CCIE Pursuit Blog

May 1, 2008

New Cisco Campus Switching Product On The Horizon?

Filed under: Cisco,Switching — cciepursuit @ 6:09 pm

It looks like there may be a replacement for the 6500 on the horizon according to NetworkWorld:

As expected, Cisco is developing a significant product launch for the enterprise campus under the codename “Big Bang.”

Marie Hattar, vice president of network systems and security solutions marketing, would not divulge details on Big Bang at the Interop 2008 conference. But she said it is a code name for a campus product launch that’s not likely to happen in calendar 2008.

“You’ll see a big bang but not a forklift,” Hattar says on the upcoming campus refresh. “It’s an evolutionary big bang.”

—Read The Rest Here—

The name 'Big Bang' (and its overuse by the Cisco suit) sort of reminds me of a project that we worked on a couple of years ago.  We were expanding our campus LAN with a GeoMax implementation.  All of the infrastructure was priced out and the business plans written.  All that remained was to pitch the project to the VP and have her sign off on it.  She loved it except for one thing.  "Change the name now."

The name of the project? MAN Enhanced.  Even I (with my admittedly dirty mind) didn't catch the connotation at first. :-)  The Enzyte and Swedish pump jokes lasted for weeks.

April 28, 2008

Internetwork Expert Volume II: Lab 5 – Section 2

Bridging and Switching – 16 Points

2.1 VLAN Assignments

Easy enough task with all four switches running in VTP Transparent mode.  I actually finished all of the Layer 2 tasks (including Frame Relay) and then came back to this task to see which VLANs would need to be added.  The only connection that was not working was r4 (fa0/0 in VLAN 4 on sw2) to BB3 (VLAN 4 on sw3).  There was no direct trunk between sw2 and sw3, so the VLAN also has to exist on the transit switch; I needed to add VLAN 4 to sw1:

sw1(config)#vlan 4
sw1(config-vlan)#exit

r4#p 204.12.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The IE solution is missing VLAN 2005 on sw1.

2.2 Etherchannel

Easy EtherChannel task.

2.3 Load Distribution

Configure an EtherChannel so that it is optimized for multiple clients behind sw1 reaching a single server behind sw2.

We can use the example cited here:

Load Balancing and Forwarding Methods

port-channel load-balance

We want sw1 (many workstations) to hash on the source address and sw2 (a single server) to hash on the destination address.  In each direction that is the field that actually varies from flow to flow, so it spreads the traffic across the most member links.

dst-ip
 Load distribution is based on the destination host IP address.
 
dst-mac
 Load distribution is based on the destination host MAC address. Packets to the same destination are sent on the same port, but packets to different destinations are sent on different ports in the channel.
 
src-dst-ip
 Load distribution is based on the source and destination host IP address.
 
src-dst-mac
 Load distribution is based on the source and destination host MAC address.
 
src-ip
 Load distribution is based on the source host IP address.
 
src-mac
 Load distribution is based on the source MAC address. Packets from different hosts use different ports in the channel, but packets from the same host use the same port.

Do we want to source on MAC or IP address????

sw2(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

Task 2.3

For this task traffic from the file server located behind BB2 will be sent across the trunk with the source MAC address of BB2’s Ethernet interface and source IP address of this server. By default all of this traffic would use only one of the Etherchannel trunk links since the default is to load balance based on the source MAC address. With IP address destination based load balancing enabled on SW2 this traffic will now be distributed across both links. Traffic destined to BB2 will have the same source MAC address of R1, the same destination MAC address of BB2 and the same destination IP address, so we need IP address source based load balancing on SW1.

sw1#show etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-ip):
Non-IP: Source MAC address
  IPv4: Source IP address
  IPv6: Source IP address

sw2#show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-ip):
Non-IP: Destination MAC address
  IPv4: Destination IP address
  IPv6: Destination IP address
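As an added illustration (mine, not part of the lab or IE's solution, and not how a Catalyst actually hashes), here is a small Python model of the six port-channel load-balance policies run over the flows described in Task 2.3. It assumes the member link is chosen from the low-order bit(s) of the hashed field, which is only a stand-in for the platform-specific hash, and it uses constructed client, router and server addresses. What it shows does not depend on the hash: a policy keyed on a field that is the same for every flow lands everything on one link, which is why sw1 needs src-ip and sw2 needs dst-ip.

```python
"""Model of EtherChannel load-distribution policies (added example; not Cisco code).

Assumption: the member link index comes from the low-order bits of the hashed
field(s) (one bit for a two-link bundle). Real Catalyst hashes differ per
platform, but the effect of keying on a constant field is the same.
"""
from collections import Counter
from ipaddress import IPv4Address


def mac_to_int(mac):
    """'0019.56db.aa00' or '00:19:56:db:aa:00' -> integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def select_link(policy, src_mac, dst_mac, src_ip, dst_ip, links=2):
    """Return the member link (0..links-1) a frame hashes to under `policy`."""
    if links < 1 or links & (links - 1):
        raise ValueError("links must be a power of two in this model")
    smac, dmac = mac_to_int(src_mac), mac_to_int(dst_mac)
    sip, dip = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    hashed = {
        "src-mac": smac, "dst-mac": dmac, "src-dst-mac": smac ^ dmac,
        "src-ip": sip, "dst-ip": dip, "src-dst-ip": sip ^ dip,
    }[policy]
    return hashed & (links - 1)


def distribution(policy, flows, links=2):
    """Count how many of `flows` land on each member link."""
    counts = Counter(select_link(policy, *flow, links=links) for flow in flows)
    return {link: counts.get(link, 0) for link in range(links)}


def least_imbalanced(flows, links=2):
    """Policies ordered by (max - min) link load; the first entry balances best."""
    policies = ["src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip"]

    def spread(policy):
        d = distribution(policy, flows, links)
        return max(d.values()) - min(d.values())

    return sorted(policies, key=spread)


# Constructed addresses (assumptions, not from the lab):
R1_MAC = "0019.56db.aa00"    # router between the clients and the trunk
BB2_MAC = "0011.2233.4455"   # the single file server's MAC
SERVER_IP = "10.2.0.10"
CLIENT_IPS = [f"10.1.0.{n}" for n in range(1, 9)]

# Client -> server frames as sw1 sees them: routed by R1, so only the source IP varies.
TO_SERVER = [(R1_MAC, BB2_MAC, ip, SERVER_IP) for ip in CLIENT_IPS]
# Server -> client frames as sw2 sees them: only the destination IP varies.
FROM_SERVER = [(BB2_MAC, R1_MAC, SERVER_IP, ip) for ip in CLIENT_IPS]

if __name__ == "__main__":
    for name, flows in (("sw1 (to server)", TO_SERVER), ("sw2 (from server)", FROM_SERVER)):
        for policy in ("src-mac", "src-ip", "dst-ip"):
            print(f"{name:18} {policy:8} {distribution(policy, flows)}")
```

Running it prints the per-link counts; the default src-mac puts all eight flows on one link in both directions, src-ip splits them 4/4 on sw1 and dst-ip splits them 4/4 on sw2. Pass `links=4` to see the same flows over a four-link bundle.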

2.4 CAM Table Maintenance

“…configure sw2 so that it discards inactive entries from VLAN 8 and VLAN 88 after 10 seconds.”

mac address-table aging-time

Defaults
The default is 300 seconds.

sw2(config)#mac-address-table aging-time 10 vlan 8
sw2(config)#mac-address-table aging-time 10 vlan 88

sw2#sh mac address-table aging-time
Vlan    Aging Time
----    ----------
   1     300
  27     300
   4     300
 162     300
   8      10
  88      10

2.5 EtherChannel

Basic layer 3 EtherChannel.  You get to set up an EtherChannel with only one connection.  :-)

 

April 21, 2008

Beware The Man Of One Platform

Filed under: Cisco,IOS,Switching,Work — cciepursuit @ 3:26 pm

I vow to never be one of those guys that expects my word to be law once I am a CCIE.  This is not because I am humble (I’m not) or because the ‘Argument From Authority’ is a logical fallacy; it’s because I am wrong more often than I care to be and I will continue to be wrong more often than I care to be regardless of any digits or abbreviations after my name.  :-)

Case in point: I was troubleshooting an issue last week and was surprised to find that the VLAN interfaces (SVIs) on a 6500 series switch (an old piece of shit 6500 switch running DECNet….but I digress) each shared a single (virtual) MAC address.  I pointed this out to one of my co-workers and he said that this was normal.  I disagreed.  I jumped on a 3750 and showed him that each SVI had a unique MAC address.  I even labbed it up quickly on my 3560 to prove my point.

We noted that this might be an interesting anomaly, but it most likely was not our issue as we were troubleshooting a duplicate IP/HSRP/DECNet/STP loop issue.

Well it turns out that we were both right (and both wrong).  Depending on the platform (and IOS version?) Cisco switches may use the System MAC Address for each SVI or they may use a unique MAC Address (derived from the System MAC Address).  CCIE candidates can see this in their labs by noting the differences between the 3560s and 3550s:

3560 uses a unique MAC for each SVI:
sw1#sh ver | i IOS|emo
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)
cisco WS-C3560-48PS (PowerPC405) processor (revision G0) with 118784K/12280K bytes of memory.
512K bytes of flash-simulated non-volatile configuration memory.

sw1(config-if)#do sh int | i Vlan|bia
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0012.018f.d5c0(bia 0012.018f.d5c0)
Vlan2 is up, line protocol is up
  Hardware is EtherSVI, address is 0012.018f.d5c5(bia 0012.018f.d5c5)
Vlan3 is up, line protocol is up
  Hardware is EtherSVI, address is 0012.018f.d5c6(bia 0012.018f.d5c6)
Vlan4 is up, line protocol is up
  Hardware is EtherSVI, address is 0012.018f.d5c7(bia 0012.018f.d5c7)

3550 uses the same MAC for each SVI:
sw3#sh ver | i IOS|emo
Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1)
Cisco WS-C3550-24(PowerPC) processor (revision D0) with 65526K/8192K bytes of memory.

Vlan1 is administratively down, line protocol is down
  Hardware is EtherSVI, address is 000a.410e.0600(bia 000a.410e.0600)
Vlan2 is up, line protocol is up
  Hardware is EtherSVI, address is 000a.410e.0600(bia 000a.410e.0600)
Vlan3 is up, line protocol is up
  Hardware is EtherSVI, address is 000a.410e.0600(bia 000a.410e.0600)
Vlan4 is up, line protocol is down
  Hardware is EtherSVI, address is 000a.410e.0600(bia 000a.410e.0600)

Scott Morris has an article on this issue.

Now you’ll notice that all of the VLAN interfaces have the same MAC address. This is the System MAC address. The reason this is OK has to do with where MAC addresses are used.

A MAC address must be unique within a Layer2 network, a broadcast domain or subnet. Each VLAN is a separate L2 network, broadcast domain and subnet. So there should be no possibility for overlap here and nothing to worry about.

If your configuration is creating some strange bridging or other cross-VLAN behavior, there may be the possibility of odd behavior, but that isn’t the normal issue at all!

So, in the grand scheme of things, you shouldn’t see any duplicate MAC addresses in any place that makes a difference.

April 9, 2008

Internetwork Expert Volume III: Lab 5 – Section 2

Bridging and Switching – 9 Points

2.1 Trunking

Very easy trunking task.  You just need to make sure at least one side of each trunk link is in dynamic desirable mode (the other side can be dynamic auto or dynamic desirable; a port in access mode or with switchport nonegotiate will never negotiate a trunk).  Outside the lab, leaving unused or user-facing ports in a dynamic mode lets whatever plugs in negotiate a trunk and reach every VLAN, so production access ports should be hard-set with switchport mode access and switchport nonegotiate.

The eternal question: What to do about all of the other dynamically created trunks?

In the solution guide the other trunks (negotiated via DTP on the connections between the 3560s and the 3550s) do not appear in the verification commands.  For this lab, I went ahead and shut them all down.

2.2 VLAN Assignment

VTP is already configured (all switches are in VTP server mode in the vtp domain ‘CCIE’).  You are tasked to build all of the VLANs from the diagram.

Weird:

sw1(config-if)#do sh cdp nei f0/3
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
                  S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone

Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
r3                  Fas 0/3               120           R S I     2651XM    Fas0/0
r3                  Fas 0/3               10            R S I     2651XM    Fas0/0.1

This occurred soon after I configured router-on-a-stick on r3.  I've never seen CDP use a subinterface as a neighbor interface.  Time to clear the cdp table:

clear cdp table

sw1(config-if)#do sh cdp nei f0/3
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
                  S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone

Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
r3                  Fas 0/3               178           R S I     2651XM    Fas0/0

Ah.  Much better.

The lab diagram does not show which ethernet port on r2 is connected to VLAN 72.  It must be 0/0 as that interface is already configured with an IP address in VLAN 72.

Weird.  All of the switches are in VTP domain CCIE and all are VTP servers.  Trunking is established between all of the switches.  Yet I am not seeing VLANs propagating via VTP:

sw1:
sw1(config-if)#do sh vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Server
VTP Domain Name                 : CCIE

VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x4E 0xE7 0xBF 0xB8 0x71 0x10 0xF6 0xB4
Configuration last modified by 128.1.27.7 at 3-1-93 15:57:04
Local updater ID is 128.1.27.7 on interface Vl27 (lowest numbered VLAN interface found)

sw2:
sw2(config-if)#do sh vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : CCIE

VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9C 0x35 0x84 0x20 0x54 0x5D 0x0C 0xEB
Configuration last modified by 128.1.48.8 at 3-1-93 16:03:37 <-Interface on sw2
Local updater ID is 128.1.48.8 on interface Vl48 (lowest numbered VLAN interface found) 

sw1(config-if)#do sh vtp pass
VTP Password: CISCO

sw2(config-if)#do sh vtp pass
VTP Password: CISC0

Sneaky IE bastards.  It looks like sw2's password ends with a zero (CISC0, not CISCO).  I went to each switch and set the vtp password to 'CISCO' and VLANs started flowing again.

The differing MD5 digest lines in the two show vtp status outputs above are the tell: the VTP password is part of the input to that digest, so a switch that cannot reproduce the advertised digest with its own password silently discards the update even though the domain name and revision number match.

This lab has three “router-on-a-stick” setups to configure.

The IE solution guide shows VLAN 10 configured for some reason.  It’s not in this network though.

I later found vlan 10.  It's on sw4.  It was not included in my initial config for sw4.  I should have caught this during my initial troubleshooting.

I am also not sure that we need to create VLAN 109 and apply it to the L2 ends of the routed links because in the next task we are using L2 tunneling to make those links think that they are directly connected.  I have full connectivity without VLAN 109, but we’ll see if that gives me issues later.

If this were the real lab, I’d just go ahead and configure VLAN 109 as there is no “minimum number of VLANs” requirement for this task.

2.3 Layer 2 Tunneling

“Configure sw2 so that sw3 and sw4 see each other as CDP neighbors across the routed link that connects them.”

I need to tunnel interfaces fa0/16 and fa0/19

Before:
sw3#sh cdp nei fa0/16 | b Dev
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw2                 Fas 0/16              178            S I      WS-C3560-4 Fas0/16

sw4#sh cdp neigh fa0/16 | b De
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw2                 Fas 0/16              151            S I      WS-C3560-4 Fas0/19

After:
sw3#sh cdp neigh fa0/16 | b De
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw4                 Fas 0/16              151            S I      WS-C3550-2 Fas0/16

sw4#sh cdp nei fa0/16 | b De
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw3                 Fas 0/16              170            S I      WS-C3550-2 Fas0/16

sw4#p 128.1.109.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.1.109.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

 

April 6, 2008

Internetwork Expert Volume II: Lab 9 – Section 1

Bridging and Switching – 17 Points

“There are no faults in the initial configurations.”
“Do not alter the commands in the initial configurations.”

1.1 Trunking

One of the first things that you’ll notice in this lab is that there are routing protocols preconfigured.  BGP on sw1, EIGRP on sw3, and so on.  This looks like it will be an interesting lab.  :-)

I’m off to a rough start already.  The first task is a simple trunking task with the requirement of:

“For ease of administration refer to these trunks with the interface macro DOT-ONE-Q.”

I’m going to assume that “refer to” means “create a macro that completes this task.”  This is another “ask the proctor” moment.

Configuring Smartports Macros

The totality of my experience with switchport macros lies with creating ping scripts. 

sw1(config)#macro name DOT-ONE-Q
Enter macro commands one per line. End with the character ‘@’.
interface range fa0/13 - 15
switchport trunk encap dot
switchport mode trunk
switchport none
no shut
@

sw1(config)#do sh run int fa0/13
interface FastEthernet0/13
end

Okay.  Let’s run this sucker:

sw1(config)#macro glob app DOT-ONE-Q
sw1(config)#do sh run int fa0/13
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

end

Sweet!!!  Well maybe not:

sw1#sh run int fa0/14
interface FastEthernet0/14
end

For whatever reason the interface range did not take.  It only took the first interface.  Okay…there is no “minimal configuration” requirement so I took out the interface range command and explicitly configured each port:

sw1(config)#macro name DOT-ONE-Q
Enter macro commands one per line. End with the character ‘@’.
int fa0/13
switchport trunk encap dot
switchport mode trunk
switchport none
no shut
int fa0/14
switchport trunk encap dot
switchport mode trunk
switchport none
no shut
int fa0/15
switchport trunk encap dot
switchport mode trunk
switchport none
no shut
@

The IE solution uses:

define interface-range DOT-ONE-Q FastEthernet0/13 - 15

but then their macro explicitly configures each interface.  So what is the purpose of the above command?

define interface-range

1.2 Trunking

Weird.  sw4 is a 3550 yet:

interface FastEthernet0/19
 switchport mode dynamic auto <-auto?

Must have been thrown on in the initial configs.  A 3550 defaults to dynamic desirable, so dynamic auto only shows up in its running config if someone configured it (on a 3560 it is the default and would not be displayed).

Otherwise, this was a very basic EtherChannel configuration task.

1.3 Trunking

Fun trunking task. 

“All traffic sent over these trunk links should include a 32 bit tag.”

This threw me off at first.  ISL wraps the whole frame in a 26 byte header (plus a 4 byte trailing CRC) while dot1q inserts a 4 byte tag.  What the hell is a 32 byte tag?  Reading the requirement closer, I see 32 BIT, not 32 byte.  Ah...32/8 = 4 bytes = dot1q :-)

Of course, I missed the second important part of that requirement: ALL TRAFFIC

By default dot1q does NOT tag the native VLAN, so any frame on the native VLAN leaves the trunk without a 32 bit tag.  The global command below makes the switch tag native VLAN frames on every dot1q trunk; outside the lab it is also the usual defence against double-tagged VLAN hopping, together with using a native VLAN that no access port belongs to.

vlan dot1q tag native
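As an added example (mine, not from the lab or the IE solution), the Python below builds and parses dot1q frames with constructed addresses so the 32-bit figure is visible in bytes: a tagged frame is exactly 4 bytes longer than its untagged twin and carries the TPID 0x8100 plus a 16-bit TCI. The ingress_vlan function is my model of the trunk's classification rule and assumes that, with native tagging enabled, an untagged frame arriving on the trunk is discarded rather than placed in the native VLAN.

```python
"""802.1Q tag layout and native-VLAN handling (added example; constructed frames).

A dot1q tag is 4 bytes (32 bits): a 2-byte TPID (0x8100) followed by a 2-byte
TCI holding 3 bits of priority, 1 DEI bit and a 12-bit VLAN id. Frames on the
native VLAN of a trunk are sent with no tag unless 'vlan dot1q tag native'
is configured.
"""
import struct

TPID_8021Q = 0x8100


def mac_bytes(mac):
    """'0019.56db.d900' or '00:19:56:db:d9:00' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame, inserting a 32-bit dot1q tag when vlan is given."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        if not 0 <= vlan <= 4095 or not 0 <= pcp <= 7:
            raise ValueError("bad VLAN id or priority")
        tci = (pcp << 13) | vlan            # DEI bit left clear
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the fields of a frame; 'tag_bits' is 32 when a dot1q tag is present, else 0."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[:6].hex(), "src": frame[6:12].hex(),
            "vlan": None, "pcp": None, "tag_bits": 0}
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(vlan=tci & 0x0FFF, pcp=tci >> 13, tag_bits=32)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def ingress_vlan(frame, native_vlan, tag_native=False):
    """VLAN a trunk assigns to an arriving frame.

    Models the rule this example assumes: untagged frames belong to the native
    VLAN, except that with native tagging enabled the switch expects the native
    VLAN to arrive tagged and discards untagged frames (returned as None).
    """
    tagged = parse_frame(frame)["vlan"]
    if tagged is not None:
        return tagged
    return None if tag_native else native_vlan


# Constructed sample frames (not captured from the lab): native VLAN 1, data VLAN 68.
PAYLOAD = b"\x00" * 46
NATIVE_UNTAGGED = build_frame("ffff.ffff.ffff", "0019.56db.d900", 0x0806, PAYLOAD)
VLAN68_TAGGED = build_frame("ffff.ffff.ffff", "0019.56db.d900", 0x0806, PAYLOAD, vlan=68, pcp=5)

if __name__ == "__main__":
    for label, frame in (("untagged", NATIVE_UNTAGGED), ("vlan 68", VLAN68_TAGGED)):
        print(label, len(frame), "bytes", parse_frame(frame)["tag_bits"], "tag bits",
              frame[12:18].hex())
```

The hex dump of bytes 12 to 17 makes the difference concrete: the untagged frame goes straight from the source MAC into the EtherType, the tagged one shows 8100 followed by the TCI before the EtherType.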

1.4 VLAN Assignments

Argh!!!  The dreaded “minimal VLAN configuration with all switches in VTP Transparent mode from the diagram” task.  :-0

I’m getting better at this (I completed the task successfully) but I am still VERY slow.

1.5 Spanning-Tree Filtering

spanning-tree guard

1.6 Spanning-Tree

I monkeyed around with this task trying to match the STP timers required by the task.  I finally gave up and went ahead and explicitly set the timers for VLAN 68.  This cost me the points as I needed to accomplish this task with minimal configuration:

sw2(config)#span vlan 68 hell 1
sw2(config)#span vlan 68 max 7
sw2(config)#span vlan 68 for 5
sw2(config)#do sh span vlan 68

VLAN0068
  Spanning tree enabled protocol ieee
  Root ID    Priority    24644
             Address     0019.56db.d900
             This bridge is the root
             Hello Time   1 sec  Max Age  7 sec  Forward Delay  5 sec

The IE solution is:

spanning-tree vlan 68 root primary diameter 3 hello-time 1

spanning-tree vlan

diameter net-diameter
 (Optional) Set the maximum number of switches between any two end stations. The range is 2 to 7.
 
hello-time seconds
 (Optional) Set the interval between hello bridge protocol data units (BPDUs) sent by the root switch configuration messages. The range is 1 to 10 seconds. 

sw2(config)#spanning-tree vlan 68 root prim dia 3 hello 1
sw2(config)#do sh sp vl 68

VLAN0068
  Spanning tree enabled protocol ieee
  Root ID    Priority    24644
             Address     0019.56db.d900
             This bridge is the root
             Hello Time   1 sec  Max Age  7 sec  Forward Delay  5 sec

1.7 EtherChannel

I did not understand this task at all.  The IE guide has no explanation either.  I understand the technologies involved but I could not figure out what the task was asking for.  :-(

 

March 19, 2008

STP Diameter

Here’s a nice summary of the STP diameter command from GroupStudy:

Hi Gang,

I have a question regarding the STP diameter command, does it do anything?  like stop BPDU’s or something?  I’ve lab’d this up and it doesn’t appear to do anything significant (if at all).

Mucho appreciated,

D

No, the STP diameter is not a hard limit. It is a recommendation from the RFC. Going over the limit can lead to network instability during convergence, but that does not only depend on STP diameter, but also on the STP timers, the number of MAC addresses, etc…

That is just the problem: try explaining to people that they need to limit the STP diameter. Ooh..we add one switch more and see..it still works.. what’s the problem ?

regards,
Geert

So why is it a configurable parameter, it must do something?  Does it just alter timers to “better” assist in the size of the network?

Exactly.
STP DIAMETER modifies STP timers in the switch to optimize convergence time depending on the size of the STP domain (the size of the STP domain is the number of hops, i.e. switches, connected one to the other).

By default the STP timers in every switch are designed to operate well in a domain with 7 HOP switches. (7 hops away from the point of view of the root switch).

Now for example if your domain consist of 3 switches (from the point of view of the root switch), you can modify the diameter to 3, to optimize the stp bpdu convergence time.

By modifying the diameter, the IOS automatically adjusts the hello time, forward delay time and aging time that best fit in a network size of 3 switches.

So the purpose of the tool is to OPTIMIZE the stp convergence time.

March 17, 2008

Internetwork Expert Volume II: Lab 8 – Section 1

Bridging and Switching – 20 Points

“There are no faults in the initial configurations.”
“Do not alter the commands in the initial configurations.”

1.1 Trunking

First things first, CCOnlinelabs does not use fa0/24 to connect to the BBs (backbone routers).

On sw2 they use fa0/10:

sw2#sh run int fa0/24
interface FastEthernet0/24
 switchport access vlan 52
end

sw2#sh run int fa0/10
interface FastEthernet0/10
end

That means I need to move the config from fa0/24 to fa0/10.  After altering the configuration to match the CCOnlinelabs topology, I finished the easy trunking tasks.

I did notice something odd though:

sw1(config-if-range)#do sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 15
VTP Operating Mode              : Transparent
VTP Domain Name                 : CCIELAB
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x99 0x68 0x38 0x79 0xE4 0x3B 0x99 0xFF
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

All of the switches are configured this way.

sw2(config)#vtp version ?
  <1-2>  Set the adminstrative domain VTP version number

I looked through the initial configs and I don't see anything that sets these to VTP version 1.  This may be something left over on the rental switches.  It should not matter as all switches are in VTP Transparent mode.  A transparent switch running VTP version 1 only forwards advertisements whose domain name and version match its own and drops the rest; in VTP version 2 a transparent switch forwards advertisements regardless of domain name or version.  Either way it does not install them.

Weird:

r5#sh vlan 52
% Ambiguous command:  "sh vlan 52"

r5#sh vlans 52

Virtual LAN ID:  52 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet0/1.52

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              192.10.1.5                 905                  88
        Other                                           0                   1

   913 packets, 60196 bytes input
   89 packets, 5450 bytes output

r5#sh vlan?
vlan-range  vlan-switch  vlans

“show vlans”????

show vlans

To view virtual LAN (VLAN) subinterfaces, use the show vlans command in privileged EXEC mode.

1.2 Trunking

This task required that you configure trunks between sw3 and sw1  (both are 3560s in this rack) by using DTP.  Should I set ‘dyn des’ on both sides or just one?

I did both sides.  IE only did it on one side.

1.3 Trunking

“use minimal conf poss on sw1 to accomplish this task”

sw1 = 3560 – switchport mode dynamic auto
sw4 = 3550 – switchport mode dynamic desirable

sw4(config)#do sh run | b 0/13
interface FastEthernet0/13
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/14
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/15
 switchport mode dynamic desirable
 shutdown

I should be able to just no shut both sides to dynamically create 3 ISL trunks:

sw4(config)#int range fa0/13 - 15
sw4(config-if-range)#no sh

sw1(config-if-range)#int range fa0/19 - 21
sw1(config-if-range)#no sh

sw1:
sw1(config-if-range)#do sh int trun | i 0/19|0/20|0/21
Fa0/19      auto             n-isl          trunking      1
Fa0/20      auto             n-isl          trunking      1
Fa0/21      auto             n-isl          trunking      1

sw4:
sw4(config-if-range)#do sh int trunk | i 0/13|0/14|0/15
Fa0/13      desirable        n-isl          trunking      1
Fa0/14      desirable        n-isl          trunking      1
Fa0/15      desirable        n-isl          trunking      1

1.4 Spanning-Tree Protocol

Create root switches for batches of VLANs.

“Use the fewest commands needed to accomplish this task.”

This is where reading ahead pays off.  Task 1.7 is going to require that we use MST.  I need to set up MST before I start making root switches.  Hop ahead to task 1.7

*IE even combines these tasks in the solution guide.

1.7 Spanning-Tree Protocol

Set up a single instance of spanning-tree for 4 sets of VLANs.  Time for MST.

Specifying the MST Region Configuration and Enabling MSTP (required)

You need to remember that you'll have to cut and paste this configuration on each switch.  The region name, the revision number and the complete instance-to-VLAN mapping all have to match exactly: each switch computes a digest over the whole mapping and carries it in its BPDUs, so one VLAN in the wrong instance (or a different revision number) puts that switch in a region of its own, and the link to it becomes a region boundary.

sw1(config)#spanning-tree mst config
sw1(config-mst)#instance 1 vlan 3-7
sw1(config-mst)#instance 2 vlan 13-45
sw1(config-mst)#instance 3 vlan 52-67
sw1(config-mst)#instance 4 vlan 1,1001
sw1(config-mst)#name MYMST
sw1(config-mst)#revision 1
sw1(config-mst)#exit
sw1(config)#spanning-tree mode mst

Very cool/odd command.  A show command from within MST configuration mode:

sw1(config-mst)#show pending
Pending MST configuration
Name      [MYMST]
Revision  1     Instances configured 5

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         2,8-12,46-51,68-1000,1002-4094
1         3-7
2         13-45
3         52-67
4         1,1001
-------------------------------------------------------------------------------

Remember that instance 0 is created by default and includes any VLANs not explicitly assigned to other instances.

Tip:  If you do “do show history” in configuration mode, this will show your last x configuration entries.  I use this if I need to cut and paste a configuration on a bunch of devices.

sw1(config)#do sh hist
  do sh run int fa0/18
  do sh int trunk
  int range fa0/19 - 21
  no sh
  do sh int trun | i 0/19|0/20|0/21
  do wr
  exit
  spanning-tree mst con
  instance 1 vlan 3-7
  instance 2 vlan 13-45
  instance 3 vlan 52-67
  instance 4 vlan 1,1001
  name MYMST
  revision 1

  do sh pending
  show pending
  exit
  spanning-tree mode mst

I can now paste this on the rest of the switches:

  spanning-tree mst con
  instance 1 vlan 3-7
  instance 2 vlan 13-45
  instance 3 vlan 52-67
  instance 4 vlan 1,1001
  name MYMST
  revision 1
  exit
  spanning-tree mode mst

sw2(config)#  spanning-tree mst con
sw2(config-mst)#  instance 1 vlan 3-7
sw2(config-mst)#  instance 2 vlan 13-45
sw2(config-mst)#  instance 3 vlan 52-67
sw2(config-mst)#  instance 4 vlan 1,1001
sw2(config-mst)#  name MYMST
sw2(config-mst)#  revision 1
sw2(config-mst)#  exit
sw2(config)#  spanning-tree mode mst
sw2(config)#^Z
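Because the whole point of the paste above is that every switch must end up with an identical region configuration, here is an added Python example (mine, not the lab's and not Cisco's code) that parses a pasted block like the one above, reproduces the show pending instance-to-VLAN view, and computes the MST configuration digest that the BPDUs carry, using the HMAC-MD5 construction and signature key from IEEE 802.1Q clause 13.7 (originally 802.1s). LAB_CONFIG is the lab's block as typed; SIGNATURE_KEY is the standard's fixed key and DEFAULT_DIGEST is the digest every Catalyst prints for the default mapping. A one-VLAN typo on a second switch is enough to change the digest and split the region.

```python
"""MST configuration identifier check (added example; not Cisco's code).

Per IEEE 802.1Q clause 13.7 the configuration digest is HMAC-MD5 over the MST
Configuration Table: 4096 two-octet big-endian MSTID values, element N holding
the instance of VLAN N (elements 0 and 4095 stay 0), keyed with the fixed
signature key below. Name, revision and digest must all match for two
switches to be in one MST region.
"""
import hashlib
import hmac
import re

SIGNATURE_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Digest every switch shows with the default mapping (all VLANs in instance 0).
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"


def parse_vlan_list(spec):
    """'1,1001' or '13-45' -> set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mst_config(text):
    """Turn pasted 'spanning-tree mst configuration' lines into (name, revision, table)."""
    name, revision = "", 0
    table = [0] * 4096          # every VLAN starts in instance 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            name = line.split(None, 1)[1]
        elif line.startswith("revision "):
            revision = int(line.split()[1])
        elif (m := re.fullmatch(r"instance (\d+) vlan (.+)", line)):
            instance = int(m.group(1))
            for vid in parse_vlan_list(m.group(2)):
                if not 1 <= vid <= 4094:
                    raise ValueError(f"VLAN {vid} out of range")
                table[vid] = instance
    return name, revision, table


def config_digest(table):
    """Hex digest as 'show spanning-tree mst configuration digest' prints it."""
    if len(table) != 4096:
        raise ValueError("table must have 4096 entries")
    data = b"".join(instance.to_bytes(2, "big") for instance in table)
    return hmac.new(SIGNATURE_KEY, data, hashlib.md5).hexdigest().upper()


def instance_map(table):
    """Reproduce the 'show pending' view: instance -> compact VLAN ranges (1-4094)."""
    members = {}
    for vid in range(1, 4095):
        members.setdefault(table[vid], []).append(vid)
    view = {}
    for instance, vids in sorted(members.items()):
        ranges, start, prev = [], vids[0], vids[0]
        for vid in vids[1:]:
            if vid != prev + 1:
                ranges.append((start, prev))
                start = vid
            prev = vid
        ranges.append((start, prev))
        view[instance] = ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)
    return view


def same_region(cfg_a, cfg_b):
    """True only if name, revision and digest all agree."""
    na, ra, ta = parse_mst_config(cfg_a)
    nb, rb, tb = parse_mst_config(cfg_b)
    return (na, ra, config_digest(ta)) == (nb, rb, config_digest(tb))


# The lab's pasted block, as typed on the switches.
LAB_CONFIG = """
spanning-tree mst configuration
 instance 1 vlan 3-7
 instance 2 vlan 13-45
 instance 3 vlan 52-67
 instance 4 vlan 1,1001
 name MYMST
 revision 1
"""

if __name__ == "__main__":
    name, rev, table = parse_mst_config(LAB_CONFIG)
    print(name, rev, config_digest(table))
    for inst, vlans in instance_map(table).items():
        print(f"{inst:<9} {vlans}")
```

Compare the printed digest with show spanning-tree mst configuration digest on each switch after the paste; a digest mismatch, not the instance count, is what separates regions.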

Nice command to get a quick look at MST:

sw4#sh spann mst | i MST
##### MST0    vlans mapped:   2,8-12,46-51,68-1000,1002-4094
##### MST1    vlans mapped:   3-7
Root          this switch for MST1
##### MST2    vlans mapped:   13-45
Root          this switch for MST2
##### MST3    vlans mapped:   52-67
Root          this switch for MST3
##### MST4    vlans mapped:   1,1001
Root          this switch for MST4
sw4#

This will show you the vlans mapped for each instance and whether or not you’re the root for the instance [if you're not on the root switch, the "Root" output will not show up, only the VLAN mappings]

Back to 1.4

1.4 Spanning-Tree Protocol

Okay.  NOW we can start setting roots (copy tasks from above).

Configuring the MST Root Switch

sw1#sh span mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.aa80  priority      32769 (32768 sysid 1)
Root          address 000d.65a3.bf00  priority      32769 (32768 sysid 1)  <-sw4
              port    Fa0/19          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 200000    128.3    P2p
Fa0/3            Desg FWD 200000    128.5    P2p
Fa0/9            Desg FWD 2000000   128.11   Shr
Fa0/11           Desg FWD 2000000   128.13   Shr
Fa0/13           Desg FWD 200000    128.15   P2p
Fa0/14           Desg FWD 200000    128.16   P2p
Fa0/15           Desg FWD 200000    128.17   P2p
Fa0/16           Desg FWD 200000    128.18   P2p
Fa0/17           Desg FWD 200000    128.19   P2p
Fa0/18           Desg FWD 200000    128.20   P2p
Fa0/19           Root FWD 200000    128.21   P2p
Fa0/20           Altn BLK 200000    128.22   P2p
Fa0/21           Altn BLK 200000    128.23   P2p

sw1(config)#spanning-tree mst 1 root primary

sw1(config)#do sh span mst | i MST
##### MST0    vlans mapped:   2,8-12,46-51,68-1000,1002-4094
##### MST1    vlans mapped:   3-7
Root          this switch for MST1
##### MST2    vlans mapped:   13-45
##### MST3    vlans mapped:   52-67
##### MST4    vlans mapped:   1,1001

sw1(config)#do sh spann mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.aa80  priority      24577 (24576 sysid 1)
Root          this switch for MST1
—output truncated—

NOTE:  Here’s where the “minimal command” issue needs clarification.  Since sw4 is ALREADY the root for MST instance 4 (vlans 1 and 1001), then I shouldn’t need to do any configuration to make it the root. 

sw4(config)#do sh span mst | i MST
##### MST0    vlans mapped:   2,8-12,46-51,68-1000,1002-4094
##### MST1    vlans mapped:   3-7
##### MST2    vlans mapped:   13-45
##### MST3    vlans mapped:   52-67
##### MST4    vlans mapped:   1,1001
Root          this switch for MST4

BUT there is another requirement:

“No switch should be the elected root based upon a lower MAC address.”

sw4 is elected based on the lowest MAC address (priorities are the same on all switches in MST instance 4) so we DO need to explicitly configure sw4 as the root bridge.

1.5 Layer 2 Tunneling

r2 fa0/0 -> sw2 fa0/2
r6 fa0/1 -> sw4 fa0/6

I have to tunnel sw2 fa0/2 to sw4 fa0/6.  That way the routers can trunk directly to each other?

Configuring IEEE 802.1Q Tunneling

vlan dot tag native
!
int fa0/6
 swit mode dot1
 l2protocol-tunnel stp
 l2protocol-tunnel cdp

[sw2 and sw4 already had their MTU set to 1504]

r2#sh cdp neigh fa0/0 | b Dev
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
r6               Fas 0/0            127        R S I      2811      Fas 0/1

r2#ping 174.1.26.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.26.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

1.6 Spanning-Tree Protocol

The task requires you to force MST instance 1 VLANs (3-7) to prefer to forward traffic to sw1 (the root) over the highest numbered DIRECTLY connected port.  If a port fails, prefer the next highest numbered port.  Complete this configuration on sw1.

The switches are currently using the lowest numbered directly connected port as the root port:

sw2#sh spann mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.d900  priority      32769 (32768 sysid 1)
Root          address 0019.56db.aa80  priority      24577 (24576 sysid 1)
              port    Fa0/13          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/4            Desg FWD 200000    128.6    P2p
Fa0/13           Root FWD 200000    128.15   P2p
Fa0/14           Altn BLK 200000    128.16   P2p
Fa0/15           Altn BLK 200000    128.17   P2p
Fa0/19           Altn BLK 200000    128.21   P2p

I can change this on the root switch (sw1) by lowering the port-priority on the ports that sw2 should prefer.  Lowering it on sw2's own ports would not help: the sender's port ID is compared before the receiver's, so the choice is made by the values sw1 advertises in its BPDUs.

sw2 fa0/15 is connected to sw1 fa0/15
sw2 fa0/14 is connected to sw1 fa0/14
sw2 fa0/13 is connected to sw1 fa0/13

We need to remember that we’re running MST:

spanning-tree mst instance-id port-priority priority

sw1(config)#int fa0/15
sw1(config-if)#spanning-tree mst 1 port-priority 0
sw1(config-if)#int fa0/14
sw1(config-if)#spanning-tree mst 1 port-priority 16

sw1#sh spann mst 1 det | b net0/13
FastEthernet0/13 of MST1 is designated forwarding
Port info             port id         128.15  priority    128  cost      200000
Designated root       address 0019.56db.aa80  priority  24577  cost           0
Designated bridge     address 0019.56db.aa80  priority  24577  port id   128.15
Timers: message expires in 0 sec, forward delay 0, forward transitions 5
Bpdus (MRecords) sent 3196, received 861

FastEthernet0/14 of MST1 is designated forwarding
Port info             port id          16.16  priority     16 cost      200000
Designated root       address 0019.56db.aa80  priority  24577  cost           0
Designated bridge     address 0019.56db.aa80  priority  24577  port id    16.16
Timers: message expires in 0 sec, forward delay 0, forward transitions 5
Bpdus (MRecords) sent 4032, received 3364

FastEthernet0/15 of MST1 is designated forwarding
Port info             port id           0.17  priority      0  cost      200000
Designated root       address 0019.56db.aa80  priority  24577  cost           0
Designated bridge     address 0019.56db.aa80  priority  24577  port id     0.17
Timers: message expires in 0 sec, forward delay 0, forward transitions 5
Bpdus (MRecords) sent 4032, received 3364

sw2#sh spann mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.d900  priority      32769 (32768 sysid 1)
Root          address 0019.56db.aa80  priority      24577 (24576 sysid 1)
              port    Fa0/15          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/4            Desg FWD 200000    128.6    P2p
Fa0/13           Altn BLK 200000    128.15   P2p
Fa0/14           Altn BLK 200000    128.16   P2p
Fa0/15           Root FWD 200000    128.17   P2p  <-booyah
Fa0/19           Altn BLK 200000    128.21   P2p
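As an added illustration (not from the original post or from Cisco), here is a small Python model of the root-port tie-break sw2 is applying above: with equal root path cost and the same designated bridge, the lowest sender port ID (sw1's priority.port-number) wins, which is why lowering sw1's MST1 port priority on Fa0/15 and Fa0/14 moves sw2's root port. Bridge ID and port numbers come from the output above; the 200000 path cost assumes 100 Mb/s links.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


def port_id(priority: int, port_number: int) -> int:
    """Encode an 802.1D/802.1s port ID: the 4 high bits carry priority/16
    (so priority is 0-240 in steps of 16), the low 12 bits the port number.
    IOS displays this as 'priority.port-number', e.g. 128.15."""
    if not 0 <= priority <= 240 or priority % 16:
        raise ValueError("port priority must be 0-240 in steps of 16")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number must fit in 12 bits")
    return ((priority // 16) << 12) | port_number


@dataclass(frozen=True)
class ReceivedBpdu:
    """What a non-root switch learns on one of its ports. root_path_cost already
    includes the receiving port's own path cost (200000 for 100 Mb/s, assumed)."""
    local_port: str
    root_path_cost: int
    designated_bridge: tuple   # (bridge priority incl. sysid, MAC) of the sender
    designated_port_id: int    # sender's port ID as encoded by port_id()
    local_port_id: int         # receiving port ID, final tie-break


def select_root_port(bpdus: Iterable[ReceivedBpdu]) -> Optional[str]:
    """Return the local interface carrying the superior priority vector:
    lowest root path cost, then lowest designated bridge ID, then lowest
    designated (sender) port ID, then lowest receiving port ID."""
    bpdus = list(bpdus)
    if not bpdus:
        return None
    best = min(bpdus, key=lambda b: (b.root_path_cost, b.designated_bridge,
                                      b.designated_port_id, b.local_port_id))
    return best.local_port


SW1 = (24577, "0019.56db.aa80")  # root bridge ID for MST1, from the show output


def sw2_view(sw1_priorities: dict) -> list:
    """Build sw2's received BPDUs for its three links to sw1. sw2 Fa0/13-15 are
    cabled to sw1 Fa0/13-15 (same names), so the dict is keyed by interface
    name and holds sw1's MST1 port priority; unlisted ports keep the default 128."""
    links = {"Fa0/13": 15, "Fa0/14": 16, "Fa0/15": 17}  # interface -> port number
    return [ReceivedBpdu(local_port=intf, root_path_cost=200000, designated_bridge=SW1,
                         designated_port_id=port_id(sw1_priorities.get(intf, 128), num),
                         local_port_id=port_id(128, num))
            for intf, num in links.items()]


BEFORE = sw2_view({})                           # all sw1 ports at default 128
AFTER = sw2_view({"Fa0/15": 0, "Fa0/14": 16})   # the two commands from the task

if __name__ == "__main__":
    print("before:", select_root_port(BEFORE))  # Fa0/13
    print("after: ", select_root_port(AFTER))   # Fa0/15
    # "If a port fails, prefer the next highest numbered port":
    print("Fa0/15 down:", select_root_port(b for b in AFTER if b.local_port != "Fa0/15"))  # Fa0/14
```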

1.8 Etherchannel

Create a couple of L3 EtherChannels.

1.9 Interface Negotiation

Hard code all ports in vlan 3 to 100/Full

sw1#sh vlan br | i VLAN0003
3    VLAN0003                         active    Fa0/3, Fa0/9, Fa0/10, Fa0/11

sw1(config)#interface range fa0/3 , fa0/9 - 11
sw1(config-if-range)#speed 100
sw1(config-if-range)#duplex full

Remember that you need to hard-code BOTH sides of the link to avoid speed/duplex mismatches:

04:47:14: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/3(not half duplex), with r3 FastEthernet0/0 (half duplex).

sw1#sh cdp nei f0/3
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
r3               Fas 0/3           153          R S I     2811      Fas 0/0

r3(config)#int fa0/0
r3(config-if)#speed 100
r3(config-if)#duplex full

sw1#sh int status | i 3
Fa0/3                        connected    3            full    100 10/100BaseTX
Fa0/9                        notconnect   3            full    100 10/100BaseTX
Fa0/10                       notconnect   3            full    100 10/100BaseTX
Fa0/11                       notconnect   3            full    100 10/100BaseTX

Fa0/13                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/23                       notconnect   1            auto   auto 10/100BaseTX

DOH!!!!  The IE solution did not include fa0/3 on sw1 (connected to r3 fa0/0).  This is a matter of question interpretation.  The task states the Windows machines are getting network errors.  Then it states:

“In order to resolve this problem, ensure that all ports in VLAN 3 are hard coded to 100Mbps Full-Duplex.”

In order to meet the last requirement you would need to hard code fa0/3 to 100/Full.  BUT the problem is NOT with network devices, but with hosts.  Another “ask the proctor” moment.  :-)

March 7, 2008

spanning-tree link-type

I ran into the ‘spanning-tree link-type’ command while reviewing switching this week:

spanning-tree link-type

Use the spanning-tree link-type interface configuration command to override the default link-type setting, which is determined by the duplex mode of the interface, and to enable rapid spanning-tree transitions to the forwarding state. Use the no form of this command to return to the default setting.

spanning-tree link-type {point-to-point | shared}
no spanning-tree link-type

Syntax Description
 point-to-point   Specify that the link type of an interface is point-to-point.
 shared           Specify that the link type of an interface is shared.

Defaults
The switch derives the link type of an interface from the duplex mode. A full-duplex interface is considered a point-to-point link, and a half-duplex interface is considered a shared link.

Usage Guidelines
You can override the default setting of the link type by using the spanning-tree link-type command. For example, a half-duplex link can be physically connected point-to-point to a single interface on a remote switch running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol and be enabled for rapid transitions.

Examples
This example shows how to specify the link type as shared (regardless of the duplex setting) and to prevent rapid transitions to the forwarding state:

Switch(config-if)# spanning-tree link-type shared

This is an interesting command that I had never encountered before.  Chances are pretty slim that I’ll ever use it in the wild, but I sure made a note of it for my CCIE studies.  When I encounter odd commands like this, I like to create a list of tasks that could be written that would require the command:

“Ensure that half-duplex spanning-tree ports are treated as point-to-point ports.”

I don’t need to memorize the command or its parameters, but I do like to know that it exists and to be familiar enough with its function that if I saw the above task, it would turn on a light in my head and I would know where to look in the DOCCD to find the command.

February 18, 2008

Internetwork Expert Volume II: Lab 12 – Section 2

Section 2 – Bridging and Switching – 16 Points

2.1 Core Layer 2

This task was an interesting twist on a standard L2 core task.  You are asked to configure each of the switches to match a couple of show commands:

sw3(config-if)#do sh vtp stat | i (Operating Mode|Name)
VTP Operating Mode              : Client
VTP Domain Name                 : IE
sw3(config-if)#do sh vlan br | e (unsup|^1 |^ )

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active
17   VLAN0017                         active
22   VLAN0022                         active
33   VLAN0033                         active    Fa0/3
38   VLAN0038                         active    Fa0/24
45   VLAN0045                         active    Fa0/5
46   VLAN0046                         active
58   VLAN0058                         active

I actually found this task to be easier than usual.  BUT…make sure you open your ports.  IE shut a number of them down in the initial configurations. 

2.2 EtherChannel

This was an easy Layer 3 EtherChannel task, except that the diagram has an incorrect subnet for po34 between sw3 and sw4.  It should be 129.x.34.0/24 and not 129.x.43.0/24.

2.2 – typo/difference between diagram and solution

2.3 MAC Filtering

You need to limit a couple of ports to only learning two MAC addresses and to shut down for 60 seconds if they learn a third. 

Configuring Port Security

• The switch does not support port security aging of sticky secure MAC addresses.

(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:

• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

• restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

• shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

We need to use shutdown mode (the default) together with errdisable recovery cause psecure-violation.

errdisable recovery

Defaults
Recovery is disabled for all causes.
The default recovery interval is 300 seconds.

Here’s the configuration:

errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
interface range fa0/7 - 8
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown

sw1#sh errdisable recovery | e Dis
-----------------    --------------
psecure-violation    Enabled

Timer interval: 60 seconds

Interfaces that will be enabled at the next timeout:

sw1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/7                         0                  0         Shutdown
      Fa0/8              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6272

2.4 MAC Filtering

This was a pretty easy MAC filtering task using MAC ACLs….or so I thought.  :-)

Port ACLs

Creating Named MAC Extended ACLs

mac access-list extended FILTER_ROUTER
deny host 0030.1369.87a0 any
permit any any

Applying a MAC ACL to a Layer 2 Interface

sw1(config-if-range)#mac access-group FILTER_ROUTER ?
  in  Apply to Ingress

sw1(config-if-range)#mac access-group FILTER_ROUTER in

sw1#sh mac access-group int fa0/7
Interface FastEthernet0/7:
   Inbound access-list is FILTER_ROUTER
   Outbound access-list is not set
sw1#sh mac access-group int fa0/8
Interface FastEthernet0/8:
   Inbound access-list is FILTER_ROUTER
   Outbound access-list is not set

After all of that…the solution guide uses:

mac-address-table static 0030.1369.87a0 vlan 17 drop

Okay…why?  Well, there’s a really good reason. :-)

The immediate reaction to this task is typically to use an extended MAC address access-list to deny traffic from this MAC address from entering interfaces fa0/7 or fa0/8.  However, MAC address access-lists only affect non-IP traffic.  Therefore, assuming that hosts on VLAN 17 are running IP (a fair assumption), using a MAC access-list to filter this host will have no effect.

Good discussion about this task:

Task 2.4

2.5 QoS

Police a port to 3Mbps, but don’t use policing.  Clue: the task specifies unicast traffic.

Configuring Storm Control

Storm control uses one of these methods to measure traffic activity:

• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic

• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later)

• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later)

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

REMEMBER that Storm control is inbound!!!

Storm control has some WEIRD parameters:

sw2(config-if)#storm-control unicast level bps ?
  <0.0 - 10000000000.0>[k|m|g]  Enter rising threshold

Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.

• bps—Rising suppression level, up to 1 decimal place. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.

sw2(config-if)#storm-control unicast level bps 3000000

sw2(config-if)#do sh run int fa0/2
interface FastEthernet0/2
 switchport access vlan 22
 storm-control unicast level bps 3m

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/24     Forwarding         3m bps       3m bps        0 bps

Send some large pings from r2 to bb2:

r2#p 192.10.1.254 re 10000 si 1500

Type escape sequence to abort.
Sending 10000, 1500-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/2      Blocking           3m bps       3m bps    7.83m bps

01:29:46: %STORM_CONTROL-3-FILTERED: A Unicast storm detected on Fa0/2. A packet filter action has been applied on the interface.

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/2      Forwarding         3m bps       3m bps   12.89k bps

The IE solution uses the older percentage of interface bandwidth configuration:

storm-control unicast level 3.00
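To make the rising/falling rule and the unit handling concrete, here is an added Python model (not from the post or from IOS) that parses the k/m/g suffixes, converts the older percentage form to bits per second for a 100 Mb/s port (an assumption matching the FastEthernet ports in the lab), and walks a port through the Forwarding, Blocking, Forwarding sequence seen in the show output above.

```python
from typing import List, Optional, Sequence

LINK_BPS = 100_000_000  # assumption: FastEthernet access port, as in the lab


def parse_bps(level: str) -> float:
    """Parse a 'storm-control ... level bps' value such as '3m', '12.89k' or '3000000'."""
    units = {"k": 1e3, "m": 1e6, "g": 1e9}
    level = level.strip().lower()
    if level and level[-1] in units:
        return float(level[:-1]) * units[level[-1]]
    return float(level)


def percent_to_bps(percent: float, link_bps: int = LINK_BPS) -> float:
    """Convert the older 'storm-control unicast level <percent>' form to bits per
    second for the given link speed, so 'level 3.00' on 100 Mb/s equals 'level bps 3m'."""
    if not 0.0 <= percent <= 100.0:
        raise ValueError("percentage must be between 0.00 and 100.00")
    return link_bps * percent / 100.0


def next_state(state: str, current_bps: float, rising_bps: float,
               falling_bps: Optional[float] = None) -> str:
    """Apply the rule quoted above: block when the measured rate reaches the rising
    level; stay blocked until it drops below the falling level. When no falling level
    is configured IOS uses the rising level for both (the show output prints 3m/3m)."""
    if falling_bps is None:
        falling_bps = rising_bps
    if falling_bps > rising_bps:
        raise ValueError("falling level must not exceed the rising level")
    if state == "Forwarding":
        return "Blocking" if current_bps >= rising_bps else "Forwarding"
    return "Forwarding" if current_bps < falling_bps else "Blocking"


def simulate(samples: Sequence[float], rising_bps: float,
             falling_bps: Optional[float] = None) -> List[str]:
    """Feed one measured rate per interval and return the filter state after each."""
    state, trace = "Forwarding", []
    for bps in samples:
        state = next_state(state, bps, rising_bps, falling_bps)
        trace.append(state)
    return trace


if __name__ == "__main__":
    # Constructed samples mirroring the 'Current' column above: idle, ping flood, idle.
    seen = [parse_bps(s) for s in ("0", "7.83m", "12.89k")]
    print(simulate(seen, parse_bps("3m")))  # ['Forwarding', 'Blocking', 'Forwarding']
```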

2.6 Traffic Filtering

Stop PCs on a VLAN from communicating directly with each other, but allow them to still communicate with other ports or interfaces in the VLAN.  Use the minimum configuration.

switchport protected

Use the switchport protected interface configuration command to isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch. Use the no form of this command to disable protection on the port.

So….which ports do I apply it to?

The answer shows fa0/7 and fa0/8 on sw1.  Are they part of VLAN 17?

Well….they were initially, but I thought that that was an initial config error (see error 4?)

From the initial config:

interface range Fa0/7 - 8
 switchport access vlan 17
 no shutdown

By completing this task you will “break” task 2.1.  I think that this is just the result of a mistake in the lab document for task 2.1.

sw1#sh int fa0/7 swit | i Protected
Protected: true
sw1#sh int fa0/8 swit | i Protected
Protected: true

February 12, 2008

Cisco: Free Multiple Spanning Tree Training

Although this training is not specific to the CCIE, it may still be a good resource for those who are learning or reviewing MST (you will need a CCO account to access the CCNP Prep site):

CCNP TV: BCMSN – Implementing Multiple Spanning Tree Protocol, February 28, 2007

Join more than 40,000 CCNP Prep Center users for an hour long monthly online TV talk show.
Sign up now: Attendance space is limited, so visit www.cisco.com/go/prep-ccnp and click “Register Now” under the Prep Center TV heading to reserve your space today.

Date: Thursday, February 28, 2007
Time: 11 a.m. Eastern Time, 8 a.m. Pacific Time, and 16:00 GMT
Title: Multiple Spanning Tree Protocol
The program will focus on the following objectives and is designed to provide information that will assist in passing the Cisco Certified Network Professional exam. After the presentation, we’ll be taking live calls from the audience during the Q&A session.  You may also submit questions electronically.

Objectives:
During the show, Cisco Experts will discuss:

  • Motivation behind 802.1s MSTP
  • Comparison of MSTP Instances to PVST
  • MST Region, what is it?  What needs to Match?
  • MST BPDUs and MRecords
  • MST and CST interaction
  • MST configurations
  • MST verification

To learn more, visit the www.cisco.com/go/prep-ccnp page.
