CCIE Pursuit Blog

January 12, 2008

Internetwork Expert Volume II: Lab 4 – Section 1

Section 1 –  Bridging and Switching – *26 Points

* Includes 4 points for Troubleshooting section.

Troubleshooting

4 errors this time – yuck.

1)

r2#sh ver | i register
Configuration register is 0x2102 (will be 0x2142 at next reload)

That’s not good.  🙂

r2(config)#config-register 0x2102
r2#sh ver | i register
Configuration register is 0x2102

2)

r6#sh run int s0/0
interface Serial0/0
 ip address 54.1.1.6 255.255.255.128  <-mask should be /24
 encapsulation frame-relay

3)

Frame Relay is configured on the wrong interface (should be s0/0/0) on r2:

r2#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         141.1.0.2       YES manual up                    up
GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down
Serial0/0/0                unassigned      YES NVRAM  administratively down down
Serial0/1/0                141.1.123.2     YES manual up                    down
Loopback0                  150.1.2.2       YES manual up                    up

r2(config)#do sh run int s0/0/0
interface Serial0/0/0
 no ip address
 shutdown

end

r2(config)#do sh run int s0/1/0
interface Serial0/1/0
 ip address 141.1.123.2 255.255.255.0
 encapsulation frame-relay
end

4)

r5(config)#do sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            141.1.145.5     YES manual up                    up
Serial0/0                  141.1.54.5      YES manual up                    up
FastEthernet0/1            141.1.0.5       YES manual up                    up
Serial0/1                  141.1.54.5      YES manual up                    up
Loopback0                  150.1.5.5       YES manual up                    up

r5(config)#int s0/1
r5(config-if)#ip add 141.1.45.5 255.255.255.0

1.1 Trunking

“standards based trunks” + “vlan 255 should be untagged when sent across any of these trunks” = dot1q trunks with native vlan 255.  Nuff said.

1.2 VLAN Assignments

Easy enough VTP configuration with VLAN assignments.  The only unresolved bit is whether we should leave all of the switches in VTP server mode.  I did.  That means you only need to create the VLANs on one switch:

Make sure that your results match by running:

sh vlan br | e unsup|^ |^1 |active[ \t]+$

Well…I thought that this was easy.  I have to work on reading between the lines on these tasks.  You need to create all of the VLANs in the task as well as any VLANs on the diagram (6,7,8,77,88, and 255).  You’ll need to name these VLANs by substituting the digits in the VLAN with their ordinal letter in the alphabet (i.e. VLAN 77 = VLAN_GG).

The IE solution guide is missing the configuration for fa0/24 on sw1.  [note: they may have pulled it or the question may contain a typo].

1.3 Traffic Control

“Enable pruning within the VTP domain.” Just need to configure vtp pruning on any one of the switches as they are all in VTP  server mode.

sw1(config)#vtp pruning
Pruning switched on

“Although sw1 and sw3 do not have VLAN 8 locally assigned ensure that they receive unknown unicast, broadcast, or multicast traffic for VLAN 8 over their lowest numbered trunk link to sw2”

That’s just a long-winded way of saying that we should not prune VLAN 8 on sw1 fa0/13 and sw3 fa0/16.

Before:
sw1(config)#do sh int fa0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      255

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,6,12,36,43,45,258

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      none

switchport trunk

Set the list of VLANs that are eligible for VTP pruning when in trunking mode. The all keyword is not valid.

sw1(config-if)#switch trunk pruning vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

I could not get the except command to work:

sw3(config-if)#swit trun pru vlan except ?
  WORD  VLAN IDs of disallowed VLANS when this port is in trunking mode

sw3(config-if)#swit trun pru vlan except vlan 8
                                         ^
% Invalid input detected at '^' marker.

sw3(config-if)#swit trun pru vlan except vlan8
Command rejected: Bad VLAN list - character #1 is a non-numeric character ('v').

sw3(config-if)#swit trun pru vlan except 8
Command rejected: Bad VLAN pruning list.

…so I used:

sw1(config-if)#switch trun prun vlan 2-7,9-1001

The other odd bit is that I thought that I would see that vlan 8 was not prune-eligible with “show int fa0/13 trunk”:

sw1#sh int fa0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      255

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,6-8,12,36,43,45,77,88,255,258

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      258

You can use the following to verify the prune list:

sw1#sh int fa0/13 switchport | i Prun
Pruning VLANs Enabled: 2-7,9-1001
sw1#sh int fa0/14 switchport | i Prun
Pruning VLANs Enabled: 2-1001
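
The workaround above, as an added example (not from the original post or the IE guide): build the prune-eligible list that leaves out a protected VLAN, and check a "Pruning VLANs Enabled" line against it. The function names are made up for illustration, and the handling of an empty list shown as NONE is an assumption.

```python
PRUNE_ELIGIBLE = range(2, 1002)  # VLAN 1 and 1002+ are never prune-eligible

def expand(vlan_list):
    """'2-7,9-1001' -> set of VLAN IDs."""
    vlans = set()
    for part in vlan_list.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def compress(vlans):
    """Set of VLAN IDs -> range list in the form the switch accepts."""
    runs = []
    for v in sorted(vlans):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v          # extend the current run
        else:
            runs.append([v, v])      # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)

def prune_list_except(*protected):
    """Argument for 'switchport trunk pruning vlan' that never prunes `protected`."""
    for v in protected:
        if v not in PRUNE_ELIGIBLE:
            raise ValueError(f"VLAN {v} is not prune-eligible to begin with")
    return compress(set(PRUNE_ELIGIBLE) - set(protected))

def protected_on(show_line, vlan):
    """True if `vlan` is absent from a 'Pruning VLANs Enabled:' line (never pruned)."""
    label, _, value = show_line.partition(":")
    if label.strip() != "Pruning VLANs Enabled":
        raise ValueError("not a pruning line")
    if value.strip().lower() == "none":   # assumption: empty list is shown as NONE
        return True
    return vlan not in expand(value)

if __name__ == "__main__":
    print(prune_list_except(8))                                        # list for fa0/13
    print(protected_on("Pruning VLANs Enabled: 2-7,9-1001", 8))        # fa0/13 line
    print(protected_on("Pruning VLANs Enabled: 2-1001", 8))            # fa0/14 line
```
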

The last subtask states:

“Traffic for VLAN 8 should not be received over any of the other trunk links.”

I thought that you would need to explicitly configure the other trunks to not allow VLAN 8 (“switchport trunk allowed”).  IE does not do that, even though the other trunks do allow VLAN 8:

sw1#sh int fa0/14 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/14      on           802.1q         trunking      255

Port        Vlans allowed on trunk
Fa0/14      1-4094

Port        Vlans allowed and active in management domain
Fa0/14      1,6-8,12,36,43,45,77,88,255,258  <-note

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/14      none

1.4 Spanning-Tree Protocol

You need to configure sw1 as the primary spanning-tree root bridge and sw3 as the secondary root bridge for vlan 258.

“All VLAN 258 traffic from sw2 to sw1 should transit sw4”
“In the event that sw2’s path to sw1 through sw3 is down, sw2 should use the directly connected trunk links to reach sw1 directly.”
“Use the fewest number of commands to accomplish this task and do not alter sw1’s port-priorities.”

“do not alter sw1’s port-priorities” means that we’ll use port-cost to affect vlan 258’s traffic.

We have two options: cost or port-priority.  If I am the root trying to affect how traffic comes towards me, I will use port-priority.  If I am on a non-root switch and I want to affect the way that traffic flows to the root, I will use cost.

Port-priority is looking down the spanning-tree.
Cost is looking up the spanning-tree.

spanning-tree cost

Before:
sw2#sh span vlan 258

VLAN0258
  Spanning tree enabled protocol ieee
  Root ID    Priority    24834
             Address     0012.018f.d580
             Cost        19
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33026  (priority 32768 sys-id-ext 258)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 19        128.15   P2p  <- sw1
Fa0/14           Altn BLK 19        128.16   P2p  <- sw1
Fa0/15           Altn BLK 19        128.17   P2p  <- sw1
Fa0/16           Desg FWD 19        128.18   P2p  <- sw3
Fa0/17           Desg FWD 19        128.19   P2p  <- sw3
Fa0/18           Desg FWD 19        128.20   P2p  <- sw3

In this case we need to change the port-cost so that sw3 is preferred (lower cost on ports to sw3).  The path directly to sw1 will be used if the path to sw3 goes down, so we will satisfy both  subtasks.

sw2(config-if-range)#spanning vlan 258 cost ?
  <1-200000000>  Change an interface’s per VLAN spanning tree path cost

sw2(config)#inter range fa0/13 - 15
sw2(config-if-range)#spanning vlan 258 cost 2000

After waiting for spanning-tree to recalculate:

sw2(config-if-range)#do sh span vlan 258 | b Interface
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.4    P2p
Fa0/13           Altn BLK 2000      128.15   P2p
Fa0/14           Altn BLK 2000      128.16   P2p
Fa0/15           Altn BLK 2000      128.17   P2p
Fa0/16           Root FWD 19        128.18   P2p  <-booyah!!!
Fa0/17           Altn BLK 19        128.19   P2p
Fa0/18           Altn BLK 19        128.20   P2p

I did waste a lot of time fretting over the “minimum configuration” requirement.  In the real lab, I’d just note this task and come back to it later to check for a slimmer configuration.  As it was, I got this correct.

1.5 Link Failure Detection

I knew right away that this task would require some digging in the DOC.  In the real lab I would skip this non-core task and come back to it later.

“Configure sw1 and sw2 so that port fa0/15 is brought down in the case that either switch can send traffic, but not receive, or vice versa.”
“As an additional precaution configure sw1 so that interface fa0/15 is not mistakenly elected as a designated port in the above case.”

Reading these subtasks made me think of UniDirectional Link Detection and BPDU guard.

udld port

sw1(config-if)#udld port ?
  aggressive  Enable UDLD protocol in aggressive mode on this interface
 <cr>

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD also detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links.

Aggressive it is then.  🙂

After configuring both sides:

sw1#show udld fa0/15
Interface Fa0/15

Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 31
    Device ID: 1
    Current neighbor state: Bidirectional
    Device name: CAT0835X0US
    Port ID: Fa0/15
    Neighbor echo 1 device: CAT0837N1AS
    Neighbor echo 1 port: Fa0/15

    Message interval: 15
    Time out interval: 5
    CDP Device name: sw2

The IE solution guide warns:

“The global command udld enable only applies to fiber interfaces.  Ensure to use the interface command udld port aggressive for copper interfaces.”

I didn’t configure udld globally.  I figured that if the switch threw an error when I configured it at the interface level, then I would configure it globally and reconfigure it on the interface.  So I avoided a pitfall through sheer dumb luck rather than an understanding of udld.  🙂

I was wrong about BPDU guard though.  I needed loop guard instead:

spanning-tree guard

sw1#sh spanning-tree interface fa0/15 detail
 Port 17 (FastEthernet0/15) of VLAN0001 is blocking
   Port path cost 19, Port priority 128, Port Identifier 128.17.
   Designated root has priority 32769, address 000a.410e.0600
   Designated bridge has priority 32769, address 0012.009c.ca00
   Designated port id is 128.17, designated path cost 19
   Timers: message age 3, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Loop guard is enabled on the port 
   BPDU: sent 118, received 4578
-----output truncated-----

1.6 Spanning-Tree Protocol

I need to make sw3 show this output:

VLAN0258
  Spanning tree enabled protocol ieee

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/5            Desg FWD 100       128.5    P2p
Fa0/16           Desg FWD 19        128.16   P2p
Fa0/17           Desg FWD 19        128.17   P2p
Fa0/18           Desg FWD 19        128.18   P2p
Fa0/19           Altn BLK 19        128.19   P2p
Fa0/20           Altn BLK 19        128.20   P2p
Fa0/21           Root FWD 19        128.21   P2p

Basically I need to make fa0/21 the root port (fa0/19 is currently the root port) without changing the port-cost or priority on sw3. [Technically I should have changed the cost of fa0/5 as my current cost is 19, but that is an artifact of my r5 using a FastEthernet rather than an Ethernet port]

This should be easy enough.  I will change the spanning-tree priority on sw4 to prefer fa0/21:

sw3#sh cdp neigh fa0/21 | b Device
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw4                 Fas 0/21              141            S I      WS-C3550-2Fas0/21

spanning-tree port-priority

sw4(config-if)#spanning-tree vlan 258 port-priority ?
  <0-240>  port priority in increments of 16

sw3#sh sp v 258

VLAN0258
  Spanning tree enabled protocol ieee

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/5            Desg FWD 19        128.5    P2p
Fa0/16           Desg FWD 19        128.16   P2p
Fa0/17           Desg FWD 19        128.17   P2p
Fa0/18           Desg FWD 19        128.18   P2p
Fa0/19           Altn BLK 19        128.19   P2p
Fa0/20           Altn BLK 19        128.20   P2p
Fa0/21           Root FWD 19        128.21   P2p  <-sweet!!!!
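
The cost versus port-priority rule from 1.4 and 1.6, as an added example (not from the original post or the IE guide): a small model of 802.1D root-port selection that reproduces both results. Assumptions: the sw3 and sw4 bridge IDs are constructed, sw3 advertises a root path cost of 38 and sw4 a cost of 19, sw4 numbers Fa0/n as port n, and 112 stands in for whatever port-priority value was set on sw4 fa0/21.

```python
from typing import NamedTuple

class Candidate(NamedTuple):
    local_if: str
    adv_cost: int         # root path cost advertised in the neighbor's BPDU
    sender_bridge: tuple  # neighbor's bridge ID: (priority, MAC)
    sender_port: tuple    # (port-priority, port number) set on the NEIGHBOR's port
    local_cost: int       # our own per-VLAN cost on the receiving port
    local_port: tuple     # our own (port-priority, port number), last tie-breaker

def root_port(cands):
    """802.1D order: total cost, sender bridge ID, sender port ID, local port ID."""
    best = min(cands, key=lambda c: (c.adv_cost + c.local_cost, c.sender_bridge,
                                     c.sender_port, c.local_port))
    return best.local_if

SW1 = (24834, "0012.018f.d580")  # root bridge ID, from the page
SW3 = (28930, "0000.0000.0003")  # constructed bridge ID
SW4 = (33026, "0000.0000.0004")  # constructed bridge ID

def sw2_view(direct_cost):
    """sw2 in task 1.4: Fa0/13-15 go to sw1, Fa0/16-18 go to sw3."""
    # sw1 and sw2 number Fa0/n as port n+2 (Fa0/13 = 128.15 on the page).
    to_sw1 = [Candidate(f"Fa0/{n}", 0, SW1, (128, n + 2), direct_cost, (128, n + 2))
              for n in (13, 14, 15)]
    # Assumption: sw3 advertises a root path cost of 38 (two 19-cost hops via sw4).
    to_sw3 = [Candidate(f"Fa0/{n}", 38, SW3, (128, n), 19, (128, n + 2))
              for n in (16, 17, 18)]
    return root_port(to_sw1 + to_sw3)

def sw3_view(sw4_fa21_priority):
    """sw3 in task 1.6: Fa0/19-21 all go to sw4, so only sw4's port IDs differ."""
    prio = {19: 128, 20: 128, 21: sw4_fa21_priority}
    # Assumptions: sw4 advertises cost 19 and numbers Fa0/n as port n.
    return root_port([Candidate(f"Fa0/{n}", 19, SW4, (prio[n], n), 19, (128, n))
                      for n in (19, 20, 21)])

if __name__ == "__main__":
    print(sw2_view(19), sw2_view(2000))   # before / after "cost 2000" on fa0/13-15
    print(sw3_view(128), sw3_view(112))   # before / after the change on sw4 fa0/21
```

Cost is compared first and is set on the switch choosing its root port; the neighbor's port-priority only matters once cost and sender bridge ID tie, which is the case on sw3's three links to sw4.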

1.7 Rate-Limiting

Another task that I would probably skip and come back to later if this came up on the actual lab.  I had to peek at the solution guide because I did not recognize that this task was asking me to configure storm-control.

storm-control

Unicast traffic – average packet size of 954 Bytes – average of 250 packets per second

sw1(config-if)#storm-control unicast level ?
  <0.00 - 100.00>  Enter rising threshold
  bps              Enter suppression level in bits per second
  pps              Enter suppression level in packets per second

954 x 8 x 250 = 1908000 bps <-this is a rabbit hole. 

Read the options…pps would be much easier.

sw1(config-if)#storm-control unicast level pps ?
  <0.0 - 10000000000.0>[k|m|g]  Enter rising threshold

sw1(config-if)#storm-control unicast level pps 250 ?
  <0.0 - 10000000000.0>[k|m|g]  Enter falling threshold
  <cr>

sw1(config-if)#storm-control unicast level pps 250

sw1#sh storm-control unicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding        250 pps      250 pps        0 pps

I need to review storm-control because I would not have received the points for this task even if I had been able to figure out that the task required storm-control.

1.8 QoS

This is a simple IP Prec to DSCP mutation mapping.

Configuring DSCP Maps

sw2(config)#mls qos map ip-prec-dscp ?
  <0-63>  8 dscp values separated by spaces

sw2(config)#mls qos map ip-prec-dscp 0 0 0 0 32 40 0 0

sw2#sh mls qos maps ip-prec-dscp
   IpPrecedence-dscp map:
     ipprec:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  0  0  0 32 40  0  0

1.9 QoS

This is another easy QoS task (especially if you have worked with VoIP phones).

Configuring the Trust State on Ports within the QoS Domain

sw2(config)#int fa0/2
sw2(config-if)#mls qos trust ?
  cos            cos keyword
  device         trusted device class
  dscp           dscp keyword
  ip-precedence  ip-precedence keyword
  <cr>

sw2(config-if)#mls qos trust ip-precedence
sw2(config-if)#do sh mls qos int fa0/2
FastEthernet0/2
QoS is disabled. When QoS is enabled, following settings will be applied
trust state: trust ip-precedence
trust mode: trust ip-precedence
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

Make sure that you enable mls qos globally (the IE solution guide skips this step):

sw2(config)#mls qos
sw2(config)#do sh mls qos int fa0/2
FastEthernet0/2
trust state: trust ip-precedence
trust mode: trust ip-precedence
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
