CCIE-RS GOLDlab ASET CCIE Lab 1

Got a free moment to play around on Cisco.com/PEC – cranked up the lab CCIE RS-FOCUS1. Focused on layer two concepts.

“This is an ASET Routing and Switching “focus” lab and is intended to aid your preparation for the CCIE Routing and Switching lab using CCIE Blueprint topics (as of 1/2/2008). This lab deals with the following topics:

  • CATALYST ETHERNET SWITCH CONFIGURATION
  • SPANNING TREE
  • SPANNING TREE OPTIONS
  • CATALYST INTERCONNECTIVITY
  • SWITCH SAFEGUARDS
  • VLAN LOAD BALANCING
  • VLAN FILTER
  • CLIENT AUTHENTICATION

The tasks are marked with checkboxes; my attempt to configure them is bold.

        Configure all switches for VTP domain = ASET101 and VTP mode = transparent.

On all switches:

en
conf t
vtp domain ASET101
vtp mode transparent
end

        Configure SW1 and SW2 for dot1q trunks on ports Fa0/23 and Fa0/24. These interfaces should be trunk interfaces even if their neighbor interfaces are not trunk interfaces.

conf t
int range f0/23 - 24
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
end

        Configure VLAN assignments as per the table below. Configure for static VLAN access and permanent nontrunking mode. 

| VLAN | SW1 | SW2 | SW3 |
|------|-----|-----|-----|
| 13 | | Fa0/1, Fa0/3 | |
| 100 | Fa0/10 | Fa0/4, Fa0/6 | |
| 145 | Fa0/1, Fa0/4, Fa0/5 | | |
| 200 | | Fa0/2, Fa0/10 | |
| 300 | | Fa0/5 | Gi0/10 |

SW1

conf t
vlan 100
vlan 145
exit
!
int fa0/10
switchport mode access
switchport access vlan 100
!
int range fa0/1,fa0/4 - 5
switchport mode access
switchport access vlan 145
end

SW2

conf t
vlan 13
vlan 100
vlan 200
vlan 300
exit
!
int range fa0/1,fa0/3
sw mod acc
sw acc vlan 13
!
int range fa0/4,fa0/6
sw mod acc
sw acc vlan 100
!
int range fa0/2,fa0/10
sw mod acc
sw acc vlan 200
!
int fa0/5
sw mod acc
sw acc vlan 300
!
end

SW3

conf t
vlan 300
exit
!
int Gi0/10
sw mod acc
sw acc vlan 300
!
end

1.2   SPANNING TREE

Ensure that all Per VLAN Spanning Tree parameters for active VLANs seen on SW1 are dictated by SW1. In addition, configure VLANS for which SW1 is root, with the following:

        Root priority of zero (0).

        An access port start-up delay, due to Spanning Tree, of 32 seconds.

SW1

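! VLANs 1,100,145
conf t
! "root primary" only lowers the priority far enough to win the election; the task asks for priority 0
spann vlan 1 priority 0
spann vlan 100 priority 0
spann vlan 145 priority 0
!
! forward delay 16 = 16 s listening + 16 s learning = 32 s before an access port forwards
spann vlan 1 forw 16
spann vlan 100 forw 16
spann vlan 145 forw 16
end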

1.3   SPANNING TREE OPTIONS

        Disable Spanning Tree for VLAN 13 on SW2.

        Configure SW2 to reduce the time it takes to choose a new root port when a link or switch fails or when the Spanning Tree reconfigures itself. Use a single command on SW2 for this.

        Configure SW2 such that the default behavior on all ports is to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link.

        Assume that SW2 interface Fa0/12 is connected to a customer’s Ethernet switch. Configure Fa0/12 to go into the root-inconsistent (blocked) state if the customer’s switch wants to become the Spanning Tree root.

        Assume SW2 Fa0/13 will never connect to a switch or bridge. Configure SW2 interface Fa0/13 using a spanning-tree command such that Bridge Protocol Data Units (BPDUs) are not sent on the port.

 

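SW2

conf t
no spann vlan 13
spanning-tree uplinkfast
! loop guard as the global default on all ports
spanning-tree loopguard default
!
int fa0/12
! root guard puts the port into root-inconsistent state on a superior BPDU; BPDU guard would err-disable it instead
spanning-tree guard root
!
int f0/13
spann bpdufilter enable
end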

1.4   CATALYST INTERCONNECTIVITY

Configure the Catalyst switches to prefer maximized bandwidth utilization between SW1 and SW2. Use a standards-based configuration. Configure the four physical interfaces to actively negotiate.

SW1#show cdp nei | in SW2

SW2                 Fas 0/24              148            S I      WS-C3550-2Fas 0/24

SW2                 Fas 0/23              148            S I      WS-C3550-2Fas 

SW2#show cdp nei | in SW1

SW1                 Fas 0/24              150            S I      WS-C3550-2Fas 0/24

SW1                 Fas 0/23              150            S I      WS-C3550-2Fas 0/23

! on both SW1 and SW2; "active" is LACP, the standards-based negotiation
conf t
int range fa0/23 - 24
channel-group 1 mode active
end

1.5   CONFIGURING SWITCH SAFEGUARDS

Fiber optic connectivity will eventually replace the existing trunks. Additional trunks between SW1 and SW2 will also be added at that time.  In order to assure that the fiber links are installed correctly and traffic is guaranteed to flow in a bi-directional manner, globally configure both switches such that a failing link is shut down in the event of a malfunction.

! on both SW1 and SW2
conf t
udld enable
end

1.6   VLAN LOAD BALANCING

VLANs 58 and 59 do not currently exist on the switches, but there are plans to use them in the future. Configure SW1 such that VLAN 58 traffic will pass primarily through the Gi0/1 interface and VLAN 59 traffic will pass primarily through the Gi0/2 interface. If one of the interfaces should fail, the remaining interface must carry all traffic. You do not need to actually configure the VLANs on the switches. Configure only Gi0/1 and Gi0/2 to accomplish this task. Your solution should not involve configuring a “cost”.

 

interface GigabitEthernet0/1

 switchport mode dynamic desirable

 spanning-tree vlan 58 port-priority 16

end

SW1(config)#do show run int gi0/2

Building configuration…

Current configuration : 111 bytes

!
interface GigabitEthernet0/2

 switchport mode dynamic desirable

 spanning-tree vlan 59 port-priority 16
end

These last two... 1.7 requires a VLAN map; I couldn’t remember how. Here are the last two tasks if anyone in the ether wants to take a whack at how you would solve the issues. I am too sleepy to continue (3am my time).

– Gabe

1.7   VLAN FILTER

  • On SW2, prevent all DHCP client requests from entering or leaving VLANs 100, 200, and 300.
  • All BOOTP requests should be dropped; all other traffic should be forwarded.
  • Use a map NO-DHCP with access list 100 as part of the solution.

1.8   CLIENT AUTHENTICATION

  • On SW2, place interface Fa0/7 into VLAN 13 and force the interface into access mode.
  • Assume there is an 802.1X-compliant client attached to port Fa0/7. Configure the switch to prompt for client authentication on Fa0/7.
  • Assume a RADIUS server is reachable at 110.1.13.59 and it requires a RADIUS key of cisco. Use default accounting and authorization ports.
  • Do not configure any AAA commands except to enable AAA and then one line for dot1x authentication. A mistake may make SW2 unreachable for assessment purposes.