14[1]. BCMSN Lab Workbook


  • 7/31/2019 14[1]. BCMSN Lab Workbook

    1/23

    The Bryant Advantage BCMSN Lab Workbook

    Chris Bryant, CCIE #12933 www.thebryantadvantage.com Back To Index

    BCMSN Lab Workbook

    Overview

    Connecting And Navigating To Your Pod

    VLAN, VTP, And Trunking

    STP

    General Switch Commands

    HSRP

    Switch Security

    SPAN

    Multilayer Switch Commands

    One Final Bonus Command


    C:\> telnet

    Welcome to Microsoft Telnet Client

    Escape Character is 'CTRL+]'

    Microsoft Telnet> open 100.100.100.100 (put the IP address you were sent in email in place of 100.100.100.100)

    User Access Verification

    Username:

    Password:

    OR:

    C:\>telnet 100.100.100.100

    User Access Verification

    Username:

    Password:


    User Access Verification

    Password:

    THE_BRYANT_ADVANTAGE_15x#

    THE_BRYANT_ADVANTAGE_16x#clear line 01

    [confirm][OK]

    THE_BRYANT_ADVANTAGE_16x#clear line 02

    [confirm]

    [OK]

    THE_BRYANT_ADVANTAGE_16x#clear line 03

    [confirm]

    [OK]

    THE_BRYANT_ADVANTAGE_16x#clear line 04

    [confirm]

    [OK]

    THE_BRYANT_ADVANTAGE_16x#clear line 05

    [confirm]

    [OK]

    THE_BRYANT_ADVANTAGE_16x#

    THE_BRYANT_ADVANTAGE_16x#r1

    Trying R1 (100.1.1.1, 2001)... Open

    R1#


    R1# < Use above keystroke to go back to access server >

    THE_BRYANT_ADVANTAGE_16x#r2

    Trying R2 (100.1.1.1, 2002)... Open

    R2# < Use above keystroke to go back to access server >

    THE_BRYANT_ADVANTAGE_16x#r3

    Trying R3 (100.1.1.1, 2003)... Open

    R3# < Use above keystroke to go back to access server >

    THE_BRYANT_ADVANTAGE_16x#sw1

    Trying SW1 (100.1.1.1, 2004)... Open

    sw1# < Use above keystroke to go back to access server >

    THE_BRYANT_ADVANTAGE_16x#sw2

    Trying SW2 (100.1.1.1, 2005)... Open

    sw2# < Use above keystroke to go back to access server >

    THE_BRYANT_ADVANTAGE_16x#

    THE_BRYANT_ADVANTAGE_16x#1

    [Resuming connection 1 to r1 ... ]

    R1#

    THE_BRYANT_ADVANTAGE_16x#2

    [Resuming connection 2 to r2 ... ]

    R2#

    THE_BRYANT_ADVANTAGE_16x#3

    [Resuming connection 3 to r3 ... ]

    R3#

    THE_BRYANT_ADVANTAGE_16x#4

    [Resuming connection 4 to sw1 ... ]

    sw1#

    THE_BRYANT_ADVANTAGE_16x#5

    [Resuming connection 5 to sw2 ... ]

    sw2#

    THE_BRYANT_ADVANTAGE_16x#


    VLANs, VTP, and Trunks

    Verify the trunk between SW1 and SW2 with show interface trunk.

    SW1#show interface trunk

    Port Mode Encapsulation Status Native vlan

    Fa0/11 desirable 802.1q trunking 1

    Fa0/12 desirable 802.1q trunking 1

    Create the VTP domain CCNP on SW1. Run show vtp status on SW1

    and SW2 to verify.

    SW1(config)#vtp domain CCNP

    Changing VTP domain name from NULL to CCNP


    SW1#show vtp status

    VTP Version : 2

    Configuration Revision : 0

    Maximum VLANs supported locally : 64

    Number of existing VLANs : 5

    VTP Operating Mode : Server

    VTP Domain Name : CCNP

    SW2#show vtp status

    VTP Version : 2

    Configuration Revision : 0

    Maximum VLANs supported locally : 64

    Number of existing VLANs : 5

    VTP Operating Mode : Server

    VTP Domain Name : CCNP

    On SW2, change the trunking mode on fast 0/11 and fast 0/12 to dynamic auto, then to unconditional trunking. Note that the trunk doesn't come down.

    SW2(config)#int fast 0/11

    SW2(config-if)#switchport mode ?

    access Set trunking mode to ACCESS unconditionally

    dynamic Set trunking mode to dynamically negotiate access or trunk mode

    trunk Set trunking mode to TRUNK unconditionally

    SW2(config-if)#switchport mode dynamic auto

    SW2(config-if)#switchport mode trunk

    SW2(config)#int fast 0/12

    SW2(config-if)#switchport mode trunk

    Both switches will be VTP servers, so create VLAN 32 on either one. Run show vlan brief to verify.

    SW2(config)#vlan 32

    SW2#show vlan brief

    VLAN Name      Status    Ports
    ---- --------- --------- ----------------------------
    1    default   active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                             Fa0/5, Fa0/6, Fa0/7, Fa0/8
                             Fa0/9, Fa0/10
    32   VLAN0032  active

    Change the native VLAN to VLAN 32 with the switchport trunk native vlan 32 command. You'll need to configure this on fast 0/11 and fast 0/12 on both switches. Be prepared for the trunk to come down during the process.

    SW1(config)#int fast 0/11

    SW1(config-if)#switchport trunk native vlan 32

    SW1(config-if)#int fast 0/12

    SW1(config-if)#switchport trunk native vlan 32

    SW2(config)#int fast 0/11

    SW2(config-if)#switchport trunk native vlan 32

    SW2(config-if)#int fast 0/12

    SW2(config-if)#switchport trunk native vlan 32

    Run show interface trunk on both switches to ensure that the trunk is up and that the native VLAN was successfully changed. (This is going to sound strange, but get into the habit of checking both switches with show interface trunk. Every once in a while, you'll get a response to this command on one switch that doesn't match up to the other switch's response.)

    SW2#show interface trunk

    Port Mode Encapsulation Status Native vlan

    Fa0/11 on 802.1q trunking 32

    Fa0/12 desirable 802.1q trunking 32

    SW1#show int trunk

    Port Mode Encapsulation Status Native vlan

    Fa0/11 desirable 802.1q trunking 32

    Fa0/12 desirable 802.1q trunking 32

    On SW1, disable Dynamic Trunking Protocol (DTP) on both fast 0/11 and 0/12.

    SW1(config)#int fast 0/11

    SW1(config-if)#switchport nonegotiate

    Command rejected: Conflict between 'nonegotiate' and 'dynamic' status

    SW1(config-if)#switchport mode trunk

    SW1(config-if)#switchport nonegotiate

    SW1(config-if)#int fast 0/12

    SW1(config-if)#switchport mode trunk

    SW1(config-if)#switchport nonegotiate

    As you quickly noticed, you can't turn DTP off while the port is in any dynamic state. Making the port an unconditional trunk port with switchport mode trunk allowed us to turn DTP off.

    Prevent traffic for VLAN 1000 from being sent over fast 0/11 and 0/12 on SW1 and SW2 with the switchport trunk allowed vlan command. Verify with show interface trunk.

    SW1(config)#int fast 0/11

    SW1(config-if)#switchport trunk allowed vlan except 1000

    SW1(config-if)#int fast 0/12

    SW1(config-if)#switchport trunk allowed vlan except 1000

    SW1#show interface trunk

    Port Mode Encapsulation Status Native vlan

    Fa0/11 on 802.1q trunking 32

    Fa0/12 on 802.1q trunking 32

    Port Vlans allowed on trunk

    Fa0/11 1-999,1001-4094

    Fa0/12 1-999,1001-4094

    Add the VLANs right back with the same command. Verify again with show interface trunk.

    SW1(config)#int fast 0/11

    SW1(config-if)#switchport trunk allowed vlan add 1000

    SW1(config-if)#int fast 0/12

    SW1(config-if)#switchport trunk allowed vlan add 1000

    Feel free to experiment with this command - add, remove, and the other options. The more you use it, the better you'll be with it on the exam.
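To make the add / remove / except / all semantics concrete, here is a small model of the allowed-VLAN list on a trunk port, written as an added example that is not part of the workbook. It replays the lab's "except 1000" and "add 1000" steps and renders the result the way show interface trunk prints it; the VLAN bounds (1-4094) and the default of "all VLANs allowed" are the assumptions it relies on.

```python
"""Model of the IOS 'switchport trunk allowed vlan' keywords (added example,
not from the workbook).  Assumed semantics: a bare list replaces the allowed
set, 'add'/'remove' edit it, 'except' means everything but the list, and the
default for a new trunk is all VLANs 1-4094."""

from typing import Iterable, List, Set

MIN_VLAN, MAX_VLAN = 1, 4094


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse an IOS VLAN list such as '1-999,1001-4094' or '10,20-22'."""
    vlans: Set[int] = set()
    for chunk in spec.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "-" in chunk:
            lo, hi = (int(x) for x in chunk.split("-", 1))
        else:
            lo = hi = int(chunk)
        if not (MIN_VLAN <= lo <= hi <= MAX_VLAN):
            raise ValueError(f"VLAN range out of bounds: {chunk}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans: Iterable[int]) -> str:
    """Render a VLAN set as compressed ranges, e.g. {1..999, 1001..4094} -> '1-999,1001-4094'."""
    ordered = sorted(set(vlans))
    if not ordered:
        return "none"
    parts: List[str] = []
    start = prev = ordered[0]
    for v in ordered[1:]:
        if v == prev + 1:          # still inside a contiguous run
            prev = v
            continue
        parts.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    parts.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(parts)


class TrunkPort:
    """Tracks the 'Vlans allowed on trunk' value of one trunk interface."""

    def __init__(self) -> None:
        self.allowed: Set[int] = set(range(MIN_VLAN, MAX_VLAN + 1))  # default: all

    def allowed_vlan(self, keyword: str, spec: str = "") -> None:
        """Apply one 'switchport trunk allowed vlan <keyword> [list]' command."""
        everything = set(range(MIN_VLAN, MAX_VLAN + 1))
        if keyword == "all":
            self.allowed = everything
        elif keyword == "none":
            self.allowed = set()
        elif keyword == "except":
            self.allowed = everything - parse_vlan_list(spec)
        elif keyword == "add":
            self.allowed |= parse_vlan_list(spec)
        elif keyword == "remove":
            self.allowed -= parse_vlan_list(spec)
        else:                      # a bare list replaces the whole allowed set
            self.allowed = parse_vlan_list(keyword)

    def show(self) -> str:
        """What 'show interface trunk' would print under 'Vlans allowed on trunk'."""
        return format_vlan_list(self.allowed)


def lab_sequence() -> List[str]:
    """Replay the workbook's steps on Fa0/11: 'except 1000', then 'add 1000'."""
    port = TrunkPort()
    out = [port.show()]                      # default: '1-4094'
    port.allowed_vlan("except", "1000")
    out.append(port.show())                  # '1-999,1001-4094', as in the lab output
    port.allowed_vlan("add", "1000")
    out.append(port.show())                  # back to '1-4094'
    return out


if __name__ == "__main__":
    for line in lab_sequence():
        print(line)
```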

    Run show vtp status on both switches and note the configuration revision number.

    SW1#show vtp status


    VTP Version : 2

    Configuration Revision : 1

    SW2#show vtp status

    VTP Version : 2

    Configuration Revision : 1

    On SW2, delete VLAN 32. Run show vlan brief on SW2 to verify, then show vtp status to note the configuration revision number.

    SW2#show vtp status

    VTP Version : 2

    Configuration Revision : 2

    The revision number moved up to 2, as expected. Run both commands on SW1 as well.

    SW1#show vtp status

    VTP Version : 2

    Configuration Revision : 2

    Since we just deleted our native VLAN, it would be a good idea to set that value back to VLAN 1! On SW1, use the switchport trunk native vlan command to do so. Be prepared to see an error message such as the one seen below.

    SW1(config)#int fast 0/11

    SW1(config-if)#switchport trunk native vlan 1

    SW1(config)#int fast 0/12

    SW1(config-if)#switchport trunk native vlan 1

    05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/11 (1), with SW2 FastEthernet0/11 (32).

    05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/12 (1), with SW2 FastEthernet0/12 (32).

    The numbers in the parentheses can be very helpful if you don't spot the problem right away. The first is the native VLAN according to the local switch port, and the second is the native VLAN according to the remote switch port.
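A small parser for these CDP mismatch messages, as an added example that is not part of the workbook: it pulls both native VLANs out of the message so a native VLAN mismatch (which also matters for 802.1Q tagging on the link, not just CDP) can be spotted from syslog automatically rather than by eye. The message layout is taken from the two lines above; the third sample line is constructed.

```python
"""Detection helper for %CDP-4-NATIVE_VLAN_MISMATCH syslog lines (added example,
not from the workbook).  The format is taken from the lab output: the first
parenthesised number is the local port's native VLAN, the second the remote's."""

import re
from dataclasses import dataclass
from typing import List, Optional

MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with "
    r"(?P<remote_dev>\S+) (?P<remote_if>\S+) \((?P<remote_vlan>\d+)\)\."
)


@dataclass(frozen=True)
class NativeVlanMismatch:
    timestamp: str
    local_if: str
    local_vlan: int      # first parenthesis: native VLAN on the local port
    remote_dev: str
    remote_if: str
    remote_vlan: int     # second parenthesis: native VLAN on the remote port

    @property
    def touches_default_native(self) -> bool:
        """True when either side still uses VLAN 1 as native: the case most worth reviewing."""
        return 1 in (self.local_vlan, self.remote_vlan)


def parse_line(line: str) -> Optional[NativeVlanMismatch]:
    """Return a mismatch record for a matching line, or None for any other syslog line."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    timestamp = line[: m.start()].strip().rstrip(":") or "-"   # e.g. '05:32:33'
    return NativeVlanMismatch(
        timestamp=timestamp,
        local_if=m["local_if"],
        local_vlan=int(m["local_vlan"]),
        remote_dev=m["remote_dev"],
        remote_if=m["remote_if"],
        remote_vlan=int(m["remote_vlan"]),
    )


def scan(lines: List[str]) -> List[NativeVlanMismatch]:
    """Extract every mismatch from a list of syslog lines, keeping their order."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def summarize(events: List[NativeVlanMismatch]) -> List[str]:
    """One human-readable line per affected link, naming both sides so the fix is obvious."""
    return [
        f"{e.timestamp} {e.local_if} native {e.local_vlan} != "
        f"{e.remote_dev} {e.remote_if} native {e.remote_vlan}"
        for e in events
    ]


# Sample input: the two lines from the lab plus one constructed, unrelated line.
SAMPLE_LOG = [
    "05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    "FastEthernet0/11 (1), with SW2 FastEthernet0/11 (32).",
    "05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    "FastEthernet0/12 (1), with SW2 FastEthernet0/12 (32).",
    "05:32:40: %SYS-5-CONFIG_I: Configured from console by console",   # constructed
]

if __name__ == "__main__":
    for line in summarize(scan(SAMPLE_LOG)):
        print(line)
```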

    On SW2, use the no switchport trunk native vlan 32 command on both trunk ports. Run show interface trunk to verify the trunk is up and running.

    SW2(config)#int fast 0/12

    SW2(config-if)#no switchport trunk native vlan 32

    SW2(config-if)#int fast 0/11

    SW2(config-if)#no switchport trunk native vlan 32

    SW2#show int trunk

    Port Mode Encapsulation Status Native vlan

    Fa0/11 on 802.1q trunking 1

    Fa0/12 on 802.1q trunking 1

    The trunk is up and the native VLAN has reverted back to VLAN 1.

    Put SW2 into VTP Client mode and try to create a VLAN on it.

    SW2(config)#vtp mode client

    Setting device to VTP CLIENT mode.

    SW2(config)#vlan 50

    VTP VLAN configuration not allowed when device is in CLIENT mode.


    Just one more reminder about that little fact. :) Put the switch back into server mode.

    SW2(config)#vtp mode server

    Setting device to VTP SERVER mode

    On SW2, enable VTP pruning. Then check on SW1 and see if pruning shows as enabled on that switch as well.

    SW2(config)#vtp pruning

    Pruning switched on

    SW1#show vtp status

    VTP Version : 2

    Configuration Revision : 4

    Maximum VLANs supported locally : 64

    Number of existing VLANs : 6

    VTP Operating Mode : Server

    VTP Domain Name : CCNP

    VTP Pruning Mode : Enabled

    To finish this section, let's get some practice in with the interface range command. I can't stress this enough - this command can save you a lot of time on Cisco exams as well as when working on production networks. I urge you to get some practice in with this command and be comfortable with it.

    Configure ports 0/8 - 10 on both switches with the interface range command. Enable portfast on all three ports, set the speed to 100 Mbps, and the duplex to full.

    SW1(config)#interface range fast 0/8 - 10

    SW1(config-if-range)#spanning portfast

    SW1(config-if-range)#speed 100

    SW1(config-if-range)#duplex full

    SW2(config)#interface range fast 0/8 - 10

    SW2(config-if-range)#spanning portfast

    SW2(config-if-range)#speed 100

    SW2(config-if-range)#duplex full

    Spanning Tree Protocol

    Keep in mind that the MAC addresses you see in this lab are NOT necessarily going to be the ones you see during your time on my racks, and they won't be the same ones you have in your home lab. When we're going back and forth between root bridges in this exercise, they won't necessarily be the same ones that are the root bridges when you run the labs.

    Run show spanning-tree vlan 1 on both switches and identify the root.

    SW1#show spanning vlan 1

    VLAN0001

    Spanning tree enabled protocol ieee

    Root ID Priority 32769

    Address 000e.d7f5.a040

    This bridge is the root

    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec


    On the nonroot bridge, run show spanning vlan 1 and note the port costs.

    SW2#show spanning vlan 1

    Interface Role Sts Cost Prio.Nbr Type

    ---------------- ---- --- --------- -------- ------

    Fa0/11 Root FWD 19 128.11 P2p

    Fa0/12 Altn BLK 19 128.12 P2p

    We'll now change the root port cost of fast 0/12 with the spanning-tree cost command. Change this cost to 15, then run show spanning vlan 1 again.

    SW2(config)#int fast 0/12

    SW2(config-if)#spanning-tree cost 15

    SW2#show spanning vlan 1

    Interface Role Sts Cost Prio.Nbr Type

    ---------------- ---- --- --------- -------- ------

    Fa0/11 Root BLK 19 128.11 P2p

    Fa0/12 Altn LIS 15 128.12 P2p

    The root port selection has changed because fast 0/12's port cost is now less than 0/11's. Fast 0/11 goes into blocking mode and 0/12 will go through the STP port states until it reaches the Forwarding state.

    Change the STP timers on the root bridge.

    SW1(config)#spanning vlan 1 hello 5

    SW1(config)#spanning vlan 1 forward-time 12

    SW1(config)#spanning vlan 1 max-age 15

    On SW2, run show spanning vlan 1. Note that the timers changed under Root ID, but not Bridge ID. The local switch's settings are under Bridge ID, but it's the timer values announced by the Root Bridge that are the ones being used.

    SW2#show spanning vlan 1

    VLAN0001

    Spanning tree enabled protocol ieee

    Root ID Priority 32769

    Address 000e.d7f5.a040

    Cost 15

    Port 12 (FastEthernet0/12)

    Hello Time 5 sec Max Age 15 sec Forward Delay 12 sec

    Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

    Address 000f.90e2.14c0

    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

    Aging Time 300

    Make the nonroot bridge the root bridge for VLAN 1 with spanning-tree vlan 1 root primary. Run show spanning vlan 1 to verify.

    SW2(config)#spanning-tree vlan 1 root primary

    SW2#show spanning vlan 1

    VLAN0001

    Spanning tree enabled protocol ieee

    Root ID Priority 24577

    Address 000f.90e2.14c0

    This bridge is the root


    Make the new nonroot bridge the root bridge again with the spanning-tree vlan 1 priority command. Set the priority to 10000.

    SW1(config)#spanning-tree vlan 1 priority 10000

    % Bridge Priority must be in increments of 4096.

    % Allowed values are:

    0 4096 8192 12288 16384 20480 24576 28672

    32768 36864 40960 45056 49152 53248 57344 61440

    In that case, make it 8192. ;) Verify with show spanning vlan 1.

    SW1(config)#spanning-tree vlan 1 priority 8192

    SW1#show spanning vlan 1

    VLAN0001

    Spanning tree enabled protocol ieee

    Root ID Priority 8193

    Address 000e.d7f5.a040

    This bridge is the root
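The arithmetic behind the three show spanning vlan 1 outputs above, as an added example that is not part of the workbook: with the extended system ID, the priority a switch advertises is its configured priority plus the VLAN number (32768 + 1 = 32769, 24576 + 1 = 24577, 8192 + 1 = 8193), only multiples of 4096 are accepted, and the lowest (priority, MAC) pair wins the root election. The "root primary" rule used here (24576 if that wins, otherwise 4096 below the current root) is Cisco's documented behaviour as I recall it and is marked as an assumption in the code; the MACs are the ones shown in the lab.

```python
"""Bridge-ID arithmetic and root election for PVST+ with extended system ID
(added example, not from the workbook)."""

from typing import Dict, List, Tuple

PRIORITY_STEP = 4096
ALLOWED_PRIORITIES = list(range(0, 65536, PRIORITY_STEP))   # 0, 4096, ..., 61440


def validate_priority(priority: int) -> int:
    """Mimic the IOS check that rejected 'priority 10000' in the lab."""
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError(
            f"% Bridge Priority must be in increments of {PRIORITY_STEP}. "
            f"% Allowed values are: {' '.join(map(str, ALLOWED_PRIORITIES))}"
        )
    return priority


def bridge_priority(priority: int, vlan: int) -> int:
    """Priority field of the bridge ID = configured priority + sys-id-ext (the VLAN)."""
    return validate_priority(priority) + vlan


def mac_to_int(mac: str) -> int:
    """'000e.d7f5.a040' -> integer, for the lowest-MAC tiebreak."""
    return int(mac.replace(".", ""), 16)


def elect_root(bridges: List[Tuple[str, int, str]], vlan: int) -> str:
    """bridges: (name, configured priority, MAC).  Lowest (priority+vlan, MAC) wins."""
    return min(bridges, key=lambda b: (bridge_priority(b[1], vlan), mac_to_int(b[2])))[0]


def root_primary_priority(current_root_priority: int, vlan: int) -> int:
    """'spanning-tree vlan N root primary'.  Assumed rule (Cisco's documented
    behaviour as recalled here): use 24576 if that beats the current root,
    otherwise 4096 below the current root's configured priority."""
    root_configured = current_root_priority - vlan        # strip the sys-id-ext
    if root_configured > 24576:
        return 24576
    return max(0, root_configured - PRIORITY_STEP)


def lab_sequence() -> List[Tuple[str, int]]:
    """Replay the lab on VLAN 1: default tie broken by MAC, SW2 'root primary',
    then SW1 'priority 8192'.  Returns (root name, displayed root priority) per step."""
    vlan = 1
    sw1: Dict = {"name": "SW1", "priority": 32768, "mac": "000e.d7f5.a040"}
    sw2: Dict = {"name": "SW2", "priority": 32768, "mac": "000f.90e2.14c0"}

    def snapshot() -> Tuple[str, int]:
        bridges = [(b["name"], b["priority"], b["mac"]) for b in (sw1, sw2)]
        root = elect_root(bridges, vlan)
        prio = next(bridge_priority(b["priority"], vlan) for b in (sw1, sw2) if b["name"] == root)
        return root, prio

    steps = [snapshot()]                                           # SW1 (lower MAC), 32769
    sw2["priority"] = root_primary_priority(steps[-1][1], vlan)    # SW2 -> 24576
    steps.append(snapshot())                                       # SW2, 24577
    sw1["priority"] = 8192                                         # SW1 -> 8192
    steps.append(snapshot())                                       # SW1, 8193
    return steps


if __name__ == "__main__":
    for root, prio in lab_sequence():
        print(f"root={root} priority={prio}")
```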

    Place port 0/5 on SW1 into Portfast. By now, you know what you'll see! BUT... there's another Portfast option that we'll look at when we come to the end of this lab workbook.

    SW1(config)#int fast 0/5

    SW1(config-if)#spanning-tree portfast

    %Warning: portfast should only be enabled on ports connected to a single

    host. Connecting hubs, concentrators, switches, bridges, etc... to this

    interface when portfast is enabled, can cause temporary bridging loops.

    Use with CAUTION

    %Portfast has been configured on FastEthernet0/5 but will only

    have effect when the interface is in a non-trunking mode.

    Enable Uplinkfast on each switch. Do the same for Backbonefast. Remember, in production networks (and the exam), Uplinkfast is best suited for wiring-closet switches, and Backbonefast should be configured on all switches in the network.

    SW1(config)#spanning uplinkfast

    SW2(config)#spanning uplinkfast

    SW1(config)#spanning backbonefast

    SW2(config)#spanning backbonefast

    Assume that a third switch will be added to SW2's fast 0/7 port, and this switch must not become the root bridge. Configure Root Guard on this port to meet that requirement.

    SW2(config)#int fast 0/7

    SW2(config-if)#spanning-tree guard root

    On SW1, fast 0/5 has already been configured with Portfast. Just to make sure a switch doesn't get connected to that port, configure BPDU Guard on fast 0/5. This port will now shut down if a BPDU is received on it.

    SW1(config)#int fast 0/5

    SW1(config-if)#spanning-tree bpduguard

    % Incomplete command.


    SW1(config-if)#spanning-tree bpduguard ?

    disable Disable BPDU guard for this interface

    enable Enable BPDU guard for this interface

    SW1(config-if)#spanning-tree bpduguard enable

    Enable aggressive UDLD globally on both switches.

    SW1(config)#udld aggressive

    SW2(config)#udld aggressive

    On both switches, run show spanning-tree summary. This command doesn't get mentioned often, but once you've got some STP features running, it's a good command to know. You can see that SW2 isn't the root bridge for any VLAN, and you can also see what features are and are not enabled on this switch.

    SW2#show spanning-tree summary

    Switch is in pvst mode

    Root bridge for: none

    EtherChannel misconfig guard is enabled

    Extended system ID is enabled

    Portfast Default is disabled

    PortFast BPDU Guard Default is disabled

    Portfast BPDU Filter Default is disabled

    Loopguard Default is disabled

    UplinkFast is enabled

    BackboneFast is enabled

    Pathcost method used is short

    Name       Blocking Listening Learning Forwarding STP Active
    VLAN0001          1         0        0          1          2
    VLAN0080          1         0        0          1          2
    2 vlans           2         0        0          2          4

    Since Loop Guard isn't configured on this switch, let's do so on port 0/1.

    SW2(config)#interface fast 0/1

    SW2(config-if)#spanning-tree guard loop

    Run show spanning summary again and you'll see "Loopguard" is enabled, and the word "default" is gone. When you see default next to a value in this command, you know that it's running at the default.

    General Switch Commands

    On SW2, configure the switch to autorecover from all port err-disabled conditions with the errdisable recovery cause command. Before selecting "all" as the option, use IOS Help to look at the other options. As you can see, there are a lot of different ways for a port to go into err-disabled state! Set the duration of the err-disabled state to 300 seconds.

    SW2(config)#errdisable recovery cause all

    SW2(config)#errdisable recovery interval ?

    timer-interval(sec)

    SW2(config)#errdisable recovery interval 300

    Create an Etherchannel over ports fast 0/11 and 0/12 on each switch.


    Use PAgP auto mode on SW1 and PAgP desirable on SW2. Be prepared for quite a few "line protocol down" and "line protocol up" messages while you're building the EC.

    SW1(config)#int fast 0/11

    SW1(config-if)#channel-group 1 mode auto

    Creating a port-channel interface Port-channel 1

    SW1(config-if)#int fast 0/12

    SW1(config-if)#channel-group 1 mode auto

    SW2(config)#int fast 0/11

    SW2(config-if)#channel-group 1 mode desirable

    Creating a port-channel interface Port-channel 1

    SW2(config-if)#int fast 0/12

    SW2(config-if)#channel-group 1 mode desirable

    Verify the EC with show interface trunk. If you don't see anything, check each physical port with show interface fast 0/x and see if the port was placed into err-disabled state during the EC configuration. If so, simply open the interface manually.

    SW2#show interface trunk

    Port Mode Encapsulation Status Native vlan

    Po1 on 802.1q trunking 1

    For further verification, run show interface port-channel 1. Note the defaults for the speed and duplex. (It's out of the scope of the BCMSN exam, but when an EC is configured on a multilayer switch, it can be made a Layer 3 EC and have an IP address assigned.)

    SW2#show interface port-channel 1

    Port-channel1 is up, line protocol is up (connected)

    Hardware is EtherChannel, address is 000f.90e2.14cb (bia 000f.90e2.14cb)

    MTU 1500 bytes, BW 200000 Kbit, DLY 1000 usec,

    reliability 255/255, txload 1/255, rxload 1/255

    Encapsulation ARPA, loopback not set

    Full-duplex, 100Mb/s

    Hot Standby Routing Protocol

    The following lab can be run on routers or switches, and in my racks we're going to run HSRP on R2 and R3. R2's Serial0 interface line protocol must be up as well, so you'll need to bring the Frame Relay interfaces up on R1, R2, and R3. The Frame Relay switch in my labs is preconfigured, so you'll only need to apply the following commands on the routers:

    R1:

    interface serial0

    ip address 172.12.123.1 255.255.255.0

    encap frame

    no frame inverse

    frame map ip 172.12.123.2 122 broadcast


    frame map ip 172.12.123.3 123 broadcast

    R2:

    interface serial0

    ip address 172.12.123.2 255.255.255.0

    encap frame

    no frame inverse

    frame map ip 172.12.123.1 221 broadcast

    frame map ip 172.12.123.3 221

    R3:

    interface serial0

    ip address 172.12.123.3 255.255.255.0

    encap frame

    no frame inverse

    frame map ip 172.12.123.1 321 broadcast

    frame map ip 172.12.123.2 321

    Don't forget to open the interfaces!

    All interfaces should be able to ping each other. The important thing is that R2's Serial0 line protocol is up.

    R2 and R3 are also connected via an Ethernet segment. Configure 172.12.23.2 /24 on R2's e0 interface and 172.12.23.3 /24 on R3's e0 interface. Both ports should be in the same VLAN and pings should be successful between the two routers over that interface.

    Configure R2 and R3 to use 172.12.23.10 as the IP address of the virtual router. On R2, run show standby to view the HSRP details. If the router isn't in Active or Standby state yet, give it half a minute and run it again.

    R2(config)#int e0

    R2(config-if)#standby 1 ip 172.12.23.10

    R3(config)#int e0

    R3(config-if)#standby 1 ip 172.12.23.10

    R2#show standby

    Ethernet0 - Group 1

    Local state is Standby, priority 100

    Hellotime 3 sec, holdtime 10 sec

    Next hello sent in 0.170

    Virtual IP address is 172.12.23.10 configured

    Active router is 172.12.23.3, priority 100 expires in 7.452

    Standby router is local

    1 state changes, last state change 00:01:07

    IP redundancy name is "hsrp-Et0-1" (default)

    R2 is the standby, R3 the Active router. Configure R2 as the Active by setting its priority to 105. Verify with show standby.

    R2(config)#int e0

    R2(config-if)#standby 1 priority 105

    R2#show standby

    Ethernet0 - Group 1

    Local state is Standby, priority 105

    Hellotime 3 sec, holdtime 10 sec

    Next hello sent in 0.832

    Virtual IP address is 172.12.23.10 configured

    Active router is 172.12.23.3, priority 100 expires in 8.340

    Standby router is local

    1 state changes, last state change 00:02:40

    IP redundancy name is "hsrp-Et0-1" (default)

    R2's priority is now higher than R3's, but it's not the Active router. For R2 to become the Active while the current Active router is still online, the preempt option must be configured. Depending on the IOS version, preempt will either be set at the end of the priority command, or on a line of its own.

    R2(config)#int e0

    R2(config-if)#standby 1 preempt

    07:55:25: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active

    We see a message that the local router has gone from Standby to Active, but always verify. Trust, but verify - and we do that with show standby.

    R2#show standby

    Ethernet0 - Group 1

    Local state is Active, priority 105, may preempt

    Hellotime 3 sec, holdtime 10 sec

    Next hello sent in 2.394

    Virtual IP address is 172.12.23.10 configured

    Active router is local

    Standby router is 172.12.23.3, priority 100 expires in 7.428

    Virtual mac address is 0000.0c07.ac01

    2 state changes, last state change 00:00:56

    IP redundancy name is "hsrp-Et0-1" (default)

    R2 is now the Active router.

    Change the MAC address of the virtual router to aa-aa-aa-aa-aa-aa with the standby mac-address command. Verify with show standby.

    R2(config)#int e0

    R2(config-if)#standby 1 mac-address aaaa.aaaa.aaaa

    07:57:57: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Active -> Learn

    07:58:09: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Listen -> Active

    R2#show standby

    Ethernet0 - Group 1

    Local state is Active, priority 105, may preempt

    Hellotime 3 sec, holdtime 10 sec

    Next hello sent in 0.800

    Virtual IP address is 172.12.23.10 configured

    Active router is local

    Standby router is 172.12.23.3, priority 100 expires in 9.068

    Virtual mac address is aaaa.aaaa.aaaa configured

    4 state changes, last state change 00:00:10

    IP redundancy name is "hsrp-Et0-1" (default)

    Notice the word "configured" next to the MAC address in show standby. That indicates that this particular MAC address was statically configured.

    We'll now configure HSRP interface tracking. If the line protocol on R2's Serial0 goes down, we want R3 to become the Active router, since its serial line will still be up.

    R2's priority is 105, and R3's is 100. Since the default priority decrement with interface tracking is 10, we'll leave the default in place. If we wanted to change the decrement, that value is placed at the end of the standby track command.

    R2(config-if)#standby 1 track serial0

    R2(config-if)#standby 1 track serial0 ?

    Priority decrement

    R2(config-if)#standby 1 track serial0

    To test the configuration, R2's Serial0 interface will be shut down. After shutting that port down, run show standby to see the results.

    R2(config-if)#int s0

    R2(config-if)#shut

    R2#show standby

    Ethernet0 - Group 1

    Local state is Active, priority 95 (confgd 105), may preempt

    Hellotime 3 sec, holdtime 10 sec

    Next hello sent in 2.506

    Virtual IP address is 172.12.23.10 configured

    Active router is local

    Standby router is 172.12.23.3, priority 100 expires in 7.736

    Virtual mac address is aaaa.aaaa.aaaa configured

    4 state changes, last state change 00:06:36

    IP redundancy name is "hsrp-Et0-1" (default)

    Priority tracking 1 interface, 0 up:

    Interface Decrement State

    Serial0 10 Down (administratively down)

    The priority did go down, and the priority tracking even shows how the line went down! But this router is still the Active router, even though its priority decremented to 95. Why?

    Because R3 needs the HSRP preempt option configured on it as well. A router can't take over from an Active router that's up unless the preempt option is configured.

    R3(config)#int e0

    R3(config-if)#standby 1 preempt

    R3(config-if)#

    08:06:22: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active

    Within seconds, R3 becomes the Active router, verifying interface tracking.

    What happens when R2's Serial0 line protocol comes back up? Open it and see!

    R2(config)#int s0

    R2(config-if)#no shut

    08:08:18: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active

    08:08:18: %SYS-5-CONFIG_I: Configured from console by console

    08:08:19: %LINK-3-UPDOWN: Interface Serial0, changed state to up

    08:08:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

    Just that quickly, R2 becomes the Active router again, since its priority incremented by 10 when the line protocol came up.

    Watch that preempt option! ;)
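The whole election sequence of this HSRP section (tie broken by IP address, priority 105 without preempt, preempt, tracking decrement of 10, and preempt on R3) in one small model, as an added example that is not part of the workbook. Hellos and timers are not modelled; the rules it assumes are that a higher-priority router only replaces a live Active router when it has preempt configured, and that on equal priority the higher IP address wins.

```python
"""Model of HSRP Active election with priority, preempt and interface tracking
(added example, not from the workbook).  Assumptions: no timers/hellos; a live
Active router is only replaced by a higher-priority router that has preempt;
equal priorities are broken by the higher interface IP address."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TRACK_DECREMENT_DEFAULT = 10     # the default 'standby track' decrement used in the lab


@dataclass
class HsrpRouter:
    name: str
    ip: str
    configured_priority: int = 100
    preempt: bool = False
    tracked: Dict[str, bool] = field(default_factory=dict)     # interface -> line protocol up?
    decrements: Dict[str, int] = field(default_factory=dict)   # interface -> decrement

    def track(self, interface: str, decrement: int = TRACK_DECREMENT_DEFAULT) -> None:
        """'standby <group> track <interface> [decrement]'; the interface starts up."""
        self.tracked[interface] = True
        self.decrements[interface] = decrement

    def set_line_protocol(self, interface: str, up: bool) -> None:
        if interface in self.tracked:
            self.tracked[interface] = up

    @property
    def priority(self) -> int:
        """Effective priority: configured minus the decrement of every tracked interface that is down."""
        return self.configured_priority - sum(
            self.decrements[i] for i, up in self.tracked.items() if not up
        )


def ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


@dataclass
class HsrpGroup:
    routers: List[HsrpRouter]
    active: Optional[HsrpRouter] = None

    def best(self) -> HsrpRouter:
        return max(self.routers, key=lambda r: (r.priority, ip_key(r.ip)))

    def converge(self) -> str:
        """Re-run the election after a change; return the Active router's name."""
        best = self.best()
        if self.active is None:
            self.active = best                 # no Active yet: plain election
        elif best is not self.active and best.preempt:
            self.active = best                 # higher priority AND preempt: take over
        # otherwise the current Active keeps the role, even with a lower priority
        return self.active.name


def lab_sequence() -> List[str]:
    """Replay the workbook's steps; each entry is the Active router after that step."""
    r2 = HsrpRouter("R2", "172.12.23.2")
    r3 = HsrpRouter("R3", "172.12.23.3")
    group = HsrpGroup([r2, r3])
    steps = [group.converge()]                 # both 100: higher IP (R3) is Active
    r2.configured_priority = 105
    steps.append(group.converge())             # R2 higher but no preempt: R3 stays Active
    r2.preempt = True
    steps.append(group.converge())             # R2 preempts and becomes Active
    r2.track("Serial0")
    r2.set_line_protocol("Serial0", False)     # 'shut' on Serial0: R2 drops to 95
    steps.append(group.converge())             # R3 has no preempt: R2 stays Active
    r3.preempt = True
    steps.append(group.converge())             # R3 now takes over
    r2.set_line_protocol("Serial0", True)      # 'no shut': R2 back to 105
    steps.append(group.converge())             # R2 preempts again
    return steps


if __name__ == "__main__":
    print(" -> ".join(lab_sequence()))
```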

    Switch Security

    Enable AAA, and assume a RADIUS server at 172.1.1.1. Assume a TACACS server at 172.2.2.2 as well. (RADIUS and TACACS configuration is out of the scope of the BCMSN exam, but it doesn't hurt to know the basic command. Use IOS Help at the end of both host commands to view the options.)

    SW1(config)#aaa new-model

    SW1(config)#radius-server host 172.1.1.1

    SW1(config)#tacacs-server host 172.2.2.2

    Create a local username / password database.

    SW1(config)#username BRYANT password CCIE

    SW1(config)#username SOPRANO password CCNP

    SW1(config)#username WALNUTS password CCNA

    Configure an AAA authentication method list that will use the RADIUS server first, then the TACACS+ server, then the local database.

    SW1(config)#aaa authentication login default ?

    enable Use enable password for authentication.

    group Use Server-group

    line Use line password for authentication.

    local Use local username authentication.

    local-case Use case-sensitive local username authentication.

    none NO authentication

    SW1(config)#aaa authentication login default group radius tacacs local

    Configure port security on SW2, port 0/5. The port should allow two secure MAC addresses. Change the default port security mode from shutdown to protect.

    SW2(config)#int fast 0/5

    SW2(config-if)#switchport port-security

    Command rejected: Fa0/5 is not an access port.

    SW2(config-if)#switchport mode access

    SW2(config-if)#switchport port-security

    SW2(config-if)#switchport port-security ?

    aging Port-security aging commands

    mac-address Secure mac address

    maximum Max secure addresses

    violation Security violation mode

    SW2(config-if)#switchport port-security maximum 2

    SW2(config-if)#switchport port-security violation protect

    On SW1, configure 0/7 for dot1x authentication. The first step is to enable AAA. While we're at it, configure a default method list for authentication that will use the TACACS server and then any local database. Enable IEEE 802.1x with the dot1x system-auth-control command.

    SW1(config)#aaa new-model

    SW1(config)#aaa authentication dot1x default tacacs

    SW1(config)#dot1x system-auth-control

    Make fast 0/7 an access port and configure it for Auto mode.

    SW1(config-if)#int fast 0/7

    SW1(config-if)#sw mode access

    SW1(config-if)#dot1x port-control auto

    Note: If you attempt to configure dot1x port authentication on a potential trunk port, you'll get the following error:

    SW1(config-if)#dot1x port-control auto

    Command rejected: Dynamic mode enabled on one or more ports.

    Dot1x is supported only on Ethernet interfaces configured in Access,

    Routed or Private-vlan Host Mode.

    SPAN

    Configure Local SPAN session 1 on SW1. Ports fast 0/1 - 5 will be the source ports, and port 0/6 will be the destination port.

    SW1(config)#monitor session 1 source interface fast 0/1 - 5

    SW1(config)#monitor session 1 destination int fast 0/6

    Verify with show monitor. (Remember - it's not show span!)

    SW1#show monitor

    Session 1

    ---------

    Type : Local Session

    Source Ports :

    Both : Fa0/1-5

    Destination Ports : Fa0/6

    Encapsulation : Native

    Ingress: Disabled

    Remove this session with no monitor session 1.

    SW1(config)#no monitor session 1

    We'll now configure a Remote SPAN (RSPAN) session. Create VLAN 45 as the special VLAN that will carry the mirrored traffic.

    SW1(config)#vlan 45

    SW1(config-vlan)#remote-span

    The source port for this configuration will be fast 0/7 on SW1 and the destination will be fast 0/7 on SW2.

    SW1(config)#monitor session 1 source interface fast 0/7

    SW1(config)#monitor session 1 destination remote vlan 45 reflector-port fast 0/12

    SW2 will receive the traffic and send it to a network analyzer on fast 0/7.

    SW2(config)#monitor session 1 source remote vlan 45

    SW2(config)#monitor session 1 destination interface fast 0/7


    Run show monitor to verify the configuration.

    SW2#show monitor

    Session 1

    ---------

    Type : Remote Destination Session

    Source RSPAN VLAN: 45

    Destination Ports : Fa0/7

Encapsulation : Native

Ingress: Disabled
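A SPAN destination port is effectively a tap on everything its sources carry, so which ports are SPAN destinations, and whether the analyzer port can also inject frames (the Ingress flag), is worth auditing. The Python below is an added example, not part of the workbook: it parses show monitor output in the format shown above (the two sessions are re-typed here as constructed input), expands port ranges such as Fa0/1-5, and flags destinations that are not on an approved analyzer list or that have ingress enabled. The approved-port set and the audit function are this example's own, not an IOS feature.

```python
"""Parse Cisco IOS 'show monitor' output and audit the SPAN sessions in it.

Added example (not from the workbook). The two samples below are the
workbook's local SPAN and RSPAN destination sessions, re-typed as
constructed test input.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SW1_SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/1-5
Destination Ports      : Fa0/6
    Encapsulation      : Native
          Ingress      : Disabled
"""

SW2_SHOW_MONITOR = """\
Session 1
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 45
Destination Ports      : Fa0/7
    Encapsulation      : Native
          Ingress      : Disabled
"""


@dataclass
class SpanSession:
    number: int
    session_type: str = ""
    source_ports: dict = field(default_factory=dict)   # direction -> [ports]
    source_rspan_vlan: Optional[int] = None
    destination_ports: list = field(default_factory=list)
    destination_rspan_vlan: Optional[int] = None
    ingress_enabled: bool = False


def expand_ports(spec: str) -> list:
    """Expand an IOS port list: 'Fa0/1-5,Fa0/7' -> ['Fa0/1', ..., 'Fa0/5', 'Fa0/7']."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"([A-Za-z]+[\d/]*/)(\d+)-(\d+)", item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            ports.extend(f"{prefix}{n}" for n in range(lo, hi + 1))
        elif item:
            ports.append(item)
    return ports


def parse_show_monitor(text: str) -> list:
    """Turn 'show monitor' text into SpanSession objects, one per 'Session N' block."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Session (\d+)\s*$", line)
        if m:
            current = SpanSession(number=int(m.group(1)))
            sessions.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Type":
            current.session_type = value
        elif key in ("Both", "RX Only", "TX Only"):       # source port directions
            current.source_ports[key] = expand_ports(value)
        elif key == "Source RSPAN VLAN":
            current.source_rspan_vlan = int(value)
        elif key == "Destination Ports":
            current.destination_ports = expand_ports(value)
        elif key == "Dest RSPAN VLAN":
            current.destination_rspan_vlan = int(value)
        elif key == "Ingress":
            current.ingress_enabled = value.lower().startswith("enabled")
    return sessions


def audit_sessions(sessions, approved_analyzer_ports):
    """Flag destinations that are not approved analyzer ports, destinations
    that accept ingress frames (the analyzer host could inject traffic), and
    sessions with no source at all."""
    findings = []
    for s in sessions:
        for port in s.destination_ports:
            if port not in approved_analyzer_ports:
                findings.append(f"session {s.number}: destination {port} is not an approved analyzer port")
        if s.ingress_enabled:
            findings.append(f"session {s.number}: ingress enabled on {','.join(s.destination_ports)}")
        if not s.source_ports and s.source_rspan_vlan is None:
            findings.append(f"session {s.number}: no source configured")
    return findings


if __name__ == "__main__":
    for name, text in (("SW1", SW1_SHOW_MONITOR), ("SW2", SW2_SHOW_MONITOR)):
        print(name, audit_sessions(parse_show_monitor(text), {"Fa0/6"}))
```

Run against the two sessions with only Fa0/6 approved, SW1 is clean and SW2's Fa0/7 destination is reported, which is the kind of drift you want to catch when someone leaves a mirror session behind after troubleshooting.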

    Multilayer Switching Commands

R2 and R3 are both connected to the multilayer switch in your pod. R2 is on port fast 0/2, R3 on port fast 0/3. Assign the Ethernet0 interfaces on R2 and R3 the IP addresses shown in the diagram below. The routers will serve as hosts for this lab. The hosts will not be able to send pings to each other at this point.

    R2#ping 30.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

    .....

    Success rate is 0 percent (0/5)

    R3#ping 20.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:

    .....

    Success rate is 0 percent (0/5)

To get started, we'll put the port leading to Host 2 into VLAN 22, and the port leading to Host 3 into VLAN 33.

    SW1(config)#int fast 0/2

    SW1(config-if)#switchport mode access

    SW1(config-if)#switchport access vlan 22

    SW1(config-if)#int fast 0/3

    SW1(config-if)#switchport mode access

    SW1(config-if)#switchport access vlan 33

We're going to create two SVIs on the switch, one representing VLAN 22 and the other representing VLAN 33.

Note that both SVIs show as up/up immediately after creation. Some Cisco and non-Cisco documentation mentions that you should bring the SVIs up with no shutdown after creating them, but that's not necessarily the case in the real world. Couldn't hurt, though. :)

What an SVI does depend on is its VLAN: the interface only comes up when the VLAN exists in the VLAN database and at least one port in that VLAN is up. Here both conditions are already met by the access ports we just configured, which is why the SVIs come up on their own. An SVI for a VLAN with no active ports stays down/down, no shutdown or not.

    SW1(config)#int vlan22


    01:30:04: %LINK-3-UPDOWN: Interface Vlan22, changed state to up

    01:30:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan22, changed

    state to up

    SW1(config-if)#ip address 20.1.1.11 255.255.255.0

    SW1(config-if)#int vlan33

    01:30:11: %LINK-3-UPDOWN: Interface Vlan33, changed state to up

    01:30:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan33, changed

    state to up

    SW1(config-if)#ip address 30.1.1.11 255.255.255.0

Verify the SVIs with show interface vlan. I'll only show the top three rows of output for each SVI.

SW1#show int vlan22

Vlan22 is up, line protocol is up

    Hardware is EtherSVI, address is 0012.7f02.4b41 (bia 0012.7f02.4b41)

    Internet address is 20.1.1.11/24

    SW1#show int vlan33

    Vlan33 is up, line protocol is up

    Hardware is EtherSVI, address is 0012.7f02.4b42 (bia 0012.7f02.4b42)

    Internet address is 30.1.1.11/24

    Now let's check that routing table...

    SW1# show ip route

    Default gateway is not set

    Host Gateway Last Use Total Uses Interface

    ICMP redirect cache is empty

Hmm, that's not good. There's no routing table at all! There's a simple reason, though: on L3 switches, we need to enable IP routing, because it's off by default. Until it's on, the switch is an L2 device with management addresses on its SVIs; it won't forward packets between the two VLANs.

    SW1(config)#ip routing

    SW1(config)#^Z

    SW1#show ip route

    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

    o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

    20.0.0.0/24 is subnetted, 1 subnets

C 20.1.1.0 is directly connected, Vlan22

    30.0.0.0/24 is subnetted, 1 subnets

    C 30.1.1.0 is directly connected, Vlan33

Now that looks like the routing table we've come to know and love! In this particular case, there's no need to configure a routing protocol: both subnets are directly connected to the switch. You recall from your CCNA studies that when router-on-a-stick is configured, the IP address assigned to the router's subinterface should be the default gateway setting on the hosts in that VLAN.

When SVIs are in use, the default gateway set on the hosts should be the IP address assigned to the SVI that represents that host's VLAN. After setting this default gateway on the hosts, the hosts can successfully communicate.

Since we're using routers for hosts, we'll use the ip route command to set the default gateway.

    R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.11

    R3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.11

Can the hosts now communicate, even though they're in different VLANs? Yes, they can!

    R2#ping 30.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    R3#ping 20.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ports on multilayer switches can also be configured as routed ports, and have IP addresses assigned directly to them. R4 is connected to the multilayer switch off port fast 0/4. Configure the IP address shown in the diagram on R4's Ethernet0 interface before proceeding.

The ports on a multilayer switch will all be running in L2 mode by default. To configure a port as a routed port, use the no switchport command, followed by the appropriate IP address. Note that in the following configuration, the line protocol on the switch port goes down and comes back up in just a few seconds. A routed port belongs to no VLAN and runs no STP or trunking negotiation, so the L2 commands on it (switchport mode, switchport access vlan) no longer apply.

    SW1(config)#interface fast 0/4

    SW1(config-if)#no switchport

    02:19:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4,

    changed state to down

    02:19:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4,

    changed state to up


    SW1(config-if)#ip address 210.1.1.11 255.255.255.0

    We verify the IP address assignment with show int fast 0/4.

    SW1#show int fast 0/4

    FastEthernet0/4 is up, line protocol is up (connected)

    Hardware is Fast Ethernet, address is 0012.7f02.4b43 (bia 0012.7f02.4b43)

Internet address is 210.1.1.11/24

The switch can now ping 210.1.1.1, the downstream router R4.

    SW1#ping 210.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 210.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Now we'll configure the switch to allow the hosts to ping R4. Right now they can ping 210.1.1.11, the switch's interface in that subnet, but not 210.1.1.1, the router's interface.

The pings do reach R4, since the switch routes them onto 210.1.1.0/24, but R4 has no path to either 20.1.1.0/24 or 30.1.1.0/24, so there's no way for the echo replies to get back to Host 2 or Host 3.

    R4#show ip route

    < code table removed for clarity >

    Gateway of last resort is not set

    C 210.1.1.0/24 is directly connected, FastEthernet0/0

To remedy that, we'll now configure a dynamic routing protocol between the L3 switch and the router. We'll use EIGRP in this case. Keep in mind that the network statements below also enable EIGRP on the SVIs for the host VLANs; in production you would make those host-facing interfaces passive and authenticate the neighbor relationship with R4, so that a host can't form an adjacency and inject routes. For this lab we keep the configuration minimal.

    SW1(config)#router eigrp 100

    SW1(config-router)#no auto-summary

    SW1(config-router)#network 210.1.1.0 0.0.0.255

    SW1(config-router)#network 20.1.1.0 0.0.0.255

    SW1(config-router)#network 30.1.1.0 0.0.0.255

    R4(config)#router eigrp 100

    R4(config-router)#no auto-summary

    R4(config-router)#network 210.1.1.0 0.0.0.255

    The router now has the VLAN subnets in its routing table...

    R4#show ip route

    < code table removed for clarity >

    Gateway of last resort is not set

    20.0.0.0/24 is subnetted, 1 subnets

    D 20.1.1.0 [90/28416] via 210.1.1.11, 00:01:01, FastEthernet0/0

    C 210.1.1.0/24 is directly connected, FastEthernet0/0

    30.0.0.0/24 is subnetted, 1 subnets

    D 30.1.1.0 [90/28416] via 210.1.1.11, 00:01:01, FastEthernet0/0

... and the hosts now have two-way IP connectivity with the router's 210.1.1.1 interface.

    R2#ping 210.1.1.1

    Type escape sequence to abort.


    Sending 5, 100-byte ICMP Echos to 210.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    R3#ping 210.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 210.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    It never hurts to make sure the pings can go the other way, too!

    R4#ping 20.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    R4#ping 30.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
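Once ip routing is on and the VLAN subnets are in EIGRP, the network statements above also put EIGRP on the host-facing SVIs (Vlan22 and Vlan33): the switch sends hellos into the host VLANs and will accept a neighbor from any host there. The Python below is an added example, not the workbook's own code: it parses a running-config constructed to match what this lab built on SW1, works out which L3 interfaces EIGRP actually runs on using IOS network-statement semantics (wildcard mask, or classful when no wildcard is given), and reports host-facing interfaces that are not passive. The hardened variant with passive-interface lines is also constructed; the lab itself doesn't configure them. The function names and the host-facing set are this example's own.

```python
"""Audit a Cisco IOS running-config for the multilayer-switch pieces built in
this lab: 'ip routing', SVIs / routed ports, and which of those interfaces
the EIGRP process will actually run on.

Added example, not from the workbook. The config text is constructed to
match the commands the lab enters on SW1.
"""
import ipaddress
import re

SW1_RUNNING_CONFIG = """\
ip routing
!
interface FastEthernet0/2
 switchport access vlan 22
 switchport mode access
!
interface FastEthernet0/4
 no switchport
 ip address 210.1.1.11 255.255.255.0
!
interface Vlan22
 ip address 20.1.1.11 255.255.255.0
!
interface Vlan33
 ip address 30.1.1.11 255.255.255.0
!
router eigrp 100
 network 210.1.1.0 0.0.0.255
 network 20.1.1.0 0.0.0.255
 network 30.1.1.0 0.0.0.255
 no auto-summary
!
"""

# Same config with the host-facing SVIs made passive (constructed variant).
SW1_HARDENED_CONFIG = SW1_RUNNING_CONFIG.replace(
    " no auto-summary",
    " passive-interface Vlan22\n passive-interface Vlan33\n no auto-summary")


def parse_config(text):
    """Return (ip_routing, interfaces, eigrp) from running-config text."""
    ip_routing = False
    interfaces = {}       # name -> {"ip": IPv4Address or None, "l3": bool}
    eigrp = {"as": None, "networks": [], "passive_default": False,
             "passive": set(), "no_passive": set()}
    stanza = None
    for raw in text.splitlines():
        if not raw.startswith(" "):                  # top-level command
            stanza = None
            if raw.strip() == "ip routing":
                ip_routing = True
            elif (m := re.match(r"interface (\S+)", raw)):
                name = m.group(1)
                # SVIs are L3 by nature; physical ports are L2 until 'no switchport'
                interfaces[name] = {"ip": None, "l3": name.lower().startswith("vlan")}
                stanza = ("if", name)
            elif (m := re.match(r"router eigrp (\d+)", raw)):
                eigrp["as"] = int(m.group(1))
                stanza = ("eigrp", None)
            continue
        cmd = raw.strip()
        if stanza is None:
            continue
        if stanza[0] == "if":
            entry = interfaces[stanza[1]]
            if cmd == "no switchport":
                entry["l3"] = True
            elif (m := re.match(r"ip address (\S+) (\S+)", cmd)):
                entry["ip"] = ipaddress.IPv4Address(m.group(1))
        else:
            if (m := re.match(r"network (\S+)(?: (\S+))?$", cmd)):
                eigrp["networks"].append((m.group(1), m.group(2)))
            elif cmd == "passive-interface default":
                eigrp["passive_default"] = True
            elif (m := re.match(r"(no )?passive-interface (\S+)", cmd)):
                (eigrp["no_passive"] if m.group(1) else eigrp["passive"]).add(m.group(2))
    return ip_routing, interfaces, eigrp


def matches_network(addr, net, wildcard):
    """IOS 'network' semantics: wildcard bits are don't-care; no wildcard means classful."""
    net_int = int(ipaddress.IPv4Address(net))
    if wildcard is None:
        first = net_int >> 24
        bits = 8 if first < 128 else 16 if first < 192 else 24
        wild_int = (1 << (32 - bits)) - 1
    else:
        wild_int = int(ipaddress.IPv4Address(wildcard))
    return (int(addr) | wild_int) == (net_int | wild_int)


def eigrp_active_interfaces(interfaces, eigrp):
    """L3 interfaces EIGRP will send hellos on and accept neighbors from."""
    active = []
    for name, entry in interfaces.items():
        if not entry["l3"] or entry["ip"] is None:
            continue
        if not any(matches_network(entry["ip"], n, w) for n, w in eigrp["networks"]):
            continue
        passive = (eigrp["passive_default"] or name in eigrp["passive"]) \
            and name not in eigrp["no_passive"]
        if not passive:
            active.append(name)
    return sorted(active)


def audit(text, host_facing):
    """Findings for a config; host_facing = names of L3 interfaces that face end hosts."""
    ip_routing, interfaces, eigrp = parse_config(text)
    findings = []
    if not ip_routing:
        findings.append("ip routing is disabled: SVIs and routed ports will not forward between subnets")
    for name in eigrp_active_interfaces(interfaces, eigrp):
        if name in host_facing:
            findings.append(f"EIGRP AS {eigrp['as']} is active on host-facing {name}; make it passive-interface")
    return findings


if __name__ == "__main__":
    print(audit(SW1_RUNNING_CONFIG, {"Vlan22", "Vlan33"}))
    print(audit(SW1_HARDENED_CONFIG, {"Vlan22", "Vlan33"}))
```

The lab config reports both SVIs; the hardened variant reports nothing, and FastEthernet0/4 stays active in both because that's the link that actually needs the adjacency with R4. Dropping the ip routing line reproduces the "no routing table" state from earlier in this section as a finding.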

    And finally.....

SW2(config)#spanning-tree portfast default

    %Warning: this command enables portfast by default on all interfaces. You

    should now disable portfast explicitly on switched ports leading to hubs,

    switches and bridges as they may create temporary bridging loops.

The above command makes Portfast the default setting for all access ports. I didn't want you to configure it early because it wouldn't have worked nicely with a lot of the commands you ran during and after the STP section, but it's a good command to know for the exam and the real world. Take the warning seriously: in production you'd pair this with BPDU guard, so that a Portfast port which receives a BPDU is err-disabled instead of quietly forming a loop with whatever switch got plugged into it.

    To your Cisco success,

    Chris Bryant

    CCIE #12933

    Copyright 2007 The Bryant Advantage. All Rights Reserved.