AAA
aaa new-model
aaa authentication login default group radius local
username test password 0 cisco
radius server Test
 address ipv4 1.2.1.2 auth-port 1812 acct-port 1813
 key aaa

ip dhcp snooping configuration
UDLD
Normal mode: when UDLD detects that an interface has become unidirectional, it generates a syslog message and marks the port as having an undetermined state.
STP
Which of the following correctly identifies the name and duration of the Spanning-tree timer that governs how long a port remains in the Listening and Learning states? Forward Delay timer, 15 seconds
Portfast
May be enabled across all Access Ports with a single command. May not be enabled on interfaces operating as VLAN Trunks.
MSTI and IST
802.1d
All interfaces on a switch are in VLAN 2. That switch is running the 802.1d STP. When that switch receives a Topology Change BPDU from the Root Bridge, what action will it take? All dynamic MAC addresses learned in VLAN 2 will have their Aging Timer modified to match the value of the Spanning-Tree Forwarding Delay.
802.1s
IEEE MST Boundary ports:
• The switch is connected to another switch running 802.1w.
• The switch is connected to another switch running 802.1d.
• The switch is connected to another switch in a different MST Region.
802.1w
IEEE Rapid Spanning-Tree
Blocking state: Alternate, Backup
Why do ports transition to the Blocking state?
• Alternate: received a BPDU from a different switch.
• Backup: received a BPDU from itself.
Rapid-PVST allows any Bridge to send a Topology Change BPDU, whereas PVST+ restricts this action solely to the Root Bridge.
Loopguard
PVLAN
If using VTP v1 or v2, your switch must be in VTP Transparent mode. The Spanning-tree BPDU Guard feature is automatically enabled on PVLAN Host ports.
Switchport Security
Restrict: discards frames that cause a violation and increments the Security Violation counter. Protect: silently discards violating frames without incrementing the counter. Shutdown (the default mode): places the port that experienced the violation into the err-disabled state.
IP Source Guard
By default, IP Source Guard relies on the DHCP snooping binding database to perform its verification. IP Source Guard must be enabled on individual interfaces.
FHRP
All routers participating in the FHRP use the same virtual IP address.
VRRP: IP protocol 112. If five routers, all connected to the same broadcast domain, are running VRRP, one of those routers will be servicing packets from hosts, and that router is called the VRRP Master Router.
HSRP: HSRP sends its packets to the IP destination address 224.0.0.2. If five routers, all connected to the same broadcast domain, are running HSRP, one of those routers will be servicing packets from hosts, and that router is called the HSRP Active Router.
VLANs
Default 1, 1002, 1005
PVLAN
Isolated port
Communicates only with promiscuous ports
Promiscuous port
Communicates with all other ports
Community
Communicates with other members of the community and all promiscuous ports
Example
vtp mode transparent
!
vlan 600
 private-vlan community
vlan 400
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 400,600
!
interface f5/1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 400
interface range f5/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 200 600
interface f5/4
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 400,600
interface g0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
! Private VLAN Edge (protected ports)
interface f0/1
 switchport protected
interface f0/2
 switchport protected
!
show vlan private-vlan type
show vlan private-vlan
show interface f0/1 switchport
GLBP
Allows full use of resources on all devices without the administrative burden of creating multiple groups. Provides a single virtual IP address and multiple virtual MAC addresses. Routes traffic to single gateway distributed across routers. Provides automatic rerouting in the event of any failure.
Supports up to 1024 groups.
The AVG load balances traffic.
GLBP group members elect one AVG. The AVG assigns a virtual MAC address to each member of the group. The AVG replies to ARP requests from clients with different virtual MAC addresses, thus achieving load balancing. Each router becomes an AVF for frames that are addressed to its virtual MAC address.
AVG
Active Virtual Gateway
AVF
Active Virtual Forwarder
Multicast: 224.0.0.102
Sw(config)# track 90 interface f0/24 line-protocol
Sw(config)# track 91 interface f0/23 line-protocol
Sw(config)# interface vlan 10
Sw(config-if)# ip address 10.1.10.2 255.255.255.0
Sw(config-if)# glbp 1 ip 10.1.10.1
Sw(config-if)# glbp 1 weighting 110 lower 85 upper 105
Sw(config-if)# glbp 1 timers msec 200 msec 700
Sw(config-if)# glbp 1 preempt delay minimum 300
Sw(config-if)# glbp 1 authentication md5 key-string xyz123
Sw(config-if)# glbp 1 weighting track 90 decrement 10
Sw(config-if)# glbp 1 weighting track 91 decrement 20
GLBP and VLAN Spanning
Both distribution switches act as a default gateway. A blocked uplink causes traffic to take a less-than-optimal path.
Job Aids
These job aids are available to help you complete the lab activity.

Scenario
CCNP.com is a small company that is installing an enterprise network that consists of three routers and six switches that are supporting seven hosts and an FTP server. The company has decided to implement a local VLAN model, and it has implemented a routed core level—CR1, CR2, and CR3. The distribution level (DSW1 and DSW2) and the access level (ASW1, ASW2, ASW3, and ASW4) are operating with Layer 2 switching.

Interswitch Connectivity
Layer 2 interswitch links have been configured as trunks that use dot1q encapsulation. Trunks between switches are operating as routed interfaces.

VLAN Implementation
CCNP.com has established the following VLANs:

VLANs
VLAN No.  Name
10        ASW1
20        ASW2
30        ASW3
40        ASW4
99        Unassigned_Port_VLAN
Layer 3 Implementation
CCNP.com is using EIGRP as the routing process with an AS of 10. IP address assignments were allocated from the following table:

IP Addressing
Segment          IP Address       Notes
CR1—loopback 0   172.16.0.1/32
CR2—loopback 0   172.16.0.2/32
CR3—loopback 0   172.16.0.3/32
VLAN 1           172.16.0.16/28   CR2—172.16.0.17/28 (e0/1.1); CR3—172.16.0.18/28 (e0/1.1); DSW1—172.16.0.19/28; DSW2—172.16.0.20/28; ASW1—172.16.0.21/28; ASW2—172.16.0.22/28; ASW3—172.16.0.23/28; ASW4—172.16.0.24/28
VLAN 10          172.16.10.0/24   CR2—172.16.10.254/24 (e0/1.10); CR3—172.16.10.253/24 (e0/1.10); H11 and H12—assigned by DHCP
VLAN 20          172.16.20.0/24   CR2—172.16.20.254/24 (e0/1.20); CR3—172.16.20.253/24 (e0/1.20); H21 and H22—assigned by DHCP
VLAN 30          172.16.30.0/24   CR2—172.16.30.254/24 (e0/1.30); CR3—172.16.30.253/24 (e0/1.30); H31 and H32—assigned by DHCP
VLAN 40          172.16.40.0/24   CR2—172.16.40.254/24 (e0/1.40); CR3—172.16.40.253/24 (e0/1.40); FTP server—172.16.40.1/24; H41—assigned by DHCP

Note: For testing purposes, the host devices in this lab are based on Cisco IOS Software.

Switch Access Controls
All switches support remote access through a Telnet session. The username and password for remote access are Remote_User and Enter_Remote, respectively.

Universal IP Connectivity
A ping from any device to all addresses on all devices must be successful.
Lab Tasks
Using the information in the Job Aids section, create an implementation and verification plan to implement your solution. A sample implementation and verification plan form is provided. After completing the implementation and verification plan, use that plan to successfully implement your solution.

Implementation Task List
Task No.  Task  Implementation Command(s)  Verification Command(s)  Notes
Task 1: Configure and Verify GLBP
Users on VLAN 10 are complaining that they intermittently lose the ability to access any host that is not on VLAN 10. Analysis of this issue has found that the issue is encountered when either CR2 or DSW1 are shut down for maintenance. Further analysis has found that the issue is related to the default router that DHCP is providing the host. The DHCP server configuration on CR1 is as follows:

CR1#sh run | sec dhcp
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.10.253 172.16.10.254
ip dhcp excluded-address 172.16.20.253 172.16.20.254
ip dhcp excluded-address 172.16.30.253 172.16.30.254
ip dhcp excluded-address 172.16.40.1
ip dhcp excluded-address 172.16.40.254
ip dhcp pool VLAN_10
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.254
ip dhcp pool VLAN_20
 network 172.16.20.0 255.255.255.0
 default-router 172.16.20.254
ip dhcp pool VLAN_30
 network 172.16.30.0 255.255.255.0
 default-router 172.16.30.253
ip dhcp pool VLAN_40
 network 172.16.40.0 255.255.255.0
 default-router 172.16.40.253
CR1#
The DHCP server is sending a default router of 172.16.10.254 to all the hosts on VLAN 10. When either CR2 or DSW1 are shut down for maintenance, this address cannot be reached by the host.
There are several ways that a LAN client can determine which router should be the first hop to a particular remote destination. The client can use a dynamic process or static configuration. Examples of dynamic discovery are as follows:
• Proxy ARP: The client uses ARP to get to the destination that it wants to reach, and a router will respond to the ARP request with its own MAC address.
• Routing protocol: The client listens to dynamic routing protocol updates (for example, from RIP) and forms its own routing table.
• ICMP Router Discovery Protocol (IRDP) client: The client runs an ICMP router discovery client.
• DHCP: DHCP provides a mechanism for passing configuration information to hosts on a TCP/IP network. A host that runs a DHCP client requests configuration information from a DHCP server when it boots onto the network. This configuration information typically comprises an IP address and a default gateway.
The drawback to dynamic discovery protocols is that they incur some configuration and processing overhead on the LAN client. Also, in case of a router failure, the process of switching to another router can be slow. There is no mechanism within DHCP for switching to an alternative router if the default gateway fails.

An alternative to dynamic discovery protocols is to statically configure a default router on the client. This approach simplifies client configuration and processing, but it creates a single point of failure. If the default gateway fails, the LAN client is limited to communicating only on the local IP network segment and is cut off from the rest of the network.

GLBP protects data traffic from a failed router or circuit, like HSRP and VRRP, while allowing packet load sharing between a group of redundant routers. The GLBP feature provides automatic router backup for IP hosts that are configured with a single default gateway on an IEEE 802.3 LAN. Multiple first-hop routers on the LAN combine to offer a single virtual first-hop IP router while sharing the IP packet forwarding load. Other routers on the LAN may act as redundant GLBP routers that will become active if any of the existing forwarding routers fail.

GLBP performs a function for the user that is similar, but not identical, to HSRP and VRRP. HSRP and VRRP protocols allow multiple routers to participate in a virtual router group that is configured with a virtual IP address. One member is elected to be the active router to forward packets that are sent to the virtual IP address for the group. The other routers in the group are redundant until the active router fails. These standby routers have unused bandwidth that the protocol is not using. Although multiple virtual router groups can be configured for the same set of routers, the hosts must be configured for different default gateways, which results in an extra administrative burden.
GLBP provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets. GLBP members communicate between each other through hello messages that are sent every 3 seconds to the multicast address 224.0.0.102, UDP port 3222 (source and destination).

Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. Other group members provide backup for the AVG in case the AVG becomes unavailable. The AVG assigns a virtual MAC address to each member of the GLBP group. Each gateway assumes responsibility for forwarding packets that are sent to the virtual MAC address that is assigned to it by the AVG. These gateways are known as active virtual forwarders (AVFs) for their virtual MAC address. The AVG is responsible for answering ARP requests for the virtual IP address. Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.

CR2 is the AVG for a GLBP group and is responsible for the virtual IP address 172.16.10.254. CR2 is also an AVF for the virtual MAC address 0007.b400.0101. CR3 is a member of the same GLBP group and is designated as the AVF for the virtual MAC address 0007.b400.0102. Client 11 has a default gateway IP address of 172.16.10.254 and a gateway MAC address of 0007.b400.0101. Client 12 shares the same default gateway IP address, but it receives the gateway MAC address 0007.b400.0102 because CR3 is sharing the traffic load with CR2. If CR2 becomes unavailable, Client 11 will not lose access to the WAN, because CR3 will assume responsibility for forwarding packets that are sent to the virtual MAC address of CR2, and for responding to packets that are sent to its own virtual MAC address. CR3 will also assume the role of the AVG for the entire GLBP group.
Communication for the GLBP members continues despite the failure of a router in the GLBP group.

GLBP Virtual MAC Address Assignment
A GLBP group allows up to four virtual MAC addresses per group. The AVG is responsible for assigning the virtual MAC addresses to each member of the group. Other group members request a virtual MAC address after they discover the AVG through hello messages. Gateways are assigned the next MAC address in sequence. A virtual forwarder that is assigned a virtual MAC address by the AVG is known as a primary virtual forwarder. Other members of the GLBP group learn the virtual MAC addresses from hello messages. A virtual forwarder that has learned the virtual MAC address is referred to as a secondary virtual forwarder.

GLBP Virtual Gateway Redundancy
GLBP operates virtual gateway redundancy in the same way as HSRP. One gateway is elected as the AVG, another gateway is elected as the standby virtual gateway, and the remaining gateways are placed in a listen state. If an AVG fails, the standby virtual gateway will assume responsibility for the virtual IP address. A new standby virtual gateway is then elected from the gateways in the listen state.

GLBP Virtual Forwarder Redundancy
Virtual forwarder redundancy is similar to virtual gateway redundancy with an AVF. If the AVF fails, one of the secondary virtual forwarders in the listen state assumes responsibility for the virtual MAC address. The new AVF is also a primary virtual forwarder for a different forwarder number. GLBP migrates hosts away from the old forwarder number, using two timers that start as soon as the gateway changes to the active virtual forwarder state. GLBP uses the hello messages to communicate the current state of the timers. The redirect time is the interval during which the AVG continues to redirect hosts to the old virtual forwarder MAC address. When the redirect time expires, the AVG stops redirecting hosts to the virtual forwarder, although the virtual forwarder will continue to forward packets that were sent to the old virtual forwarder MAC address. The secondary hold time is the interval during which the virtual forwarder is valid. When the secondary hold time expires, the virtual forwarder is removed from all gateways in the GLBP group. The expired virtual forwarder number becomes eligible for reassignment by the AVG.

CCNP.com has decided to implement GLBP on VLAN 10 as a solution to the default gateway issue. CR2 should be the primary router.

Task 2: Configure and Verify GLBP Load Sharing
CCNP.com has analyzed the traffic in its network. The study indicates that the best configuration for the network is to have DSW1 as the master root bridge and DSW2 as the backup root bridge for VLANs 10, 20, and 30. DSW2 should be the master root bridge and DSW1 should be the backup root bridge for VLAN 40. Configure spanning tree to implement this scheme.

With HSRP and VRRP, the active router is the gateway for all traffic; therefore, selection of the active router is important. With GLBP, the gateway function is distributed by the AVG to the members of the group, which means that a single router is no longer the sole gateway. However, there is overhead that is related to the function of the AVG. The AVG function should be distributed as well. Configure the GLBP groups to implement the following scheme:
• CR2 should be the primary AVG for all hosts on VLANs 10, 20, 30, and 40.
• CR3 should be the primary AVG for the FTP server.
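The AVG/AVF behaviour described above (virtual MAC assignment, ARP-based load sharing, takeover of a failed forwarder's MAC, and the redirect and secondary hold timers), as an added Python model written for this page; it is not part of the Cisco lab. The timer values, the fixed group size of four, and the rule that the oldest surviving member acts as AVG are assumptions of the model.

```python
"""Model of GLBP gateway load sharing and forwarder failover (added example).

Follows the text: the AVG assigns one virtual MAC per forwarder in the
0007.b400.xxyy form (xx = group, yy = forwarder number), answers ARP for the
virtual IP with a different MAC each time, and, when a gateway fails, another
member takes over its MAC while the redirect and secondary hold timers age the
old forwarder number out.  Timer values and the AVG election rule are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

MAX_FORWARDERS = 4   # a GLBP group allows up to four virtual MAC addresses


def virtual_mac(group: int, forwarder: int) -> str:
    """Virtual MAC in the format the text uses: 0007.b400.<group><forwarder> (hex octets)."""
    return f"0007.b400.{group:02x}{forwarder:02x}"


@dataclass
class Forwarder:
    number: int
    mac: str
    active: str                              # gateway currently forwarding for this MAC
    redirect_until: Optional[float] = None   # AVG keeps handing the MAC out until then
    hold_until: Optional[float] = None       # forwarder is removed from the group then


@dataclass
class GlbpGroup:
    group: int
    vip: str
    redirect_time: float = 600.0       # assumed redirect timer (seconds)
    secondary_hold: float = 14400.0    # assumed secondary hold timer (seconds)
    gateways: list = field(default_factory=list)    # join order; first one acts as AVG
    forwarders: list = field(default_factory=list)
    rr_index: int = 0

    def avg(self) -> str:
        """Simplification: the oldest surviving member is the AVG (priority not modelled)."""
        return self.gateways[0]

    def join(self, gateway: str) -> Optional[str]:
        """A gateway discovers the AVG and is assigned the lowest free forwarder number/MAC."""
        self.gateways.append(gateway)
        used = {f.number for f in self.forwarders}
        free = [n for n in range(1, MAX_FORWARDERS + 1) if n not in used]
        if not free:
            return None        # group is full: the member stays a secondary forwarder only
        fwd = Forwarder(free[0], virtual_mac(self.group, free[0]), active=gateway)
        self.forwarders.append(fwd)
        return fwd.mac

    def expire(self, now: float) -> None:
        """Remove forwarders whose secondary hold time ran out; their numbers become free."""
        self.forwarders = [f for f in self.forwarders
                           if f.hold_until is None or now < f.hold_until]

    def arp_reply(self, now: float) -> str:
        """AVG answers an ARP request for the VIP, rotating over the MACs still redirectable."""
        self.expire(now)
        eligible = [f for f in self.forwarders
                    if f.redirect_until is None or now < f.redirect_until]
        if not eligible:               # only aged-out takeovers left: hand out any valid MAC
            eligible = self.forwarders
        fwd = eligible[self.rr_index % len(eligible)]
        self.rr_index += 1
        return fwd.mac

    def forwarder_for(self, mac: str, now: float) -> Optional[str]:
        """Gateway that currently forwards frames sent to this virtual MAC (None once aged out)."""
        self.expire(now)
        for f in self.forwarders:
            if f.mac == mac:
                return f.active
        return None

    def fail(self, gateway: str, now: float) -> None:
        """A gateway goes down: a surviving member takes over its MAC(s) and both timers start."""
        self.gateways.remove(gateway)
        if not self.gateways:
            raise RuntimeError("no surviving gateway in the group")
        for f in self.forwarders:
            if f.active == gateway:
                f.active = self.gateways[0]
                f.redirect_until = now + self.redirect_time
                f.hold_until = now + self.secondary_hold
```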
Task 3: Configure GLBP to Track the Status of an Interface
With GLBP enabled, there are several fault conditions that need to be addressed. Disable the e0/0 interface on CR2, and do a traceroute from H11 to the loopback interface of CR1.

H11#trace 172.16.0.1
Type escape sequence to abort.
Tracing the route to CR1_loo0 (172.16.0.1)
  1 172.16.10.252 4 msec 0 msec 4 msec
  2 CR1_e0_0 (172.16.1.1) 0 msec * 4 msec
H11#

CR2(config-if)#int e0/0
CR2(config-if)#shut
CR2(config-if)#
*Aug 4 19:38:21.502: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 172.16.1.1 (Ethernet0/0) is down: interface down
CR2(config-if)#
*Aug 4 19:38:23.510: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
*Aug 4 19:38:24.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
CR2(config-if)#

H11#trace 172.16.0.1
Type escape sequence to abort.
Tracing the route to CR1_loo0 (172.16.0.1)
  1 172.16.10.252 4 msec 0 msec 0 msec
  2 172.16.10.252 !H * !H
H11#
The trace fails. When a packet arrives at CR2, CR2 cannot forward the packet because its only route to CR1 is through the e0/0 interface. Note: Depending on the gateway MAC address that is provided by the AVG, this fault condition may appear on either H11 or H12. Re-enable e0/0 on CR2. Configure the GLBP group to handle the following conditions:
• If the e0/0 interface on CR2 is up and e0/0 on CR3 is up, CR2 should be the master router.
• If the e0/0 interface on CR2 is down and e0/0 on CR3 is up, CR3 should be the master router.
• If the e0/0 interface on CR2 is up and e0/0 on CR3 is down, CR2 should be the master router.
• If the e0/0 interface on CR2 is down and e0/0 on CR3 is down, CR2 should be the master router.
Task 4: Configure GLBP to Monitor an IP Route
CCNP.com has added a Layer 3 link between CR2 and CR3. Enable this link using an IP address of 172.16.1.9/30 for the e0/2 interface on CR2 and an IP address of 172.16.1.10/30 for the e0/2 interface on CR3. The GLBP group for VLAN 20 should use CR2 and CR3 as AVFs as long as they have an IP route to the loopback address of CR1.

Task 5: Configure GLBP to Monitor Reachability
Configure the GLBP group for VLAN 30 to use CR2 as an AVF under the following conditions:
• A ping can be successfully performed from CR2 to the following addresses on CR1:
  ○ 172.16.200.1
  ○ 172.16.201.1
  ○ 172.16.202.1
• If CR2 relinquishes the AVF role, it cannot regain that role until pings are successful to at least two of the addresses.
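The weighting and threshold logic behind Tasks 3 to 5, as an added example written for this page (not part of the lab): it parses the glbp weighting lines in the form the final configurations use, derives the gateway weight from which tracked objects are down, and applies the lower/upper hysteresis that decides whether a gateway may keep or regain the AVF role. The default for an omitted upper threshold and the at-threshold comparison are assumptions noted in the code.

```python
"""GLBP weighting / threshold model (added example; not part of the lab text).

Weight = configured maximum minus the decrement of every tracked object that is
down.  A gateway gives up its AVF role when the weight falls below the lower
threshold and may take it back once the weight is at or above the upper
threshold.  Assumptions: at-threshold counts as 'above', and an omitted upper
threshold defaults to the configured maximum.
"""
import re
from dataclasses import dataclass, field

# Matches the two forms used in the lab's final configs, e.g.
#   glbp 30 weighting 200 lower 51 upper 149
#   glbp 30 weighting track 30 decrement 50
WEIGHT_RE = re.compile(r"glbp (\d+) weighting (\d+)(?: lower (\d+))?(?: upper (\d+))?$")
TRACK_RE = re.compile(r"glbp (\d+) weighting track (\d+) decrement (\d+)$")


@dataclass
class Weighting:
    group: int
    maximum: int = 100          # IOS default weighting when none is configured
    lower: int = 1              # IOS default lower threshold
    upper: int = 100            # assumed default: equal to the maximum
    decrements: dict = field(default_factory=dict)   # track object -> decrement
    is_avf: bool = True         # start with the gateway holding its AVF role

    def weight(self, down):
        """Current weight given the set of tracked object numbers that are down."""
        return self.maximum - sum(d for obj, d in self.decrements.items() if obj in down)

    def update(self, down):
        """Apply the hysteresis and return whether the gateway may act as AVF."""
        w = self.weight(down)
        if self.is_avf and w < self.lower:
            self.is_avf = False
        elif not self.is_avf and w >= self.upper:
            self.is_avf = True
        return self.is_avf


def parse_weighting(stanza, group):
    """Build a Weighting from the glbp lines of one interface stanza (other groups ignored)."""
    w = Weighting(group)
    for raw in stanza:
        line = raw.strip()
        m = WEIGHT_RE.match(line)
        if m and int(m.group(1)) == group:
            w.maximum = int(m.group(2))
            w.lower = int(m.group(3)) if m.group(3) else 1
            w.upper = int(m.group(4)) if m.group(4) else w.maximum
            continue
        m = TRACK_RE.match(line)
        if m and int(m.group(1)) == group:
            w.decrements[int(m.group(2))] = int(m.group(3))
    return w


def avf_capable(gateways, down_by_gateway):
    """Run one update on every gateway and list those that may currently act as AVF."""
    return [name for name, w in gateways.items() if w.update(down_by_gateway.get(name, set()))]


# Constructed input: the VLAN 10 and VLAN 30 stanzas as they appear in the final CR2/CR3 configs.
CR2_VLAN10 = ["interface Ethernet0/1.10", " glbp 10 ip 172.16.10.254", " glbp 10 priority 150",
              " glbp 10 preempt", " glbp 10 weighting 150 lower 140",
              " glbp 10 weighting track 10 decrement 11"]
CR3_VLAN10 = ["interface Ethernet0/1.10", " glbp 10 ip 172.16.10.254",
              " glbp 10 weighting 145 lower 144", " glbp 10 weighting track 10 decrement 2"]
CR2_VLAN30 = ["interface Ethernet0/1.30", " glbp 30 ip 172.16.30.254",
              " glbp 30 weighting 200 lower 51 upper 149",
              " glbp 30 weighting track 30 decrement 50",
              " glbp 30 weighting track 31 decrement 50",
              " glbp 30 weighting track 32 decrement 50"]


def task3_states():
    """Task 3: which VLAN 10 gateways stay AVF-capable as e0/0 (track 10) goes down on each.

    An empty list means no gateway meets its own threshold; which router then keeps
    forwarding is decided by the protocol (priority, preempt) and is not modelled here.
    """
    gws = {"CR2": parse_weighting(CR2_VLAN10, 10), "CR3": parse_weighting(CR3_VLAN10, 10)}
    return {
        "both up": avf_capable(gws, {}),
        "CR2 down": avf_capable(gws, {"CR2": {10}}),
        "CR3 down": avf_capable(gws, {"CR3": {10}}),
        "both down": avf_capable(gws, {"CR2": {10}, "CR3": {10}}),
    }
```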
© 1992-2016 Cisco Systems, Inc. All rights reserved.
Pasted from <https://cll1.cisco.com/content/xtrac/1>
Final Configs
Links to final configuration: CR1 Configuration, CR2 Configuration, CR3 Configuration, DSW1 Configuration, DSW2 Configuration

CR1 Configuration
CR1#show running-config
Building configuration...
Current configuration : 2474 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CR1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone PST 0
no ip domain lookup
ip domain name CCNP.com
ip host CR1_e0_0 172.16.1.1
ip host CR1_e0_1 172.16.1.5
ip host CR1_loo0 172.16.0.1
ip host CR2_e0_0 172.16.1.2
ip host CR2_VLAN1 172.16.0.17
ip host CR2_VLAN30 172.16.30.254
ip host CR2_VLAN40 172.16.40.254
ip host CR3_e0_0 172.16.1.6
ip host CR3_VLAN1 172.16.0.18
ip host CR3_VLAN10 172.16.10.253
ip host CR3_VLAN20 172.16.20.253
ip host DSW1_VLAN1 172.16.0.19
ip host DSW2_VLAN1 172.16.0.20
ip host ASW1_VLAN1 172.16.0.21
ip host ASW2_VLAN1 172.16.0.22
ip host ASW3_VLAN1 172.16.0.23
ip host ASW4_VLAN1 172.16.0.24
ip host FTP_Server 172.16.40.1
ip host VLAN10 172.16.20.254
ip host VLAN30 172.16.30.253
ip host VLAN40 172.16.40.253
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.10.253 172.16.10.254
ip dhcp excluded-address 172.16.20.253 172.16.20.254
ip dhcp excluded-address 172.16.30.253 172.16.30.254
ip dhcp excluded-address 172.16.40.1
ip dhcp excluded-address 172.16.40.254
ip dhcp excluded-address 172.16.10.252
ip dhcp excluded-address 172.16.20.252
ip dhcp excluded-address 172.16.30.252
ip dhcp excluded-address 172.16.40.252
ip dhcp excluded-address 172.16.40.251
!
ip dhcp pool VLAN_10
   network 172.16.10.0 255.255.255.0
   default-router 172.16.10.254
!
ip dhcp pool VLAN_20
   network 172.16.20.0 255.255.255.0
   default-router 172.16.20.254
!
ip dhcp pool VLAN_30
   network 172.16.30.0 255.255.255.0
   default-router 172.16.30.254
!
ip dhcp pool VLAN_40
   network 172.16.40.0 255.255.255.0
   default-router 172.16.40.254
!
multilink bundle-name authenticated
!
username Remote_User privilege 15 password 0 Enter_Remote
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
interface Ethernet0/0
 description link to CR2
 ip address 172.16.1.1 255.255.255.252
!
interface Ethernet0/1
 description link to CR3
 ip address 172.16.1.5 255.255.255.252
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
router eigrp 10
 network 172.16.0.0
 auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input all
!
end
CR1#
CR2 Configuration
CR2#show running-config
Building configuration...
Current configuration : 3674 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CR2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone PST 0
no ip domain lookup
ip domain name CCNP.com
ip host CR1_e0_0 172.16.1.1
ip host CR1_e0_1 172.16.1.5
ip host CR1_loo0 172.16.0.1
ip host CR2_e0_0 172.16.1.2
ip host CR2_VLAN1 172.16.0.17
ip host CR2_VLAN30 172.16.30.254
ip host CR2_VLAN40 172.16.40.254
ip host CR3_e0_0 172.16.1.6
ip host CR3_VLAN1 172.16.0.18
ip host CR3_VLAN10 172.16.10.253
ip host CR3_VLAN20 172.16.20.253
ip host DSW1_VLAN1 172.16.0.19
ip host DSW2_VLAN1 172.16.0.20
ip host ASW1_VLAN1 172.16.0.21
ip host ASW2_VLAN1 172.16.0.22
ip host ASW3_VLAN1 172.16.0.23
ip host ASW4_VLAN1 172.16.0.24
ip host FTP_Server 172.16.40.1
ip host VLAN10 172.16.20.254
ip host VLAN30 172.16.30.253
ip host VLAN40 172.16.40.253
!
multilink bundle-name authenticated
!
username Remote_User privilege 15 password 0 Enter_Remote
archive
 log config
  hidekeys
!
track 10 interface Ethernet0/0 line-protocol
!
track 20 ip route 172.16.0.1 255.255.255.255 reachability
!
track 30 rtr 30
!
track 31 rtr 31
!
track 32 rtr 32
!
interface Loopback0
 ip address 172.16.0.2 255.255.255.255
!
interface Ethernet0/0
 description link to CR1
 ip address 172.16.1.2 255.255.255.252
!
interface Ethernet0/1
 description link to DSW1
 no ip address
!
interface Ethernet0/1.1
 description VLAN 1
 encapsulation dot1Q 1 native
 ip address 172.16.0.17 255.255.255.240
!
interface Ethernet0/1.10
 description VLAN 10
 encapsulation dot1Q 10
 ip address 172.16.10.252 255.255.255.0
 ip helper-address 172.16.1.1
 glbp 10 ip 172.16.10.254
 glbp 10 priority 150
 glbp 10 preempt
 glbp 10 weighting 150 lower 140
 glbp 10 weighting track 10 decrement 11
!
interface Ethernet0/1.20
 description VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.252 255.255.255.0
 ip helper-address 172.16.1.1
 glbp 20 ip 172.16.20.254
 glbp 20 priority 110
 glbp 20 preempt
 glbp 20 weighting 150 lower 140
 glbp 20 weighting track 20 decrement 11
!
interface Ethernet0/1.30
 description VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.252 255.255.255.0
 ip helper-address 172.16.1.1
 glbp 30 ip 172.16.30.254
 glbp 30 priority 110
 glbp 30 preempt
 glbp 30 weighting 200 lower 51 upper 149
 glbp 30 weighting track 30 decrement 50
 glbp 30 weighting track 31 decrement 50
 glbp 30 weighting track 32 decrement 50
!
interface Ethernet0/1.40
 description VLAN 40
 encapsulation dot1Q 40
 ip address 172.16.40.252 255.255.255.0
 ip helper-address 172.16.1.1
 glbp 40 ip 172.16.40.254
 glbp 40 priority 110
 glbp 40 preempt
 glbp 41 ip 172.16.40.253
!
interface Ethernet0/2
 description link to CR3
 ip address 172.16.1.9 255.255.255.252
!
interface Ethernet0/3
 no ip address
 shutdown
!
router eigrp 10
 passive-interface default
 no passive-interface Ethernet0/0
 no passive-interface Ethernet0/2
 network 172.16.0.0
 auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip sla 10
 icmp-echo 172.16.200.1 source-ip 172.16.10.252
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla 30
 icmp-echo 172.16.200.1 source-ip 172.16.10.252
 frequency 10
ip sla schedule 30 life forever start-time now
ip sla 31
 icmp-echo 172.16.201.1 source-ip 172.16.10.252
 frequency 10
ip sla schedule 31 life forever start-time now
ip sla 32
 icmp-echo 172.16.202.1 source-ip 172.16.10.252
 frequency 10
ip sla schedule 32 life forever start-time now
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input all
!
end
CR2#
CR3 Configuration
CR3#show running-config
Building configuration...
Current configuration : 3254 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CR3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone PST 0
no ip domain lookup
ip domain name CCNP.com
ip host CR1_e0_0 172.16.1.1
ip host CR1_e0_1 172.16.1.5
ip host CR1_loo0 172.16.0.1
ip host CR2_e0_0 172.16.1.2
ip host CR2_VLAN1 172.16.0.17
ip host CR2_VLAN30 172.16.30.254
ip host CR2_VLAN40 172.16.40.254
ip host CR3_e0_0 172.16.1.6
ip host CR3_VLAN1 172.16.0.18
ip host CR3_VLAN10 172.16.10.253
ip host CR3_VLAN20 172.16.20.253
ip host DSW1_VLAN1 172.16.0.19
ip host DSW2_VLAN1 172.16.0.20
ip host ASW1_VLAN1 172.16.0.21
ip host ASW2_VLAN1 172.16.0.22
ip host ASW3_VLAN1 172.16.0.23
ip host ASW4_VLAN1 172.16.0.24
ip host FTP_Server 172.16.40.1
ip host VLAN10 172.16.20.254
ip host VLAN30 172.16.30.253
ip host VLAN40 172.16.40.253
!
multilink bundle-name authenticated
!
username Remote_User privilege 15 password 0 Enter_Remote
archive
 log config
  hidekeys
!
track 10 interface Ethernet0/0 line-protocol
!
track 20 ip route 172.16.0.1 255.255.255.255 reachability
!
interface Loopback0
 ip address 172.16.0.3 255.255.255.255
!
interface Ethernet0/0
 description link to CR1
 ip address 172.16.1.6 255.255.255.252
!
interface Ethernet0/1
 description link to DSW2
 no ip address
!
interface Ethernet0/1.1
 description VLAN 1
 encapsulation dot1Q 1 native
 ip address 172.16.0.18 255.255.255.240
!
interface Ethernet0/1.10
 description VLAN 10
 encapsulation dot1Q 10
 ip address 172.16.10.253 255.255.255.0
 ip helper-address 172.16.1.1
 glbp 10 ip 172.16.10.254
 glbp 10 weighting 145 lower 144
 glbp 10 weighting track 10 decrement 2
!
interface Ethernet0/1.20
 description VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.253 255.255.255.0
 ip helper-address 172.16.1.1
 glbp 20 ip 172.16.20.254
 glbp 20 weighting 150 lower 140
 glbp 20 weighting track 20 decrement 11
!
interface Ethernet0/1.30
 description VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.253 255.255.255.0
 ip helper-address 172.16.1.1
 glbp 30 ip 172.16.30.254
!
interface Ethernet0/1.40
 description VLAN 40
 encapsulation dot1Q 40
 ip address 172.16.40.251 255.255.255.0
 ip helper-address 172.16.1.1
 glbp 40 ip 172.16.40.254
 glbp 41 ip 172.16.40.253
 glbp 41 priority 110
 glbp 41 preempt
!
interface Ethernet0/2
 description link to CR2
 ip address 172.16.1.10 255.255.255.252
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 no ip address
 shutdown
!
interface Ethernet2/0
 no ip address
 shutdown
!
interface Ethernet2/1
 no ip address
 shutdown
!
interface Ethernet2/2
 no ip address
 shutdown
!
interface Ethernet2/3
 no ip address
 shutdown
!
router eigrp 10
 passive-interface default
 no passive-interface Ethernet0/0
 no passive-interface Ethernet0/2
 network 172.16.0.0
 auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input all
!
end
CR3#
DSW1 Configuration
DSW1#show running-config
Building configuration...
Current configuration : 2935 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DSW1
!
boot-start-marker
boot-end-marker
!
username Remote_User privilege 15 password 0 Enter_Remote
no aaa new-model
clock timezone PST 0
ip subnet-zero
no ip routing
no ip domain-lookup
ip domain-name CCNP.com
ip host VLAN40 172.16.40.253
ip host VLAN30 172.16.30.253
ip host VLAN10 172.16.20.254
ip host FTP_Server 172.16.40.1
ip host ASW4_VLAN1 172.16.0.24
ip host ASW3_VLAN1 172.16.0.23
ip host ASW2_VLAN1 172.16.0.22
ip host ASW1_VLAN1 172.16.0.21
ip host DSW2_VLAN1 172.16.0.20
ip host DSW1_VLAN1 172.16.0.19
ip host CR3_VLAN20 172.16.20.253
ip host CR3_VLAN10 172.16.10.253
ip host CR3_VLAN1 172.16.0.18
ip host CR3_e0_0 172.16.1.6
ip host CR2_VLAN40 172.16.40.254
ip host CR2_VLAN30 172.16.30.254
ip host CR2_VLAN1 172.16.0.17
ip host CR2_e0_0 172.16.1.2
ip host CR1_loo0 172.16.0.1
ip host CR1_e0_1 172.16.1.5
ip host CR1_e0_0 172.16.1.1
!
vtp domain CCNP.com
vtp mode transparent
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10,20,30 priority 24576
spanning-tree vlan 40 priority 28672
!
vlan internal allocation policy ascending
!
vlan 10
 name ASW1
!
vlan 20
 name ASW2
!
vlan 30
 name ASW3
!
vlan 40
 name ASW4
!
vlan 99
 name Unassigned_Port_VLAN
!
interface Ethernet0/0
 description link to CR2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet0/1
 description link to DSW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet0/2
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet0/3
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet1/0
 description link to ASW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet1/1
 description link to ASW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet1/2
 description link to ASW3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet1/3
 description link to ASW4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet2/0
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet2/1
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet2/2
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet2/3
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Vlan1
 ip address 172.16.0.19 255.255.255.240
 no ip route-cache
!
ip classless
no ip http server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end
DSW1#
DSW2 Configuration
DSW2#show running-config
Building configuration...
*Apr 10 10:13:20.019: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 2935 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DSW2
!
boot-start-marker
boot-end-marker
!
username Remote_User privilege 15 password 0 Enter_Remote
no aaa new-model
clock timezone PST 0
ip subnet-zero
no ip routing
no ip domain-lookup
ip domain-name CCNP.com
ip host VLAN40 172.16.40.253
ip host VLAN30 172.16.30.253
ip host VLAN10 172.16.20.254
ip host FTP_Server 172.16.40.1
ip host ASW4_VLAN1 172.16.0.24
ip host ASW3_VLAN1 172.16.0.23
ip host ASW2_VLAN1 172.16.0.22
ip host ASW1_VLAN1 172.16.0.21
ip host DSW2_VLAN1 172.16.0.20
ip host DSW1_VLAN1 172.16.0.19
ip host CR3_VLAN20 172.16.20.253
ip host CR3_VLAN10 172.16.10.253
ip host CR3_VLAN1 172.16.0.18
ip host CR3_e0_0 172.16.1.6
ip host CR2_VLAN40 172.16.40.254
ip host CR2_VLAN30 172.16.30.254
ip host CR2_VLAN1 172.16.0.17
ip host CR2_e0_0 172.16.1.2
ip host CR1_loo0 172.16.0.1
ip host CR1_e0_1 172.16.1.5
ip host CR1_e0_0 172.16.1.1
!
vtp domain CCNP.com
vtp mode transparent
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10,20,30 priority 28672
spanning-tree vlan 40 priority 24576
!
vlan internal allocation policy ascending
!
vlan 10
 name ASW1
!
vlan 20
 name ASW2
!
vlan 30
 name ASW3
!
vlan 40
 name ASW4
!
vlan 99
 name Unassigned_Port_VLAN
!
interface Ethernet0/0
 description link to CR3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet0/1
 description link to DSW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet0/2
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet0/3
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet1/0
 description link to ASW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet1/1
 description link to ASW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet1/2
 description link to ASW3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet1/3
 description link to ASW4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet2/0
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet2/1
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet2/2
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Ethernet2/3
 switchport access vlan 99
 switchport mode access
 shutdown
 duplex auto
!
interface Vlan1
 ip address 172.16.0.20 255.255.255.240
 no ip route-cache
!
ip classless
no ip http server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input all
!
end
DSW2#
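The two running-configs above differ in one management-plane detail worth catching automatically: DSW1 restricts its VTY lines to `transport input ssh` while DSW2 leaves `transport input all`, and both carry a type-0 (plaintext) `username ... password 0 ...` line with `no service password-encryption`. The script below is an added example (not part of these notes or of Cisco's lab material) that parses an IOS running-config into top-level commands and their indented children and reports those weak settings. The config it audits is a constructed excerpt of the DSW2 lines shown above; the finding texts are this example's own wording.

```python
import re
from typing import Dict, List

# Constructed excerpt of the DSW2 running-config above (only the lines the audit cares about).
SAMPLE_CONFIG = """\
!
version 12.2
no service password-encryption
!
hostname DSW2
!
username Remote_User privilege 15 password 0 Enter_Remote
no aaa new-model
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input all
!
end
"""


def parse_sections(config: str) -> List[Dict]:
    """Split an IOS running-config into blocks: a top-level command and the
    indented lines that belong to it. '!' separators and blank lines are skipped."""
    sections: List[Dict] = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current["children"].append(raw.strip())
        else:
            current = {"header": raw.strip(), "children": []}
            sections.append(current)
    return sections


def audit(config: str) -> List[str]:
    """Return human-readable findings for weak management-plane settings."""
    sections = parse_sections(config)
    headers = [s["header"] for s in sections]
    findings: List[str] = []

    if "no service password-encryption" in headers:
        findings.append("service password-encryption is disabled")
    for h in headers:
        # 'password 0 <secret>' stores the secret in plaintext in the config
        m = re.match(r"username (\S+) .*\bpassword 0 ", h)
        if m:
            findings.append(f"user {m.group(1)} has a type-0 (plaintext) password")
    if "no aaa new-model" in headers:
        findings.append("AAA is not enabled; authentication is local-only")

    for s in sections:
        if not s["header"].startswith("line "):
            continue
        name, children = s["header"], s["children"]
        if "exec-timeout 0 0" in children:
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
        if name.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{name}: transport input is not restricted to ssh")
            if not any(c.startswith("login") for c in children):
                findings.append(f"{name}: no login method configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the full DSW1 config and the `transport input` finding disappears; the plaintext-password and `no service password-encryption` findings remain on both switches.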
Pasted from <https://cll1.cisco.com/content/xtrac/3#R2>
VRRP
Sw(config)# track 90 int f0/24 line-protocol
Sw(config)# int vlan 10
Sw(config-if)# ip add 10.1.10.2 255.255.255.
Sw(config-if)# vrrp 1 ip 10.1.10.1
Sw(config-if)# vrrp 1 priority 110
Sw(config-if)# vrrp 1 timers advertise msec 500
Sw(config-if)# vrrp 1 authentication md5 key-string xyz123
Sw(config-if)# vrrp 1 track 90 decrement 20
HSRP
Cisco proprietary.
Configuration:
Configure the E0/1 interface of R1 with the IP address and HSRP standby IP.
R1(config)# int e0/1
R1(config-if)# ip add 192.168.1.3 255.255.255.0
R1(config-if)# standby 1 ip 192.168.1.1
Configure the E0/1 interface of R2 with the IP address and HSRP standby IP.
R2(config)# int e0/1
R2(config-if)# ip add 192.168.1.2 255.255.255.0
R2(config-if)# standby 1 ip 192.168.1.1
"standby 1" refers to HSRP group 1. Verify with show ip arp.
Configuring HSRP Priority
The active router is elected based on the HSRP priority. Use a value between 0 and 255. The default priority is 100.
R2(config)# int e0/1
R2(config-if)# standby 1 priority 110
Configuring HSRP Pre-Empt
This configuration pre-empts the HSRP election if a device with a higher priority comes online. Disabled by default.
R1(config)# int e0/1
R1(config-if)# standby 1 preempt
R2(config)# int e0/1
R2(config-if)# standby 1 preempt
show standby
show standby brief
The tie-breaker is the highest IP address. The router with the higher priority becomes the active router.
Stackwise
show switch
show platform stack manager all
show switch stack-ports
NTP
Sw# clock set 12:13:00 10 January 2014
Sw# show clock
Sw# show calendar
Sw# show clock detail
Sw(config)# clock timezone EDT -5
Sw(config)# clock summer-time EDT recurring
Sw# clock update-calendar
NTP Modes:
Server: provides accurate time information to clients.
Client: synchronizes its time to the server. This mode is most suited for file-server and workstation clients that are not required to provide any form of time synchronization to other local clients. It can also provide accurate time to other devices.
Peer: peers exchange time synchronization information (symmetric mode).
Broadcast/multicast: special "push" mode of the NTP server, used only when time accuracy is not a big concern.
Server and client can be the same device.
System clock
Runs from the moment the system starts and keeps track of the current date and time. Can be set in three ways: NTP, SNTP, or manual configuration.
At startup the system clock is initialized from the internal battery-powered calendar, also called the hardware clock. The calendar is battery-powered and keeps the date and time across system restarts.
Configuration:
R1(config)# ntp server 209.165.200.187
R1# show ntp status
R1# show ntp associations
R1# show clock
R1# show clock detail
R1(config)# clock timezone EDT -5
R1(config)# clock summer-time EDT recurring
R1# show clock detail
Sw1(config)# ntp server 10.0.0.1 (points to the router)
Sw1(config)# clock timezone EDT -5
Sw1(config)# clock summer-time EDT recurring
Sw1# show ntp status
Sw2(config)# ntp server 10.0.0.1 (points to the router)
Sw2(config)# clock timezone EDT -5
Sw2(config)# clock summer-time EDT recurring
Sw2# show ntp status
Configure Sw1 and Sw2 as NTP peers:
Sw1(config)# ntp peer 172.16.0.12
Sw2(config)# ntp peer 172.16.0.11
Sw1# show ntp associations
Sw2# show ntp associations
NTP is a flat hierarchy
Securing NTP
NTPServer(config)# ntp authentication-key 1 md5 MyPassword
NTPServer(config)# ntp authenticate
NTPServer(config)# ntp trusted-key 1
NTPClient(config)# ntp authentication-key 1 md5 MyPassword
NTPClient(config)# ntp authenticate
NTPClient(config)# ntp trusted-key 1
NTPClient(config)# ntp server 10.0.1.22 key 1
Configures Core1 to peer only with sources permitted by access-list 1:
Core1(config)# access-list 1 permit 10.0.1.0 0.0.255.255
Core1(config)# ntp access-group peer 1
Configures Core1 to answer synchronization requests only from devices in the 10.1.0.0/16 subnet:
Core1(config)# access-list 1 permit 10.1.0.0 0.0.255.255
Core1(config)# ntp access-group serve-only 1
Both examples reuse access-list 1; on a single device give the peer and serve-only lists different numbers, otherwise the second permit is simply appended to the first list.
Access lists should only be configured on devices that peer with an external NTP source.
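What `ntp authentication-key N md5`, `ntp trusted-key N` and `ntp authenticate` actually do on the wire is show in the added example below; it is not from these notes or from Cisco. It is modeled on the RFC 5905 MAC: the 48-byte NTP header is followed by a 4-byte key identifier and MD5 over the key bytes concatenated with the header. The key string, key ID 1 and the packet contents are constructed sample values; the example ignores extension fields and treats the key string as raw ASCII bytes, which is an assumption about the device implementation.

```python
import hashlib
import hmac
import struct
from typing import Dict

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key identifier + MD5 digest


def build_ntp_client_packet(transmit_ts: int = 0) -> bytes:
    """48-byte NTPv4 header with LI=0, VN=4, Mode=3 (client).
    All fields except the transmit timestamp are left at zero for the demo."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(
        "!BBBb11I",
        li_vn_mode, 0, 0, 0,                # LI/VN/Mode, stratum, poll, precision
        0, 0, 0,                            # root delay, root dispersion, reference id
        0, 0, 0, 0, 0, 0,                   # reference, origin and receive timestamps
        transmit_ts >> 32, transmit_ts & 0xFFFFFFFF,
    )


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Client side of 'ntp server <addr> key <id>': append key id + MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message: bytes, trusted_keys: Dict[int, bytes]) -> bool:
    """Server side with 'ntp authenticate': accept only messages that carry a MAC
    whose key id is in the trusted set and whose digest matches. An unauthenticated
    48-byte packet is rejected outright."""
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False
    packet = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = message[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)          # 'ntp trusted-key' list
    if key is None:
        return False
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    trusted = {1: b"MyPassword"}            # ntp authentication-key 1 md5 MyPassword
    request = authenticate(build_ntp_client_packet(0x1234567890ABCDEF), 1, b"MyPassword")
    print("authenticated request accepted:", verify(request, trusted))
    print("unauthenticated request accepted:", verify(request[:NTP_HEADER_LEN], trusted))
```

Note that this MAC proves knowledge of the shared key, not freshness: replay protection and any time-integrity guarantee still depend on the timestamps inside the header, and MD5 keys should be rotated like any other shared secret.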
NTP Source Address
Configures Loopback 0 as the source address for NTP communication. A loopback stays up regardless of physical interface state, which ensures reachability.
NTPServer(config)# ntp source Loopback 0
NTP Versions
Versions 3 and 4 are current.
Version 4 is for IPv6.
NTPv4 introduces better security.
NTPv3 uses broadcast messages; NTPv4 uses multicast messages.
NTPv4 is backward compatible with NTPv3.
NTP in an IPv6 Environment
NTPv4 can use IPv6.
Sw(config)# ntp server 2001:db8:0::8:800:200c:417a version 4
Sw# show clock
Sw# show clock detail
Sw# show ntp associations
Sw# show ntp associations detail
Sw# show ntp status
Sw# debug ntp events
Simple Network Time Protocol SNTP
Uses a subset of NTP functionality. It is a receive-only mechanism, usually for low-end devices. SNTP and NTP cannot coexist on the same device because they use the same port number. SNTP can only receive the time from an NTP server; it cannot be used to provide time services to other systems.
SNTP Configuration
Allows the software clock to be synchronized by an SNTP time server.
Sw(config)# sntp authenticate
Sw(config)# sntp authentication-key 1 md5 c1sc0
Sw(config)# sntp trusted-key 1
Sw(config)# sntp server 172.16.22.44
Sw# show sntp
SPAN
Switched Port Analyzer
SPAN session: association of a destination port with source ports.
Source VLAN: VLAN monitored for traffic analysis.
Ingress source port: traffic entering the port (from) is copied.
Egress source port: traffic leaving the port (to) is copied.
Destination port: the port the copies are sent out of, to the sniffer.
A source port can be configured as ingress and egress at the same time.
Configuration:
Sw1(config)# monitor session 1 source interface g0/1
Sw1(config)# monitor session 1 destination interface g0/2
Sw1# show monitor
RSPAN
Remote Switched Port Analyzer
Remote SPAN supports source and destination ports on different switches, while local SPAN supports only source and destination ports on the same switch. The trunk between the switches has to carry the RSPAN VLAN. RSPAN consists of the following:
RSPAN source session
RSPAN VLAN
RSPAN destination session
Configuration:
Sw1(config)# vlan 100
Sw1(config-vlan)# name SPAN-VLAN
Sw1(config-vlan)# remote-span
Sw1(config)# monitor session 2 source interface g0/1
Sw1(config)# monitor session 2 destination remote vlan 100
Sw2(config)# vlan 100
Sw2(config-vlan)# name SPAN-VLAN
Sw2(config-vlan)# remote-span
Sw2(config)# monitor session 3 destination interface g0/2
Sw2(config)# monitor session 3 source remote vlan 100
MST
Configuring MST
show spanning-tree summary
On a switch still in PVST mode this shows one spanning-tree instance per VLAN.
Configuring MST Regions:
Sw1(config)# spanning-tree mst configuration
Sw1(config-mst)# name CCNP
Sw1(config-mst)# revision 1
Sw2(config)# spanning-tree mst configuration
Sw2(config-mst)# name CCNP
Sw2(config-mst)# revision 1
Sw3(config)# spanning-tree mst configuration
Sw3(config-mst)# name CCNP
Sw3(config-mst)# revision 1
Mapping VLANs to MST Instances
Sw1(config)# spanning-tree mst configuration
Sw1(config-mst)# instance 1 vlan 2,3
Sw1(config-mst)# instance 2 vlan 4,5
Sw2(config)# spanning-tree mst configuration
Sw2(config-mst)# instance 1 vlan 2,3
Sw2(config-mst)# instance 2 vlan 4,5
Sw3(config)# spanning-tree mst configuration
Sw3(config-mst)# instance 1 vlan 2,3
Sw3(config-mst)# instance 2 vlan 4,5
All other VLANs are mapped to instance 0 by default. The name, revision and VLAN-to-instance mapping must be identical on every switch, otherwise they form separate MST regions.
Configuring MST Switch Priority
Sw1(config)# spanning-tree mst 1 root primary
Sw1(config)# spanning-tree mst 2 root secondary
Sw2(config)# spanning-tree mst 1 root secondary
Sw2(config)# spanning-tree mst 2 root primary
Sw1(config)# spanning-tree mode mst
Sw2(config)# spanning-tree mode mst
Sw3(config)# spanning-tree mode mst
Changes the mode to MST.
Sw1# show spanning-tree summary
Switch is in MST mode (IEEE standard). Shows how many MST instances are active.
Sw1(config)# spanning-tree mst configuration
Sw1(config-mst)# show current
Shows the revision number, the instances configured and the VLANs in each instance.
Sw1# show spanning-tree mst configuration digest
Shows the digest, name, revision number and how many instances are configured. The digest is carried back and forth within the BPDU and must match between switches.
Sw1# show spanning-tree mst 1
Shows the port roles for each port.
To change the MST port priority:
Sw1(config)# int f0/0
Sw1(config-if)# spanning-tree mst 1 port-priority 32
Sw1# show spanning-tree mst 1
MST uses the same election as STP:
1. Lowest BID
2. Lowest root path cost
3. Lowest sender BID
4. Lowest sender port ID
As with any other STP, the default MST path cost is derived from the media speed of an interface. If a loop occurs, MST uses the cost to select the forwarding interface.
Sw1(config)# int f0/0
Sw1(config-if)# spanning-tree mst 1 cost 100000
Sw1# show spanning-tree mst
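The four election steps above and the `spanning-tree extend system-id` / `priority 24576` lines in the DSW1 and DSW2 configs earlier on this page combine into one comparison, worked through in the added example below (this is an illustration written for these notes, not Cisco code). With the extended system ID the 16-bit priority field of the bridge ID is the configured priority plus the VLAN (or MST instance) number, which is why priorities must be multiples of 4096. The DSW MAC addresses are constructed placeholders because the page does not show them; the priorities are the ones from the configs, and VLAN 99 is included to show the default-priority tie being broken by the lower MAC.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True, order=True)
class BridgeID:
    """STP bridge ID: a 16-bit priority field followed by the 48-bit bridge MAC.
    With 'spanning-tree extend system-id' the priority field is the configured
    priority (a multiple of 4096) plus the VLAN number (PVST) or MST instance."""
    priority_field: int
    mac: str

    @classmethod
    def from_config(cls, priority: int, sys_id_ext: int, mac: str) -> "BridgeID":
        if priority % 4096 != 0 or not 0 <= priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
        if not 0 <= sys_id_ext <= 4095:
            raise ValueError("VLAN/instance number must fit in 12 bits")
        return cls(priority + sys_id_ext, mac.lower())


# (root BID, root path cost, sender BID, sender port ID): the four election steps, in order
Bpdu = Tuple[BridgeID, int, BridgeID, int]


def bpdu_is_superior(a: Bpdu, b: Bpdu) -> bool:
    """True if BPDU a beats b: lower root BID, then lower root path cost, then
    lower sender BID, then lower sender port ID. Identical BPDUs are not superior."""
    for field_a, field_b in zip(a, b):
        if field_a != field_b:
            return field_a < field_b
    return False


def elect_root(candidates: Dict[str, BridgeID]) -> str:
    """Step 1 on its own: the switch with the lowest bridge ID becomes root."""
    return min(candidates, key=lambda name: candidates[name])


# Priorities from the DSW1/DSW2 configs on this page; MACs are constructed placeholders.
DSW_MACS = {"DSW1": "00:00:00:00:00:01", "DSW2": "00:00:00:00:00:02"}
DSW_PRIORITIES = {
    "DSW1": {10: 24576, 20: 24576, 30: 24576, 40: 28672},
    "DSW2": {10: 28672, 20: 28672, 30: 28672, 40: 24576},
}
DEFAULT_PRIORITY = 32768  # VLANs without a 'spanning-tree vlan ... priority' line


def roots_per_vlan(vlans=(10, 20, 30, 40, 99)) -> Dict[int, str]:
    """Which DSW wins the per-VLAN root election under rapid-pvst."""
    result: Dict[int, str] = {}
    for vlan in vlans:
        candidates = {
            sw: BridgeID.from_config(DSW_PRIORITIES[sw].get(vlan, DEFAULT_PRIORITY), vlan, DSW_MACS[sw])
            for sw in DSW_MACS
        }
        result[vlan] = elect_root(candidates)
    return result


if __name__ == "__main__":
    for vlan, root in roots_per_vlan().items():
        print(f"VLAN {vlan}: root bridge is {root}")
```

The same comparison is what `root guard` relies on: a port that receives a BPDU superior to the current root's is the symptom that the election is about to move, which is why guarding the designated ports facing access switches matters.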
MST Protocol Migration
Move from STP to MST:
Identify edge ports.
Make sure that interswitch connections are configured as trunks and are not pruning any VLANs that are used in MST.
Decide how many STP instances you need and how to map them to VLANs.
Choose the region name and revision number.
Avoid mapping VLANs to instance 0.
Migrate the core and make your way down to the access switches.
Configuration of PortFast, BPDU guard, BPDU filter, root guard, and loop guard is the same as with PVST+.
CEF
- show ip cef
  - shows the output of the FIB
  - Next Hop column:
    - attached - directly attached
    - receive - an IP address that is assigned to this router
    - no route - no information
    - 2.2.2.2/32 10.1.1.2 Serial1/0 - leave out Serial1/0 via 10.1.1.2 to reach 2.2.2.2
- conf t
  - ip cef
    - enables CEF
  - ipv6 cef
    - enables IPv6 CEF
- show ip interface f0/1
  - shows whether CEF is enabled on the interface
- conf t
  - int f0/1
    - ip route-cache cef
- show ip interface f0/1
  - IP CEF should be enabled now
- show adjacency detail
Policy Based Routing
- Forwards based on the route-map configuration
  - Route map
    - MATCH
      - IP address
      - Range of packet lengths
    - SET
      - Next-hop IP address
      - Default next-hop IP address
      - Interface
      - Default interface
- conf t
  - route-map CLIENT1-TO-SERVER1
    - match ip address 100
    - set ip next-hop 203.0.113.1
    - exit
  - int f0/0
    - ip policy route-map CLIENT1-TO-SERVER1
- show route-map
IP SLA with object tracking
- conf t
  - ip sla 1
    - icmp-echo 203.0.113.5 source-ip 192.0.2.1
    - frequency 5
    - threshold 100
    - exit
- conf t
  - ip sla schedule 1 life forever start-time now
  - track 1 ip sla 1
    - delay down 10 up 10
  - ip route 198.51.100.0 255.255.255.0 203.0.113.5 track 1
  - ip route 198.51.100.0 255.255.255.0 203.0.113.1 2
- show ip route
- show track 1
- show ip sla statistics
- conf t
  - no ip sla 1
  - ip sla 1
    - icmp-echo 203.0.113.5 source-ip 192.0.2.1
    - frequency 5
    - threshold 10
  - ip sla schedule 1 life forever start-time now
- show track 1
  - should show "over threshold"
  - should show "state down"
- show ip route
  - the WAN route (via 203.0.113.1, administrative distance 2) is now used
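The IP SLA and tracked-static-route sequence above is easier to reason about as a small model, so here is an added example (written for these notes, not Cisco code) that reproduces it offline: a probe result is compared with the `threshold`, the track object only changes state after the `delay down 10 up 10` period has elapsed, the tracked route with administrative distance 1 is installed only while the track is up, and lookups use longest-prefix match over the installed routes, as CEF's FIB does. The prefixes, next hops, threshold values and probe frequency are the ones from the configuration above; the 20 ms round-trip time and the destination host 198.51.100.10 are constructed sample values, and the track is assumed to start in the up state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int = 1            # administrative distance; the floating backup uses a higher one
    track: Optional[int] = None  # 'ip route ... track N': installed only while track N is up

    def __post_init__(self) -> None:
        self.net = ipaddress.IPv4Network(self.prefix)


class SlaTrack:
    """Model of 'ip sla N icmp-echo ... threshold T' plus 'track N ip sla N' with
    'delay down X up Y'. A probe is OK when it answers within the threshold; the
    track state only flips after the new condition has persisted for the delay."""

    def __init__(self, threshold_ms: int, delay_down_s: int, delay_up_s: int) -> None:
        self.threshold_ms = threshold_ms
        self.delay = {False: delay_down_s, True: delay_up_s}
        self.state = True                    # assumption: the track starts up
        self.last_reason = "ok"              # what 'show track' would report
        self._pending_since: Optional[int] = None

    def probe(self, rtt_ms: Optional[int], now_s: int) -> bool:
        """Feed one probe result (None = timeout) taken at time now_s; return the track state."""
        if rtt_ms is None:
            ok, self.last_reason = False, "timeout"
        elif rtt_ms > self.threshold_ms:
            ok, self.last_reason = False, "over threshold"
        else:
            ok, self.last_reason = True, "ok"
        if ok == self.state:
            self._pending_since = None       # condition agrees with current state
            return self.state
        if self._pending_since is None:
            self._pending_since = now_s      # start the down/up delay timer
        if now_s - self._pending_since >= self.delay[ok]:
            self.state, self._pending_since = ok, None
        return self.state


class RoutingTable:
    def __init__(self, routes: List[StaticRoute], tracks: Dict[int, SlaTrack]) -> None:
        self.routes, self.tracks = routes, tracks

    def installed(self) -> List[StaticRoute]:
        """Like 'show ip route': per prefix, the lowest-distance candidate whose track is up."""
        best: Dict[str, StaticRoute] = {}
        for r in self.routes:
            if r.track is not None and not self.tracks[r.track].state:
                continue
            if r.prefix not in best or r.distance < best[r.prefix].distance:
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the installed routes; None means 'no route'."""
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.installed() if addr in r.net]
        if not matches:
            return None
        return max(matches, key=lambda r: r.net.prefixlen).next_hop


def simulate(threshold_ms: int, rtt_ms: int, seconds: int) -> List[str]:
    """Probe every 5 s ('frequency 5') at a constant RTT for `seconds`; return the
    next hop chosen for 198.51.100.10 after each probe."""
    track = SlaTrack(threshold_ms, delay_down_s=10, delay_up_s=10)
    table = RoutingTable(
        [
            StaticRoute("198.51.100.0/24", "203.0.113.5", 1, track=1),
            StaticRoute("198.51.100.0/24", "203.0.113.1", 2),   # floating static, the WAN route
        ],
        {1: track},
    )
    chosen = []
    for t in range(0, seconds + 1, 5):
        track.probe(rtt_ms, t)
        chosen.append(str(table.lookup("198.51.100.10")))
    return chosen


if __name__ == "__main__":
    print("threshold 100:", simulate(100, 20, 20))
    print("threshold 10: ", simulate(10, 20, 20))
```

With `threshold 100` every probe is within bounds and traffic keeps using 203.0.113.5; with `threshold 10` the first probe is already "over threshold", but the route only fails over to 203.0.113.1 once the 10-second down delay has passed, which is the behaviour the `show track 1` / `show ip route` steps above verify.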