IEWB-RS-VOL-2.lab1.solutions.v5.00.041

By Robin Ramirez, 2014-08-03 13:21

     CCIE R&S Lab Workbook Volume II Version 5

     Lab 1 Solutions

     Troubleshooting

Issue 1:
R3:
interface Serial1/1
 no frame-relay map ip 183.1.0.4 305
 no frame-relay map ip 183.1.0.5 305 broadcast
 frame-relay map ip 183.1.0.4 315
 frame-relay map ip 183.1.0.5 315 broadcast

Issue 2:
R4:
interface FastEthernet0/0
 no ip address 183.1.54.4 255.255.255.0
 ip address 183.1.45.4 255.255.255.0

Issue 3:
R1:
interface Serial0/0
 no frame-relay lmi-type q933a

     Task 1.1

SW1:
vtp domain CISCO-A
vtp mode transparent
!
vlan 6
 name VLAN_6
vlan 28
 name VLAN_28
vlan 105
 name VLAN_105
vlan 33
 name VLAN_33
vlan 45
 name VLAN_45
vlan 46
 name VLAN_46
vlan 102
 name VLAN_102
vlan 105
 name VLAN_105
vlan 107
 name VLAN_107
!
interface FastEthernet0/3
 switchport access vlan 33
!
interface FastEthernet0/5
 switchport access vlan 105
!
interface FastEthernet0/7
 switchport access vlan 28

     Strategy Note

Although this first task did not specify the VTP mode for SW1 and SW2, task 1.6 will require them to be in transparent mode. Before starting a section, read over the whole section to find interdependencies such as this.

Copyright © 2009 Internetwork Expert

     www.InternetworkExpert.com


SW1 (continued):
!
interface FastEthernet0/14
 no switchport
 ip address 183.1.107.7 255.255.255.0

SW2:
vtp domain CISCO-A
vtp mode transparent
!
vlan 6
 name VLAN_6
vlan 28
 name VLAN_28
vlan 105
 name VLAN_105
vlan 33
 name VLAN_33
vlan 45
 name VLAN_45
vlan 46
 name VLAN_46
vlan 102
 name VLAN_102
vlan 105
 name VLAN_105
vlan 107
 name VLAN_107
!
interface FastEthernet0/2
 switchport access vlan 28
!
interface FastEthernet0/4
 switchport access vlan 45
!
interface FastEthernet0/6
 switchport access vlan 46
!
interface FastEthernet0/7
 switchport access vlan 28
!
interface FastEthernet0/14
 switchport access vlan 107
!
interface FastEthernet0/21
 switchport access vlan 105
!
interface FastEthernet0/24
 switchport access vlan 102


SW3:
vtp domain CISCO-B
vtp mode server
!
vlan 6
 name VLAN_6
vlan 28
 name VLAN_28
vlan 105
 name VLAN_105
vlan 33
 name VLAN_33
vlan 45
 name VLAN_45
vlan 46
 name VLAN_46
vlan 58
 name VLAN_58
vlan 102
 name VLAN_102
vlan 105
 name VLAN_105
vlan 107
 name VLAN_107
!
interface FastEthernet0/3
 no switchport
 ip address 183.1.39.9 255.255.255.0
!
interface FastEthernet0/5
 switchport access vlan 45
!
interface FastEthernet0/21
 switchport access vlan 107
!
interface FastEthernet0/24
 switchport access vlan 33

Quick Note

The vtp mode server command is optional, as the default VTP mode is server.

SW4:
vtp domain CISCO-B
vtp mode client
!
interface FastEthernet0/4
 switchport access vlan 46
!
interface FastEthernet0/6
 switchport access vlan 6
!
interface FastEthernet0/18
 no switchport
 ip address 183.1.105.10 255.255.255.0
!
interface FastEthernet0/21
 no switchport
 ip address 183.1.107.10 255.255.255.0


Task 1.1 Breakdown

Strategy Tip

     This task cannot be fully verified without trunking configured between the switches. Based on this it would be advisable to configure task 1.2 first before task 1.1, in order to allow for full verification of the VLAN assignments that span multiple layer 2 switches.

The first step in configuring VLAN Trunking Protocol (VTP) is to define the VTP domain name. This is accomplished by issuing the vtp domain [name] command in either VLAN database or global configuration mode. By default the VTP domain is NULL. Configuring the VTP domain name on one switch will result in the other switches inheriting the VTP domain name, assuming they are trunking.

Next the VLANs must be defined and their names configured. Because SW1 and SW2 are in transparent mode, this step must be performed on both switches. Since SW3 is a VTP server and SW4 is a VTP client within the VTP domain CISCO-B, the VLAN configuration only needs to be applied to SW3. Another option would be to configure SW2, SW3, and SW4 as VTP clients, then configure the VLANs on SW1. Assuming they are trunking, the VLAN information will be propagated via VTP from SW1 to the other switches. After the VLAN information is learned, the VTP modes and domain names can be changed. To define a VLAN, issue the vlan [vlan] command in either VLAN database or global configuration mode. Note that VLAN database mode has been deprecated as of version 12.2(25)SEE.

To verify the above configuration, issue the show vtp status command. To check whether VTP is properly configured, ensure that the domain names are identical, that the MD5 hash values of the VTP passwords are the same (if VTP authentication is configured), and that the configuration revision numbers match.

In addition to access ports and trunk ports, some interfaces in the VLAN assignment table are listed as "routed" and "VLAN" interfaces. The Catalyst 3550 and 3560 series switches are layer 3 switches and define three different interface types: switchports, routed ports, and switched virtual interfaces (SVIs).
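The three checks the breakdown lists for show vtp status (same domain name, same MD5 digest, same configuration revision) are easy to apply by hand on four switches and tedious on forty. The script below is an added example, not part of the workbook or of Cisco's tooling: it parses the "label : value" lines of show vtp status from several switches, skips transparent switches (which do not synchronise), and reports the disagreements. The Rack1SW1, Rack1SW3 and Rack1SW4 inputs are trimmed copies of the outputs in this lab's verification section; Rack1SW5 is a constructed fifth switch with a stale database. Differing revisions are flagged because, in a server/client domain, the member with the highest revision number will overwrite the other members' VLAN database once a trunk comes up, so a stale or rogue member is worth catching before that happens.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample inputs: trimmed "show vtp status" output. The Rack1SW1,
# Rack1SW3 and Rack1SW4 values are the ones shown in this lab's verification
# section; Rack1SW5 is an invented fifth switch with a stale VLAN database.
SAMPLE_OUTPUTS = {
    "Rack1SW1": """\
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
VTP Operating Mode              : Transparent
VTP Domain Name                 : CISCO-A
MD5 digest                      : 0x57 0xA5 0x7D 0xD8 0x19 0xDE 0x8B 0xF1
""",
    "Rack1SW3": """\
VTP Version                     : 2
Configuration Revision          : 10
VTP Operating Mode              : Server
VTP Domain Name                 : CISCO-B
MD5 digest                      : 0xB1 0x1D 0x7F 0x76 0xB0 0x4D 0x88 0x91
""",
    "Rack1SW4": """\
VTP Version                     : 2
Configuration Revision          : 10
VTP Operating Mode              : Client
VTP Domain Name                 : CISCO-B
MD5 digest                      : 0xB1 0x1D 0x7F 0x76 0xB0 0x4D 0x88 0x91
""",
    "Rack1SW5": """\
VTP Version                     : 2
Configuration Revision          : 3
VTP Operating Mode              : Client
VTP Domain Name                 : CISCO-B
MD5 digest                      : 0x00 0x11 0x22 0x33 0x44 0x55 0x66 0x77
""",
}

# "label : value" with at least one space on each side of the colon, so that
# lines such as "Configuration last modified by ... 00:26:06" are not misparsed.
FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Turn the 'label : value' lines of show vtp status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_vtp_domain(outputs: Dict[str, str]) -> List[str]:
    """Apply the breakdown's checks (domain, MD5 digest, revision) across switches.

    Returns a list of findings; an empty list means every server/client switch
    in each domain agrees. Transparent switches are reported but not compared,
    because they do not take part in VTP synchronisation.
    """
    findings: List[str] = []
    by_domain: Dict[str, Dict[str, Dict[str, str]]] = defaultdict(dict)
    for host, text in outputs.items():
        fields = parse_vtp_status(text)
        if fields.get("VTP Operating Mode") == "Transparent":
            findings.append(f"{host}: transparent mode, VLANs must be defined locally")
            continue
        by_domain[fields.get("VTP Domain Name", "")][host] = fields

    for domain, members in by_domain.items():
        revisions = {h: f.get("Configuration Revision") for h, f in members.items()}
        digests = {h: f.get("MD5 digest") for h, f in members.items()}
        modes = {h: f.get("VTP Operating Mode") for h, f in members.items()}
        if len(set(revisions.values())) > 1:
            # The member with the highest revision wins once trunks come up,
            # so a stale or unexpected revision is worth catching early.
            findings.append(f"domain {domain}: configuration revision differs: {revisions}")
        if len(set(digests.values())) > 1:
            findings.append(f"domain {domain}: MD5 digest differs: {digests}")
        if "Server" not in modes.values():
            findings.append(f"domain {domain}: no server present, VLAN database cannot be changed")
    return findings


if __name__ == "__main__":
    for finding in check_vtp_domain(SAMPLE_OUTPUTS):
        print(finding)
```

Run against only Rack1SW3 and Rack1SW4 the check returns no findings, which is the state the verification section shows; adding the constructed Rack1SW5 produces one finding for the revision and one for the digest.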


     Switchports include layer 2 access, trunk, and tunnel ports. The default mode for all interfaces on the 3550 is to be a dynamic desirable layer 2 switchport. The default mode for all interfaces on the 3560 is to be a dynamic auto layer 2 switchport. Routed ports are native layer 3 interfaces and can be directly configured with IP. To configure a routed interface issue the no switchport command on the interface. Lastly a switched virtual interface (SVI) is a logical layer 3 interface that represents a domain of switchports. SVIs are used to configure inter-VLAN routing. To configure an SVI simply issue the interface vlan [vlan] command in global configuration mode.

     Pitfall

     Creating a switched virtual interface does not automatically create the VLAN in the VLAN database. You must additionally issue the vlan [vlan] command in global configuration or the VLAN database for the VLAN to be created. Only once the VLAN exists in the database and has an interface forwarding the VLAN in spanning-tree will the SVI go into the up/up state.

     Further Reading

     Understanding and Configuring VLAN Trunk Protocol (VTP) Configuring Inter-VLAN Routing on the Catalyst 3550 Series Switch


     Task 1.1 Verification

Verify VTP status and VLAN assignment:

Rack1SW1#show vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 13
VTP Operating Mode              : Transparent
VTP Domain Name                 : CISCO-A
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xA5 0x7D 0xD8 0x19 0xDE 0x8B 0xF1
Configuration last modified by 183.1.17.7 at 0-0-00 00:00:00

Rack1SW1#show vlan brief | exclude unsup

VLAN Name                             Status    Ports
1    default                          active    Fa0/2, Fa0/4, Fa0/6, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
6    VLAN_6                           active
28   VLAN_28                          active    Fa0/7
33   VLAN_33                          active    Fa0/3
45   VLAN_45                          active
46   VLAN_46                          active
58   VLAN_58                          active
102  VLAN_102                         active
105  VLAN_105                         active    Fa0/5
107  VLAN_107                         active

Rack1SW2#show vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 13
VTP Operating Mode              : Transparent
VTP Domain Name                 : CISCO-A
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7E 0xBB 0x74 0xA0 0xD9 0xDC 0x07 0x54
Configuration last modified by 150.1.8.8 at 0-0-00 00:00:00


Rack1SW2#show vlan brief | ex unsup

VLAN Name                             Status    Ports
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/22
                                                Fa0/23, Gi0/1, Gi0/2
6    VLAN_6                           active
28   VLAN_28                          active    Fa0/2, Fa0/7
33   VLAN_33                          active
45   VLAN_45                          active    Fa0/4
46   VLAN_46                          active    Fa0/6
58   VLAN_58                          active
102  VLAN_102                         active    Fa0/24
105  VLAN_105                         active    Fa0/21
107  VLAN_107                         active    Fa0/14

Rack1SW3#show vtp status
VTP Version                     : 2
Configuration Revision          : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 14
VTP Operating Mode              : Server
VTP Domain Name                 : CISCO-B
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xB1 0x1D 0x7F 0x76 0xB0 0x4D 0x88 0x91
Configuration last modified by 183.1.39.9 at 3-1-93 00:26:06
Local updater ID is 183.1.39.9 on interface Fa0/3 (first layer3 interface found)

Rack1SW3#show vlan brief | exclude unsup

VLAN Name                             Status    Ports
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/21, Fa0/22, Fa0/23, Gi0/1
                                                Gi0/2
6    VLAN_6                           active
28   VLAN_28                          active
33   VLAN_33                          active    Fa0/24
45   VLAN_45                          active    Fa0/5
46   VLAN_46                          active
58   VLAN_58                          active
102  VLAN_102                         active
105  VLAN_105                         active
107  VLAN_107                         active


Rack1SW4#show vtp status
VTP Version                     : 2
Configuration Revision          : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 14
VTP Operating Mode              : Client
VTP Domain Name                 : CISCO-B
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xB1 0x1D 0x7F 0x76 0xB0 0x4D 0x88 0x91
Configuration last modified by 183.1.39.9 at 3-1-93 00:26:06

Rack1SW4#show vlan brief | exclude unsup

VLAN Name                             Status    Ports
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/5
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
6    VLAN_6                           active    Fa0/6
28   VLAN_28                          active
33   VLAN_33                          active
45   VLAN_45                          active
46   VLAN_46                          active    Fa0/4
58   VLAN_58                          active
102  VLAN_102                         active
105  VLAN_105                         active
107  VLAN_107                         active

     Task 1.2

SW1:
interface range Fa0/13, Fa0/15
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 46
 switchport mode trunk
!
interface range Fa0/16 - 20
 shutdown
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk

SW2:
interface range Fa0/13, Fa0/15 - 18
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 46
 switchport mode trunk
!
interface range Fa0/19 - 20
 shutdown

     Quick Note

     The task did not specify the trunking encapsulation to use so ISL could have also been used as opposed to dot1q.


SW3:
interface range Fa0/16 - 20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 46
 switchport mode trunk
!
interface range Fa0/13 - 15
 shutdown

SW4:
interface range Fa0/19 - 20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 46
 switchport mode trunk
!
interface range Fa0/13 - 14 , Fa0/16 - 17
 shutdown
!
interface FastEthernet0/15
 switchport trunk encapsulation dot1q
 switchport mode trunk

     Task 1.2 Breakdown

By default all interfaces on the Catalyst 3550 series switch are in dynamic desirable mode. This will result in interconnected ports negotiating an Inter-Switch Link (ISL) trunk through Dynamic Trunking Protocol (DTP). The Catalyst 3560 series switches default to dynamic auto mode. This means that they will not automatically attempt to trunk with a remote switch, but will accept a trunk negotiation if the remote switch requests one. ISL is a Cisco proprietary trunking protocol and tags all traffic sent over the trunk link with an ISL header. As an alternative to running ISL encapsulation over a trunk link, 802.1q offers a standards-based trunking encapsulation. Unlike an ISL trunk, 802.1q tags all traffic sent over the trunk link with a dot1q header, with the exception of the "native" VLAN. Any frames received over a dot1q trunk that do not carry a VLAN tag are assumed to belong to the native VLAN. To configure 802.1q encapsulation on a trunk link, issue the switchport trunk encapsulation dot1q command on the interface. By default the native VLAN for a dot1q trunk is VLAN 1. To change this, issue the switchport trunk native vlan [vlan] command. Note that both ends of the trunk link must agree on the native VLAN.
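Because untagged frames are assigned to whatever native VLAN each end is configured with, a native VLAN mismatch silently places the same frame in two different VLANs depending on direction. The script below is an added example, not part of the workbook: it parses the first table of show interfaces trunk from two switches and compares the native VLAN on both ends of each link. The Rack1SW1 and Rack1SW2 outputs are copied from this lab's Task 1.2 verification; the cabling in LINKS is an assumption (the page does not say which ports face each other), and SW2_TRUNKS_BAD is a constructed variant in which Fa0/15 was left on the default native VLAN 1 to show what a mismatch report looks like.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs: the first table of "show interfaces trunk" as the
# Task 1.2 verification shows it for Rack1SW1 and Rack1SW2. The second table on
# SW1 ("Vlans allowed on trunk") is added to show that the parser skips it.
SW1_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      46
Fa0/15      on           802.1q         trunking      46
Fa0/21      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094
Fa0/15      1-4094
Fa0/21      1-4094
"""

SW2_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      46
Fa0/15      on           802.1q         trunking      46
Fa0/16      on           802.1q         trunking      46
Fa0/17      on           802.1q         trunking      46
Fa0/18      on           802.1q         trunking      46
"""

# Invented variant: the same switch with Fa0/15 left on the default native VLAN 1.
SW2_TRUNKS_BAD = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      46
Fa0/15      on           802.1q         trunking      1
"""

Link = Tuple[Tuple[str, str], Tuple[str, str]]

# Assumed cabling between SW1 and SW2 (not stated on the page).
LINKS: List[Link] = [
    (("Rack1SW1", "Fa0/13"), ("Rack1SW2", "Fa0/13")),
    (("Rack1SW1", "Fa0/15"), ("Rack1SW2", "Fa0/15")),
]

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_trunks(text: str) -> Dict[str, Dict[str, object]]:
    """Return {port: {mode, encapsulation, status, native}} from show interfaces trunk."""
    trunks: Dict[str, Dict[str, object]] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Port"):
            in_table = "Native vlan" in line   # only the first table carries native VLANs
            continue
        if not line.strip():
            in_table = False
            continue
        m = ROW_RE.match(line) if in_table else None
        if m:
            port, mode, encap, status, native = m.groups()
            trunks[port] = {"mode": mode, "encapsulation": encap,
                            "status": status, "native": int(native)}
    return trunks


def find_native_mismatches(outputs: Dict[str, str], links: List[Link]) -> List[str]:
    """Compare the native VLAN on both ends of each link; an empty list means all agree."""
    parsed = {switch: parse_trunks(text) for switch, text in outputs.items()}
    findings: List[str] = []
    for (sw_a, port_a), (sw_b, port_b) in links:
        a = parsed.get(sw_a, {}).get(port_a)
        b = parsed.get(sw_b, {}).get(port_b)
        if a is None or b is None:
            findings.append(f"{sw_a} {port_a} <-> {sw_b} {port_b}: not trunking on both ends")
        elif a["native"] != b["native"]:
            # Untagged frames would land in one VLAN on this side and another on the far side.
            findings.append(f"{sw_a} {port_a} native {a['native']} != "
                            f"{sw_b} {port_b} native {b['native']}")
    return findings


if __name__ == "__main__":
    print(find_native_mismatches({"Rack1SW1": SW1_TRUNKS, "Rack1SW2": SW2_TRUNKS}, LINKS))
    print(find_native_mismatches({"Rack1SW1": SW1_TRUNKS, "Rack1SW2": SW2_TRUNKS_BAD}, LINKS))
```

With the outputs from the verification section the check returns nothing; with the constructed SW2 variant it reports the Fa0/15 link. On a real switch the same mismatch is also logged by CDP as a native VLAN mismatch message, so the two checks corroborate each other.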


Since ports of the 3550 are dynamic ports, a failed trunking negotiation will result in the port reverting to access mode. "Access" mode implies that the interface will be connected to an end node and belongs to one VLAN. To ensure that the interface always maintains trunking status, remove the port from "dynamic" mode by issuing the switchport mode trunk interface command.

    Note

     A switchport cannot run in static trunking mode while the trunking encapsulation is set to auto-negotiate. Therefore be sure to issue the switchport trunk encapsulation command before issuing the switchport mode trunk command.

     Further Reading

     Configuring VLANs: Configuring VLAN Trunks

     Strategy Tip

     Remember to verify each task before moving on to the next task. Also after completing a task it’s a good time to save your configurations.


     Task 1.2 Verification

Verify trunking configuration:

Rack1SW1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      46
Fa0/15      on           802.1q         trunking      46
Fa0/21      on           802.1q         trunking      1

Rack1SW2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      46
Fa0/15      on           802.1q         trunking      46
Fa0/16      on           802.1q         trunking      46
Fa0/17      on           802.1q         trunking      46
Fa0/18      on           802.1q         trunking      46

Rack1SW3#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/16      on           802.1q         trunking      46
Fa0/17      on           802.1q         trunking      46
Fa0/18      on           802.1q         trunking      46
Fa0/19      on           802.1q         trunking      46
Fa0/20      on           802.1q         trunking      46

Rack1SW4#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/15      on           802.1q         trunking      1
Fa0/19      on           802.1q         trunking      46
Fa0/20      on           802.1q         trunking      46


     Strategy Tip

     Before moving beyond this point of the lab a basic connectivity test should be performed for all directly connected Ethernet interface IP addresses. One of the keys to passing the lab is to be able to find problems early on. For example if basic testing wasn’t done and there are issues with a BGP peering session between SW4 and BB2, time could be wasted troubleshooting a BGP problem that is actually related to a basic connectivity problem which should have been discovered earlier in the verification process.

Rack1R1#ping 183.1.17.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.17.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Rack1R2#ping 183.1.28.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.28.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Rack1R3#ping 183.1.39.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.39.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Rack1R3#ping 204.12.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Rack1R4#ping 183.1.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.45.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms

Rack1R4#ping 183.1.46.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.46.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Rack1R5#ping 183.1.105.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.105.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Rack1SW1#ping 183.1.107.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.107.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Rack1SW4#ping 192.10.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

     Task 1.3

SW1 and SW2:
interface FastEthernet0/7
 spanning-tree portfast

     Task 1.3 Breakdown

Spanning-tree forwarding delay refers to the time it takes a port to transition through the listening and learning phases of spanning-tree protocol (STP). These phases are used to determine what type of traffic is being received on an interface, and to avoid a loop in the spanning-tree topology if one is detected. Since end stations by definition are stub connections to the switch block, a spanning-tree loop cannot occur on these ports under normal circumstances. In addition to being unnecessary, running spanning-tree on ports that connect to end stations may result in undesirable effects. These effects may include hosts not being able to negotiate addresses through DHCP, log on to a network domain, etc. In order to minimize these effects spanning-tree portfast should be configured on interfaces which connect to end nodes. Portfast reduces the delay associated with STP by skipping the listening and learning phases, and transitioning a port directly to forwarding state. To configure portfast issue the spanning-tree portfast command on the interface. Note that portfast should not be configured on interfaces that connect to routers, switches, or hubs, as this may result in a loop in the spanning-tree domain.


     Further Reading

     Using PortFast and Other Commands to Fix Workstation Startup Connectivity Delays

     Task 1.4

SW1 and SW2:
interface FastEthernet0/7
 spanning-tree bpduguard enable

     Task 1.4 Breakdown

As stated in the previous section, portfast should not be configured on interfaces that connect to routers, switches, or hubs, as this may result in a loop in the spanning-tree domain. When portfast is enabled the listening and learning phases of STP are skipped. Since these are the phases used to determine if there is a loop in the topology, a loop cannot be immediately detected if portfast is enabled. In order to prevent this case, the switches support a feature known as BPDU guard. A bridge protocol data unit (BPDU) is the packet used to advertise spanning-tree protocol information. If a BPDU is received on an interface it implies that there is a device running STP connected to that interface. If a BPDU is received on an interface which is configured with BPDU guard, the interface will be put into err-disabled state. BPDU guard can therefore be used in combination with portfast to prevent a loop if a switch or bridge is connected to a port running portfast. To enable BPDU guard use the interface command spanning-tree bpduguard enable.

     Further Reading

     Spanning Tree Portfast BPDU Guard Enhancement


     Tasks 1.3 & 1.4 Verification

Verify spanning-tree information for the ports (ports should be in up/up state):

Rack1SW1#show spanning-tree int fa0/7 detail | include portfast|Bpdu
   The port is in the portfast mode
   Bpdu guard is enabled

Rack1SW2#show spanning-tree int fa0/7 detail | include portfast|Bpdu
   The port is in the portfast mode
   Bpdu guard is enabled

     Task 1.5

SW1:
interface FastEthernet0/21
 switchport trunk allowed vlan 102

Quick Note

Only VLAN 102 is allowed.

SW2:
interface range Fa0/16 - 18
 switchport trunk allowed vlan 1-101,103-4094

SW3:
interface range Fa0/16 - 20
 switchport trunk allowed vlan 1-101,103-4094

SW4:
interface FastEthernet0/15
 switchport trunk allowed vlan 102
!
interface range Fa0/19 - 20
 switchport trunk allowed vlan 1-101,103-4094

Quick Note

The switchport trunk allowed vlan except 102 command will produce the same output in the switch's configuration.

     Task 1.5 Breakdown

     By default all VLANs that exist on the switch are permitted to be carried over a trunk link. To remove specific VLANs from a trunk use the switchport trunk allowed vlan command. To allow VLANs on the trunk after they have been removed the same command is also used but with different options. The first option is add which will add VLANs to the current allowed list. The all option is used to allow all VLANs on the trunk. Note that this is the default behavior and the all option will be used only after VLANs have been manually removed from the trunk. The except option is used to allow all VLANs except a certain VLAN or VLANs to be trunked. The none option is used to not allow any VLANs over the trunk. Finally the remove option is used to remove VLANs from the current allowed list.
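The five options above are easier to reason about as operations on a set of VLAN IDs. The model below is an added example, not part of the workbook or of IOS: it keeps the allowed list as a set starting at the default (every VLAN), applies add, remove, except, all, none or a bare list, and renders the result the way the running configuration shows it. It reproduces the Quick Note's observation that except 102 and the explicit 1-101,103-4094 are the same configuration. The class and function names are this example's own.

```python
from typing import Iterable, Set

MAX_VLAN = 4094
ALL_VLANS = frozenset(range(1, MAX_VLAN + 1))


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse an IOS VLAN list such as '1-101,103-4094' or '28,46' into a set."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_id, hi_id = int(lo), int(hi or lo)
        if not 1 <= lo_id <= hi_id <= MAX_VLAN:
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(lo_id, hi_id + 1))
    return vlans


def format_vlan_list(vlans: Iterable[int]) -> str:
    """Render a VLAN set the way the running configuration shows it."""
    ids = sorted(set(vlans))
    if not ids:
        return "none"
    ranges = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        ranges.append((start, prev))
        start = prev = v
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


class TrunkAllowedList:
    """Model of one trunk's allowed list under 'switchport trunk allowed vlan ...'."""

    def __init__(self) -> None:
        self.allowed: Set[int] = set(ALL_VLANS)   # default: every VLAN is carried

    def apply(self, args: str) -> None:
        """Apply the text that follows 'switchport trunk allowed vlan'."""
        keyword, _, rest = args.strip().partition(" ")
        if keyword == "all":
            self.allowed = set(ALL_VLANS)
        elif keyword == "none":
            self.allowed = set()
        elif keyword == "add":
            self.allowed |= parse_vlan_list(rest)
        elif keyword == "remove":
            self.allowed -= parse_vlan_list(rest)
        elif keyword == "except":
            self.allowed = set(ALL_VLANS) - parse_vlan_list(rest)
        else:
            self.allowed = parse_vlan_list(args)   # a bare list replaces the whole list

    def running_config(self) -> str:
        """The line the running configuration would show ('' when at the default)."""
        if self.allowed == ALL_VLANS:
            return ""
        return f"switchport trunk allowed vlan {format_vlan_list(self.allowed)}"


if __name__ == "__main__":
    # SW4 Fa0/15 from the solution: only the VLAN toward BB2 is carried.
    bb2_trunk = TrunkAllowedList()
    bb2_trunk.apply("102")
    print(bb2_trunk.running_config())
    # 'except 102' and the explicit '1-101,103-4094' produce the same configuration.
    core_trunk = TrunkAllowedList()
    core_trunk.apply("except 102")
    print(core_trunk.running_config())
```

The model also makes the pruning point concrete: after none followed by add 102 the trunk toward BB2 carries exactly one VLAN, which is the smallest set of VLANs that link needs.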


     Task 1.5 Verification

Rack1SW1#show interface fastEthernet0/21 trunk | begin allowed

Port        Vlans allowed on trunk
Fa0/21      102

Port        Vlans allowed and active in management domain
Fa0/21      102

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/21      102

Alternate method for verification:

Rack1SW1#show interface fa0/21 switchport | include Trunking VLANs
Trunking VLANs Enabled: 102

Rack1SW2#show interface fa0/16 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Rack1SW2#show interface fa0/17 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Rack1SW2#show interface fa0/18 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Rack1SW3#show interface fa0/16 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Rack1SW3#show interface fa0/17 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Rack1SW3#show interface fa0/18 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Rack1SW3#show interface fa0/19 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Rack1SW3#show interface fa0/20 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Rack1SW4#show interface fa0/15 switchport | include Trunking VLANs
Trunking VLANs Enabled: 102

Rack1SW4#show interface fa0/19 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Rack1SW4#show interface fa0/20 switchport | include Trunking VLANs
Trunking VLANs Enabled: 1-101,103-4094

Ensure that SW4 can still reach BB2 through VLAN 102:

Rack1SW4#ping 192.10.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

     Task 1.6

SW1:
vlan 281
 private-vlan isolated
!
vlan 28
 name VLAN_28
 private-vlan primary
 private-vlan association 281
!
interface FastEthernet0/7
 switchport private-vlan host-association 28 281
 switchport mode private-vlan host

SW2:
vlan 281
 private-vlan isolated
!
vlan 28
 name VLAN_28
 private-vlan primary
 private-vlan association 281
!
interface FastEthernet0/2
 switchport private-vlan mapping 28 281
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/7
 switchport private-vlan host-association 28 281
 switchport mode private-vlan host

     Quick Note

By default, devices connected to SW1 port Fa0/7 and SW2 port Fa0/7 will not be able to communicate with SW2's Vlan28 interface.

     Task 1.6 Breakdown

     By default all ports within a VLAN have layer 2 reachability between each other. Private VLANs allow for the separation of a single VLAN into multiple segments or sub-broadcast domains by restricting layer 2 communication within the VLAN. A common implementation for Private VLANs would be to restrict communication between web servers within a VLAN but allow access to a DNS server and their default gateway. Although this configuration could be accomplished using protected ports, protected ports only restrict traffic within a single switch. Private VLANs allow for this configuration to span across multiple switches.


Private VLANs require the switches to be in VTP transparent mode. There are three types of VLANs that make up a private VLAN. The first one is called the primary VLAN. The other two, community and isolated, are referred to as secondary VLANs. Ports that are assigned to an isolated VLAN cannot communicate with other ports at layer 2, with the exception of ports in the primary VLAN. Ports assigned within a community can communicate with other ports assigned within the same community, along with ports assigned to the primary VLAN. This means that layer 2 communication is not permitted between two isolated ports, between an isolated port and a port within a community, or between two ports within different communities. Also note that these restrictions exclude trunk ports. There are three types of ports for Private VLANs. The first one is called a promiscuous port. A promiscuous port can communicate via layer 2 with all other promiscuous ports, isolated ports, and community ports. Promiscuous ports are assigned to the primary VLAN. The second port type is called an isolated port. Isolated ports can only communicate via layer 2 with promiscuous ports. The last type is called a community port. A community port can talk to other ports that are within the same community and to promiscuous ports.
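The reachability rules in the paragraph above reduce to a small decision function, which is a convenient way to check an intended private VLAN design before typing it in. The code below is an added example, not part of the workbook: it encodes the three port types and the rules for which pairs may talk at layer 2, and evaluates them on the Task 1.6 ports (SW1 Fa0/7 and SW2 Fa0/7 as isolated hosts in secondary VLAN 281, SW2 Fa0/2 as the promiscuous port). The three community ports in secondary VLANs 282 and 283 are constructed for illustration and do not exist in the lab; the class and function names are this example's own. As the Note that follows says, the rules cover layer 2 only: traffic routed through a layer 3 device behind the promiscuous port is not restricted by them.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class PvlanPort:
    switch: str
    name: str
    primary: int                     # primary VLAN the port belongs to
    kind: PortType
    secondary: Optional[int] = None  # isolated or community VLAN; None for promiscuous

    def label(self) -> str:
        return f"{self.switch} {self.name}"


def can_reach_layer2(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer 2 reachability between two private VLAN ports, per the breakdown's rules.

    Trunk ports are outside these rules, and traffic routed through a layer 3
    device (for example via the gateway on the promiscuous port) is not restricted.
    """
    if a.primary != b.primary:
        return False            # different private VLANs never share a broadcast domain
    if PortType.PROMISCUOUS in (a.kind, b.kind):
        return True             # promiscuous ports reach every port in the primary VLAN
    if a.kind == PortType.COMMUNITY and b.kind == PortType.COMMUNITY:
        return a.secondary == b.secondary   # only within the same community
    return False                # isolated-isolated, isolated-community, different communities


def reachable_from(port: PvlanPort, ports: List[PvlanPort]) -> List[str]:
    """Labels of the other ports that `port` can reach at layer 2, in list order."""
    return [p.label() for p in ports if p != port and can_reach_layer2(port, p)]


# Ports from the Task 1.6 solution: SW1 Fa0/7 and SW2 Fa0/7 are isolated hosts
# (primary 28, isolated 281) and SW2 Fa0/2 is promiscuous. The three community
# ports are constructed for illustration and do not exist in the lab.
SW1_FA0_7 = PvlanPort("SW1", "Fa0/7", 28, PortType.ISOLATED, 281)
SW2_FA0_7 = PvlanPort("SW2", "Fa0/7", 28, PortType.ISOLATED, 281)
SW2_FA0_2 = PvlanPort("SW2", "Fa0/2", 28, PortType.PROMISCUOUS)
COMM_A1 = PvlanPort("SW1", "Fa0/9", 28, PortType.COMMUNITY, 282)    # constructed
COMM_A2 = PvlanPort("SW2", "Fa0/9", 28, PortType.COMMUNITY, 282)    # constructed
COMM_B = PvlanPort("SW2", "Fa0/10", 28, PortType.COMMUNITY, 283)    # constructed

LAB_PORTS = [SW1_FA0_7, SW2_FA0_7, SW2_FA0_2, COMM_A1, COMM_A2, COMM_B]


if __name__ == "__main__":
    for p in LAB_PORTS:
        peers = ", ".join(reachable_from(p, LAB_PORTS)) or "(nothing)"
        print(f"{p.label():12} -> {peers}")
```

The output for the two isolated ports is the behaviour the verification pings show: each reaches only SW2 Fa0/2 (R2's port) and not the other isolated host, while the promiscuous port reaches everything in primary VLAN 28.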

     Note

Private VLAN Guidelines:

- Private VLANs must be configured in global configuration mode; VLAN database mode configuration is not supported for Private VLANs.
- Private VLAN information is not propagated via VTP.
- Isolated and community VLANs do not run their own instance of spanning tree; if fine-tuning of spanning tree is needed the configuration should be applied to the primary VLAN.

Although Private VLANs restrict layer 2 communication, devices may still be able to communicate if their traffic is routed through a layer 3 device.


     Task 1.6 Verification

Rack1SW1#show interfaces fa0/7 switchport | include private|28|281
Administrative Mode: private-vlan host
Administrative private-vlan host-association: 28 (VLAN_28) 281 (VLAN0281)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none

Rack1SW2#show interfaces fa0/2 switchport | include private|28|281
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 28 (VLAN_28) 281 (VLAN0281)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: 28 (VLAN_28) 281 (VLAN0281)

Rack1SW2#show interfaces fa0/7 switchport | include private|28|281
Administrative Mode: private-vlan host
Administrative private-vlan host-association: 28 (VLAN_28) 281 (VLAN0281)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none

For testing purposes we will temporarily change R6's Fa0/0 IP address and VLAN to facilitate the test.

Rack1SW2#show running-config interface fa0/6
Building configuration...

Current configuration : 117 bytes
!
interface FastEthernet0/6
 switchport private-vlan host-association 28 281
 switchport mode private-vlan host
end

Rack1R6#show running-config interface Fa0/0
Building configuration...

Current configuration : 98 bytes
!
interface GigabitEthernet0/0
 ip address 183.1.28.6 255.255.255.0
end

Rack1R6#ping 183.1.28.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.28.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Rack1R6#ping 183.1.28.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.28.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Rack1SW2#ping 183.1.28.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.28.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Rack1SW2#ping 183.1.28.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 183.1.28.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
