Got a free moment to play around on Cisco.com/PEC – cranked up the lab CCIE RS-FOCUS1. Focused on layer two concepts.
“This is an ASET Routing and Switching “focus” lab and is intended to aid your preparation for the CCIE Routing and Switching lab using CCIE Blueprint topics (as of 1/2/2008). This lab deals with the following topics:
- CATALYST ETHERNET SWITCH CONFIGURATION
- SPANNING TREE
- SPANNING TREE OPTIONS
- CATALYST INTERCONNECTIVITY
- SWITCH SAFEGUARDS
- VLAN LOAD BALANCING
- VLAN FILTER
- CLIENT AUTHENTICATION
The tasks are marked with checkboxes; my attempt to configure them is in bold.
Configure all switches for VTP domain = ASET101 and VTP mode = transparent.
On all switches:
en
conf t
vtp domain ASET101
vtp mode transparent
end
Configure SW1 and SW2 for dot1q trunks on ports Fa0/23 and Fa0/24. These interfaces should be trunk interfaces even if their neighbor interfaces are not trunk interfaces.
conf t
! same on SW1 and SW2; "mode trunk" trunks unconditionally, whatever the neighbor does
int range f0/23 - 24
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
end
Configure VLAN assignments as per the table below. Configure for static VLAN access and permanent nontrunking mode.
VLAN | SW1 | SW2 | SW3 |
13 | – | Fa0/1, Fa0/3 | – |
100 | Fa0/10 | Fa0/4, Fa0/6 | – |
145 | Fa0/1, Fa0/4, Fa0/5 | – | – |
200 | – | Fa0/2, Fa0/10 | – |
300 | – | Fa0/5 | Gi0/10 |
SW1
conf t
vlan 100
vlan 145
exit
!
int fa0/10
switchport mode access
switchport access vlan 100
!
int range fa0/1 , fa0/4 - 5
switchport mode access
switchport access vlan 145
end
SW2
conf t
vlan 13
vlan 100
vlan 200
vlan 300
exit
!
int range fa0/1 , fa0/3
sw mod acc
sw acc vlan 13
!
int range fa0/4 , fa0/6
sw mod acc
sw acc vlan 100
!
int range fa0/2 , fa0/10
sw mod acc
sw acc vlan 200
!
int fa0/5
sw mod acc
sw acc vlan 300
!
end
SW3
conf t
vlan 300
exit
!
int Gi0/10
sw mod acc
sw acc vlan 300
!
end
1.2 SPANNING TREE
Ensure that all Per VLAN Spanning Tree parameters for active VLANs seen on SW1 are dictated by SW1. In addition, configure VLANS for which SW1 is root, with the following:
Root priority of zero (0).
An access port start-up delay, due to Spanning Tree, of 32 seconds.
SW1
! VLANs 1,100,145 are the active VLANs seen on SW1
conf t
! "root primary" would only lower the priority to 24576; the task asks for 0
spann vlan 1 priority 0
spann vlan 100 priority 0
spann vlan 145 priority 0
!
! listening + learning = 2 x forward delay, so 16 s gives the 32 s start-up delay
spann vlan 1 forw 16
spann vlan 100 forw 16
spann vlan 145 forw 16
end
1.3 SPANNING TREE OPTIONS
Disable Spanning Tree for VLAN 13 on SW2.
Configure SW2 to reduce the time it takes to choose a new root port when a link or switch fails or when the Spanning Tree reconfigures itself. Use a single command on SW2 for this.
Configure SW2 such that the default behavior on all ports is to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link.
Assume that SW2 interface Fa0/12 is connected to a customer’s Ethernet switch. Configure Fa0/12 to go into the root-inconsistent (blocked) state if the customer’s switch wants to become the Spanning Tree root.
Assume SW2 Fa0/13 will never connect to a switch or bridge. Configure SW2 interface Fa0/13 using a spanning-tree command such that Bridge Protocol Data Units (BPDUs) are not sent on the port.
SW2
conf t
no spann vlan 13
spanning-tree uplinkfast
! the keyword is one word: loopguard
spanning-tree loopguard default
!
! root guard is what puts the port into root-inconsistent when a superior BPDU
! arrives; bpduguard would err-disable the port on any BPDU instead
int fa0/12
spanning-tree guard root
!
int f0/13
spann bpdufilter enable
end
1.4 CATALYST INTERCONNECTIVITY
Configure the Catalyst switches to prefer maximized bandwidth utilization between SW1 and SW2. Use a standards-based configuration. Configure the four physical interfaces to actively negotiate.
SW1#show cdp nei | in SW2
SW2 Fas 0/24 148 S I WS-C3550-2Fas 0/24
SW2 Fas 0/23 148 S I WS-C3550-2Fas
SW2#show cdp nei | in SW1
SW1 Fas 0/24 150 S I WS-C3550-2Fas 0/24
SW1 Fas 0/23 150 S I WS-C3550-2Fas 0/23
conf t
! on both SW1 and SW2; LACP (802.3ad) is the standards-based choice, "active" negotiates
int range fa0/23 - 24
channel-group 1 mode active
end
1.5 CONFIGURING SWITCH SAFEGUARDS
Fiber optic connectivity will eventually replace the existing trunks. Additional trunks between SW1 and SW2 will also be added at that time. In order to assure that the fiber links are installed correctly and traffic is guaranteed to flow in a bi-directional manner, globally configure both switches such that a failing link is shut down in the event of a malfunction.
conf t
! on both switches; "udld enable" is normal mode, which only marks a port whose
! echoes stop as undetermined; aggressive mode err-disables it, which is the
! "shut down" the task asks for
udld aggressive
end
1.6 VLAN LOAD BALANCING
VLANs 58 and 59 do not currently exist on the switches, but there are plans to use them in the future. Configure SW1 such that VLAN 58 traffic will pass primarily through the Gi0/1 interface and VLAN 59 traffic will pass primarily through the Gi0/2 interface. If one of the interfaces should fail, the remaining interface must carry all traffic. You do not need to actually configure the VLANs on the switches. Configure only Gi0/1 and Gi0/2 to accomplish this task. Your solution should not involve configuring a “cost”.
interface GigabitEthernet0/1
switchport mode dynamic desirable
spanning-tree vlan 58 port-priority 16
end
SW1(config)#do show run int gi0/2
Building configuration…
Current configuration : 111 bytes
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
spanning-tree vlan 59 port-priority 16
end
These last two: 1.7 requires a VLAN map; I couldn't remember how. Here are the last two tasks if anyone in the ether wants to take a whack at how you would solve the issues. I am too sleepy to continue (3am my time).
– Gabe
1.7 VLAN FILTER
- On SW2, prevent all DHCP client requests from entering or leaving VLANs 100, 200, and 300.
- All BOOTP requests should be dropped; all other traffic should be forwarded.
- Use a map NO-DHCP with access list 100 as part of the solution.
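An added worked configuration for task 1.7 (not from the original post or from the lab's answer key): a VLAN access map NO-DHCP on SW2 that drops BOOTP/DHCP requests inside VLANs 100, 200 and 300 and forwards everything else. The point worth seeing is that in a VACL the ACL only selects traffic; the drop comes from the map's action line.

```cisco
! SW2 -- task 1.7 (added example, not the author's configuration)
! ACL 100 is a match list, not a filter: "permit" here selects the
! DHCP/BOOTP client requests (UDP to the bootps port, 67) for the map.
access-list 100 remark match DHCP/BOOTP client requests
access-list 100 permit udp any any eq bootps
!
! Sequence 10 drops what ACL 100 matched. Sequence 20 has no match
! clause, so it forwards all remaining traffic; without it, the implicit
! drop at the end of the map would silence the whole VLAN.
vlan access-map NO-DHCP 10
 match ip address 100
 action drop
vlan access-map NO-DHCP 20
 action forward
!
! A VLAN filter has no direction keyword: it is checked on traffic
! bridged within the VLAN and on traffic routed into or out of it,
! which covers "entering or leaving" in one statement.
vlan filter NO-DHCP vlan-list 100,200,300
!
! Checks: "show vlan access-map NO-DHCP" lists the sequences and
! actions; "show vlan filter" shows which VLANs the map is bound to.
```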
1.8 CLIENT AUTHENTICATION
- On SW2, place interface Fa0/7 into VLAN 13 and force the interface into access mode.
- Assume there is an 802.1X-compliant client attached to port Fa0/7. Configure the switch to prompt for client authentication on Fa0/7.
- Assume a RADIUS server is reachable at 110.1.13.59 and it requires a RADIUS key of cisco. Use default accounting and authorization ports.
- Do not configure any AAA commands except to enable AAA and then one line for dot1x authentication. A mistake may make SW2 unreachable for assessment purposes.
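An added worked configuration for task 1.8 (not from the original post or from the lab's answer key): 802.1X on SW2 Fa0/7 against the RADIUS server the task names, using exactly the two AAA lines the task permits. The RADIUS address and key are the page's values; no port keywords are given so the IOS defaults apply.

```cisco
! SW2 -- task 1.8 (added example, not the author's configuration)
! The two permitted AAA lines: enable AAA, then one method list that
! sends 802.1X authentication to the RADIUS group.
! Caveat behind the task's warning: "aaa new-model" also moves vty login
! onto the AAA default list, so a wrong login method can lock you out.
aaa new-model
aaa authentication dot1x default group radius
!
! Server and key from the task; no auth-port/acct-port keywords, so the
! default accounting and authorization ports are used.
radius-server host 110.1.13.59 key cisco
!
! 802.1X stays off globally until this is set, even with the port
! configured below.
dot1x system-auth-control
!
interface FastEthernet0/7
 switchport mode access
 switchport access vlan 13
 ! "auto": the port passes only EAPOL until the client authenticates;
 ! "force-authorized" would effectively switch 802.1X off on the port.
 dot1x port-control auto
!
! Check: "show dot1x interface fastethernet0/7" shows the port control
! mode and whether the attached client is authorized.
```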