switches; DSW1 and ASW2. The topology diagram indicates their Layer 2 mapping.
VLAN 40 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
- Users connecting to ASW1's port must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server.
- Packets from devices in any other address range should be dropped on VLAN 20.
The RADIUS server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a precondition to installing the servers. You must use the available IOS switch features.
The configuration:
Step 1: Console to ASW1 from PC console 1
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#exit
ASW1(config)#exit
ASW1#copy run start
That is all; I hope this is helpful for you. Best of luck for your BCMSN 642-812 exam.
【Lab Objective】
【Lab Topology】
【Lab Steps】
1. This lab can be completed using Layer 3 switches or routers. If routers are used, check the IOS version to make sure that it supports the HSRP protocol.
2. Configure PC1 and PC2 to simulate hosts, the configurations are as follows:
PC1(config)#no ip routing
PC1(config)#
PC1(config-if)#no shutdown
PC1(config-if)#exit
PC1(config)#
PC1(config)#exit
PC2(config)#no ip routing
PC2(config)#
PC2(config-if)#no shutdown
PC2(config-if)#exit
PC2(config)#
PC2(config)#exit
3. Use the ping command and the traceroute command on PC1 and PC2 to test whether the network
can be reached.
PC1#ping 10.1.1.1
!!!!!
PC1#
PC1#traceroute 10.1.1.1
PC1#
PC2#ping 10.1.1.1
!!!!!
PC2#
PC2#traceroute 10.1.1.1
R1(config-if)#shutdown
R1(config-if)#
5. Use the ping command and the traceroute command again on R1 and R2 to test:
PC1#ping 10.1.1.1
.....
PC1#
PC1#traceroute 10.1.1.1
1 * * *
2 * * *
3 * * *
.........
PC2#ping 10.1.1.1
!!!!!
PC2#
PC2#tr
PC2#traceroute 10.1.1.1
6. Although both routers can reach the destination network, the redundant devices are not fully used by default, so some users cannot access the network when a single node fails.
7. To solve this problem, configure VRRP on R1 and R2. The configurations are as follows:
R1(config)#interface fastEthernet 0/0
R1(config-if)#vrrp 1 ip 192.168.1.1
R1(config-if)#vrrp 1 preempt
R1(config-if)#
R1(config-if)#vrrp 2 ip 192.168.1.2
R1(config-if)#vrrp 2 preempt
R1(config-if)#exit
R1(config)#
R2(config)#interface fastEthernet 0/0
R2(config-if)#vrrp 1 ip 192.168.1.1
R2(config-if)#vrrp 1 preempt
R2(config-if)#
R2(config-if)#vrrp 2 ip 192.168.1.2
R2(config-if)#vrrp 2 preempt
R2(config-if)#exit
R2(config)#exit
R2#
8. Identify the IDs of different router groups by checking the summary information of VRRP groups
of the two routers:
R1#show vrrp
FastEthernet0/0 - Group 1
State is Master
Preemption enabled
FastEthernet0/0 - Group 2
State is Backup
Preemption enabled
Priority is 100
R2#show vrrp
FastEthernet0/0 - Group 1
State is Backup
Preemption enabled
Priority is 100
FastEthernet0/0 - Group 2
State is Master
Preemption enabled
9. Set the interface Fa0/0 on R1 DOWN again, the two routers will display the following
information:
R1(config-if)#shutdown
R1(config-if)#
10. Use the ping command and the traceroute command on R1 and R2 to confirm:
PC1#ping 10.1.1.1
!!!!!
PC1#
PC1#traceroute 10.1.1.1
!!!!!
PC2#
PC2#traceroute 10.1.1.1
11. Because two different VRRP groups are enabled in the network, network redundancy is guaranteed to a large extent. It is recommended to use the extended ping command on R1 and R2 to send packets to the destination network in order to observe the working process of VRRP. Use the following commands on R1 and R2 to debug; the detailed steps are not listed:
12. End.
【Lab Objectives】
1. Master the configuration methods of PAgP, the Cisco-proprietary link aggregation protocol.
2. Master the differences between the Layer 2 PAgP configuration and the Layer 3 PAgP configuration.
【Lab Topology】
【Lab Steps】
1. This lab uses two Cisco Catalyst 3750 Series switches; connect the cables between the switches according to the topology.
2. It is recommended to set interfaces Fa1/0/1 - 22 to shutdown status to ensure that the lab succeeds.
SW1#show spanning-tree
VLAN0001
Address 0014.a8e2.9880
Cost 19
Port 25 (FastEthernet1/0/23)
Address 0014.a8f1.9880
4. Although STP can avoid loops in the network, it can't make full use of the bandwidth of the redundant links. The link aggregation protocol PAgP can be used to solve this link bandwidth problem.
SW1(config-if-range)#switchport
SW1(config-if-range)#channel-protocol pagp
SW1(config-if-range)#exit
SW1(config)#exit
SW2(config)#interface range fastEthernet 1/0/23 - 24
SW2(config-if-range)#switchport
SW2(config-if-range)#channel-protocol pagp
SW2(config-if-range)#exit
SW2(config)#exit
6. An interface in PAgP Desirable mode actively enters the negotiation state, while one in Auto mode enters it passively.
7. After the two switches are configured properly, IOS shows the following information during configuration:
d - PAgP is down.
Local information:
Partner’s information:
SW1#
9. Use the show etherchannel port-channel command to check the aggregation group information:
Channel-group listing:
----------------------
Group: 1
----------
---------------------------
Port-channel: Po1
------------
Age of the Port-channel = 00d:00h:15m:37s
Protocol = PAgP
------+------+------+------------------+-----------
0 00 Fa1/0/23 Desirable-Sl 0
0 00 Fa1/0/24 Desirable-Sl 0
SW1#
I - stand-alone s - suspended
R - Layer3 S - Layer2
w - waiting to be aggregated
d - default port
Number of aggregators: 1
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) PAgP Fa1/0/23(P) Fa1/0/24(P)
SW1#
SW1#show spanning-tree
………
SW1#
12. Configure IP addresses on VLAN 1 of SW1 and SW2, and test the tolerance of the aggregation link.
SW1(config)#interface vlan 1
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW2(config)#interface vlan 1
SW2(config-if)#no shutdown
SW2(config-if)#exit
13. Use the ping command on R1 to test the connectivity between the two switches.
SW2#ping 192.168.1.1
!!!!!
SW2#
14. Use the extended ping command on SW2 to send ICMP packets to SW1 continuously to test the redundancy tolerance of the aggregated ports.
SW2#ping
Protocol [ip]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15. Manually shut down interface FastEthernet 1/0/23 or FastEthernet 1/0/24 of the aggregation group on SW1 and observe the ping feedback on SW2. The ping packets are not interrupted, which indicates that link aggregation effectively avoids the topology instability of a single link and solves the problem that, under spanning tree with redundant links, the link bandwidth cannot be fully used or load balanced.
16. The previous configuration is for Layer 2 PAgP link aggregation; the following configuration shows how to configure Layer 3 PAgP link aggregation.
SW1(config)#interface port-channel 1
SW1(config-if)#no switchport
SW1(config-if)#no shutdown
SW1(config-if)#exit
SW1(config)#
SW1(config)#
SW1(config-if-range)#no switchport
SW1(config-if-range)#channel-protocol pagp
SW1(config-if-range)#exit
SW1(config)#exit
SW1#
00:12:15: %EC-5-L3DONTBNDL1: Fa1/0/23 suspended: PAgP not enabled on the remote port.
SW2(config)#interface port-channel 1
SW2(config-if)#no switchport
SW2(config-if)#no shutdown
SW2(config-if)#exit
SW2(config)#
SW2(config-if-range)#no switchport
SW2(config-if-range)#channel-protocol pagp
SW2(config-if-range)#exit
SW2(config)#exit
SW2#
I - stand-alone s - suspended
R - Layer3 S - Layer2
w - waiting to be aggregated
d - default port
Number of aggregators: 1
------+-------------+-----------+-----------------------------------------------
SW2#
SW2#ping 192.168.1.1
.!!!!
19. Use steps 14 and 15 to test the tolerance of the Layer 3 PAgP aggregation link. The detailed steps are not listed.
20. End.
【Lab Objectives】
1. Understand the working principles of HSRP.
2. Master the HSRP configuration methods.
3. Understand the standby and track functions of HSRP.
【Lab Topology】
P4S-R1(config)#interface loopback 0
P4S-R1(config-if)#ip address 10.1.1.1 255.255.255.0
P4S-R1(config-if)#exit
P4S-R1(config)#
P4S-R1(config)#interface fastEthernet 0/0
P4S-R1(config-if)#ip address 192.168.1.2 255.255.255.0
P4S-R1(config-if)#no shutdown
P4S-R1(config-if)#exit
P4S-R1(config)#
P4S-R2(config)#interface loopback 0
P4S-R2(config-if)#ip address 10.1.1.1 255.255.255.0
P4S-R2(config-if)#exit
P4S-R2(config)#
P4S-R2(config)#interface fastEthernet 0/0
P4S-R2(config-if)#ip address 192.168.1.3 255.255.255.0
P4S-R2(config-if)#no shutdown
P4S-R2(config-if)#exit
P4S-R2(config)#
【Lab Steps】
1. This lab can be completed using Layer 3 switches or routers. If routers are used, check the IOS version to make sure that it supports the HSRP protocol.
R1(config)#interface loopback 0
R1(config-if)#exit
R1(config)#
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#
R2(config)#interface loopback 0
R2(config-if)#exit
R2(config)#
R2(config-if)#exit
R2(config)#
Note: Configure the IP addresses of the loopback interfaces on R1 and R2 as 10.1.1.1/24 to simulate hosts directly connected to R1 and R2.
3. Configure PC1 to simulate a client. To provide gateway redundancy, the gateway that PC1 points to is a virtual gateway address provided through the HSRP protocol.
PC1(config)#no ip routing
PC1(config)#
PC1(config-if)#no shutdown
PC1(config-if)#exit
PC1(config)#
PC1(config)#exit
PC1#
4. Use the ping command on PC1 to test whether the host of 10.1.1.1/24 can be reached.
PC1#ping 10.1.1.1
.....
5. Configure HSRP on R1 and R2 to provide gateway redundancy effectively; the configuration is as follows:
R1#show standby
FastEthernet0/0 - Group 1
FastEthernet0/0 - Group 1
7. Each router in the HSRP group has a priority. The priority decides which router becomes the ACTIVE router, the one that answers the clients' ARP requests. If you just enable HSRP and each router has the same priority, the interface with the higher IP address is selected as the ACTIVE router.
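The election and failover rules used in steps 7, 10 and 15 can be modelled in a few lines. The following Python is an added example, not part of the lab: it assumes the default priority of 100 and the 10 second hold time the text quotes, and replays the scenario with R1 at 192.168.1.2 and R2 at 192.168.1.3 (so R2 starts Active by the tie-break; the failure and recovery then follow the same rules with the roles swapped).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

HOLD_TIME = 10.0  # seconds; the HSRP default hold time the lab text quotes


@dataclass
class Router:
    name: str
    ip: str                  # interface address, used as the election tie-breaker
    priority: int = 100      # HSRP default priority
    preempt: bool = False    # True once 'standby 1 preempt' is configured
    up: bool = True
    last_hello: float = 0.0  # last time the group heard a Hello from it


def rank(r: Router):
    """Election key: highest priority wins; a higher IP address breaks a tie."""
    return (r.priority, int(IPv4Address(r.ip)))


class HsrpGroup:
    def __init__(self, routers: List[Router]):
        self.routers: Dict[str, Router] = {r.name: r for r in routers}
        self.active: Optional[str] = None

    def elect(self) -> str:
        live = [r for r in self.routers.values() if r.up]
        self.active = max(live, key=rank).name
        return self.active

    def fail(self, name: str, at: float) -> None:
        """Interface goes down at time `at`; no Hellos are sent after this."""
        self.routers[name].up = False
        self.routers[name].last_hello = at

    def tick(self, now: float) -> str:
        """Return the router the group treats as Active at time `now`."""
        act = self.routers[self.active]
        if not act.up:
            # The standby promotes itself only after the hold time expires;
            # until then frames sent to the virtual gateway are lost.
            if now - act.last_hello >= HOLD_TIME:
                return self.elect()
            return self.active
        # Active is healthy: a better-ranked router takes over only if it
        # has preempt configured; without it the recovered router waits.
        for r in self.routers.values():
            if r.up and r.preempt and rank(r) > rank(act):
                self.active, act = r.name, r
        return self.active


def lab_scenario() -> List[str]:
    """Equal priorities, then one failure and recovery, as in steps 7 to 16."""
    g = HsrpGroup([Router("R1", "192.168.1.2"), Router("R2", "192.168.1.3")])
    seen = [g.elect()]           # R2: same priority, higher IP (.3 > .2)
    g.fail("R2", at=0.0)
    seen.append(g.tick(5.0))     # R2 still Active: hold time not yet expired
    seen.append(g.tick(10.0))    # R1 promotes itself after 10 s
    g.routers["R2"].up = True    # R2's interface comes back (no preempt yet)
    seen.append(g.tick(20.0))    # R1 stays Active, as R2 did in step 14
    g.routers["R2"].preempt = True
    seen.append(g.tick(21.0))    # with preempt the better router reclaims Active
    return seen
```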
8. Use the ping command and the traceroute command on the PC1 client to track the router:
PC1#ping 10.1.1.1
!!!!!
PC1#
PC1#traceroute 10.1.1.1
PC1#show arp
PC1#
10. Use the extended ping command to send more packets to 10.1.1.1 and manually set interface Fa0/0 on R1 to down status; observe the HSRP redundancy:
R1(config-if)#shutdown
PC1#ping
Protocol [ip]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!…..!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
From the above output, PC1 temporarily can't reach the 10.1.1.0/24 network due to the fault of interface Fa0/0 on R1. In addition, R2 no longer receives the Hello packets sent by the Active router because of that fault. When R2's hold time (10 seconds by default) expires, R2 promotes itself to the Active router; this conclusion can be drawn from the following information:
11. Here, use the ping command and the traceroute command again on PC1 to confirm that the
routers and the destination hosts can be reached:
PC1>ping 10.1.1.1
!!!!!
PC1>
PC1>traceroute 10.1.1.1
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#
14. After waiting for some time, check HSRP group information on R1 and R2 again.
R1#show standby
FastEthernet0/0 - Group 1
15. If router R1 has better performance and R2 is only used as the backup router, R1 should take back the ARP response and Layer 3 routing tasks after it recovers. To achieve this, configure R1 with a higher priority and enable HSRP preemption (standby preempt).
R1(config-if)#standby 1 preempt
R1(config-if)#exit
R1(config)#
16. At this moment, the router R1 will give the following prompt information:
R1#
00:55:55: %STANDBY-6-STATECHANGE: FastEthernet0/0 Group 1 state Standby -> Active
17. Check the HSRP group information on R2:
R2#show standby
FastEthernet0/0 - Group 1
R2#
18. HSRP can implement both redundancy for the downlink and monitoring of the uplink; it can dynamically change the Active role to keep the gateway reliable. The following shows how to configure the track function of HSRP on interfaces.
R1(config-if)#standby 1 preempt
R1(config-if)#exit
R1(config)#
R2(config)#interface fastEthernet 0/0
R2(config-if)#standby 1 preempt
R2(config-if)#
19. Manually set the loopback 0 interface on R1 down, and then observe the prompted information
given by the system:
R1#conf t
R1(config)#
R1(config)#interface loopback 0
R1(config-if)#shutdown
R1(config-if)#
R1(config-if)#
01:09:58: SB1: Fa0/0 Active: j/Coup rcvd from higher pri router (100/192.168.1.3)
FastEthernet0/0 - Group 1
R1#
R2#show standby
FastEthernet0/0 - Group 1
21. End.
Switch(config)#aaa new-model
Switch(config)#radius-server host {hostname | ip-address} [key string]
Switch(config)#aaa authentication dot1x default group radius
Enable 802.1x on the switch:
Switch(config)#dot1x system-auth-control
Switch(config)# interface type mod/num
Switch(config-if)#dot1x port-control {force-authorized | forceunauthorized
| auto}
Switch(config)#aaa new-model
Switch(config)#radius-server host 10.1.1.1 key BigSecret
Switch(config)#radius-server host 10.1.1.2 key AnotherBigSecret
Switch(config)#aaa authentication dot1x default group radius
Switch(config)#dot1x system-auth-control
Switch(config)#interface range FastEthernet0/1 - 40
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#dot1x port-control auto
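As an added check (not from the page or from Cisco), the following Python audits an IOS running-config against the template above: it looks for the three global commands, at least one radius-server host, and `dot1x port-control auto` on every access port. The running-config fragment, its address and its key are constructed samples.

```python
from typing import Dict, List

# Global commands the template above requires before any port can authenticate.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)

# Constructed running-config fragment; address and key are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.0.2.10 key EXAMPLE-KEY
aaa authentication dot1x default group radius
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 dot1x port-control force-authorized
!
interface GigabitEthernet0/1
 switchport mode trunk
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'interface X' stanza."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return blocks


def audit_dot1x(config: str) -> List[str]:
    """List where a running-config falls short of the 802.1X template."""
    findings: List[str] = []
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for cmd in REQUIRED_GLOBAL:
        if cmd not in top:
            findings.append("global: missing '%s'" % cmd)
    # Legacy 'radius-server host' syntax, as used on this page.
    if not any(l.startswith("radius-server host ") for l in top):
        findings.append("global: no radius-server host defined")
    for name, body in parse_interfaces(config).items():
        if "switchport mode access" not in body:
            continue  # trunks and uplinks are outside port-based authentication
        ctl = [l for l in body if l.startswith("dot1x port-control")]
        if not ctl:
            findings.append("%s: access port without dot1x port-control" % name)
        elif ctl[0] != "dot1x port-control auto":
            findings.append("%s: '%s' skips the 802.1X exchange" % (name, ctl[0]))
    return findings
```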
You can also configure the switch to use DHCP option 82, the DHCP Relay Agent Information option,
For hosts that don't use DHCP, you can configure a static IP source binding with the following configuration command:
Switch(config)#ip source binding mac-address vlan vlan-id ip-address interface type mod/num
Next, enable IP Source Guard on one or more switch interfaces with the following configuration commands:
Switch(config)#interface type mod/num
Switch(config-if)#ip verify source [port-security]
By default, all switch ports associated with the VLAN range are considered to be untrusted.
If you have hosts with statically configured IP address information, there will be no DHCP message exchange that can be inspected. Instead, you can configure an ARP access list that defines the static MAC-IP address bindings that are permitted. Use the following configuration commands to define the ARP access list and one or more static entries:
Switch(config)#arp access-list acl-name
Switch(config-acl)#permit ip host sender-ip mac host sender-mac [log]
[Repeat the previous command
Now the ARP access list must be applied to DAI with the following configuration command:
Switch(config)#ip arp inspection filter arp-acl-name vlan vlan-range [static]
To validate that an ARP reply packet is really coming from the address listed inside it, you can enable DAI validation with the following configuration command:
Switch(config)#ip arp inspection validate {[src-mac] [dst-mac] [ip]}
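To see what the ARP ACL and the validate keywords actually enforce, the following Python is an added example (not from the page): it parses `permit ip host ... mac host ...` entries, then checks constructed ARP replies the way DAI would, including the optional src-mac, dst-mac and ip validations. The hosts, MACs and gateway address are constructed sample values.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# Constructed ARP access list in the syntax shown above (sample values).
ARP_ACL = """
arp access-list STATIC-HOSTS
 permit ip host 192.168.10.11 mac host 0011.2233.4455
 permit ip host 192.168.10.12 mac host 0011.2233.4466
"""


@dataclass
class ArpFrame:
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    op: str          # "request" or "reply"
    sender_mac: str  # remaining fields come from the ARP body
    sender_ip: str
    target_mac: str
    target_ip: str


def norm_mac(mac: str) -> str:
    """Cisco dotted (0011.2233.4455) and colon forms compare as one value."""
    return re.sub(r"[.:-]", "", mac).lower()


def parse_arp_acl(text: str) -> Dict[str, str]:
    """Collect 'permit ip host <ip> mac host <mac>' entries as {ip: mac}."""
    pat = re.compile(r"permit ip host (\S+) mac host (\S+)")
    found = (pat.search(line) for line in text.splitlines())
    return {m.group(1): norm_mac(m.group(2)) for m in found if m}


def bogus_ip(ip: str) -> bool:
    """Addresses the 'ip' validation rejects inside an ARP body."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def inspect(f: ArpFrame, acl: Dict[str, str],
            validate: Tuple[str, ...] = ()) -> Optional[str]:
    """Return None if DAI would forward the frame, else the drop reason."""
    # Static-binding check: the sender IP/MAC pair must be permitted by the ACL.
    if acl.get(f.sender_ip) != norm_mac(f.sender_mac):
        return "binding: %s is not bound to %s" % (f.sender_ip, f.sender_mac)
    # Optional checks, one per 'ip arp inspection validate' keyword.
    if "src-mac" in validate and norm_mac(f.eth_src) != norm_mac(f.sender_mac):
        return "src-mac: Ethernet source differs from ARP sender MAC"
    if ("dst-mac" in validate and f.op == "reply"
            and norm_mac(f.eth_dst) != norm_mac(f.target_mac)):
        return "dst-mac: Ethernet destination differs from ARP target MAC"
    if "ip" in validate and (bogus_ip(f.sender_ip)
                             or (f.op == "reply" and bogus_ip(f.target_ip))):
        return "ip: invalid sender or target IP address"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Three constructed replies for host .11 run through every check."""
    acl, checks = parse_arp_acl(ARP_ACL), ("src-mac", "dst-mac", "ip")
    gw, ip11 = "00aa.bbcc.dd01", "192.168.10.11"   # constructed values
    frames = {  # name: (Ethernet source MAC, ARP sender MAC)
        "good": ("0011.2233.4455", "0011.2233.4455"),
        "unbound": ("0011.2233.4499", "0011.2233.4499"),
        "forged_header": ("0011.2233.4499", "0011.2233.4455"),
    }
    return {k: inspect(ArpFrame(src, gw, "reply", snd, ip11, gw, "192.168.10.1"),
                       acl, checks) for k, (src, snd) in frames.items()}
```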
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 30
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20,30
Switch(config-vlan)# exit
Switch(config)# interface range fastethernet 1/1 - 1/2
Switch(config-if)# switchport private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 10
Switch(config)# interface range fastethernet 1/4 - 1/5
Associate Secondary VLANs to a Primary VLAN SVI
On switched virtual interfaces, or VLAN interfaces configured with Layer 3 addresses, you
must configure some additional private VLAN mapping. Consider the SVI for the primary VLAN,
VLAN 100, that has an IP address and participates in routing traffic. Secondary VLANs 40 (an
isolated VLAN) and 50 (a community VLAN) are associated at Layer 2 with primary VLAN 100
using the configuration in Example 16-3.
Primary VLAN 200 can forward traffic at Layer 3, but the secondary VLAN associations with it
are good at only Layer 2. To allow Layer 3 traffic switching coming from the secondary VLANs
as well, you must add a private VLAN mapping to the primary VLAN (SVI) interface, using the
following interface configuration command:
Switch(config-if)# private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
The primary VLAN SVI function is extended to the secondary VLANs instead of requiring SVIs
for each of them. If some mapping already has been configured for the primary VLAN SVI, you
can add (add) or remove (remove) secondary VLAN mappings individually.
Switch(config-if)# switchport private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 20
Switch(config)# interface fastethernet 1/3
Switch(config-if)# switchport private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 30
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20,30
Switch(config)# vlan 40
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 50
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 40,50
Switch(config-vlan)# exit
Switch(config)# interface vlan 200
Switch(config-if)# ip address 192.168.199.1 255.255.255.0