Upload
vukiet
View
275
Download
16
Embed Size (px)
Citation preview
CCIE Foundation by Narbik Kocharians Switching Lab Page 1 of 55 © 2007 Narbik Kocharians. All rights reserved
CCIE Foundation The GAP from CCNP to CCIE
WWW.NetWorkBooks.com
Narbik Kocharians CCIE #12410
R&S, Security, SP
3550/3560 Switching
Answers
CCIE Foundation by Narbik Kocharians Switching Lab Page 2 of 55 © 2007 Narbik Kocharians. All rights reserved
Router to Switch connection
SW1 SW2 R1
F0/0 F0/1
R2
F0/0 F0/1
R3 R3
F0/0 F0/1
R4
F0/0 F0/1
R5
F0/0 F0/1
R6
F0/0 F0/1
F0/1
F0/2
F0/3
F0/4
F0/5
F0/6
F0/1
F0/2
F0/3
F0/4
F0/5
F0/6
CCIE Foundation by Narbik Kocharians Switching Lab Page 3 of 55 © 2007 Narbik Kocharians. All rights reserved
Switch to Switch Connection
SW1 SW2 F0/20
F0/19
F0/22 F0/21 F0/21 F0/22
F0/19
F0/20 SW3 SW4
SW1 SW4 F0/7
F0/8
SW2 SW3 F0/7
F0/8
CCIE Foundation by Narbik Kocharians Switching Lab Page 4 of 55 © 2007 Narbik Kocharians. All rights reserved
Task 1
The first Catalyst switch should be configured with a hostname of “SW1” and the second Catalyst should have a hostname of “SW2”.
On the first Switch
Switch(config)#Hostname SW1
On the Second Switch
Switch(config)#Hostname SW2
Task 2
Configure SW1 to be in VTP domain called CCIE, this configuration should be propagated to SW2 via VTP messages.
Maintaining a consistent list of VLANs in a huge network where there are many interconnected switches can be an administrative nightmare, in order to reduce this administrative overhead switches that share a common VLAN information can be organized into logical groups called VTP domains. These domain do not create a layer two boundary, they only create different management domains. Switches in a given VTP domain exchange VTP updates to synchronize VLAN information. In order for two or more switches to exchange VTP updates, the two switches must have a trunk established between them, this is because VTP messages can ONLY cross trunk links. Note the two switches are connected with 2 cross over ethernet cables, if these switches are 3550s, the two ports would negotiate an ISL trunk, but if the two switches are 3560s, they would NOT negotiate a trunk, because by default the ports on 3560 switches are in auto mode, whereas, the ports on 3550 switches are in desirable mode.
To see this on the switches:
Lab 1 3550/3560 Switching
CCIE Foundation by Narbik Kocharians Switching Lab Page 5 of 55 © 2007 Narbik Kocharians. All rights reserved
On 3550 switches:
3550#Show interface status
Port Name Status Vlan Duplex Speed Type Fa0/1 notconnect 1 auto auto 10/100BaseTX Fa0/2 notconnect 1 auto auto 10/100BaseTX Fa0/3 notconnect 1 auto auto 10/100BaseTX Fa0/4 notconnect 1 auto auto 10/100BaseTX (The rest of the output is omitted)
On 3560 switches:
3560#Show run
Building configuration...
Current configuration : 2102 bytes ! interface FastEthernet0/1 switchport mode dynamic desirable ! interface FastEthernet0/2 switchport mode dynamic desirable ! interface FastEthernet0/3 switchport mode dynamic desirable
(The rest of the output is omitted)
To create the trunk, we should first check to see if the trunk was automatically negotiated, if the switches are 3560s, they will NOT negotiate a trunk, as follows:
3560#Show int trunk
SW1# Note the trunk is not negotiated. If the switches are 3550s, you should see that the trunk is automatically negotiated using Cisco proprietary trunking protocol called ISL, as follows:
3550#Show interface trunk
Port Mode Encapsulation Status Native vlan Fa0/20 desirable nisl trunking 1 Fa0/21 desirable nisl trunking 1
CCIE Foundation by Narbik Kocharians Switching Lab Page 6 of 55 © 2007 Narbik Kocharians. All rights reserved
Note the status is “nisl”, which means negotiated ISL.
To configure the ports as trunk:
On Both switches:
(config)#int range f0/1920 (configifrange)#switchport trunk encapsulation isl (configifrange)#switchport mode trunk These commands will be explained in later steps.
To verify the configuration:
On Both switches:
#Show int trunk
Port Mode Encapsulation Status Native vlan Fa0/19 on isl trunking 1 Fa0/20 on isl trunking 1
(The rest of the output is omitted)
Now that the trunk is established between the two switches, you can go on with VTP configuration as follows:
On SW1
By default the 3550/3560 switches are member of a domain called NULL, in this mode the switches will not propagate VLAN information from one switch to another. Enter the following to change the VTP domain name to “CCIE”.
SW1(config)#VTP domain CCIE
Note once the above command is entered, you should see the following message telling you that the domain name was changed from the default name of “NULL” to “CCIE”.
Changing VTP domain name from NULL to CCIE
This task could also be accomplished by entering the “VLAN database” as follows:
SW1#Vlan database SW1(vlan)#Vtp domain CCIE
CCIE Foundation by Narbik Kocharians Switching Lab Page 7 of 55 © 2007 Narbik Kocharians. All rights reserved
SW1(vlan)#Exit
When a command is entered in the Vlan database, you must perform the “exit” or the “apply” command for the changes to take effect.
Note the display below reveals that VTP propagated the VTP domain information to the second switch:
On SW2:
SW2#Sh vtp status
VTP Version : 2 Configuration Revision : 0 Maximum VLANs supported locally : 1005 Number of existing VLANs : 5 VTP Operating Mode : Server VTP Domain Name : CCIE VTP Pruning Mode : Disabled VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD Configuration last modified by 0.0.0.0 at 0000 00:00:00 Local updater ID is 0.0.0.0 (no valid interface found)
Task 3
This VTP domain should be password protected using “Cisco” as the password.
VTP password can be changed in three ways:
Privilege mode: Switch#vtp password Cisco
Vlan Database: Vlan database Vtp password Cisco Exit
Global config mode: Switch(config)#vtp password Cisco
In this task it is configured in Global config mode as follows:
CCIE Foundation by Narbik Kocharians Switching Lab Page 8 of 55 © 2007 Narbik Kocharians. All rights reserved
On both switches
(config)#vtp password Cisco
You should get the following message: Setting device VLAN database password to Cisco
Note, if a domain name is not assigned to the switches and the default name (NULL) is used, a password can not be assigned.
This “VTP password” command can be entered in global configuration mode, privilege configuration mode or in the VLAN database mode.
The password command must be configured statically on both switches because this change will NOT get propagated via VTP messages.
To verify the configuration:
On any of the switches:
#Show VTP password This verifies the password, remember Spaces will not show
VTP Password: Cisco
Task 4
SW2 should NOT have the ability to create, delete or rename VLAN or VLAN information.
On SW2
SW2(config)#Vtp mode client
This configuration can be performed in the vlan database or global config mode. The above command was entered in the global config mode. If this command must be configured in the vlan database, you must first enter the “vtp database” command in the privilege mode, then, enter “vtp client” and lastly the “exit” command must be used for the changes to take effect. Once the command is entered you should get the following message:
Setting device to VTP CLIENT mode.
CCIE Foundation by Narbik Kocharians Switching Lab Page 9 of 55 © 2007 Narbik Kocharians. All rights reserved
The switches can operate in three different VTP modes and they are as follows:
Server mode:
Ø Creates, modifies and deletes VLANs Ø Sends and forwards VTP advertisements Ø Synchronizes VLAN information Ø Saves VLAN information in “vlan.dat” in the flash memory
Client mode:
Ø CAN NOT create, modify or delete VLAN information Ø Forwards the VTP advertisements Ø Synchronizes VLAN information Ø CAN NOT save the configuration in the NVRAM
Transparent mode:
Ø Creates, deletes and modifies VLANs locally Ø Forwards the VTP advertisements Ø Does NOT process VTP messages Ø Saves VLAN information in NVRAM and NOT the VLAN database
Task 5
Create and configure the following VLAN assignments:
Router Interface VLAN number CAT Switches Port R1 – F0/0 12 SW1 – F0/1 R2 – F0/0 12 SW1 – F0/2 R3 – F0/0 34 SW1 – F0/3 R4 – F0/0 34 SW1 – F0/4 R5 – F0/0 56 SW1 – F0/5 R6 – F0/0 56 SW1 – F0/6 R1 – F0/1 111 SW2 – F0/1
30
On SW1
SW1(config)#interface range f0/1 2
CCIE Foundation by Narbik Kocharians Switching Lab Page 10 of 55 © 2007 Narbik Kocharians. All rights reserved
SW1(configif)#switch mode access SW1(configif)#switch access vlan 12
SW1(config)#interface range f0/3 4 SW1(configif)#switch mode access SW1(configif)#switch access vlan 34
SW1(config)#interface range F0/5 6 SW1(configif)#switch mode access SW1(configif)#switch access vlan 56
SW1(config)Vlan 30 SW1(config)exit
Note the Vlan information will be propagated to the other switch (SW2), because both switches are in the same VTP domain, password and they have a trunk connecting them to each other.
On SW2
SW2#Show vlan brie
VLAN Name Status Ports 1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/23, Fa0/24 Gi0/1, Gi0/2
12 VLAN0012 active 34 VLAN0034 active 56 VLAN0056 active 30 VLAN0030 active (The rest of the output is omitted)
SW2#Show VTP Status
VTP Version : 2 Configuration Revision : 4 Maximum VLANs supported locally : 1005 Number of existing VLANs : 8 VTP Operating Mode : Client VTP Domain Name : CCIE VTP Pruning Mode : Disabled
CCIE Foundation by Narbik Kocharians Switching Lab Page 11 of 55 © 2007 Narbik Kocharians. All rights reserved
VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D Configuration last modified by 0.0.0.0 at 3193 00:06:11 Local updater ID is 0.0.0.0 (no valid interface found)
On SW1
SW1#Show VTP Status
VTP Version : 2 Configuration Revision : 4 Maximum VLANs supported locally : 1005 Number of existing VLANs : 8 VTP Operating Mode : Server VTP Domain Name : CCIE VTP Pruning Mode : Disabled VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D Configuration last modified by 0.0.0.0 at 3193 00:06:11 Local updater ID is 0.0.0.0 (no valid interface found)
Note, VTP version is 2, Configuration revision is 4, number of existing VLANs is 8 on both switches, (because they are synchronized), and the reason the VLAN information was propagated is because the VTP domain name and the password is identical on both switches and the switches are trunked.
SW1 should be used to create VLAN 111, this is because SW2 is in VTP client mode. You should see the following error message if SW2 is used to create VLAN 111.
SW2(config)#vlan 111 VTP VLAN configuration not allowed when device is in CLIENT mode.
On SW1
SW1(config)#vlan 111 SW1(configvlan)#exit
To verify the configuration:
On SW2
CCIE Foundation by Narbik Kocharians Switching Lab Page 12 of 55 © 2007 Narbik Kocharians. All rights reserved
SW2#Show vlan brief
VLAN Name Status Ports 1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/21, Fa0/22 Fa0/23, Fa0/24, Gi0/1, Gi0/2
12 VLAN0012 active 34 VLAN0034 active 56 VLAN0056 active 111 VLAN0111 active 30 VLAN0030 active
Task 6
Ensure that SW1’s Loopback0 (1.1.1.1 /8) interface is used as the preferred source for the VTP IP updater address.
Note in the last Task when the “show vtp status” command was entered on SW1, the last line of the output displayed the fact that (no valid interface found). SW1 can be configured such that the IP address of any of it’s interfaces in this case Loopback0 is used as the source of all VTP messages, as follows:
On SW1
SW1(config)# Interface Loopback 0 SW1(configif)# Ip address 1.1.1.1 255.0.0.0 SW1(configif)# Exit
SW1(config)# Vtp interface Loopback0 Note the above command is not needed, as long as SW1 has an IP address configured the source of all VTP updates will use that specific IP address as the source IP address of all VTP messages, if your switch is configured with multiple IP addresses, and you must use a specific IP address as the source of the updates, then, the above command can be used to specify the IP address of a given interface as the source of all VTP updates.
SW1#Show vtp status
VTP Version : 2 Configuration Revision : 4
CCIE Foundation by Narbik Kocharians Switching Lab Page 13 of 55 © 2007 Narbik Kocharians. All rights reserved
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8 VTP Operating Mode : Server VTP Domain Name : CCIE VTP Pruning Mode : Disabled VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D Configuration last modified by 0.0.0.0 at 3193 00:06:11 Local updater ID is 1.1.1.1 on interface Lo0 (preferred interface) Preferred interface name is lo0
On SW2
SW2#Show vtp status
VTP Version : 2 Configuration Revision : 4 Maximum VLANs supported locally : 1005 Number of existing VLANs : 8 VTP Operating Mode : Client VTP Domain Name : CCIE VTP Pruning Mode : Disabled VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D Configuration last modified by 0.0.0.0 at 3193 00:22:29
Create a VLAN (VLAN 80) on SW1 so you can see that the change was made by an IP address of 1.1.1.1 on SW2. This VLAN should be deleted before proceeding to the next task.
On SW1
SW1(config)#Vlan 80 Sw1(config)#exit
On SW2
SW2#Show vtp status
VTP Version : 2 Configuration Revision : 5 Maximum VLANs supported locally : 1005
CCIE Foundation by Narbik Kocharians Switching Lab Page 14 of 55 © 2007 Narbik Kocharians. All rights reserved
Number of existing VLANs : 9 VTP Operating Mode : Client
VTP Domain Name : CCIE VTP Pruning Mode : Disabled VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0x02 0x05 0x92 0x34 0xF0 0xC0 0x35 0x9D Configuration last modified by 1.1.1.1 at 3193 00:34:33
On SW1
SW1(config)#No vlan 80
Task 7
Configure the switches such that flooded traffic is restricted to the trunk links that the traffic must use to reach the destination device.
This task calls for VTP pruning and the following Show command reveals the current status of VTP pruning:
On SW2
SW2#Show vtp status
VTP Version : 2 Configuration Revision : 5 Maximum VLANs supported locally : 1005 Number of existing VLANs : 8 VTP Operating Mode : Server VTP Domain Name : CCIE VTP Pruning Mode : Disabled VTP V2 Mode : Disabled Pruning is disabled VTP Traps Generation : Disabled MD5 digest : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D Configuration last modified by 1.1.1.1. at 3193 00:12:48 Local updater ID is 1.1.1.1 o interface Lo0 (First layer3 interface found)
Note the above show command reveals that VTP Pruning is disabled
On SW1
CCIE Foundation by Narbik Kocharians Switching Lab Page 15 of 55 © 2007 Narbik Kocharians. All rights reserved
SW1#Vtp pruning
This command can be configured in privilege mode, Global config mode, and/or in the Vlan database. Once this feature is enabled, it will get propagated to the other switches within the VTP domain.
To verify the configuration on both switches:
On SW2
SW2#Show vtp status
VTP Version : 2 Configuration Revision : 6 Maximum VLANs supported locally : 1005 Number of existing VLANs : 8 VTP Operating Mode : Server VTP Domain Name : CCIE VTP Pruning Mode : Enabled VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 digest : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D Configuration last modified by 1.1.1.1 at 3193 00:12:48
Note VTP messages propagate the change through the entire VTP domain. Its possible to have a switch within the enterprise that does not have local port membership in a given VLAN/s. VTP pruning increases the available bandwidth on the trunk links by restricting flooded traffic to those trunk links that the traffic must use to access the give host. Remember that VLAN 1 is always ineligible for pruning and traffic from VLAN 1 can not be pruned. Remember that this can ONLY be configured on the switches that are in VTP server mode.
Task 8
Ensure that SW1 is the root bridge for the VLANs 12 and SW2 is the root bridge for VLAN 56. Do NOT use the “priority” command to accomplish this task.
There are three commands that can be used to display the BID for a given switch:
Ø Show version Ø Show spanningtree bridge Ø Show interface Vlan 1
CCIE Foundation by Narbik Kocharians Switching Lab Page 16 of 55 © 2007 Narbik Kocharians. All rights reserved
On SW1
SW1#Show version
SW1#Show ver Cisco IOS Software, C3560 Software (C3560ADVIPSERVICESK9M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1) Copyright (c) 19862006 by Cisco Systems, Inc. Compiled Fri 28Jul06 12:34 by yenanh Image textbase: 0x00003000, database: 0x012237D0 (The output of this show command is modified)
512K bytes of flashsimulated nonvolatile configuration memory. Base ethernet MAC Address : 00:19:06:7F:89:00 Motherboard assembly number : 73989706 Power supply part number : 341009702 Motherboard serial number : CAT10297MHE Power supply serial number : AZS1025050V Model revision number : D0 The rest of the output is omitted The base MAC
The following command reveals the base MAC address of the switch, the combination of priority and the base MAC address is the BID for a given switch.
SW1#Show spanningtree bridge
Hello Max Fwd Vlan Bridge ID Time Age Dly Protocol VLAN0001 32769 (32768, 1) 0019.067f.8900 2 20 15 ieee VLAN0012 32780 (32768, 12) 0019.067f.8900 2 20 15 ieee VLAN0034 32802 (32768, 34) 0019.067f.8900 2 20 15 ieee VLAN0056 32824 (32768, 56) 0019.067f.8900 2 20 15 ieee VLAN0030 32898 (32768, 30) 0019.067f.8900 2 20 15 ieee
Note the priority starts with 32768, each VLAN that is created adds it’s VLAN number to the default priority value (If the base priority and the VLAN number is added within the parenthesis, the sum will be the priority for that given VLAN, which is displayed to the left of the parenthesis), VLAN 12 adds 12 to the default priority value, therefore, the priority is 32780 and VLAN 34 adds 34 to the default priority value, therefore, the priority is 32802. Note that the MAC is the base MAC address and it remains the same, in this case (0019.067f.8900).
Note your MAC address maybe different.
CCIE Foundation by Narbik Kocharians Switching Lab Page 17 of 55 © 2007 Narbik Kocharians. All rights reserved
SW1#Show int Vlan 1
Vlan1 is up, line protocol is up Hardware is EtherSVI, address is 0019.067f.8940 (bia 0019.067f.8940) MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255
The output of the above command will reveal the bia or the MAC address of VLAN 1 interface which is also the base MAC address of the switch
To find out the BID and the root bridge for a given VLAN, enter the following Show command:
On SW1
SW1#Show spanningtree vlan 12
SW1#Show spanningtree vlan 12
VLAN0012 Spanning tree enabled protocol ieee The MAC address of the root bridge Root ID Priority 32780
Address 0018.b989.8280 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32780 (priority 32768 sysidext 12) Address 0018.b989.8280 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300
The Mac address of the local switch Interface Role Sts Cost Prio.Nbr Type Fa0/19 Desg FWD 19 128.21 P2p Fa0/20 Desg FWD 19 128.22 P2p
Note even though the above show commands reveals that SW1 is the root bridge for VLAN 12 we should statically configure this switch so in the future a topology change will not change the root bridge for this VLAN. Enter the following commands to configure SW1 to be the root bridge for VLANs 12:
On SW1
SW1(config)#Spanningtree vlan 12 root primary The above command configures SW1 to be the root for VLAN 12; the “root” keyword is a
CCIE Foundation by Narbik Kocharians Switching Lab Page 18 of 55 © 2007 Narbik Kocharians. All rights reserved
macro that reduces the BID of the switch for a given VLAN by a value of 8192 (The lower value is the preferred value).
SW1#Show spanningtree vlan 12
VLAN0012 Note 32768+128192 = 24588 Spanning tree enabled protocol ieee Root ID Priority 24588
Address 0018.b989.8280 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24588 (priority 24576 sysidext 12) Address 0018.b989.8280 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300
Interface Role Sts Cost Prio.Nbr Type Fa0/19 Desg FWD 19 128.21 P2p Fa0/20 Desg FWD 19 128.22 P2p
On SW2
SW2(config)##Spanningtree vlan 56 root primary
To verify the configuration:
On SW2
SW2#Sh spanningtree vlan 56
VLAN0056 Spanning tree enabled protocol ieee Root ID Priority 24632
Address 001a.2f0a.2000 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24632 (priority 24576 sysidext 56) Address 001a.2f0a.2000 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15
Interface Role Sts Cost Prio.Nbr Type
CCIE Foundation by Narbik Kocharians Switching Lab Page 19 of 55 © 2007 Narbik Kocharians. All rights reserved
Fa0/19 Desg FWD 19 128.21 P2p Fa0/20 Desg FWD 19 128.22 P2p
Task 9
Configure SW1 to be the root bridge for VLAN 34 and SW2 to be the root bridge for VLAN 111; you should use the “priority” command to accomplish this task.
When it comes to priority and values, Cisco plays two games, basketball and golf, what I mean by that is that sometimes the lower number has more preference and sometimes the higher number. When it comes to spanningtree, the lower number has more preference.
On SW1
SW1(config)#spanningtree vlan 34 priority 0 Note the priority of this VLAN is set to zero, which is the lowest number within the range.
To verify the configuration
On Sw1
SW1#Show spanningtree vlan 34
VLAN0034 Spanning tree enabled protocol ieee Root ID Priority 34
Address 001a.2f0a.2000 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 34 (priority 0 sysidext 34) Address 001a.2f0a.2000 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300
Interface Role Sts Cost Prio.Nbr Type Fa0/19 Desg FWD 19 128.21 P2p Fa0/20 Desg FWD 19 128.22 P2p
On Sw2
CCIE Foundation by Narbik Kocharians Switching Lab Page 20 of 55 © 2007 Narbik Kocharians. All rights reserved
SW2(config)#spanningtree vlan 111 priority 0
To verify the configuration:
On Sw2
SW2#Show spanningtree vlan 111
VLAN0111 Spanning tree enabled protocol ieee Root ID Priority 111
Address 001a.2f0a.2000 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 111 (priority 0 sysidext 111) Address 001a.2f0a.2000 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15
Interface Role Sts Cost Prio.Nbr Type Fa0/19 Desg FWD 19 128.21 P2p Fa0/20 Desg FWD 19 128.22 P2p
Task 10
Configure SW1 such that the ports that the routers are connected to bypass listening and learning state. If any of these ports receive BPDU packets, they should transition into errdisable state. Use minimum number of commands to accomplish this task. This configuration should only be applied to the ports that the routers R1 R6 are connected to.
Spanningtree PortFast causes an interface that is configured as a layer 2 access port to transition from blocking to forwarding state immediately by bypassing the listening and learning states. PortFast should be configured on interfaces that have a single host connected. If PortFast is enabled on a port connecting to another switch, a Spanningtree loop may result. If BPDU guard is configured, and an interface configured as PortFast receives BPDUs, the port will transition into errdisable mode blocking all traffic.
On SW1
CCIE Foundation by Narbik Kocharians Switching Lab Page 21 of 55 © 2007 Narbik Kocharians. All rights reserved
SW1(config)#Spanningtree portfast bpduguard default
SW1(config)#Interface range F0/1 6 SW1(configif)#Spanningtree portfast This command could also be configured globally, by using the “Spanningtree portfast default” command; this command enables PortFast on all nontrunking ports.
Once the portfast command is entered you should see the following warning message: %Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this Interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION %Portfast will be configured in 6 interfaces due to the range command but will only have effect when the interfaces are in a nontrunking mode.
The “spanningtree portfast bpduguard default” command in global config mode will shut the port down in errdisable mode if any portfast enabled port receives BPDU packets.
Task 11
Ø Ensure that ports F0/19 of both switches are trunking.
Ø These ports should NOT use any DTP for establishing the trunk
Ø Ensure that VLAN 111 does not get tagged as the traffic for this VLAN traverses this trunk link.
Ø Ensure that traffic for VLAN 30 does NOT traverse this trunk link.
A trunk by default carries traffic for all VLANs; in order to differentiate traffic from different VLANs a trunking protocol is used. Basically the sending switch marks each frame with a VLAN ID before sending the traffic through the trunk link so the receiving switch can distinguish the destination VLAN of the frames. For security or other reasons it’s a good practice to configure the trunk links such that they ONLY carry traffic for intended VLANs, in this task the traffic for VLAN 30 should NOT traverse this trunk link. A trunk can be established between the following devices:
Ø Between two Switches Ø A switch and a router Ø A switch and a NIC that has the capability of establishing a trunk
CCIE Foundation by Narbik Kocharians Switching Lab Page 22 of 55 © 2007 Narbik Kocharians. All rights reserved
In CCIE lab exam, I highly recommend reading each section entirely before configuring the tasks within that section. In this case if this entire section was read before, this task and task 19 would have been configured already. The last item of this task requires us to configure DOT1Q trunking. Remember that when a switch configured with DOT1Q receives an untagged frame, it will assign it to the native VLAN. In DOT1Q the native VLAN traffic is NOT tagged, the native VLAN is VLAN 1 by default. Because of this fact, you must ensure that native VLAN is identical on both ends of the trunk. If VLANs are not identical on both ends of a trunk, the traffic from different VLANs will merge, in order to prevent this from occurring, the trunk link will go down if the VLANs are not identical on both ends of a trunk.
On Both Switches
(config)#Interface F0/19 (configif)#Switchport trunk encapsulation dot1q (configif)#Switchport mode trunk
The “Switchport trunk encapsulation” command can have the following parameters:
Ø Dot1q – Specifies dot1q encapsulation on the trunk link.
Ø ISL Specifies dot1q encapsulation on the trunk link.
Ø Negotiate – Specifies that the local interface should negotiate with the neighboring interface (The interface to which it is connected to) to become either dot1q or ISL, depending on the configuration of the neighboring interface.
The “Switchport mode trunk” command puts the interface into permanent trunking mode.
To verify the configuration:
On both Switches
SW1#Show int trunk
Port Mode Encapsulation Status Native vlan Fa0/19 on 802.1q trunking 1 Fa0/20 on isl trunking 1
Port Vlans allowed on trunk
CCIE Foundation by Narbik Kocharians Switching Lab Page 23 of 55 © 2007 Narbik Kocharians. All rights reserved
Fa0/19 14094 Fa0/20 14094
Port Vlans allowed and active in management domain Fa0/19 1,12,30, 34,56, 111 Fa0/20 1,12,30, 34,56, 111
Port Vlans in spanning tree forwarding state and not pruned Fa0/19 1,12,30, 34,56 Fa0/20 12,34
To configure the second bullet item:
To see the default setting:
On Both Switches:
SW2#Show int f0/19 switchport
Name: Fa0/19 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Note the negotiation of Administrative Native VLAN tagging: enabled trunking is ON (The rest of the output is omitted)
To change this setting:
On Both Switches:
(config)#int f0/19 (configif)#switchport nonegotiate
To verify the configuration:
On Both Switches:
#Show int f0/19 switchport
CCIE Foundation by Narbik Kocharians Switching Lab Page 24 of 55 © 2007 Narbik Kocharians. All rights reserved
Name: Fa0/19 Note the trunking negotiation is OFF Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: Off Access Mode VLAN: 1 (default) (The rest of the output is omitted)
To configure the third bullet item:
On SW1
SW1(configif)#switchport trunk native vlan 111
Note once this command is entered you should see the following console message: %CDP4NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/19 (111), with SW2 FastEthernet0/19
On Sw2
SW1(configif)#switchport trunk native vlan 111
To configure the forth item:
To see the default behavior:
SW1#Show interface trunk
Port Mode Encapsulation Status Native vlan Fa0/19 on 802.1q trunking 111 Fa0/20 on isl trunking 1
Note by default all VLAN are allowed to Port Vlans allowed on trunk to traverse the trunk Fa0/19 14094 Fa0/20 14094
Port Vlans allowed and active in management domain Fa0/19 1,12,30,34,56,111 Fa0/20 1,12,30,34,56,111
Port Vlans in spanning tree forwarding state and not pruned Fa0/19 1 Fa0/20 1
CCIE Foundation by Narbik Kocharians Switching Lab Page 25 of 55 © 2007 Narbik Kocharians. All rights reserved
To configure this item:
On Both Switches:
(configif)#switchport trunk allowed vlan except 30
Note the following reveals all options:
(configif)#switchport trunk allowed vlan ? WORD VLAN IDs of the allowed VLANs when this port is in trunking mode add add VLANs to the current list all all VLANs except all VLANs except the following none no VLANs remove remove VLANs from the current list You can use some of these options to accomplish this task.
To verify the configuration:
On Both Switches:
#Show interface trunk
Port Mode Encapsulation Status Native vlan Fa0/19 on 802.1q trunking 111 Fa0/20 on isl trunking 1
Port Vlans allowed on trunk Note VLAN 30 is NOT allowed to traverse Fa0/19 129,314094 the trunk Fa0/20 14094
Port Vlans allowed and active in management domain Fa0/19 1,12,34,56,111 Fa0/20 1,12,30,34,56,111
Port Vlans in spanning tree forwarding state and not pruned Fa0/19 1 Fa0/20 1
CCIE Foundation by Narbik Kocharians Switching Lab Page 26 of 55 © 2007 Narbik Kocharians. All rights reserved
Task 12
You received a request from the IT department to monitor and analyze all the packets sent and received by the host connected to port F0/14 on SW1, you have connected the packet analyzer to port F0/15 on the same switch, configure the switch to accommodate this request.
On SW1
SW1(config)#monitor session 1 source interface F0/14 both The above command identifies the source interface, which is the interface that needs to be monitored in both directions.
SW1(config)#monitor session 1 destination interface F0/15 This command identifies the destination port, this is the port to which the packet analyzer is connected to. Note the following:
Ø There can only be two monitor sessions configured on a given switch Ø Their direction to monitor can be configured as Rx, Tx, or Both, Rx is
for received traffic, Tx is for Transmitted traffic, and both is in both direction.
Ø VLANs can ONLY be configured in Rx direction. Ø To verify the configuration, enter the “Show monitor session 1”
command.
To verify the configuration:
On SW1
SW1#Show monitor session 1
Session 1 Type : Local Session Source Ports :
Both :Fa0/14 Destination Ports : Fa0/15 Encapsulation : Native
Ingress : Disabled
CCIE Foundation by Narbik Kocharians Switching Lab Page 27 of 55 © 2007 Narbik Kocharians. All rights reserved
Task 13
You received another request from your IT department to keep track of all the MAC addresses that are learned by SW2 port F0/18. The switch must use the NMS located at 192.168.1.1 /24, configure the switch to handle this request. You should use an IP address of 2.2.2.2 /8 with traps called “PRIVATE” to accomplish this task.
On SW2
SW2(config)#Snmpserver host 192.168.1.1 trap PRIVATE %IP_SNMP3SOCKET: can't open UDP socket Unable to open socket on port 161
Note since this switch is not configured with an IP address, it will fail to configure the Snmp server. Therefore, an IP address should be configured before entering the “snmpserver” command as follows:
SW2(config)#Int lo0 SW2(configif)#Ip addr 2.2.2.2 255.0.0.0
SW2(config)#snmpserver host 192.168.1.1 traps PRIVATE To setup the SnmpServer’s IP address and the traps PRIVATE
SW2(config)#snmpserver enable traps macnotification Configures the switch to send macaddress traps to the NMS
SW2(config)#macaddresstable notification To enable MACaddress notification
SW2(config)#Inter f0/18 SW2(configif)#snmp trap macnotification added The above command enables the SNMP trap on interface F0/18 and configures the switch to send MAC notification traps whenever a MACaddress is learned (added). If the switch must be configured to report the MAC addresses that are learnt and expired, then “snmp trap macnotification removed” command must also be configured under the interface.
To verify the configuration:
SW2#Show macaddresstable notification interface f0/18
MAC Notification Feature is Enabled on the switch Interface MAC Added Trap MAC Removed Trap FastEthernet0/18 Enabled Disabled
CCIE Foundation by Narbik Kocharians Switching Lab Page 28 of 55 © 2007 Narbik Kocharians. All rights reserved
Note if the “snmp trap macnotification removed” command was also entered for F0/19 interface, under the “MAC removed Trap” column you would also see as “Enabled”.
SW2#Show macaddresstable notification
MAC Notification Feature is Enabled on the switch Interval between Notification Traps : 1 secs Number of MAC Addresses Added : 0 Number of MAC Addresses Removed : 0 Number of Notifications sent to NMS : 0 Maximum Number of entries configured in History Table : 1 Current History Table Length : 0 MAC Notification Traps are Enabled History Table contents
Task 14
Configure SW2 using the following policy: The ports that routers R1 – R6 are connected should be configured such that they only allow one MACaddress to be detected, if any other MAC address besides the pertaining router’s MAC address is detected on any of these ports, the appropriate switch should drop the traffic for the newly learned MAC addresses, the switch should not send an SNMP trap or syslog message. You should use a regular and a smart port macro to accomplish this task.
On SW2
SW2(config)#Define interfacerange ROUTERPORTS F0/1 6 The above command defines a range of ports on the switch and names them “ROUTER PORTS”
SW2(config)#Macro name PORTSECUR Enter macro commands one per line. End with the character '@'. switchport mode access switchport portsecurity switchport portsecurity maximum 1 switchport portsecurity violation protect @SW2(config)# The above configuration configures a smartport macro. A smartport macro is started by the
CCIE Foundation by Narbik Kocharians Switching Lab Page 29 of 55 © 2007 Narbik Kocharians. All rights reserved
“Macro name” global config command and then followed by an arbitrary name that is assigned to the macro. Once that command is entered, a message is displayed in the command line. This message tells us to use the “@” sign in order to end and exit from this macro. Lines 3 to 6 contain the actual commands that the macro will execute. A smartport macro can be applied to an interface, interface range, or a regular macro.
Lastly the Smartport Macro is applied to the regular macro, as follows:
SW2(config)#Interface range macro ROUTERPORTS SW2(configifrange)#Macro apply PORTSECUR
To verify the configuration, a “Show run” command is entered, most of the output from this show command is omitted and only the pertaining parts are shown:
SW2#Show run Building configuration... ! macro name PortSecur switchport mode access switchport portsecurity switchport portsecurity macaddress sticky switchport portsecurity maximum 1 switchport portsecurity violation shutdown @! ! interface FastEthernet0/1 switchport mode access switchport portsecurity switchport portsecurity violation protect macro description ROUTERSECUR ! interface FastEthernet0/2 switchport mode access switchport portsecurity switchport portsecurity violation protect macro description ROUTERSECUR ! interface FastEthernet0/3 switchport mode access switchport portsecurity switchport portsecurity violation protect macro description ROUTERSECUR !
CCIE Foundation by Narbik Kocharians Switching Lab Page 30 of 55 © 2007 Narbik Kocharians. All rights reserved
interface FastEthernet0/4 switchport mode access switchport portsecurity switchport portsecurity violation protect macro description ROUTERSECUR ! interface FastEthernet0/5 switchport mode access switchport portsecurity
switchport portsecurity violation protect macro description ROUTERSECUR ! interface FastEthernet0/6 switchport mode access switchport portsecurity switchport portsecurity violation protect macro description ROUTERSECUR ! define interfacerange RouterPorts FastEthernet0/1 6 ! end
Task 15
On SW2 port F0/14 configure the amount of bandwidth utilization for broadcast traffic to 50%.
On SW2
SW2(config)#Interface F0/14 SW2(configif)#Stormcontrol broadcast level 50.00 Stormcontrol can be used for Broadcast, Unicast and Multicast traffic, this command specifies traffic suppression level for a given type of traffic for a particular interface. The level can be from 0 to 100 and an optional fraction of a level can also be configured from 0 – 99. A threshold value of 100 percent means that no limit is placed for the specified type of traffic; a value of 0.0 means that the particular type of traffic is blocked all together. On 3550 switches when the rate of Multicast traffic exceeds a predefined threshold, all incoming traffic (Broadcast, Multicast and Unicast) is dropped until the level of Multicast traffic is dropped below the threshold level. When the interface is in blocking mode, only the Spanningtree packets are forwarded. When Broadcast or Unicast thresholds are exceeded, traffic is blocked for only the type of traffic that exceeded the threshold.
CCIE Foundation by Narbik Kocharians Switching Lab Page 31 of 55 © 2007 Narbik Kocharians. All rights reserved
To verify the configuration:
SW2#Show stormcontrol f0/14 broadcast
Interface Filter State Upper Lower Current Fa0/14 Forwarding 50.00% 50.00% 0.00%
Task 16
SW2’s ports F0/15 and F0/16 are connected to company’s web and email server. These ports should be configured in VLAN 88. Ensure that these ports can’t communicate with each other. You should NOT use private VLANs to accomplish this task.
On SW1
SW1(config)#Vlan 88
To see the default setting:
On SW2
SW2(config)#Interface range F0/15 – 16 SW2(configifrange)#Switchport mode access SW2(configifrange)#Switch access vlan 88
SW2#Show inter f0/15 switch
Name: Fa0/15 Switchport: Enabled Administrative Mode: static access Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: Off Access Mode VLAN: 88 (Inactive) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative privatevlan hostassociation: none Administrative privatevlan mapping: none Administrative privatevlan trunk native VLAN: none Administrative privatevlan trunk Native VLAN tagging: enabled Administrative privatevlan trunk encapsulation: dot1q
CCIE Foundation by Narbik Kocharians Switching Lab Page 32 of 55 © 2007 Narbik Kocharians. All rights reserved
Administrative privatevlan trunk normal VLANs: none Administrative privatevlan trunk private VLANs: none Operational privatevlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 21001 Capture Mode Disabled Capture VLANs Allowed: ALL
Protected: false Note the port is not in protected mode
Unknown unicast blocked: disabled Unknown multicast blocked: disabled Appliance trust: none SW2#
On SW2
Interface range F0/15 – 16 Switchport protected
To verify the configuration:
On SW2
SW2#Show inter f0/15 switch
Name: Fa0/15 Switchport: Enabled Administrative Mode: static access Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: Off Access Mode VLAN: 88 (Inactive) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative privatevlan hostassociation: none Administrative privatevlan mapping: none Administrative privatevlan trunk native VLAN: none Administrative privatevlan trunk Native VLAN tagging: enabled Administrative privatevlan trunk encapsulation: dot1q Administrative privatevlan trunk normal VLANs: none Administrative privatevlan trunk private VLANs: none Operational privatevlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 21001
CCIE Foundation by Narbik Kocharians Switching Lab Page 33 of 55 © 2007 Narbik Kocharians. All rights reserved
Capture Mode Disabled Capture VLANs Allowed: ALL
Protected: true The port is now in protected mode Unknown unicast blocked: disabled Note unknown unicast or multicast Unknown multicast blocked: disabled traffic is not blocked Appliance trust: none SW2#
Typically port blocking is implemented when protected ports are configured. By default the switch will flood packets with unknown destination MAC addresses to all ports but the port that the packet/s was received. If unknown unicast or multicast traffic is forwarded to a protected port, there could be security issues. In order to prevent this behavior, unknown broadcast or unicast packets should be blocked, as follows:
SW2(config)#Interface range F0/15 – 16 SW2(configifrange)#Switchport block unicast SW2(configifrange)#Switchport block multicast
To verify the configuration:
SW2#Show inter f0/15 switch
Name: Fa0/15 Switchport: Enabled Administrative Mode: static access Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: Off Access Mode VLAN: 88 (Inactive) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative privatevlan hostassociation: none Administrative privatevlan mapping: none Administrative privatevlan trunk native VLAN: none Administrative privatevlan trunk Native VLAN tagging: enabled Administrative privatevlan trunk encapsulation: dot1q Administrative privatevlan trunk normal VLANs: none Administrative privatevlan trunk private VLANs: none Operational privatevlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 21001 Capture Mode Disabled Capture VLANs Allowed: ALL
CCIE Foundation by Narbik Kocharians Switching Lab Page 34 of 55 © 2007 Narbik Kocharians. All rights reserved
Protected: true Unknown unicast blocked: enabled The ports are now blocking Unknown multicast blocked: enabled unknown unicast and multicast Appliance trust: none SW2#
Note in the CCIE lab you should ONLY implement what is asked from you, if you are in doubt, always ask the proctor for clarification
Task 17
Mac addresses learnt dynamically by these two switches should not stay in the MAC address table if they are inactive for longer than 10 minutes.
By default the MAC addresses that are inactive will expire within 300 seconds, this task is asking for a 10 minutes threshold, 10 minutes equates to 600 seconds, the following command will accomplish this task:
Before configuring this task, the default settings should be displayed as follows:
On SW1 and SW2
#Sh macaddresstable agingtime
Vlan Aging Time 1 300 12 300 34 300 56 300 111 300 30 300
To change the default settings:
On Both Switches:
(config)#Macaddresstable agingtime 600
To verify the configuration:
On Both Switches:
CCIE Foundation by Narbik Kocharians Switching Lab Page 35 of 55 © 2007 Narbik Kocharians. All rights reserved
#Sh macaddresstable agingtime
Vlan Aging Time 1 600 12 600 34 600 56 600 111 600 30 600
Note this setting can also be changed for a given VLAN using the following command:
(config)#macaddresstable agingtime 600 vlan ? <14094> VLAN id
Task 18
For management purposes, assign an IP address of 10.1.1.11 /24 to SW1, with a default gateway of 10.1.1.2 /24.
On SW1
SW1(config)#Inter Vlan 1 SW1(configif)#Ip address 10.1.1.11 255.255.255.0 SW1(configif)#No shut SW1(configif)#Exit
SW1(config)#Ip defaultgateway 10.1.1.2
To verify the configuration:
SW1#sh run int vlan 1
interface Vlan1 ip address 10.1.1.11 255.255.255.0 end
SW1#Sh ip route
Default gateway is 10.1.1.2
CCIE Foundation by Narbik Kocharians Switching Lab Page 36 of 55 © 2007 Narbik Kocharians. All rights reserved
Host Gateway Last Use Total Uses Interface ICMP redirect cache is empty
Task 19
Configure the F0/20 port of these two switches to trunk. You should use a Cisco proprietary solution for this trunk.
This task was configured in Task 2
Task 20
Configure Multiinstance of Spanning Tree on the switches using the follows policy:
Ø There should be two instances of STP, instance 1 and 2 Ø Instance 1 should handle VLANs 12 and 34 Ø Instance 2 should handle VLAN 56 and 111 Ø All future VLANs should use instance 0 Ø Instance 1 should use F0/19 Ø Instance 2 should use F0/20 Ø SW1 should be the root bridge for the first instance Ø SW2 should be the root bridge for the second instance Ø The name of this configuration should be CCIE Ø The revision number should be 1
On Both Switches
The default mode for spanningtree is PVST, the following Show command verifies this information:
SW1#Show spanningtree summary
Switch is in pvst mode Root bridge for: none Extended system ID is enabled (The rest of the output is omitted)
On Both Switches
(config)#Spanningtree mode mst This command changes the mode of the switch to MST.
CCIE Foundation by Narbik Kocharians Switching Lab Page 37 of 55 © 2007 Narbik Kocharians. All rights reserved
(config)#Spanningtree mst configuration (configmst)#Revision 1 (configmst)#Name CCIE (configmst)#Instance 1 vlan 12,34 (configmst)#Instance 2 vlan 56,111
The first command allows us to enter in the MST configuration mode. The second command specifies the configuration revision number; the range for this number is 165535. The third command specifies the name for this configuration, in this case CCIE. The forth and fifth commands map the requested VLANs to the specified instances, MST supports 16 instances, by default all the future VLANs will be assigned to instance 0, instance 0 is the catch all instance.
To verify this configuration:
On both Switches
Show spanningtree mst configuration
Name [CCIE] Revision 1 Instance Vlans mapped 0 111,1333,3555, 57110, 1124094 1 12,34 2 56,111
Note instance 0 handles the rest of the vlans that are not assigned to a given instance; instance 0 is the catch all instance.
To Verify the configuration before configuring the next portion of the task:
On SW1
Show spanningtree bridge
Hello Max Fwd MST Instance Bridge ID Time Age Dly Protocol MST0 32768 (32768, 0) 0019.067f.8900 2 20 15 mstp MST1 32769 (32768, 1) 0019.067f.8900 2 20 15 mstp MST2 32770 (32768, 2) 0019.067f.8900 2 20 15 mstp
CCIE Foundation by Narbik Kocharians Switching Lab Page 38 of 55 © 2007 Narbik Kocharians. All rights reserved
Note this command displays the BID for your switch, and instead of assigning a BID to each VLAN, there is a BID for each instance.
On SW1
SW1#Show spanningtree root
Root Hello Max Fwd MST Instance Root ID Cost Time Age Dly Root Port MST0 32768 0019.067f.8900 0 2 20 15 MST1 32769 0019.067f.8900 0 2 20 15
MST2 32770 0019.067f.8900 0 2 20 15 The above command displays the BID of the root bridge for different instances. Note in this case SW1 is the root for all instances.
On SW1
SW1(config)#Spanningtree mst 1 priority 0 SW1(config)#Spanningtree mst 2 priority 4096
On SW2
SW2(config)#Spanningtree mst 1 priority 4096 SW2(config)#Spanningtree mst 2 priority 0
The above commands will change the switch priority and make it more likely that SW1 will be chosen as the root switch for instance 1 and SW2 will be chosen as the root bridge for instance 2. This number must be in increments of 4096. Remember the lower value has higher preference.
To verify the configuration:
On SW1
SW1#Show spanning root
Root Hello Max Fwd MST Instance Root ID Cost Time Age Dly Root Port MST0 32768 0019.067f.8900 0 2 20 15 MST1 1 0019.067f.8900 0 2 20 15 MST2 2 001a.2f0a.2000 200000 2 20 15 Fa0/19
CCIE Foundation by Narbik Kocharians Switching Lab Page 39 of 55 © 2007 Narbik Kocharians. All rights reserved
Note the local switch (SW1) is the root bridge for instance 0 and 1, whereas, SW2 is the root for instances 2.
On SW2
SW2#Show spanning root
Root Hello Max Fwd MST Instance Root ID Cost Time Age Dly Root Port MST0 32768 0019.067f.8900 0 2 20 15 Fa0/19 MST1 1 0019.067f.8900 200000 2 20 15 Fa0/19
MST2 2 001a.2f0a.2000 0 2 20 15 Note SW2 is the root bridge for instance 2, whereas, SW1 is the root for instance 0 and 1.
To configure the last portion of this task, portpriority feature is used as follows:
On Both Switches
(config)#Int F0/19 (configif)#Spanningtree mst 1 portpriority 0 High priority (configif)# Spanningtree mst 2 portpriority 128
(config)#Int F0/20 (configif)#Spanningtree mst 1 portpriority 128 (configif)#Spanningtree mst 2 portpriority 0
In this task Portpriority is used when selecting an interface to put into the forwarding state for a given instance; a lower value has a higher priority. In this case port F0/21 will be used by all the VLANs that are assigned to instance 1, because it has a higher priority (Lower value), and the second instance will use port F0/22 because it has been configured with a higher priority (Lower value).
To verify the configuration:
On SW1
SW1#Show spanningtree int f0/19
Mst Instance Role Sts Cost Prio.Nbr Type
CCIE Foundation by Narbik Kocharians Switching Lab Page 40 of 55 © 2007 Narbik Kocharians. All rights reserved
MST0 Desg FWD 200000 128.21 P2p MST1 Desg FWD 200000 0.21 P2p MST2 Altn BLK 200000 128.21 P2p
SW1#Sh spanningtree int f0/20
Mst Instance Role Sts Cost Prio.Nbr Type MST0 Desg FWD 200000 128.22 P2p MST1 Desg FWD 200000 128.22 P2p MST2 Root FWD 200000 0.22 P2p
On SW2
SW2#Show spanningtree int f0/19
Mst Instance Role Sts Cost Prio.Nbr Type MST0 Root FWD 200000 128.21 P2p MST1 Root FWD 200000 0.21 P2p MST2 Desg FWD 200000 128.21 P2p
SW2#Sh spanningtree int f0/20
Mst Instance Role Sts Cost Prio.Nbr Type MST0 Altn BLK 200000 128.22 P2p MST1 Altn BLK 200000 128.22 P2p MST2 Desg FWD 200000 0.22 P2p
Note mst instance 1 is blocked on port F0/20 but forwarded on F0/19 and mst instance 2 is blocked on interface F0/19 and forwarded on F0/20.
Task 21
There is another protocol analyzer connected to F0/18 on SW2. You received a request to monitor and analyze all packets for port F0/16 on SW1. Configure the switches to accommodate this request.
CCIE Foundation by Narbik Kocharians Switching Lab Page 41 of 55 © 2007 Narbik Kocharians. All rights reserved
On SW1
SW1(config)#Vlan 90 SW1(configvlan)#Remotespan SW1(configvlan)#Exit
The creation of this VLAN can only be done in the global configuration mode, because this is the only mode that allows us to set the VLAN as remotespan. Ensure that this VLAN is propagated to SW2. Note in this case we had to create the VLAN on SW1, because if you remember SW2 was in VTP client mode.
To verify the configuration:
On SW1:
SW1#Sh vlan brie
VLAN Name Status Ports 1 default active Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14 Fa0/15, Fa0/16, Fa0/17, Fa0/18 Fa0/19, Fa0/20, Fa0/23, Fa0/24 Gi0/1, Gi0/2
12 VLAN0012 active Fa0/1, Fa0/2 30 VLAN0030 active 34 VLAN0034 active Fa0/3, Fa0/4 56 VLAN0056 active Fa0/5, Fa0/6 90 VLAN0090 active Ensure that this VLAN is propagated
to SW2
On SW2
SW2#Sh vlan brie
VLAN Name Status Ports 1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8 Fa0/9, Fa0/10, Fa0/11, Fa0/12 Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20 Fa0/23, Fa0/24, Gi0/1, Gi0/2
CCIE Foundation by Narbik Kocharians Switching Lab Page 42 of 55 © 2007 Narbik Kocharians. All rights reserved
12 VLAN0012 active 30 VLAN0030 active 34 VLAN0034 active 56 VLAN0056 active 90 VLAN0090 active Ensure that this VLAN is propagated
to SW2 On SW1
SW1#Show vlan remotespan
Remote SPAN VLANs 90
On SW2
SW2#Show vlan remotespan
Remote SPAN VLANs 90
Note VLAN 90 should be displayed as remotespan on both switches.
On SW1
SW1(config)#Monitor session 2 source interface F0/16 SW1(config)#Monitor session 2 destination remote vlan 90
To verify the configuration:
On SW1
SW1#Show monitor session 2
Session 2 Type : Remote Source Session Source Ports :
Both : Fa0/16 Dest RSPAN VLAN : 90
On SW2
CCIE Foundation by Narbik Kocharians Switching Lab Page 43 of 55 © 2007 Narbik Kocharians. All rights reserved
SW2(config)#Monitor session 2 source remote vlan 90 SW2(config)#Monitor session 2 destination interface F0/18 Port F0/18 is where the protocol analyzer is connected.
To verify the configuration:
On SW2
SW2#Sh monitor session 2
Session 2 Type : Remote Destination Session Source RSPAN VLAN : 90 Destination Ports : Fa0/18 Encapsulation : Native
Ingress : Disabled RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network. The traffic for RSPAN traverses over a user defined RSPAN VLAN (remote vlan), in this case VLAN 90. The SPAN traffic from port F0/16 is reflected to VLAN 90 (The RSPAN VLAN) and then forwarded over the trunk to port F0/18 an RSPAN destination. If 3550 switches are in use, then you should identify the port that reflects the traffic to VLAN 90 using the following commands:
On SW1
Monitor session 2 destination remote vlan 90 reflectorport f0/23 Note port F0/23 should NOT be in use, if you look at the led on top of port F0/23, the led will change to amber and then green.
SW1(config)#Vlan 90 SW1(configvlan)#Remotespan SW1(configvlan)#Exit
On SW2
SW2(config)#Monitor session 2 source remote vlan 90 SW2(config)#Monitor session 2 destination interface F0/18 Port F0/18 is where the protocol analyzer is connected.
CCIE Foundation by Narbik Kocharians Switching Lab Page 44 of 55 © 2007 Narbik Kocharians. All rights reserved
Task 22
You have been requested to implement the following policy on SW1:
Ø Hosts R1 or R2 should NOT have the ability to communicate with each other within their VLAN. You can use any IP addressing to test this step.
Ø None of the hosts within any of the VLANs should have the ability to access the TFTP server.
Ø You should configure VACL to accomplish this task.
Before configuring this task, we should ensure that R1 can communicate with R2, therefore, the following configuration is performed on R1 and R2:
On R1
R1(config)#int f0/0 R1(configif)#ip address 10.1.1.1 255.255.255.0 R1(configif)#No shut
On R2
R2(config)#int f0/0 R2(configif)#ip address 10.1.1.2 255.255.255.0 R2(configif)#No shut
To test the configuration:
On R1
R1#Ping 10.1.1.2
Type escape sequence to abort. Sending 5, 100byte ICMP Echos to 10.1.1.2, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), roundtrip min/avg/max = 1/1/4 ms
On SW1
SW1(config)#Ip accesslist extended R1R2 SW1(configextnacl)#Permit ip 10.1.1.1 0.0.0.0 host 10.1.1.2 0.0.0.0
SW1(config)#Ip accesslist extended DenyTFTP SW1(configextnacl)#Permit udp any any eq 69
CCIE Foundation by Narbik Kocharians Switching Lab Page 45 of 55 © 2007 Narbik Kocharians. All rights reserved
SW1(config)#Vlan accessmap TEST 10 SW1(configaccessmap)# Match ip addr R1R2 SW1(configaccessmap)#Action drop SW1(configaccessmap)#Exit
SW1(config)#Vlan accessmap TEST 20 SW1(configaccessmap)#Match ip addr DenyTFTP SW1(configaccessmap)#Action drop SW1(configaccessmap)#Exit
SW1(config)#Vlan accessmap TEST 30 SW1(configaccessmap)#Action forward SW1(configaccessmap)#Exit
SW1(config)#Vlan filter TEST vlanlist all
To Verify the configuration:
SW1#Show vlan filter accessmap TEST
VLAN Map TEST is filtering VLANs: 14096
SW1#Show vlan filter vlan 12
Vlan 12 has filter TEST.
To test the configuration:
On R1
R1#Ping 10.1.1.2
Type escape sequence to abort. Sending 5, 100byte ICMP Echos to 10.1.1.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
Task 23
Configure routers R1 and R3 using the following IP addresses:
Ø R1 F0/0 = 10.1.12.1 /24 Ø R3 F0/0 = 10.1.34.3 /24
CCIE Foundation by Narbik Kocharians Switching Lab Page 46 of 55 © 2007 Narbik Kocharians. All rights reserved
Configure SW1 to route between VLAN 12 and 34 such that these routers can ping each other. Use any IP address on SW1 to accomplish this task.
On R1
R1(config)#Interface F0/0 R1(configif)#Ip address 10.1.12.1 255.255.255.0 R1(configif)#No shut
R1(config)#Ip route 0.0.0.0 0.0.0.0 10.1.12.100 Note here the IP address of 10.1.12.100 is chosen as the default gateway.
On R3
R3(config)#Interface F0/0 R3(configif)#Ip address 34.1.1.1 255.0.0.0 R3(configif)#No shut
R3(config)#Ip route 0.0.0.0 0.0.0.0 10.1.34.100
On SW1
SW1(config)#Ip routing The above command is required to enable IP routing.
SW1(config)#Interface Vlan 12 SW1(configif)#Ip address 10.1.12.100 255.255.255.0 SW1(configif)#No shut Note the IP address of this logical interface is used as the default gateway of the hosts in VLAN12.
SW1(config)#Interface Vlan 34 SW1(configif)#Ip address 10.1.34.100 255.255.255.0 SW1(configif)#No shut
A Switch Virtual Interface (SVI) represents a VLAN of switch ports as one interface to the routing. Only one SVI can be associated with a VLAN. This is necessary when configuring Inter Vlan routing. When creating an SVI for a VLAN, the designated number must match the VLAN number.
To verify the configuration:
On R1
CCIE Foundation by Narbik Kocharians Switching Lab Page 47 of 55 © 2007 Narbik Kocharians. All rights reserved
R1#Ping 10.1.34.3
Type escape sequence to abort.
Sending 5, 100byte ICMP Echos to 10.1.34.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), roundtrip min/avg/max = 1/2/4 ms
On R3
R3#Ping 10.1.12.1
Type escape sequence to abort. Sending 5, 100byte ICMP Echos to 10.1.12.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), roundtrip min/avg/max = 1/2/4 ms
Task 24
Remove the configuration from the previous step and configure Inter Vlan routing between VLANs 12 and 34. DO NOT use SVIs to accomplish this task. F0/1 interface of any router must be used to accomplish this task. Use the IP addressing from the previous task. Ensure to use an industry standard protocol for the trunk.
Since R5’s F0/0 is part of VLAN 56, R5’s F0/1 is used to accomplish this task.
On SW1
SW1(config)#No Interface Vlan 12 SW1(config)#No Interface Vlan 34 SW1#clear macaddresstable
On SW2
SW2(config)#Interface F0/5 SW2(configif)#Switchport trunk encap Dot1q SW2(configif)#Switchport mode trunk
On R5
R5(config)#Interface F0/1 R5(configif)#No shut R5(configif)#Exit
CCIE Foundation by Narbik Kocharians Switching Lab Page 48 of 55 © 2007 Narbik Kocharians. All rights reserved
R5(config)#Int f0/1.12 R5(configif)#Encap dot1q 12 R5(configif)#Ip address 10.1.12.100 255.255.255.0
Note this IP address will be used as the default gateway of the routers in VLAN 12
R5(config)#Int f0/1.34 R5(configif)#Encap dot1q 34 R5(configif)#Ip address 10.1.34.100 255.255.255.0
To verify the configuration:
On R1
R1#Ping 10.1.34.3
Type escape sequence to abort. Sending 5, 100byte ICMP Echos to 10.1.34.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), roundtrip min/avg/max = 1/1/4 ms
On R3
R3#Ping 10.1.12.1
Type escape sequence to abort. Sending 5, 100byte ICMP Echos to 10.1.12.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), roundtrip min/avg/max = 1/2/4 ms
I guess you are Not getting the same result, well if you think a little harder you will soon realize that port security was enabled with one MAC address as the maximum and you also configured the switch such that if this threshold is exceeded, the switch should ignore the frames from the newly learned MAC address/es. All you need to do is remove all the switchport portsecurity commands and also remove the Macro that was applied to the interface, and things will work properly.
Task 25
Configure a static MAC address on SW1 for R6’s F0/0 interface in VLAN 56 such that if the switch receives frames destined to R6’s MAC address, it forwards the frames to F0/6. You should assign a MAC address of 0000.6666.6666 to R6’s F0/0 interface.
CCIE Foundation by Narbik Kocharians Switching Lab Page 49 of 55 © 2007 Narbik Kocharians. All rights reserved
On R6
R6(config)#Interface F0/0 R6(configif)#macaddress 0000.6666.6666
R6(configif)#No shut
To test this configuration:
On SW1
SW1#Sh macaddresstable dynamic
Mac Address Table
Vlan Mac Address Type Ports 1 000f.34df.6501 DYNAMIC Fa0/19 1 001a.2f0a.2015 DYNAMIC Fa0/19 1 001a.2f0a.2016 DYNAMIC Fa0/20 12 0011.203d.c880 DYNAMIC Fa0/2 12 0012.0024.14c0 DYNAMIC Fa0/1 34 0012.d9e7.e9e0 DYNAMIC Fa0/3 56 0000.6666.6666 DYNAMIC Fa0/6 Total Mac Addresses for this criterion: 7
Note when we entered the “No shut” command SW1 learned the MAC address of R6.
SW1(config)#Mac addresstable static 0000.6666.6666 vlan 56 interface f0/6
To verify the configuration:
SW1#Show macaddresstable static interface f0/6
Mac Address Table
Vlan Mac Address Type Ports 56 0000.6666.6666 STATIC Fa0/6 Total Mac Addresses for this criterion: 1
CCIE Foundation by Narbik Kocharians Switching Lab Page 50 of 55 © 2007 Narbik Kocharians. All rights reserved
Task 26
Configure Unicast Mac address filtering on SW1 such that the switch drops packets that have a source or destination address of 0000.1234.5678. If a packet is received in VLAN 34 with this MAC address as its source or destination, the packet should be dropped.
On SW1
SW1(config)#Mac addresstable static 0000.1234.5687 vlan 34 drop
Task 27
Optimize the two switches using the following policies:
Ø SW1 should be configured such that its memory resources in the switch are optimized for routing.
Switch database management (SDM) are templates that can be configured to allocate memory resources in the switch for a specific feature depending on what the switch is used for in a given network. A switch can be configured to use one of the following templates:
Ø Access – Used for QOS classification and Security. Ø Routing – Used for routing Ø Vlan – Disables routing and sets the switch to be a layer 2 switch. Ø Extendedmatch – Reformats routing memory space to allow 144bit layer 3
TCAM support needed for WCCP and/or multiple VRF instances.
On SW1
SW1(config)#Sdm prefer routing You must reboot the switch for the settings to take effect.
To Verify the configuration after the reload:
On SW1
SW1#Show sdm prefer
The current template is "desktop routing" template. The selected template optimizes the resources in the switch to support this level of features for
CCIE Foundation by Narbik Kocharians Switching Lab Page 51 of 55 © 2007 Narbik Kocharians. All rights reserved
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K number of IPv4 IGMP groups + multicast routes: 1K number of IPv4 unicast routes: 11K number of directlyconnected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K number of IPv4 policy based routing aces: 512 number of IPv4/MAC qos aces: 512 number of IPv4/MAC security aces: 1K
Task 28
ReConfigure the trunk ports using an industry standard protocol, these links should appear to STP as a single link, therefore, none of the interfaces should be in blocking state. If one of the links fails, the traffic should use the other link without any interruption.
This may override some of the task/s that was previously configured.
These two ports should NOT use any protocol to negotiate.
EtherChannels provide the follows:
Ø Faulttolerant, high speed links between switches and routers. Ø EtherChannel provides an automatic recovery for the loss of a link by
redistributing the traffic across the remaining link/s. Ø STP will not block one of the links in the bundle because to STP, the bundle looks
like a single link. Ø Up to 8 links can be combined to provide more bandwidth. Ø The links within the bundle must have the same characteristics such as duplexing,
speed and etc. Ø EtherChannel can be configured as layer 2 or layer 3. Ø With Layer 3, a logical interface (PortChannel) is statically configured and all
Layer 3 configurations are performed under that interface. Ø With Layer 2, the logical interface is created automatically. Ø With both Layer 2 and Layer 3, physical interfaces must be manually assigned to
the logical interface using “channelgroup” configuration command. Ø EtherChannels can be configured automatically using Port aggregation protocol
(PAgP) or Link Aggregation protocol (LACP). Ø PAgP is a Cisco proprietary protocol, whereas LACP is an industry standard
IEEE 802.3ad protocol. Ø Switches can be configured to use PAgP by configuring them in AUTO or
DESIRABLE mode.
CCIE Foundation by Narbik Kocharians Switching Lab Page 52 of 55 © 2007 Narbik Kocharians. All rights reserved
Ø Switches can be configured to use LACP by configuring them in ACTIVE or PASSIVE mode.
Ø If the switches are configured in ON mode, they will not exchange LACP or PAgP packets.
There are 5 modes that the switches can be configured in:
Ø ON – Forces the interface into an EtherChannel without PAgP or LACP packets, both switches must be configured in ON mode for the EtherChannel to be established.
Ø ACTIVE – Used in LACP, the switches will actively negotiate an EtherChannel link.
Ø PASSIVE – Used in LACP, it places the interface in a passive negotiation mode where it only responds to LACP packets that it receives. In this mode the switch will not start the negotiation process; this setting minimizes the transmission of LACP packets.
Ø AUTO – Used in PAgP, it places the interface in a passive negotiation mode; It only responds to PAgP packets that it receives. In this mode the switch will not start the negotiation process; this setting minimizes the transmission of PAgP packets.
Ø DESIRABLE – Used in PAgP, the switches will actively negotiate an EtherChannel link.
The following table is very important when configuring EtherChannels:
Switch one is configured as Switch two is configured as Will an EtherChannel be established?
Desirable Desirable YES Desirable Auto YES Auto Auto NO Active Active YES Active Passive YES Passive Passive NO
Before configuring EtherChannel, you should check to ensure that the interfaces are configured with the same characteristics.
On Both Switches
(config)#default interface FastEthernet0/19 (config)#default interface FastEthernet0/20
(config)#Int range f0/19 20
CCIE Foundation by Narbik Kocharians Switching Lab Page 53 of 55 © 2007 Narbik Kocharians. All rights reserved
(configifrange)#Switchport trunk encap dot1q (configifrange)#Switchport mode trunk (configifrange)#Channelgroup 1 mode on When EtherChannels are created, you must ensure that the interfaces in the group are configured identical.
To verify the configuration:
On SW1
SW1#Show interface trunk
Port Mode Encapsulation Status Native vlan Po1 on 802.1q trunking 1
Port Vlans allowed on trunk Po1 14094
Port Vlans allowed and active in management domain Po1 1,12,30,34,56,90,111
Port Vlans in spanning tree forwarding state and not pruned Po1 1,12,30,34,56,90,111
On SW1
SW1#Show spanningtree inter f0/19
Mst Instance Role Sts Cost Prio.Nbr Type MST00 Desg FWD 100000 128.616 P2p MST01 Desg FWD 100000 128.616 P2p MST02 Root FWD 100000 128.616 P2p
SW1#Show spanningtree inter f0/20
Mst Instance Role Sts Cost Prio.Nbr Type MST00 Desg FWD 100000 128.616 P2p MST01 Desg FWD 100000 128.616 P2p MST02 Root FWD 100000 128.616 P2p
SW1#Show spanningtree inter po1
CCIE Foundation by Narbik Kocharians Switching Lab Page 54 of 55 © 2007 Narbik Kocharians. All rights reserved
Mst Instance Role Sts Cost Prio.Nbr Type MST00 Desg FWD 100000 128.616 P2p MST01 Desg FWD 100000 128.616 P2p MST02 Root FWD 100000 128.616 P2p
On SW2
SW2#Show spanningtree interface f0/19
Mst Instance Role Sts Cost Prio.Nbr Type MST00 Root FWD 100000 128.616 P2p MST01 Root FWD 100000 128.616 P2p MST02 Desg FWD 100000 128.616 P2p
SW2#Show spanningtree interface f0/20
Mst Instance Role Sts Cost Prio.Nbr Type MST00 Root FWD 100000 128.616 P2p MST01 Root FWD 100000 128.616 P2p MST02 Desg FWD 100000 128.616 P2p
SW2#Show spanningtree interface po1
Mst Instance Role Sts Cost Prio.Nbr Type MST00 Root FWD 100000 128.616 P2p MST01 Root FWD 100000 128.616 P2p MST02 Desg FWD 100000 128.616 P2p
Note all interfaces are in forwarding state because to spanningtree, the port channel appears as a single interface.
A “show etherchannel 1 detail” or “Show etherchannel summary” commands can reveal that the interfaces are working in the bundle.
Task 29
Create VLAN 2006 on SW2. This task may override some of the task/s that was previously configured.
CCIE Foundation by Narbik Kocharians Switching Lab Page 55 of 55 © 2007 Narbik Kocharians. All rights reserved
Extendedrange VLANs:
Ø Range is 1006 – 4094. Ø Can only be configured in the global config mode. Ø The switch must be configured in transparent mode. Ø These VLANs are NOT saved in the VLAN.DAT. They are part of the
running config and they can be saved to the startup config.
On SW2
SW2(config)#Vtp mode transparent SW2(config)#Vlan 2006
Note, extended vlans are not created in the VLAN database and they are part of the running/Startup config.
SW2#Show run
Building configuration... ! vlan 12,30,34,56 Note, the extended VLAN is part of the running ! configuration vlan 90 remotespan ! vlan 111,2006 !
Task 30
Erase the startupconfiguration, all the VLANs and reload the switches before proceeding to the next task.