The Bryant Advantage BCMSN Lab Workbook

Chris Bryant, CCIE #12933

Index

Connecting And Navigating To Your Pod
VLAN, VTP, And Trunking
STP
General Switch Commands
HSRP
Switch Security
SPAN
Multilayer Switch Commands
One Final Bonus Command

Overview

Welcome!

Welcome To The Bryant Advantage BCMSN Lab Workbook! Used in combination with my CCNA / CCNP Rack Rentals, this book will help you master all the skills you'll need to pass the BCMSN exam, and give you a solid foundation for your future Cisco studies.

The best way to learn about Cisco technologies is to use them. You've got to read to learn the theory, but it's vital to see the theory in action. With that in mind, let's take a look at the network topology you'll use in this lab workbook.

There are two additional Cisco routers in your pod that are not shown here. The first is a router acting as a frame relay switch, which makes it possible to have a frame relay cloud in a practice lab. Your frame relay switch is preconfigured. (If you'd like to see the configuration of a frame relay switch, visit my website and check the Home Lab Help section.) The second router is the access server; that's the router you will actually be using Telnet to communicate with. There is no need to change the configuration of this device.

Please Read The Following Rules Carefully. They're Not The Usual Mumbo Jumbo Legalities.

By connecting to my remote labs, you agree to abide by the following rules:

1. Do not change the configuration of the access server in any way. Doing so may end your session, and a refund will not be given. You will also be prohibited from renting the pods in the future.

2. Do not change the configuration register of any router or switch.

3. You are more than welcome to practice your enable secret, enable password, console password, and telnet passwords. However, you MUST use the passwords cisco or ccna, without the quotation marks. Upper case or lower case is fine. Thank you!

Connecting To Your Pod

Getting started with your pod of Cisco routers and 2950 switches is easy! First, you'll need to Telnet to your access server. Your connection information will be emailed to you when you make your rack reservations. You can use any Telnet version to connect to your access server. You can use HyperTerminal if you like, but I've seen some versions have trouble with Telnet. If you use HyperTerminal and have trouble authenticating, use Telnet by going out to your C: prompt. From your C: prompt, you can type telnet to go into Microsoft telnet, or type telnet x.x.x.x, with the IP address in place of the xs.

C:\> telnet
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet> open 100.100.100.100 (put the IP address you were sent in email in place of the 100.100.100.100)

User Access Verification

Username:
Password:

OR:

C:\>telnet 100.100.100.100

User Access Verification

Username:
Password:

A few tips for logging in:

1. You will be prompted for a username, then a password.

2. Do not hit the space bar at the end of entering either; this will send a null space and you will not be authenticated.

3. The cursor WILL NOT MOVE when you enter your username and password. That's a Cisco default. You will not see asterisks, as you do when logging in to most Microsoft products.

After entering your username and password, you'll be put into privileged exec mode on the access server:

User Access Verification

Password:
THE_BRYANT_ADVANTAGE_15x#

Your three routers and two Cisco switches are all connected to this access server. Here's how to access each device. First, clear the lines leading to the other devices.

THE_BRYANT_ADVANTAGE_16x#clear line 01
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 02
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 03
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 04
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#clear line 05
[confirm]
[OK]
THE_BRYANT_ADVANTAGE_16x#

When you see the [confirm] choice, just hit your enter key to accept it. Now that the lines are cleared, you're going to connect to each device from your access server. This reads like a long process, but it will only take you a minute or two.

Type R1 at the prompt:

THE_BRYANT_ADVANTAGE_16x#r1
Trying R1 (100.1.1.1, 2001)... Open

R1#

Note: When you see the word Open, hit the Enter key again. You'll then see the prompt for R1. Now, you need to learn the big keystroke that you'll be using to go back from the access server. Here it is:

<CTRL SHIFT 6> <X>

This keystroke is a little awkward at first, but before long you'll be doing it without thinking about it. You hit ctrl-shift-6 the same way you'd enter ctrl-alt-delete (we all know that one!), then release those keys and hit x. Then you're right back at the access server. Repeat the process for R2, R3, SW1, and SW2.

R1#
< Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#r2
Trying R2 (100.1.1.1, 2002)... Open
R2#
< Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#r3
Trying R3 (100.1.1.1, 2003)... Open
R3#
< Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#sw1
Trying SW1 (100.1.1.1, 2004)... Open
sw1#
< Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#sw2
Trying SW2 (100.1.1.1, 2005)... Open
sw2#
< Use above keystroke to go back to access server >
THE_BRYANT_ADVANTAGE_16x#

Remember, you're always coming back to the access server to get from one router to another. Before long, you'll be using that keystroke without even thinking about it. Now that you've created those connections, you will use only the number of the connection to go back to each device. At the access server, just type these numbers to get to each device:

1: R1
2: R2
3: R3
4: SW1
5: SW2

Don't type the entire name of the device again; just type the numbers you see here on the access server, as shown below.

THE_BRYANT_ADVANTAGE_16x#1
[Resuming connection 1 to r1 ... ]
R1#
THE_BRYANT_ADVANTAGE_16x#2
[Resuming connection 2 to r2 ... ]
R2#
THE_BRYANT_ADVANTAGE_16x#3
[Resuming connection 3 to r3 ... ]
R3#
THE_BRYANT_ADVANTAGE_16x#4
[Resuming connection 4 to sw1 ... ]
sw1#
THE_BRYANT_ADVANTAGE_16x#5
[Resuming connection 5 to sw2 ... ]
sw2#
THE_BRYANT_ADVANTAGE_16x#

Don't forget to hit enter again after you see the resuming connection message. That will get you to the enable prompt. That's all there is to it!

Since this is a switching exam, you'll be spending more of your time on the switches! However, you will use the routers in the HSRP lab. R1 is connected to the frame relay cloud via Serial0. R2 is connected to the frame relay cloud via Serial0 and to SW1 via Ethernet0. R3 is connected to the frame relay cloud via Serial0 and to SW2 via Ethernet0. SW1 is connected to R2 via fast 0/2 and to SW2 via fast 0/11 and 0/12. SW2 is connected to R3 via fast 0/3 and to SW1 via fast 0/11 and 0/12. R1 and R2 are also connected to an ISDN simulator, and there's a direct serial connection between R1 and R3. These connections are not shown because they're not used in this lab book, but you're welcome to use them. ISDN phone numbers will be included in your reservation confirmation email.

VLANs, VTP, and Trunks

Create the VTP domain CCNP on SW1. Run show vtp status on SW1 and SW2 to verify.

SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP

SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP

Verify the trunk between SW1 and SW2 with show interface trunk.

SW1#show interface trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking      1
Fa0/12    desirable    802.1q         trunking      1

On SW2, change the trunking mode on fast 0/11 and fast 0/12 to dynamic auto, then to unconditional trunking. Note that the trunk doesn't come down.
SW2(config)#int fast 0/11
SW2(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
SW2(config-if)#switchport mode dynamic auto
SW2(config-if)#switchport mode trunk
SW2(config)#int fast 0/12
SW2(config-if)#switchport mode trunk

Both switches will be VTP servers, so create VLAN 32 on either one. Run show vlan brief to verify.
SW2(config)#vlan 32

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
32   VLAN0032                         active

Change the native VLAN to VLAN 32 with the switchport trunk native vlan 32 command. You'll need to configure this on fast 0/11 and fast 0/12 on both switches. Be prepared for the trunk to come down during the process.
SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk native vlan 32
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport trunk native vlan 32
SW2(config)#int fast 0/11
SW2(config-if)#switchport trunk native vlan 32
SW2(config-if)#int fast 0/12
SW2(config-if)#switchport trunk native vlan 32

Run show interface trunk on both switches to ensure that the trunk is up and that the native VLAN was successfully changed. (This is going to sound strange, but get into the habit of checking both switches with show interface trunk. Every once in a while, you'll get a response to this command on one switch that doesn't match up to the other switch's response.)

SW2#show interface trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    on           802.1q         trunking      32
Fa0/12    desirable    802.1q         trunking      32

SW1#show int trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking      32
Fa0/12    desirable    802.1q         trunking      32

On SW1, disable Dynamic Trunking Protocol (DTP) on both fast 0/11 and 0/12.
SW1(config)#int fast 0/11
SW1(config-if)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport nonegotiate
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport nonegotiate

As you quickly noticed, you can't turn DTP off when the port is in any dynamic state. Making the port an unconditional trunk port with switchport mode trunk allowed us to turn DTP off. Prevent traffic for VLAN 1000 from being sent over fast 0/11 and 0/12 on SW1 and SW2 with the switchport trunk allowed vlan command. Verify with show interface trunk.
SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk allowed vlan except 1000
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport trunk allowed vlan except 1000

SW1#show interface trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    on           802.1q         trunking      32
Fa0/12    on           802.1q         trunking      32

Port      Vlans allowed on trunk
Fa0/11    1-999,1001-4094
Fa0/12    1-999,1001-4094
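The habit the lab keeps pressing (run show interface trunk on both ends and compare) is worth automating. The following script is an added example, not part of the workbook: it parses the show interface trunk output of two switches and reports native VLAN mismatches (the condition CDP logs as a native VLAN mismatch), ports still negotiating DTP (mode other than "on"), and allowed VLAN lists that differ between the two ends. The two outputs embedded in it are constructed samples in the format shown above, not captures from the racks.

```python
"""Audit a trunk between two switches from their 'show interface trunk' output.

Added example, not part of the workbook.  It applies the checks the lab
walks through by hand: run the command on BOTH ends, confirm the native
VLANs agree, confirm DTP is no longer negotiating (mode 'on'), and confirm
both ends allow the same VLANs.  SW1_TRUNK and SW2_TRUNK are constructed
samples with deliberate problems on SW2, not real captures.
"""

SW1_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    on           802.1q         trunking      1
Fa0/12    on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/11    1-999,1001-4094
Fa0/12    1-999,1001-4094
"""

SW2_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    on           802.1q         trunking      32
Fa0/12    desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-999,1001-4094
"""


def expand_vlans(spec):
    """'1-999,1001-4094' -> set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(text):
    """Return {port: {'mode', 'encap', 'status', 'native', 'allowed'}}."""
    ports, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            # Each table in the output starts with its own 'Port ...' header.
            if "Native vlan" in line:
                section = "summary"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None      # 'allowed and active', 'forwarding': not needed here
            continue
        fields = line.split()
        if section == "summary":
            port, mode, encap, status, native = fields
            ports[port] = {"mode": mode, "encap": encap, "status": status,
                           "native": int(native), "allowed": set()}
        elif section == "allowed" and fields[0] in ports:
            ports[fields[0]]["allowed"] = expand_vlans(fields[1])
    return ports


def audit_trunk(local_name, local_text, remote_name, remote_text, port_pairs):
    """Compare each local port with its remote peer; return a list of findings."""
    local, remote = parse_trunks(local_text), parse_trunks(remote_text)
    findings = []
    for lport, rport in port_pairs.items():
        l, r = local[lport], remote[rport]
        if l["native"] != r["native"]:
            # Same shape as the %CDP-4-NATIVE_VLAN_MISMATCH message: (local), with peer (remote)
            findings.append(f"Native VLAN mismatch on {local_name} {lport} ({l['native']}), "
                            f"with {remote_name} {rport} ({r['native']})")
        if l["allowed"] != r["allowed"]:
            only = sorted(l["allowed"] ^ r["allowed"])
            findings.append(f"Allowed VLAN lists differ on {local_name} {lport}/{remote_name} {rport}: "
                            f"{len(only)} VLAN(s) allowed on one side only (e.g. {only[0]})")
        for name, port, info in ((local_name, lport, l), (remote_name, rport, r)):
            if info["mode"] != "on":
                findings.append(f"{name} {port}: mode '{info['mode']}', DTP still negotiating "
                                f"(use switchport mode trunk + switchport nonegotiate)")
    return findings


if __name__ == "__main__":
    for finding in audit_trunk("SW1", SW1_TRUNK, "SW2", SW2_TRUNK,
                               {"Fa0/11": "Fa0/11", "Fa0/12": "Fa0/12"}):
        print(finding)
```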

Add the VLANs right back with the same command. Verify again with show interface trunk.
SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk allowed vlan add 1000
SW1(config-if)#int fast 0/12
SW1(config-if)#switchport trunk allowed vlan add 1000

Feel free to experiment with this command - add, remove, and the other options. The more you use it, the better you'll be with it on the exam. Run show vtp status on both switches and note the configuration revision number.
SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 1

SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 1

On SW2, delete VLAN 32. Run show vlan brief on SW2 to verify, then show vtp status to note the configuration revision number.
SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 2

The revision number moved up to 2, as expected. Run both commands on SW1 as well.
SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 2

Since we just deleted our native VLAN, it would be a good idea to set that value back to VLAN 1! On SW1, use the switchport trunk native vlan command to do so. Be prepared to see an error message such as the one seen below.

SW1(config)#int fast 0/11
SW1(config-if)#switchport trunk native vlan 1
SW1(config)#int fast 0/12
SW1(config-if)#switchport trunk native vlan 1
05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/11 (1), with SW2 FastEthernet0/11 (32).
05:32:33: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/12 (1), with SW2 FastEthernet0/12 (32).

The numbers in the parens can be very helpful if you don't spot the problem right away. The first paren is the native VLAN according to the local switch port, and the second paren is the native VLAN according to the remote switch port. On SW2, use the no switchport trunk native vlan 32 command on both trunk ports. Run show interface trunk to verify the trunk is up and running.
SW2(config)#int fast 0/12
SW2(config-if)#no switchport trunk native vlan 32
SW2(config-if)#int fast 0/11
SW2(config-if)#no switchport trunk native vlan 32

SW2#show int trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    on           802.1q         trunking      1
Fa0/12    on           802.1q         trunking      1

The trunk is up and the native VLAN has reverted back to VLAN 1. Put SW2 into VTP Client mode and try to create a VLAN on it.
SW2(config)#vtp mode client
Setting device to VTP CLIENT mode.
SW2(config)#vlan 50
VTP VLAN configuration not allowed when device is in CLIENT mode.

Just one more reminder about that little fact. :) Put the switch back into server mode.
SW2(config)#vtp mode server
Setting device to VTP SERVER mode

On SW2, enable VTP pruning. Then check on SW1 and see if pruning shows as enabled on that switch as well.

SW2(config)#vtp pruning
Pruning switched on

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 64
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Enabled

To finish this section, let's get some practice in with the interface range command. I can't stress this enough - this command can save you a lot of time on Cisco exams as well as when working on production networks. I urge you to get some practice in with this command and be comfortable with it. Configure ports 0/8 - 10 on both switches with the interface range command. Enable portfast on all three ports, set the speed to 100 Mbps, and the duplex to full.

SW1(config)#interface range fast 0/8 - 10
SW1(config-if-range)#spanning portfast
SW1(config-if-range)#speed 100
SW1(config-if-range)#duplex full
SW2(config)#interface range fast 0/8 - 10
SW2(config-if-range)#spanning portfast
SW2(config-if-range)#speed 100
SW2(config-if-range)#duplex full

Spanning Tree Protocol

Keep in mind that the MAC addresses you see in this lab are NOT necessarily going to be the ones you see during your time on my racks, and they won't be the same ones you have in your home lab. When we're going back and forth between root bridges in this exercise, they won't necessarily be the same ones that are the root bridges when you run the labs. Run show spanning-tree vlan 1 on both switches and identify the root.

SW1#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000e.d7f5.a040
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

On the nonroot bridge, run show spanning vlan 1 and note the port costs.

SW2#show spanning vlan 1
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------
Fa0/11           Root FWD 19        128.11   P2p
Fa0/12           Altn BLK 19        128.12   P2p

We'll now change the root port cost of fast 0/12 with the spanning cost command. Change this cost to 15, then run show spanning vlan 1 again.
SW2(config)#int fast 0/12
SW2(config-if)#spanning-tree cost 15

SW2#show spanning vlan 1
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------
Fa0/11           Root BLK 19        128.11   P2p
Fa0/12           Altn LIS 15        128.12   P2p

The root port selection has changed because fast 0/12's port cost is now less than 0/11. Fast 0/11 goes into blocking mode and 0/12 will go through the STP port states until it reaches the Forwarding state. Change the STP timers on the root bridge.
SW1(config)#spanning vlan 1 hello 5
SW1(config)#spanning vlan 1 forward-time 12
SW1(config)#spanning vlan 1 max-age 15

On SW2, run show spanning vlan 1. Note that the timers changed under Root ID, but not Bridge ID. The local switch's settings are under Bridge ID, but it's the timer values announced by the Root Bridge that are the ones being used.
SW2#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000e.d7f5.a040
             Cost        15
             Port        12 (FastEthernet0/12)
             Hello Time   5 sec  Max Age 15 sec  Forward Delay 12 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.90e2.14c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Make the nonroot bridge the root bridge for VLAN 1 with spanning-tree vlan 1 root primary. Run show spanning vlan 1 to verify.
SW2(config)#spanning-tree vlan 1 root primary

SW2#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.90e2.14c0
             This bridge is the root

Make the new nonroot bridge the root bridge again with the spanning-tree vlan 1 priority command. Set the priority to 10000.
SW1(config)#spanning-tree vlan 1 priority 10000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440

In that case, make it 8192. ;) Verify with show spanning vlan 1.

SW1(config)#spanning-tree vlan 1 priority 8192

SW1#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     000e.d7f5.a040
             This bridge is the root
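The three root-bridge changes above all come down to comparing bridge IDs. The script below is an added example, not part of the workbook: it models the election for one VLAN using the priorities and MAC addresses shown in the outputs, explains the 32769 / 24577 / 8193 values as priority plus the extended system ID, rejects a priority that is not a multiple of 4096 exactly as the switch did, and models root primary the way IOS documents it (24576, or 4096 below the lowest other bridge when that bridge is already at 24576 or less).

```python
"""PVST root-bridge election for one VLAN, modelled on the SW1/SW2 steps above.

Added example, not from the workbook.  The bridge ID is the priority plus
the extended system ID (the VLAN number), which is why the outputs show
32769, 24577 and 8193; the lowest bridge ID (priority first, MAC as the
tiebreaker) is root.
"""

PRIORITY_STEP = 4096
ALLOWED_PRIORITIES = list(range(0, 65536, PRIORITY_STEP))   # 0 .. 61440


def check_priority(value):
    """Reject what the switch rejects: a priority that is not a multiple of 4096."""
    if value not in ALLOWED_PRIORITIES:
        raise ValueError("Bridge Priority must be in increments of 4096. "
                         "Allowed values are: " + " ".join(map(str, ALLOWED_PRIORITIES)))
    return value


def bridge_id(priority, vlan, mac):
    """(priority + sys-id-ext, MAC): the Priority/Address pair 'show spanning-tree' prints."""
    return (check_priority(priority) + vlan, mac.lower())


def elect_root(bridges, vlan):
    """bridges: {name: (priority, mac)} -> name of the root for this VLAN (lowest bridge ID)."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], vlan, bridges[n][1]))


def root_primary(bridges, name):
    """Priority that 'spanning-tree vlan <v> root primary' would configure on `name`.

    IOS uses 24576 when that is enough to win; if some other bridge is
    already at 24576 or lower, it goes 4096 below the lowest one.
    """
    lowest_other = min(prio for n, (prio, _) in bridges.items() if n != name)
    if lowest_other > 24576:
        return 24576
    return max(lowest_other - PRIORITY_STEP, 0)


def lab_walkthrough():
    """Replay the lab: defaults, SW2 root primary, SW1 priority 10000 (rejected), SW1 8192."""
    vlan = 1
    sw = {"SW1": (32768, "000e.d7f5.a040"),    # MACs as shown in the lab output
          "SW2": (32768, "000f.90e2.14c0")}
    history = [("defaults", elect_root(sw, vlan))]              # 32769 vs 32769: lower MAC wins

    sw["SW2"] = (root_primary(sw, "SW2"), sw["SW2"][1])         # 24576, displayed as 24577
    history.append(("SW2 root primary", elect_root(sw, vlan)))

    try:
        sw["SW1"] = (check_priority(10000), sw["SW1"][1])       # not a multiple of 4096
    except ValueError:
        history.append(("SW1 priority 10000", "rejected"))

    sw["SW1"] = (8192, sw["SW1"][1])                            # displayed as 8193
    history.append(("SW1 priority 8192", elect_root(sw, vlan)))
    return history, sw


if __name__ == "__main__":
    steps, final = lab_walkthrough()
    for step, root in steps:
        print(f"{step:20s} -> root: {root}")
```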

Place port 0/5 on SW1 into Portfast. By now, you know what you'll see! BUT... there's another Portfast option that we'll look at when we come to the end of this lab workbook.
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/5 but will only
 have effect when the interface is in a non-trunking mode.

Enable Uplinkfast on each switch. Do the same for Backbonefast. Remember, in production networks (and the exam), Uplinkfast is best suited for wiring-closet switches, and Backbonefast should be configured on all switches in the network.
SW1(config)#spanning uplinkfast
SW2(config)#spanning uplinkfast
SW1(config)#spanning backbonefast
SW2(config)#spanning backbonefast

Assume that a third switch will be added to SW2's fast 0/7 port, and this switch must not become the root bridge. Configure Root Guard on this port to meet that requirement.
SW2(config)#int fast 0/7
SW2(config-if)#spanning-tree guard root

On SW1, fast 0/5 has already been configured with Portfast. Just to make sure a switch doesn't get connected to that port, configure BPDU Guard on fast 0/5. This port will now shut down if a BPDU is received on it.
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree bpduguard
% Incomplete command.

SW1(config-if)#spanning-tree bpduguard ?
  disable  Disable BPDU guard for this interface
  enable   Enable BPDU guard for this interface
SW1(config-if)#spanning-tree bpduguard enable

Enable aggressive UDLD globally on both switches.

SW1(config)#udld aggressive
SW2(config)#udld aggressive

On both switches, run show spanning-tree summary. This command doesn't get mentioned often, but once you've got some STP features running, it's a good command to know. You can see that SW2 isn't the root bridge for any VLAN, and you can also see what features are and are not enabled on this switch.
SW2#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is enabled
BackboneFast                 is enabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     1         0        0          1          2
VLAN0080                     1         0        0          1          2
---------------------- -------- --------- -------- ---------- ----------
2 vlans                      2         0        0          2          4

Since Loop Guard isn't configured on this switch, let's do so on port 0/1.
SW2(config)#interface fast 0/1
SW2(config-if)#spanning-tree guard loop

Run show spanning summary again and you'll see "Loopguard" is enabled, and the word "default" is gone. When you see default next to a value in this command, you know that it's running at the default.

General Switch Commands

On SW2, configure the switch to autorecover from all port err-disabled conditions with the errdisable recovery cause command. Before selecting "all" as the option, use IOS Help to look at the other options. As you can see, there are a lot of different ways for a port to go into err-disabled state! Set the duration of the err-disabled state to 300 seconds.

SW2(config)#errdisable recovery cause all
SW2(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
SW2(config)#errdisable recovery interval 300

Create an Etherchannel over ports fast 0/11 and 0/12 on each switch. Use PAgP auto mode on SW1 and PAgP desirable on SW2. Be prepared for quite a few "line protocol down" and "line protocol up" messages while you're building the EC.

SW1(config)#int fast 0/11
SW1(config-if)#channel-group 1 mode auto
Creating a port-channel interface Port-channel 1
SW1(config-if)#int fast 0/12
SW1(config-if)#channel-group 1 mode auto
SW2(config)#int fast 0/11
SW2(config-if)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
SW2(config-if)#int fast 0/12
SW2(config-if)#channel-group 1 mode desirable

Verify the EC with show interface trunk. If you don't see anything, check each physical port with show interface fast 0/x and see if the port was placed into err-disabled state during the EC configuration. If so, simply open the interface manually.
SW2#show interface trunk
Port      Mode         Encapsulation  Status        Native vlan
Po1       on           802.1q         trunking      1

For further verification, run show interface port-channel 1. Note the defaults for the speed and duplex. (It's out of the scope of the BCMSN exam, but when an EC is configured on a multilayer switch, it can be made a Layer 3 EC and have an IP address assigned.)
SW2#show interface port-channel 1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 000f.90e2.14cb (bia 000f.90e2.14cb)
  MTU 1500 bytes, BW 200000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 100Mb/s

Hot Standby Routing Protocol

The following lab can be run on routers or switches, and in my racks we're going to run HSRP on R2 and R3. R2's Serial0 interface line protocol must be up as well, so you'll need to bring the Frame Relay interfaces up on R1, R2, and R3. The Frame Relay switch in my labs is preconfigured, so you'll only need to apply the following commands on the routers:

R1:
interface serial0
 ip address 172.12.123.1 255.255.255.0
 encap frame
 no frame inverse
 frame map ip 172.12.123.2 122 broadcast
 frame map ip 172.12.123.3 123 broadcast

R2:
interface serial0
 ip address 172.12.123.2 255.255.255.0
 encap frame
 no frame inverse
 frame map ip 172.12.123.1 221 broadcast
 frame map ip 172.12.123.3 221

R3:
interface serial0
 ip address 172.12.123.3 255.255.255.0
 encap frame
 no frame inverse
 frame map ip 172.12.123.1 321 broadcast
 frame map ip 172.12.123.2 321

Don't forget to open the interfaces! All interfaces should be able to ping each other. The important thing is that R2's Serial0 line protocol is up. R2 and R3 are also connected via an Ethernet segment. Configure 172.12.23.2 /24 on R2's e0 interface and 172.12.23.3 /24 on R3's e0 interface. Both ports should be in the same VLAN and pings should be successful between the two routers over that interface. Configure R2 and R3 to use 172.12.23.10 as the IP address of the virtual router. On R2, run show standby to view the HSRP details. If the router isn't in Active or Standby state yet, give it half a minute and run it again.
R2(config)#int e0
R2(config-if)#standby 1 ip 172.12.23.10
R3(config)#int e0
R3(config-if)#standby 1 ip 172.12.23.10

R2#show standby
Ethernet0 - Group 1
  Local state is Standby, priority 100
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 0.170
  Virtual IP address is 172.12.23.10 configured
  Active router is 172.12.23.3, priority 100 expires in 7.452
  Standby router is local
  1 state changes, last state change 00:01:07
  IP redundancy name is "hsrp-Et0-1" (default)

R2 is the standby, R3 the Active router. Configure R2 as the Active by setting its priority to 105. Verify with show standby.

R2(config)#int e0
R2(config-if)#standby 1 priority 105

R2#show standby
Ethernet0 - Group 1
  Local state is Standby, priority 105
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 0.832
  Virtual IP address is 172.12.23.10 configured
  Active router is 172.12.23.3, priority 100 expires in 8.340
  Standby router is local
  1 state changes, last state change 00:02:40
  IP redundancy name is "hsrp-Et0-1" (default)

R2's priority is now higher than R3's, but it's not the Active router. For R2 to become the Active while the current Active router is still online, the preempt option must be configured. Depending on the IOS version, the preempt will either be set at the end of the priority command, or on a line of its own.
R2(config)#int e0
R2(config-if)#standby 1 preempt
07:55:25: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active

We see a message that the local router has gone from Standby to Active, but always verify. Trust, but verify - and we do that with show standby.
R2#show standby
Ethernet0 - Group 1
  Local state is Active, priority 105, may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 2.394
  Virtual IP address is 172.12.23.10 configured
  Active router is local
  Standby router is 172.12.23.3, priority 100 expires in 7.428
  Virtual mac address is 0000.0c07.ac01
  2 state changes, last state change 00:00:56
  IP redundancy name is "hsrp-Et0-1" (default)

R2 is now the Active router. Change the MAC address of the virtual router to aa-aa-aa-aa-aa-aa with the standby mac-address command. Verify with show standby.
R2(config)#int e0
R2(config-if)#standby 1 mac-address aaaa.aaaa.aaaa
07:57:57: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Active -> Learn
07:58:09: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Listen -> Active

R2#show standby
Ethernet0 - Group 1
  Local state is Active, priority 105, may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 0.800
  Virtual IP address is 172.12.23.10 configured
  Active router is local
  Standby router is 172.12.23.3, priority 100 expires in 9.068
  Virtual mac address is aaaa.aaaa.aaaa configured
  4 state changes, last state change 00:00:10
  IP redundancy name is "hsrp-Et0-1" (default)

Notice the word "configured" next to the MAC address in show standby. That indicates that this particular MAC address was statically configured.

We'll now configure HSRP interface tracking. If the line protocol on R2's Serial0 goes down, we want R3 to become the Active router, since its serial line will still be up. R2's priority is 105, and R3's is 100. Since the default priority decrement with interface tracking is 10, we'll leave the default in place. If we wanted to change the decrement, that value is placed at the end of the standby track command.

R2(config-if)#standby 1 track serial0 ?
  <1-255>  Priority decrement
  <cr>
R2(config-if)#standby 1 track serial0

To test the configuration, R2's Serial0 interface will be shut down. After shutting that port down, run show standby to see the results.
R2(config-if)#int s0
R2(config-if)#shut

R2#show standby
Ethernet0 - Group 1
  Local state is Active, priority 95 (confgd 105), may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 2.506
  Virtual IP address is 172.12.23.10 configured
  Active router is local
  Standby router is 172.12.23.3, priority 100 expires in 7.736
  Virtual mac address is aaaa.aaaa.aaaa configured
  4 state changes, last state change 00:06:36
  IP redundancy name is "hsrp-Et0-1" (default)
  Priority tracking 1 interface, 0 up:
    Interface     Decrement  State
    Serial0       10         Down (administratively down)

The priority did go down, and the priority tracking even shows how the line went down! But this router is still the Active router, even though its priority decremented to 95. Why? Because R3 needs the HSRP preempt option configured on it as well. A router can't take over from an Active router that's up unless the preempt option is configured.
R3(config)#int e0
R3(config-if)#standby 1 preempt
R3(config-if)#
08:06:22: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active

Within seconds, R3 becomes the Active router, verifying interface tracking. What happens when R2's Serial0 line protocol comes back up? Open it and see!
R2(config)#int s0
R2(config-if)#no shut
08:08:18: %STANDBY-6-STATECHANGE: Ethernet0 Group 1 state Standby -> Active
08:08:18: %SYS-5-CONFIG_I: Configured from console by console
08:08:19: %LINK-3-UPDOWN: Interface Serial0, changed state to up
08:08:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

Just that quickly, R2 becomes the Active router again, since its priority incremented by 10 when the line protocol came up. Watch that preempt option! ;)
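The whole R2/R3 sequence above (equal priorities, priority 105 without preempt, preempt, tracking decrement, preempt on R3, Serial0 back up) follows from three HSRP rules: highest effective priority wins (higher interface IP breaks ties), a tracked interface going down subtracts its decrement, and a live Active router is only displaced by a router that has preempt configured. The script below is an added example, not part of the workbook, that models those rules and replays the lab step by step with the names, addresses and priorities used above.

```python
"""HSRP active-router selection, modelled on the R2/R3 lab above.

Added example, not part of the workbook.  Names, IPs and priorities are
the lab's; the rules are standard HSRP: highest priority wins (ties go to
the higher interface IP), a tracked interface that is down lowers the
priority by its decrement (default 10), and a router only displaces a
live Active router when it has 'preempt' configured.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_DECREMENT = 10


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100                 # configured priority ('standby 1 priority N')
    preempt: bool = False               # 'standby 1 preempt'
    tracks: dict = field(default_factory=dict)      # tracked interface -> decrement
    interfaces: dict = field(default_factory=dict)  # interface -> line protocol up?

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        down = sum(dec for ifname, dec in self.tracks.items()
                   if not self.interfaces.get(ifname, True))
        return max(self.priority - down, 0)

    def key(self):
        """Election ranking: (effective priority, interface IP); higher wins."""
        return (self.effective_priority(), IPv4Address(self.ip))


def elect_active(routers, current_active=None):
    """Return the name of the router that should be Active.

    With no live Active router (initial election, or the Active went away)
    the best-ranked router wins.  Otherwise the incumbent keeps the role
    unless a better-ranked router has preempt enabled.
    """
    by_name = {r.name: r for r in routers}
    best = max(routers, key=Router.key)
    if current_active is None or current_active not in by_name:
        return best.name
    incumbent = by_name[current_active]
    if best.name != incumbent.name and best.preempt and best.key() > incumbent.key():
        return best.name
    return incumbent.name


def lab_walkthrough():
    """Replay the workbook's HSRP steps; return (step, Active router) pairs."""
    r2 = Router("R2", "172.12.23.2", interfaces={"Serial0": True})
    r3 = Router("R3", "172.12.23.3")
    group = [r2, r3]
    history = []

    active = elect_active(group)                      # both 100: higher IP (R3) wins
    history.append(("initial election", active))

    r2.priority = 105                                 # R2: standby 1 priority 105
    active = elect_active(group, active)              # no preempt on R2: R3 stays Active
    history.append(("R2 priority 105", active))

    r2.preempt = True                                 # R2: standby 1 preempt
    active = elect_active(group, active)              # 105 > 100 and may preempt: R2 Active
    history.append(("R2 preempt", active))

    r2.tracks["Serial0"] = DEFAULT_DECREMENT          # R2: standby 1 track serial0
    r2.interfaces["Serial0"] = False                  # R2: int s0 / shut -> priority 95
    active = elect_active(group, active)              # R3 (100) has no preempt: R2 stays
    history.append(("R2 Serial0 down", active))

    r3.preempt = True                                 # R3: standby 1 preempt
    active = elect_active(group, active)              # 100 > 95 and may preempt: R3 Active
    history.append(("R3 preempt", active))

    r2.interfaces["Serial0"] = True                   # R2: no shut -> back to 105
    active = elect_active(group, active)              # R2 preempts again
    history.append(("R2 Serial0 up", active))
    return history


if __name__ == "__main__":
    for step, who in lab_walkthrough():
        print(f"{step:18s} -> Active: {who}")
```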

Switch Security

Enable AAA, and assume a RADIUS server at 172.1.1.1. Assume a TACACS server at 172.2.2.2 as well. (RADIUS and TACACS configuration is out of the scope of the BCMSN exam, but it doesn't hurt to know the basic command. Use IOS Help at the end of both host commands to view the options.)

SW1(config)#aaa new-model
SW1(config)#radius-server host 172.1.1.1
SW1(config)#tacacs-server host 172.2.2.2

Create a local username / password database.

SW1(config)#username BRYANT password CCIE
SW1(config)#username SOPRANO password CCNP
SW1(config)#username WALNUTS password CCNA

Configure an AAA authentication method list that will use the RADIUS server first, then the TACACS+ server, then the local database.
SW1(config)#aaa authentication login default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication
SW1(config)#aaa authentication login default group radius tacacs local

Configure port security on SW2, port 0/5. The port should allow two secure MAC addresses. Change the default port security mode from shutdown to protect.
SW2(config)#int fast 0/5
SW2(config-if)#switchport port-security
Command rejected: Fa0/5 is not an access port.
SW2(config-if)#switchport mode access
SW2(config-if)#switchport port-security
SW2(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
SW2(config-if)#switchport port-security maximum 2
SW2(config-if)#switchport port-security violation protect

On SW1, configure 0/7 for dot1x authentication. The first step is to enable AAA. While we're at it, configure a default method list for authentication that will use the tacacs server and then any local database. Enable IEEE 802.1x with the dot1x system-auth-control command.


SW1(config)#aaa new-model
SW1(config)#aaa authentication dot1x default tacacs
SW1(config)#dot1x system-auth-control

Make fast 0/7 an access port and configure dot1x port control for Auto mode.

SW1(config-if)#int fast 0/7
SW1(config-if)#sw mode access
SW1(config-if)#dot1x port-control auto

Note: If you attempt to configure dot1x port authentication on a potential trunk port, you'll get the following error:

SW1(config-if)#dot1x port-control auto
Command rejected: Dynamic mode enabled on one or more ports. Dot1x is supported only on Ethernet interfaces configured in Access, Routed or Private-vlan Host Mode.

SPAN

Configure Local SPAN session 1 on SW1. Ports fast 0/1 - 5 will be the source ports, and port 0/6 will be the destination port.

SW1(config)#monitor session 1 source interface fast 0/1 - 5
SW1(config)#monitor session 1 destination int fast 0/6

Verify with show monitor. (Remember - it's not show span!)

SW1#show monitor
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1-5
Destination Ports : Fa0/6
    Encapsulation : Native
          Ingress : Disabled

Remove this session with no monitor session 1.

SW1(config)#no monitor session 1

We'll now configure a Remote SPAN (RSPAN) session. Create VLAN 45 as the special VLAN that will carry the mirrored traffic.

SW1(config)#vlan 45
SW1(config-vlan)#remote-span

The source port for this configuration will be fast 0/7 and the destination will be fast 0/7 on SW2.

SW1(config)#monitor session 1 source interface fast 0/7
SW1(config)#monitor session 1 destination remote vlan 45 reflector-port fast 0/12

SW2 will receive the traffic and send it to a network analyzer on fast 0/7.

SW2(config)#monitor session 1 source remote vlan 45
SW2(config)#monitor session 1 destination interface fast 0/7

Run show monitor to verify the configuration.

SW2#show monitor
Session 1
---------
Type              : Remote Destination Session
Source RSPAN VLAN : 45
Destination Ports : Fa0/7
    Encapsulation : Native
          Ingress : Disabled

Multilayer Switching Commands

R2 and R3 are both connected to the multilayer switch in your pod. R2 is on port fast 0/2, R3 on port fast 0/3. Assign the Ethernet0 interfaces on R2 and R3 the IP addresses shown in the diagram below. The routers will serve as hosts for this lab. The hosts will not be able to send pings to each other at this point.

R2#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

To get started, we'll put the port leading to Host 2 into VLAN 22, and the port leading to Host 3 in VLAN 33.
SW1(config)#int fast 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 22

SW1(config-if)#int fast 0/3
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 33

We're going to create two SVIs on the switch, one representing VLAN 22 and the other representing VLAN 33. Note that both SVIs show as up/up immediately after creation. Some Cisco and non-Cisco documentation mentions that you should open the SVIs after creating them, but that's not necessarily the case in the real world. Couldn't hurt, though. :)
SW1(config)#int vlan22
01:30:04: %LINK-3-UPDOWN: Interface Vlan22, changed state to up
01:30:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan22, changed state to up
SW1(config-if)#ip address 20.1.1.11 255.255.255.0

SW1(config-if)#int vlan33
01:30:11: %LINK-3-UPDOWN: Interface Vlan33, changed state to up
01:30:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan33, changed state to up
SW1(config-if)#ip address 30.1.1.11 255.255.255.0

Verify the SVIs with show interface vlan. I'll only show the top three rows of output for each SVI.

SW1#show int vlan11
Vlan11 is up, line protocol is up
  Hardware is EtherSVI, address is 0012.7f02.4b41 (bia 0012.7f02.4b41)
  Internet address is 20.1.1.11/24

SW1#show int vlan33
Vlan33 is up, line protocol is up
  Hardware is EtherSVI, address is 0012.7f02.4b42 (bia 0012.7f02.4b42)
  Internet address is 30.1.1.11/24

Now let's check that routing table...

SW1#show ip route
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

Hmm, that's not good. We don't have one! There's a simple reason, though - on L3 switches, we need to enable IP routing, because it's off by default!
SW1(config)#ip routing
SW1(config)#^Z
SW1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Vlan11
     30.0.0.0/24 is subnetted, 1 subnets
C       30.1.1.0 is directly connected, Vlan33

Now that looks like the routing table we've come to know and love! In this particular case, there's no need to configure a routing protocol. You recall from your CCNA studies that when router-on-a-stick is configured, the IP address assigned to the router's subinterfaces should be the default gateway setting on the hosts. When SVIs are in use, the default gateway set on the hosts should be the IP address assigned to the SVI that represents that host's VLAN. After setting this default gateway on the hosts, the hosts can now successfully communicate. Since we're using routers for hosts, we'll use the ip route command to set the default gateway.

R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.11
R3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.11

Can the hosts now communicate, even though they're in different VLANs? Yes, they can!
R2#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R3#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ports on multilayer switches can also be configured as routing ports, and have IP addresses assigned directly to them. R4 is connected to the multilayer switch off port 0/4. Configure the IP address shown in the diagram on R4's Ethernet0 interface before proceeding.

The ports on a multilayer switch will all be running in L2 mode by default. To configure a port as a routing port, use the no switchport command, followed by the appropriate IP address. Note that in the following configuration, the line protocol on the switch port goes down and comes back up in just a few seconds.
SW1(config)#interface fast 0/4
SW1(config-if)#no switchport
02:19:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
02:19:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
SW1(config-if)#ip address 210.1.1.11 255.255.255.0

We verify the IP address assignment with show int fast 0/4.

SW1#show int fast 0/4
FastEthernet0/4 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0012.7f02.4b43 (bia 0012.7f02.4b43)
  Internet address is 210.1.1.5/24

The switch can now ping 210.1.1.1, the downstream router.

SW1#ping 210.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 210.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Now we'll configure the switch to allow the hosts to ping R4. (They can ping 210.1.1.11, the switch's interface in that subnet, but not 210.1.1.1, the router's interface.)

The router has no path to either 20.1.1.0/24 or 30.1.1.0/24, so there's no way for the pings to get back to Host 2 or Host 3.

R4#show ip route
< code table removed for clarity >
Gateway of last resort is not set
C    210.1.1.0/24 is directly connected, FastEthernet0/0

To remedy that, we'll now configure a dynamic routing protocol between the L3 switch and the router. We'll use EIGRP in this case.
SW1(config)#router eigrp 100
SW1(config-router)#no auto-summary
SW1(config-router)#network 210.1.1.0 0.0.0.255
SW1(config-router)#network 20.1.1.0 0.0.0.255
SW1(config-router)#network 30.1.1.0 0.0.0.255

R4(config)#router eigrp 100
R4(config-router)#no auto-summary
R4(config-router)#network 210.1.1.0 0.0.0.255

The router now has the VLAN subnets in its routing table...

R4#show ip route
< code table removed for clarity >
Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
D       20.1.1.0 [90/28416] via 210.1.1.11, 00:01:01, FastEthernet0/0
C    210.1.1.0/24 is directly connected, FastEthernet0/0
     30.0.0.0/24 is subnetted, 1 subnets
D       30.1.1.0 [90/28416] via 210.1.1.11, 00:01:01, FastEthernet0/0

... and the hosts now have two-way IP connectivity with the router's 210.1.1.1 interface.
R2#ping 210.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 210.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R3#ping 210.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 210.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

It never hurts to make sure the pings can go the other way, too!
R4#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

R4#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

And finally.....
SW2(config)#spanning portfast default
%Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.

The above command will make Portfast the default setting for all ports. I didn't want you to configure it early because it wouldn't have worked nicely with a lot of the commands you ran during and after the STP section, but it's a good command to know for the exam and the real world.

To your Cisco success,

Chris Bryant
CCIE #12933

Copyright 2007 The Bryant Advantage. All Rights Reserved.
