
IPexpert’s Detailed Solution Guide for the Cisco® CCIE™ v4 Routing & Switching Lab Exam Volume 1


Volume 1 – Introduction

IPexpert CCIE R&S Detailed Solutions Guide – Volume One

Before We Begin

This product is part of the IPexpert "Blended Learning Solution™" that provides CCIE candidates with a comprehensive training program. For information about the full solution, contact an IPexpert Training Advisor today.

Telephone: +1.810.326.1444
Email: sales@ipexpert.com

Congratulations! You now possess one of the ULTIMATE CCIE Routing & Switching Lab preparation resources available today! This resource was produced by senior engineers, technical instructors and authors, boasting decades of internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIE Routing & Switching Lab exam, we feel VERY confident that your chances of passing the Lab will improve dramatically after completing this industry-recognized Workbook! At the beginning of each section, you will be referred to a diagram of the network topology. All sections utilize the same physical topology, which can be rented at www.ProctorLabs.com.

Technical Support from IPexpert and your CCIE community!

IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our online communities have attracted a membership of nearly 20,000 of your peers from around the world! At EverythingIE.com you may social-network with your peers all focused on attaining the same goal as you – the CCIE Lab. At CCIEBlog.com you can keep up to date with everything IPExpert does, as well as start your own CCIE-focused blog or simply add your existing blog to our directory so your peers can find you. At OnlineStudyList.com, you may subscribe to multiple “SPAM-free”, CCIE-focused email lists.

V1500

Copyright © 2010 by IPexpert, Inc. All Rights Reserved.

Feedback

Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert, we look to you – our valued clients – for the real world, frontline evaluation that we believe is necessary to improve continually. Please send an email with your thoughts to feedback@ipexpert.com or call 1.866.225.8064 (international callers dial +1.810.326.1444).

In addition, when you pass the CCIE Lab exam, we want to hear about it! Email your CCIE number to success@ipexpert.com and let us know how IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.

Additional CCIE Preparation Material

IPexpert, Inc. is committed to developing the most effective Cisco CCIE R&S, Security, Service Provider, and Voice Lab certification preparation tools available. Our team of certified networking professionals develops the most up-to-date and comprehensive materials for networking certification, including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance learning) instructor-led training, audio products, and video training materials. Unlike other certification training providers, we employ the most experienced and accomplished team of experts to create, maintain, and constantly update our products. At IPexpert, we are focused on making your CCIE Lab preparation more effective.

A message from the Author(s)

The scenarios covered in this workbook were developed by Routing & Switching CCIEs to help you prepare for the Cisco CCIE Routing & Switching laboratory. It is strongly recommended that you use other reading materials in addition to this workbook. Training is not the objective of this CCIE Routing & Switching workbook; the intent of these labs is to test your knowledge of, and ability to implement, Cisco Enterprise Routing & Switching solutions. Time management is very important: if you get stuck on a lab scenario, be sure to write it down. Formulate a checklist of skipped sections and then return to those sections once you have gone through the entire lab. Be sure to revisit the questions that you do not understand. For more information on the CCIE Routing & Switching lab, please visit http://www.cisco.com/go/ccie and click on the link for Routing & Switching on the top-right of the page.

Helpful Hints

- Keep It Simple: try to avoid any extra work (for example, adding descriptions).
- Always reference everything from the Documentation Website: http://www.cisco.com/web/psa/products/index.html
- Save your router configurations often (wr is the quickest command).


IPEXPERT END-USER LICENSE AGREEMENT

END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS.

This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions. The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License.

Copyright and Proprietary Rights

The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT. The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or timeshare the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT. You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.

Exclusions of Warranties

THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state.

Choice of Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect.

Limitation of Claims and Liability

ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR'S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.

Entire Agreement

This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights

The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement. IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.


Volume 1 – Table of Contents

NOTE You are encouraged to take advantage of the knowledge and support from your peers around the globe. Join ccieblog.com to journal your progress. And join onlinestudylist.com to get more community support and also official support from IPexpert.

Contents

IPexpert CCIE R&S Detailed Solutions Guide – Volume One .... 1
IPEXPERT END-USER LICENSE AGREEMENT .... 3
END USER LICENSE FOR ONE (1) PERSON ONLY .... 3
U.S. Government - Restricted Rights .... 4
Lab 1 - General Setup .... 9
Lab 1 Detailed Solutions .... 10
Lab 2 – Switching: Per-VLAN Spanning Tree + .... 35
Lab 2 Detailed Solutions .... 36
Lab 3 – Switching: Multiple Spanning Tree .... 83
Lab 3 Detailed Solutions .... 84
Lab 4 – Switching: Rapid Per-VLAN Spanning Tree+ .... 115
Lab 4 Detailed Solutions .... 116
Lab 5 - Layer 2 Tunneling .... 137
Lab 5 Detailed Solutions .... 138
Lab 6 - Frame Relay .... 157
Lab 6 Detailed Solutions .... 158
Lab 7 - Bridging and Frame Relay .... 189
Lab 7 Detailed Solutions .... 190
Lab 8 – RIPv2 .... 201
Lab 8 Detailed Solutions .... 202
Lab 9 – EIGRP .... 225
Lab 9 Detailed Solutions .... 226
Lab 10 – OSPF .... 253
Lab 10 Detailed Solutions .... 254
Lab 11 – OSPF .... 287
Lab 11 Detailed Solutions .... 288
Lab 12 - GRE and Routing Protocols .... 295
Lab 12 Detailed Solutions .... 296
Lab 13 - Border Gateway Protocol .... 315
Lab 13 Detailed Solutions .... 316
Lab 14 - Multiprotocol BGP .... 361
Lab 14 Detailed Solutions .... 362
Lab 15 - Routing Protocol Redistribution .... 371
Lab 15 Detailed Solutions .... 372
Lab 16 - ACLs and Filters for IPv4 .... 417
Lab 16 Detailed Solutions .... 418
Lab 17 - Router Security .... 447
Lab 17 Detailed Solutions .... 448
Lab 18 - Router Security .... 471
Lab 18 Detailed Solutions .... 472
Lab 19 - Router Redundancy and Network Services .... 485
Lab 19 Detailed Solutions .... 486
Lab 20 - Advanced Router Management .... 509
Lab 20 Detailed Solutions .... 510
Lab 21 - Quality of Service .... 539
Lab 21 Detailed Solutions .... 540
Lab 22 - Legacy QoS to MQC Conversion .... 563
Lab 22 Detailed Solutions .... 564
Lab 23 - Quality of Service .... 585
Lab 23 Detailed Solutions .... 586
Lab 24 - Multicast .... 597
Lab 24 Detailed Solutions .... 598
Lab 25 - Multicast .... 615
Lab 25 Detailed Solutions .... 616
Lab 26 - Multi-Protocol Label Switching .... 625
Lab 26 Detailed Solutions .... 626
Lab 27 - Multiprotocol BGP .... 637
Lab 27 Detailed Solutions .... 638
Lab 28 - MPLS VPN .... 647
Lab 28 Detailed Solutions .... 648
Lab 29 - Inter-AS MPLS VPN .... 655
Lab 29 Detailed Solutions .... 656
Lab 30 - Multicast VPN .... 665
Lab 30 Detailed Solutions .... 666
Lab 31 - Layer 2 VPN .... 677
Lab 31 Detailed Solutions .... 678
Lab 32 - RIPng and EIGRPv6 .... 685
Lab 32 Detailed Solutions .... 686
Lab 33 - OSPFv3 and MBGP .... 703
Lab 33 Detailed Solutions .... 704
Lab 34 - Cisco IOS Firewalls .... 725
Lab 34 Detailed Solutions .... 726



Volume 1 – Lab 2

Lab 2 – Switching: Per-VLAN Spanning Tree+

Technologies Covered

- Etherchannel
- VLAN Trunking
- VTP
- 802.1x
- Spanning-Tree
- Port-security
- RSPAN
- Private VLANs
- VLAN Maps

Overview

With four switches on the CCIE R&S lab (a combination of Catalyst 3550 and Catalyst 3560 switches with the v3.0 blueprint and four Catalyst 3560 switches on the v4.0 blueprint), there is the potential for a lot of detailed challenges in the "Switching" portion of the Routing & Switching exam. This lab is part of a series that will help prepare you for the types of scenarios you may be presented with.

Estimated Time to Complete: 3-4 Hours


Lab 2 Detailed Solutions

2.1

Configure Cat3 so that you can create, modify and delete VLANs locally. The VLANs created on this switch should be propagated through the network. Use a domain name of “ipexpert”.

Cat3
vtp mode server

Cat1, Cat2, Cat4
vtp mode client

- Arguably, VTP server mode would work on the other switches as well: the lab didn't say ONLY Cat3 can manipulate VLANs locally, but it's simple enough to set client mode and keep a single point of entry.
- Always verify everything! We should first check that our VLANs are present on Cat3, and that they have been propagated to Cat1, Cat2 and Cat4. Checking on just your server switch isn't good enough, as there could have been issues with VLAN propagation. Make sure you check all four of your switches!

Cat3550-3(config)#do sh vl br
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Gi0/1, Gi0/2
12   VLANB                            active    Fa0/1, Gi0/2
40   VLANC                            active    Fa0/4
100  VLANA                            active    Fa0/11
300  VLANF                            active
567  VLAND                            active    Fa0/5
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

Cat3560-1#sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/8, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Gi0/2
12   VLANB                            active
40   VLANC                            active
100  VLANA                            active    Fa0/1
200  VLANE                            active
300  VLANF                            active    Fa0/9, Fa0/13
567  VLAND                            active    Fa0/6, Fa0/7
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Cat3560-2(config)#do sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Gi0/1, Gi0/2
12   VLANB                            active
40   VLANC                            active
100  VLANA                            active
200  VLANE                            active
240  VLAN0240                         active
300  VLANF                            active
567  VLAND                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Cat3560-4(config)#do sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Gi0/1, Gi0/2
12   VLANB                            active
40   VLANC                            active
100  VLANA                            active
200  VLANE                            active
240  VLAN0240                         active
300  VLANF                            active
567  VLAND                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
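The propagation check above is done by reading four "show vlan brief" outputs by eye. The following script, added here as an example and not part of the IPexpert workbook, does the same comparison mechanically: it parses each switch's "show vlan brief" text, takes the VTP server's VLAN table as the reference, and reports any VLAN a client is missing, has extra, or has under a different name. The three captures embedded in it are constructed for this example (Cat2 is deliberately missing VLAN 300); the reserved VLANs 1002-1005 are skipped because their default names differ between platforms, as the trcrf-default/token-ring-default rows above show.

```python
"""Verify that the VTP server's VLANs reached every client switch.

Added example, not part of the IPexpert workbook. Parses 'show vlan brief'
captures and compares each client's VLAN table with the server's.
The captures below are constructed; Cat2 is missing VLAN 300 on purpose.
"""
import re

SHOW_VLAN_BRIEF = {
    "Cat3": """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Gi0/1, Gi0/2
12   VLANB                            active    Fa0/1
40   VLANC                            active    Fa0/4
100  VLANA                            active    Fa0/11
300  VLANF                            active
567  VLAND                            active    Fa0/5
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
""",
    "Cat1": """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/8
12   VLANB                            active
40   VLANC                            active
100  VLANA                            active    Fa0/1
300  VLANF                            active    Fa0/9, Fa0/13
567  VLAND                            active    Fa0/6, Fa0/7
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
""",
    "Cat2": """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
12   VLANB                            active
40   VLANC                            active
100  VLANA                            active
567  VLAND                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
""",
}

# A VLAN row starts with the VLAN number; continuation rows of the Ports
# column start with whitespace and therefore never match.
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)")
# 1002-1005 are platform defaults whose names differ between switch
# models, so they are left out of the comparison.
RESERVED = set(range(1002, 1006))


def parse_vlan_brief(text):
    """Return {vlan_id: name} for the configurable VLANs in one capture."""
    vlans = {}
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m and int(m.group(1)) not in RESERVED:
            vlans[int(m.group(1))] = m.group(2)
    return vlans


def check_propagation(captures, server):
    """Compare every client against the server's VLAN table.

    Returns {client: {"missing": [...], "extra": [...], "renamed": [...]}};
    an entry whose three lists are empty matches the server.
    """
    expected = parse_vlan_brief(captures[server])
    report = {}
    for switch, text in captures.items():
        if switch == server:
            continue
        got = parse_vlan_brief(text)
        report[switch] = {
            "missing": sorted(set(expected) - set(got)),
            "extra": sorted(set(got) - set(expected)),
            "renamed": sorted(v for v in expected if v in got and expected[v] != got[v]),
        }
    return report


if __name__ == "__main__":
    for switch, result in check_propagation(SHOW_VLAN_BRIEF, "Cat3").items():
        verdict = "OK" if not any(result.values()) else "MISMATCH"
        print(f"{switch}: {verdict} {result}")
```

Run it with the real captures pasted in place of the constructed ones; a client that reports "missing" VLANs after the server's revision has incremented is the propagation problem the text warns about, and the place to start is that client's "show vtp status".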

- OK, everything looks good on all of our switches as far as VLAN propagation goes.
- You can also use "debug sw-vlan vtp events" or "debug sw-vlan vtp packets" if there are other concerns.
- If you need to add VLANs later on, make sure to add them AFTER the VTP setup is done; otherwise the database won't be "revised" and therefore won't be propagated.
- Next, make sure your VTP status looks as you would expect on all four switches.

Cat3550-1#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC
Configuration last modified by 0.0.0.0 at 3-1-93 00:17:34
Local updater ID is 0.0.0.0 (no valid interface found)

Cat3560-2#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC
Configuration last modified by 0.0.0.0 at 3-1-93 00:17:34

Cat3560-3(config)#do sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Server
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC
Configuration last modified by 0.0.0.0 at 3-1-93 00:22:38

Cat3560-4(config)#do sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xF1 0xE5 0x00 0x15 0x4F 0xBA 0xF8 0xEC
Configuration last modified by 0.0.0.0 at 3-1-93 00:22:38

- Great, we have a VTP server, three VTP clients, our revision numbers match, and our MD5 digest matches. We are good to go!

2.2

Cat1 should send VLAN updates with an MD5 one-way hash value. Other switches should not be able to process these updates unless they have the same MD5 value. Use a password of “1p3xp3rt#”. DO NOT use VLAN database commands to accomplish this task. Run VTP version 2.

- Passwords in VTP are MD5 all the time. They must match to exchange information properly. Normally, you can configure this in VLAN database mode or in config mode, but the lab tells you otherwise. In config mode (recommended) use "vtp ?" to help find the right command.

Cat3
Cat3550-1(config)#vtp password 1p3xp3rt#
Setting device VLAN database password to 1p3xp3rt#

- Check it out, our config revision increments to 3…

Cat3550-3(config)#do sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Server
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39
Local updater ID is 0.0.0.0 (no valid interface found)

Cat1, Cat2, Cat4
vtp password 1p3xp3rt#

- All we have done is update the password on the clients to match the server, but they have automatically updated to run VTP version 2. Excellent! Also notice that the client revision number has incremented as well, as they received an update from the Server telling them to run VTP version 2.

Cat3560-1(config)#do sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39

Cat3560-2(config)#do sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39

Cat3560-4(config)#do sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xD0 0x84 0xB5 0x70 0xC0 0xB0 0x68 0xB7
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39

- If we had tried to manually set the VTP version to 2 on the client switches, we would have received an error telling us the VTP version cannot be changed in client mode. This is good, as it lets the server do all the work for us.
- This task does say that Cat1 will have the capability of sending things out, so we should probably put Cat1 into server mode. This does not violate the previous task, since we were not REQUIRED to put everyone else in Client mode.

Cat1
vtp mode server
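Sections 2.1 and 2.2 both end by reading "show vtp status" on all four switches and confirming the same domain, the same MD5 digest (which is how a password mismatch shows up), the same configuration revision and the same VTP version. The script below, an added example rather than the workbook's own code, turns that into an audit that can be run against pasted captures. It adds one check a defender wants that the text only implies with its remark about revisions: a client whose revision is higher than the server's, since its VLAN database would be accepted by the domain. The captures are built with the IOS layout shown above; the digest values are made up, and the helper that builds them and the function names are this example's own.

```python
"""Audit 'show vtp status' captures for the consistency the lab verifies by eye.

Added example, not the workbook's own code. Checks domain, MD5 digest,
VTP version, pruning mode and configuration revision across switches and
flags a switch whose revision is higher than the server's.
Captures are constructed in the IOS layout; digests are made up.
"""
import re

GOOD_DIGEST = "0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88"   # constructed
BAD_DIGEST = "0x99 0x88 0x77 0x66 0x55 0x44 0x33 0x22"    # constructed


def _capture(mode, revision, digest):
    """Build a constructed 'show vtp status' excerpt in the IOS layout."""
    return (
        "VTP Version                     : running VTP2\n"
        f"Configuration Revision          : {revision}\n"
        "Maximum VLANs supported locally : 1005\n"
        "Number of existing VLANs        : 11\n"
        f"VTP Operating Mode              : {mode}\n"
        "VTP Domain Name                 : ipexpert\n"
        "VTP Pruning Mode                : Enabled\n"
        "VTP V2 Mode                     : Enabled\n"
        "VTP Traps Generation            : Disabled\n"
        f"MD5 digest                      : {digest}\n"
        "Configuration last modified by 0.0.0.0 at 3-1-93 00:27:39\n"
    )


# Cat2 was given a different password, so its digest differs;
# Cat4 is a client carrying a revision higher than the server's.
SHOW_VTP_STATUS = {
    "Cat3": _capture("Server", 3, GOOD_DIGEST),
    "Cat1": _capture("Client", 3, GOOD_DIGEST),
    "Cat2": _capture("Client", 3, BAD_DIGEST),
    "Cat4": _capture("Client", 5, GOOD_DIGEST),
}

# Matches 'Key : Value' rows. The 'last modified ... 00:27:39' line has no
# whitespace before its colons and is deliberately left out.
FIELD = re.compile(r"^\s*(\S.*?)\s+:\s+(.*?)\s*$")


def parse_vtp_status(text):
    """Return the 'Key : Value' fields of one capture as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_vtp(captures):
    """Return a list of findings; an empty list means the domain is consistent."""
    parsed = {sw: parse_vtp_status(t) for sw, t in captures.items()}
    findings = []
    servers = [sw for sw, f in parsed.items() if f.get("VTP Operating Mode") == "Server"]
    if not servers:
        findings.append("no VTP server found")
    # Every switch must agree on these fields; a digest mismatch means a
    # password mismatch and that switch will ignore the server's updates.
    for key in ("VTP Domain Name", "VTP Version", "VTP Pruning Mode", "MD5 digest"):
        if len({f.get(key) for f in parsed.values()}) > 1:
            detail = ", ".join(f"{sw}={f.get(key)}" for sw, f in parsed.items())
            findings.append(f"{key} differs across switches: {detail}")
    if servers:
        server_rev = max(int(parsed[sw]["Configuration Revision"]) for sw in servers)
        for sw, f in parsed.items():
            rev = int(f["Configuration Revision"])
            if rev != server_rev:
                msg = f"{sw} revision {rev} != server revision {server_rev}"
                if rev > server_rev:
                    msg += " (higher than the server: its database would overwrite the domain's)"
                findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in audit_vtp(SHOW_VTP_STATUS) or ["VTP domain is consistent"]:
        print(finding)
```

With the constructed captures the audit reports two findings, the digest mismatch on Cat2 and the higher revision on Cat4; with only Cat3 and Cat1 it reports none, which is the state the text calls "good to go". Because the page's final configuration has both Cat3 and Cat1 in server mode, the revision comparison uses the highest server revision rather than insisting on a single server.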

2.3

If a downstream switch does not possess a port in a VLAN that Cat1 is advertising, make sure that Cat1 does not propagate broadcast traffic for those VLANs.  VTP Pruning is the obvious (and simple) solution here. It's the only mechanism that switches can dynamically shut off unused/unneeded VLANs. Since Cat3 is our VTP server, we only need to enable this on Cat3. The option will be propagated down to our other client switches Cat3550-3(config)#vtp pruning Pruning switched on Cat3550-3(config)#do sh vtp status VTP Version : running VTP2 Configuration Revision : 4 Maximum VLANs supported locally : 1005 Number of existing VLANs : 11 VTP Operating Mode : Server VTP Domain Name : ipexpert VTP Pruning Mode : Enabled VTP V2 Mode : Enabled VTP Traps Generation : Disabled MD5 digest : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3 Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32 Local updater ID is 0.0.0.0 (no valid interface found)


 Just like the VTP version, VTP pruning is a feature that will be propagated down to all our client switches as well. Run “show vtp status” to verify.

Cat3560-1(config)#do sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32

Cat3560-2(config)#do sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Server
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32
Local updater ID is 0.0.0.0 (no valid interface found)

Cat3560-4(config)#do sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : ipexpert
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x44 0xD5 0x1F 0x00 0x28 0x13 0x02 0xA3
Configuration last modified by 0.0.0.0 at 3-1-93 00:55:32

2.4

Configure any interfaces connecting the switches together to appear as one link to STP per neighbor. If either of the interfaces is damaged, the switches should manage one-way links. Do not use industry standards, but make sure these links can negotiate their setup.

 Consult the diagram here for assistance on this. For an etherchannel to be set up, the member links must be the same. On the ProctorLabs racks, at least, there are also some GigabitEthernet links between some switches. These cannot be added into the etherchannel configuration, so go ahead and shut those down.

 Plan your etherchannel as well. In some versions of IOS on many switches, the etherchannel number must match on both sides in order to come up properly. Rather than needing to think about whether you are using one of those releases or not, it is recommended just to use the correct pairing of etherchannel numbers.


 If you have concerns about which switch is connected where, just check out the CDP table.

Cat1(config)#do sh cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID
Router           Gig 0/2           133        R S I       3825        Gig 0/0
Cat3             Fas 0/22          127        S I         WS-C3560-2  Fas 0/22
Cat3             Fas 0/21          127        S I         WS-C3560-2  Fas 0/21
Cat2             Gig 0/2           121        S I         WS-C3550-2  Gig 0/2
Cat2             Fas 0/24          121        S I         WS-C3550-2  Fas 0/24
Cat2             Fas 0/23          121        S I         WS-C3550-2  Fas 0/23
Cat4             Fas 0/20          126        S I         WS-C3560-2  Fas 0/20
Cat4             Fas 0/19          126        S I         WS-C3560-2  Fas 0/19
Cat1(config)#

 In order to negotiate the trunk coming up, it's important to set the modes properly. 3550s default to "dynamic desirable"; 3560s default to "dynamic auto". Auto-auto does not generate a trunk.

Cat1-Cat4
int range Fa0/19 - 24
switchport mode dynamic desir

Cat4(config-if-range)#do sh int Fa0/19 switch
Name: Fa0/19
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-VLAN host-association: none
Administrative private-VLAN mapping: none
Administrative private-VLAN trunk native VLAN: none
Administrative private-VLAN trunk Native VLAN tagging: enabled
Administrative private-VLAN trunk encapsulation: dot1q
Administrative private-VLAN trunk normal VLANs: none
Administrative private-VLAN trunk associations: none
Administrative private-VLAN trunk mappings: none
Operational private-VLAN: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none


 We should also shut them down for now.... When building trunks and etherchannel groups, it's a good idea to shut the links down until you have them all built. This will prevent your switches from becoming upset about mismatches and placing any interfaces in an errdisabled state.

Cat1-Cat4
int range Fa0/19 - 24
shut

 For the channel-group, we are not to use industry standards (LACP), so we'll end up either using PAgP or just mode on.

Cat1
int gi0/1
shut
int gi0/2
shut
int range Fa0/19 - 20
description Connection to Cat4
channel-group 14 mode on
int range Fa0/21 - 22
description Connection to Cat3
channel-group 13 mode on
int range Fa0/23 - 24
description Connection to Cat2
channel-group 12 mode on

Cat2
int gi0/1
shut
int range Fa0/19 - 20
description Connection to Cat3
channel-group 23 mode on
int range Fa0/21 - 22
description Connection to Cat4
channel-group 24 mode on
int range Fa0/23 - 24
description Connection to Cat1
channel-group 12 mode on

Cat3
int gi0/1
shut
int range Fa0/19 - 20
description Connection to Cat2
channel-group 23 mode on
int range Fa0/21 - 22
description Connection to Cat1
channel-group 13 mode on
int range Fa0/23 - 24
description Connection to Cat4
channel-group 34 mode on


Cat4
int range Fa0/19 - 20
description Connection to Cat1
channel-group 14 mode on
int range Fa0/21 - 22
description Connection to Cat2
channel-group 24 mode on
int range Fa0/23 - 24
description Connection to Cat3
channel-group 34 mode on

 Finally, turn on UDLD to manage the one-way link detection. There's no mention of anything requiring aggressive mode, so that part is up to you. There are global commands for UDLD as well, so be careful with that. Global commands are for fiber ports. Interface commands are for copper ports.

Cat1, Cat2, Cat3 and Cat4
int range Fa0/19 - 24
udld port

 Now, let's verify everything we have done here. First, we'll want to make sure all our etherchannels came up properly. Run “sh etherchannel summary” for a good overview. What we expect to see here is that each group has a status of “SU”, meaning the channel is a L2 port-channel and it is “In Use”. For our individual ports, make sure you see the (P), meaning the port is part of the port-channel.

Cat3550-1#sh etherchan sum
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(SU)                  Fa0/23(P)   Fa0/24(P)
13     Po13(SU)                  Fa0/21(P)   Fa0/22(P)
14     Po14(SU)                  Fa0/19(P)   Fa0/20(P)


Cat3560-2#show etherchan sum
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(SU)                  Fa0/23(P)   Fa0/24(P)
23     Po23(SU)                  Fa0/19(P)   Fa0/20(P)
24     Po24(SU)                  Fa0/21(P)   Fa0/22(P)

Cat3560-3#sh etherchan sum
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
13     Po13(SU)                  Fa0/21(P)   Fa0/22(P)
23     Po23(SU)                  Fa0/19(P)   Fa0/20(P)
34     Po34(SU)                  Fa0/23(P)   Fa0/24(P)

Cat3560-4#sh etherchan sum
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
14     Po14(SU)                  Fa0/19(P)   Fa0/20(P)
24     Po24(SU)                  Fa0/21(P)   Fa0/22(P)
34     Po34(SU)                  Fa0/23(P)   Fa0/24(P)


 Great, everything came up as expected on all four switches. Now, to verify UDLD you can check out “sh udld <int>”. For brevity we will just take a look at Fa0/19 on Cat1 so you can get an idea. Notice the “Enabled” status, and that it even tells us what switch is on the other end of the link (Cat4 in this case).

Cat3550-1#sh udld Fa0/19

Interface Fa0/19
---
Port enable administrative configuration setting: Enabled
Port enable operational state: Enabled
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 40
    Cache Device index: 1
    Current neighbor state: Bidirectional
    Device ID: FDO1117Y22M
    Port ID: Fa0/19
    Neighbor echo 1 device: CAT0652X00L
    Neighbor echo 1 port: Fa0/19

    Message interval: 15
    Time out interval: 5
    CDP Device name: Cat3560-4
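As an added check on the etherchannel plan and verification in this task (example code written for this guide edit, not IPexpert's own), the script below parses a "show etherchannel summary" table in the shape shown above, confirms every group is SU with all members (P), and checks that each channel-group number in the plan has exactly two ends whose switch numbers are the digits of the group number (the pairing convention this section uses, since mismatched numbers may not come up on some IOS releases). The summary text and the plan dictionary are constructed from this section's output and configs.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of "show etherchannel summary" on Cat1 after
# task 2.4 (mode on, so the Protocol column is empty).
SAMPLE_SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(SU)                  Fa0/23(P)   Fa0/24(P)
13     Po13(SU)                  Fa0/21(P)   Fa0/22(P)
14     Po14(SU)                  Fa0/19(P)   Fa0/20(P)
"""

# Constructed failure case: bundle down (SD), one member down (D), one suspended (s).
BAD_SUMMARY = "12     Po12(SD)                  Fa0/23(D)   Fa0/24(s)\n"

# The channel-group plan from this section: switch -> {group: member ports}.
PLAN = {
    "Cat1": {14: ["Fa0/19", "Fa0/20"], 13: ["Fa0/21", "Fa0/22"], 12: ["Fa0/23", "Fa0/24"]},
    "Cat2": {23: ["Fa0/19", "Fa0/20"], 24: ["Fa0/21", "Fa0/22"], 12: ["Fa0/23", "Fa0/24"]},
    "Cat3": {23: ["Fa0/19", "Fa0/20"], 13: ["Fa0/21", "Fa0/22"], 34: ["Fa0/23", "Fa0/24"]},
    "Cat4": {14: ["Fa0/19", "Fa0/20"], 24: ["Fa0/21", "Fa0/22"], 34: ["Fa0/23", "Fa0/24"]},
}

# "12     Po12(SU)   <optional protocol>   Fa0/23(P)   Fa0/24(P)"
ROW_RE = re.compile(r"^(\d+)\s+Po(\d+)\(([A-Za-z]+)\)\s*(.*)$")
# Member tokens look like "Fa0/23(P)"; a protocol word such as "PAgP" has no "(...)".
MEMBER_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_summary(text):
    """Return {group: {"flags": port-channel flags, "members": {port: flag}}}."""
    groups = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # legend, headers and dashes are skipped
        members = {port: flag for port, flag in MEMBER_RE.findall(m.group(4))}
        groups[int(m.group(1))] = {"flags": m.group(3), "members": members}
    return groups


def bundle_problems(groups):
    """Every port-channel must be a Layer 2 bundle in use (SU) with all members (P)."""
    problems = []
    for group, info in sorted(groups.items()):
        if info["flags"] != "SU":
            problems.append(f"Po{group}: flags {info['flags']}, expected SU")
        for port, flag in info["members"].items():
            if flag != "P":
                problems.append(f"Po{group}: {port} is ({flag}), not bundled")
    return problems


def pairing_problems(plan):
    """Each group number must be configured on exactly the two switches named by
    its digits (group 14 joins Cat1 and Cat4), so both ends of a bundle agree."""
    ends = defaultdict(list)
    for switch, groups in plan.items():
        for group in groups:
            ends[group].append(switch)
    problems = []
    for group, switches in sorted(ends.items()):
        expected = sorted(f"Cat{d}" for d in str(group))
        if sorted(switches) != expected:
            problems.append(
                f"channel-group {group}: ends {sorted(switches)}, expected {expected}")
    return problems


if __name__ == "__main__":
    print(bundle_problems(parse_summary(SAMPLE_SUMMARY)))  # []
    print(bundle_problems(parse_summary(BAD_SUMMARY)))
    print(pairing_problems(PLAN))                          # []
```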

2.5

These links should allow all VLANs to travel across with their VLAN ID intact. You cannot use the Cisco proprietary protocol to achieve this. Every packet that traverses the link must have the VLAN ID, no exceptions.

 Gotta go back and change a few things now... If we had done these ahead of time on the physical interfaces, they would have automatically propagated to the PortChannel interface. If you have to go back and change a trunk, especially one that is tied to a Portchannel, it is best to shut everything down, make your changes, then bring everything back up. Otherwise, you may run into issues with ports going err-disabled.

Cat1 – Cat4
int range Fa0/19 - 24
shutdown
switch trunk encap dot1q
exit

 The other part, about the VLAN ID, is a little trickier. You may change the native VLAN to something other than the default (something unused). Or there's a specific command for 802.1Q that allows the tagging of the native VLAN. Those are good keywords to search for in case you had to look it up without knowing the answer. The “vlan dot1q tag native” command is run from global config mode.

vlan dot1q tag native


 OK, now that we have made the necessary changes, let's bring all the links back up on all the switches. The best thing to do here is copy/paste from notepad, because you will want to do this fairly quickly to avoid any issues.

Cat1 – Cat4
int range Fa0/19 - 24
no shutdown

 Now, let's make sure our trunks came up as expected, and that our native VLAN is indeed being tagged as configured. The output of this command has been reduced to only show the relevant information.

Cat3550-1(config)#do sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Po14        desirable    802.1q         trunking      1
Po13        desirable    802.1q         trunking      1
Po12        desirable    802.1q         trunking      1

Cat3550-1(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled

Cat3560-2(config-if-range)#do sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Po12        desirable    802.1q         trunking      1
Po23        desirable    802.1q         trunking      1
Po24        desirable    802.1q         trunking      1

Cat3550-2(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled

Cat3560-3(config-if-range)#do sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Po13        desirable    802.1q         trunking      1
Po23        desirable    802.1q         trunking      1
Po34        desirable    802.1q         trunking      1

Cat3550-3(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled

Cat3560-4(config-if-range)#do sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Po14        desirable    802.1q         trunking      1
Po24        desirable    802.1q         trunking      1
Po34        desirable    802.1q         trunking      1

Cat3550-4(config)#do sho vlan dot1q tag nat
dot1q native vlan tagging is enabled

 As we can see, all the trunks are running 802.1q encapsulation and have the native VLAN being tagged as expected!


2.6


Only allow the defined VLANs across the link.

 Now it's time to add a little security into our mix. The "switchport trunk allowed" command will help us decide which VLANs are or are not allowed on the link.

Cat1 - Cat4
int range Fa0/19 - 24
switchport trunk allowed vlan 1,12,40,100,300,567

Cat1
int range po12 , po13 , po14
switchport trunk allowed vlan 1,12,40,100,300,567

Cat2
int range po12 , po23 , po24
switchport trunk allowed vlan 1,12,40,100,300,567

Cat3
int range po13 , po23 , po34
switchport trunk allowed vlan 1,12,40,100,300,567

Cat4
int range po14 , po24 , po34
switchport trunk allowed vlan 1,12,40,100,300,567

 Why do it on the physical links and the etherchannel? In case something doesn't work? It's an easy cut/paste if nothing else.

 You'll start to see messages about member ports being incompatible while the changes are applied one port at a time. Cutting and pasting will help speed things up here.

Cat1(config-if-range)#
9w4d: %EC-5-CANNOT_BUNDLE2: Fa0/19 is not compatible with Fa0/20 and will be suspended (VLAN mask is different)
9w4d: %EC-5-COMPATIBLE: Fa0/19 is compatible with port-channel members
9w4d: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be suspended (VLAN mask is different)
9w4d: %EC-5-COMPATIBLE: Fa0/21 is compatible with port-channel members
9w4d: %EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Fa0/24 and will be suspended (VLAN mask is different)
9w4d: %EC-5-COMPATIBLE: Fa0/23 is compatible with port-channel members
Cat1(config-if-range)#

 Check and make sure we didn't wait too long.

Cat1(config-if-range)#do sh int | in errd
Cat1(config-if-range)#
Cat2(config-if-range)#do sh int | in errd
Cat2(config-if-range)#
Cat3(config-if-range)#do sh int | in errd
Cat3(config-if-range)#
Cat4(config-if-range)#do sh int | in errd
Cat4(config-if-range)#


 Looks good so far. Now let's verify that only the VLANs we specified are indeed allowed on the trunks.

Cat3550-1(config)#do sh int trunk | beg allowed
Port        Vlans allowed on trunk
Po14        1-4094
Po13        1-4094
Po12        1-4094

Port        Vlans allowed and active in management domain
Po14        1,12,40,100,200,300,567
Po13        1,12,40,100,200,300,567
Po12        1,12,40,100,200,300,567

Port        Vlans in spanning tree forwarding state and not pruned
Po14        1
Po13        1
Po12        1,100,300,567

Cat3560-2(config-if-range)#do sh int trunk | beg allowed
Port        Vlans allowed on trunk
Po12        1-4094
Po23        1-4094
Po24        1-4094

Port        Vlans allowed and active in management domain
Po12        1,12,40,100,200,300,567
Po23        1,12,40,100,200,300,567
Po24        1,12,40,100,200,300,567

Port        Vlans in spanning tree forwarding state and not pruned
Po12        12,40,100,567
Po23        1
Po24        none

Cat3560-3(config-if-range)#do sh int trunk | beg allowed
Port        Vlans allowed on trunk
Po13        1-4094
Po23        1-4094
Po34        1-4094

Port        Vlans allowed and active in management domain
Po13        1,12,40,100,200,300,567
Po23        1,12,40,100,200,300,567
Po34        1,12,40,100,200,300,567

Port        Vlans in spanning tree forwarding state and not pruned
Po13        1,12,40,100,300,567
Po23        1
Po34        1

Cat3560-4(config-if-range)#do sh int trunk | beg allowed
Port        Vlans allowed on trunk
Po14        1-4094
Po24        1-4094
Po34        1-4094

Port        Vlans allowed and active in management domain
Po14        1,12,40,100,200,300,567
Po24        1,12,40,100,200,300,567
Po34        1,12,40,100,200,300,567

Port        Vlans in spanning tree forwarding state and not pruned
Po14        12,40,100,300,567
Po24        1
Po34        1

 Nicely done.


 As the switches exchange information about which active VLANs they have (and prune some) and as spanning tree takes place and blocks links, you'll find different results in the last section of that command. This is where we MAY need to pay attention though to watch our traffic flows.

2.7

Make sure that any unused ports do not remain in “auto” mode.

 This is a time to do some tedious work. You could do a "show interface switchport" on all interfaces, but you'd get lots of extra stuff. Let's pare it down a little.

Cat1 - Cat4
do sh int switch | in Name|Administrative Mode|Operational Mode

Cat4(config-if-range)#$ Name|Administrative Mode|Operational Mode
Name: Fa0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/2
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/3
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/4
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/5
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/6
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/7
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/8
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/9
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/10
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/11
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/12
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/13
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/14
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/15
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/16
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/17
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/18
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/19
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/20
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/21
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/22
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/23
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Fa0/24
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Gi0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Gi0/2
Administrative Mode: dynamic auto
Operational Mode: down
Name: Po14
Administrative Mode: trunk
Operational Mode: trunk
Name: Po24
Administrative Mode: trunk
Operational Mode: trunk
Name: Po34
Administrative Mode: trunk
Operational Mode: trunk
Cat4(config-if-range)#

 That's a little long-winded still, but it tells us what mode these ports are in. 3560s are "dynamic auto". 3550s are "dynamic desirable". So it's the Cat2, Cat3 and Cat4 ports we need to change. It may be worthwhile to ask the proctor whether the "auto" just meant dynamic, or specifically the word "auto". You may need to change them on all switches.

Cat1
int range Fa0/2-4 , Fa0/6-10 , Fa0/12-18 , gi0/1
switchport mode access

Cat2
int range Fa0/2-5 , Fa0/8, Fa0/10-12 , Fa0/14-18 , gi0/1-2
switchport mode access

Cat3
int range Fa0/1-4 , Fa0/5-18 , gi0/1-2
switchport mode access

Cat4
int range Fa0/1-18 , gi0/1-2
switchport mode access


 We should see a difference now.

Cat4(config-if-range)#$ Name|Administrative Mode|Operational Mode
Name: Fa0/1
Administrative Mode: static access
Operational Mode: down
Name: Fa0/2
Administrative Mode: static access
Operational Mode: down
Name: Fa0/3
Administrative Mode: static access
Operational Mode: down
Name: Fa0/4
Administrative Mode: static access
Operational Mode: down
Name: Fa0/5
Administrative Mode: static access
Operational Mode: down
Name: Fa0/6
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/7
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/8
Administrative Mode: static access
Operational Mode: down
Name: Fa0/9
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/10
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/11
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/12
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/13
Administrative Mode: static access
Operational Mode: static access
Name: Fa0/14
Administrative Mode: static access
Operational Mode: down
Name: Fa0/15
Administrative Mode: static access
Operational Mode: down
Name: Fa0/16
Administrative Mode: static access
Operational Mode: down
Name: Fa0/17
Administrative Mode: static access
Operational Mode: down
Name: Fa0/18
Administrative Mode: static access
Operational Mode: down
Name: Fa0/19
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/20
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Fa0/21
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/22
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po24)
Name: Fa0/23
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Fa0/24
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po34)
Name: Gi0/1
Administrative Mode: static access
Operational Mode: down
Name: Gi0/2
Administrative Mode: static access
Operational Mode: down
Name: Po14
Administrative Mode: trunk
Operational Mode: trunk
Name: Po24
Administrative Mode: trunk
Operational Mode: trunk
Name: Po34
Administrative Mode: trunk
Operational Mode: trunk
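The verification outputs from tasks 2.6 and 2.7 are exactly what an audit script can read back. The script below (an added example for this edit, not part of the IPexpert guide) parses the filtered "show int switchport" listing in the shape shown above and the "Vlans allowed on trunk" block of "show int trunk | beg allowed", and reports two things a reviewer looks for: interfaces whose administrative mode still begins with "dynamic" (so DTP can still negotiate a trunk on them), and trunks whose allowed list expands to VLANs outside the list configured in task 2.6. Both sample outputs are constructed to match the page's format.

```python
import re

# Constructed sample in the shape of
# "show int switchport | in Name|Administrative Mode|Operational Mode"
# on Cat4 before task 2.7 was applied (some ports still dynamic auto).
SAMPLE_SWITCHPORT = """\
Cat4(config-if-range)#$ Name|Administrative Mode|Operational Mode
Name: Fa0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Fa0/6
Administrative Mode: dynamic auto
Operational Mode: static access
Name: Fa0/19
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po14)
Name: Gi0/1
Administrative Mode: dynamic auto
Operational Mode: down
Name: Po14
Administrative Mode: trunk
Operational Mode: trunk
"""

# Constructed sample in the shape of "show int trunk | beg allowed" where one
# port-channel did not receive the task 2.6 allowed list.
SAMPLE_TRUNK = """\
Port        Vlans allowed on trunk
Po14        1,12,40,100,300,567
Po24        1-4094
Po34        1,12,40,100,300,567

Port        Vlans allowed and active in management domain
Po14        1,12,40,100,300,567
Po24        1,12,40,100,300,567
Po34        1,12,40,100,300,567
"""

EXPECTED_VLANS = {1, 12, 40, 100, 300, 567}   # the list configured in task 2.6


def parse_switchport(text):
    """Map interface name -> {"Administrative Mode": ..., "Operational Mode": ...}."""
    ports, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
            ports[name] = {}
        elif name and key in ("Administrative Mode", "Operational Mode"):
            ports[name][key] = value
    return ports


def dtp_ports(ports):
    """Interfaces still negotiating with DTP: any 'dynamic ...' administrative mode."""
    return sorted(p for p, modes in ports.items()
                  if modes.get("Administrative Mode", "").startswith("dynamic"))


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,12,40-42' or '1-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if part == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_allowed(text):
    """Map trunk port -> VLAN set, from the 'Vlans allowed on trunk' block only."""
    allowed, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Port"):
            in_block = "allowed on trunk" in line   # later blocks are skipped
            continue
        m = re.match(r"^(\S+)\s+(\S+)$", line)
        if in_block and m:
            allowed[m.group(1)] = expand_vlans(m.group(2))
    return allowed


def over_permissive_trunks(allowed, expected=EXPECTED_VLANS):
    """Trunks carrying VLANs outside the expected list -> number of extra VLANs."""
    return {port: len(vlans - expected) for port, vlans in allowed.items()
            if vlans - expected}


if __name__ == "__main__":
    print("DTP still enabled on:", dtp_ports(parse_switchport(SAMPLE_SWITCHPORT)))
    print("Over-permissive trunks:", over_permissive_trunks(parse_allowed(SAMPLE_TRUNK)))
```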

2.8

Any unused ports should be placed in VLAN567.

 At least we can keep the same ranges. We just need to change the VLAN now.

Cat1
int range Fa0/2-3 , Fa0/6-10 , Fa0/12-18 , gi0/1
switchport access vlan 567

Cat2
int range Fa0/2-5 , Fa0/8, Fa0/10-12 , Fa0/14-18 , gi0/1-2
switchport access vlan 567

Cat3
int range Fa0/1-4 , Fa0/5-18 , gi0/1-2
switchport access vlan 567

Cat4
int range Fa0/1-18 , gi0/1-2
switchport access vlan 567

Cat4(config-if)#do sh vl br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
12   VLANB                            active
40   VLANC                            active
100  VLANA                            active
300  VLANF                            active
567  VLAND                            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
Cat4(config-if)#


 You can check them on all switches to be sure, but the important parts are that nothing is in VLAN 1, and that these ports are in VLAN 567.

2.9

Enable Cat2 to authenticate 802.1x clients. The server IP address to use is 150.100.220.100 with a key of ipexpert.

 Plain and simple here. 802.1X must use RADIUS in order to do authentication. That is the spec; there is no grey area for interpretation.

 Dot1x needs to be turned on.

Cat2
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
radius-server host 150.100.220.100 key ipexpert

 To avoid further complications with any port using "login", you'll want to create a workaround.

Cat2
aaa authentication login default line

 This will use the line password asked for with the telnet ability. Otherwise you may find yourself locked out of the device. Not good.

 Don't forget console as well. Even though there's no "login" there, it still will lock you out. You'll get:

-------------
Cat2 con0 is now available

Press RETURN to get started.

% Authentication failed.
---------------

 The proctor will NOT do password recovery for grading you. So let's change the above:

no aaa authentication login default
aaa authentication login MyVTY line
aaa authentication login MyCon none
line con 0
login authentication MyCon
line vty 0 4
login authentication MyVTY

 The bottom line is that while it is very irritating to lock yourself out of a switch it is MUCH better than locking the proctor out.


 Another thing you may do is "reload in 10" on the switch. If you haven't validated your config and cancelled the reload, then at least you will fix things yourself.

 (Do NOT save unvalidated configurations...)

 Check things out:

Cat2(config-line)#do sh aaa server

RADIUS: id 1, priority 1, host 150.100.220.100, auth-port 1645, acct-port 1646
     State: current UP, duration 2562s, previous duration 0s
     Dead: total time 0s, count 0
     Authen: request 0, timeouts 0
          Response: unexpected 0, server error 0, incorrect 0, time 0ms
          Transaction: success 0, failure 0
     Author: request 0, timeouts 0
          Response: unexpected 0, server error 0, incorrect 0, time 0ms
          Transaction: success 0, failure 0
     Account: request 0, timeouts 0
          Response: unexpected 0, server error 0, incorrect 0, time 0ms
          Transaction: success 0, failure 0
     Elapsed time since counters last cleared: 4d2h17m
Cat2(config-line)#

 Since there is no real server, or hosts to trigger anything, I would be surprised if the numbers were different from 0 right now. But it's good to see that the configuration is up and operational.

2.10

Verify that Fa0/6 connected to R6 is always in an authorized state.

 There are three modes: force-authorized, force-unauthorized and auto, which requires authorization. The only mode that actually sends the EAP beacon is "auto". The others are forced, manual actions.

Cat2
int Fa0/6
switchport mode access
dot1x port-control force-authorized

 As a note, the dot1x command does not even appear until the port is put into access mode. This may be a pain to troubleshoot.


 A quick check:

Cat2(config)#do sh dot1x all
Sysauthcontrol              Enabled
Dot1x Protocol Version            2
Critical Recovery Delay         100
Critical EAPOL             Disabled

Dot1x Info for FastEthernet0/6
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = FORCE_AUTHORIZED
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

2.11

Configure Fa0/18 on Cat2 to check to see if the client connected is capable of 802.1x authentications.

 Just like we looked at above, there are three modes, but now we are asked to "see" whether the host is capable. While there is no query option, if we send out an EAP beacon and there is no response, that's a simple way to determine they weren't capable and not let them on. (More to come in other labs with some additional security steps or details to add in here, but for now, keep things simple.)

Cat2
int Fa0/18
switchport mode access
dot1x port-control auto


Cat2(config-if)#do sh dot1x all
Sysauthcontrol              Enabled
Dot1x Protocol Version            2
Critical Recovery Delay         100
Critical EAPOL             Disabled

Dot1x Info for FastEthernet0/6
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = FORCE_AUTHORIZED
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

Dot1x Info for FastEthernet0/18
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

2.12

Cat1 Fa0/5 should temporarily bypass the listening and learning stage to transition directly into a forwarding mode.

 This should be a relatively simple question. At least once you get beyond the initial confusion of a vague question.

Cat1
int Fa0/5
spanning-tree portfast

 You'll need to look at the diagrams and note which switch and port is involved. The word "temporarily" throws some confusion at you, although if a BPDU is received, it will no longer be forwarding. But the only way to "bypass" any of the stages of spanning tree is to use portfast or to disable spanning-tree completely.

Cat1(config-if)#do sh spann int Fa0/5

VLAN             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0567         Desg FWD 19        128.5    P2p Edge

 This doesn't verify the portfast state, but it will at least verify you are in a forwarding state, and not seen as a spanning-tree peer.


2.13

Assure that Cat2 becomes the root switch for VLAN100 with one command.

 So when we start at this, is Cat2 root at all?

Cat2(config-if)#do sh spanning-tree | in root|VLAN
VLAN0001
VLAN0012
VLAN0040
VLAN0100
VLAN0300
VLAN0567

 Nope, doesn't look like it. Sometimes it's difficult because of the typical spanning-tree election process. We may end up with simply the lowest MACs on Cat2, in which case this task would appear moot. But at least in my rack, this isn't the case.

 One simple command. Note that it's "becomes", so we'd expect things to change. Right now, we have several VLANs but no root status.

Cat2
spanning-tree vlan 100 root primary

 Now, check it out again....

Cat2(config)#do sh spanning-tree | in root|VLAN
VLAN0001
VLAN0012
VLAN0040
VLAN0100
  This bridge is the root
VLAN0300
VLAN0567
Cat2(config)#

 Good stuff. Keep paying attention through the labs on the various GREP manipulations that we do in order to make the show commands focus on exactly what you want/need.  We may find some additional things/changes that are needed based on later requirements, but we'll get there later. It is good to be able to see this ahead of time though.

2.14

Configure Fa0/5 that R5 connects to so that the switch will only allow this learned MAC address to communicate through this port. If any other MAC addresses are learned on this port Cat2 should shut it down for a period of three hours.

Wording here is a little vague. Basically, we are talking about Port Security. The hard part is interpreting the words about "learned MAC address". Typically this refers to dynamically learned things, but how do we determine what is correct?

In this instance, we know R5's MAC because we can either go look at it, or we can enable port-security and look first.


Cat1
int Fa0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1            (default)
 switchport port-security violation shutdown   (default)

Ask the proctor whether it should be hard-coded for the R5 MAC that's already there, or whether dynamic is OK. The port-security table won't survive a reload unless you use the "sticky" parameter. Do a "show interface Fa0/0" on R5 to get the MAC.

 switchport port-security mac-address sticky
 switchport port-security mac-address 0012.80b6.4cd8

Obviously, substitute the MAC address from your R5 there.

Verify to see things are good...

R5(config)#do sh int Fa0/0 | in bia
  Hardware is MV96340 Ethernet, address is 0012.80b6.4cd8 (bia 0012.80b6.4cd8)
R5(config)#

Cat1(config-if)#do sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120

Cat1(config-if)#do sh port-security int Fa0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:VLAN   : 0012.80b6.4cd8:567
Security Violation Count   : 0

The next part of this is a little harder though. The scenario says that it should shut down for a period of three hours. There's nothing in the port security commands dealing with this. We can set an aging time, but that's only good for idle settings. Our statically defined MAC with a "sticky" command kind of defeats that purpose.

This is where we need to know HOW something works to identify it. The "shutdown" violation will put the port into an errdisabled state which is forever. Or until you do a "shut" and "no shut" on the interface.

We can, however, make that recovery an automated process.


Cat1
errdisable recovery cause psecure-violation
errdisable recovery interval 10800

The measurement is in seconds. 3600 seconds in an hour, times three should be 10,800.

Cat1(config)#do sh errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig            Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
l2ptguard                    Disabled
link-flap                    Disabled
mac-limit                    Disabled
link-monitor-fail            Disabled
loopback                     Disabled
oam-remote-failur            Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
psecure-violation            Enabled
security-violatio            Disabled
sfp-config-mismat            Disabled
storm-control                Disabled
udld                         Disabled
unicast-flood                Disabled
vmps                         Disabled

Timer interval: 10800 seconds

Interfaces that will be enabled at the next timeout:

 Looks good.
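To make the port-security and errdisable-recovery behaviour from this task concrete, here is an added model of it in Python (not code from the guide or from IOS). The SecurePort class, its method names and the second "rogue" MAC are invented for the illustration; R5's MAC and the 10800-second interval come from the task.

```python
"""Added example: port-security 'maximum 1' with sticky learning, violation
mode shutdown, and errdisable recovery for psecure-violation after 10800 s."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RECOVERY_INTERVAL = 10800      # errdisable recovery interval (three hours in seconds)
R5_MAC = "0012.80b6.4cd8"      # R5 Fa0/0 MAC shown in the task output
ROGUE_MAC = "0000.0c12.3456"   # constructed: some other host plugged into Fa0/5


@dataclass
class SecurePort:
    """Port configured like Cat1 Fa0/5 in the task."""
    name: str
    maximum: int = 1
    sticky: bool = True
    secure_macs: List[str] = field(default_factory=list)
    status: str = "Secure-up"            # or "Secure-shutdown" (errdisabled)
    violation_count: int = 0
    errdisabled_at: Optional[int] = None
    running_config: List[str] = field(default_factory=list)

    def receive(self, src_mac: str, now: int) -> str:
        """Classify a frame from src_mac arriving at time `now` (seconds)."""
        if self.status == "Secure-shutdown":
            return "dropped (port errdisabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # first MAC seen is learned; sticky writes it into running-config,
            # which is why the entry survives a reload once it has been saved
            self.secure_macs.append(src_mac)
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "learned"
        # table is full and the source is unknown: violation -> shutdown mode
        # errdisables the port (aging would not help here; the MAC is sticky)
        self.violation_count += 1
        self.status = "Secure-shutdown"
        self.errdisabled_at = now
        return "violation (errdisabled)"

    def recovery_timer(self, now: int) -> bool:
        """errdisable recovery cause psecure-violation: bring the port back once
        the interval has elapsed. Returns True when the port recovers."""
        if (self.status == "Secure-shutdown"
                and now - self.errdisabled_at >= RECOVERY_INTERVAL):
            self.status = "Secure-up"
            self.errdisabled_at = None
            return True
        return False


def run_scenario() -> Tuple[List[str], SecurePort]:
    """Replay the sequence the task describes; return the actions and the port."""
    port = SecurePort("Fa0/5")
    events = [
        port.receive(R5_MAC, now=0),       # learned (and written as sticky)
        port.receive(R5_MAC, now=10),      # forwarded
        port.receive(ROGUE_MAC, now=20),   # violation -> errdisabled
        port.receive(R5_MAC, now=30),      # even R5 is cut off while errdisabled
    ]
    early = port.recovery_timer(now=20 + RECOVERY_INTERVAL - 1)   # not yet
    on_time = port.recovery_timer(now=20 + RECOVERY_INTERVAL)     # three hours later
    events.append(f"recovered early: {early}, recovered on time: {on_time}")
    events.append(port.receive(R5_MAC, now=20 + RECOVERY_INTERVAL + 1))    # sticky MAC kept
    events.append(port.receive(ROGUE_MAC, now=20 + RECOVERY_INTERVAL + 2)) # cycle repeats
    return events, port


if __name__ == "__main__":
    for e in run_scenario()[0]:
        print(e)
```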

2.15

You have installed a Cisco® Intrusion Protection System on Fa0/7 of Cat1 and you would like to test out its functionality. Configure the Switch to take traffic that is received on VLAN300 and send a copy to your IPS.

This will involve a few different pieces here. VLAN 300 is not really part of Cat1, which means we need to be thinking not about SPAN sessions, but REMOTE SPAN sessions.

First, create a VLAN that we will use for the Remote SPAN sessions.

Cat1
vlan 666
 name IDS-VLAN
 remote-span
 exit

 Next, set up the span sessions where VLAN 300 exists.


Cat2
monitor session 1 source vlan 300 rx
monitor session 1 destination remote vlan 666

Cat3560-2#sh monitor session 1 det
Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : 300
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : None
Filter VLANs           : None
Dest RSPAN VLAN        : 666

3550's require using a reflector-port for ASIC use. 3560's do not. Cat2 in our case is a 3560, so nothing to worry about here.

Then set up our new destination on Cat1.

Cat1
monitor session 1 source remote vlan 666
monitor session 1 destination interface Fa0/7

Cat1(config)#do sh monitor detail
Session 1
---------
Type                   : Remote Destination Session
Description            :
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : 666
Destination Ports      : Fa0/7
    Encapsulation      : Native
          Ingress      : Disabled
Reflector Port         : None
Filter VLANs           : None
Dest RSPAN VLAN        : None

Oh yeah... Don't forget to go back and add VLAN 666 into your list of allowed VLANs over your trunks. This is one of those implied things to do.

Cat1
int range Fa0/19 - 24 , po12 , po13 , po 14
 switchport trunk allowed vlan 1,12,40,100,300,567,666

Change the PortChannel numbers as you enter the command on the other switches.


Cat2
int range Fa0/19 - 24 , po12 , po23 , po 24
 switchport trunk allowed vlan 1,12,40,100,300,567,666

Cat3
int range Fa0/19 - 24 , po13 , po23 , po 34
 switchport trunk allowed vlan 1,12,40,100,300,567,666

Cat4
int range Fa0/19 - 24 , po14 , po24 , po 34
 switchport trunk allowed vlan 1,12,40,100,300,567,666

As another important note, we probably want to be sure that this VLAN will not get pruned, as it's only an occasional thing.

Cat1
int range Fa0/19 - 24 , po12 , po13 , po 14
 switchport trunk pruning vlan remove 666

Cat2
int range Fa0/19 - 24 , po12 , po23 , po 24
 switchport trunk pruning vlan remove 666

Cat3
int range Fa0/19 - 24 , po13 , po23 , po 34
 switchport trunk pruning vlan remove 666

Cat4
int range Fa0/19 - 24 , po14 , po24 , po 34
 switchport trunk pruning vlan remove 666


2.16


Configure VLAN567 to be in the IP Subnet 150.100.220.0/28. IP traffic should be routed. All switches will have an IP in VLAN567. Use .11, .12, .13, and .14 respectively

Configuring an IP address isn't incredibly difficult. However, if we consult the diagram or startup configs, we'll find that this instruction is contradictory to what we already have. We have a /24 on that network already.

Any time you receive conflicting reports, it's good to involve the proctor to clarify. In this case, he'll just smile and say the lab tells you what to do. (e.g. you need to change things.)

R5
int Fa0/0
 ip address 150.100.220.5 255.255.255.240

R6
int Fa0/0
 ip address 150.100.220.6 255.255.255.240

R7
int Fa0/0
 ip address 150.100.220.7 255.255.255.240

Cat1
ip routing
int vlan 567
 ip address 150.100.220.11 255.255.255.240

Cat2
ip routing
int vlan 567
 ip address 150.100.220.12 255.255.255.240

Cat3
ip routing
int vlan 567
 ip address 150.100.220.13 255.255.255.240

Cat4
ip routing
int vlan 567
 ip address 150.100.220.14 255.255.255.240


Ping is a good test.

R5(config-if)#do ping 150.100.220.6 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.6, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R5(config-if)#do ping 150.100.220.7 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.7, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R5(config-if)#do ping 150.100.220.11 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.11, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R5(config-if)#do ping 150.100.220.12 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.12, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
R5(config-if)#do ping 150.100.220.13 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.13, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms
R5(config-if)#do ping 150.100.220.14 re 2 ti 1
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 150.100.220.14, timeout is 1 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/2/4 ms

2.17

Configure all switches to be optimized for unicast routing.

This is all about memory allocation. Whenever we look at things that talk about memory, or optimization, or things like that, there's only one command. "sdm prefer" will get us working.

Cat1, Cat2, Cat3, Cat4
sdm prefer routing


Check it out:

Cat1(config)#do sh sdm p
The current template is the default template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1K VLANs.

  number of unicast mac addresses:   5K
  number of igmp groups:             1K
  number of qos aces:                1K
  number of security aces:           1K
  number of unicast routes:          8K
  number of multicast routes:        1K

The template stored for use after the next reload is the routing template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1K VLANs.

  number of unicast mac addresses:   5K
  number of igmp groups:             1K
  number of qos aces:                512
  number of security aces:           512
  number of unicast routes:          16K
  number of multicast routes:        1K

 Notice the difference there. What MAY happen on the next reload is not graded as ALREADY being functional. Don't forget to reload...

2.18

Configure OSPF between R5, R6, R7 and all four of your switches. Place VLAN 567, 100, 40, and 300 into the OSPF routing process. You may use Area 0 everywhere. Add interfaces on the switches for each of these VLANs. Use .11, .12, .13, and .14 respectively.

Now it's time to actually do some routing... Interestingly enough, we had not been told to place our switches into those extra VLANs with IP addresses.

I suppose we'll need to look at that a little, and configure that part as well. Otherwise, we won't be sharing anything anyway.

Cat1
int vlan 40
 ip address 150.100.40.11 255.255.255.0
int vlan 100
 ip address 100.100.100.11 255.255.255.0
int vlan 300
 ip address 100.100.250.11 255.255.255.0

Cat2
int vlan 40
 ip address 150.100.40.12 255.255.255.0
int vlan 100
 ip address 100.100.100.12 255.255.255.0
int vlan 300
 ip address 100.100.250.12 255.255.255.0


Cat3
int vlan 40
 ip address 150.100.40.13 255.255.255.0
int vlan 100
 ip address 100.100.100.13 255.255.255.0
int vlan 300
 ip address 100.100.250.13 255.255.255.0

Cat4
int vlan 40
 ip address 150.100.40.14 255.255.255.0
int vlan 100
 ip address 100.100.100.14 255.255.255.0
int vlan 300
 ip address 100.100.250.14 255.255.255.0

Next comes the routing part. Realistically, we don't need to peer over every single VLAN, and we weren't given any instructions on this either. Asking for clarification is good, but likely only one peering set is necessary.

Cat1, Cat2, Cat3, Cat4
router ospf 1
 passive-interface default
 network 150.100.40.0 0.0.0.255 area 0
 network 100.100.100.0 0.0.0.255 area 0
 network 100.100.250.0 0.0.0.255 area 0
 network 150.100.220.0 0.0.0.15 area 0
 no passive-interface vlan 567

Keep in mind, you will not have pingability between routers per se. If you want to actually have this, you'll need to put a default route into each of your routers to the local SVI port in order to work. We weren't asked to, so why bother?

We'll start to see that things aren't working very well, because we have switches not peering the way they should be. They'll alternate from DOWN to INIT to EXSTART and seem to cycle in that order. Try looking at "debug ip ospf adjacency" and see what's happening.

Cat3(config-router)#
10w1d: OSPF: Send DBD to 150.100.220.12 on VLAN567 seq 0x1CD1 opt 0x52 flag 0x7 len 32
10w1d: OSPF: Retransmitting DBD to 150.100.220.12 on VLAN567 [8]
10w1d: OSPF: Rcv DBD from 150.100.220.12 on VLAN567 seq 0x1CD1 opt 0x52 flag 0x2 len 132 mtu 1504 state EXSTART
10w1d: OSPF: Nbr 150.100.220.12 has larger interface MTU
Cat3(config-router)#

MTU mismatches. Switches will have different base MTU sizes depending on what's happening and what has been previously configured.

On a 3560, you can use "system mtu routing 1500" if you'd like. 3550's don't have that option.


Or we can go to each switch and simply tell it to ignore the MTU size.

Cat1, Cat2, Cat3, Cat4
int vlan 567
 ip ospf mtu-ignore

Once that is done, you should see all peers come up. Will we see any routes? Nope, not the way we did things here. Why not? Because all routes will be connected routes, since we put all switches in all VLANs.

There weren't any instructions in this lab about reachability or doing much with the actual routers, so it's not a great worry. The multiprotocol labs will make us thoroughly familiar with this method of thinking. So just wait.

2.19

Configure R5, R6, Cat1, and Cat2 to receive their time from R7. All of the devices should be in CST (-6) as well as adjust for Day Light Savings.

So now it's a matter of clocking on the devices. The switches don't have a built-in clock mechanism (ISR routers do), so at least we'll see the difference.

Cat4(config-if)#do sh clock
*18:59:37.634 UTC Tue May 11 1993
Cat4(config-if)#

R5, R6, R7, Cat1, Cat2, Cat3, Cat4
clock timezone CST -6
clock summer-time CDT recurring

While loopbacks may be a great way to give a resilient interface to base time on, we don't have any routing established on R5, R6 or R7 in order to find R7's loopback. So for simplicity here, I'd go with the Fa0/0 interface that is connected to everyone.

R7
ntp source Fa0/0
ntp master

Check the time to see if we need to change the clock (exec command "clock set") or not.

R7(config)#do sh clock
13:30:33.440 CST Wed Jan 23 2008
R7(config)#


Looks good. Now let's activate it.

R5, R6, Cat1, Cat2, Cat3, Cat4
ntp server 150.100.220.7

Cat4(config)#do sh ntp assoc
      address         ref clock     st  when  poll reach  delay  offset    disp
*~150.100.220.7    127.127.7.1       8     0    64   377     1.7    0.17     0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Cat4(config)#do sh ntp status
Clock is synchronized, stratum 9, reference is 150.100.220.7
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**18
reference time is CB4214C9.550914DE (13:32:25.332 CST Wed Jan 23 2008)
clock offset is 0.1737 msec, root delay is 1.72 msec
root dispersion is 0.34 msec, peer dispersion is 0.14 msec

And most importantly:

Cat4(config)#do sh clock
13:32:48.272 CST Wed Jan 23 2008
Cat4(config)#

 Excellent.

2.20

Configure Cat1 to age out MAC addresses 50 seconds longer than the default value for devices in VLAN 567.

This is one of those things to look at the DocCD for. The command reference guide will always contain default values as well.

Cat1
mac address-table aging-time 350 vlan 567

2.21

On Cat1, create VLAN 86, assign ports Fa0/14, 15, 16, and 17 to this VLAN. This VLAN belongs to the IT department, make sure that these ports bypass listening and learning state, DO NOT use VLAN database to create the VLAN. A Smart Port macro should be used to create the VLAN and assign the ports and the configuration to the VLAN.

 Using global configuration (and execution) we can create the macro and apply it nicely. Each of the interfaces will need to be listed out. Macros and interface ranges do not play nicely with one another.


Cat1
macro name IT-VLAN
vlan 86
 name IT-Dept
 exit
interface Fa0/14
 switchport access vlan 86
 spanning-tree portfast
interface Fa0/15
 switchport access vlan 86
 spanning-tree portfast
interface Fa0/16
 switchport access vlan 86
 spanning-tree portfast
interface Fa0/17
 switchport access vlan 86
 spanning-tree portfast
 exit
@

Then actually engage the macro. Check things out before:

Cat1(config)#do sh run int Fa0/14
Building configuration...

Current configuration : 86 bytes
.
interface FastEthernet0/14
 switchport access vlan 567
 switchport mode access
end

Cat1
macro global apply IT-VLAN

And check out after:

Cat1(config)#do sh run int Fa0/14
Building configuration...

Current configuration : 109 bytes
.
interface FastEthernet0/14
 switchport access vlan 86
 switchport mode access
 spanning-tree portfast
end

2.22

Configure Cat1 such that if port Fa0/14 receives BPDU packets it should transition into down/down err-disable state.

This should actually be a simple command. Very few commands have anything to do with BPDUs. Even fewer will shut a port down. This can be a method of searching the DocCD Command Reference guide if you aren't familiar with it.

Cat1
int Fa0/14
 spanning-tree bpduguard enable


Even though we've enabled portfast on these ports, BPDUGuard is not enabled by default unless you have entered a global command (spanning-tree portfast bpduguard default).

2.23

Configure Cat3 & Cat4 such that if ports Fa0/15 and/or Fa0/16 receive BPDU packets they should transition into down/down err-disable state, and they should stay in that state for a period of 380 seconds. After 380 seconds they should automatically recover and transition into UP/UP state; however, if these ports receive BPDU packets again, the cycle should be repeated.

Now we're manipulating Cat3 and Cat4. A similar line of thinking, but in the last step we were happy that ports were forced to be errdisabled. Here, we want automatic recovery. We've worked with this before.

Cat3, Cat4
int range Fa0/15 - 16
 spanning-tree bpduguard enable
 exit
errdisable recovery cause bpduguard
errdisable recovery interval 380

2.24

You would like to monitor the activity on port Fa0/18 of Cat2 as clients connect their laptops to this port. Configure the switch such that when it learns/removes a MAC address an SNMP notification is generated and sent to the Network Management Server at 150.100.40.40. Since this is a very busy network, setup a trap interval so these messages are sent every 120 seconds with up to 50 entries, in order to reduce the bandwidth consumption. Use a read only SNMP community of “Port18”.

This is going to get us involved with the wonderful world of SNMP servers as well. The words "trap" or "Network Management Server" should certainly have tilted us in this direction.

So the SNMP portion is easy to do. We can set up a community for polling if we want (it also helps with restricting which NMS server we send which traps to).

Cat2
snmp-server community Port18 RO
snmp-server enable traps MAC-Notification
snmp-server host 150.100.40.40 Port18 MAC-Notification

Then the part about how many gets a little more confusing. We can do this with snmp-server commands, but the drawback is that those commands would influence any and all SNMP traps we were sending. This may or may not be important to us (here it is not, but in the real lab it may be).

Cat2
mac-address-table notification interval 120
mac-address-table notification history-size 50


And then finally trigger the traps on the interface in question. They are not enabled by default.

Cat2
int Fa0/18
 snmp trap mac-notification added
 snmp trap mac-notification removed

2.25

On Cat3 and Cat4, ensure that ports Fa0/12 and Fa0/13 are in VLAN 90. DO NOT use the VLAN database or any global configuration mode command to create this VLAN. Ensure that these ports cannot communicate with each other even though they are in the same VLAN. An SVI should be created so hosts can reach the outside world. Use 150.100.90.0/24 as the network and .13 and .14 respectively.

We do this a simple way or the hard way. In the lab, this choice is often determined by how many points we get for the solution. :)

The hard way would entail private VLANs to assure complete isolation from one another. But we're only given one VLAN to work with. Private VLANs require at least two VLANs to work.

So first, let's start with the VLAN. VLAN 90 doesn't exist.

Cat3(config-if)#do sh vl br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/11, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Gi0/1
                                                Gi0/2
12   VLANB                            active
40   VLANC                            active
80   IT-Dept                          active
100  VLANA                            active
300  VLANF                            active
567  VLAND                            active
666  IDS-VLAN                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
Cat3(config-if)#

 So we can create it. But, the lab says we can't do anything in global config mode or in VLAN database to create the VLAN. Anyone know VLAN-Making Voodoo Magic?


Actually, if you assign a port to a VLAN that doesn't exist, it will get created for you.

Cat3, Cat4
int range Fa0/12 - 13
 switchport access vlan 90

% Access VLAN does not exist. Creating vlan 90
Cat3(config-if-range)#

So that's another way to create a VLAN without typing the command in.

Cat3 & Cat4
int range Fa0/12 - 13
 switchport protected

Cat4(config-if-range)#do sh int Fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 90 (VLAN0090)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-VLAN host-association: none
Administrative private-VLAN mapping: none
Administrative private-VLAN trunk native VLAN: none
Administrative private-VLAN trunk Native VLAN tagging: enabled
Administrative private-VLAN trunk encapsulation: dot1q
Administrative private-VLAN trunk normal VLANs: none
Administrative private-VLAN trunk associations: none
Administrative private-VLAN trunk mappings: none
Operational private-VLAN: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Cat4(config-if-range)#

Note the protected state there... Next, create the SVI on Cat3 and Cat4.

Cat3
interface Vlan90
 ip address 150.100.90.13 255.255.255.0

Cat4
interface Vlan90
 ip address 150.100.90.14 255.255.255.0


The devices connected to the ports cannot technically communicate with anything else in VLAN 90 without going through the SVI first, so we don't need to add the VLAN to the trunks. But as there is nothing physically connected to these ports, we will go ahead and add VLAN 90 to the trunk between Cat3 and Cat4 to get the SVI to come up.

Cat3 & Cat4
interface port-channel 34
 switchport trunk allowed vlan add 90

2.26

Ensure that only the following traffic is allowed to pass through VLAN 12:

- All non-IP frames sourced from MAC-address 000b.cd96.cc4f destined to any host
- OSPF traffic and ICMP traffic
- All other frames should be denied

VACLs or VLAN Filter Maps are the only things able to filter intra-VLAN traffic. So we need to look at setting up various filters. One thing to note is that MAC access-lists cannot be applied to IP traffic due to the ASIC and hardware architecture of the switches.

VLAN 12 only exists on Cat1. Or at least there are only ports there. So that'll make our configuration a little easier.

Cat1
mac access-list extended FilterMe
 permit host 000b.cd96.cc4f any
access-list 101 permit ospf any any
access-list 101 permit icmp any any
vlan access-map Filter-VL12 10
 action forward
 match mac address FilterMe
vlan access-map Filter-VL12 20
 action forward
 match ip address 101
vlan access-map Filter-VL12 30
 action drop
vlan filter Filter-VL12 vlan-list 12

And a quick test should let us know how we're doing.

R1(config)#do ping 150.100.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.100.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config)#


Uh, that's not very good. Time to debug.

R1(config)#do deb ip pack
IP packet debugging is on
R1(config)#do ping 150.100.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.100.12.2, timeout is 2 seconds:
*Jan 24 04:34:43.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:43.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:43.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:45.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:45.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:45.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:47.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:47.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:47.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:49.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:49.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:49.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.
*Jan 24 04:34:51.910: IP: tableid=0, s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), routed via RIB
*Jan 24 04:34:51.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, sending
*Jan 24 04:34:51.910: IP: s=150.100.12.1 (local), d=150.100.12.2 (FastEthernet0/0), len 100, encapsulation failed.
Success rate is 0 percent (0/5)
R1(config)#

Encapsulation failed isn't good either. This is a simple Ethernet link, how can this be?

R1(config)#do sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  100.100.100.1            0  0018.b921.9279  ARPA   FastEthernet0/1
Internet  150.100.12.2                Incomplete      ARPA
Internet  150.100.12.1             -  0018.b921.9278  ARPA   FastEthernet0/0
R1(config)#

Ahhhh.... No ARP. ARP is not exactly an IP packet, therefore it would be subject to our MAC access-list, which is subsequently denying everything other than that one particular host. In addition, if we don't want traffic looping through our network we need to allow spanning-tree in the ACL, or we are going to see all sorts of strange things start to happen.

Cat1
mac access-list extended FilterMe
 permit any any 0x0806 0x0000
 permit any any lsap 0xAAAA 0x0000


Cat1(config-ext-macl)#do sh access-list
Extended IP access list 101
    10 permit ospf any any
    20 permit icmp any any
Extended MAC access list FilterMe
    permit host 000b.cd96.cc4f any
    permit any any 0x806 0x0
    permit any any lsap 0xAAAA 0x0
Cat1(config-ext-macl)#

R1(config)#do ping 150.100.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.100.12.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R1(config)#

PVST+ uses LLC SNAP encapsulation, equal to lsap 0xAAAA. STP and PVST use lsap 0x4242. Be sure to know what protocol you are working with when applying MAC access-lists.

THERE we go. Little things like this are important to note. ARP caches are cleared after 4 hours of inactivity or on reload. So you may not notice something like this until much later in the day. (And you are no longer thinking about Layer 2 stuff at that point.)

2.27

Make sure that VLAN 40 will only carry IPv6 traffic. All other traffic should be discarded.

IPv6. Why do we have to deal with that here? Well, think about it. The restriction is that IPv6 is the ONLY type of traffic allowed to traverse VLAN 40. Everything else will be discarded. Who better to monitor this than the switch?

We already have a little experience with MAC access-lists and matching an ethertype value (the 0x0806 above). So now we just need to find the ethertype value for IPv6.

The question is, how are we going to find that? Likely it will be supplied.

The ethertype for IPv6 is 0x86DD.

Cat1
mac access-list extended IPv6-Only
 permit any any 0x86dd 0x0000
vlan access-map IPv6 10
 action forward
 match mac address IPv6-Only
vlan access-map IPv6 20
 action drop
vlan filter IPv6 vlan-list 40
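As an added illustration (not code from the guide or from IOS), the following Python evaluates the Filter-VL12 access-map from task 2.26, before and after the ARP and LLC/SNAP lines were added, and the IPv6 map from this task, against constructed frames. The Frame and MacAce classes, the function names and the sample switch MAC are invented for the example; R1's MAC, the ethertypes and the LSAP values are those on the page.

```python
"""Added example: why ARP and PVST+ fell through to 'action drop' in
Filter-VL12, and what the IPv6-only map on VLAN 40 lets through."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
LSAP_SNAP, LSAP_STP = 0xAAAA, 0x4242      # PVST+ (LLC/SNAP) vs. IEEE STP / PVST
PROTO_ICMP, PROTO_TCP, PROTO_OSPF = 1, 6, 89


@dataclass
class Frame:
    src_mac: str
    ethertype: Optional[int] = None   # Ethernet II frames carry an ethertype...
    lsap: Optional[int] = None        # ...802.3/LLC frames carry DSAP/SSAP instead
    ip_proto: Optional[int] = None    # IPv4 protocol number, IPv4 frames only

    def is_ipv4(self) -> bool:
        return self.ethertype == ETHERTYPE_IPV4


@dataclass
class MacAce:
    """One 'permit' line of a MAC access-list with an optional ethertype/lsap + mask."""
    src: str = "any"
    ethertype: Optional[int] = None
    lsap: Optional[int] = None
    mask: int = 0x0000                # IOS wildcard mask: 0 bits must match exactly

    def matches(self, f: Frame) -> bool:
        if self.src != "any" and self.src != f.src_mac:
            return False
        if self.ethertype is not None:
            return f.ethertype is not None and (f.ethertype | self.mask) == (self.ethertype | self.mask)
        if self.lsap is not None:
            return f.lsap is not None and (f.lsap | self.mask) == (self.lsap | self.mask)
        return True                   # no protocol qualifier: any non-IP frame from src


# access-map sequence: (action, match kind, acl); kind None = no match clause
Sequence = Tuple[str, Optional[str], object]


def vacl_action(access_map: List[Sequence], f: Frame) -> str:
    """Walk the map in sequence order. As the guide notes, on these switches a
    MAC ACL only sees non-IP frames and an IP ACL only sees IP packets. A
    sequence without a match clause matches everything; a frame matching no
    sequence at all is dropped (implicit deny at the end of the map)."""
    for action, kind, acl in access_map:
        if kind is None:
            return action
        if kind == "mac" and not f.is_ipv4() and any(a.matches(f) for a in acl):
            return action
        if kind == "ip" and f.is_ipv4() and f.ip_proto in acl:
            return action
    return "drop"


R1_MAC = "0018.b921.9278"                      # R1 Fa0/0, from the ARP table on the page
SPECIAL_HOST = "000b.cd96.cc4f"                # the host named in the task
ACL_101 = {PROTO_OSPF, PROTO_ICMP}             # access-list 101 permit ospf / icmp

FILTERME_V1 = [MacAce(src=SPECIAL_HOST)]       # FilterMe as first written
FILTERME_V2 = FILTERME_V1 + [MacAce(ethertype=ETHERTYPE_ARP), MacAce(lsap=LSAP_SNAP)]
IPV6_ONLY = [MacAce(ethertype=ETHERTYPE_IPV6)] # task 2.27


def filter_vl12(mac_acl: List[MacAce]) -> List[Sequence]:
    return [("forward", "mac", mac_acl), ("forward", "ip", ACL_101), ("drop", None, None)]


MAP_IPV6: List[Sequence] = [("forward", "mac", IPV6_ONLY), ("drop", None, None)]

# constructed sample frames (the switch MAC is made up for the example)
FRAMES = {
    "ping": Frame(R1_MAC, ethertype=ETHERTYPE_IPV4, ip_proto=PROTO_ICMP),
    "telnet": Frame(R1_MAC, ethertype=ETHERTYPE_IPV4, ip_proto=PROTO_TCP),
    "arp": Frame(R1_MAC, ethertype=ETHERTYPE_ARP),
    "pvst+": Frame("0018.b921.9200", lsap=LSAP_SNAP),
    "stp": Frame("0018.b921.9200", lsap=LSAP_STP),
    "special-llc": Frame(SPECIAL_HOST, lsap=LSAP_STP),
    "ipv6": Frame(R1_MAC, ethertype=ETHERTYPE_IPV6),
}


def evaluate() -> Dict[str, Dict[str, str]]:
    """Action taken for each sample frame under the three policies on the page."""
    return {
        "vl12-before": {n: vacl_action(filter_vl12(FILTERME_V1), f) for n, f in FRAMES.items()},
        "vl12-after": {n: vacl_action(filter_vl12(FILTERME_V2), f) for n, f in FRAMES.items()},
        "vl40-ipv6": {n: vacl_action(MAP_IPV6, f) for n, f in FRAMES.items()},
    }


if __name__ == "__main__":
    for policy, results in evaluate().items():
        print(policy, results)
```

Note that plain STP (lsap 0x4242) is still dropped after the fix: the page's ACL only permits the LLC/SNAP encapsulation PVST+ uses, which is exactly the protocol check the text asks for.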


Without having IPv6 hosts set up and/or configured, it is difficult to test this one out, but we applied the same logic that we did in the last task, so we should be good to go on this.

You will notice the OSPF neighbor relationships on Vlan40 go down. As we are just testing functionality of the configuration aspects in this section, don't worry about this. But if this same thing happened in the actual lab, this would be a good time to speak with the proctor.

01:37:55: %OSPF-5-ADJCHG: Process 1, Nbr 150.100.220.12 on Vlan40 from 2WAY to DOWN, Neighbor Down: Dead timer expired
Cat1(config)#
01:37:58: %OSPF-5-ADJCHG: Process 1, Nbr 150.100.220.13 on Vlan40 from FULL to DOWN, Neighbor Down: Dead timer expired
Cat1(config)#
01:38:00: %OSPF-5-ADJCHG: Process 1, Nbr 150.100.220.14 on Vlan40 from FULL to DOWN, Neighbor Down: Dead timer expired

2.28

On Cat3, ports Fa0/6 through Fa0/10 will utilize the 200.200.200.0/24 subnet. Allow ports Fa0/6 and Fa0/7 to talk to each other, but no other devices in this subnet should be allowed to speak intra-VLAN to each other. Create a VLAN interface to be used as the gateway out for this subnet as 200.200.200.200/24. Additional VLANs may be created.

Finally we have a chance to play with Private VLANs on our 3560 switches. There are three different types of VLANs to consider: Isolated, Community and Promiscuous.

Fa0/6 and Fa0/7 will be in a Community VLAN since they are allowed to talk to each other. Fa0/8, Fa0/9 and Fa0/10 will be in an Isolated VLAN.

As soon as we start to enter things, we will notice that all of our VLAN commands won't work, since vtp mode must be transparent first. When things are added later in a lab that change things you were forced to do earlier, that can get rather frustrating.


 In real life we would likely want to select another VTP server switch, but here in the lab we aren't asked to, and Cat1 is still in server mode. Talking to the proctor about this certainly won't hurt.

Cat3
vtp mode transparent
vlan 2000
 private-vlan primary
 exit
vlan 2001
 private-vlan isolated
 exit
vlan 2002
 private-vlan community
 exit
vlan 2000
 private-vlan association add 2001-2002
int range Fa0/6 - 7
 switchport mode private-vlan host
 switchport private-vlan host-association 2000 2002
int range Fa0/8 - 10
 switchport mode private-vlan host
 switchport private-vlan host-association 2000 2001
int vlan 2000
 ip address 200.200.200.200 255.255.255.0
 private-vlan mapping add 2001-2002

 Keep in mind that the isolation is Layer 2 only. The SVI is mapped to both secondary VLANs so it can route for all of them; leave local proxy ARP off on it, or the gateway will answer ARP on behalf of the isolated hosts and relay traffic between them, undoing the isolation the task asked for.

Cat3(config-if)#do sh vl pr
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
2000    2001      isolated          Fa0/8, Fa0/9, Fa0/10
2000    2002      community         Fa0/6, Fa0/7

Cat3(config-if)#
Cat3(config-if)#do sh int vl2000 private-vlan mapping
Interface Secondary VLANs
--------- --------------------------------------------------------------------
vlan2000  2001, 2002

 This is exactly the way we should see things. While it looks like a lot of work to do to get this working, it's really not all that bad. Check out the "Configuring Private VLANs" part of the Configuration Guide and look at the sample configs. Cut 'n' Paste is your friend.

2.29

Except in VLAN 100, Cat3 should not have any ports blocked by spanning tree.

 This is another task that looks like it's messing with an earlier requirement. When we see the word "blocking" we should associate it with spanning tree, and we had an earlier requirement to make Cat2 the root of VLAN 100.  The only sure way to have ALL of a switch's ports in a forwarding state is to be the root bridge, since every port on the root is a designated port. The alternative is to start rearranging your physical topology. :)  So for everything other than VLAN 100 we can become root, and looking at "show spanning-tree" we clearly need to:

Cat3(config-if)#do sh spanning-tree | in VLAN|BLK
VLAN0001
Po23                Altn BLK 12        128.232  P2p
Po34                Altn BLK 12        128.320  P2p
VLAN0012
Po23                Altn BLK 12        128.232  P2p
Po34                Altn BLK 12        128.320  P2p
VLAN0040
Po23                Altn BLK 12        128.232  P2p
Po34                Altn BLK 12        128.320  P2p
VLAN0090
VLAN0100
Po13                Altn BLK 12        128.152  P2p
Po34                Altn BLK 12        128.320  P2p
VLAN0300
Po23                Altn BLK 12        128.232  P2p
Po34                Altn BLK 12        128.320  P2p
VLAN0567
Po23                Altn BLK 12        128.232  P2p
Po34                Altn BLK 12        128.320  P2p
VLAN0666
Po23                Altn BLK 12        128.232  P2p
Po34                Altn BLK 12        128.320  P2p
Cat3(config-if)#

 We have lots of different things blocking there.

Cat3
spanning-tree vlan 1,12,40,90,300,567,666 root primary

 Note that "root primary" is a one-time macro: it picks a priority (24576, or 4096 below the current root if that is already lower) at the moment you type it and does not track later changes on other switches, so check the resulting priority rather than trusting the keyword.

 Now what do things look like?

Cat3(config)#do sh spanning-tree | in VLAN|BLK
VLAN0001
VLAN0012
VLAN0040
VLAN0090
VLAN0100
Po13                Altn BLK 12        128.152  P2p
Po34                Altn BLK 12        128.320  P2p
VLAN0300
VLAN0567
VLAN0666
Cat3(config)#

 MUCH better. Or, just to verify, run the show command a little differently:

Cat3(config)#do sh spanning-tree | in VLAN|BLK|is the root
VLAN0001
  This bridge is the root
VLAN0012
  This bridge is the root
VLAN0040
  This bridge is the root
VLAN0090
  This bridge is the root
VLAN0100
Po13                Altn BLK 12        128.152  P2p
Po34                Altn BLK 12        128.320  P2p
VLAN0300
  This bridge is the root
VLAN0567
  This bridge is the root
VLAN0666
  This bridge is the root


 Very nice.  Can we adjust VLAN 100 without becoming the root? We could try to make it the preferred path by lowering the spanning-tree cost below the alternate paths:

Cat3
int po13
 spanning-tree vlan 100 cost 2
int po34
 spanning-tree vlan 100 cost 2

 Are they still blocking?

Cat3(config-if)#do sh spanning-tree | in VLAN|BLK|is the root
VLAN0001
  This bridge is the root
VLAN0012
  This bridge is the root
VLAN0040
  This bridge is the root
VLAN0090
  This bridge is the root
VLAN0100
Po13                Altn BLK 2         128.152  P2p
Po34                Altn BLK 2         128.320  P2p
VLAN0300
  This bridge is the root
VLAN0567
  This bridge is the root
VLAN0666
  This bridge is the root
Cat3(config-if)#

 Yes. Why? A cost of 2 is far lower than the default, but remember that every switch here is interconnected with every other switch, and spanning-tree cost is cumulative: each switch adds the cost of its own receiving port to the root path cost it hears in the BPDU. Cat3 reaches the root (Cat2) directly over Po23 at cost 12. Through Cat1 it would be Cat1's own root path cost (at least 12 for its direct link to Cat2) plus the 2 we configured, so 14 at best, and the same holds through Cat4. No matter how small we make the cost on Po13 and Po34, the indirect path will always cost more than the directly connected link, so both ports stay alternate and blocking.  We could manipulate costs in several places to change the total path cost, but that isn't asked for in this lab task anyway.


2.30

In the event that Cat2 loses its link to Cat3, the path to the root bridge should go through Cat4 as quickly as possible. Do not use any “cost” or “priority” type commands on Cat2 to make this happen.

 Time for some more spanning-tree manipulation. In order to change paths, we first need to verify where we're going now. Right off, from Cat2 we can see that everything goes to Cat3 (the root for most VLANs) over Po23, except VLAN 100, where Cat2 is the root itself:

Cat2(config-if)#do sh span | in VLAN|Root
VLAN0001
  Root ID    Priority    24577
Po23                Root FWD 12        128.248  P2p
VLAN0012
  Root ID    Priority    24588
Po23                Root FWD 12        128.248  P2p
VLAN0040
  Root ID    Priority    24616
Po23                Root FWD 12        128.248  P2p
VLAN0100
  Root ID    Priority    24676
VLAN0300
  Root ID    Priority    24776
Po23                Root FWD 12        128.248  P2p
VLAN0567
  Root ID    Priority    25143
Po23                Root FWD 12        128.248  P2p
VLAN0666
  Root ID    Priority    25242
Po23                Root FWD 12        128.248  P2p
Cat2(config-if)#

 In the event of a failure, it's all about recalculating root path costs. The cost can be changed (we're not allowed to on Cat2), and if that ties, port priority is looked at (not allowed either).  In MST and Rapid-PVST we have Alternate and Backup port roles to provide fast failover. Prior to that, in PVST operation, we didn't have those; we had two manually enabled features instead, UplinkFast and BackboneFast. Which to use?  Cisco Documentation. :) We'll find that UplinkFast is for the case where a switch's own root port (its uplink) goes down and a blocked alternate port is ready to take over, while BackboneFast is for indirect failures elsewhere in the tree, detected through inferior BPDUs, and is enabled on every switch including the root. Cat2 losing its direct link to Cat3 is a root port failure, so UplinkFast is what we want. But this is a two-stage thing. UplinkFast only makes the switch converge faster; we still have to make sure the path through Cat4 is the next best choice. The task says not to use "priority" or "cost" commands on Cat2, but says nothing about the other switches.

 Remember how cost accumulates: each switch adds the cost of the port on which it receives the BPDU to the root path cost carried in that BPDU. Cat3 is the root and advertises a cost of 0, so a cost configured on Cat3's own Po34 is never added by anyone (setting "spanning-tree cost 5" on the root's port would accomplish nothing). The knob that lowers Cat4's root path cost, and therefore the cost Cat2 sees through Cat4, is on Cat4's port toward Cat3:

Cat4
int po34
 spanning-tree cost 5

 With that, Cat2's path through Cat4 costs 5 plus Cat2's own uplink cost, which beats the path through Cat1 at 12 plus the uplink cost; without it the two tie and the lower sender bridge ID decides. Now the fast part:

Cat2
spanning-tree uplinkfast

 One thing to watch: UplinkFast is designed for access switches, so enabling it raises the bridge priority to 49152 and adds 3000 to the port costs to keep the switch from becoming root or a transit path. Cat2 is root for VLAN 100 by explicit priority, and the summary below still lists it as root for VLAN0100, but check that after enabling it.

Cat2(config)#do sh span sum
Switch is in pvst mode
Root bridge for: VLAN0100
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is enabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      2         0        0          1          3
VLAN0012                      1         0        0          2          3
VLAN0040                      1         0        0          2          3
VLAN0100                      0         0        0          4          4
VLAN0300                      2         0        0          3          5
VLAN0567                      2         0        0          6          8
VLAN0666                      2         0        0          1          3
---------------------- -------- --------- -------- ---------- ----------
9 VLANs                      14         0        0         23         37

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0
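 To make the cost reasoning from tasks 2.29 and 2.30 concrete, here is an added Python model of the root path cost election over the four-switch mesh (this is not part of the workbook). The switch names and the port-channel cost of 12 come from the page; the bridge MAC addresses and priorities are constructed assumptions, and the model ignores port IDs and the cost adjustment UplinkFast itself makes.

```python
"""Model of 802.1D root-path-cost election for the four-switch lab mesh.

Added example, not part of the workbook. Switch names and the cost of 12 for a
port-channel come from the page; the MAC addresses and priorities are
constructed assumptions. Port IDs and UplinkFast's own cost/priority changes
are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # configured priority + VLAN number (extended system ID)
    mac: str


@dataclass
class Switch:
    name: str
    bridge_id: BridgeId
    port_cost: Dict[str, int] = field(default_factory=dict)  # cost of MY port toward neighbor


def converge(switches: Dict[str, Switch]) -> Dict[str, Tuple[int, Optional[str]]]:
    """Return {switch: (root path cost, neighbor on the root port)}.

    The root advertises cost 0. A switch adds the cost of the port on which it
    receives a BPDU, so a cost configured on the sender's port is never counted.
    Equal costs are broken by the lower sender bridge ID.
    """
    root = min(switches.values(), key=lambda s: s.bridge_id)
    best: Dict[str, Tuple[int, BridgeId, Optional[str]]] = {root.name: (0, root.bridge_id, None)}
    changed = True
    while changed:  # iterate like BPDU propagation until nothing improves
        changed = False
        for sw in switches.values():
            if sw.name == root.name:
                continue
            for nbr, my_cost in sw.port_cost.items():
                if nbr not in best:
                    continue
                cand = (best[nbr][0] + my_cost, switches[nbr].bridge_id, nbr)
                if sw.name not in best or cand[:2] < best[sw.name][:2]:
                    best[sw.name] = cand
                    changed = True
    return {n: (c, via) for n, (c, _, via) in best.items()}


def candidates(switches: Dict[str, Switch], name: str) -> List[Tuple[int, str]]:
    """Root-path choices for one switch, best first: root port, then alternates."""
    state = converge(switches)
    ranked = sorted(
        (state[nbr][0] + cost, switches[nbr].bridge_id, nbr)
        for nbr, cost in switches[name].port_cost.items()
        if state[nbr][1] != name  # a neighbor whose root port faces us is downstream
    )
    return [(cost, via) for cost, _, via in ranked]


def lab_mesh(root: str, vlan: int) -> Dict[str, Switch]:
    """Fully meshed Cat1..Cat4, every port-channel at cost 12 (constructed MACs)."""
    macs = {"Cat1": "0011.0000.0001", "Cat2": "0011.0000.0002",
            "Cat3": "0011.0000.0003", "Cat4": "0011.0000.0004"}
    mesh = {}
    for name, mac in macs.items():
        prio = (24576 if name == root else 32768) + vlan   # "root primary" vs default
        mesh[name] = Switch(name, BridgeId(prio, mac), {n: 12 for n in macs if n != name})
    return mesh


def task_230() -> Dict[str, List[Tuple[int, str]]]:
    """Cat2's ranked paths to the root (Cat3) before and after each cost change."""
    out = {}
    mesh = lab_mesh("Cat3", vlan=1)
    out["baseline"] = candidates(mesh, "Cat2")            # Po23 at 12; Cat1/Cat4 tie at 24
    mesh["Cat3"].port_cost["Cat4"] = 5                      # cost on the ROOT's port: never added
    out["cost_on_cat3_po34"] = candidates(mesh, "Cat2")     # unchanged
    mesh = lab_mesh("Cat3", vlan=1)
    mesh["Cat4"].port_cost["Cat3"] = 5                      # cost on Cat4's port toward the root
    out["cost_on_cat4_uplink"] = candidates(mesh, "Cat2")   # via Cat4 = 5 + 12 = 17 beats 24
    return out


def task_229_vlan100() -> List[Tuple[int, str]]:
    """VLAN 100: Cat2 is root; Cat3 lowers Po13/Po34 to cost 2 but they stay alternate."""
    mesh = lab_mesh("Cat2", vlan=100)
    mesh["Cat3"].port_cost["Cat1"] = 2
    mesh["Cat3"].port_cost["Cat4"] = 2
    return candidates(mesh, "Cat3")   # direct 12 still beats 12 + 2 through Cat1 or Cat4


if __name__ == "__main__":
    for label, ranked in task_230().items():
        print(f"2.30 {label:20s} Cat2 -> {ranked}")
    print(f"2.29 VLAN 100          Cat3 -> {task_229_vlan100()}")
```

 The ranked lists show why lowering the cost on Cat3's Po13/Po34 never unblocks them in VLAN 100, and why the cost for task 2.30 has to sit on Cat4's side of the Cat3-Cat4 link rather than on the root's port.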


Technical Verification and Support

To verify your router and switch configurations, please ensure that you have downloaded the latest configurations from your www.IPexpert.com account. You may also verify your configurations within the Volume One Proctor Guide that you received along with this Workbook. You can find this document in the eBook section of your www.IPexpert.com account. Support is also available in the following ways:

 Mailing List: http://www.OnlineStudyList.com
 Email: support@ipexpert.com