7/31/2019 14[1]. BCMSN Lab Workbook
1/23
The Bryant Advantage BCMSN Lab Workbook
Chris Bryant, CCIE #12933 www.thebryantadvantage.com
BCMSN Lab Workbook
Overview
Connecting And Navigating To Your Pod
VLAN, VTP, And Trunking
STP
General Switch Commands
HSRP
Switch Security
SPAN
Multilayer Switch Commands
One Final Bonus Command
C:\> telnet
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet> open 100.100.100.100 (put the IP address you were sent in email in place of the 100.100.100.100)
User Access Verification
Username:
Password:
OR:
C:\>telnet 100.100.100.100
User Access Verification
Username:
Password:
User Access Verification
Password:
THE_BRYANT_ADVANTAGE_15x#
THE_BRYANT_ADVANTAGE_16x#clear line 01
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 02
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 03
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 04
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 05
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#
THE_BRYANT_ADVANTAGE_16x#r1
Trying R1 (100.1.1.1, 2001)... Open
R1#
R1# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#r2
Trying R2 (100.1.1.1, 2002)... Open
R2# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#r3
Trying R3 (100.1.1.1, 2003)... Open
R3# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#sw1
Trying SW1 (100.1.1.1, 2004)... Open
sw1# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#sw2
Trying SW2 (100.1.1.1, 2005)... Open
sw2# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#
THE_BRYANT_ADVANTAGE_16x#1
[Resuming connection 1 to r1 ... ]
R1#
THE_BRYANT_ADVANTAGE_16x#2
[Resuming connection 2 to r2 ... ]
R2#
THE_BRYANT_ADVANTAGE_16x#3
[Resuming connection 3 to r3 ... ]
R3#
THE_BRYANT_ADVANTAGE_16x#4
[Resuming connection 4 to sw1 ... ]
sw1#
THE_BRYANT_ADVANTAGE_16x#5
[Resuming connection 5 to sw2 ... ]
sw2#
THE_BRYANT_ADVANTAGE_16x#
VLANs, VTP, and Trunks
Verify the trunk between SW1 and SW2 with show interface trunk.
SW1#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 desirable 802.1q trunking 1
Fa0/12 desirable 802.1q trunking 1
Create the VTP domain CCNP on SW1. Run show vtp status on SW1 and SW2 to verify.
SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW1#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : CCNP
SW2#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : CCNP
On SW2, change the trunking mode on fast 0/11 and fast 0/12 to dynamic auto, then to unconditional trunking. Note that the trunk doesn't come down.
SW2(config)#int fast 0/11
SW2(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally
SW2(config-if)#switchport mode dynamic auto
SW2(config-if)#switchport mode trunk
SW2(config)#int fast 0/12
SW2(config-if)#switchport mode trunk
Both switches will be VTP servers, so create VLAN 32 on either one. Run show vlan brief to verify.
SW2(config)#vlan 32
SW2#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
32   VLAN0032                         active
Change the native VLAN to VLAN 32 with the switchport trunk native vlan 32 command. You'll need to configure this on fast 0/11 and fast 0/12 on both switches. Be prepared for the trunk to come down during the process.
SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk native vlan 32
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport trunk native vlan 32
SW2(config)#int fast 0/11
SW2(config-if)#switchport trunk native vlan 32
SW2(config-if)#int fast 0/12
SW2(config-if)#switchport trunk native vlan 32
Run show interface trunk on both switches to ensure that the trunk is up and that the native VLAN was successfully changed. (This is going to sound strange, but get into the habit of checking both switches with show interface trunk. Every once in a while, you'll get a response to this command on one switch that doesn't match up to the other switch's response.)
SW2#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 on 802.1q trunking 32
Fa0/12 desirable 802.1q trunking 32
SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 desirable 802.1q trunking 32
Fa0/12 desirable 802.1q trunking 32
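To make that check-both-switches habit mechanical, here is an added Python example (not from the workbook) that parses show interface trunk from each end and reports native VLAN mismatches, ports still negotiating with DTP, and allowed-list differences. The sample outputs are constructed from the workbook's own sessions, and the check assumes Fa0/11 and Fa0/12 are cabled to the ports of the same name on the other switch.

```python
import re
from dataclasses import dataclass

# Constructed sample output, modelled on the workbook's SW1/SW2 sessions:
# SW1 has been set back to native VLAN 1 and excludes VLAN 1000, while SW2
# still carries native VLAN 32 and still negotiates Fa0/12 with DTP.
SW1_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    on           802.1q         trunking      1
Fa0/12    on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/11    1-999,1001-4094
Fa0/12    1-999,1001-4094
"""

SW2_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    on           802.1q         trunking      32
Fa0/12    desirable    802.1q         trunking      32

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094
"""


@dataclass(frozen=True)
class Trunk:
    port: str
    mode: str           # on / desirable / auto, as printed in the Mode column
    native: int         # native VLAN carried untagged on the trunk
    allowed: frozenset  # VLAN IDs permitted on the trunk


def expand_vlan_list(spec: str) -> frozenset:
    """Expand IOS range syntax such as '1-999,1001-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)


# Row of the first table: Port Mode Encapsulation Status Native-vlan
MODE_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
# Row of the second table: Port Vlans-allowed-on-trunk
ALLOWED_ROW = re.compile(r"^(\S+)\s+([\d,\-]+)\s*$")


def parse_show_trunk(text: str) -> dict:
    """Return {port: Trunk} from the two tables printed by `show interface trunk`."""
    modes, allowed = {}, {}
    for line in text.splitlines():
        m = MODE_ROW.match(line)
        if m:
            port, mode, _encap, _status, native = m.groups()
            modes[port] = (mode, int(native))
            continue
        m = ALLOWED_ROW.match(line)
        if m:
            allowed[m.group(1)] = expand_vlan_list(m.group(2))
    return {p: Trunk(p, mode, native, allowed.get(p, frozenset()))
            for p, (mode, native) in modes.items()}


def audit_trunks(local: dict, remote: dict) -> list:
    """Compare both ends of every trunk. Assumes each trunk port is cabled to the
    port of the same name on the other switch (Fa0/11 <-> Fa0/11, as in the pod)."""
    findings = []
    for port, a in sorted(local.items()):
        b = remote.get(port)
        if b is None:
            findings.append(f"{port}: trunking on the local switch only")
            continue
        if a.native != b.native:
            # Same (local), (remote) order as the %CDP-4-NATIVE_VLAN_MISMATCH message
            findings.append(f"{port}: native VLAN mismatch ({a.native}), remote ({b.native})")
        for side, t in (("local", a), ("remote", b)):
            if t.mode != "on":
                findings.append(f"{port}: {side} end still negotiates with DTP (mode {t.mode})")
        if a.allowed != b.allowed:
            findings.append(f"{port}: allowed VLAN lists differ")
    return findings


if __name__ == "__main__":
    for finding in audit_trunks(parse_show_trunk(SW1_TRUNK), parse_show_trunk(SW2_TRUNK)):
        print(finding)
```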
On SW1, disable Dynamic Trunking Protocol (DTP) on both fast 0/11 and 0/12.
SW1(config)#int fast 0/11
SW1(config-if)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport nonegotiate
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport nonegotiate
As you quickly noticed, you can't turn DTP off when the port is in any dynamic state. Making the port an unconditional trunk port with switchport mode trunk allowed us to turn DTP off.
Prevent traffic for VLAN 1000 from being sent over fast 0/11 and 0/12 on SW1 and SW2 with the switchport trunk allowed vlan command. Verify with show interface trunk.
SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk allowed vlan except 1000
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport trunk allowed vlan except 1000
SW1#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 on 802.1q trunking 32
Fa0/12 on 802.1q trunking 32
Port Vlans allowed on trunk
Fa0/11 1-999,1001-4094
Fa0/12 1-999,1001-4094
Add the VLANs right back with the same command. Verify again with show interface trunk.
SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk allowed vlan add 1000
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport trunk allowed vlan add 1000
Feel free to experiment with this command - add, remove, and the other options. The more you use it, the better you'll be with it on the exam.
Run show vtp status on both switches and note the configuration revision number.
SW1#show vtp status
VTP Version : 2
Configuration Revision : 1
SW2#show vtp status
VTP Version : 2
Configuration Revision : 1
On SW2, delete VLAN 32. Run show vlan brief on SW2 to verify, then show vtp status to note the configuration revision number.
SW2#show vtp status
VTP Version : 2
Configuration Revision : 2
The revision number moved up to 2, as expected. Run both commands on SW1 as well.
SW1#show vtp status
VTP Version : 2
Configuration Revision : 2
Since we just deleted our native VLAN, it would be a good idea to set that value back to VLAN 1! On SW1, use the switchport trunk native vlan command to do so. Be prepared to see an error message such as the one seen below.
SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk native vlan 1
SW1(config)#int fast 0/12
SW1(config-if)#switchport trunk native vlan 1
05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
FastEthernet0/11 (1), with SW2 FastEthernet0/11 (32).
05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
FastEthernet0/12 (1), with SW2 FastEthernet0/12 (32).
The numbers in the parens can be very helpful if you don't spot the problem right away. The first paren is the native VLAN according to the local switch port, and the second paren is the native VLAN according to the remote switch port.
On SW2, use the no switchport trunk native vlan 32 command on both trunk ports. Run show interface trunk to verify the trunk is up and running.
SW2(config)#int fast 0/12
SW2(config-if)#no switchport trunk native vlan 32
SW2(config-if)#int fast 0/11
SW2(config-if)#no switchport trunk native vlan 32
SW2#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 on 802.1q trunking 1
Fa0/12 on 802.1q trunking 1
The trunk is up and the native VLAN has reverted back to VLAN 1.
Put SW2 into VTP Client mode and try to create a VLAN on it.
SW2(config)#vtp mode client
Setting device to VTP CLIENT mode.
SW2(config)#vlan 50
VTP VLAN configuration not allowed when device is in CLIENT mode.
Just one more reminder about that little fact. :) Put the switch back into server mode.
SW2(config)#vtp mode server
Setting device to VTP SERVER mode
On SW2, enable VTP pruning. Then check on SW1 and see if pruning shows as enabled on that switch as well.
SW2(config)#vtp pruning
Pruning switched on
SW1#show vtp status
VTP Version : 2
Configuration Revision : 4
Maximum VLANs supported locally : 64
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : CCNP
VTP Pruning Mode : Enabled
To finish this section, let's get some practice in with the interface range command. I can't stress this enough - this command can save you a lot of time on Cisco exams as well as when working on production networks. I urge you to get some practice in with this command and be comfortable with it.
Configure ports 0/8 - 10 on both switches with the interface range command. Enable portfast on all three ports, set the speed to 100 MBPS, and the duplex to full.
SW1(config)#interface range fast 0/8 - 10
SW1(config-if-range)#spanning portfast
SW1(config-if-range)#speed 100
SW1(config-if-range)#duplex full
SW2(config)#interface range fast 0/8 - 10
SW2(config-if-range)#spanning portfast
SW2(config-if-range)#speed 100
SW2(config-if-range)#duplex full
Spanning Tree Protocol
Keep in mind that the MAC addresses you see in this lab are NOT necessarily going to be the ones you see during your time on my racks, and they won't be the same ones you have in your home lab. When we're going back and forth between root bridges in this exercise, they won't necessarily be the same ones that are the root bridges when you run the labs.
Run show spanning-tree vlan 1 on both switches and identify the root.
SW1#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000e.d7f5.a040
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
On the nonroot bridge, run show spanning vlan 1 and note the port costs.
SW2#show spanning vlan 1
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11 Root FWD 19 128.11 P2p
Fa0/12 Altn BLK 19 128.12 P2p
We'll now change the root port cost of fast 0/12 with the spanning cost command. Change this cost to 15, then run show spanning vlan 1 again.
SW2(config)#int fast 0/12
SW2(config-if)#spanning-tree cost 15
SW2#show spanning vlan 1
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11 Root BLK 19 128.11 P2p
Fa0/12 Altn LIS 15 128.12 P2p
The root port selection has changed because fast 0/12's port cost is now less than 0/11. Fast 0/11 goes into blocking mode and 0/12 will go through the STP port states until it reaches the Forwarding state.
Change the STP timers on the root bridge.
SW1(config)#spanning vlan 1 hello 5
SW1(config)#spanning vlan 1 forward-time 12
SW1(config)#spanning vlan 1 max-age 15
On SW2, run show spanning vlan 1. Note that the timers changed under Root ID, but not Bridge ID. The local switch's settings are under Bridge ID, but it's the timer values announced by the Root Bridge that are the ones being used.
SW2#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000e.d7f5.a040
Cost 15
Port 12 (FastEthernet0/12)
Hello Time 5 sec Max Age 15 sec Forward Delay 12 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000f.90e2.14c0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Make the nonroot bridge the root bridge for VLAN 1 with spanning-tree vlan 1 root primary. Run show spanning vlan 1 to verify.
SW2(config)#spanning-tree vlan 1 root primary
SW2#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 000f.90e2.14c0
This bridge is the root
Make the new nonroot bridge the root bridge again with the spanning-tree vlan 1 priority command. Set the priority to 10000.
SW1(config)#spanning-tree vlan 1 priority 10000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
0 4096 8192 12288 16384 20480 24576 28672
32768 36864 40960 45056 49152 53248 57344 61440
In that case, make it 8192. ;) Verify with show spanning vlan 1.
SW1(config)#spanning-tree vlan 1 priority 8192
SW1#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 8193
Address 000e.d7f5.a040
This bridge is the root
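An added Python example (not from the workbook) showing the bridge ID arithmetic behind the output above: the priority field is the configured priority plus the VLAN ID (sys-id-ext), root primary configures 24576 or 4096 below the current root, and the lowest (priority, MAC) pair wins the election. The MACs and priorities are the ones printed in the sessions above; the root-port tie-break assumes, as in this pod, that both uplinks terminate on the same neighbour.

```python
ALLOWED_PRIORITIES = range(0, 61441, 4096)   # 0, 4096, ... 61440, as IOS lists them


def bridge_priority(configured: int, vlan: int) -> int:
    """Priority field of the bridge ID: configured priority + sys-id-ext (the VLAN ID).
    This is why 32768 shows as 32769 and 8192 as 8193 for VLAN 1."""
    if configured not in ALLOWED_PRIORITIES:
        raise ValueError("% Bridge Priority must be in increments of 4096.")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return configured + vlan


def mac_to_int(mac: str) -> int:
    """'000e.d7f5.a040' -> integer, so MACs compare the way STP compares them."""
    return int(mac.replace(".", ""), 16)


def elect_root(bridges: dict, vlan: int) -> str:
    """bridges maps name -> [configured priority, MAC]. The lowest bridge ID wins:
    lowest priority field first, lowest MAC address as the tie-breaker."""
    return min(bridges, key=lambda n: (bridge_priority(bridges[n][0], vlan),
                                       mac_to_int(bridges[n][1])))


def root_primary_priority(current_root_priority: int) -> int:
    """What `spanning-tree vlan N root primary` configures: 24576 if that already
    beats the current root, otherwise 4096 below the current root's configured
    priority (the documented behaviour of the IOS macro)."""
    if current_root_priority > 24576:
        return 24576
    return max(current_root_priority - 4096, 0)


def choose_root_port(ports: dict) -> str:
    """ports maps local port -> (cost, 'prio.nbr'). Lowest root path cost wins; the
    tie-break used here is the port priority.number, which is valid for the pod
    because both uplinks land on the same neighbour with matching port numbers."""
    def key(port):
        cost, prio_nbr = ports[port]
        prio, nbr = (int(x) for x in prio_nbr.split("."))
        return (cost, prio, nbr)
    return min(ports, key=key)


def replay_workbook() -> list:
    """Root bridge for VLAN 1 after each step of the STP exercise above."""
    bridges = {"SW1": [32768, "000e.d7f5.a040"], "SW2": [32768, "000f.90e2.14c0"]}
    history = [elect_root(bridges, 1)]                            # defaults: lower MAC wins
    bridges["SW2"][0] = root_primary_priority(bridges["SW1"][0])  # root primary on SW2
    history.append(elect_root(bridges, 1))
    bridges["SW1"][0] = 8192                                      # priority 8192 on SW1
    history.append(elect_root(bridges, 1))
    return history


if __name__ == "__main__":
    print("root after each step:", replay_workbook())
    print("root port on SW2:", choose_root_port({"Fa0/11": (19, "128.11"),
                                                 "Fa0/12": (15, "128.12")}))
```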
Place port 0/5 on SW1 into Portfast. By now, you know what you'll see! BUT... there's another Portfast option that we'll look at when we come to the end of this lab workbook.
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/5 but will only
have effect when the interface is in a non-trunking mode.
Enable Uplinkfast on each switch. Do the same for Backbonefast. Remember, in production networks (and the exam), Uplinkfast is best suited for wiring-closet switches, and Backbonefast should be configured on all switches in the network.
SW1(config)#spanning uplinkfast
SW2(config)#spanning uplinkfast
SW1(config)#spanning backbonefast
SW2(config)#spanning backbonefast
Assume that a third switch will be added to SW2's fast 0/7 port, and this switch must not become the root bridge. Configure Root Guard on this port to meet that requirement.
SW2(config)#int fast 0/7
SW2(config-if)#spanning-tree guard root
On SW1, fast 0/5 has already been configured with Portfast. Just to make sure a switch doesn't get connected to that port, configure BPDU Guard on fast 0/5. This port will now shut down if a BPDU is received on it.
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree bpduguard
% Incomplete command.
SW1(config-if)#spanning-tree bpduguard ?
disable Disable BPDU guard for this interface
enable Enable BPDU guard for this interface
SW1(config-if)#spanning-tree bpduguard enable
Enable aggressive UDLD globally on both switches.
SW1(config)#udld aggressive
SW2(config)#udld aggressive
On both switches, run show spanning-tree summary. This command doesn't get mentioned often, but once you've got some STP features running, it's a good command to know. You can see that SW2 isn't the root bridge for any VLAN, and you can also see what features are and are not enabled on this switch.
SW2#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is enabled
BackboneFast is enabled
Pathcost method used is short

Name       Blocking Listening Learning Forwarding STP Active
VLAN0001          1         0        0          1          2
VLAN0080          1         0        0          1          2
2 vlans           2         0        0          2          4
Since Loop Guard isn't configured on this switch, let's do so on port 0/1.
SW2(config)#interface fast 0/1
SW2(config-if)#spanning-tree guard loop
Run show spanning summary again and you'll see "Loopguard" is enabled, and the word "default" is gone. When you see default next to a value in this command, you know that it's running at the default.
General Switch Commands
On SW2, configure the switch to autorecover from all port err-disabled conditions with the errdisable recovery cause command. Before selecting "all" as the option, use IOS Help to look at the other options. As you can see, there are a lot of different ways for a port to go into err-disabled state! Set the duration of the err-disabled state to 300 seconds.
SW2(config)#errdisable recovery cause all
SW2(config)#errdisable recovery interval ?
timer-interval(sec)
SW2(config)#errdisable recovery interval 300
Create an Etherchannel over ports fast 0/11 and 0/12 on each switch.
Use PAgP auto mode on SW1 and PAgP desirable on SW2. Be prepared for quite a few "line protocol down" and "line protocol up" messages while you're building the EC.
SW1(config)#int fast 0/11
SW1(config-if)#channel-group 1 mode auto
Creating a port-channel interface Port-channel 1
SW1(config-if)#int fast 0/12
SW1(config-if)#channel-group 1 mode auto
SW2(config)#int fast 0/11
SW2(config-if)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
SW2(config-if)#int fast 0/12
SW2(config-if)#channel-group 1 mode desirable
Verify the EC with show interface trunk. If you don't see anything, check each physical port with show interface fast 0/x and see if the port was placed into err-disabled state during the EC configuration. If so, simply open the interface manually.
SW2#show interface trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
For further verification, run show interface port-channel 1. Note the defaults for the speed and duplex. (It's out of the scope of the BCMSN exam, but when an EC is configured on a multilayer switch, it can be made a Layer 3 EC and have an IP address assigned.)
SW2#show interface port-channel 1
Port-channel1 is up, line protocol is up (connected)
Hardware is EtherChannel, address is 000f.90e2.14cb (bia 000f.90e2.14cb)
MTU 1500 bytes, BW 200000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Full-duplex, 100Mb/s
Hot Standby Routing Protocol
The following lab can be run on routers or switches, and in my racks we're going to run HSRP on R2 and R3. R2's Serial0 interface line protocol must be up as well, so you'll need to bring the Frame Relay interfaces up on R1, R2, and R3. The Frame Relay switch in my labs is preconfigured, so you'll only need to apply the following commands on the routers:
R1:
interface serial0
ip address 172.12.123.1 255.255.255.0
encap frame
no frame inverse
frame map ip 172.12.123.2 122 broadcast
frame map ip 172.12.123.3 123 broadcast
R2:
interface serial0
ip address 172.12.123.2 255.255.255.0
encap frame
no frame inverse
frame map ip 172.12.123.1 221 broadcast
frame map ip 172.12.123.3 221
R3:
interface serial0
ip address 172.12.123.3 255.255.255.0
encap frame
no frame inverse
frame map ip 172.12.123.1 321 broadcast
frame map ip 172.12.123.2 321
Don't forget to open the interfaces!
All interfaces should be able to ping each other. The important thing is that R2's Serial0 line protocol is up.
R2 and R3 are also connected via an Ethernet segment. Configure 172.12.23.2 /24 on R2's e0 interface and 172.12.23.3 /24 on R3's e0 interface. Both ports should be in the same VLAN and pings should be successful between the two routers over that interface.
Configure R2 and R3 to use 172.12.23.10 as the IP address of the virtual router. On R2, run show standby to view the HSRP details. If the router isn't in Active or Standby state yet, give it half a minute and run it again.
R2(config)#int e0
R2(config-if)#standby 1 ip 172.12.23.10
R3(config)#int e0
R3(config-if)#standby 1 ip 172.12.23.10
R2#show standby
Ethernet0 - Group 1
Local state is Standby, priority 100
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.170
Virtual IP address is 172.12.23.10 configured
Active router is 172.12.23.3, priority 100 expires in 7.452
Standby router is local
1 state changes, last state change 00:01:07
IP redundancy name is "hsrp-Et0-1" (default)
R2 is the standby, R3 the Active router. Configure R2 as the Active by setting its priority to 105. Verify with show standby.
R2(config)#int e0
R2(config-if)#standby 1 priority 105
R2#show standby
Ethernet0 - Group 1
Local state is Standby, priority 105
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.832
Virtual IP address is 172.12.23.10 configured
Active router is 172.12.23.3, priority 100 expires in 8.340
Standby router is local
1 state changes, last state change 00:02:40
IP redundancy name is "hsrp-Et0-1" (default)
R2's priority is now higher than R3's, but it's not the Active router. For R2 to become the Active while the current Active router is still online, the preempt option must be configured. Depending on the IOS version, the preempt will either be set at the end of the priority command, or on a line of its own.
R2(config)#int e0
R2(config-if)#standby 1 preempt
07:55:25: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active
We see a message that the local router has gone from Standby to Active,but always verify. Trust, but verify - and we do that with show standby.
R2#show standby
Ethernet0 - Group 1
Local state is Active, priority 105, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 2.394
Virtual IP address is 172.12.23.10 configured
Active router is local
Standby router is 172.12.23.3, priority 100 expires in 7.428
Virtual mac address is 0000.0c07.ac01
2 state changes, last state change 00:00:56
IP redundancy name is "hsrp-Et0-1" (default)
R2 is now the Active router.
Change the MAC address of the virtual router to aa-aa-aa-aa-aa-aa with the standby mac-address command. Verify with show standby.
R2(config)#int e0
R2(config-if)#standby 1 mac-address aaaa.aaaa.aaaa
07:57:57: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Active -> Learn
07:58:09: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Listen -> Active
R2#show standby
Ethernet0 - Group 1
Local state is Active, priority 105, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.800
Virtual IP address is 172.12.23.10 configured
Active router is local
Standby router is 172.12.23.3, priority 100 expires in 9.068
Virtual mac address is aaaa.aaaa.aaaa configured
4 state changes, last state change 00:00:10
IP redundancy name is "hsrp-Et0-1" (default)
Notice the word "configured" next to the MAC address in show standby. That indicates that this particular MAC address was statically configured.
We'll now configure HSRP interface tracking. If the line protocol on R2's Serial0 goes down, we want R3 to become the Active router, since its serial line will still be up.
R2's priority is 105, and R3's is 100. Since the default priority decrement with interface tracking is 10, we'll leave the default in place. If we wanted to change the decrement, that value is placed at the end of the standby track command.
R2(config-if)#standby 1 track serial0
R2(config-if)#standby 1 track serial0 ?
Priority decrement
R2(config-if)#standby 1 track serial0
To test the configuration, R2's Serial0 interface will be shut down. After shutting that port down, run show standby to see the results.
R2(config-if)#int s0
R2(config-if)#shut
R2#show standby
Ethernet0 - Group 1
Local state is Active, priority 95 (confgd 105), may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 2.506
Virtual IP address is 172.12.23.10 configured
Active router is local
Standby router is 172.12.23.3, priority 100 expires in 7.736
Virtual mac address is aaaa.aaaa.aaaa configured
4 state changes, last state change 00:06:36
IP redundancy name is "hsrp-Et0-1" (default)
Priority tracking 1 interface, 0 up:
Interface Decrement State
Serial0 10 Down (administratively down)
The priority did go down, and the priority tracking even shows how the line went down! But this router is still the Active router, even though its priority decremented to 95. Why?
Because R3 needs the HSRP preempt option configured on it as well. A router can't take over from an Active router that's up unless the preempt option is configured.
R3(config)#int e0
R3(config-if)#standby 1 preempt
R3(config-if)#
08:06:22: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active
Within seconds, R3 becomes the Active router, verifying interface tracking.
What happens when R2's Serial0 line protocol comes back up? Open it and see!
R2(config)#int s0
R2(config-if)#no shut
08:08:18: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active
08:08:18: %SYS-5-CONFIG_I: Configured from console by console
08:08:19: %LINK-3-UPDOWN: Interface Serial0, changed state to up
08:08:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
Just that quickly, R2 becomes the Active router again, since its priority incremented by 10 when the line protocol came up.
Watch that preempt option! ;)
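An added Python example (not from the workbook) that replays the HSRP exercise above step by step: priority, preempt and interface tracking are modelled so that a higher priority alone never takes the Active role from a router that is still sending hellos. Router names, addresses, priorities and the tracking decrement are the workbook's.

```python
from dataclasses import dataclass, field
from typing import Optional


def ip_to_int(ip: str) -> int:
    """Dotted quad -> integer; HSRP breaks priority ties on the higher IP address."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class HsrpRouter:
    name: str
    ip: str                          # interface address, used as the tie-breaker
    priority: int = 100              # configured priority ("confgd" in show standby)
    preempt: bool = False            # standby 1 preempt
    tracked: dict = field(default_factory=dict)  # interface -> decrement (default 10)
    down: set = field(default_factory=set)       # tracked interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for ifc, dec in self.tracked.items() if ifc in self.down)


def elect_active(routers: list, active: Optional[HsrpRouter]) -> HsrpRouter:
    """Who is Active after the next hello exchange.
    With no Active router, the highest effective priority wins and the higher IP breaks ties.
    While an Active router keeps sending hellos, only a router with preempt enabled AND a
    strictly higher effective priority takes the role away from it."""
    best = max(routers, key=lambda r: (r.effective_priority(), ip_to_int(r.ip)))
    if active is None or active not in routers:
        return best
    if best is not active and best.preempt \
            and best.effective_priority() > active.effective_priority():
        return best
    return active


def replay_workbook() -> list:
    """Active router after each step of the HSRP exercise above."""
    r2 = HsrpRouter("R2", "172.12.23.2")
    r3 = HsrpRouter("R3", "172.12.23.3")
    routers = [r2, r3]
    active = None
    history = []

    def step():
        nonlocal active
        active = elect_active(routers, active)
        history.append(active.name)

    step()                         # equal priorities: higher IP (R3) becomes Active
    r2.priority = 105
    step()                         # higher priority alone does not displace R3
    r2.preempt = True
    step()                         # standby 1 preempt: R2 takes over
    r2.tracked["Serial0"] = 10     # standby 1 track serial0 (default decrement 10)
    r2.down.add("Serial0")
    step()                         # R2 drops to 95, but R3 has no preempt yet
    r3.preempt = True
    step()                         # R3 preempts: 100 > 95
    r2.down.discard("Serial0")
    step()                         # Serial0 back up: R2 is 105 again and preempts
    return history


if __name__ == "__main__":
    print("Active router after each step:", replay_workbook())
```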
Switch Security
Enable AAA, and assume a RADIUS server at 172.1.1.1. Assume a TACACS server at 172.2.2.2 as well. (RADIUS and TACACS configuration is out of the scope of the BCMSN exam, but it doesn't hurt to know the basic command. Use IOS Help at the end of both host commands to view the options.)
SW1(config)#aaa new-model
SW1(config)#radius-server host 172.1.1.1
SW1(config)#tacacs-server host 172.2.2.2
Create a local username / password database.
SW1(config)#username BRYANT password CCIE
SW1(config)#username SOPRANO password CCNP
SW1(config)#username WALNUTS password CCNA
Configure an AAA authentication method list that will use the RADIUS server first, then the TACACS+ server, then the local database.
SW1(config)#aaa authentication login default ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication
SW1(config)#aaa authentication login default group radius tacacs local
Configure port security on SW2, port 0/5. The port should allow two secure MAC addresses. Change the default port security mode from shutdown to protect.
SW2(config)#int fast 0/5
SW2(config-if)#switchport port-security
Command rejected: Fa0/5 is not an access port.
SW2(config-if)#switchport mode access
SW2(config-if)#switchport port-security
SW2(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
SW2(config-if)#switchport port-security maximum 2
SW2(config-if)#switchport port-security violation protect
On SW1, configure 0/7 for dot1x authentication. The first step is to enable AAA. While we're at it, configure a default method list for authentication that will use the tacacs server and then any local database. Enable IEEE 802.1x with the dot1x system-auth-control command.
SW1(config)#aaa new-model
SW1(config)#aaa authentication dot1x default tacacs
SW1(config)#dot1x system-auth-control
Make fast 0/7 an access port and configure it for Auto mode.
SW1(config-if)#int fast 0/7
SW1(config-if)#sw mode access
SW1(config-if)#dot1x port-control auto
Note: If you attempt to configure dot1x port authentication on a potential trunk port, you'll get the following error:
SW1(config-if)#dot1x port-control auto
Command rejected: Dynamic mode enabled on one or more ports.
Dot1x is supported only on Ethernet interfaces configured in Access,
Routed or Private-vlan Host Mode.
SPAN
Configure Local SPAN session 1 on SW1. Ports fast 0/1 - 5 will be the source ports, and port 0/6 will be the destination port.
SW1(config)#monitor session 1 source interface fast 0/1 - 5
SW1(config)#monitor session 1 destination int fast 0/6
Verify with show monitor. (Remember - it's not show span!)
SW1#show monitor
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/1-5
Destination Ports : Fa0/6
Encapsulation : Native
Ingress: Disabled
Remove this session with no monitor session 1.
SW1(config)#no monitor session 1
We'll now configure a Remote SPAN (RSPAN) session. Create VLAN 45
as the special VLAN that will carry the mirrored traffic.
SW1(config)#vlan 45
SW1(config-vlan)#remote-span
The source port for this configuration will be fast 0/7 and the destination will be fast 0/7 on SW2.
SW1(config)#monitor session 1 source interface fast 0/7
SW1(config)#monitor session 1 destination remote vlan 45 reflector-port fast 0/12
SW2 will receive the traffic and send it to a network analyzer on fast 0/7.
SW2(config)#monitor session 1 source remote vlan 45
SW2(config)#monitor session 1 destination interface fast 0/7
Run show monitor to verify the configuration.
SW2#show monitor
Session 1
---------
Type : Remote Destination Session
Source RSPAN VLAN: 45
Destination Ports : Fa0/7
Encapsulation : Native
Ingress: Disabled
Multilayer Switching Commands
R2 and R3 are both connected to the multilayer switch in your pod. R2 is on port fast 0/2, R3 on port fast 0/3. Assign the Ethernet0 interfaces on R2 and R3 the IP addresses shown in the diagram below. The routers will serve as hosts for this lab. The hosts will not be able to send pings to each other at this point.
R2#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
To get started, we'll put the port leading to Host 2 into VLAN 22, and the port leading to Host 3 in VLAN 33.
SW1(config)#int fast 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 22
SW1(config-if)#int fast 0/3
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 33
We're going to create two SVIs on the switch, one representing VLAN 22 and the other representing VLAN 33.
Note that both SVIs show as up/up immediately after creation. Some Cisco and non-Cisco documentation mentions that you should open the SVIs after creating them, but that's not necessarily the case in the real world. Couldn't hurt, though. :)
SW1(config)#int vlan22
01:30:04: %LINK-3-UPDOWN: Interface Vlan22, changed state to up
01:30:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan22, changed
state to up
SW1(config-if)#ip address 20.1.1.11 255.255.255.0
SW1(config-if)#int vlan33
01:30:11: %LINK-3-UPDOWN: Interface Vlan33, changed state to up
01:30:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan33, changed
state to up
SW1(config-if)#ip address 30.1.1.11 255.255.255.0
Verify the SVIs with show interface vlan. I'll only show the top three rows of output for each SVI.
SW1#show int vlan11
Vlan11 is up, line protocol is up
Hardware is EtherSVI, address is 0012.7f02.4b41 (bia 0012.7f02.4b41)
Internet address is 20.1.1.11/24
SW1#show int vlan33
Vlan33 is up, line protocol is up
Hardware is EtherSVI, address is 0012.7f02.4b42 (bia 0012.7f02.4b42)
Internet address is 30.1.1.11/24
Now let's check that routing table...
SW1# show ip route
Default gateway is not set
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
Hmm, that's not good. We don't have one! There's a simple reason, though - on L3 switches, we need to enable IP routing, because it's off by default!
SW1(config)#ip routing
SW1(config)#^Z
SW1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, Vlan22
30.0.0.0/24 is subnetted, 1 subnets
C 30.1.1.0 is directly connected, Vlan33
Now that looks like the routing table we've come to know and love! In this particular case, there's no need to configure a routing protocol: both subnets are directly connected to the switch. You recall from your CCNA studies that when router-on-a-stick is configured, the IP address assigned to the router's subinterface should be the default gateway setting on the hosts in that VLAN.
When SVIs are in use, the default gateway set on the hosts should be the IP address assigned to the SVI that represents that host's VLAN. After setting this default gateway on the hosts, the hosts can successfully communicate.
Since we're using routers for hosts, we'll use the ip route command to set the default gateway.
R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.11
R3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.11
Can the hosts now communicate, even though they're in different VLANs? Yes, they can!
R2#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R3#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Ports on multilayer switches can also be configured as routed ports, and have IP addresses assigned directly to them. R4 is connected to the multilayer switch off port fast 0/4. Configure the IP address shown in the diagram on R4's FastEthernet0/0 interface before proceeding.
The ports on a multilayer switch will all be running in L2 mode by default. To configure a port as a routed port, use the no switchport command, followed by the appropriate IP address. Note that in the following configuration, the line protocol on the switch port goes down and comes back up in just a few seconds.
SW1(config)#interface fast 0/4
SW1(config-if)#no switchport
02:19:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4,
changed state to down
02:19:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4,
changed state to up
SW1(config-if)#ip address 210.1.1.11 255.255.255.0
We verify the IP address assignment with show int fast 0/4.
SW1#show int fast 0/4
FastEthernet0/4 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0012.7f02.4b43 (bia 0012.7f02.4b43)
Internet address is 210.1.1.11/24
The switch can now ping 210.1.1.1, the downstream router.
SW1#ping 210.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 210.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Now we'll configure the switch to allow the hosts to ping R4. They can ping 210.1.1.11, the switch's interface in that subnet, but not 210.1.1.1, the router's interface. The router has no route to either 20.1.1.0/24 or 30.1.1.0/24, so its echo replies have no way to get back to R2 or R3.
R4#show ip route
< code table removed for clarity >
Gateway of last resort is not set
C 210.1.1.0/24 is directly connected, FastEthernet0/0
To remedy that, we'll now configure a dynamic routing protocol between the L3 switch and the router. We'll use EIGRP in this case.
SW1(config)#router eigrp 100
SW1(config-router)#no auto-summary
SW1(config-router)#network 210.1.1.0 0.0.0.255
SW1(config-router)#network 20.1.1.0 0.0.0.255
SW1(config-router)#network 30.1.1.0 0.0.0.255
R4(config)#router eigrp 100
R4(config-router)#no auto-summary
R4(config-router)#network 210.1.1.0 0.0.0.255
The router now has the VLAN subnets in its routing table...
R4#show ip route
< code table removed for clarity >
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
D 20.1.1.0 [90/28416] via 210.1.1.11, 00:01:01, FastEthernet0/0
C 210.1.1.0/24 is directly connected, FastEthernet0/0
30.0.0.0/24 is subnetted, 1 subnets
D 30.1.1.0 [90/28416] via 210.1.1.11, 00:01:01, FastEthernet0/0
... and the hosts now have two-way IP connectivity with the router's 210.1.1.1 interface.
R2#ping 210.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 210.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping 210.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 210.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
It never hurts to make sure the pings can go the other way, too!
R4#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
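The configuration below is an added example and is not part of the workbook. It pulls together the SW1 configuration built in the SVI section and the EIGRP section above and adds three things the lab leaves out: EIGRP is made passive on the host-facing SVIs, so the host subnets are still advertised to R4 but no EIGRP hellos are sent into VLAN 22 or VLAN 33 where any host could otherwise form an adjacency with the switch and inject routes; the EIGRP adjacency with R4 is authenticated; and an ACL is applied to the VLAN 22 SVI, because once ip routing is on, VLAN membership alone no longer keeps the two VLANs apart. The key chain name EIGRP-KEYS, the key string REPLACE-ME and the ACL name VLAN22-IN are placeholders chosen for this example, and the "VLAN 22 may not reach VLAN 33" policy is an assumed requirement, not something the lab asks for (with it in place the R2 ping to 30.1.1.1 shown earlier is dropped and logged, which is the point).

```cisco
! Added example, not from the workbook. Placeholders: EIGRP-KEYS, REPLACE-ME, VLAN22-IN.
! ---------------- SW1 ----------------
ip routing
!
! Key chain for EIGRP neighbor authentication. Key number and key-string
! must match on R4.
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-ME
!
! Inter-VLAN policy on the VLAN 22 SVI (assumed requirement).
! Order matters: the cross-VLAN deny comes first, then everything else
! sourced from 20.1.1.0/24 is allowed. The implicit deny at the end also
! drops packets from VLAN 22 hosts that spoof a source outside 20.1.1.0/24.
ip access-list extended VLAN22-IN
 deny   ip 20.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255 log
 permit ip 20.1.1.0 0.0.0.255 any
!
! SVIs from the lab, with the ACL applied inbound on VLAN 22
interface Vlan22
 ip address 20.1.1.11 255.255.255.0
 ip access-group VLAN22-IN in
!
interface Vlan33
 ip address 30.1.1.11 255.255.255.0
!
! Routed port toward R4, with MD5 authentication for EIGRP AS 100
interface FastEthernet0/4
 no switchport
 ip address 210.1.1.11 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! passive-interface default: no hellos on any interface unless explicitly
! re-enabled. The 20.1.1.0 and 30.1.1.0 networks are still advertised to R4;
! hosts in VLAN 22 and 33 just never see EIGRP and cannot peer with the switch.
router eigrp 100
 no auto-summary
 passive-interface default
 no passive-interface FastEthernet0/4
 network 20.1.1.0 0.0.0.255
 network 30.1.1.0 0.0.0.255
 network 210.1.1.0 0.0.0.255
!
! ---------------- R4 ----------------
! R4 must authenticate too, or the adjacency drops.
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-ME
!
interface FastEthernet0/0
 ip address 210.1.1.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
router eigrp 100
 no auto-summary
 network 210.1.1.0 0.0.0.255
!
! Verification (run on SW1):
!   show ip protocols          - lists Vlan22 and Vlan33 under "Passive Interface(s)"
!   show ip eigrp neighbors    - R4 (210.1.1.1) should be the only neighbor
!   show ip access-lists VLAN22-IN - match counters climb on the deny line when R2 pings 30.1.1.1
```

After applying this, R2 and R3 still reach 210.1.1.1 through the EIGRP-learned routes on R4, R4 still reaches both VLAN subnets, and only the R2-to-VLAN-33 path is cut. If the lab's full-mesh pings are what you want, leave the ip access-group line off and keep the passive-interface and authentication changes, which don't alter any of the ping results shown above.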
And finally.....
SW2(config)#spanning portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
The above command (the full form is spanning-tree portfast default) makes PortFast the default setting for all access ports; it has no effect on trunk ports. I didn't want you to configure it early because it wouldn't have worked nicely with a lot of the commands you ran during and after the STP section, but it's a good command to know for the exam and the real world. Pair it with spanning-tree portfast bpduguard default, which err-disables any PortFast port that receives a BPDU, so a switch or hub plugged into a host port can't take part in spanning tree.
To your Cisco success,
Chris Bryant
CCIE #12933
Copyright 2007 The Bryant Advantage. All Rights Reserved.