BCMSN Lab


Page 1: BCMSN Lab

BCMSN Lab - Spanning Tree

Scenario: Acme is a small export company that has an existing enterprise network comprised of 5 switches: CORE, DSW1, DSW2, ASW1 and ASW2. The topology diagram indicates their desired per-VLAN spanning tree mapping.

Previous configuration attempts have resulted in the following issues:

1. CORE should be the root bridge for VLAN 20; however, DSW1 is currently the root bridge for VLAN 20.
2. Traffic for VLAN 30 should be forwarding over the gig 1/0/6 trunk port between DSW1 and DSW2. However, VLAN 30 is currently using gig 1/0/5.
3. Traffic for VLAN 40 should be forwarding over the gig 1/0/5 trunk port between DSW1 and DSW2. However, VLAN 40 is currently using gig 1/0/6.


You have been tasked with isolating the cause of these issues and implementing the appropriate solutions. Your task is complicated by the fact that you only have full access to DSW1, with the enable secret password cisco. Only limited show command access is provided on CORE and DSW2, using the enable 2 level with a password of acme. No configuration changes will be possible on these switches. No access is provided to ASW1 or ASW2.

-----------Solution: -----------

1. You can see that currently DSW1 is the root bridge for VLAN 20. To make CORE the root bridge for VLAN 20, increase the priority on DSW1 from 28692 to the highest possible value, i.e. 61440 (because the bridge with the lower priority becomes root).

DSW1#sh spanning-tree vlan 20

DSW1#conf t
DSW1(config)#spanning-tree vlan 20 priority 61440

2. "When a switch experiences a tie in regard to the cost to reach the root, the switch first uses the interfaces' port priority values as a tiebreaker. If the port priority values tie, the switch uses the lowest internal interface number."

In this configuration all Gig interfaces have the same cost and priority, so switch DSW1 will compare the interface numbers of Gig1/0/5 (.5) and Gig1/0/6 (.6) for VLAN 30 traffic and send it over the lower one, i.e. gig 1/0/5.

DSW1#sh spanning-tree vlan 30

You can see that currently the Gig 1/0/5 interface has the lower port ID (128.5 < 128.6); that's why the traffic is going through it.


To make the traffic for VLAN 30 forward over the gig 1/0/6 trunk port from DSW1 to DSW2, you should change the port priority of Gig 1/0/6 from 128 to 64.

DSW1(config)#int g1/0/6
DSW1(config-if)#spanning-tree vlan 30 port-priority 64
DSW1(config-if)#no shut
DSW1(config-if)#end

3. To make the traffic for VLAN 40 forward over the gig 1/0/5 trunk port from DSW2 to DSW1, we should change the cost of Gig 1/0/5 from 19 to 1.

You can see that currently G1/0/6 is the root port for VLAN 40 and G1/0/5 is in the blocking (BLK) state. We must bring it to the forwarding (FWD) state by lowering its port cost.

DSW1#sh spanning-tree vlan 40


DSW1(config)#int g1/0/5
DSW1(config-if)#spanning-tree vlan 40 cost 1
DSW1(config-if)#no shut
DSW1(config-if)#exit

Finally, don't forget to save your configuration:

DSW1#wr

You can issue sh spanning-tree commands to verify the configuration:

DSW1# show spanning-tree vlan 20
DSW1# show spanning-tree vlan 30
DSW2# show spanning-tree vlan 40

FAQ: Why can't we configure port-priority or cost for both VLAN 30 and VLAN 40?

Ans: This is a very large topic to explain. I'll try to summarize it here without complicating it. For this we need to understand the concept of upstream and downstream switches.


Switch DSW1 is the root bridge (upstream) for VLAN 30 and downstream for VLAN 40.
Switch DSW2 is the root bridge (upstream) for VLAN 40 and downstream for VLAN 30.

To influence which port is elected the root port, the two user-configurable values to change are port cost and port priority. Port priority is set on an upstream switch to influence a downstream switch, and cost is set on a downstream switch to influence an upstream switch.

Moreover, changing port cost will affect both the local bridge and all downstream bridges. Changing the port priority will only affect the directly connected downstream bridge.

So we'll configure port-priority on DSW1 for VLAN 30, as it is the upstream switch for that VLAN.

For task 3, if we want port Gi1/0/5 to forward VLAN 40 BPDUs, we can force this to happen either by manipulating the cost on the downstream switch (DSW1) or by changing the port priority on the upstream switch (DSW2). We could not set the port priority on DSW1 for VLAN 40, as it would not make any difference. Moreover, you can see that the priority of Gi1/0/5 is already lower than that of Gi1/0/6, so we must decrease the cost. Also note that we only have limited show command access to DSW2, so we cannot configure DSW2 with the port-priority command.
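To make the upstream/downstream rule concrete, here is an added Python model (not part of the lab) of how the downstream switch breaks the tie between the two parallel trunks. It assumes the trunks connect Gi1/0/5 to Gi1/0/5 and Gi1/0/6 to Gi1/0/6 with cost 19 each, and, for VLAN 40, a constructed port priority of 64 on DSW2's Gi1/0/6 standing in for whatever the exhibit shows that makes Gi1/0/6 the current root port.

```python
"""802.1D root-port selection seen from the downstream switch (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trunk:
    """One of the two parallel trunks between the upstream (root) and downstream switch."""
    name: str                 # interface name on the downstream switch
    up_port: int              # interface number at the upstream (root) end
    down_port: int            # interface number at the downstream end
    up_priority: int = 128    # 'spanning-tree vlan X port-priority' on the UPSTREAM port
    down_priority: int = 128  # the same command on the DOWNSTREAM port
    down_cost: int = 19       # 'spanning-tree vlan X cost' on the DOWNSTREAM port


def root_port(trunks: list[Trunk]) -> str:
    """Name of the trunk the downstream switch elects as its root port.

    The root advertises root path cost 0, so each candidate's cost is just the local
    port cost. 802.1D tie-break order: lowest root path cost, lowest sender bridge ID
    (identical here, every BPDU comes from the same root), lowest SENDER port ID
    (priority, then port number), and only then the receiver's own port ID. This is
    why port-priority on the downstream switch's own ports never changes its choice.
    """
    def rank(t: Trunk):
        return (t.down_cost, (t.up_priority, t.up_port), (t.down_priority, t.down_port))
    return min(trunks, key=rank).name


# VLAN 30: DSW1 is root (upstream); DSW2 decides which trunk is its root port.
def vlan30_root_port_on_dsw2(dsw1_gi6_priority: int = 128) -> str:
    trunks = [Trunk("Gi1/0/5", 5, 5),
              Trunk("Gi1/0/6", 6, 6, up_priority=dsw1_gi6_priority)]
    return root_port(trunks)


# VLAN 40: DSW2 is root (upstream); DSW1 decides. Constructed assumption: DSW2 already
# advertises priority 64 on its Gi1/0/6, which is why DSW1 currently roots via Gi1/0/6.
def vlan40_root_port_on_dsw1(dsw1_gi5_priority: int = 128, dsw1_gi5_cost: int = 19) -> str:
    trunks = [Trunk("Gi1/0/5", 5, 5, down_priority=dsw1_gi5_priority, down_cost=dsw1_gi5_cost),
              Trunk("Gi1/0/6", 6, 6, up_priority=64)]
    return root_port(trunks)


if __name__ == "__main__":
    print("VLAN 30 today:", vlan30_root_port_on_dsw2())                 # Gi1/0/5 (128.5 < 128.6)
    print("VLAN 30 after port-priority 64 on DSW1 Gi1/0/6:",
          vlan30_root_port_on_dsw2(64))                                # Gi1/0/6
    print("VLAN 40 today:", vlan40_root_port_on_dsw1())                 # Gi1/0/6
    print("VLAN 40 with port-priority 64 on DSW1 Gi1/0/5 (no effect):",
          vlan40_root_port_on_dsw1(dsw1_gi5_priority=64))              # Gi1/0/6
    print("VLAN 40 with cost 1 on DSW1 Gi1/0/5:",
          vlan40_root_port_on_dsw1(dsw1_gi5_cost=1))                   # Gi1/0/5
```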

BCMSN Hotspot: Spanning Tree


Scenario: CiscoSims is an Internet game provider. The game service network recently added an additional switch block with multiple VLANs configured. Unfortunately, system administrators neglected to document the spanning tree topology during configuration. For baseline purposes, you will be required to identify the spanning-tree topology for the switch block.


Using the output of the "show spanning-tree" command on switch SW-C and the provided physical topology, answer the following questions:

Questions & Answers:

Question 1: Which Spanning Tree Protocol has been implemented on SW-B?

A. STP/IEEE 802.1D
B. MSTP/IEEE 802.1s
C. PVST+
D. PVRST
E. None of the above

Explanation: 802.1D has not been implemented, since that is CST (Common Spanning Tree), which only allows one instance to run at a time per network, and in this scenario there are multiple instances. It must be PVST+, since each instance contains only one VLAN.


Question 2: Which bridge ID belongs to SW-B?

A. 24623.000f.34f5.0138
B. 32768.000d.bd03.0380
C. 32768.000d.65db.0102
D. 32769.000d.65db.0102
E. 32874.000d.db03.0380
F. 32815.000d.db03.0380

Explanation: Root ports are ports that point towards the root bridge. In the exhibit, under VLAN 47 we see that fa0/2 is the root port for VLAN 47. Since we assume that all paths have equal cost, we can gather that the root port's destination is the root bridge itself. In this case the root bridge for VLAN 47 is SW-B, and according to the exhibit its bridge ID is 24623.000f.34f5.0138.

Question 3: Which port role has interface Fa0/2 of SW-A adopted for VLAN 47?

A. Root port
B. Nondesignated port
C. Designated port
D. Backup port
E. Alternate port

Explanation: Refer to the explanation for the previous question. So far we know that SW-B is the root bridge for VLAN 47. We also see that SW-C is using fa0/2 as its root port. Therefore SW-A will use fa0/1 for its root port, and fa0/2 will be designated, since fa0/1 on SW-C is blocking. Note: if one end of a segment is in the blocking state, the far end port is not; otherwise BPDUs could not be transmitted, which would negate the redundancy.

Question 4: Which port state is interface Fa0/2 of SW-B in for VLANs 1 and 106?


A. Listening
B. Learning
C. Disabled
D. Blocking
E. Forwarding
F. Discarding

Explanation: For VLAN 1 and 106 we can conclude that the root bridge is SW-A. With this in mind, SW-B will use fa0/1 for its root port and block the other, since that cost will be lower. In this case it will block fa0/2 for both VLANs (and most likely fa0/3 also, since SW-D is using fa0/1 as its root port).

Question 5: Which bridge ID belongs to SW-A?

A. 24623.000f.34f5.0138
B. 32768.000d.bd03.0380
C. 32768.000d.65db.0102
D. 32769.000d.65db.0102
E. 32874.000d.db03.0380
F. 32815.000d.db03.0380

Explanation: We see that in VLAN 1 and VLAN 106 fa0/1 is the root port on SW-C. As previously discussed, we know that root ports point to the root bridge; assuming equal cost from switch to root, and given that no other port is a root port for either VLAN, SW-A is the root bridge, and we can glean the information from the exhibit, which lists the bridge ID for each VLAN.


Scenario: Ferris Plastics, Inc. is a medium-sized company with enterprise network (access, distribution and core) switches that provide LAN connectivity from user PCs to corporate servers. The distribution switches are configured to use HSRP to provide a high availability solution as follows:

- DS1 (Distribution Switch 1) is the primary device for VLAN 101, VLAN 102 and VLAN 105.
- DS2 (Distribution Switch 2) is the primary device for VLAN 103 and VLAN 104.

-A failure of GigabitEthernet1/0/1 on the primary device should block the primary device from being the active device, unless GigabitEthernet1/0/1 on the backup device has also failed.

Troubleshooting has identified several issues. Currently all interfaces are up. Use the running configurations and the available show commands to investigate and respond to the following questions.


Question 1:


During routine maintenance, it became necessary to shut down G1/0/1 on DS1. All other interfaces were up. During this time, DS1 remained the active device for VLAN 102's HSRP group. You have determined that there is an issue with the decrement value in the track command in VLAN 102's HSRP group. What needs to be done to make the group function properly?

A. The DS1's decrement value should be configured with a value from 5 to 15
B. The DS1's decrement value should be configured with a value from 9 to 15
C. The DS1's decrement value should be configured with a value from 11 to 18
D. The DS1's decrement value should be configured with a value from 195 to less than 205
E. The DS1's decrement value should be configured with a value from 200 to less than 205
F. The DS1's decrement value should be greater than 190 and less than 200

Explanation:

DS1#sh run
DS2#sh run

Use the "show run" command. The left VLAN 102 console is DS1's. Its priority value is 200, so we should configure the decrement value in the track command from 11 to 18, because 200 - 11 = 189 <>

By default, when the tracked HSRP interface goes down, the priority value is reduced by 10, but DS1 would not then go from active to standby. So the decrement value should be increased.


Question 2:

During routine maintenance, G1/0/1 on DS1 was shut down. All other interfaces were up. DS2 became the active HSRP device for VLAN 101 as desired. However, after G1/0/1 on DS1 was reactivated, DS1 did not become the active HSRP device as desired. What needs to be done to make the group for VLAN 101 function properly?


A. Enable preempt on DS1's Vlan101 HSRP group
B. Disable preempt on DS1's Vlan101 HSRP group
C. Decrease DS1's priority value for Vlan101 HSRP group to a value that is less than the priority value configured on DS2's HSRP group for Vlan101
D. Decrease the decrement in the track command for DS1's Vlan 101 HSRP group to a value less than the value in the track command for DS2's Vlan 101 HSRP group.

Explanation:

DS1#sh run
DS2#sh run

By default, preempt is not enabled; we must configure preempt on VLAN 101 manually, because VLAN 101 on DS1 (left) has preempt disabled. We need to enable preempt so that after it is reactivated it becomes the active device.

Question 3:

DS2 has not become the active device for VLAN 103's HSRP group even though all interfaces are active. As related to VLAN 103's HSRP group, what can be done to make the group function properly?

A. On DS1, disable preempt
B. On DS1, decrease the priority value to a value less than 190 and greater than 150
C. On DS2, increase the priority value to a value greater than 241 and less than 249
D. On DS2, increase the decrement value in the track command to a value greater than 10 and less than 50.

Explanation:

DS1#sh run


DS2#sh run

The reason DS2 has not become the active device for VLAN 103 is that the priority value of DS1 is higher than that of DS2. In order to make DS2 the active device, we need to increase DS2's priority to a value greater than 241 because of its decrement value, which is 50.


Question 4:

If G1/0/1 on DS1 is shut down, what will be the current priority value of VLAN 105's group on DS1?

A. 95
B. 100
C. 150
D. 200

Explanation:


The priority is configured as 150 and the track interface decrement is 55. So if G1/0/1 is shut down, the priority will be 150 - 55 = 95.


Question 5:

What is the configured priority value of VLAN 105's group on DS2?

A. 50
B. 100
C. 150
D. 200

Explanation:


You can use the "show standby brief" command on console 2. It should be very easy to see the priority of VLAN 105 as 100.


Question 6:

During routine maintenance, it became necessary to shut down G1/0/1 on DS1 and DS2. All other interfaces were up. During this time, DS1 became the active device for VLAN 104's HSRP group. As related to VLAN 104's HSRP group, what can be done to make the group function properly?

A. On DS1, disable preempt
B. On DS2, decrease the priority value to a value less than 150
C. On DS1, increase the decrement value in the track command to a value greater than 6
D. On DS1, disable track command.

Explanation:

DS1#sh run
DS2#sh run

We should NOT disable preempt on DS1. If we do so, we will make VLAN 104's HSRP group fail. Example: if we disable preempt on DS1, it can't become the active device when G1/0/1 on DS2 fails. In this question, G1/0/1 on both DS1 and DS2 is shut down.


VLAN 104 (left): 150 - 1 = 149.
VLAN 104 (right): 200 - 155 = 145.
Result: priority 149 > 145 (VLAN 104 on DS1 is active).
If we increase the decrement in the track value to a value greater than 6 (> or = 6), VLAN 104 (left): 150 - 6 = 144.
Result: priority 144 < 145 (VLAN 104 on DS2 is active).

BCMSN Lab - Radius Server

Question: CiscoSims is a small shipping company that has an existing enterprise network comprised of 2 switches, DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:


- Users connecting to ASW1's port must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server:

- RADIUS server host: 172.120.39.46
- RADIUS key: rad123

- Authentication should be implemented as close to the host device as possible.
- Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.
- Packets from devices in the address range 172.120.40.0/24 should be passed on VLAN 20.
- Packets from devices in any other address range should be dropped on VLAN 20.
- Filtering should be implemented as close to the server farm as possible.


The RADIUS server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.

===========Solution:===========

ASW1#conf t

The question states that authentication should be implemented as close to the host device as possible. ASW1 is closest to the hosts, so we'll configure authentication on it. The first step in configuring the authenticator is to provide it with the address and key of the RADIUS server that will act as the authentication server. Enable RADIUS authentication on ASW1 and enter the IP address and shared key of the RADIUS server:

ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123

The next step is to enable the 802.1X port authentication process. This step makes the switch an authenticator, allowing it to send EAP messages to the supplicant, proxy the information to the authentication (RADIUS) server configured in the previous step, and act on the messages received from that server to authorize ports. To configure the switch to act as an authenticator, use the following command:

ASW1(config)#aaa authentication dot1x default group radius

Now we need to globally enable 802.1X port-based authentication:

ASW1(config)#dot1x system-auth-control

From the 'sh run' output we can see that Fa0/1 is the access port for VLAN 20, so we'll configure it.


ASW1(config)#int fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#switchport access vlan 20

Enable 802.1X authentication on the interface:-

ASW1(config-if)#dot1x port-control auto

After a port is configured in auto mode, no clients connected to that port will be allowed to pass user traffic until the port has been authorized by the authorization server.

ASW1(config-if)#end

ASW1#copy run start

The question says that filtering should be implemented as close to the server farm as possible, so we'll configure filtering on the DSW1 switch. Create a standard access list (using the named syntax) which only permits network 172.120.40.0 and denies any other address range (implicit deny):

DSW1#conf t
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit

To make sure that packets from devices in the address range 172.120.40.0/24 are passed on VLAN 20 and packets from devices in any other address range are dropped on VLAN 20, create a VLAN access map:

DSW1(config)#vlan access-map ciscosims 10
DSW1(config-access-map)#match ip address 10   (10 is the access-list number)
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit

Apply vlan access-map to vlan 20:-

DSW1(config)#vlan filter ciscosims vlan-list 20
DSW1(config)#end

DSW1#copy run start
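As an added check (not part of the lab), this Python snippet models how DSW1 evaluates the VACL above: the standard ACL's wildcard mask, the access-map sequence that forwards only what ACL 10 permits, and the implicit drop for everything else. The sample source addresses are constructed.

```python
"""VLAN access-map evaluation for the DSW1 filter (added example)."""
import ipaddress

# The objects configured on DSW1 in the solution:
#   ip access-list standard 10 / permit 172.120.40.0 0.0.0.255
ACL_10 = [("permit", "172.120.40.0", "0.0.0.255")]
#   vlan access-map ciscosims 10 / match ip address 10 / action forward
ACCESS_MAP = [(10, ACL_10, "forward")]


def acl_matches(entry, addr: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care' for that bit."""
    _, network, wildcard = entry
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def acl_permits(acl, addr: str) -> bool:
    """First matching entry decides; no match is the ACL's own implicit deny."""
    for entry in acl:
        if acl_matches(entry, addr):
            return entry[0] == "permit"
    return False


def vacl_action(access_map, src: str) -> str:
    """Walk the sequences in order; a sequence applies only if its ACL PERMITS the
    packet. A packet that no sequence matches hits the access map's implicit drop,
    which is what enforces 'any other address range should be dropped'."""
    for _, acl, action in sorted(access_map, key=lambda seq: seq[0]):
        if acl_permits(acl, src):
            return action
    return "drop"


# Constructed sample source addresses seen on VLAN 20 (not from the page's exhibits)
SAMPLES = {
    "172.120.40.17": "forward",    # inside 172.120.40.0/24
    "172.120.40.255": "forward",   # last address of the range still matches the mask
    "172.120.41.1": "drop",        # neighbouring subnet, one bit outside the wildcard
    "172.120.39.46": "drop",       # the RADIUS server's address is outside the range
    "10.0.0.5": "drop",
}


def check_samples() -> bool:
    """True when every constructed sample gets the action the requirement asks for."""
    return all(vacl_action(ACCESS_MAP, src) == want for src, want in SAMPLES.items())


if __name__ == "__main__":
    for src, want in SAMPLES.items():
        print(f"{src:>16} -> {vacl_action(ACCESS_MAP, src):7} (expected {want})")
```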

BCMSN LAB - Port Fast

Question: You work as a network engineer at CiscoSims. CiscoSims's Chinese office is installing a temporary Catalyst 3550 in an IDF to connect 24 additional users. To prevent network corruption, it is important to have the correct configuration prior to connecting to the production network. It will be necessary to ensure the switch does not participate in VTP but forwards VTP advertisements received on trunk ports. All interfaces should transition immediately to the forwarding state of Spanning Tree due to errors that have been experienced on office computers. Also, configure the user ports (all FastEthernet ports) so that the ports are permanently non-trunking.

The information of the Question:

You will configure FastEthernet ports 0/12 through 0/24 for users who belong to VLAN 20. Also, all VLAN and VTP configurations are to be completed in global configuration mode, as VLAN database mode is being deprecated by Cisco. You are required to accomplish the following tasks:

1. Ensure the switch does not participate in VTP but forwards VTP advertisements received on trunk ports.
2. Ensure all non-trunking interfaces (Fa0/1 to Fa0/24) transition immediately to the forwarding state of Spanning Tree.
3. Ensure all FastEthernet interfaces are in a permanent non-trunking mode.
4. Place FastEthernet interfaces 0/12 through 0/24 in VLAN 20.

Solution:-

Don't enter the 'vtp mode transparent' command at the beginning of the configuration. If you do, you will not be able to add VLAN 20 to the switch. VLAN 20 doesn't exist on the switch and needs to be created; it is created automatically by the switchport access vlan 20 command. We cannot enter VLAN database mode because it is disabled, and in transparent mode VLAN creation is not possible. So do all the configuration first and change the VTP mode to transparent at the last moment.

switch#conf t


1. To ensure that all FastEthernet interfaces are in a permanent non-trunking mode, put all interfaces into access mode:

switch(config)#interface range fa0/1-24
switch(config-if-range)#switchport mode access

2. To ensure that all non-trunking interfaces (Fa0/1 to Fa0/24) transition immediately to the forwarding state of Spanning Tree, enable PortFast:

switch(config-if-range)#spanning-tree portfast

3. Place FastEthernet interfaces 0/12 through 0/24 in VLAN 20:-

switch(config)#interface range fa0/12-24
switch(config-if-range)#switchport access vlan 20
switch(config-if-range)#end

4. To ensure that the switch does not participate in VTP but forwards VTP advertisements received on trunk ports, change the VTP mode to transparent:

switch(config)#vtp mode transparent
switch(config)#exit

5. Save your configuration:-

switch#copy run start

Spanning tree PortFast is a Catalyst feature that causes a switch or trunk port to enter the spanning tree Forwarding state immediately, bypassing the Listening and Learning states. IOS-based switches only use PortFast on access ports connected to end stations. When a device is connected to a port, the port normally enters the spanning tree Listening state. When the Forward Delay timer expires, the port enters the Learning state. When the Forward Delay timer expires a second time, the port is transitioned to the Forwarding or Blocking state. When PortFast is enabled on a switch or trunk port, the port is immediately transitioned to the Forwarding state. As soon as the switch detects the link, the port is transitioned to the Forwarding state (less than 2 seconds after the cable is plugged in).


BCMSN Lab - VTP and Vlans

Question:

You have just been hired by CiscoSims to help their main office expand. The main offices have enhanced their wiring closets with some layer 3 switches. The new distribution layer switch has been installed and a new access layer switch cabled next to it. Your tasks are as follows:

The information of the Question:

VTP domain name: cisco
VLAN IDs: 20, 31
IP addresses: 172.16.71.1/24, 172.16.132.1/24


These are your specific tasks:
1. Configure the VTP information with the distribution layer switch as the VTP server.
2. Configure the VTP information with the access layer switch as a VTP client.
3. Configure VLANs on the distribution layer switch.
4. Configure inter-VLAN routing on the distribution layer switch.
5. Specific VLAN port assignments will be made as users are added to the access layer switches in the future.
6. All VLAN and VTP configurations are to be completed in the global configuration.

To configure the switch, click on the host icon that is connected to the switch by way of a serial console cable.

Solution: The configuration is pretty straightforward.

vtp server configuration:
-------------------------


Task 1. To configure the VTP information with the distribution layer switch as the VTP server, change its VTP mode to server. Next configure the given domain name:

DLswitch#conf t
DLswitch(config)#vtp mode server
DLswitch(config)#vtp domain CISCO

Task 3. Configure the given VLAN IDs on the distribution layer switch:

DLswitch(config)#vlan 20
DLswitch(config)#vlan 31

Now configure the given IP addresses for the VLANs:

DLswitch(config)#int vlan 20
DLswitch(config-if)#ip add 172.16.71.1 255.255.255.0
DLswitch(config-if)#no shut
DLswitch(config-if)#int vlan 31
DLswitch(config-if)#ip add 172.16.132.1 255.255.255.0
DLswitch(config-if)#no shut
DLswitch(config-if)#exit

Task 4. To configure inter-VLAN routing on the distribution layer switch, issue the 'ip routing' command:

DLswitch(config)#ip routing

Save your configuration.

DLswitch#copy run start

vtp client configuration:
-----------------------

2. To configure the VTP information with the access layer switch as a VTP client, change its VTP mode to client. Next enter the given domain name:

ALswitch#conf t


ALswitch(config)#vtp mode client
ALswitch(config)#vtp domain CISCO
ALswitch(config)#end
ALswitch#copy run start

That's it! Easy, huh?
