CCIE Pursuit Blog

August 8, 2008

Internetwork Expert Volume II: Lab 6 – Section 7

Section 7 – QoS – 6 Points

7.1 Real Time Protocol

“…ensure that all RTP packets sent over the Frame Relay circuit between r2 and r4 are prioritized.”
“Allocate 25% fo the bandwidth for these RTP packets.”
“This configuration should be done in such a way that it is easy to add additional QoS configuration at a later date.”

Well the first thing we need to do is classify the RTP traffic.

Rack11R3(config)#class-map TASK_7_1
Rack11R3(config-cmap)#match protocol rtp ?
  audio         Match voice packets
  payload-type  Match an explicit PT
  video         Match video packets
  <cr>

The task mentions VoIP users but also say “all RTP packets”. I chose “audio” and was wrong.  😦  As always, clarify these types of questions with the proctor.

Okay, now the policy-map:

Rack11R3(config-cmap)#policy-map TASK_7_1
Rack11R3(config-pmap)#class TASK_7_1
Rack11R3(config-pmap-c)#?
QoS policy-map class configuration commands:
  bandwidth        Bandwidth
  compression      Activate Compression
  drop             Drop all packets
  estimate         estimate resources required for this class
  exit             Exit from QoS class action configuration mode
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-limit      Queue Max Threshold for Tail Drop
  random-detect    Enable Random Early Detection as drop policy
  service-policy   Configure Flow Next
  set              Set QoS values
  shape            Traffic Shaping

We are asked to prioritize the RTP packets and allocate them 25% of the bandwidth.

Rack11R3(config-pmap-c)#priority ?
  <8-2000000>  Kilo Bits per second
  percent      % of total bandwidth

Rack11R3(config)#int s1/0
Rack11R3(config-if)#service-policy out TASK_7_1

Do the same thing on r4 (do “sh hist” while still in config mode and copy and paste on r4(making sure to change int s1/0 to int s0/0).

Rack11R4#sh policy-map
  Policy Map TASK_7_1
    Class TASK_7_1
      Strict Priority
      Bandwidth 25 (%)

Rack11R4#sh policy-map int s0/0

 Serial0/0

  Service-policy output: TASK_7_1

    Class-map: TASK_7_1 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol rtp
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 25 (%)
        Bandwidth 386 (kbps) Burst 9650 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0

    Class-map: class-default (match-any)
      25 packets, 1777 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

The solution guide has a great breakdown on this task.

7.2 Congestion Avoidance

“…configure your network so that HTTP traffic is dropped prior to the interface becoming congested.”
“This HTTP traffic should not be reserved by any bandwidth.”

Does “your network” mean all devices or just r3 and r4 (continuing from the last task)?  I’m going to stick with r3 and r4 only because configuring this on 20+ interfaces seems a bit much.  I’m guessing that the second task means that we should not use the bandwidth statement.

“dropped prior to…congestion” simply sounds like WRED to me.  Simply WRED?  Loved them in the 80’s.  🙂  Okay, not really and I apologize to all three people who got that pathetic attempt at humor.

Let’s match HTTP traffic:

Rack11R4(config)#class-map TASK_7_2
Rack11R4(config-cmap)#match proto http

And add this to our already existing policy-map (which – in hindsight – should have been named something else):

Rack11R4(config-cmap)#policy-map TASK_7_1
Rack11R4(config-pmap)#class TASK_7_2
Rack11R4(config-pmap-c)#random-detect
bandwidth on the class is required to issue this command

DOH!!!  Adding a bandwidth statement would break the task requirement.

This stumped me.  I had to peek the solution guide:

“To configure WRED in the MQC, one of two conditions must be met.  There must either be a bandwidth reservation made within a class [verboten for this task], or the default-class must be running weighted fair queuing.”

Okay…so how does that help us?:

Rack11R4(config-pmap-c)#class class-default
Rack11R4(config-pmap-c)#fair
Rack11R4(config-pmap-c)#class TASK_7_2
Rack11R4(config-pmap-c)#random-detect
bandwidth on the class is required to issue this command

The answer is pretty cool.  First match all traffic other than HTTP traffic using the ‘not’ keyword:

Rack11R4(config-cmap)#class-map TASK_7_2
Rack11R4(config-cmap)#no match protocol http
Rack11R4(config-cmap)#match notproto http

Now turn on random-detect and fair-queueing for the default class:

Rack11R4(config-cmap)#policy-map TASK_7_1
Rack11R4(config-pmap)#class class-default
Rack11R4(config-pmap-c)#fair
Rack11R4(config-pmap-c)#random

Here’s what your policy map looks like:

Rack11R4(config-pmap-c)#do sh run | sec policy-map
policy-map TASK_7_1
 class TASK_7_1
  priority percent 25
 class TASK_7_2
 class class-default
  fair-queue
  random-detect

So all RTP traffic (class TASK_7_1) is prioritized.  Then we match all other traffic EXCEPT HTTP traffic in class TASK_7_2…but we don’t do anything to it.  This means that the only remaining traffic is HTTP traffic…which is now in the default class.  Booyah!  We just go around the bandwidth restriction.  Nice method and one to remember for the lab.

April 5, 2008

Internetwork Expert Volume II: Lab 6 – Section 10

IP Services – 2 Points

10.1 CDP

Configure CDP with the following parameters:

1) Send updates every 5 seconds
2) Discard CDP entries after 15 seconds
3) r4 should include it’s lo0 IP address in the CDP packet for identification

This should be easy…except that we’re dealing with the LAN segment that we used L2 tunneling on back in section 1.  But that doesn’t matter because we need to make these changes in global configuration.

cdp timer

Defaults
60 seconds

cdp holdtime

Defaults
180 seconds

cdp source-interface

r4(config)#cdp timer 5
r4(config)#cdp hold 15
r4(config)#cdp source-interface lo0
r4(config)#do sh cdp
Global CDP information:
        Sending CDP packets every 5 seconds
      Sending a holdtime value of 15 seconds
        Sending CDPv2 advertisements is  enabled
        Source interface is Loopback0

Before setting CDP source interface to lo0:
sw2(config)#do sh cdp nei fa0/18 det
————————-
Device ID: r4
Entry address(es):
  IP address: 191.1.48.4
Platform: Cisco 2651XM,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/18,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 11 sec
—output truncated—

After setting CDP source interface to lo0:
sw2(config)#do sh cdp nei fa0/18 det
————————-
Device ID: r4
Entry address(es):
  IP address: 150.1.4.4
Platform: Cisco 2651XM,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/18,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 12 sec
—output truncated—

10.2 UDP Echo

I had no idea on this task:

“Configure sw2 to respond to UPD echoes from a network management station with the IP address 191.1.77.100.”
“sw2 should not respond to packets sent to the UDP ‘discard’ and ‘chargen’ ports from this network management station.”

service udp-small-servers

sw2(config)#access-list 100 deny udp any any eq ?
  discard        Discard (9)

‘chargen’ = ?

Chargen

Chargen is short for Character Generator and is a service that generates random characters either in one UDP packet containing a random number (between 0 and 512) of characters, or a TCP session. The UDP Chargen server looks for a UDP packet on port 19 and responds with the random character packet.

I had to travel to the InterTubes to find this, but IE has a slick trick:

sw2#telnet 150.1.8.8 ?
—output truncated—
  chargen            Character generator (19) <-there’s my UDP port
  cmd                Remote commands (rcmd, 514)
  daytime            Daytime (13)
  discard            Discard (9)
—output truncated—

Internetwork Expert Volume II: Lab 6 – Section 9

System Management – 6 Points

9.1 SNMP

SNMP Configuration Task List

“Allow r3 to be reloaded via SNMP”

Enabling the SNMP Agent Shutdown Mechanism

r3(config)#snmp-server system-shutdown

I’m never sure whether or not to enable traps.  I’m not alone:

Task 9.1

9.2 RMON

Easy enough task.  You just have to make sure you read it correctly.  I got the following error which I could not rectify:

r3(config)#rmon alarm 1 ifEntry.10.5 60 delta rising 80000 1 fall 40000 1
Unknown object: ifEntry.10.5

 

Internetwork Expert Volume II: Lab 6 – Section 6

IPv6 – 7 Points

6.1 IPv6 Addressing

Easy task, but I’m not sure why the IE solution uses eui-64 addressing for fa0/0 on r3?

Task 6.1 – IPv6

6.2 RIPng

Configure RIPng on all interfaces running IPv6.  Have r3 originate a default route to r2.  r2 should not see any of the specific subnets learned from BB2, but don’t use a prefix-list to accomplish this.

NOTE: Don’t forget to disable split-horizon on r1 (FR hub).

I’d love to give you a link to the DOCCD for some of these commands, but Cisco has completely fucked up the IPv6 documentation.

r3(config-if)#int s0/3:0
r3(config-if)#ipv rip RIPng en
r3(config-if)#ipv rip RIPng ?
  default-information  Configure handling of default route

r3(config-if)#ipv rip RIPng default-information ?
  only       Advertise only the default route
  originate  Originate the default route

r3(config-if)#ipv rip RIPng default-information only

r2#sh ipv route rip
IPv6 Routing Table – 8 entries
Codes: C – Connected, L – Local, S – Static, R – RIP, B – BGP
       U – Per-user Static route, M – MIPv6
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       O – OSPF intra, OI – OSPF inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
       D – EIGRP, EX – EIGRP external
R   ::/0 [120/2]
     via FE80::211:93FF:FEB0:9DA0, Serial0/1/0

R   2001:192:10:1::/64 [120/2]
     via FE80::211:93FF:FEB0:9DA0, Serial0/1/0
R   2001:CC1E:1:5::/64 [120/3]
     via FE80::1, Serial0/0/0

6.3 RIPng Summarization

Configrue r3 to advertise a single /48 summary of all of the IPv6 addresses.

r3(config)#int fa0/0
r3(config-if)#ipv6 rip RIPng summary-address 2001:CC1E:1::/48

r3#debug ipv6 rip fa0/0
RIP Routing Protocol debugging is on for interface FastEthernet0/0
*Mar  1 22:31:38: RIPng: Sending multicast update on FastEthernet0/0 for RIPng
*Mar  1 22:31:38:        src=FE80::211:93FF:FEB0:9DA0
*Mar  1 22:31:38:        dst=FF02::9 (FastEthernet0/0)
*Mar  1 22:31:38:        sport=521, dport=521, length=52
*Mar  1 22:31:38:        command=2, version=1, mbz=0, #rte=2
*Mar  1 22:31:38:        tag=0, metric=1, prefix=2001:192:10:1::/64
*Mar  1 22:31:38:       tag=0, metric=1, prefix=2001:CC1E:1::/48 

 

Internetwork Expert Volume II: Lab 6 – Section 8

Security – 6 Points

8.1 BPDU Filtering

Configure sw1 and sw2 to filter all DECnet spanning-tree BPDUs in VLAN 363

I figured that I would find this under the spanning-tree commands, but I was way off.  You need to use a VACL to filter this traffic:

mac access-list extended NO_DEC_BPDU
 permit any any dec-spanning
!
vlan access-map NO_DEC_BPDU 10
 action drop
 match mac address NO_DEC_BPDU
vlan access-map NO_DEC_BPDU 20
 action forward
!
vlan filter NO_DEC_BPDU vlan-list 363

sw1#sh vlan filter vlan 363
Vlan 363 has filter NO_DEC_BPDU.

sw1#sh vlan access-map
Vlan access-map “NO_DEC_BPDU”  10
  Match clauses:
    mac address: NO_DEC_BPDU
  Action:
    drop
Vlan access-map “NO_DEC_BPDU”  20
  Match clauses:
  Action:
    forward

sw1#sh vlan filter access-map NO_DEC_BPDU
VLAN Map NO_DEC_BPDU is filtering VLANs:
  363

VLAN 363 is not present on sw1 and sw2  🙂

sw1#sh vlan id 363
VLAN id 363 not found in current VLAN database

sw2#sh vlan id 363
VLAN id 363 not found in current VLAN database

Task 8.1 BPDU Filtering

8.2 Traffic Filtering

Hosts must authenticate to r2 before they are allowed to telnet to sw1.  Use one user/password combination to allow access to sw1 and another to grant access to r2’s CLI.

This is a task that IE is fond of.  We just used a VACL, so why not use a DACL.  🙂

r2(config)#ip access-list extended DYNAMIC
% Invalid access list name.

IOS would not let me use the word, “dynamic” as the name of my extended access-list.

Invalid access list name.

I think that Cisco IOS block creating access-list with the name “dynamic” , this is due to introducing new dynamic access-list starting from the release 12.3(7)T.  Also new show command was entered “Show ip access-list dynamic” starting from the above release , so for not making any confilicts the IOS blocks access lists with the name “dynamic”

Dynamic access is used for more security purpose, if you are interested in it , you can go to the following link:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm

Oh well, IOS likes BOOBIES though….who doesn’t?  🙂

r2(config)#ip access-list extended BOOBIES
r2(config-ext-nacl)#dynamic PERMIT_TELNET perm tcp any any eq telnet

 

Internetwork Expert Volume II: Lab 6 – Section 5

IP Multicast – 8 Points

5.1  PIM

Easy task.  There is a typo in the task.  You need to configure pim dense-mode on sw1’s fa0/14 interface (not fa0/2).

Task 5.1 – typo error in the task description

5.2  PIM Filtering

Configure r1 so that it does not become a PIM neighbor with r5.  r5 should still allow clients on VLAN 5 to receive multicast traffic.

This is a case of multicast stub routing.  There is a very nice breakdown on this in the solution guide.  I’m still struggling with advanced multicast.  I need to take some time and review multicast.

Before:
r1(config)#do sh ip pim  neig
PIM Neighbor Table
Mode: B – Bidir Capable, DR – Designated Router, N – Default DR Priority,
      S – State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
191.1.125.5       Serial0/0                00:17:02/00:01:27 v2    1 / DR S
191.1.125.2       Serial0/0                00:18:55/00:01:32 v2    1 / S
191.1.13.3        Serial0/1                00:17:58/00:01:31 v2    1 / S

After:
*Mar  1 20:54:06.241: %PIM-5-NBRCHG: neighbor 191.1.125.5 DOWN on interface Serial0/0 DR
*Mar  1 20:54:06.241: %PIM-5-DRCHG: DR change from neighbor 191.1.125.5 to 191.1.125.2 on interface Serial0/0

r1(config-if)#do sh ip pim nei
PIM Neighbor Table
Mode: B – Bidir Capable, DR – Designated Router, N – Default DR Priority,
      S – State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
191.1.125.2       Serial0/0                00:20:49/00:01:37 v2    1 / DR S <-No more r5
191.1.13.3        Serial0/1                00:19:52/00:01:35 v2    1 / S

ip pim neighbor-filter

r5#sh ip igmp int fa0/0 | i help
  IGMP helper address is 191.1.125.1

ip igmp helper-address

5.3 IGMP

Configure VLAN 363 on r3 (fa0/0) to support IGMP version 1.

r3(config)#int fa0/0
r3(config-if)#ip igmp version 1

r3#sh ip igmp int fa0/0 | i ver
  Current IGMP host version is 1
  Current IGMP router version is 1

ip igmp version

5.4 Multicast Testing

Configure sw1 to forward traffic for multicast group 225.25.25.25 but do not allow sw1 to process switch this traffic.

ip igmp static-group

sw1(config)#int vlan 7
sw1(config-if)#ip igmp static-group 225.25.25.25

sw1#sh ip igmp group
IGMP Connected Group Membership
Group Address    Interface                Uptime    Expires   Last Reporter
225.25.25.25     Vlan7                00:00:25  stopped   0.0.0.0
224.0.1.40       FastEthernet0/14         00:39:18  00:02:30  191.1.27.2

sw1#sh ip multicast int vlan 7
Vlan7 is up, line protocol is up
  Internet address is 191.1.7.7/24
  Multicast routing: enabled
  Multicast switching: distributed   <-Should say process
  Multicast packets in/out: 0/0
  Multicast boundary: not set
  Multicast TTL threshold: 0
  Multicast Tagswitching: disabled

Hmmmmm…..I never could get my output to show process switching.  😦

task 5.4 process switching

 

Internetwork Expert Volume II: Lab 6 – Section 4

Exterior Gateway Routing – 11 Points

4.1 BGP Peering

Easy task as there are not a lot of devices running BGP and all but one peering is on r6.

“All BGP traffic between r4 and r6 should traverse the VPN tunnel.”

Easy enough,  just make the neighbor addresses 191.1.46.x.  This also save me from configuring ‘ebgp multihop’ for the r4 <-> r6 peering.

4.2  BGP Bestpath Selection

Send all traffic for prefixes learned from AS 54 on r6 to BB1.  Don’t use local_pref.

What about weight?

Best Path Selection Table:

Attribute Direction Applied Traffic Flow Affected Prefer
Weight Inbound Outbound High
Local_Pref Inbound Outbound High
AS-Path Outbound Inbound Shortest
MED Outbound Inbound Lowest

Just set the weight from routes learned from BB1 to something greater than the default of 0 (IE used 100, I used 65000):

r6(config-router)#do sh ip bgp | i 54.1.3.254
*> 112.0.0.0        54.1.3.254               0         65000 54 50 60 i
*> 113.0.0.0        54.1.3.254               0         65000 54 50 60 i
*> 114.0.0.0        54.1.3.254               0         65000 54 i
*> 115.0.0.0        54.1.3.254               0         65000 54 i
*> 116.0.0.0        54.1.3.254               0         65000 54 i
*> 117.0.0.0        54.1.3.254               0         65000 54 i
*> 118.0.0.0        54.1.3.254               0         65000 54 i
*> 119.0.0.0        54.1.3.254               0         65000 54 i

4.3 BGP Filtering

Configure r6 so that AS 100 will not accept any prefixes from as 54 with a mask longer than /20.  Use a single-line prefix-list.

The prefix-list bit is easy:

r6(config)#ip prefix-list LESSTHANTWENTY perm 0.0.0.0/0 le 20

There’s a really nice breakdown on prefix-lists in general in the IE solution guide.

I was thrown off by the SET_WEIGHT route-map in the IE solution guide, but it’s same route-map name they used in the previous task (I had named mine ‘WEIGHT’) with an additional line.  So your final route-map should look similar to this:

route-map WEIGHT permit 10
 match ip address prefix-list LESSTHANTWENTY
 set weight 65000

task 4.3

4.4 BGP Summarization

Configure a summary of 191.1.0.0/16 and 150.1.0.0/20 but do not use aggregate-address.  You are allowed to use two static routes on r3 to accomplish this.

I had NO CLUE on this one.  I peeked the solution guide and then slapped my big, dumb forehead.  The ip routes are to NULL0.  You then redistribute the static routes.  DOH!!!

r3(config)#ip route 150.1.0.0 255.255.240.0 null0
r3(config)#ip route 191.1.0.0 255.255.0.0 null0
r3(config)#router bgp 200
r3(config-router)#redist static

r6#sh ip route bgp | i 150|191.1.
     191.1.0.0/16 is variably subnetted, 21 subnets, 4 masks
B       191.1.0.0/16 [20/0] via 204.12.1.3, 00:01:00         
     150.1.0.0/16 is variably subnetted, 10 subnets, 3 masks
B       150.1.0.0/20 [20/0] via 204.12.1.3, 00:01:00 

4.5 BGP Table Stability

Configure r6 to not advertise 112.0.0.0/8 and 113.0.0.0/8 if they are “consistently unstable.”

bgp dampening

Usage Guidelines
The bgp dampening command is used to enable BGP route dampening. This command can be entered without any arguments or keywords. The half-life, reuse, suppress, and max-suppress-time arguments are position-dependent; meaning that if any of these arguments are entered, then all optional arguments must be entered.

When BGP dampening is configured and a prefix is withdrawn, BGP considers the withdrawn prefix as a flap and increases the penalty by a 1000. If BGP receives an attribute change, BGP increases the penalty by 500. If then the prefix has been withdrawn, BGP keeps the prefix in the BGP table as a history entry. If the prefix has not been withdrawn by the neighbor and BGP is not using this prefix, the prefix is marked as dampened. Dampened prefixes are not used in the BGP decision process and not installed to the routing table.

router bgp 100
 bgp dampening route-map FLAPPERS
!
ip prefix-list FLAPPERS seq 5 permit 112.0.0.0/8
ip prefix-list FLAPPERS seq 10 permit 113.0.0.0/8
!
route-map FLAPPERS permit 10
 match ip address prefix-list FLAPPERS

I missed on important piece though:

r6(config-router)#
*Mar  6 18:15:27.386: %BGP-3-BADROUTEMAP: Bad parameters in the route-map FLAPPERS applied for Dampening

You MUST specify dampening parameters in the route map.  Just use the defaults:

Defaults
BGP dampening is disabled by default. The following values are used when this command is enabled without configuring any optional arguments:

half-life: 15 minutes
reuse: 750
suppress: 2000
max-suppress-time: 4 times half-life

r6(config-router)#route-map FLAPPERS perm 10
r6(config-route-map)#set dampening 15 750 2000 60

r6#sh ip bgp dampening parameters
 dampening 15 750 2000 60 (route-map FLAPPERS 10)
  Half-life time      : 15 mins       Decay Time       : 2320 secs
  Max suppress penalty: 12000         Max suppress time: 60 mins
  Suppress penalty    :  2000         Reuse penalty    : 750

 

February 5, 2008

Internetwork Expert Volume II: Lab 6 – Section 3

Interior Gateway Routing – 24 Points

3.1 OSPF

Basic hub-and-spoke OSPF task:

“Do not use the ip ospf network statement on any of these devices.”

r1(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID 150.17.1.1, Network Type NON_BROADCAST, Cost: 64

r2(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID 150.17.2.2, Network Type NON_BROADCAST, Cost: 64

r5(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID 150.17.5.5, Network Type NON_BROADCAST, Cost: 64

Neighbor statements on the hub and “ip prio 0” on the spokes will take care of the job.

r1#sh ip os neig

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.17.2.2        0   FULL/DROTHER    00:01:54    191.17.125.2    Serial0/0
150.17.5.5        0   FULL/DROTHER    00:01:46    191.17.125.5    Serial0/0

3.2 OSPF

There were a TON of subtasks on this one.

You’ll need to remember that you changed the MTU size on sw3 and sw4 back in task section 1 as you’ll need ‘mtu-ignore’ on r4 and r5.

There are a ton of redistribute connected with route-maps as well.  You’ll need to use redistristribution rather than configuring ‘ip ospf x area y’ under the loopback 0 interfaces because the switches don’t currently support that function yet.

route-map CONN->OSPF permit 10
 match int lo0
 set tag 101
router os 100
 redist conn sub route-map CONN->OSPF

You are asked to advertise r5’s loopback 0 as well but cannot use redistristribution or a network statement under the OSPF process.  You can configure this under the loopback 0 interface.  No area is specified, IE used area 0 (so did I).

r5(config)#int lo0
r5(config-if)#ip ospf 100 area 0

3.3 OSPF

Another task with a lot of configuration.

“Traffic from sw2 to VLAN 7 should transit the Serial link between r2 and r3.”
“In the case that the link between r1 and r3 is down traffic from sw1 to vlan 7 should transit the ethernt link between r4 and r5.”

vlan 7 is on sw1

sw2#sh ip route 191.17.7.7
% Subnet not in table

sw2 is in area 48 which does not have a connection to area 0, so we’ll need to build a virtual link first to get that route to sw2.  As a matter of fact, we’ll need need to build a number of virtual-links to complete our OSPF domain.  After connecting all areas:

sw2#sh ip route 191.17.7.0
Routing entry for 191.17.7.0/24
  Known via “ospf 100”, distance 110, metric 68, type inter area
  Last update from 191.17.48.4 on FastEthernet0/18, 00:14:33 ago
  Routing Descriptor Blocks:
  * 191.17.48.4, from 150.17.4.4, 00:14:33 ago, via FastEthernet0/18
      Route metric is 68, traffic share count is 1

sw2#trace 191.17.7.7

Type escape sequence to abort.
Tracing the route to 191.17.7.7

  1 191.17.48.4 0 msec 0 msec 0 msec
  2 191.17.45.5 8 msec 0 msec 0 msec
  3 191.17.125.1 34 msec 25 msec 34 msec
  4 191.17.125.2 58 msec 51 msec 58 msec
  5 191.17.27.7 59 msec *  51 msec

So I need to make r2 and r1 prefer the path to r3 – rather than the FR.  I can do that with cost or change the bandwidth (indirectly change cost).  The Ethernet connection from r4 to r5 will be used only as a last choice because I cranked up the cost:

r4(config-subif)#ip os cost ?
  <1-65535>  Cost
r4(config-subif)#ip os cost 65534

r5(config-router)#int fa0/1.45
r5(config-subif)#ip os cost 65534

With Frame Relay connection up:

sw2#trace 191.1.7.7

Type escape sequence to abort.
Tracing the route to 191.1.7.7

  1 191.1.48.4 0 msec 9 msec 0 msec
  2 191.1.34.30 msec 0 msec 8 msec
  3 191.1.23.20 msec 9 msec 0 msec
  4 191.1.27.7 8 msec *  0 msec

With Frame Relay down:

r3(config)#int s0/0:0
r3(config-if)#shut

sw2#trace 191.1.7.7

Type escape sequence to abort.
Tracing the route to 191.1.7.7

  1 191.1.48.40 msec 0 msec 8 msec
  2 191.1.45.50 msec 0 msec 0 msec
  3 191.1.125.1 8 msec 9 msec 0 msec
  4 191.1.125.2 8 msec 9 msec 8 msec
  5 191.1.27.7 8 msec *  0 msec

This is a pretty easy to lose track of your IGP build because the last two tasks have you building buttloads of areas.  Make sure to look at your IGP diagram and figure out where your virtual-links need to be built.

3.4 OSPF Filtering

“Configure the network so that r2 filters all routing advertisements to sw1 with the exception of a default route.”
“Do not use a distribute-list or prefix-list to accomplish this.”

Sounds like a stub network to me.  Now to decide which flavor of OSPF stub to use.

We are redistributing int lo0 on sw1:

router ospf 100
 router-id 150.1.7.7
 redistribute connected subnets route-map CONN->OSPF
!
route-map CONN->OSPF permit 10
 match interface Loopback0
 set tag 71

We’ll need to use NSSA with a default route.

area nssa

I had the right idea, but I missed the ‘no-redistribution’ keyword

no-redistribution
 (Optional) Used when the router is an NSSA Area Border Router (ABR) and you want the redistribute command to import routes only into the normal areas, but not into the NSSA area.
 
no-summary
 (Optional) Allows an area to be a not-so-stubby area but not have summary routes injected into it.

The IE solution guide says that the last two subtasks (see above) means that that sw1 should not see a specific route to sw1’s loopback.  I did not get that from reading the task, but it’s obvious that is what is meant if you look at the OSPF routes on sw1 without the no-redistribution keyword:

area 27 nssa no-summary (on r2):
sw1#sh ip route os
     150.1.0.0/24 is subnetted, 2 subnets
O N2    150.1.2.0 [110/20] via 191.1.27.2, 00:00:17, FastEthernet0/14
O*IA 0.0.0.0/0 [110/2] via 191.1.27.2, 00:00:22, FastEthernet0/14

area 27 nssa no-redistribution no-summary (on r2):
sw1#sh ip route os
O*IA 0.0.0.0/0 [110/2] via 191.1.27.2, 00:00:04, FastEthernet0/14

The solution guide has a very detailed write up about this task.

3.5 OSPF Authentication

All area 0 adjacencies should use MD5 hash and all non-area 0 adjacencies should use a clear-text password.

area authentication

message-digest
 (Optional) Enables Message Digest 5 (MD5) authentication on the area specified by the area-id argument.
 
Defaults
Type 0 authentication (no authentication)

ip ospf authentication-key

ip ospf authentication

The biggest pitfall in this task is that you need to remember that OSPF virtual-links are area 0 links (and will require md5 authentication in this task).  Don’t get thrown off by the fact that the virtual-link command shows the area that the link is transversing (i.e. ‘area 12virtual-link 150.1.2.2′) and think that you should apply the authentication method for that non-zero area.

3.6 Default Routing

You’re asked to inject a default route into the OSPF domain on r3 with this stipulation:

“In order to prevent the unnecessary forwarding of traffic that will eventually be dropped, ensure that r3 only advertises this default route if it has an active connection to either bb2 or bb3.”

I was completely lost on this task.  I knew that I needed to use ‘default-information originate’ to inject the default route, but I didn’t know how to make that route conditional.

This is one of those case where you can harvest some points from the DOC:

default-information originate (OSPF)

route-map map-name
 (Optional) Routing process will generate the default route if the route map is satisfied.

3.7 RIPv2

“r3 should not accept any routes from bb3 that have an odd number in the first octet.”

Sweet.  I’ll write an ACL and us an offset-list to poison those routes…..or not:

“Do not use a distribute-list or an offset-list to accomplish this.”

Shit.  What’s the third way?  I got stumped on this one and I really shouldn’t have been:

distance (IP)

r3#sh run | sec router rip|access-list
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1
 network 204.12.1.0
 distance 255 204.12.1.254 0.0.0.0 69
 no auto-summary
!
access-list 69 permit 1.0.0.0 254.255.255.255

Before:
r3(config)#do sh ip route rip
     31.0.0.0/16 is subnetted, 4 subnets
R       31.3.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       31.2.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       31.1.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       31.0.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1

     30.0.0.0/16 is subnetted, 4 subnets
R       30.2.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       30.3.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       30.0.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       30.1.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1

After:
r3#sh ip route rip
     30.0.0.0/16 is subnetted, 4 subnets
R       30.2.0.0 [120/1] via 204.12.1.254, 00:00:02, FastEthernet0/1
R       30.3.0.0 [120/1] via 204.12.1.254, 00:00:02, FastEthernet0/1
R       30.0.0.0 [120/1] via 204.12.1.254, 00:00:02, FastEthernet0/1
R       30.1.0.0 [120/1] via 204.12.1.254, 00:00:02, FastEthernet0/1

I’m not sure why IE redistributed r6’s lo0 into RIP.  The subtask states:

“Advertise r6’s loopback 0 into RIP.”

The IE solution shows the 150.1.0.0 network advertised under the RIP process as well as the loopback 0 interface redistributed (via connected) into RIP.  Strange. 

I’m not the only one confused by this: 

Task 3.7

3.8 IGP Redistribution

“Redistribute between OSPF and RIP on r3.”

This has to be the easiest IGP redistribution scenario yet.  I only have to deal with RIP and OSPF and

I’m tasked with mutual redistribution on a single device.  Of course there are these requirements:

“All routers in the OPSF domain should have a longer match for r6’s interface loopback 0.”
“No other routes should be redistributed from RIP to OSPF.”

Huh?

IE says that this means:

“…simply means that RIP should be redistributed into OSPF, but when RIP is redistributed into OPSF the only prefix the should be allowed is r6’s loopback 0 network.”

Lab 6 Task 3.8 IGP redistribution

Task 3.8

Rereading this task (after messing up my configuration) I understand it now.  The last subtask specifies that only r6’s loopback should be redistributed from RIP to OSPF.  This task was like an optical illusion to me.  Once I understood what they wanted, I couldn’t figure out how I had missed it before.  🙂 

I completely screwed this task up.  If I got this in the lab I would have failed for sure.

3.9 EIGRP

You’ll start seeing this message soon after your EIGRP adjacency comes up:

*Mar  5 08:49:19.600: IP-EIGRP(Default-IP-Routing-Table:10): Neighbor 54.1.2.254 not on common subnet for Serial0/0

“…configure r6 so that it does not accept any EIGRP packets on the Frame Relay interface except for those sent from BB1.”

Oh fun.  😦

You have to be careful when building your ACL so that you don’t break EIGRP. Don’t forget to add a permit at the end of your ACL:

ip access-list extended EIGRP_FILTER
 permit eigrp host 54.1.3.254 any
 deny   eigrp any any
 permit ip any any <-IMPORTANT!!!

3.10 VPN Routing

I nearly crapped myself when I saw ‘VPN’.  It turns out that this is a rather easy GRE tunnel task.

“As an additional integrity check ensure that any corrupt packets received on the VPN interface are discarded.”

tunnel checksum 
 

January 30, 2008

Internetwork Expert Volume II: Lab 6 – Section 2

WAN Technologies – 7 Points

2.1 Hub-and-Spoke

This was a simple Frame Relay Hub-and-Spoke configuration using physical interfaces and frame maps.  The only “twist” is the last subtask:

“Do not send any redundant broadcast traffic from the spokes to the hub.”

You only need to add the ‘broadcast’ keyword to the frame map to the hub router on the spokes:

r5(spoke):
interface Serial0/0
 ip address 191.17.125.5 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 191.17.125.1 501 broadcast <- to the hub
 frame-relay map ip 191.17.125.2 501
<-to other spoke
 no frame-relay inverse-arp

Also, IE has the interface up so Frame Relay Inverse ARP is already running:

r1(config-if)#do sh frame map
Serial0/0 (up): ip 191.17.125.2 dlci 102(0x66,0x1860), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ip 191.17.125.5 dlci 105(0x69,0x1890), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ip 191.17.34.3 dlci 103(0x67,0x1870), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ip 191.17.34.4 dlci 104(0x68,0x1880), dynamic,
              broadcast,, status defined, active

Use your favorite method to clear the dynamic Frame Relay mappings.  I ususally reload the routers.

2.2 Point-To-Point

“When r3 pings its own IP address, these packets should be sent to r4 and redirected back.”

This task was pretty easy for me because of all of the times that I have accidentally created a frame map with my local IP address instead of the far end IP address,  🙂

Before:
r3(config-if)#do sh run int s1/0
interface Serial1/0
 ip address 191.17.34.3 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 191.17.34.4 304 broadcast
 no frame-relay inverse-arp

r3(config-if)#do ping 191.17.34.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.17.34.3, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)

r3(config-if)#do sh ip route 191.17.34.3
Routing entry for 191.17.34.0/24
  Known via “connected”, distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Serial1/0
      Route metric is 0, traffic share count is 1

r3(config-if)#do sh frame map
Serial1/0 (up): ip 191.17.34.4 dlci 304(0x130,0x4C00), static,
              broadcast,
              CISCO, status defined, active

After:
r3(config-if)#int s1/0
r3(config-if)#frame map ip 191.17.34.3 304
r3(config-if)#do sh frame map
Serial1/0 (up): ip 191.17.34.3 dlci 304(0x130,0x4C00), static,
              CISCO, status defined, active
Serial1/0 (up): ip 191.17.34.4 dlci 304(0x130,0x4C00), static,
              broadcast,
              CISCO, status defined, active

r3(config-if)#do p 191.17.34.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.17.34.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5),
round-trip min/avg/max = 116/117/124 ms

2.3 Point-to-Point

“Configure the Frame Relay connection between r6 and bb1 using PVC 51 on r6’s main Serial interface.”
“Do not allow r6 to send Frame Relay Inverse-ARP requests on any other circuits assigned to this interface.”

While this task does not explicly tell you which method to use to map the IP address to the DLCI, the second subtask makes it sound like we are supposed to allow Frame Relay Inverse-ARP create our mapping on DLCI 51, but not the rest of the PVCs.

r6(config-if)#do sh frame pvc | i DLCI|Serial0/0
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 51, DLCI USAGE = LOCAL, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 101, DLCI USAGE = LOCAL, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 201, DLCI USAGE = UNUSED, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 301, DLCI USAGE = UNUSED, PVC STATUS = DELETED, INTERFACE = Serial0/0
DLCI = 401, DLCI USAGE = UNUSED, PVC STATUS = DELETED, INTERFACE = Serial0/0

r6(config-if)#no frame inverse-arp ip ?
  <16-1007>  Set DLCI for inverse ARP

  vc-bundle  vc-bundle

r6(config-if)#no frame inverse-arp ip 100
r6(config-if)#no frame inverse-arp ip 101
r6(config-if)#no frame inverse-arp ip 201
r6(config-if)#no frame inverse-arp ip 301
r6(config-if)#no frame inverse-arp ip 401

r6#sh frame map
Serial0/0 (up): ip 54.17.3.254 dlci 51(0x33,0xC30), dynamic
              broadcast,, status defined, active

2.4 PPP

An easy task asking you to configure header compression.  One twist:

“Allow for the maximum number of TCP sessions to be compressed over this link.”

ip tcp header-compression

ip tcp compression-connections

r1(config-if)#ip tcp ?
  adjust-mss               Adjust the mss of transit packets
  compression-connections  Maximum number of compressed connections
  header-compression       Enable TCP header compression

r1(config-if)#ip tcp compression-connections ?
  <1-256>  Number of connections

r1(config-if)#ip tcp compression-connections 256

r3#sh ip tcp header-compression
TCP/IP header compression statistics:
  Interface Serial1/2 (compression on, VJ)
    Rcvd:    0 total, 0 compressed, 0 errors, 0 status msgs
             0 dropped, 0 buffer copies, 0 buffer failures
    Sent:    0 total, 0 compressed, 0 status msgs, 0 not predicted
             0 bytes saved, 0 bytes sent
    Connect: 256 rx slots, 256 tx slots,
             0 misses, 0 collisions, 0 negative cache hits, 256 free contexts

January 29, 2008

Internetwork Expert Volume II: Lab 6 – Section 1

Bridging and Switching – 20 Points

1.1 Basic Configuration

This is the first lab that I’ve done where you need to set up two separate VTP domains.  I always create a Layer 2 map and it really helped out in this lab.  You’ll need to be mindful of which VTP server to create VLANs on when your building your Layer 2 network, especially with the caveat:

“VLANs should not be created within the VTP domain unnecessarily.”

1.2 Trunk Maintenance

“Ensure that the links between sw1, sw2, sw3, and sw4 will not attempt to automatically trunk using DTP.”

Depending on how you interpret this question, there are two methods you might use:

1) Put the ports into switchport mode dynamic auto (default setting on the 3560s).  This means that they will not form a trunk unless the other side of the link attempts to negotiate trunking.  This does NOT disable DTP.

switchport mode

int range fa0/13 – 21
 switchport mode dynamic auto

sw3(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

1) Hard-code the interfaces to trunk and disable DTP.  This means that you’ll need to choose a trunking encapsulation and you’ll need to shut down any links (on one side at least) that you do not want to form a trunk.  This is a little more sloppy, but it actually disables DTP.

switchport nonegotiate

int range fa0/13 – 21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

sw1(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

I went with option 1 (mostly because of task 1.3).

task 1.2 DTP

Be careful when applying your configuration with the interface range command as there are a couple of routed ports already configured:

sw1(config-if-range)#swit mode dyn auto
Command rejected: Fa0/14 not a switching port.
% Interface range command failed for FastEthernet0/14

sw1(config-if-range)#do sh run int fa0/14
interface FastEthernet0/14
 no switchport
 ip address 191.1.27.7 255.255.255.0
end

You’ll be alright as the routed ports will ignore the switchport commands (they are configured as “no switchport”).

1.3 Trunking

“Use dot1q encapsulation to configure the following trunks:”

You need to stop trunking of some vlans as well (read the requirements carefully).

sw1(config-if-range)#swit trunk all vlan except 7,77,777

I configured this on both sides of the trunks.  IE did not. 

Before changing VLAN allowed list:
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      none

After changing VLAN allowed list:
sw3(config-if)#swit trunk all vlan except 7,77,777
sw3(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-6,8-76,78-776,778-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1

1.4 Spanning-Tree

This was a great task.  You are asked to:

“Ensure sw1 is forwarding on all trunk liks for any active VLANs.
“If a new VLAN is added to the VTP domain NET12, sw1 should forward on all trunk links for the new VLAN.”

The first subtask means the you need to make sw1 the root bride.  Easy enough, but you need to specify a vlan range.  Since we’re asked to make sure that any VLANs added to our VTP domain use sw1 as the root, we need specify a range of VLANs that can be created via VTP.  VTP cannot add extended VLANs so our range should be 1-1000:

sw1(config)#spanning-tree vlan 1-1000 root primary

Hmmmm….IE used the range 1-4096 (range including extended VLANs).

Task 1.4 Spanning-Tree

I think that their rational is: 

IF we were to put sw1 and sw2 (the members of VTP domain NET12) into vtp transparent mode, we could create extended VLANs.  Those VLANs would technically be VLANs created in VTP domain NET12.  BUT we would need to break our VTP task in order to do this. 

Set sw1 and sw2 to VTP mode transparent:

sw1(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent
sw1(config)#do sh run | i prior
spanning-tree vlan 1-1000 priority 24576

sw2(config)#do sh vtp stat | i Oper
VTP Operating Mode              : Transparent

Add standard and extended vlan to sw1 and sw2:

sw1(config)#vlan 1000,1234
sw1(config-vlan)#exit

sw2(config)#vlan 1000,1234
sw2(config-vlan)#exit
sw2(config)#do sh sp v 1000

VLAN1000
  Spanning tree enabled protocol ieee
  Root ID    Priority    25576
             Address     0012.018f.d580  <-sw1 MAC
             Cost        19
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33768  (priority 32768 sys-id-ext 1000)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/13           Root FWD 19        128.15   P2p

sw2(config)#do sh sp v 1234

VLAN1234
  Spanning tree enabled protocol ieee
  Root ID    Priority    34002
             Address     0012.009c.ca00
             This bridge is the root 
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    34002  (priority 32768 sys-id-ext 1234)
             Address     0012.009c.ca00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/13           Desg FWD 19        128.15   P2p

I would definitely ask the proctor about this task.

1.5 Etherchannel

Easy trunking/etherchannel task.  Your VTP will now work for domain NET34.

1.6 Trunking

This was a bizarre task with VLANs between subinterfaces on a couple of routers.  I had this one nailed, but I spent a LONG time chasing my tail over a really basic issue.  😦

Be aware that VLAN45 is a /25 subnet.  You’ll also need to add VLAN 45 to the VTP domain.

Here’s where I lost my way:

“Configure trunking between r4, r5, sw3, and sw4 using the information provided in the diagram.”

r4#sh cdp neig | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            146         S I       WS-C3550- Fas 0/4
sw2              Fas 0/0            136         S I       WS-C3560- Fas 0/4

r4#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.4          191.1.4.4       YES NVRAM  up                    up
FastEthernet0/0.40         191.1.40.4      YES NVRAM  up                    up
FastEthernet0/0.45         191.1.45.4      YES NVRAM  up                    up
FastEthernet0/0.49         191.1.49.4      YES NVRAM  up                    up

I initially thought that the lab diagram was wrong.  Interface fa0/1 – not fa0/0 – is connected to sw4.  I was cursing IE and the routing gods for this colossal waste of time.  BUT….(as is so often the case) I WAS WRONG.  The diagram is right.  The question threw me off as it states that I need to configure trunking between sw3 and the other devices.  Some of the endpoints are on sw3, but some of these VLANs transverse sw2 (in VTP domain NET12) so I need to configure dot1q trunking on that switch (connected to r4) as well as add the VLANs to sw1 (the VTP server for the NET12 domain). 

I really blew it on this task.  If this were the actual lab, I would not only have failed, but I would have looked like an idiot in the process.

1.7 Layer 2 Tunneling

Basically tunnel from r4 fa0/1 to sw2 fa0/18.

r4#sh run int fa0/1
interface FastEthernet0/1
 ip address 191.1.48.4 255.255.255.0

sw2#sh run int fa0/18
interface FastEthernet0/18
 no switchport
 ip address 191.1.48.8 255.255.255.0

You will need to use a dot1-q tunnelling to accomplish this task.

switchport mode

dot1q-tunnel
Set the port as an IEEE 802.1Q tunnel port.

You’ll need to build your l2 tunnel across these ports:

r4#sh cdp neig fa0/1 | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            136         S I       WS-C3550- Fas 0/4

sw2#sh cdp neigh fa0/18 | b Device
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
sw3                 Fas 0/18              170            S I      WS-C3550-2 Fas0/18

The switch is kind enough to warn you of a pitfall:

sw4(config-if)#swit mode dot1q-tunnel
sw4(config-if)#
03:03:12: %DOT1Q_TUNNELLING-4-MTU_WARNING:
System MTU of 1500 might be insufficient for 802.1Q tunnelling.
802.1Q tunnelling requires system MTU size of 1504 to handle maximum size ethernet frames.

system mtu

I see a reload in my future:

sw4(config)#system mtu 1504
Changes to the System MTU will not take effect until the next reload is done.

Task 1.7 l2tunnel

r4#sh cdp neigh f0/1 | i sw2
sw2              Fas 0/1            169         S I       WS-C3560- Fas 0/18

sw2#sh cdp neigh fa0/18 | i r4
r4                  Fas 0/18              131           R S I     2651XM    Fas0/1

Sweet!!!

1.8 MAC Filtering

This was a pretty basic port-security task. 

switchport port-security

***  Update: Don’t use ‘sticky’ as I posted below.  These MAC addresses are NOT learned dynamically.  I did not remove this from my post just to show you how stupid I am sometimes.  🙂  *** 

I used the sticky option (“When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.”) but I would ask the proctor to clarify this.  IE did not use that option.

The only “twist” is the second subtask:

“In the case that other hosts try to access this port a syslog message should be sent to the server 191.1.7.100.”

First we have to change the switchport port-security from the default of shutdown:

violation
 (Optional) Set the security violation mode or the action to be taken if port security is violated. The default is shutdown.
 

Do I choose restrict or protect?  My CCNP knowledge has flowed out of my skull.  🙂

sw2(config-if)#swit port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode

  shutdown  Security violation shutdown mode

protect
Set the security violation protect mode. In this mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
 
restrict
Set the security violation restrict mode. In this mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

 
Restrict it is!!!

sw2#sh port-security int fa0/10
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 4
Configured MAC Addresses   : 4

Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

sw2#sh port-security int fa0/10 address
          Secure Mac Address Table
————————————————————————
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
—-    ———–       —-                     —–   ————-
  10    0050.7014.8ef0    SecureConfigured         Fa0/10       –
  10    00cd.144e.07bf    SecureConfigured         Fa0/10       –
  10    00d0.341c.7871    SecureConfigured         Fa0/10       –
  10    00d0.586e.b710    SecureConfigured         Fa0/10       –
————————————————————————
Total Addresses: 4

I wasted some time by looking for documentation on how to configure a syslog server.  DOH!!!

sw2(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host

1.9 Spanning-Tree Convergence

A wordy task tranlated to: portfast with bpdufilter.  Just be aware of the differences in bdpufilter based on whether you configure it at the interface level or globally:

sw2(config)#spanning-tree portfast bpdufilter default

Understanding BPDU Filtering

Task 1.9 SPT

The task requires that the port return to normal spanning tree forwarding if a BPDU is received.

There is a difference in the behaviour of bpdufilter depending on if it is configured at the interface level or globally.

When you configure bpdufilter on an interface it filters BPDU from being sent or received.

When you configure bpdufilter globally then all interfaces that run portfast will filter sent BPDU’s but will revert out of the portfast state if BPDU’s are received. This is the desired behaviour for this task.

The DocCD explains it like this:

“When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.”

Blog at WordPress.com.