Bridging and Switching – 20 Points
1.1 Basic Configuration
This is the first lab that I’ve done where you need to set up two separate VTP domains. I always create a Layer 2 map and it really helped out in this lab. You’ll need to be mindful of which VTP server to create VLANs on when you’re building your Layer 2 network, especially with the caveat:
“VLANs should not be created within the VTP domain unnecessarily.”
1.2 Trunk Maintenance
“Ensure that the links between sw1, sw2, sw3, and sw4 will not attempt to automatically trunk using DTP.”
Depending on how you interpret this question, there are two methods you might use:
1) Put the ports into switchport mode dynamic auto (default setting on the 3560s). This means that they will not form a trunk unless the other side of the link attempts to negotiate trunking. This does NOT disable DTP.
switchport mode
int range fa0/13 - 21
switchport mode dynamic auto
sw3(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
2) Hard-code the interfaces to trunk and disable DTP. This means that you’ll need to choose a trunking encapsulation and you’ll need to shut down any links (on one side at least) that you do not want to form a trunk. This is a little more sloppy, but it actually disables DTP.
switchport nonegotiate
int range fa0/13 - 21
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
sw1(config-if-range)#do sh int fa0/13 switchport
Name: Fa0/13
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
I went with option 1 (mostly because of task 1.3).
task 1.2 DTP
Be careful when applying your configuration with the interface range command as there are a couple of routed ports already configured:
sw1(config-if-range)#swit mode dyn auto
Command rejected: Fa0/14 not a switching port.
% Interface range command failed for FastEthernet0/14
sw1(config-if-range)#do sh run int fa0/14
interface FastEthernet0/14
no switchport
ip address 191.1.27.7 255.255.255.0
end
You’ll be alright as the routed ports will ignore the switchport commands (they are configured as “no switchport”).
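The difference between the two options above is easy to miss on a switch with a few dozen ports, so here is an added example (my own code, not from the lab or the post) that audits `show interfaces switchport` output and reports which ports still negotiate trunking. The sample text is constructed from the two outputs shown above plus a routed port; the classification names are my own.

```python
# Constructed sample: the dynamic auto port, a routed port (`no switchport`,
# which IOS reports as "Switchport: Disabled"), and the trunk+nonegotiate port.
SAMPLE_SWITCHPORT = """\
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Name: Fa0/14
Switchport: Disabled
Name: Fa0/15
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
"""


def parse_switchport(text):
    """Split `show interfaces switchport` output into one {field: value} dict per port."""
    ports = {}
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":                 # a new "Name:" line starts the next port
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def dtp_exposure(ports):
    """Classify each port as 'routed', 'dtp-on' (option 1: still negotiates)
    or 'dtp-off' (option 2: trunk with nonegotiate)."""
    result = {}
    for name, attrs in ports.items():
        if attrs.get("Switchport") == "Disabled":
            result[name] = "routed"        # DTP does not apply to a routed port
        elif attrs.get("Negotiation of Trunking") == "On":
            result[name] = "dtp-on"        # dynamic auto/desirable: DTP still running
        else:
            result[name] = "dtp-off"
    return result
```

Run it over the full `show interfaces switchport` output of each switch and only the "dtp-on" ports need a second look against the task wording.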
1.3 Trunking
“Use dot1q encapsulation to configure the following trunks:”
You need to stop trunking of some VLANs as well (read the requirements carefully).
sw1(config-if-range)#swit trunk all vlan except 7,77,777
I configured this on both sides of the trunks. IE did not.
Before changing VLAN allowed list:
sw3(config-if)#do sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      none
After changing VLAN allowed list:
sw3(config-if)#swit trunk all vlan except 7,77,777
sw3(config-if)#do sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-6,8-76,78-776,778-4094

Port        Vlans allowed and active in management domain
Fa0/13      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1
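The allowed-VLAN line that IOS prints after an `except` list is just the complement of the excluded VLANs compressed into ranges. As an added example (not from the post), here is that computation and its inverse, which is handy for verifying from `show interfaces trunk` output that the VLANs the task names really are off the trunk.

```python
def allowed_vlans_except(excluded, lo=1, hi=4094):
    """Render the allowed list the way `show interfaces trunk` shows it after
    `switchport trunk allowed vlan except <list>`: every VLAN in lo..hi that
    is not excluded, compressed into comma-separated ranges."""
    excluded = set(excluded)
    ranges = []
    start = None
    for v in range(lo, hi + 2):            # hi+1 acts as a sentinel to close the last range
        if v <= hi and v not in excluded:
            if start is None:
                start = v
        elif start is not None:
            end = v - 1
            ranges.append(str(start) if start == end else f"{start}-{end}")
            start = None
    return ",".join(ranges)


def parse_vlan_list(text):
    """Inverse: expand an IOS list such as '1-6,8-76' into a set of VLAN ids."""
    vlans = set()
    for part in text.split(","):
        a, _, b = part.partition("-")
        vlans.update(range(int(a), int(b or a) + 1))
    return vlans


def vlans_still_allowed(show_trunk_allowed, must_be_excluded):
    """Return the VLANs from must_be_excluded that an allowed list still carries."""
    return sorted(set(must_be_excluded) & parse_vlan_list(show_trunk_allowed))
```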
1.4 Spanning-Tree
This was a great task. You are asked to:
“Ensure sw1 is forwarding on all trunk links for any active VLANs.”
“If a new VLAN is added to the VTP domain NET12, sw1 should forward on all trunk links for the new VLAN.”
The first subtask means that you need to make sw1 the root bridge. Easy enough, but you need to specify a VLAN range. Since we’re asked to make sure that any VLANs added to our VTP domain use sw1 as the root, we need to specify a range of VLANs that can be created via VTP. VTP cannot add extended VLANs so our range should be 1-1000:
sw1(config)#spanning-tree vlan 1-1000 root primary
Hmmmm….IE used the range 1-4096 (range including extended VLANs).
Task 1.4 Spanning-Tree
I think that their rationale is:
IF we were to put sw1 and sw2 (the members of VTP domain NET12) into vtp transparent mode, we could create extended VLANs. Those VLANs would technically be VLANs created in VTP domain NET12. BUT we would need to break our VTP task in order to do this.
Set sw1 and sw2 to VTP mode transparent:
sw1(config)#do sh vtp stat | i Oper
VTP Operating Mode : Transparent
sw1(config)#do sh run | i prior
spanning-tree vlan 1-1000 priority 24576
sw2(config)#do sh vtp stat | i Oper
VTP Operating Mode : Transparent
Add standard and extended vlan to sw1 and sw2:
sw1(config)#vlan 1000,1234
sw1(config-vlan)#exit
sw2(config)#vlan 1000,1234
sw2(config-vlan)#exit
sw2(config)#do sh sp v 1000
VLAN1000
Spanning tree enabled protocol ieee
Root ID Priority 25576
Address 0012.018f.d580 <-sw1 MAC
Cost 19
Port 15 (FastEthernet0/13)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 33768 (priority 32768 sys-id-ext 1000)
Address 0012.009c.ca00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/13              Root FWD 19        128.15   P2p
sw2(config)#do sh sp v 1234
VLAN1234
Spanning tree enabled protocol ieee
Root ID Priority 34002
Address 0012.009c.ca00
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 34002 (priority 32768 sys-id-ext 1234)
Address 0012.009c.ca00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/13              Desg FWD 19        128.15   P2p
I would definitely ask the proctor about this task.
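The two `show spanning-tree` outputs above follow directly from how the extended system ID and the root election work, so here is an added example (my own, not from the post or the workbook) that reproduces them: bridge priority is the configured priority plus the VLAN number, the lowest priority wins, and a tie is broken by the lowest MAC address. The MACs and the `vlan 1-1000 priority 24576` line are the ones shown above; the default priority of 32768 for everything else is standard IOS behaviour.

```python
SW1_MAC = "0012.018f.d580"   # sw1, from the post
SW2_MAC = "0012.009c.ca00"   # sw2, from the post


def bridge_priority(configured, vlan):
    """Bridge ID priority as IOS displays it: configured priority (a multiple
    of 4096) plus the VLAN number carried in the extended system ID."""
    return configured + vlan


def mac_to_int(mac):
    """Turn dotted IOS notation (0012.018f.d580) into an integer for comparison."""
    return int(mac.replace(".", ""), 16)


def elect_root(bridges, vlan):
    """bridges: {name: (configured_priority, mac)}. Returns the root bridge:
    lowest bridge priority, then lowest MAC address as the tie-breaker."""
    return min(
        bridges,
        key=lambda n: (bridge_priority(bridges[n][0], vlan), mac_to_int(bridges[n][1])),
    )


def configured_priority(switch, vlan):
    """Only sw1 has `spanning-tree vlan 1-1000 priority 24576`; every other
    switch/VLAN sits at the IOS default of 32768."""
    if switch == "sw1" and 1 <= vlan <= 1000:
        return 24576
    return 32768


def root_for_vlan(vlan):
    """Who wins the root election between sw1 and sw2 for a given VLAN."""
    bridges = {
        "sw1": (configured_priority("sw1", vlan), SW1_MAC),
        "sw2": (configured_priority("sw2", vlan), SW2_MAC),
    }
    return elect_root(bridges, vlan)
```

For VLAN 1234 both bridges sit at 34002, so sw2 wins purely on its lower MAC address, which is exactly why the output above shows "This bridge is the root" on sw2.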
1.5 Etherchannel
Easy trunking/etherchannel task. Your VTP will now work for domain NET34.
1.6 Trunking
This was a bizarre task with VLANs between subinterfaces on a couple of routers. I had this one nailed, but I spent a LONG time chasing my tail over a really basic issue. 😦
Be aware that VLAN45 is a /25 subnet. You’ll also need to add VLAN 45 to the VTP domain.
Here’s where I lost my way:
“Configure trunking between r4, r5, sw3, and sw4 using the information provided in the diagram.”
r4#sh cdp neig | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
sw4              Fas 0/1            146         S I       WS-C3550- Fas 0/4
sw2              Fas 0/0            136         S I       WS-C3560- Fas 0/4
r4#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/0.4          191.1.4.4       YES NVRAM  up                    up
FastEthernet0/0.40         191.1.40.4      YES NVRAM  up                    up
FastEthernet0/0.45         191.1.45.4      YES NVRAM  up                    up
FastEthernet0/0.49         191.1.49.4      YES NVRAM  up                    up
I initially thought that the lab diagram was wrong. Interface fa0/1 – not fa0/0 – is connected to sw4. I was cursing IE and the routing gods for this colossal waste of time. BUT….(as is so often the case) I WAS WRONG. The diagram is right. The question threw me off as it states that I need to configure trunking between sw3 and the other devices. Some of the endpoints are on sw3, but some of these VLANs traverse sw2 (in VTP domain NET12) so I need to configure dot1q trunking on that switch (connected to r4) as well as add the VLANs to sw1 (the VTP server for the NET12 domain).
I really blew it on this task. If this were the actual lab, I would not only have failed, but I would have looked like an idiot in the process.
1.7 Layer 2 Tunneling
Basically tunnel from r4 fa0/1 to sw2 fa0/18.
r4#sh run int fa0/1
interface FastEthernet0/1
ip address 191.1.48.4 255.255.255.0
sw2#sh run int fa0/18
interface FastEthernet0/18
no switchport
ip address 191.1.48.8 255.255.255.0
You will need to use dot1q tunnelling to accomplish this task.
switchport mode dot1q-tunnel
Set the port as an IEEE 802.1Q tunnel port.
You’ll need to build your l2 tunnel across these ports:
r4#sh cdp neig fa0/1 | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform   Port ID
sw4              Fas 0/1            136         S I       WS-C3550-  Fas 0/4
sw2#sh cdp neigh fa0/18 | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform   Port ID
sw3              Fas 0/18           170         S I       WS-C3550-2 Fas0/18
The switch is kind enough to warn you of a pitfall:
sw4(config-if)#swit mode dot1q-tunnel
sw4(config-if)#
03:03:12: %DOT1Q_TUNNELLING-4-MTU_WARNING:
System MTU of 1500 might be insufficient for 802.1Q tunnelling.
802.1Q tunnelling requires system MTU size of 1504 to handle maximum size ethernet frames.
system mtu
I see a reload in my future:
sw4(config)#system mtu 1504
Changes to the System MTU will not take effect until the next reload is done.
Task 1.7 l2tunnel
r4#sh cdp neigh f0/1 | i sw2
sw2 Fas 0/1 169 S I WS-C3560- Fas 0/18
sw2#sh cdp neigh fa0/18 | i r4
r4 Fas 0/18 131 R S I 2651XM Fas0/1
Sweet!!!
1.8 MAC Filtering
This was a pretty basic port-security task.
switchport port-security
*** Update: Don’t use ‘sticky’ as I posted below. These MAC addresses are NOT learned dynamically. I did not remove this from my post just to show you how stupid I am sometimes. 🙂 ***
I used the sticky option (“When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.”) but I would ask the proctor to clarify this. IE did not use that option.
The only “twist” is the second subtask:
“In the case that other hosts try to access this port a syslog message should be sent to the server 191.1.7.100.”
First we have to change the switchport port-security from the default of shutdown:
violation
(Optional) Set the security violation mode or the action to be taken if port security is violated. The default is shutdown.
Do I choose restrict or protect? My CCNP knowledge has flowed out of my skull. 🙂
sw2(config-if)#swit port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
protect
Set the security violation protect mode. In this mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
restrict
Set the security violation restrict mode. In this mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
Restrict it is!!!
sw2#sh port-security int fa0/10
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 4
Configured MAC Addresses : 4
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
sw2#sh port-security int fa0/10 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0050.7014.8ef0    SecureConfigured              Fa0/10       -
  10    00cd.144e.07bf    SecureConfigured              Fa0/10       -
  10    00d0.341c.7871    SecureConfigured              Fa0/10       -
  10    00d0.586e.b710    SecureConfigured              Fa0/10       -
------------------------------------------------------------------------
Total Addresses: 4
I wasted some time by looking for documentation on how to configure a syslog server. DOH!!!
sw2(config)#logging ?
Hostname or A.B.C.D IP address of the logging host
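Whether a port will actually tell you about an unknown host comes down to a handful of fields in `show port-security interface`, so here is an added example (my own code, not from the post) that parses that output and checks it against this task's requirement: protect mode drops silently, restrict and shutdown both log; sticky learning would let an unknown host become a secure address; and none of it applies until port security is enabled on the port. The sample is the output shown above; the finding texts are my own.

```python
# Sample taken from the `show port-security int fa0/10` output above.
SAMPLE_PORT_SECURITY = """\
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 4
Configured MAC Addresses : 4
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""


def parse_port_security(text):
    """Parse 'Field : value' lines; split on the LAST ' : ' so the field
    'Last Source Address:Vlan' keeps its own colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.rpartition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_port_security(fields):
    """Return findings relevant to 'unknown hosts must generate a syslog message'."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security not enabled: violation mode has no effect yet")
    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("violation mode protect: drops silently, no syslog/SNMP")
    if int(fields.get("Sticky MAC Addresses", "0")) > 0:
        findings.append("sticky addresses present: an unknown host may have been learned as secure")
    if fields.get("Configured MAC Addresses") != fields.get("Maximum MAC Addresses"):
        findings.append("configured count below maximum: spare slots can be filled dynamically")
    if int(fields.get("Security Violation Count", "0")) > 0:
        findings.append("violations already recorded on this port")
    return findings
```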
1.9 Spanning-Tree Convergence
A wordy task translated to: portfast with bpdufilter. Just be aware of the differences in bpdufilter based on whether you configure it at the interface level or globally:
sw2(config)#spanning-tree portfast bpdufilter default
Understanding BPDU Filtering
Task 1.9 SPT
The task requires that the port return to normal spanning tree forwarding if a BPDU is received.
There is a difference in the behaviour of bpdufilter depending on if it is configured at the interface level or globally.
When you configure bpdufilter on an interface it filters BPDU from being sent or received.
When you configure bpdufilter globally, all interfaces that run portfast will filter sent BPDUs but will revert out of the portfast state if BPDUs are received. This is the desired behaviour for this task.
The DocCD explains it like this:
“When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.
You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.”