V2 Ilt Lab Guide Implementing Cisco IP Switched Networks: Switch

SWITCH
V2 ILT LAB GUIDE

Implementing Cisco
IP Switched
Networks
Lab Guide Volume number
Version Number
Part Number
Americas Headquarters Asia Pacific Headquarters Europe Headquarters
Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV
San Jose, CA Singapore Amsterdam,
The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at
www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To
view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of
their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other
company. (1110R)
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO
WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN
ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY
DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND
FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer
above.
Copyright Date:
© 2014 Cisco Systems, Inc.

© 2014 Cisco Systems, Inc. V2 ILT LAB GUIDE Implementing Cisco IP Switched Networks SWITCH iii
Table of Contents
Lab Introduction ................................................................................................................. I
Challenge 1: Network Discovery ......................................................................................... 3
Topology .................................................................................................................................... 3
Job Aids ..................................................................................................................................... 5
Command List ............................................................................................................................ 6
Task 1: Network Discovery .......................................................................................................... 6
Challenge 2: Configure DHCP ............................................................................................ 9
Topology .................................................................................................................................... 9
Job Aids ................................................................................................................................... 11
Command List .......................................................................................................................... 13
Task 1: Configure DHCP............................................................................................................ 13
Challenge 3: Configure DHCPv6....................................................................................... 17
Topology .................................................................................................................................. 17
Job Aids ................................................................................................................................... 19
Command List .......................................................................................................................... 21
Task 1: Configure DHCPv6 ........................................................................................................ 21
Challenge 4: Configure EtherChannel ............................................................................... 25
Topology .................................................................................................................................. 26
Job Aids ................................................................................................................................... 27
Command List .......................................................................................................................... 29
Task 1: Configure EtherChannel.................................................................................................. 29
Challenge 5: Implement RSTP .......................................................................................... 33
Topology .................................................................................................................................. 34
Job Aids ................................................................................................................................... 35
Command List .......................................................................................................................... 36
Task 1: Implementing Rapid Spanning-Tree ................................................................................. 36
Challenge 6: Improve STP Configuration.......................................................................... 39
Topology .................................................................................................................................. 40
Job Aids ................................................................................................................................... 41
Command List .......................................................................................................................... 42
Task 1: Improve STP Configuration............................................................................................. 43
Challenge 7: Configure MST............................................................................................. 47
Topology .................................................................................................................................. 48
Job Aids ................................................................................................................................... 49
Command List .......................................................................................................................... 50
Task 1: Configure MST .............................................................................................................. 51
Challenge 8: Configure Routing Between VLANs with a Router ........................................ 57
Topology .................................................................................................................................. 57
Job Aids ................................................................................................................................... 59
Command List .......................................................................................................................... 60
Task 1: Configure Routing Between VLANs with a Router ............................................................ 60
Challenge 9: Configure Routing on a Multilayer Switch .................................................... 63
Topology .................................................................................................................................. 64
Job Aids ................................................................................................................................... 65
Command List .......................................................................................................................... 66
Task 1: Configure Routing on a Multilayer Switch ........................................................................ 67
Challenge 10: Configure NTP ........................................................................................... 71
Topology .................................................................................................................................. 72
© 2014 Cisco Systems, Inc. Lab Guide i

Job Aids ................................................................................................................................... 73
Command List .......................................................................................................................... 75
Task 1: Configure NTP .............................................................................................................. 76
Challenge 11: Configure Network Monitoring Using the Cisco IOS IP SLA ....................... 81
Topology .................................................................................................................................. 82
Job Aids ................................................................................................................................... 83
Command List .......................................................................................................................... 84
Task 1: Configure IP SLA Monitoring ......................................................................................... 84
Challenge 12: Configure HSRP with Load Balancing ......................................................... 87
Topology .................................................................................................................................. 88
Job Aids ................................................................................................................................... 89
Command List .......................................................................................................................... 90
Task 1: Configure HSRP with Load Balancing.............................................................................. 90
Challenge 13: Configure VRRP with Load Balancing ........................................................ 97
Topology .................................................................................................................................. 98
Job Aids ................................................................................................................................... 99
Command List ........................................................................................................................ 100
Task 1: Configure VRRP with Load Balancing ........................................................................... 101
Challenge 14: Implement GLBP ...................................................................................... 107
Topology ................................................................................................................................ 108
Job Aids ................................................................................................................................. 109
Command List ........................................................................................................................ 110
Task 1: Implement GLBP ......................................................................................................... 110
Challenge 15: Configure HSRP for IPv6 .......................................................................... 117
Topology ................................................................................................................................ 118
Job Aids ................................................................................................................................. 119
Command List ........................................................................................................................ 120
Task 1: Configure HSRP for IPv6.............................................................................................. 120
Challenge 16: Control Network Access with Port Security ............................................... 127
Topology ................................................................................................................................ 128
Job Aids ................................................................................................................................. 129
Command List ........................................................................................................................ 130
Task 1: Controlling Network Access Using Port Security ............................................................. 132
Answer Key .................................................................................................................... 137
Challenge 1: Network Discovery ............................................................................................... 137
Challenge 2: Configure DHCP .................................................................................................. 142
Challenge 3: Configure DHCPv6............................................................................................... 145
Challenge 4: Configure EtherChannel ........................................................................................ 147
Challenge 5: Implement RSTP .................................................................................................. 154
Challenge 6: Improve STP Configuration ................................................................................... 156
Challenge 7: Configure MST .................................................................................................... 158
Challenge 8: Configure Routing Between VLANs with a Router ................................................... 160
Challenge 9: Configure Routing on a Multilayer Switch ............................................................... 161
Challenge 10: Configure NTP ................................................................................................... 164
Challenge 11: Configure Network Monitoring Using the Cisco IOS IP SLA ................................... 166
Challenge 12: Configure HSRP with Load Balancing .................................................................. 168
Challenge 13: Configure VRRP with Load Balancing .................................................................. 170
Challenge 14: Implement GLBP ................................................................................................ 172
Challenge 15: Configure HSRP for IPv6 .................................................................................... 174
Challenge 16: Control Network Access with Port Security ........................................................... 176
Glossary.......................................................................................................................... 179
ii V2 ILT LAB GUIDE Implementing Cisco IP Switched Networks SWITCH © 2014 Cisco Systems, Inc.
© 2014 Cisco Systems, Inc. Lab Guide iii
iv V2 ILT LAB GUIDE Implementing Cisco IP Switched Networks SWITCH © 2014 Cisco Systems, Inc.
Lab Introduction
 For each challenge lab, read the lab Scenario and the Job Aids first, then proceed by solving challenges
provided.
 Refer to the Command List if you need assistance with your lab exercise.
 If you need additional tips, refer to the Hints section, which is available in the CLL portal.
 The Validation section will help you verify whether you successfully completed the challenge.
 If you need additional guidance, refer to the Answer section, which contains a detailed, step-by-step
solution for each challenge lab.
© 2014 Cisco Systems, Inc. Lab Guide I

II Lab Guide © 2014 Cisco Systems, Inc.
Challenge 1: Network
Discovery
Dwayne has given you your first task. He is asking you to investigate the network topology and document
the network by adding descriptions to all network connections.
Dwayne has given you a list of devices in the network, along with their IP addresses. Find this list in the Job
Aids section. Use Telnet to access devices and document connections. Dwayne has said that the interfaces
should be named after the devices that they connect to. For example, if RouterA connects to RouterB
through interface Ethernet 1/1, you should add a description on Ethernet 1/1 that says "RouterB".
You are not allowed to change any other configuration besides interface descriptions.
Topology
You only see and have access to PC1. You will have to figure out how the devices are connected.
© 2014 Cisco Systems, Inc. V2 ILT LAB GUIDE Implementing Cisco IP Switched Networks SWITCH 3
4 Lab Guide © 2014 Cisco Systems, Inc.
Job Aids
Note If you shut down an interface on a real router or switch, the connected device will see it as
"down/down." Due to virtualization specifics, IOL behavior is slightly different. If you shut down
an interface on a router or switch, the connected device will see it as "up/up." In IOL, the
status of an interface can only be "up/up" or "administratively down/down."
Device Information
Device IP Address Telnet Password Enable Password
PC1 192.168.0.101 cisco cisco
SW1 192.168.0.10 cisco cisco
SW2 192.168.0.20 cisco cisco
DSW1 192.168.0.30 cisco cisco
DSW2 192.168.0.40 cisco cisco
R1 192.168.10.2 cisco cisco
Command List
The table describes the commands that are used in this activity. The commands are listed in alphabetical
order so that you can easily locate the information that you need. Refer to this list if you need configuration
command assistance during the lab activity.
Command Description
configure terminal Enters global configuration mode.
description description Adds a description to the interface. Enter this command in interface
configuration mode.
enable Enters privileged EXEC mode.
interface interface slot/number Enters interface configuration mode for the specified interface.
ping ip-address Checks the connectivity to the specified IP address.
show cdp neighbors [detail] Shows detailed information about Cisco devices that are directly
connected, including IP addresses if you add the detail keyword.
show interface interface slot/number Shows properties of the interface, including its MAC address.
show ip interface brief Shows IP interface configuration in a condensed form.
show mac address-table Shows the CAM table.
telnet ip_address Uses the Telnet protocol to connect to a device specified by the IP
address.
Task 1: Network Discovery

Step 1 Investigate network connections and document them by adding descriptions to interfaces.
Access PC1 and use Telnet to access other devices in the network.
Verification
Use this section to verify your Challenge results.

Step 1
1 Verify the interface descriptions on SW1, SW2, DSW1, DSW2, and R1:
You should get the following results:

SW1# show interfaces description
Interface Status Protocol Description
Et0/0 up up PC1
Et0/1 up up
Et0/2 up up
Et0/3 up up DSW1
Et1/0 up up
Et1/1 up up DSW2
<... output omitted ...>
SW2# show interfaces description

Et0/0 up up
Et0/1 up up
Et0/2 up up
Et0/3 up up
Et1/0 up up
Et1/1 up up DSW1
Et1/2 up up DSW2
DSW1# show interfaces description

Et0/0 up up
Et0/1 up up SW2
Et0/2 up up R1
Et0/3 up up SW1
Et1/0 up up
DSW2# show interfaces description

Et0/0 up up
Et0/1 up up SW1
Et0/2 up up R1
Et0/3 up up SW2
Et1/0 up up
Et1/1 up up
Et1/2 up up
R1# show interfaces description

Et0/0 admin down down
Et0/1 up up DSW1
Et0/2 up up DSW2
Et0/3 up up Internet
Et1/0 admin down down
If you do not see the desired results, verify the following:

• You have correctly identified all device interconnections using Cisco Discovery Protocol
and CAM table information.
• You have correctly named all 13 interfaces.
Challenge 2: Configure
DHCP
A customer has a network where all clients have manually configured IPs. They are looking to hire many
new employees in the next few months, and manually configuring every IP address in the network will not
be an option anymore.
Your job is to implement DHCP service in the network. Core1 was designated to be the DHCP server.
The following is a specification list that the customer handed to you:

 SALES is in VLAN 22 and is assigned subnet 192.168.22.0/24.
 IT is in VLAN 33 and is assigned subnet 192.168.33.0/24.
 Do not offer the following IPs to the clients: 192.168.22.1 to 192.168.22.10, 192.168.33.1 to
192.168.33.10
 SRV must acquire an IP address through DHCP, but that address must be 192.168.33.185.
 You will need to configure a default router for all DHCP pools.
Topology
The customer network has two VLANs: one for IT and one for SALES.
Job Aids
VLAN Information
Device Connections
Device Interface Connects To Neighbor Interface
PC1 Ethernet 0/0 SW1 Ethernet 0/1
SRV Ethernet 0/0 SW2 Ethernet 0/2
SW1 Ethernet 0/0 Core1 Ethernet 0/1
IP Addressing Information
Device Interface IP Address
Core1 VLAN 22 192.168.22.1/24
Core1 Eth0/2 192.168.2.1/24
SW2 VLAN 33 192.168.33.1/24
SW2 Eth0/0 192.168.2.2/24

Command List
Command Description
ip dhcp excluded-address low-address Specifies the IP addresses that the DHCP server should not assign to
DHCP clients. Use this command in global configuration mode.
ip dhcp pool name Creates a name for the DHCP server address pool and places you in
DHCP pool configuration mode. Use this command in global
configuration mode.
ip helper-address ip-address Enables the DHCP broadcast to be forwarded to the configured DHCP
server. Use this command in interface configuration mode.
release dhcp interface-type interface- Performs an immediate release of a DHCP lease for the specified
number interface.
renew dhcp interface-type interface- Forces the renewal of the DHCP lease for the specified interface.
number
show interface interface slot/number Shows properties of the interface, including its MAC address.
show ip dhcp binding Displays a list of all bindings created on a specific DHCP server.
show ip dhcp pool pool name Shows the information about DHCP address pool.
Task 1: Configure DHCP

Step 1 Configure DHCP for the Sales subnet.
Step 2 Configure DHCP for IT and make sure that SRV always gets the IP of 192.168.33.185 through
DHCP.
Verification
Use this section to verify your Challenge results.
Step 1
1 On Core1, check if two PCs from VLAN 22 are seen in the DHCP binding table. The
leased-out IP addresses should be between .11 and .254.
Core1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.22.11 0063.6973.636f.2d61. Apr 23 2014 02:22 AM Automatic
6162.622e.6363.3031.
2e31.3630.302d.4574.
302f.30
6162.622e.6363.3031.
2e31.3730.302d.4574.
302f.30
If you did not get the desirable results, check the following:
• You have excluded the IP addresses 192.168.22.1 through 192.168.22.10 from the DHCP
process.
• On Core1, you have a DHCP pool for subnet 192.168.22.0/24.
• You have configured PCs 1 and 2 to acquire IP addresses through DHCP.
Step 2
1 On Core1, check that PC3 and SRV, from VLAN 33, are seen in the DHCP binding table.
The IP address of PC3 should be between .11 and .254. The IP address of SRV must be
.185.
Hardware address/
User name
6162.622e.6363.3031.
2e32.3230.302d.4574.
302f.30
192.168.33.185 0063.6973.636f.2d61. Infinite Manual
6162.622e.6363.3031.
2e32.3330.302d.4574.
302f.30
If you did not get the desirable results, check that:

• You have excluded the IP addresses 192.168.33.1 through 192.168.33.10 from the DHCP
process.
• On Core1, you have a DHCP pool for subnet 192.168.33.0/24.
• You have configured PC3 and SRV to acquire an IP address through DHCP.

• You have configured SW2 to act as a DHCP relay.
• You have configured a manual DHCP binding for SRV.
DHCPv6
A customer has an IPv4 network. It uses DHCP to allocate IPv4 addresses to clients.
It now wants all of its end devices double-stacked. Your job is to configure Core1 as the DHCPv6 server
and configure all the clients in the network to acquire IPv6 addresses. IPv6 is preconfigured on the link
between Core1 and SW2.
The following is a specification list that the customer handed to you:

 SALES is in VLAN 22 and is assigned the 2001:DB8:16::/64 prefix.
 IT is in VLAN 33 and is assigned the 2001:DB8:21::/64 prefix.
 The "SRV" device in VLAN 33 must have a manually configured IPv6 address of
2001:DB8:21::185/64.
 All clients and "SRV" should also acquire DNS server information through DHCP. The IP address of
the DHCP server is: 2001:DB8:53::53/64.
 Not all IPv6 addressing is preconfigured.
Topology
The customer network has two VLANs: one for IT and one for SALES.
Job Aids
VLAN Information
Device Connections
SRV Ethernet 0/0 SW2 Ethernet 0/2
IPv6 Addressing Information
Core1 Eth0/2 2001:DB8:99::1/64
Core1 VLAN22 2001:DB8:16::1/64
SW2 Eth0/0 2001:DB8:99::2/64
SW2 VLAN33 2001:DB8:21::1/64

Command List
Command Description
address prefix prefix Specifies an address prefix that should be assigned to clients. Use this
command in DHCPv6 configuration mode.
dns-server dns-server Specifies the DNS IPv6 servers that are available to a DHCPv6 client.
Use this command in DHCPv6 configuration mode.
ipv6 address IPv6_address Configures an IPv6 address on the interface.. Use this command in
interface configuration mode.
ipv6 dhcp pool pool_name Configures a DHCPv6 configuration information pool and enters DHCPv6
pool configuration mode. Use this command in global configuration
mode.
ipv6 dhcp relay destination Specifies a destination address to which client packets are forwarded
IPv6_address and enables DHCPv6 relay service on the interface. Use this command
in interface configuration mode.
ipv6 dhcp server pool_name Enables DHCPv6 server function on an interface. Use this command in
ipv6 enable Enables IPv6 on the interface. Use this command in interface
configuration mode.
show ipv6 dhcp binding Displays a list of all bindings created on a specific DHCPv6 server.
show ipv6 dhcp interface brief Displays DHCPv6 interface information.
Task 1: Configure DHCPv6

Step 1 Configure DHCPv6 for the SALES subnet.
Step 2 Configure DHCPv6 for the IT subnet.
Step 3 Configure SRV with the specified IPv6 address.
Verification
Use this section to verify your challenge results.
Step 1
1 There are two VLAN 22 DHCPv6 bindings on Core1.
Core1# show ipv6 dhcp binding
Client: FE80::A8BB:CCFF:FE01:D00 (Vlan22)
DUID: 00030001AABBCC010D00
IA NA: IA ID 0x00020001, T1 43200, T2 69120
Address: 2001:DB8:16:0:16B:D955:A8E7:C876
preferred lifetime 86400, valid lifetime 172800
expires at Apr 24 2014 02:39 AM (172651 seconds)
Client: FE80::A8BB:CCFF:FE01:1400 (Vlan22)
DUID: 00030001AABBCC011400
IA NA: IA ID 0x00020001, T1 43200, T2 69120
Address: 2001:DB8:16:0:E1B2:FF29:F672:373D
If you do not see the desired results, make sure that you have done the following:
• Configured a DHCPv6 pool with the specified VLAN 22 prefix on Core1
• Configured the VLAN 22 interface with an IPv6 address on Core1
• Associated the DHCPv6 pool with an interface
• Enabled PC1 and PC2 for IPv6 and enabled them to acquire IPv6 addresses via DHCP
2 PC1 and PC2 have obtained the DNS server IPv6 address via DHCPv6.
PC1# show ipv6 dhcp interface ethernet 0/0

DNS server: 2001:DB8:53::53
Information refresh time: 0
Prefix Rapid-Commit: disabled
Address Rapid-Commit: disabled

If PC1 and PC2 have obtained IPv6 addresses via DHCP, but not the DNS address, then
you did not configure the DHCPv6 server to distribute the DNS server address to clients.
Step 2
1 There is a DHCPv6 binding on Core1 for the VLAN 33 prefix.

Core1# show ipv6 dhcp binding
Client: FE80::A8BB:CCFF:FE01:1500 (relayed)
DUID: 00030001AABBCC011500
IA NA: IA ID 0x00020001, T1 43200, T2 69120
Address: 2001:DB8:21:0:E0FB:42FB:7214:E301
If the verification step is not successful, make sure that you have done the following:
• Configured a DHCPv6 pool with the specified VLAN 33 prefix on Core1.
• Configured the VLAN 33 interface with an IPv6 address on SW2.
• Associated the DHCPv6 pool with an interface.
• Configured the VLAN 33 interface on SW2 to act as a relay agent.
• Enabled PC3 for IPv6 and enabled it to acquire an IPv6 address via DHCP.
2 PC3 has obtained the DNS server IPv6 address via DHCPv6.
If PC3 obtained an IPv6 address via DHCP, but not the DNS address, then you did not
configure the DHCPv6 server to distribute the DNS server address to clients.
Step 3
1 SRV is manually configured with the IPv6 address 2001:DB8:21::11.
SRV# show ipv6 interface brief
Ethernet0/0 [up/up]
FE80::A8BB:CCFF:FE00:A500
2001:DB8:21::11
If you do not see desired results, then you have not configured the correct IPv6 address.
EtherChannel
Your senior colleague, Dwayne, has given you and your fellow colleague, Greg, a job to do.
Your task is to bundle the four links between the distribution layer switches using EtherChannel. Greg will
be responsible for bundling two links for each of the following connections: SW1-DSW1 and SW2-DSW2.
Dwayne said that the link between the distribution layer switches should be in channel group 2, and that
bundles that connect distribution and access layer switches should belong to channel group 1. Also, he
would like you to use an open standard protocol to negotiate EtherChannel links, in case the company buys
a switch from a company other than Cisco in the future. Since the links between switches will carry data
from multiple VLANs, you will need to configure all EtherChannel links as trunks.
Greg tried to configure his part. He calls you and asks for help. Right now, neither of his two pairs of links
are bundled.
On the way to Greg, Dwayne sees you. He expresses his concern of choosing the best mechanism to load
balance across EtherChannel. You assure him that you know what you are doing.
Topology

Job Aids
Device Connection and EtherChannel Information
Device Interface Connects To Port-Channel Group

Number
SW1 Eth 0/1 PC1
Eth 0/2 DSW1 1
Eth 0/3 DSW1 1
Eth 1/1 DSW2
SW2 Eth 0/1 PC2
Eth 1/1 DSW1
Eth1/2 DSW2 1
Eth1/3 DSW2 1
DSW1 Eth0/0 SW1 1
Eth0/1 SW2
Eth0/2 R1
Eth0/3 SW1 1
Eth1/0 DSW2 2
Eth1/1 DSW2 2
Eth1/2 DSW2 2
Eth1/3 DSW2 2
DSW2 Eth0/0 SW2 1
Eth0/1 SW1
Eth0/2 R1
Device Interface Connects To Port-Channel Group
Number
Eht0/3 SW2 1
Eth1/0 DSW1 2
Eth1/1 DSW1 2
Eth1/2 DSW1 2
Eth1/3 DSW1 2
R1 Eth0/1 DSW1
Eth0/2 DSW2
Eth0/3 Internet

Command List
Command Description
channel-group number mode mode Specifies the port mode for the link in a port channel. Use this command
interface range interface range Enters interface configuration mode for the range of specified interfaces.
port-channel load-balance Configures specified load balancing for EtherChannel. Use this command
load_balancing_option in global configuration mode.
show etherchannel load-balance Shows which information Etherchannel uses to load balance traffic.
show etherchannel number summary Shows a summary of local EtherChannels properties.
show running-config interface Filters interface configuration from the running configuration of the
interface slot/number device.
switchport mode trunk Configures the interface as a trunk port. Use this command in interface
configuration mode.
Task 1: Configure EtherChannel

Step 1 Bundle the four links between DSW1 and DSW2 into EtherChannel group 2.
Step 2 Troubleshoot the EtherChannel link between DSW1 and SW1.
Step 3 Troubleshoot the EtherChannel link between DSW2 and SW2.
Step 4 Choose and configure the most efficient EtherChannel load-balancing method.
Verification

Step 1
1 On DSW1 or DSW2, verify the EtherChannel status of group 2. There should be four "P"
flags next to each port, indicating that EtherChannel group 2 is bundled. The protocol
should be set to LACP.
DSW1# show etherchannel 2 summary
Flags: D - down P - bundled in port-channel

I - standalone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met

u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2

Number of aggregators: 2
Group Port-channel Protocol Ports

------+-------------+-----------+-----------------------------------------------
2 Po2(SU) LACP Et1/0(P) Et1/1(P) Et1/2(P)
Et1/3(P)
If the verification step is not successful, check the following:

• Port channel 2 and all ports belonging to channel 2 are enabled on DSW1 and SW1.
• Configuration is consistent between EtherChannel group 2 ports on both DSW1 and DSW2.
• You have LACP correctly configured on EtherChannel group 2 ports on both DSW1 and
DSW2.
Step 2
1 On DSW1 or SW1, verify the EtherChannel status of group 1. There should be two "P"

d - default port


------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Et0/0(P) Et0/3(P)


• Configuration is consistent between EtherChannel group 1 ports on both DSW1 and SW1.
SW1.
Step 3
1 On DSW2 or SW2, verify the EtherChannel status of group 1. There should be two "P"

d - default port


------+-------------+-----------+-----------------------------------------------

• Configuration is consistent between EtherChannel group 1 ports on both DSW2 and SW2.
SW2.
Step 4
1 Make sure all four switches have EtherChannel load balancing set to src-dst-ip.
DSW1# show etherchannel load-balance

EtherChannel Load-Balancing Configuration:
src-dst-ip

src-dst-ip
SW1# show etherchannel load-balance
src-dst-ip

src-dst-ip
If you do not see desired results, you have not configured the correct load-balancing
mechanism.

Challenge 5: Implement
RSTP
A rapidly growing customer company has decided to redesign its LAN. Dennis, the customer engineer,
wired the switches and configured the VLANs and trunks.
Dennis is seeing a number of performance issues, and he wants you to help him with the following:
 He would like to speed up STP convergence. Dennis noticed that if a link fails, it takes a full half-
minute until connectivity is restored. That delay is not acceptable.
 He is asking how STP root bridges should be set up. Right now, everything is left for the network to
decide. After some discussion, the conclusion is that DSW1 should be the root bridge for VLANs 1, 10,
and 20. DSW2 should be the root bridge for VLANs 30 and 40.
 The links between DSW1 and DSW2 are not efficiently used. Dennis is asking you to make switches
DSW1 and DSW2 use both of these two links for all VLANs.
Topology
DSW1 and DSW2 are distribution layer switches. SW1 and SW2 are access layer switches.

Job Aids
Device Connections
SW1 Ethernet 0/2 DSW1 Ethernet 0/2
DSW1 Ethernet 0/0 DSW2 Ethernet 0/0
Command List
Command Description
channel-group number mode mode Specifies the port mode for the link in a port channel. Use this command
configure terminal Enters global configuration mode
enable Enters privileged EXEC mode
interface interface slot/number Enters interface configuration mode for a specified interface
interface range interface interface Enters interface configuration mode for a specified range of interfaces
slot/number - number
show etherchannel summary Shows basic EtherChannel information
show spanning-tree [vlan Shows spanning-tree information, including the root bridge and STP port
vlan_number] states. You can specify a VLAN to filter down the output to a specific STP
instance.
spanning-tree mode rapid-pvst Configures a switch to run RSTP
spanning-tree vlan vlan_number root Configures a switch to become the root bridge for a specified VLAN (STP
primary instance)
spanning-tree vlan vlan_number root Configures a switch to become the root bridge for a specified VLAN (STP
secondary instance) if the primary root fails
Task 1: Implementing Rapid Spanning-Tree

Step 1 Migrate the network to RSTP.
Step 2 Configure DSW1 as the root bridge for VLANs 1, 10, and 20. Configure DSW2 as the root
bridge for VLANs 30 and 40.
Step 3 Bundle the DSW1-DSW2 links into an EtherChannel.
Verification

Step 1
1 Verify that all four switches are running RSTP.

DSW1# show spanning-tree
VLAN0001
Spanning tree enabled protocol rstp
DSW2# show spanning-tree
VLAN0001
SW1# show spanning-tree
VLAN0001
SW2# show spanning-tree
VLAN0001
If you do not see the desired results, you have not configured all four switches to run
RSTP.
Step 2
1 Verify that DSW1 is the root bridge for VLANs 1, 10, and 20. Verify that DSW2 is the
root bridge for VLANs 30 and 40.
DSW1# show spanning-tree vlan 1
VLAN0001
Root ID Priority 24577
Address aabb.cc00.8e00
This bridge is the root
VLAN0010
VLAN0020
VLAN0030
Address aabb.cc00.8f00
VLAN0040
Address aabb.cc00.8f00
If you do not see the desired results, check the following:

• Between the four switches in the network, DSW1 has the lowest STP system priority
configured for VLANs 1, 10, and 20.
• Between the four switches in the network, DSW2 has the lowest STP system priority
configured for VLANs 30 and 40.
Step 3
1 On DSW1, verify that links Ethernet 0/0 and 0/1 are bundled into an EtherChannel.
DSW1# show etherchannel summary
I - stand-alone s - suspended

d - default port


------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Et0/0(P) Et0/1(P)
The "P" flag next to Ethernet 0/0 and Ethernet 0/1 tells you that these two interfaces are
bundled into an EtherChannel.
You would get the same results if you performed verification on DSW2.
If you do not see the desired results, you have not successfully bundled interfaces Ethernet
0/0 and 0/1 on DSW1 and DSW2.

Challenge 6: Improve STP
Configuration
Dennis, the customer engineer, was pleased with your implementation of RSTP. However, he read on the
Internet that STP, while very reliable, can fail. He took it upon himself to "secure" STP.
Dennis asks you to look over his configuration of PortFast, BPDU guard, BPDU filter, loop guard, and root
guard. Make adjustments to the network configuration if it does not follow the recommended practices.
Topology
DSW1 and DSW2 are distribution layer switches. SW1 and SW2 are access layer switches.

Job Aids
Device Connections
Command List
Command Description
interface interface slot/number Enters interface configuration mode for a specified interface.
interface range interface interface Enters interface configuration mode for a specified range of interfaces.
show running-config Displays the current running configuration.
show spanning-tree interface Shows spanning-tree configuration and statistics on a specified port.
interface slot/number detail
show spanning-tree interface Displays the current state of PortFast.

interface slot/number portfast
spanning-tree bpdufilter enable Enables BPDU filter on a specific switch port. Use this command in
spanning-tree bpduguard enable Enables BPDU guard on a port. Use this command in interface
configuration mode.
spanning-tree guard loop Enables loop guard. Use this command in interface configuration mode.
spanning-tree guard root Enables root guard. Use this command in interface configuration mode.
spanning-tree portfast Enables PortFast on a per-port basis. Use this command in interface
configuration mode.
spanning-tree portfast bpdufilter Enables BPDU filter on all switch ports that have PortFast enabled. Use
default this command in global configuration mode.
spanning-tree portfast bpduguard Enables BPDU guard on all switch ports that have PortFast enabled. Use
default this command in global configuration mode.
spanning-tree portfast default Enables PortFast on all switch ports that are defined as access. Use this
command in global configuration mode.

Task 1: Improve STP Configuration
Step 1 Check the customer PortFast, BPDU guard, and BPDU filter implementation. Fix the
configuration if it is not done correctly.
Step 2 Check the customer RootGuard implementation. Fix it if it is not correctly configured.
Step 3 Check the customer loop guard implementation. Fix it if it is not configured correctly.
Verification

Step 1
1 Verify that PortFast and BPDU guard are configured only on access ports on SW1 and
SW2. Verify that BPDU filter is not configured on those ports.
SW1# show spanning-tree interface ethernet 0/0 detail
The port is in the portfast mode by default
Link type is shared by default
Bpdu guard is enabled
BPDU: sent 399, received 0

Note that PortFast and BPDU guard must not be configured on any other port than
Ethernet 0/0 and Ethernet 0/1 on SW1 and Ethernet 0/0 and Ethernet 0/1 on SW2.
BPDU filter must not be configured on any port in the network.
If you do not see the desired results, the following is the likely cause:
• You made changes to PortFast or BPDU guard configuration, even though it was configured
properly.
• You have not removed BPDU filter configuration.
Step 2
1 Verify that root guard is enabled on Ethernet 0/2 and 0/3 on DSW1 and DSW2, and that it
is configured only on those ports.
DSW1# show spanning-tree interface ethernet 0/2 detail
Root guard is enabled on the port

Note that root guard must not be enabled on any other port than the DSW1 and DSW2
down-links.
• You have removed the existing root guard configuration for Ethernet 0/2 on both DSW1 and
DSW2.
• You have not configured root guard for Ethernet 0/3 on both DSW1 and DSW2.
Step 3
1 Verify that loop guard is configured on the SW1 and SW2 uplink ports. Verify that loop
guard is configured for all VLANs on the DSW1 and DSW2 port-channel interfaces.
Loop guard is enabled on the port


DSW1# show spanning-tree interface interface port-channel 1 detail
Port 65 (Port-channel1) of VLAN0001 is designated forwarding
Port 65 (Port-channel1) of VLAN0030 is root forwarding
DSW2# show spanning-tree interface interface port-channel 1 detail

• You have not configured loop guard on all ports that are, or can become, nondesignated.
Challenge 7: Configure MST
A customer is running Rapid PVST+ in their network. Their engineer, Carol, did a great job of load-
balancing traffic for VLANs 10 through 50.
However, Carol will be required to configure many more VLANs in the future and she is afraid of
performance issues due to the large number of VLAN instances.
Your job is to migrate the customer network to MST:

 Use two MST instances: MSTI1 for VLANs 10 to 25, and MSTI2 for VLANs 26 to 50.
 Use the MST region name, "SWITCH," and the revision number, "1".
 Configure SW1 to be the root bridge for MSTI1 and SW2 to be the root bridge for MSTI2.
Topology
In this network, ASW1, ASW2, and ASW3 are access layer switches. SW1, SW2, and SWB connect to
other parts of the customer network.

Job Aids
Device Connections
SWB Ethernet 0/0 SW1 Ethernet 0/0
SWB Ethernet 0/1 SW2 Ethernet 0/0
SW1 Ethernet 0/1 SW2 Ethernet 0/1
SW1 Ethernet 0/2 ASW1 Ethernet 0/0
ASW1 Ethernet 0/1 ASW2 Ethernet 0/1
Command List
Command Description
instance instance_number vlan Maps VLANs to an MST instance. If you do not specify the vlan
vlan_range keyword, you can use the no keyword to unmap all the VLANs that were
mapped to an MST instance. If you specify the vlan keyword, you can
use the no keyword to unmap a specified VLAN from an MST instance.
Use this command in MST configuration mode.
name name Sets the MST region name. Use this command in MST configuration
mode.
revision revision_number Sets the MST configuration revision number. Use this command in MST
configuration mode.
show current Displays the current MST configuration. Use this command from MST
configuration mode.
show interfaces trunk Shows trunking information.
show pending Displays the pending MST configuration. Issue this command in MST
configuration mode. Use end or exit to apply the pending configuration.
show spanning-tree interface Shows spanning-tree information for the specified interface.
interface slot/number
show spanning-tree mst Displays the current MST configuration for specified instances.
[instance_no1, instance_no1 [,...]]
spanning-tree mode mst Changes STP on a switch to MST. Use this command in global
configuration mode.
spanning-tree mst configuration Enters MST configuration mode.
spanning-tree mst instance_number Configures a switch as the primary or secondary root bridge.
root {primary | secondary}

Task 1: Configure MST
Step 1 Configure MST regions, MST revisions, and MST instance-to-VLAN mappings.
Step 2 Configure root bridges for the MST instances that you have created and configure all switches to
run MST.
Verification

Step 1
1 Verify that all switches are configured with correct MST region name, revision number,
and VLAN-to-instance mappings.
SWB(config-mst)# show current
Current MST configuration
Name [SWITCH]
Revision 1 Instances configured 3
Instance Vlans mapped

-------- ---------------------------------------------------------------------
0 1-9,51-4094
1 10-25
2 26-50
-------------------------------------------------------------------------------
SW1(config-mst)# show current

Name [SWITCH]

-------- ---------------------------------------------------------------------
0 1-9,51-4094
1 10-25
2 26-50
-------------------------------------------------------------------------------
SW2(config-mst)# show current

Name [SWITCH]

-------- ---------------------------------------------------------------------
0 1-9,51-4094
1 10-25
2 26-50
-------------------------------------------------------------------------------
ASW1(config-mst)# show current
Name [SWITCH]

-------- ---------------------------------------------------------------------
0 1-9,51-4094
1 10-25
2 26-50
-------------------------------------------------------------------------------

Name [SWITCH]

-------- ---------------------------------------------------------------------
0 1-9,51-4094
1 10-25
2 26-50
-------------------------------------------------------------------------------

Name [SWITCH]

-------- ---------------------------------------------------------------------
0 1-9,51-4094
1 10-25
2 26-50
-------------------------------------------------------------------------------
If you do not see the desired results, one or more of these reasons could be the cause:
• You have not configured all switches with the MST region "SWITCH".
• You have not configured all switches with the MST revision "1".
• You have not configured correct VLAN-to-instance mappings.
• You have not applied the MST configuration using the exit or end commands.
Step 2
1 Check that all switches are running MST, that SW1 is the root bridge for MSTI1, and that
SW2 is the root bridge for MSTI2.

SWB# show spanning-tree mst 1,2
##### MST1 vlans mapped: 10-25

Bridge address aabb.cc00.0600 priority 32769 (32768 sysid 1)
Root address aabb.cc00.0700 priority 24577 (24576 sysid 1)
port Et0/0 cost 2000000 rem hops 19
Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 2000000 128.1 Shr
Et0/1 Altn BLK 2000000 128.2 Shr


---------------- ---- --- --------- -------- --------------------------------
Et0/0 Altn BLK 2000000 128.1 Shr
Et0/1 Root FWD 2000000 128.2 Shr
SW1# show spanning-tree mst 1,2

Root this switch for MST1

---------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 2000000 128.1 Shr
Et0/1 Desg FWD 2000000 128.2 Shr
Et0/2 Desg FWD 2000000 128.3 Shr
Et0/3 Desg BLK 2000000 128.4 Shr


---------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 2000000 128.1 Shr
Et0/1 Root FWD 2000000 128.2 Shr
Et0/2 Desg FWD 2000000 128.3 Shr
Et0/3 Desg FWD 2000000 128.4 Shr
SW2# show spanning-tree mst 1,2


---------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 2000000 128.1 Shr
Et0/1 Root FWD 2000000 128.2 Shr
Et0/2 Desg FWD 2000000 128.3 Shr
Et0/3 Desg FWD 2000000 128.4 Shr

Root this switch for MST2

---------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 2000000 128.1 Shr
Et0/1 Desg FWD 2000000 128.2 Shr
Et0/2 Desg FWD 2000000 128.3 Shr
Et0/3 Desg FWD 2000000 128.4 Shr
ASW1# show spanning-tree mst 1,2


---------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 2000000 128.1 Shr
Et0/1 Desg FWD 2000000 128.2 Shr
Et0/2 Desg FWD 2000000 128.3 Shr
Et0/3 Altn BLK 2000000 128.4 Shr


---------------- ---- --- --------- -------- --------------------------------
Et0/0 Altn BLK 2000000 128.1 Shr
Et0/1 Desg FWD 2000000 128.2 Shr
Et0/2 Desg FWD 2000000 128.3 Shr
Et0/3 Root FWD 2000000 128.4 Shr


Bridge address aabb.cc00.0a00 priority 32769 (32768 sysid 1)

---------------- ---- --- --------- -------- --------------------------------
Et0/0 Altn BLK 2000000 128.1 Shr
Et0/1 Altn BLK 2000000 128.2 Shr
Et0/2 Desg FWD 2000000 128.3 Shr
Et0/3 Root FWD 2000000 128.4 Shr

Bridge address aabb.cc00.0a00 priority 32770 (32768 sysid 2)

---------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 2000000 128.1 Shr
Et0/1 Altn BLK 2000000 128.2 Shr
Et0/2 Desg FWD 2000000 128.3 Shr
Et0/3 Altn BLK 2000000 128.4 Shr


---------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 2000000 128.1 Shr
Et0/1 Altn BLK 2000000 128.2 Shr


---------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 2000000 128.1 Shr
Et0/1 Altn BLK 2000000 128.2 Shr
If you do not see the desired results, check that the following is true:
• You have configured SW1 to be the root bridge for MSTI1.
• You have configured SW2 to be the root bridge for MSTI2.
• You have enabled MST on all switches.
Routing Between VLANs
with a Router
A router has failed in a customer network. Because the customer did not save the configuration, the
engineer, Dennis, replaced the router and tried to reconfigure it.
Dennis asks you to configure R1 to route between clients in VLANs 10, 20, 30, and 40. Dennis insists that
you must not make any changes to the configuration of the user PCs.
Note Hopefully, Dennis did not change any other configurations in the network.
Topology
DSW1 and DSW2 are distribution layer switches. SW1 and SW2 are access layer switches. R1 is the Layer
3 device that is intended to route between VLANs.
Job Aids
Device Connections
DSW1 Ethernet 1/0 R1 Ethernet 0/0
PC VLAN Setup and IP Addressing
Device VLAN IP Address Default Gateway
PC1 10 10.0.10.100 10.0.10.1
PC2 20 10.0.20.100 10.0.20.1
PC3 30 10.0.30.100 10.0.30.1
PC4 40 10.0.40.100 10.0.40.1
Command List
Commands Description
encapsulation dot1Q vlan_number Configures encapsulation IEEE 802.1Q on the interface. Use the
command in interface configuration mode.
interface interface Enters interface configuration mode for the specified interface.
slot/number[.subinterface]
ip address address subnet_mask Configures the IP address. Use this command in interface configuration
mode.
ping ip_address Performs an ICMP connectivity test to the specified IPv4 or IPv6
address.
switchport mode {access | trunk} Configures the interface type to a trunking or nontrunking mode. Use this
switchport trunk encapsulation Configures the trunk encapsulation format to IEEE 802.1Q. Use this
dot1q command in interface configuration mode.
Task 1: Configure Routing Between VLANs with a

Router
Step 1 Configure R1 to perform inter-VLAN routing between clients in VLANs 10, 20, 30, and 40.
DSW1 also needs to be configured.
Verification
Use this section to verify your results.

Step 1
1 From PC1, you can ping PC2, PC3, and PC4.

PC1# ping 10.0.20.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
PC1# ping 10.0.30.100
.!!!!
PC1# ping 10.0.40.100
.!!!!

• You configured the Ethernet 0/0 interface of R1 with the subinterfaces for VLANs 10, 20,
30, and 40.
• The Ethernet 0/0 subinterfaces on R1 are configured with the correct IP addresses and
encapsulations.
• The DSW1-R1 link is configured as a trunk on both sides.
Routing on a Multilayer
Switch
At your company, network upgrades are occurring. Two new Layer 3 switches are purchased. The senior
engineer, Dwayne, wired up the switches and did some initial configuration.
Dwayne wants you to finish the network configuration:

 Configure DSW1 and DSW2 to perform inter-VLAN routing. DSW1 should be used as a default
gateway for PCs that connect to the switch SW. Clients that connect to DSW2 should use DSW2 as the
default gateway. All PCs are already correctly configured with IP addresses and default gateways.
 Configure DSW1 and DSW2 with OSPF Area 0 in such a way that they will exchange routes between
each other and R1. R1 already has IP addressing and routing configured. The links between DSW1 and
DSW2 need to be routed links.
 Bundle the two links between SW and DSW1 into an EtherChannel.
Topology

Job Aids
Device Connections
PC1 Ethernet 0/0 SW Ethernet 0/2
PC3 Ethernet 0/0 DSW2 Ethernet 1/2
SW Ethernet 0/0 DSW1 Ethernet 1/1
R1 Ethernet 0/1 DSW1 Ethernet 0/2
R1 Ethernet 0/0 Internet —
Client IP Address Information
PC1 Ethernet 0/0 192.168.22.157/24
PC2 Ethernet 0/0 192.168.44.111/24
PC3 Ethernet 0/0 192.168.77.121/24
PC4 Ethernet 0/0 192.168.11.121/24
Command List
Command Description
channel-group group_number mode Assigns an interface to an EtherChannel bundle. Use this command in
mode interface configuration mode.
encapsulation dot1Q vlan_number Configures encapsulation IEEE 802.1Q on the interface. Use this
interface interface Enters interface configuration mode for a specified interface.

slot/number[.subinterface]
ip address address subnet_mask Configures an IP address. Use this command in interface configuration
mode. Use no in front to remove the configured IP address from the
interface.
ip routing Enables IP routing. Multilayer switches usually do not have IP routing

enabled by default. Use this command in interface configuration mode.
network ip_address mask area Enables interfaces for the OSPF process in a specified area. Those
area_number interfaces that fall within a specified subnet will be enabled for OSPF.
no shutdown Turns on the interface.
ping ip_address Tests Layer 3 connectivity between devices.
router ospf process-id Creates the OSPF routing process with a specified process ID. Use this
show etherchannel summary Verifies the EtherChannel status.
show ip ospf neighbor Verifies OSPF neighbors.
show ip route Shows the routing table.
show vlan Verifies the VLAN configuration.
shutdown Disables an interface. Use no in front of the command to enable the

interface. Use this command in interface configuration mode.

Command Description
switchport mode {access | trunk} Configures the interface type to a trunking or nontrunking mode. Use this
switchport trunk encapsulation Configures the trunk encapsulation format to IEEE 802.1Q. Use this
dot1q command in interface configuration mode.
traceroute ip_address Discovers the route that packets actually take when traveling to their
destination.
vlan vlan-id Configures a specific VLAN.
Task 1: Configure Routing on a Multilayer Switch

Step 1 Configure inter-VLAN routing on DSW1.
Step 2 Configure inter-VLAN routing on DSW2.
Step 3 Configure single-area OSPF on DSW1 and DSW2.
Step 4 Bundle the two links between DSW1 and SW into a Layer 2 EtherChannel.
Verification
Use this section to verify your results.

Step 1
1 Check that you can successfully use the traceroute command to PC2 at 192.168.44.111
from PC1. The path needs to go through VLAN 22 on DSW1 with the IP address of
192.168.22.254.
PC1# traceroute 192.168.44.111
Tracing the route to 192.168.44.111
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.22.254 0 msec 1 msec 0 msec
2 192.168.44.111 0 msec 1 msec *
The verification was not successful. Check the following:

• You have not changed the IP addresses or default gateways on PC1 and PC2.
• You correctly configured DSW1 with the SVIs for VLANs 22 and 44.
• You enabled IP routing on DSW1.
Step 2
1 Check that you can successfully ping PC4 at 192.168.11.12 from PC3.
PC3# ping 192.168.11.12
!!!!!
The verification was not successful. Check the following:

• You have not changed the IP addresses or default gateways on PC3 and PC4.
• You correctly configured DSW2 with the SVIs for VLANs 11 and 77.
• You enabled IP routing on DSW2.
Step 3
1 On DSW1, verify that it acquired a default route via OSPF. On DSW2, verify that it
acquired a default route via OSPF. On R1, verify that it sees two OSPF neighbors: DSW1
and DSW2. On DSW1, verify that it sees two OSPF neighbors: R1 and DSW2.
DSW1# show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 01:27:34, Ethernet0/2
DSW2# show ip route

O*E2 0.0.0.0/0 [110/1] via 192.168.98.2, 01:27:34, Ethernet0/2
R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface

192.168.111.2 1 FULL/BDR 00:00:30 192.168.98.1 Ethernet0/2
192.168.111.1 1 FULL/BDR 00:00:32 192.168.99.1 Ethernet0/1
DSW1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface

209.165.201.1 1 FULL/DR 00:00:35 192.168.99.2 Ethernet0/2
192.168.111.2 1 FULL/DR 00:00:39 192.168.111.2 Ethernet0/0

• On DSW1, you enabled the VLAN 22, VLAN 44, Ethernet 0/0, and Ethernet 0/2 interfaces
for OSPF Area 0.
• On DSW2, you enabled the VLAN 77, VLAN 11, Ethernet 0/2, and Ethernet 0/0 interfaces
for OSPF Area 0.
Step 4
1 On SW, verify that the Ethernet 0/0 and Ethernet 0/1 interfaces are bundled (denoted by
"P" flags) into a Layer 2 EtherChannel (denoted by the "SU" flag).

SW# show etherchannel summary
I - stand-alone s - suspended

d - default port


------+-------------+-----------+-----------------------------------------------

• The ports that are used to connect SW and DSW1 have consistent configurations.
• The Ethernet 1/1 and Ethernet 1/2 interfaces on DSW1 are bundled into an EtherChannel.
• The Ethernet 0/0 and Ethernet 0/1 interfaces on SW are bundled into an EtherChannel.
NTP
The senior engineer, Dwayne, prepared an NTP design for the company network, and he has asked you to
implement it.
You need to synchronize the time of R1 and R2 to five NTP servers. You can find NTP server information
in the Job Aids section. Other network devices should synchronize their time to R1 and R2. Dwayne wants
you to ensure that time will be synchronized between devices in the network even if there is no connectivity
to the Internet. Dwayne also mentioned that you should ensure that R1 and R2 will only be used for time
synchronization by devices in your network (that is, the 192.168.0.0/16 subnet).
Note The company is on Central European Time, which is +2 hours offset to the UTC. The country
that the company is located in uses the summertime setting.
Topology

Job Aids
Device Connections
Public NTP Server IP Addresses
IP Address Remark
209.165.201.44 —
209.165.201.111 —
209.165.201.133 —
209.165.201.222 —
IP Address Remark
209.165.201.233 Preferred

Command List
Commands
Command Description
access-list access_list_number {permit Creates an access list rule. Use this command in global configuration
| deny} ip_address wildcard_mask mode
clock summer-time zone recurring Configures the system to switch automatically to summertime every year.
Use this command in global configuration mode.
clock timezone zone hours_offset Sets the timezone for display, with hours of offset from UTC. Use this
interface interface slot/number Enters interface configuration mode for specified interface.
ntp access-group {query-only | serve- Configures the control access to NTP services. Use this command in
only | serve | peer} access_list_number global configuration mode.
ntp master stratum Configures the device as an NTP master clock.
ntp server ip_address [prefer] Allows the software clock to be synchronized by an NTP time server. The
prefer keyword specifies that the server reference is preferred over the
other NTP servers.
show clock detail Displays the system clock, indicates the timezone, time source, and
current summertime setting.
show ntp associations Displays the status of NTP associations.
show ntp status Displays the status of NTP.
show running-configuration | section Displays the content of the currently running configuration for the
section specified section.
Task 1: Configure NTP
Step 1 Configure NTP time synchronization on all routers and switches.
Step 2 Make sure that R1 and R2 provide a clock synchronization service even if they lose Internet
connectivity.
Step 3 Secure R1 and R2 from advertising their time information to the Internet.
Verification

Step 1
1 Verify that the time source on R1 and R2 is the NTP server with the 209.165.201.233 IP
address. Also, 209.165.201.44, 209.165.201.111, 209.165.201.133, and 209.165.201.222
are configured and marked as NTP server candidates. DSW1, DSW2, and SW are
configured to synchronize their clock to R1 and R2 (192.168.102.10 and 192.168.101.10).
All devices need to be in CET and thus +2 offset to the UTC.
R1# show ntp associations
address ref clock st when poll reach delay offset disp

*~209.165.201.233 .LOCL. 1 220 1024 34 0.000 0.000 2.487
~127.127.1.1 .LOCL. 9 15 16 377 0.000 0.000 1.204
+~209.165.201.44 .LOCL. 1 297 1024 70 0.000 0.000 3.410
+~209.165.201.133 .LOCL. 1 288 1024 70 0.000 0.000 2.326
+~209.165.201.222 .LOCL. 1 285 1024 70 0.000 0.000 2.326
+~209.165.201.111 .LOCL. 1 296 1024 70 0.000 0.000 3.767
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1# show clock detail

09:00:57.997 CET Wed Apr 23 2014
Time source is NTP
Summer time starts 02:00:00 CET Sun Mar 9 2014
Summer time ends 02:00:00 CET Sun Nov 2 2014

*~209.165.201.233 .LOCL. 1 415 1024 60 0.000 0.000 71.229
~127.127.1.1 .LOCL. 9 2 16 377 0.000 0.000 1.204
+~209.165.201.44 .LOCL. 1 367 1024 70 0.000 0.000 2.838
+~209.165.201.133 .LOCL. 1 362 1024 70 0.000 0.000 3.166
+~209.165.201.222 .LOCL. 1 421 1024 60 0.000 0.000 70.886
+~209.165.201.111 .LOCL. 1 363 1024 70 0.000 0.000 2.641
R2# show clock detail

09:03:05.145 CET Wed Apr 23 2014
Time source is NTP

DSW1# show running-config | include ntp server
ntp server 192.168.102.10
ntp server 192.168.101.10
DSW1# show clock detail
09:04:23.255 CET Wed Apr 23 2014
Time source is NTP
DSW2# show running-config | include ntp server

ntp server 192.168.102.10
ntp server 192.168.101.10
DSW2# show clock detail
09:05:10.192 CET Wed Apr 23 2014
Time source is NTP
SW# show running-config | include ntp server

ntp server 192.168.102.10
ntp server 192.168.101.10
SW# show clock detail
*09:05:39.507 CET Wed Apr 23 2014
Time source is NTP

• You configured R1 and R2 to synchronize their time to all five public NTP servers.
• You configured 209.165.201.233 as the preferred NTP server on both R1 and R2.
• DSW1, DSW2, and SW are configured to synchronize their time to R1 and R2.
• You set CET (+2) as the local timezone.
Step 2
1 Verify that R1 and R2 are configured as NTP masters, each with a stratum level higher
than 1.

*~209.165.201.233 .LOCL. 1 618 1024 300 0.000 0.000 447.64
~127.127.1.1 .LOCL. 9 13 16 377 0.000 0.000 1.204
+~209.165.201.44 .LOCL. 1 695 1024 200 0.000 0.000 949.38
+~209.165.201.133 .LOCL. 1 686 1024 200 0.000 0.000 948.94
+~209.165.201.222 .LOCL. 1 683 1024 200 0.000 0.000 949.01
+~209.165.201.111 .LOCL. 1 694 1024 200 1.000 0.500 948.93

*~209.165.201.233 .LOCL. 1 718 1024 200 0.000 0.000 949.31
~127.127.1.1 .LOCL. 9 1 16 377 0.000 0.000 1.204
+~209.165.201.44 .LOCL. 1 670 1024 200 0.000 0.000 948.93
+~209.165.201.133 .LOCL. 1 665 1024 300 0.000 0.000 447.87
+~209.165.201.222 .LOCL. 1 724 1024 200 0.000 0.000 949.03
+~209.165.201.111 .LOCL. 1 666 1024 300 0.000 0.000 447.86

• R1 and R2 are configured as local time servers with a stratum value greater than 1.
Step 3
1 Verify that R1 and R2 are both configured to allow synchronization requests from only the
192.168.0.0/16 subnet. Both R1 and R2 should allow "peer" access to the internal NTP
master IP address of 127.127.1.1. Both R1 and R2 should still synchronize their clocks.
R1# show run | include ntp access-group
ntp access-group peer 1
ntp access-group serve-only 2
R1# show run | include access-list
access-list 1 permit 127.127.7.1
access-list 2 permit 192.168.0.0 0.0.255.255
R2# show run | include ntp access-group

ntp access-group peer 1
ntp access-group serve-only 2
R2# show run | include access-list
access-list 1 permit 127.127.7.1
access-list 2 permit 192.168.0.0 0.0.255.255
R1# show ntp status

Clock is synchronized, stratum 10, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 96600 (1/100 of seconds), resolution is 4000
reference time is D701D76A.41893800 (09:08:42.256 CET Wed Apr 23 2014)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 2.22 msec, peer dispersion is 1.20 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 3 sec ago.
R2# show ntp status

Clock is synchronized, stratum 10, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 94700 (1/100 of seconds), resolution is 4000
reference time is D701D78A.CA7EFC08 (09:09:14.791 CET Wed Apr 23 2014)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 2.39 msec, peer dispersion is 1.20 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 15 sec ago.

• R1 and R2 have configured and applied the access list that allows devices from only the
192.168.0.0/16 subnet to synchronize their clock to them.

• R1 and R2 have configured and applied the access list that allows "peer" synchronization to
the IP address of 127.127.1.1.
Network Monitoring Using
the Cisco IOS IP SLA
The senior engineer, Dwayne, tells you that users on PC1 and PC2 are experiencing problems with
browsing to an Internet server at 209.165.200.233. He asks you to immediately configure a Cisco IOS IP
SLA that will run for 48 hours and that will conduct an HTTP connectivity test every 90 seconds. Dwayne
tells you that the IP SLA test should run on the switch DSW1 and use the VLAN 22 IP subnet as the source.
Dwayne also mentions that a while ago he attempted to configure an IP SLA on R1 that would test the
availability of an Internet server at 209.165.200.157 every 60 seconds. However, it never worked. He asks
you to troubleshoot it.
Topology

Job Aids
Device Connections
Client IP Address Information
PC1 Ethernet 0/0 192.168.22.157/24
PC2 Ethernet 0/0 192.168.44.111/24
PC3 Ethernet 0/0 192.168.77.121/24
PC4 Ethernet 0/0 192.168.11.121/24
Command List
Command Description
frequency frequency Sets the IP SLA test to run at every specified interval of time. Use this
command in IP SLA configuration mode.
http get http://ip_address Configures an IP SLA test of HTTP GET to a specified IP address. Use
this command in IP SLA configuration mode.
ip sla operational_number Defines the IP SLA. You will then use the operational number to
schedule the test to run. Use this command in global configuration mode.
ip sla schedule operation-number [life Schedules the IP SLA to run. Use this command in global configuration
{forever | seconds}] [start-time mode.
{hh:MM[:ss] [month day | day month] |
pending | now | after hh:mm:ss}]
[ageout seconds] [recurring]
show ip sla application Shows supported IP SLA tests, how many SLAs are configured, how
many active, and so on.
show ip sla configuration Shows configured IP SLAs.
show ip sla statistics Shows results of IP SLA tests.
Task 1: Configure IP SLA Monitoring

Step 1 On DSW, configure an IP SLA to test HTTP connectivity to the Internet server at
209.165.200.233.
Step 2 On R1, fix the IP SLA test so that it will test the availability of the Internet server at
209.165.200.157.
Verification

Step 1
1 On DSW1, verify that there is an IP SLA test that uses an HTTP GET to test connectivity
to the IP address 209.165.200.233. The operation frequency should be set to 90 seconds.
The start time must have already passed (the IP SLA must be active). The operation
lifetime should be 172,800 seconds (48 hours).
DSW1# show ip sla configuration

IP SLAs Infrastructure Engine-III
Entry number: 1
Type of operation to perform: http
Target address/Source address: 209.165.200.233/192.168.22.254
Target port/Source port: 80/0
Type Of Service parameters: 0x0
Vrf Name:
HTTP Operation: get
HTTP Server Version: 1.0
URL: http://209.165.200.233
Proxy:
Raw String(s):
Cache Control: enable
Owner:
Tag:
Operation timeout (milliseconds): 60000
Schedule:
Operation frequency (seconds): 90 (not considered if randomly scheduled)
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): 172800
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
History Statistics:
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None

• On DSW1, you defined an IP SLA that tests connectivity by using HTTP GET to the IP
address of 209.165.200.233.
• The IP SLA that you created has an operational frequency of 90 seconds.
• The IP SLA that you created is scheduled to run right away and to continue for 48 hours
(172,800 seconds).
Step 2
1 Verify that R1 has one IP SLA test running and that the number of success attempts is
greater than one.
R1# show ip sla application
Estimated number of configurable operations: 41761
Number of Entries configured : 1
Number of active Entries : 1
Number of pending Entries : 0
R1# show ip sla statistics 69

Number of successes: 5
Number of failures: 0
Operation time to live: Forever
If you do not see the desired results, verify the following:

• R1 is configured with the IP SLA entry 69 that uses the ICMP echo test to the IP address
209.165.200.157.
• The IP SLA entry 69 on R1 is scheduled to run right away and has its life set to forever.

HSRP with Load Balancing
A former colleague, Gregory, has a favor to ask. He now works at a public school as a network technician.
The network is pretty solid, but no first-hop redundancy is ensured. Some of the PCs are set to use one
router for the first hop, and some PCs are set to use another router for the first hop. However, he does not
like this solution. Gregory read a little about HSRP but does not feel confident implementing this first-hop
redundancy protocol. He would like for you to help him configure it:
 R1 should, whenever available, be active for VLAN 11 clients and in standby for VLAN 22 clients.
 R2 should, whenever available, be active for VLAN 22 clients and in standby for VLAN 11 clients.
 For the purpose of self-documentation, HSRP group numbers should match those of the VLANs they
serve.
 Gregory already configured new default gateways on all PCs.
 If the uplink of a router fails, make sure that the traffic from the PCs does not take a suboptimal path.
The network is a little bit underprovisioned so Gregory worries that suboptimal traffic could have bad
consequences for the whole network.
 Secure the HSRP peers. Make sure that no HSRP device can join the HSRP peers in the network
without a proper key.
Note You can find the default gateway information for the PCs in the Job Aids.
Note If you need to test Internet connectivity from end-user devices, ping the IP address
209.165.201.225.
Topology

Job Aids
Device Information
Router VLAN Information
Device Subinterface IP Address
R1 (0/1.11) 10.0.11.2
R1 (0/2.22) 10.0.22.3
R2 (0/1.11) 10.0.11.3
R2 (0/2.22) 10.0.22.2
Command List
Command Description
show standby [interface slot/number] Shows the status of HSRP groups. You can filter the output by the
interface on which the standby group is configured on.
show track Displays information about tracked objects.
standby standby_group Configures MD5 authentication for the specified HSRP group. Use this
authentication md5 key-string string command in interface configuration mode.
standby standby_group ip ip_address Defines the virtual IP address for the specified HSRP group. Use this
standby standby_group preempt Enables pre-emption for the specified HSRP group. Use this command in
standby standby_group priority Sets the priority of the interface, belonging to an HSRP group, to a
priority specified priority number. By default this number is 100. Use this
standby standby_group track interface Enables HSRP interface tracking and changes the standby priority based
slot/number priority_decrement on the state of the interface. Use this command in interface configuration
mode.
Task 1: Configure HSRP with Load Balancing

Step 1 Configure R1 to be an active HSRP device for VLAN 11 clients and standby for VLAN 22
clients. Configure R2 to be an active HSRP device for VLAN 22 clients and standby for VLAN
11 clients.
Step 2 Configure the tracking of uplink interfaces.
Step 3 Secure the HSRP peers with authentication.
Verification

Step 1
1 Verify that R1 is configured as the HSRP active router for VLAN 11 and as the standby
router for VLAN 22. Ensure that R2 is configured as the HSRP active router for VLAN 22
and as the standby router for VLAN 11. Both routers must have the preempt option
configured. The virtual IP addresses that are configured for each HSRP group must be the
ones specified in the Job Aids.
R1# show standby
Ethernet0/1.11 - Group 11
State is Active
2 state changes, last state change 00:03:08
Virtual IP address is 10.0.11.1
Active virtual MAC address is 0000.0c07.ac0b
Local virtual MAC address is 0000.0c07.ac0b (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.408 secs
Authentication MD5, key-string
Preemption enabled
Active router is local
Standby router is 10.0.11.3, priority 90 (expires in 11.408 sec)
Priority 110 (configured 110)
Track interface Ethernet0/0 state Up decrement 30
Group name is "hsrp-Et0/1.11-11" (default)
State is Standby
1 state change, last state change 00:02:15
Active virtual MAC address is 0000.0c07.ac16
Local virtual MAC address is 0000.0c07.ac16 (v1 default)
Preemption enabled
Active router is 10.0.22.2, priority 110 (expires in 11.072 sec)
Standby router is local
R2# show standby
State is Standby
Preemption enabled
State is Active
Preemption enabled

• You configured R1 as an HSRP active router for VLAN 11 and as a standby router for
VLAN 22.
• You configured R2 as an HSRP active router for VLAN 22 and as a standby router for
VLAN 11.
• You configured the preempt option on both routers.
• The HSRP group numbers match the numbers of the VLANs that they serve.

Step 2
1 Verify that R1 has tracking of the uplink, Ethernet0/0, enabled in the HSRP group for
VLAN 11. Ensure that R2 has tracking of the uplink, Ethernet0/0, enabled in the HSRP
group for VLAN 22. Verify that both have pre-emption configured and that the decrement
configured for each group is more than the difference between the active and standby
priorities for that group.
R1# show standby
State is Active
Preemption enabled
State is Standby
Preemption enabled
R2# show standby
State is Standby
Preemption enabled
State is Active
Preemption enabled
For example, R1 is the active router for VLAN 11 and has its priority set to 110. R2,
which serves as the standby router, has its priority set to 90. The decrement that is
configured for that VLAN should be larger than the difference between these two
priorities, 110 and 90, so it is more than 20.
• You enabled tracking of the R1 uplink in the R1 VLAN 11 HSRP group.
• You configured pre-emption in the R1 VLAN 11 and R2 VLAN 22 HSRP groups.
• You configured tracking with an HSRP decrement that is bigger than the difference between
the priorities of the active and standby routers.

Step 3
1 Verify that you have MD5-type authentication configured for both HSRP groups. Ensure
that R1 is the standby router for VLAN 22 and that R2 is the standby router for VLAN 11.
R1# show standby
State is Active
Preemption enabled
State is Standby
Preemption enabled
R2# show standby
State is Standby
Preemption enabled
State is Active
Preemption enabled

• R1 and R2 have matching MD5 authentication configured on the HSRP group that serves
VLAN 11 clients.
• R1 and R2 have matching MD5 authentication configured on the HSRP group that serves
VLAN 22 clients.
• Basic HSRP is properly configured.

VRRP with Load Balancing
Gregory, a former colleague, works at a public school and has a favor to ask. The school network already
has HSRP configured, but now the school policy has changed. The school must use industry-standard
protocols when possible, so Gregory asks you to help him reconfigure the first-hop redundancy from HSRP
to VRRP.
Gregory wants the VRRP configuration to be similar to the preconfigured HSRP in the network:
 R1 should, whenever available, be the master for VLAN 11 clients and the backup for VLAN 22
clients.
 R2 should, whenever available, be the master for VLAN 22 clients and the backup for VLAN 11
clients.
 For self-documentation, the VRRP group numbers should match the numbers of the VLANs that they
serve.
 If the router uplink fails, make sure that the traffic from the PCs does not take a suboptimal path. The
network is a little underprovisioned, so Gregory worries that suboptimal traffic could have bad
consequences for the whole network.
 Secure the VRRP peers. Make sure that no VRRP device can join the VRRP peers on the network
Note If you need to test Internet connectivity from end-user devices, ping the IP address
209.165.201.225.
Topology

Job Aids
Device Information
Router VLAN Information
R1 (0/1.11) 10.0.11.2
R1 (0/2.22) 10.0.22.3
R2 (0/1.11) 10.0.11.3
R2 (0/2.22) 10.0.22.2
Command List
Command Description
no standby Removes the HSRP configuration.
show vrrp [interface slot/number] Shows the status of VRRP groups. You can filter the output by the
interface on which the standby group is configured on.
track object_number interface Configures an interface to be tracked.

interface slot/number {line protocol |
ip routing}
vrrp vrrp_group authentication md5 Configures MD5 authentication for the specified VRRP group. Use this
key-string string command in interface configuration mode.
vrrp vrrp_group ip ip_address Defines the virtual IP address for the the specified VRRP group. Use this
vrrp vrrp_group preempt Enables pre-emption for the specified VRRP group. Use this command in
vrrp vrrp_group priority priority Sets the priority of the interface, belonging to a VRRP group, to a
specified priority number. By default this number is 100. Use this
vrrp vrrp_group track object_number Enables HSRP interface tracking and change the standby priority based
decrement priority_decrement on the state of the interface. Use this command in interface configuration
mode.

Task 1: Configure VRRP with Load Balancing
Step 1 Remove the HSRP configuration on R1 and R2. Then configure R1 to be the master VRRP
device for VLAN 11 clients and the backup for VLAN 22 clients. Configure R2 to be the master
VRRP device for VLAN 22 clients and the backup for VLAN 11 clients.
Step 2 Configure the tracking of uplink interfaces.
Step 3 Secure the VRRP peers with authentication.
Verification

Step 1
1 Verify that the HSRP configuration is removed from both R1 and R2. Verify that R1 is
configured as the VRRP master router for VLAN 11 and the backup router for VLAN 22.
Ensure that R2 is configured as the VRRP master router for VLAN 22 and the backup
router for VLAN 11. Both routers must have pre-emption enabled. The configured virtual
IP addresses for each VRRP group must be the ones specified in the Job Aids.
R1# show standby
R1#
R2# show standby

R2#
R1# show vrrp

State is Master
Virtual MAC address is 0000.5e00.010b
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Track object 1 state Up decrement 30
Master Router is 10.0.11.2 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec
State is Backup
Virtual MAC address is 0000.5e00.0116
Preemption enabled
Priority is 90
Master Router is 10.0.22.2, priority is 110
Master Down interval is 3.648 sec (expires in 3.483 sec)
R2# show vrrp
State is Backup
Preemption enabled
Priority is 90
State is Master
Preemption enabled
Priority is 110

• You removed the HSRP configuration on R1 and R2 for both VLANs—VLAN 11 and
VLAN 22.
• You configured R1 as the VRRP master router for VLAN 11 and as the backup router for
VLAN 22.
• You configured R2 as the VRRP master router for VLAN 22 and as the backup router for
VLAN 11.
• The VRRP group numbers match the numbers of the VLANs that they serve.

Step 2
1 Verify that R1 has object tracking configured on the uplink, Ethernet0/0, enabled in the
VRRP group for VLAN 11. Ensure that R2 has object tracking configured on the uplink,
Ethernet0/0, enabled in the VRRP group for VLAN 22. Verify that both groups have pre-
emption enabled and that the decrement that is configured for each group is larger than the
difference between the active and standby priorities for that group.
R1# show track
Track 1
Interface Ethernet0/0 line-protocol
Line protocol is Up
1 change, last change 00:03:56
Tracked by:
VRRP Ethernet0/1.11 11
R1# show vrrp

State is Master
Preemption enabled
Priority is 110
State is Backup
Preemption enabled
Priority is 90
R2# show track
Track 1
Line protocol is Up
Tracked by:
VRRP Ethernet0/2.22 22
R2# show vrrp

State is Backup
Preemption enabled
Priority is 90
State is Master
Preemption enabled
Priority is 110

• You enabled object tracking of the R1 uplink and you configured the R1 VLAN 11 VRRP
group to track that object.
• You enabled object tracking of the R2 uplink and you configured the R2 VLAN 22 VRRP
group to track that object.
• You configured object tracking with a VRRP decrement that is larger than the difference
between the priorities of the active and standby routers.
For example, R1 is the master for VLAN 11 and has its priority set to 110. R2, which
serves as the backup, has its priority set to 90. The decrement that is configured for that
VLAN should be larger than the difference between these two priorities, 110 and 90, so it
is more than 20.

Step 3
1 Verify that you have MD5-type authentication configured for both VRRP groups. Ensure
that R1 is the backup router for VLAN 22 and that R2 is the backup router for VLAN 11.
R1# show vrrp
State is Master
Preemption enabled
Priority is 110
State is Backup
Preemption enabled
Priority is 90
R2# show vrrp

State is Backup
Preemption enabled
Priority is 90
State is Master
Preemption enabled
Priority is 110

• R1 and R2 have matching MD5 authentication configured on the VRRP group that serves
VLAN 11 clients.
• R1 and R2 have matching MD5 authentication configured on the VRRP group that serves
VLAN 22 clients.
• Basic VRRP is properly configured.

Challenge 14: Implement
GLBP
A former colleague, Maya, has a favor to ask. She is now the head of IT at the company she works for. She
would like to configure first-hop redundancy. The company has many end-user devices; however, these
devices are in a single VLAN. Maya does not want to configure multiple HSRP groups to load-balance
traffic between different first-hop devices. Plus, she has heard that GLBP load-balances automatically.
Maya has prepared the design of GLBP implementation, but she now needs your help with the
configuration:
 Configure one single GLBP group for all end devices in the network to use as a default gateway.
 R1 should, whenever available, be the active virtual gateway.
 R1, R2, and R3 should be the virtual forwarders.
 Maya has already configured new default gateways on all PCs.
 If any of the router uplinks fail, the traffic from the PCs should not take a suboptimal path.
 Secure the GLBP peers, and make sure that no GLBP device can join GLBP peers on the network
Note When you need to test your GLBP configuration, ping the server IP address of 192.168.0.44
from any of the end-user devices.
Note The IP address of SRV is 192.168.0.44.
Topology

Job Aids
Device Information
All three PCs use the 192.168.10.1 IP address as the default gateway.
Command List
Commands
Command Description
glbp glbp_group authentication md5 Configures MD5 authentication for the specified GLBP group. Use this
key-string string command in interface configuration mode.
glbp glbp_group ip ip_address Defines the virtual IP address for the specified GLBP group. Use this
glbp glbp_group preempt Enables pre-emption for the specified GLBP group. Use this command in
glbp glbp_group priority priority Sets the priority of the interface, belonging to a GLBP group, to a
specified priority number. By default this number is 100. Use this
glbp glbp_group weighting maximum Defines the initial weighting value of the GLBP gateway. Use this
lower lower upper upper command in interface configuration mode.
glbp glbp_group weighting track Enables GLBP object tracking and change the GLBP weighting based on
object_number decrement decrement the availability of the tracked object. Use this command in interface
configuration mode.
show glbp [interface slot/number] Shows the status of GLBP. You can filter the output by the interface on
which the standby group is configured.
track object_number interface Configures an interface to be tracked.

interface slot/number {line protocol |
ip routing}
Task 1: Implement GLBP

Step 1 Configure GLBP on R1, R2, and R3. R1 should serve as the active virtual gateway whenever
possible.

Step 2 Configure GLBP tracking of the uplink interfaces.
Step 3 Secure the GLBP peers with authentication.
Verification

Step 1
1 Verify that R1 is configured as the GLBP AVG and that R1, R2, and R3 are configured as
virtual forwarders. Verify that all three routers belong to the same GLBP group so that
there are three forwarders. All routers must have AVG pre-emption enabled. The
configured virtual IP addresses for a GLBP group must be the ones specified in the Job
Aids. GLBP has to be configured on the LAN-facing interfaces of the routers.
R1# show glbp
Ethernet0/0 - Group 1
State is Active
Redirect time 600 sec, forwarder timeout 14400 sec
Preemption enabled, min delay 0 sec
Active is local
Standby is 192.168.10.13, priority 100 (expires in 9.504 sec)
Priority 110 (configured)
Weighting 100 (configured 100), thresholds: lower 80, upper 90
Load balancing: round-robin
Group members:
aabb.cc01.0400 (192.168.10.11) local
aabb.cc01.0900 (192.168.10.12) authenticated
aabb.cc01.0a00 (192.168.10.13) authenticated
There are 3 forwarders (1 active)
R2# show glbp
State is Listen
Active is 192.168.10.11, priority 110 (expires in 10.464 sec)
Priority 100 (default)
Group members:
aabb.cc01.0900 (192.168.10.12) local
R3# show glbp

State is Standby
Standby is local
Group members:
aabb.cc01.0a00 (192.168.10.13) local

• You configured R1 as an AVG for the GLBP group.
• You configured the GLBP virtual IP address 192.168.10.1 on all three routers.
• R1, R2, and R3 belong to the same GLBP group.
• You configured the AVG pre-emption option on all routers.
• You configured an IP address on all LAN-facing interfaces of the routers.

Step 2
1 Verify that R1, R2, and R3 have object tracking of the uplinks, Ethernet0/1, enabled in the
GLBP group. Verify that all three routers belong to the same GLBP group. Verify that the
decrement that is configured is larger than the difference between the weighting value and
minimum threshold set of the router. The upper threshold has to be set to a value that is
lower than the weighting and higher than the lower threshold, so the router can regain the
AVF role when the interface comes back up.
R1# show track
Track 1
Line protocol is Up
Tracked by:
GLBP Ethernet0/0 1
R1# show glbp

State is Active
Active is local
Group members:
aabb.cc01.0400 (192.168.10.11) local
R2# show track

Track 1
Line protocol is Up
Tracked by:
GLBP Ethernet0/0 1
R2# show glbp
State is Listen
Group members:
aabb.cc01.0900 (192.168.10.12) local
R3# show track

Track 1
Line protocol is Up
Tracked by:
GLBP Ethernet0/0 1
R3# show glbp

State is Standby
Standby is local
Group members:
aabb.cc01.0a00 (192.168.10.13) local
In this example, R1 has the weighting at 100 and the minimum threshold set to 80. The
decrement that is configured should be larger than the difference between these two
values, 100 and 80, so it is more than 20. The upper threshold should be higher than the
lower threshold and lower than the weighting, so it can be any value between 80 and 100.
• You enabled object tracking of the R1 uplink and you configured the R1 GLBP group to
track that object.
track that object.

track that object.
• You configured weighting on all three routers.
• You configured tracking with a GLBP decrement that is larger than the difference between
the weighting value and minimum threshold set of the router.
• You configured the upper weighting threshold between the lower weighting threshold and
configured weighting.
• All three routers belong to the same GLBP group.
Step 3
1 Verify that you have MD5 authentication configured for the GLBP group. There still have
to be three forwarders in the GLBP group.
R1# show glbp
State is Active
Active is local
Group members:
aabb.cc01.0400 (192.168.10.11) local
The routers have to see each other, so there still have to be three forwarders. Otherwise,
the keys have been misconfigured.
• R1, R2, and R3 each have matching MD5 authentication configured for the GLBP group.
• R1, R2, and R3 belong to the same GLBP group.
• Basic GLBP is configured properly.
HSRP for IPv6
A former colleague, Nikita, has her own company that is growing quickly. Because the company is new, she
decided to implement IPv6 addressing only. Nikita thinks that native IPv6 first-hop redundancy is not fast
enough. She asks you to implement HSRP.
Dwayne, one of your senior colleagues, provided you with a high-level design of HSRP for IPv6 in the
network:
 R1 should, whenever available, be active for VLAN 10 clients and in the standby mode for VLAN 20
clients.
 R2 should, whenever available, be active for VLAN 20 clients and in the standby mode for VLAN 10
clients.
 For self-documentation, the HSRP group numbers should match those of the VLANs that they serve.
 If the router uplink fails, make sure that the traffic from the PCs does not take a suboptimal path. Use
the native HSRP mechanism to implement this solution.
 Speed up the default protocol behavior. Set the hello time to 50 milliseconds, and set the hold time to
200 milliseconds.
Note Neighbor discovery behavior in IOL behaves a little bit differently than on real hardware. In
IOL, failover times with neighbor discovery are much shorter than on real hardware.
Topology

Job Aids
Device Information
The PCs obtain their default gateway via IPv6 router advertisements.
Trunking Information
R1 (0/0.10) 2001:db8:1210::2/64
R1 (0/0.20) 2001:db8:1210::3/64
R2 (0/.010) 2001:db8:1220::2/64
R2 (0/0.20) 2001:db8:1220::3/64
Command List
Commands
Command Description
show standby [interface slot/number] Shows the status of HSRP groups. You can filter the output by the
interface on which the standby group is configured.
standby standby_group ipv6 Defines the virtual IPv6 address for the specified HSRP group. Use this
{autoconfig | ipv6_address} command in interface configuration mode.
standby standby_group preempt Enables pre-emption for the specified HSRP group. Use this command in
standby standby_group priority Sets the priority of the interface, belonging to an HSRP group, to a
priority specified priority number. By default this number is 100. Use this
standby standby_group timers [msec] Configures the time between hello packets and the time before other
hello_time [msec] holdtime routers declare the active or standby HSRP device to be down. Use this
standby standby_group track interface Enables HSRP interface tracking and change the standby priority based
slot/number priority_decrement on the state of the interface. Use this command in interface configuration
mode.
standby version {1 | 2} Changes the HSRP version.
Task 1: Configure HSRP for IPv6

Step 1 Configure HRSP for the IPV6 environment. R1 should be the active gateway for VLAN 10
clients and in standby mode for VLAN 20 clients. R2 should be the active gateway for VLAN 20
clients and in standby mode for VLAN 10 clients.
Step 2 Configure tracking of the uplink interfaces.

Step 3 Configure the hello time to 50 milliseconds and the hold time to 200 milliseconds.
Verification

Step 1
1 Verify that R1 is configured as the HSRP active router for VLAN 10 and as the standby
router for VLAN 20. Ensure that R2 is configured as the HSRP active router for VLAN 20
and as the standby router for VLAN 10. Both routers must have pre-emption enabled.
Virtual IPv6 addresses that are configured for each HSRP group must have the FE80::
prefix.
R1# show standby
Ethernet0/0.10 - Group 10 (version 2)
State is Active
Virtual IP address is FE80::5:73FF:FEA0:A
Active virtual MAC address is 0005.73a0.000a
Local virtual MAC address is 0005.73a0.000a (v2 IPv6 default)
Hello time 50 msec, hold time 200 msec
Preemption enabled
Standby router is FE80::A8BB:CCFF:FE01:D00, priority 90 (expires in 0.192 sec)
State is Standby
Virtual IP address is FE80::5:73FF:FEA0:14
Active virtual MAC address is 0005.73a0.0014
Local virtual MAC address is 0005.73a0.0014 (v2 IPv6 default)
Preemption enabled
Active router is FE80::A8BB:CCFF:FE01:D00, priority 110 (expires in 0.176 sec)
MAC address is aabb.cc01.0d00
R2# show standby
State is Standby
Preemption enabled
Active router is FE80::A8BB:CCFF:FE01:C00, priority 110 (expires in 0.176 sec)
MAC address is aabb.cc01.0c00
State is Active
Preemption enabled
Standby router is FE80::A8BB:CCFF:FE01:C00, priority 90 (expires in 0.176 sec)

• You configured R1 as an HSRP active router for VLAN 10 and as the standby router for
VLAN 20.
• You configured R2 as an HSRP active router for VLAN 20 and as the standby router for
VLAN 10.
• You configured HSRPv2 on both routers.
• You configured the pre-emption option on both routers.
• You configured HSRP with the IPv6 virtual address.

Step 2
1 Verify that R1 has tracking of the uplink, Ethernet0/1, enabled in the IPv6 HSRP group for
VLAN 10. Ensure that R2 has tracking of the uplink, Ethernet0/2, enabled in the IPv6
HSRP group for VLAN 20. Verify that both have pre-emption configured and that the
decrement that is configured for each group is larger than the difference between the active
and standby priorities for that group.
R1# show standby
State is Active
Preemption enabled
Standby router is FE80::A8BB:CCFF:FE01:D00, priority 90 (expires
State is Standby
Preemption enabled
Active router is FE80::A8BB:CCFF:FE01:D00, priority 110 (expires
MAC address is aabb.cc01.0d00
R2# show standby
State is Standby
Preemption enabled
Active router is FE80::A8BB:CCFF:FE01:C00, priority 110 (expires
MAC address is aabb.cc01.0c00
State is Active
Preemption enabled
Standby router is FE80::A8BB:CCFF:FE01:C00, priority 90 (expires
For example, R2 is the active router for VLAN 20 and has its priority set to 110. R1,
which serves as the standby router, has its priority set to 90. The decrement that is
configured for that VLAN should be larger than the difference between these two
priorities, 110 and 90, so it is more than 20.
• You configured pre-emption in the R1 VLAN 10 and R2 VLAN 20 HSRP groups.
• You configured tracking with an HSRP decrement that is larger than the difference between
the priorities of the active and standby routers.
Step 3
1 Verify that the timers for each IPv6 HSRP group are configured to 50 milliseconds for the
hello time and 200 milliseconds for the hold time.
R1# show standby

R2# show standby
You could configure these timers only on active routers and changes would get propagated
to the standby routers. However, there is a problem with that. If the active router fails, the
standby router will become active—with new timers, but it does not have timer values
noted down in the startup configuration. So, if this router now restarts, it will load up with
default HSRP timer values. This setting is not a problem in this topology where you only
have two routers serving the first hop. When you have more than two routers you could
end up in a situation, although rare, where a working HSRP group of more than one virtual
router is using default timers even though that was not desired.
• You configured the timers on R1 for both VLAN HSRP groups.
• You configured the timers on R2 for both VLAN HSRP groups.
• The hello time and holdtime values for each HSRP group are the same on both routers.
Challenge 16: Control
Network Access with Port
Security
It is Friday afternoon and Dwayne, a senior engineer at the firm where you work, came to see you in a
hurry. There will be a security audit done on the network at your company. You have until Monday morning
to ensure that the network follows the recommended security practices as closely as possible.
Dwayne quickly listed for you the key security considerations:

 Cisco Discovery Protocol
 Port security (access should be restricted to currently connected end devices)
 Enable passwords
 vty and console passwords
 Secure remote access
 Warnings for unauthorized users
 Unused ports (for unused ports, VLAN 199 is designated)
 STP on end devices
 Web protocol
Note If you need to test Internet connectivity, use the IP address 209.165.200.233.
Topology

Job Aids
Device Information
Device Access Information
Device Username Password Enable Password
R1 admin c1sc0 c1sc0
DSW1 admin c1sc0 c1sc0
DSW2 admin c1sc0 c1sc0
SW admin c1sc0 c1sc0
Command List
Commands
Command Description
banner motd d message d Defines a message-of-the-day banner. Use this command in global
configuration mode.
cdp enable Enables Cisco Discovery Protocol on the interface. Use this command in
interface configuration mode. By default on Cisco devices, Cisco
Discovery Protocol is enabled on all interfaces.
cdp run Enables Cisco Discovery Protocol on the device, thus enabling it on all
interfaces. Use this command in global configuration mode. On Cisco
devices, Cisco Discovery Protocol is enabled by default.
enable secret Establishes a secret password for a privilege command mode, using a
nonreversible encryption method.
enable password Establishes a password for a privilege command mode.
ip http server Enables the Cisco web browser UI on a device. Use this command in
global configuration mode.
line console Enters console configuration mode to configure the console interface
settings.
line vty Enters line configuration mode to configure the vty settings.
password password Establishes a new password or changes an existing password.
service password-encryption Encrypts passwords.
show cdp neighbors Displays information about neighboring devices discovered by using
Cisco Discovery Protocol.
show ip interface interface Displays the IP information of the specified interface.

slot/number
show port-security Displays the information about the port security setting.

Command Description
show running-config Displays the running configuration.
show spanning-tree [interface Shows the spanning-tree status. You can filter output per the interface
interface slot/number] [detail] and if you add the detail keyword a lot of information gets displayed,
including the status of STP stability and securing mechanisms.
show vlan brief Displays summarized VLAN information.
spanning-tree bpdufilter enable Enables BPDU filter on the interface. Use in interface configuration
mode.
spanning-tree bpduguard enable Enables BPDU guard on the interface. Use in interface configuration
mode.
ssh -v version -l userID ip_address Starts an encrypted session with a remote device, with a specified user
ID. The version does not need to be specified. However, if you do use it,
you can choose between versions 1 and 2.
switchport access vlan vlan_number Sets the specified access VLAN to the interface in access mode. Use this
switchport mode access Configures the interface as an access port. Issue this command in
switchport port-security Enables port security on an interface. Use this command in interface
configuration mode. Port security is disabled by using no in front of this
command.
switchport port-security mac- Adds a MAC address to the list of secure MAC addresses. Use this
address mac_address command in interface configuration mode. To remove a MAC address
from the list, use the no form of this command.
switchport port-security mac- Enables dynamic MAC address learning on an interface. The learned
address sticky MAC address is then added to the running configuration. Use this
command in the interface configuration mode.
switchport port-security violation Sets the violation mode. You can choose between restrict, protect,
violation_mode and shutdown. Enter this command in interface configuration mode.
transport input ssh Defines that only the SSH protocol can be used to connect to a specific
line. Use this command in line configuration mode.
Task 1: Controlling Network Access Using Port
Security
Step 1 Secure Cisco Discovery Protocol.
Step 2 Configure port security.
Step 3 Configure the encrypted enable password.
Step 4 Secure the vty and console access passwords.
Step 5 Secure remote access.
Step 6 Configure a system banner for unauthorized users.
Step 7 Secure unused ports.
Step 8 Secure STP on end-user ports.
Step 9 Secure HTTP on all devices.
Verification

Step 1
1 On R1, verify that Cisco Discovery Protocol is enabled on the Ethernet 0/1, Ethernet 0/2,
and Ethernet 0/3 interfaces. Also ensure that Cisco Discovery Protocol is disabled on
Ethernet 0/0.
R1# show cdp interface
Ethernet0/1 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
Encapsulation ARPA
Ethernet0/3 is administratively down, line protocol is down
Encapsulation ARPA
Note If Cisco Discovery Protocol is disabled on the interface, the interface will not be seen in the
output of show cdp interface.

• Cisco Discovery Protocol is enabled on the Ethernet 0/1, Ethernet 0/2, and Ethernet 0/3
interfaces of R1.
• Cisco Discovery Protocol is disabled on the Ethernet 0/0 interface of R1.

Step 2
1 On SW and DSW2, verify that they have port security configured on all interfaces that
connect to end devices, with a maximum of one MAC address per port. Verify that all PCs
still connect to the Internet.
SW# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Et0/2 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
DSW2# show port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
PC1# ping 209.165.200.233

!!!!!
PC2# ping 209.165.200.233

!!!!!
PC3# ping 209.165.200.233

!!!!!
PC4# ping 209.165.200.233

!!!!!

• You configured port security on the Ethernet 0/2 and Ethernet 0/3 interfaces of SW.
• You configured port security on the Ethernet 1/1 and Ethernet 1/2 interfaces of DSW2.
• The PCs have the default gateway configured.
• R1 connects to the Internet.
Step 3
1 On DSW1, verify that the enable secret password is configured.
DSW1# show running-config | include enable

enable secret 4 1KT4Bo0GCWMSVl.gNwzJ8kInGfbKjQZeCtLzoTxuOXM

• You configured the enable secret password on DSW1.
Step 4
1 On SW, verify that the service password-encryption command is configured.
SW# show running-config | include service password
service password-encryption

• You enabled the service password-encryption command on SW.
Step 5
1 Verify that you can use SSH to connect to R1 from DSW1, but you cannot use Telnet.
DSW1# ssh -l admin 192.168.98.2
Password:
R1#
DSW1# telnet 192.168.98.2

Trying 192.168.98.2 ...
% Connection refused by remote host

• R1 has a local username and password configured.
• R1 has the IP domain configured.
• R1 has generated a crypto key.
• R1 is configured in such a manner that it can be accessed through only SSH.
Step 6
1 On R1, verify that a banner login is configured.
R1# show running-config | include banner
banner login ^C Unauthorized activities will be grounds for persecution! ^C

• You configured a banner login on R1.

Step 7
1 On SW, verify that all unused ports are in the access mode and are placed into an isolated
VLAN and shut down.
SW# show vlan
VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active
10 VLAN0010 active
20 VLAN0020 active
22 VLAN0022 active Et0/2
30 VLAN0030 active
199 VLAN0199 active Et1/0, Et1/1, Et1/2, Et1/3
Et2/0, Et2/1, Et2/2, Et2/3
Et3/0, Et3/1, Et3/2, Et3/3
Et4/0, Et4/1, Et4/2, Et4/3
Et5/0, Et5/1, Et5/2, Et5/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
SW# show ip int brief

Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet1/0 unassigned YES unset administratively down down

• You shut down all unused ports on SW.
• You put the unused ports for SW into VLAN 199.
• You did not change the access mode on the unused ports for SW.
Step 8
1 Verify that DSW2 does not have BPDU filter configured.
DSW2# show run | include bpdufilter

DSW2#

• You removed the BPDU filter configuration from the Ethernet 1/1 and Ethernet 1/2
interfaces on DSW2.
Step 9
1 On DSW1, verify that the web interface is disabled for HTTP.
DSW1# show running-config | include http

no ip http server

• DSW1 has disabled the web interface for HTTP.

Answer Key
Challenge 1: Network Discovery
Step 1
Use Telnet to connect to SW1 and investigate Cisco Discovery Protocol neighbors:
PC1# telnet 192.168.0.10
Trying 192.168.0.10 ... Open
User Access Verification
Password:
SW1> enable
Password:
SW1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID

DSW1 Eth 0/3 132 R S Linux Uni Eth 0/3
Now you can add descriptions to the interfaces of SW1 according to the show cdp neighbors
output:
SW1# configure terminal
SW1(config)# interface ethernet 0/3
SW1(config-if)# description DSW1
SW1(config-if)# interface ethernet 1/1
Use Telnet to connect to SW2 and investigate Cisco Discovery Protocol neighbors:
PC1# telnet 192.168.0.20
Trying 192.168.0.20 ... Open
Password:
SW2> enable
Password:
SW2# show cdp neighbors

Now you can add descriptions to the interfaces of SW2 according to the show cdp neighbors
output:
SW2# configure terminal
Use Telnet to connect to DSW1 and investigate Cisco Discovery Protocol neighbors:
PC1# telnet 192.168.0.30
Trying 192.168.0.30 ... Open
Password:
DSW1> enable
Password:
DSW1# show cdp neighbors

SW1 Eth 0/3 155 R S Linux Uni Eth 0/3
R1 Eth 0/2 125 R Linux Uni Eth 0/1
Now you can add descriptions to the interfaces of DSW1 according to the show cdp neighbors
output:
DSW1# configure terminal
DSW1(config)# interface ethernet 0/3
DSW1(config-if)# description SW1
DSW1(config-if)# interface ethernet 0/1
DSW1(config-if)# description R1

Use Telnet to connect to DSW2 and investigate Cisco Discovery Protocol neighbors:
PC1# telnet 192.168.0.40
Trying 192.168.0.40 ... Open
Password:
DSW2> enable
Password:
DSW2# show cdp neighbors

R1 Eth 0/2 139 R Linux Uni Eth 0/2
Now you can add descriptions to the interfaces of DSW2 according to the show cdp neighbors
output:
DSW2# configure terminal
DSW2(config-if)# description R1
Use Telnet to connect to R1 and investigate Cisco Discovery Protocol neighbors:

PC1# telnet 192.168.10.2
Trying 192.168.10.2 ... Open
Password:
R1> enable
Password:
R1# show cdp neighbors

Now you can add descriptions to the interfaces of R1 according to the show cdp neighbors
output:
R1# configure terminal
R1(config)# interface ethernet 0/1
R1(config-if)# description DSW1
R1(config-if)# interface ethernet 0/2
R1(config-if)# description DSW2
To find out where PC1 connects to, first figure out which interface PC1 uses:
PC1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.0.101 YES NVRAM up up
Ethernet0/1 unassigned YES NVRAM administratively down down
PC1 uses Ethernet 0/0, so now you can find out its MAC address:
PC1# show interface ethernet 0/0
Hardware is AmdP2, address is aabb.cc00.0b00 (bia aabb.cc00.0b00)
Internet address is 192.168.0.101/24
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Now you can investigate the CAM tables of the network devices to find out where PC1 connects
to. If you do not see the MAC address in the CAM tables, you need to ping PC1 in order to
generate traffic between devices. The switch will then learn the MAC address of PC1.
SW1 is the device that PC1 connects to (through Ethernet 0/1):
SW1# show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports

---- ----------- -------- -----
1 aabb.cc00.0b00 DYNAMIC Et0/1
1 aabb.cc80.1400 DYNAMIC Et0/3
Total Mac Addresses for this criterion: 3
If you look at the CAM tables of other switches, the PC1 MAC address is seen through
interfaces that connect to other switches. For example, SW2 sees the PC1 MAC address
aabb.cc00.0b00 through Ethernet1/1, the interface that connects to DSW1.
SW2# show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports

---- ----------- -------- -----
1 aabb.cc00.0b00 DYNAMIC Et1/1
Total Mac Addresses for this criterion: 3

On SW1, add a description on Ethernet0/1:
SW1(config-if)# description PC1
Do not forget to save all changes that you have made:

SW1# copy running-config startup-config
SW2# copy running-config startup-config
DSW1# copy running-config startup-config
R1# copy running-config startup-config
To sum up, your network looks like this:
Challenge 2: Configure DHCP
Step 1 Exclude the IP addresses that the DHCP server should not lease out. Otherwise these IP
addresses can be bound to clients before you will manage to exclude them.
Core1(config)# ip dhcp excluded-address 192.168.22.1 192.168.22.10
Create a DHCP pool for SALES.

Core1(config)# ip dhcp pool SALES
Core1(dhcp-config)# network 192.168.22.0 255.255.255.0
Core1(dhcp-config)# default-router 192.168.22.1 255.255.255.0
PC1 is configured with a static IP address. Configure PC1 to obtain the IP address via DHCP.
PC1# show run interface ethernet 0/0
Building configuration...
Current configuration : 89 bytes

!
interface Ethernet0/0
ip address 192.168.22.100 255.255.255.0
no ip route-cache
end
PC1# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.
PC1(config)# interface ethernet 0/0
PC1(config-if)# ip address dhcp
PC1(config-if)#
PC1#
*Oct 4 08:45:15.535: %SYS-5-CONFIG_I: Configured from console by console
PC1#
*Oct 4 08:45:20.578: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP
address 192.168.22.11, mask 255.255.255.0, hostname PC1
PC2 is configured with a static IP address. Configure PC2 to obtain the IP address via DHCP.
PC2# show run interface ethernet 0/0

!
ip address 192.168.22.101 255.255.255.0
no ip route-cache
end
PC2# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.
PC2(config-if)#
PC2#
*Oct 4 08:47:06.021: %SYS-5-CONFIG_I: Configured from console by console
PC2#

Step 2 As you did for the Sales pool, exclude the IP addresses that DHCP server should not lease out.
Core1(config)# ip dhcp excluded-address 192.168.33.1 192.168.33.10
Create a DHCP pool for IT.

Core1(config)# ip dhcp pool IT
Core1(dhcp-config)# network 192.168.33.0 255.255.255.0
Core1(dhcp-config)# default-router 192.168.33.1 255.255.255.0
Because Core1 is not in the same network as VLAN 33 clients, you have to configure an IP
helper address so that the DHCP messages can be forwarded to DHCP server.
SW2(config)# interface vlan 33
SW2(config-if)# ip helper 192.168.2.1
Configure PC3 to obtain the IP address via DHCP.

PC3(config-if)#
Configure SRV to obtain the IP address via DHCP.

SRV(config)# interface ethernet 0/0
SRV(config-if)# ip address dhcp
SRV(config-if)#
address 192.168.33.12, mask 255.255.255.0, hostname SRV
Based on the server IP address that you have discovered previously, investigate its client
identifier.
Hardware address/
User name
192.168.22.11 0063.6973.636f.2d61. Oct 05 2013 12:45 AM Automatic
6162.622e.6363.3030.
2e30.3630.302d.4574.
302f.30
6162.622e.6363.3030.
2e30.3730.302d.4574.
302f.30
6162.622e.6363.3030.
2e30.3830.302d.4574.
302f.30
6162.622e.6363.3030.
2e34.3030.302d.4574.
302f.30
You will first need to clear the DHCP binding for SRV. Otherwise you will not be allowed to
configure a manual one.
Core1# clear ip dhcp binding 192.168.33.12
Assign a preferred IP address to the server. You have to create a new DHCP pool.
Core1(config)# ip dhcp pool SRV
Core1(dhcp-config)# host 192.168.33.185 255.255.255.0
Core1(dhcp-config)# client-identifier
0063.6973.636f.2d61.6162.622e.6363.3030.2e34.3030.302d.4574.302f.30
In order for the SRV to obtain the new IP address, you first have to shut down the interface and
then bring it back up.
SRV(config-if)# shutdown
SRV(config-if)# no shutdown
SRV(config-if)#
address 192.168.33.185, mask 255.255.255.0, hostname SRV
You could use the release dhcp Ethernet0/0 and the renew dhcp Ethernet0/0 privileged mode
commands to make the changes visible.

Challenge 3: Configure DHCPv6
Step 1
On Core1, define a DHCPv6 pool for the SALES subnet. Define an address prefix that will be
leased to clients. Do not forget the DNS server address to be announced via DHCPv6.
Core1(config)# ipv6 dhcp pool SALES
Core1(config-dhcpv6)# address prefix 2001:db8:16::/64
Core1(config-dhcpv6)# dns-server 2001:db8:53::53
On Core1, you will need to configure the VLAN 22 interface with an IPv6 address from the
SALES prefix. Refer to the Job Aids section for IPv6 address information. Also, you need to
turn on DHCPv6 server functionality on the interface.
Core1(config)# interface vlan 22
Core1(config-if)# ipv6 address 2001:db8:16::1/64
Core1(config-if)# ipv6 dhcp server SALES
Configure PC1 to obtain IPv6 address via DHCPv6. Also, if you do not enable IPv6
functionality, the client will not acquire an IPv6 address.
PC1(config-if)# ipv6 enable
PC1(config-if)# ipv6 address dhcp
Repeat the procedure on PC2.

Step 2
On Core1, define a DHCPv6 pool for the IT subnet. Define the address prefix that will be leased
to clients. Do not forget the DNS server address to be announced via DHCPv6.
Core1(config)# ipv6 dhcp pool IT
Core1(config-dhcpv6)# address prefix 2001:db8:21::/64
Core1(config-dhcpv6)# dns-server 2001:db8:53::53
Turn on the DHCPv6 server for pool IT.

Core1(config)# interface ethernet 0/2
Core1(config-if)# ipv6 dhcp server IT
Since PC3 is in a different subnet than the DHCPv6 server, you will need to configure a DHCP
relay on SW2. Refer to the Job Aids section for IPv6 address information.
SW2(config)# interface vlan 33
SW2(config-if)# ipv6 address 2001:db8:21::1/64
SW2(config-if)# ipv6 dhcp relay destination 2001:db8:99::1
Configure PC3 to obtain an IPv6 address via DHCPv6. Do not forget to enable IPv6
functionality.
Step 3
Manually configure an IPv6 address on the Ethernet 0/0 interface of SRV.
SRV(config-if)# ipv6 address 2001:db8:21::11/64

Challenge 4: Configure EtherChannel
Step 1
You can identify which ports need to be configured for EtherChannel by looking at the Job Aids
or by investigating Cisco Discovery Protocol neighbors within the lab.
Access DSW1 and enter interface configuration mode for the range of interfaces Ethernet 1/0
through 1/3. Bundle interfaces into channel group 2 and set LACP "active" mode. You should
use LACP since Dwayne told you to use a negotiation protocol that will work with switches not
made by Cisco.
DSW1(config)# interface range ethernet 1/0-3
DSW1(config-if-range)# channel-group 2 mode active
Creating a port-channel interface Port-channel 2
Access DSW2 and configure EtherChannel.

DSW2(config-if-range)# channel-group 2 mode passive
This example shows one side being in LACP "passive" mode and the other in LACP "active"
mode. You could configure both of the sides as LACP "active" and the EtherChannel link would
still get established.
On DSW1, enter interface configuration mode for the Port-Channel 2 interface. The
configuration applied to the Port-Channel interface reflects on all links that it bundles. Configure
it as a hard-coded trunk link.
DSW1(config)# interface port-channel 2
DSW1(config-if)# switchport mode trunk
Configure a hard-coded trunk link also on DSW2 Port-Channel 2.

Step 2 This is just an example of troubleshooting flow. You might use a different approach.
Look at the EtherChannel group 1 status on DSW1.

d - default port


------+-------------+-----------+-----------------------------------------------
1 Po1(SD) LACP Et0/0(s) Et0/3(s)
Et1/3(P)
The "SD" flag tells you that Layer 2 EtherChannel is down. Notice that the LACP protocol is
configured. The "s" flag on both ports indicates that both ports are suspended.
Look at the EtherChannel group 1 status on SW1.
SW1# show etherchannel summary

d - default port


------+-------------+-----------+-----------------------------------------------
1 Po1(SD) PAgP Et0/2(I) Et0/3(I)
The "SD" flag tells you that Layer 2 EtherChannel is down. Notice that the PAgP protocol is
configured. The "I" flag on both ports indicates that both ports are standalone (not bundled).
LACP and PAgP modes are not compatible. To get EtherChannel working, you will need to
change the negotiation protocol on SW1 to LACP.
Investigate port configuration on DSW1 and SW1.

DSW1# show running-config interface ethernet 0/0

!
description SW1
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
channel-group 1 mode passive
end


!
description SW1
duplex auto
end
SW1# show running-config interface ethernet 0/2


!
description DSW1
duplex auto
channel-group 1 mode auto
end


!
description DSW1
duplex auto
channel-group 1 mode auto
end
Change EtherChannel negotiation on SW1 from auto (PAgP) to "active" (LACP).

SW1(config)# interface range ethernet 0/2, ethernet 0/3
SW1(config-if-range)# no channel-group 1 mode auto
SW1(config-if-range)# channel-group 1 mode active
Step 3 This is just an example of troubleshooting flow. You might use a different approach.
Investigate the EtherChannel group 1 status on DSW2.

d - default port


------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Et0/0(P) Et0/3(s)
Et1/3(P)
The "SU" flag indicates that Layer 2 EtherChannel is in use. The negotiation protocol used is
LACP. One port is flagged as "P," which stands for bundled. The other port is flagged as "s,"
which stands for suspended. Essentially, the EtherChannel link is functioning, but there is only
one link present in the bundle. This hints at inconsistent configuration between ports.
Investigate the EtherChannel status on SW2.
SW2# show etherchannel summary

d - default port


------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Et1/2(s) Et1/3(P)
The EtherChannel status is similar to what it is on DSW2.

Now you should compare interface configurations.


!
description SW2
duplex auto
end


!
description SW2
duplex auto
end


!
description DSW2
switchport mode access
duplex auto
channel-group 1 mode active
end


!
description DSW2
duplex auto
channel-group 1 mode active
end
Notice that one port on SW2 is configured as "trunk" and the other one is "access."
On SW2, change the switch port mode to trunk on Ethernet 1/2.
SW2(config)# interface Ethernet 1/2
SW2(config-if)# switchport mode trunk
Step 4
Investigate which EtherChannel load-balancing methods are available.
DSW1(config)# port-channel load-balance ?
dst-ip Dst IP Addr
dst-mac Dst Mac Addr
src-dst-ip Src XOR Dst IP Addr
src-dst-mac Src XOR Dst Mac Addr
src-ip Src IP Addr
src-mac Src Mac Addr
Since the network in this lab is an IP-based network the most effective solution would be to load
balance with the src-dst-ip option. This way, the traffic will get spread most evenly over the
links within EtherChannel. EtherChannel will fall back to load balancing per MAC address for
non-IP traffic.
If you investigate the EtherChannel load-balancing method in effect, you will see that SW1 is
configured for src-dst-ip. SW2 and DSW2 are configured with src-mac. EtherChannel load
balancing and DSW1 is configured with dst-mac balancing.
dst-mac

src-mac

src-dst-ip

src-mac
Configure the EtherChannel load-balancing method to src-dst-ip on DSW1, DSW2, and SW2:
DSW1(config)# port-channel load-balance src-dst-ip
DSW2(config)# port-channel load-balance src-dst-ip
SW2(config)# port-channel load-balance src-dst-ip

You have already checked that SW1 has src-dst-ip EtherChannel load balancing configured.
Now check DSW1, DSW2, and SW2.
src-dst-ip

src-dst-ip

src-dst-ip
Challenge 5: Implement RSTP
Step 1 Configure DSW1, DSW2, SW1, and SW2 to use Rapid PVST+. If you forget to configure a
switch with rapid spanning tree, the whole network will fall back to nonrapid spanning tree.
DSW1(config)# spanning-tree mode rapid-pvst
DSW2(config)# spanning-tree mode rapid-pvst
SW1(config)# spanning-tree mode rapid-pvst
SW2(config)# spanning-tree mode rapid-pvst
Step 2 You can set the root bridge through the priority command or use root primary macro like it is
done in this example configuration.
DSW1(config)# spanning-tree vlan 1 root primary

Even though it was not explicitly requested, it would be wise of you to configure secondary root
bridges for all VLANs. If DSW1 goes down, you do not want one of the access layer switches
becoming the root bridge for VLAN 10.
DSW1(config)# spanning-tree vlan 30 root secondary

Step 3 You could configure different STP costs or port priorities for different VLANs to utilize both
links between the distribution layer switches. However, that is not a good solution and the task
was to perform a configuration where both links are used by all VLANs.
Since there was no request as to how to configure EtherChannel, it is entirely up to you whether
you want to use LACP, PAgP, or neither of them. This example shows static EtherChannel
configuration.
DSW1(config-if-range)# channel-group 1 mode on

DSW2(config-if-range)# channel-group 1 mode on
Challenge 6: Improve STP Configuration
Step 1
Using show spanning-tree interface interface slot/number detail, you should figure out that
PortFast is enabled only on access ports on access layer switches SW1 and SW2. On both
devices, PortFast is enabled globally.
The customer configured PortFast correctly. You should not change the configuration of
PortFast in the network.
Using show spanning-tree interface interface slot/number detail, you should figure out that
BPDU guard is enabled only on PortFast ports on access layer switches SW1 and SW2. On both
devices, PortFast is enabled globally.
The customer configured BPDU guard correctly. You should not change the configuration of
BPDU guard in the network.
Using the command, show spanning-tree interface interface slot/number detail, or show
running-config, you should figure out that BPDU filter is enabled only on SW1 and SW2 access
ports. BPDU filter is enabled per-port.
Having BPDU filter configured on the same ports as BPDU guard is not a good practice. When
these two mechanisms are configured at the same time, only BPDU filter is in effect. In addition,
you should not configure BPDU filter anywhere in the network wit a good reason.
Remove BPDU filter configuration from all devices where it is configured:
SW1(config-if)# no spanning-tree bpdufilter enable

Step 2
Using show spanning-tree interface interface slot/number detail or show running-config, you
should see that root guard is enabled on DSW1 and DSW2. DSW1 has its only interface that
connects to SW1 (Ethernet 0/2) configured with root guard. DSW2 has its only interface that
connects to SW2 (Ethernet 0/2) configured with root guard.
The customer configuration is correct but incomplete. Root guard needs to be enabled on all
links where the root bridge is not expected.
Configure Ethernet 0/3 on DSW1 with root guard.
DSW1(config-if)# spanning-tree guard root
Configure Ethernet 0/3 on DSW2 with root guard.

DSW2(config-if)# spanning-tree guard root

Step 3
Using show spanning-tree interface interface slot/number detail or show running-config, you
should find that loop guard is not enabled on any device in the network. It might have been that
the customer forgot to configure it or that it was overridden by root guard configuration. The use
of loop guard and root guard is mutually exclusive.
Configure loop guard on both SW1 uplinks.
SW1(config-if)# spanning-tree guard loop
Configure loop guard on both SW2 uplinks.

Configuring SW1 and SW2 uplinks with loop guard should cover all potentially blocking ports.
Since DSW1 and DSW2 are configured either as primary or secondary root bridges, only access
layer switches will have blocked ports.
Configure loop guard on the links between DSW1 and DSW2.
DSW1(config-if)# spanning-tree guard loop

DSW2(config-if)# spanning-tree guard loop
Note that it is recommended that you apply loop guard configuration on port-channel interfaces
so that the configuration will be inherited by the interfaces that are members of the port channel.
Challenge 7: Configure MST
Step 1
Before you dive into MST migration, you should evaluate whether the network is ready for
migration.
• Region name, revision number, and VLAN-to-instance mappings were already defined for you by the
customer, so you do not need to plan these out.
• The network has edge ports defined. You can check that fact by using the show spanning-tree
interface interface slot/number command.
• All interswitch connections are configured as trunks and are not pruning any VLANs that are used in
MST. You can check that fact by using the show interfaces trunk command.
On all switches, configure the MST region, "SWITCH", and the revision "1", and map VLANs
10 to 25 to MSTI1 and VLANs 26 to 50 to MSTI2.
SWB(config)# spanning-tree mst configuration
SWB(config-mst)# name SWITCH
SWB(config-mst)# revision 1
SWB(config-mst)# instance 1 vlan 10-25
SWB(config-mst)# instance 2 vlan 26-50
SWB(config-mst)# exit
SW1(config)# spanning-tree mst configuration

SW1(config-mst)# name SWITCH
SW1(config-mst)# revision 1
SW1(config-mst)# instance 1 vlan 10-25
SW1(config-mst)# exit
SW2(config)# spanning-tree mst configuration

SW2(config-mst)# name SWITCH
SW2(config-mst)# revision 1
SW2(config-mst)# exit
ASW1(config)# spanning-tree mst configuration

ASW1(config-mst)# name SWITCH
ASW1(config-mst)# revision 1
ASW1(config-mst)# instance 1 vlan 10-25
ASW1(config-mst)# exit


Step 2
Configure SW1 to be the root bridge for MSTI1. Configure SW1 to be the secondary root bridge
for MSTI2.
SW1(config)# spanning-tree mst 1 root primary
SW1(config)# spanning-tree mst 2 root secondary
Configure SW2 to be the root bridge for MSTI2. Configure SW2 to be the secondary root bridge
for MSTI1.
SW2(config)# spanning-tree mst 2 root primary
SW2(config)# spanning-tree mst 1 root secondary
Configure all switches to run MST.

SWB(config)# spanning-tree mode mst
SW1(config)# spanning-tree mode mst
SW2(config)# spanning-tree mode mst
ASW1(config)# spanning-tree mode mst
Challenge 8: Configure Routing Between VLANs
with a Router
Step 1
On R1, configure subinterfaces for VLANs 10, 20, 30, and 40. Because you are not allowed to
change the configurations of the PCs, you need to configure the R1 subinterfaces with the default
gateway addresses of the PCs.
R1(config)# interface Ethernet 0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 10.0.10.1 255.255.255.0
R1(config-subif)# exit
Configure the Ethernet 1/0 interface on DSW1 to be in the trunk mode.

DSW1(config-if)# switchport trunk encapsulation dot1q

Challenge 9: Configure Routing on a Multilayer
Switch
Step 1
If you investigate SW, you will see that the port that connects to PC1, Ethernet 0/2, is configured
as an access port for VLAN 22. the port that connects to PC2, Ethernet 0/3, is configured as an
access port for VLAN 44.
SW# show vlan

---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/1, Et1/0, Et1/1
Et1/2, Et1/3, Et2/0, Et2/1
Et2/2, Et2/3, Et3/0, Et3/1
Et3/2, Et3/3, Et4/0, Et4/1
Et4/2, Et4/3, Et5/0, Et5/1
Et5/2, Et5/3
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
If you investigate the PC1 configuration or consult the Job Aids section, you will see that PC1 is
configured with the IP default gateway address of 192.168.22.254:
PC1# show ip route
Default gateway is 192.168.22.254
If you investigate the PC2 configuration or consult the Job Aids section, you will see that PC2 is
configured with the IP default gateway address of 192.168.44.254:
PC2# show ip route
So you need to configure two SVIs on DSW1: one for VLAN 22 with the IP address of
192.168.22.254, and one for VLAN 44 with the IP address of 192.168.44.254. Do not forget to
enable IP routing. It would also be wise to verify that there is a trunk link configured between
SW and DSW1. Use the show interfaces trunk command on either of the two switches.
DSW1(config)# ip routing
DSW1(config)# vlan 22
DSW1(config-vlan)# interface vlan 22
DSW1(config-if)# ip address 192.168.22.254 255.255.255.0
DSW1(config-if)# no shutdown
DSW1(config-if)# exit
Step 2
If you investigate DSW2, you will see that the port that connects to PC3, Ethernet 1/1, is
configured as an access port for VLAN 77. The port that connects to PC4, Ethernet 1/2, is
configured as an access port for VLAN 11.
DSW2# show vlan

---- -------------------------------- --------- -------------------------------
1 default active Et0/1, Et0/2, Et0/3, Et1/0
Et1/3, Et2/0, Et2/1, Et2/2
Et2/3, Et3/0, Et3/1, Et3/2
Et3/3, Et4/0, Et4/1, Et4/2
Et4/3, Et5/0, Et5/1, Et5/2
Et5/3
10 VLAN0010 active
If you investigate the PC3 configuration, you will see that PC3 is configured with the IP default
address of 192.168.77.254:
PC3# show ip route
If you investigate the PC4 configuration, you will see that PC4 is configured with the IP default
address of 192.168.11.254:
PC4# show ip route
You need to configure two SVIs on DSW2: one for VLAN 77 with the IP address of
192.168.77.254, and one for VLAN 11 with the IP address of 192.168.11.254. Do not forget to
enable IP routing.
DSW2(config)# ip routing
DSW2(config-if)# exit
Step 3
The DSW1-R1, DSW1-DSW2, and DSW2-R1 links already have Layer 3 connectivity. R1
already has activated downlinks for OSPF Area 0 and is correctly configured to announce the
default route to OSPF neighbors.

On DSW1, activate all interfaces that have IPs within 192.168.0.0/16 for OSPF Area 0. The
process ID does not need to match between devices in order for them to become OSPF
neighbors.
DSW1(config)# router ospf 1
DSW1(config-router)# network 192.168.0.0 0.0.255.255 area 0
On DSW2, activate all the interfaces that have IPs within 192.168.0.0/16 for OSPF Area 0.
DSW2(config)# router ospf 1
DSW2(config-router)# network 192.168.0.0 0.0.255.255 area 0
Step 4
The connection between SW and DSW1 is Layer 2. Therefore, if you introduce a new link and
you want to bundle the links, you need to configure Layer 2 EtherChannel. Because the
negotiation protocol to use for EtherChannel is not specified, you can use whichever protocol
you want. In this example, LACP is used. The channel group number is also not specified. You
can choose whichever number you want, as long as it is not the same as the one used to bundle
the DSW1-DSW2 links.
On DSW1, Ethernet 1/2 is the port that was used to establish a second connection between SW
and DSW1. Configure it consistently with the first link: Ethernet 1/1.
DSW1(config-if)# switchport trunk encapsulation dot1q
On SW, Ethernet 0/1 is the port that was used to establish a second connection between SW and
DSW1. Configure it consistently with the first link: Ethernet 0/0.
SW(config)# interface ethernet 0/1
SW(config-if)# switchport trunk encapsulation dot1q
SW(config-if)# switchport mode trunk
SW(config-if)# no shutdown
Q2DEV: The code in the table shows Ethernet 0/1, not 0/0. Okay?--EDIT
Response: Changed in the text "On SW, Ethernet 0/1 is the port.."
On DSW1, bundle both links that connect to SW into a port channel.
DSW1(config-if-range)# channel-group 1 mode active
On SW, bundle both links that connect to DSW1 into a port channel.
SW(config)# interface range ethernet 0/0-1
SW(config-if-range)# channel-group 1 mode passive
Challenge 10: Configure NTP
Step 1
It is recommended that you configure two or three devices in your network to synchronize their
time with public NTP servers. The rest of the devices should synchronize their time with those
few devices. Do not forget to define the local timezone.
In this example, R1 and R2 are, as edge routers, the logical choice for synchronizing to the
public NTP servers.
R1(config)# ntp server 209.165.201.44
R1(config)# ntp server 209.165.201.233 prefer
R1(config)# clock timezone CET +2
R1(config)# clock summer-time CET recurring

R2(config)# ntp server 209.165.201.233 prefer
R2(config)# clock timezone CET +2
R2(config)# clock summer-time CET recurring
The rest of the devices should synchronize their time to R1 and R2. IP addresses should be those
of the loopback interfaces, because these will always be up and functional.
Note: When configuring the local device to synchronize its time with an NTP server, always
refer to the most stable interface. This interface would be directly connected or, even better, a
loopback interface.
DSW1(config)# ntp server 192.168.101.10
DSW1(config)# clock timezone CET +2
DSW1(config)# clock summer-time CET recurring

DSW2(config)# clock timezone CET +2
DSW2(config)# clock summer-time CET recurring
SW(config)# ntp server 192.168.101.10

SW(config)# ntp server 192.168.102.10
SW(config)# clock timezone CET +2
SW(config)# clock summer-time CET recurring
In a small network, like the one in this example, there are no major benefits of peering DSW1
and DSW2. Let us say you lost both of your Internet connections. If in that case DSW1
synchronizes its time with R1 and DSW2 synchronizes its time with R2, their clocks can become
unsynchronized, thus it can become difficult to compare system logs between devices. If you

configure DSW1 and DSW2 as peers, their time will be synchronized in even those rare
occurrences.
Step 2
You need to use a higher stratum value than the one of the public Internet servers in order to
ensure that the local clock is preferred only when there is no Internet connectivity.
R1(config)# ntp master 10
R2(config)# ntp master 10
Step 3
If your time servers are open to time synchronization from all directions, they can provide time
synchronization services to other devices. An attacker could abuse that by issuing a lot of NTP
synchronization requests, thus overwhelming your devices and causing connection problems.
If your device is configured as an NTP master, you must allow "peer" access to a source with the
IP address 127.127.x.1. This IP address is the internal server address that is created by the ntp
master command, which the local router synchronizes to. To identify the IP address of the
internal NTP server, you can use the show ntp associations command.
You should also configure R1 and R2 to allow for them to be polled for NTP updates by devices
in the 192.168.0.0/16 network.
R1(config)# access-list 1 permit 127.127.7.1
R1(config)# access-list 2 permit 192.168.0.0 0.0.255.255
R1(config)# ntp access-group peer 1
R1(config)# ntp access-group serve-only 2
R2(config)# access-list 1 permit 127.127.7.1

R2(config)# access-list 2 permit 192.168.0.0 0.0.255.255
R2(config)# ntp access-group peer 1
R2(config)# ntp access-group serve-only 2
Challenge 11: Configure Network Monitoring
Using the Cisco IOS IP SLA
Step 1
Because you do not have access to the specified HTTP server, you cannot configure it as an IP
SLA responder. However, for IP SLA HTTP testing, accuracy will be good enough without
configuring the target as an IP SLA responder.
On SW, define an IP SLA. The operation number is not specified so you can use any number
that you like. After you define an HTTP test to 209.165.200.233, you need to specify the
frequency of the IP SLA test execution at 90 seconds.
DSW1(config)# ip sla 1
DSW1(config-ip-sla)# http get http://209.165.200.233 source-ip 192.168.22.254
DSW1(config-ip-sla-http)# frequency 90
DSW1(config-ip-sla-http)# exit
DSW1(config)# ip sla schedule 1 start-time now life 172800
In order to configure the availability test from the VLAN 22 subnet, you need to identify the
proper IP address on DSW1 by using the show ip interface brief command.
Step 2
Use show ip sla application to deduce that there is one IP SLA configured and that the test is
not active.
R1# show ip sla application
IP Service Level Agreements
Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-III
Supported Operation Types:

icmpEcho, path-echo, path-jitter, udpEcho, tcpConnect, http
dns, udpJitter, dhcp, ftp, lsp Group, lspPing, lspTrace
pseudowirePing, udpApp, wspApp, mcast, generic
Supported Features:
IPSLAs Event Publisher
IP SLAs low memory water mark: 57608164

Estimated system max number of entries: 42193
Estimated number of configurable operations: 42085

Number of Entries configured : 1
Number of active Entries : 0
Number of pending Entries : 0
Number of inactive Entries : 1
Time of last change in whole IP SLAs: *06:47:47.339 PST Wed Jan 8 2014
By verifying the existing IP SLA configuration, you should see that the configured entry is 69.
Entry 69 is an ICMP echo test to the IP address 209.165.200.157 and the operation is carried out
every minute. The test already started, but its lifetime is set to only 1 second.

R1# show ip sla configuration
IP SLAs Infrastructure Engine-III
Entry number: 69
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source address: 209.165.200.157/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
Operation frequency (seconds): 60 (not considered if randomly scheduled)
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): 1
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None
Therefore, Dwayne configured the IP SLA test correctly but scheduled it incorrectly. You need
to reschedule the test.
R1(config)# no ip sla schedule 69 life 1 start-time now
R1(config)# ip sla schedule 69 life forever start-time now
Challenge 12: Configure HSRP with Load
Balancing
Step 1
When you configure FHRP on a Layer 3 switch, you will configure it on its SVIs. When you
configure FHRP on a router, you will need to configure it on its subinterfaces.
R1(config)# interface ethernet 0/1.11
R1(config-subif)# standby 11 ip 10.0.11.1
R1(config-subif)# standby 11 priority 110
R1(config-subif)# standby 11 preempt



R1 is an active HSRP device for VLAN 11 whenever possible. The same applies to R2 and
VLAN 22. You can conclude that pre-emption must be enabled for both groups.
Step 2
If tracking is not configured, the active device will become the standby only if the HSRP-
enabled interface or the device itself fails. What if the uplink interface on the HSRP device fails?
To detect the failure, you have to configure interface tracking on all uplinks and specify the
value for decrementing the device priority.
R1(config)# interface ethernet0/1.11
R1(config-subif)# standby 11 track ethernet0/0 30

If you want the tracking of the interfaces to work properly, pre-emption must be configured.
Otherwise, the decremented priority will not trigger the reelection for the active router.
Step 3
Each HSRP group should have passwords configured on both HSRP peers. Use MD5

authentication, because it is more secure.
R1(config-subif)# standby 11 authentication md5 key-string c1sc0



Challenge 13: Configure VRRP with Load
Balancing
Step 1
Use the default gateway that is already configured on the PCs. Between R1 and R2, configure R1
with a higher VRRP priority. R1 will then serve as the master and R2 will serve as the backup.
Whenever R1 is available, it will be the master because pre-emption is enabled by default with
VRRP.
R1(config-subif)# no standby 11
R1(config-subif)# vrrp 11 ip 10.0.11.1
R1(config-subif)# vrrp 11 priority 110



Step 2
As with HSRP, without tracking configured, the master device will become the backup only if
the VRRP-enabled interface or the device itself fails. However, VRRP does not support interface
tracking, so to detect the failure of an uplink, you have to configure object tracking. Use the
object number in VRRP to track the object and decrement the priority in case of a link failure.
R1(config)# track 1 interface ethernet 0/0 line-protocol
R1(config-track)# interface ethernet 0/1.11
R1(config-subif)# vrrp 11 track 1 decrement 30

R2(config-track)# interface ethernet 0/2.22
R2(config-subif)# vrrp 22 track 1 decrement 30
Note: VRRP has pre-emption configured by default.

Step 3
Each VRRP group should have a password configured on both VRRP peers. Use MD5
authentication, because it is more secure.
R1(config-subif)# vrrp 11 authentication md5 key-string c1sc0



Challenge 14: Implement GLBP
Step 1 The basic configuration of GLBP is very similar to the HSRP or VRRP configuration. The
virtual IP address on all three routers must be 192.168.10.1—the same IP address that is
preconfigured on the network PCs.
R1(config)# interface ethernet0/0
R1(config-if)# glbp 1 ip 192.168.10.1
R1(config-if)# glbp 1 priority 110
R1(config-if)# glbp 1 preempt


It was specified that R1 should be the AVG whenever possible. AVG pre-emption must be
enabled on all routers.
Step 2 To configure tracking, you first need to configure a tracked object on each router. GLBP uses a
weighting scheme to determine the forwarding capacity of each router in the GLBP group.
Weighting can be automatically adjusted by tracking the state of an uplink interface. You have to
set the thresholds correctly so the router will lose the AVF role in the case of a link failure but
regain it when it comes back up.
R1(config-track)# interface ethernet0/0
R1(config-if)# glbp 1 weighting 100 lower 80 upper 90
R1(config-if)# glbp 1 weighting track 1 decrement 30


Step 3 Authentication should be configured on all three peers. Use MD5 because it is more secure. You
can use any keyword you want because the customer did not specify which key to use. But you
need to make sure that this same key is specified for GLBP group 1 on all three routers.
R1(config-if)# glbp 1 authentication md5 key-string C1sc0


The routers have to see each other, so there still have to be three forwarders. Otherwise, the keys
have been misconfigured.
Challenge 15: Configure HSRP for IPv6
Step 1 As with an HSRP for IPv4 environment, you configure HSRP for IPv6 on the router
subinterfaces.
R1(config-subif)# standby version 2
R1(config-subif)# standby 10 ipv6 autoconfig


R1(config-subif)# interface ethernet0/0.20

R1 should be the active HSRP device for VLAN 10 devices whenever possible, so pre-emption
must be enabled. The same setting applies to R2 and VLAN 20 devices.
Note: HSRPv2 is a prerequisite for a configuration in an IPv6 environment.
Step 2 Configuration for tracking the uplinks in HSRP for IPv6 is the same as it is done in HSRP for
IPv4.

Note: For the tracking of interfaces to work properly, pre-emption must be configured so that the
decremented priority triggers the reelection process for the active router.

Step 3
R1(config-subif)# standby 10 timers msec 50 msec 200

Even if you would not configure the same timers for each IPv6 HSRP group on both routers, the
configuration on the active router would overwrite the preconfigured timers on the standby
router.
Challenge 16: Control Network Access with Port
Security
Step 1
R1(config)# interface ethernet0/0
R1(config-if)# no cdp enable
In this lab, Cisco Discovery Protocol is enabled on all devices and all of their interfaces. The
protocol should be disabled on ports that connect to outside networks so that you do not
advertise information for your network to outside networks. In this lab, Cisco Discovery
Protocol should be disabled on the Ethernet 0/0 interface of R1, because this interface is the path
through which your network connects to the Internet.
Step 2
DSW2(config)# interface range ethernet 1/1, ethernet 1/2
DSW2(config-if-range)# switchport port-security mac-address sticky
DSW2(config-if-range)# switchport port-security
DSW2(config-if-range)# end
SW(config)# interface range ethernet 0/2, ethernet 0/3

SW(config-if-range)# switchport port-security mac-address sticky
SW(config-if-range)# switchport port-security
SW(config-if-range)# end
SW# copy running-config startup-config
Port security restricts a switch port to a specific set of MAC addresses, and it should be
configured on all ports that connect to end devices. Because both SW and DSW2 connect to end
devices, port security must be configured on both.
When SW and DSW2 learn the MAC addresses of the PCs, you have to save the running
configuration so that the learned MAC addresses stay in the configuration even if switches
reboot.
Step 3
DSW1(config)# no enable password
DSW1(config)# enable secret c1sc0
The enable secret command is preferred to the enable password command, because it uses a
nonreversible encryption method. The enable secret password is already configured on R1,
DSW2, and SW. You only have to change the replace password to the enable secret password on
DSW1.
Step 4
SW(config)# service password-encryption
You cannot use strong authentication for console and vty access, so you should secure the

passwords by using service password-encryption, which prevents casual passersby from seeing
cleartext passwords.
All devices have vty and console passwords configured. The service password-encryption
command is enabled on all devices, except on SW.
Step 5
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
For remote access, Telnet is considered insecure. Use SSH whenever possible. SSH is
configured on all devices. All devices, except R1, already have only SSH allowed. R1 has only
Telnet allowed, so you just have to reconfigure it and allow only SSH.
Step 6
R1(config)# banner login C Unauthorized activities will be grounds for prosecution! C
After users successfully access a device, they need to know the access policies of your
organization. The goal is to warn unauthorized users that their activities could be grounds for
prosecution.
DSW1, DSW2, and SW have system banners already configured. You only have to configure a
banner on R1.
Step 7
SW(config)# interface range ethernet1/0-3
SW(config-if-range)# switchport access vlan 199
SW(config-if-range)# shutdown
SW(config-if-range)# exit
All unused switch ports should be shut down, configured with the switchport mode access
command, and put into an isolated VLAN to prevent unauthorized users from connecting to your
network.
Unused ports have already been secured on R1, DSW1, and DSW2. Unused ports on SW have
already been configured as access ports. You only have to shut them down and put them into an
isolated VLAN. VLAN 199 is used for consistency with other network devices.
Step 8
DSW2(config)# interface range ethernet 1/1, ethernet 1/2
DSW2(config-if-range)# no spanning-tree bpdufilter enable
Always enable PortFast on ports that connect to end devices. BPDU guard should also be
enabled on these ports, so if an unexpected BPDU is received, the port is automatically shut
down. BPDU filter and BPDU guard must not be configured at the same time; otherwise, only
BPDU filter will take effect.
SW has already configured PortFast and BPDU guard on all access ports. DSW2, however, has
configured PortFast and both BPDU filter and BPDU guard. Because they should not be
configured at the same time, the BPDU filter configuration has to be removed from DSW2.
Step 9
DSW1(config)# no ip http server
R1, DSW2, and SW already have HTTP disabled, so you only have to disable HTTP on DSW1.

Glossary
ICMP
Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other
information relevant to IP packet processing. Documented in RFC 792.
IOL
Special build of Cisco IOS Software for Linux, created specially for virtualized environments.
OSPF
Open Shortest Path First. Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in
the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing.
OSPF was derived from an early version of the IS-IS protocol.
© 2014 Cisco Systems, Inc. Lab Guide 179

180 V2 ILT LAB GUIDE Implementing Cisco IP Switched Networks SWITCH © 2014 Cisco Systems, Inc.

V2 Ilt Lab Guide Implementing Cisco IP Switched Networks: Switch

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

V2 Ilt Lab Guide Implementing Cisco IP Switched Networks: Switch

Hochgeladen von

Copyright:

Verfügbare Formate

SWITCH

V2 ILT LAB GUIDE

© 2014 Cisco Systems, Inc.

© 2014 Cisco Systems, Inc. Lab Guide i

© 2014 Cisco Systems, Inc. Lab Guide I

Device IP Address Telnet Password Enable Password

PC1 192.168.0.101 cisco cisco

SW1 192.168.0.10 cisco cisco

SW2 192.168.0.20 cisco cisco

DSW1 192.168.0.30 cisco cisco

DSW2 192.168.0.40 cisco cisco

R1 192.168.10.2 cisco cisco

configure terminal Enters global configuration mode.

enable Enters privileged EXEC mode.

ping ip-address Checks the connectivity to the specified IP address.

show ip interface brief Shows IP interface configuration in a condensed form.

show mac address-table Shows the CAM table.

Task 1: Network Discovery

Use this section to verify your Challenge results.

6 Lab Guide © 2014 Cisco Systems, Inc.

SW2# show interfaces description

DSW1# show interfaces description

DSW2# show interfaces description

R1# show interfaces description

If you do not see the desired results, verify the following:

The following is a specification list that the customer handed to you:

Device Interface Connects To Neighbor Interface

PC1 Ethernet 0/0 SW1 Ethernet 0/1

PC2 Ethernet 0/0 SW1 Ethernet 0/2

PC3 Ethernet 0/0 SW2 Ethernet 0/1

SRV Ethernet 0/0 SW2 Ethernet 0/2

SW1 Ethernet 0/0 Core1 Ethernet 0/1

SW2 Ethernet 0/0 Core1 Ethernet 0/2

Device Interface IP Address

Core1 VLAN 22 192.168.22.1/24

Core1 Eth0/2 192.168.2.1/24

SW2 VLAN 33 192.168.33.1/24

SW2 Eth0/0 192.168.2.2/24

12 Lab Guide © 2014 Cisco Systems, Inc.

configure terminal Enters global configuration mode.

enable Enters privileged EXEC mode.

Task 1: Configure DHCP

Use this section to verify your Challenge results.

If you did not get the desirable results, check that:

14 Lab Guide © 2014 Cisco Systems, Inc.

The following is a specification list that the customer handed to you:

Device Interface Connects To Neighbor Interface

PC1 Ethernet 0/0 SW1 Ethernet 0/1

PC2 Ethernet 0/0 SW1 Ethernet 0/2

PC3 Ethernet 0/0 SW2 Ethernet 0/1

SRV Ethernet 0/0 SW2 Ethernet 0/2

SW1 Ethernet 0/0 Core1 Ethernet 0/1

SW2 Ethernet 0/0 Core1 Ethernet 0/2

Device Interface IP Address

Core1 Eth0/2 2001:DB8:99::1/64

Core1 VLAN22 2001:DB8:16::1/64

SW2 Eth0/0 2001:DB8:99::2/64

SW2 VLAN33 2001:DB8:21::1/64

20 Lab Guide © 2014 Cisco Systems, Inc.

configure terminal Enters global configuration mode.

enable Enters privileged EXEC mode.

show ipv6 dhcp interface brief Displays DHCPv6 interface information.

Task 1: Configure DHCPv6