Acme is a small shipping company that has an existing enterprise network comprised of two
switches, DSW1 and ASW1. The topology diagram indicates their Layer 2 mapping.
VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the
server. For security reasons, it is necessary to restrict access to VLAN 20 in the
following manner:

- Users connecting to ASW1's port must be authenticated before they are given access to
the network. Authentication is to be done via a RADIUS server:

- RADIUS server host: 172.120.39.46

- RADIUS key: rad123

- Authentication should be implemented as close to the host device as possible.

- Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.

- Packets from devices in the address range 172.120.40.0/24 should be passed on
VLAN 20.

- Packets from devices in any other address range should be dropped on VLAN 20.

- Filtering should be implemented as close to the server farm as possible.

The RADIUS server and application servers will be installed at a future date. You have
been tasked with implementing the above access control as a pre-condition to installing
the servers. You must use the available IOS switch features.

The configuration:

Step 1: Console to ASW1 from PC console 1. "As close to the host device as possible" means
802.1X on the access port itself: ASW1 is the authenticator and the RADIUS server is the
authentication server.

ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start

Two things to keep in mind outside the exam: aaa new-model also places console and vty
logins under AAA, so on a real switch define a local fallback login method before saving,
and the RADIUS shared secret is kept in the running configuration, so treat the saved
config as sensitive.

Step 2: Console to DSW1 from PC console 2. "As close to the server farm as possible" means
a VLAN access map (VACL) applied to VLAN 20 on the distribution switch.

DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 20
DSW1(config)#end
DSW1#copy run start

Sequence 10 forwards packets whose source address is permitted by ACL 10; sequence 20 has
no match clause, so it matches everything that falls through and drops it.
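To see how the Step 2 filter behaves before any server exists, here is an added Python model of the VACL evaluation. It is example code written for this page, not IOS code and not part of the original lab. It implements Cisco wildcard-mask matching and walks the access-map sequences in order, treating a sequence without a match clause as matching everything; the sample source addresses are constructed, and the function and class names are this example's own.

```python
"""Model of the 'vlan access-map PASS' from Step 2 applied to sample packets.

Added example for this page, not part of the original lab.  It reproduces two
IOS behaviours: a standard ACL's wildcard mask (0 bit = must match, 1 bit =
ignored) and a VLAN access-map walking its sequences in order, where the
first sequence whose ACL permits the packet decides the action and a sequence
without a match clause matches everything.
"""
from __future__ import annotations

from ipaddress import IPv4Address
from typing import Dict, List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    """One access-control entry of a standard ACL."""
    permit: bool
    network: str
    wildcard: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set to 0 in the wildcard must match."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


def acl_result(acl: List[Ace], src: str) -> Optional[bool]:
    """True/False from the first ACE that matches; None means no ACE matched."""
    for ace in acl:
        if wildcard_match(src, ace.network, ace.wildcard):
            return ace.permit
    return None


# Each sequence is (acl or None, action).  'match ip address 10' is satisfied
# only when the ACL *permits* the packet; a deny or no match falls through to
# the next sequence, and a sequence without a match clause matches all.
Sequence = Tuple[Optional[List[Ace]], str]


def vacl_action(access_map: List[Sequence], src: str) -> str:
    for acl, action in access_map:
        if acl is None or acl_result(acl, src) is True:
            return action
    return "drop"  # implicit deny at the end of a VLAN access-map


# ip access-list standard 10 / permit 172.120.40.0 0.0.0.255
ACL_10 = [Ace(True, "172.120.40.0", "0.0.0.255")]

# vlan access-map PASS 10 (match ip address 10, action forward)
# vlan access-map PASS 20 (no match clause, action drop)
PASS_MAP: List[Sequence] = [(ACL_10, "forward"), (None, "drop")]


def filter_vlan20(sources: List[str]) -> Dict[str, str]:
    """Verdict for each source address as if it were seen on VLAN 20."""
    return {src: vacl_action(PASS_MAP, src) for src in sources}


if __name__ == "__main__":
    # Constructed sample sources: two inside the allowed range, two outside.
    for src, verdict in filter_vlan20(
        ["172.120.40.7", "172.120.40.255", "172.120.41.1", "10.0.0.5"]
    ).items():
        print(f"{src:>16} -> {verdict}")
```

On DSW1 itself, show vlan access-map and show vlan filter confirm the sequences and the VLAN the map is attached to. The model also makes one property explicit: a packet that the ACL denies does not "match" the sequence, it falls through, so the explicit drop in sequence 20 and the implicit drop at the end of the map give the same result here.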

That is all; hope this is helpful for you. Best of luck on your BCMSN 642-812 exam.

By admin | April 3, 2009

【Lab Objective】

Master the configuration of Layer3 redundancy with VRRP for gateways

【Lab Topology】

【Lab Steps】

1. This lab can be completed with Layer 3 switches or routers; if routers are used, check the IOS
version to make sure that it supports VRRP.

2. Configure PC1 and PC2 to simulate hosts, the configurations are as follows:

PC1(config)#no ip routing

PC1(config)#

PC1(config)#interface fastEthernet 0/0

PC1(config-if)#ip address 192.168.1.10 255.255.255.0

PC1(config-if)#no cdp enable

PC1(config-if)#no shutdown

PC1(config-if)#exit

PC1(config)#

PC1(config)#ip default-gateway 192.168.1.1

PC1(config)#exit
PC2(config)#no ip routing

PC2(config)#

PC2(config)#interface fastEthernet 0/0

PC2(config-if)#ip address 192.168.1.20 255.255.255.0

PC2(config-if)#no cdp enable

PC2(config-if)#no shutdown

PC2(config-if)#exit

PC2(config)#

PC2(config)#ip default-gateway 192.168.1.2

PC2(config)#exit
3. Use the ping command and the traceroute command on PC1 and PC2 to test whether the network
can be reached.

PC1#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/72 ms

PC1#

PC1#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

1 192.168.1.1 12 msec * 96 msec

PC1#
PC2#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/293/1084 ms

PC2#

PC2#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

1 192.168.1.2 120 msec * 72 msec

4. Set the interface FA0/0 on R1 DOWN

R1(config)#interface fastEthernet 0/0

R1(config-if)#shutdown

R1(config-if)#

5. Use the ping command and the traceroute command again on PC1 and PC2 to test:

PC1#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

…..

Success rate is 0 percent (0/5)

PC1#

PC1#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

1***

2***

3***

………
PC2#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/128/160 ms

PC2#

PC2#tr

PC2#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

1 192.168.1.2 112 msec * 96 msec

6. Although both routers can reach the destination network, the redundant devices are not fully
used by default: each PC depends on a single physical gateway, so when that node fails its users
lose access to the network (PC1 above) while the users behind the other gateway are unaffected.

7. In order to solve this problem, configure VRRP on R1 and R2, the configurations are as follows:

R1(config)#interface fastEthernet 0/0


R1(config-if)#vrrp 1 ip 192.168.1.1

R1(config-if)#vrrp 1 priority 200

R1(config-if)#vrrp 1 preempt

R1(config-if)#

R1(config-if)#vrrp 2 ip 192.168.1.2

R1(config-if)#vrrp 2 priority 100

R1(config-if)#vrrp 2 preempt

R1(config-if)#exit

R1(config)#
R2(config)#interface fastEthernet 0/0

R2(config-if)#vrrp 1 ip 192.168.1.1

R2(config-if)#vrrp 1 priority 100

R2(config-if)#vrrp 1 preempt

R2(config-if)#

R2(config-if)#vrrp 2 ip 192.168.1.2

R2(config-if)#vrrp 2 priority 200

R2(config-if)#vrrp 2 preempt

R2(config-if)#exit

R2(config)#exit

R2#

8. Check the VRRP group summary on both routers. Each router is Master for the group whose
virtual address is its own interface address (the address owner runs at priority 255 regardless
of the configured 200) and Backup for the other group:

R1#show vrrp

FastEthernet0/0 - Group 1

State is Master

Virtual IP address is 192.168.1.1

Virtual MAC address is 0000.5e00.0101


Advertisement interval is 1.000 sec

Preemption enabled

Priority is 255 (cfgd 200)

Master Router is 192.168.1.1 (local), priority is 255

Master Advertisement interval is 1.000 sec

Master Down interval is 3.003 sec

FastEthernet0/0 - Group 2

State is Backup

Virtual IP address is 192.168.1.2

Virtual MAC address is 0000.5e00.0102

Advertisement interval is 1.000 sec

Preemption enabled

Priority is 100

Master Router is 192.168.1.2, priority is 255

Master Advertisement interval is 1.000 sec

Master Down interval is 3.609 sec (expires in 3.349 sec)


R2#show vrrp

FastEthernet0/0 - Group 1

State is Backup

Virtual IP address is 192.168.1.1

Virtual MAC address is 0000.5e00.0101

Advertisement interval is 1.000 sec

Preemption enabled

Priority is 100

Master Router is 192.168.1.1, priority is 255

Master Advertisement interval is 1.000 sec


Master Down interval is 3.609 sec (expires in 2.773 sec)

FastEthernet0/0 - Group 2

State is Master

Virtual IP address is 192.168.1.2

Virtual MAC address is 0000.5e00.0102

Advertisement interval is 1.000 sec

Preemption enabled

Priority is 255 (cfgd 200)

Master Router is 192.168.1.2 (local), priority is 255

Master Advertisement interval is 1.000 sec

Master Down interval is 3.003 sec

9. Set the interface Fa0/0 on R1 DOWN again, the two routers will display the following
information:

R1(config)#interface fastEthernet 0/0

R1(config-if)#shutdown

R1(config-if)#

*Jul 8 21:49:59.131: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Init

*Jul 8 21:49:59.135: %VRRP-6-STATECHANGE: Fa0/0 Grp 2 state Backup -> Init


R2#
*Jul 8 21:50:03.191: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master

10. Use the ping command and the traceroute command on PC1 and PC2 to confirm:

PC1#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 48/78/96 ms

PC1#
PC1#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

1 192.168.1.2 92 msec * 120 msec


PC2#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/172/452 ms

PC2#

PC2#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

1 192.168.1.2 132 msec * 168 msec

11. Because two VRRP groups are enabled on the segment, each router is Master for one group and
Backup for the other, so both routers carry traffic in normal operation and either can take over
the other's virtual address; redundancy is guaranteed to a large extent. One caveat worth noting:
neither group here configures VRRP authentication, so any host on the segment could advertise a
higher priority and win the election. It is recommended to use the extended ping command on PC1
and PC2 to send packets to the destination network continuously in order to observe VRRP at
work, and to use the following commands on R1 and R2 to debug; the detailed steps are not listed:

debug vrrp events


debug vrrp packets

12. End.

Hope this is helpful for you!

【Lab Objectives】

1. Master the configuration methods of PAgP, the Cisco-proprietary link aggregation protocol.

2. Master the differences between the Layer 2 PAgP configuration and the Layer 3 PAgP
configuration.

3. PAgP is a Cisco-proprietary link aggregation protocol.

【Lab Topology】

【Lab Steps】

1. This lab uses two Cisco Catalyst 3750 Series switches, cabled according to the topology.

2. It is recommended to shut down interfaces Fa1/0/1 - 22 so that only the two links used for the
aggregation (Fa1/0/23 and Fa1/0/24) are active, which keeps the lab results clean.

3. Check the STP information on SW1 and SW2

SW1#show spanning-tree

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 32769

Address 0014.a8e2.9880

Cost 19

Port 25 (FastEthernet1/0/23)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Address 0014.a8f1.9880

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa1/0/23         Root FWD 19        128.25   P2p
Fa1/0/24         Altn BLK 19        128.26   P2p

4. Although STP prevents loops, it blocks the redundant link (Fa1/0/24 above) and so cannot use
its bandwidth. Link aggregation with PAgP bundles both links into one logical port, so STP sees
a single link and both physical links carry traffic.

5. The configurations on SW1 and SW2 are as follows:

SW1(config)#interface range fastEthernet 1/0/23 - 24

SW1(config-if-range)#switchport

SW1(config-if-range)#channel-protocol pagp

SW1(config-if-range)#channel-group 1 mode desirable

Creating a port-channel interface Port-channel 1


SW1(config-if-range)#exit

SW1(config)#exit
SW2(config)#interface range fastEthernet 1/0/23 - 24

SW2(config-if-range)#switchport

SW2(config-if-range)#channel-protocol pagp

SW2(config-if-range)#channel-group 1 mode auto

Creating a port-channel interface Port-channel 1

SW2(config-if-range)#exit

SW2(config)#exit

6. An interface in PAgP Desirable mode actively starts the negotiation, while one in Auto mode
only responds to it: Desirable with Desirable and Desirable with Auto form a channel, Auto with
Auto does not.

7. After the two switches are configured, IOS shows the following messages:

00:32:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/23, changed state to down
00:32:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to down
00:32:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/23, changed state to up
00:32:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to up
00:37:18: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:37:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up

8. Check the aggregation information on the interface of SW1.

SW1#show interfaces fastEthernet 1/0/23 etherchannel

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = Desirable-Sl    Gcchange = 0
Port-channel  = Po1         GC   = 0x00010001      Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =   PAgP

Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.
        d - PAgP is down.
Timers: H - Hello timer is running.        Q - Quit timer is running.
        S - Switching timer is running.    I - Interface timer is running.

Local information:
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Fa1/0/23  SC    U6/S7   H       30s      1        128        Any      5001

Partner's information:

          Partner              Partner          Partner         Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Fa1/0/23  SW2                  0014.a8e2.9880   Fa1/0/23   20s  SAC     10001

Age of the port in the current state: 00d:00h:06m:53s

SW1#

9. Use the show etherchannel port-channel command to check the aggregation group information.

SW1#show etherchannel port-channel

                Channel-group listing:
                ----------------------

Group: 1
----------
                Port-channels in the group:
                ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 00d:00h:15m:37s
Logical slot/port   = 10/1          Number of ports = 2
GC                  = 0x00010001      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   PAgP

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Fa1/0/23 Desirable-Sl       0
  0     00     Fa1/0/24 Desirable-Sl       0

Time since last port bundled:    00d:00h:10m:27s    Fa1/0/24

SW1#

10. Check the summary information of the aggregation link.

SW1#show etherchannel summary

Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Fa1/0/23(P)    Fa1/0/24(P)

SW1#

11. Check the spanning-tree information.

SW1#show spanning-tree

………

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1              Root FWD 12        128.616  P2p

SW1#

12. Configure IP addresses of VLAN1 on SW1 and SW2, test the tolerance of the aggregation link.

SW1(config)#interface vlan 1

SW1(config-if)#ip address 192.168.1.1 255.255.255.0

SW1(config-if)#no shutdown

SW1(config-if)#exit
SW2(config)#interface vlan 1

SW2(config-if)#ip address 192.168.1.2 255.255.255.0

SW2(config-if)#no shutdown

SW2(config-if)#exit

13. Use the ping command on SW2 to test the connectivity between the two switches.

SW2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

SW2#

14. Use the extended ping command on SW2 to send ICMP data packets to SW1 continuously to test
the redundant tolerance of the aggregation ports.
SW2#ping

Protocol [ip]:

Target IP address: 192.168.1.1

Repeat count [5]: 1000000

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 1000000, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

15. Manually shut down interface FastEthernet 1/0/23 or FastEthernet 1/0/24 of the aggregation
group on SW1 and observe the ping output on SW2. The pings are not interrupted, which shows that
link aggregation tolerates the loss of a single member link without a topology change and that,
unlike spanning tree over redundant links, it uses the bandwidth of both links and load-balances
across them.

16. The previous configuration is of the Layer2 PAgP link aggregation, the following configuration
will show us how to configure the Layer3 PAgP link aggregation.

17. Delete the previous Layer2 PAgP configuration.

18. Configure SW1 and SW2 as follows.

SW1(config)#interface port-channel 1

SW1(config-if)#no switchport

SW1(config-if)#ip address 192.168.1.1 255.255.255.0

SW1(config-if)#no shutdown

SW1(config-if)#exit

SW1(config)#

SW1(config)#

SW1(config)#interface range fastEthernet 1/0/23 - 24

SW1(config-if-range)#no switchport
SW1(config-if-range)#channel-protocol pagp

SW1(config-if-range)#channel-group 1 mode desirable

SW1(config-if-range)#exit

SW1(config)#exit

SW1#

00:12:15: %EC-5-L3DONTBNDL1: Fa1/0/23 suspended: PAgP not enabled on the remote port.
00:12:16: %EC-5-L3DONTBNDL1: Fa1/0/24 suspended: PAgP not enabled on the remote port.

These messages are expected at this point: SW2 has not been reconfigured yet, so its ports do
not answer PAgP and SW1 suspends its members instead of bundling them.
SW2(config)#interface port-channel 1

SW2(config-if)#no switchport

SW2(config-if)#ip address 192.168.1.2 255.255.255.0

SW2(config-if)#no shutdown

SW2(config-if)#exit

SW2(config)#

SW2(config)#interface range fastEthernet 1/0/23 - 24

SW2(config-if-range)#no switchport

SW2(config-if-range)#channel-protocol pagp

SW2(config-if-range)#channel-group 1 mode desirable

SW2(config-if-range)#exit

SW2(config)#exit

SW2#

00:20:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/23, changed state to up
00:20:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to up
00:20:03: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:20:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up

19. Check the aggregation link information again; the R flag now marks Po1 as a Layer 3
port-channel.

SW2#show etherchannel summary

Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(RU)         PAgP      Fa1/0/23(P)    Fa1/0/24(P)

SW2#
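Operators usually verify bundles from a script rather than by eye. The following is an added Python example, not part of the lab and not IOS code, that parses the port-channel table of show etherchannel summary and reports whether every member is bundled. The inputs are the Layer 2 output from step 10 and the Layer 3 output above, retyped as constructed strings, plus a constructed degraded case modelled on the %EC-5-L3DONTBNDL1 messages seen while SW2 was unconfigured. Function and flag-table names are this example's own.

```python
"""Parse the port-channel table of 'show etherchannel summary' and check it.

Added example for this page, not part of the original lab or of IOS.  The
sample outputs are retyped from the lab (steps 10 and 19) or constructed to
show a degraded bundle; they are not captured from a live switch.
"""
import re
from typing import Dict, List, NamedTuple

# Meaning of the single-letter flags printed by the command (from its legend).
PORT_FLAGS = {
    "P": "in port-channel", "D": "down", "I": "stand-alone", "s": "suspended",
    "H": "hot-standby", "w": "waiting to be aggregated",
    "u": "unsuitable for bundling", "f": "failed to allocate aggregator",
    "d": "default port",
}

ROW = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
PORT = re.compile(r"(\S+?)\(([A-Za-z])\)")


class Channel(NamedTuple):
    group: int
    name: str
    flags: str             # "SU": Layer 2 and in use, "RU": Layer 3 and in use
    protocol: str
    ports: Dict[str, str]  # member port -> its flag letter


def parse_summary(text: str) -> List[Channel]:
    """Extract one Channel per row of the Group/Port-channel table."""
    channels = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        group, name, flags, proto, rest = m.groups()
        ports = {port: flag for port, flag in PORT.findall(rest)}
        channels.append(Channel(int(group), name, flags, proto, ports))
    return channels


def layer(ch: Channel) -> str:
    return "Layer3" if "R" in ch.flags else "Layer2" if "S" in ch.flags else "unknown"


def check_channel(ch: Channel) -> List[str]:
    """Return human-readable problems; an empty list means the bundle is healthy."""
    problems = []
    if "U" not in ch.flags:
        problems.append(f"{ch.name}: not in use (flags {ch.flags})")
    if "D" in ch.flags:
        problems.append(f"{ch.name}: port-channel is down")
    for port, flag in ch.ports.items():
        if flag != "P":
            problems.append(f"{port}: {PORT_FLAGS.get(flag, 'unknown flag ' + flag)}")
    return problems


# Retyped from the lab, step 10 (SW1, Layer 2 bundle).
SUMMARY_L2 = """\
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Fa1/0/23(P)    Fa1/0/24(P)
"""

# Retyped from the lab, step 19 (SW2, Layer 3 bundle).
SUMMARY_L3 = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(RU)         PAgP      Fa1/0/23(P)    Fa1/0/24(P)
"""

# Constructed: a Layer 3 bundle while the peer is not yet configured and both
# members are suspended (the %EC-5-L3DONTBNDL1 situation from step 18).
SUMMARY_DEGRADED = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(RD)         PAgP      Fa1/0/23(s)    Fa1/0/24(s)
"""


def report(text: str) -> Dict[str, List[str]]:
    """Map each port-channel name to its list of problems."""
    return {ch.name: check_channel(ch) for ch in parse_summary(text)}


if __name__ == "__main__":
    for label, text in [("L2", SUMMARY_L2), ("L3", SUMMARY_L3), ("degraded", SUMMARY_DEGRADED)]:
        for ch in parse_summary(text):
            print(label, ch.name, layer(ch), ch.protocol, check_channel(ch) or "OK")
```

The check is deliberately strict: anything other than P on a member, or a port-channel without U, is reported, because a bundle that silently runs on one member has lost both its redundancy and half its bandwidth without any STP topology change to draw attention to it.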

20. Use the ping command to test:

SW2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

The first echo is lost while SW2 resolves the ARP entry for 192.168.1.1; this is normal.

21. Repeat steps 14 and 15 to test the fault tolerance of the Layer 3 PAgP aggregation link. The
detailed steps are not listed.

22. End.

Hope this is helpful for you!


BCMSN Lab4 - Configuring Layer 3 Redundancy with HSRP
By admin | April 2, 2009

【Lab Objectives】

1. Understand the working principles of HSRP.

2. Master the HSRP configuration methods.

3. Understand the standby and track functions of HSRP.

【Lab Topology】

【Lab Steps】

1. This lab can be completed by using Layer3 switches or routers, if using routers, you should
examine the IOS version to make sure that it supports HSRP protocol.

2. Configure the IP addresses of the interfaces on R1 and R2

R1(config)#interface loopback 0

R1(config-if)#ip address 10.1.1.1 255.255.255.0

R1(config-if)#exit

R1(config)#

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip address 192.168.1.2 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#
R2(config)#interface loopback 0

R2(config-if)#ip address 10.1.1.1 255.255.255.0

R2(config-if)#exit

R2(config)#

R2(config)#interface fastEthernet 0/0

R2(config-if)#ip address 192.168.1.3 255.255.255.0


R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#

Note: Configure the IP addresses of the loopback interfaces on R1 and R2 as 10.1.1.1/24 used to
simulate hosts directly connected to R1 and R2.

3. Configure PC1 to simulate a client. Its default gateway, 192.168.1.1, is not a real interface
address; it is the virtual gateway address that R1 and R2 will share through HSRP, so the gateway
keeps working when either router fails.

PC1(config)#no ip routing

PC1(config)#

PC1(config)#interface fastEthernet 0/0

PC1(config-if)#ip address 192.168.1.10 255.255.255.0

PC1(config-if)#no shutdown

PC1(config-if)#exit

PC1(config)#

PC1(config)#ip default-gateway 192.168.1.1

PC1(config)#exit

PC1#

4. Use the ping command on PC1 to test whether the host of 10.1.1.1/24 can be reached.

PC1#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

…..

Success rate is 0 percent (0/5)

5. Configure HSRP on R1 and R2 to provide gateway redundancy; the configuration is as follows:

R1(config)#interface fastEthernet 0/0
R1(config-if)#standby 1 ip 192.168.1.1

R2(config)#interface fastEthernet 0/0
R2(config-if)#standby 1 ip 192.168.1.1

After the HSRP group is configured on R1, IOS shows the following message:

00:13:27: %STANDBY-6-STATECHANGE: FastEthernet0/0 Group 1 state Standby -> Active

6. Check the HSRP group information on R1 and R2:

R1#show standby

FastEthernet0/0 - Group 1

Local state is Active, priority 100

Hellotime 3 sec, holdtime 10 sec

Next hello sent in 1.348

Virtual IP address is 192.168.1.1 configured

Active router is local

Standby router is 192.168.1.3, priority 100 expires in 7.812

Virtual mac address is 0000.0c07.ac01

5 state changes, last state change 00:00:10

IP redundancy name is "hsrp-Fa0/0-1" (default)


R2#show standby

FastEthernet0/0 - Group 1

Local state is Standby, priority 100

Hellotime 3 sec, holdtime 10 sec

Next hello sent in 2.686

Virtual IP address is 192.168.1.1 configured

Active router is 192.168.1.2, priority 100 expires in 7.748

Standby router is local

8 state changes, last state change 00:03:11

IP redundancy name is "hsrp-Fa0/0-1" (default)

7. Each router in the HSRP group has a priority (100 by default). The priority decides which
router becomes the Active router, the one that answers ARP requests for the virtual address and
forwards the clients' traffic. If HSRP is simply enabled and every router has the same priority,
the router with the highest interface IP address wins the election. Preemption is off by default,
however, so a router that is already Active is not displaced by a later arrival with a higher
address; that is why R1 (192.168.1.2, configured first) is Active here although R2 (192.168.1.3)
has the higher address.

8. Use the ping command and the traceroute command on the PC1 client to track the router:
PC1#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 44/300/1100 ms

PC1#

PC1#traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

1 192.168.1.2 68 msec 56 msec *

9. Check ARP cache on the client of PC1:

PC1#show arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.1.10 - ca02.0be4.0000 ARPA FastEthernet0/0

Internet 192.168.1.1 12 0000.0c07.ac01 ARPA FastEthernet0/0

PC1#

10. Use the extended ping command to send more data packets to 10.1.1.1 and manually set the
interface Fa0/0 on R1 to down status, observe the HSRP redundancy

R1(config)#interface fastEthernet 0/0

R1(config-if)#shutdown

00:39:48: %STANDBY-6-STATECHANGE: FastEthernet0/0 Group 1 state Active -> Init

Check the extended ping command on PC1

PC1#ping

Protocol [ip]:

Target IP address: 10.1.1.1

Repeat count [5]: 1000000

Datagram size [100]:


Timeout in seconds [2]:

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 1000000, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!…..!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 99 percent (456/461), round-trip min/avg/max = 16/72/560 ms

The five dots in the output above show that PC1 briefly could not reach 10.1.1.0/24 after
interface Fa0/0 on R1 failed. During that time R2 no longer received Hello packets from the
Active router; once the HSRP holdtime (10 seconds by default) expired, R2 promoted itself to
Active, as the following message shows:

00:39:56: %STANDBY-6-STATECHANGE: FastEthernet0/0 Group 1 state Standby -> Active

11. Here, use the ping command and the traceroute command again on PC1 to confirm that the
routers and the destination hosts can be reached:

PC1>ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/57/108 ms

PC1>

PC1>traceroute 10.1.1.1

Type escape sequence to abort.

Tracing the route to 10.1.1.1

1 192.168.1.3 32 msec 28 msec *


12. The steps above show that HSRP keeps the gateway reachable across the failure of a single
router, with only a holdtime's worth of lost packets.

13. Set the interface Fa0/0 on R1 UP

R1(config)#interface fastEthernet 0/0

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#

14. After waiting for some time, check HSRP group information on R1 and R2 again.

R1#show standby

FastEthernet0/0 - Group 1

Local state is Standby, priority 100

Hellotime 3 sec, holdtime 10 sec

Next hello sent in 0.450

Virtual IP address is 192.168.1.1 configured

Active router is 192.168.1.3, priority 100 expires in 9.672

Standby router is local

7 state changes, last state change 00:00:34

IP redundancy name is "hsrp-Fa0/0-1" (default)

15. If R1 is the more capable router and R2 is only meant to be the backup, R1 should take back
ARP response and Layer 3 forwarding after it recovers. To achieve this, configure R1 with a
higher priority and enable HSRP preemption:

R1(config)#interface fastEthernet 0/0

R1(config-if)#standby 1 priority 200

R1(config-if)#standby 1 preempt

R1(config-if)#exit

R1(config)#

16. At this moment, the router R1 will give the following prompt information:

R1#
00:55:55: %STANDBY-6-STATECHANGE: FastEthernet0/0 Group 1 state Standby -> Active
17. Check HSRP group information on R2

R2#show standby

FastEthernet0/0 - Group 1

Local state is Standby, priority 100

Hellotime 3 sec, holdtime 10 sec

Next hello sent in 2.722

Virtual IP address is 192.168.1.1 configured

Active router is 192.168.1.2, priority 200 expires in 7.452

Standby router is local

11 state changes, last state change 00:03:53

IP redundancy name is "hsrp-Fa0/0-1" (default)

R2#

18. HSRP can provide redundancy toward the LAN and also monitor an uplink interface: when the
tracked interface goes down, the router's priority is decremented by the configured amount, and
a peer with preemption enabled takes over the Active role. The following configures interface
tracking on R1 (the loopback stands in for the uplink) and enables preemption on R2 so that it
can take over:

R1(config)#interface fastEthernet 0/0

R1(config-if)#standby 1 priority 200

R1(config-if)#standby 1 preempt

R1(config-if)#standby 1 track loopback 0 150

R1(config-if)#exit

R1(config)#
R2(config)#interface fastEthernet 0/0

R2(config-if)#standby 1 preempt

R2(config-if)#

19. Manually set the loopback 0 interface on R1 down, and then observe the prompted information
given by the system:

R1#debug standby events

HSRP Events debugging is on


R1#

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#

R1(config)#interface loopback 0

R1(config-if)#shutdown

R1(config-if)#

R1(config-if)#

01:09:58: SB: Fa0/0 Grp 1 Tracked interface Loopback0 Down

01:09:58: SB: Fa0/0 Grp 1 Priority 200/200 -> 50/200

01:09:58: SB1: Fa0/0 Active: j/Coup rcvd from higher pri router (100/192.168.1.3)

01:09:58: SB1: Fa0/0 Active router is 192.168.1.3, was local

01:09:58: SB: Fa0/0 Remove active hash 192.168.1.2 (vIP 192.168.1.1)

01:09:58: SB: Fa0/0 Remove passive hash 192.168.1.3 (frc 0)

01:09:58: SB: Fa0/0 Add active hash 192.168.1.3 (vIP 192.168.1.1)

01:09:58: SB1: Fa0/0 Standby router is unknown, was 192.168.1.3

01:09:58: SB1: Fa0/0 Active -> Speak

01:09:58: %STANDBY-6-STATECHANGE: FastEthernet0/0 Group 1 state Active -> Speak

01:09:58: SB1: Fa0/0 Redundancy "hsrp-Fa0/0-1" state Active -> Speak

01:09:58: SB: Fa0/0 Redirect adv start

01:09:58: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down

01:10:08: SB1: Fa0/0 Speak: d/Standby timer expired (unknown)

01:10:08: SB1: Fa0/0 Standby router is local

01:10:08: SB1: Fa0/0 Speak -> Standby

01:10:08: SB1: Fa0/0 Redundancy "hsrp-Fa0/0-1" state Speak -> Standby

20. Check the HSRP group information on R1 and R2:


R1#show standby

FastEthernet0/0 - Group 1

Local state is Standby, priority 50 (confgd 200), may preempt

Hellotime 3 sec, holdtime 10 sec

Next hello sent in 2.668

Virtual IP address is 192.168.1.1 configured

Active router is 192.168.1.3, priority 100 expires in 8.252

Standby router is local

13 state changes, last state change 00:01:19

IP redundancy name is "hsrp-Fa0/0-1" (default)

Priority tracking 1 interface, 0 up:

Interface Decrement State

Loopback0 150 Down (administratively down)

R1#

R2#show standby

FastEthernet0/0 - Group 1

Local state is Active, priority 100, may preempt

Hellotime 3 sec, holdtime 10 sec

Next hello sent in 0.808

Virtual IP address is 192.168.1.1 configured

Active router is local

Standby router is 192.168.1.2, priority 50 expires in 9.128

Virtual mac address is 0000.0c07.ac01

15 state changes, last state change 00:00:57

IP redundancy name is "hsrp-Fa0/0-1" (default)

Priority tracking 1 interface, 1 up:

Interface Decrement State

Loopback0 10 Up
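The tracking behaviour seen in steps 18 to 20 (R1's priority falling from 200 to 50 when Loopback0 goes down, and R2 taking over because it has preempt configured), as an added Python model that is not part of the original lab. Router names, addresses, priorities and the decrement of 150 are taken from the lab above; the election rules (highest effective priority wins, higher IP address breaks ties, a better router only takes over if it has preempt) are a simplified model of HSRP, and clamping the priority at 0 is an assumption of the example, not a statement about IOS.

```python
# Added example (not from the original lab): a small model of HSRP election
# with interface tracking, reproducing the lab's R1/R2 group 1 behaviour.
from dataclasses import dataclass, field


def _ip_key(ip: str) -> tuple:
    """HSRP tie-breaker: equal priorities are resolved by the higher IP address."""
    return tuple(int(octet) for octet in ip.split("."))


@dataclass
class HsrpRouter:
    name: str
    ip: str
    configured_priority: int
    preempt: bool = False
    tracks: dict = field(default_factory=dict)         # interface -> decrement
    interfaces_up: dict = field(default_factory=dict)  # interface -> bool (default: up)

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is
        down (the 'Priority 200/200 -> 50/200' line in the debug output above)."""
        pri = self.configured_priority
        for intf, decrement in self.tracks.items():
            if not self.interfaces_up.get(intf, True):
                pri -= decrement
        return max(pri, 0)  # assumption: clamp at 0; IOS's exact floor is not modelled

    def rank(self) -> tuple:
        return (self.effective_priority(), _ip_key(self.ip))


class HsrpGroup:
    def __init__(self, routers):
        self.routers = list(routers)
        self.active = None
        self.standby = None

    def converge(self):
        """Re-run the election after a priority or interface change. The current
        Active keeps the role unless a better-ranked router exists AND that router
        has 'standby preempt' configured."""
        ranked = sorted(self.routers, key=HsrpRouter.rank, reverse=True)
        best = ranked[0]
        if self.active is None:
            self.active = best
        elif best is not self.active and best.preempt and best.rank() > self.active.rank():
            self.active = best
        self.standby = next((r for r in ranked if r is not self.active), None)
        return self.active.name, (self.standby.name if self.standby else None)


def lab_scenario(r2_preempt: bool = True) -> list:
    """Walk through steps 18-20: Loopback0 on R1 goes down, then comes back up.
    Returns (event, active router, R1 effective priority) after each event."""
    r1 = HsrpRouter("R1", "192.168.1.2", 200, preempt=True, tracks={"Loopback0": 150})
    r2 = HsrpRouter("R2", "192.168.1.3", 100, preempt=r2_preempt)
    group = HsrpGroup([r1, r2])
    timeline = []
    group.converge()
    timeline.append(("initial", group.active.name, r1.effective_priority()))
    r1.interfaces_up["Loopback0"] = False   # 'interface loopback 0' / 'shutdown'
    group.converge()
    timeline.append(("loopback0 down", group.active.name, r1.effective_priority()))
    r1.interfaces_up["Loopback0"] = True    # 'no shutdown'
    group.converge()
    timeline.append(("loopback0 up", group.active.name, r1.effective_priority()))
    return timeline


if __name__ == "__main__":
    for event, active, pri in lab_scenario():
        print(f"{event:15} active={active} R1 priority={pri}")
    # Without 'standby 1 preempt' on R2 the decrement on R1 changes nothing:
    print(lab_scenario(r2_preempt=False))
```

Running `lab_scenario(r2_preempt=False)` shows the mistake step 18 guards against: R1's priority still drops to 50, but R2 never becomes Active because it is not allowed to preempt, so the tracked uplink failure is not acted on.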

21. End.

Hope this is helpful for you!

Switch(config)#aaa new-model
Switch(config)#radius-server host {hostname | ip-address} [key string]
Switch(config)#aaa authentication dot1x default group radius

Enable 802.1x on the switch:

Switch(config)#dot1x system-auth-control
Switch(config)#interface type mod/num
Switch(config-if)#dot1x port-control {force-authorized | force-unauthorized | auto}

Switch(config)#aaa new-model
Switch(config)#radius-server host 10.1.1.1 key BigSecret
Switch(config)#radius-server host 10.1.1.2 key AnotherBigSecret
Switch(config)#aaa authentication dot1x default group radius
Switch(config)#dot1x system-auth-control
Switch(config)#interface range FastEthernet0/1 - 40
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport mode access
Switch(config-if)#dot1x port-control auto

You can also configure the switch to use DHCP option 82, the DHCP Relay Agent Information option:

Switch(config)#[no] ip dhcp snooping information option

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 104
Switch(config)#interface range fastethernet 0/35 - 36
Switch(config-if)#ip dhcp snooping limit rate 3
Switch(config-if)#interface gigabitethernet 0/1
Switch(config-if)#ip dhcp snooping trust

Switch#show ip dhcp snooping


Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
104
Insertion of option 82 is enabled
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/35 no 3
FastEthernet0/36 no 3
GigabitEthernet0/1 yes unlimited
To configure IP source guard, first configure and enable DHCP snooping, as presented in the previous section. If you want IP source guard to detect spoofed MAC addresses, you will also need to configure and enable port security.

For the hosts that don't use DHCP, you can configure a static IP source binding with the following configuration command:
Switch(config)#ip source binding mac-address vlan vlan-id ip-address interface type mod/num

Next, enable IP source guard on one or more switch interfaces with the following configuration commands:
Switch(config)#interface type mod/num
Switch(config-if)#ip verify source [port-security]

Switch(config)#ip arp inspection vlan vlan-range

DAI checks the sender MAC/IP pair of ARP packets against the DHCP snooping binding database (or against a static ARP access list, described below). When the binding database is used, DHCP snooping must be enabled in addition to DAI.

By default, all switch ports associated with the VLAN range are considered to be untrusted.

Switch(config)#interface type mod/num
Switch(config-if)#ip arp inspection trust

If you have hosts with statically configured IP address information, there will be no DHCP message exchange that can be inspected. Instead, you can configure an ARP access list that defines static MAC-IP address bindings that are permitted. Use the following configuration commands to define the ARP access list and one or more static entries:
Switch(config)#arp access-list acl-name
Switch(config-acl)#permit ip host sender-ip mac host sender-mac [log]
[Repeat the previous command

Now the ARP access list must be applied to DAI with the following configuration command:
Switch(config)#ip arp inspection filter arp-acl-name vlan vlan-range [static]

To validate that an ARP reply packet is really coming from the address listed inside it, you can enable DAI validation with the following configuration command:
Switch(config)#ip arp inspection validate {[src-mac] [dst-mac] [ip]}

Switch(config)#ip arp inspection vlan 104
Switch(config)#arp access-list StaticARP
Switch(config-acl)#permit ip host 192.168.1.10 mac host 0006.5b02.a841
Switch(config-acl)#exit
Switch(config)#ip arp inspection filter StaticARP vlan 104
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#ip arp inspection trust
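How the DHCP snooping binding table is used by IP source guard (the `ip verify source [port-security]` section above) and by DAI with an ARP access list and the `validate` options (this section), as one added Python model that is not part of the original notes. The binding entries, the static `ip source binding` host on FastEthernet0/37, the ARP ACL entry and every MAC/IP address are constructed for the example; the checks mirror the documented behaviour of the IOS features, but the code is a simplified model, not the switch's implementation.

```python
# Added example (not from the original notes): a model of how the DHCP snooping
# binding table is consulted by IP Source Guard ('ip verify source [port-security]')
# and by Dynamic ARP Inspection ('ip arp inspection ...'). All data is constructed.
from dataclasses import dataclass
from ipaddress import ip_address


def norm_mac(mac: str) -> str:
    """Accept 0006.5b02.a841, 00:06:5b:02:a8:41 or 00065B02A841; return 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


# Entries learned by DHCP snooping on the rate-limited ports Fa0/35-36 (constructed)
DHCP_BINDINGS = [
    Binding("0006.5b02.a841", "192.168.1.10", 104, "FastEthernet0/35"),
    Binding("0011.2233.4455", "192.168.1.11", 104, "FastEthernet0/36"),
]
# A host without DHCP, added with 'ip source binding ... interface FastEthernet0/37' (constructed)
STATIC_SOURCE_BINDINGS = [Binding("00aa.bb00.0001", "192.168.1.20", 104, "FastEthernet0/37")]
# The same host for DAI: an 'arp access-list' entry as (sender-ip, sender-mac)
STATIC_ARP_ACL = [("192.168.1.20", "00aa.bb00.0001")]


@dataclass(frozen=True)
class Frame:
    interface: str
    vlan: int
    src_mac: str
    src_ip: str


def ip_source_guard_permit(frame: Frame, port_security: bool = False) -> bool:
    """'ip verify source': forward only if the source IP is bound to the ingress port and
    VLAN; with 'port-security' the source MAC must match the binding as well."""
    for b in DHCP_BINDINGS + STATIC_SOURCE_BINDINGS:
        if (b.interface, b.vlan, b.ip) != (frame.interface, frame.vlan, frame.src_ip):
            continue
        if port_security and norm_mac(b.mac) != norm_mac(frame.src_mac):
            continue
        return True
    return False                                   # no binding for this IP on this port: dropped


@dataclass(frozen=True)
class Arp:
    interface: str
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str
    reply: bool


def _ip_ok(ip: str) -> bool:
    """'validate ip': 0.0.0.0, 255.255.255.255 and multicast addresses are invalid."""
    a = ip_address(ip)
    return not (a.is_unspecified or a.is_multicast or ip == "255.255.255.255")


def dai_permit(pkt: Arp, validate=(), arp_acl=(), acl_static=False, trusted=()) -> bool:
    """Dynamic ARP Inspection: packets on trusted ports pass; otherwise the optional header
    checks run first, then the sender MAC/IP pair must be in the ARP ACL or bound by DHCP."""
    if pkt.interface in trusted:                   # 'ip arp inspection trust'
        return True
    if "src-mac" in validate and norm_mac(pkt.eth_src) != norm_mac(pkt.sender_mac):
        return False
    if "dst-mac" in validate and pkt.reply and norm_mac(pkt.eth_dst) != norm_mac(pkt.target_mac):
        return False
    if "ip" in validate and (not _ip_ok(pkt.sender_ip) or (pkt.reply and not _ip_ok(pkt.target_ip))):
        return False
    for ip, mac in arp_acl:                        # 'ip arp inspection filter <acl> vlan ...'
        if ip == pkt.sender_ip and norm_mac(mac) == norm_mac(pkt.sender_mac):
            return True
    if arp_acl and acl_static:                     # '... static': no fallback to DHCP bindings
        return False
    return any(b.vlan == pkt.vlan and b.ip == pkt.sender_ip
               and norm_mac(b.mac) == norm_mac(pkt.sender_mac) for b in DHCP_BINDINGS)


if __name__ == "__main__":
    legit = Frame("FastEthernet0/35", 104, "0006.5b02.a841", "192.168.1.10")
    print("legit host:", ip_source_guard_permit(legit))
    print("spoofed IP:", ip_source_guard_permit(Frame("FastEthernet0/35", 104, "0006.5b02.a841", "192.168.1.11")))
    poison = Arp("FastEthernet0/36", 104, "0011.2233.4455", "0006.5b02.a841",
                 "0011.2233.4455", "192.168.1.1", "0006.5b02.a841", "192.168.1.10", True)
    print("reply claiming the gateway IP:", dai_permit(poison))
```

Two points the model makes visible: `ip verify source` without `port-security` only checks the IP, so a spoofed source MAC behind a correct IP still passes (hence the note above about enabling port security), and a static host is invisible to DAI until its ARP ACL is applied, whereas the `static` keyword turns the ACL into the only source of truth.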

Switch(config)# ip access-list extended local-17
Switch(config-acl)# permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
Switch(config-acl)# exit
Switch(config)# vlan access-map block-17 10
Switch(config-access-map)# match ip address local-17
Switch(config-access-map)# action drop
Switch(config-access-map)# vlan access-map block-17 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter block-17 vlan-list 99
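How the VLAN access map above is evaluated, as an added Python model that is not part of the original notes. The ACL, access-map sequences and VLAN 99 filter are transcribed from the configuration above; the evaluation rules (first matching sequence wins, a sequence without a match clause matches everything, and a packet matching no sequence is dropped) are the documented VACL behaviour, modelled here in simplified form. The sample addresses are constructed.

```python
# Added example (not from the original notes): evaluation of the 'block-17' VLAN
# access map. 'permit' in the extended ACL only selects traffic; the access-map
# sequence's action decides forward/drop, and unmatched packets are dropped.
from ipaddress import ip_address


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'. 'host x' equals 'x 0.0.0.0'."""
    w = int(ip_address(wildcard))
    return (int(ip_address(addr)) | w) == (int(ip_address(base)) | w)


# 'ip access-list extended local-17': ACEs as (src, src-wildcard, dst, dst-wildcard)
ACLS = {"local-17": [("192.168.99.17", "0.0.0.0", "192.168.99.0", "0.0.0.255")]}

# 'vlan access-map block-17 10' and '... 20': (sequence, match ACL or None, action)
ACCESS_MAPS = {"block-17": [(10, "local-17", "drop"), (20, None, "forward")]}

# 'vlan filter block-17 vlan-list 99'
VLAN_FILTERS = {99: "block-17"}


def acl_selects(acl_name: str, src: str, dst: str, acls=ACLS) -> bool:
    """True if any ACE of the ACL matches; in a VACL this means 'selected', not 'permitted'."""
    return any(_wildcard_match(src, s, sw) and _wildcard_match(dst, d, dw)
               for s, sw, d, dw in acls[acl_name])


def vacl_action(vlan: int, src: str, dst: str,
                access_maps=ACCESS_MAPS, vlan_filters=VLAN_FILTERS) -> str:
    """Return 'forward' or 'drop' for an IP packet switched within 'vlan'."""
    map_name = vlan_filters.get(vlan)
    if map_name is None:
        return "forward"                          # no VACL applied to this VLAN
    for _seq, acl, action in sorted(access_maps[map_name], key=lambda e: e[0]):
        if acl is None or acl_selects(acl, src, dst):
            return action                         # first matching sequence wins
    return "drop"                                 # implicit drop: no sequence matched


def demo() -> dict:
    """Constructed packets against the configuration above."""
    return {
        "17 -> same subnet": vacl_action(99, "192.168.99.17", "192.168.99.20"),
        "same subnet -> 17": vacl_action(99, "192.168.99.20", "192.168.99.17"),
        "17 -> other subnet": vacl_action(99, "192.168.99.17", "10.0.0.1"),
        "VLAN without filter": vacl_action(10, "192.168.99.17", "192.168.99.20"),
        # the same map without sequence 20: everything not selected by local-17 is dropped
        "no catch-all": vacl_action(99, "192.168.99.20", "192.168.99.17",
                                    access_maps={"block-17": [(10, "local-17", "drop")]}),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20} {action}")
```

The "no catch-all" case is why sequence 20 with `action forward` exists in the configuration: without it the implicit drop at the end of the access map would silence all other traffic in VLAN 99, not only host .17.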

Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 30
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20,30
Switch(config-vlan)# exit
Switch(config)# interface range fastethernet 1/1 - 1/2
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 10
Switch(config)# interface range fastethernet 1/4 - 1/5
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 20
Switch(config)# interface fastethernet 1/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 30
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20,30

Associate Secondary VLANs to a Primary VLAN SVI
On switched virtual interfaces, or VLAN interfaces configured with Layer 3 addresses, you must configure some additional private VLAN mapping. Consider the SVI for the primary VLAN, VLAN 100, that has an IP address and participates in routing traffic. Secondary VLANs 40 (an isolated VLAN) and 50 (a community VLAN) are associated at Layer 2 with primary VLAN 100 using the configuration in Example 16-3.
Primary VLAN 200 can forward traffic at Layer 3, but the secondary VLAN associations with it are good at only Layer 2. To allow Layer 3 traffic switching coming from the secondary VLANs as well, you must add a private VLAN mapping to the primary VLAN (SVI) interface, using the following interface configuration command:
Switch(config-if)# private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
The primary VLAN SVI function is extended to the secondary VLANs instead of requiring SVIs for each of them. If some mapping already has been configured for the primary VLAN SVI, you can add (add) or remove (remove) secondary VLAN mappings individually.

Another example:
Switch(config)# vlan 40
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 50
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 40,50
Switch(config-vlan)# exit
Switch(config)# interface vlan 200
Switch(config-if)# ip address 192.168.199.1 255.255.255.0

The secondary VLAN associations above work only at Layer 2; to let the primary VLAN 200 SVI also route traffic coming from the secondary VLANs, add the private VLAN mapping to the SVI:

Switch(config)# interface vlan 200
Switch(config-if)# private-vlan mapping 40,50
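The Layer 2 reachability rules that the private VLAN configuration above enforces (promiscuous ports reach every secondary VLAN, community ports reach only their own community and the promiscuous ports, isolated ports reach only the promiscuous ports), plus the SVI mapping rule for Layer 3, as an added Python model that is not part of the original notes. The port and VLAN numbers are transcribed from the two examples above (primary 100 with communities 10 and 20 and isolated 30; primary 200 with isolated 40 and community 50); the model covers the general rules, not only those ports, and is a simplification of the switch's behaviour.

```python
# Added example (not from the original notes): reachability model for the private
# VLAN examples above, plus the SVI 'private-vlan mapping' rule for Layer 3 traffic.
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str            # "host" or "promiscuous"
    primary: int
    secondary: int = 0   # 0 for promiscuous ports (they are mapped to all secondaries)


# 'private-vlan community' / 'private-vlan isolated' from the first example
SECONDARY_TYPE = {10: "community", 20: "community", 30: "isolated"}

# 'switchport private-vlan host-association 100 <secondary>' per port, and the
# promiscuous port Fa2/1 with 'switchport private-vlan mapping 100 10,20,30'
PORTS = [
    PvlanPort("Fa1/1", "host", 100, 10),
    PvlanPort("Fa1/2", "host", 100, 10),
    PvlanPort("Fa1/3", "host", 100, 30),
    PvlanPort("Fa1/4", "host", 100, 20),
    PvlanPort("Fa1/5", "host", 100, 20),
    PvlanPort("Fa2/1", "promiscuous", 100),
]


def can_forward(a: PvlanPort, b: PvlanPort, types=SECONDARY_TYPE) -> bool:
    """Layer 2 reachability between two private VLAN ports."""
    if a.primary != b.primary:
        return False                                  # different private VLAN domains
    if "promiscuous" in (a.mode, b.mode):
        return True                                   # promiscuous talks to every secondary
    if a.secondary != b.secondary:
        return False                                  # community<->community/isolated: no
    return types[a.secondary] == "community"          # same community: yes; isolated: never


def reachability(ports=PORTS) -> dict:
    """Map each unordered port pair (in list order) to whether they can exchange frames."""
    return {(a.name, b.name): can_forward(a, b) for a, b in combinations(ports, 2)}


def svi_reachable(secondary: int, mapping=()) -> bool:
    """Layer 3: a host in a secondary VLAN reaches the primary VLAN SVI only if that
    secondary VLAN is in the SVI's 'private-vlan mapping' list."""
    return secondary in mapping


if __name__ == "__main__":
    for pair, ok in reachability().items():
        print(f"{pair[0]} <-> {pair[1]}: {'forward' if ok else 'blocked'}")
    # second example: 'interface vlan 200' / 'private-vlan mapping 40,50'
    print("VLAN 40 host -> SVI 200 before mapping:", svi_reachable(40))
    print("VLAN 40 host -> SVI 200 after mapping: ", svi_reachable(40, mapping=(40, 50)))
```

Printing the matrix is a quick way to review a private VLAN design before deployment: every pair that shows `forward` is a path that the isolation is not closing, and the SVI check shows that associating a secondary VLAN at Layer 2 alone leaves its hosts unable to reach the gateway until the mapping is added.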

1. Use an SSID that matches the AP
2. Authenticate with the AP
3. (optional) Use a packet encryption method (data privacy)
4. (optional) Use a packet authentication method (data integrity)
5. Build an association with the AP
