switches accept, and the new VLANs won't be propagated.
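The four-way comparison above can be done mechanically. The following is an added example for this guide, not IPexpert's code: it parses `show vlan brief` captures and reports which user VLANs each switch is missing, or has in excess, relative to the VTP server. The captures are condensed from the outputs in this section (most port columns dropped), Cat4's output is reused from Cat2's because the two are identical on the page, and the function names are chosen for this example.

```python
"""Compare `show vlan brief` from several switches and report VLAN-database
drift relative to the VTP server.

Added example for this guide, not IPexpert's code. The captures are condensed
from the four outputs in this section (most port columns dropped); Cat4's
output on the page is identical to Cat2's, so it is reused.
"""
import re

# A VLAN row starts with the numeric VLAN ID. The header, the dashed separator
# and the wrapped port-list continuation rows do not, so the regex skips them.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")

CAT3 = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
12   VLANB                            active    Fa0/1, Gi0/2
40   VLANC                            active    Fa0/4
100  VLANA                            active    Fa0/11
300  VLANF                            active
567  VLAND                            active    Fa0/5
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
"""

CAT1 = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Fa0/3, Fa0/4, Fa0/5
12   VLANB                            active
40   VLANC                            active
100  VLANA                            active    Fa0/1
200  VLANE                            active
300  VLANF                            active    Fa0/9, Fa0/13
567  VLAND                            active    Fa0/6, Fa0/7
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

CAT2 = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
12   VLANB                            active
40   VLANC                            active
100  VLANA                            active
200  VLANE                            active
240  VLAN0240                         active
300  VLANF                            active
567  VLAND                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

CAPTURES = {"Cat1": CAT1, "Cat2": CAT2, "Cat3": CAT3, "Cat4": CAT2}

def parse_vlan_brief(text):
    """Return {vlan_id: (name, status)} for one switch's `show vlan brief`."""
    vlans = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlans[int(m.group(1))] = (m.group(2), m.group(3))
    return vlans

def user_vlans(vlans):
    """Ignore VLAN 1 and the reserved 1002-1005, which every switch always has."""
    return {v for v in vlans if v != 1 and not 1002 <= v <= 1005}

def compare_vlan_databases(captures, server):
    """captures: {switch: show_vlan_brief_text}. Returns one (switch, missing,
    extra) tuple per switch whose user VLANs differ from the server's; an
    empty list means propagation is complete."""
    parsed = {sw: user_vlans(parse_vlan_brief(txt)) for sw, txt in captures.items()}
    reference = parsed[server]
    drift = []
    for sw, have in parsed.items():
        if sw != server and have != reference:
            drift.append((sw, sorted(reference - have), sorted(have - reference)))
    return drift

if __name__ == "__main__":
    for sw, missing, extra in compare_vlan_databases(CAPTURES, "Cat3"):
        print(f"{sw}: missing {missing or '-'} extra {extra or '-'} relative to Cat3")
```

Run against the page's captures it reports VLAN 200 as extra on Cat1 and VLANs 200 and 240 as extra on Cat2 and Cat4, which is exactly the disagreement a reader has to spot by eye in the output above. In practice the captures would come from `show vlan brief` pasted from each switch after every VLAN change; an empty result is the pass condition.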
Next, make sure your VTP status looks as you would expect on all four switches.
Cat3550-1#sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC
Configuration last modified by 0.0.0.0 at 3-1-93 00:17:34
Local updater ID is 0.0.0.0 (no valid interface found)
Cat3560-2#sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC
Configuration last modified by 0.0.0.0 at 3-1-93 00:17:34
Cat3560-3(config)#do sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC
Configuration last modified by 0.0.0.0 at 3-1-93 00:22:38
Cat3560-4(config)#do sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC
Configuration last modified by 0.0.0.0 at 3-1-93 00:22:38
Great: we have a VTP server, three VTP clients, matching revision numbers and matching MD5 digests. We are good to go! The digest covers the VLAN database and, once one is configured, the VTP password, so four identical digests mean four identical databases; a digest mismatch with equal revision numbers points at a password mismatch.
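To make that check repeatable, and to catch the classic VTP mistake of connecting a switch whose revision number is higher than the server's, here is an added Python example. It is not IPexpert's code: vtp_status_text() mimics the layout of the `show vtp status` captures above so the samples stay short, the four lab switches carry the values shown above (revision 2, the 0xF1 0xE5 ... digest), and "NewSwitch" together with its digest is constructed for the example. The function names are chosen here, not taken from any tool.

```python
"""Cross-check `show vtp status` from every switch in a VTP domain.

Added example for this guide, not IPexpert's code. vtp_status_text() mimics
the layout of the captures in this section so that the samples stay short;
the four lab switches carry the values shown above (revision 2, digest
0xF1 0xE5 ...). "NewSwitch" is a constructed capture of a switch about to be
cabled into the domain and exists only to show the revision-number check.
"""
import re

# Status lines have the form "Field name : value". The timestamp in
# "Configuration last modified ... 00:17:34" has no spaces around its colons
# and is therefore ignored, as is the "Local updater ID is ..." line.
FIELD_RE = re.compile(r"^\s*(\S.*?)\s+:\s+(\S.*?)\s*$")

LAB_DIGEST = "0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC"

def vtp_status_text(mode, revision, digest, domain="ipexpert",
                    version="running VTP1 (VTP2 capable)", pruning="Disabled"):
    """Build a capture in the shape of `show vtp status` on a Catalyst 3550/3560."""
    return (
        f"VTP Version                     : {version}\n"
        f"Configuration Revision          : {revision}\n"
        "Maximum VLANs supported locally : 1005\n"
        "Number of existing VLANs        : 11\n"
        f"VTP Operating Mode              : {mode}\n"
        f"VTP Domain Name                 : {domain}\n"
        f"VTP Pruning Mode                : {pruning}\n"
        "VTP V2 Mode                     : Disabled\n"
        "VTP Traps Generation            : Disabled\n"
        f"MD5 digest                      : {digest}\n"
        "Configuration last modified by 0.0.0.0 at 3-1-93 00:17:34\n"
        "Local updater ID is 0.0.0.0 (no valid interface found)\n"
    )

LAB_CAPTURES = {
    "Cat1": vtp_status_text("Client", 2, LAB_DIGEST),
    "Cat2": vtp_status_text("Client", 2, LAB_DIGEST),
    "Cat3": vtp_status_text("Server", 2, LAB_DIGEST),
    "Cat4": vtp_status_text("Client", 2, LAB_DIGEST),
}
# Constructed: a spare switch last used in another domain that was also called
# "ipexpert"; it carries a higher revision number and a different database.
NEW_SWITCH = vtp_status_text("Client", 7, "0x3A 0x11 0x9C 0x02 0xE4 0x7B 0x50 0xD8")

def parse_vtp_status(text):
    """Return {field: value} for one `show vtp status` capture."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def audit_vtp_domain(captures, expected_domain):
    """captures: {switch: show_vtp_status_text}. Returns a list of findings; an
    empty list means every switch agrees and none can overwrite the domain."""
    status = {sw: parse_vtp_status(t) for sw, t in captures.items()}
    findings = []
    servers = [sw for sw, f in status.items() if f.get("VTP Operating Mode") == "Server"]
    if not servers:
        findings.append("no VTP server in the domain")
    for sw, f in status.items():
        if f.get("VTP Domain Name") != expected_domain:
            findings.append(f"{sw}: domain {f.get('VTP Domain Name')!r}, expected {expected_domain!r}")
    # All switches must agree on these. Equal revisions with different digests
    # almost always mean a VTP password mismatch, since the digest covers the
    # VLAN database and the password.
    for key in ("Configuration Revision", "MD5 digest", "VTP Version", "VTP Pruning Mode"):
        values = {f.get(key) for f in status.values()}
        if len(values) > 1:
            findings.append(f"{key} differs: " + ", ".join(f"{sw}={f.get(key)}" for sw, f in status.items()))
    # Takeover check: VTP compares revision numbers, not modes. Any switch,
    # client mode included, with a revision above the server's would have its
    # database accepted by the whole domain the moment a trunk comes up.
    if servers:
        server_rev = max(int(status[s]["Configuration Revision"]) for s in servers)
        for sw, f in status.items():
            if int(f["Configuration Revision"]) > server_rev:
                findings.append(f"{sw}: revision {f['Configuration Revision']} exceeds server "
                                f"revision {server_rev}; reset it before connecting")
    return findings

if __name__ == "__main__":
    print(audit_vtp_domain(LAB_CAPTURES, "ipexpert"))
    print(audit_vtp_domain({**LAB_CAPTURES, "NewSwitch": NEW_SWITCH}, "ipexpert"))
```

With the four lab switches the audit returns no findings. Adding the constructed "NewSwitch" produces three: the revision and digest no longer agree across the domain, and the switch is flagged because its revision 7 would win against the server's revision 2. Resetting the revision (domain name change and back, or transparent mode and back) before cabling is the fix the finding asks for.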
2.2 Cat1 should send VLAN updates with an MD5 one-way hash value. Other switches should not be able to process these updates unless they have the same MD5 value. Use a password of "1p3xp3rt#". DO NOT use VLAN database commands to accomplish this task. Run VTP version 2.

VTP passwords are always hashed with MD5, and the resulting digest must match on both sides or the advertisement is discarded. Normally you can configure the password either in VLAN database mode or in global configuration mode, but the lab rules out the former. In config mode (recommended) use "vtp ?" to find the right command. The VTP version can only be changed on a server (see below), so the version and the password both go on Cat3 first, then the password on the clients. One caveat: on these switches the VTP password is kept in vlan.dat rather than in the running configuration, and "show vtp password" prints it in clear text, so a saved configuration is not a complete record of the switch's VTP state and anyone with privileged EXEC access can read the password.

Cat3
Cat3550-3(config)#vtp version 2
Cat3550-3(config)#vtp password 1p3xp3rt#
Setting device VLAN database password to 1p3xp3rt#

Check it out: the configuration revision increments to 3, V2 mode is enabled, and the MD5 digest changes even though no VLAN was added, because the digest covers the password as well as the VLAN database…
Cat3550-3(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39
Local updater ID is 0.0.0.0 (no valid interface found)
Cat1, Cat2, Cat4
vtp password 1p3xp3rt#

All we have done on the clients is set the password to match the server, yet they now run VTP version 2 as well. Excellent! Also notice that the client revision number has incremented to 3: once the passwords matched, the clients accepted the server's advertisement and switched to version 2 with it.
Cat3560-1(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39
Cat3560-2(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39
Cat3560-4(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39
If we had tried to set the VTP version to 2 on the client switches manually, we would have received an error telling us that the version cannot be changed in client mode. This is fine: the server does that work for us.

The task also says that Cat1 is the switch sending the updates, so we should put Cat1 into server mode. This does not violate the previous task, since we were not REQUIRED to put everyone else in client mode. Note that with two servers either one can change the VLAN database for the whole domain, which is one more reason the password now has to match on every switch.
Cat1
vtp mode server
2.3 If a downstream switch does not possess a port in a VLAN that Cat1 is advertising, make sure that Cat1 does not propagate broadcast traffic for those VLANs.

VTP pruning is the obvious (and simple) solution here; it is the only mechanism by which the switches themselves dynamically stop flooding traffic for VLANs that are not needed on a trunk. Since Cat3 is our VTP server, we only need to enable it on Cat3, and the setting is propagated to the other switches in the domain. Two caveats: pruning removes broadcast, multicast and unknown-unicast flooding from a trunk only for VLANs that have no active ports behind that trunk, and it never applies to VLAN 1 or to the reserved VLANs 1002-1005; only VLANs 2-1001 are pruning-eligible, which is also the default eligibility list.
Cat3550-3(config)#vtp pruning
Pruning switched on
Cat3550-3(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32
Local updater ID is 0.0.0.0 (no valid interface found)
Just like the VTP version, VTP pruning is a feature that will be propagated down to all our client switches as well. Run “show vtp status” to verify.
Cat3560-1(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32
Cat3560-2(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32
Local updater ID is 0.0.0.0 (no valid interface found)
Cat3560-4(config)#do sh vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : ipexpert
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32
2.4 Configure any interfaces connecting the switches together to appear as one link to STP per neighbor. If either of the interfaces is damaged, the switches should manage one-way links. Do not use industry standards, but make sure these links can negotiate their setup.
Consult the diagram here for assistance on this. For an etherchannel to be set up, the member links must be identical. On the ProctorLabs racks at least, there are also some GigabitEthernet links between some switches. These cannot be added into the etherchannel configuration, so go ahead and shut those down.
Plan your etherchannel as well. In some versions of IOS on many switches, the etherchannel number must match on both sides in order to come up properly. Rather than needing to think about whether you are using one of those releases or not, it's recommended just to use the correct pairing of etherchannel numbers.
If you have concerns about which switch is connected where, just check out the CDP table.
Cat1(config)#do sh cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Router Gig 0/2 133 R S I 3825 Gig 0/0
Cat3 Fas 0/22 127 S I WS-C3560-2Fas 0/22
Cat3 Fas 0/21 127 S I WS-C3560-2Fas 0/21
Cat2 Gig 0/2 121 S I WS-C3550-2Gig 0/2
Cat2 Fas 0/24 121 S I WS-C3550-2Fas 0/24
Cat2 Fas 0/23 121 S I WS-C3550-2Fas 0/23
Cat4 Fas 0/20 126 S I WS-C3560-2Fas 0/20
Cat4 Fas 0/19 126 S I WS-C3560-2Fas 0/19
Cat1(config)#
In order to negotiate the trunk coming up, it's important to set the modes properly. 3550's default to "dynamic desirable", 3560's default to "dynamic auto". Auto-auto does not generate a trunk.
Cat1-Cat4 int range Fa0/19 - 24
switchport mode dynamic desir
Cat4(config-if-range)#do sh int Fa0/19 switch
Name: Fa0/19
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-VLAN host-association: none
Administrative private-VLAN mapping: none
Administrative private-VLAN trunk native VLAN: none
Administrative private-VLAN trunk Native VLAN tagging: enabled
Administrative private-VLAN trunk encapsulation: dot1q
Administrative private-VLAN trunk normal VLANs: none
Administrative private-VLAN trunk associations: none
Administrative private-VLAN trunk mappings: none
Operational private-VLAN: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
We should also shut them down for now.... When building trunks and etherchannel groups, it's a good idea to shut the links down until you have them all built. This will prevent your switches from becoming upset about mismatches and placing any interfaces in an errdisabled state.
Cat1-Cat4
int range Fa0/19 - 24
shut
For the channel-group, we are not to use industry standards (LACP), so we'll end up either using PAgP or just mode on.
Cat1
int gi0/1
shut
int gi0/2
shut
int range Fa0/19 - 20
Description Connection to Cat4
channel-group 14 mode on
int range Fa0/21 - 22
Description Connection to Cat3
channel-group 13 mode on
int range Fa0/23 - 24
Description Connection to Cat2
channel-group 12 mode on
Cat2
int gi0/1
shut
int range Fa0/19 - 20
Description Connection to Cat3
channel-group 23 mode on
int range Fa0/21 - 22
Description Connection to Cat4
channel-group 24 mode on
int range Fa0/23 - 24
Description Connection to Cat1
channel-group 12 mode on
Cat3
int gi0/1
shut
int range Fa0/19 - 20
Description Connection to Cat2
channel-group 23 mode on
int range Fa0/21 - 22
Description Connection to Cat1
channel-group 13 mode on
int range Fa0/23 - 24
Description Connection to Cat4
channel-group 34 mode on
Cat4
int range Fa0/19 - 20
Description Connection to Cat1
channel-group 14 mode on
int range Fa0/21 - 22
Description Connection to Cat2
channel-group 24 mode on
int range Fa0/23 - 24
Description Connection to Cat3
channel-group 34 mode on
Finally, turn on UDLD to manage the one-way link detection. There's no mention about anything requiring aggressive mode, so that part is up to you. There are global commands for UDLD as well, so be careful with that. Global commands are for fiber ports. Interface commands are for copper ports.
Cat1, Cat2, Cat3 and Cat4
int range Fa0/19 - 24
udld port
Now, let's verify everything we have done here. First, we'll want to make sure all our etherchannels came up properly. Run “sh etherchannel summary” for a good overview. What we expect to see here is that each group has a status of “SU”, meaning the channel is a L2 port-channel and it is “In Use”. For our individual ports, make sure you see the (P), meaning the port is part of the port channel.
Cat3550-1#sh etherchan sum
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) - Fa0/23(P) Fa0/24(P)
13 Po13(SU) - Fa0/21(P) Fa0/22(P)
14 Po14(SU) - Fa0/19(P) Fa0/20(P)
Cat3560-2#show etherchan sum
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) - Fa0/23(P) Fa0/24(P)
23 Po23(SU) - Fa0/19(P) Fa0/20(P)
24 Po24(SU) - Fa0/21(P) Fa0/22(P)
Cat3560-3#sh etherchan sum
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
13 Po13(SU) - Fa0/21(P) Fa0/22(P)
23 Po23(SU) - Fa0/19(P) Fa0/20(P)
34 Po34(SU) - Fa0/23(P) Fa0/24(P)
Cat3560-4#sh etherchan sum
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
14 Po14(SU) - Fa0/19(P) Fa0/20(P)
24 Po24(SU) - Fa0/21(P) Fa0/22(P)
34 Po34(SU) - Fa0/23(P) Fa0/24(P)
Great, everything came up as expected on all four switches. Now, to verify UDLD you can check out “sh udld <int>”. For brevity we will just take a look at Fa0/19 on Cat1 so you can get an idea. Notice the “Enabled” status, and that it even tells us which switch is on the other end of the link (Cat4 in this case).
Cat3550-1#sh udld Fa0/19
Interface Fa0/19
---
Port enable administrative configuration setting: Enabled
Port enable operational state: Enabled
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
---
Expiration time: 40
Cache Device index: 1
Current neighbor state: Bidirectional
Device ID: FDO1117Y22M
Port ID: Fa0/19
Neighbor echo 1 device: CAT0652X00L
Neighbor echo 1 port: Fa0/19
Message interval: 15
Time out interval: 5
CDP Device name: Cat3560-4
2.5 These links should allow all VLANs to travel across with their VLAN ID intact. You cannot use the Cisco proprietary protocol to achieve this. Every packet that traverses the link must have the VLAN ID, no exceptions.
Gotta go back and change a few things now... If we had done these ahead of time on the physical interfaces, they would have automatically propagated to the PortChannel interface. If you have to go back and change a trunk, especially one that is tied to a Portchannel, it is best to shut everything down, make your changes, then bring everything back up. Otherwise, you may run into issues with ports going err-disabled.
Cat1 – Cat4
int range Fa0/19 - 24
shutdown
switch trunk encap dot1q
exit
The other part about the VLAN-ID is a little trickier. You may change the native VLAN to something other than the default (something unused). Or there's a specific command for 802.1Q that allows the tagging of the native VLAN. Those are good keywords to search for in case you had to look it up not knowing the answer. The “vlan dot1q tag native” command is run from global config mode.
vlan dot1q tag native
OK, now that we have made the necessary changes, let's bring all the links back up on all the switches. The best thing to do here is copy/paste from notepad because you will want to do this fairly quickly to avoid any issues.
Cat1 – Cat4
int range Fa0/19 - 24
no shutdown
Now, let's make sure our trunks came up as expected, and that our native VLAN is indeed being tagged as configured. The output of this command has been reduced to only show the relevant information.
Cat3550-1(config)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Po14 desirable 802.1q trunking 1
Po13 desirable 802.1q trunking 1
Po12 desirable 802.1q trunking 1
Cat3550-1(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled
Cat3560-2(config-if-range)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Po12 desirable 802.1q trunking 1
Po23 desirable 802.1q trunking 1
Po24 desirable 802.1q trunking 1
Cat3550-2(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled
Cat3560-3(config-if-range)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Po13 desirable 802.1q trunking 1
Po23 desirable 802.1q trunking 1
Po34 desirable 802.1q trunking 1
Cat3550-3(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled
Cat3560-4(config-if-range)#do sh int trunk
Port Mode Encapsulation Status Native vlan
Po14 desirable 802.1q trunking 1
Po24 desirable 802.1q trunking 1
Po34 desirable 802.1q trunking 1
Cat3550-4(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled
As we can see, all the trunks are running 802.1q encapsulation and have the native VLAN being tagged as expected!
2.6 Only allow the defined VLANs across the link.
Now it's time to add a little security into our mix. The "switchport trunk allowed" command will help us decide which VLANs are or are not allowed on the link.
Cat1 - Cat4
int range Fa0/19 - 24
switchport trunk allowed vlan 1,12,40,100,300,567
Cat1
int range po12 , po13 , po14
switchport trunk allowed vlan 1,12,40,100,300,567
Cat2
int range po12 , po23 , po24
switchport trunk allowed vlan 1,12,40,100,300,567
Cat3
int range po13 , po23 , po34
switchport trunk allowed vlan 1,12,40,100,300,567
Cat4
int range po14 , po24 , po34
switchport trunk allowed vlan 1,12,40,100,300,567
Why do it on the physical links and etherchannel? In case something doesn't work? It's an easy cut/paste if nothing else.
You'll start to get inconsistent messages. Cutting and pasting will help speed things up here.
Cat1(config-if-range)#
9w4d: %EC-5-CANNOT_BUNDLE2: Fa0/19 is not compatible with Fa0/20 and will be
suspended (VLAN mask is different)
9w4d: %EC-5-COMPATIBLE: Fa0/19 is compatible with port-channel members
9w4d: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be
suspended (VLAN mask is different)
9w4d: %EC-5-COMPATIBLE: Fa0/21 is compatible with port-channel members
9w4d: %EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Fa0/24 and will be
suspended (VLAN mask is different)
9w4d: %EC-5-COMPATIBLE: Fa0/23 is compatible with port-channel members
Cat1(config-if-range)#
Check and make sure we didn't wait too long.
Cat1(config-if-range)#do sh int | in errd
Cat1(config-if-range)#
Cat2(config-if-range)#do sh int | in errd
Cat2(config-if-range)#
Cat3(config-if-range)#do sh int | in errd
Cat3(config-if-range)#
Cat4(config-if-range)#do sh int | in errd
Cat4(config-if-range)#
Looks good so far. Now let's verify that only the VLANs we specified are indeed allowed on the trunks.
Cat3550-1(config)#do sh int trunk | beg allowed
Port Vlans allowed on trunk
Po14 1-4094
Po13 1-4094
Po12 1-4094
Port Vlans allowed and active in management domain
Po14 1,12,40,100,200,300,567
Po13 1,12,40,100,200,300,567
Po12 1,12,40,100,200,300,567
Port Vlans in spanning tree forwarding state and not pruned
Po14 1
Po13 1
Po12 1,100,300,567
Cat3560-2(config-if-range)#do sh int trunk | beg allowed
Port Vlans allowed on trunk
Po12 1-4094
Po23 1-4094
Po24 1-4094
Port Vlans allowed and active in management domain
Po12 1,12,40,100,200,300,567
Po23 1,12,40,100,200,300,567
Po24 1,12,40,100,200,300,567
Port Vlans in spanning tree forwarding state and not pruned
Po12 12,40,100,567
Po23 1
Po24 none
Cat3560-3(config-if-range)#do sh int trunk | beg allowed
Port Vlans allowed on trunk
Po13 1-4094
Po23 1-4094
Po34 1-4094
Port Vlans allowed and active in management domain
Po13 1,12,40,100,200,300,567
Po23 1,12,40,100,200,300,567
Po34 1,12,40,100,200,300,567
Port Vlans in spanning tree forwarding state and not pruned
Po13 1,12,40,100,300,567
Po23 1
Po34 1
Cat3560-4(config-if-range)#do sh int trunk | beg allowed
Port Vlans allowed on trunk
Po14 1-4094
Po24 1-4094
Po34 1-4094
Port Vlans allowed and active in management domain
Po14 1,12,40,100,200,300,567
Po24 1,12,40,100,200,300,567
Po34 1,12,40,100,200,300,567
Port Vlans in spanning tree forwarding state and not pruned
Po14 12,40,100,300,567
Po24 1
Po34 1
Nicely done.
As the switches exchange information about which active VLANs they have (and prune some) and as spanning tree takes place and blocks links, you'll find different results in the last section of that command. This is where we MAY need to pay attention though to watch our traffic flows.
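Checking the two trunk requirements from tasks 2.5 and 2.6 by eye across twelve port-channels is error-prone, so here is an added example (not part of the IPexpert guide) that parses "show interfaces trunk" output and reports any trunk whose encapsulation is not 802.1q, whose native VLAN would leave untagged, or whose allowed list is wider than the intended set. The sample output is constructed: Po13 is configured as the tasks ask, and Po99 is a hypothetical trunk left at defaults so the audit has something to flag; the native-tagging state is passed in because it comes from "show vlan dot1q tag native", not from the trunk table.

```python
from typing import Dict, List, Set

# Constructed sample of "show interfaces trunk" output (not a capture from the
# lab racks). Po13 is what tasks 2.5/2.6 ask for; Po99 is a hypothetical trunk
# left at its defaults so the audit has something to flag.
SAMPLE_SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Po13        desirable    802.1q         trunking      1
Po99        desirable    isl            trunking      1

Port        Vlans allowed on trunk
Po13        1,12,40,100,300,567
Po99        1-4094

Port        Vlans allowed and active in management domain
Po13        1,12,40,100,300,567
Po99        1,12,40,100,300,567

Port        Vlans in spanning tree forwarding state and not pruned
Po13        1,12,40,100,300,567
Po99        1
"""

# The VLAN list configured in task 2.6.
INTENDED_VLANS: Set[int] = {1, 12, 40, 100, 300, 567}


def expand_vlan_list(text: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,12,40-42,100' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    if text.strip().lower() == "none":
        return vlans
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(output: str) -> Dict[str, dict]:
    """Parse the status table and the 'Vlans allowed on trunk' table.

    Returns {port: {"encap": str, "native": int, "allowed": Set[int]}}.
    """
    trunks: Dict[str, dict] = {}
    section = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            header = line.lower()
            if "encapsulation" in header:
                section = "status"
            elif "allowed on trunk" in header:
                section = "allowed"
            else:
                section = None  # the remaining tables are not audited here
            continue
        fields = line.split()
        port = fields[0]
        if section == "status":
            trunks[port] = {"encap": fields[2], "native": int(fields[4])}
        elif section == "allowed" and port in trunks:
            trunks[port]["allowed"] = expand_vlan_list(fields[1])
    return trunks


def audit_trunks(output: str, intended: Set[int],
                 native_tagging_enabled: bool) -> Dict[str, List[str]]:
    """Return {port: [findings]} for trunks that violate tasks 2.5 or 2.6.

    native_tagging_enabled mirrors 'show vlan dot1q tag native'; pass the
    switch-wide result in, since the trunk table alone cannot show it.
    """
    findings: Dict[str, List[str]] = {}
    for port, info in parse_show_trunk(output).items():
        problems: List[str] = []
        if info["encap"].lower() != "802.1q":
            problems.append(f"encapsulation is {info['encap']}, expected 802.1q")
        # Without 'vlan dot1q tag native', native-VLAN frames leave the trunk
        # untagged, which breaks the "every packet carries its VLAN ID" rule.
        if not native_tagging_enabled:
            problems.append(f"native VLAN {info['native']} is sent untagged")
        extra = info.get("allowed", set()) - intended
        if extra:
            problems.append(f"{len(extra)} VLANs allowed beyond the intended list")
        if problems:
            findings[port] = problems
    return findings
```

Feed it the "| beg allowed" form from above and only the allowed-list check runs; feed it the full table and all three checks run.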
2.7 Make sure that any unused ports do not remain in “auto” mode.
This is a time to do some tedious work. You could do a "show interface switchport" on all interfaces, but you'd get lots of extra stuff. Let's pare it down a little.
Cat1 - Cat4
do sh int switch | in Name|Administrative Mode|Operational Mode
Cat4(config-if-range)#$ Name|Administrative Mode|Operational Mode
Name: Fa0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/2
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/3
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/4
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/5
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/6
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/7
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/8
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/9
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/10
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/11
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/12
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/13
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/14
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/15
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/16
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/17
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/18
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/19
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/20
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/21
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/22
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/23
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Fa0/24
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Gi0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Gi0/2
Administrative Mode: dynamic auto
Operational Mode: down
Name: Po14
Administrative Mode: trunk
Operational Mode: trunk
Name: Po24
Administrative Mode: trunk
Operational Mode: trunk
Name: Po34
Administrative Mode: trunk
Operational Mode: trunk
Cat4(config-if-range)#
That's a little long-winded still, but it tells us what mode these ports are in. 3560's are "dynamic auto". 3550's are "dynamic desirable". So the Cat2, Cat3 and Cat4 ports are the ones we need to change. It may be worthwhile to ask the proctor whether the "auto" just meant dynamic, or specifically the word "auto". You may need to change them on all switches.
Cat1
int range Fa0/2-4 , Fa0/6-10 , Fa0/12-18 , gi0/1
switchport mode access
Cat2
int range Fa0/2-5 , Fa0/8, Fa0/10-12 , Fa0/14-18 , gi0/1-2
switchport mode access
Cat3
int range Fa0/1-4 , Fa0/5-18 , gi0/1-2
switchport mode access
Cat4
int range Fa0/1-18 , gi0/1-2
switchport mode access
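Picking the right ports out of that filtered "show interfaces switchport" listing by hand is where mistakes creep in, so here is an added example (not part of the IPexpert guide) that parses the filtered output, lists every port whose administrative mode would still let DTP negotiate for it, and collapses the result into the "interface range" form used above. The sample output is constructed, not captured from the lab racks; the strict_auto_only flag reflects the proctor question above about whether "auto" means only "dynamic auto" or any dynamic mode.

```python
import re
from typing import Dict, List

# Constructed excerpt of
#   show interfaces switchport | in Name|Administrative Mode|Operational Mode
# (not a capture from the lab racks); it mixes the cases the audit must tell apart.
SAMPLE_SWITCHPORT = """\
Name: Fa0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/2
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/3
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/6
Administrative Mode: dynamic desirable
Operational Mode: static access
Name: Fa0/19
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Gi0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Po14
Administrative Mode: trunk
Operational Mode: trunk
"""


def parse_switchport_modes(output: str) -> Dict[str, Dict[str, str]]:
    """Turn the filtered output into {port: {"admin": ..., "oper": ...}}."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            ports[current] = {}
        elif current and key == "Administrative Mode":
            ports[current]["admin"] = value
        elif current and key == "Operational Mode":
            ports[current]["oper"] = value
    return ports


def ports_still_negotiating(output: str, strict_auto_only: bool = False) -> List[str]:
    """Ports whose administrative mode still lets DTP negotiate for them.

    strict_auto_only=True reads task 2.7 literally ("auto" == 'dynamic auto');
    False treats any dynamic mode as unfinished, the safer reading, since
    'dynamic desirable' negotiates a trunk even more readily than 'dynamic auto'.
    """
    flagged: List[str] = []
    for port, modes in parse_switchport_modes(output).items():
        admin = modes.get("admin", "")
        if not admin.startswith("dynamic"):
            continue  # 'trunk' and 'static access' ports are already nailed down
        if strict_auto_only and admin != "dynamic auto":
            continue
        flagged.append(port)
    return flagged


def to_interface_range(ports: List[str]) -> str:
    """Collapse ['Fa0/1', 'Fa0/2', 'Fa0/3', 'Gi0/1'] into 'Fa0/1-3 , Gi0/1',
    the form the 'interface range' command accepts."""
    pieces: List[str] = []
    run: List[tuple] = []  # consecutive (prefix, number) pairs

    def flush() -> None:
        if run:
            prefix, first = run[0]
            last = run[-1][1]
            pieces.append(f"{prefix}{first}" if first == last else f"{prefix}{first}-{last}")
            run.clear()

    for port in ports:
        m = re.fullmatch(r"([A-Za-z]+\d+/)(\d+)", port)
        if not m:  # names without a slot/port number (e.g. Po14) stay as-is
            flush()
            pieces.append(port)
            continue
        prefix, num = m.group(1), int(m.group(2))
        if not (run and run[-1][0] == prefix and run[-1][1] == num - 1):
            flush()
        run.append((prefix, num))
    flush()
    return " , ".join(pieces)
```

Run it against the output of each switch before and after the change; an empty list afterwards is the result task 2.7 asks for.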
We should see a difference now.
Cat4(config-if-range)#$ Name|Administrative Mode|Operational Mode
Name: Fa0/1
Administrative Mode: static access
Operational Mode: down
Name: Fa0/2
Administrative Mode: static access
Operational Mode: down
Name: Fa0/3
Administrative Mode: static access
Operational Mode: down
Name: Fa0/4
Administrative Mode: static access
Operational Mode: down
Name: Fa0/5
Administrative Mode: static access
Operational Mode: down
Name: Fa0/6
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/7
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/8
Administrative Mode: static access
Operational Mode: down
Name: Fa0/9
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/10
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/11
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/12
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/13
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/14
Administrative Mode: static access
Operational Mode: down
Name: Fa0/15
Administrative Mode: static access
Operational Mode: down
Name: Fa0/16
Administrative Mode: static access
Operational Mode: down
Name: Fa0/17
Administrative Mode: static access
Operational Mode: down
Name: Fa0/18
Administrative Mode: static access
Operational Mode: down
Name: Fa0/19
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/20
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/21
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/22
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/23
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Fa0/24
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Gi0/1
Administrative Mode: static access
Operational Mode: down
Name: Gi0/2
Administrative Mode: static access
Operational Mode: down
Name: Po14
Administrative Mode: trunk
Operational Mode: trunk
Name: Po24
Administrative Mode: trunk
Operational Mode: trunk
Name: Po34
Administrative Mode: trunk
Operational Mode: trunk
2.8 Any unused ports should be placed in VLAN567.
At least we can keep the same ranges. We just need to change the VLAN now.
Cat1
int range Fa0/2-3 , Fa0/6-10 , Fa0/12-18 , gi0/1
switchport access vlan 567
Cat2
int range Fa0/2-5 , Fa0/8, Fa0/10-12 , Fa0/14-18 , gi0/1-2
switchport access vlan 567
Cat3
int range Fa0/1-4 , Fa0/5-18 , gi0/1-2
switchport access vlan 567
Cat4
int range Fa0/1-18 , gi0/1-2
switchport access vlan 567
Cat4(config-if)#do sh vl br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
12 VLANB active
40 VLANC active
100 VLANA active
300 VLANF active
567 VLAND active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Gi0/1, Gi0/2
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
Cat4(config-if)#
You can check them on all switches to be sure, but the important parts are that nothing is in VLAN 1, and that these ports are in VLAN 567.
2.9 Enable Cat2 to authenticate 802.1x clients. The server IP address to use is 150.100.220.100 with a key of ipexpert.
Plain and simple here. 802.1X must use RADIUS in order to do authentication. That is the spec, there is no grey area for interpretation.
Dot1x needs to be turned on.
Cat2
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
radius-server host 150.100.220.100 key ipexpert
To avoid further complications with any port using "login" you'll want to create a workaround.
Cat2
aaa authentication login default line
This will use the line password asked for with the telnet ability. Otherwise you may find yourself locked out of the device. Not good.
Don't forget console as well. Even though there's no "login" there, it still will lock you out. You'll get:
--------------
Cat2 con0 is now available
Press RETURN to get started.
% Authentication failed.
---------------
The proctor will NOT do password recovery for grading you. So let's change the above:
no aaa authentication login default
aaa authentication login MyVTY line
aaa authentication login MyCon none
line con 0
login authentication MyCon
line vty 0 4
login authentication MyVTY
The bottom line is that while it is very irritating to lock yourself out of a switch it is MUCH better than locking the proctor out.
Another thing you may do is "reload in 10" on the switch. If you haven't validated your config and cancelled the reload, then at least you will fix things yourself.
(Do NOT save unvalidated configurations...)
Check things out:
Cat2(config-line)#do sh aaa server
RADIUS: id 1, priority 1, host 150.100.220.100, auth-port 1645, acct-port 1646
State: current UP, duration 2562s, previous duration 0s
Dead: total time 0s, count 0
Authen: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 4d2h17m
Cat2(config-line)#
Given that there is no real server, or hosts to trigger anything, I would be surprised if the numbers were different from 0 right now. But it's good to see that the configuration is up and operational.
2.10 Verify that Fa0/6 connected to R6 is always in an authorized state.
There are 3 modes: force-authorized, force-unauthorized and auto, which requires authorization. The only mode that actually sends the EAP beacon is "auto". The others are forced, manual actions.
Cat2
int Fa0/6
switchport mode access
dot1x port-control force-authorized
As a note, the dot1x command does not even appear until the port is put into access mode. This may be a pain to troubleshoot.
A quick check:
Cat2(config)#do sh dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Critical Recovery Delay 100
Critical EAPOL Disabled
Dot1x Info for FastEthernet0/6
-----------------------------------
PAE = AUTHENTICATOR
PortControl = FORCE_AUTHORIZED
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
2.11 Configure Fa0/18 on Cat2 to check to see if the client connected is capable of 802.1x authentications.
Just like we looked at above, there are three modes, but now we are asked to "see" whether the host is capable. While there is no query option, if we send out an EAP beacon and there is no response, that's a simple way to determine they weren't capable and not let them on. (More to come in other labs with some additional security steps or details to add in here, but for now, keep things simple.)
Cat2
int Fa0/18
switchport mode access
dot1x port-control auto
Cat2(config-if)#do sh dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Critical Recovery Delay 100
Critical EAPOL Disabled
Dot1x Info for FastEthernet0/6
-----------------------------------
PAE = AUTHENTICATOR
PortControl = FORCE_AUTHORIZED
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x Info for FastEthernet0/18
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
2.12 Cat1 Fa0/5 should temporarily bypass the listening and learning stage to transition directly into a forwarding mode.
This should be a relatively simple question. At least once you get beyond the initial confusion of a vague question.
Cat1
int Fa0/5
spanning-tree portfast
You'll need to look at the diagrams and note which switch and port is involved. The word "temporarily" throws some confusion at you, although if a BPDU is received, the port will no longer be forwarding. But the only way to "bypass" any of the stages of spanning tree is to use portfast or to disable spanning-tree completely.
Cat1(config-if)#do sh spann int Fa0/5
VLAN Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0567 Desg FWD 19 128.5 P2p Edge
This doesn't verify the portfast state, but it will at least verify you are in a forwarding state, and not seen as a spanning-tree peer.
2.13 Assure that Cat2 becomes the root switch for VLAN100 with one command.
So when we start at this, is Cat2 root at all?
Cat2(config-if)#do sh spanning-tree | in root|VLAN
VLAN0001
VLAN0012
VLAN0040
VLAN0100
VLAN0300
VLAN0567
Nope, doesn't look like it. Sometimes it's difficult to tell because of the typical spanning-tree election process. We may end up with simply the lowest MACs on Cat2, in which case this task would appear moot. But at least in my rack, this isn't the case.
One simple command. Note that it's "becomes" so we'd expect things to change. Right now, we have several VLANs but no root status.
Cat2
spanning-tree vlan 100 root primary
Now, check it out again....
Cat2(config)#do sh spanning-tree | in root|VLAN
VLAN0001
VLAN0012
VLAN0040
VLAN0100
This bridge is the root
VLAN0300
VLAN0567
Cat2(config)#
Good stuff. Keep paying attention through the labs on the various GREP manipulations that we do in order to make the show commands focus on exactly what you want/need.
We may find some additional things/changes that are needed based on later requirements, but we'll get there later. It is good to be able to see this ahead of time though.
2.14 Configure Fa0/5 that R5 connects to so that the switch will only allow this learned MAC address to communicate through this port. If any other MAC addresses are learned on this port Cat2 should shut it down for a period of three hours.
Wording here is a little vague. Basically, we are talking about Port Security. The hard part is interpreting the words about "learned MAC address". Typically this refers to dynamically learned things, but how do we determine what is correct?
In this instance, we know R5's MAC because we can either go look at it, or we can enable port-security and look first.
Cat1
int Fa0/5
switchport mode access
switchport port-security
switchport port-security maximum 1 (default)
switchport port-security violation shutdown (default)
Ask the proctor whether it should be hard-coded for the R5 MAC that's already there, or whether dynamic is OK. The port-security table won't survive a reload unless you use the "sticky" parameter. Do a "show interface Fa0/0" on R5 to get the MAC.
switchport port-security mac-address sticky
switchport port-security mac-address 0012.80b6.4cd8
Obviously, substitute the MAC address from your R5 there.
Verify to see things are good...
R5(config)#do sh int Fa0/0 | in bia
Hardware is MV96340 Ethernet, address is 0012.80b6.4cd8 (bia 0012.80b6.4cd8)
R5(config)#
Cat1(config-if)#do sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/5 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 5120
Cat1(config-if)#do sh port-security int Fa0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:VLAN : 0012.80b6.4cd8:567
Security Violation Count : 0
The next part of this is a little harder, though. The scenario says that the port should shut down for a period of three hours. There's nothing in the port-security commands dealing with this. We can set an aging time, but that's only good for aging out idle addresses, and our statically defined MAC with the "sticky" command kind of defeats that purpose.
This is where we need to know HOW something works to identify it. The "shutdown" violation puts the port into an errdisabled state, which lasts forever, or until you do a "shut" and "no shut" on the interface.
We can, however, make that recovery an automated process.
Cat1
errdisable recovery cause psecure-violation
errdisable recovery interval 10800
The measurement is in seconds. 3600 seconds in an hour, times three should be 10,800.
Cat1(config)#do sh errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Disabled
bpduguard Disabled
channel-misconfig Disabled
dhcp-rate-limit Disabled
dtp-flap Disabled
gbic-invalid Disabled
l2ptguard Disabled
link-flap Disabled
mac-limit Disabled
link-monitor-fail Disabled
loopback Disabled
oam-remote-failur Disabled
pagp-flap Disabled
port-mode-failure Disabled
psecure-violation Enabled
security-violatio Disabled
sfp-config-mismat Disabled
storm-control Disabled
udld Disabled
unicast-flood Disabled
vmps Disabled
Timer interval: 10800 seconds
Interfaces that will be enabled at the next timeout:
Looks good.
2.15 You have installed a Cisco® Intrusion Protection System on Fa0/7 of Cat1 and you would like to test out its functionality. Configure the Switch to take traffic that is received on VLAN300 and send a copy to your IPS.
This will involve a few different pieces. VLAN 300 is not really present on Cat1, which means we need to be thinking not about SPAN sessions, but about Remote SPAN sessions.
First, create a VLAN that we will use for the Remote SPAN sessions.
Cat1
VLAN 666
name IDS-VLAN
remote-span
exit
Next, set up the span sessions where VLAN 300 exists.
Cat2
monitor session 1 source vlan 300 rx
monitor session 1 destination remote VLAN 666
Cat3560-2#sh monitor session 1 det
Session 1
---------
Type : Remote Source Session
Source Ports :
RX Only : None
TX Only : None
Both : None
Source VLANs :
RX Only : 300
TX Only : None
Both : None
Source RSPAN VLAN : None
Destination Ports : None
Filter VLANs : None
Dest RSPAN VLAN : 666
3550s require using a reflector-port because of their ASICs; 3560s do not. Cat2 in our case is a 3560, so there's nothing to worry about here.
Then set up our new destination on Cat1.
monitor session 1 source remote VLAN 666
monitor session 1 destination interface Fa0/7
Cat1(config)#do sh monitor detail
Session 1
---------
Type : Remote Destination Session
Description : -
Source Ports :
RX Only : None
TX Only : None
Both : None
Source VLANs :
RX Only : None
TX Only : None
Both : None
Source RSPAN VLAN : 666
Destination Ports : Fa0/7
Encapsulation : Native
Ingress : Disabled
Reflector Port : None
Filter VLANs : None
Dest RSPAN VLAN : None
Oh yeah... Don't forget to go back and add VLAN 666 into your list of allowed VLANs over your trunks. This is one of those implied things to do.
Cat1
int range Fa0/19 - 24 , po12 , po13 , po 14
switchport trunk allowed vlan 1,12,40,100,300,567,666
Change the PortChannel numbers as you enter the command on the other switches.
Cat2
int range Fa0/19 - 24 , po12 , po23 , po 24
switchport trunk allowed vlan 1,12,40,100,300,567,666
Cat3
int range Fa0/19 - 24 , po13 , po23 , po 34
switchport trunk allowed vlan 1,12,40,100,300,567,666
Cat4
int range Fa0/19 - 24 , po14 , po24 , po 34
switchport trunk allowed vlan 1,12,40,100,300,567,666
As another important note, we probably want to be sure that this VLAN will not get pruned, since traffic on it is only an occasional thing.
Cat1
int range Fa0/19 - 24 , po12 , po13 , po 14
switchport trunk pruning vlan remove 666
Cat2
int range Fa0/19 - 24 , po12 , po23 , po 24
switchport trunk pruning vlan remove 666
Cat3
int range Fa0/19 - 24 , po13 , po23 , po 34
switchport trunk pruning vlan remove 666
Cat4
int range Fa0/19 - 24 , po14 , po24 , po 34
switchport trunk pruning vlan remove 666
2.16 Configure VLAN567 to be in the IP Subnet 150.100.220.0/28. IP traffic should be routed. All switches will have an IP in VLAN567. Use .11, .12, .13, and .14 respectively
Configuring an IP address isn't incredibly difficult. However, if we consult the diagram or startup configs, we'll find that this instruction contradicts what we already have: we have a /24 on that network already.
Any time you receive conflicting information, it's good to involve the proctor to clarify. In this case, he'll just smile and say the lab tells you what to do (i.e., you need to change things).
R5
int Fa0/0
ip address 150.100.220.5 255.255.255.240
R6
int Fa0/0
ip address 150.100.220.6 255.255.255.240
R7
int Fa0/0
ip address 150.100.220.7 255.255.255.240
Cat1
ip routing
int VLAN 567
ip address 150.100.220.11 255.255.255.240
Cat2
ip routing
int vlan 567
ip address 150.100.220.12 255.255.255.240
Cat3
ip routing
int vlan 567
ip address 150.100.220.13 255.255.255.240
Cat4
ip routing
int vlan 567
ip address 150.100.220.14 255.255.255.240
Ping is a good test.
R5(config-if)#do ping 150.100.220.6 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.6, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R5(config-if)#do ping 150.100.220.7 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.7, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R5(config-if)#do ping 150.100.220.11 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.11, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R5(config-if)#do ping 150.100.220.12 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.12, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R5(config-if)#do ping 150.100.220.13 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.13, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms
R5(config-if)#do ping 150.100.220.14 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.14, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms
2.17 Configure all switches to be optimized for unicast routing.
This is all about memory allocation. Whenever a task talks about memory, optimization or things like that, there's only one command to think of: "sdm prefer" will get us working.
Cat1, Cat2, Cat3, Cat4
sdm prefer routing
Check it out:
Cat1(config)#do sh sdm p
The current template is the default template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1K VLANs.
number of unicast mac addresses: 5K
number of igmp groups: 1K
number of qos aces: 1K
number of security aces: 1K
number of unicast routes: 8K
number of multicast routes: 1K
The template stored for use after the next reload
is the routing template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1K VLANs.
number of unicast mac addresses: 5K
number of igmp groups: 1K
number of qos aces: 512
number of security aces: 512
number of unicast routes: 16K
number of multicast routes: 1K
Notice the difference there. What MAY happen on the next reload is not graded as ALREADY being functional. Don't forget to reload...
2.18 Configure OSPF between R5, R6, R7 and all four of your switches. Place VLAN 567, 100, 40, and 300 into the OSPF routing process. You may use Area 0 everywhere. Add interfaces on the switches for each of these VLANs. Use .11, .12, .13, and .14 respectively.
Now it's time to actually do some routing... Interestingly enough here, though, we had not been told to place our switches into those extra VLANs with IP addresses.
I suppose we'll need to look at that a little and configure that part as well. Otherwise, we won't be sharing anything anyway.
Cat1
int vlan 40
ip address 150.100.40.11 255.255.255.0
int vlan 100
ip address 100.100.100.11 255.255.255.0
int vlan 300
ip address 100.100.250.11 255.255.255.0
Cat2
int vlan 40
ip address 150.100.40.12 255.255.255.0
int vlan 100
ip address 100.100.100.12 255.255.255.0
int vlan 300
ip address 100.100.250.12 255.255.255.0
Cat3
int vlan 40
ip address 150.100.40.13 255.255.255.0
int vlan 100
ip address 100.100.100.13 255.255.255.0
int vlan 300
ip address 100.100.250.13 255.255.255.0
Cat4
int vlan 40
ip address 150.100.40.14 255.255.255.0
int vlan 100
ip address 100.100.100.14 255.255.255.0
int vlan 300
ip address 100.100.250.14 255.255.255.0
Next comes the routing part. Realistically, we don't need to peer over every single VLAN, and we weren't given any instructions on this either. Asking for clarification is good, but likely only one peering set is necessary.
Cat1, Cat2, Cat3, Cat4
router ospf 1
passive-interface default
network 150.100.40.0 0.0.0.255 area 0
network 100.100.100.0 0.0.0.255 area 0
network 100.100.250.0 0.0.0.255 area 0
network 150.100.220.0 0.0.0.15 area 0
no passive-interface Vlan567
Keep in mind, you will not have pingability between routers per se. If you want to actually have this, you'll need to put a default route into each of your routers pointing to the local SVI in order for it to work. We weren't asked to, so why bother?
We'll start to see that things aren't working very well, because we have switches not peering the way they should be. They'll alternate from DOWN to INIT to EXSTART and seem to cycle in that order. Try looking at "debug ip ospf adjacency" and see what's happening.
Cat3(config-router)#
10w1d: OSPF: Send DBD to 150.100.220.12 on VLAN567 seq 0x1CD1 opt 0x52 flag 0x7
len 32
10w1d: OSPF: Retransmitting DBD to 150.100.220.12 on VLAN567 [8]
10w1d: OSPF: Rcv DBD from 150.100.220.12 on VLAN567 seq 0x1CD1 opt 0x52 flag 0x2
len 132 mtu 1504 state EXSTART
10w1d: OSPF: Nbr 150.100.220.12 has larger interface MTU
Cat3(config-router)#
MTU mismatches. Switches will have different base MTU sizes depending on what's happening and what has been previously configured.
On a 3560, you can use "system mtu routing 1500" if you'd like. 3550's don't have that option.
Or we can go to each switch and simply tell it to ignore the MTU size.
Cat1, Cat2, Cat3, Cat4
int VLAN 567
ip ospf mtu-ignore
Once that is done, you should see all peers come up. Will we see any routes? Nope, not the way we did things here. Why not? Because all routes will be connected routes since we put all switches in all VLANs.
There weren't any instructions in this lab about reachability or doing much with the actual routers, so it's not a great worry. The multiprotocol labs will make us thoroughly familiar with this method of thinking. So just wait.
2.19 Configure R5, R6, Cat1, and Cat2 to receive their time from R7. All of the devices should be in CST (-6) as well as adjust for Day Light Savings.
So now it's a matter of setting the clocks on the devices. The switches don't have a built-in clock mechanism (ISR routers do), so at least we'll see the difference.
Cat4(config-if)#do sh clock
*18:59:37.634 UTC Tue May 11 1993
Cat4(config-if)#
R5, R6, R7, Cat1, Cat2, Cat3, Cat4
clock timezone CST -6
clock summer-time CDT recurring
While loopbacks may be a great way to give a resilient interface to base time on, we don't have any routing established on R5, R6 or R7 in order to find R7's loopback. So for simplicity here, I'd go with the Fa0/0 interface that is connected to everyone.
R7
ntp source Fa0/0
ntp master
Check the time to see if we need to change the clock (exec command "clock set") or not.
R7(config)#do sh clock
13:30:33.440 CST Wed Jan 23 2008
R7(config)#
Looks good. Now let's activate it.
R5, R6, Cat1, Cat2, Cat3, Cat4
ntp server 150.100.220.7
Cat4(config)#do sh ntp assoc
address ref clock st when poll reach delay offset disp
*~150.100.220.7 127.127.7.1 8 0 64 377 1.7 0.17 0.1
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Cat4(config)#do sh ntp status
Clock is synchronized, stratum 9, reference is 150.100.220.7
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**18
reference time is CB4214C9.550914DE (13:32:25.332 CST Wed Jan 23 2008)
clock offset is 0.1737 msec, root delay is 1.72 msec
root dispersion is 0.34 msec, peer dispersion is 0.14 msec
And most importantly:
Cat4(config)#do sh clock
13:32:48.272 CST Wed Jan 23 2008
Cat4(config)#
Excellent.
2.20 Configure Cat1 to age out MAC addresses 50 seconds longer than the default value for devices in VLAN 567.
This is one of those things to look at the DocCD for. The command reference guide will always contain default values as well.
Cat1
mac address-table aging-time 350 VLAN 567
2.21 On Cat1, create VLAN 86, assign ports Fa0/14, 15, 16, and 17 to this VLAN. This VLAN belongs to the IT department, make sure that these ports bypass listening and learning state, DO NOT use VLAN database to create the VLAN. A Smart Port macro should be used to create the VLAN and assign the ports and the configuration to the VLAN.
Using global configuration (and execution) we can create the macro and apply it nicely. Each of the interfaces will need to be listed out. Macros and interface ranges do not play nicely with one another.
Cat1
macro name IT-VLAN
VLAN 86
name IT-Dept
exit
interface Fa0/14
switchport access VLAN 86
spanning-tree portfast
interface Fa0/15
switchport access VLAN 86
spanning-tree portfast
interface Fa0/16
switchport access VLAN 86
spanning-tree portfast
interface Fa0/17
switchport access VLAN 86
spanning-tree portfast
exit
@
Then actually engage the macro. Check things out before:
Cat1(config)#do sh run int Fa0/14
Building configuration...
Current configuration : 86 bytes
.
interface FastEthernet0/14
switchport access VLAN 567
switchport mode access
end
Cat1
macro global apply IT-VLAN
And check out after:
Cat1(config)#do sh run int Fa0/14
Building configuration...
Current configuration : 109 bytes
.
interface FastEthernet0/14
switchport access VLAN 86
switchport mode access
spanning-tree portfast
end
2.22 Configure Cat1 such that if port Fa0/14 receives BPDU packets it should transition into down/down err-disable state.
This should actually be a simple command. Very few commands have anything to do with BPDUs. Even fewer will shut a port down. This can be a method of searching the DocCD Command Reference guide if you aren't familiar with it.
Cat1
int Fa0/14
spanning-tree bpduguard enable
Even though we've enabled portfast on these ports, BPDU Guard is not enabled by default unless you have entered the global command (spanning-tree portfast bpduguard default).
2.23 Configure Cat3 & Cat4 such that if ports Fa0/15 and/or Fa0/16 receive BPDU packets they should transition into down/down err-disable state, and they should stay in that state for a period of 380 seconds. After 380 seconds they should automatically recover and transition into UP/UP state; however, if these ports receive BPDU packets again, the cycle should be repeated.
Now we're manipulating Cat3 and Cat4. A similar line of thinking, but in the last step we were happy that ports were forced to be errdisabled. Here, we want automatic recovery. We've worked with this before.
Cat3, Cat4
int range Fa0/15 - 16
spanning-tree bpduguard enable
exit
errdisable recovery cause bpduguard
errdisable recovery interval 380
2.24 You would like to monitor the activity on port Fa0/18 of Cat2 as clients connect their laptops to this port. Configure the switch such that when it learns/removes a MAC address an SNMP notification is generated and sent to the Network Management Server at 150.100.40.40. Since this is a very busy network, setup a trap interval so these messages are sent every 120 seconds with up to 50 entries, in order to reduce the bandwidth consumption. Use a read only SNMP community of “Port18”.
This is going to get us involved with the wonderful world of SNMP servers as well. The word "trap" or "Network Management Server" should certainly have tipped us off in this direction.
So the SNMP portion is easy to do. We can set up a community for polling if we want (it also helps with restricting which traps we send to which NMS server).
Cat2
snmp-server community Port18 RO
snmp-server enable traps MAC-Notification
snmp-server host 150.100.40.40 Port18 MAC-Notification
Then the part about how many notifications gets a little more confusing. We could do this with snmp-server commands, but the drawback is that those commands would influence any and all SNMP traps we were sending. This may or may not be important to us (here it is not, but in the real lab it may be).
Cat2
mac-address-table notification interval 120
mac-address-table notification history-size 50
And then finally trigger the traps on the interface in question. They are not enabled by default.
Cat2
int Fa0/18
snmp trap mac-notification added
snmp trap mac-notification removed
2.25 On Cat3 and Cat4, ensure that ports Fa0/12 and Fa0/13 are in VLAN 90. DO NOT use the VLAN database or any global configuration mode command to create this VLAN. Ensure that these ports cannot communicate with each other even though they are in the same VLAN. An SVI should be created so hosts can reach the outside world. Use 150.100.90.0/24 as the network and .13 and .14 respectively.
We can do this the simple way or the hard way. In the lab, this choice is often determined by how many points we get for the solution. :)
The hard way would entail private VLANs to assure complete isolation from one another. But we're only given one VLAN to work with, and private VLANs require at least two VLANs to work.
So first, let's start with the VLAN. VLAN 90 doesn't exist.
Cat3(config-if)#do sh vl br
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
12 VLANB active
40 VLANC active
80 IT-Dept active
100 VLANA active
300 VLANF active
567 VLAND active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/11, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Gi0/1
Gi0/2
666 IDS-VLAN active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
Cat3(config-if)#
So we can create it. But, the lab says we can't do anything in global config mode or in VLAN database to create the VLAN. Anyone know VLAN-Making Voodoo Magic?
Actually, if you assign a port to a VLAN that doesn't exist, it will get created for you.
Cat3 , Cat4
int range Fa0/12 - 13
switchport access VLAN 90
% Access VLAN does not exist. Creating VLAN 90
Cat3(config-if-range)#
So that's another way to create a VLAN without typing the command in.
Cat3 & Cat4
int range Fa0/12 - 13
switchport protected
Cat4(config-if-range)#do sh int Fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 90 (VLAN0090)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-VLAN host-association: none
Administrative private-VLAN mapping: none
Administrative private-VLAN trunk native VLAN: none
Administrative private-VLAN trunk Native VLAN tagging: enabled
Administrative private-VLAN trunk encapsulation: dot1q
Administrative private-VLAN trunk normal VLANs: none
Administrative private-VLAN trunk associations: none
Administrative private-VLAN trunk mappings: none
Operational private-VLAN: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Cat4(config-if-range)#
Note the protected state there... Next, create the SVI on Cat3 and Cat4.
Cat3
interface Vlan90
ip address 150.100.90.13 255.255.255.0
Cat4
interface Vlan90
ip address 150.100.90.14 255.255.255.0
The devices connected to the ports cannot technically communicate with anything else in VLAN90 without going through the SVI first, so we don't need to add the VLAN to the trunks. But as there is nothing physically connected to these ports, we will go ahead and add VLAN 90 to the trunk between Cat3 and Cat4 to get the SVI to come up.
Cat3 & Cat4
interface port-channel 34
switchport trunk allowed vlan add 90
2.26 Ensure that only the following traffic is allowed to pass through VLAN 12
All non-IP frames sourced from MAC-address 000b.cd96.cc4f destined to any host
OSPF traffic and ICMP traffic
All other frames should be denied
VACLs or VLAN Filter Maps are the only things able to filter intra-VLAN traffic. So we need to look at setting up various filters. One thing to note is that MAC access-lists cannot be applied to IP traffic due to the ASIC and hardware architecture of the switches.
VLAN 12 only exists on Cat1, or at least that's the only switch with ports in it. So that'll make our configuration a little easier.
Cat1
mac access-list extended FilterMe
permit host 000b.cd96.cc4f any
access-list 101 permit ospf any any
access-list 101 permit icmp any any
vlan access-map Filter-VL12 10
action forward
match mac address FilterMe
vlan access-map Filter-VL12 20
action forward
match ip address 101
vlan access-map Filter-VL12 30
action drop
vlan filter Filter-VL12 vlan-list 12
And a quick test should let us know how we're doing.
R1(config)#do ping 150.100.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.100.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config)#
Uh, that's not very good. Time to debug.
R1(config)#do deb ip pack
IP packet debugging is on
R1(config)#do ping 150.100.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.100.12.2, timeout is 2 seconds:
*Jan 24 04:34:43.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), routed via RIB
*Jan 24 04:34:43.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, sending
*Jan 24 04:34:43.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:45.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), routed via RIB
*Jan 24 04:34:45.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, sending
*Jan 24 04:34:45.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:47.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), routed via RIB
*Jan 24 04:34:47.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, sending
*Jan 24 04:34:47.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:49.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), routed via RIB
*Jan 24 04:34:49.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, sending
*Jan 24 04:34:49.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:51.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), routed via RIB
*Jan 24 04:34:51.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, sending
*Jan 24 04:34:51.910: IP: s=150.100.12.1 (local), d=150.100.12.2
(FastEthernet0/0), len 100, encapsulation failed.
Success rate is 0 percent (0/5)
R1(config)#
Encapsulation failed isn't good either. This is a simple Ethernet link, how can this be?
R1(config)#do sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 100.100.100.1 - 0018.b921.9279 ARPA FastEthernet0/1
Internet 150.100.12.2 0 Incomplete ARPA
Internet 150.100.12.1 - 0018.b921.9278 ARPA FastEthernet0/0
R1(config)#
Ahhhh.... No ARP. ARP is not an IP packet, so it is subject to our MAC access-list, which denies everything other than that one particular host. In addition, if we don't want traffic looping through our network, we need to allow spanning tree in the ACL, or we are going to see all sorts of strange things start to happen.
Cat1
mac access-list extended FilterMe
permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000
Cat1(config-ext-macl)#do sh access-list
Extended IP access list 101
10 permit ospf any any
20 permit icmp any any
Extended MAC access list FilterMe
permit host 000b.cd96.cc4f any
permit any any 0x806 0x0
permit any any lsap 0xAAAA 0x0
Cat1(config-ext-macl)#
R1(config)#do ping 150.100.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.100.12.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R1(config)#
PVST+ uses LLC SNAP encapsulation equal to lsap 0xAAAA. STP and PVST use lsap 0x4242. Be sure to know what protocol you are working with when applying MAC access-lists.
THERE we go. Little things like this are important to note. ARP caches are cleared after 4 hours of inactivity or on reload. So you may not notice something like this until much later in the day. (And you are no longer thinking about Layer2 stuff at that point.)
2.27 Make sure that VLAN 40 will only carry IPv6 traffic. All other traffic should be discarded.
IPv6. Why do we have to deal with that here? Well, think about it. The restriction is that IPv6 is the ONLY type of traffic allowed to traverse VLAN 40. Everything else will be discarded. Who else better to monitor this than the switch?
We already have a little experience with MAC access-lists and matching an ethertype value (the 0x0806 above). So now we just need to find the ethertype value for IPv6.
The question is, how are we going to find that? Likely it will be supplied.
The ethertype for IPv6 is 0x86DD
Cat1
mac access-list extended IPv6-Only
permit any any 0x86dd 0x0000
vlan access-map IPv6 10
action forward
match mac address IPv6-Only
vlan access-map IPv6 20
action drop
vlan filter IPv6 vlan-list 40
Without having IPv6 hosts set up and/or configured, it is difficult to test this one out, but we applied the same logic that we did in the last task, so we should be good to go on this.
You will notice the OSPF neighbor relationships on Vlan40 go down. As we are just testing the functionality of the configuration aspects in this section, don't worry about this. But if this same thing happened in the actual lab, this would be a good time to speak with the proctor.
01:37:55: %OSPF-5-ADJCHG: Process 1, Nbr 150.100.220.12 on Vlan40 from 2WAY to
DOWN, Neighbor Down: Dead timer expired
Cat1(config)#
01:37:58: %OSPF-5-ADJCHG: Process 1, Nbr 150.100.220.13 on Vlan40 from FULL to
DOWN, Neighbor Down: Dead timer expired
Cat1(config)#
01:38:00: %OSPF-5-ADJCHG: Process 1, Nbr 150.100.220.14 on Vlan40 from FULL to
DOWN, Neighbor Down: Dead timer expired
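The VACL behaviour worked through in tasks 2.26 and 2.27 (ARP and PVST+ BPDUs dropped by the first version of FilterMe, the fix, the lsap 0x4242 caveat for IEEE STP, and why the IPv6-only map on VLAN 40 drops the IPv4 OSPF hellos and takes the adjacencies down), as an added Python model that is not IOS code or output from the guide. It assumes the 3560 rules stated above (a MAC ACL match is consulted only for non-IP frames, an IP ACL match only for IPv4) and uses constructed sample frames; R1's and the permitted host's MACs come from the guide, while R2_MAC and SWITCH_MAC are made-up values.

```python
"""Toy model of Catalyst VLAN access-map (VACL) evaluation for tasks 2.26 and 2.27 (added
example, not IOS code): 'match mac address' sees only non-IP frames, 'match ip address' only
IPv4, sequences are walked in order, and a sequence with no match clause matches everything."""
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_OSPF = 1, 6, 89
# R1 Fa0/0 and the permitted host are taken from the guide's 'show arp' and ACL; the rest are made up.
R1_MAC, SPECIAL_HOST = "0018b9219278", "000bcd96cc4f"
R2_MAC, SWITCH_MAC = "0018b921aaaa", "001a2b3c4d5e"  # constructed sample values

def parse_frame(frame: bytes) -> dict:
    """Extract the fields the ACLs match on: source MAC, EtherType, LLC DSAP/SSAP, IP protocol."""
    type_len = struct.unpack("!H", frame[12:14])[0]
    info = {"src": frame[6:12].hex(), "ethertype": None, "lsap": None, "ip_proto": None}
    if type_len >= 0x0600:                      # Ethernet II: the field is an EtherType
        info["ethertype"] = type_len
        if type_len == ETHERTYPE_IPV4:
            info["ip_proto"] = frame[14 + 9]    # IPv4 header, protocol field at offset 9
    else:                                       # IEEE 802.3 length field: LLC header follows
        info["lsap"] = (frame[14] << 8) | frame[15]   # DSAP:SSAP, 0xAAAA = SNAP (PVST+)
    return info

def mac_acl_permits(acl: list, info: dict) -> bool:
    """Entries: (src_mac or 'any', kind, value, mask), kind in {None, 'ethertype', 'lsap'}.
    As in IOS, the mask marks don't-care bits, so 0x0000 means an exact match."""
    for src, kind, value, mask in acl:
        if src != "any" and src != info["src"]:
            continue
        if kind is None:                        # e.g. 'permit host 000b.cd96.cc4f any'
            return True
        field = info["ethertype"] if kind == "ethertype" else info["lsap"]
        if field is not None and (field & ~mask & 0xFFFF) == (value & ~mask & 0xFFFF):
            return True
    return False                                # implicit deny at the end of the list

def ip_acl_permits(acl: list, info: dict) -> bool:
    """Entries: IP protocol numbers permitted 'any any' (ospf = 89, icmp = 1)."""
    return info["ip_proto"] in acl

def vacl_action(access_map: list, mac_acls: dict, ip_acls: dict, frame: bytes) -> str:
    """Walk the access-map sequences in order and return 'forward' or 'drop'."""
    info = parse_frame(frame)
    is_ip = info["ethertype"] == ETHERTYPE_IPV4
    for action, match_kind, acl_name in access_map:
        if match_kind is None:                  # sequence with no match clause
            return action
        if match_kind == "mac" and not is_ip and mac_acl_permits(mac_acls[acl_name], info):
            return action
        if match_kind == "ip" and is_ip and ip_acl_permits(ip_acls[acl_name], info):
            return action
    return "drop"   # not reached with the guide's maps: both end in an unconditional drop

def eth2(src: str, ethertype: int, payload: bytes, dst: str = "ffffffffffff") -> bytes:
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload

def ipv4(proto: int) -> bytes:
    """Minimal 20-byte IPv4 header: version/IHL 0x45 and the protocol byte only."""
    return bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10)

def llc(dsap: int, ssap: int, payload: bytes, src: str, dst: str) -> bytes:
    """IEEE 802.3 frame: length field, then LLC (DSAP, SSAP, control 0x03) and payload."""
    body = bytes([dsap, ssap, 0x03]) + payload
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", len(body)) + body

FRAMES = {  # constructed sample frames, not captures from the lab
    "arp_request_r1": eth2(R1_MAC, ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)),
    "icmp_echo_r1": eth2(R1_MAC, ETHERTYPE_IPV4, ipv4(IP_PROTO_ICMP), dst=R2_MAC),
    "ospf_hello": eth2(R1_MAC, ETHERTYPE_IPV4, ipv4(IP_PROTO_OSPF), dst="01005e000005"),
    "telnet_syn": eth2(R1_MAC, ETHERTYPE_IPV4, ipv4(IP_PROTO_TCP), dst=R2_MAC),
    # PVST+ BPDU: SNAP (AA AA 03) + Cisco OUI 00000c, PID 010b, to 0100.0ccc.cccd
    "pvst_bpdu": llc(0xAA, 0xAA, bytes.fromhex("00000c010b") + bytes(36), SWITCH_MAC, "01000ccccccd"),
    # IEEE 802.1D BPDU: plain LLC 42 42 03, to 0180.c200.0000 (lsap 0x4242, not 0xAAAA)
    "ieee_stp_bpdu": llc(0x42, 0x42, bytes(35), SWITCH_MAC, "0180c2000000"),
    "nonip_from_permitted_host": eth2(SPECIAL_HOST, 0x88B5, bytes(46)),
    "ipv6_ns": eth2(R1_MAC, ETHERTYPE_IPV6, bytes(40), dst="3333ff000001"),
}

# ACLs and access-maps as configured on Cat1 in the guide (before and after the ARP/STP fix)
FILTERME_BEFORE = [(SPECIAL_HOST, None, 0, 0)]
FILTERME_AFTER = FILTERME_BEFORE + [("any", "ethertype", 0x0806, 0x0000), ("any", "lsap", 0xAAAA, 0x0000)]
ACL_101 = [IP_PROTO_OSPF, IP_PROTO_ICMP]
IPV6_ONLY = [("any", "ethertype", 0x86DD, 0x0000)]
FILTER_VL12 = [("forward", "mac", "FilterMe"), ("forward", "ip", "101"), ("drop", None, None)]
IPV6_MAP = [("forward", "mac", "IPv6-Only"), ("drop", None, None)]

def evaluate_vlan12(fix_applied: bool) -> dict:
    """Action taken on each sample frame by 'vlan filter Filter-VL12 vlan-list 12'."""
    mac_acls = {"FilterMe": FILTERME_AFTER if fix_applied else FILTERME_BEFORE}
    return {n: vacl_action(FILTER_VL12, mac_acls, {"101": ACL_101}, f) for n, f in FRAMES.items()}

def evaluate_vlan40() -> dict:
    """Action taken on each sample frame by 'vlan filter IPv6 vlan-list 40'."""
    return {n: vacl_action(IPV6_MAP, {"IPv6-Only": IPV6_ONLY}, {}, f) for n, f in FRAMES.items()}

if __name__ == "__main__":
    for label, res in (("VLAN 12, FilterMe as first written", evaluate_vlan12(False)),
                       ("VLAN 12, after adding ARP and SNAP", evaluate_vlan12(True)),
                       ("VLAN 40, IPv6-only map", evaluate_vlan40())):
        print(label, *(f"\n  {n:26} {a}" for n, a in res.items()))
```

Running it shows the same picture as the debug session above: ARP from R1 is dropped until the 0x0806 entry is added, PVST+ BPDUs pass only with the lsap 0xAAAA entry while IEEE 802.1D BPDUs still do not, and on VLAN 40 every IPv4 frame, OSPF included, is dropped.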
2.28 On Cat3, ports Fa0/6 through Fa0/10 will utilize the 200.200.200.0/24 subnet. Allow ports Fa0/6 and Fa0/7 to talk to each other, but no other devices in this subnet should be allowed to speak intra-VLAN to each other. Create a VLAN interface to be used as the gateway out for this subnet as 200.200.200.200/24. Additional VLANs may be created.
Finally we have a chance to play with Private VLANs on our 3560 switches. There are three different types to consider: Isolated, Community and Promiscuous.
Fa0/6 and Fa0/7 will be in a Community VLAN since they are allowed to talk to each other. Fa0/8, Fa0/9 and Fa0/10 will be in an isolated VLAN.
As soon as we start to enter things, we will notice that all of our VLAN commands won't work since vtp mode must be transparent first. When things are added later in a lab that change things you were forced to do earlier, then that can get rather frustrating.
In real life, we would likely want to select another VTP server switch, but here in the lab we aren't asked to. Talking to the proctor about this certainly won't hurt. Cat1 is still in server mode.
Cat3
vtp mode transparent
vlan 2000
private-vlan primary
exit
vlan 2001
private-vlan isolated
exit
vlan 2002
private-vlan community
exit
vlan 2000
private-vlan association add 2001-2002
int range Fa0/6 - 7
switchport mode private-vlan host
switchport private-vlan host-association 2000 2002
int range Fa0/8 - 10
switchport mode private-vlan host
switchport private-vlan host-association 2000 2001
int vlan 2000
ip address 200.200.200.200 255.255.255.0
private-vlan mapping add 2001-2002
Cat3(config-if)#do sh vl pr
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
2000 2001 isolated Fa0/8, Fa0/9, Fa0/10
2000 2002 community Fa0/6, Fa0/7
Cat3(config-if)#
Cat3(config-if)#do sh int vl2000 private-vlan mapping
Interface Secondary VLANs
--------- --------------------------------------------------------------------
vlan2000 2001, 2002
This is exactly the way we should see things. While it looks like a lot of work to do to get this working, it's really not all that bad. Check out the "Configuring Private VLANs" part of the Configuration Guide and look at the sample configs. Cut 'n' Paste is your friend.
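To check the intended isolation port by port rather than only reading the show output, here is an added example (not from the IPexpert guide) that models the standard private-VLAN forwarding rules and loads the Cat3 configuration above into it. Port names and VLAN numbers come from the task; the class and function names are this example's own.

```python
# Added example (not from the IPexpert guide): model of private-VLAN
# forwarding rules populated with the Cat3 configuration from task 2.28.
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int
    kind: str                    # "isolated", "community" or "promiscuous"
    secondaries: FrozenSet[int]  # host port: its one secondary VLAN;
                                 # promiscuous port: the mapped secondaries


def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """True if Layer 2 traffic may flow directly between ports a and b.
    Rules: isolated <-> promiscuous only; community <-> same community or
    promiscuous; promiscuous <-> any secondary it has mapped."""
    if a.primary != b.primary:
        return False  # different private-VLAN domains
    if a.kind == "promiscuous" and b.kind == "promiscuous":
        return True
    if a.kind == "promiscuous":
        return b.secondaries <= a.secondaries  # host's secondary must be mapped
    if b.kind == "promiscuous":
        return a.secondaries <= b.secondaries
    if a.kind == "community" and b.kind == "community":
        return a.secondaries == b.secondaries  # same community VLAN only
    return False  # any pair involving an isolated host port


def build_cat3_ports() -> Dict[str, PvlanPort]:
    """Ports exactly as configured on Cat3 in the task."""
    ports: Dict[str, PvlanPort] = {}
    for n in (6, 7):
        ports[f"Fa0/{n}"] = PvlanPort(f"Fa0/{n}", 2000, "community", frozenset({2002}))
    for n in (8, 9, 10):
        ports[f"Fa0/{n}"] = PvlanPort(f"Fa0/{n}", 2000, "isolated", frozenset({2001}))
    # "private-vlan mapping add 2001-2002" makes the SVI act as a promiscuous port
    ports["Vlan2000"] = PvlanPort("Vlan2000", 2000, "promiscuous", frozenset({2001, 2002}))
    return ports


def allowed_pairs(ports: Dict[str, PvlanPort]) -> List[Tuple[str, str]]:
    """Every unordered pair of ports that may exchange traffic."""
    return sorted((a, b) for a, b in combinations(sorted(ports), 2)
                  if can_talk(ports[a], ports[b]))


def verify_task(ports: Dict[str, PvlanPort]) -> List[str]:
    """Check the task's requirements; returns a list of violations (empty = OK)."""
    problems: List[str] = []
    hosts = [p for p in ports.values() if p.kind != "promiscuous"]
    for a, b in combinations(hosts, 2):
        ok = can_talk(a, b)
        if {a.name, b.name} == {"Fa0/6", "Fa0/7"}:
            if not ok:
                problems.append(f"{a.name} and {b.name} should talk")
        elif ok:
            problems.append(f"{a.name} and {b.name} should be isolated")
    gw = ports["Vlan2000"]
    for h in hosts:
        if not can_talk(h, gw):
            problems.append(f"{h.name} cannot reach gateway {gw.name}")
    return problems


if __name__ == "__main__":
    p = build_cat3_ports()
    print("allowed:", allowed_pairs(p))
    print("violations:", verify_task(p) or "none")
```

The only host-to-host pair allowed is Fa0/6 with Fa0/7; every host can still reach the Vlan2000 gateway. Dropping 2001 from the SVI mapping makes `verify_task` report that the isolated ports have lost their gateway, which is the mistake the mapping command exists to prevent.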
2.29 Except in VLAN 100, Cat3 should not have any ports blocked by spanning tree.
This is another task that looks like it's messing with an earlier requirement. When we see mention of the word "blocking" we should associate this with spanning tree. We had an earlier requirement to make Cat2 the root of VLAN 100.
One of the few ways to assure that ALL ports are in a forwarding state is to become the root bridge. Or start rearranging your physical topology. :)
So for everything other than VLAN 100, we could become root. And looking at "show spanning-tree", it looks like we need to.
Cat3(config-if)#do sh spanning-tree | in VLAN|BLK
VLAN0001
Po23 Altn BLK 12 128.232 P2p
Po34 Altn BLK 12 128.320 P2p
VLAN0012
Po23 Altn BLK 12 128.232 P2p
Po34 Altn BLK 12 128.320 P2p
VLAN0040
Po23 Altn BLK 12 128.232 P2p
Po34 Altn BLK 12 128.320 P2p
VLAN0090
VLAN0100
Po13 Altn BLK 12 128.152 P2p
Po34 Altn BLK 12 128.320 P2p
VLAN0300
Po23 Altn BLK 12 128.232 P2p
Po34 Altn BLK 12 128.320 P2p
VLAN0567
Po23 Altn BLK 12 128.232 P2p
Po34 Altn BLK 12 128.320 P2p
VLAN0666
Po23 Altn BLK 12 128.232 P2p
Po34 Altn BLK 12 128.320 P2p
Cat3(config-if)#
We have lots of different things blocking there.
Cat3
spanning-tree vlan 1,12,40,90,300,567,666 root primary
Now what do things look like?
Cat3(config)#do sh spanning-tree | in VLAN|BLK
VLAN0001
VLAN0012
VLAN0040
VLAN0090
VLAN0100
Po13 Altn BLK 12 128.152 P2p
Po34 Altn BLK 12 128.320 P2p
VLAN0300
VLAN0567
VLAN0666
Cat3(config)#
MUCH better. Or, just to verify, run the show command a little differently.
Cat3(config)#do sh spanning-tree | in VLAN|BLK|is the root
VLAN0001
This bridge is the root
VLAN0012
This bridge is the root
VLAN0040
This bridge is the root
VLAN0090
This bridge is the root
VLAN0100
Po13 Altn BLK 12 128.152 P2p
Po34 Altn BLK 12 128.320 P2p
VLAN0300
This bridge is the root
VLAN0567
This bridge is the root
VLAN0666
This bridge is the root
Very nice.
Can we adjust VLAN 100 without becoming the root? Sure, make it a preferred path to go through. Adjust the spanning-tree cost to something less than alternate paths.
Cat3
int po13
spanning-tree vlan 100 cost 2
int po34
spanning-tree vlan 100 cost 2
Are they still blocking?
Cat3(config-if)#do sh spanning-tree | in VLAN|BLK|is the root
VLAN0001
This bridge is the root
VLAN0012
This bridge is the root
VLAN0040
This bridge is the root
VLAN0090
This bridge is the root
VLAN0100
Po13 Altn BLK 2 128.152 P2p
Po34 Altn BLK 2 128.320 P2p
VLAN0300
This bridge is the root
VLAN0567
This bridge is the root
VLAN0666
This bridge is the root
Cat3(config-if)#
Yes. Why? A cost of 2 looks great compared to the 12 it was normally. But remember that every switch is interconnected with every other switch, and spanning-tree cost is cumulative. No matter how small we make the cost on our side, the total path cost will still be more than that of the directly connected link.
We can always go and manipulate things in multiple places to affect the total path cost, but that isn't asked for in this lab task anyway.
2.30 In the event that Cat2 loses its link to Cat3, the path to the root bridge should go through Cat4 as quickly as possible. Do not use any “cost” or “priority” type commands on Cat2 to make this happen.
Time for some more spanning-tree manipulations. In order to change paths, we need to verify where we're going now. Right off, from Cat2 we look at how we currently reach Cat3 (since it's the root for most things).
Cat2(config-if)#do sh span | in VLAN|Root
VLAN0001
Root ID Priority 24577
Po23 Root FWD 12 128.248 P2p
VLAN0012
Root ID Priority 24588
Po23 Root FWD 12 128.248 P2p
VLAN0040
Root ID Priority 24616
Po23 Root FWD 12 128.248 P2p
VLAN0100
Root ID Priority 24676
VLAN0300
Root ID Priority 24776
Po23 Root FWD 12 128.248 P2p
VLAN0567
Root ID Priority 25143
Po23 Root FWD 12 128.248 P2p
VLAN0666
Root ID Priority 25242
Po23 Root FWD 12 128.248 P2p
Cat2(config-if)#
In the event of failure, it's all about recalculation of STP costs. So the cost can be changed (we're not allowed to), or if that's a tie, then port priority is looked at (not allowed either).
In MST and Rapid-PVST, we have Alternate and Backup ports to maintain fast failover. Prior to that, in PVST operation, we didn't have those. We did, however, have two manual methods: UplinkFast and BackboneFast. One was for designated ports, the other for root ports. Which to use?
Cisco Documentation. :) We'll find that BackboneFast was for designated ports (and the root bridge) and UplinkFast was for root ports. That's what we want. But this is a two-stage thing. UplinkFast just says that the switch will converge faster; we still have to make sure that the path to Cat4 is the next best choice. The task says not to use "priority" or "cost" commands on Cat2, but says nothing about other switches.
Cat3
int po34
spanning-tree cost 5
Remember that cost is cumulative: each switch adds the cost of its own local link itself (so setting this on Cat4 would accomplish nothing).
Cat2
spanning-tree uplinkfast
Cat2(config)#do sh span sum
Switch is in pvst mode
Root bridge for: VLAN0100
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is enabled
BackboneFast is disabled
Configured Pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 2 0 0 1 3
VLAN0012 1 0 0 2 3
VLAN0040 1 0 0 2 3
VLAN0100 0 0 0 4 4
VLAN0300 2 0 0 3 5
VLAN0567 2 0 0 6 8
VLAN0666 2 0 0 1 3
---------------------- -------- --------- -------- ---------- ----------
9 VLANs 14 0 0 23 37
Station update rate set to 150 packets/sec.
UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs) : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0
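Eyeballing filtered "show spanning-tree" output works for a lab, but the checks in tasks 2.29 (no blocked ports outside VLAN 100) and 2.30 (which port is the root port per VLAN) are easy to script. Here is an added example, not from the IPexpert guide, that parses the filtered Cat3 and Cat2 output re-typed from the pages above and answers both questions; the regexes and function names are this example's own assumptions about the output format.

```python
# Added example (not from the IPexpert guide): parser and checks for the
# filtered "show spanning-tree" output used in tasks 2.29 and 2.30.
import re
from typing import Dict, List, NamedTuple, Optional, Set

VLAN_RE = re.compile(r"^VLAN(\d{4})\s*$")
ROOT_RE = re.compile(r"^This bridge is the root")
ROOTID_RE = re.compile(r"^Root ID\s+Priority\s+(\d+)")
# e.g. "Po23 Altn BLK 12 128.232 P2p": interface, role, state, cost, prio.nbr
PORT_RE = re.compile(
    r"^(\S+)\s+(Root|Desg|Altn|Back|Mstr)\s+(FWD|BLK|LRN|LIS|LBK)\s+(\d+)\s+(\d+\.\d+)")


class PortEntry(NamedTuple):
    interface: str
    role: str
    state: str
    cost: int


class VlanStp:
    def __init__(self) -> None:
        self.is_root = False
        self.root_priority: Optional[int] = None
        self.ports: List[PortEntry] = []


def parse_stp(text: str) -> Dict[int, VlanStp]:
    """Parse (possibly '| include'-filtered) show spanning-tree output per VLAN."""
    vlans: Dict[int, VlanStp] = {}
    current: Optional[VlanStp] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:
            current = vlans.setdefault(int(m.group(1)), VlanStp())
            continue
        if current is None:
            continue  # ignore anything before the first VLAN header
        if ROOT_RE.match(line):
            current.is_root = True
            continue
        m = ROOTID_RE.match(line)
        if m:
            current.root_priority = int(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            current.ports.append(PortEntry(m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return vlans


def blocking_ports(vlans: Dict[int, VlanStp]) -> Dict[int, List[str]]:
    """VLAN -> interfaces in BLK state (VLANs with none are omitted)."""
    out: Dict[int, List[str]] = {}
    for vid, v in vlans.items():
        blk = [p.interface for p in v.ports if p.state == "BLK"]
        if blk:
            out[vid] = blk
    return out


def check_no_blocking_except(vlans: Dict[int, VlanStp], allowed: Set[int]) -> List[str]:
    """Task 2.29 check: every BLK port outside 'allowed' is a violation."""
    return [f"VLAN{vid:04d} {iface}"
            for vid, ifaces in sorted(blocking_ports(vlans).items())
            if vid not in allowed
            for iface in ifaces]


def root_ports(vlans: Dict[int, VlanStp]) -> Dict[int, Optional[str]]:
    """Task 2.30 view: the root port per VLAN (None when this bridge is root)."""
    return {vid: next((p.interface for p in v.ports if p.role == "Root"), None)
            for vid, v in vlans.items()}


# Sample text re-typed from the guide's Cat3 output after the cost change (task 2.29)
CAT3_AFTER = """VLAN0001
This bridge is the root
VLAN0012
This bridge is the root
VLAN0040
This bridge is the root
VLAN0090
This bridge is the root
VLAN0100
Po13 Altn BLK 2 128.152 P2p
Po34 Altn BLK 2 128.320 P2p
VLAN0300
This bridge is the root
VLAN0567
This bridge is the root
VLAN0666
This bridge is the root
"""

# Sample text re-typed (shortened) from the guide's Cat2 output (task 2.30)
CAT2_ROOT = """VLAN0001
Root ID Priority 24577
Po23 Root FWD 12 128.248 P2p
VLAN0012
Root ID Priority 24588
Po23 Root FWD 12 128.248 P2p
VLAN0100
Root ID Priority 24676
VLAN0300
Root ID Priority 24776
Po23 Root FWD 12 128.248 P2p
"""

if __name__ == "__main__":
    print("2.29 violations:", check_no_blocking_except(parse_stp(CAT3_AFTER), {100}) or "none")
    print("2.30 root ports:", root_ports(parse_stp(CAT2_ROOT)))
```

For the Cat3 sample the only blocked ports are Po13 and Po34 in VLAN 100, so the task 2.29 check passes; for the Cat2 sample every VLAN except 100 (where Cat2 is root) currently uses Po23, the direct link to Cat3, which is the path the task wants to fail over to Cat4.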
Technical Verification and Support
To verify your router and switch configurations please ensure that you have downloaded the latest configurations from your www.IPexpert.com account.
You may also verify your configurations within the Volume One Proctor Guide that you received along with this Workbook. You can find this document in the eBook section of your www.IPexpert.com account.
Support is also available in the following ways:
Mailing List: http://www.OnlineStudyList.com
Email: [email protected]