Foundation

CCIE Foundation
The GAP from CCNP to CCIE
WWW.NetWorkBooks.com
Narbik Kocharians
CCIE #12410
R&S, Security, SP
3550/3560
Switching
Answers
CCIE Foundation by Narbik Kocharians Switching Lab Page 1 of 55

© 2007 Narbik Kocharians. All rights reserved
Router to Switch connection
SW1 SW2
R1
F0/1 F0/1
F0/0 F0/1
R2
F0/2 F0/2
F0/0 F0/1
R3
R3 F0/3 F0/3
F0/0 F0/1
R4
F0/4 F0/4
F0/0 F0/1
R5
F0/5 F0/5
F0/0 F0/1
R6
F0/6 F0/6
F0/0 F0/1

Switch to Switch Connection
SW1 SW2
F0/20
F0/19
F0/22 F0/21 F0/21 F0/22
F0/19
F0/20
SW3 SW4
SW1 SW4
F0/7
F0/8
SW2 SW3
F0/7
F0/8

Lab 1
3550/3560 Switching
Task 1
The first Catalyst switch should be configured with a hostname of “SW1” and the
second Catalyst should have a hostname of “SW2”.
On the first Switch
Switch(config)#Hostname SW1
On the Second Switch
Switch(config)#Hostname SW2
Task 2
Configure SW1 to be in VTP domain called CCIE, this configuration should be
propagated to SW2 via VTP messages.
Maintaining a consistent list of VLANs in a huge network where there are many
interconnected switches can be an administrative nightmare, in order to reduce this
administrative overhead switches that share a common VLAN information can be
organized into logical groups called VTP domains. These domain do not create a
layer two boundary, they only create different management domains.
Switches in a given VTP domain exchange VTP updates to synchronize VLAN
information. In order for two or more switches to exchange VTP updates, the two
switches must have a trunk established between them, this is because VTP messages
can ONLY cross trunk links.
Note the two switches are connected with 2 cross over ethernet cables, if these
switches are 3550s, the two ports would negotiate an ISL trunk, but if the two
switches are 3560s, they would NOT negotiate a trunk, because by default the ports
on 3560 switches are in auto mode, whereas, the ports on 3550 switches are in
desirable mode.
To see this on the switches:

On 3550 switches:
3550#Show interface status
Port Name Status Vlan Duplex Speed Type

Fa0/1 notconnect 1 auto auto 10/100BaseTX
(The rest of the output is omitted)
On 3560 switches:
3560#Show run
Building configuration...
Current configuration : 2102 bytes
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
!
To create the trunk, we should first check to see if the trunk was automatically
negotiated, if the switches are 3560s, they will NOT negotiate a trunk, as follows:
3560#Show int trunk
SW1#
Note the trunk is not negotiated.
If the switches are 3550s, you should see that the trunk is automatically negotiated
using Cisco proprietary trunking protocol called ISL, as follows:
3550#Show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/20 desirable nisl trunking 1
Fa0/21 desirable nisl trunking 1

Note the status is “nisl”, which means negotiated ISL.
To configure the ports as trunk:
On Both switches:
(config)#int range f0/1920
(configifrange)#switchport trunk encapsulation isl
(configifrange)#switchport mode trunk
These commands will be explained in later steps.
To verify the configuration:
On Both switches:
#Show int trunk

Fa0/19 on isl trunking 1
Now that the trunk is established between the two switches, you can go on with VTP
configuration as follows:
On SW1
By default the 3550/3560 switches are member of a domain called NULL, in this
mode the switches will not propagate VLAN information from one switch to
another. Enter the following to change the VTP domain name to “CCIE”.
SW1(config)#VTP domain CCIE
Note once the above command is entered, you should see the following message
telling you that the domain name was changed from the default name of “NULL” to
“CCIE”.
Changing VTP domain name from NULL to CCIE
This task could also be accomplished by entering the “VLAN database” as follows:
SW1#Vlan database
SW1(vlan)#Vtp domain CCIE

SW1(vlan)#Exit
When a command is entered in the Vlan database, you must perform the “exit” or
the “apply” command for the changes to take effect.
Note the display below reveals that VTP propagated the VTP domain information to
the second switch:
On SW2:
SW2#Sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : CCIE
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0000 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
Task 3
This VTP domain should be password protected using “Cisco” as the password.
VTP password can be changed in three ways:
Privilege mode:
Switch#vtp password Cisco
Vlan Database:
Vlan database
Vtp password Cisco
Exit
Global config mode:
Switch(config)#vtp password Cisco
In this task it is configured in Global config mode as follows:

On both switches
(config)#vtp password Cisco
You should get the following message:
Setting device VLAN database password to Cisco
Note, if a domain name is not assigned to the switches and the default name (NULL)

is used, a password can not be assigned.
This “VTP password” command can be entered in global configuration mode,
privilege configuration mode or in the VLAN database mode.
The password command must be configured statically on both switches because this
change will NOT get propagated via VTP messages.
On any of the switches:
#Show VTP password This verifies the password, remember
Spaces will not show
VTP Password: Cisco
Task 4
SW2 should NOT have the ability to create, delete or rename VLAN or VLAN
information.
On SW2
SW2(config)#Vtp mode client
This configuration can be performed in the vlan database or global config mode.
The above command was entered in the global config mode. If this command must
be configured in the vlan database, you must first enter the “vtp database”
command in the privilege mode, then, enter “vtp client” and lastly the “exit”
command must be used for the changes to take effect.
Once the command is entered you should get the following message:
Setting device to VTP CLIENT mode.

The switches can operate in three different VTP modes and they are as follows:
Server mode:
Ø Creates, modifies and deletes VLANs
Ø Sends and forwards VTP advertisements
Ø Synchronizes VLAN information
Ø Saves VLAN information in “vlan.dat” in the flash memory
Client mode:
Ø CAN NOT create, modify or delete VLAN information
Ø Forwards the VTP advertisements
Ø Synchronizes VLAN information
Ø CAN NOT save the configuration in the NVRAM
Transparent mode:
Ø Creates, deletes and modifies VLANs locally
Ø Forwards the VTP advertisements
Ø Does NOT process VTP messages
Ø Saves VLAN information in NVRAM and NOT the VLAN database
Task 5
Create and configure the following VLAN assignments:
Router Interface VLAN number CAT Switches Port

R1 – F0/0 12 SW1 – F0/1
R2 – F0/0 12 SW1 – F0/2
R3 – F0/0 34 SW1 – F0/3
R4 – F0/0 34 SW1 – F0/4
R5 – F0/0 56 SW1 – F0/5
R6 – F0/0 56 SW1 – F0/6
R1 – F0/1 111 SW2 – F0/1
30
On SW1
SW1(config)#interface range f0/1 2

SW1(configif)#switch mode access
SW1(configif)#switch access vlan 12
SW1(config)#interface range f0/3 4
SW1(config)#interface range F0/5 6
SW1(config)Vlan 30
SW1(config)exit
Note the Vlan information will be propagated to the other switch (SW2), because
both switches are in the same VTP domain, password and they have a trunk
connecting them to each other.
On SW2
SW2#Show vlan brie
VLAN Name Status Ports

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/23, Fa0/24
Gi0/1, Gi0/2
12 VLAN0012 active
34 VLAN0034 active
56 VLAN0056 active
30 VLAN0030 active
SW2#Show VTP Status
VTP Version : 2
VTP Operating Mode : Client

MD5 digest : 0x97 0x9D 0xF1 0xF9 0xFE 0x21 0xCC 0x1D
On SW1
SW1#Show VTP Status
VTP Version : 2
Note, VTP version is 2, Configuration revision is 4, number of existing VLANs is 8
on both switches, (because they are synchronized), and the reason the VLAN
information was propagated is because the VTP domain name and the password is
identical on both switches and the switches are trunked.
SW1 should be used to create VLAN 111, this is because SW2 is in VTP client
mode.
You should see the following error message if SW2 is used to create VLAN 111.
SW2(config)#vlan 111
VTP VLAN configuration not allowed when device is in CLIENT mode.
On SW1
SW1(config)#vlan 111
SW1(configvlan)#exit
On SW2

SW2#Show vlan brief

Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
12 VLAN0012 active
34 VLAN0034 active
56 VLAN0056 active
111 VLAN0111 active
30 VLAN0030 active
Task 6
Ensure that SW1’s Loopback0 (1.1.1.1 /8) interface is used as the preferred source for the
VTP IP updater address.
Note in the last Task when the “show vtp status” command was entered on SW1,
the last line of the output displayed the fact that (no valid interface found).
SW1 can be configured such that the IP address of any of it’s interfaces in this case
Loopback0 is used as the source of all VTP messages, as follows:
On SW1
SW1(config)# Interface Loopback 0
SW1(configif)# Ip address 1.1.1.1 255.0.0.0
SW1(configif)# Exit
SW1(config)# Vtp interface Loopback0
Note the above command is not needed, as long as SW1 has an IP address
configured the source of all VTP updates will use that specific IP address as the
source IP address of all VTP messages, if your switch is configured with multiple IP
addresses, and you must use a specific IP address as the source of the updates, then,
the above command can be used to specify the IP address of a given interface as the
source of all VTP updates.
SW1#Show vtp status
VTP Version : 2

Local updater ID is 1.1.1.1 on interface Lo0 (preferred interface)
Preferred interface name is lo0
On SW2
SW2#Show vtp status
VTP Version : 2
Create a VLAN (VLAN 80) on SW1 so you can see that the change was made by an
IP address of 1.1.1.1 on SW2. This VLAN should be deleted before proceeding to
the next task.
On SW1
SW1(config)#Vlan 80
Sw1(config)#exit
On SW2
SW2#Show vtp status
VTP Version : 2

MD5 digest : 0x02 0x05 0x92 0x34 0xF0 0xC0 0x35 0x9D
On SW1
SW1(config)#No vlan 80
Task 7
Configure the switches such that flooded traffic is restricted to the trunk links that the
traffic must use to reach the destination device.
This task calls for VTP pruning and the following Show command reveals the
current status of VTP pruning:
On SW2
SW2#Show vtp status
VTP Version : 2
VTP V2 Mode : Disabled Pruning is disabled
Configuration last modified by 1.1.1.1. at 3193 00:12:48
Local updater ID is 1.1.1.1 o interface Lo0 (First layer3 interface found)
Note the above show command reveals that VTP Pruning is disabled
On SW1

SW1#Vtp pruning
This command can be configured in privilege mode, Global config mode, and/or in
the Vlan database. Once this feature is enabled, it will get propagated to the other
switches within the VTP domain.
To verify the configuration on both switches:
On SW2
SW2#Show vtp status
VTP Version : 2
VTP Pruning Mode : Enabled
Note VTP messages propagate the change through the entire VTP domain. Its
possible to have a switch within the enterprise that does not have local port
membership in a given VLAN/s. VTP pruning increases the available bandwidth on
the trunk links by restricting flooded traffic to those trunk links that the traffic
must use to access the give host.
Remember that VLAN 1 is always ineligible for pruning and traffic from VLAN 1
can not be pruned. Remember that this can ONLY be configured on the switches
that are in VTP server mode.
Task 8
Ensure that SW1 is the root bridge for the VLANs 12 and SW2 is the root bridge for
VLAN 56. Do NOT use the “priority” command to accomplish this task.
There are three commands that can be used to display the BID for a given switch:
Ø Show version
Ø Show spanningtree bridge
Ø Show interface Vlan 1

On SW1
SW1#Show version
SW1#Show ver
Cisco IOS Software, C3560 Software (C3560ADVIPSERVICESK9M), Version 12.2(25)SEE2,
RELEASE SOFTWARE (fc1)
Copyright (c) 19862006 by Cisco Systems, Inc.
Compiled Fri 28Jul06 12:34 by yenanh
Image textbase: 0x00003000, database: 0x012237D0
(The output of this show command is modified)
512K bytes of flashsimulated nonvolatile configuration memory.
Base ethernet MAC Address : 00:19:06:7F:89:00
Motherboard assembly number : 73989706
Power supply part number : 341009702
Motherboard serial number : CAT10297MHE
Power supply serial number : AZS1025050V
Model revision number : D0
The rest of the output is omitted The base MAC
The following command reveals the base MAC address of the switch, the combination of
priority and the base MAC address is the BID for a given switch.
SW1#Show spanningtree bridge
Hello Max Fwd
Vlan Bridge ID Time Age Dly Protocol

VLAN0001 32769 (32768, 1) 0019.067f.8900 2 20 15 ieee
VLAN0012 32780 (32768, 12) 0019.067f.8900 2 20 15 ieee
VLAN0034 32802 (32768, 34) 0019.067f.8900 2 20 15 ieee
VLAN0056 32824 (32768, 56) 0019.067f.8900 2 20 15 ieee
VLAN0030 32898 (32768, 30) 0019.067f.8900 2 20 15 ieee
Note the priority starts with 32768, each VLAN that is created adds it’s VLAN number to
the default priority value (If the base priority and the VLAN number is added within the
parenthesis, the sum will be the priority for that given VLAN, which is displayed to the left
of the parenthesis), VLAN 12 adds 12 to the default priority value, therefore, the priority is
32780 and VLAN 34 adds 34 to the default priority value, therefore, the priority is 32802.
Note that the MAC is the base MAC address and it remains the same, in this case
(0019.067f.8900).
Note your MAC address maybe different.

SW1#Show int Vlan 1
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0019.067f.8940 (bia 0019.067f.8940)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
The output of the above command will reveal the bia or the MAC address of VLAN 1

interface which is also the base MAC address of the switch
To find out the BID and the root bridge for a given VLAN, enter the following Show
command:
On SW1
SW1#Show spanningtree vlan 12
VLAN0012
Spanning tree enabled protocol ieee The MAC address of the root bridge
Root ID Priority 32780
Address 0018.b989.8280
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32780 (priority 32768 sysidext 12)
Address 0018.b989.8280
Aging Time 300
The Mac address of the local switch
Interface Role Sts Cost Prio.Nbr Type

Fa0/19 Desg FWD 19 128.21 P2p
Fa0/20 Desg FWD 19 128.22 P2p
Note even though the above show commands reveals that SW1 is the root bridge for VLAN
12 we should statically configure this switch so in the future a topology change will not
change the root bridge for this VLAN. Enter the following commands to configure SW1 to
be the root bridge for VLANs 12:
On SW1
SW1(config)#Spanningtree vlan 12 root primary
The above command configures SW1 to be the root for VLAN 12; the “root” keyword is a

macro that reduces the BID of the switch for a given VLAN by a value of 8192 (The lower
value is the preferred value).
VLAN0012 Note 32768+128192 = 24588
Spanning tree enabled protocol ieee
Address 0018.b989.8280
Address 0018.b989.8280
Aging Time 300

Fa0/19 Desg FWD 19 128.21 P2p
Fa0/20 Desg FWD 19 128.22 P2p
On SW2
SW2(config)##Spanningtree vlan 56 root primary
On SW2
SW2#Sh spanningtree vlan 56
VLAN0056
Address 001a.2f0a.2000
Aging Time 15


Fa0/19 Desg FWD 19 128.21 P2p
Fa0/20 Desg FWD 19 128.22 P2p
Task 9
Configure SW1 to be the root bridge for VLAN 34 and SW2 to be the root bridge for
VLAN 111; you should use the “priority” command to accomplish this task.
When it comes to priority and values, Cisco plays two games, basketball and golf,
what I mean by that is that sometimes the lower number has more preference and
sometimes the higher number. When it comes to spanningtree, the lower number
has more preference.
On SW1
SW1(config)#spanningtree vlan 34 priority 0
Note the priority of this VLAN is set to zero, which is the lowest number within the
range.
To verify the configuration
On Sw1
VLAN0034
Root ID Priority 34
Aging Time 300

Fa0/19 Desg FWD 19 128.21 P2p
Fa0/20 Desg FWD 19 128.22 P2p
On Sw2

SW2(config)#spanningtree vlan 111 priority 0
On Sw2
VLAN0111
Aging Time 15

Fa0/19 Desg FWD 19 128.21 P2p
Fa0/20 Desg FWD 19 128.22 P2p
Task 10
Configure SW1 such that the ports that the routers are connected to bypass listening and
learning state. If any of these ports receive BPDU packets, they should transition into
errdisable state. Use minimum number of commands to accomplish this task. This
configuration should only be applied to the ports that the routers R1 R6 are connected
to.
Spanningtree PortFast causes an interface that is configured as a layer 2 access
port to transition from blocking to forwarding state immediately by bypassing the
listening and learning states. PortFast should be configured on interfaces that have
a single host connected. If PortFast is enabled on a port connecting to another
switch, a Spanningtree loop may result.
If BPDU guard is configured, and an interface configured as PortFast receives
BPDUs, the port will transition into errdisable mode blocking all traffic.
On SW1

SW1(config)#Spanningtree portfast bpduguard default
SW1(config)#Interface range F0/1 6
SW1(configif)#Spanningtree portfast
This command could also be configured globally, by using the “Spanningtree
portfast default” command; this command enables PortFast on all nontrunking
ports.
Once the portfast command is entered you should see the following warning
message:
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
Interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast will be configured in 6 interfaces due to the range command
but will only have effect when the interfaces are in a nontrunking mode.
The “spanningtree portfast bpduguard default” command in global config mode
will shut the port down in errdisable mode if any portfast enabled port receives
BPDU packets.
Task 11
Ø Ensure that ports F0/19 of both switches are trunking.
Ø These ports should NOT use any DTP for establishing the trunk
Ø Ensure that VLAN 111 does not get tagged as the traffic for this VLAN
traverses this trunk link.
Ø Ensure that traffic for VLAN 30 does NOT traverse this trunk link.
A trunk by default carries traffic for all VLANs; in order to differentiate traffic

from different VLANs a trunking protocol is used. Basically the sending switch
marks each frame with a VLAN ID before sending the traffic through the trunk link
so the receiving switch can distinguish the destination VLAN of the frames. For
security or other reasons it’s a good practice to configure the trunk links such that
they ONLY carry traffic for intended VLANs, in this task the traffic for VLAN 30
should NOT traverse this trunk link.
A trunk can be established between the following devices:
Ø Between two Switches
Ø A switch and a router
Ø A switch and a NIC that has the capability of establishing a trunk

In CCIE lab exam, I highly recommend reading each section entirely before
configuring the tasks within that section. In this case if this entire section was read
before, this task and task 19 would have been configured already.
The last item of this task requires us to configure DOT1Q trunking. Remember that
when a switch configured with DOT1Q receives an untagged frame, it will assign it
to the native VLAN. In DOT1Q the native VLAN traffic is NOT tagged, the native
VLAN is VLAN 1 by default. Because of this fact, you must ensure that native
VLAN is identical on both ends of the trunk. If VLANs are not identical on both
ends of a trunk, the traffic from different VLANs will merge, in order to prevent
this from occurring, the trunk link will go down if the VLANs are not identical on
both ends of a trunk.
On Both Switches
(config)#Interface F0/19
(configif)#Switchport trunk encapsulation dot1q
(configif)#Switchport mode trunk
The “Switchport trunk encapsulation” command can have the following
parameters:
Ø Dot1q – Specifies dot1q encapsulation on the trunk link.
Ø ISL Specifies dot1q encapsulation on the trunk link.
Ø Negotiate – Specifies that the local interface should negotiate with the
neighboring interface (The interface to which it is connected to) to
become either dot1q or ISL, depending on the configuration of the
neighboring interface.
The “Switchport mode trunk” command puts the interface into permanent trunking
mode.
On both Switches
SW1#Show int trunk

Fa0/19 on 802.1q trunking 1
Port Vlans allowed on trunk

Fa0/19 14094
Fa0/20 14094
Port Vlans allowed and active in management domain
Fa0/19 1,12,30, 34,56, 111
Fa0/20 1,12,30, 34,56, 111
Port Vlans in spanning tree forwarding state and not pruned
Fa0/19 1,12,30, 34,56
Fa0/20 12,34
To configure the second bullet item:
To see the default setting:
On Both Switches:
SW2#Show int f0/19 switchport
Name: Fa0/19
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default) Note the negotiation of
Administrative Native VLAN tagging: enabled trunking is ON
To change this setting:
On Both Switches:
(config)#int f0/19
(configif)#switchport nonegotiate
On Both Switches:
#Show int f0/19 switchport

Name: Fa0/19 Note the trunking negotiation is OFF
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
To configure the third bullet item:
On SW1
SW1(configif)#switchport trunk native vlan 111
Note once this command is entered you should see the following console message:
%CDP4NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
FastEthernet0/19 (111), with SW2 FastEthernet0/19
On Sw2
SW1(configif)#switchport trunk native vlan 111
To configure the forth item:
To see the default behavior:
SW1#Show interface trunk
Note by default all VLAN are allowed to
Port Vlans allowed on trunk to traverse the trunk
Fa0/19 14094
Fa0/20 14094
Fa0/19 1,12,30,34,56,111
Fa0/20 1,12,30,34,56,111
Fa0/19 1
Fa0/20 1

To configure this item:
On Both Switches:
(configif)#switchport trunk allowed vlan except 30
Note the following reveals all options:
(configif)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
You can use some of these options to accomplish this task.
On Both Switches:
#Show interface trunk
Port Vlans allowed on trunk Note VLAN 30 is NOT allowed to traverse
Fa0/19 129,314094 the trunk
Fa0/20 14094
Fa0/19 1,12,34,56,111
Fa0/20 1,12,30,34,56,111
Fa0/19 1
Fa0/20 1

Task 12
You received a request from the IT department to monitor and analyze all the packets
sent and received by the host connected to port F0/14 on SW1, you have connected the
packet analyzer to port F0/15 on the same switch, configure the switch to accommodate
this request.
On SW1
SW1(config)#monitor session 1 source interface F0/14 both
The above command identifies the source interface, which is the interface that needs
to be monitored in both directions.
SW1(config)#monitor session 1 destination interface F0/15
This command identifies the destination port, this is the port to which the packet
analyzer is connected to.
Note the following:
Ø There can only be two monitor sessions configured on a given switch
Ø Their direction to monitor can be configured as Rx, Tx, or Both, Rx is
for received traffic, Tx is for Transmitted traffic, and both is in both
direction.
Ø VLANs can ONLY be configured in Rx direction.
Ø To verify the configuration, enter the “Show monitor session 1”
command.
On SW1
SW1#Show monitor session 1
Session 1

Type : Local Session
Source Ports :
Both :Fa0/14
Destination Ports : Fa0/15
Encapsulation : Native
Ingress : Disabled

Task 13
You received another request from your IT department to keep track of all the MAC
addresses that are learned by SW2 port F0/18. The switch must use the NMS located at
192.168.1.1 /24, configure the switch to handle this request. You should use an IP
address of 2.2.2.2 /8 with traps called “PRIVATE” to accomplish this task.
On SW2
SW2(config)#Snmpserver host 192.168.1.1 trap PRIVATE
%IP_SNMP3SOCKET: can't open UDP socket
Unable to open socket on port 161
Note since this switch is not configured with an IP address, it will fail to configure
the Snmp server. Therefore, an IP address should be configured before entering the
“snmpserver” command as follows:
SW2(config)#Int lo0
SW2(configif)#Ip addr 2.2.2.2 255.0.0.0
SW2(config)#snmpserver host 192.168.1.1 traps PRIVATE
To setup the SnmpServer’s IP address and the traps PRIVATE
SW2(config)#snmpserver enable traps macnotification
Configures the switch to send macaddress traps to the NMS
SW2(config)#macaddresstable notification
To enable MACaddress notification
SW2(config)#Inter f0/18
SW2(configif)#snmp trap macnotification added
The above command enables the SNMP trap on interface F0/18 and configures the
switch to send MAC notification traps whenever a MACaddress is learned (added).
If the switch must be configured to report the MAC addresses that are learnt and
expired, then “snmp trap macnotification removed” command must also be
configured under the interface.
SW2#Show macaddresstable notification interface f0/18
MAC Notification Feature is Enabled on the switch
Interface MAC Added Trap MAC Removed Trap

FastEthernet0/18 Enabled Disabled

Note if the “snmp trap macnotification removed” command was also entered for
F0/19 interface, under the “MAC removed Trap” column you would also see as
“Enabled”.
SW2#Show macaddresstable notification
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1 secs
Number of MAC Addresses Added : 0
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 0
Maximum Number of entries configured in History Table : 1
Current History Table Length : 0
MAC Notification Traps are Enabled
History Table contents

Task 14
Configure SW2 using the following policy:
The ports that routers R1 – R6 are connected should be configured such that they only
allow one MACaddress to be detected, if any other MAC address besides the pertaining
router’s MAC address is detected on any of these ports, the appropriate switch should
drop the traffic for the newly learned MAC addresses, the switch should not send an
SNMP trap or syslog message.
You should use a regular and a smart port macro to accomplish this task.
On SW2
SW2(config)#Define interfacerange ROUTERPORTS F0/1 6
The above command defines a range of ports on the switch and names them “ROUTER
PORTS”
SW2(config)#Macro name PORTSECUR
Enter macro commands one per line. End with the character '@'.
switchport mode access
switchport portsecurity
switchport portsecurity maximum 1
switchport portsecurity violation protect
@
SW2(config)#
The above configuration configures a smartport macro. A smartport macro is started by the

“Macro name” global config command and then followed by an arbitrary name that is
assigned to the macro.
Once that command is entered, a message is displayed in the command line. This message
tells us to use the “@” sign in order to end and exit from this macro.
Lines 3 to 6 contain the actual commands that the macro will execute. A smartport macro
can be applied to an interface, interface range, or a regular macro.
Lastly the Smartport Macro is applied to the regular macro, as follows:
SW2(config)#Interface range macro ROUTERPORTS
SW2(configifrange)#Macro apply PORTSECUR
To verify the configuration, a “Show run” command is entered, most of the output from this
show command is omitted and only the pertaining parts are shown:
SW2#Show run
!
macro name PortSecur
switchport portsecurity macaddress sticky
switchport portsecurity maximum 1
switchport portsecurity violation shutdown
@
!
!
macro description ROUTERSECUR
!
!
!

!
!
!
define interfacerange RouterPorts FastEthernet0/1 6
!
end
Task 15
On SW2 port F0/14 configure the amount of bandwidth utilization for broadcast traffic
to 50%.
On SW2
SW2(config)#Interface F0/14
SW2(configif)#Stormcontrol broadcast level 50.00
Stormcontrol can be used for Broadcast, Unicast and Multicast traffic, this
command specifies traffic suppression level for a given type of traffic for a
particular interface. The level can be from 0 to 100 and an optional fraction of a
level can also be configured from 0 – 99. A threshold value of 100 percent means
that no limit is placed for the specified type of traffic; a value of 0.0 means that the
particular type of traffic is blocked all together.
On 3550 switches when the rate of Multicast traffic exceeds a predefined threshold,
all incoming traffic (Broadcast, Multicast and Unicast) is dropped until the level of
Multicast traffic is dropped below the threshold level. When the interface is in
blocking mode, only the Spanningtree packets are forwarded.
When Broadcast or Unicast thresholds are exceeded, traffic is blocked for only the
type of traffic that exceeded the threshold.

SW2#Show stormcontrol f0/14 broadcast
Interface Filter State Upper Lower Current

Fa0/14 Forwarding 50.00% 50.00% 0.00%
Task 16
SW2’s ports F0/15 and F0/16 are connected to company’s web and email server. These
ports should be configured in VLAN 88. Ensure that these ports can’t communicate with
each other. You should NOT use private VLANs to accomplish this task.
On SW1
SW1(config)#Vlan 88
To see the default setting:
On SW2
SW2(config)#Interface range F0/15 – 16
SW2(configifrange)#Switchport mode access
SW2(configifrange)#Switch access vlan 88
SW2#Show inter f0/15 switch
Name: Fa0/15
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Access Mode VLAN: 88 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative privatevlan hostassociation: none
Administrative privatevlan mapping: none
Administrative privatevlan trunk native VLAN: none
Administrative privatevlan trunk Native VLAN tagging: enabled
Administrative privatevlan trunk encapsulation: dot1q

Administrative privatevlan trunk normal VLANs: none
Administrative privatevlan trunk private VLANs: none
Operational privatevlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 21001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false Note the port is not in protected mode
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
SW2#
On SW2
Interface range F0/15 – 16
Switchport protected
On SW2
Name: Fa0/15
Switchport: Enabled
Voice VLAN: none

Protected: true The port is now in protected mode
Unknown unicast blocked: disabled Note unknown unicast or multicast
Unknown multicast blocked: disabled traffic is not blocked
SW2#
Typically port blocking is implemented when protected ports are configured. By
default the switch will flood packets with unknown destination MAC addresses to
all ports but the port that the packet/s was received. If unknown unicast or
multicast traffic is forwarded to a protected port, there could be security issues. In
order to prevent this behavior, unknown broadcast or unicast packets should be
blocked, as follows:
SW2(config)#Interface range F0/15 – 16
SW2(configifrange)#Switchport block unicast
SW2(configifrange)#Switchport block multicast
Name: Fa0/15
Switchport: Enabled
Voice VLAN: none

Protected: true
Unknown unicast blocked: enabled The ports are now blocking
Unknown multicast blocked: enabled unknown unicast and multicast
SW2#
Note in the CCIE lab you should ONLY implement what is asked from you, if you
are in doubt, always ask the proctor for clarification
Task 17
Mac addresses learnt dynamically by these two switches should not stay in the MAC
address table if they are inactive for longer than 10 minutes.
By default the MAC addresses that are inactive will expire within 300 seconds, this
task is asking for a 10 minutes threshold, 10 minutes equates to 600 seconds, the
following command will accomplish this task:
Before configuring this task, the default settings should be displayed as follows:
On SW1 and SW2
#Sh macaddresstable agingtime
Vlan Aging Time

1 300
12 300
34 300
56 300
111 300
30 300
To change the default settings:
On Both Switches:
(config)#Macaddresstable agingtime 600
On Both Switches:

#Sh macaddresstable agingtime
Vlan Aging Time

1 600
12 600
34 600
56 600
111 600
30 600
Note this setting can also be changed for a given VLAN using the following
command:
(config)#macaddresstable agingtime 600 vlan ?
<14094> VLAN id
Task 18
For management purposes, assign an IP address of 10.1.1.11 /24 to SW1, with a default
gateway of 10.1.1.2 /24.
On SW1
SW1(config)#Inter Vlan 1
SW1(configif)#Ip address 10.1.1.11 255.255.255.0
SW1(configif)#No shut
SW1(configif)#Exit
SW1(config)#Ip defaultgateway 10.1.1.2
SW1#sh run int vlan 1
interface Vlan1
ip address 10.1.1.11 255.255.255.0
end
SW1#Sh ip route
Default gateway is 10.1.1.2

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
Task 19
Configure the F0/20 port of these two switches to trunk. You should use a Cisco
proprietary solution for this trunk.
This task was configured in Task 2
Task 20
Configure Multiinstance of Spanning Tree on the switches using the follows policy:
Ø There should be two instances of STP, instance 1 and 2
Ø Instance 1 should handle VLANs 12 and 34
Ø Instance 2 should handle VLAN 56 and 111
Ø All future VLANs should use instance 0
Ø Instance 1 should use F0/19
Ø Instance 2 should use F0/20
Ø SW1 should be the root bridge for the first instance
Ø SW2 should be the root bridge for the second instance
Ø The name of this configuration should be CCIE
Ø The revision number should be 1
On Both Switches
The default mode for spanningtree is PVST, the following Show command verifies
this information:
SW1#Show spanningtree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
On Both Switches
(config)#Spanningtree mode mst
This command changes the mode of the switch to MST.

(config)#Spanningtree mst configuration
(configmst)#Revision 1
(configmst)#Name CCIE
(configmst)#Instance 1 vlan 12,34
(configmst)#Instance 2 vlan 56,111
The first command allows us to enter in the MST configuration mode. The second
command specifies the configuration revision number; the range for this number is
165535. The third command specifies the name for this configuration, in this case
CCIE. The forth and fifth commands map the requested VLANs to the specified
instances, MST supports 16 instances, by default all the future VLANs will be
assigned to instance 0, instance 0 is the catch all instance.
To verify this configuration:
On both Switches
Show spanningtree mst configuration
Name [CCIE]
Revision 1
Instance Vlans mapped

0 111,1333,3555, 57110, 1124094
1 12,34
2 56,111
Note instance 0 handles the rest of the vlans that are not assigned to a given
instance; instance 0 is the catch all instance.
To Verify the configuration before configuring the next portion of the
task:
On SW1
Show spanningtree bridge
Hello Max Fwd

MST Instance Bridge ID Time Age Dly Protocol

MST0 32768 (32768, 0) 0019.067f.8900 2 20 15 mstp
MST1 32769 (32768, 1) 0019.067f.8900 2 20 15 mstp
MST2 32770 (32768, 2) 0019.067f.8900 2 20 15 mstp

Note this command displays the BID for your switch, and instead of assigning a BID
to each VLAN, there is a BID for each instance.
On SW1
SW1#Show spanningtree root
Root Hello Max Fwd

MST Instance Root ID Cost Time Age Dly Root Port

MST0 32768 0019.067f.8900 0 2 20 15
MST1 32769 0019.067f.8900 0 2 20 15
MST2 32770 0019.067f.8900 0 2 20 15

The above command displays the BID of the root bridge for different instances.
Note in this case SW1 is the root for all instances.
On SW1
SW1(config)#Spanningtree mst 1 priority 0
On SW2
The above commands will change the switch priority and make it more likely that
SW1 will be chosen as the root switch for instance 1 and SW2 will be chosen as the
root bridge for instance 2.
This number must be in increments of 4096. Remember the lower value has higher
preference.
On SW1
SW1#Show spanning root
Root Hello Max Fwd


MST0 32768 0019.067f.8900 0 2 20 15
MST1 1 0019.067f.8900 0 2 20 15
MST2 2 001a.2f0a.2000 200000 2 20 15 Fa0/19

Note the local switch (SW1) is the root bridge for instance 0 and 1, whereas, SW2
is the root for instances 2.
On SW2
SW2#Show spanning root
Root Hello Max Fwd


MST0 32768 0019.067f.8900 0 2 20 15 Fa0/19
MST1 1 0019.067f.8900 200000 2 20 15 Fa0/19
MST2 2 001a.2f0a.2000 0 2 20 15

Note SW2 is the root bridge for instance 2, whereas, SW1 is the root for instance 0
and 1.
To configure the last portion of this task, portpriority feature is used as follows:
On Both Switches
(config)#Int F0/19
(configif)#Spanningtree mst 1 portpriority 0 High priority
(configif)# Spanningtree mst 2 portpriority 128
(config)#Int F0/20
(configif)#Spanningtree mst 1 portpriority 128
(configif)#Spanningtree mst 2 portpriority 0
In this task Portpriority is used when selecting an interface to put into the
forwarding state for a given instance; a lower value has a higher priority. In this
case port F0/21 will be used by all the VLANs that are assigned to instance 1,
because it has a higher priority (Lower value), and the second instance will use port
F0/22 because it has been configured with a higher priority (Lower value).
On SW1
SW1#Show spanningtree int f0/19
Mst Instance Role Sts Cost Prio.Nbr Type


MST0 Desg FWD 200000 128.21 P2p
MST1 Desg FWD 200000 0.21 P2p
MST2 Altn BLK 200000 128.21 P2p
SW1#Sh spanningtree int f0/20

MST0 Desg FWD 200000 128.22 P2p
MST1 Desg FWD 200000 128.22 P2p
MST2 Root FWD 200000 0.22 P2p
On SW2
SW2#Show spanningtree int f0/19

MST0 Root FWD 200000 128.21 P2p
MST1 Root FWD 200000 0.21 P2p
MST2 Desg FWD 200000 128.21 P2p
SW2#Sh spanningtree int f0/20

MST0 Altn BLK 200000 128.22 P2p
MST1 Altn BLK 200000 128.22 P2p
MST2 Desg FWD 200000 0.22 P2p
Note mst instance 1 is blocked on port F0/20 but forwarded on F0/19 and mst
instance 2 is blocked on interface F0/19 and forwarded on F0/20.
Task 21
There is another protocol analyzer connected to F0/18 on SW2. You received a request
to monitor and analyze all packets for port F0/16 on SW1. Configure the switches to
accommodate this request.

On SW1
SW1(config)#Vlan 90
SW1(configvlan)#Remotespan
SW1(configvlan)#Exit
The creation of this VLAN can only be done in the global configuration mode,
because this is the only mode that allows us to set the VLAN as remotespan. Ensure
that this VLAN is propagated to SW2. Note in this case we had to create the VLAN on
SW1, because if you remember SW2 was in VTP client mode.
On SW1:
SW1#Sh vlan brie

Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/23, Fa0/24
Gi0/1, Gi0/2
12 VLAN0012 active Fa0/1, Fa0/2
30 VLAN0030 active
90 VLAN0090 active Ensure that this VLAN is propagated
to SW2
On SW2
SW2#Sh vlan brie

Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/23, Fa0/24, Gi0/1, Gi0/2

12 VLAN0012 active
30 VLAN0030 active
34 VLAN0034 active
56 VLAN0056 active
90 VLAN0090 active Ensure that this VLAN is propagated
to SW2
On SW1
SW1#Show vlan remotespan
Remote SPAN VLANs

90
On SW2
SW2#Show vlan remotespan
Remote SPAN VLANs

90
Note VLAN 90 should be displayed as remotespan on both switches.
On SW1
SW1(config)#Monitor session 2 source interface F0/16
SW1(config)#Monitor session 2 destination remote vlan 90
On SW1
SW1#Show monitor session 2
Session 2

Type : Remote Source Session
Source Ports :
Both : Fa0/16
Dest RSPAN VLAN : 90
On SW2

SW2(config)#Monitor session 2 source remote vlan 90
SW2(config)#Monitor session 2 destination interface F0/18
Port F0/18 is where the protocol analyzer is connected.
On SW2
SW2#Sh monitor session 2
Session 2

Type : Remote Destination Session
Source RSPAN VLAN : 90
Destination Ports : Fa0/18
Encapsulation : Native
Ingress : Disabled
RSPAN extends SPAN by enabling remote monitoring of multiple switches across your
network. The traffic for RSPAN traverses over a user defined RSPAN VLAN (remote
vlan), in this case VLAN 90. The SPAN traffic from port F0/16 is reflected to VLAN 90
(The RSPAN VLAN) and then forwarded over the trunk to port F0/18 an RSPAN
destination. If 3550 switches are in use, then you should identify the port that reflects
the traffic to VLAN 90 using the following commands:
On SW1
Monitor session 2 destination remote vlan 90 reflectorport f0/23
Note port F0/23 should NOT be in use, if you look at the led on top of port F0/23, the
led will change to amber and then green.
SW1(config)#Vlan 90
SW1(configvlan)#Remotespan
SW1(configvlan)#Exit
On SW2
SW2(config)#Monitor session 2 source remote vlan 90
SW2(config)#Monitor session 2 destination interface F0/18
Port F0/18 is where the protocol analyzer is connected.

Task 22
You have been requested to implement the following policy on SW1:
Ø Hosts R1 or R2 should NOT have the ability to communicate with each other
within their VLAN. You can use any IP addressing to test this step.
Ø None of the hosts within any of the VLANs should have the ability to access the
TFTP server.
Ø You should configure VACL to accomplish this task.
Before configuring this task, we should ensure that R1 can communicate with R2,
therefore, the following configuration is performed on R1 and R2:
On R1
R1(config)#int f0/0
R1(configif)#ip address 10.1.1.1 255.255.255.0
R1(configif)#No shut
On R2
R2(config)#int f0/0
R2(configif)#ip address 10.1.1.2 255.255.255.0
To test the configuration:
On R1
R1#Ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), roundtrip min/avg/max = 1/1/4 ms
On SW1
SW1(config)#Ip accesslist extended R1R2
SW1(configextnacl)#Permit ip 10.1.1.1 0.0.0.0 host 10.1.1.2 0.0.0.0
SW1(config)#Ip accesslist extended DenyTFTP
SW1(configextnacl)#Permit udp any any eq 69

SW1(config)#Vlan accessmap TEST 10
SW1(configaccessmap)# Match ip addr R1R2
SW1(configaccessmap)#Action drop
SW1(configaccessmap)#Exit
SW1(configaccessmap)#Match ip addr DenyTFTP
SW1(configaccessmap)#Action drop
SW1(configaccessmap)#Action forward
SW1(config)#Vlan filter TEST vlanlist all
To Verify the configuration:
SW1#Show vlan filter accessmap TEST
VLAN Map TEST is filtering VLANs:
14096
SW1#Show vlan filter vlan 12
Vlan 12 has filter TEST.
To test the configuration:
On R1
R1#Ping 10.1.1.2
.....
Success rate is 0 percent (0/5)
Task 23
Configure routers R1 and R3 using the following IP addresses:
Ø R1 F0/0 = 10.1.12.1 /24
Ø R3 F0/0 = 10.1.34.3 /24

Configure SW1 to route between VLAN 12 and 34 such that these routers can ping each
other. Use any IP address on SW1 to accomplish this task.
On R1
R1(config)#Interface F0/0
R1(configif)#Ip address 10.1.12.1 255.255.255.0
R1(config)#Ip route 0.0.0.0 0.0.0.0 10.1.12.100
Note here the IP address of 10.1.12.100 is chosen as the default gateway.
On R3
R3(config)#Ip route 0.0.0.0 0.0.0.0 10.1.34.100
On SW1
SW1(config)#Ip routing
The above command is required to enable IP routing.
SW1(config)#Interface Vlan 12
Note the IP address of this logical interface is used as the default gateway of the
hosts in VLAN12.
SW1(config)#Interface Vlan 34
A Switch Virtual Interface (SVI) represents a VLAN of switch ports as one interface
to the routing. Only one SVI can be associated with a VLAN. This is necessary when
configuring Inter Vlan routing. When creating an SVI for a VLAN, the designated
number must match the VLAN number.
On R1

R1#Ping 10.1.34.3
!!!!!
On R3
R3#Ping 10.1.12.1
!!!!!
Task 24
Remove the configuration from the previous step and configure Inter Vlan routing
between VLANs 12 and 34. DO NOT use SVIs to accomplish this task. F0/1 interface of
any router must be used to accomplish this task. Use the IP addressing from the previous
task. Ensure to use an industry standard protocol for the trunk.
Since R5’s F0/0 is part of VLAN 56, R5’s F0/1 is used to accomplish this task.
On SW1
SW1(config)#No Interface Vlan 12
SW1(config)#No Interface Vlan 34
SW1#clear macaddresstable
On SW2
SW2(config)#Interface F0/5
SW2(configif)#Switchport trunk encap Dot1q
SW2(configif)#Switchport mode trunk
On R5
R5(configif)#Exit

R5(config)#Int f0/1.12
R5(configif)#Encap dot1q 12
Note this IP address will be used as the default gateway of the routers in VLAN 12
R5(config)#Int f0/1.34
R5(configif)#Encap dot1q 34
On R1
R1#Ping 10.1.34.3
!!!!!
On R3
R3#Ping 10.1.12.1
!!!!!
I guess you are Not getting the same result, well if you think a little harder you will
soon realize that port security was enabled with one MAC address as the maximum
and you also configured the switch such that if this threshold is exceeded, the switch
should ignore the frames from the newly learned MAC address/es. All you need to
do is remove all the switchport portsecurity commands and also remove the Macro
that was applied to the interface, and things will work properly.
Task 25
Configure a static MAC address on SW1 for R6’s F0/0 interface in VLAN 56 such that
if the switch receives frames destined to R6’s MAC address, it forwards the frames to
F0/6. You should assign a MAC address of 0000.6666.6666 to R6’s F0/0 interface.

On R6
R6(configif)#macaddress 0000.6666.6666
To test this configuration:
On SW1
SW1#Sh macaddresstable dynamic
Mac Address Table

Vlan Mac Address Type Ports

1 000f.34df.6501 DYNAMIC Fa0/19
1 001a.2f0a.2015 DYNAMIC Fa0/19
1 001a.2f0a.2016 DYNAMIC Fa0/20
12 0011.203d.c880 DYNAMIC Fa0/2
12 0012.0024.14c0 DYNAMIC Fa0/1
34 0012.d9e7.e9e0 DYNAMIC Fa0/3
56 0000.6666.6666 DYNAMIC Fa0/6
Total Mac Addresses for this criterion: 7
Note when we entered the “No shut” command SW1 learned the MAC address of
R6.
SW1(config)#Mac addresstable static 0000.6666.6666 vlan 56 interface f0/6
SW1#Show macaddresstable static interface f0/6
Mac Address Table

Vlan Mac Address Type Ports

56 0000.6666.6666 STATIC Fa0/6
Total Mac Addresses for this criterion: 1

Task 26
Configure Unicast Mac address filtering on SW1 such that the switch drops packets that

have a source or destination address of 0000.1234.5678. If a packet is received in VLAN
34 with this MAC address as its source or destination, the packet should be dropped.
On SW1
SW1(config)#Mac addresstable static 0000.1234.5687 vlan 34 drop
Task 27
Optimize the two switches using the following policies:
Ø SW1 should be configured such that its memory resources in the switch are
optimized for routing.
Switch database management (SDM) are templates that can be configured to
allocate memory resources in the switch for a specific feature depending on what the
switch is used for in a given network.
A switch can be configured to use one of the following templates:
Ø Access – Used for QOS classification and Security.
Ø Routing – Used for routing
Ø Vlan – Disables routing and sets the switch to be a layer 2 switch.
Ø Extendedmatch – Reformats routing memory space to allow 144bit layer 3
TCAM support needed for WCCP and/or multiple VRF instances.
On SW1
SW1(config)#Sdm prefer routing
You must reboot the switch for the settings to take effect.
To Verify the configuration after the reload:
On SW1
SW1#Show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for

8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directlyconnected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 512
number of IPv4/MAC qos aces: 512
number of IPv4/MAC security aces: 1K
Task 28
ReConfigure the trunk ports using an industry standard protocol, these links should
appear to STP as a single link, therefore, none of the interfaces should be in blocking
state. If one of the links fails, the traffic should use the other link without any
interruption.
This may override some of the task/s that was previously configured.
These two ports should NOT use any protocol to negotiate.
EtherChannels provide the follows:
Ø Faulttolerant, high speed links between switches and routers.
Ø EtherChannel provides an automatic recovery for the loss of a link by
redistributing the traffic across the remaining link/s.
Ø STP will not block one of the links in the bundle because to STP, the bundle looks
like a single link.
Ø Up to 8 links can be combined to provide more bandwidth.
Ø The links within the bundle must have the same characteristics such as duplexing,
speed and etc.
Ø EtherChannel can be configured as layer 2 or layer 3.
Ø With Layer 3, a logical interface (PortChannel) is statically configured and all
Layer 3 configurations are performed under that interface.
Ø With Layer 2, the logical interface is created automatically.
Ø With both Layer 2 and Layer 3, physical interfaces must be manually assigned to
the logical interface using “channelgroup” configuration command.
Ø EtherChannels can be configured automatically using Port aggregation protocol
(PAgP) or Link Aggregation protocol (LACP).
Ø PAgP is a Cisco proprietary protocol, whereas LACP is an industry standard
IEEE 802.3ad protocol.
Ø Switches can be configured to use PAgP by configuring them in AUTO or
DESIRABLE mode.

Ø Switches can be configured to use LACP by configuring them in ACTIVE or
PASSIVE mode.
Ø If the switches are configured in ON mode, they will not exchange LACP or
PAgP packets.
There are 5 modes that the switches can be configured in:
Ø ON – Forces the interface into an EtherChannel without PAgP or LACP packets,
both switches must be configured in ON mode for the EtherChannel to be
established.
Ø ACTIVE – Used in LACP, the switches will actively negotiate an EtherChannel
link.
Ø PASSIVE – Used in LACP, it places the interface in a passive negotiation mode
where it only responds to LACP packets that it receives. In this mode the switch
will not start the negotiation process; this setting minimizes the transmission of
LACP packets.
Ø AUTO – Used in PAgP, it places the interface in a passive negotiation mode; It
only responds to PAgP packets that it receives. In this mode the switch will not
start the negotiation process; this setting minimizes the transmission of PAgP
packets.
Ø DESIRABLE – Used in PAgP, the switches will actively negotiate an
EtherChannel link.
The following table is very important when configuring EtherChannels:
Switch one is configured as Switch two is configured as Will an EtherChannel

be established?
Desirable Desirable YES
Desirable Auto YES
Auto Auto NO
Active Active YES
Active Passive YES
Passive Passive NO
Before configuring EtherChannel, you should check to ensure that the interfaces are
configured with the same characteristics.
On Both Switches
(config)#default interface FastEthernet0/19
(config)#default interface FastEthernet0/20
(config)#Int range f0/19 20

(configifrange)#Switchport trunk encap dot1q
(configifrange)#Switchport mode trunk
(configifrange)#Channelgroup 1 mode on
When EtherChannels are created, you must ensure that the interfaces in the group
are configured identical.
On SW1
SW1#Show interface trunk
Po1 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 14094
Po1 1,12,30,34,56,90,111
Po1 1,12,30,34,56,90,111
On SW1
SW1#Show spanningtree inter f0/19

MST00 Desg FWD 100000 128.616 P2p
MST01 Desg FWD 100000 128.616 P2p
MST02 Root FWD 100000 128.616 P2p
SW1#Show spanningtree inter f0/20

MST00 Desg FWD 100000 128.616 P2p
MST01 Desg FWD 100000 128.616 P2p
MST02 Root FWD 100000 128.616 P2p
SW1#Show spanningtree inter po1


MST00 Desg FWD 100000 128.616 P2p
MST01 Desg FWD 100000 128.616 P2p
MST02 Root FWD 100000 128.616 P2p
On SW2
SW2#Show spanningtree interface f0/19

MST00 Root FWD 100000 128.616 P2p
MST01 Root FWD 100000 128.616 P2p
MST02 Desg FWD 100000 128.616 P2p
SW2#Show spanningtree interface f0/20

MST00 Root FWD 100000 128.616 P2p
MST01 Root FWD 100000 128.616 P2p
MST02 Desg FWD 100000 128.616 P2p
SW2#Show spanningtree interface po1

MST00 Root FWD 100000 128.616 P2p
MST01 Root FWD 100000 128.616 P2p
MST02 Desg FWD 100000 128.616 P2p
Note all interfaces are in forwarding state because to spanningtree, the port
channel appears as a single interface.
A “show etherchannel 1 detail” or “Show etherchannel summary” commands can
reveal that the interfaces are working in the bundle.
Task 29
Create VLAN 2006 on SW2. This task may override some of the task/s that was

previously configured.

Extendedrange VLANs:
Ø Range is 1006 – 4094.
Ø Can only be configured in the global config mode.
Ø The switch must be configured in transparent mode.
Ø These VLANs are NOT saved in the VLAN.DAT. They are part of the
running config and they can be saved to the startup config.
On SW2
SW2(config)#Vtp mode transparent
SW2(config)#Vlan 2006
Note, extended vlans are not created in the VLAN database and they are part of the
running/Startup config.
SW2#Show run
!
vlan 12,30,34,56 Note, the extended VLAN is part of the running
! configuration
vlan 90
remotespan
!
vlan 111,2006
!
Task 30
Erase the startupconfiguration, all the VLANs and reload the switches before proceeding
to the next task.


Foundation

Încărcat de

Informații document

Descriere originală:

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Foundation

Încărcat de

Drepturi de autor:

Formate disponibile

CCIE Foundation

CCIE Foundation by Narbik Kocharians Switching Lab Page 1 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 2 of 55

F0/22 F0/21 F0/21 F0/22

CCIE Foundation by Narbik Kocharians Switching Lab Page 3 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 4 of 55

Port Name Status Vlan Duplex Speed Type

CCIE Foundation by Narbik Kocharians Switching Lab Page 5 of 55

Port Mode Encapsulation Status Native vlan

CCIE Foundation by Narbik Kocharians Switching Lab Page 6 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 7 of 55

Note, if a domain name is not assigned to the switches and the default name (NULL)

CCIE Foundation by Narbik Kocharians Switching Lab Page 8 of 55

Router Interface VLAN number CAT Switches Port

CCIE Foundation by Narbik Kocharians Switching Lab Page 9 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 10 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 11 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 12 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 13 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 14 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 15 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 16 of 55

The output of the above command will reveal the bia or the MAC address of VLAN 1

CCIE Foundation by Narbik Kocharians Switching Lab Page 17 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 18 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 19 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 20 of 55

A trunk by default carries traffic for all VLANs; in order to differentiate traffic

CCIE Foundation by Narbik Kocharians Switching Lab Page 21 of 55

Port Mode Encapsulation Status Native vlan

CCIE Foundation by Narbik Kocharians Switching Lab Page 22 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 23 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 24 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 25 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 26 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 27 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 28 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 29 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 30 of 55

Interface Filter State Upper Lower Current

CCIE Foundation by Narbik Kocharians Switching Lab Page 31 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 32 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 33 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 34 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 35 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 36 of 55

Hello Max Fwd

CCIE Foundation by Narbik Kocharians Switching Lab Page 37 of 55

Root Hello Max Fwd

MST2 32770 0019.067f.8900 0 2 20 15

Root Hello Max Fwd

CCIE Foundation by Narbik Kocharians Switching Lab Page 38 of 55

Root Hello Max Fwd

MST2 2 001a.2f0a.2000 0 2 20 15

CCIE Foundation by Narbik Kocharians Switching Lab Page 39 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 40 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 41 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 42 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 43 of 55

You have been requested to implement the following policy on SW­1:

CCIE Foundation by Narbik Kocharians Switching Lab Page 44 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 45 of 55

CCIE Foundation by Narbik Kocharians Switching Lab Page 46 of 55

You have been requested to implement the following policy on SW1:

Configure Unicast Mac address filtering on SW1 such that the switch drops packets that

Create VLAN 2006 on SW2. This task may override some of the task/s that was