Drawing 2: Logical Routing Topology
Configuration tasks
Task 1: Layer 3 topology set-up
• Configure the Nexus 5500 switches with hostnames of “SW2” and “SW3”. The Nexus 7000 VDCs should already have hostnames through the loading of the initial configuration. Use switchto vdc and switchback to move between different switches on the Nexus 7000.
• Configure all switches so they can all carry the layer 2 VLANs as described in drawing 1
• Configure sufficient inter-switch links to carry the VLANs between the switches
• Configure IP addressing on SVI and physical interfaces according to drawing 1
• Configure all switches to have a Loopback0 interface with an IP address of 198.18.0.Z/32 where Z is the router number / host address as specified in drawing 1
Task 2: Static routing
• Ensure SW1-3 can ping the loopback address of SW1-4 from its own loopback address
• SW1-1 should be able to ping the loopback address of SW1-2 and vice versa without using the directly connected link between those switches, but should use the path over SW1-3 and SW1-4 for this
• Configure SW1-2 to be a blackhole for the 192.0.1.0/24 prefix. Give this entry a tag of 666 and an increased preference of +1
• Ensure that all layer 3 interfaces on SW1-2 do not send out any unreachable messages
• Remove all static routes before continuing with the next tasks
Task 3: EIGRP
• Configure a secure EIGRP adjacency between SW1-2 and SW1-4
• Ensure Loopbacks are reachable and dynamically advertised. Ensure that there are no attempts to make adjacencies on the Loopback interfaces.
• Use 64999 as autonomous system number and IPEXPERT as the EIGRP process name
• Configure 4 static routes for 198.18.4.0/24 through 198.18.7.0/24 on SW1-4 and ensure they are reachable through a single EIGRP routing entry on SW1-2. Besides the single entry, the 198.18.5.0/24 network should also be seen in the routing table of SW1-2.
• Use wide metrics with a scaling factor of 64
• Change the bandwidth that EIGRP may use on an interface to 10% lower than the default
• Update the link between SW1-2 and SW1-4 so the EIGRP neighbor is declared down after 4 hello packets. You are only allowed to change configuration on SW1-2 to accomplish this
• Routes which are declared active should become Stuck in Active after 5 minutes
• Routes should be advertised as unreachable when there are more than 50 hops in the network
• Update the K3 value on the SW1-2 to SW1-4 interfaces to 500
Task 4: OSPF
• Configure the OSPF network as shown in drawing 2. Use the dotted decimal notation to configure area 264
• Ensure that all OSPF routers can reach each other’s Loopback addresses
• Ignore the MTU size between SW1-1 and SW1-3 when forming an adjacency
• Ensure that SW2 will never become a designated router on any OSPF interface
• Ensure that SW3 will never become a designated router on any OSPF interface
• Ensure all adjacencies in area 0 are secured using a hashed version of “IPexpertSecure”
• Ensure area 1 is secure using a simple-text password of “IPexpert”
• Configure 4 additional Loopback interfaces on SW2 with IP addresses of 198.18.128.1/24 through 198.18.131.1/24 and ensure they are seen as a single entry in the backbone area and other areas without overlapping other IP space
• Configure a Loopback1 interface on SW1-3 with an IP address of 198.18.13.1/24 and ensure this whole subnet is seen throughout the layer 3 network
• Type 3, 4 and 5 LSAs are not allowed in area 1
• Ensure that routers do not attract traffic for 2 minutes after booting up
Task 5: Redistribution, BFD and ECMP
• Configure redistribution between EIGRP and OSPF on SW1-4 and SW1-2
• Ensure full reachability is achieved while maintaining all requirements from previous tasks
• Ensure all links towards area 0 are used when traffic is exiting area 1
• Ensure that all Dynamic Routing adjacencies on SW1-2 towards adjacent devices are terminated using a dedicated detection protocol
• BFD sessions between SW1-2 and SW3 should be secured using a hashed key of “IPexpertSecure”
• Ensure neighbor failures on SW1-2 are detected within 300ms
• Configure OSPF and EIGRP so they use the dedicated fast-hello failure detection mechanism
Task 6: Layer 3 switching features
• Ensure a static layer 2 to layer 3 mapping is created on VLAN 112 on SW1-1 for 198.18.112.24 to MAC address abcd.1234.5678
• Configure SW2 so that it detects duplicate IP addresses and updates its cache on Ethernet1/5
• Ensure that SW1-1 reserves space for 2750 outstanding ARP entries in the ASIC, to prevent ARP replies from being dropped when they are returned and an attempt is made to install them in the ASIC hardware
• Configure all switches so they use RFC 1191
Drawing 3: FabricPath / OTV Topology
Task 7: FabricPath and OTV
• Load the initial configuration file for part 2 of chapter 2, which will create a topology according to drawing 3
• Create VLAN 666 on all relevant switches in the topology
• Ensure hosts on VLAN 666 can communicate via layer 2 on all 4 edge switches using the technologies as mentioned in drawing 3
• Use the 198.18.10.0/24 subnet when a layer 3 link is required in the topology
• Configure VLAN interfaces (SVIs) with the following IP addresses:
SW2: 198.18.66.1/24
SW3: 198.18.66.2/24
SW1-3: 198.18.66.3/24
SW1-4: 198.18.66.4/24
• Ensure traffic is using all links between the switches to reach from SW2 and SW3 to SW1-3 and SW1-4
• Verify this task is completed successfully by being able to ping all 198.18.66.x interfaces of all edge switches
Chapter 4: Data Center Networking High Availability (NX-OS)
Chapter 4: Data Center Networking High Availability (NX-OS) is intended to familiarize you with the NX-OS High Availability features on the Nexus platforms used to create a highly available network. Various types of deployments of Port-channels and Virtual Port-channels are discussed in this chapter. The second part of this chapter focuses on First Hop Redundancy Protocols (FHRPs) and High Availability features of dynamic routing protocols. The third part focuses on a special implementation of virtual port-channels in FabricPath networks.
We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.
Multiple topology drawings are available for this chapter.
General Rules
• Try to diagram out the task. Draw your own connections the way you like it
• Create a checklist to aid as you work thru the lab
• Take a very close read of the tasks to ensure you don’t miss any points during grading!
• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter
Estimated Time to Complete: 3 hours
Pre-setup
• Connect to the Nexus 7000 switch and Nexus 5000 switches within the topology
• Use the central topology drawing at the start of this workbook
• Load the initial configuration of Chapter 4 on the Nexus 7000 switch to stage the Virtual Device Contexts needed for this lab
• When starting the third part of this lab regarding virtual Port-Channels within FabricPath networks, the second set of initial configuration should be loaded on the Nexus 7000 to create a different topology with Virtual Device Contexts
• This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below
Drawing 1: Physical Topology
Drawing 2: Logical Topology
Configuration tasks
Task 1: Topology set-up
1. Configure the Nexus 5500 switches with hostnames of “SW2” and “SW3”. The Nexus 7000 VDCs should already have hostnames through the loading of the initial configuration. Use switchto vdc and switchback to move between different switches on the Nexus 7000.
2. Create the VLANs as are required on the switches as shown in drawing 2
3. Configure IP addressing on SVI and interfaces according to drawing 2
4. Configure all switches to have a Loopback0 interface with an IP address of 198.18.0.Z/32 where Z is the router number / host address as specified in drawing 2
Task 2: Port-Channels
1. Configure Ethernet3/1 and Ethernet3/2 on SW1-1 and Ethernet1/1 and Ethernet1/2 on SW2 to be a single logical connection to carry the VLAN required as stated in drawing 2. Use number 1 for this connection.
2. Configure Ethernet3/5 and Ethernet3/6 on SW1-2 and Ethernet1/1 and Ethernet1/2 on SW3 to be a single logical connection to carry the VLAN required as stated in drawing 2. Use number 2 for this connection.
3. Configure logical interface 1 to negotiate its bundling capabilities between the switches
4. SW2 should never actively start negotiating link bundling
5. Logical interface 1 is used for bandwidth reasons and should therefore shut down when there is less than 20Gbps capacity available in the bundle
6. Logical interface 1 should mark interfaces as hot-standby when additional interfaces are added to the bundle
7. Configure Ethernet1/5 and Ethernet1/6 on SW2 and SW3 to negotiate a link bundle. Use number 3 for this interface.
8. Configure logical interface 3 with IP addressing in the 198.18.23.0/24 subnet. Use host IP addresses as previously used for these switches.
9. Ensure that when no dynamic link bundling advertisements are received on an interface on
10. There are plans to increase the capacity between SW2 and SW3 to 80Gbps with additional interfaces for resiliency purposes. Ensure that Ethernet1/5 is always chosen to participate in the bundle and Ethernet1/6 should be selected as a hot-standby link when additional interfaces are added to the bundle.
11. Logical interface 3 should use a very fast detection mechanism to signal the removal of an interface in the bundle
12. Configure SW2 and SW3 to load-balance between the interfaces in link-bundles using as much packet header information as possible.
13. Remove any configuration related to interface bundle 1 and 2 from the switches before continuing with the next task
Task 3: Virtual Port-channels (vPCs)
1. Ensure it’s possible to create Multi-Chassis Link Aggregation Groups (link bundles) on SW1-1 and SW1-2. Use ID 100 for this.
2. SW1-2 should be the primary device
3. Ensure it’s possible to create Multi-Chassis Link Aggregation Groups (link bundles) on SW2 and SW3. Use ID 200 for this.
4. Send keep alive messages across the mgmt0 interfaces of domain 200 switches
5. Use a dedicated SVI with IP addressing in the subnet of 198.18.5.0/24 to send keep alive messages between switches in domain 100. Ensure that the keep alive messages are not using the global IP routing table. Use Ethernet3/10 on SW1-1 and Ethernet3/12 on SW1-2 for this.
6. Configure Ethernet3/9 on SW1-1 and Ethernet3/11 on SW1-2 as peer-link
7. Bundle Ethernet1/7 and Ethernet1/8 on SW2 and SW3 and configure this as the peer-link
8. Ensure domain 100 brings up its vPCs once a peer fails or reboots. Delay this process for 5 minutes.
9. SW2 and SW3 should be seen as a single Spanning-Tree root with a priority of 8192
10. Configure an MC-LAG connection between SW1-1, SW1-2 and SW2. Use Ethernet3/1 on
11. Configure a vPC connection between SW2, SW3 and SW1-2. Use Ethernet3/5 and Ethernet3/7 on SW1-2, Ethernet1/3 on SW2 and Ethernet1/3 on SW3. Use number 102 for this connection.
12. Use the remaining connections between SW1-1, SW1-2, SW2 and SW3 and bundle them in a single logical interface with number 103.
13. Ensure all VLANs required for Drawing 2 are allowed on the vPC links
14. Use 1234.5678.90ab as the single MAC address that is used for the identification of domain 100 LACP packets
Task 4: Graceful Restart / Non-Stop Forwarding
1. Configure dynamic routing protocols according to drawing 2. Ensure Loopback interfaces of SW2 and SW1-1 can ping each other and SW1-2 and SW3 can ping each other
2. Ensure that the routers running OSPF keep their routing information and keep forwarding traffic to neighbors when they are rebooting
3. An older router that will take a little over 2 minutes to reboot will be connected to SW2. Ensure that your configuration supports this
4. Ensure that SW3 supports ISSU
5. SW3 should keep routes from restarting neighbors for 5 minutes
6. Signal a restart as fast as possible on SW3
Task 5: HSRP
1. Ensure that hosts on VLAN 111 are always able to reach their default gateway, when one of the 2 switches fails
2. Use a Cisco proprietary protocol for this use, which uses a single active default gateway
3. Use the .1 host IP address as the default gateway for this network segment
4. Make the switches primary and backup according to the best practice
5. Use a hashed key of “IPexpertYEAR1” to secure this protocol from now until December 31st the same year. On January 1st one year later the key should change to “IPexpertYEAR2”. Ensure that switches keep accepting the old key for at least 2 more hours
6. When the backup switch is active and the primary switch comes back online after a reboot, ensure that it will take back the active role after the switch is up for 3 minutes
7. Give this process a name of “IPexpertVLAN111”
8. A switch should declare its neighbor down within 1 second
9. When one of the Ethernet uplinks fails the priority should be lowered with 1/10th of the configured priority value
10. When a second Ethernet uplink fails the switch should stop forwarding Layer 3 traffic and send traffic across the vPC peer-link
11. The default gateway MAC address should be the MAC address of one of the physical Ethernet interfaces
Task 6: VRRP
1. Ensure that hosts on VLAN 121 are always able to reach their default gateway, when one of the 2 switches fails
2. Use a standards based protocol for this use, which uses a single active default gateway
3. When clients on VLAN 121 issue an ARP request for the Default Gateway it should respond with MAC address 0000.5E00.0174 without configuring this MAC address in the configuration
4. Use the .254 host IP address as the default gateway for this network segment
5. Configure SW1-2 as the primary switch using a value of 200
6. Use a clear text password of “IPexpert” to secure the protocol
7. Ensure a higher priority backup router does not take over the role of a lower priority active router. Configure this only on the current primary switch.
8. Ensure that SW1-2 becomes the standby router after 30 seconds, when the Loopback address of SW3 disappears from the routing table
9. Switches should declare their neighbors down in 10 seconds
Task 7: GLBP
1. Ensure that hosts on VLAN 222 are always able to reach their default gateway, when one of the 2 switches fails
2. Use a load balancing Cisco proprietary protocol
3. Use the .55 host IP address as the default gateway for this network segment
4. Both routers should be capable of forwarding traffic.
5. SW1-1 should be answering all ARP requests
6. When the Loopback address of one of the upstream switches disappears from the routing table the switches should no longer be AVF
7. Delay the take over of the AVF role for a standby switch for 3 minutes if any current AVF fails
8. The router should become the AVG after 30 seconds if it has a higher priority than the current AVG
9. Ensure the routers support In-Service Software Upgrades
Task 8: Virtual Port-Channels (vPCs) and FabricPath
1. Load the initial configuration of Chapter 4 Task 8 on the Nexus 7000 switch to stage the Virtual Device Contexts needed for this lab
2. Configure the FabricPath network to stretch VLAN 666 between all Leaf switches
3. Ensure the PC connected to SW2 and SW3 is able to connect using a virtual Port-Channel with number 100 on all places where necessary to configure a number
Chapter 5: Data Center Storage Networking
Chapter 5: Data Center Storage Networking is intended to familiarize you with the Storage Networking features on the Cisco MDS switches. It covers configuring traditional Fibre Channel networks and basic Fibre Channel features.
We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.
Multiple topology drawings are available for this chapter.
General Rules
• Try to diagram out the task. Draw your own connections the way you like it
• Create a checklist to aid as you work thru the lab
• Take a very close read of the tasks to ensure you don’t miss any points during grading!
• Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter
Estimated Time to Complete: 5 hours
Pre-setup
• Connect to the MDS switches within the topology
• Use the central topology drawing at the start of this workbook
• The switches start with a blank configuration. You will be creating parts of your own Initial Configuration for later labs.
• This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below
Drawing 1: Physical Topology
Configuration tasks
Task 1: Initial set-up
1. Give the MDS switches in the topology the following hostnames: MDS1, MDS2. Configure the default username and password according to the generic lab topology
2. Ensure that they can be reached through the management network using IP addresses in the range as stated in the initial set-up information at the beginning of the workbook. Use Host IP addresses of .10 and .11
3. Use the default gateway of the management subnet as Time Synchronization server
4. Do not use any automatic selection of interface type for this lab, unless specifically stated
5. Do not use any automatic speed selected for interfaces
6. Use 200MBps connections towards the JBODs
7. JBODs on MDS2 should automatically detect the interface speeds
8. Ensure Fabric Logins are done by the connected JBODs
9. Enable the links between the MDS switches as standard based ISLs
10. Configure a descriptive name on all interfaces consisting of the name and port of the device which is connected. You are prohibited to use the ‘description’ command.
11. Ensure the connection towards JBOD1 is easily physically located on MDS1
12. The fiber connected to fc1/10 is of low quality causing errors on the interface. Ensure the switch does not go into err-disable state, because of this reason.
13. Ensure that interfaces on the MDS switches are shutdown when no configuration is applied to them
14. All disks inside of the JBODs should be identified on the MDS switches with a simple name in the form of JxDy where X is the JBOD number and Y is the disk number.
15. The simple device names should be seen on both MDS switches, by only configuring one of the switches. The names should not be VSAN dependent.
16. Ensure applications that use the simple names will follow changes to the database
18. JBOD1 on MDS1 is only allowed to send packets with a maximum size of 2000 bytes
19. Enable B2B credit state change numbers on all JBOD interfaces
Task 2: VSANs
1. Create VSAN 10, 20, 30 and 40 with names of “IPX_VSAN_#”, where # is the VSAN number
2. Configure fc1/5 on MDS1 in VSAN 10 and fc1/6 on MDS2
3. Configure fc1/5 on MDS2 and fc1/6 on MDS1 in VSAN 20
4. Ensure that WWPN 20:11:00:0a:31:00:aa:de is automatically placed in VSAN 30 when it comes online anywhere in the Fibre Channel fabric
5. Ensure that J1D1 is automatically placed in VSAN 40 when it comes online in the fabric
6. MDS1 should use the Source and Destination FCID for load balancing across equal cost paths in VSAN 10
7. MDS2 should use Exchange based load balancing across different interfaces in a port-channel in VSAN 20
8. Ensure that all ISLs of the MDS switches are capable of transferring multiple VSANs across the same interface
9. Configure fc1/1 and fc1/3 on both MDS switches as a single logical connection using number