CCIE Pursuit Blog

February 18, 2008

Internetwork Expert Volume II: Lab 12 – Section 3

Section 3 – Frame Relay – 8 Points

3.1 Hub-and-Spoke

Basic hub and spoke configuration with the additional requirement of turning on CDP.

3.2 Point-To-Point

Very basic configuration.

3.3 Keepalives

This is the first lab where I’ve had to configure Frame Relay End-To-End keepalives.  Time to get my FREEK on.  :-)

Key phrases:

“having r4 and r5 poll each other”
“the other side’s interface is up and reachable every 15 seconds”

frame-relay end-to-end keepalive mode

frame-relay end-to-end keepalive timer

Defaults
Send timer: 10 seconds
Receive timer: 15 seconds

r5(config)#map-class frame KEEPALIVES
r5(config-map-class)#frame end-to-end keepalive mode bidirectional
r5(config-map-class)#frame end-to-end keepalive timer send 15

* Receive timer is 15 by default so we don’t need to configure it.

r5(config-map-class)#int s0/0.54
r5(config-subif)#frame-relay interface-dlci 504
r5(config-fr-dlci)#class KEEPALIVES

Damn my fat fingers.  I accidentally typed a subinterface that did not exist – which brought it into existence  :-(

r4(config-map-class)#int s0/0.15
% Incomplete command.

r4(config-subif)#do sh ip int br
Serial0/0.15               unassigned      YES unset  up                    up

r4(config-subif)#no int s0/0.15
Not all config may be removed and may reappear after reactivating the sub-interface

I see a reload in my future.  :-(

r4#sh frame end keep

End-to-end Keepalive Statistics for Interface Serial0/0 (Frame Relay DTE)

DLCI = 405, DLCI USAGE = LOCAL, VC STATUS = ACTIVE (EEK UP)

SEND SIDE STATISTICS

Send Sequence Number: 255,      Receive Sequence Number: 255
Configured Event Window: 3,     Configured Error Threshold: 2
Total Observed Events: 1,       Total Observed Errors: 0
Monitored Events: 0,            Monitored Errors: 0
Successive Successes: 0,        End-to-end VC Status: UP

RECEIVE SIDE STATISTICS

Send Sequence Number: 255,      Receive Sequence Number: 255
Configured Event Window: 3,     Configured Error Threshold: 2
Total Observed Events: 1,       Total Observed Errors: 0
Monitored Events: 0,            Monitored Errors: 0
Successive Successes: 0,        End-to-end VC Status: UP
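That keepalive output is also what you would scrape if you wanted to alarm on a PVC whose end-to-end keepalive has failed. As an added example (my own code, not from the post or from IE), here is a small Python parser for `show frame-relay end-to-end keepalive` output plus a check that flags a DLCI whose EEK status is not UP on either side, or whose monitored errors have reached the configured error threshold. The first sample is constructed from the output shown above; the second, with DLCI 504 down, is constructed as well.

```python
import re

# Constructed sample, modelled on the 'sh frame end keep' output in the post.
SAMPLE_EEK_OUTPUT = """\
End-to-end Keepalive Statistics for Interface Serial0/0 (Frame Relay DTE)

DLCI = 405, DLCI USAGE = LOCAL, VC STATUS = ACTIVE (EEK UP)

SEND SIDE STATISTICS

Send Sequence Number: 255,      Receive Sequence Number: 255
Configured Event Window: 3,     Configured Error Threshold: 2
Total Observed Events: 1,       Total Observed Errors: 0
Monitored Events: 0,            Monitored Errors: 0
Successive Successes: 0,        End-to-end VC Status: UP

RECEIVE SIDE STATISTICS

Send Sequence Number: 255,      Receive Sequence Number: 255
Configured Event Window: 3,     Configured Error Threshold: 2
Total Observed Events: 1,       Total Observed Errors: 0
Monitored Events: 0,            Monitored Errors: 0
Successive Successes: 0,        End-to-end VC Status: UP
"""

# Second constructed sample: a PVC whose keepalive has failed on both sides.
SAMPLE_EEK_DOWN = (SAMPLE_EEK_OUTPUT
                   .replace("DLCI = 405", "DLCI = 504")
                   .replace("(EEK UP)", "(EEK DOWN)")
                   .replace("Monitored Errors: 0", "Monitored Errors: 2")
                   .replace("End-to-end VC Status: UP", "End-to-end VC Status: DOWN"))

DLCI_RE = re.compile(r"DLCI = (\d+), DLCI USAGE = (\w+), VC STATUS = (\w+) \(EEK (\w+)\)")
SIDE_RE = re.compile(r"^(SEND|RECEIVE) SIDE STATISTICS$")


def parse_eek(text):
    """Parse 'show frame-relay end-to-end keepalive' into
    {dlci: {usage, vc_status, eek, send: {...}, receive: {...}}}."""
    vcs, current, side = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DLCI_RE.match(line)
        if m:
            current = vcs[int(m.group(1))] = {
                "usage": m.group(2), "vc_status": m.group(3), "eek": m.group(4),
                "send": {}, "receive": {},
            }
            side = None
            continue
        m = SIDE_RE.match(line)
        if m:
            side = m.group(1).lower()
            continue
        if current is None or side is None or ":" not in line:
            continue  # banner line or text outside a per-side block
        # Each statistics line holds two 'Key: value' pairs separated by a comma.
        for pair in line.split(","):
            key, _, value = pair.partition(":")
            key = key.strip().lower().replace(" ", "_").replace("-", "_")
            value = value.strip()
            current[side][key] = int(value) if value.isdigit() else value
    return vcs


def unhealthy_vcs(vcs):
    """Return [(dlci, side)] where EEK reports the VC down, or where the monitored
    error count has reached the configured error threshold for that side."""
    bad = []
    for dlci, vc in sorted(vcs.items()):
        for side in ("send", "receive"):
            stats = vc[side]
            if (stats.get("end_to_end_vc_status") != "UP"
                    or stats.get("monitored_errors", 0) >= stats.get("configured_error_threshold", 1)):
                bad.append((dlci, side))
    return bad


if __name__ == "__main__":
    for sample in (SAMPLE_EEK_OUTPUT, SAMPLE_EEK_DOWN):
        parsed = parse_eek(sample)
        print(parsed, "->", unhealthy_vcs(parsed) or "all PVCs healthy")
```

The parser keys every statistic by its label, so the same function works whether you want the sequence numbers, the event window, or the VC status; the health check is deliberately conservative and fires as soon as the monitored error count reaches the threshold rather than waiting for EEK to declare the VC down.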

3.4 Point-to-Point

Very basic configuration.

Internetwork Expert Volume II: Lab 12 – Section 2

Section 2 – Bridging and Switching – 16 Points

2.1 Core Layer 2

This task was an interesting twist on a standard L2 core task.  You are asked to configure each of the switches to match a couple of show commands:

sw3(config-if)#do sh vtp stat | i (Operating Mode|Name)
VTP Operating Mode              : Client
VTP Domain Name                 : IE
sw3(config-if)#do sh vlan br | e (unsup|^1 |^ )

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active
17   VLAN0017                         active
22   VLAN0022                         active
33   VLAN0033                         active    Fa0/3
38   VLAN0038                         active    Fa0/24
45   VLAN0045                         active    Fa0/5
46   VLAN0046                         active
58   VLAN0058                         active

I actually found this task to be easier than usual.  BUT…make sure you open your ports.  IE shut a number of them down in the initial configurations. 

2.2 EtherChannel

This was an easy Layer 3 EtherChannel task, except that the diagram has an incorrect subnet for po34 between sw3 and sw4.  It should be 129.x.34.0/24 and not 129.x.43.0/24.

2.2 – typo/difference between diagram and solution

2.3 MAC Filtering

You need to limit a couple of ports to only learning two MAC addresses and to shut down for 60 seconds if they learn a third. 

Configuring Port Security

•The switch does not support port security aging of sticky secure MAC addresses.

(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:

•protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

•restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

•shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

We need to use shutdown mode (the default) together with errdisable recovery cause psecure-violation.

errdisable recovery

Defaults
Recovery is disabled for all causes.
The default recovery interval is 300 seconds.

Here’s the configuration:

errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
interface range fa0/7 - 8
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
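Once the lab is done it is worth being able to prove the requirement from a saved running-config rather than by eyeballing it. As an added example (my own code, not from the post or from IE), here is a Python audit that splits an IOS config into global lines and interface stanzas, then checks the task's four conditions on each port: port security enabled, maximum of two addresses, violation mode shutdown, and global errdisable recovery for psecure-violation with a 60 second interval. The sample config is constructed; the IOS defaults it assumes (maximum 1, violation shutdown, recovery interval 300 seconds) are the ones quoted earlier in this section.

```python
# Constructed running-config excerpt (not from the post): Fa0/7 meets the task,
# Fa0/8 has the wrong maximum and violation mode, Fa0/9 has no port security.
SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
interface FastEthernet0/7
 switchport access vlan 17
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
interface FastEthernet0/8
 switchport access vlan 17
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
!
interface FastEthernet0/9
 switchport access vlan 17
 switchport mode access
!
"""


def split_config(text):
    """Split an IOS config into (global_lines, {interface: [stanza lines]})."""
    global_lines, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None          # '!' ends a stanza
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, stanzas


def audit_port_security(text, ports, max_addrs=2, recovery_secs=60):
    """Check the task's requirement on each port: port security enabled, at most
    max_addrs learned addresses, violation mode shutdown, and global errdisable
    recovery for psecure-violation with the given interval. Returns
    {"global": [...], port: [...]} where an empty list means compliant."""
    global_lines, stanzas = split_config(text)
    findings = {"global": []}
    if "errdisable recovery cause psecure-violation" not in global_lines:
        findings["global"].append("errdisable recovery cause psecure-violation missing")
    interval = next((int(l.split()[-1]) for l in global_lines
                     if l.startswith("errdisable recovery interval ")), 300)  # IOS default
    if interval != recovery_secs:
        findings["global"].append(f"errdisable recovery interval is {interval}, want {recovery_secs}")
    for port in ports:
        lines = stanzas.get(port)
        if lines is None:
            findings[port] = ["interface not in config"]
            continue
        problems = []
        if "switchport port-security" not in lines:
            problems.append("port-security not enabled")
        maxes = [l for l in lines if l.startswith("switchport port-security maximum ")]
        configured_max = int(maxes[-1].split()[-1]) if maxes else 1   # IOS default maximum
        if configured_max != max_addrs:
            problems.append(f"maximum is {configured_max}, want {max_addrs}")
        modes = [l for l in lines if l.startswith("switchport port-security violation ")]
        mode = modes[-1].split()[-1] if modes else "shutdown"          # IOS default mode
        if mode != "shutdown":
            problems.append(f"violation mode is {mode}, want shutdown")
        findings[port] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_port_security(
            SAMPLE_CONFIG, ["FastEthernet0/7", "FastEthernet0/8", "FastEthernet0/9"]).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Note that the audit reads the expanded per-interface stanzas that `show running-config` produces, not the `interface range` shorthand typed at the CLI.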

sw1#sh errdisable recovery | e Dis
-----------------    --------------
psecure-violation    Enabled

Timer interval: 60 seconds

Interfaces that will be enabled at the next timeout:

sw1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/7                         0                  0         Shutdown
      Fa0/8              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6272

2.4 MAC Filtering

This was a pretty easy MAC filtering task using MAC ACLs….or so I thought.  :-)

Port ACLs

Creating Named MAC Extended ACLs

mac access-list extended FILTER_ROUTER
deny host 0030.1369.87a0 any
permit any any

Applying a MAC ACL to a Layer 2 Interface

sw1(config-if-range)#mac access-group FILTER_ROUTER ?
  in  Apply to Ingress

sw1(config-if-range)#mac access-group FILTER_ROUTER in

sw1#sh mac access-group int fa0/7
Interface FastEthernet0/7:
   Inbound access-list is FILTER_ROUTER
   Outbound access-list is not set
sw1#sh mac access-group int fa0/8
Interface FastEthernet0/8:
   Inbound access-list is FILTER_ROUTER
   Outbound access-list is not set

After all of that…the solution guide uses:

mac-address-table static 0030.1369.87a0 vlan 17 drop

Okay…why?  Well, there’s a really good reason. :-)

The immediate reaction to this task is typically to use an extended MAC address access-list to deny traffic from this MAC address from entering interfaces fa0/7 or fa0/8.  However, MAC address access-lists only affect non-IP traffic.  Therefore, assuming that hosts on VLAN 17 are running IP (a fair assumption), using a MAC access-list to filter this host will have no effect.

Good discussion about this task:

Task 2.4

2.5 QoS

Police a port to 3Mbps, but don’t use policing.  Clue: the task specifies unicast traffic.

Configuring Storm Control

Storm control uses one of these methods to measure traffic activity:

•Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic

•Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later)

•Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later)

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

REMEMBER that Storm control is inbound!!!

Storm control has some WEIRD parameters:

sw2(config-if)#storm-control unicast level bps ?
  <0.0 - 10000000000.0>[k|m|g]  Enter rising threshold

Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.

•bps—Rising suppression level, up to 1 decimal place. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.

sw2(config-if)#storm-control unicast level bps 3000000

sw2(config-if)#do sh run int fa0/2
interface FastEthernet0/2
 switchport access vlan 22
 storm-control unicast level bps 3m

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/24     Forwarding         3m bps       3m bps        0 bps

Send some large pings from r2 to bb2:

r2#p 192.10.1.254 re 10000 si 1500

Type escape sequence to abort.
Sending 10000, 1500-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/2     Blocking           3m bps       3m bps    7.83m bps

01:29:46: %STORM_CONTROL-3-FILTERED: A Unicast storm detected on Fa0/2. A packet filter action has been applied on the interface.

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/2     Forwarding         3m bps       3m bps   12.89k bps

The IE solution uses the older percentage of interface bandwidth configuration:

storm-control unicast level 3.00
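To make the rising/falling behaviour concrete, here is an added example (my own code, not from the post or from IE) that converts either form of level into bits per second, the `level bps` form with its k/m/g suffix and the older percentage form, and then replays a series of measured inbound rates through the blocking rule quoted from the Cisco documentation above: block when the rate reaches the rising level, keep blocking until it drops below the falling level, or below the rising level when no falling level was given. The rate samples are constructed from the numbers in the ping test (0, 7.83 Mb/s, 12.89 kb/s); the 100 Mb/s port speed assumed for the percentage conversion is my assumption for a FastEthernet port. Packets-per-second levels are not handled because converting them needs a packet size.

```python
import re

LEVEL_RE = re.compile(r"^(\d+(?:\.\d+)?)([kmg]?)$")
MULT = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_level(level, unit="bps", port_bps=100_000_000):
    """Turn a storm-control level into bits per second.

    unit='bps'     -> the 'level bps' form: '3000000' or '3m' (k/m/g suffix allowed)
    unit='percent' -> the older 'level 3.00' form, a percentage of port_bps
                      (100 Mb/s assumed here for a FastEthernet port)
    """
    m = LEVEL_RE.match(level.strip().lower())
    if not m:
        raise ValueError(f"unrecognised level {level!r}")
    value, suffix = float(m.group(1)), m.group(2)
    if unit == "bps":
        return value * MULT[suffix]
    if unit == "percent":
        if suffix:
            raise ValueError("percentage levels take no k/m/g suffix")
        return value * port_bps / 100
    raise ValueError(f"unsupported unit {unit!r}")


def storm_filter_states(samples_bps, rising_bps, falling_bps=None):
    """Replay measured inbound rates through storm control's blocking rule:
    start blocking when the rate reaches the rising level; keep blocking until
    the rate drops below the falling level, or below the rising level when no
    falling level is configured. Returns the filter state after each sample."""
    if falling_bps is None:
        falling_bps = rising_bps
    blocking, states = False, []
    for rate in samples_bps:
        if not blocking and rate >= rising_bps:
            blocking = True
        elif blocking and rate < falling_bps:
            blocking = False
        states.append("Blocking" if blocking else "Forwarding")
    return states


# Constructed rate samples: idle, the 7.83 Mb/s burst seen during the pings,
# then the 12.89 kb/s trickle after the pings stop.
PING_TEST_RATES = [0, 7_830_000, 12_890]

if __name__ == "__main__":
    rising = parse_level("3m")
    print(parse_level("3000000"), parse_level("3.00", unit="percent"), rising)
    print(storm_filter_states(PING_TEST_RATES, rising))
    # With a lower falling level the port stays blocked until traffic really subsides.
    print(storm_filter_states([0, 4_000_000, 2_000_000, 500_000], rising, parse_level("1m")))
```

The second replay is the case the documentation warns about: with a falling level of 1 Mb/s the port is still blocking at 2 Mb/s even though that is below the rising level, which is the hysteresis you give up when you configure only a rising level.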

2.6 Traffic Filtering

Stop PCs on a VLAN from communicating directly with each other, but allow them to still communicate with other ports or interfaces in the VLAN.  Use the minimum configuration.

switchport protected

Use the switchport protected interface configuration command to isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch. Use the no form of this command to disable protection on the port.

So….which ports do I apply it to?

The answer shows fa0/7 and fa0/8 on sw1.  Are they part of VLAN 17?

Well….they were initially, but I thought that that was an initial config error (see error 4?)

From the initial config:

interface range Fa0/7 - 8
 switchport access vlan 17
 no shutdown

By completing this task you will “break” task 2.1.  I think that this is just the result of a mistake in the lab document for task 2.1.

sw1#sh int fa0/7 swit | i Protected
Protected: true
sw1#sh int fa0/8 swit | i Protected
Protected: true

Internetwork Expert Volume II: Lab 12 – Section 1

Troubleshooting - 3 Points

There are three initial faults in this lab.  The troubleshooting section has this interesting requirement:

“Use the minimum commands needed to solve these issues.”

1) PPP configuration on r1

I had issues right away.  The initial configuration for r1’s s0/1 interface is as follows: 

interface Serial0/1
 ip address 129.1.13.1 255.255.255.0
 ppp pap sent-username PPP password 0 CISCO
 no shutdown

The problem with this is that the router will not accept this configuration because it’s missing “encap ppp” and “ppp authentication pap”:

r1(config-if)#interface Serial0/1
r1(config-if)# ip address 129.1.13.1 255.255.255.0
r1(config-if)# ppp pap sent-username PPP password 0 CISCO
                        ^
% Invalid input detected at ‘^’ marker.

The interface will end up with only the IP address configured:

interface Serial0/1
 ip address 129.1.13.1 255.255.255.0

This is where the “minimal configuration” requirement comes into play.  r1 and r2 each have point-to-point serial connections that terminate on r3.  r3 is running ppp with pap authentication.  It is expecting a username of “PAP” and a password of “CISCO”.

r1:
interface Serial0/1
 ip address 129.1.13.1 255.255.255.0   <- HDLC encapsulation (default)

r2:
interface Serial0/1/0
 ip address 129.1.23.2 255.255.255.0
 encapsulation ppp
 ppp pap sent-username PPP password 0 CISCO  <-wrong username

r3:
username PAP password 0 CISCO
!
interface Serial0/2:0
 ip address 129.1.13.3 255.255.255.0
 encapsulation ppp
 ppp authentication pap
!
interface Serial0/3:0
 ip address 129.1.23.3 255.255.255.0
 encapsulation ppp
 ppp authentication pap

The solution guide says that the fix is to change the password on r3 from “PAP” to “PPP”.  That would make sense and would meet the “minimum configuration” requirement IF the PPP configuration on r1 wasn’t messed up.  Due to the initial configuration snafu, I did the following:

r1:
r1(config)#int s0/1
r1(config-if)#enc ppp
r1(config-if)#ppp pap sent-username PAP pass CISCO

r2:
r2(config-if)#no ppp pap sent-username PPP password 0 CISCO
r2(config-if)#ppp pap sent-user PAP pass CISCO
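The reasoning in this fault is a credential-matching exercise: the client’s `ppp pap sent-username` must match a `username` entry on the authenticator, and the client must actually be running PPP for the line to mean anything. As an added example (my own code, not from the post or from IE), here is a Python check that pulls those settings out of each router’s config and reports why PAP to r3 would fail. The three configs are constructed from the initial state described above (r1 stripped to its IP address, r2 with the wrong username, r3 with `username PAP`); only type-0 passwords are compared, since hashed secrets cannot be matched from the config text.

```python
import re

# Constructed router configs modelled on the post's initial state (not verbatim):
# r1 is left with only its IP address (HDLC by default), r2 sends the wrong
# username, and r3 is the PAP authenticator with a single local user.
R1_CONFIG = """\
interface Serial0/1
 ip address 129.1.13.1 255.255.255.0
"""
R2_CONFIG = """\
interface Serial0/1/0
 ip address 129.1.23.2 255.255.255.0
 encapsulation ppp
 ppp pap sent-username PPP password 0 CISCO
"""
R3_CONFIG = """\
username PAP password 0 CISCO
!
interface Serial0/2:0
 ip address 129.1.13.3 255.255.255.0
 encapsulation ppp
 ppp authentication pap
!
interface Serial0/3:0
 ip address 129.1.23.3 255.255.255.0
 encapsulation ppp
 ppp authentication pap
"""

USER_RE = re.compile(r"^username (\S+) password (?:\d )?(\S+)$")
SENT_RE = re.compile(r"^ppp pap sent-username (\S+) pass\w* (?:\d )?(\S+)$")


def local_users(config):
    """Username -> password pairs the authenticator will accept (type-0 only)."""
    return {m.group(1): m.group(2)
            for m in (USER_RE.match(l.strip()) for l in config.splitlines()) if m}


def pap_client_settings(config, interface):
    """Return (encapsulation_is_ppp, username, password) for one interface stanza."""
    in_stanza, encap, sent = False, False, (None, None)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_stanza = line.split(None, 1)[1] == interface
        elif in_stanza and line == "encapsulation ppp":
            encap = True
        elif in_stanza:
            m = SENT_RE.match(line)
            if m:
                sent = (m.group(1), m.group(2))
    return encap, sent[0], sent[1]


def audit_pap(clients, links, server_config):
    """For each client router (clients[name] = config, links[name] = WAN interface)
    explain why PAP authentication to the server would fail; [] means it should work."""
    users = local_users(server_config)
    findings = {}
    for name, config in clients.items():
        iface = links[name]
        encap, user, pw = pap_client_settings(config, iface)
        problems = []
        if not encap:
            problems.append(f"{iface}: encapsulation is not ppp")
        if user is None:
            problems.append(f"{iface}: no 'ppp pap sent-username' configured")
        elif user not in users:
            problems.append(f"{iface}: server has no username {user!r}")
        elif users[user] != pw:
            problems.append(f"{iface}: password for {user!r} does not match the server")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    links = {"r1": "Serial0/1", "r2": "Serial0/1/0"}
    print(audit_pap({"r1": R1_CONFIG, "r2": R2_CONFIG}, links, R3_CONFIG))
    # Apply the fix above: r1 gets PPP plus the right credentials, r2's username is corrected.
    r1_fixed = R1_CONFIG + " encapsulation ppp\n ppp pap sent-username PAP password 0 CISCO\n"
    r2_fixed = R2_CONFIG.replace("sent-username PPP", "sent-username PAP")
    print(audit_pap({"r1": r1_fixed, "r2": r2_fixed}, links, R3_CONFIG))
```

Run against the initial configs it reports r1 as having no PPP at all and r2 as sending a username r3 does not know; run against the fixed configs both come back clean, which is the state the two CLI snippets above produce.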

2) sw1’s SVI interface Vlan7 should be Vlan 17

sw1#sh ip int br | e ass
Interface              IP-Address      OK? Method Status                Protocol
Vlan7                  129.1.17.7      YES NVRAM  down                  down

after:
sw1#sh ip int br | e ass
Interface              IP-Address      OK? Method Status                Protocol
Vlan17                 129.1.17.7      YES manual down                  down

3) r4’s fa0/1 has the wrong IP address

I didn’t catch this one until later.  The first octet is incorrect:

interface FastEthernet0/1
 ip address 192.1.46.4 255.255.255.0

After:
interface FastEthernet0/1
 ip address 129.1.46.4 255.255.255.0 

4?)  sw1’s fa0/7 and fa0/8 should not be assigned to a VLAN???

Task 2.1 requires you to configure sw1 to match this output exactly:

sw1(config)#do sh vlan br | e (unsup|^1 |^ )

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active    Fa0/3
17   VLAN0017                         active    Fa0/1
22   VLAN0022                         active
33   VLAN0033                         active
38   VLAN0038                         active
45   VLAN0045                         active
46   VLAN0046                         active
58   VLAN0058                         active    Fa0/5 

Here’s what I had:

sw1(config-if)#do sh vlan br | e (unsup|^1 |^ )

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active    Fa0/3
17   VLAN0017                         active    Fa0/1, Fa0/7, Fa0/8
22   VLAN0022                         active
33   VLAN0033                         active
38   VLAN0038                         active
45   VLAN0045                         active
46   VLAN0046                         active
58   VLAN0058                         active    Fa0/5

sw1(config-if)#do sh run int fa0/7
interface FastEthernet0/7
 switchport access vlan 17 

sw1(config-if)#do sh run int fa0/8
interface FastEthernet0/8
 switchport access vlan 17

I defaulted the interfaces and my output matched the requirement.  Unfortunately, this would come back to bite me in the butt later.  I think that the problem was a misprint in the lab guide and not an initial fault.
