
CCNA Lab - Solution Rev1.0 Layer 2 Switching


Task 2.1:

3750-M-CE4(config)#vtp mode server
Setting device to VTP SERVER mode
3750-M-CE4(config)#vtp domain ieMentor

3750-M-CE4#sho vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 21
VTP Operating Mode              : Server
VTP Domain Name                 : ieMentor
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9D 0x13 0x41 0x03 0x6A 0xA3 0xCF 0x2B
Configuration last modified by 172.16.1.250 at 3-1-93 11:08:59
Local updater ID is 172.100.1.1 on interface Vl1 (lowest numbered VLAN interface found)

3550-CE6(config)#vtp mode client
Setting device to VTP CLIENT mode
3550-CE6(config)#vtp domain ieMentor

3550-CE6#sho vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 21
VTP Operating Mode              : Client
VTP Domain Name                 : ieMentor
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xD6 0xAC 0x23 0xD9 0x5B 0xDC 0x6A 0xA1
Configuration last modified by 172.16.1.250 at 3-1-93 11:08:59


Description example:

3550

interface FastEthernet0/4
 description TO ASBR2-RACK1 -VLAN 240
 switchport access vlan 240
 switchport mode access
 duplex half
!
interface FastEthernet0/3
 description to PE3-RACK1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 13,23,31,123
 switchport mode trunk

Remember that VLAN changes can be configured on the VTP server only. You won't be able to make any changes on the client.

3750-M-CE4(config)#vlan 82
3750-M-CE4(config-vlan)#state active
3750-M-CE4(config-vlan)#name VLAN82_CE8

3750-M-CE4#sho vlan id 82

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
82   VLAN82_CE8                       active    Fa1/0/12, Po1

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
82   enet  100082     1500  -      -      -        -    -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

interface FastEthernet0/8
 description to CE8 - VLAN 82
 switchport access vlan 82
 switchport mode access
 duplex full
 speed 100


Task 2.2:

3750-M-CE4

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/13
 description to 3550
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/0/14
 description to 3550
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on

3550-CE6

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/13
 description To 3750-M
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet0/14
 description To 3750-M
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on


3750-M-CE4#sho etherchannel detail
                Channel-group listing:
                ----------------------

Group: 1
----------
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -
                Ports in the group:
                -------------------
Port: Fa1/0/13
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On/FEC          Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 20d:14h:14m:22s

Port: Fa1/0/14
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On/FEC          Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 20d:14h:14m:23s

                Port-channels in the group:
                ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 20d:14h:14m:28s
Logical slot/port   = 10/1          Number of ports = 2
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -

Ports in the Port-channel:

Index   Load   Port        EC state        No of bits
------+------+------+------------------+-----------
  0     00     Fa1/0/13    On/FEC             0
  0     00     Fa1/0/14    On/FEC             0

Time since last port bundled:    20d:14h:14m:23s    Fa1/0/14


3550-CE6#sho etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/13(P)   Fa0/14(P)

!
interface Ethernet0/0.20
 description to PE2 -VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.254 255.255.255.0
!
interface Ethernet0/0.30
 description to PE3 -VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.254 255.255.255.0

RR1-RACK1#sho cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
3550-CE6         Eth 0/0            152        R S I      WS-C3550-2Fas 0/12


On the switch, you need to configure a dot1q trunk on the interface going to RR1 and then allow the VLANs configured on RR1.

3550-CE6

interface FastEthernet0/12
 description to RR
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,30
 switchport mode trunk
 duplex full
 speed 10

Task 2.4:

PE3

interface Ethernet0/0
 no ip address
 half-duplex
!
interface Ethernet0/0.13
 description to CE1 - VLAN 13
 encapsulation dot1Q 13
 ip address 10.13.1.3 255.255.255.0
 no snmp trap link-status
!
interface Ethernet0/0.23
 description to CE2 - VLAN 23
 encapsulation dot1Q 23
 no snmp trap link-status
!
interface Ethernet0/0.30
 description to RR - VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.3 255.255.255.0
!
interface Ethernet0/0.31
 description to PE1 - VLAN 31
 encapsulation dot1Q 31
 ip address 172.16.13.3 255.255.255.0
!
interface Ethernet0/0.123
 description to PE2 - VLAN 123
 encapsulation dot1Q 123
 ip address 172.16.123.3 255.255.255.0


3550-CE6

interface FastEthernet0/3
 description to PE3-RACK1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 13,23,31,123
 switchport mode trunk

Task 2.5:

PE1

interface FastEthernet0/0
 description to PE3 VLAN31
 ip address 172.16.13.1 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description to PE2 VLAN21
 ip address 172.16.12.1 255.255.255.0
 speed 100
 full-duplex

3750

interface FastEthernet1/0/10
 description To PE2
 switchport access vlan 21
 switchport mode access
 duplex full
 speed 100
!
interface FastEthernet1/0/11
 description to PE1
 switchport access vlan 31
 switchport mode access
 duplex full
 speed 100


Task 2.6:

interface Ethernet0/0
 no ip address
 half-duplex
!
interface Ethernet0/0.20
 description to RR - VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.2 255.255.255.0
!
interface Ethernet0/0.21
 description to PE1 - VLAN 21
 encapsulation dot1Q 21
 ip address 172.16.12.2 255.255.255.0
 no snmp trap link-status
!
interface Ethernet0/0.123
 description to PE3 - VLAN 123
 encapsulation dot1Q 123
 ip address 172.16.123.2 255.255.255.0

PE2-RACK1#sho cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
BB1-RACK1        Eth 0/1            135        R S        2610      Eth 0/0
3750-M-CE4       Eth 0/0            155        S I        ME-C3750-2Fas 1/0/12

3750

interface FastEthernet1/0/12
 description to PE2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,21,82,123
 switchport mode trunk
 duplex half
 speed 10


Task 2.7:

3750-M-CE4

interface FastEthernet1/0/13
 description to 3550
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex full                 <- Same as on 3550
 speed 100                   <- Same as on 3550
 channel-group 1 mode on
!
interface FastEthernet1/0/14
 description to 3550
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex full                 <- Same as on 3550
 speed 100                   <- Same as on 3550
 channel-group 1 mode on

3550-CE6(config)#spanning-tree mode pvst
3750-M-CE4(config)#spanning-tree mode pvst

Task 2.8:

Check the Port Channel rather than the physical port.

3750-M-CE4#sho interfaces port-channel 1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         1-4094

Port        Vlans allowed and active in management domain
Po1         1,10,13,20-21,23,30-31,60,82,101-102,110,123,240,300,600

Port        Vlans in spanning tree forwarding state and not pruned
Po1         1,10,13,20-21,23,30-31,60,82,101-102,110,123,240,300,600


Task 2.9:

3750-M-CE4(config)#vtp password iem.com
Setting device VLAN database password to iem.com

3550-CE6(config)#vtp password iem.com
Setting device VLAN database password to iem.com

3550-CE6#sho vtp password
VTP Password: iem.com
3550-CE6#

3750-M-CE4#sho vtp password
VTP Password: iem.com
3750-M-CE4#

Task 2.10:

3750-M-CE4(config)#monitor session 1 source vlan 13 , 23
3750-M-CE4(config)#monitor session 1 destination interface fastEthernet 1/0/4
!
3750-M-CE4#sho monitor detail
Session 1
---------
Type              : Local Session
Source Ports      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : 13,23
Source RSPAN VLAN : None
Destination Ports : Fa1/0/4
    Encapsulation : Native
          Ingress : Disabled
Filter VLANs      : None
Dest RSPAN VLAN   : None

Task 2.11:

3550-CE6(config)# monitor session 1 destination interface Fa0/18
3550-CE6(config)# monitor session 1 source remote vlan 123


Port        Vlans allowed on trunk
Po1         1-4094

Port        Vlans allowed and active in management domain
Po1         1,10,13,20-21,23,30-31,60,82,101-102,110,123,240,300,600

Port        Vlans in spanning tree forwarding state and not pruned
Po1         1,10,13,20-21,23,30-31,60,82,101-102,110,123,240,300,600
3750-M-CE4#

Disallow VLANs 10 and 110 from the trunk:

3750-M-CE4(config)#int port-channel 1
3750-M-CE4(config-if)#switchport trunk allowed vlan remove 10,110

Verify that VLANs 10 and 110 are not among those still allowed on the trunk:

3750-M-CE4#sho interfaces port-channel 1 trunk

Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         1-9,11-109,111-4094

Port        Vlans allowed and active in management domain
Po1         1,13,20-21,23,30-31,60,82,101-102,123,240,300,600

Port        Vlans in spanning tree forwarding state and not pruned
Po1         1,13,20-21,23,30-31,60,82,101-102,123,240,300,600

Verify that VLANs 10 and 110 are removed from trunk’s

 switchport trunk allowed vlan 1-9,11-109,111-4094
 switchport mode trunk

Task 2.13:

This task will need to be re-configured in later Labs to allow other VLANs.

3750-M-CE4(config-if)#switchport trunk allowed vlan 250-299,301-599

3750-M-CE4#sho interfaces port-channel 1 trunk
3w0d: %SYS-5-CONFIG_I: Configured from console by console

Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         250-299,301-599

Port        Vlans allowed and active in management domain
Po1

Port        Vlans in spanning tree forwarding state and not pruned
Po1


Task 2.14:

3550-CE6#sho interfaces fastEthernet 0/16 switchport
Name: Fa0/16
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 230 (VLAN0230)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

interface FastEthernet0/15
 description to User 1
 switchport access vlan 230
 switchport mode access
 switchport protected
!
interface FastEthernet0/16
 description to User 2
 switchport access vlan 230
 switchport mode access
 switchport protected


Verify that the configuration changes took effect:

3550-CE6#sho interfaces fastEthernet 0/16 switchport
Name: Fa0/16
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 230 (VLAN0230)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Task 2.15:

interface FastEthernet0/15
 description to User 1
 switchport access vlan 230
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security aging static
 switchport port-security mac-address sticky 0000.0100.1141
 switchport port-security mac-address sticky 0000.0200.2050


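3550-CE6#sho port-security address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
 230    0000.0100.1141    SecureSticky        Fa0/15       -
 230    0000.0200.2050    SecureSticky        Fa0/15       -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 5120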

Task 2.16:

3550

switchport port-security aging time 1

3550-CE6#sho port-security interface fastEthernet 0/15
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 1 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Enabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Task 2.17:

To protect against the CAM table-overflow attack, limit the number of MAC addresses that can be learned on a switch port:

switchport port-security maximum 2
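
An added example, not part of the original lab solution: a Python check over saved interface configuration that reports access ports where the MAC limit from Task 2.17 is not actually in force. The sample config is constructed (Fa0/17 and the max_allowed threshold are assumptions), and the check relies on IOS enforcing the limit only when the bare "switchport port-security" line is present, with a default maximum of 1.

```python
import re

# Constructed input, abbreviated from the lab's 3550 stanzas. Fa0/17 is a
# hypothetical port that sets a limit without enabling port security.
SAMPLE_CONFIG = """\
interface FastEthernet0/3
 switchport mode trunk
!
interface FastEthernet0/15
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/16
 switchport mode access
 switchport protected
!
interface FastEthernet0/17
 switchport mode access
 switchport port-security maximum 2
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def audit_port_security(config, max_allowed=2):
    """Map every access port to 'ok' or to the reason it is exposed."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunk ports are out of scope for this check
        limits = re.findall(r"port-security maximum (\d+)$", "\n".join(cmds), re.M)
        limit = int(limits[-1]) if limits else 1  # assumed IOS default of 1
        findings[name] = "ok"
        if "switchport port-security" not in cmds:
            findings[name] = "port security not enabled"
        elif limit > max_allowed:
            findings[name] = f"maximum {limit} exceeds {max_allowed}"
    return findings
```

Fa0/16 is reported even though it is a protected port: "switchport protected" isolates it from other protected ports but places no bound on learned MAC addresses.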

Date posted: 23/10/2015, 18:08
