CCIE-RS GOLDlab ASET CCIE Lab 1

Got a free moment to play around on Cisco.com/PEC  – cranked up the lab CCIE RS-FOCUS1  .  Focused on layer two concepts.

“This is an ASET Routing and Switching “focus” lab and is intended to aid your preparation for the CCIE Routing and Switching lab using CCIE Blueprint topics (as of 1/2/2008). This lab deals with the following topics:

  • CATALYST ETHERNET SWITCH CONFIGURATION
  • SPANNING TREE
  • SPANNING TREE OPTIONS
  • CATALYST INTERCONNECTIVITY
  • SWITCH SAFEGUARDS
  • VLAN LOAD BALANCING
  • VLAN FILTER
  • CLIENT AUTHENTICATION

The tasks are marked with checkboxes, my attempt to configure them is bold..

        Configure all switches for VTP domain = ASET101 and VTP mode = transparent.

On all switches:

en
conf t
vtp domain ASET101
vtp mode transparent
end

        Configure SW1 and SW2 for dot1q trunks on ports Fa0/23 and Fa0/24. These interfaces should be trunk interfaces even if their neighbor interfaces are not trunk interfaces.

conf t
int range f0/23 – 24
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
end

        Configure VLAN assignments as per the table below. Configure for static VLAN access and permanent nontrunking mode. 

VLAN SW1 SW2 SW3
13 Fa0/1, Fa0/3
100 Fa0/10 Fa0/4, Fa0/6
145 Fa0/1, Fa0/4, Fa0/5
200 Fa0/2, Fa0/10
300 Fa0/5 Gi0/10

SW1

conf t
vlan 100
vlan 145
exit
!
int fa0/10
switchport mode access
switchport access vlan 100
!
int range fa0/1,fa0/4 – 5
switchport mode access
switchport access vlan 145
end

SW2

conf t
vlan 13
vlan 100
vlan 200
vlan 300
exit
!
int range fa0/1,fa0/3
sw mod acc
sw acc vlan 13
!
int range fa0/4,fa0/6
sw mod acc
sw acc vlan 100
!
int range fa0/2,fa0/10
sw mod acc
sw acc vlan 200
!
int fa0/5
sw mod acc
sw acc vlan 300
!
end

SW3

conf t
vlan 300
!
Conf t
int Gi0/10
sw mod acc
sw acc vlan 300
!

end

1.2   SPANNING TREE

Ensure that all Per VLAN Spanning Tree parameters for active VLANs seen on SW1 are dictated by SW1. In addition, configure VLANS for which SW1 is root, with the following:

        Root priority of zero (0).

        An access port start-up delay, due to Spanning Tree, of 32 seconds.

SW1

!– VLANs 1,100,145

conf t
spann vlan 1 root primary
spann vlan 100 root primary
spann vlan 145 root primary
!
spann vlan 1 forw 16
spann vlan 100 forw 16
spann vlan 145 forw 16

1.3   SPANNING TREE OPTIONS

                                                                                Disable Spanning Tree for VLAN 13 on SW2.

        Configure SW2 to reduce the time it takes to choose a new root port when a link or switch fails or when the Spanning Tree reconfigures itself. Use a single command on SW2 for this.

        Configure SW2 such that the default behavior on all ports is to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link.

        Assume that SW2 interface Fa0/12 is connected to a customer’s Ethernet switch. Configure Fa0/12 to go into the root-inconsistent (blocked) state if the customer’s switch wants to become the Spanning Tree root.

        Assume SW2 Fa0/13 will never connect to a switch or bridge. Configure SW2 interface Fa0/13 using a spanning-tree command such that Bridge Protocol Data Units (BPDUs) are not sent on the port.

 

SW2

conf t

no spann vlan 13

spanning-tree uplinkfast

spanning-tree loop guard default

!

int fa0/12

spanning-tree bpduguard enable

!

int f0/13 

spann bpdufilter enable

1.4   CATALYST INTERCONNECTIVITY

Configure the Catalyst switches to prefer maximized bandwidth utilization between SW1 and SW2. Use a standards-based configuration. Configure the four physical interfaces to actively negotiate.

SW1#show cdp nei | in SW2

SW2                 Fas 0/24              148            S I      WS-C3550-2Fas 0/24

SW2                 Fas 0/23              148            S I      WS-C3550-2Fas 

SW2#show cdp nei | in SW1

SW1                 Fas 0/24              150            S I      WS-C3550-2Fas 0/24

SW1                 Fas 0/23              150            S I      WS-C3550-2Fas 0/23

conf t

int range fa0/23 – 24

channel-group 1 mode active

1.5   CONFIGURING SWITCH SAFEGUARDS

Fiber optic connectivity will eventually replace the existing trunks. Additional trunks between SW1 and SW2 will also be added at that time.  In order to assure that the fiber links are installed correctly and traffic is guaranteed to flow in a bi-directional manner, globally configure both switches such that a failing link is shut down in the event of a malfunction.

conf t

udld enable

1.6   VLAN LOAD BALANCING

VLANs 58 and 59 do not currently exist on the switches, but there are plans to use them in the future. Configure SW1 such that VLAN 58 traffic will pass primarily through the Gi0/1 interface and VLAN 59 traffic will pass primarily through the Gi0/2 interface. If one of the interfaces should fail, the remaining interface must carry all traffic. You do not need to actually configure the VLANs on the switches. Configure only Gi0/1 and Gi0/2 to accomplish this task. Your solution should not involve configuring a “cost”.

 

interface GigabitEthernet0/1

 switchport mode dynamic desirable

 spanning-tree vlan 58 port-priority 16

end

SW1(config)#do show run int gi0/2

Building configuration…

Current configuration : 111 bytes

!
interface GigabitEthernet0/2

 switchport mode dynamic desirable

 spanning-tree vlan 59 port-priority 16
end

These last two .. 1.7 requires a VLAN map, I couldn’t remember how.. here are the last two tasks if anyone in the ether wants to take a whack at how you would solve the issues..  I am too sleepy to continue (3am my time) .

– Gabe

1.7   VLAN FILTER

  • On SW2, prevent all DHCP client requests from entering or leaving VLANs 100, 200, and 300.
  • All BOOTP requests should be dropped; all other traffic should be forwarded.
  • Use a map NO-DHCP with access list 100 as part of the solution.

1.8   CLIENT AUTHENTICATION

  • On SW2, place interface Fa0/7 into VLAN 13 and force the interface into access mode.
  • Assume there is an 802.1X-compliant client attached to port Fa0/7. Configure the switch to prompt for client authentication on Fa0/7.
  • Assume a RADIUS server is reachable at 110.1.13.59 and it requires a RADIUS key of cisco. Use default accounting and authorization ports.
  • Do not configure any AAA commands except to enable AAA and then one line for dot1x authentication. A mistake may make SW2 unreachable for assessment purposes.
Advertisements

Exploring STP behaviors – Part 1

Lets explore the behavior of STP (802.1D) on our new device “Switch1”.  We plug it in, power it up and connect to the console with our console cable.  We quickly enter enable mode and run show ver and note our base MAC address.

We can run a few more commands to see what is going on with spanning tree on the switch.
Switch1#show spanning-tree
Switch1#show spanning-tree active 
Switch1#show spanning-tree detail
Switch1#show spanning-tree vlan 1

The commands above will all return the output:  No spanning tree instance exists.

The commands show spanning-tree inconsistentports  will return limited output.  The command show spanning-tree summary will give us a summary of features, most importantly at this point is that it lets us know that the switch is running STP per vlan by default.

 

Connecting the switch to a shutdown router interface will initiate the STP instance.  Once the router interface is powered on or a device with an active interface is connected, we can observe the spanning tree instance in action.

Switch1#sh spanning-tree

VLAN0001

  Spanning tree enabled protocol ieee

  Root ID    Priority    32769

             Address     00 01.6376.BDED

             This bridge is the root

             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)

             Address     0001.6376.BDED

             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type

—————- —- — ——— ——– ——————————–

Fa0/1            Desg LSN 19        128.1    P2p

The switch will quickly establish himself as the root / begins BPDU exchange and  the interface will begin transitioning through the STP States:

Power On / Initialize

Blocking

Listening state

Learning state

Forwarding state

====

add summarization of port state above.

====

SWITCH1 will send out BPDUs to multicast address(es) 01:80:C2:00:00:00 – 01:80:C2:00:00:10  every 2 seconds according to the default timer avobe.   By default the BPDU’s will carry the default priority of 32769 (about half of 2^16).

BPDU will contain a Root ID (8 bytes – initially self) and a Bridge ID (8 bytes – initially self) and other fields such as the STP version, the timers and BPDU type.  For now lets understand the Bridge ID
Again – the Bridge ID is 8 bytes.  Its composed of the MAC address of the switch/bridge and the priority.  the mac address in this case is 0001.6376.BDED  that’s 12 nybles, or 6 bytes the remaining 2 bytes are used for the Priority.

The details above while wordy are not unimportant.  The root election when other switches are plugged in will depend entirely on the contents of the Bridge ID in the BPDU exchange.

The show spanning-tree details command will now give a more verbose explanation of the spanning tree elements, including very valuable detail regarding topology changes and their source.

Switch1#show spanning-tree detail 

VLAN0001 is executing the ieee compatible Spanning Tree Protocol

  Bridge Identifier has priority of 32768, sysid 1, 0001.6376.BDED

  Configured hello time 2, max age 20, forward delay 15

  Current root has priority 32769

  Topology change flag not set, detected flag not set

  Number of topology changes 0 last change occurred 00:00:00 ago

        from FastEthernet0/1

  Times:  hold 1, topology change 35, notification 2

   hello 2, max age 20, forward delay 15

  Timers: hello 0, topology change 0, notification 0, aging 300

Port 1 (FastEthernet0/1) of VLAN0001 is designated forwarding

  Port path cost 19, Port priority 128, Port Identifier 128.1

  Designated bridge has priority 32769, address 0001.6376.BDED

  Designated port id is 128.1, designated path cost 19

  Timers: message age 16, forward delay 0, hold 0

  Number of transitions to forwarding state: 1

  Link type is point-to-point by default

Here are some of the other commands and their output:

Switch1#show spanning-tree summary 

Switch is in pvst mode

Root bridge for: default

Extended system ID           is enabled

Portfast Default             is disabled

PortFast BPDU Guard Default  is disabled

Portfast BPDU Filter Default is disabled

Loopguard Default            is disabled

EtherChannel misconfig guard is disabled

UplinkFast                   is disabled

BackboneFast                 is disabled

Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active

———————- ——– ——— ——– ———- ———-

VLAN0001                     0         0        0          1          1

———————- ——– ——— ——– ———- ———-

1 vlans                      0         0        0          1          1

Switch1#show spanning-tree interface fastEthernet 0/1

Vlan             Role Sts Cost      Prio.Nbr Type

—————- —- — ——— ——– ——————————–

VLAN0001         Desg FWD 19        128.1     P2p

The output above lets us know that f0/1 on Switch1 is participating in Spanning Tree for VLAN1.  Which has converged (we know this because the port is “Designated” and has transitioned to FWD state.   I will continue this next time with the effects of directly connecting a 2nd and 3rd switch to Switch 1.

That’s all for today.  Later gaters!

~

Gabe @ networkdojo.net