Thursday, August 13, 2015

CCIE Lab1, Section 1


Introduction:

In this lab, I will walk you through a CCIE lab configuration consisting of eight sections:

- Section 1: LAN Switching and Frame Relay.
- Section 2: IPv4 IGP Protocols.
- Section 3: BGP.
- Section 4: IPv6.
- Section 5: QoS.
- Section 6: Security.
- Section 7: Multicast.
- Section 8: IP Services.

Through this lab you will learn Layer 2 and Layer 3 switching and routing configuration from basic to advanced level. Because the lab covers a great many topics, it assumes you already have a fundamental knowledge of switches and routers.

Network Topology:
Figure 1: Lab Diagram. 


Figure 2: Lab device connectivity.

R1 Lo0 120.100.1.1/24    R6  Lo0 120.100.6.1/24
R2 Lo0 120.100.2.1/24    SW1 Lo0 120.100.7.1/24
R3 Lo0 120.100.3.1/24    SW2 Lo0 120.100.8.1/24
R4 Lo0 120.100.4.1/24    SW3 Lo0 120.100.9.1/24
R5 Lo0 120.100.5.1/24    SW4 Lo0 120.100.10.1/24

Figure 3: Lab topology details.

Equipment List:

- R1, R2, R3, R4, R5, R6: Cisco c7200 routers.
- SW1, SW2, SW3, SW4: Cisco c3745 routers with switch modules, standing in for Catalyst 3550/3560 switches.


Figure 4: VLAN Assignment.


Figure 5: Frame Relay Logical Connectivity.

Section 1: LAN Switching and Frame Relay


Requirements:

■ Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect only to the core switches.
■ Switches 1 and 2 should run spanning tree in 802.1w mode; Switches 3 and 4 should operate in their default spanning-tree mode.
■ Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges, by configuring only Switches 1 and 2.
■ Ensure you fully utilize the available bandwidth between switches by grouping together your interswitch links as trunks. Ensure that only dot1q and EtherChannel are supported.
■ Ensure traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows.
■ Ensure that user interfaces are shut down dynamically by all switches should they toggle excessively; if they remain stable for 35 seconds, they should be re-enabled. Configure Fast Ethernet port 3/7 on each switch so that if multicast traffic is received on this port, the port is automatically disabled.
■ Fast Ethernet ports 3/8 will be used for future connectivity on each switch. Configure these ports as access ports for VLAN 300, which should begin forwarding traffic immediately on connection. Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to port 3/9 on SW1. For security purposes, this is the only port on the network from which DHCP addresses should be allocated. Ensure the switches intercept the DHCP requests and add the ingress port, VLAN and switch MAC address prior to sending them onward to the DHCP server. Limit DHCP requests to 600 packets per minute per user port.
■ For additional security, ensure the user ports (Fast Ethernet 3/8) on Switches 1–4 can communicate only with the network using IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure the only information forwarded upon connection is DHCP request packets, and then only traffic that matches the DHCP IP information received from the DHCP binding.
■ R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly, without using secondary addressing, to communicate with R5 and R6. Configure R4 with an IP address of 120.100.45.4/24 to communicate with R5, and configure R4 with an IP address of 120.100.46.4/24 to communicate with R6. Configure R4 g1/0 and Switch 2 f3/4 only.
■ Your initial Frame Relay configuration has been supplied for the R1-R2-R3 connectivity and R2-R5. Configure each device per Figure 5 to ensure each device is reachable over the Frame Relay network. Use only the indicated DLCIs.

Configuration:

■ Configure your switches as a collapsed backbone network with Switches 1 and 2 performing core and distribution functionality and Switches 3 and 4 as access switches in your topology. Switches 3 and 4 should connect only to the core switches.

This is a simple start to the exercise. The switches are fully meshed to begin with; to create a collapsed backbone topology, the core switches should be connected together, and each access switch should be dual-homed to the core switches. The only switches that should not connect directly to each other are the access switches (SW3 and SW4), so shutting down the interfaces between SW3 and SW4 creates the required topology. Note that the resulting topology is still looped (each access switch reaches both core switches, and the core switches are connected to each other), so spanning tree remains essential; you can verify the root bridge assignment with the show spanning-tree root command.

SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int f3/14
SW3(config-if)#shut
SW3(config-if)#int f3/15
SW3(config-if)#shut
SW4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW4(config)#int f3/14
SW4(config-if)#shut
SW4(config-if)#int f3/15
SW4(config-if)#shut

■ Switches 1 and 2 should run spanning tree in 802.1w mode; Switches 3 and 4 should operate in their default spanning-tree mode.

802.1w is Rapid Spanning Tree. Rapid PVST+ is backward compatible with the switches' default mode (PVST+): a port on a rapid-pvst switch that hears legacy 802.1D BPDUs falls back to 802.1D behaviour on that port, so by configuring Switches 1 and 2 in rapid-pvst mode, spanning tree still operates correctly with Switches 3 and 4, at the cost of rapid convergence on the links towards them.

SW1(config)#spanning-tree mode rapid-pvst
SW2(config)#spanning-tree mode rapid-pvst

■ Configure Switch 1 to be the root bridge and Switch 2 the secondary root bridge for VLANs 1 and 300. Ensure that Switches 3 and 4 can never become root bridges for any VLANs for which Switch 1 and Switch 2 are root bridges, by configuring only Switches 1 and 2.

This is a straightforward question for the core switches. The root primary and root secondary macros set the bridge priority for the listed VLANs (24576 and 28672 respectively, against the default of 32768). Root guard is then configured on the ports that connect Switches 1 and 2 to Switches 3 and 4: if a superior BPDU is received on one of these ports, the port is placed in the root-inconsistent (blocking) state instead of the switch accepting the new root, and it recovers on its own once the superior BPDUs stop. This meets the constraint of configuring only Switches 1 and 2. Because the macros compute the priority relative to whatever root exists when you run them, confirm the outcome with show spanning-tree vlan 300.
  
SW1(config)# spanning-tree vlan 1 root primary
SW1(config)# spanning-tree vlan 300 root primary
SW1(config)# interface FastEthernet3/10
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface FastEthernet3/11
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface FastEthernet3/12
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface FastEthernet3/13
SW1(config-if)# spanning-tree guard root

SW2(config)# spanning-tree vlan 1 root secondary
SW2(config)# spanning-tree vlan 300 root secondary
SW2(config)# interface FastEthernet3/10
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface FastEthernet3/11
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface FastEthernet3/12
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface FastEthernet3/13
SW2(config-if)# spanning-tree guard root
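The root election and the root-guard reaction can be checked outside the lab. The Python below is an added example (not part of the lab and not IOS code) that compares bridge IDs the way 802.1D with the 802.1t extended system ID does, using the priorities the macros above set (24576 for primary, 28672 for secondary, 32768 default). The switch MAC addresses and the rogue bridge are constructed for the demonstration.

```python
"""Bridge ID comparison and root guard, modelled in Python (added example, not IOS)."""
from __future__ import annotations
from dataclasses import dataclass

# Priorities used by the lab: 'root primary' -> 24576, 'root secondary' -> 28672,
# everything else left at the IOS default of 32768.
PRIMARY, SECONDARY, DEFAULT = 24576, 28672, 32768


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # must be a multiple of 4096
    mac: str        # dotted hex as IOS prints it, e.g. '0011.2233.4455'

    def bridge_id(self, vlan: int) -> tuple[int, int]:
        """802.1t bridge ID: 4-bit priority + 12-bit system-ID extension (the VLAN),
        then the base MAC as tie-breaker. The numerically lowest tuple wins."""
        assert self.priority % 4096 == 0 and 0 <= vlan < 4096
        return (self.priority + vlan, int(self.mac.replace(".", ""), 16))


def elect_root(bridges, vlan: int) -> Bridge:
    """The bridge with the lowest bridge ID becomes root for this VLAN."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def is_superior(claimed: Bridge, current_root: Bridge, vlan: int) -> bool:
    """A BPDU is 'superior' when it advertises a root with a lower bridge ID."""
    return claimed.bridge_id(vlan) < current_root.bridge_id(vlan)


def downlink_reaction(root_guard: bool, claimed: Bridge, current_root: Bridge, vlan: int) -> str:
    """What a core-switch downlink does when a BPDU arrives claiming `claimed` as root.

    Without root guard the switch accepts the superior BPDU and re-elects; with root
    guard the port goes root-inconsistent (blocking) until the superior BPDUs stop.
    """
    if not is_superior(claimed, current_root, vlan):
        return "forwarding"          # inferior or equal BPDU: nothing changes
    return "root-inconsistent" if root_guard else "re-elect"


# Constructed lab bridges (the MACs are made up; only their ordering matters).
SW1 = Bridge("SW1", PRIMARY, "0001.0000.0001")
SW2 = Bridge("SW2", SECONDARY, "0001.0000.0002")
SW3 = Bridge("SW3", DEFAULT, "0001.0000.0003")
SW4 = Bridge("SW4", DEFAULT, "0001.0000.0004")
LAB = [SW1, SW2, SW3, SW4]
# A rogue device plugged into an access switch, priority 0 and a very low MAC.
ROGUE = Bridge("rogue", 0, "0000.0000.0001")


def demo(vlan: int = 300) -> dict:
    root = elect_root(LAB, vlan)
    backup = elect_root([b for b in LAB if b is not root], vlan)
    return {
        "root": root.name,
        "backup": backup.name,
        "without_guard": downlink_reaction(False, ROGUE, root, vlan),
        "with_guard": downlink_reaction(True, ROGUE, root, vlan),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that priority alone is not protection: a device with priority 0 beats the primary root's 24576 on every VLAN, and only the root-guard port state stops it from taking over the tree.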

■ Ensure you fully utilize the available bandwidth between switches by grouping together your interswitch links as trunks. Ensure that only dot1q and EtherChannel are supported.

This is another straightforward question for all switches: create EtherChannels between the devices. Using channel-group n mode on under the physical interfaces creates a static EtherChannel with no negotiation protocol at all (neither PAgP nor LACP), and switchport trunk encapsulation dot1q makes dot1q the trunking protocol. Note that switchport mode trunk still leaves DTP running on the trunk; if the examiner reads "only dot1q" as "no negotiation", switchport nonegotiate on the trunks would disable DTP too. For Layer 2 EtherChannels you do not have to create the port-channel interface first with the interface port-channel command before assigning a physical port to a channel group; the channel-group interface command creates the port-channel interface automatically, although the manual port-channel configuration is shown here for clarity. Remember that now that you have EtherChannels between the switches, the spanning-tree port configuration that counts is the one on the port-channel interfaces, so root guard must be configured on the port-channels that face Switches 3 and 4 (Po1 and Po2 on both SW1 and SW2) to ensure that Switches 3 and 4 cannot become root bridges. This is over and above the physical interface configuration completed previously.

SW1(config)# interface Port-channel1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface Port-channel2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# spanning-tree guard root
SW1(config-if)# interface Port-channel3
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# interface range FastEthernet3/10-11
SW1(config-if-range)# channel-group 1 mode on
SW1(config-if-range)# interface range FastEthernet3/12-13
SW1(config-if-range)# channel-group 2 mode on
SW1(config-if-range)# interface range FastEthernet3/14-15
SW1(config-if-range)# channel-group 3 mode on

SW2(config)# interface Port-channel1
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface Port-channel2
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# spanning-tree guard root
SW2(config-if)# interface Port-channel3
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# interface range FastEthernet3/10-11
SW2(config-if-range)# channel-group 1 mode on
SW2(config-if-range)# interface range FastEthernet3/12-13
SW2(config-if-range)# channel-group 2 mode on
SW2(config-if-range)# interface range FastEthernet3/14-15
SW2(config-if-range)# channel-group 3 mode on

SW3(config)# interface Port-channel1
SW3(config-if)# switchport trunk encapsulation dot1q
SW3(config-if)# switchport mode trunk
SW3(config-if)# interface Port-channel2
SW3(config-if)# switchport trunk encapsulation dot1q
SW3(config-if)# switchport mode trunk
SW3(config-if)# interface range FastEthernet3/10-11
SW3(config-if-range)# channel-group 1 mode on
SW3(config-if-range)# interface range FastEthernet3/12-13
SW3(config-if-range)# channel-group 2 mode on

SW4(config)# interface Port-channel1
SW4(config-if)# switchport trunk encapsulation dot1q
SW4(config-if)# switchport mode trunk
SW4(config-if)# interface Port-channel2
SW4(config-if)# switchport trunk encapsulation dot1q
SW4(config-if)# switchport mode trunk
SW4(config-if)# interface range FastEthernet3/10-11
SW4(config-if-range)# channel-group 1 mode on
SW4(config-if-range)# interface range FastEthernet3/12-13
SW4(config-if-range)# channel-group 2 mode on

SW1#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------
1     Po1(SU)     Fa3/10(P)  Fa3/11(P)
2     Po2(SU)     Fa3/12(P)  Fa3/13(P)
3     Po3(SU)     Fa3/14(P)  Fa3/15(P)

SW2#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------
1     Po1(SU)     Fa3/10(P)  Fa3/11(P)
2     Po2(SU)     Fa3/12(P)  Fa3/13(P)
3     Po3(SU)     Fa3/14(P)  Fa3/15(P)

SW3#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------
1     Po1(SU)     Fa3/10(P)  Fa3/11(P)
2     Po2(SU)     Fa3/12(P)  Fa3/13(P)

SW4#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------
1     Po1(SU)     Fa3/10(P)  Fa3/11(P)
2     Po2(SU)     Fa3/12(P)  Fa3/13(P)

■ Ensure traffic is distributed on individual Ethernet trunks between switches based on the destination MAC address of individual flows.

A common problem with EtherChannels is traffic not being distributed equally among the physical interfaces. Load balancing on the destination MAC address of each flow is just one of the methods available, and it is selected here only because the question asks for it. Be aware of its weakness: the hash only spreads traffic when destinations vary, and on an access-to-core uplink nearly every frame is addressed to the default gateway's MAC, so in that direction all flows land on the same member link. The load-balancing method is a global setting that applies to every port-channel on the switch.

SW1(config)# port-channel load-balance dst-mac
SW2(config)# port-channel load-balance dst-mac
SW3(config)# port-channel load-balance dst-mac
SW4(config)# port-channel load-balance dst-mac

SW1#sh etherchannel load-balance
 Po1 ---> Destination MAC address
 Po2 ---> Destination MAC address
 Po3 ---> Destination MAC address
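The polarisation caveat is easy to demonstrate. The Python below is an added example (not part of the lab and not IOS code) that models the eight-bucket scheme Catalyst EtherChannel uses to map hash values onto member links and shows what happens when every flow shares one destination MAC. Cisco does not publish the hash function itself, so the XOR-of-bytes function here is an assumed stand-in that only reproduces the "few low-order bits" property; the host and gateway MAC addresses are constructed.

```python
"""EtherChannel load-balancing polarisation, modelled in Python (added example, not IOS)."""
from collections import Counter

BUCKETS = 8   # Catalyst EtherChannel hashes every frame into one of 8 buckets


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def hash_bucket(*fields: bytes) -> int:
    """Assumed simplification of the hash: XOR every byte of the selected header
    fields and keep the three low-order bits. The real polynomial is not published;
    only the 'few low-order bits of the chosen fields' property matters here."""
    acc = 0
    for field in fields:
        for b in field:
            acc ^= b
    return acc & (BUCKETS - 1)


def member_for_bucket(bucket: int, members: int) -> int:
    """Buckets are dealt round-robin over the members, which is why 2, 4 and 8 links
    balance evenly while 3 links get a 3:3:2 split."""
    assert 1 <= members <= 8
    return bucket % members


def distribute(flows, members: int, method: str = "dst-mac") -> Counter:
    """Count how many of `flows` ((src_mac, dst_mac) pairs) land on each member link."""
    counts = Counter({i: 0 for i in range(members)})
    for src, dst in flows:
        if method == "dst-mac":
            fields = (mac_bytes(dst),)
        elif method == "src-mac":
            fields = (mac_bytes(src),)
        elif method == "src-dst-mac":
            fields = (mac_bytes(src), mac_bytes(dst))
        else:
            raise ValueError(f"unknown load-balance method {method!r}")
        counts[member_for_bucket(hash_bucket(*fields), members)] += 1
    return counts


# Constructed traffic: 64 hosts behind an access switch all talking to one gateway MAC.
GATEWAY = "0000.0c07.ac01"
HOSTS = [f"0011.2233.44{i:02x}" for i in range(64)]
TO_GATEWAY = [(h, GATEWAY) for h in HOSTS]


def polarisation(members: int = 2) -> dict:
    """Fraction of the flows carried by the busiest member under each balancing method."""
    total = len(TO_GATEWAY)
    return {m: max(distribute(TO_GATEWAY, members, m).values()) / total
            for m in ("dst-mac", "src-mac", "src-dst-mac")}


if __name__ == "__main__":
    for method, share in polarisation().items():
        print(f"{method:12s} busiest link carries {share:.0%} of the flows")
```

With dst-mac the busiest of the two members carries 100 percent of the upstream flows; with src-mac or src-dst-mac the same traffic splits evenly. That is why, outside an exam, the usual choice is a method that includes the varying side of the conversation (or IP addresses, where the platform supports it).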

■ Ensure that user interfaces are shut down dynamically by all switches should they toggle excessively; if they remain stable for 35 seconds, they should be re-enabled. Configure Fast Ethernet port 3/7 on each switch so that if multicast traffic is received on this port, the port is automatically disabled.

Interfaces that flap cause problems in a network. Toggling usually indicates a fault such as a bad NIC or cable, and placing such ports into the error-disabled state is a way of stabilizing the environment. Link-flap detection is enabled by default (the switch err-disables a port that goes up and down five times within ten seconds), so what the question actually asks for is automatic recovery: errdisable recovery cause link-flap turns recovery on for that cause, and errdisable recovery interval 35 sets the timer. Note that the interval is global and applies to every cause for which recovery is enabled. To disable a port when multicast traffic is present, configure storm control with the multicast level set to 0 (a level of 0.00 means any multicast at all exceeds the threshold) and the action set to shutdown, which err-disables the port. Because recovery is only enabled for link-flap, a port disabled by storm control stays down until it is cleared by hand, which is what the question implies.

SW1(config)# errdisable recovery cause link-flap
SW1(config)# errdisable recovery interval 35
SW1(config)# interface FastEthernet3/7
SW1(config-if)# storm-control multicast level 0
SW1(config-if)# storm-control action shutdown

SW2(config)# errdisable recovery cause link-flap
SW2(config)# errdisable recovery interval 35
SW2(config)# interface FastEthernet3/7
SW2(config-if)# storm-control multicast level 0
SW2(config-if)# storm-control action shutdown

SW3(config)# errdisable recovery cause link-flap
SW3(config)# errdisable recovery interval 35
SW3(config)# interface FastEthernet3/7
SW3(config-if)# storm-control multicast level 0
SW3(config-if)# storm-control action shutdown

SW4(config)# errdisable recovery cause link-flap
SW4(config)# errdisable recovery interval 35
SW4(config)# interface FastEthernet3/7
SW4(config-if)# storm-control multicast level 0
SW4(config-if)# storm-control action shutdown

■ Fast Ethernet ports 3/8 will be used for future connectivity on each switch. Configure these ports as access ports for VLAN 300, which should begin forwarding traffic immediately on connection. Devices connected to these ports will dynamically receive IP addresses from a DHCP server due to be connected to port 3/9 on SW1. For security purposes, this is the only port on the network from which DHCP addresses should be allocated. Ensure the switches intercept the DHCP requests and add the ingress port, VLAN and switch MAC address prior to sending them onward to the DHCP server. Limit DHCP requests to 600 packets per minute per user port.

This is a DHCP snooping question. DHCP snooping is a useful security feature that protects the network from rogue DHCP servers: server messages (OFFER, ACK, NAK) are only accepted on ports marked trusted, so f3/9 on SW1 is the only port that may hand out leases. When the option-82 feature is enabled with ip dhcp snooping information option, the switch inserts relay-agent information into client requests so that a subscriber is identified by the switch port and VLAN through which it connects and by the MAC address of the switch. DHCP snooping also provides per-port rate limiting of DHCP packets, which prevents a denial of service by a host flooding bogus requests (the "gobbler" attack, which exhausts the pool by requesting numerous leases from the same port). The question includes a couple of points that are easily overlooked under exam pressure: the ports need switchport host (or switchport mode access plus spanning-tree portfast) to be access ports that forward immediately, and the rate limit is configured in packets per second, not per minute as the wording implies, so 600 per minute becomes limit rate 10. When the limit is exceeded the port is err-disabled. One practical caveat that the lab does not spell out: on Switches 2–4 the port-channels towards SW1 carry the server's replies, and on SW1 the port-channels from the access switches carry requests that already contain option 82; by default an untrusted port drops both, so in a real deployment those inter-switch trunks would also be marked ip dhcp snooping trust (or SW1 would be given ip dhcp snooping information option allow-untrusted).

SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 300
SW1(config)# ip dhcp snooping information option
SW1(config)# interface FastEthernet3/9
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# interface FastEthernet3/8
SW1(config-if)# ip dhcp snooping limit rate 10
SW1(config-if)# interface range FastEthernet3/8-9
SW1(config-if-range)# switchport host
SW1(config-if-range)# switchport access vlan 300

SW2(config)# ip dhcp snooping
SW2(config)# ip dhcp snooping vlan 300
SW2(config)# ip dhcp snooping information option
SW2(config)# interface FastEthernet3/8
SW2(config-if)# ip dhcp snooping limit rate 10
SW2(config-if)# switchport host
SW2(config-if)# switchport access vlan 300

SW3(config)# ip dhcp snooping
SW3(config)# ip dhcp snooping vlan 300
SW3(config)# ip dhcp snooping information option
SW3(config)# interface FastEthernet3/8
SW3(config-if)# ip dhcp snooping limit rate 10
SW3(config-if)# switchport host
SW3(config-if)# switchport access vlan 300

SW4(config)# ip dhcp snooping
SW4(config)# ip dhcp snooping vlan 300
SW4(config)# ip dhcp snooping information option
SW4(config)# interface FastEthernet3/8
SW4(config-if)# ip dhcp snooping limit rate 10
SW4(config-if)# switchport host
SW4(config-if)# switchport access vlan 300
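To see what the option-82 insertion and the untrusted-port rules actually do to a packet, the following added Python example (not from the lab and not IOS code) builds the relay-agent information in the default Cisco sub-option layout (circuit-id = VLAN, module, port; remote-id = switch base MAC), parses it back out, applies the three decisions an untrusted port makes (drop server messages, drop client messages that already carry option 82, insert option 82 into clean client messages), and implements the 10 pps limit as a one-second window that err-disables the port. The message bodies, the switch MAC and the timestamps are constructed; only the DHCP options field is modelled, not the full BOOTP header.

```python
"""DHCP snooping pieces modelled in Python (added example, not IOS code)."""
import struct

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
# DHCP message types (RFC 2132); replies only ever legitimately come from a server.
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def cisco_option82(vlan: int, module: int, port: int, switch_mac: str) -> bytes:
    """Default Cisco layout: circuit-id = type 0, len 4, VLAN(2) module(1) port(1);
    remote-id = type 0, len 6, switch base MAC. Returns the complete option 82 TLV."""
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)
    remote = struct.pack("!BB6s", 0, 6, mac_bytes(switch_mac))
    body = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def parse_options(opts: bytes) -> dict:
    """Walk the DHCP options TLVs (RFC 2132) into {code: value}."""
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_option82(value: bytes) -> dict:
    """Recover ingress VLAN/module/port and the inserting switch from an option 82 value."""
    subs, i = {}, 0
    while i < len(value):
        subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
        i += 2 + value[i + 1]
    _, _, vlan, module, port = struct.unpack("!BBHBB", subs[SUB_CIRCUIT_ID])
    return {"vlan": vlan, "module": module, "port": port,
            "switch_mac": subs[SUB_REMOTE_ID][2:].hex()}


def snoop(opts: bytes, trusted: bool, vlan: int, module: int, port: int, switch_mac: str):
    """Return ('drop', reason) or ('forward', options) for a DHCP message on one port."""
    parsed = parse_options(opts)
    msg_type = parsed.get(OPT_MSG_TYPE, b"\0")[0]
    if trusted:
        return "forward", opts                               # server-facing port: no checks
    if msg_type in SERVER_MSGS:
        return "drop", "server message on untrusted port"    # rogue DHCP server
    if OPT_RELAY_AGENT in parsed:
        return "drop", "option 82 already present on untrusted port"   # spoofed relay info
    # Clean client message: append our relay-agent information ahead of the END option.
    body = opts[:-1] if opts.endswith(bytes([OPT_END])) else opts
    return "forward", body + cisco_option82(vlan, module, port, switch_mac) + bytes([OPT_END])


class RateLimiter:
    """'ip dhcp snooping limit rate N': count DHCP packets per one-second window and
    err-disable the port as soon as the count exceeds N."""
    def __init__(self, pps: int):
        self.pps, self.window, self.count, self.errdisabled = pps, None, 0, False

    def accept(self, now: float) -> bool:
        if self.errdisabled:
            return False
        if self.window != int(now):
            self.window, self.count = int(now), 0
        self.count += 1
        if self.count > self.pps:
            self.errdisabled = True
            return False
        return True


def client_msg(msg_type: int) -> bytes:
    """Minimal options field carrying only a message type, as a client would send."""
    return bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


if __name__ == "__main__":
    verdict, out = snoop(client_msg(DISCOVER), False, 300, 3, 8, "0019.aabb.ccdd")
    print(verdict, parse_option82(parse_options(out)[OPT_RELAY_AGENT]))
```

The parsed circuit-id is exactly the information the server (or a later forensic query of the DHCP logs) needs to tie a lease to a physical port, and the "option 82 already present" rule is why SW1 would drop requests relayed through the access switches unless its uplinks are trusted.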

■ For additional security, ensure the user ports (Fast Ethernet 3/8) on Switches 1–4 can communicate only with the network using IP addresses gained from the DHCP feature configured previously. Use a dynamic feature to ensure the only information forwarded upon connection is DHCP request packets, and then only traffic that matches the DHCP IP information received from the DHCP binding.

A complementary feature to DHCP snooping is IP Source Guard. It takes the address learned from the DHCP exchange (the DHCP snooping binding table entry for that port and VLAN) and installs a dynamic per-port ACL that permits DHCP packets plus IP traffic whose source address matches the binding, dropping everything else that ingresses the port. ip verify source checks the source IP address only; ip verify source port-security additionally checks the source MAC against the binding but requires port security to be enabled on the interface. The feature depends on DHCP snooping being active for the VLAN, which the previous step has already done, and a host with a statically configured address on one of these ports will be silently dropped.


SW1(config)# interface FastEthernet3/8
SW1(config-if)# ip verify source

SW2(config)# interface FastEthernet3/8
SW2(config-if)# ip verify source

SW3(config)# interface FastEthernet3/8
SW3(config-if)# ip verify source

SW4(config)# interface FastEthernet3/8
SW4(config-if)# ip verify source
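The binding-to-filter relationship is easiest to see as code. The Python below is an added example (not from the lab and not IOS code) that keeps a snooping binding table learned from DHCP ACKs and applies the ip verify source decision to frames arriving on an access port, including the port-security variant that also pins the MAC. The MAC addresses, lease times and TEST-NET IP addresses are constructed and are not the lab's.

```python
"""DHCP snooping binding table and IP Source Guard, modelled in Python (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One entry of 'show ip dhcp snooping binding'."""
    mac: str
    ip: str
    vlan: int
    port: str
    expires: float      # absolute time (seconds) at which the lease ends


class SnoopingTable:
    """Bindings learned from DHCP ACKs the switch relayed towards untrusted ports."""
    def __init__(self):
        self._bindings = {}          # keyed by (vlan, mac): one lease per host per VLAN

    def learn_ack(self, mac, ip, vlan, port, lease_seconds, now):
        self._bindings[(vlan, mac)] = Binding(mac, ip, vlan, port, now + lease_seconds)

    def release(self, mac, vlan):
        """A DHCPRELEASE removes the entry, and with it the permit on the port."""
        self._bindings.pop((vlan, mac), None)

    def live_on_port(self, port, now):
        return [b for b in self._bindings.values() if b.port == port and b.expires > now]


def ip_verify_source(table, port, vlan, src_mac, src_ip, now, port_security=False):
    """The per-port filter 'ip verify source' installs on an untrusted access port.

    DHCP from an unconfigured host (source 0.0.0.0) must pass or nobody could ever get
    a lease; every other IP packet needs a live binding on this port and VLAN whose IP
    matches. 'ip verify source port-security' additionally pins the source MAC.
    """
    if src_ip == "0.0.0.0":
        return "permit"
    for b in table.live_on_port(port, now):
        if b.vlan == vlan and b.ip == src_ip and (not port_security or b.mac == src_mac):
            return "permit"
    return "deny"


def scenario() -> dict:
    """Constructed scenario: one host leases 192.0.2.50 on Fa3/8 for an hour at t=1000."""
    table = SnoopingTable()
    table.learn_ack("0011.2233.4401", "192.0.2.50", 300, "Fa3/8", lease_seconds=3600, now=1000.0)
    check = lambda mac, ip, now, ps=False: ip_verify_source(table, "Fa3/8", 300, mac, ip, now, ps)
    return {
        "leased_host": check("0011.2233.4401", "192.0.2.50", 1001.0),
        "static_ip": check("0011.2233.4401", "192.0.2.99", 1001.0),
        "spoofed_ip_other_mac": check("0011.2233.4402", "192.0.2.50", 1001.0),
        "spoofed_with_port_security": check("0011.2233.4402", "192.0.2.50", 1001.0, True),
        "after_lease_expiry": check("0011.2233.4401", "192.0.2.50", 5000.0),
        "dhcp_discover": check("0011.2233.4403", "0.0.0.0", 1001.0),
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:28s} {verdict}")
```

The "spoofed_ip_other_mac" case is the one to notice: plain ip verify source only matches the source IP, so a second device on the same port can borrow a neighbour's leased address until the port-security form of the command is used.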

■ R5 and R6 have been preconfigured with IP addresses on their Ethernet interfaces. Configure R4 and its associated switch port accordingly, without using secondary addressing, to communicate with R5 and R6. Configure R4 with an IP address of 120.100.45.4/24 to communicate with R5, and configure R4 with an IP address of 120.100.46.4/24 to communicate with R6. Configure R4 g1/0 and Switch 2 f3/4 only.

This is just a simple router-on-a-stick trunking question between Switch 2 and R4: R4 gets a dot1q subinterface for each of VLAN 45 and VLAN 46. One point to remember is that Switch 2 does not have VLAN 45 and VLAN 46 in its default configuration, so you need to create the VLANs locally before the trunk will carry them. Restricting the trunk with switchport trunk allowed vlan 45,46 keeps every other VLAN (including VLAN 300 and the native VLAN 1) off the router link, which is good hygiene as well as what the question asks for. The vlan database mode used below is deprecated on current IOS, where vlan 45 in global configuration mode does the same thing.


R4(config)# interface GigabitEthernet1/0.45
R4(config-subif)# encapsulation dot1Q 45
R4(config-subif)# ip address 120.100.45.4 255.255.255.0
R4(config-subif)# interface GigabitEthernet1/0.46
R4(config-subif)# encapsulation dot1Q 46
R4(config-subif)# ip address 120.100.46.4 255.255.255.0

SW2# vlan database
SW2(vlan)# vlan 45
SW2(vlan)# vlan 46
SW2(vlan)# exit
APPLY completed.
Exiting....
SW2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)# interface FastEthernet3/4
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport trunk allowed vlan 45,46
SW2(config-if)# switchport mode trunk

■ Your initial Frame Relay configuration has been supplied for the R1-R2-R3 connectivity and R2-R5. Configure each device per Figure 5 to ensure each device is reachable over the Frame Relay network. Use only the indicated DLCIs.

Make sure the interface IP addresses are already in place on R1, R2, R3 and R5 (they were supplied). All you need to add are static frame-relay map statements on R1, R2 and R3 and on the R2-R5 link. Per Figure 5, R3 is the hub of the R1-R2-R3 cloud: R1 and R2 each have only one DLCI, to R3, so both of R1's maps use DLCI 103 and both of R2's use DLCI 203, and R1-to-R2 traffic is relayed through R3. The broadcast keyword lets routing-protocol broadcasts and multicasts be replicated over the PVCs, which the later sections depend on. Use the same ietf encapsulation at both ends of each PVC, and remember that configuring a static map disables Inverse ARP for IP on that DLCI, so no dynamic mappings will appear alongside yours.

R1# conf t
R1(config)# int s6/0
R1(config-if)# encapsulation frame-relay ietf
R1(config-if)# frame-relay map ip 120.100.123.2 103 broadcast
R1(config-if)# frame-relay map ip 120.100.123.3 103 broadcast

R2# conf t
R2(config)# int s6/0
R2(config-if)# encapsulation frame-relay ietf
R2(config-if)# frame-relay map ip 120.100.123.1 203 broadcast
R2(config-if)# frame-relay map ip 120.100.123.3 203 broadcast
R2(config-if)# exit
R2(config)# int s6/1
R2(config-if)# encapsulation frame-relay ietf
R2(config-if)# frame-relay map ip 120.100.25.5 215 broadcast

R3# conf t
R3(config)# int s6/0
R3(config-if)# encapsulation frame-relay ietf
R3(config-if)# frame-relay map ip 120.100.123.1 301 broadcast
R3(config-if)# frame-relay map ip 120.100.123.2 302 broadcast

R5# conf t
R5(config)# int s6/1
R5(config-if)# encapsulation frame-relay ietf
R5(config-if)# frame-relay map ip 120.100.25.2 315 broadcast

R1#ping 120.100.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.100.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 780/940/1088 ms
R1#ping 120.100.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.100.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 232/456/580 ms

R2#ping 120.100.25.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.100.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 384/568/800 ms
