CCIE Pursuit Blog

March 17, 2008

Internetwork Expert Volume II: Lab 8 – Section 1

Bridging and Switching – 20 Points

“There are no faults in the initial configurations.”
“Do not alter the commands in the initial configurations.”

1.1 Trunking

First things first: CCOnlinelabs does not use fa0/24 to connect to the BBs.

On sw2 they use fa0/10:

sw2#sh run int fa0/24
interface FastEthernet0/24
 switchport access vlan 52
end

sw2#sh run int fa0/10
interface FastEthernet0/10
end

That means I need to move the config from fa0/24 to fa0/10.  After altering the configuration to match the CCOnlinelabs topology, I finished the easy trunking tasks.

I did notice something odd though:

sw1(config-if-range)#do sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 15
VTP Operating Mode              : Transparent
VTP Domain Name                 : CCIELAB
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x99 0x68 0x38 0x79 0xE4 0x3B 0x99 0xFF
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

All of the switches are configured this way.

sw2(config)#vtp version ?
  <1-2>  Set the adminstrative domain VTP version number

I looked through the initial configs and I don’t see anything that sets these to VTP version 1.  This may be something left over on the rental switches.  It should not matter as all switches are in VTP Transparent mode.  Transparent mode in VTP version 1 drops all VTP advertisements.  In VTP version 2 the Transparent switches pass the advertisements on but do not install them.

Weird:

r5#sh vlan 52
% Ambiguous command:  "sh vlan 52"

r5#sh vlans 52

Virtual LAN ID:  52 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet0/1.52

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              192.10.1.5                 905                  88
        Other                                           0                   1

   913 packets, 60196 bytes input
   89 packets, 5450 bytes output

r5#sh vlan?
vlan-range  vlan-switch  vlans

“show vlans”????

show vlans

To view virtual LAN (VLAN) subinterfaces, use the show vlans command in privileged EXEC mode.

1.2 Trunking

This task required that you configure trunks between sw3 and sw1 (both are 3560s in this rack) using DTP.  Should I set ‘dyn des’ on both sides or just one?

I did both sides.  IE only did it on one side.

1.3 Trunking

“use minimal conf poss on sw1 to accomplish this task”

sw1 = 3560 – switchport mode dynamic auto
sw4 = 3550 – switchport mode dynamic desirable

sw4(config)#do sh run | b 0/13
interface FastEthernet0/13
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/14
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/15
 switchport mode dynamic desirable
 shutdown

I should be able to just no shut both sides to dynamically create 3 ISL trunks:

sw4(config)#int range fa0/13 - 15
sw4(config-if-range)#no sh

sw1(config-if-range)#int range fa0/19 - 21
sw1(config-if-range)#no sh

sw1:
sw1(config-if-range)#do sh int trun | i 0/19|0/20|0/21
Fa0/19      auto             n-isl          trunking      1
Fa0/20      auto             n-isl          trunking      1
Fa0/21      auto             n-isl          trunking      1

sw4:
sw4(config-if-range)#do sh int trunk | i 0/13|0/14|0/15
Fa0/13      desirable        n-isl          trunking      1
Fa0/14      desirable        n-isl          trunking      1
Fa0/15      desirable        n-isl          trunking      1

1.4 Spanning-Tree Protocol

Create root switches for batches of VLANs.

“Use the fewest commands needed to accomplish this task.”

This is where reading ahead pays off.  Task 1.7 is going to require that we use MST.  I need to set up MST before I start making root switches.  Hop ahead to task 1.7.

*IE even combines these tasks in the solution guide.

1.7 Spanning-Tree Protocol

Set up a single instance of spanning-tree for 4 sets of VLANs.  Time for MST.

Specifying the MST Region Configuration and Enabling MSTP (required)

You need to remember that you’ll have to cut and paste this configuration on each switch.

sw1(config)#spanning-tree mst config
sw1(config-mst)#instance 1 vlan 3-7
sw1(config-mst)#instance 2 vlan 13-45
sw1(config-mst)#instance 3 vlan 52-67
sw1(config-mst)#instance 4 vlan 1,1001
sw1(config-mst)#name MYMST
sw1(config-mst)#revision 1
sw1(config-mst)#exit
sw1(config)#spanning-tree mode mst

Very cool/odd command.  A show command from within MST configuration mode:

sw1(config-mst)#show pending
Pending MST configuration
Name      [MYMST]
Revision  1     Instances configured 5

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         2,8-12,46-51,68-1000,1002-4094
1         3-7
2         13-45
3         52-67
4         1,1001
-------------------------------------------------------------------------------

Remember that instance 0 is created by default and includes any VLANs not explicitly assigned to other instances.

Tip:  If you do “do show history” in configuration mode, this will show your last x configuration entries.  I use this if I need to cut and paste a configuration on a bunch of devices.

sw1(config)#do sh hist
  do sh run int fa0/18
  do sh int trunk
  int range fa0/19 - 21
  no sh
  do sh int trun | i 0/19|0/20|0/21
  do wr
  exit
  spanning-tree mst con
  instance 1 vlan 3-7
  instance 2 vlan 13-45
  instance 3 vlan 52-67
  instance 4 vlan 1,1001
  name MYMST
  revision 1

  do sh pending
  show pending
  exit
  spanning-tree mode mst

I can now paste this on the rest of the switches:

  spanning-tree mst con
  instance 1 vlan 3-7
  instance 2 vlan 13-45
  instance 3 vlan 52-67
  instance 4 vlan 1,1001
  name MYMST
  revision 1
  exit
  spanning-tree mode mst

sw2(config)#  spanning-tree mst con
sw2(config-mst)#  instance 1 vlan 3-7
sw2(config-mst)#  instance 2 vlan 13-45
sw2(config-mst)#  instance 3 vlan 52-67
sw2(config-mst)#  instance 4 vlan 1,1001
sw2(config-mst)#  name MYMST
sw2(config-mst)#  revision 1
sw2(config-mst)#  exit
sw2(config)#  spanning-tree mode mst
sw2(config)#^Z

Nice command to get a quick look at MST:

sw4#sh spann mst | i MST
##### MST0    vlans mapped:   2,8-12,46-51,68-1000,1002-4094
##### MST1    vlans mapped:   3-7
Root          this switch for MST1
##### MST2    vlans mapped:   13-45
Root          this switch for MST2
##### MST3    vlans mapped:   52-67
Root          this switch for MST3
##### MST4    vlans mapped:   1,1001
Root          this switch for MST4
sw4#

This will show you the VLANs mapped to each instance and whether or not you’re the root for the instance [if you're not on the root switch, the "Root" line will not show up, only the VLAN mappings].

Back to 1.4

1.4 Spanning-Tree Protocol

Okay.  NOW we can start setting roots (copy tasks from above).

Configuring the MST Root Switch

sw1#sh span mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.aa80  priority      32769 (32768 sysid 1)
Root          address 000d.65a3.bf00  priority      32769 (32768 sysid 1)  <-sw4
              port    Fa0/19          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 200000    128.3    P2p
Fa0/3            Desg FWD 200000    128.5    P2p
Fa0/9            Desg FWD 2000000   128.11   Shr
Fa0/11           Desg FWD 2000000   128.13   Shr
Fa0/13           Desg FWD 200000    128.15   P2p
Fa0/14           Desg FWD 200000    128.16   P2p
Fa0/15           Desg FWD 200000    128.17   P2p
Fa0/16           Desg FWD 200000    128.18   P2p
Fa0/17           Desg FWD 200000    128.19   P2p
Fa0/18           Desg FWD 200000    128.20   P2p
Fa0/19           Root FWD 200000    128.21   P2p
Fa0/20           Altn BLK 200000    128.22   P2p
Fa0/21           Altn BLK 200000    128.23   P2p

sw1(config)#spanning-tree mst 1 root primary

sw1(config)#do sh span mst | i MST
##### MST0    vlans mapped:   2,8-12,46-51,68-1000,1002-4094
##### MST1    vlans mapped:   3-7
Root          this switch for MST1
##### MST2    vlans mapped:   13-45
##### MST3    vlans mapped:   52-67
##### MST4    vlans mapped:   1,1001

sw1(config)#do sh spann mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.aa80  priority      24577 (24576 sysid 1)
Root          this switch for MST1
---output truncated---

NOTE:  Here’s where the “minimal command” issue needs clarification.  Since sw4 is ALREADY the root for MST instance 4 (VLANs 1 and 1001), I shouldn’t need to do any configuration to make it the root.

sw4(config)#do sh span mst | i MST
##### MST0    vlans mapped:   2,8-12,46-51,68-1000,1002-4094
##### MST1    vlans mapped:   3-7
##### MST2    vlans mapped:   13-45
##### MST3    vlans mapped:   52-67
##### MST4    vlans mapped:   1,1001
Root          this switch for MST4

BUT there is another requirement:

“No switch should be the elected root based upon a lower MAC address.”

sw4 was elected based on the lowest MAC address (priorities are the same on all switches in MST instance 4), so we DO need to explicitly configure sw4 as the root bridge.

1.5 Layer 2 Tunneling

r2 fa0/0 -> sw2 fa0/2
r6 fa0/1 -> sw4 fa0/6

I have to tunnel sw2 fa0/2 to sw4 fa0/6.  That way the routers can trunk directly to each other?

Configuring IEEE 802.1Q Tunneling

vlan dot1q tag native
!
interface FastEthernet0/6
 switchport mode dot1q-tunnel
 l2protocol-tunnel stp
 l2protocol-tunnel cdp

[sw2 and sw4 already had their MTU set to 1504]

r2#sh cdp neigh fa0/0 | b Dev
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
r6               Fas 0/0            127        R S I      2811      Fas 0/1

r2#ping 174.1.26.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.26.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

1.6 Spanning-Tree Protocol

The task requires you to force MST instance 1 VLANs (3-7) to prefer to forward traffic to sw1 (the root) over the highest numbered DIRECTLY connected port.  If a port fails, prefer the next highest numbered port.  Complete this configuration on sw1.

The switches are currently using the lowest numbered directly connected port as the root port:

sw2#sh spann mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.d900  priority      32769 (32768 sysid 1)
Root          address 0019.56db.aa80  priority      24577 (24576 sysid 1)
              port    Fa0/13          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/4            Desg FWD 200000    128.6    P2p
Fa0/13           Root FWD 200000    128.15   P2p
Fa0/14           Altn BLK 200000    128.16   P2p
Fa0/15           Altn BLK 200000    128.17   P2p
Fa0/19           Altn BLK 200000    128.21   P2p

I can change this in two ways on the root switch (sw1); here I lower the port-priority on the ports I want sw2 to prefer.

sw2 fa0/15 is connected to sw1 fa0/15
sw2 fa0/14 is connected to sw1 fa0/14
sw2 fa0/13 is connected to sw1 fa0/13

We need to remember that we’re running MST:

spanning-tree mst instance-id port-priority priority

sw1(config)#int fa0/15
sw1(config-if)#spanning-tree mst 1 port-priority 0
sw1(config-if)#int fa0/14
sw1(config-if)#spanning-tree mst 1 port-priority 16

sw1#sh spann mst 1 det | b net0/13
FastEthernet0/13 of MST1 is designated forwarding
Port info             port id         128.15  priority    128  cost      200000
Designated root       address 0019.56db.aa80  priority  24577  cost           0
Designated bridge     address 0019.56db.aa80  priority  24577  port id   128.15
Timers: message expires in 0 sec, forward delay 0, forward transitions 5
Bpdus (MRecords) sent 3196, received 861

FastEthernet0/14 of MST1 is designated forwarding
Port info             port id          16.16  priority     16 cost      200000
Designated root       address 0019.56db.aa80  priority  24577  cost           0
Designated bridge     address 0019.56db.aa80  priority  24577  port id    16.16
Timers: message expires in 0 sec, forward delay 0, forward transitions 5
Bpdus (MRecords) sent 4032, received 3364

FastEthernet0/15 of MST1 is designated forwarding
Port info             port id           0.17  priority      0  cost      200000
Designated root       address 0019.56db.aa80  priority  24577  cost           0
Designated bridge     address 0019.56db.aa80  priority  24577  port id     0.17
Timers: message expires in 0 sec, forward delay 0, forward transitions 5
Bpdus (MRecords) sent 4032, received 3364

sw2#sh spann mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.d900  priority      32769 (32768 sysid 1)
Root          address 0019.56db.aa80  priority      24577 (24576 sysid 1)
              port    Fa0/15          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/4            Desg FWD 200000    128.6    P2p
Fa0/13           Altn BLK 200000    128.15   P2p
Fa0/14           Altn BLK 200000    128.16   P2p
Fa0/15           Root FWD 200000    128.17   P2p  <-booyah
Fa0/19           Altn BLK 200000    128.21   P2p
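As an added example (mine, not from the post or from IE), here are the two elections this task and task 1.4 turn on, modelled in Python with the priorities, MACs and port IDs printed above: the root-bridge election that 1.4 says must not be decided by a lower MAC, and sw2's root-port choice, which compares the sender's port ID before the local one, which is why the port-priority change has to go on sw1 and not on sw2. The 200000 path cost and the 128.N local port IDs are taken from sw2's `show spanning-tree mst 1` output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str       # Cisco dotted format, as printed by `show spanning-tree mst`
    priority: int  # the printed value, i.e. base priority + instance sysid


def mac_key(mac: str) -> int:
    return int(mac.replace(".", ""), 16)


def bridge_id(b: Bridge):
    # 802.1D/802.1s compare priority first and fall back to the MAC only on a tie.
    return (b.priority, mac_key(b.mac))


def elect_root(bridges):
    """Return (root bridge, True when the win came down to the MAC tie-break)."""
    root = min(bridges, key=bridge_id)
    contenders = [b for b in bridges if b.priority == root.priority]
    return root, len(contenders) > 1


def port_id(text: str):
    # "128.15" -> (128, 15): port priority, then port number
    prio, num = text.split(".")
    return (int(prio), int(num))


@dataclass(frozen=True)
class Candidate:
    local_port: str
    root_path_cost: int
    sender: Bridge
    sender_port_id: str  # port ID carried in the BPDU received on this port
    local_port_id: str   # the receiving port's own ID


def select_root_port(candidates):
    """802.1D tie-break order for the root port: lowest root path cost, lowest
    sender bridge ID, lowest sender port ID, and only then the local port ID."""
    best = min(candidates, key=lambda c: (c.root_path_cost, bridge_id(c.sender),
                                          port_id(c.sender_port_id),
                                          port_id(c.local_port_id)))
    return best.local_port


# Bridge IDs for MST1 (VLANs 3-7, sysid 1) as printed in the post.
SW1 = Bridge("sw1", "0019.56db.aa80", 32769)
SW2 = Bridge("sw2", "0019.56db.d900", 32769)
SW4 = Bridge("sw4", "000d.65a3.bf00", 32769)
SW1_ROOT = Bridge("sw1", SW1.mac, 24577)  # after `spanning-tree mst 1 root primary`

# sw2's three direct links to sw1 and their local port IDs (from sw2's output above).
SW2_LOCAL_IDS = {"Fa0/13": "128.15", "Fa0/14": "128.16", "Fa0/15": "128.17"}


def before_root_primary():
    return elect_root([SW1, SW2, SW4])


def after_root_primary():
    return elect_root([SW1_ROOT, SW2, SW4])


def sw2_root_port(sender_ids):
    """sender_ids maps each sw2 port to the port ID sw1 advertises on the far end."""
    cands = [Candidate(p, 200000, SW1_ROOT, sender_ids[p], SW2_LOCAL_IDS[p])
             for p in SW2_LOCAL_IDS]
    return select_root_port(cands)


if __name__ == "__main__":
    root, by_mac = before_root_primary()
    print(f"MST1 root before: {root.name} (decided by MAC tie-break: {by_mac})")
    root, by_mac = after_root_primary()
    print(f"MST1 root after : {root.name} (decided by MAC tie-break: {by_mac})")
    # sw1 port IDs with default priority 128, then after port-priority 16 / 0
    print("sw2 root port, default sw1 priorities:",
          sw2_root_port({"Fa0/13": "128.15", "Fa0/14": "128.16", "Fa0/15": "128.17"}))
    print("sw2 root port, sw1 Fa0/14=16 Fa0/15=0:",
          sw2_root_port({"Fa0/13": "128.15", "Fa0/14": "16.16", "Fa0/15": "0.17"}))
```

Changing only `SW2_LOCAL_IDS` never moves the root port, because the local port ID is the last key in the comparison; that is the whole reason the task says to configure sw1.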

1.8 Etherchannel

Create a couple of L3 EtherChannels.

1.9 Interface Negotiation

Hard code all ports in vlan 3 to 100/Full

sw1#sh vlan br | i VLAN0003
3    VLAN0003                         active    Fa0/3, Fa0/9, Fa0/10, Fa0/11

sw1(config)#int range fa0/3, fa0/9 - 11
sw1(config-if-range)#speed 100
sw1(config-if-range)#duplex full

Remember that you need to hard-code BOTH sides of the link to avoid speed/duplex mismatches:

04:47:14: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/3(not half duplex), with r3 FastEthernet0/0 (half duplex).

sw1#sh cdp nei f0/3
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
                  S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
r3               Fas 0/3           153          R S I     2811      Fas 0/0

r3(config)#int fa0/0
r3(config-if)#speed 100
r3(config-if)#duplex full

sw1#sh int status | i 3
Fa0/3                        connected    3            full    100 10/100BaseTX
Fa0/9                        notconnect   3            full    100 10/100BaseTX
Fa0/10                       notconnect   3            full    100 10/100BaseTX
Fa0/11                       notconnect   3            full    100 10/100BaseTX

Fa0/13                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/23                       notconnect   1            auto   auto 10/100BaseTX

DOH!!!!  The IE solution did not include fa0/3 on sw1 (connected to r3 fa0/0).  This is a matter of question interpretation.  The task states the Windows machines are getting network errors.  Then it states:

“In order to resolve this problem, ensure that all ports in VLAN 3 are hard coded to 100Mbps Full-Duplex.”

In order to meet the last requirement you would need to hard code fa0/3 to 100/Full.  BUT the problem is NOT with network devices, but with hosts.  Another “ask the proctor” moment.  :-)

February 18, 2008

Internetwork Expert Volume II: Lab 12 – Section 2

Section 2 – Bridging and Switching – 16 Points

2.1 Core Layer 2

This task was an interesting twist on a standard L2 core task.  You are asked to configure each of the switches to match a couple of show commands:

sw3(config-if)#do sh vtp stat | i (Operating Mode|Name)
VTP Operating Mode              : Client
VTP Domain Name                 : IE
sw3(config-if)#do sh vlan br | e (unsup|^1 |^ )

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active
17   VLAN0017                         active
22   VLAN0022                         active
33   VLAN0033                         active    Fa0/3
38   VLAN0038                         active    Fa0/24
45   VLAN0045                         active    Fa0/5
46   VLAN0046                         active
58   VLAN0058                         active

I actually found this task to be easier than usual.  BUT…make sure you open your ports.  IE shut a number of them down in the initial configurations. 

2.2 EtherChannel

This was an easy Layer 3 EtherChannel task, except that the diagram has an incorrect subnet for po34 between sw3 and sw4.  It should be 129.x.34.0/24 and not 129.x.43.0/24.

2.2 – typo/difference between diagram and solution

2.3 MAC Filtering

You need to limit a couple of ports to only learning two MAC addresses and to shut down for 60 seconds if they learn a third. 

Configuring Port Security

•The switch does not support port security aging of sticky secure MAC addresses.

(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:

•protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

•restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

•shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

We need to use shutdown mode (default) with errdisable recovery cause psecure-violation

errdisable recovery

Defaults
Recovery is disabled for all causes.
The default recovery interval is 300 seconds.

Here’s the configuration:

errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
int range fa0/7 - 8
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown

sw1#sh errdisable recovery | e Dis
-----------------    --------------
psecure-violation    Enabled

Timer interval: 60 seconds

Interfaces that will be enabled at the next timeout:

sw1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/7                         0                  0         Shutdown
      Fa0/8              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6272

2.4 MAC Filtering

This was a pretty easy MAC filtering task using MAC ACLs….or so I thought.  :-)

Port ACLs

Creating Named MAC Extended ACLs

mac access-list extended FILTER_ROUTER
deny host 0030.1369.87a0 any
permit any any

Applying a MAC ACL to a Layer 2 Interface

sw1(config-if-range)#mac access-group FILTER_ROUTER ?
  in  Apply to Ingress

sw1(config-if-range)#mac access-group FILTER_ROUTER in

sw1#sh mac access-group int fa0/7
Interface FastEthernet0/7:
   Inbound access-list is FILTER_ROUTER
   Outbound access-list is not set
sw1#sh mac access-group int fa0/8
Interface FastEthernet0/8:
   Inbound access-list is FILTER_ROUTER
   Outbound access-list is not set

After all of that…the solution guide uses:

mac-address-table static 0030.1369.87a0 vlan 17 drop

Okay…why?  Well, there’s really good reason. :-)

The immediate reaction to this task is typically to use an extended MAC address access-list to deny traffic from this MAC address from entering interfaces fa0/7 or fa0/8.  However, MAC address access-lists only affect non-IP traffic.  Therefore, assuming that hosts on VLAN 17 are running IP (a fair assumption), using a MAC access-list to filter this host will have no effect.

Good discussion about this task:

Task 2.4

2.5 QoS

Police a port to 3Mbps, but don’t use policing.  Clue: the task specifies unicast traffic.

Configuring Storm Control

Storm control uses one of these methods to measure traffic activity:

•Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic

•Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later)

•Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later)

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

REMEMBER that Storm control is inbound!!!

Storm control has some WEIRD parameters:

sw2(config-if)#storm-control unicast level bps ?
  <0.0 - 10000000000.0>[k|m|g]  Enter rising threshold

Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.

•bps—Rising suppression level, up to 1 decimal place. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.

sw2(config-if)#storm-control unicast level bps 3000000

sw2(config-if)#do sh run int fa0/2
interface FastEthernet0/2
 switchport access vlan 22
 storm-control unicast level bps 3m

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/24     Forwarding         3m bps       3m bps        0 bps

Send some large pings from r2 to bb2:

r2#p 192.10.1.254 re 10000 si 1500

Type escape sequence to abort.
Sending 10000, 1500-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/2     Blocking           3m bps       3m bps    7.83m bps

01:29:46: %STORM_CONTROL-3-FILTERED: A Unicast storm detected on Fa0/2. A packet filter action has been applied on the interface.

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/2     Forwarding         3m bps       3m bps   12.89k bps

The IE solution uses the older percentage of interface bandwidth configuration:

storm-control unicast level 3.00

2.6 Traffic Filtering

Stop PCs on a VLAN from communicating directly with each other, but allow them to still communicate with other ports or interfaces in the VLAN.  Use the minimum configuration.

switchport protected

Use the switchport protected interface configuration command to isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch. Use the no form of this command to disable protection on the port.

So….which ports do I apply it to?

The answer shows fa0/7 and fa0/8 on sw1.  Are they part of VLAN 17?

Well….they were initially, but I thought that was an initial config error (see error 4?)

From intial config:

interface range Fa0/7 - 8
 switchport access vlan 17
 no shutdown

By completing this task you will “break” task 2.1.  I think that this is just the result of a mistake in the lab document for task 2.1.

sw1#sh int fa0/7 swit | i Protected
Protected: true
sw1#sh int fa0/8 swit | i Protected
Protected: true

January 29, 2008

Internetwork Expert Volume II: Lab 6 – Section 1

Bridging and Switching – 20 Points

1.1 Basic Configuration

This is the first lab that I’ve done where you need to set up two separate VTP domains.  I always create a Layer 2 map and it really helped out in this lab.  You’ll need to be mindful of which VTP server to create VLANs on when you’re building your Layer 2 network, especially with the caveat:

“VLANs should not be created within the VTP domain unnecessarily.”

1.2 Trunk Maintenance

“Ensure that the links between sw1, sw2, sw3, and sw4 will not attempt to automatically trunk using DTP.”

Depending on how you interpret this question, there are two methods you might use:

1) Put the ports into switchport mode dynamic auto (default setting on the 3560s).  This means that they will not form a trunk unless the other side of the link attempts to negotiate trunking.  This does NOT disable DTP.

switchport mode

int range fa0/13 - 21
 switchport mode dynamic auto

sw3(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

2) Hard-code the interfaces to trunk and disable DTP.  This means that you’ll need to choose a trunking encapsulation and you’ll need to shut down any links (on one side at least) that you do not want to form a trunk.  This is a little sloppier, but it actually disables DTP.

switchport nonegotiate

int range fa0/13 - 21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

sw1(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

I went with option 1 (mostly because of task 1.3).

task 1.2 DTP

Be careful when applying your configuration with the interface range command as there are a couple of routed ports already configured:

sw1(config-if-range)#swit mode dyn auto
Command rejected: Fa0/14 not a switching port.
% Interface range command failed for FastEthernet0/14

sw1(config-if-range)#do sh run int fa0/14
interface FastEthernet0/14
 no switchport
 ip address 191.1.27.7 255.255.255.0
end

You’ll be alright as the routed ports will ignore the switchport commands (they are configured as “no switchport”).
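The difference between the two options above is visible in `show interfaces switchport`, so it can be audited rather than eyeballed. This is an added example (mine, not from the post or IE): it parses that output and flags every port that would still form a trunk through DTP. The sample is constructed from the two outputs shown above plus a routed port like fa0/14 and a dynamic desirable port; the port names in it are illustrative.

```python
import re

# Constructed sample: dynamic auto (as on sw3), a routed port (like sw1 fa0/14),
# trunk + nonegotiate (as on sw1) and a dynamic desirable port, concatenated as
# if from one `show interfaces switchport` run.
SAMPLE = """\
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Name: Fa0/14
Switchport: Disabled

Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

Name: Fa0/16
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
"""


def parse_switchport(text):
    """Split the output into one {field: value} dict per port, in order."""
    ports = []
    for block in re.split(r"\n(?=Name: )", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Name" in fields:
            ports.append(fields)
    return ports


def assess_dtp(port):
    """Return a finding for the port, or None when DTP cannot form a trunk on it."""
    if port.get("Switchport") != "Enabled":
        return None  # routed port (`no switchport`): DTP does not apply
    mode = port.get("Administrative Mode", "")
    dtp_on = port.get("Negotiation of Trunking", "").lower() == "on"
    if not dtp_on:
        return None  # `switchport nonegotiate` trunk, or a plain access port
    if mode.startswith("dynamic desirable"):
        return "actively solicits a trunk with DTP"
    if mode.startswith("dynamic auto"):
        return "will trunk if the neighbor negotiates (DTP still enabled)"
    return "DTP frames still sent; add `switchport nonegotiate`"


def audit(text):
    """Map each port name to its finding (None = nothing to flag)."""
    return {p["Name"]: assess_dtp(p) for p in parse_switchport(text)}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name:8} {finding or 'ok'}")
```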

1.3 Trunking

“Use dot1q encapsulation to configure the following trunks:”

You need to stop trunking of some vlans as well (read the requirements carefully).

sw1(config-if-range)#swit trunk all vlan except 7,77,777

I configured this on both sides of the trunks.  IE did not. 

Before changing VLAN allowed list:
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      none

After changing VLAN allowed list:
sw3(config-if)#swit trunk all vlan except 7,77,777
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-6,8-76,78-776,778-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1
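As an added example (mine, not from the post or IE), the VLAN-list arithmetic behind two outputs on this page: the 1-6,8-76,78-776,778-4094 that `except 7,77,777` produces here, and the instance-0 mapping 2,8-12,46-51,68-1000,1002-4094 that `show pending` printed in the Lab 8 MST task above. It also compares two switches' MST region parameters, since a pasted config that differs in any VLAN mapping puts the switch in a different region. It assumes the IOS VLAN ID space 1-4094.

```python
ALL_VLANS = frozenset(range(1, 4095))  # 802.1Q IDs 1-4094, as IOS expands them


def parse_vlan_ranges(text):
    """'1,3-7,1001' -> {1, 3, 4, 5, 6, 7, 1001}; rejects IDs outside 1-4094."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def render_vlan_ranges(vlans):
    """Collapse a set of IDs into IOS-style '2,8-12,46-51' notation."""
    ids = sorted(vlans)
    parts, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def mst_instance0_mapping(instances):
    """instances: {instance: 'vlan list'} as typed under `spanning-tree mst configuration`.
    Returns the VLANs left to the IST (instance 0). Raises if a VLAN is listed under
    two instances, which is almost certainly a paste typo."""
    assigned = set()
    for inst, spec in instances.items():
        vlans = parse_vlan_ranges(spec)
        overlap = assigned & vlans
        if overlap:
            raise ValueError(f"VLAN(s) {render_vlan_ranges(overlap)} listed twice (instance {inst})")
        assigned |= vlans
    return render_vlan_ranges(ALL_VLANS - assigned)


def allowed_except(excluded):
    """What `switchport trunk allowed vlan except <list>` leaves on the trunk."""
    return render_vlan_ranges(ALL_VLANS - parse_vlan_ranges(excluded))


def same_mst_region(a, b):
    """Two switches share an MST region only if name, revision and the complete
    VLAN-to-instance map match, so compare exactly those three things."""
    def region_key(cfg):
        mapping = {v: inst for inst, spec in cfg["instances"].items()
                   for v in parse_vlan_ranges(spec)}
        return (cfg["name"], cfg["revision"], frozenset(mapping.items()))
    return region_key(a) == region_key(b)


if __name__ == "__main__":
    lab8 = {"name": "MYMST", "revision": 1,
            "instances": {1: "3-7", 2: "13-45", 3: "52-67", 4: "1,1001"}}
    print("instance 0:", mst_instance0_mapping(lab8["instances"]))
    print("allowed   :", allowed_except("7,77,777"))
    typo = {**lab8, "instances": {**lab8["instances"], 2: "13-46"}}
    print("same region as the typo'd paste:", same_mst_region(lab8, typo))
```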

1.4 Spanning-Tree

This was a great task.  You are asked to:

“Ensure sw1 is forwarding on all trunk links for any active VLANs.”
“If a new VLAN is added to the VTP domain NET12, sw1 should forward on all trunk links for the new VLAN.”

The first subtask means that you need to make sw1 the root bridge.  Easy enough, but you need to specify a VLAN range.  Since we’re asked to make sure that any VLANs added to our VTP domain use sw1 as the root, we need to specify the range of VLANs that can be created via VTP.  VTP cannot add extended VLANs, so our range should be 1-1000:

sw1(config)#spanning-tree vlan 1-1000 root primary

Hmmmm….IE used the range 1-4096 (range including extended VLANs).

Task 1.4 Spanning-Tree

I think that their rationale is:

IF we were to put sw1 and sw2 (the members of VTP domain NET12) into vtp transparent mode, we could create extended VLANs.  Those VLANs would technically be VLANs created in VTP domain NET12.  BUT we would need to break our VTP task in order to do this. 

Set sw1 and sw2 to VTP mode transparent:

sw1(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent
sw1(config)#do sh run | i prior
spanning-tree vlan 1-1000 priority 24576

sw2(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent

Add standard and extended vlan to sw1 and sw2:

sw1(config)#vlan 1000,1234
sw1(config-vlan)#exit

sw2(config)#vlan 1000,1234
sw2(config-vlan)#exit
sw2(config)#do sh sp v 1000

VLAN1000
  Spanning tree enabled protocol ieee
  Root ID    Priority    25576
             Address     0012.018f.d580  <-sw1 MAC
             Cost        19
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33768  (priority 32768 sys-id-ext 1000)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 19        128.15   P2p

sw2(config)#do sh sp v 1234

VLAN1234
  Spanning tree enabled protocol ieee
  Root ID    Priority    34002
             Address     0012.009c.ca00
             This bridge is the root 
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    34002  (priority 32768 sys-id-ext 1234)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg FWD 19        128.15   P2p

I would definitely ask the proctor about this task.

1.5 Etherchannel

Easy trunking/etherchannel task.  Your VTP will now work for domain NET34.

1.6 Trunking

This was a bizarre task with VLANs between subinterfaces on a couple of routers.  I had this one nailed, but I spent a LONG time chasing my tail over a really basic issue.  :-(

Be aware that VLAN45 is a /25 subnet.  You’ll also need to add VLAN 45 to the VTP domain.

Here’s where I lost my way:

“Configure trunking between r4, r5, sw3, and sw4 using the information provided in the diagram.”

r4#sh cdp neig | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            146         S I       WS-C3550- Fas 0/4
sw2              Fas 0/0            136         S I       WS-C3560- Fas 0/4

r4#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.4          191.1.4.4       YES NVRAM  up                    up
FastEthernet0/0.40         191.1.40.4      YES NVRAM  up                    up
FastEthernet0/0.45         191.1.45.4      YES NVRAM  up                    up
FastEthernet0/0.49         191.1.49.4      YES NVRAM  up                    up

I initially thought that the lab diagram was wrong.  Interface fa0/1 – not fa0/0 – is connected to sw4.  I was cursing IE and the routing gods for this colossal waste of time.  BUT….(as is so often the case) I WAS WRONG.  The diagram is right.  The question threw me off as it states that I need to configure trunking between sw3 and the other devices.  Some of the endpoints are on sw3, but some of these VLANs traverse sw2 (in VTP domain NET12), so I need to configure dot1q trunking on that switch (connected to r4) as well as add the VLANs to sw1 (the VTP server for the NET12 domain).

I really blew it on this task.  If this were the actual lab, I would not only have failed, but I would have looked like an idiot in the process.

1.7 Layer 2 Tunneling

Basically tunnel from r4 fa0/1 to sw2 fa0/18.

r4#sh run int fa0/1
interface FastEthernet0/1
 ip address 191.1.48.4 255.255.255.0

sw2#sh run int fa0/18
interface FastEthernet0/18
 no switchport
 ip address 191.1.48.8 255.255.255.0

You will need to use 802.1Q (dot1q) tunneling to accomplish this task.

switchport mode

dot1q-tunnel
Set the port as an IEEE 802.1Q tunnel port.

You’ll need to build your l2 tunnel across these ports:

r4#sh cdp neig fa0/1 | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            136         S I       WS-C3550- Fas 0/4

sw2#sh cdp neigh fa0/18 | b Device
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw3                 Fas 0/18              170            S I      WS-C3550-2 Fas0/18

The switch is kind enough to warn you of a pitfall:

sw4(config-if)#swit mode dot1q-tunnel
sw4(config-if)#
03:03:12: %DOT1Q_TUNNELLING-4-MTU_WARNING:
System MTU of 1500 might be insufficient for 802.1Q tunnelling.
802.1Q tunnelling requires system MTU size of 1504 to handle maximum size ethernet frames.

system mtu

I see a reload in my future:

sw4(config)#system mtu 1504
Changes to the System MTU will not take effect until the next reload is done.

Task 1.7 l2tunnel

r4#sh cdp neigh f0/1 | i sw2
sw2              Fas 0/1            169         S I       WS-C3560- Fas 0/18

sw2#sh cdp neigh fa0/18 | i r4
r4                  Fas 0/18              131           R S I     2651XM    Fas0/1

Sweet!!!

1.8 MAC Filtering

This was a pretty basic port-security task. 

switchport port-security

***  Update: Don’t use ‘sticky’ as I posted below.  These MAC addresses are NOT learned dynamically.  I did not remove this from my post just to show you how stupid I am sometimes.  :-)  *** 

I used the sticky option (“When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.”) but I would ask the proctor to clarify this.  IE did not use that option.

The only “twist” is the second subtask:

“In the case that other hosts try to access this port a syslog message should be sent to the server 191.1.7.100.”

First we have to change the switchport port-security from the default of shutdown:

violation
 (Optional) Set the security violation mode or the action to be taken if port security is violated. The default is shutdown.
 

Do I choose restrict or protect?  My CCNP knowledge has flowed out of my skull.  :-)

sw2(config-if)#swit port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode

  shutdown  Security violation shutdown mode

protect
Set the security violation protect mode. In this mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
 
restrict
Set the security violation restrict mode. In this mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

 
Restrict it is!!!

sw2#sh port-security int fa0/10
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 4
Configured MAC Addresses   : 4

Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

sw2#sh port-security int fa0/10 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
  10    0050.7014.8ef0    SecureConfigured         Fa0/10       -
  10    00cd.144e.07bf    SecureConfigured         Fa0/10       -
  10    00d0.341c.7871    SecureConfigured         Fa0/10       -
  10    00d0.586e.b710    SecureConfigured         Fa0/10       -
------------------------------------------------------------------------
Total Addresses: 4

I wasted some time by looking for documentation on how to configure a syslog server.  DOH!!!

sw2(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host
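
The three violation modes quoted above, modelled in Python as an added example (this is my illustration, not the lab configuration or Cisco code).  With the maximum number of secure MACs already configured, 'protect' drops unknown-source frames silently, 'restrict' drops them but logs a syslog message and counts the violation, and 'shutdown' err-disables the port.  The four secure addresses are the ones shown on sw2 fa0/10 above; the rogue MAC and the syslog text are constructed approximations.

```python
# Port-security violation modes as an added illustration (not the lab's own
# configuration or Cisco code). Mirrors the DocCD text: once the maximum number
# of secure MACs is present, 'protect' drops unknown sources silently, 'restrict'
# drops them and also logs/counts the violation, 'shutdown' (the IOS default)
# err-disables the port on the first violation.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    name: str
    secure_macs: Set[str]          # statically configured secure addresses
    maximum: int = 1               # switchport port-security maximum
    violation: str = "shutdown"    # protect | restrict | shutdown
    violation_count: int = 0
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if forwarded, False if dropped."""
        if self.err_disabled:
            return False                      # port stays down after a shutdown violation
        if src_mac in self.secure_macs:
            return True                       # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)     # room left: learn it as a secure address
            return True
        # maximum reached and the source is unknown: this is a violation
        if self.violation == "protect":
            return False                      # dropped, and nobody is told
        self.violation_count += 1
        # message text approximates the IOS %PORT_SECURITY-2-PSECURE_VIOLATION syslog
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True          # err-disable the port, as IOS does
        return False


# Constructed scenario: the four configured addresses are the ones shown on
# sw2 fa0/10 above; ROGUE is a constructed unknown host.
CONFIGURED = {"0050.7014.8ef0", "00cd.144e.07bf", "00d0.341c.7871", "00d0.586e.b710"}
ROGUE = "0000.0c12.3456"
FRAMES = ["0050.7014.8ef0", ROGUE, "00cd.144e.07bf", ROGUE]


def run(mode: str) -> dict:
    """Replay FRAMES against a port in the given violation mode and summarise."""
    port = SecurePort("FastEthernet0/10", set(CONFIGURED), maximum=4, violation=mode)
    forwarded = [mac for mac in FRAMES if port.receive(mac)]
    return {"forwarded": forwarded,
            "violations": port.violation_count,
            "syslog_messages": len(port.syslog),
            "err_disabled": port.err_disabled}


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run(mode))
```

Only 'restrict' gives you both the syslog message the subtask asks for and a port that keeps serving the four legitimate hosts.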

1.9 Spanning-Tree Convergence

A wordy task translated to: portfast with bpdufilter.  Just be aware of the differences in bpdufilter based on whether you configure it at the interface level or globally:

sw2(config)#spanning-tree portfast bpdufilter default

Understanding BPDU Filtering

Task 1.9 SPT

The task requires that the port return to normal spanning tree forwarding if a BPDU is received.

There is a difference in the behaviour of bpdufilter depending on if it is configured at the interface level or globally.

When you configure bpdufilter on an interface it filters BPDU from being sent or received.

When you configure bpdufilter globally then all interfaces that run portfast will filter sent BPDUs but will revert out of the portfast state if BPDUs are received. This is the desired behaviour for this task.

The DocCD explains it like this:

“When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.”

January 17, 2008

Internetwork Expert Volume III: Lab 2 – Section 2

Bridging and Switching – 9 Points

There were a couple more things that threw me off my game in this lab.  I did not know that the backbone router configurations were not preloaded on the CCOnlineLabs devices.  I was wondering why I could not see the bbs from the switches.  :-)

Also, the bbs are connected to different ports than I am used to.

2.1 Trunking

Very easy task.  IE used “switchport nonegotiate” on all of their trunks.  The task did not state that negotiation should be disabled (nor did it say that we could not dynamically create the trunks).  I am debating if I should turn off DTP whenever I hard-code a trunk in my labs.

The IE solution also shows a configuration for sw2’s fa0/17 as an ISL trunk????  That was not in the task.  They probably meant fa0/20, not 0/17.

IE’s verification command for 2.1 makes no sense either.  They do “sh vtp status” and show sw1 as a vtp server in the CORE domain and the remaining switches as clients in the same domain.  WTF???

2.2 Etherchannel

It’s pretty obvious that whatever lab the solution guide is for, it’s NOT for Vol III lab 2!!!!!  I had an old copy of the solution guide printed out (from 21 July 2007).  It looked much better.  :-)

Inconsistencies between Lab Doc & Solutions Guide

2.3 Layer 3 Interfaces

Another straightforward task.  You won’t be able to ping across vlan59 until you assign vlan59 to fa0/5 on sw3.  Also note that sw3 does not have direct connectivity to r5 – you will need to configure VLAN 58 on sw1 0/5.

2.4 VLAN Assignments

“sw3 should be in charge of creating VLANs; no other switches should be able to modify VLANs that sw3 has created.”

Translated: make sw3 the VTP server and the remaining switches VTP clients.

Speed Tip: Since we don’t have any named vlans we can use one vlan statement on sw3 (vtp server):

sw3(config)#vlan 10,32,23,9,67,59,58,43
sw3(config-vlan)#exit

At this point all of your SVIs should be up/up and you should be able to ping any directly connected interfaces from the switches.

January 12, 2008

Internetwork Expert Volume II: Lab 4 – Section 1

Section 1 –  Bridging and Switching – *26 Points

* Includes 4 points for Troubleshooting section.

Troubleshooting

4 errors this time – yuck.

1)

r2#sh ver | i register
Configuration register is 0x2102 (will be 0x2142 at next reload)

That’s not good.  :-)

r2(config)#config-register 0x2102
r2#sh ver | i register
Configuration register is 0x2102

2)

r6#sh run int s0/0
interface Serial0/0
 ip address 54.1.1.6 255.255.255.128  <-mask should be /24
 encapsulation frame-relay

3)

Frame Relay is configured on the wrong interface (should be s0/0/0) on r2:

r2#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         141.1.0.2       YES manual up                    up
GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down
Serial0/0/0                unassigned      YES NVRAM  administratively down down
Serial0/1/0                141.1.123.2     YES manual up                    down
Loopback0                  150.1.2.2       YES manual up                    up

r2(config)#do sh run int s0/0/0
interface Serial0/0/0
 no ip address
 shutdown

end

r2(config)#do sh run int s0/1/0
interface Serial0/1/0
 ip address 141.1.123.2 255.255.255.0
 encapsulation frame-relay
end

4)

r5(config)#do sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            141.1.145.5     YES manual up                    up
Serial0/0                  141.1.54.5      YES manual up                    up
FastEthernet0/1            141.1.0.5       YES manual up                    up
Serial0/1                  141.1.54.5      YES manual up                    up
Loopback0                  150.1.5.5       YES manual up                    up

r5(config)#int s0/1
r5(config-if)#ip add 141.1.45.5 255.255.255.0

1.1 Trunking

“standards based trunks” + “vlan 255 should be untagged when sent across any of these trunks” = dot1q trunks with native vlan 255.  Nuff said.

1.2 VLAN Assignments

Easy enough VTP configuration with VLAN assignments.  The only unresolved bit is whether we should leave all of the switches in VTP server mode.  I did.  That means you only need to create the VLANs on one switch:

Make sure that your results match by running:

sh vlan br | e unsup|^ |^1 |active[ \t]+$

Well…I thought that this was easy.  I have to work on reading between the lines on these tasks.  You need to create all of the VLANs in the task as well as any VLANs on the diagram (6,7,8,77,88, and 255).  You’ll need to name these VLANs by substituting the digits in the VLAN with their ordinal letter in the alphabet (i.e. VLAN 77 = VLAN_GG).

The IE solution guide is missing the configuration for fa0/24 on sw1.  [note: they may have pulled it or the question may contain a typo].

1.3 Traffic Control

“Enable pruning within the VTP domain.” Just need to configure vtp pruning on any one of the switches as they are all in VTP  server mode.

sw1(config)#vtp pruning
Pruning switched on

“Although sw1 and sw3 do not have VLAN 8 locally assigned ensure that they receive unknown unicast, broadcast, or multicast traffic for VLAN 8 over their lowest numbered trunk link to sw2”

That’s just a long-winded way of saying that VLAN 8 should not be pruned on sw1 fa0/13 and sw3 fa0/16.

Before:
sw1(config)#do sh int fa0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      255

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,6,12,36,43,45,258

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      none

switchport trunk

Set the list of VLANs that are eligible for VTP pruning when in trunking mode. The all keyword is not valid.

sw1(config-if)#switch trunk pruning vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

I could not get the except command to work:

sw3(config-if)#swit trun pru vlan except ?
  WORD  VLAN IDs of disallowed VLANS when this port is in trunking mode

sw3(config-if)#swit trun pru vlan except vlan 8
                                                                          ^
% Invalid input detected at '^' marker.

sw3(config-if)#swit trun pru vlan except vlan8
Command rejected: Bad VLAN list - character #1 is a non-numeric
character ('v').

sw3(config-if)#swit trun pru vlan except 8
Command rejected: Bad VLAN pruning list.

…so I used:

sw1(config-if)#switch trun prun vlan 2-7,9-1001

The other odd bit is that I thought that I would see that vlan 8 was not prune-eligible with “show int fa0/13 trunk”:

sw1#sh int fa0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      255

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,6-8,12,36,43,45,77,88,255,258

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      258

You can use the following to verify the prune list:

sw1#sh int fa0/13 switchport | i Prun
Pruning VLANs Enabled: 2-7,9-1001
sw1#sh int fa0/14 switchport | i Prun
Pruning VLANs Enabled: 2-1001
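
Since the VLAN-list syntax tripped me up above, here is a small parser for it, added as an example (my code, not IOS).  It expands a “2-7,9-1001” style list, rejects non-numeric input with the same character position the switch reported, applies add/remove/none against the default prune-eligible range 2-1001 (VTP never prunes VLAN 1 or VLANs above 1001), and collapses a set back into the form “show interface switchport” prints.  The “except” keyword is not modelled.

```python
# Parser for the VLAN-list syntax used by "switchport trunk pruning vlan",
# added as an example (not IOS code). Expands "2-7,9-1001", reports bad input
# the way the switch did above, and applies add/remove/none to the default
# prune-eligible set 2-1001.
from typing import Optional, Set

DEFAULT_PRUNE_ELIGIBLE = set(range(2, 1002))   # VTP can only prune VLANs 2-1001


class BadVlanList(ValueError):
    pass


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand '2-7,9-1001' into {2..7, 9..1001}; error text mirrors the switch."""
    for pos, ch in enumerate(spec, start=1):
        if not (ch.isdigit() or ch in ",-"):
            raise BadVlanList(
                f"Bad VLAN list - character #{pos} is a non-numeric character ('{ch}').")
    vlans: Set[int] = set()
    for part in filter(None, spec.split(",")):
        lo, sep, hi = part.partition("-")
        if not lo or (sep and not hi):
            raise BadVlanList(f"Bad VLAN list - incomplete element '{part}'.")
        first, last = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= first <= last <= 4094:
            raise BadVlanList(f"Bad VLAN list - range '{part}' is invalid.")
        vlans.update(range(first, last + 1))
    return vlans


def validate(spec: str) -> str:
    """Return '' when spec parses, otherwise the rejection message."""
    try:
        expand_vlan_list(spec)
        return ""
    except ValueError as exc:
        return str(exc)


def pruning_vlans(cmd: str, current: Optional[Set[int]] = None) -> Set[int]:
    """Apply one 'switchport trunk pruning vlan ...' argument to the current list."""
    current = set(DEFAULT_PRUNE_ELIGIBLE if current is None else current)
    keyword, _, rest = cmd.strip().partition(" ")
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | expand_vlan_list(rest)
    if keyword == "remove":
        return current - expand_vlan_list(rest)
    if keyword == "except":
        raise BadVlanList("'except' is not modelled in this example.")
    new = expand_vlan_list(cmd.strip())
    if not new <= DEFAULT_PRUNE_ELIGIBLE:
        # this model refuses VLAN 1 and VLANs above 1001, which are never prune-eligible
        raise BadVlanList("Bad VLAN pruning list.")
    return new


def format_vlan_list(vlans: Set[int]) -> str:
    """Collapse a set back into the '2-7,9-1001' form the switch prints."""
    out, run_start, prev = [], None, None
    for v in sorted(vlans) + [None]:          # None is a sentinel that flushes the last run
        if run_start is None:
            run_start = prev = v
        elif v is not None and v == prev + 1:
            prev = v
        else:
            out.append(str(run_start) if run_start == prev else f"{run_start}-{prev}")
            run_start = prev = v
    return ",".join(out)


if __name__ == "__main__":
    print(format_vlan_list(pruning_vlans("2-7,9-1001")))   # 2-7,9-1001
    print(8 in pruning_vlans("2-7,9-1001"))                  # False
    print(validate("vlan8"))
```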

The last subtask states:

“Traffic for VLAN 8 should not be received over any of the other trunk links.”

I thought that you would need to explicitly configure the other trunks to not allow VLAN 8 (“switchport trunk allowed”).  IE does not do that, even though the other trunks do allow VLAN 8:

sw1#sh int fa0/14 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/14      on           802.1q         trunking      255

Port        Vlans allowed on trunk
Fa0/14      1-4094

Port        Vlans allowed and active in management domain
Fa0/14      1,6-8,12,36,43,45,77,88,255,258  <-note

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/14      none

1.4 Spanning-Tree Protocol

You need to configure sw1 as the primary spanning-tree root bridge and sw3 as the secondary root bridge for vlan 258.

“All VLAN 258 traffic from sw2 to sw1 should transit sw4”
“In the event that sw2’s path to sw1 through sw3 is down, sw2 should use the directly connected trunk links to reach sw1 directly.”
“Use the fewest number of commands to accomplish this task and do not alter sw1’s port-priorities.”

“do not alter sw1’s port-priorities” means that we’ll use port-cost to affect vlan 258’s traffic.

We have two options: cost or port-priority.  If I am the root trying to affect how traffic comes towards me, I will use port-priority.  If I am on a non-root switch and I want to affect the way that traffic flows to the root, I will use cost.

Port-priority is looking down the spanning-tree.
Cost is looking up the spanning-tree.

spanning-tree cost

Before:
sw2#sh span vlan 258

VLAN0258
  Spanning tree enabled protocol ieee
  Root ID    Priority    24834
             Address     0012.018f.d580
             Cost        19
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33026  (priority 32768 sys-id-ext 258)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 19        128.15   P2p  <- sw1
Fa0/14           Altn BLK 19        128.16   P2p  <- sw1
Fa0/15           Altn BLK 19        128.17   P2p  <- sw1
Fa0/16           Desg FWD 19        128.18   P2p  <- sw3
Fa0/17           Desg FWD 19        128.19   P2p  <- sw3
Fa0/18           Desg FWD 19        128.20   P2p  <- sw3

In this case we need to change the port-cost so that sw3 is preferred (lower cost on ports to sw3).  The path directly to sw1 will be used if the path to sw3 goes down, so we will satisfy both  subtasks.

sw2(config-if-range)#spanning vlan 258 cost ?
  <1-200000000>  Change an interface's per VLAN spanning tree path cost

sw2(config)#inter range fa0/13 - 15
sw2(config-if-range)#spanning vlan 258 cost 2000

After waiting for spanning-tree to recalculate:

sw2(config-if-range)#do sh span vlan 258 | b Interface
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.4    P2p
Fa0/13           Altn BLK 2000      128.15   P2p
Fa0/14           Altn BLK 2000      128.16   P2p
Fa0/15           Altn BLK 2000      128.17   P2p
Fa0/16           Root FWD 19        128.18   P2p  <-booyah!!!
Fa0/17           Altn BLK 19        128.19   P2p
Fa0/18           Altn BLK 19        128.20   P2p

I did waste a lot of time fretting over the “minimum configuration” requirement.  In the real lab, I’d just note this task and come back to it later to check for a slimmer configuration.  As it was, I got this correct.

1.5 Link Failure Detection

I knew right away that this task would require some digging in the DOC.  In the real lab I would skip this non-core task and come back to it later.

“Configure sw1 and sw2 so that port fa0/15 is brought down in the case that either switch can send traffic, but not receive, or vice versa.”
“As an additional precaution configure sw1 so that interface fa0/15 is not mistakenly elected as a designated port in the above case.”

Reading these subtasks made me think of UniDirectional Link Detection and BPDU guard.

udld port

sw1(config-if)#udld port ?
  aggressive  Enable UDLD protocol in aggressive mode on this interface
 <cr>

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD also detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links.

Aggressive it is then.  :-)

After configuring both sides:

sw1#show udld fa0/15
Interface Fa0/15

Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement – Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 31
    Device ID: 1
    Current neighbor state: Bidirectional
    Device name: CAT0835X0US
    Port ID: Fa0/15
    Neighbor echo 1 device: CAT0837N1AS
    Neighbor echo 1 port: Fa0/15

    Message interval: 15
    Time out interval: 5
    CDP Device name: sw2

The IE solution guide warns:

“The global command udld enable only applies to fiber interfaces.  Ensure to use the interface command udld port aggressive for copper interfaces.”

I didn’t configure udld globally.  I figured that if the switch threw an error when I configured it at the interface level, then I would configure it globally and reconfigure it on the interface.  So I avoided a pitfall through sheer dumb luck rather than an understanding of udld.  :-)

I was wrong about BPDU guard though.  I needed loop guard instead:

spanning-tree guard

sw1#sh spanning-tree interface fa0/15 detail
 Port 17 (FastEthernet0/15) of VLAN0001 is blocking
   Port path cost 19, Port priority 128, Port Identifier 128.17.
   Designated root has priority 32769, address 000a.410e.0600
   Designated bridge has priority 32769, address 0012.009c.ca00
   Designated port id is 128.17, designated path cost 19
   Timers: message age 3, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Loop guard is enabled on the port 
   BPDU: sent 118, received 4578
-----output truncated-----

1.6 Spanning-Tree Protocol

I need to make sw3 show this output:

VLAN0258
  Spanning tree enabled protocol ieee

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/5            Desg FWD 100       128.5    P2p
Fa0/16           Desg FWD 19        128.16   P2p
Fa0/17           Desg FWD 19        128.17   P2p
Fa0/18           Desg FWD 19        128.18   P2p
Fa0/19           Altn BLK 19        128.19   P2p
Fa0/20           Altn BLK 19        128.20   P2p
Fa0/21           Root FWD 19        128.21   P2p

Basically I need to make fa0/21 the root port (fa0/19 is currently the root port) without changing the port-cost or priority on sw3. [Technically I should have changed the cost on fa0/5 as my current cost is 19, but that is an artifact of my r5 using a FastEthernet rather than an Ethernet port]

This should be easy enough.  I will change the spanning-tree priority on sw4 to prefer fa0/21:

sw3#sh cdp neigh fa0/21 | b Device
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw4                 Fas 0/21              141            S I      WS-C3550-2Fas0/21

spanning-tree port-priority

sw4(config-if)#spanning-tree vlan 258 port-priority ?
  <0-240>  port priority in increments of 16

sw3#sh sp v 258

VLAN0258
  Spanning tree enabled protocol ieee

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/5            Desg FWD 19        128.5    P2p
Fa0/16           Desg FWD 19        128.16   P2p
Fa0/17           Desg FWD 19        128.17   P2p
Fa0/18           Desg FWD 19        128.18   P2p
Fa0/19           Altn BLK 19        128.19   P2p
Fa0/20           Altn BLK 19        128.20   P2p
Fa0/21           Root FWD 19        128.21   P2p  <-sweet!!!!
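
To tie tasks 1.4 and 1.6 together (“cost is looking up the tree, port-priority is looking down”), here is root-port selection on a non-root switch as an added worked example; this is my illustration, not the lab’s or IE’s code.  It applies the 802.1D tie-break order to the BPDUs a switch receives: lowest root path cost, then lowest sender bridge ID, then lowest sender port ID, then lowest local port ID.  sw1’s bridge ID, the costs and the port numbers come from the outputs above; sw3’s and sw4’s MAC addresses, their root path cost of 19, and the port-priority value 64 are assumed.

```python
# Root-port selection as an added worked example for tasks 1.4 and 1.6 (my code,
# not the lab's). 802.1D tie-break order on received BPDUs: lowest root path cost,
# then lowest sender bridge ID, then lowest sender port ID, then lowest local port ID.
# sw1's bridge ID, costs and port numbers come from the page; sw3/sw4 MACs, their
# root path cost (19) and the port-priority value used (64) are assumed.
from dataclasses import dataclass
from typing import List, Tuple

BridgeID = Tuple[int, str]   # (priority, MAC), compared as a tuple


@dataclass(frozen=True)
class Candidate:
    local_port: str        # the receiving port on this switch
    local_num: int         # its port number (Fa0/13 shows as 128.15 on sw2)
    local_cost: int        # spanning-tree cost configured on that port
    sender_root_cost: int  # root path cost carried in the neighbour's BPDU
    sender_bridge: BridgeID
    sender_port_prio: int = 128
    sender_port_num: int = 0
    local_prio: int = 128


def root_port(cands: List[Candidate]) -> str:
    """Return the local port that becomes the root port."""
    def key(c: Candidate):
        return (c.sender_root_cost + c.local_cost,      # 1. root path cost
                c.sender_bridge,                        # 2. sender bridge ID
                (c.sender_port_prio, c.sender_port_num),  # 3. sender port ID
                (c.local_prio, c.local_num))            # 4. local port ID
    return min(cands, key=key).local_port


SW1 = (24834, "0012.018f.d580")   # VLAN 258 root bridge, from the sw2 output above
SW3 = (33026, "0000.0000.0003")   # assumed MAC for sw3
SW4 = (33026, "0000.0000.0004")   # assumed MAC for sw4


def sw2_root_port(cost_to_sw1: int, sw3_links_up: bool = True) -> str:
    """Task 1.4: sw2 hears sw1 (the root) on fa0/13-15 and sw3 on fa0/16-18."""
    cands = [Candidate(f"Fa0/{p}", p + 2, cost_to_sw1, 0, SW1, 128, p + 2)
             for p in (13, 14, 15)]
    if sw3_links_up:
        # sw3 is assumed to sit one 19-cost hop from sw1
        cands += [Candidate(f"Fa0/{p}", p + 2, 19, 19, SW3, 128, p)
                  for p in (16, 17, 18)]
    return root_port(cands)


def sw3_root_port(sw4_fa21_priority: int = 128) -> str:
    """Task 1.6: sw3's fa0/19-21 all face sw4; only sw4's port-priority differs."""
    cands = [Candidate(f"Fa0/{p}", p, 19, 19, SW4,
                       sw4_fa21_priority if p == 21 else 128, p)
             for p in (19, 20, 21)]
    return root_port(cands)


if __name__ == "__main__":
    print("sw2 before:", sw2_root_port(19))                        # Fa0/13
    print("sw2 after cost 2000:", sw2_root_port(2000))             # Fa0/16
    print("sw2, sw3 links down:", sw2_root_port(2000, False))      # Fa0/13
    print("sw3 default:", sw3_root_port())                         # Fa0/19
    print("sw3, sw4 fa0/21 priority 64:", sw3_root_port(64))       # Fa0/21
```

Raising the cost on sw2’s own uplinks changes step 1 of the comparison, while lowering port-priority on sw4 changes step 3 as seen by sw3, which is why the cost change goes on the downstream switch and the priority change on the upstream one.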

1.7 Rate-Limiting

Another task that I would probably skip and come back to later if this came up on the actual lab.  I had to peek at the solution guide because I did not recognize that this task was asking me to configure storm-control.

storm-control

Unicast traffic – average packet size of 954 Bytes – average of 250 packets per second

sw1(config-if)#storm-control unicast level ?
  <0.00 - 100.00>  Enter rising threshold
  bps              Enter suppression level in bits per second
  pps              Enter suppression level in packets per second

954 x 8 x 250 = 1908000 bps <-this is a rabbit hole. 

Read the options…pps would be much easier.

sw1(config-if)#storm-control unicast level pps ?
  <0.0 - 10000000000.0>[k|m|g]  Enter rising threshold

sw1(config-if)#storm-control unicast level pps 250 ?
  <0.0 - 10000000000.0>[k|m|g]  Enter falling threshold
  <cr>

sw1(config-if)#storm-control unicast level pps 250

sw1#sh storm-control unicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding        250 pps      250 pps        0 pps

I need to review storm-control because I would not have received the points for this task even if I had been able to figure out that the task required storm-control.

1.8 QoS

This is a simple IP Prec to DSCP mutation mapping.

Configuring DSCP Maps

sw2(config)#mls qos map ip-prec-dscp ?
  <0-63>  8 dscp values separated by spaces

sw2(config)#mls qos map ip-prec-dscp 0 0 0 0 32 40 0 0

sw2#sh mls qos maps ip-prec-dscp
   IpPrecedence-dscp map:
     ipprec:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  0  0  0 32 40  0  0

1.9 QoS

This is another easy QoS task (especially if you have worked with VoIP phones).

Configuring the Trust State on Ports within the QoS Domain

sw2(config)#int fa0/2
sw2(config-if)#mls qos trust ?
  cos            cos keyword
  device         trusted device class
  dscp           dscp keyword
  ip-precedence  ip-precedence keyword
  <cr>

sw2(config-if)#mls qos trust ip-precedence
sw2(config-if)#do sh mls qos int fa0/2
FastEthernet0/2
QoS is disabled. When QoS is enabled, following settings will be applied
trust state: trust ip-precedence
trust mode: trust ip-precedence
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

Make sure that you enable mls qos globally (the IE solution guide skips this step):

sw2(config)#mls qos
sw2(config)#do sh mls qos int fa0/2
FastEthernet0/2
trust state: trust ip-precedence
trust mode: trust ip-precedence
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

January 6, 2008

Internetwork Expert Volume III: Lab 1 – Section 2

2 Bridging and Switching

2.1 VLAN Assignments

This is a pretty easy task.  You need to set up sw1 as a VTP server and the remaining switches as VTP clients.  You are then given a list of named VLANs to configure as well as a list of ports with VLAN assignments.

IE refers to the VLANs by VLAN name (i.e. VLAN_B) instead of the VLAN number.  You need to use the number when assigning a port to a VLAN:

sw1(config-if)#swit acc vla ?
  <1-4094>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS

sw1(config-if)#swit acc vla VLAN_B
                                                ^
% Invalid input detected at '^' marker.

The initial configurations have shut down most of the ports so there are no trunks negotiated by default, so if you do these tasks in order, be sure to come back and verify VTP and access ports after your trunks are up and VTP has propagated the VLANs.

The IE solution guide shows that they are using “switchport mode access” under the ports.  I don’t see anything in the task that requires this.

My solution:

interface FastEthernet0/1
 switchport access vlan 14

sw1#sh int fa0/1 switch
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 14 (VLAN_A)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
---output truncated---

IE answer:

interface FastEthernet0/1
 switchport access vlan 14
 switchport mode access

sw1(config-if)#do sh int fa0/1 swit
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 14 (VLAN_A)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
---output truncated---

2.3 Etherchannel

Simple Etherchannel task.  This subtask is a red herring:

“Use the default native VLAN for this connection.”

Dot1q trunking uses VLAN 1 as the native VLAN by default, so no additional configuration is necessary:

sw1(config)#do sh int po1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

Since no channel-group protocol or number was specified in the task,  I used “on” and “1” respectively:

interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on

2.3 Trunking

Be careful on this task.  They are asking for two distinct, non-contiguous dot1q trunks.  You can still use “interface range” to shave a little time off of this task though:

sw2(config)#int rang fa0/19,fa0/21
sw2(config-if-range)#swit tru en dot
sw2(config-if-range)#swit mod tru
sw2(config-if-range)#no shut

2.4 Etherchannel

Mind the order of operations for Layer 3 Etherchannels during this task.  The IE solution guide has a nice example of the correct order of operations.  Also, this task asks you to “use all remaining directly connected inter-switch links” between sw2 and sw3 as well as sw2 and sw4.  This gets a little difficult due to the initial configurations setting some of the connected ports in shutdown.  Unless you are given a layer 2 map with all of the inter-switch connections listed in the actual lab, this would be a pain in the ass as you would need to do a “no shut” ports on sw2, sw3, and sw4 to see the connections via “show cdp neighbor”.  Also note that both Layer 3 Etherchannels use a /25 (255.255.255.128) mask.  You’ll discover one of the two initial configuration errors during this task.

January 1, 2008

Internetwork Expert Volume III: Lab 3 – Section 2

2 Bridging and Switching

2.1 VLAN Assignments

This should have been a very simple task, but a couple of interesting wrinkles made this a harder task than normal.  I was going to blog my whole “stream of thought” experience, but you’ll get enough of that in section 4, so I’ll spare you.  :-)

Usually you are given a list of VLANs and interfaces to configure, but in this case you are asked to configure VLANs and interfaces from the network diagram only.  This is a really good exercise.  The biggest twist with this lab (and the part that took me the most amount of time) is that you will not have VTP to propagate the VLANs to the appropriate switches (more on that in a bit) so you will need to make sure that you take trunking into account when assigning VLANs to each switch.

The reason you cannot use VTP is because one of the VLANs you need to configure is VLAN 2569.  This is an extended VLAN so VTP will not allow you to configure it:

sw1(config)#vtp mode server
sw1(config)#vtp domain IE
Changing VTP domain name from NULL to IE
sw1(config)#vlan 2569
sw1(config-vlan)#exit
% Failed to create VLANs 2569
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.

In this case VLAN 2569 is going to need to be present on each switch.  We are also tasked with running VTP so we’ll need to configure all of the switches as VTP Transparent.  This means that your VLANs are not going to propagate from switch to switch.  The easy way to handle this is to assign all known VLANs on each switch.  The IE solution does not show this.  This may be a limitation of this subtask:

“Configure VLAN assignments per the diagram.”

In the real lab you should ask the proctor about this.  It’s also good to know that you can configure all known VLANs on each switch as a workaround if you are short on time.

One other caveat for this task: you will not be able to verify reachability for some addresses until you get your trunking built (covered in the next two tasks).

2.2 Trunking

This is a very easy trunking task.  The only bit of oddness is that the IE solution guide has “switchport nonegotiate” for all trunking interfaces. I don’t see anything in the task that requires that DTP be disabled.  

2.3 EtherChannel

Easy enough.  A layer 2 map comes in handy as you are only given the interfaces on one side of each etherchannel. 

IE solution is wrong for subtask 2.  It shows “channel-group 1 mode active” when it should be “channel-group 2 mode active”.

December 18, 2007

Internetwork Expert Volume II: Lab 3 – Section 1

Section 1 –  Bridging and Switching – 18 Points

I did well on this section.  This was the first lab that they threw some spanning-tree tasks at you.  Most of the tasks were pretty basic.  As you progress through the Volume II labs, you will definitely become proficient at creating trunks and EtherChannels.  This was also the first lab that I have done in which the switches had VTP configured for you.  Although VTP is configured (sw1 is the server, sw2-4 are clients), trunking is not.  This is important to note as your first few tasks will require trunking to be enabled before you can verify those tasks.  You’ll need to decide whether you want to jump ahead and configure trunking right away or wait until the trunking task to verify your first two tasks.  Yet another great reason to read the test before beginning.

NOTE: I’m going to refer to a task as the entire list of required configurations and sub-tasks as the individual configure requests within a task.  I think that I have been using task and section to mean multiple things in my past postings.  For example:

Bridging and Switching

1.1  VTP
Create a VTP domain called PILKINGTON on switches sw1 – 4.
Use VTP password KARL on all switches.
Make sw1 the VTP server.
Make sw2 – 4 VTP clients.

The section is “Bridging and Switching”, the task is “1.1 VTP”, and the sub-tasks are the four configuration steps.  Hopefully this will clear up any confusion.

1.1 Trunking

This was a basic trunking task.  You are setting up router-on-a-stick.  This implies that you will need to hard-code the trunk to dot1q encapsulation.  The twist (for me at least) in this is that the router will have a single IP address on its physical Ethernet port instead of IP addresses (in different subnets) on the subinterfaces.  I see bridging in my future.  :-)

Configuring Routing Between VLANs with IEEE 802.1Q Encapsulation

I could not find a document in the DOC that dealt with router-on-a-stick.  I’ll search for it later this week.

If you haven’t created the trunks yet (sw2 (VTP client) is the switch that you configure the trunk on) then you will have issues when verifying this task:

sw2(config-if)#do sh run int fa0/6

interface FastEthernet0/6
 description ->r6 VLANs 16, 36 (router on a stick)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,36
 switchport mode trunk

sw2#sh int fa0/6 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/6       16,36

Port        Vlans allowed and active in management domain
Fa0/6       none

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       none

sw2(config-if)#do sh vlan id 36
VLAN id 36 not found in current VLAN database
sw2(config-if)#do sh vlan id 16
VLAN id 16 not found in current VLAN database

My first instinct was to add the VLANs to the switch:

sw2(config)#vlan 16
%VTP VLAN configuration not allowed when device is in CLIENT mode.

Add them to the server (sw1)?  Answer: no.  They already exist:

sw1#sh vlan brief | i 16|36
16   VLAN0016                         active    Fa0/1
36   VLAN0036                         active

I’ll just need to wait until trunking is built between sw1 and sw2 for these VLANs to appear on sw2.  Here’s what your verification will look like after trunking has been built:

sw2(config)#do sh int fa0/6 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/6       16,36

Port        Vlans allowed and active in management domain
Fa0/6       16,36

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       16,36

1.2 IP Bridging

Crap.  Bridging.  I hates me some bridgin’.  :-)

“r1 and r3 are in the same IP subnet (136.1.136.0/24), but in different broadcast domains.” <-vlan 16 and 36 as per task 8.1
“Configure r6 to bridge IP traffic between VLAN 16 and VLAN 36.”
“Ensure that the rest of the routing domain can communicate with both r1 and r3 via IP.” <- must be able to ping from all other devices

Time to hit the DOC:

Configuring Transparent Bridging

Cisco IOS Bridging Commands

Let’s get to it:

r6(config)#bridge 1 protocol ?
  dec          DEC protocol
  ibm          IBM protocol
  ieee         IEEE 802.1 protocol
  vlan-bridge  vlan-bridge protocol

r6(config-if)#int fa0/0
r6(config-if)#bridge-group 1

r6(config)#int bv1
Integrated Routing and Bridging is not configured!

Nuts!  I forgot to enable irb:

bridge irb

bridge route

r6(config)#bridge ?
  <1-255>            Bridge Group number for Bridging.
  cmf                Constrained multicast flooding
  crb                Concurrent routing and bridging
  irb                Integrated routing and bridging
  mac-address-table  MAC-address table configuration commands

r6(config)#bridge irb
r6(config)#bridge 1 route ?
  appletalk  AppleTalk
  clns       ISO CLNS
  decnet     DECnet
  ip         IP
  ipx        Novell IPX

r6(config)#bridge 1 route ip

At this point I had everything configured and I tried to ping r1 from r3 and vice versa – no go.  What did I do wrong?

r1#p 136.1.136.3 <-r3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.136.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Doh!!!  This isn’t going to work until sw1 and sw2 can exchange VLANs via VTP. 

After trunking is configured:

r6#sh bridge

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
0011.93b0.7640   forward   Fa0/0.16          0          1          0

r1#p 136.1.136.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.136.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

r3#p 136.1.136.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.136.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 

Booyah!!!  [this took me forever to get through]

Cool command:

show interfaces irb

r6#sh int irb | sec 0/0.16
FastEthernet0/0.16 ->VLAN 16
 Routed protocols on FastEthernet0/0.16:
  ip

 Bridged protocols on FastEthernet0/0.16:
  appletalk  clns       decnet     ip

 Software MAC address filter on FastEthernet0/0.16
  Hash Len    Address      Matches  Act      Type
  0x00:  0 ffff.ffff.ffff         6 RCV Physical broadcast
  0x2A:  0 0900.2b01.0001         0 RCV DEC spanning tree
  0x60:  0 000f.9098.cff0         0 RCV Interface MAC address
  0x60:  1 000f.9098.cff0         0 RCV Bridge-group Virtual Interface
  0xC0:  0 0100.0ccc.cccc         0 RCV CDP
  0xC1:  0 0100.0ccc.cccd       137 RCV SSTP MAC address
  0xC2:  0 0180.c200.0000         0 RCV IEEE spanning tree
  0xC2:  1 0180.c200.0000         0 RCV IBM spanning tree
  0xC2:  2 0100.0ccd.cdce         0 RCV VLAN Bridge STP

1.3 Trunking

This is a simple task to configure trunking between sw1 and sw2 and to do the same between sw1 and sw3.  Simple, except that they threw in the dreaded “minimal configuration” restriction:

“Use the MINIMUM CONFIGURATION POSSIBLE to accomplish this task”.

sw1 and sw2 are 3560s and sw3 is a 3550. 

Minimum configuration between two 3560s

The default on the 3560s is “switchport mode dynamic auto”, so they will only dynamically trunk if the other side is NOT set to auto.  We can simply configure “switchport mode dynamic desirable” on one switch (let’s use sw1):

sw1(config)#int range fa0/13 – 15
sw1(config-if-range)#switch mode dyn des
sw1(config-if-range)#no sh

sw2(config)#int range fa0/13 – 15
sw2(config-if-range)#no sh

sw1#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    n-isl          trunking      1
Fa0/14      desirable    n-isl          trunking      1
Fa0/15      desirable    n-isl          trunking      1

sw2#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      auto         n-isl          trunking      1
Fa0/14      auto         n-isl          trunking      1
Fa0/15      auto         n-isl          trunking      1

Minimum configuration  between a 3560 and  a 3550

This is easy because the 3550’s default is “switchport mode dynamic desirable”, so it will trunk with a 3560 (default “switchport mode dynamic auto”) by simply opening the ports:

sw1(config)#int range fa0/15 – 16
sw1(config-if-range)#no sh

sw3(config)#int range fa0/13 – 14
sw3(config-if-range)#no sh

sw1#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/16      auto         n-isl          trunking      1
Fa0/17      auto         n-isl          trunking      1

sw3#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    n-isl          trunking      1
Fa0/14      desirable    n-isl          trunking      1

1.4 Link Aggregation

This is a simple EtherChannel task that took a bizarre turn.  I ended up having to troubleshoot some weirdness.  It started with this error:

02:54:53: %EC-5-L3DONTBNDL2: Fa0/15 suspended: LACP currently not enabled on the remote port.

sw4(config-if-range)#do sh eth sum
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
14     Po14(SU)        LACP      Fa0/13(P)   Fa0/14(P)   Fa0/15(s)
sw1(config-if-range)#do sh eth sum
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
14     Po14(SU)        LACP      Fa0/19(P)   Fa0/20(P)   Fa0/21(D)

sw1(config-if-range)#do sh run int fa0/21
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 14 mode passive

sw1(config-if-range)#do sh cdp neigh | i sw4
sw4                 Fas 0/20              154            S I      WS-C3550-2Fas0/14
sw4                 Fas 0/19              154            S I      WS-C3550-2Fas0/13

Strange, my configuration is correct.  Why can’t I get that one link in the EtherChannel up?

After all of the troubleshooting, the problem was PEBKAC:

sw1(config-if)#do sh int fa0/21
FastEthernet0/21 is down, line protocol is down (notconnect)

I had the cable that should have been connected to sw1 fa0/21 in sw2.  :(

This (hopefully) won’t be an issue in the lab.  I should have resolved this much more quickly by noting that the link was suspended (s) on one side and down (D) on the other.

1.5 Spanning-Tree Protocol

The first sub-task was to make sw1 the root switch for certain VLANs:

sw1(config)#spanning-tree vlan 4,44,52,63 root primary

sw1#sh spanning-tree root

[0012.018f.d580 is sw1's MAC Address]

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 000a.410e.0600        19    2   20  15  Fa0/16
VLAN0003         32771 000a.410e.0600        19    2   20  15  Fa0/16
VLAN0004         24580 0012.018f.d580         0    2   20  15
VLAN0016         32768 000f.9098.cff0        38    2   20  15  Fa0/13
VLAN0029         32797 000a.410e.0600        19    2   20  15  Fa0/16
VLAN0036         32768 000f.9098.cff0        38    2   20  15  Fa0/13
VLAN0044         24620 0012.018f.d580         0    2   20  15
VLAN0052         24628 0012.018f.d580         0    2   20  15
VLAN0057         32825 000a.410e.0600        19    2   20  15  Fa0/16
VLAN0063         24639 0012.018f.d580         0    2   20  15

“All traffic between sw1 and sw2 for these VLANs should transit the trunk between sw1 and sw2’s port fa0/15″
“This configuration should be done on sw1″

So we want to make fa0/15 on sw2 the Root port.  Let’s use vlan 4 as an example:

sw2#sh span vlan 4

VLAN0004
  Spanning tree enabled protocol ieee
  Root ID    Priority    24580
             Address     0012.018f.d580
             Cost        19
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32772  (priority 32768 sys-id-ext 4)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 19      128.15   P2p
Fa0/14           Altn BLK 19        128.16   P2p
Fa0/15           Altn BLK 19        128.17   P2p

Basically we want to reverse the existing root port preference so that it becomes fa0/15, then fa0/14, then fa0/13, BUT we need to make the configuration on sw1.

Port Priority vs Cost (from Lab 3 Breakdown):

Two options: cost or port-priority.  If I am the root trying to affect how traffic comes towards me, I will use port-priority.  If I am on a non-root switch and I want to affect the way that traffic flows to the root, I will use cost.

Port-priority is looking down the spanning-tree.
Cost is looking up the spanning-tree.

Port-priority is always done closest to the root.  Port-priority only shows on the switch it is configured on.

Configuring Port Priority

sw1(config-if)#spanning-tree vlan 4,44,52,63 port-priority ?
  <0-240>  port priority in increments of 16

sw1(config)#int fa0/15
sw1(config-if)#spanning-tree vlan 4,44,52,63 port-priority 0
sw1(config-if)#int fa0/14
sw1(config-if)#spanning-tree vlan 4,44,52,63 port-priority 16
sw1(config-if)#int fa0/13
sw1(config-if)#spanning-tree vlan 4,44,52,63 port-priority 32

I would ask the proctor about the priority values.  Should we use the values above?  Should we only alter fa0/15 and fa0/14 and leave fa0/13 alone (default 128)?

sw1(config-if)#do sh sp v 4 | b Inter
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg FWD 19         32.15   P2p <-3rd pref
Fa0/14           Desg FWD 19         16.16   P2p <-2nd pref
Fa0/15           Desg FWD 19          0.17   P2p <-1st pref
Fa0/16           Desg FWD 19        128.18   P2p
Fa0/17           Desg FWD 19        128.19   P2p
Po14             Desg FWD 9         128.176  P2p
sw2#sh sp v 4 | b Inter
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/4            Desg FWD 19        128.6    P2p
Fa0/13           Altn BLK 19        128.15   P2p
Fa0/14           Altn BLK 19        128.16   P2p
Fa0/15           Root FWD 19        128.17   P2p

The IE answer used the following:

interface FastEthernet0/13
 switchport mode dynamic desirable
!
interface FastEthernet0/14
 switchport mode dynamic desirable
 spanning-tree vlan 4,44,52,63 port-priority 32
!
interface FastEthernet0/15
 switchport mode dynamic desirable
 spanning-tree vlan 4,44,52,63 port-priority 16

From the answer key:

“There are four variables that affect the root port selection.  These are cost, bridge-ID, port priority, and port-id in that order.”

“To influence which port is elected the root port, the two user configurable values to change are port cost and port priority.  Changing port cost will affect both the local bridge and all downstream bridges.  Changing port priority will only affect the directly connected downstream bridge.”
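As an added illustration (not from the blog or the IE workbook), here is a small Python model of the VLAN 4 root-port election on sw2, using the bridge ID, port numbers and costs from the show output above and the four-variable order quoted from the answer key.  The only assumptions are that all three uplinks are 100 Mb/s (cost 19) and that sw1, as root, advertises a root path cost of 0.

```python
"""Root-port election on a non-root switch, modelled on sw2 from task 1.5.

All three uplinks (Fa0/13, Fa0/14, Fa0/15) reach the root, sw1, at equal
cost, so the tie is broken by the port ID that sw1 puts in its BPDUs.  That
is why changing port-priority on sw1 (the root) moves sw2's root port, while
changing cost is done on sw2 itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One sw2 port that receives BPDUs from an upstream bridge."""
    local_port: str
    local_port_cost: int          # cost of the local link (19 for 100 Mb/s)
    advertised_root_cost: int     # root path cost carried in the BPDU (0 from the root)
    sender_bridge_priority: int
    sender_bridge_mac: str
    sender_port_priority: int     # port-priority configured on the SENDER's port
    sender_port_number: int
    local_port_priority: int = 128
    local_port_number: int = 0

    @property
    def root_path_cost(self):
        return self.advertised_root_cost + self.local_port_cost

    def election_key(self):
        # The four tie-breakers quoted from the answer key, in order:
        # cost, sender bridge ID, sender port ID, then the receiving port ID.
        return (
            self.root_path_cost,
            (self.sender_bridge_priority, self.sender_bridge_mac),
            (self.sender_port_priority, self.sender_port_number),
            (self.local_port_priority, self.local_port_number),
        )


def elect_root_port(candidates):
    """Return local port names ordered from root port to least-preferred alternate."""
    return [c.local_port for c in sorted(candidates, key=Candidate.election_key)]


# Values taken from the 'show spanning-tree' output on the page: sw1 is root for
# VLAN 4 with bridge ID 24580 / 0012.018f.d580, and fa0/13-15 carry port
# numbers 15, 16 and 17 on both switches (Prio.Nbr 128.15, 128.16, 128.17).
SW1_ROOT_PRIORITY = 24580
SW1_ROOT_MAC = "0012.018f.d580"
PORT_NUMBERS = {"Fa0/13": 15, "Fa0/14": 16, "Fa0/15": 17}


def sw2_vlan4_candidates(sw1_port_priority=None, sw2_port_cost=None):
    """Build sw2's three uplinks, optionally overriding sw1 port-priority
    (the root-side knob) or sw2 port cost (the non-root-side knob)."""
    sw1_port_priority = sw1_port_priority or {}
    sw2_port_cost = sw2_port_cost or {}
    return [
        Candidate(
            local_port=port,
            local_port_cost=sw2_port_cost.get(port, 19),   # assumption: 100 Mb/s links
            advertised_root_cost=0,                        # sw1 is the root
            sender_bridge_priority=SW1_ROOT_PRIORITY,
            sender_bridge_mac=SW1_ROOT_MAC,
            sender_port_priority=sw1_port_priority.get(port, 128),
            sender_port_number=number,
            local_port_number=number,
        )
        for port, number in PORT_NUMBERS.items()
    ]


if __name__ == "__main__":
    # Defaults: lowest sender port number wins, so Fa0/13 is the root port.
    print("default   :", elect_root_port(sw2_vlan4_candidates()))
    # Port-priority 0/16/32 on sw1 fa0/15/14/13, as configured in the post.
    print("blog      :", elect_root_port(sw2_vlan4_candidates({"Fa0/15": 0, "Fa0/14": 16, "Fa0/13": 32})))
    # The IE answer key: fa0/15 priority 16, fa0/14 priority 32, fa0/13 left at 128.
    print("IE answer :", elect_root_port(sw2_vlan4_candidates({"Fa0/15": 16, "Fa0/14": 32})))
    # The other knob: lowering the cost on sw2's own fa0/15 wins on cost alone.
    print("sw2 cost  :", elect_root_port(sw2_vlan4_candidates(sw2_port_cost={"Fa0/15": 10})))
```

Both the blog's values and the IE values produce the same order (fa0/15, fa0/14, fa0/13); the difference is only whether fa0/13 is left at its default of 128.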

1.6 Spanning-Tree Protocol

“Configure sw2 so that traffic continues forwarding within THREE seconds if either port fa0/15 or fa0/14 goes down.”
“This should be accomplished while running PVST.” <-default

Understanding UplinkFast
“UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states.  This change takes approximately 1 to 5 seconds.”

IE even recognizes the 1 to 5 second change time in their answer key:

“This process typically takes three to five seconds, and reduces convergence time considerably.”

Ummmm….so why not change the question to “within 6 seconds”?  :-)

sw2(config)#spanning-tree uplinkfast
sw2(config)#do sh span uplinkfast
UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

Name                 Interface List
-------------------- ------------------------------------
VLAN0001             Fa0/13(fwd), Fa0/14, Fa0/15
VLAN0003             Fa0/13(fwd), Fa0/14, Fa0/15
VLAN0004             Fa0/15(fwd), Fa0/13, Fa0/14
VLAN0016             Fa0/6(fwd)
VLAN0029             Fa0/13(fwd), Fa0/14, Fa0/15
VLAN0036             Fa0/6(fwd)
VLAN0044             Fa0/15(fwd), Fa0/13, Fa0/14
VLAN0052             Fa0/15(fwd), Fa0/13, Fa0/14
VLAN0057             Fa0/13(fwd), Fa0/14, Fa0/15
VLAN0063             Fa0/15(fwd), Fa0/13, Fa0/14

1.7 Switch Management

As a lab strategy, you can skip this task and do it later.  I managed to complete it by simply looking at the “snmp-server” options:

sw1(config)#snmp-server ? [some output truncated]
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  location          Text for mib object sysLocation
  trap              SNMP trap options

sw1(config)#do sh run | i snmp-server
snmp-server community CISCORO RO
snmp-server community CISCORW RW
snmp-server location San Jose, CA US
snmp-server contact CCIE Lab SW1
snmp-server chassis-id 221-787878
snmp-server enable traps vtp
snmp-server host 136.1.2.100 traps CISCOTRAP vtp

Implicit in this question is that you should ONLY allow the SNMP server (136.1.2.100) to manage sw1.  I forgot to create an ACL to filter out other devices:

sw1(config)#access-li 69 permit 136.1.2.100
sw1(config)#snmp-server community CISCORO RO 69
sw1(config)#snmp-server community CISCORW RW 69

[Lab Breakdown states that you could leave off the ACL and still get the points.  This is another "ask the proctor" issue.]

Verification:

sw1#sh snmp
Chassis: 221-787878
Contact: CCIE Lab SW1
Location: San Jose, CA US
---Output Truncated---

SNMP logging: enabled
    Logging to 136.1.2.100.162, 0/10, 0 sent, 0 dropped.
SNMP agent enabled
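As an added check (not from the blog), here is a Python audit of “snmp-server community” lines, run over the before and after versions of sw1’s configuration from this task.  The sample configs are constructed from the lines shown above, the audit handles numbered standard ACLs only, and the finding texts are my own.  Note that a community ACL only limits which source addresses may use the string; SNMPv1/v2c still sends the community in cleartext.

```python
"""Audit 'snmp-server community' lines in an IOS running-config.

Flags communities with no access-list, access-lists that are referenced but
never defined or that permit 'any', and every read-write community.
"""
import re

# snmp-server community <string> [view <name>] [RO|RW] [<access-list>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$", re.I
)
# Numbered standard ACL entries only (assumption: named ACLs are out of scope here).
ACL_RE = re.compile(r"^access-list (\S+)\s+(permit|deny)\s+(.+)$", re.I)

NO_ACL = "no access-list: any source may use this community"
UNDEFINED_ACL = "access-list referenced but not defined"
ACL_ANY = "access-list permits any source"
RW = "read-write community: allows configuration changes over SNMP"


def parse_config(config_text):
    """Collect (name, mode, acl) for each community and the entries of each ACL."""
    communities, acls = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            communities.append((name, mode, acl))
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3).strip()))
    return communities, acls


def audit_snmp(config_text):
    """Return a sorted list of (community, finding) tuples."""
    communities, acls = parse_config(config_text)
    findings = []
    for name, mode, acl in communities:
        if acl is None:
            findings.append((name, NO_ACL))
        elif acl not in acls:
            findings.append((name, UNDEFINED_ACL))
        elif any(action == "permit" and target.split()[0].lower() == "any"
                 for action, target in acls[acl]):
            findings.append((name, ACL_ANY))
        if mode == "RW":
            findings.append((name, RW))
    return sorted(findings)


# Constructed sample: sw1's SNMP lines as first configured in the post (no ACL).
BEFORE = """\
snmp-server community CISCORO RO
snmp-server community CISCORW RW
snmp-server location San Jose, CA US
snmp-server contact CCIE Lab SW1
snmp-server host 136.1.2.100 traps CISCOTRAP vtp
"""

# Constructed sample: the same device after access-list 69 was applied.
AFTER = """\
access-list 69 permit 136.1.2.100
snmp-server community CISCORO RO 69
snmp-server community CISCORW RW 69
snmp-server host 136.1.2.100 traps CISCOTRAP vtp
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for community, finding in audit_snmp(cfg):
            print(f"  {community}: {finding}")
```

The RW community is still reported after the fix, which is the point: the ACL narrows who can reach it, not what it can do.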

1.8 Link Aggregation

An easy task to end the section.  Just remember to watch the order of operations when configuring L3 EtherChannels.

Configuring Layer 3 EtherChannels

IE answer guide has a typo (sw1 and sw2 rather than sw3 and sw4).  I also don’t understand why they require “channel-protocol pagp” under the port-channel interfaces???  That issue is discussed in the IE forums:

LAB 3 Task 1.8

[Lab Breakdown doesn't mention this either.  I think that it's a typo/default]

December 1, 2007

LFU 10: No VLAN…No CDP!!!

I was working on a practice lab today and was using CDP to verify that all of the connections were correct.  I cruised through sw1 and sw2 but when I hit sw3 I started to see strange issues with CDP.
 
sw3 fa0/3 is connected to r3 fa0/1 but I cannot see a CDP neighbor:
 
sw3#sh run int fa0/3
Building configuration…
 
Current configuration : 95 bytes
!
interface FastEthernet0/3
 switchport access vlan 33
 switchport mode dynamic desirable
end
 
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/3                        connected    33         a-full  a-100 10/100BaseTX
 
sw3#sh int fa0/3
FastEthernet0/3 is up, line protocol is up (connected)
 
sw3#sh cdp neigh fa0/3
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
 
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw3#

The interface is up/up and CDP is running (it would have given me an error if it was not) but CDP does not see r3’s fa0/1 interface. 

Let’s look at r3:

r3#sh run int fa0/1
Building configuration…
 
Current configuration : 95 bytes
!
interface FastEthernet0/1
 ip address 132.1.33.3 255.255.255.0
 duplex auto
 speed auto
end
 
r3#sh ip int br | i net0/1
FastEthernet0/1
            132.1.33.3      YES manual up                    up
 
r3#sh cdp neigh fa0/1
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
 
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
r3#

r3’s fa0/1 interface is up and up and CDP is running.  I can actually physically trace that cable to sw3’s fa0/3 interface.  So why can’t sw3 see r3 (and vice versa) via CDP? 

Here’s the problem:
 
sw3#sh int fa0/3 switch
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 33 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

I configured the port as an access port assigned to VLAN 33, but VLAN 33 does not exist on the switch (it will once VTP does its magic).  Once VLAN 33 is configured on the switch, CDP will work:

sw3#sh vlan id 33

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
33   VLAN0033                         active    Fa0/3, Po2

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
33   enet  100033     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

sw3#sh int fa0/3 switch
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 33 (VLAN0033)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

sw3#sh cdp neigh fa0/3
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
r3                  Fas 0/3               179           R S I     2651XM    Fas0/1

November 5, 2007

Internetwork Expert Volume III Lab 01: A Drive-by

After wasting most of my weekend adding backbone routers to my existing lab, I decided that I wanted to crack open lab 1 of the Internetwork Expert Volume III lab book.  These are 4-hour mini-labs that concentrate solely on “core tasks” such as switching, IGP, EGP, WAN technologies, and troubleshooting.  Here is IE’s description:

The following scenario is a practice lab exam designed to help you develop your speed and accuracy at configuring Cisco networking devices.  Specifically, this scenario is designed to assist you in your preparation for Cisco Systems’ CCIE Routing and Switching Lab exam.  The goal of this scenario is to configure and verify complete layer 2 and layer 3 reachability as quickly as possible while minimizing the usage of Cisco’s documentation or the context sensitive help.  Ensure to track your time as you progress through each section and compare your results with the specified target time.

I only had a couple of hours left in my study block, so I decided to do the first three sections (troubleshooting, bridging and switching, and WAN technologies) and leave the remaining two sections (IGP and EGP) for another day. 

I did a write erase on all of my lab devices and loaded the provided initial configurations.  I did have to make some minor changes to the provided configurations to match my actual interfaces (replace an e0/0 with an fa0/0 or an s0/0 with an s0/0/0:0 – you get the idea).  The configurations are pretty bare-bones, so I got them loaded without any hassle.

Each lab comes with two network maps (one physical and the other with the routing protocol details).  One thing that is not provided is a detailed map of the inter-switch connections.  I know them fairly well and can always turn around and look directly at my stack to verify them, but for this lab I decided to only use the information given to me in the two network maps so it would be similar to the actual CCIE lab environment.  That meant a lot of “show cdp neighbor” statements on the switches to build my own mapping of the inter-switch connections.  IE made this a little more difficult as some of the ports are shut down in the initial configurations.  In order to get an accurate picture of the inter-switch connections, I needed to unshut the interfaces on each switch and then shut them back down again after recording the CDP neighbors.  I’m not sure if this will be necessary in the actual lab, but it was good practice.

I popped my headphones on and started BT’s “This Binary Universe” (my favorite background music for labbing) on my iPod and dove in.

Troubleshooting

Time allotted: 10 minutes
Time spent: 7 minutes*

I immediately fell on my face.  The first task is troubleshooting.  You are given 10 minutes to find two faults with the initial configurations.  I jumped from device to device and looked for misconfigured IP addresses and ports that were shut down.  There are no routing protocols running in the initial configs, so I figured that this would be a pretty easy task.  I quickly found an interface with an incorrect IP address.  After that I found a number of problems.  There were two layer 3 port-channels that were not built between the switches.  None of the VLANs were configured on the switches so the SVIs were not working.  I had already found more than two issues.  ???

I cracked open the answer key and found out that the bad IP address was one of the errors.  The other error concerned one of the layer 3 port-channels that was not built yet.  It was quite clever and probably would have messed me up, but I had already read the spoiler so it had less of an impact.  I guess that the errors do not necessarily need to be apparent in the initial configurations.  It could be argued that this error could be spotted, but you’d need to be a whole lot more observant than I am and I am seriously doubting that the average network engineer would spot it in 10 minutes.  It is something that you would definitely need to fix to complete the lab though!

I marked this up to inexperience with the IE labs and restarted the clock, but added on the time that it took me to diagram the inter-switch topology.  That’s the reason for the asterisk next to my time.  On to the next task!

Bridging and Switching

Time allotted: 40 minutes
Time spent: 27 minutes

This section had four tasks: VLAN assignments, layer 2 Etherchannel, trunking, and layer 3 Etherchannel.  I read the tasks ahead of time and underlined possible pitfalls in each task.  I specifically looked for interdependencies (i.e. a trunking task allowing you to use either dot1q or ISL followed by a later Etherchannel task requiring a native VLAN).  Reading through the tasks I was interested to see that the tasks were pretty specific (needing little to no clarification) and also pretty basic.  I felt pretty good about finishing this section quickly and accurately.

I ran into my first strategy decision early on.  In the first task you are asked to create a number of VLANs (all with names) as well as assign the VLANs to ports on each of the four switches.  It’s pretty obvious that VTP is your friend in this task.  You could configure the VLANs on each switch, but that’s too much time wasted typing and also sets you up to fat-finger something.  The problem is that there are no trunks built between the switches, so VTP is not going to propagate your VLANs to all of the switches until you get them built.  My solution was to configure sw1 as the VTP server and the other three switches as VTP clients (luckily, this was also a specified task, so I could leave them in that state).  I then configured two VLANs on sw1.  Then I jumped out of task 2.1 and directly into tasks 2.2 (layer 2 Etherchannel) and 2.3 (trunking).  Once I had built trunking between the switches and verified that all 3 switches were seeing the 2 VLANs configured on sw1, I would go back to task 2.1 and complete the configuration of the remaining VLANs.

I think that this is a good strategy.  The IE answer guide does not give you strategy tips though.  The answer for task 2.1 shows how to create the VLANs on sw1, assign the VLANs to each port, and set up VTP.  The verification command does show that you should not expect to see the VLANs propagated to switches 2 through 4.  Fair enough.  By reading through the other tasks you can see that trunking will eventually be built so the VLANs should be propagated. 

I did see a couple of errors in the IE answer guide though.  If you were to create all of the VLANs on sw1 and then assign the VLANs to the appropriate switchports on all of the switches, then – because VTP is not working due to no trunking –  the switch would create each VLAN for you.  You’d see something like this:

sw4(config)# interface fa0/15
sw4(config-if)# switchport access vlan 57
% Access VLAN does not exist. Creating vlan 57

The switch would create the VLAN for you, but with a default VLAN name of VLAN0057.  This is not going to match the VLAN name that you’re supposed to use (VLAN_C in this case).  Furthermore, the “show vtp status” verification that the IE answer shows for sw2, sw3, and sw4 shows:

Number of existing VLANs           :  5

This will not be the case if you assign the VLANs to the ports on sw2-4.  Even though you won’t have the 12 VLANs configured on sw1 until VTP does its thing, you WILL have 5 + x VLANs; where 5 is the number of default VLANS and x is the number of unique VLANs you assign to the ports.

Finally, since you would have VLANs existing on sw1 with VLAN names and the same VLANs on the other switches with the default VLAN names – what’s going to happen to the VLAN names once VTP does start propagating the VLANs to the client switches?  I’ll lab this when I have access to some switches this weekend.

All of the above is assuming that you haven’t set the VTP mode to “client” on sw2 – 4.  If you did that before assigning the VLANs to those switches, you would avoid the mess above because the switch would not allow you to configure any VLANs.  Of course, the switch would tell you to piss off if you tried to assign a non-existent VLAN to a port.

Nuff said.  I think that my strategy is the best route.  :-)

In task 2.2 you are asked to configure a two-port port-channel using dot1q trunking and the native default VLAN.  This is easy enough except for two points that are not spelled out for you:

1)  What channel-group number should you use (this layer 2 port-channel is not on the topology map)?
2)  Which port-channel protocol should you use (PAgP, LACP, or on)?

I used channel-group 1 and “on” (“channel-group 1 mode on”).  That’s what IE used in the answer key as well.  My general rule is to avoid any dynamic protocols unless they are specifically called for.

The “use the default native VLAN” part of the task is a bit of a red herring.  I generally hate tasks like these because you need to know what items are enabled by default.  In this case, it’s pretty easy because dot1q uses the default native VLAN by….well…default.  :-)

The next task (2.3) involved setting up some very simple trunks.  The tasks specify that you use dot1q trunks.  The only thing unclear is whether you should use dynamic trunking.  See “avoid any dynamic protocols unless they are specifically called for” above.  At this point, I had trunking built across all four switches.  I jumped back to task 2.1 and completed the VLAN configuration and assignment.  I verified that each switch had learned all of the VLANs via VTP.

The last task was the only one to trip me up a bit.  It involved creating layer 3 Etherchannels.  I knew that you need to configure these in a specific order, but I could not remember the order.  I hit the DOC and pulled up the configuration guide.  I was able to quickly find the document for configuring layer 3 etherchannels.  This is also the step where I would have discovered the second troubleshooting error.  I followed the DOC and had my layer 3 Etherchannels up and running, except that one of the channels (between sw2 and sw3) kept bouncing.  I still don’t know why.  I wrote the configs and reloaded sw2 and sw3.  The problem went away.

One other point about this task.  This was the first “verbiage” issue I came across.  The task asks that you use “all remaining directly connected inter-switch links” for the layer 3 Etherchannels.  The time that I spent drawing the inter-switch topology paid off handsomely in this task.

I was done with the Bridging and Switching section 13 minutes early.  Whoot!!!

WAN Technologies

Time Allotted: 20 minutes
Time Spent: 32 minutes

I need to get my butt to a meeting.  I will finish this post tonight. 
