CCIE Pursuit Blog

January 31, 2008

Internetwork Expert Blog: Private VLANs Demystified

The Internetwork Expert blog continues to post excellent information and tutorials.  The most recent post concerns private VLANs.  This was a topic that confused the hell out of me at first.  I read the configuration guide and was completely lost.  I eventually got my head around the concept (and have even used them at work).  I would have loved to have read this post 9 months ago.  :-)

Private VLAN concepts are quite simple, but Cisco’s implementation and configuration is a bit confusing – with all the “mappings” and “associations”. Here comes a short overview of how private VLANs work.

To begin with, let’s look at the concept of a VLAN as a broadcast domain. What Private VLANs (PVLANs) do is split the domain into multiple isolated broadcast subdomains. It’s a simple nesting principle – VLANs inside a VLAN. As we know, Ethernet VLANs are not allowed to communicate directly; they need an L3 device to forward packets between broadcast domains. The same concept applies to PVLANs – since the subdomains are isolated at level 2, they need to communicate using an upper-level (L3 and packet forwarding) entity – such as a router. However, there is a difference here. Regular VLANs usually correspond to a single IP subnet. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, but they need to use a router (another L3 device) to talk to each other (for example, by means of local Proxy ARP). In turn, the router may either permit or forbid communications between sub-VLANs using access-lists.

—Read the rest here—

Cisco Unleashes The Überswitch

Filed under: Cisco,Switching — cciepursuit @ 7:54 am

Cisco is about to unleash a new switch on the world.  It sounds like an absolute beast:

The Nexus brings Cisco into not just a new territory for its business, but a new product category: a unified switch that spans storage and computing in data centers and has security built in. Given the stakes, superlatives are natural.

- A single Nexus chassis will be able to handle more than 15Tbps of traffic ripping through a data center, up from just 2Tbps for a current Catalyst 6500 switch.

- At that rate, the switch could run 5 million concurrent transcontinental conferencing sessions using Cisco’s TelePresence Collaboration system. It could also copy the entire searchable Internet in 7.5 minutes.

- One interface module for the Nexus 7000 chassis will come with 32 10Gbps ports, and the platform is designed to support future interfaces including 100Gbps.

- The company spent about $250 million on research and development for the new platform, and at its peak, the Nexus R&D team numbered more than 500 engineers, according to Tom Edsall, senior vice president and chief technology officer of Cisco’s Data Center Business Unit.

As with the Catalyst 6000 Series and the CRS-1, Cisco developed the Nexus with an eye to long-term needs. Where the CRS marked the debut of IOS XR, the first modular version of IOS, the Nexus will have Cisco’s first OS that can be fully virtualized, called NX-OS. The Nexus will also break new ground with its lossless switching fabric, a departure from traditional Ethernet — though backward compatible with it, Cisco said.

It looks great too:

Cisco Nexus Switch

January 30, 2008

Status Update: 20 – 26 January

I’m still having ups and downs with my studies.  I am at the point where I am able to recognize what technology solves each core task, but I’m still missing bits of configuration and making dumb mistakes.  I am also still pretty weak in BGP.  My time is horrible as well.  Some of that is due to me typing notes as I lab as well as searching for everything in the DOC.  Next Wednesday will be my first simulated lab (I’m doing Volume II lab 1).  This will give me a better idea of how slow I really am.

I don’t know if it’s the weather (it’s been under zero here for over a week – that translates to “insanely cold” in Celsius), but I’ve been a little disappointed with my progress lately.  I’m probably going to take a week off pretty soon.  By “a week off”, I mean that I will not be labbing but I will still be reading and watching some IEATC videos.

Here are my goals from last week: 

Do Volume II lab 6.  Do Volume III lab 4.  Do 4 random labs from each of Volume I OSPF, EIGRP, RIP (12 total).

I finished Volume III lab 4 and I did my 12 random labs.  I only finished the first three sections (through IGP redistribution) of Volume II lab 6.

Goals for this week:  Finish Volume II lab 6.  Redo Volume III lab 1.  Do the Volume I BGP labs.

Days Until Lab: 123
Readiness (1 to 10): 2
Lab Hours This Week: 12
Study Hours This Week (estimate): 3

Internetwork Expert Volume II: Lab 6 – Section 2

WAN Technologies – 7 Points

2.1 Hub-and-Spoke

This was a simple Frame Relay Hub-and-Spoke configuration using physical interfaces and frame maps.  The only “twist” is the last subtask:

“Do not send any redundant broadcast traffic from the spokes to the hub.”

You only need to add the ‘broadcast’ keyword to the frame map to the hub router on the spokes:

r5(spoke):
interface Serial0/0
 ip address 191.17.125.5 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 191.17.125.1 501 broadcast   <- to the hub
 frame-relay map ip 191.17.125.2 501             <- to other spoke
 no frame-relay inverse-arp

Also, IE has the interface up so Frame Relay Inverse ARP is already running:

r1(config-if)#do sh frame map
Serial0/0 (up): ip 191.17.125.2 dlci 102(0x66,0x1860), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ip 191.17.125.5 dlci 105(0x69,0x1890), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ip 191.17.34.3 dlci 103(0x67,0x1870), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ip 191.17.34.4 dlci 104(0x68,0x1880), dynamic,
              broadcast,, status defined, active

Use your favorite method to clear the dynamic Frame Relay mappings.  I usually reload the routers.

2.2 Point-To-Point

“When r3 pings its own IP address, these packets should be sent to r4 and redirected back.”

This task was pretty easy for me because of all of the times that I have accidentally created a frame map with my local IP address instead of the far-end IP address.  :-)

Before:
r3(config-if)#do sh run int s1/0
interface Serial1/0
 ip address 191.17.34.3 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 191.17.34.4 304 broadcast
 no frame-relay inverse-arp

r3(config-if)#do ping 191.17.34.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.17.34.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

r3(config-if)#do sh ip route 191.17.34.3
Routing entry for 191.17.34.0/24
  Known via “connected”, distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Serial1/0
      Route metric is 0, traffic share count is 1

r3(config-if)#do sh frame map
Serial1/0 (up): ip 191.17.34.4 dlci 304(0x130,0x4C00), static,
              broadcast,
              CISCO, status defined, active

After:
r3(config-if)#int s1/0
r3(config-if)#frame map ip 191.17.34.3 304
r3(config-if)#do sh frame map
Serial1/0 (up): ip 191.17.34.3 dlci 304(0x130,0x4C00), static,
              CISCO, status defined, active
Serial1/0 (up): ip 191.17.34.4 dlci 304(0x130,0x4C00), static,
              broadcast,
              CISCO, status defined, active

r3(config-if)#do p 191.17.34.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.17.34.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5),
round-trip min/avg/max = 116/117/124 ms

2.3 Point-to-Point

“Configure the Frame Relay connection between r6 and bb1 using PVC 51 on r6’s main Serial interface.”
“Do not allow r6 to send Frame Relay Inverse-ARP requests on any other circuits assigned to this interface.”

While this task does not explicitly tell you which method to use to map the IP address to the DLCI, the second subtask makes it sound like we are supposed to let Frame Relay Inverse-ARP create our mapping on DLCI 51, but not on the rest of the PVCs.

r6(config-if)#do sh frame pvc | i DLCI|Serial0/0
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 51, DLCI USAGE = LOCAL, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 101, DLCI USAGE = LOCAL, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 201, DLCI USAGE = UNUSED, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 301, DLCI USAGE = UNUSED, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 401, DLCI USAGE = UNUSED, PVC STATUS = DELETED, INTERFACE = Serial0/0

r6(config-if)#no frame inverse-arp ip ?
  <16-1007>  Set DLCI for inverse ARP
  vc-bundle  vc-bundle

r6(config-if)#no frame inverse-arp ip 100
r6(config-if)#no frame inverse-arp ip 101
r6(config-if)#no frame inverse-arp ip 201
r6(config-if)#no frame inverse-arp ip 301
r6(config-if)#no frame inverse-arp ip 401

r6#sh frame map
Serial0/0 (up): ip 54.17.3.254 dlci 51(0x33,0xC30), dynamic
              broadcast,, status defined, active

2.4 PPP

An easy task asking you to configure header compression.  One twist:

“Allow for the maximum number of TCP sessions to be compressed over this link.”

ip tcp header-compression

ip tcp compression-connections

r1(config-if)#ip tcp ?
  adjust-mss               Adjust the mss of transit packets
  compression-connections  Maximum number of compressed connections
  header-compression       Enable TCP header compression

r1(config-if)#ip tcp compression-connections ?
  <1-256>  Number of connections

r1(config-if)#ip tcp compression-connections 256

r3#sh ip tcp header-compression
TCP/IP header compression statistics:
  Interface Serial1/2 (compression on, VJ)
    Rcvd:    0 total, 0 compressed, 0 errors, 0 status msgs
             0 dropped, 0 buffer copies, 0 buffer failures
    Sent:    0 total, 0 compressed, 0 status msgs, 0 not predicted
             0 bytes saved, 0 bytes sent
    Connect: 256 rx slots, 256 tx slots,
             0 misses, 0 collisions, 0 negative cache hits, 256 free contexts

You Snooze, You Lose

I’m pretty much set for CCIE training material.  The only thing that I really want to add before I take a shot at the lab is a Mock Lab Workshop.  I’m meeting with my manager this week for my review and will pitch this as my training class for the year.  If she says no, then I’m going to have to decide if I want to pay for this out of pocket.  If she says yea, then I’ll book it.  The only downside is that a number of the workshops have already sold out, so I’m left with the following choices:

February 11 – 15: CCIE R&S Mock Lab Workshop, Online Week 1, 9am PST – $1,995
March 17 – 21: CCIE R&S Mock Lab Workshop, Onsite (Reno, NV), 9am PST – $3,495
June 16 – 20: CCIE R&S Mock Lab Workshop, Onsite (Reno, NV), 9am PDT – $3,495
September 1 – 5: CCIE R&S Mock Lab Workshop, Onsite (Reno, NV), 9am PDT – $3,495
December 1 – 5: CCIE R&S Mock Lab Workshop, Online Week 1, time TBA – $1,995

I really want to take my lab in early June because I really don’t want to keep up this study pace into the summer.  I live in Minnesota and the summer months (especially the early summer) are pretty sacred.  That said, I don’t think that I’ll be ready by 11 February and I’m not waiting until September, so my only two options are the March or June dates.  If my employer foots the bill I will probably push my lab back a couple of weeks and go in June.  If I have to pay (and I decide that it’s worth the expense), then I’ll probably go in March.

January 29, 2008

ccieblog.com

I was cleaning up some of my bookmarks and was surprised to find that ccieblog.com had recently gone live.  I bookmarked this site sometime last spring.  At that time it was just parked.  I think that this site is administered by IPexpert.com, but I’m not 100% sure.  I remember looking at this site (as well as ccieradio.com) before and seeing ‘copyright IPexpert.com’.  The ‘about’ page doesn’t state who owns the domain:

Welcome to CCIEblog.com, your free CCIE home page, portal and blogging community.

You can host your own CCIE blog at this site for free.  There are already a half-dozen blogs up, but all but one of them are empty (placeholders or just test pages?).  CCIE on Ice is currently the only blog with any posts:

I’m currently studying for the CCIE written which I’m scheduled to take on jan 23. in Barcelona, Spain during my trip to the Cisco Networkers Europe convention.

If I manage to pass my written test I will use this blog to report my progress towards the CCIE lab exam and also use this blog to practise my written English. So feel free to comment on my writing.

Here’s hoping that CCIE on Ice passed the written exam and will be posting about chasing the CCIE. 

If you’re not interested in creating your own CCIE blog, you might still be interested in this:

Catch up on today’s CCIE news and read the latest posts on CCIE blogs on your own custom CCIE home page, at http://start.ccieblog.com/.

If you go to start.ccieblog.com, you’ll see a NetVibes page with a number of CCIE blogs (including yours truly) already loaded.  You can customize the page and add/remove RSS feeds as well as widgets.

Some of you are probably thinking, “Someone is running WordPress and Netvibes on a server.  Big deal.”  I think that this is actually a pretty cool site because it will give those looking for CCIE blogs a very good place to start.  When I started my studies, I was surprised at the lack of CCIE blogs I was able to find.  Over the months, I have found quite a few blogs, but I would have loved to have had a resource like this when I was first starting.  If the blog hosting portion of ccieblog takes off, this site will be a very nice community resource for those seeking CCIE blogs.

Speaking of CCIE blogs, I have a fresh batch cooked up which I will be posting in the next few days.

***Update***

I wasn’t hallucinating (this time!).  It looks like IPexpert does (or at the very least – did) own the ccieblog domain.  Here’s a post from a year ago:

In addition to IPexpert’s Online Certification Talk forum (www.CertificationTalk.com) and Online Study List (email list-serv) (www.OnlineStudyList.com), we are pleased to announce 3 additional CCIE-focused communities that will begin to take form over the next few months.

CCIE Blog - (www.CCIEBlog.com) This community will be dedicated to IPexpert instructors, management staff and various (selected) students progressing their way through the CCIE certification. Pop in and read about their daily experiences!

CCIE Radio – (www.CCIERadio.com) This site is a site dedicated to CCIE-focused PODCasts as well as streaming technical radio. More details and schedules will be available shortly!

Everything IE – (www.EverythingIE.com) If you have a question about the CCIE that you just can’t get answered (not violating the NDA of course) – this is the site for you. If you’d like to know what hotel to stay at when you’re taking the lab in Belgium, what to read, recommended links, etc – this is the “CCIE-Focused FAQ” you’ve always wanted!

If you have any questions or comments relating to these communities, or would like to get involved in the development and creation of these communities, please contact the President of IPexpert – Wayne Lawson at wayne@ipexpert.com.

Internetwork Expert Volume II: Lab 6 – Section 1

Bridging and Switching – 20 Points

1.1 Basic Configuration

This is the first lab that I’ve done where you need to set up two separate VTP domains.  I always create a Layer 2 map and it really helped out in this lab.  You’ll need to be mindful of which VTP server to create VLANs on when you’re building your Layer 2 network, especially with the caveat:

“VLANs should not be created within the VTP domain unnecessarily.”

1.2 Trunk Maintenance

“Ensure that the links between sw1, sw2, sw3, and sw4 will not attempt to automatically trunk using DTP.”

Depending on how you interpret this question, there are two methods you might use:

1) Put the ports into switchport mode dynamic auto (default setting on the 3560s).  This means that they will not form a trunk unless the other side of the link attempts to negotiate trunking.  This does NOT disable DTP.

switchport mode

int range fa0/13 - 21
 switchport mode dynamic auto

sw3(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

2) Hard-code the interfaces to trunk and disable DTP.  This means that you’ll need to choose a trunking encapsulation and you’ll need to shut down any links (on one side at least) that you do not want to form a trunk.  This is a little more sloppy, but it actually disables DTP.

switchport nonegotiate

int range fa0/13 - 21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

sw1(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

I went with option 1 (mostly because of task 1.3).

task 1.2 DTP

Be careful when applying your configuration with the interface range command as there are a couple of routed ports already configured:

sw1(config-if-range)#swit mode dyn auto
Command rejected: Fa0/14 not a switching port.
% Interface range command failed for FastEthernet0/14

sw1(config-if-range)#do sh run int fa0/14
interface FastEthernet0/14
 no switchport
 ip address 191.1.27.7 255.255.255.0
end

You’ll be alright as the routed ports will ignore the switchport commands (they are configured as “no switchport”).
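An added audit helper (my own example, not code from this post or from Internetwork Expert) that parses the ‘show interfaces switchport’ output shown above and flags ports where DTP is still running, which is exactly the difference between option 1 and option 2. The sample outputs are constructed to mirror the ones in this section, plus a routed port like fa0/14 that the audit has to skip rather than flag.

```python
from typing import Dict, List

# Constructed samples modelled on the two 'show interfaces fa0/13 switchport' outputs in
# this section (option 1 on sw3, option 2 on sw1), plus a routed port like sw1 fa0/14
# ('no switchport'), which an audit must skip rather than flag.
SAMPLE_OUTPUTS = {
    "sw3 Fa0/13": """Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
""",
    "sw1 Fa0/13": """Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
""",
    "sw1 Fa0/14": """Name: Fa0/14
Switchport: Disabled
""",
}


def parse_switchport(text: str) -> Dict[str, str]:
    """Turn the 'Key: Value' lines of 'show interfaces <if> switchport' into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_dtp(fields: Dict[str, str]) -> List[str]:
    """Findings for a port that is required not to negotiate trunking with DTP."""
    name = fields.get("Name", "?")
    # Routed ports ('no switchport') carry no switchport state and run no DTP: nothing to check.
    if fields.get("Switchport") != "Enabled":
        return []
    findings: List[str] = []
    mode = fields.get("Administrative Mode", "")
    if fields.get("Negotiation of Trunking", "").lower() == "on":
        # 'dynamic auto' never initiates, but it still answers a neighbour that negotiates.
        detail = ("passive: will not initiate, but still answers a neighbour that negotiates"
                  if mode == "dynamic auto" else "port can still negotiate a trunk")
        findings.append(f"{name}: DTP still running (administrative mode '{mode}', {detail})")
    # A dynamic port that is operationally trunking got there by negotiation, not by config.
    if mode.startswith("dynamic") and fields.get("Operational Mode") == "trunk":
        findings.append(f"{name}: trunk formed by DTP negotiation rather than by configuration")
    return findings


def audit_all(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the DTP audit over a dict of {label: show-command output}."""
    return {label: audit_dtp(parse_switchport(text)) for label, text in outputs.items()}


if __name__ == "__main__":
    for label, findings in audit_all(SAMPLE_OUTPUTS).items():
        print(label, "->", findings or ["ok"])
```

Feed it the real output of ‘show interfaces switchport’ for a range of ports and only the option-1 style ports come back with findings.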

1.3 Trunking

“Use dot1q encapsulation to configure the following trunks:”

You need to stop trunking of some VLANs as well (read the requirements carefully).

sw1(config-if-range)#swit trunk all vlan except 7,77,777

I configured this on both sides of the trunks.  IE did not. 

Before changing VLAN allowed list:
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      none

After changing VLAN allowed list:
sw3(config-if)#swit trunk all vlan except 7,77,777
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-6,8-76,78-776,778-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1

1.4 Spanning-Tree

This was a great task.  You are asked to:

“Ensure sw1 is forwarding on all trunk links for any active VLANs.”
“If a new VLAN is added to the VTP domain NET12, sw1 should forward on all trunk links for the new VLAN.”

The first subtask means that you need to make sw1 the root bridge.  Easy enough, but you need to specify a VLAN range.  Since we’re asked to make sure that any VLANs added to our VTP domain use sw1 as the root, we need to specify the range of VLANs that can be created via VTP.  VTP cannot add extended VLANs, so our range should be 1-1000:

sw1(config)#spanning-tree vlan 1-1000 root primary

Hmmmm….IE used the range 1-4096 (range including extended VLANs).

Task 1.4 Spanning-Tree

I think that their rationale is: 

IF we were to put sw1 and sw2 (the members of VTP domain NET12) into vtp transparent mode, we could create extended VLANs.  Those VLANs would technically be VLANs created in VTP domain NET12.  BUT we would need to break our VTP task in order to do this. 

Set sw1 and sw2 to VTP mode transparent:

sw1(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent
sw1(config)#do sh run | i prior
spanning-tree vlan 1-1000 priority 24576

sw2(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent

Add standard and extended vlan to sw1 and sw2:

sw1(config)#vlan 1000,1234
sw1(config-vlan)#exit

sw2(config)#vlan 1000,1234
sw2(config-vlan)#exit
sw2(config)#do sh sp v 1000

VLAN1000
  Spanning tree enabled protocol ieee
  Root ID    Priority    25576
             Address     0012.018f.d580  <-sw1 MAC
             Cost        19
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33768  (priority 32768 sys-id-ext 1000)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 19        128.15   P2p

sw2(config)#do sh sp v 1234

VLAN1234
  Spanning tree enabled protocol ieee
  Root ID    Priority    34002
             Address     0012.009c.ca00
             This bridge is the root 
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    34002  (priority 32768 sys-id-ext 1234)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg FWD 19        128.15   P2p

I would definitely ask the proctor about this task.

1.5 Etherchannel

Easy trunking/etherchannel task.  Your VTP will now work for domain NET34.

1.6 Trunking

This was a bizarre task with VLANs between subinterfaces on a couple of routers.  I had this one nailed, but I spent a LONG time chasing my tail over a really basic issue.  :-(

Be aware that VLAN45 is a /25 subnet.  You’ll also need to add VLAN 45 to the VTP domain.

Here’s where I lost my way:

“Configure trunking between r4, r5, sw3, and sw4 using the information provided in the diagram.”

r4#sh cdp neig | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            146         S I       WS-C3550- Fas 0/4
sw2              Fas 0/0            136         S I       WS-C3560- Fas 0/4

r4#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.4          191.1.4.4       YES NVRAM  up                    up
FastEthernet0/0.40         191.1.40.4      YES NVRAM  up                    up
FastEthernet0/0.45         191.1.45.4      YES NVRAM  up                    up
FastEthernet0/0.49         191.1.49.4      YES NVRAM  up                    up

I initially thought that the lab diagram was wrong.  Interface fa0/1 – not fa0/0 – is connected to sw4.  I was cursing IE and the routing gods for this colossal waste of time.  BUT….(as is so often the case) I WAS WRONG.  The diagram is right.  The question threw me off as it states that I need to configure trunking between sw3 and the other devices.  Some of the endpoints are on sw3, but some of these VLANs traverse sw2 (in VTP domain NET12), so I need to configure dot1q trunking on that switch (connected to r4) as well as add the VLANs to sw1 (the VTP server for the NET12 domain). 

I really blew it on this task.  If this were the actual lab, I would not only have failed, but I would have looked like an idiot in the process.

1.7 Layer 2 Tunneling

Basically tunnel from r4 fa0/1 to sw2 fa0/18.

r4#sh run int fa0/1
interface FastEthernet0/1
 ip address 191.1.48.4 255.255.255.0

sw2#sh run int fa0/18
interface FastEthernet0/18
 no switchport
 ip address 191.1.48.8 255.255.255.0

You will need to use dot1q tunnelling to accomplish this task.

switchport mode

dot1q-tunnel
Set the port as an IEEE 802.1Q tunnel port.

You’ll need to build your l2 tunnel across these ports:

r4#sh cdp neig fa0/1 | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            136         S I       WS-C3550- Fas 0/4

sw2#sh cdp neigh fa0/18 | b Device
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw3                 Fas 0/18              170            S I      WS-C3550-2 Fas0/18

The switch is kind enough to warn you of a pitfall:

sw4(config-if)#swit mode dot1q-tunnel
sw4(config-if)#
03:03:12: %DOT1Q_TUNNELLING-4-MTU_WARNING:
System MTU of 1500 might be insufficient for 802.1Q tunnelling.
802.1Q tunnelling requires system MTU size of 1504 to handle maximum size ethernet frames.

system mtu

I see a reload in my future:

sw4(config)#system mtu 1504
Changes to the System MTU will not take effect until the next reload is done.

Task 1.7 l2tunnel

r4#sh cdp neigh f0/1 | i sw2
sw2              Fas 0/1            169         S I       WS-C3560- Fas 0/18

sw2#sh cdp neigh fa0/18 | i r4
r4                  Fas 0/18              131           R S I     2651XM    Fas0/1

Sweet!!!

1.8 MAC Filtering

This was a pretty basic port-security task. 

switchport port-security

***  Update: Don’t use ‘sticky’ as I posted below.  These MAC addresses are NOT learned dynamically.  I did not remove this from my post just to show you how stupid I am sometimes.  :-)  *** 

I used the sticky option (“When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.”) but I would ask the proctor to clarify this.  IE did not use that option.

The only “twist” is the second subtask:

“In the case that other hosts try to access this port a syslog message should be sent to the server 191.1.7.100.”

First we have to change the switchport port-security from the default of shutdown:

violation
 (Optional) Set the security violation mode or the action to be taken if port security is violated. The default is shutdown.
 

Do I choose restrict or protect?  My CCNP knowledge has flowed out of my skull.  :-)

sw2(config-if)#swit port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

protect
Set the security violation protect mode. In this mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
 
restrict
Set the security violation restrict mode. In this mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

 
Restrict it is!!!

sw2#sh port-security int fa0/10
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 4
Configured MAC Addresses   : 4
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

sw2#sh port-security int fa0/10 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
  10    0050.7014.8ef0    SecureConfigured         Fa0/10       -
  10    00cd.144e.07bf    SecureConfigured         Fa0/10       -
  10    00d0.341c.7871    SecureConfigured         Fa0/10       -
  10    00d0.586e.b710    SecureConfigured         Fa0/10       -
------------------------------------------------------------------------
Total Addresses: 4

I wasted some time by looking for documentation on how to configure a syslog server.  DOH!!!

sw2(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host
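An added check (my own example, not code from this post or from Internetwork Expert) that parses the ‘show port-security interface’ status and secure-address table shown above and tests the port against this task’s two requirements: a violation mode that actually produces a syslog message (so not ‘protect’), and statically configured rather than sticky-learned addresses. The samples are constructed to mirror the output above, with a second copy switched to protect and sticky so the failure path runs too.

```python
import re
from typing import Dict, List

# Constructed samples modelled on the 'sh port-security int fa0/10' output in this post.
# GOOD_STATUS: port-security on, violation mode restrict (drop + SNMP trap + syslog).
GOOD_STATUS = """Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 4
Configured MAC Addresses   : 4
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""
# BAD_STATUS: same port with 'protect', which drops offenders without any notification.
BAD_STATUS = GOOD_STATUS.replace("Violation Mode             : Restrict",
                                 "Violation Mode             : Protect")

GOOD_TABLE = """          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
  10    0050.7014.8ef0    SecureConfigured         Fa0/10       -
  10    00cd.144e.07bf    SecureConfigured         Fa0/10       -
  10    00d0.341c.7871    SecureConfigured         Fa0/10       -
  10    00d0.586e.b710    SecureConfigured         Fa0/10       -
------------------------------------------------------------------------
Total Addresses: 4
"""
# BAD_TABLE: the same four hosts, but learned with the 'sticky' option instead of configured.
BAD_TABLE = GOOD_TABLE.replace("SecureConfigured", "SecureSticky    ")

# 'Key : Value' status lines (the key may itself contain a colon, e.g. 'Address:Vlan').
STATUS_LINE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")
# One row of the secure MAC table: vlan, dotted-hex MAC, type, port.
TABLE_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<type>\S+)\s+(?P<port>\S+)")


def parse_status(text: str) -> Dict[str, str]:
    """'show port-security interface' status block -> dict of field name to value."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return fields


def parse_secure_macs(text: str) -> List[Dict[str, str]]:
    """Rows of 'show port-security interface ... address' -> list of row dicts."""
    return [m.groupdict() for m in map(TABLE_ROW.match, text.splitlines()) if m]


def audit_port_security(status: str, table: str, need_syslog: bool = True,
                        need_static: bool = True) -> List[str]:
    """Check a port against the task: notify on violation, statically configured MACs only."""
    fields = parse_status(status)
    macs = parse_secure_macs(table)
    findings: List[str] = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security is not enabled on this interface")
    mode = fields.get("Violation Mode", "").lower()
    if need_syslog and mode == "protect":
        findings.append("violation mode 'protect' drops silently (no syslog, no SNMP trap, "
                        "counter not incremented); use 'restrict' or 'shutdown'")
    if need_static:
        learned = [m["mac"] for m in macs if m["type"] != "SecureConfigured"]
        if learned:
            findings.append(f"{len(learned)} secure address(es) were learned, not configured: "
                            + ", ".join(learned))
    total = int(fields.get("Total MAC Addresses", "0"))
    if len(macs) != total:
        findings.append(f"address table has {len(macs)} entries but status reports {total}")
    return findings


if __name__ == "__main__":
    print("good:", audit_port_security(GOOD_STATUS, GOOD_TABLE) or ["ok"])
    print("bad: ", audit_port_security(BAD_STATUS, BAD_TABLE))
```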

1.9 Spanning-Tree Convergence

A wordy task translated to: portfast with bpdufilter.  Just be aware of the differences in bpdufilter based on whether you configure it at the interface level or globally:

sw2(config)#spanning-tree portfast bpdufilter default

Understanding BPDU Filtering

Task 1.9 SPT

The task requires that the port return to normal spanning tree forwarding if a BPDU is received.

There is a difference in the behaviour of bpdufilter depending on if it is configured at the interface level or globally.

When you configure bpdufilter on an interface it filters BPDU from being sent or received.

When you configure bpdufilter globally, all interfaces that run portfast will filter sent BPDUs but will revert out of the portfast state if BPDUs are received.  This is the desired behaviour for this task.

The DocCD explains it like this:

“When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.”

January 28, 2008

Juniper Extends Certification Fast Track Program Through 2008

Filed under: Training Materials — cciepursuit @ 5:20 pm

Juniper offered a fast track certification program with free training and vouchers, but it was set to end at the end of 2007.  I was interested in it, but I could not commit any time due to my CCIE studies.  It looks like they are extending this program until (at least) the end of 2008.  After I complete my CCIE, I might look into getting some basic Juniper certification and this program looks like a good way to accomplish that. 

Because of its enormous popularity, the Juniper Networks Certification Fast Track Program is being extended through 2008! We are very excited about the number of participants in the program, and we look forward to working with more networking professionals in 2008.

There are some important changes to the program that we highlight below.

  1. Enterprise Routing Courseware Remains At No Cost, Vouchers Now Worth a 50% Discount for Exams
    • What’s the same:
      • The existing Enterprise Routing courseware will remain available on the Fast Track Web Portal, and participants will continue to have the opportunity to earn Enterprise Routing associate-level (JNCIA-ER) and specialist-level (JNCIS-ER) certification vouchers.
    • What’s changed:
      • Beginning February 8, participants will realize a 50% savings when redeeming JNCIA-ER and JNCIS-ER vouchers at any Prometric Testing Center, as opposed to being able to take the exams at no charge in 2007.
      • This change in cost still provides an exceptional opportunity for participants because the courseware, valued at several thousand dollars, still remains at no charge for the participants, and on average, a participant will incur a cost of only $60 per exam.
  2. New Program Name and New Certifications Coming Soon
    • The program name has changed from the JUNOS Enterprise Routing Certification Fast Track Program to the Juniper Networks Certification Fast Track Program because coming soon we are adding two additional certification offerings to the program in 2008. Stay tuned for future announcements.
  3. Cisco Certification Requirement Removed and New Fast Track Web Portal Created
    • Starting in 2008, networking professionals no longer need to be Cisco certified to participate in the Juniper Networks Certification Fast Track Program. This change allows all experienced networking professionals to participate in the program. Throughout 2008, Juniper Networks will continue to fast track even more networking professionals in the shortest amount of time, at a substantial savings!
    • COMING SOON on February 8, we are releasing the new Juniper Networks Certification Fast Track Web Portal. To provide our participants an even better experience, we are implementing the following features:
      • A new, easy-to-navigate, enhanced user interface
      • Updated program information with the addition of FAQs
      • Event-based e-mail notifications to keep participants’ accounts more secure
      • The ability to track the progress of participants’ preassessment exams!

January 27, 2008

Internetwork Expert: Recommended Labs To Repeat

A while ago I posted about Internetwork Expert recommending that some candidates repeat a set of Volume II labs multiple times as an alternative to completing all of the Volume II labs.  Here are the specific labs as mentioned in posts from GroupStudy:

In the 12 day bootcamp, they recommended lab 1,7,8,9,10 & 11 from the version 4, volume 2 workbook.

Steve

Which order to do them in: 

I would do them sequentially, i.e. 1,7,8,9,10,11, then back to 1,7,8,9,10,11.  This way you’re not just memorizing the information, but retaining it instead.

Brian McGahan, CCIE #8593 (R&S/SP/Security)

A clarification on who should use this method:

I think that people are reading this as if I’m saying this is the only preparation needed.  What I’m saying is that after you have a solid understanding of the blueprint topics and are ready to move on to the full-scale labs, doing 30 full-scale labs by repeating the same 6 labs 5 times each is better for some people than doing 30 totally different full-scale labs.

Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)

Internetwork Expert Volume III: Lab 4 – Section 5

Exterior Gateway Routing – 6 Points

5.1 BGP Peerings

This was a pretty easy BGP peering task.  You need to set up a confederation, so you’ll need to be familiar with:

bgp confederation identifier

bgp confederation peers

I did mess up a little bit. I configured “neighbor 150.1.5.5 ebgp-multihop” on r4.

r4 (AS 100) <— r6 (no BGP) —> bb1 (AS 54)

It turns out that I don’t need this command because r6 is bridging, not routing.

neighbor ebgp-multihop

I also missed “neighbor 152.1.37.3 next-hop-self” on sw1, but I did eventually catch that error when I found that I was not installing the bb2 routes on r3:

Without “neighbor 152.1.37.3 next-hop-self” on sw1:

r3#sh ip route bgp
B    119.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    118.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    117.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    116.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    115.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    114.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    113.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44
B    112.0.0.0/8 [200/0] via 152.1.125.5, 00:28:44

r3#sh ip bgp | i Network|192.10.1.254
   Network          Next Hop            Metric LocPrf Weight Path
*  205.90.31.0      192.10.1.254             0    100      0 (7000) 254 ?
220.20.3.0       192.10.1.254             0    100      0 (7000) 254 ?
*  222.22.2.0       192.10.1.254             0    100      0 (7000) 254 ?

r3#sh ip route 192.10.1.254
% Network not in table

With “neighbor 152.1.37.3 next-hop-self” on sw1:

r3#sh ip route bgp
B    119.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    118.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    222.22.2.0/24 [200/0] via 152.1.37.7, 00:00:15
B    117.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    220.20.3.0/24 [200/0] via 152.1.37.7, 00:00:15
B    116.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    115.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    114.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    113.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    112.0.0.0/8 [200/0] via 152.1.125.5, 00:30:15
B    205.90.31.0/24 [200/0] via 152.1.37.7, 00:00:15

r3#sh ip bgp | i Network|152.1.37.7
   Network          Next Hop            Metric LocPrf Weight Path
*> 205.90.31.0      152.1.37.7               0    100      0 (7000) 254 ?
*> 220.20.3.0       152.1.37.7               0    100      0 (7000) 254 ?
*> 222.22.2.0       152.1.37.7               0    100      0 (7000) 254 ?

r3#sh ip route 152.1.37.7
Routing entry for 152.1.37.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via FastEthernet0/0
      Route metric is 0, traffic share count is 1

5.2 BGP Bestpath Selection

“Configure the network so that AS 100 routes through r1 to reach prefixes originated in AS 254.”
“Use MED to accomplish this.”

set metric (BGP, OSPF, RIP)

I had the right idea for this task, but I boned it up.  IE used an aggregate-address on sw1 to ensure reachability to all networks advertised by the backbone routers.  They have a short writeup to explain their method.

aggregate-address

I REALLY need to study BGP some more.
