Advanced CCIE Routing & Switching 2.0
www.MicronicsTraining.com
Narbik Kocharians CCIE #12410 R&S, Security, SP
VOL-I

Table of Content:

Topology
3560 Switching
  Lab 1  Trunks
  Lab 2  EtherChannels
  Lab 3  Basic 3560 Configuration I
  Lab 4  3560 Configuration
  Lab 5  Advanced STP Configuration
  Lab 6  Tunneling
  Lab 7  Fallback Bridging
  Lab 8  MSTP (802.1s)
  Lab 9  Private VLANs
Frame-relay
  ... Frame-relay W/O Frame maps
  Lab 5  Frame-relay and Authentication
  Lab 6  Frame-relay End-to-End Keeps
  Lab 7  Tricky Frame-relay Configuration
  Lab 8  Frame-relay Multi
  Lab 9  Back-to-Back Frame-relay connection
ODR
  Lab 1  On Demand Routing
RIPv2
  Lab 1  RIPv2 and Frame-relay
  Lab 2  RIPv2 Authentication
  Lab 3  Advanced RIPv2 Mini Mock Lab
EIGRP
  Lab 1  Eigrp Configuration
  Lab 2  Advanced Eigrp Stub Configuration
  Lab 3  Eigrp & Default-information
  Lab 4  Eigrp Filtering
OSPF
  ...
  Lab 4  OSPF Cost
  Lab 5  OSPF Summarization
  Lab 6  ... and GRE Tunnels
  ...
  Lab 10 Redirecting Traffic in OSPF
  Lab 11 Database Overload Protection
  Lab 12 OSPF Non-Broadcast Networks
  Lab 13 OSPF Broadcast Networks
  Lab 14 OSPF Point-to-Point Networks
  Lab 15 OSPF Point-to-Multipoint Networks
  Lab 16 OSPF Point-to-Multi Network - I
  Lab 17 OSPF P-to-M Non-Broadcast Net
  Lab 18 OSPF and NBMA
  Lab 19 Forward Address Suppression
  Lab 20 OSPF NSSA no-redistribution & Injection of default routes
BGP
  Lab 1  Establishing Neighbor Adjacency
  Lab 2  Route Reflectors
  Lab 3  Conditional Adv & Back door
  Lab 4  Route Dampening
  Lab 5  Route Aggregation
  Lab 6  The community Attribute
  Lab 7  BGP Cost Community
  Lab 8  BGP & Load Balancing
  Lab 9  BGP Load Balancing
  Lab 10 BGP Unequal Cost Load Balancing
  Lab 11 BGP Local Preference
  Lab 12 BGP Local Preference - I
  Lab 13 The AS-Path Attribute
  Lab 14 The Weight Attribute
  Lab 15 MED
  Lab 16 Filtering Using ACLs & Prefix-lists
  Lab 17 Regular Expressions
  Lab 18 Adv BGP Configurations
  Lab 19 ...
  Lab 20 BGP Confederation
  ... Local AS Number
  Lab 22 BGP Allow-as
Policy Based Routing
  Lab 1  PBR based on Source IP address
Redistribution
  ...
  Lab 3  Advanced Redistribution
  Lab 4  Routing Loops
IP SLA
  Lab 1  IP SLA
  Lab 2  Reliable Static Routing using IP SLA
  ... Default Route Injection using IP SLA
  Lab 4  Object Tracking in HSRP Using SLA
  Lab 5  Object Tracking
GRE Tunnels
  Lab 1  Basic Configuration of GRE Tunnels
  Lab 2  Configuration of GRE Tunnels
  Lab 3  Configuration of GRE Tunnels
  Lab 4  GRE & Recursive loops
QoS
  Lab 1  ... QoS
  Lab 2  DSCP Mutation
  Lab 3  DSCP-CoS Mapping
  Lab 4  CoS-DSCP Mapping
  Lab 5  IP-Precedence-DSCP Mapping
  Lab 6  Policing On 3560 Switches
  Lab 7  Priority Queuing
  Lab 8  Custom Queuing
  Lab 9  WFQ
  Lab 10 RSVP
  Lab 11 Match Access-group
  Lab 12 Match Destination & Source Add MAC
  Lab 13 Match Input-Interface
  Lab 14 Match FR-de & Packet Length
  Lab 15 Match IP Precedence vs. Match Precedence
  Lab 16 Match Protocol HTTP URL, MIME & Host
  Lab 17 Match Fr...
  Lab 18 Frame-relay Traffic ...
  Lab 19 Frame-relay Traffic-shaping - II
  Lab 20 Frame-relay Fragmenta...
  Lab 21 Frame-relay PIPQ
  Lab 22 Frame-relay DE
  Lab 23 Frame-relay and Compression
  Lab 24 CBWFQ
  Lab 25 CBWFQ
  Lab 26 Converting Custom Queuing to CBWFQ
  Lab 27 LLQ
  Lab 28 CAR
  Lab 29 Class Based Policing - I
  Lab 30 CB Policing - ...
  Lab 31 WRED & CB WRED
NAT
  ...
  Lab 5  Configuration of Dynamic NAT - ...
  Lab 6  NAT and Load Balancing
  Lab 7  Configuring PAT
  Lab 8  Configuring PAR
  Lab 9  Configuring Static NAT Redundancy W/HSRP
  Lab 10 ...
  Lab 11 ...
  Lab 12 ...
  Lab 13 NAT
IP Services
  Lab 1  DHCP Configuration
  Lab 2  HSRP Configuration
  Lab 3  VRRP Configuration
  Lab 4  GLBP Configuration
  Lab 5  IRDP Configuration
  Lab 6  Configuring DRP
  Lab 7  Configuring WCCP
  Lab 8  Core Dump Using FTP
  Lab 9  HTTP Connection Management
  Lab 10 Configuring NTP
  Lab 11 More IP Stuff
IP Prefix-List
  Lab 1  Prefix-Lists
IPv6
  Lab 1  Configuring Basic IPv6
  Lab 2  Configuring RIPng
  Lab 3  Configuring OSPFv3
  Lab 4  Configuring OSPFv3 Multi-Area
  Lab 5  Summarization of Internal & External NW
  Lab 6  OSPFv3 Stub, T/Stub and ...
  Lab 7  OSPFv3 Cost and Auto-cost
  Lab 8  Tunneling IPv6 Over IPv4
  Lab 9  Eigrp and IPv6
Security
  Lab 1  Basic Router Security Configuration
  Lab 2  Standard Named Access ...
  Lab 3  Controlling Telnet Access and SSH
  Lab 4  Extended Access List IP and ICMP
  Lab 5  Extended Access List OSPF & Eigrp
  Lab 6  Using MQC as a ... tool
  Lab 7  Extended Access List With Established
  Lab 8  Dynamic Access List
  Lab 9  Reflexive Access-Lists
  Lab 10 Access-list & Time Range
  Lab 11 Configuring Basic CBAC
  Lab 12 Configuring CBAC
  Lab 13 Configuring CBAC & Java Blocking
  Lab 14 Configuring PAM
  Lab 15 Configuring uRPF
  Lab 16 Configuring Zone Based Firewall
  Lab 17 Control Plane Policing
  Lab 18 Configuring IOS IPS
  Lab 19 Attacks
  Lab 20 AAA Authentication
Multicasting
  Lab 1  Configuring IGMP
  Lab 2  PIM Dense Mode
  Lab 3  Static RP Configuration
  Lab 4  Auto-RP
  Lab 5  Auto-RP Filtering & Listener
  Lab 6  Configuring B...
  Lab 7  Configuring MSDP
  Lab 8  Anycast RP
  Lab 9  Configuring SSM
  Lab 10 Helper-Map
MPLS & L3VPNs
  Lab 1  Configuring Label Di...
  Lab 2  Static & RIPv2 Rout...
  Lab 3  OSPF Routing in a VPN
  Lab 4  Backdoor links & OSPF
  Lab 5  Eigrp Routing in a VPN
  Lab 6  BGP Rou... in a VPN
  Lab 7  Complex VPNs and Filters
Troubleshooting
  Lab 1  Troubleshooting Mock Lab
Mock Lab
  Lab 1  Mock Lab

[Figure: topology diagram of Switch-1 and Switch-2 and the FastEthernet ports that connect them]

... this port should be configured into permanent trunking mode and it should negotiate to convert the neighboring interface into a trunk
Cat-2 - F0/19 > this port should be configured to actively attempt to convert the link to a trunk

Cat-1(config-if)#switchport mode trunk

Note you get the following message:

Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.

The above message can be verified with the following show command:

Cat-1#show interface f0/19 switchport

Name: Fa0/19
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
(The rest of the output is omitted)

By default the ports on a Catalyst 3560 are set to "dynamic auto", as revealed by the "Administrative Mode" field, and the trunking encapsulation is set to "negotiate", as revealed by the "Administrative Trunking Encapsulation" field. When the "Administrative Trunking Encapsulation" is set to negotiate, the trunking mode can NOT be set to ON.
To set the trunking encapsulation to ISL:

On Cat-1

Cat-1(config)#int f0/19
Cat-1(config-if)#switchport trunk encapsulation isl
Cat-1(config-if)#no shutdown

To verify the configuration:

On Cat-1

Cat-1#show interface f0/19 switchport

Name: Fa0/19
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: isl
(The rest of the output is omitted)

To configure Cat-1:

Cat-1(config)#int f0/19
Cat-1(config-if)#switchport mode trunk

To verify the configuration:

On Cat-1

Cat-1#show interface f0/19 switchport

Name: Fa0/19
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: isl
(The rest of the output is omitted)

Note the difference: the "Administrative Mode" is no longer "dynamic auto" and the trunking encapsulation is set to ISL.

On Cat-2

Cat-2(config)#int f0/19
Cat-2(config-if)#switchport mode dynamic desirable
Cat-2(config-if)#no shut

To verify the configuration:

On Cat-2

Cat-2#show interface f0/19 switchport

Name: Fa0/19
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
(The rest of the output is omitted)

Note the operational mode changed. The "Administrative Mode" is "dynamic desirable" and the "Administrative Trunking Encapsulation" is "negotiate"; the next line reveals the encapsulation that this port has negotiated, in this case ISL.

On Cat-1

Cat-1#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           isl            trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1

The Mode column reveals the configured trunking mode.

Note Cat-2 negotiated an ISL trunk, whereas Cat-1 did not.

On Cat-2

Cat-2#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1

Task 4

Configure an ISL trunk between Cat-1 and Cat-2 using F0/20 based on the following policy:

Cat-1 - F0/20 > this port should be configured into permanent trunking mode and it should negotiate to convert the neighboring interface into a trunk
Cat-2 - F0/20 > this port should be configured to negotiate a trunk ONLY if it receives negotiate packets from a neighboring port; this port should never start the negotiation process

On Cat-1

Cat-1(config)#int f0/20
Cat-1(config-if)#switchport trunk encap isl
Cat-1(config-if)#switchport mode trunk
Cat-1(config-if)#no shut

To verify the configuration:

Administrative Mode: trunk
(The rest of the output is omitted)

Cat-1#sh inter status | inc Fa0/20
Fa0/20    notconnect   1   auto   auto   10/100BaseTX

Note: just because the output states that the interface is in the "notconnect" state, it does not mean that the interface is not connected to any device; it means that it has not detected any signaling from the neighboring interface.

On Cat-2

Cat-2(config)#int f0/20
Cat-2(config-if)#switchport mode dynamic auto
Cat-2(config-if)#no shut

To verify the configuration:

On Cat-2

Cat-2#show inter f0/20 switchport | inc Administrative Mode
Administrative Mode: dynamic auto
(The rest of the output is omitted)

Note the "Administrative Trunking Encapsulation" is set to "ISL" on Cat-1, whereas on Cat-2 it is set to "negotiate". If the task stated that F0/20 on Cat-2 should negotiate ISL ONLY, then configuring "switchport mode dynamic auto" will not suffice and "switchport trunk encapsulation isl" needs to be added to the configuration of Cat-2's F0/20.

On Cat-1

Cat-1#show inter trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           isl            trunking      1
Fa0/20      on           isl            trunking      1
(The rest of the output is omitted)

On Cat-2

Cat-2#show inter trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      desirable    n-
Fa0/20      auto         n-
(The rest of the output is omitted)

Task 5

Configure an ISL trunk between Cat-1 and Cat-3 using the F0/21 interface. These ports should be configured to negotiate to convert the neighboring interface into an ISL trunk, but should NOT be in permanent trunking mode.

On Both Switches

Cat-x(config)#int f0/21
Cat-x(config-if)#switchport trunk encapsulation isl
Cat-x(config-if)#switchport mode dynamic desirable
Cat-x(config-if)#no shut

To verify the configuration:

On Cat-1

Cat-1#show inter f0/21 switchport | inc Administrative Mode
Administrative Mode: dynamic desirable

Cat-1#show inter trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           isl            trunking      1
Fa0/20      on           isl            trunking      1
Fa0/21      desirable    isl            trunking      1
(The rest of the output is omitted)

On Cat-3

Cat-3#show inter f0/21 switchport | inc Administrative Mode
Administrative Mode: dynamic desirable

Cat-3#show inter trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      desirable    isl            trunking      1
(The rest of the output is omitted)

Task 6

Configure an ISL trunk between Cat-1 and Cat-3 using the F0/22 interface based on the following policy:

Cat-1 - F0/22 > this port should be configured to actively attempt to convert the link to a trunk
Cat-3 - F0/22 > this port should be configured to negotiate a trunk ONLY if it receives negotiation packets from a neighboring port; this port should never start the negotiation process

On Cat-1

Cat-1(config)#int f0/22
Cat-1(config-if)#switchport trunk encapsulation isl
Cat-1(config-if)#switchport mode dynamic desirable
Cat-1(config-if)#no shut

On Cat-3

Cat-3(config)#int f0/22
Cat-3(config-if)#switchport mode dynamic auto
Cat-3(config-if)#no shut

On Cat-1

Cat-1#show interface f0/22 switchport | inc Administrative Mode
Administrative Mode: dynamic desirable

Cat-1#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           isl            trunking      1
Fa0/20      on           isl            trunking      1
Fa0/21      desirable    isl            trunking      1
Fa0/22      desirable    isl            trunking      1
(The rest of the output is omitted)

On Cat-3

Cat-3#show interface f0/22 switchport | inc Administrative Mode
Administrative Mode: dynamic auto

Cat-3#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      desirable    isl            trunking      1
Fa0/22      auto         n-isl          trunking      1
(The rest of the output is omitted)

If "switchport trunk encapsulation isl" was added to Cat-3's F0/22 interface, the "Encapsulation" column in the output of the "show interface trunk" command would have been "isl" and NOT "n-isl", which means negotiated ISL.

Task 7

Configure an ISL trunk between Cat-1 and Cat-4 using the F0/23 interface; these switches should be configured into permanent trunking mode and negotiate to convert the neighboring interface into a trunk.

On Cat-1 & Cat-4

Cat-x(config)#int f0/23
Cat-x(config-if)#switchport trunk encapsulation isl
Cat-x(config-if)#switchport mode trunk

To verify the configuration:

On Cat-1

Cat-1#show inter f0/23 switchport | inc Administrative Mode
Administrative Mode: trunk

Cat-1#show inter trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           isl            trunking      1
Fa0/20      on           isl            trunking      1
Fa0/21      desirable    isl            trunking      1
Fa0/22      desirable    isl            trunking      1
Fa0/23      on           isl            trunking      1
(The rest of the output is omitted)

On Cat-4

Cat-4#sh int f0/23 swi | inc Administrative Mode
Administrative Mode: trunk

Cat-4#show inter trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/23      on           isl            trunking      1
(The rest of the output is omitted)

Task 8

Configure an ISL trunk between Cat-1 and Cat-4 using interface F0/24; these ports should NOT use DTP to negotiate a trunk.

On Cat-1

Cat-1(config)#int f0/24
Cat-1(config-if)#switchport trunk encapsulation isl
Cat-1(config-if)#switchport mode trunk
Cat-1(config-if)#switchport nonegotiate
Cat-1(config-if)#no shut

The "switchport nonegotiate" command disables DTP, but it MUST be configured after the "switchport mode trunk" command.

On Cat-4

Cat-4(config)#int f0/24
Cat-4(config-if)#switchport trunk encapsulation isl
Cat-4(config-if)#switchport mode trunk
Cat-4(config-if)#switchport nonegotiate
Cat-4(config-if)#no shut

To verify the configuration:

Negotiation of Trunking: Off

Cat-1#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           isl            trunking      1
Fa0/20      on           isl            trunking      1
Fa0/21      desirable    isl            trunking      1
Fa0/22      desirable    isl            trunking      1
Fa0/23      on           isl            trunking      1
Fa0/24      on           isl            trunking      1
(The rest of the output is omitted)

On Cat-4

Cat-4#sh int f0/24 swi | inc Administrative Mode|Negotiation
Administrative Mode: trunk
Negotiation of Trunking: Off

Cat-4#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/23      on           isl            trunking      1
Fa0/24      on           isl            trunking      1
(The rest of the output is omitted)

Task 9

Configure a Dot1q trunk between Cat-2 and Cat-4 using the F0/21 interface based on the following policy:

Cat-2 - F0/21 > this port should be configured into permanent trunking mode and it should negotiate to convert the neighboring interface into a trunk
Cat-4 - F0/21 > this port should be configured to actively attempt to convert the link to a trunk

On Cat-2

Cat-2(config)#int f0/21
Cat-2(config-if)#switchport trunk encapsulation dot1q
Cat-2(config-if)#switchport mode trunk
Cat-2(config-if)#no shutdown

On Cat-4

Cat-4(config)#int f0/21
Cat-4(config-if)#switchport mode dynamic desirable
Cat-4(config-if)#no shut

To verify the configuration:

On Cat-2

Cat-2#sh int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      on           802.1q         trunking      1
(The rest of the output is omitted)

On Cat-4

Cat-4#show int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      desirable    n-802.1q       trunking      1
(The rest of the output is omitted)

Task 10

Configure a trunk between Cat-2 and Cat-4 using the F0/22 interface; you should use an industry standard protocol for the trunking encapsulation based on the following policy:

Cat-2 - F0/22 > this port should be configured into permanent trunking mode and it should negotiate to convert the neighboring interface into a trunk
Cat-4 - F0/22 > this port should be configured to negotiate a trunk ONLY if it receives negotiate packets
from a neighboring port; this port should never start the negotiation process

On Cat-2

Cat-2(config)#int f0/22
Cat-2(config-if)#switchport trunk encap dot1q
Cat-2(config-if)#switchport mode trunk
Cat-2(config-if)#no shut

On Cat-4

Cat-4(config)#int f0/22
Cat-4(config-if)#switchport mode dynamic auto

Cat-2#show int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      on           802.1q         trunking      1
Fa0/22      on           802.1q         trunking      1
(The rest of the output is omitted)

On Cat-4

Cat-4#sh int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      desirable    n-802.1q       trunking      1
Fa0/22      auto         n-802.1q       trunking      1
(The rest of the output is omitted)

Task 11

Configure a trunk link between Cat-3 and Cat-4 using the F0/19 interface. These ports should be configured to negotiate to convert the neighboring interface into a dot1q trunk, but they should NOT be in permanent trunking mode.

On Both Switches

Cat-x(config)#int f0/19
Cat-x(config-if)#switchport trunk encapsulation dot1q
Cat-x(config-if)#switchport mode dynamic desirable
Cat-x(config-if)#no shut

To verify the configuration:

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      desirable    802.1q         trunking      1
(The rest of the output is omitted)

On Cat-4

Cat-4#show int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      desirable    802.1q         trunking      1
Fa0/21      desirable    n-802.1q       trunking      1
Fa0/22      auto         n-802.1q       trunking      1
(The rest of the output is omitted)

Task 12

Configure a Dot1q trunk between Cat-3 and Cat-4 using the F0/20 interface based on the following policy:

Cat-3 - F0/20 > this port should be configured to actively attempt to convert the link to a trunk. This port should NOT be in permanent trunking mode.
Cat-4 - F0/20 > this port should be configured to negotiate a trunk ONLY if it receives negotiation packets from a neighboring port; this port should never start the negotiation process.

On Cat-3

Cat-3(config)#int f0/20
Cat-3(config-if)#switchport trunk encapsulation dot1q
Cat-3(config-if)#switchport mode dynamic desirable
Cat-3(config-if)#no shut

On Cat-4

Cat-4(config)#int f0/20
Cat-4(config-if)#switchport mode dynamic auto
Cat-4(config-if)#no shut

To verify the configuration:

On Cat-3

Cat-3#sh int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      desirable    802.1q         trunking      1
Fa0/20      desirable    802.1q         trunking      1
(The rest of the output is omitted)

On Cat-4

Cat-4#sh int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      desirable    802.1q         trunking      1
Fa0/20      auto         802.1q         trunking      1
Fa0/21      desirable    n-802.1q       trunking      1
Fa0/22      auto         n-802.1q       trunking      1
(The rest of the output is omitted)

Task 13

Configure a Dot1q trunk between Cat-2 and Cat-3 using the F0/23 interface; these switches should be configured into permanent trunking mode and negotiate to convert the neighboring interface into a trunk.

On Both Switches

Cat-x(config)#int f0/23
Cat-x(config-if)#switchport trunk encapsulation dot1q
Cat-x(config-if)#switchport mode trunk
Cat-x(config-if)#no shut

To verify the configuration:

On Cat-2

Cat-2#sh int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      on           802.1q         trunking      1
Fa0/22      on           802.1q         trunking      1
Fa0/23      on           802.1q         trunking      1
(The rest of the output is omitted)

On Cat-3

Cat-3#sh int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      desirable    802.1q         trunking      1
Fa0/20      desirable    802.1q         trunking      1
Fa0/23      on           802.1q         trunking      1
(The rest of the output is omitted)

Task 14

Configure a Dot1q trunk between Cat-2 and Cat-3 using interface F0/24; these ports should NOT use DTP to negotiate a trunk.

On Both Switches

Cat-x(config)#int f0/24
Cat-x(config-if)#switchport trunk encapsulation dot1q
Cat-x(config-if)#switchport mode trunk
Cat-x(config-if)#switchport nonegotiate
Cat-x(config-if)#no shut

To verify the configuration:

On Cat-2

Cat-2#sh int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      on           802.1q         trunking      1
Fa0/22      on           802.1q         trunking      1
Fa0/23      on           802.1q         trunking      1
Fa0/24      on           802.1q         trunking      1
(The rest of the output is omitted)

On Cat-3

Cat-3#show int trunk | exc isl

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      desirable    802.1q         trunking      1
Fa0/20      desirable    802.1q         trunking      1
Fa0/23      on           802.1q         trunking      1
Fa0/24      on           802.1q         trunking      1
(The rest of the output is omitted)

Task 15

Configure the following VLANs on Cat-1 and ensure that they are propagated to the other switches:

VLANs 2 - 10, 100, 200, 300, 400, 120, 130, 140, 230, 240, and 340

On Cat-1

Cat-1(config)#vlan 2-10,100,200,300,400,120,130,140,230,240,340
Cat-1(config-vlan)#exit

To verify the configuration:

On All Switches:

Cat-x#sh vlan brie | b VLAN0002

2    VLAN0002    active
3    VLAN0003    active
4    VLAN0004    active
5    VLAN0005    active
6    VLAN0006    active
7    VLAN0007    active
8    VLAN0008    active
9    VLAN0009    active
10   VLAN0010    active
100  VLAN0100    active
120  VLAN0120    active
130  VLAN0130    active
140  VLAN0140    active
200  VLAN0200    active
230  VLAN0230    active
240  VLAN0240    active
300  VLAN0300    active
340  VLAN0340    active
400  VLAN0400    active
(The rest of the output is omitted)

Task 16

Configure the trunks based on the following policy:

Policy Item   Trunk Interface   Between Switches    Allowed VLAN/s
1             F0/19             Cat-1 and Cat-2     ONLY 120
2             F0/21             Cat-2 and Cat-4     ONLY 240
3             F0/19             Cat-3 and Cat-4     ONLY 340
4             F0/21             Cat-1 and Cat-3     ONLY 130
5             F0/23             Cat-1 and Cat-4     ONLY 140
6             F0/23             Cat-2 and Cat-3     ONLY 230

Policy item 1:

The output of the following show command reveals the default status of the trunk:

Cat-1#show inter trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094
Fa0/21      1-4094
Fa0/22      1-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

To configure the task:

On Both Switches:

Note the following command ONLY allows VLAN 120 on the trunk.

Cat-x(config)#int f0/19
Cat-x(config-if)#switchport trunk allowed vlan 120

On Cat-1

Cat-1#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      120
Fa0/20      1-4094
Fa0/21      1-4094
Fa0/22      1-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy item 2:

On Cat-2 and Cat-4:

Cat-x(config)#int f0/21
Cat-x(config-if)#switchport trunk allowed vlan 240

To verify the configuration:

On Cat-2

Cat-2#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      120
Fa0/20      1-4094
Fa0/21      240
Fa0/22      1-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-4

Cat-4#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094
Fa0/21      240
Fa0/22      1-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy item 3:

On Cat-3 and Cat-4

Cat-x(config)#int f0/19
Cat-x(config-if)#switchport trunk allowed vlan 340

To verify the configuration:

On Cat-3

Cat-3#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      340
Fa0/20      1-4094
Fa0/21      1-4094
Fa0/22      1-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-4

Cat-4#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      340
Fa0/20      1-4094
Fa0/21      240
Fa0/22      1-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy item 4:

On Cat-1 and Cat-3

Cat-x(config)#int f0/21
Cat-x(config-if)#switchport trunk allowed vlan 130

To verify the configuration:

On Cat-1

Cat-1#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      120
Fa0/20      1-4094
Fa0/21      130
Fa0/22      1-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      130
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-3

Cat-3#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      340
Fa0/20      1-4094
Fa0/21      130
Fa0/22      1-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      130
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy item 5:

On Cat-1 and Cat-4

Cat-x(config)#int f0/23
Cat-x(config-if)#switchport trunk allowed vlan 140

Cat-1#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      120
Fa0/20      1-4094
Fa0/21      130
Fa0/22      1-4094
Fa0/23      140
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      130
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      140
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-4

Cat-4#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      340
Fa0/20      1-4094
Fa0/21      240
Fa0/22      1-4094
Fa0/23      140
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      140
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy item 6:

On Cat-2 and Cat-3

Cat-x(config)#int f0/23
Cat-x(config-if)#switchport trunk allowed vlan 230

To verify the configuration:

On Cat-2

Cat-2#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      120
Fa0/20      1-4094
Fa0/21      240
Fa0/22      1-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-3

Cat-3#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      340
Fa0/20      1-4094
Fa0/21      130
Fa0/22      1-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      130
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Task 17

Add VLANs to the allowed list of the trunk based on the following chart:

Policy Item   Trunk Interface   Between Switches    Allowed VLAN/s
1             F0/19             Cat-1 and Cat-2     100
2             F0/21             Cat-2 and Cat-4     200
3             F0/19             Cat-3 and Cat-4     300
4             F0/23             Cat-1 and Cat-4     400

Cat-x(config)#int f0/19
Cat-x(config-if)#switchport trunk allowed vlan add 100

To verify the configuration:

On Cat-1

Cat-1#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      1-4094
Fa0/21      130
Fa0/22      1-4094
Fa0/23      140
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      130
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      140
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Cat-2#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      1-4094
Fa0/21      240
Fa0/22      1-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy item 2:

On Cat-2 and Cat-4

Cat-x(config)#int f0/21
Cat-x(config-if)#switchport trunk allowed vlan add 200

To verify the configuration:

On Cat-2

Cat-2#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      1-4094
Fa0/21      200,240
Fa0/22      1-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      200,240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-4

Cat-4#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      340
Fa0/20      1-4094
Fa0/21      200,240
Fa0/22      1-4094
Fa0/23      140
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      200,240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      140
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy item 3:

On Cat-3 and Cat-4

Cat-x(config)#int f0/19
Cat-x(config-if)#switchport trunk allowed vlan add 300

To verify the configuration:

On Cat-3

Cat-3#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-4094
Fa0/21      130
Fa0/22      1-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      130
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-4

Cat-4#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-4094
Fa0/21      200,240
Fa0/22      1-4094
Fa0/23      140
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      200,240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      140
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy item 4:

On Cat-1 and Cat-4

Cat-x(config)#int f0/23
Cat-x(config-if)#switchport trunk allowed vlan add 400

To verify the configuration:

On Cat-1

Cat-1#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      1-4094
Fa0/21      130
Fa0/22      1-4094
Fa0/23      140,400
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      130
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      140,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-4

Cat-4#show int trunk | b Vlans allowed on trunk

Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-4094
Fa0/21      200,240
Fa0/22      1-4094
Fa0/23      140,400
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      200,240
Fa0/22      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/23      140,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Task 18

Remove VLANs from the allowed list of the trunks based on the following chart:

Policy Item   Trunk Interface   Between Switches    Allowed VLAN/s
1             F0/22             Cat-1 and Cat-3     Remove 1,4-10 ONLY
2             F0/22             Cat-2 and Cat-4     Remove 2,4-10 ONLY

Policy item 1:
On Cat-1 and Cat-3

Cat-x(config)#int f0/22
Cat-x(config-if)#Switchport trunk allowed vlan remove 1,4-10

To verify the configuration:

On Cat-1

Cat-1#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      1-4094
Fa0/21      130
Fa0/22      2-3,11-4094
Fa0/23      140,400
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      130
Fa0/22      2-3,100,120,130,140,200,230,240,300,340,400
Fa0/23      140,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-3

Cat-3#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-4094
Fa0/21      130
Fa0/22      2-3,11-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      130
Fa0/22      2-3,100,120,130,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy item 2:

On Cat-2 and Cat-4

Cat-x(config)#int f0/22
Cat-x(config-if)#Switchport trunk allowed vlan remove 2,4-10

To verify the configuration:

On Cat-2

Cat-2#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      1-4094
Fa0/21      200,240
Fa0/22      1,3,11-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      200,240
Fa0/22      1,3,100,120,130,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-4

Cat-4#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-4094
Fa0/21      200,240
Fa0/22      1,3,11-4094
Fa0/23      140,400
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/21      200,240
Fa0/22      1,3,100,120,130,140,200,230,240,300,340,400
Fa0/23      140,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Task 19

Configure Cat-1, Cat-2 and Cat-4 based on the following chart:

Policy Item   Trunk Interface   Between Switches   Allowed VLAN/s
1             F0/20             Cat-1 <-> Cat-2    None
2             F0/24             Cat-1 <-> Cat-4    None

On Cat-1 and Cat-2

Cat-x(config)#int f0/20
Cat-x(config-if)#Swi trunk allow vlan none

On Cat-1

Cat-1#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      none
Fa0/21      130
Fa0/22      2-3,11-4094
Fa0/23      140,400
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      none
Fa0/21      130
Fa0/22      2-3,100,120,130,140,200,230,240,300,340,400
Fa0/23      140,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-2

Cat-2#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      none
Fa0/21      200,240
Fa0/22      1,3,11-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      none
Fa0/21      200,240
Fa0/22      1,3,100,120,130,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Policy Item 2:
Cat-x(config)#int f0/24
Cat-x(config-if)#Swi trunk allowed vlan none

To verify the configuration:

On Cat-1

Cat-1#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      none
Fa0/21      130
Fa0/22      2-3,11-4094
Fa0/23      140,400
Fa0/24      none

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      none
Fa0/21      130
Fa0/22      2-3,100,120,130,140,200,230,240,300,340,400
Fa0/23      140,400
Fa0/24      none
(The rest of the output is omitted)

On Cat-4

Cat-4#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-339,341-4094
Fa0/21      200,240
Fa0/22      1,3,11-4094
Fa0/23      140,400
Fa0/24      none

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,400
Fa0/21      200,240
Fa0/22      1,3,100,120,130,140,200,230,240,300,340,400
Fa0/23      140,400
Fa0/24      none
(The rest of the output is omitted)

Task 20

Configure Cat-1, Cat-3 and Cat-4 based on the following chart:

Policy Item   Trunk Interface   Between Switches   Allowed VLAN/s
1             F0/20             Cat-3 <-> Cat-4    All but 340
2             F0/22             Cat-1 <-> Cat-3    All but 130

On Cat-3 and 4

Cat-x(config)#int f0/20
Cat-x(config-if)#Swi trunk allowed vlan except 340

To verify the configuration:

On Cat-3

Cat-3#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-339,341-4094
Fa0/21      130
Fa0/22      2-3,11-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,400
Fa0/21      130
Fa0/22      2-3,100,120,130,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-4

Cat-4#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-339,341-4094
Fa0/21      200,240
Fa0/22      1,3,11-4094
Fa0/23      140,400
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,400
Fa0/21      200,240
Fa0/22      1,3,100,120,130,140,200,230,240,300,340,400
Fa0/23      140,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-1 and Cat-3

Cat-x(config)#int f0/22
Cat-x(config-if)#Swi trunk allowed vlan except 130

To verify the configuration:

On Cat-1

Cat-1#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      none
Fa0/21      130
Fa0/22      1-129,131-4094
Fa0/23      140,400
Fa0/24      none

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      none
Fa0/21      130
Fa0/22      1-10,100,120,140,200,230,240,300,340,400
Fa0/23      140,400
Fa0/24      none
(The rest of the output is omitted)

On Cat-3

Cat-3#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-339,341-4094
Fa0/21      130
Fa0/22      1-129,131-4094
Fa0/23      230
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,400
Fa0/21      130
Fa0/22      1-10,100,120,140,200,230,240,300,340,400
Fa0/23      230
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Task 21

Configure Cat-2 and Cat-3 based on the following chart:

Policy Item   Trunk Interface   Between Switches   Allowed VLAN/s
1             F0/23             Cat-2 <-> Cat-3    ALL
2             F0/24             Cat-2 <-> Cat-4    ALL

On Cat-2 and Cat-3

Cat-x(config)#int range f0/23-24
Cat-x(config-if-range)#swi trunk allow vlan all

To verify the configuration:

On Cat-2

Cat-2#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      100,120
Fa0/20      none
Fa0/21      200,240
Fa0/22      1,3,11-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      100,120
Fa0/20      none
Fa0/21      200,240
Fa0/22      1,3,100,120,130,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

On Cat-3

Cat-3#Show int trunk | B Vlans allowed on trunk
Port        Vlans allowed on trunk
Fa0/19      300,340
Fa0/20      1-339,341-4094
Fa0/21      130
Fa0/22      1-129,131-4094
Fa0/23      1-4094
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      300,340
Fa0/20      1-10,100,120,130,140,200,230,240,300,400
Fa0/21      130
Fa0/22      1-10,100,120,140,200,230,240,300,340,400
Fa0/23      1-10,100,120,130,140,200,230,240,300,340,400
Fa0/24      1-10,100,120,130,140,200,230,240,300,340,400
(The rest of the output is omitted)

Task 22

Erase the config.text and vlan.dat on all four switches and reload them before proceeding to the next task.

On All Four Switches

Cat-x#Delete vlan.dat
Cat-x#Delete config.text
Cat-x#reload

Task 23

Configure all four switches based on following requirements:

Shut down all ports on all four switches
Configure a Dot1q trunk between Switch 1 and 2 using port F0/19
Set the VTP domain on Switch 1 and 2 to TST
Name the first Switch to Cat-1 and the second Switch to Cat-2.
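Tasks 17 to 21 above exercise five forms of "switchport trunk allowed vlan": add, remove, except, none and all, plus the bare list. The following added example (not part of the workbook) models them on Python sets and reproduces the allowed and allowed-and-active strings from the lab outputs; audit_trunks and its "intended" sets are hypothetical helpers for checking that a trunk carries no more VLANs than its policy chart calls for.

```python
"""Model of the 'switchport trunk allowed vlan' keywords used in Tasks 17-21."""

ALL_VLANS = frozenset(range(1, 4095))  # 1-4094, the trunk default in the outputs


def parse_vlan_list(text):
    """Turn an IOS VLAN list such as '1,3,11-4094' into a set of VLAN IDs."""
    text = text.strip().lower()
    if text in ("", "none"):
        return set()
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set of VLAN IDs the way 'show int trunk' prints it."""
    if not vlans:
        return "none"
    ordered = sorted(vlans)
    runs, start, prev = [], ordered[0], ordered[0]
    for v in ordered[1:]:
        if v != prev + 1:          # gap: close the current run
            runs.append((start, prev))
            start = v
        prev = v
    runs.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def apply_allowed(current, args):
    """Apply the arguments of 'switchport trunk allowed vlan <args>'.

    'add' and 'remove' edit the current list. A bare list, 'except', 'none'
    and 'all' replace it outright, whatever was configured before.
    """
    words = args.split()
    keyword = words[0].lower()
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return set(current) | parse_vlan_list(words[1])
    if keyword == "remove":
        return set(current) - parse_vlan_list(words[1])
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(words[1])
    return parse_vlan_list(words[0])   # bare list replaces the whole list


def allowed_and_active(allowed, vlan_db):
    """Second section of the output: allowed VLANs that exist in the domain."""
    return set(allowed) & set(vlan_db)


def audit_trunks(trunks, vlan_db):
    """Hypothetical check: which active VLANs does a trunk carry beyond policy?

    trunks maps port -> (configured allowed set, set the policy intends).
    Returns {port: sorted list of active VLANs carried beyond the intent}.
    """
    findings = {}
    for port, (allowed, intended) in trunks.items():
        extra = allowed_and_active(allowed, vlan_db) - set(intended)
        if extra:
            findings[port] = sorted(extra)
    return findings


# VLAN database as it appears in the lab outputs.
LAB_VLAN_DB = parse_vlan_list("1-10,100,120,130,140,200,230,240,300,340,400")

if __name__ == "__main__":
    fa0_22 = apply_allowed(ALL_VLANS, "remove 1,4-10")      # Task 18, item 1
    print(format_vlan_list(fa0_22))
    print(format_vlan_list(allowed_and_active(fa0_22, LAB_VLAN_DB)))
    fa0_22 = apply_allowed(fa0_22, "except 130")            # Task 20, item 2
    print(format_vlan_list(fa0_22))     # the earlier removal is gone
```

Note how "except 130" discards the earlier "remove 1,4-10" on the same port, which is why Fa0/22 on Cat-1 goes from 2-3,11-4094 to 1-129,131-4094 in the lab.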
On The First Switch:

Switch(config)#Host Cat-1

On The Second Switch:

Switch(config)#Host Cat-2

On All Four Switches:

Cat-x(config)#int range f0/1-24
Cat-x(config-if-range)#Shut

On Cat-1 and Cat-2

Cat-x(config)#int F0/19
Cat-x(config-if)#swi trunk encapsulation dot1q
Cat-x(config-if)#swi mode trunk
Cat-x(config-if)#NO shut
Cat-x(config)#Vtp domain TST

Task 24

Configure VLAN 100 on Cat-1 and assign its F0/1 interface to this VLAN.

On Cat-1

Cat-1(config)#int f0/1
Cat-1(config-if)#Swi mode acc
Cat-1(config-if)#Swi acc v 100
Cat-1(config-if)#NO shut

To verify the configuration:

On Cat-1

Cat-1#Show vlan brie | Inc VLAN0100
100  VLAN0100  active

Task 25

Configure the switches such that they restrict flooded traffic to those trunk links that the traffic must use to access the appropriate network device/s.

This task is asking for VTP Pruning to be enabled. To understand VTP pruning, it's helpful to know the VTP message types. There are four types of VTP advertisements that are exchanged between the switches, and they are:

1. Summary advertisements: An update sent by VTP servers or a client every 300 seconds or when a VLAN database change occurs. This update includes: VTP version, domain name, configuration revision number, time stamp, and number of subset advertisements. If the advertisement results from a VLAN database change, one or more subset advertisements will follow.

2. Subset advertisements: An update that follows a summary advertisement resulting from a change in the VLAN database. A subset advertisement includes the specific change/s that was made to a given VLAN/s.

3. Advertisement requests from client: These are updates sent by a switch requesting more information so it can update its database. If and when a switch receives a VTP summary advertisement with a configuration revision number higher than its own, the local switch will send an advertisement request, requesting information about changes so it can update its VLAN database. A switch operating in VTP server mode then responds with one or more subset advertisements.

4. VLAN membership announcement: These messages are generated by the switches when VTP Pruning is enabled and a port wes tell the nei ig traffic for that given VLAN. If the local switch does NOT send this message for a given VLAN, the neighboring switch will NOT send the traffic for that VLAN, and therefore the traffic for that VLAN will be pruned.

On Cat-1

Cat-1#Show interface pruning
this device's VTP adm tr Pruning not currently enabled e domain.

Note the above message states that the pruning feature is NOT enabled. The output of the following messages reveals the same fact:

Cat-1#Show vtp status | Inc VTP Pruning Mode
VTP Pruning Mode : Disabled

To enable VTP Pruning:

Cat-1#Vtp Pruning
Pruning switched on

To verify the configuration:

On Cat-1

Cat-1#Show vtp status | Inc VTP Pruning Mode
VTP Pruning Mode : Enabled

Note this configuration will be propagated to all switches that have a trunk established with the local switch and that are in the same VTP domain:

On Cat-2

Cat-2#Show vtp status | Inc VTP Pruning Mode
VTP Pruning Mode : Enabled

Cat-2#Sh interface F0/19 pruning

Note the following output has two sections; the first section lists VLANs that are pruned, because the local switch has not received a VLAN Membership Announcement message (VMA) from the neighboring switch:

Port        Vlans pruned for lack of request by neighbor
Fa0/19      none

This section of the output identifies for what VLANs the local switch has sent VMAs, and therefore, not pruned:

Port        Vlan traffic requested of neighbor
Fa0/19      1

On Cat-1

Note the local switch will NOT send traffic for the following VLAN out of this trunk interface, because the local switch has NOT received VMAs for this VLAN.

Port        Vlans pruned for lack of request by neighbor
Fa0/19      100

Note the local switch has sent VMAs for these two VLANs:

Port        Vlan traffic requested of neighbor
Fa0/19      1,100

Task 26

Configure VLANs 200, 300, 400, 500 and 600 on Cat-1 and ensure that these VLANs are propagated to Cat-2.

On Cat-1

Cat-1(config)#Vlan 200,300,400,500,600
Cat-1(config-vlan)#exit

On Cat-2

Cat-2#Show vlan br | exc unsup
100  VLAN0100  active
200  VLAN0200  active
300  VLAN0300  active
400  VLAN0400  active
500  VLAN0500  active
600  VLAN0600  active

To verify the configuration:

On Cat-1

Note the output of the following show command displays that VLANs 100, 200, 300, 400, 500 and 600 are pruned:

Cat-1#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      100,200,300,400,500,600

Port        Vlan traffic requested of neighbor
Fa0/19      1,100

On Cat-2

Cat-2#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      200,300,400,500,600

Port        Vlan traffic requested of neighbor
Fa0/19      1

Task 27

Configure F0/2 interface of Cat-2 in VLAN 100.

On Cat-2

Cat-2(config)#int f0/2
Cat-2(config-if)#Swi mode acc
Cat-2(config-if)#Swi acc v 100
Cat-2(config-if)#NO shut

Note you may have to wait for 30 seconds for convergence:

Cat-2#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      200,300,400,500,600

Port        Vlan traffic requested of neighbor
Fa0/19      1,100

Note the output of the above show command reveals that the local switch has sent a VMA message for VLAN 100.

Task 28

Configure the switches such that ONLY VLAN 300 is pruned.

On Cat-1

Cat-1#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      200,300,400,500,600

Port        Vlan traffic requested of neighbor
Fa0/19      1,100

Note VLAN 300 is pruned.
To configure the switches such that it's no longer pruned:

On Both Switches

Cat-x(config)#int f0/19
Cat-x(config-if)#Switchport trunk pruning vlan 300

Note the above command instructs the trunk to prune VLAN 300 ONLY; therefore, the rest of the VLANs in the VLAN Database will NOT be pruned.

On Cat-1

Cat-1#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      300

Port        Vlan traffic requested of neighbor
Fa0/19      1,100,200,400,500,600

Note VLAN 300 is the ONLY VLAN that is pruned.

On Cat-2

Cat-2#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      300

Port        Vlan traffic requested of neighbor
Fa0/19      1,100,200,400,500,600

Task 29

Configure the switches such that VLAN 200 is also pruned; you should NOT use the command from the previous task to accomplish this task:

On Both Switches:

Cat-x(config)#int f0/19
Cat-x(config-if)#Switchport trunk pruning vlan add 200

To verify the configuration:

On Cat-1

Cat-1#Sh inter f0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      200,300

Port        Vlan traffic requested of neighbor
Fa0/19      1,100,400,500,600

Note VLAN 200 is added to the list of pruned VLANs.

On Cat-2

Port        Vlans pruned for lack of request by neighbor
Fa0/19      200,300

Port        Vlan traffic requested of neighbor
Fa0/19      1,100,400,500,600

Task 30

Configure the switches such that NONE of the VLANs are pruned.

On Both Switches

Cat-x(config)#int f0/19
Cat-x(config-if)#Switchport trunk pruning vlan NONE

To verify the configuration:

On Cat-1

Cat-1#Show interface f0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      none

Port        Vlan traffic requested of neighbor
Fa0/19      1,100,200,300,400,500,600

Note NONE of the VLANs are pruned.

On Cat-2

Cat-2#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      none

Port        Vlan traffic requested of neighbor
Fa0/19      1,100,200,300,400,500,600

Task 31

Configure the switches such that all VLANs are pruned.

On Both Switches

Cat-x(config)#Int F0/19
Cat-x(config-if)#Switch trunk pruning vlan 1,100,200,300,400,500,600

Note you should get the following errors:

Command rejected: Bad VLAN pruning list

The reason the error message was generated was because VLAN 1 CAN NOT BE PRUNED.

Cat-x(config)#int F0/19
Cat-x(config-if)#Switch trunk pruning vlan 100,200,300,400,500,600

To verify the configuration:

On Cat-1

Cat-1#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      200,300,400,500,600

Port        Vlan traffic requested of neighbor
Fa0/19      1,100

Note VLAN 100 can NOT be pruned because the local switch has port membership in this VLAN.

On Cat-2

Cat-2#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      200,300,400,500,600

Port        Vlan traffic requested of neighbor
Fa0/19      1,100

Task 32

Configure the switches such that VLAN 200 is no longer pruned; do not use a command that was used before to accomplish this task.

On Both Switches:

Cat-x(config)#int F0/19
Cat-x(config-if)#Switchport trunk pruning vlan remove 200

To verify the configuration:

On Cat-1

Cat-1#Show interface F0/19 pruning
Port        Vlans pruned for lack of request by neighbor
Fa0/19      300,400,500,600

Port        Vlan traffic requested of neighbor
Fa0/19      1,100,200

Note VLAN 200 was removed from the list of VLANs being pruned.

On Cat-2

Port        Vlans pruned for lack of request by neighbor
Fa0/19      300,400,500,600

Port        Vlan traffic requested of neighbor
Fa0/19      1,100,200

Task 33

Erase the vlan.dat and config.text and reload the switches before proceeding to the next lab.

Lab 2 EtherChannels

[Topology diagram; surviving link label: F0/21-22]

Task 1

Configure the hostname of the first switches as per diagram. Ensure that the ports of these four switches are in Shutdown mode. Configure VTP domain name to TST on all four switches.
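Looking back at the pruning tasks of Lab 1 (Tasks 25 to 32), the two sections of "show interface F0/19 pruning" can be predicted from three inputs: the VLAN database, the pruning-eligible list and each switch's access-port membership. The following added example (not part of the workbook) is a simplified two-switch model inferred from the lab outputs, not IOS's own implementation; it assumes one trunk, the same eligible list on both ends as in the lab, comma-separated lists only, and a default eligible range of 2-1001.

```python
"""Two-switch model of 'show interface F0/19 pruning' for Lab 1, Tasks 25-32."""

DEFAULT_ELIGIBLE = frozenset(range(2, 1002))  # assumed default: VLANs 2-1001


def set_eligible(current, args):
    """Apply 'switchport trunk pruning vlan <args>' to the eligible set."""
    words = args.lower().split()
    if words[0] == "none":
        return set()
    listed = {int(v) for v in words[-1].split(",")}
    if 1 in listed:
        # The error from Task 31: VLAN 1 can never be pruned.
        raise ValueError("Command rejected: Bad VLAN pruning list")
    if words[0] == "add":
        return set(current) | listed
    if words[0] == "remove":
        return set(current) - listed
    return listed  # a bare list replaces the eligible set


def requested(vlan_db, eligible, member_vlans):
    """VLANs a switch announces (VMA) to its neighbor as still wanted.

    VLAN 1, every VLAN that is not pruning-eligible, and every VLAN with a
    local access port are always requested.
    """
    db = set(vlan_db)
    return {1} | (db - set(eligible)) | (db & set(member_vlans))


def pruning_view(vlan_db, eligible, local_members, neighbor_members):
    """Return (pruned, requested) as the local switch would list them."""
    wanted_by_neighbor = requested(vlan_db, eligible, neighbor_members)
    pruned = set(vlan_db) - wanted_by_neighbor
    return sorted(pruned), sorted(requested(vlan_db, eligible, local_members))


def replay_lab():
    """Replay Tasks 26-32; returns {task: (Cat-1 view, Cat-2 view)}."""
    db = {1, 100, 200, 300, 400, 500, 600}
    cat1, cat2 = {100}, set()        # access-port membership per switch
    eligible = set(DEFAULT_ELIGIBLE)
    views = {}

    def snapshot(task):
        views[task] = (pruning_view(db, eligible, cat1, cat2),
                       pruning_view(db, eligible, cat2, cat1))

    snapshot(26)                     # VLANs 200-600 created on Cat-1
    cat2.add(100)                    # Task 27: Cat-2 F0/2 joins VLAN 100
    snapshot(27)
    for task, args in [(28, "300"), (29, "add 200"), (30, "none"),
                       (31, "100,200,300,400,500,600"), (32, "remove 200")]:
        eligible = set_eligible(eligible, args)
        snapshot(task)
    return views


if __name__ == "__main__":
    for task, (cat1_view, cat2_view) in replay_lab().items():
        print(f"Task {task}: Cat-1 pruned/requested {cat1_view}, Cat-2 {cat2_view}")
```

In this model a VLAN leaves the pruned list for exactly two reasons: it is taken off the eligible list, or the neighbor gains an access port in it.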
[Topology diagram, continued; surviving link labels: F0/19-20, F0/19-20]

On SW-1

Switch(config)#hostname SW-1
SW-1(config)#int range f0/1-24
SW-1(config-if-range)#Shut
SW-1(config)#VTP domain TST

On SW-2

Switch(config)#hostname SW-2
SW-2(config)#int range f0/1-24
SW-2(config-if-range)#Shut
SW-2(config)#VTP domain TST

On SW-3

Switch(config)#hostname SW-3
SW-3(config)#int range f0/1-24
SW-3(config-if-range)#Shut
SW-3(config)#VTP domain TST

On SW-4

Switch(config)#hostname SW-4
SW-4(config)#int range f0/1-24
SW-4(config-if-range)#Shut
SW-4(config)#VTP domain TST

Task 2

Configure ports F0/19 and F0/20 on SW-1 and SW-2 as trunk links using an industry standard protocol; these links should appear to Spanning-tree protocol as a single link. If one of the links fails, the traffic should use the other link without any interruption. The ports on SW-1 should be configured such that they ONLY respond to PAgP packets and never start the negotiation process.

EtherChannels provide the following:

> Fault-tolerant, high speed links between switches and routers.
> EtherChannel provides an automatic recovery for the loss of a link by redistributing the traffic across the remaining link/s.
> STP will not block one of the links in the bundle because to STP, the bundle looks like a single link.
> Up to 8 links can be combined to provide more bandwidth.
> The links within the bundle must have the same characteristics such as duplexing, speed and etc.
> EtherChannel can be configured as layer 2 or layer 3.
> With Layer 3, a logical interface (Port-Channel) is statically configured and all Layer 3 configurations are performed under that interface.
> With Layer 2, the logical interface is created automatically.
> With both Layer 2 and Layer 3, physical interfaces must be manually assigned to the logical interface using "channel-group" configuration command.
> EtherChannels can be configured automatically using Port aggregation protocol (PAgP) or Link Aggregation protocol (LACP). PAgP is a Cisco proprietary protocol, whereas LACP is an industry standard IEEE 802.3ad protocol.
> Switches can be configured to use PAgP by configuring them in AUTO or DESIRABLE mode.
> Switches can be configured to use LACP by configuring them in ACTIVE or PASSIVE mode.
> If the switches are configured in ON mode, they will not exchange LACP or PAgP packets.

There are 5 modes that the switches can be configured:

> ON - Forces the interface into an EtherChannel without PAgP or LACP packets; both switches must be configured in ON mode for the EtherChannel to be established.
> ACTIVE - Used in LACP, the switches will actively negotiate an EtherChannel link.
> PASSIVE - Used in LACP, it places the interface in a passive negotiation mode where it only responds to LACP packets that it receives. In this mode the switch will not start the negotiation process; this setting minimizes the transmission of LACP packets.
> AUTO - Used in PAgP, it places the interface in passive negotiation mode; it only responds to PAgP packets that it receives. In this mode the switch will not start the negotiation process; this setting minimizes the transmission of PAgP packets.
> DESIRABLE - Used in PAgP, the switches will actively negotiate an EtherChannel link.

The following table is very important to understand when configuring EtherChannels:

If SW-1 is         If SW-2 is         Will an EtherChannel
configured in      configured in      be established?
Desirable          Desirable          YES
Desirable          Auto               YES
Auto               Auto               NO       -
Active             Active             YES      LACP
Active             Passive            YES      LACP
Passive            Passive            NO       -
ON                 ON                 YES      NONE
ON                 Auto               NO       -
ON                 Desirable          NO
ON                 Passive            NO
ON                 Active             NO

When configuring EtherChannels, the configuration should be done in a certain order; the following is my recommendation for creating EtherChannels:

1. Configure "Default interface" for the interfaces involved.
2. Assign a channel-group and channel-group number to the physical interfaces; this step will create a port-channel interface automatically.
3. Configure the trunking encapsulation directly in port-channel configuration mode.
4. Reset the ports in the group by entering "Shut" and then, "No shut".

Step One

On SW-1

SW-1(config)#Default interface range F0/19-20
SW-1(config)#int range f0/19-20
SW-1(config-if-range)#Channel-group 12 mode Auto

You should see the following messages:

Creating a port-channel interface Port-channel 12

Note the interface Port-channel 12 is created automatically:

SW-1#Show run | Inc interface Port-channel
interface Port-channel12

SW-1(config)#Int Port-channel 12
SW-1(config-if)#Switchport trunk encapsulation dot1q
SW-1(config-if)#Switchport mode trunk

On SW-2

SW-2(config)#Default interface range F0/19-20
SW-2(config)#int range f0/19-20
SW-2(config-if-range)#Channel-group 21 mode Desirable
SW-2(config)#Int Port-channel 21
SW-2(config-if)#Switchport trunk encapsulation dot1q
SW-2(config-if)#Switchport mode trunk

SW-x(config)#int range f0/19-20
SW-x(config-if-range)#Shut
SW-x(config-if-range)#NO shut

To verify the configuration:

On SW-1

SW-1#Sh interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Po12        on           802.1q         trunking      1
(The rest of the output is omitted)

On SW-2

SW-2#Sh interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Po21        on           802.1q         trunking      1
(The rest of the output is omitted)

On SW-1

SW-1#Show interface f0/19 switchport | Inc Operational Mode
Operational Mode: trunk (member of bundle Po12)

SW-2#Sh int f0/19 swi | Inc Operational Mode
Operational Mode: trunk (member of bundle Po21)

Task 3

Configure ports F0/21 and F0/22 on SW-3 and SW-1 as trunk links using an industry standard protocol; these links should appear to STP as a single link. If one of the links fails, the traffic should use the other link without any interruption. These ports should NOT negotiate by exchanging LACP or PAgP protocol to accomplish this task.
On SW-1

SW-1(config)#default interface range F0/21-22
SW-1(config)#Int range F0/21 - 22
SW-1(config-if-range)#Channel-group 13 mode on
SW-1(config-if-range)#NO shut
SW-1(config-if-range)#int port-channel 13
SW-1(config-if)#switchport trunk encapsulation dot1q
SW-1(config-if)#swi mode trunk

On SW-3

SW-3(config)#Default int range f0/21-22
SW-3(config)#Int range f0/21 - 22
SW-3(config-if-range)#Channel-group 31 mode on
SW-3(config-if-range)#NO shut
SW-3(config-if-range)#int port-channel 31
SW-3(config-if)#switchport trunk encapsulation dot1q
SW-3(config-if)#swi mode trunk

On Both SW-1 and SW-3

SW-x(config)#int range f0/21-22
SW-x(config-if-range)#Shut
SW-x(config-if-range)#NO shut

To verify the configuration:

On SW-1

SW-1#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Po12        on           802.1q         trunking      1
Po13        on           802.1q         trunking      1
(The rest of the output is omitted)

SW-1#Show etherchannel protocol
Channel-group listing:

Group: 12
Protocol: PAgP            <- Note PAgP is used for Etherchannel negotiation.

Group: 13
Protocol: - (Mode ON)     <- Note PAgP or LACP is NOT in use.

On SW-3

SW-3#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Po31        on           802.1q         trunking      1
(The rest of the output is omitted)

SW-3#Show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
31     Po31(SU)      -           Fa0/21(P)   Fa0/22(P)

Task 5

Ensure that all the EtherChannels created on SW-1 are load-balanced based on destination MAC address.

Etherchannel Load balancing can be done on 3550 or 3560 switches; 3560 switches

On 3550 Switches:

Source MAC Address - Packets forwarded to an EtherChannel are distributed across the ports in the channel based on the Source MAC address of the incoming packets. Therefore, different devices with different source MAC addresses use different interfaces in the bundle. When source MAC address load balancing is enabled, the load distribution based on the Source and Destination IP address pair is also enabled and this is for routed IP traffic.

Destination MAC Address - If the EtherChannel is between a router and a switch and since the router has a single MAC address, destination based load balancing is the best way. In this load balancing method, packets forwarded to an EtherChannel are distributed across the ports in the channel based on the Destination MAC address of the incoming packets.

Note there are only two choices on 3550 switches:

SW-3(config)#Port-channel load-balance ?
  dst-mac  Dst Mac Addr
  src-mac  Src Mac Addr

To verify the default setting:

On SW-3

SW-3#Show Etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-mac)

On 3560 Switches:

Source MAC Address - When packets are forwarded to an Etherchannel, they're distributed across the ports in the channel based on the Source MAC address of the incoming frame.

Destination MAC Address - When packets are forwarded to an Etherchannel, they're distributed across the ports in the channel based on the Destination MAC address of the incoming frame.

Source and Destination MAC Address - When packets are forwarded to an Etherchannel, they're distributed across the ports in the channel based on the Source & Destination MAC address pair of the incoming frame.

Source IP Address - When packets are forwarded to an Etherchannel, they're distributed across the ports in the channel based on the Source IP address of the incoming frame.

Destination IP Address - When packets are forwarded to an Etherchannel, they're distributed across the ports in the channel based on the Destination IP address of the incoming frame.

Source & Destination IP Address - When packets are forwarded to an Etherchannel, they're distributed across the ports in the channel based on the Source & Destination IP address pair of the incoming frame.
To see the above options on 3560 switches:

SW-1(config)#Port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

To verify the default setting:

SW-1#Show Etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-mac):

To configure the load balancing based on the destination MAC address:

On SW-1

SW-1(config)#port-channel load-balance dst-mac

To verify the configuration:

On SW-1

SW-1#Show etherchannel load
EtherChannel Load-Balancing Operational State (dst-mac):
Non-IP: Destination MAC address
IPv4:   Destination MAC address
IPv6:   Destination IP address

Note since the command is entered in the global configuration mode, it affects all EtherChannel ports created on the local switch.

Task 6

Ensure that all the EtherChannels created on SW-2 are load-balanced based on the following policy:

* For Non-IP, Source and Destination MAC address
* For IPv4, Source and Destination IP Address pair
* For IPv6, Source and Destination IP address pair

On SW-2

SW-2(config)#port-channel load-balance src-dst-ip

SW-2#Show Etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-dst-ip):
Non-IP: Source XOR Destination MAC address
IPv4:   Source XOR Destination IP address
IPv6:   Source XOR Destination IP address

The following reveals the behavior of a 3560 switch when the load balancing is changed:

If the load-balancing is changed to "src-mac":
Non-IP: Source MAC address
IPv4:   Source MAC address
IPv6:   Source IP address

If the load-balancing is changed to "dst-mac":
Non-IP: Destination MAC address
IPv4:   Destination MAC address
IPv6:   Destination IP address

If the load-balancing is changed to "src-ip":
Non-IP: Source MAC address
IPv4:   Source IP address
IPv6:   Source IP address

If the load-balancing is changed to "dst-ip":
Non-IP: Destination MAC address
IPv4:   Destination IP address
IPv6:   Destination IP address

If the load-balancing is changed to "src-dst-mac":
Non-IP: Source XOR Destination MAC address
IPv4:   Source XOR Destination MAC address
IPv6:   Source XOR Destination IP address

If the load-balancing is changed to "src-dst-ip":
Non-IP: Source XOR Destination MAC address
IPv4:   Source XOR Destination IP address
IPv6:   Source XOR Destination IP address

Task 7

Configure ports F0/21 and F0/22 on SW-2 and SW-4 as trunk links using Cisco proprietary trunking encapsulation; these links should appear to STP as a single link. If one of the links fails, the traffic should use the other link without any interruption. These ports should actively negotiate an etherchannel using PAgP.

On SW-2

SW-2(config)#default interface range f0/21-22
SW-2(config)#int range f0/21-22
SW-2(config-if-range)#channel-group 24 mode desirable
SW-2(config-if-range)#NO shut
SW-2(config)#Int port-channel 24
SW-2(config-if)#switchport trunk encapsulation isl
SW-2(config-if)#switchport mode trunk

On SW-4

SW-4(config)#default interface range f0/21-22
SW-4(config)#int range f0/21-22
SW-4(config-if-range)#channel-group 42 mode desirable
SW-4(config-if-range)#NO shut
SW-4(config)#int port-channel 42
SW-4(config-if)#switchport trunk encapsulation isl
SW-4(config-if)#switchport mode trunk

On SW-2 and SW-4

To verify the configuration:

On SW-4

SW-4#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Po42        on           isl            trunking      1
(The rest of the output is omitted)

To verify the configuration:

On SW-4

SW-4#Show etherchannel protocol
Channel-group listing:

On SW-2

SW-2#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Po21        on           802.1q         trunking      1
Po24        on           isl            trunking      1
(The rest of the output is omitted)

SW-2#Show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
21     Po21(SU)      PAgP        Fa0/19(P)   Fa0/20(P)
24     Po24(SU)      PAgP        Fa0/21(P)   Fa0/22(P)

Task 8

Configure ports F0/19 and F0/20 on SW-3 and SW-4 as trunk links using Cisco proprietary trunking encapsulation; these links should appear to STP as a single link. If one of the links fails, the traffic should use the other link without any interruption. These ports on SW-3 should be configured such that they ONLY respond to LACP packets that are received from the appropriate ports on SW-4.

On SW-4

SW-4(config)#default interface range f0/19-20
SW-4(config)#int range f0/19-20
SW-4(config-if-range)#channel-group 43 mode active
SW-4(config-if-range)#int port-channel 43
SW-4(config-if)#switchport trunk encapsulation isl
SW-4(config-if)#switchport mode trunk

To verify the configuration:

On SW-3

SW-3#Show etherchannel protocol
Channel-group listing:

Group: 31
Protocol: - (Mode ON)

Group: 34
Protocol: LACP

SW-3#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Po31        on           isl            trunking      1
Po34        on           isl            trunking      1
(The rest of the output is omitted)

On SW-4

SW-4#Show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Po42        desirable    n-isl          trunking      1
Po43        on           isl            trunking      1
(The rest of the output is omitted)

SW-4#Sh ether summ | B Number
Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
42     Po42(SU)      PAgP        Fa0/21(P)   Fa0/22(P)
43     Po43(SU)      LACP        Fa0/19(P)   Fa0/20(P)

Task 9

Configure ports F0/23 and F0/24 on SW-1 and SW-4 as trunk links using Cisco proprietary trunking encapsulation; these links should appear to STP as a single link. If one of the links fails, the traffic should use the other link without any interruption. These ports should be configured such that they actively negotiate a LACP Etherchannel.
On SW-1

SW-1(config)#default interface range f0/23-24
SW-1(config)#int range f0/23-24
SW-1(config-if-range)#channel-group 14 mode active
SW-1(config-if-range)#NO shut
SW-1(config)#int port-channel 14
SW-1(config-if)#switchport trunk encapsulation isl
SW-1(config-if)#switchport mode trunk

On SW-4

SW-4(config)#default interface range f0/23-24
SW-4(config)#int range f0/23-24
SW-4(config-if-range)#channel-group 41 mode active
SW-4(config-if-range)#NO shut
SW-4(config)#int port-channel 41
SW-4(config-if)#switchport trunk encapsulation isl
SW-4(config-if)#switchport mode trunk

To verify the configuration:

On SW-1

SW-1#Show inter trunk

Port        Mode         Encapsulation  Status        Native vlan
Po12        on           802.1q         trunking      1
Po13        on           802.1q         trunking      1
Po14        on           isl            trunking      1
(The rest of the output is omitted)

On SW-4

SW-4#Show inter trunk

Port        Mode         Encapsulation  Status        Native vlan
Po41        on           isl            trunking      1
Po42        desirable    n-isl          trunking      1
Po43        on           isl            trunking      1
(The rest of the output is omitted)

SW-4#Show Etherchannel Pro
Channel-group listing:

Group: 43
Protocol: LACP

Task 9

Configure ports F0/23 and F0/24 on SW-2 and SW-3 as a single layer three link; SW-2 should be configured with an IP address of 10.1.23.2 /24 and SW-3 should be configured with an IP address of 10.1.23.3 /24. These ports should NOT negotiate using LACP or PAgP.

Note when configuring layer 3 EtherChannels, I recommend the order of operation to be as follows:

1. Default interface the physical interfaces
2. Configure the interface port-channel
3. Configure the port-channel interface with IP address
4. Configure the physical interfaces with “No switchport”
5. Assign the port-channel ID to the interfaces using the channel-group interface configuration command
6. Reset the physical interfaces by “Shut” and then “NO Shut”

On SW-2

SW-2(config)#default interface range f0/23-24
SW-2(config)#int port-channel 23
SW-2(config-if)#NO switchport
SW-2(config-if)#ip address 10.1.23.2 255.255.255.0
SW-2(config)#int range f0/23-24
SW-2(config-if-range)#NO switchport
SW-2(config-if-range)#channel-group 23 mode on
SW-2(config-if-range)#NO shut

On SW-3

SW-3(config)#default interface range f0/23-24
SW-3(config)#int port-channel 32
SW-3(config-if)#NO switchport
SW-3(config-if)#ip address 10.1.23.3 255.255.255.0
SW-3(config)#int range f0/23-24
SW-3(config-if-range)#Channel-group 32 mode on

Note if the “No Switchport” interface command is NOT configured, you should see the following error:

Command rejected (Port-channel32, Fa0/23): Either port is L2 and port-channel is L3, or vice-versa
% Range command terminated because it failed on FastEthernet0/23

SW-3(config-if-range)#NO switchport
SW-3(config-if-range)#Channel-group 32 mode on
SW-3(config-if-range)#NO shut

To verify and test the configuration:

On SW-2

SW-2#Show Etherchannel summary | B Number

Number of channel-groups in use: 3
Number of aggregators: 3

Group  Port-channel  Protocol    Ports
21     Po21(SU)      PAgP        Fa0/19(P)  Fa0/20(P)
23     Po23(RU)      -           Fa0/23(P)  Fa0/24(P)
24     Po24(SU)      PAgP        Fa0/21(P)  Fa0/22(P)

On SW-3

SW-3#Ping 10.1.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.2, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Task 10

Erase the startup configuration and vlan.dat before proceeding to the next lab.

Lab 3 Basic 3560 Configuration I

Task 1

Shutdown ports F0/21 - F0/24 on Switch 1 and 2.

On Both Switches

Switch(config)#int range F0/21-24
Switch(config-if-range)#Shut

To verify the configuration:
On Both Switches

Switch#Show int status

Port      Name   Status       Vlan   Duplex  Speed  Type
Fa0/1            connected    1      auto    auto   10/100BaseTX
Fa0/2            connected    1      auto    auto   10/100BaseTX
Fa0/3            connected    1      a-full  a-100  10/100BaseTX
Fa0/4            connected    1      a-full  a-100  10/100BaseTX
Fa0/5            connected    1      a-full  a-100  10/100BaseTX
Fa0/6            connected    1      a-full  a-100  10/100BaseTX
Fa0/7            notconnect   1      auto    auto   10/100BaseTX
Fa0/8            notconnect   1      auto    auto   10/100BaseTX
Fa0/9            notconnect   1      auto    auto   10/100BaseTX
Fa0/10           connected    1      a-full  a-100  10/100BaseTX
Fa0/11           notconnect   1      auto    auto   10/100BaseTX
Fa0/12           notconnect   1      auto    auto   10/100BaseTX
Fa0/13           notconnect   1      auto    auto   10/100BaseTX
Fa0/14           notconnect   1      auto    auto   10/100BaseTX
Fa0/15           notconnect   1      auto    auto   10/100BaseTX
Fa0/16           notconnect   1      auto    auto   10/100BaseTX
Fa0/17           notconnect   1      auto    auto   10/100BaseTX
Fa0/18           notconnect   1      auto    auto   10/100BaseTX
Fa0/19           connected    1      a-full  a-100  10/100BaseTX
Fa0/20           connected    1      a-full  a-100  10/100BaseTX
Fa0/21           disabled     1      auto    auto   10/100BaseTX
Fa0/22           disabled     1      auto    auto   10/100BaseTX
Fa0/23           disabled     1      auto    auto   10/100BaseTX
Fa0/24           disabled     1      auto    auto   10/100BaseTX
(The rest of the output is omitted)

Task 2

Configure the first Switch to be in a VTP domain called CCIE; this information should be propagated to Switch 2 via VTP messages. You can use any encapsulation or tagging to accomplish this task.

Before assigning a VTP domain name, there must be a trunk established between the two switches so the configurations will be propagated to the other switch.

On both switches

Switch#Show interface trunk

Switch#

Note the two 3560 switches are connected with 2 crossover Ethernet cables. If these switches were 3550s, the two ports would have negotiated an ISL trunk; actually they would show up as “n-isl”, because by default the ports are configured in desirable mode.
With 3560 switches, the ports are not in desirable mode; a “show int f0/19 switchport” will reveal that by default the ports are configured in “Auto” mode (the Administrative Mode), and therefore the port/s must be configured statically to trunk.

On Both switches:

Switch#Show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID    Local Intrfce   Holdtme   Capability   Platform   Port ID
Switch       Fas 0/20        178       S I          WS-C3560-2Fas 0/20
Switch       Fas 0/19        177       S I          WS-C3560-2Fas 0/19

Note the “Show cdp neighbors” command reveals the ports connecting the two switches. The output may be different depending on the ports of the routers connecting to these switches; in this case the ports on the routers are in Shutdown mode.

On Both switches:

Switch(config)#int range f0/19-20
Switch(config-if-range)#switchport trunk encapsulation isl
Switch(config-if-range)#switchport mode trunk

To verify the configuration:

On the first switch:

Switch#Show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           isl            trunking      1
Fa0/20      on           isl            trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1
Fa0/20      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1
Fa0/20      none

Now that the trunk is established between the two switches, the VTP configuration will be propagated via VTP messages:

On the first switch

Switch(config)#VTP domain CCIE

By default the 3560 switches are members of a domain called NULL; therefore, after entering the above command, you will get the following message unless the switch was a member of another domain:

Changing VTP domain name from NULL to CCIE

This task could also be accomplished within the “VLAN database” as follows:

Switch#Vlan database
Switch(vlan)#Vtp domain CCIE
Switch(vlan)#Exit

When any configuration is performed in the Vlan database, you must enter the “exit” or the “apply” command for the changes to take effect.
Note the output of the following show command reveals that VTP propagated the VTP domain information to the second switch:

On the second switch

Switch#Sh vtp status

VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Task 3

This VTP domain should be password protected using “Cisco” as the password.

On both switches

Switch(config)#VTP password Cisco

You should get the following message:

Setting device VLAN database password to Cisco

Note, if a domain name is not assigned to the switches and the default name of “NULL” is used, a password cannot be assigned.

The “VTP password” command can be entered in global configuration mode, privilege configuration mode or in the VLAN database mode. The password command must be configured statically on both switches because this change will NOT get propagated via VTP messages.
To verify the configuration:

On the First switch

Switch#Show vtp status

VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server    <-- The mode is server by default
VTP Domain Name                 : CCIE      <-- The domain name
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x14 0x7D 0x15 0x09 0xDC 0x39 0x65 0xC2
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

VTP password can be changed in three ways:

Privilege mode:
Switch#vtp password Cisco

Vlan Database:
Vlan database
Vtp password Cisco
Exit

Global config mode:
Switch(config)#vtp password Cisco

On the second switch

Switch#Show vtp status

VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server    <-- The mode is server by default
VTP Domain Name                 : CCIE      <-- The domain name
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

On any of the switches:

Switch#Show VTP password
VTP Password: Cisco

Task 4

The first Catalyst switch should be configured with a hostname of Cat-1 and the second Catalyst should have a hostname of Cat-2.

On the first Switch

Switch(config)#Hostname Cat-1

On the second Switch

Switch(config)#Hostname Cat-2

Task 5

Cat-2 should NOT have the ability to create, delete or rename VLANs or any VLAN information.

On Cat-2

Cat-2(config)#Vtp mode client

This configuration can be performed in the vlan database or global config mode. The above command displays the command as it was entered in the global config mode.
If you are asked to enter the command in the vlan database, you must first enter the “vlan database” command in the privilege mode, then enter “vtp client”, and lastly enter the “exit” command so the changes can take effect.

Once the command is entered you should get the following message:

Setting device to VTP CLIENT mode.

VTP Modes

The switches can operate in three VTP modes and they are as follows:

> Server - The switch is able to delete, create, or rename VLAN information. Catalyst 3560 in server mode participates in the VTP domain and propagates the VLAN information.

> Client - In this mode the switch is able to receive and process the VTP messages, but it is not able to create, delete, or rename VLAN information. It can assign a port to a given VLAN that already exists. Catalyst 3560 in client mode participates in the VTP domain and propagates the VTP messages.

> Transparent - In this mode the switch is able to create, delete and modify the VLAN information but it will not propagate its VLAN information to other switches. Catalyst 3560 switches in this mode do NOT participate in the VTP domain. A Catalyst 3560 switch must be in this mode in order to create the extended-range VLANs (1006 - 4094); this configuration can only be performed in the global config mode and NOT in the Vlan database.

Task 6

Create and configure the following VLAN assignments on the switches:

Router Interface    VLAN number    CAT Switches Port
R1 - F0/0           12             Cat-1 / F0/1
R2 - F0/0           12             Cat-1 / F0/2
R3 - F0/0           34             Cat-1 / F0/3
R4 - F0/0           34             Cat-1 / F0/4
R5 - F0/0           56             Cat-1 / F0/5
R6 - F0/0           56             Cat-1 / F0/6

CCIE R&S by Narbik Kocharians, Advanced CCIE R&S Work Book 2.0, © 2009 Narbik Kocharians. All rights reserved. Page 90 of 1068

On Cat-1

Cat-1(config)#interface range f0/1 - 2
Cat-1(config-if)#switch mode access
Cat-1(config-if)#switch access vlan 12

Cat-1(config)#interface range f0/3 - 4
Cat-1(config-if)#switch mode access
Cat-1(config-if)#switch access vlan 34

Cat-1(config)#interface range F0/5 - 6
Cat-1(config-if)#switch mode access
Cat-1(config-if)#switch access vlan 56

Note the Vlan information will be propagated to the other switch (Cat-2), because both switches are in the same VTP domain and they are both configured with the same password.

On Cat-2

Cat-2#Show vlan brie | Exc unsup

VLAN Name        Status    Ports
1    default     active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                           Fa0/5, Fa0/6, Fa0/7, Fa0/8
                           Fa0/9, Fa0/10, Fa0/11, Fa0/12
                           Fa0/13, Fa0/14, Fa0/15, Fa0/16
                           Fa0/17, Fa0/18, Fa0/23, Fa0/24
                           Gi0/1, Gi0/2
12   VLAN0012    active
34   VLAN0034    active
56   VLAN0056    active

Cat-2#Show VTP Status

VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Client
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D
Configuration last modified by 0.0.0.0 at 3-1-93 00:06:11
Local updater ID is 0.0.0.0 (no valid interface found)

On Cat-1

Cat-1#Show VTP Status

VTP Version                     :
Configuration Revision          :
Maximum VLANs supported locally : 1005
Number of existing VLANs        :
VTP Operating Mode              :
VTP Domain Name                 :
VTP Pruning Mode                :
VTP V2 Mode                     :
VTP Traps Generation            :
MD5 digest                      : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D
Configuration last modified by 0.0.0.0 at 3-1-93 00:06:11
Local updater ID is 0.0.0.0 (no valid interface found)

Note, the VTP version is 2, the Configuration revision is 3, and the number of existing VLANs is 8 on both switches (because they are synchronized). The reason the VLAN information was propagated is that the VTP domain name and the password are identical on both switches and the switches are trunked.

Task 7

Configure Loopback 0 and Loopback 1 interfaces on Cat-1, use the IP address of 1.1.1.1 /8 and 1.1.1.1 /8 respectively and ensure that ONLY the IP address of Loopback 1 interface is used as the preferred source for the VTP IP updater address.

Note in the previous Task when the “show vtp status” command was entered on Cat-1, the last line of the output displayed “no valid interface found”. Catalyst switches will use the IP address of the lowest physical interface number; if one does not exist, then the loopback 0 interface will be used as the source of all VTP messages, but this behavior can be changed by using the “vtp interface loopback 1” global config command.

On Cat-1

Cat-1(config)#Interface Loopback 0
Cat-1(config-if)#Ip address 1.1.1.1 255.0.0.0

Cat-1(config)#Interface Loopback 1
Cat-1(config-if)#Ip address 1.1.1.1 255.0.0.0

Cat-1#Show vtp status

VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        :
VTP Operating Mode              :
VTP Domain Name                 :
VTP Pruning Mode                :
VTP V2 Mode                     :
VTP Traps Generation            : Disabled
MD5 digest                      : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D
Configuration last modified by 0.0.0.0 at 3-1-93 00:06:11
Local updater ID is 1.1.1.1 on interface Lo0 (first layer3 interface found)

Note Loopback 0 is used as the source of all VTP messages. Enter the following command to change the source to the Loopback 1 interface:

Cat-1(config)#Vtp interface Loopback1 ONLY

Note the “ONLY” argument makes the interface mandatory. YOU MUST TYPE LOOPBACK1 OR LO1, OR ELSE IT WILL NOT WORK; the IOS will take L1 but it WILL NOT WORK.
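One way to automate the synchronization check from Task 6 and the updater check from Task 7, as an added example that is not part of the workbook: it parses "show vtp status" captures and reports which fields are out of step. The captures are constructed from the outputs shown in this lab, and the function names and result labels are hypothetical.

```python
"""Added example: compare 'show vtp status' captures (names are hypothetical)."""
import re

_FIELDS = {
    "domain":   r"VTP Domain Name\s*:\s*(\S+)",
    "mode":     r"VTP Operating Mode\s*:\s*(\S+)",
    "revision": r"Configuration Revision\s*:\s*(\d+)",
    "vlans":    r"Number of existing VLANs\s*:\s*(\d+)",
    "digest":   r"MD5 digest\s*:\s*((?:0x[0-9A-Fa-f]{2}\s*)+)",
    "updater":  r"Local updater ID is (\d+\.\d+\.\d+\.\d+)",
}

_TEMPLATE = """VTP Version                     : 2
Configuration Revision          : {revision}
Maximum VLANs supported locally : 1005
Number of existing VLANs        : {vlans}
VTP Operating Mode              : {mode}
VTP Domain Name                 : {domain}
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : {digest}
Configuration last modified by 0.0.0.0 at 3-1-93 00:06:11
Local updater ID is 0.0.0.0 (no valid interface found)
"""


def make_capture(mode, revision, vlans, digest, domain="CCIE"):
    """Build a constructed capture in the layout printed in this lab."""
    return _TEMPLATE.format(mode=mode, revision=revision, vlans=vlans,
                            digest=digest, domain=domain)


def parse_vtp_status(text):
    """Extract the fields needed for a synchronization check."""
    status = {}
    for name, pattern in _FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field not found in capture: {name}")
        status[name] = match.group(1)
    status["revision"] = int(status["revision"])
    status["vlans"] = int(status["vlans"])
    status["digest"] = bytes(int(b, 16) for b in status["digest"].split())
    return status


def compare(reference, other):
    """List the fields on which 'other' differs from 'reference'."""
    if reference["domain"] != other["domain"]:
        return ["domain"]          # switches in different domains never synchronize
    return [k for k in ("revision", "vlans", "digest") if reference[k] != other[k]]


def diagnose(reference, other):
    """Turn the field differences into one label."""
    diffs = compare(reference, other)
    if not diffs:
        return "in-sync"
    if diffs == ["domain"]:
        return "different-domain"
    if "revision" in diffs:
        return "revision-differs"  # the update has not arrived (trunk, domain, password)
    # Same revision but another digest: the password or the VLAN database differs.
    return "same-revision-digest-mismatch"


def updater_is_unset(status):
    """True when no layer-3 interface is available as the VTP updater address."""
    return status["updater"] == "0.0.0.0"


# Constructed captures. The first two mirror the Task 6 outputs of Cat-1 and Cat-2.
SYNCED_DIGEST = "0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D"
CAT1_CAPTURE = make_capture("Server", 3, 8, SYNCED_DIGEST)
CAT2_CAPTURE = make_capture("Client", 3, 8, SYNCED_DIGEST)
# A switch that never received the update (values of the Task 3 output).
STALE_CAPTURE = make_capture("Client", 0, 5, "0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD")
# Same revision, different digest (digest bytes chosen for illustration).
MISMATCH_CAPTURE = make_capture("Client", 3, 8, "0x02 0x05 0x92 0x34 0xF0 0xC0 0x35 0x9D")
# A switch left in another domain (domain name chosen for illustration).
FOREIGN_CAPTURE = make_capture("Server", 3, 8, SYNCED_DIGEST, domain="LAB")


def run_checks():
    """Diagnose every constructed capture against Cat-1."""
    reference = parse_vtp_status(CAT1_CAPTURE)
    samples = {"Cat-2": CAT2_CAPTURE, "stale": STALE_CAPTURE,
               "mismatch": MISMATCH_CAPTURE, "foreign": FOREIGN_CAPTURE}
    return {name: diagnose(reference, parse_vtp_status(text))
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:10s} {verdict}")
```
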
To verify the configuration:

On Cat-1

Cat-1#Show vtp status

VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D
Configuration last modified by 0.0.0.0 at 3-1-93 00:18:54
Local updater ID is 11.1.1.1 on interface Lo1 (preferred interface)
Preferred interface name is loopback1 (mandatory)

On Cat-2

Cat-2#Show vtp status

VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Client
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D
Configuration last modified by 0.0.0.0 at 3-1-93 00 9

Note this change has not been propagated; therefore, to force the propagation of this change, a VLAN is created, in this case VLAN 80, so you can see on Cat-2 that the change was made by the Loopback 1 interface with an IP address of 1.1.1.1. This VLAN should be deleted before proceeding to the next task.

On Cat-1

Cat-1(config)#Vlan 80
Cat-1(config-vlan)#Exit

To verify the configuration:

On Cat-2

Cat-2#Show vtp status

VTP Version                     :
Configuration Revision          :
Maximum VLANs supported locally : 1005
Number of existing VLANs        :
VTP Operating Mode              : Client
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x02 0x05 0x92 0x34 0xF0 0xC0 0x35 0x9D
Configuration last modified by 11.1.1. at 3-1-93 00:34:33

On Cat-1

Cat-1(config)#No vlan 80

Task 8

Re-configure the trunk between the two switches such that none of these switches use DTP to negotiate this trunk.

On Both Switches

(config)#Interface range F0/19-20
(config-if-range)#Switchport nonegotiate

Note the ports must be in trunk mode before the “nonegotiate” command is entered, or else the following error message will be received:

Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.

A port can be configured as follows:

Static Access - This port can belong to ONLY one VLAN, and it is manually assigned to a given VLAN.

Trunk - A trunk port by default is a member of all normal range VLANs 1-1005 (but note that VLANs 1 and 1002 - 1005 are automatically created and cannot be removed; only 2 to 1001 can be manually created, and these VLANs are kept in the VLAN.DAT file). This also includes the extended-range VLANs (1006 - 4094), and this membership can be limited by configuring the “allowed-vlan” command. This port can be encapsulated by ISL or tagged by 802.1q.

Dynamic Access - A dynamic access port can only be a member of one normal VLAN, and these ports are dynamically assigned to a given VLAN by a VMPS.

Voice VLAN - This is an access port connected to an IP phone such as Cisco's 7960; the VLAN is used for Voice traffic.

Dot1q-Tunnel - These are tunnel ports and are used for 802.1q tunneling to maintain customer VLAN integrity across a service provider's network. A tunnel port is configured on an edge switch in the service provider's network and it is connected to an 802.1q trunk port on a customer switch's interface. A tunnel port belongs to a single VLAN that is dedicated to tunneling.

To verify the configuration:

On Cat-1

Cat-1#Sh interfaces f0/19 switchport
Name: Fa0/19
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Off
(The rest of the output is omitted)

Cat-1#Sh interfaces f0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Off
(The rest of the output is omitted)

Task 9

Configure the switches such that flooded traffic is restricted to the trunk links that the traffic must use to reach the destination device.

To see the default setting:

On Cat-2

Cat-2#Show vtp status

VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        :
VTP Operating Mode              : Client
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Disabled    <-- Pruning is disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D
Configuration last modified by 1.1.1.1 at 3-1-93 00:12:48

Note VTP Pruning is disabled by default; enter the following command to enable VTP pruning:

On Cat-1

Cat-1#Vtp pruning

This command can be configured in privilege mode, Global config mode, and/or in the Vlan database. Once this feature is enabled it will get propagated to the other switches within the VTP domain.

To verify the configuration on both switches:

On Cat-2

Cat-2#Show vtp status

VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        :
VTP Operating Mode              :
VTP Domain Name                 :
VTP Pruning Mode                :
VTP V2 Mode                     :
VTP Traps Generation            :
MD5 digest                      : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D
Configuration last modified by 1.1.1.1 at 3-1-93 00:12:48

Note VTP messages propagate the change through the entire VTP domain.

Task 10

Configure Cat-1 and Cat-2 such that only the trunk ports (F0/19 and F0/20) and the ports that routers R1 to R6 are connected to are in use; the rest of the ports should be configured in administratively down state.
On Both Switches

(config)#Int range f0/7-18 , F0/23-24
(config-if-range)#Shut

To verify the configuration:

On Cat-1

Cat-1#Show inter status | Inc disable

Fa0/7            disabled     1      auto    auto   10/100BaseTX
Fa0/8            disabled     1      auto    auto   10/100BaseTX
Fa0/9            disabled     1      auto    auto   10/100BaseTX
Fa0/10           disabled     1      auto    auto   10/100BaseTX
Fa0/11           disabled     1      auto    auto   10/100BaseTX
Fa0/12           disabled     1      auto    auto   10/100BaseTX
Fa0/13           disabled     1      auto    auto   10/100BaseTX
Fa0/14           disabled     1      auto    auto   10/100BaseTX
Fa0/15           disabled     1      auto    auto   10/100BaseTX
Fa0/16           disabled     1      auto    auto   10/100BaseTX
Fa0/17           disabled     1      auto    auto   10/100BaseTX
Fa0/18           disabled     1      auto    auto   10/100BaseTX
Fa0/21           disabled     1      auto    auto   10/100BaseTX
Fa0/22           disabled     1      auto    auto   10/100BaseTX
Fa0/23           disabled     1      auto    auto   10/100BaseTX
Fa0/24           disabled     1      auto    auto   10/100BaseTX

Task 11

Ensure that Cat-1 is the root bridge for VLANs 12 and 34, and Cat-2 is the root bridge for VLAN 56. Do NOT use the “priority” command to accomplish this task.

There are two commands that can be used to display the BID for a given switch:

> Show spanning-tree bridge

The following command reveals the base MAC address of the switch:

On Cat-1

Cat-1#Show version | Inc Base
Base ethernet MAC Address: 00:1B:D4:59:A6:00

The BID is a combination of priority and the base MAC address.

Cat-1#Show spanning-tree bridge

                                                  Hello  Max  Fwd
Vlan        Bridge ID                             Time   Age  Dly  Protocol
VLAN0001    32769 (32768, 1)  001b.d459.2600      2      20   15   ieee
VLAN0012    32780 (32768, 12) 001b.d459.2600      2      20   15   ieee
VLAN0034    32802 (32768, 34) 001b.d459.2600      2      20   15   ieee
VLAN0056    32824 (32768, 56) 001b.d459.2600      2      20   15   ieee

Note the priority starts with 32768, and each VLAN that is created adds its VLAN number to the default priority value (if the base priority and the VLAN number within the parentheses are added, the sum is the priority for that given VLAN). VLAN 12 adds 12 to the default priority value, therefore the priority is 32780, and VLAN 34 adds 34 to the default priority value, therefore the priority is 32802.
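The bridge ID arithmetic above, carried through to the root election as an added example (not code from the workbook): it builds each per-VLAN BID from base priority, VLAN number and base MAC, using the two bridge MAC addresses that appear in this lab's outputs, and goes one step beyond the paragraph by lowering the base priority by 8192, the reduction this lab attributes to the root macro. The class and function names are hypothetical.

```python
"""Added example: per-VLAN STP bridge IDs and root election (names are hypothetical)."""
from dataclasses import dataclass, field

DEFAULT_BASE_PRIORITY = 32768   # default base priority stated in the lab text
ROOT_MACRO_REDUCTION = 8192     # reduction the lab attributes to the "root" macro


@dataclass
class Bridge:
    name: str
    base_mac: str                                        # Cisco dotted form
    base_priority: dict = field(default_factory=dict)    # per-VLAN overrides

    def priority(self, vlan: int) -> int:
        """Priority part of the BID: base priority plus the VLAN number (sys-id-ext)."""
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} is out of range")
        base = self.base_priority.get(vlan, DEFAULT_BASE_PRIORITY)
        if base % 4096 or not 0 <= base <= 61440:
            raise ValueError(f"base priority {base} must be a multiple of 4096 in 0..61440")
        return base + vlan

    def bid(self, vlan: int) -> tuple:
        """BID as a comparable (priority, MAC) pair; the numerically lower pair wins."""
        return (self.priority(vlan), int(self.base_mac.replace(".", ""), 16))

    def lower_priority(self, vlans, reduction: int = ROOT_MACRO_REDUCTION) -> None:
        """Lower the base priority for the given VLANs, as the lab describes the macro."""
        for vlan in vlans:
            current = self.base_priority.get(vlan, DEFAULT_BASE_PRIORITY)
            self.base_priority[vlan] = current - reduction


def elect_root(bridges, vlan: int) -> Bridge:
    """Return the bridge with the lowest BID for this VLAN."""
    return min(bridges, key=lambda bridge: bridge.bid(vlan))


def demo() -> dict:
    """Root bridge per VLAN before and after the priorities are lowered."""
    # MAC addresses as printed in this lab's spanning-tree outputs.
    cat1 = Bridge("Cat-1", "001b.d459.2600")
    cat2 = Bridge("Cat-2", "0011.bbeb.8780")
    switches = [cat1, cat2]
    vlans = (12, 34, 56)

    # With equal priorities the lower MAC address decides the election.
    before = {vlan: elect_root(switches, vlan).name for vlan in vlans}

    cat1.lower_priority([12, 34])   # Cat-1 is to be root for VLANs 12 and 34
    cat2.lower_priority([56])       # Cat-2 is to be root for VLAN 56
    after = {}
    for vlan in vlans:
        root = elect_root(switches, vlan)
        after[vlan] = (root.name, root.priority(vlan))
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    for vlan, name in result["before"].items():
        print(f"VLAN {vlan}: root before = {name}, after = {result['after'][vlan]}")
```
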
Note that the MAC is the base MAC address and it remains the same, in this case (001b.d459.2600). Note your MAC address may be different.

Enter the following command to reveal the BID and the root bridge for a given VLAN:

On Cat-1

Cat-1#Show spanning-tree vlan 12

VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    32780
             Address     0011.bbeb.8780    <-- The MAC address of the root bridge
             Cost        19
             Port        21 (FastEthernet0/19)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32780  (priority 32768 sys-id-ext 12)
             Address     001b.d459.2600    <-- The MAC address of the local switch
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface    Role Sts Cost   Prio.Nbr Type
Fa0/19       Root FWD 19     128.21   P2p
Fa0/20       Altn BLK 19     128.22   P2p

Enter the following commands to configure Cat-1 to be the root bridge for VLANs 12 and 34:

On Cat-1

Cat-1(config)#Spanning-tree vlan 12,34 root primary

The above command configures Cat-1 to be the root for VLANs 12 and 34; the “root” keyword is a macro that reduces the BID of the switch for a given VLAN by a value of 8192 (the lower value is the preferred value). There are no spaces between the 12 and the comma and the 34.

Cat-1#Show spanning-tree vlan 12

VLAN0012
  Spanning tree enabled protocol ieee
  Root ID    Priority    24588             <-- Note 32768+12-8192 = 24588
             Address     001b.d459.2600
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24588  (priority 24576 sys-id-ext 12)
             Address     001b.d459.2600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface    Role Sts Cost   Prio.Nbr Type
Fa0/19       Desg FWD 19     128.21   P2p
Fa0/20       Desg FWD 19     128.22   P2p

On Cat-2

Cat-2(config)#Spanning-tree vlan 56 root primary

To verify the configuration:

On Cat-2

Cat-2#Show spanning vlan 56

VLAN0056
  Spanning tree enabled protocol ieee
  Root ID    Priority    24632
             Address     0011.bbeb.8780
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24632  (priority 24576 sys-id-ext 56)
             Address     0011.bbeb.8780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface    Role Sts Cost   Prio.Nbr Type
Fa0/19       Desg FWD 19     128.21   P2p
Fa0/20       Desg FWD 19     128.22   P2p

Task 12

Cat-1 should be configured such that the ports that routers R1 to R6 are connected to will bypass the listening and learning states. If any of these ports receive BPDU packets, they should transition into errdisable state. Use the minimum number of commands to accomplish this task. This configuration should only be applied to the ports that the routers R1 - R6 are connected to as well as any future port that has this feature enabled.

On Cat-1

Cat-1(config)#Spanning-tree portfast bpduguard default
Cat-1(config)#Interface range F0/1 - 6
Cat-1(config-if)#Spanning-tree portfast

Once the “Spanning-tree portfast” command is entered you should see the following warning message:

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast will be configured in 6 interfaces due to the range command but will only have effect when the interfaces are in a non-trunking mode.

The “spanning-tree portfast bpduguard default” command in global config mode will shut the port down in err-disable mode if any portfast enabled port receives BPDU packets.
To verify the configuration:

On Cat-1

Cat-1#Sh spanning-tree interface f0/1 portfast
VLAN0012         enabled

Note if the output of the above show command states “no spanning tree info available for FastEthernet0/1”, it only means that the F0/0 interface of R1 is in Shutdown mode.

To test the configuration:

On Cat-2

Cat-2(config)#spanning-tree portfast bpduguard default
Cat-2(config)#int f0/23
Cat-2(config-if)#swi mode acc
Cat-2(config-if)#spanning-tree portfast
Cat-2(config-if)#No shut

Note if the f0/23 interface of Switch 3 is enabled, it will generate BPDUs, and because of this configuration the F0/23 interface of Cat-2 will transition into err-disable mode, as follows:

On Switch 3

Switch(config)#int f0/23
Switch(config-if)#NO shut

On Cat-2

You should see the following messages:

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/23 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state

To verify that interface f0/23 is in err-disable mode:

On Cat-2

Cat-2#Sh inter f0/23 status

Port      Name   Status        Vlan   Duplex  Speed  Type
Fa0/23           err-disabled  1      auto    auto   10/100BaseTX

On Cat-2

Cat-2(config)#NO spanning-tree portfast bpduguard default
Cat-2(config)#int f0/23
Cat-2(config-if)#Shut
Cat-2(config-if)#NO spanning-tree portfast

Task 13

Cat-2 should be configured such that the ports that routers R1 to R6 are connected to (F0/1 - F0/6) will bypass the listening and learning states. If any of these ports receive BPDU packets, they should no longer bypass their listening and learning states. This configuration should apply to existing and future ports that are configured as portfast.
On Cat-2

Cat-2(config)#Spanning-tree portfast bpdufilter default
Cat-2(config)#Interface range F0/1 - 6
Cat-2(config-if)#Spanning-tree portfast

When BPDUFilter is enabled globally, it will apply to all portfast enabled interfaces. If any portfast enabled interface receives BPDUs, it will no longer bypass the listening and learning states, which means that it will lose its portfast state.

Task 14

You received a request from the IT department to monitor and analyze all the packets sent and received by the host connected to port F0/14 on Cat-1; you have connected the packet analyzer to port F0/15 on the same switch. Configure the switch to accommodate this request.

On Cat-1

Cat-1(config)#monitor session 1 source interface F0/14
Cat-1(config)#monitor session 1 destination interface F0/15

Note the following:

> There can only be two monitor sessions configured on a given switch.
> The monitor can be configured as Rx, Tx, or Both. Rx is for received traffic, Tx is for transmitted traffic, and Both is in both directions. Both is the default direction.
> To verify, enter the “Show monitor session 1” command.

To verify the configuration:

On Cat-1

Cat-1#Show monitor session 1

Session 1
Type               :
Source Ports       :
    Both           : Fa0/14
Destination Ports  : Fa0/15
    Encapsulation  : Native
          Ingress  : Disabled

Task 15

You received another request from your IT department to keep track of all the MAC addresses that are learned by Cat-2 port F0/18. The switch must use the NMS located at 192.168.1.1 /24; this switch should send a community string of “Private” with the notification operation. You should use an IP address of 2.2.2.2 /8 to accomplish this task.

On Cat-2

Cat-2(config)#Snmp-server host 192.168.1.1 traps Private

%IP_SNMP-3-SOCKET: can't open UDP socket
Unable to open socket on port 161

Note since this switch is not configured with an IP address, it will fail to configure the Snmp server.
Therefore, an IP address should be configured before entering the “snmp-server” command as follows:

Cat-2(config)#Int lo0
Cat-2(config-if)#ip addr 2.2.2.2 255.0.0.0

The following command identifies the NMS and sends a community string of Private with the notification operation:

Cat-2(config)#snmp-server host 192.168.1.1 traps Private

The following command configures the switch to send mac-address traps to the NMS:

Cat-2(config)#snmp-server enable traps mac-notification

Cat-2(config)#Inter f0/18
Cat-2(config-if)#snmp trap mac-notification added

The above command enables the SNMP trap on interface F0/18 and configures the switch to send MAC notification traps whenever a MAC address is added. If the switch must be configured to report the MAC addresses that are learnt and expired, then the “snmp trap mac-notification change removed” command must also be configured.

To verify the configuration:

On Cat-2

Cat-2#Show mac-address-table notification inter f0/18

MAC Notification Feature is Disabled on the switch
Interface            MAC Added Trap   MAC Removed Trap
FastEthernet0/18     Enabled          Disabled

Note the mac-notification is disabled; the following command will enable the mac-notification on the switch:

Cat-2(config)#mac address-table notification

To verify the configuration:

MAC Notification Feature is Enabled on the switch
Interface            MAC Added Trap   MAC Removed Trap
FastEthernet0/18     Enabled

Task 16

Configure Cat-2's port F0/14 to limit the amount of bandwidth utilization for broadcast traffic to 50%.

On Cat-2

Cat-2(config)#Interface F0/14
Cat-2(config-if)#Storm-control broadcast level 50

Storm-control can be used for Broadcast, Unicast and Multicast traffic; this command specifies the traffic suppression level for a given type of traffic for a particular interface. The level can be from 0 to 100, and an optional fraction of a level can also be configured from 0-99. A threshold value of 100 percent means that no limit is placed on the specified type of traffic; a value of 0.0 means that the particular type of traffic is blocked altogether.

When the rate of Multicast traffic exceeds a predefined threshold, all incoming traffic (Unicast, Multicast and Broadcast) is dropped until the level of Multicast traffic drops below the threshold level. Once this occurs, only the Spanning-tree packets are forwarded. When Broadcast or Unicast thresholds are exceeded, traffic is blocked for only the type of traffic that exceeded the threshold.

To verify the configuration:

On Cat-2

Cat-2#Show storm-control f0/14 broadcast

Interface  Filter State   Upper     Lower     Current
Fa0/14     Forwarding     50.00%    50.00%    0.00%

Note if you get “Link Down” as the Filter State, the port might be down.

Task 17

MAC addresses learnt dynamically by these two switches should not stay in the MAC address table if they are inactive for longer than 10 minutes.

By default the MAC addresses that are inactive will expire within 300 seconds. This task is asking for a 10 minute threshold, and 10 minutes equates to 600 seconds; the following command sets the idle timer to 10 minutes:

On Both Switches

(config)#Mac address-table aging-time 600

To verify the configuration:

On Both Switches

#Sh mac address-table aging-time

Vlan    Aging Time
1       600
12      600
34      600
56      600

Task 18

For management purposes, assign an IP address of 10.1.1.11 /24 to Cat-1, with a default gateway of 10.1.1.100 /24.

On Cat-1

Cat-1(config)#Inter Vlan 1
Cat-1(config-if)#Ip address 10.1.1.11 255.255.255.0
Cat-1(config-if)#No shut

Cat-1(config)#Ip default-gateway 10.1.1.100

To verify the configuration:

On Cat-1

Cat-1#Sh ip interface vlan 1
Vlan1 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
(The rest of the output is omitted)

Cat-1#Sh ip route
Default gateway is 10.1.1.100

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

Task 19

Configure routers R1 and R3 using the following IP addresses:

Configure Cat-1 to route between VLAN 12 and 34; use ping to verify the communication. The gateway for VLAN 12 should be configured to be 10.1.12.100, and the gateway for VLAN 34 should be configured to be 10.1.34.100.

On R1

R1(config)#Interface F0/0
R1(config-if)#Ip address 10.1.12.1 255.255.255.0
R1(config)#Ip route 0.0.0.0 0.0.0.0 10.1.12.100

On R3

R3(config)#Interface F0/0
R3(config-if)#Ip address 10.1.34.3 255.255.255.0
R3(config)#Ip route 0.0.0.0 0.0.0.0 10.1.34.100

On Cat-1

Cat-1(config)#Ip routing
Cat-1(config)#Interface Vlan 12
Cat-1(config-if)#Ip address 10.1.12.100 255.255.255.0
Cat-1(config)#Interface Vlan 34
Cat-1(config-if)#Ip address 10.1.34.100 255.255.255.0

A Switch Virtual Interface (SVI) represents a VLAN of switch ports as an interface to the routing. Only one SVI can be associated with a VLAN. necessary when configuring InterVlan routing. When creating an SVI for a VLAN, the designated number must match the VLAN number.

To verify the configuration:

On R1

R1#Ping 10.1.34.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.34.3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

On R3

R3#Ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Note: By default, IP routing is disabled on the switch, and if the "IP Routing" command is NOT enabled on Cat-1, the communication between R1 and R3 can NOT occur.

Task 20

Remove the configuration from the previous step and configure InterVlan routing between VLANs 12 and 34. DO NOT use SVIs to accomplish this task. The F0/1 interface of any router can be used to accomplish this task. Use the IP addressing from the previous task. Ensure to use an industry standard protocol/s to accomplish this task.

Since R5's F0/0 is part of VLAN 56, R5's F0/1 is used to accomplish this task.

On Cat-1

Cat-1(config)#NO Interface Vlan 12
Cat-1(config)#NO Interface Vlan 34

On Cat-2

Cat-2(config)#Interface F0/5
Cat-2(config-if)#Switchport trunk encap Dot1q
Cat-2(config-if)#Switchport mode trunk

On R5

R5(config)#Interface F0/1
R5(config-if)#No shut
R5(config)#Int f0/1.12
R5(config-if)#Encap dot1q 12
R5(config-if)#Ip address 10.1.12.100 255.255.255.0
R5(config)#Int f0/1.34
R5(config-if)#Encap dot1q 34
R5(config-if)#Ip address 10.1.34.100 255.255.255.0

To verify the configuration:

On R1 & R5

R1#Clear arp

On R1

R1#Ping 10.1.34.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.34.3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

On R3

R3#Ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Task 21

Configure Cat-1 such that whenever the switch learns or removes a MAC address on its port F0/4, an SNMP notification is generated and sent to the NMS located at 192.168.1.1 with a community string of CATI. Since there are many users coming and going from the network, set up a trap interval time to bundle the notification traps and reduce network traffic using the following parameters:

> The traps should be generated every 30 minutes.
> The trap should contain a maximum of 150 entries.

This feature enables us to track users on a network by storing the MAC address activity on the switch. Once configured, every time a MAC address is learned or removed, an SNMP notification is generated and sent to the NMS. On a very busy network, when lots of users come and go, the default behavior is that an SNMP trap is sent every second. Because this can consume bandwidth, there are two parameters that can be configured to remedy this; they are as follows:

> Mac address-table notification interval - This value specifies the notification trap interval in seconds between each set of traps that are generated to the NMS. Default value is one second, and the range is 0 - 2,147,483,647 seconds.
> Mac address-table notification history-size - Specifies the maximum number of entries in the MAC notification history table. The default value is 1, and the range is 1 - 500 entries.

On Cat-1

Cat-1(config)#Snmp-server host 192.168.1.1 traps CATI
Cat-1(config)#Snmp-server enable traps mac-notification
Cat-1(config)#Mac address-table notification
Cat-1(config)#Mac address-table notification interval 1800
Cat-1(config)#Mac address-table notification history-size 150
Cat-1(config)#int f0/4
Cat-1(config-if)#Snmp trap mac-notification added
Cat-1(config-if)#Snmp trap mac-notification removed

To verify the configuration:

On Cat-1

Cat-1#Show mac-address-table no
MAC Notification Feature is Enabled on the switch
Interface           MAC Added Trap    MAC Removed Trap
FastEthernet0/18    Enabled

Cat-1#Show mac-address-table no
Interval between Notification Traps : 1800 secs
Number of MAC Addresses Added : 0
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 150
Current History Table Length : 0
MAC Notification Traps are Enabled
History Table contents

On R4

R4(config)#int f0/0
R4(config-if)#IP address 4.4.4.4 255.0.0.0
R4(config-if)#no shut

R4#Ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Success rate is 0 percent (0/5)

Note: the purpose of the above configuration is to generate some traffic. The following Show command reveals that one MAC address was learned and added to the table.

On SW1

Cat-1#Sh mac-address-table notific
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1800 secs
Number of MAC Addresses Added : 1
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 150
Current History Table Length : 0
MAC Notification Traps are Enabled
History Table contents

On R4

R4(config)#int f0/0
R4(config-if)#Shut

The output of the following show command reveals that one MAC address was removed.

On Cat-1

Cat-1#Sh mac-address-table notification
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1800 secs
Number of MAC Addresses Added : 1
Number of MAC Addresses Removed : 1
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 150
Current History Table Length : 0
MAC Notification Traps are Enabled
History Table contents

Task 22

Optimize Cat-1 using the following policies: Cat-1 should be configured such that its memory resources are optimized for routing.

Switch database management (SDM) templates can be configured to allocate memory resources in the switch for a specific feature, depending on what the switch is used for in the network. A switch can be configured to use one of the following templates:

> Access - Used for QOS classification and Security.
> Routing - Used for routing
> Vlan - Disables routing and sets the switch to be a layer 2 switch.
> Extended-match - Reformats routing memory space to allow 144-bit layer 3 TCAM support needed for WCCP and/or multiple VRF instances.

On Cat-1

Cat-1(config)#Sdm prefer routing

You must reboot for these settings to take effect.

Cat-1#WR
Cat-1#Reload

On Cat-1

Cat-1#Show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
number of unicast mac addresses:
number of IPv4 IGMP groups + multicast routes:
number of IPv4 unicast routes:
number of directly-connected IPv4 hosts:
number of indirect IPv4 routes:
number of IPv4 policy based routing aces:
number of IPv4/MAC qos aces:
number of IPv4/MAC security aces:

The current template is "desktop default" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
number of unicast mac addresses:
number of IPv4 IGMP groups + multicast routes:
number of IPv4 unicast routes:
number of directly-connected IPv4 hosts:
number of indirect IPv4 routes:
number of IPv4 policy based routing aces:
number of IPv4/MAC qos aces:
number of IPv4/MAC security aces:

Note: the difference in memory allocation is revealed if the buffer allocation of Cat-2 is compared to that of Cat-1.

3K 1K 1K 3K 8K 512 512 1K 6K 1K 8K OK 2K 0 512 1K

Task 23

Create VLANs 30, 31 and 32 on Cat-1 and ensure that these VLANs can not traverse the trunk link between Cat-1 and Cat-2.

By default a trunk port sends and receives traffic from all VLANs; however, a given VLAN or VLANs can be removed from the trunk link in order to prevent traffic from that VLAN/s from traversing the trunk.

On Cat-1

Cat-1(config)#Vlan 30,31,32
Cat-1(config-vlan)#Exit

Before configuring the task we have to check whether the VLANs that we just created can traverse the trunk link.

Cat-1#Show interface trunk
Port      Mode    Encapsulation   Status     Native vlan
Fa0/19    on      isl             trunking   1
Fa0/20    on      isl             trunking   1

Port      Vlans allowed on trunk
Fa0/19    1-4094
Fa0/20    1-4094

Port      Vlans allowed and active in management domain
Fa0/19    1,12,30-32,34,56
Fa0/20    1,12,30-32,34,56

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/19    1,12,34,56
Fa0/20    1

To remove the VLANs from the trunk links:

On Both Switches

(config)#Interface range f0/19-20
(config-if-range)#Switchport trunk allowed vlan except 30,31,32

Note: if an EtherChannel was created, the command had to be configured directly under the port-channel interface.

To verify the configuration:

On Cat-1

Cat-1#Show int trunk
Port      Mode    Encapsulation   Status     Native vlan
Fa0/19    on      isl             trunking   1
Fa0/20    on      isl             trunking   1

Port      Vlans allowed on trunk
Fa0/19    1-29,33-4094
Fa0/20    1-29,33-4094

Note: VLANs 30 - 32 are removed from the trunk.

Port      Vlans allowed and active in management domain
Fa0/19    1,12,34,56
Fa0/20    1,12,34,56

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/19    1,12,34,56
Fa0/20    1

Note: the options that can be used with the "Switchport trunk allowed VLAN" command are: Remove, add, all, and except. The "Switchport trunk allowed vlan remove 30,31,32" command could accomplish the same task.

Task 24

Configure Cat-1's ports F0/15 and F0/16 such that when client PCs connect to these ports, they automatically become members of a given VLAN. Cat-1 should be configured to use 10.1.1.1 as the primary and 10.1.1.2 as the secondary VMPS server. Ensure that the local switch reconfirms the VLAN membership every half hour, and if the VMPS can not be contacted, the local switch will retry 5 times before considering the VMPS unavailable.

VMPS:

> The 3850 switch can't be set up as a VMPS server, but it can be configured as a
> The client communicates with the VMPS through Vlan Query Protocol
> When a VMPS receives a VQP from the client, it searches its database for the VLAN mapping, and if the mapping is found, it conveys the VLAN to the client and then the client assigns that given VLAN to the port that the client connected to.
> Secure mode, which means that if a MAC to VLAN mapping can not be found in its database, the VMPS will send a port-shutdown message to the client and the client will shut down that given port; however, if the VMPS is not configured in a secure mode, it will send an access-deny message, and the port.
> VLAN membership information is performed every 60 minutes, this al config command.
> If the VMPS client can't contact the VMPS server, it will retry to establish that communication three times, and this value can be changed using the "vmps retry" command in the global config mode.
> The database is in the form of an ASCII file saved on an FTP server, which the VMPS

On Cat-1

Before configuring this task we should check some of the default values:

Cat-1#Show vmps
VQP Client Status:
VMPS VQP Version: 1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server:
Reconfirmation status
VMPS Action: No Dynamic Port

The VMPS VQP version is version 1, the reconfirmation interval is at its default value of 60 minutes, and the retry value is set to 3. There are no VMPS servers.

CCIE R&S by Narbik Kocharians, Advanced CCIE R&S Work Book 2.0, Page 119 of 1068, © 2009 Narbik Kocharians. All rights reserved

Cat-1(config)#int range f0/15 - 16
Cat-1(config-if-range)#Switchport access vlan dynamic
Cat-1(config-if-range)#No shut

The above command sets ports F0/15 and F0/16 to VLAN dynamic, which means that they will acquire their VLAN information dynamically. The "no shut" command is required because these ports were shut down earlier.

Cat-1(config)#vmps reconfirm 30
Cat-1(config)#vmps retry 5

The above two commands configure the reconfirmation interval to 30 minutes and the retry counter to 5.

Cat-1(config)#vmps server 10.1.1.1 primary
Cat-1(config)#vmps server 10.1.1.2

These commands configure the primary and the secondary VMPS servers.

To verify the configuration:

On Cat-1

Cat-1#Show vmps
VQP Client Status:
VMPS VQP Version: 1
Reconfirm Interval: 30 min
Server Retry Count: 5
VMPS domain server: 10.1.1.2
                    10.1.1.1 (primary, current)
Reconfirmation status
VMPS Action: No Dynamic Port

Task 25

Port F0/17 on Cat-1 is connected to a Cisco 7960 IP Phone. Voice traffic that originates from the phone is tagged with a CoS of 5. A PC is connected to the 7960 IP Phone and is generating traffic with a CoS of 3. Ensure that the data traffic belongs to VLAN 3 and the Voice traffic belongs to VLAN 5.
The traffic originated by the 7960 IP Phone should maintain its CoS value, whereas the traffic that originated from the PC connected to the 7960 IP Phone should be re-written with a CoS of 1.

On Cat-1

Cat-1(config)#Mls qos
Cat-1(config)#Interface F0/17
Cat-1(config-if)#Switchport access Vlan 3
Cat-1(config-if)#Switchport voice Vlan 5
Cat-1(config-if)#Switchport priority extend cos 1
Cat-1(config-if)#Mls qos trust cos
Cat-1(config-if)#No shut

When the phone gets connected to the switch it will form an 802.1q trunk link. The traffic destined to the PC will be carried in the access VLAN, whereas the traffic destined for the 7960 IP Phone will be carried in the Voice VLAN.

By default the 3850 doesn't process the CoS value and rewrites all frames with a CoS value of 0. To configure the phone such that it processes the CoS values, QOS must be enabled globally using the "mls qos" command.

To configure the switch so it trusts the incoming CoS value from the 7960 IP Phone, the "mls qos trust cos" command is used.

Since the PC connected to the IP Phone can send traffic to the Phone with any CoS value and the phone wants to ensure that the traffic that it generates gets better priority, it overrides the CoS for all traffic that is originated by the PC. In this task we have to configure the switch such that it re-writes the traffic with a CoS of 1; therefore, the "Switchport priority extend cos 1" command is used.

The "no shut" command is required because the port was shut down earlier.

Task 26

Configure trunking between Cat-1 and Cat-2 such that VLAN 12 does not get tagged when the traffic for this VLAN traverses the trunk.

encapsulation on the trunk links should have been DOT1Q; in the uring a given section, the entire section should be read before configuring the individual tasks within that section.

When a trunk is configured with Dot1q, it can receive both tagged and untagged traffic; the switch forwards untagged traffic for the native VLAN ONLY. When the native VLAN is changed, ensure that the change is configured on both switches or the trunk link will go down.

On Both Switches

(config)#Interface range F0/19-20
(config-if-range)#Switchport trunk encap dot1q

Verify the configuration:

On Cat-1

Cat-1#Show int trunk
Port      Mode    Encapsulation   Status     Native vlan
Fa0/19    on      802.1q          trunking   1
Fa0/20    on      802.1q          trunking   1

Port      Vlans allowed on trunk
Fa0/19    1-29,33-4094
Fa0/20    1-29,33-4094

Port      Vlans allowed and active in management domain
Fa0/19    1,3,5,12,34,56
Fa0/20    1,3,5,12,34,56

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/19    1,3,5,12,34,56
Fa0/20    1

To configure the native VLAN:

On Both Switches

(config)#Interface range F0/19-20
(config-if-range)#Switchport trunk native vlan 12

On Cat-1

Cat-1#Show interface trunk
Port      Mode    Encapsulation   Status     Native vlan
Fa0/19    on      802.1q          trunking   12
Fa0/20    on      802.1q          trunking   12

Port      Vlans allowed on trunk
Fa0/19    1-29,33-4094
Fa0/20    1-29,33-4094

Port      Vlans allowed and active in management domain
Fa0/19    1,3,5,12,34,56
Fa0/20    1,3,5,12,34,56

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/19    1,3,5,12,34,56
Fa0/20    1

On Cat-2

Cat-2#Show interface trunk
Port      Mode    Encapsulation   Status     Native vlan
Fa0/5     on      802.1q          trunking   1
Fa0/19    on      802.1q          trunking   12
Fa0/20    on      802.1q          trunking   12

Port      Vlans allowed on trunk
Fa0/5     1-4094
Fa0/19    1-29,33-4094
Fa0/20    1-29,33-4094

Port      Vlans allowed and active in management domain
Fa0/5     1,3,5,12,30-32,34,56
Fa0/19    1,3,5,12,34,56
Fa0/20    1,3,5,12,34,56

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/5     1,3,5,12,30-32,34,56
Fa0/19    1,12,34,56
Fa0/20    none

Task 27

The IT department decided to stop monitoring port F0/14 from Task 14. You have received a new request to monitor port F0/14 on Cat-1, but the protocol analyzer is connected to port F0/18 on Cat-2. Configure the switches to accommodate this request.

On Cat-1

Cat-1(config)#NO monitor session
Cat-1(config)#Vlan 90
Cat-1(config-vlan)#Remote-span
Cat-1(config-vlan)#Exit

The creation of this VLAN can only be done in the global configuration mode, the only mode that allows us to set the VLAN as remote-span. Ensure the VLAN is propagated to Cat-2.

To verify the configuration:

On Cat-1

Cat-1#Sh vlan
VLAN  Name       Status   Ports
1     default    active   Fa0/7, Fa0/8, Fa0/9, Fa0/10
                          Fa0/11, Fa0/12, Fa0/13, Fa0/14
                          Fa0/18, Fa0/21, Fa0/22, Fa0/23
                          Fa0/24, Gi0/1, Gi0/2
3     VLAN0003   active   Fa0/17
5     VLAN0005   active   Fa0/17
12    VLAN0012   active   Fa0/1, Fa0/2
30    VLAN0030   active
31    VLAN0031   active
32    VLAN0032   active
34    VLAN0034   active   Fa0/3, Fa0/4
56    VLAN0056   active   Fa0/5, Fa0/6
90    VLAN0090   active
(The rest of the output is omitted)

Note: ensure that VLAN 90 is propagated to Cat-2.

On Cat-2

Cat-2#Sh vlan brie
VLAN  Name       Status   Ports
1     default    active   Fa0/1, Fa0/2, Fa0/3, Fa0/4
                          Fa0/6, Fa0/7, Fa0/8, Fa0/9
                          Fa0/10, Fa0/11, Fa0/12, Fa0/13
                          Fa0/14, Fa0/15, Fa0/16, Fa0/17
                          Fa0/18, Fa0/21, Fa0/22, Fa0/23
                          Fa0/24, Gi0/1, Gi0/2
3     VLAN0003   active
5     VLAN0005   active
12    VLAN0012   active
30    VLAN0030   active
31    VLAN0031   active
32    VLAN0032   active
34    VLAN0034   active
56    VLAN0056   active
90    VLAN0090   active
(The rest of the output is omitted)

Note: the VLAN is propagated.

On Cat-1

Cat-1#Show vlan remote-span
Remote SPAN VLANs
90

On Cat-2

Cat-2#Show vlan remote-span
Remote SPAN VLANs
90

Note: VLAN 90 should be displayed as remote-span on both switches.

On Cat-1

Cat-1(config)#Monitor session 1 source interface F0/14
Cat-1(config)#Monitor session 1 destination remote vlan 90

To verify the configuration:

On Cat-1

Cat-1#Show monitor s
Session 1
Type : Remote Source Session
Source Ports :
    Both : Fa0/14
Dest SPAN VLAN : 90

On Cat-2

Cat-2(config)#Monitor session 1 source remote vlan 90
Cat-2(config)#Monitor session 1 destination interface F0/18

Port F0/18 is where the protocol analyzer is connected.

To verify the configuration:

On Cat-2

Cat-2#Sh monitor
Session 1
Type : Remote Destination Session
Source RSPAN VLAN : 90
Destination Ports : Fa0/18
Encapsulation : Native
Ingress : Disabled

RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network. The traffic for RSPAN traverses a user defined RSPAN VLAN (remote vlan), in this case VLAN 90. The SPAN traffic from port F0/14 is reflected to VLAN 90 (the RSPAN VLAN) and then forwarded over the trunk to port F0/18, an RSPAN destination.

Task 28

Configure the hostname of the third switch to be Cat-3, and disable all ports but F0/21 - 22. This Switch should join the "CCIE" VTP domain.

On the third Switch

Switch(config)#Hostname Cat-3
Cat-3(config)#int range f0/1 - 20 , F0/23 - 24
Cat-3(config-if-range)#Shut
Cat-3(config)#vtp domain CCIE
Cat-3(config)#vtp password Cisco

Note: sometimes a VLAN needs to be created in order to propagate the VLANs, as follows:

On Cat-3

Cat-3(config)#vlan 99
Cat-3(config-vlan)#exit

Note the VLANs are propagated:

Cat-3#Sh vlan brie
VLAN  Name       Status   Ports
1     default    active   Fa0/1, Fa0/2, Fa0/3, Fa0/4
                          Fa0/5, Fa0/6, Fa0/7, Fa0/8
                          Fa0/9, Fa0/10, Fa0/11, Fa0/12
                          Fa0/13, Fa0/14, Fa0/15, Fa0/16
                          Fa0/17, Fa0/18, Fa0/19, Fa0/20
                          Fa0/23, Fa0/24, Gi0/1, Gi0/2
12    VLAN0012   active
30    VLAN0030   active
31    VLAN0031   active
32    VLAN0032   active
34    VLAN0034   active
56    VLAN0056   active
90    VLAN0090   active

Next, Vlan 99 is removed:

Cat-3(config)#NO vlan 99

Cat-3#Show vlan brie | Exc unsup
VLAN  Name       Status   Ports
1     default    active   Fa0/1, Fa0/2, Fa0/3, Fa0/4
                          Fa0/5, Fa0/6, Fa0/7, Fa0/8
                          Fa0/9, Fa0/10, Fa0/11, Fa0/12
                          Fa0/13, Fa0/14, Fa0/15, Fa0/16
                          Fa0/17, Fa0/18, Fa0/19, Fa0/20
                          Fa0/23, Fa0/24, Gi0/1, Gi0/2
12    VLAN0012   active
30    VLAN0030   active
31    VLAN0031   active
32    VLAN0032   active
34    VLAN0034   active
56    VLAN0056   active

Task 29

Configure ports F0/21 and F0/22 on Cat-3 and Cat-1 as trunk links using an industry standard protocol; these links should appear to STP as a single link.
If one of the links fails, the traffic should use the other link without any interruption. These ports should NOT negotiate by using any protocol to accomplish this task.

EtherChannels provide the following:

> Fault-tolerant, high speed links between switches and routers.
> EtherChannel provides an automatic recovery for the loss of a link by redistributing the traffic across the remaining link/s.
> STP will not block one of the links in the bundle because to STP, the bundle looks like a single link.
> Up to 8 links can be combined to provide more bandwidth.
> The links within the bundle must have the same characteristics, such as duplexing, speed, etc.

EtherChannel can be configured as layer 2 or layer 3:

> With Layer 3, a logical interface (Port-Channel) is statically configured and all Layer 3 configurations are performed under that interface.
> With Layer 2, the logical interface is created automatically.

With both Layer 2 and Layer 3, physical interfaces must be manually assigned to the logical interface using the "channel-group" configuration command.

EtherChannels can be configured automatically using Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP). PAgP is a Cisco proprietary protocol, whereas LACP is an industry standard IEEE 802.3ad protocol.

Switches can be configured to use PAgP by configuring them in AUTO or DESIRABLE mode. Switches can be configured to use LACP by configuring them in ACTIVE or PASSIVE mode.
If the switches are configured in ON mode, they will not exchange LACP or PAgP packets.

There are 5 modes that the switches can be configured in. The following table is very important when configuring EtherChannel.

ON - Forces the interface into an EtherChannel without PAgP or LACP packets; both switches must be configured in ON mode for the EtherChannel to be

actively negotiate an EtherChannel

PASSIVE - Used in LACP, it places the interface in a passive negotiation mode where it only responds to LACP packets that it receives. In this mode the switch will not start the negotiation process; this setting minimizes the transmission of LACP packets.

AUTO - Used in PAgP, it places the interface in a passive negotiation mode; it only responds to PAgP packets that it receives. In this mode the switch will not start the negotiation process; this setting minimizes the transmission of PAgP packets.

DESIRABLE - Used in PAgP, the switches will actively negotiate an EtherChannel link.

Switch one is configured as | Switch two is configured as | Will an EtherChannel be established?
YES YES NO YES YES NO
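
The mode rules described above, applied to both ends of a bundle: this is an added example, not part of the workbook. It reads `channel-group ... mode ...` lines from two running-config fragments and reports, per cabled link, whether the two modes would form an EtherChannel. The config fragments, the link map and all function names are constructed for illustration.

```python
import re

# Negotiation protocol implied by each channel-group mode (per the mode list above).
PROTOCOL = {"on": None, "active": "lacp", "passive": "lacp",
            "auto": "pagp", "desirable": "pagp"}
INITIATORS = {"active", "desirable"}  # passive and auto only answer

def forms_channel(mode_a, mode_b):
    """Return (bool, reason): would these two ends form an EtherChannel?"""
    a, b = mode_a.lower(), mode_b.lower()
    for mode in (a, b):
        if mode not in PROTOCOL:
            raise ValueError(f"unknown channel-group mode: {mode}")
    if "on" in (a, b):
        if a == b:
            return True, "static bundle, no PAgP/LACP packets exchanged"
        return False, "ON on one end only; the negotiating end gets no reply"
    if PROTOCOL[a] != PROTOCOL[b]:
        return False, "one end speaks PAgP, the other LACP"
    if a in INITIATORS or b in INITIATORS:
        return True, f"negotiated with {PROTOCOL[a].upper()}"
    return False, "both ends only respond, so negotiation never starts"

IF_RE = re.compile(r"^interface\s+(\S+)", re.I)
CG_RE = re.compile(r"^\s+channel-group\s+(\d+)\s+mode\s+(\S+)", re.I)

def parse_channel_groups(config_text):
    """Map interface -> (group, mode) from running-config style text."""
    groups, current = {}, None
    for line in config_text.splitlines():
        m = IF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CG_RE.match(line)
        if m and current:
            groups[current] = (int(m.group(1)), m.group(2).lower())
    return groups

def audit(config_a, config_b, links):
    """links: (interface on A, interface on B) pairs that are cabled together."""
    a, b = parse_channel_groups(config_a), parse_channel_groups(config_b)
    findings = []
    for if_a, if_b in links:
        if if_a not in a or if_b not in b:
            findings.append((if_a, if_b, False, "channel-group missing on one end"))
            continue
        ok, reason = forms_channel(a[if_a][1], b[if_b][1])
        findings.append((if_a, if_b, ok, reason))
    return findings

# Constructed sample for the Cat-1 / Cat-3 links of Task 29 (mode ON, no negotiation).
CAT1_CFG = """\
interface FastEthernet0/21
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet0/22
 switchport mode trunk
 channel-group 1 mode on
"""
# Constructed mistake: Fa0/22 on Cat-3 was left in a PAgP mode.
CAT3_CFG = """\
interface FastEthernet0/21
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet0/22
 switchport mode trunk
 channel-group 1 mode desirable
"""
CHANNEL_LINKS = [("FastEthernet0/21", "FastEthernet0/21"),
                 ("FastEthernet0/22", "FastEthernet0/22")]

if __name__ == "__main__":
    for finding in audit(CAT1_CFG, CAT3_CFG, CHANNEL_LINKS):
        print(finding)
```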

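
For the trunk restrictions in Tasks 23 and 26 above, a check that can be run against saved `show interface trunk` output from both switches: this is an added example, not part of the workbook. It confirms that VLANs 30 - 32 are absent from the allowed list on each end and that both ends agree on the native VLAN. The Cat-2 sample is constructed with a deliberate mistake, and all function names are assumptions.

```python
def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-29,33-4094' into a set of ints."""
    if spec.strip().lower() == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        first, last = int(lo), int(hi or lo)
        if first not in range(1, 4095) or last not in range(first, 4095):
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans

def parse_show_trunk(text):
    """Return {port: {'native': int, 'allowed': set}} from 'show interface trunk'."""
    ports, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # header row that starts each section
            header = " ".join(fields[1:]).lower()
            section = {"mode encapsulation status native vlan": "native",
                       "vlans allowed on trunk": "allowed"}.get(header)
            continue
        if section == "native" and len(fields) == 5:
            ports.setdefault(fields[0], {})["native"] = int(fields[4])
        elif section == "allowed" and len(fields) == 2:
            ports.setdefault(fields[0], {})["allowed"] = expand_vlans(fields[1])
    return ports

def audit_trunks(local, remote, links, forbidden):
    """Compare both ends of each trunk; return (link, kind, detail) findings."""
    findings = []
    for lp, rp in links:
        near, far = local[lp], remote[rp]
        if near["native"] != far["native"]:
            findings.append(((lp, rp), "native-mismatch",
                             (near["native"], far["native"])))
        for side, port in (("local", near), ("remote", far)):
            leaked = sorted(forbidden & port["allowed"])
            if leaked:
                findings.append(((lp, rp), f"allowed-on-{side}", leaked))
    return findings

# Cat-1 values as shown for Task 26 (column spacing constructed).
CAT1_TRUNK = """\
Port      Mode    Encapsulation   Status     Native vlan
Fa0/19    on      802.1q          trunking   12
Fa0/20    on      802.1q          trunking   12

Port      Vlans allowed on trunk
Fa0/19    1-29,33-4094
Fa0/20    1-29,33-4094
"""
# Constructed Cat-2 output: Fa0/20 was missed when the changes were applied.
CAT2_TRUNK = """\
Port      Mode    Encapsulation   Status     Native vlan
Fa0/19    on      802.1q          trunking   12
Fa0/20    on      802.1q          trunking   1

Port      Vlans allowed on trunk
Fa0/19    1-29,33-4094
Fa0/20    1-4094

Port      Vlans allowed and active in management domain
Fa0/19    1,3,5,12,34,56
Fa0/20    1,3,5,12,30-32,34,56
"""
TRUNK_LINKS = [("Fa0/19", "Fa0/19"), ("Fa0/20", "Fa0/20")]

if __name__ == "__main__":
    cat1, cat2 = parse_show_trunk(CAT1_TRUNK), parse_show_trunk(CAT2_TRUNK)
    for finding in audit_trunks(cat1, cat2, TRUNK_LINKS, {30, 31, 32}):
        print(finding)
```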