IPexpert's CCIE R&S (v5) Technology Workbook (Vol. 1) Detailed Solution Guide

(1)

(2)

CCIE Routing & Switching

Volume 1 Detailed Solution Guide

Version 5.2C

0

8

a

l

(3)

Version 5.2C 2 | P a g e

iPexpert's End-User License Agreement

END USER LICENSE FOR ONE (1) PERSON ONLY IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,

DO NOT OPEN OR USE THE TRAINING MATERIALS.

This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions. The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License.

Copyright and Proprietary Rights

The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT.

The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT.

You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.

Exclusions of Warranties

THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state.

Choice of Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect.

(14)

13 | P a g e Version 5.2C Limitation of Claims and Liability

ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR’S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.

Entire Agreement

This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights

The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.

(15)

Welcome, and Thank You!

On behalf of the entire iPexpert team, I'd personally like to thank you for putting your greatest certification journey in our hands, and trusting us to deliver cutting-edge training to help you accomplish this goal. Although there is no way to guarantee a 100% pass rate on the CCIE Lab, my team and I feel extremely confident that your chances of passing will improve dramatically with the use of our training materials.

-Respectfully, Wayne A. Lawson II, CCIE #5244 (Emeritus) / Founder & CEO - iPexpert, Inc.

Feedback

At iPexpert, we value the feedback (both positive and constructive) offered by our clientele. Our dedication to offering the best tools and content to help students succeed could not be possible without your comments and suggestions. Your feedback is what continually keeps us enhancing our product portfolio, and it is greatly appreciated. If there is anything you'd like us to know, please do so via the feedback@ipexpert.com alias.

In addition, when you pass your CCIE Lab Exam, we want to hear about it! Please email your Full Name (used in the CCIE Verification Tool), CCIE number and the track to success@ipexpert.com and let us know how iPexpert played a role in your success. We would like to be sure you're welcomed into the "CCIE Club" appropriately, send you a gift for your accomplishment.

Technical Support and Freebies

To conclude, we are also proud to lead the industry with multiple support options at your disposal, free of charge. Our online support community has attracted a membership of your peers from around the world, and is monitored on a daily basis by our instructors and our students. We also consistently publish technical articles / papers on our blog. You can also follow up on Facebook, Twitter, LinkedIn, Google+ and YouTube for more in-depth discussion on current industry trends and CCIE preparation tips.

Lastly, referrals are very important to us. It tells us that; 1) you like, value, and approve of our training and 2) it helps us to continue to grow as a company. If you have any of your peers who you feel will value by the use of any of our training materials, please send us their name, email address, telephone number and what certification and track you feel that they're interested in. If your referral makes a purchase, we will provide you with in-house credit that can be used at any time. If your referrals exceed a certain threshold, we will also include a gift card of your choice (either an American Express or Amazon gift card).

(16)

How to Use This Lab Preparation Workbook

In 2014 Cisco announced a new CCIE Routing & Switching blueprint for their V5 of the Lab Exam. This change was one of the biggest changes we've seen the over 14 years since we've been delivering cutting-edge CCIE training materials. The changes consisted of a modification of the lab structure to now include:

 A restructure of the way the lab is delivered. You will first have to complete a Troubleshooting section where you'll have access to the rack that Cisco provides you to do so. The next section consists of the Diagnostics section, which is done without access to your rack. The third section is the Configuration section, which is the actual "lab" that most people focus on, and have been primarily concerned about in the past. With this new lab structure, it's VERY IMPORTANT that you are well-prepared for all three Sections of the Lab Exam. At any point, you could fail the Lab Exam if you don't receive enough points in 1 of the 3 sections.

 Cisco has also made a drastic change in the topology that you'll be given. It's common knowledge at the time of this book's publication that the topology you're given has gone from their previous 6 to 8 router / 4 switch topology (seen in the labs previous to V4), to a topology that could potentially consist of up to 40 routers and 8 switches. It's imperative that you work through practice scenarios on a large topology, so you're familiar with the intricacies and technological specifics that can be introduced with a topology that large.

 Cisco has also changed their retake policy which now requires their CCIE candidates to wait longer durations before their next attempt(s). Below we have listed Cisco's new policy.

 And, finally, Cisco has created this impressive blueprint and broken it into sections. Cisco provides you with the 5 section titles and the number of points so you're able to understand how their grading works and how much focus and attention is placed on that various section. The primary section outline is provided below; however, we have not provided all of the topics and subtopics that Cisco has provided. We recommend that you reference Cisco's website URL, which provides these details for the Routing & Switching V5 Lab, which will require you to have a CCO and Cisco Learning Network login prior to being given access. That URL was found here at the date of this book's publication.

(17)

Cisco's New Retake Policy

Cisco R&S V5 Blueprint (Primary Sections w/ Assigned Point Values)

 Layer 2 Technologies: 20%

 Layer 3 Technologies: 40%  VPN Technologies: 20%  Infrastructure Security: 5%  Infrastructure Services: 15%

About This Lab Preparation Workbook

Throughout this workbook, you'll be asked to reference various diagrams and to pre-load configurations. These pre-loaded configurations will be automatically loaded when you're utilizing our online rack rental solution. All diagrams are provided in a .zip file that's accessed when you're logged into your iPexpert's Member's Area. If you're asked to reference a table, it will be located within this actual workbook, unless otherwise noted.

Additional Information Pertaining to Cisco's CCIE R&S Lab Exam

NOTE

The following information has been obtained from Cisco's Learning Network. We are not affiliated with, or endorsed in any way by Cisco.

(18)

About the CCIE Lab Exam

The CCIE Lab Exam is an eight-hour, hands-on exam which requires you to configure and troubleshoot a series of complex networks to given specifications. Knowledge of troubleshooting is an important

skill and candidates are expected to diagnose and solve issues as part of the CCIE Lab Exam. You will

not configure end-user systems, but are responsible for all devices residing in the network (hubs, etc.). Point values and testing criteria are provided. More detail is found on the Routing & Switching Lab Exam Blueprint and the list of Lab Equipment and IOS Versions.

Cost

The Lab Exam cost does not include travel and lodging expenses. Costs may vary due to exchange rates and local taxes (VAT, GST). You are responsible for any fees your financial institution charges to complete the payment transaction. Price not confirmed and is subject to change until full payment is

made. For more information on the Lab Exam Registration please reference the Take Your Lab

Exam tab.

Lab Environment

The Cisco documentation is available in the lab room, but the exam assumes knowledge of the more common protocols and technologies. The documentation can be navigated using the index. No outside reference materials are permitted in the lab room. You must report any suspected equipment issues to the proctor during the exam; adjustments cannot be made once the exam is over.

Lab Exam Grading

The labs are graded by proctors who ensure that all the criteria have been met. They will use automatic tools to gather data from the routers in order to perform preliminary evaluations. Candidates must reach a minimum threshold in all three sections and achieve an overall passing score.

Lab Format

The CCIE Routing & Switching Lab Exam consist of a 2 hour Troubleshooting section, a 30 minute Diagnostic section, and a 5 hour and 30 minute Configuration section. Candidates may choose to borrow up to 30 minutes from the Configuration section and use it in the Troubleshooting section.

(19)

Results

You can review your Lab Exam results online (login required), usually within 48 hours. Results are Pass/Fail and failing score reports indicate major topic areas where additional study and preparation may be useful.

Reevaluation of Lab Results

A Reread involves having a second proctor load your configurations into a rack to re-create the test and re-score the entire exam. Rereads are available for the Routing & Switching, and Service Provider technology tracks.

A Review involves having a second proctor verify your answers and any applicable system-generated debug data saved from your exam. Reviews are available for all other tracks.

Payment Terms

Make your request within 14 days following your exam date by using the "Request for Reread" link next to your lab record. A Reread costs $1000.00 USD and a Review costs $400.00 USD. Payment is made online via credit card and your Reread or Review will be initiated upon successful payment. You may not cancel the appeal request once the process has been initiated. Refunds are given only when results change from fail to pass.

Troubleshooting

The CCIE Routing & Switching Lab Exam features a 2 hour troubleshooting section. Candidates will be presented with a series of trouble tickets for preconfigured networks and need to diagnose and resolve the network fault or faults. As with the configuration section, the network must be up and running for a candidate to receive credit. Candidates who finish the Troubleshooting section early may proceed on to the Diagnostic section, but they will not be allowed to go back to Troubleshooting.

NOTE

(20)

(21)

Lab 1: Configure and Troubleshoot Switch

Port Modes :: Detailed Solutions

Technologies Covered

 CDP  Access ports  VLAN database  VLAN  Trunking  dot1Q  Native VLAN  Manual pruning

 Layer 3 native interfaces  SVIs

 Router-on-a-stick

Detailed Solution Guide

This portion of the material is designed to provide our students with the exact commands to use, when to use them, and also the various show commands that will allow you to understand what you're looking for. In addition, the instructor has provided some detail as to why the various solutions have been used versus another potential command set that would have accomplished the same outcome.

(22)

iPexpert’s Recommended Reading Material

 Cisco Discovery Protocol Version 2:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cdp/configuration/15-mt/cdp-15-mt-book/nm-cdp-discover.html

 Configuring Access and Trunk Interfaces:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide /cli_rel_4_0_1a/CLIConfigurationGuide/AccessTrunk.html

 Configuring InterVLAN Routing on Layer 3 Switches:

http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html

iPexpert’s Recommended Video Training

iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE Routing & Switching lab exam. We recommend watching the following learning videos, which cover the topics seen in this lab scenario.

 Video Title: CDP Theory  Video Title: CDP Demo

 Video Title: VLANS and Trunking Theory  Video Title: VLANS and Trunking Demo  Video Title: Multilayer Switching

Topology Detail

Logically connect and configure your network as displayed in the drawing below. You may also refer to the diagram located within your configuration files for topology information.

(23)

Diagram 1.1: Switch Port Modes Topology

Lab 1 Setup

 This lab is intended to be used with online rack access. Connect to the terminal server for the online rack, and complete the configuration tasks as detailed below.

Configuration Tasks :: Detailed Solutions

1. Disable CDP on R2.

We can globally disable CDP on a device. On R2, configure the following:

R2(config)#no cdp run

2. Disable CDP on the connection between R6 and Cat2.

NOTE

(24)

23 | P a g e Version 5.2C On Cat2, we can see R6 in the list of the neighbors detected by CDP.

Cat2#sh cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID Cat4 Eth 5/1 152 R S Linux Uni Eth 5/1 Cat4 Eth 5/0 152 R S Linux Uni Eth 5/0 BB2 Eth 5/2 163 R B Linux Uni Eth 0/0 BB3 Eth 5/3 153 R B Linux Uni Eth 0/0 Cat3 Eth 4/1 152 R S Linux Uni Eth 4/1 Cat3 Eth 4/0 152 R S Linux Uni Eth 4/0 R2 Eth 0/2 110 R B Linux Uni Eth 0/1 R6 Eth 1/2 157 R B Linux Uni Eth 0/0 Cat1 Eth 3/2 172 R S Linux Uni Eth 3/2 Cat1 Eth 3/1 172 R S Linux Uni Eth 3/1 Cat1 Eth 3/0 172 R S Linux Uni Eth 3/0 R8 Eth 2/0 149 R B Linux Uni Eth 0/1

We have to disable CDP on the connection between Cat2 and R6. On Cat2, configure the following:

Cat2(config)#int e1/2

Cat2(config-if)#no cdp enable

On R6, configure the following:

R6(config)#int e0/0

R6(config-if)#no cdp enable

3. Between Cat1 and Cat2, CDP should only be running on the E3/1 and E3/2 interfaces. The updates should be sent every 20 seconds, and the neighbor should be declared lost after 6 missing updates.

There are 3 connections between Cat1 and Cat2 that is to say E3/0, E3/1, and E3/2. We have to disable CDP on the E3/0 interface.

(25)

On Cat2, configure the following:

The CDP updates should be sent every 20 seconds, and the neighbor should be declared lost after 6 missing updates. Default value can be seen using the following show command:

Cat2#sh cdp

Global CDP information:

Sending CDP packets every 60 seconds Sending a holdtime value of 180 seconds Sending CDPv2 advertisements is enabled

On Cat1 and Cat2, configure the following:

Cat2(config)#cdp timer 20 Cat2(config)#cdp holdtime 120

We can check that the configuration has taken effect:

Cat2#sh cdp

Global CDP information:

Sending CDP packets every 20 seconds Sending a holdtime value of 120 seconds Sending CDPv2 advertisements is enabled

4. Between Cat1 and Cat2, the broadcasted CDP packets should not report mismatched nativeVLAN IDs.

Reporting mismatched native VLAN ID with a syslog message is one of the very nice features that are supported by CDP version 2. To stop this reporting we have to send only CDP version 1 updates between Cat1 and Cat2. Modifying the CDP version is not supported on an interface level, but only on a global level.

(26)

25 | P a g e Version 5.2C On Cat1 and Cat2, use the following:

CatX(config)#no cdp advertise-v2

5. Configure VLAN 101, 102, 103, and 999 in the VLAN local database of Cat1 and Cat2 with the respective name of VLAN101, VLAN102, VLAN103, VLAN999. The configuration of the VLANs should appear in the running-configuration and no VLAN distribution protocol should be running. On Cat1 and Cat2, configure the following:

CatX(config)#vlan 101 CatX(config-vlan)#name VLAN101 CatX(config-vlan)#vlan 102 CatX(config-vlan)#name VLAN102 CatX(config-vlan)#vlan 103 CatX(config-vlan)#name VLAN103 CatX(config-vlan)#vlan 999 CatX(config-vlan)#name VLAN999

The VLANs that were just created are shown when typing the show vlan command. However, the configurations of the VLANs are not shown in the running-configuration file. This is due to the fact that the default VTP mode is set to server.

Cat2#sh vtp status

VTP Version capable : 1 to 3 VTP version running : 1 VTP Domain Name :

VTP Pruning Mode : Disabled VTP Traps Generation : Disabled Device ID : aabb.cc00.6600

Configuration last modified by 172.16.102.102 at 10-4-14 10:02:18

Local updater ID is 172.16.102.102 on interface Lo0 (first layer3 interface found) Feature VLAN:

---

VTP Operating Mode : Server Maximum VLANs supported locally : 1005 Number of existing VLANs : 8 Configuration Revision : 6

MD5 digest : 0x6B 0x99 0x57 0x33 0x79 0x8A 0xD8 0xFB 0xF4 0xC3 0xEB 0x40 0xEE 0xD7 0xF5 0x6C

(27)

We have to modify the VTP mode to transparent in order to see the VLAN configuration in the running configuration file.

CatX(config)#vtp mode transparent

6. Configure interface E3/0 in access mode VLAN 101 on Cat1 and Cat2. On Cat1 and Cat2, configure the following:

CatX(config)#int e3/0 CatX(config-if)#switchport

CatX(config-if)#switchport mode access CatX(config-if)#switchport access vlan 101

7. Configure the following IP addresses under the following interfaces:

Table 1.2

Cat1 E0/2 10.1.0.1/24

R2 E0/0 10.1.0.2/24

Make sure that ping is working between the 2 interfaces. On Cat1, configure the following:

Cat1(config)#int E0/2

Cat1(config-if)#no switchport

Cat1(config-if)#ip address 10.1.0.1 255.255.255.0

R2(config)#int E0/0

(28)

27 | P a g e Version 5.2C Verify the ping from R2 to Cat1 is working:

R2#ping 10.1.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds: .!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

The first ping is lost because it corresponds to the time for the ARP transactions to take place.

8. Configure an ISL trunk between Cat1 and Cat2 on E3/1. Allow VLAN 102. Allow DTP to negotiate whether a trunk forms. VLAN 999 should be the native VLAN.

Cat1#sh int trunk

Port Mode Encapsulation Status Native vlan Et3/1 desirable n-isl trunking 1

Et3/2 desirable n-isl trunking 1 Et4/0 desirable n-isl trunking 1 Et4/1 desirable n-isl trunking 1 Port Vlans allowed on trunk

Et3/1 1-4094 Et3/2 1-4094 Et4/0 1-4094 Et4/1 1-4094

Port Vlans allowed and active in management domain Et3/1 1,101-103

Et3/2 1,101-103 Et4/0 1,101-103 Et4/1 1,101-103

Port Vlans in spanning tree forwarding state and not pruned Et3/1 1,101-103

Et3/2 1,101-103 Et4/0 1,101-103

Port Vlans in spanning tree forwarding state and not pruned Et4/1 1,101-103

(29)

By default, an ISL trunk is negotiated as soon as the port E3/1 comes up. So without any configuration changes, we have a working trunk for VLANs 101,102, 103, and 999. Per the task requirements, the trunk will be limited to transmit VLANs 102 and 999.

CatX(config)#int e3/1

CatX(config-if)#switchport trunk allowed vlan 102,999 CatX(config-if)#switchport trunk native vlan 999

We can check that only VLAN 102 is trunked on port E3/1.

Cat1#sh int e3/1 trunk

Port Mode Encapsulation Status Native vlan Et3/1 desirable n-isl trunking 999

Port Vlans allowed on trunk Et3/1 102,999

Port Vlans allowed and active in management domain Et3/1 102,999

Port Vlans in spanning tree forwarding state and not pruned Et3/1 102,999

9. Configure a dot1q trunk between Cat1 and Cat2 on E3/2. Allow only VLAN 103 on the trunk. VLAN 103 should be sent untagged.

CatX(config-if)#switchport trunk encapsulation dot1q CatX(config-if)#switchport mode trunk

We are going to limit this trunk to transmit only on the VLAN 103 and to configure the VLAN 103 as the native VLAN on the trunk. The native VLAN is sent untagged.

(30)

CatX(config-if)#switchport trunk allowed vlan 103 CatX(config-if)#switchport trunk native vlan 103

We can check our configuration with the following command:

Cat2#sh int e3/2 trunk

Port Mode Encapsulation Status Native vlan Et3/2 on 802.1q trunking 103

Port Vlans allowed on trunk Et3/2 103

Port Vlans allowed and active in management domain Et3/2 103

Port Vlans in spanning tree forwarding state and not pruned Et3/2 103

10. Configure only the following SVIs:

Table 1.3

Cat1 Vlan 103 10.103.0.1/24

Cat2 Vlan 101 10.101.0.2/24

Cat1(config)#int vlan 103

Cat1(config-if)#ip address 10.103.0.1 255.255.255.0 Cat1(config-if)#no shut

(31)

Cat2(config)#int vlan 101

Cat2(config-if)#ip address 10.101.0.2 255.255.255.0 Cat2(config-if)#no shut

11. Configure the following sub-interfaces on the E0/0 of R6:

Table 1.4

E0/0.101 10.101.0.6/24

E0/0.103 10.103.0.6/24

We are going to configure a router on a stick topology. R6 is going to do the on-a-stick inter-Vlan routing.

R6(config)#interface Ethernet0/0.101 R6(config-if)#encapsulation dot1Q 101 R6(config-if)#ip address 10.101.0.6 255.255.255.0 R6(config)#interface Ethernet0/0.103 R6(config-if)#encapsulation dot1Q 103 R6(config-if)#ip address 10.103.0.6 255.255.255.0

Cat2(config)#interface Ethernet1/2

Cat2(config-if)#switchport trunk encapsulation dot1q Cat2(config-if)#switchport trunk allowed vlan 101,103 Cat2(config-if)#switchport mode trunk

12. Ensure that you can ping from interface Vlan 103 on Cat1 to interface Vlan 101 on Cat2 by using R6 as the inter-VLAN routing point. Do not use the ip route command.

In order to route from VLAN 103 to VLAN 101 over the router on a stick R6, we have to give each VLAN a default gateway. As we are not allowed to use the ip route command, we can use the

(32)

31 | P a g e Version 5.2C On Cat1, configure the following:

Cat1(config)#no ip routing

Cat1(config)#ip default-gateway 10.103.0.6

Cat2(config)#no ip routing

Cat2(config)#ip default-gateway 10.101.0.6

Interestingly enough, please note that you have to disable IP routing on the switch. Otherwise, the IP default-gateway will not be taken into account.

The ping from Cat2 to Cat1 routed from R6 is not up and running:

Cat1#ping 10.101.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.101.0.2, timeout is 2 seconds: !!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms Cat1#traceroute 10.101.0.2

Type escape sequence to abort. Tracing the route to 10.101.0.2

VRF info: (vrf in name/id, vrf out name/id) 1 10.103.0.6 0 msec 0 msec 1 msec

2 10.101.0.2 1 msec * 0 msec

Helpful Verification Commands

 Show cdp

 Show cdp neighbor

 Show vtp status

 Show interface trunk

(33)

Technical Verification and Support

To verify your configurations please ensure that you have downloaded the latest “final configurations” from within the iPexpert Member’s Area.

For instructor and developer support, please be sure to submit questions through our interactive support community that’s accessible from the Member’s Area.

(34)

Lab 2: Configure and Troubleshoot VTP ::

Detailed Solutions

Technologies Covered

 VTPv1  VTPv2  VTPv3  VTP pruning

Detailed Solution Guide

(35)

iPexpert’s Recommended Reading Material

 Understanding VLAN Trunk Protocol:

http://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html  VTP Version 3:

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/solution_guide_c78_508010.html

iPexpert’s Recommended Video Training

 Video Title: VTP v1/v2 Theory  Video Title: VTP v1/v2 Demo

Topology Details

(36)

Diagram 2.1: VTP Topology

Lab 2 Setup

Configuration Tasks :: Detailed Solutions

1. Configure a dot1q trunk allowing all VLANs on all the connections between Cat1 and Cat2, between Cat2 and Cat3, and between Cat3 and Cat4.

NOTE

Load the initial configuration files before starting to work on the tasks.

(37)

Cat1(config-if)#switchport trunk encapsulation dot1q Cat1(config-if)#switchport mode trunk

(38)

2. Configure Cat4 as the server of the VTP domain iPexpert. On Cat4, configure the following:

Cat4(config)#vtp mode server Cat4(config)#vtp domain iPexpert

3. Configure Cat3 not to update its VLAN database. Cat3 should silently forward VTP packets. On Cat3, configure the following:

Cat3(config)#vtp mode transparent

4. Configure Cat1 and Cat2 as client of Cat4. NOTE

It is important to configure the VTP in mode transparent and not in mode off. A switch configured with VTP mode off will not forward the VTP packets, and the VTP server Cat4 would not be able to reach the

(39)

CatX(config)#vtp mode client CatX(config)#vtp domain iPexpert

5. Add VLAN 150 and 151 on Cat4, and check that those VLANs are now present on Cat1 and Cat2, but not on Cat3.

On Cat4, the VTP server, configure the following:

Cat4(config)#vlan 150 Cat4(config-vlan)#vlan 151

Let’s verify that the 2 VLANs have been propagated to the VTP clients Cat1 and Cat2. Make sure that all the trunks on the path from Cat4 to Cat1 are up and running and trunking properly.

Cat1#sh vlan

VLAN Name Status Ports

---- --- --- --- 1 default active Et0/0, Et0/1, Et0/2, Et0/3 Et1/0, Et1/1, Et1/2, Et1/3 Et2/0, Et2/1, Et2/2, Et2/3 Et3/0, Et3/3, Et4/0, Et4/1 Et4/2, Et4/3, Et5/0, Et5/1 Et5/2, Et5/3, Et6/0, Et6/1 Et6/2, Et6/3, Et7/0, Et7/1 Et7/2, Et7/3 150 VLAN0150 active 151 VLAN0151 active 1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- --- --- --- --- --- --- ---- --- --- --- 1 enet 100001 1500 - - - - - 0 0 150 enet 100150 1500 - - - - - 0 0 151 enet 100151 1500 - - - - - 0 0

(40)

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- --- --- --- --- --- --- ---- --- --- --- 1002 fddi 101002 1500 - - - - - 0 0 1003 tr 101003 1500 - - - - srb 0 0 1004 fdnet 101004 1500 - - - ieee - 0 0 1005 trnet 101005 1500 - - - ibm - 0 0 Primary Secondary Type Ports

--- --- --- ---

6. Add VLAN 1500 on Cat4, and make sure that it is propagated to Cat1 and Cat2, but not to Cat3. VTP version 1 and 2 support only the propagation of VLANs ranging from 1-1001. In order to forward the VLAN with the VLAN ID 1500, we have to upgrade the VTP version to version 3.

On Cat1, Cat2, Cat3, and Cat4, configure the following:

CatX(config)#vtp version 3

CatX(config)#spanning-tree extend system-id

The default operational state of a switch configured with VTP v3 is to be in secondary server mode. Cat4 has to be converted into a primary VTP version 3 server; this is done with the following command :

Cat4#vtp primary vlan

Let’s observe what happens when this command is entered.

This system is becoming primary server for feature vlan No conflicting VTP3 devices found.

Do you want to continue? [confirm]

%Cat_VLAN-4-VTP_PRIMARY_SERVER_CHG: aabb.cc00.6800 has become the primary server for the VLAN VTP feature

Cat4#sh vtp status

VTP Version capable : 1 to 3 VTP version running : 3

(41)

VTP Pruning Mode : Disabled VTP Traps Generation : Disabled Device ID : aabb.cc00.6800 Feature VLAN:

---

VTP Operating Mode : Primary Server Number of existing VLANs : 7

Number of existing extended VLANs: 0 Maximum VLANs supported locally : 4096 Configuration Revision : 1

Primary ID : aabb.cc00.6800 Primary Description : Cat4

MD5 digest : 0x7B 0x3D 0xBC 0x71 0xB5 0x80 0xA9 0xDF 0x47 0xA4 0x1D 0x7E 0x50 0xF8 0x5C 0xEB Feature MST:

---

VTP Operating Mode : Transparent Feature UNKNOWN:

---

VTP Operating Mode : Transparent

Now that the network has been upgraded to VTP version 3, we can configure VLAN ID 1500 on Cat4 and this VLAN will be propagated to Cat1 and Cat2.

Cat4(config)#vlan 1500

On Cat1, we can check that this VLAN has been propagated to the Version 3 clients:

Cat1#sh vlan

(42)

1 default active Et0/0, Et0/1, Et0/2, Et0/3 Et1/0, Et1/1, Et1/2, Et1/3 Et2/0, Et2/1, Et2/2, Et2/3 Et3/0, Et3/3, Et4/0, Et4/1 Et4/2, Et4/3, Et5/0, Et5/1 Et5/2, Et5/3, Et6/0, Et6/1 Et6/2, Et6/3, Et7/0, Et7/1 Et7/2, Et7/3 150 VLAN0150 active 151 VLAN0151 active 1002 fddi-default act/unsup 1003 trcrf-default act/unsup 1004 fddinet-default act/unsup 1005 trbrf-default act/unsup 1500 VLAN1500 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- --- --- --- --- --- --- ---- --- --- --- 1 enet 100001 1500 - - - - - 0 0 150 enet 100150 1500 - - - - - 0 0 VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- --- --- --- --- --- --- ---- --- --- --- 151 enet 100151 1500 - - - - - 0 0 1002 fddi 101002 1500 - - - - - 0 0 1003 trcrf 101003 4472 1005 3276 - - srb 0 0 1004 fdnet 101004 1500 - - - ieee - 0 0 1005 trbrf 101005 4472 - - 15 ibm - 0 0 1500 enet 101500 1500 - - - - - 0 0 VLAN AREHops STEHops Backup CRF

---- --- --- --- 1003 7 7 off

Primary Secondary Type Ports

(43)

7. Configure the VTP domain with a password of “090909”. This password should be stored in the NVRAM database.

On Cat1, Cat2, Cat3, and Cat4, configure the following:

CatX(config)#vtp password 090909 hidden

By using the hidden keyword, the secret key generated from the password string is saved in the nvram:vlan.dat file. This will also hash the password so when performing the command “sh vtp

password”, the password will not be in clear text.

Once we have configured the VTP password, we have to re-enable Cat4 as the primary VTP server and type the password.

This system is becoming primary server for feature vlan Enter VTP Password:

No conflicting VTP3 devices found. Do you want to continue? [confirm]

%Cat_VLAN-4-VTP_PRIMARY_SERVER_CHG: aabb.cc00.6800 has become the primary server for the VLAN VTP feature

8. Ensure that the next VLAN created will not be propagated to switches where this VLAN is not allowed on any trunks.

When an allowed-list is configured on a trunk, only VTP information regarding VLANs allowed on the trunk should be transmitted. The feature that will limit the flooding of VTP traffic is called VTP pruning.

VTP pruning in VTP version 3 should be enabled on all switches in the domain except the ones in VTP transparent mode. Just like setting the primary server we will do this in enable mode, no configuration mode.

On Cat1, Cat2, and Cat4, configure the following:

CatX#vtp pruning

9. Ensure that Cat2 can take over the server role in the case of a failure of Cat4. On Cat2, configure the following:

(44)

43 | P a g e Version 5.2C Cat2 will be acting as a VTP version 3 secondary server, the primary server being Cat4.

10. Configure R2 in VLAN 150 and R5 in VLAN 1500 as client ports. Since Cat1 does not have any client ports in VLAN 151, make sure that broadcast packets in VLAN 151 will never be transmitted to Cat1.

Cat1(config-if)#switchport access vlan 150 Cat1(config-if)#switchport mode access

Cat1(config-if)#switchport access vlan 1500 Cat1(config-if)#switchport mode access Cat1(config)#interface Ethernet3/1

Cat1(config-if)#duplex auto

Cat2(config-if)#switchport trunk encapsulation dot1q Cat2(config-if)#switchport trunk allowed vlan 150,1500

(45)

Cat2(config-if)#switchport mode trunk Cat2(config-if)#duplex auto

Cat4(config)#vlan 151

Even if the VLAN 151 has been propagated with VTP to Cat1, the broadcast on VLAN 151 will not be sent to Cat1, thanks to the allowed list configured on the trunks.

Cat1#sh vlan

---- --- --- --- 1 default active Et0/0, Et0/1, Et0/3, Et1/0 Et1/2, Et1/3, Et2/0, Et2/1 Et2/2, Et2/3, Et3/0, Et3/3 Et4/0, Et4/1, Et4/2, Et4/3 Et5/0, Et5/1, Et5/2, Et5/3 Et6/0, Et6/1, Et6/2, Et6/3 Et7/0, Et7/1, Et7/2, Et7/3 150 VLAN0150 active Et0/2

151 VLAN0151 active 1002 fddi-default act/unsup 1003 trcrf-default act/unsup 1004 fddinet-default act/unsup 1005 trbrf-default act/unsup 1500 VLAN1500 active Et1/1

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- --- --- --- --- --- --- ---- --- --- --- 1 enet 100001 1500 - - - - - 0 0 150 enet 100150 1500 - - - - - 0 0 151 enet 100151 1500 - - - - - 0 0 VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 ---- --- --- --- --- --- --- ---- --- --- --- 1002 fddi 101002 1500 - - - - - 0 0 1003 trcrf 101003 4472 1005 3276 - - srb 0 0 1004 fdnet 101004 1500 - - - ieee - 0 0

(46)

1005 trbrf 101005 4472 - - 15 ibm - 0 0 1500 enet 101500 1500 - - - - - 0 0 VLAN AREHops STEHops Backup CRF

---- --- --- --- 1003 7 7 off

Primary Secondary Type Ports

--- --- --- ---

Helpful Verification Commands

 Show interface trunk

 Show interface Ethernet 1/2 switchport

 Show VTP status

 Show VLAN

Technical Verification and Support

To verify your configurations please ensure that you have downloaded the latest “final configurations” from within the iPexpert Member’s Area.

For instructor and developer support, please be sure to submit questions through our interactive support community that’s accessible from the Member’s Area.

(47)

Lab 3: Configure and Troubleshoot

Portchannels :: Detailed Solutions

Technologies Covered

 LACP etherchannel  PagP etherchannel  Manual etherchannel  L2 etherchannel  L3 etherchannel  Load-balancing

 Etherchannel misconfiguration guard

Detailed Solution Guide

(48)

iPexpert’s Recommended Reading Material

 Configuring EtherChannels:

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-4_3_S/configuration/guide/3800x3600xscg/swethchl.html

 EtherChannel Misconfiguration Guard:

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-4_1_S/configuration/guide/3800x3600xscg/swstpopt.html-wp1113708

 Configuring EtherChannel Load Balancing:

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-4_3_S/configuration/guide/3800x3600xscg/swethchl.html

iPexpert’s Recommended Video Training

 Video Title: Ethernet Channels  Video Title: Ethernet Link Aggregation  Video Title: EtherChannel Configuration

Topology Details

(49)

Diagram 3.1: Portchannels Topology

Lab 3 Setup

Configuration Tasks :: Detailed Solutions

1. Between Cat2 and Cat3, configure a static port-channel Po23 dot1q trunk and allow only VLAN 101.

Pay attention to the word “static”. We do not want our port-channel to negotiate. When we create a port-channel the best and easiest way to configure it is to first configure the physical port the way we want. The last command we apply, the “channel-group” command, which then creates our virtual port-channel interface automatically.

IPexpert's CCIE R&S (v5) Technology Workbook (Vol. 1) Detailed Solution Guide

CCIE Routing & Switching

Volume 1 Detailed Solution Guide

0

8

a

l

l

Table of Contents

iPexpert's End-User License Agreement

U.S. Government - Restricted Rights

Welcome, and Thank You!

Feedback

Technical Support and Freebies

How to Use This Lab Preparation Workbook

Cisco's New Retake Policy

Cisco R&S V5 Blueprint (Primary Sections w/ Assigned Point Values)

About This Lab Preparation Workbook

Additional Information Pertaining to Cisco's CCIE R&S Lab Exam

Lab 1: Configure and Troubleshoot Switch

Port Modes :: Detailed Solutions

Technologies Covered

Detailed Solution Guide

iPexpert’s Recommended Reading Material

iPexpert’s Recommended Video Training

Topology Detail

Diagram 1.1: Switch Port Modes Topology

Lab 1 Setup

Configuration Tasks :: Detailed Solutions

NOTE

Table 1.2

Table 1.3

Table 1.4

Helpful Verification Commands

Technical Verification and Support

Lab 2: Configure and Troubleshoot VTP ::

Detailed Solutions

Technologies Covered

Detailed Solution Guide

iPexpert’s Recommended Reading Material

iPexpert’s Recommended Video Training

Topology Details

Diagram 2.1: VTP Topology

Lab 2 Setup

Configuration Tasks :: Detailed Solutions

NOTE

Helpful Verification Commands

Technical Verification and Support

Lab 3: Configure and Troubleshoot

Portchannels :: Detailed Solutions

Technologies Covered

Detailed Solution Guide

iPexpert’s Recommended Reading Material

iPexpert’s Recommended Video Training

Topology Details

Diagram 3.1: Portchannels Topology

Lab 3 Setup

Configuration Tasks :: Detailed Solutions

NOTE