
CCNA Lab - Unlock IEWB RS Vol 1 - Lab 11

Pages: 56
Size: 722.35 KB



1 Bridging and Switching

Task 1.1

SW1:
interface range FastEthernet0/13 - 15
 switchport mode dynamic desirable
 switchport trunk encapsulation dot1q
 no shutdown
!
interface FastEthernet0/16
 switchport mode dynamic desirable
 switchport trunk encapsulation dot1q
 no shutdown

SW2:
interface range FastEthernet0/13 - 15
 switchport mode dynamic desirable
 switchport trunk encapsulation dot1q
 no shutdown
!
interface FastEthernet0/16
 switchport mode dynamic desirable
 switchport trunk encapsulation dot1q
 no shutdown

SW3:
interface FastEthernet0/13
 switchport mode dynamic desirable
 switchport trunk encapsulation dot1q
 no shutdown
!
interface FastEthernet0/16
 switchport mode dynamic desirable
 switchport trunk encapsulation dot1q
 no shutdown

Task 1.1 Verification

Rack1SW1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/13    desirable    802.1q         trunking      1
Fa0/14    desirable    802.1q         trunking      1
Fa0/15    desirable    802.1q         trunking      1
Fa0/16    desirable    802.1q         trunking      1

Port      Vlans allowed on trunk

Rack1SW2#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/13    desirable    802.1q         trunking      1
Fa0/14    desirable    802.1q         trunking      1
Fa0/15    desirable    802.1q         trunking      1
Fa0/16    desirable    802.1q         trunking      1

Port      Vlans allowed on trunk

Rack1SW3#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/13    desirable    802.1q         trunking      1
Fa0/16    desirable    802.1q         trunking      1

Port      Vlans allowed on trunk


Task 1.2

SW1:
spanning-tree vlan 4,28,38,56 priority 4096
spanning-tree vlan 1,3,5,7,17,23 priority 61440

Task 1.2 Breakdown

Spanning-tree root bridge election is determined by the lowest bridge-ID. The bridge-ID is made up of two portions, the bridge priority and a MAC address. The bridge priority defaults to 32768, half of the maximum value 65535. Since each bridge-ID must be unique, and since each VLAN (by default) runs its own instance of spanning-tree, there must be some way to distinguish bridge-IDs between different spanning-tree instances.

In older platforms, this was accomplished by assigning a single MAC address per VLAN. This solution results in a waste of MAC addresses, since each VLAN requires its own simply for identification. Newer Cisco switch platforms use the system-id extension to deal with this problem. The bridge-ID for a specific spanning-tree VLAN instance will be the configured priority plus the system-id extension. The system-id extension is effectively the VLAN number. Therefore, in order to ensure that SW1 is the root for VLANs 4, 28, 38, and 56 (even VLANs), and that SW2 is the root for VLANs 3, 5, 7, 17, and 23 (odd VLANs), the priority must be adjusted accordingly on SW1. Since a lower priority value is better, SW1 has been set with the lowest priority value, zero, for even VLANs. For odd VLANs, SW1's priority has been set to the configurable maximum value of 61440. These values are arbitrary as long as SW1's priority for the even VLANs is less than SW2's default priority (32768) plus the system-id extension (VLAN number). Furthermore, SW1 can use any arbitrary number to force SW2 to be the root for the odd VLANs, as long as it is greater than SW2's priority plus the system-id extension.

SW3's spanning-tree priority is set to 61440 in the initial configuration. This should have been noticed before starting the lab.


Verify the spanning-tree root ports for even numbered VLANs on SW2:

Rack1SW2#show spanning-tree vlan 4,28,38,56 | include VLAN|Interface|Fa


Shutdown Fa0/14 on SW1 and view the spanning-tree information:

Rack1SW2#show spanning-tree vlan 4,28,38,56 | include VLAN|Interface|Fa

By default, all three of these interfaces will have a tie in port cost at 19 (FastEthernet). By adjusting the cost of interface Fa0/15 to less than 19, it will be preferred for these VLANs. Once Fa0/15 is down, the choice will be between ports Fa0/13 and Fa0/14, both with a cost of 19. Since the cost is a tie, and since the priority has not been adjusted on SW2, the tie breaker will be the lowest port ID. As 13 is lower than 14, port Fa0/13 will be chosen without any further configuration.

Previous Reference

Spanning-tree port cost: Lab 4
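The Task 1.2 and Task 1.3 breakdowns above both come down to ordered comparisons: root election compares (configured priority + system-id extension, MAC), and root-port selection compares (root path cost, sender bridge-ID, sender port-ID). The Python model below is an added example written for this page, not code from the lab guide or from Cisco. It uses the priorities and VLAN lists configured above for SW1 and the page's statement that SW3 runs at 61440; the MAC addresses, the reduced cost of 18 on SW2's Fa0/15 and the assumption that SW1's port numbers match SW2's on each link are constructed.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768   # IOS default bridge priority
PRIORITY_STEP = 4096       # configurable priorities are multiples of 4096
MAX_PRIORITY = 61440       # highest configurable priority
DEFAULT_PORT_PRIORITY = 128


def mac_to_int(mac: str) -> int:
    """Convert an IOS-style MAC such as '0019.0600.0001' to an integer for comparison."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def effective_priority(configured: int, vlan: int) -> int:
    """Priority carried in BPDUs for one VLAN: configured priority plus the
    system-id extension, which on PVST+ platforms is the VLAN number."""
    if configured % PRIORITY_STEP or not 0 <= configured <= MAX_PRIORITY:
        raise ValueError(f"priority {configured} must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"invalid VLAN {vlan}")
    return configured + vlan


@dataclass
class Bridge:
    name: str
    mac: str
    # per-VLAN configured priority; VLANs not listed use the default
    priorities: dict = field(default_factory=dict)

    def bridge_id(self, vlan: int) -> tuple:
        """Bridge-ID as a comparable tuple: (effective priority, MAC)."""
        configured = self.priorities.get(vlan, DEFAULT_PRIORITY)
        return (effective_priority(configured, vlan), mac_to_int(self.mac))


def elect_root(bridges, vlan: int) -> str:
    """Root bridge for one VLAN: the numerically lowest bridge-ID wins."""
    return min(bridges, key=lambda b: b.bridge_id(vlan)).name


@dataclass
class RootPathCandidate:
    port: str                  # local port on the non-root bridge
    port_cost: int             # local spanning-tree port cost
    sender_bridge_id: tuple    # bridge-ID of the neighbour advertising the root
    sender_port_id: tuple      # (port priority, port number) of the neighbour's port
    advertised_root_cost: int = 0   # 0 when the neighbour is the root itself
    up: bool = True


def select_root_port(candidates) -> str:
    """Root-port selection: lowest root path cost, then lowest sender bridge-ID,
    then lowest sender port-ID (port priority first, then port number)."""
    live = [c for c in candidates if c.up]
    if not live:
        raise ValueError("no usable path to the root bridge")
    best = min(live, key=lambda c: (c.advertised_root_cost + c.port_cost,
                                    c.sender_bridge_id, c.sender_port_id))
    return best.port


# Constructed MAC addresses; priorities follow the lab's Task 1.2 configuration.
SW1 = Bridge("SW1", "0019.0600.0001",
             {**{v: 4096 for v in (4, 28, 38, 56)},
              **{v: 61440 for v in (1, 3, 5, 7, 17, 23)}})
SW2 = Bridge("SW2", "0019.0600.0002")                      # all defaults
SW3 = Bridge("SW3", "0019.0600.0003",
             {v: 61440 for v in (1, 3, 4, 5, 7, 17, 23, 28, 38, 56)})
BRIDGES = [SW1, SW2, SW3]


def root_by_vlan() -> dict:
    return {vlan: elect_root(BRIDGES, vlan) for vlan in (1, 3, 4, 5, 7, 17, 23, 28, 38, 56)}


def sw2_root_port(fa15_up: bool = True) -> str:
    """SW2's root port for an even VLAN, with Fa0/15's cost lowered to 18 (constructed)."""
    sw1_id = SW1.bridge_id(4)
    candidates = [
        RootPathCandidate("Fa0/13", 19, sw1_id, (DEFAULT_PORT_PRIORITY, 13)),
        RootPathCandidate("Fa0/14", 19, sw1_id, (DEFAULT_PORT_PRIORITY, 14)),
        RootPathCandidate("Fa0/15", 18, sw1_id, (DEFAULT_PORT_PRIORITY, 15), up=fa15_up),
    ]
    return select_root_port(candidates)


if __name__ == "__main__":
    print(root_by_vlan())
    print(sw2_root_port(), sw2_root_port(fa15_up=False))
```

Running the model shows that 4096 + VLAN on SW1 beats 32768 + VLAN on SW2 for the even VLANs, while 61440 + VLAN loses to SW2 for the odd VLANs (and ties SW3, where SW1's lower MAC would decide). With Fa0/15 at cost 18 it is the root port; once it is down the 19/19 tie between Fa0/13 and Fa0/14 is broken by the lower port number, as the breakdown describes.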


Task 1.4 Verification

Verify the spanning-tree root ports for odd numbered VLANs:

Rack1SW1#show spanning-tree vlan 3,5,7,17,23 | inc VLAN|Interface|Fa


snmp-server enable traps MAC-Notification
snmp-server host 187.1.3.100 CISCOTRAP MAC-Notification
mac-address-table notification

Task 1.5 Breakdown

To enable SNMP trapping when a MAC address is added to or removed from the CAM table, issue the global configuration commands mac-address-table notification and snmp-server enable traps MAC-Notification. Then, these traps are selectively enabled on a per-interface basis by issuing the snmp trap mac-notifications interface-level command. These traps are then forwarded to the NMS station located at 187.1.3.100, using the community string CISCOTRAP.

Task 1.5 Verification

Verify SNMP MAC Address logging configuration:


Rack1SW2#show mac-address-table notification
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1 secs
Number of MAC Addresses Added : 1
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 1
Maximum Number of entries configured in History Table : 1
Current History Table Length : 1
MAC Notification Traps are Enabled
History Table contents
----------------------
History Index 0, Entry Timestamp 348747, Despatch Timestamp 348747
MAC Changed Message :
Operation: Added Vlan: 28 MAC Addr: 0060.7015.ac7a Dot1dBasePort: 24
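The history table above is the same data the switch sends to the NMS as MAC-Notification traps, and it is useful on the receiving side only once it is turned into structured events that can be compared with what is expected on each port. The parser below is an added example for this page, not code from the lab guide or from Cisco. The first history entry is the one shown above; the second entry, the timestamps in it, the VLAN 7 MAC address and the expected-address table are constructed. Dot1dBasePort is the bridge port index, which need not equal the Fa0/x number.

```python
import re
from dataclasses import dataclass

# Line shapes taken from "show mac-address-table notification" output.
INDEX_RE = re.compile(r"History Index (\d+), Entry Timestamp (\d+), Despatch Timestamp (\d+)")
CHANGE_RE = re.compile(
    r"Operation:\s*(Added|Removed)\s+Vlan:\s*(\d+)\s+"
    r"MAC Addr:\s*([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"Dot1dBasePort:\s*(\d+)"
)


@dataclass(frozen=True)
class MacEvent:
    index: int
    timestamp: int
    operation: str   # "Added" or "Removed"
    vlan: int
    mac: str         # normalised to lower-case dotted form
    port: int        # Dot1dBasePort (bridge port index)


def parse_history(output: str) -> list:
    """Turn the history table text into MacEvent records.
    One history entry may carry several Operation fields on one line."""
    events, current = [], None
    for line in output.splitlines():
        m = INDEX_RE.search(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            continue
        for m in CHANGE_RE.finditer(line):
            if current is None:
                raise ValueError("Operation line before any History Index line")
            events.append(MacEvent(current[0], current[1], m.group(1),
                                   int(m.group(2)), m.group(3).lower(), int(m.group(4))))
    return events


def unexpected_additions(events, expected: dict) -> list:
    """Return Added events whose MAC is not in the expected set for (vlan, port).
    expected maps (vlan, port) -> set of dotted MAC strings."""
    return [e for e in events
            if e.operation == "Added" and e.mac not in expected.get((e.vlan, e.port), set())]


# Constructed sample: the page's entry plus one constructed entry with two operations.
SAMPLE_OUTPUT = """History Table contents
----------------------
History Index 0, Entry Timestamp 348747, Despatch Timestamp 348747
MAC Changed Message :
Operation: Added Vlan: 28 MAC Addr: 0060.7015.ac7a Dot1dBasePort: 24
History Index 1, Entry Timestamp 352001, Despatch Timestamp 352002
MAC Changed Message :
Operation: Added Vlan: 7 MAC Addr: 0012.3456.789a Dot1dBasePort: 7 Operation: Removed Vlan: 28 MAC Addr: 0060.7015.ac7a Dot1dBasePort: 24
"""

# Constructed expectation: only the BB2-facing address is expected on VLAN 28 / port 24.
EXPECTED = {(28, 24): {"0060.7015.ac7a"}}


def review_sample() -> tuple:
    events = parse_history(SAMPLE_OUTPUT)
    flagged = [(e.vlan, e.mac, e.port) for e in unexpected_additions(events, EXPECTED)]
    return len(events), flagged


if __name__ == "__main__":
    for event in parse_history(SAMPLE_OUTPUT):
        print(event)
    print("unexpected:", review_sample()[1])
```

In practice the same records arrive as SNMP traps rather than CLI text; what stays the same is the review step, which is what makes MAC-notification worth enabling: an address appearing on a port or VLAN where no device is expected is the event worth alerting on.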

Task 1.6

SW1, SW2 and SW3:
ip access-list extended IPONLY
 permit ip any any
!
mac access-list extended IP_ARP
 permit any any 0x806 0x0
!
mac access-list extended PVST_PLUS
 permit any any 0x010B 0x0
!
mac access-list extended PVST
 permit any any lsap 0x4242 0x0
 permit any any lsap 0xaaaa 0x0


Task 1.6 Breakdown

The above task describes a seemingly straightforward scenario in which only IP traffic is allowed to transit VLAN 56. This is accomplished by creating a VLAN access-list (VACL) which permits IP traffic and denies all other traffic. However, when this access-map is applied, other behind-the-scenes protocols stop working. These protocols include IP ARP and STP (PVST+ in our case). PVST+ BPDUs are transported in Ethernet frames using 802.3 LLC SNAP encapsulation over 802.1q trunks, having a PID (Protocol ID) of 0x010B. Additionally, some PVST+ BPDUs are encapsulated into Ethernet 802.3 LLC frames with SSAP/DSAP 0x42, to interoperate with classic IEEE STP.

In addition to permitting IP, the above protocols must be permitted. Although IP uses the ethertype 0x800, IP ARP uses its own ethertype value of 0x806. This value must also be permitted, otherwise ARP cannot work. Note that even though PVST+ uses LLC SNAP encapsulation, you can match the PID value using the "ethertype" keyword in MAC access-lists.
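The breakdown turns on which header field a MAC access-list entry actually inspects: the Ethernet II type field for IP (0x800) and ARP (0x806), the SNAP protocol ID for PVST+ (0x010B, matched with the ethertype keyword), and the LLC DSAP/SSAP pair for IEEE BPDUs (0x4242). The Python below is an added example for this page, not code from the lab guide or from Cisco: it builds one constructed frame of each kind and reports which of the lists above would match it by field comparison. The source MAC for R5 and all payload bytes are constructed; R6's MAC is taken from its IPX node address shown below. The lsap 0xaaaa entry of the PVST list is deliberately not modelled, since the page does not show the access-map sequence that decides how it interacts with the other entries.

```python
# Well-known values used by the lab's access-lists and the frames they see.
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPX = 0x8137      # constructed "non-IP" sample, matching the IPX ping test below
PID_PVST_PLUS = 0x010B      # SNAP protocol ID of Cisco PVST+ BPDUs
LSAP_STP = 0x42             # DSAP/SSAP of IEEE 802.1D BPDUs
LSAP_SNAP = 0xAA            # DSAP/SSAP announcing a SNAP header


def eth2(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: type field >= 0x0600."""
    return dst + src + ethertype.to_bytes(2, "big") + payload


def llc(dst: bytes, src: bytes, dsap: int, ssap: int, payload: bytes) -> bytes:
    """802.3 frame with an LLC header; the 2-byte field is a length (< 0x0600)."""
    body = bytes([dsap, ssap, 0x03]) + payload     # control 0x03 = unnumbered information
    return dst + src + len(body).to_bytes(2, "big") + body


def llc_snap(dst: bytes, src: bytes, oui: bytes, pid: int, payload: bytes) -> bytes:
    """802.3 LLC frame with a SNAP header: DSAP/SSAP 0xAA, then OUI and protocol ID."""
    return llc(dst, src, LSAP_SNAP, LSAP_SNAP, oui + pid.to_bytes(2, "big") + payload)


def classify(frame: bytes) -> dict:
    """Report encapsulation plus the two fields the MAC ACL keywords can test:
    'ethertype' (Ethernet II type, or SNAP PID as IOS treats it) and 'lsap' (DSAP<<8 | SSAP)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    type_or_len = int.from_bytes(frame[12:14], "big")
    if type_or_len >= 0x0600:
        return {"encap": "ethernet_ii", "ethertype": type_or_len, "lsap": None}
    if len(frame) < 17:
        raise ValueError("truncated 802.3/LLC frame")
    dsap, ssap = frame[14], frame[15]
    lsap = (dsap << 8) | ssap
    if dsap == LSAP_SNAP and ssap == LSAP_SNAP:
        if len(frame) < 22:
            raise ValueError("truncated SNAP header")
        pid = int.from_bytes(frame[20:22], "big")
        return {"encap": "llc_snap", "ethertype": pid, "lsap": lsap}
    return {"encap": "llc", "ethertype": None, "lsap": lsap}


# The page's permit entries, reduced to (list name, field tested, value).
# IPONLY is an IP ACL; in a VACL it applies to IP packets, i.e. ethertype 0x0800 here.
PERMIT_ENTRIES = [
    ("IPONLY", "ethertype", ETHERTYPE_IP),
    ("IP_ARP", "ethertype", ETHERTYPE_ARP),
    ("PVST_PLUS", "ethertype", PID_PVST_PLUS),
    ("PVST", "lsap", 0x4242),
]


def matching_lists(frame: bytes) -> list:
    info = classify(frame)
    return [name for name, fld, value in PERMIT_ENTRIES if info[fld] == value]


# Constructed sample frames (R5 MAC and payloads are made up; R6 MAC from its IPX address).
R5_MAC = bytes.fromhex("001562d00001")
R6_MAC = bytes.fromhex("001562d04830")
BROADCAST = b"\xff" * 6
PVST_PLUS_DST = bytes.fromhex("01000ccccccd")   # Cisco PVST+ multicast address
IEEE_STP_DST = bytes.fromhex("0180c2000000")    # IEEE bridge group address
CISCO_OUI = bytes.fromhex("00000c")

SAMPLE_FRAMES = {
    "ip": eth2(R6_MAC, R5_MAC, ETHERTYPE_IP, b"\x45" + b"\x00" * 19),
    "arp": eth2(BROADCAST, R5_MAC, ETHERTYPE_ARP, bytes.fromhex("0001080006040001") + b"\x00" * 20),
    "pvst_plus": llc_snap(PVST_PLUS_DST, R5_MAC, CISCO_OUI, PID_PVST_PLUS, b"\x00" * 35),
    "ieee_stp": llc(IEEE_STP_DST, R5_MAC, LSAP_STP, LSAP_STP, b"\x00" * 35),
    "ipx_snap": llc_snap(R6_MAC, R5_MAC, b"\x00\x00\x00", ETHERTYPE_IPX, b"\xff\xff" + b"\x00" * 28),
}


def classify_samples() -> dict:
    return {name: matching_lists(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:10s} {classify(frame)} -> {matching_lists(frame)}")
```

The IPX SNAP frame matches none of the modelled entries, which is the behaviour the IPX ping test below confirms, while each control-plane protocol the breakdown names is caught by exactly one list. The general lesson for any layer-2 filter is the one the page draws: enumerate the control-plane frames that must still pass before applying a default deny.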

With the VLAN filter applied, try to IPX ping R6 from R5:

Rack1R6#show ipx interface FastEthernet0/0
FastEthernet0/0 is up, line protocol is up
  IPX address is 56.0015.62d0.4830, SNAP [up]
  Delay of this IPX network, in ticks is 1
  IPXWAN processing not enabled on this interface
  IPX SAP update interval is 60 seconds
  IPX type 20 propagation packet forwarding is disabled
<output omitted>

Rack1R5#ping 56.0015.62d0.4830
Translating "56.0015.62d0.4830"
Type escape sequence to abort
Sending 5, 100-byte IPX Novell Echoes to 56.0015.62d0.4830, timeout is 2 seconds:
Success rate is 0 percent (0/5)

Ensure that IP/ARP works fine:

Rack1R5#ping 187.1.56.6
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 187.1.56.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Verify the spanning-tree status. You should see a root port on SW2:

Rack1SW2#show spanning-tree vlan 56
Fa0/6            Desg FWD 19        128.8    P2p


Translating "56.0015.62d0.4830"
Type escape sequence to abort
Sending 5, 100-byte IPX Novell Echoes to 56.0015.62d0.4830, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Make sure that you turn the VLAN filter back on, or you will lose the points for the section.

 switchport access vlan 17
 switchport voice vlan 7
 mls qos trust cos
!
interface FastEthernet0/8
 switchport access vlan 17
 switchport voice vlan 7
 mls qos trust cos

communicate with the phone is to apply both the access and voice VLAN to the port. Ensure that these VLANs are defined in the VLAN database.

Quality of Service processing is disabled on the 3560 by default. To enable QoS processing, issue the mls qos global configuration command. Next, the command mls qos trust cos has been issued on the interfaces connected to the IP phones. This instructs the switch to maintain the CoS value that is received on the interface.

Lastly, an interface range macro has been defined named VPORTS. This macro can be used in the future to reference ports Fa0/7 and Fa0/8 together. These macros can be used to reduce the administrative overhead of keeping track of which interfaces contain the same configuration. For example, if a certain range of interfaces is configured in an EtherChannel bundle, a macro could be created to manage all the member interfaces. This way, the member interfaces could be referenced by the macro, and it would be ensured that all member interfaces receive the same configuration.

Task 1.7 Verification

Verify MLS QoS configuration:

Rack1SW1#show mls qos interface fa0/7
FastEthernet0/7
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

Rack1SW1#show mls qos interface fa0/8
FastEthernet0/8
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

Verify Voice VLAN and appliance trust:

Rack1SW1#show interfaces fa0/7 switchport | inc Voice|Appl
Voice VLAN: 7 (VLAN0007)
Appliance trust: none

Rack1SW1#show interfaces fa0/8 switchport | inc Voice|Appl
Voice VLAN: 7 (VLAN0007)
Appliance trust: none


Task 1.8

SW1-SW3:
spanning-tree backbonefast

SW1:
spanning-tree vlan 4,28,38,56 forward-time 10

SW2:
spanning-tree vlan 1,3,5,7,17,23 forward-time 10

Task 1.8 Verification

Rack1SW1#show spanning-tree vlan 4 | include Forward
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 10 sec
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 10 sec

Rack1SW1#show spanning-tree vlan 1 | include Forward
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 10 sec
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Rack1SW1#show spanning-tree backbonefast
BackboneFast is enabled

BackboneFast statistics
-----------------------
Number of transition via backboneFast (all VLANs) : 0
Number of inferior BPDUs received (all VLANs)     : 0
Number of RLQ request PDUs received (all VLANs)   : 0
Number of RLQ response PDUs received (all VLANs)  : 0
Number of RLQ request PDUs sent (all VLANs)       : 0
Number of RLQ response PDUs sent (all VLANs)      : 0

Task 1.9

R4:
username Rack1R5 password 0 C1SC0?2000
!
interface Serial0/1
 encapsulation ppp
 ppp authentication chap

R5:
interface Serial0/1
 encapsulation ppp
 clockrate 64000
 ppp chap password 0 C1SC0?2000

Task 1.9 Breakdown


Note that the escape sequence CTRL-V or ESC-Q must be used in order to enter a question mark in the password field. This username/password pair must also be configured in R4's local username database in order to authenticate R5.

The username and ppp chap commands with the "0" option after the password tell the router that the password to come is in plain text format (i.e. unencrypted). This is also the default option when entering a password, so the commands below will achieve the same result:

username Rack1R5 password 0 C1SC0?2000
username Rack1R5 password C1SC0?2000

If the commands are used with the "7" option after the password, the router will be expecting the password to come in encrypted form. Commonly this is used when a configuration is being copied from one router that has the service password-encryption command applied to another router. Below is the output of the command with the password in encrypted form:

username Rack1R5 password 7 123A5424312453567A7B74


%LINK-3-UPDOWN: Interface Serial0/1, changed state to up
Se0/1 PPP: Using default call direction
Se0/1 PPP: Treating connection as a dedicated line
Se0/1 PPP: Session handle[1A000004] Session id[3]
Se0/1 PPP: Authorization required
Se0/1 PPP: No authorization without authentication
Se0/1 CHAP: I CHALLENGE id 2 len 28 from "Rack1R4"
Se0/1 CHAP: Using hostname from unknown source
Se0/1 CHAP: Using password from interface CHAP
Se0/1 CHAP: O RESPONSE id 2 len 28 from "Rack1R5"
Se0/1 CHAP: I SUCCESS id 2 len 4
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
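The debug output above shows the three CHAP messages of Task 1.9: a 28-byte CHALLENGE from Rack1R4, a 28-byte RESPONSE from Rack1R5, and a 4-byte SUCCESS. The Python below is an added example for this page, not code from the lab guide or from Cisco: it implements the CHAP exchange of RFC 1994 with both sides in one process, using the names and the shared secret C1SC0?2000 configured above. The 16-byte challenge value is random, and the failure text is constructed. The packet lengths it produces are the ones in the debug output, which is a useful sanity check that the model matches what the routers sent.

```python
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_packet(code: int, identifier: int, body: bytes) -> bytes:
    """CHAP packet: Code(1) Identifier(1) Length(2) Body; Length includes the 4-byte header."""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """The CHAP response value: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def parse_packet(packet: bytes) -> tuple:
    """Return (code, identifier, value, name); value is empty for Success/Failure."""
    if len(packet) < 4:
        raise ValueError("CHAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("CHAP length field does not match packet size")
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        size = packet[4]
        return code, identifier, packet[5:5 + size], packet[5 + size:].decode()
    return code, identifier, b"", packet[4:].decode()


class Authenticator:
    """R4's role: issues challenges and checks responses against its local username database.
    The secret must be stored in recoverable form, which is why 'password 0' or type 7 is used."""

    def __init__(self, hostname: str, users: dict):
        self.hostname = hostname
        self.users = dict(users)      # peer hostname -> shared secret
        self.pending = {}             # identifier -> outstanding challenge value

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)
        self.pending[identifier] = value
        return chap_packet(CHAP_CHALLENGE, identifier,
                           bytes([len(value)]) + value + self.hostname.encode())

    def verify(self, packet: bytes) -> bytes:
        code, identifier, value, name = parse_packet(packet)
        challenge = self.pending.pop(identifier, None)   # each challenge is usable once
        secret = self.users.get(name)
        ok = (code == CHAP_RESPONSE and challenge is not None and secret is not None
              and hmac.compare_digest(chap_hash(identifier, secret, challenge), value))
        if ok:
            return chap_packet(CHAP_SUCCESS, identifier, b"")
        return chap_packet(CHAP_FAILURE, identifier, b"Authentication failed")  # constructed text


def peer_respond(challenge_packet: bytes, hostname: str, secret: str) -> bytes:
    """R5's role: hash the received challenge with its secret and send its own hostname."""
    code, identifier, value, _ = parse_packet(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    digest = chap_hash(identifier, secret, value)
    return chap_packet(CHAP_RESPONSE, identifier, bytes([len(digest)]) + digest + hostname.encode())


def run_exchange(r5_secret: str = "C1SC0?2000") -> tuple:
    """Run the Task 1.9 exchange; returns (challenge len, response len, result code, result len)."""
    r4 = Authenticator("Rack1R4", {"Rack1R5": "C1SC0?2000"})
    challenge = r4.challenge(identifier=2)
    response = peer_respond(challenge, "Rack1R5", r5_secret)
    result = r4.verify(response)
    return len(challenge), len(response), parse_packet(result)[0], len(result)


if __name__ == "__main__":
    print(run_exchange())          # (28, 28, 3, 4): CHALLENGE 28, RESPONSE 28, SUCCESS len 4
    print(run_exchange("wrong"))   # failure code 4 when R5 has a different secret
```

The 28-byte lengths come from 4 header bytes, a 1-byte value size, a 16-byte value (random challenge or MD5 digest) and the 7-byte hostname; SUCCESS carries no message, hence len 4. The model also shows why the secret has to be recoverable on the authenticator: R4 must compute the same MD5 as R5, so a one-way hashed password cannot be used with CHAP.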

2 Interior Gateway Protocol

 ip rip authentication mode md5
 ip rip authentication key-chain RIP


Task 2.1 Verification

Verify that SW2 receives authenticated RIP updates:

Rack1SW2#debug ip rip
RIP protocol debugging is on
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.10.1.254 on Vlan28

route-map CONNECTED->RIP permit 10
 match interface Loopback0

Task 2.2 Verification

Verify that the Loopback0 interface is being advertised:

Rack1SW2#show ip rip database


Task 2.4

R1:

interface Serial0/0.134 multipoint
 ip ospf network point-to-multipoint

interface Serial0/0.134 multipoint
 ip ospf network point-to-multipoint

Verify the OSPF neighbors:

Rack1R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.3.3         0   FULL/  -           -        187.1.134.3     OSPF_VL0
150.1.7.7         1   FULL/BDR        00:00:38    187.1.17.7      FastEthernet0/0
150.1.3.3         0   FULL/  -        00:01:57    187.1.134.3     Serial0/0.134

Rack1R3#show ip ospf neighbor


Rack1R4#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.3.3         0   FULL/  -           -        187.1.134.3     OSPF_VL0
150.1.5.5         0   FULL/  -        00:00:34    187.1.45.5      Serial0/1
150.1.3.3         0   FULL/  -        00:01:57    187.1.134.3     Serial0/0.134

Verify the OSPF network type on Frame Relay segment between R1, R3, and R4:

Rack1R3#show ip ospf interface s1/0
Serial1/0 is up, line protocol is up
  Internet Address 187.1.134.3/24, Area 134
  Process ID 1, Router ID 150.1.3.3, Network Type POINT_TO_MULTIPOINT, Cost: 781
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5

 set metric-type type-2
 match interface Loopback0


Task 2.5 Verification

Verify the OSPF networks origination:

Rack1SW1#show ip route ospf

 area 134 virtual-link 150.1.4.4 authentication message-digest
 area 134 virtual-link 150.1.4.4 message-digest-key 1 md5 CISCO

R4:
router ospf 1
 area 134 virtual-link 150.1.3.3 authentication message-digest
 area 134 virtual-link 150.1.3.3 message-digest-key 1 md5 CISCO


Task 2.6 Verification

Verify the OSPF virtual-link authentication:

Rack1R3#show ip ospf virtual-links
Virtual Link OSPF_VL1 to router 150.1.4.4 is up
  Run as demand circuit
  DoNotAge LSA allowed
  Transit area 134, via interface Serial1/0, Cost of using 781
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
    Adjacency State FULL (Hello suppressed)
    Index 2/5, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
    Youngest key id is 1
Virtual Link OSPF_VL0 to router 150.1.1.1 is up
  Run as demand circuit
  DoNotAge LSA allowed
  Transit area 134, via interface Serial1/0, Cost of using 781
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
    Adjacency State FULL (Hello suppressed)
    Index 1/4, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Simple password authentication enabled

Confirm that no authentication is enabled on area 0 interfaces on R1 and SW1:

Rack1R1#show ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 187.1.17.1/24, Area 0
  Process ID 1, Router ID 150.1.1.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 150.1.1.1, Interface address 187.1.17.1
  Backup Designated router (ID) 150.1.7.7, Interface address 187.1.17.7
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.1.7.7 (Backup Designated Router)
  Suppress hello for 0 neighbor(s)


Rack1SW1#show ip ospf interface vl17
Vlan17 is up, line protocol is up
  Internet Address 187.1.17.7/24, Area 0
  Process ID 1, Router ID 150.1.7.7, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 150.1.1.1, Interface address 187.1.17.1
  Backup Designated router (ID) 150.1.7.7, Interface address 187.1.17.7
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Index 1/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.1.1.1 (Designated Router)
  Suppress hello for 0 neighbor(s)


route-map CONNECTED->EIGRP permit 10
 match interface Loopback0

Task 2.7 Verification

Verify the EIGRP neighbors:

Rack1R5#show ip eigrp neighbors
IP-EIGRP neighbors for process 10
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
2   187.1.235.2             Se0/0        138 00:03:34   48   288  0  4
1   187.1.56.6              Et0/1         12 00:03:44  135   810  0  7
0   187.1.235.3             Se0/0        130 00:04:05  824  4944  0  7

Verify the EIGRP routes:

Rack1R2#show ip route eigrp
     187.1.0.0/24 is subnetted, 3 subnets
D       187.1.56.0 [90/2195456] via 187.1.235.5, 00:09:44, Serial0/0.235
D       187.1.5.0 [90/2195456] via 187.1.235.5, 00:09:44, Serial0/0.235
     150.1.0.0/24 is subnetted, 2 subnets

Rack1R5#show ip eigrp neighbors detail
IP-EIGRP neighbors for process 10
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
2   187.1.235.2             Se0/0        169 00:00:14   32   200  0  5
    Version 12.2/1.2, Retrans: 1, Retries: 0, Prefixes: 2
    Stub Peer Advertising ( CONNECTED SUMMARY ) Routes
1   187.1.56.6              Et0/1         12 00:14:42   54   324  0  12
    Version 12.4/1.2, Retrans: 0, Retries: 0, Prefixes: 1
0   187.1.235.3             Se0/0        170 00:15:03  296  1776  0  14
    Version 12.3/1.2, Retrans: 0, Retries: 0, Prefixes: 5


route-map EIGRP_TO_OSPF permit 10
 match ip address EVEN
 set metric-type type-1

 redistribute connected route-map CONNECTED_TO_EIGRP
 redistribute ospf 1 metric 1500 10 255 1 1500 route-map OSPF_TO_EIGRP

route-map CONNECTED_TO_EIGRP permit 10
 match interface Loopback0
!


 redistribute rip subnets route-map RIP_TO_OSPF
 redistribute connected subnets

no other interfaces should be advertised into RIP while this configuration is performed. Therefore, a route-map is configured on SW2 that matches only the Loopback 0 interface, and is used to filter networks that are redistributed into RIP as connected. This configuration presents a problem with reachability from R3 to BB2.

When the Loopback 0 network of SW2 is redistributed into RIP, all other networks are implicitly denied. As the VLAN 38 interface of SW2 is directly connected, this network will not be advertised into RIP. This presents the problem that R3 no longer has IP reachability to SW2; however, other devices in the routing domain will have reachability due to the redistribution of OSPF into RIP on SW2. In order to maintain reachability while staying within the requirements, a manual summary has been configured to BB2.

By adding the ip summary-address rip 187.1.0.0 255.255.0.0 command on the VLAN 28 interface, the entire major network 187.1.0.0/16 will be advertised on to BB2, and will therefore resolve the issue of connectivity between R3 and BB2.


Task 2.9 Verification

Verify the external routes redistributed into OSPF:

Rack1R4#show ip route ospf
     187.1.0.0/16 is variably subnetted, 15 subnets, 3 masks
O E1    150.1.6.0/24 [110/84] via 187.1.134.3, 00:13:19, Serial0/0.134
                     [110/84] via 187.1.45.5, 00:13:19, Serial0/1
O E2    150.1.5.0/24 [110/20] via 187.1.45.5, 00:20:33, Serial0/1
O       150.1.3.0/24 [110/65] via 187.1.134.3, 00:34:35, Serial0/0.134
O E1    150.1.2.0/24 [110/84] via 187.1.134.3, 00:13:23, Serial0/0.134
                     [110/84] via 187.1.45.5, 00:13:23, Serial0/1

RIP protocol debugging is on
RIP: sending v2 update to 224.0.0.9 via Vlan28 (192.10.1.8)
RIP: build update entries
  150.1.1.1/32 via 0.0.0.0, metric 1, tag 0
  150.1.2.0/24 via 0.0.0.0, metric 1, tag 0
  150.1.3.3/32 via 0.0.0.0, metric 1, tag 0

Posted: 24/10/2015, 09:52
