CCIE Pursuit Blog

January 29, 2008

ccieblog.com

I was cleaning up some of my bookmarks and was surprised to find that ccieblog.com had recently gone live.  I bookmarked this site sometime last spring.  At that time it was just parked.  I think that this site is administered by IPexpert.com, but I’m not 100% sure.  I remember looking at this site (as well as ccieradio.com) before and seeing ‘copyright IPexpert.com’.  The ‘about’ page doesn’t state who owns the domain:

Welcome to CCIEblog.com, your free CCIE home page, portal and blogging community.

You can host your own CCIE blog at this site for free.  There are already a half-dozen blogs up, but all but one of them are empty (placeholders or just test pages?).  CCIE on Ice is currently the only blog with any posts:

I’m currently studying for the CCIE written which I’m scheduled to take on jan 23. in Barcelona, Spain during my trip to the Cisco Networkers Europe convention.

If I manage to pass my written test I will use this blog to report my progress towards the CCIE lab exam and also use this blog to practise my written English. So feel free to comment on my writing.

Here’s hoping that CCIE on Ice passed the written exam and will be posting about chasing the CCIE. 

If you’re not interested in creating your own CCIE blog, you might still be interested in this:

Catch up on today’s CCIE news and read the latest posts on CCIE blogs on your own custom CCIE home page, at http://start.ccieblog.com/.

If you go to start.ccieblog.com, you’ll see a NetVibes page with a number of CCIE blogs (including yours truly) already loaded.  You can customize the page and add/remove RSS feeds as well as widgets.

Some of you are probably thinking, “Someone is running WordPress and Netvibes on a server.  Big deal.”  I think that this is actually a pretty cool site because it will give those looking for CCIE blogs a very nice place to start.  When I started my studies, I was surprised at how few CCIE blogs I was able to find.  Over the months, I have found quite a few blogs, but I would have loved to have had a resource like this when I was first starting.  IF the blog hosting portion of ccieblog takes off, this site will be a very nice community resource for those seeking CCIE blogs.

Speaking of CCIE blogs, I have a fresh batch cooked up which I will be posting in the next few days.

***Update***

I wasn’t hallucinating (this time!).  It looks like IPexpert does (or at the very least – did) own the ccieblog domain.  Here’s a post from a year ago:

In addition to IPexpert’s Online Certification Talk forum (www.CertificationTalk.com) and Online Study List (email list-serv) (www.OnlineStudyList.com), we are pleased to announce 3 additional CCIE-focused communities that will begin to take form over the next few months.

CCIE Blog - (www.CCIEBlog.com) This community will be dedicated to IPexpert instructors, management staff and various (selected) students progressing their way through the CCIE certification. Pop in and read about their daily experiences!

CCIE Radio – (www.CCIERadio.com) This site is a site dedicated to CCIE-focused PODCasts as well as streaming technical radio. More details and schedules will be available shortly!

Everything IE – (www.EverythingIE.com) If you have a question about the CCIE that you just can’t get answered (not violating the NDA of course) – this is the site for you. If you’d like to know what hotel to stay at when you’re taking the lab in Belgium, what to read, recommended links, etc – this is the “CCIE-Focused FAQ” you’ve always wanted!

If you have any questions or comments relating to these communities, or would like to get involved in the development and creation of these communities, please contact the President of IPexpert – Wayne Lawson at wayne@ipexpert.com.

Internetwork Expert Volume II: Lab 6 – Section 1

Bridging and Switching – 20 Points

1.1 Basic Configuration

This is the first lab that I’ve done where you need to set up two separate VTP domains.  I always create a Layer 2 map and it really helped out in this lab.  You’ll need to be mindful of which VTP server to create VLANs on when you’re building your Layer 2 network, especially with the caveat:

“VLANs should not be created within the VTP domain unnecessarily.”

1.2 Trunk Maintenance

“Ensure that the links between sw1, sw2, sw3, and sw4 will not attempt to automatically trunk using DTP.”

Depending on how you interpret this question, there are two methods you might use:

1) Put the ports into switchport mode dynamic auto (default setting on the 3560s).  This means that they will not form a trunk unless the other side of the link attempts to negotiate trunking.  This does NOT disable DTP.

switchport mode

int range fa0/13 - 21
 switchport mode dynamic auto

sw3(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

2) Hard-code the interfaces to trunk and disable DTP.  This means that you’ll need to choose a trunking encapsulation and you’ll need to shut down any links (on one side at least) that you do not want to form a trunk.  This is a little sloppier, but it actually disables DTP.

switchport nonegotiate

int range fa0/13 - 21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

sw1(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

I went with option 1 (mostly because of task 1.3).

task 1.2 DTP

Be careful when applying your configuration with the interface range command as there are a couple of routed ports already configured:

sw1(config-if-range)#swit mode dyn auto
Command rejected: Fa0/14 not a switching port.
% Interface range command failed for FastEthernet0/14

sw1(config-if-range)#do sh run int fa0/14
interface FastEthernet0/14
 no switchport
 ip address 191.1.27.7 255.255.255.0
end

You’ll be alright as the routed ports will ignore the switchport commands (they are configured as “no switchport”).
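The difference between the two options above comes down to one line of ‘show interfaces switchport’ output.  As an added example (not from the original post or from IE), here is a small Python audit that flags every switchport still reporting ‘Negotiation of Trunking: On’; the sample output is constructed from the two captures above plus a routed port, which IOS reports as ‘Switchport: Disabled’.

```python
"""Audit 'show interfaces switchport' output for ports that still speak DTP.

Added example, not from the original post. 'switchport mode dynamic auto'
leaves 'Negotiation of Trunking: On', while 'switchport nonegotiate' on a
hard-coded trunk turns it off; only the latter actually disables DTP.
"""
import re

# Constructed sample: Fa0/13 (dynamic auto), Fa0/14 (routed port),
# Fa0/15 (hard-coded trunk with nonegotiate).
SAMPLE = """\
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Name: Fa0/14
Switchport: Disabled

Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
"""


def parse_switchport(text):
    """Split the output into one {field: value} dict per 'Name:' block."""
    ports = []
    for block in re.split(r"\n(?=Name:)", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Name" in fields:
            ports.append(fields)
    return ports


def dtp_findings(text):
    """Return (port, reason) for every switchport that still negotiates.

    Routed ports ('no switchport') carry no DTP state and are skipped,
    which is why the interface-range complaint about Fa0/14 is harmless.
    """
    findings = []
    for port in parse_switchport(text):
        if port.get("Switchport") != "Enabled":
            continue
        if port.get("Negotiation of Trunking") == "On":
            reason = "DTP active, admin mode %s" % port["Administrative Mode"]
            findings.append((port["Name"], reason))
    return findings


if __name__ == "__main__":
    for name, why in dtp_findings(SAMPLE):
        print(name, why)
```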

1.3 Trunking

“Use dot1q encapsulation to configure the following trunks:”

You need to stop trunking of some vlans as well (read the requirements carefully).

sw1(config-if-range)#swit trunk all vlan except 7,77,777

I configured this on both sides of the trunks.  IE did not. 

Before changing VLAN allowed list:
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      none

After changing VLAN allowed list:
sw3(config-if)#swit trunk all vlan except 7,77,777
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-6,8-76,78-776,778-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1
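To check an allowed-VLAN change before pushing it, here is an added Python example (not from the original post or from Cisco) that models the IOS keywords add / all / except / none / remove on the 1-4094 VLAN space and renders the result the way ‘show interfaces trunk’ prints it, reproducing the ‘except 7,77,777’ output above.

```python
"""Predict the 'Vlans allowed on trunk' list after
'switchport trunk allowed vlan <keyword> [list]'.

Added example, not from the original post. The keyword semantics are
modelled on IOS: 'except' and 'all' start from every VLAN, 'add' and
'remove' edit the current set, 'none' clears it, and a bare list replaces it.
"""
ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(text):
    """'7,77,777' or '10-20,30' -> set of VLAN ids."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def render_vlan_list(vlans):
    """Set of ids -> compressed 'a-b,c,d-e' string as IOS prints it, or 'none'."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    ranges, start, prev = [], ids[0], ids[0]
    for v in ids[1:] + [None]:          # None flushes the last run
        if v is not None and v == prev + 1:
            prev = v
            continue
        ranges.append(str(start) if start == prev else "%d-%d" % (start, prev))
        if v is not None:
            start = prev = v
    return ",".join(ranges)


def apply_allowed(current, keyword, vlan_list=""):
    """Apply one allowed-vlan command to the current allowed set."""
    wanted = parse_vlan_list(vlan_list) if vlan_list else set()
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "except":
        return set(ALL_VLANS) - wanted
    if keyword == "add":
        return set(current) | wanted
    if keyword == "remove":
        return set(current) - wanted
    return parse_vlan_list(keyword)     # bare list replaces the whole set


if __name__ == "__main__":
    allowed = apply_allowed(ALL_VLANS, "except", "7,77,777")
    print(render_vlan_list(allowed))   # -> 1-6,8-76,78-776,778-4094
```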

1.4 Spanning-Tree

This was a great task.  You are asked to:

“Ensure sw1 is forwarding on all trunk links for any active VLANs.
If a new VLAN is added to the VTP domain NET12, sw1 should forward on all trunk links for the new VLAN.”

The first subtask means that you need to make sw1 the root bridge.  Easy enough, but you need to specify a VLAN range.  Since we’re asked to make sure that any VLANs added to our VTP domain use sw1 as the root, we need to specify a range of VLANs that can be created via VTP.  VTP cannot add extended VLANs so our range should be 1-1000:

sw1(config)#spanning-tree vlan 1-1000 root primary

Hmmmm….IE used the range 1-4096 (range including extended VLANs).

Task 1.4 Spanning-Tree

I think that their rationale is:

IF we were to put sw1 and sw2 (the members of VTP domain NET12) into vtp transparent mode, we could create extended VLANs.  Those VLANs would technically be VLANs created in VTP domain NET12.  BUT we would need to break our VTP task in order to do this. 

Set sw1 and sw2 to VTP mode transparent:

sw1(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent
sw1(config)#do sh run | i prior
spanning-tree vlan 1-1000 priority 24576

sw2(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent

Add standard and extended vlan to sw1 and sw2:

sw1(config)#vlan 1000,1234
sw1(config-vlan)#exit

sw2(config)#vlan 1000,1234
sw2(config-vlan)#exit
sw2(config)#do sh sp v 1000

VLAN1000
  Spanning tree enabled protocol ieee
  Root ID    Priority    25576
             Address     0012.018f.d580  <-sw1 MAC
             Cost        19
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33768  (priority 32768 sys-id-ext 1000)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 19        128.15   P2p

sw2(config)#do sh sp v 1234

VLAN1234
  Spanning tree enabled protocol ieee
  Root ID    Priority    34002
             Address     0012.009c.ca00
             This bridge is the root 
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    34002  (priority 32768 sys-id-ext 1234)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg FWD 19        128.15   P2p

I would definitely ask the proctor about this task.
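The two ‘show spanning-tree’ captures above are just bridge-priority arithmetic: base priority plus the VLAN id (the sys-id-ext), lowest wins, tie goes to the lowest MAC.  As an added example (not from the original post), this Python reproduces the election for VLANs 1000 and 1234 with sw1 configured for 1-1000 at 24576 and sw2 at defaults, using the MAC addresses from the output above, and lists the VLANs an intended root fails to cover.

```python
"""Predict the per-VLAN root election under PVST+ from configured priorities.

Added example, not from the original post. Priorities and MACs below are
the ones shown in the post's 'show run' and 'show spanning-tree' output.
"""
DEFAULT_PRIORITY = 32768


def bridge_priority(config, vlan):
    """config: list of (range_of_vlans, base_priority); unlisted VLANs get the default."""
    for vlan_range, base in config:
        if vlan in vlan_range:
            return base + vlan          # sys-id-ext is the VLAN id
    return DEFAULT_PRIORITY + vlan


def elect_root(switches, vlan):
    """switches: {name: (mac, config)} -> (root_name, root_priority)."""
    ranked = sorted(
        (bridge_priority(cfg, vlan), mac.lower(), name)
        for name, (mac, cfg) in switches.items()
    )
    prio, _, name = ranked[0]           # lowest priority, then lowest MAC
    return name, prio


def uncovered_vlans(switches, intended_root, vlans):
    """VLANs (e.g. ones newly created in the VTP domain) where intended_root loses."""
    return [v for v in vlans if elect_root(switches, v)[0] != intended_root]


# sw1: 'spanning-tree vlan 1-1000 priority 24576' as in the post; sw2: defaults.
SWITCHES = {
    "sw1": ("0012.018f.d580", [(range(1, 1001), 24576)]),
    "sw2": ("0012.009c.ca00", []),
}


if __name__ == "__main__":
    for vlan in (1000, 1234):
        print(vlan, elect_root(SWITCHES, vlan))
    print("not rooted on sw1:", uncovered_vlans(SWITCHES, "sw1", [1000, 1234]))
```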

1.5 Etherchannel

Easy trunking/etherchannel task.  Your VTP will now work for domain NET34.

1.6 Trunking

This was a bizarre task with VLANs between subinterfaces on a couple of routers.  I had this one nailed, but I spent a LONG time chasing my tail over a really basic issue.  :-(

Be aware that VLAN45 is a /25 subnet.  You’ll also need to add VLAN 45 to the VTP domain.

Here’s where I lost my way:

“Configure trunking between r4, r5, sw3, and sw4 using the information provided in the diagram.”

r4#sh cdp neig | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            146         S I       WS-C3550- Fas 0/4
sw2              Fas 0/0            136         S I       WS-C3560- Fas 0/4

r4#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.4          191.1.4.4       YES NVRAM  up                    up
FastEthernet0/0.40         191.1.40.4      YES NVRAM  up                    up
FastEthernet0/0.45         191.1.45.4      YES NVRAM  up                    up
FastEthernet0/0.49         191.1.49.4      YES NVRAM  up                    up

I initially thought that the lab diagram was wrong.  Interface fa0/1 – not fa0/0 – is connected to sw4.  I was cursing IE and the routing gods for this colossal waste of time.  BUT….(as is so often the case) I WAS WRONG.  The diagram is right.  The question threw me off as it states that I need to configure trunking between sw3 and the other devices.  Some of the endpoints are on sw3, but some of these VLANs traverse sw2 (in VTP domain NET12), so I need to configure dot1q trunking on that switch (connected to r4) as well as add the VLANs to sw1 (the VTP server for the NET12 domain).

I really blew it on this task.  If this were the actual lab, I would not only have failed, but I would have looked like an idiot in the process.

1.7 Layer 2 Tunneling

Basically tunnel from r4 fa0/1 to sw2 fa0/18.

r4#sh run int fa0/1
interface FastEthernet0/1
 ip address 191.1.48.4 255.255.255.0

sw2#sh run int fa0/18
interface FastEthernet0/18
 no switchport
 ip address 191.1.48.8 255.255.255.0

You will need to use dot1q tunneling to accomplish this task.

switchport mode

dot1q-tunnel
Set the port as an IEEE 802.1Q tunnel port.

You’ll need to build your l2 tunnel across these ports:

r4#sh cdp neig fa0/1 | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            136         S I       WS-C3550- Fas 0/4

sw2#sh cdp neigh fa0/18 | b Device
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw3                 Fas 0/18              170            S I      WS-C3550-2 Fas0/18

The switch is kind enough to warn you of a pitfall:

sw4(config-if)#swit mode dot1q-tunnel
sw4(config-if)#
03:03:12: %DOT1Q_TUNNELLING-4-MTU_WARNING:
System MTU of 1500 might be insufficient for 802.1Q tunnelling.
802.1Q tunnelling requires system MTU size of 1504 to handle maximum size ethernet frames.

system mtu

I see a reload in my future:

sw4(config)#system mtu 1504
Changes to the System MTU will not take effect until the next reload is done.

Task 1.7 l2tunnel

r4#sh cdp neigh f0/1 | i sw2
sw2              Fas 0/1            169         S I       WS-C3560- Fas 0/18

sw2#sh cdp neigh fa0/18 | i r4
r4                  Fas 0/18              131           R S I     2651XM    Fas0/1

Sweet!!!

1.8 MAC Filtering

This was a pretty basic port-security task. 

switchport port-security

***  Update: Don’t use ‘sticky’ as I posted below.  These MAC addresses are NOT learned dynamically.  I did not remove this from my post just to show you how stupid I am sometimes.  :-)  *** 

I used the sticky option (“When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.”) but I would ask the proctor to clarify this.  IE did not use that option.

The only “twist” is the second subtask:

“In the case that other hosts try to access this port a syslog message should be sent to the server 191.1.7.100.”

First we have to change the switchport port-security from the default of shutdown:

violation
 (Optional) Set the security violation mode or the action to be taken if port security is violated. The default is shutdown.
 

Do I choose restrict or protect?  My CCNP knowledge has flowed out of my skull.  :-)

sw2(config-if)#swit port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

protect
Set the security violation protect mode. In this mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
 
restrict
Set the security violation restrict mode. In this mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

 
Restrict it is!!!

sw2#sh port-security int fa0/10
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 4
Configured MAC Addresses   : 4

Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

sw2#sh port-security int fa0/10 address
          Secure Mac Address Table
----------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
  10    0050.7014.8ef0    SecureConfigured         Fa0/10       -
  10    00cd.144e.07bf    SecureConfigured         Fa0/10       -
  10    00d0.341c.7871    SecureConfigured         Fa0/10       -
  10    00d0.586e.b710    SecureConfigured         Fa0/10       -
----------------------------------------------------------------------
Total Addresses: 4

I wasted some time by looking for documentation on how to configure a syslog server.  DOH!!!

sw2(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host

1.9 Spanning-Tree Convergence

A wordy task translated to: portfast with bpdufilter.  Just be aware of the differences in bpdufilter based on whether you configure it at the interface level or globally:

sw2(config)#spanning-tree portfast bpdufilter default

Understanding BPDU Filtering

Task 1.9 SPT

The task requires that the port return to normal spanning tree forwarding if a BPDU is received.

There is a difference in the behaviour of bpdufilter depending on whether it is configured at the interface level or globally.

When you configure bpdufilter on an interface, it stops BPDUs from being sent or received on that interface.

When you configure bpdufilter globally, all interfaces running portfast will filter sent BPDUs but will revert out of the portfast state if BPDUs are received. This is the desired behaviour for this task.

The DocCD explains it like this:

“When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.”
