
Page 1: 39086094 Train Signal CCNP Switched Networks

7/27/2019 39086094 Train Signal CCNP Switched Networks

http://slidepdf.com/reader/full/39086094-train-signal-ccnp-switched-networks 1/28

Cisco Certified Network Professional

Video CBT

LAB SERIES

Building Cisco Multilayer Switched Networks (BCMSN)

CCNP Study Package

Video CBT Lab 24

Advanced Cisco Switched Networks


Advanced Cisco Switched Networks

Cisco CCNP (BCMSN) 

Fast Track CBT Video Lab 24

Part 2 of 4 in the Cisco CCNP Series



About the Authors

Chris Bryant (CCIE #12933) has extensive experience in both the practical and theoretical sides of Cisco technologies. He is the owner of The Bryant Advantage (www.thebryantadvantage.com), a unique training organization that specializes in helping CCNA and CCNP candidates earn their certifications while developing the hands-on skills the market demands. His nine years of IT experience and enthusiastic teaching style enable him to offer Cisco training that is both unique and highly effective. When you finish Chris' Cisco Certified Network Professional Study Package you will know Cisco at a "different level!"

Train Signal, Inc.
400 West Dundee Road
Suite #106
Buffalo Grove, IL 60089
Phone - (847) 229-8780
Fax – (847) 229-8760
www.trainsignal.com

Copyright and other Intellectual Property Information

© Train Signal, Inc., 2002 - 2006. All rights are reserved. No part of this publication, including written work, videos, and on-screen demonstrations (together called “the Information” or “THE INFORMATION”), may not be reproduced or distributed in any form or by any means without the prior written permission of the copyright holder.

Products and company names, including but not limited to, Microsoft, Novell and Cisco, are the trademarks, registered trademarks, and service marks of their respective owners.


Disclaimer and Limitation of Liability

Although the publishers and authors of the Information have made every effort to ensure that the information within it was correct at the time of publication, the publishers and the authors do not assume and hereby disclaim any liability to any party for any loss or damage caused by errors, omissions, or misleading information.

TRAIN SIGNAL, INC. PROVIDES THE INFORMATION "AS-IS." NEITHER TRAIN SIGNAL, INC. NOR ANY OF ITS SUPPLIERS MAKES ANY WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. TRAIN SIGNAL, INC. AND ITS SUPPLIERS SPECIFICALLY DISCLAIM THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. THERE IS NO WARRANTY OR GUARANTEE THAT THE OPERATION OF THE INFORMATION WILL BE UNINTERRUPTED, ERROR-FREE, OR VIRUS-FREE, OR THAT THE INFORMATION WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. YOU ASSUME THE ENTIRE RISK OF SELECTION, INSTALLATION, AND USE OF THE INFORMATION.

IN NO EVENT AND UNDER NO LEGAL THEORY, INCLUDING WITHOUT LIMITATION, TORT, CONTRACT, OR STRICT PRODUCTS LIABILITY, SHALL TRAIN SIGNAL, INC. OR ANY OF ITS SUPPLIERS BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER MALFUNCTION, OR ANY OTHER KIND OF DAMAGE, EVEN IF TRAIN SIGNAL, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL TRAIN SIGNAL, INC. BE LIABLE FOR DAMAGES IN EXCESS OF TRAIN SIGNAL, INC.'S LIST PRICE FOR THE INFORMATION.

To the extent that this Limitation is inconsistent with the locality where you use the Software, the Limitation shall be deemed to be modified consistent with such local law.

Choice of Law:

You agree that any and all claims, suits, or other disputes arising from your use of the Information shall be determined in accordance with the laws of the State of Illinois, in the event Train Signal, Inc. is made a party thereto. You agree to submit to the jurisdiction of the state and federal courts in Cook County, Illinois for all actions, whether in contract or in tort, arising from your use or purchase of the Information.


Welcome to The Bryant Advantage’s BCMSN Lab Workbook!

This lab book has been created by Chris Bryant of The Bryant Advantage for supplemental use with Train Signal’s Lab 24 Cisco CCNP (BCMSN) video training. Used in combination with your own personal Cisco Network or a Cisco Rack Rentals, this book will help you master all the skills you’ll need to pass the BSCI exam and give you a solid foundation for your future Cisco studies. Please reference the Bonus Video – Home Primer Lab video on CD 2 for details about the setup of the lab.

The best way to learn about Cisco technologies is to use them. You’ve got to read to learn the theory, but it’s vital to see the theory in action. With that in mind, let’s take a look at the network topology you’ll use in this lab workbook.

There are two additional Cisco routers in your pod that are not shown here. The first is a router acting as a frame relay switch, which makes it possible to have a frame relay cloud in a practice lab. Your frame relay switch is preconfigured. (If you’d like to see the configuration of a frame relay switch, visit my website and check the Home Lab Help section.)

The second router is the access server; that’s the router you will actually be using Telnet to communicate with. There is no need to change the configuration of this device.

Please Read The Following Rules Carefully. They’re Not The Usual “mumbo jumbo” Legalities.

By connecting to my remote labs, you agree to abide by the following rules.

1. Do not change the configuration of the access server in any way. Doing so may end your session, and a refund will not be given. You will also be prohibited from renting the pods in the future.

2. Do not change the configuration register of any router or switch.

3. You are more than welcome to practice your enable secret, enable password, console password, and telnet passwords. However, you MUST use the passwords “cisco” or “ccna”, without the quotation marks. Upper case or lower case is fine.

Thank you!


Connecting To Your Pod

Getting started with your pod of Cisco routers and 2950 switches is easy! First, you’ll need to Telnet to your access server. Your connection information will be emailed to you when you make your rack reservations.

You can use any Telnet version to connect to your access server. You can use HyperTerminal if you like, but I’ve seen some versions have trouble with Telnet. If you use HyperTerminal and have trouble authenticating, use Telnet by going out to your C: prompt.

From your C: prompt, you can type “telnet” to go into Microsoft telnet, or type “telnet x.x.x.x”, with the IP address in place of the “x”s.

C:\> telnet
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet> open 100.100.100.100
(Put the IP address you were sent in email in place of the “100.100.100.100”.)

User Access Verification
Username:
Password:

OR:

C:\>telnet 100.100.100.100
User Access Verification
Username:
Password:

A few tips for logging in:

1. You will be prompted for a username, then a password.
2. Do not hit the space bar at the end of entering either; this will send a null space and you will not be authenticated.
3. The cursor WILL NOT MOVE when you enter your username and password. That’s a Cisco default. You will not see asterisks, as you do when logging in to most Microsoft products.

After entering your username and password, you’ll be put into privileged exec mode on the access server:


User Access Verification
Password:
THE_BRYANT_ADVANTAGE_16x#

Your three routers and two Cisco 2950 switches are all connected to this access server. Here’s how to access each device.

First, clear the lines leading to the other devices.

THE_BRYANT_ADVANTAGE_16x#clear line 01
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 02
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 03
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 04
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 05
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#

When you see the [confirm] choice, just hit your enter key to accept it.

Now that the lines are cleared, you’re going to connect to each device from your access server. This reads like a long process, but it will only take you a minute or two.

Type R1 at the prompt:

THE_BRYANT_ADVANTAGE_16x#r1
Trying R1 (100.1.1.1, 2001)... Open

R1#

Note: When you see the word “Open”, hit the Enter key again. You’ll then see the prompt for R1.

Now, you need to learn the big keystroke that you’ll be using to go back from the access server. Here it is:

<CTRL-SHIFT-6> <X>


This keystroke is a little awkward at first, but before long you’ll be doing it without thinking about it. You hit ctrl-shift-6 the same way you’d enter ctrl-alt-delete (we all know that one!), then release those keys and hit “x”. Then you’re right back at the access server. Repeat the process for R2, R3, SW1, and SW2.

R1# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#r2
Trying R2 (100.1.1.1, 2002)... Open

R2# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#r3
Trying R3 (100.1.1.1, 2003)... Open

R3# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#sw1
Trying SW1 (100.1.1.1, 2004)... Open

sw1# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#sw2
Trying SW2 (100.1.1.1, 2005)... Open

sw2# < Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#

Remember, you’re always coming back to the access server to get from one router to another. Before long, you’ll be using that keystroke without even thinking about it.

Now that you’ve created those connections, you will use only the number of the connection to go back to each device. At the access server, just type these numbers to get to each device:

1: R1
2: R2
3: R3
4: SW1
5: SW2

Don’t type the entire name of the device again; just type the numbers you see here on the access server, as shown below.

THE_BRYANT_ADVANTAGE_16x#1
[Resuming connection 1 to r1 ... ]
R1#
THE_BRYANT_ADVANTAGE_16x#2
[Resuming connection 2 to r2 ... ]
R2#
THE_BRYANT_ADVANTAGE_16x#3
[Resuming connection 3 to r3 ... ]


R3#
THE_BRYANT_ADVANTAGE_16x#4
[Resuming connection 4 to sw1 ... ]
sw1#
THE_BRYANT_ADVANTAGE_16x#5
[Resuming connection 5 to sw2 ... ]
sw2#
THE_BRYANT_ADVANTAGE_16x#

Don’t forget to hit “enter” again after you see the “resuming connection” message. That will get you to the enable prompt.

That’s all there is to it!

Since this is a switching exam, you'll be spending more of your time on the switches! However, you will use the routers in the HSRP lab.

R1 is connected to the frame relay cloud via Serial0.

R2 is connected to the frame relay cloud via Serial0 and to SW1 via Ethernet0.

R3 is connected to the frame relay cloud via Serial0 and to SW2 via Ethernet0.

SW1 is connected to R2 via fast 0/2 and to SW2 via fast 0/11 and 0/12.

SW2 is connected to R3 via fast 0/3 and to SW1 via fast 0/11 and 0/12.

R1 and R2 are also connected to an ISDN simulator, and there's a direct serial connection between R1 and R3. These connections are not shown because they're not used in this lab book, but you're welcome to use them. ISDN phone numbers will be included in your reservation confirmation email.


VLANs, VTP, and Trunks

Verify the trunk between SW1 and SW2 with show interface trunk.

SW1#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

Create the VTP domain CCNP on SW1. Run show vtp status on SW1 and SW2 to verify.

SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP

SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP

On SW2, change the trunking mode on fast 0/11 and fast 0/12 to dynamic auto, then to unconditional trunking. Note that the trunk doesn't come down.

SW2(config)#int fast 0/11
SW2(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally

SW2(config-if)#switchport mode dynamic auto
SW2(config-if)#switchport mode trunk
SW2(config)#int fast 0/12
SW2(config-if)#switchport mode trunk


Both switches will be VTP server, so create VLAN 32 on either. Run show vlan brief to verify.

SW2(config)#vlan 32
SW2#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
32   VLAN0032                         active

Change the native VLAN to VLAN 32 with the switchport trunk native vlan 32 command. You'll need to configure this on fast 0/11 and fast 0/12 on both switches. Be prepared for the trunk to come down during the process.

SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk native vlan 32
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport trunk native vlan 32

SW2(config)#int fast 0/11
SW2(config-if)#switchport trunk native vlan 32
SW2(config-if)#int fast 0/12
SW2(config-if)#switchport trunk native vlan 32

Run show interface trunk on both switches to ensure that the trunk is up and that the native VLAN was successfully changed. (This is going to sound strange, but get into the habit of checking both switches with show interface trunk. Every once in a while, you'll get a response to this command on one switch that doesn't match up to the other switch's response.)

SW2#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      on           802.1q         trunking      32
Fa0/12      desirable    802.1q         trunking      32

SW1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      32
Fa0/12      desirable    802.1q         trunking      32

On SW1, disable Dynamic Trunking Protocol (DTP) on both fast 0/11 and 0/12.

SW1(config)#int fast 0/11
SW1(config-if)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport nonegotiate
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport nonegotiate


As you quickly noticed, you can't turn DTP off when the port is in any dynamic state. Making the port an unconditional trunk port with switchport mode trunk allowed us to turn DTP off.
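The two things this section has you check by eye on both switches, a trunk still negotiating with DTP (Mode desirable or auto rather than on) and a native VLAN that differs between the two ends, can be checked from the show interface trunk text itself. The following Python audit is an added example, not code from the workbook; the sample output is constructed in the format shown above, and the Fa0/11-to-Fa0/11, Fa0/12-to-Fa0/12 pairing is taken from the topology description.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the format of the `show interface trunk`
# listings above (not captured from the lab switches). Fa0/11 and Fa0/12
# are the SW1<->SW2 links described in the topology section.
SW1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      32
Fa0/12      on           802.1q         trunking      32

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094
"""

SW2_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      on           802.1q         trunking      32
Fa0/12      desirable    802.1q         trunking      1
"""

# Which local port faces which remote port (assumed from the topology section).
LINKS = [("Fa0/11", "Fa0/11"), ("Fa0/12", "Fa0/12")]

# Modes in which DTP is still negotiating. "on" is the result of
# switchport mode trunk; nonegotiate itself is not shown in this output.
DTP_NEGOTIATING = {"desirable", "auto"}

# One data row of the first table: port, mode, encapsulation, status, native VLAN.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

Finding = Tuple[str, str, str]  # (kind, "SWITCH PORT", detail)


def parse_trunks(output: str) -> Dict[str, dict]:
    """Parse the per-port rows of show interface trunk into {port: {mode, status, native}}.

    Rows of the later "Vlans allowed" tables have fewer columns and are skipped.
    """
    trunks: Dict[str, dict] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            port, mode, _encap, status, native = m.groups()
            trunks[port] = {"mode": mode, "status": status, "native": int(native)}
    return trunks


def audit_trunk_pair(local: str, local_out: str, remote: str, remote_out: str,
                     links: List[Tuple[str, str]]) -> List[Finding]:
    """Compare both ends of each trunk link and return the problems found."""
    lt, rt = parse_trunks(local_out), parse_trunks(remote_out)
    findings: List[Finding] = []
    for lport, rport in links:
        ends = [(local, lport, lt.get(lport)), (remote, rport, rt.get(rport))]
        for name, port, entry in ends:
            where = f"{name} {port}"
            if entry is None:
                # Port absent from the listing: it is not trunking on that side at all.
                findings.append(("not-trunking", where, "port not listed as a trunk"))
            elif entry["status"] != "trunking":
                findings.append(("not-trunking", where, entry["status"]))
            elif entry["mode"] in DTP_NEGOTIATING:
                findings.append(("dtp-negotiating", where, entry["mode"]))
        l, r = ends[0][2], ends[1][2]
        if l and r and l["native"] != r["native"]:
            findings.append(("native-mismatch", f"{local} {lport}",
                             f"local {l['native']} vs {remote} {rport} {r['native']}"))
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit_trunk_pair("SW1", SW1_TRUNK, "SW2", SW2_TRUNK, LINKS):
        print(f"{kind:16} {where:12} {detail}")
```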

Prevent traffic for VLAN 1000 from being sent over fast 0/11 and 0/12 on SW1 and SW2 with the switchport trunk allowed vlan command. Verify with show interface trunk.

SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk allowed vlan except 1000
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport trunk allowed vlan except 1000

SW1#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      on           802.1q         trunking      32
Fa0/12      on           802.1q         trunking      32

Port        Vlans allowed on trunk
Fa0/11      1-999,1001-4094
Fa0/12      1-999,1001-4094

Add the VLANs right back with the same command. Verify again with show interface trunk.

SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk allowed vlan add 1000
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport trunk allowed vlan add 1000

Feel free to experiment with this command - add, remove, and the other options. The more you use it, the better you'll be with it on the exam.

Run show vtp status on both switches and note the configuration revision number.

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 1

On SW2, delete VLAN 32. Run show vlan brief on SW2 to verify, then show vtp status to note the configuration revision number.

SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 2


The revision number moved up to 2, as expected. Run both commands on SW1 as well.

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 2

Since we just deleted our native VLAN, it would be a good idea to set that value back to VLAN 1! On SW1, use the switchport trunk native vlan command to do so. Be prepared to see an error message such as the one seen below.

SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk native vlan 1
SW1(config)#int fast 0/12
SW1(config-if)#switchport trunk native vlan 1

05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/11 (1), with SW2 FastEthernet0/11 (32).
05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/12 (1), with SW2 FastEthernet0/12 (32).

The numbers in the parens can be very helpful if you don't spot the problem right away. The first paren is the native VLAN according to the local switch port, and the second paren is the native VLAN according to the remote switch port.

On SW2, use the no switchport trunk native vlan 32 command on both trunk ports. Run show interface trunk to verify the trunk is up and running.

SW2(config)#int fast 0/12
SW2(config-if)#no switchport trunk native vlan 32
SW2(config-if)#int fast 0/11
SW2(config-if)#no switchport trunk native vlan 32
SW2#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      on           802.1q         trunking      1
Fa0/12      on           802.1q         trunking      1

The trunk is up and the native VLAN has reverted back to VLAN 1.

Put SW2 into VTP Client mode and try to create a VLAN on it.

SW2(config)#vtp mode client
Setting device to VTP CLIENT mode.
SW2(config)#vlan 50
VTP VLAN configuration not allowed when device is in CLIENT mode.

Just one more reminder about that little fact. :) Put the switch back into server mode.

SW2(config)#vtp mode server
Setting device to VTP SERVER mode


On SW2, enable VTP pruning. Then check on SW1 and see if pruning shows as enabled on that switch as well.

SW2(config)#vtp pruning
Pruning switched on
SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 64
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Enabled

To finish this section, let's get some practice in with the interface range command. I can't stress this enough - this command can save you a lot of time on Cisco exams as well as when working on production networks. I urge you to get some practice in with this command and be comfortable with it.

Configure ports 0/8 - 10 on both switches with the interface range command. Enable portfast on all three ports, set the speed to 100 Mbps, and the duplex to full.

SW1(config)#interface range fast 0/8 - 10
SW1(config-if-range)#spanning portfast
SW1(config-if-range)#speed 100
SW1(config-if-range)#duplex full

SW2(config)#interface range fast 0/8 - 10
SW2(config-if-range)#spanning portfast
SW2(config-if-range)#speed 100
SW2(config-if-range)#duplex full


Spanning Tree

Keep in mind that the MAC addresses you see in this lab are NOT necessarily going to be the ones you see during your time on my racks, and they won't be the same ones you have in your home lab. When we're going back and forth between root bridges in this exercise, they won't necessarily be the same ones that are the root bridges when you run the labs.

Run show spanning-tree vlan 1 on both switches and identify the root.

SW1#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000e.d7f5.a040
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

On the nonroot bridge, run show spanning vlan 1 and note the port costs.

SW2#show spanning vlan 1
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Root FWD 19        128.11   P2p
Fa0/12           Altn BLK 19        128.12   P2p

We'll now change the root port cost of fast 0/12 with the spanning cost command. Change this cost to 15, then run show spanning vlan 1 again.

SW2(config)#int fast 0/12
SW2(config-if)#spanning-tree cost 15

SW2#show spanning vlan 1
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Root BLK 19        128.11   P2p
Fa0/12           Altn LIS 15        128.12   P2p

The root port selection has changed because fast 0/12's port cost is now less than 0/11. Fast 0/11 goes into blocking mode and 0/12 will go through the STP port states until it reaches the Forwarding state.

Change the STP timers on the root bridge.

SW1(config)#spanning vlan 1 hello 5
SW1(config)#spanning vlan 1 forward-time 12
SW1(config)#spanning vlan 1 max-age 15


On SW2, run show spanning vlan 1. Note that the timers changed under Root ID, but not Bridge ID. The local switch's settings are under Bridge ID, but it's the timer values announced by the Root Bridge that are the ones being used.

SW2#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000e.d7f5.a040
             Cost        15
             Port        12 (FastEthernet0/12)
             Hello Time  5 sec  Max Age 15 sec  Forward Delay 12 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.90e2.14c0
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Make the nonroot bridge the root bridge for VLAN 1 with spanning-tree vlan 1 root primary. Run show spanning vlan 1 to verify.

SW2(config)#spanning-tree vlan 1 root primary
SW2#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.90e2.14c0
             This bridge is the root

Make the new nonroot bridge the root bridge again with the spanning-tree vlan 1 priority command. Set the priority to 10000.

SW1(config)#spanning-tree vlan 1 priority 10000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440

In that case, make it 8192. ;) Verify with show spanning vlan 1.

SW1(config)#spanning-tree vlan 1 priority 8192
SW1#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     000e.d7f5.a040
             This bridge is the root
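The three root-bridge outputs above follow one rule: the bridge with the lowest bridge ID wins, where the displayed priority is the configured priority plus the VLAN number (sys-id-ext) and the MAC address breaks a tie, which is why the root shows 32769, then 24577, then 8193. The Python model below is an added example, not the workbook's code, and ties it together with the priority check that rejected 10000 and the root-port choice by Cost from the earlier output. The root primary rule (24576 if that undercuts the current root's priority, otherwise 4096 below it) and the simplified port tie-break are my assumptions about IOS behaviour; the lab values (32768, 24576, 8192, the two MACs, costs 19 and 15) are the page's.

```python
from typing import Dict, Tuple

PRIORITY_STEP = 4096          # IOS only accepts multiples of 4096 (the error message above)
ROOT_PRIMARY_TARGET = 24576   # value root primary uses when it undercuts the current root


def validate_priority(priority: int) -> bool:
    """True if `spanning-tree vlan N priority <priority>` would be accepted by IOS."""
    return 0 <= priority <= 61440 and priority % PRIORITY_STEP == 0


def mac_to_int(mac: str) -> int:
    """Turn a dotted IOS MAC such as 000e.d7f5.a040 into an integer for tie-breaking."""
    return int(mac.replace(".", ""), 16)


def bridge_id(priority: int, vlan: int, mac: str) -> Tuple[int, int]:
    """Bridge ID with the extended system ID: the displayed priority is priority + VLAN."""
    return (priority + vlan, mac_to_int(mac))


def elect_root(bridges: Dict[str, Tuple[int, str]], vlan: int) -> Tuple[str, int]:
    """Lowest bridge ID wins: lowest priority first, lowest MAC breaks a tie.

    bridges maps switch name -> (configured priority, MAC).
    Returns (winner, priority as show spanning-tree displays it).
    """
    winner = min(bridges, key=lambda n: bridge_id(bridges[n][0], vlan, bridges[n][1]))
    return winner, bridges[winner][0] + vlan


def root_primary(bridges: Dict[str, Tuple[int, str]], name: str, vlan: int) -> int:
    """Apply `spanning-tree vlan N root primary` on `name`; return the priority it picks.

    Assumed IOS macro rule: 24576 if the current root's priority is higher than that,
    otherwise 4096 below the current root's priority. Updates `bridges` in place.
    """
    current_root, _ = elect_root(bridges, vlan)
    root_prio = bridges[current_root][0]
    new_prio = ROOT_PRIMARY_TARGET if root_prio > ROOT_PRIMARY_TARGET else root_prio - PRIORITY_STEP
    bridges[name] = (new_prio, bridges[name][1])
    return new_prio


def choose_root_port(ports: Dict[str, Tuple[int, int, int]]) -> str:
    """Root port on a non-root bridge: lowest cost, then lowest Prio.Nbr.

    ports maps interface -> (cost, port priority, port number), i.e. the Cost and
    Prio.Nbr columns. Breaking ties on the local Prio.Nbr is a simplification that
    holds here because both ends of each link use the same port numbers (0/11, 0/12).
    """
    return min(ports, key=lambda p: ports[p])


if __name__ == "__main__":
    lab = {"SW1": (32768, "000e.d7f5.a040"), "SW2": (32768, "000f.90e2.14c0")}
    print("initial root:", elect_root(lab, 1))
    root_primary(lab, "SW2", 1)
    print("after root primary on SW2:", elect_root(lab, 1))
    lab["SW1"] = (8192, lab["SW1"][1])
    print("after priority 8192 on SW1:", elect_root(lab, 1))
    print("root port:", choose_root_port({"Fa0/11": (19, 128, 11), "Fa0/12": (15, 128, 12)}))
```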


Place port 0/5 on SW1 into Portfast. By now, you know what you'll see! BUT... there's another Portfast option that we'll look at when we come to the end of this lab workbook.

SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/5 but will only
 have effect when the interface is in a non-trunking mode.

Enable Uplinkfast on each switch. Do the same for Backbonefast. Remember, in production networks (and the exam), Uplinkfast is best suited for wiring-closet switches, and Backbonefast should be configured on all switches in the network.

SW1(config)#spanning uplinkfast
SW2(config)#spanning uplinkfast
SW1(config)#spanning backbonefast
SW2(config)#spanning backbonefast

Assume that a third switch will be added to SW2's fast 0/7 port, and this switch must not become the root bridge. Configure Root Guard on this port to meet that requirement.

SW2(config)#int fast 0/7
SW2(config-if)#spanning-tree guard root

On SW1, fast 0/5 has already been configured with Portfast. Just to make sure a switch doesn't get connected to that port, configure BPDU Guard on fast 0/5. This port will now shut down if a BPDU is received on it.

SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree bpduguard
% Incomplete command.
SW1(config-if)#spanning-tree bpduguard ?
  disable  Disable BPDU guard for this interface
  enable   Enable BPDU guard for this interface

SW1(config-if)#spanning-tree bpduguard enable

Enable aggressive UDLD globally on both switches.

SW1(config)#udld aggressive
SW2(config)#udld aggressive


On both switches, run show spanning-tree summary. This command doesn't get mentioned often, but once you've got some STP features running, it's a good command to know. You can see that SW2 isn't the root bridge for any VLAN, and you can also see what features are and are not enabled on this switch.

SW2#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is enabled
BackboneFast                 is enabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
VLAN0001                     1         0        0          1          2
VLAN0080                     1         0        0          1          2
2 vlans                      2         0        0          2          4

Since Loop Guard isn't configured on this switch, let's do so on port 0/1.

SW2(config)#interface fast 0/1
SW2(config-if)#spanning-tree guard loop

Run show spanning summary again and you'll see "Loopguard" is enabled, and the word "default" is gone. When you see default next to a value in this command, you know that it's running at the default.


General Switch Commands

On SW2, configure the switch to autorecover from all port err-disabled conditions with the errdisable recovery cause command. Before selecting "all" as the option, use IOS Help to look at the other options. As you can see, there are a lot of different ways for a port to go into err-disabled state! Set the duration of the err-disabled state to 300 seconds.

SW2(config)#errdisable recovery cause all
SW2(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
SW2(config)#errdisable recovery interval 300

Create an Etherchannel over ports fast 0/11 and 0/12 on each switch. Use PAgP auto mode on SW1 and PAgP desirable on SW2. Be prepared for quite a few "line protocol down" and "line protocol up" messages while you're building the EC.

SW1(config)#int fast 0/11
SW1(config-if)#channel-group 1 mode auto
Creating a port-channel interface Port-channel 1
SW1(config-if)#int fast 0/12
SW1(config-if)#channel-group 1 mode auto

SW2(config)#int fast 0/11
SW2(config-if)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
SW2(config-if)#int fast 0/12
SW2(config-if)#channel-group 1 mode desirable

Verify the EC with show interface trunk. If you don't see anything, check each physical port with show interface fast 0/x and see if the port was placed into err-disabled state during the EC configuration. If so, simply open the interface manually.

SW2#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

For further verification, run show interface port-channel 1. Note the defaults for the speed and duplex. (It's out of the scope of the BCMSN exam, but when an EC is configured on a multilayer switch, it can be made a Layer 3 EC and have an IP address assigned.)

SW2#show interface port-channel 1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 000f.90e2.14cb (bia 000f.90e2.14cb)
  MTU 1500 bytes, BW 200000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 100Mb/s


Hot Standby Routing Protocol

The following lab can be run on routers or switches, and in my racks we're going to run HSRP on R2 and R3. R2's Serial0 interface line protocol must be up as well, so you'll need to bring the Frame Relay interfaces up on R1, R2, and R3. The Frame Relay switch in my labs is preconfigured, so you'll only need to apply the following commands on the routers:

R1:

interface serial0

ip address 172.12.123.1 255.255.255.0

encap frame

no frame inverse

frame map ip 172.12.123.2 122 broadcast

frame map ip 172.12.123.3 123 broadcast

R2:

interface serial0

ip address 172.12.123.2 255.255.255.0

encap frame

no frame inverse

frame map ip 172.12.123.1 221 broadcast

frame map ip 172.12.123.3 221

R3:

interface serial0

ip address 172.12.123.3 255.255.255.0

encap frame

no frame inverse

frame map ip 172.12.123.1 321 broadcast

frame map ip 172.12.123.2 321

Don't forget to open the interfaces!

All interfaces should be able to ping each other. The important thing is that R2's Serial0 line protocol is up.


R2 and R3 are also connected via an Ethernet segment. Configure 172.12.23.2 /24 on R2's e0 interface and 172.12.23.3 /24 on R3's e0 interface. Both ports should be in the same VLAN and pings should be successful between the two routers over that interface.

Configure both routers to use 172.12.23.10 /25 as the IP address of the virtual router. On R2, run show standby to view the HSRP details. If the router isn't in Active or Standby state yet, give it half a minute and run it again.

R2(config)#int e0
R2(config-if)#standby 1 ip 172.12.23.10

R3(config)#int e0
R3(config-if)#standby 1 ip 172.12.23.10

R2#show standby
Ethernet0 - Group 1
Local state is Standby, priority 100
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.170
Virtual IP address is 172.12.23.10 configured
Active router is 172.12.23.3, priority 100 expires in 7.452
Standby router is local
1 state changes, last state change 00:01:07
IP redundancy name is "hsrp-Et0-1" (default)

R2 is the Standby, R3 the Active router. Configure R2 as the Active by setting its priority to 105. Verify with show standby.

R2(config)#int e0
R2(config-if)#standby 1 priority 105
R2#show standby
Ethernet0 - Group 1
Local state is Standby, priority 105
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.832
Virtual IP address is 172.12.23.10 configured
Active router is 172.12.23.3, priority 100 expires in 8.340
Standby router is local
1 state changes, last state change 00:02:40
IP redundancy name is "hsrp-Et0-1" (default)


R2's priority is now higher than R3's, but it's not the Active router. For R2 to become the Active while the current Active router is still online, the preempt option must be configured. Depending on the IOS version, the preempt will either be set at the end of the priority command, or on a line of its own.

R2(config)#int e0
R2(config-if)#standby 1 preempt
R2(config-if)#
07:55:25: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active

We see a message that the local router has gone from Standby to Active, but always verify. Trust, but verify - and we do that with show standby.

R2#show standby
Ethernet0 - Group 1
Local state is Active, priority 105, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 2.394
Virtual IP address is 172.12.23.10 configured
Active router is local
Standby router is 172.12.23.3, priority 100 expires in 7.428
Virtual mac address is 0000.0c07.ac01
2 state changes, last state change 00:00:56
IP redundancy name is "hsrp-Et0-1" (default)

R2 is indeed the Active router.

Change the MAC address of the virtual router to aa-aa-aa-aa-aa-aa with the standby mac-address command. Verify with show standby.

R2(config)#int e0

R2(config-if)#standby 1 mac-address aaaa.aaaa.aaaa 

07:57:57: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Active -> Learn

07:58:09: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Listen -> Active
R2#show standby
Ethernet0 - Group 1
Local state is Active, priority 105, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.800
Virtual IP address is 172.12.23.10 configured
Active router is local
Standby router is 172.12.23.3, priority 100 expires in 9.068
Virtual mac address is aaaa.aaaa.aaaa configured
4 state changes, last state change 00:00:10
IP redundancy name is "hsrp-Et0-1" (default)

Notice the word "configured" next to the MAC address in show standby. That indicates that this particular MAC address was statically configured.


We'll now configure HSRP interface tracking. If the line protocol on R2's Serial0 goes down, we want R3 to become the Active router, since its serial line will still be up.

R2's priority is 105, and R3's is 100. Since the default priority decrement with interface tracking is 10, we'll leave the default in place. Interface tracking only requires one additional command, and if we wanted to change the decrement, that value is placed at the end of the following command:

R2(config-if)#standby 1 track serial0
R2(config-if)#standby 1 track serial0 ?
<1-255>  Priority decrement
<cr>

R2(config-if)#standby 1 track serial0

To test the configuration, R2's Serial0 interface will be shut down. After shutting that port down, run show standby to see the results.

R2(config-if)#int s0
R2(config-if)#shut
R2#show standby
Ethernet0 - Group 1
Local state is Active, priority 95 (confgd 105), may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 2.506
Virtual IP address is 172.12.23.10 configured
Active router is local
Standby router is 172.12.23.3, priority 100 expires in 7.736
Virtual mac address is aaaa.aaaa.aaaa configured
4 state changes, last state change 00:06:36
IP redundancy name is "hsrp-Et0-1" (default)
Priority tracking 1 interface, 0 up:

Interface Decrement State

Serial0 10 Down (administratively down)

The priority did go down, and the priority tracking even shows how the line went down! But this router is still the Active router, even though its priority decremented to 95. Why?

Because R3 needs the HSRP preempt option configured on it as well. A router can't take over from an Active router that's up unless the preempt option is configured.

R3(config)#int e0
R3(config-if)#standby 1 preempt
R3(config-if)#
08:06:22: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active

 Within seconds, R3 becomes the Active router, verifying interface tracking.


 What happens when R2's Serial0 line protocol comes back up? Open it and see!

R2(config)#int s0
R2(config-if)#no shut

08:08:18: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active

08:08:18: %SYS-5-CONFIG_I: Configured from console by console

08:08:19: %LINK-3-UPDOWN: Interface Serial0, changed state to up
08:08:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

 Just that quickly, R2 becomes the Active router again, since its priority incremented by 10 when the line protocol came up.

 Watch that preempt option! ;)
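To tie the R2/R3 steps together, here is an added simulation (not part of the Train Signal lab) of the election rules exercised above: the highest live priority wins, a tie goes to the higher interface address, a better router takes over only if it may preempt, and interface tracking lowers the live priority while the tracked interface is down. Router names, addresses and the Serial0 interface come from the lab; the Python classes are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class HsrpRouter:
    name: str
    ip: str                                    # interface address, HSRP tie-breaker
    priority: int = 100                        # configured priority (IOS default)
    preempt: bool = False                      # 'standby 1 preempt'
    tracked: dict = field(default_factory=dict)      # interface -> decrement
    up_interfaces: set = field(default_factory=set)  # interfaces whose line protocol is up

    def live_priority(self) -> int:
        """Configured priority minus the decrement of each tracked interface that is down."""
        down = (dec for ifc, dec in self.tracked.items() if ifc not in self.up_interfaces)
        return self.priority - sum(down)

def _rank(r: HsrpRouter):
    # Higher live priority wins; a tie goes to the higher interface IP address.
    return (r.live_priority(), tuple(int(o) for o in r.ip.split(".")))

class HsrpGroup:
    def __init__(self, *routers: HsrpRouter):
        self.routers, self.active = list(routers), None

    def run_hellos(self) -> str:
        """Settle one hold time of hellos and return the Active router's name."""
        best = max(self.routers, key=_rank)
        if self.active is None:
            self.active = best          # first election: best router becomes Active
        elif best is not self.active and best.preempt:
            self.active = best          # a better router takes over only if it may preempt
        return self.active.name

def lab_sequence() -> list:
    """Replays the R2/R3 lab steps, returning the Active router after each one."""
    r2 = HsrpRouter("R2", "172.12.23.2", up_interfaces={"Serial0"})
    r3 = HsrpRouter("R3", "172.12.23.3", up_interfaces={"Serial0"})
    group = HsrpGroup(r2, r3)
    result = [group.run_hellos()]       # equal priority: higher IP, R3, is Active
    r2.priority = 105
    result.append(group.run_hellos())   # higher priority but no preempt: R3 stays
    r2.preempt = True
    result.append(group.run_hellos())   # R2 preempts
    r2.tracked["Serial0"] = 10          # 'standby 1 track serial0', default decrement
    r2.up_interfaces.discard("Serial0") # Serial0 shut: R2's live priority is 95
    result.append(group.run_hellos())   # R3 cannot preempt, so R2 stays Active
    r3.preempt = True
    result.append(group.run_hellos())   # R3 takes over
    r2.up_interfaces.add("Serial0")
    result.append(group.run_hellos())   # R2 is back to 105 and preempts again
    return result
```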

Switch Security 

Enable AAA, and assume a RADIUS server at 172.1.1.1. Assume a TACACS server at 172.2.2.2 as well. (RADIUS and TACACS configuration is out of the scope of the BCMSN exam, but it doesn't hurt to know the basic command. Use IOS Help at the end of both host commands to view the options.)

SW1(config)#aaa new-model
SW1(config)#radius-server host 172.1.1.1
SW1(config)#tacacs-server host 172.2.2.2

Create a local username / password database.

SW1(config)#username BRYANT password CCIE
SW1(config)#username SOPRANO password CCNP
SW1(config)#username WALNUTS password CCNA

Configure an AAA authentication method list that will use the RADIUS server first, then the TACACS+ server, then the local database.

SW1(config)#aaa authentication login default ?
enable      Use enable password for authentication.
group       Use Server-group
line        Use line password for authentication.
local       Use local username authentication.
local-case  Use case-sensitive local username authentication.
none        NO authentication

SW1(config)#aaa authentication login default group radius tacacs local


Configure port security on SW2, port 0/5. The port should allow two secure MAC addresses. Change the default port security mode from shutdown to protect.

SW2(config)#int fast 0/5
SW2(config-if)#switchport port-security
Command rejected: Fa0/5 is not an access port.

SW2(config-if)#switchport mode access
SW2(config-if)#switchport port-security
SW2(config-if)#switchport port-security ?
aging        Port-security aging commands
mac-address  Secure mac address
maximum      Max secure addresses
violation    Security violation mode
<cr>

SW2(config-if)#switchport port-security maximum 2
SW2(config-if)#switchport port-security violation protect
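An added model, not from the lab, of what the two settings above do on the port: up to two source MACs are learned as secure, and a third is handled according to the violation mode. It goes beyond the page by including the restrict mode alongside protect and shutdown, following the IOS behaviour of each; the class and the MAC addresses are constructed.

```python
class PortSecurity:
    """Constructed simulation of IOS port security on a single access port."""

    def __init__(self, maximum: int = 1, violation: str = "shutdown"):
        self.maximum = maximum            # switchport port-security maximum
        self.violation = violation        # protect | restrict | shutdown
        self.secure_macs: list = []       # dynamically learned secure addresses
        self.violation_count = 0          # counter a 'show port-security' would display
        self.syslog: list = []            # messages the switch would log (constructed text)
        self.err_disabled = False

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                  # shutdown mode already took the port down
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learn it as a secure address
            return True
        # An unknown source MAC beyond the maximum is a violation.
        if self.violation == "protect":
            return False                  # dropped silently: no log entry, no counter
        self.violation_count += 1
        self.syslog.append(f"port-security violation from {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True      # port goes err-disabled; all traffic stops
        return False


def lab_port() -> dict:
    """Fa0/5 as configured above: two secure MACs, protect mode, four constructed frames."""
    port = PortSecurity(maximum=2, violation="protect")
    frames = ["0000.1111.aaaa", "0000.1111.bbbb", "0000.1111.cccc", "0000.1111.aaaa"]
    return {"forwarded": [port.ingress(m) for m in frames],
            "violations": port.violation_count, "logged": len(port.syslog)}
```

The point for a defender is the last two values: in protect mode the third MAC is dropped but leaves no trace, so restrict or shutdown is what you want when the violation should be visible.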

On SW1, configure 0/7 for dot1x authentication. The first step is to enable AAA. While we're at it, configure a default method list for authentication that will use the TACACS server and then any local database. Enable IEEE 802.1x with the dot1x system-auth-control command.

SW1(config)#aaa new-model
SW1(config)#aaa authentication dot1x default tacacs
SW1(config)#dot1x system-auth-control

Make fast 0/7 an access port and configure it for Auto mode.

SW1(config)#int fast 0/7
SW1(config-if)#sw mode access
SW1(config-if)#dot1x port-control auto

Note: If you attempt to configure dot1x port authentication on a potential trunk port, you'll get the following error:

SW1(config-if)#dot1x port-control auto
Command rejected: Dynamic mode enabled on one or more ports.
Dot1x is supported only on Ethernet interfaces configured in Access, Routed or Private-vlan Host Mode.


SPAN

Configure Local SPAN session 1 on SW1. Ports fast 0/1 - 5 will be the source ports, andport 0/6 will be the destination port.

SW1(config)#monitor session 1 source interface fast 0/1 - 5

SW1(config)#monitor session 1 destination int fast 0/6

Verify with show monitor. (Remember - it's not show span!)

SW1#show monitor
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1-5
Destination Ports : Fa0/6
    Encapsulation : Native
    Ingress       : Disabled

Remove this session with no monitor session 1.

SW1(config)#no monitor session 1

 We'll now configure a Remote SPAN (RSPAN) session. Create VLAN 45 as the special VLAN that will carry the mirrored traffic.

SW1(config)#vlan 45
SW1(config-vlan)#remote-span

The source port for this configuration will be fast 0/7 and the destination will be fast 0/7 on SW2.

SW1(config)#monitor session 1 source interface fast 0/7
SW1(config)#monitor session 1 destination remote vlan 45 reflector-port fast 0/12

SW2 will receive the traffic and send it to a network analyzer on fast 0/7.

SW2(config)#monitor session 1 source remote vlan 45
SW2(config)#monitor session 1 destination interface fast 0/7

Run show monitor to verify the configuration.

SW2#show monitor
Session 1
---------
Type              : Remote Destination Session
Source RSPAN VLAN : 45
Destination Ports : Fa0/7
    Encapsulation : Native
    Ingress       : Disabled


Multilayer Switching Commands 

The BCMSN exam concerns itself with the theory of multilayer switching and some basic commands. Don't worry, you'll get plenty of MLS configs in later studies!

In the meantime, make sure you're comfortable configuring the following multilayer switch commands. At present, you cannot run these commands on my racks.

Enabling IP Routing on a L3 switch:

MLS(config)# ip routing 

 To turn it off, just run no ip routing .

 To configure an L2 port to make it a routing port:

MLS(config-if)# switchport 

 To make a routing port back into a switching port:

MLS(config-if)# no switchport

Also know how to create a VACL access list. Create the ACL, then the VACL, then apply it with the vlan filter command.

SW2(config)#ip access-list extended NO_123_CONTACT
SW2(config-ext-nacl)#permit ip 171.10.10.0 0.0.0.3 172.10.10.0 0.0.0.255

SW2(config)# vlan access-map NO_123 10
SW2(config-access-map)# match ip address NO_123_CONTACT
SW2(config-access-map)# action drop
SW2(config-access-map)# vlan access-map NO_123 20
SW2(config-access-map)# action forward

SW2(config)# vlan filter NO_123 vlan-list 100
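As an added illustration (not from the page), here is a Python model of how the VACL above is evaluated for IP packets: the ACL's permit only means "this traffic matches", the access-map action decides forward or drop, entries are tried in sequence order, and an IP packet matching no entry is dropped. Wildcard 0.0.0.3 covers 171.10.10.0 through .3. The NO_123_BROKEN map is a constructed variant with sequence 20 omitted, to show why that entry matters.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: address bits where the wildcard has a 0 must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# ACL from the page. In a VACL, 'permit' only means "this traffic matches the entry";
# the forward/drop decision comes from the access-map action.
ACLS = {
    "NO_123_CONTACT": [
        ("permit", ("171.10.10.0", "0.0.0.3"), ("172.10.10.0", "0.0.0.255")),
    ],
}

# vlan access-map entries as (sequence, ACL name or None, action).
ACCESS_MAPS = {
    "NO_123": [(10, "NO_123_CONTACT", "drop"),
               (20, None, "forward")],                # no match clause: everything else
    "NO_123_BROKEN": [(10, "NO_123_CONTACT", "drop")], # constructed: sequence 20 left out
}

def acl_matches(acl_name: str, src: str, dst: str) -> bool:
    """First ACL entry whose source and destination both match decides; else no match."""
    for verb, (src_base, src_wc), (dst_base, dst_wc) in ACLS[acl_name]:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return verb == "permit"
    return False    # implicit deny at the end of the ACL

def vacl_action(map_name: str, src: str, dst: str) -> str:
    """Walk the map in sequence order; an IP packet matching no entry is dropped."""
    for _seq, acl, action in sorted(ACCESS_MAPS[map_name], key=lambda e: e[0]):
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"
```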

And finally.....

SW2(config)#spanning portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.

The above command will make Portfast the default setting for all ports. I didn't want you to configure it early because it wouldn't have worked nicely with a lot of the commands you ran during and after the STP section, but it's a good command to know for the exam and the real world.

 To your Cisco success,

Chris Bryant

CCIE #12933