Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at
www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To
view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of
their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other
company. (1110R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN
ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY
DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND
FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer
above.
V2 ILT LAB GUIDE Implementing Cisco IP Switched Networks SWITCH © 2014 Cisco Systems, Inc.
Lab Introduction
For each challenge lab, read the lab Scenario and the Job Aids first, then proceed by solving the challenges provided.
Refer to the Command List if you need assistance with your lab exercise.
If you need additional tips, refer to the Hints section, which is available in the CLL portal.
The Validation section will help you verify whether you successfully completed the challenge.
If you need additional guidance, refer to the Answer section, which contains a detailed, step-by-step
solution for each challenge lab.
Topology
You only see and have access to PC1. You will have to figure out how the devices are connected.
Job Aids
Note If you shut down an interface on a real router or switch, the connected device will see it as
"down/down." Due to virtualization specifics, IOL behavior is slightly different. If you shut down
an interface on a router or switch, the connected device will see it as "up/up." In IOL, the
status of an interface can only be "up/up" or "administratively down/down."
Device Information
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
description description: Adds a description to the interface. Enter this command in interface configuration mode.
interface interface slot/number: Enters interface configuration mode for the specified interface.
show cdp neighbors [detail]: Shows detailed information about Cisco devices that are directly connected, including IP addresses if you add the detail keyword.
show interface interface slot/number: Shows properties of the interface, including its MAC address.
telnet ip_address: Uses the Telnet protocol to connect to a device specified by the IP address.
Verification
Challenge 2: Configure
DHCP
A customer has a network where all clients have manually configured IPs. They are looking to hire many
new employees in the next few months, and manually configuring every IP address in the network will not
be an option anymore.
Your job is to implement DHCP service in the network. Core1 was designated to be the DHCP server.
Topology
The customer network has two VLANs: one for IT and one for SALES.
Job Aids
Note If you shut down an interface on a real router or switch, the connected device will see it as
"down/down." Due to virtualization specifics, IOL behavior is slightly different. If you shut down
an interface on a router or switch, the connected device will see it as "up/up." In IOL, the
status of an interface can only be "up/up" or "administratively down/down."
VLAN Information
Device Connections
IP Addressing Information
Command Description
interface interface slot/number: Enters interface configuration mode for the specified interface.
ip dhcp excluded-address low-address: Specifies the IP addresses that the DHCP server should not assign to DHCP clients. Use this command in global configuration mode.
ip dhcp pool name: Creates a name for the DHCP server address pool and places you in DHCP pool configuration mode. Use this command in global configuration mode.
ip helper-address ip-address: Enables the DHCP broadcast to be forwarded to the configured DHCP server. Use this command in interface configuration mode.
release dhcp interface-type interface-number: Performs an immediate release of a DHCP lease for the specified interface.
renew dhcp interface-type interface-number: Forces the renewal of the DHCP lease for the specified interface.
show interface interface slot/number: Shows properties of the interface, including its MAC address.
show ip dhcp binding: Displays a list of all bindings created on a specific DHCP server.
show ip dhcp pool pool name: Shows the information about a DHCP address pool.
Verification
Step 1
1 On Core1, check if two PCs from VLAN 22 are seen in the DHCP binding table. The
leased-out IP addresses should be between .11 and .254.
You should get the following results:
Core1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.22.11 0063.6973.636f.2d61. Apr 23 2014 02:22 AM Automatic
6162.622e.6363.3031.
2e31.3630.302d.4574.
302f.30
192.168.22.12 0063.6973.636f.2d61. Apr 23 2014 02:23 AM Automatic
6162.622e.6363.3031.
2e31.3730.302d.4574.
302f.30
<... output omitted ...>
If you did not get the desirable results, check the following:
• You have excluded the IP addresses 192.168.22.1 through 192.168.22.10 from the DHCP
process.
• On Core1, you have a DHCP pool for subnet 192.168.22.0/24.
• You have configured PCs 1 and 2 to acquire IP addresses through DHCP.
Step 2
1 On Core1, check that PC3 and SRV, from VLAN 33, are seen in the DHCP binding table.
The IP address of PC3 should be between .11 and .254. The IP address of SRV must be
.185.
You should get the following results:
Core1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
<... output omitted ...>
192.168.33.11 0063.6973.636f.2d61. Apr 23 2014 02:26 AM Automatic
6162.622e.6363.3031.
2e32.3230.302d.4574.
302f.30
192.168.33.185 0063.6973.636f.2d61. Infinite Manual
6162.622e.6363.3031.
2e32.3330.302d.4574.
302f.30
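As an added example (not from the lab guide), the following Python parses a binding table like the ones above and checks the same conditions the two steps state: automatic leases land in .11-.254 of each subnet, SRV holds a manual .185 binding, and the hex Client-ID decodes to the string an IOS DHCP client sends. The sample output and the policy table are reconstructed from this guide's listings.

```python
"""Audit 'show ip dhcp binding' output against this lab's lease policy.

Added example, not part of the lab guide. SAMPLE is reconstructed from the
guide's Core1 output; POLICY encodes the guide's own checks: VLAN 22 and
VLAN 33 clients lease .11-.254 (.1-.10 are excluded) and SRV is a manual .185.
"""
import ipaddress
import re

SAMPLE = """\
Core1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.22.11       0063.6973.636f.2d61.    Apr 23 2014 02:22 AM    Automatic
                    6162.622e.6363.3031.
                    2e31.3630.302d.4574.
                    302f.30
192.168.22.12       0063.6973.636f.2d61.    Apr 23 2014 02:23 AM    Automatic
                    6162.622e.6363.3031.
                    2e31.3730.302d.4574.
                    302f.30
192.168.33.11       0063.6973.636f.2d61.    Apr 23 2014 02:26 AM    Automatic
                    6162.622e.6363.3031.
                    2e32.3230.302d.4574.
                    302f.30
192.168.33.185      0063.6973.636f.2d61.    Infinite                Manual
                    6162.622e.6363.3031.
                    2e32.3330.302d.4574.
                    302f.30
"""

# subnet -> (first leasable host, last leasable host, {required manual bindings})
POLICY = {
    "192.168.22.0/24": (11, 254, {}),
    "192.168.33.0/24": (11, 254, {"192.168.33.185": "SRV"}),
}
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(.+?)\s{2,}(Automatic|Manual)\s*$")
CONT = re.compile(r"^\s+([0-9a-f]{2,4}(?:\.[0-9a-f]{2,4})*\.?)\s*$")  # wrapped Client-ID


def parse_bindings(text):
    """Return one dict per binding, with the wrapped Client-ID re-joined."""
    bindings = []
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            bindings.append({"ip": row.group(1), "client_id": row.group(2),
                             "expires": row.group(3).strip(), "type": row.group(4)})
        elif bindings and CONT.match(line):
            bindings[-1]["client_id"] += CONT.match(line).group(1)
    for b in bindings:
        b["client_id"] = b["client_id"].replace(".", "")
    return bindings


def decode_client_id(hex_id):
    """Decode a DHCP Client-ID: type byte 0 is an opaque ASCII string (IOS
    clients send 'cisco-<mac>-<interface>'), type 1 is a raw Ethernet MAC."""
    raw = bytes.fromhex(hex_id)
    if raw[:1] == b"\x00":
        return raw[1:].decode("ascii", errors="replace")
    return "hw:" + raw[1:].hex(":")


def audit(bindings, policy=POLICY):
    """Return a list of policy findings; an empty list means the table passes."""
    findings, manual_seen = [], set()
    for b in bindings:
        addr = ipaddress.ip_address(b["ip"])
        subnet = next((n for n in policy if addr in ipaddress.ip_network(n)), None)
        if subnet is None:
            findings.append(f"{b['ip']}: binding outside every managed subnet")
            continue
        low, high, manual = policy[subnet]
        host = int(addr) - int(ipaddress.ip_network(subnet).network_address)
        if b["type"] == "Manual":
            manual_seen.add(b["ip"])
            if b["ip"] not in manual:
                findings.append(f"{b['ip']}: manual binding not in policy")
        elif not low <= host <= high:
            findings.append(f"{b['ip']}: automatic lease outside .{low}-.{high}; "
                            "check ip dhcp excluded-address")
    for _, _, manual in policy.values():
        for ip, name in manual.items():
            if ip not in manual_seen:
                findings.append(f"{ip}: required manual binding for {name} missing")
    return findings


if __name__ == "__main__":
    for b in parse_bindings(SAMPLE):
        print(b["ip"], b["type"], decode_client_id(b["client_id"]))
    print(audit(parse_bindings(SAMPLE)) or "binding table matches policy")
```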
Challenge 3: Configure
DHCPv6
A customer has an IPv4 network. It uses DHCP to allocate IPv4 addresses to clients.
It now wants all of its end devices dual-stacked. Your job is to configure Core1 as the DHCPv6 server
and configure all the clients in the network to acquire IPv6 addresses. IPv6 is preconfigured on the link
between Core1 and SW2.
Topology
The customer network has two VLANs: one for IT and one for SALES.
Job Aids
Note If you shut down an interface on a real router or switch, the connected device will see it as
"down/down." Due to virtualization specifics, IOL behavior is slightly different. If you shut down
an interface on a router or switch, the connected device will see it as "up/up." In IOL, the
status of an interface can only be "up/up" or "administratively down/down."
VLAN Information
Device Connections
IPv6 Addressing Information
Command Description
address prefix prefix: Specifies an address prefix that should be assigned to clients. Use this command in DHCPv6 configuration mode.
dns-server dns-server: Specifies the DNS IPv6 servers that are available to a DHCPv6 client. Use this command in DHCPv6 configuration mode.
interface interface slot/number: Enters interface configuration mode for the specified interface.
ipv6 address IPv6_address: Configures an IPv6 address on the interface. Use this command in interface configuration mode.
ipv6 dhcp pool pool_name: Configures a DHCPv6 configuration information pool and enters DHCPv6 pool configuration mode. Use this command in global configuration mode.
ipv6 dhcp relay destination IPv6_address: Specifies a destination address to which client packets are forwarded and enables the DHCPv6 relay service on the interface. Use this command in interface configuration mode.
ipv6 dhcp server pool_name: Enables the DHCPv6 server function on an interface. Use this command in interface configuration mode.
ipv6 enable: Enables IPv6 on the interface. Use this command in interface configuration mode.
show ipv6 dhcp binding: Displays a list of all bindings created on a specific DHCPv6 server.
Verification
Step 1
1 There are two VLAN 22 DHCPv6 bindings on Core1.
You should get the following results:
Core1# show ipv6 dhcp binding
Client: FE80::A8BB:CCFF:FE01:D00 (Vlan22)
DUID: 00030001AABBCC010D00
IA NA: IA ID 0x00020001, T1 43200, T2 69120
Address: 2001:DB8:16:0:16B:D955:A8E7:C876
preferred lifetime 86400, valid lifetime 172800
expires at Apr 24 2014 02:39 AM (172651 seconds)
Client: FE80::A8BB:CCFF:FE01:1400 (Vlan22)
DUID: 00030001AABBCC011400
IA NA: IA ID 0x00020001, T1 43200, T2 69120
Address: 2001:DB8:16:0:E1B2:FF29:F672:373D
preferred lifetime 86400, valid lifetime 172800
expires at Apr 24 2014 02:39 AM (172655 seconds)
<... output omitted ...>
If you do not see the desired results, make sure that you have done the following:
• Configured a DHCPv6 pool with the specified VLAN 22 prefix on Core1
• Configured the VLAN 22 interface with an IPv6 address on Core1
• Associated the DHCPv6 pool with an interface
• Enabled PC1 and PC2 for IPv6 and enabled them to acquire IPv6 addresses via DHCP
2 PC1 and PC2 have obtained the DNS server IPv6 address via DHCPv6.
You should get the following results:
If PC1 and PC2 have obtained IPv6 addresses via DHCP, but not the DNS address, then
you did not configure the DHCPv6 server to distribute the DNS server address to clients.
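The following added example (not part of the lab guide) parses the binding output shown in this step, decodes each DUID, and checks that a DUID-LL's MAC derives the client's link-local address and that leased addresses fall inside the pool prefix. The prefix 2001:DB8:16::/64 is inferred from the leased addresses, since the guide does not print it.

```python
"""Consistency checks over 'show ipv6 dhcp binding' output from Core1.

Added example, not part of the lab guide. SAMPLE is reconstructed from the
guide's output. The pool prefix 2001:DB8:16::/64 is inferred from the leased
addresses (the guide does not print it). A DUID-LL that does not derive the
client's link-local proves nothing by itself, but it is the kind of mismatch
worth a second look when auditing a binding table.
"""
import ipaddress
import re

SAMPLE = """\
Core1# show ipv6 dhcp binding
Client: FE80::A8BB:CCFF:FE01:D00 (Vlan22)
  DUID: 00030001AABBCC010D00
  IA NA: IA ID 0x00020001, T1 43200, T2 69120
    Address: 2001:DB8:16:0:16B:D955:A8E7:C876
             preferred lifetime 86400, valid lifetime 172800
             expires at Apr 24 2014 02:39 AM (172651 seconds)
Client: FE80::A8BB:CCFF:FE01:1400 (Vlan22)
  DUID: 00030001AABBCC011400
  IA NA: IA ID 0x00020001, T1 43200, T2 69120
    Address: 2001:DB8:16:0:E1B2:FF29:F672:373D
             preferred lifetime 86400, valid lifetime 172800
             expires at Apr 24 2014 02:39 AM (172655 seconds)
"""


def parse_bindings(text):
    """Return one dict per client with its link-local, interface, DUID and addresses."""
    clients = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Client:"):
            m = re.match(r"Client:\s+(\S+)\s+\((\S+)\)", line)
            clients.append({"link_local": m.group(1), "interface": m.group(2), "addresses": []})
        elif line.startswith("DUID:"):
            clients[-1]["duid"] = line.split()[1]
        elif line.startswith("Address:"):
            clients[-1]["addresses"].append(line.split()[1])
    return clients


def decode_duid(duid_hex):
    """Decode RFC 8415 DUID types 1 (LLT) and 3 (LL); other types stay opaque."""
    raw = bytes.fromhex(duid_hex)
    duid_type = int.from_bytes(raw[:2], "big")
    if duid_type == 3:                 # type(2) hw-type(2) link-layer address
        return {"type": "DUID-LL", "hw_type": int.from_bytes(raw[2:4], "big"),
                "mac": raw[4:].hex(":")}
    if duid_type == 1:                 # type(2) hw-type(2) time(4) link-layer address
        return {"type": "DUID-LLT", "hw_type": int.from_bytes(raw[2:4], "big"),
                "mac": raw[8:].hex(":")}
    return {"type": f"type-{duid_type}", "hw_type": None, "mac": None}


def eui64_link_local(mac):
    """Derive the EUI-64 link-local address a host forms from its MAC."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace(".", "")))
    octets[0] ^= 0x02                                # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def check(clients, prefix):
    """Return findings: DUID/link-local mismatches and addresses outside the pool."""
    pool = ipaddress.ip_network(prefix)
    findings = []
    for client in clients:
        duid = decode_duid(client["duid"])
        if duid["mac"] is not None:
            if eui64_link_local(duid["mac"]) != ipaddress.IPv6Address(client["link_local"]):
                findings.append(f"{client['link_local']}: DUID MAC {duid['mac']} "
                                "does not derive this link-local address")
        for address in client["addresses"]:
            if ipaddress.IPv6Address(address) not in pool:
                findings.append(f"{address}: leased outside pool {prefix}")
    return findings


if __name__ == "__main__":
    clients = parse_bindings(SAMPLE)
    for c in clients:
        print(c["link_local"], decode_duid(c["duid"]), c["addresses"])
    print(check(clients, "2001:DB8:16::/64") or "bindings are self-consistent")
```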
Step 2
1 There is a DHCPv6 binding on Core1 for the VLAN 33 prefix.
You should get the following results:
If the verification step is not successful, make sure that you have done the following:
• Configured a DHCPv6 pool with the specified VLAN 33 prefix on Core1.
• Configured the VLAN 33 interface with an IPv6 address on SW2.
• Associated the DHCPv6 pool with an interface.
• Configured the VLAN 33 interface on SW2 to act as a relay agent.
• Enabled PC3 for IPv6 and enabled it to acquire an IPv6 address via DHCP.
2 PC3 has obtained the DNS server IPv6 address via DHCPv6.
You should get the following results:
PC3# show ipv6 dhcp interface ethernet 0/0
<... output omitted ...>
DNS server: 2001:DB8:53::53
Information refresh time: 0
Prefix Rapid-Commit: disabled
Address Rapid-Commit: disabled
If PC3 obtained an IPv6 address via DHCP, but not the DNS address, then you did not
configure the DHCPv6 server to distribute the DNS server address to clients.
Step 3
1 SRV is manually configured with the IPv6 address 2001:DB8:21::11.
You should get the following results:
SRV# show ipv6 interface brief
Ethernet0/0 [up/up]
FE80::A8BB:CCFF:FE00:A500
2001:DB8:21::11
<... output omitted ...>
If you do not see the desired results, you have not configured the correct IPv6 address.
Challenge 4: Configure
EtherChannel
Your senior colleague, Dwayne, has given you and your fellow colleague, Greg, a job to do.
Your task is to bundle the four links between the distribution layer switches using EtherChannel. Greg will
be responsible for bundling two links for each of the following connections: SW1-DSW1 and SW2-DSW2.
Dwayne said that the link between the distribution layer switches should be in channel group 2, and that
bundles that connect distribution and access layer switches should belong to channel group 1. Also, he
would like you to use an open standard protocol to negotiate EtherChannel links, in case the company buys
a switch from a company other than Cisco in the future. Since the links between switches will carry data
from multiple VLANs, you will need to configure all EtherChannel links as trunks.
Greg tried to configure his part. He calls you and asks for help. Right now, neither of his two pairs of links
is bundled.
On the way to Greg, Dwayne sees you. He expresses his concern of choosing the best mechanism to load
balance across EtherChannel. You assure him that you know what you are doing.
Topology
Device Interface Connects To Port-Channel Group Number
Eth1/2 DSW2 1
Eth1/3 DSW2 1
Eth0/1 SW2
Eth0/2 R1
Eth0/3 SW1 1
Eth1/0 DSW2 2
Eth1/1 DSW2 2
Eth1/2 DSW2 2
Eth1/3 DSW2 2
Eth0/1 SW1
Eth0/2 R1
Eth0/3 SW2 1
Eth1/0 DSW1 2
Eth1/1 DSW1 2
Eth1/2 DSW1 2
Eth1/3 DSW1 2
R1 Eth0/1 DSW1
Eth0/2 DSW2
Eth0/3 Internet
Command Description
channel-group number mode mode: Specifies the port mode for the link in a port channel. Use this command in interface configuration mode.
interface range interface range: Enters interface configuration mode for the range of specified interfaces.
interface interface slot/number: Enters interface configuration mode for the specified interface.
port-channel load-balance load_balancing_option: Configures the specified load balancing for EtherChannel. Use this command in global configuration mode.
show etherchannel load-balance: Shows which information EtherChannel uses to load balance traffic.
show running-config interface interface slot/number: Filters the interface configuration from the running configuration of the device.
switchport mode trunk: Configures the interface as a trunk port. Use this command in interface configuration mode.
Verification
DSW1# show etherchannel 2 summary
Step 2
1 On DSW1 or SW1, verify the EtherChannel status of group 1. Each of the two ports should show a "P"
flag, indicating that EtherChannel group 1 is bundled. The protocol should be set to LACP.
You should get the following results:
DSW1# show etherchannel 1 summary
Flags: D - down P - bundled in port-channel
I - standalone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
Step 3
1 On DSW2 or SW2, verify the EtherChannel status of group 1. Each of the two ports should show a "P"
flag, indicating that EtherChannel group 1 is bundled. The protocol should be set to LACP.
You should get the following results:
DSW2# show etherchannel 1 summary
Flags: D - down P - bundled in port-channel
I - standalone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
Step 4
1 Make sure all four switches have EtherChannel load balancing set to src-dst-ip.
You should get the following results:
SW1# show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip
<... output omitted ...>
If you do not see the desired results, you have not configured the correct load-balancing mechanism.
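Dwayne's concern about the load-balancing mechanism, and the src-dst-ip check in Step 4, can be made concrete with a model of the hash. This is an added example, not from the lab guide: it follows the scheme Cisco documents for Catalyst EtherChannel (the low-order bits of the source address, the destination address, or the XOR of both select the link: 1 bit for two links, 2 bits for four, 3 bits for eight) as a simplified model; the MACs and flows are constructed.

```python
"""Model of how an EtherChannel picks the member link for a frame.

Added example, not part of the lab guide. It follows the scheme Cisco
documents for Catalyst EtherChannel as a simplified model: the low-order
bits of the source address, the destination address, or the XOR of both
select the link (1 bit for 2 links, 2 bits for 4, 3 bits for 8). Real
platforms hash into 8 buckets and vary by family, so use this to reason
about flow spread, not to predict a given switch. MACs and flows below
are constructed.
"""
import ipaddress


def _low_bits(value, n_links):
    bits = (n_links - 1).bit_length()          # 2 links -> 1 bit, 4 -> 2, 8 -> 3
    return value & ((1 << bits) - 1)


def _mac_int(mac):
    return int(mac.replace(":", "").replace(".", ""), 16)


def select_link(method, n_links, src_mac, dst_mac, src_ip, dst_ip):
    """Return the member-link index (0..n_links-1) chosen for one frame."""
    src_ip_i = int(ipaddress.ip_address(src_ip))
    dst_ip_i = int(ipaddress.ip_address(dst_ip))
    keys = {
        "src-mac": _mac_int(src_mac),
        "dst-mac": _mac_int(dst_mac),
        "src-dst-mac": _mac_int(src_mac) ^ _mac_int(dst_mac),
        "src-ip": src_ip_i,
        "dst-ip": dst_ip_i,
        "src-dst-ip": src_ip_i ^ dst_ip_i,
    }
    return _low_bits(keys[method], n_links)


def distribution(method, n_links, flows):
    """Frames per member link for flows given as (src_mac, dst_mac, src_ip, dst_ip)."""
    counts = [0] * n_links
    for flow in flows:
        counts[select_link(method, n_links, *flow)] += 1
    return counts


# Constructed: the gateway router (one MAC, one IP) sending one frame to each
# of eight VLAN 22 hosts across the four-link DSW1-DSW2 bundle.
R1_MAC, R1_IP = "aa:bb:cc:00:01:00", "192.168.22.1"
ROUTER_TO_HOSTS = [
    (R1_MAC, f"00:50:56:00:00:{host:02x}", R1_IP, f"192.168.22.{host}")
    for host in range(11, 19)
]


if __name__ == "__main__":
    # src-mac and src-ip pin everything from the router onto one link;
    # the src-dst methods spread the same eight flows evenly.
    for method in ("src-mac", "dst-mac", "src-ip", "src-dst-ip"):
        print(f"{method:11s} 4 links -> {distribution(method, 4, ROUTER_TO_HOSTS)}")
```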
Dennis is seeing a number of performance issues, and he wants you to help him with the following:
• He would like to speed up STP convergence. Dennis noticed that if a link fails, it takes a full half-minute until connectivity is restored. That delay is not acceptable.
• He is asking how STP root bridges should be set up. Right now, everything is left for the network to decide. After some discussion, the conclusion is that DSW1 should be the root bridge for VLANs 1, 10, and 20. DSW2 should be the root bridge for VLANs 30 and 40.
• The links between DSW1 and DSW2 are not efficiently used. Dennis is asking you to make switches DSW1 and DSW2 use both of these two links for all VLANs.
Topology
DSW1 and DSW2 are distribution layer switches. SW1 and SW2 are access layer switches.
Device Connections
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
channel-group number mode mode: Specifies the port mode for the link in a port channel. Use this command in interface configuration mode.
interface interface slot/number: Enters interface configuration mode for a specified interface.
interface range interface interface slot/number - number: Enters interface configuration mode for a specified range of interfaces.
show spanning-tree [vlan vlan_number]: Shows spanning-tree information, including the root bridge and STP port states. You can specify a VLAN to filter the output down to a specific STP instance.
spanning-tree vlan vlan_number root primary: Configures a switch to become the root bridge for a specified VLAN (STP instance).
spanning-tree vlan vlan_number root secondary: Configures a switch to become the root bridge for a specified VLAN (STP instance) if the primary root fails.
Verification
VLAN0001
Spanning tree enabled protocol rstp
<... output omitted ...>
VLAN0001
Spanning tree enabled protocol rstp
<... output omitted ...>
VLAN0001
Spanning tree enabled protocol rstp
<... output omitted ...>
VLAN0001
Spanning tree enabled protocol rstp
<... output omitted ...>
If you do not see the desired results, you have not configured all four switches to run
RSTP.
Step 2
1 Verify that DSW1 is the root bridge for VLANs 1, 10, and 20. Verify that DSW2 is the
root bridge for VLANs 30 and 40.
You should get the following results:
DSW1# show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 24577
Address aabb.cc00.8e00
This bridge is the root
<... output omitted ...>
DSW1# show spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 24586
Address aabb.cc00.8e00
This bridge is the root
<... output omitted ...>
DSW1# show spanning-tree vlan 20
VLAN0020
Spanning tree enabled protocol rstp
Root ID Priority 24596
Address aabb.cc00.8e00
This bridge is the root
<... output omitted ...>
DSW2# show spanning-tree vlan 30
VLAN0030
Spanning tree enabled protocol rstp
Root ID Priority 24606
Address aabb.cc00.8f00
This bridge is the root
<... output omitted ...>
DSW2# show spanning-tree vlan 40
VLAN0040
Spanning tree enabled protocol rstp
Root ID Priority 24616
Address aabb.cc00.8f00
This bridge is the root
<... output omitted ...>
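The following added example (not from the lab guide) parses these captures and checks the root plan mechanically, including the split of the Root ID priority into the 24576 base that root primary sets plus the VLAN number. The captures are reconstructed from the output above.

```python
"""Check 'show spanning-tree vlan N' captures against the intended root plan:
DSW1 roots VLANs 1, 10 and 20; DSW2 roots VLANs 30 and 40.

Added example, not part of the lab guide. CAPTURES is reconstructed from the
guide's output. Splitting the Root ID priority into a multiple of 4096 plus
the VLAN number (the extended system ID) is standard PVST+/Rapid PVST+
behaviour, and 24576 is the base that 'root primary' normally sets.
"""
import re

CAPTURES = {
    "DSW1": """\
DSW1# show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     aabb.cc00.8e00
             This bridge is the root
DSW1# show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     aabb.cc00.8e00
             This bridge is the root
DSW1# show spanning-tree vlan 20
VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    24596
             Address     aabb.cc00.8e00
             This bridge is the root
""",
    "DSW2": """\
DSW2# show spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol rstp
  Root ID    Priority    24606
             Address     aabb.cc00.8f00
             This bridge is the root
DSW2# show spanning-tree vlan 40
VLAN0040
  Spanning tree enabled protocol rstp
  Root ID    Priority    24616
             Address     aabb.cc00.8f00
             This bridge is the root
""",
}

PLAN = {1: "DSW1", 10: "DSW1", 20: "DSW1", 30: "DSW2", 40: "DSW2"}
ROOT_PRIMARY_BASE = 24576     # what 'spanning-tree vlan X root primary' sets


def parse_capture(text):
    """Yield one dict per VLAN block found in a capture."""
    parts = re.split(r"^VLAN(\d{4})[ \t]*$", text, flags=re.M)
    for vlan, body in zip(parts[1::2], parts[2::2]):
        yield {
            "vlan": int(vlan),
            "protocol": re.search(r"protocol (\w+)", body).group(1),
            "priority": int(re.search(r"Priority\s+(\d+)", body).group(1)),
            "root_mac": re.search(r"Address\s+([0-9a-f.]+)", body).group(1),
            "is_root": "This bridge is the root" in body,
        }


def split_priority(priority):
    """Return (base priority, extended system ID) of a bridge priority."""
    return priority & ~0xFFF, priority & 0xFFF


def check_plan(captures, plan=PLAN):
    """Return findings; empty means every captured VLAN matches the plan."""
    findings, seen = [], set()
    for switch, text in captures.items():
        for entry in parse_capture(text):
            vlan = entry["vlan"]
            base, ext = split_priority(entry["priority"])
            seen.add(vlan)
            if entry["protocol"] != "rstp":
                findings.append(f"{switch} VLAN {vlan}: protocol {entry['protocol']}, not rstp")
            if ext != vlan:
                findings.append(f"{switch} VLAN {vlan}: extended system ID {ext} != VLAN")
            if plan.get(vlan) == switch:
                if not entry["is_root"]:
                    findings.append(f"{switch} VLAN {vlan}: planned root but not the root")
                if base > ROOT_PRIMARY_BASE:
                    findings.append(f"{switch} VLAN {vlan}: root by priority {base}, "
                                    "'root primary' not applied")
    for vlan in sorted(set(plan) - seen):
        findings.append(f"VLAN {vlan}: no capture from planned root {plan[vlan]}")
    return findings


if __name__ == "__main__":
    print(check_plan(CAPTURES) or "root plan verified")
```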
Step 3
1 On DSW1, verify that links Ethernet 0/0 and 0/1 are bundled into an EtherChannel.
You should get the following results:
DSW1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
The "P" flag next to Ethernet 0/0 and Ethernet 0/1 tells you that these two interfaces are
bundled into an EtherChannel.
You would get the same results if you performed verification on DSW2.
If you do not see the desired results, you have not successfully bundled interfaces Ethernet
0/0 and 0/1 on DSW1 and DSW2.
Topology
DSW1 and DSW2 are distribution layer switches. SW1 and SW2 are access layer switches.
Device Connections
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
interface interface slot/number: Enters interface configuration mode for a specified interface.
interface range interface interface slot/number - number: Enters interface configuration mode for a specified range of interfaces.
show spanning-tree interface interface slot/number detail: Shows spanning-tree configuration and statistics on a specified port.
spanning-tree bpdufilter enable: Enables BPDU filter on a specific switch port. Use this command in interface configuration mode.
spanning-tree bpduguard enable: Enables BPDU guard on a port. Use this command in interface configuration mode.
spanning-tree guard loop: Enables loop guard. Use this command in interface configuration mode.
spanning-tree guard root: Enables root guard. Use this command in interface configuration mode.
spanning-tree portfast: Enables PortFast on a per-port basis. Use this command in interface configuration mode.
spanning-tree portfast bpdufilter default: Enables BPDU filter on all switch ports that have PortFast enabled. Use this command in global configuration mode.
spanning-tree portfast bpduguard default: Enables BPDU guard on all switch ports that have PortFast enabled. Use this command in global configuration mode.
spanning-tree portfast default: Enables PortFast on all switch ports that are defined as access. Use this command in global configuration mode.
Verification
Note that PortFast and BPDU guard must not be configured on any other port than
Ethernet 0/0 and Ethernet 0/1 on SW1 and Ethernet 0/0 and Ethernet 0/1 on SW2.
BPDU filter must not be configured on any port in the network.
If you do not see the desired results, the following is the likely cause:
• You made changes to PortFast or BPDU guard configuration, even though it was configured
properly.
• You have not removed BPDU filter configuration.
Step 2
1 Verify that root guard is enabled on Ethernet 0/2 and 0/3 on DSW1 and DSW2, and that it
is configured only on those ports.
You should get the following results:
DSW1# show spanning-tree interface ethernet 0/2 detail
<... output omitted ...>
Root guard is enabled on the port
BPDU: sent 1489, received 18
DSW1# show spanning-tree interface ethernet 0/3 detail
<... output omitted ...>
Root guard is enabled on the port
BPDU: sent 1494, received 22
Note that root guard must not be enabled on any other port than the DSW1 and DSW2
down-links.
If you do not see the desired results, the following is the likely cause:
• You have removed the existing root guard configuration for Ethernet 0/2 on both DSW1 and
DSW2.
• You have not configured root guard for Ethernet 0/3 on both DSW1 and DSW2.
Step 3
1 Verify that loop guard is configured on the SW1 and SW2 uplink ports. Verify that loop
guard is configured for all VLANs on the DSW1 and DSW2 port-channel interfaces.
You should get the following results:
SW1# show spanning-tree interface ethernet 0/2 detail
<... output omitted ...>
Loop guard is enabled on the port
<... output omitted ...>
SW1# show spanning-tree interface ethernet 0/3 detail
<... output omitted ...>
Loop guard is enabled on the port
<... output omitted ...>
If you do not see the desired results, the following is the likely cause:
• You have not configured loop guard on all ports that are, or can become, nondesignated.
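Steps 1 through 3 together define where each STP protection feature may and may not appear. The following added example (not part of the lab guide) audits constructed running-configs against that policy: SW1 is written to comply and DSW1 to violate it in three places; the port-channel loop-guard requirement of Step 3 is left out of the policy.

```python
"""Audit STP protection features in IOS running-configs against this lab's
port-role policy: PortFast and BPDU guard only on the SW1/SW2 access ports
Ethernet0/0-0/1, BPDU filter nowhere, root guard only on the DSW1/DSW2
down-links Ethernet0/2-0/3, loop guard on the SW1/SW2 uplinks Ethernet0/2-0/3.

Added example, not part of the lab guide. The two configs are constructed:
SW1 complies, DSW1 breaks the policy in three places. The port-channel
loop-guard requirement of Step 3 is left out of the policy for brevity.
"""
import re

CONFIGS = {
    "SW1": """\
spanning-tree mode rapid-pvst
!
interface Ethernet0/0
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Ethernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Ethernet0/2
 spanning-tree guard loop
!
interface Ethernet0/3
 spanning-tree guard loop
""",
    "DSW1": """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpdufilter default
!
interface Ethernet0/2
 spanning-tree guard root
!
interface Ethernet0/3
 spanning-tree portfast
""",
}

INTERFACE_FEATURES = {
    "spanning-tree portfast": "portfast",
    "spanning-tree bpduguard enable": "bpduguard",
    "spanning-tree bpdufilter enable": "bpdufilter",
    "spanning-tree guard root": "rootguard",
    "spanning-tree guard loop": "loopguard",
}
GLOBAL_FEATURES = {
    "spanning-tree portfast default": "portfast",
    "spanning-tree portfast bpduguard default": "bpduguard",
    "spanning-tree portfast bpdufilter default": "bpdufilter",
}
ACCESS = {"portfast", "bpduguard"}
POLICY = {  # switch -> interface -> the only STP features allowed there
    "SW1": {"Ethernet0/0": ACCESS, "Ethernet0/1": ACCESS,
            "Ethernet0/2": {"loopguard"}, "Ethernet0/3": {"loopguard"}},
    "DSW1": {"Ethernet0/2": {"rootguard"}, "Ethernet0/3": {"rootguard"}},
}
POLICY["SW2"], POLICY["DSW2"] = POLICY["SW1"], POLICY["DSW1"]


def parse_stp_features(config):
    """Return ({interface: set of features}, set of global defaults)."""
    interfaces, global_defaults, current = {}, set(), None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = header.group(1)
            interfaces[current] = set()
        elif line.startswith(" ") and current:
            feature = INTERFACE_FEATURES.get(line.strip())
            if feature:
                interfaces[current].add(feature)
        else:
            current = None                      # '!' or another global line
            if line.strip() in GLOBAL_FEATURES:
                global_defaults.add(GLOBAL_FEATURES[line.strip()])
    return interfaces, global_defaults


def audit(configs, policy=POLICY):
    """Return findings; empty means every config matches the policy."""
    findings = []
    for switch, config in configs.items():
        interfaces, global_defaults = parse_stp_features(config)
        allowed = policy.get(switch, {})
        for feature in sorted(global_defaults):
            # A global default reaches every access port, not only approved ones.
            findings.append(f"{switch}: global '{feature} default' present")
        for intf, features in interfaces.items():
            for f in sorted(features - allowed.get(intf, set())):
                findings.append(f"{switch} {intf}: {f} not permitted here")
            for f in sorted(allowed.get(intf, set()) - features):
                findings.append(f"{switch} {intf}: {f} required but missing")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS) or ["all configs match the policy"]:
        print(finding)
```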
Challenge 7: Configure MST
A customer is running Rapid PVST+ in their network. Their engineer, Carol, did a great job of load-balancing traffic for VLANs 10 through 50.
However, Carol will be required to configure many more VLANs in the future and she is afraid of
performance issues due to the large number of VLAN instances.
Topology
In this network, ASW1, ASW2, and ASW3 are access layer switches. SW1, SW2, and SWB connect to
other parts of the customer network.
Device Connections
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
instance instance_number vlan vlan_range: Maps VLANs to an MST instance. If you do not specify the vlan keyword, you can use the no keyword to unmap all the VLANs that were mapped to an MST instance. If you specify the vlan keyword, you can use the no keyword to unmap a specified VLAN from an MST instance. Use this command in MST configuration mode.
name name: Sets the MST region name. Use this command in MST configuration mode.
revision revision_number: Sets the MST configuration revision number. Use this command in MST configuration mode.
show current: Displays the current MST configuration. Use this command from MST configuration mode.
show pending: Displays the pending MST configuration. Issue this command in MST configuration mode. Use end or exit to apply the pending configuration.
show spanning-tree interface interface slot/number: Shows spanning-tree information for the specified interface.
show spanning-tree mst [instance_no1[,instance_no2[,...]]]: Displays the current MST configuration for the specified instances.
spanning-tree mode mst: Changes STP on a switch to MST. Use this command in global configuration mode.
spanning-tree mst instance_number root {primary | secondary}: Configures a switch as the primary or secondary root bridge.
Verification
ASW1(config-mst)# show current
Current MST configuration
Name [SWITCH]
Revision 1 Instances configured 3
If you do not see the desired results, one or more of these reasons could be the cause:
• You have not configured all switches with the MST region "SWITCH".
• You have not configured all switches with the MST revision "1".
• You have not configured correct VLAN-to-instance mappings.
• You have not applied the MST configuration using the exit or end commands.
Step 2
1 Check that all switches are running MST, that SW1 is the root bridge for MSTI1, and that
SW2 is the root bridge for MSTI2.
You should get the following results:
SW2# show spanning-tree mst 1,2
If you do not see the desired results, check that the following is true:
• You have configured SW1 to be the root bridge for MSTI1.
• You have configured SW2 to be the root bridge for MSTI2.
• You have enabled MST on all switches.
Challenge 8: Configure
Routing Between VLANs
with a Router
A router has failed in a customer network. Because the customer did not save the configuration, the
engineer, Dennis, replaced the router and tried to reconfigure it.
Dennis asks you to configure R1 to route between clients in VLANs 10, 20, 30, and 40. Dennis insists that
you must not make any changes to the configuration of the user PCs.
Note Hopefully, Dennis did not change any other configurations in the network.
Topology
DSW1 and DSW2 are distribution layer switches. SW1 and SW2 are access layer switches. R1 is the Layer
3 device that is intended to route between VLANs.
Job Aids
Note If you shut down an interface on a real router or switch, the connected device will see it as
"down/down." Due to virtualization specifics, IOL behavior is slightly different. If you shut down
an interface on a router or switch, the connected device will see it as "up/up." In IOL, the
status of an interface can only be "up/up" or "administratively down/down."
Device Connections
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
encapsulation dot1Q vlan_number: Configures IEEE 802.1Q encapsulation on the interface. Use this command in interface configuration mode.
interface interface slot/number[.subinterface]: Enters interface configuration mode for the specified interface or subinterface.
interface range interface interface slot/number - number: Enters interface configuration mode for a specified range of interfaces.
ip address address subnet_mask: Configures the IP address. Use this command in interface configuration mode.
ping ip_address: Performs an ICMP connectivity test to the specified IPv4 or IPv6 address.
switchport mode {access | trunk}: Configures the interface type to a trunking or nontrunking mode. Use this command in interface configuration mode.
switchport trunk encapsulation dot1q: Configures the trunk encapsulation format to IEEE 802.1Q. Use this command in interface configuration mode.
Verification
Challenge 9: Configure
Routing on a Multilayer
Switch
At your company, network upgrades are occurring. Two new Layer 3 switches are purchased. The senior
engineer, Dwayne, wired up the switches and did some initial configuration.
Topology
Device Connections
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
channel-group group_number mode mode: Assigns an interface to an EtherChannel bundle. Use this command in interface configuration mode.
encapsulation dot1Q vlan_number: Configures encapsulation IEEE 802.1Q on the interface. Use this command in interface configuration mode.
interface range interface interface slot/number - number: Enters interface configuration mode for a specified range of interfaces.
ip address address subnet_mask: Configures an IP address. Use this command in interface configuration mode. Use no in front to remove the configured IP address from the interface.
network ip_address mask area area_number: Enables interfaces for the OSPF process in a specified area. Those interfaces that fall within the specified subnet will be enabled for OSPF.
router ospf process-id: Creates the OSPF routing process with a specified process ID. Use this command in global configuration mode.
switchport mode {access | trunk}: Configures the interface type to a trunking or nontrunking mode. Use this command in interface configuration mode.
switchport trunk encapsulation dot1q: Configures the trunk encapsulation format to IEEE 802.1Q. Use this command in interface configuration mode.
traceroute ip_address: Discovers the route that packets actually take when traveling to their destination.
Verification
Step 2
1 Check that you can successfully ping PC4 at 192.168.11.12 from PC3.
You should get the following results:
PC3# ping 192.168.11.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Step 3
1 On DSW1, verify that it acquired a default route via OSPF. On DSW2, verify that it
acquired a default route via OSPF. On R1, verify that it sees two OSPF neighbors: DSW1
and DSW2. On DSW1, verify that it sees two OSPF neighbors: R1 and DSW2.
You should get the following results:
DSW1# show ip route
<... output omitted ...>
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 01:27:34, Ethernet0/2
<... output omitted ...>
Step 4
1 On SW, verify that the Ethernet 0/0 and Ethernet 0/1 interfaces are bundled (denoted by
"P" flags) into a Layer 2 EtherChannel (denoted by the "SU" flag).
You should get the following results:
Challenge 10: Configure NTP
The senior engineer, Dwayne, prepared an NTP design for the company network, and he has asked you to
implement it.
You need to synchronize the time of R1 and R2 to five NTP servers. You can find NTP server information
in the Job Aids section. Other network devices should synchronize their time to R1 and R2. Dwayne wants
you to ensure that time will be synchronized between devices in the network even if there is no connectivity
to the Internet. Dwayne also mentioned that you should ensure that R1 and R2 will only be used for time
synchronization by devices in your network (that is, the 192.168.0.0/16 subnet).
Note The company is on Central European Time, which is offset +2 hours from UTC. The country in which the company is located uses the summer time setting.
Topology
Device Connections
IP Address Remark
209.165.201.44 —
209.165.201.111 —
209.165.201.133 —
209.165.201.222 —
209.165.201.233 Preferred
Commands
Command Description
access-list access_list_number {permit | deny} ip_address wildcard_mask: Creates an access list rule. Use this command in global configuration mode.
clock summer-time zone recurring: Configures the system to switch automatically to summer time every year. Use this command in global configuration mode.
clock timezone zone hours_offset: Sets the time zone for display, with the offset in hours from UTC. Use this command in global configuration mode.
interface interface slot/number: Enters interface configuration mode for the specified interface.
ntp access-group {query-only | serve-only | serve | peer} access_list_number: Controls access to the NTP services of the device. Use this command in global configuration mode.
ntp server ip_address [prefer]: Allows the software clock to be synchronized by an NTP time server. The prefer keyword specifies that this server is preferred over the other configured NTP servers.
show clock detail: Displays the system clock and indicates the time zone, the time source, and the current summer time setting.
show running-config | section section: Displays the part of the currently running configuration that belongs to the specified section.
Task 1: Configure NTP
Step 1 Configure NTP time synchronization on all routers and switches.
Step 2 Make sure that R1 and R2 provide a clock synchronization service even if they lose Internet
connectivity.
Step 3 Secure R1 and R2 from advertising their time information to the Internet.
Verification
Step 2
1 Verify that R1 and R2 are configured as NTP masters, each with a stratum level higher
than 1.
R2# show ntp associations
Step 3
1 Verify that R1 and R2 are both configured to allow synchronization requests from only the
192.168.0.0/16 subnet. Both R1 and R2 should allow "peer" access to the internal NTP
master IP address of 127.127.1.1. Both R1 and R2 should still synchronize their clocks.
R1# show run | include ntp access-group
ntp access-group peer 1
ntp access-group serve-only 2
R1# show run | include access-list
access-list 1 permit 127.127.7.1
access-list 2 permit 192.168.0.0 0.0.255.255
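The Step 3 requirement (clients only from 192.168.0.0/16, peer access only for the internal NTP master address) can be checked mechanically from the same two `show run | include` outputs. The following script is an added example for this lab, not Cisco tooling: it parses standard access-list entries and `ntp access-group` bindings and reports any entry that opens NTP beyond what the design allows. R1_CONFIG is taken from the verification output above; OPEN_CONFIG is a constructed counter-example in which an extra `permit any` entry silently widens the serve-only ACL. Only the Python standard library is used.

```python
"""Audit NTP access control in a Cisco IOS running-config.

Added example for this lab (not Cisco's own code). It checks that
'ntp access-group serve-only' permits nothing outside the client range,
that 'ntp access-group peer' permits only the internal NTP master
address, and that both access groups exist at all.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$")
NTP_AG_RE = re.compile(r"^ntp access-group\s+(query-only|serve-only|serve|peer)\s+(\d+)\s*$")

# Taken from the R1 verification output on this page.
R1_CONFIG = """\
ntp access-group peer 1
ntp access-group serve-only 2
access-list 1 permit 127.127.7.1
access-list 2 permit 192.168.0.0 0.0.255.255
"""

# Constructed counter-example: the second entry opens serve-only to anyone,
# and no peer access group is configured at all.
OPEN_CONFIG = """\
ntp access-group serve-only 2
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 permit any
"""


def acl_entry_to_network(addr, wildcard):
    """Turn an IOS standard-ACL source ('any', 'host A', 'A', or 'A W') into an IPv4Network."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if addr == "host":
        addr, wildcard = wildcard, None
    wild = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
    if wild & (wild + 1):
        # A wildcard that is not a run of low-order one bits has no prefix length.
        raise ValueError("non-contiguous wildcard %s not supported" % wildcard)
    mask = ~wild & 0xFFFFFFFF
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & mask, bin(mask).count("1")))


def parse_config(text):
    """Collect ACL entries (number -> [(action, network)]) and ntp access-group bindings (mode -> ACL number)."""
    acls, ntp = {}, {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            num, action, addr, wild = m.groups()
            acls.setdefault(num, []).append((action, acl_entry_to_network(addr, wild)))
            continue
        m = NTP_AG_RE.match(line.strip())
        if m:
            ntp[m.group(1)] = m.group(2)
    return acls, ntp


def audit_ntp(text, client_range, master_addr):
    """Return a list of findings; an empty list means the config meets the lab requirement."""
    acls, ntp = parse_config(text)
    allowed = ipaddress.IPv4Network(client_range)
    master = ipaddress.IPv4Network(master_addr)
    findings = []
    for mode in ("serve-only", "peer"):
        if mode not in ntp:
            findings.append("no 'ntp access-group %s' configured" % mode)
    if "serve-only" in ntp:
        permits = [n for a, n in acls.get(ntp["serve-only"], []) if a == "permit"]
        if not permits:
            findings.append("serve-only ACL %s has no permit entry" % ntp["serve-only"])
        for net in permits:
            if not net.subnet_of(allowed):
                findings.append("serve-only permits %s, outside %s" % (net, allowed))
    if "peer" in ntp:
        for a, net in acls.get(ntp["peer"], []):
            if a == "permit" and net != master:
                findings.append("peer permits %s; only %s should be allowed" % (net, master))
    return findings


if __name__ == "__main__":
    print("R1:", audit_ntp(R1_CONFIG, "192.168.0.0/16", "127.127.7.1/32") or "ok")
    print("open:", audit_ntp(OPEN_CONFIG, "192.168.0.0/16", "127.127.7.1/32"))
```

Feed it the output of `show run | include ntp access-group` and `show run | include access-list` from each router. The master address argument is whatever the local `ntp master` pseudo-clock uses on your IOS release; the page's verification output shows 127.127.7.1 in the ACL.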
Challenge 11: Configure Network Monitoring Using the Cisco IOS IP SLA
The senior engineer, Dwayne, tells you that users on PC1 and PC2 are experiencing problems with
browsing to an Internet server at 209.165.200.233. He asks you to immediately configure a Cisco IOS IP
SLA that will run for 48 hours and that will conduct an HTTP connectivity test every 90 seconds. Dwayne
tells you that the IP SLA test should run on the switch DSW1 and use the VLAN 22 IP subnet as the source.
Dwayne also mentions that a while ago he attempted to configure an IP SLA on R1 that would test the
availability of an Internet server at 209.165.200.157 every 60 seconds. However, it never worked. He asks
you to troubleshoot it.
Topology
Device Connections
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
frequency frequency: Sets the interval at which the IP SLA test runs. Use this command in IP SLA configuration mode.
http get http://ip_address: Configures an IP SLA test that performs an HTTP GET to the specified IP address. Use this command in IP SLA configuration mode.
ip sla operation_number: Defines the IP SLA operation. You then use the operation number to schedule the test to run. Use this command in global configuration mode.
ip sla schedule operation_number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]: Schedules the IP SLA operation to run. Use this command in global configuration mode.
show ip sla application: Shows the supported IP SLA tests, how many operations are configured, how many are active, and so on.
Verification
Step 2
1 Verify that R1 has one IP SLA test running and that the number of successful attempts is
greater than one.
R1# show ip sla application
<... output omitted ...>
Estimated number of configurable operations: 41761
Number of Entries configured : 1
Number of active Entries : 1
Number of pending Entries : 0
<... output omitted ...>
Note You can find the default gateway information for the PCs in the Job Aids.
Note If you need to test Internet connectivity from end-user devices, ping the IP address
209.165.201.225.
Topology
Device Information
R1 (0/1.11) 10.0.11.2
R1 (0/2.22) 10.0.22.3
R2 (0/1.11) 10.0.11.3
R2 (0/2.22) 10.0.22.2
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
interface interface slot/number: Enters interface configuration mode for the specified interface.
show standby [interface slot/number]: Shows the status of HSRP groups. You can filter the output by the interface on which the standby group is configured.
standby standby_group authentication md5 key-string string: Configures MD5 authentication for the specified HSRP group. Use this command in interface configuration mode.
standby standby_group ip ip_address: Defines the virtual IP address for the specified HSRP group. Use this command in interface configuration mode.
standby standby_group preempt: Enables preemption for the specified HSRP group. Use this command in interface configuration mode.
standby standby_group priority priority: Sets the priority of the interface, belonging to an HSRP group, to the specified priority number. By default this number is 100. Use this command in interface configuration mode.
standby standby_group track interface slot/number priority_decrement: Enables HSRP interface tracking and changes the standby priority based on the state of the tracked interface. Use this command in interface configuration mode.
Verification
R2# show standby
Ethernet0/1.11 - Group 11
State is Standby
1 state change, last state change 00:04:49
Virtual IP address is 10.0.11.1
Active virtual MAC address is 0000.0c07.ac0b
Local virtual MAC address is 0000.0c07.ac0b (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.872 secs
Authentication MD5, key-string
Preemption enabled
Active router is 10.0.11.2, priority 110 (expires in 8.432 sec)
Standby router is local
Priority 90 (configured 90)
Group name is "hsrp-Et0/1.11-11" (default)
Ethernet0/2.22 - Group 22
State is Active
2 state changes, last state change 00:04:38
Virtual IP address is 10.0.22.1
Active virtual MAC address is 0000.0c07.ac16
Local virtual MAC address is 0000.0c07.ac16 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.192 secs
Authentication MD5, key-string
Preemption enabled
Active router is local
Standby router is 10.0.22.3, priority 90 (expires in 9.856 sec)
Priority 110 (configured 110)
Track interface Ethernet0/0 state Up decrement 30
Group name is "hsrp-Et0/2.22-22" (default)
For example, R1 is the active router for VLAN 11 and has its priority set to 110. R2,
which serves as the standby router, has its priority set to 90. The decrement that is
configured for that VLAN should be larger than the difference between these two
priorities, 110 and 90, so it is more than 20.
If you do not see the desired results, check the following:
• You enabled tracking of the R1 uplink in the R1 VLAN 11 HSRP group.
• You enabled tracking of the R2 uplink in the R2 VLAN 22 HSRP group.
• You configured pre-emption in the R1 VLAN 11 and R2 VLAN 22 HSRP groups.
• You configured tracking with an HSRP decrement that is bigger than the difference between
the priorities of the active and standby routers.
• The HSRP group numbers match the numbers of the VLANs that they serve.
Gregory wants the VRRP configuration to be similar to the preconfigured HSRP in the network:
• R1 should, whenever available, be the master for VLAN 11 clients and the backup for VLAN 22 clients.
• R2 should, whenever available, be the master for VLAN 22 clients and the backup for VLAN 11 clients.
• For self-documentation, the VRRP group numbers should match the numbers of the VLANs that they serve.
• If the router uplink fails, make sure that the traffic from the PCs does not take a suboptimal path. The network is a little underprovisioned, so Gregory worries that suboptimal traffic could have bad consequences for the whole network.
• Secure the VRRP peers. Make sure that no VRRP device can join the VRRP peers on the network without a proper key.
Note You can find the default gateway information for the PCs in the Job Aids.
Note If you need to test Internet connectivity from end-user devices, ping the IP address
209.165.201.225.
Topology
Device Information
R1 (0/1.11) 10.0.11.2
R1 (0/2.22) 10.0.22.3
R2 (0/1.11) 10.0.11.3
R2 (0/2.22) 10.0.22.2
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
interface interface slot/number: Enters interface configuration mode for the specified interface.
show vrrp [interface slot/number]: Shows the status of VRRP groups. You can filter the output by the interface on which the VRRP group is configured.
vrrp vrrp_group authentication md5 key-string string: Configures MD5 authentication for the specified VRRP group. Use this command in interface configuration mode.
vrrp vrrp_group ip ip_address: Defines the virtual IP address for the specified VRRP group. Use this command in interface configuration mode.
vrrp vrrp_group preempt: Enables preemption for the specified VRRP group. Use this command in interface configuration mode.
vrrp vrrp_group priority priority: Sets the priority of the interface, belonging to a VRRP group, to the specified priority number. By default this number is 100. Use this command in interface configuration mode.
vrrp vrrp_group track object_number decrement priority_decrement: Enables VRRP object tracking and changes the VRRP priority based on the state of the tracked object. Use this command in interface configuration mode.
Verification
Ethernet0/2.22 - Group 22
State is Backup
Virtual IP address is 10.0.22.1
Virtual MAC address is 0000.5e00.0116
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 90
Authentication MD5, key-string
Master Router is 10.0.22.2, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.648 sec (expires in 3.483 sec)
R2# show vrrp
Ethernet0/1.11 - Group 11
State is Backup
Virtual IP address is 10.0.11.1
Virtual MAC address is 0000.5e00.010b
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 90
Authentication MD5, key-string
Master Router is 10.0.11.2, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.648 sec (expires in 3.296 sec)
Ethernet0/2.22 - Group 22
State is Master
Virtual IP address is 10.0.22.1
Virtual MAC address is 0000.5e00.0116
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Track object 1 state Up decrement 30
Authentication MD5, key-string
Master Router is 10.0.22.2 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec
Ethernet0/2.22 - Group 22
State is Backup
Virtual IP address is 10.0.22.1
Virtual MAC address is 0000.5e00.0116
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 90
Authentication MD5, key-string
Master Router is 10.0.22.2, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.648 sec (expires in 3.323 sec)
R2# show track
Track 1
Interface Ethernet0/0 line-protocol
Line protocol is Up
1 change, last change 00:09:03
Tracked by:
VRRP Ethernet0/2.22 22
For example, R1 is the master for VLAN 11 and has its priority set to 110. R2, which
serves as the backup, has its priority set to 90. The decrement that is configured for that
VLAN should be larger than the difference between these two priorities, 110 and 90, so it
is more than 20.
• Basic VRRP is properly configured.
• The VRRP group numbers match the numbers of the VLANs that they serve.
Maya has prepared the design of the GLBP implementation, but she now needs your help with the configuration:
• Configure one single GLBP group for all end devices in the network to use as a default gateway.
• R1 should, whenever available, be the active virtual gateway.
• R1, R2, and R3 should be the virtual forwarders.
• Maya has already configured new default gateways on all PCs.
• If any of the router uplinks fail, the traffic from the PCs should not take a suboptimal path.
• Secure the GLBP peers, and make sure that no GLBP device can join the GLBP peers on the network without a proper key.
Note You can find the default gateway information for the PCs in the Job Aids.
Note When you need to test your GLBP configuration, ping the server IP address of 192.168.0.44
from any of the end-user devices.
Topology
Device Information
All three PCs use the 192.168.10.1 IP address as the default gateway.
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Commands
Command Description
interface interface slot/number: Enters interface configuration mode for the specified interface.
glbp glbp_group authentication md5 key-string string: Configures MD5 authentication for the specified GLBP group. Use this command in interface configuration mode.
glbp glbp_group ip ip_address: Defines the virtual IP address for the specified GLBP group. Use this command in interface configuration mode.
glbp glbp_group preempt: Enables preemption for the specified GLBP group. Use this command in interface configuration mode.
glbp glbp_group priority priority: Sets the priority of the interface, belonging to a GLBP group, to the specified priority number. By default this number is 100. Use this command in interface configuration mode.
glbp glbp_group weighting maximum lower lower upper upper: Defines the initial weighting value of the GLBP gateway together with its lower and upper thresholds. Use this command in interface configuration mode.
glbp glbp_group weighting track object_number decrement decrement: Enables GLBP object tracking and changes the GLBP weighting based on the availability of the tracked object. Use this command in interface configuration mode.
show glbp [interface slot/number]: Shows the status of GLBP groups. You can filter the output by the interface on which the GLBP group is configured.
Verification
R2# show glbp
Ethernet0/0 - Group 1
State is Listen
Virtual IP address is 192.168.10.1
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.336 secs
Redirect time 600 sec, forwarder timeout 14400 sec
Authentication MD5, key-string
Preemption enabled, min delay 0 sec
Active is 192.168.10.11, priority 110 (expires in 10.464 sec)
Standby is 192.168.10.13, priority 100 (expires in 7.872 sec)
Priority 100 (default)
Weighting 100 (configured 100), thresholds: lower 80, upper 90
Track object 1 state Up decrement 30
Load balancing: round-robin
Group members:
aabb.cc01.0400 (192.168.10.11) authenticated
aabb.cc01.0900 (192.168.10.12) local
aabb.cc01.0a00 (192.168.10.13) authenticated
There are 3 forwarders (1 active)
<... output omitted ...>
In this example, R1 has the weighting at 100 and the minimum threshold set to 80. The
decrement that is configured should be larger than the difference between these two
values, 100 and 80, so it is more than 20. The upper threshold should be higher than the
lower threshold and lower than the weighting, so it can be any value between 80 and 100.
If you do not see the desired results, check the following:
• You enabled object tracking of the R1 uplink and you configured the R1 GLBP group to
track that object.
• You enabled object tracking of the R2 uplink and you configured the R2 GLBP group to
track that object.
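The weighting rule stated above (decrement larger than weighting minus lower threshold; lower threshold below upper threshold below weighting) is easy to get wrong and easy to verify. The script below is an added example for this lab, not Cisco code: it reads the `Weighting` and `Track object` lines from `show glbp`, applies both rules, and then walks the tracked object through a Down/Up sequence to show when the gateway stops and resumes forwarding. SHOW_GLBP_R2 is trimmed from R2's output on this page; the event sequence and the undersized decrement in the usage are constructed. The hysteresis model (give up the forwarder role below the lower threshold, take it back only at the upper threshold) follows the documented GLBP behaviour, with the exact boundary comparisons treated as a simplifying assumption.

```python
"""Check a GLBP weighting design against 'show glbp' output.

Added example for this lab (not Cisco's own code).
"""
import re

# Trimmed from the R2 'show glbp' output on this page.
SHOW_GLBP_R2 = """\
Ethernet0/0 - Group 1
  State is Listen
  Virtual IP address is 192.168.10.1
  Priority 100 (default)
  Weighting 100 (configured 100), thresholds: lower 80, upper 90
  Track object 1 state Up decrement 30
  Load balancing: round-robin
"""

WEIGHT_RE = re.compile(
    r"Weighting\s+(\d+)\s+\(configured\s+(\d+)\),\s+thresholds:\s+lower\s+(\d+),\s+upper\s+(\d+)")
TRACK_RE = re.compile(r"Track object\s+(\d+)\s+state\s+(\w+)\s+decrement\s+(\d+)")


def parse_glbp(text):
    """Extract the weighting parameters of the first GLBP group in the output."""
    w = WEIGHT_RE.search(text)
    t = TRACK_RE.search(text)
    if not w:
        raise ValueError("no Weighting line in output")
    return {
        "current": int(w.group(1)), "configured": int(w.group(2)),
        "lower": int(w.group(3)), "upper": int(w.group(4)),
        "decrement": int(t.group(3)) if t else None,
        "track_state": t.group(2) if t else None,
    }


def check_design(p):
    """Return findings for the design rules from the lab text; an empty
    list means an uplink failure will push the weighting below 'lower'."""
    findings = []
    if p["decrement"] is None:
        findings.append("no tracked object: an uplink failure will not change the weighting")
    elif p["decrement"] <= p["configured"] - p["lower"]:
        findings.append("decrement %d must exceed weighting - lower = %d"
                        % (p["decrement"], p["configured"] - p["lower"]))
    if not (p["lower"] < p["upper"] < p["configured"]):
        findings.append("thresholds must satisfy lower < upper < weighting")
    return findings


def simulate(configured, lower, upper, decrement, track_states):
    """Apply a sequence of tracked-object states ('Down'/'Up') and return
    (weighting, forwarding) after each one. A forwarder gives up its role
    when the weighting drops below 'lower' and resumes only once it reaches
    'upper' again; the boundary comparisons are a simplifying assumption."""
    weighting, forwarding, trace = configured, True, []
    for state in track_states:
        weighting = configured - (decrement if state == "Down" else 0)
        if forwarding and weighting < lower:
            forwarding = False
        elif not forwarding and weighting >= upper:
            forwarding = True
        trace.append((weighting, forwarding))
    return trace


if __name__ == "__main__":
    params = parse_glbp(SHOW_GLBP_R2)
    print("design findings:", check_design(params) or "none")
    # Uplink down then up with the lab's values: forwarder stops, then resumes.
    print(simulate(100, 80, 90, 30, ["Down", "Up"]))
    # Constructed: a decrement of 15 leaves the weighting at 85, above the lower
    # threshold, so the gateway keeps forwarding over its failed uplink.
    print(simulate(100, 80, 90, 15, ["Down"]))
```

The second simulation is the failure mode the scenario warns about: a decrement that does not clear the lower threshold leaves the router forwarding for its clients through a dead uplink, which is exactly the suboptimal path Maya wants to avoid.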
Step 3
1 Verify that you have MD5 authentication configured for the GLBP group. There still have
to be three forwarders in the GLBP group.
R1# show glbp
Ethernet0/0 - Group 1
State is Active
1 state change, last state change 00:02:22
Virtual IP address is 192.168.10.1
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.336 secs
Redirect time 600 sec, forwarder timeout 14400 sec
Authentication MD5, key-string
Preemption enabled, min delay 0 sec
Active is local
Standby is 192.168.10.13, priority 100 (expires in 9.504 sec)
Priority 110 (configured)
Weighting 100 (configured 100), thresholds: lower 80, upper 90
Track object 1 state Up decrement 30
Load balancing: round-robin
Group members:
aabb.cc01.0400 (192.168.10.11) local
aabb.cc01.0900 (192.168.10.12) authenticated
aabb.cc01.0a00 (192.168.10.13) authenticated
There are 3 forwarders (1 active)
<... output omitted ...>
The routers have to see each other, so there still have to be three forwarders. Otherwise,
the keys have been misconfigured.
If you do not see the desired results, check the following:
• R1, R2, and R3 each have matching MD5 authentication configured for the GLBP group.
• R1, R2, and R3 belong to the same GLBP group.
• Basic GLBP is configured properly.
Challenge 15: Configure HSRP for IPv6
A former colleague, Nikita, has her own company that is growing quickly. Because the company is new, she
decided to implement IPv6 addressing only. Nikita thinks that native IPv6 first-hop redundancy is not fast
enough. She asks you to implement HSRP.
Dwayne, one of your senior colleagues, provided you with a high-level design of HSRP for IPv6 in the network:
• R1 should, whenever available, be active for VLAN 10 clients and in standby mode for VLAN 20 clients.
• R2 should, whenever available, be active for VLAN 20 clients and in standby mode for VLAN 10 clients.
• For self-documentation, the HSRP group numbers should match those of the VLANs that they serve.
• If the router uplink fails, make sure that the traffic from the PCs does not take a suboptimal path. Use the native HSRP mechanism to implement this solution.
• Speed up the default protocol behavior. Set the hello time to 50 milliseconds, and set the hold time to 200 milliseconds.
Note Neighbor discovery in IOL behaves a little differently than on real hardware. In IOL, failover times with neighbor discovery are much shorter than on real hardware.
Topology
Device Information
The PCs obtain their default gateway via IPv6 router advertisements.
Trunking Information
R1 (0/0.10) 2001:db8:1210::2/64
R1 (0/0.20) 2001:db8:1210::3/64
R2 (0/0.10) 2001:db8:1220::2/64
R2 (0/0.20) 2001:db8:1220::3/64
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Commands
Command Description
interface interface slot/number: Enters interface configuration mode for the specified interface.
show standby [interface slot/number]: Shows the status of HSRP groups. You can filter the output by the interface on which the standby group is configured.
standby standby_group ipv6 {autoconfig | ipv6_address}: Defines the virtual IPv6 address for the specified HSRP group. Use this command in interface configuration mode.
standby standby_group preempt: Enables preemption for the specified HSRP group. Use this command in interface configuration mode.
standby standby_group priority priority: Sets the priority of the interface, belonging to an HSRP group, to the specified priority number. By default this number is 100. Use this command in interface configuration mode.
standby standby_group timers [msec] hello_time [msec] holdtime: Configures the time between hello packets and the time before other routers declare the active or standby HSRP device to be down. Use this command in interface configuration mode.
standby standby_group track interface slot/number priority_decrement: Enables HSRP interface tracking and changes the standby priority based on the state of the tracked interface. Use this command in interface configuration mode.
Verification
R2# show standby
Ethernet0/0.10 - Group 10 (version 2)
State is Standby
1 state change, last state change 00:03:16
Virtual IP address is FE80::5:73FF:FEA0:A
Active virtual MAC address is 0005.73a0.000a
Local virtual MAC address is 0005.73a0.000a (v2 IPv6 default)
Hello time 50 msec, hold time 200 msec
Next hello sent in 0.032 secs
Preemption enabled
Active router is FE80::A8BB:CCFF:FE01:C00, priority 110 (expires in 0.176 sec)
MAC address is aabb.cc01.0c00
Standby router is local
Priority 90 (configured 90)
Group name is "hsrp-Et0/0.10-10" (default)
Ethernet0/0.20 - Group 20 (version 2)
State is Active
2 state changes, last state change 00:03:01
Virtual IP address is FE80::5:73FF:FEA0:14
Active virtual MAC address is 0005.73a0.0014
Local virtual MAC address is 0005.73a0.0014 (v2 IPv6 default)
Hello time 50 msec, hold time 200 msec
Next hello sent in 0.032 secs
Preemption enabled
Active router is local
Standby router is FE80::A8BB:CCFF:FE01:C00, priority 90 (expires in 0.176 sec)
Priority 110 (configured 110)
Track interface Ethernet0/2 state Up decrement 30
Group name is "hsrp-Et0/0.20-20" (default)
For example, R2 is the active router for VLAN 20 and has its priority set to 110. R1, which serves as the standby router, has its priority set to 90. The decrement that is configured for that VLAN must be larger than the difference between these two priorities, 110 and 90, so it must be more than 20. The output above uses a decrement of 30: when Ethernet 0/2 goes down, R2 drops to priority 80, below R1, and R1 takes over.
If you do not see the desired results, check the following:
• You enabled tracking of the R1 uplink in the R1 VLAN 10 HSRP group.
• You enabled tracking of the R2 uplink in the R2 VLAN 20 HSRP group.
• You configured preemption in the HSRP groups on both routers (the output above shows it enabled in both groups on R2). Without preemption, a router whose priority becomes the highest in the group does not take over the active role, and the router that lost the role does not take it back when its uplink recovers.
• You configured tracking with an HSRP decrement that is larger than the difference between the priorities of the active and standby routers.
• The HSRP group numbers match the numbers of the VLANs that they serve.
Step 3
1 Verify that the timers for each IPv6 HSRP group are configured to 50 milliseconds for the
hello time and 200 milliseconds for the hold time.
R1# show standby
Ethernet0/0.10 - Group 10 (version 2)
<... output omitted ...>
Hello time 50 msec, hold time 200 msec
<... output omitted ...>
Ethernet0/0.20 - Group 20 (version 2)
<... output omitted ...>
Hello time 50 msec, hold time 200 msec
<... output omitted ...>
You could configure these timers only on the active router; the standby router learns the timer values from the hello packets that the active router sends. However, there is a problem with that. If the active router fails, the standby router becomes active with the learned timers, but it has no timer values recorded in its startup configuration. If that router now reloads, it comes up with the default HSRP timers. This is not a problem in this topology, where only two routers serve the first hop. With more than two routers you could end up in a situation, although rare, where a working HSRP group is running with the default timers even though that was not desired. Configuring the timers explicitly on every router in the group avoids this.
If you do not see the desired results, check the following:
• You configured the timers on R1 for both VLAN HSRP groups.
• You configured the timers on R2 for both VLAN HSRP groups.
• The hello time and holdtime values for each HSRP group are the same on both routers.
• The HSRP group numbers match the numbers of the VLANs that they serve.
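The checks in Steps 2 and 3 can be applied mechanically to the show standby output. The following Python script is an added example and is not part of the lab guide: it parses the output, and for every group checks that the group number matches the VLAN, that preemption is enabled, that the timers are the expected 50/200 ms, and that an active router tracks its uplink with a decrement larger than the priority gap to its peer. The two outputs embedded in it are constructed: one is a trimmed copy of the R2 output above, the other a deliberately broken variant with default timers, no preemption and a decrement of only 20.

```python
"""Audit IOS 'show standby' output for the HSRP checks in Steps 2 and 3."""
import re

# Constructed sample input: the R2 output shown above, trimmed to the lines
# the checks need.
SHOW_STANDBY_R2 = """\
Ethernet0/0.10 - Group 10 (version 2)
  State is Standby
  Hello time 50 msec, hold time 200 msec
  Preemption enabled
  Active router is FE80::A8BB:CCFF:FE01:C00, priority 110 (expires in 0.176 sec)
  Standby router is local
  Priority 90 (configured 90)
Ethernet0/0.20 - Group 20 (version 2)
  State is Active
  Hello time 50 msec, hold time 200 msec
  Preemption enabled
  Active router is local
  Standby router is FE80::A8BB:CCFF:FE01:C00, priority 90 (expires in 0.176 sec)
  Priority 110 (configured 110)
  Track interface Ethernet0/2 state Up decrement 30
"""

# Constructed counter-example: default timers, no preemption, and a decrement
# that does not exceed the 110 - 90 priority gap.
SHOW_STANDBY_BAD = """\
Ethernet0/0.20 - Group 20 (version 2)
  State is Active
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is local
  Standby router is FE80::A8BB:CCFF:FE01:C00, priority 90 (expires in 9.2 sec)
  Priority 110 (configured 110)
  Track interface Ethernet0/2 state Up decrement 20
"""

GROUP_RE = re.compile(r"^(\S+) - Group (\d+) \(version (\d)\)")
TIMER_RE = re.compile(r"Hello time (\d+) (m?sec), hold time (\d+) (m?sec)")
TRACK_RE = re.compile(r"Track interface (\S+) state (\S+) decrement (\d+)")


def _ms(value, unit):
    """IOS prints timers in 'msec' or 'sec'; normalise to milliseconds."""
    return int(value) * (1 if unit == "msec" else 1000)


def parse_standby(text):
    """Return one dict per HSRP group found in 'show standby' output."""
    groups, cur = [], None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            iface, group, version = m.groups()
            cur = {"interface": iface, "group": int(group), "version": int(version),
                   # sub-interface suffix (Ethernet0/0.10 -> 10) is the VLAN served
                   "vlan": int(iface.rsplit(".", 1)[1]) if "." in iface else None,
                   "state": None, "hello_ms": None, "hold_ms": None, "preempt": False,
                   "priority": None, "peer_priority": None, "track": None}
            groups.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("State is "):
            cur["state"] = s[len("State is "):]
        elif s.startswith("Hello time"):
            h, hu, ho, hou = TIMER_RE.match(s).groups()
            cur["hello_ms"], cur["hold_ms"] = _ms(h, hu), _ms(ho, hou)
        elif s == "Preemption enabled":
            cur["preempt"] = True
        elif s.startswith("Priority "):                 # "Priority 90 (configured 90)"
            cur["priority"] = int(s.split()[1])
        elif s.startswith(("Active router is", "Standby router is")) and "priority" in s:
            cur["peer_priority"] = int(re.search(r"priority (\d+)", s).group(1))
        elif s.startswith("Track interface"):
            iface, state, dec = TRACK_RE.match(s).groups()
            cur["track"] = {"interface": iface, "state": state, "decrement": int(dec)}
    return groups


def audit(groups, hello_ms=50, hold_ms=200):
    """Apply the lab's checks; an empty list means the router passes."""
    findings = []
    for g in groups:
        tag = f"{g['interface']} group {g['group']}"
        if g["vlan"] is not None and g["vlan"] != g["group"]:
            findings.append(f"{tag}: group number does not match VLAN {g['vlan']}")
        if not g["preempt"]:
            findings.append(f"{tag}: preemption disabled, a priority change will not move the active role")
        if (g["hello_ms"], g["hold_ms"]) != (hello_ms, hold_ms):
            findings.append(f"{tag}: timers {g['hello_ms']}/{g['hold_ms']} ms, expected {hello_ms}/{hold_ms}")
        if g["state"] == "Active":
            if g["track"] is None:
                findings.append(f"{tag}: active router is not tracking its uplink")
            elif g["peer_priority"] is not None:
                gap = g["priority"] - g["peer_priority"]
                if g["track"]["decrement"] <= gap:
                    findings.append(f"{tag}: decrement {g['track']['decrement']} must exceed the priority gap of {gap}")
    return findings


if __name__ == "__main__":
    for name, text in (("R2", SHOW_STANDBY_R2), ("bad", SHOW_STANDBY_BAD)):
        print(name, audit(parse_standby(text)) or ["ok"])
```

Run it against the output of each router in turn; a group that is Standby on this router is checked for tracking on the router where it is Active, so both routers must pass for the design to hold.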
Challenge 16: Control Network Access with Port Security
It is Friday afternoon and Dwayne, a senior engineer at the firm where you work, came to see you in a
hurry. There will be a security audit done on the network at your company. You have until Monday morning
to ensure that the network follows the recommended security practices as closely as possible.
Note If you need to test Internet connectivity, use the IP address 209.165.200.233.
Topology
Device Information
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Commands
banner motd d message d
    Defines a message-of-the-day banner; d is a delimiter character that does not occur in the message. Use this command in global configuration mode.
cdp enable
    Enables Cisco Discovery Protocol on the interface. Use this command in interface configuration mode. By default on Cisco devices, Cisco Discovery Protocol is enabled on all interfaces. Because CDP advertises the platform, software version and addresses of the device to anyone on the link, disable it on ports that face end users or untrusted networks and keep it only where neighbor discovery is needed.
cdp run
    Enables Cisco Discovery Protocol on the device, thus enabling it on all interfaces. Use this command in global configuration mode. On Cisco devices, Cisco Discovery Protocol is enabled by default.
enable secret
    Establishes the password for privileged EXEC mode, stored as a nonreversible hash. Prefer it over enable password, which is stored in cleartext or in the reversible type 7 form. Use this command in global configuration mode.
interface interface slot/number
    Enters interface configuration mode for the specified interface.
ip http server
    Enables the Cisco web browser UI on a device. Use this command in global configuration mode; the no form disables it.
line console
    Enters line configuration mode to configure the console interface settings.
line vty
    Enters line configuration mode to configure the vty settings.
show cdp neighbors
    Displays information about neighboring devices discovered by using Cisco Discovery Protocol.
show port-security
    Displays the port security settings. With the interface keyword it shows the secure MAC addresses, violation count and current status of a single port.
show spanning-tree [interface interface slot/number] [detail]
    Shows the spanning-tree status. You can filter the output per interface, and the detail keyword adds a lot of information, including whether PortFast, BPDU guard, BPDU filter, root guard and loop guard are in effect on the port.
spanning-tree bpdufilter enable
    Enables BPDU filter on the interface, which stops the port from sending and processing BPDUs. Use in interface configuration mode.
spanning-tree bpduguard enable
    Enables BPDU guard on the interface, which places the port in err-disabled state as soon as a BPDU is received on it. Use in interface configuration mode.
ssh -v version -l userID ip_address
    Starts an encrypted session with a remote device, with a specified user ID. The version does not need to be specified; if you do use it, you can choose between versions 1 and 2. Use version 2 wherever the remote device supports it, because SSH version 1 has known protocol weaknesses.
switchport access vlan vlan_number
    Sets the specified access VLAN on the interface in access mode. Use this command in interface configuration mode.
switchport mode access
    Configures the interface as an access port. Issue this command in interface configuration mode.
switchport port-security
    Enables port security on an interface. Use this command in interface configuration mode. Port security is disabled by using no in front of this command. The port must be a static access or trunk port; the command is rejected on a port that is still in dynamic (DTP) mode.
switchport port-security mac-address mac_address
    Adds a MAC address to the list of secure MAC addresses. Use this command in interface configuration mode. To remove a MAC address from the list, use the no form of this command.
switchport port-security mac-address sticky
    Enables dynamic MAC address learning on an interface. Each learned MAC address is added to the running configuration as a secure address; save the configuration so that the addresses survive a reload. Use this command in interface configuration mode.
switchport port-security violation violation_mode
    Sets the violation mode. You can choose between protect (frames from unknown MAC addresses are dropped silently), restrict (frames are dropped, the violation counter is incremented and a syslog message or SNMP trap is generated) and shutdown (the default; the port is placed in err-disabled state). Enter this command in interface configuration mode.
transport input ssh
    Defines that only the SSH protocol can be used to connect to a specific line. Use this command in line configuration mode.
Task 1: Controlling Network Access Using Port
Security
Step 1 Secure Cisco Discovery Protocol.
Step 2 Configure port security.
Step 3 Configure the encrypted enable password.
Step 4 Secure the vty and console access passwords.
Step 5 Secure remote access.
Step 6 Configure a system banner for unauthorized users.
Step 7 Secure unused ports.
Step 8 Secure STP on end-user ports.
Step 9 Secure HTTP on all devices.
Verification
Note If Cisco Discovery Protocol is disabled on the interface, the interface will not be seen in the
output of show cdp interface.
Step 3
1 On DSW1, verify that the enable secret password is configured.
Step 4
1 On SW, verify that the service password-encryption command is configured. Note that this command only obfuscates the line and enable passwords with the reversible type 7 encoding; it prevents casual reading of the configuration but is not a substitute for enable secret and per-user credentials.
SW# show running-config | include service password
service password-encryption
Step 5
1 Verify that you can use SSH to connect to R1 from DSW1, but you cannot use Telnet.
DSW1# ssh -l admin 192.168.98.2
Password:
R1#
Step 6
1 On R1, verify that a banner login is configured.
R1# show running-config | include banner
banner login ^C Unauthorized activities will be grounds for persecution! ^C
Step 8
1 Verify that DSW2 does not have BPDU filter configured.
Step 9
1 On DSW1, verify that the web interface is disabled for HTTP.
Password:
SW1> enable
Password:
SW1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Now you can add descriptions to the interfaces of SW1 according to the show cdp neighbors
output:
SW1# configure terminal
SW1(config)# interface ethernet 0/3
SW1(config-if)# description DSW1
SW1(config-if)# interface ethernet 1/1
SW1(config-if)# description DSW2
Use Telnet to connect to SW2 and investigate Cisco Discovery Protocol neighbors:
PC1# telnet 192.168.0.20
Trying 192.168.0.20 ... Open
Password:
SW2> enable
Password:
SW2# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Now you can add descriptions to the interfaces of SW2 according to the show cdp neighbors
output:
SW2# configure terminal
SW2(config)# interface ethernet 1/1
SW2(config-if)# description DSW1
SW2(config-if)# interface ethernet 1/2
SW2(config-if)# description DSW2
Use Telnet to connect to DSW1 and investigate Cisco Discovery Protocol neighbors:
PC1# telnet 192.168.0.30
Trying 192.168.0.30 ... Open
Password:
DSW1> enable
Password:
DSW1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Now you can add descriptions to the interfaces of DSW1 according to the show cdp neighbors
output:
DSW1# configure terminal
DSW1(config)# interface ethernet 0/3
DSW1(config-if)# description SW1
DSW1(config-if)# interface ethernet 0/1
DSW1(config-if)# description SW2
DSW1(config-if)# interface ethernet 0/2
DSW1(config-if)# description R1
Password:
DSW2> enable
Password:
DSW2# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Now you can add descriptions to the interfaces of DSW2 according to the show cdp neighbors
output:
DSW2# configure terminal
DSW2(config)# interface ethernet 0/1
DSW2(config-if)# description SW1
DSW2(config-if)# interface ethernet 0/3
DSW2(config-if)# description SW2
DSW2(config-if)# interface ethernet 0/2
DSW2(config-if)# description R1
Password:
R1> enable
Password:
R1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Now you can add descriptions to the interfaces of R1 according to the show cdp neighbors
output:
R1# configure terminal
R1(config)# interface ethernet 0/1
R1(config-if)# description DSW1
R1(config-if)# interface ethernet 0/2
R1(config-if)# description DSW2
To find out where PC1 connects to, first figure out which interface PC1 uses:
PC1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.0.101 YES NVRAM up up
Ethernet0/1 unassigned YES NVRAM administratively down down
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
PC1 uses Ethernet 0/0, so now you can find out its MAC address:
PC1# show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is aabb.cc00.0b00 (bia aabb.cc00.0b00)
Internet address is 192.168.0.101/24
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
<... output omitted ...>
Now you can investigate the CAM tables of the network devices to find out where PC1 connects
to. If you do not see the MAC address in the CAM tables, you need to ping PC1 in order to
generate traffic between devices. The switch will then learn the MAC address of PC1.
SW1 is the device that PC1 connects to (through Ethernet 0/1):
SW1# show mac address-table
Mac Address Table
-------------------------------------------
If you look at the CAM tables of other switches, the PC1 MAC address is seen through
interfaces that connect to other switches. For example, SW2 sees the PC1 MAC address
aabb.cc00.0b00 through Ethernet1/1, the interface that connects to DSW1.
SW2# show mac address-table
Mac Address Table
-------------------------------------------
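The procedure above (find the MAC address, then follow it from switch to switch until it is learned on a port that is not an inter-switch link) can be scripted. The following Python script is an added example and is not part of the lab guide: it parses show mac address-table output, uses the CDP neighbor map gathered above to tell uplinks from edge ports, and walks the path to the access port. The CAM tables embedded in it are constructed to match the PC1 placement described above (SW1 Ethernet 0/1, seen by the other switches through their links toward DSW1 or SW1). The same walk locates a rogue device or the port behind a port-security violation; note that it identifies a port, not a host, because a MAC address can be spoofed.

```python
"""Trace a MAC address through the CAM tables to the port it really sits on."""
import re

# Constructed 'show mac address-table' output for the four switches, in the
# IOS format shown above. The PC1 MAC is the one from 'show interface' above.
MAC_TABLES = {
    "SW1": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aabb.cc00.0b00    DYNAMIC     Et0/1
   1    aabb.cc00.0300    DYNAMIC     Et0/3
""",
    "SW2": """\
   1    aabb.cc00.0b00    DYNAMIC     Et1/1
""",
    "DSW1": """\
   1    aabb.cc00.0b00    DYNAMIC     Et0/3
""",
    "DSW2": """\
   1    aabb.cc00.0b00    DYNAMIC     Et0/1
""",
}

# Inter-switch links as 'show cdp neighbors' reported them above
# (local port -> neighbor). Any other port is treated as an edge port.
CDP_NEIGHBORS = {
    "SW1":  {"Et0/3": "DSW1", "Et1/1": "DSW2"},
    "SW2":  {"Et1/1": "DSW1", "Et1/2": "DSW2"},
    "DSW1": {"Et0/3": "SW1", "Et0/1": "SW2", "Et0/2": "R1"},
    "DSW2": {"Et0/1": "SW1", "Et0/3": "SW2", "Et0/2": "R1"},
}

ROW_RE = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$")


def parse_mac_table(text):
    """Map MAC -> (vlan, type, port) from 'show mac address-table' output."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            table[mac.lower()] = (vlan, kind, port)
    return table


def locate(mac, tables, neighbors, start):
    """Follow the MAC from 'start' switch to switch until it is learned on a
    port that CDP does not report as a link to another switch.
    Returns (switch, port, path of switches visited)."""
    mac = mac.lower()
    switch, path, seen = start, [], set()
    while switch not in seen:           # a revisit would mean an inconsistent CAM view
        seen.add(switch)
        path.append(switch)
        entry = parse_mac_table(tables[switch]).get(mac)
        if entry is None:
            raise LookupError(f"{mac} not in CAM table of {switch}; "
                              "generate traffic (ping the host) and retry")
        port = entry[2]
        nxt = neighbors.get(switch, {}).get(port)
        if nxt is None or nxt not in tables:
            # learned on a port with no switch behind it: this is the edge port
            return switch, port, path
        switch = nxt
    raise RuntimeError(f"loop while tracing {mac}: {path}")


if __name__ == "__main__":
    print(locate("aabb.cc00.0b00", MAC_TABLES, CDP_NEIGHBORS, "SW2"))
```

Starting the trace from any switch gives the same answer, which is a useful consistency check: if two starting points disagree, a CAM entry is stale or a link is not where the CDP map says it is.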
Challenge 2: Configure DHCP
Step 1 Exclude the IP addresses that the DHCP server should not lease out. Do this before you create the pool; otherwise these addresses can be leased to clients before the exclusion is in place, and you would then have to clear those bindings.
Core1(config)# ip dhcp excluded-address 192.168.22.1 192.168.22.10
PC1 is configured with a static IP address. Configure PC1 to obtain the IP address via DHCP.
PC1# show run interface ethernet 0/0
Building configuration...
PC2 is configured with a static IP address. Configure PC2 to obtain the IP address via DHCP.
PC2# show run interface ethernet 0/0
Building configuration...
Because Core1 is not in the same network as the VLAN 33 clients, you have to configure an IP helper address on the SVI that receives the clients' broadcasts, so that the DHCP messages are relayed as unicast to the DHCP server.
SW2(config)# interface vlan 33
SW2(config-if)# ip helper-address 192.168.2.1
Based on the server IP address that you have discovered previously, investigate its client
identifier.
Core1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.22.11 0063.6973.636f.2d61. Oct 05 2013 12:45 AM Automatic
6162.622e.6363.3030.
2e30.3630.302d.4574.
302f.30
192.168.22.12 0063.6973.636f.2d61. Oct 05 2013 12:47 AM Automatic
6162.622e.6363.3030.
2e30.3730.302d.4574.
302f.30
192.168.33.11 0063.6973.636f.2d61. Oct 05 2013 02:05 AM Automatic
6162.622e.6363.3030.
2e30.3830.302d.4574.
302f.30
192.168.33.12 0063.6973.636f.2d61. Oct 05 2013 02:05 AM Automatic
6162.622e.6363.3030.
2e34.3030.302d.4574.
302f.30
You will first need to clear the DHCP binding for SRV. Otherwise you will not be allowed to
configure a manual one.
Core1# clear ip dhcp binding 192.168.33.12
Assign a preferred IP address to the server. You have to create a new DHCP pool.
Core1(config)# ip dhcp pool SRV
Core1(dhcp-config)# host 192.168.33.185 255.255.255.0
Core1(dhcp-config)# client-identifier
0063.6973.636f.2d61.6162.622e.6363.3030.2e34.3030.302d.4574.302f.30
In order for the SRV to obtain the new IP address, you first have to shut down the interface and
then bring it back up.
SRV(config)# interface ethernet 0/0
SRV(config-if)# shutdown
SRV(config-if)# no shutdown
SRV(config-if)#
*Oct 4 10:23:06.349: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP
address 192.168.33.185, mask 255.255.255.0, hostname SRV
Instead of bouncing the interface, you could use the release dhcp Ethernet0/0 and renew dhcp Ethernet0/0 privileged EXEC commands on SRV to obtain the new lease.
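The Client-ID column is the DHCP client identifier (option 61) that the IOS client sends: a type byte of 0x00 followed by the ASCII string cisco-<MAC>-<interface>, which is why each entry spans several lines of the binding table. The following Python script is an added example and is not part of the lab guide: it decodes and rebuilds that identifier and pulls it out of the binding table so that the manual binding above can be keyed on it. The binding table embedded in it is a constructed copy of two entries from the output above. Keep in mind that the identifier is whatever the client chooses to send; a reservation keyed on it is not authentication, and any host that sends the same identifier receives the reserved address.

```python
"""Decode and build the Cisco DHCP client identifier seen in 'show ip dhcp binding'."""
import re

# Constructed copy of two entries of the binding table shown above.
SHOW_IP_DHCP_BINDING = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.22.11       0063.6973.636f.2d61.    Oct 05 2013 12:45 AM    Automatic
                    6162.622e.6363.3030.
                    2e30.3630.302d.4574.
                    302f.30
192.168.33.12       0063.6973.636f.2d61.    Oct 05 2013 02:05 AM    Automatic
                    6162.622e.6363.3030.
                    2e34.3030.302d.4574.
                    302f.30
"""


def decode_client_id(dotted_hex):
    """Return (type byte, text) for a dotted-hex DHCP client identifier."""
    raw = bytes.fromhex(dotted_hex.replace(".", ""))
    return raw[0], raw[1:].decode("ascii")


def encode_client_id(mac, interface="Et0/0"):
    """Build the identifier an IOS DHCP client sends: 0x00 + 'cisco-<mac>-<if>',
    in the dotted-hex form the 'client-identifier' pool command expects."""
    raw = b"\x00" + f"cisco-{mac}-{interface}".encode("ascii")
    hexstr = raw.hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


BIND_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(.+?)\s+(Automatic|Manual|Static)\s*$")
HEX_RE = re.compile(r"^[0-9a-fA-F.]+$")      # continuation lines carry only hex groups


def parse_bindings(text):
    """Join the multi-line entries of 'show ip dhcp binding' and decode each ID."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        m = BIND_RE.match(s)
        if m:
            ip, cid, lease, kind = m.groups()
            entries.append({"ip": ip, "client_id": cid, "lease": lease, "type": kind})
        elif entries and HEX_RE.match(s):
            entries[-1]["client_id"] += s
    for e in entries:
        e["identity"] = decode_client_id(e["client_id"])[1]
    return entries


def find_client_id(entries, mac, interface="Et0/0"):
    """Return the dotted-hex identifier to use in 'client-identifier' for a host."""
    want = f"cisco-{mac}-{interface}"
    for e in entries:
        if e["identity"] == want:
            return e["client_id"]
    return None


if __name__ == "__main__":
    for e in parse_bindings(SHOW_IP_DHCP_BINDING):
        print(e["ip"], e["identity"])
```

The decoded identity shows that the MAC address of SRV in this lab is aabb.cc00.4000 and that the identifier changes if the client is moved to another interface, because the interface name is part of the string.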
On Core1, you will need to configure the VLAN 22 interface with an IPv6 address from the
SALES prefix. Refer to the Job Aids section for IPv6 address information. Also, you need to
turn on DHCPv6 server functionality on the interface.
Core1(config)# interface vlan 22
Core1(config-if)# ipv6 address 2001:db8:16::1/64
Core1(config-if)# ipv6 dhcp server SALES
Configure PC1 to obtain an IPv6 address via DHCPv6. The ipv6 enable command is required: without IPv6 enabled on the interface, the client sends no DHCPv6 messages and acquires no address.
PC1(config)# interface ethernet 0/0
PC1(config-if)# ipv6 enable
PC1(config-if)# ipv6 address dhcp
Step 2
On Core1, define a DHCPv6 pool for the IT subnet. Define the address prefix that will be leased
to clients. Do not forget the DNS server address to be announced via DHCPv6.
Core1(config)# ipv6 dhcp pool IT
Core1(config-dhcpv6)# address prefix 2001:db8:21::/64
Core1(config-dhcpv6)# dns-server 2001:db8:53::53
Since PC3 is in a different subnet than the DHCPv6 server, you will need to configure a DHCP
relay on SW2. Refer to the Job Aids section for IPv6 address information.
SW2(config)# interface vlan 33
SW2(config-if)# ipv6 address 2001:db8:21::1/64
SW2(config-if)# ipv6 dhcp relay destination 2001:db8:99::1
Configure PC3 to obtain an IPv6 address via DHCPv6. Do not forget to enable IPv6
functionality.
PC3(config)# interface ethernet 0/0
PC3(config-if)# ipv6 enable
PC3(config-if)# ipv6 address dhcp
Step 3
Manually configure an IPv6 address on the Ethernet 0/0 interface of SRV.
SRV(config)# interface ethernet 0/0
SRV(config-if)# ipv6 address 2001:db8:21::11/64
This example shows one side being in LACP "passive" mode and the other in LACP "active"
mode. You could configure both of the sides as LACP "active" and the EtherChannel link would
still get established.
On DSW1, enter interface configuration mode for the Port-Channel 2 interface. The
configuration applied to the Port-Channel interface reflects on all links that it bundles. Configure
it as a hard-coded trunk link.
DSW1(config)# interface port-channel 2
DSW1(config-if)# switchport mode trunk
Step 2 This is just an example of troubleshooting flow. You might use a different approach.
Look at the EtherChannel group 1 status on DSW1.
DSW1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - standalone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
The "SD" flag tells you that Layer 2 EtherChannel is down. Notice that the LACP protocol is
configured. The "s" flag on both ports indicates that both ports are suspended.
Look at the EtherChannel group 1 status on SW1.
SW1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - standalone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
The "SD" flag tells you that Layer 2 EtherChannel is down. Notice that the PAgP protocol is
configured. The "I" flag on both ports indicates that both ports are standalone (not bundled).
LACP and PAgP modes are not compatible. To get EtherChannel working, you will need to
change the negotiation protocol on SW1 to LACP.
Investigate port configuration on DSW1 and SW1.
Step 3 This is just an example of troubleshooting flow. You might use a different approach.
Investigate the EtherChannel group 1 status on DSW2.
DSW2# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - standalone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
The "SU" flag indicates that Layer 2 EtherChannel is in use. The negotiation protocol used is
LACP. One port is flagged as "P," which stands for bundled. The other port is flagged as "s,"
which stands for suspended. Essentially, the EtherChannel link is functioning, but there is only
one link present in the bundle. This hints at inconsistent configuration between ports.
Investigate the EtherChannel status on SW2.
SW2# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - standalone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
Notice that one port on SW2 is configured as "trunk" and the other one is "access."
On SW2, change the switch port mode to trunk on Ethernet 1/2.
SW2(config)# interface Ethernet 1/2
SW2(config-if)# switchport mode trunk
Step 4
Investigate which EtherChannel load-balancing methods are available.
DSW1(config)# port-channel load-balance ?
dst-ip Dst IP Addr
dst-mac Dst Mac Addr
src-dst-ip Src XOR Dst IP Addr
src-dst-mac Src XOR Dst Mac Addr
src-ip Src IP Addr
src-mac Src Mac Addr
Since the network in this lab is an IP-based network, the most effective choice is to load balance with the src-dst-ip option. This spreads traffic most evenly over the links within the EtherChannel, because both directions of a flow are hashed on the same pair of addresses; a MAC-based method performs poorly for routed traffic, where every frame to or from the router carries the same router MAC address. EtherChannel falls back to load balancing per MAC address for non-IP traffic. The method is a per-switch setting that only governs which link each switch chooses for the frames it transmits, so it has to be set consistently on every switch that terminates an EtherChannel.
If you investigate the EtherChannel load-balancing method in effect, you will see that SW1 is configured for src-dst-ip, SW2 and DSW2 are configured with src-mac, and DSW1 is configured with dst-mac.
DSW1# show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
dst-mac
<... output omitted ...>
Configure the EtherChannel load-balancing method to src-dst-ip on DSW1, DSW2, and SW2:
DSW1(config)# port-channel load-balance src-dst-ip
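To see why src-dst-ip spreads routed traffic better than the MAC-based methods, the following Python script, an added example that is not part of the lab guide, models the hash decision for eight hosts sending to one server through the default gateway and counts how many flows land on each link of a two-link bundle, in each direction. The hash is a simplified model and an assumption: XOR of the low-order byte of each selected address, modulo the link count. Real Catalyst hardware uses the low-order bits of a platform-specific hash, but the collapse onto a single link when every frame shares the gateway MAC is the same. The host MACs, gateway MAC and server address are constructed.

```python
"""Model how EtherChannel load-balancing methods spread routed traffic over a bundle."""
from collections import Counter

# Simplified hash model (assumption): XOR the low-order byte of each selected
# address, then take the result modulo the number of links. Real Catalyst
# hardware uses the low-order bits of a platform-specific hash.
FIELDS = {
    "src-mac": ("smac",), "dst-mac": ("dmac",), "src-dst-mac": ("smac", "dmac"),
    "src-ip": ("sip",),   "dst-ip": ("dip",),   "src-dst-ip": ("sip", "dip"),
}


def _low_byte(addr):
    if addr.count(".") == 3:                       # dotted-quad IPv4
        return int(addr.rsplit(".", 1)[1])
    return int(addr.replace(".", "")[-2:], 16)     # dotted-hex MAC


def pick_link(flow, method, nlinks=2):
    """Index of the member link this switch would transmit the frame on."""
    h = 0
    for field in FIELDS[method]:
        h ^= _low_byte(flow[field])
    return h % nlinks


def distribution(flows, method, nlinks=2):
    """Return {link index: number of flows} for one method."""
    return dict(Counter(pick_link(f, method, nlinks) for f in flows))


# Constructed traffic: eight hosts in VLAN 10 talking to one server behind the
# router. On the switch-to-switch bundle, every frame toward the server carries
# the gateway MAC as destination, and every reply carries it as source.
GATEWAY_MAC = "aabb.cc01.0c00"
SERVER_IP = "192.168.33.12"
HOSTS = [(f"0011.2233.44{i:02x}", f"192.168.10.{10 + i}") for i in range(1, 9)]
TO_SERVER = [{"smac": m, "dmac": GATEWAY_MAC, "sip": ip, "dip": SERVER_IP} for m, ip in HOSTS]
FROM_SERVER = [{"smac": GATEWAY_MAC, "dmac": m, "sip": SERVER_IP, "dip": ip} for m, ip in HOSTS]


def compare(methods=("src-mac", "dst-mac", "src-dst-ip")):
    """Per method: (distribution toward the server, distribution of the replies)."""
    return {m: (distribution(TO_SERVER, m), distribution(FROM_SERVER, m)) for m in methods}


if __name__ == "__main__":
    for method, (fwd, rev) in compare().items():
        print(f"{method:11s} to server {fwd}  from server {rev}")
```

With dst-mac every frame toward the server lands on one link, with src-mac every reply does, and only src-dst-ip uses both links in both directions, which is the reasoning behind choosing it on all four switches.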
Challenge 5: Implement RSTP
Step 1 Configure DSW1, DSW2, SW1, and SW2 to use Rapid PVST+. If you leave a switch in legacy PVST+, the Rapid PVST+ switches fall back to 802.1D behavior and timers on the ports that face it, so the segments around that switch converge slowly; rapid convergence is only as good as the least capable switch on each link.
DSW1(config)# spanning-tree mode rapid-pvst
Step 2 You can set the root bridge through the priority command or use root primary macro like it is
done in this example configuration.
DSW1(config)# spanning-tree vlan 1 root primary
DSW1(config)# spanning-tree vlan 10 root primary
DSW1(config)# spanning-tree vlan 20 root primary
Even though it was not explicitly requested, it would be wise of you to configure secondary root
bridges for all VLANs. If DSW1 goes down, you do not want one of the access layer switches
becoming the root bridge for VLAN 10.
DSW1(config)# spanning-tree vlan 30 root secondary
DSW1(config)# spanning-tree vlan 40 root secondary
Step 3 You could configure different STP costs or port priorities for different VLANs to utilize both
links between the distribution layer switches. However, that is not a good solution and the task
was to perform a configuration where both links are used by all VLANs.
Since there was no request as to how to configure EtherChannel, it is entirely up to you whether
you want to use LACP, PAgP, or neither of them. This example shows static EtherChannel
configuration.
DSW1(config)# interface range ethernet 0/0-1
DSW1(config-if-range)# channel-group 1 mode on
Challenge 6: Improve STP Configuration
Step 1
Using show spanning-tree interface interface slot/number detail, you should figure out that
PortFast is enabled only on access ports on access layer switches SW1 and SW2. On both
devices, PortFast is enabled globally.
The customer configured PortFast correctly. You should not change the configuration of
PortFast in the network.
Using show spanning-tree interface interface slot/number detail, you should figure out that BPDU guard is enabled only on PortFast ports on access layer switches SW1 and SW2. On both devices, BPDU guard is enabled globally, that is, on every port on which PortFast is active.
The customer configured BPDU guard correctly. You should not change the configuration of
BPDU guard in the network.
Using the command, show spanning-tree interface interface slot/number detail, or show
running-config, you should figure out that BPDU filter is enabled only on SW1 and SW2 access
ports. BPDU filter is enabled per-port.
Having BPDU filter configured on the same ports as BPDU guard is not good practice. When both are configured on an interface, BPDU filter takes precedence: the port sends no BPDUs and silently drops the ones it receives, so BPDU guard never sees a BPDU and never err-disables the port. A switch plugged into such a port is therefore neither detected nor blocked, which is the opposite of what BPDU guard is meant to achieve. In general, you should not configure BPDU filter anywhere in the network without a good reason.
Remove BPDU filter configuration from all devices where it is configured:
SW1(config)# interface ethernet 0/0
SW1(config-if)# no spanning-tree bpdufilter enable
SW1(config-if)# interface ethernet 0/1
SW1(config-if)# no spanning-tree bpdufilter enable
Step 2
Using show spanning-tree interface interface slot/number detail or show running-config, you should see that root guard is enabled on DSW1 and DSW2, but on a single interface each: DSW1 has only the interface that connects to SW1 (Ethernet 0/2) configured with root guard, and DSW2 has only the interface that connects to SW2 (Ethernet 0/2) configured with root guard.
The customer configuration is correct but incomplete. Root guard needs to be enabled on all ports where the root bridge is not expected, that is, on every distribution-layer port that faces the access layer, so that a superior BPDU arriving from an access switch puts that port into the root-inconsistent state instead of moving the root.
Configure Ethernet 0/3 on DSW1 with root guard.
DSW1(config)# interface ethernet 0/3
DSW1(config-if)# spanning-tree guard root
Loop guard protects root and alternate ports, the ports that would otherwise stop receiving BPDUs and move to forwarding after a unidirectional link failure. Since DSW1 and DSW2 are configured as primary or secondary root bridges, only the access layer switches have blocking ports, so configuring the SW1 and SW2 uplinks with loop guard covers all potentially blocking ports. The example also applies loop guard to the links between DSW1 and DSW2.
DSW1(config)# interface port-channel 1
DSW1(config-if)# spanning-tree guard loop
Note that it is recommended that you apply loop guard configuration on port-channel interfaces
so that the configuration will be inherited by the interfaces that are members of the port channel.
Challenge 7: Configure MST
Step 1
Before you dive into MST migration, you should evaluate whether the network is ready for
migration.
• Region name, revision number, and VLAN-to-instance mappings were already defined for you by the
customer, so you do not need to plan these out.
• The network has edge ports defined. You can check that fact by using the show spanning-tree
interface interface slot/number command.
• All interswitch connections are configured as trunks and are not pruning any VLANs that are used in
MST. You can check that fact by using the show interfaces trunk command.
On all switches, configure the MST region "SWITCH", the revision "1", and map VLANs 10 to 25 to MSTI1 and VLANs 26 to 50 to MSTI2. The region name, revision number and VLAN-to-instance mapping must be identical on every switch; a switch whose configuration digest differs in any of the three forms a separate region and attaches to this one through the CST, which is a common cause of unexpected blocking after a migration.
SWB(config)# spanning-tree mst configuration
SWB(config-mst)# name SWITCH
SWB(config-mst)# revision 1
SWB(config-mst)# instance 1 vlan 10-25
SWB(config-mst)# instance 2 vlan 26-50
SWB(config-mst)# exit
Step 2
Configure SW1 to be the root bridge for MSTI1. Configure SW1 to be the secondary root bridge
for MSTI2.
SW1(config)# spanning-tree mst 1 root primary
SW1(config)# spanning-tree mst 2 root secondary
Configure SW2 to be the root bridge for MSTI2. Configure SW2 to be the secondary root bridge
for MSTI1.
SW2(config)# spanning-tree mst 2 root primary
SW2(config)# spanning-tree mst 1 root secondary
Challenge 8: Configure Routing Between VLANs
with a Router
Step 1
On R1, configure subinterfaces for VLANs 10, 20, 30, and 40. Because you are not allowed to
change the configurations of the PCs, you need to configure the R1 subinterfaces with the default
gateway addresses of the PCs.
R1(config)# interface Ethernet 0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 10.0.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface Ethernet 0/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 10.0.20.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface Ethernet 0/0.30
R1(config-subif)# encapsulation dot1Q 30
R1(config-subif)# ip address 10.0.30.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface Ethernet 0/0.40
R1(config-subif)# encapsulation dot1Q 40
R1(config-subif)# ip address 10.0.40.1 255.255.255.0
R1(config-subif)# exit
If you investigate the PC1 configuration or consult the Job Aids section, you will see that PC1 is
configured with the IP default gateway address of 192.168.22.254:
PC1# show ip route
Default gateway is 192.168.22.254
<... output omitted ...>
If you investigate the PC2 configuration or consult the Job Aids section, you will see that PC2 is
configured with the IP default gateway address of 192.168.44.254:
PC2# show ip route
Default gateway is 192.168.44.254
<... output omitted ...>
So you need to configure two SVIs on DSW1: one for VLAN 22 with the IP address of
192.168.22.254, and one for VLAN 44 with the IP address of 192.168.44.254. Do not forget to
enable IP routing. It would also be wise to verify that there is a trunk link configured between
SW and DSW1. Use the show interfaces trunk command on either of the two switches.
DSW1(config)# ip routing
DSW1(config)# vlan 22
DSW1(config-vlan)# interface vlan 22
DSW1(config-if)# ip address 192.168.22.254 255.255.255.0
DSW1(config-if)# no shutdown
DSW1(config-if)# exit
DSW1(config)# vlan 44
DSW1(config-vlan)# interface vlan 44
DSW1(config-if)# ip address 192.168.44.254 255.255.255.0
DSW1(config-if)# no shutdown
Step 2
If you investigate DSW2, you will see that the port that connects to PC3, Ethernet 1/1, is
configured as an access port for VLAN 77. The port that connects to PC4, Ethernet 1/2, is
configured as an access port for VLAN 11.
DSW2# show vlan
If you investigate the PC3 configuration, you will see that PC3 is configured with the IP default
address of 192.168.77.254:
PC3# show ip route
Default gateway is 192.168.77.254
<... output omitted ...>
If you investigate the PC4 configuration, you will see that PC4 is configured with the IP default
address of 192.168.11.254:
PC4# show ip route
Default gateway is 192.168.11.254
<... output omitted ...>
You need to configure two SVIs on DSW2: one for VLAN 77 with the IP address of
192.168.77.254, and one for VLAN 11 with the IP address of 192.168.11.254. Do not forget to
enable IP routing.
DSW2(config)# ip routing
DSW2(config)# vlan 77
DSW2(config-vlan)# interface vlan 77
DSW2(config-if)# ip address 192.168.77.254 255.255.255.0
DSW2(config-if)# no shutdown
DSW2(config-if)# exit
DSW2(config)# vlan 11
DSW2(config-vlan)# interface vlan 11
DSW2(config-if)# ip address 192.168.11.254 255.255.255.0
DSW2(config-if)# no shutdown
Step 3
The DSW1-R1, DSW1-DSW2, and DSW2-R1 links already have Layer 3 connectivity. R1
already has activated downlinks for OSPF Area 0 and is correctly configured to announce the
default route to OSPF neighbors.
On DSW2, activate all the interfaces that have IPs within 192.168.0.0/16 for OSPF Area 0.
DSW2(config)# router ospf 1
DSW2(config-router)# network 192.168.0.0 0.0.255.255 area 0
Step 4
The connection between SW and DSW1 is Layer 2. Therefore, if you introduce a new link and
you want to bundle the links, you need to configure Layer 2 EtherChannel. Because the
negotiation protocol to use for EtherChannel is not specified, you can use whichever protocol
you want. In this example, LACP is used. The channel group number is also not specified. You
can choose whichever number you want, as long as it is not the same as the one used to bundle
the DSW1-DSW2 links.
On DSW1, Ethernet 1/2 is the port that was used to establish a second connection between SW
and DSW1. Configure it consistently with the first link: Ethernet 1/1.
DSW1(config)# interface ethernet 1/2
DSW1(config-if)# switchport trunk encapsulation dot1q
DSW1(config-if)# switchport mode trunk
DSW1(config-if)# no shutdown
On SW, Ethernet 0/1 is the port that was used to establish a second connection between SW and
DSW1. Configure it consistently with the first link: Ethernet 0/0.
SW(config)# interface ethernet 0/1
SW(config-if)# switchport trunk encapsulation dot1q
SW(config-if)# switchport mode trunk
SW(config-if)# no shutdown
On DSW1, bundle both links that connect to SW into a port channel.
DSW1(config)# interface range ethernet 1/1-2
DSW1(config-if-range)# channel-group 1 mode active
Creating a port-channel interface Port-channel 1
On SW, bundle both links that connect to DSW1 into a port channel.
SW(config)# interface range ethernet 0/0-1
SW(config-if-range)# channel-group 1 mode passive
Creating a port-channel interface Port-channel 1
Challenge 10: Configure NTP
Step 1
It is recommended that you configure two or three devices in your network to synchronize their
time with public NTP servers. The rest of the devices should synchronize their time with those
few devices. Do not forget to define the local timezone.
In this example, R1 and R2 are, as edge routers, the logical choice for synchronizing to the
public NTP servers.
R1(config)# ntp server 209.165.201.44
R1(config)# ntp server 209.165.201.111
R1(config)# ntp server 209.165.201.133
R1(config)# ntp server 209.165.201.222
R1(config)# ntp server 209.165.201.233 prefer
R1(config)# clock timezone CET +2
R1(config)# clock summer-time CET recurring
The rest of the devices should synchronize their time to R1 and R2. IP addresses should be those
of the loopback interfaces, because these will always be up and functional.
Note: When configuring the local device to synchronize its time with an NTP server, always
refer to the most stable interface. This interface would be directly connected or, even better, a
loopback interface.
DSW1(config)# ntp server 192.168.101.10
DSW1(config)# ntp server 192.168.102.10
DSW1(config)# clock timezone CET +2
DSW1(config)# clock summer-time CET recurring
In a small network, like the one in this example, there are no major benefits to peering DSW1
and DSW2. Suppose you lose both of your Internet connections. If in that case DSW1
synchronizes its time with R1 and DSW2 synchronizes its time with R2, their clocks can become
unsynchronized, which makes it difficult to compare system logs between devices. If you
Step 3
If your time servers are open to time synchronization from all directions, they can provide time
synchronization services to other devices. An attacker could abuse that by issuing a lot of NTP
synchronization requests, thus overwhelming your devices and causing connection problems.
If your device is configured as an NTP master, you must allow "peer" access to a source with the
IP address 127.127.x.1. This IP address is the internal server address that is created by the ntp
master command, which the local router synchronizes to. To identify the IP address of the
internal NTP server, you can use the show ntp associations command.
You should also configure R1 and R2 to allow for them to be polled for NTP updates by devices
in the 192.168.0.0/16 network.
R1(config)# access-list 1 permit 127.127.7.1
R1(config)# access-list 2 permit 192.168.0.0 0.0.255.255
R1(config)# ntp access-group peer 1
R1(config)# ntp access-group serve-only 2
Challenge 11: Configure Network Monitoring
Using the Cisco IOS IP SLA
Step 1
Because you do not have access to the specified HTTP server, you cannot configure it as an IP
SLA responder. However, for IP SLA HTTP testing, accuracy will be good enough without
configuring the target as an IP SLA responder.
On SW, define an IP SLA. The operation number is not specified, so you can use any number
that you like. After you define an HTTP test to 209.165.200.233, you need to set the
frequency of the IP SLA test execution to 90 seconds.
DSW1(config)# ip sla 1
DSW1(config-ip-sla)# http get http://209.165.200.233 source-ip 192.168.22.254
DSW1(config-ip-sla-http)# frequency 90
DSW1(config-ip-sla-http)# exit
DSW1(config)# ip sla schedule 1 start-time now life 172800
In order to configure the availability test from the VLAN 22 subnet, you need to identify the
proper IP address on DSW1 by using the show ip interface brief command.
Step 2
Use show ip sla application to deduce that there is one IP SLA configured and that the test is
not active.
R1# show ip sla application
IP Service Level Agreements
Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-III
Supported Features:
IPSLAs Event Publisher
By verifying the existing IP SLA configuration, you should see that the configured entry is 69.
Entry 69 is an ICMP echo test to the IP address 209.165.200.157 and the operation is carried out
every minute. The test already started, but its lifetime is set to only 1 second.
Therefore, Dwayne configured the IP SLA test correctly but scheduled it incorrectly. You need
to reschedule the test.
R1(config)# no ip sla schedule 69 life 1 start-time now
R1(config)# ip sla schedule 69 life forever start-time now
Challenge 12: Configure HSRP with Load
Balancing
Step 1
When you configure FHRP on a Layer 3 switch, you will configure it on its SVIs. When you
configure FHRP on a router, you will need to configure it on its subinterfaces.
R1(config)# interface ethernet 0/1.11
R1(config-subif)# standby 11 ip 10.0.11.1
R1(config-subif)# standby 11 priority 110
R1(config-subif)# standby 11 preempt
R1 is an active HSRP device for VLAN 11 whenever possible. The same applies to R2 and
VLAN 22. You can conclude that pre-emption must be enabled for both groups.
Step 2
If tracking is not configured, the active device will become the standby only if the HSRP-
enabled interface or the device itself fails. What if the uplink interface on the HSRP device fails?
To detect the failure, you have to configure interface tracking on all uplinks and specify the
value for decrementing the device priority.
R1(config)# interface ethernet0/1.11
R1(config-subif)# standby 11 track ethernet0/0 30
If you want the tracking of the interfaces to work properly, pre-emption must be configured.
Otherwise, the decremented priority will not trigger the reelection for the active router.
Step 3
Each HSRP group should have passwords configured on both HSRP peers. Use MD5
Challenge 13: Configure VRRP with Load
Balancing
Step 1
Use the default gateway that is already configured on the PCs. Between R1 and R2, configure R1
with a higher VRRP priority. R1 will then serve as the master and R2 will serve as the backup.
Whenever R1 is available, it will be the master because pre-emption is enabled by default with
VRRP.
R1(config)# interface ethernet 0/1.11
R1(config-subif)# no standby 11
R1(config-subif)# vrrp 11 ip 10.0.11.1
R1(config-subif)# vrrp 11 priority 110
Step 2
As with HSRP, without tracking configured, the master device will become the backup only if
the VRRP-enabled interface or the device itself fails. However, VRRP does not support interface
tracking, so to detect the failure of an uplink, you have to configure object tracking. Use the
object number in VRRP to track the object and decrement the priority in case of a link failure.
R1(config)# track 1 interface ethernet 0/0 line-protocol
R1(config-track)# interface ethernet 0/1.11
R1(config-subif)# vrrp 11 track 1 decrement 30
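To see why the HSRP and VRRP steps above insist on pre-emption whenever tracking is used, here is a small Python model of the election (an added example, not part of the Cisco lab guide and not IOS code). It uses the lab's values for VLAN 11: R1 at priority 110 tracking its uplink with a decrement of 30, R2 at the default priority 100. The `Router`, `elect` and `hsrp_lab_scenario` names are this example's own; the tie-break by router name stands in for the real higher-IP-address rule, and a router marked not `up` is treated as if the device or its FHRP-enabled interface had failed.

```python
# Added example, not from the Cisco lab guide: a model of HSRP/VRRP election with
# interface tracking and pre-emption. Values mirror the lab (R1 priority 110,
# R2 at the default 100, uplink decrement 30); everything else is an assumption
# of this model, not IOS behaviour reproduced from source.
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 100  # both HSRP and VRRP default to priority 100


@dataclass
class Router:
    name: str
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False          # HSRP default is off; VRRP enables it by default
    tracks: dict = field(default_factory=dict)  # tracked interface -> decrement
    down: set = field(default_factory=set)      # tracked interfaces currently down
    up: bool = True                # False = device or its FHRP-enabled interface failed

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for ifname, dec in self.tracks.items()
                                   if ifname in self.down)


def elect(routers, current_active=None):
    """Return the name of the active (HSRP) / master (VRRP) router.

    With no live incumbent the highest effective priority wins. With an incumbent,
    a higher-priority router takes over only if that router has pre-emption
    enabled; otherwise the incumbent keeps the role until it fails.
    """
    candidates = [r for r in routers if r.up]
    if not candidates:
        return None
    # Tie-break by name stands in for the higher-IP-address rule (assumption).
    best = max(candidates, key=lambda r: (r.effective_priority(), r.name))
    incumbent = next((r for r in candidates if r.name == current_active), None)
    if incumbent is None:
        return best.name
    if (best is not incumbent and best.preempt
            and best.effective_priority() > incumbent.effective_priority()):
        return best.name
    return incumbent.name


def hsrp_lab_scenario(preempt: bool):
    """Walk the VLAN 11 case from the lab: R1's uplink fails, then recovers."""
    r1 = Router("R1", priority=110, preempt=preempt, tracks={"Ethernet0/0": 30})
    r2 = Router("R2", priority=DEFAULT_PRIORITY, preempt=preempt)
    routers = [r1, r2]
    history = []
    active = elect(routers)
    history.append(("initial", active))
    r1.down.add("Ethernet0/0")             # effective priority drops to 80
    active = elect(routers, active)
    history.append(("R1 uplink down", active))
    r1.down.discard("Ethernet0/0")         # back to 110
    active = elect(routers, active)
    history.append(("R1 uplink restored", active))
    return history


if __name__ == "__main__":
    print("with pre-emption:   ", hsrp_lab_scenario(preempt=True))
    print("without pre-emption:", hsrp_lab_scenario(preempt=False))
```

Run with pre-emption enabled, the uplink failure hands the active role to R2 and R1 takes it back on recovery; run without it, R1 stays active at priority 80 throughout, which is exactly the silent failure mode the lab warns about.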
Challenge 14: Implement GLBP
Step 1
The basic configuration of GLBP is very similar to the HSRP or VRRP configuration. The
virtual IP address on all three routers must be 192.168.10.1, the same IP address that is
preconfigured on the network PCs.
R1(config)# interface ethernet0/0
R1(config-if)# glbp 1 ip 192.168.10.1
R1(config-if)# glbp 1 priority 110
R1(config-if)# glbp 1 preempt
It was specified that R1 should be the AVG whenever possible. AVG pre-emption must be
enabled on all routers.
Step 2
To configure tracking, you first need to configure a tracked object on each router. GLBP uses a
weighting scheme to determine the forwarding capacity of each router in the GLBP group.
Weighting can be automatically adjusted by tracking the state of an uplink interface. You have to
set the thresholds correctly so the router will lose the AVF role in the case of a link failure but
regain it when it comes back up.
R1(config)# track 1 interface ethernet 0/1 line-protocol
R1(config-track)# interface ethernet0/0
R1(config-if)# glbp 1 weighting 100 lower 80 upper 90
R1(config-if)# glbp 1 weighting track 1 decrement 30
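The weighting thresholds are easy to get wrong, so here is a Python model of how they behave (an added example, not part of the Cisco lab guide and not IOS code). It uses the lab's values, weighting 100 with lower 80, upper 90 and a decrement of 30 for track 1, and also shows a badly chosen lower threshold and the hysteresis between the two thresholds. The `GlbpWeighting`, `glbp_lab_scenario` and `hysteresis_demo` names are this example's own, and the exact comparisons (strictly below lower to give up the AVF role, strictly above upper to regain it) are an assumption of the model.

```python
# Added example, not from the Cisco lab guide: a model of GLBP weighting with
# lower/upper thresholds. Lab values are weighting 100, lower 80, upper 90 and a
# decrement of 30 for track 1; the threshold comparisons (drop strictly below
# lower to give up AVF, climb strictly above upper to regain it) are an
# assumption of this model, not IOS behaviour reproduced from source.


class GlbpWeighting:
    """One router's GLBP weighting, tracked-object decrements and AVF eligibility."""

    def __init__(self, weighting: int, lower: int, upper: int):
        if not 0 < lower <= upper <= weighting:
            raise ValueError("thresholds must satisfy 0 < lower <= upper <= weighting")
        self.configured = weighting
        self.lower = lower
        self.upper = upper
        self.tracks = {}      # tracked object id -> decrement
        self.failed = set()   # tracked objects currently down
        self.is_avf = True    # eligible to forward while weighting is above the thresholds

    def track(self, obj: int, decrement: int) -> None:
        self.tracks[obj] = decrement

    def current(self) -> int:
        """Configured weighting minus the decrement of every failed tracked object."""
        return self.configured - sum(d for o, d in self.tracks.items() if o in self.failed)

    def set_object_state(self, obj: int, up: bool) -> bool:
        """Record a tracked object's state and re-evaluate the AVF role."""
        if up:
            self.failed.discard(obj)
        else:
            self.failed.add(obj)
        w = self.current()
        if self.is_avf and w < self.lower:
            self.is_avf = False      # fell below the lower threshold: give up forwarding
        elif not self.is_avf and w > self.upper:
            self.is_avf = True       # must climb above the upper threshold to resume
        return self.is_avf


def glbp_lab_scenario(lower: int, upper: int, decrement: int):
    """Lab case: the single tracked uplink (track 1) fails and then recovers.
    Returns (event, weighting, forwards?) tuples."""
    fwd = GlbpWeighting(100, lower, upper)
    fwd.track(1, decrement)
    history = []
    for label, up in (("uplink down", False), ("uplink up", True)):
        forwards = fwd.set_object_state(1, up)
        history.append((label, fwd.current(), forwards))
    return history


def hysteresis_demo():
    """Two tracked objects show why upper > lower: after giving up the AVF role the
    router does not flap back as soon as the weighting is merely above lower."""
    fwd = GlbpWeighting(100, 80, 90)
    fwd.track(1, 30)
    fwd.track(2, 15)
    return [
        fwd.set_object_state(2, False),  # 85: still above lower, keeps AVF
        fwd.set_object_state(1, False),  # 55: below lower, gives up AVF
        fwd.set_object_state(1, True),   # 85: not above upper, stays out
        fwd.set_object_state(2, True),   # 100: above upper, regains AVF
    ]


if __name__ == "__main__":
    print("lab thresholds (80/90, -30):", glbp_lab_scenario(80, 90, 30))
    print("lower set too low (60/90, -30):", glbp_lab_scenario(60, 90, 30))
    print("hysteresis:", hysteresis_demo())
```

With the lab's thresholds the uplink failure drops the weighting to 70, the router gives up the AVF role, and it regains it at 100. With a lower threshold of 60 the same failure leaves the weighting at 70, above the threshold, so the router keeps forwarding toward a dead uplink; that is the misconfiguration the step above tells you to avoid.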
Step 3
Authentication should be configured on all three peers. Use MD5 because it is more secure. You
can use any keyword you want because the customer did not specify which key to use. But you
need to make sure that this same key is specified for GLBP group 1 on all three routers.
R1(config)# interface ethernet 0/0
R1(config-if)# glbp 1 authentication md5 key-string C1sc0
After authentication is configured, the routers still have to see each other, so there should still
be three forwarders. If there are not, the keys have been misconfigured.
Challenge 15: Configure HSRP for IPv6
Step 1
As with HSRP for IPv4, you configure HSRP for IPv6 on the router subinterfaces.
R1(config)# interface ethernet0/0.10
R1(config-subif)# standby version 2
R1(config-subif)# standby 10 ipv6 autoconfig
R1(config-subif)# standby 10 priority 110
R1(config-subif)# standby 10 preempt
R1 should be the active HSRP device for VLAN 10 devices whenever possible, so pre-emption
must be enabled. The same setting applies to R2 and VLAN 20 devices.
Note: HSRPv2 is a prerequisite for a configuration in an IPv6 environment.
Step 2
Configuration for tracking the uplinks in HSRP for IPv6 is the same as it is for HSRP for
IPv4.
R1(config)# interface ethernet0/0.10
R1(config-subif)# standby 10 track ethernet0/1 30
Note: For the tracking of interfaces to work properly, pre-emption must be configured so that the
decremented priority triggers the reelection process for the active router.
Even if you did not configure the same timers for each IPv6 HSRP group on both routers, the
configuration on the active router would overwrite the preconfigured timers on the standby
router.
Challenge 16: Control Network Access with Port
Security
Step 1
R1(config)# interface ethernet0/0
R1(config-if)# no cdp enable
In this lab, Cisco Discovery Protocol is enabled on all devices and all of their interfaces. The
protocol should be disabled on ports that connect to outside networks so that you do not
advertise information for your network to outside networks. In this lab, Cisco Discovery
Protocol should be disabled on the Ethernet 0/0 interface of R1, because this interface is the path
through which your network connects to the Internet.
Step 2
DSW2(config)# interface range ethernet 1/1, ethernet 1/2
DSW2(config-if-range)# switchport port-security mac-address sticky
DSW2(config-if-range)# switchport port-security
DSW2(config-if-range)# end
DSW2# copy running-config startup-config
Port security restricts a switch port to a specific set of MAC addresses, and it should be
configured on all ports that connect to end devices. Because both SW and DSW2 connect to end
devices, port security must be configured on both.
When SW and DSW2 learn the MAC addresses of the PCs, you have to save the running
configuration so that the learned MAC addresses stay in the configuration even if switches
reboot.
Step 3
DSW1(config)# no enable password
DSW1(config)# enable secret c1sc0
The enable secret command is preferred to the enable password command because it stores the
password with a nonreversible (one-way hash) method. The enable secret password is already
configured on R1, DSW2, and SW. You only have to replace the enable password with an
enable secret on DSW1.
Step 4
SW(config)# service password-encryption
You cannot use strong authentication for console and vty access, so you should secure the
For remote access, Telnet is considered insecure. Use SSH whenever possible. SSH is
configured on all devices. All devices, except R1, already have only SSH allowed. R1 has only
Telnet allowed, so you just have to reconfigure it and allow only SSH.
Step 6
R1(config)# banner login C Unauthorized activities will be grounds for prosecution! C
After users successfully access a device, they need to know the access policies of your
organization. The goal is to warn unauthorized users that their activities could be grounds for
prosecution.
DSW1, DSW2, and SW have system banners already configured. You only have to configure a
banner on R1.
Step 7
SW(config)# interface range ethernet1/0-3
SW(config-if-range)# switchport access vlan 199
SW(config-if-range)# shutdown
SW(config-if-range)# exit
SW(config)# interface range ethernet2/0-3
SW(config-if-range)# switchport access vlan 199
SW(config-if-range)# shutdown
SW(config-if-range)# exit
SW(config)# interface range ethernet3/0-3
SW(config-if-range)# switchport access vlan 199
SW(config-if-range)# shutdown
SW(config-if-range)# exit
SW(config)# interface range ethernet4/0-3
SW(config-if-range)# switchport access vlan 199
SW(config-if-range)# shutdown
SW(config-if-range)# exit
SW(config)# interface range ethernet5/0-3
SW(config-if-range)# switchport access vlan 199
SW(config-if-range)# shutdown
All unused switch ports should be shut down, configured with the switchport mode access
command, and put into an isolated VLAN to prevent unauthorized users from connecting to your
network.
Unused ports have already been secured on R1, DSW1, and DSW2. Unused ports on SW have
already been configured as access ports. You only have to shut them down and put them into an
isolated VLAN. VLAN 199 is used for consistency with other network devices.
Step 8
DSW2(config)# interface range ethernet 1/1, ethernet 1/2
DSW2(config-if-range)# no spanning-tree bpdufilter enable
Always enable PortFast on ports that connect to end devices. BPDU guard should also be
enabled on these ports, so if an unexpected BPDU is received, the port is automatically shut
down. BPDU filter and BPDU guard must not be configured at the same time; otherwise, only
BPDU filter will take effect.
SW has already configured PortFast and BPDU guard on all access ports. DSW2, however, has
configured PortFast and both BPDU filter and BPDU guard. Because they should not be
configured at the same time, the BPDU filter configuration has to be removed from DSW2.
Step 9
DSW1(config)# no ip http server
R1, DSW2, and SW already have HTTP disabled, so you only have to disable HTTP on DSW1.
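The NTP access-group step in Challenge 10 and Steps 2 through 9 of this challenge are all checks you can repeat against a saved running-config. The following Python script is an added example (not part of the Cisco lab guide and not a Cisco tool) that parses an IOS-style config and reports which of those items are still open: an enable password instead of an enable secret, missing service password-encryption, no login banner, the HTTP server left on, NTP configured without an ntp access-group, access ports without port security, BPDU filter and BPDU guard enabled together, and Telnet still permitted on the vty lines. `SAMPLE_CONFIG` is a constructed config, not captured from any lab device, and the `parse_ios_config` and `audit` functions are this example's own; the parser only understands the line shapes shown in the sample.

```python
# Added example, not from the Cisco lab guide: a small audit of an IOS-style
# running-config for the NTP and port-security items in Challenges 10 and 16.
# The config below is constructed for the example, not captured from a lab
# device; the parser handles only the line shapes shown here (assumption).

# Constructed sample: several of the weaknesses the challenges fix are present.
SAMPLE_CONFIG = """\
hostname DSW1
enable password c1sc0
ntp server 192.168.101.10
ntp server 192.168.102.10
ip http server
!
interface Ethernet1/1
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface Ethernet1/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_ios_config(text):
    """Split a config into global commands and per-section sub-commands.
    Sections are 'interface ...' and 'line ...' blocks; sub-commands are indented."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("!"):           # section separator
            current = None
            continue
        if raw[0] == " " and current is not None:
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def audit(text):
    """Return (scope, finding) pairs; an empty list means every check passed."""
    g, sections = parse_ios_config(text)
    findings = []
    if any(l.startswith("enable password") for l in g):
        findings.append(("global", "enable password set; replace it with enable secret"))
    if not any(l.startswith("enable secret") for l in g):
        findings.append(("global", "no enable secret configured"))
    if "service password-encryption" not in g:
        findings.append(("global", "service password-encryption not enabled"))
    if not any(l.startswith("banner login") for l in g):
        findings.append(("global", "no login banner configured"))
    if "ip http server" in g:
        findings.append(("global", "HTTP server enabled"))
    if (any(l.startswith(("ntp server", "ntp master")) for l in g)
            and not any(l.startswith("ntp access-group") for l in g)):
        findings.append(("global", "NTP configured without ntp access-group restrictions"))
    for name, subs in sections.items():
        if name.startswith("interface") and "switchport mode access" in subs:
            if "switchport port-security" not in subs:
                findings.append((name, "access port without port security"))
            if ("spanning-tree bpdufilter enable" in subs
                    and "spanning-tree bpduguard enable" in subs):
                findings.append((name, "BPDU filter and BPDU guard both enabled; remove the filter"))
        if name.startswith("line vty"):
            for sub in subs:
                if sub.startswith("transport input") and ("telnet" in sub or sub.endswith(" all")):
                    findings.append((name, "Telnet permitted; use transport input ssh"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

Against the sample the script reports nine findings, and Ethernet1/2, which already has port security and only BPDU guard, is reported clean. Feed it the output of show running-config from each device after the challenge and an empty result tells you the items above are closed; anything else is a step that was skipped.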
IOL
A special build of Cisco IOS Software for Linux, created specifically for virtualized environments.
OSPF
Open Shortest Path First. Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in
the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing.
OSPF was derived from an early version of the IS-IS protocol.