CCIE Pursuit Blog

April 28, 2008

Internetwork Expert Volume II: Lab 5 – Section 2

Bridging and Switching – 16 Points

2.1 VLAN Assignments

Easy enough task with all four switches running in VTP Transparent mode.  I actually finished all of the Layer 2 tasks (including Frame Relay) and then came back to this task to see which VLANs would need to be added.  The only connection that was not working was r4 (fa0/0 in VLAN 4 on sw2) to BB3 (VLAN 4 on sw3).  There was no direct trunk between sw2 and sw3, so I needed to add VLAN 4 to sw1:

sw1(config)#vlan 4
sw1(config-vlan)#exit

r4#p 204.12.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The IE solution is missing VLAN 2005 on sw1.

2.2 Etherchannel

Easy EtherChannel task.

2.3 Load Distribution

Configure an EtherChannel so that it is optimized for multiple clients behind sw1 reaching a single server behind sw2.

We can use the example cited here:

Load Balancing and Forwarding Methods

port-channel load-balance

We want sw1 (workstations) to use source-based forwarding and sw2 (single server) to use destination-based forwarding.  This will most widely balance our traffic.

dst-ip
 Load distribution is based on the destination host IP address.
 
dst-mac
 Load distribution is based on the destination host MAC address. Packets to the same destination are sent on the same port, but packets to different destinations are sent on different ports in the channel.
 
src-dst-ip
 Load distribution is based on the source and destination host IP address.
 
src-dst-mac
 Load distribution is based on the source and destination host MAC address.
 
src-ip
 Load distribution is based on the source host IP address.
 
src-mac
 Load distribution is based on the source MAC address. Packets from different hosts use different ports in the channel, but packets from the same host use the same port.

Do we want to source on MAC or IP address????

sw2(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

Task 2.3

For this task traffic from the file server located behind BB2 will be sent across the trunk with the source MAC address of BB2’s Ethernet interface and source IP address of this server. By default all of this traffic would use only one of the Etherchannel trunk links since the default is to load balance based on the source MAC address. With IP address destination based load balancing enabled on SW2 this traffic will now be distributed across both links. Traffic destined to BB2 will have the same source MAC address of R1, the same destination MAC address of BB2 and the same destination IP address, so we need IP address source based load balancing on SW1.

sw1#show etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-ip):
Non-IP: Source MAC address
  IPv4: Source IP address
  IPv6: Source IP address

sw2#show etherchannel load-balance
EtherChannel Load-Balancing Operational State (dst-ip):
Non-IP: Destination MAC address
  IPv4: Destination IP address
  IPv6: Destination IP address
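The reasoning above (one server MAC behind BB2, many client IPs behind R1) modelled in Python. This is an added example for this post, not Cisco's hashing code or the lab's configuration: the MAC and IP addresses are constructed, and picking the member link from the low-order bit of the selected field is a simplification of what the switch actually does.

```python
# Simplified model of EtherChannel load distribution on a two-link bundle.
# Constructed for this post; not the switch's real hash. Each method selects
# header field(s), and the link index is derived from their low-order bit(s).
from collections import Counter

METHODS = ["src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip"]


def mac_to_int(mac: str) -> int:
    """'0000.0c00.bb02' -> integer."""
    return int(mac.replace(".", ""), 16)


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def select_link(frame: dict, method: str, links: int = 2) -> int:
    """Return the member-link index (0..links-1) chosen for one frame."""
    if method == "src-mac":
        key = mac_to_int(frame["src_mac"])
    elif method == "dst-mac":
        key = mac_to_int(frame["dst_mac"])
    elif method == "src-dst-mac":
        key = mac_to_int(frame["src_mac"]) ^ mac_to_int(frame["dst_mac"])
    elif method == "src-ip":
        key = ip_to_int(frame["src_ip"])
    elif method == "dst-ip":
        key = ip_to_int(frame["dst_ip"])
    elif method == "src-dst-ip":
        key = ip_to_int(frame["src_ip"]) ^ ip_to_int(frame["dst_ip"])
    else:
        raise ValueError(f"unknown load-balance method {method!r}")
    return key % links


def distribution(frames, method: str, links: int = 2) -> dict:
    """How many frames land on each member link under a given method."""
    return dict(Counter(select_link(f, method, links) for f in frames))


def most_balanced(frames, links: int = 2) -> str:
    """Method that uses the most links, breaking ties on the lightest busiest link."""
    def spread(method):
        d = distribution(frames, method, links)
        return (len(d), -max(d.values()))
    return max(METHODS, key=spread)


# Constructed addresses standing in for the lab topology (not from the lab).
SERVER_MAC = "0000.0c00.bb02"   # BB2's Ethernet MAC, in front of the file server
ROUTER_MAC = "0000.0c00.0001"   # R1's MAC, in front of the workstations
SERVER_IP = "10.2.0.100"
CLIENT_IPS = ["10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4"]

# Server -> clients as seen by sw2: one source MAC, one destination MAC,
# one source IP, but a different destination IP per client.
SERVER_TO_CLIENTS = [
    {"src_mac": SERVER_MAC, "dst_mac": ROUTER_MAC, "src_ip": SERVER_IP, "dst_ip": c}
    for c in CLIENT_IPS
]
# Clients -> server as seen by sw1: one source MAC (R1), one destination MAC,
# one destination IP, but a different source IP per client.
CLIENTS_TO_SERVER = [
    {"src_mac": ROUTER_MAC, "dst_mac": SERVER_MAC, "src_ip": c, "dst_ip": SERVER_IP}
    for c in CLIENT_IPS
]

if __name__ == "__main__":
    for label, frames in (("sw2 (server side)", SERVER_TO_CLIENTS),
                          ("sw1 (client side)", CLIENTS_TO_SERVER)):
        print(label)
        for m in METHODS:
            print(f"  {m:<12} links used: {distribution(frames, m)}")
        print(f"  best: {most_balanced(frames)}")
```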

2.4 CAM Table Maintenance

“…configure sw2 so that it discards inactive entries from VLAN 8 and VLAN 88 after 10 seconds.”

mac address-table aging-time

Defaults
The default is 300 seconds.

sw2(config)#mac-address-table aging-time 10 vlan 8
sw2(config)#mac-address-table aging-time 10 vlan 88

sw2#sh mac address-table aging-time
Vlan    Aging Time
----    ----------
   1     300
  27     300
   4     300
 162     300
   8      10
  88      10

2.5 EtherChannel

Basic layer 3 EtherChannel.  You get to set up an EtherChannel with only one connection.  🙂


April 9, 2008

Internetwork Expert Volume III: Lab 5 – Section 2

Bridging and Switching – 9 Points

2.1 Trunking

Very easy trunking task.  You just need to make sure at least one side of each trunk link is in dynamic desirable mode.

The eternal question: What to do about all of the other dynamically created trunks?

In the solution guide the other trunks (negotiated via DTP on the connections between the 3560s and the 3550s) do not appear in the verification commands.  For this lab, I went ahead and shut them all down.

2.2 VLAN Assignment

VTP is already configured (all switches are in VTP server mode in the vtp domain ‘CCIE’).  You are tasked to build all of the VLANs from the diagram.

Weird:

sw1(config-if)#do sh cdp nei f0/3
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
r3                  Fas 0/3               120           R S I     2651XM    Fas0/0
r3                  Fas 0/3               10            R S I     2651XM    Fas0/0.1

This occurred soon after I configured router-on-a-stick on r3.  I’ve never seen CDP use a subinterface as a neighbor interface.  Time to clear the cdp table:

clear cdp table

sw1(config-if)#do sh cdp nei f0/3
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
r3                  Fas 0/3               178           R S I     2651XM    Fas0/0

Ah.  Much better.

The lab diagram does not show which ethernet port on r2 is connected to VLAN 72.  It must be 0/0 as that interface is already configured with an IP address in VLAN 72.

Weird.  All of the switches are in vtp domain CCIE and all are VTP servers.  Trunking is established between all of the switches.  Yet I am not seeing VLANs propagating via VTP:

sw1:
sw1(config-if)#do sh vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 11
VTP Operating Mode              : Server
VTP Domain Name                 : CCIE

VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x4E 0xE7 0xBF 0xB8 0x71 0x10 0xF6 0xB4
Configuration last modified by 128.1.27.7 at 3-1-93 15:57:04
Local updater ID is 128.1.27.7 on interface Vl27 (lowest numbered VLAN interface found)

sw2:
sw2(config-if)#do sh vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : CCIE

VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9C 0x35 0x84 0x20 0x54 0x5D 0x0C 0xEB
Configuration last modified by 128.1.48.8 at 3-1-93 16:03:37 <-Interface on sw2
Local updater ID is 128.1.48.8 on interface Vl48 (lowest numbered VLAN interface found) 

sw1(config-if)#do sh vtp pass
VTP Password: CISCO

sw2(config-if)#do sh vtp pass
VTP Password: CISC0

Sneaky IE bastards.  It looks like sw2’s password ends with a zero.  I went to each switch and set the vtp password to ‘CISCO’ and vlans started flowing again.

This lab has three “router-on-a-stick” setups to configure.

The IE solution guide shows VLAN 10 configured for some reason.  It’s not in this network though.

I later found vlan 10.  It’s on sw4.  It was not included in my initial config for sw4.  I should have caught this during my initial troubleshooting.

I am also not sure that we need to create VLAN 109 and apply it to the L2 ends of the routed links because in the next task we are using L2 tunneling to make those links think that they are directly connected.  I have full connectivity without VLAN 109, but we’ll see if that gives me issues later.

If this were the real lab, I’d just go ahead and configure VLAN 109 as there is no “minimum number of VLANs” requirement for this task.

2.3 Layer 2 Tunneling

“Configure sw2 so that sw3 and sw4 see each other as CDP neighbors across the routed link that connects them.”

I need to tunnel interfaces fa0/16 and fa0/19

Before:
sw3#sh cdp nei fa0/16 | b Dev
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw2                 Fas 0/16              178            S I      WS-C3560-4 Fas0/16

sw4#sh cdp neigh fa0/16 | b De
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw2                 Fas 0/16              151            S I      WS-C3560-4 Fas0/19

After:
sw3#sh cdp neigh fa0/16 | b De
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw4                 Fas 0/16              151            S I      WS-C3550-2 Fas0/16

sw4#sh cdp nei fa0/16 | b De
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw3                 Fas 0/16              170            S I      WS-C3550-2 Fas0/16

sw4#p 128.1.109.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.1.109.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms


April 6, 2008

Internetwork Expert Volume II: Lab 9 – Section 1

Bridging and Switching – 17 Points

“There are no faults in the initial configurations.”
“Do not alter the commands in the initial configurations.”

1.1 Trunking

One of the first things that you’ll notice in this lab is that there are routing protocols preconfigured.  BGP on sw1, EIGRP on sw3, and so on.  This looks like it will be an interesting lab.  🙂

I’m off to a rough start already.  The first task is a simple trunking task with the requirement of:

“For ease of administration refer to these trunks with the interface macro DOT-ONE-Q.”

I’m going to assume that “refer to” means “create a macro that completes this task.”  This is another “ask the proctor” moment.

Configuring Smartports Macros

The totality of my experience with switchport macros lies with creating ping scripts. 

sw1(config)#macro name DOT-ONE-Q
Enter macro commands one per line. End with the character '@'.
interface range fa0/13 - 15
switchport trunk encap dot
switchport mode trunk
switchport none
no shut
@

sw1(config)#do sh run int fa0/13
interface FastEthernet0/13
end

Okay.  Let’s run this sucker:

sw1(config)#macro glob app DOT-ONE-Q
sw1(config)#do sh run int fa0/13
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

end

Sweet!!!  Well maybe not:

sw1#sh run int fa0/14
interface FastEthernet0/14
end

For whatever reason the interface range did not take.  It only took the first interface.  Okay…there is no “minimal configuration” requirement so I took out the interface range command and explicitly configured each port:

sw1(config)#macro name DOT-ONE-Q
Enter macro commands one per line. End with the character '@'.
int fa0/13
switchport trunk encap dot
switchport mode trunk
switchport none
no shut
int fa0/14
switchport trunk encap dot
switchport mode trunk
switchport none
no shut
int fa0/15
switchport trunk encap dot
switchport mode trunk
switchport none
no shut
@

The IE solution uses:

define interface-range DOT-ONE-Q FastEthernet0/13 - 15

but then their macro explicitly configures each interface.  So what is the purpose of the above command?

define interface-range

1.2 Trunking

Weird.  sw4 is a 3550 yet:

interface FastEthernet0/19
 switchport mode dynamic auto <-auto?

Must have been thrown on in the initial configs.

Otherwise, this was a very basic EtherChannel configuration task.

1.3 Trunking

Fun trunking task. 

“All traffic sent over these trunk links should include a 32 bit tag.”

This threw me off at first.  ISL has a 24 byte tag and Dot1q has a 4 byte tag.  What the hell is a 32 byte tag?  Reading the requirement closer, I see 32 BIT, not 32 byte.  Ah…32/8 = 4 bytes = Dot1q 🙂

Of course, I missed the second important part of that requirement: ALL TRAFFIC

By default dot1q does NOT tag the native VLAN so any traffic on the native VLAN will not have a 32 bit tag. 

vlan dot1q tag native

1.4 VLAN Assignments

Argh!!!  The dreaded “minimal VLAN configuration with all switches in VTP Transparent mode from the diagram” task.  :-0

I’m getting better at this (I completed the task successfully) but I am still VERY slow.

1.5 Spanning-Tree Filtering

spanning-tree guard

1.6 Spanning-Tree

I monkeyed around with this task trying to match the STP timers required by the task.  I finally gave up and went ahead and explicitly set the timers for VLAN 68.  This cost me the points as I needed to accomplish this task with minimal configuration:

sw2(config)#span vlan 68 hell 1
sw2(config)#span vlan 68 max 7
sw2(config)#span vlan 68 for 5
sw2(config)#do sh span vlan 68

VLAN0068
  Spanning tree enabled protocol ieee
  Root ID    Priority    24644
             Address     0019.56db.d900
             This bridge is the root
             Hello Time   1 sec  Max Age  7 sec  Forward Delay  5 sec

The IE solution is:

spanning-tree vlan 68 root primary diameter 3 hello-time 1

spanning-tree vlan

diameter net-diameter
 (Optional) Set the maximum number of switches between any two end stations. The range is 2 to 7.
 
hello-time seconds
 (Optional) Set the interval between hello bridge protocol data units (BPDUs) sent by the root switch configuration messages. The range is 1 to 10 seconds. 

sw2(config)#spanning-tree vlan 68 root prim dia 3 hello 1
sw2(config)#do sh sp vl 68

VLAN0068
  Spanning tree enabled protocol ieee
  Root ID    Priority    24644
             Address     0019.56db.d900
             This bridge is the root
             Hello Time   1 sec  Max Age  7 sec  Forward Delay  5 sec

1.7 EtherChannel

I did not understand this task at all.  The IE guide has no explanation either.  I understand the technologies involved but I could not figure out what the task was asking for.  😦


March 17, 2008

Internetwork Expert Volume II: Lab 8 – Section 1

Bridging and Switching – 20 Points

“There are no faults in the initial configurations.”
“Do not alter the commands in the initial configurations.”

1.1 Trunking

First things first: CCOnlinelabs does not use fa0/24 to connect to the BBs.

On sw2 they use fa0/10:

sw2#sh run int fa0/24
interface FastEthernet0/24
 switchport access vlan 52
end

sw2#sh run int fa0/10
interface FastEthernet0/10
end

That means I need to move the config from fa0/24 to fa0/10.  After altering the configuration to match the CCOnlinelabs topology, I finished the easy trunking tasks.

I did notice something odd though:

sw1(config-if-range)#do sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 15
VTP Operating Mode              : Transparent
VTP Domain Name                 : CCIELAB
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x99 0x68 0x38 0x79 0xE4 0x3B 0x99 0xFF
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

All of the switches are configured this way.

sw2(config)#vtp version ?
  <1-2>  Set the adminstrative domain VTP version number

I looked through the initial configs and I don’t see anything that sets these to VTP version 1.  This may be something left over on the rental switches.  It should not matter as all switches are in VTP Transparent mode.  Transparent mode in VTP version 1 drops all VTP advertisements.  In VTP version 2 the Transparent switches pass the advertisements on but do not install them.

Weird:

r5#sh vlan 52
% Ambiguous command:  "sh vlan 52"

r5#sh vlans 52

Virtual LAN ID:  52 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet0/1.52

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              192.10.1.5                 905                  88
        Other                                           0                   1

   913 packets, 60196 bytes input
   89 packets, 5450 bytes output

r5#sh vlan?
vlan-range  vlan-switch  vlans

“show vlans”????

show vlans

To view virtual LAN (VLAN) subinterfaces, use the show vlans command in privileged EXEC mode.

1.2 Trunking

This task required that you configure trunks between sw3 and sw1 (both are 3560s in this rack) by using DTP.  Should I set ‘dyn des’ on both sides or just one?

I did both sides.  IE only did it on one side.

1.3 Trunking

“use minimal conf poss on sw1 to accomplish this task”

sw1 = 3560 – switchport mode dynamic auto
sw4 = 3550 – switchport mode dynamic desirable

sw4(config)#do sh run | b 0/13
interface FastEthernet0/13
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/14
 switchport mode dynamic desirable
 shutdown
!
interface FastEthernet0/15
 switchport mode dynamic desirable
 shutdown

I should be able to just no shut both sides to dynamically create 3 ISL trunks:

sw4(config)#int range fa0/13 - 15
sw4(config-if-range)#no sh

sw1(config-if-range)#int range fa0/19 - 21
sw1(config-if-range)#no sh

sw1:
sw1(config-if-range)#do sh int trun | i 0/19|0/20|0/21
Fa0/19      auto             n-isl          trunking      1
Fa0/20      auto             n-isl          trunking      1
Fa0/21      auto             n-isl          trunking      1

sw4:
sw4(config-if-range)#do sh int trunk | i 0/13|0/14|0/15
Fa0/13      desirable        n-isl          trunking      1
Fa0/14      desirable        n-isl          trunking      1
Fa0/15      desirable        n-isl          trunking      1

1.4 Spanning-Tree Protocol

Create root switches for batches of VLANs.

“Use the fewest commands needed to accomplish this task.”

This is where reading ahead pays off.  Task 1.7 is going to require that we use MST.  I need to set up MST before I start making root switches.  Hop ahead to task 1.7

*IE even combines these tasks in the solution guide.

1.7 Spanning-Tree Protocol

Set up a single instance of spanning-tree for 4 sets of VLANs.  Time for MST.

Specifying the MST Region Configuration and Enabling MSTP (required)

You need to remember that you’ll have to cut and paste this configuration on each switch.

sw1(config)#spanning-tree mst config
sw1(config-mst)#instance 1 vlan 3-7
sw1(config-mst)#instance 2 vlan 13-45
sw1(config-mst)#instance 3 vlan 52-67
sw1(config-mst)#instance 4 vlan 1,1001
sw1(config-mst)#name MYMST
sw1(config-mst)#revision 1
sw1(config-mst)#exit
sw1(config)#spanning-tree mode mst

Very cool/odd command.  A show command from within MST configuration mode:

sw1(config-mst)#show pending
Pending MST configuration
Name      [MYMST]
Revision  1     Instances configured 5

Instance  Vlans mapped
--------  -------------------------------------------------------------------
0         2,8-12,46-51,68-1000,1002-4094
1         3-7
2         13-45
3         52-67
4         1,1001
-------------------------------------------------------------------------------

Remember that instance 0 is created by default and includes any VLANs not explicitly assigned to other instances.
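The instance-0 rule above, and the "paste the same thing on every switch" requirement, as an added Python example (not IOS code and not from the original post): it rebuilds the VLAN-to-instance table the way "show pending" prints it and checks whether two switches' region configurations really match. The SW_TYPO configuration is a constructed paste error.

```python
# Added example for this post: compute the MST VLAN-to-instance mapping,
# including the implicit instance 0, and compare two switches' region configs.

MIN_VLAN, MAX_VLAN = 1, 4094


def parse_vlan_list(spec: str) -> set:
    """Parse an IOS-style VLAN list such as '1,1001' or '13-45' into a set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def format_vlan_list(vlans: set) -> str:
    """Collapse a set of VLANs into the compact 'a,b-c' form IOS prints."""
    ordered = sorted(vlans)
    chunks = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        chunks.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(chunks)


def mst_mapping(instances: dict) -> dict:
    """instances: {instance_id: vlan_list}.  Returns the full table, with
    instance 0 holding every VLAN not explicitly assigned to another instance."""
    assigned = set()
    mapping = {}
    for inst, spec in sorted(instances.items()):
        vlans = parse_vlan_list(spec)
        clash = assigned & vlans
        if clash:
            raise ValueError(f"VLAN(s) {format_vlan_list(clash)} mapped twice")
        assigned |= vlans
        mapping[inst] = format_vlan_list(vlans)
    mapping[0] = format_vlan_list(set(range(MIN_VLAN, MAX_VLAN + 1)) - assigned)
    return dict(sorted(mapping.items()))


def same_region(a: dict, b: dict) -> bool:
    """Two switches share an MST region only if name, revision and the whole
    VLAN-to-instance table are identical; one differing VLAN splits the region."""
    return (a["name"] == b["name"] and a["revision"] == b["revision"]
            and mst_mapping(a["instances"]) == mst_mapping(b["instances"]))


# The configuration pasted on sw1 in the post.
SW1 = {"name": "MYMST", "revision": 1,
       "instances": {1: "3-7", 2: "13-45", 3: "52-67", 4: "1,1001"}}
# Constructed copy with a one-digit typo in instance 2 (a paste error).
SW_TYPO = {"name": "MYMST", "revision": 1,
           "instances": {1: "3-7", 2: "13-46", 3: "52-67", 4: "1,1001"}}

if __name__ == "__main__":
    for inst, vlans in mst_mapping(SW1["instances"]).items():
        print(f"{inst:<9} {vlans}")
    print("region match with typo copy:", same_region(SW1, SW_TYPO))
```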

Tip:  If you do “do show history” in configuration mode, this will show your last x configuration entries.  I use this if I need to cut and paste a configuration on a bunch of devices.

sw1(config)#do sh hist
  do sh run int fa0/18
  do sh int trunk
  int range fa0/19 - 21
  no sh
  do sh int trun | i 0/19|0/20|0/21
  do wr
  exit
  spanning-tree mst con
  instance 1 vlan 3-7
  instance 2 vlan 13-45
  instance 3 vlan 52-67
  instance 4 vlan 1,1001
  name MYMST
  revision 1

  do sh pending
  show pending
  exit
  spanning-tree mode mst

I can now paste this on the rest of the switches:

  spanning-tree mst con
  instance 1 vlan 3-7
  instance 2 vlan 13-45
  instance 3 vlan 52-67
  instance 4 vlan 1,1001
  name MYMST
  revision 1
  exit
  spanning-tree mode mst

sw2(config)#  spanning-tree mst con
sw2(config-mst)#  instance 1 vlan 3-7
sw2(config-mst)#  instance 2 vlan 13-45
sw2(config-mst)#  instance 3 vlan 52-67
sw2(config-mst)#  instance 4 vlan 1,1001
sw2(config-mst)#  name MYMST
sw2(config-mst)#  revision 1
sw2(config-mst)#  exit
sw2(config)#  spanning-tree mode mst
sw2(config)#^Z

Nice command to get a quick look at MST:

sw4#sh spann mst | i MST
##### MST0    vlans mapped:   2,8-12,46-51,68-1000,1002-4094
##### MST1    vlans mapped:   3-7
Root          this switch for MST1
##### MST2    vlans mapped:   13-45
Root          this switch for MST2
##### MST3    vlans mapped:   52-67
Root          this switch for MST3
##### MST4    vlans mapped:   1,1001
Root          this switch for MST4
sw4#

This will show you the vlans mapped for each instance and whether or not you’re the root for the instance [if you’re not on the root switch, the “Root” output will not show up, only the VLAN mappings]

Back to 1.4

1.4 Spanning-Tree Protocol

Okay.  NOW we can start setting roots (copy tasks from above).

Configuring the MST Root Switch

sw1#sh span mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.aa80  priority      32769 (32768 sysid 1)
Root          address 000d.65a3.bf00  priority      32769 (32768 sysid 1)  <-sw4
              port    Fa0/19          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 200000    128.3    P2p
Fa0/3            Desg FWD 200000    128.5    P2p
Fa0/9            Desg FWD 2000000   128.11   Shr
Fa0/11           Desg FWD 2000000   128.13   Shr
Fa0/13           Desg FWD 200000    128.15   P2p
Fa0/14           Desg FWD 200000    128.16   P2p
Fa0/15           Desg FWD 200000    128.17   P2p
Fa0/16           Desg FWD 200000    128.18   P2p
Fa0/17           Desg FWD 200000    128.19   P2p
Fa0/18           Desg FWD 200000    128.20   P2p
Fa0/19           Root FWD 200000    128.21   P2p
Fa0/20           Altn BLK 200000    128.22   P2p
Fa0/21           Altn BLK 200000    128.23   P2p

sw1(config)#spanning-tree mst 1 root primary

sw1(config)#do sh span mst | i MST
##### MST0    vlans mapped:   2,8-12,46-51,68-1000,1002-4094
##### MST1    vlans mapped:   3-7
Root          this switch for MST1
##### MST2    vlans mapped:   13-45
##### MST3    vlans mapped:   52-67
##### MST4    vlans mapped:   1,1001

sw1(config)#do sh spann mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.aa80  priority      24577 (24576 sysid 1)
Root          this switch for MST1
—output truncated—

NOTE:  Here’s where the “minimal command” issue needs clarification.  Since sw4 is ALREADY the root for MST instance 4 (vlans 1 and 1001), then I shouldn’t need to do any configuration to make it the root. 

sw4(config)#do sh span mst | i MST
##### MST0    vlans mapped:   2,8-12,46-51,68-1000,1002-4094
##### MST1    vlans mapped:   3-7
##### MST2    vlans mapped:   13-45
##### MST3    vlans mapped:   52-67
##### MST4    vlans mapped:   1,1001
Root          this switch for MST4

BUT there is another requirement:

“No switch should be the elected root based upon a lower MAC address.”

sw4 is elected based on the lowest MAC address (priorities are the same on all switches in MST instance 4) so we DO need to explicitly configure sw4 as the root bridge.

1.5 Layer 2 Tunneling

r2 fa0/0 -> sw2 fa0/2
r6 fa0/1 -> sw4 fa0/6

I have to tunnel sw2 fa0/2 to sw4 fa0/6.  That way the routers can trunk directly to each other?

Configuring IEEE 802.1Q Tunneling

vlan dot tag native
!
int fa0/6
 swit mode dot1
 l2protocol-tunnel stp
 l2protocol-tunnel cdp

[sw2 and sw4 already had their MTU set to 1504]

r2#sh cdp neigh fa0/0 | b Dev
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
r6               Fas 0/0            127        R S I      2811      Fas 0/1

r2#ping 174.1.26.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.1.26.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

1.6 Spanning-Tree Protocol

The task requires you to force MST instance 1 VLANs (3-7) to prefer to forward traffic to sw1 (the root) over the highest numbered DIRECTLY connected port.  If a port fails, prefer the next highest numbered port.  Complete this configuration on sw1.

The switches are currently using the lowest numbered directly connected port as the root port:

sw2#sh spann mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.d900  priority      32769 (32768 sysid 1)
Root          address 0019.56db.aa80  priority      24577 (24576 sysid 1)
              port    Fa0/13          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/4            Desg FWD 200000    128.6    P2p
Fa0/13           Root FWD 200000    128.15   P2p
Fa0/14           Altn BLK 200000    128.16   P2p
Fa0/15           Altn BLK 200000    128.17   P2p
Fa0/19           Altn BLK 200000    128.21   P2p

I can change this two ways on the root switch (sw1) by lowering the port-priority to prefer different ports.

sw2 fa0/15 is connected to sw1 fa0/15
sw2 fa0/14 is connected to sw1 fa0/14
sw2 fa0/13 is connected to sw1 fa0/13

We need to remember that we’re running MST:

spanning-tree mst instance-id port-priority priority

sw1(config)#int fa0/15
sw1(config-if)#spanning-tree mst 1 port-priority 0
sw1(config-if)#int fa0/14
sw1(config-if)#spanning-tree mst 1 port-priority 16

sw1#sh spann mst 1 det | b net0/13
FastEthernet0/13 of MST1 is designated forwarding
Port info             port id         128.15  priority    128  cost      200000
Designated root       address 0019.56db.aa80  priority  24577  cost           0
Designated bridge     address 0019.56db.aa80  priority  24577  port id   128.15
Timers: message expires in 0 sec, forward delay 0, forward transitions 5
Bpdus (MRecords) sent 3196, received 861

FastEthernet0/14 of MST1 is designated forwarding
Port info             port id          16.16  priority     16 cost      200000
Designated root       address 0019.56db.aa80  priority  24577  cost           0
Designated bridge     address 0019.56db.aa80  priority  24577  port id    16.16
Timers: message expires in 0 sec, forward delay 0, forward transitions 5
Bpdus (MRecords) sent 4032, received 3364

FastEthernet0/15 of MST1 is designated forwarding
Port info             port id           0.17  priority      0  cost      200000
Designated root       address 0019.56db.aa80  priority  24577  cost           0
Designated bridge     address 0019.56db.aa80  priority  24577  port id     0.17
Timers: message expires in 0 sec, forward delay 0, forward transitions 5
Bpdus (MRecords) sent 4032, received 3364

sw2#sh spann mst 1

##### MST1    vlans mapped:   3-7
Bridge        address 0019.56db.d900  priority      32769 (32768 sysid 1)
Root          address 0019.56db.aa80  priority      24577 (24576 sysid 1)
              port    Fa0/15          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/4            Desg FWD 200000    128.6    P2p
Fa0/13           Altn BLK 200000    128.15   P2p
Fa0/14           Altn BLK 200000    128.16   P2p
Fa0/15           Root FWD 200000    128.17   P2p  <-booyah
Fa0/19           Altn BLK 200000    128.21   P2p

1.8 Etherchannel

Create a couple of L3 EtherChannels.

1.9 Interface Negotiation

Hard code all ports in vlan 3 to 100/Full

sw1#sh vlan br | i VLAN0003
3    VLAN0003                         active    Fa0/3, Fa0/9, Fa0/10, Fa0/11

sw1(config)#int range fa0/3, fa0/9 - 11
sw1(config-if-range)#speed 100
sw1(config-if-range)#duplex full

Remember that you need to hard-code BOTH sides of the link to avoid speed/duplex mismatches:

04:47:14: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/3(not half duplex), with r3 FastEthernet0/0 (half duplex).

sw1#sh cdp nei f0/3
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
r3               Fas 0/3           153          R S I     2811      Fas 0/0

r3(config)#int fa0/0
r3(config-if)#speed 100
r3(config-if)#duplex full

sw1#sh int status | i 3
Fa0/3                        connected    3            full    100 10/100BaseTX
Fa0/9                        notconnect   3            full    100 10/100BaseTX
Fa0/10                       notconnect   3            full    100 10/100BaseTX
Fa0/11                       notconnect   3            full    100 10/100BaseTX

Fa0/13                       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/23                       notconnect   1            auto   auto 10/100BaseTX

DOH!!!!  The IE solution did not include fa0/3 on sw1 (connected to r3 fa0/0).  This is a matter of question interpretation.  The task states the Windows machines are getting network errors.  Then it states:

“In order to resolve this problem, ensure that all ports in VLAN 3 are hard coded to 100Mbps Full-Duplex.”

In order to meet the last requirement you would need to hard code fa0/3 to 100/Full.  BUT the problem is NOT with network devices, but with hosts.  Another “ask the proctor” moment.  🙂

February 18, 2008

Internetwork Expert Volume II: Lab 12 – Section 2

Section 2 – Bridging and Switching – 16 Points

2.1 Core Layer 2

This task was an interesting twist on a standard L2 core task.  You are asked to configure each of the switches to match a couple of show commands:

sw3(config-if)#do sh vtp stat | i (Operating Mode|Name)
VTP Operating Mode              : Client
VTP Domain Name                 : IE
sw3(config-if)#do sh vlan br | e (unsup|^1 |^ )

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active
17   VLAN0017                         active
22   VLAN0022                         active
33   VLAN0033                         active    Fa0/3
38   VLAN0038                         active    Fa0/24
45   VLAN0045                         active    Fa0/5
46   VLAN0046                         active
58   VLAN0058                         active

I actually found this task to be easier than usual.  BUT…make sure you open your ports.  IE shut a number of them down in the initial configurations. 

2.2 EtherChannel

This was an easy Layer 3 EtherChannel task, except that the diagram has an incorrect subnet for po34 between sw3 and sw4.  It should be 129.x.34.0/24 and not 129.x.43.0/24.

2.2 – typo/difference between diagram and solution

2.3 MAC Filtering

You need to limit a couple of ports to only learning two MAC addresses and to shut down for 60 seconds if they learn a third. 

Configuring Port Security

• The switch does not support port security aging of sticky secure MAC addresses.

(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:

• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

• restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

•shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

We need to use shutdown mode (the default) together with errdisable recovery cause psecure-violation.

errdisable recovery

Defaults
Recovery is disabled for all causes.
The default recovery interval is 300 seconds.

Here’s the configuration:

errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
int range fa0/7 - 8
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown

sw1#sh errdisable recovery | e Dis
-----------------    --------------
psecure-violation    Enabled

Timer interval: 60 seconds

Interfaces that will be enabled at the next timeout:

sw1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/7              2            0                  0         Shutdown
      Fa0/8              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6272

2.4 MAC Filtering

This was a pretty easy MAC filtering task using MAC ACLs….or so I thought.  🙂

Port ACLs

Creating Named MAC Extended ACLs

mac access-list extended FILTER_ROUTER
deny host 0030.1369.87a0 any
permit any any

Applying a MAC ACL to a Layer 2 Interface

sw1(config-if-range)#mac access-group FILTER_ROUTER ?
  in  Apply to Ingress

sw1(config-if-range)#mac access-group FILTER_ROUTER in

sw1#sh mac access-group int fa0/7
Interface FastEthernet0/7:
   Inbound access-list is FILTER_ROUTER
   Outbound access-list is not set
sw1#sh mac access-group int fa0/8
Interface FastEthernet0/8:
   Inbound access-list is FILTER_ROUTER
   Outbound access-list is not set

After all of that…the solution guide uses:

mac-address-table static 0030.1369.87a0 vlan 17 drop

Okay…why?  Well, there’s a really good reason. 🙂

The immediate reaction to this task is typically to use an extended MAC address access-list to deny traffic from this MAC address from entering interfaces fa0/7 or fa0/8.  However, MAC address access-lists only affect non-IP traffic.  Therefore, assuming that hosts on VLAN 17 are running IP (a fair assumption), using a MAC access-list to filter this host will have no effect.

Good discussion about this task:

Task 2.4
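The reason the ACL approach fails, as an added model in Python (not code from the original post or from Cisco): a port MAC ACL is only consulted for non-IP frames, while a `mac-address-table static ... drop` entry is a MAC-table lookup that catches every frame from that address in the VLAN. The frame records, port names and the 0x88B5 "non-IP" EtherType are constructed for the example; the MAC address, VLAN and ACL name are the ones from the task. Treating only EtherType 0x0800 (IPv4) as "IP traffic" is an assumption of the model.

```python
"""MAC ACL versus static drop entry: which frames each one actually stops."""
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ACL_ANY = "any"


@dataclass(frozen=True)
class Frame:
    ingress_port: str
    vlan: int
    src_mac: str
    dst_mac: str
    ethertype: int

    @property
    def is_ip(self) -> bool:
        # assumption: only IPv4 counts as IP traffic in this model
        return self.ethertype == ETHERTYPE_IPV4


def mac_acl_permits(acl: list, frame: Frame) -> bool:
    """Evaluate `mac access-list extended` entries top-down: first match wins,
    implicit deny at the end. Each entry is (action, src, dst) where src/dst is
    'any' or a MAC address (the CLI's `host xxxx.xxxx.xxxx`)."""
    for action, src, dst in acl:
        if src in (ACL_ANY, frame.src_mac) and dst in (ACL_ANY, frame.dst_mac):
            return action == "permit"
    return False


class Switch:
    def __init__(self) -> None:
        self.port_acls: dict = {}         # port -> ACL applied with `mac access-group <acl> in`
        self.static_drops: set = set()    # (mac, vlan) from `mac-address-table static ... drop`

    def apply_mac_acl(self, port: str, acl: list) -> None:
        self.port_acls[port] = acl

    def mac_address_table_static_drop(self, mac: str, vlan: int) -> None:
        self.static_drops.add((mac, vlan))

    def ingress(self, frame: Frame) -> str:
        """Return what happens to a frame arriving on the given port."""
        acl = self.port_acls.get(frame.ingress_port)
        # the port MAC ACL is skipped entirely for IP frames
        if acl is not None and not frame.is_ip and not mac_acl_permits(acl, frame):
            return "dropped by MAC ACL"
        # the static drop entry matches the source or destination MAC in the VLAN,
        # regardless of the protocol carried
        if (frame.src_mac, frame.vlan) in self.static_drops or \
           (frame.dst_mac, frame.vlan) in self.static_drops:
            return "dropped by static MAC table entry"
        return "forwarded"


ROUTER_MAC = "0030.1369.87a0"
FILTER_ROUTER = [
    ("deny", ROUTER_MAC, ACL_ANY),     # deny host 0030.1369.87a0 any
    ("permit", ACL_ANY, ACL_ANY),      # permit any any
]

# constructed frames sourced from the router's MAC, arriving on ports with the ACL
ip_frame = Frame("Fa0/7", 17, ROUTER_MAC, "0000.0c00.0001", ETHERTYPE_IPV4)
non_ip_frame = Frame("Fa0/8", 17, ROUTER_MAC, "ffff.ffff.ffff", 0x88B5)


def with_mac_acl_only() -> tuple:
    """The first attempt from the post: FILTER_ROUTER inbound on fa0/7 and fa0/8."""
    sw = Switch()
    for port in ("Fa0/7", "Fa0/8"):
        sw.apply_mac_acl(port, FILTER_ROUTER)
    return sw.ingress(ip_frame), sw.ingress(non_ip_frame)


def with_static_drop() -> tuple:
    """The solution guide's approach: mac-address-table static <mac> vlan 17 drop."""
    sw = Switch()
    sw.mac_address_table_static_drop(ROUTER_MAC, 17)
    return sw.ingress(ip_frame), sw.ingress(non_ip_frame)


if __name__ == "__main__":
    print("MAC ACL only:", with_mac_acl_only())
    print("static drop :", with_static_drop())
```

The IP frame sails through the ACL configuration, which is exactly the "no effect" outcome described in the discussion; the static entry drops both frames.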

2.5 QoS

Police a port to 3Mbps, but don’t use policing.  Clue: the task specifies unicast traffic.

Configuring Storm Control

Storm control uses one of these methods to measure traffic activity:

•Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic

•Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later)

•Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later)

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

REMEMBER that Storm control is inbound!!!

Storm control has some WEIRD parameters:

sw2(config-if)#storm-control unicast level bps ?
  <0.0 - 10000000000.0>[k|m|g]  Enter rising threshold

Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.

•bps—Rising suppression level, up to 1 decimal place. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.

sw2(config-if)#storm-control unicast level bps 3000000

sw2(config-if)#do sh run int fa0/2
interface FastEthernet0/2
 switchport access vlan 22
 storm-control unicast level bps 3m

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/24     Forwarding         3m bps       3m bps        0 bps

Send some large pings from r2 to bb2:

r2#p 192.10.1.254 re 10000 si 1500

Type escape sequence to abort.
Sending 10000, 1500-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/2      Blocking           3m bps       3m bps    7.83m bps

01:29:46: %STORM_CONTROL-3-FILTERED: A Unicast storm detected on Fa0/2. A packet filter action has been applied on the interface.

sw2#sh storm uni
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/2      Forwarding         3m bps       3m bps   12.89k bps

The IE solution uses the older percentage of interface bandwidth configuration:

storm-control unicast level 3.00
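The rising/falling threshold behaviour quoted from the DocCD, as an added Python model (not code from the original post or from Cisco). It parses both level forms used above (`3m` in bits per second and the older `3.00` percentage of port bandwidth), measures inbound traffic per window, blocks at the rising level and forwards again only once the rate drops below the falling level, which defaults to the rising level when none is given. The observed rates (7.83m bps, then 12.89k bps) are from the `show storm-control` output above; the one-second measurement window and the 100 Mb/s port speed used for the percentage form are assumptions.

```python
"""Storm-control rising/falling thresholds for inbound unicast traffic."""
from typing import List, Optional

_SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_bps_level(text: str) -> int:
    """'3m' -> 3000000, '12.89k' -> 12890, '3000000' -> 3000000.
    Mirrors the <0.0 - 10000000000.0>[k|m|g] syntax shown in the post."""
    t = text.strip().lower()
    if t.endswith("bps"):
        t = t[:-3].strip()
    mult = 1
    if t and t[-1] in _SUFFIX:
        mult = _SUFFIX[t[-1]]
        t = t[:-1]
    value = float(t) * mult
    if not 0 <= value <= 10_000_000_000:
        raise ValueError(f"level out of range: {text}")
    return int(round(value))


def percent_level_to_bps(percent: float, port_speed_bps: int = 100_000_000) -> int:
    """`storm-control unicast level 3.00` is a percentage of the port bandwidth,
    so its meaning changes with the link speed (assumed 100 Mb/s here)."""
    return int(port_speed_bps * percent / 100)


class UnicastStormControl:
    """Per-port storm control state. Storm control only measures inbound traffic."""

    def __init__(self, rising_bps: int, falling_bps: Optional[int] = None) -> None:
        if falling_bps is not None and falling_bps > rising_bps:
            raise ValueError("falling level must not exceed rising level")
        self.rising = rising_bps
        # no falling level given: block until the rate drops below the rising level
        self.falling = rising_bps if falling_bps is None else falling_bps
        self.state = "Forwarding"
        self.syslog: List[str] = []

    def observe(self, inbound_bits: int, window_s: float = 1.0) -> str:
        """Feed one measurement window of inbound unicast bits and return the
        filter state the switch would show for that interval."""
        rate = inbound_bits / window_s
        if self.state == "Forwarding" and rate >= self.rising:
            self.state = "Blocking"
            # wording follows the message quoted in the post
            self.syslog.append("%STORM_CONTROL-3-FILTERED: A Unicast storm detected on "
                               "the port. A packet filter action has been applied on the interface.")
        elif self.state == "Blocking" and rate < self.falling:
            self.state = "Forwarding"
        return self.state


def replay(level: str, windows: List[int]) -> List[str]:
    """Run per-second inbound bit counts through a port configured with
    `storm-control unicast level bps <level>` and return the state per window."""
    sc = UnicastStormControl(parse_bps_level(level))
    return [sc.observe(bits) for bits in windows]


if __name__ == "__main__":
    # the large pings from r2: 7.83 Mb/s inbound on Fa0/2 for two seconds, then idle
    print(replay("3m", [7_830_000, 7_830_000, 12_890]))
```

With a separate, lower falling level the port stays blocked while the rate sits between the two levels, which is the hysteresis the DocCD text describes.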

2.6 Traffic Filtering

Stop PCs on a VLAN from communicating directly with each other, but allow them to still communicate with other ports or interfaces in the VLAN.  Use the minimum configuration.

switchport protected

Use the switchport protected interface configuration command to isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch. Use the no form of this command to disable protection on the port.

So….which ports do I apply it to?

The answer shows fa0/7 and fa0/8 on sw1.  Are they part of VLAN 17?

Well….they were initially, but I thought that that was an initial config error (see error 4?)

From the initial config:

interface range Fa0/7 - 8
 switchport access vlan 17
 no shutdown

By completing this task you will “break” task 2.1.  I think that this is just the result of a mistake in the lab document for task 2.1.

sw1#sh int fa0/7 swit | i Protected
Protected: true
sw1#sh int fa0/8 swit | i Protected
Protected: true

Internetwork Expert Volume II: Lab 12 – Section 1

Troubleshooting – 3 Points

There are three initial faults in this lab.  The troubleshooting section has this interesting requirement:

“Use the minimum commands needed to solve these issues.”

1) PPP configuration on r1

I had issues right away.  The initial configuration for r1’s s0/1 interface is as follows: 

interface Serial0/1
 ip address 129.1.13.1 255.255.255.0
 ppp pap sent-username PPP password 0 CISCO
 no shutdown

The problem with this is that the router will not accept this configuration because it’s missing “encap ppp” and “ppp authentication pap”:

r1(config-if)#interface Serial0/1
r1(config-if)# ip address 129.1.13.1 255.255.255.0
r1(config-if)# ppp pap sent-username PPP password 0 CISCO
                        ^
% Invalid input detected at ‘^’ marker.

The interface will end up with only the IP address configured:

interface Serial0/1
 ip address 129.1.13.1 255.255.255.0

This is where the “minimal configuration” requirement comes into play.  r1 and r2 each have point-to-point serial connections that terminate on r3.  r3 is running ppp with pap authentication.  It is expecting a username of “PAP” and a password of “CISCO”.

r1:
interface Serial0/1
 ip address 129.1.13.1 255.255.255.0   <- HDLC encapsulation (default)

r2:
interface Serial0/1/0
 ip address 129.1.23.2 255.255.255.0
 encapsulation ppp
 ppp pap sent-username PPP password 0 CISCO  <-wrong username

r3:
username PAP password 0 CISCO
!
interface Serial0/2:0
 ip address 129.1.13.3 255.255.255.0
 encapsulation ppp
 ppp authentication pap
!
interface Serial0/3:0
 ip address 129.1.23.3 255.255.255.0
 encapsulation ppp
 ppp authentication pap

The solution guide says that the fix is to change the password on r3 from “PAP” to “PPP”.  That would make sense and would meet the “minimum configuration” requirement IF the PPP configuration on r1 wasn’t messed up.  Due to the initial configuration snafu, I did the following:

r1:
r1(config)#int s0/1
r1(config-if)#enc ppp
r1(config-if)#ppp pap sent-username PAP pass CISCO

r2:
r2(config-if)#no ppp pap sent-username PPP password 0 CISCO
r2(config-if)#ppp pap sent-user PAP pass CISCO

2) sw1’s SVI interface Vlan7 should be Vlan 17

sw1#sh ip int br | e ass
Interface              IP-Address      OK? Method Status                Protocol
Vlan7                  129.1.17.7      YES NVRAM  down                  down

after:
sw1#sh ip int br | e ass
Interface              IP-Address      OK? Method Status                Protocol
Vlan17                 129.1.17.7      YES manual down                  down

3) r4’s fa0/1 has wrong IP address

I didn’t catch this one until later.  The first octet is incorrect:

interface FastEthernet0/1
 ip address 192.1.46.4 255.255.255.0

After:
interface FastEthernet0/1
 ip address 129.1.46.4 255.255.255.0 

4?)  sw1’s fa0/7 and fa0/8 should not be assigned to a VLAN???

Task 2.1 requires you to configure sw1 to match this output exactly:

sw1(config)#do sh vlan br | e (unsup|^1 |^ )

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active    Fa0/3
17   VLAN0017                         active    Fa0/1
22   VLAN0022                         active
33   VLAN0033                         active
38   VLAN0038                         active
45   VLAN0045                         active
46   VLAN0046                         active
58   VLAN0058                         active    Fa0/5 

Here’s what I had:

sw1(config-if)#do sh vlan br | e (unsup|^1 |^ )

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3    VLAN0003                         active    Fa0/3
17   VLAN0017                         active    Fa0/1, Fa0/7, Fa0/8
22   VLAN0022                         active
33   VLAN0033                         active
38   VLAN0038                         active
45   VLAN0045                         active
46   VLAN0046                         active
58   VLAN0058                         active    Fa0/5

sw1(config-if)#do sh run int fa0/7
interface FastEthernet0/7
 switchport access vlan 17 

sw1(config-if)#do sh run int fa0/8
interface FastEthernet0/8
 switchport access vlan 17

I defaulted the interfaces and my output matched the requirement.  Unfortunately, this would come back to bite me in the butt later.  I think that the problem was a misprint in the lab guide and not an initial fault.

January 29, 2008

Internetwork Expert Volume II: Lab 6 – Section 1

Bridging and Switching – 20 Points

1.1 Basic Configuration

This is the first lab that I’ve done where you need to set up two separate VTP domains.  I always create a Layer 2 map and it really helped out in this lab.  You’ll need to be mindful of which VTP server to create VLANs on when you’re building your Layer 2 network, especially with the caveat:

“VLANs should not be created within the VTP domain unnecessarily.”

1.2 Trunk Maintenance

“Ensure that the links between sw1, sw2, sw3, and sw4 will not attempt to automatically trunk using DTP.”

Depending on how you interpret this question, there are two methods you might use:

1) Put the ports into switchport mode dynamic auto (default setting on the 3560s).  This means that they will not form a trunk unless the other side of the link attempts to negotiate trunking.  This does NOT disable DTP.

switchport mode

int range fa0/13 - 21
 switchport mode dynamic auto

sw3(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

2) Hard-code the interfaces to trunk and disable DTP.  This means that you’ll need to choose a trunking encapsulation and you’ll need to shut down any links (on one side at least) that you do not want to form a trunk.  This is a little more sloppy, but it actually disables DTP.

switchport nonegotiate

int range fa0/13 - 21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

sw1(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

I went with option 1 (mostly because of task 1.3).

task 1.2 DTP

Be careful when applying your configuration with the interface range command as there are a couple of routed ports already configured:

sw1(config-if-range)#swit mode dyn auto
Command rejected: Fa0/14 not a switching port.
% Interface range command failed for FastEthernet0/14

sw1(config-if-range)#do sh run int fa0/14
interface FastEthernet0/14
 no switchport
 ip address 191.1.27.7 255.255.255.0
end

You’ll be alright as the routed ports will ignore the switchport commands (they are configured as “no switchport”).

1.3 Trunking

“Use dot1q encapsulation to configure the following trunks:”

You need to stop trunking of some vlans as well (read the requirements carefully).

sw1(config-if-range)#swit trunk all vlan except 7,77,777

I configured this on both sides of the trunks.  IE did not. 

Before changing VLAN allowed list:
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      none

After changing VLAN allowed list:
sw3(config-if)#swit trunk all vlan except 7,77,777
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-6,8-76,78-776,778-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1
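How the switch arrives at the `1-6,8-76,78-776,778-4094` list shown above, as an added Python example (not code from the original post or from Cisco). It parses IOS VLAN list notation, computes the complement that `switchport trunk allowed vlan except` leaves on the trunk, and collapses a VLAN set back into the compact `a-b,c` form; the 1-4094 VLAN range and the output string are the ones from the `show interfaces trunk` output above.

```python
"""IOS VLAN list notation: parse, complement ('except'), and format."""
from typing import Set

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(text: str) -> Set[int]:
    """'1-6,8-76,778-4094' or '7,77,777' -> set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo_s, _, hi_s = part.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans: Set[int]) -> str:
    """Collapse a set of VLAN IDs into the 'a-b,c,d-e' form IOS prints."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    runs = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        runs.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = v
    runs.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(runs)


def allowed_vlans_except(except_list: str) -> str:
    """Model `switchport trunk allowed vlan except <list>`: every VLAN but those."""
    excluded = parse_vlan_list(except_list)
    return format_vlan_list(set(range(VLAN_MIN, VLAN_MAX + 1)) - excluded)


def vlans_allowed_and_active(allowed: str, active: str) -> str:
    """'Vlans allowed and active in management domain' is the intersection of
    the allowed list with the VLANs that exist on the switch."""
    return format_vlan_list(parse_vlan_list(allowed) & parse_vlan_list(active))


if __name__ == "__main__":
    print(allowed_vlans_except("7,77,777"))
```

The parser is strict about the 1-4094 bounds so a typo such as `0-10` or `5000` fails loudly instead of silently widening the trunk.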

1.4 Spanning-Tree

This was a great task.  You are asked to:

“Ensure sw1 is forwarding on all trunk links for any active VLANs.
“If a new VLAN is added to the VTP domain NET12, sw1 should forward on all trunk links for the new VLAN.”

The first subtask means that you need to make sw1 the root bridge.  Easy enough, but you need to specify a VLAN range.  Since we’re asked to make sure that any VLANs added to our VTP domain use sw1 as the root, we need to specify the range of VLANs that can be created via VTP.  VTP cannot add extended VLANs, so our range should be 1-1000:

sw1(config)#spanning-tree vlan 1-1000 root primary

Hmmmm….IE used the range 1-4096 (range including extended VLANs).

Task 1.4 Spanning-Tree

I think that their rationale is: 

IF we were to put sw1 and sw2 (the members of VTP domain NET12) into vtp transparent mode, we could create extended VLANs.  Those VLANs would technically be VLANs created in VTP domain NET12.  BUT we would need to break our VTP task in order to do this. 

Set sw1 and sw2 to VTP mode transparent:

sw1(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent
sw1(config)#do sh run | i prior
spanning-tree vlan 1-1000 priority 24576

sw2(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent

Add standard and extended vlan to sw1 and sw2:

sw1(config)#vlan 1000,1234
sw1(config-vlan)#exit

sw2(config)#vlan 1000,1234
sw2(config-vlan)#exit
sw2(config)#do sh sp v 1000

VLAN1000
  Spanning tree enabled protocol ieee
  Root ID    Priority    25576
             Address     0012.018f.d580  <-sw1 MAC
             Cost        19
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33768  (priority 32768 sys-id-ext 1000)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 19        128.15   P2p

sw2(config)#do sh sp v 1234

VLAN1234
  Spanning tree enabled protocol ieee
  Root ID    Priority    34002
             Address     0012.009c.ca00
             This bridge is the root 
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    34002  (priority 32768 sys-id-ext 1234)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg FWD 19        128.15   P2p

I would definitely ask the proctor about this task.
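The per-VLAN root election shown in the two `show spanning-tree` outputs above, as an added Python model (not code from the original post or from Cisco). It uses the two bridge MAC addresses and priorities printed there and shows why VLAN 1000 is rooted at sw1 while VLAN 1234, outside the `1-1000` range, falls back to the MAC tie-breaker and lands on sw2. Assumption (a simplification): `root primary` is modelled as setting the priority to 24576 for the VLANs in its range, the value the post's `show run | i prior` shows; a real switch may pick a lower value if another bridge already has a priority below 24576.

```python
"""Per-VLAN root election under `spanning-tree vlan <range> root primary`."""
from typing import List, Set, Tuple

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_PRIORITY = 24576   # assumption: what `root primary` set in the post


def parse_vlan_range(text: str) -> Set[int]:
    """'1-1000' or '1,10-20' -> set of VLAN IDs ('' -> empty set)."""
    vlans: Set[int] = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def mac_to_int(mac: str) -> int:
    """'0012.018f.d580' -> integer, so MACs compare the way 802.1D compares them."""
    return int(mac.replace(".", "").replace(":", ""), 16)


class Bridge:
    def __init__(self, name: str, mac: str, root_primary_vlans: str = "") -> None:
        self.name = name
        self.mac = mac
        self.root_primary = parse_vlan_range(root_primary_vlans)

    def configured_priority(self, vlan: int) -> int:
        return ROOT_PRIMARY_PRIORITY if vlan in self.root_primary else DEFAULT_PRIORITY

    def bridge_priority(self, vlan: int) -> int:
        """PVST+ extended system ID: the printed priority is the configured
        priority plus the VLAN ID (e.g. 24576 + 1000 = 25576)."""
        return self.configured_priority(vlan) + vlan

    def bridge_id(self, vlan: int) -> Tuple[int, int]:
        return (self.bridge_priority(vlan), mac_to_int(self.mac))


def elect_root(bridges: List[Bridge], vlan: int) -> Bridge:
    """Lowest bridge ID wins: priority first, then the MAC address as tie-breaker."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def vlans_not_rooted_at(bridges: List[Bridge], wanted: Bridge, vlans) -> List[int]:
    """Which of the given VLANs end up with a root other than `wanted`."""
    return [v for v in vlans if elect_root(bridges, v) is not wanted]


# the two bridges from the post; sw1 has `spanning-tree vlan 1-1000 root primary`
SW1 = Bridge("sw1", "0012.018f.d580", "1-1000")
SW2 = Bridge("sw2", "0012.009c.ca00")

if __name__ == "__main__":
    for vlan in (1000, 1234):
        root = elect_root([SW1, SW2], vlan)
        print(vlan, root.name, SW1.bridge_priority(vlan), SW2.bridge_priority(vlan))
```

For VLAN 1234 both bridges sit at 34002, and sw2's MAC (0012.009c.ca00) is numerically lower than sw1's, which is why sw2 reports "This bridge is the root" above.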

1.5 Etherchannel

Easy trunking/etherchannel task.  Your VTP will now work for domain NET34.

1.6 Trunking

This was a bizarre task with VLANs between subinterfaces on a couple of routers.  I had this one nailed, but I spent a LONG time chasing my tail over a really basic issue.  😦

Be aware that VLAN45 is a /25 subnet.  You’ll also need to add VLAN 45 to the VTP domain.

Here’s where I lost my way:

“Configure trunking between r4, r5, sw3, and sw4 using the information provided in the diagram.”

r4#sh cdp neig | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            146         S I       WS-C3550- Fas 0/4
sw2              Fas 0/0            136         S I       WS-C3560- Fas 0/4

r4#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.4          191.1.4.4       YES NVRAM  up                    up
FastEthernet0/0.40         191.1.40.4      YES NVRAM  up                    up
FastEthernet0/0.45         191.1.45.4      YES NVRAM  up                    up
FastEthernet0/0.49         191.1.49.4      YES NVRAM  up                    up

I initially thought that the lab diagram was wrong.  Interface fa0/1 – not fa0/0 – is connected to sw4.  I was cursing IE and the routing gods for this colossal waste of time.  BUT….(as is so often the case) I WAS WRONG.  The diagram is right.  The question threw me off as it states that I need to configure trunking between sw3 and the other devices.  Some of the endpoints are on sw3, but some of these VLANs traverse sw2 (in VTP domain NET12) so I need to configure dot1q trunking on that switch (connected to r4) as well as add the VLANs to sw1 (the VTP server for the NET12 domain). 

I really blew it on this task.  If this were the actual lab, I would not only have failed, but I would have looked like an idiot in the process.

1.7 Layer 2 Tunneling

Basically tunnel from r4 fa0/1 to sw2 fa0/18.

r4#sh run int fa0/1
interface FastEthernet0/1
 ip address 191.1.48.4 255.255.255.0

sw2#sh run int fa0/18
interface FastEthernet0/18
 no switchport
 ip address 191.1.48.8 255.255.255.0

You will need to use dot1q tunneling to accomplish this task.

switchport mode

dot1q-tunnel
Set the port as an IEEE 802.1Q tunnel port.

You’ll need to build your l2 tunnel across these ports:

r4#sh cdp neig fa0/1 | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            136         S I       WS-C3550- Fas 0/4

sw2#sh cdp neigh fa0/18 | b Device
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw3                 Fas 0/18              170            S I      WS-C3550-2 Fas0/18

The switch is kind enough to warn you of a pitfall:

sw4(config-if)#swit mode dot1q-tunnel
sw4(config-if)#
03:03:12: %DOT1Q_TUNNELLING-4-MTU_WARNING:
System MTU of 1500 might be insufficient for 802.1Q tunnelling.
802.1Q tunnelling requires system MTU size of 1504 to handle maximum size ethernet frames.

system mtu

I see a reload in my future:

sw4(config)#system mtu 1504
Changes to the System MTU will not take effect until the next reload is done.

Task 1.7 l2tunnel

r4#sh cdp neigh f0/1 | i sw2
sw2              Fas 0/1            169         S I       WS-C3560- Fas 0/18

sw2#sh cdp neigh fa0/18 | i r4
r4                  Fas 0/18              131           R S I     2651XM    Fas0/1

Sweet!!!

1.8 MAC Filtering

This was a pretty basic port-security task. 

switchport port-security

***  Update: Don’t use ‘sticky’ as I posted below.  These MAC addresses are NOT learned dynamically.  I did not remove this from my post just to show you how stupid I am sometimes.  🙂  *** 

I used the sticky option (“When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.”) but I would ask the proctor to clarify this.  IE did not use that option.

The only “twist” is the second subtask:

“In the case that other hosts try to access this port a syslog message should be sent to the server 191.1.7.100.”

First we have to change the switchport port-security from the default of shutdown:

violation
 (Optional) Set the security violation mode or the action to be taken if port security is violated. The default is shutdown.
 

Do I choose restrict or protect?  My CCNP knowledge has flowed out of my skull.  🙂

sw2(config-if)#swit port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

protect
Set the security violation protect mode. In this mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
 
restrict
Set the security violation restrict mode. In this mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

 
Restrict it is!!!

sw2#sh port-security int fa0/10
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 4
Configured MAC Addresses   : 4
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

sw2#sh port-security int fa0/10 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
  10    0050.7014.8ef0    SecureConfigured         Fa0/10       -
  10    00cd.144e.07bf    SecureConfigured         Fa0/10       -
  10    00d0.341c.7871    SecureConfigured         Fa0/10       -
  10    00d0.586e.b710    SecureConfigured         Fa0/10       -
------------------------------------------------------------------------
Total Addresses: 4

I wasted some time by looking for documentation on how to configure a syslog server.  DOH!!!

sw2(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host

1.9 Spanning-Tree Convergence

A wordy task translated to: portfast with bpdufilter.  Just be aware of the differences in bpdufilter based on whether you configure it at the interface level or globally:

sw2(config)#spanning-tree portfast bpdufilter default

Understanding BPDU Filtering

Task 1.9 SPT

The task requires that the port return to normal spanning tree forwarding if a BPDU is received.

There is a difference in the behaviour of bpdufilter depending on if it is configured at the interface level or globally.

When you configure bpdufilter on an interface it filters BPDU from being sent or received.

When you configure bpdufilter globally then all interfaces that run portfast will filter sent BPDUs but will revert out of the portfast state if BPDUs are received. This is the desired behaviour for this task.

The DocCD explains it like this:

“When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.”
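The difference between the two forms of BPDU filtering, as an added Python model (not code from the original post or from Cisco) of the DocCD passage just quoted: with `spanning-tree portfast bpdufilter default`, a PortFast port sends a few BPDUs at link-up, then filters outbound BPDUs, and drops out of PortFast (filtering disabled, normal STP) the moment a BPDU arrives; with `spanning-tree bpdufilter enable` on the interface, BPDUs are neither sent nor received, whatever shows up. The number of link-up BPDUs is an assumption; the DocCD only says "a few".

```python
"""PortFast port under global versus interface-level BPDU filtering."""

LINK_UP_BPDUS = 10   # assumption: BPDUs sent at link-up before global filtering starts


class PortFastPort:
    def __init__(self, name: str, global_bpdufilter: bool = False,
                 interface_bpdufilter: bool = False) -> None:
        self.name = name
        self.global_bpdufilter = global_bpdufilter        # portfast bpdufilter default
        self.interface_bpdufilter = interface_bpdufilter  # bpdufilter enable on the port
        self.portfast_operational = True                  # portfast on the interface
        self.state = "forwarding"                         # PortFast skips listening/learning
        self.bpdus_sent = 0

    def link_up(self) -> None:
        self.portfast_operational = True
        self.state = "forwarding"
        self.bpdus_sent = 0

    def hello_timer(self) -> bool:
        """Called every hello interval; return True if a BPDU actually leaves the port."""
        if self.interface_bpdufilter:
            return False                                  # never sends
        if (self.global_bpdufilter and self.portfast_operational
                and self.bpdus_sent >= LINK_UP_BPDUS):
            return False                                  # outbound filtering has kicked in
        self.bpdus_sent += 1
        return True

    def bpdu_received(self) -> str:
        """A BPDU arrives, e.g. another switch was connected to the access port."""
        if self.interface_bpdufilter:
            return "ignored"                              # STP never learns about it
        if self.portfast_operational:
            self.portfast_operational = False             # loses PortFast-operational status
            self.state = "listening"                      # back through the normal STP states
            return "portfast lost, normal STP"
        return "processed normally"

    def filtering(self) -> bool:
        """Is the port currently filtering BPDUs?"""
        if self.interface_bpdufilter:
            return True
        return (self.global_bpdufilter and self.portfast_operational
                and self.bpdus_sent >= LINK_UP_BPDUS)


def scenario(global_filter: bool, interface_filter: bool) -> dict:
    """Bring the port up, run 20 hello intervals, then deliver one BPDU."""
    port = PortFastPort("Fa0/1", global_filter, interface_filter)
    port.link_up()
    sent = sum(port.hello_timer() for _ in range(20))
    before = port.filtering()
    reaction = port.bpdu_received()
    return {"sent": sent, "filtering_before": before, "reaction": reaction,
            "filtering_after": port.filtering(), "state": port.state}


if __name__ == "__main__":
    print("global   :", scenario(True, False))
    print("interface:", scenario(False, True))
```

The global form is the one the task wants: it stops flooding hosts with BPDUs yet still reacts when a BPDU shows up. The interface form hides an unexpected switch or loop from spanning tree entirely, which is why it is the riskier setting on an access port.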

January 26, 2008

Internetwork Expert Volume III: Lab 4 – Section 2

Bridging and Switching – 9 Points

2.1 Trunking

Speed tip - Use ‘interface range’ to configure multiple, non-contiguous interfaces at one time:

sw3(config)#int range fa0/13, fa0/16, fa0/17, fa0/19, fa0/21

sw4(config-if-range)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    n-isl          trunking      1
Fa0/14      desirable    n-isl          trunking      1
Fa0/15      desirable    n-isl          trunking      1
Fa0/16      desirable    n-isl          trunking      1
Fa0/17      desirable    n-isl          trunking      1
Fa0/18      desirable    n-isl          trunking      1
Fa0/19      on           802.1q         trunking      1
Fa0/20      desirable    n-isl          trunking      1
Fa0/21      on           802.1q         trunking      1

The eternal question: to shut or not to shut the dynamically negotiated trunks?  Since the  IE solution does not show these trunks in the “show int trunk” output I went ahead and shut them down (on one side at least).

2.2 Etherchannel

WTF?

sw3(config-if-range)#channel-group 23 mode active
% Interface range command failed for FastEthernet0/17

00:55:00: %EC-5-ERRPROT: Channel protocol mismatch for interface Fa0/17 in group 23: the interface can not be added to the channel group

sw3(config-if-range)#do sh run int fa0/17
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 125
 switchport mode trunk
 switchport nonegotiate
 channel-protocol pagp  <-where did that come from?

sw3(config-if-range)#do sh start | b 0/17
interface FastEthernet0/17
 switchport mode dynamic desirable
 channel-protocol pagp

Yet another initial config error.

task 2.2 : command is missing in SG

Fix:

sw3(config-if-range)#int fa0/17
sw3(config-if)#no channel-protocol pagp
sw3(config-if)#channel-g 23 mode active

sw3(config-if)#do sh eth sum | b Group
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
23     Po23(SU)        LACP      Fa0/16(P)   Fa0/17(P)

2.3 VTP

“Configure the VTP domain CCIE on all four switches.”

Should I put only one of the switches in VTP Server mode?  sw3 would be the obvious candidate to be the VTP server.  I did that.  IE did not.  They left all switches as VTP servers.

“Configure VLAN assignments per the diagram”

Crap! I usually miss some VLANs when I do this.  This time was no exception.

“Filter traffic on the 802.1q trunk links so that only necessary VLAN traffic is sent over them.”

Easy enough…vtp pruning.  BUT if you are told not to shut down the dynamically negotiated trunks then those trunks will negotiate to ISL by default.  This would make this task a lot more difficult and time-consuming because VTP pruning cannot be enabled for dot1q encapsulation and not ISL or vice versa.

The IE solution did not use VTP pruning.  They explicitly configured the allowed VLANs on each trunk.  This might be a result of the “802.1q trunk links” verbiage – VTP pruning would work – but on all trunks regardless of the encapsulation type used.  Pretty tricky putting this task under the VTP section.  🙂

Task 2.3, VTP

vtp (global configuration)

Follow these guidelines when setting VTP pruning:

•VTP pruning removes information about each pruning-eligible VLAN from VTP updates if there are no stations belonging to that VLAN.

If you enable pruning on the VTP server, it is enabled for the entire management domain for VLAN IDs 1 to 1005.

•Only VLANs in the pruning-eligible list can be pruned.

•Pruning is supported with VTP Version 1 and Version 2.

VTP Pruning with ISL trunk:

sw1(config-if)#do sh vtp status | i run
VTP Pruning Mode                : Enabled
sw1(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/16      on           isl            trunking      1

Port        Vlans allowed on trunk
Fa0/16      1-4094

Port        Vlans allowed and active in management domain
Fa0/16      1,3-5,37,46,72-73,125

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/16      1,3-5,46,72-73,125

VTP Pruning with dot1q trunk: 

sw1(config-if)#do sh vtp stat | i run
VTP Pruning Mode                : Enabled
sw1(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/16      on           802.1q         trunking      125

Port        Vlans allowed on trunk
Fa0/16      1-4094

Port        Vlans allowed and active in management domain
Fa0/16      1,3-5,37,46,72-73,125

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/16      1,3-5,46,72-73,125
sw1, 2, 4

Hmmmm…..can’t ping bb2 from sw1 (VLAN 72):

sw1(config-if)#do p 192.10.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Route: sw1 fa0/16 (trunk) -> (trunk) fa0/13 sw3 po23 (trunk) -> (trunk) po23 sw2 int fa0/24 (vlan 72) -> (vlan 72) gi1/0/1 bb2

Start at last hop before bb2:

sw2#sh int fa0/24 status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/24                       notconnect   72           auto   auto 10/100BaseTX 

Problem = dead port on my bb2 router (actually a 3750 switch).  ARGGH!!!!

Shut/no shut fixed it…..weird!!!

sw1#ping 192.10.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5),
round-trip min/avg/max = 1/202/1006 ms

January 17, 2008

Internetwork Expert Volume III: Lab 2 – Section 2

Bridging and Switching – 9 Points

There were a couple more things that threw me off my game in this lab.  I did not know that the backbone router configurations were not preloaded on the CCOnlineLabs devices.  I was wondering why I could not see the bbs from the switches.  🙂

Also, the bbs are connected to different ports than I am used to.

2.1 Trunking

Very easy task.  IE used “switchport nonegotiate” on all of their trunks.  The task did not state that negotiation should be disabled (nor did it say that we could not dynamically create the trunks).  I am debating if I should turn off DTP whenever I hard-code a trunk in my labs.

The IE solution also shows a configuration for sw2’s fa0/17 as an ISL trunk????  That was not in the task.  They probably meant fa0/20, not 0/17.

IE’s verification command for 2.1 makes no sense either.  They do “sh vtp status” and show sw1 as a vtp server in the CORE domain and the remaining switches as clients in the same domain.  WTF???

2.2 Etherchannel

It’s pretty obvious that whatever lab the solution guide is for, it’s NOT for Vol III lab 2!!!!!  I had an old copy of the solution guide printed out (from 21 July 2007).  It looked much better.  🙂

Inconsistencies between Lab Doc & Solutions Guide

2.3 Layer 3 Interfaces

Another straightforward task.  You won’t be able to ping across vlan59 until you assign vlan59 to fa0/5 on sw3.  Also note that sw3 does not have direct connectivity to r5 – you will need to configure VLAN 58 on sw1 0/5.

2.4 VLAN Assignments

“sw3 should be in charge of creating VLANs; no other switches should be able to modify VLANs that sw3 has created.”

Translated: make sw3 the VTP server and the remaining switches VTP clients.

Speed Tip: Since we don’t have any named vlans we can use one vlan statement on sw3 (vtp server):

sw3(config)#vlan 10,32,23,9,67,59,58,43
sw3(config-vlan)#exit

At this point all of your SVIs should be up/up and you should be able to ping any directly connected interfaces from the switches.

January 12, 2008

Internetwork Expert Volume II: Lab 4 – Section 1

Section 1 – Bridging and Switching – *26 Points

* Includes 4 points for Troubleshooting section.

Troubleshooting

4 errors this time – yuck.

1)

r2#sh ver | i register
Configuration register is 0x2102 (will be 0x2142 at next reload)

That’s not good.  🙂

r2(config)#config-register 0x2102
r2#sh ver | i register
Configuration register is 0x2102

2)

r6#sh run int s0/0
interface Serial0/0
 ip address 54.1.1.6 255.255.255.128  <-mask should be /24
 encapsulation frame-relay

3)

Frame Relay is configured on the wrong interface (should be s0/0/0) on r2:

r2#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         141.1.0.2       YES manual up                    up
GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down
Serial0/0/0                unassigned      YES NVRAM  administratively down down
Serial0/1/0                141.1.123.2     YES manual up                    down
Loopback0                  150.1.2.2       YES manual up                    up

r2(config)#do sh run int s0/0/0
interface Serial0/0/0
 no ip address
 shutdown

end

r2(config)#do sh run int s0/1/0
interface Serial0/1/0
 ip address 141.1.123.2 255.255.255.0
 encapsulation frame-relay
end

4)

r5(config)#do sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            141.1.145.5     YES manual up                    up
Serial0/0                  141.1.54.5      YES manual up                    up
FastEthernet0/1            141.1.0.5       YES manual up                    up
Serial0/1                  141.1.54.5      YES manual up                    up
Loopback0                  150.1.5.5       YES manual up                    up

r5(config)#int s0/1
r5(config-if)#ip add 141.1.45.5 255.255.255.0

1.1 Trunking

“standards based trunks” + “vlan 255 should be untagged when sent across any of these trunks” = dot1q trunks with native vlan 255.  Nuff said.

1.2 VLAN Assignments

Easy enough VTP configuration with VLAN assignments.  The only unresolved bit is whether we should leave all of the switches in VTP server mode.  I did.  That means you only need to create the VLANs on one switch:

Make sure that your results match by running:

sh vlan br | e unsup|^ |^1 |active[ \t]+$

Well…I thought that this was easy.  I have to work on reading between the lines on these tasks.  You need to create all of the VLANs in the task as well as any VLANs on the diagram (6,7,8,77,88, and 255).  You’ll need to name these VLANs by substituting the digits in the VLAN with their ordinal letter in the alphabet (i.e. VLAN 77 = VLAN_GG).

The IE solution guide is missing the configuration for fa0/24 on sw1.  [note: they may have pulled it or the question may contain a typo].

1.3 Traffic Control

“Enable pruning within the VTP domain.” Just need to configure vtp pruning on any one of the switches as they are all in VTP server mode.

sw1(config)#vtp pruning
Pruning switched on

“Although sw1 and sw3 do not have VLAN 8 locally assigned ensure that they receive unknown unicast, broadcast, or multicast traffic for VLAN 8 over their lowest numbered trunk link to sw2”

That’s just a long-winded way of saying that we should not prune VLAN 8 on sw1 fa0/13 and sw3 fa0/16.

Before:
sw1(config)#do sh int fa0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      255

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,6,12,36,43,45,258

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      none

switchport trunk

Set the list of VLANs that are eligible for VTP pruning when in trunking mode. The all keyword is not valid.

sw1(config-if)#switch trunk pruning vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

I could not get the except command to work:

sw3(config-if)#swit trun pru vlan except ?
  WORD  VLAN IDs of disallowed VLANS when this port is in trunking mode

sw3(config-if)#swit trun pru vlan except vlan 8
                                                                          ^
% Invalid input detected at ‘^’ marker.

sw3(config-if)#swit trun pru vlan except vlan8
Command rejected: Bad VLAN list – character #1 is a non-numeric
character (‘v’).

sw3(config-if)#swit trun pru vlan except 8
Command rejected: Bad VLAN pruning list.

…so I used:

sw1(config-if)#switch trun prun vlan 2-7,9-1001

The other odd bit is that I thought that I would see that vlan 8 was not prune-eligible with “show int fa0/13 trunk”:

sw1#sh int fa0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      255

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,6-8,12,36,43,45,77,88,255,258

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      258

You can use the following to verify the prune list:

sw1#sh int fa0/13 switchport | i Prun
Pruning VLANs Enabled: 2-7,9-1001
sw1#sh int fa0/14 switchport | i Prun
Pruning VLANs Enabled: 2-1001

The last subtask states:

“Traffic for VLAN 8 should not be received over any of the other trunk links.”

I thought that you would need to explicitly configure the other trunks to not allow VLAN 8 (“switchport trunk allowed”).  IE does not do that, even though the other trunks do allow VLAN 8:

sw1#sh int fa0/14 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/14      on           802.1q         trunking      255

Port        Vlans allowed on trunk
Fa0/14      1-4094

Port        Vlans allowed and active in management domain
Fa0/14      1,6-8,12,36,43,45,77,88,255,258  <-note

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/14      none

1.4 Spanning-Tree Protocol

You need to configure sw1 as the primary spanning-tree root bridge and sw3 as the secondary root bridge for vlan 258.

“All VLAN 258 traffic from sw2 to sw1 should transit sw4”
“In the event that sw2’s path to sw1 through sw3 is down, sw2 should use the directly connected trunk links to reach sw1 directly.”
“Use the fewest number of commands to accomplish this task and do not alter sw1’s port-priorities.”

“do not alter sw1’s port-priorities” means that we’ll use port-cost to affect vlan 258’s traffic.

We have two options: cost or port-priority.  If I am the root trying to affect how traffic comes towards me, I will use port-priority.  If I am on a non-root switch and I want to affect the way that traffic flows to the root, I will use cost.

Port-priority is looking down the spanning-tree.
Cost is looking up the spanning-tree.

spanning-tree cost

Before:
sw2#sh span vlan 258

VLAN0258
  Spanning tree enabled protocol ieee
  Root ID    Priority    24834
             Address     0012.018f.d580
             Cost        19
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33026  (priority 32768 sys-id-ext 258)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 19        128.15   P2p  <- sw1
Fa0/14           Altn BLK 19        128.16   P2p  <- sw1
Fa0/15           Altn BLK 19        128.17   P2p  <- sw1
Fa0/16           Desg FWD 19        128.18   P2p  <- sw3
Fa0/17           Desg FWD 19        128.19   P2p  <- sw3
Fa0/18           Desg FWD 19        128.20   P2p  <- sw3

In this case we need to change the port-cost so that sw3 is preferred (lower cost on ports to sw3).  The path directly to sw1 will be used if the path to sw3 goes down, so we will satisfy both subtasks.

sw2(config-if-range)#spanning vlan 258 cost ?
  <1-200000000>  Change an interface’s per VLAN spanning tree path cost

sw2(config)#inter range fa0/13 – 15
sw2(config-if-range)#spanning vlan 258 cost 2000

After waiting for spanning-tree to recalculate:

sw2(config-if-range)#do sh span vlan 258 | b Interface
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.4    P2p
Fa0/13           Altn BLK 2000      128.15   P2p
Fa0/14           Altn BLK 2000      128.16   P2p
Fa0/15           Altn BLK 2000      128.17   P2p
Fa0/16           Root FWD 19        128.18   P2p  <-booyah!!!
Fa0/17           Altn BLK 19        128.19   P2p
Fa0/18           Altn BLK 19        128.20   P2p

I did waste a lot of time fretting over the “minimum configuration” requirement.  In the real lab, I’d just note this task and come back to it later to check for a slimmer configuration.  As it was, I got this correct.

1.5 Link Failure Detection

I knew right away that this task would require some digging in the DOC.  In the real lab I would skip this non-core task and come back to it later.

“Configure sw1 and sw2 so that port fa0/15 is brought down in the case that either switch can send traffic, but not receive, or vice versa.”
“As an additional precaution configure sw1 so that interface fa0/15 is not mistakenly elected as a designated port in the above case.”

Reading these subtasks made me think of UniDirectional Link Detection and BPDU guard.

udld port

sw1(config-if)#udld port ?
  aggressive  Enable UDLD protocol in aggressive mode on this interface
 <cr>

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD also detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links.

Aggressive it is then.  🙂

After configuring both sides:

sw1#show udld fa0/15
Interface Fa0/15

Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement – Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 31
    Device ID: 1
    Current neighbor state: Bidirectional
    Device name: CAT0835X0US
    Port ID: Fa0/15
    Neighbor echo 1 device: CAT0837N1AS
    Neighbor echo 1 port: Fa0/15

    Message interval: 15
    Time out interval: 5
    CDP Device name: sw2

The IE solution guide warns:

“The global command udld enable only applies to fiber interfaces.  Ensure to use the interface command udld port aggressive for copper interfaces.”

I didn’t configure udld globally.  I figured that if the switch threw an error when I configured it at the interface level, then I would configure it globally and reconfigure it on the interface.  So I avoided a pitfall through sheer dumb luck rather than an understanding of udld.  🙂

I was wrong about BPDU guard though.  I needed loop guard instead:

spanning-tree guard

sw1#sh spanning-tree interface fa0/15 detail
 Port 17 (FastEthernet0/15) of VLAN0001 is blocking
   Port path cost 19, Port priority 128, Port Identifier 128.17.
   Designated root has priority 32769, address 000a.410e.0600
   Designated bridge has priority 32769, address 0012.009c.ca00
   Designated port id is 128.17, designated path cost 19
   Timers: message age 3, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Loop guard is enabled on the port 
   BPDU: sent 118, received 4578
-----output truncated-----

1.6 Spanning-Tree Protocol

I need to make sw3 show this output:

VLAN0258
  Spanning tree enabled protocol ieee

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/5            Desg FWD 100       128.5    P2p
Fa0/16           Desg FWD 19        128.16   P2p
Fa0/17           Desg FWD 19        128.17   P2p
Fa0/18           Desg FWD 19        128.18   P2p
Fa0/19           Altn BLK 19        128.19   P2p
Fa0/20           Altn BLK 19        128.20   P2p
Fa0/21           Root FWD 19        128.21   P2p

Basically I need to make fa0/21 the root port (fa0/19 is currently the root port) without changing the port-cost or priority on sw3. [Technically I should have changed the cost of fa0/5 as my current cost is 19, but that is an artifact of my r5 using a FastEthernet rather than an Ethernet port]

This should be easy enough.  I will change the spanning-tree priority on sw4 to prefer fa0/21:

sw3#sh cdp neigh fa0/21 | b Device
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw4                 Fas 0/21              141            S I      WS-C3550-2Fas0/21

spanning-tree port-priority

sw4(config-if)#spanning-tree vlan 258 port-priority ?
  <0-240>  port priority in increments of 16

sw3#sh sp v 258

VLAN0258
  Spanning tree enabled protocol ieee

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/5            Desg FWD 19        128.5    P2p
Fa0/16           Desg FWD 19        128.16   P2p
Fa0/17           Desg FWD 19        128.17   P2p
Fa0/18           Desg FWD 19        128.18   P2p
Fa0/19           Altn BLK 19        128.19   P2p
Fa0/20           Altn BLK 19        128.20   P2p
Fa0/21           Root FWD 19        128.21   P2p  <-sweet!!!!
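Both tasks 1.4 and 1.6 come down to the 802.1D root-port tie-break order (root path cost, then sender bridge ID, then sender port ID, then local port ID). As an added example that is not part of the original post, the Python below implements that comparison and replays both cases: raising sw2’s local cost on fa0/13-15 to 2000 moves its root port to fa0/16, and lowering sw4’s port-priority on fa0/21 (to 112 here) moves sw3’s root port from fa0/19 to fa0/21 without touching sw3. Bridge IDs, sw1/sw4 port numbers and the cost sw3 advertises are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Bpdu:
    """Fields of a received configuration BPDU that decide root-port selection."""
    root_path_cost: int    # cost the sender advertises to the root
    sender_bridge_id: int  # designated bridge ID of the sender (priority + MAC)
    sender_port_prio: int  # sender's port priority (0-240, default 128)
    sender_port_num: int   # sender's port number (the ".Nbr" part)


@dataclass(frozen=True)
class Port:
    name: str
    number: int            # local port number (Prio.Nbr suffix)
    path_cost: int         # local port cost (19 = FastEthernet default)
    priority: int = 128
    bpdu: Optional[Bpdu] = None   # None: no BPDU received on this port


def root_port(ports: List[Port]) -> str:
    """802.1D tie-break: root path cost, sender bridge ID, sender port ID, local port ID."""
    candidates = [p for p in ports if p.bpdu is not None]
    best = min(candidates, key=lambda p: (
        p.bpdu.root_path_cost + p.path_cost,
        p.bpdu.sender_bridge_id,
        (p.bpdu.sender_port_prio, p.bpdu.sender_port_num),
        (p.priority, p.number),
    ))
    return best.name


# Constructed bridge IDs: sw1 is primary root (24834), sw3 secondary, sw4 default.
SW1, SW3, SW4 = 24834, 28930, 33026


def sw2_root_port(cost_to_sw1: int) -> str:
    """Task 1.4: fa0/13-15 face the root directly; fa0/16-18 face sw3, which is
    assumed to advertise a root path cost of 19. Only the local cost varies."""
    ports = [Port(f"Fa0/{n}", n + 2, cost_to_sw1, bpdu=Bpdu(0, SW1, 128, n + 2))
             for n in (13, 14, 15)]
    ports += [Port(f"Fa0/{n}", n + 2, 19, bpdu=Bpdu(19, SW3, 128, n))
              for n in (16, 17, 18)]
    return root_port(ports)


def sw3_root_port(sw4_fa21_priority: int) -> str:
    """Task 1.6: fa0/19-21 all face sw4 at equal cost, so the sender port ID
    (sw4's port-priority.number) is the deciding field."""
    ports = [Port(f"Fa0/{n}", n, 19,
                  bpdu=Bpdu(19, SW4, sw4_fa21_priority if n == 21 else 128, n))
             for n in (19, 20, 21)]
    return root_port(ports)


if __name__ == "__main__":
    print("sw2 before/after cost 2000:", sw2_root_port(19), sw2_root_port(2000))
    print("sw3 before/after sw4 fa0/21 prio 112:", sw3_root_port(128), sw3_root_port(112))
```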

1.7 Rate-Limiting

Another task that I would probably skip and come back to later if this came up on the actual lab.  I had to peek at the solution guide because I did not recognize that this task was asking me to configure storm-control.

storm-control

Unicast traffic – average packet size of 954 Bytes – average of 250 packets per second

sw1(config-if)#storm-control unicast level ?
  <0.00 – 100.00>  Enter rising threshold
  bps              Enter suppression level in bits per second
  pps              Enter suppression level in packets per second

954 x 8 x 250 = 1908000 bps <-this is a rabbit hole. 

Read the options…pps would be much easier.

sw1(config-if)#storm-control unicast level pps ?
  <0.0 – 10000000000.0>[k|m|g]  Enter rising threshold

sw1(config-if)#storm-control unicast level pps 250 ?
  <0.0 – 10000000000.0>[k|m|g]  Enter falling threshold
  <cr>

sw1(config-if)#storm-control unicast level pps 250

sw1#sh storm-control unicast
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/1      Forwarding        250 pps      250 pps        0 pps

I need to review storm-control because I would not have received the points for this task even if I had been able to figure out that the task required storm-control.

1.8 QoS

This is a simple IP Prec to DSCP mutation mapping.

Configuring DSCP Maps

sw2(config)#mls qos map ip-prec-dscp ?
  <0-63>  8 dscp values separated by spaces

sw2(config)#mls qos map ip-prec-dscp 0 0 0 0 32 40 0 0

sw2#sh mls qos maps ip-prec-dscp
   IpPrecedence-dscp map:
     ipprec:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:   0  0  0  0 32 40  0  0

1.9 QoS

This is another easy QoS task (especially if you have worked with VoIP phones).

Configuring the Trust State on Ports within the QoS Domain

sw2(config)#int fa0/2
sw2(config-if)#mls qos trust ?
  cos            cos keyword
  device         trusted device class
  dscp           dscp keyword
  ip-precedence  ip-precedence keyword
  <cr>

sw2(config-if)#mls qos trust ip-precedence
sw2(config-if)#do sh mls qos int fa0/2
FastEthernet0/2
QoS is disabled. When QoS is enabled, following settings will be applied
trust state: trust ip-precedence
trust mode: trust ip-precedence
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

Make sure that you enable mls qos globally (the IE solution guide skips this step):

sw2(config)#mls qos
sw2(config)#do sh mls qos int fa0/2
FastEthernet0/2
trust state: trust ip-precedence
trust mode: trust ip-precedence
trust enabled flag: ena
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based
