Chapter 20: Scenarios for Final Preparation
This chapter presents scenarios that you can use to review most of the concepts contained in this book. The scenarios are designed to assist you in final preparation for the BCMSN exam. Case studies are presented with network diagrams and questions covering many switching topics.
This chapter emphasizes an overall understanding of switching concepts, configuration commands, and network operation. Although the Cisco BCMSN exam might not contain scenarios of this type, you can become better prepared by thinking about the “bigger picture” of a network and how you can apply each switching topic.
Scenario 1: Trunking and DTP
This scenario is built around a network of switches connected by trunking links. You need to think about how DTP operates and how trunks are negotiated (or not) between switches.
Consider the network shown in Figure 20-1 and answer the questions that follow. Assume that all switches shown support DTP.
Figure 20-1 Diagram for Scenario 1
[Diagram: Catalyst A (interface vlan 1, 10.1.5.2), Catalyst B (interface vlan 1, 10.1.5.3), and Catalyst C (interface vlan 1, 10.1.5.1) are connected by gig 0/1 and gig 0/2 links. PC-1 (VLAN 1, 10.5.5.72), PC-2 (VLAN 1, 10.5.5.50), PC-3 (VLAN 1, 10.5.5.100), and PC-4 (VLAN 2, 10.1.100.17) are attached. Port modes shown: switchport mode dynamic auto on both ends of the Catalyst A to Catalyst B link; switchport mode trunk on the Catalyst A end and switchport mode dynamic desirable on the Catalyst C end of the Catalyst A to Catalyst C link. All trunks carry all VLANs.]
1. What is the mode of the link between Catalyst A and Catalyst B?
2. Suppose that the network administrator types these commands for interface GigabitEthernet 0/1 on Catalyst B:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
What will the link mode be now?
3. Catalyst B has been given the command no switchport nonegotiate for interface GigabitEthernet 0/1. What is the link mode now?
4. What is the mode of the link between Catalyst A and Catalyst C?
5. Assume that all links between Catalyst switches are in trunking mode, transporting VLANs 1 through 1005. Can PC-2 ping PC-4?
6. Suppose that PC-1 begins to generate a broadcast storm. Where would the effects of this storm be experienced in this network? Consider both devices and links. Will PC-4 receive the broadcasts?
Scenario 2: VLANs, Trunking, and VTP
This scenario is designed to stir your thinking about VLAN and trunking connectivity. You also need to examine switch configurations and apply them to a network diagram. See the diagram shown in Figure 20-2 and answer the questions that follow. Portions of the configurations of the three Catalyst switches are shown above them.
Figure 20-2 Diagram for Scenario 2
[Diagram: PC-1 (VLAN 2, 10.2.2.1) connects to Catalyst A fast 0/1; PC-2 (VLAN 10, 10.2.2.2) connects to Catalyst B fast 0/1; PC-3 (VLAN 10, 10.1.1.1) connects to Catalyst C fast 0/1. Catalyst A gig 0/1 connects to Catalyst B gig 0/1, and Catalyst B gig 0/2 connects to Catalyst C gig 0/1.]
Catalyst A configuration:
interface gigabitethernet 0/1
 switchport mode access
 switchport access vlan 2
interface fastethernet 0/1
 switchport mode access
 switchport access vlan 2
Catalyst B configuration:
interface gigabitethernet 0/1
 switchport mode access
 switchport access vlan 10
interface fastethernet 0/1
 switchport mode access
 switchport access vlan 10
interface gigabitethernet 0/2
 switchport trunk encapsulation isl
 switchport mode trunk
Catalyst C configuration:
interface gigabitethernet 0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface fastethernet 0/1
 switchport mode access
 switchport access vlan 10
1. PC-1 and PC-2 both are configured with IP addresses on the same subnet. Notice that each PC connects to a different VLAN number. Given the switch configurations shown, can PC-1 ping PC-2?
2. PC-2 and PC-3 are assigned to the same IP subnet (using subnet mask 255.0.0.0) and the same VLAN. Can PC-2 and PC-3 ping each other?
3. Will the trunk link between Catalyst B and Catalyst C come up successfully?
4. Suppose that the trunk between Catalyst B and Catalyst C is configured properly. Where will VLAN 1 be pruned? Why?
5. Suppose that Catalyst A is a VTP server, Catalyst C is a VTP client, and Catalyst B is configured for VTP transparent mode. All switches are in the Bermuda management domain. If VLAN 14 is created on Catalyst A, which switches also will create VLAN 14 using VTP?
6. If VLAN 15 is created on Catalyst B, what other switches also will create VLAN 15 through VTP?
7. If VLAN 16 is created on Catalyst C, what will happen?
Scenario 3: EtherChannels
This scenario focuses on EtherChannel links between switches. See the diagram shown in Figure 20-3 and answer the questions that follow.
Figure 20-3 Diagram for Scenario 3
1. Four GigabitEthernet interfaces on Catalyst A are to be bundled into a Gigabit EtherChannel with Catalyst B. If each of these interfaces also is configured as a trunk, what must be similar about them on both switches?
2. Catalyst A should actively initiate an EtherChannel with Catalyst B. PAgP negotiation should be used. What commands should be used on each of Catalyst A’s ports to configure negotiation of EtherChannel 1?
3. What is the default load-distribution algorithm, assuming that the switches are Catalyst 6500s?
[Diagram: Catalyst A ports Gig 3/1, Gig 3/2, Gig 3/3, and Gig 3/4 connect to the same-numbered ports Gig 3/1 through Gig 3/4 on Catalyst B.]
4. Suppose that the EtherChannel is a Layer 3 interface on both switches so that each switch uses one MAC and one IP address. Should you choose the src-dst-mac or src-dst-ip algorithm to maximize the load distribution across all the links?
Scenario 4: Traditional STP
This scenario exercises your ability to think through the Spanning Tree Protocol operation. You are presented with a simple network of two switches. This keeps the STP complexity to a minimum while forcing you to think through the STP convergence process on a live network. Given the network diagram shown in Figure 20-4, complete the following exercises.
Figure 20-4 Network Diagram for Scenario 4
1. Manually compute the spanning-tree topology. Note which switch is the root bridge, which ports are root ports and designated ports, and which ports are in the Blocking state.
2. If the 100-Mbps link (port FastEthernet 1/2) is disconnected, what happens with the STP?
3. If the 1000-Mbps link (port GigabitEthernet 2/1) is disconnected, how much time will elapse before the two switches can communicate again? (Assume that both switches use the default STP timer values and no additional features for faster convergence.)
4. Assume that the physical 1000-Mbps link (port GigabitEthernet 2/1) stays up and active, but BPDUs are not allowed to pass (that is, an access list filter is blocking BPDUs). What happens and when?
[Diagram: Catalyst A (bridge ID 32768.00-d0-58-a3-83-c9) and Catalyst B (bridge ID 32768.00-d0-58-a3-83-ca) are joined by three parallel links: fa1/1 to fa1/1, fa1/2 to fa1/2 (100 Mbps), and g2/1 to g2/1 (1000 Mbps). The remaining link, fa1/1, is the 10-Mbps link.]
Scenario 5: Advanced STP
A small network consists of two core switches, Catalyst C1 and C2, and an access switch, A1, as shown in Figure 20-5. Advanced Spanning Tree Protocol features will improve the convergence times and reduce the number of STP instances. Answer these questions.
Figure 20-5 Network Diagram for Scenario 5
1. To prevent the possibility of a unidirectional link occurring on switch A1’s uplinks, what switch feature can be used? What commands are necessary to enable this feature? Assume that the links should be disabled if a unidirectional condition is found. Which switches need to be configured this way?
2. On Catalyst A1, what feature and command should be used to prevent unexpected STP BPDUs from being received on the ports connected to end users?
3. For the links between switch A1 and the user PCs, what command is needed to configure these as RSTP edge ports?
4. By default, the traditional PVST+ mode is enabled on a switch. What command can be used to enable RSTP to be used with PVST+?
5. Suppose that MST is to be configured to reduce the number of STP instances because 12 unique VLANs are being used across the network. How many MST instances are needed for the three switches shown in Figure 20-5, assuming that traffic should be load-balanced across the two uplinks of switch A1?
6. What commands are needed to configure switch C1 for MST?
7. Now make sure that C1 is configured as the root bridge for one MST instance. What commands are needed?
[Diagram: core switches Catalyst C1 and Catalyst C2, with access switch Catalyst A1 connected to both by trunk links. VLANs in use: 100, 101, 102, 103, 104; 200, 201, 202, 203, 204; and VLAN 99 (Management).]
Scenario 6: Router Redundancy with HSRP, VRRP, and GLBP
This scenario covers the methods by which you can configure multilayer switches to provide redundant router or gateway functionality: HSRP, VRRP, and GLBP.
A network consists of two VLANs: 101 and 102. Suppose that the PCs in VLAN 101 (192.168.101.0/24) use address 192.168.101.1 as their default gateway. The PCs in VLAN 102 (192.168.102.0/24) use 192.168.102.1.
1. What commands are necessary to configure HSRP on a Catalyst switch so that it becomes the active router for VLAN 101 and the standby router for VLAN 102? If a failed router interface is restored, control should be passed back to it from the HSRP standby router. (You can use IP addresses 192.168.101.2 and 192.168.102.2, if needed.)
2. What commands can you use to configure VRRP for the network described in question 1?
3. GLBP is to be used in the network shown in Figure 20-6. Answer the following questions about this network.
Figure 20-6 Network Diagram for Scenario 6
a. What command should you use to make Catalyst B become the active virtual gateway (AVG) for GLBP group 10?
b. The virtual gateway address is 192.168.10.1. Which switches should be configured for this, and with what command?
c. Give the command needed on the AVG to implement round-robin load balancing, evenly distributing the virtual gateway MAC addresses across the set of AVFs.
[Diagram: VLAN 10, GLBP gateway 192.168.10.1. Catalyst A (Standby AVG / AVF, 192.168.10.10), Catalyst B (AVG, 192.168.10.11), and Catalyst C (AVF, 192.168.10.12).]
d. Each of the AVF switches must be configured to become members of GLBP group 10. How can this be accomplished?
Scenario 7: IP Telephony in a Switched Network
This scenario uses a simple two-switch network to reinforce the concepts needed to properly implement IP telephony. Think about supplying power to the Cisco IP Phone, as well as how to implement QoS trust within this network. Use Figure 20-7 as a reference for the following questions.
Figure 20-7 Network Diagram for Scenario 7
1. Assume that Catalyst B supports Power over Ethernet. If interface Fa1/0/1 has its default configuration, will power be supplied to the IP Phone? Now suppose that someone has entered the power inline never command for that interface. What command could you use to begin supplying power to the phone dynamically?
2. Where should a QoS trust boundary be implemented? In other words, which switches should trust incoming QoS information and which ones should not?
3. On Catalyst B, configure interface FastEthernet 3/1 to inform the IP Phone to use VLAN 17 for voice traffic. Also add a configuration command to ensure that no QoS trust is extended to the IP Phone’s PC data port.
4. What configuration commands would be necessary to enable QoS trust on Catalyst B’s Gig 1/0/1 uplink and to disable trust on port Fa1/0/2 where the user PC is connected?
Scenario 8: Securing Access and Managing Traffic in a Switched Network
This scenario is designed to stir your thinking about how to control access to switched networks, how to control traffic within a VLAN, and how to monitor traffic.
1. Network administrators want to have tight control over hosts moving around within their network. A Catalyst 3750 needs to have port-level security enabled on all 48 of its FastEthernet access-layer ports. Only one host should be connected per port, so the default behavior of shutting down the port is acceptable. What commands are necessary to do this?
[Figure 20-7 diagram: Catalyst A, which connects to the public network, is linked to Catalyst B over Gig 1/0/1; Gig 1/0/2 also appears on the uplinks. On Catalyst B, port Fa 1/0/1 connects to a Cisco IP Phone with a user PC behind it, and port Fa 1/0/2 connects to a user PC.]
2. Port-level security is desired on a Catalyst 3750 interface FastEthernet 1/0/18, where 24 users are connected through an Ethernet hub. Rather than have the switch port shut down on a security violation, network administrators want only the hosts in violation to be rejected. What command can accomplish this?
3. Configure a VLAN access control list that can perform packet filtering within a VLAN. Users in the 192.168.191.0 255.255.255.0 network should be allowed to use only HTTP (www) traffic to the web server 192.168.191.199/24, on VLAN 180. How can you configure the VACL to accomplish this?
4. An access-layer switch has ports FastEthernet 1/0/1 through 1/0/48 connected to end-user PCs. Is it possible for a user to make one of these ports come up in trunking mode? If so, what commands should you enter to prevent unexpected trunk negotiation?
5. Suppose that a switch has a trunk link GigabitEthernet 1/0/1 configured with the following commands:
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# switchport
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 100
Switch(config-if)# switchport trunk allowed vlan 100-300
Switch(config-if)# switchport mode trunk
VLANs 100, 200, and 300 all are used for user traffic. What, if anything, should be done to the trunk configuration to prevent a VLAN hopping attack from occurring?
6. A Catalyst switch has users connected to ports FastEthernet 1/0/1 through 1/0/30. These users are associated with VLAN 50. Two production DHCP servers are connected to ports FastEthernet 1/0/40 and 1/0/41. What commands should be entered to enable DHCP snooping so that DHCP spoofing attacks can be detected and prevented?
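The hardening points raised in questions 1, 4, and 5 can be checked mechanically against a switch configuration. The following Python script is an added example, not code from the book; the configuration text, interface names, and user VLAN set it uses are constructed for illustration.

```python
"""Audit access and trunk ports of an IOS-style switch configuration.

Added example, not from the book. The config below is constructed and the
interface names are placeholders. Three checks are made:
  1. user-facing access ports without port security (question 1),
  2. ports left in a dynamic DTP mode, or still speaking DTP, so that a
     connected host could negotiate a trunk (question 4),
  3. trunks whose native VLAN is also a user VLAN, the condition that
     double-tagging VLAN hopping depends on (question 5).
"""
import re

SAMPLE_CONFIG = """\
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 50
 switchport port-security
interface FastEthernet1/0/2
 switchport access vlan 50
interface FastEthernet1/0/3
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
 switchport port-security
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100-300
 switchport mode trunk
"""

USER_VLANS = {50, 100, 200, 300}   # VLANs that carry end-user traffic (constructed)

def parse_interfaces(config: str) -> dict:
    """Map each interface name to its indented configuration lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def audit(config: str, user_vlans=USER_VLANS) -> dict:
    """Return a list of findings per interface; an empty list means clean."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if "switchport mode trunk" not in lines:
            # Static access mode plus nonegotiate is what stops a host-side
            # DTP exchange; the default mode on Catalyst ports is dynamic.
            if "switchport mode access" not in lines:
                issues.append("port left in dynamic DTP mode; set switchport mode access")
            if "switchport nonegotiate" not in lines:
                issues.append("DTP still enabled; add switchport nonegotiate")
            if not any(l.startswith("switchport port-security") for l in lines):
                issues.append("no port security; add switchport port-security")
        else:
            native = 1   # IOS default native VLAN when none is configured
            for l in lines:
                m = re.match(r"switchport trunk native vlan (\d+)$", l)
                if m:
                    native = int(m.group(1))
            if native in user_vlans:
                issues.append(f"native VLAN {native} carries user traffic; "
                              "move the native VLAN to an unused VLAN ID")
        findings[name] = issues
    return findings
```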
Scenario 9: Implementing a Wireless LAN
This scenario is designed to stir your thinking about how to add WLAN components to an existing switched campus network, and how to extend network connectivity to wireless users. In this scenario, a Cisco Wireless LAN Controller (WLC) is positioned at the network core, and Cisco Lightweight Access Points (LAPs) are positioned at the access layer switches. Use Figure 20-8 as a reference for the questions that follow.
1. Suppose that LAP1 is configured to use 802.11g channel 1. What channel should be configured on LAP2?
2. Wireless users in the LAP1 cell use SSID “InMotion” to associate with their WLAN. What considerations should you make on LAP2 to allow users to roam between the cells?
Figure 20-8 Network Diagram for Scenario 9
3. LAP1’s wired Ethernet connection will belong to VLAN 200, using IP address 192.168.200.10. The LAP will also need to provide VLAN 50 to its wireless clients. What commands could you use to configure Switch A1’s FastEthernet 0/1 interface, where LAP1 connects?
4. The WLC will use IP address 192.168.201.10 on VLAN 201 to form the LWAPP tunnels with the LAPs. On which WLC interface should you configure this address?
5. LAP1 is located on VLAN 200 in the 192.168.200.0/24 subnet. Both LAPs need to join the same WLC and both need to offer VLAN 50 to their wireless clients. Would you have to place LAP2 on VLAN 200 in the 192.168.200.0/24 subnet? Why or why not?
6. What two things must be configured on the WLC so that wireless clients using SSID “InMotion” can begin communicating on the 192.168.50.0/24 subnet?
[Diagram: Switch C1 at the core, with access switches Switch A1 and Switch A2 uplinked over Gig0/1 to C1 ports Gig2/1 and Gig2/2. LAP1 (VLAN 200, 192.168.200.10) connects to Switch A1 Fa0/1, and LAP2 connects to Switch A2 Fa0/1. The WLC (VLAN 201, 192.168.201.10) connects to Switch C1 Fa1/1. Wireless clients use SSID “InMotion” on VLAN 50 (192.168.50.0/24).]
Scenario Answers
Scenario 1 Answers
1. The link is still an access link, with no trunking established, because both switches are set to auto mode. The switches are passively waiting for the other to initiate trunking.
2. Trunking is still not established. Catalyst A is waiting to be asked to trunk, and Catalyst B is set to nonegotiate. Catalyst B will never try to negotiate trunking because its DTP packets have been silenced.
3. Trunking finally has been established. Both switches A and B will use DTP, and B will effectively ask A to bring up a trunk link.
4. Trunking. Catalyst A expects trunking on the link, while Catalyst C actively tries to negotiate trunking.
5. No. The two PC devices are connected to different VLANs. Without a router or Layer 3 device connecting the VLANs, no traffic will cross between them.
6. All hosts on VLAN 1 (PC-1, PC-2, and PC-3) will experience the broadcast storm. All trunk links between switches will transport the broadcast frames. In addition, all switch supervisor CPUs will receive and process the broadcasts because each switch has an IP address for management assigned to VLAN 1. (For this reason, it is recommended to reserve VLAN 1 for control protocol traffic only. User-generated broadcasts can overload the switch supervisor to the extent that it no longer can keep track of its control or “overhead” protocols, such as VTP, CDP, and so forth. Instead, all user traffic should be kept off VLAN 1.)
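The DTP outcomes in answers 1 through 4 follow a small set of rules, which the Python model below encodes so the four link cases (and others such as desirable/auto) can be checked. This is an added example, not code from the book; Port and negotiate are names chosen here.

```python
"""DTP trunk-negotiation model for the switch links in Scenario 1.

Added example, not from the book. A Port carries its 'switchport mode'
keyword and whether 'switchport nonegotiate' was entered (IOS accepts
nonegotiate only with mode trunk or access, so dynamic ports never have it).
negotiate() returns the operational state each end settles into; a working
trunk exists only when both ends report 'trunk'.
"""
from dataclasses import dataclass

MODES = ("access", "trunk", "dynamic auto", "dynamic desirable")

@dataclass(frozen=True)
class Port:
    mode: str
    nonegotiate: bool = False

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown switchport mode: {self.mode}")
        if self.nonegotiate and self.mode.startswith("dynamic"):
            raise ValueError("nonegotiate conflicts with a dynamic mode")

    def sends_dtp(self) -> bool:
        # 'switchport nonegotiate' silences DTP; every other port speaks it.
        return not self.nonegotiate

def negotiate(a: Port, b: Port) -> tuple:
    """Operational state ('access' or 'trunk') of port a and port b."""
    def settle(me: Port, peer: Port) -> str:
        if me.mode in ("access", "trunk"):
            return me.mode            # static modes ignore what the peer wants
        # 'me' is dynamic: it trunks only when the peer asks it to over DTP.
        if peer.mode == "trunk":
            return "trunk" if peer.sends_dtp() else "access"
        if peer.mode == "access":
            return "access"
        # Both ends dynamic: a trunk forms only if at least one is desirable.
        if "dynamic desirable" in (me.mode, peer.mode):
            return "trunk"
        return "access"               # auto/auto: each side waits for the other
    return settle(a, b), settle(b, a)

def trunk_established(a: Port, b: Port) -> bool:
    """True when both ends are trunking, i.e. the link carries tagged VLANs."""
    return negotiate(a, b) == ("trunk", "trunk")

if __name__ == "__main__":
    auto = Port("dynamic auto")
    print("Q1", negotiate(auto, auto))
    print("Q2", negotiate(auto, Port("trunk", nonegotiate=True)))
    print("Q3", negotiate(auto, Port("trunk")))
    print("Q4", negotiate(Port("trunk"), Port("dynamic desirable")))
```

In the question 2 case the Catalyst B end is trunking unconditionally while Catalyst A stays in access mode, which is why no usable trunk exists.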
Scenario 2 Answers
1. Yes. PC-1 and PC-2 are connected to access VLAN switch ports, VLAN 2 and VLAN 10, respectively. Normally, if these were assigned to different VLANs, they could not ping each other unless a Layer 3 device were present to route between the Layer 2 VLANs. In this case, however, the link between Catalyst A and B is the key. On one switch, the link is an access VLAN port on VLAN 2; on the other end, it is an access VLAN port on VLAN 10. These are physically connected, and each switch has no knowledge of what VLAN the other has assigned to the link. Therefore, data can pass across the link freely, connecting the two VLANs.
2. No. Again, the key is the link between Catalyst B and C. Catalyst B has the link configured as an ISL trunk, whereas Catalyst C has it configured as an 802.1Q trunk. Because the trunk encapsulations are different, no data will pass between them.
3. Yes, the trunk link on each switch will come up successfully, even though the trunk will not work end to end because of the encapsulation mismatch. This is because DTP packets will be exchanged, but both ends of the link are configured to trunk unconditionally.
As a side note, DTP and CDP packets will be exchanged between the switches. Both of these protocols are sent over VLAN 1 in ISL encapsulation and over the native VLAN (VLAN 1, by default) in dot1Q encapsulation. Because the trunk encapsulation is different on each end of the link, each switch will tag VLAN 1 differently. Therefore, VLAN 1 will not be contiguous across the link, and these protocols will not pass successfully.
4. VLAN 1 will not be pruned. Although VLAN 1 is present on all switches, it is not pruned because VLAN 1 is ineligible for pruning by definition.
5. Only Catalyst C creates VLAN 14 in response to VTP advertisements. Catalyst B in transparent mode relays only the VTP information, without interpreting the information.
6. Only Catalyst B creates VLAN 15. Because it is in transparent mode, no VLAN activity will be advertised to other neighboring switches. However, Catalyst B is allowed to create, delete, and rename VLANs freely. These VLANs are significant only to the local switch.
7. Catalyst C will not allow any VLANs to be created unless they are learned from a VTP server in the Bermuda domain. Because it is in VTP client mode, no VLAN changes can be performed from the console.
Scenario 3 Answers
1. All bundled ports must have the same set of allowed VLANs, the same native VLAN, the same trunk encapsulation, and the same trunk mode. (In addition, the switch ports all must have identical speed and duplex settings.)
2. You can use the following configuration commands:
CatalystA(config)# interface range gigabitethernet 3/1 - 4
CatalystA(config-if)# channel-protocol pagp
CatalystA(config-if)# channel-group 1 mode desirable
3. The Catalyst 6500 default algorithm is the XOR of the source and destination IP addresses, using the port-channel load-balance src-dst-ip command.
4. Most of the traffic crossing the EtherChannel will have the same two MAC addresses as source or destination—that of the two Layer 3 interfaces. Therefore, the src-dst-mac algorithm will always use only one of the four links within the EtherChannel. The source and destination IP addresses, however, probably will be varied and will yield the best distribution.
Scenario 4 Answers
1. The spanning-tree topology should look like the diagram in Figure 20-9. Catalyst A is the root bridge, and only the 1000-Mbps link is forwarding. The root ports (RP) and designated ports (DP) are labeled on the diagram.
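The root-bridge election and port-role assignment for the two-switch network can be reproduced with the 802.1D short path costs. The Python below is an added example, not the book's code; it takes the bridge IDs and port speeds from Figure 20-4 and assumes that the fa1/1 pair is the 10-Mbps link.

```python
"""Classic (802.1D) spanning-tree computation for Scenario 4.

Added example, not from the book. Bridge IDs and link speeds come from
Figure 20-4; treating the fa1/1 pair as the 10-Mbps link is an assumption.
"""
from dataclasses import dataclass

# IEEE 802.1D short path costs, as used by Catalyst switches.
PATH_COST = {10: 100, 100: 19, 1000: 4}

@dataclass
class Link:
    ends: dict   # switch name -> port name on that switch
    mbps: int

SWITCHES = {
    "Catalyst A": "32768.00-d0-58-a3-83-c9",
    "Catalyst B": "32768.00-d0-58-a3-83-ca",
}
LINKS = [
    Link({"Catalyst A": "fa1/1", "Catalyst B": "fa1/1"}, 10),
    Link({"Catalyst A": "fa1/2", "Catalyst B": "fa1/2"}, 100),
    Link({"Catalyst A": "g2/1", "Catalyst B": "g2/1"}, 1000),
]

def bridge_id_key(bid: str) -> tuple:
    """Lower priority wins the election, then the lower MAC address."""
    prio, mac = bid.split(".", 1)
    return int(prio), mac.replace("-", "").lower()

def compute_stp(switches: dict, links: list) -> tuple:
    """Return (root bridge, roles) where roles maps 'switch:port' to
    'designated', 'root' or 'blocking'.

    With two switches every port on the root bridge is designated. The other
    bridge picks one root port: lowest root path cost, and on a tie the lowest
    root-bridge port ID (simplified here to the root-side port name).
    """
    root = min(switches, key=lambda s: bridge_id_key(switches[s]))
    (other,) = [s for s in switches if s != root]
    best = min(links, key=lambda l: (PATH_COST[l.mbps], l.ends[root]))
    roles = {}
    for l in links:
        roles[f"{root}:{l.ends[root]}"] = "designated"
        roles[f"{other}:{l.ends[other]}"] = "root" if l is best else "blocking"
    return root, roles

def without_port(links: list, switch: str, port: str) -> list:
    """Links remaining after the given port is disconnected (exercises 2 and 3)."""
    return [l for l in links if l.ends[switch] != port]

if __name__ == "__main__":
    root, roles = compute_stp(SWITCHES, LINKS)
    print("root bridge:", root)
    for port, role in sorted(roles.items()):
        print(f"  {port:18} {role}")
```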