8/11/2019 Guia Switch v3
http://slidepdf.com/reader/full/guia-switch-v3 1/205
CCNP SWITCH Guide v2.0
@ 2013
Contents

Topology ........ 2
DTP ........ 3
Trunks ........ 8
Creating and Managing VLANs ........ 14
Assigning VLANs to Trunks ........ 18
VTP I ........ 22
VTP II: The Configuration Revision number problem in VTP ........ 26
Private VLANs on a single switch ........ 37
Private VLANs connectivity tests ........ 41
Port Protected ........ 43
EtherChannel I PAgP (Port Aggregation Protocol) ........ 47
EtherChannel II without negotiation ........ 51
EtherChannel III Desirable mode ........ 55
EtherChannel III Link Aggregation Control Protocol LACP ........ 58
EtherChannel IV Load-Shared ........ 61
EtherChannel V LACP priority ........ 63
EtherChannel Layer 3 ........ 67
STP default behaviour ........ 71
STP configuration ........ 79
STP BPDU Guard ........ 89
FLEX Link ........ 90
MSTP Multiple Spanning Tree MST 802.1s ........ 95
InterVLAN Routing using an L3 switch ........ 105
InterVLAN Routing between L2/L3 switches ........ 110
IP DHCP ........ 117
InterVLAN Routing with HSRP on L3 switches ........ 121
HSRP using routers ........ 134
HSRP load balancing ........ 146
VRRP using routers ........ 153
L2 Security ........ 160
Overflow Attack ........ 160
CDP Attack ........ 170
STP Root Guard ........ 172
STP PortFast ........ 174
STP BPDU Filter ........ 175
VLAN ACLs vs. securing Telnet sessions ........ 179
SSH ........ 184
SPAN ........ 185
Remote SPAN (RSPAN) ........ 190
Syslog ........ 192
Port Security using macros ........ 195
Blocking UNICAST/MULTICAST ........ 196
MAC filter ........ 197
VACLs ........ 198
DHCP Snooping ........ 201
ARP Spoofing (Poisoning) ........ 205
Topology
DTP

DTP allows a trunk to be negotiated. The possible outcomes, depending on the port mode configured on each end of the link, are:

| Local \ Remote    | Dynamic Auto | Dynamic Desirable | Trunk                | Access               |
|-------------------|--------------|-------------------|----------------------|----------------------|
| Dynamic Auto      | Access       | Trunk             | Trunk                | Access               |
| Dynamic Desirable | Trunk        | Trunk             | Trunk                | Access               |
| Trunk             | Trunk        | Trunk             | Trunk                | Limited connectivity |
| Access            | Access       | Access            | Limited connectivity | Access               |
Recall that the possible port modes are:
Access: user port associated with a VLAN.
Trunk: puts the port permanently in trunk mode and still negotiates the state of the link with the far end.
Non-Negotiate: disables DTP.
Dynamic-Desirable: the port actively tries to convert the link into a trunk with the other end. Looking at the table above, a trunk will form if the other end of the link is dynamic-auto, dynamic-desirable or trunk.
Dynamic Auto (default mode): passive mode; the port will only form a trunk if the other end of the link is dynamic-desirable or trunk.
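As an added example (not code from the lab guide), the following Python script encodes the negotiation table above in a `dtp_outcome()` function and audits `show interfaces ... switchport` output for ports that are still negotiable, i.e. where a neighbour sending "desirable" would bring up a trunk; the function names are mine and the sample output is constructed from the fields this guide shows.

```python
"""DTP outcome model and switchport audit (added example; not from the lab guide)."""
import re

# Administrative modes from the table above. "limited" stands for the guide's
# "Limited connectivity": one end trunks while the other stays in access mode.
_MODES = ("dynamic auto", "dynamic desirable", "trunk", "access")


def dtp_outcome(local: str, remote: str) -> str:
    """Return 'trunk', 'access' or 'limited' for a link given both ends' modes."""
    local, remote = local.lower(), remote.lower()
    if local not in _MODES or remote not in _MODES:
        raise ValueError(f"unknown DTP mode: {local!r} / {remote!r}")
    modes = {local, remote}
    if "access" in modes:
        # Access never trunks; paired with a hard-coded trunk the link is inconsistent.
        return "limited" if "trunk" in modes else "access"
    if "trunk" in modes or "dynamic desirable" in modes:
        return "trunk"          # at least one side initiates or is hard-coded
    return "access"             # dynamic auto on both ends: nobody initiates


# Fields of `show interfaces <if> switchport` that the audit needs.
_FIELD = re.compile(
    r"^(Name|Administrative Mode|Negotiation of Trunking):\s*(.+?)\s*$",
    re.MULTILINE,
)


def parse_switchport(text: str) -> list:
    """Split concatenated `show interfaces ... switchport` output into one dict per port."""
    ports, cur = [], None
    for key, val in _FIELD.findall(text):
        if key == "Name":
            cur = {"Name": val}
            ports.append(cur)
        elif cur is not None:
            cur[key] = val
    return ports


def audit_dtp(ports: list) -> list:
    """Return (port, reason) for every port whose trunk state is still negotiable.

    A port left in dynamic auto/desirable with DTP on becomes a trunk as soon as
    the far end sends 'desirable' (see dtp_outcome), so edge ports should be
    hard-coded 'switchport mode access' and real trunks 'switchport nonegotiate'.
    """
    findings = []
    for p in ports:
        mode = p.get("Administrative Mode", "").lower()
        negotiating = p.get("Negotiation of Trunking", "").lower() == "on"
        if not negotiating:
            continue
        if mode in ("dynamic auto", "dynamic desirable"):
            peer = dtp_outcome(mode, "dynamic desirable")
            findings.append((p["Name"], f"{mode} with DTP on: a desirable neighbour yields '{peer}'"))
        elif mode == "trunk":
            findings.append((p["Name"], "trunk with DTP on: add 'switchport nonegotiate'"))
    return findings


# Constructed sample shaped like the outputs in this guide: a default dynamic
# auto port, a trunk that still runs DTP, and a hard-coded access port.
SAMPLE_SWITCHPORT = """\
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Name: Fa0/7
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Negotiation of Trunking: On
Name: Fa0/8
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
"""


if __name__ == "__main__":
    for port, reason in audit_dtp(parse_switchport(SAMPLE_SWITCHPORT)):
        print(f"{port}: {reason}")
```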
Configure an ISL trunk between DLS1 and DLS2 following these policies:
DLS1 FastEthernet0/6 in permanent trunk mode, constantly attempting negotiation with FastEthernet0/6 on DLS2.
DLS2 FastEthernet0/6 in dynamic auto mode.
In this scenario it is not necessary to configure interface f0/6 on DLS2, since by default it is in dynamic auto mode.
Before configuring, we check the port mode on DLS1.
At the end of the lab, explain:
- Advantages of ISL.
- Structure of ISL (each of its fields and its purpose).
DLS1#sh interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
DLS1#show interfaces trunk
No trunk has formed.
DLS1
interface FastEthernet0/6
switchport trunk encapsulation isl
switchport mode trunk
DLS1#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
DLS2#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 auto n-isl trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1
n-isl = encapsulation negotiated through DTP.
Configure an ISL trunk between DLS1 and DLS2 following these policies:
DLS1 FastEthernet0/7 must actively negotiate trunk formation with the far end of the link. Port FastEthernet0/7 on DLS2 must be in passive mode, waiting to form the trunk.
Note: as in the previous case, verify the port mode.
At the end of the lab, indicate:
- Advantages and disadvantages of DTP. What does Cisco recommend regarding DTP?
- When using the command "sh interfaces fastEthernet 0/7 switchport", explain the meaning of
Administrative Trunking Encapsulation: negotiate
DLS1#sh interfaces fastEthernet 0/7 switchport
Name: Fa0/7
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
DLS1
interface FastEthernet0/7
switchport mode dynamic desirable
DLS1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up
DLS1#show interfaces fastEthernet 0/7 switchport
Name: Fa0/7
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
DLS1#sh interfaces fastEthernet 0/7 trunk
Port Mode Encapsulation Status Native vlan
Fa0/7 desirable n-isl trunking 1
Port Vlans allowed on trunk
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/7 none
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 auto n-isl trunking 1
Fa0/7 auto n-isl trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1
Fa0/7 1
Configure ISL between DLS1 and DLS2. Disable DTP on DLS1.
On both switches remove any existing configuration (interfaces fastEthernet 0/6 and fastEthernet 0/7).
At the end of the lab, indicate:
- Differences between the isl and n-isl encapsulation shown by the command "sh interfaces trunk"
DLSX
default interface range fastEthernet 0/6-7
DLS1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
DLS1#sh interfaces trunk
The existing trunk is lost after resetting the interfaces to their default values.
DLS1
interface FastEthernet0/6
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate
interface FastEthernet0/7
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate
DLS1#show spanning-tree | include Fa0/6|Fa0/7
Fa0/6 Altn BLK 19 128.8 P2p
Fa0/7 Altn BLK 19 128.9 P2p
DLS2#show spanning-tree | include Fa0/6|Fa0/7
Fa0/6 Desg FWD 19 128.8 P2p
Fa0/7 Desg FWD 19 128.9 P2p
The STP results may differ.
DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on isl trunking 1
Fa0/7 on isl trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 none
Fa0/7 none
DLS2
interface FastEthernet0/6
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate
interface FastEthernet0/7
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on isl trunking 1
Fa0/7 on isl trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1
Fa0/7 1
DLS2#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
DLS1
interface range fastEthernet 0/2-5
switchport trunk encapsulation dot1q
switchport mode trunk
DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094
Fa0/4 1-4094
Fa0/5 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 none
Fa0/3 none
Fa0/4 1
Fa0/5 none
ALS1#show interfaces fastEthernet 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
ALS1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 auto 802.1q trunking 1
Fa0/3 auto 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/3 1
As we can see, the L2 2960 switches (ALS1 and ALS2), left in dynamic auto, form the trunk dynamically (DTP) using 802.1q (they do not support ISL). For this task we only need to configure the DLSx switches.
DLS2
interface range fastEthernet 0/2-5
switchport trunk encapsulation dot1q
switchport mode trunk
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094
Fa0/4 1-4094
Fa0/5 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 none
Fa0/3 none
Fa0/4 none
Fa0/5 none
ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 auto 802.1q trunking 1
Fa0/3 auto 802.1q trunking 1
Fa0/4 auto 802.1q trunking 1
Fa0/5 auto 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094
Fa0/4 1-4094
Fa0/5 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
ALS1 and ALS2 must form a trunk using 802.1q. DTP is not allowed between these switches.
Note: the port(s) must be in trunk mode before DTP is disabled; otherwise we get the following warning:
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.
% Range command terminated because it failed on FastEthernet0/2
ALS1
default interface range fastEthernet 0/2-7
ALS2
default interface range fastEthernet 0/2-7
ALS1
interface range fastEthernet 0/2-7
switchport mode trunk
switchport nonegotiate
ALS2
interface range fastEthernet 0/2-7
switchport mode trunk
switchport nonegotiate
ALS1#show dtp interface fastEthernet 0/2
DTP information for FastEthernet0/2:
TOS/TAS/TNS: TRUNK/NONEGOTIATE/TRUNK
TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q
Neighbor address 1: E8BA70CBF604
Neighbor address 2: 000000000000
Hello timer expiration (sec/state): never/STOPPED
Access timer expiration (sec/state): never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state): never/STOPPED
FSM state: S6:TRUNK
ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094
Fa0/4 1-4094
Fa0/5 1-4094
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Fa0/6 1
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Fa0/6 1
Fa0/7 1
ALS1#show interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1
ALS1#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Configure 802.1q between the L3 switches. These switches must actively negotiate trunk formation.
Do not modify the default values of the ports on DLS2.
DLS1
interface range fastEthernet 0/6-7
switchport mode dynamic desirable
DLS1#sh interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
DLS2#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
DLS1#show interfaces fastEthernet 0/7 trunk
Port Mode Encapsulation Status Native vlan
Fa0/7 desirable n-isl trunking 1
Port Vlans allowed on trunk
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/7 none
DLS2#show interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 auto n-isl trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1
Creating and Managing VLANs
Create the following VLANs on DLS1 and verify that they propagate throughout the whole domain:
- 10, 20, 30, 100-105
- VLAN 10 must be the native VLAN.
Use the following VTP parameters:
- version 2
- domain class
Note: check that the VTP protocol version is consistent on all switches.
At the end of the lab, explain:
- What is the native VLAN? What information can it carry? If the native VLAN does not match at both ends, what happens and which protocol detects this behaviour?
- What information does the following output provide:
DLS1#
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/7 because of VTP
domain mismatch.
DLS1#
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/6 because of VTP
domain mismatch.
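Added example (not code from the lab guide): a Python check that parses `show vtp status` from each switch, verifies that the domain name and VTP version are consistent (a switch in a different domain neither syncs VLANs nor negotiates DTP trunks, which is what the %DTP-5-DOMAINMISMATCH log above reports), and flags any switch whose Configuration Revision is higher than the designated server's, since such a switch overwrites the VLAN database of the whole domain. The function names are mine and the sample outputs are constructed in the layout this guide shows; the switch names are the lab's plus a hypothetical NEW switch.

```python
"""VTP domain consistency check (added example; not part of the lab guide)."""
from typing import Dict

_KEYS = ("VTP Version", "Configuration Revision", "VTP Operating Mode",
         "VTP Domain Name", "VTP V2 Mode")


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Pick the fields the check needs out of `show vtp status` output."""
    status = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip() in _KEYS:
            status[key.strip()] = val.strip()
    return status


def check_vtp_domain(statuses: Dict[str, Dict[str, str]], domain: str,
                     server: str, version: str = "running VTP2") -> list:
    """statuses: {switch: parsed status}; server: the switch meant to own the VLAN database.

    Returns (switch, issue) pairs. Domain names must match exactly (they are
    case-sensitive). Any switch, server or client, whose revision exceeds the
    server's will replace the server's VLANs as soon as it joins the domain.
    """
    if server not in statuses:
        raise ValueError(f"no status captured for server {server!r}")
    rev = {n: int(s.get("Configuration Revision", "0")) for n, s in statuses.items()}
    issues = []
    for name, s in statuses.items():
        if s.get("VTP Domain Name") != domain:
            issues.append((name, f"domain {s.get('VTP Domain Name')!r} != {domain!r}: "
                                 "will not sync VLANs or negotiate trunks"))
            continue  # the remaining checks only matter inside the domain
        if s.get("VTP Version") != version:
            issues.append((name, f"version {s.get('VTP Version')!r} != {version!r}"))
        if name != server and rev[name] > rev[server]:
            issues.append((name, f"revision {rev[name]} > {server}'s {rev[server]}: "
                                 "would overwrite the domain's VLAN database"))
    return issues


def _sample(domain: str, revision: int, mode: str = "Server") -> str:
    """Constructed `show vtp status` text in the layout this guide shows."""
    return (f"VTP Version : running VTP2\n"
            f"Configuration Revision : {revision}\n"
            "Maximum VLANs supported locally : 1005\n"
            f"VTP Operating Mode : {mode}\n"
            f"VTP Domain Name : {domain}\n"
            "VTP Pruning Mode : Disabled\n"
            "VTP V2 Mode : Enabled\n")


# Constructed captures: the lab's switches plus a hypothetical NEW switch that
# arrives with a stale, higher revision from another network.
SAMPLES = {
    "DLS1": _sample("class", 1),
    "DLS2": _sample("class", 1),
    "ALS1": _sample("CLASS", 1),   # domain typed in upper case: never joins the domain
    "NEW": _sample("class", 27),   # higher revision than the server
}


if __name__ == "__main__":
    parsed = {name: parse_vtp_status(text) for name, text in SAMPLES.items()}
    for switch, issue in check_vtp_domain(parsed, "class", "DLS1"):
        print(f"{switch}: {issue}")
```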
DLS1
vtp domain class
vtp version 2
vlan 10,20,30,100-105
DLS1#sh vtp status
VTP Version : running VTP2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : class
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xE6 0xC7 0x39 0x8D 0xB9 0x5E 0x5F 0x98
Configuration last modified by 1.1.1.1 at 3-1-93 08:40:28
Local updater ID is 1.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)
DLS2
vtp domain class
vtp version 2
ALS1
vtp domain class
vtp version 2
ALS2
vtp domain class
vtp version 2
DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
100 VLAN0100 active
101 VLAN0101 active
102 VLAN0102 active
103 VLAN0103 active
104 VLAN0104 active
105 VLAN0105 active
1000 VLAN1000 active
DLS1#sh vtp status
VTP Version : running VTP2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 14
VTP Operating Mode : Server
VTP Domain Name : class
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xBE 0xEE 0x27 0xCB 0x4A 0xB7 0xE9 0x5E
Configuration last modified by 1.1.1.1 at 3-1-93 08:46:56
Local updater ID is 1.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)
DLS2#show vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
100 VLAN0100 active
101 VLAN0101 active
102 VLAN0102 active
103 VLAN0103 active
104 VLAN0104 active
105 VLAN0105 active
ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
100 VLAN0100 active
101 VLAN0101 active
102 VLAN0102 active
103 VLAN0103 active
104 VLAN0104 active
105 VLAN0105 active
ALS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
100 VLAN0100 active
101 VLAN0101 active
102 VLAN0102 active
103 VLAN0103 active
104 VLAN0104 active
105 VLAN0105 active
To set the native VLAN we assign it directly on the interface(s) that participate in the trunk. If the trunk is correctly configured we should be able to see the VLANs created by DLS1 throughout the whole domain.
ALS2
interface range fastEthernet 0/2-7
switchport trunk native vlan 10
DLS1#show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ------------------------ ------------------
VLAN0001 FastEthernet0/4 Port VLAN ID Mismatch
VLAN0001 FastEthernet0/5 Port VLAN ID Mismatch
VLAN0010 FastEthernet0/4 Port VLAN ID Mismatch
VLAN0010 FastEthernet0/5 Port VLAN ID Mismatch
Number of inconsistent ports (segments) in the system : 4
DLS2
interface range fastEthernet 0/2-7
switchport trunk native vlan 10
DLS1
interface range fastEthernet 0/2-7
switchport trunk native vlan 10
ALS1
interface range fastEthernet 0/2-7
switchport trunk native vlan 10
%SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/6 on VLAN0010. Port consistency restored.
%SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/6 on VLAN0001. Port consistency restored.
DLS1#show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ------------------------ ------------------
Number of inconsistent ports (segments) in the system : 0
DLS1#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled
DLS2#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled
ALS1#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled
ALS2#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled
Assigning VLANs to Trunks
On each trunk, assign (allow) VLANs according to the following table:

| Interface        | Switches  | VLANs          |
|------------------|-----------|----------------|
| FastEthernet 0/6 | DLS1↔DLS2 | 1,10,20,30,100 |
| FastEthernet 0/2 | DLS2↔ALS2 | 1,10,20,30,101 |
| FastEthernet 0/6 | ALS1↔ALS2 | 1,10,20,30,102 |
| FastEthernet 0/2 | DLS1↔ALS1 | 1,10,20,30,103 |
| FastEthernet 0/4 | DLS1↔ALS2 | 1,10,20,30,104 |
| FastEthernet 0/4 | DLS2↔ALS1 | 1,10,20,30,105 |

Interfaces that do not participate in a trunk must be disabled.
Note: before starting the lab it is important to know which VLANs are associated with the trunks, using the command show interface trunk.
At the end of the lab, explain the meaning of the following log:
- %SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 4094: extended VLAN(s) not allowed in current VTP mode
Create VLANs 31, 32 and 33, add them to all the trunks, and remove VLAN 30 from them.
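Added example (not code from the lab guide): a Python check that parses the "Vlans allowed on trunk" section of `show interfaces trunk`, compares every trunk with the policy table above, and emits the `switchport trunk allowed vlan` line that would bring a port back into policy; it flags trunks still carrying the default 1-4094 (every VLAN, including ones an edge device should never see). The policy shown is ALS2's rows from the table; the captures are constructed in the layout this guide shows.

```python
"""Allowed-VLAN policy check for `show interfaces trunk` (added example; not from the guide)."""
from typing import Dict, Set

ALL_VLANS = frozenset(range(1, 4095))  # the default 'switchport trunk allowed vlan all'


def expand_vlans(spec: str) -> Set[int]:
    """'1,10,20,30,100-105' -> {1, 10, 20, 30, 100, ..., 105}; 'none' -> empty set."""
    vlans = set()
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def vlan_spec(vlans: Set[int]) -> str:
    """Inverse of expand_vlans, in the compact list/range form IOS accepts."""
    out, run = [], []
    for v in sorted(vlans) + [None]:
        if run and (v is None or v != run[-1] + 1):
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if v is not None:
            run.append(v)
    return ",".join(out) or "none"


def parse_allowed(show_trunk: str) -> Dict[str, Set[int]]:
    """Port -> VLAN set from the 'Vlans allowed on trunk' section of `show interfaces trunk`."""
    allowed, in_section = {}, False
    for line in show_trunk.splitlines():
        if line.startswith("Port"):            # every section opens with a 'Port ...' header
            in_section = "allowed on trunk" in line
        elif in_section and line.strip():
            port, spec = line.split(None, 1)
            allowed[port] = expand_vlans(spec)
    return allowed


def check_policy(allowed: Dict[str, Set[int]], policy: Dict[str, Set[int]]) -> list:
    """Compare parsed trunks with the intended policy; return (port, issue, fix) tuples."""
    findings = []
    for port, vlans in allowed.items():
        if port not in policy:
            findings.append((port, "trunk not in policy", f"interface {port}\n shutdown"))
            continue
        want = policy[port]
        fix = f"interface {port}\n switchport trunk allowed vlan {vlan_spec(want)}"
        if vlans == ALL_VLANS:
            findings.append((port, "default: every VLAN (1-4094) allowed", fix))
        elif vlans != want:
            extra, missing = sorted(vlans - want), sorted(want - vlans)
            findings.append((port, f"extra={extra} missing={missing}", fix))
    for port in sorted(policy.keys() - allowed.keys()):
        findings.append((port, "expected trunk is not trunking", "check switchport mode / DTP"))
    return findings


# Policy for ALS2 taken from the table above (Fa0/2 to DLS2, Fa0/4 to DLS1, Fa0/6 to ALS1).
POLICY_ALS2 = {
    "Fa0/2": {1, 10, 20, 30, 101},
    "Fa0/4": {1, 10, 20, 30, 104},
    "Fa0/6": {1, 10, 20, 30, 102},
}

# Constructed captures in the layout of `show interfaces trunk`: before pruning
# (the default seen in the guide) and after, with one slip left on Fa0/6.
BEFORE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      10
Fa0/4       on           802.1q         trunking      10
Fa0/6       on           802.1q         trunking      10

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/4       1-4094
Fa0/6       1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1,10,20,30,100-105
Fa0/4       1,10,20,30,100-105
Fa0/6       1,10,20,30,100-105
"""
AFTER = (BEFORE.replace("Fa0/2       1-4094", "Fa0/2       1,10,20,30,101")
               .replace("Fa0/4       1-4094", "Fa0/4       1,10,20,30,104")
               .replace("Fa0/6       1-4094", "Fa0/6       1,10,20,30,102,105"))

if __name__ == "__main__":
    for sample in (BEFORE, AFTER):
        for port, issue, fix in check_policy(parse_allowed(sample), POLICY_ALS2):
            print(f"{port}: {issue}\n  fix: {fix.replace(chr(10), '; ')}")
```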
DLS1#sh interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 desirable n-isl trunking 10
Port Vlans allowed on trunk
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,100-105
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 none
DLS1
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
shutdown
DLS2
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
shutdown
ALS1
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
shutdown
ALS2
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
shutdown
ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 10
Fa0/4 on 802.1q trunking 10
Fa0/6 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1,10,20,30,100-105
Fa0/4 1,10,20,30,100-105
Fa0/6 1,10,20,30,100-105
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1,10,20,30,100-105
Fa0/4 1,10,20,30,100-105
Fa0/6 1,10,20,30,100-105
DLS1↔DLS2
DLS1
interface FastEthernet0/6
switchport trunk allowed vlan 1,10,20,30,100
DLS2
interface FastEthernet0/6
switchport trunk allowed vlan 1,10,20,30,100
DLS2#show interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 desirable n-isl trunking 10
Port Vlans allowed on trunk
Fa0/6 1,10,20,30,100
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30,100
DLS2↔ALS2
DLS2
interface FastEthernet0/2
switchport trunk allowed vlan 1,10,20,30,101
ALS2
interface FastEthernet0/2
switchport trunk allowed vlan 1,10,20,30,101
ALS2#show interfaces fastEthernet 0/2 trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/2 1,10,20,30,101
Port Vlans allowed and active in management domain
Fa0/2 1,10,20,30,101
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1,10,20,30,101
ALS1↔ALS2
ALS1
interface FastEthernet0/6
switchport trunk allowed vlan 1,10,20,30,102
ALS2
interface FastEthernet0/6
switchport trunk allowed vlan 1,10,20,30,102
ALS2#show interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/6 1,10,20,30,102
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,102
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30,102
DLS1↔ALS1
DLS1
interface FastEthernet0/2
switchport trunk allowed vlan 1,10,20,30,103
ALS1
interface FastEthernet0/2
switchport trunk allowed vlan 1,10,20,30,103
ALS1#show interfaces fastEthernet 0/2 trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/2 1,10,20,30,103
Port Vlans allowed and active in management domain
Fa0/2 1,10,20,30,103
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1,10,20,30,103
DLS1↔ALS2
DLS1
interface FastEthernet0/4
switchport trunk allowed vlan 1,10,20,30,104
ALS2
interface FastEthernet0/4
switchport trunk allowed vlan 1,10,20,30,104
ALS2#show interfaces fastEthernet 0/4 trunk
Port Mode Encapsulation Status Native vlan
Fa0/4 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/4 1,10,20,30,104
Port Vlans allowed and active in management domain
Fa0/4 1,10,20,30,104
Port Vlans in spanning tree forwarding state and not pruned
Fa0/4 1,10,20,30,104
DLS2↔ALS1
DLS2
interface FastEthernet0/4
switchport trunk allowed vlan 1,10,20,30,105
ALS1
interface FastEthernet0/4
switchport trunk allowed vlan 1,10,20,30,105
DLS2#show interfaces fastEthernet 0/4 trunk
Port Mode Encapsulation Status Native vlan
Fa0/4 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/4 1,10,20,30,105
Port Vlans allowed and active in management domain
Fa0/4 1,10,20,30,105
Port Vlans in spanning tree forwarding state and not pruned
Fa0/4 none
VTP I
Setup: erase all configuration information and reload the switch(es) (delete the vlan.dat file and the
configuration file).
Configure an 802.1Q trunk between DLS1 and DLS2 over interface FastEthernet 0/6.
Configure VTP on DLS1 and DLS2 using domain CLASS, version 2, server mode, password cisco.
On DLS1 create VLANs 10 (ENG), 20 (RRHH) and 30 (NATIVA). Allow the newly created VLANs plus VLAN 1 on the
trunk. VLAN 30 must carry the CDP, VTP and PAgP information (that is, it is the native VLAN). Disable Dynamic
Trunking Protocol.
At the end of the lab, answer:
- Which VTP role saves the configuration in the vlan.dat file in flash.
- Which platforms support VTP version 3.
- How the VTP revision number can be reset to 0.
DLS1
vtp version 2
vtp domain CLASS
vtp password cisco
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
switchport nonegotiate
DLS2
vtp version 2
vtp domain CLASS
vtp password cisco
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
switchport nonegotiate
DLS1
vlan 10
name ENG
vlan 20
name RRHH
vlan 30
name NATIVA
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 30
Port Vlans allowed on trunk
Fa0/6 1,10,20,30
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30
DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
10 ENG active
20 RRHH active
30 NATIVA active
DLS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
10 ENG active
20 RRHH active
30 NATIVA active
DLS2#show vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : CLASS
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xD7 0x7F 0x5F 0x97 0x91 0x0A 0x96 0x34
DLS2#show running-config interface fastEthernet 0/6
Building configuration...
Current configuration : 193 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
switchport nonegotiate
end
DLS2
interface FastEthernet0/6
switchport trunk allowed vlan add 50
DLS2#show running-config interface fastEthernet 0/6
Building configuration...
Current configuration : 196 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30,50
switchport mode trunk
switchport nonegotiate
DLS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
10 ENG active
20 RRHH active
30 NATIVA active
50 DATOS active
VTP II: the Configuration Revision number problem in VTP
VTP can cause serious problems if certain precautions are not taken. The following scenario presents a common
problem that occurs when a Catalyst switch is connected with a VTP revision number higher than the one held by
the VTP server: the new switch overwrites all VLAN information and its propagation, because a higher number is
treated as more up-to-date information. VTP v1/v2 has no notion of an authoritative server, so this applies to
servers and clients alike.
Erase all previous configuration.
Shut down all interfaces on all switches (this gives us tighter control from a security standpoint).
Configure 802.1Q trunks with the following layout:
- DLS1 ↔ DLS2 (FastEthernet 0/6).
- DLS1 ↔ ALS1 (FastEthernet 0/2).
- DLS1 ↔ ALS2 (FastEthernet 0/4).
- DLS2 ↔ ALS1 (FastEthernet 0/4).
- DLS2 ↔ ALS2 (FastEthernet 0/2).
- ALS1 ↔ ALS2 (FastEthernet 0/6).
Enable the interfaces that take part in the trunks.
On the trunks allow VLANs 1 and 10-20, excluding VLAN 19. Disable DTP.
DLS1
interface range fastEthernet 0/1-24
shutdown
DLS2
interface range fastEthernet 0/1-24
shutdown
ALS1
interface range fastEthernet 0/1-24
shutdown
ALS2
interface range fastEthernet 0/1-24
shutdown
ALS2#show interfaces status
Port Name Status Vlan Duplex Speed Type
Fa0/1 disabled 1 auto auto 10/100BaseTX
Fa0/2 disabled 1 auto auto 10/100BaseTX
Fa0/3 disabled 1 auto auto 10/100BaseTX
Fa0/4 disabled 1 auto auto 10/100BaseTX
Fa0/5 disabled 1 auto auto 10/100BaseTX
Fa0/6 disabled 1 auto auto 10/100BaseTX
Fa0/7 disabled 1 auto auto 10/100BaseTX
Fa0/8 disabled 1 auto auto 10/100BaseTX
Fa0/9 disabled 1 auto auto 10/100BaseTX
Fa0/10 disabled 1 auto auto 10/100BaseTX
Fa0/11 disabled 1 auto auto 10/100BaseTX
Fa0/12 disabled 1 auto auto 10/100BaseTX
Fa0/13 disabled 1 auto auto 10/100BaseTX
Fa0/14 disabled 1 auto auto 10/100BaseTX
Fa0/15 disabled 1 auto auto 10/100BaseTX
Fa0/16 disabled 1 auto auto 10/100BaseTX
Fa0/17 disabled 1 auto auto 10/100BaseTX
Fa0/18 disabled 1 auto auto 10/100BaseTX
Fa0/19 disabled 1 auto auto 10/100BaseTX
Fa0/20 disabled 1 auto auto 10/100BaseTX
Fa0/21 disabled 1 auto auto 10/100BaseTX
Fa0/22 disabled 1 auto auto 10/100BaseTX
Fa0/23 disabled 1 auto auto 10/100BaseTX
Fa0/24 disabled 1 auto auto 10/100BaseTX
DLS1↔ DLS2 (fastethernet 0/6)
DLS1
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
DLS1#show running-config interface fastEthernet 0/6
Building configuration...
Current configuration : 158 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-18,20
switchport mode trunk
switchport nonegotiate
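The running-config above shows that IOS does not store the three commands as typed (allow 10-20, remove 19, add 1) but as one normalised list, 1,10-18,20. The Python below, added here as an example and not code from the lab guide or from Cisco IOS, models that normalisation so a stored list can be computed or audited offline. The range syntax and the keywords add/remove/except/all/none are IOS's; the parser and compressor are an assumed reimplementation. The security-relevant detail it makes visible is the starting state: a new trunk allows all VLANs 1-4094 and IOS then stores no allowed-vlan line at all, so a hardening review must look at the resulting list, not at the commands someone remembers typing.

```python
"""Model of how Cisco IOS normalises `switchport trunk allowed vlan` lists.

Added example, not code from the lab guide or from Cisco IOS. It reproduces the
behaviour seen in the running-config above, where
    switchport trunk allowed vlan 10-20
    switchport trunk allowed vlan remove 19
    switchport trunk allowed vlan add 1
is stored as the single line `switchport trunk allowed vlan 1,10-18,20`.
Keywords and range syntax are IOS's; the implementation is an assumed reimplementation.
"""

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(text):
    """Parse IOS notation ('1,10-18,20', 'all', 'none') into a set of VLAN IDs."""
    text = text.strip().lower()
    if text == "all":
        return set(ALL_VLANS)
    if text in ("none", ""):
        return set()
    vlans = set()
    for part in text.split(","):
        lo_s, _, hi_s = part.strip().partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Compress a set of VLAN IDs back into IOS notation, e.g. '1,10-18,20'."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    ranges, start, prev = [], ids[0], ids[0]
    for v in ids[1:]:
        if v != prev + 1:            # gap: close the current run
            ranges.append((start, prev))
            start = v
        prev = v
    ranges.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


def apply_allowed_vlan(current, argument):
    """Apply the argument of one `switchport trunk allowed vlan <argument>` command.

    add/remove edit the current set, except means 'everything but', and a bare
    list (or all/none) replaces the set outright, as on IOS.
    """
    keyword, _, rest = argument.strip().partition(" ")
    keyword = keyword.lower()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(argument)


def running_config_line(arguments):
    """Return the allowed-vlan line IOS stores after applying `arguments` in order.

    A new trunk allows every VLAN (1-4094) and IOS stores no allowed-vlan line
    for that default, so None is returned in that case.
    """
    allowed = set(ALL_VLANS)
    for arg in arguments:
        allowed = apply_allowed_vlan(allowed, arg)
    if allowed == ALL_VLANS:
        return None
    return f"switchport trunk allowed vlan {format_vlan_list(allowed)}"


if __name__ == "__main__":
    print(running_config_line(["10-20", "remove 19", "add 1"]))
```

Feeding the same function the sequence from the earlier section (1,10,20,30 then add 50) yields the 1,10,20,30,50 line shown there; `except 1` yields 2-4094, which is what a switch left at the default plus one removal actually permits.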
DLS2
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
DLS2#show running-config interface fastEthernet 0/6
Building configuration...
Current configuration : 160 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-18,20
switchport mode trunk
switchport nonegotiate
end
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/6 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1
DLS1↔ ALS1 (fastethernet 0/2)
DLS1
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
ALS1
interface FastEthernet0/2
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
DLS1↔ ALS2 (fastethernet 0/4)
DLS1
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
ALS2
interface FastEthernet0/4
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
DLS2↔ ALS1 (fastethernet 0/4)
DLS2
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
ALS1
interface FastEthernet0/4
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
ALS1#show interfaces fastEthernet 0/4 trunk
Port Mode Encapsulation Status Native vlan
Fa0/4 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/4 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/4 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/4 1
DLS2↔ ALS2 (fastethernet 0/2)
DLS2
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
ALS2
interface FastEthernet0/2
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
ALS1↔ ALS2 (fastethernet 0/6)
ALS1
interface FastEthernet0/6
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
ALS2
interface FastEthernet0/6
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown
ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1,10-18,20
Fa0/4 1,10-18,20
Fa0/6 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 1
Fa0/6 1
DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1,10-18,20
Fa0/4 1,10-18,20
Fa0/6 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 none
Fa0/4 1
Fa0/6 none
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1,10-18,20
Fa0/4 1,10-18,20
Fa0/6 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 none
Fa0/6 1
Configure VTP on all switches using domain DUOC, version 2, server mode, password duoc. Create Loopback0 on
each switch to use as the updater ID in VTP sessions, with the following layout:
- DLS1 Loopback0 → 10.1.1.1/32
- DLS2 Loopback0 → 10.2.2.2/32
- ALS1 Loopback0 → 10.3.3.3/32
- ALS2 Loopback0 → 10.4.4.4/32
On DLS1 create VLANs 10 to 20. Verify that they have propagated. Remember that VLAN 19 must be excluded on
the trunk, but not locally on DLS1.
DLS1
vlan 10-20
interface Loopback0
ip address 10.1.1.1 255.255.255.255
vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0
DLS2
interface Loopback0
ip address 10.2.2.2 255.255.255.255
vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0
ALS1
interface Loopback0
ip address 10.3.3.3 255.255.255.255
vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0
ALS2
interface Loopback0
ip address 10.4.4.4 255.255.255.255
vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0
DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
13 VLAN0013 active
14 VLAN0014 active
15 VLAN0015 active
16 VLAN0016 active
17 VLAN0017 active
18 VLAN0018 active
19 VLAN0019 active
20 VLAN0020 active
ALS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
13 VLAN0013 active
14 VLAN0014 active
15 VLAN0015 active
16 VLAN0016 active
17 VLAN0017 active
18 VLAN0018 active
19 VLAN0019 active
20 VLAN0020 active
ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
13 VLAN0013 active
14 VLAN0014 active
15 VLAN0015 active
16 VLAN0016 active
17 VLAN0017 active
18 VLAN0018 active
19 VLAN0019 active
20 VLAN0020 active
999 VLAN0999 active
DLS2#show vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
13 VLAN0013 active
14 VLAN0014 active
15 VLAN0015 active
16 VLAN0016 active
17 VLAN0017 active
18 VLAN0018 active
19 VLAN0019 active
20 VLAN0020 active
DLS1#sh vtp status
VTP Version : running VTP2
Configuration Revision : 8
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
VTP Operating Mode : Server
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xAE 0xB8 0xA3 0xDF 0x7E 0xA7 0x83 0x5A
Configuration last modified by 10.2.2.2 at 3-1-93 01:49:42
Local updater ID is 10.1.1.1 on interface Lo0 (preferred interface)
Preferred interface name is Loopback0
The revision number is 8, meaning that revision 8 delivered the most recent information. Now suppose that ALS2
has not yet joined the network but has the same domain name and revision number 8. Since ALS2 is configured as a
VTP server (the default), it stores that information in the vlan.dat file in flash.
We can delete VLANs 10 to 20 on ALS2 and the revision number will increase to 9, as the following example shows.
VTP will treat this as "more up-to-date" information and will remove the VLANs created by DLS1 from every
database in the domain.
ALS2#show vtp status
VTP Version : 2
Configuration Revision : 8
Maximum VLANs supported locally : 255
Number of existing VLANs : 16
VTP Operating Mode : Server
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xAE 0xB8 0xA3 0xDF 0x7E 0xA7 0x83 0x5A
Configuration last modified by 10.2.2.2 at 3-1-93 01:49:42
Local updater ID is 10.4.4.4 on interface Lo0 (preferred interface)
Preferred interface name is Loopback0
ALS2
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
shutdown
no vlan 10-20
ALS2#show vtp status
VTP Version : 2
Configuration Revision : 9
Maximum VLANs supported locally : 255
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x75 0x25 0xD6 0x97 0x64 0xEF 0x6F 0x29
Configuration last modified by 10.4.4.4 at 3-1-93 01:57:08
Local updater ID is 10.4.4.4 on interface Lo0 (preferred interface)
Preferred interface name is Loopback0
ALS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
We bring the interfaces back up and look at the result on the other switches. We have wiped out every VLAN
that DLS1 created!
ALS2
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
no shutdown
DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
DLS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
ALS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
As we can see, using VTP can save configuration time, but there must be a very well thought-out design and
configuration plan; otherwise we could leave an entire network without connectivity.
Based on the example just explained, what solution would you recommend to avoid this serious problem?
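The scenario above is dangerous because nothing in VTP v1/v2 identifies an authoritative server: the highest revision in the domain wins, on servers and clients alike, as long as the domain name and the password-derived digest match. The Python below, added here as an illustration and not code from the lab guide or from Cisco, models that comparison on the lab's four switches, replays the ALS2 takeover, and then replays the rejoin with the three usual precautions: setting the returning switch to transparent mode (IOS resets its revision to 0), changing its domain name and changing it back (same effect), or having the rest of the domain use a VTP password the stale switch does not hold. The digest, the timers and the revision values are simplified and marked as such in the code; only the ordering comparison is faithful.

```python
"""Toy model of VTP (v1/v2) revision handling, reproducing the takeover above.

Added example; not code from the lab guide or from Cisco. A switch accepts a
summary advertisement only if the domain matches, the digest (MD5 over domain,
password and VLAN database, simplified) matches, and the revision is strictly
higher than its own. Subset advertisements, timers and VTP v3 are left out, and
revisions start at 0 here rather than the 8/9 seen in the lab.
"""
import hashlib

DEFAULT_VLANS = {1: "default", 1002: "fddi-default", 1003: "token-ring-default",
                 1004: "fddinet-default", 1005: "trnet-default"}


class VtpSwitch:
    def __init__(self, name, domain, password, mode="server"):
        self.name, self.domain, self.password, self.mode = name, domain, password, mode
        self.revision, self.vlans, self.links = 0, dict(DEFAULT_VLANS), set()

    def digest(self, domain, vlans):
        # Stand-in for the VTP MD5: a peer without the password cannot forge it.
        return hashlib.md5(f"{domain}|{self.password}|{sorted(vlans)}".encode()).hexdigest()

    def link(self, other, up=True):
        """Bring the trunk to `other` up (and exchange advertisements) or down."""
        for a, b in ((self, other), (other, self)):
            (a.links.add if up else a.links.discard)(b)
        if up:
            self.advertise()
            other.advertise()

    def change_vlans(self, add=(), delete=()):
        """Edit the local database (servers only); one edit bumps the revision once."""
        assert self.mode == "server", "only a VTP server edits the VLAN database"
        self.vlans.update({v: f"VLAN{v:04d}" for v in add})
        for v in delete:
            self.vlans.pop(v, None)
        self.revision += 1
        self.advertise()

    def reset(self, mode=None, domain=None):
        """IOS resets the revision to 0 on a change to transparent mode or of the domain name."""
        self.mode = mode or self.mode
        self.domain = domain or self.domain
        self.revision = 0

    def advertise(self):
        if self.mode != "transparent":
            adv = {"domain": self.domain, "revision": self.revision,
                   "digest": self.digest(self.domain, self.vlans), "vlans": dict(self.vlans)}
            for nbr in list(self.links):
                nbr.receive(adv)

    def receive(self, adv):
        """Apply a summary advertisement; True if it overwrote the local database."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["digest"] != self.digest(adv["domain"], adv["vlans"]):
            return False                    # password mismatch: ignored
        if adv["revision"] <= self.revision:
            return False                    # not newer: ignored
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        self.advertise()                    # flood on; peers already at this revision stop it
        return True


LAB_TRUNKS = [("DLS1", "DLS2"), ("DLS1", "ALS1"), ("DLS1", "ALS2"),
              ("DLS2", "ALS1"), ("DLS2", "ALS2"), ("ALS1", "ALS2")]


def stale_server_rejoins(harden=None):
    """ALS2 is cut off, deletes VLANs 10-20, then rejoins the DUOC domain.

    harden=None           as in the lab: ALS2's higher revision wipes every switch
    harden="transparent"  ALS2 set to transparent before rejoining (revision 0)
    harden="domain"       ALS2's domain changed and changed back first (revision 0)
    harden="password"     the rest of the domain rotated the VTP password
    Returns (sorted VLAN IDs on DLS1, sorted VLAN IDs on ALS2) afterwards.
    """
    sw = {n: VtpSwitch(n, "DUOC", "duoc") for n in ("DLS1", "DLS2", "ALS1", "ALS2")}
    for a, b in LAB_TRUNKS:
        sw[a].link(sw[b])
    sw["DLS1"].change_vlans(add=range(10, 21))      # propagates to all four
    als2, peers = sw["ALS2"], [sw[n] for n in ("DLS1", "DLS2", "ALS1")]
    for p in peers:
        als2.link(p, up=False)                      # shutdown Fa0/2, 0/4, 0/6
    als2.change_vlans(delete=range(10, 21))         # 'no vlan 10-20' bumps the revision
    if harden == "transparent":
        als2.reset(mode="transparent")
    elif harden == "domain":
        als2.reset(domain="SCRATCH")
        als2.reset(domain="DUOC")
    elif harden == "password":
        for p in peers:
            p.password = "duoc-2"
    for p in peers:
        als2.link(p)                                # no shutdown
    return sorted(sw["DLS1"].vlans), sorted(als2.vlans)
```

Of the three precautions, only the domain-name trick leaves ALS2 with the correct database as well (it comes back at revision 0 and re-learns from the domain); transparent mode protects the domain but leaves ALS2 with whatever it had locally, and a password rotation protects the domain only for as long as the stale switch does not know the new password.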
Private VLANs on a single switch
Build the following topology:
Assign the following addressing:
PC IP
PC1 10.1.1.1/24
PC2 10.1.1.2/24
PC3 10.1.1.3/24
Check that all PCs can communicate with each other. Note: since the switches have no previous configuration,
they will use VLAN 1 as the broadcast domain. Disable the firewall on the PCs.
Note: on Catalyst 4500 and higher platforms, PVLANs can be enabled on trunks (switchport mode private-vlan
trunk).
PC3
C:\>ping 10.1.1.1
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
Reply from 10.1.1.1: bytes=32 time=2ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms
C:\>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time<1ms TTL=128
Reply from 10.1.1.2: bytes=32 time<1ms TTL=128
Reply from 10.1.1.2: bytes=32 time<1ms TTL=128
Reply from 10.1.1.2: bytes=32 time<1ms TTL=128
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
DLS1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
DLS1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
DLS1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
Configure Private VLANs based on the following table:
Device VLAN type VLAN ID
Router Primary 100
PC1 Community 200
PC2 Community 200
PC3 Isolated 300
Private VLANs require a series of steps:
1. Put the switch in VTP transparent mode (VTP v1/v2 does not carry private-VLAN information).
2. Create the primary VLAN.
3. Define the secondary VLANs.
4. Associate the secondary VLANs with the primary VLAN.
DLS1
vtp mode transparent
DLS1#sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
DLS1
vlan 100
name VLAN_PRIMARIA
private-vlan primary
private-vlan association 411,421,431
vlan 200
private-vlan community
vlan 300
private-vlan isolated
DLS1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 primary
200 community
300 isolated
DLS1
vlan 100
private-vlan association add 200,300
DLS1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 community
100 300 isolated
The next step is to configure interface FastEthernet 0/4 (which connects to the router) in promiscuous mode and
map the primary VLAN to the secondary VLANs.
DLS1
interface FastEthernet0/4
switchport private-vlan mapping 100 200,300
switchport mode private-vlan promiscuous
DLS1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 community Fa0/4
100 300 isolated Fa0/4
On the ports that connect the hosts, create the host association and set the ports to host mode.
DLS1
interface FastEthernet0/1
switchport private-vlan host-association 100 200
switchport mode private-vlan host
spanning-tree portfast
interface FastEthernet0/2
switchport private-vlan host-association 100 200
switchport mode private-vlan host
spanning-tree portfast
interface FastEthernet0/3
switchport private-vlan host-association 100 300
switchport mode private-vlan host
spanning-tree portfast
DLS1#sh interfaces fastEthernet 0/4 switchport
Name: Fa0/4
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (VLAN_PRIMARIA) 200 (VLAN0200) 300 (VLAN0300)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
DLS1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 community Fa0/1, Fa0/2, Fa0/4
100 300 isolated Fa0/3, Fa0/4
Association between the host ports and the promiscuous port (figure callout).
Private VLANs: connectivity tests
Based on what we have studied, PC1 and PC2 should have connectivity with each other and with the router, which
sits on the promiscuous port. PC3, on the isolated VLAN, should reach only the router.
PC2
C:\>ping 10.1.1.1
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping 10.1.1.100
Pinging 10.1.1.100 with 32 bytes of data:
Reply from 10.1.1.100: bytes=32 time=38ms TTL=255
Reply from 10.1.1.100: bytes=32 time=15ms TTL=255
Reply from 10.1.1.100: bytes=32 time=16ms TTL=255
Reply from 10.1.1.100: bytes=32 time=31ms TTL=255
Ping statistics for 10.1.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 38ms, Average = 25ms
PC3
C:\>ping 10.1.1.1
Pinging 10.1.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 10.1.1.100
Pinging 10.1.1.100 with 32 bytes of data:
Reply from 10.1.1.100: bytes=32 time=23ms TTL=255
Reply from 10.1.1.100: bytes=32 time=16ms TTL=255
Reply from 10.1.1.100: bytes=32 time=31ms TTL=255
Reply from 10.1.1.100: bytes=32 time=15ms TTL=255
Ping statistics for 10.1.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 31ms, Average = 21ms
Port Protected
Create VLAN 111 on ALS1.
Configure interfaces Fa0/10 and Fa0/11 as access ports as shown in the figure. Test whether there is connectivity
between the PCs. Then enable protected ports (switchport protected).
Check that the PCs can communicate with the router but not with each other.
Note: both ports must be in protected mode for them to be isolated from each other; a protected port still
forwards to any unprotected port in the same VLAN.
ALS1
vlan 111
name PORT-PROTECTED
interface FastEthernet0/10
switchport access vlan 111
switchport mode access
spanning-tree portfast
interface FastEthernet0/11
switchport access vlan 111
switchport mode access
spanning-tree portfast
PC1
C:\>ping 10.1.12.2 -t
Pinging 10.1.12.2 with 32 bytes of data:
Reply from 10.1.12.2: bytes=32 time<1ms TTL=128
Reply from 10.1.12.2: bytes=32 time<1ms TTL=128
Reply from 10.1.12.2: bytes=32 time<1ms TTL=128
Reply from 10.1.12.2: bytes=32 time<1ms TTL=128
Reply from 10.1.12.2: bytes=32 time<1ms TTL=128
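The private-VLAN lab and the protected-port lab above verify the same kind of rule with ping: which ports of one switch may exchange frames at layer 2. The Python below, added here as an example and not code from the lab guide or from Cisco, encodes those rules once and evaluates both labs' port tables against them, so the expected ping matrix can be derived before touching the switch. Port roles and VLAN numbers follow the two tables; the router uplink in the protected-port lab is given the assumed name Fa0/12 because the guide does not show it.

```python
"""Forwarding model for private VLANs and protected ports on one switch.

Added example, not code from the lab guide or from Cisco. It encodes the rules
the two labs verify with ping:
  - a promiscuous port talks to every port of its primary VLAN;
  - community ports talk to their own community and to promiscuous ports;
  - isolated ports talk only to promiscuous ports;
  - protected ports in an ordinary VLAN reach unprotected ports of that VLAN
    but never each other (both ends must be protected to be isolated).
The uplink port name in the protected-port lab (Fa0/12) is assumed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int                        # primary VLAN (PVLAN ports) or access VLAN
    role: str = "access"             # access | promiscuous | community | isolated
    secondary: Optional[int] = None  # community or isolated VLAN for PVLAN host ports
    protected: bool = False          # `switchport protected` on an access port


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame entering `src` may be switched out of `dst` at layer 2."""
    if src is dst or src.vlan != dst.vlan:
        return False
    roles = {src.role, dst.role}
    if "promiscuous" in roles:
        return True                                # the router port reaches everything
    if roles == {"community"}:
        return src.secondary == dst.secondary      # same community only
    if "isolated" in roles or "community" in roles:
        return False                               # isolated<->host, community<->isolated
    return not (src.protected and dst.protected)   # plain access ports


def reachability(ports):
    """Map each port name to the sorted names of the ports it can forward to."""
    return {p.name: sorted(q.name for q in ports if can_forward(p, q)) for p in ports}


# Lab "Private VLANs on a single switch": primary 100, community 200, isolated 300.
PVLAN_LAB = [
    Port("Fa0/4", 100, "promiscuous"),             # router
    Port("Fa0/1", 100, "community", 200),          # PC1
    Port("Fa0/2", 100, "community", 200),          # PC2
    Port("Fa0/3", 100, "isolated", 300),           # PC3
]

# Lab "Port Protected": VLAN 111, both PC ports protected, router uplink not.
PROTECTED_LAB = [
    Port("Fa0/10", 111, protected=True),
    Port("Fa0/11", 111, protected=True),
    Port("Fa0/12", 111),                           # assumed router port
]

if __name__ == "__main__":
    for lab in (PVLAN_LAB, PROTECTED_LAB):
        for src, dsts in reachability(lab).items():
            print(f"{src:7} -> {', '.join(dsts) or '(nothing)'}")
```

The model also shows the failure mode the note above warns about: with `protected` set on only one of the two PC ports, `can_forward` still returns True between them.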
EtherChannel I PAgP (Port Aggregation Protocol)
Create a trunk by bundling interfaces f0/6 and f0/7 of DLS1 and DLS2. Use the industry-standard protocol. As a
result we should see a single link from STP's point of view. If one link fails there should be no traffic
interruption. DLS1 must only respond if a negotiation is started from the other end, i.e. it must take the
passive role. DLS2 must actively try to form the EtherChannel.
SW1 configured with        SW2 configured with   EtherChannel formed?
Desirable (PAgP, Cisco)    Desirable             Yes
Desirable (PAgP, Cisco)    Auto                  Yes
Auto                       Auto                  No
PAgP modes:
On: there is no PAgP negotiation. The other end must also be in mode on.
Auto (default): responds to PAgP messages but does not start the negotiation. The port channel is formed as long
as the other end is in desirable mode.
Desirable: the port actively tries to form an EtherChannel. For the port channel to form, the other end must be
configured in auto or desirable mode.
Recommended procedure:
1. Use default interface to return the interface to its default (unconfigured) state.
2. Create a channel-group on the physical interface (assigning an identifying number); a port channel is created
automatically.
3. (Very important) define the trunk on the port channel (encapsulation, mode, ...).
At the end of the lab, explain:
- The purpose of the non-silent keyword together with auto and desirable.
- What information the show pagp internal command provides.
------------------------------------------------------------------------------------------------------------------------
Example of EtherChannel (channel-group) modes
DLS1(config)#interface range fastEthernet 0/6-7
DLS1(config-if-range)#channel-group 1 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected
------------------------------------------------------------------------------------------------------------------------
DLS2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         1-4094

Port        Vlans allowed and active in management domain
Po1         1

Port        Vlans in spanning tree forwarding state and not pruned
Po1         1

DLS2#show interfaces fastEthernet 0/6 switchport | include Mode
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po1)
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled

DLS1#show interfaces fastEthernet 0/6 switchport | include Mode
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po1)
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled

As far as trunking goes the port-channel is operational, but we still have to confirm that Spanning Tree sees the bundle as a single link. We have not created any VLANs, so the default VLAN serves as the reference. In the following output STP shows only one link: the port-channel.
DLS2#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5688.7900
Cost 31
Port 56 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 3037.a6eb.d580
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Root FWD 12 128.56 P2p
DLS1#sh spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address e8ba.70cb.f600
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 12 128.56 P2p
EtherChannel II without negotiation (mode on)

DLS1
default interface range fastEthernet 0/2-3
interface FastEthernet0/2
channel-group 2 mode on
no shut
interface FastEthernet0/3
channel-group 2 mode on
no shut
interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk
ALS1
default interface range fastEthernet 0/2-3
interface FastEthernet0/2
channel-group 2 mode on
no shut
interface FastEthernet0/3
channel-group 2 mode on
no shut
interface Port-channel2
switchport mode trunk
DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 1-4094
Po2 1-4094
Port Vlans allowed and active in management domain
Po1 1
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po1 1
Po2 1
ALS1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po2 1-4094
Port Vlans allowed and active in management domain
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po2 1
ALS1#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
2 Po2(SU) - Fa0/2(P) Fa0/3(P)
DLS1#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) PAgP Fa0/6(P) Fa0/7(P)
2 Po2(SU) - Fa0/2(P) Fa0/3(P)
DLS1#sh etherchannel protocol
Channel-group listing:
----------------------
Group: 1
----------
Protocol: PAgP
Group: 2
----------
Protocol: - (Mode ON)
ALS1#show etherchannel protocol
Channel-group listing:
----------------------
Group: 2
----------
Protocol: - (Mode ON)
ALS1#show spanning-tree interface port-channel 2
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 12 128.64 P2p
DLS1#sh spanning-tree interface port-channel 2
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Root FWD 12 128.64 P2p
EtherChannel III desirable mode
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
2 Po2(SU) PAgP Fa0/2(P) Fa0/3(P)
DLS2#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) PAgP Fa0/6(P) Fa0/7(P)
2 Po2(SU) PAgP Fa0/2(P) Fa0/3(P)
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 1-4094
Po2 1-4094
Port Vlans allowed and active in management domain
Po1 1
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po1 1
Po2 1
ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po2 1-4094
Port Vlans allowed and active in management domain
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po2 1
ALS2#show etherchannel protocol
Channel-group listing:
----------------------
Group: 2
----------
Protocol: PAgP
DLS2#show etherchannel protocol
Channel-group listing:
----------------------
Group: 1
----------
Protocol: PAgP
Group: 2
----------
Protocol: PAgP
Another useful command for verifying the port-channel is show interfaces <interface> etherchannel. Explain each field of its output.

DLS2#show interfaces fastEthernet 0/2 etherchannel
Port state    = Up Mstr In-Bndl
Channel group = 2           Mode = Desirable-Sl     Gcchange = 0
Port-channel  = Po2         GC   = 0x00020001       Pseudo port-channel = Po2
Port index    = 0           Load = 0x00             Protocol =   PAgP

Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.
        d - PAgP is down.
Timers: H - Hello timer is running.        Q - Quit timer is running.
        S - Switching timer is running.    I - Interface timer is running.

Local information:
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Fa0/2     SC    U6/S7   H       30s      1        128        Any      5002

Partner's information:
          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Fa0/2     ALS2                 0022.5688.7900   Fa0/2       21s SC      20001

Age of the port in the current state: 0d:00h:06m:28s
EtherChannel III Link Aggregation Control Protocol LACP

Configure a trunk between ALS1 and ALS2 as shown in the figure. As a result STP should see a single link, and if one link fails traffic must not be interrupted. Configure LACP. ALS1 must be in passive mode; ALS2 must actively try to form the EtherChannel.

PortChannel (LACP)
SW1 configured with      SW2 configured with      EtherChannel?
Active                   Active                   Yes
Active                   Passive                  Yes
Passive                  Passive                  No
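The two compatibility tables (the PAgP one in the first EtherChannel lab and the LACP one above) and the "define the trunk on the port-channel" rule can be checked before touching a switch. The following is an added example, not code from the guide: it decides whether two ends will bundle from their channel-group modes, and flags member ports whose attributes differ from the first member, which IOS suspends instead of bundling. The attribute names (speed, duplex, switchport_mode, encapsulation, allowed_vlans) and the port() helper are this example's own simplification of what IOS compares.

```python
"""Added example: EtherChannel negotiation and member-consistency check.

Mode rules as tabulated in the labs:
  PAgP : desirable+desirable and desirable+auto bundle; auto+auto does not
  LACP : active+active and active+passive bundle; passive+passive does not
  on   : bundles only against on, with nothing negotiated or verified
A PAgP mode facing an LACP mode never negotiates.
"""

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"active", "passive"}

# Assumed list of per-port attributes that must match across members (simplified).
CHECKED_ATTRS = ("speed", "duplex", "switchport_mode", "encapsulation", "allowed_vlans")


def negotiation_result(mode_a, mode_b):
    """Return (bundles, protocol) for one pair of channel-group modes."""
    if "on" in (mode_a, mode_b):
        # Static bundling: both ends must say 'on'. No protocol runs, so a far end
        # that is not bundled goes unnoticed here (a loop that only STP may catch).
        return (mode_a == mode_b, "none")
    pair = {mode_a, mode_b}
    if pair <= PAGP_MODES:
        return ("desirable" in pair, "PAgP")
    if pair <= LACP_MODES:
        return ("active" in pair, "LACP")
    return (False, "none")  # PAgP mode against LACP mode, or an unknown keyword


def inconsistent_members(ports):
    """Ports whose checked attributes differ from the first member of the group."""
    ref = ports[0]
    bad = []
    for p in ports[1:]:
        diffs = [a for a in CHECKED_ATTRS if p.get(a) != ref.get(a)]
        if diffs:
            bad.append((p["name"], diffs))
    return bad


def check_bundle(side_a, side_b):
    """side_x = {"mode": channel-group mode, "ports": [port dicts]}.

    Returns (bundles, protocol, problems); bundles is True only when the modes
    are compatible and every member on both sides is consistent.
    """
    problems = []
    bundles, proto = negotiation_result(side_a["mode"], side_b["mode"])
    if not bundles:
        problems.append(f"modes {side_a['mode']}/{side_b['mode']} do not bundle")
    for label, side in (("A", side_a), ("B", side_b)):
        for name, diffs in inconsistent_members(side["ports"]):
            problems.append(f"side {label} port {name} differs in {', '.join(diffs)}")
    return (bundles and not problems, proto, problems)


def port(name, **overrides):
    """Constructed member port with the lab's defaults: 100 Mbps full-duplex dot1q trunk."""
    p = {"name": name, "speed": 100, "duplex": "full",
         "switchport_mode": "trunk", "encapsulation": "dot1q", "allowed_vlans": "1-4094"}
    p.update(overrides)
    return p


if __name__ == "__main__":
    # The LACP lab: ALS1 passive, ALS2 active, members Fa0/6-7 on both.
    als1 = {"mode": "passive", "ports": [port("Fa0/6"), port("Fa0/7")]}
    als2 = {"mode": "active", "ports": [port("Fa0/6"), port("Fa0/7")]}
    print(check_bundle(als1, als2))  # (True, 'LACP', [])
    # Same, but one member on ALS2 was left as an access port.
    als2_bad = {"mode": "active",
                "ports": [port("Fa0/6"), port("Fa0/7", switchport_mode="access")]}
    print(check_bundle(als1, als2_bad))
```

Run the checker against the intended configuration of both ends before applying it; the member-consistency test is the reason step 3 of the recommended procedure puts the trunk settings on the port-channel interface, where they are inherited by every member.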
ALS1
default interface range fastEthernet 0/6-7
interface range fastEthernet 0/6-7
channel-group 1 mode passive
interface Port-channel1
switchport mode trunk
ALS2
default interface range fastEthernet 0/6-7
interface range fastEthernet 0/6-7
channel-group 1 mode active
interface Port-channel1
switchport mode trunk
ALS1#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/6(P) Fa0/7(P)
2 Po2(SU) - Fa0/2(P) Fa0/3(P)
ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/6(P) Fa0/7(P)
2 Po2(SU) PAgP Fa0/2(P) Fa0/3(P)
ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 1-4094
Po2 1-4094
Port Vlans allowed and active in management domain
Po1 1
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po1 1
Po2 1
ALS2#show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group 1 neighbors
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/6 SP 32768 0022.5689.5d80 17s 0x1 0x6 0x3C
Fa0/7 SP 32768 0022.5689.5d80 16s 0x1 0x7 0x3C
DLS2#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
IPv4: Destination IP address
IPv6: Destination IP address
EtherChannel V LACP priority

Add interfaces Fa0/13 through Fa0/20 to Port-channel Po2 on DLS2 and ALS2 (ten members in total, so only eight can be active).
Ports Fa0/13 and Fa0/18 must remain in standby. Use the appropriate priority.

At the end of the lab, indicate:
- Which mechanism PAgP uses to obtain the same behaviour, that is, backup ports inside a port-channel.
DLS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
channel-group 2 mode active
interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk
ALS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
channel-group 2 mode active
interface Port-channel2
switchport mode trunk
ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/6(P) Fa0/7(P)
2      Po2(SU)         LACP      Fa0/2(P)    Fa0/3(P)    Fa0/13(P)
                                 Fa0/14(P)   Fa0/15(P)   Fa0/16(P)
                                 Fa0/17(P)   Fa0/18(P)   Fa0/19(H)
                                 Fa0/20(H)
The output above shows that the standard protocol LACP (IEEE 802.3ad) can build a port-channel with up to 16 ports, but only 8 stay active; the rest act as backups. Here, with no additional configuration, the LACP process itself chose which ports are active and which are standby (Fa0/19 and Fa0/20). In this lab the backup ports must be Fa0/13 and Fa0/18. Keep in mind that the switch with the lower LACP system ID (system priority first, then MAC address) decides which physical links are primary and which are secondary; in this case that should be ALS2. This matters because the port priorities have to be configured on the Catalyst with the lower system ID. The lacp system-priority 100 below makes sure ALS2 keeps that role regardless of MAC addresses; the port priority is then lowered on every member except the two that must stay in standby.
ALS2#show lacp sys-id
32768, 0022.5688.7900
DLS2#show lacp sys-id
32768, 3037.a6eb.d580
ALS2
lacp system-priority 100
interface range fa0/2 - 3 , fa0/13 - 20
channel-protocol lacp
interface range fa0/2 - 3 , fa0/14 - 17 , f0/19-20
lacp port-priority 100
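The selection rule described above, as an added example that is not part of the lab guide: the system with the numerically lower system ID (priority, then MAC) decides, and it ranks the group's ports by (port priority, port number), lowest first, bundling the first eight. The system priorities, MAC addresses, member ports and port priorities are the values shown on this page; the functions lab_before() and lab_after() reproduce the two show etherchannel summary outputs.

```python
"""Added example: how LACP picks the active links of an over-subscribed port-channel."""

MAX_ACTIVE = 8   # a Catalyst bundles at most 8 links; further members (up to 16) are hot-standby


def mac_to_int(mac):
    """'0022.5688.7900' -> integer, so IDs compare numerically, not as text."""
    return int(mac.replace(".", ""), 16)


def deciding_system(systems):
    """systems = {name: (lacp system-priority, MAC)}; returns the name with the lowest ID."""
    return min(systems, key=lambda n: (systems[n][0], mac_to_int(systems[n][1])))


def select_active(port_priorities, max_active=MAX_ACTIVE):
    """port_priorities = {port number: lacp port-priority} on the deciding switch.

    Returns (active ports, hot-standby ports), each sorted by port number.
    """
    ranked = sorted(port_priorities, key=lambda n: (port_priorities[n], n))
    return sorted(ranked[:max_active]), sorted(ranked[max_active:])


# Po2 members in this lab: Fa0/2-3 and Fa0/13-20, ten ports.
PO2_MEMBERS = [2, 3] + list(range(13, 21))


def lab_before():
    """Every member at the default port priority 32768: the lowest port numbers win."""
    return select_active({p: 32768 for p in PO2_MEMBERS})


def lab_after():
    """ALS2's fix: priority 100 on every member except Fa0/13 and Fa0/18."""
    prios = {p: 32768 for p in PO2_MEMBERS}
    for p in (2, 3, 14, 15, 16, 17, 19, 20):
        prios[p] = 100
    return select_active(prios)


if __name__ == "__main__":
    systems = {"ALS2": (32768, "0022.5688.7900"), "DLS2": (32768, "3037.a6eb.d580")}
    print("decides :", deciding_system(systems))
    print("default :", lab_before())
    print("tuned   :", lab_after())
```

Because the decision depends on the system ID, a port-priority change on the wrong switch has no effect; lowering lacp system-priority on the switch you actually manage, as ALS2 does here, removes that dependency on MAC addresses.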
ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/6(P) Fa0/7(P)
2 Po2(SU) LACP Fa0/2(P) Fa0/3(P) Fa0/13(H)
Fa0/14(P) Fa0/15(P) Fa0/16(P)
Fa0/17(P) Fa0/18(H) Fa0/19(P)
Fa0/20(P)
ALS2#show interfaces fastEthernet 0/18 etherchannel
Port state = Up Mstr Assoc Hot-stdby Not-in-Bndl
Channel group = 2 Mode = Active Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po2
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Fa0/18    SA      hot-sby   32768         0x2       0x2     0x12        0x5
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/18 SA 32768 3037.a6eb.d580 3s 0x2 0x14 0x5
Age of the port in the current state: 0d:00h:07m:23s
ALS2#show interfaces fastEthernet 0/13 etherchannel
Port state = Up Mstr Assoc Hot-stdby Not-in-Bndl
Channel group = 2 Mode = Active Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po2
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Fa0/13 SA hot-sby 32768 0x2 0x2 0xD 0x5
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/13 SA 32768 3037.a6eb.d580 22s 0x2 0xF 0x5
Age of the port in the current state: 0d:00h:08m:01s
ALS2#show spanning-tree interface port-channel 2
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 5 128.64 P2p
DLS2#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5688.7900
Cost 5
Port 64 (Port-channel2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 3037.a6eb.d580
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 12 128.56 P2p
Po2 Root FWD 5 128.64 P2p
DLS2#show etherchannel port-channel | begin Group: 2
Group: 2
----------
Port-channels in the group:
---------------------------
Port-channel: Po2 (Primary Aggregator)
------------
Age of the Port-channel = 0d:00h:24m:19s
Logical slot/port = 2/2 Number of ports = 8
HotStandBy port = Fa0/18 Fa0/13
Port state = Port-channel Ag-Inuse
Protocol = LACP
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Fa0/2 Active 0
0 00 Fa0/3 Active 0
0 00 Fa0/14 Active 0
0 00 Fa0/15 Active 0
0 00 Fa0/16 Active 0
0 00 Fa0/17 Active 0
0 00 Fa0/19 Active 0
0 00 Fa0/20 Active 0
Time since last port bundled: 0d:00h:12m:30s Fa0/20
Time since last port Un-bundled: 0d:00h:12m:32s Fa0/13
EtherChannel Layer 3

Setup: erase the previous configuration of both switches.

Configure ports FastEthernet0/6 and FastEthernet0/7 of DLS1 and DLS2 as shown in the figure. These links must appear as a single one. Configure the IP addressing shown. Port-channel 12 must be created without any negotiation.

Configure OSPF and form an adjacency between the two 3560 switches. Create Loopback0 as follows:
- DLS1 → 10.1.1.1/24
- DLS2 → 10.2.2.2/24
Advertise these interfaces with their correct masks.

Enable telnet on the DLS2 Catalyst with the following data:
- user admin, password cisco
- authenticate against the local database using AAA.
- only Loopback0 of DLS1 (10.1.1.1) is allowed as the source address; any other source must be blocked and a log message sent to the console.
(Telnet carries the credentials in the clear; the lab asks for telnet, but on production equipment use SSH with the same source restriction.)
DLS1
ip routing
default interface range fastEthernet 0/6-7
interface Port-channel12
no switchport
ip address 10.1.12.1 255.255.255.0
interface range fastEthernet 0/6-7
no switchport
channel-group 12 mode on
DLS2
ip routing
default interface range fastEthernet 0/6-7
interface Port-channel12
no switchport
ip address 10.1.12.2 255.255.255.0
interface range fastEthernet 0/6-7
no switchport
channel-group 12 mode on
DLS2#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(RU) - Fa0/6(P) Fa0/7(P)
DLS2#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(RU) - Fa0/6(D) Fa0/7(P)
Layer 3 EtherChannel tests

DLS2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

DLS2
access-list 100 permit ip host 10.1.12.2 host 10.1.12.1

DLS2#debug ip packet 100
IP packet debugging is on for access list 100
DLS2#ping 10.1.12.1 source 10.1.12.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.12.2
!
DLS1#telnet 10.2.2.2
Trying 10.2.2.2 ...
% Connection refused by remote host
DLS2#
%SEC-6-IPACCESSLOGS: list 10 denied 10.1.12.1 1 packet
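The log line above is what the VTY access-class produces when a source other than the permitted loopback tries to connect. Collecting those lines is the detection side of this control; the following is an added example, not part of the guide, of a small consumer for them. The log lines it uses are constructed for the example (the standard-ACL form IPACCESSLOGS seen above and the extended-ACL form IPACCESSLOGP); the permitted address is the lab's 10.1.1.1. One caveat the code accounts for: IOS rate-limits ACL logging, so after the first packet it emits periodic summary lines with a packet count, and the count, not the number of lines, is what has to be summed.

```python
"""Added example: parse %SEC-6-IPACCESSLOG{S,P} messages and total denied packets per source."""
import re

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG[SP]: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?:(?P<proto>[a-z]+) )?(?P<src>\d+(?:\.\d+){3})(?:\(\d+\))?"
    r"(?: -> (?P<dst>\d+(?:\.\d+){3})(?:\(\d+\))?)?,? (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return a dict (acl, action, proto, src, dst, count) or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def denied_sources(lines, allowed):
    """Total denied packets per source address, ignoring the permitted management addresses."""
    totals = {}
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied" and rec["src"] not in allowed:
            totals[rec["src"]] = totals.get(rec["src"], 0) + rec["count"]
    return totals


# Constructed sample: the first line is the kind of message shown on this page.
SAMPLE = [
    "Mar  1 00:12:01.123: %SEC-6-IPACCESSLOGS: list 10 denied 10.1.12.1 1 packet",
    "Mar  1 00:12:09.456: %SEC-6-IPACCESSLOGS: list 10 permitted 10.1.1.1 1 packet",
    "Mar  1 00:17:01.789: %SEC-6-IPACCESSLOGS: list 10 denied 10.1.12.1 3 packets",
    "Mar  1 00:17:30.000: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.7(40001) -> 10.2.2.2(23), 1 packet",
    "Mar  1 00:18:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for src, n in denied_sources(SAMPLE, {"10.1.1.1"}).items():
        print(f"{src}: {n} denied packet(s) toward the management plane")
```

Any source that accumulates denials is either a misconfigured management host or someone probing the switch; in the lab the denied source is DLS1's port-channel address, because the telnet was not sourced from Loopback0.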
STP default behaviour

Disable the interfaces that do not take part in the topology.

How can we determine the behaviour of STP in this example? We will go through the process step by step, using VLAN 1 as the reference. The simplest and most effective way to determine the STP roles is the following:

1. Determine the cost of each link. The following table is useful for that (verify with show interface that the bandwidths really are the ones listed). These are the 802.1D short path-cost values, the default on these switches:

Link bandwidth   STP cost
4 Mbps           250
10 Mbps          100
16 Mbps          62
45 Mbps          39
100 Mbps         19
155 Mbps         14
622 Mbps         6
1 Gbps           4
10 Gbps          2

- Bridge ID = bridge priority (including the VLAN number as sys-id-ext) : bridge MAC address. The lowest bridge ID becomes the root.
DLS1#show spanning-tree bridge id
VLAN0001 8001.e8ba.70cb.f600
DLS2#show spanning-tree bridge id
VLAN0001 8001.3037.a6eb.d580
ALS1#show spanning-tree bridge id
VLAN0001 8001.0022.5689.5d80
ALS2#show spanning-tree bridge id
VLAN0001 8001.0022.5688.7900
Root ID Priority 32769
Address 0022.5688.7900
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
DLS1#sh spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5688.7900
Cost 19
Port 6 (FastEthernet0/4)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
3. Select the ROOT PORT (only one on each non-root bridge). This is the port through which the bridge (switch) has the best path to the root bridge, that is, the lowest root path cost.

On DLS1 the RP is interface FastEthernet0/4 (cost 19).
On DLS2 the RP is interface FastEthernet0/2 (cost 19).
On ALS1 the RP is interface FastEthernet0/6 (cost 19).
ALS2 is the ROOT BRIDGE and has no root port.

DLS1#sh spanning-tree root port
VLAN0001 FastEthernet0/9
DLS2#sh spanning-tree root port
VLAN0001 FastEthernet0/7
ALS1#sh spanning-tree root port
VLAN0001 FastEthernet0/11

4. Select the Designated Port (DP). On each segment the port with the lowest root path cost is chosen. The root bridge also takes part and, naturally, all of its ports are designated. When the values are equal, a tie-breaker must be applied, in this order:
- Lowest root bridge ID
- Lowest root path cost
- Lowest sender bridge ID
- Lowest sender port ID

Note: most of these parameters can be obtained with show spanning-tree interface detail.
ALS2#show spanning-tree interface fastEthernet 0/2 detail
Port 2 (FastEthernet0/2) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.2.
Designated root has priority 32769, address 0022.5688.7900
Designated bridge has priority 32769, address 0022.5688.7900
Designated port id is 128.2, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 4002, received 2
Link DLS1 ↔ DLS2: both interfaces have the same cost to the root bridge, so the next criterion applies, the sender bridge ID. The bridge ID of DLS1 (e8ba.70cb.f600) is higher than that of DLS2 (3037.a6eb.d580), so DLS2's port becomes designated and DLS1's port is an alternate port, blocking.

DLS1#sh spanning-tree bridge id
VLAN0001 8001.e8ba.70cb.f600
DLS2#show spanning-tree bridge id
VLAN0001 8001.3037.a6eb.d580

DLS1#sh spanning-tree vlan 1 interface fastEthernet 0/6
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Altn BLK 19 128.8 P2p
DLS2#sh spanning-tree vlan 1 interface fastEthernet 0/6
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.8 P2p
Link DLS1 ↔ ALS2: ALS2 is the root, so the best path to the root on this segment is simply ALS2's port FastEthernet0/4 (root path cost 0). The same applies to DLS2 ↔ ALS2 and ALS1 ↔ ALS2.
ALS2#show spanning-tree vlan 1 interface fastEthernet 0/2
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.2 P2p
ALS2#show spanning-tree vlan 1 interface fastEthernet 0/4
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.4 P2p
ALS2#show spanning-tree vlan 1 interface fastEthernet 0/6
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.6 P2p
Link DLS2 ↔ ALS1: both have the same cost to reach the root bridge, so we determine which bridge has the lower bridge ID. The priorities are equal (32769), so the MAC address decides: ALS1 (0022.5689.5d80) is lower than DLS2 (3037.a6eb.d580), therefore the designated port (DP) is ALS1's FastEthernet0/4 and DLS2's FastEthernet0/4 blocks.
DLS2#sh spanning-tree bridge id
VLAN0001 8001.3037.a6eb.d580
ALS1#sh spanning-tree bridge id
VLAN0001 8001.0022.5689.5d80
ALS1#show spanning-tree interface fastEthernet 0/4
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.4 P2p
DLS2#show spanning-tree interface fastEthernet 0/4
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Altn BLK 19 128.6 P2p
Link DLS1 ↔ ALS1: again the cost to the root bridge is the same on both sides, so the lower bridge ID wins. With equal priorities, ALS1's MAC (0022.5689.5d80) is lower than DLS1's (e8ba.70cb.f600), therefore the designated port (DP) is ALS1's FastEthernet0/2 and DLS1's FastEthernet0/2 blocks.
ALS1#sh spanning-tree bridge id
VLAN0001 8001.0022.5689.5d80
DLS1#show spanning-tree bridge id
VLAN0001 8001.e8ba.70cb.f600
DLS1#sh spanning-tree interface fastEthernet 0/2
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Altn BLK 19 128.4 P2p
ALS1#sh spanning-tree vlan 1 | begin Interface
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/6 Root FWD 19 128.6 P2p
ALS2#sh spanning-tree vlan 1 | begin Interface
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/6 Desg FWD 19 128.6 P2p
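The election walked through above can be reproduced mechanically. The following is an added example, not code from the guide: it runs the 802.1D role election (lowest bridge ID is root; root port by lowest root path cost, then sender bridge ID, then sender port ID; designated port per segment by the same comparison) over this lab's values. The bridge IDs, the cost of 19 on every 100 Mbps link and the port numbers are taken from the outputs above; which port faces which neighbour is reconstructed from those outputs, so the LINKS table is an assumption of this example.

```python
"""Added example: 802.1D role election over the lab's four switches."""
import heapq

# Bridge ID = (priority including sys-id-ext, MAC). Lower is better; the MACs all share
# the same dotted-hex format, so comparing them as strings orders them numerically.
BRIDGES = {
    "DLS1": (32769, "e8ba.70cb.f600"),
    "DLS2": (32769, "3037.a6eb.d580"),
    "ALS1": (32769, "0022.5689.5d80"),
    "ALS2": (32769, "0022.5688.7900"),
}

# Point-to-point links as ((switch, port number), (switch, port number), path cost).
LINKS = [
    (("DLS1", 6), ("DLS2", 6), 19),
    (("DLS1", 4), ("ALS2", 4), 19),
    (("DLS1", 2), ("ALS1", 2), 19),
    (("DLS2", 2), ("ALS2", 2), 19),
    (("DLS2", 4), ("ALS1", 4), 19),
    (("ALS1", 6), ("ALS2", 6), 19),
]
PORT_PRIORITY = 128  # default; a port ID is (priority, number), shown as 128.4


def port_id(number, priority=PORT_PRIORITY):
    return (priority, number)


def root_path_costs(bridges, links, root):
    """Lowest additive cost from every bridge to the root (Dijkstra)."""
    adj = {b: [] for b in bridges}
    for (a, _), (b, _), cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {b: None for b in bridges}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if dist[u] is not None:
            continue
        dist[u] = d
        for v, c in adj[u]:
            if dist[v] is None:
                heapq.heappush(heap, (d + c, v))
    return dist


def elect_roles(bridges, links):
    """Return (root bridge, root path cost per bridge, {(switch, port): role})."""
    root = min(bridges, key=bridges.get)  # step 2: lowest bridge ID
    cost = root_path_costs(bridges, links, root)
    roles = {}
    # Step 3: root port. A non-root bridge keeps the best BPDU it receives, compared as
    # (root path cost via that neighbour, neighbour bridge ID, neighbour port ID, own port ID).
    for b in bridges:
        if b == root:
            continue
        best = None
        for end_a, end_b, c in links:
            for (me, my_port), (nb, nb_port) in ((end_a, end_b), (end_b, end_a)):
                if me != b:
                    continue
                key = (cost[nb] + c, bridges[nb], port_id(nb_port), port_id(my_port))
                if best is None or key < best[0]:
                    best = (key, my_port)
        roles[(b, best[1])] = "Root"
    # Step 4: designated port per segment: the end advertising the lowest
    # (root path cost, bridge ID, port ID). The far end blocks unless it is a root port.
    for end_a, end_b, _ in links:
        desg, other = sorted((end_a, end_b),
                             key=lambda e: (cost[e[0]], bridges[e[0]], port_id(e[1])))
        roles[desg] = "Desg"
        roles.setdefault(other, "Altn")
    return root, cost, roles


def state(role):
    """Port state as show spanning-tree prints it: root and designated ports forward."""
    return "FWD" if role in ("Root", "Desg") else "BLK"


if __name__ == "__main__":
    root, cost, roles = elect_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for (sw, nbr), role in sorted(roles.items()):
        print(f"{sw} Fa0/{nbr}: {role} {state(role)} cost {cost[sw]}")
```

The result matches the outputs above: ALS2 is the root with every port designated, DLS1 Fa0/4, DLS2 Fa0/2 and ALS1 Fa0/6 are root ports, and DLS1 Fa0/6, DLS1 Fa0/2 and DLS2 Fa0/4 block. Changing one bridge's priority or a link's cost in the tables shows how the tree moves, which is the same experiment the next lab performs on real switches.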
STP configuration

Prelab: erase the previous configurations.

Configure an EtherChannel between DLS1 and DLS2 (Fa0/6 and Fa0/7) using LACP.
For the trunk, configure ISL between DLS1 and DLS2. Do not use DTP.

At the end of the lab, indicate:
- The purpose of the no-isl-entries enable command.
- The purpose of the debug spanning-tree switch state command.
DLS1
default interface range fastEthernet 0/6-7
interface range fastEthernet 0/6-7
channel-group 12 mode active
interface Port-channel12
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate
DLS2
default interface range fastEthernet 0/6-7
interface range fastEthernet 0/6-7
channel-group 12 mode active
interface Port-channel12
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate
DLS1#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) LACP Fa0/6(P) Fa0/7(P)
DLS2#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) LACP Fa0/6(P) Fa0/7(P)
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po12 on isl trunking 1
Port Vlans allowed on trunk
Po12 1-4094
Port Vlans allowed and active in management domain
Po12 1
Port Vlans in spanning tree forwarding state and not pruned
Po12 1
DLS2#show spanning-tree vlan 1 interface port-channel 12
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 12 128.144 P2p
DLS1#show spanning-tree vlan 1 interface port-channel 12
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Altn BLK 12 128.144 P2p
Configure 802.1q on the remaining links as shown in the figure. Interfaces that do not take part in the lab must be disabled.

At the end of this section, indicate which path-cost method is in use.
DLS1#show interfaces status | include disabled
Fa0/3 disabled 1 auto auto 10/100BaseTX
Fa0/5 disabled 1 auto auto 10/100BaseTX
DLS1
default interface range fastEthernet 0/2 , fastEthernet 0/4
interface range fastEthernet 0/2 , fastEthernet 0/4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
DLS2
default interface range fastEthernet 0/2 , fastEthernet 0/4
interface range fastEthernet 0/2 , fastEthernet 0/4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ALS1
default interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
switchport mode trunk
switchport nonegotiate
ALS2
default interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
switchport mode trunk
switchport nonegotiate
DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Po12 on isl trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Po12 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Po12 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 none
Fa0/4 1
Po12 none
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Po12 on isl trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Po12 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Po12 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 none
Po12 1
ALS1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 1
Fa0/6 1
ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 1
Fa0/6 1
As we can see, ALS2 will always be the Root Bridge, since it has the lowest MAC address. As a result, all ALS2 ports are in the FWD (Forwarding) state, as the following output shows.
Explain the purpose of the hello, forward delay and max age timers in the sending of BPDUs.
ALS2#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5688.7900
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0022.5688.7900
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/6 Desg FWD 19 128.6 P2p
Configure VTP with the following layout:
- DLS1 VTP Server, version 2, domain DUOC, password cisco
- DLS2 VTP Client, version 2, domain DUOC, password cisco
- ALS1 VTP Client, version 2, domain DUOC, password cisco
- ALS2 VTP Client, version 2, domain DUOC, password cisco
DLS1
vtp domain DUOC
vtp password cisco
vtp mode server
DLS2
vtp domain DUOC
vtp password cisco
vtp mode client
ALS1
vtp domain DUOC
vtp password cisco
vtp mode client
ALS2
vtp domain DUOC
vtp password cisco
vtp mode client
On DLS1 create VLANs 2, 3, 4, 5, 6, 7, 8, 9, 10.
Verify that these VLANs have been installed on the VTP client switches.
Where do switches in the VTP client role store the VLANs?
DLS1
vlan 2-10
DLS1#sh vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
7 VLAN0007 active
8 VLAN0008 active
9 VLAN0009 active
10 VLAN0010 active
DLS2#sh vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
7 VLAN0007 active
8 VLAN0008 active
9 VLAN0009 active
10 VLAN0010 active
ALS1#show vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
7 VLAN0007 active
8 VLAN0008 active
9 VLAN0009 active
10 VLAN0010 active
ALS2#show vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
7 VLAN0007 active
8 VLAN0008 active
9 VLAN0009 active
10 VLAN0010 active
DLS1 must be the Root Bridge for VLANs 1, 2, 3, 4 and the backup bridge for VLANs 5, 6, 7, 8, 9, 10.
DLS2 must be the Root Bridge for VLANs 5, 6, 7, 8, 9, 10 and the backup bridge for VLANs 1, 2, 3, 4.
Let us look at a few details. ALS2 (note that on the equipment of each POD the result may differ; we are working with default values) is the Root Bridge for all VLANs.
ALS2#show version | include Base
Base ethernet MAC Address : 00:22:56:88:79:00
ALS2#show spanning-tree bridge
Hello Max Fwd
Vlan Bridge ID Time Age Dly Protocol
---------------- --------------------------------- ----- --- --- --------
VLAN0001 32769 (32768, 1) 0022.5688.7900 2 20 15 ieee
VLAN0002 32770 (32768, 2) 0022.5688.7900 2 20 15 ieee
VLAN0003 32771 (32768, 3) 0022.5688.7900 2 20 15 ieee
VLAN0004 32772 (32768, 4) 0022.5688.7900 2 20 15 ieee
VLAN0005 32773 (32768, 5) 0022.5688.7900 2 20 15 ieee
VLAN0006 32774 (32768, 6) 0022.5688.7900 2 20 15 ieee
VLAN0007 32775 (32768, 7) 0022.5688.7900 2 20 15 ieee
VLAN0008 32776 (32768, 8) 0022.5688.7900 2 20 15 ieee
VLAN0009 32777 (32768, 9) 0022.5688.7900 2 20 15 ieee
VLAN0010 32778 (32768, 10) 0022.5688.7900 2 20 15 ieee
DLS1#sho spanning-tree root id
VLAN0001 8001.0022.5688.7900
VLAN0002 8002.0022.5688.7900
VLAN0003 8003.0022.5688.7900
VLAN0004 8004.0022.5688.7900
VLAN0005 8005.0022.5688.7900
VLAN0006 8006.0022.5688.7900
VLAN0007 8007.0022.5688.7900
VLAN0008 8008.0022.5688.7900
VLAN0009 8009.0022.5688.7900
VLAN0010 800A.0022.5688.7900
In the following output we can see DLS1's Bridge ID. When we assign it the primary role for VLANs 1, 2, 3, 4 we will see that the root Bridge ID matches that of DLS1.
DLS1#show version | include Base
Base ethernet MAC Address : E8:BA:70:CB:F6:00
ALS2#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 32769 0022.5688.7900 0 2 20 15
VLAN0002 32770 0022.5688.7900 0 2 20 15
VLAN0003 32771 0022.5688.7900 0 2 20 15
VLAN0004 32772 0022.5688.7900 0 2 20 15
VLAN0005 32773 0022.5688.7900 0 2 20 15
VLAN0006 32774 0022.5688.7900 0 2 20 15
VLAN0007 32775 0022.5688.7900 0 2 20 15
VLAN0008 32776 0022.5688.7900 0 2 20 15
VLAN0009 32777 0022.5688.7900 0 2 20 15
VLAN0010 32778 0022.5688.7900 0 2 20 15
DLS1 recognizes that the root for VLAN 1 and for all the created VLANs is the switch with Bridge ID 8001.0022.5688.7900, that is, ALS2. The same check must be made on every non-root switch.
DLS1
spanning-tree vlan 1,2,3,4 root primary
spanning-tree vlan 5-10 root secondary
DLS1 is now the root for VLANs 1, 2, 3, 4. Using the show spanning-tree root command we see Bridge ID 24577 e8ba.70cb.f600 for VLAN 1.
In which cases does the STP process lower the priority by 4096?
Why does DLS1 take the Root role for all VLANs when it was configured to be primary only for VLANs 1 to 4?
ALS2#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 24577 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0002 24578 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0003 24579 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0004 24580 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0005 28677 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0006 28678 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0007 28679 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0008 28680 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0009 28681 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0010 28682 e8ba.70cb.f600 19 2 20 15 Fa0/4
DLS1#sh spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 24577 e8ba.70cb.f600 0 2 20 15
VLAN0002 24578 e8ba.70cb.f600 0 2 20 15
VLAN0003 24579 e8ba.70cb.f600 0 2 20 15
VLAN0004 24580 e8ba.70cb.f600 0 2 20 15
VLAN0005 28677 e8ba.70cb.f600 0 2 20 15
VLAN0006 28678 e8ba.70cb.f600 0 2 20 15
VLAN0007 28679 e8ba.70cb.f600 0 2 20 15
VLAN0008 28680 e8ba.70cb.f600 0 2 20 15
VLAN0009 28681 e8ba.70cb.f600 0 2 20 15
VLAN0010 28682 e8ba.70cb.f600 0 2 20 15
We know that the default STP priority is 32768. Note also that the VLAN number is added to each priority, that is, for VLAN 10 the priority value is 32768 + 10 → 32778. If we assign a switch the root role for some or all VLANs through configuration, STP lowers the priority by 8192 and adds the VLAN value. In the example, for VLAN 4 we have 32768 + 4 → 32772 - 8192 = 24580.
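The priority arithmetic described above, carried through the whole election, as an added example in Python (not part of the guide): it builds the Bridge ID priority (base + VLAN), renders it the way `show spanning-tree root id` prints it, elects the root per VLAN by lowest (priority, MAC), and applies the `root primary` / `root secondary` macros with the 24576 and 28672 values the outputs show. The switch MACs are the ones printed by `show version` in this section (ALS1's is taken from the Flex Link section); the macro's behaviour when the current root is already at or below 24576 (4096 below it) is how IOS documents it and is an assumption of the model. Replaying the lab also answers the question above: after `root secondary`, DLS1 advertises 28672 + VLAN, which still beats ALS2's 32768 + VLAN, so DLS1 stays root for VLANs 5 to 10 until DLS2 takes them with `root primary`.

```python
"""Bridge ID arithmetic and per-VLAN root election for PVST+ / Rapid PVST+.

Added example, not part of the guide. Switch names and base MACs come from
the `show version` outputs in this section. The `root primary` macro is
modelled as IOS documents it: 24576, or 4096 below the current root when
that root is already at 24576 or lower (assumption); `root secondary` sets
28672.
"""

DEFAULT_BASE = 32768
PRIMARY_BASE = 24576
SECONDARY_BASE = 28672


def bridge_priority(base: int, vlan: int) -> int:
    """16-bit priority field = configurable base (multiple of 4096) + sys-id-ext (VLAN)."""
    if base % 4096 or not 0 <= base <= 61440:
        raise ValueError("base priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range")
    return base + vlan


def format_root_id(priority: int, mac: str) -> str:
    """Render as `show spanning-tree root id` does: four hex digits of priority, then the MAC."""
    return f"{priority:04X}.{mac}"


def mac_int(mac: str) -> int:
    """Numeric value of a MAC written as xxxx.xxxx.xxxx or xx:xx:...; lower wins ties."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def lab_topology():
    """Constructed from the lab outputs: four switches, VLANs 1-10, all at the default base."""
    macs = {"DLS1": "e8ba.70cb.f600", "DLS2": "3037.a6eb.d580",
            "ALS1": "0022.5689.5d80", "ALS2": "0022.5688.7900"}
    return {name: {"mac": mac, "base": {v: DEFAULT_BASE for v in range(1, 11)}}
            for name, mac in macs.items()}


def elect_root(topo, vlan: int):
    """Lowest (priority, MAC) wins; returns (switch name, priority it advertises)."""
    name, sw = min(topo.items(),
                   key=lambda kv: (bridge_priority(kv[1]["base"][vlan], vlan),
                                   mac_int(kv[1]["mac"])))
    return name, bridge_priority(sw["base"][vlan], vlan)


def root_macro(topo, name: str, vlans, role: str) -> None:
    """Apply `spanning-tree vlan <vlans> root primary|secondary` on switch `name`."""
    for vlan in vlans:
        if role == "primary":
            root_name, _ = elect_root(topo, vlan)
            current = topo[root_name]["base"][vlan]
            # assumption: IOS picks 24576 unless the root is already there or lower
            new_base = PRIMARY_BASE if current > PRIMARY_BASE else max(current - 4096, 0)
        elif role == "secondary":
            new_base = SECONDARY_BASE
        else:
            raise ValueError("role must be 'primary' or 'secondary'")
        topo[name]["base"][vlan] = new_base


if __name__ == "__main__":
    topo = lab_topology()
    print("default root VLAN 1:", elect_root(topo, 1))            # ALS2, 32769
    root_macro(topo, "DLS1", range(1, 5), "primary")
    root_macro(topo, "DLS1", range(5, 11), "secondary")
    print("after DLS1 macros, VLAN 7:", elect_root(topo, 7))      # DLS1, 28679
    root_macro(topo, "DLS2", range(5, 11), "primary")
    root_macro(topo, "DLS2", range(1, 5), "secondary")
    print("after DLS2 macros, VLAN 5:", elect_root(topo, 5))      # DLS2, 24581
```

The same functions can be pointed at a real design by replacing `lab_topology()` with the priorities and MACs of the production switches; a VLAN whose elected root is an access switch is exactly the misconfiguration `root primary` on the distribution layer is meant to remove.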
We now configure the second task.
DLS2
spanning-tree vlan 5,6,7,8,9,10 root primary
spanning-tree vlan 1-4 root secondary
DLS2#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 24577 e8ba.70cb.f600 12 2 20 15 Po12
VLAN0002 24578 e8ba.70cb.f600 12 2 20 15 Po12
VLAN0003 24579 e8ba.70cb.f600 12 2 20 15 Po12
VLAN0004 24580 e8ba.70cb.f600 12 2 20 15 Po12
VLAN0005 24581 3037.a6eb.d580 0 2 20 15
VLAN0006 24582 3037.a6eb.d580 0 2 20 15
VLAN0007 24583 3037.a6eb.d580 0 2 20 15
VLAN0008 24584 3037.a6eb.d580 0 2 20 15
VLAN0009 24585 3037.a6eb.d580 0 2 20 15
VLAN0010 24586 3037.a6eb.d580 0 2 20 15
DLS1#sh spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 24577 e8ba.70cb.f600 0 2 20 15
VLAN0002 24578 e8ba.70cb.f600 0 2 20 15
VLAN0003 24579 e8ba.70cb.f600 0 2 20 15
VLAN0004 24580 e8ba.70cb.f600 0 2 20 15
VLAN0005 24581 3037.a6eb.d580 12 2 20 15 Po12
VLAN0006 24582 3037.a6eb.d580 12 2 20 15 Po12
VLAN0007 24583 3037.a6eb.d580 12 2 20 15 Po12
VLAN0008 24584 3037.a6eb.d580 12 2 20 15 Po12
VLAN0009 24585 3037.a6eb.d580 12 2 20 15 Po12
VLAN0010 24586 3037.a6eb.d580 12 2 20 15 Po12
STP BPDU Guard
Interface FastEthernet0/2 on ALS2 must belong to VLAN 10. A PC will be connected to it shortly.
Prevent the STP process from going through the listening/learning states. If the interface receives a BPDU packet it must be placed in the errdisable state, which must last 30 seconds.
ALS2
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
ALS2#show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)
ALS2
spanning-tree portfast bpduguard default
errdisable recovery interval 30
If we connect a device that sends BPDUs (for example a switch) we get the following results:
04:27:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
04:27:49: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
04:27:50: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled.
Disabling port.
ALS2#
04:27:50: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
ALS2#show interfaces fastEthernet 0/2 status err-disabled
Port Name Status Reason
Fa0/2 err-disabled bpduguard
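A defender's view of the messages above, as an added example in Python (not from the guide): it parses the `%PM-4-ERR_DISABLE` lines, computes when `errdisable recovery interval 30` will bring the port back, and flags ports that are err-disabled repeatedly, which is what a port looks like when the BPDU source stays attached and recovery keeps re-enabling it. The log lines are constructed after the ones shown, with a second cycle appended; the `%PM-4-ERR_RECOVER` line is the IOS message for the recovery attempt.

```python
"""Detect BPDU Guard err-disable events in IOS syslog and estimate the recovery time.

Added example, not part of the guide. SAMPLE_LOG is constructed after the
messages shown in this section: one err-disable, the recovery attempt 30 s
later, and a second err-disable right after it.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}): ")
ERRDIS_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>\S+), "
    r"putting \S+ in err-disable state")

# constructed sample, same message formats as the lab console above
SAMPLE_LOG = """\
04:27:50: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
04:27:50: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
04:28:20: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/2
04:28:22: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
04:28:22: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
"""


def parse_errdisable(log: str, recovery_interval: int = 30):
    """One record per ERR_DISABLE line: port, reason, time, and when recovery will retry."""
    events = []
    for line in log.splitlines():
        ts, m = TS_RE.match(line), ERRDIS_RE.search(line)
        if not (ts and m):
            continue  # not an err-disable line (or no timestamp)
        at = datetime.strptime(ts.group(1), "%H:%M:%S")
        events.append({
            "port": m["port"],
            "reason": m["reason"],
            "at": ts.group(1),
            "recovers_at": (at + timedelta(seconds=recovery_interval)).strftime("%H:%M:%S"),
        })
    return events


def repeat_offenders(events, min_count: int = 2):
    """Ports err-disabled at least `min_count` times: the BPDU source is still attached."""
    counts = Counter((e["port"], e["reason"]) for e in events)
    return {port: n for (port, reason), n in counts.items() if n >= min_count}


if __name__ == "__main__":
    evs = parse_errdisable(SAMPLE_LOG)
    for e in evs:
        print(f"{e['at']} {e['port']} {e['reason']} -> recovery at {e['recovers_at']}")
    print("repeat offenders:", repeat_offenders(evs))   # {'Fa0/2': 2}
```

With recovery enabled, a port that is re-disabled every interval is the signal to go and look at what is plugged in: recovery restores service after an accidental loop but never removes the cause, and a switch that keeps sending BPDUs on an access port should be found, not waited out.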
FLEX Link
Create a trunk using Fa0/7 and Fa0/8 on both switches, using a standards-based protocol.
DLS1 VTP Server
ALS1 VTP Client
DLS1 must create VLANs 100, 200, 300 and 400. DLS1 must be root for all VLANs.
Verify that ALS1 has the VLANs.
Flex Link is a Layer 2 feature that can coexist with STP. This enhancement keeps convergence time under 50 milliseconds; in short, that time stays constant regardless of the number of VLANs or MAC addresses configured on the switch.
A Flex Link consists of a pair of Layer 2 interfaces, which may be switchports or port channels, where one acts as backup for the other. It also offers an alternative to Spanning Tree Protocol (STP), letting users disable STP and still have a redundant link.
DLS1
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
DLS1#sh spanning-tree vlan 100
VLAN0100
Spanning tree enabled protocol ieee
Root ID Priority 24676
Address e8ba.70cb.f600
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24676 (priority 24576 sys-id-ext 100)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/7 Desg FWD 19 128.9 P2p
Fa0/8 Desg FWD 19 128.10 P2p
ALS1#show spanning-tree vlan 100
VLAN0100
Spanning tree enabled protocol ieee
Root ID Priority 24676
Address e8ba.70cb.f600
Cost 19
Port 7 (FastEthernet0/7)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 0022.5689.5d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/7 Root FWD 19 128.7 P2p
Fa0/8 Altn BLK 19 128.8 P2p
Configure Flex Link with the following policies.
ALS1 fa0/7 backup
Connect PCs to an access port on DLS1 and on ALS1 (same VLAN) and test connectivity between them.
Shut down the active link and check the activation time.
Load-balance using the interface command switchport backup interface fastEthernet 0/3 prefer vlan
101…..
ALS1
interface FastEthernet0/8
switchport mode trunk
switchport backup interface Fa0/7
ALS1#show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
FastEthernet0/8 FastEthernet0/7 Active Up/Backup Standby
DLS1
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
spanning-tree portfast
ALS1
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
spanning-tree portfast
Flex Link connectivity tests
PC1 → 10.1.1.1/24 connected to Fa0/1 on DLS1
PC2 → 10.1.1.2/24 connected to Fa0/1 on ALS1
We should have connectivity via ping.
Fa0/8 actively carries the traffic; if we disable the interface there is no traffic interruption.
ALS1(config)#interface fastEthernet 0/8
ALS1(config-if)#shutdown
ALS1#show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
FastEthernet0/8 FastEthernet0/7 Active Down/Backup Up
PC1 ping 10.1.1.2 -t
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
ALS1(config)#interface fastEthernet 0/8
ALS1(config-if)#no shutdown
ALS1#show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
FastEthernet0/8 FastEthernet0/7 Active Standby/Backup Up
As the previous output shows, interface fa0/8 does not return to the active state by default. In other words, it does not take back the position it left. For that to happen we must explicitly configure it.
FastEthernet 0/8 must return to its UP state 4 seconds after the link is restored.
ALS1
interface FastEthernet0/8
switchport backup interface Fa0/7 preemption delay 4
switchport backup interface Fa0/7 preemption mode forced //If forced is not included, the process does not take the delay into account
01:14:35: %BACKUP_INTERFACE-5-PREEMPT: Preempting interface Fa0/7 in backup pair (Fa0/8, Fa0/7),
preemption mode is forced
ALS1#show interfaces switchport backup detail
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
FastEthernet0/8 FastEthernet0/7 Active Up/Backup Standby
Interface Pair : Fa0/8, Fa0/7
Preemption Mode : forced
Preemption Delay : 4 seconds
Bandwidth : 100000 Kbit (Fa0/8), 100000 Kbit (Fa0/7)
Mac Address Move Update Vlan : auto
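The active/backup behaviour shown by `show interfaces switchport backup` in this section, as an added example in Python (not Cisco's implementation): a small state model of one Flex Link pair with the three preemption modes (off, forced, bandwidth) and the preemption delay. The interface names and the states `Active Up/Backup Standby`, `Active Down/Backup Up` and `Active Standby/Backup Up` are the ones from the outputs above; the 35 s default delay and the bandwidth-mode rule are assumptions about IOS behaviour that the model uses.

```python
"""State model of a Flex Link pair, after the states printed by
`show interfaces switchport backup` in this section.

Added example, not Cisco code. Times are plain seconds so a scenario can be
replayed without a clock. Assumptions: the default preemption delay is 35 s
and bandwidth mode preempts when the returning link has more bandwidth.
"""


class FlexLinkPair:
    def __init__(self, active, backup, mode="off", delay=35, bandwidth=None):
        if mode not in ("off", "forced", "bandwidth"):
            raise ValueError("mode must be off, forced or bandwidth")
        self.active, self.backup = active, backup
        self.mode, self.delay = mode, delay
        # Kbit, as the `detail` output above shows for two FastEthernet ports
        self.bandwidth = bandwidth or {active: 100000, backup: 100000}
        self.up = {active: True, backup: True}
        self.forwarding = active       # interface currently carrying traffic
        self.pending = None            # (interface, time) of a scheduled preemption

    def other(self, ifname):
        return self.backup if ifname == self.active else self.active

    def link_down(self, ifname, now):
        self.up[ifname] = False
        self.pending = None
        if self.forwarding == ifname:
            # failover is immediate; the partner takes over if it is up
            partner = self.other(ifname)
            self.forwarding = partner if self.up[partner] else None

    def link_up(self, ifname, now):
        self.up[ifname] = True
        if self.forwarding is None:    # nothing was forwarding: use the link that came back
            self.forwarding = ifname
            return
        if self.forwarding == ifname:
            return
        # may the returning link take traffic back? only after the delay, and only if the
        # preemption mode says so; in "off" it stays Standby until the other link fails
        if self.mode == "forced" and ifname == self.active:
            self.pending = (ifname, now + self.delay)
        elif self.mode == "bandwidth" and self.bandwidth[ifname] > self.bandwidth[self.forwarding]:
            self.pending = (ifname, now + self.delay)

    def tick(self, now):
        """Advance the clock; fire a scheduled preemption once its delay has elapsed."""
        if self.pending and now >= self.pending[1]:
            self.forwarding = self.pending[0]
            self.pending = None

    def state(self):
        def word(ifname):
            if not self.up[ifname]:
                return "Down"
            return "Up" if self.forwarding == ifname else "Standby"
        return f"Active {word(self.active)}/Backup {word(self.backup)}"


if __name__ == "__main__":
    pair = FlexLinkPair("Fa0/8", "Fa0/7", mode="forced", delay=4)
    print(pair.state())                      # Active Up/Backup Standby
    pair.link_down("Fa0/8", 0); print(pair.state())   # Active Down/Backup Up
    pair.link_up("Fa0/8", 10); print(pair.state())    # Active Standby/Backup Up
    pair.tick(14); print(pair.state())                # Active Up/Backup Standby
```

Replaying the lab with `mode="off"` reproduces the `Active Standby/Backup Up` line that motivated the preemption commands: the active port comes back up but stays in Standby forever, which is the behaviour to expect after any maintenance on the primary uplink unless preemption is configured.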
MSTP Multiple Spanning Tree MST 802.1s
Configure both switches in trunk mode. Use 802.1q.
VTP: DLS1 must be VTP server and DLS2 VTP client. Use VTP domain DUOC, VTP version 2.
On DLS1 create VLANs 10, 20, 30, 40, 50 and 60. Verify that these VLANs propagate to DLS2.
Use RSTP+ for the initial configuration.
DLS1
spanning-tree mode rapid-pvst
vlan 10,20,30,40,50,60
vtp mode server
vtp domain DUOC
vtp version 2
DLS2
spanning-tree mode rapid-pvst
vtp mode client
vtp domain DUOC
vtp version 2
DLS1
interface range fastEthernet 0/6-7
switchport trunk encapsulation dot1q
switchport mode trunk
DLS2
interface range fastEthernet 0/6-7
switchport trunk encapsulation dot1q
switchport mode trunk
DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,40,50,60
Fa0/7 1,10,20,30,40,50,60
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30,40,50,60
Fa0/7 none
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,40,50,60
Fa0/7 1,10,20,30,40,50,60
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30,40,50,60
Fa0/7 1
DLS2#show vtp status
VTP Version : running VTP2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x87 0xDB 0x5B 0x22 0xB7 0x09 0xAD 0x2D
Configuration last modified by 1.1.1.1 at 3-1-93 00:24:25
DLS1#sh vtp status
VTP Version : running VTP2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x87 0xDB 0x5B 0x22 0xB7 0x09 0xAD 0x2D
Configuration last modified by 1.1.1.1 at 3-1-93 00:24:25
Local updater ID is 1.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)
DLS2>show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
40 VLAN0040 active
50 VLAN0050 active
60 VLAN0060 active
Configure MST following these policies:
Create two STP instances: instance1, instance2.
The revision number must be 1.
The MST name must be CLASS.
Instance1 gets VLANs 10, 20, 30.
Instance2 gets VLANs 40, 50, 60 and 1.
The remaining VLANs will be part of instance0.
Instance1 → fastethernet0/6
Instance2 → fastethernet0/7
DLS1 must be Root Bridge for instance1.
DLS2 must be Root Bridge for instance2.
The advantage of MST is that it can map multiple VLANs with the same requirements (same traffic) onto a single STP instance, which translates into lower use of the device's resources.
Note: enabling MST disables RSTP+.
Let us check how many instances exist. For that we use the show spanning-tree command.
DLS1#sh spanning-tree
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 0022.5688.7900
Cost 38
Port 8 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Root FWD 19 128.8 P2p
Fa0/7 Altn BLK 19 128.9 P2p
VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 32778
Address 3037.a6eb.d580
Cost 19
Port 8 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Root FWD 19 128.8 P2p
Fa0/7 Altn BLK 19 128.9 P2p
*
**
VLAN0060
Spanning tree enabled protocol rstp
Root ID Priority 32828
Address 3037.a6eb.d580
Cost 19
Port 8 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32828 (priority 32768 sys-id-ext 60)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Root FWD 19 128.8 P2p
Fa0/7 Altn BLK 19 128.9 P2p
As the previous output shows, STP is running a separate instance for each VLAN, assuming each instance has a different path or flow, even though they all follow the same physical topology. DLS1 and DLS2 will be able to use MST only if both have identical:
Region name
Revision number
VLAN-to-instance assignments
To configure MST we follow these steps:
1. Configure MST globally:
DLS1
spanning-tree mode mst
DLS2
spanning-tree mode mst
DLS2#show spanning-tree vlan 10
MST0
Spanning tree enabled protocol mstp
Root ID Priority 32768
Address 3037.a6eb.d580
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address 3037.a6eb.d580
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Desg FWD 200000 128.8 P2p
Fa0/7 Desg BLK 200000 128.9 P2p
DLS1#sh spanning-tree vlan 10
MST0
Spanning tree enabled protocol mstp
Root ID Priority 32768
Address 3037.a6eb.d580
Cost 0
Port 8 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Root FWD 200000 128.8 P2p
Fa0/7 Altn BLK 200000 128.9 P2p
Note: if no mapping is configured, all VLANs remain in instance 0.
DLS1#sh spanning-tree mst configuration
Name []
Revision 0 Instances configured 1
Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-4094
-------------------------------------------------------------------------------
DLS2#show spanning-tree mst configuration
Name []
Revision 0 Instances configured 1
Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-4094
-------------------------------------------------------------------------------
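The three region parameters the text says must match, as an added example in Python (not IOS code): it builds the VLAN-to-instance map from the policy stated for this section (name CLASS, revision 1, instance 1 = VLANs 10, 20, 30, instance 2 = VLANs 1, 40, 50, 60, everything else left in instance 0 as the note above says), prints it in the `show spanning-tree mst configuration` layout, and compares two switches' regions. The region contents for DLS1 and DLS2 are assumed to be typed identically; the output format is modelled on the tables shown above, and a mismatch in any of the three parameters means the two switches form separate regions with boundary ports between them.

```python
"""MST region parameters and VLAN-to-instance mapping for the policy in this section.

Added example, not IOS code. LAB_INSTANCES is the stated policy (name CLASS,
revision 1); the rendering imitates `show spanning-tree mst configuration`.
"""

MAX_VLAN = 4094


def ios_ranges(vlans) -> str:
    """Compress a VLAN set the way IOS prints it: '1,40,50,60' or '2-9,11-19,...'."""
    vs = sorted(set(vlans))
    parts, i = [], 0
    while i < len(vs):
        j = i
        while j + 1 < len(vs) and vs[j + 1] == vs[j] + 1:
            j += 1                      # extend the run of consecutive ids
        parts.append(str(vs[i]) if i == j else f"{vs[i]}-{vs[j]}")
        i = j + 1
    return ",".join(parts)


def build_mapping(instances):
    """instances: {instance_number: VLANs}. Every VLAN not listed lands in instance 0."""
    mapping, seen = {}, set()
    for inst, vlans in instances.items():
        if inst == 0:
            raise ValueError("instance 0 is implicit; do not map VLANs to it explicitly")
        vset = set(vlans)
        if not all(1 <= v <= MAX_VLAN for v in vset):
            raise ValueError(f"instance {inst}: VLAN id out of range")
        if vset & seen:
            raise ValueError(f"instance {inst}: VLAN already mapped: {sorted(vset & seen)}")
        seen |= vset
        mapping[inst] = vset
    mapping[0] = set(range(1, MAX_VLAN + 1)) - seen
    return mapping


def region(name: str, revision: int, instances):
    return {"name": name, "revision": revision, "mapping": build_mapping(instances)}


def same_region(a, b) -> bool:
    """True only if name, revision and the whole VLAN-to-instance map agree."""
    return (a["name"] == b["name"] and a["revision"] == b["revision"]
            and a["mapping"] == b["mapping"])


def show_mst_configuration(r) -> str:
    lines = [f"Name      [{r['name']}]",
             f"Revision  {r['revision']}     Instances configured {len(r['mapping'])}",
             "Instance  Vlans mapped",
             "--------  " + "-" * 69]
    for inst in sorted(r["mapping"]):
        lines.append(f"{inst:<9} {ios_ranges(r['mapping'][inst])}")
    lines.append("-" * 79)
    return "\n".join(lines)


# the lab policy; assumption: both switches receive exactly this configuration
LAB_INSTANCES = {1: [10, 20, 30], 2: [1, 40, 50, 60]}
DLS1_REGION = region("CLASS", 1, LAB_INSTANCES)
DLS2_REGION = region("CLASS", 1, LAB_INSTANCES)


if __name__ == "__main__":
    print(show_mst_configuration(DLS1_REGION))
    print("same region:", same_region(DLS1_REGION, DLS2_REGION))           # True
    # one side bumped the revision after a change: region split
    print("after revision bump:", same_region(DLS1_REGION, region("CLASS", 2, LAB_INSTANCES)))
```

The usual operational trap is visible in the last line: changing the mapping on one switch and bumping its revision without doing the same on the other splits the region even though the name still matches, and the only symptom is that `show spanning-tree mst` starts reporting boundary ports.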
Note that there is one BID per instance: the instance number is added to 32768, which makes each BID unique.
DLS1#sh spanning-tree bridge
Hello Max Fwd
MST Instance Bridge ID Time Age Dly Protocol
---------------- --------------------------------- ----- --- --- --------
MST0 32768 (32768, 0) e8ba.70cb.f600 2 20 15 mstp
MST1 32769 (32768, 1) e8ba.70cb.f600 2 20 15 mstp
MST2 32770 (32768, 2) e8ba.70cb.f600 2 20 15 mstp
DLS1#show version | include Base
Base ethernet MAC Address : E8:BA:70:CB:F6:00
DLS2#show spanning-tree root
Hello Max Fwd
MST Instance Bridge ID Time Age Dly Protocol
---------------- --------------------------------- ----- --- --- --------
MST0 32768 (32768, 0) 3037.a6eb.d580 2 20 15 mstp
MST1 32769 (32768, 1) 3037.a6eb.d580 2 20 15 mstp
MST2 32770 (32768, 2) 3037.a6eb.d580 2 20 15 mstp
DLS2#show version | include Base
Base ethernet MAC Address : 30:37:A6:EB:D5:80
DLS1 must be Root Bridge for instance1
DLS2 must be Root Bridge for instance2
We can now set priorities working with the bundled VLANs as a single entity, instance 1 and instance 2. The priority must be set in increments of 4096 (0, 4096, 8192, ...).
DLS1(config)#spanning-tree mst 1 priority ?
<0-61440> bridge priority in increments of 4096
DLS1(config)#spanning-tree mst 1 priority 0
DLS1(config)#spanning-tree mst 2 priority 4096
DLS2
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0
DLS1#show version | include Base
Base ethernet MAC Address : E8:BA:70:CB:F6:00
DLS2#show version | include Base
Base ethernet MAC Address : 30:37:A6:EB:D5:80
DLS1#show spanning-tree root
Root Hello Max Fwd
MST Instance Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
MST0 32768 3037.a6eb.d580 200000 2 20 15 Fa0/6
MST1 1 e8ba.70cb.f600 0 2 20 15
MST2 4098 e8ba.70cb.f600 0 2 20 15
DLS2#show spanning-tree root
Root Hello Max Fwd
MST Instance Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
MST0 32768 3037.a6eb.d580 0 2 20 15
MST1 4097 3037.a6eb.d580 0 2 20 15
MST2 2 3037.a6eb.d580 0 2 20 15
DLS1#sh spanning-tree interface fastEthernet 0/6
Mst Instance Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0 Root FWD 200000 128.8 P2p Bound(RSTP)
MST1 Mstr FWD 200000 128.8 P2p Bound(RSTP)
MST2 Mstr FWD 200000 128.8 P2p Bound(RSTP)
DLS1#sh spanning-tree interface fastEthernet 0/7
Mst Instance Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0 Altn BLK 200000 128.9 P2p Bound(RSTP)
MST1 Altn BLK 200000 128.9 P2p Bound(RSTP)
MST2 Altn BLK 200000 128.9 P2p Bound(RSTP)
DLS2#sh spanning-tree interface fastEthernet 0/6
Mst Instance Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0 Desg FWD 200000 128.8 P2p
MST1 Desg FWD 200000 128.8 P2p
MST2 Desg FWD 200000 128.8 P2p
DLS2#sh spanning-tree interface fastEthernet 0/7
Mst Instance Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0 Desg FWD 200000 128.9 P2p
MST1 Desg FWD 200000 128.9 P2p
MST2 Desg FWD 200000 128.9 P2p
We want instance 1 traffic to use Fa0/6 and instance 2 traffic to use Fa0/7.
DLS1
interface FastEthernet0/6
spanning-tree mst 1 port-priority 0
spanning-tree mst 2 port-priority 240
interface FastEthernet0/7
spanning-tree mst 1 port-priority 240
spanning-tree mst 2 port-priority 0
DLS2
interface FastEthernet0/6
spanning-tree mst 1 port-priority 0
spanning-tree mst 2 port-priority 240
interface FastEthernet0/7
spanning-tree mst 1 port-priority 240
spanning-tree mst 2 port-priority 0
Note that instance 1 uses interface Fa0/6 and instance 2 uses Fa0/7.
DLS2#show spanning-tree interface fastEthernet 0/6
Mst Instance Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
MST0 Desg FWD 200000 128.13 P2p
MST1 Root FWD 200000 0.13 P2p
MST2 Desg FWD 200000 240.13 P2p
DLS2#show spanning-tree interface fastEthernet 0/7
Mst Instance Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
MST0 Desg FWD 200000 128.14 P2p
MST1 Altn BLK 200000 240.14 P2p
MST2 Desg FWD 200000 0.14 P2p
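The election behind that result, as an added Python model (not code from the guide). It runs the root-port tie-break DLS2 applies per MST instance with the values the show output reports: both uplinks at cost 200000, DLS1 port numbers 8 and 9, DLS2 port numbers 13 and 14, and the DLS1 bridge MAC from the MST table. The priority that decides is the one on the sender's (designated) port, which is why the guide sets it on DLS1; setting it on DLS2 as well makes the placement hold whichever side is root for a given instance.

```python
"""Root-port election with per-instance port priority (MST / RSTP tie-break).

Added illustration, not code from the lab guide. It models the election DLS2
runs for each MST instance after the port-priority commands above, using the
values the guide's show output reports: both uplinks cost 200000, DLS1's port
numbers 8 (Fa0/6) and 9 (Fa0/7), DLS2's port numbers 13 and 14. The DLS1
bridge ID priority part is irrelevant here because both candidate BPDUs come
from the same bridge; the MAC is the one shown in the MST table above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One BPDU as received on a local port, for one MST instance."""
    local_port: str            # DLS2 port the BPDU arrived on, e.g. "Fa0/6"
    local_port_number: int     # DLS2's own port number (the N in Prio.Nbr)
    root_path_cost: int        # sender's root path cost plus this link's cost
    sender_bridge_id: int      # 64-bit bridge ID of the sender, lower wins
    sender_port_priority: int  # sender's port-priority for this instance
    sender_port_number: int    # sender's port number


def port_id(priority: int, number: int) -> int:
    """Build the 16-bit 802.1D port identifier Cisco prints as 'priority.number'.

    The priority occupies the top 4 bits, so IOS only accepts 0..240 in steps
    of 16 and stores priority // 16; the port number fills the low 12 bits.
    """
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port-priority must be 0..240 in steps of 16")
    return ((priority // 16) << 12) | (number & 0xFFF)


def select_root_port(candidates) -> str:
    """Return the local port elected Root port for one instance.

    Tie-break order, as in 802.1D/802.1Q: lowest root path cost, then lowest
    sender bridge ID, then lowest sender port ID, then lowest receiving port ID.
    The sender's port ID is what makes 'spanning-tree mst N port-priority' on
    the upstream (designated) side steer the downstream switch's choice.
    """
    return min(
        candidates,
        key=lambda c: (
            c.root_path_cost,
            c.sender_bridge_id,
            port_id(c.sender_port_priority, c.sender_port_number),
            c.local_port_number,
        ),
    ).local_port


LINK_COST = 200000                                  # 100 Mb/s, long path-cost method
DLS1_BRIDGE_ID = (32768 << 48) | 0x3037A6EBD580     # priority.MAC as shown for MST0
DLS1_PORT_NUMBER = {"Fa0/6": 8, "Fa0/7": 9}         # DLS1 'Prio.Nbr' 128.8 / 128.9
DLS2_PORT_NUMBER = {"Fa0/6": 13, "Fa0/7": 14}       # DLS2 'Prio.Nbr' x.13 / x.14

# Per-instance port-priority as configured on DLS1 (the BPDU sender).
DEFAULT_PRIORITIES = {1: {"Fa0/6": 128, "Fa0/7": 128}, 2: {"Fa0/6": 128, "Fa0/7": 128}}
LAB_PRIORITIES = {1: {"Fa0/6": 0, "Fa0/7": 240}, 2: {"Fa0/6": 240, "Fa0/7": 0}}


def dls2_root_ports(dls1_port_priority) -> dict:
    """Elect DLS2's Root port for every instance in dls1_port_priority."""
    elected = {}
    for instance, prios in dls1_port_priority.items():
        candidates = [
            Candidate(port, DLS2_PORT_NUMBER[port], LINK_COST, DLS1_BRIDGE_ID,
                      prios[port], DLS1_PORT_NUMBER[port])
            for port in ("Fa0/6", "Fa0/7")
        ]
        elected[instance] = select_root_port(candidates)
    return elected


if __name__ == "__main__":
    print("defaults :", dls2_root_ports(DEFAULT_PRIORITIES))  # both instances on Fa0/6
    print("lab      :", dls2_root_ports(LAB_PRIORITIES))      # MSTI 1 Fa0/6, MSTI 2 Fa0/7
```

With default priorities the tie falls through to the lowest sender port number, which is why every instance sat on Fa0/6 before the change. Nothing in this election authenticates the BPDUs: any device that can inject a better BPDU on an access port rearranges it, which is the reason PortFast access ports are normally paired with BPDU guard.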
InterVLAN Routing using an L3 switch
On DLS1 create VLANs 10 and 20. Then create the VLAN interface (SVI) corresponding to each VLAN
created.
Assign the access VLANs as shown in the figure. Keep STP from transitioning through the
listening/learning states on access ports Fa0/1 and Fa0/8.
Configure the PCs as shown in the figure and set the SVI as the default gateway. Verify
connectivity.
DLS1
vlan 10,20
interface Vlan10
ip address 10.0.0.1 255.255.255.0
no shut
interface Vlan20
ip address 20.0.0.1 255.255.255.0
no shut
DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
Assign the access VLANs as shown in the figure. Keep STP from transitioning through the
listening/learning states on access ports Fa0/1 and Fa0/8.
DLS1
interface FastEthernet0/1
description ***a PC1***
switchport access vlan 10
switchport mode access
spanning-tree portfast
no shutdown
interface FastEthernet0/8
description ***a PC2***
switchport access vlan 20
switchport mode access
spanning-tree portfast
no shutdown
DLS1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
DLS1#ping 20.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
PC1
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=3ms TTL=255
Reply from 10.0.0.1: bytes=32 time=1ms TTL=255
Reply from 10.0.0.1: bytes=32 time=1ms TTL=255
Reply from 10.0.0.1: bytes=32 time<1ms TTL=255
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 3ms, Average = 1ms
PC2
C:\>ping 20.0.0.1
Pinging 20.0.0.1 with 32 bytes of data:
Reply from 20.0.0.1: bytes=32 time=28ms TTL=255
Reply from 20.0.0.1: bytes=32 time=2ms TTL=255
Reply from 20.0.0.1: bytes=32 time=2ms TTL=255
Reply from 20.0.0.1: bytes=32 time=1ms TTL=255
Ping statistics for 20.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 28ms, Average = 8ms
Enable routing on the switch. Until ip routing is enabled, the switch answers pings on its SVIs but does not forward traffic between VLAN 10 and VLAN 20.
DLS1
ip routing
DLS1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.0.0.0 is directly connected, Vlan20
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Vlan10
Create a default route on the PCs.
Verify connectivity between PC1 (VLAN 10) and PC2 (VLAN 20).
PC1
C:\>route add 0.0.0.0 mask 0.0.0.0 10.0.0.1
PC2
C:\>route add 0.0.0.0 mask 0.0.0.0 20.0.0.1
PC1
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 24 8c cd 2a 2a ...... SiS191 Ethernet Controller - Packet Scheduler Miniport
0x3 ...08 00 27 00 f0 c5 ...... VirtualBox Host-Only Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 1
PC2
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...0c ee e6 a0 33 43 ...... Broadcom 802.11g Network Adapter - Packet Scheduler Miniport
0x10004 ...00 26 22 70 6d df ...... Atheros AR8132 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 20.0.0.1 20.0.0.2 1
PC1
C:\>ping 20.0.0.2
Pinging 20.0.0.2 with 32 bytes of data:
Reply from 20.0.0.2: bytes=32 time=1ms TTL=127
Reply from 20.0.0.2: bytes=32 time<1ms TTL=127
Reply from 20.0.0.2: bytes=32 time<1ms TTL=127
Reply from 20.0.0.2: bytes=32 time<1ms TTL=127
Ping statistics for 20.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
PC2
C:\>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time<1ms TTL=127
Reply from 10.0.0.2: bytes=32 time<1ms TTL=127
Reply from 10.0.0.2: bytes=32 time<1ms TTL=127
Reply from 10.0.0.2: bytes=32 time<1ms TTL=127
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
InterVLAN Routing between L2/L3 switches
Configure the four switches according to the following requirements:
- VTP domain duoc
- VTP version 2
- DLS1 → VTP Server, DLS2 → VTP Client, ALS2 → VTP Client, ALS1 → VTP Client - Domain duoc
Configure Link Aggregation as shown in the figure; do not use negotiation on the port channels, except on
Po2 DLS2-ALS2. Configure the trunks with 802.1q encapsulation.
DLS1 must create VLANs 10 and 20. Verify that these VLANs plus the default VLAN are "visible" on the
other switches (DLS2, ALS1 and ALS2).
Configure the access ports on the L2 switches as shown in the figure, assigning the corresponding
VLAN. Keep STP from transitioning through the listening/learning states.
Create the SVIs on each L3 switch. Enable routing.
Assign the addressing shown to the PCs. Additionally, create a default route pointing to the DG.
Verify connectivity between PC1 (VLAN 10) and PC2 (VLAN 20).
Configure the PCs as shown in the figure and set the IP of the VLAN interface as the default gateway.
Verify connectivity.
Configure the four switches according to the following requirements:
- VTP domain i29
- VTP version 2
- DLS1 → VTP Server, DLS2 → VTP Client, ALS2 → VTP Client, ALS1 → VTP Client.
Configure Link Aggregation as shown in the figure; do not use negotiation on the port channels, except on
Po2 DLS2-ALS2. Configure the trunks with 802.1q encapsulation. Only the default VLAN, 10 and
20 are allowed.
DLS1
vtp mode server
vtp domain i29
vtp version 2
DLS2
vtp mode client
vtp domain i29
vtp version 2
ALS1
vtp mode client
vtp domain i29
vtp version 2
ALS2
vtp mode client
vtp domain i29
vtp version 2
DLS1
default interface range fastEthernet 0/2-3 , fastEthernet 0/6-7
interface range fastEthernet 0/2-3
channel-group 1 mode on
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate
interface range fastEthernet 0/6-7
channel-group 12 mode on
interface Port-channel12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate
DLS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/6-7 , fastEthernet 0/13-20
interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
channel-group 2 mode active
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate
interface range fastEthernet 0/6-7
channel-group 12 mode on
interface Port-channel12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate
DLS2#show etherchannel 12 summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) - Fa0/6(P) Fa0/7(P)
ALS1
default interface range fastEthernet 0/2-3
interface range fastEthernet 0/2-3
channel-group 1 mode on
interface Port-channel1
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate
DLS1#sh etherchannel 1 summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Fa0/2(P) Fa0/3(P)
ALS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
channel-group 2 mode active
interface Port-channel2
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate
ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
2 Po2(SU) LACP Fa0/2(P) Fa0/3(P) Fa0/13(P)
Fa0/14(P) Fa0/15(P) Fa0/16(P)
Fa0/17(P) Fa0/18(P) Fa0/19(H)
Fa0/20(H)
DLS1 must create VLANs 10 and 20. Verify that these VLANs plus the default VLAN are "visible" on the
other switches (DLS2, ALS1 and ALS2).
Configure the access ports on the L2 switches as shown in the figure, assigning the corresponding
VLAN. Keep STP from transitioning through the listening/learning states.
DLS1
vlan 10,20
DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
DLS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
ALS1
interface FastEthernet0/23
switchport access vlan 10
switchport mode access
spanning-tree portfast
ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active Fa0/23
20 VLAN0020 active
ALS2
interface FastEthernet0/23
switchport access vlan 20
switchport mode access
spanning-tree portfast
ALS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/24, Gi0/1
Gi0/2
10 VLAN0010 active
20 VLAN0020 active Fa0/23
Create the SVIs on each L3 switch (see figure). Enable routing.
Assign the addressing shown to the PCs.
DLS1
interface Vlan10
ip address 10.0.0.1 255.255.255.0
interface Vlan20
ip address 20.0.0.1 255.255.255.0
DLS2
interface Vlan10
ip address 10.0.0.2 255.255.255.0
interface Vlan20
ip address 20.0.0.2 255.255.255.0
DLS2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
DLS2#ping 20.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
DLS1
ip routing
DLS2
ip routing
PC1
C:\>ping 20.0.0.10
Pinging 20.0.0.10 with 32 bytes of data:
Reply from 20.0.0.10: bytes=32 time<1ms TTL=127
Reply from 20.0.0.10: bytes=32 time<1ms TTL=127
Reply from 20.0.0.10: bytes=32 time<1ms TTL=127
Reply from 20.0.0.10: bytes=32 time<1ms TTL=127
Ping statistics for 20.0.0.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
IP DHCP
Continuation of the previous lab.
Disable Po12.
On DLS1 create VLAN 100 plus SVI 100 using IP address 100.1.1.1/24. It must be allowed on
Po1 DLS1/ALS1.
Configure DHCP on DLS1 with the following characteristics:
- Pool ABCD 100.1.1.0/24
- Default router 100.1.1.1
- Infinite lease.
- The range 100.1.1.1 to 100.1.1.20 must be excluded.
On ALS1 assign VLAN 100 to port Fa0/23 (access port).
DLS1
vlan 100
interface Vlan100
ip address 100.1.1.1 255.255.255.0
ip dhcp excluded-address 100.1.1.1 100.1.1.20
ip dhcp pool ABCD
network 100.1.1.0 255.255.255.0
default-router 100.1.1.1
lease infinite
interface port-channel 1
switchport trunk allowed vlan add 100
DLS1#sh running-config interface port-channel 1
Building configuration...
Current configuration : 159 bytes
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,100
switchport mode trunk
switchport nonegotiate
ALS1
interface port-channel 1
switchport trunk allowed vlan add 100
ALS1#sh running-config interface port-channel 1
Building configuration...
Current configuration : 121 bytes
!
interface Port-channel1
switchport trunk allowed vlan 1,10,20,100
switchport mode trunk
switchport nonegotiate
ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active Fa0/23
20 VLAN0020 active
100 VLAN0100 active
ALS1
default interface fastEthernet 0/23
interface FastEthernet0/23
switchport access vlan 100
switchport mode access
spanning-tree portfast
Connect PC1 to port Fa0/23 and use the command debug ip dhcp server packet to watch the DHCP
negotiation between client and server. The client first asks (DHCPREQUEST) for the address it held on its previous subnet and is refused with a DHCPNAK; it then starts over with DHCPDISCOVER, and the first free address after the excluded range, 100.1.1.21, is offered and acknowledged.
DLS1#debug ip dhcp server packet
DHCP server packet debugging is on.
*Mar 1 01:25:03.142: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:03.142: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:03.142: DHCPD: client's VPN is .
*Mar 1 01:25:03.142: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:03.142: DHCPD: client has moved to a new subnet.
*Mar 1 01:25:03.142: DHCPD: Sending DHCPNAK to client 0100.248c.cd2a.2a.
*Mar 1 01:25:03.142: DHCPD: broadcasting BOOTREPLY to client 0024.8ccd.2a2a.
*Mar 1 01:25:04.140: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:04.140: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:04.140: DHCPD: client's VPN is .
*Mar 1 01:25:04.140: DHCPD: using received relay info.
*Mar 1 01:25:04.140: DHCPD: DHCPDISCOVER received from client 0100.248c.cd2a.2a on interface Vlan100.
*Mar 1 01:25:04.140: DHCPD: using received relay info.
*Mar 1 01:25:06.153: DHCPD: Sending DHCPOFFER to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar 1 01:25:06.153: DHCPD: Check for IPe on Vlan100
*Mar 1 01:25:06.153: DHCPD: creating ARP entry (100.1.1.21, 0024.8ccd.2a2a).
*Mar 1 01:25:06.153: DHCPD: unicasting BOOTREPLY to client 0024.8ccd.2a2a (100.1.1.21).
*Mar 1 01:25:06.162: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:06.162: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:06.162: DHCPD: client's VPN is .
*Mar 1 01:25:06.162: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:06.162: DHCPD: Sending DHCPACK to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar 1 01:25:06.162: DHCPD: Check for IPe on Vlan100
*Mar 1 01:25:06.162: DHCPD: creating ARP entry (100.1.1.21, 0024.8ccd.2a2a).
*Mar 1 01:25:06.162: DHCPD: unicasting BOOTREPLY to client 0024.8ccd.2a2a (100.1.1.21).
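The same exchange reconstructed from the debug lines by a script, as an added Python example (not part of the guide). It parses the server-side messages into a per-client sequence, decodes the client identifier IOS prints (01 + MAC) and checks the leased address against the pool and excluded range configured above. The sample lines are the ones DLS1 printed, copied with the interleaved prompt removed.

```python
"""Reconstruct the DHCP exchange from 'debug ip dhcp server packet' output.

Added example, not from the guide. It parses the server-side debug lines
into a per-client message sequence, decodes the client identifier into the
MAC address, and checks the leased address against the pool definition
(network 100.1.1.0/24, excluded 100.1.1.1-100.1.1.20). The sample lines are
the ones printed on DLS1 above, with the interleaved 'DLS1#' prompt removed.
"""
import ipaddress
import re

LINE_RE = re.compile(r"^\*?(\w{3}\s+\d+\s+[\d:.]+): DHCPD: (.*)$")
RECV_RE = re.compile(r"^(DHCP[A-Z]+) received from client (\S+?)(?: on interface (\S+))?\.$")
SEND_RE = re.compile(r"^Sending (DHCP[A-Z]+) to client (\S+?)(?: \((\S+)\))?\.$")


def parse_dhcp_debug(text: str) -> list:
    """Return one dict per DHCP message: ts, msg, client, iface, ip.
    Housekeeping lines (workspace reload, VPN, relay info) are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, body = m.groups()
        r = RECV_RE.match(body)
        s = SEND_RE.match(body)
        if r:
            msg, client, iface = r.groups()
            events.append({"ts": ts, "msg": msg, "client": client, "iface": iface, "ip": None})
        elif s:
            msg, client, ip = s.groups()
            events.append({"ts": ts, "msg": msg, "client": client, "iface": None, "ip": ip})
    return events


def client_mac(client_id: str) -> str:
    """IOS prints the client-id as '01' (hardware type Ethernet) followed by the
    MAC, dotted in groups of four hex digits: 0100.248c.cd2a.2a -> 00:24:8c:cd:2a:2a."""
    digits = client_id.replace(".", "")
    if len(digits) != 14 or digits[:2] != "01":
        raise ValueError(f"not an Ethernet client-id: {client_id}")
    mac = digits[2:]
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def transactions(events: list) -> dict:
    """Group messages per client: {client: {"sequence": [...], "lease": ip or None,
    "nak": bool}}; the lease is the address carried by the last DHCPACK."""
    out = {}
    for e in events:
        t = out.setdefault(e["client"], {"sequence": [], "lease": None, "nak": False})
        t["sequence"].append(e["msg"])
        if e["msg"] == "DHCPNAK":
            t["nak"] = True
        if e["msg"] == "DHCPACK":
            t["lease"] = e["ip"]
    return out


def check_lease(ip: str, network: str, excluded: list) -> list:
    """Return the reasons a leased address violates the pool definition (empty = OK)."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(network)
    problems = []
    if addr not in net:
        problems.append(f"{ip} is outside pool network {network}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    for low, high in excluded:
        if ipaddress.ip_address(low) <= addr <= ipaddress.ip_address(high):
            problems.append(f"{ip} lies in excluded range {low}-{high}")
    return problems


# Constructed from the guide's debug output (prompt fragments removed).
DLS1_DEBUG = """\
*Mar  1 01:25:03.142: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar  1 01:25:03.142: DHCPD: client has moved to a new subnet.
*Mar  1 01:25:03.142: DHCPD: Sending DHCPNAK to client 0100.248c.cd2a.2a.
*Mar  1 01:25:04.140: DHCPD: DHCPDISCOVER received from client 0100.248c.cd2a.2a on interface Vlan100.
*Mar  1 01:25:06.153: DHCPD: Sending DHCPOFFER to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar  1 01:25:06.162: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar  1 01:25:06.162: DHCPD: Sending DHCPACK to client 0100.248c.cd2a.2a (100.1.1.21).
"""

POOL_NETWORK = "100.1.1.0/24"
EXCLUDED = [("100.1.1.1", "100.1.1.20")]

if __name__ == "__main__":
    for client, t in transactions(parse_dhcp_debug(DLS1_DEBUG)).items():
        print(client_mac(client), " -> ".join(t["sequence"]), t["lease"],
              check_lease(t["lease"], POOL_NETWORK, EXCLUDED) or "lease OK")
```

The decoded MAC 00:24:8c:cd:2a:2a is the SiS191 adapter listed in PC1's route print output earlier in the guide, a useful cross-check when several clients share a VLAN. The parser only sees this server's view: an offer from any other DHCP server on VLAN 100 never appears in these lines, so it cannot replace DHCP snooping on the access switch.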
InterVLAN Routing with HSRP on L3 switches
Objectives:
Configure InterVLAN routing using HSRP for redundancy and fault tolerance (of the DG).
VLAN  HSRP GW Address
1     1.1.1.1/24
10    10.0.0.1/24
20    20.0.0.1/24
30    30.0.0.1/24
40    40.0.0.1/24
Configure EtherChannel as shown in the figure. Use LACP. Use 802.1q as the trunking protocol.
DLS1
default interface range fastEthernet 0/2-7
interface range fastEthernet 0/2-3
channel-group 1 mode active
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
interface range fastEthernet 0/4-5
channel-group 2 mode active
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
interface range fastEthernet 0/6-7
channel-group 3 mode active
interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
DLS2
default interface range fastEthernet 0/2-7
interface range fastEthernet 0/2-3
channel-group 1 mode active
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
interface range fastEthernet 0/4-5
channel-group 2 mode active
interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
interface range fastEthernet 0/6-7
channel-group 3 mode active
interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
DLS2#show etherchannel 3 summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
3 Po3(SU) LACP Fa0/6(P) Fa0/7(P)
ALS1
default interface range fastEthernet 0/2-7
interface range fastEthernet 0/2-3
channel-group 1 mode active
interface Port-channel1
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
interface range fastEthernet 0/4-5
channel-group 2 mode active
interface Port-channel2
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
interface range fastEthernet 0/6-7
channel-group 3 mode active
interface Port-channel3
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
ALS1#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/2(P) Fa0/3(P)
2 Po2(SU) LACP Fa0/4(P) Fa0/5(P)
3 Po3(SD) LACP Fa0/6(I) Fa0/7(I)
ALS2
default interface range fastEthernet 0/2-7
interface range fastEthernet 0/2-3
channel-group 1 mode active
interface Port-channel1
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
interface range fastEthernet 0/4-5
channel-group 2 mode active
interface Port-channel2
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
interface range fastEthernet 0/6-7
channel-group 3 mode active
interface Port-channel3
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk
ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/2(P) Fa0/3(P)
2 Po2(SU) LACP Fa0/4(P) Fa0/5(P)
3 Po3(SU) LACP Fa0/6(P) Fa0/7(P)
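A check a practitioner runs over this output, as an added Python example (not code from the guide). It parses show etherchannel summary and flags what the summaries above show: ALS1's Po3 in (SD) with both members stand-alone (I), the two hot-standby (H) members of ALS2's ten-port Po2 in the earlier lab (LACP bundles at most eight active links), and channels built with mode on, where no protocol tells either side that the peer is misconfigured. The sample texts are copied from the guide's own output.

```python
"""Audit 'show etherchannel summary' output for members that are not bundled.

Added example, not from the guide. The parser takes the text IOS prints and
the audit flags what a practitioner looks for: a Port-channel that is not
(SU), members in stand-alone (I), suspended (s), down (D) or hot-standby (H)
state, and channels bundled with 'mode on' (no protocol), where the peer
cannot tell you its side is misconfigured. The sample outputs are copied
from the guide (ALS1 and ALS2 above, DLS2 from the earlier lab).
"""
import re

GROUP_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"([A-Za-z]+\d+/\d+)\(([A-Za-z]+)\)")

PORT_FLAG_TEXT = {
    "I": "stand-alone: carrying traffic as an individual link outside the bundle",
    "s": "suspended: settings incompatible with the other members",
    "D": "down",
    "H": "hot-standby: beyond LACP's 8 active links, idle until an active member fails",
    "w": "waiting to be aggregated",
    "u": "unsuitable for bundling",
}


def parse_etherchannel_summary(text: str) -> dict:
    """Return {group_number: {"po", "flags", "protocol", "ports": {name: flag}}}.

    Port lists wrap onto indented continuation lines, which are folded into the
    current group. Everything before the '------+' separator (the flag legend
    and counters) is skipped.
    """
    groups, current, in_table = {}, None, False
    for line in text.splitlines():
        if line.startswith("------+"):
            in_table = True
            continue
        if not in_table:
            continue
        m = GROUP_RE.match(line)
        if m:
            number, po, flags, protocol, rest = m.groups()
            current = {"po": po, "flags": flags,
                       "protocol": "" if protocol == "-" else protocol,
                       "ports": dict(PORT_RE.findall(rest))}
            groups[int(number)] = current
        elif current is not None and line.strip():
            current["ports"].update(PORT_RE.findall(line))
    return groups


def audit_etherchannel(groups: dict, switch: str = "") -> list:
    """Return human-readable findings; an empty list means every channel is clean."""
    findings = []
    for number in sorted(groups):
        g = groups[number]
        where = f"{switch} {g['po']}".strip()
        if "U" not in g["flags"]:
            findings.append(f"{where}: not in use, flags ({g['flags']})")
        if not g["protocol"]:
            findings.append(f"{where}: bundled with 'mode on', no LACP/PAgP to detect a mismatched peer")
        for port, flag in g["ports"].items():
            if flag != "P":
                findings.append(f"{where}: {port} ({flag}) {PORT_FLAG_TEXT.get(flag, 'unexpected state')}")
    return findings


# Constructed from the guide's own show output.
ALS1_SUMMARY = """\
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      f - failed to allocate aggregator
Number of channel-groups in use: 3
Number of aggregators:           3
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/2(P)    Fa0/3(P)
2      Po2(SU)         LACP      Fa0/4(P)    Fa0/5(P)
3      Po3(SD)         LACP      Fa0/6(I)    Fa0/7(I)
"""

ALS2_SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)         LACP      Fa0/2(P)    Fa0/3(P)    Fa0/13(P)
                                 Fa0/14(P)   Fa0/15(P)   Fa0/16(P)
                                 Fa0/17(P)   Fa0/18(P)   Fa0/19(H)
                                 Fa0/20(H)
"""

DLS2_SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(SU)         -        Fa0/6(P)    Fa0/7(P)
"""

if __name__ == "__main__":
    for name, text in (("ALS1", ALS1_SUMMARY), ("ALS2", ALS2_SUMMARY), ("DLS2", DLS2_SUMMARY)):
        for finding in audit_etherchannel(parse_etherchannel_summary(text), name):
            print(finding)
```

Stand-alone (I) on an LACP channel means the peer never answered LACP on that link, for example because the other end is not cabled, not up, or configured with mode on; those ports forward as ordinary individual trunks, so STP rather than the bundle is what keeps them loop-free.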
DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Po2 on 802.1q trunking 1
Po3 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 1,10,20,30,40
Po2 1,10,20,30,40
Po3 1,10,20,30,40
Port Vlans allowed and active in management domain
Po1 1
Po2 1
Po3 1
Port Vlans in spanning tree forwarding state and not pruned
Po1 none
Po2 1
Po3 none
Configure DLS2, ALS1 and ALS2 in VTP client mode.
On DLS1 use the VTP domain duoc.cl, and create the VLANs shown in the figure with their corresponding
names. Verify that all VLANs are visible on all switches.
DLS2
vtp mode client
ALS1
vtp mode client
ALS2
vtp mode client
ALS2#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
VTP Operating Mode : Client
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
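Why the Configuration Revision of 0 and the empty domain on ALS2 matter, as an added Python model (not code from the guide). It applies the acceptance rule every VTP server and client uses for a summary advertisement (same domain, MD5 digest verifies, higher revision wins) and shows both the clean join ALS2 performs above and the failure mode a practitioner guards against: a reused switch, even a client, arriving with a higher revision replaces the server's VLAN database, unless the domain password makes its digest fail. The hash here is a stand-in over the same inputs, not the wire format; the stale switch's name and revision are assumptions.

```python
"""VTP advertisement handling, modelled to show the revision-number hazard.

Added example, not from the guide. It mirrors the rule every VTP server and
client applies to a received summary advertisement: same domain name, MD5
digest (which covers the domain password) verifies, and a Configuration
Revision higher than its own, in which case the local VLAN database is
replaced. The hashing here is a stand-in over the same inputs, not the wire
format; switch names and the stale switch's revision are assumptions.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str = ""                # empty = null domain, adopts the first one heard
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    @staticmethod
    def digest(domain: str, revision: int, vlans: dict, password: str) -> str:
        """MD5 over domain, revision, VLAN list and the shared secret.

        A peer with a different password cannot produce a matching digest, so
        its advertisement is discarded before the revision is even compared.
        """
        body = f"{domain}|{revision}|{sorted(vlans.items())}|{password}".encode()
        return hashlib.md5(body).hexdigest()

    def advertise(self) -> dict:
        """Summary advertisement as sent out all trunks."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans),
                "digest": self.digest(self.domain, self.revision, self.vlans, self.password)}

    def receive(self, adv: dict) -> str:
        """Apply the acceptance rule and report what happened."""
        if self.mode == "transparent":
            return "ignored: transparent mode"
        if self.domain and adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["digest"] != self.digest(adv["domain"], adv["revision"], adv["vlans"], self.password):
            return "ignored: MD5 digest mismatch"
        if not self.domain:
            self.domain = adv["domain"]     # null-domain switch joins the domain it hears
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher"
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return "applied: VLAN database replaced"

    def add_vlan(self, number: int, name: str) -> None:
        """Servers edit the database; every change bumps the revision by one."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a VTP {self.mode}, VLANs cannot be created here")
        self.vlans[number] = name
        self.revision += 1


def build_dls1(password: str = "") -> VtpSwitch:
    """DLS1 as the guide configures it: server, domain duoc.cl, VLANs 10-40."""
    dls1 = VtpSwitch("DLS1", "server", "duoc.cl", password)
    for number, name in ((10, "CONTROL"), (20, "RRHH"), (30, "SMTP"), (40, "WWW")):
        dls1.add_vlan(number, name)
    return dls1


def fresh_client_joins() -> tuple:
    """ALS2 as in the guide: client, no domain, revision 0; it learns from DLS1."""
    dls1 = build_dls1()
    als2 = VtpSwitch("ALS2", "client")
    result = als2.receive(dls1.advertise())
    return result, als2.domain, als2.revision, sorted(als2.vlans)


def stale_switch_joins(password_on_dls1: str = "", password_on_stale: str = "") -> tuple:
    """A reused 'client' that still carries revision 9 from another deployment
    (assumed value) is plugged into a trunk. Returns (DLS1 result, DLS1 VLANs)."""
    dls1 = build_dls1(password_on_dls1)
    stale = VtpSwitch("ALS-old", "client", "duoc.cl", password_on_stale,
                      revision=9, vlans={1: "default"})
    result = dls1.receive(stale.advertise())
    return result, sorted(dls1.vlans)


if __name__ == "__main__":
    print(fresh_client_joins())
    print(stale_switch_joins())               # DLS1 loses VLANs 10-40
    print(stale_switch_joins("s3cret", ""))   # digest mismatch, DLS1 keeps them
```

Client mode stops VLANs from being created on a switch; it does not stop that switch from propagating a higher revision. Before cabling a previously used switch into the domain, reset its revision (changing its domain name or setting transparent mode does that) and confirm with show vtp status that it reads 0, as ALS2's does above.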
DLS1
vtp domain duoc.cl
vlan 10
name CONTROL
vlan 20
name RRHH
vlan 30
name SMTP
vlan 40
name WWW
DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 CONTROL active
20 RRHH active
30 SMTP active
40 WWW active
ALS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 CONTROL active
20 RRHH active
30 SMTP active
40 WWW active
ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 CONTROL active
20 RRHH active
30 SMTP active
40 WWW active
DLS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 CONTROL active
20 RRHH active
30 SMTP active
40 WWW active
Configure the access ports on each switch with their corresponding VLAN. These ports must not
transition through the STP states (listening, learning).
DLS1
interface FastEthernet0/1
switchport access vlan 30
switchport mode access
spanning-tree portfast
DLS2
interface FastEthernet0/1
switchport access vlan 40
switchport mode access
spanning-tree portfast
ALS1
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
ALS2
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
spanning-tree portfast
Configure the hosts according to the addressing shown. Only two examples are included below: an
access port in VLAN 10 and an access port in VLAN 40.
InterVLANs
Provide end-to-end connectivity between VLANs. Create the SVIs that will be used as the D-GW.
DLS1
ip routing
interface Vlan10
ip address 10.0.0.1 255.255.255.0
interface Vlan20
ip address 20.0.0.1 255.255.255.0
interface Vlan30
ip address 30.0.0.1 255.255.255.0
interface Vlan40
ip address 40.0.0.1 255.255.255.0
DLS2
ip routing
interface Vlan10
ip address 10.0.0.2 255.255.255.0
interface Vlan20
ip address 20.0.0.2 255.255.255.0
interface Vlan30
ip address 30.0.0.2 255.255.255.0
interface Vlan40
ip address 40.0.0.2 255.255.255.0
Test connectivity to the SVI interfaces and then between sites.
Disable the firewall on the PCs or create an exception.
Server WWW
C:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 40.0.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 40.0.0.1
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=23ms TTL=255
Reply from 10.0.0.1: bytes=32 time=1ms TTL=255
Reply from 10.0.0.1: bytes=32 time=2ms TTL=255
Reply from 10.0.0.1: bytes=32 time=6ms TTL=255
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 23ms, Average = 8ms
C:\>ping 20.0.0.1
Pinging 20.0.0.1 with 32 bytes of data:
Reply from 20.0.0.1: bytes=32 time=1ms TTL=255
Reply from 20.0.0.1: bytes=32 time=2ms TTL=255
Reply from 20.0.0.1: bytes=32 time<1ms TTL=255
Reply from 20.0.0.1: bytes=32 time=2ms TTL=255
Ping statistics for 20.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms
C:\>ping 30.0.0.1
Pinging 30.0.0.1 with 32 bytes of data:
Reply from 30.0.0.1: bytes=32 time=2ms TTL=255
Reply from 30.0.0.1: bytes=32 time=2ms TTL=255
Reply from 30.0.0.1: bytes=32 time=1ms TTL=255
Reply from 30.0.0.1: bytes=32 time=6ms TTL=255
Ping statistics for 30.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 6ms, Average = 2ms
C:\>ping 40.0.0.1
Pinging 40.0.0.1 with 32 bytes of data:
Reply from 40.0.0.1: bytes=32 time=1ms TTL=255
Reply from 40.0.0.1: bytes=32 time=2ms TTL=255
Reply from 40.0.0.1: bytes=32 time<1ms TTL=255
Reply from 40.0.0.1: bytes=32 time=1ms TTL=255
Ping statistics for 40.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms
interface Vlan40
ip address 40.0.0.1 255.255.255.0
standby 1 ip 40.0.0.100
standby 1 priority 100
standby 1 preempt
DLS1#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 101 P Active local unknown 1.1.1.100
Vl10 1 101 P Active local unknown 10.0.0.100
Vl20 1 101 P Active local unknown 20.0.0.100
Vl30 1 100 P Active local unknown 30.0.0.100
Vl40 1 100 P Active local unknown 40.0.0.100
DLS2
interface Vlan1
standby 1 ip 1.1.1.100
standby 1 priority 100
standby 1 preempt
interface Vlan10
standby 1 ip 10.0.0.100
standby 1 priority 100
standby 1 preempt
interface Vlan20
standby 1 ip 20.0.0.100
standby 1 priority 100
standby 1 preempt
interface Vlan30
standby 1 ip 30.0.0.100
standby 1 priority 101
standby 1 preempt
interface Vlan40
standby 1 ip 40.0.0.100
standby 1 priority 101
standby 1 preempt
DLS1
*Mar 1 05:59:39.701: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Active -> Speak
*Mar 1 05:59:39.919: %HSRP-5-STATECHANGE: Vlan40 Grp 1 state Active -> Speak
*Mar 1 05:59:50.581: %HSRP-5-STATECHANGE: Vlan40 Grp 1 state Speak -> Standby
*Mar 1 05:59:50.883: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Speak -> Standby
DLS1#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 101 P Active local 1.1.1.2 1.1.1.100
Vl10 1 101 P Active local 10.0.0.2 10.0.0.100
Vl20 1 101 P Active local 20.0.0.2 20.0.0.100
Vl30 1 100 P Standby 30.0.0.2 local 30.0.0.100
Vl40 1 100 P Standby 40.0.0.2 local 40.0.0.100
DLS1#sh standby
Vlan1 - Group 1
State is Active
2 state changes, last state change 00:24:00
Virtual IP address is 1.1.1.100
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.048 secs
Preemption enabled
Active router is local
Standby router is 1.1.1.2, priority 100 (expires in 10.112 sec)
Priority 101 (configured 101)
Group name is "hsrp-Vl1-1" (default)
Vlan10 - Group 1
State is Active
2 state changes, last state change 00:20:47
Virtual IP address is 10.0.0.100
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.416 secs
Preemption enabled
Active router is local
Standby router is 10.0.0.2, priority 100 (expires in 9.664 sec)
Priority 101 (configured 101)
Group name is "hsrp-Vl10-1" (default)
Vlan20 - Group 1
State is Active
2 state changes, last state change 00:20:48
Virtual IP address is 20.0.0.100
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.368 secs
Preemption enabled
Active router is local
Standby router is 20.0.0.2, priority 100 (expires in 8.144 sec)
Priority 101 (configured 101)
Group name is "hsrp-Vl20-1" (default)
Vlan30 - Group 1
State is Standby
4 state changes, last state change 00:11:23
Virtual IP address is 30.0.0.100
HSRP using Routers
Pre LAB
Build the lab shown in the diagram.
The base/initial configurations must be loaded before continuing with the lab.
Establish connectivity between sites using static routing.
R1 must point to the gateway 172.16.1.100 (Virtual IP)
R6 must point to the gateway 172.16.2.100 (Virtual IP)
Site 1
R1
ip route 0.0.0.0 0.0.0.0 172.16.1.100
R2
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.24.4
ip route 100.6.6.6 255.255.255.255 10.1.24.4
R3
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.35.5
ip route 100.6.6.6 255.255.255.255 10.1.35.5
Site 2
R6
ip route 0.0.0.0 0.0.0.0 172.16.2.100
R4
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.24.2
ip route 100.1.1.1 255.255.255.255 10.1.24.2
R5
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.35.3
ip route 100.1.1.1 255.255.255.255 10.1.35.3
R2#sh ip route static
100.0.0.0/32 is subnetted, 2 subnets
S 100.6.6.6 [1/0] via 10.1.24.4
S 100.1.1.1 [1/0] via 172.16.1.1
172.16.0.0/24 is subnetted, 2 subnets
S 172.16.2.0 [1/0] via 10.1.24.4
Configure R2 as the HSRP active router and R3 as backup (STANDBY).
Configure R4 as the HSRP active router and R5 as backup (STANDBY).
A backup router must take the active role if:
The Frame-Relay link on the active router has no line signal (L2)
The active router stops working.
Site 1
On the HSRP routers we define the address that R1 will use as its gateway. We modify the priority on both R2 and R3; what matters is that R2 always has the higher priority number, since priority defines the roles in an HSRP domain.
Keep in mind that HSRP supports preempt: if an HSRP router with a higher priority connects to the network segment, that device will take the active role even if another router is already performing it.
R2
interface FastEthernet0/0
standby 10 ip 172.16.1.100
standby 10 priority 101
standby 10 preempt
R3
interface FastEthernet0/0
standby 10 ip 172.16.1.100
standby 10 priority 95
standby 10 preempt
R3#debug standby events
HSRP Events debugging is on
*May 16 17:43:10.843: HSRP: Fa0/0 Interface up
*May 16 17:43:10.847: HSRP: Fa0/0 Starting minimum interface delay (1 secs)
*May 16 17:43:11.847: HSRP: Fa0/0 Interface min delay expired
*May 16 17:43:11.847: HSRP: Fa0/0 Grp 10 Init: a/HSRP enabled
*May 16 17:43:11.851: HSRP: Fa0/0 Grp 10 Init -> Listen
*May 16 17:43:11.855: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Init -> Backup
*May 16 17:43:21.851: HSRP: Fa0/0 Grp 10 Listen: c/Active timer expired (unknown)
*May 16 17:43:21.855: HSRP: Fa0/0 Grp 10 Listen -> Speak
*May 16 17:43:21.855: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Backup -> Speak
*May 16 17:43:22.779: HSRP: Fa0/0 Grp 10 Speak: f/Hello rcvd from higher pri Speak router (101/172.16.1.2)
*May 16 17:43:22.783: HSRP: Fa0/0 Grp 10 Speak -> Listen
*May 16 17:43:22.787: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Speak -> Backup
We verify that R2 is the active router and R3 the standby:
R2#show standby
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 00:55:27
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.744 secs
Preemption enabled
Active router is local
Standby router is 172.16.1.3, priority 95 (expires in 10.112 sec)
Priority 101 (configured 101)
Group name is "hsrp-Fa0/0-10" (default)
R3#show standby
FastEthernet0/0 - Group 10
State is Standby
1 state change, last state change 00:55:55
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.320 secs
Preemption enabled
Active router is 172.16.1.2, priority 101 (expires in 8.272 sec)
Standby router is local
Priority 95 (configured 95)
Group name is "hsrp-Fa0/0-10" (default)
Site 2
R4
interface FastEthernet0/0
standby 10 ip 172.16.2.100
standby 10 priority 101
standby 10 preempt
R5
interface FastEthernet0/0
standby 10 ip 172.16.2.100
standby 10 priority 95
standby 10 preempt
R4#show debugging
HSRP:
HSRP Events debugging is on
*May 16 17:51:42.043: HSRP: Fa0/0 API 172.16.2.4 is not an HSRP address
*May 16 17:51:42.159: HSRP: Fa0/0 API 172.16.2.100 is not an HSRP address
*May 16 17:51:42.163: HSRP: Fa0/0 Grp 10 Disabled -> Init
*May 16 17:51:42.163: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Disabled -> Init
*May 16 17:51:42.211: HSRP: Fa0/0 Grp 10 Priority 100 -> 101
*May 16 17:51:52.179: HSRP: Fa0/0 Interface up
*May 16 17:51:52.183: HSRP: Fa0/0 Starting minimum interface delay (1 secs)
*May 16 17:51:53.179: HSRP: Fa0/0 Interface min delay expired
*May 16 17:51:53.179: HSRP: Fa0/0 Grp 10 Init: a/HSRP enabled
*May 16 17:51:53.183: HSRP: Fa0/0 Grp 10 Init -> Listen
*May 16 17:51:53.183: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Init -> Backup
*May 16 17:52:03.183: HSRP: Fa0/0 Grp 10 Listen: c/Active timer expired (unknown)
*May 16 17:52:03.187: HSRP: Fa0/0 Grp 10 Listen -> Speak
*May 16 17:52:03.187: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Backup -> Speak
*May 16 17:52:13.187: HSRP: Fa0/0 Grp 10 Speak: d/Standby timer expired (unknown)
*May 16 17:52:13.191: HSRP: Fa0/0 Grp 10 Standby router is local
*May 16 17:52:13.191: HSRP: Fa0/0 Grp 10 Speak -> Standby
*May 16 17:52:13.195: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
*May 16 17:52:13.195: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Speak -> Standby
*May 16 17:52:13.687: HSRP: Fa0/0 Grp 10 Standby: c/Active timer expired (unknown)
*May 16 17:52:13.691: HSRP: Fa0/0 Grp 10 Active router is local
*May 16 17:52:13.691: HSRP: Fa0/0 Grp 10 Standby router is unknown, was local
*May 16 17:52:13.695: HSRP: Fa0/0 Grp 10 Standby -> Active
*May 16 17:52:13.695: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
*May 16 17:52:13.699: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Standby -> Active
*May 16 17:52:16.707: HSRP: Fa0/0 Grp 10 Redundancy group hsrp-Fa0/0-10 state Active -> Active
*May 16 17:52:19.711: HSRP: Fa0/0 Grp 10 Redundancy group hsrp-Fa0/0-10 state Active -> Active
R4#show standby
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 01:04:37
Virtual IP address is 172.16.2.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.048 secs
Preemption enabled
Active router is local
Standby router is 172.16.2.5, priority 95 (expires in 10.112 sec)
Priority 101 (configured 101)
Group name is "hsrp-Fa0/0-10" (default)
R5#show standby
FastEthernet0/0 - Group 10
State is Standby
1 state change, last state change 01:04:40
Virtual IP address is 172.16.2.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.896 secs
Preemption enabled
Active router is 172.16.2.4, priority 101 (expires in 9.920 sec)
Standby router is local
Priority 95 (configured 95)
Group name is "hsrp-Fa0/0-10" (default)
We check which path the packets take with a traceroute from R1 to R6 and from R6 to R1.
R1#traceroute 172.16.2.6 probe 1
Type escape sequence to abort.
Tracing the route to 172.16.2.6
1 172.16.1.2 32 msec
2 10.1.24.4 88 msec
3 172.16.2.6 128 msec
R6#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1
1 172.16.2.4 36 msec
2 10.1.24.2 104 msec
3 172.16.1.1 120 msec
Keep in mind that we must not set an arbitrary priority number (this applies to VRRP as well as HSRP). It must be consistent with the decrement value. For example, if R2 with priority 100 loses signal on the FR link, it lowers its priority by 10. If R3 has an HSRP priority of 90 configured, a problem arises (both routers with the same priority): the HSRP process will choose as active the router with the higher IP address, and that may happen to be the very router that should go to Standby. To avoid this we should set relatively close numbers, for example 101 for the active router and 95 for the backup: if the active fails it lowers its priority to 91, and the backup with 95 immediately takes the active role.
A backup router must take the active role if:
The Frame-Relay link on the active router has no line signal (L2)
The active router stops working.
To test the Frame-Relay link we can use the track command as shown below:
If the line protocol is down, R2 lowers its priority by 10, letting R3 take the active role. Recall that R2's priority is 101; minus 10 gives 91, against R3, which was configured with priority 95.
Site 1
R2
track 23 interface Serial1/0 line-protocol
interface FastEthernet0/0
standby 10 track 23 decrement 10
R3
track 23 interface Serial1/0 line-protocol
interface FastEthernet0/0
standby 10 track 23 decrement 10
R2#show standby
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 00:18:33
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.276 secs
Preemption enabled
Active router is local
Standby router is 172.16.1.3, priority 95 (expires in 7.956 sec)
Priority 101 (configured 101)
Track object 23 state Up decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)
R3#show standby
FastEthernet0/0 - Group 10
State is Standby
1 state change, last state change 00:18:31
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.296 secs
Preemption enabled
Active router is 172.16.1.2, priority 101 (expires in 9.644 sec)
Standby router is local
Priority 95 (configured 95)
Track object 23 state Up decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)
Site 2
R4
track 45 interface Serial1/0 line-protocol
interface FastEthernet0/0
standby 10 track 45 decrement 10
R5
track 45 interface Serial1/0 line-protocol
interface FastEthernet0/0
standby 10 track 45 decrement 10
R4#show standby
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 00:11:01
Virtual IP address is 172.16.2.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.808 secs
Preemption enabled
Active router is local
Standby router is 172.16.2.5, priority 95 (expires in 7.320 sec)
Priority 101 (configured 101)
Track object 45 state Up decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)
R5#show standby
FastEthernet0/0 - Group 10
State is Standby
1 state change, last state change 00:10:57
Virtual IP address is 172.16.2.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.780 secs
Preemption enabled
Active router is 172.16.2.4, priority 101 (expires in 8.312 sec)
Standby router is local
Priority 95 (configured 95)
Track object 45 state Up decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)
To check how this scheme works, we shut down the serial interface on R2 and verify the priority change on R2.
R2(config)#interface serial 1/0
R2(config-if)#shutdown
R2#show standby
FastEthernet0/0 - Group 10
State is Speak
3 state changes, last state change 00:00:06
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.748 secs
Preemption enabled
Active router is 172.16.1.3, priority 95 (expires in 9.824 sec)
Standby router is unknown
Priority 91 (configured 101)
Track object 23 state Down decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)
R2#*May 16 18:04:40.735: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
R3#show standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 10 95 P Active local 172.16.1.2 172.16.1.100
Despite all these efforts the expected behaviour does not occur: R1 loses connectivity with R6.
The reason is that certain L2 technologies such as Frame-Relay are locally significant and only need to keep the connection to the local FR switch; in our case, R2's serial is down. Recall that R4 keeps probing its line protocol locally, but it does not decrement its priority.
R1#ping 100.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#show ip int brief serial 1/0
Interface IP-Address OK? Method Status Protocol
Serial1/0 10.1.24.2 YES manual administratively down down
R4 does not learn that there is a problem on the link, because the interface that connects R4 to the Frame-Relay switch is UP:
R4#show ip int brief serial 1/0
Interface IP-Address OK? Method Status Protocol
Serial1/0 10.1.24.4 YES manual up up
R2#show standby all brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 91 P Standby 172.16.1.3 local 172.16.1.100
R3#show standby all brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 95 P Active local 172.16.1.2 172.16.1.100
Since R2 tests the link and immediately notices that interface serial 1/0 is down, it becomes the HSRP Standby at Site 1; however, the same does not happen at Site 2, and R4 keeps acting as the active router despite having no connectivity to R2. We can solve this problem with an interior gateway protocol (IGP) that generates keepalives, or by generating keepalives artificially with IP SLA, as we will see below.
If we bring R2's serial interface back up we will see the preempt behaviour. The tracking now confirms that the serial interface is UP. R2 advertises itself in HSRP with priority 101, which is higher than R3's 95, and becomes the active router again.
R2(config)#interface serial 1/0
R2(config-if)#no shutdown
R2#show standby all brief
P indicates configured to preempt.
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 101 P Active local 172.16.1.3 172.16.1.100
To correct the problem and keep connectivity between the sites we can use a combination of IP SLA and tracking. In this section IP SLA lets us probe our neighbours' serial interfaces, that is, the activity across the entire FR link.
The way SLA is configured varies between platforms. The one presented here corresponds to IOS 12.4(20)T.
R2
ip sla 10
icmp-echo 10.1.24.4
frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
interface FastEthernet0/0
standby 10 preempt delay minimum 1
standby 10 track 10 decrement 10
R3
ip sla 10
icmp-echo 10.1.35.5
frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
interface FastEthernet0/0
standby 10 preempt delay minimum 1
standby 10 track 10 decrement 10
R4
ip sla 10
icmp-echo 10.1.24.2
frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
interface FastEthernet0/0
standby 10 preempt delay minimum 1
standby 10 track 10 decrement 10
R5
ip sla 10
icmp-echo 10.1.35.3
frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
interface FastEthernet0/0
standby 10 preempt delay minimum 1
standby 10 track 10 decrement 10
R2(config-if)#int s1/0
R2(config-if)#shutdown
R2(config-if)#
%TRACKING-5-STATE: 23 interface Se1/0 line-protocol Up->Down
R2(config-if)#
%LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
R2(config-if)#
%ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
R2(config-if)#
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R2(config-if)#
%TRACKING-5-STATE: 10 ip sla 10 reachability Up->Down
R2(config-if)#
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
As we can see, R2 and R4 change from Active to Standby, and R3 and R5 change from Standby to Active. This is the desired behaviour.
R2#show standby
FastEthernet0/0 - Group 10
State is Standby
9 state changes, last state change 00:01:56
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.904 secs
Preemption enabled, delay min 1 secs
Active router is 172.16.1.3, priority 95 (expires in 10.896 sec)
Standby router is local
Priority 81 (configured 101)
Operation time to live: Forever
R4#show ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 10
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *22:39:16.122 UTC Wed Mar 17 2010
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 177
Operation time to live: Forever
R5#show ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 10
Latest RTT: 32 milliseconds
Latest operation start time: *22:39:39.830 UTC Wed Mar 17 2010
Latest operation return code: OK
Number of successes: 357
Number of failures: 0
Operation time to live: Forever
We re-enable the R2/R4 link
R2(config)#interface serial 1/0
R2(config-if)#no shutdown
R2(config-if)#
%TRACKING-5-STATE: 23 interface Se1/0 line-protocol Down->Up
R2(config-if)#
%LINK-3-UPDOWN: Interface Serial1/0, changed state to up
R2(config-if)#
%ENTITY_ALARM-6-INFO: CLEAR INFO Se1/0 Physical Port Administrative State Down
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R2(config-if)#
%TRACKING-5-STATE: 10 ip sla 10 reachability Down->Up
R2#
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
R1#traceroute 172.16.2.6
1 172.16.1.2 84 msec 72 msec 28 msec
2 10.1.24.4 76 msec 40 msec 72 msec
3 172.16.2.6 120 msec * 100 msec
HSRP Load Balancing
Configure the addressing shown (including the Broadcast network). Configure point-to-point FR between R1-R2 and R1-R3, following the addressing scheme shown in the figure.
R1
interface Serial1/0
encapsulation frame-relay
no shut
interface Serial1/0.12 point-to-point
ip address 10.1.12.1 255.255.255.0
frame-relay interface-dlci 102
interface Serial1/0.13 point-to-point
ip address 10.1.13.1 255.255.255.0
frame-relay interface-dlci 103
R2
interface Serial1/0
encapsulation frame-relay
no shut
interface Serial1/0.12 point-to-point
ip address 10.1.12.2 255.255.255.0
frame-relay interface-dlci 201
R3
interface Serial1/0
encapsulation frame-relay
no shut
interface Serial1/0.13 point-to-point
ip address 10.1.13.3 255.255.255.0
frame-relay interface-dlci 301
R1#show frame-relay map
Serial1/0.12 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast
status defined, active
Serial1/0.13 (up): point-to-point dlci, dlci 103(0x67,0x1870), broadcast
status defined, active
R1#show frame-relay pvc | i STATUS
DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.12
DLCI = 103, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.13
R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/34/48 ms
R1#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/60 ms
R2
interface FastEthernet0/0
ip address 10.1.100.2 255.255.255.0
no shut
R3
interface FastEthernet0/0
ip address 10.1.100.3 255.255.255.0
no shut
R4
interface FastEthernet0/0
ip address 10.1.100.4 255.255.255.0
no shut
R5
interface FastEthernet0/0
ip address 10.1.100.5 255.255.255.0
no shut
R4#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 10.1.100.5, 60 ms
Reply to request 0 from 10.1.100.2, 124 ms
Reply to request 0 from 10.1.100.3, 120 ms
On R1 configure a static route pointing to LAN 10.1.100.0/24 through R2.
On R1 configure a static route pointing to LAN 10.1.100.0/24 through R3.
On R2 configure a static route pointing to IP 100.1.1.1.
On R3 configure a static route pointing to IP 100.1.1.1.
R4 and R5 must create a default route pointing to the virtual IP 10.1.100.10.
R1
ip route 10.1.100.0 255.255.255.0 10.1.12.2
ip route 10.1.100.0 255.255.255.0 10.1.13.3
R2
ip route 100.1.1.1 255.255.255.255 10.1.12.1
R3
ip route 100.1.1.1 255.255.255.255 10.1.13.1
R4
ip route 0.0.0.0 0.0.0.0 10.1.100.10
R5
ip route 0.0.0.0 0.0.0.0 10.1.100.10
Configure HSRP so that R2 is the active router and R3 the stand-by router. Use virtual IP 10.1.100.10. Use group 1. R3 must keep its default priority.
Test connectivity between R4-R5 and the virtual IP, then connectivity to IP 100.1.1.1. Use ping and tracert.
R2
interface FastEthernet0/0
standby 1 ip 10.1.100.10
standby 1 priority 200
R3
key chain ZZTOP
key 1
key-string duoc.com
interface FastEthernet0/0
standby 1 authentication md5 key-chain ZZTOP
R2#show standby
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:38:57
Virtual IP address is 10.1.100.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.144 secs
Authentication MD5, key-chain "ZZTOP"
Preemption disabled
Active router is local
Standby router is 10.1.100.3, priority 100 (expires in 9.600 sec)
Priority 200 (configured 200)
Group name is "hsrp-Fa0/0-1" (default)
R3 and R2 must take the active role once the holdtime has expired.
R2
interface FastEthernet0/0
standby 1 preempt
R3
interface FastEthernet0/0
standby 1 preempt
R2#show standby
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:45:45
Virtual IP address is 10.1.100.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.528 secs
Authentication MD5, key-chain "ZZTOP"
Preemption enabled
Active router is local
Standby router is 10.1.100.3, priority 100 (expires in 8.704 sec)
Priority 200 (configured 200)
Group name is "hsrp-Fa0/0-1" (default)
Modify the hello and holdtime intervals to 2 and 6 seconds respectively
R2
interface FastEthernet0/0
standby 1 timers 2 6
R3
interface FastEthernet0/0
standby 1 timers 2 6
R2#show standby | include Hello
Hello time 2 sec, hold time 6 sec
Create a new DG with virtual IP 10.1.100.11. Use group 2.
Configure R4 so that its DG is IP 10.1.100.11. R4 must use R3 to reach IP 100.1.1.1.
R2
interface FastEthernet0/0
standby 2 ip 10.1.100.11
standby 2 priority 95
standby 2 preempt
R3
interface FastEthernet0/0
standby 2 ip 10.1.100.11
standby 2 priority 105
standby 2 preempt
R2#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 200 P Active local 10.1.100.3 10.1.100.10
Fa0/0 2 95 P Standby 10.1.100.3 local 10.1.100.11
R3#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 100 P Standby 10.1.100.2 local 10.1.100.10
Fa0/0 2 105 P Active local 10.1.100.2 10.1.100.11
R4
no ip route 0.0.0.0 0.0.0.0 10.1.100.10
ip route 0.0.0.0 0.0.0.0 10.1.100.11
R4#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1
1 10.1.100.3 36 msec
2 10.1.13.1 80 msec
R5#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1
1 10.1.100.2 64 msec
2 10.1.12.1 52 msec
The routers must send HSRP traps to the NMS at address 172.16.1.1
R2
snmp-server enable traps hsrp
snmp-server host 172.16.1.1 public hsrp
R3
snmp-server enable traps hsrp
snmp-server host 172.16.1.1 public hsrp
VRRP using Routers
Pre LAB
Build the lab shown in the diagram.
The base/initial configurations must be loaded before continuing with the lab.
We will use load sharing.
Establish connectivity between sites using static routing.
R1 must point to the gateway 172.16.1.100 (Virtual IP)
R6 must point to the gateway 172.16.2.100 (Virtual IP)
R1
ip route 0.0.0.0 0.0.0.0 172.16.1.100
R2
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.24.4
ip route 100.6.6.6 255.255.255.255 10.1.24.4
R3
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.35.5
ip route 100.6.6.6 255.255.255.255 10.1.35.5
Site 2
R6
ip route 0.0.0.0 0.0.0.0 172.16.2.100
R4
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.24.2
ip route 100.1.1.1 255.255.255.255 10.1.24.2
R5
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.35.3
ip route 100.1.1.1 255.255.255.255 10.1.35.3
Configure R2 as VRRP Master and R3 as Backup for the ip address 172.16.1.100
Configure R4 as VRRP Master and R5 as Backup for the ip address 172.16.2.100
R2
interface FastEthernet0/0
vrrp 10 ip 172.16.1.100
vrrp 10 priority 150
vrrp 10 preempt
R3
interface FastEthernet0/0
vrrp 10 ip 172.16.1.100
vrrp 10 priority 100
vrrp 10 preempt
R2#show vrrp
FastEthernet0/0 - Group 10
State is Master
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 150
Master Router is 172.16.1.2 (local), priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.414 sec
R3#show vrrp
FastEthernet0/0 - Group 10
State is Backup
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 172.16.1.2, priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.253 sec)
R4
interface FastEthernet0/0
vrrp 10 ip 172.16.2.100
vrrp 10 priority 150
vrrp 10 preempt
R5
interface FastEthernet0/0
vrrp 10 ip 172.16.2.100
vrrp 10 priority 100
vrrp 10 preempt
R4#show vrrp
FastEthernet0/0 - Group 10
State is Master
Virtual IP address is 172.16.2.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 150
Master Router is 172.16.2.4 (local), priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.414 sec
R5#show vrrp
FastEthernet0/0 - Group 10
State is Backup
Virtual IP address is 172.16.2.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 172.16.2.4, priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.545 sec)
R1#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/46/80 ms
R2 is the VRRP Master, so it is the exit gateway used to reach R6.
R1#traceroute 172.16.2.6
Type escape sequence to abort.
Tracing the route to 172.16.2.6
1 172.16.1.2 128 msec 64 msec 28 msec
2 10.1.24.4 72 msec 60 msec 52 msec
3 172.16.2.6 108 msec * 116 msec
A backup router must take the active role if:
The HDLC link on the active router loses its line signal (L2)
The active router stops working.
This task requires the track command to determine the state of the serial interface. Note that the default VRRP
decrement for a tracked object is 10; that value is not enough for the Backup router to take the Master role.
We change it to 60 on R2 and R4.
R2
track 10 interface Serial1/0 line-protocol
carrier-delay
interface FastEthernet0/0
vrrp 10 track 10 decrement 60
R3
track 10 interface Serial1/0 line-protocol
carrier-delay
interface FastEthernet0/0
vrrp 10 track 10
R4
track 10 interface Serial1/0 line-protocol
carrier-delay
interface FastEthernet0/0
vrrp 10 track 10 decrement 60
R5
track 10 interface Serial1/0 line-protocol
carrier-delay
interface FastEthernet0/0
vrrp 10 track 10
Verification
R2(config)#interface serial 1/0
R2(config-if)#shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
%ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
R2(config-if)#
%TRACKING-5-STATE: 10 interface Se1/0 line-protocol Up->Down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R2(config-if)#
%VRRP-6-STATECHANGE: Fa0/0 Grp 10 state Master -> Backup
R2#show vrrp
FastEthernet0/0 - Group 10
State is Backup
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 90 (cfgd 150)
Track object 10 state Down decrement 60
Master Router is 172.16.1.3, priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.414 sec (expires in 2.918 sec)
R3#show vrrp
FastEthernet0/0 - Group 10
State is Master
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Track object 10 state Up decrement 10
Master Router is 172.16.1.3 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec
Routers R2 and R4 lower their priority when they no longer detect the signal, so the path R1 follows to reach R6 now goes through the R3/R5 link.
Both R2 and R4 are now Backup. Note that the priority on both has been decremented to 90. Since R3 and
R5 keep the default priority of 100, they are now the VRRP Masters.
R1#traceroute 172.16.2.6
Type escape sequence to abort.
Tracing the route to 172.16.2.6
1 172.16.1.3 68 msec 60 msec 40 msec
2 10.1.35.5 84 msec 40 msec 60 msec
3 172.16.2.6 124 msec * 104 msec
Load Sharing
Remove the previous VRRP configuration and bring up the serial interface on R2.
On R2/R3/R4/R5
(config-if)#no vrrp 10
R2(config-if)#int s1/0
R2(config-if)#no shutdown
Configure R2 as VRRP Master and R3 as Backup for IP address 172.16.1.100.
Configure R2 as VRRP Backup and R3 as Master for IP address 172.16.1.101.
Configure R4 as VRRP Master and R5 as Backup for IP address 172.16.2.100.
Configure R4 as VRRP Backup and R5 as Master for IP address 172.16.2.101.
R1 and R6 must each have two static routes with the same administrative distance (AD 69) so that load balancing takes place.
R1
ip route 0.0.0.0 0.0.0.0 172.16.1.101 69
ip route 0.0.0.0 0.0.0.0 172.16.1.100 69
R1#sh ip route static
S* 0.0.0.0/0 [69/0] via 172.16.1.101
[69/0] via 172.16.1.100
R6
ip route 0.0.0.0 0.0.0.0 172.16.2.101 69
ip route 0.0.0.0 0.0.0.0 172.16.2.100 69
R6#sh ip route static
S* 0.0.0.0/0 [69/0] via 172.16.2.101
[69/0] via 172.16.2.100
To share the load between the two exit points we create two VRRP groups. Each router acts as Master for one group and as Backup for the other.
R2
interface FastEthernet0/0
vrrp 10 ip 172.16.1.100
vrrp 10 priority 200
vrrp 20 ip 172.16.1.101
no vrrp 20 preempt
R3
interface FastEthernet0/0
vrrp 10 ip 172.16.1.100
no vrrp 10 preempt
vrrp 20 ip 172.16.1.101
vrrp 20 priority 200
R2#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 10 200 3218 Y Master 172.16.1.2 172.16.1.100
Fa0/0 20 100 3609 Backup 172.16.1.3 172.16.1.101
R3#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 10 100 3609 Backup 172.16.1.2 172.16.1.100
Fa0/0 20 200 3218 Y Master 172.16.1.3 172.16.1.101
R4
interface FastEthernet0/0
vrrp 10 ip 172.16.2.100
vrrp 10 priority 200
vrrp 20 ip 172.16.2.101
no vrrp 20 preempt
R5
interface FastEthernet0/0
vrrp 10 ip 172.16.2.100
no vrrp 10 preempt
vrrp 20 ip 172.16.2.101
vrrp 20 priority 200
R4#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 10 200 3218 Y Master 172.16.2.4 172.16.2.100
Fa0/0 20 100 3609 Backup 172.16.2.5 172.16.2.101
R5#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 10 100 3609 Backup 172.16.2.4 172.16.2.100
Fa0/0 20 200 3218 Y Master 172.16.2.5 172.16.2.101
We verify that traffic flows through both routers R2/R3 at Site 1
R1#traceroute 172.16.2.6
Type escape sequence to abort.
Tracing the route to 172.16.2.6
1 172.16.1.3 120 msec
172.16.1.2 60 msec
172.16.1.3 44 msec
2 10.1.24.4 44 msec
10.1.35.5 48 msec
10.1.24.4 44 msec
3 172.16.2.6 168 msec * 176 msec
We verify that traffic flows through both routers R4/R5 at Site 2
R6#traceroute 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.1.1
1 172.16.2.4 64 msec
172.16.2.5 108 msec
172.16.2.4 44 msec
2 10.1.35.3 56 msec
10.1.24.2 88 msec
10.1.35.3 68 msec
3 172.16.1.1 180 msec * 128 msec
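The two VRRP exercises above (object tracking with a decrement of 60, and two groups per segment for load sharing) come down to a small set of election rules. The following Python model is an added example, not part of the guide: it reproduces those rules (highest effective priority wins, ties go to the highest interface address, and a router only takes over from a running Master when it is allowed to preempt) and checks the lab's numbers, including why the default decrement of 10 would not have caused a failover. Router names, addresses and priorities are taken from the Site 1 lab; the code itself is a constructed simulation.

```python
"""VRRP Master election with object tracking and two-group load sharing.

Added example: a constructed simulation of the election rules behind the
lab above, not code from the guide.  Names, addresses and priorities
follow the Site 1 routers R2/R3.
"""
from dataclasses import dataclass

VRRP_DEFAULT_PRIORITY = 100
VRRP_DEFAULT_TRACK_DECREMENT = 10


@dataclass
class VrrpRouter:
    name: str
    ip: str                        # real interface address, the tie-breaker
    priority: int = VRRP_DEFAULT_PRIORITY
    preempt: bool = True           # IOS default: preemption enabled
    track_up: bool = True          # state of the tracked object (Serial1/0 line-protocol)
    track_decrement: int = VRRP_DEFAULT_TRACK_DECREMENT

    def effective_priority(self) -> int:
        """Configured priority, minus the decrement while the tracked object is down."""
        if self.track_up:
            return self.priority
        return max(self.priority - self.track_decrement, 1)


def ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(routers, current_master=None):
    """Return the router holding the Master role for one VRRP group.

    Highest effective priority wins and ties go to the highest interface
    address.  If a Master is already running, a better candidate only
    takes over when it is allowed to preempt.
    """
    ranked = sorted(routers, key=lambda r: (r.effective_priority(), ip_key(r.ip)), reverse=True)
    best = ranked[0]
    if current_master is None or current_master not in routers or best is current_master:
        return best
    if best.preempt and best.effective_priority() > current_master.effective_priority():
        return best
    return current_master


def site1_failover(decrement: int) -> str:
    """Name of the Site 1 Master after R2 loses line protocol on Serial1/0."""
    r2 = VrrpRouter("R2", "172.16.1.2", priority=150, track_decrement=decrement)
    r3 = VrrpRouter("R3", "172.16.1.3")
    master = elect_master([r2, r3])          # R2 while the serial link is up
    r2.track_up = False                      # %TRACKING-5-STATE: 10 ... Up->Down
    return elect_master([r2, r3], current_master=master).name


def site1_recovery() -> str:
    """Master once R2's serial link comes back: preemption returns the role to R2."""
    r2 = VrrpRouter("R2", "172.16.1.2", priority=150, track_decrement=60, track_up=False)
    r3 = VrrpRouter("R3", "172.16.1.3")
    master = elect_master([r2, r3])          # R3 while R2 is decremented to 90
    r2.track_up = True
    return elect_master([r2, r3], current_master=master).name


def site1_load_sharing() -> dict:
    """Master per group in the two-group design (group 10 and group 20)."""
    groups = {
        10: [VrrpRouter("R2", "172.16.1.2", priority=200),
             VrrpRouter("R3", "172.16.1.3", preempt=False)],
        20: [VrrpRouter("R2", "172.16.1.2", preempt=False),
             VrrpRouter("R3", "172.16.1.3", priority=200)],
    }
    return {group: elect_master(members).name for group, members in groups.items()}


if __name__ == "__main__":
    for dec in (VRRP_DEFAULT_TRACK_DECREMENT, 60):
        print(f"decrement {dec}: Master after R2 track down -> {site1_failover(dec)}")
    print("after recovery:", site1_recovery())
    print("load sharing:", site1_load_sharing())
```

Running it shows that with the default decrement R2 keeps the Master role at priority 140, which is exactly why the guide raises the decrement to 60; with 60 the role moves to R3 and, because preemption is enabled, returns to R2 as soon as the tracked interface comes back.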
L2 Security
Overflow Attack
Enable port FastEthernet 0/24 on ALS1 as an access port for VLAN 10
ALS1
vlan 10
interface FastEthernet0/24
switchport access vlan 10
switchport mode Access
ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Gi0/1
Gi0/2
10 VLAN0010 active Fa0/24
ALS1
interface Vlan10
ip address 10.1.3.1 255.255.255.0
no shutdown
ALS1#show mac-address-table interface fastEthernet 0/24
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 50b7.c307.a19d DYNAMIC Fa0/24
Total Mac Addresses for this criterion: 1
PC1
Adaptador de Ethernet Ethernet:
Sufijo DNS específico para la conexión. . :
Descripción . . . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Dirección física. . . . . . . . . . . . . : 50-B7-C3-07-A1-9D
DHCP habilitado . . . . . . . . . . . . . : sí
Configuración automática habilitada . . . : sí
Vínculo: dirección IPv6 local. . . : fe80::e01f:70bc:4361:24fc%12(Preferido)
Dirección IPv4 de configuración automática: 169.254.36.252(Preferido)
Máscara de subred . . . . . . . . . . . . : 255.255.0.0
Puerta de enlace predeterminada . . . . . :
IAID DHCPv6 . . . . . . . . . . . . . . . : 266863514
DUID de cliente DHCPv6. . . . . . . . . . : 00-01-00-01-19-20-34-FE-50-B7-C3-
07-A1-9D
Servidores DNS. . . . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado
We enable MACOF.
ALS1#show mac-address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1
Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1
Total Mac Address Space Available: 7948
ALS1#show mac-address-table interface fastEthernet 0/24
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0009.7252.ac80 DYNAMIC Fa0/24
10 000d.ce5e.a8d8 DYNAMIC Fa0/24
10 000d.dd6d.9634 DYNAMIC Fa0/24
10 0010.6a35.66b9 DYNAMIC Fa0/24
10 0012.c941.7800 DYNAMIC Fa0/24
10 0013.2974.8c4d DYNAMIC Fa0/24
10 0019.f71a.0e80 DYNAMIC Fa0/24
10 001a.1d32.baee DYNAMIC Fa0/24
10 0026.3a54.0e86 DYNAMIC Fa0/24
10 0027.922f.791a DYNAMIC Fa0/24
10 0029.165f.a6e2 DYNAMIC Fa0/24
10 0032.c36d.57e4 DYNAMIC Fa0/24
10 0035.b663.a1c7 DYNAMIC Fa0/24
10 0039.8211.5365 DYNAMIC Fa0/24
10 003a.9a53.15ef DYNAMIC Fa0/24
10 003a.ce27.57a2 DYNAMIC Fa0/24
10 003c.374c.2505 DYNAMIC Fa0/24
10 003c.b762.b981 DYNAMIC Fa0/24
10 003d.6c70.3de3 DYNAMIC Fa0/24
ALS1#show mac-address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 5
Static Address Count : 0
Total Mac Addresses : 5
Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count : 8067
Static Address Count : 0
Total Mac Addresses : 8067
Total Mac Address Space Available: 0
On port FastEthernet 0/24 allow only a single source MAC. If the number of MACs is exceeded,
the interface must go into err-disable state.
Note: configuring port-security with no arguments allows only one MAC address on the configured interface.
ALS1#clear mac-address-table dynamic
ALS1#show mac-address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 5
Static Address Count : 0
Total Mac Addresses : 5
Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1
Total Mac Address Space Available: 7544
ALS1#show running-config interface fastEthernet 0/24
Building configuration...
Current configuration : 122 bytes
!
interface FastEthernet0/24
switchport access vlan 10
switchport mode access
switchport port-security
end
We enable MACOF and verify that through port FastEthernet 0/24
ALS1#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/24, putting Fa0/24 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 16f2.b324.6763 on
port FastEthernet0/24.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down
ALS1#show interfaces status err-disabled
Port Name Status Reason
Fa0/24 err-disabled psecure-violation
ALS1#show mac-address-table interface fastEthernet 0/24
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
ALS1#show port-security interface fastEthernet 0/24
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 50b7.c307.a19d:10
Security Violation Count : 1
ALS1#show port-security address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
10 50b7.c307.a19d SecureDynamic Fa0/24 -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
Allow 10 source MACs on interface fastEthernet 0/24; if this number is exceeded, the
interface must stay active but must not process the additional MACs.
Note: to reactivate the port we must enter the interface and reset it.
ALS1
interface FastEthernet0/24
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect
ALS1#show interfaces status | begin Fa0/24
Fa0/24 connected 10 a-full a-100 10/100BaseTX
Gi0/1 notconnect 1 auto auto 10/100/1000BaseTX
Gi0/2 notconnect 1 auto auto 10/100/1000BaseTX
ALS1#show interfaces fastEthernet 0/24 summary
*: interface is up
IHQ: pkts in input hold queue IQD: pkts dropped from input queue
OHQ: pkts in output hold queue OQD: pkts dropped from output queue
RXBS: rx rate (bits/sec) RXPS: rx rate (pkts/sec)
TXBS: tx rate (bits/sec) TXPS: tx rate (pkts/sec)
TRTL: throttle count
Interface IHQ IQD OHQ OQD RXBS RXPS TXBS TXPS TRTL
-------------------------------------------------------------------------
* FastEthernet0/24 0 0 0 0 0 0 0 0 0
We enable MACOF.
Note: the switch LED for the port in question shows heavy activity as soon as
MACOF is applied.
ALS1#show mac-address-table interface fastEthernet 0/24
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0800.2731.0471 STATIC Fa0/24
10 2a14.a76a.7db9 STATIC Fa0/24
10 4ce5.e74d.8fe7 STATIC Fa0/24
10 501b.7b6d.b8f2 STATIC Fa0/24
10 50b7.c307.a19d STATIC Fa0/24
10 548e.e961.71e5 STATIC Fa0/24
10 56ac.330b.57d3 STATIC Fa0/24
10 7223.943d.3829 STATIC Fa0/24
10 9ece.7d5c.4520 STATIC Fa0/24
10 a270.a12a.e326 STATIC Fa0/24
Total Mac Addresses for this criterion: 10
Allow 10 source MACs on interface fastEthernet 0/24; if this number is exceeded, the
interface must stay active and send console messages and SNMP traps.
Note: with switchport port-security violation restrict a message is sent to the console every 5 seconds,
and traps are sent if SNMP is configured.
ALS1
interface FastEthernet0/24
switchport port-security maximum 10
switchport port-security
switchport port-security violation restrict
ALS1#show interfaces status | begin Fa0/24
Fa0/24 connected 10 a-full a-100 10/100BaseTX
Gi0/1 notconnect 1 auto auto 10/100/1000BaseTX
Gi0/2 notconnect 1 auto auto 10/100/1000BaseTX
ALS1#show ip interface brief fastEthernet 0/24
Interface IP-Address OK? Method Status Protocol
FastEthernet0/24 unassigned YES unset up up
We enable MACOF
ALS1#
03:28:39: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
1037.c012.148d on port FastEthernet0/24.
ALS1#
03:28:44: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
c0e0.5b15.8406 on port FastEthernet0/24.
ALS1#
03:28:49: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
78ad.b573.942d on port FastEthernet0/24.
ALS1#
03:28:54: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
2e44.ad42.0a4a on port FastEthernet0/24.
ALS1#show mac-address-table interface fastEthernet 0/24 vlan 10
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0800.2731.0471 STATIC Fa0/24
10 2a14.a76a.7db9 STATIC Fa0/24
10 4ce5.e74d.8fe7 STATIC Fa0/24
10 501b.7b6d.b8f2 STATIC Fa0/24
10 50b7.c307.a19d STATIC Fa0/24
10 548e.e961.71e5 STATIC Fa0/24
10 56ac.330b.57d3 STATIC Fa0/24
10 7223.943d.3829 STATIC Fa0/24
10 9ece.7d5c.4520 STATIC Fa0/24
10 a270.a12a.e326 STATIC Fa0/24
Total Mac Addresses for this criterion: 10
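The three port-security exercises above differ only in what the port does with the first frame whose source address exceeds the limit. The following Python model is an added example, not from the guide: it applies the shutdown, protect and restrict rules to a constructed stream of source MACs (the PC's address from the lab followed by made-up flood addresses) and reports, for each mode, how many frames were forwarded, how many addresses were secured, how many violations were counted and whether the legitimate host still works afterwards. The real switch rate-limits the restrict-mode syslog to one message every few seconds, as the note above says; the model records every violation.

```python
"""Port-security violation modes over a stream of source MAC addresses.

Added example, not code from the guide: a small model of how a Catalyst
access port with `switchport port-security` treats frames once the
secure-address limit is reached, in each violation mode.  The MAC stream
is constructed for the example; the limits (1 and 10) follow the lab.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # switchport port-security maximum N
    violation: str = "shutdown"       # shutdown | protect | restrict
    secure_macs: dict = field(default_factory=dict)   # learned as SecureDynamic
    err_disabled: bool = False
    violation_count: int = 0
    last_source: Optional[str] = None
    syslog: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one frame from src_mac; return True if it is forwarded."""
        if self.err_disabled:
            return False                          # port is down: nothing passes
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return True                           # already a secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[src_mac] = "SecureDynamic"
            return True
        # Limit reached and the source is new: this is a violation.
        if self.violation == "protect":
            return False                          # dropped silently, no counter, no log
        self.violation_count += 1
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(
                f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
                f"putting {self.name} in err-disable state")
        return False


def flood_stream(n_flood: int) -> list:
    """Constructed sample traffic: the legitimate PC MAC from the lab, then
    n_flood frames each carrying a fresh made-up source address."""
    return ["50b7.c307.a19d"] + [
        f"02aa.{i:04x}.{(i * 7919) & 0xFFFF:04x}" for i in range(1, n_flood + 1)]


def run(mode: str, maximum: int, n_flood: int = 20) -> dict:
    """Replay the stream through one port and summarise what happened."""
    port = SecurePort("FastEthernet0/24", maximum=maximum, violation=mode)
    forwarded = sum(port.receive(mac) for mac in flood_stream(n_flood))
    return {
        "forwarded": forwarded,
        "learned": len(port.secure_macs),
        "violations": port.violation_count,
        "err_disabled": port.err_disabled,
        # Can the real host still talk once the flood has happened?
        "pc_still_works": port.receive("50b7.c307.a19d"),
    }


if __name__ == "__main__":
    for mode, maximum in (("shutdown", 1), ("protect", 10), ("restrict", 10)):
        print(f"{mode:8s} max {maximum:2d}: {run(mode, maximum)}")
```

The last field is the operational trade-off the three exercises illustrate: shutdown takes the legitimate PC down with the flood until someone resets the port, while protect and restrict keep it working and differ only in whether the switch tells anyone.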
Switch Spoofing
Enable Yersinia for DTP so that a trunk forms between the PC and switch port FastEthernet0/24.
For the trunk to form, DTP must be in use. If an interface has Dynamic Trunking Protocol enabled (the default
value), Yersinia can form a trunk and receive the information carried over it (VLANs).
For the trunk to form, the interface must be in dynamic auto or dynamic desirable mode. The default on the
Catalyst 2960 is Administrative Mode: dynamic auto. One way to avoid this problem is to disable
DTP.
ALS1
default interface fastEthernet 0/24
PC
Adaptador de Ethernet Ethernet:
Dirección física. . . . . . . . . . . . . : 50-B7-C3-07-A1-9D
ALS1#show interfaces fastEthernet 0/24 trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 auto 802.1q not-trunking 1
Port Vlans allowed on trunk
Fa0/24 1
Port Vlans allowed and active in management domain
Fa0/24 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 none
ALS1#sh interfaces fa0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static Access
The output above shows the administrative mode of port Fa0/24 and the trunk status not-trunking.
Now, once trunking is enabled in Yersinia, a trunk forms using DTP.
ALS1#sh debugging
DTP:
DTP events debugging is on
*Mar 1 00:27:38.226: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk _process.c:2200
*Mar 1 00:27:39.233: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to
down
*Mar 1 00:27:39.283: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk _process.c:2200
*Mar 1 00:27:40.340: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk _process.c:2200
*Mar 1 00:27:42.252: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
ALS1#
*Mar 1 00:28:12.074: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200
*Mar 1 00:28:44.873: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200
*Mar 1 00:29:17.664: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200
*Mar 1 00:29:50.456: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200
*Mar 1 00:30:23.247: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200
ALS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 auto 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/24 1-4094
Port Vlans allowed and active in management domain
Fa0/24 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1
ALS1#
To prevent this attack we can set the port to access mode.
ALS1
interface FastEthernet0/24
switchport mode access
switchport nonegotiate
ALS1#sh interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
ALS1#sh interfaces fastEthernet 0/24 trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 off 802.1q not-trunking 1
Port Vlans allowed on trunk
Fa0/24 1
Port Vlans allowed and active in management domain
Fa0/24 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1
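The fix above works because of DTP's pairing rules: a port only becomes a trunk when its own mode and the peer's mode agree to negotiate one, and switchport nonegotiate stops the port from speaking DTP at all. The following Python audit is an added example, not from the guide: it encodes those pairing rules, parses constructed show interfaces switchport output in the format the guide shows (the Negotiation of Trunking line is real IOS output that the excerpt above omits), lists the ports a DTP-speaking peer could turn into trunks, and generates the hardening lines applied above for each of them.

```python
"""Audit of trunk-negotiation exposure on switch ports.

Added example, not code from the guide.  The sample `show interfaces
switchport` text is constructed; the pairing rules are those of DTP.
"""
import re

SAMPLE_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Negotiation of Trunking: On

Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
"""


def parse_switchport(text: str) -> dict:
    """Map port name -> {'Administrative Mode': ..., 'Negotiation of Trunking': ...}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(Name|Administrative Mode|Negotiation of Trunking): (.+)", line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def effective_mode(entry: dict) -> str:
    """Fold 'Negotiation of Trunking: Off' (switchport nonegotiate) into the mode."""
    mode = entry["Administrative Mode"]
    nego = entry.get("Negotiation of Trunking", "On")
    if mode == "static access":
        return "nonegotiate-access" if nego == "Off" else "access"
    if mode == "trunk" and nego == "Off":
        return "nonegotiate-trunk"
    return mode


def trunk_forms(local: str, peer: str) -> bool:
    """Does this side end up trunking, given both sides' administrative modes?"""
    if local in ("access", "nonegotiate-access"):
        return False                                   # access never trunks
    if local == "nonegotiate-trunk":
        return peer in ("trunk", "nonegotiate-trunk")  # no DTP: needs an unconditional peer
    if local == "trunk":
        return peer in ("trunk", "nonegotiate-trunk", "dynamic auto", "dynamic desirable")
    if local == "dynamic desirable":
        return peer in ("trunk", "dynamic auto", "dynamic desirable")
    if local == "dynamic auto":
        return peer in ("trunk", "dynamic desirable")   # auto + auto never trunks
    raise ValueError(f"unknown mode {local!r}")


def ports_exposed_to_dtp(ports: dict) -> list:
    """Ports that are not administratively trunks, yet would become trunks when
    a peer speaking DTP in desirable mode is plugged in."""
    return sorted(name for name, entry in ports.items()
                  if entry["Administrative Mode"] != "trunk"
                  and trunk_forms(effective_mode(entry), "dynamic desirable"))


def hardening(ports: dict) -> list:
    """The configuration lines the guide applies, one block per exposed port."""
    lines = []
    for name in ports_exposed_to_dtp(ports):
        lines += [f"interface {name}", " switchport mode access", " switchport nonegotiate"]
    return lines


if __name__ == "__main__":
    parsed = parse_switchport(SAMPLE_SWITCHPORT)
    print("exposed:", ports_exposed_to_dtp(parsed))
    print("\n".join(hardening(parsed)))
```

On the constructed sample the audit flags Fa0/2 (dynamic desirable) and Fa0/24 (the 2960 default, dynamic auto); Fa0/1 is clean because it is an access port with negotiation off, and Gi0/1 is excluded because it is meant to be a trunk.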
CDP Attack
Enable a CDP attack using Yersinia.
This attack severely degrades switch performance, since it floods the switch with thousands of CDP entries
and exhausts its memory. In this example a Catalyst 2960 was used, and it was left inoperable while under attack.
The port LED starts blinking rapidly, then turns amber, and finally the port goes down.
ALS1#show debugging
Generic VLAN Manager:
vlan manager packets debugging is on
Condition 1: interface Fa0/24 (1 flags triggered)
Flags: Fa0/24
ALS1#
04:35:17204524532: %SYS-3-CPUHOG: Task is running for (2138)msecs, more than (2000)msecs (132/26),process =HLFM address learning process.
-Traceback= 4C92C8 3A2D24 3A3244 BDD138 BD470C
04:35:30064771072: %SYS-3-CPUHOG: Task is running for (4275)msecs, more than (2000)msecs (235/26),process =
HLFM address learning process.
-Traceback= 3C7718 3C8528 3C949C 3AD0C8 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244 BDD138
BD470C
04:35:42949672992: %SYS-3-CPUHOG: Task is running for (6415)msecs, more tha
ALS1#n (2000)msecs (343/26),process = HLFM address learning process.
-Traceback= 355738 355B28 5AECBC 3AD2F8 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244 BDD138
BD470C
04:35:56673435648: %SYS-3-CPUHOG: Task is running for (8551)msecs, more than (2000)msecs (444/26),process =HLFM address learning process.
-Traceback= 3BD898 3C888C 3C89A0 3C8A8C 3C94E4 3AD378 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094
3A3244 BDD138 BD470C
04:35:68719476736: %SYS-3-CPUHOG: Task is running for (10688)msecs, more than (200
ALS1#0)msecs (547/26),process = HLFM address learning process.
-Traceback= 3BD518 3C8528 3C949C 3AD0C8 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244 BDD138
BD470C
04:35:81629033244: %SYS-3-CPUHOG: Task is running for (12809)msecs, more than (2000)msecs (608/26),process
= HLFM address learning process.
-Traceback= B99038 B99438 3C8E74 3C7200 3AD3AC 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244BDD138 BD470C
04:35:90218967836: %SYS-3-CPUHOG: Task is running for (14906)msecs, more than (2000)msecs (608
ALS1#/26),process = HLFM address learning process.
-Traceback= B99030 B99438 3C8E74 3C7200 3AD3AC 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244
BDD138 BD470C
04:35:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
ALS1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
222JJJX Fas 0/24 216 R T S H I yersinia Eth 0
2EEEWWW Fas 0/24 184 B I yersinia Eth 0
3KKKXXX Fas 0/24 185 H I yersinia Eth 0
222EEEW Fas 0/24 186 T B S I r yersinia Eth 0
2IIWWWE Fas 0/24 184 B H yersinia Eth 0
444LLLY Fas 0/24 184 I r yersinia Eth 0
3KKKYYY Fas 0/24 185 T S H I yersinia Eth 0
444LLLZ Fas 0/24 185 R S H yersinia Eth 0
EEEWWW0 Fas 0/24 184 R T B r yersinia Eth 0
DVVV000 Fas 0/24 186 R B r yersinia Eth 0
5MMMZZZ Fas 0/24 184 R T B H yersinia Eth 0
YCCCUU9 Fas 0/24 185 T I yersinia Eth 0
1DDDVVV Fas 0/24 185 R T S I r yersinia Eth 0
1DDVVVD Fas 0/24 184 R B S H I r yersinia Eth 0
5LLLZZZ Fas 0/24 184 R T B H yersinia Eth 0
EVVV000 Fas 0/24 184 R B r yersinia Eth 0
111DDDV Fas 0/24 183 R B S I r yersinia Eth 0
555LLLZ Fas 0/24 183 R I r yersinia Eth 0
111EEEW Fas 0/24 184 T yersinia Eth 0
ARRR000 Fas 0/24 183 R S H I r yersinia Eth 0
--More--
Disable CDP on interface Fa0/24
Note: one way to mitigate a CDP attack is to disable CDP, either globally or per port. The port LED will still
show activity, but the switch will keep operating.
ALS1
interface FastEthernet0/24
no cdp enable
ALS1#show running-config interface fastEthernet 0/24
Building configuration...
Current configuration : 49 bytes
!
interface FastEthernet0/24
no cdp enable
end
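Before disabling CDP, an operator usually wants to know which port is producing the flood. The following Python example is added here and is not part of the guide: it parses show cdp neighbors output (five neighbour lines taken from the output above plus one constructed uplink entry), counts neighbours per local interface, flags ports that exceed the number of CDP neighbours an access port should ever have, and generates the no cdp enable lines the guide applies. The interface and port-ID columns are assumed to print as two tokens, as they do in the sample.

```python
"""Detect CDP neighbour flooding from `show cdp neighbors` output.

Added example, not code from the guide.  A normal access port has at
most one CDP neighbour (a phone, or a phone plus the PC behind it), so
dozens of distinct Device IDs on one port is the signature shown in the
guide's output.  SAMPLE_CDP mixes lines from the guide with one
constructed uplink entry (DLS1 on Gig 0/1).
"""
from collections import Counter

SAMPLE_CDP = """\
ALS1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
DLS1             Gig 0/1           162           S I      WS-C3560  Gig 0/1
222JJJX          Fas 0/24          216        R T S H I   yersinia  Eth 0
2EEEWWW          Fas 0/24          184        B I         yersinia  Eth 0
3KKKXXX          Fas 0/24          185        H I         yersinia  Eth 0
222EEEW          Fas 0/24          186        T B S I r   yersinia  Eth 0
2IIWWWE          Fas 0/24          184        B H         yersinia  Eth 0
 --More--
"""

# Abbreviations used in the table -> full interface names for configuration.
IFNAMES = {"Fas": "FastEthernet", "Gig": "GigabitEthernet", "Eth": "Ethernet"}


def parse_cdp_neighbors(text: str) -> list:
    """Return one dict per neighbour row of a `show cdp neighbors` table."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True                 # header row: data follows
            continue
        if not in_table or not line.strip() or "--More--" in line:
            continue
        t = line.split()
        # Assumption for this format: the local interface and the port ID each
        # print as two tokens ("Fas 0/24", "Eth 0") and the platform is a single
        # token, so the capability codes are everything in between.
        rows.append({
            "device": t[0],
            "local": f"{t[1]} {t[2]}",
            "holdtime": int(t[3]),
            "caps": t[4:-3],
            "platform": t[-3],
            "port_id": f"{t[-2]} {t[-1]}",
        })
    return rows


def neighbors_per_port(rows: list) -> dict:
    """Count distinct neighbour rows per local interface."""
    return dict(Counter(r["local"] for r in rows))


def flooded_ports(rows: list, max_neighbors: int = 1) -> list:
    """Local interfaces with more neighbours than an access port should have."""
    return sorted(port for port, n in neighbors_per_port(rows).items() if n > max_neighbors)


def remediation(ports: list) -> list:
    """Per-port `no cdp enable`, the mitigation the guide applies."""
    lines = []
    for port in ports:
        short, number = port.split()
        lines += [f"interface {IFNAMES.get(short, short)}{number}", " no cdp enable"]
    return lines


if __name__ == "__main__":
    rows = parse_cdp_neighbors(SAMPLE_CDP)
    print("neighbours per port:", neighbors_per_port(rows))
    flagged = flooded_ports(rows)
    print("flooded:", flagged)
    print("\n".join(remediation(flagged)))
```

The threshold of one neighbour per port is deliberately strict for access ports; for uplinks and ports with IP phones the operator would raise it, and the platform column (here every flooded row claims "yersinia") is a second signal worth alerting on.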
STP Root Guard
With applications such as Yersinia the PC can claim the STP root role. First let us look at the
behaviour under the STP Claiming Root Role attack. Beforehand we verify the role of ALS1.
ALS1#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5689.5d80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0022.5689.5d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24 Desg FWD 19 128.24 P2p
ALS1#debug spanning-tree root
Spanning Tree root changes debugging is on
ALS1#
STP: VLAN0001 new root is 32769, 0022.5688.5d80 on port Fa0/24, cost 19
ALS1#show spanning-tree root detail
VLAN0001
Root ID Priority 32769
Address 0022.5688.5d80
Cost 19
Port 24 (FastEthernet0/24)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
The output above shows that both the PC and the Catalyst ALS1 have the same priority; however, the
MAC address value (which decides the tie) is lower on the PC:
ALS1 0022.5689.5d80
PC 0022.5688.5d80
Therefore the PC takes the Root role. The show spanning-tree root detail command shows that ALS1 is no
longer the Root Bridge.
Configure an STP feature to mitigate this problem.
The guard root command on the interface prevents a
ALS1
interface FastEthernet0/24
spanning-tree guard root
ALS1#show spanning-tree root detail
VLAN0001
Root ID Priority 32769
Address 0022.5689.5d80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
05:58:16: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/24.
STP: VLAN0001 we are the spanning tree root
05:58:17: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/24 on VLAN0001.
05:58:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
ALS1#show spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 0022.5689.5d80
Designated bridge has priority 32769, address 0022.5689.5d80
Designated port id is 128.24, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Root guard is enabled on the port
BPDU: sent 347, received 0
STP PortFast
Configure port FastEthernet 0/24 on ALS1 so that the port comes up immediately, skipping the
STP states.
If we do not configure portfast the port takes 30 seconds to become operational (15 seconds in the
listening state + 15 seconds in the learning state before moving to forwarding). Before configuring the interface
we can see that when the PC is connected to the port it transitions through the different states.
ALS1#debug spanning-tree events
Spanning Tree event debugging is on
setting bridge id (which=3) prio 32769 prio cfg 32768 sysid 1 (on) id 8001.0022.5689.5d80
set portid: VLAN0001 Fa0/24: new port id 8018
STP: VLAN0001 Fa0/24 -> listening
ALS1#
06:19:18: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
06:19:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
ALS1#
STP: VLAN0001 Fa0/24 -> learning
ALS1#
STP: VLAN0001 Fa0/24 -> forwarding
06:19:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Configure an STP feature that avoids the Listening and Learning transitions and moves immediately to
forwarding.
Note: when configuring portfast the system warns us that only hosts should be connected, otherwise we could create loops
if hubs, switches, etc. are connected.
ALS1
interface FastEthernet0/24
spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/24 but will only
have effect when the interface is in a non-trunking mode.
ALS1#show spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 0022.5689.5d80
Designated bridge has priority 32769, address 0022.5689.5d80
Designated port id is 128.24, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Root guard is enabled on the port
BPDU: sent 347, received 0
STP BPDU Filter
Catalyst switches constantly send BPDUs out all active interfaces, including access ports, so hosts
receive packets they do not know how to interpret. Using Wireshark we can observe that the
PC receives STP packets:
Configure an STP feature so that the Catalyst does not send BPDUs to the hosts.
ALS1
interface FastEthernet0/24
spanning-tree bpdufilter enable
ALS1#show spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 0022.5689.5d80
Designated bridge has priority 32769, address 0022.5689.5d80
Designated port id is 128.24, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu filter is enabled
Root guard is enabled on the port
BPDU: sent 1007, received 0
If we start the protocol analyzer we will see that, once BPDU Filter is configured, STP packets are no longer sent
out the configured port.
Configure interface FastEthernet0/24 so that if a BPDU is received on the port, the port goes into
err-disable state.
In some cases BPDUs may be received as part of an attack. To disable the port in that case we use BPDU Guard.
Using Yersinia we will send BPDUs so that the port is disabled.
ALS1
interface FastEthernet0/24
spanning-tree portfast
spanning-tree bpduguard enable
ALS1#show spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 0022.5689.5d80
Designated bridge has priority 32769, address 0022.5689.5d80
Designated port id is 128.24, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled
Bpdu filter is enabled
Root guard is enabled on the port
BPDU: sent 1007, received 0
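To make the behaviour of the three features concrete, here is an added example (not part of the guide) that parses IEEE 802.1D configuration BPDUs and models how a Catalyst access port reacts under BPDU filter, BPDU guard and root guard. The two frames are constructed: one reproduces the BPDU ALS1 itself advertises (root and bridge 32769 / 0022.5689.5d80, port 128.24, as in the show output above) and the other imitates a Yersinia "claim root" BPDU with priority 0 and the made-up bridge MAC 000c.2900.0001.

```python
"""Parse 802.1D configuration BPDUs and model a Catalyst access port's reaction.

Added example for this section, not code from the guide. Frames are constructed:
one mimics ALS1's own BPDU (root 32769 / 0022.5689.5d80, port 128.24), the other
a Yersinia-style "claim root" BPDU with priority 0 and an invented bridge MAC.
"""
import struct

LLC_STP = b"\x42\x42\x03"  # DSAP 0x42, SSAP 0x42, UI control field


def build_config_bpdu(root_prio, root_mac, bridge_prio, bridge_mac, port_id,
                      root_cost=0, max_age=20, hello=2, fwd_delay=15):
    """Return LLC header + 35-byte 802.1D Configuration BPDU."""
    def bridge_id(prio, mac):
        return struct.pack("!H", prio) + bytes.fromhex(mac.replace(".", ""))
    body = struct.pack("!HBBB", 0x0000, 0x00, 0x00, 0x00)  # proto id, version, type=config, flags
    body += bridge_id(root_prio, root_mac)
    body += struct.pack("!I", root_cost)
    body += bridge_id(bridge_prio, bridge_mac)
    body += struct.pack("!H", port_id)
    # message age, max age, hello, forward delay are carried in 1/256 s units
    body += struct.pack("!HHHH", 0, max_age * 256, hello * 256, fwd_delay * 256)
    return LLC_STP + body


def parse_bpdu(frame):
    """Decode the fields an operator sees in 'show spanning-tree ... detail'."""
    if frame[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    b = frame[3:]
    proto, ver, btype, flags = struct.unpack("!HBBB", b[:5])
    if btype != 0x00:
        return {"type": "tcn" if btype == 0x80 else f"0x{btype:02x}"}
    root_prio = struct.unpack("!H", b[5:7])[0]
    root_mac = b[7:13].hex()
    cost = struct.unpack("!I", b[13:17])[0]
    br_prio = struct.unpack("!H", b[17:19])[0]
    br_mac = b[19:25].hex()
    port_id = struct.unpack("!H", b[25:27])[0]
    return {"type": "config", "root_prio": root_prio, "root_mac": root_mac,
            "root_cost": cost, "bridge_prio": br_prio, "bridge_mac": br_mac,
            "port_id": port_id, "port_prio": port_id >> 8, "port_num": port_id & 0xFF}


def port_reaction(bpdu, current_root, bpdufilter=False, bpduguard=False, rootguard=False):
    """Decide what an access port does with a received configuration BPDU.

    Order follows IOS behaviour: a per-interface BPDU filter discards the BPDU
    before any guard sees it; BPDU guard err-disables on any BPDU; root guard
    only reacts to a superior BPDU (lower root priority/MAC than the current root).
    """
    if bpdufilter:
        return "ignored (bpdufilter)"
    if bpduguard:
        return "err-disabled (bpduguard)"
    if rootguard and (bpdu["root_prio"], bpdu["root_mac"]) < current_root:
        return "root-inconsistent (rootguard)"
    return "processed"


if __name__ == "__main__":
    current_root = (32769, "002256895d80")
    rogue = parse_bpdu(build_config_bpdu(0, "000c.2900.0001", 0, "000c.2900.0001", 0x8001))
    for flags in ({"bpduguard": True}, {"bpdufilter": True, "bpduguard": True}, {"rootguard": True}):
        print(flags, "->", port_reaction(rogue, current_root, **flags))
```

The ordering inside port_reaction is the point of the caveat above: with the per-interface filter set, even a priority-0 BPDU is silently ignored, so neither guard fires.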
VLAN ACLs vs. Telnet session security
Configure the Portchannel shown in the figure. Use LACP and 802.1Q as the trunking protocol.
On DLS1 create VLAN 10 and verify that it propagates to DLS2.
Configure the access ports for VLAN 10. Use portfast.
DLS1
default interface range fastEthernet 0/6-7
interface range fastEthernet 0/6-7
channel-group 3 mode active
exit
interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk
vlan 10
vtp domain cisco
DLS2
default interface range fastEthernet 0/6-7
interface range fastEthernet 0/6-7
channel-group 3 mode active
exit
interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/61/80 ms
Configure the routers with the addressing shown and enable telnet. On R1, inbound sessions are allowed only from
IP 100.2.2.2; on R2, only from IP 100.1.1.1. If a telnet connection is attempted from any other source address, a
log message must be sent to the console reporting it. (The access lists below permit the whole 100.x.x.0/24
network rather than the single host; a host entry would be the stricter match.)
Form an OSPF adjacency (process 1, area 0) between R1 and R2. There must be no DR/BDR election.
Create and advertise loopback0 100.1.1.1/24 on R1 and loopback0 100.2.2.2/24 on R2 using OSPF. Verify that
they are advertised with their correct masks.
R1
interface Loopback0
ip address 100.1.1.1 255.255.255.0
ip ospf 1 area 0
ip ospf network point-to-point
interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0
R2
interface Loopback0
ip address 100.2.2.2 255.255.255.0
ip ospf 1 area 0
ip ospf network point-to-point
interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0
R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
100.1.1.1 0 FULL/ - 00:00:33 10.1.1.1 FastEthernet0/0
R2#sh ip route ospf
Gateway of last resort is not set
100.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O 100.1.1.0/24 [110/2] via 10.1.1.1, 00:00:25, FastEthernet0/0
R2#ping 100.1.1.1 source 100.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 100.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/68 ms
R1
access-list 10 permit 100.2.2.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
access-class 10 in
exec-timeout 0 0
password cisco
login
transport input telnet
transport output telnet
R2
access-list 10 permit 100.1.1.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
access-class 10 in
exec-timeout 0 0
password cisco
login
transport input telnet
transport output telnet
R1#telnet 100.2.2.2
Trying 100.2.2.2 ...
% Connection refused by remote host
R2#
*Jun 13 13:53:58.599: %SEC-6-IPACCESSLOGNP: list 10 denied 0 10.1.1.1 -> 0.0.0.0, 1 packet
R1#telnet 100.2.2.2 /source-interface loo0
Trying 100.2.2.2 ... Open
User Access Verification
Password:cisco
R2>en
Password:cisco
On DLS2 use a VLAN access-list to block all ICMP and HTTP traffic (note that the access-map configured below only
matches ICMP). Telnet traffic must be allowed.
DLS2
ip access-list extended ICMP
permit icmp any any
vlan access-map DROP-ICMP 10
match ip address ICMP
action drop
vlan access-map DROP-ICMP 20
action forward
R1#ping 100.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/64/100 ms
As the output above shows, ping still works: a VLAN access-map has no effect until it is applied with the vlan filter
command, which names the VLAN(s) it acts on; in our case VLAN 10.
After that last configuration step, ICMP traffic between the sites is no longer possible, but we can still log in
through telnet.
DLS2
vlan filter DROP-ICMP vlan-list 10
R1#ping 100.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#telnet 100.2.2.2 /source-interface loo0
Trying 100.2.2.2 ... Open
User Access Verification
Password:
R2>en
Password:
SSH
Configure SSH on DLS2 using the following policies:
- Domain: duoc.cl
- Key: 1024 bits (below today's minimum of 2048 bits; kept here because it is what the exercise specifies)
- Authentication: must be performed against the local database.
- Username: U1, Password: cisco
- Lines: authentication must be enabled on the VTY lines.
- Restrictions: only SSH connections are allowed into DLS2.
DLS2
ip domain name duoc.cl
DLS2(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
DLS2(config)#
*Mar 1 06:11:47.245: %SSH-5-DISABLED: SSH 1.99 has been disabled
DLS2(config)#crypto key generate rsa usage-keys
The name for the keys will be: DLS2.duoc.cl
Choose the size of the key modulus in the range of 360 to 4096 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 4096 for your
Encryption Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 5 seconds)
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 6 seconds)
DLS2(config)#
*Mar 1 06:12:15.012: %SSH-5-ENABLED: SSH 1.99 has been enabled
The following configuration enables AAA and restricts the VTY lines to SSH. Two things to tighten outside the lab:
username U1 password stores the credential in cleartext (type 0) unless service password-encryption is on, so the
secret form is preferable; and the %SSH-5-ENABLED: SSH 1.99 message above means the server still negotiates
SSHv1, which ip ssh version 2 would prevent.
DLS2
aaa new-model
username U1 password duoc
aaa authentication login LOCAL local
line vty 0 4
login authentication LOCAL
transport input ssh
DLS1#ssh -l U1 -c aes128-cbc 1.1.1.2
Password:cisco
DLS2>en
Password:duoc
SPAN
On DLS1 create VLANs 10, 20 and 99.
Form trunks between directly connected switches (use two links between devices). Only the VLANs just created
plus the default VLAN may be allowed. Use the standard trunking protocol.
DLS1 is the server for VTP domain duoc; the remaining switches are clients. Verify that the VLANs have
propagated to every switch.
DLS1 must be root for VLANs 1, 10 and 20, and secondary root for VLAN 99.
DLS2 must be root for VLAN 99, and secondary root for VLANs 1, 10 and 20.
DLS1
interface range fastEthernet 0/2-7
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,10,20,99
DLS2
interface range fastEthernet 0/13-20
shutdown
interface range fastEthernet 0/2-7
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,10,20,99
ALS1
interface range fastEthernet 0/13-20
shutdown
interface range fastEthernet 0/2-7
switchport mode trunk
switchport trunk allowed vlan 1,10,20,99
ALS2
interface range fastEthernet 0/2-7
switchport mode trunk
switchport trunk allowed vlan 1,10,20,99
DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1,10,20,99
Fa0/3 1,10,20,99
Fa0/4 1,10,20,99
Fa0/5 1,10,20,99
Fa0/6 1,10,20,99
Fa0/7 1,10,20,99
DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1,10,20,99
Fa0/3 1,10,20,99
Fa0/4 1,10,20,99
Fa0/5 1,10,20,99
Fa0/6 1,10,20,99
Fa0/7 1,10,20,99
ALS1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1,10,20,99
Fa0/3 1,10,20,99
Fa0/4 1,10,20,99
Fa0/5 1,10,20,99
Fa0/6 1,10,20,99
Fa0/7 1,10,20,99
DLS2
vtp mode client
ALS1
vtp mode client
ALS2
vtp mode client
DLS1
vtp mode server
vtp domain duoc
vlan 10,20,99
DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
99 VLAN0099 active
DLS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
99 VLAN0099 active
ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
99 VLAN0099 active
ALS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
99 VLAN0099 active
DLS1
spanning-tree vlan 1,10,20 root primary diameter 3
spanning-tree vlan 99 root secondary diameter 3
DLS2
spanning-tree vlan 99 root primary diameter 3
spanning-tree vlan 1,10,20 root secondary diameter 3
DLS2#show spanning-tree vlan 99
VLAN0099
Spanning tree enabled protocol ieee
Root ID Priority 24675
Address 3037.a6eb.d580
This bridge is the root
Hello Time 2 sec Max Age 12 sec Forward Delay 9 sec
Bridge ID Priority 24675 (priority 24576 sys-id-ext 99)
Address 3037.a6eb.d580
Hello Time 2 sec Max Age 12 sec Forward Delay 9 sec
Aging Time 9
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg LRN 19 128.4 P2p
Fa0/3 Desg LRN 19 128.5 P2p
Fa0/4 Desg LRN 19 128.6 P2p
Fa0/5 Desg LRN 19 128.7 P2p
Fa0/6 Desg FWD 19 128.8 P2p
Fa0/7 Desg LRN 19 128.9 P2p
On ALS2 connect a protocol analyzer to port Fa0/1 and monitor the traffic generated on the same switch on access
port Fa0/11, where a PC is opening a telnet session to SVI1 (1.1.1.X). Because Telnet is cleartext, the analyzer
sees every keystroke of the session below, including the passwords.
ALS2
interface FastEthernet0/1
switchport mode access
switchport access vlan 1
spanning-tree portfast
interface FastEthernet0/11
switchport mode access
switchport access vlan 1
spanning-tree portfast
monitor session 1 source interface fastEthernet 0/11 both
monitor session 1 destination interface fastEthernet 0/1
TELNET
C:\>telnet 1.1.1.1
User Access Verification
Password:
DLS1>en
Password:
DLS1#
Remote SPAN (RSPAN)
On DLS2 connect a protocol analyzer to port Fa0/1 and monitor the traffic generated on DLS1 access port Fa0/8,
where a PC is opening a telnet session to SVI1 (1.1.1.X). VLAN 99 must be configured as the SPAN VLAN.
Note: the traffic mirrored from Fa0/8 of DLS1 can be delivered to any switch that carries VLAN 99, the RSPAN
VLAN. In this example only DLS2 acts as receiver, but ALS1 and ALS2 could as well.
DLS1
vlan 99
remote-span
DLS1#sh vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99
DLS2#show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99
ALS1#show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99
ALS2#sh vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99
DLS1
monitor session 2 source interface fastEthernet 0/8
monitor session 2 destination remote vlan 99
DLS1#sh monitor session 2
Session 2
---------
Type : Remote Source Session
Source Ports :
Both : Fa0/8
Dest RSPAN VLAN : 99
DLS2
monitor session 2 source remote vlan 99
monitor session 2 destination interface fastEthernet 0/1
DLS1
interface FastEthernet0/8
switchport mode access
spanning-tree portfast
DLS2
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
TELNET
C:\>telnet 1.1.1.1
User Access Verification
Password:
DLS1>en
Password:
DLS1#
Syslog
Create PortChannel 3 between DLS1 and DLS2 without using PAgP or LACP. Enable the interfaces for Layer 3
connectivity and configure the addressing shown. Verify that there is connectivity between both Layer 3 devices.
DLS1
ip routing
interface Port-channel3
no switchport
ip address 10.1.12.1 255.255.255.0
interface FastEthernet0/6
no switchport
channel-group 3 mode on
interface FastEthernet0/7
no switchport
channel-group 3 mode on
DLS2
ip routing
interface Port-channel3
no switchport
ip address 10.1.12.2 255.255.255.0
interface FastEthernet0/6
no switchport
channel-group 3 mode on
interface FastEthernet0/7
no switchport
channel-group 3 mode on
DLS2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Configure EIGRP 1 as shown in the figure and also advertise each switch's loopback0.
Network 172.16.1.0/24 must be redistributed into EIGRP.
DLS1
interface Loopback0
ip address 10.1.1.1 255.255.255.0
router eigrp 1
network 10.0.0.0
no auto-summary
DLS2
interface Loopback0
ip address 10.2.2.2 255.255.255.0
router eigrp 1
network 10.0.0.0
no auto-summary
DLS2#sh ip route eigrp
10.0.0.0/24 is subnetted, 3 subnets
D 10.1.1.0 [90/143360] via 10.1.12.1, 00:00:12, Port-channel3
DLS2
interface FastEthernet0/1
no switchport
ip address 172.16.1.1 255.255.255.0
router eigrp 1
redistribute connected metric 1 1 1 1 1
DLS1#sh ip route eigrp
172.16.0.0/24 is subnetted, 1 subnets
D EX 172.16.1.0 [170/2560002816] via 10.1.12.2, 00:00:36, Port-channel3
10.0.0.0/24 is subnetted, 3 subnets
D 10.2.2.0 [90/143360] via 10.1.12.2, 00:03:47, Port-channel3
Configure DLS1 so that all log messages are sent to the syslog server 172.16.1.2. logging trap 7 forwards everything
up to debugging level (the EIGRP debug lines in the server output below come from this), and logging
source-interface Loopback0 fixes the source address of the messages: sequence numbers 50 and 51 on the server
arrived with source 10.1.12.1, the Port-channel address, while later ones carry 10.1.1.1, which is what happens when
the host is configured before the source interface. logging 172.16.1.2 and logging host 172.16.1.2 are the same
command, the second being the current form. Syslog over UDP/514 is neither authenticated nor encrypted.
DLS1
logging on
logging trap 7
logging source-interface Loopback0
logging 172.16.1.2
logging host 172.16.1.2
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 62: *Mar 1 00:42:05.767: EIGRP: Packet from ourselves ignored
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 61: *Mar 1 00:42:05.767: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 60: *Mar 1 00:42:05.767: EIGRP: Received HELLO on Loopback0 nbr 10.1.1.1
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 59: *Mar 1 00:42:05.767: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 58: *Mar 1 00:42:05.767: EIGRP: Sending HELLO on Loopback0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 57: *Mar 1 00:42:05.700: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 56: *Mar 1 00:42:05.700: EIGRP: Sending HELLO on Port-channel3
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 55: *Mar 1 00:42:05.549: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 54: *Mar 1 00:42:05.549: EIGRP: Received HELLO on Port-channel3 nbr 10.1.12.2
06-26-2012 14:25:18 Local7.Info 10.1.1.1 53: *Mar 1 00:40:24.492: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated
06-26-2012 14:25:17 Local7.Notice 10.1.1.1 52: *Mar 1 00:40:18.485: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)
06-26-2012 14:22:30 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0002
06-26-2012 14:19:55 Local7.Info 10.1.12.1 51: *Mar 1 00:35:03.149: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated
06-26-2012 14:19:54 Local7.Notice 10.1.12.1 50: *Mar 1 00:35:02.092: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)
06-26-2012 14:17:17 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0001
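An added example (not from the guide) of the parsing a collector or SIEM has to do with lines like these: it splits the Kiwi prefix from the IOS message, extracts the sequence number and the %FACILITY-SEVERITY-MNEMONIC tag, raises alerts for %SYS-5-CONFIG_I and %SYS-6-LOGGINGHOST_STARTSTOP (configuration and logging-destination changes, the events worth watching on a switch), and counts messages per source address so that a device reporting under two addresses stands out. The sample lines are constructed from the server output above.

```python
"""Parse Kiwi-style syslog lines carrying Cisco IOS messages and flag the
security-relevant ones. Added example for this section, not code from the
guide; SAMPLE is constructed from the server output shown above."""
import re
from collections import Counter

SAMPLE = """\
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 54: *Mar 1 00:42:05.549: EIGRP: Received HELLO on Port-channel3 nbr 10.1.12.2
06-26-2012 14:25:18 Local7.Info 10.1.1.1 53: *Mar 1 00:40:24.492: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated
06-26-2012 14:25:17 Local7.Notice 10.1.1.1 52: *Mar 1 00:40:18.485: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)
06-26-2012 14:22:30 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0002
06-26-2012 14:19:55 Local7.Info 10.1.12.1 51: *Mar 1 00:35:03.149: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated
06-26-2012 14:19:54 Local7.Notice 10.1.12.1 50: *Mar 1 00:35:02.092: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)
"""

# Kiwi prefix: date, time, facility.severity, source address, then the payload
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<rest>.*)$")
# IOS payload: "<seq>: *Mon DD HH:MM:SS.mmm: <message>" (service sequence-numbers style)
IOS_RE = re.compile(r"^(?P<seq>\d+): (?P<ts>\*?\w{3} +\d+ \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")
# IOS system message tag: %FACILITY-SEVERITY-MNEMONIC: text
MNEMONIC_RE = re.compile(r"^%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

WATCH = {"%SYS-5-CONFIG_I": "configuration changed",
         "%SYS-6-LOGGINGHOST_STARTSTOP": "logging destination changed"}


def parse_line(line):
    """Return a dict for one collector line, or None if it is not in Kiwi format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = rec["mnemonic"] = rec["ios_sev"] = None
    rec["msg"] = rec.pop("rest")
    ios = IOS_RE.match(rec["msg"])
    if ios:
        rec["seq"] = int(ios.group("seq"))
        rec["msg"] = ios.group("msg")
        mn = MNEMONIC_RE.match(rec["msg"])
        if mn:
            rec["mnemonic"] = f"%{mn.group('fac')}-{mn.group('sev')}-{mn.group('mnem')}"
            rec["ios_sev"] = int(mn.group("sev"))
            rec["msg"] = mn.group("text")
    return rec


def analyse(text):
    """Parse every line, raise alerts for watched mnemonics, count IOS messages per source."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    alerts = []
    for r in records:
        if r["mnemonic"] in WATCH:
            who = re.search(r"by (\S+) \(([\d.]+)\)", r["msg"])  # "by vty0 (10.1.12.2)"
            alerts.append({"src": r["src"], "seq": r["seq"], "what": WATCH[r["mnemonic"]],
                           "actor": who.group(2) if who else None})
    per_src = Counter(r["src"] for r in records if r["seq"] is not None)
    return {"records": records, "alerts": alerts, "sources": per_src}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for a in result["alerts"]:
        print(a)
    print("IOS messages per source:", dict(result["sources"]))
```

Run on the sample, the analysis shows the same device (sequence numbers 50 to 54 are one counter) reporting first as 10.1.12.1 and then as 10.1.1.1, which is exactly the asset-correlation problem that logging source-interface Loopback0 avoids.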
Port-Security using macros
Before starting this lab, erase the switch configuration.
Configure ALSx so that ports FastEthernet 0/10 through 0/16 allow only one MAC address. If more than one MAC
is detected, the switch must discard the traffic from the non-permitted MAC.
Use a macro.
Verify by connecting a PC.
The violation mode matters: protect drops frames from the extra MAC silently, with no log message or SNMP trap;
restrict keeps the port up but logs and counts each violation; shutdown (the default) err-disables the port. Note
also that switchport port-security maximum 1 is the default value and therefore does not appear in the running
configuration shown below.
The following command defines a range of switch ports under the name UNA-MAC.
ALSx
define interface-range UNA-MAC fastEthernet 0/10-16
macro name SECURITY
Enter macro commands one per line. End with the character '@'.
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation protect
@
interface range macro UNA-MAC
macro apply SECURITY
ALS2#show running-config interface fastEthernet 0/11
Building configuration...
Current configuration : 167 bytes
!
interface FastEthernet0/11
switchport mode access
switchport port-security
switchport port-security violation protect
macro description SECURITY
ALS2#show interfaces fastEthernet 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
MAC filter
Configure on ALSx a unicast MAC filter so that the switch discards frames whose source or destination address is
0000.1234.DC10. Any such frame received on a port belonging to the default VLAN must be dropped.
Verify by configuring the MAC 0000.1234.DC10 on interface f0/0 of the router (or a PC) and connecting it to port
f0/23 of switch ALS1.
ALS1
mac-address-table static 0000.1234.DC10 vlan 1 drop
ALS2#show mac-address-table static address 0000.1234.DC10
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0000.1234.dc10 STATIC Drop
Total Mac Addresses for this criterion: 1
ALS1
interface FastEthernet0/23
switchport mode access
spanning-tree portfast
R1
interface FastEthernet0/0
mac-address 0000.1234.dc10
ip address 10.1.1.10 255.255.255.0
VACLs
Setup: configure DLS1 with SVI 110, 11.1.1.1/24. The PC connects to interface Fa0/1. DLS1 must act as DHCP
server and hand the PC the address 11.1.1.12/24. Enable telnet on DLS1.
Configure a VACL filter so that the PC connected to DLS1 can reach that same switch via telnet but ICMP tests
are not allowed. Use a VACL. Any other traffic is permitted.
PC1
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 50-B7-C3-07-A1-9D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e01f:70bc:4361:24fc%12(Preferred)
IPv4 Address. . . . . . . . . . . : 11.1.1.12(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, June 09, 2013 11:39:59
Lease Expires . . . . . . . . . . : Monday, June 10, 2013 11:39:58
C:\>
Before continuing with the lab we check that both telnet and ICMP access work.
PC
C:\>ping 11.1.1.1
Pinging 11.1.1.1 with 32 bytes of data:
Reply from 11.1.1.1: bytes=32 time=5ms TTL=255
Reply from 11.1.1.1: bytes=32 time=3ms TTL=255
Reply from 11.1.1.1: bytes=32 time=3ms TTL=255
Reply from 11.1.1.1: bytes=32 time=2ms TTL=255
Ping statistics for 11.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 5ms, Average = 3ms
PC
C:\>telnet 11.1.1.1
DLS1>enable
DLS1#sh users
Line User Host(s) Idle Location
0 con 0 idle 00:08:27
* 1 vty 0 idle 00:00:00 11.1.1.12
Interface User Mode Idle Peer Address
DLS1
access-list 100 permit tcp any any eq 23
access-list 101 permit icmp any any
vlan access-map FILTRO 10
action forward
match ip address 100
vlan access-map FILTRO 20
action drop
match ip address 101
vlan access-map FILTRO 30
action forward
vlan filter FILTRO vlan-list 110
DLS1#sh vlan filter
VLAN Map FILTRO is filtering VLANs:
110
DLS1#sh vlan access-map
Vlan access-map "FILTRO" 10
Match clauses:
ip address: 100
Action:
forward
Vlan access-map "FILTRO" 20
Match clauses:
ip address: 101
Action:
drop
Vlan access-map "FILTRO" 30
Match clauses:
Action:
forward
DLS1#ping 11.1.1.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.1.1.12, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
DLS1#copy startup-config tftp:
Address or name of remote host []? 11.1.1.12
Destination filename [dls1-confg]?
!!
5448 bytes copied in 0.100 secs (54480 bytes/sec)
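The two VACL labs above (DROP-ICMP on DLS2 and FILTRO on DLS1) rely on the same evaluation rules, which this added example (not from the guide) models: sequences are evaluated in ascending order, the first sequence whose ACL permits the packet wins, a sequence with no match clause matches every packet, and a packet that matches no sequence is dropped by the implicit deny. That last rule is why both labs end with a catch-all forward; the third map below shows what happens when it is forgotten. Only protocol and destination port are matched, because both labs use any any in their ACLs.

```python
"""Model of Cisco VLAN access-map (VACL) evaluation. Added example for this
section, not Cisco code. The maps below transcribe the two labs above."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                 # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any IP protocol
    dport: Optional[int] = None  # destination port for tcp/udp entries

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def acl_permits(acl, pkt):
    """IOS ACL semantics: first matching entry decides, implicit deny at the end.
    Inside a VACL match clause, 'permit' means 'this sequence matches the packet'."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


@dataclass
class MapSeq:
    seq: int
    action: str                        # "forward" or "drop"
    match_acl: Optional[list] = None   # None = no match clause = matches everything


def vacl_decide(access_map, pkt):
    """Return (action, sequence) for a packet bridged or routed within the filtered VLAN."""
    for s in sorted(access_map, key=lambda s: s.seq):
        if s.match_acl is None or acl_permits(s.match_acl, pkt):
            return s.action, s.seq
    return "drop", None   # no sequence matched: implicit deny


# DLS1 lab: access-list 100 permit tcp any any eq 23 / access-list 101 permit icmp any any
ACL_100 = [AclEntry("permit", "tcp", 23)]
ACL_101 = [AclEntry("permit", "icmp")]
FILTRO = [MapSeq(10, "forward", ACL_100), MapSeq(20, "drop", ACL_101), MapSeq(30, "forward")]

# DLS2 lab: ip access-list extended ICMP / permit icmp any any
ACL_ICMP = [AclEntry("permit", "icmp")]
DROP_ICMP = [MapSeq(10, "drop", ACL_ICMP), MapSeq(20, "forward")]
# Same map with the catch-all sequence 20 forgotten: everything non-ICMP is dropped too
DROP_ICMP_NO_CATCHALL = [MapSeq(10, "drop", ACL_ICMP)]


if __name__ == "__main__":
    for pkt in (Packet("icmp", "11.1.1.12", "11.1.1.1"),
                Packet("tcp", "11.1.1.12", "11.1.1.1", 23),
                Packet("udp", "11.1.1.1", "11.1.1.12", 69)):
        print(pkt.proto, pkt.dport, "->", vacl_decide(FILTRO, pkt))
```

The three sample packets reproduce the results observed on the lab: the PC's ping is dropped at sequence 20, its telnet is forwarded at sequence 10, and the TFTP copy from DLS1 to the PC falls through to sequence 30.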
DHCP Snooping
DLS1 must be the VTP server for domain duoc.cl; ALS1 must be a VTP client.
DLS1 must create VLAN 100, named DHCP. Verify that it propagates to ALS1.
Create PortChannel 1 between DLS1 and ALS1 without using PAgP or LACP. Enable 802.1Q trunking and allow
VLANs 1 and 100. Disable DTP.
DLS1
vtp mode server
vtp domain duoc.cl
vlan 100
name DHCP
interface range fastEthernet 0/2-3
channel-group 1 mode on
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100
switchport mode trunk
switchport nonegotiate
ALS1
vtp mode client
interface range fastEthernet 0/2-3
channel-group 1 mode on
interface Port-channel1
switchport trunk allowed vlan 1,100
switchport mode trunk
switchport nonegotiate
ALS1#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Fa0/2(P) Fa0/3(P)
On DLS1 create SVI 100 with IP address 100.1.1.1/24.
Configure DHCP on DLS1 with the following characteristics:
- Pool ABCD, 100.1.1.0/24
- Default router 100.1.1.1
- Lease of 4 days, 10 hours, 30 minutes
- The range 100.1.1.1 to 100.1.1.20 must be excluded
On ALS1 assign port Fa0/23 to VLAN 100 (access port).
DLS1
interface Vlan100
ip address 100.1.1.1 255.255.255.0
no shutdown
ip dhcp excluded-address 100.1.1.1 100.1.1.20
ip dhcp pool ABCD
network 100.1.1.0 255.255.255.0
default-router 100.1.1.1
lease 4 10 30
ALS1
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option
interface FastEthernet0/21
ip dhcp snooping limit rate 3
interface FastEthernet0/23
ip dhcp snooping limit rate 3
interface Port-channel1
ip dhcp snooping trust
ALS1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100
DHCP snooping is configured on the following Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/21 no 3
FastEthernet0/23 no 3
Port-channel1 yes unlimited
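One practical caveat about the configuration above: ip dhcp snooping information option makes ALS1 insert option 82 into client requests with giaddr still 0.0.0.0, and a Cisco IOS DHCP server such as DLS1 drops such requests by default, so either leave the option disabled on ALS1 or configure ip dhcp relay information trust-all on DLS1. The following is an added example (not Cisco code) modelling the checks ALS1 now applies on VLAN 100: server messages are dropped on untrusted ports, a client frame whose chaddr differs from its Ethernet source is dropped (Verification of hwaddr field is enabled), option 82 arriving on an untrusted port is dropped, a RELEASE or DECLINE must match a binding learned on that same port, and exceeding the 3 pps limit err-disables the port. Port names follow the lab; the PC MAC is the one shown in the ipconfig output earlier, and the rogue server and attacker MACs are invented.

```python
"""Model of the DHCP snooping checks enabled on ALS1 above. Added example for
this guide, not Cisco code. Port names mirror the lab; MACs other than the PC's
are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMsg:
    kind: str                   # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    src_mac: str                # Ethernet source address of the frame
    chaddr: str                 # client hardware address field inside the DHCP payload
    yiaddr: str = "0.0.0.0"     # address handed out by the server (OFFER/ACK)
    has_option82: bool = False  # relay agent information option present


@dataclass
class Port:
    name: str
    trusted: bool = False
    rate_limit: Optional[int] = None   # pps; None = unlimited (as on Port-channel1)
    err_disabled: bool = False
    window: deque = field(default_factory=deque)


class DhcpSnooping:
    def __init__(self, vlan, ports, verify_hwaddr=True):
        self.vlan = vlan
        self.ports = {p.name: p for p in ports}
        self.verify_hwaddr = verify_hwaddr
        self.bindings = {}        # chaddr -> (ip, vlan, access port)
        self._client_port = {}    # chaddr -> untrusted port that last sent a client message

    def _rate_ok(self, port, ts):
        """Sliding one-second window; exceeding the limit err-disables the port."""
        if port.rate_limit is None:
            return True
        port.window.append(ts)
        while ts - port.window[0] >= 1.0:
            port.window.popleft()
        if len(port.window) > port.rate_limit:
            port.err_disabled = True
            return False
        return True

    def ingress(self, msg, port_name, ts):
        """Return ("forward" | "drop", reason) for a DHCP message received on a port."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop", "port is err-disabled"
        if not self._rate_ok(port, ts):
            return "drop", f"{port.name} exceeded {port.rate_limit} pps, err-disabled"
        if port.trusted:
            # Only ACKs seen on a trusted port populate the binding table
            if msg.kind == "ACK" and msg.chaddr in self._client_port:
                self.bindings[msg.chaddr] = (msg.yiaddr, self.vlan, self._client_port[msg.chaddr])
            return "forward", "trusted port"
        if msg.kind in SERVER_MSGS:
            return "drop", "server message on untrusted port (rogue DHCP server)"
        if msg.has_option82:
            return "drop", "option 82 on untrusted port is not allowed"
        if self.verify_hwaddr and msg.src_mac.lower() != msg.chaddr.lower():
            return "drop", "chaddr does not match frame source MAC"
        if msg.kind in {"RELEASE", "DECLINE"}:
            b = self.bindings.get(msg.chaddr)
            if b is None or b[2] != port_name:
                return "drop", "release/decline for a binding not learned on this port"
        self._client_port[msg.chaddr] = port_name
        return "forward", "client message on untrusted port"


def build_lab():
    """ALS1 as configured above: two untrusted 3 pps access ports, trusted uplink."""
    return DhcpSnooping(100, [Port("FastEthernet0/21", rate_limit=3),
                              Port("FastEthernet0/23", rate_limit=3),
                              Port("Port-channel1", trusted=True)])


if __name__ == "__main__":
    s = build_lab()
    pc, rogue = "50b7.c307.a19d", "0011.2233.4455"   # PC from ipconfig; rogue is constructed
    print(s.ingress(DhcpMsg("DISCOVER", pc, pc), "FastEthernet0/23", 0.0))
    print(s.ingress(DhcpMsg("OFFER", rogue, pc, "100.1.1.99"), "FastEthernet0/21", 0.1))
    print(s.ingress(DhcpMsg("RELEASE", rogue, pc), "FastEthernet0/21", 0.5))
```

The release check is the one that matters for the attacker case: even after spoofing both the frame source and chaddr, a RELEASE for the PC's lease is refused because the binding was learned on Fa0/23, not on the attacker's port.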
ARP Spoofing (Poisoning)
ARP runs directly over Ethernet (EtherType 0x0806). The protocol was created in 1982, when security problems were
rare, so it has no authentication mechanism, which makes it an attackable protocol.
If a host replaces its network card, it sends an unsolicited ARP to every host on the segment so that they update
their ARP caches; this is known as a gratuitous ARP.
ARP problems:
No authentication: identity spoofing is possible.
Data leakage: every host on a segment learns that a conversation between two hosts is about to start.
Availability attack: since the hosts on a segment must answer ARP requests, an attacker can send thousands of
ARP requests, forcing the hosts on the segment to respond with ARP replies.
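An added example (not from the guide) that builds and parses Ethernet/ARP frames (EtherType 0x0806) and implements the detection logic a monitoring host can apply to the problems above: an IP address whose MAC changes (the symptom of poisoning, indistinguishable on the wire from the legitimate NIC-replacement case, which is why gratuitous ARP alone cannot be trusted), a reply nobody requested, and a sender MAC in the ARP body that differs from the frame's source. All addresses are constructed.

```python
"""Ethernet/ARP frame builder, parser and poisoning detector. Added example for
this section, not code from the guide; addresses below are constructed."""
import struct

ETH_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", "").replace(".", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip,
              dst_mac="ff:ff:ff:ff:ff:ff", eth_src=None):
    """14-byte Ethernet header + 28-byte ARP payload (htype 1, ptype IPv4)."""
    eth = mac_bytes(dst_mac) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpWatcher:
    """Learn IP->MAC from observed ARP and alert on the three poisoning indicators."""

    def __init__(self):
        self.table = {}       # ip -> mac as last claimed on the wire
        self.pending = set()  # (answering_ip, asking_ip) for outstanding requests

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return []
        alerts = []
        if a["sha"] != a["eth_src"]:
            alerts.append(f"ARP sender {a['sha']} differs from frame source {a['eth_src']}")
        if a["op"] == OP_REQUEST:
            self.pending.add((a["tpa"], a["spa"]))
        elif a["op"] == OP_REPLY:
            key = (a["spa"], a["tpa"])
            if key in self.pending:
                self.pending.discard(key)
            elif a["spa"] != a["tpa"]:  # spa == tpa is a gratuitous announcement, handled below
                alerts.append(f"unsolicited reply {a['spa']} is-at {a['sha']} to {a['tpa']}")
        old = self.table.get(a["spa"])
        if old is not None and old != a["sha"]:
            alerts.append(f"{a['spa']} changed from {old} to {a['sha']}")
        self.table[a["spa"]] = a["sha"]
        return alerts


if __name__ == "__main__":
    w = ArpWatcher()
    host, gw, attacker = "aa:aa:aa:aa:aa:01", "00:22:56:89:5d:80", "de:ad:be:ef:00:01"
    w.observe(build_arp(OP_REQUEST, host, "10.1.1.10", "00:00:00:00:00:00", "10.1.1.1"))
    w.observe(build_arp(OP_REPLY, gw, "10.1.1.1", host, "10.1.1.10", dst_mac=host))
    print(w.observe(build_arp(OP_REPLY, attacker, "10.1.1.1", host, "10.1.1.10", dst_mac=host)))
```

The detector deliberately flags the gateway's own gratuitous announcement after the attack as well: on the wire it is just another MAC change for 10.1.1.1, and only an authoritative source such as a DHCP snooping binding table can say which claim is the true one.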